krb5 commit: Add ASN.1 encoder and decoder for secure cookie
Greg Hudson
ghudson at mit.edu
Wed Aug 26 13:29:46 EDT 2015
https://github.com/krb5/krb5/commit/312b3bc29a0c52a0a82055f566241964532c2128
commit 312b3bc29a0c52a0a82055f566241964532c2128
Author: Nathaniel McCallum <npmccallum at redhat.com>
Date: Fri May 1 22:52:47 2015 -0400
Add ASN.1 encoder and decoder for secure cookie
Add an internal type declaration, ASN.1 encoder and decoder functions,
an internal free function, and ASN.1 tests for krb5_secure_cookie.
The reference DER encoding was constructed by hand.
To save on space, we don't use context tags, and use an integer rather
than a KerberosTime for the timestamp. The timestamp is stored in a
time_t; this requires a bugfix to the 64-bit case in
asn1_encode.c:store_int().
[ghudson at mit.edu: reference encoding; decode test; minor adjustments to
free functions; added comments; alterations for space savings; commit
message]
src/include/k5-int.h | 13 +++++++++++++
src/lib/krb5/asn.1/asn1_encode.c | 2 +-
src/lib/krb5/asn.1/asn1_k_encode.c | 17 +++++++++++++++++
src/lib/krb5/krb/kfree.c | 9 +++++++++
src/lib/krb5/libkrb5.exports | 3 +++
src/tests/asn.1/krb5_decode_test.c | 8 ++++++++
src/tests/asn.1/krb5_encode_test.c | 8 ++++++++
src/tests/asn.1/ktest.c | 13 +++++++++++++
src/tests/asn.1/ktest.h | 2 ++
src/tests/asn.1/ktest_equal.c | 11 +++++++++++
src/tests/asn.1/ktest_equal.h | 3 +++
src/tests/asn.1/reference_encode.out | 1 +
src/tests/asn.1/trval_reference.out | 12 ++++++++++++
13 files changed, 101 insertions(+), 1 deletions(-)
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 8bc8c48..78391a6 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -540,6 +540,12 @@ typedef struct _krb5_kkdcp_message {
krb5_int32 dclocator_hint;
} krb5_kkdcp_message;
+/* Plain text of an encrypted PA-FX-COOKIE value produced by the KDC. */
+typedef struct _krb5_secure_cookie {
+ time_t time;
+ krb5_pa_data **data;
+} krb5_secure_cookie;
+
#include <stdlib.h>
#include <string.h>
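Review bot: The new struct's comment says what the type is but not how `data` is shaped or owned, which the decoder and the new free function both depend on. k5_free_secure_cookie in this commit hands `val->data` to krb5_free_pa_data, so the array is owned by the struct; it is presumably NULL-terminated like the other krb5_pa_data ** lists in this header, but the declaration should say so. Suggest annotating the field: `krb5_pa_data **data;      /* NULL-terminated; owned, freed by k5_free_secure_cookie() */` and `time_t time;              /* encoded as a plain INTEGER, not KerberosTime */`.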
@@ -942,6 +948,7 @@ void k5_free_pa_otp_challenge(krb5_context context,
void k5_free_pa_otp_req(krb5_context context, krb5_pa_otp_req *val);
void k5_free_kkdcp_message(krb5_context context, krb5_kkdcp_message *val);
void k5_free_cammac(krb5_context context, krb5_cammac *val);
+void k5_free_secure_cookie(krb5_context context, krb5_secure_cookie *val);
/* #include "krb5/wordsize.h" -- comes in through base-defs.h. */
#include "com_err.h"
@@ -1501,6 +1508,9 @@ encode_krb5_cammac(const krb5_cammac *, krb5_data **);
krb5_error_code
encode_utf8_strings(krb5_data *const *ut8fstrings, krb5_data **);
+krb5_error_code
+encode_krb5_secure_cookie(const krb5_secure_cookie *, krb5_data **);
+
/*************************************************************************
* End of prototypes for krb5_encode.c
*************************************************************************/
@@ -1680,6 +1690,9 @@ decode_krb5_cammac(const krb5_data *, krb5_cammac **);
krb5_error_code
decode_utf8_strings(const krb5_data *, krb5_data ***);
+krb5_error_code
+decode_krb5_secure_cookie(const krb5_data *, krb5_secure_cookie **);
+
struct _krb5_key_data; /* kdb.h */
struct ldap_seqof_key_data {
diff --git a/src/lib/krb5/asn.1/asn1_encode.c b/src/lib/krb5/asn.1/asn1_encode.c
index acbec37..a7423b6 100644
--- a/src/lib/krb5/asn.1/asn1_encode.c
+++ b/src/lib/krb5/asn.1/asn1_encode.c
@@ -588,7 +588,7 @@ store_int(intmax_t intval, size_t size, void *val)
case 8:
if ((int64_t)intval != intval)
return ASN1_OVERFLOW;
- *(int64_t *)intval = intval;
+ *(int64_t *)val = intval;
return 0;
default:
abort();
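Review bot: The corrected store in `case 8` is only reached on builds where time_t is 64 bits, because the new secure_cookie encoding (DEFINTTYPE(inttime, time_t) in asn1_k_encode.c) is presumably the first caller to hit this branch and selects the width from sizeof(time_t); on a 32-bit time_t build the `case 4` path runs and the fixed line remains untested. A small direct test of a 64-bit integer type would pin the fix independently of the platform. store_int's switch and the rest of its body begin outside the hunk.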
diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
index 9e58389..b2d2675 100644
--- a/src/lib/krb5/asn.1/asn1_k_encode.c
+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
@@ -1797,3 +1797,20 @@ MAKE_DECODER(decode_krb5_cammac, cammac);
MAKE_ENCODER(encode_utf8_strings, seqof_utf8_data);
MAKE_DECODER(decode_utf8_strings, seqof_utf8_data);
+
+/*
+ * SecureCookie ::= SEQUENCE {
+ * time INTEGER,
+ * data SEQUENCE OF PA-DATA,
+ * ...
+ * }
+ */
+DEFINTTYPE(inttime, time_t);
+DEFOFFSETTYPE(secure_cookie_0, krb5_secure_cookie, time, inttime);
+DEFOFFSETTYPE(secure_cookie_1, krb5_secure_cookie, data, ptr_seqof_pa_data);
+static const struct atype_info *secure_cookie_fields[] = {
+ &k5_atype_secure_cookie_0, &k5_atype_secure_cookie_1
+};
+DEFSEQTYPE(secure_cookie, krb5_secure_cookie, secure_cookie_fields);
+MAKE_ENCODER(encode_krb5_secure_cookie, secure_cookie);
+MAKE_DECODER(decode_krb5_secure_cookie, secure_cookie);
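Review bot: The ASN.1 comment marks SecureCookie as extensible (`...`), but nothing in this hunk shows that the generic sequence decoder behind MAKE_DECODER skips trailing elements it does not know; if it rejects them, the marker promises more than decode_krb5_secure_cookie delivers and a later KDC version that appends a field would fail to parse cookies from its own older peers. Either confirm the decoder's trailing-field behaviour or drop the `...` from the comment. Separately, `DEFINTTYPE(inttime, time_t)` ties the accepted integer range to the platform's time_t, so a value that does not fit yields ASN1_OVERFLOW on a narrower build; a one-line comment such as `/* Width follows time_t; out-of-range values decode as ASN1_OVERFLOW. */` on the DEFINTTYPE line would make that explicit.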
diff --git a/src/lib/krb5/krb/kfree.c b/src/lib/krb5/krb/kfree.c
index f3af260..bb75eca 100644
--- a/src/lib/krb5/krb/kfree.c
+++ b/src/lib/krb5/krb/kfree.c
@@ -866,3 +866,12 @@ k5_free_cammac(krb5_context context, krb5_cammac *val)
free(val->other_verifiers);
free(val);
}
+
+void
+k5_free_secure_cookie(krb5_context context, krb5_secure_cookie *val)
+{
+ if (val == NULL)
+ return;
+ krb5_free_pa_data(context, val->data);
+ free(val);
+}
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index 994ca34..7677dac 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -42,6 +42,7 @@ decode_krb5_safe
decode_krb5_sam_challenge_2
decode_krb5_sam_challenge_2_body
decode_krb5_sam_response_2
+decode_krb5_secure_cookie
decode_krb5_setpw_req
decode_krb5_tgs_rep
decode_krb5_tgs_req
@@ -92,6 +93,7 @@ encode_krb5_safe
encode_krb5_sam_challenge_2
encode_krb5_sam_challenge_2_body
encode_krb5_sam_response_2
+encode_krb5_secure_cookie
encode_krb5_sp80056a_other_info
encode_krb5_tgs_rep
encode_krb5_tgs_req
@@ -124,6 +126,7 @@ k5_free_otp_tokeninfo
k5_free_kkdcp_message
k5_free_pa_otp_challenge
k5_free_pa_otp_req
+k5_free_secure_cookie
k5_free_serverlist
k5_hostrealm_free_context
k5_init_trace
diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c
index 1a99b0e..e017739 100644
--- a/src/tests/asn.1/krb5_decode_test.c
+++ b/src/tests/asn.1/krb5_decode_test.c
@@ -1098,6 +1098,14 @@ int main(argc, argv)
ktest_empty_cammac(&ref);
}
+ /****************************************************************/
+ /* decode_krb5_secure_cookie */
+ {
+ setup(krb5_secure_cookie,ktest_make_sample_secure_cookie);
+ decode_run("secure_cookie","","30 2C 02 04 2D F8 02 25 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61",decode_krb5_secure_cookie,ktest_equal_secure_cookie,k5_free_secure_cookie);
+ ktest_empty_secure_cookie(&ref);
+ }
+
#ifndef DISABLE_PKINIT
/****************************************************************/
diff --git a/src/tests/asn.1/krb5_encode_test.c b/src/tests/asn.1/krb5_encode_test.c
index 633d8a9..f5710b6 100644
--- a/src/tests/asn.1/krb5_encode_test.c
+++ b/src/tests/asn.1/krb5_encode_test.c
@@ -751,6 +751,14 @@ main(argc, argv)
encode_run(req, "cammac", "", encode_krb5_cammac);
ktest_empty_cammac(&req);
}
+ /****************************************************************/
+ /* encode_krb5_secure_cookie */
+ {
+ krb5_secure_cookie cookie;
+ ktest_make_sample_secure_cookie(&cookie);
+ encode_run(cookie, "secure_cookie", "", encode_krb5_secure_cookie);
+ ktest_empty_secure_cookie(&cookie);
+ }
#ifndef DISABLE_PKINIT
/****************************************************************/
/* encode_krb5_pa_pk_as_req */
diff --git a/src/tests/asn.1/ktest.c b/src/tests/asn.1/ktest.c
index 340b6bd..43084cb 100644
--- a/src/tests/asn.1/ktest.c
+++ b/src/tests/asn.1/ktest.c
@@ -1009,6 +1009,13 @@ ktest_make_maximal_cammac(krb5_cammac *p)
p->other_verifiers[2] = NULL;
}
+void
+ktest_make_sample_secure_cookie(krb5_secure_cookie *p)
+{
+ ktest_make_sample_pa_data_array(&p->data);
+ p->time = SAMPLE_TIME;
+}
+
/****************************************************************/
/* destructors */
@@ -1841,3 +1848,9 @@ ktest_empty_cammac(krb5_cammac *p)
free(p->other_verifiers);
p->other_verifiers = NULL;
}
+
+void
+ktest_empty_secure_cookie(krb5_secure_cookie *p)
+{
+ ktest_empty_pa_data_array(p->data);
+}
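Review bot: ktest_empty_secure_cookie empties `p->data` but leaves the pointer in place, whereas the neighbouring ktest_empty_cammac visible at the top of this hunk resets `p->other_verifiers = NULL` after freeing it. If ktest_empty_pa_data_array frees the array (it appears to, given the other destructors), `p->data` dangles afterwards and a second empty or an accidental reuse in the test driver becomes a use-after-free. Suggest `p->data = NULL;` after the call so the struct is left in a consistently emptied state.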
diff --git a/src/tests/asn.1/ktest.h b/src/tests/asn.1/ktest.h
index 9c11040..493303c 100644
--- a/src/tests/asn.1/ktest.h
+++ b/src/tests/asn.1/ktest.h
@@ -123,6 +123,7 @@ void ktest_make_sample_ldap_seqof_key_data(ldap_seqof_key_data *p);
void ktest_make_sample_kkdcp_message(krb5_kkdcp_message *p);
void ktest_make_minimal_cammac(krb5_cammac *p);
void ktest_make_maximal_cammac(krb5_cammac *p);
+void ktest_make_sample_secure_cookie(krb5_secure_cookie *p);
/*----------------------------------------------------------------------*/
@@ -207,6 +208,7 @@ void ktest_empty_ldap_seqof_key_data(krb5_context, ldap_seqof_key_data *p);
void ktest_empty_kkdcp_message(krb5_kkdcp_message *p);
void ktest_empty_cammac(krb5_cammac *p);
+void ktest_empty_secure_cookie(krb5_secure_cookie *p);
extern krb5_context test_context;
extern char *sample_principal_name;
diff --git a/src/tests/asn.1/ktest_equal.c b/src/tests/asn.1/ktest_equal.c
index 7ecdbcd..e8bb889 100644
--- a/src/tests/asn.1/ktest_equal.c
+++ b/src/tests/asn.1/ktest_equal.c
@@ -1083,3 +1083,14 @@ ktest_equal_cammac(krb5_cammac *ref, krb5_cammac *var)
p = p && ptr_equal(other_verifiers, vmac_list_eq);
return p;
}
+
+int
+ktest_equal_secure_cookie(krb5_secure_cookie *ref, krb5_secure_cookie *var)
+{
+ int p = TRUE;
+ if (ref == var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p = p && ktest_equal_sequence_of_pa_data(ref->data, var->data);
+ p = p && ref->time == ref->time;
+ return p;
+}
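Review bot: The timestamp comparison in ktest_equal_secure_cookie compares `ref` with itself, `p = p && ref->time == ref->time;`, so it is always true and the new decode test cannot detect a wrongly decoded time field, which is exactly the path the store_int fix in this commit touches. It should read `p = p && ref->time == var->time;`. The surrounding NULL checks also use brace-less one-line if/else bodies, which the rest of this file avoids; wrapping them in braces would match the local style.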
diff --git a/src/tests/asn.1/ktest_equal.h b/src/tests/asn.1/ktest_equal.h
index 6d04246..c7b5d74 100644
--- a/src/tests/asn.1/ktest_equal.h
+++ b/src/tests/asn.1/ktest_equal.h
@@ -149,4 +149,7 @@ int ktest_equal_kkdcp_message(krb5_kkdcp_message *ref,
krb5_kkdcp_message *var);
int ktest_equal_cammac(krb5_cammac *ref, krb5_cammac *var);
+int ktest_equal_secure_cookie(krb5_secure_cookie *ref,
+ krb5_secure_cookie *var);
+
#endif
diff --git a/src/tests/asn.1/reference_encode.out b/src/tests/asn.1/reference_encode.out
index 491fd57..824e079 100644
--- a/src/tests/asn.1/reference_encode.out
+++ b/src/tests/asn.1/reference_encode.out
@@ -71,3 +71,4 @@ encode_krb5_pa_otp_enc_req: 30 0A 80 08 6B 72 62 35 64 61 74 61
encode_krb5_kkdcp_message: 30 82 01 FC A0 82 01 EC 04 82 01 E8 6A 82 01 E4 30 82 01 E0 A1 03 02 01 05 A2 03 02 01 0A A3 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A4 82 01 AA 30 82 01 A6 A0 07 03 05 00 FE DC BA 98 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 0!
5 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A1 0A 1B 08 6B 72 62 35 64 61 74 61
encode_krb5_cammac(optionals NULL): 30 12 A0 10 30 0E 30 0C A0 03 02 01 01 A1 05 04 03 61 64 31
encode_krb5_cammac: 30 81 F2 A0 1E 30 1C 30 0C A0 03 02 01 01 A1 05 04 03 61 64 31 30 0C A0 03 02 01 02 A1 05 04 03 61 64 32 A1 3D 30 3B A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 03 02 01 05 A2 03 02 01 10 A3 13 30 11 A0 03 02 01 01 A1 0A 04 08 63 6B 73 75 6D 6B 64 63 A2 3D 30 3B A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 03 02 01 05 A2 03 02 01 10 A3 13 30 11 A0 03 02 01 01 A1 0A 04 08 63 6B 73 75 6D 73 76 63 A3 52 30 50 30 13 A3 11 30 0F A0 03 02 01 01 A1 08 04 06 63 6B 73 75 6D 31 30 39 A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 03 02 01 05 A2 03 02 01 10 A3 11 30 0F A0 03 02 01 01 A1 08 04 06 63 6B 73 75 6D 32
+encode_krb5_secure_cookie: 30 2C 02 04 2D F8 02 25 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61
diff --git a/src/tests/asn.1/trval_reference.out b/src/tests/asn.1/trval_reference.out
index ec3f17c..c27a042 100644
--- a/src/tests/asn.1/trval_reference.out
+++ b/src/tests/asn.1/trval_reference.out
@@ -1572,3 +1572,15 @@ encode_krb5_cammac:
. . . [3] [Sequence/Sequence Of]
. . . . [0] [Integer] 1
. . . . [1] [Octet String] "cksum2"
+
+encode_krb5_secure_cookie:
+
+[Sequence/Sequence Of]
+. [Integer] 771228197
+. [Sequence/Sequence Of]
+. . [Sequence/Sequence Of]
+. . . [1] [Integer] 13
+. . . [2] [Octet String] "pa-data"
+. . [Sequence/Sequence Of]
+. . . [1] [Integer] 13
+. . . [2] [Octet String] "pa-data"