krb5 commit: Add authentication indicators in AS-REQs
Greg Hudson
ghudson at mit.edu
Wed Jul 22 13:29:38 EDT 2015
https://github.com/krb5/krb5/commit/7601a1c9e103b148d94974bb2ba0c85969055c65
commit 7601a1c9e103b148d94974bb2ba0c85969055c65
Author: Greg Hudson <ghudson at mit.edu>
Date: Sun Jan 18 14:46:11 2015 -0500
Add authentication indicators in AS-REQs
Add an auth_indicators parameter to handle_authdata(). In
finish_process_as_req(), supply the auth indicators asserted by
preauth modules. In handle_authdata(), wrap any supplied auth
indicators in CAMMAC and IF-RELEVANT containers and include them in
the ticket.
ticket: 8157
src/kdc/do_as_req.c | 1 +
src/kdc/do_tgs_req.c | 1 +
src/kdc/kdc_authdata.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++
src/kdc/kdc_util.h | 1 +
4 files changed, 53 insertions(+), 0 deletions(-)
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 121d027..1a76ada 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -282,6 +282,7 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
state->request,
NULL, /* for_user_princ */
NULL, /* enc_tkt_request */
+ state->auth_indicators,
&state->enc_tkt_reply);
if (errcode) {
krb5_klog_syslog(LOG_INFO, _("AS_REQ : handle_authdata (%d)"),
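Review bot: The new `state->auth_indicators` argument is dereferenced by handle_authdata as `*auth_indicators` whenever the pointer itself is non-NULL, so this call relies on the as_req_state field being either NULL or a NULL-terminated list for every request, including ones that went through no preauth module. Nothing in this diff shows where the field is set or zeroed, so confirm the state allocation zero-fills it (or that every preauth path initializes it). A short comment at the call site would also help a reader who does not know the preauth flow: `state->auth_indicators, /* asserted by preauth modules; NULL if none */`. finish_process_as_req begins outside the hunk.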
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index f6d5cd3..fbc7fe7 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -660,6 +660,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
s4u_x509_user ?
s4u_x509_user->user_id.user : NULL,
subject_tkt,
+ NULL,
&enc_tkt_reply);
if (errcode) {
krb5_klog_syslog(LOG_INFO, _("TGS_REQ : handle_authdata (%d)"),
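Review bot: Passing `NULL` here means the TGS path never inserts indicators itself, so indicators that the AS placed in a TGT's CAMMAC reach a service ticket only if the TGS carries over or re-wraps the TGT's authdata somewhere else, which this hunk does not show. If that carry-over exists and this is deliberate for an AS-only commit, say so at the argument so nobody reads it as indicators being dropped at TGS time: `NULL, /* auth_indicators: carried in from the TGT, never asserted at TGS */`. If it does not yet exist, service tickets issued via the TGS will lack the indicators the AS asserted, which defeats their purpose for application servers. process_tgs_req begins outside the hunk.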
diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index e06bbe6..50b4636 100644
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -738,6 +738,46 @@ cleanup:
return ret;
}
+/* Add authentication indicator authdata to enc_tkt_reply, wrapped in a CAMMAC
+ * and an IF-RELEVANT container. */
+static krb5_error_code
+add_auth_indicators(krb5_context context, krb5_data *const *auth_indicators,
+ krb5_keyblock *server_key, krb5_db_entry *krbtgt,
+ krb5_enc_tkt_part *enc_tkt_reply)
+{
+ krb5_error_code ret;
+ krb5_data *der_indicators = NULL;
+ krb5_authdata ad, *list[2], **cammac = NULL;
+
+ /* Format the authentication indicators into an authdata list. */
+ ret = encode_utf8_strings(auth_indicators, &der_indicators);
+ if (ret)
+ goto cleanup;
+ ad.ad_type = KRB5_AUTHDATA_AUTH_INDICATOR;
+ ad.length = der_indicators->length;
+ ad.contents = (uint8_t *)der_indicators->data;
+ list[0] = &ad;
+ list[1] = NULL;
+
+ /* Wrap the list in CAMMAC and IF-RELEVANT containers. */
+ ret = cammac_create(context, enc_tkt_reply, server_key, krbtgt, list,
+ &cammac);
+ if (ret)
+ goto cleanup;
+
+ /* Add the wrapped authdata to the ticket, without copying or filtering. */
+ ret = merge_authdata(context, cammac, &enc_tkt_reply->authorization_data,
+ FALSE, FALSE);
+ if (ret)
+ goto cleanup;
+ cammac = NULL; /* merge_authdata() freed */
+
+cleanup:
+ krb5_free_data(context, der_indicators);
+ krb5_free_authdata(context, cammac);
+ return ret;
+}
+
krb5_error_code
handle_authdata(krb5_context context, unsigned int flags,
krb5_db_entry *client, krb5_db_entry *server,
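Review bot: Ownership of `cammac` on the merge_authdata() failure path is ambiguous: `cammac = NULL; /* merge_authdata() freed */` runs only on success, while a failing merge jumps to cleanup with `cammac` still set and frees it there, which is correct only if merge_authdata() leaves the list untouched when it fails and a double free otherwise; that contract is not visible in this hunk, so confirm it and record it on the call: `/* merge_authdata() takes ownership of cammac only on success. */`. The function comment should also say that `ad` is a stack object whose `contents` aliases `der_indicators`, and that the unconditional `krb5_free_data(context, der_indicators)` at cleanup therefore assumes cammac_create() copies the encoded list rather than keeping a pointer into it. Both are assumptions about helpers outside this hunk; a sentence each in the header comment would save the next reader from re-deriving them.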
@@ -746,6 +786,7 @@ handle_authdata(krb5_context context, unsigned int flags,
krb5_keyblock *header_key, krb5_data *req_pkt,
krb5_kdc_req *req, krb5_const_principal for_user_princ,
krb5_enc_tkt_part *enc_tkt_req,
+ krb5_data *const *auth_indicators,
krb5_enc_tkt_part *enc_tkt_reply)
{
kdcauthdata_handle *h;
@@ -783,6 +824,15 @@ handle_authdata(krb5_context context, unsigned int flags,
return ret;
}
+ /* Add auth indicators if any were given. */
+ if (auth_indicators != NULL && *auth_indicators != NULL &&
+ !isflagset(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED)) {
+ ret = add_auth_indicators(context, auth_indicators, server_key,
+ local_tgt, enc_tkt_reply);
+ if (ret)
+ return ret;
+ }
+
if (!isflagset(enc_tkt_reply->flags, TKT_FLG_ANONYMOUS)) {
/* Fetch authdata from the KDB if appropriate. */
ret = fetch_kdb_authdata(context, flags, client, server, header_server,
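Review bot: The guard on `KRB5_KDB_NO_AUTH_DATA_REQUIRED` couples indicator insertion to a flag whose name suggests it governs KDB-supplied authdata, so an administrator who sets it on a service to skip that data will also silently lose authentication indicators for the service; whether that is intended should be stated in the comment, e.g. `/* Services that opt out of KDC-inserted authdata get no indicators either. */`. Note also that the indicators are added before the `TKT_FLG_ANONYMOUS` check, so anonymous tickets do carry indicators even though the KDB fetch below is skipped for them; fine if deliberate, but a word in the comment would make it clearly so. handle_authdata's body continues outside the hunk.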
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index bc98fbf..ea87e96 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -249,6 +249,7 @@ handle_authdata (krb5_context context,
krb5_kdc_req *request,
krb5_const_principal for_user_princ,
krb5_enc_tkt_part *enc_tkt_request,
+ krb5_data *const *auth_indicators,
krb5_enc_tkt_part *enc_tkt_reply);
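Review bot: The new `auth_indicators` parameter is undocumented at the prototype, and its contract is not obvious from `krb5_data *const *`: handle_authdata treats it as an optional NULL-terminated array of `krb5_data *` indicator strings (NULL and an empty array both mean "none") and embeds them in enc_tkt_reply wrapped in CAMMAC and IF-RELEVANT containers. Suggest a comment above the declaration along the lines of `/* auth_indicators: optional NULL-terminated list of authentication indicators asserted by preauth; added to enc_tkt_reply inside a CAMMAC unless the server has KRB5_KDB_NO_AUTH_DATA_REQUIRED set. */`. The handle_authdata declaration begins outside the hunk.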
/* replay.c */