diff options
| author | Greg Hudson <ghudson@mit.edu> | 2013-12-05 20:32:05 -0500 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2013-12-06 21:00:11 -0500 |
| commit | 55c3a5f69919c2b5435bac0cb48ab09b11be869c (patch) | |
| tree | ac3395038d5ca0aa9016642c8b913f7108848f5c /src/lib/krb5 | |
| parent | 68d7fcf11553c29a2e0c28a57896fbce4a3ef611 (diff) | |
| download | krb5-55c3a5f69919c2b5435bac0cb48ab09b11be869c.tar.gz krb5-55c3a5f69919c2b5435bac0cb48ab09b11be869c.tar.xz krb5-55c3a5f69919c2b5435bac0cb48ab09b11be869c.zip | |
Fix S4U2Self against non-FAST KDCs
When we added FAST TGS support in 1.11, we broke S4U2Self against KDCs
which don't support FAST, because the S4U2Self padata is only present
within the FAST request. For now, duplicate that padata in the outer
request so that both FAST and non-FAST KDCs can see it.
ticket: 7791
target_version: 1.11.5
tags: pullup
Diffstat (limited to 'src/lib/krb5')
| -rw-r--r-- | src/lib/krb5/krb/fast.c | 39 |
1 files changed, 34 insertions, 5 deletions
diff --git a/src/lib/krb5/krb/fast.c b/src/lib/krb5/krb/fast.c index 84eaca441b..56e61a63a5 100644 --- a/src/lib/krb5/krb/fast.c +++ b/src/lib/krb5/krb/fast.c @@ -225,6 +225,32 @@ krb5int_fast_as_armor(krb5_context context, return retval; } +/* + * Construct a list of outer request padata for a TGS request. Since we do + * FAST TGS even when we don't have reason to believe the KDC supports FAST, + * the outer padata has to contain duplicates of the inner padata (such as + * S4U2Self padata) as well as the PA-TGS-REQ and PA-FX-FAST padata. The + * caller must free *out_padata with free() as it is not a deep copy. + */ +static krb5_error_code +make_tgs_outer_padata(krb5_pa_data *tgs, krb5_pa_data *fast, + krb5_pa_data **other, krb5_pa_data ***out_padata) +{ + krb5_pa_data **pa_list; + size_t i; + + *out_padata = NULL; + for (i = 0; other[i] != NULL; i++); + pa_list = calloc(i + 3, sizeof(*pa_list)); + if (pa_list == NULL) + return ENOMEM; + pa_list[0] = tgs; + pa_list[1] = fast; + for (i = 0; other[i] != NULL; i++) + pa_list[i + 2] = other[i]; + *out_padata = pa_list; + return 0; +} krb5_error_code krb5int_fast_prep_req(krb5_context context, @@ -235,7 +261,7 @@ krb5int_fast_prep_req(krb5_context context, krb5_data **encoded_request) { krb5_error_code retval = 0; - krb5_pa_data *pa_array[3]; + krb5_pa_data *pa_array[2], **pa_tgs_array = NULL; krb5_pa_data pa[2]; krb5_fast_req fast_req; krb5_pa_data *tgs = NULL; @@ -299,12 +325,14 @@ krb5int_fast_prep_req(krb5_context context, pa[0].contents = (unsigned char *) encoded_armored_req->data; pa[0].length = encoded_armored_req->length; if (tgs) { - pa_array[0] = tgs; - pa_array[1] = &pa[0]; - } else + retval = make_tgs_outer_padata(tgs, pa, request->padata, + &pa_tgs_array); + state->fast_outer_request.padata = pa_tgs_array; + } else { pa_array[0] = &pa[0]; + state->fast_outer_request.padata = pa_array; + } } - state->fast_outer_request.padata = pa_array; if (retval == 0) retval = encoder(&state->fast_outer_request, &local_encoded_result); if (retval == 0) { @@ -326,6 +354,7 @@ krb5int_fast_prep_req(krb5_context context, free(tgs); } state->fast_outer_request.padata = NULL; + free(pa_tgs_array); return retval; } |