From 394becd543eca283dcd79d4cd26c7afa6ef720d8 Mon Sep 17 00:00:00 2001 From: Theodore Tso Date: Mon, 13 Nov 1995 18:01:26 +0000 Subject: [PATCH] * preauth.c (krb5_process_padata): Added generalized processing for preauth information which is returned by the KDC. This should be general enough to support the AFS3_SALT preauth type, the SNK4 preauth type, and the public-key mods to Kerberos. (process_pw_salt): New function for processing the KRB5_PW_SALT preauthentication type. * get_in_tkt.c (decrypt_as_reply): Removed temporary kludge for processing the PW_SALT preauth type; that's now done in preauth.c (krb5_get_in_tkt): Call krb5_process_padata with new arguments so that the preauth code can set the decryption_key if necessary. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7102 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/krb5/krb/ChangeLog | 17 +++++ src/lib/krb5/krb/get_in_tkt.c | 50 ++++++------- src/lib/krb5/krb/preauth.c | 130 ++++++++++++++++++++++------------ 3 files changed, 121 insertions(+), 76 deletions(-) diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog index 998ef7b3d..09a998df3 100644 --- a/src/lib/krb5/krb/ChangeLog +++ b/src/lib/krb5/krb/ChangeLog @@ -1,3 +1,20 @@ +Mon Nov 13 12:57:12 1995 Theodore Y. Ts'o + + * preauth.c (krb5_process_padata): Added generalized processing + for preauth information which is returned by the KDC. + This should be general enough to support the AFS3_SALT + preauth type, the SNK4 preauth type, and the public-key + mods to Kerberos. + (process_pw_salt): New function for processing the KRB5_PW_SALT + preauthentication type. + + * get_in_tkt.c (decrypt_as_reply): Removed temporary kludge for + processing the PW_SALT preauth type; that's now done in + preauth.c + (krb5_get_in_tkt): Call krb5_process_padata with new arguments so + that the preauth code can set the decryption_key if + necessary. + Thu Nov 09 17:05:57 1995 Chris Provenzano (proven@mit.edu) * in_tkt_pwd.c : Remove krb5_enctype from krb5_string_to_key() args. diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index 18095ef8e..58bc1225a 100644 --- a/src/lib/krb5/krb/get_in_tkt.c +++ b/src/lib/krb5/krb/get_in_tkt.c @@ -173,57 +173,42 @@ cleanup: } static krb5_error_code -decrypt_as_reply(context, request, as_reply, key_proc, keyseed, +decrypt_as_reply(context, request, as_reply, key_proc, keyseed, key, decrypt_proc, decryptarg) krb5_context context; krb5_kdc_req *request; krb5_kdc_rep *as_reply; git_key_proc key_proc; krb5_const_pointer keyseed; + krb5_keyblock * key; git_decrypt_proc decrypt_proc; krb5_const_pointer decryptarg; { krb5_error_code retval; krb5_keyblock * decrypt_key = 0; krb5_data salt; - int use_salt = 0; - int f_salt = 0; if (as_reply->enc_part2) return 0; - - /* Temp kludge to get salt */ - if (as_reply->padata) { - krb5_pa_data **ptr; - - for (ptr = as_reply->padata; *ptr; ptr++) { - if ((*ptr)->pa_type == KRB5_PADATA_PW_SALT) { - /* use KDC-supplied salt, instead of default */ - salt.data = (char *)(*ptr)->contents; - salt.length = (*ptr)->length; - use_salt = 1; - break; - } - } - } - - if (!use_salt) { + + if (key) + decrypt_key = key; + else { if ((retval = krb5_principal2salt(context, request->client, &salt))) return(retval); - f_salt = 1; - } - if ((retval = (*key_proc)(context, as_reply->ticket->enc_part.enctype, - &salt, keyseed, &decrypt_key))) - goto cleanup; + retval = (*key_proc)(context, as_reply->ticket->enc_part.enctype, + &salt, keyseed, &decrypt_key); + krb5_xfree(salt.data); + if (retval) + goto cleanup; + } if ((retval = (*decrypt_proc)(context, decrypt_key, decryptarg, as_reply))) goto cleanup; cleanup: - if (f_salt) - krb5_xfree(salt.data); - if (decrypt_key) + if (!key && decrypt_key) krb5_free_keyblock(context, decrypt_key); return (retval); } @@ -391,6 +376,7 @@ krb5_get_in_tkt(context, options, addrs, ktypes, ptypes, key_proc, keyseed, { krb5_error_code retval; krb5_timestamp time_now; + krb5_keyblock * decrypt_key = 0; krb5_kdc_req request; krb5_pa_data **padata = 0; krb5_error * err_reply; @@ -483,7 +469,8 @@ krb5_get_in_tkt(context, options, addrs, ktypes, ptypes, key_proc, keyseed, goto cleanup; } if ((retval = krb5_process_padata(context, &request, as_reply, - key_proc, keyseed, creds, + key_proc, keyseed, decrypt_proc, + &decrypt_key, creds, &do_more)) != 0) goto cleanup; @@ -492,7 +479,8 @@ krb5_get_in_tkt(context, options, addrs, ktypes, ptypes, key_proc, keyseed, } if ((retval = decrypt_as_reply(context, &request, as_reply, key_proc, - keyseed, decrypt_proc, decryptarg))) + keyseed, decrypt_key, decrypt_proc, + decryptarg))) goto cleanup; if ((retval = verify_as_reply(context, time_now, &request, as_reply))) @@ -513,6 +501,8 @@ cleanup: krb5_free_pa_data(context, padata); if (preauth_to_use) krb5_free_pa_data(context, preauth_to_use); + if (decrypt_key) + krb5_free_keyblock(context, decrypt_key); if (as_reply) { if (ret_as_reply) *ret_as_reply = as_reply; diff --git a/src/lib/krb5/krb/preauth.c b/src/lib/krb5/krb/preauth.c index d02a7197d..4bfe9705a 100644 --- a/src/lib/krb5/krb/preauth.c +++ b/src/lib/krb5/krb/preauth.c @@ -1,6 +1,6 @@ /* - * Copyright 1990,1991 by the Massachusetts Institute of Technology. - * All Rights Reserved. + * Copyright 1995 by the Massachusetts Institute of Technology. All + * Rights Reserved. * * Export of this software from the United States of America may * require a specific license from the United States Government. @@ -37,6 +37,7 @@ #endif static krb5_preauth_obtain_proc obtain_enc_ts_padata; +static krb5_preauth_process_proc process_pw_salt; static krb5_preauth_ops preauth_systems[] = { { @@ -46,7 +47,14 @@ static krb5_preauth_ops preauth_systems[] = { obtain_enc_ts_padata, 0, }, - { -1,} + { + KV5M_PREAUTH_OPS, + KRB5_PADATA_PW_SALT, + 0, + 0, + process_pw_salt, + }, + { KV5M_PREAUTH_OPS, -1 } }; static krb5_error_code find_pa_system @@ -60,47 +68,11 @@ typedef krb5_error_code (*git_key_proc) PROTOTYPE((krb5_context, krb5_const_pointer, krb5_keyblock **)); -krb5_error_code -krb5_encrypt_data(context, key, ivec, data, enc_data) - krb5_context context; - krb5_keyblock * key; - krb5_pointer ivec; - krb5_data * data; - krb5_enc_data * enc_data; -{ - krb5_error_code retval; - krb5_encrypt_block eblock; - - krb5_use_enctype(context, &eblock, key->enctype); - - enc_data->magic = KV5M_ENC_DATA; - enc_data->kvno = 0; - enc_data->enctype = key->enctype; - enc_data->ciphertext.length = krb5_encrypt_size(data->length, - eblock.crypto_entry); - enc_data->ciphertext.data = malloc(enc_data->ciphertext.length); - if (enc_data->ciphertext.data == 0) - return ENOMEM; +typedef krb5_error_code (*git_decrypt_proc) PROTOTYPE((krb5_context, + const krb5_keyblock *, + krb5_const_pointer, + krb5_kdc_rep * )); - if ((retval = krb5_process_key(context, &eblock, key)) != 0) - goto cleanup; - - if ((retval = krb5_encrypt(context, (krb5_pointer) data->data, - (krb5_pointer) enc_data->ciphertext.data, - data->length, &eblock, ivec))) { - krb5_finish_key(context, &eblock); - goto cleanup; - } - (void) krb5_finish_key(context, &eblock); - - return 0; - -cleanup: - free(enc_data->ciphertext.data); - return retval; -} - - krb5_error_code krb5_obtain_padata(context, preauth_to_use, key_proc, key_seed, creds, request) krb5_context context; @@ -199,19 +171,51 @@ cleanup: krb5_error_code krb5_process_padata(context, request, as_reply, key_proc, keyseed, - creds, do_more) + decrypt_proc, decrypt_key, creds, do_more) krb5_context context; krb5_kdc_req * request; krb5_kdc_rep * as_reply; git_key_proc key_proc; krb5_const_pointer keyseed; + git_decrypt_proc decrypt_proc; + krb5_keyblock ** decrypt_key; krb5_creds * creds; krb5_int32 * do_more; { - *do_more = 0; - return 0; + krb5_error_code retval = 0; + krb5_preauth_ops * ops; + krb5_pa_data ** pa; + krb5_int32 done = 0; + + *do_more = 0; /* By default, we don't need to repeat... */ + if (as_reply->padata == 0) + return 0; + + for (pa = as_reply->padata; *pa; pa++) { + if (find_pa_system((*pa)->pa_type, &ops)) + continue; + + if (ops->process == 0) + continue; + + retval = ((ops)->process)(context, *pa, request, as_reply, + key_proc, keyseed, decrypt_proc, + decrypt_key, creds, do_more, &done); + if (retval) + goto cleanup; + if (done) + break; + } + +cleanup: + return retval; } +/* + * This routine is the "obtain" function for the ENC_TIMESTAMP + * preauthentication type. It take the current time and encrypts it + * in the user's key. + */ static krb5_error_code obtain_enc_ts_padata(context, in_padata, etype_info, def_enc_key, key_proc, key_seed, creds, request, out_padata) @@ -276,6 +280,40 @@ cleanup: return retval; } +static krb5_error_code +process_pw_salt(context, padata, request, as_reply, + key_proc, keyseed, decrypt_proc, decrypt_key, + creds, do_more, done) + krb5_context context; + krb5_pa_data * padata; + krb5_kdc_req * request; + krb5_kdc_rep * as_reply; + git_key_proc key_proc; + krb5_const_pointer keyseed; + git_decrypt_proc decrypt_proc; + krb5_keyblock ** decrypt_key; + krb5_creds * creds; + krb5_int32 * do_more; + krb5_int32 * done; +{ + krb5_error_code retval; + krb5_data salt; + + if (*decrypt_key != 0) + return 0; + + salt.data = (char *) padata->contents; + salt.length = padata->length; + + if ((retval = (*key_proc)(context, as_reply->ticket->enc_part.enctype, + &salt, keyseed, decrypt_key))) { + *decrypt_key = 0; + return retval; + } + + return 0; +} + static krb5_error_code find_pa_system(type, preauth) int type; -- 2.26.2