From: Sam Hartman
Date: Thu, 26 Mar 2009 05:36:40 +0000 (+0000)
Subject: Integrate FAST into AS and TGS
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c51f3d298fa79d3321d548ae0bb1c20901e6954f;p=thirdparty%2Fkrb5.git
Integrate FAST into AS and TGS
Integrate calls to lookup FAST padata into the AS and TGS paths. kdc_util needs to return a pointer to the pa-tgs-req padata for the fast checksum. This code does not generate fast responses or errors yet.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22125 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 8db39ac4f2..ded72e4a80 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -117,6 +117,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 int did_log = 0;
 const char *emsg = 0;
 krb5_keylist_node *tmp_mkey_list;
+ struct kdc_request_state *state = NULL;
+
 #if APPLE_PKINIT
 asReqDebug("process_as_req top realm %s name %s\n",
@@ -133,6 +135,15 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 session_key.contents = 0;
 enc_tkt_reply.authorization_data = NULL;
+ errcode = kdc_make_rstate(&state);
+ if (errcode != 0) {
+ status = "constructing state";
+ goto errout;
+ }
+ errcode = kdc_find_fast(&request, req_pkt, NULL /*TGS key*/, state);
+ if (errcode)
+ goto errout;
+
 if (!request->client) {
 status = "NULL_CLIENT";
 errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
@@ -679,6 +690,7 @@ egress:
 }
 krb5_free_data_contents(kdc_context, &e_data);
+ kdc_free_rstate(state);
 assert(did_log != 0);
 return errcode;
 }
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 33ba0cd247..cb05f4f256 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
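Review bot: The second new failure path in the `@@ -133,6 +135,15 @@` hunk of src/kdc/do_as_req.c, `if (errcode) goto errout;` after `kdc_find_fast()`, leaves `status` unset, unlike the `kdc_make_rstate()` check just above it and the TGS path, which sets `status = "kdc_find_fast"`. The egress hunk of this file shows `assert(did_log != 0)`; if logging at `errout` depends on `status` being set (that code is outside the hunks, so this is inferred), FAST padata that fails to parse in an unauthenticated AS-REQ could reach the assert and abort the KDC. I would write `if (errcode) { status = "kdc_find_fast"; goto errout; }`. Separately, `kdc_find_fast()` takes `&request` while `process_as_req` receives `request` by value, so if the callee can replace the request the caller's pointer will not follow; the ownership rule deserves a comment at this call.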
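Review bot: `kdc_free_rstate(state)` in the `@@ -679,6 +690,7 @@` egress hunk of src/kdc/do_as_req.c is called unconditionally, although `state` can still be NULL there, for example when `kdc_make_rstate()` fails and the `errout` path reaches `egress` (assuming the constructor leaves the pointer untouched on failure; neither function body is in this diff). The TGS cleanup in this same commit guards the call with `if (state)`. Either mirror that here, `if (state) kdc_free_rstate(state);`, or document on `kdc_free_rstate()` that NULL is accepted and drop the guard in do_tgs_req.c so both paths agree.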
@@ -125,6 +125,9 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
 krb5_data *tgs_1 =NULL, *server_1 = NULL;
 krb5_principal krbtgt_princ;
 krb5_kvno ticket_kvno = 0;
+ struct kdc_request_state *state = NULL;
+ krb5_pa_data *pa_tgs_req; /*points into request*/
+ krb5_data scratch;
 session_key.contents = NULL;
@@ -140,7 +143,7 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
 return retval;
 }
 errcode = kdc_process_tgs_req(request, from, pkt, &header_ticket,
- &krbtgt, &k_nprincs, &subkey);
+ &krbtgt, &k_nprincs, &subkey, &pa_tgs_req);
 if (header_ticket && header_ticket->enc_part2 && (errcode2 = krb5_unparse_name(kdc_context, header_ticket->enc_part2->client,
@@ -161,7 +164,15 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
 status="UNEXPECTED NULL in header_ticket";
 goto cleanup;
 }
-
+ scratch.length = pa_tgs_req->length;
+ scratch.data = (char *) pa_tgs_req->contents;
+ errcode = kdc_find_fast(&request, &scratch, subkey, state);
+ if (errcode !=0) {
+ status = "kdc_find_fast";
+ goto cleanup;
+ }
+
+
 /*
 * Pointer to the encrypted part of the header ticket, which may be
 * replaced to point to the encrypted part of the evidence ticket
@@ -916,6 +927,8 @@ cleanup:
 krb5_free_ticket(kdc_context, header_ticket);
 if (request != NULL)
 krb5_free_kdc_req(kdc_context, request);
+ if (state)
+ kdc_free_rstate(state);
 if (cname != NULL)
 free(cname);
 if (sname != NULL)
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 4b1e31c787..a6d8eabe49 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -234,7 +234,8 @@ krb5_error_code
 kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from,
 krb5_data *pkt, krb5_ticket **ticket, krb5_db_entry *krbtgt, int *nprincs,
- krb5_keyblock **subkey)
+ krb5_keyblock **subkey,
+ krb5_pa_data **pa_tgs_req)
 {
 krb5_pa_data * tmppa;
 krb5_ap_req * apreq;
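Review bot: `krb5_pa_data *pa_tgs_req;` in the `@@ -125,6 +125,9 @@` hunk of src/kdc/do_tgs_req.c has no initializer, and the kdc_util.c hunk at `@@ -383,6 +384,8 @@` stores into it only when `retval == 0`, so on every failure return the caller holds an indeterminate pointer. The dereference `pa_tgs_req->length` added in the `@@ -161,7 +164,15 @@` hunk is then safe only if every error from `kdc_process_tgs_req()` is caught in the lines between the hunks, which are not visible here. Declaring it as `krb5_pa_data *pa_tgs_req = NULL;` and setting `*pa_tgs_req = NULL;` at the top of `kdc_process_tgs_req()` turns a missed check into a predictable NULL rather than a read through stack garbage. A one-line comment on the new parameter stating that the result points into the request (as the caller's `/*points into request*/` says) and must not be freed would also help.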
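Review bot: `state` is still NULL when it is passed to `kdc_find_fast()` in the `@@ -161,7 +164,15 @@` hunk of src/kdc/do_tgs_req.c: it is declared as NULL in the first hunk and none of the four hunks for this file calls `kdc_make_rstate()`, whereas the AS path constructs the state before its own `kdc_find_fast()` call. Unless `kdc_find_fast()` tolerates a NULL state (its body is not in this diff), a TGS-REQ carrying FAST padata would likely make the KDC dereference NULL, and the `if (state)` guard added at `cleanup` never fires. I would construct the state right before the lookup, as do_as_req.c does. The body of `process_tgs_req` continues outside the hunk.

```c
errcode = kdc_make_rstate(&state);
if (errcode != 0) {
    status = "constructing state";
    goto cleanup;
}
scratch.length = pa_tgs_req->length;
/* … unchanged: scratch.data assignment, kdc_find_fast() call and its error check … */
```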
@@ -383,6 +384,8 @@ kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from,
 }
 }
+ if (retval == 0)
+ *pa_tgs_req = tmppa;
 cleanup_authenticator:
 krb5_free_authenticator(kdc_context, authenticator);
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index 5d8c8c2e82..9336c53038 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -66,7 +66,7 @@ krb5_error_code kdc_process_tgs_req
 krb5_ticket **,
 krb5_db_entry *krbtgt,
 int *nprincs,
- krb5_keyblock **);
+ krb5_keyblock **, krb5_pa_data **pa_tgs_req);
 krb5_error_code kdc_get_server_key (krb5_ticket *, unsigned int, krb5_boolean match_enctype,