Skip Menu |

Subject: Interleaved init_creds operations use same per-request preauth context
In preauth2.c, krb5_preauth_context_st mixes context-global preauth data
with per-request data. The "tried" field of krb5_preauth_context_st and
the "req" field of clpreauth_handle are per-request, while the "vt" and
"data" fields of clpreauth_handle are context-global.

Alll of this information is managed out of krb5_context, not
krb5_init_creds_context. So if a caller interleaves
krb5_init_creds_init/krb5_init_creds_step for different
krb5_init_creds_context objects with the same krb5_context object, both
operations will use the same per-request preauth data, likely causing one
or both operations to fail.

The per-request information should be separated out and managed out of
Subject: git commit

Properly scope per-request preauth data

It should be possible to successfully use multiple initial credentials
contexts with the same library context. Create a new internal type
krb5_preauth_req_context containing per-request preauth state,
including the clpreauth modreq handles and the list of preauth types
already tried. Remove this state from clpreauth_handle and
Author: Greg Hudson <>
Commit: b061f419cfc9653b7549b905e54fbbd78deea49e
Branch: master
src/include/k5-trace.h | 3 +
src/lib/krb5/krb/get_in_tkt.c | 12 +-
src/lib/krb5/krb/init_creds_ctx.h | 3 +
src/lib/krb5/krb/int-proto.h | 8 +-
src/lib/krb5/krb/preauth2.c | 190 +++++++++++++++++++++++--------------
5 files changed, 135 insertions(+), 81 deletions(-)
Subject: git commit

Add tests for per-request preauth data scoping

Add a test harness which interleaves calls for multiple initial creds
contexts using the same library context. Add a test case to using the new harness and the test preauth module to
verify that modreq pointers are correctly tracked.
Author: Greg Hudson <>
Commit: c0b25fe282355d4f329418956b9c6295780af633
Branch: master
.gitignore | 1 +
src/tests/ | 23 +++++---
src/tests/icinterleave.c | 124 ++++++++++++++++++++++++++++++++++++++++++++++
src/tests/ | 13 +++++
4 files changed, 152 insertions(+), 9 deletions(-)
Subject: git commit

Document and check init_creds context requirement

To ensure that the same clpreauth plugin modules and moddata pointers
are used for each step of an initial creds operation, the caller must
use the same library context for krb5_init_creds_init(),
krb5_init_creds_step(), and krb5_init_creds_free(). Document and
enforce this requirement.
Author: Greg Hudson <>
Commit: c4beb35c9ac0711ef650abc4f1e44a4c82d5f3d0
Branch: master
src/include/krb5/krb5.hin | 13 +++++++++++++
src/lib/krb5/krb/get_in_tkt.c | 6 +++++-
src/lib/krb5/krb/int-proto.h | 3 +++
src/lib/krb5/krb/preauth2.c | 13 +++++++++++++
4 files changed, 34 insertions(+), 1 deletions(-)