[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: preauth_always option?

Just playing devil's advocate, without thinking much about it, do we  
do the "right" thing if the kdc in question decides to fudge the spec  
and e.g. returns PREAUTH_REQUIRED in some state other than 2?  Are  
there other states than 3 where we ought to respond similarly to  
PREAUTH_FAILED?

Thinking just a tiny bit more:  seems like we ought to test for those  
error returns on the outside and do just enough state-checking on the  
inside to guarantee we don't infinite-loop.  Without going all the way  
to pseudo-code I can't say if that results in a practical difference  
or not.

My first reaction was that the state machine was too complex, but I  
now agree with you that it's a good idea.

I'd suggest making the state an enum would improve readability.

On Jun 8, 2008, at 2:16 PM, Michael B Allen wrote:

> On Wed, 28 May 2008 16:15:45 -0400
> Michael B Allen <miallen@ioplex.com> wrote:
>
>> If not I'll make one and post it but I was hoping someone else had  
>> done
>> this already.
>
> I'm not in my environment right so I can't supply a real patch yet but
> here's the pseudocode that will be the basis for it:
>
>  get_in_cred(padata)
>  {
>      error = 0;
>      state = padata != NULL ? 1 : 2;
>
>      do {
>          done = 1;
>
>          switch (state) {
>              case 1: /* PA supplied as param */
>                  break;
>              case 2: /* Try optimistic PA */
>                  padata = make_optimistic_padata();
>                  if (pdata) {
>                      break;
>                  }
>                  /* Cannot determine suitable optimistic
>                   * padata, fall through to no PA
>                   */
>                  state = 3;
>              case 3: /* No PA */
>                  break;
>              case 4: /* Extract from ETYPE_INFO */
>                  padata = extract_etype_info_padata();
>                  break;
>          }
>
>          sendto_kdc(req, rep);
>
>          if (error) {
>              if (state == 2) {
>                  if (error == PREAUTH_FAILED) {
>                      /* Optimistic PA failed, try no PA to get  
> ETYPE_INFO */
>                      state = 3;
>                      done = 0;
>                  }
>              } else if (state == 3) {
>                  if (error == PREAUTH_REQUIRED) {
>                      if (is_etype_info_present) {
>                          /* Try PA from ETYPE_INFO */
>                          state = 4;
>                          done = 0;
>                      }
>                  }
>              }
>          }
>      } while (!done);
>
>      return error;
>  }
>
> One could argue that the state machine isn't necessary but, for the  
> long
> term, I think it is warranted here.
>
> Mike
>
> -- 
> Michael B Allen
> PHP Active Directory SPNEGO SSO
> http://www.ioplex.com/



------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu