From raeburn at MIT.EDU Mon Mar 2 16:07:00 2009 From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Mon, 2 Mar 2009 16:07:00 -0500 Subject: svn rev #22063: tools/gssmonger/trunk/gssmaster/ Message-ID: <200903022107.n22L701h025320@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22063 Commit By: raeburn Log Message: Don't crash if finishblock is explicitly passed a NULL pointer. Changed Files: U tools/gssmonger/trunk/gssmaster/ezlog_log4cpp.cpp Modified: tools/gssmonger/trunk/gssmaster/ezlog_log4cpp.cpp =================================================================== --- tools/gssmonger/trunk/gssmaster/ezlog_log4cpp.cpp 2009-02-27 18:58:37 UTC (rev 22062) +++ tools/gssmonger/trunk/gssmaster/ezlog_log4cpp.cpp 2009-03-02 21:07:00 UTC (rev 22063) @@ -268,7 +268,7 @@ // Close the specified log4cpp log EZLOGAPI ezFinishBlock( IN OPTIONAL HANDLE handle ) { ezLogMsg(EZLOG_BLOCK, EZ_DEFAULT, "FinishBlock %p(%s)", handle, - ((CatStack *)handle)->cat->getName().data()); + (handle ? ((CatStack *)handle)->cat->getName().data() : "NULL")); CatStack *c2 = cats; cats = c2->parent; delete c2; From raeburn at MIT.EDU Mon Mar 2 16:07:32 2009 From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Mon, 2 Mar 2009 16:07:32 -0500 Subject: svn rev #22064: tools/gssmonger/trunk/gssmaggot/ Message-ID: <200903022107.n22L7Wd3025419@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22064 Commit By: raeburn Log Message: Only print out base of source filename. Changed Files: U tools/gssmonger/trunk/gssmaggot/logging.c Modified: tools/gssmonger/trunk/gssmaggot/logging.c =================================================================== --- tools/gssmonger/trunk/gssmaggot/logging.c 2009-03-02 21:07:00 UTC (rev 22063) +++ tools/gssmonger/trunk/gssmaggot/logging.c 2009-03-02 21:07:32 UTC (rev 22064) 
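Review bot: The NULL guard only protects the log line; the three statements that follow it (`CatStack *c2 = cats; cats = c2->parent; delete c2;`) still pop the global stack unconditionally, so a NULL handle arriving when no block is open (`cats == NULL`) crashes one line later, which is exactly what the commit message says it fixes. An early return before the pop, `if (handle == NULL || cats == NULL) return;` (adjusted to whatever EZLOGAPI returns), would make the claim hold. The popped entry is also never compared with `handle`, so the name that is logged and the block that is deleted can differ if callers finish blocks out of order; that is inferred from the hunk, but a comment stating that `handle` is informational only would settle it.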
@@ -212,10 +212,14 @@ CHAR buffer[ 100 ]; #endif - printf( "%s:%ld: ", - file, - line ); - + { + const char *basename = strrchr(file, '/'); + if (basename) + basename++; + else + basename = file; + printf( "%s:%ld: ", basename, line ); + } StringLength = vfprintf( stdout, fmt, From tsitkova at MIT.EDU Thu Mar 5 11:49:13 2009 From: tsitkova at MIT.EDU (tsitkova@MIT.EDU) Date: Thu, 5 Mar 2009 11:49:13 -0500 Subject: svn rev #22065: trunk/src/lib/crypto/ Message-ID: <200903051649.n25GnDSO031188@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22065 Commit By: tsitkova Log Message: Take out of the loop unchangeble assignments. Tabulation. Changed Files: U trunk/src/lib/crypto/hmac.c Modified: trunk/src/lib/crypto/hmac.c =================================================================== --- trunk/src/lib/crypto/hmac.c 2009-03-02 21:07:32 UTC (rev 22064) +++ trunk/src/lib/crypto/hmac.c 2009-03-05 16:49:12 UTC (rev 22065) @@ -41,7 +41,7 @@ krb5_error_code krb5_hmac(const struct krb5_hash_provider *hash, const krb5_keyblock *key, - unsigned int icount, const krb5_data *input, krb5_data *output) + unsigned int icount, const krb5_data *input, krb5_data *output) { size_t hashsize, blocksize; unsigned char *xorkey, *ihash; 
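Review bot: The new local `basename` shadows the POSIX `basename(3)` function (declared by `<libgen.h>`, and by `<string.h>` under _GNU_SOURCE), which trips `-Wshadow` and invites confusion; `base` or `fname` avoids it. The neighbouring `CHAR buffer[ 100 ]` / `#endif` suggests this file is also built on Windows, where `__FILE__` carries backslashes and `strrchr(file, '/')` leaves the whole path; a second `strrchr(file, '\\')` with `if (bs != NULL && (base == NULL || bs > base)) base = bs;` covers both separators. If `file` can ever be NULL, `strrchr` now dereferences it where the old `printf` merely misbehaved, presumably never the case for a `__FILE__` argument but worth confirming. The enclosing function starts and ends outside the hunk.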
@@ -53,26 +53,26 @@ blocksize = hash->blocksize; if (key->length > blocksize) - return(KRB5_CRYPTO_INTERNAL); + return(KRB5_CRYPTO_INTERNAL); if (output->length < hashsize) - return(KRB5_BAD_MSIZE); + return(KRB5_BAD_MSIZE); /* if this isn't > 0, then there won't be enough space in this array to compute the outer hash */ if (icount == 0) - return(KRB5_CRYPTO_INTERNAL); + return(KRB5_CRYPTO_INTERNAL); /* allocate space for the xor key, hash input vector, and inner hash */ if ((xorkey = (unsigned char *) malloc(blocksize)) == NULL) - return(ENOMEM); + return(ENOMEM); if ((ihash = (unsigned char *) malloc(hashsize)) == NULL) { - free(xorkey); - return(ENOMEM); + free(xorkey); + return(ENOMEM); } if ((hashin = (krb5_data *)malloc(sizeof(krb5_data)*(icount+1))) == NULL) { - free(ihash); - free(xorkey); - return(ENOMEM); + free(ihash); + free(xorkey); + return(ENOMEM); } /* create the inner padded key */ @@ -80,28 +80,27 @@ memset(xorkey, 0x36, blocksize); for (i=0; ilength; i++) - xorkey[i] ^= key->contents[i]; + xorkey[i] ^= key->contents[i]; /* compute the inner hash */ - for (i=0; ihash))(icount+1, hashin, &hashout)))) - goto cleanup; + goto cleanup; /* create the outer padded key */ memset(xorkey, 0x5c, blocksize); for (i=0; ilength; i++) - xorkey[i] ^= key->contents[i]; + xorkey[i] ^= key->contents[i]; /* compute the outer hash */ @@ -112,7 +111,7 @@ output->length = hashsize; if ((ret = ((*(hash->hash))(2, hashin, output)))) - memset(output->data, 0, output->length); + memset(output->data, 0, output->length); /* ret is set correctly by the prior call */ @@ -129,7 +128,7 @@ krb5_error_code krb5int_hmac_iov(const struct krb5_hash_provider *hash, const krb5_keyblock *key, - const krb5_crypto_iov *data, size_t num_data, krb5_data *output) + const krb5_crypto_iov *data, size_t num_data, krb5_data *output) { krb5_data *sign_data; size_t num_sign_data; 
@@ -138,22 +137,22 @@ /* Create a checksum over all the data to be signed */ for (i = 0, num_sign_data = 0; i < num_data; i++) { - const krb5_crypto_iov *iov = &data[i]; + const krb5_crypto_iov *iov = &data[i]; - if (SIGN_IOV(iov)) - num_sign_data++; + if (SIGN_IOV(iov)) + num_sign_data++; } /* XXX cleanup to avoid alloc */ sign_data = (krb5_data *)calloc(num_sign_data, sizeof(krb5_data)); if (sign_data == NULL) - return ENOMEM; + return ENOMEM; for (i = 0, j = 0; i < num_data; i++) { - const krb5_crypto_iov *iov = &data[i]; + const krb5_crypto_iov *iov = &data[i]; - if (SIGN_IOV(iov)) - sign_data[j++] = iov->data; + if (SIGN_IOV(iov)) + sign_data[j++] = iov->data; } /* caller must store checksum in iov as it may be TYPE_TRAILER or TYPE_CHECKSUM */ From raeburn at MIT.EDU Thu Mar 5 15:59:52 2009 From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Thu, 5 Mar 2009 15:59:52 -0500 Subject: svn rev #22066: tools/gssmonger/trunk/gssmaggot/ Message-ID: <200903052059.n25KxqjF015842@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22066 Commit By: raeburn Log Message: use messages.h from ../include Changed Files: D tools/gssmonger/trunk/gssmaggot/messages.h Deleted: tools/gssmonger/trunk/gssmaggot/messages.h From hartmans at MIT.EDU Fri Mar 6 12:26:29 2009 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Fri, 6 Mar 2009 12:26:29 -0500 Subject: svn rev #22067: trunk/src/lib/krb5/krb/ Message-ID: <200903061726.n26HQT9r031047@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22067 Commit By: hartmans Log Message: ticket: 6401 Subject: send_as_req re-encodes the request krb5_get_init_creds calls encode_krb5_as_req to produce an encoding for the preauth plugins, then passes the unencoded request structure into the static function send_as_req. That function re-encodes the request. This is an unnecessary call to the encoder. In addition, for the FAST project, it is desirable to encapsulate the unencoded outer request so that krb5_get_init_creds does not need it. * send_as_req is modified to take an encoded request and realm * Remove unused logic to fill in request nonce from send_as_req Changed Files: U trunk/src/lib/krb5/krb/get_in_tkt.c Modified: trunk/src/lib/krb5/krb/get_in_tkt.c =================================================================== --- trunk/src/lib/krb5/krb/get_in_tkt.c 2009-03-05 20:59:52 UTC (rev 22066) +++ trunk/src/lib/krb5/krb/get_in_tkt.c 2009-03-06 17:26:29 UTC (rev 22067) 
@@ -136,36 +136,25 @@ */ static krb5_error_code send_as_request(krb5_context context, - krb5_kdc_req *request, + krb5_data *packet, const krb5_data *realm, krb5_error ** ret_err_reply, krb5_kdc_rep ** ret_as_reply, int *use_master) { krb5_kdc_rep *as_reply = 0; krb5_error_code retval; - krb5_data *packet = 0; krb5_data reply; char k4_version; /* same type as *(krb5_data::data) */ int tcp_only = 0; - krb5_timestamp time_now; reply.data = 0; /* set the nonce if the caller expects us to do it */ - if (request->nonce == 0) { - if ((retval = krb5_timeofday(context, &time_now))) - goto cleanup; - request->nonce = (krb5_int32) time_now; - } - /* encode & send to KDC */ - if ((retval = encode_krb5_as_req(request, &packet)) != 0) - goto cleanup; - k4_version = packet->data[0]; send_again: retval = krb5_sendto_kdc(context, packet, - krb5_princ_realm(context, request->client), + realm, &reply, use_master, tcp_only); #if APPLE_PKINIT inTktDebug("krb5_sendto_kdc returned %d\n", (int)retval); @@ -240,8 +229,6 @@ krb5_free_kdc_rep(context, as_reply); cleanup: - if (packet) - krb5_free_data(context, packet); if (reply.data) free(reply.data); return retval; @@ -517,6 +504,7 @@ krb5_timestamp time_now; krb5_keyblock * decrypt_key = 0; krb5_kdc_req request; + krb5_data *encoded_request; krb5_pa_data **padata = 0; krb5_error * err_reply; krb5_kdc_rep * as_reply = 0; @@ -650,9 +638,14 @@ */ request.nonce = (krb5_int32) time_now; - if ((retval = send_as_request(context, &request, &err_reply, - &as_reply, &use_master))) + if ((retval = encode_krb5_as_req(&request, &encoded_request)) != 0) goto cleanup; + retval = send_as_request(context, encoded_request, + krb5_princ_realm(context, request.client), &err_reply, + &as_reply, &use_master); + krb5_free_data_contents(context, encoded_request); + if (retval != 0) + goto cleanup; if (err_reply) { if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED && 
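Review bot: `krb5_free_data_contents(context, encoded_request)` in the @@ -650 hunk releases only the buffer, but `encode_krb5_as_req` allocates the `krb5_data` container as well, so the struct leaks on every AS request; the cleanup this commit removes from send_as_request used `krb5_free_data(context, packet)`, and the new call site should match it: `krb5_free_data(context, encoded_request);`. The block comment above `send_as_request` (its closing `*/` is the first context line of the @@ -136 hunk) should also say that `packet` and `realm` are borrowed from the caller and are not freed, since the function used to own the encoded packet. The same ownership question applies to `encoded_previous_request` in the @@ -1301 hunk, whose allocation and release are not visible here.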
@@ -1156,7 +1149,6 @@ krb5_preauth_request_context_init(context); - /* nonce is filled in by send_as_request if we don't take care of it */ if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST)) { request.ktype = options->etype_list; @@ -1301,7 +1293,8 @@ err_reply = 0; local_as_reply = 0; - if ((ret = send_as_request(context, &request, &err_reply, + if ((ret = send_as_request(context, encoded_previous_request, + krb5_princ_realm(context, request.client), &err_reply, &local_as_reply, use_master))) goto cleanup; From raeburn at MIT.EDU Fri Mar 6 18:57:10 2009 From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Fri, 6 Mar 2009 18:57:10 -0500 Subject: svn rev #22068: trunk/src/clients/klist/ Message-ID: <200903062357.n26NvATd026557@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22068 Commit By: raeburn Log Message: ticket: 4241 target_version: 1.7 tags: pullup Add "-V" option to klist to print the package name and version, and exit. Changed Files: U trunk/src/clients/klist/klist.c Modified: trunk/src/clients/klist/klist.c =================================================================== --- trunk/src/clients/klist/klist.c 2009-03-06 17:26:29 UTC (rev 22067) +++ trunk/src/clients/klist/klist.c 2009-03-06 23:57:10 UTC (rev 22068) @@ -56,7 +56,7 @@ extern int optind; int show_flags = 0, show_time = 0, status_only = 0, show_keys = 0; -int show_etype = 0, show_addresses = 0, no_resolve = 0; +int show_etype = 0, show_addresses = 0, no_resolve = 0, print_version = 0; char *defname; char *progname; krb5_int32 now; 
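Review bot: The retry path now sends `encoded_previous_request`, but nothing in this hunk shows it being re-encoded after the preauth step changes `request` on each pass; if it is produced once before the loop, padata added on retry would never reach the KDC. Worth confirming where it is refreshed and freed per iteration, and recording that at the call, e.g. `/* encoded_previous_request must be the encoding of the current request, including any padata added this pass */`. The enclosing loop and krb5_get_init_creds both start and end outside the hunk.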
@@ -81,12 +81,13 @@ { #define KRB_AVAIL_STRING(x) ((x)?"available":"not available") - fprintf(stderr, "Usage: %s [-e] [[-c] [-f] [-s] [-a [-n]]] %s", + fprintf(stderr, "Usage: %s [-e] [-V] [[-c] [-f] [-s] [-a [-n]]] %s", progname, "[-k [-t] [-K]] [name]\n"); fprintf(stderr, "\t-c specifies credentials cache\n"); fprintf(stderr, "\t-k specifies keytab\n"); fprintf(stderr, "\t (Default is credentials cache)\n"); fprintf(stderr, "\t-e shows the encryption type\n"); + fprintf(stderr, "\t-V shows the Kerberos version and exits\n"); fprintf(stderr, "\toptions for credential caches:\n"); fprintf(stderr, "\t\t-f shows credentials flags\n"); fprintf(stderr, "\t\t-s sets exit status based on valid tgt existence\n"); @@ -111,7 +112,8 @@ name = NULL; mode = DEFAULT; - while ((c = getopt(argc, argv, "fetKsnack45")) != -1) { + /* V=version so v can be used for verbose later if desired. */ + while ((c = getopt(argc, argv, "fetKsnack45V")) != -1) { switch (c) { case 'f': show_flags = 1; @@ -148,6 +150,9 @@ break; case '5': break; + case 'V': + print_version = 1; + break; default: usage(); break; @@ -172,6 +177,11 @@ usage(); } + if (print_version) { + printf("%s version %s\n", PACKAGE_NAME, PACKAGE_VERSION); + exit(0); + } + name = (optind == argc-1) ? argv[optind] : 0; now = time(0); From tsitkova at MIT.EDU Mon Mar 9 10:21:20 2009 From: tsitkova at MIT.EDU (tsitkova@MIT.EDU) Date: Mon, 9 Mar 2009 10:21:20 -0400 Subject: svn rev #22069: trunk/src/clients/kvno/ Message-ID: <200903091421.n29ELKjH005857@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22069 Commit By: tsitkova Log Message: Introduced '-u' option to kvno to enforce KRB5_NT_UNKNOWN princ type. Changed Files: U trunk/src/clients/kvno/kvno.c Modified: trunk/src/clients/kvno/kvno.c =================================================================== --- trunk/src/clients/kvno/kvno.c 2009-03-06 23:57:10 UTC (rev 22068) +++ trunk/src/clients/kvno/kvno.c 2009-03-09 14:21:20 UTC (rev 22069) 
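Review bot: `-V` is only acted on in the @@ -172 hunk, after the option-conflict checks and `usage()` calls that precede it, so a command line that combines `-V` with otherwise conflicting options prints usage instead of the version, and `print_version` has to be a file-scope global (the @@ -56 hunk on the previous line) to carry the flag that far. Printing and exiting directly in the new `case 'V':` arm, `printf("%s version %s\n", PACKAGE_NAME, PACKAGE_VERSION); exit(0);`, is the usual idiom, needs no global, and lets `-V` win regardless of what else is on the line. If the deferred placement is intentional, a one-line comment saying why would help the next reader.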
@@ -39,7 +39,7 @@ static void xusage() { - fprintf(stderr, "usage: %s [-C] [-c ccache] [-e etype] [-k keytab] [-S sname] service1 service2 ...\n", + fprintf(stderr, "usage: %s [-C] [-u] [-c ccache] [-e etype] [-k keytab] [-S sname] service1 service2 ...\n", prog); exit(1); } @@ -48,7 +48,7 @@ static void do_v5_kvno (int argc, char *argv[], char *ccachestr, char *etypestr, char *keytab_name, - char *sname, int canon); + char *sname, int canon, int unknown); #include static void extended_com_err_fn (const char *, errcode_t, const char *, @@ -59,7 +59,7 @@ int option; char *etypestr = NULL, *ccachestr = NULL, *keytab_name = NULL; char *sname = NULL; - int canon = 0; + int canon = 0, unknown = 0; set_com_err_hook (extended_com_err_fn); @@ -67,7 +67,7 @@ prog = strrchr(argv[0], '/'); prog = prog ? (prog + 1) : argv[0]; - while ((option = getopt(argc, argv, "Cc:e:hk:qS:")) != -1) { + while ((option = getopt(argc, argv, "uCc:e:hk:qS:")) != -1) { switch (option) { case 'C': canon = 1; @@ -89,7 +89,18 @@ break; case 'S': sname = optarg; + if (unknown == 1){ + fprintf(stderr, "Options -u and -S are mutually exclusive\n"); + xusage(); + } break; + case 'u': + unknown = 1; + if (sname){ + fprintf(stderr, "Options -u and -S are mutually exclusive\n"); + xusage(); + } + break; default: xusage(); break; @@ -100,7 +111,7 @@ xusage(); do_v5_kvno(argc - optind, argv + optind, - ccachestr, etypestr, keytab_name, sname, canon); + ccachestr, etypestr, keytab_name, sname, canon, unknown); return 0; } @@ -119,7 +130,7 @@ static void do_v5_kvno (int count, char *names[], char * ccachestr, char *etypestr, char *keytab_name, - char *sname, int canon) + char *sname, int canon, int unknown) { krb5_error_code ret; int i, errors; @@ -190,6 +201,9 @@ errors++; continue; } + if (unknown == 1) { + krb5_princ_type(context, in_creds.server) = KRB5_NT_UNKNOWN; + } ret = krb5_unparse_name(context, in_creds.server, &princ); if (ret) { From tsitkova at MIT.EDU Mon Mar 9 10:23:32 2009 
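Review bot: The `-u`/`-S` exclusion is checked twice with the same message, once in each case arm, and the `-S` arm assigns `sname = optarg` before checking; a single check after the getopt loop, `if (unknown && sname != NULL) { fprintf(stderr, "Options -u and -S are mutually exclusive\n"); xusage(); }`, covers both orders with one copy of the message. Since `unknown` only ever holds 0 or 1, `if (unknown)` in the @@ -190 hunk reads better than `if (unknown == 1)`. The `do_v5_kvno` body that the last hunk modifies starts and ends outside the hunk.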
From: tsitkova at MIT.EDU (tsitkova@MIT.EDU) Date: Mon, 9 Mar 2009 10:23:32 -0400 Subject: svn rev #22070: trunk/src/kdc/ Message-ID: <200903091423.n29ENWpG006048@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22070 Commit By: tsitkova Log Message: Removed unneeded printf's Changed Files: U trunk/src/kdc/do_tgs_req.c Modified: trunk/src/kdc/do_tgs_req.c =================================================================== --- trunk/src/kdc/do_tgs_req.c 2009-03-09 14:21:20 UTC (rev 22069) +++ trunk/src/kdc/do_tgs_req.c 2009-03-09 14:23:31 UTC (rev 22070) @@ -1124,12 +1124,10 @@ goto cleanup; } if (realms == 0) { - printf(" (null)\n"); retval = KRB5KRB_AP_ERR_BADMATCH; goto cleanup; } if (realms[0] == 0) { - printf(" (none)\n"); free(realms); retval = KRB5KRB_AP_ERR_BADMATCH; goto cleanup; From ghudson at MIT.EDU Mon Mar 9 21:28:13 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Mon, 9 Mar 2009 21:28:13 -0400 Subject: svn rev #22071: trunk/src/ include/ lib/kdb/ plugins/kdb/ldap/ldap_util/ Message-ID: <200903100128.n2A1SDEY017375@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22071 Commit By: ghudson Log Message: ticket: 6403 Rename kdb_setup_lib_handle to krb5_db_setup_lib_handle and export it. Make kdb5_ldap_util work again by calling this function to set up dal_handle instead of using one with an uninitialized lib_handle. It is likely that kdb5_ldap_util will only function given a krb5.conf which specifies a realm with an LDAP database module as the default realm. Not sure if that was the case before. Changed Files: U trunk/src/include/kdb.h U trunk/src/lib/kdb/kdb5.c U trunk/src/lib/kdb/libkdb5.exports U trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c Modified: trunk/src/include/kdb.h =================================================================== --- trunk/src/include/kdb.h 2009-03-09 14:23:31 UTC (rev 22070) +++ trunk/src/include/kdb.h 2009-03-10 01:28:12 UTC (rev 22071) 
@@ -266,6 +266,7 @@ #define KRB5_DB_LOCKMODE_PERMANENT 0x0008 /* libkdb.spec */ +krb5_error_code krb5_db_setup_lib_handle(krb5_context kcontext); krb5_error_code krb5_db_open( krb5_context kcontext, char **db_args, int mode ); krb5_error_code krb5_db_init ( krb5_context kcontext ); krb5_error_code krb5_db_create ( krb5_context kcontext, char **db_args ); Modified: trunk/src/lib/kdb/kdb5.c =================================================================== --- trunk/src/lib/kdb/kdb5.c 2009-03-09 14:23:31 UTC (rev 22070) +++ trunk/src/lib/kdb/kdb5.c 2009-03-10 01:28:12 UTC (rev 22071) @@ -616,8 +616,8 @@ return status; } -static krb5_error_code -kdb_setup_lib_handle(krb5_context kcontext) +krb5_error_code +krb5_db_setup_lib_handle(krb5_context kcontext) { char *library = NULL; krb5_error_code status = 0; @@ -714,7 +714,7 @@ } if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -763,7 +763,7 @@ } if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -836,7 +836,7 @@ } if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -866,7 +866,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -893,7 +893,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -921,7 +921,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } 
@@ -951,7 +951,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -983,7 +983,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -1017,7 +1017,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -1047,7 +1047,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -1189,7 +1189,7 @@ log_ctx = kcontext->kdblog_context; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -1306,7 +1306,7 @@ log_ctx = kcontext->kdblog_context; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -1378,7 +1378,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -1407,7 +1407,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -1435,7 +1435,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } 
@@ -1465,7 +1465,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -1500,7 +1500,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -1528,7 +1528,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -1557,7 +1557,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -1590,7 +1590,7 @@ krb5_error_code status = 0; if (context->dal_handle == NULL) { - status = kdb_setup_lib_handle(context); + status = krb5_db_setup_lib_handle(context); if (status) { goto clean_n_exit; } @@ -1645,7 +1645,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -1680,7 +1680,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -1778,7 +1778,7 @@ kdb5_dal_handle *dal_handle; if (context->dal_handle == NULL) { - retval = kdb_setup_lib_handle(context); + retval = krb5_db_setup_lib_handle(context); if (retval) { goto clean_n_exit; } @@ -1835,7 +1835,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } 
@@ -2030,7 +2030,7 @@ void *new_ptr = NULL; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -2051,7 +2051,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -2091,7 +2091,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -2758,7 +2758,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -2792,7 +2792,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -2820,7 +2820,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -2849,7 +2849,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -2877,7 +2877,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -2906,7 +2906,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } 
@@ -2933,7 +2933,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -2970,7 +2970,7 @@ } if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -3004,7 +3004,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -3037,7 +3037,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } @@ -3087,7 +3087,7 @@ kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); + status = krb5_db_setup_lib_handle(kcontext); if (status) { goto clean_n_exit; } Modified: trunk/src/lib/kdb/libkdb5.exports =================================================================== --- trunk/src/lib/kdb/libkdb5.exports 2009-03-09 14:23:31 UTC (rev 22070) +++ trunk/src/lib/kdb/libkdb5.exports 2009-03-10 01:28:12 UTC (rev 22071) @@ -1,3 +1,4 @@ +krb5_db_setup_lib_handle krb5_db_open krb5_db_inited krb5_db_alloc Modified: trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c =================================================================== --- trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c 2009-03-09 14:23:31 UTC (rev 22070) +++ trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c 2009-03-10 01:28:12 UTC (rev 22071) @@ -297,7 +297,6 @@ unsigned int ldapmask = 0; unsigned int passwd_len = 0; char *prompt = NULL; - kdb5_dal_handle *dal_handle = NULL; krb5_ldap_context *ldap_context=NULL; char *value = NULL, *conf_section = NULL; krb5_boolean realm_name_required = TRUE; 
@@ -587,12 +586,13 @@ cmd = cmd_lookup(cmd_argv[0]); /* Setup DAL handle to access the database */ - dal_handle = calloc((size_t)1, sizeof(kdb5_dal_handle)); - if (dal_handle == NULL) { + db_retval = krb5_db_setup_lib_handle(util_context); + if (db_retval) { + com_err(progname, db_retval, "while setting up lib handle"); + exit_status++; goto cleanup; } - dal_handle->db_context = ldap_context; - util_context->dal_handle = dal_handle; + util_context->dal_handle->db_context = ldap_context; ldap_context = NULL; db_retval = krb5_ldap_read_server_params(util_context, conf_section, KRB5_KDB_SRV_TYPE_OTHER); @@ -603,7 +603,7 @@ } if (cmd->opendb) { - db_retval = krb5_ldap_db_init(util_context, (krb5_ldap_context *)dal_handle->db_context); + db_retval = krb5_ldap_db_init(util_context, (krb5_ldap_context *)util_context->dal_handle->db_context); if (db_retval) { com_err(progname, db_retval, "while initializing database"); exit_status++; @@ -639,8 +639,6 @@ free(prompt); if (conf_section) free(conf_section); - if (dal_handle) - free(dal_handle); if (usage_print) { usage(); From tsitkova at MIT.EDU Tue Mar 10 10:49:44 2009 From: tsitkova at MIT.EDU (tsitkova@MIT.EDU) Date: Tue, 10 Mar 2009 10:49:44 -0400 Subject: svn rev #22072: trunk/src/tests/kdc_realm/ input_conf/ Message-ID: <200903101449.n2AEniKP030750@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22072 Commit By: tsitkova Log Message: Added test for KRB5_NT_UNKNOWN princ type Changed Files: A trunk/src/tests/kdc_realm/input_conf/test_KDCs_1.conf U trunk/src/tests/kdc_realm/input_conf/test_setup.conf U trunk/src/tests/kdc_realm/kdcref.py Added: trunk/src/tests/kdc_realm/input_conf/test_KDCs_1.conf =================================================================== --- trunk/src/tests/kdc_realm/input_conf/test_KDCs_1.conf 2009-03-10 01:28:12 UTC (rev 22071) +++ trunk/src/tests/kdc_realm/input_conf/test_KDCs_1.conf 2009-03-10 14:49:43 UTC (rev 22072) 
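Review bot: `util_context->dal_handle->db_context = ldap_context;` stores an LDAP context into whatever module `krb5_db_setup_lib_handle` loaded from krb5.conf; if the configured module is not the LDAP one (the log message itself is unsure this works), that module would later treat a `krb5_ldap_context *` as its own context type. Checking that the loaded library is the LDAP module before this assignment, or failing with a clear `com_err` message if it is not, would turn that into a clean error; at minimum the `/* Setup DAL handle ... */` comment should state the assumption. With `free(dal_handle)` gone from cleanup, the handle's lifetime now rests on `krb5_free_context`/`krb5_db_fini`, which this hunk does not show, so the util's exit path is worth confirming. The enclosing `main` starts and ends outside the hunk.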
@@ -0,0 +1,9 @@ +krb5_priKDC_template.conf,0 +krb5_priKDC_1_template.conf,1 +krb5_priKDC_2_template.conf,0 +krb5_priKDC_3_template.conf,1 +krb5_priKDC_4_template.conf,1 +krb5_priKDC_5_template.conf,1 +krb5_priKDC_6_template.conf,1 +krb5_priKDC_7_template.conf,0 +krb5_priKDC_8_template.conf,1 Modified: trunk/src/tests/kdc_realm/input_conf/test_setup.conf =================================================================== --- trunk/src/tests/kdc_realm/input_conf/test_setup.conf 2009-03-10 01:28:12 UTC (rev 22071) +++ trunk/src/tests/kdc_realm/input_conf/test_setup.conf 2009-03-10 14:49:43 UTC (rev 22072) @@ -1,5 +1,6 @@ sandboxDir=tests/kdc_realm/sandbox testKDCconf=test_KDCs.conf +testKDCconf_1=test_KDCs_1.conf principals=test_princs.conf tier1=sandbox/tier1 -tier2=sandbox/tier2 \ No newline at end of file +tier2=sandbox/tier2 Modified: trunk/src/tests/kdc_realm/kdcref.py =================================================================== --- trunk/src/tests/kdc_realm/kdcref.py 2009-03-10 01:28:12 UTC (rev 22071) +++ trunk/src/tests/kdc_realm/kdcref.py 2009-03-10 14:49:43 UTC (rev 22072) @@ -28,6 +28,7 @@ self._sandboxTier1 = '%s/%s' % (self._sandboxDir, 'tier1') self._sandboxTier2 = '%s/%s' % (self._sandboxDir, 'tier2') self._configurations = self._readServerConfiguration('%s/%s' % (self._confDir,confParams['testKDCconf'])) + self._configurations_1 = self._readServerConfiguration('%s/%s' % (self._confDir,confParams['testKDCconf_1'])) self._principals = self._readTestInputs('%s/%s' % (self._confDir,confParams['principals'])) os.environ["LD_LIBRARY_PATH"] = '%s/lib' % self._buildDir self._pidRefKDC = 0 @@ -94,7 +95,7 @@ raise LaunchError, err_msg - def _launchClient(self, args, env): + def _launchClient(self, args, env, princType): """ kinit & kvno """ 
@@ -109,7 +110,11 @@ # testHost', 'mybox.mit.edu is a srv defined in referral KDC. Get its kvno cmd = '%s/clients/kvno/kvno' % self._buildDir - handle = Popen([cmd, '-C', '-S', 'testHost', 'mybox.mit.edu'], + if princType == 0: + handle = Popen([cmd, '-C', '-S', 'testHost', 'mybox.mit.edu'], + env = env, stdin=PIPE, stdout=PIPE, stderr=PIPE) + if princType == 1: + handle = Popen([cmd, '-C', '-u', 'testHost/mybox.mit.edu'], env = env, stdin=PIPE, stdout=PIPE, stderr=PIPE) (out, err) = handle.communicate() handle.wait() @@ -185,7 +190,7 @@ self._tier1Init = True - def _launchTestingPair(self, srvParam,clntParam): + def _launchTestingPair(self, srvParam,clntParam, princType): # launch KDC server_env = os.environ.copy() server_env["KRB5_KDC_PROFILE"] = '%s/kdc.conf' % self._sandboxTier2 @@ -198,9 +203,9 @@ '%s/%s' % (self._confDir,'kdc_pri_template.conf'), self._vars) if self._tier2Init == False: - pid = self._createDB(server_env) - self._crossRealm('Y.COM', 'Z.COM', server_env) - self._tier2Init = True + pid = self._createDB(server_env) + self._crossRealm('Y.COM', 'Z.COM', server_env) + self._tier2Init = True server = self._launchKDC( 2, server_args, server_env) @@ -211,7 +216,7 @@ '%s/%s' % (self._confDir, 'krb5_priCL_template.conf'), self._vars) client_env["KRB5_KDC_PROFILE"] = server_env["KRB5_KDC_PROFILE"] - rc = self._launchClient(clntParam, client_env) + rc = self._launchClient(clntParam, client_env, princType) self._kill(server) return rc 
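Review bot: `handle` is only bound inside the two `if princType == ...` branches of `_launchClient`, so any other value reaches `handle.communicate()` with an unbound local and raises `UnboundLocalError` rather than a meaningful error. An `if`/`elif`/`else` chain with `raise ValueError('unknown princType %r' % princType)` in the `else`, or building the argument list once and calling `Popen` a single time, makes the failure explicit and removes the duplicated `Popen` call. The function body starts and ends outside the hunk.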
@@ -232,9 +237,15 @@ result = dict() for princs in self._principals: for conf in self._configurations: - rc = self._launchTestingPair( conf['confName'], princs % self._vars) + rc = self._launchTestingPair( conf['confName'], princs % self._vars, 0) result[conf['confName']] = {'expected':conf['expected'], 'actual':rc} - print 'Test code for configuration %s principal %s: %s' % (conf, princs, rc) + print 'Test code for configuration %s principal %s type KRB5_NT_SRV_HST: %s' % (conf, princs, rc) + self.printTestResults(result) + for conf in self._configurations_1: + rc = self._launchTestingPair( conf['confName'], princs % self._vars, 1) + result[conf['confName']] = {'expected':conf['expected'], 'actual':rc} + print 'Test code for configuration %s principal %si type KRB5_NT_UNKNOWN: %s' % (conf, princs, rc) + self.printTestResults(result) return result @@ -317,7 +328,6 @@ test = Launcher(src_path) result = test.run('main') test.clean() - test.printTestResults(result) except: if test is not None: From wfiveash at MIT.EDU Tue Mar 10 16:26:24 2009 From: wfiveash at MIT.EDU (wfiveash@MIT.EDU) Date: Tue, 10 Mar 2009 16:26:24 -0400 Subject: svn rev #22073: trunk/src/ kadmin/dbutil/ lib/kdb/ plugins/kdb/ldap/libkdb_ldap/ Message-ID: <200903102026.n2AKQO6P018307@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22073 Commit By: wfiveash Log Message: ticket: 6405 Tags: pullup Several small fixes to enable the migrate mkey commands to work properly with a LDAP KDB. See the ticket for more details. Changed Files: U trunk/src/kadmin/dbutil/kdb5_mkey.c U trunk/src/lib/kdb/kdb5.c U trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c Modified: trunk/src/kadmin/dbutil/kdb5_mkey.c =================================================================== --- trunk/src/kadmin/dbutil/kdb5_mkey.c 2009-03-10 14:49:43 UTC (rev 22072) +++ trunk/src/kadmin/dbutil/kdb5_mkey.c 2009-03-10 20:26:24 UTC (rev 22073) 
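Review bot: The second print format has a typo: `principal %si type KRB5_NT_UNKNOWN` emits a literal `i` after the principal and should read `principal %s type KRB5_NT_UNKNOWN`. Both loops also write into the same `result` dict keyed by `conf['confName']`, so whenever a name appears in both `test_KDCs.conf` and the new `test_KDCs_1.conf` (likely, given the `krb5_priKDC_*_template.conf` names, though `test_KDCs.conf` is not shown) the KRB5_NT_UNKNOWN run silently overwrites the KRB5_NT_SRV_HST result; keying on `(conf['confName'], princType)` or using two dicts keeps both. `self.printTestResults(result)` is now called inside the inner loops, so the cumulative table is reprinted after every configuration instead of once at the end as the call removed in the @@ -317 hunk did. The `run` method starts outside the hunk.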
@@ -185,6 +185,7 @@ mkey_aux_data_head))) { goto clean_n_exit; } + master_entry->mask |= KADM5_KEY_DATA; clean_n_exit: krb5_dbe_free_mkey_aux_list(context, mkey_aux_data_head); @@ -906,6 +907,8 @@ goto fail; } + ent->mask |= KADM5_KEY_DATA; + if ((retval = krb5_db_put_principal(util_context, ent, &nentries))) { com_err(progname, retval, "while updating principal '%s' key data in the database", @@ -1422,6 +1425,8 @@ goto cleanup_return; } + master_entry.mask |= KADM5_KEY_DATA; + if ((retval = krb5_db_put_principal(util_context, &master_entry, &nentries))) { (void) krb5_db_fini(util_context); com_err(progname, retval, "while adding master key entry to the database"); Modified: trunk/src/lib/kdb/kdb5.c =================================================================== --- trunk/src/lib/kdb/kdb5.c 2009-03-10 14:49:43 UTC (rev 22072) +++ trunk/src/lib/kdb/kdb5.c 2009-03-10 20:26:24 UTC (rev 22073) @@ -2678,8 +2678,8 @@ krb5_dbe_free_tl_data(context, free_tl_data); entry->n_tl_data--; } else { + prev_tl_data = tl_data; tl_data = tl_data->tl_data_next; - prev_tl_data = tl_data; } } Modified: trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c =================================================================== --- trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c 2009-03-10 14:49:43 UTC (rev 22072) +++ trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c 2009-03-10 20:26:24 UTC (rev 22073) 
@@ -148,52 +148,7 @@ return(0); } -#if 0 /************** Begin IFDEF'ed OUT *******************************/ -krb5_error_code -krb5_dbe_lookup_mkvno(krb5_context context, - krb5_db_entry *entry, - krb5_kvno *mkvno) -{ - krb5_tl_data tl_data; - krb5_error_code code; - krb5_int16 tmp; - tl_data.tl_data_type = KRB5_TL_MKVNO; - - if ((code = krb5_dbe_lookup_tl_data(context, entry, &tl_data))) - return (code); - - /* XXX need to think about this */ - if (tl_data.tl_data_length != 2) { - *mkvno = 0; - return (0); - } - - /* XXX this needs to be the inverse of how this is encoded */ - krb5_kdb_decode_int16(tl_data.tl_data_contents, tmp); - - *mkvno = (krb5_kvno) tmp; - - return (0); -} - -krb5_error_code -krb5_dbe_update_mkvno(krb5_context context, - krb5_db_entry * entry, - krb5_kvno mkvno) -{ - krb5_tl_data tl_data; - krb5_octet buf[2]; /* this is the encoded size of an int16 */ - - tl_data.tl_data_type = KRB5_TL_MKVNO; - tl_data.tl_data_length = sizeof(buf); - krb5_kdb_encode_int16((krb5_int16) mkvno, buf); - tl_data.tl_data_contents = buf; - - return (krb5_dbe_update_tl_data(context, entry, &tl_data)); -} -#endif /**************** END IFDEF'ed OUT *******************************/ - /* it seems odd that there's no function to remove a tl_data, but if I need one, I'll add one */ From raeburn at MIT.EDU Tue Mar 10 19:42:42 2009 
From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Tue, 10 Mar 2009 19:42:42 -0400 Subject: svn rev #22074: tools/gssmonger/trunk/ gssmaggot/ gssmaster/ include/ Message-ID: <200903102342.n2ANggAG029479@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22074 Commit By: raeburn Log Message: Add new protocol commands for wrap/unwrap_iov testing. Currently unconditional, and doesn't support downgrading to be compatible with the older master/maggot code that doesn't have this support. No SSPI support yet. Changed Files: U tools/gssmonger/trunk/gssmaggot/gssapi.c U tools/gssmonger/trunk/gssmaggot/handlers.c U tools/gssmonger/trunk/gssmaster/clientapis.c U tools/gssmonger/trunk/gssmaster/clientlib.h U tools/gssmonger/trunk/gssmaster/interfere.c U tools/gssmonger/trunk/include/helpers.h U tools/gssmonger/trunk/include/messages.h Modified: tools/gssmonger/trunk/gssmaggot/gssapi.c =================================================================== --- tools/gssmonger/trunk/gssmaggot/gssapi.c 2009-03-10 20:26:24 UTC (rev 22073) +++ tools/gssmonger/trunk/gssmaggot/gssapi.c 2009-03-10 23:42:41 UTC (rev 22074) @@ -68,6 +68,12 @@ DeleteCredentialResource --*/ + +/* BUG: Don't call MapApiReturnVal(...,gss_foo(&minor,...), minor) + because 'minor' may be read for the MapApiReturnVal call before + gss_foo has a chance to set it. (Depends on the compiler and + options.) */ + #include "messages.h" #include "everything.h" #include "netutil.h" 
@@ -982,7 +988,137 @@ } +#if 1 +ULONG +DoWrapEx( IN PPROTOCOL_CALLBACK_ARGS pArgs, + IN PHCTXT phContext, + IN ULONG Flags, + IN ULONG SeqNo, + IN PVOID Message1, + IN ULONG cbMessage1, + IN PVOID Message2, + IN ULONG cbMessage2, + OUT PVOID *ppvHeader, + OUT PULONG pcbHeader, + OUT PVOID *ppvCrypt, + OUT PULONG pcbCrypt, + OUT PVOID *ppvPad, + OUT PULONG pcbPad, + OUT PVOID *ppvTrailer, + OUT PULONG pcbTrailer ) { + + GSSERRTYPE minor = 0; + ULONG ulRet = GSMERR_TEST_ISSUE; + gss_iov_buffer_desc Buffers[5] = { { 0 } }; + int conf = 1; + + UNUSED_PARAMETER( Flags ); + UNUSED_PARAMETER( SeqNo ); + + Buffers[0].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_FLAG_ALLOCATE; + + Buffers[1].type = GSS_IOV_BUFFER_TYPE_DATA; + Buffers[1].buffer.value = Message1; + Buffers[1].buffer.length = cbMessage1; + + Buffers[2].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; + Buffers[2].buffer.value = Message2; + Buffers[2].buffer.length = cbMessage2; + + Buffers[3].type = GSS_IOV_BUFFER_TYPE_PADDING | GSS_IOV_BUFFER_FLAG_ALLOCATE; + Buffers[4].type = GSS_IOV_BUFFER_TYPE_TRAILER | GSS_IOV_BUFFER_FLAG_ALLOCATE; + + /* + * Possible desirable variations: + * no confidentiality; no trailer; more than two messages; STREAM mode + */ + ulRet = gss_wrap_iov ( &minor, + *phContext, + 1, /* conf */ + GSS_C_QOP_DEFAULT, + &conf, + Buffers, + 5 ); + ulRet = MapApiReturnVal( pArgs, + "gss_wrapex", + FILE_AND_LINE, + ulRet, + minor ); + + /* Outputs: header, wrapped-data, padding, trailer. 
*/ + + *ppvHeader = Buffers[0].buffer.value; + *pcbHeader = Buffers[0].buffer.length; + *ppvCrypt = Buffers[1].buffer.value; + *pcbCrypt = Buffers[1].buffer.length; + *ppvPad = Buffers[3].buffer.value; + *pcbPad = Buffers[3].buffer.length; + *ppvTrailer = Buffers[4].buffer.value; + *pcbTrailer = Buffers[4].buffer.length; + + return ulRet; +} + +ULONG +DoUnwrapEx( IN PPROTOCOL_CALLBACK_ARGS pArgs, + IN PHCTXT phContext, + IN ULONG Flags, + IN ULONG SeqNo, + + IN PVOID pvHeader, + IN ULONG cbHeader, + IN PVOID pvCrypt, + IN ULONG cbCrypt, + IN PVOID pvSign, + IN ULONG cbSign, + IN PVOID pvPad, + IN ULONG cbPad, + IN PVOID pvTrailer, + IN ULONG cbTrailer, + + OUT PVOID *ppvClear, + OUT PULONG pcbClear ) { + gss_iov_buffer_desc Buffers[5] = { { 0 } }; + GSSERRTYPE minor = 0; + ULONG ulRet = GSMERR_TEST_ISSUE; + int conf = 1; + gss_qop_t qop = GSS_C_QOP_DEFAULT; + + UNUSED_PARAMETER( Flags ); + UNUSED_PARAMETER( SeqNo ); + + Buffers[0].type = GSS_IOV_BUFFER_TYPE_HEADER; + Buffers[0].buffer.value = pvHeader; + Buffers[0].buffer.length = cbHeader; + Buffers[1].type = GSS_IOV_BUFFER_TYPE_DATA; + Buffers[1].buffer.value = pvCrypt; + Buffers[1].buffer.length = cbCrypt; + Buffers[2].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; + Buffers[2].buffer.value = pvSign; + Buffers[2].buffer.length = cbSign; + Buffers[3].type = GSS_IOV_BUFFER_TYPE_PADDING; + Buffers[3].buffer.value = pvPad; + Buffers[3].buffer.length = cbPad; + Buffers[4].type = GSS_IOV_BUFFER_TYPE_TRAILER; + Buffers[4].buffer.value = pvTrailer; + Buffers[4].buffer.length = cbTrailer; + + ulRet = gss_unwrap_iov( &minor, *phContext, + &conf, &qop, + Buffers, 5 ); + + ulRet = MapApiReturnVal( pArgs, "gss_unwrapex", FILE_AND_LINE, + ulRet, minor ); + /* Output: cleartext. */ + /* XXX Ignoring conf and qop for now. 
*/ + *ppvClear = Buffers[1].buffer.value; + *pcbClear = Buffers[1].buffer.length; + + return ulRet; +} +#endif + VOID FreeMessageOutput( IN ULONG cbData, IN PVOID pvData ) { Modified: tools/gssmonger/trunk/gssmaggot/handlers.c =================================================================== --- tools/gssmonger/trunk/gssmaggot/handlers.c 2009-03-10 20:26:24 UTC (rev 22073) +++ tools/gssmonger/trunk/gssmaggot/handlers.c 2009-03-10 23:42:41 UTC (rev 22074) 
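Review bot: DoUnwrapEx discards the `conf` and `qop` values gss_unwrap_iov reports (the `/* XXX Ignoring conf and qop for now. */` comment), and DoWrapEx likewise never reads the `conf` it passes to gss_wrap_iov, so a mechanism that quietly downgrades to integrity-only still returns success — the master's WrapEx test is labelled "encrypting" but never learns whether confidentiality was actually applied. Either surface `conf` (and `qop`) to the caller as OUT parameters or fail the call when a successful unwrap reports `conf == 0`. The ownership split also deserves a comment on DoWrapEx, something like `/* Header, padding and trailer are library allocations (GSS_IOV_BUFFER_FLAG_ALLOCATE) the caller must release with gss_release_iov_buffer; the returned ciphertext is the DATA slot that held Message1. */`, since the handler consuming these outputs has no other way to know which pointers it owns.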
@@ -1339,8 +1339,290 @@ } +#if 1 +/*++************************************************************** + NAME: HandleWrapEx + handles a call to gss_wrapex + + CREATED: Mar 2, 2009 from HandleEncryptOrSign + LOCKING: none + CALLED BY: the server engine + FREE WITH: n/a -- no resources are allocated + + **************************************************************--*/ + + +BOOL +HandleWrapEx( IN PPROTOCOL_CALLBACK_ARGS pArgs ) { + + ULONG ulRet = GSMERR_OK; + ULONG ulContextId, Flags, SeqNo; + LPSTR PlainText1, PlainText2; + PVOID pvCipher = NULL, pvHeader = NULL, pvPad = NULL, pvTrailer = NULL; + ULONG cbCipher = 0, cbString1 = 0, cbString2 = 0, cbPad = 0, cbHeader = 0, cbTrailer = 0; + PHCTXT phContext; + BOOL ret; + NETARGENTRY InputEntries[] = { + + { "ContextId", sizeof( ulContextId ), &ulContextId, NETARG_NUMBER }, + { "Flags", sizeof( Flags ), &Flags, NETARG_NUMBER }, + { "SeqNo", sizeof( SeqNo ), &SeqNo, NETARG_NUMBER }, + { "Plaintext1", + + 0, NULL, /* unknown size */ + + NETARG_GENERIC | + NETARG_LENGTH_ENCODE | + NETARG_ALLOCFORME, + + (PVOID *) &PlainText1, + &cbString1 }, + { "Plaintext2", + + 0, NULL, /* unknown size */ + + NETARG_GENERIC | + NETARG_LENGTH_ENCODE | + NETARG_ALLOCFORME, + + (PVOID *) &PlainText2, + &cbString2 }, + + }; + + if ( !NetReadArgArray( pArgs->sock, + ARRAY_ENTRIES( InputEntries ), + InputEntries ) ) { + + /* not worth continuing. */ + + return FALSE; + + } + + ulRet = GetContextForId( pArgs->pResourceTable, + FILE_AND_LINE, + &ulContextId, + &phContext ); + + if ( GSM_SUCCESS( ulRet ) ) { + + ulRet = DoWrapEx ( pArgs, + phContext, + Flags, + SeqNo, + PlainText1, + cbString1, + PlainText2, + cbString2, + &pvHeader, + &cbHeader, + &pvCipher, + &cbCipher, + &pvPad, + &cbPad, + &pvTrailer, + &cbTrailer ); + + } + + { + + NETARGENTRY + OutputEntries[] = { + + { "Return", + sizeof( ulRet ), + &ulRet, + NETARG_NUMBER }, + + /* for wrapex: header, ciphertext, padding?, trailer? 
*/ + { "Header", + cbHeader, + pvHeader, + NETARG_LENGTH_ENCODE | + NETARG_GENERIC + }, + { "Ciphertext", + cbCipher, + pvCipher, + NETARG_LENGTH_ENCODE | + NETARG_GENERIC + }, + { "Padding", + cbPad, + pvPad, + NETARG_LENGTH_ENCODE | + NETARG_GENERIC + }, + { "Trailer", + cbTrailer, + pvTrailer, + NETARG_LENGTH_ENCODE | + NETARG_GENERIC + } + + }; + + ret = NetWriteArgArray( pArgs->sock, + ARRAY_ENTRIES( OutputEntries ), + OutputEntries ); + + } + + FreeNetArgArray( ARRAY_ENTRIES( InputEntries ), + InputEntries ); + + return ret; + +} + /*++************************************************************** + NAME: HandleUnwrapEx + + handles a call to gss_unwrapex + + CREATED: Mar 6, 2009 from HandleWrapEx + LOCKING: none + CALLED BY: the server engine + FREE WITH: n/a -- no resources are allocated + + **************************************************************--*/ + + +BOOL +HandleUnwrapEx( IN PPROTOCOL_CALLBACK_ARGS pArgs ) { + + ULONG ulRet = GSMERR_OK; + ULONG ulContextId, Flags, SeqNo; + PVOID pvCipher = NULL, pvHeader = NULL, pvPad = NULL, pvTrailer = NULL, pvSign = NULL, pvPlain = NULL; + ULONG cbCipher = 0, cbHeader = 0, cbPad = 0, cbTrailer = 0, cbSign = 0, cbPlain = 0; + PHCTXT phContext; + BOOL ret; + NETARGENTRY InputEntries[] = { + + { "ContextId", sizeof( ulContextId ), &ulContextId, NETARG_NUMBER }, + { "Flags", sizeof( Flags ), &Flags, NETARG_NUMBER }, + { "SeqNo", sizeof( SeqNo ), &SeqNo, NETARG_NUMBER }, + { "Header", + + 0, NULL, /* unknown size */ + + NETARG_GENERIC | + NETARG_LENGTH_ENCODE | + NETARG_ALLOCFORME, + + (PVOID *) &pvHeader, + &cbHeader }, + { "Ciphertext", + + 0, NULL, /* unknown size */ + + NETARG_GENERIC | + NETARG_LENGTH_ENCODE | + NETARG_ALLOCFORME, + + (PVOID *) &pvCipher, + &cbCipher }, + { "Sign-only", + + 0, NULL, /* unknown size */ + + NETARG_GENERIC | + NETARG_LENGTH_ENCODE | + NETARG_ALLOCFORME, + + (PVOID *) &pvSign, + &cbSign }, + { "Pad", + + 0, NULL, /* unknown size */ + + NETARG_GENERIC | + NETARG_LENGTH_ENCODE | + 
NETARG_ALLOCFORME, + + (PVOID *) &pvPad, + &cbPad }, + { "Trailer", + + 0, NULL, /* unknown size */ + + NETARG_GENERIC | + NETARG_LENGTH_ENCODE | + NETARG_ALLOCFORME, + + (PVOID *) &pvTrailer, + &cbTrailer }, + + }; + + if ( !NetReadArgArray( pArgs->sock, + ARRAY_ENTRIES( InputEntries ), + InputEntries ) ) { + + /* not worth continuing. */ + + return FALSE; + + } + + ulRet = GetContextForId( pArgs->pResourceTable, + FILE_AND_LINE, + &ulContextId, + &phContext ); + + if ( GSM_SUCCESS( ulRet ) ) { + + ulRet = DoUnwrapEx ( pArgs, + phContext, + Flags, + SeqNo, + pvHeader, cbHeader, + pvCipher, cbCipher, + pvSign, cbSign, + pvPad, cbPad, + pvTrailer, cbTrailer, + &pvPlain, &cbPlain ); + + } + + { + + NETARGENTRY + OutputEntries[] = { + + { "Return", + sizeof( ulRet ), + &ulRet, + NETARG_NUMBER }, + + /* for unwrapex: plaintext */ + { "Plaintext", + cbPlain, + pvPlain, + NETARG_LENGTH_ENCODE | + NETARG_GENERIC + } + + }; + + ret = NetWriteArgArray( pArgs->sock, + ARRAY_ENTRIES( OutputEntries ), + OutputEntries ); + + } + + FreeNetArgArray( ARRAY_ENTRIES( InputEntries ), + InputEntries ); + + return ret; + +} +#endif + +/*++************************************************************** NAME: HandleVerify callout into VerifySignature or gss_verify_mic @@ -1824,6 +2106,9 @@ { eUnwrap, "Unwrap", HandleDecryptOrUnwrap, (PVOID) DoUnwrap }, + { eWrapEx, "WrapEx", HandleWrapEx }, + { eUnwrapEx, "UnwrapEx", HandleUnwrapEx }, + { eVerify, "Verify", HandleVerify }, { eChangePassword, "ChangePassword", HandleChangePassword, 
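Review bot: HandleWrapEx never releases the Header, Padding and Trailer buffers that DoWrapEx asks the library to allocate (GSS_IOV_BUFFER_FLAG_ALLOCATE): after `NetWriteArgArray` the only cleanup is `FreeNetArgArray( ARRAY_ENTRIES( InputEntries ), InputEntries )`, so pvHeader, pvPad and pvTrailer leak on every WrapEx request unless NetWriteArgArray takes ownership, which nothing visible suggests. Those three need to go back through the GSS release path (gss_release_iov_buffer on the gssapi.c side, or a helper in the style of FreeMessageOutput); pvCipher must not be included, since DoWrapEx hands back the DATA slot, which appears to be the request's own PlainText1 buffer already covered by FreeNetArgArray. HandleUnwrapEx looks safe by the same reading: its only output, pvPlain, is the DATA slot aliasing the pvCipher input.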
@@ -1852,7 +2137,7 @@ { eAcquirePKInitCreds, "AcquirePKINIT", HandleAcquirePKInit }, -#if PROTOCOL_VERSION != 14 +#if PROTOCOL_VERSION != 16 /* If you add more messages in messages.h, the server must be able to handle them here. */ Modified: tools/gssmonger/trunk/gssmaster/clientapis.c =================================================================== --- tools/gssmonger/trunk/gssmaster/clientapis.c 2009-03-10 20:26:24 UTC (rev 22073) +++ tools/gssmonger/trunk/gssmaster/clientapis.c 2009-03-10 23:42:41 UTC (rev 22074) 
@@ -895,6 +895,159 @@ } +ULONG +ServerWrapEx( IN HSERVER hServer, + IN ULONG ulContextId, + IN ULONG Flags, + IN ULONG SeqNo, + IN PVOID pvPlain, + IN ULONG cbPlain, + IN PVOID pvSign, + IN ULONG cbSign, + + OUT PVOID *ppvHeader, + OUT PULONG pcbHeader, + OUT PVOID *ppvWrappedText, + OUT PULONG pcbWrappedText, + OUT PVOID *ppvPad, + OUT PULONG pcbPad, + OUT PVOID *ppvTrailer, + OUT PULONG pcbTrailer ) { + + ULONG ret = GSMERR_OK; + NETARGENTRY InputEntries[] = { + + { "ContextId", sizeof( ulContextId ), &ulContextId, NETARG_NUMBER }, + { "Flags", sizeof( Flags ), &Flags, NETARG_NUMBER }, + { "SeqNo", sizeof( SeqNo ), &SeqNo, NETARG_NUMBER }, + { "Plaintext", cbPlain, pvPlain, ( NETARG_GENERIC | + NETARG_LENGTH_ENCODE ) }, + { "Sign-only", cbSign, pvSign, ( NETARG_GENERIC | + NETARG_LENGTH_ENCODE ) }, + + }, OutputEntries[] = { + + { "Return", sizeof( ret ), &ret, NETARG_NUMBER }, + + { "Header", + 0, NULL, /* Unknown size, alloc buffer for us */ + NETARG_GENERIC | + NETARG_ALLOCFORME | + NETARG_LENGTH_ENCODE, + + ppvHeader, + pcbHeader }, + { "Wrapped text", + 0, NULL, /* Unknown size, alloc buffer for us */ + NETARG_GENERIC | + NETARG_ALLOCFORME | + NETARG_LENGTH_ENCODE, + + ppvWrappedText, + pcbWrappedText }, + { "Padding", + 0, NULL, /* Unknown size, alloc buffer for us */ + NETARG_GENERIC | + NETARG_ALLOCFORME | + NETARG_LENGTH_ENCODE, + + ppvPad, + pcbPad }, + { "Trailer", + 0, NULL, /* Unknown size, alloc buffer for us */ + NETARG_GENERIC | + NETARG_ALLOCFORME | + NETARG_LENGTH_ENCODE, + + ppvTrailer, + pcbTrailer }, + + }; + + if ( !ClientSendReceiveData( hServer, + eWrapEx, + "WrapEx Message", + ARRAY_ENTRIES( InputEntries ), + InputEntries, + ARRAY_ENTRIES( OutputEntries ), + OutputEntries ) ) { + + ret = GSMERR_TEST_ISSUE; + + } + + return ret; + + +} + +ULONG +ServerUnwrapEx( IN HSERVER hServer, + IN ULONG ulContextId, + IN ULONG Flags, + IN ULONG SeqNo, + IN PVOID pvHeader, + IN ULONG cbHeader, + IN PVOID pvCipher, + IN ULONG cbCipher, + IN PVOID 
pvSign, + IN ULONG cbSign, + IN PVOID pvPad, + IN ULONG cbPad, + IN PVOID pvTrailer, + IN ULONG cbTrailer, + + OUT PVOID *ppvPlaintext, + OUT PULONG pcbPlaintext ) { + + ULONG ret = GSMERR_OK; + NETARGENTRY InputEntries[] = { + + { "ContextId", sizeof( ulContextId ), &ulContextId, NETARG_NUMBER }, + { "Flags", sizeof( Flags ), &Flags, NETARG_NUMBER }, + { "SeqNo", sizeof( SeqNo ), &SeqNo, NETARG_NUMBER }, + { "Header", cbHeader, pvHeader, ( NETARG_GENERIC | + NETARG_LENGTH_ENCODE ) } , + { "Ciphertext", cbCipher, pvCipher, ( NETARG_GENERIC | + NETARG_LENGTH_ENCODE ) }, + { "Sign-only", cbSign, pvSign, ( NETARG_GENERIC | + NETARG_LENGTH_ENCODE ) }, + { "Padding", cbPad, pvPad, ( NETARG_GENERIC | + NETARG_LENGTH_ENCODE ) }, + { "Trailer", cbTrailer, pvTrailer, ( NETARG_GENERIC | + NETARG_LENGTH_ENCODE ) }, + + }, OutputEntries[] = { + + { "Return", sizeof( ret ), &ret, NETARG_NUMBER }, + + { "Plaintext", + 0, NULL, /* Unknown size, alloc buffer for us */ + NETARG_GENERIC | + NETARG_ALLOCFORME | + NETARG_LENGTH_ENCODE, + + ppvPlaintext, + pcbPlaintext }, + }; + + if ( !ClientSendReceiveData( hServer, + eUnwrapEx, + "UnwrapEx Message", + ARRAY_ENTRIES( InputEntries ), + InputEntries, + ARRAY_ENTRIES( OutputEntries ), + OutputEntries ) ) { + + ret = GSMERR_TEST_ISSUE; + + } + + return ret; + + +} + BOOL GetVersionInfoAndCapFlags( IN HSERVER hServer, OUT PULONG pulVersion, Modified: tools/gssmonger/trunk/gssmaster/clientlib.h =================================================================== --- tools/gssmonger/trunk/gssmaster/clientlib.h 2009-03-10 20:26:24 UTC (rev 22073) +++ tools/gssmonger/trunk/gssmaster/clientlib.h 2009-03-10 23:42:41 UTC (rev 22074) 
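Review bot: The argument names the master sends do not match what the maggot side reads: ServerWrapEx receives `"Wrapped text"` where HandleWrapEx writes `"Ciphertext"`, and ServerUnwrapEx sends `"Padding"` where HandleUnwrapEx reads `"Pad"` (the `"Sign-only"` entry agrees on both sides and is the pattern to follow). If NETARGENTRY names are only labels for logging this is cosmetic, but if the netutil layer matches or checks them on the wire the WrapEx/UnwrapEx exchange will fail; either way, aligned names make traces readable. I would use `"Ciphertext"` and `"Pad"` here to match handlers.c.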
@@ -160,8 +160,46 @@ DECODE_FN ServerDecrypt, ServerUnwrap; +typedef ULONG ENCODE_IOV_FN( IN HSERVER hServer, + IN ULONG ulContextId, + IN ULONG Flags, + IN ULONG SeqNo, + IN PVOID pvPlain, + IN ULONG cbPlain, + IN PVOID pvSign, + IN ULONG cbSign, + OUT PVOID *ppvHeader, + OUT PULONG pcbHeader, + OUT PVOID *ppvWrappedText, + OUT PULONG pcbWrappedText, + OUT PVOID *ppvPad, + OUT PULONG pcbPad, + OUT PVOID *ppvTrailer, + OUT PULONG pcbTrailer ); +ENCODE_IOV_FN ServerWrapEx; + +typedef ULONG DECODE_IOV_FN( IN HSERVER hServer, + IN ULONG ulContextId, + IN ULONG Flags, + IN ULONG SeqNo, + IN PVOID pvHeader, + IN ULONG cbHeader, + IN PVOID pvCipher, + IN ULONG cbCipher, + IN PVOID pvSign, + IN ULONG cbSign, + IN PVOID pvPad, + IN ULONG cbPad, + IN PVOID pvTrailer, + IN ULONG cbTrailer, + + OUT PVOID *ppvPlaintext, + OUT PULONG pcbPlaintext ); + +DECODE_IOV_FN ServerUnwrapEx; + ULONG ServerSignBinary( IN HSERVER hServer, IN ULONG ulContextId, Modified: tools/gssmonger/trunk/gssmaster/interfere.c =================================================================== --- tools/gssmonger/trunk/gssmaster/interfere.c 2009-03-10 20:26:24 UTC (rev 22073) +++ tools/gssmonger/trunk/gssmaster/interfere.c 2009-03-10 23:42:41 UTC (rev 22074) @@ -96,7 +96,8 @@ #define MESSAGETEST_ENCRYPT 0x1 #define MESSAGETEST_SIGNED 0x2 #define MESSAGETEST_WRAPPED 0x4 -#define LAST_MESSAGETEST MESSAGETEST_WRAPPED // update if more are added +#define MESSAGETEST_WRAPEX 0x8 +#define LAST_MESSAGETEST MESSAGETEST_WRAPEX // update if more are added ULONG iWhichMessages = ( MESSAGETEST_ENCRYPT | MESSAGETEST_WRAPPED | 
@@ -116,8 +117,9 @@ MSGTST( "Encrypt", ENCRYPT, "Exchanges encrypted messages" ), MSGTST( "Signed", SIGNED, "Exchanges messages with an unwrapped sig" ), MSGTST( "Wrapped", WRAPPED, "Exchanges clearsigned wrapped messages" ), + MSGTST( "WrapEx", WRAPEX, "Exchanges encrypted messages with additional signed data" ), -#if LAST_MESSAGETEST != MESSAGETEST_WRAPPED +#if LAST_MESSAGETEST != MESSAGETEST_WRAPEX #error "New MessageTests? Update this array or they won't be on the command line" #endif @@ -228,6 +230,10 @@ ULONG SeqNo; BOOL bAlreadyFreed; + // iov tests only + ULONG cbHeader, cbPad, cbTrailer; + PVOID pvHeader, pvPad, pvTrailer; + } MESSAGEDATA, *PMESSAGEDATA; struct __messagefuncargs; @@ -313,7 +319,55 @@ &pData->pvPlain ) ); } +#define SIGN_ONLY_DATA "sign-me-please" +BOOL +EncodeIOVMessage( IN PMESSAGEFUNCARGS pArgs, + IN OUT PMESSAGEDATA pData ) { + + ENCODE_IOV_FN *f = (ENCODE_IOV_FN *) pArgs->Glue.pEncode; + + return GSM_SUCCESS( f( pArgs->pEncoder->hConn, + pArgs->pEncoder->ContextId, + 0, // no flags + pData->SeqNo, + pData->OriginalMessage->pvMessage, + pData->OriginalMessage->cbMessage, + SIGN_ONLY_DATA, sizeof(SIGN_ONLY_DATA), + &pData->pvHeader, + &pData->cbHeader, + &pData->pvData, + &pData->cbData, + &pData->pvPad, + &pData->cbPad, + &pData->pvTrailer, + &pData->cbTrailer ) ); + +} + +BOOL +DecodeIOVMessage( IN PMESSAGEFUNCARGS pArgs, + IN OUT PMESSAGEDATA pData ) { + + DECODE_IOV_FN *f = (DECODE_IOV_FN *)pArgs->Glue.pDecode; + + return GSM_SUCCESS( f( pArgs->pDecoder->hConn, + pArgs->pDecoder->ContextId, + 0, // no flags + pData->SeqNo, + pData->pvHeader, + pData->cbHeader, + pData->pvData, + pData->cbData, + SIGN_ONLY_DATA, sizeof(SIGN_ONLY_DATA), + pData->pvPad, + pData->cbPad, + pData->pvTrailer, + pData->cbTrailer, + &pData->pvPlain, + &pData->cbPlain ) ); +} + VOID FreeMessageBurst( IN ULONG cMessages, IN PMESSAGEDATA pData ) { 
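Review bot: The `-228` hunk adds pvHeader, pvPad and pvTrailer to MESSAGEDATA and EncodeIOVMessage fills them through ServerWrapEx, whose OutputEntries are NETARG_ALLOCFORME (netlib-allocated), but no hunk touches FreeMessageBurst — its signature is the last context line here and its body lies outside the diff — so unless they are freed somewhere I cannot see, every IOV message burst leaks three buffers. FreeMessageBurst should release the new fields alongside pvData and pvPlain, mirroring however it frees those. A short note on `#define SIGN_ONLY_DATA` would also help: `sizeof(SIGN_ONLY_DATA)` deliberately includes the terminating NUL, and encode and decode must keep using the same length or the integrity check over the sign-only buffer fails.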
@@ -698,9 +752,18 @@ "signing", ServerSignBinary }, + { "WrapEx", + GSMFLAG_CONFIDENTIALITY, + MESSAGETEST_ENCRYPT, + EncodeIOVMessage, + DecodeIOVMessage, + "encrypting", + (ENCODE_FN *) ServerWrapEx, + (DECODE_FN *) ServerUnwrapEx + }, -#if LAST_MESSAGETEST != MESSAGETEST_WRAPPED +#if LAST_MESSAGETEST != MESSAGETEST_WRAPEX #error "New Message Test type? Update this array and #defines at top" #endif Modified: tools/gssmonger/trunk/include/helpers.h =================================================================== --- tools/gssmonger/trunk/include/helpers.h 2009-03-10 20:26:24 UTC (rev 22073) +++ tools/gssmonger/trunk/include/helpers.h 2009-03-10 23:42:41 UTC (rev 22074) @@ -182,7 +182,43 @@ FreeMessageOutput( IN ULONG cbData, IN PVOID pvData ); +ULONG +DoWrapEx( IN PPROTOCOL_CALLBACK_ARGS pArgs, + IN PHCTXT phContext, + IN ULONG Flags, + IN ULONG SeqNo, + IN PVOID Message1, + IN ULONG cbMessage1, + IN PVOID Message2, + IN ULONG cbMessage2, + OUT PVOID *ppvHeader, + OUT PULONG pcbHeader, + OUT PVOID *ppvCrypt, + OUT PULONG pcbCrypt, + OUT PVOID *ppvPad, + OUT PULONG pcbPad, + OUT PVOID *ppvTrailer, + OUT PULONG pcbTrailer ); +ULONG +DoWrapEx( IN PPROTOCOL_CALLBACK_ARGS pArgs, + IN PHCTXT phContext, + IN ULONG Flags, + IN ULONG SeqNo, + IN PVOID Message1, + IN ULONG cbMessage1, + IN PVOID Message2, + IN ULONG cbMessage2, + + OUT PVOID *ppvHeader, + OUT PULONG pcbHeader, + OUT PVOID *ppvCrypt, + OUT PULONG pcbCrypt, + OUT PVOID *ppvPad, + OUT PULONG pcbPad, + OUT PVOID *ppvTrailer, + OUT PULONG pcbTrailer ); + typedef ULONG (CHPWD_FUNCTION)( IN PPROTOCOL_CALLBACK_ARGS, /* pArgs */ IN LPSTR, /* Principal */ IN LPSTR, /* Old Password */ Modified: tools/gssmonger/trunk/include/messages.h =================================================================== --- tools/gssmonger/trunk/include/messages.h 2009-03-10 20:26:24 UTC (rev 22073) +++ tools/gssmonger/trunk/include/messages.h 2009-03-10 23:42:41 UTC (rev 22074) 
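Review bot: The new "WrapEx" table entry carries `MESSAGETEST_ENCRYPT` in its third field, whereas the `-96` hunk introduces `MESSAGETEST_WRAPEX` and the `-116` hunk adds a `MSGTST( "WrapEx", WRAPEX, ... )` command-line option for it. If that field is the bit matched against iWhichMessages (the struct definition is not visible, but the neighbouring entries and the LAST_MESSAGETEST guard suggest so), the new option selects nothing and WrapEx instead runs whenever Encrypt is selected; the line should read `MESSAGETEST_WRAPEX,`. Casting ServerWrapEx and ServerUnwrapEx to `ENCODE_FN *` / `DECODE_FN *` is only valid because EncodeIOVMessage and DecodeIOVMessage cast back to the IOV types before calling; a one-line comment saying so would spare the next reader a double-take.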
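Review bot: The helpers.h hunk declares DoWrapEx twice and never declares DoUnwrapEx, although handlers.c (hunk `-1339`) calls it; the second prototype is a copy of the first whose name and parameter list were not updated. With no visible prototype DoUnwrapEx is implicitly declared at its call site (or rejected by a C99-strict compiler), and any argument mismatch there goes unchecked. Replace the duplicate with the DoUnwrapEx signature from its definition in gssapi.c.
```c
/* … unchanged: first DoWrapEx prototype … */
ULONG
DoUnwrapEx( IN PPROTOCOL_CALLBACK_ARGS pArgs,
            IN PHCTXT phContext,
            IN ULONG Flags,
            IN ULONG SeqNo,
            IN PVOID pvHeader,
            IN ULONG cbHeader,
            IN PVOID pvCrypt,
            IN ULONG cbCrypt,
            IN PVOID pvSign,
            IN ULONG cbSign,
            IN PVOID pvPad,
            IN ULONG cbPad,
            IN PVOID pvTrailer,
            IN ULONG cbTrailer,
            OUT PVOID *ppvClear,
            OUT PULONG pcbClear );
```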
@@ -161,9 +161,12 @@ credential resource as eAcquireCreds, free with eToastResource (as eAcquireCreds) */ + eWrapEx, + eUnwrapEx, + /* Add new protocol messages here */ -#define PROTOCOL_VERSION 14 /* update this if you add more-- +#define PROTOCOL_VERSION 16 /* update this if you add more-- we use it to make sure that the new entries show up in other areas of the code that depend on it. */ From raeburn at MIT.EDU Tue Mar 10 19:46:14 2009 From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Tue, 10 Mar 2009 19:46:14 -0400 Subject: svn rev #22075: tools/gssmonger/trunk/ gssmaggot/ Message-ID: <200903102346.n2ANkEMf029694@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22075 Commit By: raeburn Log Message: remove duplicated files Changed Files: D tools/gssmonger/trunk/gssmaggot/mapvals.h D tools/gssmonger/trunk/gssmaggot/netutil.h D tools/gssmonger/trunk/gssmaggot/svconn.h D tools/gssmonger/trunk/netutil.c D tools/gssmonger/trunk/util.c Deleted: tools/gssmonger/trunk/gssmaggot/mapvals.h Deleted: tools/gssmonger/trunk/gssmaggot/netutil.h Deleted: tools/gssmonger/trunk/gssmaggot/svconn.h Deleted: tools/gssmonger/trunk/netutil.c Deleted: tools/gssmonger/trunk/util.c From tsitkova at MIT.EDU Wed Mar 11 11:32:14 2009 From: tsitkova at MIT.EDU (tsitkova@MIT.EDU) Date: Wed, 11 Mar 2009 11:32:14 -0400 Subject: svn rev #22076: trunk/src/util/collected-client-lib/ Message-ID: <200903111532.n2BFWEPq029072@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22076 Commit By: tsitkova Log Message: Make it link again. Changed Files: U trunk/src/util/collected-client-lib/Makefile.in Modified: trunk/src/util/collected-client-lib/Makefile.in =================================================================== --- trunk/src/util/collected-client-lib/Makefile.in 2009-03-10 23:46:14 UTC (rev 22075) +++ trunk/src/util/collected-client-lib/Makefile.in 2009-03-11 15:32:14 UTC (rev 22076) 
@@ -31,13 +31,14 @@ ../../lib/gssapi/krb5/OBJS.ST \ ../../lib/gssapi/spnego/OBJS.ST \ ../../lib/krb5/OBJS.ST \ - ../../lib/krb5/error_tables/OBJS.ST \ +# ../../lib/krb5/error_tables/OBJS.ST \ ../../lib/krb5/asn.1/OBJS.ST \ ../../lib/krb5/ccache/OBJS.ST \ ../../lib/krb5/keytab/OBJS.ST \ ../../lib/krb5/krb/OBJS.ST \ ../../lib/krb5/rcache/OBJS.ST \ ../../lib/krb5/os/OBJS.ST \ + ../../lib/krb5/unicode/OBJS.ST \ ../profile/OBJS.ST \ ../../lib/crypto/crc32/OBJS.ST \ ../../lib/crypto/des/OBJS.ST \ @@ -60,8 +61,10 @@ SRCS= SHLIB_EXPDEPS = + +LIBS_UTILS=-lresolv # Add -lm if dumping thread stats, for sqrt. -SHLIB_EXPLIBS= @CRYPTO_LIBS@ $(LIBS) $(DL_LIB) +SHLIB_EXPLIBS= @CRYPTO_LIBS@ $(LIBS) $(DL_LIB) $(LIBS_UTILS) SHLIB_DIRS= SHLIB_RDIRS= From tsitkova at MIT.EDU Wed Mar 11 11:36:41 2009 From: tsitkova at MIT.EDU (tsitkova@MIT.EDU) Date: Wed, 11 Mar 2009 11:36:41 -0400 Subject: svn rev #22077: trunk/src/util/collected-client-lib/ Message-ID: <200903111536.n2BFafDT029649@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22077 Commit By: tsitkova Log Message: Make Lite Client lib link again. Changed Files: U trunk/src/util/collected-client-lib/Makefile.in Modified: trunk/src/util/collected-client-lib/Makefile.in =================================================================== --- trunk/src/util/collected-client-lib/Makefile.in 2009-03-11 15:32:14 UTC (rev 22076) +++ trunk/src/util/collected-client-lib/Makefile.in 2009-03-11 15:36:41 UTC (rev 22077) @@ -31,7 +31,7 @@ ../../lib/gssapi/krb5/OBJS.ST \ ../../lib/gssapi/spnego/OBJS.ST \ ../../lib/krb5/OBJS.ST \ -# ../../lib/krb5/error_tables/OBJS.ST \ + ../../lib/krb5/error_tables/OBJS.ST \ ../../lib/krb5/asn.1/OBJS.ST \ ../../lib/krb5/ccache/OBJS.ST \ ../../lib/krb5/keytab/OBJS.ST \ From ghudson at MIT.EDU Wed Mar 11 18:11:07 2009 
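Review bot: `LIBS_UTILS=-lresolv` in the `@@ -60` hunk hard-codes the resolver library for every platform, which breaks the link wherever the resolver lives in libc or under another name; the rest of this file takes its libraries from configure substitutions such as `@CRYPTO_LIBS@` and `$(LIBS)`. If configure already detects the resolver library, the substituted variable belongs here instead; if not, a configure check is the portable route. A comment naming the symbols that need it would also help, since nothing nearby explains the addition.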
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Wed, 11 Mar 2009 18:11:07 -0400 Subject: svn rev #22078: trunk/src/ include/ include/krb5/ lib/krb5/ lib/krb5/krb/ Message-ID: <200903112211.n2BMB79v026059@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22078 Commit By: ghudson Log Message: ticket: 6407 subject: Make a working krb5_copy_error_message target_version: 1.7 tags: pullup The krb5_copy_error_state macro wasn't used, didn't work, and didn't need to be a macro. Replace it with an exported API function named krb5_copy_error_message. Changed Files: U trunk/src/include/k5-int.h U trunk/src/include/krb5/krb5.hin U trunk/src/lib/krb5/krb/kerrs.c U trunk/src/lib/krb5/libkrb5.exports Modified: trunk/src/include/k5-int.h =================================================================== --- trunk/src/include/k5-int.h 2009-03-11 15:36:41 UTC (rev 22077) +++ trunk/src/include/k5-int.h 2009-03-11 22:11:06 UTC (rev 22078) @@ -2298,9 +2298,6 @@ extern int krb5int_crypto_init (void); extern int krb5int_prng_init(void); -#define krb5_copy_error_state(CTX, OCTX) \ - krb5int_set_error(&(CTX)->errinfo, (OCTX)->errinfo.code, "%s", (OCTX)->errinfo.msg) - /* * Referral definitions, debugging hooks, and subfunctions. */ Modified: trunk/src/include/krb5/krb5.hin =================================================================== --- trunk/src/include/krb5/krb5.hin 2009-03-11 15:36:41 UTC (rev 22077) +++ trunk/src/include/krb5/krb5.hin 2009-03-11 22:11:06 UTC (rev 22078) 
@@ -2490,6 +2490,9 @@ __attribute__((__format__(__printf__, 3, 0))) #endif ; +void KRB5_CALLCONV +krb5_copy_error_message (krb5_context, krb5_context); + /* * The behavior of krb5_get_error_message is only defined the first * time it is called after a failed call to a krb5 function using the Modified: trunk/src/lib/krb5/krb/kerrs.c =================================================================== --- trunk/src/lib/krb5/krb/kerrs.c 2009-03-11 15:36:41 UTC (rev 22077) +++ trunk/src/lib/krb5/krb/kerrs.c 2009-03-11 22:11:06 UTC (rev 22078) @@ -75,6 +75,20 @@ #endif } +/* Set the error message state of dest_ctx to that of src_ctx. */ +void KRB5_CALLCONV +krb5_copy_error_message (krb5_context dest_ctx, krb5_context src_ctx) +{ + if (dest_ctx == src_ctx) + return; + if (src_ctx->err.msg) { + krb5int_set_error(&dest_ctx->err, src_ctx->err.code, "%s", + src_ctx->err.msg); + } else { + krb5int_clear_error(dest_ctx); + } +} + const char * KRB5_CALLCONV krb5_get_error_message (krb5_context ctx, krb5_error_code code) { Modified: trunk/src/lib/krb5/libkrb5.exports =================================================================== --- trunk/src/lib/krb5/libkrb5.exports 2009-03-11 15:36:41 UTC (rev 22077) +++ trunk/src/lib/krb5/libkrb5.exports 2009-03-11 22:11:06 UTC (rev 22078) @@ -172,6 +172,7 @@ krb5_copy_context krb5_copy_creds krb5_copy_data +krb5_copy_error_message krb5_copy_keyblock krb5_copy_keyblock_contents krb5_copy_principal From ghudson at MIT.EDU Wed Mar 11 18:14:25 2009 
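Review bot: The new public prototype in krb5.hin carries no documentation, and this header is where API users look. Based on the kerrs.c implementation in the same commit, a comment above it such as `/* Copy the error message state of the second context into the first; if the source has no message, the destination's state is cleared.  Does nothing when both arguments are the same context. */` states the contract. Naming the parameters in the prototype (`krb5_context dest_ctx, krb5_context src_ctx`) would also make the direction of the copy visible without opening kerrs.c.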
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Wed, 11 Mar 2009 18:14:25 -0400 Subject: svn rev #22079: trunk/src/kdc/ Message-ID: <200903112214.n2BMEPpT026263@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22079 Commit By: ghudson Log Message: ticket: 6408 subject: Report verbose error messages from KDC target_version: 1.7 tags: pullup We were losing verbose error messages when logging from the KDC because the context passed to krb5_klog_init did not match the realm-specific context used for most library function calls. Introduce a wrapper function kdc_err which copies the error state from the call context to the log context. The wrapper function also knows the program name, which removes the need to pass argv[0] around everywhere or make up program names. Changed Files: U trunk/src/kdc/do_tgs_req.c U trunk/src/kdc/kdc_preauth.c U trunk/src/kdc/kdc_util.h U trunk/src/kdc/main.c U trunk/src/kdc/network.c Modified: trunk/src/kdc/do_tgs_req.c =================================================================== --- trunk/src/kdc/do_tgs_req.c 2009-03-11 22:11:06 UTC (rev 22078) +++ trunk/src/kdc/do_tgs_req.c 2009-03-11 22:14:24 UTC (rev 22079) @@ -55,7 +55,6 @@ */ #include "k5-int.h" -#include "com_err.h" #include #ifdef HAVE_NETINET_IN_H @@ -1120,7 +1119,7 @@ free(temp_buf); if (retval) { /* no match found */ - com_err("krb5_get_domain_realm_mapping", retval, 0); + kdc_err(kdc_context, retval, 0); goto cleanup; } if (realms == 0) { Modified: trunk/src/kdc/kdc_preauth.c =================================================================== --- trunk/src/kdc/kdc_preauth.c 2009-03-11 22:11:06 UTC (rev 22078) +++ trunk/src/kdc/kdc_preauth.c 2009-03-11 22:14:24 UTC (rev 22079) @@ -1861,7 +1861,7 @@ scratch.length = in_padata->length; if ((retval = decode_krb5_sam_response(&scratch, &sr))) { - com_err("krb5kdc", retval, + kdc_err(context, retval, "return_sam_data(): decode_krb5_sam_response failed"); goto cleanup; } 
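Review bot: In the `@@ -1120` hunk the replacement `kdc_err(kdc_context, retval, 0);` drops the only indication of what failed — the old call named `krb5_get_domain_realm_mapping` as its whom string, and the new one passes a null format, so the log will show just the program name and the error code. A descriptive format such as `kdc_err(kdc_context, retval, "while mapping the server's domain to a realm");` keeps that context. This assumes kdc_err tolerates a null format the way com_err does; if it does not, the line is also a crash path. The enclosing function starts outside the hunk.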
@@ -1880,7 +1880,7 @@ if ((retval = krb5_c_decrypt(context, &psr_key, /* XXX */ 0, 0, &tmpdata, &scratch))) { - com_err("krb5kdc", retval, + kdc_err(context, retval, "return_sam_data(): decrypt track_id failed"); free(scratch.data); goto cleanup; @@ -1888,7 +1888,7 @@ } if ((retval = decode_krb5_predicted_sam_response(&scratch, &psr))) { - com_err("krb5kdc", retval, + kdc_err(context, retval, "return_sam_data(): decode_krb5_predicted_sam_response failed"); free(scratch.data); goto cleanup; @@ -1896,7 +1896,7 @@ /* We could use sr->sam_flags, but it may be absent or altered. */ if (psr->sam_flags & KRB5_SAM_MUST_PK_ENCRYPT_SAD) { - com_err("krb5kdc", retval = KRB5KDC_ERR_PREAUTH_FAILED, + kdc_err(context, retval = KRB5KDC_ERR_PREAUTH_FAILED, "Unsupported SAM flag must-pk-encrypt-sad"); goto cleanup; } @@ -1949,7 +1949,7 @@ break; default: - com_err("krb5kdc", retval = KRB5KDC_ERR_PREAUTH_FAILED, + kdc_err(context, retval = KRB5KDC_ERR_PREAUTH_FAILED, "Unimplemented keytype for SAM key mixing"); goto cleanup; } @@ -2017,7 +2017,7 @@ retval = krb5_copy_principal(kdc_context, request->client, &newp); if (retval) { - com_err("krb5kdc", retval, "copying client name for preauth probe"); + kdc_err(kdc_context, retval, "copying client name for preauth probe"); return retval; } @@ -2075,7 +2075,7 @@ if (retval) { char *sname; krb5_unparse_name(kdc_context, request->client, &sname); - com_err("krb5kdc", retval, + kdc_err(kdc_context, retval, "snk4 finding the enctype and key <%s>", sname); free(sname); return retval; @@ -2086,7 +2086,7 @@ assoc_key, &encrypting_key, NULL); if (retval) { - com_err("krb5kdc", retval, + kdc_err(kdc_context, retval, "snk4 pulling out key entry"); return retval; } 
@@ -2213,13 +2213,14 @@ if (retval) { /* random key failed */ - com_err("krb5kdc", retval,"generating random challenge for preauth"); + kdc_err(kdc_context, retval, + "generating random challenge for preauth"); return retval; } /* now session_key has a key which we can pick bits out of */ /* we need six decimal digits. Grab 6 bytes, div 2, mod 10 each. */ if (session_key.length != 8) { - com_err("krb5kdc", retval = KRB5KDC_ERR_ETYPE_NOSUPP, + kdc_err(kdc_context, retval = KRB5KDC_ERR_ETYPE_NOSUPP, "keytype didn't match code expectations"); return retval; } @@ -2236,9 +2237,8 @@ encrypting_key.enctype = ENCTYPE_DES_CBC_RAW; - if (retval) { - com_err("krb5kdc", retval, "snk4 processing key"); - } + if (retval) + kdc_err(kdc_context, retval, "snk4 processing key"); { krb5_data plain; @@ -2255,7 +2255,8 @@ if ((retval = krb5_c_encrypt(kdc_context, &encrypting_key, /* XXX */ 0, 0, &plain, &cipher))) { - com_err("krb5kdc", retval, "snk4 response generation failed"); + kdc_err(kdc_context, retval, + "snk4 response generation failed"); return retval; } } @@ -2389,7 +2390,7 @@ if ((retval = decode_krb5_sam_response(&scratch, &sr))) { scratch.data = 0; - com_err("krb5kdc", retval, "decode_krb5_sam_response failed"); + kdc_err(context, retval, "decode_krb5_sam_response failed"); goto cleanup; } @@ -2409,13 +2410,13 @@ if ((retval = krb5_c_decrypt(context, &psr_key, /* XXX */ 0, 0, &tmpdata, &scratch))) { - com_err("krb5kdc", retval, "decrypt track_id failed"); + kdc_err(context, retval, "decrypt track_id failed"); goto cleanup; } } if ((retval = decode_krb5_predicted_sam_response(&scratch, &psr))) { - com_err("krb5kdc", retval, + kdc_err(context, retval, "decode_krb5_predicted_sam_response failed -- replay attack?"); goto cleanup; } 
@@ -2426,7 +2427,7 @@ if ((retval = krb5_unparse_name(context, psr->client, &princ_psr))) goto cleanup; if (strcmp(princ_req, princ_psr) != 0) { - com_err("krb5kdc", retval = KRB5KDC_ERR_PREAUTH_FAILED, + kdc_err(context, retval = KRB5KDC_ERR_PREAUTH_FAILED, "Principal mismatch in SAM psr! -- replay attack?"); goto cleanup; } @@ -2444,7 +2445,7 @@ * psr's would be able to be replayed. */ if (timenow - psr->stime > rc_lifetime) { - com_err("krb5kdc", retval = KRB5KDC_ERR_PREAUTH_FAILED, + kdc_err(context, retval = KRB5KDC_ERR_PREAUTH_FAILED, "SAM psr came back too late! -- replay attack?"); goto cleanup; } @@ -2457,7 +2458,7 @@ rep.cusec = psr->susec; retval = krb5_rc_store(kdc_context, kdc_rcache, &rep); if (retval) { - com_err("krb5kdc", retval, "SAM psr replay attack!"); + kdc_err(kdc_context, retval, "SAM psr replay attack!"); goto cleanup; } } @@ -2474,13 +2475,13 @@ if ((retval = krb5_c_decrypt(context, &psr->sam_key, /* XXX */ 0, 0, &sr->sam_enc_nonce_or_ts, &scratch))) { - com_err("krb5kdc", retval, "decrypt nonce_or_ts failed"); + kdc_err(context, retval, "decrypt nonce_or_ts failed"); goto cleanup; } } if ((retval = decode_krb5_enc_sam_response_enc(&scratch, &esre))) { - com_err("krb5kdc", retval, "decode_krb5_enc_sam_response_enc failed"); + kdc_err(context, retval, "decode_krb5_enc_sam_response_enc failed"); goto cleanup; } @@ -2498,7 +2499,7 @@ cleanup: if (retval) - com_err("krb5kdc", retval, "sam verify failure"); + kdc_err(context, retval, "sam verify failure"); if (scratch.data) free(scratch.data); if (sr) free(sr); if (psr) free(psr); Modified: trunk/src/kdc/kdc_util.h =================================================================== --- trunk/src/kdc/kdc_util.h 2009-03-11 22:11:06 UTC (rev 22078) +++ trunk/src/kdc/kdc_util.h 2009-03-11 22:14:24 UTC (rev 22079) 
@@ -134,11 +134,12 @@ krb5_error_code kdc_initialize_rcache (krb5_context, char *); krb5_error_code setup_server_realm (krb5_principal); +void kdc_err(krb5_context call_context, errcode_t code, const char *fmt, ...); /* network.c */ -krb5_error_code listen_and_process (const char *); -krb5_error_code setup_network (const char *); -krb5_error_code closedown_network (const char *); +krb5_error_code listen_and_process (void); +krb5_error_code setup_network (void); +krb5_error_code closedown_network (void); /* policy.c */ int against_local_policy_as (krb5_kdc_req *, krb5_db_entry, Modified: trunk/src/kdc/main.c =================================================================== --- trunk/src/kdc/main.c 2009-03-11 22:11:06 UTC (rev 22078) +++ trunk/src/kdc/main.c 2009-03-11 22:14:24 UTC (rev 22079) @@ -86,7 +86,7 @@ void initialize_realms (krb5_context, int, char **); -void finish_realms (char *); +void finish_realms (void); static int nofork = 0; static int rkey_init_done = 0; @@ -97,7 +97,32 @@ #define KRB5_KDC_MAX_REALMS 32 +static krb5_context kdc_err_context; +static const char *kdc_progname; + /* + * We use krb5_klog_init to set up a com_err callback to log error + * messages. The callback also pulls the error message out of the + * context we pass to krb5_klog_init; however, we use realm-specific + * contexts for most of our krb5 library calls, so the error message + * isn't present in the global context. This wrapper ensures that the + * error message state from the call context is copied into the + * context known by krb5_klog. call_context can be NULL if the error + * code did not come from a krb5 library function. + */ +void +kdc_err(krb5_context call_context, errcode_t code, const char *fmt, ...) +{ + va_list ap; + + if (call_context) + krb5_copy_error_message(kdc_err_context, call_context); + va_start(ap, fmt); + com_err_va(kdc_progname, code, fmt, ap); + va_end(ap); +} + +/* * Find the realm entry for a given realm. */ kdc_realm_t * 
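Review bot: The new kdc_err prototype takes a printf-style format plus variadic arguments but carries no format attribute, so mismatches between format and arguments at the many converted call sites (for example the `%d` fed a krb5 length in network.c) will not be caught by -Wformat; on GCC-compatible compilers the declaration can be annotated along the lines of `__attribute__((__format__(__printf__, 3, 4)))`, behind whatever feature test this tree already uses for such attributes. The prototype also introduces `errcode_t` into kdc_util.h while the same commit drops the com_err.h include from do_tgs_req.c and network.c, so it now relies on k5-int.h (or an earlier include in kdc_util.h) providing that type; worth confirming rather than leaving it implicit.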
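Review bot: kdc_err reads the file-scope `kdc_err_context` and `kdc_progname`, which main assigns only after krb5_klog_init in the -830 hunk, yet init_realm (converted in the -257 hunk and called from option parsing in the -619 hunk) already routes its errors through kdc_err; if that parsing runs before those assignments, krb5_copy_error_message gets a NULL destination context and com_err_va a NULL program name. The hunks do not show where initialize_realms is invoked, so this may be fine in practice, but the ordering dependency deserves a guard or a comment. I would extend the header comment with `Must not be called before main() has set kdc_err_context and kdc_progname.` and make the copy conditional on `call_context && kdc_err_context`.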
@@ -237,10 +262,10 @@ * realm data and we should be all set to begin operation for that realm. */ static krb5_error_code -init_realm(char *progname, kdc_realm_t *rdp, char *realm, - char *def_mpname, krb5_enctype def_enctype, char *def_udp_ports, - char *def_tcp_ports, krb5_boolean def_manual, char **db_args, - char *no_refrls, char *host_based_srvcs) +init_realm(kdc_realm_t *rdp, char *realm, char *def_mpname, + krb5_enctype def_enctype, char *def_udp_ports, char *def_tcp_ports, + krb5_boolean def_manual, char **db_args, char *no_refrls, + char *host_based_srvcs) { krb5_error_code kret; krb5_boolean manual; @@ -257,15 +282,14 @@ rdp->realm_name = realm; kret = krb5int_init_context_kdc(&rdp->realm_context); if (kret) { - com_err(progname, kret, "while getting context for realm %s", - realm); + kdc_err(NULL, kret, "while getting context for realm %s", realm); goto whoops; } kret = krb5_read_realm_params(rdp->realm_context, rdp->realm_name, &rparams); if (kret) { - com_err(progname, kret, "while reading realm parameters"); + kdc_err(rdp->realm_context, kret, "while reading realm parameters"); goto whoops; } @@ -351,7 +375,7 @@ /* Set the default realm of this context */ if ((kret = krb5_set_default_realm(rdp->realm_context, realm))) { - com_err(progname, kret, "while setting default realm to %s", + kdc_err(rdp->realm_context, kret, "while setting default realm to %s", realm); goto whoops; } @@ -363,7 +387,7 @@ kdb_open_flags = KRB5_KDB_OPEN_RO | KRB5_KDB_SRV_TYPE_KDC; #endif if ((kret = krb5_db_open(rdp->realm_context, db_args, kdb_open_flags))) { - com_err(progname, kret, + kdc_err(rdp->realm_context, kret, "while initializing database for realm %s", realm); goto whoops; } 
@@ -372,7 +396,7 @@ if ((kret = krb5_db_setup_mkey_name(rdp->realm_context, rdp->realm_mpname, rdp->realm_name, (char **) NULL, &rdp->realm_mprinc))) { - com_err(progname, kret, + kdc_err(rdp->realm_context, kret, "while setting up master key name %s for realm %s", rdp->realm_mpname, realm); goto whoops; @@ -385,7 +409,7 @@ rdp->realm_mkey.enctype, manual, FALSE, rdp->realm_stash, &mkvno, NULL, &rdp->realm_mkey))) { - com_err(progname, kret, + kdc_err(rdp->realm_context, kret, "while fetching master key %s for realm %s", rdp->realm_mpname, realm); goto whoops; @@ -403,7 +427,7 @@ rdp->realm_mprinc, IGNORE_VNO, &rdp->realm_mkey))) { - com_err(progname, kret, + kdc_err(rdp->realm_context, kret, "while verifying master key for realm %s", realm); goto whoops; } @@ -411,13 +435,13 @@ if ((kret = krb5_db_fetch_mkey_list(rdp->realm_context, rdp->realm_mprinc, &rdp->realm_mkey, mkvno, &rdp->mkey_list))) { - com_err(progname, kret, + kdc_err(rdp->realm_context, kret, "while fetching master keys list for realm %s", realm); goto whoops; } if ((kret = krb5_db_set_mkey(rdp->realm_context, &rdp->realm_mkey))) { - com_err(progname, kret, + kdc_err(rdp->realm_context, kret, "while setting master key for realm %s", realm); goto whoops; } @@ -425,7 +449,7 @@ /* Set up the keytab */ if ((kret = krb5_ktkdb_resolve(rdp->realm_context, NULL, &rdp->realm_keytab))) { - com_err(progname, kret, + kdc_err(rdp->realm_context, kret, "while resolving kdb keytab for realm %s", realm); goto whoops; } @@ -434,7 +458,7 @@ if ((kret = krb5_build_principal(rdp->realm_context, &rdp->realm_tgsprinc, strlen(realm), realm, KRB5_TGS_NAME, realm, (char *) NULL))) { - com_err(progname, kret, + kdc_err(rdp->realm_context, kret, "while building TGS name for realm %s", realm); goto whoops; } 
@@ -619,9 +643,8 @@ case 'r': /* realm name for db */ if (!find_realm_data(optarg, (krb5_ui_4) strlen(optarg))) { if ((rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t)))) { - if ((retval = init_realm(argv[0], rdatap, optarg, - mkey_name, menctype, - default_udp_ports, + if ((retval = init_realm(rdatap, optarg, mkey_name, + menctype, default_udp_ports, default_tcp_ports, manual, db_args, no_refrls, host_based_srvcs))) { fprintf(stderr,"%s: cannot initialize realm %s - see log file for details\n", @@ -722,10 +745,10 @@ exit(1); } if ((rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t)))) { - if ((retval = init_realm(argv[0], rdatap, lrealm, - mkey_name, menctype, default_udp_ports, - default_tcp_ports, manual, db_args, - no_refrls, host_based_srvcs))) { + if ((retval = init_realm(rdatap, lrealm, mkey_name, menctype, + default_udp_ports, default_tcp_ports, + manual, db_args, no_refrls, + host_based_srvcs))) { fprintf(stderr,"%s: cannot initialize realm %s - see log file for details\n", argv[0], lrealm); exit(1); @@ -765,7 +788,7 @@ } void -finish_realms(char *prog) +finish_realms() { int i; @@ -830,8 +853,12 @@ exit(1); } krb5_klog_init(kcontext, "kdc", argv[0], 1); + kdc_err_context = kcontext; + kdc_progname = argv[0]; /* N.B.: After this point, com_err sends output to the KDC log - file, and not to stderr. */ + file, and not to stderr. We use the kdc_err wrapper around + com_err to ensure that the error state exists in the context + known to the krb5_klog callback. */ initialize_kdc5_error_table(); 
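Review bot: The definition `finish_realms()` in the -765 hunk uses an empty parameter list while the prototype changed in the -86 hunk says `(void)`; the empty form is the obsolescent unprototyped definition, and `finish_realms(void)` matches the declaration exactly. The same applies to `setup_network()`, `listen_and_process()` and `closedown_network()` in network.c, whose kdc_util.h declarations this commit changed to `(void)`.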
@@ -847,35 +874,35 @@ retval = setup_sam(); if (retval) { - com_err(argv[0], retval, "while initializing SAM"); - finish_realms(argv[0]); + kdc_err(kcontext, retval, "while initializing SAM"); + finish_realms(); return 1; } - if ((retval = setup_network(argv[0]))) { - com_err(argv[0], retval, "while initializing network"); - finish_realms(argv[0]); + if ((retval = setup_network())) { + kdc_err(kcontext, retval, "while initializing network"); + finish_realms(); return 1; } if (!nofork && daemon(0, 0)) { - com_err(argv[0], errno, "while detaching from tty"); - finish_realms(argv[0]); + kdc_err(kcontext, errno, "while detaching from tty"); + finish_realms(); return 1; } krb5_klog_syslog(LOG_INFO, "commencing operation"); - if ((retval = listen_and_process(argv[0]))) { - com_err(argv[0], retval, "while processing network requests"); + if ((retval = listen_and_process())) { + kdc_err(kcontext, retval, "while processing network requests"); errout++; } - if ((retval = closedown_network(argv[0]))) { - com_err(argv[0], retval, "while shutting down network"); + if ((retval = closedown_network())) { + kdc_err(kcontext, retval, "while shutting down network"); errout++; } krb5_klog_syslog(LOG_INFO, "shutting down"); unload_preauth_plugins(kcontext); unload_authdata_plugins(kcontext); krb5_klog_close(kdc_context); - finish_realms(argv[0]); + finish_realms(); if (kdc_realmlist) free(kdc_realmlist); #ifdef USE_RCACHE Modified: trunk/src/kdc/network.c =================================================================== --- trunk/src/kdc/network.c 2009-03-11 22:11:06 UTC (rev 22078) +++ trunk/src/kdc/network.c 2009-03-11 22:14:24 UTC (rev 22079) @@ -27,7 +27,6 @@ */ #include "k5-int.h" -#include "com_err.h" #include "kdc_util.h" #include "extern.h" #include "kdc5_err.h" 
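Review bot: Every kdc_err call in the -847 hunk passes `kcontext`, which the -830 hunk has just stored as `kdc_err_context`, so kdc_err calls krb5_copy_error_message with the same context as source and destination. That is harmless only if the library short-circuits the dest == src case, which I believe it does but the hunk cannot show; passing NULL here, as the network.c call sites do, sidesteps the question, and for the `errno` value after daemon() the copy carries no krb5 error state anyway, e.g. `kdc_err(NULL, errno, "while detaching from tty");`.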
@@ -184,7 +183,7 @@ struct connection { int fd; enum conn_type type; - void (*service)(struct connection *, const char *, int); + void (*service)(struct connection *, int); union { /* Type-specific information. */ struct { @@ -300,7 +299,6 @@ #include "foreachaddr.h" struct socksetup { - const char *prog; krb5_error_code retval; int udp_flags; #define UDP_DO_IPV4 1 @@ -309,7 +307,7 @@ static struct connection * add_fd (struct socksetup *data, int sock, enum conn_type conntype, - void (*service)(struct connection *, const char *, int)) + void (*service)(struct connection *, int)) { struct connection *newconn; void *tmp; @@ -317,21 +315,19 @@ #ifndef _WIN32 if (sock >= FD_SETSIZE) { data->retval = EMFILE; /* XXX */ - com_err(data->prog, 0, - "file descriptor number %d too high", sock); + kdc_err(NULL, 0, "file descriptor number %d too high", sock); return 0; } #endif newconn = malloc(sizeof(*newconn)); if (newconn == 0) { data->retval = ENOMEM; - com_err(data->prog, ENOMEM, - "cannot allocate storage for connection info"); + kdc_err(NULL, ENOMEM, "cannot allocate storage for connection info"); return 0; } if (!ADD(connections, newconn, tmp)) { data->retval = ENOMEM; - com_err(data->prog, ENOMEM, "cannot save socket info"); + kdc_err(NULL, ENOMEM, "cannot save socket info"); free(newconn); return 0; } @@ -343,9 +339,9 @@ return newconn; } -static void process_packet(struct connection *, const char *, int); -static void accept_tcp_connection(struct connection *, const char *, int); -static void process_tcp_connection(struct connection *, const char *, int); +static void process_packet(struct connection *, int); +static void accept_tcp_connection(struct connection *, int); +static void process_tcp_connection(struct connection *, int); static struct connection * add_udp_fd (struct socksetup *data, int sock, int pktinfo) 
@@ -409,7 +405,7 @@ sock = socket(addr->sa_family, SOCK_STREAM, 0); if (sock == -1) { - com_err(data->prog, errno, "Cannot create TCP server socket on %s", + kdc_err(NULL, errno, "Cannot create TCP server socket on %s", paddr(addr)); return -1; } @@ -417,49 +413,46 @@ #ifndef _WIN32 if (sock >= FD_SETSIZE) { close(sock); - com_err(data->prog, 0, "TCP socket fd number %d (for %s) too high", + kdc_err(NULL, 0, "TCP socket fd number %d (for %s) too high", sock, paddr(addr)); return -1; } #endif if (setreuseaddr(sock, 1) < 0) - com_err(data->prog, errno, - "Cannot enable SO_REUSEADDR on fd %d", sock); + kdc_err(NULL, errno, "Cannot enable SO_REUSEADDR on fd %d", sock); #ifdef KRB5_USE_INET6 if (addr->sa_family == AF_INET6) { #ifdef IPV6_V6ONLY if (setv6only(sock, 1)) - com_err(data->prog, errno, "setsockopt(%d,IPV6_V6ONLY,1) failed", - sock); + kdc_err(NULL, errno, "setsockopt(%d,IPV6_V6ONLY,1) failed", sock); else - com_err(data->prog, 0, "setsockopt(%d,IPV6_V6ONLY,1) worked", - sock); + kdc_err(NULL, 0, "setsockopt(%d,IPV6_V6ONLY,1) worked", sock); #else krb5_klog_syslog(LOG_INFO, "no IPV6_V6ONLY socket option support"); #endif /* IPV6_V6ONLY */ } #endif /* KRB5_USE_INET6 */ if (bind(sock, addr, socklen(addr)) == -1) { - com_err(data->prog, errno, - "Cannot bind TCP server socket on %s", paddr(addr)); + kdc_err(NULL, errno, "Cannot bind TCP server socket on %s", + paddr(addr)); close(sock); return -1; } if (listen(sock, 5) < 0) { - com_err(data->prog, errno, "Cannot listen on TCP server socket on %s", + kdc_err(NULL, errno, "Cannot listen on TCP server socket on %s", paddr(addr)); close(sock); return -1; } if (setnbio(sock)) { - com_err(data->prog, errno, + kdc_err(NULL, errno, "cannot set listening tcp socket on %s non-blocking", paddr(addr)); close(sock); return -1; } if (setnolinger(sock)) { - com_err(data->prog, errno, "disabling SO_LINGER on TCP socket on %s", + kdc_err(NULL, errno, "disabling SO_LINGER on TCP socket on %s", paddr(addr)); close(sock); return -1; 
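Review bot: The success branch `kdc_err(NULL, 0, "setsockopt(%d,IPV6_V6ONLY,1) worked", sock);` in the -417 hunk reports an informational event through the error wrapper with code 0, which presumably reaches the klog callback as an error-level entry, while the `#else` branch two lines below logs its equally informational message with `krb5_klog_syslog(LOG_INFO, ...)`. The conversion preserves the old com_err behaviour, but it is the natural moment to make the success path `krb5_klog_syslog(LOG_INFO, "setsockopt(%d,IPV6_V6ONLY,1) worked", sock);`; the same pattern recurs in the UDP setup hunk at -627.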
@@ -617,7 +610,7 @@ sock = socket (addr->sa_family, SOCK_DGRAM, 0); if (sock == -1) { data->retval = errno; - com_err(data->prog, data->retval, + kdc_err(NULL, data->retval, "Cannot create server socket for port %d address %s", port, haddrbuf); return 1; @@ -627,11 +620,10 @@ if (addr->sa_family == AF_INET6) { #ifdef IPV6_V6ONLY if (setv6only(sock, 1)) - com_err(data->prog, errno, - "setsockopt(%d,IPV6_V6ONLY,1) failed", sock); - else - com_err(data->prog, 0, "setsockopt(%d,IPV6_V6ONLY,1) worked", + kdc_err(NULL, errno, "setsockopt(%d,IPV6_V6ONLY,1) failed", sock); + else + kdc_err(NULL, 0, "setsockopt(%d,IPV6_V6ONLY,1) worked", sock); #else krb5_klog_syslog(LOG_INFO, "no IPV6_V6ONLY socket option support"); #endif /* IPV6_V6ONLY */ @@ -640,7 +632,7 @@ set_sa_port(addr, htons(port)); if (bind (sock, (struct sockaddr *)addr, socklen (addr)) == -1) { data->retval = errno; - com_err(data->prog, data->retval, + kdc_err(NULL, data->retval, "Cannot bind server socket to port %d address %s", port, haddrbuf); close(sock); @@ -652,7 +644,7 @@ if (pktinfo) { r = set_pktinfo(sock, addr->sa_family); if (r) { - com_err(data->prog, r, + kdc_err(NULL, r, "Cannot request packet info for udp socket address %s port %d", haddrbuf, port); close(sock); @@ -803,8 +795,7 @@ } } -static void process_routing_update(struct connection *conn, const char *prog, - int selflags) +static void process_routing_update(struct connection *conn, int selflags) { int n_read; struct rt_msghdr rtm; @@ -902,7 +893,7 @@ extern void (*krb5int_sendtokdc_debug_handler)(const void*, size_t); krb5_error_code -setup_network(const char *prog) +setup_network() { struct socksetup setup_data; krb5_error_code retval; @@ -948,7 +939,6 @@ } } - setup_data.prog = prog; setup_data.retval = 0; krb5_klog_syslog (LOG_INFO, "setting up network..."); #ifdef HAVE_STRUCT_RT_MSGHDR 
@@ -968,7 +958,7 @@ setup_tcp_listener_ports(&setup_data); krb5_klog_syslog (LOG_INFO, "set up %d sockets", n_sockets); if (n_sockets == 0) { - com_err(prog, 0, "no sockets set up?"); + kdc_err(NULL, 0, "no sockets set up?"); exit (1); } @@ -1198,8 +1188,7 @@ return 0; } -static void process_packet(struct connection *conn, const char *prog, - int selflags) +static void process_packet(struct connection *conn, int selflags) { int cc; socklen_t saddr_len, daddr_len; @@ -1225,7 +1214,7 @@ before getting the response packet. */ && errno != ECONNREFUSED ) - com_err(prog, errno, "while receiving from network"); + kdc_err(NULL, errno, "while receiving from network"); return; } if (!cc) @@ -1237,7 +1226,7 @@ if (getnameinfo(ss2sa(&daddr), daddr_len, addrbuf, sizeof(addrbuf), 0, 0, NI_NUMERICHOST)) strlcpy(addrbuf, "?", sizeof(addrbuf)); - com_err(prog, 0, "pktinfo says local addr is %s", addrbuf); + kdc_err(NULL, 0, "pktinfo says local addr is %s", addrbuf); } #endif @@ -1247,7 +1236,7 @@ init_addr(&faddr, ss2sa(&saddr)); /* this address is in net order */ if ((retval = dispatch(&request, &faddr, &response))) { - com_err(prog, retval, "while dispatching (udp)"); + kdc_err(NULL, retval, "while dispatching (udp)"); return; } if (response == NULL) @@ -1272,12 +1261,12 @@ addr.contents, addrbuf, sizeof(addrbuf)) == 0) { strlcpy(addrbuf, "?", sizeof(addrbuf)); } - com_err(prog, errno, "while sending reply to %s/%d", + kdc_err(NULL, errno, "while sending reply to %s/%d", addrbuf, faddr.port); return; } if (cc != response->length) { - com_err(prog, 0, "short reply write %d vs %d\n", + kdc_err(NULL, 0, "short reply write %d vs %d\n", response->length, cc); } krb5_free_data(kdc_context, response); @@ -1289,8 +1278,7 @@ static void kill_tcp_connection(struct connection *); -static void accept_tcp_connection(struct connection *conn, const char *prog, - int selflags) +static void accept_tcp_connection(struct connection *conn, int selflags) { int s; struct sockaddr_storage addr_s; 
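Review bot: The new line `kdc_err(NULL, 0, "short reply write %d vs %d\n", response->length, cc);` in the -1272 hunk keeps a trailing `\n` in the message even though com_err-style output terminates the line itself, so this entry likely lands in the log with an extra blank line; no other message converted in this commit carries one. While touching the line, if `response` is the krb5_data that krb5_free_data releases just below, its length is unsigned and `%u` would match it, whereas `cc` is the `int` declared in the -1198 hunk.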
@@ -1312,7 +1300,6 @@ #endif setnbio(s), setnolinger(s), setkeepalive(s); - sockdata.prog = prog; sockdata.retval = 0; newconn = add_tcp_data_fd(&sockdata, s); @@ -1372,7 +1359,7 @@ } } if (newconn->u.tcp.buffer == 0) { - com_err(prog, errno, "allocating buffer for new TCP session from %s", + kdc_err(NULL, errno, "allocating buffer for new TCP session from %s", newconn->u.tcp.addrbuf); delete_fd(newconn); close(s); @@ -1456,7 +1443,7 @@ } static void -process_tcp_connection(struct connection *conn, const char *prog, int selflags) +process_tcp_connection(struct connection *conn, int selflags) { if (selflags & SSF_WRITE) { ssize_t nwrote; @@ -1556,7 +1543,7 @@ err = dispatch(&request, &conn->u.tcp.faddr, &conn->u.tcp.response); if (err) { - com_err(prog, err, "while dispatching (tcp)"); + kdc_err(NULL, err, "while dispatching (tcp)"); goto kill_tcp_connection; } have_response: @@ -1572,10 +1559,9 @@ kill_tcp_connection(conn); } -static void service_conn(struct connection *conn, const char *prog, - int selflags) +static void service_conn(struct connection *conn, int selflags) { - conn->service(conn, prog, selflags); + conn->service(conn, selflags); } /* from sendto_kdc.c */ @@ -1593,7 +1579,7 @@ } krb5_error_code -listen_and_process(const char *prog) +listen_and_process() { int nfound; /* This struct contains 3 fd_set objects; on some platforms, they @@ -1627,7 +1613,7 @@ big deal. */ err = getcurtime(&sstate.end_time); if (err) { - com_err(prog, err, "while getting the time"); + kdc_err(NULL, err, "while getting the time"); continue; } sstate.end_time.tv_sec += 3; 
@@ -1638,22 +1624,22 @@ err = krb5int_cm_call_select(&sstate, &sout, &sret); if (err) { if (err != EINTR) - com_err(prog, err, "while selecting for network input(1)"); + kdc_err(NULL, err, "while selecting for network input(1)"); continue; } if (sret == 0 && netchanged) { network_reconfiguration_needed = 0; - closedown_network(prog); - err = setup_network(prog); + closedown_network(); + err = setup_network(); if (err) { - com_err(prog, err, "while reinitializing network"); + kdc_err(NULL, err, "while reinitializing network"); return err; } netchanged = 0; } if (sret == -1) { if (errno != EINTR) - com_err(prog, errno, "while selecting for network input(2)"); + kdc_err(NULL, errno, "while selecting for network input(2)"); continue; } nfound = sret; @@ -1666,7 +1652,7 @@ if (FD_ISSET(conns[i]->fd, &sout.wfds)) sflags |= SSF_WRITE, nfound--; if (sflags) - service_conn(conns[i], prog, sflags); + service_conn(conns[i], sflags); } } krb5_klog_syslog(LOG_INFO, "shutdown signal received"); @@ -1674,7 +1660,7 @@ } krb5_error_code -closedown_network(const char *prog) +closedown_network() { int i; struct connection *conn; From raeburn at MIT.EDU Wed Mar 11 22:07:27 2009 
From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Wed, 11 Mar 2009 22:07:27 -0400 Subject: svn rev #22080: tools/gssmonger/trunk/ gssmaggot/ gssmaster/ include/ Message-ID: <200903120207.n2C27RcM007737@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22080 Commit By: raeburn Log Message: Make WrapEx support a capability flag reported by the maggot. Set that flag if not using SSPI (for which the test code hasn't been written yet). Create a context flag to indicate that all parties indicate WrapEx capability. (This check may be too strict.) Only run the WrapEx test if the context flag is set. Also fix a recent bug that disabled the WrapEx tests in the default case. Changed Files: U tools/gssmonger/trunk/gssmaggot/handlers.c U tools/gssmonger/trunk/gssmaster/combos.c U tools/gssmonger/trunk/gssmaster/interfere.c U tools/gssmonger/trunk/include/mapvals.h Modified: tools/gssmonger/trunk/gssmaggot/handlers.c =================================================================== --- tools/gssmonger/trunk/gssmaggot/handlers.c 2009-03-11 22:14:24 UTC (rev 22079) +++ tools/gssmonger/trunk/gssmaggot/handlers.c 2009-03-12 02:07:26 UTC (rev 22080) @@ -1748,6 +1748,11 @@ Capabilities |= GSMCAP_MS_KERBEROS; #endif + /* XXX Should tie this to actual capabilities. */ +#ifndef USE_SSPI /* haven't written the SSPI version yet */ + Capabilities |= GSMCAP_HAS_WRAPEX; +#endif + if ( !VersionString ) { CHAR OsVersion[ 255 ]; Modified: tools/gssmonger/trunk/gssmaster/combos.c =================================================================== --- tools/gssmonger/trunk/gssmaster/combos.c 2009-03-11 22:14:24 UTC (rev 22079) +++ tools/gssmonger/trunk/gssmaster/combos.c 2009-03-12 02:07:26 UTC (rev 22080) @@ -313,7 +313,6 @@ **************************************************************--*/ - BOOL IterateOverServers( IN PTESTARGS pArgs, IN PGSSCONTEXT pDelegatingContext, 
@@ -403,6 +402,13 @@ ContextArgs.GsmTestFlags = 0; #endif + if ( pArgs->pSlaves[ iServer ].VersionCaps & + GSMCAP_HAS_WRAPEX ) + /* Tentative - may be cleared below. */ + ContextArgs.ContextFlags |= GSMFLAG_WRAPEX; + else + ContextArgs.ContextFlags &= ~GSMFLAG_WRAPEX; + if ( pDelegatingContext ) { /* Delegating from the previous server to this client. */ @@ -413,6 +419,9 @@ ContextArgs.ClientPrincipal = (LPSTR) (DWORD_PTR) 0xdeadbeef; ContextArgs.ClientPassword = ContextArgs.ClientPrincipal; + if ( !(pDelegatingContext->ContextFlags & GSMFLAG_WRAPEX ) ) + ContextArgs.ContextFlags &= ~GSMFLAG_WRAPEX; + } else { hActualClient = pArgs->pSlaves[ iClient ].hServer; @@ -433,6 +442,10 @@ ContextArgs.ContextFlags |= GSMFLAG_MUTUAL_AUTH; } + if ( !(pArgs->pSlaves[ iClient ].VersionCaps & + GSMCAP_HAS_WRAPEX ) ) { + ContextArgs.ContextFlags &= ~GSMFLAG_WRAPEX; + } } Modified: tools/gssmonger/trunk/gssmaster/interfere.c =================================================================== --- tools/gssmonger/trunk/gssmaster/interfere.c 2009-03-11 22:14:24 UTC (rev 22079) +++ tools/gssmonger/trunk/gssmaster/interfere.c 2009-03-12 02:07:26 UTC (rev 22080) @@ -101,7 +101,8 @@ ULONG iWhichMessages = ( MESSAGETEST_ENCRYPT | MESSAGETEST_WRAPPED | - MESSAGETEST_SIGNED ); + MESSAGETEST_SIGNED | + MESSAGETEST_WRAPEX ); //////////////////////////////////////////////////////////// @@ -753,8 +754,8 @@ ServerSignBinary }, { "WrapEx", - GSMFLAG_CONFIDENTIALITY, - MESSAGETEST_ENCRYPT, + GSMFLAG_WRAPEX, + MESSAGETEST_WRAPEX, EncodeIOVMessage, DecodeIOVMessage, "encrypting", 
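Review bot: In the -403 hunk the `if` body is separated from its condition by the comment line `/* Tentative - may be cleared below. */` and neither branch is braced, which is exactly the shape that invites a mis-nested statement when someone extends either branch; brace both branches and move the comment above the `if`. The later clears in the -413 and -433 hunks make the flag's final value depend on three separate sites, so a one-line summary above the first, `/* GSMFLAG_WRAPEX survives only if server, client and any delegating context all report GSMCAP_HAS_WRAPEX. */`, would help the next reader.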
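Review bot: The WrapEx table entry in the -753 hunk now requires only GSMFLAG_WRAPEX and no longer GSMFLAG_CONFIDENTIALITY, yet its description is still "encrypting" and EncodeIOVMessage presumably requests confidentiality, so a context negotiated without confidentiality would now run the encrypting test. If the flag field is evaluated as a mask, as the `iWhichMessages &` test in the -876 hunk does for the other field, `GSMFLAG_WRAPEX | GSMFLAG_CONFIDENTIALITY` would keep both requirements; the hunk does not show how that field is evaluated, so this may be intended.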
@@ -876,7 +877,7 @@ if ( !( iWhichMessages & MessageTests[ iMessage ].iMessageFlag ) ) continue; - + // otherwise, run with it: // copy the glue for the API: Modified: tools/gssmonger/trunk/include/mapvals.h =================================================================== --- tools/gssmonger/trunk/include/mapvals.h 2009-03-11 22:14:24 UTC (rev 22079) +++ tools/gssmonger/trunk/include/mapvals.h 2009-03-12 02:07:26 UTC (rev 22080) @@ -122,6 +122,10 @@ #define GSMSSPI_PACKAGE_NTLM 0x100 #define GSMSSPI_PACKAGE_SPNEGO 0x200 +/* Set if both parties can support WrapEx tests. */ +#define GSMFLAG_WRAPEX 0x400 + + /*------------------------------------------------------------ CAPABILITY FLAGS (returned by the eGetVersionAndCapabilities) ------------------------------------------------------------*/ @@ -163,8 +167,9 @@ 1.2.3.4 is as opposed to 1.3.2.4. Remembering "Windows Client" and "Unix Box" is much easier. */ - - + +#define GSMCAP_HAS_WRAPEX 0x20 /* I can do GSSWrapEx. */ + /*------------------------------------------------------------ ACQUIRE flags (passed to eAcquireCreds) ------------------------------------------------------------*/ From raeburn at MIT.EDU Thu Mar 12 12:48:16 2009 
From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Thu, 12 Mar 2009 12:48:16 -0400 Subject: svn rev #22081: trunk/src/lib/gssapi/krb5/ Message-ID: <200903121648.n2CGmGYK016125@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22081 Commit By: raeburn Log Message: ticket: 6412 subject: crash using library-allocated storage for header in wrap_iov target_version: 1.7 tags: pullup When allocating storage for the header buffer, update the internal output buffer pointer as well. Changed Files: U trunk/src/lib/gssapi/krb5/k5sealv3iov.c Modified: trunk/src/lib/gssapi/krb5/k5sealv3iov.c =================================================================== --- trunk/src/lib/gssapi/krb5/k5sealv3iov.c 2009-03-12 02:07:26 UTC (rev 22080) +++ trunk/src/lib/gssapi/krb5/k5sealv3iov.c 2009-03-12 16:48:15 UTC (rev 22081) @@ -129,9 +129,10 @@ gss_headerlen += gss_trailerlen; } - if (header->type & GSS_IOV_BUFFER_FLAG_ALLOCATE) + if (header->type & GSS_IOV_BUFFER_FLAG_ALLOCATE) { code = kg_allocate_iov(header, (size_t) gss_headerlen); - else if (header->buffer.length < gss_headerlen) + outbuf = (unsigned char *)header->buffer.value; + } else if (header->buffer.length < gss_headerlen) code = KRB5_BAD_MSIZE; if (code != 0) goto cleanup; From raeburn at MIT.EDU Thu Mar 12 18:06:35 2009 
From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Thu, 12 Mar 2009 18:06:35 -0400 Subject: svn rev #22082: trunk/src/lib/gssapi/krb5/ Message-ID: <200903122206.n2CM6Z5i003448@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22082 Commit By: raeburn Log Message: ticket: 6412 tags: pullup Better fix: Delay setting 'outbuf' until after the header buffer might have been allocated locally, and set it in both code paths instead of just the confidentiality-requested code path. Changed Files: U trunk/src/lib/gssapi/krb5/k5sealv3iov.c Modified: trunk/src/lib/gssapi/krb5/k5sealv3iov.c =================================================================== --- trunk/src/lib/gssapi/krb5/k5sealv3iov.c 2009-03-12 16:48:15 UTC (rev 22081) +++ trunk/src/lib/gssapi/krb5/k5sealv3iov.c 2009-03-12 22:06:35 UTC (rev 22082) @@ -90,8 +90,6 @@ trailer = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER); - outbuf = (unsigned char *)header->buffer.value; - if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) { unsigned int k5_headerlen, k5_trailerlen, k5_padlen; size_t ec = 0; @@ -131,11 +129,11 @@ if (header->type & GSS_IOV_BUFFER_FLAG_ALLOCATE) { code = kg_allocate_iov(header, (size_t) gss_headerlen); - outbuf = (unsigned char *)header->buffer.value; } else if (header->buffer.length < gss_headerlen) code = KRB5_BAD_MSIZE; if (code != 0) goto cleanup; + outbuf = (unsigned char *)header->buffer.value; header->buffer.length = (size_t) gss_headerlen; if (trailer != NULL) { @@ -205,6 +203,7 @@ code = KRB5_BAD_MSIZE; if (code != 0) goto cleanup; + outbuf = (unsigned char *)header->buffer.value; header->buffer.length = (size_t) gss_headerlen; if (trailer != NULL) { From ghudson at MIT.EDU Thu Mar 12 23:10:13 2009 
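Review bot: With the early assignment removed in the -90 hunk, `outbuf` stays uninitialized until the per-path assignments added in the -131 and -205 hunks, which follow the size check; any use of outbuf in the length computations between those points (not visible here) would now read an indeterminate pointer. Initializing it at its declaration, `unsigned char *outbuf = NULL;`, turns such a use into a reproducible fault instead of silent memory corruption and makes the deferred assignment's intent explicit.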
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Thu, 12 Mar 2009 23:10:13 -0400 Subject: svn rev #22083: trunk/src/lib/krb5/krb/ Message-ID: <200903130310.n2D3ADqw022739@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22083 Commit By: ghudson Log Message: ticket: 6415 subject: Use correct salt for canonicalized principals target_version: 1.7 tags: pullup In cases where the salt is derived from the client principal, use the canonicalized principal received from the KDC to determine the salt. Further changes are probably required for some preauth cases. Changed Files: U trunk/src/lib/krb5/krb/get_in_tkt.c Modified: trunk/src/lib/krb5/krb/get_in_tkt.c =================================================================== --- trunk/src/lib/krb5/krb/get_in_tkt.c 2009-03-12 22:06:35 UTC (rev 22082) +++ trunk/src/lib/krb5/krb/get_in_tkt.c 2009-03-13 03:10:12 UTC (rev 22083) @@ -254,7 +254,13 @@ if (key) decrypt_key = key; else { - if ((retval = krb5_principal2salt(context, request->client, &salt))) + /* + * Use salt corresponding to the client principal supplied by + * the KDC, which may differ from the requested principal if + * canonicalization is in effect. We will check + * as_reply->client later in verify_as_reply. + */ + if ((retval = krb5_principal2salt(context, as_reply->client, &salt))) return(retval); retval = (*key_proc)(context, as_reply->enc_part.enctype, 
@@ -1385,6 +1391,22 @@ goto cleanup; } + /* + * If we haven't gotten a salt from another source yet, set up one + * corresponding to the client principal returned by the KDC. We + * could get the same effect by passing local_as_reply->client to + * gak_fct below, but that would put the canonicalized client name + * in the prompt, which raises issues of needing to sanitize + * unprintable characters. So for now we just let it affect the + * salt. local_as_reply->client will be checked later on in + * verify_as_reply. + */ + if (salt.length == SALT_TYPE_AFS_LENGTH && salt.data == NULL) { + ret = krb5_principal2salt(context, local_as_reply->client, &salt); + if (ret) + goto cleanup; + } + /* XXX For 1.1.1 and prior KDC's, when SAM is used w/ USE_SAD_AS_KEY, the AS_REP comes back encrypted in the user's longterm key instead of in the SAD. If there was a SAM preauth, there From tlyu at MIT.EDU Fri Mar 13 17:16:15 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Fri, 13 Mar 2009 17:16:15 -0400 Subject: svn rev #22084: trunk/src/lib/gssapi/spnego/ Message-ID: <200903132116.n2DLGFoT021936@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22084 Commit By: tlyu Log Message: ticket: 6417 subject: CVE-2009-0845 SPNEGO can dereference a null pointer tags: pullup target_version: 1.7 acc_ctx_new() can return an error condition without establishing a SPNEGO context structure. This can cause a null pointer dereference in cleanup code in spnego_gss_accept_sec_context(). Changed Files: U trunk/src/lib/gssapi/spnego/spnego_mech.c Modified: trunk/src/lib/gssapi/spnego/spnego_mech.c =================================================================== --- trunk/src/lib/gssapi/spnego/spnego_mech.c 2009-03-13 03:10:12 UTC (rev 22083) +++ trunk/src/lib/gssapi/spnego/spnego_mech.c 2009-03-13 21:16:14 UTC (rev 22084) 
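Review bot: The new block allocates `salt.data` through krb5_principal2salt, but the hunk does not show the cleanup path releasing it, and the test `salt.length == SALT_TYPE_AFS_LENGTH && salt.data == NULL` relies on that pair being the "no salt yet" sentinel rather than on a named predicate. Confirm that cleanup frees salt.data for this path, since salt obtained from another source may be owned differently, and spell out the sentinel in the comment, e.g. `/* salt still holds its initial sentinel (length SALT_TYPE_AFS_LENGTH, data NULL): nothing else supplied one */`. This reads the client name from the not-yet-verified AS-REP; the comment correctly defers that to verify_as_reply, and a wrong salt only makes decryption fail, so the dependency is acceptable but worth keeping visible. The enclosing function starts outside the hunk.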
@@ -1650,7 +1650,8 @@ &negState, &return_token); } cleanup: - if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) { + if (return_token == INIT_TOKEN_SEND || + return_token == CONT_TOKEN_SEND) { /* For acceptor-sends-first send a tokenInit */ int tmpret; From raeburn at MIT.EDU Fri Mar 13 19:03:01 2009 From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Fri, 13 Mar 2009 19:03:01 -0400 Subject: svn rev #22085: tools/gssmonger/trunk/ gssmaggot/ gssmaster/ include/ Message-ID: <200903132303.n2DN31qN027993@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22085 Commit By: raeburn Log Message: Tweak WrapEx message to include a confidentiality flag, and send it from the master. Changed Files: U tools/gssmonger/trunk/gssmaggot/gssapi.c U tools/gssmonger/trunk/gssmaggot/handlers.c U tools/gssmonger/trunk/gssmaster/clientapis.c U tools/gssmonger/trunk/include/helpers.h Modified: tools/gssmonger/trunk/gssmaggot/gssapi.c =================================================================== --- tools/gssmonger/trunk/gssmaggot/gssapi.c 2009-03-13 21:16:14 UTC (rev 22084) +++ tools/gssmonger/trunk/gssmaggot/gssapi.c 2009-03-13 23:03:00 UTC (rev 22085) @@ -994,6 +994,7 @@ IN PHCTXT phContext, IN ULONG Flags, IN ULONG SeqNo, + IN ULONG Conf, IN PVOID Message1, IN ULONG cbMessage1, IN PVOID Message2, @@ -1011,7 +1012,7 @@ GSSERRTYPE minor = 0; ULONG ulRet = GSMERR_TEST_ISSUE; gss_iov_buffer_desc Buffers[5] = { { 0 } }; - int conf = 1; + int conf = Conf; UNUSED_PARAMETER( Flags ); UNUSED_PARAMETER( SeqNo ); @@ -1035,7 +1036,7 @@ */ ulRet = gss_wrap_iov ( &minor, *phContext, - 1, /* conf */ + conf, /* conf */ GSS_C_QOP_DEFAULT, &conf, Buffers, Modified: tools/gssmonger/trunk/gssmaggot/handlers.c =================================================================== --- tools/gssmonger/trunk/gssmaggot/handlers.c 2009-03-13 21:16:14 UTC (rev 22084) +++ tools/gssmonger/trunk/gssmaggot/handlers.c 2009-03-13 23:03:00 UTC (rev 22085) 
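Review bot: The new condition avoids the null dereference by relying on an implicit link between `return_token` and the SPNEGO context having been established, but nothing in the hunk makes that invariant visible, so a future send-token state could reintroduce the crash. An explicit guard, `if (sc != NULL && (return_token == INIT_TOKEN_SEND || return_token == CONT_TOKEN_SEND)) {`, or an `assert(sc != NULL)` as the first statement of the block, would tie the check to the actual precondition. The old test also admitted any other state such as ERROR_TOKEN_SEND, which this branch no longer covers; confirm an error token is still emitted on that path in code outside the hunk. The cleanup block extends beyond the hunk.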
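Review bot: In the gssapi.c @@ -1011 and @@ -1035 hunks, `int conf = Conf;` serves both as the confidentiality request passed by value to gss_wrap_iov and, through `&conf`, as its conf_state output, so after the call the harness can no longer compare what was requested with what the mechanism delivered — for a test tool that mismatch is exactly the thing worth detecting. Keep them apart: `int conf_req = (Conf != 0);` for the third argument and `int conf_state = 0;` for the `&conf` argument, then log or fail when `conf_req && !conf_state`. The `(Conf != 0)` form also avoids silently narrowing a ULONG into an int. The function body continues outside the hunks.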
@@ -1357,7 +1357,7 @@ HandleWrapEx( IN PPROTOCOL_CALLBACK_ARGS pArgs ) { ULONG ulRet = GSMERR_OK; - ULONG ulContextId, Flags, SeqNo; + ULONG ulContextId, Flags, SeqNo, Conf; LPSTR PlainText1, PlainText2; PVOID pvCipher = NULL, pvHeader = NULL, pvPad = NULL, pvTrailer = NULL; ULONG cbCipher = 0, cbString1 = 0, cbString2 = 0, cbPad = 0, cbHeader = 0, cbTrailer = 0; @@ -1368,6 +1368,7 @@ { "ContextId", sizeof( ulContextId ), &ulContextId, NETARG_NUMBER }, { "Flags", sizeof( Flags ), &Flags, NETARG_NUMBER }, { "SeqNo", sizeof( SeqNo ), &SeqNo, NETARG_NUMBER }, + { "Conf", sizeof( Conf ), &Conf, NETARG_NUMBER }, { "Plaintext1", 0, NULL, /* unknown size */ @@ -1412,6 +1413,7 @@ phContext, Flags, SeqNo, + Conf, PlainText1, cbString1, PlainText2, Modified: tools/gssmonger/trunk/gssmaster/clientapis.c =================================================================== --- tools/gssmonger/trunk/gssmaster/clientapis.c 2009-03-13 21:16:14 UTC (rev 22084) +++ tools/gssmonger/trunk/gssmaster/clientapis.c 2009-03-13 23:03:00 UTC (rev 22085) @@ -915,11 +915,13 @@ OUT PULONG pcbTrailer ) { ULONG ret = GSMERR_OK; + ULONG Conf = 1; NETARGENTRY InputEntries[] = { { "ContextId", sizeof( ulContextId ), &ulContextId, NETARG_NUMBER }, { "Flags", sizeof( Flags ), &Flags, NETARG_NUMBER }, { "SeqNo", sizeof( SeqNo ), &SeqNo, NETARG_NUMBER }, + { "Conf", sizeof( Conf ), &Conf, NETARG_NUMBER }, { "Plaintext", cbPlain, pvPlain, ( NETARG_GENERIC | NETARG_LENGTH_ENCODE ) }, { "Sign-only", cbSign, pvSign, ( NETARG_GENERIC | Modified: tools/gssmonger/trunk/include/helpers.h =================================================================== --- tools/gssmonger/trunk/include/helpers.h 2009-03-13 21:16:14 UTC (rev 22084) +++ tools/gssmonger/trunk/include/helpers.h 2009-03-13 23:03:00 UTC (rev 22085) @@ -187,6 +187,7 @@ IN PHCTXT phContext, IN ULONG Flags, IN ULONG SeqNo, + IN ULONG Conf, IN PVOID Message1, IN ULONG cbMessage1, IN PVOID Message2, 
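Review bot: `Conf` is declared uninitialised alongside `ulContextId, Flags, SeqNo` and is then passed straight to DoWrapEx, so if the argument parser tolerates a missing "Conf" field (a master built before this change would not send one) the call reads an indeterminate value, which is undefined behaviour and would select confidentiality at random. Unless the parser is known to fail on a missing entry, initialise it to the previous default: `ULONG ulContextId, Flags, SeqNo, Conf = 1;`. The clientapis.c hunk hard-codes `Conf = 1` on the master side, so current traffic keeps the old behaviour either way. HandleWrapEx's body extends beyond the three hunks.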
@@ -201,24 +202,25 @@ OUT PVOID *ppvTrailer, OUT PULONG pcbTrailer ); ULONG -DoWrapEx( IN PPROTOCOL_CALLBACK_ARGS pArgs, - IN PHCTXT phContext, - IN ULONG Flags, - IN ULONG SeqNo, - IN PVOID Message1, - IN ULONG cbMessage1, - IN PVOID Message2, - IN ULONG cbMessage2, +DoUnwrapEx( IN PPROTOCOL_CALLBACK_ARGS pArgs, + IN PHCTXT phContext, + IN ULONG Flags, + IN ULONG SeqNo, - OUT PVOID *ppvHeader, - OUT PULONG pcbHeader, - OUT PVOID *ppvCrypt, - OUT PULONG pcbCrypt, - OUT PVOID *ppvPad, - OUT PULONG pcbPad, - OUT PVOID *ppvTrailer, - OUT PULONG pcbTrailer ); + IN PVOID pvHeader, + IN ULONG cbHeader, + IN PVOID pvCrypt, + IN ULONG cbCrypt, + IN PVOID pvSign, + IN ULONG cbSign, + IN PVOID pvPad, + IN ULONG cbPad, + IN PVOID pvTrailer, + IN ULONG cbTrailer, + OUT PVOID *ppvClear, + OUT PULONG pcbClear ); + typedef ULONG (CHPWD_FUNCTION)( IN PPROTOCOL_CALLBACK_ARGS, /* pArgs */ IN LPSTR, /* Principal */ IN LPSTR, /* Old Password */ From raeburn at MIT.EDU Fri Mar 13 19:32:21 2009 From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Fri, 13 Mar 2009 19:32:21 -0400 Subject: svn rev #22086: tools/gssmonger/trunk/gssmaster/ Message-ID: <200903132332.n2DNWLsX029668@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22086 Commit By: raeburn Log Message: log more info at block start Changed Files: U tools/gssmonger/trunk/gssmaster/ezlog_log4cpp.cpp Modified: tools/gssmonger/trunk/gssmaster/ezlog_log4cpp.cpp =================================================================== --- tools/gssmonger/trunk/gssmaster/ezlog_log4cpp.cpp 2009-03-13 23:03:00 UTC (rev 22085) +++ tools/gssmonger/trunk/gssmaster/ezlog_log4cpp.cpp 2009-03-13 23:32:21 UTC (rev 22086) 
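Review bot: The hunk replaces a second `DoWrapEx` prototype with a prototype for `DoUnwrapEx`, which is a separate fix from the Conf flag described in the log message and is not mentioned there. If the removed block was a copy-paste duplicate of the DoWrapEx declaration above it, DoUnwrapEx's callers presumably compiled against an implicit declaration until now; if instead DoUnwrapEx's parameter list changed, its definition and callers need the matching update — the hunk does not show which. A one-line addition to the log such as `Also declare DoUnwrapEx in helpers.h (previously a duplicate DoWrapEx prototype).` would record it.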
@@ -185,12 +185,13 @@ cat->setAppender(appConsole); cats = new CatStack(cat, cats); - ezLogMsg(EZLOG_BLOCK, EZ_DEFAULT, "StartBlock %p from %p(%s)", + ezLogMsg(EZLOG_BLOCK, EZ_DEFAULT, "StartBlock %p from %p(%s): %s", (void *)cat, OldLevel, (OldLevel ? ((CatStack *)OldLevel)->cat->getName().data() - : "?")); + : "?"), + ProcessedLogString); cat->log(etol_priority(LogLevel), ProcessedLogString); From raeburn at MIT.EDU Fri Mar 13 19:37:19 2009 From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Fri, 13 Mar 2009 19:37:19 -0400 Subject: svn rev #22087: tools/gssmonger/trunk/gssmaggot/ Message-ID: <200903132337.n2DNbJHi029993@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22087 Commit By: raeburn Log Message: the info being logged from gss_unwrap is conf state, not QOP Changed Files: U tools/gssmonger/trunk/gssmaggot/gssapi.c Modified: tools/gssmonger/trunk/gssmaggot/gssapi.c =================================================================== --- tools/gssmonger/trunk/gssmaggot/gssapi.c 2009-03-13 23:32:21 UTC (rev 22086) +++ tools/gssmonger/trunk/gssmaggot/gssapi.c 2009-03-13 23:37:19 UTC (rev 22087) @@ -913,7 +913,7 @@ if ( GSM_SUCCESS( ulRet ) ) { ServerLogMessage( pArgs, FILE_AND_LINE, - "gss_unwrap: QOP state=%d", + "gss_unwrap: conf state=%d", state ); } From ghudson at MIT.EDU Sat Mar 14 01:46:19 2009 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Sat, 14 Mar 2009 01:46:19 -0400 Subject: svn rev #22088: trunk/doc/ Message-ID: <200903140546.n2E5kJZp018299@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22088 Commit By: ghudson Log Message: ticket: 6418 subject: Improve LDAP admin documentation target_version: 1.7 tags: pullup Use dc=example,dc=com as the example base DN instead of more archaic forms. Provide a little more cross-referencing of concepts and mechanisms. Add additional steps in the OpenLDAP setup instructions for choosing DNs for the Kerberos container, KDC service, and kadmin service. Explain a little bit about what the Kerberos container and realm container are. Be clearer that using separate subtrees from the realm container for principals is an option, not a necessity, and don't use the base DN as an example of a separate subtree (it's confusing). Changed Files: U trunk/doc/admin.texinfo Modified: trunk/doc/admin.texinfo =================================================================== --- trunk/doc/admin.texinfo 2009-03-13 23:37:19 UTC (rev 22087) +++ trunk/doc/admin.texinfo 2009-03-14 05:46:18 UTC (rev 22088) @@ -1013,7 +1013,7 @@ @itemx ldap_service_password_file -This LDAP specific tag indicates the file containing the stashed passwords for the objects used by the Kerberos servers to bind to the LDAP server. This file must be kept secure. This value is used if no service password file is mentioned in the configuration section under [dbmodules]. +This LDAP specific tag indicates the file containing the stashed passwords (created by @code{kdb5_ldap_util stashsrvpw}) for the objects used by the Kerberos servers to bind to the LDAP server. This file must be kept secure. This value is used if no service password file is mentioned in the configuration section under [dbmodules]. @itemx ldap_server 
@@ -1044,7 +1044,7 @@ This LDAP specific tag indicates the default bind DN for the Administration server. The administration server does a login to the directory as this object. This object should have the rights to read and write the Kerberos data in the LDAP database. @itemx ldap_service_password_file -This LDAP specific tag indicates the file containing the stashed passwords for the objects used by the Kerberos servers to bind to the LDAP server. This file must be kept secure. +This LDAP specific tag indicates the file containing the stashed passwords (created by @code{kdb5_ldap_util stashsrvpw}) for the objects used by the Kerberos servers to bind to the LDAP server. This file must be kept secure. @itemx ldap_server This LDAP specific tag indicates the list of LDAP servers that the Kerberos servers can connect to. The list of LDAP servers is whitespace-separated. The LDAP server is specified by a LDAP URI. It is recommended to use ldapi:// or ldaps:// interface to connect to the LDAP server. 
@@ -1379,20 +1379,20 @@ kdc = SYSLOG:INFO admin_server = FILE=/var/kadm5.log [dbdefaults] - ldap_kerberos_container_dn = cn=krbcontainer,o=mit + ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com [dbmodules] openldap_ldapconf = @{ - db_library = kldap - ldap_kerberos_container_dn = cn=krbcontainer,o=mit - ldap_kdc_dn = "cn=krbadmin,o=mit" - # this object needs to have read rights on - # the realm container, principal container and realm sub-trees - ldap_kadmind_dn = "cn=krbadmin,o=mit" - # this object needs to have read and write rights on - # the realm container, principal container and realm sub-trees - ldap_service_password_file = /etc/kerberos/service.keyfile - ldap_servers = ldaps://kerberos.mit.edu - ldap_conns_per_server = 5 + db_library = kldap + ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com + ldap_kdc_dn = "cn=krbadmin,dc=example,dc=com" + # this object needs to have read rights on + # the realm container and principal subtrees + ldap_kadmind_dn = "cn=krbadmin,dc=example,dc=com" + # this object needs to have read and write rights on + # the realm container and principal subtrees + ldap_service_password_file = /etc/kerberos/service.keyfile + ldap_servers = ldaps://kerberos.mit.edu + ldap_conns_per_server = 5 @} @@ -2310,7 +2310,7 @@ @smallexample @group - at b{kadmin:} addprinc -x dn=cn=@value{RANDOMUSER1},o=mit @value{RANDOMUSER1} + at b{kadmin:} addprinc -x dn=cn=@value{RANDOMUSER1},dc=example,dc=com @value{RANDOMUSER1} @b{WARNING: no policy specified for "@value{RANDOMUSER1}@@@value{PRIMARYREALM}"; defaulting to no policy.} @iftex @@ -2334,7 +2334,7 @@ @smallexample @group - at b{kadmin:} addprinc -x containerdn=o=mit -x linkdn=cn=@value{RANDOMUSER2},o=mit @value{RANDOMUSER2} + at b{kadmin:} addprinc -x containerdn=dc=example,dc=com -x linkdn=cn=@value{RANDOMUSER2},dc=example,dc=com @value{RANDOMUSER2} @b{WARNING: no policy specified for "@value{RANDOMUSER2}@@@value{PRIMARYREALM}"; defaulting to no policy.} @iftex 
@@ -3131,9 +3131,9 @@ @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create -sscope --subtree ou=users,o=org -r ATHENA.MIT.EDU - at b{Password for "cn=admin,o=org":} +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu create -sscope 2 +-subtree ou=users,dc=example,dc=com -r ATHENA.MIT.EDU + at b{Password for "cn=admin,dc=example,dc=com":} @b{Initializing database for realm 'ATHENA.MIT.EDU'} @b{You will be prompted for the database Master Password.} @b{It is important that you NOT FORGET this password.} @@ -3159,9 +3159,9 @@ @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create -sscope --subtree ou=users,o=org -kdcdn cn=krbkdc,o=org -admindn cn=krbadmin,o=org -r ATHENA.MIT.EDU - at b{Password for "cn=admin,o=org":} +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu create -sscope 2 +-subtree ou=users,dc=example,dc=com -kdcdn cn=krbkdc,dc=example,dc=com -admindn cn=krbadmin,dc=example,dc=com -r ATHENA.MIT.EDU + at b{Password for "cn=admin,dc=example,dc=com":} @b{Initializing database for realm 'ATHENA.MIT.EDU'} @b{You will be prompted for the database Master Password.} @b{It is important that you NOT FORGET this password.} @@ -3256,9 +3256,9 @@ For example: @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu modify -r ATHENA.MIT.EDU +requires_preauth - at b{Password for "cn=admin,o=org":} + at b{Password for "cn=admin,dc=example,dc=com":} shell% @end group @end smallexample 
@@ -3306,11 +3306,11 @@ For example: @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view -r ATHENA.MIT.EDU - at b{Password for "cn=admin,o=org":} +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu view -r ATHENA.MIT.EDU + at b{Password for "cn=admin,dc=example,dc=com":} @b{Realm Name: ATHENA.MIT.EDU} - at b{Subtree: ou=users,o=org} - at b{Subtree: ou=servers,o=org} + at b{Subtree: ou=users,dc=example,dc=com} + at b{Subtree: ou=servers,dc=example,dc=com} @b{SearchScope: ONE} @b{Maximum ticket life: 0 days 01:00:00} @b{Maximum renewable life: 0 days 10:00:00} @@ -3339,8 +3339,8 @@ For example: @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU - at b{Password for "cn=admin,o=org":} +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU + at b{Password for "cn=admin,dc=example,dc=com":} @b{Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?} @b{type 'yes' to confirm)? Yes} @b{OK, deleting database of 'ATHENA.MIT.EDU'...} @@ -3359,8 +3359,8 @@ For example: @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list - at b{Password for "cn=admin,o=org":} +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu list + at b{Password for "cn=admin,dc=example,dc=com":} @b{ATHENA.MIT.EDU} @b{OPENLDAP.MIT.EDU} @b{MEDIA-LAB.MIT.EDU} @@ -3387,9 +3387,9 @@ For example: @smallexample @group -shell% kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyle cn=service-kdc,o=org - at b{Password for "cn=service-kdc,o=org"}: - at b{Re-enter password for "cn=service-kdc,o=org"}: +shell% kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyle cn=service-kdc,dc=example,dc=com + at b{Password for "cn=service-kdc,dc=example,dc=com"}: + at b{Re-enter password for "cn=service-kdc,dc=example,dc=com"}: shell% @end group @end smallexample 
@@ -3488,9 +3488,9 @@ For example: @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create_policy +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu create_policy -r ATHENA.MIT.EDU -maxtktlife "1 day" -maxrenewlife "1 week" -allow_forwardable usertktpolicy - at b{Password for "cn=admin,o=org":} + at b{Password for "cn=admin,dc=example,dc=com":} shell% @end group @end smallexample @@ -3513,9 +3513,9 @@ For example: @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view_policy +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu view_policy -r ATHENA.MIT.EDU usertktpolicy - at b{Password for "cn=admin,o=org":} + at b{Password for "cn=admin,dc=example,dc=com":} @b{Ticket policy: usertktpolicy} @b{Maxmum ticket life: 0 days 01:00:00} @b{Maxmum renewable life: 0 days 10:00:00} @@ -3548,9 +3548,9 @@ For example: @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu destroy_policy -r ATHENA.MIT.EDU usertktpolicy - at b{Password for "cn=admin,o=org":} + at b{Password for "cn=admin,dc=example,dc=com":} @b{This will delete the policy object 'usertktpolicy', are you sure?} @b{(type 'yes' to confirm)? Yes} @b{** policy object 'usertktpolicy' deleted.} @@ -3577,8 +3577,8 @@ For example: @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list_policy -r ATHENA.MIT.EDU - at b{Password for "cn=admin,o=org":} +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu list_policy -r ATHENA.MIT.EDU + at b{Password for "cn=admin,dc=example,dc=com":} @b{usertktpolicy} @b{tempusertktpolicy} @b{krbtktpolicy} 
@@ -3628,9 +3628,9 @@ For example: @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -create_service -kdc -randpw -f /home/andrew/service_passwd cn=service-kdc,o=org - at b{Password for "cn=admin,o=org":} +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu +create_service -kdc -randpw -f /home/andrew/service_passwd cn=service-kdc,dc=example,dc=com + at b{Password for "cn=admin,dc=example,dc=com":} @b{File does not exist. Creating the file /home/andrew/service_passwd...} shell% @end group @@ -3674,9 +3674,9 @@ @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -modify_service -realm ATHENA.MIT.EDU cn=service-kdc,o=org - at b{Password for "cn=admin,o=org":} +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu +modify_service -realm ATHENA.MIT.EDU cn=service-kdc,dc=example,dc=com + at b{Password for "cn=admin,dc=example,dc=com":} @b{Changing rights for the service object. Please wait ... done} shell% @end group @@ -3695,13 +3695,13 @@ For example: @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -view_service cn=service-kdc,o=org - at b{Password for "cn=admin,o=org":} - at b{Service dn: cn=service-kdc,o=org} +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu +view_service cn=service-kdc,dc=example,dc=com + at b{Password for "cn=admin,dc=example,dc=com":} + at b{Service dn: cn=service-kdc,dc=example,dc=com} @b{Service type: kdc} @b{Service host list:} - at b{Realm DN list: cn=ATHENA.MIT.EDU,cn=Kerberos,o=org} + at b{Realm DN list: cn=ATHENA.MIT.EDU,cn=Kerberos,dc=example,dc=com} shell% @end group @end smallexample 
@@ -3726,12 +3726,12 @@ For example: @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -destroy_service cn=service-kdc,o=org - at b{Password for "cn=admin,o=org":} - at b{This will delete the service object 'cn=service-kdc,o=org', are you sure?} +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu +destroy_service cn=service-kdc,dc=example,dc=com + at b{Password for "cn=admin,dc=example,dc=com":} + at b{This will delete the service object 'cn=service-kdc,dc=example,dc=com', are you sure?} @b{(type 'yes' to confirm)? Yes} - at b{** service object 'cn=service-kdc,o=org' deleted.} + at b{** service object 'cn=service-kdc,dc=example,dc=com' deleted.} shell% @end group @end smallexample @@ -3751,11 +3751,11 @@ For example: @smallexample @group -shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list_service - at b{Password for "cn=admin,o=org":} - at b{cn=service-kdc,o=org} - at b{cn=service-adm,o=org} - at b{cn=service-pwd,o=org} +shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu list_service + at b{Password for "cn=admin,dc=example,dc=com":} + at b{cn=service-kdc,dc=example,dc=com} + at b{cn=service-adm,dc=example,dc=com} + at b{cn=service-pwd,dc=example,dc=com} shell% @end group @end smallexample 
@@ -3786,11 +3786,11 @@ @smallexample @group -shell% kdb5_ldap_util setsrvpw -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -setsrvpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org - at b{Password for "cn=admin,o=org":} - at b{Password for "cn=service-kdc,o=org":} - at b{Re-enter password for "cn=service-kdc,o=org":} +shell% kdb5_ldap_util setsrvpw -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu +setsrvpw -f /home/andrew/conf_keyfile cn=service-kdc,dc=example,dc=com + at b{Password for "cn=admin,dc=example,dc=com":} + at b{Password for "cn=service-kdc,dc=example,dc=com":} + at b{Re-enter password for "cn=service-kdc,dc=example,dc=com":} shell% @end group @end smallexample @@ -3924,9 +3924,25 @@ @end smallexample @item -Configure the LDAP server ACLs to enable the KDC and Admin server to -read and write the Kerberos data. +Choose DNs for the KDC and kadmin servers to bind to the LDAP server, +and create them if necessary. These DNs will be specified with the + at code{ldap_kdc_dn} and @code{ldap_kadmind_dn} directives in krb5.conf; +their passwords can be stashed with @code{kdb5_ldap_util stashsrvpw} +and the resulting file specified with the + at code{ldap_service_password_file} directive. + at item +Choose a DN for the global Kerberos container entry (but do not create +the entry at this time). This DN will be specified with the + at code{ldap_kerberos_container_dn} directive in krb5.conf. Realm +container entries will be created underneath this DN. Principal +entries may exist either underneath the realm container (the default) +or in separate trees referenced from the realm container. + + at item +Configure the LDAP server ACLs to enable the KDC and kadmin server DNs +to read and write the Kerberos data. + @subheading Sample access control information 
@@ -3945,16 +3961,16 @@ by self write by * read -# Providing access to realm subtree -access to @code{dn.subtree}= @i{"o=mit"} - by @code{dn.exact}=@i{"cn=kdc-service,o=mit"} read - by @code{dn.exact}=@i{"cn=adm-service,o=mit"} write +# Providing access to realm container +access to @code{dn.subtree}= @i{"cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com"} + by @code{dn.exact}=@i{"cn=kdc-service,dc=example,dc=com"} read + by @code{dn.exact}=@i{"cn=adm-service,dc=example,dc=com"} write by * none -# Providing access to realm container -access to @code{dn.subtree}= @i{"cn=MIT.EDU,cn=Kerberos,o=mit"} - by @code{dn.exact}=@i{"cn=kdc-service,o=mit"} read - by @code{dn.exact}=@i{"cn=adm-service,o=mit"} write +# Providing access to principals, if not underneath realm container +access to @code{dn.subtree}= @i{"ou=users,dc=example,dc=com"} + by @code{dn.exact}=@i{"cn=kdc-service,dc=example,dc=com"} read + by @code{dn.exact}=@i{"cn=adm-service,dc=example,dc=com"} write by * none access to * @@ -3962,10 +3978,9 @@ @end smallexample @noindent -The above list provides the access control information for the KDC and -Admin service object for the realm container and the realm -subtree. Thus if the realm subtree or the service objects for a realm -are changed then this information should be updated. +If the locations of the container and principals or the DNs of the +service objects for a realm are changed then this information should +be updated. @item Start the LDAP server as follows: 
@@ -3998,11 +4013,11 @@ Create the realm using @samp{kdb5_ldap_util}. @smallexample - at b{kdb5_ldap_util} @b{-D} @i{ cn=admin,o=mit} create @b{-subtrees} @i{ o=mit} @b{-r} @i{MIT.EDU} @b{-s} + at b{kdb5_ldap_util} @b{-D} @i{cn=admin,dc=example,dc=com} create @b{-subtrees} @i{ou=users,dc=example,dc=com} @b{-r} @i{EXAMPLE.COM} @b{-s} @end smallexample @noindent -Before executing the command, make sure that the subtree mentioned above @samp{(o=mit)} exists. +Use the @code{-subtrees} option if the principals are to exist in a separate subtree from the realm container. Before executing the command, make sure that the subtree mentioned above @samp{(ou=users,dc=example,dc=com)} exists. If the principals will exist underneath the realm container, omit the @code{-subtrees} option and do not worry about creating the principal subtree. For more information, refer to the section @dfn{Global Operations on the Kerberos LDAP Database}. @@ -4017,7 +4032,7 @@ file. @smallexample - at b{kdb5_ldap_util} @b{-D} @i{ cn=admin,o=mit} @i{stashsrvpw} @b{-f} @code{/etc/kerberos/service.keyfile} @i{cn=krbadmin,o=mit} + at b{kdb5_ldap_util} @b{-D} @i{cn=admin,dc=example,dc=com} @i{stashsrvpw} @b{-f} @code{/etc/kerberos/service.keyfile} @i{cn=krbadmin,dc=example,dc=com} @end smallexample @item From ghudson at MIT.EDU Sun Mar 15 00:15:17 2009 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Sun, 15 Mar 2009 00:15:17 -0400 Subject: svn rev #22089: trunk/doc/ Message-ID: <200903150415.n2F4FHCd030662@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22089 Commit By: ghudson Log Message: ticket: 6419 subject: Document alias support in LDAP back end tags: pullup target_version: 1.7 Add a few paragraphs to the LDAP instructions on creating aliases through direct manipulation of the LDAP data, and briefly explain when aliases will be used. Changed Files: U trunk/doc/admin.texinfo Modified: trunk/doc/admin.texinfo =================================================================== --- trunk/doc/admin.texinfo 2009-03-14 05:46:18 UTC (rev 22088) +++ trunk/doc/admin.texinfo 2009-03-15 04:15:16 UTC (rev 22089) 
@@ -4039,6 +4039,26 @@ Add krb5principalname to the indexes in slapd.conf to speed up the access. @end enumerate +With the LDAP back end it is possible to provide aliases for principal +entries. Currently we provide no mechanism provided for creating +aliases, so it must be done by direct manipulation of the LDAP +entries. + +An entry with aliases contains multiple values of the krbPrincipalName +attribute. Since LDAP attribute values are not ordered, it is +necessary to specify which principal name is canonical, by using the +krbCanonicalName attribute. Therefore, to create aliases for an +entry, first set the krbCanonicalName attribute of the entry to the +canonical principal name (which should be identical to the +pre-existing krbPrincipalName value), and then add additional +krbPrincipalName attributes for the aliases. + +Principal aliases are only returned by the KDC when the client +requests canonicalization. Canonicalization is normally requested for +service principals; for client principals, an explicit flag is often +required (e.g. @code{kinit -C}) and canonicalization is only performed +for initial ticket requests. + @node Application Servers, Backups of Secure Hosts, Configuring Kerberos with OpenLDAP back-end, Top @chapter Application Servers From ghudson at MIT.EDU Sun Mar 15 00:21:13 2009 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Sun, 15 Mar 2009 00:21:13 -0400 Subject: svn rev #22090: trunk/src/plugins/kdb/ldap/libkdb_ldap/ Message-ID: <200903150421.n2F4LDxW030963@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22090 Commit By: ghudson Log Message: ticket: 6420 subject: Add LDAP back end support for canonical name attribute tags: pullup target_version: 1.7 Add a krbCanonicalName attribute to the schema. When looking up a principal, if the canonical name is set and does not match the requested name, then return the entry only if canonicalization was requested, and use the entry's canonical name. Changed Files: U trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif U trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c Modified: trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif =================================================================== --- trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif 2009-03-15 04:15:16 UTC (rev 22089) +++ trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif 2009-03-15 04:21:12 UTC (rev 22090) @@ -20,6 +20,15 @@ # specific syntax definitions # Kerberos Object Class(6) class# version# # specific class definitions +# +# iso(1) +# member-body(2) +# United States(840) +# mit (113554) +# infosys(1) +# ldap(4) +# attributeTypes(1) +# Kerberos(6) ######################################################################## 
@@ -40,6 +49,21 @@ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) +##### If there are multiple krbPrincipalName values for an entry, this +##### is the canonical principal name in the RFC 1964 specified +##### format. (If this attribute does not exist, then all +##### krbPrincipalName values are treated as canonical.) + +dn: cn=schema +changetype: modify +add: attributetypes +attributetypes: ( 1.2.840.113554.1.4.1.6.1 + NAME 'krbCanonicalName' + EQUALITY caseExactIA5Match + SUBSTR caseExactSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE) + ##### This specifies the type of the principal, the types could be any of ##### the types mentioned in section 6.2 of RFC 4120 @@ -685,7 +709,7 @@ objectClasses: ( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' AUXILIARY - MAY ( krbPrincipalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) ) + MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) ) ###### This class is used to create additional principals and stand alone principals. Modified: trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema =================================================================== --- trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema 2009-03-15 04:15:16 UTC (rev 22089) +++ trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema 2009-03-15 04:21:12 UTC (rev 22090) 
@@ -20,6 +20,15 @@ # specific syntax definitions # Kerberos Object Class(6) class# version# # specific class definitions +# +# iso(1) +# member-body(2) +# United States(840) +# mit (113554) +# infosys(1) +# ldap(4) +# attributeTypes(1) +# Kerberos(6) ######################################################################## @@ -36,7 +45,18 @@ SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) +##### If there are multiple krbPrincipalName values for an entry, this +##### is the canonical principal name in the RFC 1964 specified +##### format. (If this attribute does not exist, then all +##### krbPrincipalName values are treated as canonical.) +attributetype ( 1.2.840.113554.1.4.1.6.1 + NAME 'krbCanonicalName' + EQUALITY caseExactIA5Match + SUBSTR caseExactSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE) + ##### This specifies the type of the principal, the types could be any of ##### the types mentioned in section 6.2 of RFC 4120 @@ -422,7 +442,7 @@ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40) -##### This stores the alternate principal names for the principal in the RFC 1961 specified format +##### This stores the alternate principal names for the principal in the RFC 1964 specified format attributetype ( 2.16.840.1.113719.1.301.4.47.1 NAME 'krbPrincipalAliases' 
@@ -556,7 +576,7 @@ NAME 'krbPrincipalAux' SUP top AUXILIARY - MAY ( krbPrincipalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) ) + MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) ) ###### This class is used to create additional principals and stand alone principals. Modified: trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c =================================================================== --- trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2009-03-15 04:15:16 UTC (rev 22089) +++ trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2009-03-15 04:21:12 UTC (rev 22090) @@ -40,6 +40,7 @@ struct timeval timelimit = {300, 0}; /* 5 minutes */ char *principal_attributes[] = { "krbprincipalname", + "krbcanonicalname", "objectclass", "krbprincipalkey", "krbmaxrenewableage", Modified: trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c =================================================================== --- trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2009-03-15 04:15:16 UTC (rev 22089) +++ trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2009-03-15 04:21:12 UTC (rev 22090) 
@@ -85,12 +85,13 @@ char *user=NULL, *filter=NULL, **subtree=NULL; unsigned int tree=0, ntrees=1, princlen=0; krb5_error_code tempst=0, st=0; - char **values=NULL; + char **values=NULL, *cname=NULL; LDAP *ld=NULL; LDAPMessage *result=NULL, *ent=NULL; krb5_ldap_context *ldap_context=NULL; kdb5_dal_handle *dal_handle=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; + krb5_principal cprinc=NULL; /* Clear the global error string */ krb5_clear_error_message(context); @@ -145,7 +146,7 @@ * NOTE: a principalname k* in ldap server will return all the principals starting with a k */ for (i=0; values[i] != NULL; ++i) { - if (strcasecmp(values[i], user) == 0) { + if (strcmp(values[i], user) == 0) { *nentries = 1; break; } @@ -156,8 +157,27 @@ continue; } - if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent, searchfor, - entries)) != 0) + if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) { + if (values[0] && strcmp(values[0], user) != 0) { + /* We matched an alias, not the canonical name. */ + if (flags & KRB5_KDB_FLAG_CANONICALIZE) { + st = krb5_ldap_parse_principal_name(values[0], &cname); + if (st != 0) + goto cleanup; + st = krb5_parse_name(context, cname, &cprinc); + if (st != 0) + goto cleanup; + } else /* No canonicalization, so don't return aliases. */ + *nentries = 0; + } + ldap_value_free(values); + if (*nentries == 0) + continue; + } + + if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent, + cprinc ? cprinc : searchfor, + entries)) != 0) goto cleanup; } ldap_msgfree(result); @@ -190,6 +210,12 @@ if (user) free(user); + if (cname) + free(cname); + + if (cprinc) + krb5_free_principal(context, cprinc); + return st; } From raeburn at MIT.EDU Mon Mar 16 12:47:29 2009 
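Review bot: In the new krbcanonicalname block, the `values` array returned by ldap_get_values is leaked on both `goto cleanup` paths, because `ldap_value_free(values)` comes after the two error exits; free it before jumping, e.g. `if (st != 0) { ldap_value_free(values); goto cleanup; }` at both sites. `cname` and `cprinc` are declared at function scope and never reset inside the loop, so if the enclosing loop (which begins outside this hunk) visits more than one entry, a canonical principal resolved for an earlier entry would be passed to populate_krb5_db_entry for a later one, and a second krb5_ldap_parse_principal_name would overwrite and leak the first `cname`; freeing and NULLing both at the top of each iteration, or moving them into loop scope, closes that. The canonical name taken from `values[0]` is also not checked against the entry's own krbprincipalname values, so an entry whose krbCanonicalName is not one of its aliases would canonicalize to a name the search never matched; a comment stating that this is left to the directory, or an explicit check, would make the trust assumption visible. The function's beginning and its cleanup label are outside this hunk.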
From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Mon, 16 Mar 2009 12:47:29 -0400 Subject: svn rev #22091: tools/gssmonger/trunk/gssmaster/ Message-ID: <200903161647.n2GGlT5C016921@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22091 Commit By: raeburn Log Message: Add new text for WrapEx without confidentiality requested. Add new field in interference tests indicating a set of flags all of which are required in order to run the test (as opposed to the existing field of flags of which any one is required). Changed Files: U tools/gssmonger/trunk/gssmaster/clientapis.c U tools/gssmonger/trunk/gssmaster/clientlib.h U tools/gssmonger/trunk/gssmaster/interfere.c Modified: tools/gssmonger/trunk/gssmaster/clientapis.c =================================================================== --- tools/gssmonger/trunk/gssmaster/clientapis.c 2009-03-15 04:21:12 UTC (rev 22090) +++ tools/gssmonger/trunk/gssmaster/clientapis.c 2009-03-16 16:47:28 UTC (rev 22091) @@ -895,27 +895,27 @@ } -ULONG -ServerWrapEx( IN HSERVER hServer, - IN ULONG ulContextId, - IN ULONG Flags, - IN ULONG SeqNo, - IN PVOID pvPlain, - IN ULONG cbPlain, - IN PVOID pvSign, - IN ULONG cbSign, +static ULONG +ServerWrapExCommon( IN HSERVER hServer, + IN ULONG ulContextId, + IN ULONG Flags, + IN ULONG SeqNo, + IN ULONG Conf, + IN PVOID pvPlain, + IN ULONG cbPlain, + IN PVOID pvSign, + IN ULONG cbSign, - OUT PVOID *ppvHeader, - OUT PULONG pcbHeader, - OUT PVOID *ppvWrappedText, - OUT PULONG pcbWrappedText, - OUT PVOID *ppvPad, - OUT PULONG pcbPad, - OUT PVOID *ppvTrailer, - OUT PULONG pcbTrailer ) { + OUT PVOID *ppvHeader, + OUT PULONG pcbHeader, + OUT PVOID *ppvWrappedText, + OUT PULONG pcbWrappedText, + OUT PVOID *ppvPad, + OUT PULONG pcbPad, + OUT PVOID *ppvTrailer, + OUT PULONG pcbTrailer ) { ULONG ret = GSMERR_OK; - ULONG Conf = 1; NETARGENTRY InputEntries[] = { { "ContextId", sizeof( ulContextId ), &ulContextId, NETARG_NUMBER }, 
@@ -984,6 +984,84 @@ } ULONG +ServerWrapEx( IN HSERVER hServer, + IN ULONG ulContextId, + IN ULONG Flags, + IN ULONG SeqNo, + IN PVOID pvPlain, + IN ULONG cbPlain, + IN PVOID pvSign, + IN ULONG cbSign, + + OUT PVOID *ppvHeader, + OUT PULONG pcbHeader, + OUT PVOID *ppvWrappedText, + OUT PULONG pcbWrappedText, + OUT PVOID *ppvPad, + OUT PULONG pcbPad, + OUT PVOID *ppvTrailer, + OUT PULONG pcbTrailer ) +{ + return ServerWrapExCommon( hServer, + ulContextId, + Flags, + SeqNo, + 1UL, + pvPlain, + cbPlain, + pvSign, + cbSign, + + ppvHeader, + pcbHeader, + ppvWrappedText, + pcbWrappedText, + ppvPad, + pcbPad, + ppvTrailer, + pcbTrailer ); +} + +ULONG +ServerWrapExNoConf( IN HSERVER hServer, + IN ULONG ulContextId, + IN ULONG Flags, + IN ULONG SeqNo, + IN PVOID pvPlain, + IN ULONG cbPlain, + IN PVOID pvSign, + IN ULONG cbSign, + + OUT PVOID *ppvHeader, + OUT PULONG pcbHeader, + OUT PVOID *ppvWrappedText, + OUT PULONG pcbWrappedText, + OUT PVOID *ppvPad, + OUT PULONG pcbPad, + OUT PVOID *ppvTrailer, + OUT PULONG pcbTrailer ) +{ + return ServerWrapExCommon( hServer, + ulContextId, + Flags, + SeqNo, + 0UL, + pvPlain, + cbPlain, + pvSign, + cbSign, + + ppvHeader, + pcbHeader, + ppvWrappedText, + pcbWrappedText, + ppvPad, + pcbPad, + ppvTrailer, + pcbTrailer ); +} + +ULONG ServerUnwrapEx( IN HSERVER hServer, IN ULONG ulContextId, IN ULONG Flags, Modified: tools/gssmonger/trunk/gssmaster/clientlib.h =================================================================== --- tools/gssmonger/trunk/gssmaster/clientlib.h 2009-03-15 04:21:12 UTC (rev 22090) +++ tools/gssmonger/trunk/gssmaster/clientlib.h 2009-03-16 16:47:28 UTC (rev 22091) 
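Review bot: The two new wrappers differ only in the `1UL`/`0UL` passed as the Conf argument of ServerWrapExCommon, and neither the common routine nor the wrappers say what Conf means; a one-line comment on each, e.g. `/* Conf = 1: request confidentiality for the wrapped text */` on ServerWrapEx and `/* Conf = 0: integrity only; the text is wrapped clearsigned */` on ServerWrapExNoConf, would spare readers a trip to the server protocol. A single entry point taking the Conf flag would avoid the forty duplicated parameter lines, but since clientlib.h fixes the signature through the ENCODE_IOV_FN typedef, the wrappers are the right shape here.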
@@ -178,7 +178,7 @@ OUT PVOID *ppvTrailer, OUT PULONG pcbTrailer ); -ENCODE_IOV_FN ServerWrapEx; +ENCODE_IOV_FN ServerWrapEx, ServerWrapExNoConf; typedef ULONG DECODE_IOV_FN( IN HSERVER hServer, IN ULONG ulContextId, Modified: tools/gssmonger/trunk/gssmaster/interfere.c =================================================================== --- tools/gssmonger/trunk/gssmaster/interfere.c 2009-03-15 04:21:12 UTC (rev 22090) +++ tools/gssmonger/trunk/gssmaster/interfere.c 2009-03-16 16:47:28 UTC (rev 22091) @@ -93,16 +93,18 @@ This is the type of message-passing that will be tested ------------------------------------------------------------*/ -#define MESSAGETEST_ENCRYPT 0x1 -#define MESSAGETEST_SIGNED 0x2 -#define MESSAGETEST_WRAPPED 0x4 -#define MESSAGETEST_WRAPEX 0x8 -#define LAST_MESSAGETEST MESSAGETEST_WRAPEX // update if more are added +#define MESSAGETEST_ENCRYPT 0x01 +#define MESSAGETEST_SIGNED 0x02 +#define MESSAGETEST_WRAPPED 0x04 +#define MESSAGETEST_WRAPEX 0x08 +#define MESSAGETEST_WRAPEX_NOCONF 0x10 +#define LAST_MESSAGETEST MESSAGETEST_WRAPEX_NOCONF // update if more are added ULONG iWhichMessages = ( MESSAGETEST_ENCRYPT | MESSAGETEST_WRAPPED | MESSAGETEST_SIGNED | - MESSAGETEST_WRAPEX ); + MESSAGETEST_WRAPEX | + MESSAGETEST_WRAPEX_NOCONF ); //////////////////////////////////////////////////////////// @@ -119,8 +121,9 @@ MSGTST( "Signed", SIGNED, "Exchanges messages with an unwrapped sig" ), MSGTST( "Wrapped", WRAPPED, "Exchanges clearsigned wrapped messages" ), MSGTST( "WrapEx", WRAPEX, "Exchanges encrypted messages with additional signed data" ), + MSGTST( "WrapExNoConf", WRAPEX_NOCONF, "Exchanges clearsigned messages with additional signed data" ), -#if LAST_MESSAGETEST != MESSAGETEST_WRAPEX +#if LAST_MESSAGETEST != MESSAGETEST_WRAPEX_NOCONF #error "New MessageTests? Update this array or they won't be on the command line" #endif 
@@ -715,7 +718,7 @@ struct { LPSTR Description; - ULONG RequireAnyFlags; + ULONG RequireAnyFlags, RequireAllFlags; ULONG iMessageFlag; MESSAGEGLUE Glue; @@ -723,6 +726,7 @@ { "Encrypt", GSMFLAG_CONFIDENTIALITY, + 0, MESSAGETEST_ENCRYPT, GenericEncodeMessage, GenericDecodeMessage, @@ -735,6 +739,7 @@ GSMFLAG_REPLAY_DETECT | GSMFLAG_SEQUENCE_DETECT | GSMFLAG_CONFIDENTIALITY, + 0, MESSAGETEST_WRAPPED, GenericEncodeMessage, GenericDecodeMessage, @@ -747,6 +752,7 @@ GSMFLAG_REPLAY_DETECT | GSMFLAG_SEQUENCE_DETECT | GSMFLAG_CONFIDENTIALITY, + 0, MESSAGETEST_SIGNED, GenericEncodeMessage, ValidateSignedMessage, @@ -755,16 +761,28 @@ }, { "WrapEx", GSMFLAG_WRAPEX, + GSMFLAG_WRAPEX | + GSMFLAG_CONFIDENTIALITY, MESSAGETEST_WRAPEX, EncodeIOVMessage, DecodeIOVMessage, - "encrypting", + "encrypting-iov", (ENCODE_FN *) ServerWrapEx, (DECODE_FN *) ServerUnwrapEx }, + { "WrapExNoConf", + GSMFLAG_WRAPEX, + 0, + MESSAGETEST_WRAPEX, + EncodeIOVMessage, + DecodeIOVMessage, + "wrapping-iov", + (ENCODE_FN *) ServerWrapExNoConf, + (DECODE_FN *) ServerUnwrapEx + }, -#if LAST_MESSAGETEST != MESSAGETEST_WRAPEX +#if LAST_MESSAGETEST != MESSAGETEST_WRAPEX_NOCONF #error "New Message Test type? Update this array and #defines at top" #endif 
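Review bot: The new `"WrapExNoConf"` entry in MessageTests sets `iMessageFlag` to `MESSAGETEST_WRAPEX` rather than the `MESSAGETEST_WRAPEX_NOCONF` bit this commit introduces at the top of the file, so the per-test selection added to the MSGTST table cannot tell the two variants apart: the user-selection check later in the file (partly visible in the next hunk) would presumably run or skip both WrapEx tests together. The line should read `MESSAGETEST_WRAPEX_NOCONF,`. The `#if LAST_MESSAGETEST` guard does not catch this, because it checks only the #define and not the table contents.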
@@ -870,8 +888,30 @@ // if the context doesn't support this type of message, skip it... - if ( !( pContext->ContextFlags & - MessageTests[ iMessage ].RequireAnyFlags ) ) continue; + if ( ( pContext->ContextFlags & + MessageTests[ iMessage ].RequireAllFlags ) != + MessageTests[ iMessage ].RequireAllFlags || + !( pContext->ContextFlags & + MessageTests[ iMessage ].RequireAnyFlags ) ) { +#if 0 + printf("%s:%d: skipping test %s: ctx %lx req-all %lx req-any %lx\n", + __FILE__, __LINE__, + MessageTests[ iMessage ].Description, + pContext->ContextFlags, + MessageTests[ iMessage ].RequireAllFlags, + MessageTests[ iMessage ].RequireAnyFlags); +#endif + continue; + } else { +#if 0 + printf("%s:%d: running test %s: ctx %lx req-all %lx req-any %lx\n", + __FILE__, __LINE__, + MessageTests[ iMessage ].Description, + pContext->ContextFlags, + MessageTests[ iMessage ].RequireAllFlags, + MessageTests[ iMessage ].RequireAnyFlags); +#endif + } // if the user didn't request this type of messaging, skip it... From hartmans at MIT.EDU Mon Mar 16 12:50:00 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 16 Mar 2009 12:50:00 -0400 Subject: svn rev #22092: trunk/src/lib/krb5/krb/ Message-ID: <200903161650.n2GGo0Dd017079@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22092 Commit By: hartmans Log Message: ticket: 6423 Subject: krb5_auth_con_free should support freeing a null auth_context without segfault. If the input auth_con is NULL, return success. Changed Files: U trunk/src/lib/krb5/krb/auth_con.c Modified: trunk/src/lib/krb5/krb/auth_con.c =================================================================== --- trunk/src/lib/krb5/krb/auth_con.c 2009-03-16 16:47:28 UTC (rev 22091) +++ trunk/src/lib/krb5/krb/auth_con.c 2009-03-16 16:49:59 UTC (rev 22092) 
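Review bot: The new flag check leaves two `#if 0` printf blocks in place, one of them as the sole content of an otherwise empty `else` branch; disabled debugging code like this tends to rot, and the empty `else` reads as an unfinished edit. Either drop the `else` branch and both blocks, or keep a single trace behind a project debug macro so it is compiled and kept current. The check itself is right: a test now runs only when every RequireAllFlags bit and at least one RequireAnyFlags bit is present in `pContext->ContextFlags`, which is what the log message describes, and a one-line comment stating that rule above the `if` would help, e.g. `// run only if all RequireAllFlags and at least one RequireAnyFlags are set`.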
@@ -44,6 +44,8 @@ krb5_error_code KRB5_CALLCONV krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context) { + if (auth_context == NULL) + return 0; if (auth_context->local_addr) krb5_free_address(context, auth_context->local_addr); if (auth_context->remote_addr) From hartmans at MIT.EDU Mon Mar 16 12:50:04 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 16 Mar 2009 12:50:04 -0400 Subject: svn rev #22093: trunk/src/kdc/ Message-ID: <200903161650.n2GGo4kU017159@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22093 Commit By: hartmans Log Message: ticket: 6424 Subject: Call kdb_set_mkey_list from the KDC Target_version: 1.7 tags: pullup In order for the kdb keytab to be used from within the KDC, the KDC needs to set the master key list in the context. Changed Files: U trunk/src/kdc/kdc_util.c U trunk/src/kdc/main.c Modified: trunk/src/kdc/kdc_util.c =================================================================== --- trunk/src/kdc/kdc_util.c 2009-03-16 16:49:59 UTC (rev 22092) +++ trunk/src/kdc/kdc_util.c 2009-03-16 16:50:04 UTC (rev 22093) @@ -454,6 +454,7 @@ &master_keyblock, 0, &tmp_mkey_list) == 0) { krb5_dbe_free_key_list(kdc_context, master_keylist); master_keylist = tmp_mkey_list; + krb5_db_set_mkey_list(kdc_context, master_keylist); if ((retval = krb5_dbe_find_mkey(kdc_context, master_keylist, server, &mkey_ptr))) { goto errout; Modified: trunk/src/kdc/main.c =================================================================== --- trunk/src/kdc/main.c 2009-03-16 16:49:59 UTC (rev 22092) +++ trunk/src/kdc/main.c 2009-03-16 16:50:04 UTC (rev 22093) @@ -414,7 +414,6 @@ rdp->realm_mpname, realm); goto whoops; } - #if 0 /************** Begin IFDEF'ed OUT *******************************/ /* * Commenting krb5_db_verify_master_key out because it requires the most 
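Review bot: The return value of the new `krb5_db_set_mkey_list(kdc_context, master_keylist);` call in kdc_util.c is discarded, while the `krb5_dbe_find_mkey` call on the next line is checked and routed to `errout`; if krb5_db_set_mkey_list reports failure through a krb5_error_code like the other krb5_db_* calls here (I believe it does), the KDC would silently continue with a stale master key list in the context. Suggest `if ((retval = krb5_db_set_mkey_list(kdc_context, master_keylist))) goto errout;`. The same unchecked call is added in main.c (the `@@ -445,6 +444,7 @@` hunk), where `kret` and the `whoops` label are the corresponding names.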
@@ -445,6 +444,7 @@ "while setting master key for realm %s", realm); goto whoops; } + krb5_db_set_mkey_list(rdp->realm_context, rdp->mkey_list); /* Set up the keytab */ if ((kret = krb5_ktkdb_resolve(rdp->realm_context, NULL, From hartmans at MIT.EDU Mon Mar 16 12:50:10 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 16 Mar 2009 12:50:10 -0400 Subject: svn rev #22094: trunk/src/ include/krb5/ lib/crypto/ Message-ID: <200903161650.n2GGoAP6017211@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22094 Commit By: hartmans Log Message: ticket: 6421 Subject: Implement KRB-FX_CF2 Draft-ietf-krb-wg-preauth-framework defines a function KRB-FX-CF2 that combines two keys of arbitrary enctype. Implement this function as an exported API. Changed Files: U trunk/src/include/krb5/krb5.hin U trunk/src/lib/crypto/Makefile.in A trunk/src/lib/crypto/cf2.c U trunk/src/lib/crypto/etypes.h U trunk/src/lib/crypto/libk5crypto.exports Modified: trunk/src/include/krb5/krb5.hin =================================================================== --- trunk/src/include/krb5/krb5.hin 2009-03-16 16:50:04 UTC (rev 22093) +++ trunk/src/include/krb5/krb5.hin 2009-03-16 16:50:09 UTC (rev 22094) 
@@ -497,7 +497,22 @@ krb5_error_code KRB5_CALLCONV krb5_c_prf_length (krb5_context, krb5_enctype, size_t *outlen); +krb5_error_code KRB5_CALLCONV +krb5_c_fx_cf2_simple(krb5_context context, + krb5_keyblock *k1, const char *pepper1, + krb5_keyblock *k2, const char *pepper2, + krb5_keyblock **out); + /* Returns KRB-FX-CF2 in a newly allocated + * keyblock on success or an error code on error. + * This function is simple in that it assumes + * pepper1 and pepper2 are C strings with no + * internal nulls and that the enctype of the + * result will be the same as that of k1. Both + * of these assumptions are true of current + * specs. + */ + krb5_error_code KRB5_CALLCONV krb5_c_make_random_key (krb5_context context, krb5_enctype enctype, Modified: trunk/src/lib/crypto/Makefile.in =================================================================== --- trunk/src/lib/crypto/Makefile.in 2009-03-16 16:50:04 UTC (rev 22093) +++ trunk/src/lib/crypto/Makefile.in 2009-03-16 16:50:09 UTC (rev 22094) @@ -36,6 +36,7 @@ STLIBOBJS=\ aead.o \ block_size.o \ + cf2.o \ checksum_length.o \ cksumtype_to_string.o \ cksumtypes.o \ @@ -79,6 +80,7 @@ OBJS=\ $(OUTPRE)aead.$(OBJEXT) \ $(OUTPRE)block_size.$(OBJEXT) \ + $(OUTPRE)cf2$(OBJEXT) \ $(OUTPRE)checksum_length.$(OBJEXT) \ $(OUTPRE)cksumtype_to_string.$(OBJEXT) \ $(OUTPRE)cksumtypes.$(OBJEXT) \ @@ -151,6 +153,7 @@ $(srcdir)/old_api_glue.c \ $(srcdir)/pbkdf2.c \ $(srcdir)/prf.c \ + $(srcdir)/cf2.c \ $(srcdir)/prng.c \ $(srcdir)/random_to_key.c \ $(srcdir)/state.c \ Added: trunk/src/lib/crypto/cf2.c =================================================================== --- trunk/src/lib/crypto/cf2.c 2009-03-16 16:50:04 UTC (rev 22093) +++ trunk/src/lib/crypto/cf2.c 2009-03-16 16:50:09 UTC (rev 22094) 
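Review bot: `k1` and `k2` are declared as non-const `krb5_keyblock *` although the implementation in cf2.c only reads them (prf_plus forwards them to krb5_c_prf and reads `k->enctype`); declaring them `const krb5_keyblock *k1` and `const krb5_keyblock *k2` would document that and let callers pass const keys without a cast, matching the `const char *pepper` parameters. The trailing comment says the function returns an error code on error but not which ones; cf2.c returns KRB5_BAD_ENCTYPE for a NULL key or invalid enctype and KRB5_CRYPTO_INTERNAL when the enctype has no PRF, and naming those in the comment would help callers. It would also be worth stating that the caller owns `*out` and releases it with krb5_free_keyblock.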
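Review bot: In the OBJS list the new entry `$(OUTPRE)cf2$(OBJEXT)` is missing the dot before `$(OBJEXT)` that every other entry has (compare `$(OUTPRE)block_size.$(OBJEXT)`), so it expands to something like `cf2obj` instead of `cf2.obj` on the builds that use OBJS, and the library would fail to link there. It should be `$(OUTPRE)cf2.$(OBJEXT) \`. The STLIBOBJS and source-list additions in the other two hunks are fine.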
@@ -0,0 +1,154 @@ +/* + * lib/crypto/cf2.c + * + * Copyright (C) 2009 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * + * Implement KRB_FX_CF2 function per + *draft-ietf-krb-wg-preauth-framework-09. Take two keys and two + *pepper strings as input and return a combined key. + */ + +#include +#include +#include "etypes.h" + + +/* + * Call the PRF function multiple times with the pepper prefixed with + * a count byte to get enough bits of output. 
+ */ +static krb5_error_code +prf_plus( krb5_context context, krb5_keyblock *k,const char *pepper, + size_t keybytes, char **out) +{ + krb5_error_code retval = 0; + size_t prflen, iterations; + krb5_data out_data; + krb5_data in_data; + char *buffer = NULL; + struct k5buf prf_inbuf; + krb5int_buf_init_dynamic(&prf_inbuf); + krb5int_buf_add_len( &prf_inbuf, "\001", 1); + krb5int_buf_add( &prf_inbuf, pepper); + retval = krb5_c_prf_length( context, k->enctype, &prflen); + if (retval != 0) + goto cleanup; + iterations = keybytes/prflen; + if ((keybytes%prflen) != 0) + iterations++; + assert(iterations <= 254); + buffer = malloc(iterations*prflen); + if (buffer == NULL) { + retval = ENOMEM; + goto cleanup; + } + if (krb5int_buf_len( &prf_inbuf) == -1) { + retval = ENOMEM; + goto cleanup; + } + in_data.length = (krb5_int32) krb5int_buf_len( &prf_inbuf); + in_data.data = krb5int_buf_data( &prf_inbuf); + out_data.length = prflen; + out_data.data = buffer; + + while (iterations > 0) { + retval = krb5_c_prf( context, k, &in_data, &out_data); + if (retval != 0) + goto cleanup; + out_data.data += prflen; + in_data.data[0]++; + iterations--; + } + cleanup: + if (retval == 0 ) + *out = buffer; + else{ + if (buffer != NULL) + free(buffer); + } + krb5int_free_buf( &prf_inbuf); + return retval; +} + + +krb5_error_code KRB5_CALLCONV +krb5_c_fx_cf2_simple(krb5_context context, + krb5_keyblock *k1, const char *pepper1, + krb5_keyblock *k2, const char *pepper2, + krb5_keyblock **out) +{ + const struct krb5_keytypes *out_enctype; + size_t keybytes, keylength, i; + char *prf1 = NULL, *prf2 = NULL; + krb5_data keydata; + krb5_enctype out_enctype_num; + krb5_error_code retval = 0; + krb5_keyblock *out_key = NULL; + + + if (k1 == NULL ||!krb5_c_valid_enctype(k1->enctype)) + return KRB5_BAD_ENCTYPE; + if (k2 == NULL || !krb5_c_valid_enctype(k2->enctype)) + return KRB5_BAD_ENCTYPE; + out_enctype_num = k1->enctype; + assert(out != NULL); + assert ((out_enctype = find_enctype(out_enctype_num)) 
!= NULL); + if (out_enctype->prf == NULL) { + if (context) + krb5int_set_error(&(context->err) , KRB5_CRYPTO_INTERNAL, + "Enctype %d has no PRF", out_enctype_num); + return KRB5_CRYPTO_INTERNAL; + } + keybytes = out_enctype->enc->keybytes; + keylength = out_enctype->enc->keylength; + + retval = prf_plus( context, k1, pepper1, keybytes, &prf1); + if (retval != 0) + goto cleanup; + retval = prf_plus( context, k2, pepper2, keybytes, &prf2); + if (retval != 0) + goto cleanup; + for (i = 0; i < keybytes; i++) + prf1[i] ^= prf2[i]; + zap(prf2, keybytes); + retval = krb5int_c_init_keyblock( context, out_enctype_num, keylength, &out_key); + if (retval != 0) + goto cleanup; + keydata.data = prf1; + keydata.length = keybytes; + retval = out_enctype->enc->make_key( &keydata, out_key); + + cleanup: + if (retval == 0) + *out = out_key; + else krb5int_c_free_keyblock( context, out_key); + if (prf1 != NULL) { + zap(prf1, keybytes); + free(prf1); + } + if (prf2 != NULL) + free(prf2); + return retval; +} Modified: trunk/src/lib/crypto/etypes.h =================================================================== --- trunk/src/lib/crypto/etypes.h 2009-03-16 16:50:04 UTC (rev 22093) +++ trunk/src/lib/crypto/etypes.h 2009-03-16 16:50:09 UTC (rev 22094) 
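Review bot: In krb5_c_fx_cf2_simple the lookup `assert ((out_enctype = find_enctype(out_enctype_num)) != NULL);` performs the assignment inside the assert, so a build with NDEBUG defined drops the whole expression and leaves `out_enctype` uninitialized before it is dereferenced on the next line; `assert(out != NULL)` likewise turns an argument check in an exported API into a no-op. Do the lookup as a statement and fail cleanly: `out_enctype = find_enctype(out_enctype_num);` followed by `if (out_enctype == NULL) return KRB5_BAD_ENCTYPE;` (the preceding krb5_c_valid_enctype check should make this unreachable, but it costs one line to be explicit). In prf_plus, `iterations = keybytes/prflen` would divide by zero if a PRF ever reported a length of 0, and the error path frees `buffer`, which may already hold PRF output derived from the key, without zeroing it first; since the caller takes care to zap prf1 and prf2, prf_plus should match it with a `zap` of the buffer before `free(buffer)`.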
@@ -67,3 +67,17 @@ extern const struct krb5_keytypes krb5_enctypes_list[]; extern const int krb5_enctypes_length; + +static inline const struct krb5_keytypes* +find_enctype (krb5_enctype enctype) +{ + int i; + for (i=0; i http://src.mit.edu/fisheye/changelog/krb5/?cs=22095 Commit By: hartmans Log Message: ticket: 6421 Implement test cases for CF2 Implement a simple program to call KRB-FX-CF2 and print the resulting keys. Add to regression tests. Also, use the PRF testing application to confirm that CF2 generates consistent keys if called by hand. Changed Files: U trunk/src/lib/crypto/Makefile.in A trunk/src/lib/crypto/t_cf2.c A trunk/src/lib/crypto/t_cf2.comments A trunk/src/lib/crypto/t_cf2.expected A trunk/src/lib/crypto/t_cf2.in A trunk/src/lib/crypto/t_prf.comments A trunk/src/lib/crypto/t_prf.expected A trunk/src/lib/crypto/t_prf.in Modified: trunk/src/lib/crypto/Makefile.in =================================================================== --- trunk/src/lib/crypto/Makefile.in 2009-03-16 16:50:09 UTC (rev 22094) +++ trunk/src/lib/crypto/Makefile.in 2009-03-16 16:50:23 UTC (rev 22095) @@ -16,6 +16,7 @@ EXTRADEPSRCS=\ $(srcdir)/t_nfold.c \ + $(srcdir)/t_cf2.c \ $(srcdir)/t_encrypt.c \ $(srcdir)/t_prf.c \ $(srcdir)/t_prng.c \ 
@@ -205,13 +206,18 @@ clean-unix:: clean-liblinks clean-libs clean-libobjs -check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 +check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_cf2 $(RUN_SETUP) $(VALGRIND) ./t_nfold $(RUN_SETUP) $(VALGRIND) ./t_encrypt $(RUN_SETUP) $(VALGRIND) ./t_prng <$(srcdir)/t_prng.seed >t_prng.output && \ diff t_prng.output $(srcdir)/t_prng.expected $(RUN_SETUP) $(VALGRIND) ./t_hmac + $(RUN_SETUP) $(VALGRIND) ./t_prf <$(srcdir)/t_prf.in >t_prf.output + diff t_prf.output $(srcdir)/t_prf.expected + $(RUN_SETUP) $(VALGRIND) ./t_cf2 <$(srcdir)/t_cf2.in >t_cf2.output + diff t_cf2.output $(srcdir)/t_cf2.expected + # $(RUN_SETUP) $(VALGRIND) ./t_pkcs5 t_nfold$(EXEEXT): t_nfold.$(OBJEXT) nfold.$(OBJEXT) $(SUPPORT_DEPLIB) @@ -223,6 +229,10 @@ t_prf$(EXEEXT): t_prf.$(OBJEXT) $(SUPPORT_DEPLIB) $(CC_LINK) -o $@ t_prf.$(OBJEXT) -lkrb5 -lk5crypto -lcom_err $(SUPPORT_LIB) +t_cf2$(EXEEXT): t_cf2.$(OBJEXT) $(SUPPORT_DEPLIB) + $(CC_LINK) -o $@ t_cf2.$(OBJEXT) -lkrb5 -lk5crypto -lcom_err $(SUPPORT_LIB) + + t_prng$(EXEEXT): t_prng.$(OBJEXT) $(SUPPORT_DEPLIB) $(CC_LINK) -o $@ t_prng.$(OBJEXT) -lk5crypto -lcom_err $(SUPPORT_LIB) @@ -242,7 +252,7 @@ clean:: $(RM) t_nfold.o t_nfold t_encrypt t_encrypt.o t_prng.o t_prng \ - t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o + t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o t_cf2 t_cf2.o -$(RM) t_prng.output all-windows:: Added: trunk/src/lib/crypto/t_cf2.c =================================================================== --- trunk/src/lib/crypto/t_cf2.c 2009-03-16 16:50:09 UTC (rev 22094) +++ trunk/src/lib/crypto/t_cf2.c 2009-03-16 16:50:23 UTC (rev 22095) 
@@ -0,0 +1,88 @@ +/* + * lib/crypto/t_cf2.c + * + * Copyright (C) 2004, 2009 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * This file contains tests for theKRB-FX-CF2 code in Kerberos, based + *on the PRF regression tests. It reads an input file, and writes an + *output file. It is assumed that the output file will be diffed + *against expected output to see whether regression tests pass. The + *input file is a very primitive format. + *First line: enctype + *second line: key to pass to string2key; also used as salt + *Third line: second key to pass to string2key + *fourth line: pepper1 + *fifth line: pepper2 + *scanf is used to read the file, so interior spaces are not permitted. The program outputs the hex bytes of the key. 
+ */ +#include + +#include +#include +#include + +int main () { + char pepper1[1024], pepper2[1024]; + krb5_keyblock *k1 = NULL, *k2 = NULL, *out = NULL; + krb5_data s2k; + unsigned int i; + while (1) { + krb5_enctype enctype; + char s[1025]; + + if (scanf( "%d", &enctype) == EOF) + break; + if (scanf("%1024s", &s[0]) == EOF) + break; + assert (krb5_init_keyblock(0, enctype, 0, &k1) == 0); + s2k.data = &s[0]; + s2k.length = strlen(s); + assert(krb5_c_string_to_key (0, enctype, &s2k, &s2k, k1) == 0); + if (scanf("%1024s", &s[0]) == EOF) + break; + assert (krb5_init_keyblock(0, enctype, 0, &k2) == 0); + s2k.data = &s[0]; + s2k.length = strlen(s); + assert(krb5_c_string_to_key (0, enctype, &s2k, &s2k, k2) == 0); + if (scanf("%1024s %1024s", pepper1, pepper2) == EOF) + break; + assert(krb5_c_fx_cf2_simple(0, k1, pepper1, + k2, pepper2, &out) ==0); + i = out->length; + for (; i > 0; i--) { + printf ("%02x", + (unsigned int) ((unsigned char) out->contents[out->length-i])); + } + printf ("\n"); + + krb5_free_keyblock(0,out); + out = NULL; + + krb5_free_keyblock(0, k1); + k1 = NULL; + krb5_free_keyblock(0, k2); + k2 = NULL; + } + + return (0); +} Added: trunk/src/lib/crypto/t_cf2.comments =================================================================== --- trunk/src/lib/crypto/t_cf2.comments 2009-03-16 16:50:09 UTC (rev 22094) +++ trunk/src/lib/crypto/t_cf2.comments 2009-03-16 16:50:23 UTC (rev 22095) @@ -0,0 +1,3 @@ +The first test mirrors the first two tests in t_prf.in. + +The second test mirrors the following four tests in t_prf.in. Added: trunk/src/lib/crypto/t_cf2.expected =================================================================== --- trunk/src/lib/crypto/t_cf2.expected 2009-03-16 16:50:09 UTC (rev 22094) +++ trunk/src/lib/crypto/t_cf2.expected 2009-03-16 16:50:23 UTC (rev 22095) 
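Review bot: `pepper1` and `pepper2` are declared as `char [1024]` but are filled with `scanf("%1024s %1024s", pepper1, pepper2)`, which stores up to 1024 characters plus the terminating NUL, i.e. 1025 bytes, so a maximal-length pepper overruns each array by one byte; `s` is correctly sized at 1025, and the peppers should be `char pepper1[1025], pepper2[1025];`. The loop also only compares each scanf result with EOF: a malformed enctype line makes `scanf("%d", &enctype)` return 0 without storing anything, and the program then proceeds into krb5_init_keyblock with an uninitialized `enctype`; checking the conversion count (`!= 1`, `!= 2`) instead of `== EOF` stops on both end of input and bad input. A short comment noting that the same string is used as both key and salt, as the header text says, would make the `&s2k, &s2k` call self-explanatory.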
@@ -0,0 +1,2 @@ +97df97e4b798b29eb31ed7280287a92a +4d6ca4e629785c1f01baf55e2e548566b9617ae3a96868c337cb93b5e72b1c7b Added: trunk/src/lib/crypto/t_cf2.in =================================================================== --- trunk/src/lib/crypto/t_cf2.in 2009-03-16 16:50:09 UTC (rev 22094) +++ trunk/src/lib/crypto/t_cf2.in 2009-03-16 16:50:23 UTC (rev 22095) @@ -0,0 +1,10 @@ +17 +key1 +key2 +a +b +18 +key1 +key2 +a +b Added: trunk/src/lib/crypto/t_prf.comments =================================================================== --- trunk/src/lib/crypto/t_prf.comments 2009-03-16 16:50:09 UTC (rev 22094) +++ trunk/src/lib/crypto/t_prf.comments 2009-03-16 16:50:23 UTC (rev 22095) @@ -0,0 +1,8 @@ +The first two tests are effectively a call to krb-fx-cf2 for +aes-128-cts. This mirrorrs the first test in t_cf2.in. + + +The next four tests mirror a call to KRB-FX-CF2 for aes256-cts; this +mirrors the second test in t_cf2.in. + + Added: trunk/src/lib/crypto/t_prf.expected =================================================================== --- trunk/src/lib/crypto/t_prf.expected 2009-03-16 16:50:09 UTC (rev 22094) +++ trunk/src/lib/crypto/t_prf.expected 2009-03-16 16:50:23 UTC (rev 22095) @@ -0,0 +1,6 @@ +77b39a37a868920f2a51f9dd150c5717 +e06c0dd31ff02091994f2ef5178bfe3d +b2628c788e2e9c4a9bb4644678c29f2f +b406373350cee8a6126f4a9b65a0cd21 +ff0e289ea756c0559a0e911856961a49 +0d674dd0f9a6806525a4d92e828bd15a Added: trunk/src/lib/crypto/t_prf.in =================================================================== --- trunk/src/lib/crypto/t_prf.in 2009-03-16 16:50:09 UTC (rev 22094) +++ trunk/src/lib/crypto/t_prf.in 2009-03-16 16:50:23 UTC (rev 22095) @@ -0,0 +1,18 @@ +17 +key1 +2 0161 +17 +key2 +2 0162 +18 +key1 +2 0161 +18 +key1 +2 0261 +18 +key2 +2 0162 +18 +key2 +2 0262 From hartmans at MIT.EDU Mon Mar 16 12:50:26 2009 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 16 Mar 2009 12:50:26 -0400 Subject: svn rev #22096: trunk/src/lib/krb5/krb/ Message-ID: <200903161650.n2GGoQ2G017290@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22096 Commit By: hartmans Log Message: subject: Implement krb5int_find_authdata ticket: 6422 Implement a function to find all instances of a particular ad_type in ticket or authenticator authdata. Changed Files: U trunk/src/lib/krb5/krb/copy_auth.c Modified: trunk/src/lib/krb5/krb/copy_auth.c =================================================================== --- trunk/src/lib/krb5/krb/copy_auth.c 2009-03-16 16:50:23 UTC (rev 22095) +++ trunk/src/lib/krb5/krb/copy_auth.c 2009-03-16 16:50:26 UTC (rev 22096) 
@@ -187,3 +187,92 @@ return code; } + +struct find_authdata_context { + krb5_authdata **out; + size_t space; + size_t length; +}; + +static krb5_error_code grow_find_authdata +(krb5_context context, struct find_authdata_context *fctx, + krb5_authdata *elem) +{ + krb5_error_code retval = 0; + if (fctx->length == fctx->space) { + krb5_authdata **new; + if (fctx->space >= 256) { + krb5_set_error_message(context, ERANGE, "More than 256 authdata matched a query"); + return ERANGE; + } + new = realloc(fctx->out, + sizeof (krb5_authdata *)*(2*fctx->space+1)); + if (new == NULL) + return ENOMEM; + fctx->out = new; + fctx->space *=2; + } + fctx->out[fctx->length+1] = NULL; + retval = krb5_copy_authdatum(context, elem, + &fctx->out[fctx->length]); + if (retval == 0) + fctx->length++; + return retval; +} + + + + +static krb5_error_code find_authdata_1 +(krb5_context context, krb5_authdata *const *in_authdat, krb5_authdatatype ad_type, + struct find_authdata_context *fctx) +{ + int i = 0; + krb5_error_code retval=0; + + for (i = 0; in_authdat[i]; i++) { + krb5_authdata *ad = in_authdat[i]; + if (ad->ad_type == ad_type && retval ==0) + retval = grow_find_authdata(context, fctx, ad); + else switch (ad->ad_type) { + krb5_authdata **decoded_container; + case KRB5_AUTHDATA_IF_RELEVANT: + if (retval == 0) + retval = krb5_decode_authdata_container( context, ad->ad_type, ad, &decoded_container); + if (retval == 0) { + retval = find_authdata_1(context, + decoded_container, ad_type, fctx); + krb5_free_authdata(context, decoded_container); + } + break; + default: + break; + } + } + return retval; +} + + +krb5_error_code krb5int_find_authdata +(krb5_context context, krb5_authdata *const * ticket_authdata, + krb5_authdata * const *ap_req_authdata, + krb5_authdatatype ad_type, + krb5_authdata ***results) +{ + krb5_error_code retval = 0; + struct find_authdata_context fctx; + fctx.length = 0; + fctx.space = 2; + fctx.out = calloc(fctx.space+1, sizeof (krb5_authdata *)); + *results = NULL; + 
if (fctx.out == NULL) + return ENOMEM; + if (ticket_authdata) + retval = find_authdata_1( context, ticket_authdata, ad_type, &fctx); + if ((retval==0) && ap_req_authdata) + retval = find_authdata_1( context, ap_req_authdata, ad_type, &fctx); + if ((retval== 0) && fctx.length) + *results = fctx.out; + else krb5_free_authdata(context, fctx.out); + return retval; +} From hartmans at MIT.EDU Mon Mar 16 12:50:31 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 16 Mar 2009 12:50:31 -0400 Subject: svn rev #22097: trunk/src/ include/ lib/krb5/krb/ Message-ID: <200903161650.n2GGoVBp017330@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22097 Commit By: hartmans Log Message: ticket: 6422 Implement tests for authdata functions Implement some test cases for krb5_merge_authdata and krb5int_find_authdata Changed Files: U trunk/src/include/k5-int.h U trunk/src/lib/krb5/krb/Makefile.in A trunk/src/lib/krb5/krb/t_authdata.c Modified: trunk/src/include/k5-int.h =================================================================== --- trunk/src/include/k5-int.h 2009-03-16 16:50:26 UTC (rev 22096) +++ trunk/src/include/k5-int.h 2009-03-16 16:50:30 UTC (rev 22097) @@ -2542,6 +2542,11 @@ krb5_data *, const krb5_keyblock *, krb5_kdc_rep ** ); +krb5_error_code krb5int_find_authdata +(krb5_context context, krb5_authdata *const * ticket_authdata, + krb5_authdata * const *ap_req_authdata, + krb5_authdatatype ad_type, + krb5_authdata ***results); krb5_error_code krb5_rd_req_decoded (krb5_context, Modified: trunk/src/lib/krb5/krb/Makefile.in =================================================================== --- trunk/src/lib/krb5/krb/Makefile.in 2009-03-16 16:50:26 UTC (rev 22096) +++ trunk/src/lib/krb5/krb/Makefile.in 2009-03-16 16:50:30 UTC (rev 22097) 
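Review bot: In find_authdata_1 the loop keeps iterating after `retval` becomes nonzero, with each later element re-entering the `retval == 0` guards and the switch, rather than stopping at the first failure; a `if (retval != 0) break;` at the top of the loop body would make the error path obvious and let the guards on the match and decode branches go away. In grow_find_authdata the capacity arithmetic (`realloc` to `2*space+1` slots, then `space *= 2`, with `out[length+1] = NULL` as the terminator) is correct but easy to misread and deserves a comment stating the invariant, e.g. `/* out always has space+1 slots, so out[length] can hold the NULL terminator */`. The 256-entry cap bounds the result list, but nothing here bounds the recursion through nested AD-IF-RELEVANT containers beyond whatever krb5_decode_authdata_container enforces on its input; if that is intentional, a comment saying so would save the next reader the analysis.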
@@ -308,6 +308,8 @@ t_walk_rtree: $(T_WALK_RTREE_OBJS) $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o t_walk_rtree $(T_WALK_RTREE_OBJS) $(KRB5_BASE_LIBS) +t_authdata: t_authdata.o copy_auth.o + $(CC_LINK) -o $@ $< copy_auth.o $(KRB5_BASE_LIBS) t_kerb: $(T_KERB_OBJS) $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o t_kerb $(T_KERB_OBJS) $(KRB5_BASE_LIBS) @@ -323,7 +325,7 @@ t_expand : $(T_EXPAND_OBJS) $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o t_expand $(T_EXPAND_OBJS) $(KRB5_BASE_LIBS) -TEST_PROGS= t_walk_rtree t_kerb t_ser t_deltat t_expand +TEST_PROGS= t_walk_rtree t_kerb t_ser t_deltat t_expand t_authdata check-unix:: $(TEST_PROGS) KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\ @@ -356,13 +358,16 @@ $(RUN_SETUP) $(VALGRIND) sh $(srcdir)/transit-tests KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\ $(RUN_SETUP) $(VALGRIND) sh $(srcdir)/walktree-tests + KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\ + $(RUN_SETUP) $(VALGRIND) ./t_authdata clean:: $(RM) $(OUTPRE)t_walk_rtree$(EXEEXT) $(OUTPRE)t_walk_rtree.$(OBJEXT) \ $(OUTPRE)t_kerb$(EXEEXT) $(OUTPRE)t_kerb.$(OBJEXT) \ $(OUTPRE)t_ser$(EXEEXT) $(OUTPRE)t_ser.$(OBJEXT) \ $(OUTPRE)t_deltat$(EXEEXT) $(OUTPRE)t_deltat.$(OBJEXT) \ - $(OUTPRE)t_expand$(EXEEXT) $(OUTPRE)t_expand.$(OBJEXT) + $(OUTPRE)t_expand$(EXEEXT) $(OUTPRE)t_expand.$(OBJEXT) \ + $(OUTPRE)t_authdata$(EXEEXT) $(OUTPRE)t_authdata.$(OBJEXT) @libobj_frag@ Added: trunk/src/lib/krb5/krb/t_authdata.c =================================================================== --- trunk/src/lib/krb5/krb/t_authdata.c 2009-03-16 16:50:26 UTC (rev 22096) +++ trunk/src/lib/krb5/krb/t_authdata.c 2009-03-16 16:50:30 UTC (rev 22097) 
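Review bot: The new t_authdata rule in the first hunk uses `$@` and `$<` in an explicit rule, which POSIX make defines only for inference rules, and it omits the `$(KRB5_BASE_DEPLIBS)` prerequisite that the neighbouring t_walk_rtree and t_kerb rules carry, so the test presumably is not relinked when the library changes. Spelling it like its siblings keeps it portable and consistent: `t_authdata: t_authdata.o copy_auth.o $(KRB5_BASE_DEPLIBS)` followed by `$(CC_LINK) -o t_authdata t_authdata.o copy_auth.o $(KRB5_BASE_LIBS)`. A one-line comment above the rule explaining why copy_auth.o is linked in directly (krb5int_find_authdata is declared in k5-int.h rather than the public API) would also help the next reader.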
@@ -0,0 +1,102 @@
+/*
+ * lib/krb5/krb/t_authdata.c
+ *
+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ *
+ * Test authorization data search
+ */
+
+#include
+#include
+#include
+#include
+
+krb5_authdata ad1 = {
+ KV5M_AUTHDATA,
+ 22,
+ 4,
+ (unsigned char *) "abcd"};
+krb5_authdata ad2 = {
+ KV5M_AUTHDATA,
+ 23,
+ 5,
+ (unsigned char *) "abcde"
+};
+
+krb5_authdata ad3= {
+ KV5M_AUTHDATA,
+ 22,
+ 3,
+ (unsigned char *) "ab"
+};
+/* we want three results in the return from krb5int_find_authdata so
+it has to grow its list.
+*/
+krb5_authdata ad4 = {
+ KV5M_AUTHDATA,
+ 22,
+ 5,
+ (unsigned char *)"abcd"
+};
+
+krb5_authdata *adseq1[] = {&ad1, &ad2, &ad4, NULL};
+
+krb5_authdata *adseq2[] = {&ad3, NULL};
+
+static void compare_authdata(const krb5_authdata *adc1, krb5_authdata *adc2) {
+ assert(adc1->ad_type == adc2->ad_type);
+ assert(adc1->length == adc2->length);
+ assert(memcmp(adc1->contents, adc2->contents, adc1->length) == 0);
+}
+
+int main()
+{
+ krb5_context context;
+ krb5_authdata **results;
+ krb5_authdata *container[2];
+ krb5_authdata **container_out;
+
+
+ assert(krb5_init_context(&context) == 0);
+ assert(krb5_merge_authdata(context, adseq1, adseq2, &results) == 0);
+ compare_authdata(results[0], &ad1);
+ compare_authdata( results[1], &ad2);
+ compare_authdata(results[2], &ad4);
+ compare_authdata( results[3], &ad3);
+ assert(results[4] == NULL);
+ krb5_free_authdata(context, results);
+ container[0] = &ad3;
+ container[1] = NULL;
+ assert(krb5_encode_authdata_container( context, KRB5_AUTHDATA_IF_RELEVANT, container, &container_out) == 0);
+ assert(krb5int_find_authdata(context,
+ adseq1, container_out, 22, &results) == 0);
+ compare_authdata(&ad1, results[0]);
+ compare_authdata( results[1], &ad4);
+ compare_authdata( results[2], &ad3);
+ assert( results[3] == NULL);
+ krb5_free_authdata(context, results);
+ krb5_free_authdata(context, container_out);
+ return 0;
+}
From hartmans at MIT.EDU Mon Mar 16 12:54:40 2009 
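Review bot: ad4 declares length 5 for the literal "abcd" and ad3 declares length 3 for "ab", so compare_authdata's memcmp compares the literal's terminating NUL as the final byte; the asserts still pass because the same object is on both sides, but presumably 4 and 2 were intended, and as written the lengths do not match the data the test claims to search. main also never releases the context, which valgrind (the Makefile runs this test under $(VALGRIND)) would report; `krb5_free_context(context);` before `return 0;` closes that. A short comment on each of the ad1–ad4 initialisers naming the position it is expected to occupy in the two result lists would make the hard-coded indices in the asserts self-explanatory.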
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 16 Mar 2009 12:54:40 -0400 Subject: svn rev #22098: trunk/src/ lib/crypto/ plugins/kdb/db2/libdb2/btree/ plugins/kdb/db2/libdb2/db/ ... Message-ID: <200903161654.n2GGseV0017620@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22098 Commit By: hartmans Log Message: make depend Changed Files: U trunk/src/lib/crypto/deps U trunk/src/plugins/kdb/db2/libdb2/btree/deps U trunk/src/plugins/kdb/db2/libdb2/db/deps U trunk/src/plugins/kdb/db2/libdb2/hash/deps U trunk/src/plugins/kdb/db2/libdb2/mpool/deps U trunk/src/plugins/kdb/db2/libdb2/recno/deps U trunk/src/plugins/preauth/pkinit/deps Modified: trunk/src/lib/crypto/deps =================================================================== --- trunk/src/lib/crypto/deps 2009-03-16 16:50:30 UTC (rev 22097) +++ trunk/src/lib/crypto/deps 2009-03-16 16:54:40 UTC (rev 22098) @@ -327,6 +327,16 @@ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ etypes.h prf.c +cf2.so cf2.po $(OUTPRE)cf2.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ + $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ + $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ + $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + cf2.c etypes.h prng.so prng.po $(OUTPRE)prng.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ 
@@ -441,6 +451,8 @@ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ t_nfold.c +t_cf2.so t_cf2.po $(OUTPRE)t_cf2.$(OBJEXT): $(BUILDTOP)/include/krb5/krb5.h \ + $(COM_ERR_DEPS) $(SRCTOP)/include/krb5.h t_cf2.c t_encrypt.so t_encrypt.po $(OUTPRE)t_encrypt.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ Modified: trunk/src/plugins/kdb/db2/libdb2/btree/deps =================================================================== --- trunk/src/plugins/kdb/db2/libdb2/btree/deps 2009-03-16 16:50:30 UTC (rev 22097) +++ trunk/src/plugins/kdb/db2/libdb2/btree/deps 2009-03-16 16:54:40 UTC (rev 22098) 
@@ -2,68 +2,75 @@ # Generated makefile dependencies follow. # bt_close.so bt_close.po $(OUTPRE)bt_close.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(srcdir)/../include/config.h \ - $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \ - $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \ - $(srcdir)/../mpool/mpool.h bt_close.c btree.h extern.h -bt_conv.so bt_conv.po $(OUTPRE)bt_conv.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \ $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \ $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \ $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \ - bt_conv.c btree.h extern.h -bt_debug.so bt_debug.po $(OUTPRE)bt_debug.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(srcdir)/../include/config.h \ + bt_close.c btree.h extern.h +bt_conv.so bt_conv.po $(OUTPRE)bt_conv.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/db-config.h $(srcdir)/../include/config.h \ $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \ $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \ - $(srcdir)/../mpool/mpool.h bt_debug.c btree.h extern.h -bt_delete.so bt_delete.po $(OUTPRE)bt_delete.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(srcdir)/../include/config.h \ - $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \ - $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \ - $(srcdir)/../mpool/mpool.h bt_delete.c btree.h extern.h -bt_get.so bt_get.po $(OUTPRE)bt_get.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(srcdir)/../mpool/mpool.h bt_conv.c btree.h extern.h +bt_debug.so bt_debug.po $(OUTPRE)bt_debug.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \ $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \ $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \ $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \ - bt_get.c btree.h extern.h 
-bt_open.so bt_open.po $(OUTPRE)bt_open.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ + bt_debug.c btree.h extern.h +bt_delete.so bt_delete.po $(OUTPRE)bt_delete.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \ $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \ $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \ $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \ - bt_open.c btree.h extern.h -bt_overflow.so bt_overflow.po $(OUTPRE)bt_overflow.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(srcdir)/../include/config.h \ + bt_delete.c btree.h extern.h +bt_get.so bt_get.po $(OUTPRE)bt_get.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/db-config.h $(srcdir)/../include/config.h \ $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \ $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \ - $(srcdir)/../mpool/mpool.h bt_overflow.c btree.h extern.h -bt_page.so bt_page.po $(OUTPRE)bt_page.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(srcdir)/../mpool/mpool.h bt_get.c btree.h extern.h +bt_open.so bt_open.po $(OUTPRE)bt_open.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/db-config.h $(SRCTOP)/include/k5-platform.h \ + $(SRCTOP)/include/k5-thread.h $(srcdir)/../include/config.h \ + $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \ + $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \ + $(srcdir)/../mpool/mpool.h bt_open.c btree.h extern.h +bt_overflow.so bt_overflow.po $(OUTPRE)bt_overflow.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \ $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \ $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \ $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \ - bt_page.c btree.h extern.h + bt_overflow.c btree.h extern.h +bt_page.so bt_page.po $(OUTPRE)bt_page.$(OBJEXT): 
$(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/db-config.h $(srcdir)/../include/config.h \ + $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \ + $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \ + $(srcdir)/../mpool/mpool.h bt_page.c btree.h extern.h bt_put.so bt_put.po $(OUTPRE)bt_put.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/db-config.h $(srcdir)/../include/config.h \ + $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \ + $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \ + $(srcdir)/../mpool/mpool.h bt_put.c btree.h extern.h +bt_search.so bt_search.po $(OUTPRE)bt_search.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \ $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \ $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \ $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \ - bt_put.c btree.h extern.h -bt_search.so bt_search.po $(OUTPRE)bt_search.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(srcdir)/../include/config.h \ + bt_search.c btree.h extern.h +bt_seq.so bt_seq.po $(OUTPRE)bt_seq.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/db-config.h $(srcdir)/../include/config.h \ $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \ $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \ - $(srcdir)/../mpool/mpool.h bt_search.c btree.h extern.h -bt_seq.so bt_seq.po $(OUTPRE)bt_seq.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(srcdir)/../mpool/mpool.h bt_seq.c btree.h extern.h +bt_split.so bt_split.po $(OUTPRE)bt_split.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \ $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \ $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \ $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \ - bt_seq.c btree.h extern.h -bt_split.so bt_split.po $(OUTPRE)bt_split.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h 
$(srcdir)/../include/config.h \ - $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \ - $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \ - $(srcdir)/../mpool/mpool.h bt_split.c btree.h extern.h + bt_split.c btree.h extern.h bt_utils.so bt_utils.po $(OUTPRE)bt_utils.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(srcdir)/../include/config.h \ - $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \ - $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \ - $(srcdir)/../mpool/mpool.h bt_utils.c btree.h extern.h + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \ + $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \ + $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \ + $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \ + bt_utils.c btree.h extern.h Modified: trunk/src/plugins/kdb/db2/libdb2/db/deps =================================================================== --- trunk/src/plugins/kdb/db2/libdb2/db/deps 2009-03-16 16:50:30 UTC (rev 22097) +++ trunk/src/plugins/kdb/db2/libdb2/db/deps 2009-03-16 16:54:40 UTC (rev 22098) @@ -2,6 +2,6 @@ # Generated makefile dependencies follow. # db.so db.po $(OUTPRE)db.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \ - $(srcdir)/../include/db-int.h $(srcdir)/../include/db.h \ - db.c + $(BUILDTOP)/include/db-config.h $(srcdir)/../include/config.h \ + $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \ + $(srcdir)/../include/db.h db.c Modified: trunk/src/plugins/kdb/db2/libdb2/hash/deps =================================================================== --- trunk/src/plugins/kdb/db2/libdb2/hash/deps 2009-03-16 16:50:30 UTC (rev 22097) +++ trunk/src/plugins/kdb/db2/libdb2/hash/deps 2009-03-16 16:54:40 UTC (rev 22098) 
@@ -2,43 +2,44 @@ # Generated makefile dependencies follow. # hash.so hash.po $(OUTPRE)hash.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/db-config.h $(srcdir)/../include/config.h \ + $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \ + $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \ + $(srcdir)/../mpool/mpool.h extern.h hash.c hash.h page.h +hash_bigkey.so hash_bigkey.po $(OUTPRE)hash_bigkey.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \ $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \ $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \ $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \ - extern.h hash.c hash.h page.h -hash_bigkey.so hash_bigkey.po $(OUTPRE)hash_bigkey.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(srcdir)/../include/config.h \ - $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \ - $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \ - $(srcdir)/../mpool/mpool.h extern.h hash.h hash_bigkey.c \ - page.h + extern.h hash.h hash_bigkey.c page.h hash_debug.so hash_debug.po $(OUTPRE)hash_debug.$(OBJEXT): \ hash_debug.c hash_func.so hash_func.po $(OUTPRE)hash_func.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(srcdir)/../include/config.h \ - $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \ - $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \ - $(srcdir)/../mpool/mpool.h extern.h hash.h hash_func.c \ - page.h + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \ + $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \ + $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \ + $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \ + extern.h hash.h hash_func.c page.h hash_log2.so hash_log2.po $(OUTPRE)hash_log2.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(srcdir)/../include/config.h \ - $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \ - 
$(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \ - $(srcdir)/../mpool/mpool.h extern.h hash.h hash_log2.c \ - page.h + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \ + $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \ + $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \ + $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \ + extern.h hash.h hash_log2.c page.h hash_page.so hash_page.po $(OUTPRE)hash_page.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(srcdir)/../include/config.h \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \ + $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \ + $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \ + $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \ + extern.h hash.h hash_page.c page.h +hsearch.so hsearch.po $(OUTPRE)hsearch.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/db-config.h $(srcdir)/../include/config.h \ $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \ - $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \ - $(srcdir)/../mpool/mpool.h extern.h hash.h hash_page.c \ - page.h -hsearch.so hsearch.po $(OUTPRE)hsearch.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \ - $(srcdir)/../include/db-int.h $(srcdir)/../include/db.h \ - hsearch.c search.h + $(srcdir)/../include/db.h hsearch.c search.h dbm.so dbm.po $(OUTPRE)dbm.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/db-ndbm.h $(BUILDTOP)/include/db.h \ - $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \ - $(srcdir)/../include/db-dbm.h $(srcdir)/../include/db-int.h \ - $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \ - $(srcdir)/../mpool/mpool.h dbm.c hash.h + $(BUILDTOP)/include/db-config.h $(BUILDTOP)/include/db-ndbm.h \ + $(BUILDTOP)/include/db.h $(srcdir)/../include/config.h \ + $(srcdir)/../include/db-config.h 
$(srcdir)/../include/db-dbm.h \ + $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \ + $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \ + dbm.c hash.h Modified: trunk/src/plugins/kdb/db2/libdb2/mpool/deps =================================================================== --- trunk/src/plugins/kdb/db2/libdb2/mpool/deps 2009-03-16 16:50:30 UTC (rev 22097) +++ trunk/src/plugins/kdb/db2/libdb2/mpool/deps 2009-03-16 16:54:40 UTC (rev 22098) @@ -2,6 +2,7 @@ # Generated makefile dependencies follow. # mpool.so mpool.po $(OUTPRE)mpool.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \ - $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \ - $(srcdir)/../include/db.h mpool.c mpool.h + $(BUILDTOP)/include/db-config.h $(srcdir)/../include/config.h \ + $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \ + $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \ + mpool.c mpool.h Modified: trunk/src/plugins/kdb/db2/libdb2/recno/deps =================================================================== --- trunk/src/plugins/kdb/db2/libdb2/recno/deps 2009-03-16 16:50:30 UTC (rev 22097) +++ trunk/src/plugins/kdb/db2/libdb2/recno/deps 2009-03-16 16:54:40 UTC (rev 22098) 
@@ -2,50 +2,55 @@ # Generated makefile dependencies follow. # rec_close.so rec_close.po $(OUTPRE)rec_close.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(srcdir)/../btree/btree.h \ - $(srcdir)/../btree/extern.h $(srcdir)/../include/config.h \ - $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \ - $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \ - $(srcdir)/../mpool/mpool.h extern.h rec_close.c recno.h + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \ + $(srcdir)/../btree/btree.h $(srcdir)/../btree/extern.h \ + $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \ + $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \ + $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \ + extern.h rec_close.c recno.h rec_delete.so rec_delete.po $(OUTPRE)rec_delete.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(srcdir)/../btree/btree.h \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \ + $(srcdir)/../btree/btree.h $(srcdir)/../btree/extern.h \ + $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \ + $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \ + $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \ + extern.h rec_delete.c recno.h +rec_get.so rec_get.po $(OUTPRE)rec_get.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/db-config.h $(srcdir)/../btree/btree.h \ $(srcdir)/../btree/extern.h $(srcdir)/../include/config.h \ $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \ $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \ - $(srcdir)/../mpool/mpool.h extern.h rec_delete.c recno.h -rec_get.so rec_get.po $(OUTPRE)rec_get.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(srcdir)/../mpool/mpool.h extern.h rec_get.c recno.h +rec_open.so rec_open.po $(OUTPRE)rec_open.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \ $(srcdir)/../btree/btree.h $(srcdir)/../btree/extern.h \ $(srcdir)/../include/config.h 
$(srcdir)/../include/db-config.h \ $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \ $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \ - extern.h rec_get.c recno.h -rec_open.so rec_open.po $(OUTPRE)rec_open.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(srcdir)/../btree/btree.h \ + extern.h rec_open.c recno.h +rec_put.so rec_put.po $(OUTPRE)rec_put.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/db-config.h $(srcdir)/../btree/btree.h \ $(srcdir)/../btree/extern.h $(srcdir)/../include/config.h \ $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \ $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \ - $(srcdir)/../mpool/mpool.h extern.h rec_open.c recno.h -rec_put.so rec_put.po $(OUTPRE)rec_put.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(srcdir)/../mpool/mpool.h extern.h rec_put.c recno.h +rec_search.so rec_search.po $(OUTPRE)rec_search.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \ $(srcdir)/../btree/btree.h $(srcdir)/../btree/extern.h \ $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \ $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \ $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \ - extern.h rec_put.c recno.h -rec_search.so rec_search.po $(OUTPRE)rec_search.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(srcdir)/../btree/btree.h \ + extern.h rec_search.c recno.h +rec_seq.so rec_seq.po $(OUTPRE)rec_seq.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/db-config.h $(srcdir)/../btree/btree.h \ $(srcdir)/../btree/extern.h $(srcdir)/../include/config.h \ $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \ $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \ - $(srcdir)/../mpool/mpool.h extern.h rec_search.c recno.h -rec_seq.so rec_seq.po $(OUTPRE)rec_seq.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(srcdir)/../mpool/mpool.h extern.h rec_seq.c recno.h +rec_utils.so rec_utils.po 
$(OUTPRE)rec_utils.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \ $(srcdir)/../btree/btree.h $(srcdir)/../btree/extern.h \ $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \ $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \ $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \ - extern.h rec_seq.c recno.h -rec_utils.so rec_utils.po $(OUTPRE)rec_utils.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(srcdir)/../btree/btree.h \ - $(srcdir)/../btree/extern.h $(srcdir)/../include/config.h \ - $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \ - $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \ - $(srcdir)/../mpool/mpool.h extern.h rec_utils.c recno.h + extern.h rec_utils.c recno.h Modified: trunk/src/plugins/preauth/pkinit/deps =================================================================== --- trunk/src/plugins/preauth/pkinit/deps 2009-03-16 16:50:30 UTC (rev 22097) +++ trunk/src/plugins/preauth/pkinit/deps 2009-03-16 16:54:40 UTC (rev 22098) 
@@ -13,10 +13,16 @@ $(SRCTOP)/include/socket-utils.h pkinit_accessor.c \ pkinit_accessor.h pkinit_srv.so pkinit_srv.po $(OUTPRE)pkinit_srv.$(OBJEXT): \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - pkcs11.h pkinit.h pkinit_accessor.h pkinit_crypto.h \ - pkinit_srv.c + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ + $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ + $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ + $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h pkcs11.h pkinit.h \ + pkinit_accessor.h pkinit_crypto.h pkinit_srv.c pkinit_lib.so pkinit_lib.po $(OUTPRE)pkinit_lib.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int-pkinit.h \ 
@@ -24,9 +30,16 @@ $(SRCTOP)/include/krb5/preauth_plugin.h pkcs11.h pkinit.h \ pkinit_accessor.h pkinit_crypto.h pkinit_lib.c pkinit_clnt.so pkinit_clnt.po $(OUTPRE)pkinit_clnt.$(OBJEXT): \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - pkcs11.h pkinit.h pkinit_accessor.h pkinit_clnt.c pkinit_crypto.h + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ + $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ + $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ + $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h pkcs11.h pkinit.h \ + pkinit_accessor.h pkinit_clnt.c pkinit_crypto.h pkinit_profile.so pkinit_profile.po $(OUTPRE)pkinit_profile.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ 
@@ -44,9 +57,15 @@ pkcs11.h pkinit.h pkinit_accessor.h pkinit_crypto.h \ pkinit_identity.c pkinit_matching.so pkinit_matching.po $(OUTPRE)pkinit_matching.$(OBJEXT): \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h pkcs11.h pkinit.h \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ + $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ + $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ + $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h pkcs11.h pkinit.h \ pkinit_accessor.h pkinit_crypto.h pkinit_matching.c pkinit_crypto_openssl.so pkinit_crypto_openssl.po $(OUTPRE)pkinit_crypto_openssl.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ From tlyu at MIT.EDU Mon Mar 16 13:58:53 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 16 Mar 2009 13:58:53 -0400 Subject: svn rev #22099: branches/krb5-1-7/src/lib/gssapi/spnego/ Message-ID: <200903161758.n2GHwrFn021796@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22099 Commit By: tlyu Log Message: ticket: 6402 version_fixed: 1.7 pull up r22084 from trunk acc_ctx_new() can return an error condition without establishing a SPNEGO context structure. This can cause a null pointer dereference in cleanup code in spnego_gss_accept_sec_context(). Changed Files: U branches/krb5-1-7/src/lib/gssapi/spnego/spnego_mech.c Modified: branches/krb5-1-7/src/lib/gssapi/spnego/spnego_mech.c =================================================================== --- branches/krb5-1-7/src/lib/gssapi/spnego/spnego_mech.c 2009-03-16 16:54:40 UTC (rev 22098) +++ branches/krb5-1-7/src/lib/gssapi/spnego/spnego_mech.c 2009-03-16 17:58:53 UTC (rev 22099) @@ -1650,7 +1650,8 @@ &negState, &return_token); } cleanup: - if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) { + if (return_token == INIT_TOKEN_SEND || + return_token == CONT_TOKEN_SEND) { /* For acceptor-sends-first send a tokenInit */ int tmpret; From tsitkova at MIT.EDU Mon Mar 16 14:00:07 2009 From: tsitkova at MIT.EDU (tsitkova@MIT.EDU) Date: Mon, 16 Mar 2009 14:00:07 -0400 Subject: svn rev #22100: trunk/src/kdc/ Message-ID: <200903161800.n2GI07DM021953@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22100 Commit By: tsitkova Log Message: Verify return code from krb5_db_set_mkey_list. Changed Files: U trunk/src/kdc/kdc_util.c U trunk/src/kdc/main.c Modified: trunk/src/kdc/kdc_util.c =================================================================== --- trunk/src/kdc/kdc_util.c 2009-03-16 17:58:53 UTC (rev 22099) +++ trunk/src/kdc/kdc_util.c 2009-03-16 18:00:06 UTC (rev 22100) 
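Review bot: The new condition is a positive list of two send states where the old one was a negative test, so any send_token_flag value other than NO_TOKEN_SEND, CHECK_MIC, INIT_TOKEN_SEND and CONT_TOKEN_SEND — if the enum has one, which is not visible here — now skips the reply-token block it previously entered; worth confirming that is intended and not a side effect of the null-pointer fix. The reason for narrowing the test is only in the log message, so a comment above the `if`, such as `/* acc_ctx_new() can fail before a SPNEGO context exists; only the send states have one to build a reply from. */`, would keep the condition from being widened again later. spnego_gss_accept_sec_context's body continues outside the hunk on both sides.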
@@ -454,7 +454,9 @@ &master_keyblock, 0, &tmp_mkey_list) == 0) { krb5_dbe_free_key_list(kdc_context, master_keylist); master_keylist = tmp_mkey_list; - krb5_db_set_mkey_list(kdc_context, master_keylist); + retval = krb5_db_set_mkey_list(kdc_context, master_keylist); + if (retval) + goto errout; if ((retval = krb5_dbe_find_mkey(kdc_context, master_keylist, server, &mkey_ptr))) { goto errout; @@ -469,10 +471,10 @@ -1, (krb5_int32)ticket->enc_part.kvno, &server_key); if (retval) - goto errout; + goto errout; if (!server_key) { - retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; - goto errout; + retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; + goto errout; } if ((*key = (krb5_keyblock *)malloc(sizeof **key))) { retval = krb5_dbekd_decrypt_key_data(kdc_context, mkey_ptr, Modified: trunk/src/kdc/main.c =================================================================== --- trunk/src/kdc/main.c 2009-03-16 17:58:53 UTC (rev 22099) +++ trunk/src/kdc/main.c 2009-03-16 18:00:06 UTC (rev 22100) @@ -444,7 +444,12 @@ "while setting master key for realm %s", realm); goto whoops; } - krb5_db_set_mkey_list(rdp->realm_context, rdp->mkey_list); + kret = krb5_db_set_mkey_list(rdp->realm_context, rdp->mkey_list); + if (kret) { + kdc_err(rdp->realm_context, kret, + "while setting master key list for realm %s", realm); + goto whoops; + } /* Set up the keytab */ if ((kret = krb5_ktkdb_resolve(rdp->realm_context, NULL, From raeburn at MIT.EDU Mon Mar 16 15:39:38 2009 
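Review bot: The new `goto errout` in kdc_util.c fires after the global `master_keylist` has already been replaced by `tmp_mkey_list` and the old list freed via `krb5_dbe_free_key_list()`, so on a failed `krb5_db_set_mkey_list()` the KDC's in-memory master key list has changed while the DB layer's view has not; whether that is harmless depends on what `errout` does, which is outside the hunk. Reordering removes the question: call `retval = krb5_db_set_mkey_list(kdc_context, tmp_mkey_list);` first, and only on success run `krb5_dbe_free_key_list(kdc_context, master_keylist); master_keylist = tmp_mkey_list;`. The companion main.c hunk reports the failure through `kdc_err()`, whereas this path returns `retval` with no log line, so a refused key list would be invisible in the KDC log. The enclosing function starts and ends outside this hunk.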
From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Mon, 16 Mar 2009 15:39:38 -0400 Subject: svn rev #22101: tools/gssmonger/trunk/gssmaster/ Message-ID: <200903161939.n2GJdcxa031236@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22101 Commit By: raeburn Log Message: native eol-style Changed Files: UU tools/gssmonger/trunk/gssmaster/ezlog_log4cpp.cpp Modified: tools/gssmonger/trunk/gssmaster/ezlog_log4cpp.cpp =================================================================== --- tools/gssmonger/trunk/gssmaster/ezlog_log4cpp.cpp 2009-03-16 18:00:06 UTC (rev 22100) +++ tools/gssmonger/trunk/gssmaster/ezlog_log4cpp.cpp 2009-03-16 19:39:37 UTC (rev 22101) 
@@ -1,291 +1,291 @@ -/*++ - - EZLOG_LOG4CPP.CPP - - Microsoft Permissive License (Ms-PL) - - This license governs use of the accompanying software. If you use the - software, you accept this license. If you do not accept the license, - do not use the software. - - 1. Definitions - The terms "reproduce," "reproduction" and "distribution" have the same - meaning here as under U.S. copyright law. "You" means the licensee of the - software. "Licensed patents" means any Microsoft patent claims which read - directly on the software as distributed by Microsoft under this license. - - 2. Grant of Rights - (A) Copyright Grant- Subject to the terms of this license, including the - license conditions and limitations in section 3, Microsoft grants you a - non-exclusive, worldwide, royalty-free copyright license to reproduce the - software, prepare derivative works of the software and distribute the - software or any derivative works that you create. - - (B) Patent Grant- Subject to the terms of this license, including the license - conditions and limitations in section 3, Microsoft grants you a non- - exclusive, worldwide, royalty-free patent license under licensed patents to - make, have made, use, practice, sell, and offer for sale, and/or otherwise - dispose of the software or derivative works of the software. - - 3. Conditions and Limitations - (A) No Trademark License- This license does not grant you any rights to use - Microsoft's name, logo, or trademarks. - - (B) If you begin patent litigation against Microsoft over patents that you - think may apply to the software (including a cross-claim or counterclaim in - a lawsuit), your license to the software ends automatically. - - (C) If you distribute copies of the software or derivative works, you must - retain all copyright, patent, trademark, and attribution notices that are - present in the software. 
- - (D) If you distribute the software or derivative works in source code form - you may do so only under this license (i.e., you must include a complete - copy of this license with your distribution), and if you distribute the - software or derivative works in compiled or object code form you may only do - so under a license that complies with this license. - - (E) The software is licensed "as-is." You bear the risk of using it. - Microsoft gives no express warranties, guarantees or conditions. You may - have additional consumer rights under your local laws which this license - cannot change. To the extent permitted under your local laws, Microsoft - excludes the implied warranties of merchantability, fitness for a particular - purpose and non-infringement. - - DESCRIPTION: reimplementation of ezLog API functions as wrappers around the log4c library - - As a warning to future users: This is a very ugly hack to shoehorn log4cpp onto the ezlog API in a way that doens't break too many things. I make no guarantees about sanity. It should work reasonably well, though. - - Created, July 9, 2007 by Adam Seering. - ---*/ - -#include -#include -#include "unix.h" -#include "ezlog.h" -#include "protocol.h" -#define LPEZSTR LPSTR - -#include -#include -#include -#include - -#include - -using namespace log4cpp; - -#ifndef WINNT -#define __stdcall -#define __cdecl -#endif // WINNT - - -// Convert EZLog priority ID's to Log4CPP priority ID's -int etol_priority(int EZLogPriority) { - // Note that these mappings are pretty arbitrary. - // There may well be reason to tweak them in the future. 
- - int Log4cPriority; - - switch(EZLogPriority) { - case EZLOG_ABORT: - Log4cPriority = Priority::FATAL; - break; - - case EZLOG_BLOCK: - Log4cPriority = Priority::NOTICE; - break; - - case EZLOG_KNOWNBUG: - Log4cPriority = Priority::WARN; - break; - - case EZLOG_SEV1: - Log4cPriority = Priority::ERROR; - break; - - case EZLOG_SEV2: - Log4cPriority = Priority::ERROR; - break; - - case EZLOG_SEV3: - Log4cPriority = Priority::ERROR; - break; - - case EZLOG_WARN: - Log4cPriority = Priority::WARN; - break; - - case EZLOG_PASS: - Log4cPriority = Priority::DEBUG; - break; - - case EZLOG_SKIPPED: - Log4cPriority = Priority::DEBUG; - break; - - case EZLOG_INFO: - Log4cPriority = Priority::INFO; - break; - - case EZLOG_DEBUG: - Log4cPriority = Priority::DEBUG; - break; - - case EZLOG_DBGPRINT: - Log4cPriority = Priority::DEBUG; - break; - - default: - Log4cPriority = Priority::NOTSET; - } - - return Log4cPriority; -} - -struct CatStack { - Category *cat; - CatStack *parent; - CatStack(Category *c, CatStack *p = NULL) : cat(c), parent(p) { } -}; -//Category *cat = NULL; -static CatStack *cats = NULL; - -// Start a new log4cpp log -EZLOGAPI ezStartBlock(IN OPTIONAL HANDLE OldLevel, - OUT OPTIONAL PHANDLE NewLevel, - IN OPTIONAL ULONG Flags, // currently ignored - IN OPTIONAL ULONG LogLevel, - IN LPEZSTR LogString, - ...) 
{ - - Appender* app = new FileAppender("FileAppender", "gssmaster.log"); - Appender* appConsole = new OstreamAppender("OstreamAppender", &(std::cout)); - - Layout* layout = new BasicLayout(); - app->setLayout(layout); - - static ULONG BlockCounter = 0; - - char ProcessedLogString[4096]; - va_list args; - - va_start(args, LogString); - vsnprintf(ProcessedLogString, 4096, LogString, args); - va_end(args); - - char LogName[24]; - snprintf(LogName, 24, "gssMonger.%ld", BlockCounter); - - Category *cat = &Category::getInstance(LogName); - cat->setAdditivity(true); - cat->setAppender(app); - cat->setAppender(appConsole); - cats = new CatStack(cat, cats); - - ezLogMsg(EZLOG_BLOCK, EZ_DEFAULT, "StartBlock %p from %p(%s): %s", - (void *)cat, - OldLevel, - (OldLevel - ? ((CatStack *)OldLevel)->cat->getName().data() - : "?"), - ProcessedLogString); - - cat->log(etol_priority(LogLevel), - ProcessedLogString); - - BlockCounter++; - - if (NewLevel) - *NewLevel = (void*)cats; - - return TRUE; -} - -// Log a message to the current log4cpp log -EZLOGAPI ServerLogMessage( PPROTOCOL_CALLBACK_ARGS pArgs, - IN PCHAR File, - IN int Line, - IN PCHAR LogString, - ... ) { - va_list args; - va_start(args, LogString); - - ezStartBlock( NULL, NULL, 0, 0, LogString, args); -} - -// Log a message to the current log4cpp log -EZLOGAPI vezLogMsg( IN ULONG LogLevel, - IN OPTIONAL HANDLE Log4cCategory, - IN LPEZSTR File, - IN ULONG Line, - IN LPEZSTR LogString, - IN va_list * ExtraArgs) { - - if (cats == NULL) { - void* temp; - ezStartBlock( NULL, &temp, 0, LogLevel, "Autoinitializing log..." 
); - } - - char ProcessedLogString[4096]; - va_list * args = ExtraArgs; - - if (File) { - const char *basename; - basename = strrchr(File, '/'); - if (basename == NULL) - basename = File; - else - basename++; - snprintf(ProcessedLogString, sizeof(ProcessedLogString), - "%s:%lu ", basename, Line); - } else - ProcessedLogString[0] = 0; - - vsnprintf(ProcessedLogString + strlen(ProcessedLogString), - sizeof(ProcessedLogString) - strlen(ProcessedLogString), - LogString, *args); - va_end(*args); - - cats->cat->log(etol_priority(LogLevel), ProcessedLogString); - - return TRUE; -} - -// Log a message to the current log4cpp log -EZLOGAPI ezLogMsg(IN ULONG LogLevel, - IN OPTIONAL HANDLE Log4cCategory, - IN LPEZSTR File, - IN ULONG Line, - IN LPEZSTR LogString, ...) { - va_list args; - - va_start(args, LogString); - vezLogMsg( LogLevel, Log4cCategory, File, Line, LogString, &args ); -} - -// Close the specified log4cpp log -EZLOGAPI ezFinishBlock( IN OPTIONAL HANDLE handle ) { - ezLogMsg(EZLOG_BLOCK, EZ_DEFAULT, "FinishBlock %p(%s)", handle, - (handle ? ((CatStack *)handle)->cat->getName().data() : "NULL")); - CatStack *c2 = cats; - cats = c2->parent; - delete c2; -} - -// Close the log4cpp log -EZLOGAPI ezCloseLog( IN OPTIONAL ULONG flags, ... ) { - Category::shutdown(); -} - -// Open the log4cpp log -EZLOGAPI ezOpenLogEx( IN OUT PEZLOG_OPENLOG_DATA pData ) { - // pass -} - -#ifndef WINNT -#undef __stdcall -#undef __cdecl -#endif // WINNT +/*++ + + EZLOG_LOG4CPP.CPP + + Microsoft Permissive License (Ms-PL) + + This license governs use of the accompanying software. If you use the + software, you accept this license. If you do not accept the license, + do not use the software. + + 1. Definitions + The terms "reproduce," "reproduction" and "distribution" have the same + meaning here as under U.S. copyright law. "You" means the licensee of the + software. 
"Licensed patents" means any Microsoft patent claims which read + directly on the software as distributed by Microsoft under this license. + + 2. Grant of Rights + (A) Copyright Grant- Subject to the terms of this license, including the + license conditions and limitations in section 3, Microsoft grants you a + non-exclusive, worldwide, royalty-free copyright license to reproduce the + software, prepare derivative works of the software and distribute the + software or any derivative works that you create. + + (B) Patent Grant- Subject to the terms of this license, including the license + conditions and limitations in section 3, Microsoft grants you a non- + exclusive, worldwide, royalty-free patent license under licensed patents to + make, have made, use, practice, sell, and offer for sale, and/or otherwise + dispose of the software or derivative works of the software. + + 3. Conditions and Limitations + (A) No Trademark License- This license does not grant you any rights to use + Microsoft's name, logo, or trademarks. + + (B) If you begin patent litigation against Microsoft over patents that you + think may apply to the software (including a cross-claim or counterclaim in + a lawsuit), your license to the software ends automatically. + + (C) If you distribute copies of the software or derivative works, you must + retain all copyright, patent, trademark, and attribution notices that are + present in the software. + + (D) If you distribute the software or derivative works in source code form + you may do so only under this license (i.e., you must include a complete + copy of this license with your distribution), and if you distribute the + software or derivative works in compiled or object code form you may only do + so under a license that complies with this license. + + (E) The software is licensed "as-is." You bear the risk of using it. + Microsoft gives no express warranties, guarantees or conditions. 
You may + have additional consumer rights under your local laws which this license + cannot change. To the extent permitted under your local laws, Microsoft + excludes the implied warranties of merchantability, fitness for a particular + purpose and non-infringement. + + DESCRIPTION: reimplementation of ezLog API functions as wrappers around the log4c library + + As a warning to future users: This is a very ugly hack to shoehorn log4cpp onto the ezlog API in a way that doens't break too many things. I make no guarantees about sanity. It should work reasonably well, though. + + Created, July 9, 2007 by Adam Seering. + +--*/ + +#include +#include +#include "unix.h" +#include "ezlog.h" +#include "protocol.h" +#define LPEZSTR LPSTR + +#include +#include +#include +#include + +#include + +using namespace log4cpp; + +#ifndef WINNT +#define __stdcall +#define __cdecl +#endif // WINNT + + +// Convert EZLog priority ID's to Log4CPP priority ID's +int etol_priority(int EZLogPriority) { + // Note that these mappings are pretty arbitrary. + // There may well be reason to tweak them in the future. 
+ + int Log4cPriority; + + switch(EZLogPriority) { + case EZLOG_ABORT: + Log4cPriority = Priority::FATAL; + break; + + case EZLOG_BLOCK: + Log4cPriority = Priority::NOTICE; + break; + + case EZLOG_KNOWNBUG: + Log4cPriority = Priority::WARN; + break; + + case EZLOG_SEV1: + Log4cPriority = Priority::ERROR; + break; + + case EZLOG_SEV2: + Log4cPriority = Priority::ERROR; + break; + + case EZLOG_SEV3: + Log4cPriority = Priority::ERROR; + break; + + case EZLOG_WARN: + Log4cPriority = Priority::WARN; + break; + + case EZLOG_PASS: + Log4cPriority = Priority::DEBUG; + break; + + case EZLOG_SKIPPED: + Log4cPriority = Priority::DEBUG; + break; + + case EZLOG_INFO: + Log4cPriority = Priority::INFO; + break; + + case EZLOG_DEBUG: + Log4cPriority = Priority::DEBUG; + break; + + case EZLOG_DBGPRINT: + Log4cPriority = Priority::DEBUG; + break; + + default: + Log4cPriority = Priority::NOTSET; + } + + return Log4cPriority; +} + +struct CatStack { + Category *cat; + CatStack *parent; + CatStack(Category *c, CatStack *p = NULL) : cat(c), parent(p) { } +}; +//Category *cat = NULL; +static CatStack *cats = NULL; + +// Start a new log4cpp log +EZLOGAPI ezStartBlock(IN OPTIONAL HANDLE OldLevel, + OUT OPTIONAL PHANDLE NewLevel, + IN OPTIONAL ULONG Flags, // currently ignored + IN OPTIONAL ULONG LogLevel, + IN LPEZSTR LogString, + ...) 
{ + + Appender* app = new FileAppender("FileAppender", "gssmaster.log"); + Appender* appConsole = new OstreamAppender("OstreamAppender", &(std::cout)); + + Layout* layout = new BasicLayout(); + app->setLayout(layout); + + static ULONG BlockCounter = 0; + + char ProcessedLogString[4096]; + va_list args; + + va_start(args, LogString); + vsnprintf(ProcessedLogString, 4096, LogString, args); + va_end(args); + + char LogName[24]; + snprintf(LogName, 24, "gssMonger.%ld", BlockCounter); + + Category *cat = &Category::getInstance(LogName); + cat->setAdditivity(true); + cat->setAppender(app); + cat->setAppender(appConsole); + cats = new CatStack(cat, cats); + + ezLogMsg(EZLOG_BLOCK, EZ_DEFAULT, "StartBlock %p from %p(%s): %s", + (void *)cat, + OldLevel, + (OldLevel + ? ((CatStack *)OldLevel)->cat->getName().data() + : "?"), + ProcessedLogString); + + cat->log(etol_priority(LogLevel), + ProcessedLogString); + + BlockCounter++; + + if (NewLevel) + *NewLevel = (void*)cats; + + return TRUE; +} + +// Log a message to the current log4cpp log +EZLOGAPI ServerLogMessage( PPROTOCOL_CALLBACK_ARGS pArgs, + IN PCHAR File, + IN int Line, + IN PCHAR LogString, + ... ) { + va_list args; + va_start(args, LogString); + + ezStartBlock( NULL, NULL, 0, 0, LogString, args); +} + +// Log a message to the current log4cpp log +EZLOGAPI vezLogMsg( IN ULONG LogLevel, + IN OPTIONAL HANDLE Log4cCategory, + IN LPEZSTR File, + IN ULONG Line, + IN LPEZSTR LogString, + IN va_list * ExtraArgs) { + + if (cats == NULL) { + void* temp; + ezStartBlock( NULL, &temp, 0, LogLevel, "Autoinitializing log..." 
); + } + + char ProcessedLogString[4096]; + va_list * args = ExtraArgs; + + if (File) { + const char *basename; + basename = strrchr(File, '/'); + if (basename == NULL) + basename = File; + else + basename++; + snprintf(ProcessedLogString, sizeof(ProcessedLogString), + "%s:%lu ", basename, Line); + } else + ProcessedLogString[0] = 0; + + vsnprintf(ProcessedLogString + strlen(ProcessedLogString), + sizeof(ProcessedLogString) - strlen(ProcessedLogString), + LogString, *args); + va_end(*args); + + cats->cat->log(etol_priority(LogLevel), ProcessedLogString); + + return TRUE; +} + +// Log a message to the current log4cpp log +EZLOGAPI ezLogMsg(IN ULONG LogLevel, + IN OPTIONAL HANDLE Log4cCategory, + IN LPEZSTR File, + IN ULONG Line, + IN LPEZSTR LogString, ...) { + va_list args; + + va_start(args, LogString); + vezLogMsg( LogLevel, Log4cCategory, File, Line, LogString, &args ); +} + +// Close the specified log4cpp log +EZLOGAPI ezFinishBlock( IN OPTIONAL HANDLE handle ) { + ezLogMsg(EZLOG_BLOCK, EZ_DEFAULT, "FinishBlock %p(%s)", handle, + (handle ? ((CatStack *)handle)->cat->getName().data() : "NULL")); + CatStack *c2 = cats; + cats = c2->parent; + delete c2; +} + +// Close the log4cpp log +EZLOGAPI ezCloseLog( IN OPTIONAL ULONG flags, ... ) { + Category::shutdown(); +} + +// Open the log4cpp log +EZLOGAPI ezOpenLogEx( IN OUT PEZLOG_OPENLOG_DATA pData ) { + // pass +} + +#ifndef WINNT +#undef __stdcall +#undef __cdecl +#endif // WINNT Property changes on: tools/gssmonger/trunk/gssmaster/ezlog_log4cpp.cpp ___________________________________________________________________ Name: svn:eol-style + native From raeburn at MIT.EDU Mon Mar 16 15:47:28 2009 
From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Mon, 16 Mar 2009 15:47:28 -0400 Subject: svn rev #22102: tools/gssmonger/trunk/gssmaster/ Message-ID: <200903161947.n2GJlSSg031831@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22102 Commit By: raeburn Log Message: don't open a new fd for each block; set appenders on root and inherit Changed Files: U tools/gssmonger/trunk/gssmaster/ezlog_log4cpp.cpp Modified: tools/gssmonger/trunk/gssmaster/ezlog_log4cpp.cpp =================================================================== --- tools/gssmonger/trunk/gssmaster/ezlog_log4cpp.cpp 2009-03-16 19:39:37 UTC (rev 22101) +++ tools/gssmonger/trunk/gssmaster/ezlog_log4cpp.cpp 2009-03-16 19:47:27 UTC (rev 22102) @@ -152,6 +152,7 @@ }; //Category *cat = NULL; static CatStack *cats = NULL; +static Appender *app = NULL, *appConsole = NULL; // Start a new log4cpp log EZLOGAPI ezStartBlock(IN OPTIONAL HANDLE OldLevel, @@ -160,12 +161,16 @@ IN OPTIONAL ULONG LogLevel, IN LPEZSTR LogString, ...) { - - Appender* app = new FileAppender("FileAppender", "gssmaster.log"); - Appender* appConsole = new OstreamAppender("OstreamAppender", &(std::cout)); - Layout* layout = new BasicLayout(); - app->setLayout(layout); + if (app == NULL) { + app = new FileAppender("FileAppender", "gssmaster.log"); + app->setLayout(new BasicLayout()); + Category::getRoot().setAppender(app); + } + if (appConsole == NULL) { + appConsole = new OstreamAppender("OstreamAppender", &(std::cout)); + Category::getRoot().setAppender(appConsole); + } static ULONG BlockCounter = 0; @@ -181,8 +186,6 @@ Category *cat = &Category::getInstance(LogName); cat->setAdditivity(true); - cat->setAppender(app); - cat->setAppender(appConsole); cats = new CatStack(cat, cats); ezLogMsg(EZLOG_BLOCK, EZ_DEFAULT, "StartBlock %p from %p(%s): %s", 
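Review bot: In the new initialisation block `Category::getRoot().setAppender(app)` is immediately followed by `Category::getRoot().setAppender(appConsole)`; if this is log4cpp's `Category::setAppender(Appender*)`, which as I recall removes (and deletes, for owned appenders) every existing appender before installing the new one, the second call discards and frees the file appender, leaving `app` non-NULL but dangling, so "gssmaster.log" is never written and the later `delete app` in ezCloseLog frees it a second time. Use the additive call for both: `Category::getRoot().addAppender(app);` and `Category::getRoot().addAppender(appConsole);`. A comment stating that the root category takes ownership of appenders installed by pointer would also explain why the statics exist and are reset in ezCloseLog. ezStartBlock continues past this hunk.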
@@ -278,6 +281,10 @@ // Close the log4cpp log EZLOGAPI ezCloseLog( IN OPTIONAL ULONG flags, ... ) { Category::shutdown(); + delete app; + app = NULL; + delete appConsole; + appConsole = NULL; } // Open the log4cpp log From raeburn at MIT.EDU Mon Mar 16 18:42:02 2009 From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Mon, 16 Mar 2009 18:42:02 -0400 Subject: svn rev #22103: tools/gssmonger/trunk/ gssmaster/ Message-ID: <200903162242.n2GMg2jf009349@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22103 Commit By: raeburn Log Message: MS docs and XSLT file Changed Files: A tools/gssmonger/trunk/gssMonger.doc A tools/gssmonger/trunk/gssmaster/ezlog.xslt Added: tools/gssmonger/trunk/gssMonger.doc =================================================================== (Binary files differ) Added: tools/gssmonger/trunk/gssmaster/ezlog.xslt =================================================================== --- tools/gssmonger/trunk/gssmaster/ezlog.xslt 2009-03-16 19:47:27 UTC (rev 22102) +++ tools/gssmonger/trunk/gssmaster/ezlog.xslt 2009-03-16 22:42:01 UTC (rev 22103) @@ -0,0 +1,212 @@ + + + + + + + + + + <xsl:value-of select="/ezLog/ezHeader/fileName"/> - + ezLog v<xsl:value-of select="/ezLog/@FileFmt"/> + + + + + + +
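Review bot: `delete app` and `delete appConsole` run after `Category::shutdown()`; if, as I recall from log4cpp, the root category took ownership when the appenders were installed by pointer and shutdown removes and deletes owned appenders, both deletes are double frees. Either drop the deletes and only reset the statics to NULL after shutdown, or install the appenders by reference so ownership stays in this file; in both cases add a comment stating who owns `app`/`appConsole`, because nothing in this file shows it. If the log4cpp version in use does not free appenders on shutdown, the current code is right and the comment should say that instead.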
+        
+      
+ + + + + + + + + + + + +
+ Click mouse to stick ruler to one line.
Click the same line again to unstick ruler. +
LocationLevelMessage
+ + +
+ + + .Lev { + padding-left:5; + cursor: default; + + + + border-top: 1 solid #FFFFFF; + border-bottom: 1 solid #FFFFFF; + background-color: #FFFFFF; + + + border-top: 1 solid #FFFFD0; + border-bottom: 1 solid #FFFFD0; + background-color: #FFFFD0; + + + + + border-top: 1 solid #FFD0FF; + border-bottom: 1 solid #FFD0FF; + background-color: #FFD0FF; + + + border-top: 1 solid #FFC0C8; + border-bottom: 1 solid #FFC0C8; + background-color: #FFC0C8; + + + + + + + border-top: 1 solid #DAFFFF; + border-bottom: 1 solid #DAFFFF; + background-color: #DAFFFF; + + + border-top: 1 solid #C0FFD8; + border-bottom: 1 solid #C0FFD8; + background-color: #C0FFD8; + + + + + border-top: 1 solid #C0D8FF; + border-bottom: 1 solid #C0D8FF; + background-color: #C0D8FF; + + + border-top: 1 solid #F5F5F5; + border-bottom: 1 solid #F5F5F5; + background-color: #F5F5F5; + + + + } + + + + + + Bug + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Lev + + + + + + + + JavaScript:Enter(this); + JavaScript:Leave(this); + Lev + JavaScript:Click(this); +
+ + +
+
+ +
\ No newline at end of file Property changes on: tools/gssmonger/trunk/gssMonger.doc ___________________________________________________________________ Name: svn:mime-type + application/octet-stream Property changes on: tools/gssmonger/trunk/gssmaster/ezlog.xslt ___________________________________________________________________ Name: svn:eol-style + native From tlyu at MIT.EDU Tue Mar 17 17:34:14 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 17 Mar 2009 17:34:14 -0400 Subject: svn rev #22104: branches/krb5-1-6/src/lib/gssapi/spnego/ Message-ID: <200903172134.n2HLYETe025034@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22104 Commit By: tlyu Log Message: ticket: 6426 subject: CVE-2009-0845 (1.6.x) SPNEGO can dereference a null pointer tags: pullup target_version: 1.6.4 version_fixed: 1.6.4 pull up r22084 from trunk acc_ctx_new() can return an error condition without establishing a SPNEGO context structure. This can cause a null pointer dereference in cleanup code in spnego_gss_accept_sec_context(). Changed Files: U branches/krb5-1-6/src/lib/gssapi/spnego/spnego_mech.c Modified: branches/krb5-1-6/src/lib/gssapi/spnego/spnego_mech.c =================================================================== --- branches/krb5-1-6/src/lib/gssapi/spnego/spnego_mech.c 2009-03-16 22:42:01 UTC (rev 22103) +++ branches/krb5-1-6/src/lib/gssapi/spnego/spnego_mech.c 2009-03-17 21:34:13 UTC (rev 22104) @@ -1248,7 +1248,8 @@ &negState, &return_token); } cleanup: - if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) { + if (return_token == INIT_TOKEN_SEND || + return_token == CONT_TOKEN_SEND) { tmpret = make_spnego_tokenTarg_msg(negState, sc->internal_mech, &mechtok_out, mic_out, return_token, From raeburn at MIT.EDU Tue Mar 17 17:49:47 2009 
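Review bot: The guarded block still dereferences `sc->internal_mech` in the `make_spnego_tokenTarg_msg()` call, so the fix relies on the invariant that `return_token` is never `INIT_TOKEN_SEND` or `CONT_TOKEN_SEND` unless the context structure was established, and nothing in the code states or checks that. Make it explicit with `assert(sc != NULL);` (or `sc != NULL &&` in the condition if assert is not available on this branch) and a comment: `/* acc_ctx_new() can fail before sc exists; only these states guarantee a context. */`. The old condition also sent a token for every value other than NO_TOKEN_SEND and CHECK_MIC, so if an error-reply state exists it now sends nothing, which should be deliberate and documented. spnego_gss_accept_sec_context() starts and ends outside this hunk.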
From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Tue, 17 Mar 2009 17:49:47 -0400 Subject: svn rev #22105: tools/gssmonger/trunk/gssmaster/ Message-ID: <200903172149.n2HLnljE025901@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22105 Commit By: raeburn Log Message: pull in reused sources from ../gssmaggot at build time Changed Files: U tools/gssmonger/trunk/gssmaster/Makefile.am D tools/gssmonger/trunk/gssmaster/mitkrb5.c D tools/gssmonger/trunk/gssmaster/netrw.c D tools/gssmonger/trunk/gssmaster/netutil.c D tools/gssmonger/trunk/gssmaster/util.c Modified: tools/gssmonger/trunk/gssmaster/Makefile.am =================================================================== --- tools/gssmonger/trunk/gssmaster/Makefile.am 2009-03-17 21:34:13 UTC (rev 22104) +++ tools/gssmonger/trunk/gssmaster/Makefile.am 2009-03-17 21:49:46 UTC (rev 22105) @@ -3,6 +3,8 @@ AM_CFLAGS = -I$(srcdir)/../include -I../include -DHAVE_EZLOG AM_CPPFLAGS = -I$(srcdir)/../include -I../include -DHAVE_EZLOG -DUSE_GSSAPI +VPATH = $(srcdir):$(srcdir)/../gssmaggot + bin_PROGRAMS = gssmaster gssmaster_SOURCES = alltests.c caseprv.c chgpass.c combos.c context.c \ interfere.c main.c mangle.c misc.c netutil.c clientapis.c \ Deleted: tools/gssmonger/trunk/gssmaster/mitkrb5.c Deleted: tools/gssmonger/trunk/gssmaster/netrw.c Deleted: tools/gssmonger/trunk/gssmaster/netutil.c Deleted: tools/gssmonger/trunk/gssmaster/util.c From raeburn at MIT.EDU Tue Mar 17 17:54:00 2009 
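Review bot: After this change `netutil.c` (and presumably the other three deleted files) is still listed in `gssmaster_SOURCES` but no longer exists in this directory; it is now found through the added `VPATH` entry for `../gssmaggot`, and nothing in the Makefile.am says so. A one-line comment above the assignment would spare the next reader a search: `# mitkrb5.c, netrw.c, netutil.c and util.c are shared with ../gssmaggot and found via VPATH`. Automake normally emits its own `VPATH = @srcdir@` line, so an explicit assignment here may be overridden or warned about depending on the automake version; worth confirming against the generated Makefile.in.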
From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Tue, 17 Mar 2009 17:54:00 -0400 Subject: svn rev #22106: tools/gssmonger/trunk/gssmaggot/ Message-ID: <200903172154.n2HLs0TG026197@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22106 Commit By: raeburn Log Message: build WrapEx code everywhere, return error for sspi or ifndef HAVE_GSS_WRAP_EX Changed Files: U tools/gssmonger/trunk/gssmaggot/gssapi.c U tools/gssmonger/trunk/gssmaggot/handlers.c U tools/gssmonger/trunk/gssmaggot/sspi.c Modified: tools/gssmonger/trunk/gssmaggot/gssapi.c =================================================================== --- tools/gssmonger/trunk/gssmaggot/gssapi.c 2009-03-17 21:49:46 UTC (rev 22105) +++ tools/gssmonger/trunk/gssmaggot/gssapi.c 2009-03-17 21:54:00 UTC (rev 22106) @@ -988,7 +988,6 @@ } -#if 1 ULONG DoWrapEx( IN PPROTOCOL_CALLBACK_ARGS pArgs, IN PHCTXT phContext, @@ -1008,7 +1007,7 @@ OUT PULONG pcbPad, OUT PVOID *ppvTrailer, OUT PULONG pcbTrailer ) { - +#ifdef HAVE_GSS_WRAP_EX GSSERRTYPE minor = 0; ULONG ulRet = GSMERR_TEST_ISSUE; gss_iov_buffer_desc Buffers[5] = { { 0 } }; @@ -1059,6 +1058,9 @@ *pcbTrailer = Buffers[4].buffer.length; return ulRet; +#else + return GSMERR_NOT_SUPPORTED; +#endif } ULONG @@ -1080,6 +1082,7 @@ OUT PVOID *ppvClear, OUT PULONG pcbClear ) { +#ifdef HAVE_GSS_WRAP_EX gss_iov_buffer_desc Buffers[5] = { { 0 } }; GSSERRTYPE minor = 0; ULONG ulRet = GSMERR_TEST_ISSUE; @@ -1117,8 +1120,10 @@ *pcbClear = Buffers[1].buffer.length; return ulRet; +#else + return GSMERR_NOT_SUPPORTED; +#endif } -#endif VOID FreeMessageOutput( IN ULONG cbData, Modified: tools/gssmonger/trunk/gssmaggot/handlers.c =================================================================== --- tools/gssmonger/trunk/gssmaggot/handlers.c 2009-03-17 21:49:46 UTC (rev 22105) +++ tools/gssmonger/trunk/gssmaggot/handlers.c 2009-03-17 21:54:00 UTC (rev 22106) @@ -1339,7 +1339,6 @@ } -#if 1 /*++************************************************************** NAME: HandleWrapEx 
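Review bot: On the new `#else` paths of DoWrapEx() and DoUnwrapEx() in gssapi.c, `GSMERR_NOT_SUPPORTED` is returned without touching any OUT parameter, so a caller that frees or reads `*ppvHeader`, `*ppvClear` and friends on every return (HandleWrapEx is outside this hunk, so I cannot tell) would operate on indeterminate pointers. Cheapest fix is to clear the outputs before returning in the `#else` branch: `*ppvHeader = *ppvCrypt = *ppvPad = *ppvTrailer = NULL; *pcbHeader = *pcbCrypt = *pcbPad = *pcbTrailer = 0;` for wrap and `*ppvClear = NULL; *pcbClear = 0;` for unwrap, or else document that outputs are undefined on GSMERR_NOT_SUPPORTED. Both functions begin before the `#ifdef` and the hunks cut through them.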
@@ -1622,7 +1621,6 @@ return ret; } -#endif /*++************************************************************** NAME: HandleVerify Modified: tools/gssmonger/trunk/gssmaggot/sspi.c =================================================================== --- tools/gssmonger/trunk/gssmaggot/sspi.c 2009-03-17 21:49:46 UTC (rev 22105) +++ tools/gssmonger/trunk/gssmaggot/sspi.c 2009-03-17 21:54:00 UTC (rev 22106) @@ -1685,6 +1685,52 @@ pcbString ); } +ULONG +DoWrapEx( IN PPROTOCOL_CALLBACK_ARGS pArgs, + IN PHCTXT phContext, + IN ULONG Flags, + IN ULONG SeqNo, + IN ULONG Conf, + IN PVOID Message1, + IN ULONG cbMessage1, + IN PVOID Message2, + IN ULONG cbMessage2, + + OUT PVOID *ppvHeader, + OUT PULONG pcbHeader, + OUT PVOID *ppvCrypt, + OUT PULONG pcbCrypt, + OUT PVOID *ppvPad, + OUT PULONG pcbPad, + OUT PVOID *ppvTrailer, + OUT PULONG pcbTrailer ) +{ + return GSMERR_NOT_SUPPORTED; +} + +ULONG +DoUnwrapEx( IN PPROTOCOL_CALLBACK_ARGS pArgs, + IN PHCTXT phContext, + IN ULONG Flags, + IN ULONG SeqNo, + + IN PVOID pvHeader, + IN ULONG cbHeader, + IN PVOID pvCrypt, + IN ULONG cbCrypt, + IN PVOID pvSign, + IN ULONG cbSign, + IN PVOID pvPad, + IN ULONG cbPad, + IN PVOID pvTrailer, + IN ULONG cbTrailer, + + OUT PVOID *ppvClear, + OUT PULONG pcbClear ) +{ + return GSMERR_NOT_SUPPORTED; +} + /*++************************************************************** NAME: FreeMessageOutput From ghudson at MIT.EDU Tue Mar 17 17:54:52 2009 
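Review bot: The new DoWrapEx()/DoUnwrapEx() stubs in sspi.c return `GSMERR_NOT_SUPPORTED` while leaving every OUT parameter untouched; if the protocol handler releases `*ppvHeader`/`*ppvClear` etc. unconditionally (it is not visible here), that is a free of an indeterminate pointer. Set the outputs to NULL/0 before returning, and add a header comment: `/* WrapEx/UnwrapEx have no SSPI equivalent; always reports GSMERR_NOT_SUPPORTED with outputs cleared. */`. A `(void)` cast of the unused IN parameters would also keep this file quiet under high warning levels.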
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Tue, 17 Mar 2009 17:54:52 -0400 Subject: svn rev #22107: trunk/src/lib/krb5/asn.1/ Message-ID: <200903172154.n2HLsqVd026263@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22107 Commit By: ghudson Log Message: ticket: 6427 subject: Fix error handling issue in ASN.1 decoder tags: pullup target_version: 1.7 In asn1_k_decode.c, check the return value of end_sequence_of_no_tagvars_helper. Changed Files: U trunk/src/lib/krb5/asn.1/asn1_k_decode.c Modified: trunk/src/lib/krb5/asn.1/asn1_k_decode.c =================================================================== --- trunk/src/lib/krb5/asn.1/asn1_k_decode.c 2009-03-17 21:54:00 UTC (rev 22106) +++ trunk/src/lib/krb5/asn.1/asn1_k_decode.c 2009-03-17 21:54:51 UTC (rev 22107) @@ -364,7 +364,8 @@ return retval; } #define end_sequence_of_no_tagvars(buf) \ - end_sequence_of_no_tagvars_helper(buf, &seqbuf, seqofindef) + retval = end_sequence_of_no_tagvars_helper(buf, &seqbuf, seqofindef); \ + if (retval) clean_return(retval) /* * Function body for a pointer decoder, which allocates a pointer From raeburn at MIT.EDU Tue Mar 17 17:55:05 2009 From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Tue, 17 Mar 2009 17:55:05 -0400 Subject: svn rev #22108: tools/gssmonger/trunk/ gssmaggot/ gssmaster/ Message-ID: <200903172155.n2HLt5hM026372@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22108 Commit By: raeburn Log Message: update for vs2008 and some path changes Changed Files: U tools/gssmonger/trunk/gssmaggot/gssmaggot.vcproj U tools/gssmonger/trunk/gssmaster/gssmaster.vcproj U tools/gssmonger/trunk/gssmonger.sln U tools/gssmonger/trunk/gssmonger.suo Modified: tools/gssmonger/trunk/gssmaggot/gssmaggot.vcproj =================================================================== --- tools/gssmonger/trunk/gssmaggot/gssmaggot.vcproj 2009-03-17 21:54:51 UTC (rev 22107) +++ tools/gssmonger/trunk/gssmaggot/gssmaggot.vcproj 2009-03-17 21:55:05 UTC (rev 22108) 
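Review bot: `end_sequence_of_no_tagvars(buf)` now expands to two statements (`retval = ...;` followed by `if (retval) clean_return(retval)`), so a use such as `if (cond) end_sequence_of_no_tagvars(buf);` would run the `if (retval)` test unconditionally, and any expansion in a dangling-else position is equally fragile. Wrap it: `do { retval = end_sequence_of_no_tagvars_helper(buf, &seqbuf, seqofindef); if (retval) clean_return(retval); } while (0)`. The macro also now silently requires `retval`, `seqbuf` and `seqofindef` to be in scope at the expansion site; a comment above it naming that requirement would help, since the helper's declaration is outside this hunk.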
@@ -1,11 +1,12 @@ - @@ -149,6 +149,8 @@ SubSystem="1" OptimizeReferences="2" EnableCOMDATFolding="2" + RandomizedBaseAddress="1" + DataExecutionPrevention="0" TargetMachine="1" /> - Modified: tools/gssmonger/trunk/gssmaster/gssmaster.vcproj =================================================================== --- tools/gssmonger/trunk/gssmaster/gssmaster.vcproj 2009-03-17 21:54:51 UTC (rev 22107) +++ tools/gssmonger/trunk/gssmaster/gssmaster.vcproj 2009-03-17 21:55:05 UTC (rev 22108) @@ -1,11 +1,12 @@ - @@ -149,6 +149,8 @@ SubSystem="1" OptimizeReferences="2" EnableCOMDATFolding="2" + RandomizedBaseAddress="1" + DataExecutionPrevention="0" TargetMachine="1" /> - Modified: tools/gssmonger/trunk/gssmonger.sln =================================================================== --- tools/gssmonger/trunk/gssmonger.sln 2009-03-17 21:54:51 UTC (rev 22107) +++ tools/gssmonger/trunk/gssmonger.sln 2009-03-17 21:55:05 UTC (rev 22108) @@ -1,6 +1,6 @@  -Microsoft Visual Studio Solution File, Format Version 9.00 -# Visual Studio 2005 +Microsoft Visual Studio Solution File, Format Version 10.00 +# Visual Studio 2008 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gssmaster", "gssmaster\gssmaster.vcproj", "{267D7F2E-14B0-497A-90B7-EF894D63961E}" EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gssmaggot", "gssmaggot\gssmaggot.vcproj", "{5F57A6E9-73FE-46EC-B074-F3DD84056D21}" Modified: tools/gssmonger/trunk/gssmonger.suo =================================================================== (Binary files differ) From raeburn at MIT.EDU Tue Mar 17 18:36:30 2009 
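Review bot: ASLR looks to be explicitly switched off by the `RandomizedBaseAddress="1"` that both vcproj hunks add to the linker settings — in the VS2008 project schema, as far as I recall, `1` there is /DYNAMICBASE:NO, and `DataExecutionPrevention="0"` is merely the default rather than /NXCOMPAT. If that was not deliberate, `RandomizedBaseAddress="2"` and `DataExecutionPrevention="2"` enable /DYNAMICBASE and /NXCOMPAT; if it was (for debugging, say), a one-line comment in the project file would save the next reader the lookup. The values were probably written by the upgrade wizard, so this is worth confirming rather than assuming either way.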
From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Tue, 17 Mar 2009 18:36:30 -0400 Subject: svn rev #22109: tools/gssmonger/trunk/gssmaggot/ Message-ID: <200903172236.n2HMaUms028770@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22109 Commit By: raeburn Log Message: define a DbgPrint function for Windows because the binary libraries need it and it doesn't seem to be provided now; not sure when that broke Changed Files: U tools/gssmonger/trunk/gssmaggot/netutil.c Modified: tools/gssmonger/trunk/gssmaggot/netutil.c =================================================================== --- tools/gssmonger/trunk/gssmaggot/netutil.c 2009-03-17 21:55:05 UTC (rev 22108) +++ tools/gssmonger/trunk/gssmaggot/netutil.c 2009-03-17 22:36:30 UTC (rev 22109) @@ -969,3 +969,13 @@ } +#ifdef _WIN32 /* XXX */ +#undef DbgPrint +void DbgPrint(const char *fmt, ...) +{ + va_list va; + va_start(va, fmt); + vfprintf(stderr, fmt, va); + va_end(va); +} +#endif From raeburn at MIT.EDU Tue Mar 17 18:37:00 2009 From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Tue, 17 Mar 2009 18:37:00 -0400 Subject: svn rev #22110: tools/gssmonger/trunk/ gssmaggot/ gssmaster/ Message-ID: <200903172237.n2HMb0Gv028822@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22110 Commit By: raeburn Log Message: no, really, actually fix the pathnames this time... Changed Files: U tools/gssmonger/trunk/gssmaggot/gssmaggot.vcproj U tools/gssmonger/trunk/gssmaster/gssmaster.vcproj U tools/gssmonger/trunk/gssmonger.suo Modified: tools/gssmonger/trunk/gssmaggot/gssmaggot.vcproj =================================================================== --- tools/gssmonger/trunk/gssmaggot/gssmaggot.vcproj 2009-03-17 22:36:30 UTC (rev 22109) +++ tools/gssmonger/trunk/gssmaggot/gssmaggot.vcproj 2009-03-17 22:37:00 UTC (rev 22110) 
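Review bot: The `/* XXX */` on the new `#ifdef _WIN32` block says nothing about why the definition exists; the log message has the reason, and it belongs in the code, e.g. `/* XXX The prebuilt Windows libraries reference DbgPrint, which no longer seems to be provided; route it to stderr until the real source is found. */`. The wrapper also passes the caller's `fmt` straight to `vfprintf`, so it inherits printf format semantics and every caller must supply a literal format string; a comment on the definition, or the compiler's printf-format annotation where available, makes that contract explicit. Whether `<stdarg.h>` and `<stdio.h>` are already included by netutil.c is outside the hunk.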
@@ -197,7 +197,7 @@ > http://src.mit.edu/fisheye/changelog/krb5/?cs=22111 Commit By: raeburn Log Message: fix up conditionalization of gss_wrap_iov - actually do configure test; get macro name right; actually include config.h Changed Files: U tools/gssmonger/trunk/configure.ac U tools/gssmonger/trunk/gssmaggot/gssapi.c U tools/gssmonger/trunk/include/unix.h Modified: tools/gssmonger/trunk/configure.ac =================================================================== --- tools/gssmonger/trunk/configure.ac 2009-03-17 22:37:00 UTC (rev 22110) +++ tools/gssmonger/trunk/configure.ac 2009-03-17 22:48:38 UTC (rev 22111) @@ -90,6 +90,8 @@ # Not much to check; we hope that krb5-config checked everything for us fi +AC_CHECK_FUNCS(gss_wrap_iov) + # Log4cpp replaces ezlog under Windows. AC_ARG_WITH(log4cpp, [ --with-log4cpp=PREFIX Specify location of log4cpp], [log4cpp="$withval"], [log4cpp=yes]) if test "$log4cpp" != no; then Modified: tools/gssmonger/trunk/gssmaggot/gssapi.c =================================================================== --- tools/gssmonger/trunk/gssmaggot/gssapi.c 2009-03-17 22:37:00 UTC (rev 22110) +++ tools/gssmonger/trunk/gssmaggot/gssapi.c 2009-03-17 22:48:38 UTC (rev 22111) @@ -1007,7 +1007,7 @@ OUT PULONG pcbPad, OUT PVOID *ppvTrailer, OUT PULONG pcbTrailer ) { -#ifdef HAVE_GSS_WRAP_EX +#ifdef HAVE_GSS_WRAP_IOV GSSERRTYPE minor = 0; ULONG ulRet = GSMERR_TEST_ISSUE; gss_iov_buffer_desc Buffers[5] = { { 0 } }; @@ -1082,7 +1082,7 @@ OUT PVOID *ppvClear, OUT PULONG pcbClear ) { -#ifdef HAVE_GSS_WRAP_EX +#ifdef HAVE_GSS_WRAP_IOV gss_iov_buffer_desc Buffers[5] = { { 0 } }; GSSERRTYPE minor = 0; ULONG ulRet = GSMERR_TEST_ISSUE; Modified: tools/gssmonger/trunk/include/unix.h =================================================================== --- tools/gssmonger/trunk/include/unix.h 2009-03-17 22:37:00 UTC (rev 22110) +++ tools/gssmonger/trunk/include/unix.h 2009-03-17 22:48:38 UTC (rev 22111) 
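Review bot: `AC_CHECK_FUNCS(gss_wrap_iov)` links a test program against whatever `$LIBS` holds at that point, so `HAVE_GSS_WRAP_IOV` is only ever defined if the GSS library has already been added to LIBS by the krb5-config branch above; if that branch only sets CFLAGS/LDFLAGS the test silently fails and the `#ifdef HAVE_GSS_WRAP_IOV` blocks in gssapi.c compile out. Placing the check after the library is added to LIBS, or folding it into an `AC_CHECK_LIB` whose other-libraries argument names the GSS library, avoids a wrong negative result. Whether the krb5-config branch adds to LIBS is outside the visible hunk.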
@@ -74,6 +74,8 @@ #include #include +#include "../config.h" + #ifdef USE_TIME_H #include #else From ghudson at MIT.EDU Fri Mar 20 14:09:21 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Fri, 20 Mar 2009 14:09:21 -0400 Subject: svn rev #22112: trunk/src/ config/ include/ lib/kadm5/ Message-ID: <200903201809.n2KI9L3c018725@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22112 Commit By: ghudson Log Message: ticket: 6431 subject: Install kadmin and kdb headers tags: pullup target_version: 1.7 Add disclaimers to the kadmin and kdb headers about the weaker stability commitments we make for their APIs, and install them for the benefit of users who can tolerate such instability. (The kadmin interface is the real goal here, but the kadmin header includes kdb.h so we need to install both.) Changed Files: U trunk/src/config/pre.in U trunk/src/include/Makefile.in U trunk/src/include/kdb.h U trunk/src/lib/kadm5/Makefile.in U trunk/src/lib/kadm5/admin.h Modified: trunk/src/config/pre.in =================================================================== --- trunk/src/config/pre.in 2009-03-17 22:48:38 UTC (rev 22111) +++ trunk/src/config/pre.in 2009-03-20 18:09:19 UTC (rev 22112) @@ -219,6 +219,7 @@ KRB5_LIBKRB5_MODULE_DIR = $(MODULE_DIR)/libkrb5 GSS_MODULE_DIR = @libdir@/gss KRB5_INCSUBDIRS = \ + $(KRB5_INCDIR)/kadm5 \ $(KRB5_INCDIR)/krb5 \ $(KRB5_INCDIR)/gssapi \ $(KRB5_INCDIR)/gssrpc Modified: trunk/src/include/Makefile.in =================================================================== --- trunk/src/include/Makefile.in 2009-03-17 22:48:38 UTC (rev 22111) +++ trunk/src/include/Makefile.in 2009-03-20 18:09:19 UTC (rev 22112) 
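Review bot: `#include "../config.h"` lands after the system headers already included at the top of this hunk, so any feature-test macros config.h defines would arrive too late to affect them; the usual convention is to include config.h before anything else. The relative path also ties the header to the build tree's directory layout rather than to an `-I` supplied by the Makefile, so `#include "config.h"` with the include path coming from the build would be more robust. Whether config.h defines any feature macros is outside the hunk.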
@@ -132,6 +132,7 @@ install-headers-unix install:: krb5/krb5.h profile.h $(INSTALL_DATA) $(srcdir)/krb5.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5.h + $(INSTALL_DATA) $(srcdir)/kdb.h $(DESTDIR)$(KRB5_INCDIR)$(S)kdb.h $(INSTALL_DATA) krb5/krb5.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)krb5.h $(INSTALL_DATA) $(srcdir)/krb5/locate_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)locate_plugin.h $(INSTALL_DATA) profile.h $(DESTDIR)$(KRB5_INCDIR)$(S)profile.h Modified: trunk/src/include/kdb.h =================================================================== --- trunk/src/include/kdb.h 2009-03-17 22:48:38 UTC (rev 22111) +++ trunk/src/include/kdb.h 2009-03-20 18:09:19 UTC (rev 22112) @@ -58,9 +58,19 @@ * Use is subject to license terms. */ +/* This API is not considered as stable as the main krb5 API. + * + * - We may make arbitrary incompatible changes between feature + * releases (e.g. from 1.7 to 1.8). + * - We will make some effort to avoid making incompatible changes for + * bugfix releases, but will make them if necessary. + */ + #ifndef KRB5_KDB5__ #define KRB5_KDB5__ +#include + /* Salt types */ #define KRB5_KDB_SALTTYPE_NORMAL 0 #define KRB5_KDB_SALTTYPE_V4 1 Modified: trunk/src/lib/kadm5/Makefile.in =================================================================== --- trunk/src/lib/kadm5/Makefile.in 2009-03-17 22:48:38 UTC (rev 22111) +++ trunk/src/lib/kadm5/Makefile.in 2009-03-20 18:09:19 UTC (rev 22112) 
@@ -98,5 +98,10 @@ clean-windows:: +install-headers-unix install:: $(BUILD_HDRS) + $(INSTALL_DATA) $(srcdir)/admin.h $(DESTDIR)$(KRB5_INCDIR)$(S)kadm5$(S)admin.h + $(INSTALL_DATA) chpass_util_strings.h $(DESTDIR)$(KRB5_INCDIR)$(S)kadm5$(S)chpass_util_strings.h + $(INSTALL_DATA) kadm_err.h $(DESTDIR)$(KRB5_INCDIR)$(S)kadm5$(S)kadm_err.h + @libobj_frag@ Modified: trunk/src/lib/kadm5/admin.h =================================================================== --- trunk/src/lib/kadm5/admin.h 2009-03-17 22:48:38 UTC (rev 22111) +++ trunk/src/lib/kadm5/admin.h 2009-03-20 18:09:19 UTC (rev 22112) @@ -30,6 +30,17 @@ * $Header$ */ +/* + * This API is not considered as stable as the main krb5 API. + * + * - We may make arbitrary incompatible changes between feature + * releases (e.g. from 1.7 to 1.8). + * - We will make some effort to avoid making incompatible changes for + * bugfix releases, but will make them if necessary. + * - We make no commitments at all regarding the v1 API (obtained by + * defining USE_KADM5_API_VERSION to 1) and expect to remove it. + */ + #ifndef __KADM5_ADMIN_H__ #define __KADM5_ADMIN_H__ From ghudson at MIT.EDU Tue Mar 24 13:24:32 2009 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Tue, 24 Mar 2009 13:24:32 -0400 Subject: svn rev #22113: trunk/src/ include/ plugins/preauth/pkinit/ Message-ID: <200903241724.n2OHOWNT015511@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22113 Commit By: ghudson Log Message: Revert r21880 which included k5-int.h in several pkinit source files. Instead, move the pkinit-specific KRB5_CONF macros to pkinit.h, and add duplicate definitions of the non-pkinit-specific macros used by the pkinit code. Changed Files: U trunk/src/include/k5-int.h U trunk/src/plugins/preauth/pkinit/pkinit.h U trunk/src/plugins/preauth/pkinit/pkinit_clnt.c U trunk/src/plugins/preauth/pkinit/pkinit_matching.c U trunk/src/plugins/preauth/pkinit/pkinit_srv.c Modified: trunk/src/include/k5-int.h =================================================================== --- trunk/src/include/k5-int.h 2009-03-20 18:09:19 UTC (rev 22112) +++ trunk/src/include/k5-int.h 2009-03-24 17:24:31 UTC (rev 22113) 
@@ -241,22 +241,6 @@ #define KRB5_CONF_MAX_RENEWABLE_LIFE "max_renewable_life" #define KRB5_CONF_NOADDRESSES "noaddresses" #define KRB5_CONF_PERMITTED_ENCTYPES "permitted_enctypes" -#define KRB5_CONF_PKINIT_ALLOW_UPN "pkinit_allow_upn" -#define KRB5_CONF_PKINIT_ANCHORS "pkinit_anchors" -#define KRB5_CONF_PKINIT_CERT_MATCH "pkinit_cert_match" -#define KRB5_CONF_PKINIT_DH_MIN_BITS "pkinit_dh_min_bits" -#define KRB5_CONF_PKINIT_EKU_CHECKING "pkinit_eku_checking" -#define KRB5_CONF_PKINIT_IDENTITY "pkinit_identity" -#define KRB5_CONF_PKINIT_IDENTITIES "pkinit_identities" -#define KRB5_CONF_PKINIT_KDC_HOSTNAME "pkinit_kdc_hostname" -#define KRB5_CONF_PKINIT_KDC_OCSP "pkinit_kdc_ocsp" -#define KRB5_CONF_PKINIT_LONGHORN "pkinit_longhorn" -#define KRB5_CONF_PKINIT_MAPPING_FILE "pkinit_mappings_file" -#define KRB5_CONF_PKINIT_POOL "pkinit_pool" -#define KRB5_CONF_PKINIT_REVOKE "pkinit_revoke" -#define KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING "pkinit_require_crl_checking" -#define KRB5_CONF_PKINIT_WIN2K "pkinit_win2k" -#define KRB5_CONF_PKINIT_WIN2K_REQUIRE_BINDING "pkinit_win2k_require_binding" #define KRB5_CONF_PREFERRED_PREAUTH_TYPES "preferred_preauth_types" #define KRB5_CONF_PROXIABLE "proxiable" #define KRB5_CONF_RDNS "rdns" Modified: trunk/src/plugins/preauth/pkinit/pkinit.h =================================================================== --- trunk/src/plugins/preauth/pkinit/pkinit.h 2009-03-20 18:09:19 UTC (rev 22112) +++ trunk/src/plugins/preauth/pkinit/pkinit.h 2009-03-24 17:24:31 UTC (rev 22113) 
@@ -71,6 +71,26 @@ #define PKINIT_DEFAULT_DH_MIN_BITS 2048 +#define KRB5_CONF_KDCDEFAULTS "kdcdefaults" +#define KRB5_CONF_LIBDEFAULTS "libdefaults" +#define KRB5_CONF_REALMS "realms" +#define KRB5_CONF_PKINIT_ALLOW_UPN "pkinit_allow_upn" +#define KRB5_CONF_PKINIT_ANCHORS "pkinit_anchors" +#define KRB5_CONF_PKINIT_CERT_MATCH "pkinit_cert_match" +#define KRB5_CONF_PKINIT_DH_MIN_BITS "pkinit_dh_min_bits" +#define KRB5_CONF_PKINIT_EKU_CHECKING "pkinit_eku_checking" +#define KRB5_CONF_PKINIT_IDENTITIES "pkinit_identities" +#define KRB5_CONF_PKINIT_IDENTITY "pkinit_identity" +#define KRB5_CONF_PKINIT_KDC_HOSTNAME "pkinit_kdc_hostname" +#define KRB5_CONF_PKINIT_KDC_OCSP "pkinit_kdc_ocsp" +#define KRB5_CONF_PKINIT_LONGHORN "pkinit_longhorn" +#define KRB5_CONF_PKINIT_MAPPING_FILE "pkinit_mapping_file" +#define KRB5_CONF_PKINIT_POOL "pkinit_pool" +#define KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING "pkinit_require_crl_checking" +#define KRB5_CONF_PKINIT_REVOKE "pkinit_revoke" +#define KRB5_CONF_PKINIT_WIN2K "pkinit_win2k" +#define KRB5_CONF_PKINIT_WIN2K_REQUIRE_BINDING "pkinit_win2k_require_binding" + /* Make pkiDebug(fmt,...) print, or not. */ #ifdef DEBUG #define pkiDebug printf Modified: trunk/src/plugins/preauth/pkinit/pkinit_clnt.c =================================================================== --- trunk/src/plugins/preauth/pkinit/pkinit_clnt.c 2009-03-20 18:09:19 UTC (rev 22112) +++ trunk/src/plugins/preauth/pkinit/pkinit_clnt.c 2009-03-24 17:24:31 UTC (rev 22113) @@ -38,7 +38,6 @@ #include #include -#include "k5-int.h" #include "pkinit.h" #ifdef LONGHORN_BETA_COMPAT Modified: trunk/src/plugins/preauth/pkinit/pkinit_matching.c =================================================================== --- trunk/src/plugins/preauth/pkinit/pkinit_matching.c 2009-03-20 18:09:19 UTC (rev 22112) +++ trunk/src/plugins/preauth/pkinit/pkinit_matching.c 2009-03-24 17:24:31 UTC (rev 22113) 
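Review bot: `KRB5_CONF_PKINIT_MAPPING_FILE` is defined here as `"pkinit_mapping_file"`, while the definition removed from k5-int.h in the same revision read `"pkinit_mappings_file"`; the log message describes a move, not a rename, so either the old key was wrong or this silently changes which krb5.conf option the pkinit code reads. Worth confirming against the documentation and any existing deployments before this lands. The block also duplicates `KRB5_CONF_KDCDEFAULTS`, `KRB5_CONF_LIBDEFAULTS` and `KRB5_CONF_REALMS` from k5-int.h; a comment such as `/* Duplicated from k5-int.h; keep the strings in sync. */` would warn the next maintainer that two copies exist.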
@@ -34,7 +34,6 @@ #include #include #include -#include "k5-int.h" #include "pkinit.h" typedef struct _pkinit_cert_info pkinit_cert_info; Modified: trunk/src/plugins/preauth/pkinit/pkinit_srv.c =================================================================== --- trunk/src/plugins/preauth/pkinit/pkinit_srv.c 2009-03-20 18:09:19 UTC (rev 22112) +++ trunk/src/plugins/preauth/pkinit/pkinit_srv.c 2009-03-24 17:24:31 UTC (rev 22113) @@ -33,7 +33,6 @@ #include #include -#include "k5-int.h" #include "pkinit.h" static krb5_error_code From wfiveash at MIT.EDU Wed Mar 25 17:12:59 2009 From: wfiveash at MIT.EDU (wfiveash@MIT.EDU) Date: Wed, 25 Mar 2009 17:12:59 -0400 Subject: svn rev #22114: trunk/src/kadmin/dbutil/ Message-ID: <200903252112.n2PLCxrc022291@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22114 Commit By: wfiveash Log Message: Ticket: 6432 Subject: Update kdb5_util man page for mkey migration project Version_Reported: 1.7 Target_Version: 1.7 Tags: pullup Updated the kdb5_util command man page to include documentation on new subcommands added as a result of the Master Key Migration project. Changed Files: U trunk/src/kadmin/dbutil/kdb5_util.M Modified: trunk/src/kadmin/dbutil/kdb5_util.M =================================================================== --- trunk/src/kadmin/dbutil/kdb5_util.M 2009-03-24 17:24:31 UTC (rev 22113) +++ trunk/src/kadmin/dbutil/kdb5_util.M 2009-03-25 21:12:58 UTC (rev 22114) 
@@ -216,20 +216,31 @@ \fBark\fP Adds a random key. .TP -\fBadd_mkey\fP ... -This option needs documentation. +\fBadd_mkey\fP [\fB\-e etype\fP] [\fB\-s\fP] +Adds a new master key to the K/M (master key) principal. Existing master keys will remain. +The +.B \-e etype +option allows specification of the enctype of the new master key. The +.B \-s +option stashes the new master key in a local stash file which will be created if it doesn't already exist. .TP -\fBuse_mkey\fP ... -This option needs documentation. +\fBuse_mkey\fP \fImkeyVNO [\fBtime\fP] +Sets the activation time of the master key specified by +.B mkeyVNO. +Once a master key is active (i.e. its activation time has been reached) it will then be used to encrypt principal keys either when the principal keys change, are newly created or when the update_princ_encryption command is run. If the +.B time +argument is provided then that will be the activation time otherwise the current time is used by default. The format of the optional +.B time +argument is that specified in the Time Formats section of the kadmin man page. .TP \fBlist_mkeys\fP -This option needs documentation. +List all master keys from most recent to earliest in K/M principal. The output will show the KVNO, enctype and salt for each mkey similar to kadmin getprinc output. A * following an mkey denotes the currently active master key. .TP \fBupdate_princ_encryption\fP [\fB\-f\fP] [\fB\-n\fP] [\fB\-v\fP] [\fBprinc\-pattern\fP] Update all principal records (or only those matching the .B princ\-pattern -glob pattern) to re-encrypt the key data using the latest version of -the database master key, if they are encrypted using older versions, +glob pattern) to re-encrypt the key data using the active +database master key, if they are encrypted using older versions, and give a count at the end of the number of principals updated. If the .B \-f From hartmans at MIT.EDU Thu Mar 26 01:31:50 2009 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:31:50 -0400 Subject: svn rev #22115: branches/ Message-ID: <200903260531.n2Q5Vo4M017728@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22115 Commit By: hartmans Log Message: Branch trunk for FAST project Changed Files: A branches/fast/ Copied: branches/fast (from rev 22114, trunk) From hartmans at MIT.EDU Thu Mar 26 01:36:05 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:36:05 -0400 Subject: svn rev #22116: branches/fast/src/ include/ lib/krb5/error_tables/ Message-ID: <200903260536.n2Q5a5a6018007@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22116 Commit By: hartmans Log Message: FAST data structures for protocol messages Changed Files: U branches/fast/src/include/k5-int.h U branches/fast/src/lib/krb5/error_tables/kv5m_err.et Modified: branches/fast/src/include/k5-int.h =================================================================== --- branches/fast/src/include/k5-int.h 2009-03-26 05:31:49 UTC (rev 22115) +++ branches/fast/src/include/k5-int.h 2009-03-26 05:36:05 UTC (rev 22116) 
@@ -963,6 +963,40 @@ krb5_data auth_package; } krb5_pa_for_user; +typedef struct _krb5_fast_armor { + krb5_int32 armor_type; + krb5_data armor_value; +} krb5_fast_armor; +typedef struct _krb5_fast_armored_req { + krb5_magic magic; + krb5_fast_armor *armor; + krb5_checksum req_checksum; + krb5_enc_data enc_part; +} krb5_fast_armored_req; + +typedef struct _krb5_fast_req { + krb5_magic magic; + krb5_int32 fast_options; + /* padata from req_body is used*/ + krb5_kdc_req req_body; +} krb5_fast_req; + + typedef struct _krb5_fast_finished { + krb5_timestamp timestamp; + krb5_int32 usec; + krb5_principal client; + krb5_checksum checksum; + krb5_checksum ticket_checksum; + } krb5_fast_finished; + + typedef struct _krb5_fast_response { + krb5_magic magic; + krb5_pa_data **padata; + krb5_keyblock *rep_key; + krb5_fast_finished *finished; +} krb5_fast_response; + + typedef krb5_error_code (*krb5_preauth_obtain_proc) (krb5_context, krb5_pa_data *, Modified: branches/fast/src/lib/krb5/error_tables/kv5m_err.et =================================================================== --- branches/fast/src/lib/krb5/error_tables/kv5m_err.et 2009-03-26 05:31:49 UTC (rev 22115) +++ branches/fast/src/lib/krb5/error_tables/kv5m_err.et 2009-03-26 05:36:05 UTC (rev 22116) @@ -86,5 +86,7 @@ error_code KV5M_PASSWD_PHRASE_ELEMENT, "Bad magic number for passwd_phrase_element" error_code KV5M_GSS_OID, "Bad magic number for GSSAPI OID" error_code KV5M_GSS_QUEUE, "Bad magic number for GSSAPI QUEUE" - +error_code KV5M_FAST_ARMORED_REQ, "Bad magic number for fast armored request" +error_code KV5M_FAST_REQ, "Bad magic number for FAST request" +error_code KV5M_FAST_RESPONSE, "Bad magic number for FAST response" end From hartmans at MIT.EDU Thu Mar 26 01:36:18 2009 
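Review bot: The `krb5_fast_finished` and `krb5_fast_response` typedefs are indented one level relative to the sibling structs in the same hunk, and `krb5_fast_armor` and `krb5_fast_finished` carry no `magic` field while the other three do. If the omission is deliberate, a one-line comment on each saying so would keep readers from "fixing" it; the kv5m_err.et hunk is consistent with the omission, adding codes only for the three structs that have a magic. The stray `/* padata from req_body is used*/` would read better as `/* padata is carried in req_body.padata */` so it states the convention rather than hinting at it.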
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:36:18 -0400 Subject: svn rev #22117: branches/fast/src/ include/ lib/krb5/asn.1/ Message-ID: <200903260536.n2Q5aIOa018061@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22117 Commit By: hartmans Log Message: Define FAST encoders and decoders Initial implementation of FAST encoders and decoders Changed Files: U branches/fast/src/include/k5-int.h U branches/fast/src/lib/krb5/asn.1/asn1_k_decode.c U branches/fast/src/lib/krb5/asn.1/asn1_k_decode.h U branches/fast/src/lib/krb5/asn.1/asn1_k_encode.c U branches/fast/src/lib/krb5/asn.1/krb5_decode.c Modified: branches/fast/src/include/k5-int.h =================================================================== --- branches/fast/src/include/k5-int.h 2009-03-26 05:36:05 UTC (rev 22116) +++ branches/fast/src/include/k5-int.h 2009-03-26 05:36:17 UTC (rev 22117) @@ -1288,6 +1288,16 @@ void KRB5_CALLCONV krb5_free_etype_list (krb5_context, krb5_etype_list * ); +void KRB5_CALLCONV krb5_free_fast_armor +(krb5_context, krb5_fast_armor *); +void KRB5_CALLCONV krb5_free_fast_armored_req +(krb5_context, krb5_fast_armored_req *); +void KRB5_CALLCONV krb5_free_fast_req(krb5_context, krb5_fast_req *); +void KRB5_CALLCONV krb5_free_fast_finished +(krb5_context, krb5_fast_finished *); +void KRB5_CALLCONV krb5_free_fast_response +(krb5_context, krb5_fast_response *); + /* #include "krb5/wordsize.h" -- comes in through base-defs.h. */ #include "com_err.h" #include "k5-plugin.h" 
@@ -1597,6 +1607,13 @@ krb5_error_code encode_krb5_etype_list (const krb5_etype_list * , krb5_data **); +krb5_error_code encode_krb5_pa_fx_fast_request +(const krb5_fast_armored_req *, krb5_data **); +krb5_error_code encode_krb5_fast_req +(const krb5_fast_req *, krb5_data **); +krb5_error_code encode_krb5_pa_fx_fast_reply +(const krb5_fast_response *, krb5_data **); + /************************************************************************* * End of prototypes for krb5_encode.c *************************************************************************/ @@ -1756,6 +1773,16 @@ krb5_error_code decode_krb5_etype_list (const krb5_data *, krb5_etype_list **); +krb5_error_code decode_krb5_pa_fx_fast_request +(const krb5_data *, krb5_fast_armored_req **); + +krb5_error_code decode_krb5_fast_req +(const krb5_data *, krb5_fast_req **); + + +krb5_error_code decode_krb5_pa_fx_fast_reply +(const krb5_data *, krb5_fast_response **); + struct _krb5_key_data; /* kdb.h */ struct ldap_seqof_key_data { Modified: branches/fast/src/lib/krb5/asn.1/asn1_k_decode.c =================================================================== --- branches/fast/src/lib/krb5/asn.1/asn1_k_decode.c 2009-03-26 05:36:05 UTC (rev 22116) +++ branches/fast/src/lib/krb5/asn.1/asn1_k_decode.c 2009-03-26 05:36:17 UTC (rev 22117) 
@@ -1625,6 +1625,60 @@ return retval; } +asn1_error_code asn1_decode_fast_armor +(asn1buf *buf, krb5_fast_armor *val) +{ + setup(); + val->armor_value.data = NULL; + {begin_structure(); + get_field(val->armor_type, 0, asn1_decode_int32); + get_lenfield(val->armor_value.length, val->armor_value.data, + 1, asn1_decode_charstring); + end_structure(); + } + return 0; + error_out: + krb5_free_data_contents( NULL, &val->armor_value); + return retval; +} + +asn1_error_code asn1_decode_fast_armor_ptr +(asn1buf *buf, krb5_fast_armor **valptr) +{ + decode_ptr(krb5_fast_armor *, asn1_decode_fast_armor); +} + +asn1_error_code asn1_decode_fast_finished +(asn1buf *buf, krb5_fast_finished *val) +{ + setup(); + val->client = NULL; + val->checksum.contents = NULL; + val->ticket_checksum.contents = NULL; + {begin_structure(); + get_field(val->timestamp, 0, asn1_decode_kerberos_time); + get_field(val->usec, 1, asn1_decode_int32); + alloc_field(val->client); + get_field(val->client, 2, asn1_decode_realm); + get_field(val->client, 3, asn1_decode_principal_name); + get_field(val->checksum, 4, asn1_decode_checksum); + get_field(val->ticket_checksum, 5, asn1_decode_checksum); + end_structure(); + } + return 0; + error_out: + krb5_free_principal(NULL, val->client); + krb5_free_checksum_contents(NULL, &val->checksum); + krb5_free_checksum_contents( NULL, &val->ticket_checksum); + return retval; +} +asn1_error_code asn1_decode_fast_finished_ptr +(asn1buf *buf, krb5_fast_finished **valptr) +{ + decode_ptr( krb5_fast_finished *, asn1_decode_fast_finished); +} + + #ifndef DISABLE_PKINIT /* PKINIT */ Modified: branches/fast/src/lib/krb5/asn.1/asn1_k_decode.h =================================================================== --- branches/fast/src/lib/krb5/asn.1/asn1_k_decode.h 2009-03-26 05:36:05 UTC (rev 22116) +++ branches/fast/src/lib/krb5/asn.1/asn1_k_decode.h 2009-03-26 05:36:17 UTC (rev 22117) 
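Review bot: In `asn1_decode_fast_finished`, the `error_out` path calls `krb5_free_principal(NULL, val->client)` but leaves `val->client` pointing at the freed principal, so whoever tears down the containing `krb5_fast_finished` after a failure (presumably the caller, via `decode_ptr` or `krb5_free_fast_finished`) can free it a second time. Adding `val->client = NULL;` right after the free closes that; the two `krb5_free_checksum_contents` calls are only safe here if they reset `contents` themselves, which is worth checking for the same reason. The same question applies to the `krb5_free_data_contents` call in `asn1_decode_fast_armor`.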
@@ -266,4 +266,16 @@ asn1_error_code asn1_decode_pa_pac_req (asn1buf *buf, krb5_pa_pac_req *val); +asn1_error_code asn1_decode_fast_armor +(asn1buf *buf, krb5_fast_armor *val); + +asn1_error_code asn1_decode_fast_armor_ptr +(asn1buf *buf, krb5_fast_armor **val); + +asn1_error_code asn1_decode_fast_finished +(asn1buf *buf, krb5_fast_finished *val); + +asn1_error_code asn1_decode_fast_finished_ptr +(asn1buf *buf, krb5_fast_finished **val); + #endif Modified: branches/fast/src/lib/krb5/asn.1/asn1_k_encode.c =================================================================== --- branches/fast/src/lib/krb5/asn.1/asn1_k_encode.c 2009-03-26 05:36:05 UTC (rev 22116) +++ branches/fast/src/lib/krb5/asn.1/asn1_k_encode.c 2009-03-26 05:36:17 UTC (rev 22117) 
@@ -1177,6 +1177,79 @@ DEFFIELDTYPE(etype_list, krb5_etype_list, FIELDOF_SEQOF_INT32(krb5_etype_list, int32_ptr, etypes, length, -1)); +/* draft-ietf-krb-wg-preauth-framework-09 */ +static const struct field_info fast_armor_fields[] = { + FIELDOF_NORM(krb5_fast_armor, int32, armor_type, 0), + FIELDOF_NORM( krb5_fast_armor, ostring_data, armor_value, 1), +}; + +DEFSEQTYPE( fast_armor, krb5_fast_armor, fast_armor_fields, 0); +DEFPTRTYPE( ptr_fast_armor, fast_armor); + +static const struct field_info fast_armored_req_fields[] = { + FIELDOF_OPT( krb5_fast_armored_req, ptr_fast_armor, armor, 0, 0), + FIELDOF_NORM( krb5_fast_armored_req, checksum, req_checksum, 1), + FIELDOF_NORM( krb5_fast_armored_req, encrypted_data, enc_part, 2), +}; + +static unsigned int fast_armored_req_optional (const void *p) { + const krb5_fast_armored_req *val = p; + unsigned int optional = 0; + if (val->armor) + optional |= (1u)<<0; + return optional; +} + +DEFSEQTYPE( fast_armored_req, krb5_fast_armored_req, fast_armored_req_fields, fast_armored_req_optional); +DEFFIELDTYPE( pa_fx_fast_request, krb5_fast_armored_req, + FIELDOF_ENCODEAS( krb5_fast_armored_req, fast_armored_req, 0)); + +static const struct field_info fast_req_fields[] = { + FIELDOF_NORM(krb5_fast_req, int32, fast_options, 0), + FIELDOF_NORM( krb5_fast_req, ptr_seqof_pa_data, req_body.padata, 1), + FIELDOF_NORM( krb5_fast_req, kdc_req_body, req_body, 2), +}; + +DEFSEQTYPE(fast_req, krb5_fast_req, fast_req_fields, 0); + + +static const struct field_info fast_finished_fields[] = { + FIELDOF_NORM( krb5_fast_finished, kerberos_time, timestamp, 0), + FIELDOF_NORM( krb5_fast_finished, int32, usec, 1), + FIELDOF_NORM( krb5_fast_finished, realm_of_principal, client, 2), + FIELDOF_NORM(krb5_fast_finished, principal, client, 3), + FIELDOF_NORM( krb5_fast_finished, checksum, checksum, 4), + FIELDOF_NORM( krb5_fast_finished, checksum, ticket_checksum, 5), +}; + +DEFSEQTYPE( fast_finished, krb5_fast_finished, fast_finished_fields, 0); + 
+DEFPTRTYPE( ptr_fast_finished, fast_finished); + +static const struct field_info fast_response_fields[] = { + FIELDOF_NORM(krb5_fast_response, ptr_seqof_pa_data, padata, 0), + FIELDOF_OPT( krb5_fast_response, ptr_encryption_key, rep_key, 1, 1), + FIELDOF_OPT( krb5_fast_response, ptr_fast_finished, finished, 2, 2), +}; + +static unsigned int fast_response_optional (const void *p) +{ + unsigned int optional = 0; + const krb5_fast_response *val = p; + if (val->rep_key) + optional |= (1u <<1); + if (val->finished) + optional |= (1u<<2); + return optional; +} +DEFSEQTYPE( fast_response, krb5_fast_response, fast_response_fields, fast_response_optional); + +DEFFIELDTYPE(pa_fx_fast_reply, krb5_fast_response, + FIELDOF_ENCODEAS(krb5_fast_response, fast_response, 0)); + + + + /* Exported complete encoders -- these produce a krb5_data with the encoding in the correct byte order. */ @@ -1243,6 +1316,9 @@ MAKE_FULL_ENCODER(encode_krb5_pa_server_referral_data, pa_server_referral_data); MAKE_FULL_ENCODER(encode_krb5_etype_list, etype_list); +MAKE_FULL_ENCODER(encode_krb5_pa_fx_fast_request, pa_fx_fast_request); +MAKE_FULL_ENCODER( encode_krb5_fast_req, fast_req); +MAKE_FULL_ENCODER( encode_krb5_pa_fx_fast_reply, pa_fx_fast_reply); Modified: branches/fast/src/lib/krb5/asn.1/krb5_decode.c =================================================================== --- branches/fast/src/lib/krb5/asn.1/krb5_decode.c 2009-03-26 05:36:05 UTC (rev 22116) +++ branches/fast/src/lib/krb5/asn.1/krb5_decode.c 2009-03-26 05:36:17 UTC (rev 22117) @@ -94,9 +94,9 @@ /* process a structure *******************************************/ /* decode an explicit tag and place the number in tagnum */ -#define next_tag() \ +#define next_tag_from_buf(buf) \ { taginfo t2; \ - retval = asn1_get_tag_2(&subbuf, &t2); \ + retval = asn1_get_tag_2(&(buf), &t2); \ if (retval) clean_return(retval); \ asn1class = t2.asn1class; \ construction = t2.construction; \ 
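Review bot: Spacing inside the macro invocations in the asn1_k_encode.c hunk is inconsistent — `FIELDOF_NORM(krb5_fast_armor, …` next to `FIELDOF_NORM( krb5_fast_armor, …`, `DEFSEQTYPE( fast_armor, …` next to `DEFSEQTYPE(fast_req, …`, and the same in the `MAKE_FULL_ENCODER` lines of the second hunk — and the two optional-field helpers place their opening brace differently (`fast_armored_req_optional (const void *p) {` versus `fast_response_optional (const void *p)` with the brace on the next line). The surrounding tables, e.g. the `DEFFIELDTYPE(etype_list, …` context line, use no space after the parenthesis, so normalising to that form would keep the file uniform. The three blank lines before the "Exported complete encoders" comment can go as well.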
@@ -104,7 +104,9 @@ indef = t2.indef; \ taglen = t2.length; \ } +#define next_tag() next_tag_from_buf(subbuf) + static asn1_error_code asn1_get_eoc_tag (asn1buf *buf) { 
@@ -1080,6 +1082,71 @@ cleanup(free); } +krb5_error_code decode_krb5_pa_fx_fast_request +(const krb5_data *code, krb5_fast_armored_req **repptr) +{ + setup(krb5_fast_armored_req *); + alloc_field(rep); + clear_field(rep, armor); + { + int indef; + unsigned int taglen; + next_tag_from_buf(buf); + if (tagnum != 0) + clean_return(ASN1_BAD_ID); + } + {begin_structure(); + opt_field(rep->armor, 0, asn1_decode_fast_armor_ptr); + get_field(rep->req_checksum, 1, asn1_decode_checksum); + get_field(rep->enc_part, 2, asn1_decode_encrypted_data); + end_structure();} + rep->magic = KV5M_FAST_ARMORED_REQ; + cleanup(free); +} + +krb5_error_code decode_krb5_fast_req +(const krb5_data *code, krb5_fast_req **repptr) +{ + setup(krb5_fast_req *); + alloc_field(rep); + clear_field(rep, req_body.padata); + {begin_structure(); + + + get_field(rep->fast_options, 0, asn1_decode_int32); + opt_field(rep->req_body.padata, 1, asn1_decode_sequence_of_pa_data); + get_field(rep->req_body, 2, asn1_decode_kdc_req_body); + end_structure(); } + rep->magic = KV5M_FAST_REQ; + cleanup(free); +} + +krb5_error_code decode_krb5_pa_fx_fast_reply +(const krb5_data *code, krb5_fast_response **repptr) +{ + setup(krb5_fast_response *); + + alloc_field(rep); + clear_field(rep, finished); + clear_field(rep, padata); + clear_field(rep,rep_key); + { + int indef; + unsigned int taglen; + next_tag_from_buf(buf); + if (tagnum != 0) + clean_return(ASN1_BAD_ID); + } + {begin_structure(); + get_field(rep->padata, 0, asn1_decode_sequence_of_pa_data); + opt_field(rep->rep_key, 1, asn1_decode_encryption_key_ptr); + opt_field(rep->finished, 2, asn1_decode_fast_finished_ptr); + end_structure(); } + rep->magic = KV5M_FAST_RESPONSE; + cleanup(free); +} + + #ifndef DISABLE_PKINIT krb5_error_code decode_krb5_pa_pk_as_req(const krb5_data *code, krb5_pa_pk_as_req **repptr) From hartmans at MIT.EDU Thu Mar 26 01:36:21 2009 
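Review bot: The outer CHOICE-tag check in `decode_krb5_pa_fx_fast_request` tests only `tagnum != 0`, so a tag of the wrong class, or a primitive encoding with number 0, passes and is handed to `begin_structure()`; the `next_tag_from_buf` macro in the previous hunk also fills `asn1class` and `construction`, so the check can be `if (asn1class != CONTEXT_SPECIFIC || construction != CONSTRUCTED || tagnum != 0) clean_return(ASN1_BAD_ID);`. The same pattern is repeated in `decode_krb5_pa_fx_fast_reply` in this hunk and again in its r22118 rewrite below, so a small shared macro would avoid three copies of the throwaway `int indef; unsigned int taglen;` block. Whether `begin_structure()` re-checks the outer tag on its own is outside the hunk, so this may be belt-and-braces rather than a bug.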
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:36:21 -0400 Subject: svn rev #22118: branches/fast/src/ include/ lib/krb5/asn.1/ Message-ID: <200903260536.n2Q5aLhT018098@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22118 Commit By: hartmans Log Message: pa_fx_fast_reply is a choice of sequence of encrypted data There is a decryption step that needs to go between unwrapping the fx_fast_reply and decoding the fast_response. Expose the necessary encoders and decoders? Changed Files: U branches/fast/src/include/k5-int.h U branches/fast/src/lib/krb5/asn.1/asn1_k_encode.c U branches/fast/src/lib/krb5/asn.1/krb5_decode.c Modified: branches/fast/src/include/k5-int.h =================================================================== --- branches/fast/src/include/k5-int.h 2009-03-26 05:36:17 UTC (rev 22117) +++ branches/fast/src/include/k5-int.h 2009-03-26 05:36:20 UTC (rev 22118) @@ -1612,7 +1612,7 @@ krb5_error_code encode_krb5_fast_req (const krb5_fast_req *, krb5_data **); krb5_error_code encode_krb5_pa_fx_fast_reply -(const krb5_fast_response *, krb5_data **); +(const krb5_enc_data *, krb5_data **); /************************************************************************* * End of prototypes for krb5_encode.c @@ -1781,6 +1781,9 @@ krb5_error_code decode_krb5_pa_fx_fast_reply +(const krb5_data *, krb5_enc_data **); + +krb5_error_code decode_krb5_fast_response (const krb5_data *, krb5_fast_response **); struct _krb5_key_data; /* kdb.h */ Modified: branches/fast/src/lib/krb5/asn.1/asn1_k_encode.c =================================================================== --- branches/fast/src/lib/krb5/asn.1/asn1_k_encode.c 2009-03-26 05:36:17 UTC (rev 22117) +++ branches/fast/src/lib/krb5/asn.1/asn1_k_encode.c 2009-03-26 05:36:20 UTC (rev 22118) 
@@ -1244,12 +1244,17 @@ } DEFSEQTYPE( fast_response, krb5_fast_response, fast_response_fields, fast_response_optional); -DEFFIELDTYPE(pa_fx_fast_reply, krb5_fast_response, - FIELDOF_ENCODEAS(krb5_fast_response, fast_response, 0)); +static const struct field_info fast_rep_fields[] = { + FIELDOF_ENCODEAS(krb5_enc_data, encrypted_data, 0), +}; +DEFSEQTYPE(fast_rep, krb5_enc_data, fast_rep_fields, 0); +DEFFIELDTYPE(pa_fx_fast_reply, krb5_enc_data, + FIELDOF_ENCODEAS(krb5_enc_data, fast_rep, 0)); + /* Exported complete encoders -- these produce a krb5_data with the encoding in the correct byte order. */ @@ -1319,6 +1324,7 @@ MAKE_FULL_ENCODER(encode_krb5_pa_fx_fast_request, pa_fx_fast_request); MAKE_FULL_ENCODER( encode_krb5_fast_req, fast_req); MAKE_FULL_ENCODER( encode_krb5_pa_fx_fast_reply, pa_fx_fast_reply); +MAKE_FULL_ENCODER(encode_krb5_fast_response, fast_response); Modified: branches/fast/src/lib/krb5/asn.1/krb5_decode.c =================================================================== --- branches/fast/src/lib/krb5/asn.1/krb5_decode.c 2009-03-26 05:36:17 UTC (rev 22117) +++ branches/fast/src/lib/krb5/asn.1/krb5_decode.c 2009-03-26 05:36:20 UTC (rev 22118) 
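Review bot: The new `fast_rep_fields` / `fast_rep` / `pa_fx_fast_reply` trio is undocumented, and because the outer DEFFIELDTYPE re-tags a DEFSEQTYPE that itself holds a single [0] field, the nesting is easy to misread as a redundant wrapper. I'd add `/* PA-FX-FAST-REPLY ::= CHOICE { armored-data [0] KrbFastArmoredRep }; KrbFastArmoredRep ::= SEQUENCE { enc-fast-rep [0] EncryptedData } */` above `fast_rep_fields` so the two levels of tag 0 are explained. The second hunk adds `MAKE_FULL_ENCODER(encode_krb5_fast_response, fast_response)` without a comment; the other encoders in that list are equally bare, so a short header note that this one produces the cleartext KrbFastResponse that is then encrypted into pa_fx_fast_reply would document the decryption step the log message mentions.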
@@ -1121,31 +1121,44 @@ cleanup(free); } -krb5_error_code decode_krb5_pa_fx_fast_reply +krb5_error_code decode_krb5_fast_response (const krb5_data *code, krb5_fast_response **repptr) { - setup(krb5_fast_response *); + setup(krb5_fast_response *); - alloc_field(rep); - clear_field(rep, finished); - clear_field(rep, padata); - clear_field(rep,rep_key); - { - int indef; - unsigned int taglen; - next_tag_from_buf(buf); - if (tagnum != 0) - clean_return(ASN1_BAD_ID); - } - {begin_structure(); - get_field(rep->padata, 0, asn1_decode_sequence_of_pa_data); - opt_field(rep->rep_key, 1, asn1_decode_encryption_key_ptr); - opt_field(rep->finished, 2, asn1_decode_fast_finished_ptr); - end_structure(); } - rep->magic = KV5M_FAST_RESPONSE; - cleanup(free); + alloc_field(rep); + clear_field(rep, finished); + clear_field(rep, padata); + clear_field(rep,rep_key); + {begin_structure(); + get_field(rep->padata, 0, asn1_decode_sequence_of_pa_data); + opt_field(rep->rep_key, 1, asn1_decode_encryption_key_ptr); + opt_field(rep->finished, 2, asn1_decode_fast_finished_ptr); + end_structure(); } + rep->magic = KV5M_FAST_RESPONSE; + cleanup(free); } +krb5_error_code decode_krb5_pa_fx_fast_reply +(const krb5_data *code, krb5_enc_data **repptr) +{ + setup(krb5_enc_data *); + alloc_field(rep); + { + int indef; + unsigned int taglen; + next_tag_from_buf(buf); + if (tagnum != 0) + clean_return(ASN1_BAD_ID); + } + {begin_structure(); + get_field(*rep, 0, asn1_decode_encrypted_data); + end_structure(); + } + + cleanup(free); +} + #ifndef DISABLE_PKINIT krb5_error_code From hartmans at MIT.EDU Thu Mar 26 01:36:23 2009 
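Review bot: decode_krb5_pa_fx_fast_reply leaves `rep->magic` unset, unlike decode_krb5_fast_response just above it which ends with `rep->magic = KV5M_FAST_RESPONSE;`; add `rep->magic = KV5M_ENC_DATA;` before `cleanup(free);`. If alloc_field does not zero-fill, `rep->ciphertext.data` is also uninitialized when get_field fails part-way through asn1_decode_encrypted_data, so a `clear_field(rep, ciphertext.data);` after `alloc_field(rep);` would match how the other decoders in this file prepare enc-data fields. As in the request decoder, the leading tag check tests only `tagnum`; a one-line comment that the [0] CHOICE alternative is being selected would help.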
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:36:23 -0400 Subject: svn rev #22119: branches/fast/src/ include/ lib/krb5/asn.1/ Message-ID: <200903260536.n2Q5aNf0018135@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22119 Commit By: hartmans Log Message: kdc_req_body in fast_req should be a pointer The req_body needs to be a pointer so after FAST processing it can replace the request. Changed Files: U branches/fast/src/include/k5-int.h U branches/fast/src/lib/krb5/asn.1/asn1_k_encode.c U branches/fast/src/lib/krb5/asn.1/krb5_decode.c Modified: branches/fast/src/include/k5-int.h =================================================================== --- branches/fast/src/include/k5-int.h 2009-03-26 05:36:20 UTC (rev 22118) +++ branches/fast/src/include/k5-int.h 2009-03-26 05:36:23 UTC (rev 22119) @@ -978,7 +978,7 @@ krb5_magic magic; krb5_int32 fast_options; /* padata from req_body is used*/ - krb5_kdc_req req_body; + krb5_kdc_req *req_body; } krb5_fast_req; typedef struct _krb5_fast_finished { @@ -1614,6 +1614,9 @@ krb5_error_code encode_krb5_pa_fx_fast_reply (const krb5_enc_data *, krb5_data **); +krb5_error_code encode_krb5_fast_response +(const krb5_fast_response *, krb5_data **); + /************************************************************************* * End of prototypes for krb5_encode.c *************************************************************************/ Modified: branches/fast/src/lib/krb5/asn.1/asn1_k_encode.c =================================================================== --- branches/fast/src/lib/krb5/asn.1/asn1_k_encode.c 2009-03-26 05:36:20 UTC (rev 22118) +++ branches/fast/src/lib/krb5/asn.1/asn1_k_encode.c 2009-03-26 05:36:23 UTC (rev 22119) 
@@ -338,6 +338,8 @@ DEFFNXTYPE(kdc_req_body, krb5_kdc_req, asn1_encode_kdc_req_body); /* end ugly hack */ +DEFPTRTYPE(ptr_kdc_req_body,kdc_req_body); + static const struct field_info transited_fields[] = { FIELDOF_NORM(krb5_transited, octet, tr_type, 0), FIELDOF_NORM(krb5_transited, ostring_data, tr_contents, 1), @@ -1204,10 +1206,14 @@ DEFFIELDTYPE( pa_fx_fast_request, krb5_fast_armored_req, FIELDOF_ENCODEAS( krb5_fast_armored_req, fast_armored_req, 0)); +DEFFIELDTYPE(fast_req_padata, krb5_kdc_req, + FIELDOF_NORM(krb5_kdc_req, ptr_seqof_pa_data, padata, -1)); +DEFPTRTYPE(ptr_fast_req_padata, fast_req_padata); + static const struct field_info fast_req_fields[] = { FIELDOF_NORM(krb5_fast_req, int32, fast_options, 0), - FIELDOF_NORM( krb5_fast_req, ptr_seqof_pa_data, req_body.padata, 1), - FIELDOF_NORM( krb5_fast_req, kdc_req_body, req_body, 2), + FIELDOF_NORM( krb5_fast_req, ptr_fast_req_padata, req_body, 1), + FIELDOF_NORM( krb5_fast_req, ptr_kdc_req_body, req_body, 2), }; DEFSEQTYPE(fast_req, krb5_fast_req, fast_req_fields, 0); Modified: branches/fast/src/lib/krb5/asn.1/krb5_decode.c =================================================================== --- branches/fast/src/lib/krb5/asn.1/krb5_decode.c 2009-03-26 05:36:20 UTC (rev 22118) +++ branches/fast/src/lib/krb5/asn.1/krb5_decode.c 2009-03-26 05:36:23 UTC (rev 22119) 
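Review bot: `fast_req_fields` now encodes `req_body` twice through two pointer types, and the padata half (`ptr_fast_req_padata`, tag 1) has no optional mask in `DEFSEQTYPE(fast_req, krb5_fast_req, fast_req_fields, 0)` even though the decoder in this revision reads field 1 with opt_field; unless the pointer encoder emits nothing for a NULL `padata`, encoding a fast_req whose inner body carries no padata will fail or emit an empty element. Either mark field 1 optional or document that callers must supply padata. A comment above `fast_req_padata` such as `/* projects the padata member out of the inner kdc_req so field 2 can encode the body without it */` would save the next reader the detour through DEFPTRTYPE.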
@@ -1107,18 +1107,24 @@ krb5_error_code decode_krb5_fast_req (const krb5_data *code, krb5_fast_req **repptr) { - setup(krb5_fast_req *); - alloc_field(rep); - clear_field(rep, req_body.padata); - {begin_structure(); - - - get_field(rep->fast_options, 0, asn1_decode_int32); - opt_field(rep->req_body.padata, 1, asn1_decode_sequence_of_pa_data); - get_field(rep->req_body, 2, asn1_decode_kdc_req_body); - end_structure(); } - rep->magic = KV5M_FAST_REQ; - cleanup(free); + setup(krb5_fast_req *); + alloc_field(rep); + alloc_field(rep->req_body); + clear_field(rep, req_body->padata); + {begin_structure(); + get_field(rep->fast_options, 0, asn1_decode_int32); + opt_field(rep->req_body->padata, 1, asn1_decode_sequence_of_pa_data); + get_field(*(rep->req_body), 2, asn1_decode_kdc_req_body); + end_structure(); } + rep->magic = KV5M_FAST_REQ; + cleanup_manual(); + error_out: + if (rep) { + if (rep->req_body) + krb5_free_kdc_req(0, rep->req_body); + free(rep); + } + return retval; } krb5_error_code decode_krb5_fast_response From hartmans at MIT.EDU Thu Mar 26 01:36:26 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:36:26 -0400 Subject: svn rev #22120: branches/fast/src/lib/krb5/error_tables/ Message-ID: <200903260536.n2Q5aQUm018172@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22120 Commit By: hartmans Log Message: Add KRB5KDC_UNKNOWN_FAST_CRITICAL_OPTION Changed Files: U branches/fast/src/lib/krb5/error_tables/krb5_err.et Modified: branches/fast/src/lib/krb5/error_tables/krb5_err.et =================================================================== --- branches/fast/src/lib/krb5/error_tables/krb5_err.et 2009-03-26 05:36:23 UTC (rev 22119) +++ branches/fast/src/lib/krb5/error_tables/krb5_err.et 2009-03-26 05:36:26 UTC (rev 22120) 
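Review bot: The hand-written `error_out:` path in decode_krb5_fast_req frees `rep->req_body` with `krb5_free_kdc_req(0, rep->req_body)`, which walks every pointer member of the body, yet only `req_body->padata` is cleared after `alloc_field(rep->req_body)`; unless alloc_field zero-fills, a failure inside asn1_decode_kdc_req_body frees uninitialized members. Clearing the body's pointer members the way decode_krb5_as_req does, or confirming that alloc_field uses calloc, removes the doubt; use `NULL` rather than `0` for the context argument. A comment on why this decoder abandons `cleanup(free)` for a manual path (`/* req_body is a separately allocated kdc_req; free it with the body freer, not free() */`) would explain the asymmetry with the neighbouring decoders.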
@@ -134,7 +134,7 @@ error_code KRB5PLACEHOLD_90, "KRB5 error code 90" error_code KRB5PLACEHOLD_91, "KRB5 error code 91" error_code KRB5PLACEHOLD_92, "KRB5 error code 92" -error_code KRB5PLACEHOLD_93, "KRB5 error code 93" +error_code KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION, "An unsupported critical FAST option was requested" error_code KRB5PLACEHOLD_94, "KRB5 error code 94" error_code KRB5PLACEHOLD_95, "KRB5 error code 95" error_code KRB5PLACEHOLD_96, "KRB5 error code 96" From hartmans at MIT.EDU Thu Mar 26 01:36:29 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:36:29 -0400 Subject: svn rev #22121: branches/fast/src/include/ Message-ID: <200903260536.n2Q5aTK9018209@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22121 Commit By: hartmans Log Message: Add #defines for fast options and to keep track of unsupported critical fast options. Changed Files: U branches/fast/src/include/k5-int.h Modified: branches/fast/src/include/k5-int.h =================================================================== --- branches/fast/src/include/k5-int.h 2009-03-26 05:36:26 UTC (rev 22120) +++ branches/fast/src/include/k5-int.h 2009-03-26 05:36:28 UTC (rev 22121) @@ -981,6 +981,10 @@ krb5_kdc_req *req_body; } krb5_fast_req; +/* Bits 0-15 are critical in fast options.*/ +#define UNSUPPORTED_CRITICAL_FAST_OPTIONS 0x00ff +#define KRB5_FAST_OPTION_HIDE_CLIENT_NAMES 0x01 + typedef struct _krb5_fast_finished { krb5_timestamp timestamp; krb5_int32 usec; From hartmans at MIT.EDU Thu Mar 26 01:36:34 2009 
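Review bot: The comment `/* Bits 0-15 are critical in fast options.*/` and the mask `UNSUPPORTED_CRITICAL_FAST_OPTIONS 0x00ff` disagree: the mask covers eight bits, and since fast_options is decoded with asn1_decode_int32 in this branch it is unclear whether "bit 0" means the first bit of the ASN.1 BIT STRING or the least significant bit of the int32. Pin the convention in the comment, e.g. `/* fast-options is a KerberosFlags; in this int32 representation the critical range (bits 0-15 of the bit string) maps to ... */`, and make the mask match it. `KRB5_FAST_OPTION_HIDE_CLIENT_NAMES 0x01` lies inside the unsupported mask, so the KDC in this branch rejects any client that sets it; a comment saying that is intentional until hide-client-names is implemented would keep that from being read as a bug.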
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:36:34 -0400 Subject: svn rev #22123: branches/fast/src/include/krb5/ Message-ID: <200903260536.n2Q5aYJT018283@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22123 Commit By: hartmans Log Message: defines for fast padata assignments Changed Files: U branches/fast/src/include/krb5/krb5.hin Modified: branches/fast/src/include/krb5/krb5.hin =================================================================== --- branches/fast/src/include/krb5/krb5.hin 2009-03-26 05:36:31 UTC (rev 22122) +++ branches/fast/src/include/krb5/krb5.hin 2009-03-26 05:36:34 UTC (rev 22123) @@ -631,7 +631,12 @@ /* Defined in KDC referrals draft */ #define KRB5_KEYUSAGE_PA_REFERRAL 26 /* XXX note conflict with above */ +/* define in draft-ietf-krb-wg-preauth-framework*/ +#define KRB5_KEYUSAGE_FAST_REQ_CHKSUM 50 +#define KRB5_KEYUSAGE_FAST_ENC 51 +#define KRB5_KEYUSAGE_FAST_FINISHED 53 +#define KRB5_KEYUSAGE_FAST_REP 52 krb5_boolean KRB5_CALLCONV krb5_c_valid_enctype (krb5_enctype ktype); krb5_boolean KRB5_CALLCONV krb5_c_valid_cksumtype @@ -982,6 +987,11 @@ #define KRB5_PADATA_PAC_REQUEST 128 /* include Windows PAC */ #define KRB5_PADATA_FOR_USER 129 /* username protocol transition request */ #define KRB5_PADATA_S4U_X509_USER 130 /* certificate protocol transition request */ +#define KRB5_PADATA_FX_COOKIE 133 +#define KRB5_PADATA_FX_FAST 136 +#define KRB5_PADATA_FX_ERROR 137 +#define KRB5_PADATA_ENCRYPTED_CHALLENGE 138 + #define KRB5_SAM_USE_SAD_AS_KEY 0x80000000 #define KRB5_SAM_SEND_ENCRYPTED_SAD 0x40000000 #define KRB5_SAM_MUST_PK_ENCRYPT_SAD 0x20000000 /* currently must be zero */ From hartmans at MIT.EDU Thu Mar 26 01:36:31 2009 
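Review bot: The new key-usage block cites `draft-ietf-krb-wg-preauth-framework` without a revision number, and these numeric assignments (50-53, 133, 136-138) are exactly what changes between draft revisions, so the comment should name the draft version the values were taken from. `KRB5_KEYUSAGE_FAST_FINISHED 53` is listed before `KRB5_KEYUSAGE_FAST_REP 52`; ordering them numerically matches the surrounding table. The new padata constants have no trailing comments while every neighbouring line has one; `/* FAST cookie */`, `/* FAST armored request/reply */`, `/* FAST error */` and `/* encrypted-challenge preauth */` would match the style.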
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:36:31 -0400 Subject: svn rev #22122: branches/fast/src/ include/krb5/ lib/krb5/asn.1/ lib/krb5/krb/ Message-ID: <200903260536.n2Q5aVIw018246@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22122 Commit By: hartmans Log Message: Add kdc_state field to krb5_kdc_req Add a kdc_state field to track internal state in handling a request. The current usage is to pass FAST information to pre-authentication plugins. Changed Files: U branches/fast/src/include/krb5/krb5.hin U branches/fast/src/lib/krb5/asn.1/krb5_decode.c U branches/fast/src/lib/krb5/krb/kfree.c Modified: branches/fast/src/include/krb5/krb5.hin =================================================================== --- branches/fast/src/include/krb5/krb5.hin 2009-03-26 05:36:28 UTC (rev 22121) +++ branches/fast/src/include/krb5/krb5.hin 2009-03-26 05:36:31 UTC (rev 22122) @@ -1142,6 +1142,13 @@ krb5_authdata **unenc_authdata; /* unencrypted auth data, if available */ krb5_ticket **second_ticket;/* second ticket array; OPTIONAL */ + /* the following field is added in March 2009; it is a hack so + * that FAST state can be carried to pre-authentication plugins. + * A new plugin interface may be a better long-term approach. It + * is believed to be safe to extend this structure because it is + * not found in any public APIs. + */ + void * kdc_state; } krb5_kdc_req; typedef struct _krb5_enc_kdc_rep_part { Modified: branches/fast/src/lib/krb5/asn.1/krb5_decode.c =================================================================== --- branches/fast/src/lib/krb5/asn.1/krb5_decode.c 2009-03-26 05:36:28 UTC (rev 22121) +++ branches/fast/src/lib/krb5/asn.1/krb5_decode.c 2009-03-26 05:36:31 UTC (rev 22122) @@ -520,6 +520,7 @@ clear_field(rep,authorization_data.ciphertext.data); clear_field(rep,unenc_authdata); clear_field(rep,second_ticket); + clear_field(rep, kdc_state); check_apptag(10); retval = asn1_decode_kdc_req(&buf,rep); 
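Review bot: The comment on the new `kdc_state` member says what it is for but not who owns it or when it must be cleared, and the kfree.c hunk of this revision makes krb5_free_kdc_req assert it is NULL, so the member carries an invariant every caller of a free path must know. I'd extend the comment with `Owned by the KDC; must be detached (set to NULL) before the request is freed.` and write the declaration as `void *kdc_state;`. The two krb5_decode.c hunks clear `kdc_state` in the AS-REQ and TGS-REQ decoders, but decode_krb5_fast_req, which allocates its `req_body` with alloc_field, is not touched; if alloc_field does not zero-fill, an inner FAST body reaches krb5_free_kdc_req with an uninitialized kdc_state. krb5_kdc_req is declared in the public krb5.hin, so the comment's "not found in any public APIs" is a claim about use rather than visibility; appending a member is layout-compatible only for consumers that neither allocate nor embed the struct.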
@@ -547,6 +548,7 @@ clear_field(rep,authorization_data.ciphertext.data); clear_field(rep,unenc_authdata); clear_field(rep,second_ticket); + clear_field(rep, kdc_state); check_apptag(12); retval = asn1_decode_kdc_req(&buf,rep); Modified: branches/fast/src/lib/krb5/krb/kfree.c =================================================================== --- branches/fast/src/lib/krb5/krb/kfree.c 2009-03-26 05:36:28 UTC (rev 22121) +++ branches/fast/src/lib/krb5/krb/kfree.c 2009-03-26 05:36:31 UTC (rev 22122) @@ -54,6 +54,7 @@ */ #include "k5-int.h" +#include void KRB5_CALLCONV krb5_free_address(krb5_context context, krb5_address *val) @@ -344,6 +345,7 @@ { if (val == NULL) return; + assert( val->kdc_state == NULL); krb5_free_pa_data(context, val->padata); krb5_free_principal(context, val->client); krb5_free_principal(context, val->server); From hartmans at MIT.EDU Thu Mar 26 01:36:38 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:36:38 -0400 Subject: svn rev #22124: branches/fast/src/ kdc/ lib/krb5/ Message-ID: <200903260536.n2Q5acib018320@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22124 Commit By: hartmans Log Message: Function to parse FAST for KDC requests * Add fast_util to KDC * export fast_req decoder from libkrb5 * Function to find a fast request, extract and use inner body * functions to free and create kdc_request_state Changed Files: U branches/fast/src/kdc/Makefile.in A branches/fast/src/kdc/fast_util.c U branches/fast/src/kdc/kdc_util.h U branches/fast/src/lib/krb5/libkrb5.exports Modified: branches/fast/src/kdc/Makefile.in =================================================================== --- branches/fast/src/kdc/Makefile.in 2009-03-26 05:36:34 UTC (rev 22123) +++ branches/fast/src/kdc/Makefile.in 2009-03-26 05:36:38 UTC (rev 22124) 
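Review bot: `assert( val->kdc_state == NULL);` in krb5_free_kdc_req turns a caller bookkeeping error into a process abort inside libkrb5, and in the KDC that means the daemon dies on whichever request path forgets to detach the state; with NDEBUG the check silently disappears, so it is neither a reliable guard nor a safe one. Prefer documenting the ownership rule on the kdc_state member and leaving the pointer alone here; if the assert stays, a comment such as `/* kdc_state is owned by the KDC and must be detached before the request is freed */` should say why it is an invariant and not a leak. The enclosing function starts outside the hunk.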
@@ -24,6 +24,7 @@ $(srcdir)/dispatch.c \ $(srcdir)/do_as_req.c \ $(srcdir)/do_tgs_req.c \ + $(srcdir)/fast_util.c \ $(srcdir)/kdc_util.c \ $(srcdir)/kdc_preauth.c \ $(srcdir)/main.c \ @@ -38,6 +39,7 @@ dispatch.o \ do_as_req.o \ do_tgs_req.o \ + fast_util.o \ kdc_util.o \ kdc_preauth.o \ main.o \ Added: branches/fast/src/kdc/fast_util.c =================================================================== --- branches/fast/src/kdc/fast_util.c 2009-03-26 05:36:34 UTC (rev 22123) +++ branches/fast/src/kdc/fast_util.c 2009-03-26 05:36:38 UTC (rev 22124) 
@@ -0,0 +1,124 @@ +/* + * kdc/fast_util.c + * + * Copyright (C) 2009 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * + */ + +#include + +#include "kdc_util.h" +#include "extern.h" + + +/* + * This function will find the fast and cookie padata and if fast is + * successfully processed, will throw away (and free) the outer + * request and update the pointer to point to the inner request. The + * checksummed_data points to the data that is in the + * armored_fast_request checksum; either the pa-tgs-req or the + * kdc-req-body. 
+ */
+
+krb5_error_code kdc_find_fast
+(krb5_kdc_req **requestptr, krb5_data *checksummed_data,
+ krb5_keyblock *tgs_subkey,
+ struct kdc_request_state *state)
+{
+ krb5_error_code retval = 0;
+ krb5_pa_data *fast_padata, *cookie_padata;
+ krb5_data scratch;
+ krb5_fast_req * fast_req = NULL;
+ krb5_kdc_req *request = *requestptr;
+
+ scratch.data = NULL;
+ fast_padata = find_pa_data(request->padata,
+ KRB5_PADATA_FX_FAST);
+ cookie_padata = find_pa_data(request->padata, KRB5_PADATA_FX_COOKIE);
+ if (fast_padata == NULL)
+ return 0; /*no fast*/
+
+ scratch.length = fast_padata->length;
+ scratch.data = (char *) fast_padata->contents;
+ retval = decode_krb5_fast_req(&scratch, &fast_req);
+ if (retval == 0) {
+ if ((fast_req->fast_options & UNSUPPORTED_CRITICAL_FAST_OPTIONS) !=0)
+ retval = KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION;
+ }
+ if (retval == 0 && cookie_padata != NULL) {
+ krb5_pa_data *new_padata = malloc(sizeof (krb5_pa_data));
+ if (new_padata != NULL) {
+ retval = ENOMEM;
+ } else {
+ new_padata->pa_type = KRB5_PADATA_FX_COOKIE;
+ new_padata->length = cookie_padata->length;
+ new_padata->contents = malloc(new_padata->length);
+ if (new_padata->contents == NULL) {
+ retval = ENOMEM;
+ free(new_padata);
+ } else {
+ memcpy(new_padata->contents, cookie_padata->contents, new_padata->length);
+ state->cookie = new_padata;
+ }
+ }
+ }
+ if (retval == 0) {
+ state->fast_options = fast_req->fast_options;
+ if (request->kdc_state == state)
+ request->kdc_state = NULL;
+ krb5_free_kdc_req( kdc_context, request);
+ *requestptr = fast_req->req_body;
+ fast_req->req_body = NULL;
+
+ }
+ if (fast_req)
+ krb5_free_fast_req( kdc_context, fast_req);
+ return retval;
+}
+
+
+krb5_error_code kdc_make_rstate(struct kdc_request_state **out)
+{
+ struct kdc_request_state *state = malloc( sizeof(struct kdc_request_state));
+ if (state == NULL)
+ return ENOMEM;
+ memset( state, 0, sizeof(struct kdc_request_state));
+ *out = state;
+ return 0;
+}
+
+void kdc_free_rstate
+(struct kdc_request_state *s) +{ + if (s == NULL) + return; + if (s->armor_key) + krb5_free_keyblock(kdc_context, s->armor_key); + if (s->cookie) { + free(s->cookie->contents); + free(s->cookie); + } + free(s); +} Modified: branches/fast/src/kdc/kdc_util.h =================================================================== --- branches/fast/src/kdc/kdc_util.h 2009-03-26 05:36:34 UTC (rev 22123) +++ branches/fast/src/kdc/kdc_util.h 2009-03-26 05:36:38 UTC (rev 22124) @@ -298,8 +298,32 @@ const char *status, krb5_error_code errcode, const char *emsg); void log_tgs_alt_tgt(krb5_principal p); +/*Request state*/ +struct kdc_request_state { + krb5_keyblock *armor_key; + krb5_pa_data *cookie; + krb5_int32 fast_options; + krb5_int32 fast_internal_flags; +}; +krb5_error_code kdc_make_rstate(struct kdc_request_state **out); +void kdc_free_rstate +(struct kdc_request_state *s); +/* FAST*/ +enum krb5_fast_kdc_flags { + KRB5_FAST_REPLY_KEY_USED = 0x1, + KRB5_FAST_REPLY_KEY_REPLACED = 0x02, +}; + +krb5_error_code kdc_find_fast +(krb5_kdc_req **requestptr, krb5_data *checksummed_data, + krb5_keyblock *tgs_subkey, + struct kdc_request_state *state); + + + + #define isflagset(flagfield, flag) (flagfield & (flag)) #define setflag(flagfield, flag) (flagfield |= (flag)) #define clear(flagfield, flag) (flagfield &= ~(flag)) Modified: branches/fast/src/lib/krb5/libkrb5.exports =================================================================== --- branches/fast/src/lib/krb5/libkrb5.exports 2009-03-26 05:36:34 UTC (rev 22123) +++ branches/fast/src/lib/krb5/libkrb5.exports 2009-03-26 05:36:38 UTC (rev 22124) @@ -19,6 +19,7 @@ decode_krb5_error decode_krb5_etype_info decode_krb5_etype_info2 +decode_krb5_fast_req decode_krb5_kdc_req_body decode_krb5_pa_enc_ts decode_krb5_pa_for_user From hartmans at MIT.EDU Thu Mar 26 01:36:41 2009 
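Review bot: The NULL check on the cookie copy in kdc_find_fast is inverted: `if (new_padata != NULL) { retval = ENOMEM; }` fails with ENOMEM (and leaks the allocation) whenever malloc succeeds, and the else branch dereferences NULL when it fails; it should read `if (new_padata == NULL) {`. `state` is dereferenced unconditionally (`state->cookie`, `state->fast_options`) although the TGS caller added in the next revision passes a `state` that is still NULL, so either assert or document that state must be non-NULL. `checksummed_data` and `tgs_subkey` are never read: the padata is decoded straight into a krb5_fast_req, so neither the armor nor req_checksum is verified before the inner body replaces the outer request, and the header comment should say this is a placeholder that must not be enabled on a live KDC until the armor and checksum steps exist. kdc_make_rstate would be simpler as `calloc(1, sizeof *state)`, and the kdc_util.h hunk's `fast_internal_flags` should say it holds `enum krb5_fast_kdc_flags` bits.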
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:36:41 -0400 Subject: svn rev #22125: branches/fast/src/kdc/ Message-ID: <200903260536.n2Q5afJH018372@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22125 Commit By: hartmans Log Message: Integrate FAST into AS and TGS Integrate calls to lookup FAST padata into the AS and TGS paths. kdc_util needs to return a pointer to the pa-tgs-req padata for the fast checksum. This code does not generate fast responses or errors yet. Changed Files: U branches/fast/src/kdc/do_as_req.c U branches/fast/src/kdc/do_tgs_req.c U branches/fast/src/kdc/kdc_util.c U branches/fast/src/kdc/kdc_util.h Modified: branches/fast/src/kdc/do_as_req.c =================================================================== --- branches/fast/src/kdc/do_as_req.c 2009-03-26 05:36:38 UTC (rev 22124) +++ branches/fast/src/kdc/do_as_req.c 2009-03-26 05:36:40 UTC (rev 22125) @@ -117,6 +117,8 @@ int did_log = 0; const char *emsg = 0; krb5_keylist_node *tmp_mkey_list; + struct kdc_request_state *state = NULL; + #if APPLE_PKINIT asReqDebug("process_as_req top realm %s name %s\n", @@ -133,6 +135,15 @@ session_key.contents = 0; enc_tkt_reply.authorization_data = NULL; + errcode = kdc_make_rstate(&state); + if (errcode != 0) { + status = "constructing state"; + goto errout; + } + errcode = kdc_find_fast(&request, req_pkt, NULL /*TGS key*/, state); + if (errcode) + goto errout; + if (!request->client) { status = "NULL_CLIENT"; errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; @@ -679,6 +690,7 @@ } krb5_free_data_contents(kdc_context, &e_data); + kdc_free_rstate(state); assert(did_log != 0); return errcode; } Modified: branches/fast/src/kdc/do_tgs_req.c =================================================================== --- branches/fast/src/kdc/do_tgs_req.c 2009-03-26 05:36:38 UTC (rev 22124) +++ branches/fast/src/kdc/do_tgs_req.c 2009-03-26 05:36:40 UTC (rev 22125) 
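Review bot: The kdc_find_fast failure path does `goto errout` without setting `status`, while the kdc_make_rstate failure just above sets `status = "constructing state"`; every exit through errout is expected to log (the `assert(did_log != 0)` at the end shows that), so a FAST decode error reaches the logger with a NULL status. Add `status = "kdc_find_fast";` as the TGS path in this revision does. kdc_find_fast frees the outer request and repoints the local `request` at the inner body, and whoever frees the request object after process_as_req returns is outside these hunks, so a comment at the call site such as `/* on success request now points at the FAST inner body; the outer request has been freed */` is needed to keep that hand-off from becoming a double free. `kdc_free_rstate(state)` runs only on the normal exit; the errout path added above it does not appear to free the state.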
@@ -125,6 +125,9 @@ krb5_data *tgs_1 =NULL, *server_1 = NULL; krb5_principal krbtgt_princ; krb5_kvno ticket_kvno = 0; + struct kdc_request_state *state = NULL; + krb5_pa_data *pa_tgs_req; /*points into request*/ + krb5_data scratch; session_key.contents = NULL; @@ -140,7 +143,7 @@ return retval; } errcode = kdc_process_tgs_req(request, from, pkt, &header_ticket, - &krbtgt, &k_nprincs, &subkey); + &krbtgt, &k_nprincs, &subkey, &pa_tgs_req); if (header_ticket && header_ticket->enc_part2 && (errcode2 = krb5_unparse_name(kdc_context, header_ticket->enc_part2->client, @@ -161,7 +164,15 @@ status="UNEXPECTED NULL in header_ticket"; goto cleanup; } - + scratch.length = pa_tgs_req->length; + scratch.data = (char *) pa_tgs_req->contents; + errcode = kdc_find_fast(&request, &scratch, subkey, state); + if (errcode !=0) { + status = "kdc_find_fast"; + goto cleanup; + } + + /* * Pointer to the encrypted part of the header ticket, which may be * replaced to point to the encrypted part of the evidence ticket @@ -916,6 +927,8 @@ krb5_free_ticket(kdc_context, header_ticket); if (request != NULL) krb5_free_kdc_req(kdc_context, request); + if (state) + kdc_free_rstate(state); if (cname != NULL) free(cname); if (sname != NULL) Modified: branches/fast/src/kdc/kdc_util.c =================================================================== --- branches/fast/src/kdc/kdc_util.c 2009-03-26 05:36:38 UTC (rev 22124) +++ branches/fast/src/kdc/kdc_util.c 2009-03-26 05:36:40 UTC (rev 22125) @@ -234,7 +234,8 @@ kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from, krb5_data *pkt, krb5_ticket **ticket, krb5_db_entry *krbtgt, int *nprincs, - krb5_keyblock **subkey) + krb5_keyblock **subkey, + krb5_pa_data **pa_tgs_req) { krb5_pa_data * tmppa; krb5_ap_req * apreq; 
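Review bot: `state` is initialised to NULL at declaration and no kdc_make_rstate call appears in these hunks before `kdc_find_fast(&request, &scratch, subkey, state)`, yet kdc_find_fast writes `state->cookie` and `state->fast_options`; unless the call is in unchanged lines, any TGS request carrying FX-FAST padata dereferences NULL. Mirror the AS path: `errcode = kdc_make_rstate(&state); if (errcode) { status = "constructing state"; goto cleanup; }` before the FAST lookup. `pa_tgs_req` is assigned by kdc_process_tgs_req only on success, so `scratch.length = pa_tgs_req->length` is safe only if the unchanged lines between the two hunks bail out on a non-zero errcode; initialising `pa_tgs_req = NULL` at declaration would make a missed bail-out loud rather than undefined.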
@@ -383,6 +384,8 @@ } } + if (retval == 0) + *pa_tgs_req = tmppa; cleanup_authenticator: krb5_free_authenticator(kdc_context, authenticator); Modified: branches/fast/src/kdc/kdc_util.h =================================================================== --- branches/fast/src/kdc/kdc_util.h 2009-03-26 05:36:38 UTC (rev 22124) +++ branches/fast/src/kdc/kdc_util.h 2009-03-26 05:36:40 UTC (rev 22125) @@ -66,7 +66,7 @@ krb5_ticket **, krb5_db_entry *krbtgt, int *nprincs, - krb5_keyblock **); + krb5_keyblock **, krb5_pa_data **pa_tgs_req); krb5_error_code kdc_get_server_key (krb5_ticket *, unsigned int, krb5_boolean match_enctype, From hartmans at MIT.EDU Thu Mar 26 01:36:48 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:36:48 -0400 Subject: svn rev #22127: branches/fast/src/lib/krb5/ krb/ Message-ID: <200903260536.n2Q5amDN018448@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22127 Commit By: hartmans Log Message: Some fast free functions Changed Files: U branches/fast/src/lib/krb5/krb/kfree.c U branches/fast/src/lib/krb5/libkrb5.exports Modified: branches/fast/src/lib/krb5/krb/kfree.c =================================================================== --- branches/fast/src/lib/krb5/krb/kfree.c 2009-03-26 05:36:45 UTC (rev 22126) +++ branches/fast/src/lib/krb5/krb/kfree.c 2009-03-26 05:36:48 UTC (rev 22127) 
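Review bot: `*pa_tgs_req = tmppa;` is written only when `retval == 0`, so on every failure path the new out-parameter keeps whatever the caller had there, and the caller in do_tgs_req declares it uninitialised. Set `*pa_tgs_req = NULL;` at the top of kdc_process_tgs_req so the contract is "NULL unless the function succeeded", and state it on the prototype: `/* on success *pa_tgs_req points into request->padata; not owned by the caller */`. The function body starts outside the hunk.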
@@ -797,3 +797,18 @@ free(etypes); } } +void krb5_free_fast_req(krb5_context context, krb5_fast_req *val) +{ + if (val == NULL) + return; + krb5_free_kdc_req(context, val->req_body); + free(val); +} + +void krb5_free_fast_armor(krb5_context context, krb5_fast_armor *val) +{ + if (val == NULL) + return; + krb5_free_data_contents(context, &val->armor_value); + free(val); +} Modified: branches/fast/src/lib/krb5/libkrb5.exports =================================================================== --- branches/fast/src/lib/krb5/libkrb5.exports 2009-03-26 05:36:45 UTC (rev 22126) +++ branches/fast/src/lib/krb5/libkrb5.exports 2009-03-26 05:36:48 UTC (rev 22127) @@ -227,6 +227,7 @@ krb5_free_error krb5_free_error_message krb5_free_etype_info +krb5_free_fast_req krb5_free_host_realm krb5_free_kdc_rep krb5_free_kdc_req From hartmans at MIT.EDU Thu Mar 26 01:36:45 2009 
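Review bot: krb5_free_fast_armor is added alongside krb5_free_fast_req, but the libkrb5.exports hunk of this revision exports only `krb5_free_fast_req`, so the armor freer is unreachable from outside the library, and no prototype for either appears in these hunks. Export it too, or make it `static` if it is only meant for internal use. Both functions lack a purpose comment; `/* Frees a krb5_fast_req and the kdc_req body it owns. */` and `/* Frees a krb5_fast_armor and its armor_value contents. */` would do.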
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:36:45 -0400 Subject: svn rev #22126: branches/fast/src/lib/krb5/krb/ Message-ID: <200903260536.n2Q5aj7O018411@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22126 Commit By: hartmans Log Message: Integrate FAST in to client AS sending Functions to generate FAST request and to manage client fast state. Integrate into client AS req loop. Most of this is stub code although the integration points and arguments should be correct. * Call into fast to prepare the request body. If FAST is being used, this may end up hiding the names in the future in the outer request. * Call into FAST to prepare the request before sending. This will generate the FAST padata and return an encoded outer request. * Call into fast to handle error replies, potentially extracting padata and information on whether to continue processing. Changed Files: U branches/fast/src/lib/krb5/krb/Makefile.in A branches/fast/src/lib/krb5/krb/fast.c A branches/fast/src/lib/krb5/krb/fast.h U branches/fast/src/lib/krb5/krb/get_in_tkt.c Modified: branches/fast/src/lib/krb5/krb/Makefile.in =================================================================== --- branches/fast/src/lib/krb5/krb/Makefile.in 2009-03-26 05:36:40 UTC (rev 22125) +++ branches/fast/src/lib/krb5/krb/Makefile.in 2009-03-26 05:36:45 UTC (rev 22126) @@ -40,6 +40,7 @@ enc_helper.o \ encode_kdc.o \ encrypt_tk.o \ + fast.o \ free_rtree.o \ fwd_tgt.o \ gc_frm_kdc.o \ @@ -127,6 +128,7 @@ $(OUTPRE)enc_helper.$(OBJEXT) \ $(OUTPRE)encode_kdc.$(OBJEXT) \ $(OUTPRE)encrypt_tk.$(OBJEXT) \ + $(OUTPRE)fast.$(OBJEXT) \ $(OUTPRE)free_rtree.$(OBJEXT) \ $(OUTPRE)fwd_tgt.$(OBJEXT) \ $(OUTPRE)gc_frm_kdc.$(OBJEXT) \ 
@@ -215,6 +217,7 @@ $(srcdir)/enc_helper.c \ $(srcdir)/encode_kdc.c \ $(srcdir)/encrypt_tk.c \ + $(srcdir)/fast.c \ $(srcdir)/free_rtree.c \ $(srcdir)/fwd_tgt.c \ $(srcdir)/gc_frm_kdc.c \ Added: branches/fast/src/lib/krb5/krb/fast.c =================================================================== --- branches/fast/src/lib/krb5/krb/fast.c 2009-03-26 05:36:40 UTC (rev 22125) +++ branches/fast/src/lib/krb5/krb/fast.c 2009-03-26 05:36:45 UTC (rev 22126) 
@@ -0,0 +1,196 @@ +/* + * lib/krb5/krb/fast.c + * + * Copyright (C) 2009 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * + */ + +#include + +/* + * It is possible to support sending a request that includes both a + * FAST and normal version. This would complicate the + * pre-authentication logic significantly. You would need to maintain + * two contexts, one for FAST and one for normal use. In adition, you + * would need to manage the security issues surrounding downgrades. + * However trying FAST at all requires an armor key. Generally in + * obtaining the armor key, the client learns enough to know that FAST + * is supported. If not, the client can see FAST in the + * preauth_required error's padata and retry with FAST. So, this + * implementation does not support FAST+normal. 
+ * + * We store the outer version of the request to use . The caller + * stores the inner version. We handle the encoding of the request + * body (and request) and provide encoded request bodies for the + * caller to use as these may be used for checksums. In the AS case + * we also evaluate whether to continue a conversation as one of the + * important questions there is the presence of a cookie. + */ +#include "fast.h" + + + +krb5_error_code +krb5int_fast_prep_req_body(krb5_context context, struct krb5int_fast_request_state *state, + krb5_kdc_req *request, krb5_data **encoded_request_body) +{ + krb5_error_code retval = 0; + krb5_data *local_encoded_request_body = NULL; + assert(state != NULL); + *encoded_request_body = NULL; + if (state->armor_key == NULL) { + return encode_krb5_kdc_req_body(request, encoded_request_body); + } + state->fast_outer_request = *request; + state->fast_outer_request.padata = NULL; + if (retval == 0) + retval = encode_krb5_kdc_req_body(&state->fast_outer_request, + &local_encoded_request_body); + if (retval == 0) { + *encoded_request_body = local_encoded_request_body; + local_encoded_request_body = NULL; + } + if (local_encoded_request_body != NULL) + krb5_free_data(context, local_encoded_request_body); + return retval; +} + + +krb5_error_code +krb5int_fast_prep_req (krb5_context context, struct krb5int_fast_request_state *state, + const krb5_kdc_req *request, + const krb5_data *to_be_checksummed, kdc_req_encoder_proc encoder, + krb5_data **encoded_request) +{ + krb5_error_code retval = 0; + krb5_pa_data *pa_array[3]; + krb5_pa_data pa[2]; + krb5_fast_req fast_req; + krb5_data *encoded_fast_req = NULL; + krb5_data *local_encoded_result = NULL; + + assert(state != NULL); + assert(state->fast_outer_request.padata == NULL); + memset(pa_array, 0, sizeof pa_array); + if (state->armor_key == NULL) { + return encoder(request, encoded_request); + } + fast_req.req_body = request; + if (fast_req.req_body->padata == NULL) { + 
fast_req.req_body->padata = calloc(1, sizeof(krb5_pa_data *)); + if (fast_req.req_body->padata == NULL) + retval = ENOMEM; + } + fast_req.fast_options = state->fast_options; + if (retval == 0) + retval = encode_krb5_fast_req(&fast_req, &encoded_fast_req); + if (retval==0) { + pa[0].pa_type = KRB5_PADATA_FX_FAST; + pa[0].contents = (unsigned char *) encoded_fast_req->data; + pa[0].length = encoded_fast_req->length; + pa_array[0] = &pa[0]; + } + if (state->cookie_contents.data) { + pa[1].contents = (unsigned char *) state->cookie_contents.data; + pa[1].length = state->cookie_contents.length; + pa[1].pa_type = KRB5_PADATA_FX_COOKIE; + pa_array[1] = &pa[1]; + } + state->fast_outer_request.padata = pa_array; + if(retval == 0) + retval = encoder(&state->fast_outer_request, &local_encoded_result); + if (retval == 0) { + *encoded_request = local_encoded_result; + local_encoded_result = NULL; + } + if (encoded_fast_req) + krb5_free_data(context, encoded_fast_req); + if (local_encoded_result) + krb5_free_data(context, local_encoded_result); + state->fast_outer_request.padata = NULL; + return retval; +} + +/* + * FAST separates two concepts: the set of padata we're using to + * decide what pre-auth mechanisms to use and the set of padata we're + * making available to mechanisms in order for them to respond to an + * error. The plugin interface in March 2009 does not permit + * separating these concepts for the plugins. This function makes + * both available for future revisions to the plugin interface. It + * also re-encodes the padata from the current error as a encoded + * typed-data and puts that in the e_data field. That will allow + * existing plugins with the old interface to find the error data. + * The output parameter out_padata contains the padata from the error + * whenever padata is available (all the time with fast). 
+ */ +krb5_error_code +krb5int_fast_process_error(krb5_context context, struct krb5int_fast_request_state *state, + krb5_error **err_replyptr , krb5_pa_data ***out_padata, + krb5_boolean *retry) +{ + krb5_error_code retval = 0; + krb5_error *err_reply = *err_replyptr; + *retry = (err_reply->e_data.length > 0); + *out_padata = NULL; + if ((err_reply->error == KDC_ERR_PREAUTH_REQUIRED + ||err_reply->error == KDC_ERR_PREAUTH_FAILED) && err_reply->e_data.length) { + krb5_pa_data **result = NULL; + retval = decode_krb5_padata_sequence(&err_reply->e_data, &result); + if (retval == 0) + if (retval == 0) { + *out_padata = result; + + return 0; + } + krb5_free_pa_data(context, result); + krb5_set_error_message(context, retval, + "Error decoding padata in error reply"); + return retval; + } + return 0; +} + +krb5_error_code +krb5int_fast_make_state( krb5_context context, struct krb5int_fast_request_state **state) +{ + krb5_error_code retval = 0; + struct krb5int_fast_request_state *local_state ; + local_state = malloc(sizeof *local_state); + if (local_state == NULL) + return ENOMEM; + memset(local_state, 0, sizeof(*local_state)); + *state = local_state; + return 0; +} + +void +krb5int_fast_free_state( krb5_context context, struct krb5int_fast_request_state *state) +{ + /*We are responsible for none of the store in the fast_outer_req*/ + krb5_free_keyblock(context, state->armor_key); + krb5_free_fast_armor(context, state->armor); + krb5_free_data_contents(context, &state->cookie_contents); +} Added: branches/fast/src/lib/krb5/krb/fast.h =================================================================== --- branches/fast/src/lib/krb5/krb/fast.h 2009-03-26 05:36:40 UTC (rev 22125) +++ branches/fast/src/lib/krb5/krb/fast.h 2009-03-26 05:36:45 UTC (rev 22126) 
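Review bot: krb5int_fast_free_state releases the armor key, the armor and the cookie contents but never the state block itself, although krb5int_fast_make_state obtains it with malloc and the cleanup in get_in_tkt.c (@@ -1477 hunk) calls nothing else on it, so one struct krb5int_fast_request_state leaks per request; end the function with `free(state);` and return early when `state` is NULL so the caller's `if (fast_state)` guard is not the only protection. In krb5int_fast_prep_req, `fast_req.req_body = request;` followed by `fast_req.req_body->padata = calloc(1, sizeof(krb5_pa_data *));` writes through the `const krb5_kdc_req *request` parameter via the non-const req_body field, and the one-element array it allocates is neither freed here nor recorded in the state, so either the parameter should lose its const and the ownership of that padata be documented, or the function should encode a private copy of the body. In krb5int_fast_process_error the nested `if (retval == 0) if (retval == 0) {` repeats the same test; one is enough.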
@@ -0,0 +1,67 @@ +/* + * lib/krb5/krb/fast.h + * + * Copyright (C) 2009 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. 
+ * + * + * <<< Description >>> + */ +#ifndef KRB_FAST_H + +#define KRB_FAST_H + +#include + +struct krb5int_fast_request_state { + krb5_kdc_req fast_outer_request; + krb5_keyblock *armor_key; /*non-null means fast is in use*/ + krb5_fast_armor *armor; + krb5_ui_4 fast_state_flags; + krb5_ui_4 fast_options; + krb5_data cookie_contents; +}; + +krb5_error_code +krb5int_fast_prep_req_body(krb5_context context, struct krb5int_fast_request_state *state, + krb5_kdc_req *request, krb5_data **encoded_req_body); + +typedef krb5_error_code(*kdc_req_encoder_proc) (const krb5_kdc_req *, krb5_data **); + +krb5_error_code +krb5int_fast_prep_req (krb5_context context, struct krb5int_fast_request_state *state, + const krb5_kdc_req *request, + const krb5_data *to_be_checksummed, kdc_req_encoder_proc encoder, + krb5_data **encoded_request); +krb5_error_code +krb5int_fast_process_error(krb5_context context, struct krb5int_fast_request_state *state, + krb5_error **err_replyptr , krb5_pa_data ***out_padata, + krb5_boolean *retry); + +krb5_error_code +krb5int_fast_make_state( krb5_context context, struct krb5int_fast_request_state **state); + +void +krb5int_fast_free_state( krb5_context , struct krb5int_fast_request_state *state); + + +#endif Modified: branches/fast/src/lib/krb5/krb/get_in_tkt.c =================================================================== --- branches/fast/src/lib/krb5/krb/get_in_tkt.c 2009-03-26 05:36:40 UTC (rev 22125) +++ branches/fast/src/lib/krb5/krb/get_in_tkt.c 2009-03-26 05:36:45 UTC (rev 22126) @@ -32,6 +32,7 @@ #include "k5-int.h" #include "int-proto.h" #include "os-proto.h" +#include "fast.h" #if APPLE_PKINIT #define IN_TKT_DEBUG 0 @@ -974,6 +975,10 @@ krb5_preauth_client_rock get_data_rock; int canon_flag = 0; krb5_principal_data referred_client; + krb5_boolean retry = 0; + struct krb5int_fast_request_state *fast_state = NULL; + krb5_pa_data **out_padata = NULL; + /* initialize everything which will be freed at cleanup */ 
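Review bot: The new fast.h still carries the `<<< Description >>>` template placeholder in its header comment; replace it with a one-line purpose such as `Client-side FAST request state: building the outer KDC request and unpacking error replies.` Apart from `/*non-null means fast is in use*/` on armor_key, the prototypes carry no ownership documentation; they should state that krb5int_fast_make_state allocates the state, that krb5int_fast_free_state as implemented in this commit releases only the members, and that the `krb5_data **` outputs of the two prep functions are released by the caller with krb5_free_data, as get_in_tkt.c does. The unnamed first parameter in `krb5int_fast_free_state( krb5_context , ...)` should be named `context` like the other declarations.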
@@ -1002,6 +1007,9 @@ referred_client = *client; referred_client.realm.data = NULL; referred_client.realm.length = 0; + ret = krb5int_fast_make_state(context, &fast_state); + if (ret) + goto cleanup; /* * Set up the basic request structure @@ -1233,7 +1241,8 @@ } /* give the preauth plugins a chance to prep the request body */ krb5_preauth_prepare_request(context, options, &request); - ret = encode_krb5_kdc_req_body(&request, &encoded_request_body); + ret = krb5int_fast_prep_req_body(context, fast_state, + &request, &encoded_request_body); if (ret) goto cleanup; @@ -1258,6 +1267,10 @@ gak_fct, gak_data, &get_data_rock, options))) goto cleanup; + if (out_padata) { + krb5_free_pa_data(context, out_padata); + out_padata = NULL; + } } else { if (preauth_to_use != NULL) { /* @@ -1293,7 +1306,9 @@ krb5_free_data(context, encoded_previous_request); encoded_previous_request = NULL; } - ret = encode_krb5_as_req(&request, &encoded_previous_request); + ret = krb5int_fast_prep_req(context, fast_state, + &request, encoded_request_body, + encode_krb5_as_req, &encoded_previous_request); if (ret) goto cleanup; @@ -1305,15 +1320,19 @@ goto cleanup; if (err_reply) { - if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED && - err_reply->e_data.length > 0) { + ret = krb5int_fast_process_error(context, fast_state, &err_reply, + &out_padata, &retry); + if (ret !=0) + goto cleanup; + if ((err_reply->error == KDC_ERR_PREAUTH_REQUIRED ||err_reply->error == KDC_ERR_PREAUTH_FAILED) +&& retry) { /* reset the list of preauth types to try */ if (preauth_to_use) { krb5_free_pa_data(context, preauth_to_use); preauth_to_use = NULL; } - ret = decode_krb5_padata_sequence(&err_reply->e_data, - &preauth_to_use); + preauth_to_use = out_padata; + out_padata = NULL; krb5_free_error(context, err_reply); err_reply = NULL; if (ret) 
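Review bot: In the @@ -1305 hunk the `if (ret)` that follows `out_padata = NULL;` now tests a value known to be zero, because `ret` was last assigned by krb5int_fast_process_error and a non-zero result already jumped to cleanup two lines earlier; the decode-failure branch it guards (outside the hunk) is dead and should go together with the test. The retry decision now rests entirely on `retry` being rewritten by krb5int_fast_process_error on every error reply, since nothing else in the loop assigns it; a comment at the declaration in the @@ -974 hunk, e.g. `/* set by krb5int_fast_process_error for each error reply */`, would make that dependency visible to the next reader. The enclosing function begins and ends outside these hunks.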
@@ -1345,7 +1364,7 @@ goto cleanup; request.client = &referred_client; } else { - if (err_reply->e_data.length > 0) { + if (retry) { /* continue to next iteration */ } else { /* error + no hints = give up */ @@ -1477,6 +1496,10 @@ } } krb5_preauth_request_context_fini(context); + if (fast_state) + krb5int_fast_free_state(context, fast_state); + if (out_padata) + krb5_free_pa_data(context, out_padata); if (encoded_previous_request != NULL) { krb5_free_data(context, encoded_previous_request); encoded_previous_request = NULL; From hartmans at MIT.EDU Thu Mar 26 01:36:51 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:36:51 -0400 Subject: svn rev #22128: branches/fast/src/kdc/ Message-ID: <200903260536.n2Q5apsa018485@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22128 Commit By: hartmans Log Message: Free the request in process_as_req for parallelism with TGS case. This permits the FAST code to free the outer request if FAST is in use. Changed Files: U branches/fast/src/kdc/dispatch.c U branches/fast/src/kdc/do_as_req.c Modified: branches/fast/src/kdc/dispatch.c =================================================================== --- branches/fast/src/kdc/dispatch.c 2009-03-26 05:36:48 UTC (rev 22127) +++ branches/fast/src/kdc/dispatch.c 2009-03-26 05:36:50 UTC (rev 22128) @@ -92,11 +92,12 @@ /* * setup_server_realm() sets up the global realm-specific data * pointer. + * process_as_req frees the request if it is called */ if (!(retval = setup_server_realm(as_req->server))) { retval = process_as_req(as_req, pkt, from, response); } - krb5_free_kdc_req(kdc_context, as_req); + else krb5_free_kdc_req(kdc_context, as_req); } } else Modified: branches/fast/src/kdc/do_as_req.c =================================================================== --- branches/fast/src/kdc/do_as_req.c 2009-03-26 05:36:48 UTC (rev 22127) +++ branches/fast/src/kdc/do_as_req.c 2009-03-26 05:36:50 UTC (rev 22128) 
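Review bot: Ownership of as_req now depends on whether setup_server_realm succeeded, and that asymmetric contract is expressed as a bare `else krb5_free_kdc_req(kdc_context, as_req);` on one line with the explanation several lines above it; write it as a braced `} else {` block and put the comment directly on the else branch so the conditional transfer is not missed. The matching release in process_as_req (do_as_req.c @@ -691 hunk) sits immediately before its final return; if any path in that function returns earlier, the request leaks under the new contract, which cannot be verified from the hunk.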
@@ -691,6 +691,7 @@ krb5_free_data_contents(kdc_context, &e_data); kdc_free_rstate(state); + krb5_free_kdc_req(kdc_context, request); assert(did_log != 0); return errcode; } From hartmans at MIT.EDU Thu Mar 26 01:36:53 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:36:53 -0400 Subject: svn rev #22129: branches/fast/src/ kdc/ lib/krb5/ Message-ID: <200903260536.n2Q5ariX018522@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22129 Commit By: hartmans Log Message: Implement KDC side FAST response Implement generation of fast_response, partial finish and fx_error. Add reply key to state. Changed Files: U branches/fast/src/kdc/fast_util.c U branches/fast/src/kdc/kdc_util.h U branches/fast/src/lib/krb5/libkrb5.exports Modified: branches/fast/src/kdc/fast_util.c =================================================================== --- branches/fast/src/kdc/fast_util.c 2009-03-26 05:36:50 UTC (rev 22128) +++ branches/fast/src/kdc/fast_util.c 2009-03-26 05:36:53 UTC (rev 22129) 
@@ -116,9 +116,144 @@ return; if (s->armor_key) krb5_free_keyblock(kdc_context, s->armor_key); + if (s->reply_key) + krb5_free_keyblock(kdc_context, s->reply_key); if (s->cookie) { free(s->cookie->contents); free(s->cookie); } free(s); } + +krb5_error_code kdc_fast_response_handle_padata +(struct kdc_request_state *state, krb5_kdc_rep *rep, const krb5_data *pkt) +{ + krb5_error_code retval = 0; + krb5_fast_finished finish; + krb5_fast_response fast_response; + krb5_data *encoded_ticket = NULL; + krb5_data *encoded_fast_response = NULL; + krb5_pa_data *pa = NULL, **pa_array; + krb5_cksumtype cksumtype = CKSUMTYPE_RSA_MD5; + + if (!state->armor_key) + return 0; + memset(&finish, 0, sizeof(finish)); + fast_response.padata = rep->padata; + fast_response.rep_key = state->reply_key; + fast_response.finished = &finish; + finish.client = rep->client; + pa_array = calloc(3, sizeof(*pa_array)); + if (pa_array == NULL) + retval = ENOMEM; + pa = calloc(1, sizeof(krb5_pa_data)); + if (retval == 0 && pa == NULL) + retval = ENOMEM; + if (retval == 0) + retval = krb5_us_timeofday(kdc_context, &finish.timestamp, &finish.usec); + if (retval == 0) + retval = encode_krb5_ticket(rep->ticket, &encoded_ticket); + if (retval == 0) + retval = krb5_c_make_checksum(kdc_context, cksumtype, + state->armor_key, KRB5_KEYUSAGE_FAST_FINISHED, + encoded_ticket, &finish.ticket_checksum); +/* xxx checksum should be something else; sticking ticket_checksum there is a placeholder*/ + if (retval == 0) + retval = krb5_c_make_checksum(kdc_context, cksumtype, + state->armor_key, KRB5_KEYUSAGE_FAST_FINISHED, + encoded_ticket, &finish.checksum); + if (retval == 0) + retval = encode_krb5_fast_response(&fast_response, &encoded_fast_response); + if (retval == 0) { + pa[0].pa_type = KRB5_PADATA_FX_FAST; + pa[0].length = encoded_fast_response->length; + pa[0].contents = (unsigned char *) encoded_fast_response->data; + pa_array[0] = &pa[0]; + rep->padata = pa_array; + pa_array = NULL; + encoded_fast_response = 
NULL; + pa = NULL; + } + if (pa) + free(pa); + if (encoded_fast_response) + krb5_free_data(kdc_context, encoded_fast_response); + if (encoded_ticket) + krb5_free_data(kdc_context, encoded_ticket); + if (finish.checksum.contents) + krb5_free_checksum_contents(kdc_context, &finish.checksum); + if (finish.ticket_checksum.contents) + krb5_free_checksum_contents(kdc_context, &finish.checksum); + return retval; +} + +/* + * We assume the caller is responsible for passing us an in_padata + * sufficient to include in a FAST error. In the FAST case we will + * throw away the e_data in the error (if any); in the non-FAST case + * we will not use the in_padata. + */ +krb5_error_code kdc_fast_handle_error +(krb5_context context, struct kdc_request_state *state, + krb5_pa_data **in_padata, krb5_error *err) +{ + krb5_error_code retval = 0; + krb5_fast_response resp; + krb5_error fx_error; + krb5_data *encoded_fx_error = NULL, *encoded_fast_response = NULL; + krb5_pa_data pa[2]; + krb5_pa_data *outer_pa[3]; + krb5_pa_data **inner_pa = NULL; + size_t size = 0; + krb5_data *encoded_e_data = NULL; + + memset(outer_pa, 0, sizeof(outer_pa)); + if (!state->armor_key) + return 0; + fx_error = *err; + fx_error.e_data.data = NULL; + fx_error.e_data.length = 0; + for (size = 0; in_padata&&in_padata[size]; size++); + size +=3; + inner_pa = calloc(size, sizeof(krb5_pa_data *)); + if (inner_pa == NULL) + retval = ENOMEM; + if (retval == 0) + for (size=0; in_padata&&in_padata[size]; size++) + inner_pa[size] = in_padata[size]; + if (retval == 0) + retval = encode_krb5_error(&fx_error, &encoded_fx_error); + if (retval == 0) { + pa[0].pa_type = KRB5_PADATA_FX_ERROR; + pa[0].length = encoded_fx_error->length; + pa[0].contents = (unsigned char *) encoded_fx_error->data; + inner_pa[size++] = &pa[0]; + resp.padata = inner_pa; + resp.rep_key = NULL; + resp.finished = NULL; + } + if (retval == 0) + retval = encode_krb5_fast_response(&resp, &encoded_fast_response); + if (inner_pa) + free(inner_pa); 
/*contained storage from caller and our stack*/ + if (retval == 0) { + pa[0].pa_type = KRB5_PADATA_FX_FAST; + pa[0].length = encoded_fast_response->length; + pa[0].contents = (unsigned char *) encoded_fast_response->data; + outer_pa[0] = &pa[0]; + } + retval = encode_krb5_padata_sequence(outer_pa, &encoded_e_data); + if (retval == 0) { + /*process_as holds onto a pointer to the original e_data and frees it*/ + err->e_data = *encoded_e_data; + free(encoded_e_data); /*contents belong to err*/ + encoded_e_data = NULL; + } + if (encoded_e_data) + krb5_free_data(kdc_context, encoded_e_data); + if (encoded_fast_response) + krb5_free_data(kdc_context, encoded_fast_response); + if (encoded_fx_error) + krb5_free_data(kdc_context, encoded_fx_error); + return retval; +} Modified: branches/fast/src/kdc/kdc_util.h =================================================================== --- branches/fast/src/kdc/kdc_util.h 2009-03-26 05:36:50 UTC (rev 22128) +++ branches/fast/src/kdc/kdc_util.h 2009-03-26 05:36:53 UTC (rev 22129) @@ -302,6 +302,7 @@ struct kdc_request_state { krb5_keyblock *armor_key; + krb5_keyblock *reply_key; /*When replaced by FAST*/ krb5_pa_data *cookie; krb5_int32 fast_options; krb5_int32 fast_internal_flags; @@ -321,6 +322,12 @@ krb5_keyblock *tgs_subkey, struct kdc_request_state *state); +krb5_error_code kdc_fast_response_handle_padata +(struct kdc_request_state *state, krb5_kdc_rep *rep, const krb5_data *pkt); +krb5_error_code kdc_fast_handle_error +(krb5_context context, struct kdc_request_state *state, + krb5_pa_data **in_padata, krb5_error *err); + Modified: branches/fast/src/lib/krb5/libkrb5.exports =================================================================== --- branches/fast/src/lib/krb5/libkrb5.exports 2009-03-26 05:36:50 UTC (rev 22128) +++ branches/fast/src/lib/krb5/libkrb5.exports 2009-03-26 05:36:53 UTC (rev 22129) 
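Review bot: The cleanup at the end of kdc_fast_response_handle_padata frees `finish.checksum` twice and never `finish.ticket_checksum`: the last block reads `if (finish.ticket_checksum.contents) krb5_free_checksum_contents(kdc_context, &finish.checksum);` and must pass `&finish.ticket_checksum`. The same function leaks `pa_array` on every error path after its calloc, since only `pa` is released, so `if (pa_array) free(pa_array);` belongs in the cleanup as well. Both checksums are computed with the hard-coded `CKSUMTYPE_RSA_MD5`, an unkeyed type, so the armor key passed to krb5_c_make_checksum does not bind the finished data to anything; the type should be the mandatory keyed checksum for the armor key's enctype (krb5int_c_mandatory_cksumtype, if this branch has it), because that binding is what the client will depend on to detect a modified reply. In kdc_fast_handle_error the call `retval = encode_krb5_padata_sequence(outer_pa, &encoded_e_data);` runs unconditionally, so an earlier ENOMEM or encoding failure is overwritten and an empty sequence is installed as e_data; guard it with `if (retval == 0)` like the surrounding calls.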
@@ -57,6 +57,7 @@ encode_krb5_error encode_krb5_etype_info encode_krb5_etype_info2 +encode_krb5_fast_response encode_krb5_kdc_req_body encode_krb5_pa_enc_ts encode_krb5_pa_for_user From hartmans at MIT.EDU Thu Mar 26 01:36:56 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:36:56 -0400 Subject: svn rev #22130: branches/fast/src/lib/krb5/krb/ Message-ID: <200903260536.n2Q5auFn018559@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22130 Commit By: hartmans Log Message: Implement free_fast_response and free_fast_finished Changed Files: U branches/fast/src/lib/krb5/krb/kfree.c Modified: branches/fast/src/lib/krb5/krb/kfree.c =================================================================== --- branches/fast/src/lib/krb5/krb/kfree.c 2009-03-26 05:36:53 UTC (rev 22129) +++ branches/fast/src/lib/krb5/krb/kfree.c 2009-03-26 05:36:56 UTC (rev 22130) @@ -812,3 +812,22 @@ krb5_free_data_contents(context, &val->armor_value); free(val); } + +void krb5_free_fast_response(krb5_context context, krb5_fast_response *val) +{ + if (!val) + return; + krb5_free_pa_data(context, val->padata); + krb5_free_fast_finished(context, val->finished); + free(val); +} + +void krb5_free_fast_finished +(krb5_context context, krb5_fast_finished *val) +{ + if (!val) + return; + krb5_free_principal(context, val->client); + krb5_free_checksum_contents(context, &val->checksum); + krb5_free_checksum_contents(context, &val->ticket_checksum); +} From hartmans at MIT.EDU Thu Mar 26 01:36:59 2009 
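Review bot: krb5_free_fast_finished frees the principal and both checksum contents but not `val` itself, whereas krb5_free_fast_response, which calls it on `val->finished`, ends with `free(val)` for its own object; if the decoder allocates the krb5_fast_finished structure on the heap, as the `free(val)` convention elsewhere in this file suggests, the structure is leaked for every decoded FAST response. Either add `free(val);` at the end of krb5_free_fast_finished or document in a comment that the structure is embedded and only its contents are released. The KDC side in fast_util.c builds `finish` on the stack and does not call this function, so the choice only affects decoded responses.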
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:36:59 -0400 Subject: svn rev #22131: branches/fast/src/ include/ kdc/ lib/krb5/ lib/krb5/krb/ Message-ID: <200903260536.n2Q5axMB018596@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22131 Commit By: hartmans Log Message: Client AS-req error handling for FAST Find and decode the fast_response and fx_error. Pull out padata and re-encode as typed-data * Implement krb5_free_typed_data * implement error handling logic in krb5int_fast_handle_error * Implement krb5int_find_pa_data Changed Files: U branches/fast/src/include/k5-int-pkinit.h U branches/fast/src/include/k5-int.h U branches/fast/src/kdc/kdc_util.c U branches/fast/src/lib/krb5/krb/fast.c U branches/fast/src/lib/krb5/krb/kfree.c U branches/fast/src/lib/krb5/libkrb5.exports Modified: branches/fast/src/include/k5-int-pkinit.h =================================================================== --- branches/fast/src/include/k5-int-pkinit.h 2009-03-26 05:36:56 UTC (rev 22130) +++ branches/fast/src/include/k5-int-pkinit.h 2009-03-26 05:36:58 UTC (rev 22131) @@ -101,6 +101,9 @@ } krb5_trusted_ca; /* typed data */ +/* The FAST error handling logic currently assumes that this structure and krb5_pa_data * can be safely cast to each other + * if this structure changes, that code needs to be updated to copy. + */ typedef struct _krb5_typed_data { krb5_magic magic; krb5_int32 type; @@ -267,4 +270,6 @@ krb5_error_code decode_krb5_td_dh_parameters (const krb5_data *, krb5_algorithm_identifier ***); +void krb5_free_typed_data(krb5_context, krb5_typed_data **); + #endif /* _KRB5_INT_PKINIT_H */ Modified: branches/fast/src/include/k5-int.h =================================================================== --- branches/fast/src/include/k5-int.h 2009-03-26 05:36:56 UTC (rev 22130) +++ branches/fast/src/include/k5-int.h 2009-03-26 05:36:58 UTC (rev 22131) 
@@ -1074,6 +1074,10 @@ krb5_creds *, krb5_int32 *); +krb5_pa_data * krb5int_find_pa_data +(krb5_context, krb5_pa_data * const *, krb5_preauthtype); +/* Does not return a copy; original padata sequence responsible for freeing*/ + void krb5_free_etype_info (krb5_context, krb5_etype_info); Modified: branches/fast/src/kdc/kdc_util.c =================================================================== --- branches/fast/src/kdc/kdc_util.c 2009-03-26 05:36:56 UTC (rev 22130) +++ branches/fast/src/kdc/kdc_util.c 2009-03-26 05:36:58 UTC (rev 22131) @@ -217,17 +217,7 @@ krb5_pa_data * find_pa_data(krb5_pa_data **padata, krb5_preauthtype pa_type) { - krb5_pa_data **tmppa; - - if (padata == NULL) - return NULL; - - for (tmppa = padata; *tmppa != NULL; tmppa++) { - if ((*tmppa)->pa_type == pa_type) - break; - } - - return *tmppa; +return krb5int_find_pa_data(kdc_context, padata, pa_type); } krb5_error_code Modified: branches/fast/src/lib/krb5/krb/fast.c =================================================================== --- branches/fast/src/lib/krb5/krb/fast.c 2009-03-26 05:36:56 UTC (rev 22130) +++ branches/fast/src/lib/krb5/krb/fast.c 2009-03-26 05:36:58 UTC (rev 22131) 
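Review bot: The ownership comment `/* Does not return a copy; original padata sequence responsible for freeing*/` is placed after the krb5int_find_pa_data prototype and the blank line that follows it, so it reads as documentation of the krb5_free_etype_info declaration below; move it above the prototype it describes. In the kdc_util.c hunk the wrapper body `return krb5int_find_pa_data(kdc_context, padata, pa_type);` sits at column 0 inside the function; indent it like the surrounding code.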
@@ -153,24 +153,88 @@ { krb5_error_code retval = 0; krb5_error *err_reply = *err_replyptr; - *retry = (err_reply->e_data.length > 0); *out_padata = NULL; - if ((err_reply->error == KDC_ERR_PREAUTH_REQUIRED - ||err_reply->error == KDC_ERR_PREAUTH_FAILED) && err_reply->e_data.length) { + if (state->armor_key) { + krb5_pa_data *fast_pa, *fx_error_pa; krb5_pa_data **result = NULL; + krb5_data scratch, *encoded_td = NULL; + krb5_error *fx_error = NULL; + krb5_fast_response *fast_response = NULL; retval = decode_krb5_padata_sequence(&err_reply->e_data, &result); if (retval == 0) + fast_pa = krb5int_find_pa_data(context, result, KRB5_PADATA_FX_FAST); + if (retval || fast_pa == NULL) { + /*This can happen if the KDC does not understand FAST. We + * don't expect that, but treating it as the fatal error + * indicated by the KDC seems reasonable. + */ + *retry = 0; + krb5_free_pa_data(context, result); + return 0; + } + scratch.data = (char *) fast_pa->contents; + scratch.length = fast_pa->length; + retval = decode_krb5_fast_response(&scratch, &fast_response); + krb5_free_pa_data(context, result); + result = NULL; if (retval == 0) { - *out_padata = result; + fx_error_pa = krb5int_find_pa_data(context, fast_response->padata, KRB5_PADATA_FX_ERROR); + if (fx_error_pa == NULL) { + krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED, "Expecting FX_ERROR pa-data inside FAST container"); + retval = KRB5KDC_ERR_PREAUTH_FAILED; + } + } + if (retval == 0) { + scratch.data = (char *) fx_error_pa->contents; + scratch.length = fx_error_pa->length; + retval = decode_krb5_error(&scratch, &fx_error); + } + /* + * krb5_pa_data and krb5_typed_data are safe to cast between: + * they have the same type fields in the same order. + * (krb5_preauthtype is a krb5_int32). If krb5_typed_data is + * ever changed then this will need to be a copy not a cast. 
+ */ + if (retval == 0) + retval = encode_krb5_typed_data( (krb5_typed_data **) fast_response->padata, + &encoded_td); + if (retval == 0) { + fx_error->e_data = *encoded_td; + free(encoded_td); /*contents owned by fx_error*/ + encoded_td = NULL; + krb5_free_error(context, err_reply); + *err_replyptr = fx_error; + fx_error = NULL; + *out_padata = fast_response->padata; + fast_response->padata = NULL; + /* + * If there is more than the fx_error padata, then we want + * to retry the error + */ + *retry = (*out_padata)[1] != NULL; + } + if (fx_error) + krb5_free_error(context, fx_error); + krb5_free_fast_response(context, fast_response); + } else { /*not FAST*/ + *retry = (err_reply->e_data.length > 0); + if ((err_reply->error == KDC_ERR_PREAUTH_REQUIRED + ||err_reply->error == KDC_ERR_PREAUTH_FAILED) && err_reply->e_data.length) { + krb5_pa_data **result = NULL; + retval = decode_krb5_padata_sequence(&err_reply->e_data, &result); + if (retval == 0) + if (retval == 0) { + *out_padata = result; - return 0; + return 0; + } + krb5_free_pa_data(context, result); + krb5_set_error_message(context, retval, + "Error decoding padata in error reply"); + return retval; } - krb5_free_pa_data(context, result); - krb5_set_error_message(context, retval, - "Error decoding padata in error reply"); - return retval; - } - return 0; + } + return retval; } krb5_error_code 
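Review bot: The FX_FAST padata of the KRB-ERROR is decoded with decode_krb5_fast_response straight from the wire, and the FX_ERROR found inside it replaces `*err_replyptr`, sets `*retry` and becomes the padata fed to the preauth loop, yet nothing in this function checks the container against `state->armor_key`; unless a later change decrypts or verifies the FX_FAST contents before this point, an on-path modification of the error and of the retry decision would go unnoticed, which is exactly what the armor exists to prevent, so at minimum a `/* TODO: verify the fast_response under the armor key before trusting it */` belongs here. The `(krb5_typed_data **) fast_response->padata` cast reads one struct type as another, which is undefined behaviour under strict aliasing even when the layouts agree; the comment acknowledges the dependency, but a short loop copying each entry into a freshly allocated krb5_typed_data array, released with the new krb5_free_typed_data, removes the hazard instead of documenting it. `*retry = (*out_padata)[1] != NULL;` is correct only because krb5int_find_pa_data just found FX_ERROR in that array, guaranteeing at least one element; a comment stating that precondition would help. The non-FAST branch keeps the duplicated `if (retval == 0) if (retval == 0) {` from the earlier revision.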
@@ -194,3 +258,20 @@ krb5_free_fast_armor(context, state->armor); krb5_free_data_contents(context, &state->cookie_contents); } + +krb5_pa_data * krb5int_find_pa_data +(krb5_context context, krb5_pa_data *const *padata, krb5_preauthtype pa_type) +{ + krb5_pa_data * const *tmppa; + + if (padata == NULL) + return NULL; + + for (tmppa = padata; *tmppa != NULL; tmppa++) { + if ((*tmppa)->pa_type == pa_type) + break; + } + + return *tmppa; +} + Modified: branches/fast/src/lib/krb5/krb/kfree.c =================================================================== --- branches/fast/src/lib/krb5/krb/kfree.c 2009-03-26 05:36:56 UTC (rev 22130) +++ branches/fast/src/lib/krb5/krb/kfree.c 2009-03-26 05:36:58 UTC (rev 22131) @@ -831,3 +831,16 @@ krb5_free_checksum_contents(context, &val->checksum); krb5_free_checksum_contents(context, &val->ticket_checksum); } + +void krb5_free_typed_data(krb5_context context, krb5_typed_data **in) +{ + int i = 0; + if (in == NULL) return; + while (in[i] != NULL) { + if (in[i]->data != NULL) + free(in[i]->data); + free(in[i]); + i++; + } + free(in); +} Modified: branches/fast/src/lib/krb5/libkrb5.exports =================================================================== --- branches/fast/src/lib/krb5/libkrb5.exports 2009-03-26 05:36:56 UTC (rev 22130) +++ branches/fast/src/lib/krb5/libkrb5.exports 2009-03-26 05:36:58 UTC (rev 22131) @@ -37,6 +37,7 @@ decode_krb5_tgs_rep decode_krb5_tgs_req decode_krb5_ticket +decode_krb5_typed_data encode_krb5_alt_method encode_krb5_ap_rep encode_krb5_ap_rep_enc_part @@ -269,6 +270,7 @@ krb5_free_ticket krb5_free_tickets krb5_free_tkt_authent +krb5_free_typed_data krb5_free_unparsed_name krb5_fwd_tgt_creds krb5_gen_portaddr @@ -519,6 +521,7 @@ krb5int_cleanup_library krb5int_cm_call_select krb5int_copy_data_contents_add0 +krb5int_find_pa_data krb5int_foreach_localaddr krb5int_free_addrlist krb5int_init_context_kdc From hartmans at MIT.EDU Thu Mar 26 01:37:01 2009 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:37:01 -0400 Subject: svn rev #22132: branches/fast/src/kdc/ Message-ID: <200903260537.n2Q5b1mI018634@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22132 Commit By: hartmans Log Message: Integrate fast in KDC AS errors Call kdc_fast_handle_error from prepare_as_error Also, decode either td or pa sequence in e_data and feed into fast's idea of a pa sequence. Changed Files: U branches/fast/src/kdc/do_as_req.c Modified: branches/fast/src/kdc/do_as_req.c =================================================================== --- branches/fast/src/kdc/do_as_req.c 2009-03-26 05:36:58 UTC (rev 22131) +++ branches/fast/src/kdc/do_as_req.c 2009-03-26 05:37:01 UTC (rev 22132) @@ -82,7 +82,7 @@ #endif #endif /* APPLE_PKINIT */ -static krb5_error_code prepare_error_as (krb5_kdc_req *, int, krb5_data *, +static krb5_error_code prepare_error_as (struct kdc_request_state *, krb5_kdc_req *, int, krb5_data *, krb5_principal, krb5_data **, const char *); @@ -640,7 +640,7 @@ if (errcode < 0 || errcode > 128) errcode = KRB_ERR_GENERIC; - errcode = prepare_error_as(request, errcode, &e_data, + errcode = prepare_error_as(state, request, errcode, &e_data, c_nprincs ? client.princ : NULL, response, status); status = 0; @@ -697,13 +697,16 @@ } static krb5_error_code -prepare_error_as (krb5_kdc_req *request, int error, krb5_data *e_data, +prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request, int error, krb5_data *e_data, krb5_principal canon_client, krb5_data **response, const char *status) { krb5_error errpkt; krb5_error_code retval; krb5_data *scratch; + krb5_pa_data **pa = NULL; + krb5_typed_data **td = NULL; + size_t size; errpkt.ctime = request->nonce; errpkt.cusec = 0; 
@@ -732,13 +735,38 @@ errpkt.e_data.length = 0; errpkt.e_data.data = NULL; } - + /*We need to try and produce a padata sequence for FAST*/ + retval = decode_krb5_padata_sequence(e_data, &pa); + if (retval != 0) { + retval = decode_krb5_typed_data(e_data, &td); + if (retval == 0) { + for (size =0; td[size]; size++); + pa = calloc(size+1, sizeof(*pa)); + if (pa == NULL) + retval = ENOMEM; + else for (size = 0; td[size]; size++) { + krb5_pa_data *pad = malloc(sizeof(krb5_pa_data *)); + if (pad == NULL) { + retval = ENOMEM; + break; + } + pad->pa_type = td[size]->type; + pad->contents = td[size]->data; + pad->length = td[size]->length; + pa[size] = pad; + } + krb5_free_typed_data(kdc_context, td); + } + } + retval = kdc_fast_handle_error(kdc_context, rstate, + pa, &errpkt); + if (retval == 0) retval = krb5_mk_error(kdc_context, &errpkt, scratch); free(errpkt.text.data); if (retval) free(scratch); else *response = scratch; - + krb5_free_pa_data(kdc_context, pa); return retval; } From hartmans at MIT.EDU Thu Mar 26 01:37:04 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:37:04 -0400 Subject: svn rev #22133: branches/fast/src/lib/krb5/krb/ Message-ID: <200903260537.n2Q5b4Qk018671@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22133 Commit By: hartmans Log Message: default to not retrying after error in client preauth loop Changed Files: U branches/fast/src/lib/krb5/krb/fast.c Modified: branches/fast/src/lib/krb5/krb/fast.c =================================================================== --- branches/fast/src/lib/krb5/krb/fast.c 2009-03-26 05:37:01 UTC (rev 22132) +++ branches/fast/src/lib/krb5/krb/fast.c 2009-03-26 05:37:04 UTC (rev 22133) @@ -154,6 +154,7 @@ krb5_error_code retval = 0; krb5_error *err_reply = *err_replyptr; *out_padata = NULL; + *retry = 0; if (state->armor_key) { krb5_pa_data *fast_pa, *fx_error_pa; krb5_pa_data **result = NULL; From hartmans at MIT.EDU Thu Mar 26 01:37:07 2009 
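Review bot: `krb5_pa_data *pad = malloc(sizeof(krb5_pa_data *));` in the typed-data conversion loop allocates the size of a pointer rather than of the struct, so the three field stores that follow write past the allocation; it should be `krb5_pa_data *pad = malloc(sizeof(*pad));`. The same loop copies `td[size]->data` into `pad->contents` without clearing it in `td`, so `krb5_free_typed_data(kdc_context, td)` frees that buffer while `pa` still points at it and `krb5_free_pa_data(kdc_context, pa)` at the end frees it a second time; add `td[size]->data = NULL;` after the copy to transfer ownership. An ENOMEM set in this block survives only until `retval = kdc_fast_handle_error(...)` overwrites it, so the allocation failure is silently dropped; the call should be guarded with `if (retval == 0)` or the partial `pa` discarded first. prepare_error_as begins in the previous hunk.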
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:37:07 -0400 Subject: svn rev #22134: branches/fast/src/ include/ include/krb5/ lib/krb5/ lib/krb5/krb/ Message-ID: <200903260537.n2Q5b7MX018708@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22134 Commit By: hartmans Log Message: Implement client AS armor * fast_armor_ap_request: generate ap_request armor * krb5int_fast_as_armor: parse GIC options and request armor * krb5_get_init_creds: call * krb5_get_init_creds_opt_set_fast_ccache_name: API to indicate where armor credentials are found * krb5_free_fast_armored_req: implement Changed Files: U branches/fast/src/include/k5-int.h U branches/fast/src/include/krb5/krb5.hin U branches/fast/src/lib/krb5/krb/fast.c U branches/fast/src/lib/krb5/krb/fast.h U branches/fast/src/lib/krb5/krb/get_in_tkt.c U branches/fast/src/lib/krb5/krb/gic_opt.c U branches/fast/src/lib/krb5/krb/kfree.c U branches/fast/src/lib/krb5/libkrb5.exports Modified: branches/fast/src/include/k5-int.h =================================================================== --- branches/fast/src/include/k5-int.h 2009-03-26 05:37:04 UTC (rev 22133) +++ branches/fast/src/include/k5-int.h 2009-03-26 05:37:06 UTC (rev 22134) @@ -963,6 +963,10 @@ krb5_data auth_package; } krb5_pa_for_user; +enum { + KRB5_FAST_ARMOR_AP_REQUEST = 0x1 +}; + typedef struct _krb5_fast_armor { krb5_int32 armor_type; krb5_data armor_value; @@ -1130,6 +1134,7 @@ typedef struct _krb5_gic_opt_private { int num_preauth_data; krb5_gic_opt_pa_data *preauth_data; + char * fast_ccache_name; } krb5_gic_opt_private; /* Modified: branches/fast/src/include/krb5/krb5.hin =================================================================== --- branches/fast/src/include/krb5/krb5.hin 2009-03-26 05:37:04 UTC (rev 22133) +++ branches/fast/src/include/krb5/krb5.hin 2009-03-26 05:37:06 UTC (rev 22134) 
@@ -2410,6 +2410,15 @@ const char *attr, const char *value); +krb5_error_code KRB5_CALLCONV krb5_get_init_creds_opt_set_fast_ccache_name +(krb5_context context, krb5_get_init_creds_opt *opt, + const char * fast_ccache_name); + /* This API sets a ccache name that will contain some TGT on + calls to get_init_creds functions. If set, this ccache will + be used for FAST (draft-ietf-krb-wg-preauth-framework) to + protect the AS-REQ from observation and active attack. If + the fast_ccache_name is set, then FAST may be required by the + client library. In this version FAST is required.*/ krb5_error_code KRB5_CALLCONV krb5_get_init_creds_password (krb5_context context, Modified: branches/fast/src/lib/krb5/krb/fast.c =================================================================== --- branches/fast/src/lib/krb5/krb/fast.c 2009-03-26 05:37:04 UTC (rev 22133) +++ branches/fast/src/lib/krb5/krb/fast.c 2009-03-26 05:37:06 UTC (rev 22134) 
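Review bot: The explanatory comment for krb5_get_init_creds_opt_set_fast_ccache_name is placed after its prototype, between it and krb5_get_init_creds_password, so a reader scanning the header attributes it to the next declaration; move the `/* This API sets a ccache name ... */` block above the prototype. The parameter is named `fast_ccache_name` here but `ccache_name` in the gic_opt.c definition; using one name in both keeps the header self-explanatory.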
@@ -49,8 +49,59 @@ * important questions there is the presence of a cookie. */ #include "fast.h" +#include "int-proto.h" +static krb5_error_code fast_armor_ap_request +(krb5_context context, struct krb5int_fast_request_state *state, + krb5_ccache ccache, krb5_data *target_realm) +{ + krb5_error_code retval = 0; + krb5_creds creds, *out_creds = NULL; + krb5_auth_context authcontext = NULL; + krb5_data encoded_authenticator; + krb5_fast_armor *armor = NULL; + krb5_keyblock *subkey = NULL, *armor_key = NULL; + encoded_authenticator.data = NULL; + memset(&creds, 0, sizeof(creds)); + retval = krb5_tgtname(context, target_realm, target_realm, &creds.server); + if (retval ==0) + retval = krb5_cc_get_principal(context, ccache, &creds.client); + if (retval == 0) + retval = krb5_get_credentials(context, 0, ccache, &creds, &out_creds); + if (retval == 0) + retval = krb5_mk_req_extended(context, &authcontext, AP_OPTS_USE_SUBKEY, NULL /*data*/, + out_creds, &encoded_authenticator); + if (retval == 0) + retval = krb5_auth_con_getsendsubkey(context, authcontext, &subkey); + if (retval == 0) + retval = krb5_c_fx_cf2_simple(context, subkey, "subkeyarmor", + &out_creds->keyblock, "ticketarmor", &armor_key); + if (retval == 0) { + armor = calloc(1, sizeof(krb5_fast_armor)); + if (armor == NULL) + retval = ENOMEM; + } + if (retval == 0) { + armor->armor_type = KRB5_FAST_ARMOR_AP_REQUEST; + armor->armor_value = encoded_authenticator; + encoded_authenticator.data = NULL; + encoded_authenticator.length = 0; + state->armor = armor; + armor = NULL; + state->armor_key = armor_key; + armor_key = NULL; + } + krb5_free_keyblock(context, armor_key); + krb5_free_keyblock(context, subkey); + if (out_creds) + krb5_free_creds(context, out_creds); + krb5_free_cred_contents(context, &creds); + if (encoded_authenticator.data) + krb5_free_data_contents(context, &encoded_authenticator); + krb5_auth_con_free(context, authcontext); + return retval; +} krb5_error_code 
krb5int_fast_prep_req_body(krb5_context context, struct krb5int_fast_request_state *state, @@ -77,7 +128,35 @@ return retval; } +krb5_error_code krb5int_fast_as_armor +(krb5_context context, struct krb5int_fast_request_state *state, + krb5_gic_opt_ext *opte, + krb5_kdc_req *request) +{ + krb5_error_code retval = 0; + krb5_ccache ccache = NULL; + krb5_clear_error_message(context); + if (opte->opt_private->fast_ccache_name) { + retval = krb5_cc_resolve(context, opte->opt_private->fast_ccache_name, + &ccache); + if (retval==0) + retval = fast_armor_ap_request(context, state, ccache, + krb5_princ_realm(context, request->server)); + if (retval != 0) { + const char * errmsg; + errmsg = krb5_get_error_message(context, retval); + if (errmsg) { + krb5_set_error_message(context, retval, "%s constructing AP-REQ armor", errmsg); + krb5_free_error_message(context, errmsg); + } + } + } + if (ccache) + krb5_cc_close(context, ccache); + return retval; +} + krb5_error_code krb5int_fast_prep_req (krb5_context context, struct krb5int_fast_request_state *state, const krb5_kdc_req *request, 
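Review bot: `krb5_auth_con_free(context, authcontext);` at the end of fast_armor_ap_request runs unconditionally, while authcontext is still NULL whenever krb5_tgtname, krb5_cc_get_principal or krb5_get_credentials fails; the KDC counterpart in fast_util.c guards the same call, so write `if (authcontext) krb5_auth_con_free(context, authcontext);` rather than relying on the callee tolerating NULL. `krb5_free_keyblock(context, armor_key)` and `krb5_free_keyblock(context, subkey)` are likewise reached with NULL on early failures; if krb5_free_keyblock does not accept NULL they need the same guard. The function has no header comment; a line saying it obtains a TGT for target_realm from ccache, wraps it in an AP-REQ with a fresh subkey and derives state->armor_key from subkey and ticket session key via krb5_c_fx_cf2_simple would explain the ownership hand-off at the end.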
@@ -88,28 +167,51 @@ krb5_pa_data *pa_array[3]; krb5_pa_data pa[2]; krb5_fast_req fast_req; + krb5_fast_armored_req *armored_req = NULL; krb5_data *encoded_fast_req = NULL; + krb5_data *encoded_armored_req = NULL; krb5_data *local_encoded_result = NULL; + krb5_cksumtype cksumtype; assert(state != NULL); - assert(state->fast_outer_request.padata == NULL); + assert(state->fast_outer_request.padata == NULL); memset(pa_array, 0, sizeof pa_array); if (state->armor_key == NULL) { return encoder(request, encoded_request); } fast_req.req_body = request; if (fast_req.req_body->padata == NULL) { - fast_req.req_body->padata = calloc(1, sizeof(krb5_pa_data *)); - if (fast_req.req_body->padata == NULL) - retval = ENOMEM; + fast_req.req_body->padata = calloc(1, sizeof(krb5_pa_data *)); + if (fast_req.req_body->padata == NULL) + retval = ENOMEM; } fast_req.fast_options = state->fast_options; if (retval == 0) retval = encode_krb5_fast_req(&fast_req, &encoded_fast_req); + if (retval == 0) { + armored_req = calloc(1, sizeof(krb5_fast_armored_req)); + if (armored_req == NULL) + retval = ENOMEM; + } + if (retval == 0) + armored_req->armor = state->armor; + if (retval == 0) + retval = krb5int_c_mandatory_cksumtype(context, state->armor_key->enctype, + &cksumtype); + if (retval ==0) + retval = krb5_c_make_checksum(context, cksumtype, state->armor_key, + KRB5_KEYUSAGE_FAST_REQ_CHKSUM, to_be_checksummed, + &armored_req->req_checksum); + if (retval == 0) + retval = krb5_encrypt_helper(context, state->armor_key, + KRB5_KEYUSAGE_FAST_ENC, encoded_fast_req, + &armored_req->enc_part); + if (retval == 0) + retval = encode_krb5_pa_fx_fast_request(armored_req, &encoded_armored_req); if (retval==0) { pa[0].pa_type = KRB5_PADATA_FX_FAST; - pa[0].contents = (unsigned char *) encoded_fast_req->data; - pa[0].length = encoded_fast_req->length; + pa[0].contents = (unsigned char *) encoded_armored_req->data; + pa[0].length = encoded_armored_req->length; pa_array[0] = &pa[0]; } if 
(state->cookie_contents.data) { @@ -125,6 +227,12 @@ *encoded_request = local_encoded_result; local_encoded_result = NULL; } + if (encoded_armored_req) + krb5_free_data(context, encoded_armored_req); + if (armored_req) { + armored_req->armor = NULL; /*owned by state*/ + krb5_free_fast_armored_req(context, armored_req); + } if (encoded_fast_req) krb5_free_data(context, encoded_fast_req); if (local_encoded_result) Modified: branches/fast/src/lib/krb5/krb/fast.h =================================================================== --- branches/fast/src/lib/krb5/krb/fast.h 2009-03-26 05:37:04 UTC (rev 22133) +++ branches/fast/src/lib/krb5/krb/fast.h 2009-03-26 05:37:06 UTC (rev 22134) @@ -62,6 +62,10 @@ void krb5int_fast_free_state( krb5_context , struct krb5int_fast_request_state *state); +krb5_error_code krb5int_fast_as_armor +(krb5_context context, struct krb5int_fast_request_state *state, + krb5_gic_opt_ext *opte, + krb5_kdc_req *request); #endif Modified: branches/fast/src/lib/krb5/krb/get_in_tkt.c =================================================================== --- branches/fast/src/lib/krb5/krb/get_in_tkt.c 2009-03-26 05:37:04 UTC (rev 22133) +++ branches/fast/src/lib/krb5/krb/get_in_tkt.c 2009-03-26 05:37:06 UTC (rev 22134) @@ -1239,6 +1239,9 @@ /* XXX Yuck. Old version. */ request.nonce = (krb5_int32) time_now; } + ret = krb5int_fast_as_armor(context, fast_state, options, &request); + if (ret != 0) + goto cleanup; /* give the preauth plugins a chance to prep the request body */ krb5_preauth_prepare_request(context, options, &request); ret = krb5int_fast_prep_req_body(context, fast_state, Modified: branches/fast/src/lib/krb5/krb/gic_opt.c =================================================================== --- branches/fast/src/lib/krb5/krb/gic_opt.c 2009-03-26 05:37:04 UTC (rev 22133) +++ branches/fast/src/lib/krb5/krb/gic_opt.c 2009-03-26 05:37:06 UTC (rev 22134) 
@@ -146,6 +146,8 @@ /* Free up any private stuff */ if (opte->opt_private->preauth_data != NULL) free_gic_opt_ext_preauth_data(context, opte); + if (opte->opt_private->fast_ccache_name) + free(opte->opt_private->fast_ccache_name); free(opte->opt_private); opte->opt_private = NULL; return 0; @@ -465,3 +467,21 @@ } free(preauth_data); } +krb5_error_code KRB5_CALLCONV krb5_get_init_creds_opt_set_fast_ccache_name +(krb5_context context, krb5_get_init_creds_opt *opt, const char *ccache_name) +{ + krb5_error_code retval = 0; + krb5_gic_opt_ext *opte; + + retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0, + "krb5_get_init_creds_opt_set_fast_ccache_name"); + if (retval) + return retval; + if (opte->opt_private->fast_ccache_name) { + free(opte->opt_private->fast_ccache_name); + } + opte->opt_private->fast_ccache_name = strdup(ccache_name); + if (opte->opt_private->fast_ccache_name == NULL) + retval = ENOMEM; + return retval; +} Modified: branches/fast/src/lib/krb5/krb/kfree.c =================================================================== --- branches/fast/src/lib/krb5/krb/kfree.c 2009-03-26 05:37:04 UTC (rev 22133) +++ branches/fast/src/lib/krb5/krb/kfree.c 2009-03-26 05:37:06 UTC (rev 22134) @@ -830,6 +830,7 @@ krb5_free_principal(context, val->client); krb5_free_checksum_contents(context, &val->checksum); krb5_free_checksum_contents(context, &val->ticket_checksum); + free(val); } void krb5_free_typed_data(krb5_context context, krb5_typed_data **in) 
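Review bot: `strdup(ccache_name)` in krb5_get_init_creds_opt_set_fast_ccache_name is undefined behaviour if a caller passes NULL, and a public setter is the natural place to accept NULL as "clear the setting"; after the free add `if (ccache_name == NULL) { opte->opt_private->fast_ccache_name = NULL; return 0; }`. The `if (opte->opt_private->fast_ccache_name)` guard around free here, and the one added in the first hunk of this file, are redundant because free(NULL) is a no-op. The definition carries no header comment; one line noting that the name is copied and owned by opt_private, and freed in krb5_get_init_creds_opt_free, would document the contract the first hunk implements.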
@@ -844,3 +845,16 @@ } free(in); } + +void krb5_free_fast_armored_req(krb5_context context, + krb5_fast_armored_req *val) +{ + if (val == NULL) + return; + if (val->armor) + krb5_free_fast_armor(context, val->armor); + krb5_free_data_contents(context, &val->enc_part.ciphertext); + if (val->req_checksum.contents) + krb5_free_checksum_contents(context, &val->req_checksum); + free(val); +} Modified: branches/fast/src/lib/krb5/libkrb5.exports =================================================================== --- branches/fast/src/lib/krb5/libkrb5.exports 2009-03-26 05:37:04 UTC (rev 22133) +++ branches/fast/src/lib/krb5/libkrb5.exports 2009-03-26 05:37:06 UTC (rev 22134) @@ -305,6 +305,7 @@ krb5_get_init_creds_opt_set_canonicalize krb5_get_init_creds_opt_set_change_password_prompt krb5_get_init_creds_opt_set_etype_list +krb5_get_init_creds_opt_set_fast_ccache_name krb5_get_init_creds_opt_set_forwardable krb5_get_init_creds_opt_set_pa krb5_get_init_creds_opt_set_preauth_list From hartmans at MIT.EDU Thu Mar 26 01:37:10 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:37:10 -0400 Subject: svn rev #22135: branches/fast/src/ kdc/ lib/krb5/ Message-ID: <200903260537.n2Q5bAqf018750@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22135 Commit By: hartmans Log Message: ap-request armor handling for KDC Implement support for ap-request armor handling in the KDC FAST routines. * export needed decoders and free functions from libkrb5 Changed Files: U branches/fast/src/kdc/fast_util.c U branches/fast/src/lib/krb5/libkrb5.exports Modified: branches/fast/src/kdc/fast_util.c =================================================================== --- branches/fast/src/kdc/fast_util.c 2009-03-26 05:37:06 UTC (rev 22134) +++ branches/fast/src/kdc/fast_util.c 2009-03-26 05:37:09 UTC (rev 22135) 
@@ -42,6 +42,60 @@ * kdc-req-body. */ +static krb5_error_code armor_ap_request +(struct kdc_request_state *state, krb5_fast_armor *armor) +{ + krb5_error_code retval = 0; + krb5_auth_context authcontext = NULL; + krb5_ticket *ticket = NULL; + krb5_keyblock *subkey = NULL; + + assert(armor->armor_type = KRB5_FAST_ARMOR_AP_REQUEST); + krb5_clear_error_message(kdc_context); + retval = krb5_auth_con_init(kdc_context, &authcontext); + if (retval == 0) + retval = krb5_auth_con_setflags(kdc_context, authcontext, 0); /*disable replay cache*/ + retval = krb5_rd_req(kdc_context, &authcontext, + &armor->armor_value, NULL /*server*/, + kdc_active_realm->realm_keytab, NULL, &ticket); + if (retval !=0) { + const char * errmsg = krb5_get_error_message(kdc_context, retval); + krb5_set_error_message(kdc_context, retval, + "%s while handling ap-request armor", errmsg); + krb5_free_error_message(kdc_context, errmsg); + } + if (retval == 0) { + if (!krb5_principal_compare_any_realm(kdc_context, + tgs_server, + ticket->server)) { + krb5_set_error_message(kdc_context, KRB5KDC_ERR_SERVER_NOMATCH, + "ap-request armor for something other than the local TGS"); + retval = KRB5KDC_ERR_SERVER_NOMATCH; + } + } + if (retval ==0) { + retval = krb5_auth_con_getrecvsubkey(kdc_context, authcontext, &subkey); + if (retval !=0 || subkey == NULL) { + krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY, + "ap-request armor without subkey"); + retval = KRB5KDC_ERR_POLICY; + } + } + if (retval==0) + retval = krb5_c_fx_cf2_simple(kdc_context, + subkey, "subkeyarmor", + ticket->enc_part2->session, "ticketarmor", + &state->armor_key); + if (ticket) + krb5_free_ticket(kdc_context, ticket); + if (subkey) + krb5_free_keyblock(kdc_context, subkey); + if (authcontext) + krb5_auth_con_free(kdc_context, authcontext); + return retval; +} + + krb5_error_code kdc_find_fast (krb5_kdc_req **requestptr, krb5_data *checksummed_data, krb5_keyblock *tgs_subkey, 
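Review bot: `assert(armor->armor_type = KRB5_FAST_ARMOR_AP_REQUEST);` assigns rather than compares, so it always passes, silently overwrites the caller's armor type, and vanishes entirely under NDEBUG; it should read `assert(armor->armor_type == KRB5_FAST_ARMOR_AP_REQUEST);`. Just below, `retval = krb5_rd_req(...)` is unconditional, so a failure of krb5_auth_con_init or krb5_auth_con_setflags is discarded and krb5_rd_req runs on an auth context that was never set up; prefix it with `if (retval == 0)` like the surrounding calls. The comment `/*disable replay cache*/` would be clearer as a sentence explaining why replay detection is not wanted on armor AP-REQs, since that is a deliberate security decision a later reader will question.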
@@ -52,8 +106,11 @@ krb5_data scratch; krb5_fast_req * fast_req = NULL; krb5_kdc_req *request = *requestptr; + krb5_fast_armored_req *fast_armored_req = NULL; + krb5_boolean cksum_valid; scratch.data = NULL; + krb5_clear_error_message(kdc_context); fast_padata = find_pa_data(request->padata, KRB5_PADATA_FX_FAST); cookie_padata = find_pa_data(request->padata, KRB5_PADATA_FX_COOKIE); 
@@ -62,8 +119,55 @@ scratch.length = fast_padata->length; scratch.data = (char *) fast_padata->contents; - retval = decode_krb5_fast_req(&scratch, &fast_req); + retval = decode_krb5_pa_fx_fast_request(&scratch, &fast_armored_req); + if (retval == 0 &&fast_armored_req->armor) { + switch (fast_armored_req->armor->armor_type) { + case KRB5_FAST_ARMOR_AP_REQUEST: + retval = armor_ap_request(state, fast_armored_req->armor); + break; + default: + krb5_set_error_message(kdc_context, KRB5KDC_ERR_PREAUTH_FAILED, + "Unknow FAST armor type %d", + fast_armored_req->armor->armor_type); + retval = KRB5KDC_ERR_PREAUTH_FAILED; + } + } + if (retval == 0 && !state->armor_key) { + if (tgs_subkey) + retval =krb5_copy_keyblock(kdc_context, tgs_subkey, &state->armor_key); + else { + krb5_set_error_message(kdc_context, KRB5KDC_ERR_PREAUTH_FAILED, + "No armor key but FAST armored request present"); + retval = KRB5KDC_ERR_PREAUTH_FAILED; + } + } if (retval == 0) { + krb5_data plaintext; + plaintext.length = fast_armored_req->enc_part.ciphertext.length; + plaintext.data = malloc(plaintext.length); + if (plaintext.data == NULL) + retval = ENOMEM; + retval = krb5_c_decrypt(kdc_context, + state->armor_key, + KRB5_KEYUSAGE_FAST_ENC, NULL, + &fast_armored_req->enc_part, + &plaintext); + if (retval == 0) + retval = decode_krb5_fast_req(&plaintext, &fast_req); + if (plaintext.data) + free(plaintext.data); + } + if (retval == 0) + retval = krb5_c_verify_checksum(kdc_context, state->armor_key, + KRB5_KEYUSAGE_FAST_REQ_CHKSUM, + checksummed_data, &fast_armored_req->req_checksum, + &cksum_valid); + if (retval == 0 && !cksum_valid) { + retval = KRB5KRB_AP_ERR_MODIFIED; + krb5_set_error_message(kdc_context, KRB5KRB_AP_ERR_MODIFIED, + "FAST req_checksum invalid; request modified"); + } + if (retval == 0) { if ((fast_req->fast_options & UNSUPPORTED_CRITICAL_FAST_OPTIONS) !=0) retval = KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION; } 
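Review bot: In the decrypt block, `if (plaintext.data == NULL) retval = ENOMEM;` is followed immediately by an unconditional `retval = krb5_c_decrypt(...)`, so the ENOMEM is lost and decrypt is handed a NULL output buffer; make it `if (retval == 0) retval = krb5_c_decrypt(...)`. The `default:` arm's message `"Unknow FAST armor type %d"` is missing an `n`. kdc_find_fast begins outside this hunk.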
@@ -95,6 +199,8 @@ } if (fast_req) krb5_free_fast_req( kdc_context, fast_req); + if (fast_armored_req) + krb5_free_fast_armored_req(kdc_context, fast_armored_req); return retval; } Modified: branches/fast/src/lib/krb5/libkrb5.exports =================================================================== --- branches/fast/src/lib/krb5/libkrb5.exports 2009-03-26 05:37:06 UTC (rev 22134) +++ branches/fast/src/lib/krb5/libkrb5.exports 2009-03-26 05:37:09 UTC (rev 22135) @@ -20,6 +20,7 @@ decode_krb5_etype_info decode_krb5_etype_info2 decode_krb5_fast_req +decode_krb5_pa_fx_fast_request decode_krb5_kdc_req_body decode_krb5_pa_enc_ts decode_krb5_pa_for_user @@ -229,6 +230,7 @@ krb5_free_error krb5_free_error_message krb5_free_etype_info +krb5_free_fast_armored_req krb5_free_fast_req krb5_free_host_realm krb5_free_kdc_rep From hartmans at MIT.EDU Thu Mar 26 01:37:12 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:37:12 -0400 Subject: svn rev #22136: branches/fast/src/kdc/ Message-ID: <200903260537.n2Q5bCFq018799@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22136 Commit By: hartmans Log Message: Set status when kdc_find_fast fails in do_as_req.c Changed Files: U branches/fast/src/kdc/do_as_req.c Modified: branches/fast/src/kdc/do_as_req.c =================================================================== --- branches/fast/src/kdc/do_as_req.c 2009-03-26 05:37:09 UTC (rev 22135) +++ branches/fast/src/kdc/do_as_req.c 2009-03-26 05:37:12 UTC (rev 22136) @@ -141,9 +141,10 @@ goto errout; } errcode = kdc_find_fast(&request, req_pkt, NULL /*TGS key*/, state); - if (errcode) + if (errcode) { + status = "error decoding FAST"; goto errout; - + } if (!request->client) { status = "NULL_CLIENT"; errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; From hartmans at MIT.EDU Thu Mar 26 01:37:15 2009 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:37:15 -0400 Subject: svn rev #22137: branches/fast/src/kdc/ Message-ID: <200903260537.n2Q5bFPg018836@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22137 Commit By: hartmans Log Message: do_as_req: decode kdc_req_body Pull the kdc_req_body out of the ASN.1 packet and pass in to be checksummed; the code previously incorrectly passed in the entire kdc_req. Changed Files: U branches/fast/src/kdc/do_as_req.c Modified: branches/fast/src/kdc/do_as_req.c =================================================================== --- branches/fast/src/kdc/do_as_req.c 2009-03-26 05:37:12 UTC (rev 22136) +++ branches/fast/src/kdc/do_as_req.c 2009-03-26 05:37:15 UTC (rev 22137) @@ -118,6 +118,7 @@ const char *emsg = 0; krb5_keylist_node *tmp_mkey_list; struct kdc_request_state *state = NULL; + krb5_data encoded_req_body; #if APPLE_PKINIT @@ -140,7 +141,12 @@ status = "constructing state"; goto errout; } - errcode = kdc_find_fast(&request, req_pkt, NULL /*TGS key*/, state); + if (fetch_asn1_field((unsigned char *) req_pkt->data, + 1, 4, &encoded_req_body) != 0) { + errcode = ASN1_BAD_ID; + status = "Finding req_body"; +} + errcode = kdc_find_fast(&request, &encoded_req_body, NULL /*TGS key*/, state); if (errcode) { status = "error decoding FAST"; goto errout; From hartmans at MIT.EDU Thu Mar 26 01:37:19 2009 
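Review bot: The `fetch_asn1_field` failure branch sets `errcode` and `status` but has no `goto errout;`, so execution falls through into `kdc_find_fast(&request, &encoded_req_body, ...)` with an uninitialised `encoded_req_body` and the error code is then overwritten; add `goto errout;` inside the braces. The closing `}` sits at column 0 while the block is indented, which makes the missing jump easy to overlook. The enclosing function begins outside this hunk.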
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:37:19 -0400 Subject: svn rev #22138: branches/fast/src/ include/ kdc/ lib/krb5/asn.1/ lib/krb5/krb/ Message-ID: <200903260537.n2Q5bJ9c018873@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22138 Commit By: hartmans Log Message: Remove FAST finish checksum Per discussion on ietf-krb-wg, the checksum is unnecessary if a nonce is included in the response . For this to be secure, the cookie needs to be inner padata when FAST is used. * kdc/fast.c: when constructing fast responses include the nonce * lib/krb5/krb/fast.c: generate a random nonce for each time a fast request is constructed * add nonce field to fast_response * remove checksum field from fast_finished * Look for cookie as inner padata when FAST is used Changed Files: U branches/fast/src/include/k5-int.h U branches/fast/src/kdc/do_as_req.c U branches/fast/src/kdc/fast_util.c U branches/fast/src/kdc/kdc_util.h U branches/fast/src/lib/krb5/asn.1/asn1_k_decode.c U branches/fast/src/lib/krb5/asn.1/asn1_k_encode.c U branches/fast/src/lib/krb5/asn.1/krb5_decode.c U branches/fast/src/lib/krb5/krb/fast.c U branches/fast/src/lib/krb5/krb/fast.h U branches/fast/src/lib/krb5/krb/kfree.c Modified: branches/fast/src/include/k5-int.h =================================================================== --- branches/fast/src/include/k5-int.h 2009-03-26 05:37:15 UTC (rev 22137) +++ branches/fast/src/include/k5-int.h 2009-03-26 05:37:18 UTC (rev 22138) 
@@ -989,19 +989,19 @@ #define UNSUPPORTED_CRITICAL_FAST_OPTIONS 0x00ff #define KRB5_FAST_OPTION_HIDE_CLIENT_NAMES 0x01 - typedef struct _krb5_fast_finished { - krb5_timestamp timestamp; - krb5_int32 usec; - krb5_principal client; - krb5_checksum checksum; - krb5_checksum ticket_checksum; - } krb5_fast_finished; +typedef struct _krb5_fast_finished { + krb5_timestamp timestamp; + krb5_int32 usec; + krb5_principal client; + krb5_checksum ticket_checksum; +} krb5_fast_finished; - typedef struct _krb5_fast_response { - krb5_magic magic; +typedef struct _krb5_fast_response { + krb5_magic magic; krb5_pa_data **padata; krb5_keyblock *rep_key; krb5_fast_finished *finished; + krb5_int32 nonce; } krb5_fast_response; Modified: branches/fast/src/kdc/do_as_req.c =================================================================== --- branches/fast/src/kdc/do_as_req.c 2009-03-26 05:37:15 UTC (rev 22137) +++ branches/fast/src/kdc/do_as_req.c 2009-03-26 05:37:18 UTC (rev 22138) @@ -766,7 +766,7 @@ } } retval = kdc_fast_handle_error(kdc_context, rstate, - pa, &errpkt); + request, pa, &errpkt); if (retval == 0) retval = krb5_mk_error(kdc_context, &errpkt, scratch); free(errpkt.text.data); Modified: branches/fast/src/kdc/fast_util.c =================================================================== --- branches/fast/src/kdc/fast_util.c 2009-03-26 05:37:15 UTC (rev 22137) +++ branches/fast/src/kdc/fast_util.c 2009-03-26 05:37:18 UTC (rev 22138) @@ -113,10 +113,7 @@ krb5_clear_error_message(kdc_context); fast_padata = find_pa_data(request->padata, KRB5_PADATA_FX_FAST); - cookie_padata = find_pa_data(request->padata, KRB5_PADATA_FX_COOKIE); - if (fast_padata == NULL) - return 0; /*no fast*/ - + if (fast_padata != NULL){ scratch.length = fast_padata->length; scratch.data = (char *) fast_padata->contents; retval = decode_krb5_pa_fx_fast_request(&scratch, &fast_armored_req); 
@@ -171,7 +168,20 @@ if ((fast_req->fast_options & UNSUPPORTED_CRITICAL_FAST_OPTIONS) !=0) retval = KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION; } - if (retval == 0 && cookie_padata != NULL) { + if (retval == 0) + cookie_padata = find_pa_data(fast_req->req_body->padata, KRB5_PADATA_FX_COOKIE); + if (retval == 0) { + state->fast_options = fast_req->fast_options; + if (request->kdc_state == state) + request->kdc_state = NULL; + krb5_free_kdc_req( kdc_context, request); + *requestptr = fast_req->req_body; + fast_req->req_body = NULL; + + } + } + else cookie_padata = find_pa_data(request->padata, KRB5_PADATA_FX_COOKIE); + if (retval == 0 && cookie_padata != NULL) { krb5_pa_data *new_padata = malloc(sizeof (krb5_pa_data)); if (new_padata != NULL) { retval = ENOMEM; @@ -188,16 +198,7 @@ } } } - if (retval == 0) { - state->fast_options = fast_req->fast_options; - if (request->kdc_state == state) - request->kdc_state = NULL; - krb5_free_kdc_req( kdc_context, request); - *requestptr = fast_req->req_body; - fast_req->req_body = NULL; - - } - if (fast_req) + if (fast_req) krb5_free_fast_req( kdc_context, fast_req); if (fast_armored_req) krb5_free_fast_armored_req(kdc_context, fast_armored_req); @@ -232,7 +233,9 @@ } krb5_error_code kdc_fast_response_handle_padata -(struct kdc_request_state *state, krb5_kdc_rep *rep, const krb5_data *pkt) +(struct kdc_request_state *state, + krb5_kdc_req *request, + krb5_kdc_rep *rep) { krb5_error_code retval = 0; krb5_fast_finished finish; @@ -246,7 +249,8 @@ return 0; memset(&finish, 0, sizeof(finish)); fast_response.padata = rep->padata; - fast_response.rep_key = state->reply_key; + fast_response.rep_key = state->reply_key; + fast_response.nonce = request->nonce; fast_response.finished = &finish; finish.client = rep->client; pa_array = calloc(3, sizeof(*pa_array)); 
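Review bot: `else cookie_padata = find_pa_data(request->padata, KRB5_PADATA_FX_COOKIE);` pairs with the `if (fast_padata != NULL){` opened in the previous hunk, roughly fifty lines earlier, and the FAST branch frees the outer request with `krb5_free_kdc_req( kdc_context, request);` while leaving the local `request` pointing at freed memory; if the cookie-appending code that follows, which is outside this view, still dereferences `request`, that is a use after free, so reassign `request = *requestptr;` after the swap or have the later code read `*requestptr`. Moving the FAST-branch body into a static helper would make the if/else pairing visible at a glance. Separately, the unchanged context `if (new_padata != NULL) { retval = ENOMEM;` reads as an inverted test and is worth checking while here. kdc_find_fast begins and ends outside this hunk.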
@@ -263,12 +267,7 @@ retval = krb5_c_make_checksum(kdc_context, cksumtype, state->armor_key, KRB5_KEYUSAGE_FAST_FINISHED, encoded_ticket, &finish.ticket_checksum); -/* xxx checksum should be something else; sticking ticket_checksum there is a placeholder*/ if (retval == 0) - retval = krb5_c_make_checksum(kdc_context, cksumtype, - state->armor_key, KRB5_KEYUSAGE_FAST_FINISHED, - encoded_ticket, &finish.checksum); - if (retval == 0) retval = encode_krb5_fast_response(&fast_response, &encoded_fast_response); if (retval == 0) { pa[0].pa_type = KRB5_PADATA_FX_FAST; @@ -286,10 +285,8 @@ krb5_free_data(kdc_context, encoded_fast_response); if (encoded_ticket) krb5_free_data(kdc_context, encoded_ticket); - if (finish.checksum.contents) - krb5_free_checksum_contents(kdc_context, &finish.checksum); if (finish.ticket_checksum.contents) - krb5_free_checksum_contents(kdc_context, &finish.checksum); + krb5_free_checksum_contents(kdc_context, &finish.ticket_checksum); return retval; } @@ -301,6 +298,7 @@ */ krb5_error_code kdc_fast_handle_error (krb5_context context, struct kdc_request_state *state, + krb5_kdc_req *request, krb5_pa_data **in_padata, krb5_error *err) { krb5_error_code retval = 0; @@ -335,6 +333,7 @@ pa[0].contents = (unsigned char *) encoded_fx_error->data; inner_pa[size++] = &pa[0]; resp.padata = inner_pa; + resp.nonce = request->nonce; resp.rep_key = NULL; resp.finished = NULL; } Modified: branches/fast/src/kdc/kdc_util.h =================================================================== --- branches/fast/src/kdc/kdc_util.h 2009-03-26 05:37:15 UTC (rev 22137) +++ branches/fast/src/kdc/kdc_util.h 2009-03-26 05:37:18 UTC (rev 22138) 
@@ -323,9 +323,12 @@ struct kdc_request_state *state); krb5_error_code kdc_fast_response_handle_padata -(struct kdc_request_state *state, krb5_kdc_rep *rep, const krb5_data *pkt); +(struct kdc_request_state *state, + krb5_kdc_req *request, + krb5_kdc_rep *rep); krb5_error_code kdc_fast_handle_error (krb5_context context, struct kdc_request_state *state, + krb5_kdc_req *request, krb5_pa_data **in_padata, krb5_error *err); Modified: branches/fast/src/lib/krb5/asn.1/asn1_k_decode.c =================================================================== --- branches/fast/src/lib/krb5/asn.1/asn1_k_decode.c 2009-03-26 05:37:15 UTC (rev 22137) +++ branches/fast/src/lib/krb5/asn.1/asn1_k_decode.c 2009-03-26 05:37:18 UTC (rev 22138) @@ -1653,7 +1653,6 @@ { setup(); val->client = NULL; - val->checksum.contents = NULL; val->ticket_checksum.contents = NULL; {begin_structure(); get_field(val->timestamp, 0, asn1_decode_kerberos_time); @@ -1661,14 +1660,12 @@ alloc_field(val->client); get_field(val->client, 2, asn1_decode_realm); get_field(val->client, 3, asn1_decode_principal_name); - get_field(val->checksum, 4, asn1_decode_checksum); - get_field(val->ticket_checksum, 5, asn1_decode_checksum); + get_field(val->ticket_checksum, 4, asn1_decode_checksum); end_structure(); } return 0; error_out: krb5_free_principal(NULL, val->client); - krb5_free_checksum_contents(NULL, &val->checksum); krb5_free_checksum_contents( NULL, &val->ticket_checksum); return retval; } Modified: branches/fast/src/lib/krb5/asn.1/asn1_k_encode.c =================================================================== --- branches/fast/src/lib/krb5/asn.1/asn1_k_encode.c 2009-03-26 05:37:15 UTC (rev 22137) +++ branches/fast/src/lib/krb5/asn.1/asn1_k_encode.c 2009-03-26 05:37:18 UTC (rev 22138) 
@@ -1224,8 +1224,7 @@ FIELDOF_NORM( krb5_fast_finished, int32, usec, 1), FIELDOF_NORM( krb5_fast_finished, realm_of_principal, client, 2), FIELDOF_NORM(krb5_fast_finished, principal, client, 3), - FIELDOF_NORM( krb5_fast_finished, checksum, checksum, 4), - FIELDOF_NORM( krb5_fast_finished, checksum, ticket_checksum, 5), + FIELDOF_NORM( krb5_fast_finished, checksum, ticket_checksum, 4), }; DEFSEQTYPE( fast_finished, krb5_fast_finished, fast_finished_fields, 0); @@ -1236,6 +1235,7 @@ FIELDOF_NORM(krb5_fast_response, ptr_seqof_pa_data, padata, 0), FIELDOF_OPT( krb5_fast_response, ptr_encryption_key, rep_key, 1, 1), FIELDOF_OPT( krb5_fast_response, ptr_fast_finished, finished, 2, 2), + FIELDOF_NORM(krb5_fast_response, int32, nonce, 3), }; static unsigned int fast_response_optional (const void *p) Modified: branches/fast/src/lib/krb5/asn.1/krb5_decode.c =================================================================== --- branches/fast/src/lib/krb5/asn.1/krb5_decode.c 2009-03-26 05:37:15 UTC (rev 22137) +++ branches/fast/src/lib/krb5/asn.1/krb5_decode.c 2009-03-26 05:37:18 UTC (rev 22138) @@ -1142,7 +1142,8 @@ get_field(rep->padata, 0, asn1_decode_sequence_of_pa_data); opt_field(rep->rep_key, 1, asn1_decode_encryption_key_ptr); opt_field(rep->finished, 2, asn1_decode_fast_finished_ptr); - end_structure(); } + get_field(rep->nonce, 3, asn1_decode_int32); + end_structure(); } rep->magic = KV5M_FAST_RESPONSE; cleanup(free); } Modified: branches/fast/src/lib/krb5/krb/fast.c =================================================================== --- branches/fast/src/lib/krb5/krb/fast.c 2009-03-26 05:37:15 UTC (rev 22137) +++ branches/fast/src/lib/krb5/krb/fast.c 2009-03-26 05:37:18 UTC (rev 22138) @@ -159,7 +159,7 @@ krb5_error_code krb5int_fast_prep_req (krb5_context context, struct krb5int_fast_request_state *state, - const krb5_kdc_req *request, + krb5_kdc_req *request, const krb5_data *to_be_checksummed, kdc_req_encoder_proc encoder, krb5_data **encoded_request) { 
@@ -172,6 +172,8 @@ krb5_data *encoded_armored_req = NULL; krb5_data *local_encoded_result = NULL; krb5_cksumtype cksumtype; + krb5_data random_data; + char random_buf[4]; assert(state != NULL); assert(state->fast_outer_request.padata == NULL); @@ -179,6 +181,14 @@ if (state->armor_key == NULL) { return encoder(request, encoded_request); } +/* Fill in a fresh random nonce for each inner request*/ + random_data.length = 4; + random_data.data = (char *)random_buf; + retval = krb5_c_random_make_octets(context, &random_data); + if (retval == 0) { + request->nonce = 0x7fffffff & load_32_n(random_buf); + state->nonce = request->nonce; + } fast_req.req_body = request; if (fast_req.req_body->padata == NULL) { fast_req.req_body->padata = calloc(1, sizeof(krb5_pa_data *)); @@ -287,6 +297,12 @@ krb5_free_pa_data(context, result); result = NULL; if (retval == 0) { + if (fast_response->nonce != state->nonce) { + krb5_set_error_message(context, KRB5_KDCREP_MODIFIED, "Nonce in reply did not match expected value"); + retval = KRB5_KDCREP_MODIFIED; + } + } + if (retval == 0) { fx_error_pa = krb5int_find_pa_data(context, fast_response->padata, KRB5_PADATA_FX_ERROR); if (fx_error_pa == NULL) { krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED, "Expecting FX_ERROR pa-data inside FAST container"); Modified: branches/fast/src/lib/krb5/krb/fast.h =================================================================== --- branches/fast/src/lib/krb5/krb/fast.h 2009-03-26 05:37:15 UTC (rev 22137) +++ branches/fast/src/lib/krb5/krb/fast.h 2009-03-26 05:37:18 UTC (rev 22138) @@ -39,6 +39,7 @@ krb5_ui_4 fast_state_flags; krb5_ui_4 fast_options; krb5_data cookie_contents; + krb5_int32 nonce; }; krb5_error_code 
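Review bot: In the second hunk a failure from `krb5_c_random_make_octets` leaves `retval` non-zero but control falls through into the `fast_req.req_body` setup and the `padata` allocation, with `request->nonce` untouched and `state->nonce` still holding whatever an earlier request stored. The function already returns early a few lines above when no armor key is present, so an early return is consistent here: `if (retval != 0) return retval;` directly after the call. That also keeps the `fast_response->nonce != state->nonce` comparison in the third hunk from ever running against a stale nonce. The added comment `/* Fill in a fresh random nonce for each inner request*/` sits at column 0 inside an indented body; indent it with the statement it describes. krb5int_fast_prep_req begins before the first hunk and continues after the second.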
@@ -49,7 +50,7 @@ krb5_error_code krb5int_fast_prep_req (krb5_context context, struct krb5int_fast_request_state *state, - const krb5_kdc_req *request, + krb5_kdc_req *request, const krb5_data *to_be_checksummed, kdc_req_encoder_proc encoder, krb5_data **encoded_request); krb5_error_code Modified: branches/fast/src/lib/krb5/krb/kfree.c =================================================================== --- branches/fast/src/lib/krb5/krb/kfree.c 2009-03-26 05:37:15 UTC (rev 22137) +++ branches/fast/src/lib/krb5/krb/kfree.c 2009-03-26 05:37:18 UTC (rev 22138) @@ -828,7 +828,6 @@ if (!val) return; krb5_free_principal(context, val->client); - krb5_free_checksum_contents(context, &val->checksum); krb5_free_checksum_contents(context, &val->ticket_checksum); free(val); } From hartmans at MIT.EDU Thu Mar 26 01:37:23 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:37:23 -0400 Subject: svn rev #22139: branches/fast/src/lib/krb5/krb/ Message-ID: <200903260537.n2Q5bNbw018910@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22139 Commit By: hartmans Log Message: Do not include cookie in outer padata on client If the cookie is going to be present in the inner padata then krb5int_fast_process_error is the wrong place to emit it. Instead it should be added to the padata in the preauth loop. This patch removes it from the outer padata. In addition, it is easier if the cookie is stored as a pa_data on the client rather than a krb5_data. Changed Files: U branches/fast/src/lib/krb5/krb/fast.c U branches/fast/src/lib/krb5/krb/fast.h Modified: branches/fast/src/lib/krb5/krb/fast.c =================================================================== --- branches/fast/src/lib/krb5/krb/fast.c 2009-03-26 05:37:18 UTC (rev 22138) +++ branches/fast/src/lib/krb5/krb/fast.c 2009-03-26 05:37:23 UTC (rev 22139) 
@@ -164,7 +164,7 @@ krb5_data **encoded_request) { krb5_error_code retval = 0; - krb5_pa_data *pa_array[3]; + krb5_pa_data *pa_array[2]; krb5_pa_data pa[2]; krb5_fast_req fast_req; krb5_fast_armored_req *armored_req = NULL; @@ -175,6 +175,7 @@ krb5_data random_data; char random_buf[4]; + assert(state != NULL); assert(state->fast_outer_request.padata == NULL); memset(pa_array, 0, sizeof pa_array); @@ -224,12 +225,6 @@ pa[0].length = encoded_armored_req->length; pa_array[0] = &pa[0]; } - if (state->cookie_contents.data) { - pa[1].contents = (unsigned char *) state->cookie_contents.data; - pa[1].length = state->cookie_contents.length; - pa[1].pa_type = KRB5_PADATA_FX_COOKIE; - pa_array[1] = &pa[1]; - } state->fast_outer_request.padata = pa_array; if(retval == 0) retval = encoder(&state->fast_outer_request, &local_encoded_result); @@ -381,7 +376,11 @@ /*We are responsible for none of the store in the fast_outer_req*/ krb5_free_keyblock(context, state->armor_key); krb5_free_fast_armor(context, state->armor); - krb5_free_data_contents(context, &state->cookie_contents); + if (state->cookie) { + free(state->cookie->contents); + free(state->cookie); + state->cookie = NULL; + } } krb5_pa_data * krb5int_find_pa_data Modified: branches/fast/src/lib/krb5/krb/fast.h =================================================================== --- branches/fast/src/lib/krb5/krb/fast.h 2009-03-26 05:37:18 UTC (rev 22138) +++ branches/fast/src/lib/krb5/krb/fast.h 2009-03-26 05:37:23 UTC (rev 22139) @@ -38,7 +38,7 @@ krb5_fast_armor *armor; krb5_ui_4 fast_state_flags; krb5_ui_4 fast_options; - krb5_data cookie_contents; + krb5_pa_data *cookie; krb5_int32 nonce; }; From hartmans at MIT.EDU Thu Mar 26 01:37:26 2009 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:37:26 -0400 Subject: svn rev #22140: branches/fast/src/lib/krb5/ error_tables/ krb/ Message-ID: <200903260537.n2Q5bQU5018947@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22140 Commit By: hartmans Log Message: FAST encrypted response for client Implement routine to decrypt FAST response. Use this in process_error. Implement new krb5int_fast_process_response to process FAST in an AS-REP or TGS-rep. Call that routine from krb5_get_init_creds. Add a new error code for FAST required but not supported. Changed Files: U branches/fast/src/lib/krb5/error_tables/krb5_err.et U branches/fast/src/lib/krb5/krb/fast.c U branches/fast/src/lib/krb5/krb/fast.h U branches/fast/src/lib/krb5/krb/get_in_tkt.c Modified: branches/fast/src/lib/krb5/error_tables/krb5_err.et =================================================================== --- branches/fast/src/lib/krb5/error_tables/krb5_err.et 2009-03-26 05:37:23 UTC (rev 22139) +++ branches/fast/src/lib/krb5/error_tables/krb5_err.et 2009-03-26 05:37:25 UTC (rev 22140) @@ -347,4 +347,5 @@ error_code KRB5_PLUGIN_OP_NOTSUPP, "Plugin does not support the operaton" error_code KRB5_ERR_INVALID_UTF8, "Invalid UTF-8 string" +error_code KRB5_ERR_FAST_REQUIRED, "FAST protected pre-authentication required but not supported by KDC" end Modified: branches/fast/src/lib/krb5/krb/fast.c =================================================================== --- branches/fast/src/lib/krb5/krb/fast.c 2009-03-26 05:37:23 UTC (rev 22139) +++ branches/fast/src/lib/krb5/krb/fast.c 2009-03-26 05:37:25 UTC (rev 22140) 
@@ -246,6 +246,63 @@ return retval; } +static krb5_error_code decrypt_fast_reply +(krb5_context context, struct krb5int_fast_request_state *state, + krb5_pa_data **in_padata, + krb5_fast_response **response) +{ + krb5_error_code retval = 0; + krb5_data scratch; + krb5_enc_data *encrypted_response = NULL; + krb5_pa_data *fx_reply = NULL; + krb5_fast_response *local_resp = NULL; + assert(state != NULL); + if (state->armor_key == NULL) + return 0; + fx_reply = krb5int_find_pa_data(context, in_padata, KRB5_PADATA_FX_FAST); + if (fx_reply == NULL) + retval = KRB5_ERR_FAST_REQUIRED; + if (retval == 0) { + scratch.data = (char *) fx_reply->contents; + scratch.length = fx_reply->length; + retval = decode_krb5_pa_fx_fast_reply(&scratch, &encrypted_response); + } + scratch.data = NULL; + if (retval == 0) { + scratch.data = malloc(encrypted_response->ciphertext.length); + if (scratch.data == NULL) + retval = ENOMEM; + scratch.length = encrypted_response->ciphertext.length; + } + if (retval == 0) + retval = krb5_c_decrypt(context, state->armor_key, + KRB5_KEYUSAGE_FAST_REP, NULL, + encrypted_response, &scratch); + if (retval != 0) { + const char * errmsg; + errmsg = krb5_get_error_message(context, retval); + krb5_set_error_message(context, retval, "%s while decrypting FAST reply", errmsg); + krb5_free_error_message(context, errmsg); + } + if (retval == 0) + retval = decode_krb5_fast_response(&scratch, &local_resp); + if (retval == 0) { + if (local_resp->nonce != state->nonce) { + retval = KRB5_KDCREP_MODIFIED; + krb5_set_error_message(context, retval, "nonce modified in FAST response: KDC response modified"); + } + } + if (retval == 0) { + *response = local_resp; + local_resp = NULL; + } + if (scratch.data) + free(scratch.data); + if (encrypted_response) + krb5_free_enc_data(context, encrypted_response); + return retval; +} + /* * FAST separates two concepts: the set of padata we're using to * decide what pre-auth mechanisms to use and the set of padata we're 
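Review bot: The `if (retval != 0)` block that rewrites the error as "%s while decrypting FAST reply" follows every earlier failure point in `decrypt_fast_reply`, so a missing FX_FAST padata (`KRB5_ERR_FAST_REQUIRED`), a decode failure or `ENOENT` from the malloc check all get a misleading "while decrypting" suffix; scope it to the `krb5_c_decrypt` call. Two resource issues in the same function: when the nonce comparison fails, `local_resp` is never released (nothing frees it after the `*response = local_resp` hand-off), and `scratch.data`, which after a successful decrypt holds the plaintext FAST response including `rep_key`, is passed to `free` without being zeroed. A plain `memset` before `free` can be elided by the compiler, so use the tree's secure-zeroing helper if one exists; the rewritten tail below shows the shape.
```c
    if (retval == 0) {
        retval = krb5_c_decrypt(context, state->armor_key,
                                KRB5_KEYUSAGE_FAST_REP, NULL,
                                encrypted_response, &scratch);
        if (retval != 0) {
            const char *errmsg = krb5_get_error_message(context, retval);
            krb5_set_error_message(context, retval,
                                   "%s while decrypting FAST reply", errmsg);
            krb5_free_error_message(context, errmsg);
        }
    }
    /* … unchanged: decode_krb5_fast_response, nonce comparison, hand-off of local_resp … */
    if (local_resp)
        krb5_free_fast_response(context, local_resp);
    if (scratch.data) {
        memset(scratch.data, 0, scratch.length); /* plaintext carried rep_key */
        free(scratch.data);
    }
```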
@@ -269,15 +326,15 @@ *out_padata = NULL; *retry = 0; if (state->armor_key) { - krb5_pa_data *fast_pa, *fx_error_pa; + krb5_pa_data *fx_error_pa; krb5_pa_data **result = NULL; krb5_data scratch, *encoded_td = NULL; krb5_error *fx_error = NULL; krb5_fast_response *fast_response = NULL; retval = decode_krb5_padata_sequence(&err_reply->e_data, &result); if (retval == 0) - fast_pa = krb5int_find_pa_data(context, result, KRB5_PADATA_FX_FAST); - if (retval || fast_pa == NULL) { + retval = decrypt_fast_reply(context, state, result, &fast_response); + if (retval) { /*This can happen if the KDC does not understand FAST. We * don't expect that, but treating it as the fatal error * indicated by the KDC seems reasonable. @@ -286,17 +343,8 @@ krb5_free_pa_data(context, result); return 0; } - scratch.data = (char *) fast_pa->contents; - scratch.length = fast_pa->length; - retval = decode_krb5_fast_response(&scratch, &fast_response); krb5_free_pa_data(context, result); result = NULL; - if (retval == 0) { - if (fast_response->nonce != state->nonce) { - krb5_set_error_message(context, KRB5_KDCREP_MODIFIED, "Nonce in reply did not match expected value"); - retval = KRB5_KDCREP_MODIFIED; - } - } if (retval == 0) { fx_error_pa = krb5int_find_pa_data(context, fast_response->padata, KRB5_PADATA_FX_ERROR); if (fx_error_pa == NULL) { @@ -317,7 +365,7 @@ */ if (retval == 0) retval = encode_krb5_typed_data( (krb5_typed_data **) fast_response->padata, - &encoded_td); + &encoded_td); if (retval == 0) { fx_error->e_data = *encoded_td; free(encoded_td); /*contents owned by fx_error*/ 
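Review bot: The `if (retval)` branch in the first hunk now treats every failure from `decrypt_fast_reply` — no FX_FAST padata present, a decryption failure, or a nonce mismatch — as "the KDC does not understand FAST" and returns 0, so the caller proceeds on the unprotected error reply. Only `KRB5_ERR_FAST_REQUIRED` matches the comment kept in that branch; an FX_FAST padata that is present but fails to decrypt or carries the wrong nonce is a modified reply and should propagate, e.g. `if (retval != 0 && retval != KRB5_ERR_FAST_REQUIRED) { krb5_free_pa_data(context, result); return retval; }` ahead of the existing branch. With the `fast_pa` block removed, `scratch` in `krb5_data scratch, *encoded_td = NULL;` appears to have no remaining use in this function; if that holds outside the hunks, drop it. krb5int_fast_process_error begins before the first hunk and continues after the third.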
@@ -353,10 +401,58 @@ "Error decoding padata in error reply"); return retval; } + } + return retval; +} + + +krb5_error_code krb5int_fast_process_response +(krb5_context context, struct krb5int_fast_request_state *state, + krb5_kdc_rep *resp, + krb5_keyblock **as_key) +{ + krb5_error_code retval = 0; + krb5_fast_response *fast_response = NULL; + krb5_data *encoded_ticket = NULL; + krb5_boolean cksum_valid; + krb5_clear_error_message(context); + *as_key = NULL; + retval = decrypt_fast_reply(context, state, resp->padata, + &fast_response); + if (retval == 0) { + if (fast_response->finished == 0) { + retval = KRB5_KDCREP_MODIFIED; + krb5_set_error_message(context, retval, "FAST response missing finish message in KDC reply"); } + } + if (retval == 0) + retval = encode_krb5_ticket(resp->ticket, &encoded_ticket); + if (retval == 0) + retval = krb5_c_verify_checksum(context, state->armor_key, + KRB5_KEYUSAGE_FAST_FINISHED, + encoded_ticket, + &fast_response->finished->ticket_checksum, + &cksum_valid); + if (retval == 0 && cksum_valid == 0) { + retval = KRB5_KDCREP_MODIFIED; + krb5_set_error_message(context, retval, "ticket modified in KDC reply"); + } + if (retval == 0) { + krb5_free_principal(context, resp->client); + resp->client = fast_response->finished->client; + fast_response->finished->client = NULL; + *as_key = fast_response->rep_key; + fast_response->rep_key = NULL; + krb5_free_pa_data(context, resp->padata); + resp->padata = fast_response->padata; + fast_response->padata = NULL; + } + if (fast_response) + krb5_free_fast_response(context, fast_response); + if (encoded_ticket) + krb5_free_data(context, encoded_ticket); return retval; } - krb5_error_code krb5int_fast_make_state( krb5_context context, struct krb5int_fast_request_state **state) { 
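Review bot: `krb5int_fast_process_response` verifies `ticket_checksum` with the armor key but never checks that the checksum type the KDC chose is a keyed one, so an unkeyed type in the reply would be verified without involving the key at all. Add, before the `krb5_c_verify_checksum` call, `if (retval == 0 && !krb5_c_is_keyed_cksum(fast_response->finished->ticket_checksum.checksum_type)) retval = KRB5_KDCREP_MODIFIED;` with the same "ticket modified" message. The comparison `fast_response->finished == 0` tests a pointer against an integer literal; `== NULL` matches the rest of the file. A short header comment would help readers: `/* Decrypt the FX_FAST reply, verify the ticket checksum, then move client, rep_key and padata out of the FAST container into resp/as_key. */`.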
@@ -381,6 +477,7 @@ free(state->cookie); state->cookie = NULL; } + free(state); } krb5_pa_data * krb5int_find_pa_data Modified: branches/fast/src/lib/krb5/krb/fast.h =================================================================== --- branches/fast/src/lib/krb5/krb/fast.h 2009-03-26 05:37:23 UTC (rev 22139) +++ branches/fast/src/lib/krb5/krb/fast.h 2009-03-26 05:37:25 UTC (rev 22140) @@ -58,6 +58,11 @@ krb5_error **err_replyptr , krb5_pa_data ***out_padata, krb5_boolean *retry); +krb5_error_code krb5int_fast_process_response +(krb5_context context, struct krb5int_fast_request_state *state, + krb5_kdc_rep *resp, + krb5_keyblock **as_key); + krb5_error_code krb5int_fast_make_state( krb5_context context, struct krb5int_fast_request_state **state); Modified: branches/fast/src/lib/krb5/krb/get_in_tkt.c =================================================================== --- branches/fast/src/lib/krb5/krb/get_in_tkt.c 2009-03-26 05:37:23 UTC (rev 22139) +++ branches/fast/src/lib/krb5/krb/get_in_tkt.c 2009-03-26 05:37:25 UTC (rev 22140) @@ -968,6 +968,7 @@ krb5_data salt; krb5_data s2kparams; krb5_keyblock as_key; + krb5_keyblock *fast_as_key = NULL; krb5_error *err_reply; krb5_kdc_rep *local_as_reply; krb5_timestamp time_now; @@ -993,7 +994,7 @@ preauth_to_use = NULL; kdc_padata = NULL; as_key.length = 0; - salt.length = 0; + salt.length = 0; salt.data = NULL; local_as_reply = 0; @@ -1396,6 +1397,10 @@ /* process any preauth data in the as_reply */ krb5_clear_preauth_context_use_counts(context); + ret = krb5int_fast_process_response(context, fast_state, + local_as_reply, &fast_as_key); + if (ret) + goto cleanup; if ((ret = sort_krb5_padata_sequence(context, &request.server->realm, local_as_reply->padata))) goto cleanup; 
@@ -1441,8 +1446,14 @@ it. If decrypting the as_rep fails, or if there isn't an as_key at all yet, then use the gak_fct to get one, and try again. */ - - if (as_key.length) + if (fast_as_key) { + if (as_key.length) + krb5_free_keyblock_contents(context, &as_key); + as_key = *fast_as_key; + free(fast_as_key); + fast_as_key = NULL; + } + if (as_key.length) ret = decrypt_as_reply(context, NULL, local_as_reply, NULL, NULL, &as_key, krb5_kdc_rep_decrypt_proc, NULL); @@ -1499,6 +1510,7 @@ } } krb5_preauth_request_context_fini(context); + krb5_free_keyblock(context, fast_as_key); if (fast_state) krb5int_fast_free_state(context, fast_state); if (out_padata) From hartmans at MIT.EDU Thu Mar 26 01:37:31 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:37:31 -0400 Subject: svn rev #22142: branches/fast/src/kdc/ Message-ID: <200903260537.n2Q5bVDJ019021@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22142 Commit By: hartmans Log Message: KDC TGS FAST support * Correct TGS armor key handling * Use appropriate checksum type for FAST responses from KDC * FAST response handling for TGS replies and errors Changed Files: U branches/fast/src/kdc/do_as_req.c U branches/fast/src/kdc/do_tgs_req.c U branches/fast/src/kdc/fast_util.c U branches/fast/src/kdc/kdc_util.h Modified: branches/fast/src/kdc/do_as_req.c =================================================================== --- branches/fast/src/kdc/do_as_req.c 2009-03-26 05:37:28 UTC (rev 22141) +++ branches/fast/src/kdc/do_as_req.c 2009-03-26 05:37:31 UTC (rev 22142) 
@@ -146,7 +146,7 @@ errcode = ASN1_BAD_ID; status = "Finding req_body"; } - errcode = kdc_find_fast(&request, &encoded_req_body, NULL /*TGS key*/, state); + errcode = kdc_find_fast(&request, &encoded_req_body, NULL /*TGS key*/, NULL, state); if (errcode) { status = "error decoding FAST"; goto errout; Modified: branches/fast/src/kdc/do_tgs_req.c =================================================================== --- branches/fast/src/kdc/do_tgs_req.c 2009-03-26 05:37:28 UTC (rev 22141) +++ branches/fast/src/kdc/do_tgs_req.c 2009-03-26 05:37:31 UTC (rev 22142) @@ -76,7 +76,7 @@ krb5_boolean *,int *); static krb5_error_code -prepare_error_tgs(krb5_kdc_req *,krb5_ticket *,int, +prepare_error_tgs(struct kdc_request_state *, krb5_kdc_req *,krb5_ticket *,int, krb5_principal,krb5_data **,const char *); static krb5_int32 @@ -166,7 +166,7 @@ } scratch.length = pa_tgs_req->length; scratch.data = (char *) pa_tgs_req->contents; - errcode = kdc_find_fast(&request, &scratch, subkey, state); + errcode = kdc_find_fast(&request, &scratch, subkey, header_ticket->enc_part2->session, state); if (errcode !=0) { status = "kdc_find_fast"; goto cleanup; @@ -873,7 +873,12 @@ reply.enc_part.enctype = subkey ? subkey->enctype : header_ticket->enc_part2->session->enctype; - errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart, + errcode = kdc_fast_response_handle_padata(state, request, &reply); + if (errcode !=0 ) { + status = "Preparing FAST padata"; + goto cleanup; + } + errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart, subkey ? 1 : 0, subkey ? subkey : header_ticket->enc_part2->session, @@ -914,7 +919,7 @@ if (errcode < 0 || errcode > 128) errcode = KRB_ERR_GENERIC; - retval = prepare_error_tgs(request, header_ticket, errcode, + retval = prepare_error_tgs(state, request, header_ticket, errcode, nprincs ? server.princ : NULL, response, status); if (got_err) { 
@@ -956,7 +961,8 @@ } static krb5_error_code -prepare_error_tgs (krb5_kdc_req *request, krb5_ticket *ticket, int error, +prepare_error_tgs (struct kdc_request_state *state, + krb5_kdc_req *request, krb5_ticket *ticket, int error, krb5_principal canon_server, krb5_data **response, const char *status) { @@ -979,14 +985,19 @@ errpkt.text.length = strlen(status) + 1; if (!(errpkt.text.data = strdup(status))) return ENOMEM; - + if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) { free(errpkt.text.data); return ENOMEM; } errpkt.e_data.length = 0; errpkt.e_data.data = NULL; - + retval = kdc_fast_handle_error(kdc_context, state, request, NULL, &errpkt); + if (retval) { + free(scratch); + free(errpkt.text.data); + return retval; + } retval = krb5_mk_error(kdc_context, &errpkt, scratch); free(errpkt.text.data); if (retval) Modified: branches/fast/src/kdc/fast_util.c =================================================================== --- branches/fast/src/kdc/fast_util.c 2009-03-26 05:37:28 UTC (rev 22141) +++ branches/fast/src/kdc/fast_util.c 2009-03-26 05:37:31 UTC (rev 22142) @@ -123,6 +123,7 @@ krb5_error_code kdc_find_fast (krb5_kdc_req **requestptr, krb5_data *checksummed_data, krb5_keyblock *tgs_subkey, + krb5_keyblock *tgs_session, struct kdc_request_state *state) { krb5_error_code retval = 0; @@ -155,7 +156,10 @@ } if (retval == 0 && !state->armor_key) { if (tgs_subkey) - retval =krb5_copy_keyblock(kdc_context, tgs_subkey, &state->armor_key); + retval = krb5_c_fx_cf2_simple(kdc_context, + tgs_subkey, "subkeyarmor", + tgs_session, "ticketarmor", + &state->armor_key); else { krb5_set_error_message(kdc_context, KRB5KDC_ERR_PREAUTH_FAILED, "No armor key but FAST armored request present"); 
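Review bot: The new `kdc_fast_handle_error(kdc_context, state, request, NULL, &errpkt)` call in `prepare_error_tgs` passes `state` straight through, and the sibling `kdc_fast_response_handle_padata` in fast_util.c (visible in this change) dereferences `state->armor_key` without a NULL check; if `prepare_error_tgs` can be reached from an error path in do_tgs_req before the request state is created (that setup is outside these hunks), this is a NULL dereference on the KDC's error path. Either guard the call with `if (state != NULL)` or state the precondition in a comment on the function, e.g. `/* state must be non-NULL: kdc_fast_handle_error reads state->armor_key */`. On failure the early return frees `scratch` and `errpkt.text.data` but not `errpkt.e_data`; whether `kdc_fast_handle_error` can leave `e_data` allocated on error is not visible here, so please confirm.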
@@ -268,12 +272,15 @@ krb5_data *encrypted_reply = NULL; krb5_pa_data *pa = NULL, **pa_array; krb5_cksumtype cksumtype = CKSUMTYPE_RSA_MD5; + krb5_pa_data *empty_padata[] = {NULL}; if (!state->armor_key) return 0; memset(&finish, 0, sizeof(finish)); fast_response.padata = rep->padata; - fast_response.rep_key = state->reply_key; + if (fast_response.padata == NULL) + fast_response.padata = &empty_padata[0]; + fast_response.rep_key = state->reply_key; fast_response.nonce = request->nonce; fast_response.finished = &finish; finish.client = rep->client; @@ -288,6 +295,8 @@ if (retval == 0) retval = encode_krb5_ticket(rep->ticket, &encoded_ticket); if (retval == 0) + retval = krb5int_c_mandatory_cksumtype(kdc_context, state->armor_key->enctype, &cksumtype); + if (retval == 0) retval = krb5_c_make_checksum(kdc_context, cksumtype, state->armor_key, KRB5_KEYUSAGE_FAST_FINISHED, encoded_ticket, &finish.ticket_checksum); Modified: branches/fast/src/kdc/kdc_util.h =================================================================== --- branches/fast/src/kdc/kdc_util.h 2009-03-26 05:37:28 UTC (rev 22141) +++ branches/fast/src/kdc/kdc_util.h 2009-03-26 05:37:31 UTC (rev 22142) @@ -319,7 +319,7 @@ krb5_error_code kdc_find_fast (krb5_kdc_req **requestptr, krb5_data *checksummed_data, - krb5_keyblock *tgs_subkey, + krb5_keyblock *tgs_subkey, krb5_keyblock *tgs_session, struct kdc_request_state *state); krb5_error_code kdc_fast_response_handle_padata From hartmans at MIT.EDU Thu Mar 26 01:37:28 2009 
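Review bot: In the second hunk the initializer `krb5_cksumtype cksumtype = CKSUMTYPE_RSA_MD5;` (visible as context) is now dead, since the value is replaced by `krb5int_c_mandatory_cksumtype` before the `krb5_c_make_checksum` call; leaving an unkeyed type as the default invites a regression if the lookup is ever made conditional, so initialize it to 0. `empty_padata` is a stack array handed to `fast_response.padata`, which is safe only because the response is encoded before the function returns; a comment such as `/* stack-lifetime placeholder: encoded before return, never stored in rep */` would make that explicit. The CF2 derivation in the first hunk is only reached when `tgs_subkey` is non-NULL, which is consistent with the AS caller passing NULL for both keys.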
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:37:28 -0400 Subject: svn rev #22141: branches/fast/src/ include/krb5/ kdc/ lib/krb5/ Message-ID: <200903260537.n2Q5bS2x018984@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22141 Commit By: hartmans Log Message: KDC handling of FAST response Integrate FAST response handling into AS reply and error paths. Ad support for encrypting and generating PA_FX_FAST_REPLY. Use that support in the AS. Changed Files: U branches/fast/src/include/krb5/krb5.hin U branches/fast/src/kdc/do_as_req.c U branches/fast/src/kdc/fast_util.c U branches/fast/src/lib/krb5/libkrb5.exports Modified: branches/fast/src/include/krb5/krb5.hin =================================================================== --- branches/fast/src/include/krb5/krb5.hin 2009-03-26 05:37:25 UTC (rev 22140) +++ branches/fast/src/include/krb5/krb5.hin 2009-03-26 05:37:28 UTC (rev 22141) @@ -634,6 +634,7 @@ /* define in draft-ietf-krb-wg-preauth-framework*/ #define KRB5_KEYUSAGE_FAST_REQ_CHKSUM 50 #define KRB5_KEYUSAGE_FAST_ENC 51 +#define KRB5_KEYUSAGE_FAST_REP 52 #define KRB5_KEYUSAGE_FAST_FINISHED 53 #define KRB5_KEYUSAGE_FAST_REP 52 Modified: branches/fast/src/kdc/do_as_req.c =================================================================== --- branches/fast/src/kdc/do_as_req.c 2009-03-26 05:37:25 UTC (rev 22140) +++ branches/fast/src/kdc/do_as_req.c 2009-03-26 05:37:28 UTC (rev 22141) @@ -566,6 +566,7 @@ goto errout; } + errcode = handle_authdata(kdc_context, c_flags, &client, 
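Review bot: The krb5.hin hunk adds `#define KRB5_KEYUSAGE_FAST_REP 52` directly above an existing, identical definition that is visible as context two lines down. Identical redefinition is legal C but the duplicate should go, keeping the key-usage list in numeric order 50, 51, 52, 53. The do_as_req.c hunks in this line need no change.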
@@ -590,6 +591,11 @@ goto errout; } ticket_reply.enc_part.kvno = server_key->key_data_kvno; + errcode = kdc_fast_response_handle_padata(state, request, &reply); + if (errcode) { + status = "fast response handling"; + goto errout; + } /* now encode/encrypt the response */ Modified: branches/fast/src/kdc/fast_util.c =================================================================== --- branches/fast/src/kdc/fast_util.c 2009-03-26 05:37:25 UTC (rev 22140) +++ branches/fast/src/kdc/fast_util.c 2009-03-26 05:37:28 UTC (rev 22141) @@ -95,6 +95,30 @@ return retval; } +static krb5_error_code encrypt_fast_reply +(struct kdc_request_state *state, const krb5_fast_response *response, + krb5_data **fx_fast_reply) +{ + krb5_error_code retval = 0; + krb5_enc_data encrypted_reply; + krb5_data *encoded_response = NULL; + assert(state->armor_key); + retval = encode_krb5_fast_response(response, &encoded_response); + if (retval== 0) + retval = krb5_encrypt_helper(kdc_context, state->armor_key, + KRB5_KEYUSAGE_FAST_REP, + encoded_response, &encrypted_reply); + if (encoded_response) + krb5_free_data(kdc_context, encoded_response); + encoded_response = NULL; + if (retval == 0) { + retval = encode_krb5_pa_fx_fast_reply(&encrypted_reply, + fx_fast_reply); + krb5_free_data_contents(kdc_context, &encrypted_reply.ciphertext); + } + return retval; +} + krb5_error_code kdc_find_fast (krb5_kdc_req **requestptr, krb5_data *checksummed_data, @@ -241,7 +265,7 @@ krb5_fast_finished finish; krb5_fast_response fast_response; krb5_data *encoded_ticket = NULL; - krb5_data *encoded_fast_response = NULL; + krb5_data *encrypted_reply = NULL; krb5_pa_data *pa = NULL, **pa_array; krb5_cksumtype cksumtype = CKSUMTYPE_RSA_MD5; 
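Review bot: In `encrypt_fast_reply`, `encoded_response` is the plaintext FAST response and therefore carries `rep_key`; it is released with `krb5_free_data` without being zeroed, leaving key material in freed heap memory. Zero `encoded_response->data` over `encoded_response->length` before the free, using a zeroing call the compiler cannot drop if the tree provides one. `encrypted_reply` is not initialized and its `ciphertext` is only freed on the success path; whether `krb5_encrypt_helper` can fail after allocating is not visible here, so please confirm nothing leaks on that path. Minor: `if (retval== 0)` is missing a space.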
@@ -268,21 +292,21 @@ state->armor_key, KRB5_KEYUSAGE_FAST_FINISHED, encoded_ticket, &finish.ticket_checksum); if (retval == 0) - retval = encode_krb5_fast_response(&fast_response, &encoded_fast_response); + retval = encrypt_fast_reply(state, &fast_response, &encrypted_reply); if (retval == 0) { pa[0].pa_type = KRB5_PADATA_FX_FAST; - pa[0].length = encoded_fast_response->length; - pa[0].contents = (unsigned char *) encoded_fast_response->data; + pa[0].length = encrypted_reply->length; + pa[0].contents = (unsigned char *) encrypted_reply->data; pa_array[0] = &pa[0]; rep->padata = pa_array; pa_array = NULL; - encoded_fast_response = NULL; + encrypted_reply = NULL; pa = NULL; } if (pa) free(pa); - if (encoded_fast_response) - krb5_free_data(kdc_context, encoded_fast_response); + if (encrypted_reply) + krb5_free_data(kdc_context, encrypted_reply); if (encoded_ticket) krb5_free_data(kdc_context, encoded_ticket); if (finish.ticket_checksum.contents) @@ -290,6 +314,7 @@ return retval; } + /* * We assume the caller is responsible for passing us an in_padata * sufficient to include in a FAST error. In the FAST case we will @@ -304,7 +329,7 @@ krb5_error_code retval = 0; krb5_fast_response resp; krb5_error fx_error; - krb5_data *encoded_fx_error = NULL, *encoded_fast_response = NULL; + krb5_data *encoded_fx_error = NULL, *encrypted_reply = NULL; krb5_pa_data pa[2]; krb5_pa_data *outer_pa[3]; krb5_pa_data **inner_pa = NULL; 
@@ -338,13 +363,13 @@ resp.finished = NULL; } if (retval == 0) - retval = encode_krb5_fast_response(&resp, &encoded_fast_response); + retval = encrypt_fast_reply(state, &resp, &encrypted_reply); if (inner_pa) free(inner_pa); /*contained storage from caller and our stack*/ if (retval == 0) { pa[0].pa_type = KRB5_PADATA_FX_FAST; - pa[0].length = encoded_fast_response->length; - pa[0].contents = (unsigned char *) encoded_fast_response->data; + pa[0].length = encrypted_reply->length; + pa[0].contents = (unsigned char *) encrypted_reply->data; outer_pa[0] = &pa[0]; } retval = encode_krb5_padata_sequence(outer_pa, &encoded_e_data); @@ -356,8 +381,8 @@ } if (encoded_e_data) krb5_free_data(kdc_context, encoded_e_data); - if (encoded_fast_response) - krb5_free_data(kdc_context, encoded_fast_response); + if (encrypted_reply) + krb5_free_data(kdc_context, encrypted_reply); if (encoded_fx_error) krb5_free_data(kdc_context, encoded_fx_error); return retval; Modified: branches/fast/src/lib/krb5/libkrb5.exports =================================================================== --- branches/fast/src/lib/krb5/libkrb5.exports 2009-03-26 05:37:25 UTC (rev 22140) +++ branches/fast/src/lib/krb5/libkrb5.exports 2009-03-26 05:37:28 UTC (rev 22141) @@ -60,6 +60,7 @@ encode_krb5_etype_info encode_krb5_etype_info2 encode_krb5_fast_response +encode_krb5_pa_fx_fast_reply encode_krb5_kdc_req_body encode_krb5_pa_enc_ts encode_krb5_pa_for_user From hartmans at MIT.EDU Thu Mar 26 01:37:34 2009 
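Review bot: In the first hunk `retval = encode_krb5_padata_sequence(outer_pa, &encoded_e_data);` runs unconditionally, so a failure from the new `encrypt_fast_reply` call is overwritten, and `outer_pa[0]` is then encoded holding whatever it was initialized to outside this hunk rather than the FX_FAST entry. Gate it like the calls above: `if (retval == 0) retval = encode_krb5_padata_sequence(outer_pa, &encoded_e_data);`. kdc_fast_handle_error begins before the first hunk and continues after the second.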
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:37:34 -0400 Subject: svn rev #22143: branches/fast/src/lib/krb5/krb/ Message-ID: <200903260537.n2Q5bYik019058@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22143 Commit By: hartmans Log Message: FAST response only when FAST in use Client should expect a FAST response only when fast is being ussed. krb5int_fast_process_response now returns success if FAST is not in use. Changed Files: U branches/fast/src/lib/krb5/krb/fast.c Modified: branches/fast/src/lib/krb5/krb/fast.c =================================================================== --- branches/fast/src/lib/krb5/krb/fast.c 2009-03-26 05:37:31 UTC (rev 22142) +++ branches/fast/src/lib/krb5/krb/fast.c 2009-03-26 05:37:34 UTC (rev 22143) @@ -257,8 +257,7 @@ krb5_pa_data *fx_reply = NULL; krb5_fast_response *local_resp = NULL; assert(state != NULL); - if (state->armor_key == NULL) - return 0; + assert(state->armor_key); fx_reply = krb5int_find_pa_data(context, in_padata, KRB5_PADATA_FX_FAST); if (fx_reply == NULL) retval = KRB5_ERR_FAST_REQUIRED; @@ -417,6 +416,8 @@ krb5_boolean cksum_valid; krb5_clear_error_message(context); *as_key = NULL; + if (state->armor_key == 0) + return 0; retval = decrypt_fast_reply(context, state, resp->padata, &fast_response); if (retval == 0) { From hartmans at MIT.EDU Thu Mar 26 01:37:37 2009 
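Review bot: `if (state->armor_key == 0)` in the second hunk compares a pointer with an integer literal, while the line this same change removes from `decrypt_fast_reply` spelled it `state->armor_key == NULL`; use `if (state->armor_key == NULL)` for consistency. Replacing that early return with `assert(state->armor_key)` in the first hunk is fine only while every caller guards on the armor key first, as `krb5int_fast_process_response` now does; a one-line comment above the assert, `/* callers check armor_key; a FAST reply is expected only when FAST is in use */`, would record that contract.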
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:37:37 -0400 Subject: svn rev #22144: branches/fast/src/ include/krb5/ kdc/ lib/krb5/ Message-ID: <200903260537.n2Q5bbf1019095@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22144 Commit By: hartmans Log Message: Reject non-armor ticket use of AD-FX-ARMOR Reject tickets or authenticators that have AD-FX-ARMOR and are used with the TGS per draft-ietf-krb-wg-preauth-framework. * kdc_util.c find authdata and reject * krb5.hin include constant * libkrb5.exports: export krb5int_find_authdata Changed Files: U branches/fast/src/include/krb5/krb5.hin U branches/fast/src/kdc/kdc_util.c U branches/fast/src/lib/krb5/libkrb5.exports Modified: branches/fast/src/include/krb5/krb5.hin =================================================================== --- branches/fast/src/include/krb5/krb5.hin 2009-03-26 05:37:34 UTC (rev 22143) +++ branches/fast/src/include/krb5/krb5.hin 2009-03-26 05:37:36 UTC (rev 22144) @@ -1016,7 +1016,7 @@ #define KRB5_AUTHDATA_SESAME 65 #define KRB5_AUTHDATA_WIN2K_PAC 128 #define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /* RFC 4537 */ - +#define KRB5_AUTHDATA_FX_ARMOR 71 /* password change constants */ #define KRB5_KPASSWD_SUCCESS 0 Modified: branches/fast/src/kdc/kdc_util.c =================================================================== --- branches/fast/src/kdc/kdc_util.c 2009-03-26 05:37:34 UTC (rev 22143) +++ branches/fast/src/kdc/kdc_util.c 2009-03-26 05:37:36 UTC (rev 22144) @@ -230,6 +230,7 @@ krb5_pa_data * tmppa; krb5_ap_req * apreq; krb5_error_code retval; + krb5_authdata **authdata = NULL; krb5_data scratch1; krb5_data * scratch = NULL; krb5_boolean foreign_server = FALSE; 
@@ -341,6 +342,22 @@ &authenticator))) goto cleanup_auth_context; + retval = krb5int_find_authdata(kdc_context, + (*ticket)->enc_part2->authorization_data, + authenticator->authorization_data, + KRB5_AUTHDATA_FX_ARMOR, &authdata); + if (retval != 0) + goto cleanup_auth_context; + if (authdata&& authdata[0]) { + krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY, + "ticket valid only as FAST armor"); + retval = KRB5KDC_ERR_POLICY; + krb5_free_authdata(kdc_context, authdata); + goto cleanup_auth_context; + } + krb5_free_authdata(kdc_context, authdata); + + /* Check for a checksum */ if (!(his_cksum = authenticator->checksum)) { retval = KRB5KRB_AP_ERR_INAPP_CKSUM; Modified: branches/fast/src/lib/krb5/libkrb5.exports =================================================================== --- branches/fast/src/lib/krb5/libkrb5.exports 2009-03-26 05:37:34 UTC (rev 22143) +++ branches/fast/src/lib/krb5/libkrb5.exports 2009-03-26 05:37:36 UTC (rev 22144) @@ -525,6 +525,7 @@ krb5int_cleanup_library krb5int_cm_call_select krb5int_copy_data_contents_add0 +krb5int_find_authdata krb5int_find_pa_data krb5int_foreach_localaddr krb5int_free_addrlist From hartmans at MIT.EDU Thu Mar 26 01:37:45 2009 
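Review bot: On the success path `krb5_free_authdata(kdc_context, authdata);` leaves `authdata` dangling; if cleanup_auth_context, which is outside the hunk, also releases it, that is a double free, and `authdata = NULL;` after the call settles the question either way. `if (authdata&& authdata[0])` is missing the space before `&&` that the rest of the hunk uses. The rejection relies on krb5int_find_authdata to surface AD-FX-ARMOR from both the ticket and the authenticator; whether it also looks inside AD-IF-RELEVANT containers is not visible here and deserves a comment at the call site, since the policy check is only as complete as that lookup. The enclosing function starts and ends outside the hunk.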
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:37:45 -0400 Subject: svn rev #22146: branches/fast/src/kdc/ Message-ID: <200903260537.n2Q5bjqb019186@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22146 Commit By: hartmans Log Message: When FAST is enabled, do not use encrypted timestamp pre-authentication. FAST mandates encrypted challenge. Encrypted timestamp ends up using the raw client key in the AS reply. Also, if encrypted timestamp is enabled, it is preferred to any plugin. Changed Files: U branches/fast/src/kdc/kdc_preauth.c Modified: branches/fast/src/kdc/kdc_preauth.c =================================================================== --- branches/fast/src/kdc/kdc_preauth.c 2009-03-26 05:37:41 UTC (rev 22145) +++ branches/fast/src/kdc/kdc_preauth.c 2009-03-26 05:37:45 UTC (rev 22146) @@ -133,6 +133,12 @@ krb5_data **e_data, krb5_authdata ***authz_data); +static krb5_error_code get_enc_ts + (krb5_context, krb5_kdc_req *request, + krb5_db_entry *client, krb5_db_entry *server, + preauth_get_entry_data_proc get_entry_data, + void *pa_system_context, + krb5_pa_data *data); static krb5_error_code get_etype_info (krb5_context, krb5_kdc_req *request, krb5_db_entry *client, krb5_db_entry *server, @@ -279,7 +285,7 @@ NULL, NULL, NULL, - 0, + get_enc_ts, verify_enc_timestamp, 0 }, @@ -1365,7 +1371,20 @@ return 0; } - +static krb5_error_code get_enc_ts + (krb5_context context, krb5_kdc_req *request, + krb5_db_entry *client, krb5_db_entry *server, + preauth_get_entry_data_proc get_entry_data_proc, + void *pa_system_context, + krb5_pa_data *data) +{ + struct kdc_request_state *state = request->kdc_state; + if (state->armor_key) + return ENOENT; + return 0; +} + + static krb5_error_code verify_enc_timestamp(krb5_context context, krb5_db_entry *client, krb5_data *req_pkt, From hartmans at MIT.EDU Thu Mar 26 01:37:42 2009 
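Review bot: get_enc_ts dereferences `request->kdc_state` without a NULL check; rev 22145 sets that field in do_as_req.c only after the FAST request has been decoded and clears it on exit, so any other path reaching this callback with a NULL state would crash the KDC, and `if (state != NULL && state->armor_key) return ENOENT;` keeps the non-FAST behaviour for that case. The reason for the ENOENT also belongs in a comment, e.g. `/* Under FAST, encrypted timestamp ends up using the raw client key in the AS reply; require encrypted challenge instead. */`, which is the rationale given in the commit message. The three hunks on this line together add the callback, and its definition is complete within the last one.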
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 26 Mar 2009 01:37:42 -0400 Subject: svn rev #22145: branches/fast/src/ include/ include/krb5/ kdc/ lib/krb5/krb/ ... Message-ID: <200903260537.n2Q5bg8H019148@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22145 Commit By: hartmans Log Message: Implement Encrypted Challenge fast factor Implement the encrypted challenge fast factor. As part of this, expose an interface for a preauth method to request the FAST armor key. * plugins/preauth/encrypted_challenge: new plugin * include/krb5/krb5.hin: constants (keyusages) for encrypted challenge * include/k5-int.h krb5/os/accessor.c: expose interfaces needed by encrypted challenge * kdc/kdc_preauth.c lib/krb5/krb/preauth2.c include/krb5/preauth_plugin.h: interface for fast armor key * kdc/do_as_req.c: make fast state available to preauth * lib/krb5/krb/get_in_tkt.c: initialize etype based on etype of AS reply * lib/krb5/krb/preauth2.c: Etype given to plugins tracked the same way as etype used internally Changed Files: U branches/fast/src/Makefile.in U branches/fast/src/configure.in U branches/fast/src/include/k5-int.h U branches/fast/src/include/krb5/krb5.hin U branches/fast/src/include/krb5/preauth_plugin.h U branches/fast/src/kdc/do_as_req.c U branches/fast/src/kdc/kdc_preauth.c U branches/fast/src/lib/krb5/krb/get_in_tkt.c U branches/fast/src/lib/krb5/krb/preauth2.c U branches/fast/src/lib/krb5/os/accessor.c A branches/fast/src/plugins/preauth/encrypted_challenge/ A branches/fast/src/plugins/preauth/encrypted_challenge/Makefile.in A branches/fast/src/plugins/preauth/encrypted_challenge/deps A branches/fast/src/plugins/preauth/encrypted_challenge/encrypted_challenge.exports A branches/fast/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c A branches/fast/src/plugins/preauth/fast_factor.h Modified: branches/fast/src/Makefile.in =================================================================== --- branches/fast/src/Makefile.in 
2009-03-26 05:37:36 UTC (rev 22144) +++ branches/fast/src/Makefile.in 2009-03-26 05:37:41 UTC (rev 22145) @@ -12,6 +12,7 @@ SUBDIRS=util include lib kdc kadmin @ldap_plugin_dir@ slave clients \ plugins/kdb/db2 \ plugins/preauth/pkinit \ + plugins/preauth/encrypted_challenge \ appl tests \ config-files gen-manpages BUILDTOP=$(REL)$(C) Modified: branches/fast/src/configure.in =================================================================== --- branches/fast/src/configure.in 2009-03-26 05:37:36 UTC (rev 22144) +++ branches/fast/src/configure.in 2009-03-26 05:37:41 UTC (rev 22145) @@ -1080,7 +1080,7 @@ plugins/kdb/db2/libdb2/mpool plugins/kdb/db2/libdb2/recno plugins/kdb/db2/libdb2/test - plugins/preauth/cksum_body + plugins/preauth/cksum_body plugins/preauth/encrypted_challenge plugins/preauth/wpse plugins/authdata/greet Modified: branches/fast/src/include/k5-int.h =================================================================== --- branches/fast/src/include/k5-int.h 2009-03-26 05:37:36 UTC (rev 22144) +++ branches/fast/src/include/k5-int.h 2009-03-26 05:37:41 UTC (rev 22145) @@ -910,9 +910,11 @@ * requested information. It is opaque to the plugin code and can be * expanded in the future as new types of requests are defined which * may require other things to be passed through. */ + struct krb5int_fast_request_state; typedef struct _krb5_preauth_client_rock { krb5_magic magic; - krb5_kdc_rep *as_reply; + krb5_enctype *etype; + struct krb5int_fast_request_state *fast_state; } krb5_preauth_client_rock; /* This structure lets us keep track of all of the modules which are loaded, @@ -2031,7 +2033,7 @@ /* To keep happy libraries which are (for now) accessing internal stuff */ /* Make sure to increment by one when changing the struct */ -#define KRB5INT_ACCESS_STRUCT_VERSION 13 +#define KRB5INT_ACCESS_STRUCT_VERSION 14 #ifndef ANAME_SZ struct ktext; /* from krb.h, for krb524 support */ 
@@ -2085,6 +2087,16 @@ krb5_error_code (*asn1_ldap_decode_sequence_of_keys) (krb5_data *in, ldap_seqof_key_data **); + /* Used for encrypted challenge fast factor*/ + krb5_error_code (*encode_enc_data)(const krb5_enc_data *, krb5_data **); + krb5_error_code (*decode_enc_data)(const krb5_data *, krb5_enc_data **); + void (*free_enc_data)(krb5_context, krb5_enc_data *); + krb5_error_code (*encode_enc_ts)(const krb5_pa_enc_ts *, krb5_data **); + krb5_error_code (*decode_enc_ts)(const krb5_data *, krb5_pa_enc_ts **); + void (*free_enc_ts)(krb5_context, krb5_pa_enc_ts *); + krb5_error_code (*encrypt_helper) + (krb5_context, const krb5_keyblock *, krb5_keyusage, const krb5_data *, + krb5_enc_data *); /* * pkinit asn.1 encode/decode functions Modified: branches/fast/src/include/krb5/krb5.hin =================================================================== --- branches/fast/src/include/krb5/krb5.hin 2009-03-26 05:37:36 UTC (rev 22144) +++ branches/fast/src/include/krb5/krb5.hin 2009-03-26 05:37:41 UTC (rev 22145) @@ -636,6 +636,8 @@ #define KRB5_KEYUSAGE_FAST_ENC 51 #define KRB5_KEYUSAGE_FAST_REP 52 #define KRB5_KEYUSAGE_FAST_FINISHED 53 +#define KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT 54 +#define KRB5_KEYUSAGE_ENC_CHALLENGE_KDC 55 #define KRB5_KEYUSAGE_FAST_REP 52 krb5_boolean KRB5_CALLCONV krb5_c_valid_enctype Modified: branches/fast/src/include/krb5/preauth_plugin.h =================================================================== --- branches/fast/src/include/krb5/preauth_plugin.h 2009-03-26 05:37:36 UTC (rev 22144) +++ branches/fast/src/include/krb5/preauth_plugin.h 2009-03-26 05:37:41 UTC (rev 22145) 
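Review bot: The new key-usage constants 54 and 55 are inserted directly above a second `#define KRB5_KEYUSAGE_FAST_REP 52`, a pre-existing duplicate of the line three above it that this hunk is the natural place to drop, and they carry no reference comment; `/* draft-ietf-krb-wg-preauth-framework */` after each would match the neighbouring style. In the k5-int.h hunk the comment `/* Used for encrypted challenge fast factor*/` is missing its closing space, and the new accessor members are inserted ahead of the pkinit members rather than appended, which shifts every later offset; the bump to KRB5INT_ACCESS_STRUCT_VERSION 14 in the earlier hunk covers that, but a note at the insertion point would stop a future edit from assuming the struct is append-only.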
@@ -123,11 +123,22 @@ * information to enable it to process a request. */ enum krb5plugin_preauth_client_request_type { - /* The returned krb5_data item holds the enctype used to encrypt the - * encrypted portion of the AS_REP packet. */ + /* The returned krb5_data item holds the enctype expected to be used to encrypt the + * encrypted portion of the AS_REP packet. When handling a + * PREAUTH_REQUIRED error, this typically comes from etype-info2. + * When handling an AS reply, it is initialized from the AS reply itself.*/ krb5plugin_preauth_client_get_etype = 1, /* Free the data returned from krb5plugin_preauth_client_req_get_etype */ - krb5plugin_preauth_client_free_etype = 2 + krb5plugin_preauth_client_free_etype = 2, + /* The returned krb5_data contains the FAST armor key in a + * krb5_keyblock. Returns success with a NULL data item in the + * krb5_data if the client library supports FAST but is not using it.*/ + krb5plugin_preauth_client_fast_armor = 3, + /* Frees return from KRB5PLUGIN_PREAUTH_CLIENT_FAST_ARMOR. It is + * acceptable to set data to NULL and free the keyblock using + * krb5_free_keyblock; in that case, this frees the krb5_data + * only.*/ +krb5plugin_preauth_client_free_fast_armor = 4, }; typedef krb5_error_code (*preauth_get_client_data_proc)(krb5_context, 
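Review bot: The comment on the new `krb5plugin_preauth_client_free_fast_armor` enumerator refers to `KRB5PLUGIN_PREAUTH_CLIENT_FAST_ARMOR`, a spelling that exists nowhere in this header; it should read `krb5plugin_preauth_client_fast_armor`. The enumerator itself sits at column 0 while its siblings are indented, and the trailing comma after it is accepted by C99 but not C89. The `fast_armor` description covers a library that supports FAST but is not using it; it should also say what a library without this request type returns (preauth2.c's default case answers EINVAL), since plugins must distinguish "no armor key" from "unsupported request".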
@@ -326,8 +337,16 @@ * implementation, there's a good chance that the result will not match * what the client sent, so don't go creating any fatal errors if it * doesn't match up. */ - krb5plugin_preauth_request_body = 4 -}; + krb5plugin_preauth_request_body = 4, + /* The returned krb5_data contains a krb5_keyblock with the FAST + armor key. The data member is NULL if this method is not part + of a FAST tunnel */ + krb5plugin_preauth_fast_armor = 5, + /* Frees a fast armor key; it is acceptable to set data to NULL + and free the keyblock using krb5_free_keyblock; in that case, + this function simply frees the data*/ + krb5plugin_preauth_free_fast_armor = 6, + }; typedef krb5_error_code (*preauth_get_entry_data_proc)(krb5_context, Modified: branches/fast/src/kdc/do_as_req.c =================================================================== --- branches/fast/src/kdc/do_as_req.c 2009-03-26 05:37:36 UTC (rev 22144) +++ branches/fast/src/kdc/do_as_req.c 2009-03-26 05:37:41 UTC (rev 22145) @@ -151,6 +151,7 @@ status = "error decoding FAST"; goto errout; } + request->kdc_state = state; if (!request->client) { status = "NULL_CLIENT"; errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; @@ -704,6 +705,7 @@ krb5_free_data_contents(kdc_context, &e_data); kdc_free_rstate(state); + request->kdc_state = NULL; krb5_free_kdc_req(kdc_context, request); assert(did_log != 0); return errcode; Modified: branches/fast/src/kdc/kdc_preauth.c =================================================================== --- branches/fast/src/kdc/kdc_preauth.c 2009-03-26 05:37:36 UTC (rev 22144) +++ branches/fast/src/kdc/kdc_preauth.c 2009-03-26 05:37:41 UTC (rev 22145) @@ -668,6 +668,7 @@ krb5_keyblock *keys, *mkey_ptr; krb5_key_data *entry_key; krb5_error_code error; + struct kdc_request_state *state = request->kdc_state; switch (type) { case krb5plugin_preauth_entry_request_certificate: 
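Review bot: `request->kdc_state = NULL;` is placed after `kdc_free_rstate(state);`, so for one statement the request refers to freed memory; swapping the two lines, `request->kdc_state = NULL;` then `kdc_free_rstate(state);`, removes the window. The assignment `request->kdc_state = state;` is a borrowed, non-owning reference that is only set after the FAST decode succeeds, so callbacks that read it (the new krb5plugin_preauth_fast_armor case, and get_enc_ts in rev 22146) must tolerate NULL; a comment at the assignment stating both facts would make that visible. In the preauth_plugin.h hunk the closing `};` of the server enum is now indented and the last enumerator carries a trailing comma, which is C99-only. The enclosing functions start outside the hunks.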
@@ -752,6 +753,30 @@ } return ASN1_PARSE_ERROR; break; + case krb5plugin_preauth_fast_armor: + ret = calloc(1, sizeof(krb5_data)); + if (ret == NULL) + return ENOMEM; + if (state->armor_key == NULL) { + *result = ret; + return 0; + } + error = krb5_copy_keyblock(context, state->armor_key, &keys); + if (error == 0) { + ret->data = (char *) keys; + ret->length = sizeof(krb5_keyblock); + *result = ret; + return 0; + } + free(ret); + return error; + case krb5plugin_preauth_free_fast_armor: + if ((*result)->data) { + keys = (krb5_keyblock *) (*result)->data; + krb5_free_keyblock(context, keys); + } + free(*result); + return 0; default: break; } Modified: branches/fast/src/lib/krb5/krb/get_in_tkt.c =================================================================== --- branches/fast/src/lib/krb5/krb/get_in_tkt.c 2009-03-26 05:37:36 UTC (rev 22144) +++ branches/fast/src/lib/krb5/krb/get_in_tkt.c 2009-03-26 05:37:41 UTC (rev 22145) @@ -1251,8 +1251,9 @@ goto cleanup; get_data_rock.magic = CLIENT_ROCK_MAGIC; - get_data_rock.as_reply = NULL; - + get_data_rock.etype = &etype; + get_data_rock.fast_state = fast_state; + /* now, loop processing preauth data and talking to the kdc */ for (loopcount = 0; loopcount < MAX_IN_TKT_LOOPS; loopcount++) { if (request.padata) { @@ -1404,7 +1405,7 @@ if ((ret = sort_krb5_padata_sequence(context, &request.server->realm, local_as_reply->padata))) goto cleanup; - get_data_rock.as_reply = local_as_reply; + etype = local_as_reply->enc_part.enctype; if ((ret = krb5_do_preauth(context, &request, encoded_request_body, encoded_previous_request, Modified: branches/fast/src/lib/krb5/krb/preauth2.c =================================================================== --- branches/fast/src/lib/krb5/krb/preauth2.c 2009-03-26 05:37:36 UTC (rev 22144) +++ branches/fast/src/lib/krb5/krb/preauth2.c 2009-03-26 05:37:41 UTC (rev 22145) @@ -37,6 +37,7 @@ #include "osconf.h" #include #include "int-proto.h" +#include "fast.h" #if !defined(_WIN32) #include 
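Review bot: In the krb5plugin_preauth_free_fast_armor case `(*result)->data` is dereferenced without checking `*result`, and the pointer is not cleared after `free(*result)`, whereas the client-side counterpart in preauth2.c from the same commit guards with `if (ret)` and sets `*retdata = NULL`; mirror that here with `if (*result == NULL) return 0;` at the top and `*result = NULL;` after the free. The fast_armor case reads `state->armor_key` where `state` is `request->kdc_state`, which do_as_req.c sets only after FAST decoding and clears on exit, so a NULL test before the dereference, returning the empty krb5_data exactly as for a missing armor key, would keep any non-AS caller from crashing the KDC — whether such a caller exists is not visible here. The enclosing function starts outside the hunk.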
@@ -419,6 +420,7 @@ krb5_data **retdata) { krb5_data *ret; + krb5_error_code retval; char *data; if (rock->magic != CLIENT_ROCK_MAGIC) @@ -430,8 +432,6 @@ case krb5plugin_preauth_client_get_etype: { krb5_enctype *eptr; - if (rock->as_reply == NULL) - return ENOENT; ret = malloc(sizeof(krb5_data)); if (ret == NULL) return ENOMEM; @@ -443,7 +443,7 @@ ret->data = data; ret->length = sizeof(krb5_enctype); eptr = (krb5_enctype *)data; - *eptr = rock->as_reply->enc_part.enctype; + *eptr = *rock->etype; *retdata = ret; return 0; } @@ -457,7 +457,38 @@ free(ret); return 0; break; - default: + case krb5plugin_preauth_client_fast_armor: { + krb5_keyblock *key = NULL; + ret = calloc(1, sizeof(krb5_data)); + if (ret == NULL) + return ENOMEM; + retval = 0; + if (rock->fast_state->armor_key) + retval = krb5_copy_keyblock(kcontext, rock->fast_state->armor_key, + &key); + if (retval == 0) { + ret->data = (char *) key; + ret->length = key?sizeof(krb5_keyblock):0; + key = NULL; + } + if (retval == 0) { + *retdata = ret; + ret = NULL; + } + if (ret) + free(ret); + return retval; + } + case krb5plugin_preauth_client_free_fast_armor: + ret = *retdata; + if (ret) { + if (ret->data) + krb5_free_keyblock(kcontext, (krb5_keyblock *) ret->data); + free(ret); + *retdata = NULL; + } + return 0; + default: return EINVAL; } } Modified: branches/fast/src/lib/krb5/os/accessor.c =================================================================== --- branches/fast/src/lib/krb5/os/accessor.c 2009-03-26 05:37:36 UTC (rev 22144) +++ branches/fast/src/lib/krb5/os/accessor.c 2009-03-26 05:37:41 UTC (rev 22145) 
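Review bot: Removing the `rock->as_reply == NULL` guard makes krb5plugin_preauth_client_get_etype always succeed, so a plugin asking before any etype-info or AS reply has been processed now receives whatever `etype` held at that moment instead of ENOENT; if that value can still be 0 then, `if (*rock->etype == 0) return ENOENT;` preserves the old signal — how get_in_tkt.c initialises it is outside the hunk. In the fast_armor case `rock->fast_state` is dereferenced unchecked; get_in_tkt.c in the same commit does set it, but a NULL test beside the existing `rock->magic` check costs one line. Style: `ret->length = key?sizeof(krb5_keyblock):0;` wants spaces around `?` and `:`, and the two consecutive `if (retval == 0)` blocks can be merged into one. The enclosing function starts outside the hunk.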
@@ -132,6 +132,13 @@ S (encode_krb5_sam_response_2, encode_krb5_sam_response_2), S (encode_krb5_enc_sam_response_enc_2, encode_krb5_enc_sam_response_enc_2), + S (encode_enc_ts, encode_krb5_pa_enc_ts), + S (decode_enc_ts, decode_krb5_pa_enc_ts), + S (encode_enc_data, encode_krb5_enc_data), + S(decode_enc_data, decode_krb5_enc_data), + S(free_enc_ts, krb5_free_pa_enc_ts), + S(free_enc_data, krb5_free_enc_data), + S(encrypt_helper, krb5_encrypt_helper), #if DESIGNATED_INITIALIZERS }; Copied: branches/fast/src/plugins/preauth/encrypted_challenge/Makefile.in (from rev 22144, branches/fast/src/plugins/preauth/cksum_body/Makefile.in) =================================================================== --- branches/fast/src/plugins/preauth/cksum_body/Makefile.in 2009-03-26 05:37:36 UTC (rev 22144) +++ branches/fast/src/plugins/preauth/encrypted_challenge/Makefile.in 2009-03-26 05:37:41 UTC (rev 22145) 
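Review bot: The seven new initialisers mix `S (encode_enc_ts, ...)` with `S(decode_enc_data, ...)`; the context lines above all use `S (`, so the last four should follow. A short comment such as `/* Encrypted challenge fast factor; requires access struct version 14 */` above the group would tie them to the version bump made in k5-int.h.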
@@ -0,0 +1,41 @@ +thisconfigdir=../../.. +myfulldir=plugins/preauth/encrypted_challenge +mydir=plugins/preauth/encrypted_challenge +BUILDTOP=$(REL)..$(S)..$(S).. +KRB5_RUN_ENV = @KRB5_RUN_ENV@ +KRB5_CONFIG_SETUP = KRB5_CONFIG=$(SRCTOP)/config-files/krb5.conf ; export KRB5_CONFIG ; +PROG_LIBPATH=-L$(TOPLIBD) +PROG_RPATH=$(KRB5_LIBDIR) +MODULE_INSTALL_DIR = $(KRB5_PA_MODULE_DIR) +DEFS=@DEFS@ + +LOCALINCLUDES = -I../../../include/krb5 -I. + +LIBBASE=encrypted_challenge +LIBMAJOR=0 +LIBMINOR=0 +SO_EXT=.so +RELDIR=../plugins/preauth/encrypted_challenge +# Depends on libk5crypto and libkrb5 +SHLIB_EXPDEPS = \ + $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ + $(TOPLIBD)/libkrb5$(SHLIBEXT) +SHLIB_EXPLIBS= -lkrb5 -lcom_err -lk5crypto $(SUPPORT_LIB) $(LIBS) + +SHLIB_DIRS=-L$(TOPLIBD) +SHLIB_RDIRS=$(KRB5_LIBDIR) +STOBJLISTS=OBJS.ST +STLIBOBJS=encrypted_challenge_main.o + +SRCS= $(srcdir)/encrypted_challenge_main.c + +all-unix:: $(LIBBASE)$(SO_EXT) +install-unix:: install-libs +clean-unix:: clean-libs clean-libobjs + +clean:: + $(RM) lib$(LIBBASE)$(SO_EXT) + + at libnover_frag@ + at libobj_frag@ + Copied: branches/fast/src/plugins/preauth/encrypted_challenge/deps (from rev 22144, branches/fast/src/ccapi/test/deps) =================================================================== Copied: branches/fast/src/plugins/preauth/encrypted_challenge/encrypted_challenge.exports (from rev 22144, branches/fast/src/plugins/preauth/pkinit/pkinit.exports) =================================================================== --- branches/fast/src/plugins/preauth/pkinit/pkinit.exports 2009-03-26 05:37:36 UTC (rev 22144) +++ branches/fast/src/plugins/preauth/encrypted_challenge/encrypted_challenge.exports 2009-03-26 05:37:41 UTC (rev 22145) 
@@ -0,0 +1,2 @@ +preauthentication_client_1 +preauthentication_server_1 Added: branches/fast/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c =================================================================== --- branches/fast/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c 2009-03-26 05:37:36 UTC (rev 22144) +++ branches/fast/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c 2009-03-26 05:37:41 UTC (rev 22145) 
@@ -0,0 +1,409 @@ +/* + * plugins/preauth/encrypted_challenge/encrypted_challenge.c + * + * Copyright (C) 2009 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. 
+ * + * + * + * Implement EncryptedChallenge fast factor from draft-ietf-krb-wg-preauth-framework + */ + +#include +#include "../fast_factor.h" + +#include + +static int preauth_flags +(krb5_context context, krb5_preauthtype pa_type) +{ + return PA_REAL; +} + +static krb5_error_code process_preauth +(krb5_context context, + void *plugin_context, + void *request_context, + krb5_get_init_creds_opt *opt, + preauth_get_client_data_proc get_data_proc, + struct _krb5_preauth_client_rock *rock, + krb5_kdc_req *request, + krb5_data *encoded_request_body, + krb5_data *encoded_previous_request, + krb5_pa_data *padata, + krb5_prompter_fct prompter, + void *prompter_data, + preauth_get_as_key_proc gak_fct, + void *gak_data, + krb5_data *salt, + krb5_data *s2kparams, + krb5_keyblock *as_key, + krb5_pa_data ***out_padata) +{ + krb5_error_code retval = 0; + krb5_enctype enctype = 0; + krb5_keyblock *challenge_key = NULL, *armor_key = NULL; + krb5_data *etype_data = NULL; + krb5int_access kaccess; + + if (krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION) != 0) + return 0; + retval = fast_get_armor_key(context, get_data_proc, rock, &armor_key); + if (retval || armor_key == NULL) + return 0; + retval = get_data_proc(context, rock, krb5plugin_preauth_client_get_etype, &etype_data); + if (retval == 0) { + enctype = *((krb5_enctype *)etype_data->data); + if (as_key->length == 0 ||as_key->enctype != enctype) + retval = gak_fct(context, request->client, + enctype, prompter, prompter_data, + salt, s2kparams, + as_key, gak_data); + } + if (padata->length) { + krb5_enc_data *enc = NULL; + krb5_data scratch; + scratch.length = padata->length; + scratch.data = (char *) padata->contents; + if (retval == 0) + retval = krb5_c_fx_cf2_simple(context,armor_key, "kdcchallengearmor", + as_key, "challengelongterm", &challenge_key); + if (retval == 0) + retval =kaccess.decode_enc_data(&scratch, &enc); + scratch.data = NULL; + if (retval == 0) { + scratch.data = malloc(enc->ciphertext.length); + 
scratch.length = enc->ciphertext.length; + if (scratch.data == NULL) + retval = ENOMEM; + } + if (retval == 0) + retval = krb5_c_decrypt(context, challenge_key, + KRB5_KEYUSAGE_ENC_CHALLENGE_KDC, NULL, + enc, &scratch); +/*Per draft 11 of the preauth framework, the client MAY but + * is not required to actually check the timestamp from the KDC other than + * to confirm it decrypts. This code does not perform that check. + */ + if (scratch.data) + krb5_free_data_contents(context, &scratch); + if (retval == 0) + fast_set_kdc_verified(context, get_data_proc, rock); + if (enc) + kaccess.free_enc_data(context, enc); + } else { /*No padata; we send*/ + krb5_enc_data enc; + krb5_pa_data *pa = NULL; + krb5_pa_data **pa_array = NULL; + krb5_data *encoded_ts = NULL; + krb5_pa_enc_ts ts; + if (retval == 0) + retval = krb5_us_timeofday(context, &ts.patimestamp, &ts.pausec); + if (retval == 0) + retval = kaccess.encode_enc_ts(&ts, &encoded_ts); + if (retval == 0) + retval = krb5_c_fx_cf2_simple(context, + armor_key, "clientchallengearmor", + as_key, "challengelongterm", + &challenge_key); + if (retval == 0) + retval = kaccess.encrypt_helper(context, challenge_key, + KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT, + encoded_ts, &enc); + if (encoded_ts) + krb5_free_data(context, encoded_ts); + encoded_ts = NULL; + if (retval == 0) { + retval = kaccess.encode_enc_data(&enc, &encoded_ts); + krb5_free_data_contents(context, &enc.ciphertext); + } + if (retval == 0) { + pa = calloc(1, sizeof(krb5_pa_data)); + if (pa == NULL) + retval = ENOMEM; + } + if (retval == 0) { + pa_array = calloc(2, sizeof(krb5_pa_data *)); + if (pa_array == NULL) + retval = ENOMEM; + } + if (retval == 0) { + pa->length = encoded_ts->length; + pa->contents = (unsigned char *) encoded_ts->data; + pa->pa_type = KRB5_PADATA_ENCRYPTED_CHALLENGE; + free(encoded_ts); + encoded_ts = NULL; + pa_array[0] = pa; + pa = NULL; + *out_padata = pa_array; + pa_array = NULL; + } + if (pa) + free(pa); + if (encoded_ts) + 
krb5_free_data(context, encoded_ts); + if (pa_array) + free(pa_array); + } + if (challenge_key) + krb5_free_keyblock(context, challenge_key); + if (armor_key) + krb5_free_keyblock(context, armor_key); + if (etype_data != NULL) + get_data_proc(context, rock, krb5plugin_preauth_client_free_etype, + &etype_data); + return retval; +} + + + + +static krb5_error_code kdc_include_padata +(krb5_context context, + krb5_kdc_req *request, + struct _krb5_db_entry_new *client, + struct _krb5_db_entry_new *server, + preauth_get_entry_data_proc get_entry_proc, + void *pa_module_context, + krb5_pa_data *data) +{ + krb5_error_code retval = 0; + krb5_keyblock *armor_key = NULL; + retval = fast_kdc_get_armor_key(context, get_entry_proc, request, client, &armor_key); + if (retval) + return retval; + if (armor_key == 0) + return ENOENT; + krb5_free_keyblock(context, armor_key); + return 0; +} + +static krb5_error_code kdc_verify_preauth +(krb5_context context, + struct _krb5_db_entry_new *client, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_reply, + krb5_pa_data *data, + preauth_get_entry_data_proc get_entry_proc, + void *pa_module_context, + void **pa_request_context, + krb5_data **e_data, + krb5_authdata ***authz_data) +{ + krb5_error_code retval = 0; + krb5_timestamp now; + krb5_enc_data *enc = NULL; + krb5_data scratch, plain; + krb5_keyblock *armor_key = NULL; + krb5_pa_enc_ts *ts = NULL; + krb5int_access kaccess; + krb5_keyblock *client_keys = NULL; + krb5_data *client_data = NULL; + krb5_keyblock *challenge_key = NULL; + int i; + + plain.data = NULL; + if (krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION) != 0) + return 0; + + retval = fast_kdc_get_armor_key(context, get_entry_proc, request, client, &armor_key); + if (retval == 0 &&armor_key == NULL) { + retval = ENOENT; + krb5_set_error_message(context, ENOENT, "Encrypted Challenge used outside of FAST tunnel"); + } + scratch.data = (char *) data->contents; + scratch.length = data->length; + if 
(retval == 0) + retval = kaccess.decode_enc_data(&scratch, &enc); + if (retval == 0) { + plain.data = malloc(enc->ciphertext.length); + plain.length = enc->ciphertext.length; + if (plain.data == NULL) + retval = ENOMEM; + } + if (retval == 0) + retval = get_entry_proc(context, request, client, + krb5plugin_preauth_keys, &client_data); + if (retval == 0) { + client_keys = (krb5_keyblock *) client_data->data; + for (i = 0; client_keys[i].enctype&& (retval == 0); i++ ) { + retval = krb5_c_fx_cf2_simple(context, + armor_key, "clientchallengearmor", + &client_keys[i], "challengelongterm", + &challenge_key); + if (retval == 0) + retval = krb5_c_decrypt(context, challenge_key, + KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT, + NULL, enc, &plain); + if (challenge_key) + krb5_free_keyblock(context, challenge_key); + challenge_key = NULL; + if (retval == 0) + break; + /*We failed to decrypt. Try next key*/ + retval = 0; + krb5_free_keyblock_contents(context, &client_keys[i]); + } + if (client_keys[i].enctype == 0) { + retval = KRB5KDC_ERR_PREAUTH_FAILED; + krb5_set_error_message(context, retval, "Incorrect password in encrypted challenge"); + } else { /*not run out of keys*/ + int j; + assert (retval == 0); + for (j = i+1; client_keys[j].enctype; j++) + krb5_free_keyblock_contents(context, &client_keys[j]); + } + + } + if (retval == 0) + retval = kaccess.decode_enc_ts(&plain, &ts); + if (retval == 0) + retval = krb5_timeofday(context, &now); + if (retval == 0) { + if (labs(now-ts->patimestamp) < context->clockskew) { + enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; +/*If this fails, we won't generate a reply to the client. That may + * cause the client to fail, but at this point the KDC has considered + this a success, so the return value is ignored. 
*/ + fast_kdc_replace_reply_key(context, get_entry_proc, request); + krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor", + &client_keys[i], "challengelongterm", + (krb5_keyblock **) pa_request_context); + } else { /*skew*/ + retval = KRB5KRB_AP_ERR_SKEW; + } + } + if (client_keys) { + if (client_keys[i].enctype) + krb5_free_keyblock_contents(context, &client_keys[i]); + krb5_free_data(context, client_data); + } + if (armor_key) + krb5_free_keyblock(context, armor_key); + if (challenge_key) + krb5_free_keyblock(context, challenge_key); + if (plain.data) + free(plain.data); + if (enc) + kaccess.free_enc_data(context, enc); + if (ts) + kaccess.free_enc_ts(context, ts); + return retval; +} + +static krb5_error_code kdc_return_preauth +(krb5_context context, + krb5_pa_data * padata, + struct _krb5_db_entry_new *client, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_kdc_rep *reply, + struct _krb5_key_data *client_keys, + krb5_keyblock *encrypting_key, + krb5_pa_data **send_pa, + preauth_get_entry_data_proc get_entry_proc, + void *pa_module_context, + void **pa_request_context) +{ + krb5_error_code retval = 0; + krb5_keyblock *challenge_key = *pa_request_context; + krb5_pa_enc_ts ts; + krb5_data *plain = NULL; + krb5_enc_data enc; + krb5_data *encoded = NULL; + krb5_pa_data *pa = NULL; + krb5int_access kaccess; + + if (krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION) != 0) + return 0; + if (challenge_key == NULL) + return 0; + * pa_request_context = NULL; /*this function will free the + * challenge key*/ + retval = krb5_us_timeofday(context, &ts.patimestamp, &ts.pausec); + if (retval == 0) + retval = kaccess.encode_enc_ts(&ts, &plain); + if (retval == 0) + retval = kaccess.encrypt_helper(context, challenge_key, + KRB5_KEYUSAGE_ENC_CHALLENGE_KDC, + plain, &enc); + if (retval == 0) + retval = kaccess.encode_enc_data(&enc, &encoded); + if (retval == 0) { + pa = calloc(1, sizeof(krb5_pa_data)); + if (pa == NULL) + retval = ENOMEM; + } + if (retval == 0) { + 
pa->pa_type = KRB5_PADATA_ENCRYPTED_CHALLENGE; + pa->contents = (unsigned char *) encoded->data; + pa->length = encoded->length; + encoded->data = NULL; + *send_pa = pa; + pa = NULL; + } + if (challenge_key) + krb5_free_keyblock(context, challenge_key); + if (encoded) + krb5_free_data(context, encoded); + if (plain) + krb5_free_data(context, plain); + if (enc.ciphertext.data) + krb5_free_data_contents(context, &enc.ciphertext); + return retval; +} + +static int kdc_preauth_flags +(krb5_context context, krb5_preauthtype patype) +{ + return 0; +} + +krb5_preauthtype supported_pa_types[] = { + KRB5_PADATA_ENCRYPTED_CHALLENGE, 0}; + +struct krb5plugin_preauth_server_ftable_v1 preauthentication_server_1 = { + "Encrypted challenge", + &supported_pa_types[0], +NULL, +NULL, +kdc_preauth_flags, + kdc_include_padata, + kdc_verify_preauth, + kdc_return_preauth, +NULL +}; + +struct krb5plugin_preauth_client_ftable_v1 preauthentication_client_1 = { + "Encrypted Challenge", /* name */ + &supported_pa_types[0], /* pa_type_list */ + NULL, /* enctype_list */ + NULL, /* plugin init function */ + NULL, /* plugin fini function */ + preauth_flags, /* get flags function */ + NULL, /* request init function */ + NULL, /* request fini function */ + process_preauth, /* process function */ + NULL, /* try_again function */ +NULL /* get init creds opt function */ +}; Added: branches/fast/src/plugins/preauth/fast_factor.h =================================================================== --- branches/fast/src/plugins/preauth/fast_factor.h 2009-03-26 05:37:36 UTC (rev 22144) +++ branches/fast/src/plugins/preauth/fast_factor.h 2009-03-26 05:37:41 UTC (rev 22145) 
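Review bot: kdc_verify_preauth returns 0 when krb5int_accessor() fails, which the KDC may take as a passed pre-authentication check although nothing was decrypted; propagate the error instead, `retval = krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION);` followed by `if (retval) return retval;` (the same early return is benign in process_preauth and kdc_return_preauth, where 0 only means nothing is sent). In kdc_return_preauth `enc` is never initialised, so when krb5_us_timeofday or encode_enc_ts fails before encrypt_helper runs, the closing `if (enc.ciphertext.data)` tests an indeterminate pointer and may free garbage; add `enc.ciphertext.data = NULL;` beside the declarations, as kdc_verify_preauth does for `plain.data`. `if (armor_key == 0)` in kdc_include_padata compares a pointer with an integer literal; `if (armor_key == NULL)` matches the rest of the file. The header comment names the file `encrypted_challenge.c` while it is added as `encrypted_challenge_main.c`.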
@@ -0,0 +1,53 @@ +/*Returns success with a null armor_key if FAST is available but not in use. +Returns failure if the client library does not support FAST +*/ +static krb5_error_code fast_get_armor_key +(krb5_context context, preauth_get_client_data_proc get_data, + struct _krb5_preauth_client_rock *rock, + krb5_keyblock **armor_key) +{ + krb5_error_code retval = 0; + krb5_data *data; + retval = get_data(context, rock, krb5plugin_preauth_client_fast_armor, &data); + if (retval == 0) { + *armor_key = (krb5_keyblock *) data->data; + data->data = NULL; + get_data(context, rock, krb5plugin_preauth_client_free_fast_armor, + &data); + } + return retval; +} + +static krb5_error_code fast_kdc_get_armor_key +(krb5_context context, preauth_get_entry_data_proc get_entry, + krb5_kdc_req *request,struct _krb5_db_entry_new *client, + krb5_keyblock **armor_key) +{ + krb5_error_code retval; + krb5_data *data; + retval = get_entry(context, request, client, krb5plugin_preauth_fast_armor, + &data); + if (retval == 0) { + *armor_key = (krb5_keyblock *) data->data; + data->data = NULL; + get_entry(context, request, client, + krb5plugin_preauth_free_fast_armor, &data); + } + return retval; + } + + + + static krb5_error_code fast_kdc_replace_reply_key + (krb5_context context, preauth_get_entry_data_proc get_data, + krb5_kdc_req *request) + { + return 0; + } + +static krb5_error_code fast_set_kdc_verified +(krb5_context context, preauth_get_client_data_proc get_data, + struct _krb5_preauth_client_rock *rock) +{ + return 0; +} From ghudson at MIT.EDU Sun Mar 29 22:43:52 2009 
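Review bot: The two stubs at the end of the hunk, `fast_kdc_replace_reply_key` and `fast_set_kdc_verified`, return 0 unconditionally, so any caller that reads 0 as "reply key replaced" or "KDC verified" gets a false success from code that does nothing; until they are implemented each should carry a comment such as `/* TODO: stub -- does no work; a 0 return must not be taken as a replaced key or a verified KDC */`, or return an error the caller cannot mistake for success. In `fast_get_armor_key` and `fast_kdc_get_armor_key` the success path dereferences `data` without a NULL check and discards the return value of the free callback; the header comment only promises a null `armor_key` when FAST is not in use, not a null `data`, so a guard like `if (retval == 0 && data == NULL) return EINVAL;` (or whatever error the callers expect, which I cannot see from here) would make the contract explicit. These are also `static` definitions in a header, so every translation unit that includes it gets its own copy plus unused-function warnings for the ones it does not call.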
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Sun, 29 Mar 2009 22:43:52 -0400 Subject: svn rev #22147: trunk/ src/lib/krb5/krb/ Message-ID: <200903300243.n2U2hqxo006238@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22147 Commit By: ghudson Log Message: ticket: 6435 subject: Add PAC and principal parsing test cases >From Heimdal, ported by Luke, further modified by me. Changed Files: U trunk/README U trunk/src/lib/krb5/krb/Makefile.in U trunk/src/lib/krb5/krb/deps A trunk/src/lib/krb5/krb/t_pac.c A trunk/src/lib/krb5/krb/t_princ.c Modified: trunk/README =================================================================== --- trunk/README 2009-03-26 05:37:45 UTC (rev 22146) +++ trunk/README 2009-03-30 02:43:51 UTC (rev 22147) 
@@ -629,6 +629,41 @@ California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted. + -------------------- + +Marked test programs in src/lib/krb5/krb have the following copyright: + +Copyright (c) 2006 Kungliga Tekniska Högskolan +(Royal Institute of Technology, Stockholm, Sweden). +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: + +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +3. Neither the name of KTH nor the names of its contributors may be + used to endorse or promote products derived from this software without + specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY +EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE +LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ Acknowledgements ---------------- Modified: trunk/src/lib/krb5/krb/Makefile.in =================================================================== --- trunk/src/lib/krb5/krb/Makefile.in 2009-03-26 05:37:45 UTC (rev 22146) +++ trunk/src/lib/krb5/krb/Makefile.in 2009-03-30 02:43:51 UTC (rev 22147) @@ -278,7 +278,9 @@ $(srcdir)/t_kerb.c \ $(srcdir)/t_ser.c \ $(srcdir)/t_deltat.c \ - $(srcdir)/t_expand.c + $(srcdir)/t_expand.c \ + $(srcdir)/t_pac.c \ + $(srcdir)/t_princ.c # Someday, when we have a "maintainer mode", do this right: BISON=bison @@ -306,6 +308,10 @@ T_DELTAT_OBJS= t_deltat.o deltat.o +T_PAC_OBJS= t_pac.o pac.o + +T_PRINC_OBJS= t_princ.o parse.o unparse.o + t_walk_rtree: $(T_WALK_RTREE_OBJS) $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o t_walk_rtree $(T_WALK_RTREE_OBJS) $(KRB5_BASE_LIBS) t_authdata: t_authdata.o copy_auth.o @@ -325,8 +331,15 @@ t_expand : $(T_EXPAND_OBJS) $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o t_expand $(T_EXPAND_OBJS) $(KRB5_BASE_LIBS) -TEST_PROGS= t_walk_rtree t_kerb t_ser t_deltat t_expand t_authdata +t_pac: $(T_PAC_OBJS) $(KRB5_BASE_DEPLIBS) + $(CC_LINK) -o t_pac $(T_PAC_OBJS) $(KRB5_BASE_LIBS) +t_princ: $(T_PRINC_OBJS) $(KRB5_BASE_DEPLIBS) + $(CC_LINK) -o t_princ $(T_PRINC_OBJS) $(KRB5_BASE_LIBS) + +TEST_PROGS= t_walk_rtree t_kerb t_ser t_deltat t_expand t_authdata t_pac \ + t_princ + check-unix:: $(TEST_PROGS) KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\ $(RUN_SETUP) $(VALGRIND) ./t_kerb \ 
@@ -360,6 +373,8 @@ $(RUN_SETUP) $(VALGRIND) sh $(srcdir)/walktree-tests KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\ $(RUN_SETUP) $(VALGRIND) ./t_authdata + $(RUN_SETUP) $(VALGRIND) ./t_pac + $(RUN_SETUP) $(VALGRIND) ./t_princ clean:: $(RM) $(OUTPRE)t_walk_rtree$(EXEEXT) $(OUTPRE)t_walk_rtree.$(OBJEXT) \ Modified: trunk/src/lib/krb5/krb/deps =================================================================== --- trunk/src/lib/krb5/krb/deps 2009-03-26 05:37:45 UTC (rev 22146) +++ trunk/src/lib/krb5/krb/deps 2009-03-30 02:43:51 UTC (rev 22147) 
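Review bot: The two new `check-unix::` lines run `./t_pac` and `./t_princ` without the `KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\` prefix that the neighbouring `t_kerb` and `t_authdata` invocations carry, so `krb5_init_context` in the new tests reads whatever krb5.conf the build host happens to have (and presumably fails where there is none) instead of the checked-in test profile. Each recipe line is its own shell, so the export has to sit on the same logical line: `KRB5_CONFIG=$(srcdir)/t_krb5.conf ; export KRB5_CONFIG ;\` followed by `$(RUN_SETUP) $(VALGRIND) ./t_pac`, and likewise for `t_princ`. The `clean::` target in the same hunk continues outside the visible lines, so I cannot tell whether the new binaries and objects are removed there.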
@@ -910,3 +910,23 @@ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h chk_trans.c t_expand.c +t_pac.so t_pac.po $(OUTPRE)t_pac.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ + $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ + $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ + $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + t_pac.c +t_princ.so t_princ.po $(OUTPRE)t_princ.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ + $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ + $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ + $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + t_princ.c Added: trunk/src/lib/krb5/krb/t_pac.c =================================================================== --- trunk/src/lib/krb5/krb/t_pac.c 2009-03-26 05:37:45 UTC (rev 22146) +++ trunk/src/lib/krb5/krb/t_pac.c 2009-03-30 02:43:51 UTC (rev 22147) 
@@ -0,0 +1,318 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ +/* + * Copyright (c) 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "k5-int.h" + +/* + * This PAC and keys are copied (with permission) from Samba torture + * regression test suite, they where created by Andrew Bartlet. 
+ */ + +static const unsigned char saved_pac[] = { + 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xd8, 0x01, 0x00, 0x00, + 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, + 0x20, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, + 0x40, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, + 0x58, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, + 0xc8, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x30, 0xdf, 0xa6, 0xcb, + 0x4f, 0x7d, 0xc5, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0x7f, 0xc0, 0x3c, 0x4e, 0x59, 0x62, 0x73, 0xc5, 0x01, 0xc0, 0x3c, 0x4e, 0x59, + 0x62, 0x73, 0xc5, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x16, 0x00, 0x16, 0x00, + 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0c, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x14, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x02, 0x00, 0x65, 0x00, 0x00, 0x00, + 0xed, 0x03, 0x00, 0x00, 0x04, 0x02, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x02, 0x00, + 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x16, 0x00, 0x20, 0x00, 0x02, 0x00, 0x16, 0x00, 0x18, 0x00, + 0x24, 0x00, 0x02, 0x00, 0x28, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x2c, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 
0x00, 0x00, + 0x57, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x33, 0x00, 0x46, 0x00, 0x49, 0x00, 0x4e, 0x00, + 0x41, 0x00, 0x4c, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x02, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, + 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x57, 0x00, 0x32, 0x00, + 0x30, 0x00, 0x30, 0x00, 0x33, 0x00, 0x46, 0x00, 0x49, 0x00, 0x4e, 0x00, 0x41, 0x00, 0x4c, 0x00, + 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x57, 0x00, 0x49, 0x00, + 0x4e, 0x00, 0x32, 0x00, 0x4b, 0x00, 0x33, 0x00, 0x54, 0x00, 0x48, 0x00, 0x49, 0x00, 0x4e, 0x00, + 0x4b, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, + 0x15, 0x00, 0x00, 0x00, 0x11, 0x2f, 0xaf, 0xb5, 0x90, 0x04, 0x1b, 0xec, 0x50, 0x3b, 0xec, 0xdc, + 0x01, 0x00, 0x00, 0x00, 0x30, 0x00, 0x02, 0x00, 0x07, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x80, 0x66, 0x28, 0xea, 0x37, 0x80, 0xc5, 0x01, 0x16, 0x00, 0x77, 0x00, 0x32, 0x00, 0x30, 0x00, + 0x30, 0x00, 0x33, 0x00, 0x66, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x61, 0x00, 0x6c, 0x00, 0x24, 0x00, + 0x76, 0xff, 0xff, 0xff, 0x37, 0xd5, 0xb0, 0xf7, 0x24, 0xf0, 0xd6, 0xd4, 0xec, 0x09, 0x86, 0x5a, + 0xa0, 0xe8, 0xc3, 0xa9, 0x00, 0x00, 0x00, 0x00, 0x76, 0xff, 0xff, 0xff, 0xb4, 0xd8, 0xb8, 0xfe, + 0x83, 0xb3, 0x13, 0x3f, 0xfc, 0x5c, 0x41, 0xad, 0xe2, 0x64, 0x83, 0xe0, 0x00, 0x00, 0x00, 0x00 +}; + +static unsigned int type_1_length = 472; + +static const krb5_keyblock kdc_keyblock = { + 0, ENCTYPE_ARCFOUR_HMAC, + 
16, (krb5_octet *)"\xB2\x86\x75\x71\x48\xAF\x7F\xD2\x52\xC5\x36\x03\xA1\x50\xB7\xE7" +}; + +static const krb5_keyblock member_keyblock = { + 0, ENCTYPE_ARCFOUR_HMAC, + 16, (krb5_octet *)"\xD2\x17\xFA\xEA\xE5\xE6\xB5\xF9\x5C\xCC\x94\x07\x7A\xB8\xA5\xFC" +}; + +static time_t authtime = 1120440609; +static const char *user = "w2003final$@WIN2K3.THINKER.LOCAL"; + +static void err(krb5_context ctx, krb5_error_code code, const char *fmt, ...) + __attribute__((__format__(__printf__, 3, 0))); + +static void +err(krb5_context ctx, krb5_error_code code, const char *fmt, ...) +{ + va_list ap; + char *msg; + const char *errmsg = NULL; + + va_start(ap, fmt); + if (vasprintf(&msg, fmt, ap) < 0) + exit(1); + va_end(ap); + if (ctx && code) + errmsg = krb5_get_error_message(ctx, code); + if (errmsg) + fprintf(stderr, "t_pac: %s: %s\n", msg, errmsg); + else + fprintf(stderr, "t_pac: %s\n", msg); + exit(1); +} + +int +main(int argc, char **argv) +{ + krb5_error_code ret; + krb5_context context; + krb5_pac pac; + krb5_data data; + krb5_principal p; + + ret = krb5_init_context(&context); + if (ret) + err(NULL, 0, "krb5_init_contex"); + + krb5_set_default_realm(context, "WIN2K3.THINKER.LOCAL"); + + ret = krb5_parse_name(context, user, &p); + if (ret) + err(context, ret, "krb5_parse_name"); + + ret = krb5_pac_parse(context, saved_pac, sizeof(saved_pac), &pac); + if (ret) + err(context, ret, "krb5_pac_parse"); + + ret = krb5_pac_verify(context, pac, authtime, p, + &member_keyblock, &kdc_keyblock); + if (ret) + err(context, ret, "krb5_pac_verify"); + + ret = krb5int_pac_sign(context, pac, authtime, p, + &member_keyblock, &kdc_keyblock, &data); + if (ret) + err(context, ret, "krb5int_pac_sign"); + + krb5_pac_free(context, pac); + + ret = krb5_pac_parse(context, data.data, data.length, &pac); + krb5_free_data_contents(context, &data); + if (ret) + err(context, ret, "krb5_pac_parse 2"); + + ret = krb5_pac_verify(context, pac, authtime, p, + &member_keyblock, &kdc_keyblock); + if (ret) + 
err(context, ret, "krb5_pac_verify 2"); + + /* make a copy and try to reproduce it */ + { + uint32_t *list; + size_t len, i; + krb5_pac pac2; + + ret = krb5_pac_init(context, &pac2); + if (ret) + err(context, ret, "krb5_pac_init"); + + /* our two user buffer plus the three "system" buffers */ + ret = krb5_pac_get_types(context, pac, &len, &list); + if (ret) + err(context, ret, "krb5_pac_get_types"); + + for (i = 0; i < len; i++) { + /* skip server_cksum, privsvr_cksum, and logon_name */ + if (list[i] == 6 || list[i] == 7 || list[i] == 10) + continue; + + ret = krb5_pac_get_buffer(context, pac, list[i], &data); + if (ret) + err(context, ret, "krb5_pac_get_buffer"); + + if (list[i] == 1) { + if (type_1_length != data.length) + err(context, 0, "type 1 have wrong length: %lu", + (unsigned long)data.length); + } else + err(context, 0, "unknown type %lu", (unsigned long)list[i]); + + ret = krb5_pac_add_buffer(context, pac2, list[i], &data); + if (ret) + err(context, ret, "krb5_pac_add_buffer"); + krb5_free_data_contents(context, &data); + } + free(list); + + ret = krb5int_pac_sign(context, pac2, authtime, p, + &member_keyblock, &kdc_keyblock, &data); + if (ret) + err(context, ret, "krb5int_pac_sign 4"); + + krb5_pac_free(context, pac2); + + ret = krb5_pac_parse(context, data.data, data.length, &pac2); + if (ret) + err(context, ret, "krb5_pac_parse 4"); + + ret = krb5_pac_verify(context, pac2, authtime, p, + &member_keyblock, &kdc_keyblock); + if (ret) + err(context, ret, "krb5_pac_verify 4"); + + krb5_pac_free(context, pac2); + } + + krb5_pac_free(context, pac); + + /* + * Test empty free + */ + + ret = krb5_pac_init(context, &pac); + if (ret) + err(context, ret, "krb5_pac_init"); + krb5_pac_free(context, pac); + + /* + * Test add remove buffer + */ + + ret = krb5_pac_init(context, &pac); + if (ret) + err(context, ret, "krb5_pac_init"); + + { + const krb5_data cdata = { 0, 2, "\x00\x01" } ; + + ret = krb5_pac_add_buffer(context, pac, 1, &cdata); + if (ret) + err(context, 
ret, "krb5_pac_add_buffer"); + } + { + ret = krb5_pac_get_buffer(context, pac, 1, &data); + if (ret) + err(context, ret, "krb5_pac_get_buffer"); + if (data.length != 2 || memcmp(data.data, "\x00\x01", 2) != 0) + err(context, 0, "krb5_pac_get_buffer data not the same"); + krb5_free_data_contents(context, &data); + } + + { + const krb5_data cdata = { 0, 2, "\x02\x00" } ; + + ret = krb5_pac_add_buffer(context, pac, 2, &cdata); + if (ret) + err(context, ret, "krb5_pac_add_buffer"); + } + { + ret = krb5_pac_get_buffer(context, pac, 1, &data); + if (ret) + err(context, ret, "krb5_pac_get_buffer"); + if (data.length != 2 || memcmp(data.data, "\x00\x01", 2) != 0) + err(context, 0, "krb5_pac_get_buffer data not the same"); + krb5_free_data_contents(context, &data); + /* */ + ret = krb5_pac_get_buffer(context, pac, 2, &data); + if (ret) + err(context, ret, "krb5_pac_get_buffer"); + if (data.length != 2 || memcmp(data.data, "\x02\x00", 2) != 0) + err(context, 0, "krb5_pac_get_buffer data not the same"); + krb5_free_data_contents(context, &data); + } + + ret = krb5int_pac_sign(context, pac, authtime, p, + &member_keyblock, &kdc_keyblock, &data); + if (ret) + err(context, ret, "krb5int_pac_sign"); + + krb5_pac_free(context, pac); + + ret = krb5_pac_parse(context, data.data, data.length, &pac); + krb5_free_data_contents(context, &data); + if (ret) + err(context, ret, "krb5_pac_parse 3"); + + ret = krb5_pac_verify(context, pac, authtime, p, + &member_keyblock, &kdc_keyblock); + if (ret) + err(context, ret, "krb5_pac_verify 3"); + + { + uint32_t *list; + size_t len; + + /* our two user buffer plus the three "system" buffers */ + ret = krb5_pac_get_types(context, pac, &len, &list); + if (ret) + err(context, ret, "krb5_pac_get_types"); + if (len != 5) + err(context, 0, "list wrong length"); + free(list); + } + + krb5_pac_free(context, pac); + + krb5_free_principal(context, p); + krb5_free_context(context); + + return 0; +} Added: trunk/src/lib/krb5/krb/t_princ.c 
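Review bot: Every `krb5_pac_verify` call in `main` only checks that a correctly signed PAC is accepted; nothing exercises rejection, which is the property that matters for a PAC checksum, so an implementation that accepted any PAC would pass this test. After the first successful verify a negative case costs three lines: `ret = krb5_pac_verify(context, pac, authtime, p, &kdc_keyblock, &member_keyblock);` `if (ret == 0)` `err(context, 0, "krb5_pac_verify accepted swapped keys");`, and similar checks with one byte of a local copy of `saved_pac` flipped and with `authtime + 1` would cover the data and timestamp bindings. Minor: the `data` produced by the fourth `krb5int_pac_sign` is parsed into `pac2` but never released with `krb5_free_data_contents`, unlike the other two sign/parse round trips, and `err`'s format attribute uses argument index 0, so the variadic arguments are not format-checked (`3, 4` would check them).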
=================================================================== --- trunk/src/lib/krb5/krb/t_princ.c 2009-03-26 05:37:45 UTC (rev 22146) +++ trunk/src/lib/krb5/krb/t_princ.c 2009-03-30 02:43:51 UTC (rev 22147) 
@@ -0,0 +1,401 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ +/* + * Copyright (c) 2003 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of KTH nor the names of its contributors may be + * used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + +#include "k5-int.h" + +/* + * Check that a closed cc still keeps it data and that it's no longer + * there when it's destroyed. + */ + +static void err(krb5_context ctx, krb5_error_code code, const char *fmt, ...) 
+ __attribute__((__format__(__printf__, 3, 0))); + +static void +err(krb5_context ctx, krb5_error_code code, const char *fmt, ...) +{ + va_list ap; + char *msg; + const char *errmsg = NULL; + + va_start(ap, fmt); + if (vasprintf(&msg, fmt, ap) < 0) + exit(1); + va_end(ap); + if (ctx && code) + errmsg = krb5_get_error_message(ctx, code); + if (errmsg) + fprintf(stderr, "t_princ: %s: %s\n", msg, errmsg); + else + fprintf(stderr, "t_princ: %s\n", msg); + exit(1); +} + +static void +test_princ(krb5_context context) +{ + const char *princ = "lha at SU.SE"; + const char *princ_short = "lha"; + const char *noquote; + krb5_error_code ret; + char *princ_unparsed; + char *princ_reformed = NULL; + const char *realm; + + krb5_principal p, p2; + + ret = krb5_parse_name(context, princ, &p); + if (ret) + err(context, ret, "krb5_parse_name"); + + ret = krb5_unparse_name(context, p, &princ_unparsed); + if (ret) + err(context, ret, "krb5_parse_name"); + + if (strcmp(princ, princ_unparsed)) { + err(context, 0, "%s != %s", princ, princ_unparsed); + } + + free(princ_unparsed); + + ret = krb5_unparse_name_flags(context, p, + KRB5_PRINCIPAL_UNPARSE_NO_REALM, + &princ_unparsed); + if (ret) + err(context, ret, "krb5_parse_name"); + + if (strcmp(princ_short, princ_unparsed)) + err(context, 0, "%s != %s", princ_short, princ_unparsed); + free(princ_unparsed); + + realm = krb5_princ_realm(context, p)->data; + + asprintf(&princ_reformed, "%s@%s", princ_short, realm); + + ret = krb5_parse_name(context, princ_reformed, &p2); + free(princ_reformed); + if (ret) + err(context, ret, "krb5_parse_name"); + + if (!krb5_principal_compare(context, p, p2)) { + err(context, 0, "p != p2"); + } + + krb5_free_principal(context, p2); + + ret = krb5_set_default_realm(context, "SU.SE"); + if (ret) + err(context, ret, "krb5_parse_name"); + + ret = krb5_unparse_name_flags(context, p, + KRB5_PRINCIPAL_UNPARSE_SHORT, + &princ_unparsed); + if (ret) + err(context, ret, "krb5_parse_name"); + + if (strcmp(princ_short, 
princ_unparsed)) + err(context, 0, "'%s' != '%s'", princ_short, princ_unparsed); + free(princ_unparsed); + + ret = krb5_parse_name(context, princ_short, &p2); + if (ret) + err(context, ret, "krb5_parse_name"); + + if (!krb5_principal_compare(context, p, p2)) + err(context, 0, "p != p2"); + krb5_free_principal(context, p2); + + ret = krb5_unparse_name(context, p, &princ_unparsed); + if (ret) + err(context, ret, "krb5_parse_name"); + + if (strcmp(princ, princ_unparsed)) + err(context, 0, "'%s' != '%s'", princ, princ_unparsed); + free(princ_unparsed); + + ret = krb5_set_default_realm(context, "SAMBA.ORG"); + if (ret) + err(context, ret, "krb5_parse_name"); + + ret = krb5_parse_name(context, princ_short, &p2); + if (ret) + err(context, ret, "krb5_parse_name"); + + if (krb5_principal_compare(context, p, p2)) + err(context, 0, "p == p2"); + + if (!krb5_principal_compare_any_realm(context, p, p2)) + err(context, 0, "(ignoring realms) p != p2"); + + ret = krb5_unparse_name(context, p2, &princ_unparsed); + if (ret) + err(context, ret, "krb5_parse_name"); + + if (strcmp(princ, princ_unparsed) == 0) + err(context, 0, "%s == %s", princ, princ_unparsed); + free(princ_unparsed); + + krb5_free_principal(context, p2); + + ret = krb5_parse_name(context, princ, &p2); + if (ret) + err(context, ret, "krb5_parse_name"); + + if (!krb5_principal_compare(context, p, p2)) + err(context, 0, "p != p2"); + + ret = krb5_unparse_name(context, p2, &princ_unparsed); + if (ret) + err(context, ret, "krb5_parse_name"); + + if (strcmp(princ, princ_unparsed)) + err(context, 0, "'%s' != '%s'", princ, princ_unparsed); + free(princ_unparsed); + + krb5_free_principal(context, p2); + + ret = krb5_unparse_name_flags(context, p, + KRB5_PRINCIPAL_UNPARSE_SHORT, + &princ_unparsed); + if (ret) + err(context, ret, "krb5_unparse_name_short"); + + if (strcmp(princ, princ_unparsed) != 0) + err(context, 0, "'%s' != '%s'", princ, princ_unparsed); + free(princ_unparsed); + + ret = krb5_unparse_name(context, p, 
&princ_unparsed); + if (ret) + err(context, ret, "krb5_unparse_name_short"); + + if (strcmp(princ, princ_unparsed)) + err(context, 0, "'%s' != '%s'", princ, princ_unparsed); + free(princ_unparsed); + + ret = krb5_parse_name_flags(context, princ, + KRB5_PRINCIPAL_PARSE_NO_REALM, + &p2); + if (!ret) + err(context, ret, "Should have failed to parse %s a " + "short name", princ); + + ret = krb5_parse_name_flags(context, princ_short, + KRB5_PRINCIPAL_PARSE_NO_REALM, + &p2); + if (ret) + err(context, ret, "krb5_parse_name"); + + ret = krb5_unparse_name_flags(context, p2, + KRB5_PRINCIPAL_UNPARSE_NO_REALM, + &princ_unparsed); + krb5_free_principal(context, p2); + if (ret) + err(context, ret, "krb5_unparse_name_norealm"); + + if (strcmp(princ_short, princ_unparsed)) + err(context, 0, "'%s' != '%s'", princ_short, princ_unparsed); + free(princ_unparsed); + + ret = krb5_parse_name_flags(context, princ_short, + KRB5_PRINCIPAL_PARSE_REQUIRE_REALM, + &p2); + if (!ret) + err(context, ret, "Should have failed to parse %s " + "because it lacked a realm", princ_short); + + ret = krb5_parse_name_flags(context, princ, + KRB5_PRINCIPAL_PARSE_REQUIRE_REALM, + &p2); + if (ret) + err(context, ret, "krb5_parse_name"); + + if (!krb5_principal_compare(context, p, p2)) + err(context, 0, "p != p2"); + + ret = krb5_unparse_name_flags(context, p2, + KRB5_PRINCIPAL_UNPARSE_NO_REALM, + &princ_unparsed); + krb5_free_principal(context, p2); + if (ret) + err(context, ret, "krb5_unparse_name_norealm"); + + if (strcmp(princ_short, princ_unparsed)) + err(context, 0, "'%s' != '%s'", princ_short, princ_unparsed); + free(princ_unparsed); + + krb5_free_principal(context, p); + + /* test quoting */ + + princ = "test\\/principal at SU.SE"; + noquote = "test/principal at SU.SE"; + + ret = krb5_parse_name_flags(context, princ, 0, &p); + if (ret) + err(context, ret, "krb5_parse_name"); + + ret = krb5_unparse_name_flags(context, p, 0, &princ_unparsed); + if (ret) + err(context, ret, "krb5_unparse_name_flags"); + 
+ if (strcmp(princ, princ_unparsed)) + err(context, 0, "q '%s' != '%s'", princ, princ_unparsed); + free(princ_unparsed); + + ret = krb5_unparse_name_flags(context, p, KRB5_PRINCIPAL_UNPARSE_DISPLAY, + &princ_unparsed); + if (ret) + err(context, ret, "krb5_unparse_name_flags"); + + if (strcmp(noquote, princ_unparsed)) + err(context, 0, "nq '%s' != '%s'", noquote, princ_unparsed); + free(princ_unparsed); + + krb5_free_principal(context, p); +} + +static void +test_enterprise(krb5_context context) +{ + krb5_error_code ret; + char *unparsed; + krb5_principal p; + + ret = krb5_set_default_realm(context, "SAMBA.ORG"); + if (ret) + err(context, ret, "krb5_parse_name"); + + ret = krb5_parse_name_flags(context, "lha at su.se@WIN.SU.SE", + KRB5_PRINCIPAL_PARSE_ENTERPRISE, &p); + if (ret) + err(context, ret, "krb5_parse_name_flags"); + + ret = krb5_unparse_name(context, p, &unparsed); + if (ret) + err(context, ret, "krb5_unparse_name"); + + krb5_free_principal(context, p); + + if (strcmp(unparsed, "lha\\@su.se at WIN.SU.SE") != 0) + err(context, 0, "enterprise name failed 1"); + free(unparsed); + + /* + * + */ + + ret = krb5_parse_name_flags(context, "lha\\@su.se at WIN.SU.SE", + KRB5_PRINCIPAL_PARSE_ENTERPRISE, &p); + if (ret) + err(context, ret, "krb5_parse_name_flags"); + + ret = krb5_unparse_name(context, p, &unparsed); + if (ret) + err(context, ret, "krb5_unparse_name"); + + krb5_free_principal(context, p); + if (strcmp(unparsed, "lha\\@su.se\\@WIN.SU.SE at SAMBA.ORG") != 0) + err(context, 0, "enterprise name failed 2: %s", unparsed); + free(unparsed); + + /* + * + */ + + ret = krb5_parse_name_flags(context, "lha\\@su.se at WIN.SU.SE", 0, &p); + if (ret) + err(context, ret, "krb5_parse_name_flags"); + + ret = krb5_unparse_name(context, p, &unparsed); + if (ret) + err(context, ret, "krb5_unparse_name"); + + krb5_free_principal(context, p); + if (strcmp(unparsed, "lha\\@su.se at WIN.SU.SE") != 0) + err(context, 0, "enterprise name failed 3"); + free(unparsed); + + /* + * + 
*/ + + ret = krb5_parse_name_flags(context, "lha at su.se", + KRB5_PRINCIPAL_PARSE_ENTERPRISE, &p); + if (ret) + err(context, ret, "krb5_parse_name_flags"); + + ret = krb5_unparse_name(context, p, &unparsed); + if (ret) + err(context, ret, "krb5_unparse_name"); + + krb5_free_principal(context, p); + if (strcmp(unparsed, "lha\\@su.se at SAMBA.ORG") != 0) + err(context, 0, "enterprise name failed 2: %s", unparsed); + free(unparsed); + + + ret = krb5_parse_name_flags(context, "lukeh at ntdev.padl.com", + KRB5_PRINCIPAL_PARSE_ENTERPRISE, &p); + if (ret) + err(context, ret, "krb5_parse_name_flags"); + + ret = krb5_unparse_name_flags(context, p, KRB5_PRINCIPAL_UNPARSE_NO_REALM, + &unparsed); + if (ret) + err(context, ret, "krb5_unparse_name"); + + krb5_free_principal(context, p); + if (strcmp(unparsed, "lukeh at ntdev.padl.com") != 0) + err(context, 0, "enterprise name failed 4: %s", unparsed); + free(unparsed); +} + + +int +main(int argc, char **argv) +{ + krb5_context context; + krb5_error_code ret; + + ret = krb5_init_context(&context); + if (ret) + err(NULL, 0, "krb5_init_context failed: %d", ret); + + test_princ(context); + + test_enterprise(context); + + krb5_free_context(context); + + return 0; +} From hartmans at MIT.EDU Tue Mar 31 12:50:26 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Tue, 31 Mar 2009 12:50:26 -0400 Subject: svn rev #22148: trunk/src/lib/krb5/krb/ Message-ID: <200903311650.n2VGoQPn008951@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22148 Commit By: hartmans Log Message: ticket: 6393 in send_tgs.c: Encrypt using local_subkey not *subkey Changed Files: U trunk/src/lib/krb5/krb/send_tgs.c Modified: trunk/src/lib/krb5/krb/send_tgs.c =================================================================== --- trunk/src/lib/krb5/krb/send_tgs.c 2009-03-30 02:43:51 UTC (rev 22147) +++ trunk/src/lib/krb5/krb/send_tgs.c 2009-03-31 16:50:25 UTC (rev 22148) 
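Review bot: In `test_princ` the return value of `asprintf(&princ_reformed, "%s@%s", princ_short, realm)` is not checked, so on allocation failure `princ_reformed` is handed to `krb5_parse_name` and `free` in an unspecified state; make it `if (asprintf(&princ_reformed, "%s@%s", princ_short, realm) < 0) err(context, 0, "asprintf");`. The comment above `err` ("Check that a closed cc still keeps it data ...") describes a credential-cache test and does not match this file; replace it with `/* Tests for krb5_parse_name / krb5_unparse_name and their _flags variants, including quoting and enterprise names. */`. The ` at ` inside the principal literals looks like mailing-list munging of `@` rather than source text, but it is worth confirming against the committed file since these strings are compared byte-for-byte, and `err`'s format attribute should use argument index 4, not 0, so the variadic arguments are checked.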
@@ -187,7 +187,7 @@ if ((retval = encode_krb5_authdata(authorization_data, &scratch))) goto send_tgs_error_1; - if ((retval = krb5_encrypt_helper(context, *subkey, + if ((retval = krb5_encrypt_helper(context, local_subkey, KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY, scratch, &tgsreq.authorization_data))) { From hartmans at MIT.EDU Tue Mar 31 13:00:43 2009 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Tue, 31 Mar 2009 13:00:43 -0400 Subject: svn rev #22149: trunk/src/ include/ include/krb5/ kdc/ lib/krb5/ lib/krb5/asn.1/ ... Message-ID: <200903311700.n2VH0hJR009765@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22149 Commit By: hartmans Log Message: ticket: 6436 subject: Implement FAST from draft-ietf-krb-wg-preauth-framework Target_Version: 1.7 Merge fast branch at 22146 onto trunk Implement the kerberos pre-authentication framework FAST feature per Projects/FAST on the wiki. Changed Files: U trunk/src/Makefile.in U trunk/src/configure.in U trunk/src/include/k5-int-pkinit.h U trunk/src/include/k5-int.h U trunk/src/include/krb5/krb5.hin U trunk/src/include/krb5/preauth_plugin.h U trunk/src/kdc/Makefile.in U trunk/src/kdc/dispatch.c U trunk/src/kdc/do_as_req.c U trunk/src/kdc/do_tgs_req.c A trunk/src/kdc/fast_util.c U trunk/src/kdc/kdc_preauth.c U trunk/src/kdc/kdc_util.c U trunk/src/kdc/kdc_util.h U trunk/src/lib/krb5/asn.1/asn1_k_decode.c U trunk/src/lib/krb5/asn.1/asn1_k_decode.h U trunk/src/lib/krb5/asn.1/asn1_k_encode.c U trunk/src/lib/krb5/asn.1/krb5_decode.c U trunk/src/lib/krb5/error_tables/krb5_err.et U trunk/src/lib/krb5/error_tables/kv5m_err.et U trunk/src/lib/krb5/krb/Makefile.in A trunk/src/lib/krb5/krb/fast.c A trunk/src/lib/krb5/krb/fast.h U trunk/src/lib/krb5/krb/get_in_tkt.c U trunk/src/lib/krb5/krb/gic_opt.c U trunk/src/lib/krb5/krb/kfree.c U trunk/src/lib/krb5/krb/preauth2.c U trunk/src/lib/krb5/libkrb5.exports U trunk/src/lib/krb5/os/accessor.c A trunk/src/plugins/preauth/encrypted_challenge/ A trunk/src/plugins/preauth/encrypted_challenge/Makefile.in A trunk/src/plugins/preauth/encrypted_challenge/deps A trunk/src/plugins/preauth/encrypted_challenge/encrypted_challenge.exports A trunk/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c A trunk/src/plugins/preauth/fast_factor.h Modified: trunk/src/Makefile.in 
=================================================================== --- trunk/src/Makefile.in 2009-03-31 16:50:25 UTC (rev 22148) +++ trunk/src/Makefile.in 2009-03-31 17:00:41 UTC (rev 22149) @@ -12,6 +12,7 @@ SUBDIRS=util include lib kdc kadmin @ldap_plugin_dir@ slave clients \ plugins/kdb/db2 \ plugins/preauth/pkinit \ + plugins/preauth/encrypted_challenge \ appl tests \ config-files gen-manpages BUILDTOP=$(REL)$(C) Modified: trunk/src/configure.in =================================================================== --- trunk/src/configure.in 2009-03-31 16:50:25 UTC (rev 22148) +++ trunk/src/configure.in 2009-03-31 17:00:41 UTC (rev 22149) @@ -1080,7 +1080,7 @@ plugins/kdb/db2/libdb2/mpool plugins/kdb/db2/libdb2/recno plugins/kdb/db2/libdb2/test - plugins/preauth/cksum_body + plugins/preauth/cksum_body plugins/preauth/encrypted_challenge plugins/preauth/wpse plugins/authdata/greet Modified: trunk/src/include/k5-int-pkinit.h =================================================================== --- trunk/src/include/k5-int-pkinit.h 2009-03-31 16:50:25 UTC (rev 22148) +++ trunk/src/include/k5-int-pkinit.h 2009-03-31 17:00:41 UTC (rev 22149) @@ -101,6 +101,9 @@ } krb5_trusted_ca; /* typed data */ +/* The FAST error handling logic currently assumes that this structure and krb5_pa_data * can be safely cast to each other + * if this structure changes, that code needs to be updated to copy. + */ typedef struct _krb5_typed_data { krb5_magic magic; krb5_int32 type; @@ -267,4 +270,6 @@ krb5_error_code decode_krb5_td_dh_parameters (const krb5_data *, krb5_algorithm_identifier ***); +void krb5_free_typed_data(krb5_context, krb5_typed_data **); + #endif /* _KRB5_INT_PKINIT_H */ Modified: trunk/src/include/k5-int.h =================================================================== --- trunk/src/include/k5-int.h 2009-03-31 16:50:25 UTC (rev 22148) +++ trunk/src/include/k5-int.h 2009-03-31 17:00:41 UTC (rev 22149) 
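Review bot: The new comment on krb5_typed_data records that the FAST error-handling code casts `krb5_typed_data *` and `krb5_pa_data *` into each other, yet nothing enforces that the two layouts stay in step, and prepare_error_as in this same commit builds each krb5_pa_data field by field instead of casting, so the note may already be stale. If a cast is still used somewhere it is also a strict-aliasing hazard under optimization; either point the comment at the code that relies on it or replace it with a check, e.g. a reviewer note such as `/* NOTE(review): confirm member-for-member parity with krb5_pa_data (magic, type, length, data) or remove the cast */`, so the assumption cannot drift silently when one structure changes.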
@@ -910,9 +910,11 @@ * requested information. It is opaque to the plugin code and can be * expanded in the future as new types of requests are defined which * may require other things to be passed through. */ + struct krb5int_fast_request_state; typedef struct _krb5_preauth_client_rock { krb5_magic magic; - krb5_kdc_rep *as_reply; + krb5_enctype *etype; + struct krb5int_fast_request_state *fast_state; } krb5_preauth_client_rock; /* This structure lets us keep track of all of the modules which are loaded, @@ -963,6 +965,48 @@ krb5_data auth_package; } krb5_pa_for_user; +enum { + KRB5_FAST_ARMOR_AP_REQUEST = 0x1 +}; + +typedef struct _krb5_fast_armor { + krb5_int32 armor_type; + krb5_data armor_value; +} krb5_fast_armor; +typedef struct _krb5_fast_armored_req { + krb5_magic magic; + krb5_fast_armor *armor; + krb5_checksum req_checksum; + krb5_enc_data enc_part; +} krb5_fast_armored_req; + +typedef struct _krb5_fast_req { + krb5_magic magic; + krb5_int32 fast_options; + /* padata from req_body is used*/ + krb5_kdc_req *req_body; +} krb5_fast_req; + +/* Bits 0-15 are critical in fast options.*/ +#define UNSUPPORTED_CRITICAL_FAST_OPTIONS 0x00ff +#define KRB5_FAST_OPTION_HIDE_CLIENT_NAMES 0x01 + +typedef struct _krb5_fast_finished { + krb5_timestamp timestamp; + krb5_int32 usec; + krb5_principal client; + krb5_checksum ticket_checksum; +} krb5_fast_finished; + +typedef struct _krb5_fast_response { + krb5_magic magic; + krb5_pa_data **padata; + krb5_keyblock *rep_key; + krb5_fast_finished *finished; + krb5_int32 nonce; +} krb5_fast_response; + + typedef krb5_error_code (*krb5_preauth_obtain_proc) (krb5_context, krb5_pa_data *, @@ -1036,6 +1080,10 @@ krb5_creds *, krb5_int32 *); +krb5_pa_data * krb5int_find_pa_data +(krb5_context, krb5_pa_data * const *, krb5_preauthtype); +/* Does not return a copy; original padata sequence responsible for freeing*/ + void krb5_free_etype_info (krb5_context, krb5_etype_info); 
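Review bot: The mask and its comment disagree in the new FAST options block: the comment says bits 0-15 are critical but `UNSUPPORTED_CRITICAL_FAST_OPTIONS` is `0x00ff`, which covers only eight bits, so a request that sets a critical option in the uncovered range passes the `fast_options & UNSUPPORTED_CRITICAL_FAST_OPTIONS` test in kdc_find_fast instead of being rejected with KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION. Which bits are "0-15" also depends on how the ASN.1 layer maps fast-options (a KerberosFlags bit string) into the krb5_int32; other flag constants added or kept elsewhere in this commit, e.g. `KRB5_SAM_USE_SAD_AS_KEY 0x80000000` in krb5.hin, put bit 0 at the most significant end, which `KRB5_FAST_OPTION_HIDE_CLIENT_NAMES 0x01` does not. Please confirm the convention against the encoder and make the mask match it, e.g. `#define UNSUPPORTED_CRITICAL_FAST_OPTIONS 0xffff` if the low-order-bit convention is intended.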
@@ -1088,6 +1136,7 @@ typedef struct _krb5_gic_opt_private { int num_preauth_data; krb5_gic_opt_pa_data *preauth_data; + char * fast_ccache_name; } krb5_gic_opt_private; /* @@ -1254,6 +1303,16 @@ void KRB5_CALLCONV krb5_free_etype_list (krb5_context, krb5_etype_list * ); +void KRB5_CALLCONV krb5_free_fast_armor +(krb5_context, krb5_fast_armor *); +void KRB5_CALLCONV krb5_free_fast_armored_req +(krb5_context, krb5_fast_armored_req *); +void KRB5_CALLCONV krb5_free_fast_req(krb5_context, krb5_fast_req *); +void KRB5_CALLCONV krb5_free_fast_finished +(krb5_context, krb5_fast_finished *); +void KRB5_CALLCONV krb5_free_fast_response +(krb5_context, krb5_fast_response *); + /* #include "krb5/wordsize.h" -- comes in through base-defs.h. */ #include "com_err.h" #include "k5-plugin.h" @@ -1563,6 +1622,16 @@ krb5_error_code encode_krb5_etype_list (const krb5_etype_list * , krb5_data **); +krb5_error_code encode_krb5_pa_fx_fast_request +(const krb5_fast_armored_req *, krb5_data **); +krb5_error_code encode_krb5_fast_req +(const krb5_fast_req *, krb5_data **); +krb5_error_code encode_krb5_pa_fx_fast_reply +(const krb5_enc_data *, krb5_data **); + +krb5_error_code encode_krb5_fast_response +(const krb5_fast_response *, krb5_data **); + /************************************************************************* * End of prototypes for krb5_encode.c *************************************************************************/ @@ -1722,6 +1791,19 @@ krb5_error_code decode_krb5_etype_list (const krb5_data *, krb5_etype_list **); +krb5_error_code decode_krb5_pa_fx_fast_request +(const krb5_data *, krb5_fast_armored_req **); + +krb5_error_code decode_krb5_fast_req +(const krb5_data *, krb5_fast_req **); + + +krb5_error_code decode_krb5_pa_fx_fast_reply +(const krb5_data *, krb5_enc_data **); + +krb5_error_code decode_krb5_fast_response +(const krb5_data *, krb5_fast_response **); + struct _krb5_key_data; /* kdb.h */ struct ldap_seqof_key_data { 
@@ -1951,7 +2033,7 @@ /* To keep happy libraries which are (for now) accessing internal stuff */ /* Make sure to increment by one when changing the struct */ -#define KRB5INT_ACCESS_STRUCT_VERSION 13 +#define KRB5INT_ACCESS_STRUCT_VERSION 14 #ifndef ANAME_SZ struct ktext; /* from krb.h, for krb524 support */ @@ -2005,6 +2087,16 @@ krb5_error_code (*asn1_ldap_decode_sequence_of_keys) (krb5_data *in, ldap_seqof_key_data **); + /* Used for encrypted challenge fast factor*/ + krb5_error_code (*encode_enc_data)(const krb5_enc_data *, krb5_data **); + krb5_error_code (*decode_enc_data)(const krb5_data *, krb5_enc_data **); + void (*free_enc_data)(krb5_context, krb5_enc_data *); + krb5_error_code (*encode_enc_ts)(const krb5_pa_enc_ts *, krb5_data **); + krb5_error_code (*decode_enc_ts)(const krb5_data *, krb5_pa_enc_ts **); + void (*free_enc_ts)(krb5_context, krb5_pa_enc_ts *); + krb5_error_code (*encrypt_helper) + (krb5_context, const krb5_keyblock *, krb5_keyusage, const krb5_data *, + krb5_enc_data *); /* * pkinit asn.1 encode/decode functions Modified: trunk/src/include/krb5/krb5.hin =================================================================== --- trunk/src/include/krb5/krb5.hin 2009-03-31 16:50:25 UTC (rev 22148) +++ trunk/src/include/krb5/krb5.hin 2009-03-31 17:00:41 UTC (rev 22149) @@ -631,7 +631,15 @@ /* Defined in KDC referrals draft */ #define KRB5_KEYUSAGE_PA_REFERRAL 26 /* XXX note conflict with above */ +/* define in draft-ietf-krb-wg-preauth-framework*/ +#define KRB5_KEYUSAGE_FAST_REQ_CHKSUM 50 +#define KRB5_KEYUSAGE_FAST_ENC 51 +#define KRB5_KEYUSAGE_FAST_REP 52 +#define KRB5_KEYUSAGE_FAST_FINISHED 53 +#define KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT 54 +#define KRB5_KEYUSAGE_ENC_CHALLENGE_KDC 55 +#define KRB5_KEYUSAGE_FAST_REP 52 krb5_boolean KRB5_CALLCONV krb5_c_valid_enctype (krb5_enctype ktype); krb5_boolean KRB5_CALLCONV krb5_c_valid_cksumtype 
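Review bot: `#define KRB5_KEYUSAGE_FAST_REP 52` appears twice in the new key-usage block; an identical redefinition compiles, but the second copy should be dropped so the two cannot drift apart. These numbers (50-55) are taken from a draft, as the comment says, so a one-line warning that they may be renumbered before publication is worth adding — a KDC and a client built from different drafts fail FAST checksum and decryption with no indication of why. Typo in the same comment: `/* defined in draft-ietf-krb-wg-preauth-framework */`.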
@@ -982,6 +990,11 @@ #define KRB5_PADATA_PAC_REQUEST 128 /* include Windows PAC */ #define KRB5_PADATA_FOR_USER 129 /* username protocol transition request */ #define KRB5_PADATA_S4U_X509_USER 130 /* certificate protocol transition request */ +#define KRB5_PADATA_FX_COOKIE 133 +#define KRB5_PADATA_FX_FAST 136 +#define KRB5_PADATA_FX_ERROR 137 +#define KRB5_PADATA_ENCRYPTED_CHALLENGE 138 + #define KRB5_SAM_USE_SAD_AS_KEY 0x80000000 #define KRB5_SAM_SEND_ENCRYPTED_SAD 0x40000000 #define KRB5_SAM_MUST_PK_ENCRYPT_SAD 0x20000000 /* currently must be zero */ @@ -1005,7 +1018,7 @@ #define KRB5_AUTHDATA_SESAME 65 #define KRB5_AUTHDATA_WIN2K_PAC 128 #define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /* RFC 4537 */ - +#define KRB5_AUTHDATA_FX_ARMOR 71 /* password change constants */ #define KRB5_KPASSWD_SUCCESS 0 @@ -1142,6 +1155,13 @@ krb5_authdata **unenc_authdata; /* unencrypted auth data, if available */ krb5_ticket **second_ticket;/* second ticket array; OPTIONAL */ + /* the following field is added in March 2009; it is a hack so + * that FAST state can be carried to pre-authentication plugins. + * A new plugin interface may be a better long-term approach. It + * is believed to be safe to extend this structure because it is + * not found in any public APIs. + */ + void * kdc_state; } krb5_kdc_req; typedef struct _krb5_enc_kdc_rep_part { 
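Review bot: The new `void * kdc_state` member of krb5_kdc_req has no ownership statement, and krb5_kdc_req is defined in krb5.hin, the installed public header, so the claim that the structure "is not found in any public APIs" deserves a second look before the size change is relied on. The KDC code in this commit nulls the field before calling krb5_free_kdc_req and releases it through kdc_free_rstate, so the comment should say so and whether krb5_free_kdc_req (kfree.c, changed in this commit but not shown here) ever touches it: `/* Owned by the KDC (struct kdc_request_state); the KDC clears it before krb5_free_kdc_req. */`. Minor: `KRB5_AUTHDATA_FX_ARMOR 71` is inserted after the 128/129 entries; keeping the list in numeric order makes collisions easier to spot.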
@@ -2393,6 +2413,15 @@ const char *attr, const char *value); +krb5_error_code KRB5_CALLCONV krb5_get_init_creds_opt_set_fast_ccache_name +(krb5_context context, krb5_get_init_creds_opt *opt, + const char * fast_ccache_name); + /* This API sets a ccache name that will contain some TGT on + calls to get_init_creds functions. If set, this ccache will + be used for FAST (draft-ietf-krb-wg-preauth-framework) to + protect the AS-REQ from observation and active attack. If + the fast_ccache_name is set, then FAST may be required by the + client library. In this version FAST is required.*/ krb5_error_code KRB5_CALLCONV krb5_get_init_creds_password (krb5_context context, Modified: trunk/src/include/krb5/preauth_plugin.h =================================================================== --- trunk/src/include/krb5/preauth_plugin.h 2009-03-31 16:50:25 UTC (rev 22148) +++ trunk/src/include/krb5/preauth_plugin.h 2009-03-31 17:00:41 UTC (rev 22149) 
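Review bot: The documentation for krb5_get_init_creds_opt_set_fast_ccache_name sits after the prototype, unlike the other comments in this header, and it leaves the security-relevant contract implicit: it says FAST "may be required" and then "In this version FAST is required", but not what a caller observes when the KDC does not support FAST. A caller setting this option is asking for the AS exchange to be protected, so the comment should state explicitly that the request fails rather than silently falling back to an unarmored AS-REQ, and name the error returned. Suggest moving the block above the prototype and replacing the last two sentences with `If set, FAST is required: the request fails instead of falling back to an unprotected AS-REQ when the KDC does not support it.`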
@@ -123,11 +123,22 @@ * information to enable it to process a request. */ enum krb5plugin_preauth_client_request_type { - /* The returned krb5_data item holds the enctype used to encrypt the - * encrypted portion of the AS_REP packet. */ + /* The returned krb5_data item holds the enctype expected to be used to encrypt the + * encrypted portion of the AS_REP packet. When handling a + * PREAUTH_REQUIRED error, this typically comes from etype-info2. + * When handling an AS reply, it is initialized from the AS reply itself.*/ krb5plugin_preauth_client_get_etype = 1, /* Free the data returned from krb5plugin_preauth_client_req_get_etype */ - krb5plugin_preauth_client_free_etype = 2 + krb5plugin_preauth_client_free_etype = 2, + /* The returned krb5_data contains the FAST armor key in a + * krb5_keyblock. Returns success with a NULL data item in the + * krb5_data if the client library supports FAST but is not using it.*/ + krb5plugin_preauth_client_fast_armor = 3, + /* Frees return from KRB5PLUGIN_PREAUTH_CLIENT_FAST_ARMOR. It is + * acceptable to set data to NULL and free the keyblock using + * krb5_free_keyblock; in that case, this frees the krb5_data + * only.*/ +krb5plugin_preauth_client_free_fast_armor = 4, }; typedef krb5_error_code (*preauth_get_client_data_proc)(krb5_context, 
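Review bot: `krb5plugin_preauth_client_free_fast_armor = 4,` is flush-left in an otherwise indented enum, and the comment above it refers to `KRB5PLUGIN_PREAUTH_CLIENT_FAST_ARMOR`, an identifier that does not exist (the enumerator is `krb5plugin_preauth_client_fast_armor`). The new trailing comma after the last enumerator is also a change from the previous style of this enum; it is legal C99 but this is a plugin ABI header that third-party modules compile against, so if the project still targets C89-pedantic compilers for that audience it is worth dropping.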
@@ -326,8 +337,16 @@ * implementation, there's a good chance that the result will not match * what the client sent, so don't go creating any fatal errors if it * doesn't match up. */ - krb5plugin_preauth_request_body = 4 -}; + krb5plugin_preauth_request_body = 4, + /* The returned krb5_data contains a krb5_keyblock with the FAST + armor key. The data member is NULL if this method is not part + of a FAST tunnel */ + krb5plugin_preauth_fast_armor = 5, + /* Frees a fast armor key; it is acceptable to set data to NULL + and free the keyblock using krb5_free_keyblock; in that case, + this function simply frees the data*/ + krb5plugin_preauth_free_fast_armor = 6, + }; typedef krb5_error_code (*preauth_get_entry_data_proc)(krb5_context, Modified: trunk/src/kdc/Makefile.in =================================================================== --- trunk/src/kdc/Makefile.in 2009-03-31 16:50:25 UTC (rev 22148) +++ trunk/src/kdc/Makefile.in 2009-03-31 17:00:41 UTC (rev 22149) @@ -24,6 +24,7 @@ $(srcdir)/dispatch.c \ $(srcdir)/do_as_req.c \ $(srcdir)/do_tgs_req.c \ + $(srcdir)/fast_util.c \ $(srcdir)/kdc_util.c \ $(srcdir)/kdc_preauth.c \ $(srcdir)/main.c \ @@ -38,6 +39,7 @@ dispatch.o \ do_as_req.o \ do_tgs_req.o \ + fast_util.o \ kdc_util.o \ kdc_preauth.o \ main.o \ Modified: trunk/src/kdc/dispatch.c =================================================================== --- trunk/src/kdc/dispatch.c 2009-03-31 16:50:25 UTC (rev 22148) +++ trunk/src/kdc/dispatch.c 2009-03-31 17:00:41 UTC (rev 22149) 
@@ -92,11 +92,12 @@ /* * setup_server_realm() sets up the global realm-specific data * pointer. + * process_as_req frees the request if it is called */ if (!(retval = setup_server_realm(as_req->server))) { retval = process_as_req(as_req, pkt, from, response); } - krb5_free_kdc_req(kdc_context, as_req); + else krb5_free_kdc_req(kdc_context, as_req); } } else Modified: trunk/src/kdc/do_as_req.c =================================================================== --- trunk/src/kdc/do_as_req.c 2009-03-31 16:50:25 UTC (rev 22148) +++ trunk/src/kdc/do_as_req.c 2009-03-31 17:00:41 UTC (rev 22149) @@ -82,7 +82,7 @@ #endif #endif /* APPLE_PKINIT */ -static krb5_error_code prepare_error_as (krb5_kdc_req *, int, krb5_data *, +static krb5_error_code prepare_error_as (struct kdc_request_state *, krb5_kdc_req *, int, krb5_data *, krb5_principal, krb5_data **, const char *); @@ -117,6 +117,9 @@ int did_log = 0; const char *emsg = 0; krb5_keylist_node *tmp_mkey_list; + struct kdc_request_state *state = NULL; + krb5_data encoded_req_body; + #if APPLE_PKINIT asReqDebug("process_as_req top realm %s name %s\n", @@ -133,6 +136,22 @@ session_key.contents = 0; enc_tkt_reply.authorization_data = NULL; + errcode = kdc_make_rstate(&state); + if (errcode != 0) { + status = "constructing state"; + goto errout; + } + if (fetch_asn1_field((unsigned char *) req_pkt->data, + 1, 4, &encoded_req_body) != 0) { + errcode = ASN1_BAD_ID; + status = "Finding req_body"; +} + errcode = kdc_find_fast(&request, &encoded_req_body, NULL /*TGS key*/, NULL, state); + if (errcode) { + status = "error decoding FAST"; + goto errout; + } + request->kdc_state = state; if (!request->client) { status = "NULL_CLIENT"; errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; @@ -548,6 +567,7 @@ goto errout; } + errcode = handle_authdata(kdc_context, c_flags, &client, 
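Review bot: The new fetch_asn1_field failure branch sets `errcode = ASN1_BAD_ID` and `status` but never leaves the function, so control falls into `kdc_find_fast(&request, &encoded_req_body, ...)` with `encoded_req_body` uninitialized and that call then overwrites errcode; the branch needs `goto errout;` after `status = "Finding req_body";`. `encoded_req_body` is what kdc_find_fast hands to krb5_c_verify_checksum as the FAST req_checksum input, so on this path the KDC verifies a checksum over whatever happened to be on the stack, and the packet is attacker-supplied. Separately, the cookie copy inside kdc_find_fast (fast_util.c, added in this commit) tests `if (new_padata != NULL) { retval = ENOMEM; }`, which is inverted, so any AS-REQ that echoes a PA-FX-COOKIE fails with ENOMEM through this call; worth fixing before this path is exercised. process_as_req's body starts and ends outside these hunks.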
@@ -572,6 +592,11 @@ goto errout; } ticket_reply.enc_part.kvno = server_key->key_data_kvno; + errcode = kdc_fast_response_handle_padata(state, request, &reply); + if (errcode) { + status = "fast response handling"; + goto errout; + } /* now encode/encrypt the response */ @@ -629,7 +654,7 @@ if (errcode < 0 || errcode > 128) errcode = KRB_ERR_GENERIC; - errcode = prepare_error_as(request, errcode, &e_data, + errcode = prepare_error_as(state, request, errcode, &e_data, c_nprincs ? client.princ : NULL, response, status); status = 0; @@ -679,18 +704,24 @@ } krb5_free_data_contents(kdc_context, &e_data); + kdc_free_rstate(state); + request->kdc_state = NULL; + krb5_free_kdc_req(kdc_context, request); assert(did_log != 0); return errcode; } static krb5_error_code -prepare_error_as (krb5_kdc_req *request, int error, krb5_data *e_data, +prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request, int error, krb5_data *e_data, krb5_principal canon_client, krb5_data **response, const char *status) { krb5_error errpkt; krb5_error_code retval; krb5_data *scratch; + krb5_pa_data **pa = NULL; + krb5_typed_data **td = NULL; + size_t size; errpkt.ctime = request->nonce; errpkt.cusec = 0; 
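Review bot: After `kdc_fast_response_handle_padata(state, request, &reply)` succeeds, reply.padata points at the FX-FAST wrapper array the helper allocates, and the array it pointed at before is only referenced from the encrypted fast_response and is dropped inside the helper without being freed; unless process_as_req keeps its own pointer to that original list (not visible in this hunk), the cleanup that frees reply.padata releases only the wrapper and the original padata leaks on every FAST AS exchange. Either free the old list in the helper once it has been encoded, or have the helper hand it back so this caller can free it. process_as_req's body starts and ends outside this hunk.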
@@ -719,13 +750,38 @@ errpkt.e_data.length = 0; errpkt.e_data.data = NULL; } - + /*We need to try and produce a padata sequence for FAST*/ + retval = decode_krb5_padata_sequence(e_data, &pa); + if (retval != 0) { + retval = decode_krb5_typed_data(e_data, &td); + if (retval == 0) { + for (size =0; td[size]; size++); + pa = calloc(size+1, sizeof(*pa)); + if (pa == NULL) + retval = ENOMEM; + else for (size = 0; td[size]; size++) { + krb5_pa_data *pad = malloc(sizeof(krb5_pa_data *)); + if (pad == NULL) { + retval = ENOMEM; + break; + } + pad->pa_type = td[size]->type; + pad->contents = td[size]->data; + pad->length = td[size]->length; + pa[size] = pad; + } + krb5_free_typed_data(kdc_context, td); + } + } + retval = kdc_fast_handle_error(kdc_context, rstate, + request, pa, &errpkt); + if (retval == 0) retval = krb5_mk_error(kdc_context, &errpkt, scratch); free(errpkt.text.data); if (retval) free(scratch); else *response = scratch; - + krb5_free_pa_data(kdc_context, pa); return retval; } Modified: trunk/src/kdc/do_tgs_req.c =================================================================== --- trunk/src/kdc/do_tgs_req.c 2009-03-31 16:50:25 UTC (rev 22148) +++ trunk/src/kdc/do_tgs_req.c 2009-03-31 17:00:41 UTC (rev 22149) @@ -76,7 +76,7 @@ krb5_boolean *,int *); static krb5_error_code -prepare_error_tgs(krb5_kdc_req *,krb5_ticket *,int, +prepare_error_tgs(struct kdc_request_state *, krb5_kdc_req *,krb5_ticket *,int, krb5_principal,krb5_data **,const char *); static krb5_int32 @@ -125,6 +125,9 @@ krb5_data *tgs_1 =NULL, *server_1 = NULL; krb5_principal krbtgt_princ; krb5_kvno ticket_kvno = 0; + struct kdc_request_state *state = NULL; + krb5_pa_data *pa_tgs_req; /*points into request*/ + krb5_data scratch; session_key.contents = NULL; 
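Review bot: `krb5_pa_data *pad = malloc(sizeof(krb5_pa_data *));` in the typed-data conversion allocates one pointer's worth of memory and then writes pa_type, contents and length into it, a heap overflow; it should be `krb5_pa_data *pad = malloc(sizeof(*pad));` (and set `pad->magic`). The converted entries also alias `td[size]->data` while `krb5_free_typed_data(kdc_context, td)` runs before `pa` is used and `pa` is later freed with krb5_free_pa_data, so unless krb5_free_typed_data (new in this commit, not shown) leaves the data buffers alone this is a use-after-free followed by a double free; transfer ownership instead: `pad->contents = td[size]->data; td[size]->data = NULL;`. Finally, the ENOMEM values stored in retval are never acted on because `retval = kdc_fast_handle_error(...)` overwrites them, so an allocation failure proceeds with a partially built list; test retval before that call. This is the KDC's error path, reachable by any client that provokes a pre-authentication error, so it needs the same care as the success path.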
@@ -140,7 +143,7 @@ return retval; } errcode = kdc_process_tgs_req(request, from, pkt, &header_ticket, - &krbtgt, &k_nprincs, &subkey); + &krbtgt, &k_nprincs, &subkey, &pa_tgs_req); if (header_ticket && header_ticket->enc_part2 && (errcode2 = krb5_unparse_name(kdc_context, header_ticket->enc_part2->client, @@ -161,7 +164,15 @@ status="UNEXPECTED NULL in header_ticket"; goto cleanup; } - + scratch.length = pa_tgs_req->length; + scratch.data = (char *) pa_tgs_req->contents; + errcode = kdc_find_fast(&request, &scratch, subkey, header_ticket->enc_part2->session, state); + if (errcode !=0) { + status = "kdc_find_fast"; + goto cleanup; + } + + /* * Pointer to the encrypted part of the header ticket, which may be * replaced to point to the encrypted part of the evidence ticket @@ -862,7 +873,12 @@ reply.enc_part.enctype = subkey ? subkey->enctype : header_ticket->enc_part2->session->enctype; - errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart, + errcode = kdc_fast_response_handle_padata(state, request, &reply); + if (errcode !=0 ) { + status = "Preparing FAST padata"; + goto cleanup; + } + errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart, subkey ? 1 : 0, subkey ? subkey : header_ticket->enc_part2->session, @@ -903,7 +919,7 @@ if (errcode < 0 || errcode > 128) errcode = KRB_ERR_GENERIC; - retval = prepare_error_tgs(request, header_ticket, errcode, + retval = prepare_error_tgs(state, request, header_ticket, errcode, nprincs ? server.princ : NULL, response, status); if (got_err) { @@ -916,6 +932,8 @@ krb5_free_ticket(kdc_context, header_ticket); if (request != NULL) krb5_free_kdc_req(kdc_context, request); + if (state) + kdc_free_rstate(state); if (cname != NULL) free(cname); if (sname != NULL) 
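Review bot: `state` is declared as `struct kdc_request_state *state = NULL;` and none of the do_tgs_req.c hunks call kdc_make_rstate, yet it is passed to `kdc_find_fast(&request, &scratch, subkey, header_ticket->enc_part2->session, state)` and to `kdc_fast_response_handle_padata(state, request, &reply)`; kdc_find_fast dereferences it (`state->armor_key`) as soon as a PA-FX-FAST padata is present, and kdc_fast_response_handle_padata does `if (!state->armor_key)` unconditionally, so as written every TGS-REQ that reaches the reply stage dereferences NULL in the KDC. Unless the allocation lives in a part of process_tgs_req not shown, add before the kdc_find_fast call `if ((errcode = kdc_make_rstate(&state)) != 0) { status = "making state"; goto cleanup; }`; the `if (state) kdc_free_rstate(state);` added in the cleanup hunk already releases it. process_tgs_req's body starts and ends outside these hunks.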
@@ -943,7 +961,8 @@ } static krb5_error_code -prepare_error_tgs (krb5_kdc_req *request, krb5_ticket *ticket, int error, +prepare_error_tgs (struct kdc_request_state *state, + krb5_kdc_req *request, krb5_ticket *ticket, int error, krb5_principal canon_server, krb5_data **response, const char *status) { @@ -966,14 +985,19 @@ errpkt.text.length = strlen(status) + 1; if (!(errpkt.text.data = strdup(status))) return ENOMEM; - + if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) { free(errpkt.text.data); return ENOMEM; } errpkt.e_data.length = 0; errpkt.e_data.data = NULL; - + retval = kdc_fast_handle_error(kdc_context, state, request, NULL, &errpkt); + if (retval) { + free(scratch); + free(errpkt.text.data); + return retval; + } retval = krb5_mk_error(kdc_context, &errpkt, scratch); free(errpkt.text.data); if (retval) Added: trunk/src/kdc/fast_util.c =================================================================== --- trunk/src/kdc/fast_util.c 2009-03-31 16:50:25 UTC (rev 22148) +++ trunk/src/kdc/fast_util.c 2009-03-31 17:00:41 UTC (rev 22149) 
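Review bot: prepare_error_tgs now passes `state` straight to kdc_fast_handle_error, which begins with `if (!state->armor_key) return 0;` (fast_util.c in this commit) and has no NULL check, while process_tgs_req initializes `state` to NULL and reaches prepare_error_tgs from early failures such as a rejected header ticket where nothing has populated it. A malformed or unauthenticated TGS-REQ is the path an attacker controls most easily, so guard the call here until the helper tolerates NULL: `retval = state ? kdc_fast_handle_error(kdc_context, state, request, NULL, &errpkt) : 0;`.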
@@ -0,0 +1,398 @@
+/*
+ * kdc/fast_util.c
+ *
+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ *
+ */
+
+#include
+
+#include "kdc_util.h"
+#include "extern.h"
+
+
+/*
+ * This function will find the fast and cookie padata and if fast is
+ * successfully processed, will throw away (and free) the outer
+ * request and update the pointer to point to the inner request. The
+ * checksummed_data points to the data that is in the
+ * armored_fast_request checksum; either the pa-tgs-req or the
+ * kdc-req-body.
+ */
+
+static krb5_error_code armor_ap_request
+(struct kdc_request_state *state, krb5_fast_armor *armor)
+{
+ krb5_error_code retval = 0;
+ krb5_auth_context authcontext = NULL;
+ krb5_ticket *ticket = NULL;
+ krb5_keyblock *subkey = NULL;
+
+ assert(armor->armor_type = KRB5_FAST_ARMOR_AP_REQUEST);
+ krb5_clear_error_message(kdc_context);
+ retval = krb5_auth_con_init(kdc_context, &authcontext);
+ if (retval == 0)
+ retval = krb5_auth_con_setflags(kdc_context, authcontext, 0); /*disable replay cache*/
+ retval = krb5_rd_req(kdc_context, &authcontext,
+ &armor->armor_value, NULL /*server*/,
+ kdc_active_realm->realm_keytab, NULL, &ticket);
+ if (retval !=0) {
+ const char * errmsg = krb5_get_error_message(kdc_context, retval);
+ krb5_set_error_message(kdc_context, retval,
+ "%s while handling ap-request armor", errmsg);
+ krb5_free_error_message(kdc_context, errmsg);
+ }
+ if (retval == 0) {
+ if (!krb5_principal_compare_any_realm(kdc_context,
+ tgs_server,
+ ticket->server)) {
+ krb5_set_error_message(kdc_context, KRB5KDC_ERR_SERVER_NOMATCH,
+ "ap-request armor for something other than the local TGS");
+ retval = KRB5KDC_ERR_SERVER_NOMATCH;
+ }
+ }
+ if (retval ==0) {
+ retval = krb5_auth_con_getrecvsubkey(kdc_context, authcontext, &subkey);
+ if (retval !=0 || subkey == NULL) {
+ krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY,
+ "ap-request armor without subkey");
+ retval = KRB5KDC_ERR_POLICY;
+ }
+ }
+ if (retval==0)
+ retval = krb5_c_fx_cf2_simple(kdc_context,
+ subkey, "subkeyarmor",
+ ticket->enc_part2->session, "ticketarmor",
+ &state->armor_key);
+ if (ticket)
+ krb5_free_ticket(kdc_context, ticket);
+ if (subkey)
+ krb5_free_keyblock(kdc_context, subkey);
+ if (authcontext)
+ krb5_auth_con_free(kdc_context, authcontext);
+ return retval;
+}
+
+static krb5_error_code encrypt_fast_reply
+(struct kdc_request_state *state, const krb5_fast_response *response,
+ krb5_data **fx_fast_reply)
+{
+ krb5_error_code retval = 0;
+ krb5_enc_data
encrypted_reply;
+ krb5_data *encoded_response = NULL;
+ assert(state->armor_key);
+ retval = encode_krb5_fast_response(response, &encoded_response);
+ if (retval== 0)
+ retval = krb5_encrypt_helper(kdc_context, state->armor_key,
+ KRB5_KEYUSAGE_FAST_REP,
+ encoded_response, &encrypted_reply);
+ if (encoded_response)
+ krb5_free_data(kdc_context, encoded_response);
+ encoded_response = NULL;
+ if (retval == 0) {
+ retval = encode_krb5_pa_fx_fast_reply(&encrypted_reply,
+ fx_fast_reply);
+ krb5_free_data_contents(kdc_context, &encrypted_reply.ciphertext);
+ }
+ return retval;
+}
+
+
+krb5_error_code kdc_find_fast
+(krb5_kdc_req **requestptr, krb5_data *checksummed_data,
+ krb5_keyblock *tgs_subkey,
+ krb5_keyblock *tgs_session,
+ struct kdc_request_state *state)
+{
+ krb5_error_code retval = 0;
+ krb5_pa_data *fast_padata, *cookie_padata;
+ krb5_data scratch;
+ krb5_fast_req * fast_req = NULL;
+ krb5_kdc_req *request = *requestptr;
+ krb5_fast_armored_req *fast_armored_req = NULL;
+ krb5_boolean cksum_valid;
+
+ scratch.data = NULL;
+ krb5_clear_error_message(kdc_context);
+ fast_padata = find_pa_data(request->padata,
+ KRB5_PADATA_FX_FAST);
+ if (fast_padata != NULL){
+ scratch.length = fast_padata->length;
+ scratch.data = (char *) fast_padata->contents;
+ retval = decode_krb5_pa_fx_fast_request(&scratch, &fast_armored_req);
+ if (retval == 0 &&fast_armored_req->armor) {
+ switch (fast_armored_req->armor->armor_type) {
+ case KRB5_FAST_ARMOR_AP_REQUEST:
+ retval = armor_ap_request(state, fast_armored_req->armor);
+ break;
+ default:
+ krb5_set_error_message(kdc_context, KRB5KDC_ERR_PREAUTH_FAILED,
+ "Unknow FAST armor type %d",
+ fast_armored_req->armor->armor_type);
+ retval = KRB5KDC_ERR_PREAUTH_FAILED;
+ }
+ }
+ if (retval == 0 && !state->armor_key) {
+ if (tgs_subkey)
+ retval = krb5_c_fx_cf2_simple(kdc_context,
+ tgs_subkey, "subkeyarmor",
+ tgs_session, "ticketarmor",
+ &state->armor_key);
+ else {
+ krb5_set_error_message(kdc_context,
KRB5KDC_ERR_PREAUTH_FAILED,
+ "No armor key but FAST armored request present");
+ retval = KRB5KDC_ERR_PREAUTH_FAILED;
+ }
+ }
+ if (retval == 0) {
+ krb5_data plaintext;
+ plaintext.length = fast_armored_req->enc_part.ciphertext.length;
+ plaintext.data = malloc(plaintext.length);
+ if (plaintext.data == NULL)
+ retval = ENOMEM;
+ retval = krb5_c_decrypt(kdc_context,
+ state->armor_key,
+ KRB5_KEYUSAGE_FAST_ENC, NULL,
+ &fast_armored_req->enc_part,
+ &plaintext);
+ if (retval == 0)
+ retval = decode_krb5_fast_req(&plaintext, &fast_req);
+ if (plaintext.data)
+ free(plaintext.data);
+ }
+ if (retval == 0)
+ retval = krb5_c_verify_checksum(kdc_context, state->armor_key,
+ KRB5_KEYUSAGE_FAST_REQ_CHKSUM,
+ checksummed_data, &fast_armored_req->req_checksum,
+ &cksum_valid);
+ if (retval == 0 && !cksum_valid) {
+ retval = KRB5KRB_AP_ERR_MODIFIED;
+ krb5_set_error_message(kdc_context, KRB5KRB_AP_ERR_MODIFIED,
+ "FAST req_checksum invalid; request modified");
+ }
+ if (retval == 0) {
+ if ((fast_req->fast_options & UNSUPPORTED_CRITICAL_FAST_OPTIONS) !=0)
+ retval = KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION;
+ }
+ if (retval == 0)
+ cookie_padata = find_pa_data(fast_req->req_body->padata, KRB5_PADATA_FX_COOKIE);
+ if (retval == 0) {
+ state->fast_options = fast_req->fast_options;
+ if (request->kdc_state == state)
+ request->kdc_state = NULL;
+ krb5_free_kdc_req( kdc_context, request);
+ *requestptr = fast_req->req_body;
+ fast_req->req_body = NULL;
+
+ }
+ }
+ else cookie_padata = find_pa_data(request->padata, KRB5_PADATA_FX_COOKIE);
+ if (retval == 0 && cookie_padata != NULL) {
+ krb5_pa_data *new_padata = malloc(sizeof (krb5_pa_data));
+ if (new_padata != NULL) {
+ retval = ENOMEM;
+ } else {
+ new_padata->pa_type = KRB5_PADATA_FX_COOKIE;
+ new_padata->length = cookie_padata->length;
+ new_padata->contents = malloc(new_padata->length);
+ if (new_padata->contents == NULL) {
+ retval = ENOMEM;
+ free(new_padata);
+ } else {
+ memcpy(new_padata->contents,
cookie_padata->contents, new_padata->length);
+ state->cookie = new_padata;
+ }
+ }
+ }
+ if (fast_req)
+ krb5_free_fast_req( kdc_context, fast_req);
+ if (fast_armored_req)
+ krb5_free_fast_armored_req(kdc_context, fast_armored_req);
+ return retval;
+}
+
+
+krb5_error_code kdc_make_rstate(struct kdc_request_state **out)
+{
+ struct kdc_request_state *state = malloc( sizeof(struct kdc_request_state));
+ if (state == NULL)
+ return ENOMEM;
+ memset( state, 0, sizeof(struct kdc_request_state));
+ *out = state;
+ return 0;
+}
+
+void kdc_free_rstate
+(struct kdc_request_state *s)
+{
+ if (s == NULL)
+ return;
+ if (s->armor_key)
+ krb5_free_keyblock(kdc_context, s->armor_key);
+ if (s->reply_key)
+ krb5_free_keyblock(kdc_context, s->reply_key);
+ if (s->cookie) {
+ free(s->cookie->contents);
+ free(s->cookie);
+ }
+ free(s);
+}
+
+krb5_error_code kdc_fast_response_handle_padata
+(struct kdc_request_state *state,
+ krb5_kdc_req *request,
+ krb5_kdc_rep *rep)
+{
+ krb5_error_code retval = 0;
+ krb5_fast_finished finish;
+ krb5_fast_response fast_response;
+ krb5_data *encoded_ticket = NULL;
+ krb5_data *encrypted_reply = NULL;
+ krb5_pa_data *pa = NULL, **pa_array;
+ krb5_cksumtype cksumtype = CKSUMTYPE_RSA_MD5;
+ krb5_pa_data *empty_padata[] = {NULL};
+
+ if (!state->armor_key)
+ return 0;
+ memset(&finish, 0, sizeof(finish));
+ fast_response.padata = rep->padata;
+ if (fast_response.padata == NULL)
+ fast_response.padata = &empty_padata[0];
+ fast_response.rep_key = state->reply_key;
+ fast_response.nonce = request->nonce;
+ fast_response.finished = &finish;
+ finish.client = rep->client;
+ pa_array = calloc(3, sizeof(*pa_array));
+ if (pa_array == NULL)
+ retval = ENOMEM;
+ pa = calloc(1, sizeof(krb5_pa_data));
+ if (retval == 0 && pa == NULL)
+ retval = ENOMEM;
+ if (retval == 0)
+ retval = krb5_us_timeofday(kdc_context, &finish.timestamp, &finish.usec);
+ if (retval == 0)
+ retval = encode_krb5_ticket(rep->ticket, &encoded_ticket);
+ if (retval == 0)
+ retval =
krb5int_c_mandatory_cksumtype(kdc_context, state->armor_key->enctype, &cksumtype); + if (retval == 0) + retval = krb5_c_make_checksum(kdc_context, cksumtype, + state->armor_key, KRB5_KEYUSAGE_FAST_FINISHED, + encoded_ticket, &finish.ticket_checksum); + if (retval == 0) + retval = encrypt_fast_reply(state, &fast_response, &encrypted_reply); + if (retval == 0) { + pa[0].pa_type = KRB5_PADATA_FX_FAST; + pa[0].length = encrypted_reply->length; + pa[0].contents = (unsigned char *) encrypted_reply->data; + pa_array[0] = &pa[0]; + rep->padata = pa_array; + pa_array = NULL; + encrypted_reply = NULL; + pa = NULL; + } + if (pa) + free(pa); + if (encrypted_reply) + krb5_free_data(kdc_context, encrypted_reply); + if (encoded_ticket) + krb5_free_data(kdc_context, encoded_ticket); + if (finish.ticket_checksum.contents) + krb5_free_checksum_contents(kdc_context, &finish.ticket_checksum); + return retval; +} + + +/* + * We assume the caller is responsible for passing us an in_padata + * sufficient to include in a FAST error. In the FAST case we will + * throw away the e_data in the error (if any); in the non-FAST case + * we will not use the in_padata. 
+ */ +krb5_error_code kdc_fast_handle_error +(krb5_context context, struct kdc_request_state *state, + krb5_kdc_req *request, + krb5_pa_data **in_padata, krb5_error *err) +{ + krb5_error_code retval = 0; + krb5_fast_response resp; + krb5_error fx_error; + krb5_data *encoded_fx_error = NULL, *encrypted_reply = NULL; + krb5_pa_data pa[2]; + krb5_pa_data *outer_pa[3]; + krb5_pa_data **inner_pa = NULL; + size_t size = 0; + krb5_data *encoded_e_data = NULL; + + memset(outer_pa, 0, sizeof(outer_pa)); + if (!state->armor_key) + return 0; + fx_error = *err; + fx_error.e_data.data = NULL; + fx_error.e_data.length = 0; + for (size = 0; in_padata&&in_padata[size]; size++); + size +=3; + inner_pa = calloc(size, sizeof(krb5_pa_data *)); + if (inner_pa == NULL) + retval = ENOMEM; + if (retval == 0) + for (size=0; in_padata&&in_padata[size]; size++) + inner_pa[size] = in_padata[size]; + if (retval == 0) + retval = encode_krb5_error(&fx_error, &encoded_fx_error); + if (retval == 0) { + pa[0].pa_type = KRB5_PADATA_FX_ERROR; + pa[0].length = encoded_fx_error->length; + pa[0].contents = (unsigned char *) encoded_fx_error->data; + inner_pa[size++] = &pa[0]; + resp.padata = inner_pa; + resp.nonce = request->nonce; + resp.rep_key = NULL; + resp.finished = NULL; + } + if (retval == 0) + retval = encrypt_fast_reply(state, &resp, &encrypted_reply); + if (inner_pa) + free(inner_pa); /*contained storage from caller and our stack*/ + if (retval == 0) { + pa[0].pa_type = KRB5_PADATA_FX_FAST; + pa[0].length = encrypted_reply->length; + pa[0].contents = (unsigned char *) encrypted_reply->data; + outer_pa[0] = &pa[0]; + } + retval = encode_krb5_padata_sequence(outer_pa, &encoded_e_data); + if (retval == 0) { + /*process_as holds onto a pointer to the original e_data and frees it*/ + err->e_data = *encoded_e_data; + free(encoded_e_data); /*contents belong to err*/ + encoded_e_data = NULL; + } + if (encoded_e_data) + krb5_free_data(kdc_context, encoded_e_data); + if (encrypted_reply) + 
krb5_free_data(kdc_context, encrypted_reply); + if (encoded_fx_error) + krb5_free_data(kdc_context, encoded_fx_error); + return retval; +} Modified: trunk/src/kdc/kdc_preauth.c =================================================================== --- trunk/src/kdc/kdc_preauth.c 2009-03-31 16:50:25 UTC (rev 22148) +++ trunk/src/kdc/kdc_preauth.c 2009-03-31 17:00:41 UTC (rev 22149) @@ -133,6 +133,12 @@ krb5_data **e_data, krb5_authdata ***authz_data); +static krb5_error_code get_enc_ts + (krb5_context, krb5_kdc_req *request, + krb5_db_entry *client, krb5_db_entry *server, + preauth_get_entry_data_proc get_entry_data, + void *pa_system_context, + krb5_pa_data *data); static krb5_error_code get_etype_info (krb5_context, krb5_kdc_req *request, krb5_db_entry *client, krb5_db_entry *server, @@ -279,7 +285,7 @@ NULL, NULL, NULL, - 0, + get_enc_ts, verify_enc_timestamp, 0 }, @@ -668,6 +674,7 @@ krb5_keyblock *keys, *mkey_ptr; krb5_key_data *entry_key; krb5_error_code error; + struct kdc_request_state *state = request->kdc_state; switch (type) { case krb5plugin_preauth_entry_request_certificate: @@ -752,6 +759,30 @@ } return ASN1_PARSE_ERROR; break; + case krb5plugin_preauth_fast_armor: + ret = calloc(1, sizeof(krb5_data)); + if (ret == NULL) + return ENOMEM; + if (state->armor_key == NULL) { + *result = ret; + return 0; + } + error = krb5_copy_keyblock(context, state->armor_key, &keys); + if (error == 0) { + ret->data = (char *) keys; + ret->length = sizeof(krb5_keyblock); + *result = ret; + return 0; + } + free(ret); + return error; + case krb5plugin_preauth_free_fast_armor: + if ((*result)->data) { + keys = (krb5_keyblock *) (*result)->data; + krb5_free_keyblock(context, keys); + } + free(*result); + return 0; default: break; } 
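Review bot: The new krb5plugin_preauth_fast_armor case dereferences `state` as `state->armor_key` with no NULL check, where `state` is assigned from `request->kdc_state` in the hunk at @@ -668; get_enc_ts at @@ -1340 makes the same assumption. If any caller can reach these paths before kdc_make_rstate has attached a state to the request, the KDC dies on a NULL dereference, so a guard such as `if (state == NULL) return EINVAL;` ahead of the `switch` would make the precondition explicit. The case also passes a `krb5_keyblock *` to the plugin through `ret->data` with `ret->length = sizeof(krb5_keyblock)`, which reads like a serialized buffer; a comment like `/* data holds a krb5_keyblock *, not serialized bytes; released by krb5plugin_preauth_free_fast_armor */` would stop a plugin author from treating it as one. The enclosing function starts before this hunk.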
@@ -1340,7 +1371,20 @@ return 0; } - +static krb5_error_code get_enc_ts + (krb5_context context, krb5_kdc_req *request, + krb5_db_entry *client, krb5_db_entry *server, + preauth_get_entry_data_proc get_entry_data_proc, + void *pa_system_context, + krb5_pa_data *data) +{ + struct kdc_request_state *state = request->kdc_state; + if (state->armor_key) + return ENOENT; + return 0; +} + + static krb5_error_code verify_enc_timestamp(krb5_context context, krb5_db_entry *client, krb5_data *req_pkt, Modified: trunk/src/kdc/kdc_util.c =================================================================== --- trunk/src/kdc/kdc_util.c 2009-03-31 16:50:25 UTC (rev 22148) +++ trunk/src/kdc/kdc_util.c 2009-03-31 17:00:41 UTC (rev 22149) @@ -217,28 +217,20 @@ krb5_pa_data * find_pa_data(krb5_pa_data **padata, krb5_preauthtype pa_type) { - krb5_pa_data **tmppa; - - if (padata == NULL) - return NULL; - - for (tmppa = padata; *tmppa != NULL; tmppa++) { - if ((*tmppa)->pa_type == pa_type) - break; - } - - return *tmppa; +return krb5int_find_pa_data(kdc_context, padata, pa_type); } krb5_error_code kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from, krb5_data *pkt, krb5_ticket **ticket, krb5_db_entry *krbtgt, int *nprincs, - krb5_keyblock **subkey) + krb5_keyblock **subkey, + krb5_pa_data **pa_tgs_req) { krb5_pa_data * tmppa; krb5_ap_req * apreq; krb5_error_code retval; + krb5_authdata **authdata = NULL; krb5_data scratch1; krb5_data * scratch = NULL; krb5_boolean foreign_server = FALSE; 
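Review bot: get_enc_ts returns ENOENT whenever `state->armor_key` is set, but nothing explains what that achieves; given where it is wired into the table at @@ -279, it presumably keeps encrypted timestamp out of the preauth list offered to clients that already have a FAST armor key, though the ENOENT convention of the get proc is not visible in this chunk. A comment such as `/* Do not offer encrypted timestamp inside a FAST tunnel; ENOENT omits it from the advertised padata. */` would preserve the intent, and the five unused parameters could be marked as deliberately unused so compiler warnings do not hide real ones.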
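Review bot: The new `pa_tgs_req` out-parameter of kdc_process_tgs_req is only assigned on the success path in the hunk at @@ -383 (`if (retval == 0) *pa_tgs_req = tmppa;`), so a caller that inspects it after a failure reads whatever the variable held before; initialise it at function entry with `*pa_tgs_req = NULL;` (the body continues outside this hunk). Since `tmppa` is a local found in the request rather than a copy, the header should also say that the returned pointer appears to alias the request's padata and must not be freed or used after the request is. Minor style: the rewritten find_pa_data body `return krb5int_find_pa_data(kdc_context, padata, pa_type);` sits at column 0 instead of the function's indent.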
@@ -350,6 +342,22 @@ &authenticator))) goto cleanup_auth_context; + retval = krb5int_find_authdata(kdc_context, + (*ticket)->enc_part2->authorization_data, + authenticator->authorization_data, + KRB5_AUTHDATA_FX_ARMOR, &authdata); + if (retval != 0) + goto cleanup_auth_context; + if (authdata&& authdata[0]) { + krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY, + "ticket valid only as FAST armor"); + retval = KRB5KDC_ERR_POLICY; + krb5_free_authdata(kdc_context, authdata); + goto cleanup_auth_context; + } + krb5_free_authdata(kdc_context, authdata); + + /* Check for a checksum */ if (!(his_cksum = authenticator->checksum)) { retval = KRB5KRB_AP_ERR_INAPP_CKSUM; @@ -383,6 +391,8 @@ } } + if (retval == 0) + *pa_tgs_req = tmppa; cleanup_authenticator: krb5_free_authenticator(kdc_context, authenticator); Modified: trunk/src/kdc/kdc_util.h =================================================================== --- trunk/src/kdc/kdc_util.h 2009-03-31 16:50:25 UTC (rev 22148) +++ trunk/src/kdc/kdc_util.h 2009-03-31 17:00:41 UTC (rev 22149) @@ -66,7 +66,7 @@ krb5_ticket **, krb5_db_entry *krbtgt, int *nprincs, - krb5_keyblock **); + krb5_keyblock **, krb5_pa_data **pa_tgs_req); krb5_error_code kdc_get_server_key (krb5_ticket *, unsigned int, krb5_boolean match_enctype, 
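Review bot: The KRB5_AUTHDATA_FX_ARMOR check is a policy enforcement point, rejecting a ticket that carries armor-only authdata with KRB5KDC_ERR_POLICY before it can be used to obtain service tickets, but the code does not say why; a comment above the krb5int_find_authdata call such as `/* A ticket carrying FX_ARMOR authdata is valid only as FAST armor, never as a TGS-REQ ticket. */` would keep that intent from being lost in a later refactor. Minor style: `if (authdata&& authdata[0])` wants a space before `&&`. The enclosing function continues outside the hunk.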
@@ -298,8 +298,42 @@ const char *status, krb5_error_code errcode, const char *emsg); void log_tgs_alt_tgt(krb5_principal p); +/*Request state*/ +struct kdc_request_state { + krb5_keyblock *armor_key; + krb5_keyblock *reply_key; /*When replaced by FAST*/ + krb5_pa_data *cookie; + krb5_int32 fast_options; + krb5_int32 fast_internal_flags; +}; +krb5_error_code kdc_make_rstate(struct kdc_request_state **out); +void kdc_free_rstate +(struct kdc_request_state *s); +/* FAST*/ +enum krb5_fast_kdc_flags { + KRB5_FAST_REPLY_KEY_USED = 0x1, + KRB5_FAST_REPLY_KEY_REPLACED = 0x02, +}; + +krb5_error_code kdc_find_fast +(krb5_kdc_req **requestptr, krb5_data *checksummed_data, + krb5_keyblock *tgs_subkey, krb5_keyblock *tgs_session, + struct kdc_request_state *state); + +krb5_error_code kdc_fast_response_handle_padata +(struct kdc_request_state *state, + krb5_kdc_req *request, + krb5_kdc_rep *rep); +krb5_error_code kdc_fast_handle_error +(krb5_context context, struct kdc_request_state *state, + krb5_kdc_req *request, + krb5_pa_data **in_padata, krb5_error *err); + + + + #define isflagset(flagfield, flag) (flagfield & (flag)) #define setflag(flagfield, flag) (flagfield |= (flag)) #define clear(flagfield, flag) (flagfield &= ~(flag)) Modified: trunk/src/lib/krb5/asn.1/asn1_k_decode.c =================================================================== --- trunk/src/lib/krb5/asn.1/asn1_k_decode.c 2009-03-31 16:50:25 UTC (rev 22148) +++ trunk/src/lib/krb5/asn.1/asn1_k_decode.c 2009-03-31 17:00:41 UTC (rev 22149) 
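Review bot: struct kdc_request_state and the kdc_find_fast prototype are new KDC-internal interfaces with no ownership documentation, and the implementation earlier in this change shows the rules are non-obvious: kdc_free_rstate frees armor_key, reply_key and cookie, and on a FAST request kdc_find_fast frees the kdc_req at *requestptr and replaces it with the decrypted inner body. A header comment on kdc_find_fast such as `/* On a FAST request *requestptr is freed and replaced by the inner request body; state owns armor_key, reply_key and cookie, released by kdc_free_rstate. */` would capture that for callers. `fast_internal_flags` presumably holds krb5_fast_kdc_flags bits and deserves a one-line comment saying so, and the enum mixes `0x1` and `0x02`; write both as two-digit hex.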
@@ -1625,6 +1625,57 @@ return retval; } +asn1_error_code asn1_decode_fast_armor +(asn1buf *buf, krb5_fast_armor *val) +{ + setup(); + val->armor_value.data = NULL; + {begin_structure(); + get_field(val->armor_type, 0, asn1_decode_int32); + get_lenfield(val->armor_value.length, val->armor_value.data, + 1, asn1_decode_charstring); + end_structure(); + } + return 0; + error_out: + krb5_free_data_contents( NULL, &val->armor_value); + return retval; +} + +asn1_error_code asn1_decode_fast_armor_ptr +(asn1buf *buf, krb5_fast_armor **valptr) +{ + decode_ptr(krb5_fast_armor *, asn1_decode_fast_armor); +} + +asn1_error_code asn1_decode_fast_finished +(asn1buf *buf, krb5_fast_finished *val) +{ + setup(); + val->client = NULL; + val->ticket_checksum.contents = NULL; + {begin_structure(); + get_field(val->timestamp, 0, asn1_decode_kerberos_time); + get_field(val->usec, 1, asn1_decode_int32); + alloc_field(val->client); + get_field(val->client, 2, asn1_decode_realm); + get_field(val->client, 3, asn1_decode_principal_name); + get_field(val->ticket_checksum, 4, asn1_decode_checksum); + end_structure(); + } + return 0; + error_out: + krb5_free_principal(NULL, val->client); + krb5_free_checksum_contents( NULL, &val->ticket_checksum); + return retval; +} +asn1_error_code asn1_decode_fast_finished_ptr +(asn1buf *buf, krb5_fast_finished **valptr) +{ + decode_ptr( krb5_fast_finished *, asn1_decode_fast_finished); +} + + #ifndef DISABLE_PKINIT /* PKINIT */ Modified: trunk/src/lib/krb5/asn.1/asn1_k_decode.h =================================================================== --- trunk/src/lib/krb5/asn.1/asn1_k_decode.h 2009-03-31 16:50:25 UTC (rev 22148) +++ trunk/src/lib/krb5/asn.1/asn1_k_decode.h 2009-03-31 17:00:41 UTC (rev 22149) 
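Review bot: In asn1_decode_fast_finished's error_out path, `krb5_free_principal(NULL, val->client)` releases the principal but leaves `val->client` pointing at freed memory, so any caller that also cleans up the partially filled struct on failure (the decode_ptr wrapper or the krb5_decode.c caller, neither visible here) would double-free it; add `val->client = NULL;` directly after the free. The armor_value and ticket_checksum fields are safe only if krb5_free_data_contents and krb5_free_checksum_contents reset their pointers, which this chunk does not show.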
@@ -266,4 +266,16 @@ asn1_error_code asn1_decode_pa_pac_req (asn1buf *buf, krb5_pa_pac_req *val); +asn1_error_code asn1_decode_fast_armor +(asn1buf *buf, krb5_fast_armor *val); + +asn1_error_code asn1_decode_fast_armor_ptr +(asn1buf *buf, krb5_fast_armor **val); + +asn1_error_code asn1_decode_fast_finished +(asn1buf *buf, krb5_fast_finished *val); + +asn1_error_code asn1_decode_fast_finished_ptr +(asn1buf *buf, krb5_fast_finished **val); + #endif Modified: trunk/src/lib/krb5/asn.1/asn1_k_encode.c =================================================================== --- trunk/src/lib/krb5/asn.1/asn1_k_encode.c 2009-03-31 16:50:25 UTC (rev 22148) +++ trunk/src/lib/krb5/asn.1/asn1_k_encode.c 2009-03-31 17:00:41 UTC (rev 22149) @@ -338,6 +338,8 @@ DEFFNXTYPE(kdc_req_body, krb5_kdc_req, asn1_encode_kdc_req_body); /* end ugly hack */ +DEFPTRTYPE(ptr_kdc_req_body,kdc_req_body); + static const struct field_info transited_fields[] = { FIELDOF_NORM(krb5_transited, octet, tr_type, 0), FIELDOF_NORM(krb5_transited, ostring_data, tr_contents, 1), 
@@ -1177,6 +1179,88 @@ DEFFIELDTYPE(etype_list, krb5_etype_list, FIELDOF_SEQOF_INT32(krb5_etype_list, int32_ptr, etypes, length, -1)); +/* draft-ietf-krb-wg-preauth-framework-09 */ +static const struct field_info fast_armor_fields[] = { + FIELDOF_NORM(krb5_fast_armor, int32, armor_type, 0), + FIELDOF_NORM( krb5_fast_armor, ostring_data, armor_value, 1), +}; + +DEFSEQTYPE( fast_armor, krb5_fast_armor, fast_armor_fields, 0); +DEFPTRTYPE( ptr_fast_armor, fast_armor); + +static const struct field_info fast_armored_req_fields[] = { + FIELDOF_OPT( krb5_fast_armored_req, ptr_fast_armor, armor, 0, 0), + FIELDOF_NORM( krb5_fast_armored_req, checksum, req_checksum, 1), + FIELDOF_NORM( krb5_fast_armored_req, encrypted_data, enc_part, 2), +}; + +static unsigned int fast_armored_req_optional (const void *p) { + const krb5_fast_armored_req *val = p; + unsigned int optional = 0; + if (val->armor) + optional |= (1u)<<0; + return optional; +} + +DEFSEQTYPE( fast_armored_req, krb5_fast_armored_req, fast_armored_req_fields, fast_armored_req_optional); +DEFFIELDTYPE( pa_fx_fast_request, krb5_fast_armored_req, + FIELDOF_ENCODEAS( krb5_fast_armored_req, fast_armored_req, 0)); + +DEFFIELDTYPE(fast_req_padata, krb5_kdc_req, + FIELDOF_NORM(krb5_kdc_req, ptr_seqof_pa_data, padata, -1)); +DEFPTRTYPE(ptr_fast_req_padata, fast_req_padata); + +static const struct field_info fast_req_fields[] = { + FIELDOF_NORM(krb5_fast_req, int32, fast_options, 0), + FIELDOF_NORM( krb5_fast_req, ptr_fast_req_padata, req_body, 1), + FIELDOF_NORM( krb5_fast_req, ptr_kdc_req_body, req_body, 2), +}; + +DEFSEQTYPE(fast_req, krb5_fast_req, fast_req_fields, 0); + + +static const struct field_info fast_finished_fields[] = { + FIELDOF_NORM( krb5_fast_finished, kerberos_time, timestamp, 0), + FIELDOF_NORM( krb5_fast_finished, int32, usec, 1), + FIELDOF_NORM( krb5_fast_finished, realm_of_principal, client, 2), + FIELDOF_NORM(krb5_fast_finished, principal, client, 3), + FIELDOF_NORM( krb5_fast_finished, checksum, 
ticket_checksum, 4), +}; + +DEFSEQTYPE( fast_finished, krb5_fast_finished, fast_finished_fields, 0); + +DEFPTRTYPE( ptr_fast_finished, fast_finished); + +static const struct field_info fast_response_fields[] = { + FIELDOF_NORM(krb5_fast_response, ptr_seqof_pa_data, padata, 0), + FIELDOF_OPT( krb5_fast_response, ptr_encryption_key, rep_key, 1, 1), + FIELDOF_OPT( krb5_fast_response, ptr_fast_finished, finished, 2, 2), + FIELDOF_NORM(krb5_fast_response, int32, nonce, 3), +}; + +static unsigned int fast_response_optional (const void *p) +{ + unsigned int optional = 0; + const krb5_fast_response *val = p; + if (val->rep_key) + optional |= (1u <<1); + if (val->finished) + optional |= (1u<<2); + return optional; +} +DEFSEQTYPE( fast_response, krb5_fast_response, fast_response_fields, fast_response_optional); + +static const struct field_info fast_rep_fields[] = { + FIELDOF_ENCODEAS(krb5_enc_data, encrypted_data, 0), +}; +DEFSEQTYPE(fast_rep, krb5_enc_data, fast_rep_fields, 0); + +DEFFIELDTYPE(pa_fx_fast_reply, krb5_enc_data, + FIELDOF_ENCODEAS(krb5_enc_data, fast_rep, 0)); + + + + /* Exported complete encoders -- these produce a krb5_data with the encoding in the correct byte order. */ @@ -1243,6 +1327,10 @@ MAKE_FULL_ENCODER(encode_krb5_pa_server_referral_data, pa_server_referral_data); MAKE_FULL_ENCODER(encode_krb5_etype_list, etype_list); +MAKE_FULL_ENCODER(encode_krb5_pa_fx_fast_request, pa_fx_fast_request); +MAKE_FULL_ENCODER( encode_krb5_fast_req, fast_req); +MAKE_FULL_ENCODER( encode_krb5_pa_fx_fast_reply, pa_fx_fast_reply); +MAKE_FULL_ENCODER(encode_krb5_fast_response, fast_response); Modified: trunk/src/lib/krb5/asn.1/krb5_decode.c =================================================================== --- trunk/src/lib/krb5/asn.1/krb5_decode.c 2009-03-31 16:50:25 UTC (rev 22148) +++ trunk/src/lib/krb5/asn.1/krb5_decode.c 2009-03-31 17:00:41 UTC (rev 22149) 
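Review bot: fast_req_fields encodes the same `req_body` member twice, once through ptr_fast_req_padata (tag 1, only its padata) and once through ptr_kdc_req_body (tag 2, the body itself), and fast_rep plus pa_fx_fast_reply wrap one encrypted_data in two nested tag-0 layers; neither trick is explained and the `/* draft-ietf-krb-wg-preauth-framework-09 */` line is the only hint. Suggest `/* req_body is visited twice: field 1 extracts its padata (KrbFastReq.padata), field 2 encodes the remaining body. */` above fast_req_fields and a matching note on fast_rep. It would also help to state whether ptr_fast_req_padata tolerates a NULL padata array, since the client side in fast.c goes out of its way to allocate an empty one, presumably because it does not. Minor style: spacing after `FIELDOF_NORM(` is inconsistent within the same tables.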
@@ -94,9 +94,9 @@ /* process a structure *******************************************/ /* decode an explicit tag and place the number in tagnum */ -#define next_tag() \ +#define next_tag_from_buf(buf) \ { taginfo t2; \ - retval = asn1_get_tag_2(&subbuf, &t2); \ + retval = asn1_get_tag_2(&(buf), &t2); \ if (retval) clean_return(retval); \ asn1class = t2.asn1class; \ construction = t2.construction; \ @@ -104,7 +104,9 @@ indef = t2.indef; \ taglen = t2.length; \ } +#define next_tag() next_tag_from_buf(subbuf) + static asn1_error_code asn1_get_eoc_tag (asn1buf *buf) { @@ -518,6 +520,7 @@ clear_field(rep,authorization_data.ciphertext.data); clear_field(rep,unenc_authdata); clear_field(rep,second_ticket); + clear_field(rep, kdc_state); check_apptag(10); retval = asn1_decode_kdc_req(&buf,rep); @@ -545,6 +548,7 @@ clear_field(rep,authorization_data.ciphertext.data); clear_field(rep,unenc_authdata); clear_field(rep,second_ticket); + clear_field(rep, kdc_state); check_apptag(12); retval = asn1_decode_kdc_req(&buf,rep); 
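Review bot: next_tag_from_buf writes to several identifiers that are not macro parameters — `retval`, `asn1class`, `construction`, `tagnum`, `indef` and `taglen` — so every caller must already have them in scope; the new decoders at @@ -1080 open a block declaring `int indef; unsigned int taglen;` purely to satisfy it. A comment above the macro such as `/* Requires retval, asn1class, construction, tagnum, indef and taglen in scope at the call site. */` would make that contract visible instead of leaving it to the compiler error.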
@@ -1080,6 +1084,91 @@ cleanup(free); } +krb5_error_code decode_krb5_pa_fx_fast_request +(const krb5_data *code, krb5_fast_armored_req **repptr) +{ + setup(krb5_fast_armored_req *); + alloc_field(rep); + clear_field(rep, armor); + { + int indef; + unsigned int taglen; + next_tag_from_buf(buf); + if (tagnum != 0) + clean_return(ASN1_BAD_ID); + } + {begin_structure(); + opt_field(rep->armor, 0, asn1_decode_fast_armor_ptr); + get_field(rep->req_checksum, 1, asn1_decode_checksum); + get_field(rep->enc_part, 2, asn1_decode_encrypted_data); + end_structure();} + rep->magic = KV5M_FAST_ARMORED_REQ; + cleanup(free); +} + +krb5_error_code decode_krb5_fast_req +(const krb5_data *code, krb5_fast_req **repptr) +{ + setup(krb5_fast_req *); + alloc_field(rep); + alloc_field(rep->req_body); + clear_field(rep, req_body->padata); + {begin_structure(); + get_field(rep->fast_options, 0, asn1_decode_int32); + opt_field(rep->req_body->padata, 1, asn1_decode_sequence_of_pa_data); + get_field(*(rep->req_body), 2, asn1_decode_kdc_req_body); + end_structure(); } + rep->magic = KV5M_FAST_REQ; + cleanup_manual(); + error_out: + if (rep) { + if (rep->req_body) + krb5_free_kdc_req(0, rep->req_body); + free(rep); + } + return retval; +} + +krb5_error_code decode_krb5_fast_response +(const krb5_data *code, krb5_fast_response **repptr) +{ + setup(krb5_fast_response *); + + alloc_field(rep); + clear_field(rep, finished); + clear_field(rep, padata); + clear_field(rep,rep_key); + {begin_structure(); + get_field(rep->padata, 0, asn1_decode_sequence_of_pa_data); + opt_field(rep->rep_key, 1, asn1_decode_encryption_key_ptr); + opt_field(rep->finished, 2, asn1_decode_fast_finished_ptr); + get_field(rep->nonce, 3, asn1_decode_int32); + end_structure(); } + rep->magic = KV5M_FAST_RESPONSE; + cleanup(free); +} + +krb5_error_code decode_krb5_pa_fx_fast_reply +(const krb5_data *code, krb5_enc_data **repptr) +{ + setup(krb5_enc_data *); + alloc_field(rep); + { + int indef; + unsigned int taglen; + 
next_tag_from_buf(buf); + if (tagnum != 0) + clean_return(ASN1_BAD_ID); + } + {begin_structure(); + get_field(*rep, 0, asn1_decode_encrypted_data); + end_structure(); + } + + cleanup(free); +} + + #ifndef DISABLE_PKINIT krb5_error_code decode_krb5_pa_pk_as_req(const krb5_data *code, krb5_pa_pk_as_req **repptr) Modified: trunk/src/lib/krb5/error_tables/krb5_err.et =================================================================== --- trunk/src/lib/krb5/error_tables/krb5_err.et 2009-03-31 16:50:25 UTC (rev 22148) +++ trunk/src/lib/krb5/error_tables/krb5_err.et 2009-03-31 17:00:41 UTC (rev 22149) @@ -134,7 +134,7 @@ error_code KRB5PLACEHOLD_90, "KRB5 error code 90" error_code KRB5PLACEHOLD_91, "KRB5 error code 91" error_code KRB5PLACEHOLD_92, "KRB5 error code 92" -error_code KRB5PLACEHOLD_93, "KRB5 error code 93" +error_code KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION, "An unsupported critical FAST option was requested" error_code KRB5PLACEHOLD_94, "KRB5 error code 94" error_code KRB5PLACEHOLD_95, "KRB5 error code 95" error_code KRB5PLACEHOLD_96, "KRB5 error code 96" @@ -347,4 +347,5 @@ error_code KRB5_PLUGIN_OP_NOTSUPP, "Plugin does not support the operaton" error_code KRB5_ERR_INVALID_UTF8, "Invalid UTF-8 string" +error_code KRB5_ERR_FAST_REQUIRED, "FAST protected pre-authentication required but not supported by KDC" end Modified: trunk/src/lib/krb5/error_tables/kv5m_err.et =================================================================== --- trunk/src/lib/krb5/error_tables/kv5m_err.et 2009-03-31 16:50:25 UTC (rev 22148) +++ trunk/src/lib/krb5/error_tables/kv5m_err.et 2009-03-31 17:00:41 UTC (rev 22149) 
@@ -86,5 +86,7 @@
 error_code KV5M_PASSWD_PHRASE_ELEMENT, "Bad magic number for passwd_phrase_element"
 error_code KV5M_GSS_OID, "Bad magic number for GSSAPI OID"
 error_code KV5M_GSS_QUEUE, "Bad magic number for GSSAPI QUEUE"
-
+error_code KV5M_FAST_ARMORED_REQ, "Bad magic number for fast armored request"
+error_code KV5M_FAST_REQ, "Bad magic number for FAST request"
+error_code KV5M_FAST_RESPONSE, "Bad magic number for FAST response"
 end
Modified: trunk/src/lib/krb5/krb/Makefile.in
===================================================================
--- trunk/src/lib/krb5/krb/Makefile.in 2009-03-31 16:50:25 UTC (rev 22148)
+++ trunk/src/lib/krb5/krb/Makefile.in 2009-03-31 17:00:41 UTC (rev 22149)
@@ -40,6 +40,7 @@
 enc_helper.o \
 encode_kdc.o \
 encrypt_tk.o \
+ fast.o \
 free_rtree.o \
 fwd_tgt.o \
 gc_frm_kdc.o \
@@ -127,6 +128,7 @@
 $(OUTPRE)enc_helper.$(OBJEXT) \
 $(OUTPRE)encode_kdc.$(OBJEXT) \
 $(OUTPRE)encrypt_tk.$(OBJEXT) \
+ $(OUTPRE)fast.$(OBJEXT) \
 $(OUTPRE)free_rtree.$(OBJEXT) \
 $(OUTPRE)fwd_tgt.$(OBJEXT) \
 $(OUTPRE)gc_frm_kdc.$(OBJEXT) \
@@ -215,6 +217,7 @@
 $(srcdir)/enc_helper.c \
 $(srcdir)/encode_kdc.c \
 $(srcdir)/encrypt_tk.c \
+ $(srcdir)/fast.c \
 $(srcdir)/free_rtree.c \
 $(srcdir)/fwd_tgt.c \
 $(srcdir)/gc_frm_kdc.c \
Added: trunk/src/lib/krb5/krb/fast.c
===================================================================
--- trunk/src/lib/krb5/krb/fast.c 2009-03-31 16:50:25 UTC (rev 22148)
+++ trunk/src/lib/krb5/krb/fast.c 2009-03-31 17:00:41 UTC (rev 22149)
@@ -0,0 +1,499 @@ +/* + * lib/krb5/krb/fast.c + * + * Copyright (C) 2009 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * + */ + +#include + +/* + * It is possible to support sending a request that includes both a + * FAST and normal version. This would complicate the + * pre-authentication logic significantly. You would need to maintain + * two contexts, one for FAST and one for normal use. In adition, you + * would need to manage the security issues surrounding downgrades. + * However trying FAST at all requires an armor key. Generally in + * obtaining the armor key, the client learns enough to know that FAST + * is supported. If not, the client can see FAST in the + * preauth_required error's padata and retry with FAST. So, this + * implementation does not support FAST+normal. 
+ * + * We store the outer version of the request to use . The caller + * stores the inner version. We handle the encoding of the request + * body (and request) and provide encoded request bodies for the + * caller to use as these may be used for checksums. In the AS case + * we also evaluate whether to continue a conversation as one of the + * important questions there is the presence of a cookie. + */ +#include "fast.h" +#include "int-proto.h" + + +static krb5_error_code fast_armor_ap_request +(krb5_context context, struct krb5int_fast_request_state *state, + krb5_ccache ccache, krb5_data *target_realm) +{ + krb5_error_code retval = 0; + krb5_creds creds, *out_creds = NULL; + krb5_auth_context authcontext = NULL; + krb5_data encoded_authenticator; + krb5_fast_armor *armor = NULL; + krb5_keyblock *subkey = NULL, *armor_key = NULL; + encoded_authenticator.data = NULL; + memset(&creds, 0, sizeof(creds)); + retval = krb5_tgtname(context, target_realm, target_realm, &creds.server); + if (retval ==0) + retval = krb5_cc_get_principal(context, ccache, &creds.client); + if (retval == 0) + retval = krb5_get_credentials(context, 0, ccache, &creds, &out_creds); + if (retval == 0) + retval = krb5_mk_req_extended(context, &authcontext, AP_OPTS_USE_SUBKEY, NULL /*data*/, + out_creds, &encoded_authenticator); + if (retval == 0) + retval = krb5_auth_con_getsendsubkey(context, authcontext, &subkey); + if (retval == 0) + retval = krb5_c_fx_cf2_simple(context, subkey, "subkeyarmor", + &out_creds->keyblock, "ticketarmor", &armor_key); + if (retval == 0) { + armor = calloc(1, sizeof(krb5_fast_armor)); + if (armor == NULL) + retval = ENOMEM; + } + if (retval == 0) { + armor->armor_type = KRB5_FAST_ARMOR_AP_REQUEST; + armor->armor_value = encoded_authenticator; + encoded_authenticator.data = NULL; + encoded_authenticator.length = 0; + state->armor = armor; + armor = NULL; + state->armor_key = armor_key; + armor_key = NULL; + } + krb5_free_keyblock(context, armor_key); + 
krb5_free_keyblock(context, subkey); + if (out_creds) + krb5_free_creds(context, out_creds); + krb5_free_cred_contents(context, &creds); + if (encoded_authenticator.data) + krb5_free_data_contents(context, &encoded_authenticator); + krb5_auth_con_free(context, authcontext); + return retval; +} + +krb5_error_code +krb5int_fast_prep_req_body(krb5_context context, struct krb5int_fast_request_state *state, + krb5_kdc_req *request, krb5_data **encoded_request_body) +{ + krb5_error_code retval = 0; + krb5_data *local_encoded_request_body = NULL; + assert(state != NULL); + *encoded_request_body = NULL; + if (state->armor_key == NULL) { + return encode_krb5_kdc_req_body(request, encoded_request_body); + } + state->fast_outer_request = *request; + state->fast_outer_request.padata = NULL; + if (retval == 0) + retval = encode_krb5_kdc_req_body(&state->fast_outer_request, + &local_encoded_request_body); + if (retval == 0) { + *encoded_request_body = local_encoded_request_body; + local_encoded_request_body = NULL; + } + if (local_encoded_request_body != NULL) + krb5_free_data(context, local_encoded_request_body); + return retval; +} + +krb5_error_code krb5int_fast_as_armor +(krb5_context context, struct krb5int_fast_request_state *state, + krb5_gic_opt_ext *opte, + krb5_kdc_req *request) +{ + krb5_error_code retval = 0; + krb5_ccache ccache = NULL; + krb5_clear_error_message(context); + if (opte->opt_private->fast_ccache_name) { + retval = krb5_cc_resolve(context, opte->opt_private->fast_ccache_name, + &ccache); + if (retval==0) + retval = fast_armor_ap_request(context, state, ccache, + krb5_princ_realm(context, request->server)); + if (retval != 0) { + const char * errmsg; + errmsg = krb5_get_error_message(context, retval); + if (errmsg) { + krb5_set_error_message(context, retval, "%s constructing AP-REQ armor", errmsg); + krb5_free_error_message(context, errmsg); + } + } + } + if (ccache) + krb5_cc_close(context, ccache); + return retval; +} + + +krb5_error_code 
+krb5int_fast_prep_req (krb5_context context, struct krb5int_fast_request_state *state, + krb5_kdc_req *request, + const krb5_data *to_be_checksummed, kdc_req_encoder_proc encoder, + krb5_data **encoded_request) +{ + krb5_error_code retval = 0; + krb5_pa_data *pa_array[2]; + krb5_pa_data pa[2]; + krb5_fast_req fast_req; + krb5_fast_armored_req *armored_req = NULL; + krb5_data *encoded_fast_req = NULL; + krb5_data *encoded_armored_req = NULL; + krb5_data *local_encoded_result = NULL; + krb5_cksumtype cksumtype; + krb5_data random_data; + char random_buf[4]; + + + assert(state != NULL); + assert(state->fast_outer_request.padata == NULL); + memset(pa_array, 0, sizeof pa_array); + if (state->armor_key == NULL) { + return encoder(request, encoded_request); + } +/* Fill in a fresh random nonce for each inner request*/ + random_data.length = 4; + random_data.data = (char *)random_buf; + retval = krb5_c_random_make_octets(context, &random_data); + if (retval == 0) { + request->nonce = 0x7fffffff & load_32_n(random_buf); + state->nonce = request->nonce; + } + fast_req.req_body = request; + if (fast_req.req_body->padata == NULL) { + fast_req.req_body->padata = calloc(1, sizeof(krb5_pa_data *)); + if (fast_req.req_body->padata == NULL) + retval = ENOMEM; + } + fast_req.fast_options = state->fast_options; + if (retval == 0) + retval = encode_krb5_fast_req(&fast_req, &encoded_fast_req); + if (retval == 0) { + armored_req = calloc(1, sizeof(krb5_fast_armored_req)); + if (armored_req == NULL) + retval = ENOMEM; + } + if (retval == 0) + armored_req->armor = state->armor; + if (retval == 0) + retval = krb5int_c_mandatory_cksumtype(context, state->armor_key->enctype, + &cksumtype); + if (retval ==0) + retval = krb5_c_make_checksum(context, cksumtype, state->armor_key, + KRB5_KEYUSAGE_FAST_REQ_CHKSUM, to_be_checksummed, + &armored_req->req_checksum); + if (retval == 0) + retval = krb5_encrypt_helper(context, state->armor_key, + KRB5_KEYUSAGE_FAST_ENC, encoded_fast_req, + 
&armored_req->enc_part); + if (retval == 0) + retval = encode_krb5_pa_fx_fast_request(armored_req, &encoded_armored_req); + if (retval==0) { + pa[0].pa_type = KRB5_PADATA_FX_FAST; + pa[0].contents = (unsigned char *) encoded_armored_req->data; + pa[0].length = encoded_armored_req->length; + pa_array[0] = &pa[0]; + } + state->fast_outer_request.padata = pa_array; + if(retval == 0) + retval = encoder(&state->fast_outer_request, &local_encoded_result); + if (retval == 0) { + *encoded_request = local_encoded_result; + local_encoded_result = NULL; + } + if (encoded_armored_req) + krb5_free_data(context, encoded_armored_req); + if (armored_req) { + armored_req->armor = NULL; /*owned by state*/ + krb5_free_fast_armored_req(context, armored_req); + } + if (encoded_fast_req) + krb5_free_data(context, encoded_fast_req); + if (local_encoded_result) + krb5_free_data(context, local_encoded_result); + state->fast_outer_request.padata = NULL; + return retval; +} + +static krb5_error_code decrypt_fast_reply +(krb5_context context, struct krb5int_fast_request_state *state, + krb5_pa_data **in_padata, + krb5_fast_response **response) +{ + krb5_error_code retval = 0; + krb5_data scratch; + krb5_enc_data *encrypted_response = NULL; + krb5_pa_data *fx_reply = NULL; + krb5_fast_response *local_resp = NULL; + assert(state != NULL); + assert(state->armor_key); + fx_reply = krb5int_find_pa_data(context, in_padata, KRB5_PADATA_FX_FAST); + if (fx_reply == NULL) + retval = KRB5_ERR_FAST_REQUIRED; + if (retval == 0) { + scratch.data = (char *) fx_reply->contents; + scratch.length = fx_reply->length; + retval = decode_krb5_pa_fx_fast_reply(&scratch, &encrypted_response); + } + scratch.data = NULL; + if (retval == 0) { + scratch.data = malloc(encrypted_response->ciphertext.length); + if (scratch.data == NULL) + retval = ENOMEM; + scratch.length = encrypted_response->ciphertext.length; + } + if (retval == 0) + retval = krb5_c_decrypt(context, state->armor_key, + KRB5_KEYUSAGE_FAST_REP, NULL, + 
encrypted_response, &scratch); + if (retval != 0) { + const char * errmsg; + errmsg = krb5_get_error_message(context, retval); + krb5_set_error_message(context, retval, "%s while decrypting FAST reply", errmsg); + krb5_free_error_message(context, errmsg); + } + if (retval == 0) + retval = decode_krb5_fast_response(&scratch, &local_resp); + if (retval == 0) { + if (local_resp->nonce != state->nonce) { + retval = KRB5_KDCREP_MODIFIED; + krb5_set_error_message(context, retval, "nonce modified in FAST response: KDC response modified"); + } + } + if (retval == 0) { + *response = local_resp; + local_resp = NULL; + } + if (scratch.data) + free(scratch.data); + if (encrypted_response) + krb5_free_enc_data(context, encrypted_response); + return retval; +} + +/* + * FAST separates two concepts: the set of padata we're using to + * decide what pre-auth mechanisms to use and the set of padata we're + * making available to mechanisms in order for them to respond to an + * error. The plugin interface in March 2009 does not permit + * separating these concepts for the plugins. This function makes + * both available for future revisions to the plugin interface. It + * also re-encodes the padata from the current error as a encoded + * typed-data and puts that in the e_data field. That will allow + * existing plugins with the old interface to find the error data. + * The output parameter out_padata contains the padata from the error + * whenever padata is available (all the time with fast). 
+ */ +krb5_error_code +krb5int_fast_process_error(krb5_context context, struct krb5int_fast_request_state *state, + krb5_error **err_replyptr , krb5_pa_data ***out_padata, + krb5_boolean *retry) +{ + krb5_error_code retval = 0; + krb5_error *err_reply = *err_replyptr; + *out_padata = NULL; + *retry = 0; + if (state->armor_key) { + krb5_pa_data *fx_error_pa; + krb5_pa_data **result = NULL; + krb5_data scratch, *encoded_td = NULL; + krb5_error *fx_error = NULL; + krb5_fast_response *fast_response = NULL; + retval = decode_krb5_padata_sequence(&err_reply->e_data, &result); + if (retval == 0) + retval = decrypt_fast_reply(context, state, result, &fast_response); + if (retval) { + /*This can happen if the KDC does not understand FAST. We + * don't expect that, but treating it as the fatal error + * indicated by the KDC seems reasonable. + */ + *retry = 0; + krb5_free_pa_data(context, result); + return 0; + } + krb5_free_pa_data(context, result); + result = NULL; + if (retval == 0) { + fx_error_pa = krb5int_find_pa_data(context, fast_response->padata, KRB5_PADATA_FX_ERROR); + if (fx_error_pa == NULL) { + krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED, "Expecting FX_ERROR pa-data inside FAST container"); + retval = KRB5KDC_ERR_PREAUTH_FAILED; + } + } + if (retval == 0) { + scratch.data = (char *) fx_error_pa->contents; + scratch.length = fx_error_pa->length; + retval = decode_krb5_error(&scratch, &fx_error); + } + /* + * krb5_pa_data and krb5_typed_data are safe to cast between: + * they have the same type fields in the same order. + * (krb5_preauthtype is a krb5_int32). If krb5_typed_data is + * ever changed then this will need to be a copy not a cast. 
+ */ + if (retval == 0) + retval = encode_krb5_typed_data( (krb5_typed_data **) fast_response->padata, + &encoded_td); + if (retval == 0) { + fx_error->e_data = *encoded_td; + free(encoded_td); /*contents owned by fx_error*/ + encoded_td = NULL; + krb5_free_error(context, err_reply); + *err_replyptr = fx_error; + fx_error = NULL; + *out_padata = fast_response->padata; + fast_response->padata = NULL; + /* + * If there is more than the fx_error padata, then we want + * to retry the error + */ + *retry = (*out_padata)[1] != NULL; + } + if (fx_error) + krb5_free_error(context, fx_error); + krb5_free_fast_response(context, fast_response); + } else { /*not FAST*/ + *retry = (err_reply->e_data.length > 0); + if ((err_reply->error == KDC_ERR_PREAUTH_REQUIRED + ||err_reply->error == KDC_ERR_PREAUTH_FAILED) && err_reply->e_data.length) { + krb5_pa_data **result = NULL; + retval = decode_krb5_padata_sequence(&err_reply->e_data, &result); + if (retval == 0) + if (retval == 0) { + *out_padata = result; + + return 0; + } + krb5_free_pa_data(context, result); + krb5_set_error_message(context, retval, + "Error decoding padata in error reply"); + return retval; + } + } + return retval; +} + + +krb5_error_code krb5int_fast_process_response +(krb5_context context, struct krb5int_fast_request_state *state, + krb5_kdc_rep *resp, + krb5_keyblock **as_key) +{ + krb5_error_code retval = 0; + krb5_fast_response *fast_response = NULL; + krb5_data *encoded_ticket = NULL; + krb5_boolean cksum_valid; + krb5_clear_error_message(context); + *as_key = NULL; + if (state->armor_key == 0) + return 0; + retval = decrypt_fast_reply(context, state, resp->padata, + &fast_response); + if (retval == 0) { + if (fast_response->finished == 0) { + retval = KRB5_KDCREP_MODIFIED; + krb5_set_error_message(context, retval, "FAST response missing finish message in KDC reply"); + } + } + if (retval == 0) + retval = encode_krb5_ticket(resp->ticket, &encoded_ticket); + if (retval == 0) + retval = 
krb5_c_verify_checksum(context, state->armor_key, + KRB5_KEYUSAGE_FAST_FINISHED, + encoded_ticket, + &fast_response->finished->ticket_checksum, + &cksum_valid); + if (retval == 0 && cksum_valid == 0) { + retval = KRB5_KDCREP_MODIFIED; + krb5_set_error_message(context, retval, "ticket modified in KDC reply"); + } + if (retval == 0) { + krb5_free_principal(context, resp->client); + resp->client = fast_response->finished->client; + fast_response->finished->client = NULL; + *as_key = fast_response->rep_key; + fast_response->rep_key = NULL; + krb5_free_pa_data(context, resp->padata); + resp->padata = fast_response->padata; + fast_response->padata = NULL; + } + if (fast_response) + krb5_free_fast_response(context, fast_response); + if (encoded_ticket) + krb5_free_data(context, encoded_ticket); + return retval; +} +krb5_error_code +krb5int_fast_make_state( krb5_context context, struct krb5int_fast_request_state **state) +{ + krb5_error_code retval = 0; + struct krb5int_fast_request_state *local_state ; + local_state = malloc(sizeof *local_state); + if (local_state == NULL) + return ENOMEM; + memset(local_state, 0, sizeof(*local_state)); + *state = local_state; + return 0; +} + +void +krb5int_fast_free_state( krb5_context context, struct krb5int_fast_request_state *state) +{ + /*We are responsible for none of the store in the fast_outer_req*/ + krb5_free_keyblock(context, state->armor_key); + krb5_free_fast_armor(context, state->armor); + if (state->cookie) { + free(state->cookie->contents); + free(state->cookie); + state->cookie = NULL; + } + free(state); +} + +krb5_pa_data * krb5int_find_pa_data +(krb5_context context, krb5_pa_data *const *padata, krb5_preauthtype pa_type) +{ + krb5_pa_data * const *tmppa; + + if (padata == NULL) + return NULL; + + for (tmppa = padata; *tmppa != NULL; tmppa++) { + if ((*tmppa)->pa_type == pa_type) + break; + } + + return *tmppa; +} + Added: trunk/src/lib/krb5/krb/fast.h =================================================================== 
--- trunk/src/lib/krb5/krb/fast.h 2009-03-31 16:50:25 UTC (rev 22148)
+++ trunk/src/lib/krb5/krb/fast.h 2009-03-31 17:00:41 UTC (rev 22149)
@@ -0,0 +1,77 @@
+/*
+ * lib/krb5/krb/fast.h
+ *
+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * <<< Description >>>
+ */
+#ifndef KRB_FAST_H
+
+#define KRB_FAST_H
+
+#include
+struct krb5int_fast_request_state {
+ krb5_kdc_req fast_outer_request;
+ krb5_keyblock *armor_key; /*non-null means fast is in use*/
+ krb5_fast_armor *armor;
+ krb5_ui_4 fast_state_flags;
+ krb5_ui_4 fast_options;
+ krb5_pa_data *cookie;
+ krb5_int32 nonce;
+};
+
+krb5_error_code
+krb5int_fast_prep_req_body(krb5_context context, struct krb5int_fast_request_state *state,
+ krb5_kdc_req *request, krb5_data **encoded_req_body);
+
+typedef krb5_error_code(*kdc_req_encoder_proc) (const krb5_kdc_req *, krb5_data **);
+
+krb5_error_code
+krb5int_fast_prep_req (krb5_context context, struct krb5int_fast_request_state *state,
+ krb5_kdc_req *request,
+ const krb5_data *to_be_checksummed, kdc_req_encoder_proc encoder,
+ krb5_data **encoded_request);
+krb5_error_code
+krb5int_fast_process_error(krb5_context context, struct krb5int_fast_request_state *state,
+ krb5_error **err_replyptr , krb5_pa_data ***out_padata,
+ krb5_boolean *retry);
+
+krb5_error_code krb5int_fast_process_response
+(krb5_context context, struct krb5int_fast_request_state *state,
+ krb5_kdc_rep *resp,
+ krb5_keyblock **as_key);
+
+krb5_error_code
+krb5int_fast_make_state( krb5_context context, struct krb5int_fast_request_state **state);
+
+void
+krb5int_fast_free_state( krb5_context , struct krb5int_fast_request_state *state);
+krb5_error_code krb5int_fast_as_armor
+(krb5_context context, struct krb5int_fast_request_state *state,
+ krb5_gic_opt_ext *opte,
+ krb5_kdc_req *request);
+
+
+#endif
Modified: trunk/src/lib/krb5/krb/get_in_tkt.c
===================================================================
--- trunk/src/lib/krb5/krb/get_in_tkt.c 2009-03-31 16:50:25 UTC (rev 22148)
+++ trunk/src/lib/krb5/krb/get_in_tkt.c 2009-03-31 17:00:41 UTC (rev 22149)
@@ -32,6 +32,7 @@
 #include "k5-int.h"
 #include "int-proto.h"
 #include "os-proto.h"
+#include "fast.h"
 #if APPLE_PKINIT
 #define IN_TKT_DEBUG 0
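Review bot: The file header still carries the template placeholder `<<< Description >>>` where the one-line purpose belongs, and since this header is the only documentation of `struct krb5int_fast_request_state`, that gap matters; replace it with something like ` * Client-side request state and helpers for the FAST pre-authentication framework (draft-ietf-krb-wg-preauth-framework).` and give each field a short comment (`armor_key` already notes that non-NULL means FAST is in use; `cookie`, `nonce` and the two flag words say nothing). The `krb5int_fast_free_state( krb5_context , ...)` prototype drops the parameter name the other declarations keep; `krb5_context context` would match them. The ownership contract of `krb5int_fast_process_error` is also worth stating here, since its implementation replaces `*err_replyptr` with a freshly decoded error and hands `*out_padata` to the caller to free.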
@@ -967,6 +968,7 @@ krb5_data salt; krb5_data s2kparams; krb5_keyblock as_key; + krb5_keyblock *fast_as_key = NULL; krb5_error *err_reply; krb5_kdc_rep *local_as_reply; krb5_timestamp time_now; @@ -974,6 +976,10 @@ krb5_preauth_client_rock get_data_rock; int canon_flag = 0; krb5_principal_data referred_client; + krb5_boolean retry = 0; + struct krb5int_fast_request_state *fast_state = NULL; + krb5_pa_data **out_padata = NULL; + /* initialize everything which will be freed at cleanup */ @@ -988,7 +994,7 @@ preauth_to_use = NULL; kdc_padata = NULL; as_key.length = 0; - salt.length = 0; + salt.length = 0; salt.data = NULL; local_as_reply = 0; @@ -1002,6 +1008,9 @@ referred_client = *client; referred_client.realm.data = NULL; referred_client.realm.length = 0; + ret = krb5int_fast_make_state(context, &fast_state); + if (ret) + goto cleanup; /* * Set up the basic request structure @@ -1231,15 +1240,20 @@ /* XXX Yuck. Old version. */ request.nonce = (krb5_int32) time_now; } + ret = krb5int_fast_as_armor(context, fast_state, options, &request); + if (ret != 0) + goto cleanup; /* give the preauth plugins a chance to prep the request body */ krb5_preauth_prepare_request(context, options, &request); - ret = encode_krb5_kdc_req_body(&request, &encoded_request_body); + ret = krb5int_fast_prep_req_body(context, fast_state, + &request, &encoded_request_body); if (ret) goto cleanup; get_data_rock.magic = CLIENT_ROCK_MAGIC; - get_data_rock.as_reply = NULL; - + get_data_rock.etype = &etype; + get_data_rock.fast_state = fast_state; + /* now, loop processing preauth data and talking to the kdc */ for (loopcount = 0; loopcount < MAX_IN_TKT_LOOPS; loopcount++) { if (request.padata) { @@ -1258,6 +1272,10 @@ gak_fct, gak_data, &get_data_rock, options))) goto cleanup; + if (out_padata) { + krb5_free_pa_data(context, out_padata); + out_padata = NULL; + } } else { if (preauth_to_use != NULL) { /* 
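Review bot: `get_data_rock.etype = &etype;` in the `@@ -1231,15 +1240,20 @@` hunk exposes a pointer to a local that, within this diff, is only assigned after an AS-REP arrives (`etype = local_as_reply->enc_part.enctype;` in the `@@ -1374,10 +1398,14 @@` hunk), while the matching preauth2.c hunks (`@@ -430,8 +432,6 @@` and `@@ -443,7 +443,7 @@`) drop the old `rock->as_reply == NULL` → `ENOENT` guard and return `*rock->etype` unconditionally. A plugin that asks for the etype while answering a pre-AS-REP error — the encrypted_challenge client code in this commit does so before calling `gak_fct` — therefore reads whatever `etype` holds at that point. The declaration of `etype` is outside these hunks, so please confirm it is initialised before the loop, and state the contract at the assignment: `/* etype is what plugins see through get_etype; it is refreshed from each AS-REP, so it is only meaningful once one has been received. */`.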
@@ -1293,7 +1311,9 @@ krb5_free_data(context, encoded_previous_request); encoded_previous_request = NULL; } - ret = encode_krb5_as_req(&request, &encoded_previous_request); + ret = krb5int_fast_prep_req(context, fast_state, + &request, encoded_request_body, + encode_krb5_as_req, &encoded_previous_request); if (ret) goto cleanup; @@ -1305,15 +1325,19 @@ goto cleanup; if (err_reply) { - if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED && - err_reply->e_data.length > 0) { + ret = krb5int_fast_process_error(context, fast_state, &err_reply, + &out_padata, &retry); + if (ret !=0) + goto cleanup; + if ((err_reply->error == KDC_ERR_PREAUTH_REQUIRED ||err_reply->error == KDC_ERR_PREAUTH_FAILED) +&& retry) { /* reset the list of preauth types to try */ if (preauth_to_use) { krb5_free_pa_data(context, preauth_to_use); preauth_to_use = NULL; } - ret = decode_krb5_padata_sequence(&err_reply->e_data, - &preauth_to_use); + preauth_to_use = out_padata; + out_padata = NULL; krb5_free_error(context, err_reply); err_reply = NULL; if (ret) @@ -1345,7 +1369,7 @@ goto cleanup; request.client = &referred_client; } else { - if (err_reply->e_data.length > 0) { + if (retry) { /* continue to next iteration */ } else { /* error + no hints = give up */ @@ -1374,10 +1398,14 @@ /* process any preauth data in the as_reply */ krb5_clear_preauth_context_use_counts(context); + ret = krb5int_fast_process_response(context, fast_state, + local_as_reply, &fast_as_key); + if (ret) + goto cleanup; if ((ret = sort_krb5_padata_sequence(context, &request.server->realm, local_as_reply->padata))) goto cleanup; - get_data_rock.as_reply = local_as_reply; + etype = local_as_reply->enc_part.enctype; if ((ret = krb5_do_preauth(context, &request, encoded_request_body, encoded_previous_request, 
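Review bot: In the `@@ -1305,15 +1325,19 @@` hunk the `if (ret)` that closes the hunk (its body lies outside the hunk) now tests a value the hunk has already checked: `ret` comes from `krb5int_fast_process_error`, `if (ret !=0) goto cleanup;` has run, and the `decode_krb5_padata_sequence` call that used to set it has been replaced by `preauth_to_use = out_padata;`. The check is dead and should go, so a later reader does not look for the error path it implies. Also `+&& retry) {` sits at column 0; indent it under the `if (` it continues, and write `ret != 0` with the spacing the rest of the file uses.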
@@ -1419,8 +1447,14 @@ it. If decrypting the as_rep fails, or if there isn't an as_key at all yet, then use the gak_fct to get one, and try again. */ - - if (as_key.length) + if (fast_as_key) { + if (as_key.length) + krb5_free_keyblock_contents(context, &as_key); + as_key = *fast_as_key; + free(fast_as_key); + fast_as_key = NULL; + } + if (as_key.length) ret = decrypt_as_reply(context, NULL, local_as_reply, NULL, NULL, &as_key, krb5_kdc_rep_decrypt_proc, NULL); @@ -1477,6 +1511,11 @@ } } krb5_preauth_request_context_fini(context); + krb5_free_keyblock(context, fast_as_key); + if (fast_state) + krb5int_fast_free_state(context, fast_state); + if (out_padata) + krb5_free_pa_data(context, out_padata); if (encoded_previous_request != NULL) { krb5_free_data(context, encoded_previous_request); encoded_previous_request = NULL; Modified: trunk/src/lib/krb5/krb/gic_opt.c =================================================================== --- trunk/src/lib/krb5/krb/gic_opt.c 2009-03-31 16:50:25 UTC (rev 22148) +++ trunk/src/lib/krb5/krb/gic_opt.c 2009-03-31 17:00:41 UTC (rev 22149) @@ -146,6 +146,8 @@ /* Free up any private stuff */ if (opte->opt_private->preauth_data != NULL) free_gic_opt_ext_preauth_data(context, opte); + if (opte->opt_private->fast_ccache_name) + free(opte->opt_private->fast_ccache_name); free(opte->opt_private); opte->opt_private = NULL; return 0; 
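Review bot: `as_key = *fast_as_key; free(fast_as_key);` in the `@@ -1419,8 +1447,14 @@` hunk transfers ownership of the keyblock contents by struct copy, which is correct only because the container is then released with a plain `free` and never with `krb5_free_keyblock`; a reader skimming the cleanup label will see `krb5_free_keyblock(context, fast_as_key);` in the `@@ -1477,6 +1511,11 @@` hunk and suspect a double free. Add `/* Take ownership of the FAST reply key's contents; as_key is released at cleanup, so only the container is freed here. */` above the copy. For consistency with the guarded `fast_state` and `out_padata` frees next to it, the cleanup call could also be guarded or the reliance on NULL tolerance noted.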
@@ -465,3 +467,21 @@ } free(preauth_data); } +krb5_error_code KRB5_CALLCONV krb5_get_init_creds_opt_set_fast_ccache_name +(krb5_context context, krb5_get_init_creds_opt *opt, const char *ccache_name) +{ + krb5_error_code retval = 0; + krb5_gic_opt_ext *opte; + + retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0, + "krb5_get_init_creds_opt_set_fast_ccache_name"); + if (retval) + return retval; + if (opte->opt_private->fast_ccache_name) { + free(opte->opt_private->fast_ccache_name); + } + opte->opt_private->fast_ccache_name = strdup(ccache_name); + if (opte->opt_private->fast_ccache_name == NULL) + retval = ENOMEM; + return retval; +} Modified: trunk/src/lib/krb5/krb/kfree.c =================================================================== --- trunk/src/lib/krb5/krb/kfree.c 2009-03-31 16:50:25 UTC (rev 22148) +++ trunk/src/lib/krb5/krb/kfree.c 2009-03-31 17:00:41 UTC (rev 22149) @@ -54,6 +54,7 @@ */ #include "k5-int.h" +#include void KRB5_CALLCONV krb5_free_address(krb5_context context, krb5_address *val) @@ -344,6 +345,7 @@ { if (val == NULL) return; + assert( val->kdc_state == NULL); krb5_free_pa_data(context, val->padata); krb5_free_principal(context, val->client); krb5_free_principal(context, val->server); 
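Review bot: `krb5_get_init_creds_opt_set_fast_ccache_name` passes `ccache_name` straight to `strdup`, so a NULL argument is undefined behaviour rather than a reported error; add `if (ccache_name == NULL) return EINVAL;` before the `krb5int_gic_opt_to_opte` call, or define NULL as "clear the name" and skip the `strdup` in that case. The `if (...) { free(...); }` around the old value is redundant because `free(NULL)` is a no-op; the same pattern appears in this file's `@@ -146,6 +146,8 @@` hunk.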
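Review bot: `assert( val->kdc_state == NULL);` in kfree.c's `@@ -344,6 +345,7 @@` hunk turns a stale `kdc_state` into a process abort from inside a public free routine, and under `NDEBUG` the same situation becomes a silent leak; nothing in this diff frees `kdc_state`. If the invariant is that the KDC side clears it before calling `krb5_free_kdc_req`, record that next to the assert: `/* kdc_state is owned and released by the KDC before the request is freed; a non-NULL value here is a caller bug */`.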
@@ -795,3 +797,63 @@ free(etypes); } } +void krb5_free_fast_req(krb5_context context, krb5_fast_req *val) +{ + if (val == NULL) + return; + krb5_free_kdc_req(context, val->req_body); + free(val); +} + +void krb5_free_fast_armor(krb5_context context, krb5_fast_armor *val) +{ + if (val == NULL) + return; + krb5_free_data_contents(context, &val->armor_value); + free(val); +} + +void krb5_free_fast_response(krb5_context context, krb5_fast_response *val) +{ + if (!val) + return; + krb5_free_pa_data(context, val->padata); + krb5_free_fast_finished(context, val->finished); + free(val); +} + +void krb5_free_fast_finished +(krb5_context context, krb5_fast_finished *val) +{ + if (!val) + return; + krb5_free_principal(context, val->client); + krb5_free_checksum_contents(context, &val->ticket_checksum); + free(val); +} + +void krb5_free_typed_data(krb5_context context, krb5_typed_data **in) +{ + int i = 0; + if (in == NULL) return; + while (in[i] != NULL) { + if (in[i]->data != NULL) + free(in[i]->data); + free(in[i]); + i++; + } + free(in); +} + +void krb5_free_fast_armored_req(krb5_context context, + krb5_fast_armored_req *val) +{ + if (val == NULL) + return; + if (val->armor) + krb5_free_fast_armor(context, val->armor); + krb5_free_data_contents(context, &val->enc_part.ciphertext); + if (val->req_checksum.contents) + krb5_free_checksum_contents(context, &val->req_checksum); + free(val); +} Modified: trunk/src/lib/krb5/krb/preauth2.c =================================================================== --- trunk/src/lib/krb5/krb/preauth2.c 2009-03-31 16:50:25 UTC (rev 22148) +++ trunk/src/lib/krb5/krb/preauth2.c 2009-03-31 17:00:41 UTC (rev 22149) @@ -37,6 +37,7 @@ #include "osconf.h" #include #include "int-proto.h" +#include "fast.h" #if !defined(_WIN32) #include @@ -419,6 +420,7 @@ krb5_data **retdata) { krb5_data *ret; + krb5_error_code retval; char *data; if (rock->magic != CLIENT_ROCK_MAGIC) 
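Review bot: The NULL guards in `krb5_free_fast_armored_req` (`if (val->armor) krb5_free_fast_armor(context, val->armor);`) and `krb5_free_typed_data` (`if (in[i]->data != NULL) free(in[i]->data);`) are redundant — `krb5_free_fast_armor` in this same hunk returns on NULL and `free(NULL)` is a no-op — and they suggest those callees are unsafe, while the sibling functions in the hunk call their freers unguarded. Drop the guards so all six functions follow one convention. In `krb5_free_typed_data`, `size_t` rather than `int` is the conventional index type for walking a NULL-terminated array.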
@@ -430,8 +432,6 @@ case krb5plugin_preauth_client_get_etype: { krb5_enctype *eptr; - if (rock->as_reply == NULL) - return ENOENT; ret = malloc(sizeof(krb5_data)); if (ret == NULL) return ENOMEM; @@ -443,7 +443,7 @@ ret->data = data; ret->length = sizeof(krb5_enctype); eptr = (krb5_enctype *)data; - *eptr = rock->as_reply->enc_part.enctype; + *eptr = *rock->etype; *retdata = ret; return 0; } @@ -457,7 +457,38 @@ free(ret); return 0; break; - default: + case krb5plugin_preauth_client_fast_armor: { + krb5_keyblock *key = NULL; + ret = calloc(1, sizeof(krb5_data)); + if (ret == NULL) + return ENOMEM; + retval = 0; + if (rock->fast_state->armor_key) + retval = krb5_copy_keyblock(kcontext, rock->fast_state->armor_key, + &key); + if (retval == 0) { + ret->data = (char *) key; + ret->length = key?sizeof(krb5_keyblock):0; + key = NULL; + } + if (retval == 0) { + *retdata = ret; + ret = NULL; + } + if (ret) + free(ret); + return retval; + } + case krb5plugin_preauth_client_free_fast_armor: + ret = *retdata; + if (ret) { + if (ret->data) + krb5_free_keyblock(kcontext, (krb5_keyblock *) ret->data); + free(ret); + *retdata = NULL; + } + return 0; + default: return EINVAL; } } Modified: trunk/src/lib/krb5/libkrb5.exports =================================================================== --- trunk/src/lib/krb5/libkrb5.exports 2009-03-31 16:50:25 UTC (rev 22148) +++ trunk/src/lib/krb5/libkrb5.exports 2009-03-31 17:00:41 UTC (rev 22149) @@ -19,6 +19,8 @@ decode_krb5_error decode_krb5_etype_info decode_krb5_etype_info2 +decode_krb5_fast_req +decode_krb5_pa_fx_fast_request decode_krb5_kdc_req_body decode_krb5_pa_enc_ts decode_krb5_pa_for_user @@ -36,6 +38,7 @@ decode_krb5_tgs_rep decode_krb5_tgs_req decode_krb5_ticket +decode_krb5_typed_data encode_krb5_alt_method encode_krb5_ap_rep encode_krb5_ap_rep_enc_part 
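Review bot: The `krb5plugin_preauth_client_fast_armor` case in the `@@ -457,7 +457,38 @@` hunk returns an allocated `krb5_data` whose `data` is really a `krb5_keyblock *` and whose `length` is 0 when no armor key exists, so a plugin learns "FAST not in use" only by inspecting `length`/`data`; that contract is not written down, and the `krb5plugin_preauth_client_free_fast_armor` case depends on the cast back. Add above the case: `/* Hand the plugin a copy of the FAST armor key wrapped in a krb5_data; data == NULL and length == 0 mean FAST is not in use. Release it via krb5plugin_preauth_client_free_fast_armor. */`. `key?sizeof(krb5_keyblock):0` would read better as `key ? sizeof(krb5_keyblock) : 0`.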
@@ -56,6 +59,8 @@ encode_krb5_error encode_krb5_etype_info encode_krb5_etype_info2 +encode_krb5_fast_response +encode_krb5_pa_fx_fast_reply encode_krb5_kdc_req_body encode_krb5_pa_enc_ts encode_krb5_pa_for_user @@ -226,6 +231,8 @@ krb5_free_error krb5_free_error_message krb5_free_etype_info +krb5_free_fast_armored_req +krb5_free_fast_req krb5_free_host_realm krb5_free_kdc_rep krb5_free_kdc_req @@ -266,6 +273,7 @@ krb5_free_ticket krb5_free_tickets krb5_free_tkt_authent +krb5_free_typed_data krb5_free_unparsed_name krb5_fwd_tgt_creds krb5_gen_portaddr @@ -300,6 +308,7 @@ krb5_get_init_creds_opt_set_canonicalize krb5_get_init_creds_opt_set_change_password_prompt krb5_get_init_creds_opt_set_etype_list +krb5_get_init_creds_opt_set_fast_ccache_name krb5_get_init_creds_opt_set_forwardable krb5_get_init_creds_opt_set_pa krb5_get_init_creds_opt_set_preauth_list @@ -516,6 +525,8 @@ krb5int_cleanup_library krb5int_cm_call_select krb5int_copy_data_contents_add0 +krb5int_find_authdata +krb5int_find_pa_data krb5int_foreach_localaddr krb5int_free_addrlist krb5int_init_context_kdc Modified: trunk/src/lib/krb5/os/accessor.c =================================================================== --- trunk/src/lib/krb5/os/accessor.c 2009-03-31 16:50:25 UTC (rev 22148) +++ trunk/src/lib/krb5/os/accessor.c 2009-03-31 17:00:41 UTC (rev 22149) 
@@ -132,6 +132,13 @@ S (encode_krb5_sam_response_2, encode_krb5_sam_response_2), S (encode_krb5_enc_sam_response_enc_2, encode_krb5_enc_sam_response_enc_2), + S (encode_enc_ts, encode_krb5_pa_enc_ts), + S (decode_enc_ts, decode_krb5_pa_enc_ts), + S (encode_enc_data, encode_krb5_enc_data), + S(decode_enc_data, decode_krb5_enc_data), + S(free_enc_ts, krb5_free_pa_enc_ts), + S(free_enc_data, krb5_free_enc_data), + S(encrypt_helper, krb5_encrypt_helper), #if DESIGNATED_INITIALIZERS }; Copied: trunk/src/plugins/preauth/encrypted_challenge/Makefile.in (from rev 22148, trunk/src/plugins/preauth/cksum_body/Makefile.in) =================================================================== --- trunk/src/plugins/preauth/cksum_body/Makefile.in 2009-03-31 16:50:25 UTC (rev 22148) +++ trunk/src/plugins/preauth/encrypted_challenge/Makefile.in 2009-03-31 17:00:41 UTC (rev 22149) 
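Review bot: The seven new `S(...)` entries extend the `krb5int_access` table that out-of-tree plugins fill through `krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION)` (the encrypted_challenge plugin in this commit does exactly that); if `KRB5INT_ACCESS_VERSION` is not bumped elsewhere in the commit (not visible here), a plugin built against the enlarged struct could be accepted by an older library and read fields it never filled. Please confirm the version change. The hunk also mixes `S (encode_enc_ts, ...)` with `S(decode_enc_data, ...)`; use one spacing for the macro calls.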
@@ -0,0 +1,41 @@ +thisconfigdir=../../.. +myfulldir=plugins/preauth/encrypted_challenge +mydir=plugins/preauth/encrypted_challenge +BUILDTOP=$(REL)..$(S)..$(S).. +KRB5_RUN_ENV = @KRB5_RUN_ENV@ +KRB5_CONFIG_SETUP = KRB5_CONFIG=$(SRCTOP)/config-files/krb5.conf ; export KRB5_CONFIG ; +PROG_LIBPATH=-L$(TOPLIBD) +PROG_RPATH=$(KRB5_LIBDIR) +MODULE_INSTALL_DIR = $(KRB5_PA_MODULE_DIR) +DEFS=@DEFS@ + +LOCALINCLUDES = -I../../../include/krb5 -I. + +LIBBASE=encrypted_challenge +LIBMAJOR=0 +LIBMINOR=0 +SO_EXT=.so +RELDIR=../plugins/preauth/encrypted_challenge +# Depends on libk5crypto and libkrb5 +SHLIB_EXPDEPS = \ + $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ + $(TOPLIBD)/libkrb5$(SHLIBEXT) +SHLIB_EXPLIBS= -lkrb5 -lcom_err -lk5crypto $(SUPPORT_LIB) $(LIBS) + +SHLIB_DIRS=-L$(TOPLIBD) +SHLIB_RDIRS=$(KRB5_LIBDIR) +STOBJLISTS=OBJS.ST +STLIBOBJS=encrypted_challenge_main.o + +SRCS= $(srcdir)/encrypted_challenge_main.c + +all-unix:: $(LIBBASE)$(SO_EXT) +install-unix:: install-libs +clean-unix:: clean-libs clean-libobjs + +clean:: + $(RM) lib$(LIBBASE)$(SO_EXT) + + at libnover_frag@ + at libobj_frag@ + Copied: trunk/src/plugins/preauth/encrypted_challenge/deps (from rev 22148, trunk/src/ccapi/test/deps) =================================================================== Copied: trunk/src/plugins/preauth/encrypted_challenge/encrypted_challenge.exports (from rev 22148, trunk/src/plugins/preauth/pkinit/pkinit.exports) =================================================================== --- trunk/src/plugins/preauth/pkinit/pkinit.exports 2009-03-31 16:50:25 UTC (rev 22148) +++ trunk/src/plugins/preauth/encrypted_challenge/encrypted_challenge.exports 2009-03-31 17:00:41 UTC (rev 22149) 
@@ -0,0 +1,2 @@
+preauthentication_client_1
+preauthentication_server_1
Added: trunk/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c
===================================================================
--- trunk/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c 2009-03-31 16:50:25 UTC (rev 22148)
+++ trunk/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c 2009-03-31 17:00:41 UTC (rev 22149)
@@ -0,0 +1,409 @@ +/* + * plugins/preauth/encrypted_challenge/encrypted_challenge.c + * + * Copyright (C) 2009 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. 
+ * + * + * + * Implement EncryptedChallenge fast factor from draft-ietf-krb-wg-preauth-framework + */ + +#include +#include "../fast_factor.h" + +#include + +static int preauth_flags +(krb5_context context, krb5_preauthtype pa_type) +{ + return PA_REAL; +} + +static krb5_error_code process_preauth +(krb5_context context, + void *plugin_context, + void *request_context, + krb5_get_init_creds_opt *opt, + preauth_get_client_data_proc get_data_proc, + struct _krb5_preauth_client_rock *rock, + krb5_kdc_req *request, + krb5_data *encoded_request_body, + krb5_data *encoded_previous_request, + krb5_pa_data *padata, + krb5_prompter_fct prompter, + void *prompter_data, + preauth_get_as_key_proc gak_fct, + void *gak_data, + krb5_data *salt, + krb5_data *s2kparams, + krb5_keyblock *as_key, + krb5_pa_data ***out_padata) +{ + krb5_error_code retval = 0; + krb5_enctype enctype = 0; + krb5_keyblock *challenge_key = NULL, *armor_key = NULL; + krb5_data *etype_data = NULL; + krb5int_access kaccess; + + if (krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION) != 0) + return 0; + retval = fast_get_armor_key(context, get_data_proc, rock, &armor_key); + if (retval || armor_key == NULL) + return 0; + retval = get_data_proc(context, rock, krb5plugin_preauth_client_get_etype, &etype_data); + if (retval == 0) { + enctype = *((krb5_enctype *)etype_data->data); + if (as_key->length == 0 ||as_key->enctype != enctype) + retval = gak_fct(context, request->client, + enctype, prompter, prompter_data, + salt, s2kparams, + as_key, gak_data); + } + if (padata->length) { + krb5_enc_data *enc = NULL; + krb5_data scratch; + scratch.length = padata->length; + scratch.data = (char *) padata->contents; + if (retval == 0) + retval = krb5_c_fx_cf2_simple(context,armor_key, "kdcchallengearmor", + as_key, "challengelongterm", &challenge_key); + if (retval == 0) + retval =kaccess.decode_enc_data(&scratch, &enc); + scratch.data = NULL; + if (retval == 0) { + scratch.data = malloc(enc->ciphertext.length); + 
scratch.length = enc->ciphertext.length; + if (scratch.data == NULL) + retval = ENOMEM; + } + if (retval == 0) + retval = krb5_c_decrypt(context, challenge_key, + KRB5_KEYUSAGE_ENC_CHALLENGE_KDC, NULL, + enc, &scratch); +/*Per draft 11 of the preauth framework, the client MAY but + * is not required to actually check the timestamp from the KDC other than + * to confirm it decrypts. This code does not perform that check. + */ + if (scratch.data) + krb5_free_data_contents(context, &scratch); + if (retval == 0) + fast_set_kdc_verified(context, get_data_proc, rock); + if (enc) + kaccess.free_enc_data(context, enc); + } else { /*No padata; we send*/ + krb5_enc_data enc; + krb5_pa_data *pa = NULL; + krb5_pa_data **pa_array = NULL; + krb5_data *encoded_ts = NULL; + krb5_pa_enc_ts ts; + if (retval == 0) + retval = krb5_us_timeofday(context, &ts.patimestamp, &ts.pausec); + if (retval == 0) + retval = kaccess.encode_enc_ts(&ts, &encoded_ts); + if (retval == 0) + retval = krb5_c_fx_cf2_simple(context, + armor_key, "clientchallengearmor", + as_key, "challengelongterm", + &challenge_key); + if (retval == 0) + retval = kaccess.encrypt_helper(context, challenge_key, + KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT, + encoded_ts, &enc); + if (encoded_ts) + krb5_free_data(context, encoded_ts); + encoded_ts = NULL; + if (retval == 0) { + retval = kaccess.encode_enc_data(&enc, &encoded_ts); + krb5_free_data_contents(context, &enc.ciphertext); + } + if (retval == 0) { + pa = calloc(1, sizeof(krb5_pa_data)); + if (pa == NULL) + retval = ENOMEM; + } + if (retval == 0) { + pa_array = calloc(2, sizeof(krb5_pa_data *)); + if (pa_array == NULL) + retval = ENOMEM; + } + if (retval == 0) { + pa->length = encoded_ts->length; + pa->contents = (unsigned char *) encoded_ts->data; + pa->pa_type = KRB5_PADATA_ENCRYPTED_CHALLENGE; + free(encoded_ts); + encoded_ts = NULL; + pa_array[0] = pa; + pa = NULL; + *out_padata = pa_array; + pa_array = NULL; + } + if (pa) + free(pa); + if (encoded_ts) + 
krb5_free_data(context, encoded_ts); + if (pa_array) + free(pa_array); + } + if (challenge_key) + krb5_free_keyblock(context, challenge_key); + if (armor_key) + krb5_free_keyblock(context, armor_key); + if (etype_data != NULL) + get_data_proc(context, rock, krb5plugin_preauth_client_free_etype, + &etype_data); + return retval; +} + + + + +static krb5_error_code kdc_include_padata +(krb5_context context, + krb5_kdc_req *request, + struct _krb5_db_entry_new *client, + struct _krb5_db_entry_new *server, + preauth_get_entry_data_proc get_entry_proc, + void *pa_module_context, + krb5_pa_data *data) +{ + krb5_error_code retval = 0; + krb5_keyblock *armor_key = NULL; + retval = fast_kdc_get_armor_key(context, get_entry_proc, request, client, &armor_key); + if (retval) + return retval; + if (armor_key == 0) + return ENOENT; + krb5_free_keyblock(context, armor_key); + return 0; +} + +static krb5_error_code kdc_verify_preauth +(krb5_context context, + struct _krb5_db_entry_new *client, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_reply, + krb5_pa_data *data, + preauth_get_entry_data_proc get_entry_proc, + void *pa_module_context, + void **pa_request_context, + krb5_data **e_data, + krb5_authdata ***authz_data) +{ + krb5_error_code retval = 0; + krb5_timestamp now; + krb5_enc_data *enc = NULL; + krb5_data scratch, plain; + krb5_keyblock *armor_key = NULL; + krb5_pa_enc_ts *ts = NULL; + krb5int_access kaccess; + krb5_keyblock *client_keys = NULL; + krb5_data *client_data = NULL; + krb5_keyblock *challenge_key = NULL; + int i; + + plain.data = NULL; + if (krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION) != 0) + return 0; + + retval = fast_kdc_get_armor_key(context, get_entry_proc, request, client, &armor_key); + if (retval == 0 &&armor_key == NULL) { + retval = ENOENT; + krb5_set_error_message(context, ENOENT, "Encrypted Challenge used outside of FAST tunnel"); + } + scratch.data = (char *) data->contents; + scratch.length = data->length; + if 
(retval == 0) + retval = kaccess.decode_enc_data(&scratch, &enc); + if (retval == 0) { + plain.data = malloc(enc->ciphertext.length); + plain.length = enc->ciphertext.length; + if (plain.data == NULL) + retval = ENOMEM; + } + if (retval == 0) + retval = get_entry_proc(context, request, client, + krb5plugin_preauth_keys, &client_data); + if (retval == 0) { + client_keys = (krb5_keyblock *) client_data->data; + for (i = 0; client_keys[i].enctype&& (retval == 0); i++ ) { + retval = krb5_c_fx_cf2_simple(context, + armor_key, "clientchallengearmor", + &client_keys[i], "challengelongterm", + &challenge_key); + if (retval == 0) + retval = krb5_c_decrypt(context, challenge_key, + KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT, + NULL, enc, &plain); + if (challenge_key) + krb5_free_keyblock(context, challenge_key); + challenge_key = NULL; + if (retval == 0) + break; + /*We failed to decrypt. Try next key*/ + retval = 0; + krb5_free_keyblock_contents(context, &client_keys[i]); + } + if (client_keys[i].enctype == 0) { + retval = KRB5KDC_ERR_PREAUTH_FAILED; + krb5_set_error_message(context, retval, "Incorrect password in encrypted challenge"); + } else { /*not run out of keys*/ + int j; + assert (retval == 0); + for (j = i+1; client_keys[j].enctype; j++) + krb5_free_keyblock_contents(context, &client_keys[j]); + } + + } + if (retval == 0) + retval = kaccess.decode_enc_ts(&plain, &ts); + if (retval == 0) + retval = krb5_timeofday(context, &now); + if (retval == 0) { + if (labs(now-ts->patimestamp) < context->clockskew) { + enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; +/*If this fails, we won't generate a reply to the client. That may + * cause the client to fail, but at this point the KDC has considered + this a success, so the return value is ignored. 
*/ + fast_kdc_replace_reply_key(context, get_entry_proc, request); + krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor", + &client_keys[i], "challengelongterm", + (krb5_keyblock **) pa_request_context); + } else { /*skew*/ + retval = KRB5KRB_AP_ERR_SKEW; + } + } + if (client_keys) { + if (client_keys[i].enctype) + krb5_free_keyblock_contents(context, &client_keys[i]); + krb5_free_data(context, client_data); + } + if (armor_key) + krb5_free_keyblock(context, armor_key); + if (challenge_key) + krb5_free_keyblock(context, challenge_key); + if (plain.data) + free(plain.data); + if (enc) + kaccess.free_enc_data(context, enc); + if (ts) + kaccess.free_enc_ts(context, ts); + return retval; +} + +static krb5_error_code kdc_return_preauth +(krb5_context context, + krb5_pa_data * padata, + struct _krb5_db_entry_new *client, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_kdc_rep *reply, + struct _krb5_key_data *client_keys, + krb5_keyblock *encrypting_key, + krb5_pa_data **send_pa, + preauth_get_entry_data_proc get_entry_proc, + void *pa_module_context, + void **pa_request_context) +{ + krb5_error_code retval = 0; + krb5_keyblock *challenge_key = *pa_request_context; + krb5_pa_enc_ts ts; + krb5_data *plain = NULL; + krb5_enc_data enc; + krb5_data *encoded = NULL; + krb5_pa_data *pa = NULL; + krb5int_access kaccess; + + if (krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION) != 0) + return 0; + if (challenge_key == NULL) + return 0; + * pa_request_context = NULL; /*this function will free the + * challenge key*/ + retval = krb5_us_timeofday(context, &ts.patimestamp, &ts.pausec); + if (retval == 0) + retval = kaccess.encode_enc_ts(&ts, &plain); + if (retval == 0) + retval = kaccess.encrypt_helper(context, challenge_key, + KRB5_KEYUSAGE_ENC_CHALLENGE_KDC, + plain, &enc); + if (retval == 0) + retval = kaccess.encode_enc_data(&enc, &encoded); + if (retval == 0) { + pa = calloc(1, sizeof(krb5_pa_data)); + if (pa == NULL) + retval = ENOMEM; + } + if (retval == 0) { + 
pa->pa_type = KRB5_PADATA_ENCRYPTED_CHALLENGE; + pa->contents = (unsigned char *) encoded->data; + pa->length = encoded->length; + encoded->data = NULL; + *send_pa = pa; + pa = NULL; + } + if (challenge_key) + krb5_free_keyblock(context, challenge_key); + if (encoded) + krb5_free_data(context, encoded); + if (plain) + krb5_free_data(context, plain); + if (enc.ciphertext.data) + krb5_free_data_contents(context, &enc.ciphertext); + return retval; +} + +static int kdc_preauth_flags +(krb5_context context, krb5_preauthtype patype) +{ + return 0; +} + +krb5_preauthtype supported_pa_types[] = { + KRB5_PADATA_ENCRYPTED_CHALLENGE, 0}; + +struct krb5plugin_preauth_server_ftable_v1 preauthentication_server_1 = { + "Encrypted challenge", + &supported_pa_types[0], +NULL, +NULL, +kdc_preauth_flags, + kdc_include_padata, + kdc_verify_preauth, + kdc_return_preauth, +NULL +}; + +struct krb5plugin_preauth_client_ftable_v1 preauthentication_client_1 = { + "Encrypted Challenge", /* name */ + &supported_pa_types[0], /* pa_type_list */ + NULL, /* enctype_list */ + NULL, /* plugin init function */ + NULL, /* plugin fini function */ + preauth_flags, /* get flags function */ + NULL, /* request init function */ + NULL, /* request fini function */ + process_preauth, /* process function */ + NULL, /* try_again function */ +NULL /* get init creds opt function */ +}; Added: trunk/src/plugins/preauth/fast_factor.h =================================================================== --- trunk/src/plugins/preauth/fast_factor.h 2009-03-31 16:50:25 UTC (rev 22148) +++ trunk/src/plugins/preauth/fast_factor.h 2009-03-31 17:00:41 UTC (rev 22149) 
@@ -0,0 +1,53 @@ +/*Returns success with a null armor_key if FAST is available but not in use. +Returns failure if the client library does not support FAST +*/ +static krb5_error_code fast_get_armor_key +(krb5_context context, preauth_get_client_data_proc get_data, + struct _krb5_preauth_client_rock *rock, + krb5_keyblock **armor_key) +{ + krb5_error_code retval = 0; + krb5_data *data; + retval = get_data(context, rock, krb5plugin_preauth_client_fast_armor, &data); + if (retval == 0) { + *armor_key = (krb5_keyblock *) data->data; + data->data = NULL; + get_data(context, rock, krb5plugin_preauth_client_free_fast_armor, + &data); + } + return retval; +} + +static krb5_error_code fast_kdc_get_armor_key +(krb5_context context, preauth_get_entry_data_proc get_entry, + krb5_kdc_req *request,struct _krb5_db_entry_new *client, + krb5_keyblock **armor_key) +{ + krb5_error_code retval; + krb5_data *data; + retval = get_entry(context, request, client, krb5plugin_preauth_fast_armor, + &data); + if (retval == 0) { + *armor_key = (krb5_keyblock *) data->data; + data->data = NULL; + get_entry(context, request, client, + krb5plugin_preauth_free_fast_armor, &data); + } + return retval; + } + + + + static krb5_error_code fast_kdc_replace_reply_key + (krb5_context context, preauth_get_entry_data_proc get_data, + krb5_kdc_req *request) + { + return 0; + } + +static krb5_error_code fast_set_kdc_verified +(krb5_context context, preauth_get_client_data_proc get_data, + struct _krb5_preauth_client_rock *rock) +{ + return 0; +} From hartmans at MIT.EDU Tue Mar 31 13:12:44 2009 
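Review bot: fast_kdc_replace_reply_key and fast_set_kdc_verified are stubs that return 0 unconditionally, so a caller cannot distinguish a completed operation from an unimplemented one; kdc_verify_preauth in this same commit already discards fast_kdc_replace_reply_key's return, and a client-side caller of fast_set_kdc_verified would presumably conclude the KDC had been verified when nothing was checked. Until the bodies exist the stubs should say so in place: `/* Stub: returns success without doing anything; callers must not treat 0 as meaning anything was verified or replaced. */`. The header also defines non-inline static functions with no include guard, so each translation unit that includes it gets private copies plus an unused-function warning for every one it does not call, and the second get_data()/get_entry() call in each armor-key helper (the one that releases the armor data) discards its return value. All four functions are complete within the hunk.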
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Tue, 31 Mar 2009 13:12:44 -0400 Subject: svn rev #22150: trunk/src/ kdc/ lib/krb5/krb/ plugins/preauth/encrypted_challenge/ ... Message-ID: <200903311712.n2VHCiCn010780@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22150 Commit By: hartmans Log Message: make depend Changed Files: U trunk/src/kdc/deps U trunk/src/lib/krb5/krb/deps U trunk/src/plugins/preauth/encrypted_challenge/deps U trunk/src/plugins/preauth/pkinit/deps Modified: trunk/src/kdc/deps =================================================================== --- trunk/src/kdc/deps 2009-03-31 17:00:41 UTC (rev 22149) +++ trunk/src/kdc/deps 2009-03-31 17:12:44 UTC (rev 22150) 
@@ -38,6 +38,17 @@ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h do_tgs_req.c extern.h \ kdc_util.h policy.h +$(OUTPRE)fast_util.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ + $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ + $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ + $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \ + $(SRCTOP)/include/kdb_ext.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + extern.h fast_util.c kdc_util.h $(OUTPRE)kdc_util.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm.h \ Modified: trunk/src/lib/krb5/krb/deps =================================================================== --- trunk/src/lib/krb5/krb/deps 2009-03-31 17:00:41 UTC (rev 22149) +++ trunk/src/lib/krb5/krb/deps 2009-03-31 17:12:44 UTC (rev 22150) 
@@ -273,6 +273,16 @@ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h encrypt_tk.c +fast.so fast.po $(OUTPRE)fast.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ + $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ + $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ + $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + fast.c fast.h int-proto.h free_rtree.so free_rtree.po $(OUTPRE)free_rtree.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -353,7 +363,7 @@ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(srcdir)/../os/os-proto.h \ - get_in_tkt.c int-proto.h + fast.h get_in_tkt.c int-proto.h gic_keytab.so gic_keytab.po $(OUTPRE)gic_keytab.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ 
@@ -564,7 +574,8 @@ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h int-proto.h preauth2.c + $(SRCTOP)/include/socket-utils.h fast.h int-proto.h \ + preauth2.c princ_comp.so princ_comp.po $(OUTPRE)princ_comp.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ Modified: trunk/src/plugins/preauth/encrypted_challenge/deps =================================================================== --- trunk/src/plugins/preauth/encrypted_challenge/deps 2009-03-31 17:00:41 UTC (rev 22149) +++ trunk/src/plugins/preauth/encrypted_challenge/deps 2009-03-31 17:12:44 UTC (rev 22150) @@ -0,0 +1,14 @@ +# +# Generated makefile dependencies follow. +# +encrypted_challenge_main.so encrypted_challenge_main.po \ + $(OUTPRE)encrypted_challenge_main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ + $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ + $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ + $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(srcdir)/../fast_factor.h encrypted_challenge_main.c Modified: trunk/src/plugins/preauth/pkinit/deps =================================================================== --- trunk/src/plugins/preauth/pkinit/deps 2009-03-31 17:00:41 UTC (rev 22149) +++ trunk/src/plugins/preauth/pkinit/deps 2009-03-31 17:12:44 UTC (rev 22150) 
@@ -13,16 +13,10 @@ $(SRCTOP)/include/socket-utils.h pkinit_accessor.c \ pkinit_accessor.h pkinit_srv.so pkinit_srv.po $(OUTPRE)pkinit_srv.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h pkcs11.h pkinit.h \ - pkinit_accessor.h pkinit_crypto.h pkinit_srv.c + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + pkcs11.h pkinit.h pkinit_accessor.h pkinit_crypto.h \ + pkinit_srv.c pkinit_lib.so pkinit_lib.po $(OUTPRE)pkinit_lib.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int-pkinit.h \ 
@@ -30,16 +24,9 @@ $(SRCTOP)/include/krb5/preauth_plugin.h pkcs11.h pkinit.h \ pkinit_accessor.h pkinit_crypto.h pkinit_lib.c pkinit_clnt.so pkinit_clnt.po $(OUTPRE)pkinit_clnt.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h pkcs11.h pkinit.h \ - pkinit_accessor.h pkinit_clnt.c pkinit_crypto.h + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + pkcs11.h pkinit.h pkinit_accessor.h pkinit_clnt.c pkinit_crypto.h pkinit_profile.so pkinit_profile.po $(OUTPRE)pkinit_profile.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ 
@@ -57,16 +44,10 @@ pkcs11.h pkinit.h pkinit_accessor.h pkinit_crypto.h \ pkinit_identity.c pkinit_matching.so pkinit_matching.po $(OUTPRE)pkinit_matching.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h pkcs11.h pkinit.h \ - pkinit_accessor.h pkinit_crypto.h pkinit_matching.c + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + pkcs11.h pkinit.h pkinit_accessor.h pkinit_crypto.h \ + pkinit_matching.c pkinit_crypto_openssl.so pkinit_crypto_openssl.po $(OUTPRE)pkinit_crypto_openssl.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int-pkinit.h \ From hartmans at MIT.EDU Tue Mar 31 18:35:59 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Tue, 31 Mar 2009 18:35:59 -0400 Subject: svn rev #22151: trunk/src/kdc/ Message-ID: <200903312235.n2VMZx6h031125@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22151 Commit By: hartmans Log Message: ticket: 6436 Initialize request state in the TGS path. Changed Files: U trunk/src/kdc/do_tgs_req.c Modified: trunk/src/kdc/do_tgs_req.c =================================================================== --- trunk/src/kdc/do_tgs_req.c 2009-03-31 17:12:44 UTC (rev 22150) +++ trunk/src/kdc/do_tgs_req.c 2009-03-31 22:35:59 UTC (rev 22151) 
@@ -164,6 +164,11 @@ status="UNEXPECTED NULL in header_ticket"; goto cleanup; } + errcode = kdc_make_rstate(&state); + if (errcode !=0) { + status = "making state"; + goto cleanup; + } scratch.length = pa_tgs_req->length; scratch.data = (char *) pa_tgs_req->contents; errcode = kdc_find_fast(&request, &scratch, subkey, header_ticket->enc_part2->session, state); From hartmans at MIT.EDU Tue Mar 31 18:36:04 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Tue, 31 Mar 2009 18:36:04 -0400 Subject: svn rev #22152: trunk/src/lib/crypto/ Message-ID: <200903312236.n2VMa4C8031171@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22152 Commit By: hartmans Log Message: ticket: 6437 target_version: 1.7 tags: pullup Subject: mark export grade RC4 as weak Set the weak enctype flag on the 40-bit RC4. Changed Files: U trunk/src/lib/crypto/etypes.c Modified: trunk/src/lib/crypto/etypes.c =================================================================== --- trunk/src/lib/crypto/etypes.c 2009-03-31 22:35:59 UTC (rev 22151) +++ trunk/src/lib/crypto/etypes.c 2009-03-31 22:36:03 UTC (rev 22152) @@ -137,7 +137,8 @@ NULL, /*PRF*/ CKSUMTYPE_HMAC_MD5_ARCFOUR, &krb5int_aead_arcfour, - 0 /*flags*/ }, + ETYPE_WEAK + }, { ENCTYPE_AES128_CTS_HMAC_SHA1_96, "aes128-cts-hmac-sha1-96", { "aes128-cts" }, From tlyu at MIT.EDU Tue Mar 31 19:51:49 2009 
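Review bot: With kdc_make_rstate(&state) inserted here, `goto cleanup` is now reached both before and after the state is allocated, and the cleanup label is outside this hunk; it must free the state on the later error paths and on success while tolerating a still-unset state on the earlier ones — whether state is initialised to NULL before the first goto is not visible in the hunk. `if (errcode !=0) {` should read `if (errcode != 0) {`. The enclosing function begins and ends outside the hunk.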
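Review bot: The `/*flags*/` label was dropped when `0 /*flags*/` became `ETYPE_WEAK`, which leaves this positional field unlabelled in a table entry whose neighbours presumably still carry it; keep the label and record the reason the log message gives, `ETYPE_WEAK /* flags: 40-bit export-grade key */`. The initializer this entry belongs to starts outside the hunk.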
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 31 Mar 2009 19:51:49 -0400 Subject: svn rev #22153: trunk/src/lib/krb5/asn.1/ Message-ID: <200903312351.n2VNpnjD002898@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22153 Commit By: tlyu Log Message: ticket: 6436 Make FAST changes build when pkinit is disabled. Changed Files: U trunk/src/lib/krb5/asn.1/asn1_k_decode.c U trunk/src/lib/krb5/asn.1/asn1_k_encode.c U trunk/src/lib/krb5/asn.1/krb5_decode.c U trunk/src/lib/krb5/asn.1/krb5_encode.c Modified: trunk/src/lib/krb5/asn.1/asn1_k_decode.c =================================================================== --- trunk/src/lib/krb5/asn.1/asn1_k_decode.c 2009-03-31 22:36:03 UTC (rev 22152) +++ trunk/src/lib/krb5/asn.1/asn1_k_decode.c 2009-03-31 23:51:48 UTC (rev 22153) @@ -2321,6 +2321,8 @@ return retval; } +#endif /* DISABLE_PKINIT */ + static void free_typed_data(void *dummy, krb5_typed_data *val) { free(val->data); @@ -2354,4 +2356,3 @@ { decode_ptr(krb5_typed_data *, asn1_decode_typed_data); } -#endif /* DISABLE_PKINIT */ Modified: trunk/src/lib/krb5/asn.1/asn1_k_encode.c =================================================================== --- trunk/src/lib/krb5/asn.1/asn1_k_encode.c 2009-03-31 22:36:03 UTC (rev 22152) +++ trunk/src/lib/krb5/asn.1/asn1_k_encode.c 2009-03-31 23:51:48 UTC (rev 22153) @@ -1337,7 +1337,6 @@ -#ifndef DISABLE_PKINIT /* * PKINIT */ @@ -1439,6 +1438,8 @@ return retval; }\ sum += length; } +#ifndef DISABLE_PKINIT + /* Callable encoders for the types defined above, until the PKINIT encoders get converted. */ MAKE_ENCFN(asn1_encode_realm, realm_of_principal_data); @@ -1819,6 +1820,8 @@ asn1_cleanup(); } +#endif /* DISABLE_PKINIT */ + asn1_error_code asn1_encode_sequence_of_typed_data(asn1buf *buf, const krb5_typed_data **val, unsigned int *retlen) { asn1_setup(); 
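Review bot: Removing `#ifndef DISABLE_PKINIT` directly above the `/* * PKINIT */` banner in asn1_k_encode.c leaves that heading over code that is now compiled unconditionally (everything up to the `#ifndef DISABLE_PKINIT` reinserted before the MAKE_ENCFN encoders in the `@@ -1439` hunk), so the banner no longer describes what follows it. Either move the banner down to the new guard or reword it, e.g. `/* Types shared by PKINIT and the typed-data encoders; PKINIT-only encoders start at the DISABLE_PKINIT guard below. */`. The region between the two hunks is not visible here, so which definitions became unconditional is inferred from the hunk headers.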
@@ -1847,4 +1850,3 @@ asn1_makeseq(); asn1_cleanup(); } -#endif /* DISABLE_PKINIT */ Modified: trunk/src/lib/krb5/asn.1/krb5_decode.c =================================================================== --- trunk/src/lib/krb5/asn.1/krb5_decode.c 2009-03-31 22:36:03 UTC (rev 22152) +++ trunk/src/lib/krb5/asn.1/krb5_decode.c 2009-03-31 23:51:48 UTC (rev 22153) @@ -1297,16 +1297,6 @@ } krb5_error_code -decode_krb5_typed_data(const krb5_data *code, krb5_typed_data ***repptr) -{ - setup_buf_only(krb5_typed_data **); - retval = asn1_decode_sequence_of_typed_data(&buf, &rep); - if (retval) clean_return(retval); - - cleanup(free); -} - -krb5_error_code decode_krb5_td_trusted_certifiers(const krb5_data *code, krb5_external_principal_identifier ***repptr) { @@ -1328,3 +1318,13 @@ cleanup(free); } #endif /* DISABLE_PKINIT */ + +krb5_error_code +decode_krb5_typed_data(const krb5_data *code, krb5_typed_data ***repptr) +{ + setup_buf_only(krb5_typed_data **); + retval = asn1_decode_sequence_of_typed_data(&buf, &rep); + if (retval) clean_return(retval); + + cleanup(free); +} Modified: trunk/src/lib/krb5/asn.1/krb5_encode.c =================================================================== --- trunk/src/lib/krb5/asn.1/krb5_encode.c 2009-03-31 22:36:03 UTC (rev 22152) +++ trunk/src/lib/krb5/asn.1/krb5_encode.c 2009-03-31 23:51:48 UTC (rev 22153) @@ -34,7 +34,6 @@ /**************** Macros (these save a lot of typing) ****************/ -#ifndef DISABLE_PKINIT /* setup() -- create and initialize bookkeeping variables retval: stores error codes returned from subroutines buf: the coding buffer @@ -63,6 +62,7 @@ *code = tmpcode;\ return 0 +#ifndef DISABLE_PKINIT krb5_error_code encode_krb5_pa_pk_as_req(const krb5_pa_pk_as_req *rep, krb5_data **code) { krb5_setup(); 
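Review bot: decode_krb5_typed_data, now placed after `#endif /* DISABLE_PKINIT */` in krb5_decode.c, still expands setup_buf_only, clean_return and cleanup; this commit explicitly moves krb5_encode.c's krb5_setup/krb5_cleanup macros ahead of its `#ifndef DISABLE_PKINIT` (the `@@ -34` and `@@ -63` hunks) but shows no equivalent change for krb5_decode.c, so confirm those macros are defined outside the PKINIT-conditional region there, otherwise a DISABLE_PKINIT build fails at this function. A one-line comment on why the function sits after the guard would help the next reader, e.g. `/* Not PKINIT-specific: typed data is also needed by FAST, so this stays built with DISABLE_PKINIT. */`; the same comment applies to encode_krb5_typed_data in the final krb5_encode.c hunk. The FAST dependency is taken from the log message rather than from the hunk itself.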
@@ -153,21 +153,22 @@ krb5_cleanup(); } -krb5_error_code encode_krb5_typed_data(const krb5_typed_data **rep, krb5_data **code) +krb5_error_code encode_krb5_td_dh_parameters(const krb5_algorithm_identifier **rep, krb5_data **code) { krb5_setup(); - retval = asn1_encode_sequence_of_typed_data(buf,rep,&length); + retval = asn1_encode_sequence_of_algorithm_identifier(buf,rep,&length); if (retval) goto error; sum += length; krb5_cleanup(); } +#endif /* DISABLE_PKINIT */ -krb5_error_code encode_krb5_td_dh_parameters(const krb5_algorithm_identifier **rep, krb5_data **code) +krb5_error_code encode_krb5_typed_data(const krb5_typed_data **rep, krb5_data **code) { krb5_setup(); - retval = asn1_encode_sequence_of_algorithm_identifier(buf,rep,&length); + retval = asn1_encode_sequence_of_typed_data(buf,rep,&length); if (retval) goto error; sum += length; krb5_cleanup(); } -#endif /* DISABLE_PKINIT */ +
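Review bot: The final `+` line adds an empty line at the end of krb5_encode.c, which is whitespace noise unrelated to the DISABLE_PKINIT rearrangement and is worth dropping before commit. The exchange of encode_krb5_typed_data and encode_krb5_td_dh_parameters across the `#endif` otherwise leaves both bodies intact, as the hunk shows.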