call hdb_auth_status when password is wrong in the ENC-CHAL case too, thanks Andrew Bartlett for pointing this out
@@ -423,6 +423,7 @@ pa_enc_chal_validate(kdc_request_t r, const PA_DATA *pa)
{
krb5_data pepper1, pepper2, ts_data;
KDC_REQ_BODY *b = &r->req.req_body;
int invalidPassword = 0;
EncryptedData enc_data;
krb5_enctype aenctype;
krb5_error_code ret;
@@ -483,8 +484,24 @@ pa_enc_chal_validate(kdc_request_t r, const PA_DATA *pa)
KRB5_KU_ENC_CHALLENGE_CLIENT,
&enc_data,
&ts_data);
if (ret)
if (ret) {
const char *msg = krb5_get_error_message(r->context, ret);
krb5_error_code ret2;
char *str = NULL;
invalidPassword = 1;
ret2 = krb5_enctype_to_string(r->context, k->key.keytype, &str);
if (ret2)
str = NULL;
_kdc_r_log(r, 5, "Failed to decrypt ENC-CHAL -- %s "
"(enctype %s) error %s",
r->client_name, str ? str : "unknown enctype", msg);
krb5_free_error_message(r->context, msg);
free(str);
continue;
}
ret = decode_PA_ENC_TS_ENC(ts_data.data,
ts_data.length,
@@ -533,10 +550,20 @@ pa_enc_chal_validate(kdc_request_t r, const PA_DATA *pa)
if (ret)
goto out;
break;
/*
* Success
*/
if (r->clientdb->hdb_auth_status)
r->clientdb->hdb_auth_status(r->context, r->clientdb, r->client,
HDB_AUTH_SUCCESS);
goto out;
}
if (i < r->client->entry.keys.len)
if (invalidPassword && r->clientdb->hdb_auth_status) {
r->clientdb->hdb_auth_status(r->context, r->clientdb, r->client,
HDB_AUTH_WRONG_PASSWORD);
ret = KRB5KDC_ERR_PREAUTH_FAILED;
}
out:
free_EncryptedData(&enc_data);
@@ -1832,9 +1859,10 @@ _kdc_as_rep(kdc_request_t r,
goto out;
}
if (r->clientdb->hdb_auth_status)
if (r->clientdb->hdb_auth_status) {
r->clientdb->hdb_auth_status(context, r->clientdb, r->client,
HDB_AUTH_SUCCESS);
}
/*
* Verify flags after the user been required to prove its identity
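Review bot: In the `@@ -533` hunk of pa_enc_chal_validate, `ret = KRB5KDC_ERR_PREAUTH_FAILED;` is assigned only inside `if (invalidPassword && r->clientdb->hdb_auth_status)`, so on a backend without an auth-status hook a wrong password leaves ret at whatever the last failing krb5_decrypt_EncryptedData call returned before the `continue`, and the error code the client sees depends on the database backend rather than on the outcome. Keep the hook optional but the result code unconditional: `if (invalidPassword) { if (r->clientdb->hdb_auth_status) r->clientdb->hdb_auth_status(r->context, r->clientdb, r->client, HDB_AUTH_WRONG_PASSWORD); ret = KRB5KDC_ERR_PREAUTH_FAILED; }`. The removed `if (i < r->client->entry.keys.len)` guard also covered a loop that ends without any decrypt attempt; whether ret is guaranteed non-zero on that path now depends on code before the hunk, and it is worth confirming, since reaching `out` with ret == 0 would read as successful pre-authentication. The enclosing function and the key loop header both start outside the hunks shown here.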
@@ -84,6 +84,7 @@ echo "Doing database check"
${kadmin} check ${R} || exit 1
echo foo > ${objdir}/foopassword
echo bar > ${objdir}/barpassword
echo Starting kdc ; > messages.log
env MallocStackLogging=1 MallocStackLoggingNoCompact=1 MallocErrorAbort=1 MallocLogFile=${objdir}/malloc-log \
@@ -129,6 +130,11 @@ ${kinit} --fast-armor-cache=${acache} \
--password-file=${objdir}/foopassword foo@$R || \
{ ec=1 ; eval "${testfailed}"; }
echo "Getting client initial tickets with FAST armor ticket [failure]"; > messages.log
${kinit} --fast-armor-cache=${acache} \
--password-file=${objdir}/barpassword foo@$R 2>/dev/null && \
{ ec=1 ; eval "${testfailed}"; }
echo "Checking for FAST avail (in the FAST acquired cache)"; > messages.log
${klist} --hidden | grep fast_avail > /dev/null || { exit 1; }
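Review bot: The new failure case at `--password-file=${objdir}/barpassword` only asserts that kinit exits non-zero, which it also does when the KDC is unreachable or the armor cache is unusable, so it does not show that the wrong-password branch in pa_enc_chal_validate was actually taken. Since that branch logs `Failed to decrypt ENC-CHAL` and messages.log is truncated at the start of this step, a follow-up check would pin it: `grep "Failed to decrypt ENC-CHAL" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }`. Whether that message reaches messages.log depends on the kdc log level configured outside this script, so confirm it before relying on the check.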