diff options
| author | Greg Hudson <ghudson@mit.edu> | 2016-07-19 10:52:06 -0400 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 2016-07-19 18:05:20 -0400 |
| commit | 857b82485a67094bbb2d73eb7572366878a4a9a9 (patch) | |
| tree | f3b28ed8060cb2fd81da1711a8ad0392fb4634fe | |
| parent | ffd4a365e226df422c8978e819c5080c07547126 (diff) | |
| download | krb5-857b82485a67094bbb2d73eb7572366878a4a9a9.zip krb5-857b82485a67094bbb2d73eb7572366878a4a9a9.tar.gz krb5-857b82485a67094bbb2d73eb7572366878a4a9a9.tar.bz2 | |
Fix error code on clpreauth module failure
Commit 632260bd1fccfb420f0827b59c85c329203eafc9 (ticket #7517) allows
better error reporting for some client pre-authentication failures.
However, it breaks an assumption in the S4U2Self code that such errors
can be recognized by the KRB5_PREAUTH_FAILED error code. Instead of
passing through the error code reported by the first real preauth
module, wrap that error and return KRB5_PREAUTH_FAILED.
(cherry picked from commit 560e11dabb63b141df29c54aaa2e120309a1e021)
ticket: 8457
version_fixed: 1.14.3
| -rw-r--r-- | src/lib/krb5/krb/preauth2.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c index 783bb31..ca26fb0 100644 --- a/src/lib/krb5/krb/preauth2.c +++ b/src/lib/krb5/krb/preauth2.c @@ -638,8 +638,12 @@ process_pa_data(krb5_context context, krb5_init_creds_context ctx, if (must_preauth) { /* No real preauth types succeeded and we needed to preauthenticate. */ - ret = (save.code != 0) ? k5_restore_ctx_error(context, &save) : - KRB5_PREAUTH_FAILED; + if (save.code != 0) { + ret = k5_restore_ctx_error(context, &save); + k5_wrapmsg(context, ret, KRB5_PREAUTH_FAILED, + _("Pre-authentication failed")); + } + ret = KRB5_PREAUTH_FAILED; } cleanup: |