use et, ek from r->
This commit is contained in:
Love Hornquist Astrand
committed by
Love Hörnquist Åstrand
Love Hörnquist Åstrand
parent
4d63c98125
commit
035afb17db
136
kdc/kerberos5.c
136
kdc/kerberos5.c
@@ -1558,8 +1558,6 @@ _kdc_as_rep(kdc_request_t r,
|
|||||||
AS_REP rep;
|
AS_REP rep;
|
||||||
KDCOptions f;
|
KDCOptions f;
|
||||||
krb5_enctype setype;
|
krb5_enctype setype;
|
||||||
EncTicketPart et;
|
|
||||||
EncKDCRepPart ek;
|
|
||||||
krb5_error_code ret = 0;
|
krb5_error_code ret = 0;
|
||||||
Key *ckey, *skey;
|
Key *ckey, *skey;
|
||||||
int found_pa = 0;
|
int found_pa = 0;
|
||||||
@@ -1568,8 +1566,6 @@ _kdc_as_rep(kdc_request_t r,
|
|||||||
const PA_DATA *pa;
|
const PA_DATA *pa;
|
||||||
|
|
||||||
memset(&rep, 0, sizeof(rep));
|
memset(&rep, 0, sizeof(rep));
|
||||||
memset(&et, 0, sizeof(et));
|
|
||||||
memset(&ek, 0, sizeof(ek));
|
|
||||||
error_method.len = 0;
|
error_method.len = 0;
|
||||||
error_method.val = NULL;
|
error_method.val = NULL;
|
||||||
|
|
||||||
@@ -1675,9 +1671,6 @@ _kdc_as_rep(kdc_request_t r,
|
|||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
memset(&et, 0, sizeof(et));
|
|
||||||
memset(&ek, 0, sizeof(ek));
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Select a session enctype from the list of the crypto system
|
* Select a session enctype from the list of the crypto system
|
||||||
* supported enctypes that is supported by the client and is one of
|
* supported enctypes that is supported by the client and is one of
|
||||||
@@ -1729,7 +1722,7 @@ _kdc_as_rep(kdc_request_t r,
|
|||||||
"%s pre-authentication succeeded -- %s",
|
"%s pre-authentication succeeded -- %s",
|
||||||
pat[n].name, r->client_name);
|
pat[n].name, r->client_name);
|
||||||
found_pa = 1;
|
found_pa = 1;
|
||||||
et.flags.pre_authent = 1;
|
r->et.flags.pre_authent = 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -1842,23 +1835,23 @@ _kdc_as_rep(kdc_request_t r,
|
|||||||
rep.ticket.sname.name_type = b->sname->name_type;
|
rep.ticket.sname.name_type = b->sname->name_type;
|
||||||
#undef CNT
|
#undef CNT
|
||||||
|
|
||||||
et.flags.initial = 1;
|
r->et.flags.initial = 1;
|
||||||
if(r->client->entry.flags.forwardable && r->server->entry.flags.forwardable)
|
if(r->client->entry.flags.forwardable && r->server->entry.flags.forwardable)
|
||||||
et.flags.forwardable = f.forwardable;
|
r->et.flags.forwardable = f.forwardable;
|
||||||
else if (f.forwardable) {
|
else if (f.forwardable) {
|
||||||
_kdc_set_e_text(r, "Ticket may not be forwardable");
|
_kdc_set_e_text(r, "Ticket may not be forwardable");
|
||||||
ret = KRB5KDC_ERR_POLICY;
|
ret = KRB5KDC_ERR_POLICY;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
if(r->client->entry.flags.proxiable && r->server->entry.flags.proxiable)
|
if(r->client->entry.flags.proxiable && r->server->entry.flags.proxiable)
|
||||||
et.flags.proxiable = f.proxiable;
|
r->et.flags.proxiable = f.proxiable;
|
||||||
else if (f.proxiable) {
|
else if (f.proxiable) {
|
||||||
_kdc_set_e_text(r, "Ticket may not be proxiable");
|
_kdc_set_e_text(r, "Ticket may not be proxiable");
|
||||||
ret = KRB5KDC_ERR_POLICY;
|
ret = KRB5KDC_ERR_POLICY;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
if(r->client->entry.flags.postdate && r->server->entry.flags.postdate)
|
if(r->client->entry.flags.postdate && r->server->entry.flags.postdate)
|
||||||
et.flags.may_postdate = f.allow_postdate;
|
r->et.flags.may_postdate = f.allow_postdate;
|
||||||
else if (f.allow_postdate){
|
else if (f.allow_postdate){
|
||||||
_kdc_set_e_text(r, "Ticket may not be postdate");
|
_kdc_set_e_text(r, "Ticket may not be postdate");
|
||||||
ret = KRB5KDC_ERR_POLICY;
|
ret = KRB5KDC_ERR_POLICY;
|
||||||
@@ -1872,10 +1865,10 @@ _kdc_as_rep(kdc_request_t r,
|
|||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = copy_PrincipalName(&rep.cname, &et.cname);
|
ret = copy_PrincipalName(&rep.cname, &r->et.cname);
|
||||||
if (ret)
|
if (ret)
|
||||||
goto out;
|
goto out;
|
||||||
ret = copy_Realm(&rep.crealm, &et.crealm);
|
ret = copy_Realm(&rep.crealm, &r->et.crealm);
|
||||||
if (ret)
|
if (ret)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
@@ -1883,13 +1876,13 @@ _kdc_as_rep(kdc_request_t r,
|
|||||||
time_t start;
|
time_t start;
|
||||||
time_t t;
|
time_t t;
|
||||||
|
|
||||||
start = et.authtime = kdc_time;
|
start = r->et.authtime = kdc_time;
|
||||||
|
|
||||||
if(f.postdated && req->req_body.from){
|
if(f.postdated && req->req_body.from){
|
||||||
ALLOC(et.starttime);
|
ALLOC(r->et.starttime);
|
||||||
start = *et.starttime = *req->req_body.from;
|
start = *r->et.starttime = *req->req_body.from;
|
||||||
et.flags.invalid = 1;
|
r->et.flags.invalid = 1;
|
||||||
et.flags.postdated = 1; /* XXX ??? */
|
r->et.flags.postdated = 1; /* XXX ??? */
|
||||||
}
|
}
|
||||||
_kdc_fix_time(&b->till);
|
_kdc_fix_time(&b->till);
|
||||||
t = *b->till;
|
t = *b->till;
|
||||||
@@ -1903,8 +1896,8 @@ _kdc_as_rep(kdc_request_t r,
|
|||||||
#if 0
|
#if 0
|
||||||
t = min(t, start + realm->max_life);
|
t = min(t, start + realm->max_life);
|
||||||
#endif
|
#endif
|
||||||
et.endtime = t;
|
r->et.endtime = t;
|
||||||
if(f.renewable_ok && et.endtime < *b->till){
|
if(f.renewable_ok && r->et.endtime < *b->till){
|
||||||
f.renewable = 1;
|
f.renewable = 1;
|
||||||
if(b->rtime == NULL){
|
if(b->rtime == NULL){
|
||||||
ALLOC(b->rtime);
|
ALLOC(b->rtime);
|
||||||
@@ -1924,22 +1917,22 @@ _kdc_as_rep(kdc_request_t r,
|
|||||||
#if 0
|
#if 0
|
||||||
t = min(t, start + realm->max_renew);
|
t = min(t, start + realm->max_renew);
|
||||||
#endif
|
#endif
|
||||||
ALLOC(et.renew_till);
|
ALLOC(r->et.renew_till);
|
||||||
*et.renew_till = t;
|
*r->et.renew_till = t;
|
||||||
et.flags.renewable = 1;
|
r->et.flags.renewable = 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (f.request_anonymous)
|
if (f.request_anonymous)
|
||||||
et.flags.anonymous = 1;
|
r->et.flags.anonymous = 1;
|
||||||
|
|
||||||
if(b->addresses){
|
if(b->addresses){
|
||||||
ALLOC(et.caddr);
|
ALLOC(r->et.caddr);
|
||||||
copy_HostAddresses(b->addresses, et.caddr);
|
copy_HostAddresses(b->addresses, r->et.caddr);
|
||||||
}
|
}
|
||||||
|
|
||||||
et.transited.tr_type = DOMAIN_X500_COMPRESS;
|
r->et.transited.tr_type = DOMAIN_X500_COMPRESS;
|
||||||
krb5_data_zero(&et.transited.contents);
|
krb5_data_zero(&r->et.transited.contents);
|
||||||
|
|
||||||
/* The MIT ASN.1 library (obviously) doesn't tell lengths encoded
|
/* The MIT ASN.1 library (obviously) doesn't tell lengths encoded
|
||||||
* as 0 and as 0x80 (meaning indefinite length) apart, and is thus
|
* as 0 and as 0x80 (meaning indefinite length) apart, and is thus
|
||||||
@@ -1950,58 +1943,58 @@ _kdc_as_rep(kdc_request_t r,
|
|||||||
* If there's a pw_end or valid_end we will use that,
|
* If there's a pw_end or valid_end we will use that,
|
||||||
* otherwise just a dummy lr.
|
* otherwise just a dummy lr.
|
||||||
*/
|
*/
|
||||||
ek.last_req.val = malloc(2 * sizeof(*ek.last_req.val));
|
r->ek.last_req.val = malloc(2 * sizeof(*r->ek.last_req.val));
|
||||||
if (ek.last_req.val == NULL) {
|
if (r->ek.last_req.val == NULL) {
|
||||||
ret = ENOMEM;
|
ret = ENOMEM;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
ek.last_req.len = 0;
|
r->ek.last_req.len = 0;
|
||||||
if (r->client->entry.pw_end
|
if (r->client->entry.pw_end
|
||||||
&& (config->kdc_warn_pwexpire == 0
|
&& (config->kdc_warn_pwexpire == 0
|
||||||
|| kdc_time + config->kdc_warn_pwexpire >= *r->client->entry.pw_end)) {
|
|| kdc_time + config->kdc_warn_pwexpire >= *r->client->entry.pw_end)) {
|
||||||
ek.last_req.val[ek.last_req.len].lr_type = LR_PW_EXPTIME;
|
r->ek.last_req.val[r->ek.last_req.len].lr_type = LR_PW_EXPTIME;
|
||||||
ek.last_req.val[ek.last_req.len].lr_value = *r->client->entry.pw_end;
|
r->ek.last_req.val[r->ek.last_req.len].lr_value = *r->client->entry.pw_end;
|
||||||
++ek.last_req.len;
|
++r->ek.last_req.len;
|
||||||
}
|
}
|
||||||
if (r->client->entry.valid_end) {
|
if (r->client->entry.valid_end) {
|
||||||
ek.last_req.val[ek.last_req.len].lr_type = LR_ACCT_EXPTIME;
|
r->ek.last_req.val[r->ek.last_req.len].lr_type = LR_ACCT_EXPTIME;
|
||||||
ek.last_req.val[ek.last_req.len].lr_value = *r->client->entry.valid_end;
|
r->ek.last_req.val[r->ek.last_req.len].lr_value = *r->client->entry.valid_end;
|
||||||
++ek.last_req.len;
|
++r->ek.last_req.len;
|
||||||
}
|
}
|
||||||
if (ek.last_req.len == 0) {
|
if (r->ek.last_req.len == 0) {
|
||||||
ek.last_req.val[ek.last_req.len].lr_type = LR_NONE;
|
r->ek.last_req.val[r->ek.last_req.len].lr_type = LR_NONE;
|
||||||
ek.last_req.val[ek.last_req.len].lr_value = 0;
|
r->ek.last_req.val[r->ek.last_req.len].lr_value = 0;
|
||||||
++ek.last_req.len;
|
++r->ek.last_req.len;
|
||||||
}
|
}
|
||||||
ek.nonce = b->nonce;
|
r->ek.nonce = b->nonce;
|
||||||
if (r->client->entry.valid_end || r->client->entry.pw_end) {
|
if (r->client->entry.valid_end || r->client->entry.pw_end) {
|
||||||
ALLOC(ek.key_expiration);
|
ALLOC(r->ek.key_expiration);
|
||||||
if (r->client->entry.valid_end) {
|
if (r->client->entry.valid_end) {
|
||||||
if (r->client->entry.pw_end)
|
if (r->client->entry.pw_end)
|
||||||
*ek.key_expiration = min(*r->client->entry.valid_end,
|
*r->ek.key_expiration = min(*r->client->entry.valid_end,
|
||||||
*r->client->entry.pw_end);
|
*r->client->entry.pw_end);
|
||||||
else
|
else
|
||||||
*ek.key_expiration = *r->client->entry.valid_end;
|
*r->ek.key_expiration = *r->client->entry.valid_end;
|
||||||
} else
|
} else
|
||||||
*ek.key_expiration = *r->client->entry.pw_end;
|
*r->ek.key_expiration = *r->client->entry.pw_end;
|
||||||
} else
|
} else
|
||||||
ek.key_expiration = NULL;
|
r->ek.key_expiration = NULL;
|
||||||
ek.flags = et.flags;
|
r->ek.flags = r->et.flags;
|
||||||
ek.authtime = et.authtime;
|
r->ek.authtime = r->et.authtime;
|
||||||
if (et.starttime) {
|
if (r->et.starttime) {
|
||||||
ALLOC(ek.starttime);
|
ALLOC(r->ek.starttime);
|
||||||
*ek.starttime = *et.starttime;
|
*r->ek.starttime = *r->et.starttime;
|
||||||
}
|
}
|
||||||
ek.endtime = et.endtime;
|
r->ek.endtime = r->et.endtime;
|
||||||
if (et.renew_till) {
|
if (r->et.renew_till) {
|
||||||
ALLOC(ek.renew_till);
|
ALLOC(r->ek.renew_till);
|
||||||
*ek.renew_till = *et.renew_till;
|
*r->ek.renew_till = *r->et.renew_till;
|
||||||
}
|
}
|
||||||
copy_Realm(&rep.ticket.realm, &ek.srealm);
|
copy_Realm(&rep.ticket.realm, &r->ek.srealm);
|
||||||
copy_PrincipalName(&rep.ticket.sname, &ek.sname);
|
copy_PrincipalName(&rep.ticket.sname, &r->ek.sname);
|
||||||
if(et.caddr){
|
if(r->et.caddr){
|
||||||
ALLOC(ek.caddr);
|
ALLOC(r->ek.caddr);
|
||||||
copy_HostAddresses(et.caddr, ek.caddr);
|
copy_HostAddresses(r->et.caddr, r->ek.caddr);
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -2020,11 +2013,11 @@ _kdc_as_rep(kdc_request_t r,
|
|||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = copy_EncryptionKey(&r->session_key, &et.key);
|
ret = copy_EncryptionKey(&r->session_key, &r->et.key);
|
||||||
if (ret)
|
if (ret)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
ret = copy_EncryptionKey(&r->session_key, &ek.key);
|
ret = copy_EncryptionKey(&r->session_key, &r->ek.key);
|
||||||
if (ret)
|
if (ret)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
@@ -2052,7 +2045,7 @@ _kdc_as_rep(kdc_request_t r,
|
|||||||
krb5_abortx(context, "internal asn.1 error");
|
krb5_abortx(context, "internal asn.1 error");
|
||||||
|
|
||||||
/* sign using "returned session key" */
|
/* sign using "returned session key" */
|
||||||
ret = krb5_crypto_init(context, &et.key, 0, &cryptox);
|
ret = krb5_crypto_init(context, &r->et.key, 0, &cryptox);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
free(data.data);
|
free(data.data);
|
||||||
goto out;
|
goto out;
|
||||||
@@ -2100,8 +2093,8 @@ _kdc_as_rep(kdc_request_t r,
|
|||||||
generate_pac(r, skey);
|
generate_pac(r, skey);
|
||||||
}
|
}
|
||||||
|
|
||||||
_kdc_log_timestamp(context, config, "AS-REQ", et.authtime, et.starttime,
|
_kdc_log_timestamp(context, config, "AS-REQ", r->et.authtime, r->et.starttime,
|
||||||
et.endtime, et.renew_till);
|
r->et.endtime, r->et.renew_till);
|
||||||
|
|
||||||
/* do this as the last thing since this signs the EncTicketPart */
|
/* do this as the last thing since this signs the EncTicketPart */
|
||||||
ret = _kdc_add_KRB5SignedPath(context,
|
ret = _kdc_add_KRB5SignedPath(context,
|
||||||
@@ -2111,7 +2104,7 @@ _kdc_as_rep(kdc_request_t r,
|
|||||||
r->client->entry.principal,
|
r->client->entry.principal,
|
||||||
NULL,
|
NULL,
|
||||||
NULL,
|
NULL,
|
||||||
&et);
|
&r->et);
|
||||||
if (ret)
|
if (ret)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
@@ -2120,6 +2113,7 @@ _kdc_as_rep(kdc_request_t r,
|
|||||||
/*
|
/*
|
||||||
* Add REQ_ENC_PA_REP if client supports it
|
* Add REQ_ENC_PA_REP if client supports it
|
||||||
*/
|
*/
|
||||||
|
|
||||||
i = 0;
|
i = 0;
|
||||||
pa = _kdc_find_padata(req, &i, KRB5_PADATA_REQ_ENC_PA_REP);
|
pa = _kdc_find_padata(req, &i, KRB5_PADATA_REQ_ENC_PA_REP);
|
||||||
if (pa) {
|
if (pa) {
|
||||||
@@ -2138,7 +2132,7 @@ _kdc_as_rep(kdc_request_t r,
|
|||||||
|
|
||||||
ret = _kdc_encode_reply(context, config,
|
ret = _kdc_encode_reply(context, config,
|
||||||
r->armor_crypto, req->req_body.nonce,
|
r->armor_crypto, req->req_body.nonce,
|
||||||
&rep, &et, &ek, setype, r->server->entry.kvno,
|
&rep, &r->et, &r->ek, setype, r->server->entry.kvno,
|
||||||
&skey->key, r->client->entry.kvno,
|
&skey->key, r->client->entry.kvno,
|
||||||
&r->reply_key, 0, &r->e_text, reply);
|
&r->reply_key, 0, &r->e_text, reply);
|
||||||
if (ret)
|
if (ret)
|
||||||
@@ -2171,8 +2165,8 @@ out:
|
|||||||
goto out2;
|
goto out2;
|
||||||
}
|
}
|
||||||
out2:
|
out2:
|
||||||
free_EncTicketPart(&et);
|
free_EncTicketPart(&r->et);
|
||||||
free_EncKDCRepPart(&ek);
|
free_EncKDCRepPart(&r->ek);
|
||||||
|
|
||||||
if (error_method.len)
|
if (error_method.len)
|
||||||
free_METHOD_DATA(&error_method);
|
free_METHOD_DATA(&error_method);
|
||||||
|
|||||||
Reference in New Issue
Block a user