svn rev #22142: branches/fast/src/kdc/

hartmans@MIT.EDU hartmans at MIT.EDU
Thu Mar 26 01:37:31 EDT 2009


http://src.mit.edu/fisheye/changelog/krb5/?cs=22142
Commit By: hartmans
Log Message:
KDC TGS FAST support

* Correct TGS armor key handling
* Use appropriate checksum type for FAST responses from KDC
* FAST response handling for TGS replies and errors


Changed Files:
U   branches/fast/src/kdc/do_as_req.c
U   branches/fast/src/kdc/do_tgs_req.c
U   branches/fast/src/kdc/fast_util.c
U   branches/fast/src/kdc/kdc_util.h
Modified: branches/fast/src/kdc/do_as_req.c
===================================================================
--- branches/fast/src/kdc/do_as_req.c	2009-03-26 05:37:28 UTC (rev 22141)
+++ branches/fast/src/kdc/do_as_req.c	2009-03-26 05:37:31 UTC (rev 22142)
@@ -146,7 +146,7 @@
     errcode = ASN1_BAD_ID;
     status = "Finding req_body";
 }
-    errcode = kdc_find_fast(&request, &encoded_req_body, NULL /*TGS key*/, state);
+    errcode = kdc_find_fast(&request, &encoded_req_body, NULL /*TGS key*/, NULL, state);
     if (errcode) {
 	status = "error decoding FAST";
 	goto errout;

Modified: branches/fast/src/kdc/do_tgs_req.c
===================================================================
--- branches/fast/src/kdc/do_tgs_req.c	2009-03-26 05:37:28 UTC (rev 22141)
+++ branches/fast/src/kdc/do_tgs_req.c	2009-03-26 05:37:31 UTC (rev 22142)
@@ -76,7 +76,7 @@
                    krb5_boolean *,int *);
 
 static krb5_error_code 
-prepare_error_tgs(krb5_kdc_req *,krb5_ticket *,int,
+prepare_error_tgs(struct kdc_request_state *, krb5_kdc_req *,krb5_ticket *,int,
                   krb5_principal,krb5_data **,const char *);
 
 static krb5_int32
@@ -166,7 +166,7 @@
     }
     scratch.length = pa_tgs_req->length;
     scratch.data = (char *) pa_tgs_req->contents;
-    errcode = kdc_find_fast(&request, &scratch, subkey, state);
+    errcode = kdc_find_fast(&request, &scratch, subkey, header_ticket->enc_part2->session, state);
     if (errcode !=0) {
 	status = "kdc_find_fast";
 		goto cleanup;
@@ -873,7 +873,12 @@
 
     reply.enc_part.enctype = subkey ? subkey->enctype :
     header_ticket->enc_part2->session->enctype;
-    errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart, 
+    errcode  = kdc_fast_response_handle_padata(state, request, &reply);
+    if (errcode !=0 ) {
+	status = "Preparing FAST padata";
+	goto cleanup;
+    }
+            errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart, 
                   subkey ? 1 : 0,
                   subkey ? subkey :
                   header_ticket->enc_part2->session,
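Review bot: The re-indented `errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart,` line now sits at twelve spaces while its argument continuation lines keep their old alignment, so the statement no longer reads as one unit; restore it to the block's four-space indent. The added `if (errcode !=0 ) {` also departs from the surrounding `if (errcode) {` form used for the other error checks. The enclosing function begins and ends outside the hunk, so whether `reply.client` and `reply.ticket`, which kdc_fast_response_handle_padata reads in fast_util.c, are already populated at this point cannot be confirmed from here.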
@@ -914,7 +919,7 @@
         if (errcode < 0 || errcode > 128)
             errcode = KRB_ERR_GENERIC;
             
-        retval = prepare_error_tgs(request, header_ticket, errcode,
+        retval = prepare_error_tgs(state, request, header_ticket, errcode,
         nprincs ? server.princ : NULL,
                    response, status);
         if (got_err) {
@@ -956,7 +961,8 @@
 }
 
 static krb5_error_code
-prepare_error_tgs (krb5_kdc_req *request, krb5_ticket *ticket, int error,
+prepare_error_tgs (struct kdc_request_state *state,
+		   krb5_kdc_req *request, krb5_ticket *ticket, int error,
                    krb5_principal canon_server,
                    krb5_data **response, const char *status)
 {
@@ -979,14 +985,19 @@
     errpkt.text.length = strlen(status) + 1;
     if (!(errpkt.text.data = strdup(status)))
         return ENOMEM;
-
+    
     if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) {
         free(errpkt.text.data);
         return ENOMEM;
     }
     errpkt.e_data.length = 0;
     errpkt.e_data.data = NULL;
-
+    retval = kdc_fast_handle_error(kdc_context, state, request, NULL, &errpkt);
+    if (retval) {
+	free(scratch);
+	free(errpkt.text.data);
+	return retval;
+    }
     retval = krb5_mk_error(kdc_context, &errpkt, scratch);
     free(errpkt.text.data);
     if (retval)
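Review bot: `errpkt.e_data` is zeroed immediately before the new kdc_fast_handle_error call, which suggests that call may populate it, yet nothing visible releases it after krb5_mk_error on the next line; only `errpkt.text.data` is freed. If the part of prepare_error_tgs past the hunk does not free it, add `krb5_free_data_contents(kdc_context, &errpkt.e_data);` after the krb5_mk_error call. The change also turns the blank line before the malloc into four trailing spaces. prepare_error_tgs's body continues beyond the hunk.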

Modified: branches/fast/src/kdc/fast_util.c
===================================================================
--- branches/fast/src/kdc/fast_util.c	2009-03-26 05:37:28 UTC (rev 22141)
+++ branches/fast/src/kdc/fast_util.c	2009-03-26 05:37:31 UTC (rev 22142)
@@ -123,6 +123,7 @@
 krb5_error_code  kdc_find_fast
 (krb5_kdc_req **requestptr,  krb5_data *checksummed_data,
  krb5_keyblock *tgs_subkey,
+ krb5_keyblock *tgs_session,
  struct kdc_request_state *state)
 {
     krb5_error_code retval = 0;
@@ -155,7 +156,10 @@
     }
     if (retval == 0 && !state->armor_key) {
 	if (tgs_subkey)
-	    retval =krb5_copy_keyblock(kdc_context, tgs_subkey, &state->armor_key);
+	  retval = krb5_c_fx_cf2_simple(kdc_context,
+					tgs_subkey, "subkeyarmor",
+					tgs_session, "ticketarmor",
+					&state->armor_key);
 	else {
 	    krb5_set_error_message(kdc_context, KRB5KDC_ERR_PREAUTH_FAILED,
 				   "No armor key but FAST armored request present");
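Review bot: The `if (tgs_subkey)` guard no longer covers everything the branch dereferences, because krb5_c_fx_cf2_simple now also receives tgs_session, which is not checked; the do_as_req.c caller in this commit passes NULL for both while do_tgs_req.c passes the header ticket's session key. The visible callers supply the two together, but nothing enforces it, so either tighten the guard to `if (tgs_subkey && tgs_session)` so the existing "No armor key" error path also covers a missing session key, or document the pairing with a comment such as `/* tgs_subkey and tgs_session are both set for TGS requests and both NULL for AS requests */`. The replaced line is indented with two spaces where its neighbours use a tab. kdc_find_fast continues outside the hunk.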
@@ -268,12 +272,15 @@
     krb5_data *encrypted_reply = NULL;
     krb5_pa_data *pa = NULL, **pa_array;
     krb5_cksumtype cksumtype = CKSUMTYPE_RSA_MD5;
+    krb5_pa_data *empty_padata[] = {NULL};
     
     if (!state->armor_key)
 	return 0;
     memset(&finish, 0, sizeof(finish));
     fast_response.padata = rep->padata;
-    fast_response.rep_key = state->reply_key;
+    if (fast_response.padata == NULL)
+	fast_response.padata = &empty_padata[0];
+        fast_response.rep_key = state->reply_key;
     fast_response.nonce = request->nonce;
     fast_response.finished = &finish;
     finish.client = rep->client;
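Review bot: The `fast_response.rep_key = state->reply_key;` line is indented as though it were part of the preceding unbraced `if (fast_response.padata == NULL)`, but it is a separate statement that runs unconditionally, and the misleading indentation invites a later edit to land in the wrong body. Brace the conditional, `if (fast_response.padata == NULL) { fast_response.padata = &empty_padata[0]; }`, and return the assignment to the block's four-space indent. `empty_padata` is an automatic array, so the pointer stored in fast_response.padata is valid only while this function runs; that appears to hold since the response is encoded further down in the same function, but a short comment saying so would make the lifetime explicit.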
@@ -288,6 +295,8 @@
     if (retval == 0)
 	retval = encode_krb5_ticket(rep->ticket, &encoded_ticket);
     if (retval == 0)
+    retval = krb5int_c_mandatory_cksumtype(kdc_context, state->armor_key->enctype, &cksumtype);
+    if (retval == 0)
 	retval = krb5_c_make_checksum(kdc_context, cksumtype,
 				      state->armor_key, KRB5_KEYUSAGE_FAST_FINISHED,
 				      encoded_ticket, &finish.ticket_checksum);
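Review bot: The new `retval = krb5int_c_mandatory_cksumtype(kdc_context, state->armor_key->enctype, &cksumtype);` line is the body of the `if (retval == 0)` above it but is indented at the same level as that `if`, so it reads as unconditional; indent it one level like the other `if (retval == 0)` bodies in the sequence. With the checksum type now taken from the armor key's enctype, the `krb5_cksumtype cksumtype = CKSUMTYPE_RSA_MD5;` initializer earlier in the function only matters when the lookup fails, in which case retval is set and the checksum is never computed; initialize it to `0` instead so a weak MD5 type can never become the effective default if these calls are later reordered. The enclosing function starts before the hunk.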

Modified: branches/fast/src/kdc/kdc_util.h
===================================================================
--- branches/fast/src/kdc/kdc_util.h	2009-03-26 05:37:28 UTC (rev 22141)
+++ branches/fast/src/kdc/kdc_util.h	2009-03-26 05:37:31 UTC (rev 22142)
@@ -319,7 +319,7 @@
 
 krb5_error_code  kdc_find_fast
 (krb5_kdc_req **requestptr,  krb5_data *checksummed_data,
- krb5_keyblock *tgs_subkey,
+ krb5_keyblock *tgs_subkey, krb5_keyblock *tgs_session,
  struct kdc_request_state *state);
 
 krb5_error_code kdc_fast_response_handle_padata



