|
 |
e98d94d |
>From 8f6d12bae1a0f1d274593c4a06dfa5948aa61418 Mon Sep 17 00:00:00 2001
|
|
|
e98d94d |
From: Stef Walter <stefw@redhat.com>
|
|
|
e98d94d |
Date: Thu, 23 May 2013 08:38:20 +0200
|
|
|
e98d94d |
Subject: [PATCH 1/2] krb5: Refator duplicate code for setting the AS REQ nonce
|
|
|
e98d94d |
|
|
|
e98d94d |
---
|
|
|
e98d94d |
src/lib/krb5/krb/get_in_tkt.c | 64 +++++++++++++++++++++++--------------------
|
|
|
e98d94d |
1 file changed, 35 insertions(+), 29 deletions(-)
|
|
|
e98d94d |
|
|
|
e98d94d |
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
|
|
|
e98d94d |
index 828b0fb..1058112 100644
|
|
|
e98d94d |
--- a/src/lib/krb5/krb/get_in_tkt.c
|
|
|
e98d94d |
+++ b/src/lib/krb5/krb/get_in_tkt.c
|
|
|
e98d94d |
@@ -650,6 +650,34 @@ cleanup:
|
|
|
e98d94d |
return code;
|
|
|
e98d94d |
}
|
|
|
e98d94d |
|
|
|
e98d94d |
+static krb5_error_code
|
|
|
e98d94d |
+update_req_before_encoding(krb5_context context, krb5_init_creds_context ctx)
|
|
|
e98d94d |
+{
|
|
|
e98d94d |
+ krb5_error_code code = 0;
|
|
|
e98d94d |
+ unsigned char random_buf[4];
|
|
|
e98d94d |
+ krb5_data random_data;
|
|
|
e98d94d |
+
|
|
|
e98d94d |
+ /*
|
|
|
e98d94d |
+ * RFC 6113 requires a new nonce for the inner request on each try. It's
|
|
|
e98d94d |
+ * permitted to change the nonce even for non-FAST as well.
|
|
|
e98d94d |
+ */
|
|
|
e98d94d |
+ random_data.length = 4;
|
|
|
e98d94d |
+ random_data.data = (char *)random_buf;
|
|
|
e98d94d |
+ code = krb5_c_random_make_octets(context, &random_data);
|
|
|
e98d94d |
+ if (code != 0)
|
|
|
e98d94d |
+ goto cleanup;
|
|
|
e98d94d |
+
|
|
|
e98d94d |
+ /*
|
|
|
e98d94d |
+ * See RT ticket 3196 at MIT. If we set the high bit, we may have
|
|
|
e98d94d |
+ * compatibility problems with Heimdal, because we (incorrectly) encode
|
|
|
e98d94d |
+ * this value as signed.
|
|
|
e98d94d |
+ */
|
|
|
e98d94d |
+ ctx->request->nonce = 0x7fffffff & load_32_n(random_buf);
|
|
|
e98d94d |
+
|
|
|
e98d94d |
+cleanup:
|
|
|
e98d94d |
+ return code;
|
|
|
e98d94d |
+}
|
|
|
e98d94d |
+
|
|
|
e98d94d |
/**
|
|
|
e98d94d |
* Throw away any state related to specific realm either at the beginning of a
|
|
|
e98d94d |
* request, or when a realm changes, or when we start to use FAST after
|
|
|
e98d94d |
@@ -664,8 +692,6 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
|
|
|
e98d94d |
krb5_pa_data **padata)
|
|
|
e98d94d |
{
|
|
|
e98d94d |
krb5_error_code code = 0;
|
|
|
e98d94d |
- unsigned char random_buf[4];
|
|
|
e98d94d |
- krb5_data random_data;
|
|
|
e98d94d |
krb5_timestamp from;
|
|
|
e98d94d |
|
|
|
e98d94d |
if (ctx->preauth_to_use) {
|
|
|
e98d94d |
@@ -693,18 +719,10 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
|
|
|
e98d94d |
goto cleanup;
|
|
|
e98d94d |
}
|
|
|
e98d94d |
|
|
|
e98d94d |
- /* Set the request nonce. */
|
|
|
e98d94d |
- random_data.length = 4;
|
|
|
e98d94d |
- random_data.data = (char *)random_buf;
|
|
|
e98d94d |
- code = krb5_c_random_make_octets(context, &random_data);
|
|
|
e98d94d |
- if (code !=0)
|
|
|
e98d94d |
+ code = update_req_before_encoding(context, ctx);
|
|
|
e98d94d |
+ if (code != 0)
|
|
|
e98d94d |
goto cleanup;
|
|
|
e98d94d |
- /*
|
|
|
e98d94d |
- * See RT ticket 3196 at MIT. If we set the high bit, we may have
|
|
|
e98d94d |
- * compatibility problems with Heimdal, because we (incorrectly) encode
|
|
|
e98d94d |
- * this value as signed.
|
|
|
e98d94d |
- */
|
|
|
e98d94d |
- ctx->request->nonce = 0x7fffffff & load_32_n(random_buf);
|
|
|
e98d94d |
+
|
|
|
e98d94d |
krb5_free_principal(context, ctx->request->server);
|
|
|
e98d94d |
ctx->request->server = NULL;
|
|
|
e98d94d |
|
|
|
e98d94d |
@@ -1188,28 +1206,16 @@ init_creds_step_request(krb5_context context,
|
|
|
e98d94d |
{
|
|
|
e98d94d |
krb5_error_code code;
|
|
|
e98d94d |
krb5_boolean got_real;
|
|
|
e98d94d |
- char random_buf[4];
|
|
|
e98d94d |
- krb5_data random_data;
|
|
|
e98d94d |
|
|
|
e98d94d |
if (ctx->loopcount >= MAX_IN_TKT_LOOPS) {
|
|
|
e98d94d |
code = KRB5_GET_IN_TKT_LOOP;
|
|
|
e98d94d |
goto cleanup;
|
|
|
e98d94d |
}
|
|
|
e98d94d |
- /*
|
|
|
e98d94d |
- * RFC 6113 requires a new nonce for the inner request on each try. It's
|
|
|
e98d94d |
- * permitted to change the nonce even for non-FAST so we do here.
|
|
|
e98d94d |
- */
|
|
|
e98d94d |
- random_data.length = 4;
|
|
|
e98d94d |
- random_data.data = (char *)random_buf;
|
|
|
e98d94d |
- code = krb5_c_random_make_octets(context, &random_data);
|
|
|
e98d94d |
- if (code !=0)
|
|
|
e98d94d |
+
|
|
|
e98d94d |
+ code = update_req_before_encoding(context, ctx);
|
|
|
e98d94d |
+ if (code != 0)
|
|
|
e98d94d |
goto cleanup;
|
|
|
e98d94d |
- /*
|
|
|
e98d94d |
- * See RT ticket 3196 at MIT. If we set the high bit, we may have
|
|
|
e98d94d |
- * compatibility problems with Heimdal, because we (incorrectly) encode
|
|
|
e98d94d |
- * this value as signed.
|
|
|
e98d94d |
- */
|
|
|
e98d94d |
- ctx->request->nonce = 0x7fffffff & load_32_n(random_buf);
|
|
|
e98d94d |
+
|
|
|
e98d94d |
krb5_free_data(context, ctx->inner_request_body);
|
|
|
e98d94d |
ctx->inner_request_body = NULL;
|
|
|
e98d94d |
code = encode_krb5_kdc_req_body(ctx->request, &ctx->inner_request_body);
|
|
|
e98d94d |
--
|
|
|
e98d94d |
1.8.1.4
|
|
|
e98d94d |
|