oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

(as_rep): search for pkinit-9, pkinit-19, and pkinit-25 pa-data,

Browse Source 
return empty pkinit pa-data in the PREAUTH_REQUIRED krb-error


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15115 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2005-05-10 19:37:44 +00:00
parent bdd471607e
commit 2c65e2f431
1 changed files with 40 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
kdc/kerberos5.c
View File

@@ -741,21 +741,33 @@ as_rep(KDC_REQ *req,
#ifdef PKINIT #ifdef PKINIT
kdc_log(5, "Looking for PKINIT pa-data -- %s", client_name); kdc_log(5, "Looking for PKINIT pa-data -- %s", client_name);
i = 0;
e_text = "No PKINIT PA found"; e_text = "No PKINIT PA found";
while((pa = find_padata(req, &i, KRB5_PADATA_PK_AS_REQ))){
i = 0;
if ((pa = find_padata(req, &i, KRB5_PADATA_PK_AS_REQ)))
;
if (pa == NULL) {
i = 0;
if((pa = find_padata(req, &i, KRB5_PADATA_PK_AS_REQ_19)))
;
}
if (pa == NULL) {
i = 0;
if((pa = find_padata(req, &i, KRB5_PADATA_PK_AS_REQ_WIN)))
;
}
if (pa) {
char *client_cert = NULL; char *client_cert = NULL;
found_pa = 1;
ret = pk_rd_padata(context, req, pa, &pkp); ret = pk_rd_padata(context, req, pa, &pkp);
if (ret) { if (ret) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
kdc_log(5, "Failed to decode PKINIT PA-DATA -- %s", kdc_log(5, "Failed to decode PKINIT PA-DATA -- %s",
client_name); client_name);
continue; goto ts_enc;
} }
if (ret == 0 && pkp == NULL) if (ret == 0 && pkp == NULL)
continue; goto ts_enc;
ret = pk_check_client(context, ret = pk_check_client(context,
client_princ, client_princ,
@@ -767,16 +779,17 @@ as_rep(KDC_REQ *req,
"impersonate principal"; "impersonate principal";
pk_free_client_param(context, pkp); pk_free_client_param(context, pkp);
pkp = NULL; pkp = NULL;
goto preauth_done; goto ts_enc;
} }
found_pa = 1;
et.flags.pre_authent = 1; et.flags.pre_authent = 1;
kdc_log(2, "PKINIT pre-authentication succeeded -- %s using %s", kdc_log(2, "PKINIT pre-authentication succeeded -- %s using %s",
client_name, client_cert); client_name, client_cert);
free(client_cert); free(client_cert);
break; if (pkp)
goto preauth_done;
} }
if (pkp) ts_enc:
goto preauth_done;
#endif #endif
kdc_log(5, "Looking for ENC-TS pa-data -- %s", client_name); kdc_log(5, "Looking for ENC-TS pa-data -- %s", client_name);
@@ -903,6 +916,20 @@ as_rep(KDC_REQ *req,
pa->padata_value.length = 0; pa->padata_value.length = 0;
pa->padata_value.data = NULL; pa->padata_value.data = NULL;
#ifdef PKINIT
ret = realloc_method_data(&method_data);
pa = &method_data.val[method_data.len-1];
pa->padata_type = KRB5_PADATA_PK_AS_REQ;
pa->padata_value.length = 0;
pa->padata_value.data = NULL;
ret = realloc_method_data(&method_data);
pa = &method_data.val[method_data.len-1];
pa->padata_type = KRB5_PADATA_PK_AS_REQ_19;
pa->padata_value.length = 0;
pa->padata_value.data = NULL;
#endif
/* XXX check ret */ /* XXX check ret */
if (only_older_enctype_p(req)) if (only_older_enctype_p(req))
ret = get_pa_etype_info(&method_data, client, ret = get_pa_etype_info(&method_data, client,
@@ -920,7 +947,7 @@ as_rep(KDC_REQ *req,
ret = KRB5KDC_ERR_PREAUTH_REQUIRED; ret = KRB5KDC_ERR_PREAUTH_REQUIRED;
krb5_mk_error(context, krb5_mk_error(context,
ret, ret,
"Need to use PA-ENC-TIMESTAMP", "Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ",
&foo_data, &foo_data,
client_princ, client_princ,
server_princ, server_princ,
@@ -928,7 +955,8 @@ as_rep(KDC_REQ *req,
NULL, NULL,
reply); reply);
free(buf); free(buf);
kdc_log(0, "No PA-ENC-TIMESTAMP -- %s", client_name); kdc_log(0, "No preauth found, returning PREAUTH-REQUIRED -- %s",
client_name);
ret = 0; ret = 0;
goto out2; goto out2;
} }