kdc: remove temporary krb5_context variable

Use r->context (from request) instead of a temporary context variable, where
available.
This commit is contained in:
Luke Howard
2021-11-30 10:38:10 +11:00
parent 22c7e85c57
commit 007cc9fdc3
5 changed files with 222 additions and 237 deletions


@@ -334,7 +334,6 @@ _kdc_fast_mk_error(astgs_request_t r,
time_t *csec, int *cusec,
krb5_data *error_msg)
{
krb5_context context = r->context;
krb5_error_code ret;
krb5_data e_data;
size_t size;
@@ -365,7 +364,7 @@ _kdc_fast_mk_error(astgs_request_t r,
/* first add the KRB-ERROR to the fast errors */
ret = krb5_mk_error(context,
ret = krb5_mk_error(r->context,
outer_error,
e_text,
NULL,
@@ -377,7 +376,7 @@ _kdc_fast_mk_error(astgs_request_t r,
if (ret)
return ret;
ret = krb5_padata_add(context, error_method,
ret = krb5_padata_add(r->context, error_method,
KRB5_PADATA_FX_ERROR,
e_data.data, e_data.length);
if (ret) {
@@ -394,14 +393,14 @@ _kdc_fast_mk_error(astgs_request_t r,
csec = 0;
cusec = 0;
ret = _kdc_fast_mk_response(context, armor_crypto,
ret = _kdc_fast_mk_response(r->context, armor_crypto,
error_method, NULL, NULL,
req_body->nonce, &e_data);
free_METHOD_DATA(error_method);
if (ret)
return ret;
ret = krb5_padata_add(context, error_method,
ret = krb5_padata_add(r->context, error_method,
KRB5_PADATA_FX_FAST,
e_data.data, e_data.length);
if (ret)
@@ -416,7 +415,7 @@ _kdc_fast_mk_error(astgs_request_t r,
heim_assert(size == e_data.length, "internal asn.1 encoder error");
}
ret = krb5_mk_error(context,
ret = krb5_mk_error(r->context,
outer_error,
e_text,
(e_data.length ? &e_data : NULL),


@@ -158,7 +158,6 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
krb5_enctype *ret_enctype, Key **ret_key,
krb5_boolean *ret_default_salt)
{
krb5_context context = r->context;
krb5_boolean use_strongest_session_key;
krb5_boolean is_preauth = flags & KFE_IS_PREAUTH;
krb5_boolean is_tgs = flags & KFE_IS_TGS;
@@ -189,7 +188,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
r->config->svc_use_strongest_session_key);
/* We'll want to avoid keys with v4 salted keys in the pre-auth case... */
ret = krb5_get_pw_salt(context, request_princ, &def_salt);
ret = krb5_get_pw_salt(r->context, request_princ, &def_salt);
if (ret)
return ret;
@@ -223,11 +222,11 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
*/
/* drive the search with local supported enctypes list */
p = krb5_kerberos_enctypes(context);
p = krb5_kerberos_enctypes(r->context);
for (i = 0;
p[i] != (krb5_enctype)ETYPE_NULL && enctype == (krb5_enctype)ETYPE_NULL;
i++) {
if (krb5_enctype_valid(context, p[i]) != 0 &&
if (krb5_enctype_valid(r->context, p[i]) != 0 &&
!_kdc_is_weak_exception(princ->entry.principal, p[i]))
continue;
@@ -269,7 +268,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
* PA-ETYPE-INFO* or because we're selecting a session key
* enctype.
*/
while (hdb_next_enctype2key(context, &princ->entry, NULL,
while (hdb_next_enctype2key(r->context, &princ->entry, NULL,
p[i], &key) == 0) {
if (key->key.keyvalue.length == 0) {
ret = KRB5KDC_ERR_NULL_KEY;
@@ -296,13 +295,13 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
*/
for(i = 0; ret != 0 && i < len; i++) {
if (krb5_enctype_valid(context, etypes[i]) != 0 &&
if (krb5_enctype_valid(r->context, etypes[i]) != 0 &&
!_kdc_is_weak_exception(princ->entry.principal, etypes[i]))
continue;
key = NULL;
while (ret != 0 &&
hdb_next_enctype2key(context, &princ->entry, NULL,
hdb_next_enctype2key(r->context, &princ->entry, NULL,
etypes[i], &key) == 0) {
if (key->key.keyvalue.length == 0) {
ret = KRB5KDC_ERR_NULL_KEY;
@@ -341,7 +340,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
*ret_default_salt = is_default_salt_p(&def_salt, key);
}
krb5_free_salt (context, def_salt);
krb5_free_salt (r->context, def_salt);
return ret;
}
@@ -420,7 +419,6 @@ _kdc_log_timestamp(astgs_request_t r, const char *type,
KerberosTime authtime, KerberosTime *starttime,
KerberosTime endtime, KerberosTime *renew_till)
{
krb5_context context = r->context;
krb5_kdc_configuration *config = r->config;
char authtime_str[100], starttime_str[100],
endtime_str[100], renewtime_str[100];
@@ -436,22 +434,22 @@ _kdc_log_timestamp(astgs_request_t r, const char *type,
_kdc_audit_addkv((kdc_request_t)r, 0, "renew", "%ld",
(long)*renew_till);
krb5_format_time(context, authtime,
krb5_format_time(r->context, authtime,
authtime_str, sizeof(authtime_str), TRUE);
if (starttime)
krb5_format_time(context, *starttime,
krb5_format_time(r->context, *starttime,
starttime_str, sizeof(starttime_str), TRUE);
else
strlcpy(starttime_str, "unset", sizeof(starttime_str));
krb5_format_time(context, endtime,
krb5_format_time(r->context, endtime,
endtime_str, sizeof(endtime_str), TRUE);
if (renew_till)
krb5_format_time(context, *renew_till,
krb5_format_time(r->context, *renew_till,
renewtime_str, sizeof(renewtime_str), TRUE);
else
strlcpy(renewtime_str, "unset", sizeof(renewtime_str));
kdc_log(context, config, 4,
kdc_log(r->context, config, 4,
"%s authtime: %s starttime: %s endtime: %s renew till: %s",
type, authtime_str, starttime_str, endtime_str, renewtime_str);
}
@@ -930,7 +928,6 @@ static const struct kdc_patypes pat[] = {
static void
log_patypes(astgs_request_t r, METHOD_DATA *padata)
{
krb5_context context = r->context;
krb5_kdc_configuration *config = r->config;
struct rk_strpool *p = NULL;
char *str;
@@ -948,7 +945,7 @@ log_patypes(astgs_request_t r, METHOD_DATA *padata)
if (p && n + 1 < padata->len)
p = rk_strpoolprintf(p, ", ");
if (p == NULL) {
kdc_log(context, config, 1, "out of memory");
kdc_log(r->context, config, 1, "out of memory");
return;
}
}
@@ -956,7 +953,7 @@ log_patypes(astgs_request_t r, METHOD_DATA *padata)
p = rk_strpoolprintf(p, "none");
str = rk_strpoolcollect(p);
kdc_log(context, config, 4, "Client sent patypes: %s", str);
kdc_log(r->context, config, 4, "Client sent patypes: %s", str);
_kdc_audit_addkv((kdc_request_t)r, KDC_AUDIT_EATWHITE,
"client-pa", "%s", str);
free(str);
@@ -1461,7 +1458,6 @@ get_pa_etype_info_both(krb5_context context,
void
_log_astgs_req(astgs_request_t r, krb5_enctype setype)
{
krb5_context context = r->context;
const KDC_REQ_BODY *b = &r->req.req_body;
krb5_enctype cetype = r->reply_key.keytype;
krb5_error_code ret;
@@ -1483,7 +1479,7 @@ _log_astgs_req(astgs_request_t r, krb5_enctype setype)
p = rk_strpoolprintf(NULL, "%s", "Client supported enctypes: ");
for (i = 0; i < b->etype.len; i++) {
ret = krb5_enctype_to_string(context, b->etype.val[i], &str);
ret = krb5_enctype_to_string(r->context, b->etype.val[i], &str);
if (ret == 0) {
p = rk_strpoolprintf(p, "%s", str);
free(str);
@@ -1509,9 +1505,9 @@ _log_astgs_req(astgs_request_t r, krb5_enctype setype)
str);
free(str);
ret = krb5_enctype_to_string(context, cetype, &cet);
ret = krb5_enctype_to_string(r->context, cetype, &cet);
if(ret == 0) {
ret = krb5_enctype_to_string(context, setype, &set);
ret = krb5_enctype_to_string(r->context, setype, &set);
if (ret == 0) {
p = rk_strpoolprintf(p, ", using %s/%s", cet, set);
free(set);
@@ -1554,8 +1550,6 @@ kdc_check_flags(astgs_request_t r,
hdb_entry_ex *client_ex,
hdb_entry_ex *server_ex)
{
krb5_context context = r->context;
if (client_ex != NULL) {
hdb_entry *client = &client_ex->entry;
@@ -1579,7 +1573,7 @@ kdc_check_flags(astgs_request_t r,
if (client->valid_start && *client->valid_start > kdc_time) {
char starttime_str[100];
krb5_format_time(context, *client->valid_start,
krb5_format_time(r->context, *client->valid_start,
starttime_str, sizeof(starttime_str), TRUE);
_kdc_audit_addreason((kdc_request_t)r, "Client not yet valid "
"until %s", starttime_str);
@@ -1588,7 +1582,7 @@ kdc_check_flags(astgs_request_t r,
if (client->valid_end && *client->valid_end < kdc_time) {
char endtime_str[100];
krb5_format_time(context, *client->valid_end,
krb5_format_time(r->context, *client->valid_end,
endtime_str, sizeof(endtime_str), TRUE);
_kdc_audit_addreason((kdc_request_t)r, "Client expired at %s",
endtime_str);
@@ -1602,7 +1596,7 @@ kdc_check_flags(astgs_request_t r,
if (client->pw_end && *client->pw_end < kdc_time
&& (server_ex == NULL || !server_ex->entry.flags.change_pw)) {
char pwend_str[100];
krb5_format_time(context, *client->pw_end,
krb5_format_time(r->context, *client->pw_end,
pwend_str, sizeof(pwend_str), TRUE);
_kdc_audit_addreason((kdc_request_t)r, "Client's key has expired "
"at %s", pwend_str);
@@ -1638,7 +1632,7 @@ kdc_check_flags(astgs_request_t r,
if (server->valid_start && *server->valid_start > kdc_time) {
char starttime_str[100];
krb5_format_time(context, *server->valid_start,
krb5_format_time(r->context, *server->valid_start,
starttime_str, sizeof(starttime_str), TRUE);
_kdc_audit_addreason((kdc_request_t)r, "Server not yet valid "
"until %s", starttime_str);
@@ -1647,7 +1641,7 @@ kdc_check_flags(astgs_request_t r,
if (server->valid_end && *server->valid_end < kdc_time) {
char endtime_str[100];
krb5_format_time(context, *server->valid_end,
krb5_format_time(r->context, *server->valid_end,
endtime_str, sizeof(endtime_str), TRUE);
_kdc_audit_addreason((kdc_request_t)r, "Server expired at %s",
endtime_str);
@@ -1656,7 +1650,7 @@ kdc_check_flags(astgs_request_t r,
if (server->pw_end && *server->pw_end < kdc_time) {
char pwend_str[100];
krb5_format_time(context, *server->pw_end,
krb5_format_time(r->context, *server->pw_end,
pwend_str, sizeof(pwend_str), TRUE);
_kdc_audit_addreason((kdc_request_t)r, "Server's key has expired "
"at %s", pwend_str);
@@ -1676,7 +1670,6 @@ krb5_boolean
_kdc_check_addresses(astgs_request_t r, HostAddresses *addresses,
const struct sockaddr *from)
{
krb5_context context = r->context;
krb5_kdc_configuration *config = r->config;
krb5_error_code ret;
krb5_address addr;
@@ -1710,12 +1703,12 @@ _kdc_check_addresses(astgs_request_t r, HostAddresses *addresses,
if(only_netbios)
return config->allow_null_ticket_addresses;
ret = krb5_sockaddr2address (context, from, &addr);
ret = krb5_sockaddr2address (r->context, from, &addr);
if(ret)
return FALSE;
result = krb5_address_search(context, &addr, addresses);
krb5_free_address (context, &addr);
result = krb5_address_search(r->context, &addr, addresses);
krb5_free_address (r->context, &addr);
return result;
}
@@ -1928,7 +1921,6 @@ get_local_tgs(krb5_context context,
krb5_error_code
_kdc_as_rep(astgs_request_t r)
{
krb5_context context = r->context;
krb5_kdc_configuration *config = r->config;
KDC_REQ *req = &r->req;
const char *from = r->from;
@@ -1969,12 +1961,12 @@ _kdc_as_rep(astgs_request_t r)
goto out;
}
ret = _krb5_principalname2krb5_principal(context, &r->server_princ,
ret = _krb5_principalname2krb5_principal(r->context, &r->server_princ,
*(b->sname), b->realm);
if (!ret)
ret = krb5_unparse_name(context, r->server_princ, &r->sname);
ret = krb5_unparse_name(r->context, r->server_princ, &r->sname);
if (ret) {
kdc_log(context, config, 2,
kdc_log(r->context, config, 2,
"AS_REQ malformed server name from %s", from);
goto out;
}
@@ -1985,48 +1977,48 @@ _kdc_as_rep(astgs_request_t r)
goto out;
}
ret = _krb5_principalname2krb5_principal(context, &r->client_princ,
ret = _krb5_principalname2krb5_principal(r->context, &r->client_princ,
*(b->cname), b->realm);
if (!ret)
ret = krb5_unparse_name(context, r->client_princ, &r->cname);
ret = krb5_unparse_name(r->context, r->client_princ, &r->cname);
if (ret) {
kdc_log(context, config, 2,
kdc_log(r->context, config, 2,
"AS-REQ malformed client name from %s", from);
goto out;
}
kdc_log(context, config, 4, "AS-REQ %s from %s for %s",
kdc_log(r->context, config, 4, "AS-REQ %s from %s for %s",
r->cname, r->from, r->sname);
is_tgs = krb5_principal_is_krbtgt(context, r->server_princ);
is_tgs = krb5_principal_is_krbtgt(r->context, r->server_princ);
if (_kdc_is_anonymous(context, r->client_princ) &&
if (_kdc_is_anonymous(r->context, r->client_princ) &&
!_kdc_is_anon_request(req)) {
kdc_log(context, config, 2, "Anonymous client w/o anonymous flag");
kdc_log(r->context, config, 2, "Anonymous client w/o anonymous flag");
ret = KRB5KDC_ERR_BADOPTION;
goto out;
}
ret = _kdc_db_fetch(context, config, r->client_princ,
ret = _kdc_db_fetch(r->context, config, r->client_princ,
HDB_F_GET_CLIENT | HDB_F_SYNTHETIC_OK | flags, NULL,
&r->clientdb, &r->client);
switch (ret) {
case 0: /* Success */
break;
case HDB_ERR_NOT_FOUND_HERE:
kdc_log(context, config, 5, "client %s does not have secrets at this KDC, need to proxy",
kdc_log(r->context, config, 5, "client %s does not have secrets at this KDC, need to proxy",
r->cname);
goto out;
case HDB_ERR_WRONG_REALM: {
char *fixed_client_name = NULL;
ret = krb5_unparse_name(context, r->client->entry.principal,
ret = krb5_unparse_name(r->context, r->client->entry.principal,
&fixed_client_name);
if (ret) {
goto out;
}
kdc_log(context, config, 4, "WRONG_REALM - %s -> %s",
kdc_log(r->context, config, 4, "WRONG_REALM - %s -> %s",
r->cname, fixed_client_name);
free(fixed_client_name);
@@ -2038,13 +2030,13 @@ _kdc_as_rep(astgs_request_t r)
goto out;
}
default:
msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 4, "UNKNOWN -- %s: %s", r->cname, msg);
krb5_free_error_message(context, msg);
msg = krb5_get_error_message(r->context, ret);
kdc_log(r->context, config, 4, "UNKNOWN -- %s: %s", r->cname, msg);
krb5_free_error_message(r->context, msg);
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto out;
}
ret = _kdc_db_fetch(context, config, r->server_princ,
ret = _kdc_db_fetch(r->context, config, r->server_princ,
HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS |
flags | (is_tgs ? HDB_F_GET_KRBTGT : 0),
NULL, NULL, &r->server);
@@ -2052,13 +2044,13 @@ _kdc_as_rep(astgs_request_t r)
case 0: /* Success */
break;
case HDB_ERR_NOT_FOUND_HERE:
kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy",
kdc_log(r->context, config, 5, "target %s does not have secrets at this KDC, need to proxy",
r->sname);
goto out;
default:
msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 4, "UNKNOWN -- %s: %s", r->sname, msg);
krb5_free_error_message(context, msg);
msg = krb5_get_error_message(r->context, ret);
kdc_log(r->context, config, 4, "UNKNOWN -- %s: %s", r->sname, msg);
krb5_free_error_message(r->context, msg);
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto out;
}
@@ -2072,7 +2064,7 @@ _kdc_as_rep(astgs_request_t r)
b->etype.val, b->etype.len,
&r->sessionetype, NULL, NULL);
if (ret) {
kdc_log(context, config, 4,
kdc_log(r->context, config, 4,
"Client (%s) from %s has no common enctypes with KDC "
"to use for the session key",
r->cname, from);
@@ -2096,14 +2088,14 @@ _kdc_as_rep(astgs_request_t r)
if (r->armor_crypto == NULL && (pat[n].flags & PA_REQ_FAST))
continue;
kdc_log(context, config, 5,
kdc_log(r->context, config, 5,
"Looking for %s pa-data -- %s", pat[n].name, r->cname);
i = 0;
pa = _kdc_find_padata(req, &i, pat[n].type);
if (pa) {
if (r->client->entry.flags.synthetic &&
!(pat[n].flags & PA_SYNTHETIC_OK)) {
kdc_log(context, config, 4, "UNKNOWN -- %s", r->cname);
kdc_log(r->context, config, 4, "UNKNOWN -- %s", r->cname);
ret = HDB_ERR_NOENTRY;
goto out;
}
@@ -2122,14 +2114,14 @@ _kdc_as_rep(astgs_request_t r)
b->etype.val, b->etype.len,
NULL, &ckey, &default_salt);
if (ret2 == 0) {
ret2 = get_pa_etype_info_both(context, config, &b->etype,
ret2 = get_pa_etype_info_both(r->context, config, &b->etype,
&r->outpadata, ckey, !default_salt);
if (ret2 != 0)
ret = ret2;
}
goto out;
}
kdc_log(context, config, 4,
kdc_log(r->context, config, 4,
"%s pre-authentication succeeded -- %s",
pat[n].name, r->cname);
found_pa = 1;
@@ -2144,7 +2136,7 @@ _kdc_as_rep(astgs_request_t r)
krb5_boolean default_salt;
if (r->client->entry.flags.synthetic) {
kdc_log(context, config, 4, "UNKNOWN -- %s", r->cname);
kdc_log(r->context, config, 4, "UNKNOWN -- %s", r->cname);
ret = HDB_ERR_NOENTRY;
goto out;
}
@@ -2152,7 +2144,7 @@ _kdc_as_rep(astgs_request_t r)
for (n = 0; n < sizeof(pat) / sizeof(pat[0]); n++) {
if ((pat[n].flags & PA_ANNOUNCE) == 0)
continue;
ret = krb5_padata_add(context, &r->outpadata,
ret = krb5_padata_add(r->context, &r->outpadata,
pat[n].type, NULL, 0);
if (ret)
goto out;
@@ -2165,7 +2157,7 @@ _kdc_as_rep(astgs_request_t r)
b->etype.val, b->etype.len,
NULL, &ckey, &default_salt);
if (ret == 0) {
ret = get_pa_etype_info_both(context, config, &b->etype,
ret = get_pa_etype_info_both(r->context, config, &b->etype,
&r->outpadata, ckey, !default_salt);
if (ret)
goto out;
@@ -2193,7 +2185,7 @@ _kdc_as_rep(astgs_request_t r)
}
if (r->clientdb->hdb_auth_status) {
r->clientdb->hdb_auth_status(context, r->clientdb, r->client,
r->clientdb->hdb_auth_status(r->context, r->clientdb, r->client,
HDB_AUTH_SUCCESS);
}
@@ -2221,7 +2213,7 @@ _kdc_as_rep(astgs_request_t r)
* the client since the client never needs to read that data.
*/
ret = _kdc_get_preferred_key(context, config,
ret = _kdc_get_preferred_key(r->context, config,
r->server, r->sname,
&setype, &skey);
if(ret)
@@ -2231,12 +2223,12 @@ _kdc_as_rep(astgs_request_t r)
if (is_tgs) {
krbtgt_key = skey;
} else {
ret = get_local_tgs(context, config, r->server_princ->realm,
ret = get_local_tgs(r->context, config, r->server_princ->realm,
&krbtgt);
if (ret)
goto out;
ret = _kdc_get_preferred_key(context, config, krbtgt,
ret = _kdc_get_preferred_key(r->context, config, krbtgt,
r->server_princ->realm,
NULL, &krbtgt_key);
if (ret)
@@ -2257,7 +2249,7 @@ _kdc_as_rep(astgs_request_t r)
rep.msg_type = krb_as_rep;
if (!config->historical_anon_realm &&
_kdc_is_anonymous(context, r->client_princ)) {
_kdc_is_anonymous(r->context, r->client_princ)) {
Realm anon_realm = KRB5_ANON_REALM;
ret = copy_Realm(&anon_realm, &rep.crealm);
} else if (f.canonicalize || r->client->entry.flags.force_canonicalize)
@@ -2478,7 +2470,7 @@ _kdc_as_rep(astgs_request_t r)
*/
if (r->session_key.keytype == ETYPE_NULL) {
ret = krb5_generate_random_keyblock(context, r->sessionetype, &r->session_key);
ret = krb5_generate_random_keyblock(r->context, r->sessionetype, &r->session_key);
if (ret)
goto out;
}
@@ -2510,7 +2502,7 @@ _kdc_as_rep(astgs_request_t r)
}
/* Add the PAC */
if (send_pac_p(context, req) && !r->et.flags.anonymous) {
if (send_pac_p(r->context, req) && !r->et.flags.anonymous) {
generate_pac(r, skey, krbtgt_key);
}
@@ -2555,7 +2547,7 @@ _kdc_as_rep(astgs_request_t r)
*
*/
ret = _kdc_encode_reply(context, config,
ret = _kdc_encode_reply(r->context, config,
r, req->req_body.nonce,
&rep, &r->et, &r->ek, setype,
r->server->entry.kvno, &skey->key,
@@ -2597,19 +2589,19 @@ out:
if (r->outpadata.len)
free_METHOD_DATA(&r->outpadata);
if (r->client_princ) {
krb5_free_principal(context, r->client_princ);
krb5_free_principal(r->context, r->client_princ);
r->client_princ = NULL;
}
if (r->server_princ){
krb5_free_principal(context, r->server_princ);
krb5_free_principal(r->context, r->server_princ);
r->server_princ = NULL;
}
if (r->client)
_kdc_free_ent(context, r->client);
_kdc_free_ent(r->context, r->client);
if (r->server)
_kdc_free_ent(context, r->server);
_kdc_free_ent(r->context, r->server);
if (krbtgt)
_kdc_free_ent(context, krbtgt);
_kdc_free_ent(r->context, krbtgt);
if (r->armor_crypto) {
krb5_crypto_destroy(r->context, r->armor_crypto);
r->armor_crypto = NULL;
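Review bot: The functions in this section come out of the change with a split convention: the `krb5_context context = r->context;` local is removed, but the sibling cache `krb5_kdc_configuration *config = r->config;` is kept in `_kdc_log_timestamp`, `log_patypes`, `_kdc_check_addresses` and `_kdc_as_rep`, while `_kdc_find_etype` in the same file already reads `r->config->svc_use_strongest_session_key` through the request. Whichever style is intended, treating both request fields the same way in one pass would avoid a second mechanical commit; for example `kdc_log(r->context, r->config, 4, "AS-REQ %s from %s for %s",` with the `config` local dropped. The same asymmetry appears in `tgs_parse_request`, `_kdc_tgs_rep` and `_kdc_pk_mk_pa_reply` in the later file sections. All of the affected function bodies start before and continue past the hunks shown here.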


@@ -147,7 +147,6 @@ check_tgs_flags(astgs_request_t r, KDC_REQ_BODY *b,
krb5_const_principal tgt_name,
const EncTicketPart *tgt, EncTicketPart *et)
{
krb5_context context = r->context;
KDCOptions f = b->kdc_options;
if(f.validate){
@@ -227,7 +226,7 @@ check_tgs_flags(astgs_request_t r, KDC_REQ_BODY *b,
*et->starttime = *b->from;
et->flags.postdated = 1;
et->flags.invalid = 1;
} else if (b->from && *b->from > kdc_time + context->max_skew) {
} else if (b->from && *b->from > kdc_time + r->context->max_skew) {
_kdc_audit_addreason((kdc_request_t)r,
"Ticket cannot be postdated");
return KRB5KDC_ERR_CANNOT_POSTDATE;
@@ -266,7 +265,7 @@ check_tgs_flags(astgs_request_t r, KDC_REQ_BODY *b,
* the anonymous principal and the anonymous ticket flag.
*/
if (tgt->flags.anonymous &&
!_kdc_is_anonymous(context, tgt_name)) {
!_kdc_is_anonymous(r->context, tgt_name)) {
_kdc_audit_addreason((kdc_request_t)r,
"Anonymous ticket flag set without "
"anonymous principal");
@@ -922,7 +921,6 @@ tgs_parse_request(astgs_request_t r,
int **cusec,
AuthorizationData **auth_data)
{
krb5_context context = r->context;
krb5_kdc_configuration *config = r->config;
KDC_REQ_BODY *b = &r->req.req_body;
static char failed[] = "<unparse_name failed>";
@@ -946,38 +944,38 @@ tgs_parse_request(astgs_request_t r,
*cusec = NULL;
memset(&ap_req, 0, sizeof(ap_req));
ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
ret = krb5_decode_ap_req(r->context, &tgs_req->padata_value, &ap_req);
if(ret){
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 4, "Failed to decode AP-REQ: %s", msg);
krb5_free_error_message(context, msg);
const char *msg = krb5_get_error_message(r->context, ret);
kdc_log(r->context, config, 4, "Failed to decode AP-REQ: %s", msg);
krb5_free_error_message(r->context, msg);
goto out;
}
if(!get_krbtgt_realm(&ap_req.ticket.sname)){
/* XXX check for ticket.sname == req.sname */
kdc_log(context, config, 4, "PA-DATA is not a ticket-granting ticket");
kdc_log(r->context, config, 4, "PA-DATA is not a ticket-granting ticket");
ret = KRB5KDC_ERR_POLICY; /* ? */
goto out;
}
_krb5_principalname2krb5_principal(context,
_krb5_principalname2krb5_principal(r->context,
&princ,
ap_req.ticket.sname,
ap_req.ticket.realm);
krbtgt_kvno = ap_req.ticket.enc_part.kvno ? *ap_req.ticket.enc_part.kvno : 0;
ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT,
ret = _kdc_db_fetch(r->context, config, princ, HDB_F_GET_KRBTGT,
&krbtgt_kvno, NULL, krbtgt);
if (ret == HDB_ERR_NOT_FOUND_HERE) {
/* XXX Factor out this unparsing of the same princ all over */
char *p;
ret = krb5_unparse_name(context, princ, &p);
ret = krb5_unparse_name(r->context, princ, &p);
if (ret != 0)
p = failed;
krb5_free_principal(context, princ);
kdc_log(context, config, 5,
krb5_free_principal(r->context, princ);
kdc_log(r->context, config, 5,
"Ticket-granting ticket account %s does not have secrets at "
"this KDC, need to proxy", p);
if (ret == 0)
@@ -986,11 +984,11 @@ tgs_parse_request(astgs_request_t r,
goto out;
} else if (ret == HDB_ERR_KVNO_NOT_FOUND) {
char *p;
ret = krb5_unparse_name(context, princ, &p);
ret = krb5_unparse_name(r->context, princ, &p);
if (ret != 0)
p = failed;
krb5_free_principal(context, princ);
kdc_log(context, config, 5,
krb5_free_principal(r->context, princ);
kdc_log(r->context, config, 5,
"Ticket-granting ticket account %s does not have keys for "
"kvno %d at this KDC", p, krbtgt_kvno);
if (ret == 0)
@@ -999,11 +997,11 @@ tgs_parse_request(astgs_request_t r,
goto out;
} else if (ret == HDB_ERR_NO_MKEY) {
char *p;
ret = krb5_unparse_name(context, princ, &p);
ret = krb5_unparse_name(r->context, princ, &p);
if (ret != 0)
p = failed;
krb5_free_principal(context, princ);
kdc_log(context, config, 5,
krb5_free_principal(r->context, princ);
kdc_log(r->context, config, 5,
"Missing master key for decrypting keys for ticket-granting "
"ticket account %s with kvno %d at this KDC", p, krbtgt_kvno);
if (ret == 0)
@@ -1011,15 +1009,15 @@ tgs_parse_request(astgs_request_t r,
ret = HDB_ERR_KVNO_NOT_FOUND;
goto out;
} else if (ret) {
const char *msg = krb5_get_error_message(context, ret);
const char *msg = krb5_get_error_message(r->context, ret);
char *p;
ret = krb5_unparse_name(context, princ, &p);
ret = krb5_unparse_name(r->context, princ, &p);
if (ret != 0)
p = failed;
kdc_log(context, config, 4,
kdc_log(r->context, config, 4,
"Ticket-granting ticket %s not found in database: %s", p, msg);
krb5_free_principal(context, princ);
krb5_free_error_message(context, msg);
krb5_free_principal(r->context, princ);
krb5_free_error_message(r->context, msg);
if (ret == 0)
free(p);
ret = KRB5KRB_AP_ERR_NOT_US;
@@ -1030,8 +1028,8 @@ tgs_parse_request(astgs_request_t r,
*krbtgt_etype = ap_req.ticket.enc_part.etype;
next_kvno:
krbtgt_keys = hdb_kvno2keys(context, &(*krbtgt)->entry, krbtgt_kvno_try);
ret = hdb_enctype2key(context, &(*krbtgt)->entry, krbtgt_keys,
krbtgt_keys = hdb_kvno2keys(r->context, &(*krbtgt)->entry, krbtgt_kvno_try);
ret = hdb_enctype2key(r->context, &(*krbtgt)->entry, krbtgt_keys,
ap_req.ticket.enc_part.etype, &tkey);
if (ret && krbtgt_kvno == 0 && kvno_search_tries > 0) {
kvno_search_tries--;
@@ -1040,9 +1038,9 @@ next_kvno:
} else if (ret) {
char *str = NULL, *p = NULL;
krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
krb5_unparse_name(context, princ, &p);
kdc_log(context, config, 4,
krb5_enctype_to_string(r->context, ap_req.ticket.enc_part.etype, &str);
krb5_unparse_name(r->context, princ, &p);
kdc_log(r->context, config, 4,
"No server key with enctype %s found for %s",
str ? str : "<unknown enctype>",
p ? p : "<unparse_name failed>");
@@ -1058,7 +1056,7 @@ next_kvno:
if (r->config->warn_ticket_addresses)
verify_ap_req_flags |= KRB5_VERIFY_AP_REQ_IGNORE_ADDRS;
ret = krb5_verify_ap_req2(context,
ret = krb5_verify_ap_req2(r->context,
&ac,
&ap_req,
princ,
@@ -1080,11 +1078,11 @@ next_kvno:
goto next_kvno;
}
krb5_free_principal(context, princ);
krb5_free_principal(r->context, princ);
if(ret) {
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 4, "Failed to verify AP-REQ: %s", msg);
krb5_free_error_message(context, msg);
const char *msg = krb5_get_error_message(r->context, ret);
kdc_log(r->context, config, 4, "Failed to verify AP-REQ: %s", msg);
krb5_free_error_message(r->context, msg);
goto out;
}
@@ -1093,64 +1091,64 @@ next_kvno:
{
krb5_authenticator auth;
ret = krb5_auth_con_getauthenticator(context, ac, &auth);
ret = krb5_auth_con_getauthenticator(r->context, ac, &auth);
if (ret == 0) {
*csec = malloc(sizeof(**csec));
if (*csec == NULL) {
krb5_free_authenticator(context, &auth);
kdc_log(context, config, 4, "malloc failed");
krb5_free_authenticator(r->context, &auth);
kdc_log(r->context, config, 4, "malloc failed");
goto out;
}
**csec = auth->ctime;
*cusec = malloc(sizeof(**cusec));
if (*cusec == NULL) {
krb5_free_authenticator(context, &auth);
kdc_log(context, config, 4, "malloc failed");
krb5_free_authenticator(r->context, &auth);
kdc_log(r->context, config, 4, "malloc failed");
goto out;
}
**cusec = auth->cusec;
ret = validate_fast_ad(r, auth->authorization_data);
krb5_free_authenticator(context, &auth);
krb5_free_authenticator(r->context, &auth);
if (ret)
goto out;
}
}
ret = tgs_check_authenticator(context, config,
ret = tgs_check_authenticator(r->context, config,
ac, b, e_text, &(*ticket)->ticket.key);
if (ret) {
krb5_auth_con_free(context, ac);
krb5_auth_con_free(r->context, ac);
goto out;
}
usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
r->rk_is_subkey = 1;
ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
ret = krb5_auth_con_getremotesubkey(r->context, ac, &subkey);
if(ret){
const char *msg = krb5_get_error_message(context, ret);
krb5_auth_con_free(context, ac);
kdc_log(context, config, 4, "Failed to get remote subkey: %s", msg);
krb5_free_error_message(context, msg);
const char *msg = krb5_get_error_message(r->context, ret);
krb5_auth_con_free(r->context, ac);
kdc_log(r->context, config, 4, "Failed to get remote subkey: %s", msg);
krb5_free_error_message(r->context, msg);
goto out;
}
if(subkey == NULL){
usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
r->rk_is_subkey = 0;
ret = krb5_auth_con_getkey(context, ac, &subkey);
ret = krb5_auth_con_getkey(r->context, ac, &subkey);
if(ret) {
const char *msg = krb5_get_error_message(context, ret);
krb5_auth_con_free(context, ac);
kdc_log(context, config, 4, "Failed to get session key: %s", msg);
krb5_free_error_message(context, msg);
const char *msg = krb5_get_error_message(r->context, ret);
krb5_auth_con_free(r->context, ac);
kdc_log(r->context, config, 4, "Failed to get session key: %s", msg);
krb5_free_error_message(r->context, msg);
goto out;
}
}
if(subkey == NULL){
krb5_auth_con_free(context, ac);
kdc_log(context, config, 4,
krb5_auth_con_free(r->context, ac);
kdc_log(r->context, config, 4,
"Failed to get key for enc-authorization-data");
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
goto out;
@@ -1165,39 +1163,39 @@ next_kvno:
if (b->enc_authorization_data) {
krb5_data ad;
ret = krb5_crypto_init(context, &r->reply_key, 0, &crypto);
ret = krb5_crypto_init(r->context, &r->reply_key, 0, &crypto);
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
krb5_auth_con_free(context, ac);
kdc_log(context, config, 4, "krb5_crypto_init failed: %s", msg);
krb5_free_error_message(context, msg);
const char *msg = krb5_get_error_message(r->context, ret);
krb5_auth_con_free(r->context, ac);
kdc_log(r->context, config, 4, "krb5_crypto_init failed: %s", msg);
krb5_free_error_message(r->context, msg);
goto out;
}
ret = krb5_decrypt_EncryptedData (context,
ret = krb5_decrypt_EncryptedData (r->context,
crypto,
usage,
b->enc_authorization_data,
&ad);
krb5_crypto_destroy(context, crypto);
krb5_crypto_destroy(r->context, crypto);
if(ret){
krb5_auth_con_free(context, ac);
kdc_log(context, config, 4,
krb5_auth_con_free(r->context, ac);
kdc_log(r->context, config, 4,
"Failed to decrypt enc-authorization-data");
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
goto out;
}
ALLOC(*auth_data);
if (*auth_data == NULL) {
krb5_auth_con_free(context, ac);
krb5_auth_con_free(r->context, ac);
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
goto out;
}
ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
if(ret){
krb5_auth_con_free(context, ac);
krb5_auth_con_free(r->context, ac);
free(*auth_data);
*auth_data = NULL;
kdc_log(context, config, 4, "Failed to decode authorization data");
kdc_log(r->context, config, 4, "Failed to decode authorization data");
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
goto out;
}
@@ -1216,7 +1214,7 @@ next_kvno:
if (ret)
goto out;
krb5_auth_con_free(context, ac);
krb5_auth_con_free(r->context, ac);
out:
free_AP_REQ(&ap_req);
@@ -2321,7 +2319,6 @@ out:
krb5_error_code
_kdc_tgs_rep(astgs_request_t r)
{
krb5_context context = r->context;
krb5_kdc_configuration *config = r->config;
KDC_REQ *req = &r->req;
krb5_data *data = r->reply;
@@ -2343,7 +2340,7 @@ _kdc_tgs_rep(astgs_request_t r)
if(req->padata == NULL){
ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
kdc_log(context, config, 4,
kdc_log(r->context, config, 4,
"TGS-REQ from %s without PA-DATA", from);
goto out;
}
@@ -2361,7 +2358,7 @@ _kdc_tgs_rep(astgs_request_t r)
if(tgs_req == NULL){
ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
kdc_log(context, config, 4,
kdc_log(r->context, config, 4,
"TGS-REQ from %s without PA-TGS-REQ", from);
goto out;
}
@@ -2378,7 +2375,7 @@ _kdc_tgs_rep(astgs_request_t r)
goto out;
}
if (ret) {
kdc_log(context, config, 4,
kdc_log(r->context, config, 4,
"Failed parsing TGS-REQ from %s", from);
goto out;
}
@@ -2395,7 +2392,7 @@ _kdc_tgs_rep(astgs_request_t r)
&auth_data,
from_addr);
if (ret) {
kdc_log(context, config, 4,
kdc_log(r->context, config, 4,
"Failed building TGS-REP to %s", from);
goto out;
}
@@ -2411,7 +2408,7 @@ out:
if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){
METHOD_DATA error_method = { 0, NULL };
kdc_log(context, config, 5, "tgs-req: sending error: %d to client", ret);
kdc_log(r->context, config, 5, "tgs-req: sending error: %d to client", ret);
ret = _kdc_fast_mk_error(r,
&error_method,
r->armor_crypto,
@@ -2430,9 +2427,9 @@ out:
krb5_free_keyblock_contents(r->context, &r->strengthen_key);
if (ticket)
krb5_free_ticket(context, ticket);
krb5_free_ticket(r->context, ticket);
if(krbtgt)
_kdc_free_ent(context, krbtgt);
_kdc_free_ent(r->context, krbtgt);
_kdc_free_fast_state(&r->fast);
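Review bot: In the `tgs_parse_request` hunk the rewritten call `_krb5_principalname2krb5_principal(r->context, &princ, ap_req.ticket.sname, ap_req.ticket.realm);` still discards its return value, whereas the same call in `_kdc_as_rep` in the previous file assigns it to `ret` and jumps to `out` on failure; if it fails here, `princ` is handed to `_kdc_db_fetch` and later `krb5_free_principal` in whatever state the failed call left it. Suggest `ret = _krb5_principalname2krb5_principal(r->context, &princ, ap_req.ticket.sname, ap_req.ticket.realm);` followed by `if (ret) goto out;`, on the assumption that `princ` is initialised to NULL before this point (its declaration is outside the hunk) so that the `out:` path stays safe. The body of `tgs_parse_request` starts before and ends after the hunks shown.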


@@ -1131,7 +1131,6 @@ pk_mk_pa_reply_dh(krb5_context context,
krb5_error_code
_kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
{
krb5_context context = r->context;
krb5_kdc_configuration *config = r->config;
krb5_enctype sessionetype = r->sessionetype;
const KDC_REQ *req = &r->req;
@@ -1148,17 +1147,17 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
size_t i;
if (!config->enable_pkinit) {
krb5_clear_error_message(context);
krb5_clear_error_message(r->context);
return 0;
}
if (req->req_body.etype.len > 0) {
for (i = 0; i < req->req_body.etype.len; i++)
if (krb5_enctype_valid(context, req->req_body.etype.val[i]) == 0)
if (krb5_enctype_valid(r->context, req->req_body.etype.val[i]) == 0)
break;
if (req->req_body.etype.len <= i) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
krb5_set_error_message(r->context, ret,
"No valid enctype available from client");
goto out;
}
@@ -1181,13 +1180,13 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
rep.element = choice_PA_PK_AS_REP_encKeyPack;
ret = krb5_generate_random_keyblock(context, enctype,
ret = krb5_generate_random_keyblock(r->context, enctype,
&cp->reply_key);
if (ret) {
free_PA_PK_AS_REP(&rep);
goto out;
}
ret = pk_mk_pa_reply_enckey(context,
ret = pk_mk_pa_reply_enckey(r->context,
config,
cp,
req,
@@ -1204,15 +1203,15 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
ret);
free_ContentInfo(&info);
if (ret) {
krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
krb5_set_error_message(r->context, ret, "encoding of Key ContentInfo "
"failed %d", ret);
free_PA_PK_AS_REP(&rep);
goto out;
}
if (rep.u.encKeyPack.length != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
krb5_abortx(r->context, "Internal ASN.1 encoder error");
ret = krb5_generate_random_keyblock(context, sessionetype,
ret = krb5_generate_random_keyblock(r->context, sessionetype,
sessionkey);
if (ret) {
free_PA_PK_AS_REP(&rep);
@@ -1225,7 +1224,7 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
switch (cp->keyex) {
case USE_DH: type = "dh"; break;
case USE_ECDH: type = "ecdh"; break;
default: krb5_abortx(context, "unknown keyex"); break;
default: krb5_abortx(r->context, "unknown keyex"); break;
}
if (cp->dh_group_name)
@@ -1233,17 +1232,17 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
rep.element = choice_PA_PK_AS_REP_dhInfo;
ret = generate_dh_keyblock(context, cp, enctype);
ret = generate_dh_keyblock(r->context, cp, enctype);
if (ret)
return ret;
ret = pk_mk_pa_reply_dh(context, config,
ret = pk_mk_pa_reply_dh(r->context, config,
cp,
&info,
&kdc_cert);
if (ret) {
free_PA_PK_AS_REP(&rep);
krb5_set_error_message(context, ret,
krb5_set_error_message(r->context, ret,
"create pa-reply-dh "
"failed %d", ret);
goto out;
@@ -1254,14 +1253,14 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
ret);
free_ContentInfo(&info);
if (ret) {
krb5_set_error_message(context, ret,
krb5_set_error_message(r->context, ret,
"encoding of Key ContentInfo "
"failed %d", ret);
free_PA_PK_AS_REP(&rep);
goto out;
}
if (rep.u.encKeyPack.length != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
krb5_abortx(r->context, "Internal ASN.1 encoder error");
/* generate the session key using the method from RFC6112 */
{
@@ -1276,49 +1275,49 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
void *kxdata;
size_t kxlen;
ret = krb5_generate_random_keyblock(context, sessionetype,
ret = krb5_generate_random_keyblock(r->context, sessionetype,
&kdc_contribution_key);
if (ret) {
free_PA_PK_AS_REP(&rep);
goto out;
}
ret = krb5_crypto_init(context, &cp->reply_key, enctype, &reply_crypto);
ret = krb5_crypto_init(r->context, &cp->reply_key, enctype, &reply_crypto);
if (ret) {
krb5_free_keyblock_contents(context, &kdc_contribution_key);
krb5_free_keyblock_contents(r->context, &kdc_contribution_key);
free_PA_PK_AS_REP(&rep);
goto out;
}
ret = krb5_crypto_init(context, &kdc_contribution_key, sessionetype, &kdccont_crypto);
ret = krb5_crypto_init(r->context, &kdc_contribution_key, sessionetype, &kdccont_crypto);
if (ret) {
krb5_crypto_destroy(context, reply_crypto);
krb5_free_keyblock_contents(context, &kdc_contribution_key);
krb5_crypto_destroy(r->context, reply_crypto);
krb5_free_keyblock_contents(r->context, &kdc_contribution_key);
free_PA_PK_AS_REP(&rep);
goto out;
}
/* KRB-FX-CF2 */
ret = krb5_crypto_fx_cf2(context, kdccont_crypto, reply_crypto,
ret = krb5_crypto_fx_cf2(r->context, kdccont_crypto, reply_crypto,
&p1, &p2, sessionetype, sessionkey);
krb5_crypto_destroy(context, kdccont_crypto);
krb5_crypto_destroy(r->context, kdccont_crypto);
if (ret) {
krb5_crypto_destroy(context, reply_crypto);
krb5_free_keyblock_contents(context, &kdc_contribution_key);
krb5_crypto_destroy(r->context, reply_crypto);
krb5_free_keyblock_contents(r->context, &kdc_contribution_key);
free_PA_PK_AS_REP(&rep);
goto out;
}
ASN1_MALLOC_ENCODE(EncryptionKey, kckdata, kcklen,
&kdc_contribution_key, &size, ret);
krb5_free_keyblock_contents(context, &kdc_contribution_key);
krb5_free_keyblock_contents(r->context, &kdc_contribution_key);
if (ret) {
krb5_set_error_message(context, ret, "encoding of PKINIT-KX Key failed %d", ret);
krb5_crypto_destroy(context, reply_crypto);
krb5_set_error_message(r->context, ret, "encoding of PKINIT-KX Key failed %d", ret);
krb5_crypto_destroy(r->context, reply_crypto);
free_PA_PK_AS_REP(&rep);
goto out;
}
if (kcklen != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
ret = krb5_encrypt_EncryptedData(context, reply_crypto, KRB5_KU_PA_PKINIT_KX,
krb5_abortx(r->context, "Internal ASN.1 encoder error");
ret = krb5_encrypt_EncryptedData(r->context, reply_crypto, KRB5_KU_PA_PKINIT_KX,
kckdata, kcklen, 0, &kx);
krb5_crypto_destroy(context, reply_crypto);
krb5_crypto_destroy(r->context, reply_crypto);
free(kckdata);
if (ret) {
free_PA_PK_AS_REP(&rep);
@@ -1328,17 +1327,17 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
&kx, &size, ret);
free_EncryptedData(&kx);
if (ret) {
krb5_set_error_message(context, ret,
krb5_set_error_message(r->context, ret,
"encoding of PKINIT-KX failed %d", ret);
free_PA_PK_AS_REP(&rep);
goto out;
}
if (kxlen != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
krb5_abortx(r->context, "Internal ASN.1 encoder error");
/* Add PA-PKINIT-KX */
ret = krb5_padata_add(context, md, KRB5_PADATA_PKINIT_KX, kxdata, kxlen);
ret = krb5_padata_add(r->context, md, KRB5_PADATA_PKINIT_KX, kxdata, kxlen);
if (ret) {
krb5_set_error_message(context, ret,
krb5_set_error_message(r->context, ret,
"Failed adding PKINIT-KX %d", ret);
free(buf);
goto out;
@@ -1364,14 +1363,14 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
free_PA_PK_AS_REP(&rep);
if (ret) {
krb5_set_error_message(context, ret,
krb5_set_error_message(r->context, ret,
"encode PA-PK-AS-REP failed %d", ret);
goto out;
}
if (len != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
krb5_abortx(r->context, "Internal ASN.1 encoder error");
kdc_log(context, config, 0, "PKINIT using %s %s", type, other);
kdc_log(r->context, config, 0, "PKINIT using %s %s", type, other);
} else if (cp->type == PKINIT_WIN2K) {
PA_PK_AS_REP_Win2k rep;
@@ -1379,7 +1378,7 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
if (cp->keyex != USE_RSA) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
krb5_set_error_message(r->context, ret,
"Win2k PKINIT doesn't support DH");
goto out;
}
@@ -1389,13 +1388,13 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
pa_type = KRB5_PADATA_PK_AS_REP_19;
rep.element = choice_PA_PK_AS_REP_Win2k_encKeyPack;
ret = krb5_generate_random_keyblock(context, enctype,
ret = krb5_generate_random_keyblock(r->context, enctype,
&cp->reply_key);
if (ret) {
free_PA_PK_AS_REP_Win2k(&rep);
goto out;
}
ret = pk_mk_pa_reply_enckey(context,
ret = pk_mk_pa_reply_enckey(r->context,
config,
cp,
req,
@@ -1412,25 +1411,25 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
ret);
free_ContentInfo(&info);
if (ret) {
krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
krb5_set_error_message(r->context, ret, "encoding of Key ContentInfo "
"failed %d", ret);
free_PA_PK_AS_REP_Win2k(&rep);
goto out;
}
if (rep.u.encKeyPack.length != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
krb5_abortx(r->context, "Internal ASN.1 encoder error");
ASN1_MALLOC_ENCODE(PA_PK_AS_REP_Win2k, buf, len, &rep, &size, ret);
free_PA_PK_AS_REP_Win2k(&rep);
if (ret) {
krb5_set_error_message(context, ret,
krb5_set_error_message(r->context, ret,
"encode PA-PK-AS-REP-Win2k failed %d", ret);
goto out;
}
if (len != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
krb5_abortx(r->context, "Internal ASN.1 encoder error");
ret = krb5_generate_random_keyblock(context, sessionetype,
ret = krb5_generate_random_keyblock(r->context, sessionetype,
sessionkey);
if (ret) {
free(buf);
@@ -1438,12 +1437,12 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
}
} else
krb5_abortx(context, "PKINIT internal error");
krb5_abortx(r->context, "PKINIT internal error");
ret = krb5_padata_add(context, md, pa_type, buf, len);
ret = krb5_padata_add(r->context, md, pa_type, buf, len);
if (ret) {
krb5_set_error_message(context, ret,
krb5_set_error_message(r->context, ret,
"Failed adding PA-PK-AS-REP %d", ret);
free(buf);
goto out;
@@ -1462,7 +1461,7 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
fd = open(config->pkinit_kdc_ocsp_file, O_RDONLY);
if (fd < 0) {
kdc_log(context, config, 0,
kdc_log(r->context, config, 0,
"PKINIT failed to open ocsp data file %d", errno);
goto out_ocsp;
}
@@ -1470,7 +1469,7 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
if (ret) {
ret = errno;
close(fd);
kdc_log(context, config, 0,
kdc_log(r->context, config, 0,
"PKINIT failed to stat ocsp data %d", ret);
goto out_ocsp;
}
@@ -1478,7 +1477,7 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
ret = krb5_data_alloc(&ocsp.data, sb.st_size);
if (ret) {
close(fd);
kdc_log(context, config, 0,
kdc_log(r->context, config, 0,
"PKINIT failed to stat ocsp data %d", ret);
goto out_ocsp;
}
@@ -1486,19 +1485,19 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
ret = read(fd, ocsp.data.data, sb.st_size);
close(fd);
if (ret != sb.st_size) {
kdc_log(context, config, 0,
kdc_log(r->context, config, 0,
"PKINIT failed to read ocsp data %d", errno);
goto out_ocsp;
}
ret = hx509_ocsp_verify(context->hx509ctx,
ret = hx509_ocsp_verify(r->context->hx509ctx,
kdc_time,
kdc_cert,
0,
ocsp.data.data, ocsp.data.length,
&ocsp.expire);
if (ret) {
kdc_log(context, config, 0,
kdc_log(r->context, config, 0,
"PKINIT failed to verify ocsp data %d", ret);
krb5_data_free(&ocsp.data);
ocsp.expire = 0;
@@ -1514,11 +1513,11 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
if (ocsp.expire != 0 && ocsp.expire > kdc_time) {
ret = krb5_padata_add(context, md,
ret = krb5_padata_add(r->context, md,
KRB5_PADATA_PA_PK_OCSP_RESPONSE,
ocsp.data.data, ocsp.data.length);
if (ret) {
krb5_set_error_message(context, ret,
krb5_set_error_message(r->context, ret,
"Failed adding OCSP response %d", ret);
goto out;
}
@@ -1530,7 +1529,7 @@ out:
hx509_cert_free(kdc_cert);
if (ret == 0)
ret = krb5_copy_keyblock_contents(context, &cp->reply_key, reply_key);
ret = krb5_copy_keyblock_contents(r->context, &cp->reply_key, reply_key);
return ret;
}
@@ -1672,7 +1671,6 @@ _kdc_pk_check_client(astgs_request_t r,
pk_client_params *cp,
char **subject_name)
{
krb5_context context = r->context;
krb5_kdc_configuration *config = r->config;
HDB *clientdb = r->clientdb;
hdb_entry_ex *client = r->client;
@@ -1683,7 +1681,7 @@ _kdc_pk_check_client(astgs_request_t r,
size_t i;
if (cp->cert == NULL) {
if (!_kdc_is_anonymous(context, client->entry.principal)
if (!_kdc_is_anonymous(r->context, client->entry.principal)
&& !config->historical_anon_realm)
return KRB5KDC_ERR_BADOPTION;
@@ -1697,7 +1695,7 @@ _kdc_pk_check_client(astgs_request_t r,
cp->max_life = 0;
if (config->pkinit_max_life_from_cert_extension)
cp->max_life =
hx509_cert_get_pkinit_max_life(context->hx509ctx, cp->cert,
hx509_cert_get_pkinit_max_life(r->context->hx509ctx, cp->cert,
config->pkinit_max_life_bound);
if (cp->max_life == 0 && config->pkinit_max_life_from_cert > 0) {
cp->max_life = cp->endtime - hx509_cert_get_notBefore(cp->cert);
@@ -1705,7 +1703,7 @@ _kdc_pk_check_client(astgs_request_t r,
cp->max_life = config->pkinit_max_life_from_cert;
}
ret = hx509_cert_get_base_subject(context->hx509ctx,
ret = hx509_cert_get_base_subject(r->context->hx509ctx,
cp->cert,
&name);
if (ret)
@@ -1716,7 +1714,7 @@ _kdc_pk_check_client(astgs_request_t r,
if (ret)
return ret;
kdc_log(context, config, 0,
kdc_log(r->context, config, 0,
"Trying to authorize PKINIT subject DN %s",
*subject_name);
@@ -1726,7 +1724,7 @@ _kdc_pk_check_client(astgs_request_t r,
size_t j;
for (j = 0; j < pc->len; j++) {
cert = hx509_cert_init_data(context->hx509ctx,
cert = hx509_cert_init_data(r->context->hx509ctx,
pc->val[j].cert.data,
pc->val[j].cert.length,
NULL);
@@ -1735,7 +1733,7 @@ _kdc_pk_check_client(astgs_request_t r,
ret = hx509_cert_cmp(cert, cp->cert);
hx509_cert_free(cert);
if (ret == 0) {
kdc_log(context, config, 5,
kdc_log(r->context, config, 5,
"Found matching PKINIT cert in hdb");
return 0;
}
@@ -1744,22 +1742,22 @@ _kdc_pk_check_client(astgs_request_t r,
if (config->pkinit_princ_in_cert) {
ret = match_rfc_san(context, config,
context->hx509ctx,
ret = match_rfc_san(r->context, config,
r->context->hx509ctx,
cp->cert,
client->entry.principal);
if (ret == 0) {
kdc_log(context, config, 5,
kdc_log(r->context, config, 5,
"Found matching PKINIT SAN in certificate");
return 0;
}
ret = match_ms_upn_san(context, config,
context->hx509ctx,
ret = match_ms_upn_san(r->context, config,
r->context->hx509ctx,
cp->cert,
clientdb,
client);
if (ret == 0) {
kdc_log(context, config, 5,
kdc_log(r->context, config, 5,
"Found matching MS UPN SAN in certificate");
return 0;
}
@@ -1781,7 +1779,7 @@ _kdc_pk_check_client(astgs_request_t r,
if (acl->val[0].anchor)
continue;
kdc_log(context, config, 5,
kdc_log(r->context, config, 5,
"Found matching PKINIT database ACL");
return 0;
}
@@ -1790,24 +1788,24 @@ _kdc_pk_check_client(astgs_request_t r,
for (i = 0; i < principal_mappings.len; i++) {
krb5_boolean b;
b = krb5_principal_compare(context,
b = krb5_principal_compare(r->context,
client->entry.principal,
principal_mappings.val[i].principal);
if (b == FALSE)
continue;
if (strcmp(principal_mappings.val[i].subject, *subject_name) != 0)
continue;
kdc_log(context, config, 5,
kdc_log(r->context, config, 5,
"Found matching PKINIT FILE ACL");
return 0;
}
ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
krb5_set_error_message(context, ret,
krb5_set_error_message(r->context, ret,
"PKINIT no matching principals for %s",
*subject_name);
kdc_log(context, config, 5,
kdc_log(r->context, config, 5,
"PKINIT no matching principals for %s",
*subject_name);
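Review bot: In the OCSP hunk (`@@ -1486,19 +1485,19 @@`) of `_kdc_pk_mk_pa_reply`, `ret = read(fd, ocsp.data.data, sb.st_size);` stores the `ssize_t` result in the `krb5_error_code` that the `!= sb.st_size` comparison then uses, and on a short read the log line prints an `errno` that `read()` never set. A dedicated variable keeps the check exact: `ssize_t nread = read(fd, ocsp.data.data, sb.st_size);` followed by `if (nread < 0 || nread != (ssize_t)sb.st_size)`, with `errno` logged only when `nread < 0`. That failure branch also jumps to `out_ocsp` without the `krb5_data_free(&ocsp.data)` that the verify-failure branch a few lines below performs, and it leaves `ret` holding a byte count rather than an error code; `out_ocsp` is outside the hunk, so whether this leaks the buffer per request or mis-reports the status needs confirming there. This pre-dates the commit and is separate from its `r->context` substitution, but it sits in the lines being touched.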


@@ -198,7 +198,6 @@ check(krb5_context context, const void *plug, void *plugctx, void *userctx)
krb5_error_code
_kdc_check_access(astgs_request_t r, KDC_REQ *req, METHOD_DATA *method_data)
{
krb5_context context = r->context;
krb5_error_code ret = KRB5_PLUGIN_NO_HANDLE;
struct check_uc uc;
@@ -211,7 +210,7 @@ _kdc_check_access(astgs_request_t r, KDC_REQ *req, METHOD_DATA *method_data)
uc.req = req;
uc.method_data = method_data;
ret = _krb5_plugin_run_f(context, &windc_plugin_data,
ret = _krb5_plugin_run_f(r->context, &windc_plugin_data,
0, &uc, check);
}