Try all valid pa-datas in as_rep before giving up. Send back an empty

pa-data if the client has the v4 flag set. git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@2472 ec53bebd-3082-4978-b11e-865c3cabbd6b
1997-07-19 08:01:00 +00:00
parent 94cbc8ee82
commit 05ce3fa9b0
1 changed files with 108 additions and 85 deletions
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -101,94 +101,111 @@ as_rep(krb5_context context,
    }
-    if(req->padata == NULL || req->padata->len < 1 ||
+    if(req->padata){
-       req->padata->val->padata_type != pa_enc_timestamp) {
+	int i;
-	if(require_enc_timestamp){
+	PA_DATA *pa;
-	    PA_DATA foo;
+	int found_pa = 0;
-	    u_char buf[16];
+	for(i = 0; i < req->padata->len; i++){
-	    size_t len;
+	    PA_DATA *pa = &req->padata->val[i];
-	    krb5_data foo_data;
+	    if(pa->padata_type == pa_enc_timestamp){
 		krb5_data ts_data;
 		PA_ENC_TS_ENC p;
 		time_t patime;
 		size_t len;
 		EncryptedData enc_data;
 		found_pa = 1;
 		ret = decode_EncryptedData(pa->padata_value.data,
 					   pa->padata_value.length,
 					   &enc_data,
 					   &len);
 		if (ret) {
 		    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
 		    kdc_log(0, "Failed to decode PA-DATA -- %s", client_name);
 		    goto out;
 		}
-	    foo.padata_type = pa_enc_timestamp;
+		ret = krb5_decrypt (context,
-	    foo.padata_value.length = 0;
+				    enc_data.cipher.data,
-	    foo.padata_value.data   = NULL;
+				    enc_data.cipher.length,
-
+				    enc_data.etype,
-	    encode_PA_DATA(buf + sizeof(buf) - 1,
+				    &client->keyblock,
-			   sizeof(buf),
+				    &ts_data);
-			   &foo,
+		free_EncryptedData(&enc_data);
-			   &len);
+		if(ret){
-	    foo_data.length = len;
+		    e_text = "Failed to decrypt PA-DATA";
-	    foo_data.data   = buf + sizeof(buf) - len;
+		    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-
+		    continue;
-	    ret = KRB5KDC_ERR_PREAUTH_REQUIRED;
+		}
-	    krb5_mk_error(context,
+		ret = decode_PA_ENC_TS_ENC(ts_data.data,
-			  ret,
+					   ts_data.length,
-			  "Need to use PA-ENC-TIMESTAMP",
+					   &p,
-			  &foo_data,
+					   &len);
-			  client_princ,
+		krb5_data_free(&ts_data);
-			  server_princ,
+		if(ret){
-			  0,
+		    e_text = "Failed to decode PA-ENC-TS-ENC";
-			  reply);
+		    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-	
+		    continue;
-	    kdc_log(0, "No PA-ENC-TIMESTAMP -- %s", client_name);
+		}
-	    goto out2;
+		patime = p.patimestamp;
 		free_PA_ENC_TS_ENC(&p);
 		if (abs(kdc_time - p.patimestamp) > context->max_skew) {
 		    ret = KRB5KDC_ERR_PREAUTH_FAILED;
 		    krb5_mk_error (context,
 				   ret,
 				   "Too large time skew",
 				   NULL,
 				   client_princ,
 				   server_princ,
 				   0,
 				   reply);
 		    kdc_log(0, "Too large time skew -- %s", client_name);
 		    goto out2;
 		}
 		et->flags.pre_authent = 1;
 		kdc_log(2, "Pre-authentication succeded -- %s", client_name);
 		break;
 	    }
 	}
-    } else {
+	/* XXX */
-	krb5_data ts_data;
+	if(found_pa == 0)
-	PA_ENC_TS_ENC p;
+	    goto use_pa;
-	time_t patime;
+	if(et->flags.pre_authent == 0){
 	    kdc_log(0, "%s -- %s", e_text, client_name);
 	    e_text = NULL;
 	    goto out;
 	}
    }else{
 	PA_DATA foo;
 	u_char buf[16];
 	size_t len;
-	EncryptedData enc_data;
+	krb5_data foo_data;
-
+	
-	ret = decode_EncryptedData(req->padata->val->padata_value.data,
+    use_pa:
-				   req->padata->val->padata_value.length,
+	foo.padata_type = pa_enc_timestamp;
-				   &enc_data,
+	foo.padata_value.length = 0;
-				   &len);
+	foo.padata_value.data   = NULL;
-	if (ret) {
+	
-	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+	encode_PA_DATA(buf + sizeof(buf) - 1,
-	    kdc_log(0, "Failed to decode PA-DATA -- %s", client_name);
+		       sizeof(buf),
-	    goto out;
+		       &foo,
-	}
+		       &len);
-
+	foo_data.length = len;
-	ret = krb5_decrypt (context,
+	foo_data.data   = buf + sizeof(buf) - len;
-			    enc_data.cipher.data,
+	
-			    enc_data.cipher.length,
+	ret = KRB5KDC_ERR_PREAUTH_REQUIRED;
-			    enc_data.etype,
+	krb5_mk_error(context,
-			    &client->keyblock,
+		      ret,
-			    &ts_data);
+		      "Need to use PA-ENC-TIMESTAMP",
-	free_EncryptedData(&enc_data);
+		      &foo_data,
-	if (ret) {
+		      client_princ,
-	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+		      server_princ,
-	    kdc_log(0, "Failed to decrypt PA-DATA -- %s", client_name);
+		      0,
-	    goto out;
+		      reply);
-	}
+	
-	ret = decode_PA_ENC_TS_ENC(ts_data.data,
+	kdc_log(0, "No PA-ENC-TIMESTAMP -- %s", client_name);
-				   ts_data.length,
+	goto out2;
 				   &p,
 				   &len);
 	krb5_data_free(&ts_data);
 	if (ret) {
 	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
 	    kdc_log(0, "Failed to decode PA-ENC-TS-ENC -- %s", client_name);
 	    goto out;
 	}
 	patime = p.patimestamp;
 	free_PA_ENC_TS_ENC(&p);
 	if (abs(kdc_time - p.patimestamp) > context->max_skew) {
 	    krb5_mk_error (context,
 			   KRB5KDC_ERR_PREAUTH_FAILED,
 			   "Too large time skew",
 			   NULL,
 			   client_princ,
 			   server_princ,
 			   0,
 			   reply);
 	    ret = KRB5KDC_ERR_PREAUTH_FAILED;
 	    kdc_log(0, "Too large time skew -- %s", client_name);
 	    goto out2;
 	}
 	et->flags.pre_authent = 1;
 	kdc_log(2, "Pre-authentication succeded -- %s", client_name);
    }
    /* Find appropriate key */
@@ -351,6 +368,12 @@ as_rep(krb5_context context,
 	rep.enc_part.kvno = malloc(sizeof(*rep.enc_part.kvno));
 	*rep.enc_part.kvno = client.kvno;
 #endif
 	if(client->flags.b.v4){
 	    rep.padata = malloc(sizeof(*rep.padata));
 	    rep.padata->len = 1;
 	    rep.padata->val = calloc(1, sizeof(*rep.padata->val));
 	    rep.padata->val->padata_type = pa_pw_salt;
 	}
 	ret = encode_AS_REP(buf + sizeof(buf) - 1, sizeof(buf), &rep, &len);
 	free_AS_REP(&rep);