Integrate FAST into AS and TGS

Integrate calls to lookup FAST padata into the AS and TGS paths.
kdc_util needs to return a pointer to the pa-tgs-req padata for the
fast checksum.

This code does not generate fast responses or errors yet.

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22125 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 8db39ac4f2da1254936a12e3cf0926bc41ac2fa5..ded72e4a8088a72f62c68909ed12728c33e3f41f 100644 (file)
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -117,6 +117,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     int did_log = 0;
     const char *emsg = 0;
     krb5_keylist_node *tmp_mkey_list;
+    struct kdc_request_state *state = NULL;
+    
 
 #if APPLE_PKINIT
     asReqDebug("process_as_req top realm %s name %s\n", 
@@ -133,6 +135,15 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     session_key.contents = 0;
     enc_tkt_reply.authorization_data = NULL;
 
+    errcode = kdc_make_rstate(&state);
+    if (errcode != 0) {
+       status = "constructing state";
+       goto errout;
+    }
+    errcode = kdc_find_fast(&request, req_pkt, NULL /*TGS key*/, state);
+    if (errcode)
+       goto errout;
+
     if (!request->client) {
        status = "NULL_CLIENT";
        errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
@@ -679,6 +690,7 @@ egress:
     }
 
     krb5_free_data_contents(kdc_context, &e_data);
+    kdc_free_rstate(state);
     assert(did_log != 0);
     return errcode;
 }

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 33ba0cd247e88dae0969e67ca96463b1cf5abf4f..cb05f4f25647c4891e36427de69b59a7978550c5 100644 (file)
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -125,6 +125,9 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
     krb5_data *tgs_1 =NULL, *server_1 = NULL;
     krb5_principal krbtgt_princ;
     krb5_kvno ticket_kvno = 0;
+    struct kdc_request_state *state = NULL;
+    krb5_pa_data *pa_tgs_req; /*points into request*/
+    krb5_data scratch;
 
     session_key.contents = NULL;
     
@@ -140,7 +143,7 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
         return retval;
     }
     errcode = kdc_process_tgs_req(request, from, pkt, &header_ticket,
-                                  &krbtgt, &k_nprincs, &subkey);
+                                  &krbtgt, &k_nprincs, &subkey, &pa_tgs_req);
     if (header_ticket && header_ticket->enc_part2 &&
         (errcode2 = krb5_unparse_name(kdc_context, 
                                       header_ticket->enc_part2->client,
@@ -161,7 +164,15 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
         status="UNEXPECTED NULL in header_ticket";
         goto cleanup;
     }
-
+    scratch.length = pa_tgs_req->length;
+    scratch.data = (char *) pa_tgs_req->contents;
+    errcode = kdc_find_fast(&request, &scratch, subkey, state);
+    if (errcode !=0) {
+       status = "kdc_find_fast";
+               goto cleanup;
+    }
+    
+    
     /*
      * Pointer to the encrypted part of the header ticket, which may be
      * replaced to point to the encrypted part of the evidence ticket
@@ -916,6 +927,8 @@ cleanup:
         krb5_free_ticket(kdc_context, header_ticket);
     if (request != NULL)
         krb5_free_kdc_req(kdc_context, request);
+    if (state)
+       kdc_free_rstate(state);
     if (cname != NULL)
         free(cname);
     if (sname != NULL)

diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 4b1e31c787ff2dd202971ffb5c1abb6948e78b21..a6d8eabe49eb98ea09cfd692fed39d5d0ad2cee6 100644 (file)
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -234,7 +234,8 @@ krb5_error_code
 kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from,
                    krb5_data *pkt, krb5_ticket **ticket,
                    krb5_db_entry *krbtgt, int *nprincs,
-                   krb5_keyblock **subkey)
+                   krb5_keyblock **subkey,
+                   krb5_pa_data **pa_tgs_req)
 {
     krb5_pa_data        * tmppa;
     krb5_ap_req        * apreq;
@@ -383,6 +384,8 @@ kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from,
        }
     }
 
+    if (retval == 0)
+      *pa_tgs_req = tmppa;
 cleanup_authenticator:
     krb5_free_authenticator(kdc_context, authenticator);
 

diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index 5d8c8c2e82a5aa8c588dc387560ea1894340be7a..9336c53038d6f4c12da6a28605b5ac1c8ee8951f 100644 (file)
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -66,7 +66,7 @@ krb5_error_code kdc_process_tgs_req
                   krb5_ticket **,
                   krb5_db_entry *krbtgt,
                   int *nprincs,
-                  krb5_keyblock **);
+                  krb5_keyblock **, krb5_pa_data **pa_tgs_req);
 
 krb5_error_code kdc_get_server_key (krb5_ticket *, unsigned int,
                                    krb5_boolean match_enctype,