author | Greg Hudson <ghudson@mit.edu> | 2011-11-14 21:45:33 +0000 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2011-11-14 21:45:33 +0000 |
commit | b87d9d3c376c2623ae9eb0cfc8da50985c7bb592 (patch) | |
tree | ecd9df8a753a5d129b9f3cdb3a5bb8d36aaebc06 /src/kdc/fast_util.c | |
parent | 6a1f05eb0fb5451c887e73406fb8fcf5a3716d1c (diff) | |
Simplify and fix kdcpreauth request_body callback
Alter the contract for the kdcpreauth request_body callback so that it
returns an alias to the encoded body instead of a fresh copy. At the
beginning of AS request processing, save a copy of the encoded request
body, or the encoded inner request body for FAST requests. Previously
the request_body callback would re-encode the request structure, which
in some cases has been modified by the AS request code.
No kdcpreauth modules currently use the request_body callback, but
PKINIT will need to start using it in order to handle FAST requests
correctly.
ticket: 7017
target_version: 1.10
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25473 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kdc/fast_util.c')
-rw-r--r-- | src/kdc/fast_util.c | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
index 96c8c1394..f3e037d53 100644
--- a/src/kdc/fast_util.c
+++ b/src/kdc/fast_util.c
@@ -126,11 +126,12 @@ kdc_find_fast(krb5_kdc_req **requestptr,
 krb5_data *checksummed_data,
 krb5_keyblock *tgs_subkey,
 krb5_keyblock *tgs_session,
- struct kdc_request_state *state)
+ struct kdc_request_state *state,
+ krb5_data **inner_body_out)
 {
 krb5_error_code retval = 0;
 krb5_pa_data *fast_padata, *cookie_padata = NULL;
- krb5_data scratch;
+ krb5_data scratch, *inner_body = NULL;
 krb5_fast_req * fast_req = NULL;
 krb5_kdc_req *request = *requestptr;
 krb5_fast_armored_req *fast_armored_req = NULL;
@@ -138,6 +139,8 @@ kdc_find_fast(krb5_kdc_req **requestptr,
 krb5_boolean cksum_valid;
 krb5_keyblock empty_keyblock;
+ if (inner_body_out != NULL)
+ *inner_body_out = NULL;
 scratch.data = NULL;
 krb5_clear_error_message(kdc_context);
 memset(&empty_keyblock, 0, sizeof(krb5_keyblock));
@@ -192,6 +195,14 @@ kdc_find_fast(krb5_kdc_req **requestptr,
 &plaintext);
 if (retval == 0)
 retval = decode_krb5_fast_req(&plaintext, &fast_req);
+ if (retval == 0 && inner_body_out != NULL) {
+ retval = fetch_asn1_field((unsigned char *)plaintext.data,
+ 1, 2, &scratch);
+ if (retval == 0) {
+ retval = krb5_copy_data(kdc_context, &scratch,
+ &inner_body);
+ }
+ }
 if (plaintext.data)
 free(plaintext.data);
 }
@@ -247,6 +258,11 @@ kdc_find_fast(krb5_kdc_req **requestptr,
 }
 }
 }
+ if (retval == 0 && inner_body_out != NULL) {
+ *inner_body_out = inner_body;
+ inner_body = NULL;
+ }
+ krb5_free_data(kdc_context, inner_body);
 if (fast_req)
 krb5_free_fast_req( kdc_context, fast_req);
 if (fast_armored_req) |
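Review bot: The new `inner_body_out` parameter in the `@@ -126,11` hunk has no stated contract, and callers need one because it transfers ownership of heap data. From the later hunks it is optional (NULL is accepted), cleared to NULL on entry, and filled with a `krb5_copy_data` copy only when the function succeeds; it appears to stay NULL on success when the FAST decode path is not taken, so a caller has to treat NULL as "use the outer body" rather than as an error. I would add a comment above `kdc_find_fast` along the lines of `/* If inner_body_out is non-null, *inner_body_out receives a copy of the encoded inner req-body on success (NULL if the request is not FAST-armored); the caller frees it with krb5_free_data(). */`. The function's definition starts above this hunk, so the exact placement has to be checked against the full file.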
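Review bot: `fetch_asn1_field` in the `@@ -192,6` hunk is handed only a pointer into `plaintext.data` with no length, so its walk over the decrypted, client-supplied bytes is bounded only by the fact that `decode_krb5_fast_req` accepted the same buffer first. That ordering is a safety invariant and deserves a comment, together with the meaning of the bare `1, 2` arguments, for example `/* Safe only after a successful decode; level 1, field 2 is req-body of KrbFastReq. */`. In addition, `scratch` appears to be left aliasing `plaintext.data`, which is freed two lines later; the copy into `inner_body` is taken before the free, but clearing the alias right after the copy (`scratch.data = NULL; scratch.length = 0;`) would keep any later use of `scratch` in this function from touching freed memory. Whether `scratch` is read again further down is outside this hunk and should be confirmed.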