svn rev #22141: branches/fast/src/ include/krb5/ kdc/ lib/krb5/
hartmans@MIT.EDU
hartmans at MIT.EDU
Thu Mar 26 01:37:28 EDT 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=22141
Commit By: hartmans
Log Message:
KDC handling of FAST response
Integrate FAST response handling into AS reply and error paths. Add
support for encrypting and generating PA_FX_FAST_REPLY. Use that
support in the AS.
Changed Files:
U branches/fast/src/include/krb5/krb5.hin
U branches/fast/src/kdc/do_as_req.c
U branches/fast/src/kdc/fast_util.c
U branches/fast/src/lib/krb5/libkrb5.exports
Modified: branches/fast/src/include/krb5/krb5.hin
===================================================================
--- branches/fast/src/include/krb5/krb5.hin 2009-03-26 05:37:25 UTC (rev 22140)
+++ branches/fast/src/include/krb5/krb5.hin 2009-03-26 05:37:28 UTC (rev 22141)
@@ -634,6 +634,7 @@
/* define in draft-ietf-krb-wg-preauth-framework*/
#define KRB5_KEYUSAGE_FAST_REQ_CHKSUM 50
#define KRB5_KEYUSAGE_FAST_ENC 51
+#define KRB5_KEYUSAGE_FAST_REP 52
#define KRB5_KEYUSAGE_FAST_FINISHED 53
#define KRB5_KEYUSAGE_FAST_REP 52
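Review bot: The added `#define KRB5_KEYUSAGE_FAST_REP 52` duplicates the definition that already appears as the context line right after `KRB5_KEYUSAGE_FAST_FINISHED`, so after this hunk the header defines the macro twice. An identical redefinition is legal C and compiles silently, but it leaves two sources of truth for a key-usage number that the KDC and the client must agree on, and a later edit to one copy would turn it into a redefinition warning or a protocol mismatch. Keep the new line, which puts the value in numerical order between 51 and 53, and delete the trailing `#define KRB5_KEYUSAGE_FAST_REP 52` in a follow-up.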
Modified: branches/fast/src/kdc/do_as_req.c
===================================================================
--- branches/fast/src/kdc/do_as_req.c 2009-03-26 05:37:25 UTC (rev 22140)
+++ branches/fast/src/kdc/do_as_req.c 2009-03-26 05:37:28 UTC (rev 22141)
@@ -566,6 +566,7 @@
goto errout;
}
+
errcode = handle_authdata(kdc_context,
c_flags,
&client,
@@ -590,6 +591,11 @@
goto errout;
}
ticket_reply.enc_part.kvno = server_key->key_data_kvno;
+ errcode = kdc_fast_response_handle_padata(state, request, &reply);
+ if (errcode) {
+ status = "fast response handling";
+ goto errout;
+ }
/* now encode/encrypt the response */
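Review bot: The new `kdc_fast_response_handle_padata(state, request, &reply)` call attaches a heap-allocated padata array to `reply.padata` (the fast_util.c change in this commit does `rep->padata = pa_array;`), so the `errout` path and the later "encode/encrypt the response" step now own that memory; whether `errout` releases `reply.padata` when the subsequent encryption fails is outside this hunk and should be confirmed. If it does not, every failure after this point leaks the FAST reply padata, which is one allocation per malformed or replayed AS request and therefore an availability concern for a long-running KDC. A one-line comment above the call, `/* on success reply.padata is owned by reply; errout must free it */`, would document the hand-off. The enclosing function starts and ends outside the hunk.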
Modified: branches/fast/src/kdc/fast_util.c
===================================================================
--- branches/fast/src/kdc/fast_util.c 2009-03-26 05:37:25 UTC (rev 22140)
+++ branches/fast/src/kdc/fast_util.c 2009-03-26 05:37:28 UTC (rev 22141)
@@ -95,6 +95,30 @@
return retval;
}
+static krb5_error_code encrypt_fast_reply
+(struct kdc_request_state *state, const krb5_fast_response *response,
+ krb5_data **fx_fast_reply)
+{
+ krb5_error_code retval = 0;
+ krb5_enc_data encrypted_reply;
+ krb5_data *encoded_response = NULL;
+ assert(state->armor_key);
+ retval = encode_krb5_fast_response(response, &encoded_response);
+ if (retval== 0)
+ retval = krb5_encrypt_helper(kdc_context, state->armor_key,
+ KRB5_KEYUSAGE_FAST_REP,
+ encoded_response, &encrypted_reply);
+ if (encoded_response)
+ krb5_free_data(kdc_context, encoded_response);
+ encoded_response = NULL;
+ if (retval == 0) {
+ retval = encode_krb5_pa_fx_fast_reply(&encrypted_reply,
+ fx_fast_reply);
+ krb5_free_data_contents(kdc_context, &encrypted_reply.ciphertext);
+ }
+ return retval;
+}
+
krb5_error_code kdc_find_fast
(krb5_kdc_req **requestptr, krb5_data *checksummed_data,
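Review bot: In `encrypt_fast_reply`, `krb5_enc_data encrypted_reply;` is never initialized and its `ciphertext` is released only inside the final `retval == 0` block, so if `krb5_encrypt_helper` returns non-zero after allocating ciphertext storage (whether it can is not visible here) that buffer is leaked. Zeroing the struct at declaration, `memset(&encrypted_reply, 0, sizeof(encrypted_reply));`, and moving `krb5_free_data_contents(kdc_context, &encrypted_reply.ciphertext);` after the `if` so it runs on every path makes the cleanup unconditional, provided `krb5_free_data_contents` tolerates an empty `krb5_data` as I believe it does. Separately, `assert(state->armor_key);` aborts the whole KDC if a caller ever reaches this with no armor key; the callers' branching on the armor key is outside this hunk, so consider returning an error code instead of asserting in a daemon. Minor: `if (retval== 0)` should be `if (retval == 0)` to match the rest of the function.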
@@ -241,7 +265,7 @@
krb5_fast_finished finish;
krb5_fast_response fast_response;
krb5_data *encoded_ticket = NULL;
- krb5_data *encoded_fast_response = NULL;
+ krb5_data *encrypted_reply = NULL;
krb5_pa_data *pa = NULL, **pa_array;
krb5_cksumtype cksumtype = CKSUMTYPE_RSA_MD5;
@@ -268,21 +292,21 @@
state->armor_key, KRB5_KEYUSAGE_FAST_FINISHED,
encoded_ticket, &finish.ticket_checksum);
if (retval == 0)
- retval = encode_krb5_fast_response(&fast_response, &encoded_fast_response);
+ retval = encrypt_fast_reply(state, &fast_response, &encrypted_reply);
if (retval == 0) {
pa[0].pa_type = KRB5_PADATA_FX_FAST;
- pa[0].length = encoded_fast_response->length;
- pa[0].contents = (unsigned char *) encoded_fast_response->data;
+ pa[0].length = encrypted_reply->length;
+ pa[0].contents = (unsigned char *) encrypted_reply->data;
pa_array[0] = &pa[0];
rep->padata = pa_array;
pa_array = NULL;
- encoded_fast_response = NULL;
+ encrypted_reply = NULL;
pa = NULL;
}
if (pa)
free(pa);
- if (encoded_fast_response)
- krb5_free_data(kdc_context, encoded_fast_response);
+ if (encrypted_reply)
+ krb5_free_data(kdc_context, encrypted_reply);
if (encoded_ticket)
krb5_free_data(kdc_context, encoded_ticket);
if (finish.ticket_checksum.contents)
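Review bot: Setting `encrypted_reply = NULL;` after `pa[0].contents = (unsigned char *) encrypted_reply->data;` hands the encoded bytes to `rep->padata` but drops the `krb5_data` container returned by `encrypt_fast_reply`, which the cleanup at the bottom then skips because the pointer is already NULL, so every successful FAST reply leaks one `krb5_data` struct. Replace the `encrypted_reply = NULL;` line with `encrypted_reply->data = NULL;` so the existing `krb5_free_data(kdc_context, encrypted_reply)` releases the container while the contents stay owned by `pa[0]`. The same pattern applied to `encoded_fast_response` before this commit, so this is inherited rather than new, but the rename is a good moment to fix it. The enclosing function starts and ends outside the hunk.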
@@ -290,6 +314,7 @@
return retval;
}
+
/*
* We assume the caller is responsible for passing us an in_padata
* sufficient to include in a FAST error. In the FAST case we will
@@ -304,7 +329,7 @@
krb5_error_code retval = 0;
krb5_fast_response resp;
krb5_error fx_error;
- krb5_data *encoded_fx_error = NULL, *encoded_fast_response = NULL;
+ krb5_data *encoded_fx_error = NULL, *encrypted_reply = NULL;
krb5_pa_data pa[2];
krb5_pa_data *outer_pa[3];
krb5_pa_data **inner_pa = NULL;
@@ -338,13 +363,13 @@
resp.finished = NULL;
}
if (retval == 0)
- retval = encode_krb5_fast_response(&resp, &encoded_fast_response);
+ retval = encrypt_fast_reply(state, &resp, &encrypted_reply);
if (inner_pa)
free(inner_pa); /*contained storage from caller and our stack*/
if (retval == 0) {
pa[0].pa_type = KRB5_PADATA_FX_FAST;
- pa[0].length = encoded_fast_response->length;
- pa[0].contents = (unsigned char *) encoded_fast_response->data;
+ pa[0].length = encrypted_reply->length;
+ pa[0].contents = (unsigned char *) encrypted_reply->data;
outer_pa[0] = &pa[0];
}
retval = encode_krb5_padata_sequence(outer_pa, &encoded_e_data);
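Review bot: The result of the new `encrypt_fast_reply(state, &resp, &encrypted_reply)` call is overwritten unconditionally by `retval = encode_krb5_padata_sequence(outer_pa, &encoded_e_data);` at the end of the hunk, so a failed encryption of the FAST error reply is masked and the error is built from whatever `outer_pa[0]` holds at that point (its earlier initialization is outside the hunk). Guard the encode with the same pattern used above it, `if (retval == 0)` on the line before `retval = encode_krb5_padata_sequence(outer_pa, &encoded_e_data);`, so the failure propagates to the caller instead of producing an unprotected or partial error reply. The enclosing function starts and ends outside the hunk.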
@@ -356,8 +381,8 @@
}
if (encoded_e_data)
krb5_free_data(kdc_context, encoded_e_data);
- if (encoded_fast_response)
- krb5_free_data(kdc_context, encoded_fast_response);
+ if (encrypted_reply)
+ krb5_free_data(kdc_context, encrypted_reply);
if (encoded_fx_error)
krb5_free_data(kdc_context, encoded_fx_error);
return retval;
Modified: branches/fast/src/lib/krb5/libkrb5.exports
===================================================================
--- branches/fast/src/lib/krb5/libkrb5.exports 2009-03-26 05:37:25 UTC (rev 22140)
+++ branches/fast/src/lib/krb5/libkrb5.exports 2009-03-26 05:37:28 UTC (rev 22141)
@@ -60,6 +60,7 @@
encode_krb5_etype_info
encode_krb5_etype_info2
encode_krb5_fast_response
+encode_krb5_pa_fx_fast_reply
encode_krb5_kdc_req_body
encode_krb5_pa_enc_ts
encode_krb5_pa_for_user
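Review bot: `encode_krb5_pa_fx_fast_reply` is inserted between `encode_krb5_fast_response` and `encode_krb5_kdc_req_body`, which breaks the alphabetical ordering the surrounding entries follow; it belongs after `encode_krb5_pa_for_user`. Purely a style point, but keeping the export list sorted makes merges of this branch easier to review.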