author | Greg Hudson <ghudson@mit.edu> | 2015-08-17 18:26:36 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2015-08-27 11:55:42 -0400 |
commit | 1b4bd4e388faa5685aa483fdc2bded02c95350bc (patch) | |
tree | 0d83d3a923f8026a1f65a70ab15dcb9262e57d63 /src/plugins | |
parent | 426d0bae0ebc8a4d4c6e44dd8953cde2196b5d82 (diff) | |
Add etype-info2 to MORE_PREAUTH_DATA_REQUIRED
A multi-round-trip preauth mechanism may require key information, but
not for the initial message from the client. To support optimistic
preauth for such mechanisms, make the KDC include etype-info2
information in a MORE_PREAUTH_DATA_REQUIRED error if the client didn't
include a PA-FX-COOKIE in its request.
Add optimistic preauth support to the test preauth module and to
etinfo.c, and add a test case to t_etype_info.py to verify that
etype-info2 is included in the optimistic multi-hop scenario.
ticket: 8234 (new)
Diffstat (limited to 'src/plugins')
-rw-r--r-- | src/plugins/preauth/test/cltest.c | 17 | ||||
-rw-r--r-- | src/plugins/preauth/test/kdctest.c | 11 |
2 files changed, 23 insertions, 5 deletions
diff --git a/src/plugins/preauth/test/cltest.c b/src/plugins/preauth/test/cltest.c
index 5244a7d..4c31e1c 100644
--- a/src/plugins/preauth/test/cltest.c
+++ b/src/plugins/preauth/test/cltest.c
@@ -120,7 +120,22 @@ test_process(krb5_context context, krb5_clpreauth_moddata moddata,
 krb5_data plain;
 const char *indstr;
- if (reqst->second_round_trip) {
+ if (pa_data->length == 0) {
+ /* This is an optimistic preauth test. Send a recognizable padata
+ * value so the KDC knows not to expect a cookie. */
+ list = k5calloc(2, sizeof(*list), &ret);
+ assert(!ret);
+ pa = k5alloc(sizeof(*pa), &ret);
+ assert(!ret);
+ pa->pa_type = TEST_PA_TYPE;
+ pa->contents = (uint8_t *)strdup("optimistic");
+ assert(pa->contents != NULL);
+ pa->length = 10;
+ list[0] = pa;
+ list[1] = NULL;
+ *out_pa_data = list;
+ return 0;
+ } else if (reqst->second_round_trip) {
 printf("2rt: %.*s\n", pa_data->length, pa_data->contents);
 } else if (pa_data->length == 6 &&
 memcmp(pa_data->contents, "no key", 6) == 0) {
diff --git a/src/plugins/preauth/test/kdctest.c b/src/plugins/preauth/test/kdctest.c
index 8c1d01d..82a03b0 100644
--- a/src/plugins/preauth/test/kdctest.c
+++ b/src/plugins/preauth/test/kdctest.c
@@ -120,12 +120,15 @@ test_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
 assert(!ret);
 /* Check the incoming cookie value. */
- if (!cb->get_cookie(context, rock, TEST_PA_TYPE, &cookie_data))
- abort();
- if (data_eq_string(cookie_data, "more"))
+ if (!cb->get_cookie(context, rock, TEST_PA_TYPE, &cookie_data)) {
+ /* Make sure we are seeing optimistic preauth and not a lost cookie. */
+ d = make_data(data->contents, data->length);
+ assert(data_eq_string(d, "optimistic"));
+ } else if (data_eq_string(cookie_data, "more")) {
 second_round_trip = TRUE;
- else
+ } else {
 assert(data_eq_string(cookie_data, "method-data"));
+ }
 if (attr == NULL || second_round_trip) {
 /* Parse and assert the indicators. */ |
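Review bot: In the new optimistic branch of test_process (cltest.c), `pa->length = 10;` hard-codes the length of the "optimistic" literal on the line above, so the two can drift apart if the marker string is ever edited. A shorter string would leave the padata length larger than the buffer strdup() returned, and the KDC-side comparison against the same literal would stop matching. Deriving the value, e.g. `pa->length = strlen((char *)pa->contents);`, keeps the length tied to the allocation. The branch is also tested before `reqst->second_round_trip`, so an empty padata value on a later round trip would take the optimistic path; a one-line comment saying whether that ordering is intended would help. The body of test_process starts and ends outside the hunk.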
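Review bot: The no-cookie path in test_verify (kdctest.c) swaps the unconditional `abort()` for `assert(data_eq_string(d, "optimistic"));`, so the lost-cookie check that the new comment promises exists only in builds with assertions enabled. With NDEBUG defined, a request that carries no cookie and arbitrary padata would fall through and be treated as a first-round request. Keeping the hard failure, `if (!data_eq_string(d, "optimistic")) abort();`, preserves the earlier behaviour for everything except the one recognised marker. The declaration of `d` and the rest of test_verify lie outside the hunk, so the state of `data` at this point is not visible here.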