krb5: Add GIC optimistic FAST w/ anon

This commit is contained in:
Nicolas Williams
2021-12-15 15:49:54 -06:00
committed by Luke Howard
parent ca71e365ec
commit 944e12e103
3 changed files with 27 additions and 15 deletions


@@ -701,8 +701,7 @@ change_password (krb5_context context,
strlcpy (newpw, buf1, newpw_sz); strlcpy (newpw, buf1, newpw_sz);
ret = 0; ret = 0;
} else { } else {
ret = ENOTTY; krb5_set_error_message(context, ret = KRB5_CHPW_FAIL,
krb5_set_error_message(context, ret,
N_("failed changing password: %s", ""), p); N_("failed changing password: %s", ""), p);
} }
free (p); free (p);
@@ -2954,6 +2953,19 @@ krb5_init_creds_set_fast_anon_pkinit(krb5_context context,
return 0; return 0;
} }
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_init_creds_set_fast_anon_pkinit_optimistic(krb5_context context,
krb5_init_creds_context ctx)
{
if (ctx->fast_state.armor_ccache)
return EINVAL;
ctx->fast_state.flags |= KRB5_FAST_REQUIRED;
ctx->fast_state.flags |= KRB5_FAST_ANON_PKINIT_ARMOR;
ctx->fast_state.flags |= KRB5_FAST_OPTIMISTIC;
return 0;
}
static size_t static size_t
available_padata_count(METHOD_DATA *md) available_padata_count(METHOD_DATA *md)
{ {
@@ -3350,16 +3362,6 @@ init_creds_step(krb5_context context,
goto out; goto out;
} }
if ((ctx->fast_state.flags & KRB5_FAST_OPTIMISTIC) == 0) {
_krb5_debug(context, 10, "Preauth failed");
goto out;
}
_krb5_debug(context, 10, "preauth failed with optimistic FAST, trying w/o FAST");
ctx->fast_state.flags &= ~KRB5_FAST_OPTIMISTIC;
ctx->fast_state.flags |= KRB5_FAST_DISABLED;
retry: retry:
pa_restart(context, ctx); pa_restart(context, ctx);
@@ -3368,6 +3370,8 @@ init_creds_step(krb5_context context,
"Some other error %d failed with optimistic FAST, trying w/o FAST", ret); "Some other error %d failed with optimistic FAST, trying w/o FAST", ret);
ctx->fast_state.flags &= ~KRB5_FAST_OPTIMISTIC; ctx->fast_state.flags &= ~KRB5_FAST_OPTIMISTIC;
ctx->fast_state.flags &= ~KRB5_FAST_REQUIRED;
ctx->fast_state.flags &= ~KRB5_FAST_ANON_PKINIT_ARMOR;
ctx->fast_state.flags |= KRB5_FAST_DISABLED; ctx->fast_state.flags |= KRB5_FAST_DISABLED;
pa_restart(context, ctx); pa_restart(context, ctx);
} else { } else {
@@ -3483,7 +3487,13 @@ krb5_init_creds_step(krb5_context context,
ctx->fast_state.armor_ccache == NULL) { ctx->fast_state.armor_ccache == NULL) {
ret = _krb5_fast_anon_pkinit_step(context, ctx, &ctx->fast_state, ret = _krb5_fast_anon_pkinit_step(context, ctx, &ctx->fast_state,
in, out, hostinfo, flags); in, out, hostinfo, flags);
if (ret || if (ret && (ctx->fast_state.flags & KRB5_FAST_OPTIMISTIC)) {
_krb5_debug(context, 5, "Preauth failed with optimistic "
"FAST, trying w/o FAST");
ctx->fast_state.flags &= ~KRB5_FAST_OPTIMISTIC;
ctx->fast_state.flags &= ~KRB5_FAST_REQUIRED;
ctx->fast_state.flags &= ~KRB5_FAST_ANON_PKINIT_ARMOR;
} else if (ret ||
((*flags & KRB5_INIT_CREDS_STEP_FLAG_CONTINUE) == 0) || ((*flags & KRB5_INIT_CREDS_STEP_FLAG_CONTINUE) == 0) ||
out->length) out->length)
return ret; return ret;
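Review bot: The optimistic fallback in the krb5_init_creds_step hunk clears KRB5_FAST_OPTIMISTIC, KRB5_FAST_REQUIRED and KRB5_FAST_ANON_PKINIT_ARMOR but, unlike the equivalent fallback in init_creds_step a few hunks earlier, does not set `ctx->fast_state.flags |= KRB5_FAST_DISABLED;`, so the two downgrade paths leave fast_state in different states. It also falls through with the non-zero `ret` from _krb5_fast_anon_pkinit_step still live; unless the code after the hunk unconditionally reassigns it (not visible here), add `ret = 0;` after the flag clearing so the armor failure is not later returned as if the retried exchange had failed. This path is a deliberate security downgrade that an on-path attacker can trigger by making the anonymous PKINIT armor exchange fail, after which the AS-REQ proceeds without FAST and any password-derived pre-authentication data is exposed to offline guessing, yet the level-5 `_krb5_debug` call is the only visible trace. Consider a warning-level message and a doc comment on _krb5_init_creds_set_fast_anon_pkinit_optimistic stating that the "required" flag it sets is relaxed whenever armor acquisition fails. krb5_init_creds_step continues outside the hunk.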


@@ -857,6 +857,7 @@ EXPORTS
krb5_init_creds_get_error krb5_init_creds_get_error
krb5_init_creds_init krb5_init_creds_init
krb5_init_creds_set_fast_anon_pkinit krb5_init_creds_set_fast_anon_pkinit
_krb5_init_creds_set_fast_anon_pkinit_optimistic
krb5_init_creds_set_fast_ccache krb5_init_creds_set_fast_ccache
krb5_init_creds_set_keytab krb5_init_creds_set_keytab
krb5_init_creds_set_kdc_hostname krb5_init_creds_set_kdc_hostname


@@ -842,6 +842,7 @@ HEIMDAL_KRB5_2.0 {
krb5_init_creds_init; krb5_init_creds_init;
krb5_init_creds_set_service; krb5_init_creds_set_service;
krb5_init_creds_set_fast_anon_pkinit; krb5_init_creds_set_fast_anon_pkinit;
_krb5_init_creds_set_fast_anon_pkinit_optimistic;
krb5_init_creds_set_fast_ccache; krb5_init_creds_set_fast_ccache;
krb5_init_creds_set_keytab; krb5_init_creds_set_keytab;
krb5_init_creds_set_kdc_hostname; krb5_init_creds_set_kdc_hostname;
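Review bot: `_krb5_init_creds_set_fast_anon_pkinit_optimistic;` is added to the HEIMDAL_KRB5_2.0 version node, yet its leading-underscore name is the library's marker for internal helpers while its placement next to krb5_init_creds_set_fast_anon_pkinit and its KRB5_LIB_FUNCTION declaration make it look like public API. If the entry point is intended for external callers, it should be named `krb5_init_creds_set_fast_anon_pkinit_optimistic` with a doc comment describing the fallback-to-no-FAST behaviour; if it is meant only for in-tree tools, a comment in the version script noting that it is not a stable interface would avoid third parties depending on the exported symbol.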