Add an error to be returned by a preauth mechanism indicating that the KDC should...

author Sam Hartman <hartmans@mit.edu>

Fri, 1 Oct 2010 17:12:41 +0000 (17:12 +0000)

committer Sam Hartman <hartmans@mit.edu>

Fri, 1 Oct 2010 17:12:41 +0000 (17:12 +0000)
author Sam Hartman <hartmans@mit.edu>
Fri, 1 Oct 2010 17:12:41 +0000 (17:12 +0000)
committer Sam Hartman <hartmans@mit.edu>
Fri, 1 Oct 2010 17:12:41 +0000 (17:12 +0000)
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c

index 557ae3dea31a61f1ecb1b40ce9563cdfb09e0a7d..46b5fa1fb186ec10a99cdac372ca1cab90e25435 100644 (file)
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -633,6 +633,8 @@ egress:
          if (status == 0) {
              status = emsg;
          }
+        if (errcode == KRB5KDC_ERR_DISCARD)
+            goto discard;
          errcode -= ERROR_TABLE_BASE_krb5;
          if (errcode < 0 || errcode > 128)
              errcode = KRB_ERR_GENERIC;
@@ -643,7 +645,7 @@ egress:
          status = 0;
      }
  
-    if (emsg)
+discard: if (emsg)
          krb5_free_error_message(kdc_context, emsg);
      if (enc_tkt_reply.authorization_data != NULL)
          krb5_free_authdata(kdc_context, enc_tkt_reply.authorization_data);
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c

index 0c477266b35c937155aeb5e15b8304b9127771bb..957ac23031ce51dcb1d97f007a5a9c1fd52164a5 100644 (file)
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -1202,6 +1202,7 @@ check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
      case KRB5KDC_ERR_REVOCATION_STATUS_UNAVAILABLE:
          /* This value is shared with KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED. */
          /* case KRB5KDC_ERR_KEY_TOO_WEAK: */
+    case KRB5KDC_ERR_DISCARD:
          return retval;
      default:
          return KRB5KDC_ERR_PREAUTH_FAILED;
diff --git a/src/lib/apputils/net-server.c b/src/lib/apputils/net-server.c

index 9d3daea40e1181fa45cc8c57ff8ee9040060b2db..c63ab8e36b20eedde91a8d3df02822b4a40a9f8c 100644 (file)
--- a/src/lib/apputils/net-server.c
+++ b/src/lib/apputils/net-server.c
@@ -1759,6 +1759,8 @@ process_tcp_connection(void *handle, struct connection *conn, const char *prog,
                  com_err(prog, err, "while dispatching (tcp)");
                  goto kill_tcp_connection;
              }
+            if (conn->u.tcp.response == NULL)
+                goto kill_tcp_connection;
          have_response:
              queue_tcp_outgoing_response(conn);
              FD_CLR(conn->fd, &sstate.rfds);
diff --git a/src/lib/krb5/error_tables/k5e1_err.et b/src/lib/krb5/error_tables/k5e1_err.et

index 7fe4cc6fc4479156cf2126043844a074f6b98981..af2871049845188da63bc61839fb4904b7819925 100644 (file)
--- a/src/lib/krb5/error_tables/k5e1_err.et
+++ b/src/lib/krb5/error_tables/k5e1_err.et
@@ -33,5 +33,5 @@ error_table k5e1
  error_code KRB5_PLUGIN_VER_NOTSUPP, "Plugin does not support interface version"
  error_code KRB5_PLUGIN_BAD_MODULE_SPEC, "Invalid module specifier"
  error_code KRB5_PLUGIN_NAME_NOTFOUND, "Plugin module name not found"
-
+error_code KRB5KDC_ERR_DISCARD, "The KDC should discard this request"
  end
author	Sam Hartman <hartmans@mit.edu>
	Fri, 1 Oct 2010 17:12:41 +0000 (17:12 +0000)
committer	Sam Hartman <hartmans@mit.edu>
	Fri, 1 Oct 2010 17:12:41 +0000 (17:12 +0000)
src/kdc/do_as_req.c		patch \| blob \| history
src/kdc/kdc_preauth.c		patch \| blob \| history
src/lib/apputils/net-server.c		patch \| blob \| history
src/lib/krb5/error_tables/k5e1_err.et		patch \| blob \| history