svn rev #22129: branches/fast/src/ kdc/ lib/krb5/
hartmans@MIT.EDU
hartmans at MIT.EDU
Thu Mar 26 01:36:53 EDT 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=22129
Commit By: hartmans
Log Message:
Implement KDC side FAST response
Implement generation of fast_response, partial finish and fx_error.
Add reply key to state.
Changed Files:
U branches/fast/src/kdc/fast_util.c
U branches/fast/src/kdc/kdc_util.h
U branches/fast/src/lib/krb5/libkrb5.exports
Modified: branches/fast/src/kdc/fast_util.c
===================================================================
--- branches/fast/src/kdc/fast_util.c 2009-03-26 05:36:50 UTC (rev 22128)
+++ branches/fast/src/kdc/fast_util.c 2009-03-26 05:36:53 UTC (rev 22129)
@@ -116,9 +116,144 @@
return;
if (s->armor_key)
krb5_free_keyblock(kdc_context, s->armor_key);
+ if (s->reply_key)
+ krb5_free_keyblock(kdc_context, s->reply_key);
if (s->cookie) {
free(s->cookie->contents);
free(s->cookie);
}
free(s);
}
+
+krb5_error_code kdc_fast_response_handle_padata
+(struct kdc_request_state *state, krb5_kdc_rep *rep, const krb5_data *pkt)
+{
+ krb5_error_code retval = 0;
+ krb5_fast_finished finish;
+ krb5_fast_response fast_response;
+ krb5_data *encoded_ticket = NULL;
+ krb5_data *encoded_fast_response = NULL;
+ krb5_pa_data *pa = NULL, **pa_array;
+ krb5_cksumtype cksumtype = CKSUMTYPE_RSA_MD5;
+
+ if (!state->armor_key)
+ return 0;
+ memset(&finish, 0, sizeof(finish));
+ fast_response.padata = rep->padata;
+ fast_response.rep_key = state->reply_key;
+ fast_response.finished = &finish;
+ finish.client = rep->client;
+ pa_array = calloc(3, sizeof(*pa_array));
+ if (pa_array == NULL)
+ retval = ENOMEM;
+ pa = calloc(1, sizeof(krb5_pa_data));
+ if (retval == 0 && pa == NULL)
+ retval = ENOMEM;
+ if (retval == 0)
+ retval = krb5_us_timeofday(kdc_context, &finish.timestamp, &finish.usec);
+ if (retval == 0)
+ retval = encode_krb5_ticket(rep->ticket, &encoded_ticket);
+ if (retval == 0)
+ retval = krb5_c_make_checksum(kdc_context, cksumtype,
+ state->armor_key, KRB5_KEYUSAGE_FAST_FINISHED,
+ encoded_ticket, &finish.ticket_checksum);
+/* xxx checksum should be something else; sticking ticket_checksum there is a placeholder*/
+ if (retval == 0)
+ retval = krb5_c_make_checksum(kdc_context, cksumtype,
+ state->armor_key, KRB5_KEYUSAGE_FAST_FINISHED,
+ encoded_ticket, &finish.checksum);
+ if (retval == 0)
+ retval = encode_krb5_fast_response(&fast_response, &encoded_fast_response);
+ if (retval == 0) {
+ pa[0].pa_type = KRB5_PADATA_FX_FAST;
+ pa[0].length = encoded_fast_response->length;
+ pa[0].contents = (unsigned char *) encoded_fast_response->data;
+ pa_array[0] = &pa[0];
+ rep->padata = pa_array;
+ pa_array = NULL;
+ encoded_fast_response = NULL;
+ pa = NULL;
+ }
+ if (pa)
+ free(pa);
+ if (encoded_fast_response)
+ krb5_free_data(kdc_context, encoded_fast_response);
+ if (encoded_ticket)
+ krb5_free_data(kdc_context, encoded_ticket);
+ if (finish.checksum.contents)
+ krb5_free_checksum_contents(kdc_context, &finish.checksum);
+ if (finish.ticket_checksum.contents)
+ krb5_free_checksum_contents(kdc_context, &finish.checksum);
+ return retval;
+}
+
+/*
+ * We assume the caller is responsible for passing us an in_padata
+ * sufficient to include in a FAST error. In the FAST case we will
+ * throw away the e_data in the error (if any); in the non-FAST case
+ * we will not use the in_padata.
+ */
+krb5_error_code kdc_fast_handle_error
+(krb5_context context, struct kdc_request_state *state,
+ krb5_pa_data **in_padata, krb5_error *err)
+{
+ krb5_error_code retval = 0;
+ krb5_fast_response resp;
+ krb5_error fx_error;
+ krb5_data *encoded_fx_error = NULL, *encoded_fast_response = NULL;
+ krb5_pa_data pa[2];
+ krb5_pa_data *outer_pa[3];
+ krb5_pa_data **inner_pa = NULL;
+ size_t size = 0;
+ krb5_data *encoded_e_data = NULL;
+
+ memset(outer_pa, 0, sizeof(outer_pa));
+ if (!state->armor_key)
+ return 0;
+ fx_error = *err;
+ fx_error.e_data.data = NULL;
+ fx_error.e_data.length = 0;
+ for (size = 0; in_padata&&in_padata[size]; size++);
+ size +=3;
+ inner_pa = calloc(size, sizeof(krb5_pa_data *));
+ if (inner_pa == NULL)
+ retval = ENOMEM;
+ if (retval == 0)
+ for (size=0; in_padata&&in_padata[size]; size++)
+ inner_pa[size] = in_padata[size];
+ if (retval == 0)
+ retval = encode_krb5_error(&fx_error, &encoded_fx_error);
+ if (retval == 0) {
+ pa[0].pa_type = KRB5_PADATA_FX_ERROR;
+ pa[0].length = encoded_fx_error->length;
+ pa[0].contents = (unsigned char *) encoded_fx_error->data;
+ inner_pa[size++] = &pa[0];
+ resp.padata = inner_pa;
+ resp.rep_key = NULL;
+ resp.finished = NULL;
+ }
+ if (retval == 0)
+ retval = encode_krb5_fast_response(&resp, &encoded_fast_response);
+ if (inner_pa)
+ free(inner_pa); /*contained storage from caller and our stack*/
+ if (retval == 0) {
+ pa[0].pa_type = KRB5_PADATA_FX_FAST;
+ pa[0].length = encoded_fast_response->length;
+ pa[0].contents = (unsigned char *) encoded_fast_response->data;
+ outer_pa[0] = &pa[0];
+ }
+ retval = encode_krb5_padata_sequence(outer_pa, &encoded_e_data);
+ if (retval == 0) {
+ /*process_as holds onto a pointer to the original e_data and frees it*/
+ err->e_data = *encoded_e_data;
+ free(encoded_e_data); /*contents belong to err*/
+ encoded_e_data = NULL;
+ }
+ if (encoded_e_data)
+ krb5_free_data(kdc_context, encoded_e_data);
+ if (encoded_fast_response)
+ krb5_free_data(kdc_context, encoded_fast_response);
+ if (encoded_fx_error)
+ krb5_free_data(kdc_context, encoded_fx_error);
+ return retval;
+}
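Review bot: The cleanup at the end of kdc_fast_response_handle_padata never releases `finish.ticket_checksum`: the second guard tests `finish.ticket_checksum.contents` but then calls `krb5_free_checksum_contents(kdc_context, &finish.checksum)` again, so the call should be `krb5_free_checksum_contents(kdc_context, &finish.ticket_checksum);` (whether the repeated call on `finish.checksum` is harmless depends on krb5_free_checksum_contents clearing the pointer, which is not visible here). In the same function `pa_array` is freed on no error path: it is only consumed in the success branch, so a failure in krb5_us_timeofday, either checksum call or encode_krb5_fast_response leaks it; add `free(pa_array);` beside the `free(pa)` cleanup (free(NULL) is a no-op, so no guard is needed). In kdc_fast_handle_error, `retval = encode_krb5_padata_sequence(outer_pa, &encoded_e_data);` runs unconditionally and overwrites any earlier ENOMEM or encoding error with the result of encoding an all-NULL outer_pa, so the failure is silently turned into an error reply whose e_data carries no FX_FAST element; guard it with `if (retval == 0)` like the preceding steps. The `pkt` parameter of kdc_fast_response_handle_padata is never read, and the hard-coded `CKSUMTYPE_RSA_MD5` (already flagged as a placeholder in the comment) presumably needs to become the mandatory checksum type of the armor key's enctype before this ships, since an unkeyed checksum type would not bind the finished data to the armor key.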
Modified: branches/fast/src/kdc/kdc_util.h
===================================================================
--- branches/fast/src/kdc/kdc_util.h 2009-03-26 05:36:50 UTC (rev 22128)
+++ branches/fast/src/kdc/kdc_util.h 2009-03-26 05:36:53 UTC (rev 22129)
@@ -302,6 +302,7 @@
struct kdc_request_state {
krb5_keyblock *armor_key;
+ krb5_keyblock *reply_key; /*When replaced by FAST*/
krb5_pa_data *cookie;
krb5_int32 fast_options;
krb5_int32 fast_internal_flags;
@@ -321,6 +322,12 @@
krb5_keyblock *tgs_subkey,
struct kdc_request_state *state);
+krb5_error_code kdc_fast_response_handle_padata
+(struct kdc_request_state *state, krb5_kdc_rep *rep, const krb5_data *pkt);
+krb5_error_code kdc_fast_handle_error
+(krb5_context context, struct kdc_request_state *state,
+ krb5_pa_data **in_padata, krb5_error *err);
+
Modified: branches/fast/src/lib/krb5/libkrb5.exports
===================================================================
--- branches/fast/src/lib/krb5/libkrb5.exports 2009-03-26 05:36:50 UTC (rev 22128)
+++ branches/fast/src/lib/krb5/libkrb5.exports 2009-03-26 05:36:53 UTC (rev 22129)
@@ -57,6 +57,7 @@
encode_krb5_error
encode_krb5_etype_info
encode_krb5_etype_info2
+encode_krb5_fast_response
encode_krb5_kdc_req_body
encode_krb5_pa_enc_ts
encode_krb5_pa_for_user