From 2c65e2f43121b1d4a242b14d9b4c04cc48b40d24 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= <lha@kth.se>
Date: Tue, 10 May 2005 19:37:44 +0000
Subject: [PATCH] (as_rep): search for pkinit-9, pkinit-19, and pkinit-25
 pa-data, return empty pkinit pa-data in the PREAUTH_REQUIRED krb-error

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15115 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/kerberos5.c | 52 +++++++++++++++++++++++++++++++++++++------------
 1 file changed, 40 insertions(+), 12 deletions(-)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 060e598e7..d3c4235c1 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -741,21 +741,33 @@ as_rep(KDC_REQ *req,
 #ifdef PKINIT
 	kdc_log(5, "Looking for PKINIT pa-data -- %s", client_name);
 
-	i = 0;
 	e_text = "No PKINIT PA found";
-	while((pa = find_padata(req, &i, KRB5_PADATA_PK_AS_REQ))){
+
+	i = 0;
+	if ((pa = find_padata(req, &i, KRB5_PADATA_PK_AS_REQ)))
+	    ;
+	if (pa == NULL) {
+	    i = 0;
+	    if((pa = find_padata(req, &i, KRB5_PADATA_PK_AS_REQ_19)))
+		;
+	}
+	if (pa == NULL) {
+	    i = 0;
+	    if((pa = find_padata(req, &i, KRB5_PADATA_PK_AS_REQ_WIN)))
+		;
+	}
+	if (pa) {
 	    char *client_cert = NULL;
-	    found_pa = 1;
-	    
+
 	    ret = pk_rd_padata(context, req, pa, &pkp);
 	    if (ret) {
 		ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
 		kdc_log(5, "Failed to decode PKINIT PA-DATA -- %s", 
 			client_name);
-		continue;
+		goto ts_enc;
 	    }
 	    if (ret == 0 && pkp == NULL)
-		continue;
+		goto ts_enc;
 
 	    ret = pk_check_client(context, 
 				  client_princ, 
@@ -767,16 +779,17 @@ as_rep(KDC_REQ *req,
 		    "impersonate principal";
 		pk_free_client_param(context, pkp);
 		pkp = NULL;
-		goto preauth_done;
+		goto ts_enc;
 	    }
+	    found_pa = 1;
 	    et.flags.pre_authent = 1;
 	    kdc_log(2, "PKINIT pre-authentication succeeded -- %s using %s", 
 		    client_name, client_cert);
 	    free(client_cert);
-	    break;
+	    if (pkp)
+		goto preauth_done;
 	}
-	if (pkp)
-	    goto preauth_done;
+    ts_enc:
 #endif
 	kdc_log(5, "Looking for ENC-TS pa-data -- %s", client_name);
 
@@ -903,6 +916,20 @@ as_rep(KDC_REQ *req,
 	pa->padata_value.length	= 0;
 	pa->padata_value.data	= NULL;
 
+#ifdef PKINIT
+	ret = realloc_method_data(&method_data);
+	pa = &method_data.val[method_data.len-1];
+	pa->padata_type		= KRB5_PADATA_PK_AS_REQ;
+	pa->padata_value.length	= 0;
+	pa->padata_value.data	= NULL;
+
+	ret = realloc_method_data(&method_data);
+	pa = &method_data.val[method_data.len-1];
+	pa->padata_type		= KRB5_PADATA_PK_AS_REQ_19;
+	pa->padata_value.length	= 0;
+	pa->padata_value.data	= NULL;
+#endif
+
 	/* XXX check ret */
 	if (only_older_enctype_p(req))
 	    ret = get_pa_etype_info(&method_data, client, 
@@ -920,7 +947,7 @@ as_rep(KDC_REQ *req,
 	ret = KRB5KDC_ERR_PREAUTH_REQUIRED;
 	krb5_mk_error(context,
 		      ret,
-		      "Need to use PA-ENC-TIMESTAMP",
+		      "Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ",
 		      &foo_data,
 		      client_princ,
 		      server_princ,
@@ -928,7 +955,8 @@ as_rep(KDC_REQ *req,
 		      NULL,
 		      reply);
 	free(buf);
-	kdc_log(0, "No PA-ENC-TIMESTAMP -- %s", client_name);
+	kdc_log(0, "No preauth found, returning PREAUTH-REQUIRED -- %s",
+		client_name);
 	ret = 0;
 	goto out2;
     }