
krb5 commit [krb5-1.11]: Fix S4U2Self against non-FAST KDCs

daemon@ATHENA.MIT.EDU (Tom Yu)
Thu Jan 16 15:47:14 2014

Date: Thu, 16 Jan 2014 15:46:30 -0500
From: Tom Yu <tlyu@mit.edu>
Message-Id: <201401162046.s0GKkUCV013736@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/7b461608791ba07049be66f6b599b1d1b81eb457
commit 7b461608791ba07049be66f6b599b1d1b81eb457
Author: Greg Hudson <ghudson@mit.edu>
Date:   Thu Dec 5 20:32:05 2013 -0500

    Fix S4U2Self against non-FAST KDCs
    
    When we added FAST TGS support in 1.11, we broke S4U2Self against KDCs
    which don't support FAST, because the S4U2Self padata is only present
    within the FAST request.  For now, duplicate that padata in the outer
    request so that both FAST and non-FAST KDCs can see it.
    
    (cherry picked from commit 55c3a5f69919c2b5435bac0cb48ab09b11be869c)
    
    ticket: 7824 (new)
    version_fixed: 1.11.5
    status: resolved

 src/lib/krb5/krb/fast.c |   39 ++++++++++++++++++++++++++++++++++-----
 1 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/src/lib/krb5/krb/fast.c b/src/lib/krb5/krb/fast.c
index 612fffd..a2a8020 100644
--- a/src/lib/krb5/krb/fast.c
+++ b/src/lib/krb5/krb/fast.c
@@ -224,6 +224,32 @@ krb5int_fast_as_armor(krb5_context context,
     return retval;
 }
 
+/*
+ * Construct a list of outer request padata for a TGS request.  Since we do
+ * FAST TGS even when we don't have reason to believe the KDC supports FAST,
+ * the outer padata has to contain duplicates of the inner padata (such as
+ * S4U2Self padata) as well as the PA-TGS-REQ and PA-FX-FAST padata.  The
+ * caller must free *out_padata with free() as it is not a deep copy.
+ */
+static krb5_error_code
+make_tgs_outer_padata(krb5_pa_data *tgs, krb5_pa_data *fast,
+                      krb5_pa_data **other, krb5_pa_data ***out_padata)
+{
+    krb5_pa_data **pa_list;
+    size_t i;
+
+    *out_padata = NULL;
+    for (i = 0; other[i] != NULL; i++);
+    pa_list = calloc(i + 3, sizeof(*pa_list));
+    if (pa_list == NULL)
+        return ENOMEM;
+    pa_list[0] = tgs;
+    pa_list[1] = fast;
+    for (i = 0; other[i] != NULL; i++)
+        pa_list[i + 2] = other[i];
+    *out_padata = pa_list;
+    return 0;
+}
 
 krb5_error_code
 krb5int_fast_prep_req(krb5_context context,
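Review bot: Both loops in make_tgs_outer_padata index `other` without checking it for NULL, so a caller that passes a request with no padata would fault on the first `other[i]` read; unless every caller guarantees a non-NULL list (the one visible call site passes `request->padata`, whose nullability is not established in this hunk), the counting and copy loops should read `for (i = 0; other != NULL && other[i] != NULL; i++)`. The empty-bodied counting loop `for (i = 0; other[i] != NULL; i++);` hides its semicolon at the end of the line; putting the `;` or an empty `{}` on its own line makes the intent visible and avoids empty-body warnings. The header comment could also state that this outer list travels outside the FAST armor, so any inner padata copied into it is visible to the KDC and on the wire in the clear, e.g. `/* The outer list is not FAST-protected; inner padata duplicated here is sent unarmored. */`.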
@@ -234,7 +260,7 @@ krb5int_fast_prep_req(krb5_context context,
                       krb5_data **encoded_request)
 {
     krb5_error_code retval = 0;
-    krb5_pa_data *pa_array[3];
+    krb5_pa_data *pa_array[2], **pa_tgs_array = NULL;
     krb5_pa_data pa[2];
     krb5_fast_req fast_req;
     krb5_pa_data *tgs = NULL;
@@ -298,12 +324,14 @@ krb5int_fast_prep_req(krb5_context context,
         pa[0].contents = (unsigned char *) encoded_armored_req->data;
         pa[0].length = encoded_armored_req->length;
         if (tgs) {
-            pa_array[0] = tgs;
-            pa_array[1] = &pa[0];
-        } else
+            retval = make_tgs_outer_padata(tgs, pa, request->padata,
+                                           &pa_tgs_array);
+            state->fast_outer_request.padata = pa_tgs_array;
+        } else {
             pa_array[0] = &pa[0];
+            state->fast_outer_request.padata = pa_array;
+        }
     }
-    state->fast_outer_request.padata = pa_array;
     if (retval == 0)
         retval = encoder(&state->fast_outer_request, &local_encoded_result);
     if (retval == 0) {
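Review bot: In the non-TGS branch only `pa_array[0]` is assigned before `pa_array` becomes the outer padata list, and with the declaration shrunk to `pa_array[2]` in the previous hunk the list's NULL terminator in `pa_array[1]` must come from an initialization outside this hunk (presumably a memset or initializer earlier in krb5int_fast_prep_req); if there is none, the encoder would walk past the array. Setting the terminator explicitly, `pa_array[1] = NULL;` next to `pa_array[0] = &pa[0];`, makes the branch self-contained regardless of that earlier code. The function begins and ends outside this hunk; on failure of make_tgs_outer_padata, `pa_tgs_array` stays NULL and the encoder call is skipped via `retval`, which looks correct.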
@@ -325,6 +353,7 @@ krb5int_fast_prep_req(krb5_context context,
         free(tgs);
     }
     state->fast_outer_request.padata = NULL;
+    free(pa_tgs_array);
     return retval;
 }
 
