From 30c978f01396f83db63c4f722b133edeef7e5104 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 3 Mar 2022 17:45:02 +0100 Subject: [PATCH] lib/krb5: fix krb5_init_creds_step() interaction with krb5_fast_anon_pkinit_step() _krb5_fast_anon_pkinit_step() should not set KRB5_INIT_CREDS_STEP_FLAG_CONTINUE if it doesn't generate any output. And krb5_init_creds_step() needs to return if _krb5_fast_anon_pkinit_step() returned with KRB5_INIT_CREDS_STEP_FLAG_CONTINUE set. As that means the recursive call to krb5_init_creds_step() generated output that should be send to a KDC and the KDC response if needed as input for the next step. Signed-off-by: Stefan Metzmacher --- lib/krb5/fast.c | 2 -- lib/krb5/init_creds_pw.c | 3 +-- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/lib/krb5/fast.c b/lib/krb5/fast.c index 805e33f37..5b49c1be7 100644 --- a/lib/krb5/fast.c +++ b/lib/krb5/fast.c @@ -953,8 +953,6 @@ _krb5_fast_anon_pkinit_step(krb5_context context, krb5_get_init_creds_opt_free(context, state->anon_pkinit_opt); state->anon_pkinit_opt = NULL; - *flags |= KRB5_INIT_CREDS_STEP_FLAG_CONTINUE; - out: krb5_free_principal(context, principal); krb5_free_cred_contents(context, &cred); diff --git a/lib/krb5/init_creds_pw.c b/lib/krb5/init_creds_pw.c index 8854a1a4f..dc090ded3 100644 --- a/lib/krb5/init_creds_pw.c +++ b/lib/krb5/init_creds_pw.c @@ -3469,8 +3469,7 @@ krb5_init_creds_step(krb5_context context, ctx->fast_state.flags &= ~KRB5_FAST_REQUIRED; ctx->fast_state.flags &= ~KRB5_FAST_ANON_PKINIT_ARMOR; } else if (ret || - ((*flags & KRB5_INIT_CREDS_STEP_FLAG_CONTINUE) == 0) || - out->length) + (*flags & KRB5_INIT_CREDS_STEP_FLAG_CONTINUE)) return ret; in = ∅