kdc: remove temporary krb5_context variable
Use r->context (the krb5_context carried by the request) instead of a temporary local context variable, wherever the request is available.
11
kdc/fast.c
11
kdc/fast.c
@@ -334,7 +334,6 @@ _kdc_fast_mk_error(astgs_request_t r,
|
||||
time_t *csec, int *cusec,
|
||||
krb5_data *error_msg)
|
||||
{
|
||||
krb5_context context = r->context;
|
||||
krb5_error_code ret;
|
||||
krb5_data e_data;
|
||||
size_t size;
|
||||
@@ -365,7 +364,7 @@ _kdc_fast_mk_error(astgs_request_t r,
|
||||
|
||||
/* first add the KRB-ERROR to the fast errors */
|
||||
|
||||
ret = krb5_mk_error(context,
|
||||
ret = krb5_mk_error(r->context,
|
||||
outer_error,
|
||||
e_text,
|
||||
NULL,
|
||||
@@ -377,7 +376,7 @@ _kdc_fast_mk_error(astgs_request_t r,
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
ret = krb5_padata_add(context, error_method,
|
||||
ret = krb5_padata_add(r->context, error_method,
|
||||
KRB5_PADATA_FX_ERROR,
|
||||
e_data.data, e_data.length);
|
||||
if (ret) {
|
||||
@@ -394,14 +393,14 @@ _kdc_fast_mk_error(astgs_request_t r,
|
||||
csec = 0;
|
||||
cusec = 0;
|
||||
|
||||
ret = _kdc_fast_mk_response(context, armor_crypto,
|
||||
ret = _kdc_fast_mk_response(r->context, armor_crypto,
|
||||
error_method, NULL, NULL,
|
||||
req_body->nonce, &e_data);
|
||||
free_METHOD_DATA(error_method);
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
ret = krb5_padata_add(context, error_method,
|
||||
ret = krb5_padata_add(r->context, error_method,
|
||||
KRB5_PADATA_FX_FAST,
|
||||
e_data.data, e_data.length);
|
||||
if (ret)
|
||||
@@ -416,7 +415,7 @@ _kdc_fast_mk_error(astgs_request_t r,
|
||||
heim_assert(size == e_data.length, "internal asn.1 encoder error");
|
||||
}
|
||||
|
||||
ret = krb5_mk_error(context,
|
||||
ret = krb5_mk_error(r->context,
|
||||
outer_error,
|
||||
e_text,
|
||||
(e_data.length ? &e_data : NULL),
|
||||
|
146
kdc/kerberos5.c
146
kdc/kerberos5.c
@@ -158,7 +158,6 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
|
||||
krb5_enctype *ret_enctype, Key **ret_key,
|
||||
krb5_boolean *ret_default_salt)
|
||||
{
|
||||
krb5_context context = r->context;
|
||||
krb5_boolean use_strongest_session_key;
|
||||
krb5_boolean is_preauth = flags & KFE_IS_PREAUTH;
|
||||
krb5_boolean is_tgs = flags & KFE_IS_TGS;
|
||||
@@ -189,7 +188,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
|
||||
r->config->svc_use_strongest_session_key);
|
||||
|
||||
/* We'll want to avoid keys with v4 salted keys in the pre-auth case... */
|
||||
ret = krb5_get_pw_salt(context, request_princ, &def_salt);
|
||||
ret = krb5_get_pw_salt(r->context, request_princ, &def_salt);
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
@@ -223,11 +222,11 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
|
||||
*/
|
||||
|
||||
/* drive the search with local supported enctypes list */
|
||||
p = krb5_kerberos_enctypes(context);
|
||||
p = krb5_kerberos_enctypes(r->context);
|
||||
for (i = 0;
|
||||
p[i] != (krb5_enctype)ETYPE_NULL && enctype == (krb5_enctype)ETYPE_NULL;
|
||||
i++) {
|
||||
if (krb5_enctype_valid(context, p[i]) != 0 &&
|
||||
if (krb5_enctype_valid(r->context, p[i]) != 0 &&
|
||||
!_kdc_is_weak_exception(princ->entry.principal, p[i]))
|
||||
continue;
|
||||
|
||||
@@ -269,7 +268,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
|
||||
* PA-ETYPE-INFO* or because we're selecting a session key
|
||||
* enctype.
|
||||
*/
|
||||
while (hdb_next_enctype2key(context, &princ->entry, NULL,
|
||||
while (hdb_next_enctype2key(r->context, &princ->entry, NULL,
|
||||
p[i], &key) == 0) {
|
||||
if (key->key.keyvalue.length == 0) {
|
||||
ret = KRB5KDC_ERR_NULL_KEY;
|
||||
@@ -296,13 +295,13 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
|
||||
*/
|
||||
for(i = 0; ret != 0 && i < len; i++) {
|
||||
|
||||
if (krb5_enctype_valid(context, etypes[i]) != 0 &&
|
||||
if (krb5_enctype_valid(r->context, etypes[i]) != 0 &&
|
||||
!_kdc_is_weak_exception(princ->entry.principal, etypes[i]))
|
||||
continue;
|
||||
|
||||
key = NULL;
|
||||
while (ret != 0 &&
|
||||
hdb_next_enctype2key(context, &princ->entry, NULL,
|
||||
hdb_next_enctype2key(r->context, &princ->entry, NULL,
|
||||
etypes[i], &key) == 0) {
|
||||
if (key->key.keyvalue.length == 0) {
|
||||
ret = KRB5KDC_ERR_NULL_KEY;
|
||||
@@ -341,7 +340,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
|
||||
*ret_default_salt = is_default_salt_p(&def_salt, key);
|
||||
}
|
||||
|
||||
krb5_free_salt (context, def_salt);
|
||||
krb5_free_salt (r->context, def_salt);
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -420,7 +419,6 @@ _kdc_log_timestamp(astgs_request_t r, const char *type,
|
||||
KerberosTime authtime, KerberosTime *starttime,
|
||||
KerberosTime endtime, KerberosTime *renew_till)
|
||||
{
|
||||
krb5_context context = r->context;
|
||||
krb5_kdc_configuration *config = r->config;
|
||||
char authtime_str[100], starttime_str[100],
|
||||
endtime_str[100], renewtime_str[100];
|
||||
@@ -436,22 +434,22 @@ _kdc_log_timestamp(astgs_request_t r, const char *type,
|
||||
_kdc_audit_addkv((kdc_request_t)r, 0, "renew", "%ld",
|
||||
(long)*renew_till);
|
||||
|
||||
krb5_format_time(context, authtime,
|
||||
krb5_format_time(r->context, authtime,
|
||||
authtime_str, sizeof(authtime_str), TRUE);
|
||||
if (starttime)
|
||||
krb5_format_time(context, *starttime,
|
||||
krb5_format_time(r->context, *starttime,
|
||||
starttime_str, sizeof(starttime_str), TRUE);
|
||||
else
|
||||
strlcpy(starttime_str, "unset", sizeof(starttime_str));
|
||||
krb5_format_time(context, endtime,
|
||||
krb5_format_time(r->context, endtime,
|
||||
endtime_str, sizeof(endtime_str), TRUE);
|
||||
if (renew_till)
|
||||
krb5_format_time(context, *renew_till,
|
||||
krb5_format_time(r->context, *renew_till,
|
||||
renewtime_str, sizeof(renewtime_str), TRUE);
|
||||
else
|
||||
strlcpy(renewtime_str, "unset", sizeof(renewtime_str));
|
||||
|
||||
kdc_log(context, config, 4,
|
||||
kdc_log(r->context, config, 4,
|
||||
"%s authtime: %s starttime: %s endtime: %s renew till: %s",
|
||||
type, authtime_str, starttime_str, endtime_str, renewtime_str);
|
||||
}
|
||||
@@ -930,7 +928,6 @@ static const struct kdc_patypes pat[] = {
|
||||
static void
|
||||
log_patypes(astgs_request_t r, METHOD_DATA *padata)
|
||||
{
|
||||
krb5_context context = r->context;
|
||||
krb5_kdc_configuration *config = r->config;
|
||||
struct rk_strpool *p = NULL;
|
||||
char *str;
|
||||
@@ -948,7 +945,7 @@ log_patypes(astgs_request_t r, METHOD_DATA *padata)
|
||||
if (p && n + 1 < padata->len)
|
||||
p = rk_strpoolprintf(p, ", ");
|
||||
if (p == NULL) {
|
||||
kdc_log(context, config, 1, "out of memory");
|
||||
kdc_log(r->context, config, 1, "out of memory");
|
||||
return;
|
||||
}
|
||||
}
|
||||
@@ -956,7 +953,7 @@ log_patypes(astgs_request_t r, METHOD_DATA *padata)
|
||||
p = rk_strpoolprintf(p, "none");
|
||||
|
||||
str = rk_strpoolcollect(p);
|
||||
kdc_log(context, config, 4, "Client sent patypes: %s", str);
|
||||
kdc_log(r->context, config, 4, "Client sent patypes: %s", str);
|
||||
_kdc_audit_addkv((kdc_request_t)r, KDC_AUDIT_EATWHITE,
|
||||
"client-pa", "%s", str);
|
||||
free(str);
|
||||
@@ -1461,7 +1458,6 @@ get_pa_etype_info_both(krb5_context context,
|
||||
void
|
||||
_log_astgs_req(astgs_request_t r, krb5_enctype setype)
|
||||
{
|
||||
krb5_context context = r->context;
|
||||
const KDC_REQ_BODY *b = &r->req.req_body;
|
||||
krb5_enctype cetype = r->reply_key.keytype;
|
||||
krb5_error_code ret;
|
||||
@@ -1483,7 +1479,7 @@ _log_astgs_req(astgs_request_t r, krb5_enctype setype)
|
||||
p = rk_strpoolprintf(NULL, "%s", "Client supported enctypes: ");
|
||||
|
||||
for (i = 0; i < b->etype.len; i++) {
|
||||
ret = krb5_enctype_to_string(context, b->etype.val[i], &str);
|
||||
ret = krb5_enctype_to_string(r->context, b->etype.val[i], &str);
|
||||
if (ret == 0) {
|
||||
p = rk_strpoolprintf(p, "%s", str);
|
||||
free(str);
|
||||
@@ -1509,9 +1505,9 @@ _log_astgs_req(astgs_request_t r, krb5_enctype setype)
|
||||
str);
|
||||
free(str);
|
||||
|
||||
ret = krb5_enctype_to_string(context, cetype, &cet);
|
||||
ret = krb5_enctype_to_string(r->context, cetype, &cet);
|
||||
if(ret == 0) {
|
||||
ret = krb5_enctype_to_string(context, setype, &set);
|
||||
ret = krb5_enctype_to_string(r->context, setype, &set);
|
||||
if (ret == 0) {
|
||||
p = rk_strpoolprintf(p, ", using %s/%s", cet, set);
|
||||
free(set);
|
||||
@@ -1554,8 +1550,6 @@ kdc_check_flags(astgs_request_t r,
|
||||
hdb_entry_ex *client_ex,
|
||||
hdb_entry_ex *server_ex)
|
||||
{
|
||||
krb5_context context = r->context;
|
||||
|
||||
if (client_ex != NULL) {
|
||||
hdb_entry *client = &client_ex->entry;
|
||||
|
||||
@@ -1579,7 +1573,7 @@ kdc_check_flags(astgs_request_t r,
|
||||
|
||||
if (client->valid_start && *client->valid_start > kdc_time) {
|
||||
char starttime_str[100];
|
||||
krb5_format_time(context, *client->valid_start,
|
||||
krb5_format_time(r->context, *client->valid_start,
|
||||
starttime_str, sizeof(starttime_str), TRUE);
|
||||
_kdc_audit_addreason((kdc_request_t)r, "Client not yet valid "
|
||||
"until %s", starttime_str);
|
||||
@@ -1588,7 +1582,7 @@ kdc_check_flags(astgs_request_t r,
|
||||
|
||||
if (client->valid_end && *client->valid_end < kdc_time) {
|
||||
char endtime_str[100];
|
||||
krb5_format_time(context, *client->valid_end,
|
||||
krb5_format_time(r->context, *client->valid_end,
|
||||
endtime_str, sizeof(endtime_str), TRUE);
|
||||
_kdc_audit_addreason((kdc_request_t)r, "Client expired at %s",
|
||||
endtime_str);
|
||||
@@ -1602,7 +1596,7 @@ kdc_check_flags(astgs_request_t r,
|
||||
if (client->pw_end && *client->pw_end < kdc_time
|
||||
&& (server_ex == NULL || !server_ex->entry.flags.change_pw)) {
|
||||
char pwend_str[100];
|
||||
krb5_format_time(context, *client->pw_end,
|
||||
krb5_format_time(r->context, *client->pw_end,
|
||||
pwend_str, sizeof(pwend_str), TRUE);
|
||||
_kdc_audit_addreason((kdc_request_t)r, "Client's key has expired "
|
||||
"at %s", pwend_str);
|
||||
@@ -1638,7 +1632,7 @@ kdc_check_flags(astgs_request_t r,
|
||||
|
||||
if (server->valid_start && *server->valid_start > kdc_time) {
|
||||
char starttime_str[100];
|
||||
krb5_format_time(context, *server->valid_start,
|
||||
krb5_format_time(r->context, *server->valid_start,
|
||||
starttime_str, sizeof(starttime_str), TRUE);
|
||||
_kdc_audit_addreason((kdc_request_t)r, "Server not yet valid "
|
||||
"until %s", starttime_str);
|
||||
@@ -1647,7 +1641,7 @@ kdc_check_flags(astgs_request_t r,
|
||||
|
||||
if (server->valid_end && *server->valid_end < kdc_time) {
|
||||
char endtime_str[100];
|
||||
krb5_format_time(context, *server->valid_end,
|
||||
krb5_format_time(r->context, *server->valid_end,
|
||||
endtime_str, sizeof(endtime_str), TRUE);
|
||||
_kdc_audit_addreason((kdc_request_t)r, "Server expired at %s",
|
||||
endtime_str);
|
||||
@@ -1656,7 +1650,7 @@ kdc_check_flags(astgs_request_t r,
|
||||
|
||||
if (server->pw_end && *server->pw_end < kdc_time) {
|
||||
char pwend_str[100];
|
||||
krb5_format_time(context, *server->pw_end,
|
||||
krb5_format_time(r->context, *server->pw_end,
|
||||
pwend_str, sizeof(pwend_str), TRUE);
|
||||
_kdc_audit_addreason((kdc_request_t)r, "Server's key has expired "
|
||||
"at %s", pwend_str);
|
||||
@@ -1676,7 +1670,6 @@ krb5_boolean
|
||||
_kdc_check_addresses(astgs_request_t r, HostAddresses *addresses,
|
||||
const struct sockaddr *from)
|
||||
{
|
||||
krb5_context context = r->context;
|
||||
krb5_kdc_configuration *config = r->config;
|
||||
krb5_error_code ret;
|
||||
krb5_address addr;
|
||||
@@ -1710,12 +1703,12 @@ _kdc_check_addresses(astgs_request_t r, HostAddresses *addresses,
|
||||
if(only_netbios)
|
||||
return config->allow_null_ticket_addresses;
|
||||
|
||||
ret = krb5_sockaddr2address (context, from, &addr);
|
||||
ret = krb5_sockaddr2address (r->context, from, &addr);
|
||||
if(ret)
|
||||
return FALSE;
|
||||
|
||||
result = krb5_address_search(context, &addr, addresses);
|
||||
krb5_free_address (context, &addr);
|
||||
result = krb5_address_search(r->context, &addr, addresses);
|
||||
krb5_free_address (r->context, &addr);
|
||||
return result;
|
||||
}
|
||||
|
||||
@@ -1928,7 +1921,6 @@ get_local_tgs(krb5_context context,
|
||||
krb5_error_code
|
||||
_kdc_as_rep(astgs_request_t r)
|
||||
{
|
||||
krb5_context context = r->context;
|
||||
krb5_kdc_configuration *config = r->config;
|
||||
KDC_REQ *req = &r->req;
|
||||
const char *from = r->from;
|
||||
@@ -1969,12 +1961,12 @@ _kdc_as_rep(astgs_request_t r)
|
||||
goto out;
|
||||
}
|
||||
|
||||
ret = _krb5_principalname2krb5_principal(context, &r->server_princ,
|
||||
ret = _krb5_principalname2krb5_principal(r->context, &r->server_princ,
|
||||
*(b->sname), b->realm);
|
||||
if (!ret)
|
||||
ret = krb5_unparse_name(context, r->server_princ, &r->sname);
|
||||
ret = krb5_unparse_name(r->context, r->server_princ, &r->sname);
|
||||
if (ret) {
|
||||
kdc_log(context, config, 2,
|
||||
kdc_log(r->context, config, 2,
|
||||
"AS_REQ malformed server name from %s", from);
|
||||
goto out;
|
||||
}
|
||||
@@ -1985,48 +1977,48 @@ _kdc_as_rep(astgs_request_t r)
|
||||
goto out;
|
||||
}
|
||||
|
||||
ret = _krb5_principalname2krb5_principal(context, &r->client_princ,
|
||||
ret = _krb5_principalname2krb5_principal(r->context, &r->client_princ,
|
||||
*(b->cname), b->realm);
|
||||
if (!ret)
|
||||
ret = krb5_unparse_name(context, r->client_princ, &r->cname);
|
||||
ret = krb5_unparse_name(r->context, r->client_princ, &r->cname);
|
||||
if (ret) {
|
||||
kdc_log(context, config, 2,
|
||||
kdc_log(r->context, config, 2,
|
||||
"AS-REQ malformed client name from %s", from);
|
||||
goto out;
|
||||
}
|
||||
|
||||
kdc_log(context, config, 4, "AS-REQ %s from %s for %s",
|
||||
kdc_log(r->context, config, 4, "AS-REQ %s from %s for %s",
|
||||
r->cname, r->from, r->sname);
|
||||
|
||||
is_tgs = krb5_principal_is_krbtgt(context, r->server_princ);
|
||||
is_tgs = krb5_principal_is_krbtgt(r->context, r->server_princ);
|
||||
|
||||
if (_kdc_is_anonymous(context, r->client_princ) &&
|
||||
if (_kdc_is_anonymous(r->context, r->client_princ) &&
|
||||
!_kdc_is_anon_request(req)) {
|
||||
kdc_log(context, config, 2, "Anonymous client w/o anonymous flag");
|
||||
kdc_log(r->context, config, 2, "Anonymous client w/o anonymous flag");
|
||||
ret = KRB5KDC_ERR_BADOPTION;
|
||||
goto out;
|
||||
}
|
||||
|
||||
ret = _kdc_db_fetch(context, config, r->client_princ,
|
||||
ret = _kdc_db_fetch(r->context, config, r->client_princ,
|
||||
HDB_F_GET_CLIENT | HDB_F_SYNTHETIC_OK | flags, NULL,
|
||||
&r->clientdb, &r->client);
|
||||
switch (ret) {
|
||||
case 0: /* Success */
|
||||
break;
|
||||
case HDB_ERR_NOT_FOUND_HERE:
|
||||
kdc_log(context, config, 5, "client %s does not have secrets at this KDC, need to proxy",
|
||||
kdc_log(r->context, config, 5, "client %s does not have secrets at this KDC, need to proxy",
|
||||
r->cname);
|
||||
goto out;
|
||||
case HDB_ERR_WRONG_REALM: {
|
||||
char *fixed_client_name = NULL;
|
||||
|
||||
ret = krb5_unparse_name(context, r->client->entry.principal,
|
||||
ret = krb5_unparse_name(r->context, r->client->entry.principal,
|
||||
&fixed_client_name);
|
||||
if (ret) {
|
||||
goto out;
|
||||
}
|
||||
|
||||
kdc_log(context, config, 4, "WRONG_REALM - %s -> %s",
|
||||
kdc_log(r->context, config, 4, "WRONG_REALM - %s -> %s",
|
||||
r->cname, fixed_client_name);
|
||||
free(fixed_client_name);
|
||||
|
||||
@@ -2038,13 +2030,13 @@ _kdc_as_rep(astgs_request_t r)
|
||||
goto out;
|
||||
}
|
||||
default:
|
||||
msg = krb5_get_error_message(context, ret);
|
||||
kdc_log(context, config, 4, "UNKNOWN -- %s: %s", r->cname, msg);
|
||||
krb5_free_error_message(context, msg);
|
||||
msg = krb5_get_error_message(r->context, ret);
|
||||
kdc_log(r->context, config, 4, "UNKNOWN -- %s: %s", r->cname, msg);
|
||||
krb5_free_error_message(r->context, msg);
|
||||
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
|
||||
goto out;
|
||||
}
|
||||
ret = _kdc_db_fetch(context, config, r->server_princ,
|
||||
ret = _kdc_db_fetch(r->context, config, r->server_princ,
|
||||
HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS |
|
||||
flags | (is_tgs ? HDB_F_GET_KRBTGT : 0),
|
||||
NULL, NULL, &r->server);
|
||||
@@ -2052,13 +2044,13 @@ _kdc_as_rep(astgs_request_t r)
|
||||
case 0: /* Success */
|
||||
break;
|
||||
case HDB_ERR_NOT_FOUND_HERE:
|
||||
kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy",
|
||||
kdc_log(r->context, config, 5, "target %s does not have secrets at this KDC, need to proxy",
|
||||
r->sname);
|
||||
goto out;
|
||||
default:
|
||||
msg = krb5_get_error_message(context, ret);
|
||||
kdc_log(context, config, 4, "UNKNOWN -- %s: %s", r->sname, msg);
|
||||
krb5_free_error_message(context, msg);
|
||||
msg = krb5_get_error_message(r->context, ret);
|
||||
kdc_log(r->context, config, 4, "UNKNOWN -- %s: %s", r->sname, msg);
|
||||
krb5_free_error_message(r->context, msg);
|
||||
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
|
||||
goto out;
|
||||
}
|
||||
@@ -2072,7 +2064,7 @@ _kdc_as_rep(astgs_request_t r)
|
||||
b->etype.val, b->etype.len,
|
||||
&r->sessionetype, NULL, NULL);
|
||||
if (ret) {
|
||||
kdc_log(context, config, 4,
|
||||
kdc_log(r->context, config, 4,
|
||||
"Client (%s) from %s has no common enctypes with KDC "
|
||||
"to use for the session key",
|
||||
r->cname, from);
|
||||
@@ -2096,14 +2088,14 @@ _kdc_as_rep(astgs_request_t r)
|
||||
if (r->armor_crypto == NULL && (pat[n].flags & PA_REQ_FAST))
|
||||
continue;
|
||||
|
||||
kdc_log(context, config, 5,
|
||||
kdc_log(r->context, config, 5,
|
||||
"Looking for %s pa-data -- %s", pat[n].name, r->cname);
|
||||
i = 0;
|
||||
pa = _kdc_find_padata(req, &i, pat[n].type);
|
||||
if (pa) {
|
||||
if (r->client->entry.flags.synthetic &&
|
||||
!(pat[n].flags & PA_SYNTHETIC_OK)) {
|
||||
kdc_log(context, config, 4, "UNKNOWN -- %s", r->cname);
|
||||
kdc_log(r->context, config, 4, "UNKNOWN -- %s", r->cname);
|
||||
ret = HDB_ERR_NOENTRY;
|
||||
goto out;
|
||||
}
|
||||
@@ -2122,14 +2114,14 @@ _kdc_as_rep(astgs_request_t r)
|
||||
b->etype.val, b->etype.len,
|
||||
NULL, &ckey, &default_salt);
|
||||
if (ret2 == 0) {
|
||||
ret2 = get_pa_etype_info_both(context, config, &b->etype,
|
||||
ret2 = get_pa_etype_info_both(r->context, config, &b->etype,
|
||||
&r->outpadata, ckey, !default_salt);
|
||||
if (ret2 != 0)
|
||||
ret = ret2;
|
||||
}
|
||||
goto out;
|
||||
}
|
||||
kdc_log(context, config, 4,
|
||||
kdc_log(r->context, config, 4,
|
||||
"%s pre-authentication succeeded -- %s",
|
||||
pat[n].name, r->cname);
|
||||
found_pa = 1;
|
||||
@@ -2144,7 +2136,7 @@ _kdc_as_rep(astgs_request_t r)
|
||||
krb5_boolean default_salt;
|
||||
|
||||
if (r->client->entry.flags.synthetic) {
|
||||
kdc_log(context, config, 4, "UNKNOWN -- %s", r->cname);
|
||||
kdc_log(r->context, config, 4, "UNKNOWN -- %s", r->cname);
|
||||
ret = HDB_ERR_NOENTRY;
|
||||
goto out;
|
||||
}
|
||||
@@ -2152,7 +2144,7 @@ _kdc_as_rep(astgs_request_t r)
|
||||
for (n = 0; n < sizeof(pat) / sizeof(pat[0]); n++) {
|
||||
if ((pat[n].flags & PA_ANNOUNCE) == 0)
|
||||
continue;
|
||||
ret = krb5_padata_add(context, &r->outpadata,
|
||||
ret = krb5_padata_add(r->context, &r->outpadata,
|
||||
pat[n].type, NULL, 0);
|
||||
if (ret)
|
||||
goto out;
|
||||
@@ -2165,7 +2157,7 @@ _kdc_as_rep(astgs_request_t r)
|
||||
b->etype.val, b->etype.len,
|
||||
NULL, &ckey, &default_salt);
|
||||
if (ret == 0) {
|
||||
ret = get_pa_etype_info_both(context, config, &b->etype,
|
||||
ret = get_pa_etype_info_both(r->context, config, &b->etype,
|
||||
&r->outpadata, ckey, !default_salt);
|
||||
if (ret)
|
||||
goto out;
|
||||
@@ -2193,7 +2185,7 @@ _kdc_as_rep(astgs_request_t r)
|
||||
}
|
||||
|
||||
if (r->clientdb->hdb_auth_status) {
|
||||
r->clientdb->hdb_auth_status(context, r->clientdb, r->client,
|
||||
r->clientdb->hdb_auth_status(r->context, r->clientdb, r->client,
|
||||
HDB_AUTH_SUCCESS);
|
||||
}
|
||||
|
||||
@@ -2221,7 +2213,7 @@ _kdc_as_rep(astgs_request_t r)
|
||||
* the client since the client never needs to read that data.
|
||||
*/
|
||||
|
||||
ret = _kdc_get_preferred_key(context, config,
|
||||
ret = _kdc_get_preferred_key(r->context, config,
|
||||
r->server, r->sname,
|
||||
&setype, &skey);
|
||||
if(ret)
|
||||
@@ -2231,12 +2223,12 @@ _kdc_as_rep(astgs_request_t r)
|
||||
if (is_tgs) {
|
||||
krbtgt_key = skey;
|
||||
} else {
|
||||
ret = get_local_tgs(context, config, r->server_princ->realm,
|
||||
ret = get_local_tgs(r->context, config, r->server_princ->realm,
|
||||
&krbtgt);
|
||||
if (ret)
|
||||
goto out;
|
||||
|
||||
ret = _kdc_get_preferred_key(context, config, krbtgt,
|
||||
ret = _kdc_get_preferred_key(r->context, config, krbtgt,
|
||||
r->server_princ->realm,
|
||||
NULL, &krbtgt_key);
|
||||
if (ret)
|
||||
@@ -2257,7 +2249,7 @@ _kdc_as_rep(astgs_request_t r)
|
||||
rep.msg_type = krb_as_rep;
|
||||
|
||||
if (!config->historical_anon_realm &&
|
||||
_kdc_is_anonymous(context, r->client_princ)) {
|
||||
_kdc_is_anonymous(r->context, r->client_princ)) {
|
||||
Realm anon_realm = KRB5_ANON_REALM;
|
||||
ret = copy_Realm(&anon_realm, &rep.crealm);
|
||||
} else if (f.canonicalize || r->client->entry.flags.force_canonicalize)
|
||||
@@ -2478,7 +2470,7 @@ _kdc_as_rep(astgs_request_t r)
|
||||
*/
|
||||
|
||||
if (r->session_key.keytype == ETYPE_NULL) {
|
||||
ret = krb5_generate_random_keyblock(context, r->sessionetype, &r->session_key);
|
||||
ret = krb5_generate_random_keyblock(r->context, r->sessionetype, &r->session_key);
|
||||
if (ret)
|
||||
goto out;
|
||||
}
|
||||
@@ -2510,7 +2502,7 @@ _kdc_as_rep(astgs_request_t r)
|
||||
}
|
||||
|
||||
/* Add the PAC */
|
||||
if (send_pac_p(context, req) && !r->et.flags.anonymous) {
|
||||
if (send_pac_p(r->context, req) && !r->et.flags.anonymous) {
|
||||
generate_pac(r, skey, krbtgt_key);
|
||||
}
|
||||
|
||||
@@ -2555,7 +2547,7 @@ _kdc_as_rep(astgs_request_t r)
|
||||
*
|
||||
*/
|
||||
|
||||
ret = _kdc_encode_reply(context, config,
|
||||
ret = _kdc_encode_reply(r->context, config,
|
||||
r, req->req_body.nonce,
|
||||
&rep, &r->et, &r->ek, setype,
|
||||
r->server->entry.kvno, &skey->key,
|
||||
@@ -2597,19 +2589,19 @@ out:
|
||||
if (r->outpadata.len)
|
||||
free_METHOD_DATA(&r->outpadata);
|
||||
if (r->client_princ) {
|
||||
krb5_free_principal(context, r->client_princ);
|
||||
krb5_free_principal(r->context, r->client_princ);
|
||||
r->client_princ = NULL;
|
||||
}
|
||||
if (r->server_princ){
|
||||
krb5_free_principal(context, r->server_princ);
|
||||
krb5_free_principal(r->context, r->server_princ);
|
||||
r->server_princ = NULL;
|
||||
}
|
||||
if (r->client)
|
||||
_kdc_free_ent(context, r->client);
|
||||
_kdc_free_ent(r->context, r->client);
|
||||
if (r->server)
|
||||
_kdc_free_ent(context, r->server);
|
||||
_kdc_free_ent(r->context, r->server);
|
||||
if (krbtgt)
|
||||
_kdc_free_ent(context, krbtgt);
|
||||
_kdc_free_ent(r->context, krbtgt);
|
||||
if (r->armor_crypto) {
|
||||
krb5_crypto_destroy(r->context, r->armor_crypto);
|
||||
r->armor_crypto = NULL;
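Review bot: The return value of `generate_pac(r, skey, krbtgt_key)` in the `/* Add the PAC */` branch of `_kdc_as_rep` is discarded, so if PAC generation fails the reply is still encoded by the `_kdc_encode_reply` call a few lines later and a ticket goes out without a PAC, with nothing logged or audited; this predates the commit, but the hunk rewrites the `send_pac_p` condition directly above it. If `generate_pac` returns a `krb5_error_code` (its definition is outside this hunk, so please confirm), the call should become `ret = generate_pac(r, skey, krbtgt_key); if (ret) goto out;` so that a failed PAC build fails the request instead of silently dropping the authorization data relying parties expect. `_kdc_as_rep` starts and ends outside this hunk.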
|
||||
|
149
kdc/krb5tgs.c
149
kdc/krb5tgs.c
@@ -147,7 +147,6 @@ check_tgs_flags(astgs_request_t r, KDC_REQ_BODY *b,
|
||||
krb5_const_principal tgt_name,
|
||||
const EncTicketPart *tgt, EncTicketPart *et)
|
||||
{
|
||||
krb5_context context = r->context;
|
||||
KDCOptions f = b->kdc_options;
|
||||
|
||||
if(f.validate){
|
||||
@@ -227,7 +226,7 @@ check_tgs_flags(astgs_request_t r, KDC_REQ_BODY *b,
|
||||
*et->starttime = *b->from;
|
||||
et->flags.postdated = 1;
|
||||
et->flags.invalid = 1;
|
||||
} else if (b->from && *b->from > kdc_time + context->max_skew) {
|
||||
} else if (b->from && *b->from > kdc_time + r->context->max_skew) {
|
||||
_kdc_audit_addreason((kdc_request_t)r,
|
||||
"Ticket cannot be postdated");
|
||||
return KRB5KDC_ERR_CANNOT_POSTDATE;
|
||||
@@ -266,7 +265,7 @@ check_tgs_flags(astgs_request_t r, KDC_REQ_BODY *b,
|
||||
* the anonymous principal and the anonymous ticket flag.
|
||||
*/
|
||||
if (tgt->flags.anonymous &&
|
||||
!_kdc_is_anonymous(context, tgt_name)) {
|
||||
!_kdc_is_anonymous(r->context, tgt_name)) {
|
||||
_kdc_audit_addreason((kdc_request_t)r,
|
||||
"Anonymous ticket flag set without "
|
||||
"anonymous principal");
|
||||
@@ -922,7 +921,6 @@ tgs_parse_request(astgs_request_t r,
|
||||
int **cusec,
|
||||
AuthorizationData **auth_data)
|
||||
{
|
||||
krb5_context context = r->context;
|
||||
krb5_kdc_configuration *config = r->config;
|
||||
KDC_REQ_BODY *b = &r->req.req_body;
|
||||
static char failed[] = "<unparse_name failed>";
|
||||
@@ -946,38 +944,38 @@ tgs_parse_request(astgs_request_t r,
|
||||
*cusec = NULL;
|
||||
|
||||
memset(&ap_req, 0, sizeof(ap_req));
|
||||
ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
|
||||
ret = krb5_decode_ap_req(r->context, &tgs_req->padata_value, &ap_req);
|
||||
if(ret){
|
||||
const char *msg = krb5_get_error_message(context, ret);
|
||||
kdc_log(context, config, 4, "Failed to decode AP-REQ: %s", msg);
|
||||
krb5_free_error_message(context, msg);
|
||||
const char *msg = krb5_get_error_message(r->context, ret);
|
||||
kdc_log(r->context, config, 4, "Failed to decode AP-REQ: %s", msg);
|
||||
krb5_free_error_message(r->context, msg);
|
||||
goto out;
|
||||
}
|
||||
|
||||
if(!get_krbtgt_realm(&ap_req.ticket.sname)){
|
||||
/* XXX check for ticket.sname == req.sname */
|
||||
kdc_log(context, config, 4, "PA-DATA is not a ticket-granting ticket");
|
||||
kdc_log(r->context, config, 4, "PA-DATA is not a ticket-granting ticket");
|
||||
ret = KRB5KDC_ERR_POLICY; /* ? */
|
||||
goto out;
|
||||
}
|
||||
|
||||
_krb5_principalname2krb5_principal(context,
|
||||
_krb5_principalname2krb5_principal(r->context,
|
||||
&princ,
|
||||
ap_req.ticket.sname,
|
||||
ap_req.ticket.realm);
|
||||
|
||||
krbtgt_kvno = ap_req.ticket.enc_part.kvno ? *ap_req.ticket.enc_part.kvno : 0;
|
||||
ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT,
|
||||
ret = _kdc_db_fetch(r->context, config, princ, HDB_F_GET_KRBTGT,
|
||||
&krbtgt_kvno, NULL, krbtgt);
|
||||
|
||||
if (ret == HDB_ERR_NOT_FOUND_HERE) {
|
||||
/* XXX Factor out this unparsing of the same princ all over */
|
||||
char *p;
|
||||
ret = krb5_unparse_name(context, princ, &p);
|
||||
ret = krb5_unparse_name(r->context, princ, &p);
|
||||
if (ret != 0)
|
||||
p = failed;
|
||||
krb5_free_principal(context, princ);
|
||||
kdc_log(context, config, 5,
|
||||
krb5_free_principal(r->context, princ);
|
||||
kdc_log(r->context, config, 5,
|
||||
"Ticket-granting ticket account %s does not have secrets at "
|
||||
"this KDC, need to proxy", p);
|
||||
if (ret == 0)
|
||||
@@ -986,11 +984,11 @@ tgs_parse_request(astgs_request_t r,
|
||||
goto out;
|
||||
} else if (ret == HDB_ERR_KVNO_NOT_FOUND) {
|
||||
char *p;
|
||||
ret = krb5_unparse_name(context, princ, &p);
|
||||
ret = krb5_unparse_name(r->context, princ, &p);
|
||||
if (ret != 0)
|
||||
p = failed;
|
||||
krb5_free_principal(context, princ);
|
||||
kdc_log(context, config, 5,
|
||||
krb5_free_principal(r->context, princ);
|
||||
kdc_log(r->context, config, 5,
|
||||
"Ticket-granting ticket account %s does not have keys for "
|
||||
"kvno %d at this KDC", p, krbtgt_kvno);
|
||||
if (ret == 0)
|
||||
@@ -999,11 +997,11 @@ tgs_parse_request(astgs_request_t r,
|
||||
goto out;
|
||||
} else if (ret == HDB_ERR_NO_MKEY) {
|
||||
char *p;
|
||||
ret = krb5_unparse_name(context, princ, &p);
|
||||
ret = krb5_unparse_name(r->context, princ, &p);
|
||||
if (ret != 0)
|
||||
p = failed;
|
||||
krb5_free_principal(context, princ);
|
||||
kdc_log(context, config, 5,
|
||||
krb5_free_principal(r->context, princ);
|
||||
kdc_log(r->context, config, 5,
|
||||
"Missing master key for decrypting keys for ticket-granting "
|
||||
"ticket account %s with kvno %d at this KDC", p, krbtgt_kvno);
|
||||
if (ret == 0)
|
||||
@@ -1011,15 +1009,15 @@ tgs_parse_request(astgs_request_t r,
|
||||
ret = HDB_ERR_KVNO_NOT_FOUND;
|
||||
goto out;
|
||||
} else if (ret) {
|
||||
const char *msg = krb5_get_error_message(context, ret);
|
||||
const char *msg = krb5_get_error_message(r->context, ret);
|
||||
char *p;
|
||||
ret = krb5_unparse_name(context, princ, &p);
|
||||
ret = krb5_unparse_name(r->context, princ, &p);
|
||||
if (ret != 0)
|
||||
p = failed;
|
||||
kdc_log(context, config, 4,
|
||||
kdc_log(r->context, config, 4,
|
||||
"Ticket-granting ticket %s not found in database: %s", p, msg);
|
||||
krb5_free_principal(context, princ);
|
||||
krb5_free_error_message(context, msg);
|
||||
krb5_free_principal(r->context, princ);
|
||||
krb5_free_error_message(r->context, msg);
|
||||
if (ret == 0)
|
||||
free(p);
|
||||
ret = KRB5KRB_AP_ERR_NOT_US;
|
||||
@@ -1030,8 +1028,8 @@ tgs_parse_request(astgs_request_t r,
|
||||
*krbtgt_etype = ap_req.ticket.enc_part.etype;
|
||||
|
||||
next_kvno:
|
||||
krbtgt_keys = hdb_kvno2keys(context, &(*krbtgt)->entry, krbtgt_kvno_try);
|
||||
ret = hdb_enctype2key(context, &(*krbtgt)->entry, krbtgt_keys,
|
||||
krbtgt_keys = hdb_kvno2keys(r->context, &(*krbtgt)->entry, krbtgt_kvno_try);
|
||||
ret = hdb_enctype2key(r->context, &(*krbtgt)->entry, krbtgt_keys,
|
||||
ap_req.ticket.enc_part.etype, &tkey);
|
||||
if (ret && krbtgt_kvno == 0 && kvno_search_tries > 0) {
|
||||
kvno_search_tries--;
|
||||
@@ -1040,9 +1038,9 @@ next_kvno:
|
||||
} else if (ret) {
|
||||
char *str = NULL, *p = NULL;
|
||||
|
||||
krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
|
||||
krb5_unparse_name(context, princ, &p);
|
||||
kdc_log(context, config, 4,
|
||||
krb5_enctype_to_string(r->context, ap_req.ticket.enc_part.etype, &str);
|
||||
krb5_unparse_name(r->context, princ, &p);
|
||||
kdc_log(r->context, config, 4,
|
||||
"No server key with enctype %s found for %s",
|
||||
str ? str : "<unknown enctype>",
|
||||
p ? p : "<unparse_name failed>");
|
||||
@@ -1058,7 +1056,7 @@ next_kvno:
|
||||
if (r->config->warn_ticket_addresses)
|
||||
verify_ap_req_flags |= KRB5_VERIFY_AP_REQ_IGNORE_ADDRS;
|
||||
|
||||
ret = krb5_verify_ap_req2(context,
|
||||
ret = krb5_verify_ap_req2(r->context,
|
||||
&ac,
|
||||
&ap_req,
|
||||
princ,
|
||||
@@ -1080,11 +1078,11 @@ next_kvno:
|
||||
goto next_kvno;
|
||||
}
|
||||
|
||||
krb5_free_principal(context, princ);
|
||||
krb5_free_principal(r->context, princ);
|
||||
if(ret) {
|
||||
const char *msg = krb5_get_error_message(context, ret);
|
||||
kdc_log(context, config, 4, "Failed to verify AP-REQ: %s", msg);
|
||||
krb5_free_error_message(context, msg);
|
||||
const char *msg = krb5_get_error_message(r->context, ret);
|
||||
kdc_log(r->context, config, 4, "Failed to verify AP-REQ: %s", msg);
|
||||
krb5_free_error_message(r->context, msg);
|
||||
goto out;
|
||||
}
|
||||
|
||||
@@ -1093,64 +1091,64 @@ next_kvno:
|
||||
{
|
||||
krb5_authenticator auth;
|
||||
|
||||
ret = krb5_auth_con_getauthenticator(context, ac, &auth);
|
||||
ret = krb5_auth_con_getauthenticator(r->context, ac, &auth);
|
||||
if (ret == 0) {
|
||||
*csec = malloc(sizeof(**csec));
|
||||
if (*csec == NULL) {
|
||||
krb5_free_authenticator(context, &auth);
|
||||
kdc_log(context, config, 4, "malloc failed");
|
||||
krb5_free_authenticator(r->context, &auth);
|
||||
kdc_log(r->context, config, 4, "malloc failed");
|
||||
goto out;
|
||||
}
|
||||
**csec = auth->ctime;
|
||||
*cusec = malloc(sizeof(**cusec));
|
||||
if (*cusec == NULL) {
|
||||
krb5_free_authenticator(context, &auth);
|
||||
kdc_log(context, config, 4, "malloc failed");
|
||||
krb5_free_authenticator(r->context, &auth);
|
||||
kdc_log(r->context, config, 4, "malloc failed");
|
||||
goto out;
|
||||
}
|
||||
**cusec = auth->cusec;
|
||||
|
||||
ret = validate_fast_ad(r, auth->authorization_data);
|
||||
krb5_free_authenticator(context, &auth);
|
||||
krb5_free_authenticator(r->context, &auth);
|
||||
if (ret)
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
|
||||
ret = tgs_check_authenticator(context, config,
|
||||
ret = tgs_check_authenticator(r->context, config,
|
||||
ac, b, e_text, &(*ticket)->ticket.key);
|
||||
if (ret) {
|
||||
krb5_auth_con_free(context, ac);
|
||||
krb5_auth_con_free(r->context, ac);
|
||||
goto out;
|
||||
}
|
||||
|
||||
usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
|
||||
r->rk_is_subkey = 1;
|
||||
|
||||
ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
|
||||
ret = krb5_auth_con_getremotesubkey(r->context, ac, &subkey);
|
||||
if(ret){
|
||||
const char *msg = krb5_get_error_message(context, ret);
krb5_auth_con_free(context, ac);
kdc_log(context, config, 4, "Failed to get remote subkey: %s", msg);
krb5_free_error_message(context, msg);
const char *msg = krb5_get_error_message(r->context, ret);
krb5_auth_con_free(r->context, ac);
kdc_log(r->context, config, 4, "Failed to get remote subkey: %s", msg);
krb5_free_error_message(r->context, msg);
goto out;
}
if(subkey == NULL){
usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
r->rk_is_subkey = 0;
ret = krb5_auth_con_getkey(context, ac, &subkey);
ret = krb5_auth_con_getkey(r->context, ac, &subkey);
if(ret) {
const char *msg = krb5_get_error_message(context, ret);
krb5_auth_con_free(context, ac);
kdc_log(context, config, 4, "Failed to get session key: %s", msg);
krb5_free_error_message(context, msg);
const char *msg = krb5_get_error_message(r->context, ret);
krb5_auth_con_free(r->context, ac);
kdc_log(r->context, config, 4, "Failed to get session key: %s", msg);
krb5_free_error_message(r->context, msg);
goto out;
}
}
if(subkey == NULL){
krb5_auth_con_free(context, ac);
kdc_log(context, config, 4,
krb5_auth_con_free(r->context, ac);
kdc_log(r->context, config, 4,
"Failed to get key for enc-authorization-data");
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
goto out;
@@ -1165,39 +1163,39 @@ next_kvno:
if (b->enc_authorization_data) {
krb5_data ad;
ret = krb5_crypto_init(context, &r->reply_key, 0, &crypto);
ret = krb5_crypto_init(r->context, &r->reply_key, 0, &crypto);
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
krb5_auth_con_free(context, ac);
kdc_log(context, config, 4, "krb5_crypto_init failed: %s", msg);
krb5_free_error_message(context, msg);
const char *msg = krb5_get_error_message(r->context, ret);
krb5_auth_con_free(r->context, ac);
kdc_log(r->context, config, 4, "krb5_crypto_init failed: %s", msg);
krb5_free_error_message(r->context, msg);
goto out;
}
ret = krb5_decrypt_EncryptedData (context,
ret = krb5_decrypt_EncryptedData (r->context,
crypto,
usage,
b->enc_authorization_data,
&ad);
krb5_crypto_destroy(context, crypto);
krb5_crypto_destroy(r->context, crypto);
if(ret){
krb5_auth_con_free(context, ac);
kdc_log(context, config, 4,
krb5_auth_con_free(r->context, ac);
kdc_log(r->context, config, 4,
"Failed to decrypt enc-authorization-data");
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
goto out;
}
ALLOC(*auth_data);
if (*auth_data == NULL) {
krb5_auth_con_free(context, ac);
krb5_auth_con_free(r->context, ac);
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
goto out;
}
ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
if(ret){
krb5_auth_con_free(context, ac);
krb5_auth_con_free(r->context, ac);
free(*auth_data);
*auth_data = NULL;
kdc_log(context, config, 4, "Failed to decode authorization data");
kdc_log(r->context, config, 4, "Failed to decode authorization data");
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
goto out;
}
@@ -1216,7 +1214,7 @@ next_kvno:
if (ret)
goto out;
krb5_auth_con_free(context, ac);
krb5_auth_con_free(r->context, ac);
out:
free_AP_REQ(&ap_req);
@@ -2321,7 +2319,6 @@ out:
krb5_error_code
_kdc_tgs_rep(astgs_request_t r)
{
krb5_context context = r->context;
krb5_kdc_configuration *config = r->config;
KDC_REQ *req = &r->req;
krb5_data *data = r->reply;
@@ -2343,7 +2340,7 @@ _kdc_tgs_rep(astgs_request_t r)
if(req->padata == NULL){
ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
kdc_log(context, config, 4,
kdc_log(r->context, config, 4,
"TGS-REQ from %s without PA-DATA", from);
goto out;
}
@@ -2361,7 +2358,7 @@ _kdc_tgs_rep(astgs_request_t r)
if(tgs_req == NULL){
ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
kdc_log(context, config, 4,
kdc_log(r->context, config, 4,
"TGS-REQ from %s without PA-TGS-REQ", from);
goto out;
}
@@ -2378,7 +2375,7 @@ _kdc_tgs_rep(astgs_request_t r)
goto out;
}
if (ret) {
kdc_log(context, config, 4,
kdc_log(r->context, config, 4,
"Failed parsing TGS-REQ from %s", from);
goto out;
}
@@ -2395,7 +2392,7 @@ _kdc_tgs_rep(astgs_request_t r)
&auth_data,
from_addr);
if (ret) {
kdc_log(context, config, 4,
kdc_log(r->context, config, 4,
"Failed building TGS-REP to %s", from);
goto out;
}
@@ -2411,7 +2408,7 @@ out:
if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){
METHOD_DATA error_method = { 0, NULL };
kdc_log(context, config, 5, "tgs-req: sending error: %d to client", ret);
kdc_log(r->context, config, 5, "tgs-req: sending error: %d to client", ret);
ret = _kdc_fast_mk_error(r,
&error_method,
r->armor_crypto,
@@ -2430,9 +2427,9 @@ out:
krb5_free_keyblock_contents(r->context, &r->strengthen_key);
if (ticket)
krb5_free_ticket(context, ticket);
krb5_free_ticket(r->context, ticket);
if(krbtgt)
_kdc_free_ent(context, krbtgt);
_kdc_free_ent(r->context, krbtgt);
_kdc_free_fast_state(&r->fast);
150
kdc/pkinit.c
@@ -1131,7 +1131,6 @@ pk_mk_pa_reply_dh(krb5_context context,
krb5_error_code
_kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
{
krb5_context context = r->context;
krb5_kdc_configuration *config = r->config;
krb5_enctype sessionetype = r->sessionetype;
const KDC_REQ *req = &r->req;
@@ -1148,17 +1147,17 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
size_t i;
if (!config->enable_pkinit) {
krb5_clear_error_message(context);
krb5_clear_error_message(r->context);
return 0;
}
if (req->req_body.etype.len > 0) {
for (i = 0; i < req->req_body.etype.len; i++)
if (krb5_enctype_valid(context, req->req_body.etype.val[i]) == 0)
if (krb5_enctype_valid(r->context, req->req_body.etype.val[i]) == 0)
break;
if (req->req_body.etype.len <= i) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
krb5_set_error_message(r->context, ret,
"No valid enctype available from client");
goto out;
}
@@ -1181,13 +1180,13 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
rep.element = choice_PA_PK_AS_REP_encKeyPack;
ret = krb5_generate_random_keyblock(context, enctype,
ret = krb5_generate_random_keyblock(r->context, enctype,
&cp->reply_key);
if (ret) {
free_PA_PK_AS_REP(&rep);
goto out;
}
ret = pk_mk_pa_reply_enckey(context,
ret = pk_mk_pa_reply_enckey(r->context,
config,
cp,
req,
@@ -1204,15 +1203,15 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
ret);
free_ContentInfo(&info);
if (ret) {
krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
krb5_set_error_message(r->context, ret, "encoding of Key ContentInfo "
"failed %d", ret);
free_PA_PK_AS_REP(&rep);
goto out;
}
if (rep.u.encKeyPack.length != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
krb5_abortx(r->context, "Internal ASN.1 encoder error");
ret = krb5_generate_random_keyblock(context, sessionetype,
ret = krb5_generate_random_keyblock(r->context, sessionetype,
sessionkey);
if (ret) {
free_PA_PK_AS_REP(&rep);
@@ -1225,7 +1224,7 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
switch (cp->keyex) {
case USE_DH: type = "dh"; break;
case USE_ECDH: type = "ecdh"; break;
default: krb5_abortx(context, "unknown keyex"); break;
default: krb5_abortx(r->context, "unknown keyex"); break;
}
if (cp->dh_group_name)
@@ -1233,17 +1232,17 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
rep.element = choice_PA_PK_AS_REP_dhInfo;
ret = generate_dh_keyblock(context, cp, enctype);
ret = generate_dh_keyblock(r->context, cp, enctype);
if (ret)
return ret;
ret = pk_mk_pa_reply_dh(context, config,
ret = pk_mk_pa_reply_dh(r->context, config,
cp,
&info,
&kdc_cert);
if (ret) {
free_PA_PK_AS_REP(&rep);
krb5_set_error_message(context, ret,
krb5_set_error_message(r->context, ret,
"create pa-reply-dh "
"failed %d", ret);
goto out;
@@ -1254,14 +1253,14 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
ret);
free_ContentInfo(&info);
if (ret) {
krb5_set_error_message(context, ret,
krb5_set_error_message(r->context, ret,
"encoding of Key ContentInfo "
"failed %d", ret);
free_PA_PK_AS_REP(&rep);
goto out;
}
if (rep.u.encKeyPack.length != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
krb5_abortx(r->context, "Internal ASN.1 encoder error");
/* generate the session key using the method from RFC6112 */
{
@@ -1276,49 +1275,49 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
void *kxdata;
size_t kxlen;
ret = krb5_generate_random_keyblock(context, sessionetype,
ret = krb5_generate_random_keyblock(r->context, sessionetype,
&kdc_contribution_key);
if (ret) {
free_PA_PK_AS_REP(&rep);
goto out;
}
ret = krb5_crypto_init(context, &cp->reply_key, enctype, &reply_crypto);
ret = krb5_crypto_init(r->context, &cp->reply_key, enctype, &reply_crypto);
if (ret) {
krb5_free_keyblock_contents(context, &kdc_contribution_key);
krb5_free_keyblock_contents(r->context, &kdc_contribution_key);
free_PA_PK_AS_REP(&rep);
goto out;
}
ret = krb5_crypto_init(context, &kdc_contribution_key, sessionetype, &kdccont_crypto);
ret = krb5_crypto_init(r->context, &kdc_contribution_key, sessionetype, &kdccont_crypto);
if (ret) {
krb5_crypto_destroy(context, reply_crypto);
krb5_free_keyblock_contents(context, &kdc_contribution_key);
krb5_crypto_destroy(r->context, reply_crypto);
krb5_free_keyblock_contents(r->context, &kdc_contribution_key);
free_PA_PK_AS_REP(&rep);
goto out;
}
/* KRB-FX-CF2 */
ret = krb5_crypto_fx_cf2(context, kdccont_crypto, reply_crypto,
ret = krb5_crypto_fx_cf2(r->context, kdccont_crypto, reply_crypto,
&p1, &p2, sessionetype, sessionkey);
krb5_crypto_destroy(context, kdccont_crypto);
krb5_crypto_destroy(r->context, kdccont_crypto);
if (ret) {
krb5_crypto_destroy(context, reply_crypto);
krb5_free_keyblock_contents(context, &kdc_contribution_key);
krb5_crypto_destroy(r->context, reply_crypto);
krb5_free_keyblock_contents(r->context, &kdc_contribution_key);
free_PA_PK_AS_REP(&rep);
goto out;
}
ASN1_MALLOC_ENCODE(EncryptionKey, kckdata, kcklen,
&kdc_contribution_key, &size, ret);
krb5_free_keyblock_contents(context, &kdc_contribution_key);
krb5_free_keyblock_contents(r->context, &kdc_contribution_key);
if (ret) {
krb5_set_error_message(context, ret, "encoding of PKINIT-KX Key failed %d", ret);
krb5_crypto_destroy(context, reply_crypto);
krb5_set_error_message(r->context, ret, "encoding of PKINIT-KX Key failed %d", ret);
krb5_crypto_destroy(r->context, reply_crypto);
free_PA_PK_AS_REP(&rep);
goto out;
}
if (kcklen != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
ret = krb5_encrypt_EncryptedData(context, reply_crypto, KRB5_KU_PA_PKINIT_KX,
krb5_abortx(r->context, "Internal ASN.1 encoder error");
ret = krb5_encrypt_EncryptedData(r->context, reply_crypto, KRB5_KU_PA_PKINIT_KX,
kckdata, kcklen, 0, &kx);
krb5_crypto_destroy(context, reply_crypto);
krb5_crypto_destroy(r->context, reply_crypto);
free(kckdata);
if (ret) {
free_PA_PK_AS_REP(&rep);
@@ -1328,17 +1327,17 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
&kx, &size, ret);
free_EncryptedData(&kx);
if (ret) {
krb5_set_error_message(context, ret,
krb5_set_error_message(r->context, ret,
"encoding of PKINIT-KX failed %d", ret);
free_PA_PK_AS_REP(&rep);
goto out;
}
if (kxlen != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
krb5_abortx(r->context, "Internal ASN.1 encoder error");
/* Add PA-PKINIT-KX */
ret = krb5_padata_add(context, md, KRB5_PADATA_PKINIT_KX, kxdata, kxlen);
ret = krb5_padata_add(r->context, md, KRB5_PADATA_PKINIT_KX, kxdata, kxlen);
if (ret) {
krb5_set_error_message(context, ret,
krb5_set_error_message(r->context, ret,
"Failed adding PKINIT-KX %d", ret);
free(buf);
goto out;
@@ -1364,14 +1363,14 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
free_PA_PK_AS_REP(&rep);
if (ret) {
krb5_set_error_message(context, ret,
krb5_set_error_message(r->context, ret,
"encode PA-PK-AS-REP failed %d", ret);
goto out;
}
if (len != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
krb5_abortx(r->context, "Internal ASN.1 encoder error");
kdc_log(context, config, 0, "PKINIT using %s %s", type, other);
kdc_log(r->context, config, 0, "PKINIT using %s %s", type, other);
} else if (cp->type == PKINIT_WIN2K) {
PA_PK_AS_REP_Win2k rep;
@@ -1379,7 +1378,7 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
if (cp->keyex != USE_RSA) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
krb5_set_error_message(r->context, ret,
"Win2k PKINIT doesn't support DH");
goto out;
}
@@ -1389,13 +1388,13 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
pa_type = KRB5_PADATA_PK_AS_REP_19;
rep.element = choice_PA_PK_AS_REP_Win2k_encKeyPack;
ret = krb5_generate_random_keyblock(context, enctype,
ret = krb5_generate_random_keyblock(r->context, enctype,
&cp->reply_key);
if (ret) {
free_PA_PK_AS_REP_Win2k(&rep);
goto out;
}
ret = pk_mk_pa_reply_enckey(context,
ret = pk_mk_pa_reply_enckey(r->context,
config,
cp,
req,
@@ -1412,25 +1411,25 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
ret);
free_ContentInfo(&info);
if (ret) {
krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
krb5_set_error_message(r->context, ret, "encoding of Key ContentInfo "
"failed %d", ret);
free_PA_PK_AS_REP_Win2k(&rep);
goto out;
}
if (rep.u.encKeyPack.length != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
krb5_abortx(r->context, "Internal ASN.1 encoder error");
ASN1_MALLOC_ENCODE(PA_PK_AS_REP_Win2k, buf, len, &rep, &size, ret);
free_PA_PK_AS_REP_Win2k(&rep);
if (ret) {
krb5_set_error_message(context, ret,
krb5_set_error_message(r->context, ret,
"encode PA-PK-AS-REP-Win2k failed %d", ret);
goto out;
}
if (len != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
krb5_abortx(r->context, "Internal ASN.1 encoder error");
ret = krb5_generate_random_keyblock(context, sessionetype,
ret = krb5_generate_random_keyblock(r->context, sessionetype,
sessionkey);
if (ret) {
free(buf);
@@ -1438,12 +1437,12 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
}
} else
krb5_abortx(context, "PKINIT internal error");
krb5_abortx(r->context, "PKINIT internal error");
ret = krb5_padata_add(context, md, pa_type, buf, len);
ret = krb5_padata_add(r->context, md, pa_type, buf, len);
if (ret) {
krb5_set_error_message(context, ret,
krb5_set_error_message(r->context, ret,
"Failed adding PA-PK-AS-REP %d", ret);
free(buf);
goto out;
@@ -1462,7 +1461,7 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
fd = open(config->pkinit_kdc_ocsp_file, O_RDONLY);
if (fd < 0) {
kdc_log(context, config, 0,
kdc_log(r->context, config, 0,
"PKINIT failed to open ocsp data file %d", errno);
goto out_ocsp;
}
@@ -1470,7 +1469,7 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
if (ret) {
ret = errno;
close(fd);
kdc_log(context, config, 0,
kdc_log(r->context, config, 0,
"PKINIT failed to stat ocsp data %d", ret);
goto out_ocsp;
}
@@ -1478,7 +1477,7 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
ret = krb5_data_alloc(&ocsp.data, sb.st_size);
if (ret) {
close(fd);
kdc_log(context, config, 0,
kdc_log(r->context, config, 0,
"PKINIT failed to stat ocsp data %d", ret);
goto out_ocsp;
}
@@ -1486,19 +1485,19 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
ret = read(fd, ocsp.data.data, sb.st_size);
close(fd);
if (ret != sb.st_size) {
kdc_log(context, config, 0,
kdc_log(r->context, config, 0,
"PKINIT failed to read ocsp data %d", errno);
goto out_ocsp;
}
ret = hx509_ocsp_verify(context->hx509ctx,
ret = hx509_ocsp_verify(r->context->hx509ctx,
kdc_time,
kdc_cert,
0,
ocsp.data.data, ocsp.data.length,
&ocsp.expire);
if (ret) {
kdc_log(context, config, 0,
kdc_log(r->context, config, 0,
"PKINIT failed to verify ocsp data %d", ret);
krb5_data_free(&ocsp.data);
ocsp.expire = 0;
@@ -1514,11 +1513,11 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
if (ocsp.expire != 0 && ocsp.expire > kdc_time) {
ret = krb5_padata_add(context, md,
ret = krb5_padata_add(r->context, md,
KRB5_PADATA_PA_PK_OCSP_RESPONSE,
ocsp.data.data, ocsp.data.length);
if (ret) {
krb5_set_error_message(context, ret,
krb5_set_error_message(r->context, ret,
"Failed adding OCSP response %d", ret);
goto out;
}
@@ -1530,7 +1529,7 @@ out:
hx509_cert_free(kdc_cert);
if (ret == 0)
ret = krb5_copy_keyblock_contents(context, &cp->reply_key, reply_key);
ret = krb5_copy_keyblock_contents(r->context, &cp->reply_key, reply_key);
return ret;
}
@@ -1672,7 +1671,6 @@ _kdc_pk_check_client(astgs_request_t r,
pk_client_params *cp,
char **subject_name)
{
krb5_context context = r->context;
krb5_kdc_configuration *config = r->config;
HDB *clientdb = r->clientdb;
hdb_entry_ex *client = r->client;
@@ -1683,7 +1681,7 @@ _kdc_pk_check_client(astgs_request_t r,
size_t i;
if (cp->cert == NULL) {
if (!_kdc_is_anonymous(context, client->entry.principal)
if (!_kdc_is_anonymous(r->context, client->entry.principal)
&& !config->historical_anon_realm)
return KRB5KDC_ERR_BADOPTION;
@@ -1697,7 +1695,7 @@ _kdc_pk_check_client(astgs_request_t r,
cp->max_life = 0;
if (config->pkinit_max_life_from_cert_extension)
cp->max_life =
hx509_cert_get_pkinit_max_life(context->hx509ctx, cp->cert,
hx509_cert_get_pkinit_max_life(r->context->hx509ctx, cp->cert,
config->pkinit_max_life_bound);
if (cp->max_life == 0 && config->pkinit_max_life_from_cert > 0) {
cp->max_life = cp->endtime - hx509_cert_get_notBefore(cp->cert);
@@ -1705,7 +1703,7 @@ _kdc_pk_check_client(astgs_request_t r,
cp->max_life = config->pkinit_max_life_from_cert;
}
ret = hx509_cert_get_base_subject(context->hx509ctx,
ret = hx509_cert_get_base_subject(r->context->hx509ctx,
cp->cert,
&name);
if (ret)
@@ -1716,7 +1714,7 @@ _kdc_pk_check_client(astgs_request_t r,
if (ret)
return ret;
kdc_log(context, config, 0,
kdc_log(r->context, config, 0,
"Trying to authorize PKINIT subject DN %s",
*subject_name);
@@ -1726,7 +1724,7 @@ _kdc_pk_check_client(astgs_request_t r,
size_t j;
for (j = 0; j < pc->len; j++) {
cert = hx509_cert_init_data(context->hx509ctx,
cert = hx509_cert_init_data(r->context->hx509ctx,
pc->val[j].cert.data,
pc->val[j].cert.length,
NULL);
@@ -1735,7 +1733,7 @@ _kdc_pk_check_client(astgs_request_t r,
ret = hx509_cert_cmp(cert, cp->cert);
hx509_cert_free(cert);
if (ret == 0) {
kdc_log(context, config, 5,
kdc_log(r->context, config, 5,
"Found matching PKINIT cert in hdb");
return 0;
}
@@ -1744,22 +1742,22 @@ _kdc_pk_check_client(astgs_request_t r,
if (config->pkinit_princ_in_cert) {
ret = match_rfc_san(context, config,
context->hx509ctx,
ret = match_rfc_san(r->context, config,
r->context->hx509ctx,
cp->cert,
client->entry.principal);
if (ret == 0) {
kdc_log(context, config, 5,
kdc_log(r->context, config, 5,
"Found matching PKINIT SAN in certificate");
return 0;
}
ret = match_ms_upn_san(context, config,
context->hx509ctx,
ret = match_ms_upn_san(r->context, config,
r->context->hx509ctx,
cp->cert,
clientdb,
client);
if (ret == 0) {
kdc_log(context, config, 5,
kdc_log(r->context, config, 5,
"Found matching MS UPN SAN in certificate");
return 0;
}
@@ -1781,7 +1779,7 @@ _kdc_pk_check_client(astgs_request_t r,
if (acl->val[0].anchor)
continue;
kdc_log(context, config, 5,
kdc_log(r->context, config, 5,
"Found matching PKINIT database ACL");
return 0;
}
@@ -1790,24 +1788,24 @@ _kdc_pk_check_client(astgs_request_t r,
for (i = 0; i < principal_mappings.len; i++) {
krb5_boolean b;
b = krb5_principal_compare(context,
b = krb5_principal_compare(r->context,
client->entry.principal,
principal_mappings.val[i].principal);
if (b == FALSE)
continue;
if (strcmp(principal_mappings.val[i].subject, *subject_name) != 0)
continue;
kdc_log(context, config, 5,
kdc_log(r->context, config, 5,
"Found matching PKINIT FILE ACL");
return 0;
}
ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
krb5_set_error_message(context, ret,
krb5_set_error_message(r->context, ret,
"PKINIT no matching principals for %s",
*subject_name);
kdc_log(context, config, 5,
kdc_log(r->context, config, 5,
"PKINIT no matching principals for %s",
*subject_name);
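Review bot: The errno logged on the `PKINIT failed to read ocsp data %d` line of the OCSP hunk is read after `close(fd)` and is never set when `read()` simply returns fewer bytes than `sb.st_size`, so the value can be stale or belong to close() rather than to the failed read. The stat failure path a few lines earlier already captures errno before closing; this path should do the same, e.g. add `int read_errno = (ret < 0) ? errno : 0;` directly after `ret = read(fd, ocsp.data.data, sb.st_size);` and log `read_errno` in place of `errno`. `ret` (declared outside the hunk, presumably krb5_error_code) is also receiving a `ssize_t` here, so a dedicated `ssize_t` local for the byte count would keep the comparison with `sb.st_size` exact. `_kdc_pk_mk_pa_reply` starts and ends outside this hunk.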
@@ -198,7 +198,6 @@ check(krb5_context context, const void *plug, void *plugctx, void *userctx)
krb5_error_code
_kdc_check_access(astgs_request_t r, KDC_REQ *req, METHOD_DATA *method_data)
{
krb5_context context = r->context;
krb5_error_code ret = KRB5_PLUGIN_NO_HANDLE;
struct check_uc uc;
@@ -211,7 +210,7 @@ _kdc_check_access(astgs_request_t r, KDC_REQ *req, METHOD_DATA *method_data)
uc.req = req;
uc.method_data = method_data;
ret = _krb5_plugin_run_f(context, &windc_plugin_data,
ret = _krb5_plugin_run_f(r->context, &windc_plugin_data,
0, &uc, check);
}