kdc: remove temporary krb5_context variable
Use r->context (from request) instead of a temporary context variable, where available.
11
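--- a/kdc/fast.c
+++ b/kdc/fast.c
@@ -334,7 +334,6 @@ _kdc_fast_mk_error(astgs_request_t r,
 time_t *csec, int *cusec,
 krb5_data *error_msg)
 {
-krb5_context context = r->context;
 krb5_error_code ret;
 krb5_data e_data;
 size_t size;
@@ -365,7 +364,7 @@ _kdc_fast_mk_error(astgs_request_t r,
 
 /* first add the KRB-ERROR to the fast errors */
 
-ret = krb5_mk_error(context,
+ret = krb5_mk_error(r->context,
 outer_error,
 e_text,
 NULL,
@@ -377,7 +376,7 @@ _kdc_fast_mk_error(astgs_request_t r,
 if (ret)
 return ret;
 
-ret = krb5_padata_add(context, error_method,
+ret = krb5_padata_add(r->context, error_method,
 KRB5_PADATA_FX_ERROR,
 e_data.data, e_data.length);
 if (ret) {
@@ -394,14 +393,14 @@ _kdc_fast_mk_error(astgs_request_t r,
 csec = 0;
 cusec = 0;
 
-ret = _kdc_fast_mk_response(context, armor_crypto,
+ret = _kdc_fast_mk_response(r->context, armor_crypto,
 error_method, NULL, NULL,
 req_body->nonce, &e_data);
 free_METHOD_DATA(error_method);
 if (ret)
 return ret;
 
-ret = krb5_padata_add(context, error_method,
+ret = krb5_padata_add(r->context, error_method,
 KRB5_PADATA_FX_FAST,
 e_data.data, e_data.length);
 if (ret)
@@ -416,7 +415,7 @@ _kdc_fast_mk_error(astgs_request_t r,
 heim_assert(size == e_data.length, "internal asn.1 encoder error");
 }
 
-ret = krb5_mk_error(context,
+ret = krb5_mk_error(r->context,
 outer_error,
 e_text,
 (e_data.length ? &e_data : NULL),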
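Review bot: In the @@ -394 hunk the context lines `csec = 0;` and `cusec = 0;` assign NULL to the `time_t *csec, int *cusec` pointer parameters rather than zeroing the values they point to, and nothing in the hunk says why, so a reader is likely to take it for a slip where `*csec = 0` was meant. If the intent is that the outer KRB-ERROR built by the final `krb5_mk_error(r->context, ...)` call carries no client time once the inner error has been FAST-wrapped (the remaining arguments of that call lie outside the hunk, so this is inferred), a comment such as `/* NULL out the client time: the outer KRB-ERROR must not repeat what the wrapped inner error already carries */` would pin that down. `_kdc_fast_mk_error` begins before the first hunk and continues past the last one.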
146
kdc/kerberos5.c
146
kdc/kerberos5.c
@@ -158,7 +158,6 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
|
|||||||
krb5_enctype *ret_enctype, Key **ret_key,
|
krb5_enctype *ret_enctype, Key **ret_key,
|
||||||
krb5_boolean *ret_default_salt)
|
krb5_boolean *ret_default_salt)
|
||||||
{
|
{
|
||||||
krb5_context context = r->context;
|
|
||||||
krb5_boolean use_strongest_session_key;
|
krb5_boolean use_strongest_session_key;
|
||||||
krb5_boolean is_preauth = flags & KFE_IS_PREAUTH;
|
krb5_boolean is_preauth = flags & KFE_IS_PREAUTH;
|
||||||
krb5_boolean is_tgs = flags & KFE_IS_TGS;
|
krb5_boolean is_tgs = flags & KFE_IS_TGS;
|
||||||
@@ -189,7 +188,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
|
|||||||
r->config->svc_use_strongest_session_key);
|
r->config->svc_use_strongest_session_key);
|
||||||
|
|
||||||
/* We'll want to avoid keys with v4 salted keys in the pre-auth case... */
|
/* We'll want to avoid keys with v4 salted keys in the pre-auth case... */
|
||||||
ret = krb5_get_pw_salt(context, request_princ, &def_salt);
|
ret = krb5_get_pw_salt(r->context, request_princ, &def_salt);
|
||||||
if (ret)
|
if (ret)
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
@@ -223,11 +222,11 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
/* drive the search with local supported enctypes list */
|
/* drive the search with local supported enctypes list */
|
||||||
p = krb5_kerberos_enctypes(context);
|
p = krb5_kerberos_enctypes(r->context);
|
||||||
for (i = 0;
|
for (i = 0;
|
||||||
p[i] != (krb5_enctype)ETYPE_NULL && enctype == (krb5_enctype)ETYPE_NULL;
|
p[i] != (krb5_enctype)ETYPE_NULL && enctype == (krb5_enctype)ETYPE_NULL;
|
||||||
i++) {
|
i++) {
|
||||||
if (krb5_enctype_valid(context, p[i]) != 0 &&
|
if (krb5_enctype_valid(r->context, p[i]) != 0 &&
|
||||||
!_kdc_is_weak_exception(princ->entry.principal, p[i]))
|
!_kdc_is_weak_exception(princ->entry.principal, p[i]))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
@@ -269,7 +268,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
|
|||||||
* PA-ETYPE-INFO* or because we're selecting a session key
|
* PA-ETYPE-INFO* or because we're selecting a session key
|
||||||
* enctype.
|
* enctype.
|
||||||
*/
|
*/
|
||||||
while (hdb_next_enctype2key(context, &princ->entry, NULL,
|
while (hdb_next_enctype2key(r->context, &princ->entry, NULL,
|
||||||
p[i], &key) == 0) {
|
p[i], &key) == 0) {
|
||||||
if (key->key.keyvalue.length == 0) {
|
if (key->key.keyvalue.length == 0) {
|
||||||
ret = KRB5KDC_ERR_NULL_KEY;
|
ret = KRB5KDC_ERR_NULL_KEY;
|
||||||
@@ -296,13 +295,13 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
|
|||||||
*/
|
*/
|
||||||
for(i = 0; ret != 0 && i < len; i++) {
|
for(i = 0; ret != 0 && i < len; i++) {
|
||||||
|
|
||||||
if (krb5_enctype_valid(context, etypes[i]) != 0 &&
|
if (krb5_enctype_valid(r->context, etypes[i]) != 0 &&
|
||||||
!_kdc_is_weak_exception(princ->entry.principal, etypes[i]))
|
!_kdc_is_weak_exception(princ->entry.principal, etypes[i]))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
key = NULL;
|
key = NULL;
|
||||||
while (ret != 0 &&
|
while (ret != 0 &&
|
||||||
hdb_next_enctype2key(context, &princ->entry, NULL,
|
hdb_next_enctype2key(r->context, &princ->entry, NULL,
|
||||||
etypes[i], &key) == 0) {
|
etypes[i], &key) == 0) {
|
||||||
if (key->key.keyvalue.length == 0) {
|
if (key->key.keyvalue.length == 0) {
|
||||||
ret = KRB5KDC_ERR_NULL_KEY;
|
ret = KRB5KDC_ERR_NULL_KEY;
|
||||||
@@ -341,7 +340,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
|
|||||||
*ret_default_salt = is_default_salt_p(&def_salt, key);
|
*ret_default_salt = is_default_salt_p(&def_salt, key);
|
||||||
}
|
}
|
||||||
|
|
||||||
krb5_free_salt (context, def_salt);
|
krb5_free_salt (r->context, def_salt);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -420,7 +419,6 @@ _kdc_log_timestamp(astgs_request_t r, const char *type,
|
|||||||
KerberosTime authtime, KerberosTime *starttime,
|
KerberosTime authtime, KerberosTime *starttime,
|
||||||
KerberosTime endtime, KerberosTime *renew_till)
|
KerberosTime endtime, KerberosTime *renew_till)
|
||||||
{
|
{
|
||||||
krb5_context context = r->context;
|
|
||||||
krb5_kdc_configuration *config = r->config;
|
krb5_kdc_configuration *config = r->config;
|
||||||
char authtime_str[100], starttime_str[100],
|
char authtime_str[100], starttime_str[100],
|
||||||
endtime_str[100], renewtime_str[100];
|
endtime_str[100], renewtime_str[100];
|
||||||
@@ -436,22 +434,22 @@ _kdc_log_timestamp(astgs_request_t r, const char *type,
|
|||||||
_kdc_audit_addkv((kdc_request_t)r, 0, "renew", "%ld",
|
_kdc_audit_addkv((kdc_request_t)r, 0, "renew", "%ld",
|
||||||
(long)*renew_till);
|
(long)*renew_till);
|
||||||
|
|
||||||
krb5_format_time(context, authtime,
|
krb5_format_time(r->context, authtime,
|
||||||
authtime_str, sizeof(authtime_str), TRUE);
|
authtime_str, sizeof(authtime_str), TRUE);
|
||||||
if (starttime)
|
if (starttime)
|
||||||
krb5_format_time(context, *starttime,
|
krb5_format_time(r->context, *starttime,
|
||||||
starttime_str, sizeof(starttime_str), TRUE);
|
starttime_str, sizeof(starttime_str), TRUE);
|
||||||
else
|
else
|
||||||
strlcpy(starttime_str, "unset", sizeof(starttime_str));
|
strlcpy(starttime_str, "unset", sizeof(starttime_str));
|
||||||
krb5_format_time(context, endtime,
|
krb5_format_time(r->context, endtime,
|
||||||
endtime_str, sizeof(endtime_str), TRUE);
|
endtime_str, sizeof(endtime_str), TRUE);
|
||||||
if (renew_till)
|
if (renew_till)
|
||||||
krb5_format_time(context, *renew_till,
|
krb5_format_time(r->context, *renew_till,
|
||||||
renewtime_str, sizeof(renewtime_str), TRUE);
|
renewtime_str, sizeof(renewtime_str), TRUE);
|
||||||
else
|
else
|
||||||
strlcpy(renewtime_str, "unset", sizeof(renewtime_str));
|
strlcpy(renewtime_str, "unset", sizeof(renewtime_str));
|
||||||
|
|
||||||
kdc_log(context, config, 4,
|
kdc_log(r->context, config, 4,
|
||||||
"%s authtime: %s starttime: %s endtime: %s renew till: %s",
|
"%s authtime: %s starttime: %s endtime: %s renew till: %s",
|
||||||
type, authtime_str, starttime_str, endtime_str, renewtime_str);
|
type, authtime_str, starttime_str, endtime_str, renewtime_str);
|
||||||
}
|
}
|
||||||
@@ -930,7 +928,6 @@ static const struct kdc_patypes pat[] = {
|
|||||||
static void
|
static void
|
||||||
log_patypes(astgs_request_t r, METHOD_DATA *padata)
|
log_patypes(astgs_request_t r, METHOD_DATA *padata)
|
||||||
{
|
{
|
||||||
krb5_context context = r->context;
|
|
||||||
krb5_kdc_configuration *config = r->config;
|
krb5_kdc_configuration *config = r->config;
|
||||||
struct rk_strpool *p = NULL;
|
struct rk_strpool *p = NULL;
|
||||||
char *str;
|
char *str;
|
||||||
@@ -948,7 +945,7 @@ log_patypes(astgs_request_t r, METHOD_DATA *padata)
|
|||||||
if (p && n + 1 < padata->len)
|
if (p && n + 1 < padata->len)
|
||||||
p = rk_strpoolprintf(p, ", ");
|
p = rk_strpoolprintf(p, ", ");
|
||||||
if (p == NULL) {
|
if (p == NULL) {
|
||||||
kdc_log(context, config, 1, "out of memory");
|
kdc_log(r->context, config, 1, "out of memory");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -956,7 +953,7 @@ log_patypes(astgs_request_t r, METHOD_DATA *padata)
|
|||||||
p = rk_strpoolprintf(p, "none");
|
p = rk_strpoolprintf(p, "none");
|
||||||
|
|
||||||
str = rk_strpoolcollect(p);
|
str = rk_strpoolcollect(p);
|
||||||
kdc_log(context, config, 4, "Client sent patypes: %s", str);
|
kdc_log(r->context, config, 4, "Client sent patypes: %s", str);
|
||||||
_kdc_audit_addkv((kdc_request_t)r, KDC_AUDIT_EATWHITE,
|
_kdc_audit_addkv((kdc_request_t)r, KDC_AUDIT_EATWHITE,
|
||||||
"client-pa", "%s", str);
|
"client-pa", "%s", str);
|
||||||
free(str);
|
free(str);
|
||||||
@@ -1461,7 +1458,6 @@ get_pa_etype_info_both(krb5_context context,
|
|||||||
void
|
void
|
||||||
_log_astgs_req(astgs_request_t r, krb5_enctype setype)
|
_log_astgs_req(astgs_request_t r, krb5_enctype setype)
|
||||||
{
|
{
|
||||||
krb5_context context = r->context;
|
|
||||||
const KDC_REQ_BODY *b = &r->req.req_body;
|
const KDC_REQ_BODY *b = &r->req.req_body;
|
||||||
krb5_enctype cetype = r->reply_key.keytype;
|
krb5_enctype cetype = r->reply_key.keytype;
|
||||||
krb5_error_code ret;
|
krb5_error_code ret;
|
||||||
@@ -1483,7 +1479,7 @@ _log_astgs_req(astgs_request_t r, krb5_enctype setype)
|
|||||||
p = rk_strpoolprintf(NULL, "%s", "Client supported enctypes: ");
|
p = rk_strpoolprintf(NULL, "%s", "Client supported enctypes: ");
|
||||||
|
|
||||||
for (i = 0; i < b->etype.len; i++) {
|
for (i = 0; i < b->etype.len; i++) {
|
||||||
ret = krb5_enctype_to_string(context, b->etype.val[i], &str);
|
ret = krb5_enctype_to_string(r->context, b->etype.val[i], &str);
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
p = rk_strpoolprintf(p, "%s", str);
|
p = rk_strpoolprintf(p, "%s", str);
|
||||||
free(str);
|
free(str);
|
||||||
@@ -1509,9 +1505,9 @@ _log_astgs_req(astgs_request_t r, krb5_enctype setype)
|
|||||||
str);
|
str);
|
||||||
free(str);
|
free(str);
|
||||||
|
|
||||||
ret = krb5_enctype_to_string(context, cetype, &cet);
|
ret = krb5_enctype_to_string(r->context, cetype, &cet);
|
||||||
if(ret == 0) {
|
if(ret == 0) {
|
||||||
ret = krb5_enctype_to_string(context, setype, &set);
|
ret = krb5_enctype_to_string(r->context, setype, &set);
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
p = rk_strpoolprintf(p, ", using %s/%s", cet, set);
|
p = rk_strpoolprintf(p, ", using %s/%s", cet, set);
|
||||||
free(set);
|
free(set);
|
||||||
@@ -1554,8 +1550,6 @@ kdc_check_flags(astgs_request_t r,
|
|||||||
hdb_entry_ex *client_ex,
|
hdb_entry_ex *client_ex,
|
||||||
hdb_entry_ex *server_ex)
|
hdb_entry_ex *server_ex)
|
||||||
{
|
{
|
||||||
krb5_context context = r->context;
|
|
||||||
|
|
||||||
if (client_ex != NULL) {
|
if (client_ex != NULL) {
|
||||||
hdb_entry *client = &client_ex->entry;
|
hdb_entry *client = &client_ex->entry;
|
||||||
|
|
||||||
@@ -1579,7 +1573,7 @@ kdc_check_flags(astgs_request_t r,
|
|||||||
|
|
||||||
if (client->valid_start && *client->valid_start > kdc_time) {
|
if (client->valid_start && *client->valid_start > kdc_time) {
|
||||||
char starttime_str[100];
|
char starttime_str[100];
|
||||||
krb5_format_time(context, *client->valid_start,
|
krb5_format_time(r->context, *client->valid_start,
|
||||||
starttime_str, sizeof(starttime_str), TRUE);
|
starttime_str, sizeof(starttime_str), TRUE);
|
||||||
_kdc_audit_addreason((kdc_request_t)r, "Client not yet valid "
|
_kdc_audit_addreason((kdc_request_t)r, "Client not yet valid "
|
||||||
"until %s", starttime_str);
|
"until %s", starttime_str);
|
||||||
@@ -1588,7 +1582,7 @@ kdc_check_flags(astgs_request_t r,
|
|||||||
|
|
||||||
if (client->valid_end && *client->valid_end < kdc_time) {
|
if (client->valid_end && *client->valid_end < kdc_time) {
|
||||||
char endtime_str[100];
|
char endtime_str[100];
|
||||||
krb5_format_time(context, *client->valid_end,
|
krb5_format_time(r->context, *client->valid_end,
|
||||||
endtime_str, sizeof(endtime_str), TRUE);
|
endtime_str, sizeof(endtime_str), TRUE);
|
||||||
_kdc_audit_addreason((kdc_request_t)r, "Client expired at %s",
|
_kdc_audit_addreason((kdc_request_t)r, "Client expired at %s",
|
||||||
endtime_str);
|
endtime_str);
|
||||||
@@ -1602,7 +1596,7 @@ kdc_check_flags(astgs_request_t r,
|
|||||||
if (client->pw_end && *client->pw_end < kdc_time
|
if (client->pw_end && *client->pw_end < kdc_time
|
||||||
&& (server_ex == NULL || !server_ex->entry.flags.change_pw)) {
|
&& (server_ex == NULL || !server_ex->entry.flags.change_pw)) {
|
||||||
char pwend_str[100];
|
char pwend_str[100];
|
||||||
krb5_format_time(context, *client->pw_end,
|
krb5_format_time(r->context, *client->pw_end,
|
||||||
pwend_str, sizeof(pwend_str), TRUE);
|
pwend_str, sizeof(pwend_str), TRUE);
|
||||||
_kdc_audit_addreason((kdc_request_t)r, "Client's key has expired "
|
_kdc_audit_addreason((kdc_request_t)r, "Client's key has expired "
|
||||||
"at %s", pwend_str);
|
"at %s", pwend_str);
|
||||||
@@ -1638,7 +1632,7 @@ kdc_check_flags(astgs_request_t r,
|
|||||||
|
|
||||||
if (server->valid_start && *server->valid_start > kdc_time) {
|
if (server->valid_start && *server->valid_start > kdc_time) {
|
||||||
char starttime_str[100];
|
char starttime_str[100];
|
||||||
krb5_format_time(context, *server->valid_start,
|
krb5_format_time(r->context, *server->valid_start,
|
||||||
starttime_str, sizeof(starttime_str), TRUE);
|
starttime_str, sizeof(starttime_str), TRUE);
|
||||||
_kdc_audit_addreason((kdc_request_t)r, "Server not yet valid "
|
_kdc_audit_addreason((kdc_request_t)r, "Server not yet valid "
|
||||||
"until %s", starttime_str);
|
"until %s", starttime_str);
|
||||||
@@ -1647,7 +1641,7 @@ kdc_check_flags(astgs_request_t r,
|
|||||||
|
|
||||||
if (server->valid_end && *server->valid_end < kdc_time) {
|
if (server->valid_end && *server->valid_end < kdc_time) {
|
||||||
char endtime_str[100];
|
char endtime_str[100];
|
||||||
krb5_format_time(context, *server->valid_end,
|
krb5_format_time(r->context, *server->valid_end,
|
||||||
endtime_str, sizeof(endtime_str), TRUE);
|
endtime_str, sizeof(endtime_str), TRUE);
|
||||||
_kdc_audit_addreason((kdc_request_t)r, "Server expired at %s",
|
_kdc_audit_addreason((kdc_request_t)r, "Server expired at %s",
|
||||||
endtime_str);
|
endtime_str);
|
||||||
@@ -1656,7 +1650,7 @@ kdc_check_flags(astgs_request_t r,
|
|||||||
|
|
||||||
if (server->pw_end && *server->pw_end < kdc_time) {
|
if (server->pw_end && *server->pw_end < kdc_time) {
|
||||||
char pwend_str[100];
|
char pwend_str[100];
|
||||||
krb5_format_time(context, *server->pw_end,
|
krb5_format_time(r->context, *server->pw_end,
|
||||||
pwend_str, sizeof(pwend_str), TRUE);
|
pwend_str, sizeof(pwend_str), TRUE);
|
||||||
_kdc_audit_addreason((kdc_request_t)r, "Server's key has expired "
|
_kdc_audit_addreason((kdc_request_t)r, "Server's key has expired "
|
||||||
"at %s", pwend_str);
|
"at %s", pwend_str);
|
||||||
@@ -1676,7 +1670,6 @@ krb5_boolean
|
|||||||
_kdc_check_addresses(astgs_request_t r, HostAddresses *addresses,
|
_kdc_check_addresses(astgs_request_t r, HostAddresses *addresses,
|
||||||
const struct sockaddr *from)
|
const struct sockaddr *from)
|
||||||
{
|
{
|
||||||
krb5_context context = r->context;
|
|
||||||
krb5_kdc_configuration *config = r->config;
|
krb5_kdc_configuration *config = r->config;
|
||||||
krb5_error_code ret;
|
krb5_error_code ret;
|
||||||
krb5_address addr;
|
krb5_address addr;
|
||||||
@@ -1710,12 +1703,12 @@ _kdc_check_addresses(astgs_request_t r, HostAddresses *addresses,
|
|||||||
if(only_netbios)
|
if(only_netbios)
|
||||||
return config->allow_null_ticket_addresses;
|
return config->allow_null_ticket_addresses;
|
||||||
|
|
||||||
ret = krb5_sockaddr2address (context, from, &addr);
|
ret = krb5_sockaddr2address (r->context, from, &addr);
|
||||||
if(ret)
|
if(ret)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
result = krb5_address_search(context, &addr, addresses);
|
result = krb5_address_search(r->context, &addr, addresses);
|
||||||
krb5_free_address (context, &addr);
|
krb5_free_address (r->context, &addr);
|
||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1928,7 +1921,6 @@ get_local_tgs(krb5_context context,
|
|||||||
krb5_error_code
|
krb5_error_code
|
||||||
_kdc_as_rep(astgs_request_t r)
|
_kdc_as_rep(astgs_request_t r)
|
||||||
{
|
{
|
||||||
krb5_context context = r->context;
|
|
||||||
krb5_kdc_configuration *config = r->config;
|
krb5_kdc_configuration *config = r->config;
|
||||||
KDC_REQ *req = &r->req;
|
KDC_REQ *req = &r->req;
|
||||||
const char *from = r->from;
|
const char *from = r->from;
|
||||||
@@ -1969,12 +1961,12 @@ _kdc_as_rep(astgs_request_t r)
|
|||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = _krb5_principalname2krb5_principal(context, &r->server_princ,
|
ret = _krb5_principalname2krb5_principal(r->context, &r->server_princ,
|
||||||
*(b->sname), b->realm);
|
*(b->sname), b->realm);
|
||||||
if (!ret)
|
if (!ret)
|
||||||
ret = krb5_unparse_name(context, r->server_princ, &r->sname);
|
ret = krb5_unparse_name(r->context, r->server_princ, &r->sname);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
kdc_log(context, config, 2,
|
kdc_log(r->context, config, 2,
|
||||||
"AS_REQ malformed server name from %s", from);
|
"AS_REQ malformed server name from %s", from);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -1985,48 +1977,48 @@ _kdc_as_rep(astgs_request_t r)
|
|||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = _krb5_principalname2krb5_principal(context, &r->client_princ,
|
ret = _krb5_principalname2krb5_principal(r->context, &r->client_princ,
|
||||||
*(b->cname), b->realm);
|
*(b->cname), b->realm);
|
||||||
if (!ret)
|
if (!ret)
|
||||||
ret = krb5_unparse_name(context, r->client_princ, &r->cname);
|
ret = krb5_unparse_name(r->context, r->client_princ, &r->cname);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
kdc_log(context, config, 2,
|
kdc_log(r->context, config, 2,
|
||||||
"AS-REQ malformed client name from %s", from);
|
"AS-REQ malformed client name from %s", from);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
kdc_log(context, config, 4, "AS-REQ %s from %s for %s",
|
kdc_log(r->context, config, 4, "AS-REQ %s from %s for %s",
|
||||||
r->cname, r->from, r->sname);
|
r->cname, r->from, r->sname);
|
||||||
|
|
||||||
is_tgs = krb5_principal_is_krbtgt(context, r->server_princ);
|
is_tgs = krb5_principal_is_krbtgt(r->context, r->server_princ);
|
||||||
|
|
||||||
if (_kdc_is_anonymous(context, r->client_princ) &&
|
if (_kdc_is_anonymous(r->context, r->client_princ) &&
|
||||||
!_kdc_is_anon_request(req)) {
|
!_kdc_is_anon_request(req)) {
|
||||||
kdc_log(context, config, 2, "Anonymous client w/o anonymous flag");
|
kdc_log(r->context, config, 2, "Anonymous client w/o anonymous flag");
|
||||||
ret = KRB5KDC_ERR_BADOPTION;
|
ret = KRB5KDC_ERR_BADOPTION;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = _kdc_db_fetch(context, config, r->client_princ,
|
ret = _kdc_db_fetch(r->context, config, r->client_princ,
|
||||||
HDB_F_GET_CLIENT | HDB_F_SYNTHETIC_OK | flags, NULL,
|
HDB_F_GET_CLIENT | HDB_F_SYNTHETIC_OK | flags, NULL,
|
||||||
&r->clientdb, &r->client);
|
&r->clientdb, &r->client);
|
||||||
switch (ret) {
|
switch (ret) {
|
||||||
case 0: /* Success */
|
case 0: /* Success */
|
||||||
break;
|
break;
|
||||||
case HDB_ERR_NOT_FOUND_HERE:
|
case HDB_ERR_NOT_FOUND_HERE:
|
||||||
kdc_log(context, config, 5, "client %s does not have secrets at this KDC, need to proxy",
|
kdc_log(r->context, config, 5, "client %s does not have secrets at this KDC, need to proxy",
|
||||||
r->cname);
|
r->cname);
|
||||||
goto out;
|
goto out;
|
||||||
case HDB_ERR_WRONG_REALM: {
|
case HDB_ERR_WRONG_REALM: {
|
||||||
char *fixed_client_name = NULL;
|
char *fixed_client_name = NULL;
|
||||||
|
|
||||||
ret = krb5_unparse_name(context, r->client->entry.principal,
|
ret = krb5_unparse_name(r->context, r->client->entry.principal,
|
||||||
&fixed_client_name);
|
&fixed_client_name);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
kdc_log(context, config, 4, "WRONG_REALM - %s -> %s",
|
kdc_log(r->context, config, 4, "WRONG_REALM - %s -> %s",
|
||||||
r->cname, fixed_client_name);
|
r->cname, fixed_client_name);
|
||||||
free(fixed_client_name);
|
free(fixed_client_name);
|
||||||
|
|
||||||
@@ -2038,13 +2030,13 @@ _kdc_as_rep(astgs_request_t r)
|
|||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
default:
|
default:
|
||||||
msg = krb5_get_error_message(context, ret);
|
msg = krb5_get_error_message(r->context, ret);
|
||||||
kdc_log(context, config, 4, "UNKNOWN -- %s: %s", r->cname, msg);
|
kdc_log(r->context, config, 4, "UNKNOWN -- %s: %s", r->cname, msg);
|
||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(r->context, msg);
|
||||||
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
|
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
ret = _kdc_db_fetch(context, config, r->server_princ,
|
ret = _kdc_db_fetch(r->context, config, r->server_princ,
|
||||||
HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS |
|
HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS |
|
||||||
flags | (is_tgs ? HDB_F_GET_KRBTGT : 0),
|
flags | (is_tgs ? HDB_F_GET_KRBTGT : 0),
|
||||||
NULL, NULL, &r->server);
|
NULL, NULL, &r->server);
|
||||||
@@ -2052,13 +2044,13 @@ _kdc_as_rep(astgs_request_t r)
|
|||||||
case 0: /* Success */
|
case 0: /* Success */
|
||||||
break;
|
break;
|
||||||
case HDB_ERR_NOT_FOUND_HERE:
|
case HDB_ERR_NOT_FOUND_HERE:
|
||||||
kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy",
|
kdc_log(r->context, config, 5, "target %s does not have secrets at this KDC, need to proxy",
|
||||||
r->sname);
|
r->sname);
|
||||||
goto out;
|
goto out;
|
||||||
default:
|
default:
|
||||||
msg = krb5_get_error_message(context, ret);
|
msg = krb5_get_error_message(r->context, ret);
|
||||||
kdc_log(context, config, 4, "UNKNOWN -- %s: %s", r->sname, msg);
|
kdc_log(r->context, config, 4, "UNKNOWN -- %s: %s", r->sname, msg);
|
||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(r->context, msg);
|
||||||
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
|
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -2072,7 +2064,7 @@ _kdc_as_rep(astgs_request_t r)
|
|||||||
b->etype.val, b->etype.len,
|
b->etype.val, b->etype.len,
|
||||||
&r->sessionetype, NULL, NULL);
|
&r->sessionetype, NULL, NULL);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
kdc_log(context, config, 4,
|
kdc_log(r->context, config, 4,
|
||||||
"Client (%s) from %s has no common enctypes with KDC "
|
"Client (%s) from %s has no common enctypes with KDC "
|
||||||
"to use for the session key",
|
"to use for the session key",
|
||||||
r->cname, from);
|
r->cname, from);
|
||||||
@@ -2096,14 +2088,14 @@ _kdc_as_rep(astgs_request_t r)
|
|||||||
if (r->armor_crypto == NULL && (pat[n].flags & PA_REQ_FAST))
|
if (r->armor_crypto == NULL && (pat[n].flags & PA_REQ_FAST))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
kdc_log(context, config, 5,
|
kdc_log(r->context, config, 5,
|
||||||
"Looking for %s pa-data -- %s", pat[n].name, r->cname);
|
"Looking for %s pa-data -- %s", pat[n].name, r->cname);
|
||||||
i = 0;
|
i = 0;
|
||||||
pa = _kdc_find_padata(req, &i, pat[n].type);
|
pa = _kdc_find_padata(req, &i, pat[n].type);
|
||||||
if (pa) {
|
if (pa) {
|
||||||
if (r->client->entry.flags.synthetic &&
|
if (r->client->entry.flags.synthetic &&
|
||||||
!(pat[n].flags & PA_SYNTHETIC_OK)) {
|
!(pat[n].flags & PA_SYNTHETIC_OK)) {
|
||||||
kdc_log(context, config, 4, "UNKNOWN -- %s", r->cname);
|
kdc_log(r->context, config, 4, "UNKNOWN -- %s", r->cname);
|
||||||
ret = HDB_ERR_NOENTRY;
|
ret = HDB_ERR_NOENTRY;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -2122,14 +2114,14 @@ _kdc_as_rep(astgs_request_t r)
|
|||||||
b->etype.val, b->etype.len,
|
b->etype.val, b->etype.len,
|
||||||
NULL, &ckey, &default_salt);
|
NULL, &ckey, &default_salt);
|
||||||
if (ret2 == 0) {
|
if (ret2 == 0) {
|
||||||
ret2 = get_pa_etype_info_both(context, config, &b->etype,
|
ret2 = get_pa_etype_info_both(r->context, config, &b->etype,
|
||||||
&r->outpadata, ckey, !default_salt);
|
&r->outpadata, ckey, !default_salt);
|
||||||
if (ret2 != 0)
|
if (ret2 != 0)
|
||||||
ret = ret2;
|
ret = ret2;
|
||||||
}
|
}
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
kdc_log(context, config, 4,
|
kdc_log(r->context, config, 4,
|
||||||
"%s pre-authentication succeeded -- %s",
|
"%s pre-authentication succeeded -- %s",
|
||||||
pat[n].name, r->cname);
|
pat[n].name, r->cname);
|
||||||
found_pa = 1;
|
found_pa = 1;
|
||||||
@@ -2144,7 +2136,7 @@ _kdc_as_rep(astgs_request_t r)
|
|||||||
krb5_boolean default_salt;
|
krb5_boolean default_salt;
|
||||||
|
|
||||||
if (r->client->entry.flags.synthetic) {
|
if (r->client->entry.flags.synthetic) {
|
||||||
kdc_log(context, config, 4, "UNKNOWN -- %s", r->cname);
|
kdc_log(r->context, config, 4, "UNKNOWN -- %s", r->cname);
|
||||||
ret = HDB_ERR_NOENTRY;
|
ret = HDB_ERR_NOENTRY;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -2152,7 +2144,7 @@ _kdc_as_rep(astgs_request_t r)
|
|||||||
for (n = 0; n < sizeof(pat) / sizeof(pat[0]); n++) {
|
for (n = 0; n < sizeof(pat) / sizeof(pat[0]); n++) {
|
||||||
if ((pat[n].flags & PA_ANNOUNCE) == 0)
|
if ((pat[n].flags & PA_ANNOUNCE) == 0)
|
||||||
continue;
|
continue;
|
||||||
ret = krb5_padata_add(context, &r->outpadata,
|
ret = krb5_padata_add(r->context, &r->outpadata,
|
||||||
pat[n].type, NULL, 0);
|
pat[n].type, NULL, 0);
|
||||||
if (ret)
|
if (ret)
|
||||||
goto out;
|
goto out;
|
||||||
@@ -2165,7 +2157,7 @@ _kdc_as_rep(astgs_request_t r)
|
|||||||
b->etype.val, b->etype.len,
|
b->etype.val, b->etype.len,
|
||||||
NULL, &ckey, &default_salt);
|
NULL, &ckey, &default_salt);
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
ret = get_pa_etype_info_both(context, config, &b->etype,
|
ret = get_pa_etype_info_both(r->context, config, &b->etype,
|
||||||
&r->outpadata, ckey, !default_salt);
|
&r->outpadata, ckey, !default_salt);
|
||||||
if (ret)
|
if (ret)
|
||||||
goto out;
|
goto out;
|
||||||
@@ -2193,7 +2185,7 @@ _kdc_as_rep(astgs_request_t r)
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (r->clientdb->hdb_auth_status) {
|
if (r->clientdb->hdb_auth_status) {
|
||||||
r->clientdb->hdb_auth_status(context, r->clientdb, r->client,
|
r->clientdb->hdb_auth_status(r->context, r->clientdb, r->client,
|
||||||
HDB_AUTH_SUCCESS);
|
HDB_AUTH_SUCCESS);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -2221,7 +2213,7 @@ _kdc_as_rep(astgs_request_t r)
|
|||||||
* the client since the client never needs to read that data.
|
* the client since the client never needs to read that data.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
ret = _kdc_get_preferred_key(context, config,
|
ret = _kdc_get_preferred_key(r->context, config,
|
||||||
r->server, r->sname,
|
r->server, r->sname,
|
||||||
&setype, &skey);
|
&setype, &skey);
|
||||||
if(ret)
|
if(ret)
|
||||||
@@ -2231,12 +2223,12 @@ _kdc_as_rep(astgs_request_t r)
|
|||||||
if (is_tgs) {
|
if (is_tgs) {
|
||||||
krbtgt_key = skey;
|
krbtgt_key = skey;
|
||||||
} else {
|
} else {
|
||||||
ret = get_local_tgs(context, config, r->server_princ->realm,
|
ret = get_local_tgs(r->context, config, r->server_princ->realm,
|
||||||
&krbtgt);
|
&krbtgt);
|
||||||
if (ret)
|
if (ret)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
ret = _kdc_get_preferred_key(context, config, krbtgt,
|
ret = _kdc_get_preferred_key(r->context, config, krbtgt,
|
||||||
r->server_princ->realm,
|
r->server_princ->realm,
|
||||||
NULL, &krbtgt_key);
|
NULL, &krbtgt_key);
|
||||||
if (ret)
|
if (ret)
|
||||||
@@ -2257,7 +2249,7 @@ _kdc_as_rep(astgs_request_t r)
|
|||||||
rep.msg_type = krb_as_rep;
|
rep.msg_type = krb_as_rep;
|
||||||
|
|
||||||
if (!config->historical_anon_realm &&
|
if (!config->historical_anon_realm &&
|
||||||
_kdc_is_anonymous(context, r->client_princ)) {
|
_kdc_is_anonymous(r->context, r->client_princ)) {
|
||||||
Realm anon_realm = KRB5_ANON_REALM;
|
Realm anon_realm = KRB5_ANON_REALM;
|
||||||
ret = copy_Realm(&anon_realm, &rep.crealm);
|
ret = copy_Realm(&anon_realm, &rep.crealm);
|
||||||
} else if (f.canonicalize || r->client->entry.flags.force_canonicalize)
|
} else if (f.canonicalize || r->client->entry.flags.force_canonicalize)
|
||||||
@@ -2478,7 +2470,7 @@ _kdc_as_rep(astgs_request_t r)
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
if (r->session_key.keytype == ETYPE_NULL) {
|
if (r->session_key.keytype == ETYPE_NULL) {
|
||||||
ret = krb5_generate_random_keyblock(context, r->sessionetype, &r->session_key);
|
ret = krb5_generate_random_keyblock(r->context, r->sessionetype, &r->session_key);
|
||||||
if (ret)
|
if (ret)
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -2510,7 +2502,7 @@ _kdc_as_rep(astgs_request_t r)
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Add the PAC */
|
/* Add the PAC */
|
||||||
if (send_pac_p(context, req) && !r->et.flags.anonymous) {
|
if (send_pac_p(r->context, req) && !r->et.flags.anonymous) {
|
||||||
generate_pac(r, skey, krbtgt_key);
|
generate_pac(r, skey, krbtgt_key);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -2555,7 +2547,7 @@ _kdc_as_rep(astgs_request_t r)
|
|||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
|
|
||||||
ret = _kdc_encode_reply(context, config,
|
ret = _kdc_encode_reply(r->context, config,
|
||||||
r, req->req_body.nonce,
|
r, req->req_body.nonce,
|
||||||
&rep, &r->et, &r->ek, setype,
|
&rep, &r->et, &r->ek, setype,
|
||||||
r->server->entry.kvno, &skey->key,
|
r->server->entry.kvno, &skey->key,
|
||||||
@@ -2597,19 +2589,19 @@ out:
if (r->outpadata.len)
if (r->outpadata.len)
free_METHOD_DATA(&r->outpadata);
free_METHOD_DATA(&r->outpadata);
if (r->client_princ) {
if (r->client_princ) {
krb5_free_principal(context, r->client_princ);
krb5_free_principal(r->context, r->client_princ);
r->client_princ = NULL;
r->client_princ = NULL;
}
}
if (r->server_princ){
if (r->server_princ){
krb5_free_principal(context, r->server_princ);
krb5_free_principal(r->context, r->server_princ);
r->server_princ = NULL;
r->server_princ = NULL;
}
}
if (r->client)
if (r->client)
_kdc_free_ent(context, r->client);
_kdc_free_ent(r->context, r->client);
if (r->server)
if (r->server)
_kdc_free_ent(context, r->server);
_kdc_free_ent(r->context, r->server);
if (krbtgt)
if (krbtgt)
_kdc_free_ent(context, krbtgt);
_kdc_free_ent(r->context, krbtgt);
if (r->armor_crypto) {
if (r->armor_crypto) {
krb5_crypto_destroy(r->context, r->armor_crypto);
krb5_crypto_destroy(r->context, r->armor_crypto);
r->armor_crypto = NULL;
r->armor_crypto = NULL;
149
kdc/krb5tgs.c
@@ -147,7 +147,6 @@ check_tgs_flags(astgs_request_t r, KDC_REQ_BODY *b,
krb5_const_principal tgt_name,
krb5_const_principal tgt_name,
const EncTicketPart *tgt, EncTicketPart *et)
const EncTicketPart *tgt, EncTicketPart *et)
{
{
krb5_context context = r->context;
KDCOptions f = b->kdc_options;
KDCOptions f = b->kdc_options;
if(f.validate){
if(f.validate){
@@ -227,7 +226,7 @@ check_tgs_flags(astgs_request_t r, KDC_REQ_BODY *b,
*et->starttime = *b->from;
*et->starttime = *b->from;
et->flags.postdated = 1;
et->flags.postdated = 1;
et->flags.invalid = 1;
et->flags.invalid = 1;
} else if (b->from && *b->from > kdc_time + context->max_skew) {
} else if (b->from && *b->from > kdc_time + r->context->max_skew) {
_kdc_audit_addreason((kdc_request_t)r,
_kdc_audit_addreason((kdc_request_t)r,
"Ticket cannot be postdated");
"Ticket cannot be postdated");
return KRB5KDC_ERR_CANNOT_POSTDATE;
return KRB5KDC_ERR_CANNOT_POSTDATE;
@@ -266,7 +265,7 @@ check_tgs_flags(astgs_request_t r, KDC_REQ_BODY *b,
* the anonymous principal and the anonymous ticket flag.
* the anonymous principal and the anonymous ticket flag.
*/
*/
if (tgt->flags.anonymous &&
if (tgt->flags.anonymous &&
!_kdc_is_anonymous(context, tgt_name)) {
!_kdc_is_anonymous(r->context, tgt_name)) {
_kdc_audit_addreason((kdc_request_t)r,
_kdc_audit_addreason((kdc_request_t)r,
"Anonymous ticket flag set without "
"Anonymous ticket flag set without "
"anonymous principal");
"anonymous principal");
@@ -922,7 +921,6 @@ tgs_parse_request(astgs_request_t r,
int **cusec,
int **cusec,
AuthorizationData **auth_data)
AuthorizationData **auth_data)
{
{
krb5_context context = r->context;
krb5_kdc_configuration *config = r->config;
krb5_kdc_configuration *config = r->config;
KDC_REQ_BODY *b = &r->req.req_body;
KDC_REQ_BODY *b = &r->req.req_body;
static char failed[] = "<unparse_name failed>";
static char failed[] = "<unparse_name failed>";
@@ -946,38 +944,38 @@ tgs_parse_request(astgs_request_t r,
*cusec = NULL;
*cusec = NULL;
memset(&ap_req, 0, sizeof(ap_req));
memset(&ap_req, 0, sizeof(ap_req));
ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
ret = krb5_decode_ap_req(r->context, &tgs_req->padata_value, &ap_req);
if(ret){
if(ret){
const char *msg = krb5_get_error_message(context, ret);
const char *msg = krb5_get_error_message(r->context, ret);
kdc_log(context, config, 4, "Failed to decode AP-REQ: %s", msg);
kdc_log(r->context, config, 4, "Failed to decode AP-REQ: %s", msg);
krb5_free_error_message(context, msg);
krb5_free_error_message(r->context, msg);
goto out;
goto out;
}
}
if(!get_krbtgt_realm(&ap_req.ticket.sname)){
if(!get_krbtgt_realm(&ap_req.ticket.sname)){
/* XXX check for ticket.sname == req.sname */
/* XXX check for ticket.sname == req.sname */
kdc_log(context, config, 4, "PA-DATA is not a ticket-granting ticket");
kdc_log(r->context, config, 4, "PA-DATA is not a ticket-granting ticket");
ret = KRB5KDC_ERR_POLICY; /* ? */
ret = KRB5KDC_ERR_POLICY; /* ? */
goto out;
goto out;
}
}
_krb5_principalname2krb5_principal(context,
_krb5_principalname2krb5_principal(r->context,
&princ,
&princ,
ap_req.ticket.sname,
ap_req.ticket.sname,
ap_req.ticket.realm);
ap_req.ticket.realm);
krbtgt_kvno = ap_req.ticket.enc_part.kvno ? *ap_req.ticket.enc_part.kvno : 0;
krbtgt_kvno = ap_req.ticket.enc_part.kvno ? *ap_req.ticket.enc_part.kvno : 0;
ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT,
ret = _kdc_db_fetch(r->context, config, princ, HDB_F_GET_KRBTGT,
&krbtgt_kvno, NULL, krbtgt);
&krbtgt_kvno, NULL, krbtgt);
if (ret == HDB_ERR_NOT_FOUND_HERE) {
if (ret == HDB_ERR_NOT_FOUND_HERE) {
/* XXX Factor out this unparsing of the same princ all over */
/* XXX Factor out this unparsing of the same princ all over */
char *p;
char *p;
ret = krb5_unparse_name(context, princ, &p);
ret = krb5_unparse_name(r->context, princ, &p);
if (ret != 0)
if (ret != 0)
p = failed;
p = failed;
krb5_free_principal(context, princ);
krb5_free_principal(r->context, princ);
kdc_log(context, config, 5,
kdc_log(r->context, config, 5,
"Ticket-granting ticket account %s does not have secrets at "
"Ticket-granting ticket account %s does not have secrets at "
"this KDC, need to proxy", p);
"this KDC, need to proxy", p);
if (ret == 0)
if (ret == 0)
@@ -986,11 +984,11 @@ tgs_parse_request(astgs_request_t r,
goto out;
goto out;
} else if (ret == HDB_ERR_KVNO_NOT_FOUND) {
} else if (ret == HDB_ERR_KVNO_NOT_FOUND) {
char *p;
char *p;
ret = krb5_unparse_name(context, princ, &p);
ret = krb5_unparse_name(r->context, princ, &p);
if (ret != 0)
if (ret != 0)
p = failed;
p = failed;
krb5_free_principal(context, princ);
krb5_free_principal(r->context, princ);
kdc_log(context, config, 5,
kdc_log(r->context, config, 5,
"Ticket-granting ticket account %s does not have keys for "
"Ticket-granting ticket account %s does not have keys for "
"kvno %d at this KDC", p, krbtgt_kvno);
"kvno %d at this KDC", p, krbtgt_kvno);
if (ret == 0)
if (ret == 0)
@@ -999,11 +997,11 @@ tgs_parse_request(astgs_request_t r,
goto out;
goto out;
} else if (ret == HDB_ERR_NO_MKEY) {
} else if (ret == HDB_ERR_NO_MKEY) {
char *p;
char *p;
ret = krb5_unparse_name(context, princ, &p);
ret = krb5_unparse_name(r->context, princ, &p);
if (ret != 0)
if (ret != 0)
p = failed;
p = failed;
krb5_free_principal(context, princ);
krb5_free_principal(r->context, princ);
kdc_log(context, config, 5,
kdc_log(r->context, config, 5,
"Missing master key for decrypting keys for ticket-granting "
"Missing master key for decrypting keys for ticket-granting "
"ticket account %s with kvno %d at this KDC", p, krbtgt_kvno);
"ticket account %s with kvno %d at this KDC", p, krbtgt_kvno);
if (ret == 0)
if (ret == 0)
@@ -1011,15 +1009,15 @@ tgs_parse_request(astgs_request_t r,
ret = HDB_ERR_KVNO_NOT_FOUND;
ret = HDB_ERR_KVNO_NOT_FOUND;
goto out;
goto out;
} else if (ret) {
} else if (ret) {
const char *msg = krb5_get_error_message(context, ret);
const char *msg = krb5_get_error_message(r->context, ret);
char *p;
char *p;
ret = krb5_unparse_name(context, princ, &p);
ret = krb5_unparse_name(r->context, princ, &p);
if (ret != 0)
if (ret != 0)
p = failed;
p = failed;
kdc_log(context, config, 4,
kdc_log(r->context, config, 4,
"Ticket-granting ticket %s not found in database: %s", p, msg);
"Ticket-granting ticket %s not found in database: %s", p, msg);
krb5_free_principal(context, princ);
krb5_free_principal(r->context, princ);
krb5_free_error_message(context, msg);
krb5_free_error_message(r->context, msg);
if (ret == 0)
if (ret == 0)
free(p);
free(p);
ret = KRB5KRB_AP_ERR_NOT_US;
ret = KRB5KRB_AP_ERR_NOT_US;
@@ -1030,8 +1028,8 @@ tgs_parse_request(astgs_request_t r,
*krbtgt_etype = ap_req.ticket.enc_part.etype;
*krbtgt_etype = ap_req.ticket.enc_part.etype;
next_kvno:
next_kvno:
krbtgt_keys = hdb_kvno2keys(context, &(*krbtgt)->entry, krbtgt_kvno_try);
krbtgt_keys = hdb_kvno2keys(r->context, &(*krbtgt)->entry, krbtgt_kvno_try);
ret = hdb_enctype2key(context, &(*krbtgt)->entry, krbtgt_keys,
ret = hdb_enctype2key(r->context, &(*krbtgt)->entry, krbtgt_keys,
ap_req.ticket.enc_part.etype, &tkey);
ap_req.ticket.enc_part.etype, &tkey);
if (ret && krbtgt_kvno == 0 && kvno_search_tries > 0) {
if (ret && krbtgt_kvno == 0 && kvno_search_tries > 0) {
kvno_search_tries--;
kvno_search_tries--;
@@ -1040,9 +1038,9 @@ next_kvno:
} else if (ret) {
} else if (ret) {
char *str = NULL, *p = NULL;
char *str = NULL, *p = NULL;
krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
krb5_enctype_to_string(r->context, ap_req.ticket.enc_part.etype, &str);
krb5_unparse_name(context, princ, &p);
krb5_unparse_name(r->context, princ, &p);
kdc_log(context, config, 4,
kdc_log(r->context, config, 4,
"No server key with enctype %s found for %s",
"No server key with enctype %s found for %s",
str ? str : "<unknown enctype>",
str ? str : "<unknown enctype>",
p ? p : "<unparse_name failed>");
p ? p : "<unparse_name failed>");
@@ -1058,7 +1056,7 @@ next_kvno:
if (r->config->warn_ticket_addresses)
if (r->config->warn_ticket_addresses)
verify_ap_req_flags |= KRB5_VERIFY_AP_REQ_IGNORE_ADDRS;
verify_ap_req_flags |= KRB5_VERIFY_AP_REQ_IGNORE_ADDRS;
ret = krb5_verify_ap_req2(context,
ret = krb5_verify_ap_req2(r->context,
&ac,
&ac,
&ap_req,
&ap_req,
princ,
princ,
@@ -1080,11 +1078,11 @@ next_kvno:
goto next_kvno;
goto next_kvno;
}
}
krb5_free_principal(context, princ);
krb5_free_principal(r->context, princ);
if(ret) {
if(ret) {
const char *msg = krb5_get_error_message(context, ret);
const char *msg = krb5_get_error_message(r->context, ret);
kdc_log(context, config, 4, "Failed to verify AP-REQ: %s", msg);
kdc_log(r->context, config, 4, "Failed to verify AP-REQ: %s", msg);
krb5_free_error_message(context, msg);
krb5_free_error_message(r->context, msg);
goto out;
goto out;
}
}
@@ -1093,64 +1091,64 @@ next_kvno:
{
{
krb5_authenticator auth;
krb5_authenticator auth;
ret = krb5_auth_con_getauthenticator(context, ac, &auth);
ret = krb5_auth_con_getauthenticator(r->context, ac, &auth);
if (ret == 0) {
if (ret == 0) {
*csec = malloc(sizeof(**csec));
*csec = malloc(sizeof(**csec));
if (*csec == NULL) {
if (*csec == NULL) {
krb5_free_authenticator(context, &auth);
krb5_free_authenticator(r->context, &auth);
kdc_log(context, config, 4, "malloc failed");
kdc_log(r->context, config, 4, "malloc failed");
goto out;
goto out;
}
}
**csec = auth->ctime;
**csec = auth->ctime;
*cusec = malloc(sizeof(**cusec));
*cusec = malloc(sizeof(**cusec));
if (*cusec == NULL) {
if (*cusec == NULL) {
krb5_free_authenticator(context, &auth);
krb5_free_authenticator(r->context, &auth);
kdc_log(context, config, 4, "malloc failed");
kdc_log(r->context, config, 4, "malloc failed");
goto out;
goto out;
}
}
**cusec = auth->cusec;
**cusec = auth->cusec;
ret = validate_fast_ad(r, auth->authorization_data);
ret = validate_fast_ad(r, auth->authorization_data);
krb5_free_authenticator(context, &auth);
krb5_free_authenticator(r->context, &auth);
if (ret)
if (ret)
goto out;
goto out;
}
}
}
}
ret = tgs_check_authenticator(context, config,
ret = tgs_check_authenticator(r->context, config,
ac, b, e_text, &(*ticket)->ticket.key);
ac, b, e_text, &(*ticket)->ticket.key);
if (ret) {
if (ret) {
krb5_auth_con_free(context, ac);
krb5_auth_con_free(r->context, ac);
goto out;
goto out;
}
}
usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
r->rk_is_subkey = 1;
r->rk_is_subkey = 1;
ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
ret = krb5_auth_con_getremotesubkey(r->context, ac, &subkey);
if(ret){
if(ret){
const char *msg = krb5_get_error_message(context, ret);
const char *msg = krb5_get_error_message(r->context, ret);
krb5_auth_con_free(context, ac);
krb5_auth_con_free(r->context, ac);
kdc_log(context, config, 4, "Failed to get remote subkey: %s", msg);
kdc_log(r->context, config, 4, "Failed to get remote subkey: %s", msg);
krb5_free_error_message(context, msg);
krb5_free_error_message(r->context, msg);
goto out;
goto out;
}
}
if(subkey == NULL){
if(subkey == NULL){
usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
r->rk_is_subkey = 0;
r->rk_is_subkey = 0;
ret = krb5_auth_con_getkey(context, ac, &subkey);
ret = krb5_auth_con_getkey(r->context, ac, &subkey);
if(ret) {
if(ret) {
const char *msg = krb5_get_error_message(context, ret);
const char *msg = krb5_get_error_message(r->context, ret);
krb5_auth_con_free(context, ac);
krb5_auth_con_free(r->context, ac);
kdc_log(context, config, 4, "Failed to get session key: %s", msg);
kdc_log(r->context, config, 4, "Failed to get session key: %s", msg);
krb5_free_error_message(context, msg);
krb5_free_error_message(r->context, msg);
goto out;
goto out;
}
}
}
}
if(subkey == NULL){
if(subkey == NULL){
krb5_auth_con_free(context, ac);
krb5_auth_con_free(r->context, ac);
kdc_log(context, config, 4,
kdc_log(r->context, config, 4,
"Failed to get key for enc-authorization-data");
"Failed to get key for enc-authorization-data");
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
goto out;
goto out;
@@ -1165,39 +1163,39 @@ next_kvno:
if (b->enc_authorization_data) {
if (b->enc_authorization_data) {
krb5_data ad;
krb5_data ad;
ret = krb5_crypto_init(context, &r->reply_key, 0, &crypto);
ret = krb5_crypto_init(r->context, &r->reply_key, 0, &crypto);
if (ret) {
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
const char *msg = krb5_get_error_message(r->context, ret);
krb5_auth_con_free(context, ac);
krb5_auth_con_free(r->context, ac);
kdc_log(context, config, 4, "krb5_crypto_init failed: %s", msg);
kdc_log(r->context, config, 4, "krb5_crypto_init failed: %s", msg);
krb5_free_error_message(context, msg);
krb5_free_error_message(r->context, msg);
goto out;
goto out;
}
}
ret = krb5_decrypt_EncryptedData (context,
ret = krb5_decrypt_EncryptedData (r->context,
crypto,
crypto,
usage,
usage,
b->enc_authorization_data,
b->enc_authorization_data,
&ad);
&ad);
krb5_crypto_destroy(context, crypto);
krb5_crypto_destroy(r->context, crypto);
if(ret){
if(ret){
krb5_auth_con_free(context, ac);
krb5_auth_con_free(r->context, ac);
kdc_log(context, config, 4,
kdc_log(r->context, config, 4,
"Failed to decrypt enc-authorization-data");
"Failed to decrypt enc-authorization-data");
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
goto out;
goto out;
}
}
ALLOC(*auth_data);
ALLOC(*auth_data);
if (*auth_data == NULL) {
if (*auth_data == NULL) {
krb5_auth_con_free(context, ac);
krb5_auth_con_free(r->context, ac);
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
goto out;
goto out;
}
}
ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
if(ret){
if(ret){
krb5_auth_con_free(context, ac);
krb5_auth_con_free(r->context, ac);
free(*auth_data);
free(*auth_data);
*auth_data = NULL;
*auth_data = NULL;
kdc_log(context, config, 4, "Failed to decode authorization data");
kdc_log(r->context, config, 4, "Failed to decode authorization data");
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
goto out;
goto out;
}
}
@@ -1216,7 +1214,7 @@ next_kvno:
if (ret)
if (ret)
goto out;
goto out;
krb5_auth_con_free(context, ac);
krb5_auth_con_free(r->context, ac);
out:
out:
free_AP_REQ(&ap_req);
free_AP_REQ(&ap_req);
@@ -2321,7 +2319,6 @@ out:
krb5_error_code
krb5_error_code
_kdc_tgs_rep(astgs_request_t r)
_kdc_tgs_rep(astgs_request_t r)
{
{
krb5_context context = r->context;
krb5_kdc_configuration *config = r->config;
krb5_kdc_configuration *config = r->config;
KDC_REQ *req = &r->req;
KDC_REQ *req = &r->req;
krb5_data *data = r->reply;
krb5_data *data = r->reply;
@@ -2343,7 +2340,7 @@ _kdc_tgs_rep(astgs_request_t r)
if(req->padata == NULL){
if(req->padata == NULL){
ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
kdc_log(context, config, 4,
kdc_log(r->context, config, 4,
"TGS-REQ from %s without PA-DATA", from);
"TGS-REQ from %s without PA-DATA", from);
goto out;
goto out;
}
}
@@ -2361,7 +2358,7 @@ _kdc_tgs_rep(astgs_request_t r)
if(tgs_req == NULL){
if(tgs_req == NULL){
ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
kdc_log(context, config, 4,
kdc_log(r->context, config, 4,
"TGS-REQ from %s without PA-TGS-REQ", from);
"TGS-REQ from %s without PA-TGS-REQ", from);
goto out;
goto out;
}
}
@@ -2378,7 +2375,7 @@ _kdc_tgs_rep(astgs_request_t r)
goto out;
goto out;
}
}
if (ret) {
if (ret) {
kdc_log(context, config, 4,
kdc_log(r->context, config, 4,
"Failed parsing TGS-REQ from %s", from);
"Failed parsing TGS-REQ from %s", from);
goto out;
goto out;
}
}
@@ -2395,7 +2392,7 @@ _kdc_tgs_rep(astgs_request_t r)
&auth_data,
&auth_data,
from_addr);
from_addr);
if (ret) {
if (ret) {
kdc_log(context, config, 4,
kdc_log(r->context, config, 4,
"Failed building TGS-REP to %s", from);
"Failed building TGS-REP to %s", from);
goto out;
goto out;
}
}
@@ -2411,7 +2408,7 @@ out:
if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){
if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){
METHOD_DATA error_method = { 0, NULL };
METHOD_DATA error_method = { 0, NULL };
kdc_log(context, config, 5, "tgs-req: sending error: %d to client", ret);
kdc_log(r->context, config, 5, "tgs-req: sending error: %d to client", ret);
ret = _kdc_fast_mk_error(r,
ret = _kdc_fast_mk_error(r,
&error_method,
&error_method,
r->armor_crypto,
r->armor_crypto,
@@ -2430,9 +2427,9 @@ out:
krb5_free_keyblock_contents(r->context, &r->strengthen_key);
krb5_free_keyblock_contents(r->context, &r->strengthen_key);
if (ticket)
if (ticket)
krb5_free_ticket(context, ticket);
krb5_free_ticket(r->context, ticket);
if(krbtgt)
if(krbtgt)
_kdc_free_ent(context, krbtgt);
_kdc_free_ent(r->context, krbtgt);
_kdc_free_fast_state(&r->fast);
_kdc_free_fast_state(&r->fast);
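Review bot: In the `@@ -1093,64 +1091,64 @@` hunk of tgs_parse_request, both malloc-failure branches (`if (*csec == NULL)` and `if (*cusec == NULL)`) jump to `out` while `ret` is still 0 from the preceding `krb5_auth_con_getauthenticator`, so the failure is logged as "malloc failed" yet the caller presumably sees success with a NULL `*csec` or `*cusec`; they also skip the `krb5_auth_con_free(r->context, ac)` that every other error path in this hunk performs before `goto out`. The commit only swaps `context` for `r->context` on these lines and leaves the error handling as it was. Set an error code and release the auth context in both branches, e.g. `krb5_auth_con_free(r->context, ac);` followed by `ret = krb5_enomem(r->context);` before the existing `goto out;`. The body of tgs_parse_request begins before this hunk and the `out:` label sits in a later hunk, so what `out` returns is inferred rather than visible here.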
150
kdc/pkinit.c
@@ -1131,7 +1131,6 @@ pk_mk_pa_reply_dh(krb5_context context,
krb5_error_code
krb5_error_code
_kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
_kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
{
{
krb5_context context = r->context;
krb5_kdc_configuration *config = r->config;
krb5_kdc_configuration *config = r->config;
krb5_enctype sessionetype = r->sessionetype;
krb5_enctype sessionetype = r->sessionetype;
const KDC_REQ *req = &r->req;
const KDC_REQ *req = &r->req;
@@ -1148,17 +1147,17 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
size_t i;
size_t i;
if (!config->enable_pkinit) {
if (!config->enable_pkinit) {
krb5_clear_error_message(context);
krb5_clear_error_message(r->context);
return 0;
return 0;
}
}
if (req->req_body.etype.len > 0) {
if (req->req_body.etype.len > 0) {
for (i = 0; i < req->req_body.etype.len; i++)
for (i = 0; i < req->req_body.etype.len; i++)
if (krb5_enctype_valid(context, req->req_body.etype.val[i]) == 0)
if (krb5_enctype_valid(r->context, req->req_body.etype.val[i]) == 0)
break;
break;
if (req->req_body.etype.len <= i) {
if (req->req_body.etype.len <= i) {
ret = KRB5KRB_ERR_GENERIC;
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
krb5_set_error_message(r->context, ret,
"No valid enctype available from client");
"No valid enctype available from client");
goto out;
goto out;
}
}
@@ -1181,13 +1180,13 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
rep.element = choice_PA_PK_AS_REP_encKeyPack;
rep.element = choice_PA_PK_AS_REP_encKeyPack;
ret = krb5_generate_random_keyblock(context, enctype,
ret = krb5_generate_random_keyblock(r->context, enctype,
&cp->reply_key);
&cp->reply_key);
if (ret) {
if (ret) {
free_PA_PK_AS_REP(&rep);
free_PA_PK_AS_REP(&rep);
goto out;
goto out;
}
}
ret = pk_mk_pa_reply_enckey(context,
ret = pk_mk_pa_reply_enckey(r->context,
config,
config,
cp,
cp,
req,
req,
@@ -1204,15 +1203,15 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
ret);
ret);
free_ContentInfo(&info);
free_ContentInfo(&info);
if (ret) {
if (ret) {
krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
krb5_set_error_message(r->context, ret, "encoding of Key ContentInfo "
"failed %d", ret);
"failed %d", ret);
free_PA_PK_AS_REP(&rep);
free_PA_PK_AS_REP(&rep);
goto out;
goto out;
}
}
if (rep.u.encKeyPack.length != size)
if (rep.u.encKeyPack.length != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
krb5_abortx(r->context, "Internal ASN.1 encoder error");
ret = krb5_generate_random_keyblock(context, sessionetype,
ret = krb5_generate_random_keyblock(r->context, sessionetype,
sessionkey);
sessionkey);
if (ret) {
if (ret) {
free_PA_PK_AS_REP(&rep);
free_PA_PK_AS_REP(&rep);
@@ -1225,7 +1224,7 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
switch (cp->keyex) {
switch (cp->keyex) {
case USE_DH: type = "dh"; break;
case USE_DH: type = "dh"; break;
case USE_ECDH: type = "ecdh"; break;
case USE_ECDH: type = "ecdh"; break;
default: krb5_abortx(context, "unknown keyex"); break;
default: krb5_abortx(r->context, "unknown keyex"); break;
}
}
if (cp->dh_group_name)
if (cp->dh_group_name)
@@ -1233,17 +1232,17 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
rep.element = choice_PA_PK_AS_REP_dhInfo;
rep.element = choice_PA_PK_AS_REP_dhInfo;
ret = generate_dh_keyblock(context, cp, enctype);
ret = generate_dh_keyblock(r->context, cp, enctype);
if (ret)
if (ret)
return ret;
return ret;
ret = pk_mk_pa_reply_dh(context, config,
ret = pk_mk_pa_reply_dh(r->context, config,
cp,
cp,
&info,
&info,
&kdc_cert);
&kdc_cert);
if (ret) {
if (ret) {
free_PA_PK_AS_REP(&rep);
free_PA_PK_AS_REP(&rep);
krb5_set_error_message(context, ret,
krb5_set_error_message(r->context, ret,
"create pa-reply-dh "
"create pa-reply-dh "
"failed %d", ret);
"failed %d", ret);
goto out;
goto out;
@@ -1254,14 +1253,14 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
ret);
ret);
free_ContentInfo(&info);
free_ContentInfo(&info);
if (ret) {
if (ret) {
krb5_set_error_message(context, ret,
krb5_set_error_message(r->context, ret,
"encoding of Key ContentInfo "
"encoding of Key ContentInfo "
"failed %d", ret);
"failed %d", ret);
free_PA_PK_AS_REP(&rep);
free_PA_PK_AS_REP(&rep);
goto out;
goto out;
}
}
if (rep.u.encKeyPack.length != size)
if (rep.u.encKeyPack.length != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
krb5_abortx(r->context, "Internal ASN.1 encoder error");
/* generate the session key using the method from RFC6112 */
/* generate the session key using the method from RFC6112 */
{
{
@@ -1276,49 +1275,49 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
void *kxdata;
void *kxdata;
size_t kxlen;
size_t kxlen;
ret = krb5_generate_random_keyblock(context, sessionetype,
ret = krb5_generate_random_keyblock(r->context, sessionetype,
&kdc_contribution_key);
&kdc_contribution_key);
if (ret) {
if (ret) {
free_PA_PK_AS_REP(&rep);
free_PA_PK_AS_REP(&rep);
goto out;
goto out;
}
}
ret = krb5_crypto_init(context, &cp->reply_key, enctype, &reply_crypto);
ret = krb5_crypto_init(r->context, &cp->reply_key, enctype, &reply_crypto);
if (ret) {
if (ret) {
krb5_free_keyblock_contents(context, &kdc_contribution_key);
krb5_free_keyblock_contents(r->context, &kdc_contribution_key);
free_PA_PK_AS_REP(&rep);
free_PA_PK_AS_REP(&rep);
goto out;
goto out;
}
}
ret = krb5_crypto_init(context, &kdc_contribution_key, sessionetype, &kdccont_crypto);
ret = krb5_crypto_init(r->context, &kdc_contribution_key, sessionetype, &kdccont_crypto);
if (ret) {
if (ret) {
krb5_crypto_destroy(context, reply_crypto);
krb5_crypto_destroy(r->context, reply_crypto);
krb5_free_keyblock_contents(context, &kdc_contribution_key);
krb5_free_keyblock_contents(r->context, &kdc_contribution_key);
free_PA_PK_AS_REP(&rep);
free_PA_PK_AS_REP(&rep);
goto out;
goto out;
}
}
/* KRB-FX-CF2 */
/* KRB-FX-CF2 */
ret = krb5_crypto_fx_cf2(context, kdccont_crypto, reply_crypto,
ret = krb5_crypto_fx_cf2(r->context, kdccont_crypto, reply_crypto,
&p1, &p2, sessionetype, sessionkey);
&p1, &p2, sessionetype, sessionkey);
krb5_crypto_destroy(context, kdccont_crypto);
krb5_crypto_destroy(r->context, kdccont_crypto);
if (ret) {
if (ret) {
krb5_crypto_destroy(context, reply_crypto);
krb5_crypto_destroy(r->context, reply_crypto);
krb5_free_keyblock_contents(context, &kdc_contribution_key);
krb5_free_keyblock_contents(r->context, &kdc_contribution_key);
free_PA_PK_AS_REP(&rep);
free_PA_PK_AS_REP(&rep);
goto out;
goto out;
}
}
ASN1_MALLOC_ENCODE(EncryptionKey, kckdata, kcklen,
ASN1_MALLOC_ENCODE(EncryptionKey, kckdata, kcklen,
&kdc_contribution_key, &size, ret);
&kdc_contribution_key, &size, ret);
krb5_free_keyblock_contents(context, &kdc_contribution_key);
krb5_free_keyblock_contents(r->context, &kdc_contribution_key);
if (ret) {
if (ret) {
krb5_set_error_message(context, ret, "encoding of PKINIT-KX Key failed %d", ret);
krb5_set_error_message(r->context, ret, "encoding of PKINIT-KX Key failed %d", ret);
krb5_crypto_destroy(context, reply_crypto);
krb5_crypto_destroy(r->context, reply_crypto);
free_PA_PK_AS_REP(&rep);
free_PA_PK_AS_REP(&rep);
goto out;
goto out;
}
}
if (kcklen != size)
if (kcklen != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
krb5_abortx(r->context, "Internal ASN.1 encoder error");
ret = krb5_encrypt_EncryptedData(context, reply_crypto, KRB5_KU_PA_PKINIT_KX,
ret = krb5_encrypt_EncryptedData(r->context, reply_crypto, KRB5_KU_PA_PKINIT_KX,
kckdata, kcklen, 0, &kx);
kckdata, kcklen, 0, &kx);
krb5_crypto_destroy(context, reply_crypto);
krb5_crypto_destroy(r->context, reply_crypto);
free(kckdata);
free(kckdata);
if (ret) {
if (ret) {
free_PA_PK_AS_REP(&rep);
free_PA_PK_AS_REP(&rep);
@@ -1328,17 +1327,17 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
&kx, &size, ret);
&kx, &size, ret);
free_EncryptedData(&kx);
free_EncryptedData(&kx);
if (ret) {
if (ret) {
krb5_set_error_message(context, ret,
krb5_set_error_message(r->context, ret,
"encoding of PKINIT-KX failed %d", ret);
"encoding of PKINIT-KX failed %d", ret);
free_PA_PK_AS_REP(&rep);
free_PA_PK_AS_REP(&rep);
goto out;
goto out;
}
}
if (kxlen != size)
if (kxlen != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
krb5_abortx(r->context, "Internal ASN.1 encoder error");
/* Add PA-PKINIT-KX */
/* Add PA-PKINIT-KX */
ret = krb5_padata_add(context, md, KRB5_PADATA_PKINIT_KX, kxdata, kxlen);
ret = krb5_padata_add(r->context, md, KRB5_PADATA_PKINIT_KX, kxdata, kxlen);
if (ret) {
if (ret) {
krb5_set_error_message(context, ret,
krb5_set_error_message(r->context, ret,
"Failed adding PKINIT-KX %d", ret);
"Failed adding PKINIT-KX %d", ret);
free(buf);
free(buf);
goto out;
goto out;
@@ -1364,14 +1363,14 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
|
|||||||
|
|
||||||
free_PA_PK_AS_REP(&rep);
|
free_PA_PK_AS_REP(&rep);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
krb5_set_error_message(context, ret,
|
krb5_set_error_message(r->context, ret,
|
||||||
"encode PA-PK-AS-REP failed %d", ret);
|
"encode PA-PK-AS-REP failed %d", ret);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
if (len != size)
|
if (len != size)
|
||||||
krb5_abortx(context, "Internal ASN.1 encoder error");
|
krb5_abortx(r->context, "Internal ASN.1 encoder error");
|
||||||
|
|
||||||
kdc_log(context, config, 0, "PKINIT using %s %s", type, other);
|
kdc_log(r->context, config, 0, "PKINIT using %s %s", type, other);
|
||||||
|
|
||||||
} else if (cp->type == PKINIT_WIN2K) {
|
} else if (cp->type == PKINIT_WIN2K) {
|
||||||
PA_PK_AS_REP_Win2k rep;
|
PA_PK_AS_REP_Win2k rep;
|
||||||
@@ -1379,7 +1378,7 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
|
|||||||
|
|
||||||
if (cp->keyex != USE_RSA) {
|
if (cp->keyex != USE_RSA) {
|
||||||
ret = KRB5KRB_ERR_GENERIC;
|
ret = KRB5KRB_ERR_GENERIC;
|
||||||
krb5_set_error_message(context, ret,
|
krb5_set_error_message(r->context, ret,
|
||||||
"Win2k PKINIT doesn't support DH");
|
"Win2k PKINIT doesn't support DH");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -1389,13 +1388,13 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
|
|||||||
pa_type = KRB5_PADATA_PK_AS_REP_19;
|
pa_type = KRB5_PADATA_PK_AS_REP_19;
|
||||||
rep.element = choice_PA_PK_AS_REP_Win2k_encKeyPack;
|
rep.element = choice_PA_PK_AS_REP_Win2k_encKeyPack;
|
||||||
|
|
||||||
ret = krb5_generate_random_keyblock(context, enctype,
|
ret = krb5_generate_random_keyblock(r->context, enctype,
|
||||||
&cp->reply_key);
|
&cp->reply_key);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
free_PA_PK_AS_REP_Win2k(&rep);
|
free_PA_PK_AS_REP_Win2k(&rep);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
ret = pk_mk_pa_reply_enckey(context,
|
ret = pk_mk_pa_reply_enckey(r->context,
|
||||||
config,
|
config,
|
||||||
cp,
|
cp,
|
||||||
req,
|
req,
|
||||||
@@ -1412,25 +1411,25 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
|
|||||||
ret);
|
ret);
|
||||||
free_ContentInfo(&info);
|
free_ContentInfo(&info);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
|
krb5_set_error_message(r->context, ret, "encoding of Key ContentInfo "
|
||||||
"failed %d", ret);
|
"failed %d", ret);
|
||||||
free_PA_PK_AS_REP_Win2k(&rep);
|
free_PA_PK_AS_REP_Win2k(&rep);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
if (rep.u.encKeyPack.length != size)
|
if (rep.u.encKeyPack.length != size)
|
||||||
krb5_abortx(context, "Internal ASN.1 encoder error");
|
krb5_abortx(r->context, "Internal ASN.1 encoder error");
|
||||||
|
|
||||||
ASN1_MALLOC_ENCODE(PA_PK_AS_REP_Win2k, buf, len, &rep, &size, ret);
|
ASN1_MALLOC_ENCODE(PA_PK_AS_REP_Win2k, buf, len, &rep, &size, ret);
|
||||||
free_PA_PK_AS_REP_Win2k(&rep);
|
free_PA_PK_AS_REP_Win2k(&rep);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
krb5_set_error_message(context, ret,
|
krb5_set_error_message(r->context, ret,
|
||||||
"encode PA-PK-AS-REP-Win2k failed %d", ret);
|
"encode PA-PK-AS-REP-Win2k failed %d", ret);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
if (len != size)
|
if (len != size)
|
||||||
krb5_abortx(context, "Internal ASN.1 encoder error");
|
krb5_abortx(r->context, "Internal ASN.1 encoder error");
|
||||||
|
|
||||||
ret = krb5_generate_random_keyblock(context, sessionetype,
|
ret = krb5_generate_random_keyblock(r->context, sessionetype,
|
||||||
sessionkey);
|
sessionkey);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
free(buf);
|
free(buf);
|
||||||
@@ -1438,12 +1437,12 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
|
|||||||
}
|
}
|
||||||
|
|
||||||
} else
|
} else
|
||||||
krb5_abortx(context, "PKINIT internal error");
|
krb5_abortx(r->context, "PKINIT internal error");
|
||||||
|
|
||||||
|
|
||||||
ret = krb5_padata_add(context, md, pa_type, buf, len);
|
ret = krb5_padata_add(r->context, md, pa_type, buf, len);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
krb5_set_error_message(context, ret,
|
krb5_set_error_message(r->context, ret,
|
||||||
"Failed adding PA-PK-AS-REP %d", ret);
|
"Failed adding PA-PK-AS-REP %d", ret);
|
||||||
free(buf);
|
free(buf);
|
||||||
goto out;
|
goto out;
|
||||||
@@ -1462,7 +1461,7 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
|
|||||||
|
|
||||||
fd = open(config->pkinit_kdc_ocsp_file, O_RDONLY);
|
fd = open(config->pkinit_kdc_ocsp_file, O_RDONLY);
|
||||||
if (fd < 0) {
|
if (fd < 0) {
|
||||||
kdc_log(context, config, 0,
|
kdc_log(r->context, config, 0,
|
||||||
"PKINIT failed to open ocsp data file %d", errno);
|
"PKINIT failed to open ocsp data file %d", errno);
|
||||||
goto out_ocsp;
|
goto out_ocsp;
|
||||||
}
|
}
|
||||||
@@ -1470,7 +1469,7 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
|
|||||||
if (ret) {
|
if (ret) {
|
||||||
ret = errno;
|
ret = errno;
|
||||||
close(fd);
|
close(fd);
|
||||||
kdc_log(context, config, 0,
|
kdc_log(r->context, config, 0,
|
||||||
"PKINIT failed to stat ocsp data %d", ret);
|
"PKINIT failed to stat ocsp data %d", ret);
|
||||||
goto out_ocsp;
|
goto out_ocsp;
|
||||||
}
|
}
|
||||||
@@ -1478,7 +1477,7 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
|
|||||||
ret = krb5_data_alloc(&ocsp.data, sb.st_size);
|
ret = krb5_data_alloc(&ocsp.data, sb.st_size);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
close(fd);
|
close(fd);
|
||||||
kdc_log(context, config, 0,
|
kdc_log(r->context, config, 0,
|
||||||
"PKINIT failed to stat ocsp data %d", ret);
|
"PKINIT failed to stat ocsp data %d", ret);
|
||||||
goto out_ocsp;
|
goto out_ocsp;
|
||||||
}
|
}
|
||||||
@@ -1486,19 +1485,19 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
|
|||||||
ret = read(fd, ocsp.data.data, sb.st_size);
|
ret = read(fd, ocsp.data.data, sb.st_size);
|
||||||
close(fd);
|
close(fd);
|
||||||
if (ret != sb.st_size) {
|
if (ret != sb.st_size) {
|
||||||
kdc_log(context, config, 0,
|
kdc_log(r->context, config, 0,
|
||||||
"PKINIT failed to read ocsp data %d", errno);
|
"PKINIT failed to read ocsp data %d", errno);
|
||||||
goto out_ocsp;
|
goto out_ocsp;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = hx509_ocsp_verify(context->hx509ctx,
|
ret = hx509_ocsp_verify(r->context->hx509ctx,
|
||||||
kdc_time,
|
kdc_time,
|
||||||
kdc_cert,
|
kdc_cert,
|
||||||
0,
|
0,
|
||||||
ocsp.data.data, ocsp.data.length,
|
ocsp.data.data, ocsp.data.length,
|
||||||
&ocsp.expire);
|
&ocsp.expire);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
kdc_log(context, config, 0,
|
kdc_log(r->context, config, 0,
|
||||||
"PKINIT failed to verify ocsp data %d", ret);
|
"PKINIT failed to verify ocsp data %d", ret);
|
||||||
krb5_data_free(&ocsp.data);
|
krb5_data_free(&ocsp.data);
|
||||||
ocsp.expire = 0;
|
ocsp.expire = 0;
|
||||||
@@ -1514,11 +1513,11 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
|
|||||||
|
|
||||||
if (ocsp.expire != 0 && ocsp.expire > kdc_time) {
|
if (ocsp.expire != 0 && ocsp.expire > kdc_time) {
|
||||||
|
|
||||||
ret = krb5_padata_add(context, md,
|
ret = krb5_padata_add(r->context, md,
|
||||||
KRB5_PADATA_PA_PK_OCSP_RESPONSE,
|
KRB5_PADATA_PA_PK_OCSP_RESPONSE,
|
||||||
ocsp.data.data, ocsp.data.length);
|
ocsp.data.data, ocsp.data.length);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
krb5_set_error_message(context, ret,
|
krb5_set_error_message(r->context, ret,
|
||||||
"Failed adding OCSP response %d", ret);
|
"Failed adding OCSP response %d", ret);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -1530,7 +1529,7 @@ out:
|
|||||||
hx509_cert_free(kdc_cert);
|
hx509_cert_free(kdc_cert);
|
||||||
|
|
||||||
if (ret == 0)
|
if (ret == 0)
|
||||||
ret = krb5_copy_keyblock_contents(context, &cp->reply_key, reply_key);
|
ret = krb5_copy_keyblock_contents(r->context, &cp->reply_key, reply_key);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1672,7 +1671,6 @@ _kdc_pk_check_client(astgs_request_t r,
|
|||||||
pk_client_params *cp,
|
pk_client_params *cp,
|
||||||
char **subject_name)
|
char **subject_name)
|
||||||
{
|
{
|
||||||
krb5_context context = r->context;
|
|
||||||
krb5_kdc_configuration *config = r->config;
|
krb5_kdc_configuration *config = r->config;
|
||||||
HDB *clientdb = r->clientdb;
|
HDB *clientdb = r->clientdb;
|
||||||
hdb_entry_ex *client = r->client;
|
hdb_entry_ex *client = r->client;
|
||||||
@@ -1683,7 +1681,7 @@ _kdc_pk_check_client(astgs_request_t r,
|
|||||||
size_t i;
|
size_t i;
|
||||||
|
|
||||||
if (cp->cert == NULL) {
|
if (cp->cert == NULL) {
|
||||||
if (!_kdc_is_anonymous(context, client->entry.principal)
|
if (!_kdc_is_anonymous(r->context, client->entry.principal)
|
||||||
&& !config->historical_anon_realm)
|
&& !config->historical_anon_realm)
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
|
|
||||||
@@ -1697,7 +1695,7 @@ _kdc_pk_check_client(astgs_request_t r,
|
|||||||
cp->max_life = 0;
|
cp->max_life = 0;
|
||||||
if (config->pkinit_max_life_from_cert_extension)
|
if (config->pkinit_max_life_from_cert_extension)
|
||||||
cp->max_life =
|
cp->max_life =
|
||||||
hx509_cert_get_pkinit_max_life(context->hx509ctx, cp->cert,
|
hx509_cert_get_pkinit_max_life(r->context->hx509ctx, cp->cert,
|
||||||
config->pkinit_max_life_bound);
|
config->pkinit_max_life_bound);
|
||||||
if (cp->max_life == 0 && config->pkinit_max_life_from_cert > 0) {
|
if (cp->max_life == 0 && config->pkinit_max_life_from_cert > 0) {
|
||||||
cp->max_life = cp->endtime - hx509_cert_get_notBefore(cp->cert);
|
cp->max_life = cp->endtime - hx509_cert_get_notBefore(cp->cert);
|
||||||
@@ -1705,7 +1703,7 @@ _kdc_pk_check_client(astgs_request_t r,
|
|||||||
cp->max_life = config->pkinit_max_life_from_cert;
|
cp->max_life = config->pkinit_max_life_from_cert;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = hx509_cert_get_base_subject(context->hx509ctx,
|
ret = hx509_cert_get_base_subject(r->context->hx509ctx,
|
||||||
cp->cert,
|
cp->cert,
|
||||||
&name);
|
&name);
|
||||||
if (ret)
|
if (ret)
|
||||||
@@ -1716,7 +1714,7 @@ _kdc_pk_check_client(astgs_request_t r,
|
|||||||
if (ret)
|
if (ret)
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
kdc_log(context, config, 0,
|
kdc_log(r->context, config, 0,
|
||||||
"Trying to authorize PKINIT subject DN %s",
|
"Trying to authorize PKINIT subject DN %s",
|
||||||
*subject_name);
|
*subject_name);
|
||||||
|
|
||||||
@@ -1726,7 +1724,7 @@ _kdc_pk_check_client(astgs_request_t r,
|
|||||||
size_t j;
|
size_t j;
|
||||||
|
|
||||||
for (j = 0; j < pc->len; j++) {
|
for (j = 0; j < pc->len; j++) {
|
||||||
cert = hx509_cert_init_data(context->hx509ctx,
|
cert = hx509_cert_init_data(r->context->hx509ctx,
|
||||||
pc->val[j].cert.data,
|
pc->val[j].cert.data,
|
||||||
pc->val[j].cert.length,
|
pc->val[j].cert.length,
|
||||||
NULL);
|
NULL);
|
||||||
@@ -1735,7 +1733,7 @@ _kdc_pk_check_client(astgs_request_t r,
|
|||||||
ret = hx509_cert_cmp(cert, cp->cert);
|
ret = hx509_cert_cmp(cert, cp->cert);
|
||||||
hx509_cert_free(cert);
|
hx509_cert_free(cert);
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
kdc_log(context, config, 5,
|
kdc_log(r->context, config, 5,
|
||||||
"Found matching PKINIT cert in hdb");
|
"Found matching PKINIT cert in hdb");
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@@ -1744,22 +1742,22 @@ _kdc_pk_check_client(astgs_request_t r,
|
|||||||
|
|
||||||
|
|
||||||
if (config->pkinit_princ_in_cert) {
|
if (config->pkinit_princ_in_cert) {
|
||||||
ret = match_rfc_san(context, config,
|
ret = match_rfc_san(r->context, config,
|
||||||
context->hx509ctx,
|
r->context->hx509ctx,
|
||||||
cp->cert,
|
cp->cert,
|
||||||
client->entry.principal);
|
client->entry.principal);
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
kdc_log(context, config, 5,
|
kdc_log(r->context, config, 5,
|
||||||
"Found matching PKINIT SAN in certificate");
|
"Found matching PKINIT SAN in certificate");
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
ret = match_ms_upn_san(context, config,
|
ret = match_ms_upn_san(r->context, config,
|
||||||
context->hx509ctx,
|
r->context->hx509ctx,
|
||||||
cp->cert,
|
cp->cert,
|
||||||
clientdb,
|
clientdb,
|
||||||
client);
|
client);
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
kdc_log(context, config, 5,
|
kdc_log(r->context, config, 5,
|
||||||
"Found matching MS UPN SAN in certificate");
|
"Found matching MS UPN SAN in certificate");
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@@ -1781,7 +1779,7 @@ _kdc_pk_check_client(astgs_request_t r,
|
|||||||
if (acl->val[0].anchor)
|
if (acl->val[0].anchor)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
kdc_log(context, config, 5,
|
kdc_log(r->context, config, 5,
|
||||||
"Found matching PKINIT database ACL");
|
"Found matching PKINIT database ACL");
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@@ -1790,24 +1788,24 @@ _kdc_pk_check_client(astgs_request_t r,
|
|||||||
for (i = 0; i < principal_mappings.len; i++) {
|
for (i = 0; i < principal_mappings.len; i++) {
|
||||||
krb5_boolean b;
|
krb5_boolean b;
|
||||||
|
|
||||||
b = krb5_principal_compare(context,
|
b = krb5_principal_compare(r->context,
|
||||||
client->entry.principal,
|
client->entry.principal,
|
||||||
principal_mappings.val[i].principal);
|
principal_mappings.val[i].principal);
|
||||||
if (b == FALSE)
|
if (b == FALSE)
|
||||||
continue;
|
continue;
|
||||||
if (strcmp(principal_mappings.val[i].subject, *subject_name) != 0)
|
if (strcmp(principal_mappings.val[i].subject, *subject_name) != 0)
|
||||||
continue;
|
continue;
|
||||||
kdc_log(context, config, 5,
|
kdc_log(r->context, config, 5,
|
||||||
"Found matching PKINIT FILE ACL");
|
"Found matching PKINIT FILE ACL");
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
|
ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
|
||||||
krb5_set_error_message(context, ret,
|
krb5_set_error_message(r->context, ret,
|
||||||
"PKINIT no matching principals for %s",
|
"PKINIT no matching principals for %s",
|
||||||
*subject_name);
|
*subject_name);
|
||||||
|
|
||||||
kdc_log(context, config, 5,
|
kdc_log(r->context, config, 5,
|
||||||
"PKINIT no matching principals for %s",
|
"PKINIT no matching principals for %s",
|
||||||
*subject_name);
|
*subject_name);
|
||||||
|
|
||||||
|
@@ -198,7 +198,6 @@ check(krb5_context context, const void *plug, void *plugctx, void *userctx)
|
|||||||
krb5_error_code
|
krb5_error_code
|
||||||
_kdc_check_access(astgs_request_t r, KDC_REQ *req, METHOD_DATA *method_data)
|
_kdc_check_access(astgs_request_t r, KDC_REQ *req, METHOD_DATA *method_data)
|
||||||
{
|
{
|
||||||
krb5_context context = r->context;
|
|
||||||
krb5_error_code ret = KRB5_PLUGIN_NO_HANDLE;
|
krb5_error_code ret = KRB5_PLUGIN_NO_HANDLE;
|
||||||
struct check_uc uc;
|
struct check_uc uc;
|
||||||
|
|
||||||
@@ -211,7 +210,7 @@ _kdc_check_access(astgs_request_t r, KDC_REQ *req, METHOD_DATA *method_data)
|
|||||||
uc.req = req;
|
uc.req = req;
|
||||||
uc.method_data = method_data;
|
uc.method_data = method_data;
|
||||||
|
|
||||||
ret = _krb5_plugin_run_f(context, &windc_plugin_data,
|
ret = _krb5_plugin_run_f(r->context, &windc_plugin_data,
|
||||||
0, &uc, check);
|
0, &uc, check);
|
||||||
}
|
}
|
||||||
|
|
||||||
|