author | Love Hörnquist Åstrand <lha@h5l.org> | 2015-04-28 08:54:03 -0700 |
---|---|---|
committer | Love Hörnquist Åstrand <lha@h5l.org> | 2015-04-28 08:54:24 -0700 |
commit | 4c98e27edaae75208637c927cd7d142d7665d4c1 (patch) | |
tree | 6cac0628af7f7db6c0ebb87d2a707e006eccbada | |
parent | 3d469d738650958a929bf129f530fddcf6d7296f (diff) |
call hdb_auth_status when password is wrong in the ENC-CHAL case too, thanks Andrew Bartlett for pointing this out
-rw-r--r-- | kdc/kerberos5.c | 36 | ||||
-rw-r--r-- | tests/kdc/check-fast.in | 6 |
2 files changed, 38 insertions, 4 deletions
diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index f93a0108b..4c1964c24 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -423,6 +423,7 @@ pa_enc_chal_validate(kdc_request_t r, const PA_DATA *pa)
 {
 krb5_data pepper1, pepper2, ts_data;
 KDC_REQ_BODY *b = &r->req.req_body;
+ int invalidPassword = 0;
 EncryptedData enc_data;
 krb5_enctype aenctype;
 krb5_error_code ret;
@@ -483,8 +484,24 @@ pa_enc_chal_validate(kdc_request_t r, const PA_DATA *pa)
 KRB5_KU_ENC_CHALLENGE_CLIENT, &enc_data, &ts_data);
- if (ret)
+ if (ret) {
+ const char *msg = krb5_get_error_message(r->context, ret);
+ krb5_error_code ret2;
+ char *str = NULL;
+
+ invalidPassword = 1;
+
+ ret2 = krb5_enctype_to_string(r->context, k->key.keytype, &str);
+ if (ret2)
+ str = NULL;
+ _kdc_r_log(r, 5, "Failed to decrypt ENC-CHAL -- %s "
+ "(enctype %s) error %s",
+ r->client_name, str ? str : "unknown enctype", msg);
+ krb5_free_error_message(r->context, msg);
+ free(str);
+ continue;
+ }
 ret = decode_PA_ENC_TS_ENC(ts_data.data, ts_data.length,
@@ -533,10 +550,20 @@ pa_enc_chal_validate(kdc_request_t r, const PA_DATA *pa)
 if (ret) goto out;
- break;
+ /*
+ * Success
+ */
+ if (r->clientdb->hdb_auth_status)
+ r->clientdb->hdb_auth_status(r->context, r->clientdb, r->client,
+ HDB_AUTH_SUCCESS);
+ goto out;
 }
- if (i < r->client->entry.keys.len)
+
+ if (invalidPassword && r->clientdb->hdb_auth_status) {
+ r->clientdb->hdb_auth_status(r->context, r->clientdb, r->client,
+ HDB_AUTH_WRONG_PASSWORD);
 ret = KRB5KDC_ERR_PREAUTH_FAILED;
+ }
 out:
 free_EncryptedData(&enc_data);
@@ -1832,9 +1859,10 @@ _kdc_as_rep(kdc_request_t r,
 goto out;
 }
- if (r->clientdb->hdb_auth_status)
+ if (r->clientdb->hdb_auth_status) {
 r->clientdb->hdb_auth_status(context, r->clientdb, r->client, HDB_AUTH_SUCCESS);
+ }
 /*
 * Verify flags after the user been required to prove its identity
diff --git a/tests/kdc/check-fast.in b/tests/kdc/check-fast.in
index 79e18554d..3027ae1ab 100644
--- a/tests/kdc/check-fast.in
+++ b/tests/kdc/check-fast.in
@@ -84,6 +84,7 @@ echo "Doing database check"
 ${kadmin} check ${R} || exit 1
 echo foo > ${objdir}/foopassword
+echo bar > ${objdir}/barpassword
 echo Starting kdc ; > messages.log
 env MallocStackLogging=1 MallocStackLoggingNoCompact=1 MallocErrorAbort=1 MallocLogFile=${objdir}/malloc-log \
@@ -129,6 +130,11 @@ ${kinit} --fast-armor-cache=${acache} \
 --password-file=${objdir}/foopassword foo@$R || \
 { ec=1 ; eval "${testfailed}"; }
+echo "Getting client initial tickets with FAST armor ticket [failure]"; > messages.log
+${kinit} --fast-armor-cache=${acache} \
+ --password-file=${objdir}/barpassword foo@$R 2>/dev/null && \
+ { ec=1 ; eval "${testfailed}"; }
+
 echo "Checking for FAST avail (in the FAST acquired cache)"; > messages.log
 ${klist} --hidden | grep fast_avail > /dev/null || { exit 1; } |
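Review bot: In the third kerberos5.c hunk the new `if (invalidPassword && r->clientdb->hdb_auth_status) {` block now encloses the pre-existing `ret = KRB5KDC_ERR_PREAUTH_FAILED;`, so an HDB backend that provides no `hdb_auth_status` hook no longer maps a wrong password to KRB5KDC_ERR_PREAUTH_FAILED at all; `ret` is left holding the error of the last decryption attempt that took the `continue` path in the second hunk. That makes the error code the client sees depend on the backend and, presumably, returns the raw decryption error in place of the generic preauth failure. Test the flag on its own and keep only the hook call conditional on the hook being present, as below. The loop header and the rest of pa_enc_chal_validate are outside these hunks, so the loop's other exit paths could not be checked here.
```c
    if (invalidPassword) {
	if (r->clientdb->hdb_auth_status)
	    r->clientdb->hdb_auth_status(r->context, r->clientdb, r->client,
					 HDB_AUTH_WRONG_PASSWORD);
	ret = KRB5KDC_ERR_PREAUTH_FAILED;
    }
 out:
    /* … unchanged: cleanup … */
```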
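Review bot: The negative test added in the second hunk passes whenever `${kinit}` exits non-zero, and the `2>/dev/null` on the `--password-file=${objdir}/barpassword` line discards the only evidence of why it failed, so an unreachable or crashed KDC is indistinguishable from the intended wrong-password rejection. Capture stderr to a scratch file under `${objdir}` instead of `/dev/null` and assert on the rejection itself, for example by grepping that file for the preauthentication failure, or by grepping messages.log for the KDC's new "Failed to decrypt ENC-CHAL" log line so the test proves the code path this commit touches is the one that fired. Whether messages.log receives that level-5 KDC log line in this harness is not visible from the hunk.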