authorGreg Hudson <ghudson@mit.edu>2016-08-05 12:28:03 -0400
committerTom Yu <tlyu@mit.edu>2016-09-02 18:30:32 -0400
commitaf6f7168b1a13edfc8824e0d26741fec010e0657 (patch)
tree236d227e8cf684e808fb9643162988c9f4e8bf4b
parent977e59f5aeb3d9c1e0a110d628c5b14f7085858e (diff)
Use responder for non-preauth AS requests
If no AS reply key is computed during pre-authentication (typically because no pre-authentication was required by the KDC), ask for the password using the responder before calling gak_fct for the key, and supply any resulting responder items to gak_fct. (cherry picked from commit 0639adc91ae9f66496171d14a232eae3c02bda0d) ticket: 8454 version_fixed: 1.13.7
-rw-r--r--src/lib/krb5/krb/get_in_tkt.c24
-rwxr-xr-xsrc/tests/t_general.py5
2 files changed, 28 insertions, 1 deletions
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 4ec4e55..13ececc 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1412,6 +1412,8 @@ init_creds_step_reply(krb5_context context,
krb5_keyblock encrypting_key;
krb5_boolean fast_avail;
krb5_ccache out_ccache = k5_gic_opt_get_out_ccache(ctx->opt);
+ krb5_responder_fn responder;
+ void *responder_data;
encrypting_key.length = 0;
encrypting_key.contents = NULL;
@@ -1563,13 +1565,33 @@ init_creds_step_reply(krb5_context context,
code = -1;
if (code != 0) {
+ /* If a responder was provided and we are using a password, ask for the
+ * password using the responder before falling back to the prompter. */
+ k5_gic_opt_get_responder(ctx->opt, &responder, &responder_data);
+ if (responder != NULL && !ctx->as_key.length) {
+ /* Indicate a need for the AS key by calling the gak_fct with a
+ * NULL as_key. */
+ code = ctx->gak_fct(context, ctx->request->client, ctx->etype,
+ NULL, NULL, NULL, NULL, NULL, ctx->gak_data,
+ ctx->rctx.items);
+ if (code != 0)
+ goto cleanup;
+
+ /* If that produced a responder question, invoke the responder. */
+ if (!k5_response_items_empty(ctx->rctx.items)) {
+ code = (*responder)(context, responder_data, &ctx->rctx);
+ if (code != 0)
+ goto cleanup;
+ }
+ }
+
/* if we haven't get gotten a key, get it now */
TRACE_INIT_CREDS_GAK(context, &ctx->salt, &ctx->s2kparams);
code = (*ctx->gak_fct)(context, ctx->request->client,
ctx->reply->enc_part.enctype,
ctx->prompter, ctx->prompter_data,
&ctx->salt, &ctx->s2kparams,
- &ctx->as_key, ctx->gak_data, NULL);
+ &ctx->as_key, ctx->gak_data, ctx->rctx.items);
if (code != 0)
goto cleanup;
TRACE_INIT_CREDS_AS_KEY_GAK(context, &ctx->as_key);
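Review bot: The first gak_fct call relies on a NULL as_key (and NULL prompter/salt/s2kparams) meaning "only populate responder items, derive no key", but nothing in the hunk records that contract, and a gak_fct implementation that writes through as_key would dereference NULL here. I would extend the comment above the call to `/* Indicate a need for the AS key by calling the gak_fct with a NULL as_key; the callback must only add responder questions to ctx->rctx.items and must not derive or store a key on this call. */` and, where gak_fct's type is declared (outside this hunk), document that a NULL as_key is a legal query-only invocation. The probe call passes ctx->etype while the real derivation below passes ctx->reply->enc_part.enctype; if that difference is deliberate (the probe does not derive a key), a one-line comment saying so would save the next reader from treating it as a mismatch. init_creds_step_reply begins and ends outside the hunk.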
diff --git a/src/tests/t_general.py b/src/tests/t_general.py
index 5349b05..e27e99f 100755
--- a/src/tests/t_general.py
+++ b/src/tests/t_general.py
@@ -33,6 +33,11 @@ realm.stop()
realm = K5Realm(create_host=False)
+# Regression test for #8454 (responder callback isn't used when
+# preauth is not required).
+realm.run(['./responder', '-r', 'password=%s' % password('user'),
+ realm.user_princ])
+
# Test that WRONG_REALM responses aren't treated as referrals unless
# they contain a crealm field pointing to a different realm.
# (Regression test for #8060.)