From: Sam Hartman
Date: Thu, 26 Mar 2009 05:37:28 +0000 (+0000)
Subject: KDC handling of FAST response
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5391e1a3331b9b2eee35de7e90ff99b23e2acc89;p=thirdparty%2Fkrb5.git

KDC handling of FAST response

Integrate FAST response handling into AS reply and error paths. Ad support for encrypting and generating PA_FX_FAST_REPLY. Use that support in the AS.

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22141 dc483132-0cff-0310-8789-dd5450dbe970
---

diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 4443d33ac2..58b349bf84 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -634,6 +634,7 @@ krb5_error_code KRB5_CALLCONV
 /* define in draft-ietf-krb-wg-preauth-framework*/
 #define KRB5_KEYUSAGE_FAST_REQ_CHKSUM 50
 #define KRB5_KEYUSAGE_FAST_ENC 51
+#define KRB5_KEYUSAGE_FAST_REP 52
 #define KRB5_KEYUSAGE_FAST_FINISHED 53
 #define KRB5_KEYUSAGE_FAST_REP 52
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index c6023ec604..26f7884fe7 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -566,6 +566,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 goto errout;
 }
+
 errcode = handle_authdata(kdc_context,
 c_flags,
 &client,
@@ -590,6 +591,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 goto errout;
 }
 ticket_reply.enc_part.kvno = server_key->key_data_kvno;
+ errcode = kdc_fast_response_handle_padata(state, request, &reply);
+ if (errcode) {
+ status = "fast response handling";
+ goto errout;
+ }
 /* now encode/encrypt the response */
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
index fc5934ad49..2a3106ac89 100644
--- a/src/kdc/fast_util.c
+++ b/src/kdc/fast_util.c
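Review bot: The added `#define KRB5_KEYUSAGE_FAST_REP 52` duplicates a definition this hunk's own context lines show already exists two lines further down, after `KRB5_KEYUSAGE_FAST_FINISHED 53`. An identical redefinition is accepted by the preprocessor, so the build is unaffected, but two copies of the same constant invite a silent divergence the next time one of them is edited. Keep the new line, which puts usages 50–53 in numeric order, and drop the trailing `#define KRB5_KEYUSAGE_FAST_REP 52`.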
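Review bot: Nothing in this hunk distinguishes FAST-armored from plain AS requests before calling `kdc_fast_response_handle_padata(state, request, &reply)`, and the `encrypt_fast_reply` it reaches in fast_util.c does `assert(state->armor_key)`, so the handler must return 0 early when no armor key is present; that branch is outside the visible hunks, so please confirm it. The handler also assigns `rep->padata = pa_array` (context line in the +292 hunk of fast_util.c), so any padata already placed in `reply` before this point is replaced by the single FX_FAST entry, and whether it is carried inside the FAST response or freed is not visible here. A one-line comment above the call would make the intent clear to the next reader: `/* Build the PA-FX-FAST reply padata when the request was FAST-armored. */`. process_as_req begins and ends outside this hunk.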
@@ -95,6 +95,30 @@ static krb5_error_code armor_ap_request
 return retval;
 }
+static krb5_error_code encrypt_fast_reply
+(struct kdc_request_state *state, const krb5_fast_response *response,
+ krb5_data **fx_fast_reply)
+{
+ krb5_error_code retval = 0;
+ krb5_enc_data encrypted_reply;
+ krb5_data *encoded_response = NULL;
+ assert(state->armor_key);
+ retval = encode_krb5_fast_response(response, &encoded_response);
+ if (retval== 0)
+ retval = krb5_encrypt_helper(kdc_context, state->armor_key,
+ KRB5_KEYUSAGE_FAST_REP,
+ encoded_response, &encrypted_reply);
+ if (encoded_response)
+ krb5_free_data(kdc_context, encoded_response);
+ encoded_response = NULL;
+ if (retval == 0) {
+ retval = encode_krb5_pa_fx_fast_reply(&encrypted_reply,
+ fx_fast_reply);
+ krb5_free_data_contents(kdc_context, &encrypted_reply.ciphertext);
+ }
+ return retval;
+}
+ krb5_error_code kdc_find_fast
+(krb5_kdc_req **requestptr, krb5_data *checksummed_data,
@@ -241,7 +265,7 @@ krb5_error_code kdc_fast_response_handle_padata
 krb5_fast_finished finish;
 krb5_fast_response fast_response;
 krb5_data *encoded_ticket = NULL;
- krb5_data *encoded_fast_response = NULL;
+ krb5_data *encrypted_reply = NULL;
 krb5_pa_data *pa = NULL, **pa_array;
 krb5_cksumtype cksumtype = CKSUMTYPE_RSA_MD5;
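Review bot: `assert(state->armor_key)` is the only check before the key is handed to `krb5_encrypt_helper`; an assert compiles out under NDEBUG, and in a long-running daemon an abort driven by per-request state is a robustness concern, so a plain error return is the safer guard, e.g. `if (state->armor_key == NULL) return EINVAL;` (or whichever code the callers already map to a KDC error). `krb5_enc_data encrypted_reply;` is left uninitialized and its ciphertext is released only inside `if (retval == 0)`; that is leak-free only if krb5_encrypt_helper allocates nothing on failure, which I cannot confirm from here, so `krb5_enc_data encrypted_reply = { 0 };` plus an unconditional `krb5_free_data_contents` would be more defensive. The function also has no header comment; it should state that `*fx_fast_reply` is allocated for the caller to release with krb5_free_data and that `state->armor_key` must already be set. Minor: `if (retval== 0)` is missing the space used on the other comparisons.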
@@ -268,21 +292,21 @@ krb5_error_code kdc_fast_response_handle_padata
 state->armor_key, KRB5_KEYUSAGE_FAST_FINISHED,
 encoded_ticket, &finish.ticket_checksum);
 if (retval == 0)
- retval = encode_krb5_fast_response(&fast_response, &encoded_fast_response);
+ retval = encrypt_fast_reply(state, &fast_response, &encrypted_reply);
 if (retval == 0) {
 pa[0].pa_type = KRB5_PADATA_FX_FAST;
- pa[0].length = encoded_fast_response->length;
- pa[0].contents = (unsigned char *) encoded_fast_response->data;
+ pa[0].length = encrypted_reply->length;
+ pa[0].contents = (unsigned char *) encrypted_reply->data;
 pa_array[0] = &pa[0];
 rep->padata = pa_array;
 pa_array = NULL;
- encoded_fast_response = NULL;
+ encrypted_reply = NULL;
 pa = NULL;
 }
 if (pa)
 free(pa);
- if (encoded_fast_response)
- krb5_free_data(kdc_context, encoded_fast_response);
+ if (encrypted_reply)
+ krb5_free_data(kdc_context, encrypted_reply);
 if (encoded_ticket)
 krb5_free_data(kdc_context, encoded_ticket);
 if (finish.ticket_checksum.contents)
@@ -290,6 +314,7 @@ krb5_error_code kdc_fast_response_handle_padata
 return retval;
 }
+
 /*
 * We assume the caller is responsible for passing us an in_padata
 * sufficient to include in a FAST error. In the FAST case we will
@@ -304,7 +329,7 @@ krb5_error_code kdc_fast_handle_error
 krb5_error_code retval = 0;
 krb5_fast_response resp;
 krb5_error fx_error;
- krb5_data *encoded_fx_error = NULL, *encoded_fast_response = NULL;
+ krb5_data *encoded_fx_error = NULL, *encrypted_reply = NULL;
 krb5_pa_data pa[2];
 krb5_pa_data *outer_pa[3];
 krb5_pa_data **inner_pa = NULL;
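Review bot: Once `pa[0].contents` takes over `encrypted_reply->data`, the new code sets `encrypted_reply = NULL`, so the `if (encrypted_reply) krb5_free_data(kdc_context, encrypted_reply);` cleanup further down is skipped and the krb5_data container allocated by encrypt_fast_reply leaks on every successful FAST reply; the same pattern existed with encoded_fast_response, so the commit carries the leak over rather than introducing it. Hand over only the buffer: replace `encrypted_reply = NULL;` with `encrypted_reply->data = NULL;` so the existing cleanup frees just the container. Separately, the -241 hunk declares `cksumtype = CKSUMTYPE_RSA_MD5`, an unkeyed checksum type; unless it is reassigned in the lines between the two hunks (not shown), the `finish.ticket_checksum` computed with state->armor_key and KRB5_KEYUSAGE_FAST_FINISHED is not actually bound to the armor key, which would defeat the purpose of the finished element — worth confirming. kdc_fast_response_handle_padata begins outside this hunk.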
@@ -338,13 +363,13 @@ krb5_error_code kdc_fast_handle_error
 resp.finished = NULL;
 }
 if (retval == 0)
- retval = encode_krb5_fast_response(&resp, &encoded_fast_response);
+ retval = encrypt_fast_reply(state, &resp, &encrypted_reply);
 if (inner_pa)
 free(inner_pa); /*contained storage from caller and our stack*/
 if (retval == 0) {
 pa[0].pa_type = KRB5_PADATA_FX_FAST;
- pa[0].length = encoded_fast_response->length;
- pa[0].contents = (unsigned char *) encoded_fast_response->data;
+ pa[0].length = encrypted_reply->length;
+ pa[0].contents = (unsigned char *) encrypted_reply->data;
 outer_pa[0] = &pa[0];
 }
 retval = encode_krb5_padata_sequence(outer_pa, &encoded_e_data);
@@ -356,8 +381,8 @@ krb5_error_code kdc_fast_handle_error
 }
 if (encoded_e_data)
 krb5_free_data(kdc_context, encoded_e_data);
- if (encoded_fast_response)
- krb5_free_data(kdc_context, encoded_fast_response);
+ if (encrypted_reply)
+ krb5_free_data(kdc_context, encrypted_reply);
 if (encoded_fx_error)
 krb5_free_data(kdc_context, encoded_fx_error);
 return retval;
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index 7d62c43dd6..0f1fd9c5da 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -60,6 +60,7 @@ encode_krb5_error
 encode_krb5_etype_info
 encode_krb5_etype_info2
 encode_krb5_fast_response
+encode_krb5_pa_fx_fast_reply
 encode_krb5_kdc_req_body
 encode_krb5_pa_enc_ts
 encode_krb5_pa_for_user
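Review bot: A failure from the new `encrypt_fast_reply(state, &resp, &encrypted_reply)` call is lost: `pa[0]` and `outer_pa[0]` are only filled in under `if (retval == 0)`, yet `retval = encode_krb5_padata_sequence(outer_pa, &encoded_e_data);` runs unconditionally right after and overwrites retval, so the error reply is encoded from whatever `outer_pa[0]` holds — `krb5_pa_data *outer_pa[3]` is declared without an initializer in the -304 hunk, and the start of kdc_fast_handle_error, where it might be set, is outside this hunk. Guard the encode on the prior result, `if (retval == 0) retval = encode_krb5_padata_sequence(outer_pa, &encoded_e_data);`, so an encryption failure propagates to the caller instead of producing an error reply built from malformed or uninitialized e-data.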