oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

lib/krb5: Do not re-send the AS-REQ if fast was disabled

Browse Source 
Without this, in an AS-REQ that has no local key for FAST
we would send the AS-REQ again, which can bump the bad
password count on the KDC twice.

So only try again if FAST was actually tried.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Andrew Bartlett
2018-09-18 19:08:10 -07:00
committed by Nico Williams
parent 4279b467cb
commit de4fbc9514
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
lib/krb5/init_creds_pw.c
View File

@@ -2414,6 +2414,9 @@ krb5_init_creds_step(krb5_context context,
if (ctx->fast_state.flags & KRB5_FAST_DISABLED) if (ctx->fast_state.flags & KRB5_FAST_DISABLED)
goto out; goto out;
if (!(ctx->fast_state.flags & KRB5_FAST_EXPECTED)) {
goto out;
}
if (ctx->fast_state.flags & (KRB5_FAST_REQUIRED | KRB5_FAST_EXPECTED)) if (ctx->fast_state.flags & (KRB5_FAST_REQUIRED | KRB5_FAST_EXPECTED))
goto out; goto out;