krb5 commit: Add tag to krb5_donot_replay

Greg Hudson ghudson at mit.edu
Fri May 31 15:45:09 EDT 2019


https://github.com/krb5/krb5/commit/f8bd89e4a87a758d74897e483cdc3049b5564240
commit f8bd89e4a87a758d74897e483cdc3049b5564240
Author: Greg Hudson <ghudson at mit.edu>
Date:   Tue Feb 19 01:30:41 2019 -0500

    Add tag to krb5_donot_replay
    
    For each use of replay caches, supply a tag based on a ciphertext or
    checksum associated with the use.  Stop creating or checking replay
    records for unencrypted KRB-CRED messages.
    
    ticket: 8786

 src/include/k5-int.h          |    1 +
 src/lib/krb5/krb/rd_req_dec.c |   10 +++++++---
 src/tests/threads/t_rcache.c  |    6 +++++-
 3 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 6feeb2f..30e4501 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -1965,6 +1965,7 @@ typedef struct _krb5_donot_replay {
     char *server;                       /* null-terminated */
     char *client;                       /* null-terminated */
     char *msghash;                      /* null-terminated */
+    krb5_data tag;
     krb5_int32 cusec;
     krb5_timestamp ctime;
 } krb5_donot_replay;
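Review bot: The new `tag` member at line 33 is the only field of krb5_donot_replay without a trailing comment, so a reader of the header cannot tell what it holds or who owns its buffer, while the three string fields above it at least state their termination. The commit message says the tag is derived from a ciphertext or checksum associated with the use, and the header should carry that much, e.g. `krb5_data tag;                      /* per-message tag from ciphertext/checksum */`. Whether the record owns the tag's bytes or merely points into the caller's message is not visible in this diff and should be stated once it is confirmed against k5_rc_tag_from_ciphertext. The struct's opening line is outside the hunk.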
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
index e75192fe..cb98d96 100644
--- a/src/lib/krb5/krb/rd_req_dec.c
+++ b/src/lib/krb5/krb/rd_req_dec.c
@@ -595,9 +595,13 @@ rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
         tktauthent.ticket = req->ticket;
         tktauthent.authenticator = (*auth_context)->authentp;
         if (!(retval = krb5_auth_to_rep(context, &tktauthent, &rep))) {
-            retval = krb5_rc_hash_message(context,
-                                          &req->authenticator.ciphertext,
-                                          &rep.msghash);
+            retval = k5_rc_tag_from_ciphertext(context, &req->authenticator,
+                                               &rep.tag);
+            if (!retval) {
+                retval = krb5_rc_hash_message(context,
+                                              &req->authenticator.ciphertext,
+                                              &rep.msghash);
+            }
             if (!retval) {
                 retval = krb5_rc_store(context, (*auth_context)->rcache, &rep);
                 free(rep.msghash);
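Review bot: Ownership of `rep.tag` is unclear at lines 48-57: `rep.msghash` is freed after krb5_rc_store, but nothing releases `rep.tag`, so if k5_rc_tag_from_ciphertext allocates, the buffer leaks on every path, including the one where krb5_rc_hash_message fails before the store. If the helper only points into `req->authenticator.ciphertext`, which is how the name reads, a one-line comment should say so: `/* rep.tag aliases the authenticator ciphertext; nothing to free. */`. Otherwise add `krb5_free_data_contents(context, &rep.tag);` next to `free(rep.msghash)` and on the hash-failure path. The enclosing if blocks and rd_req_decoded_opt continue past the end of the hunk.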
diff --git a/src/tests/threads/t_rcache.c b/src/tests/threads/t_rcache.c
index 9d9b1ac..6aa773a 100644
--- a/src/tests/threads/t_rcache.c
+++ b/src/tests/threads/t_rcache.c
@@ -64,7 +64,7 @@ static void try_one (struct tinfo *t)
 {
     krb5_donot_replay r;
     krb5_error_code err;
-    char buf[100], buf2[100];
+    char buf[100], buf2[100], tag[8];
     krb5_rcache my_rcache;
 
     snprintf(buf, sizeof(buf), "host/all-in-one.mit.edu/%p at ATHENA.MIT.EDU",
@@ -72,6 +72,7 @@ static void try_one (struct tinfo *t)
     r.server = buf;
     r.client = (t->my_cusec & 7) + "abcdefgh at ATHENA.MIT.EDU";
     r.msghash = NULL;
+    r.tag = empty_data();
     if (t->now != t->my_ctime) {
         if (t->my_ctime != 0) {
             snprintf(buf2, sizeof(buf2), "%3d: %ld %5d\n", t->idx,
@@ -84,6 +85,9 @@ static void try_one (struct tinfo *t)
         t->my_cusec++;
     r.ctime = t->my_ctime;
     r.cusec = t->my_cusec;
+    store_32_be(r.ctime, tag);
+    store_32_be(r.cusec, tag + 4);
+    r.tag = make_data(tag, 8);
     if (!init_once) {
         err = krb5_get_server_rcache(ctx, &piece, &my_rcache);
         if (err) {
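Review bot: `make_data(tag, 8)` at line 85 repeats the size from the declaration `char tag[8]` in the earlier hunk; `r.tag = make_data(tag, sizeof(tag));` keeps the two in step if the tag layout ever grows. A short comment would also help, since this tag is built from ctime and cusec rather than from a ciphertext and so only exercises the tag plumbing, e.g. `/* Synthetic tag: ctime||cusec; real callers derive it from ciphertext. */`. The `r.tag = empty_data()` assignment in the previous hunk appears to be unconditionally overwritten here, though the lines between the two hunks are not visible. try_one continues past the end of the hunk.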

