From: Nathaniel McCallum
Date: Sat, 2 May 2015 02:52:47 +0000 (-0400)
Subject: Add ASN.1 encoder and decoder for secure cookie
X-Git-Tag: krb5-1.14-alpha1~28
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=312b3bc29a0c52a0a82055f566241964532c2128;p=thirdparty%2Fkrb5.git

Add ASN.1 encoder and decoder for secure cookie

Add an internal type declaration, ASN.1 encoder and decoder functions, an internal free function, and ASN.1 tests for krb5_secure_cookie. The reference DER encoding was constructed by hand. To save on space, we don't use context tags, and use an integer rather than a KerberosTime for the timestamp. The timestamp is stored in a time_t; this requires a bugfix to the 64-bit case in asn1_encode.c:store_int().

[ghudson@mit.edu: reference encoding; decode test; minor adustments to free functions; added comments; alterations for space savings; commit message]
---

diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 8bc8c482d7..78391a63a8 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -540,6 +540,12 @@ typedef struct _krb5_kkdcp_message {
 krb5_int32 dclocator_hint;
 } krb5_kkdcp_message;
+/* Plain text of an encrypted PA-FX-COOKIE value produced by the KDC. */
+typedef struct _krb5_secure_cookie {
+ time_t time;
+ krb5_pa_data **data;
+} krb5_secure_cookie;
+
 #include
 #include
@@ -942,6 +948,7 @@ void k5_free_pa_otp_challenge(krb5_context context,
 void k5_free_pa_otp_req(krb5_context context, krb5_pa_otp_req *val);
 void k5_free_kkdcp_message(krb5_context context, krb5_kkdcp_message *val);
 void k5_free_cammac(krb5_context context, krb5_cammac *val);
+void k5_free_secure_cookie(krb5_context context, krb5_secure_cookie *val);
 /* #include "krb5/wordsize.h" -- comes in through base-defs.h. */
 #include "com_err.h"
@@ -1501,6 +1508,9 @@ encode_krb5_cammac(const krb5_cammac *, krb5_data **);
 krb5_error_code
 encode_utf8_strings(krb5_data *const *ut8fstrings, krb5_data **);
+krb5_error_code
+encode_krb5_secure_cookie(const krb5_secure_cookie *, krb5_data **);
+
 /*************************************************************************
 * End of prototypes for krb5_encode.c
 *************************************************************************/
@@ -1680,6 +1690,9 @@ decode_krb5_cammac(const krb5_data *, krb5_cammac **);
 krb5_error_code
 decode_utf8_strings(const krb5_data *, krb5_data ***);
+krb5_error_code
+decode_krb5_secure_cookie(const krb5_data *, krb5_secure_cookie **);
+
 struct _krb5_key_data; /* kdb.h */
 struct ldap_seqof_key_data {
diff --git a/src/lib/krb5/asn.1/asn1_encode.c b/src/lib/krb5/asn.1/asn1_encode.c
index acbec37ce0..a7423b642a 100644
--- a/src/lib/krb5/asn.1/asn1_encode.c
+++ b/src/lib/krb5/asn.1/asn1_encode.c
@@ -588,7 +588,7 @@ store_int(intmax_t intval, size_t size, void *val)
 case 8:
 if ((int64_t)intval != intval)
 return ASN1_OVERFLOW;
- *(int64_t *)intval = intval;
+ *(int64_t *)val = intval;
 return 0;
 default:
 abort();
diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
index 9e58389441..b2d2675778 100644
--- a/src/lib/krb5/asn.1/asn1_k_encode.c
+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
@@ -1797,3 +1797,20 @@ MAKE_DECODER(decode_krb5_cammac, cammac);
 MAKE_ENCODER(encode_utf8_strings, seqof_utf8_data);
 MAKE_DECODER(decode_utf8_strings, seqof_utf8_data);
+
+/*
+ * SecureCookie ::= SEQUENCE {
+ * time INTEGER,
+ * data SEQUENCE OF PA-DATA,
+ * ...
+ * }
+ */
+DEFINTTYPE(inttime, time_t);
+DEFOFFSETTYPE(secure_cookie_0, krb5_secure_cookie, time, inttime);
+DEFOFFSETTYPE(secure_cookie_1, krb5_secure_cookie, data, ptr_seqof_pa_data);
+static const struct atype_info *secure_cookie_fields[] = {
+ &k5_atype_secure_cookie_0, &k5_atype_secure_cookie_1
+};
+DEFSEQTYPE(secure_cookie, krb5_secure_cookie, secure_cookie_fields);
+MAKE_ENCODER(encode_krb5_secure_cookie, secure_cookie);
+MAKE_DECODER(decode_krb5_secure_cookie, secure_cookie);
diff --git a/src/lib/krb5/krb/kfree.c b/src/lib/krb5/krb/kfree.c
index f3af260052..bb75ecaf7b 100644
--- a/src/lib/krb5/krb/kfree.c
+++ b/src/lib/krb5/krb/kfree.c
@@ -866,3 +866,12 @@ k5_free_cammac(krb5_context context, krb5_cammac *val)
 free(val->other_verifiers);
 free(val);
 }
+
+void
+k5_free_secure_cookie(krb5_context context, krb5_secure_cookie *val)
+{
+ if (val == NULL)
+ return;
+ krb5_free_pa_data(context, val->data);
+ free(val);
+}
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index 994ca34164..7677dacc9f 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -42,6 +42,7 @@ decode_krb5_safe
 decode_krb5_sam_challenge_2
 decode_krb5_sam_challenge_2_body
 decode_krb5_sam_response_2
+decode_krb5_secure_cookie
 decode_krb5_setpw_req
 decode_krb5_tgs_rep
 decode_krb5_tgs_req
@@ -92,6 +93,7 @@ encode_krb5_safe
 encode_krb5_sam_challenge_2
 encode_krb5_sam_challenge_2_body
 encode_krb5_sam_response_2
+encode_krb5_secure_cookie
 encode_krb5_sp80056a_other_info
 encode_krb5_tgs_rep
 encode_krb5_tgs_req
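Review bot: The ASN.1 comment above DEFINTTYPE(inttime, time_t) in asn1_k_encode.c records the shape of SecureCookie but not why it departs from the rest of the Kerberos encodings; the commit message explains that context tags were dropped and an INTEGER used instead of KerberosTime to keep the encrypted cookie small, and that rationale belongs next to the definition so a later cleanup does not "fix" it to KerberosTime and break cookies already issued. A comment such as `/* Deliberately no context tags, and an INTEGER (time_t) rather than a KerberosTime, to keep the encrypted cookie small. */` after the ASN.1 block would do. Whether the `...` extension marker in the comment is actually honoured by the sequence decoder (unknown trailing fields skipped rather than rejected) is not visible here and is worth stating in the same comment once confirmed.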
@@ -124,6 +126,7 @@ k5_free_otp_tokeninfo
 k5_free_kkdcp_message
 k5_free_pa_otp_challenge
 k5_free_pa_otp_req
+k5_free_secure_cookie
 k5_free_serverlist
 k5_hostrealm_free_context
 k5_init_trace
diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c
index 1a99b0e4e2..e017739934 100644
--- a/src/tests/asn.1/krb5_decode_test.c
+++ b/src/tests/asn.1/krb5_decode_test.c
@@ -1098,6 +1098,14 @@ int main(argc, argv)
 ktest_empty_cammac(&ref);
 }
+ /****************************************************************/
+ /* decode_krb5_secure_cookie */
+ {
+ setup(krb5_secure_cookie,ktest_make_sample_secure_cookie);
+ decode_run("secure_cookie","","30 2C 02 04 2D F8 02 25 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61",decode_krb5_secure_cookie,ktest_equal_secure_cookie,k5_free_secure_cookie);
+ ktest_empty_secure_cookie(&ref);
+ }
+
 #ifndef DISABLE_PKINIT
 /****************************************************************/
diff --git a/src/tests/asn.1/krb5_encode_test.c b/src/tests/asn.1/krb5_encode_test.c
index 633d8a9367..f5710b68c4 100644
--- a/src/tests/asn.1/krb5_encode_test.c
+++ b/src/tests/asn.1/krb5_encode_test.c
@@ -751,6 +751,14 @@ main(argc, argv)
 encode_run(req, "cammac", "", encode_krb5_cammac);
 ktest_empty_cammac(&req);
 }
+ /****************************************************************/
+ /* encode_krb5_secure_cookie */
+ {
+ krb5_secure_cookie cookie;
+ ktest_make_sample_secure_cookie(&cookie);
+ encode_run(cookie, "secure_cookie", "", encode_krb5_secure_cookie);
+ ktest_empty_secure_cookie(&cookie);
+ }
 #ifndef DISABLE_PKINIT
 /****************************************************************/
 /* encode_krb5_pa_pk_as_req */
diff --git a/src/tests/asn.1/ktest.c b/src/tests/asn.1/ktest.c
index 340b6bd086..43084cbbd4 100644
--- a/src/tests/asn.1/ktest.c
+++ b/src/tests/asn.1/ktest.c
@@ -1009,6 +1009,13 @@ ktest_make_maximal_cammac(krb5_cammac *p)
 p->other_verifiers[2] = NULL;
 }
+void
+ktest_make_sample_secure_cookie(krb5_secure_cookie *p)
+{
+ ktest_make_sample_pa_data_array(&p->data);
+ p->time = SAMPLE_TIME;
+}
+
 /****************************************************************/
 /* destructors */
@@ -1841,3 +1848,9 @@ ktest_empty_cammac(krb5_cammac *p)
 free(p->other_verifiers);
 p->other_verifiers = NULL;
 }
+
+void
+ktest_empty_secure_cookie(krb5_secure_cookie *p)
+{
+ ktest_empty_pa_data_array(p->data);
+}
diff --git a/src/tests/asn.1/ktest.h b/src/tests/asn.1/ktest.h
index 9c11040baf..493303cc8e 100644
--- a/src/tests/asn.1/ktest.h
+++ b/src/tests/asn.1/ktest.h
@@ -123,6 +123,7 @@ void ktest_make_sample_ldap_seqof_key_data(ldap_seqof_key_data *p);
 void ktest_make_sample_kkdcp_message(krb5_kkdcp_message *p);
 void ktest_make_minimal_cammac(krb5_cammac *p);
 void ktest_make_maximal_cammac(krb5_cammac *p);
+void ktest_make_sample_secure_cookie(krb5_secure_cookie *p);
 /*----------------------------------------------------------------------*/
@@ -207,6 +208,7 @@ void ktest_empty_ldap_seqof_key_data(krb5_context,
 ldap_seqof_key_data *p);
 void ktest_empty_kkdcp_message(krb5_kkdcp_message *p);
 void ktest_empty_cammac(krb5_cammac *p);
+void ktest_empty_secure_cookie(krb5_secure_cookie *p);
 extern krb5_context test_context;
 extern char *sample_principal_name;
diff --git a/src/tests/asn.1/ktest_equal.c b/src/tests/asn.1/ktest_equal.c
index 7ecdbcd603..e8bb889449 100644
--- a/src/tests/asn.1/ktest_equal.c
+++ b/src/tests/asn.1/ktest_equal.c
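Review bot: ktest_empty_secure_cookie in the second ktest.c hunk frees through p->data but leaves the pointer in place, whereas the neighbouring ktest_empty_cammac context lines free p->other_verifiers and then null it. For consistency with that destructor, and so a struct that is emptied and later inspected or emptied again does not carry a dangling pointer, add `p->data = NULL;` after the ktest_empty_pa_data_array call. Whether ktest_empty_pa_data_array releases the array itself (as its name suggests) is not visible in this hunk, so confirm before relying on the null for a double-empty case.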
@@ -1083,3 +1083,14 @@ ktest_equal_cammac(krb5_cammac *ref, krb5_cammac *var)
 p = p && ptr_equal(other_verifiers, vmac_list_eq);
 return p;
 }
+
+int
+ktest_equal_secure_cookie(krb5_secure_cookie *ref, krb5_secure_cookie *var)
+{
+ int p = TRUE;
+ if (ref == var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p = p && ktest_equal_sequence_of_pa_data(ref->data, var->data);
+ p = p && ref->time == ref->time;
+ return p;
+}
diff --git a/src/tests/asn.1/ktest_equal.h b/src/tests/asn.1/ktest_equal.h
index 6d04246639..c7b5d74672 100644
--- a/src/tests/asn.1/ktest_equal.h
+++ b/src/tests/asn.1/ktest_equal.h
@@ -149,4 +149,7 @@ int ktest_equal_kkdcp_message(krb5_kkdcp_message *ref,
 krb5_kkdcp_message *var);
 int ktest_equal_cammac(krb5_cammac *ref, krb5_cammac *var);
+int ktest_equal_secure_cookie(krb5_secure_cookie *ref,
+ krb5_secure_cookie *var);
+
 #endif
diff --git a/src/tests/asn.1/reference_encode.out b/src/tests/asn.1/reference_encode.out
index 491fd576d0..824e0798be 100644
--- a/src/tests/asn.1/reference_encode.out
+++ b/src/tests/asn.1/reference_encode.out
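Review bot: The timestamp check in ktest_equal_secure_cookie, `p = p && ref->time == ref->time;`, compares ref with itself and is therefore always true, so the decode test accepts a decoded cookie with any time value and cannot catch a broken integer decode. It should read `p = p && ref->time == var->time;`. This matters more than usual here because the commit also touches the 64-bit path of store_int() and this comparison is the only thing in the test suite that would notice a wrong value landing in a time_t.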
@@ -71,3 +71,4 @@ encode_krb5_pa_otp_enc_req: 30 0A 80 08 6B 72 62 35 64 61 74 61 encode_krb5_kkdcp_message: 30 82 01 FC A0 82 01 EC 04 82 01 E8 6A 82 01 E4 30 82 01 E0 A1 03 02 01 05 A2 03 02 01 0A A3 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A4 82 01 AA 30 82 01 A6 A0 07 03 05 00 FE DC BA 98 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A1 0A 1B 08 6B 72 62 35 64 61 74 61 encode_krb5_cammac(optionals NULL): 30 12 A0 10 30 0E 30 0C A0 03 02 01 01 A1 05 04 03 61 64 31 encode_krb5_cammac: 30 81 F2 A0 1E 30 1C 30 0C A0 03 02 01 01 A1 05 04 03 61 64 31 30 0C A0 03 02 01 02 A1 05 04 03 61 64 32 A1 3D 30 3B A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 03 02 01 05 A2 03 02 01 10 A3 13 
30 11 A0 03 02 01 01 A1 0A 04 08 63 6B 73 75 6D 6B 64 63 A2 3D 30 3B A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 03 02 01 05 A2 03 02 01 10 A3 13 30 11 A0 03 02 01 01 A1 0A 04 08 63 6B 73 75 6D 73 76 63 A3 52 30 50 30 13 A3 11 30 0F A0 03 02 01 01 A1 08 04 06 63 6B 73 75 6D 31 30 39 A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 03 02 01 05 A2 03 02 01 10 A3 11 30 0F A0 03 02 01 01 A1 08 04 06 63 6B 73 75 6D 32
+encode_krb5_secure_cookie: 30 2C 02 04 2D F8 02 25 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61
diff --git a/src/tests/asn.1/trval_reference.out b/src/tests/asn.1/trval_reference.out
index ec3f17cead..c27a0425bf 100644
--- a/src/tests/asn.1/trval_reference.out
+++ b/src/tests/asn.1/trval_reference.out
@@ -1572,3 +1572,15 @@ encode_krb5_cammac:
 . . . [3] [Sequence/Sequence Of]
 . . . . [0] [Integer] 1
 . . . . [1] [Octet String] "cksum2"
+
+encode_krb5_secure_cookie:
+
+[Sequence/Sequence Of]
+. [Integer] 771228197
+. [Sequence/Sequence Of]
+. . [Sequence/Sequence Of]
+. . . [1] [Integer] 13
+. . . [2] [Octet String] "pa-data"
+. . [Sequence/Sequence Of]
+. . . [1] [Integer] 13
+. . . [2] [Octet String] "pa-data"