From 007cc9fdc356b40d08b194612b60f04182f1739f Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Tue, 30 Nov 2021 10:38:10 +1100 Subject: [PATCH] kdc: remove temporary krb5_context variable Use r->context (from request) instead of a temporary context variable, where available. --- kdc/fast.c | 11 ++-- kdc/kerberos5.c | 146 ++++++++++++++++++++++------------------------ kdc/krb5tgs.c | 149 +++++++++++++++++++++++------------------------ kdc/pkinit.c | 150 ++++++++++++++++++++++++------------------------ kdc/windc.c | 3 +- 5 files changed, 222 insertions(+), 237 deletions(-) diff --git a/kdc/fast.c b/kdc/fast.c index fb813431f..f22196bec 100644 --- a/kdc/fast.c +++ b/kdc/fast.c @@ -334,7 +334,6 @@ _kdc_fast_mk_error(astgs_request_t r, time_t *csec, int *cusec, krb5_data *error_msg) { - krb5_context context = r->context; krb5_error_code ret; krb5_data e_data; size_t size; @@ -365,7 +364,7 @@ _kdc_fast_mk_error(astgs_request_t r, /* first add the KRB-ERROR to the fast errors */ - ret = krb5_mk_error(context, + ret = krb5_mk_error(r->context, outer_error, e_text, NULL, @@ -377,7 +376,7 @@ _kdc_fast_mk_error(astgs_request_t r, if (ret) return ret; - ret = krb5_padata_add(context, error_method, + ret = krb5_padata_add(r->context, error_method, KRB5_PADATA_FX_ERROR, e_data.data, e_data.length); if (ret) { @@ -394,14 +393,14 @@ _kdc_fast_mk_error(astgs_request_t r, csec = 0; cusec = 0; - ret = _kdc_fast_mk_response(context, armor_crypto, + ret = _kdc_fast_mk_response(r->context, armor_crypto, error_method, NULL, NULL, req_body->nonce, &e_data); free_METHOD_DATA(error_method); if (ret) return ret; - ret = krb5_padata_add(context, error_method, + ret = krb5_padata_add(r->context, error_method, KRB5_PADATA_FX_FAST, e_data.data, e_data.length); if (ret) 
@@ -416,7 +415,7 @@ _kdc_fast_mk_error(astgs_request_t r, heim_assert(size == e_data.length, "internal asn.1 encoder error"); } - ret = krb5_mk_error(context, + ret = krb5_mk_error(r->context, outer_error, e_text, (e_data.length ? &e_data : NULL), diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c index e7c0070d6..f7cbc4dec 100644 --- a/kdc/kerberos5.c +++ b/kdc/kerberos5.c @@ -158,7 +158,6 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags, krb5_enctype *ret_enctype, Key **ret_key, krb5_boolean *ret_default_salt) { - krb5_context context = r->context; krb5_boolean use_strongest_session_key; krb5_boolean is_preauth = flags & KFE_IS_PREAUTH; krb5_boolean is_tgs = flags & KFE_IS_TGS; @@ -189,7 +188,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags, r->config->svc_use_strongest_session_key); /* We'll want to avoid keys with v4 salted keys in the pre-auth case... */ - ret = krb5_get_pw_salt(context, request_princ, &def_salt); + ret = krb5_get_pw_salt(r->context, request_princ, &def_salt); if (ret) return ret; @@ -223,11 +222,11 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags, */ /* drive the search with local supported enctypes list */ - p = krb5_kerberos_enctypes(context); + p = krb5_kerberos_enctypes(r->context); for (i = 0; p[i] != (krb5_enctype)ETYPE_NULL && enctype == (krb5_enctype)ETYPE_NULL; i++) { - if (krb5_enctype_valid(context, p[i]) != 0 && + if (krb5_enctype_valid(r->context, p[i]) != 0 && !_kdc_is_weak_exception(princ->entry.principal, p[i])) continue; @@ -269,7 +268,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags, * PA-ETYPE-INFO* or because we're selecting a session key * enctype. */ - while (hdb_next_enctype2key(context, &princ->entry, NULL, + while (hdb_next_enctype2key(r->context, &princ->entry, NULL, p[i], &key) == 0) { if (key->key.keyvalue.length == 0) { ret = KRB5KDC_ERR_NULL_KEY; 
@@ -296,13 +295,13 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags, */ for(i = 0; ret != 0 && i < len; i++) { - if (krb5_enctype_valid(context, etypes[i]) != 0 && + if (krb5_enctype_valid(r->context, etypes[i]) != 0 && !_kdc_is_weak_exception(princ->entry.principal, etypes[i])) continue; key = NULL; while (ret != 0 && - hdb_next_enctype2key(context, &princ->entry, NULL, + hdb_next_enctype2key(r->context, &princ->entry, NULL, etypes[i], &key) == 0) { if (key->key.keyvalue.length == 0) { ret = KRB5KDC_ERR_NULL_KEY; @@ -341,7 +340,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags, *ret_default_salt = is_default_salt_p(&def_salt, key); } - krb5_free_salt (context, def_salt); + krb5_free_salt (r->context, def_salt); return ret; } @@ -420,7 +419,6 @@ _kdc_log_timestamp(astgs_request_t r, const char *type, KerberosTime authtime, KerberosTime *starttime, KerberosTime endtime, KerberosTime *renew_till) { - krb5_context context = r->context; krb5_kdc_configuration *config = r->config; char authtime_str[100], starttime_str[100], endtime_str[100], renewtime_str[100]; 
@@ -436,22 +434,22 @@ _kdc_log_timestamp(astgs_request_t r, const char *type, _kdc_audit_addkv((kdc_request_t)r, 0, "renew", "%ld", (long)*renew_till); - krb5_format_time(context, authtime, + krb5_format_time(r->context, authtime, authtime_str, sizeof(authtime_str), TRUE); if (starttime) - krb5_format_time(context, *starttime, + krb5_format_time(r->context, *starttime, starttime_str, sizeof(starttime_str), TRUE); else strlcpy(starttime_str, "unset", sizeof(starttime_str)); - krb5_format_time(context, endtime, + krb5_format_time(r->context, endtime, endtime_str, sizeof(endtime_str), TRUE); if (renew_till) - krb5_format_time(context, *renew_till, + krb5_format_time(r->context, *renew_till, renewtime_str, sizeof(renewtime_str), TRUE); else strlcpy(renewtime_str, "unset", sizeof(renewtime_str)); - kdc_log(context, config, 4, + kdc_log(r->context, config, 4, "%s authtime: %s starttime: %s endtime: %s renew till: %s", type, authtime_str, starttime_str, endtime_str, renewtime_str); } @@ -930,7 +928,6 @@ static const struct kdc_patypes pat[] = { static void log_patypes(astgs_request_t r, METHOD_DATA *padata) { - krb5_context context = r->context; krb5_kdc_configuration *config = r->config; struct rk_strpool *p = NULL; char *str; @@ -948,7 +945,7 @@ log_patypes(astgs_request_t r, METHOD_DATA *padata) if (p && n + 1 < padata->len) p = rk_strpoolprintf(p, ", "); if (p == NULL) { - kdc_log(context, config, 1, "out of memory"); + kdc_log(r->context, config, 1, "out of memory"); return; } } @@ -956,7 +953,7 @@ log_patypes(astgs_request_t r, METHOD_DATA *padata) p = rk_strpoolprintf(p, "none"); str = rk_strpoolcollect(p); - kdc_log(context, config, 4, "Client sent patypes: %s", str); + kdc_log(r->context, config, 4, "Client sent patypes: %s", str); _kdc_audit_addkv((kdc_request_t)r, KDC_AUDIT_EATWHITE, "client-pa", "%s", str); free(str); 
@@ -1461,7 +1458,6 @@ get_pa_etype_info_both(krb5_context context, void _log_astgs_req(astgs_request_t r, krb5_enctype setype) { - krb5_context context = r->context; const KDC_REQ_BODY *b = &r->req.req_body; krb5_enctype cetype = r->reply_key.keytype; krb5_error_code ret; @@ -1483,7 +1479,7 @@ _log_astgs_req(astgs_request_t r, krb5_enctype setype) p = rk_strpoolprintf(NULL, "%s", "Client supported enctypes: "); for (i = 0; i < b->etype.len; i++) { - ret = krb5_enctype_to_string(context, b->etype.val[i], &str); + ret = krb5_enctype_to_string(r->context, b->etype.val[i], &str); if (ret == 0) { p = rk_strpoolprintf(p, "%s", str); free(str); @@ -1509,9 +1505,9 @@ _log_astgs_req(astgs_request_t r, krb5_enctype setype) str); free(str); - ret = krb5_enctype_to_string(context, cetype, &cet); + ret = krb5_enctype_to_string(r->context, cetype, &cet); if(ret == 0) { - ret = krb5_enctype_to_string(context, setype, &set); + ret = krb5_enctype_to_string(r->context, setype, &set); if (ret == 0) { p = rk_strpoolprintf(p, ", using %s/%s", cet, set); free(set); @@ -1554,8 +1550,6 @@ kdc_check_flags(astgs_request_t r, hdb_entry_ex *client_ex, hdb_entry_ex *server_ex) { - krb5_context context = r->context; - if (client_ex != NULL) { hdb_entry *client = &client_ex->entry; @@ -1579,7 +1573,7 @@ kdc_check_flags(astgs_request_t r, if (client->valid_start && *client->valid_start > kdc_time) { char starttime_str[100]; - krb5_format_time(context, *client->valid_start, + krb5_format_time(r->context, *client->valid_start, starttime_str, sizeof(starttime_str), TRUE); _kdc_audit_addreason((kdc_request_t)r, "Client not yet valid " "until %s", starttime_str); 
@@ -1588,7 +1582,7 @@ kdc_check_flags(astgs_request_t r, if (client->valid_end && *client->valid_end < kdc_time) { char endtime_str[100]; - krb5_format_time(context, *client->valid_end, + krb5_format_time(r->context, *client->valid_end, endtime_str, sizeof(endtime_str), TRUE); _kdc_audit_addreason((kdc_request_t)r, "Client expired at %s", endtime_str); @@ -1602,7 +1596,7 @@ kdc_check_flags(astgs_request_t r, if (client->pw_end && *client->pw_end < kdc_time && (server_ex == NULL || !server_ex->entry.flags.change_pw)) { char pwend_str[100]; - krb5_format_time(context, *client->pw_end, + krb5_format_time(r->context, *client->pw_end, pwend_str, sizeof(pwend_str), TRUE); _kdc_audit_addreason((kdc_request_t)r, "Client's key has expired " "at %s", pwend_str); @@ -1638,7 +1632,7 @@ kdc_check_flags(astgs_request_t r, if (server->valid_start && *server->valid_start > kdc_time) { char starttime_str[100]; - krb5_format_time(context, *server->valid_start, + krb5_format_time(r->context, *server->valid_start, starttime_str, sizeof(starttime_str), TRUE); _kdc_audit_addreason((kdc_request_t)r, "Server not yet valid " "until %s", starttime_str); @@ -1647,7 +1641,7 @@ kdc_check_flags(astgs_request_t r, if (server->valid_end && *server->valid_end < kdc_time) { char endtime_str[100]; - krb5_format_time(context, *server->valid_end, + krb5_format_time(r->context, *server->valid_end, endtime_str, sizeof(endtime_str), TRUE); _kdc_audit_addreason((kdc_request_t)r, "Server expired at %s", endtime_str); @@ -1656,7 +1650,7 @@ kdc_check_flags(astgs_request_t r, if (server->pw_end && *server->pw_end < kdc_time) { char pwend_str[100]; - krb5_format_time(context, *server->pw_end, + krb5_format_time(r->context, *server->pw_end, pwend_str, sizeof(pwend_str), TRUE); _kdc_audit_addreason((kdc_request_t)r, "Server's key has expired " "at %s", pwend_str); 
@@ -1676,7 +1670,6 @@ krb5_boolean _kdc_check_addresses(astgs_request_t r, HostAddresses *addresses, const struct sockaddr *from) { - krb5_context context = r->context; krb5_kdc_configuration *config = r->config; krb5_error_code ret; krb5_address addr; @@ -1710,12 +1703,12 @@ _kdc_check_addresses(astgs_request_t r, HostAddresses *addresses, if(only_netbios) return config->allow_null_ticket_addresses; - ret = krb5_sockaddr2address (context, from, &addr); + ret = krb5_sockaddr2address (r->context, from, &addr); if(ret) return FALSE; - result = krb5_address_search(context, &addr, addresses); - krb5_free_address (context, &addr); + result = krb5_address_search(r->context, &addr, addresses); + krb5_free_address (r->context, &addr); return result; } @@ -1928,7 +1921,6 @@ get_local_tgs(krb5_context context, krb5_error_code _kdc_as_rep(astgs_request_t r) { - krb5_context context = r->context; krb5_kdc_configuration *config = r->config; KDC_REQ *req = &r->req; const char *from = r->from; @@ -1969,12 +1961,12 @@ _kdc_as_rep(astgs_request_t r) goto out; } - ret = _krb5_principalname2krb5_principal(context, &r->server_princ, + ret = _krb5_principalname2krb5_principal(r->context, &r->server_princ, *(b->sname), b->realm); if (!ret) - ret = krb5_unparse_name(context, r->server_princ, &r->sname); + ret = krb5_unparse_name(r->context, r->server_princ, &r->sname); if (ret) { - kdc_log(context, config, 2, + kdc_log(r->context, config, 2, "AS_REQ malformed server name from %s", from); goto out; } 
@@ -1985,48 +1977,48 @@ _kdc_as_rep(astgs_request_t r) goto out; } - ret = _krb5_principalname2krb5_principal(context, &r->client_princ, + ret = _krb5_principalname2krb5_principal(r->context, &r->client_princ, *(b->cname), b->realm); if (!ret) - ret = krb5_unparse_name(context, r->client_princ, &r->cname); + ret = krb5_unparse_name(r->context, r->client_princ, &r->cname); if (ret) { - kdc_log(context, config, 2, + kdc_log(r->context, config, 2, "AS-REQ malformed client name from %s", from); goto out; } - kdc_log(context, config, 4, "AS-REQ %s from %s for %s", + kdc_log(r->context, config, 4, "AS-REQ %s from %s for %s", r->cname, r->from, r->sname); - is_tgs = krb5_principal_is_krbtgt(context, r->server_princ); + is_tgs = krb5_principal_is_krbtgt(r->context, r->server_princ); - if (_kdc_is_anonymous(context, r->client_princ) && + if (_kdc_is_anonymous(r->context, r->client_princ) && !_kdc_is_anon_request(req)) { - kdc_log(context, config, 2, "Anonymous client w/o anonymous flag"); + kdc_log(r->context, config, 2, "Anonymous client w/o anonymous flag"); ret = KRB5KDC_ERR_BADOPTION; goto out; } - ret = _kdc_db_fetch(context, config, r->client_princ, + ret = _kdc_db_fetch(r->context, config, r->client_princ, HDB_F_GET_CLIENT | HDB_F_SYNTHETIC_OK | flags, NULL, &r->clientdb, &r->client); switch (ret) { case 0: /* Success */ break; case HDB_ERR_NOT_FOUND_HERE: - kdc_log(context, config, 5, "client %s does not have secrets at this KDC, need to proxy", + kdc_log(r->context, config, 5, "client %s does not have secrets at this KDC, need to proxy", r->cname); goto out; case HDB_ERR_WRONG_REALM: { char *fixed_client_name = NULL; - ret = krb5_unparse_name(context, r->client->entry.principal, + ret = krb5_unparse_name(r->context, r->client->entry.principal, &fixed_client_name); if (ret) { goto out; } - kdc_log(context, config, 4, "WRONG_REALM - %s -> %s", + kdc_log(r->context, config, 4, "WRONG_REALM - %s -> %s", r->cname, fixed_client_name); free(fixed_client_name); 
@@ -2038,13 +2030,13 @@ _kdc_as_rep(astgs_request_t r) goto out; } default: - msg = krb5_get_error_message(context, ret); - kdc_log(context, config, 4, "UNKNOWN -- %s: %s", r->cname, msg); - krb5_free_error_message(context, msg); + msg = krb5_get_error_message(r->context, ret); + kdc_log(r->context, config, 4, "UNKNOWN -- %s: %s", r->cname, msg); + krb5_free_error_message(r->context, msg); ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; goto out; } - ret = _kdc_db_fetch(context, config, r->server_princ, + ret = _kdc_db_fetch(r->context, config, r->server_princ, HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS | flags | (is_tgs ? HDB_F_GET_KRBTGT : 0), NULL, NULL, &r->server); @@ -2052,13 +2044,13 @@ _kdc_as_rep(astgs_request_t r) case 0: /* Success */ break; case HDB_ERR_NOT_FOUND_HERE: - kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", + kdc_log(r->context, config, 5, "target %s does not have secrets at this KDC, need to proxy", r->sname); goto out; default: - msg = krb5_get_error_message(context, ret); - kdc_log(context, config, 4, "UNKNOWN -- %s: %s", r->sname, msg); - krb5_free_error_message(context, msg); + msg = krb5_get_error_message(r->context, ret); + kdc_log(r->context, config, 4, "UNKNOWN -- %s: %s", r->sname, msg); + krb5_free_error_message(r->context, msg); ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; goto out; } @@ -2072,7 +2064,7 @@ _kdc_as_rep(astgs_request_t r) b->etype.val, b->etype.len, &r->sessionetype, NULL, NULL); if (ret) { - kdc_log(context, config, 4, + kdc_log(r->context, config, 4, "Client (%s) from %s has no common enctypes with KDC " "to use for the session key", r->cname, from); 
@@ -2096,14 +2088,14 @@ _kdc_as_rep(astgs_request_t r) if (r->armor_crypto == NULL && (pat[n].flags & PA_REQ_FAST)) continue; - kdc_log(context, config, 5, + kdc_log(r->context, config, 5, "Looking for %s pa-data -- %s", pat[n].name, r->cname); i = 0; pa = _kdc_find_padata(req, &i, pat[n].type); if (pa) { if (r->client->entry.flags.synthetic && !(pat[n].flags & PA_SYNTHETIC_OK)) { - kdc_log(context, config, 4, "UNKNOWN -- %s", r->cname); + kdc_log(r->context, config, 4, "UNKNOWN -- %s", r->cname); ret = HDB_ERR_NOENTRY; goto out; } @@ -2122,14 +2114,14 @@ _kdc_as_rep(astgs_request_t r) b->etype.val, b->etype.len, NULL, &ckey, &default_salt); if (ret2 == 0) { - ret2 = get_pa_etype_info_both(context, config, &b->etype, + ret2 = get_pa_etype_info_both(r->context, config, &b->etype, &r->outpadata, ckey, !default_salt); if (ret2 != 0) ret = ret2; } goto out; } - kdc_log(context, config, 4, + kdc_log(r->context, config, 4, "%s pre-authentication succeeded -- %s", pat[n].name, r->cname); found_pa = 1; @@ -2144,7 +2136,7 @@ _kdc_as_rep(astgs_request_t r) krb5_boolean default_salt; if (r->client->entry.flags.synthetic) { - kdc_log(context, config, 4, "UNKNOWN -- %s", r->cname); + kdc_log(r->context, config, 4, "UNKNOWN -- %s", r->cname); ret = HDB_ERR_NOENTRY; goto out; } @@ -2152,7 +2144,7 @@ _kdc_as_rep(astgs_request_t r) for (n = 0; n < sizeof(pat) / sizeof(pat[0]); n++) { if ((pat[n].flags & PA_ANNOUNCE) == 0) continue; - ret = krb5_padata_add(context, &r->outpadata, + ret = krb5_padata_add(r->context, &r->outpadata, pat[n].type, NULL, 0); if (ret) goto out; @@ -2165,7 +2157,7 @@ _kdc_as_rep(astgs_request_t r) b->etype.val, b->etype.len, NULL, &ckey, &default_salt); if (ret == 0) { - ret = get_pa_etype_info_both(context, config, &b->etype, + ret = get_pa_etype_info_both(r->context, config, &b->etype, &r->outpadata, ckey, !default_salt); if (ret) goto out; 
@@ -2193,7 +2185,7 @@ _kdc_as_rep(astgs_request_t r) } if (r->clientdb->hdb_auth_status) { - r->clientdb->hdb_auth_status(context, r->clientdb, r->client, + r->clientdb->hdb_auth_status(r->context, r->clientdb, r->client, HDB_AUTH_SUCCESS); } @@ -2221,7 +2213,7 @@ _kdc_as_rep(astgs_request_t r) * the client since the client never needs to read that data. */ - ret = _kdc_get_preferred_key(context, config, + ret = _kdc_get_preferred_key(r->context, config, r->server, r->sname, &setype, &skey); if(ret) @@ -2231,12 +2223,12 @@ _kdc_as_rep(astgs_request_t r) if (is_tgs) { krbtgt_key = skey; } else { - ret = get_local_tgs(context, config, r->server_princ->realm, + ret = get_local_tgs(r->context, config, r->server_princ->realm, &krbtgt); if (ret) goto out; - ret = _kdc_get_preferred_key(context, config, krbtgt, + ret = _kdc_get_preferred_key(r->context, config, krbtgt, r->server_princ->realm, NULL, &krbtgt_key); if (ret) @@ -2257,7 +2249,7 @@ _kdc_as_rep(astgs_request_t r) rep.msg_type = krb_as_rep; if (!config->historical_anon_realm && - _kdc_is_anonymous(context, r->client_princ)) { + _kdc_is_anonymous(r->context, r->client_princ)) { Realm anon_realm = KRB5_ANON_REALM; ret = copy_Realm(&anon_realm, &rep.crealm); } else if (f.canonicalize || r->client->entry.flags.force_canonicalize) @@ -2478,7 +2470,7 @@ _kdc_as_rep(astgs_request_t r) */ if (r->session_key.keytype == ETYPE_NULL) { - ret = krb5_generate_random_keyblock(context, r->sessionetype, &r->session_key); + ret = krb5_generate_random_keyblock(r->context, r->sessionetype, &r->session_key); if (ret) goto out; } @@ -2510,7 +2502,7 @@ _kdc_as_rep(astgs_request_t r) } /* Add the PAC */ - if (send_pac_p(context, req) && !r->et.flags.anonymous) { + if (send_pac_p(r->context, req) && !r->et.flags.anonymous) { generate_pac(r, skey, krbtgt_key); } 
@@ -2555,7 +2547,7 @@ _kdc_as_rep(astgs_request_t r) * */ - ret = _kdc_encode_reply(context, config, + ret = _kdc_encode_reply(r->context, config, r, req->req_body.nonce, &rep, &r->et, &r->ek, setype, r->server->entry.kvno, &skey->key, @@ -2597,19 +2589,19 @@ out: if (r->outpadata.len) free_METHOD_DATA(&r->outpadata); if (r->client_princ) { - krb5_free_principal(context, r->client_princ); + krb5_free_principal(r->context, r->client_princ); r->client_princ = NULL; } if (r->server_princ){ - krb5_free_principal(context, r->server_princ); + krb5_free_principal(r->context, r->server_princ); r->server_princ = NULL; } if (r->client) - _kdc_free_ent(context, r->client); + _kdc_free_ent(r->context, r->client); if (r->server) - _kdc_free_ent(context, r->server); + _kdc_free_ent(r->context, r->server); if (krbtgt) - _kdc_free_ent(context, krbtgt); + _kdc_free_ent(r->context, krbtgt); if (r->armor_crypto) { krb5_crypto_destroy(r->context, r->armor_crypto); r->armor_crypto = NULL; diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c index f7890f198..90d782009 100644 --- a/kdc/krb5tgs.c +++ b/kdc/krb5tgs.c @@ -147,7 +147,6 @@ check_tgs_flags(astgs_request_t r, KDC_REQ_BODY *b, krb5_const_principal tgt_name, const EncTicketPart *tgt, EncTicketPart *et) { - krb5_context context = r->context; KDCOptions f = b->kdc_options; if(f.validate){ @@ -227,7 +226,7 @@ check_tgs_flags(astgs_request_t r, KDC_REQ_BODY *b, *et->starttime = *b->from; et->flags.postdated = 1; et->flags.invalid = 1; - } else if (b->from && *b->from > kdc_time + context->max_skew) { + } else if (b->from && *b->from > kdc_time + r->context->max_skew) { _kdc_audit_addreason((kdc_request_t)r, "Ticket cannot be postdated"); return KRB5KDC_ERR_CANNOT_POSTDATE; 
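Review bot: In the `out:` cleanup of `_kdc_as_rep`, `r->client_princ` and `r->server_princ` are reset to NULL after being freed, but `r->client` and `r->server` are left pointing at the entries just released by `_kdc_free_ent(r->context, r->client)` and `_kdc_free_ent(r->context, r->server)`. If the request object is inspected or reused after this function returns — not visible from the hunk — those become dangling pointers. For symmetry with the principal fields, add `r->client = NULL;` and `r->server = NULL;` after the respective `_kdc_free_ent` calls. The enclosing function starts outside this hunk.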
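Review bot: The new condition in `check_tgs_flags`, `*b->from > kdc_time + r->context->max_skew`, reaches into the `krb5_context` structure directly, whereas every other replacement in this commit passes `r->context` as an opaque handle. The library exposes the same value through `krb5_get_max_time_skew()`, so `kdc_time + krb5_get_max_time_skew(r->context)` would keep the KDC off the context's internals and survive a layout change of the struct. This is a style point; the computed value is unchanged.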
@@ -266,7 +265,7 @@ check_tgs_flags(astgs_request_t r, KDC_REQ_BODY *b, * the anonymous principal and the anonymous ticket flag. */ if (tgt->flags.anonymous && - !_kdc_is_anonymous(context, tgt_name)) { + !_kdc_is_anonymous(r->context, tgt_name)) { _kdc_audit_addreason((kdc_request_t)r, "Anonymous ticket flag set without " "anonymous principal"); @@ -922,7 +921,6 @@ tgs_parse_request(astgs_request_t r, int **cusec, AuthorizationData **auth_data) { - krb5_context context = r->context; krb5_kdc_configuration *config = r->config; KDC_REQ_BODY *b = &r->req.req_body; static char failed[] = ""; 
@@ -946,38 +944,38 @@ tgs_parse_request(astgs_request_t r, *cusec = NULL; memset(&ap_req, 0, sizeof(ap_req)); - ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req); + ret = krb5_decode_ap_req(r->context, &tgs_req->padata_value, &ap_req); if(ret){ - const char *msg = krb5_get_error_message(context, ret); - kdc_log(context, config, 4, "Failed to decode AP-REQ: %s", msg); - krb5_free_error_message(context, msg); + const char *msg = krb5_get_error_message(r->context, ret); + kdc_log(r->context, config, 4, "Failed to decode AP-REQ: %s", msg); + krb5_free_error_message(r->context, msg); goto out; } if(!get_krbtgt_realm(&ap_req.ticket.sname)){ /* XXX check for ticket.sname == req.sname */ - kdc_log(context, config, 4, "PA-DATA is not a ticket-granting ticket"); + kdc_log(r->context, config, 4, "PA-DATA is not a ticket-granting ticket"); ret = KRB5KDC_ERR_POLICY; /* ? */ goto out; } - _krb5_principalname2krb5_principal(context, + _krb5_principalname2krb5_principal(r->context, &princ, ap_req.ticket.sname, ap_req.ticket.realm); krbtgt_kvno = ap_req.ticket.enc_part.kvno ? *ap_req.ticket.enc_part.kvno : 0; - ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, + ret = _kdc_db_fetch(r->context, config, princ, HDB_F_GET_KRBTGT, &krbtgt_kvno, NULL, krbtgt); if (ret == HDB_ERR_NOT_FOUND_HERE) { /* XXX Factor out this unparsing of the same princ all over */ char *p; - ret = krb5_unparse_name(context, princ, &p); + ret = krb5_unparse_name(r->context, princ, &p); if (ret != 0) p = failed; - krb5_free_principal(context, princ); - kdc_log(context, config, 5, + krb5_free_principal(r->context, princ); + kdc_log(r->context, config, 5, "Ticket-granting ticket account %s does not have secrets at " "this KDC, need to proxy", p); if (ret == 0) 
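Review bot: The return value of `_krb5_principalname2krb5_principal(r->context, &princ, ap_req.ticket.sname, ap_req.ticket.realm)` is still discarded, so on failure `princ` is passed to `_kdc_db_fetch` and the unparse/free calls below with whatever value it held. Every other krb5 call in this hunk assigns to `ret` and branches; this one should too: `ret = _krb5_principalname2krb5_principal(r->context, &princ, ap_req.ticket.sname, ap_req.ticket.realm); if (ret) goto out;`. Whether `princ` is initialised to NULL at declaration is outside the hunk, as is the rest of `tgs_parse_request`.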
@@ -986,11 +984,11 @@ tgs_parse_request(astgs_request_t r, goto out; } else if (ret == HDB_ERR_KVNO_NOT_FOUND) { char *p; - ret = krb5_unparse_name(context, princ, &p); + ret = krb5_unparse_name(r->context, princ, &p); if (ret != 0) p = failed; - krb5_free_principal(context, princ); - kdc_log(context, config, 5, + krb5_free_principal(r->context, princ); + kdc_log(r->context, config, 5, "Ticket-granting ticket account %s does not have keys for " "kvno %d at this KDC", p, krbtgt_kvno); if (ret == 0) @@ -999,11 +997,11 @@ tgs_parse_request(astgs_request_t r, goto out; } else if (ret == HDB_ERR_NO_MKEY) { char *p; - ret = krb5_unparse_name(context, princ, &p); + ret = krb5_unparse_name(r->context, princ, &p); if (ret != 0) p = failed; - krb5_free_principal(context, princ); - kdc_log(context, config, 5, + krb5_free_principal(r->context, princ); + kdc_log(r->context, config, 5, "Missing master key for decrypting keys for ticket-granting " "ticket account %s with kvno %d at this KDC", p, krbtgt_kvno); if (ret == 0) @@ -1011,15 +1009,15 @@ tgs_parse_request(astgs_request_t r, ret = HDB_ERR_KVNO_NOT_FOUND; goto out; } else if (ret) { - const char *msg = krb5_get_error_message(context, ret); + const char *msg = krb5_get_error_message(r->context, ret); char *p; - ret = krb5_unparse_name(context, princ, &p); + ret = krb5_unparse_name(r->context, princ, &p); if (ret != 0) p = failed; - kdc_log(context, config, 4, + kdc_log(r->context, config, 4, "Ticket-granting ticket %s not found in database: %s", p, msg); - krb5_free_principal(context, princ); - krb5_free_error_message(context, msg); + krb5_free_principal(r->context, princ); + krb5_free_error_message(r->context, msg); if (ret == 0) free(p); ret = KRB5KRB_AP_ERR_NOT_US; 
@@ -1030,8 +1028,8 @@ tgs_parse_request(astgs_request_t r, *krbtgt_etype = ap_req.ticket.enc_part.etype; next_kvno: - krbtgt_keys = hdb_kvno2keys(context, &(*krbtgt)->entry, krbtgt_kvno_try); - ret = hdb_enctype2key(context, &(*krbtgt)->entry, krbtgt_keys, + krbtgt_keys = hdb_kvno2keys(r->context, &(*krbtgt)->entry, krbtgt_kvno_try); + ret = hdb_enctype2key(r->context, &(*krbtgt)->entry, krbtgt_keys, ap_req.ticket.enc_part.etype, &tkey); if (ret && krbtgt_kvno == 0 && kvno_search_tries > 0) { kvno_search_tries--; @@ -1040,9 +1038,9 @@ next_kvno: } else if (ret) { char *str = NULL, *p = NULL; - krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str); - krb5_unparse_name(context, princ, &p); - kdc_log(context, config, 4, + krb5_enctype_to_string(r->context, ap_req.ticket.enc_part.etype, &str); + krb5_unparse_name(r->context, princ, &p); + kdc_log(r->context, config, 4, "No server key with enctype %s found for %s", str ? str : "", p ? p : ""); @@ -1058,7 +1056,7 @@ next_kvno: if (r->config->warn_ticket_addresses) verify_ap_req_flags |= KRB5_VERIFY_AP_REQ_IGNORE_ADDRS; - ret = krb5_verify_ap_req2(context, + ret = krb5_verify_ap_req2(r->context, &ac, &ap_req, princ, @@ -1080,11 +1078,11 @@ next_kvno: goto next_kvno; } - krb5_free_principal(context, princ); + krb5_free_principal(r->context, princ); if(ret) { - const char *msg = krb5_get_error_message(context, ret); - kdc_log(context, config, 4, "Failed to verify AP-REQ: %s", msg); - krb5_free_error_message(context, msg); + const char *msg = krb5_get_error_message(r->context, ret); + kdc_log(r->context, config, 4, "Failed to verify AP-REQ: %s", msg); + krb5_free_error_message(r->context, msg); goto out; } 
@@ -1093,64 +1091,64 @@ next_kvno: { krb5_authenticator auth; - ret = krb5_auth_con_getauthenticator(context, ac, &auth); + ret = krb5_auth_con_getauthenticator(r->context, ac, &auth); if (ret == 0) { *csec = malloc(sizeof(**csec)); if (*csec == NULL) { - krb5_free_authenticator(context, &auth); - kdc_log(context, config, 4, "malloc failed"); + krb5_free_authenticator(r->context, &auth); + kdc_log(r->context, config, 4, "malloc failed"); goto out; } **csec = auth->ctime; *cusec = malloc(sizeof(**cusec)); if (*cusec == NULL) { - krb5_free_authenticator(context, &auth); - kdc_log(context, config, 4, "malloc failed"); + krb5_free_authenticator(r->context, &auth); + kdc_log(r->context, config, 4, "malloc failed"); goto out; } **cusec = auth->cusec; ret = validate_fast_ad(r, auth->authorization_data); - krb5_free_authenticator(context, &auth); + krb5_free_authenticator(r->context, &auth); if (ret) goto out; } } - ret = tgs_check_authenticator(context, config, + ret = tgs_check_authenticator(r->context, config, ac, b, e_text, &(*ticket)->ticket.key); if (ret) { - krb5_auth_con_free(context, ac); + krb5_auth_con_free(r->context, ac); goto out; } usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY; r->rk_is_subkey = 1; - ret = krb5_auth_con_getremotesubkey(context, ac, &subkey); + ret = krb5_auth_con_getremotesubkey(r->context, ac, &subkey); if(ret){ - const char *msg = krb5_get_error_message(context, ret); - krb5_auth_con_free(context, ac); - kdc_log(context, config, 4, "Failed to get remote subkey: %s", msg); - krb5_free_error_message(context, msg); + const char *msg = krb5_get_error_message(r->context, ret); + krb5_auth_con_free(r->context, ac); + kdc_log(r->context, config, 4, "Failed to get remote subkey: %s", msg); + krb5_free_error_message(r->context, msg); goto out; } if(subkey == NULL){ usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION; r->rk_is_subkey = 0; - ret = krb5_auth_con_getkey(context, ac, &subkey); + ret = krb5_auth_con_getkey(r->context, ac, &subkey); if(ret) { - const char 
*msg = krb5_get_error_message(context, ret); - krb5_auth_con_free(context, ac); - kdc_log(context, config, 4, "Failed to get session key: %s", msg); - krb5_free_error_message(context, msg); + const char *msg = krb5_get_error_message(r->context, ret); + krb5_auth_con_free(r->context, ac); + kdc_log(r->context, config, 4, "Failed to get session key: %s", msg); + krb5_free_error_message(r->context, msg); goto out; } } if(subkey == NULL){ - krb5_auth_con_free(context, ac); - kdc_log(context, config, 4, + krb5_auth_con_free(r->context, ac); + kdc_log(r->context, config, 4, "Failed to get key for enc-authorization-data"); ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ goto out; 
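Review bot: Both `malloc` failure branches after `krb5_auth_con_getauthenticator` jump to `out` while `ret` is still 0 (the guard is `if (ret == 0)`), so unless `out:` rewrites `ret` — its body is outside this hunk — the caller sees success with `*csec`/`*cusec` left NULL. The same two branches also skip `krb5_auth_con_free(r->context, ac)`, which every other error path in this hunk calls before `goto out`. Suggest in each branch: `krb5_auth_con_free(r->context, ac);` and `ret = krb5_enomem(r->context);` ahead of the `goto out;`. The enclosing function `tgs_parse_request` starts and ends outside the hunk.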
@@ -1165,39 +1163,39 @@ next_kvno: if (b->enc_authorization_data) { krb5_data ad; - ret = krb5_crypto_init(context, &r->reply_key, 0, &crypto); + ret = krb5_crypto_init(r->context, &r->reply_key, 0, &crypto); if (ret) { - const char *msg = krb5_get_error_message(context, ret); - krb5_auth_con_free(context, ac); - kdc_log(context, config, 4, "krb5_crypto_init failed: %s", msg); - krb5_free_error_message(context, msg); + const char *msg = krb5_get_error_message(r->context, ret); + krb5_auth_con_free(r->context, ac); + kdc_log(r->context, config, 4, "krb5_crypto_init failed: %s", msg); + krb5_free_error_message(r->context, msg); goto out; } - ret = krb5_decrypt_EncryptedData (context, + ret = krb5_decrypt_EncryptedData (r->context, crypto, usage, b->enc_authorization_data, &ad); - krb5_crypto_destroy(context, crypto); + krb5_crypto_destroy(r->context, crypto); if(ret){ - krb5_auth_con_free(context, ac); - kdc_log(context, config, 4, + krb5_auth_con_free(r->context, ac); + kdc_log(r->context, config, 4, "Failed to decrypt enc-authorization-data"); ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ goto out; } ALLOC(*auth_data); if (*auth_data == NULL) { - krb5_auth_con_free(context, ac); + krb5_auth_con_free(r->context, ac); ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ goto out; } ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL); if(ret){ - krb5_auth_con_free(context, ac); + krb5_auth_con_free(r->context, ac); free(*auth_data); *auth_data = NULL; - kdc_log(context, config, 4, "Failed to decode authorization data"); + kdc_log(r->context, config, 4, "Failed to decode authorization data"); ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ goto out; } @@ -1216,7 +1214,7 @@ next_kvno: if (ret) goto out; - krb5_auth_con_free(context, ac); + krb5_auth_con_free(r->context, ac); out: free_AP_REQ(&ap_req); 
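Review bot: The decrypted buffer `ad` returned by `krb5_decrypt_EncryptedData` is not released on the two error paths visible in this hunk — the `ALLOC(*auth_data)` failure and the `decode_AuthorizationData` failure both `goto out` without `krb5_data_free(r->context, &ad);`; whether the success path frees it is outside the hunk. The `ALLOC` failure is also reported as `KRB5KRB_AP_ERR_BAD_INTEGRITY` (the existing `/* ? */` marks the doubt), which misattributes an out-of-memory condition to the client's data; `ret = krb5_enomem(r->context);` would be the accurate code there. The enclosing function starts outside the hunk.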
@@ -2321,7 +2319,6 @@ out: krb5_error_code _kdc_tgs_rep(astgs_request_t r) { - krb5_context context = r->context; krb5_kdc_configuration *config = r->config; KDC_REQ *req = &r->req; krb5_data *data = r->reply; @@ -2343,7 +2340,7 @@ _kdc_tgs_rep(astgs_request_t r) if(req->padata == NULL){ ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */ - kdc_log(context, config, 4, + kdc_log(r->context, config, 4, "TGS-REQ from %s without PA-DATA", from); goto out; } @@ -2361,7 +2358,7 @@ _kdc_tgs_rep(astgs_request_t r) if(tgs_req == NULL){ ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; - kdc_log(context, config, 4, + kdc_log(r->context, config, 4, "TGS-REQ from %s without PA-TGS-REQ", from); goto out; } @@ -2378,7 +2375,7 @@ _kdc_tgs_rep(astgs_request_t r) goto out; } if (ret) { - kdc_log(context, config, 4, + kdc_log(r->context, config, 4, "Failed parsing TGS-REQ from %s", from); goto out; } @@ -2395,7 +2392,7 @@ _kdc_tgs_rep(astgs_request_t r) &auth_data, from_addr); if (ret) { - kdc_log(context, config, 4, + kdc_log(r->context, config, 4, "Failed building TGS-REP to %s", from); goto out; } @@ -2411,7 +2408,7 @@ out: if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){ METHOD_DATA error_method = { 0, NULL }; - kdc_log(context, config, 5, "tgs-req: sending error: %d to client", ret); + kdc_log(r->context, config, 5, "tgs-req: sending error: %d to client", ret); ret = _kdc_fast_mk_error(r, &error_method, r->armor_crypto, @@ -2430,9 +2427,9 @@ out: krb5_free_keyblock_contents(r->context, &r->strengthen_key); if (ticket) - krb5_free_ticket(context, ticket); + krb5_free_ticket(r->context, ticket); if(krbtgt) - _kdc_free_ent(context, krbtgt); + _kdc_free_ent(r->context, krbtgt); _kdc_free_fast_state(&r->fast); diff --git a/kdc/pkinit.c b/kdc/pkinit.c index c1c8da029..6b5aa8d95 100644 --- a/kdc/pkinit.c +++ b/kdc/pkinit.c 
@@ -1131,7 +1131,6 @@ pk_mk_pa_reply_dh(krb5_context context, krb5_error_code _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp) { - krb5_context context = r->context; krb5_kdc_configuration *config = r->config; krb5_enctype sessionetype = r->sessionetype; const KDC_REQ *req = &r->req; @@ -1148,17 +1147,17 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp) size_t i; if (!config->enable_pkinit) { - krb5_clear_error_message(context); + krb5_clear_error_message(r->context); return 0; } if (req->req_body.etype.len > 0) { for (i = 0; i < req->req_body.etype.len; i++) - if (krb5_enctype_valid(context, req->req_body.etype.val[i]) == 0) + if (krb5_enctype_valid(r->context, req->req_body.etype.val[i]) == 0) break; if (req->req_body.etype.len <= i) { ret = KRB5KRB_ERR_GENERIC; - krb5_set_error_message(context, ret, + krb5_set_error_message(r->context, ret, "No valid enctype available from client"); goto out; } @@ -1181,13 +1180,13 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp) rep.element = choice_PA_PK_AS_REP_encKeyPack; - ret = krb5_generate_random_keyblock(context, enctype, + ret = krb5_generate_random_keyblock(r->context, enctype, &cp->reply_key); if (ret) { free_PA_PK_AS_REP(&rep); goto out; } - ret = pk_mk_pa_reply_enckey(context, + ret = pk_mk_pa_reply_enckey(r->context, config, cp, req, @@ -1204,15 +1203,15 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp) ret); free_ContentInfo(&info); if (ret) { - krb5_set_error_message(context, ret, "encoding of Key ContentInfo " + krb5_set_error_message(r->context, ret, "encoding of Key ContentInfo " "failed %d", ret); free_PA_PK_AS_REP(&rep); goto out; } if (rep.u.encKeyPack.length != size) - krb5_abortx(context, "Internal ASN.1 encoder error"); + krb5_abortx(r->context, "Internal ASN.1 encoder error"); - ret = krb5_generate_random_keyblock(context, sessionetype, + ret = krb5_generate_random_keyblock(r->context, sessionetype, sessionkey); if (ret) { free_PA_PK_AS_REP(&rep); 
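Review bot: When none of the client's offered enctypes pass krb5_enctype_valid, the `@@ -1148` hunk returns KRB5KRB_ERR_GENERIC, which hides the actual reason from the client; KRB5KDC_ERR_ETYPE_NOSUPP is the KDC error defined for exactly this situation and lets the client log it or retry with a different enctype list meaningfully. Change `ret = KRB5KRB_ERR_GENERIC;` in that branch to `ret = KRB5KDC_ERR_ETYPE_NOSUPP;` and keep the existing krb5_set_error_message text. The enclosing function, _kdc_pk_mk_pa_reply, continues past the end of the hunk.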
@@ -1225,7 +1224,7 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp) switch (cp->keyex) { case USE_DH: type = "dh"; break; case USE_ECDH: type = "ecdh"; break; - default: krb5_abortx(context, "unknown keyex"); break; + default: krb5_abortx(r->context, "unknown keyex"); break; } if (cp->dh_group_name) @@ -1233,17 +1232,17 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp) rep.element = choice_PA_PK_AS_REP_dhInfo; - ret = generate_dh_keyblock(context, cp, enctype); + ret = generate_dh_keyblock(r->context, cp, enctype); if (ret) return ret; - ret = pk_mk_pa_reply_dh(context, config, + ret = pk_mk_pa_reply_dh(r->context, config, cp, &info, &kdc_cert); if (ret) { free_PA_PK_AS_REP(&rep); - krb5_set_error_message(context, ret, + krb5_set_error_message(r->context, ret, "create pa-reply-dh " "failed %d", ret); goto out; @@ -1254,14 +1253,14 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp) ret); free_ContentInfo(&info); if (ret) { - krb5_set_error_message(context, ret, + krb5_set_error_message(r->context, ret, "encoding of Key ContentInfo " "failed %d", ret); free_PA_PK_AS_REP(&rep); goto out; } if (rep.u.encKeyPack.length != size) - krb5_abortx(context, "Internal ASN.1 encoder error"); + krb5_abortx(r->context, "Internal ASN.1 encoder error"); /* generate the session key using the method from RFC6112 */ { 
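Review bot: The length check `if (rep.u.encKeyPack.length != size)` in the `@@ -1254` hunk reads the encKeyPack member of the PA_PK_AS_REP union, but this is the branch where `rep.element` was set to choice_PA_PK_AS_REP_dhInfo (visible in the `@@ -1233` hunk), so the length written by the encode just above the hunk is presumably `rep.u.dhInfo.dhSignedData.length`. If it works today it is only because dhSignedData happens to be the first member of dhInfo and overlaps encKeyPack; otherwise the comparison reads a stale union member and the krb5_abortx on the next line takes the KDC down. Change it to `if (rep.u.dhInfo.dhSignedData.length != size)`. The enclosing function, _kdc_pk_mk_pa_reply, starts and ends outside the hunk.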
@@ -1276,49 +1275,49 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp) void *kxdata; size_t kxlen; - ret = krb5_generate_random_keyblock(context, sessionetype, + ret = krb5_generate_random_keyblock(r->context, sessionetype, &kdc_contribution_key); if (ret) { free_PA_PK_AS_REP(&rep); goto out; } - ret = krb5_crypto_init(context, &cp->reply_key, enctype, &reply_crypto); + ret = krb5_crypto_init(r->context, &cp->reply_key, enctype, &reply_crypto); if (ret) { - krb5_free_keyblock_contents(context, &kdc_contribution_key); + krb5_free_keyblock_contents(r->context, &kdc_contribution_key); free_PA_PK_AS_REP(&rep); goto out; } - ret = krb5_crypto_init(context, &kdc_contribution_key, sessionetype, &kdccont_crypto); + ret = krb5_crypto_init(r->context, &kdc_contribution_key, sessionetype, &kdccont_crypto); if (ret) { - krb5_crypto_destroy(context, reply_crypto); - krb5_free_keyblock_contents(context, &kdc_contribution_key); + krb5_crypto_destroy(r->context, reply_crypto); + krb5_free_keyblock_contents(r->context, &kdc_contribution_key); free_PA_PK_AS_REP(&rep); goto out; } /* KRB-FX-CF2 */ - ret = krb5_crypto_fx_cf2(context, kdccont_crypto, reply_crypto, + ret = krb5_crypto_fx_cf2(r->context, kdccont_crypto, reply_crypto, &p1, &p2, sessionetype, sessionkey); - krb5_crypto_destroy(context, kdccont_crypto); + krb5_crypto_destroy(r->context, kdccont_crypto); if (ret) { - krb5_crypto_destroy(context, reply_crypto); - krb5_free_keyblock_contents(context, &kdc_contribution_key); + krb5_crypto_destroy(r->context, reply_crypto); + krb5_free_keyblock_contents(r->context, &kdc_contribution_key); free_PA_PK_AS_REP(&rep); goto out; } ASN1_MALLOC_ENCODE(EncryptionKey, kckdata, kcklen, &kdc_contribution_key, &size, ret); - krb5_free_keyblock_contents(context, &kdc_contribution_key); + krb5_free_keyblock_contents(r->context, &kdc_contribution_key); if (ret) { - krb5_set_error_message(context, ret, "encoding of PKINIT-KX Key failed %d", ret); - krb5_crypto_destroy(context, 
reply_crypto); + krb5_set_error_message(r->context, ret, "encoding of PKINIT-KX Key failed %d", ret); + krb5_crypto_destroy(r->context, reply_crypto); free_PA_PK_AS_REP(&rep); goto out; } if (kcklen != size) - krb5_abortx(context, "Internal ASN.1 encoder error"); - ret = krb5_encrypt_EncryptedData(context, reply_crypto, KRB5_KU_PA_PKINIT_KX, + krb5_abortx(r->context, "Internal ASN.1 encoder error"); + ret = krb5_encrypt_EncryptedData(r->context, reply_crypto, KRB5_KU_PA_PKINIT_KX, kckdata, kcklen, 0, &kx); - krb5_crypto_destroy(context, reply_crypto); + krb5_crypto_destroy(r->context, reply_crypto); free(kckdata); if (ret) { free_PA_PK_AS_REP(&rep); @@ -1328,17 +1327,17 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp) &kx, &size, ret); free_EncryptedData(&kx); if (ret) { - krb5_set_error_message(context, ret, + krb5_set_error_message(r->context, ret, "encoding of PKINIT-KX failed %d", ret); free_PA_PK_AS_REP(&rep); goto out; } if (kxlen != size) - krb5_abortx(context, "Internal ASN.1 encoder error"); + krb5_abortx(r->context, "Internal ASN.1 encoder error"); /* Add PA-PKINIT-KX */ - ret = krb5_padata_add(context, md, KRB5_PADATA_PKINIT_KX, kxdata, kxlen); + ret = krb5_padata_add(r->context, md, KRB5_PADATA_PKINIT_KX, kxdata, kxlen); if (ret) { - krb5_set_error_message(context, ret, + krb5_set_error_message(r->context, ret, "Failed adding PKINIT-KX %d", ret); free(buf); goto out; @@ -1364,14 +1363,14 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp) free_PA_PK_AS_REP(&rep); if (ret) { - krb5_set_error_message(context, ret, + krb5_set_error_message(r->context, ret, "encode PA-PK-AS-REP failed %d", ret); goto out; } if (len != size) - krb5_abortx(context, "Internal ASN.1 encoder error"); + krb5_abortx(r->context, "Internal ASN.1 encoder error"); - kdc_log(context, config, 0, "PKINIT using %s %s", type, other); + kdc_log(r->context, config, 0, "PKINIT using %s %s", type, other); } else if (cp->type == PKINIT_WIN2K) { PA_PK_AS_REP_Win2k rep; 
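Review bot: `kckdata`, the DER encoding of kdc_contribution_key produced by ASN1_MALLOC_ENCODE in the `@@ -1276` hunk, holds the same secret key bytes as the keyblock that krb5_free_keyblock_contents scrubs, yet it is released with a plain `free(kckdata)` after krb5_encrypt_EncryptedData, leaving the contribution key in freed heap memory. Wipe it first, e.g. `memset_s(kckdata, kcklen, 0, kcklen); free(kckdata);` (or whichever explicit-zero helper this tree uses), so the key material does not outlive the reply. The enclosing function starts and ends outside the hunk.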
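Review bot: The failure branch of `krb5_padata_add(r->context, md, KRB5_PADATA_PKINIT_KX, kxdata, kxlen)` in the `@@ -1328` hunk frees the wrong object: `buf` is not allocated until the PA-PK-AS-REP is encoded in a later hunk, so `free(buf)` is at best a no-op on a NULL-initialised pointer (and a free of an indeterminate pointer if `buf` is not initialised at its declaration, which is outside this view), while `kxdata` and the partially built `rep` are left behind. If krb5_padata_add takes ownership of the buffer only on success — which the other callers in this diff assume, since none frees its buffer after a successful add — the branch should read `free(kxdata); free_PA_PK_AS_REP(&rep); goto out;`, matching the other error exits in this block. Whether `buf` is NULL at this point cannot be confirmed from the hunk.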
@@ -1379,7 +1378,7 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp) if (cp->keyex != USE_RSA) { ret = KRB5KRB_ERR_GENERIC; - krb5_set_error_message(context, ret, + krb5_set_error_message(r->context, ret, "Win2k PKINIT doesn't support DH"); goto out; } @@ -1389,13 +1388,13 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp) pa_type = KRB5_PADATA_PK_AS_REP_19; rep.element = choice_PA_PK_AS_REP_Win2k_encKeyPack; - ret = krb5_generate_random_keyblock(context, enctype, + ret = krb5_generate_random_keyblock(r->context, enctype, &cp->reply_key); if (ret) { free_PA_PK_AS_REP_Win2k(&rep); goto out; } - ret = pk_mk_pa_reply_enckey(context, + ret = pk_mk_pa_reply_enckey(r->context, config, cp, req, @@ -1412,25 +1411,25 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp) ret); free_ContentInfo(&info); if (ret) { - krb5_set_error_message(context, ret, "encoding of Key ContentInfo " + krb5_set_error_message(r->context, ret, "encoding of Key ContentInfo " "failed %d", ret); free_PA_PK_AS_REP_Win2k(&rep); goto out; } if (rep.u.encKeyPack.length != size) - krb5_abortx(context, "Internal ASN.1 encoder error"); + krb5_abortx(r->context, "Internal ASN.1 encoder error"); ASN1_MALLOC_ENCODE(PA_PK_AS_REP_Win2k, buf, len, &rep, &size, ret); free_PA_PK_AS_REP_Win2k(&rep); if (ret) { - krb5_set_error_message(context, ret, + krb5_set_error_message(r->context, ret, "encode PA-PK-AS-REP-Win2k failed %d", ret); goto out; } if (len != size) - krb5_abortx(context, "Internal ASN.1 encoder error"); + krb5_abortx(r->context, "Internal ASN.1 encoder error"); - ret = krb5_generate_random_keyblock(context, sessionetype, + ret = krb5_generate_random_keyblock(r->context, sessionetype, sessionkey); if (ret) { free(buf); 
@@ -1438,12 +1437,12 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp) } } else - krb5_abortx(context, "PKINIT internal error"); + krb5_abortx(r->context, "PKINIT internal error"); - ret = krb5_padata_add(context, md, pa_type, buf, len); + ret = krb5_padata_add(r->context, md, pa_type, buf, len); if (ret) { - krb5_set_error_message(context, ret, + krb5_set_error_message(r->context, ret, "Failed adding PA-PK-AS-REP %d", ret); free(buf); goto out; @@ -1462,7 +1461,7 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp) fd = open(config->pkinit_kdc_ocsp_file, O_RDONLY); if (fd < 0) { - kdc_log(context, config, 0, + kdc_log(r->context, config, 0, "PKINIT failed to open ocsp data file %d", errno); goto out_ocsp; } @@ -1470,7 +1469,7 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp) if (ret) { ret = errno; close(fd); - kdc_log(context, config, 0, + kdc_log(r->context, config, 0, "PKINIT failed to stat ocsp data %d", ret); goto out_ocsp; } @@ -1478,7 +1477,7 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp) ret = krb5_data_alloc(&ocsp.data, sb.st_size); if (ret) { close(fd); - kdc_log(context, config, 0, + kdc_log(r->context, config, 0, "PKINIT failed to stat ocsp data %d", ret); goto out_ocsp; } @@ -1486,19 +1485,19 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp) ret = read(fd, ocsp.data.data, sb.st_size); close(fd); if (ret != sb.st_size) { - kdc_log(context, config, 0, + kdc_log(r->context, config, 0, "PKINIT failed to read ocsp data %d", errno); goto out_ocsp; } - ret = hx509_ocsp_verify(context->hx509ctx, + ret = hx509_ocsp_verify(r->context->hx509ctx, kdc_time, kdc_cert, 0, ocsp.data.data, ocsp.data.length, &ocsp.expire); if (ret) { - kdc_log(context, config, 0, + kdc_log(r->context, config, 0, "PKINIT failed to verify ocsp data %d", ret); krb5_data_free(&ocsp.data); ocsp.expire = 0; 
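Review bot: The log message in the `@@ -1478` hunk's krb5_data_alloc failure branch, `"PKINIT failed to stat ocsp data %d"`, is copied from the fstat branch above it and misreports an allocation failure as a stat failure, sending whoever reads the log to the wrong syscall. Change it to `"PKINIT failed to allocate ocsp data %d"`. Note also that `ret` here is the error code returned by krb5_data_alloc rather than errno, so the `%d` it prints is in a different numbering from the fstat message it imitates; the text should not suggest otherwise. The enclosing function starts and ends outside the hunk.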
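Review bot: The read-failure branch in the `@@ -1486` hunk logs `errno` after `close(fd)` has already run, so the value printed may be close()'s errno rather than read()'s; capture it first with `int save_errno = errno;` directly after the read and log `save_errno` instead. The same line stores read()'s ssize_t result in `ret` (presumably the function's 32-bit krb5_error_code) and treats any short read as failure without retrying; a single short read on a regular file is unusual but legal, so a small loop that reads until `sb.st_size` bytes have arrived would be more robust than one shot. The enclosing function starts and ends outside the hunk.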
@@ -1514,11 +1513,11 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp) if (ocsp.expire != 0 && ocsp.expire > kdc_time) { - ret = krb5_padata_add(context, md, + ret = krb5_padata_add(r->context, md, KRB5_PADATA_PA_PK_OCSP_RESPONSE, ocsp.data.data, ocsp.data.length); if (ret) { - krb5_set_error_message(context, ret, + krb5_set_error_message(r->context, ret, "Failed adding OCSP response %d", ret); goto out; } @@ -1530,7 +1529,7 @@ out: hx509_cert_free(kdc_cert); if (ret == 0) - ret = krb5_copy_keyblock_contents(context, &cp->reply_key, reply_key); + ret = krb5_copy_keyblock_contents(r->context, &cp->reply_key, reply_key); return ret; } @@ -1672,7 +1671,6 @@ _kdc_pk_check_client(astgs_request_t r, pk_client_params *cp, char **subject_name) { - krb5_context context = r->context; krb5_kdc_configuration *config = r->config; HDB *clientdb = r->clientdb; hdb_entry_ex *client = r->client; @@ -1683,7 +1681,7 @@ _kdc_pk_check_client(astgs_request_t r, size_t i; if (cp->cert == NULL) { - if (!_kdc_is_anonymous(context, client->entry.principal) + if (!_kdc_is_anonymous(r->context, client->entry.principal) && !config->historical_anon_realm) return KRB5KDC_ERR_BADOPTION; @@ -1697,7 +1695,7 @@ _kdc_pk_check_client(astgs_request_t r, cp->max_life = 0; if (config->pkinit_max_life_from_cert_extension) cp->max_life = - hx509_cert_get_pkinit_max_life(context->hx509ctx, cp->cert, + hx509_cert_get_pkinit_max_life(r->context->hx509ctx, cp->cert, config->pkinit_max_life_bound); if (cp->max_life == 0 && config->pkinit_max_life_from_cert > 0) { cp->max_life = cp->endtime - hx509_cert_get_notBefore(cp->cert); @@ -1705,7 +1703,7 @@ _kdc_pk_check_client(astgs_request_t r, cp->max_life = config->pkinit_max_life_from_cert; } - ret = hx509_cert_get_base_subject(context->hx509ctx, + ret = hx509_cert_get_base_subject(r->context->hx509ctx, cp->cert, &name); if (ret) 
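Review bot: `krb5_padata_add(r->context, md, KRB5_PADATA_PA_PK_OCSP_RESPONSE, ocsp.data.data, ocsp.data.length)` in this hunk hands the `ocsp.data` buffer itself, not a copy, to the reply's METHOD_DATA, while the earlier hunks on this page treat that buffer as state that outlives the reply (it is only freed and `ocsp.expire` reset when hx509_ocsp_verify fails, and it is gated here on `ocsp.expire > kdc_time`). If krb5_padata_add stores the pointer it is given — no caller in this diff frees its buffer after a successful add, which suggests it does — then the reply and the OCSP cache end up owning the same allocation and the second free of it is a double free. Passing a copy, e.g. `krb5_data_copy()` into a local krb5_data and handing its `.data`/`.length` to the add (freeing the copy if the add fails), keeps the cached response valid across requests. Whether `ocsp` is a per-request local or a file-scope cache is outside this view and decides how serious this is.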
@@ -1716,7 +1714,7 @@ _kdc_pk_check_client(astgs_request_t r, if (ret) return ret; - kdc_log(context, config, 0, + kdc_log(r->context, config, 0, "Trying to authorize PKINIT subject DN %s", *subject_name); @@ -1726,7 +1724,7 @@ _kdc_pk_check_client(astgs_request_t r, size_t j; for (j = 0; j < pc->len; j++) { - cert = hx509_cert_init_data(context->hx509ctx, + cert = hx509_cert_init_data(r->context->hx509ctx, pc->val[j].cert.data, pc->val[j].cert.length, NULL); @@ -1735,7 +1733,7 @@ _kdc_pk_check_client(astgs_request_t r, ret = hx509_cert_cmp(cert, cp->cert); hx509_cert_free(cert); if (ret == 0) { - kdc_log(context, config, 5, + kdc_log(r->context, config, 5, "Found matching PKINIT cert in hdb"); return 0; } @@ -1744,22 +1742,22 @@ _kdc_pk_check_client(astgs_request_t r, if (config->pkinit_princ_in_cert) { - ret = match_rfc_san(context, config, - context->hx509ctx, + ret = match_rfc_san(r->context, config, + r->context->hx509ctx, cp->cert, client->entry.principal); if (ret == 0) { - kdc_log(context, config, 5, + kdc_log(r->context, config, 5, "Found matching PKINIT SAN in certificate"); return 0; } - ret = match_ms_upn_san(context, config, - context->hx509ctx, + ret = match_ms_upn_san(r->context, config, + r->context->hx509ctx, cp->cert, clientdb, client); if (ret == 0) { - kdc_log(context, config, 5, + kdc_log(r->context, config, 5, "Found matching MS UPN SAN in certificate"); return 0; } @@ -1781,7 +1779,7 @@ _kdc_pk_check_client(astgs_request_t r, if (acl->val[0].anchor) continue; - kdc_log(context, config, 5, + kdc_log(r->context, config, 5, "Found matching PKINIT database ACL"); return 0; } 
@@ -1790,24 +1788,24 @@ _kdc_pk_check_client(astgs_request_t r, for (i = 0; i < principal_mappings.len; i++) { krb5_boolean b; - b = krb5_principal_compare(context, + b = krb5_principal_compare(r->context, client->entry.principal, principal_mappings.val[i].principal); if (b == FALSE) continue; if (strcmp(principal_mappings.val[i].subject, *subject_name) != 0) continue; - kdc_log(context, config, 5, + kdc_log(r->context, config, 5, "Found matching PKINIT FILE ACL"); return 0; } ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH; - krb5_set_error_message(context, ret, + krb5_set_error_message(r->context, ret, "PKINIT no matching principals for %s", *subject_name); - kdc_log(context, config, 5, + kdc_log(r->context, config, 5, "PKINIT no matching principals for %s", *subject_name); diff --git a/kdc/windc.c b/kdc/windc.c index fa5f7ccd6..5a4f3c42d 100644 --- a/kdc/windc.c +++ b/kdc/windc.c @@ -198,7 +198,6 @@ check(krb5_context context, const void *plug, void *plugctx, void *userctx) krb5_error_code _kdc_check_access(astgs_request_t r, KDC_REQ *req, METHOD_DATA *method_data) { - krb5_context context = r->context; krb5_error_code ret = KRB5_PLUGIN_NO_HANDLE; struct check_uc uc; @@ -211,7 +210,7 @@ _kdc_check_access(astgs_request_t r, KDC_REQ *req, METHOD_DATA *method_data) uc.req = req; uc.method_data = method_data; - ret = _krb5_plugin_run_f(context, &windc_plugin_data, + ret = _krb5_plugin_run_f(r->context, &windc_plugin_data, 0, &uc, check); }