From: Tom Yu Date: Mon, 11 May 2009 20:55:54 +0000 (+0000) Subject: pull up r22292 from trunk X-Git-Tag: krb5-1.7-beta2~10 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=2c05402d97606e6683c3b8aa3c7d2b2cbe88526c;p=krb5.git pull up r22292 from trunk ------------------------------------------------------------------------ r22292 | hartmans | 2009-04-29 20:38:48 -0400 (Wed, 29 Apr 2009) | 10 lines Changed paths: M /trunk/src/kdc/kdc_preauth.c ticket: 6480 Subject: Do not return PREAUTH_FAILED on unknown preauth Target_Version: 1.7 Tags: pullup If the KDC receives unknown pre-authentication data then ignore it. Do not get into a case where PREAUTH_FAILED is returned because of unknown pre-authentication. The main AS loop will cause PREAUTH_REQUIRED to be returned if the preauth_required flag is set and no valid preauth is found. ticket: 6480 version_fixed: 1.7 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22334 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c index b153bbf25..63f768756 100644 --- a/src/kdc/kdc_preauth.c +++ b/src/kdc/kdc_preauth.c @@ -1204,17 +1204,11 @@ check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt, if (pa_ok) return 0; - /* pa system was not found, but principal doesn't require preauth */ - if (!pa_found && - !isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) && - !isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH)) + /* pa system was not found; we may return PREAUTH_REQUIRED later, + but we did not actually fail to verify the pre-auth. */ + if (!pa_found) return 0; - if (!pa_found) { - emsg = krb5_get_error_message(context, retval); - krb5_klog_syslog (LOG_INFO, "no valid preauth type found: %s", emsg); - krb5_free_error_message(context, emsg); - } /* The following switch statement allows us * to return some preauth system errors back to the client.