[29498] in CVS-changelog-for-Kerberos-V5

home help back first fref pref prev next nref lref last post

krb5 commit [krb5-1.14]: Fix error code on clpreauth module failure

daemon@ATHENA.MIT.EDU (Tom Yu)
Tue Jul 19 18:45:47 2016

Date: Tue, 19 Jul 2016 18:45:43 -0400
From: Tom Yu <tlyu@mit.edu>
Message-Id: <201607192245.u6JMjhmA028985@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/857b82485a67094bbb2d73eb7572366878a4a9a9
commit 857b82485a67094bbb2d73eb7572366878a4a9a9
Author: Greg Hudson <ghudson@mit.edu>
Date:   Tue Jul 19 10:52:06 2016 -0400

    Fix error code on clpreauth module failure
    
    Commit 632260bd1fccfb420f0827b59c85c329203eafc9 (ticket #7517) allows
    better error reporting for some client pre-authentication failures.
    However, it breaks an assumption in the S4U2Self code that such errors
    can be recognized by the KRB5_PREAUTH_FAILED error code.  Instead of
    passing through the error code reported by the first real preauth
    module, wrap that error and return KRB5_PREAUTH_FAILED.
    
    (cherry picked from commit 560e11dabb63b141df29c54aaa2e120309a1e021)
    
    ticket: 8457
    version_fixed: 1.14.3

 src/lib/krb5/krb/preauth2.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index 783bb31..ca26fb0 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -638,8 +638,12 @@ process_pa_data(krb5_context context, krb5_init_creds_context ctx,
 
     if (must_preauth) {
         /* No real preauth types succeeded and we needed to preauthenticate. */
-        ret = (save.code != 0) ? k5_restore_ctx_error(context, &save) :
-            KRB5_PREAUTH_FAILED;
+        if (save.code != 0) {
+            ret = k5_restore_ctx_error(context, &save);
+            k5_wrapmsg(context, ret, KRB5_PREAUTH_FAILED,
+                       _("Pre-authentication failed"));
+        }
+        ret = KRB5_PREAUTH_FAILED;
     }
 
 cleanup:
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
home help back first fref pref prev next nref lref last post