author | Greg Hudson <ghudson@mit.edu> | 2013-02-17 12:44:45 -0500 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2013-02-19 12:04:56 -0500 |
commit | f20a77e879d203cdcb1bdbf9dc8e604a5187c88f (patch) | |
tree | 1dac47e3a5275e129b27d59082d1e653b6026efd | |
parent | b71f8c4aacea8849ceaf31a2fa95e143f3943097 (diff) | |
Allow multi-hop SAM-2 exchanges
Prior to 1.11, it was possible to do SAM-2 preauth exchanges with
multiple hops by sending repeated preauth-required errors with
different challenges (which is not the way multi-hop exchanges are
described in RFC 6113, but it can still work). This stopped working
when SAM-2 was converted to a built-in module. Make it work again.
ticket: 7571 (new)
target_version: 1.11.1
tags: pullup
-rw-r--r-- | src/lib/krb5/krb/preauth2.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index 74a4f27beb..7252048cb9 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -570,6 +570,11 @@ already_tried(krb5_context context, krb5_preauthtype pa_type)
 size_t count;
 krb5_preauthtype *newptr;
 
+ /* Allow multi-hop SAM-2 exchanges using repeated preauth-required errors
+ * for historical compatibility. */
+ if (pa_type == KRB5_PADATA_SAM_CHALLENGE_2)
+ return FALSE;
+
 for (count = 0; pctx->tried != NULL && pctx->tried[count] != 0; count++) {
 if (pctx->tried[count] == pa_type)
 return TRUE; |
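Review bot: The early `return FALSE` for `KRB5_PADATA_SAM_CHALLENGE_2` at the top of already_tried() takes SAM-2 out of the tried-list check entirely, so nothing in this function limits how many repeated preauth-required errors carrying a SAM-2 challenge the client will act on. Those errors arrive before any key is established, so the only bound on hops (and on repeated user prompts) is presumably a loop limit in the caller, which is not visible here. The added comment should state that dependency, for example `/* SAM-2 is never marked as tried; the number of hops is bounded only by the caller's request loop limit. */`, and it is worth confirming that such a limit applies on this path. The function begins and continues outside the hunk, so any header comment describing its return value should also mention the exception.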