svn rev #23412: branches/fast-negotiate/src/ kdc/ lib/krb5/
hartmans@MIT.EDU
hartmans at MIT.EDU
Wed Dec 2 11:16:19 EST 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=23412
Commit By: hartmans
Log Message:
Implement KDC side of protected negotiation:
* Move return_enc_padata so reply key is available
* Include checksum of reply if requested
* export encode_krb5_checksum so we can call it from the KDC
Changed Files:
U branches/fast-negotiate/src/kdc/do_as_req.c
U branches/fast-negotiate/src/kdc/do_tgs_req.c
U branches/fast-negotiate/src/kdc/kdc_preauth.c
U branches/fast-negotiate/src/kdc/kdc_util.c
U branches/fast-negotiate/src/kdc/kdc_util.h
U branches/fast-negotiate/src/lib/krb5/libkrb5.exports
Modified: branches/fast-negotiate/src/kdc/do_as_req.c
===================================================================
--- branches/fast-negotiate/src/kdc/do_as_req.c 2009-12-02 16:16:15 UTC (rev 23411)
+++ branches/fast-negotiate/src/kdc/do_as_req.c 2009-12-02 16:16:19 UTC (rev 23412)
@@ -557,12 +557,6 @@
reply.client->realm.data, reply.client->data->data);
#endif /* APPLE_PKINIT */
- errcode = return_enc_padata(kdc_context, req_pkt, request,
- &server, &reply_encpart);
- if (errcode) {
- status = "KDC_RETURN_ENC_PADATA";
- goto errout;
- }
errcode = handle_authdata(kdc_context,
@@ -608,6 +602,14 @@
status = "generating reply key";
goto errout;
}
+ errcode = return_enc_padata(kdc_context, req_pkt, request,
+ as_encrypting_key,
+ &server, &reply_encpart);
+ if (errcode) {
+ status = "KDC_RETURN_ENC_PADATA";
+ goto errout;
+ }
+
errcode = krb5_encode_kdc_rep(kdc_context, KRB5_AS_REP, &reply_encpart,
0, as_encrypting_key, &reply, response);
reply.enc_part.kvno = client_key->key_data_kvno;
Modified: branches/fast-negotiate/src/kdc/do_tgs_req.c
===================================================================
--- branches/fast-negotiate/src/kdc/do_tgs_req.c 2009-12-02 16:16:15 UTC (rev 23411)
+++ branches/fast-negotiate/src/kdc/do_tgs_req.c 2009-12-02 16:16:19 UTC (rev 23412)
@@ -756,14 +756,6 @@
goto cleanup;
}
- if (is_referral && isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE)) {
- errcode = return_enc_padata(kdc_context, pkt, request,
- &server, &reply_encpart);
- if (errcode) {
- status = "KDC_RETURN_ENC_PADATA";
- goto cleanup;
- }
- }
/*
* Only add the realm of the presented tgt to the transited list if
@@ -955,6 +947,31 @@
status = "generating reply key";
goto cleanup;
}
+ if (is_referral && isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE)) {
+ errcode = return_enc_padata(kdc_context, pkt, request,
+ reply_key,
+ &server, &reply_encpart);
+ if (errcode) {
+ status = "KDC_RETURN_ENC_PADATA";
+ goto cleanup;
+ } else {/*Not refferal*/
+ int idx = 0;
+ reply_encpart.enc_padata = calloc(3, sizeof(krb5_pa_data *));
+ if (reply_encpart.enc_padata == NULL) {
+ errcode = ENOMEM;
+ status = "Allocating enc_padata";
+ goto cleanup;
+ }
+ errcode = kdc_handle_protected_negotiation(pkt, request,
+ reply_key, reply_encpart.enc_padata, &idx);
+ if (errcode != 0) {
+ status = "protected negotiation";
+ goto cleanup;
+ }
+ }
+
+ }
+
errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart,
subkey ? 1 : 0,
reply_key,
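Review bot: The `else {/*Not refferal*/` on the `if (errcode)` line attaches to the error check rather than to the `is_referral && ...` condition, so its body runs only after return_enc_padata succeeded for a referral, where it replaces `reply_encpart.enc_padata` with a fresh calloc — leaking the array return_enc_padata just filled and dropping the referral and negotiation entries it held — while a non-referral TGS-REQ never reaches kdc_handle_protected_negotiation and gets no REQ_ENC_PA_REP checksum back. The fix is a brace change: close the error check with a plain `}`, turn the closing brace of the referral `if` into `} else { /* not a referral: only negotiation padata can be added */`, and delete the extra `}` that follows the blank line, keeping the else body as written. `calloc(3, ...)` then leaves exactly the two slots kdc_handle_protected_negotiation may fill plus a NULL terminator, which holds only because `idx` starts at 0. The enclosing function begins and ends outside this hunk.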
Modified: branches/fast-negotiate/src/kdc/kdc_preauth.c
===================================================================
--- branches/fast-negotiate/src/kdc/kdc_preauth.c 2009-12-02 16:16:15 UTC (rev 23411)
+++ branches/fast-negotiate/src/kdc/kdc_preauth.c 2009-12-02 16:16:19 UTC (rev 23412)
@@ -3066,6 +3066,7 @@
krb5_error_code
return_enc_padata(krb5_context context,
krb5_data *req_pkt, krb5_kdc_req *request,
+ krb5_keyblock *reply_key,
krb5_db_entry *server,
krb5_enc_kdc_rep_part *reply_encpart)
{
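Review bot: `reply_key` is only forwarded to kdc_handle_protected_negotiation, whose prototype in kdc_util.h takes `const krb5_keyblock *`, so this parameter can be `const krb5_keyblock *reply_key` as well, here and in the matching declaration hunk at kdc_util.h line 252; that spares callers from handing over a mutable key for a read-only use. The rest of return_enc_padata's body lies outside this hunk.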
@@ -3081,13 +3082,10 @@
if (reply_encpart->enc_padata == NULL) {
return ENOMEM;
}
-
-
tl_data.tl_data_type = KRB5_TL_SVR_REFERRAL_DATA;
-
code = krb5_dbe_lookup_tl_data(context, server, &tl_data);
if (code || tl_data.tl_data_length == 0)
- return 0; /* no server referrals to return */
+ goto negotiate; /* no server referrals to return */
pa_data = (krb5_pa_data *)malloc(sizeof(*pa_data));
if (pa_data == NULL)
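Review bot: `goto negotiate` jumps straight to kdc_handle_protected_negotiation, which (per its header comment in kdc_util.c) appends up to two entries at `idx` and expects a NULL terminator after them; in the referral path (hunk at 3103) that means slots 1–3 of `reply_encpart->enc_padata` get written, and the explicit `enc_padata[1] = NULL` there no longer terminates the list. The allocation of `reply_encpart->enc_padata` sits above this hunk, so confirm it is a calloc of at least four pointers; if it is still sized for one referral entry plus terminator, the negotiation entries overrun the heap block. A comment at the label would record the requirement: `/* enc_padata must be zero-filled with room for the referral entry, two negotiation entries and a NULL terminator */`. The start of return_enc_padata is outside this hunk.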
@@ -3105,8 +3103,9 @@
reply_encpart->enc_padata[idx++] = pa_data;
reply_encpart->enc_padata[1] = NULL;
-
- return 0;
+negotiate:
+ return kdc_handle_protected_negotiation(req_pkt, request, reply_key,
+ reply_encpart->enc_padata, &idx);
}
#if 0
Modified: branches/fast-negotiate/src/kdc/kdc_util.c
===================================================================
--- branches/fast-negotiate/src/kdc/kdc_util.c 2009-12-02 16:16:15 UTC (rev 23411)
+++ branches/fast-negotiate/src/kdc/kdc_util.c 2009-12-02 16:16:19 UTC (rev 23412)
@@ -2651,3 +2651,62 @@
*out_endtime = starttime + life;
}
+
+/**
+ * Handle protected negotiation of FAST using enc_padata
+ * - If ENCPADATA_REQ_ENC_PA_REP is present, then:
+ * - Return ENCPADATA_REQ_ENC_PA_REP with checksum of AS-REQ from client
+ * - Include PADATA_FX_FAST in the enc_padata to indicate FAST
+ * @pre @c out_enc_padata has space for at least two more padata
+ * @param index in/out index into @c out_enc_padata for next item
+ */
+krb5_error_code
+kdc_handle_protected_negotiation( krb5_data *req_pkt, krb5_kdc_req *request,
+ const krb5_keyblock *reply_key, krb5_pa_data **out_enc_padata, int *idx)
+{
+ krb5_error_code retval = 0;
+ krb5_checksum checksum;
+ krb5_data *out = NULL;
+ krb5_pa_data *pa;
+ assert(out_enc_padata != NULL);
+ pa = krb5int_find_pa_data(kdc_context, request->padata, KRB5_ENCPADATA_REQ_ENC_PA_REP);
+ if (pa == NULL)
+ return 0;
+ checksum.contents = NULL;
+ pa = malloc(sizeof(krb5_pa_data));
+ if (pa == NULL)
+ return ENOMEM;
+ pa->magic = KV5M_PA_DATA;
+ pa->pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP;
+ retval = krb5_c_make_checksum(kdc_context,0, reply_key, KRB5_KEYUSAGE_AS_REQ,
+ req_pkt, &checksum);
+ if (retval != 0)
+ goto cleanup;
+ retval = encode_krb5_checksum(&checksum, &out);
+ if (retval != 0)
+ goto cleanup;
+ pa->contents = (krb5_octet *) out->data;
+ pa->length = out->length;
+ out_enc_padata[(*idx)++] = pa;
+ pa = NULL;
+ out->data = NULL;
+ pa = malloc(sizeof(krb5_pa_data));
+ if (pa == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ pa->magic = KV5M_PA_DATA;
+ pa->pa_type = KRB5_PADATA_FX_FAST;
+ pa->length = 0;
+ pa->contents = NULL;
+ out_enc_padata[(*idx)++] = pa;
+ pa = NULL;
+cleanup:
+ if (checksum.contents)
+ krb5_free_checksum_contents(kdc_context, &checksum);
+ if (out != NULL)
+ krb5_free_data(kdc_context, out);
+ if (pa != NULL)
+ free(pa);
+ return retval;
+}
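Review bot: The Doxygen comment documents `@param index` while the parameter is named `idx`, and it leaves out a requirement the code depends on: the two entries are stored at `(*idx)++` without writing a NULL terminator, so `out_enc_padata` must be zero-filled with a free slot after them. Suggested wording: `@param idx in/out index into @c out_enc_padata for the next item` and `@pre @c out_enc_padata is zero-filled with room for two more entries plus the NULL terminator`. The bare `0` passed as cksumtype to krb5_c_make_checksum also deserves a why-comment — presumably it selects the mandatory checksum type for reply_key's enctype, e.g. `/* cksumtype 0: use the mandatory checksum type for reply_key's enctype */`; confirm before committing that wording. Note too that KRB5_KEYUSAGE_AS_REQ is used on both the AS and TGS call paths; if that is intentional per the negotiation draft, a sentence in the header comment saying so would stop the next reader from "fixing" it.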
Modified: branches/fast-negotiate/src/kdc/kdc_util.h
===================================================================
--- branches/fast-negotiate/src/kdc/kdc_util.h 2009-12-02 16:16:15 UTC (rev 23411)
+++ branches/fast-negotiate/src/kdc/kdc_util.h 2009-12-02 16:16:19 UTC (rev 23412)
@@ -252,6 +252,7 @@
krb5_error_code
return_enc_padata(krb5_context context,
krb5_data *req_pkt, krb5_kdc_req *request,
+ krb5_keyblock *reply_key,
krb5_db_entry *server,
krb5_enc_kdc_rep_part *reply_encpart);
@@ -393,10 +394,13 @@
krb5_error_code kdc_preauth_get_cookie(struct kdc_request_state *state,
krb5_pa_data **cookie);
+krb5_error_code
+kdc_handle_protected_negotiation( krb5_data *req_pkt, krb5_kdc_req *request,
+ const krb5_keyblock *reply_key,
+ krb5_pa_data **out_enc_padata, int *idx);
-
#define isflagset(flagfield, flag) (flagfield & (flag))
#define setflag(flagfield, flag) (flagfield |= (flag))
#define clear(flagfield, flag) (flagfield &= ~(flag))
Modified: branches/fast-negotiate/src/lib/krb5/libkrb5.exports
===================================================================
--- branches/fast-negotiate/src/lib/krb5/libkrb5.exports 2009-12-02 16:16:15 UTC (rev 23411)
+++ branches/fast-negotiate/src/lib/krb5/libkrb5.exports 2009-12-02 16:16:19 UTC (rev 23412)
@@ -53,6 +53,7 @@
encode_krb5_as_req
encode_krb5_authdata
encode_krb5_authenticator
+encode_krb5_checksum
encode_krb5_cred
encode_krb5_enc_cred_part
encode_krb5_enc_data