svn rev #25508: branches/krb5-1-10/src/ include/krb5/ kdc/ plugins/preauth/cksum_body/
tlyu@MIT.EDU
tlyu at MIT.EDU
Mon Dec 5 14:44:05 EST 2011
http://src.mit.edu/fisheye/changelog/krb5/?cs=25508
Commit By: tlyu
Log Message:
ticket: 7017
version_fixed: 1.10
status: resolved
pull up r25473 from trunk
------------------------------------------------------------------------
r25473 | ghudson | 2011-11-14 16:45:33 -0500 (Mon, 14 Nov 2011) | 16 lines
ticket: 7017
subject: Simplify and fix kdcpreauth request_body callback
target_version: 1.10
tags: pullup
Alter the contract for the kdcpreauth request_body callback so that it
returns an alias to the encoded body instead of a fresh copy. At the
beginning of AS request processing, save a copy of the encoded request
body, or the encoded inner request body for FAST requests. Previously
the request_body callback would re-encode the request structure, which
in some cases has been modified by the AS request code.
No kdcpreauth modules currently use the request_body callback, but
PKINIT will need to start using it in order to handle FAST requests
correctly.
Changed Files:
U branches/krb5-1-10/src/include/krb5/preauth_plugin.h
U branches/krb5-1-10/src/kdc/do_as_req.c
U branches/krb5-1-10/src/kdc/do_tgs_req.c
U branches/krb5-1-10/src/kdc/fast_util.c
U branches/krb5-1-10/src/kdc/kdc_preauth.c
U branches/krb5-1-10/src/kdc/kdc_util.h
U branches/krb5-1-10/src/plugins/preauth/cksum_body/cksum_body_main.c
Modified: branches/krb5-1-10/src/include/krb5/preauth_plugin.h
===================================================================
--- branches/krb5-1-10/src/include/krb5/preauth_plugin.h 2011-12-05 19:01:49 UTC (rev 25507)
+++ branches/krb5-1-10/src/include/krb5/preauth_plugin.h 2011-12-05 19:44:05 UTC (rev 25508)
@@ -351,15 +351,12 @@
krb5_keyblock *keys);
/*
- * Get the request structure, re-encoded using DER. Unless the client
- * implementation is the same as the server implementation, there's a good
- * chance that the result will not match what the client sent, so don't
- * create any fatal errors if it doesn't match up. Free the resulting data
- * object with krb5_free_data.
+ * Get the encoded request body, which is sometimes needed for checksums.
+ * For a FAST request this is the encoded inner request body. The returned
+ * pointer is an alias and should not be freed.
*/
- krb5_error_code (*request_body)(krb5_context context,
- krb5_kdcpreauth_rock rock,
- krb5_data **body_out);
+ krb5_data *(*request_body)(krb5_context context,
+ krb5_kdcpreauth_rock rock);
/* Get a pointer to the FAST armor key, or NULL if the request did not use
* FAST. The returned pointer is an alias and should not be freed. */
Modified: branches/krb5-1-10/src/kdc/do_as_req.c
===================================================================
--- branches/krb5-1-10/src/kdc/do_as_req.c 2011-12-05 19:01:49 UTC (rev 25507)
+++ branches/krb5-1-10/src/kdc/do_as_req.c 2011-12-05 19:44:05 UTC (rev 25508)
@@ -120,6 +120,7 @@
krb5_keyblock session_key;
unsigned int c_flags;
krb5_data *req_pkt;
+ krb5_data *inner_body;
struct kdc_request_state *rstate;
char *sname, *cname;
void *pa_context;
@@ -396,6 +397,7 @@
}
krb5_free_pa_data(kdc_context, state->e_data);
+ krb5_free_data(kdc_context, state->inner_body);
kdc_free_rstate(state->rstate);
krb5_free_kdc_req(kdc_context, state->request);
assert(did_log != 0);
@@ -511,13 +513,23 @@
state->status = "Finding req_body";
goto errout;
}
- errcode = kdc_find_fast(&state->request, &encoded_req_body,
- NULL /*TGS key*/, NULL, state->rstate);
+ errcode = kdc_find_fast(&state->request, &encoded_req_body, NULL, NULL,
+ state->rstate, &state->inner_body);
if (errcode) {
state->status = "error decoding FAST";
goto errout;
}
+ if (state->inner_body == NULL) {
+ /* Not a FAST request; copy the encoded request body. */
+ errcode = krb5_copy_data(kdc_context, &encoded_req_body,
+ &state->inner_body);
+ if (errcode) {
+ state->status = "storing req body";
+ goto errout;
+ }
+ }
state->rock.request = state->request;
+ state->rock.inner_body = state->inner_body;
state->rock.rstate = state->rstate;
if (!state->request->client) {
state->status = "NULL_CLIENT";
Modified: branches/krb5-1-10/src/kdc/do_tgs_req.c
===================================================================
--- branches/krb5-1-10/src/kdc/do_tgs_req.c 2011-12-05 19:01:49 UTC (rev 25507)
+++ branches/krb5-1-10/src/kdc/do_tgs_req.c 2011-12-05 19:44:05 UTC (rev 25508)
@@ -176,7 +176,7 @@
scratch.length = pa_tgs_req->length;
scratch.data = (char *) pa_tgs_req->contents;
errcode = kdc_find_fast(&request, &scratch, subkey,
- header_ticket->enc_part2->session, state);
+ header_ticket->enc_part2->session, state, NULL);
if (errcode !=0) {
status = "kdc_find_fast";
goto cleanup;
Modified: branches/krb5-1-10/src/kdc/fast_util.c
===================================================================
--- branches/krb5-1-10/src/kdc/fast_util.c 2011-12-05 19:01:49 UTC (rev 25507)
+++ branches/krb5-1-10/src/kdc/fast_util.c 2011-12-05 19:44:05 UTC (rev 25508)
@@ -126,11 +126,12 @@
krb5_data *checksummed_data,
krb5_keyblock *tgs_subkey,
krb5_keyblock *tgs_session,
- struct kdc_request_state *state)
+ struct kdc_request_state *state,
+ krb5_data **inner_body_out)
{
krb5_error_code retval = 0;
krb5_pa_data *fast_padata, *cookie_padata = NULL;
- krb5_data scratch;
+ krb5_data scratch, *inner_body = NULL;
krb5_fast_req * fast_req = NULL;
krb5_kdc_req *request = *requestptr;
krb5_fast_armored_req *fast_armored_req = NULL;
@@ -138,6 +139,8 @@
krb5_boolean cksum_valid;
krb5_keyblock empty_keyblock;
+ if (inner_body_out != NULL)
+ *inner_body_out = NULL;
scratch.data = NULL;
krb5_clear_error_message(kdc_context);
memset(&empty_keyblock, 0, sizeof(krb5_keyblock));
@@ -192,6 +195,14 @@
&plaintext);
if (retval == 0)
retval = decode_krb5_fast_req(&plaintext, &fast_req);
+ if (retval == 0 && inner_body_out != NULL) {
+ retval = fetch_asn1_field((unsigned char *)plaintext.data,
+ 1, 2, &scratch);
+ if (retval == 0) {
+ retval = krb5_copy_data(kdc_context, &scratch,
+ &inner_body);
+ }
+ }
if (plaintext.data)
free(plaintext.data);
}
@@ -247,6 +258,11 @@
}
}
}
+ if (retval == 0 && inner_body_out != NULL) {
+ *inner_body_out = inner_body;
+ inner_body = NULL;
+ }
+ krb5_free_data(kdc_context, inner_body);
if (fast_req)
krb5_free_fast_req( kdc_context, fast_req);
if (fast_armored_req)
Modified: branches/krb5-1-10/src/kdc/kdc_preauth.c
===================================================================
--- branches/krb5-1-10/src/kdc/kdc_preauth.c 2011-12-05 19:01:49 UTC (rev 25507)
+++ branches/krb5-1-10/src/kdc/kdc_preauth.c 2011-12-05 19:44:05 UTC (rev 25508)
@@ -543,11 +543,10 @@
free(keys);
}
-static krb5_error_code
-request_body(krb5_context context, krb5_kdcpreauth_rock rock,
- krb5_data **body_out)
+static krb5_data *
+request_body(krb5_context context, krb5_kdcpreauth_rock rock)
{
- return encode_krb5_kdc_req_body(rock->request, body_out);
+ return rock->inner_body;
}
static krb5_keyblock *
Modified: branches/krb5-1-10/src/kdc/kdc_util.h
===================================================================
--- branches/krb5-1-10/src/kdc/kdc_util.h 2011-12-05 19:01:49 UTC (rev 25507)
+++ branches/krb5-1-10/src/kdc/kdc_util.h 2011-12-05 19:44:05 UTC (rev 25508)
@@ -352,10 +352,19 @@
KRB5_FAST_REPLY_KEY_REPLACED = 0x02
};
+/*
+ * If *requestptr contains FX_FAST padata, compute the armor key, verify the
+ * checksum over checksummed_data, decode the FAST request, and substitute
+ * *requestptr with the inner request. Set the armor_key, cookie, and
+ * fast_options fields in state. state->cookie will be set for a non-FAST
+ * request if it contains FX_COOKIE padata. If inner_body_out is non-NULL, set
+ * *inner_body_out to a copy of the encoded inner body, or to NULL if the
+ * request is not a FAST request.
+ */
krb5_error_code
kdc_find_fast (krb5_kdc_req **requestptr, krb5_data *checksummed_data,
krb5_keyblock *tgs_subkey, krb5_keyblock *tgs_session,
- struct kdc_request_state *state);
+ struct kdc_request_state *state, krb5_data **inner_body_out);
krb5_error_code
kdc_fast_response_handle_padata (struct kdc_request_state *state,
@@ -387,6 +396,7 @@
/* Information handle for kdcpreauth callbacks. All pointers are aliases. */
struct krb5_kdcpreauth_rock_st {
krb5_kdc_req *request;
+ krb5_data *inner_body;
krb5_db_entry *client;
krb5_key_data *client_key;
struct kdc_request_state *rstate;
Modified: branches/krb5-1-10/src/plugins/preauth/cksum_body/cksum_body_main.c
===================================================================
--- branches/krb5-1-10/src/plugins/preauth/cksum_body/cksum_body_main.c 2011-12-05 19:01:49 UTC (rev 25507)
+++ branches/krb5-1-10/src/plugins/preauth/cksum_body/cksum_body_main.c 2011-12-05 19:44:05 UTC (rev 25508)
@@ -403,17 +403,7 @@
}
cb->free_keys(kcontext, rock, keys);
- /* Rebuild a copy of the client's request-body. If we were serious
- * about doing this with any chance of working interoperability, we'd
- * extract the structure directly from the req_pkt structure. This
- * will probably work if it's us on both ends, though. */
- req_body = NULL;
- if (cb->request_body(kcontext, rock, &req_body) != 0) {
- krb5_free_keyblock(kcontext, key);
- stats->failures++;
- (*respond)(arg, KRB5KDC_ERR_PREAUTH_FAILED, NULL, NULL, NULL);
- return;
- }
+ req_body = cb->request_body(kcontext, rock);
#ifdef DEBUG
fprintf(stderr, "AS key type %d, checksum type %d, %d bytes.\n",
@@ -428,7 +418,6 @@
req_body, &checksum, &valid);
/* Clean up. */
- krb5_free_data(kcontext, req_body);
krb5_free_keyblock(kcontext, key);
/* Evaluate our results. */
More information about the cvs-krb5
mailing list