Client-side cookie support

Echo the pa-fx-cookie back to the KDC. No need to store cookie padata in the state structure; removed. If cookie is not present and FAST is being used, do not retry after error. git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast@22161 dc483132-0cff-0310-8789-dd5450dbe970
aadamowski · Apr 3, 2009 · ef14065 · ef14065
1 parent 8c835cf
commit ef14065
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 7 deletions.
diff --git a/src/lib/krb5/krb/fast.c b/src/lib/krb5/krb/fast.c
@@ -378,9 +378,11 @@ krb5int_fast_process_error(krb5_context context, struct krb5int_fast_request_sta
 	    fast_response->padata = NULL;
 	    /*
 	     * If there is more than the fx_error padata, then we want
-	     * to retry the error
+	     * to retry the error if a cookie is present
 	     */
 	    *retry = (*out_padata)[1] != NULL;
+	    if (krb5int_find_pa_data(context, *out_padata, KRB5_PADATA_FX_COOKIE) == NULL)
+		*retry = 0;
 	}
 	if (fx_error)
 	    krb5_free_error(context, fx_error);
@@ -475,11 +477,6 @@ krb5int_fast_free_state( krb5_context context, struct krb5int_fast_request_state
     /*We are responsible for none of the store in the fast_outer_req*/
     krb5_free_keyblock(context, state->armor_key);
     krb5_free_fast_armor(context, state->armor);
-    if (state->cookie) {
-	free(state->cookie->contents);
-	free(state->cookie);
-	state->cookie = NULL;
-    }
     free(state);
 }
 

diff --git a/src/lib/krb5/krb/fast.h b/src/lib/krb5/krb/fast.h
@@ -38,7 +38,6 @@ struct krb5int_fast_request_state {
     krb5_fast_armor *armor;
     krb5_ui_4 fast_state_flags;
     krb5_ui_4 fast_options;
-  krb5_pa_data *cookie;
     krb5_int32 nonce;
 };
 

diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
@@ -645,6 +645,36 @@ krb5_error_code pa_salt(krb5_context context,
     return(0);
 }
 
+static
+krb5_error_code pa_fx_cookie(krb5_context context,
+				 krb5_kdc_req *request,
+				 krb5_pa_data *in_padata,
+				 krb5_pa_data **out_padata,
+				 krb5_data *salt,
+				 krb5_data *s2kparams,
+				 krb5_enctype *etype,
+				 krb5_keyblock *as_key,
+				 krb5_prompter_fct prompter,
+				 void *prompter_data,
+				 krb5_gic_get_as_key_fct gak_fct,
+				 void *gak_data)
+{
+    krb5_pa_data *pa = calloc(1, sizeof(krb5_pa_data));
+    krb5_octet *contents;
+    if (pa == NULL)
+	return ENOMEM;
+    contents = malloc(in_padata->length);
+    if (contents == NULL) {
+	free(pa);
+	return ENOMEM;
+    }
+    *pa = *in_padata;
+    pa->contents = contents;
+    memcpy(contents, in_padata->contents, pa->length);
+    *out_padata = pa;
+    return 0;
+}
+
 static
 krb5_error_code pa_enc_timestamp(krb5_context context,
 				 krb5_kdc_req *request,
@@ -1709,6 +1739,11 @@ static const pa_types_t pa_types[] = {
 	pa_sam,
 	PA_REAL,
     },
+    {
+	KRB5_PADATA_FX_COOKIE,
+	pa_fx_cookie,
+	PA_INFO,
+    },
     {
 	-1,
 	NULL,