From: Luke Howard Date: Sun, 30 Aug 2009 16:01:16 +0000 (+0000) Subject: fix some bugs in AD-KDCIssued implementation X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bf82a2ec0a434ed280b096649ec99594c1c04d42;p=thirdparty%2Fkrb5.git fix some bugs in AD-KDCIssued implementation git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/authdata@22661 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 7e9c63aaf2..ea7475261e 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -2573,7 +2573,7 @@ krb5_make_authdata_kdc_issued(krb5_context context,
 const krb5_keyblock *key,
 krb5_const_principal issuer,
 krb5_authdata *const *authdata,
- krb5_authdata **ad_kdcissued);
+ krb5_authdata ***ad_kdcissued);
 krb5_error_code KRB5_CALLCONV
 krb5_verify_authdata_kdc_issued(krb5_context context,
 const krb5_keyblock *key,
diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in
index 66f3d2ad5f..ca4edd893f 100644
--- a/src/lib/krb5/krb/Makefile.in
+++ b/src/lib/krb5/krb/Makefile.in
@@ -327,8 +327,8 @@ t_walk_rtree: $(T_WALK_RTREE_OBJS) $(KRB5_BASE_DEPLIBS)
 t_ad_fx_armor: t_ad_fx_armor.o
 $(CC_LINK) -o $@ t_ad_fx_armor.o $(KRB5_BASE_LIBS)
-t_authdata: t_authdata.o copy_auth.o
- $(CC_LINK) -o $@ t_authdata.o copy_auth.o $(KRB5_BASE_LIBS)
+t_authdata: t_authdata.o $(KRB5_BASE_DEPLIBS)
+ $(CC_LINK) -o $@ t_authdata.o $(KRB5_BASE_LIBS)
 t_kerb: $(T_KERB_OBJS) $(KRB5_BASE_DEPLIBS)
 $(CC_LINK) -o t_kerb $(T_KERB_OBJS) $(KRB5_BASE_LIBS)
diff --git a/src/lib/krb5/krb/copy_auth.c b/src/lib/krb5/krb/copy_auth.c
index 9f19289a1a..ba51f38084 100644
--- a/src/lib/krb5/krb/copy_auth.c
+++ b/src/lib/krb5/krb/copy_auth.c
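Review bot: The prototype now returns through `krb5_authdata ***ad_kdcissued`, but nothing at the declaration says what `*ad_kdcissued` holds or who releases it, so a header reader cannot tell a single element from a list. The copy_auth.c hunk in this commit builds a NULL-terminated list holding one AD-KDCIssued element through krb5_copy_authdata, and the test frees it with krb5_free_authdata, so say so here: `/* On success *ad_kdcissued is a NULL-terminated list holding the single AD-KDCIssued element; release it with krb5_free_authdata(). */`. The declaration's first line (`krb5_make_authdata_kdc_issued(krb5_context context,`) is the hunk trailer, so the declaration begins before the hunk.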
@@ -282,25 +282,27 @@ krb5_make_authdata_kdc_issued(krb5_context context,
 const krb5_keyblock *key,
 krb5_const_principal issuer,
 krb5_authdata *const *authdata,
- krb5_authdata **ad_kdcissued)
+ krb5_authdata ***ad_kdcissued)
 {
 krb5_error_code code;
 krb5_ad_kdcissued ad_kdci;
 krb5_data *data;
 krb5_cksumtype cksumtype;
+ krb5_authdata ad_datum;
+ krb5_authdata *ad_data[2];
 *ad_kdcissued = NULL;
 ad_kdci.ad_checksum.contents = NULL;
 ad_kdci.i_principal = (krb5_principal)issuer;
- ad_kdci.elements = ad_kdcissued;
+ ad_kdci.elements = (krb5_authdata **)authdata;
 code = krb5int_c_mandatory_cksumtype(context, key->enctype, &cksumtype);
 if (code != 0)
 return code;
- code = encode_krb5_authdata(ad_kdcissued, &data);
+ code = encode_krb5_authdata(ad_kdci.elements, &data);
 if (code != 0)
 return code;
@@ -318,22 +320,19 @@ krb5_make_authdata_kdc_issued(krb5_context context,
 if (code != 0)
 return code;
- krb5_free_checksum_contents(context, &ad_kdci.ad_checksum);
+ ad_datum.ad_type = KRB5_AUTHDATA_KDC_ISSUED;
+ ad_datum.length = data->length;
+ ad_datum.contents = (unsigned char *)data->data;
- *ad_kdcissued = calloc(1, sizeof(krb5_authdata));
- if (*ad_kdcissued == NULL) {
- krb5_free_data(context, data);
- return ENOMEM;
- }
+ ad_data[0] = &ad_datum;
+ ad_data[1] = NULL;
- (*ad_kdcissued)->magic = KV5M_AUTHDATA;
- (*ad_kdcissued)->ad_type = KRB5_AUTHDATA_KDC_ISSUED;
- (*ad_kdcissued)->length = data->length;
- (*ad_kdcissued)->contents = (krb5_octet *)data->data;
+ code = krb5_copy_authdata(context, ad_data, ad_kdcissued);
- free(data);
+ krb5_free_data(context, data);
+ krb5_free_checksum_contents(context, &ad_kdci.ad_checksum);
- return 0;
+ return code;
 }
 krb5_error_code KRB5_CALLCONV
@@ -348,6 +347,10 @@ krb5_verify_authdata_kdc_issued(krb5_context context,
 krb5_data data, *data2;
 krb5_boolean valid = FALSE;
+ if ((ad_kdcissued->ad_type & AD_TYPE_FIELD_TYPE_MASK) !=
+ KRB5_AUTHDATA_KDC_ISSUED)
+ return EINVAL;
 if (issuer != NULL)
 *issuer = NULL;
 if (authdata != NULL)
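Review bot: `ad_kdci.elements = (krb5_authdata **)authdata;` casts away the `const` of the `krb5_authdata *const *authdata` parameter without saying why; if `krb5_ad_kdcissued.elements` is simply declared non-const (the struct is not in the hunk) the cast is forced, but a reader will otherwise assume the caller's list may be mutated or freed through `ad_kdci`. A one-line comment makes the aliasing explicit: `/* elements aliases the caller's list; it is only read by the encoder and never freed here. */`. The function continues into the next hunk.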
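Review bot: `ad_datum.magic` is never assigned before `ad_data` is handed to krb5_copy_authdata: the three assignments here set ad_type, length and contents only, while the removed code set `(*ad_kdcissued)->magic = KV5M_AUTHDATA;`, and `ad_datum` is declared without an initializer in the previous hunk. If krb5_copy_authdata copies the element struct wholesale, the returned element carries an indeterminate magic value; add `ad_datum.magic = KV5M_AUTHDATA;` alongside the other three assignments. Separately, the `return code;` at the top of the hunk gives up without touching `ad_kdci.ad_checksum`; if the failing call just above the hunk is the second encode, made after the checksum has been computed, that path leaks the checksum contents and should read `if (code != 0) { krb5_free_checksum_contents(context, &ad_kdci.ad_checksum); return code; }`. The checksum computation and the call that produces this `code` lie between the two hunks, outside what is shown.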
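Review bot: The new `ad_type` guard returns EINVAL before the `*issuer = NULL` and `*authdata = NULL` resets that follow it (the second reset is cut off at the hunk's last line), so on a rejected element the caller's output pointers keep whatever they held on entry, which a caller that inspects the outputs as well as the return code may not expect. Either move the guard below those resets or clear the outputs first, so that this error return leaves `*issuer` and `*authdata` NULL like the code after it presumably does. A short comment on the guard would also help: `/* Reject anything that is not an AD-KDCIssued element before decoding it. */`. The body of krb5_verify_authdata_kdc_issued continues past the hunk.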
diff --git a/src/lib/krb5/krb/t_authdata.c b/src/lib/krb5/krb/t_authdata.c
index 8b786875f5..86838cead3 100644
--- a/src/lib/krb5/krb/t_authdata.c
+++ b/src/lib/krb5/krb/t_authdata.c
@@ -65,6 +65,13 @@ krb5_authdata *adseq1[] = {&ad1, &ad2, &ad4, NULL};
 krb5_authdata *adseq2[] = {&ad3, NULL};
+krb5_keyblock key = {
+ KV5M_KEYBLOCK,
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ 16,
+ (unsigned char *)"1234567890ABCDEF"
+};
+
 static void compare_authdata(const krb5_authdata *adc1, krb5_authdata *adc2) {
 assert(adc1->ad_type == adc2->ad_type);
 assert(adc1->length == adc2->length);
@@ -77,7 +84,7 @@ int main()
 krb5_authdata **results;
 krb5_authdata *container[2];
 krb5_authdata **container_out;
-
+ krb5_authdata **kdci;
 assert(krb5_init_context(&context) == 0);
 assert(krb5_merge_authdata(context, adseq1, adseq2, &results) == 0);
@@ -96,6 +103,13 @@ int main()
 compare_authdata( results[1], &ad4);
 compare_authdata( results[2], &ad3);
 assert( results[3] == NULL);
+ krb5_free_authdata(context, container_out);
+ assert(krb5_make_authdata_kdc_issued(context, &key, NULL, results, &kdci) == 0);
+ assert(krb5_verify_authdata_kdc_issued(context, &key, kdci[0], NULL, &container_out) == 0);
+ compare_authdata(container_out[0], results[0]);
+ compare_authdata(container_out[1], results[1]);
+ compare_authdata(container_out[2], results[2]);
+ krb5_free_authdata(context, kdci);
 krb5_free_authdata(context, results);
 krb5_free_authdata(context, container_out);
 krb5_free_context(context);
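Review bot: `key` is initialized positionally, so a reader has to know krb5_keyblock's field order to see that `16` is the length and the string literal the contents; designated initializers (`.magic`, `.enctype`, `.length`, `.contents`) make that explicit, and `static` would keep this test fixture out of the global namespace. The cast `(unsigned char *)"1234567890ABCDEF"` points `contents` at a string literal, so any routine that writes through or frees `key.contents` would be undefined behaviour; fine for a fixture that is only read, but worth a line: `/* fixed 16-byte test key backed by a string literal: read-only, never freed */`.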
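Review bot: The round trip only checks that the three decoded elements match `results`; it never asserts that the decoded list terminates, that `kdci` holds exactly one element of the expected type, or that verification fails under a different key, so an implementation whose checksum check accepted anything would still pass. Add `assert(container_out[3] == NULL);` after the three compares, `assert(kdci[0]->ad_type == KRB5_AUTHDATA_KDC_ISSUED && kdci[1] == NULL);` after the make call, and a negative case that calls krb5_verify_authdata_kdc_issued with a second keyblock of the same enctype and length but different contents and asserts a non-zero return, before the frees. `main` starts and ends outside the hunk.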