svn rev #22142: branches/fast/src/kdc/
hartmans@MIT.EDU
hartmans at MIT.EDU
Thu Mar 26 01:37:31 EDT 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=22142
Commit By: hartmans
Log Message:
KDC TGS FAST support
* Correct TGS armor key handling
* Use appropriate checksum type for FAST responses from KDC
* FAST response handling for TGS replies and errors
Changed Files:
U branches/fast/src/kdc/do_as_req.c
U branches/fast/src/kdc/do_tgs_req.c
U branches/fast/src/kdc/fast_util.c
U branches/fast/src/kdc/kdc_util.h
Modified: branches/fast/src/kdc/do_as_req.c
===================================================================
--- branches/fast/src/kdc/do_as_req.c 2009-03-26 05:37:28 UTC (rev 22141)
+++ branches/fast/src/kdc/do_as_req.c 2009-03-26 05:37:31 UTC (rev 22142)
@@ -146,7 +146,7 @@
errcode = ASN1_BAD_ID;
status = "Finding req_body";
}
- errcode = kdc_find_fast(&request, &encoded_req_body, NULL /*TGS key*/, state);
+ errcode = kdc_find_fast(&request, &encoded_req_body, NULL /*TGS key*/, NULL, state);
if (errcode) {
status = "error decoding FAST";
goto errout;
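Review bot: The second `NULL` on the new call line is unlabelled while the first carries `/*TGS key*/`, so a reader cannot tell which argument this commit added; `NULL /*TGS key*/, NULL /*TGS session key*/, state` keeps the AS path self-describing. This is only a readability point: passing NULL for both TGS keys from the AS path matches the `if (tgs_subkey)` guard in kdc_find_fast shown in the fast_util.c hunk.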
Modified: branches/fast/src/kdc/do_tgs_req.c
===================================================================
--- branches/fast/src/kdc/do_tgs_req.c 2009-03-26 05:37:28 UTC (rev 22141)
+++ branches/fast/src/kdc/do_tgs_req.c 2009-03-26 05:37:31 UTC (rev 22142)
@@ -76,7 +76,7 @@
krb5_boolean *,int *);
static krb5_error_code
-prepare_error_tgs(krb5_kdc_req *,krb5_ticket *,int,
+prepare_error_tgs(struct kdc_request_state *, krb5_kdc_req *,krb5_ticket *,int,
krb5_principal,krb5_data **,const char *);
static krb5_int32
@@ -166,7 +166,7 @@
}
scratch.length = pa_tgs_req->length;
scratch.data = (char *) pa_tgs_req->contents;
- errcode = kdc_find_fast(&request, &scratch, subkey, state);
+ errcode = kdc_find_fast(&request, &scratch, subkey, header_ticket->enc_part2->session, state);
if (errcode !=0) {
status = "kdc_find_fast";
goto cleanup;
@@ -873,7 +873,12 @@
reply.enc_part.enctype = subkey ? subkey->enctype :
header_ticket->enc_part2->session->enctype;
- errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart,
+ errcode = kdc_fast_response_handle_padata(state, request, &reply);
+ if (errcode !=0 ) {
+ status = "Preparing FAST padata";
+ goto cleanup;
+ }
+ errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart,
subkey ? 1 : 0,
subkey ? subkey :
header_ticket->enc_part2->session,
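Review bot: `kdc_fast_response_handle_padata` uses `state->reply_key` as the FAST rep_key (see the fast_util.c hunk), but nothing in this hunk shows the TGS path populating `state->reply_key` with the key chosen just below (`subkey ? subkey : header_ticket->enc_part2->session`); confirm it is set before this call, otherwise a FAST-armored TGS reply would presumably carry a NULL or stale reply key. The error path itself is consistent with the surrounding code: it sets `status` and jumps to `cleanup`. Minor style: `if (errcode !=0 ) {` would read better as `if (errcode != 0) {`. The enclosing function starts and ends outside the hunk.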
@@ -914,7 +919,7 @@
if (errcode < 0 || errcode > 128)
errcode = KRB_ERR_GENERIC;
- retval = prepare_error_tgs(request, header_ticket, errcode,
+ retval = prepare_error_tgs(state, request, header_ticket, errcode,
nprincs ? server.princ : NULL,
response, status);
if (got_err) {
@@ -956,7 +961,8 @@
}
static krb5_error_code
-prepare_error_tgs (krb5_kdc_req *request, krb5_ticket *ticket, int error,
+prepare_error_tgs (struct kdc_request_state *state,
+ krb5_kdc_req *request, krb5_ticket *ticket, int error,
krb5_principal canon_server,
krb5_data **response, const char *status)
{
@@ -979,14 +985,19 @@
errpkt.text.length = strlen(status) + 1;
if (!(errpkt.text.data = strdup(status)))
return ENOMEM;
-
+
if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) {
free(errpkt.text.data);
return ENOMEM;
}
errpkt.e_data.length = 0;
errpkt.e_data.data = NULL;
-
+ retval = kdc_fast_handle_error(kdc_context, state, request, NULL, &errpkt);
+ if (retval) {
+ free(scratch);
+ free(errpkt.text.data);
+ return retval;
+ }
retval = krb5_mk_error(kdc_context, &errpkt, scratch);
free(errpkt.text.data);
if (retval)
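Review bot: `kdc_fast_handle_error` receives `&errpkt` with `e_data` freshly zeroed, and if it fills `errpkt.e_data` with an allocated buffer, neither the new early return nor the visible lines after `krb5_mk_error` release it — only `scratch` and `errpkt.text.data` are freed. Whether that is a leak depends on kdc_fast_handle_error's ownership contract, which this page does not show; a one-line comment such as `/* kdc_fast_handle_error may allocate errpkt.e_data; released below */` (or the matching free on both paths) would settle it. The new early-return block is otherwise consistent with the ENOMEM paths above it. prepare_error_tgs continues past the hunk.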
Modified: branches/fast/src/kdc/fast_util.c
===================================================================
--- branches/fast/src/kdc/fast_util.c 2009-03-26 05:37:28 UTC (rev 22141)
+++ branches/fast/src/kdc/fast_util.c 2009-03-26 05:37:31 UTC (rev 22142)
@@ -123,6 +123,7 @@
krb5_error_code kdc_find_fast
(krb5_kdc_req **requestptr, krb5_data *checksummed_data,
krb5_keyblock *tgs_subkey,
+ krb5_keyblock *tgs_session,
struct kdc_request_state *state)
{
krb5_error_code retval = 0;
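Review bot: The new `tgs_session` parameter has no comment saying when it may be NULL, and the two callers on this page pass different shapes (NULL/NULL from do_as_req.c, subkey plus ticket session key from do_tgs_req.c). A short block comment above the definition — stating that `tgs_subkey` and `tgs_session` are both NULL for AS requests, and that for TGS requests the armor key is derived from both via `krb5_c_fx_cf2_simple` — would save the next reader the cross-file lookup. The function body continues past the hunk.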
@@ -155,7 +156,10 @@
}
if (retval == 0 && !state->armor_key) {
if (tgs_subkey)
- retval =krb5_copy_keyblock(kdc_context, tgs_subkey, &state->armor_key);
+ retval = krb5_c_fx_cf2_simple(kdc_context,
+ tgs_subkey, "subkeyarmor",
+ tgs_session, "ticketarmor",
+ &state->armor_key);
else {
krb5_set_error_message(kdc_context, KRB5KDC_ERR_PREAUTH_FAILED,
"No armor key but FAST armored request present");
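Review bot: The branch guards only `tgs_subkey` before calling `krb5_c_fx_cf2_simple`, so a caller that supplies a subkey but a NULL `tgs_session` would hand a NULL keyblock to the CF2 derivation, which will likely dereference it; the visible callers never do this, but the guard is cheap: `if (tgs_subkey && tgs_session)`. With that change the else branch's existing "No armor key but FAST armored request present" error also covers the missing-session case, which is the right failure (PREAUTH_FAILED) rather than a crash. The enclosing function continues outside the hunk.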
@@ -268,12 +272,15 @@
krb5_data *encrypted_reply = NULL;
krb5_pa_data *pa = NULL, **pa_array;
krb5_cksumtype cksumtype = CKSUMTYPE_RSA_MD5;
+ krb5_pa_data *empty_padata[] = {NULL};
if (!state->armor_key)
return 0;
memset(&finish, 0, sizeof(finish));
fast_response.padata = rep->padata;
- fast_response.rep_key = state->reply_key;
+ if (fast_response.padata == NULL)
+ fast_response.padata = &empty_padata[0];
+ fast_response.rep_key = state->reply_key;
fast_response.nonce = request->nonce;
fast_response.finished = &finish;
finish.client = rep->client;
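Review bot: `empty_padata` is an automatic array whose address escapes into `fast_response.padata`; that is sound only as long as `fast_response` is consumed before the function returns, which the hunk does not show (it only fills the struct in), so a comment would make the intent explicit, e.g. `/* encoder needs a NULL-terminated array, not a NULL pointer; points at a local, consumed below */`. The `fast_response.rep_key` line is removed and re-added with no visible textual change, which looks like whitespace churn. The enclosing function begins and ends outside the hunk.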
@@ -288,6 +295,8 @@
if (retval == 0)
retval = encode_krb5_ticket(rep->ticket, &encoded_ticket);
if (retval == 0)
+ retval = krb5int_c_mandatory_cksumtype(kdc_context, state->armor_key->enctype, &cksumtype);
+ if (retval == 0)
retval = krb5_c_make_checksum(kdc_context, cksumtype,
state->armor_key, KRB5_KEYUSAGE_FAST_FINISHED,
encoded_ticket, &finish.ticket_checksum);
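Review bot: With `krb5int_c_mandatory_cksumtype` now selecting the checksum type from the armor key's enctype, the `CKSUMTYPE_RSA_MD5` initializer at the top of the function (previous hunk) is dead: on lookup failure `retval` is non-zero and `krb5_c_make_checksum` is skipped, so the unkeyed default can never reach the checksum call. Replace it with `krb5_cksumtype cksumtype = 0; /* mandatory keyed type for the armor key, set below */` so a later reader does not take MD5 as a deliberate fallback. `krb5int_c_mandatory_cksumtype` is a library-internal symbol; that is normal inside the KDC tree, but worth a comment if the kdc sources are meant to stay on the public crypto API. The enclosing function continues outside the hunk.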
Modified: branches/fast/src/kdc/kdc_util.h
===================================================================
--- branches/fast/src/kdc/kdc_util.h 2009-03-26 05:37:28 UTC (rev 22141)
+++ branches/fast/src/kdc/kdc_util.h 2009-03-26 05:37:31 UTC (rev 22142)
@@ -319,7 +319,7 @@
krb5_error_code kdc_find_fast
(krb5_kdc_req **requestptr, krb5_data *checksummed_data,
- krb5_keyblock *tgs_subkey,
+ krb5_keyblock *tgs_subkey, krb5_keyblock *tgs_session,
struct kdc_request_state *state);
krb5_error_code kdc_fast_response_handle_padata