From 995fa59fac53f8e2e6fb987e0e29a5ae3a4bbf38 Mon Sep 17 00:00:00 2001
From: Sai Sandeep Rangisetti
Date: Tue, 10 Mar 2026 12:53:37 +0530
Subject: [PATCH] Fixed a preauth validation issue

If preauth is required, users can bypass it by sending an unknown preauth data entry. this is because we are only checking if preauth is present and not whether at least one preauth is valid
---
 .../kerb/server/preauth/PreauthHandle.java | 4 ++--
 .../kerb/server/preauth/PreauthHandler.java | 7 ++++---
 .../kerb/server/request/KdcRequest.java | 20 +++++++++----------
 3 files changed, 15 insertions(+), 16 deletions(-)

diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandle.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandle.java
index acbaccb91..9a76cbc31 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandle.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandle.java
@@ -42,8 +42,8 @@ public void provideEdata(KdcRequest kdcRequest, PaData outPaData) throws KrbExce
         preauth.provideEdata(kdcRequest, requestContext, outPaData);
     }
 
-    public void verify(KdcRequest kdcRequest, PaDataEntry paData) throws KrbException {
-        preauth.verify(kdcRequest, requestContext, paData);
+    public boolean verify(KdcRequest kdcRequest, PaDataEntry paData) throws KrbException {
+        return preauth.verify(kdcRequest, requestContext, paData);
     }
 
     public void providePaData(KdcRequest kdcRequest, PaData paData) {
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandler.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandler.java
index b9482d5da..4284dcb94 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandler.java
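Review bot: The boolean that `verify` now returns carries no documentation, yet `PreauthHandler.verify` treats a single `true` as proof that the client pre-authenticated, so its meaning is a security contract that should be written down on this method. I would add a Javadoc along the lines of `/** @return true only if this pa-data entry was positively verified by the preauth mechanism; false if the mechanism did not authenticate the client. @throws KrbException if the entry is malformed or verification fails outright. */`, adjusted to whatever `KdcPreauth.verify` (not part of this patch) actually guarantees. Since the hunk only forwards `preauth.verify(...)`, that underlying method is presumably already boolean-returning; it is worth confirming that every implementation returns false, not true, on its "nothing to check" path, because the caller cannot distinguish the two. The enclosing class continues outside this hunk.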
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandler.java
@@ -94,13 +94,14 @@ public void provideEdata(KdcRequest kdcRequest, PaData outPaData) throws KrbExce
             }
         }
 
-    public void verify(KdcRequest kdcRequest, PaData paData) throws KrbException {
+    public boolean verify(KdcRequest kdcRequest, PaData paData) throws KrbException {
         for (PaDataEntry paEntry : paData.getElements()) {
             PreauthHandle handle = findHandle(kdcRequest, paEntry.getPaDataType());
-            if (handle != null) {
-                handle.verify(kdcRequest, paEntry);
+            if (handle != null && handle.verify(kdcRequest, paEntry)) {
+                return true;
             }
         }
+        return false;
     }
 
     public void providePaData(KdcRequest kdcRequest, PaData paData) {
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
index 9fe331a70..b9d873ea6 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
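Review bot: A pa-data entry whose type has no handler (`handle == null`) is still skipped silently, and an unknown entry is exactly the bypass vector this commit closes, so the KDC leaves no trace when a client probes with one. I would add a debug-level log naming `paEntry.getPaDataType()` in that branch (if this class has a logger; none is visible in the hunk) so such requests can be spotted in operations. The new contract of `verify` should also be documented, since it now returns on the first entry that verifies and never looks at the rest: `/** @return true if at least one pa-data entry was verified by its handler; entries of unrecognised type are ignored and a KrbException from a handler propagates unchanged. */`. Whether a handler reports a bad entry by returning false or by throwing is not visible here, and the "first true wins" loop only holds up if handlers do not return true on a no-op path.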
@@ -678,18 +678,16 @@ protected void preauth() throws KrbException {
         }
 
         PaData preAuthData = request.getPaData();
-        if (preAuthData == null || preAuthData.isEmpty()) {
-            if (isPreauthRequired()) {
-                LOG.info("The preauth data is empty.");
-                KrbError krbError = makePreAuthenticationError(kdcContext, request,
-                        KrbErrorCode.KDC_ERR_PREAUTH_REQUIRED, false);
-                throw new KdcRecoverableException(krbError);
-            }
-        } else {
-            getPreauthHandler().verify(this, preAuthData);
+        if (preAuthData != null && !preAuthData.isEmpty()) {
+            boolean preAuthenticated = getPreauthHandler().verify(this, preAuthData);
+            setPreAuthenticated(preAuthenticated);
+        }
+        if (isPreauthRequired() && !isPreAuthenticated()) {
+            LOG.info("The preauth verification failed.");
+            KrbError krbError = makePreAuthenticationError(kdcContext, request,
+                    KrbErrorCode.KDC_ERR_PREAUTH_REQUIRED, false);
+            throw new KdcRecoverableException(krbError);
         }
-
-        setPreAuthenticated(true);
     }
 
     /**
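Review bot: `setPreAuthenticated` is only written on the branch where pa-data is present, so for a request with no pa-data the `isPreauthRequired() && !isPreAuthenticated()` check relies on whatever the flag held beforehand; that is presumably the default false, but if anything earlier in `preauth()` (which starts above this hunk) or elsewhere in the request lifecycle can set it, a bare request would satisfy required preauth without any verification. Setting the flag unconditionally from the verification result removes that dependency: `boolean preAuthenticated = preAuthData != null && !preAuthData.isEmpty()`, `        && getPreauthHandler().verify(this, preAuthData);`, `setPreAuthenticated(preAuthenticated);` and then test `!preAuthenticated` in the guard. The single message "The preauth verification failed." now also covers the old "no pa-data at all" case, which is the one an ordinary first-round client produces; keeping the two cases distinguishable in the log (for example by including whether pa-data was present) makes genuine failed attempts easier to pick out from normal PREAUTH_REQUIRED round trips.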