Diffstat (limited to 'krb5-1.14.4-responder-non-preauth.patch')
-rw-r--r-- | krb5-1.14.4-responder-non-preauth.patch | 86 |
1 files changed, 0 insertions, 86 deletions
diff --git a/krb5-1.14.4-responder-non-preauth.patch b/krb5-1.14.4-responder-non-preauth.patch
deleted file mode 100644
index fc22104..0000000
--- a/krb5-1.14.4-responder-non-preauth.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 60824edc278fe2207ead773baca6fe56416e2874 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Fri, 5 Aug 2016 12:28:03 -0400
-Subject: [PATCH] Use responder for non-preauth AS requests
-
-If no AS reply key is computed during pre-authentication (typically
-because no pre-authentication was required by the KDC), ask for the
-password using the responder before calling gak_fct for the key, and
-supply any resulting responder items to gak_fct.
-
-ticket: 8454
-target_version: 1.14-next
-target_version: 1.13-next
-tags: pullup
----
- src/lib/krb5/krb/get_in_tkt.c | 24 +++++++++++++++++++++++-
- src/tests/t_general.py | 5 +++++
- 2 files changed, 28 insertions(+), 1 deletion(-)
-
-diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
-index b78e19a..659be66 100644
---- a/src/lib/krb5/krb/get_in_tkt.c
-+++ b/src/lib/krb5/krb/get_in_tkt.c
-@@ -1351,6 +1351,8 @@ init_creds_step_reply(krb5_context context,
- krb5_keyblock encrypting_key;
- krb5_boolean fast_avail;
- krb5_ccache out_ccache = k5_gic_opt_get_out_ccache(ctx->opt);
-+ krb5_responder_fn responder;
-+ void *responder_data;
-
- encrypting_key.length = 0;
- encrypting_key.contents = NULL;
-@@ -1509,13 +1511,33 @@ init_creds_step_reply(krb5_context context,
- code = -1;
-
- if (code != 0) {
-+ /* If a responder was provided and we are using a password, ask for the
-+ * password using the responder before falling back to the prompter. */
-+ k5_gic_opt_get_responder(ctx->opt, &responder, &responder_data);
-+ if (responder != NULL && !ctx->as_key.length) {
-+ /* Indicate a need for the AS key by calling the gak_fct with a
-+ * NULL as_key. */
-+ code = ctx->gak_fct(context, ctx->request->client, ctx->etype,
-+ NULL, NULL, NULL, NULL, NULL, ctx->gak_data,
-+ ctx->rctx.items);
-+ if (code != 0)
-+ goto cleanup;
-+
-+ /* If that produced a responder question, invoke the responder. */
-+ if (!k5_response_items_empty(ctx->rctx.items)) {
-+ code = (*responder)(context, responder_data, &ctx->rctx);
-+ if (code != 0)
-+ goto cleanup;
-+ }
-+ }
-+
- /* if we haven't get gotten a key, get it now */
- TRACE_INIT_CREDS_GAK(context, &ctx->salt, &ctx->s2kparams);
- code = (*ctx->gak_fct)(context, ctx->request->client,
- ctx->reply->enc_part.enctype,
- ctx->prompter, ctx->prompter_data,
- &ctx->salt, &ctx->s2kparams,
-- &ctx->as_key, ctx->gak_data, NULL);
-+ &ctx->as_key, ctx->gak_data, ctx->rctx.items);
- if (code != 0)
- goto cleanup;
- TRACE_INIT_CREDS_AS_KEY_GAK(context, &ctx->as_key);
-diff --git a/src/tests/t_general.py b/src/tests/t_general.py
-index c3629e6..13dd99b 100755
---- a/src/tests/t_general.py
-+++ b/src/tests/t_general.py
-@@ -34,6 +34,11 @@ realm.stop()
-
- realm = K5Realm(create_host=False)
-
-+# Regression test for #8454 (responder callback isn't used when
-+# preauth is not required).
-+realm.run(['./responder', '-r', 'password=%s' % password('user'),
-+ realm.user_princ])
-+
- # Test that WRONG_REALM responses aren't treated as referrals unless
- # they contain a crealm field pointing to a different realm.
- # (Regression test for #8060.)
---
-2.9.3
- |