Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP4:GA
krb5-mini.34946
0124-Use-responder-for-non-preauth-AS-requests....
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0124-Use-responder-for-non-preauth-AS-requests.patch of Package krb5-mini.34946
From 671ac68c4d21af006017a3de6bb685492b230ccc Mon Sep 17 00:00:00 2001 From: Greg Hudson <ghudson@mit.edu> Date: Fri, 5 Aug 2016 12:28:03 -0400 Subject: [PATCH 3/3] Use responder for non-preauth AS requests If no AS reply key is computed during pre-authentication (typically because no pre-authentication was required by the KDC), ask for the password using the responder before calling gak_fct for the key, and supply any resulting responder items to gak_fct. (cherry picked from commit 0639adc91ae9f66496171d14a232eae3c02bda0d) ticket: 8454 version_fixed: 1.13.7 (cherry picked from commit af6f7168b1a13edfc8824e0d26741fec010e0657) --- src/lib/krb5/krb/get_in_tkt.c | 24 +++++++++++++++++++++++- src/tests/t_general.py | 5 +++++ 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index e5eaaec7e..11dc741a1 100644 --- a/src/lib/krb5/krb/get_in_tkt.c +++ b/src/lib/krb5/krb/get_in_tkt.c @@ -1414,6 +1414,8 @@ init_creds_step_reply(krb5_context context, krb5_keyblock encrypting_key; krb5_boolean fast_avail; krb5_ccache out_ccache = k5_gic_opt_get_out_ccache(ctx->opt); + krb5_responder_fn responder; + void *responder_data; encrypting_key.length = 0; encrypting_key.contents = NULL; @@ -1565,13 +1567,33 @@ init_creds_step_reply(krb5_context context, code = -1; if (code != 0) { + /* If a responder was provided and we are using a password, ask for the + * password using the responder before falling back to the prompter. */ + k5_gic_opt_get_responder(ctx->opt, &responder, &responder_data); + if (responder != NULL && !ctx->as_key.length) { + /* Indicate a need for the AS key by calling the gak_fct with a + * NULL as_key. */ + code = ctx->gak_fct(context, ctx->request->client, ctx->etype, + NULL, NULL, NULL, NULL, NULL, ctx->gak_data, + ctx->rctx.items); + if (code != 0) + goto cleanup; + + /* If that produced a responder question, invoke the responder. */ + if (!k5_response_items_empty(ctx->rctx.items)) { + code = (*responder)(context, responder_data, &ctx->rctx); + if (code != 0) + goto cleanup; + } + } + /* if we haven't get gotten a key, get it now */ TRACE_INIT_CREDS_GAK(context, &ctx->salt, &ctx->s2kparams); code = (*ctx->gak_fct)(context, ctx->request->client, ctx->reply->enc_part.enctype, ctx->prompter, ctx->prompter_data, &ctx->salt, &ctx->s2kparams, - &ctx->as_key, ctx->gak_data, NULL); + &ctx->as_key, ctx->gak_data, ctx->rctx.items); if (code != 0) goto cleanup; TRACE_INIT_CREDS_AS_KEY_GAK(context, &ctx->as_key); diff --git a/src/tests/t_general.py b/src/tests/t_general.py index 5349b05b5..e27e99f0a 100755 --- a/src/tests/t_general.py +++ b/src/tests/t_general.py @@ -33,6 +33,11 @@ realm.stop() realm = K5Realm(create_host=False) +# Regression test for #8454 (responder callback isn't used when +# preauth is not required). +realm.run(['./responder', '-r', 'password=%s' % password('user'), + realm.user_princ]) + # Test that WRONG_REALM responses aren't treated as referrals unless # they contain a crealm field pointing to a different realm. # (Regression test for #8060.) -- 2.22.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor