Client-side cookie support
authorSam Hartman <hartmans@mit.edu>
Fri, 3 Apr 2009 03:39:38 +0000 (03:39 +0000)
committerSam Hartman <hartmans@mit.edu>
Fri, 3 Apr 2009 03:39:38 +0000 (03:39 +0000)
Echo the pa-fx-cookie back to the KDC.
No need to store cookie padata in the state structure; removed.
If cookie is not present and FAST is being used, do not retry after error.

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22161 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/krb5/krb/fast.c
src/lib/krb5/krb/fast.h
src/lib/krb5/krb/preauth2.c

index 3b13c184a1156e768f13accf560550d382763108..fff05fb3c459f1a669770d7dd4ae00dcd0745827 100644 (file)
@@ -378,9 +378,11 @@ krb5int_fast_process_error(krb5_context context, struct krb5int_fast_request_sta
            fast_response->padata = NULL;
            /*
             * If there is more than the fx_error padata, then we want
-            * to retry the error
+            * to retry the error if a cookie is present
             */
            *retry = (*out_padata)[1] != NULL;
+           if (krb5int_find_pa_data(context, *out_padata, KRB5_PADATA_FX_COOKIE) == NULL)
+               *retry = 0;
        }
        if (fx_error)
            krb5_free_error(context, fx_error);
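Review bot: The retry decision in krb5int_fast_process_error is now split across an assignment and a later override, and the updated comment says that a cookie is required without saying why. A single expression reads more directly: `*retry = (*out_padata)[1] != NULL && krb5int_find_pa_data(context, *out_padata, KRB5_PADATA_FX_COOKIE) != NULL;`. If the two-step form is kept, the added `if` should at least get braces and the file's indentation. The comment could carry the reason from the commit message, for example `/* Retry only if the KDC sent a pa-fx-cookie we can echo back. */`. The function starts and ends outside this hunk, so how callers act on `*retry` is not visible here.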
@@ -475,11 +477,6 @@ krb5int_fast_free_state( krb5_context context, struct krb5int_fast_request_state
     /*We are responsible for none of the store in the fast_outer_req*/
     krb5_free_keyblock(context, state->armor_key);
     krb5_free_fast_armor(context, state->armor);
-    if (state->cookie) {
-       free(state->cookie->contents);
-       free(state->cookie);
-       state->cookie = NULL;
-    }
     free(state);
 }
 
index e21df6504b7a97121fb4816433797139c1703980..7e58fd060ecceadb008e7d0308d7d1339be38c5d 100644 (file)
@@ -38,7 +38,6 @@ struct krb5int_fast_request_state {
     krb5_fast_armor *armor;
     krb5_ui_4 fast_state_flags;
     krb5_ui_4 fast_options;
-  krb5_pa_data *cookie;
     krb5_int32 nonce;
 };
 
index 4c7dd5e607b95c24dc8e750586ae9e8608135036..73f4e79b613b95c226536bbd39aa17d604b3c477 100644 (file)
@@ -645,6 +645,36 @@ krb5_error_code pa_salt(krb5_context context,
     return(0);
 }
 
+static
+krb5_error_code pa_fx_cookie(krb5_context context,
+                                krb5_kdc_req *request,
+                                krb5_pa_data *in_padata,
+                                krb5_pa_data **out_padata,
+                                krb5_data *salt,
+                                krb5_data *s2kparams,
+                                krb5_enctype *etype,
+                                krb5_keyblock *as_key,
+                                krb5_prompter_fct prompter,
+                                void *prompter_data,
+                                krb5_gic_get_as_key_fct gak_fct,
+                                void *gak_data)
+{
+    krb5_pa_data *pa = calloc(1, sizeof(krb5_pa_data));
+    krb5_octet *contents;
+    if (pa == NULL)
+       return ENOMEM;
+    contents = malloc(in_padata->length);
+    if (contents == NULL) {
+       free(pa);
+       return ENOMEM;
+    }
+    *pa = *in_padata;
+    pa->contents = contents;
+    memcpy(contents, in_padata->contents, pa->length);
+    *out_padata = pa;
+    return 0;
+}
+
 static
 krb5_error_code pa_enc_timestamp(krb5_context context,
                                 krb5_kdc_req *request,
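Review bot: In pa_fx_cookie, a cookie with `length == 0` turns `malloc(in_padata->length)` into `malloc(0)`, which may return NULL on some platforms, so the function would report ENOMEM for a request that did not run out of memory. The length and contents come from padata sent by the KDC, so the empty case should be handled explicitly rather than left to allocator behaviour, for example `contents = malloc(in_padata->length ? in_padata->length : 1);`. The `memcpy` should then be guarded with `if (pa->length > 0)`, since `in_padata->contents` may be NULL for an empty element. A short comment that the cookie is opaque to the client and is echoed back unchanged would also help, because none of the other parameters are used. The trailing context lines belong to pa_enc_timestamp, which continues outside the hunk.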
@@ -1709,6 +1739,11 @@ static const pa_types_t pa_types[] = {
        pa_sam,
        PA_REAL,
     },
+    {
+       KRB5_PADATA_FX_COOKIE,
+       pa_fx_cookie,
+       PA_INFO,
+    },
     {
        -1,
        NULL,
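Review bot: The new `KRB5_PADATA_FX_COOKIE` entry is registered as `PA_INFO` with no comment. The flag name suggests informational padata, yet `pa_fx_cookie` in this same commit sets `*out_padata`. A one-line comment on the entry would record the intent, for example `/* Echoed back to the KDC; handled as PA_INFO so it does not count as a real preauth mechanism. */`, assuming that is the reason. How `PA_INFO` entries are ordered against `PA_REAL` ones is decided outside this hunk, so whether the cookie is always included in the retried request should be confirmed there.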