diff --git a/lib/krb5/init_creds_pw.c b/lib/krb5/init_creds_pw.c index 4fd7158f5..3bb04130a 100644 --- a/lib/krb5/init_creds_pw.c +++ b/lib/krb5/init_creds_pw.c @@ -701,8 +701,7 @@ change_password (krb5_context context, strlcpy (newpw, buf1, newpw_sz); ret = 0; } else { - ret = ENOTTY; - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret = KRB5_CHPW_FAIL, N_("failed changing password: %s", ""), p); } free (p); @@ -2954,6 +2953,19 @@ krb5_init_creds_set_fast_anon_pkinit(krb5_context context, return 0; } +KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL +_krb5_init_creds_set_fast_anon_pkinit_optimistic(krb5_context context, + krb5_init_creds_context ctx) +{ + if (ctx->fast_state.armor_ccache) + return EINVAL; + + ctx->fast_state.flags |= KRB5_FAST_REQUIRED; + ctx->fast_state.flags |= KRB5_FAST_ANON_PKINIT_ARMOR; + ctx->fast_state.flags |= KRB5_FAST_OPTIMISTIC; + return 0; +} + static size_t available_padata_count(METHOD_DATA *md) { @@ -3350,16 +3362,6 @@ init_creds_step(krb5_context context, goto out; } - if ((ctx->fast_state.flags & KRB5_FAST_OPTIMISTIC) == 0) { - _krb5_debug(context, 10, "Preauth failed"); - goto out; - } - - _krb5_debug(context, 10, "preauth failed with optimistic FAST, trying w/o FAST"); - - ctx->fast_state.flags &= ~KRB5_FAST_OPTIMISTIC; - ctx->fast_state.flags |= KRB5_FAST_DISABLED; - retry: pa_restart(context, ctx); @@ -3368,6 +3370,8 @@ init_creds_step(krb5_context context, "Some other error %d failed with optimistic FAST, trying w/o FAST", ret); ctx->fast_state.flags &= ~KRB5_FAST_OPTIMISTIC; + ctx->fast_state.flags &= ~KRB5_FAST_REQUIRED; + ctx->fast_state.flags &= ~KRB5_FAST_ANON_PKINIT_ARMOR; ctx->fast_state.flags |= KRB5_FAST_DISABLED; pa_restart(context, ctx); } else { @@ -3483,9 +3487,15 @@ krb5_init_creds_step(krb5_context context, ctx->fast_state.armor_ccache == NULL) { ret = _krb5_fast_anon_pkinit_step(context, ctx, &ctx->fast_state, in, out, hostinfo, flags); - if (ret || - ((*flags & KRB5_INIT_CREDS_STEP_FLAG_CONTINUE) == 0) || - out->length) + if (ret && (ctx->fast_state.flags & KRB5_FAST_OPTIMISTIC)) { + _krb5_debug(context, 5, "Preauth failed with optimistic " + "FAST, trying w/o FAST"); + ctx->fast_state.flags &= ~KRB5_FAST_OPTIMISTIC; + ctx->fast_state.flags &= ~KRB5_FAST_REQUIRED; + ctx->fast_state.flags &= ~KRB5_FAST_ANON_PKINIT_ARMOR; + } else if (ret || + ((*flags & KRB5_INIT_CREDS_STEP_FLAG_CONTINUE) == 0) || + out->length) return ret; in = ∅ diff --git a/lib/krb5/libkrb5-exports.def.in b/lib/krb5/libkrb5-exports.def.in index 245f4b1bf..e016c3bec 100644 --- a/lib/krb5/libkrb5-exports.def.in +++ b/lib/krb5/libkrb5-exports.def.in @@ -857,6 +857,7 @@ EXPORTS krb5_init_creds_get_error krb5_init_creds_init krb5_init_creds_set_fast_anon_pkinit + _krb5_init_creds_set_fast_anon_pkinit_optimistic krb5_init_creds_set_fast_ccache krb5_init_creds_set_keytab krb5_init_creds_set_kdc_hostname diff --git a/lib/krb5/version-script.map b/lib/krb5/version-script.map index ce2783c35..b325c121b 100644 --- a/lib/krb5/version-script.map +++ b/lib/krb5/version-script.map @@ -842,6 +842,7 @@ HEIMDAL_KRB5_2.0 { krb5_init_creds_init; krb5_init_creds_set_service; krb5_init_creds_set_fast_anon_pkinit; + _krb5_init_creds_set_fast_anon_pkinit_optimistic; krb5_init_creds_set_fast_ccache; krb5_init_creds_set_keytab; krb5_init_creds_set_kdc_hostname;