From bb89afd7c59deea855d2818fe36ef7472b4abf2e Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum Date: Mon, 9 Sep 2013 14:23:56 -0400 Subject: [PATCH 05/13] Add ASN.1 codec for KKDCP's KDC-PROXY-MESSAGE Handle encoding and decoding [MS-KKDCP] proxy messages, including handling of the additional length bytes. Early versions of [MS-KKDCP] incorrectly omit that the size of the proxied message is prepended to the proxied message, as it is when we're using plain TCP, before encoding the proxy-message structure. This is fixed at least as of version 2.1 of the spec. [nalin@redhat.com: add tests] ticket: 7929 --- src/include/k5-int.h | 13 +++++++++++++ src/lib/krb5/asn.1/asn1_k_encode.c | 14 ++++++++++++++ src/lib/krb5/krb/kfree.c | 10 ++++++++++ src/lib/krb5/libkrb5.exports | 3 +++ src/tests/asn.1/krb5_decode_test.c | 18 ++++++++++++++++++ src/tests/asn.1/krb5_encode_test.c | 8 ++++++++ src/tests/asn.1/ktest.c | 23 ++++++++++++++++++++++ src/tests/asn.1/ktest.h | 5 +++++ src/tests/asn.1/ktest_equal.c | 12 ++++++++++++ src/tests/asn.1/ktest_equal.h | 3 +++ src/tests/asn.1/reference_encode.out | 1 + src/tests/asn.1/trval_reference.out | 37 ++++++++++++++++++++++++++++++++++++ 12 files changed, 147 insertions(+) diff --git a/src/include/k5-int.h b/src/include/k5-int.h index 096cd14..8f039ee 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -518,6 +518,12 @@ typedef struct _krb5_pa_otp_req { krb5_data vendor; } krb5_pa_otp_req; +typedef struct _krb5_kkdcp_message { + krb5_data kerb_message; + krb5_data target_domain; + krb5_int32 dclocator_hint; +} krb5_kkdcp_message; + #include #include 
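Review bot: The new `krb5_kkdcp_message` typedef carries no comment, and the property a caller most needs is nowhere in the header: the codec in asn1_k_encode.c emits `kerb_message` verbatim as an OCTET STRING, so the 4-byte length prefix the commit message describes must already be in the buffer when encode_krb5_kkdcp_message is called, and is not stripped by the decoder. The test sample never adds it — the reference octet string of 488 bytes starts straight at the AS-REQ tag `6a 82 01 e4` — so nothing on this page pins the convention down. Suggest `/* [MS-KKDCP] KDC-PROXY-MESSAGE.  kerb_message is the proxied KDC message including the 4-byte TCP length prefix; target_domain and dclocator_hint are optional. */` above the typedef, and a one-line reference to the same structure above the kkdcp_message DEFFIELDs in the asn1_k_encode.c hunk. The optional fields use `opt_gstring_data`/`opt_int32`, and ktest_empty_kkdcp_message resets dclocator_hint to -1, which looks like the absent marker; stating that in the header would save callers a trip into the codec.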
@@ -898,6 +904,7 @@ void k5_free_otp_tokeninfo(krb5_context context, krb5_otp_tokeninfo *val);
 void k5_free_pa_otp_challenge(krb5_context context, krb5_pa_otp_challenge *val);
 void k5_free_pa_otp_req(krb5_context context, krb5_pa_otp_req *val);
+void k5_free_kkdcp_message(krb5_context context, krb5_kkdcp_message *val);
 /* #include "krb5/wordsize.h" -- comes in through base-defs.h. */
 #include "com_err.h"
@@ -1438,6 +1445,9 @@ encode_krb5_pa_otp_req(const krb5_pa_otp_req *, krb5_data **);
 krb5_error_code
 encode_krb5_pa_otp_enc_req(const krb5_data *, krb5_data **);
+krb5_error_code
+encode_krb5_kkdcp_message(const krb5_kkdcp_message *, krb5_data **);
+
 /*************************************************************************
 * End of prototypes for krb5_encode.c
 *************************************************************************/
@@ -1608,6 +1618,9 @@ decode_krb5_pa_otp_req(const krb5_data *, krb5_pa_otp_req **);
 krb5_error_code
 decode_krb5_pa_otp_enc_req(const krb5_data *, krb5_data **);
+krb5_error_code
+decode_krb5_kkdcp_message(const krb5_data *, krb5_kkdcp_message **);
+
 struct _krb5_key_data; /* kdb.h */
 struct ldap_seqof_key_data {
diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
index 7b9179d..4dc49c2 100644
--- a/src/lib/krb5/asn.1/asn1_k_encode.c
+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
@@ -1711,3 +1711,17 @@ static const struct atype_info *pa_otp_enc_req_fields[] = {
 };
 DEFSEQTYPE(pa_otp_enc_req, krb5_data, pa_otp_enc_req_fields);
 MAKE_CODEC(krb5_pa_otp_enc_req, pa_otp_enc_req);
+
+DEFFIELD(kkdcp_message_0, krb5_kkdcp_message,
+ kerb_message, 0, ostring_data);
+DEFFIELD(kkdcp_message_1, krb5_kkdcp_message,
+ target_domain, 1, opt_gstring_data);
+DEFFIELD(kkdcp_message_2, krb5_kkdcp_message,
+ dclocator_hint, 2, opt_int32);
+static const struct atype_info *kkdcp_message_fields[] = {
+ &k5_atype_kkdcp_message_0, &k5_atype_kkdcp_message_1,
+ &k5_atype_kkdcp_message_2
+};
+DEFSEQTYPE(kkdcp_message, krb5_kkdcp_message,
+ kkdcp_message_fields);
+MAKE_CODEC(krb5_kkdcp_message, kkdcp_message);
diff --git a/src/lib/krb5/krb/kfree.c b/src/lib/krb5/krb/kfree.c
index 32b2151..f86c619 100644
--- a/src/lib/krb5/krb/kfree.c
+++ b/src/lib/krb5/krb/kfree.c
@@ -821,3 +821,13 @@ k5_free_pa_otp_req(krb5_context context, krb5_pa_otp_req *val)
 free(val->vendor.data);
 free(val);
 }
+
+void
+k5_free_kkdcp_message(krb5_context context, krb5_kkdcp_message *val)
+{
+ if (val == NULL)
+ return;
+ free(val->target_domain.data);
+ free(val->kerb_message.data);
+ free(val);
+}
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index 863ec02..2d0852d 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -25,6 +25,7 @@ decode_krb5_iakerb_finished
 decode_krb5_iakerb_header
 decode_krb5_kdc_req_body
 decode_krb5_otp_tokeninfo
+decode_krb5_kkdcp_message
 decode_krb5_pa_enc_ts
 decode_krb5_pa_for_user
 decode_krb5_pa_fx_fast_reply
@@ -72,6 +73,7 @@ encode_krb5_iakerb_finished
 encode_krb5_iakerb_header
 encode_krb5_kdc_req_body
 encode_krb5_otp_tokeninfo
+encode_krb5_kkdcp_message
 encode_krb5_pa_enc_ts
 encode_krb5_pa_for_user
 encode_krb5_pa_fx_fast_reply
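Review bot: `decode_krb5_kkdcp_message` is inserted after `decode_krb5_otp_tokeninfo`, although the surrounding entries in libkrb5.exports are kept in alphabetical order and it belongs directly after `decode_krb5_kdc_req_body`; the same holds for `encode_krb5_kkdcp_message` in the next hunk and `k5_free_kkdcp_message` in the k5_free hunk that follows. Keeping the export list sorted makes later additions and duplicate checks mechanical.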
@@ -113,6 +115,7 @@ k5_expand_path_tokens
 k5_expand_path_tokens_extra
 k5_free_algorithm_identifier
 k5_free_otp_tokeninfo
+k5_free_kkdcp_message
 k5_free_pa_otp_challenge
 k5_free_pa_otp_req
 k5_free_serverlist
diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c
index 8719978..f12bb16 100644
--- a/src/tests/asn.1/krb5_decode_test.c
+++ b/src/tests/asn.1/krb5_decode_test.c
@@ -54,6 +54,8 @@ static void ktest_free_reply_key_pack(krb5_context context,
 static void ktest_free_reply_key_pack_draft9(krb5_context context,
 krb5_reply_key_pack_draft9 *val);
 #endif
+static void ktest_free_kkdcp_message(krb5_context context,
+ krb5_kkdcp_message *val);
 int main(argc, argv)
 int argc;
@@ -1077,6 +1079,13 @@ int main(argc, argv) ktest_empty_data(&ref); } + /****************************************************************/ + /* decode_krb5_kkdcp_message */ + { + setup(krb5_kkdcp_message,ktest_make_sample_kkdcp_message); + decode_run("kkdcp_message","","30 82 01 FC A0 82 01 EC 04 82 01 E8 6A 82 01 E4 30 82 01 E0 A1 03 02 01 05 A2 03 02 01 0A A3 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A4 82 01 AA 30 82 01 A6 A0 07 03 05 00 FE DC BA 98 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A1 0A 1B 08 6B 72 62 35 64 61 74 61",decode_krb5_kkdcp_message,ktest_equal_kkdcp_message,ktest_free_kkdcp_message); + } + #ifndef DISABLE_PKINIT /****************************************************************/ 
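Review bot: The only decode vector is the fully-populated message; `target_domain` and `dclocator_hint` are optional on the wire (`opt_gstring_data`/`opt_int32` in asn1_k_encode.c) but no test omits them, whereas the neighbouring pa_otp_req case has an `(optionals NULL)` variant in reference_encode.out. A second `decode_run` whose input lacks contexts [1] and [2], checked against a sample with an empty target_domain and dclocator_hint at -1 (the value ktest_empty_kkdcp_message uses, presumably the absent marker), plus the matching `encode_run` in the krb5_encode_test.c hunk, would pin down how absence round-trips in both directions. main() begins and ends outside this hunk.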
@@ -1262,3 +1271,12 @@ ktest_free_reply_key_pack_draft9(krb5_context context,
 }
 #endif /* not DISABLE_PKINIT */
+
+static void
+ktest_free_kkdcp_message(krb5_context context,
+ krb5_kkdcp_message *val)
+{
+ if (val)
+ ktest_empty_kkdcp_message(val);
+ free(val);
+}
diff --git a/src/tests/asn.1/krb5_encode_test.c b/src/tests/asn.1/krb5_encode_test.c
index 638f6fe..3ba8684 100644
--- a/src/tests/asn.1/krb5_encode_test.c
+++ b/src/tests/asn.1/krb5_encode_test.c
@@ -734,6 +734,14 @@ main(argc, argv)
 encode_run(d, "pa_otp_enc_req", "", encode_krb5_pa_otp_enc_req);
 ktest_empty_data(&d);
 }
+ /****************************************************************/
+ /* encode_krb5_kkdcp_message */
+ {
+ krb5_kkdcp_message info;
+ ktest_make_sample_kkdcp_message(&info);
+ encode_run(info, "kkdcp_message", "", encode_krb5_kkdcp_message);
+ ktest_empty_kkdcp_message(&info);
+ }
 #ifndef DISABLE_PKINIT
 /****************************************************************/
 /* encode_krb5_pa_pk_as_req */
diff --git a/src/tests/asn.1/ktest.c b/src/tests/asn.1/ktest.c
index aa41fd8..4ce9f70 100644
--- a/src/tests/asn.1/ktest.c
+++ b/src/tests/asn.1/ktest.c
@@ -933,6 +933,21 @@ ktest_make_sample_ldap_seqof_key_data(ldap_seqof_key_data *p)
 }
 #endif
+void
+ktest_make_sample_kkdcp_message(krb5_kkdcp_message *p)
+{
+ krb5_kdc_req req;
+ krb5_data *message;
+
+ ktest_make_sample_kdc_req(&req);
+ req.msg_type = KRB5_AS_REQ;
+ encode_krb5_as_req(&req, &message);
+ p->kerb_message = *message;
+ free(message);
+ ktest_empty_kdc_req(&req);
+ ktest_make_sample_data(&(p->target_domain));
+ p->dclocator_hint = 0;
+}
 /****************************************************************/
 /* destructors */
@@ -1731,3 +1746,11 @@ ktest_empty_ldap_seqof_key_data(krb5_context ctx, ldap_seqof_key_data *p)
 free(p->key_data);
 }
 #endif
+
+void
+ktest_empty_kkdcp_message(krb5_kkdcp_message *p)
+{
+ ktest_empty_data(&p->kerb_message);
+ ktest_empty_data(&p->target_domain);
+ p->dclocator_hint = -1;
+}
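Review bot: In ktest_make_sample_kkdcp_message the return value of `encode_krb5_as_req(&req, &message)` is ignored, and `message` is declared without an initializer, so an encode failure leaves the next line dereferencing an indeterminate pointer. A fixture should fail loudly instead: `if (encode_krb5_as_req(&req, &message) != 0) abort();`. Whether the sibling ktest_make_sample_* builders check their encoders is outside this hunk, so the same pattern may exist elsewhere in the file.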
diff --git a/src/tests/asn.1/ktest.h b/src/tests/asn.1/ktest.h
index 67a6c69..a9ebb77 100644
--- a/src/tests/asn.1/ktest.h
+++ b/src/tests/asn.1/ktest.h
@@ -119,6 +119,9 @@ void ktest_make_sample_pkinit_supp_pub_info(krb5_pkinit_supp_pub_info *p);
 #ifdef ENABLE_LDAP
 void ktest_make_sample_ldap_seqof_key_data(ldap_seqof_key_data *p);
 #endif
+
+void ktest_make_sample_kkdcp_message(krb5_kkdcp_message *p);
+
 /*----------------------------------------------------------------------*/
 void ktest_empty_authorization_data(krb5_authdata **ad);
@@ -200,6 +203,8 @@ void ktest_empty_pkinit_supp_pub_info(krb5_pkinit_supp_pub_info *p);
 void ktest_empty_ldap_seqof_key_data(krb5_context, ldap_seqof_key_data *p);
 #endif
+void ktest_empty_kkdcp_message(krb5_kkdcp_message *p);
+
 extern krb5_context test_context;
 extern char *sample_principal_name;
diff --git a/src/tests/asn.1/ktest_equal.c b/src/tests/asn.1/ktest_equal.c
index 4e71242..39c35b5 100644
--- a/src/tests/asn.1/ktest_equal.c
+++ b/src/tests/asn.1/ktest_equal.c
@@ -1039,3 +1039,15 @@ ktest_equal_reply_key_pack_draft9(krb5_reply_key_pack_draft9 *ref,
 }
 #endif /* not DISABLE_PKINIT */
+
+int
+ktest_equal_kkdcp_message(krb5_kkdcp_message *ref, krb5_kkdcp_message *var)
+{
+ int p = TRUE;
+ if (ref == var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p = p && data_eq(ref->kerb_message, var->kerb_message);
+ p = p && data_eq(ref->target_domain, var->target_domain);
+ p = p && (ref->dclocator_hint == var->dclocator_hint);
+ return p;
+}
diff --git a/src/tests/asn.1/ktest_equal.h b/src/tests/asn.1/ktest_equal.h
index e75f86a..491653f 100644
--- a/src/tests/asn.1/ktest_equal.h
+++ b/src/tests/asn.1/ktest_equal.h
@@ -145,4 +145,7 @@ generic(ktest_equal_reply_key_pack, krb5_reply_key_pack);
 generic(ktest_equal_reply_key_pack_draft9, krb5_reply_key_pack_draft9);
 #endif /* not DISABLE_PKINIT */
+int ktest_equal_kkdcp_message(krb5_kkdcp_message *ref,
+ krb5_kkdcp_message *var);
+
 #endif
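Review bot: The prototype for `ktest_equal_kkdcp_message` in ktest_equal.h is written out by hand while the adjacent declarations go through the file's `generic()` macro, which from its uses here appears to expand to the same `(type *ref, type *var)` shape; `generic(ktest_equal_kkdcp_message, krb5_kkdcp_message);` would keep the header uniform. If the macro does not fit for some reason, a short comment saying why would stop the next reader from "fixing" it.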
diff --git a/src/tests/asn.1/reference_encode.out b/src/tests/asn.1/reference_encode.out
index 315e25b..b737da3 100644
--- a/src/tests/asn.1/reference_encode.out
+++ b/src/tests/asn.1/reference_encode.out
@@ -68,3 +68,4 @@ encode_krb5_pa_otp_challenge: 30 81 A5 80 08 6D 61 78 6E 6F 6E 63 65 81 0B 74 65 encode_krb5_pa_otp_req(optionals NULL): 30 2C 80 05 00 00 00 00 00 A2 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 encode_krb5_pa_otp_req: 30 81 B9 80 05 00 60 00 00 00 81 05 6E 6F 6E 63 65 A2 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A3 0B 06 09 60 86 48 01 65 03 04 02 01 84 02 03 E8 85 05 66 72 6F 67 73 86 0A 6D 79 66 69 72 73 74 70 69 6E 87 05 68 61 72 6B 21 88 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 89 03 33 34 36 8A 01 02 8B 09 79 6F 75 72 74 6F 6B 65 6E 8C 28 75 72 6E 3A 69 65 74 66 3A 70 61 72 61 6D 73 3A 78 6D 6C 3A 6E 73 3A 6B 65 79 70 72 6F 76 3A 70 73 6B 63 3A 68 6F 74 70 8D 0B 45 78 61 6D 70 6C 65 63 6F 72 70 encode_krb5_pa_otp_enc_req: 30 0A 80 08 6B 72 62 35 64 61 74 61 +encode_krb5_kkdcp_message: 30 82 01 FC A0 82 01 EC 04 82 01 E8 6A 82 01 E4 30 82 01 E0 A1 03 02 01 05 A2 03 02 01 0A A3 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A4 82 01 AA 30 82 01 A6 A0 07 03 05 00 FE DC BA 98 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 
01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A1 0A 1B 08 6B 72 62 35 64 61 74 61 diff --git a/src/tests/asn.1/trval_reference.out b/src/tests/asn.1/trval_reference.out index 461021e..599580c 100644 --- a/src/tests/asn.1/trval_reference.out +++ b/src/tests/asn.1/trval_reference.out 
@@ -1478,3 +1478,40 @@ encode_krb5_pa_otp_enc_req: [Sequence/Sequence Of] . [0] <8> 6b 72 62 35 64 61 74 61 krb5data + +encode_krb5_kkdcp_message: + +[Sequence/Sequence Of] +. [0] [Octet String] <488> + 6a 82 01 e4 30 82 01 e0 a1 03 02 01 05 a2 03 02 j...0........... + 01 0a a3 26 30 24 30 10 a1 03 02 01 0d a2 09 04 ...&0$0......... + 07 70 61 2d 64 61 74 61 30 10 a1 03 02 01 0d a2 .pa-data0....... + 09 04 07 70 61 2d 64 61 74 61 a4 82 01 aa 30 82 ...pa-data....0. + 01 a6 a0 07 03 05 00 fe dc ba 98 a1 1a 30 18 a0 .............0.. + 03 02 01 01 a1 11 30 0f 1b 06 68 66 74 73 61 69 ......0...hftsai + 1b 05 65 78 74 72 61 a2 10 1b 0e 41 54 48 45 4e ..extra....ATHEN + 41 2e 4d 49 54 2e 45 44 55 a3 1a 30 18 a0 03 02 A.MIT.EDU..0.... + 01 01 a1 11 30 0f 1b 06 68 66 74 73 61 69 1b 05 ....0...hftsai.. + 65 78 74 72 61 a4 11 18 0f 31 39 39 34 30 36 31 extra....1994061 + 30 30 36 30 33 31 37 5a a5 11 18 0f 31 39 39 34 0060317Z....1994 + 30 36 31 30 30 36 30 33 31 37 5a a6 11 18 0f 31 0610060317Z....1 + 39 39 34 30 36 31 30 30 36 30 33 31 37 5a a7 03 9940610060317Z.. + 02 01 2a a8 08 30 06 02 01 00 02 01 01 a9 20 30 ..*..0........ 0 + 1e 30 0d a0 03 02 01 02 a1 06 04 04 12 d0 00 23 .0.............# + 30 0d a0 03 02 01 02 a1 06 04 04 12 d0 00 23 aa 0.............#. + 25 30 23 a0 03 02 01 00 a1 03 02 01 05 a2 17 04 %0#............. + 15 6b 72 62 41 53 4e 2e 31 20 74 65 73 74 20 6d .krbASN.1 test m + 65 73 73 61 67 65 ab 81 bf 30 81 bc 61 5c 30 5a essage...0..a\0Z + a0 03 02 01 05 a1 10 1b 0e 41 54 48 45 4e 41 2e .........ATHENA. + 4d 49 54 2e 45 44 55 a2 1a 30 18 a0 03 02 01 01 MIT.EDU..0...... + a1 11 30 0f 1b 06 68 66 74 73 61 69 1b 05 65 78 ..0...hftsai..ex + 74 72 61 a3 25 30 23 a0 03 02 01 00 a1 03 02 01 tra.%0#......... + 05 a2 17 04 15 6b 72 62 41 53 4e 2e 31 20 74 65 .....krbASN.1 te + 73 74 20 6d 65 73 73 61 67 65 61 5c 30 5a a0 03 st messagea\0Z.. 
+ 02 01 05 a1 10 1b 0e 41 54 48 45 4e 41 2e 4d 49 .......ATHENA.MI + 54 2e 45 44 55 a2 1a 30 18 a0 03 02 01 01 a1 11 T.EDU..0........ + 30 0f 1b 06 68 66 74 73 61 69 1b 05 65 78 74 72 0...hftsai..extr + 61 a3 25 30 23 a0 03 02 01 00 a1 03 02 01 05 a2 a.%0#........... + 17 04 15 6b 72 62 41 53 4e 2e 31 20 74 65 73 74 ...krbASN.1 test + 20 6d 65 73 73 61 67 65 message +. [1] [General string] "krb5data" -- 2.1.0