Add tag to krb5_donot_replay

For each use of replay caches, supply a tag based on a ciphertext or
checksum associated with the use.  Stop creating or checking replay
records for unencrypted KRB-CRED messages.

ticket: 8786

diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 6feeb2fafc75a9b4639b7d4d1c898e5a251c6dff..30e45016baad6c3336278e11f426629db68fccec 100644 (file)
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -1965,6 +1965,7 @@ typedef struct _krb5_donot_replay {
     char *server;                       /* null-terminated */
     char *client;                       /* null-terminated */
     char *msghash;                      /* null-terminated */
+    krb5_data tag;
     krb5_int32 cusec;
     krb5_timestamp ctime;
 } krb5_donot_replay;

diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
index e75192fee0a92acaacda63e77b55dc2434fe3dfe..cb98d967ec29a05f01b56fcdc988088b0957fee4 100644 (file)
--- a/src/lib/krb5/krb/rd_req_dec.c
+++ b/src/lib/krb5/krb/rd_req_dec.c
@@ -595,9 +595,13 @@ rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
         tktauthent.ticket = req->ticket;
         tktauthent.authenticator = (*auth_context)->authentp;
         if (!(retval = krb5_auth_to_rep(context, &tktauthent, &rep))) {
-            retval = krb5_rc_hash_message(context,
-                                          &req->authenticator.ciphertext,
-                                          &rep.msghash);
+            retval = k5_rc_tag_from_ciphertext(context, &req->authenticator,
+                                               &rep.tag);
+            if (!retval) {
+                retval = krb5_rc_hash_message(context,
+                                              &req->authenticator.ciphertext,
+                                              &rep.msghash);
+            }
             if (!retval) {
                 retval = krb5_rc_store(context, (*auth_context)->rcache, &rep);
                 free(rep.msghash);

diff --git a/src/tests/threads/t_rcache.c b/src/tests/threads/t_rcache.c
index 9d9b1acd3358e34eba865261b912abe5df3086eb..6aa773ae363b9409ab3394a083c303d9bd91275b 100644 (file)
--- a/src/tests/threads/t_rcache.c
+++ b/src/tests/threads/t_rcache.c
@@ -64,7 +64,7 @@ static void try_one (struct tinfo *t)
 {
     krb5_donot_replay r;
     krb5_error_code err;
-    char buf[100], buf2[100];
+    char buf[100], buf2[100], tag[8];
     krb5_rcache my_rcache;
 
     snprintf(buf, sizeof(buf), "host/all-in-one.mit.edu/%p@ATHENA.MIT.EDU",
@@ -72,6 +72,7 @@ static void try_one (struct tinfo *t)
     r.server = buf;
     r.client = (t->my_cusec & 7) + "abcdefgh@ATHENA.MIT.EDU";
     r.msghash = NULL;
+    r.tag = empty_data();
     if (t->now != t->my_ctime) {
         if (t->my_ctime != 0) {
             snprintf(buf2, sizeof(buf2), "%3d: %ld %5d\n", t->idx,
@@ -84,6 +85,9 @@ static void try_one (struct tinfo *t)
         t->my_cusec++;
     r.ctime = t->my_ctime;
     r.cusec = t->my_cusec;
+    store_32_be(r.ctime, tag);
+    store_32_be(r.cusec, tag + 4);
+    r.tag = make_data(tag, 8);
     if (!init_once) {
         err = krb5_get_server_rcache(ctx, &piece, &my_rcache);
         if (err) {