* kdc_preauth.c (etype_info_as_rep_helper): New function; shared
authorTom Yu <tlyu@mit.edu>
Thu, 13 Oct 2005 22:42:26 +0000 (22:42 +0000)
committerTom Yu <tlyu@mit.edu>
Thu, 13 Oct 2005 22:42:26 +0000 (22:42 +0000)
code for handling ETYPE-INFO and ETYPE-INFO2.  Checks request for
"newer" enctypes and does not return an ETYPE-INFO if any "newer"
enctypes are present in the request.  Reported by Will Fiveash.
(return_etype_info2, return_etype_info): Implement in terms of
etype_info_as_rep_helper.

ticket: 3207
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17424 dc483132-0cff-0310-8789-dd5450dbe970

src/kdc/ChangeLog
src/kdc/kdc_preauth.c

index 0b197b2feae8db5ca893150112676a4204766e74..dfde8284cb45ca9a4125649b55a97108b4aa0526 100644 (file)
@@ -1,3 +1,12 @@
+2005-10-13  Tom Yu  <tlyu@mit.edu>
+
+       * kdc_preauth.c (etype_info_as_rep_helper): New function; shared
+       code for handling ETYPE-INFO and ETYPE-INFO2.  Checks request for
+       "newer" enctypes and does not return an ETYPE-INFO if any "newer"
+       enctypes are present in the request.  Reported by Will Fiveash.
+       (return_etype_info2, return_etype_info): Implement in terms of
+       etype_info_as_rep_helper.
+
 2005-10-12  Tom Yu  <tlyu@mit.edu>
 
        * kdc_preauth.c (return_etype_info2): Apply patch from Will
index e2ffe255b3a4f7e9204cf679aebadde4ecb5fbcf..0fcb62a744369c1a929c75564e185192509e0b79 100644 (file)
@@ -111,6 +111,23 @@ get_etype_info2(krb5_context context, krb5_kdc_req *request,
               krb5_db_entry *client, krb5_db_entry *server,
                  krb5_pa_data *pa_data);
 static krb5_error_code
+etype_info_as_rep_helper(krb5_context context, krb5_pa_data * padata, 
+                        krb5_db_entry *client,
+                        krb5_kdc_req *request, krb5_kdc_rep *reply,
+                        krb5_key_data *client_key,
+                        krb5_keyblock *encrypting_key,
+                        krb5_pa_data **send_pa,
+                        int etype_info2);
+
+static krb5_error_code
+return_etype_info(krb5_context, krb5_pa_data * padata, 
+                 krb5_db_entry *client,
+                 krb5_kdc_req *request, krb5_kdc_rep *reply,
+                 krb5_key_data *client_key,
+                 krb5_keyblock *encrypting_key,
+                 krb5_pa_data **send_pa);
+
+static krb5_error_code
 return_etype_info2(krb5_context, krb5_pa_data * padata, 
                   krb5_db_entry *client,
                   krb5_kdc_req *request, krb5_kdc_rep *reply,
@@ -167,7 +184,7 @@ static krb5_preauth_systems preauth_systems[] = {
        0,
        get_etype_info,
        0,
-       0
+       return_etype_info
     },
     {
        "etype-info2",
@@ -749,21 +766,41 @@ get_etype_info2(krb5_context context, krb5_kdc_req *request,
 }
 
 static krb5_error_code
-return_etype_info2(krb5_context context, krb5_pa_data * padata, 
-                  krb5_db_entry *client,
-                  krb5_kdc_req *request, krb5_kdc_rep *reply,
-                  krb5_key_data *client_key,
-                  krb5_keyblock *encrypting_key,
-                  krb5_pa_data **send_pa)
+etype_info_as_rep_helper(krb5_context context, krb5_pa_data * padata, 
+                        krb5_db_entry *client,
+                        krb5_kdc_req *request, krb5_kdc_rep *reply,
+                        krb5_key_data *client_key,
+                        krb5_keyblock *encrypting_key,
+                        krb5_pa_data **send_pa,
+                        int etype_info2)
 {
+    int i;
     krb5_error_code retval;
     krb5_pa_data *tmp_padata;
     krb5_etype_info_entry **entry = NULL;
     krb5_data *scratch = NULL;
+
+    /*
+     * Skip PA-ETYPE-INFO completely if AS-REQ lists any "newer"
+     * enctypes.
+     */
+    if (!etype_info2) {
+       for (i = 0; i < request->nktypes; i++) {
+           if (enctype_requires_etype_info_2(request->ktype[i])) {
+               *send_pa = NULL;
+               return 0;
+           }
+       }
+    }
+
     tmp_padata = malloc( sizeof(krb5_pa_data));
     if (tmp_padata == NULL)
        return ENOMEM;
-    tmp_padata->pa_type = KRB5_PADATA_ETYPE_INFO2;
+    if (etype_info2)
+       tmp_padata->pa_type = KRB5_PADATA_ETYPE_INFO2;
+    else
+       tmp_padata->pa_type = KRB5_PADATA_ETYPE_INFO;
+
     entry = malloc(2 * sizeof(krb5_etype_info_entry *));
     if (entry == NULL) {
        retval = ENOMEM;
@@ -773,10 +810,15 @@ return_etype_info2(krb5_context context, krb5_pa_data * padata,
     entry[1] = NULL;
     retval = _make_etype_info_entry(context, request,
                                    client_key, encrypting_key->enctype,
-                                   entry, 1);
+                                   entry, etype_info2);
     if (retval)
        goto cleanup;
-    retval = encode_krb5_etype_info2((const krb5_etype_info_entry **) entry, &scratch);
+
+    if (etype_info2)
+       retval = encode_krb5_etype_info2((const krb5_etype_info_entry **) entry, &scratch);
+    else
+       retval = encode_krb5_etype_info((const krb5_etype_info_entry **) entry, &scratch);
+
     if (retval)
        goto cleanup;
     tmp_padata->contents = scratch->data;
@@ -800,6 +842,30 @@ return_etype_info2(krb5_context context, krb5_pa_data * padata,
     return retval;
 }
 
+static krb5_error_code
+return_etype_info2(krb5_context context, krb5_pa_data * padata, 
+                  krb5_db_entry *client,
+                  krb5_kdc_req *request, krb5_kdc_rep *reply,
+                  krb5_key_data *client_key,
+                  krb5_keyblock *encrypting_key,
+                  krb5_pa_data **send_pa)
+{
+    return etype_info_as_rep_helper(context, padata, client, request, reply,
+                                   client_key, encrypting_key, send_pa, 1);
+}
+
+
+static krb5_error_code
+return_etype_info(krb5_context context, krb5_pa_data * padata, 
+                 krb5_db_entry *client,
+                 krb5_kdc_req *request, krb5_kdc_rep *reply,
+                 krb5_key_data *client_key,
+                 krb5_keyblock *encrypting_key,
+                 krb5_pa_data **send_pa)
+{
+    return etype_info_as_rep_helper(context, padata, client, request, reply,
+                                   client_key, encrypting_key, send_pa, 0);
+}
 
 static krb5_error_code
 return_pw_salt(krb5_context context, krb5_pa_data *in_padata,
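Review bot: `etype_info_as_rep_helper` (hunk `@@ -749,21 +766,41 @@`) gets no header comment, so the meaning of the `etype_info2` flag and the new early exit have to be reverse-engineered from the three `if (etype_info2)` branches and the one-line wrappers in the last hunk. I would put a short comment above the definition at the `static krb5_error_code` line, e.g. `/* Build PA-ETYPE-INFO2 (etype_info2 != 0) or PA-ETYPE-INFO (etype_info2 == 0) for the AS-REP. */` followed by `/* In the ETYPE-INFO case, return 0 with *send_pa = NULL, and build nothing, if any enctype in request->ktype[] satisfies enctype_requires_etype_info_2(). */`. The inline comment at the loop says what is skipped but not why; the ChangeLog's "Reported by Will Fiveash" rationale — that the legacy hint is withheld once the AS-REQ names a "newer" enctype — belongs next to the code rather than only in the ChangeLog. The helper's body continues past this hunk and the next (the `cleanup` label and the `*send_pa` assignment on the success path are outside the diff), so I could not check that every error exit leaves `*send_pa` in a defined state; worth confirming since the new early return now sets it explicitly while the later paths are unseen here.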