svn rev #22161: branches/fast/src/lib/krb5/krb/
hartmans@MIT.EDU
hartmans at MIT.EDU
Thu Apr 2 23:39:39 EDT 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=22161
Commit By: hartmans
Log Message:
Client-side cookie support
Echo the pa-fx-cookie back to the KDC.
No need to store cookie padata in the state structure; removed.
If cookie is not present and FAST is being used, do not retry after error.
Changed Files:
U branches/fast/src/lib/krb5/krb/fast.c
U branches/fast/src/lib/krb5/krb/fast.h
U branches/fast/src/lib/krb5/krb/preauth2.c
Modified: branches/fast/src/lib/krb5/krb/fast.c
===================================================================
--- branches/fast/src/lib/krb5/krb/fast.c 2009-04-03 03:33:01 UTC (rev 22160)
+++ branches/fast/src/lib/krb5/krb/fast.c 2009-04-03 03:39:38 UTC (rev 22161)
@@ -378,9 +378,11 @@
fast_response->padata = NULL;
/*
* If there is more than the fx_error padata, then we want
- * to retry the error
+ * to retry the error if a cookie is present
*/
*retry = (*out_padata)[1] != NULL;
+ if (krb5int_find_pa_data(context, *out_padata, KRB5_PADATA_FX_COOKIE) == NULL)
+ *retry = 0;
}
if (fx_error)
krb5_free_error(context, fx_error);
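Review bot: The updated comment says the retry happens only if a cookie is present but not why, and the added check silently overrides the assignment on the line above it. A comment such as `/* Without a pa-fx-cookie to echo back there is nothing to continue from, so do not retry under FAST. */` would record the reasoning; this is inferred from the log message and should be confirmed. The two statements could also be folded into one, `*retry = (*out_padata)[1] != NULL && krb5int_find_pa_data(context, *out_padata, KRB5_PADATA_FX_COOKIE) != NULL;`. The enclosing function starts and ends outside the hunk.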
@@ -475,11 +477,6 @@
/*We are responsible for none of the store in the fast_outer_req*/
krb5_free_keyblock(context, state->armor_key);
krb5_free_fast_armor(context, state->armor);
- if (state->cookie) {
- free(state->cookie->contents);
- free(state->cookie);
- state->cookie = NULL;
- }
free(state);
}
Modified: branches/fast/src/lib/krb5/krb/fast.h
===================================================================
--- branches/fast/src/lib/krb5/krb/fast.h 2009-04-03 03:33:01 UTC (rev 22160)
+++ branches/fast/src/lib/krb5/krb/fast.h 2009-04-03 03:39:38 UTC (rev 22161)
@@ -38,7 +38,6 @@
krb5_fast_armor *armor;
krb5_ui_4 fast_state_flags;
krb5_ui_4 fast_options;
- krb5_pa_data *cookie;
krb5_int32 nonce;
};
Modified: branches/fast/src/lib/krb5/krb/preauth2.c
===================================================================
--- branches/fast/src/lib/krb5/krb/preauth2.c 2009-04-03 03:33:01 UTC (rev 22160)
+++ branches/fast/src/lib/krb5/krb/preauth2.c 2009-04-03 03:39:38 UTC (rev 22161)
@@ -646,6 +646,36 @@
}
static
+krb5_error_code pa_fx_cookie(krb5_context context,
+ krb5_kdc_req *request,
+ krb5_pa_data *in_padata,
+ krb5_pa_data **out_padata,
+ krb5_data *salt,
+ krb5_data *s2kparams,
+ krb5_enctype *etype,
+ krb5_keyblock *as_key,
+ krb5_prompter_fct prompter,
+ void *prompter_data,
+ krb5_gic_get_as_key_fct gak_fct,
+ void *gak_data)
+{
+ krb5_pa_data *pa = calloc(1, sizeof(krb5_pa_data));
+ krb5_octet *contents;
+ if (pa == NULL)
+ return ENOMEM;
+ contents = malloc(in_padata->length);
+ if (contents == NULL) {
+ free(pa);
+ return ENOMEM;
+ }
+ *pa = *in_padata;
+ pa->contents = contents;
+ memcpy(contents, in_padata->contents, pa->length);
+ *out_padata = pa;
+ return 0;
+}
+
+static
krb5_error_code pa_enc_timestamp(krb5_context context,
krb5_kdc_req *request,
krb5_pa_data *in_padata,
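Review bot: A zero-length cookie turns `malloc(in_padata->length)` into `malloc(0)`, which may return NULL on some platforms, so pa_fx_cookie would report ENOMEM for a well-formed empty cookie. Only a failed non-empty allocation should be an error, e.g. `contents = malloc(in_padata->length ? in_padata->length : 1);`. The cookie length comes from the KDC reply and is echoed without an upper bound; whether a cap belongs here or in the decoder is not visible from this hunk. A short header comment stating that the handler copies the cookie verbatim and that the caller owns `*out_padata` would help, since the other ten parameters are unused. pa_enc_timestamp's body continues outside the hunk.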
@@ -1710,6 +1740,11 @@
PA_REAL,
},
{
+ KRB5_PADATA_FX_COOKIE,
+ pa_fx_cookie,
+ PA_INFO,
+ },
+ {
-1,
NULL,
0,
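Review bot: The new table entry registers pa_fx_cookie as `PA_INFO` without saying why, although the handler produces output padata rather than only consuming information. A one-line comment such as `/* PA_INFO: echoing the cookie must not count as the real preauth mechanism */` would make the intent explicit, assuming that is the reason. The table starts outside the hunk.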