authorGreg Hudson <ghudson@mit.edu>2011-11-21 21:14:39 +0000
committerGreg Hudson <ghudson@mit.edu>2011-11-21 21:14:39 +0000
commit3fe47057c7535f4603825a01fb84262b7bfa4c55 (patch)
treebe7bef0585d0635d1683cdbe215f8d09824b7bba /src/plugins
parentf7805327f31940d27e78aecc339108c138f0bec4 (diff)
Clean up client-side preauth error data handling
Change the clpreauth tryagain method to accept a list of pa-data, taken either from the FAST response or from decoding the e_data as either pa-data or typed-data. Also change the in_padata argument to contain just the type of the request padata rather than the whole element, since modules generally shouldn't care about the contents of their request padata (or they can remember it). In krb5int_fast_process_error, no longer re-encode FAST pa-data as typed-data for the inner error e_data, but decode traditional error e_data for all error types, and try both pa-data and typed-data encoding. In PKINIT, try all elements of the new pa-data list, since it may contain FAST elements as well as the actual PKINIT array. (Fixes an outstanding bug in FAST PKINIT.) ticket: 7023 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25483 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins')
-rw-r--r--src/plugins/preauth/pkinit/pkinit_clnt.c113
1 files changed, 52 insertions, 61 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 2e5afef75..ad354cf0b 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -93,7 +93,7 @@ pa_pkinit_gen_req(krb5_context context,
pkinit_context plgctx,
pkinit_req_context reqctx,
krb5_kdc_req * request,
- krb5_pa_data * in_padata,
+ krb5_preauthtype pa_type,
krb5_pa_data *** out_padata,
krb5_prompter_fct prompter,
void *prompter_data,
@@ -110,7 +110,7 @@ pa_pkinit_gen_req(krb5_context context,
krb5_pa_data **return_pa_data = NULL;
cksum.contents = NULL;
- reqctx->pa_type = in_padata->pa_type;
+ reqctx->pa_type = pa_type;
pkiDebug("kdc_options = 0x%x till = %d\n",
request->kdc_options, request->till);
@@ -183,10 +183,10 @@ pa_pkinit_gen_req(krb5_context context,
return_pa_data[0]->magic = KV5M_PA_DATA;
- if (in_padata->pa_type == KRB5_PADATA_PK_AS_REQ_OLD)
+ if (pa_type == KRB5_PADATA_PK_AS_REQ_OLD)
return_pa_data[0]->pa_type = KRB5_PADATA_PK_AS_REP_OLD;
else
- return_pa_data[0]->pa_type = in_padata->pa_type;
+ return_pa_data[0]->pa_type = pa_type;
return_pa_data[0]->length = out_data->length;
return_pa_data[0]->contents = (krb5_octet *) out_data->data;
@@ -1084,7 +1084,7 @@ pkinit_client_process(krb5_context context, krb5_clpreauth_moddata moddata,
return retval;
}
retval = pa_pkinit_gen_req(context, plgctx, reqctx, request,
- in_padata, out_padata, prompter,
+ in_padata->pa_type, out_padata, prompter,
prompter_data, gic_opt);
} else {
/*
@@ -1110,85 +1110,76 @@ pkinit_client_tryagain(krb5_context context, krb5_clpreauth_moddata moddata,
krb5_clpreauth_callbacks cb, krb5_clpreauth_rock rock,
krb5_kdc_req *request, krb5_data *encoded_request_body,
krb5_data *encoded_previous_request,
- krb5_pa_data *in_padata, krb5_error *err_reply,
- krb5_prompter_fct prompter, void *prompter_data,
- krb5_pa_data ***out_padata)
+ krb5_preauthtype pa_type, krb5_error *err_reply,
+ krb5_pa_data **err_padata, krb5_prompter_fct prompter,
+ void *prompter_data, krb5_pa_data ***out_padata)
{
krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED;
pkinit_context plgctx = (pkinit_context)moddata;
pkinit_req_context reqctx = (pkinit_req_context)modreq;
- krb5_typed_data **typed_data = NULL;
+ krb5_pa_data *pa;
krb5_data scratch;
- krb5_external_principal_identifier **krb5_trusted_certifiers = NULL;
+ krb5_external_principal_identifier **certifiers = NULL;
krb5_algorithm_identifier **algId = NULL;
int do_again = 0;
pkiDebug("pkinit_client_tryagain %p %p %p %p\n",
context, plgctx, reqctx, request);
- if (reqctx->pa_type != in_padata->pa_type)
+ if (reqctx->pa_type != pa_type || err_padata == NULL)
return retval;
-#ifdef DEBUG_ASN1
- print_buffer_bin((unsigned char *)err_reply->e_data.data,
- err_reply->e_data.length, "/tmp/client_edata");
-#endif
- retval = k5int_decode_krb5_typed_data(&err_reply->e_data, &typed_data);
- if (retval) {
- pkiDebug("decode_krb5_typed_data failed\n");
- goto cleanup;
- }
-#ifdef DEBUG_ASN1
- print_buffer_bin(typed_data[0]->data, typed_data[0]->length,
- "/tmp/client_typed_data");
-#endif
- OCTETDATA_TO_KRB5DATA(typed_data[0], &scratch);
-
- switch(typed_data[0]->type) {
- case TD_TRUSTED_CERTIFIERS:
- case TD_INVALID_CERTIFICATES:
- retval = k5int_decode_krb5_td_trusted_certifiers(&scratch,
- &krb5_trusted_certifiers);
- if (retval) {
- pkiDebug("failed to decode sequence of trusted certifiers\n");
- goto cleanup;
- }
- retval = pkinit_process_td_trusted_certifiers(context,
- plgctx->cryptoctx, reqctx->cryptoctx, reqctx->idctx,
- krb5_trusted_certifiers, typed_data[0]->type);
- if (!retval)
- do_again = 1;
- break;
- case TD_DH_PARAMETERS:
- retval = k5int_decode_krb5_td_dh_parameters(&scratch, &algId);
- if (retval) {
- pkiDebug("failed to decode td_dh_parameters\n");
- goto cleanup;
+ for (; *err_padata != NULL && !do_again; err_padata++) {
+ pa = *err_padata;
+ PADATA_TO_KRB5DATA(pa, &scratch);
+ switch (pa->pa_type) {
+ case TD_TRUSTED_CERTIFIERS:
+ case TD_INVALID_CERTIFICATES:
+ retval = k5int_decode_krb5_td_trusted_certifiers(&scratch,
+ &certifiers);
+ if (retval) {
+ pkiDebug("failed to decode sequence of trusted certifiers\n");
+ goto cleanup;
+ }
+ retval = pkinit_process_td_trusted_certifiers(context,
+ plgctx->cryptoctx,
+ reqctx->cryptoctx,
+ reqctx->idctx,
+ certifiers,
+ pa->pa_type);
+ if (!retval)
+ do_again = 1;
+ break;
+ case TD_DH_PARAMETERS:
+ retval = k5int_decode_krb5_td_dh_parameters(&scratch, &algId);
+ if (retval) {
+ pkiDebug("failed to decode td_dh_parameters\n");
+ goto cleanup;
+ }
+ retval = pkinit_process_td_dh_params(context, plgctx->cryptoctx,
+ reqctx->cryptoctx,
+ reqctx->idctx, algId,
+ &reqctx->opts->dh_size);
+ if (!retval)
+ do_again = 1;
+ break;
+ default:
+ break;
}
- retval = pkinit_process_td_dh_params(context, plgctx->cryptoctx,
- reqctx->cryptoctx, reqctx->idctx, algId,
- &reqctx->opts->dh_size);
- if (!retval)
- do_again = 1;
- break;
- default:
- break;
}
if (do_again) {
- retval = pa_pkinit_gen_req(context, plgctx, reqctx, request, in_padata,
- out_padata, prompter, prompter_data, gic_opt);
+ retval = pa_pkinit_gen_req(context, plgctx, reqctx, request, pa_type,
+ out_padata, prompter, prompter_data,
+ gic_opt);
if (retval)
goto cleanup;
}
retval = 0;
cleanup:
- if (krb5_trusted_certifiers != NULL)
- free_krb5_external_principal_identifier(&krb5_trusted_certifiers);
-
- if (typed_data != NULL)
- free_krb5_typed_data(&typed_data);
+ if (certifiers != NULL)
+ free_krb5_external_principal_identifier(&certifiers);
if (algId != NULL)
free_krb5_algorithm_identifiers(&algId);
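Review bot: The new loop in pkinit_client_tryagain decodes every matching element into the same `certifiers` / `algId` pointers, so when a TD_TRUSTED_CERTIFIERS or TD_DH_PARAMETERS element decodes correctly but its pkinit_process_* call fails, do_again stays 0, the loop advances, and a later element of the same type overwrites the pointer and leaks the earlier decode, since only the final value is released at `cleanup:`. Because err_padata is taken from the KDC's error reply, the client does not control how many such elements appear. Release the previous iteration's result at the top of the loop body with the same two guarded free calls already used under `cleanup:` (assuming those helpers null the pointer they receive by address, which their signatures suggest but the hunk does not show), or alternatively leave the loop on a processing failure instead of continuing. A short comment above the `for` would also document the intent the commit message describes, e.g. `/* err_padata may mix FAST elements with PKINIT typed-data; retry with the first element that yields usable parameters. */`. The function's first signature line precedes the hunk and its return and closing brace follow it.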