Pass both version5 and version4 salted pa-data. DTRT if there is any

pa-data in the reply.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@2471 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Johan Danielsson
1997-07-19 07:59:01 +00:00
parent 1e5d844c1e
commit 94cbc8ee82

View File

@@ -48,10 +48,10 @@ krb5_init_etype (krb5_context context,
{
int i;
krb5_error_code ret;
const krb5_enctype *tmp;
krb5_enctype *tmp;
if (etypes)
tmp = etypes;
tmp = (krb5_enctype*)etypes;
else {
ret = krb5_get_default_in_tkt_etypes(context,
&tmp);
@@ -181,15 +181,60 @@ extract_ticket(krb5_context context,
return err;
}
/*
*
*/
static krb5_error_code
make_pa_enc_timestamp(krb5_context context, PA_DATA *pa, krb5_keyblock *key)
{
PA_ENC_TS_ENC p;
u_char buf[1024];
size_t len;
EncryptedData encdata;
krb5_error_code ret;
p.patimestamp = time(NULL);
p.pausec = NULL;
ret = encode_PA_ENC_TS_ENC(buf + sizeof(buf) - 1,
sizeof(buf),
&p,
&len);
if (ret)
return ret;
/*
* According to the spec this is the only encryption method
* that must be supported so it's the safest choice. On the
* other hand, old KDCs might not support it.
*/
ret = krb5_encrypt_EncryptedData(context,
buf + sizeof(buf) - len,
len,
ETYPE_DES_CBC_MD5,
key,
&encdata);
if (ret)
return ret;
ret = encode_EncryptedData(buf + sizeof(buf) - 1,
sizeof(buf),
&encdata,
&len);
free_EncryptedData(&encdata);
if (ret)
return ret;
pa->padata_type = pa_enc_timestamp;
pa->padata_value.length = 0;
krb5_data_copy(&pa->padata_value,
buf + sizeof(buf) - len,
len);
return 0;
}
krb5_error_code
krb5_get_in_tkt(krb5_context context,
krb5_flags options,
const krb5_addresses *addrs,
/* krb5_address *const *addrs,*/
const krb5_enctype *etypes,
const krb5_preauthtype *ptypes,
krb5_key_proc key_proc,
@@ -213,6 +258,7 @@ krb5_get_in_tkt(krb5_context context,
krb5_flags i;
KDCOptions f;
} opts;
PA_DATA *pa;
opts.i = options;
memset(&a, 0, sizeof(a));
@@ -254,82 +300,36 @@ krb5_get_in_tkt(krb5_context context,
a.req_body.enc_authorization_data = NULL;
a.req_body.additional_tickets = NULL;
/*
* moved the call of `key_proc' here so that the key is available
* when/if creating pre-authentication. This will failed when
* using different encryption/string-to-key algorithms for the
* initial PA-ENC-TS-ENC and the decryption of the ticket.
*/
salt.length = 0;
salt.data = NULL;
ret = krb5_get_salt (creds->client, &salt);
if (ret)
return ret;
ret = (*key_proc)(context, *(a.req_body.etype.val), &salt,
keyseed, &key);
krb5_data_free (&salt);
if (ret)
return ret;
/* not sure this is the way to use `ptypes' */
if (ptypes == NULL || *ptypes == KRB5_PADATA_NONE)
a.padata = NULL;
else if (*ptypes == KRB5_PADATA_ENC_TIMESTAMP) {
PA_ENC_TS_ENC p;
u_char buf[1024];
struct timeval tv;
size_t len;
unsigned foo;
EncryptedData encdata;
gettimeofday (&tv, NULL);
p.patimestamp = tv.tv_sec;
foo = tv.tv_usec;
p.pausec = &foo;
ret = encode_PA_ENC_TS_ENC(buf + sizeof(buf) - 1,
sizeof(buf),
&p,
&len);
if (ret)
return ret;
a.padata = malloc(sizeof(*a.padata));
a.padata->len = 1;
a.padata->val = malloc(sizeof(*a.padata->val));
a.padata->val->padata_type = pa_enc_timestamp;
a.padata->val->padata_value.length = 0;
/*
* According to the spec this is the only encryption method
* that must be supported so it's the safest choice. On the
* other hand, old KDCs might not support it.
*/
encdata.etype = ETYPE_DES_CBC_MD5;
encdata.kvno = NULL;
ret = krb5_encrypt (context,
buf + sizeof(buf) - len,
len,
encdata.etype,
key,
&encdata.cipher);
a.padata->len = 2;
a.padata->val = calloc(a.padata->len, sizeof(*a.padata->val));
/* make a v5 salted pa-data */
salt.length = 0;
salt.data = NULL;
ret = krb5_get_salt (creds->client, &salt);
if (ret)
return ret;
ret = encode_EncryptedData(buf + sizeof(buf) - 1,
sizeof(buf),
&encdata,
&len);
krb5_data_free(&encdata.cipher);
ret = (*key_proc)(context, *(a.req_body.etype.val), &salt,
keyseed, &key);
krb5_data_free (&salt);
if (ret)
return ret;
krb5_data_copy(&a.padata->val->padata_value,
buf + sizeof(buf) - len,
len);
make_pa_enc_timestamp(context, &a.padata->val[0], key);
/* make a v4 salted pa-data */
salt.length = 0;
salt.data = NULL;
ret = (*key_proc)(context, *(a.req_body.etype.val), &salt,
keyseed, &key);
if (ret)
return ret;
make_pa_enc_timestamp(context, &a.padata->val[1], key);
} else
return KRB5_PREAUTH_BAD_TYPE;
@@ -366,6 +366,30 @@ krb5_get_in_tkt(krb5_context context,
}
krb5_data_free(&resp);
pa = NULL;
if(rep.part1.padata){
int index = 0;
pa = krb5_find_padata(rep.part1.padata->val, rep.part1.padata->len,
pa_pw_salt, &index);
}
if(pa)
ret = (*key_proc)(context, *(a.req_body.etype.val),
&pa->padata_value, keyseed, &key);
else{
/* make a v5 salted pa-data */
salt.length = 0;
salt.data = NULL;
ret = krb5_get_salt (creds->client, &salt);
if (ret)
return ret;
ret = (*key_proc)(context, *(a.req_body.etype.val), &salt,
keyseed, &key);
krb5_data_free (&salt);
if (ret)
return ret;
}
ret = extract_ticket(context, &rep, creds, key, keyseed,
decrypt_proc, decryptarg);
memset (key->keyvalue.data, 0, key->keyvalue.length);