author | Sam Hartman <hartmans@mit.edu> | 2009-12-02 16:15:59 +0000 |
---|---|---|
committer | Sam Hartman <hartmans@mit.edu> | 2009-12-02 16:15:59 +0000 |
commit | 466d7c02d2f5c795ee00d0291041e8eb18bdd20f (patch) | |
tree | c3a92300ebf7dca2c7384fe875a4528d8d379f00 | |
parent | f1c1dfced0ac09ef5218bef0eff5ce389ff04eec (diff) | |
download | krb5-466d7c02d2f5c795ee00d0291041e8eb18bdd20f.zip krb5-466d7c02d2f5c795ee00d0291041e8eb18bdd20f.tar.gz krb5-466d7c02d2f5c795ee00d0291041e8eb18bdd20f.tar.bz2 |
Implement fast negotiation per discussion with Larry
This implementation is sloppy in that it always includes the padata
requesting reply checksum even though that will interact badly with some of our older KDCs.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23406 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/lib/krb5/krb/fast.c | 42 | ||||
-rw-r--r-- | src/lib/krb5/krb/fast.h | 6 |
2 files changed, 48 insertions, 0 deletions
diff --git a/src/lib/krb5/krb/fast.c b/src/lib/krb5/krb/fast.c
index 884a4ed..71134d6 100644
--- a/src/lib/krb5/krb/fast.c
+++ b/src/lib/krb5/krb/fast.c
@@ -528,3 +528,45 @@ krb5int_find_pa_data(krb5_context context, krb5_pa_data *const *padata,
 return *tmppa;
 }
+
+#define TKT_FLG_ENC_PA_REP 0x10000
+#define KRB5_KEYUSAGE_AS_REQ 56
+#define KRB5_ENCPADATA_REQ_ENC_PA_REP 149
+
+krb5_error_code krb5int_fast_verify_nego
+(krb5_context context, struct krb5int_fast_request_state *state,
+ krb5_kdc_rep *rep, krb5_data *request,
+ krb5_keyblock *decrypting_key)
+{
+ krb5_error_code retval = 0;
+ krb5_checksum *checksum = NULL;
+ krb5_pa_data *pa;
+ krb5_data scratch;
+ krb5_boolean valid;
+ if (rep->enc_part2->flags& TKT_FLG_ENC_PA_REP) {
+ pa = krb5int_find_pa_data(context, rep->enc_part2->enc_padata,
+ KRB5_ENCPADATA_REQ_ENC_PA_REP);
+ if (pa == NULL)
+ retval = KRB5_KDCREP_MODIFIED;
+ else {
+ scratch.data = (char *) pa->contents;
+ scratch.length = pa->length;
+ }
+ if (retval == 0)
+ retval = decode_krb5_checksum(&scratch, &checksum);
+ if (retval == 0)
+ retval =krb5_c_verify_checksum(context, decrypting_key, KRB5_KEYUSAGE_AS_REQ,
+ request, checksum, &valid);
+ if (retval == 0 &&valid == 0)
+ retval = KRB5_KDCREP_MODIFIED;
+ if (retval == 0) {
+ pa = krb5int_find_pa_data(context, rep->enc_part2->enc_padata,
+ KRB5_PADATA_FX_FAST);
+ /*if (pa)
+ printf("FAST enabled on KDC\n");*/
+ }
+ }
+ if (checksum)
+ krb5_free_checksum(context, checksum);
+ return retval;
+}
diff --git a/src/lib/krb5/krb/fast.h b/src/lib/krb5/krb/fast.h
index 443f3e1..3f03ae7 100644
--- a/src/lib/krb5/krb/fast.h
+++ b/src/lib/krb5/krb/fast.h
@@ -79,5 +79,11 @@ krb5_error_code krb5int_fast_reply_key(krb5_context context,
 krb5_keyblock *output_key);
+krb5_error_code krb5int_fast_verify_nego
+(krb5_context context, struct krb5int_fast_request_state *state,
+ krb5_kdc_rep *rep, krb5_data *request,
+ krb5_keyblock *decrypting_key);
+
+
 #endif
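Review bot: The negotiation result is thrown away in the new krb5int_fast_verify_nego in fast.c: the second krb5int_find_pa_data lookup for KRB5_PADATA_FX_FAST assigns `pa` and then does nothing with it (only a commented-out printf follows), and the `state` parameter is never touched, so a caller has no way to learn that the KDC advertised FAST and cannot later treat a reply that lacks FAST as a downgrade; presumably the intent is to record the outcome in `state`, whose fields are not visible here. The checksum decoded from the PA-REQ-ENC-PA-REP padata is verified without checking that its type is keyed, so an unkeyed type would "verify" without binding the reply to the reply key; before calling krb5_c_verify_checksum add `if (retval == 0 && !krb5_c_is_keyed_cksum(checksum->checksum_type)) retval = KRB5KRB_AP_ERR_INAPP_CKSUM;`. The three `#define`s added at the top of the hunk (TKT_FLG_ENC_PA_REP, KRB5_KEYUSAGE_AS_REQ, KRB5_ENCPADATA_REQ_ENC_PA_REP) are protocol constants being hard-coded privately in fast.c and will silently diverge or collide if the same names are later added to the public headers; they belong in krb5.h with a comment citing their source. The fast.h hunk only adds the matching declaration and needs no separate change.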