oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

encode fast state in the fast cookie

Browse Source
This commit is contained in:
Love Hörnquist Åstrand
2011-07-24 21:16:42 -07:00
parent 7f6f4206c6
commit 46f285bcc9
4 changed files with 155 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
kadmin/init.c
View File

@@ -232,6 +232,14 @@ init(struct init_options *opt, int argc, char **argv)
krb5_free_principal(context, princ); krb5_free_principal(context, princ);
/* Create `WELLKNONW/org.h5l.fast-cookie@WELLKNOWN:ORG.H5L' for FAST cookie */
krb5_make_principal(context, &princ, "WELLKNOWN:ORG.H5L",
KRB5_WELLKNOWN_NAME, "org.h5l.fast-cookie", NULL);
create_random_entry(princ, 60*60, 60*60,
KRB5_KDB_REQUIRES_PRE_AUTH|
KRB5_KDB_DISALLOW_TGT_BASED);
krb5_free_principal(context, princ);
/* Create `default' */ /* Create `default' */
{ {
kadm5_principal_ent_rec ent; kadm5_principal_ent_rec ent;

218
kdc/fast.c
View File

@@ -35,6 +35,140 @@
#include "kdc_locl.h" #include "kdc_locl.h"
static krb5_error_code
get_fastuser_crypto(kdc_request_t r, krb5_enctype enctype, krb5_crypto *crypto)
{
krb5_principal fast_princ;
hdb_entry_ex *fast_user = NULL;
Key *cookie_key = NULL;
krb5_error_code ret;
*crypto = NULL;
ret = krb5_make_principal(r->context, &fast_princ,
"WELLKNOWN:ORG.H5L",
"WELLKNOWN", "org.h5l.fast-cookie", NULL);
if (ret)
goto out;
ret = _kdc_db_fetch(r->context, r->config, fast_princ,
HDB_F_GET_CLIENT, NULL, NULL, &fast_user);
krb5_free_principal(r->context, fast_princ);
if (ret)
goto out;
if (enctype == KRB5_ENCTYPE_NULL)
ret = _kdc_get_preferred_key(r->context, r->config, fast_user,
"fast-cookie", &enctype, &cookie_key);
else
ret = hdb_enctype2key(r->context, &fast_user->entry,
enctype, &cookie_key);
if (ret)
goto out;
ret = krb5_crypto_init(r->context, &cookie_key->key, 0, crypto);
if (ret)
goto out;
out:
if (fast_user)
_kdc_free_ent(r->context, fast_user);
return ret;
}
static krb5_error_code
fast_parse_cookie(kdc_request_t r, const PA_DATA *pa)
{
krb5_crypto crypto = NULL;
krb5_error_code ret;
KDCFastCookie data;
krb5_data d1;
size_t len;
ret = decode_KDCFastCookie(pa->padata_value.data,
pa->padata_value.length,
&data, &len);
if (ret)
return ret;
if (len != pa->padata_value.length || strcmp("H5L1", data.version) != 0) {
free_KDCFastCookie(&data);
return KRB5KDC_ERR_POLICY;
}
ret = get_fastuser_crypto(r, data.cookie.etype, &crypto);
if (ret)
goto out;
ret = krb5_decrypt_EncryptedData(r->context, crypto,
KRB5_KU_H5L_COOKIE,
&data.cookie, &d1);
krb5_crypto_destroy(r->context, crypto);
if (ret)
goto out;
ret = decode_KDCFastState(d1.data, d1.length, &r->fast, &len);
krb5_data_free(&d1);
if (ret)
goto out;
out:
free_KDCFastCookie(&data);
return ret;
}
static krb5_error_code
fast_add_cookie(kdc_request_t r, METHOD_DATA *method_data)
{
krb5_crypto crypto = NULL;
KDCFastCookie shell;
krb5_error_code ret;
krb5_data data;
size_t size;
memset(&shell, 0, sizeof(shell));
ASN1_MALLOC_ENCODE(KDCFastState, data.data, data.length,
&r->fast, &size, ret);
if (ret)
return ret;
heim_assert(size == data.length, "internal asn1 encoder error");
ret = get_fastuser_crypto(r, KRB5_ENCTYPE_NULL, &crypto);
if (ret)
goto out;
ret = krb5_encrypt_EncryptedData(r->context, crypto,
KRB5_KU_H5L_COOKIE,
data.data, data.length, 0,
&shell.cookie);
krb5_crypto_destroy(r->context, crypto);
if (ret)
goto out;
free(data.data);
shell.version = "H5L1";
ASN1_MALLOC_ENCODE(KDCFastCookie, data.data, data.length,
&shell, &size, ret);
free_EncryptedData(&shell.cookie);
if (ret)
return ret;
heim_assert(size == data.length, "internal asn1 encoder error");
ret = krb5_padata_add(r->context, method_data,
KRB5_PADATA_FX_COOKIE,
data.data, data.length);
out:
if (ret)
free(data.data);
return ret;
}
krb5_error_code krb5_error_code
_kdc_fast_mk_response(krb5_context context, _kdc_fast_mk_response(krb5_context context,
krb5_crypto armor_crypto, krb5_crypto armor_crypto,
@@ -96,6 +230,7 @@ _kdc_fast_mk_response(krb5_context context,
krb5_error_code krb5_error_code
_kdc_fast_mk_error(krb5_context context, _kdc_fast_mk_error(krb5_context context,
kdc_request_t r,
METHOD_DATA *error_method, METHOD_DATA *error_method,
krb5_crypto armor_crypto, krb5_crypto armor_crypto,
const KDC_REQ_BODY *req_body, const KDC_REQ_BODY *req_body,
@@ -147,11 +282,17 @@ _kdc_fast_mk_error(krb5_context context,
e_text = NULL; e_text = NULL;
} }
ret = krb5_padata_add(context, error_method, if (r)
KRB5_PADATA_FX_COOKIE, ret = fast_add_cookie(r, error_method);
NULL, 0); else
if (ret) ret = krb5_padata_add(context, error_method,
KRB5_PADATA_FX_COOKIE,
NULL, 0);
if (ret) {
kdc_log(r->context, r->config, 0, "failed to add fast cookie with: %d", ret);
free_METHOD_DATA(error_method);
return ret; return ret;
}
ret = _kdc_fast_mk_response(context, armor_crypto, ret = _kdc_fast_mk_response(context, armor_crypto,
error_method, NULL, NULL, error_method, NULL, NULL,
@@ -165,9 +306,6 @@ _kdc_fast_mk_error(krb5_context context,
e_data.data, e_data.length); e_data.data, e_data.length);
if (ret) if (ret)
return ret; return ret;
if (ret)
return ret;
} }
if (error_method && error_method->len) { if (error_method && error_method->len) {
@@ -193,72 +331,6 @@ _kdc_fast_mk_error(krb5_context context,
return ret; return ret;
} }
static krb5_error_code
fast_parse_cookie(kdc_request_t r, const PA_DATA *pa)
{
krb5_principal fast_princ;
hdb_entry_ex *fast_user = NULL;
krb5_crypto crypto = NULL;
Key *cookie_key = NULL;
krb5_error_code ret;
KDCFastCookie data;
krb5_data d1;
size_t len;
ret = decode_KDCFastCookie(pa->padata_value.data,
pa->padata_value.length,
&data, &len);
if (ret)
return ret;
if (len != pa->padata_value.length || strcmp("H5L1", data.version) != 0) {
free_KDCFastCookie(&data);
return KRB5KDC_ERR_POLICY;
}
ret = krb5_make_principal(r->context, &fast_princ,
"WELLKNOWN:ORG.H5L",
"WELLKNOWN", "org.h5l.fast-cookie", NULL);
if (ret)
goto out;
ret = _kdc_db_fetch(r->context, r->config, fast_princ,
HDB_F_GET_CLIENT, NULL, NULL, &fast_user);
krb5_free_principal(r->context, fast_princ);
if (ret)
goto out;
ret = hdb_enctype2key(r->context, &fast_user->entry,
data.cookie.etype, &cookie_key);
if (ret)
goto out;
ret = krb5_crypto_init(r->context, &cookie_key->key, 0, &crypto);
if (ret)
goto out;
ret = krb5_decrypt_EncryptedData(r->context, crypto,
KRB5_KU_H5L_COOKIE,
&data.cookie, &d1);
krb5_crypto_destroy(r->context, crypto);
if (ret)
goto out;
ret = decode_KDCFastState(d1.data, d1.length, &r->fast, &len);
krb5_data_free(&d1);
if (ret)
goto out;
out:
free_KDCFastCookie(&data);
if (fast_user)
_kdc_free_ent(r->context, fast_user);
return ret;
}
krb5_error_code krb5_error_code
_kdc_fast_unwrap_request(kdc_request_t r) _kdc_fast_unwrap_request(kdc_request_t r)
{ {

2
kdc/kerberos5.c
View File

@@ -2158,7 +2158,7 @@ out:
* In case of a non proxy error, build an error message. * In case of a non proxy error, build an error message.
*/ */
if(ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE) { if(ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE) {
ret = _kdc_fast_mk_error(context, ret = _kdc_fast_mk_error(context, r,
&error_method, &error_method,
r->armor_crypto, r->armor_crypto,
&req->req_body, &req->req_body,

2
kdc/krb5tgs.c
View File

@@ -2362,7 +2362,7 @@ out:
kdc_log(context, config, 10, "tgs-req: sending error: %d to client", ret); kdc_log(context, config, 10, "tgs-req: sending error: %d to client", ret);
ret = _kdc_fast_mk_error(context, ret = _kdc_fast_mk_error(context, NULL,
&error_method, &error_method,
NULL, NULL,
NULL, NULL,