Add better support for specifying what pre-authentication to use.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@4348 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Johan Danielsson
@@ -323,6 +323,44 @@ make_pa_enc_timestamp(krb5_context context, PA_DATA *pa,
|
||||
return 0;
|
||||
}
|
||||
|
||||
static krb5_error_code
|
||||
add_padata(krb5_context context,
|
||||
METHOD_DATA *md,
|
||||
krb5_principal client,
|
||||
krb5_key_proc key_proc,
|
||||
krb5_const_pointer keyseed,
|
||||
krb5_keytype keytype,
|
||||
krb5_data *salt)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
PA_DATA pa, *pa2;
|
||||
krb5_keyblock *key;
|
||||
krb5_enctype etype;
|
||||
krb5_data salt2;
|
||||
|
||||
krb5_data_zero(&salt2);
|
||||
if(salt == NULL) {
|
||||
/* default to standard salt */
|
||||
ret = krb5_get_salt (client, &salt2);
|
||||
salt = &salt2;
|
||||
}
|
||||
ret = (*key_proc)(context, keytype, salt, keyseed, &key);
|
||||
krb5_data_free(&salt2);
|
||||
if (ret)
|
||||
return ret;
|
||||
pa2 = realloc(md->val, (md->len + 1) * sizeof(*md->val));
|
||||
if(pa2 == NULL)
|
||||
return ENOMEM;
|
||||
md->val = pa2;
|
||||
krb5_keytype_to_etype(context, keytype, &etype);
|
||||
ret = make_pa_enc_timestamp(context, &md->val[md->len], etype, key);
|
||||
krb5_free_keyblock (context, key);
|
||||
if(ret)
|
||||
return ret;
|
||||
md->len++;
|
||||
return 0;
|
||||
}
|
||||
|
||||
static krb5_error_code
|
||||
init_as_req (krb5_context context,
|
||||
krb5_kdc_flags opts,
|
||||
@@ -330,6 +368,7 @@ init_as_req (krb5_context context,
|
||||
const krb5_addresses *addrs,
|
||||
const krb5_enctype *etypes,
|
||||
const krb5_preauthtype *ptypes,
|
||||
const krb5_preauthdata *preauth,
|
||||
krb5_key_proc key_proc,
|
||||
krb5_const_pointer keyseed,
|
||||
unsigned nonce,
|
||||
@@ -411,65 +450,68 @@ init_as_req (krb5_context context,
|
||||
a->req_body.enc_authorization_data = NULL;
|
||||
a->req_body.additional_tickets = NULL;
|
||||
|
||||
/* not sure this is the way to use `ptypes' */
|
||||
if (ptypes == NULL || *ptypes == KRB5_PADATA_NONE)
|
||||
a->padata = NULL;
|
||||
else if (*ptypes == KRB5_PADATA_ENC_TIMESTAMP) {
|
||||
a->padata = malloc(sizeof(*a->padata));
|
||||
if(preauth != NULL) {
|
||||
int i;
|
||||
ALLOC(a->padata, 1);
|
||||
if(a->padata == NULL) {
|
||||
ret = ENOMEM;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
a->padata->len = 2;
|
||||
a->padata->val = calloc(a->padata->len, sizeof(*a->padata->val));
|
||||
if (a->padata->val == NULL) {
|
||||
for(i = 0; i < preauth->len; i++) {
|
||||
if(preauth->val[i].type == KRB5_PADATA_ENC_TIMESTAMP){
|
||||
int j;
|
||||
PA_DATA *tmp = realloc(a->padata->val,
|
||||
(a->padata->len +
|
||||
preauth->val[i].info.len) *
|
||||
sizeof(*a->padata->val));
|
||||
if(tmp == NULL) {
|
||||
ret = ENOMEM;
|
||||
goto fail;
|
||||
}
|
||||
a->padata->val = tmp;
|
||||
for(j = 0; j < preauth->val[i].info.len; j++) {
|
||||
krb5_keytype keytype = preauth->val[i].info.val[j].keytype;
|
||||
if(preauth->val[i].info.val[j].salttype ==
|
||||
KRB5_PA_AFS3_SALT) {
|
||||
if(keytype != KEYTYPE_DES) {
|
||||
ret = KRB5_PROG_KEYTYPE_NOSUPP;
|
||||
goto fail;
|
||||
}
|
||||
keytype = KEYTYPE_DES_AFS3;
|
||||
}
|
||||
add_padata(context, a->padata, creds->client,
|
||||
key_proc, keyseed, keytype,
|
||||
preauth->val[i].info.val[j].salt);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
} else
|
||||
/* not sure this is the way to use `ptypes' */
|
||||
if (ptypes == NULL || *ptypes == KRB5_PADATA_NONE)
|
||||
a->padata = NULL;
|
||||
else if (*ptypes == KRB5_PADATA_ENC_TIMESTAMP) {
|
||||
krb5_keytype keytype;
|
||||
ALLOC(a->padata, 1);
|
||||
if (a->padata == NULL) {
|
||||
ret = ENOMEM;
|
||||
goto fail;
|
||||
}
|
||||
a->padata->len = 0;
|
||||
a->padata->val = NULL;
|
||||
|
||||
ret = krb5_etype_to_keytype(context, etype, &keytype);
|
||||
if(ret)
|
||||
goto fail;
|
||||
|
||||
/* make a v5 salted pa-data */
|
||||
salt.length = 0;
|
||||
salt.data = NULL;
|
||||
ret = krb5_get_salt (creds->client, &salt);
|
||||
add_padata(context, a->padata, creds->client,
|
||||
key_proc, keyseed, keytype, NULL);
|
||||
|
||||
if (ret)
|
||||
goto fail;
|
||||
|
||||
{
|
||||
krb5_keytype keytype;
|
||||
ret = krb5_etype_to_keytype(context, etype, &keytype);
|
||||
if(ret){
|
||||
krb5_data_free(&salt);
|
||||
goto fail;
|
||||
}
|
||||
ret = (*key_proc)(context, keytype, &salt, keyseed, &key);
|
||||
krb5_data_free (&salt);
|
||||
}
|
||||
if (ret)
|
||||
goto fail;
|
||||
ret = make_pa_enc_timestamp(context, &a->padata->val[0], etype, key);
|
||||
krb5_free_keyblock_contents (context, key);
|
||||
free (key);
|
||||
if (ret)
|
||||
goto fail;
|
||||
/* make a v4 salted pa-data */
|
||||
salt.length = 0;
|
||||
salt.data = NULL;
|
||||
{
|
||||
krb5_keytype keytype;
|
||||
ret = krb5_etype_to_keytype(context, etype, &keytype);
|
||||
if(ret)
|
||||
goto fail;
|
||||
ret = (*key_proc)(context, keytype, &salt, keyseed, &key);
|
||||
}
|
||||
if (ret)
|
||||
goto fail;
|
||||
ret = make_pa_enc_timestamp(context, &a->padata->val[1], etype, key);
|
||||
krb5_free_keyblock_contents (context, key);
|
||||
free (key);
|
||||
if (ret)
|
||||
goto fail;
|
||||
krb5_data_zero(&salt);
|
||||
add_padata(context, a->padata, creds->client,
|
||||
key_proc, keyseed, keytype, &salt);
|
||||
} else {
|
||||
ret = KRB5_PREAUTH_BAD_TYPE;
|
||||
goto fail;
|
||||
@@ -486,6 +528,7 @@ krb5_get_in_cred(krb5_context context,
|
||||
const krb5_addresses *addrs,
|
||||
const krb5_enctype *etypes,
|
||||
const krb5_preauthtype *ptypes,
|
||||
const krb5_preauthdata *preauth,
|
||||
krb5_key_proc key_proc,
|
||||
krb5_const_pointer keyseed,
|
||||
krb5_decrypt_proc decrypt_proc,
|
||||
@@ -517,6 +560,7 @@ krb5_get_in_cred(krb5_context context,
|
||||
addrs,
|
||||
etypes,
|
||||
ptypes,
|
||||
preauth,
|
||||
key_proc,
|
||||
keyseed,
|
||||
nonce,
|
||||
@@ -635,6 +679,7 @@ krb5_get_in_tkt(krb5_context context,
|
||||
addrs,
|
||||
etypes,
|
||||
ptypes,
|
||||
NULL,
|
||||
key_proc,
|
||||
keyseed,
|
||||
decrypt_proc,
|
||||
|
||||
Reference in New Issue
Block a user