Ticket History #7571: Allow multi-hop SAM-2 exchanges

# Tue Feb 19 12:12:53 2013 ghudson@mit.edu (Greg Hudson) - Ticket created

From:	ghudson@mit.edu
Subject:	SVN Commit

Download (untitled) / with headers
text/plain 639B

Allow multi-hop SAM-2 exchanges

Prior to 1.11, it was possible to do SAM-2 preauth exchanges with
multiple hops by sending repeated preauth-required errors with
different challenges (which is not the way multi-hop exchanges are
described in RFC 6113, but it can still work). This stopped working
when SAM-2 was converted to a built-in module. Make it work again.

https://github.com/krb5/krb5/commit/f20a77e879d203cdcb1bdbf9dc8e604a5187c88f
Author: Greg Hudson <ghudson@mit.edu>
Commit: f20a77e879d203cdcb1bdbf9dc8e604a5187c88f
Branch: master
src/lib/krb5/krb/preauth2.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)

# Tue Feb 19 12:12:54 2013 ghudson@mit.edu (Greg Hudson) - Requestor ghudson@mit.edu (Greg Hudson) added

# Tue Feb 19 12:12:54 2013 ghudson@mit.edu (Greg Hudson) - Status changed from 'new' to 'review'

# Tue Feb 19 12:12:54 2013 ghudson@mit.edu (Greg Hudson) - Tags pullup added

# Tue Feb 19 12:12:54 2013 ghudson@mit.edu (Greg Hudson) - Target_Version 1.11.1 added

# Tue Feb 19 12:27:57 2013 ghudson@mit.edu (Greg Hudson) - Comments added

Download (untitled) / with headers
text/plain 131B

The preauth code was substantially different in 1.11 than it is in master.
Here is a patch against 1.11 (which Garry has tested).

Download patch.txt
text/plain 1.1KiB

commit 51c14a1f30cdfcfff8815f02e72c2ee841b16120
Author: Greg Hudson <ghudson@mit.edu>
Date: Sun Feb 17 12:23:30 2013 -0500

Allow multi-hop SAM-2 exchanges

Prior to 1.11, it was possible to do SAM-2 preauth exchanges with
multiple hops by sending repeated preauth-required errors with
different challenges (which is not the way multi-hop exchanges are
described in RFC 6113, but it can still work). This stopped working
when SAM-2 was converted to a built-in module because of the use_count
field. Disable the use count for SAM-2 specifically.

diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index 23f00f3..4e235bd 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -590,7 +590,8 @@ run_preauth_plugins(krb5_context kcontext,
TRACE_PREAUTH_SKIP(kcontext, module->name, module->pa_type);
continue;
}
- module->use_count++;
+ if (module->pa_type != KRB5_PADATA_SAM_CHALLENGE_2)
+ module->use_count++;
}
/* run the module's callback function */
out_pa_data = NULL;

# Tue Feb 19 16:31:55 2013 tlyu (Taylor Yu) - Status changed from 'review' to 'resolved'

# Tue Feb 19 16:31:56 2013 tlyu (Taylor Yu) - Version_Fixed 1.11.1 added

# Tue Feb 19 16:31:56 2013 tlyu (Taylor Yu) - Correspondence added

From:	tlyu@mit.edu
Subject:	SVN Commit

Download (untitled) / with headers
text/plain 730B

Allow multi-hop SAM-2 exchanges

Prior to 1.11, it was possible to do SAM-2 preauth exchanges with
multiple hops by sending repeated preauth-required errors with
different challenges (which is not the way multi-hop exchanges are
described in RFC 6113, but it can still work). This stopped working
when SAM-2 was converted to a built-in module because of the use_count
field. Disable the use count for SAM-2 specifically.

https://github.com/krb5/krb5/commit/370572d682c569c21a7d6a94080237e131b38664
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 370572d682c569c21a7d6a94080237e131b38664
Branch: krb5-1.11
src/lib/krb5/krb/preauth2.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)

# Wed Dec 16 18:03:00 2015 tlyu (Taylor Yu) - CustomField pullup deleted