authorSam Hartman <hartmans@mit.edu>2009-03-26 05:37:31 +0000
committerSam Hartman <hartmans@mit.edu>2009-03-26 05:37:31 +0000
commit1cb80969984661865e00c723233d6434480edc75 (patch)
tree56161bb22a1c856ff364c79ef2cb86fed8de2da9
parent5391e1a3331b9b2eee35de7e90ff99b23e2acc89 (diff)
KDC TGS FAST support
* Correct TGS armor key handling
* Use appropriate checksum type for FAST responses from KDC
* FAST response handling for TGS replies and errors

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22142 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/kdc/do_as_req.c2
-rw-r--r--src/kdc/do_tgs_req.c25
-rw-r--r--src/kdc/fast_util.c13
-rw-r--r--src/kdc/kdc_util.h2
4 files changed, 31 insertions, 11 deletions
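--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -146,7 +146,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 errcode = ASN1_BAD_ID;
 status = "Finding req_body";
 }
-errcode = kdc_find_fast(&request, &encoded_req_body, NULL /*TGS key*/, state);
+errcode = kdc_find_fast(&request, &encoded_req_body, NULL /*TGS key*/, NULL, state);
 if (errcode) {
 status = "error decoding FAST";
 goto errout;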
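--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -76,7 +76,7 @@ find_alternate_tgs(krb5_kdc_req *,krb5_db_entry *,
 krb5_boolean *,int *);
 static krb5_error_code
-prepare_error_tgs(krb5_kdc_req *,krb5_ticket *,int,
+prepare_error_tgs(struct kdc_request_state *, krb5_kdc_req *,krb5_ticket *,int,
 krb5_principal,krb5_data **,const char *);
 static krb5_int32
@@ -166,7 +166,7 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
 }
 scratch.length = pa_tgs_req->length;
 scratch.data = (char *) pa_tgs_req->contents;
-errcode = kdc_find_fast(&request, &scratch, subkey, state);
+errcode = kdc_find_fast(&request, &scratch, subkey, header_ticket->enc_part2->session, state);
 if (errcode !=0) {
 status = "kdc_find_fast";
 goto cleanup;
@@ -873,7 +873,12 @@ tgt_again:
 reply.enc_part.enctype = subkey ? subkey->enctype :
 header_ticket->enc_part2->session->enctype;
-errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart,
+errcode = kdc_fast_response_handle_padata(state, request, &reply);
+if (errcode !=0 ) {
+status = "Preparing FAST padata";
+goto cleanup;
+}
+errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart,
 subkey ? 1 : 0,
 subkey ? subkey :
 header_ticket->enc_part2->session,
@@ -914,7 +919,7 @@ cleanup:
 if (errcode < 0 || errcode > 128)
 errcode = KRB_ERR_GENERIC;
-retval = prepare_error_tgs(request, header_ticket, errcode,
+retval = prepare_error_tgs(state, request, header_ticket, errcode,
 nprincs ? server.princ : NULL,
 response, status);
 if (got_err) {
@@ -956,7 +961,8 @@ cleanup:
 }
 static krb5_error_code
-prepare_error_tgs (krb5_kdc_req *request, krb5_ticket *ticket, int error,
+prepare_error_tgs (struct kdc_request_state *state,
+krb5_kdc_req *request, krb5_ticket *ticket, int error,
 krb5_principal canon_server,
 krb5_data **response, const char *status)
 {
@@ -979,14 +985,19 @@ prepare_error_tgs (krb5_kdc_req *request, krb5_ticket *ticket, int error,
 errpkt.text.length = strlen(status) + 1;
 if (!(errpkt.text.data = strdup(status)))
 return ENOMEM;
-
+
 if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) {
 free(errpkt.text.data);
 return ENOMEM;
 }
 errpkt.e_data.length = 0;
 errpkt.e_data.data = NULL;
-
+retval = kdc_fast_handle_error(kdc_context, state, request, NULL, &errpkt);
+if (retval) {
+free(scratch);
+free(errpkt.text.data);
+return retval;
+}
 retval = krb5_mk_error(kdc_context, &errpkt, scratch);
 free(errpkt.text.data);
 if (retval)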
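Review bot: The new kdc_fast_handle_error call in prepare_error_tgs is made immediately after errpkt.e_data is reset to an empty buffer, yet the only cleanup visible in the hunk frees scratch and errpkt.text.data; if the helper fills errpkt.e_data with an allocated FAST-wrapped error body, that buffer needs releasing after krb5_mk_error on both the success and failure paths, e.g. `free(errpkt.e_data.data);` beside the existing `free(errpkt.text.data);`. The remainder of prepare_error_tgs lies outside the hunk, so this may already be handled there and is worth confirming rather than assuming. The fourth argument is passed as a bare `NULL`, whereas the matching do_as_req.c call site in this commit annotates its NULL with `/*TGS key*/`; a similar comment stating what is deliberately omitted on the TGS error path would help the next reader. Minor style: `if (errcode !=0 ) {` in the tgt_again hunk should read `if (errcode != 0) {` to match the surrounding code.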
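--- a/src/kdc/fast_util.c
+++ b/src/kdc/fast_util.c
@@ -123,6 +123,7 @@ static krb5_error_code encrypt_fast_reply
 krb5_error_code kdc_find_fast
 (krb5_kdc_req **requestptr, krb5_data *checksummed_data,
 krb5_keyblock *tgs_subkey,
+krb5_keyblock *tgs_session,
 struct kdc_request_state *state)
 {
 krb5_error_code retval = 0;
@@ -155,7 +156,10 @@ krb5_error_code kdc_find_fast
 }
 if (retval == 0 && !state->armor_key) {
 if (tgs_subkey)
-retval =krb5_copy_keyblock(kdc_context, tgs_subkey, &state->armor_key);
+retval = krb5_c_fx_cf2_simple(kdc_context,
+tgs_subkey, "subkeyarmor",
+tgs_session, "ticketarmor",
+&state->armor_key);
 else {
 krb5_set_error_message(kdc_context, KRB5KDC_ERR_PREAUTH_FAILED,
 "No armor key but FAST armored request present");
@@ -268,12 +272,15 @@ krb5_error_code kdc_fast_response_handle_padata
 krb5_data *encrypted_reply = NULL;
 krb5_pa_data *pa = NULL, **pa_array;
 krb5_cksumtype cksumtype = CKSUMTYPE_RSA_MD5;
+krb5_pa_data *empty_padata[] = {NULL};
 if (!state->armor_key)
 return 0;
 memset(&finish, 0, sizeof(finish));
 fast_response.padata = rep->padata;
-fast_response.rep_key = state->reply_key;
+if (fast_response.padata == NULL)
+fast_response.padata = &empty_padata[0];
+fast_response.rep_key = state->reply_key;
 fast_response.nonce = request->nonce;
 fast_response.finished = &finish;
 finish.client = rep->client;
@@ -288,6 +295,8 @@ krb5_error_code kdc_fast_response_handle_padata
 if (retval == 0)
 retval = encode_krb5_ticket(rep->ticket, &encoded_ticket);
 if (retval == 0)
+retval = krb5int_c_mandatory_cksumtype(kdc_context, state->armor_key->enctype, &cksumtype);
+if (retval == 0)
 retval = krb5_c_make_checksum(kdc_context, cksumtype,
 state->armor_key, KRB5_KEYUSAGE_FAST_FINISHED,
 encoded_ticket, &finish.ticket_checksum);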
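Review bot: In kdc_find_fast the new krb5_c_fx_cf2_simple call is guarded only by `if (tgs_subkey)`, so a caller supplying a subkey together with a NULL tgs_session would hand a NULL key to the combiner; the one TGS caller in this commit passes header_ticket->enc_part2->session, but that pairing is neither enforced nor stated at the definition. Either widen the guard to `if (tgs_subkey && tgs_session)` — noting that the else branch's "No armor key" message would then also cover a missing session key — or record the precondition at the definition, e.g. `/* tgs_session must be non-NULL whenever tgs_subkey is; both are NULL on the AS path */`. The armor key derived here is the key that later protects the FAST finished checksum, so its derivation inputs deserve an explicit, checked contract. kdc_find_fast's body continues outside the hunk.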
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index a544125..90de8d3 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -319,7 +319,7 @@ enum krb5_fast_kdc_flags {
krb5_error_code kdc_find_fast
(krb5_kdc_req **requestptr, krb5_data *checksummed_data,
- krb5_keyblock *tgs_subkey,
+ krb5_keyblock *tgs_subkey, krb5_keyblock *tgs_session,
struct kdc_request_state *state);
krb5_error_code kdc_fast_response_handle_padata