From: Greg Hudson
Date: Wed, 4 Nov 2009 16:31:41 +0000 (+0000)
Subject: Restore the krb5 1.6 behavior of not retrying AS requests after
X-Git-Tag: krb5-1.8-alpha1~213
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=53ba9ce10d82c79e3c1de4f3d122eeaafeba94cf;p=krb5.git
Restore the krb5 1.6 behavior of not retrying AS requests after PREAUTH_FAILED errors. Among other things, this change causes krb5_get_init_creds_opt_set_pa to act (mostly) as a constraint rather than simply as an optimistic set of preauth types, which is the behavior apps had been seeing prior to 1.7.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23128 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 4fd837626..15da288bf 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1057,21 +1057,6 @@ build_in_tkt_name(krb5_context context,
 return ret;
 }
 
-/* Decide whether to continue trying AS-REQ preauthentication. */
-static krb5_boolean
-should_continue_preauth(krb5_ui_4 error, int loopcount)
-{
- /*
- * Continue on PREAUTH_FAILED only on the first iteration, which
- * would imply that we did optimistic preauth unsuccessfully. We
- * could continue on later iterations if the preauth framework
- * reliably remembered what mechanisms had been tried, but
- * currently it does not do so for built-in mechanisms.
- */
- return (error == KDC_ERR_PREAUTH_REQUIRED ||
- (error == KDC_ERR_PREAUTH_FAILED && loopcount == 0));
-}
-
 krb5_error_code KRB5_CALLCONV
 krb5_get_init_creds(krb5_context context,
 krb5_creds *creds,
@@ -1429,7 +1414,7 @@ krb5_get_init_creds(krb5_context context,
 &out_padata, &retry);
 if (ret !=0)
 goto cleanup;
- if (should_continue_preauth(err_reply->error, loopcount) && retry) {
+ if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED && retry) {
 /* reset the list of preauth types to try */
 if (preauth_to_use) {
 krb5_free_pa_data(context, preauth_to_use);
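Review bot: The new condition `if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED && retry)` in the second hunk carries no explanation of why KDC_ERR_PREAUTH_FAILED is now final, because the only comment on the retry policy lived in the deleted should_continue_preauth(). That rationale is security-relevant: per the commit message it is what makes the list passed to krb5_get_init_creds_opt_set_pa act as a constraint rather than a hint. I would restate it above the `if`, e.g. `/* Retry only on PREAUTH_REQUIRED; PREAUTH_FAILED is final so the caller's preauth type list is not silently widened. */`. The branch still frees and resets preauth_to_use, which is presumably the "(mostly)" in the description, though what the list is reset to lies outside the hunk; one sentence on that in the same comment would help. krb5_get_init_creds begins and ends outside this hunk.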