kdc: avoid re-encoding KDC-REQ-BODY

Use --preserve-binary=KDC-REQ-BODY option to ASN.1 compiler to avoid re-encoding KDC-REQ-BODYs for verification in GSS preauth, TGS and PKINIT.
2021-09-13 13:50:45 +10:00
parent 908ef18c9f
commit ebfd48e40a
5 changed files with 8 additions and 56 deletions
--- a/kdc/fast.c
+++ b/kdc/fast.c
@@ -357,7 +357,6 @@ fast_unwrap_request(astgs_request_t r)
    krb5_keyblock armorkey;
    krb5_error_code ret;
    krb5_ap_req ap_req;
-    unsigned char *buf = NULL;
    KrbFastReq fastreq;
    size_t len, size;
    krb5_data data;
@@ -476,18 +475,10 @@ fast_unwrap_request(astgs_request_t r)
    krb5_free_keyblock_contents(r->context, &armorkey);

    /* verify req-checksum of the outer body */
-
-    ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, len, &r->req.req_body, &size, ret);
-    if (ret)
-	goto out;
-    if (size != len) {
-	ret = KRB5KDC_ERR_PREAUTH_FAILED;
-	goto out;
-    }
-
    ret = krb5_verify_checksum(r->context, r->armor_crypto,
 			       KRB5_KU_FAST_REQ_CHKSUM,
-			       buf, len, 
+			       r->req.req_body._save.data,
+			       r->req.req_body._save.length,
 			       &fxreq.u.armored_data.req_checksum);
    if (ret) {
 	kdc_log(r->context, r->config, 2,
@@ -548,7 +539,6 @@ fast_unwrap_request(astgs_request_t r)
 	krb5_free_principal(r->context, armor_server);
    if(armor_user)
 	_kdc_free_ent(r->context, armor_user);
-    free(buf);

    return ret;
 }