50 lines
1.7 KiB
Diff
50 lines
1.7 KiB
Diff
Every KRB-PRIV message we generate to include as part of a password change
|
|
request we create (after the first one) will include sequence numbers which
|
|
look "wrong" to the recipient, because previously generating other KRB-PRIV
|
|
messages will mess with the counters in the auth_context. Because the
|
|
current code attempts to reuse auth_context structures (and changing that
|
|
would be more invasive), we'll just save the sequence number values as they
|
|
are after we build the AP-REQ, and restore them before generating requests.
|
|
RT#5867.
|
|
|
|
Index: src/lib/krb5/os/changepw.c
|
|
===================================================================
|
|
--- src/lib/krb5/os/changepw.c (revision 20195)
|
|
+++ src/lib/krb5/os/changepw.c (working copy)
|
|
@@ -34,6 +34,7 @@
|
|
#include "k5-int.h"
|
|
#include "os-proto.h"
|
|
#include "cm.h"
|
|
+#include "../krb/auth_con.h"
|
|
|
|
#include <stdio.h>
|
|
#include <errno.h>
|
|
@@ -48,6 +49,7 @@
|
|
krb5_principal set_password_for;
|
|
char *newpw;
|
|
krb5_data ap_req;
|
|
+ krb5_ui_4 remote_seq_num, local_seq_num;
|
|
};
|
|
|
|
|
|
@@ -159,6 +161,9 @@
|
|
&local_kaddr, NULL)))
|
|
goto cleanup;
|
|
|
|
+ ctx->auth_context->remote_seq_number = ctx->remote_seq_num;
|
|
+ ctx->auth_context->local_seq_number = ctx->local_seq_num;
|
|
+
|
|
if (ctx->set_password_for)
|
|
code = krb5int_mk_setpw_req(ctx->context,
|
|
ctx->auth_context,
|
|
@@ -225,6 +230,9 @@
|
|
&callback_ctx.ap_req)))
|
|
goto cleanup;
|
|
|
|
+ callback_ctx.remote_seq_num = callback_ctx.auth_context->remote_seq_number;
|
|
+ callback_ctx.local_seq_num = callback_ctx.auth_context->local_seq_number;
|
|
+
|
|
do {
|
|
if ((code = krb5_locate_kpasswd(callback_ctx.context,
|
|
krb5_princ_realm(callback_ctx.context,
|