oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

hdb: eliminate hdb_entry_ex

Browse Source 
Remove hdb_entry_ex and revert to the original design of hdb_entry (except with
an additional context member in hdb_entry which is managed by the free_entry
method in HDB).
This commit is contained in:
Luke Howard
2022-01-07 12:54:40 +11:00
parent c5551775e2
commit 0e8c4ccc6e
50 changed files with 1035 additions and 1032 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
kdc/altsecid_gss_preauth_authorizer.c
View File

@@ -397,7 +397,7 @@ authorize(void *ctx,
struct altsecid_gss_preauth_authorizer_context *c = ctx;
struct ad_server_tuple *server = NULL;
krb5_error_code ret;
krb5_const_realm realm = krb5_principal_get_realm(r->context, r->client->entry.principal);
krb5_const_realm realm = krb5_principal_get_realm(r->context, r->client->principal);
krb5_boolean reconnect_p = FALSE;
krb5_boolean is_tgs;
heim_data_t requestor_sid = NULL;
@@ -405,7 +405,7 @@ authorize(void *ctx,
*authorized = FALSE;
*mapped_name = NULL;
if (!krb5_principal_is_federated(r->context, r->client->entry.principal) ||
if (!krb5_principal_is_federated(r->context, r->client->principal) ||
(ret_flags & GSS_C_ANON_FLAG))
return KRB5_PLUGIN_NO_HANDLE;

4
kdc/digest-service.c
View File

@@ -60,7 +60,7 @@ ntlm_service(void *ctx, const heim_idata *req,
unsigned char sessionkey[16];
heim_idata rep = { 0, NULL };
krb5_context context = ctx;
hdb_entry_ex *user = NULL;
hdb_entry *user = NULL;
HDB *db = NULL;
Key *key = NULL;
NTLMReply ntp;
@@ -119,7 +119,7 @@ ntlm_service(void *ctx, const heim_idata *req,
if (ret)
goto failed;
ret = hdb_enctype2key(context, &user->entry, NULL,
ret = hdb_enctype2key(context, user, NULL,
ETYPE_ARCFOUR_HMAC_MD5, &key);
if (ret) {
krb5_set_error_message(context, ret, "NTLM missing arcfour key");

24
kdc/digest.c
View File

@@ -57,7 +57,7 @@ const struct units _kdc_digestunits[] = {
static krb5_error_code
get_digest_key(krb5_context context,
krb5_kdc_configuration *config,
hdb_entry_ex *server,
hdb_entry *server,
krb5_crypto *crypto)
{
krb5_error_code ret;
@@ -81,12 +81,12 @@ get_digest_key(krb5_context context,
static char *
get_ntlm_targetname(krb5_context context,
hdb_entry_ex *client)
hdb_entry *client)
{
char *targetname, *p;
targetname = strdup(krb5_principal_get_realm(context,
client->entry.principal));
client->principal));
if (targetname == NULL)
return NULL;
@@ -101,7 +101,7 @@ get_ntlm_targetname(krb5_context context,
static krb5_error_code
fill_targetinfo(krb5_context context,
char *targetname,
hdb_entry_ex *client,
hdb_entry *client,
krb5_data *data)
{
struct ntlm_targetinfo ti;
@@ -113,7 +113,7 @@ fill_targetinfo(krb5_context context,
memset(&ti, 0, sizeof(ti));
ti.domainname = targetname;
p = client->entry.principal;
p = client->principal;
str = krb5_principal_get_comp_string(context, p, 0);
if (str != NULL &&
(strcmp("host", str) == 0 ||
@@ -168,7 +168,7 @@ get_password_entry(krb5_context context,
{
krb5_principal clientprincipal;
krb5_error_code ret;
hdb_entry_ex *user;
hdb_entry *user;
HDB *db;
/* get username */
@@ -182,7 +182,7 @@ get_password_entry(krb5_context context,
if (ret)
return ret;
ret = hdb_entry_get_password(context, db, &user->entry, password);
ret = hdb_entry_get_password(context, db, user, password);
if (ret || password == NULL) {
if (ret == 0) {
ret = EINVAL;
@@ -218,9 +218,9 @@ _kdc_do_digest(krb5_context context,
krb5_storage *sp = NULL;
Checksum res;
HDB *serverdb, *userdb;
hdb_entry_ex *server = NULL, *user = NULL;
hdb_entry *server = NULL, *user = NULL;
HDB *clientdb;
hdb_entry_ex *client = NULL;
hdb_entry *client = NULL;
char *client_name = NULL, *password = NULL;
krb5_data serverNonce;
@@ -321,7 +321,7 @@ _kdc_do_digest(krb5_context context,
if (ret)
goto out;
if (client->entry.flags.allow_digest == 0) {
if (client->flags.allow_digest == 0) {
kdc_log(context, config, 2,
"Client %s tried to use digest "
"but is not allowed to",
@@ -888,7 +888,7 @@ _kdc_do_digest(krb5_context context,
goto failed;
}
ret = hdb_enctype2key(context, &user->entry, NULL,
ret = hdb_enctype2key(context, user, NULL,
ETYPE_ARCFOUR_HMAC_MD5, &key);
if (ret) {
krb5_set_error_message(context, ret,
@@ -1216,7 +1216,7 @@ _kdc_do_digest(krb5_context context,
goto out;
}
ret = hdb_enctype2key(context, &user->entry, NULL,
ret = hdb_enctype2key(context, user, NULL,
ETYPE_ARCFOUR_HMAC_MD5, &key);
if (ret) {
krb5_set_error_message(context, ret, "NTLM missing arcfour key");

8
kdc/fast.c
View File

@@ -109,7 +109,7 @@ get_fastuser_crypto(astgs_request_t r,
{
krb5_principal fast_princ;
HDB *fast_db;
hdb_entry_ex *fast_user = NULL;
hdb_entry *fast_user = NULL;
Key *cookie_key = NULL;
krb5_crypto fast_crypto = NULL;
krb5_error_code ret;
@@ -131,7 +131,7 @@ get_fastuser_crypto(astgs_request_t r,
ret = _kdc_get_preferred_key(r->context, r->config, fast_user,
"fast-cookie", &enctype, &cookie_key);
else
ret = hdb_enctype2key(r->context, &fast_user->entry, NULL,
ret = hdb_enctype2key(r->context, fast_user, NULL,
enctype, &cookie_key);
if (ret)
goto out;
@@ -563,7 +563,7 @@ fast_unwrap_request(astgs_request_t r,
goto out;
}
ret = hdb_enctype2key(r->context, &r->armor_server->entry, NULL,
ret = hdb_enctype2key(r->context, r->armor_server, NULL,
ap_req.ticket.enc_part.etype,
&r->armor_key);
if (ret) {
@@ -836,7 +836,7 @@ _kdc_fast_check_armor_pac(astgs_request_t r)
krb5_pac mspac = NULL;
krb5_principal armor_client_principal = NULL;
HDB *armor_db;
hdb_entry_ex *armor_client = NULL;
hdb_entry *armor_client = NULL;
char *armor_client_principal_name = NULL;
flags = HDB_F_FOR_TGS_REQ;

12
kdc/gss_preauth.c
View File

@@ -584,7 +584,7 @@ pa_gss_authorize_default(astgs_request_t r,
{
krb5_error_code ret;
krb5_principal principal;
krb5_const_realm realm = r->server->entry.principal->realm;
krb5_const_realm realm = r->server->principal->realm;
int flags = 0, cross_realm_allowed = 0, unauth_anon;
/*
@@ -680,7 +680,7 @@ _kdc_gss_check_client(astgs_request_t r,
{
krb5_error_code ret;
krb5_principal initiator_princ = NULL;
hdb_entry_ex *initiator = NULL;
hdb_entry *initiator = NULL;
krb5_boolean authorized = FALSE;
HDB *clientdb = r->clientdb;
@@ -740,15 +740,15 @@ _kdc_gss_check_client(astgs_request_t r,
* two principals must match, noting that GSS pre-authentication is
* for authentication, not general purpose impersonation.
*/
if (krb5_principal_is_federated(r->context, r->client->entry.principal)) {
initiator->entry.flags.force_canonicalize = 1;
if (krb5_principal_is_federated(r->context, r->client->principal)) {
initiator->flags.force_canonicalize = 1;
_kdc_free_ent(r->context, clientdb, r->client);
r->client = initiator;
initiator = NULL;
} else if (!krb5_principal_compare(r->context,
r->client->entry.principal,
initiator->entry.principal)) {
r->client->principal,
initiator->principal)) {
kdc_log(r->context, r->config, 2,
"GSS %s initiator %.*s does not match principal %s",
gss_oid_to_name(gcp->mech_type),

8
kdc/hprop.c
View File

@@ -87,28 +87,28 @@ open_socket(krb5_context context, const char *hostname, const char *port)
}
krb5_error_code
v5_prop(krb5_context context, HDB *db, hdb_entry_ex *entry, void *appdata)
v5_prop(krb5_context context, HDB *db, hdb_entry *entry, void *appdata)
{
krb5_error_code ret;
struct prop_data *pd = appdata;
krb5_data data;
if(encrypt_flag) {
ret = hdb_seal_keys_mkey(context, &entry->entry, mkey5);
ret = hdb_seal_keys_mkey(context, entry, mkey5);
if (ret) {
krb5_warn(context, ret, "hdb_seal_keys_mkey");
return ret;
}
}
if(decrypt_flag) {
ret = hdb_unseal_keys_mkey(context, &entry->entry, mkey5);
ret = hdb_unseal_keys_mkey(context, entry, mkey5);
if (ret) {
krb5_warn(context, ret, "hdb_unseal_keys_mkey");
return ret;
}
}
ret = hdb_entry2value(context, &entry->entry, &data);
ret = hdb_entry2value(context, entry, &data);
if(ret) {
krb5_warn(context, ret, "hdb_entry2value");
return ret;

2
kdc/hprop.h
View File

@@ -53,7 +53,7 @@ struct prop_data{
#define NEVERDATE ((1U << 31) - 1)
#endif
krb5_error_code v5_prop(krb5_context, HDB*, hdb_entry_ex*, void*);
krb5_error_code v5_prop(krb5_context, HDB*, hdb_entry*, void*);
int mit_prop_dump(void*, const char*);
#endif /* __HPROP_H__ */

6
kdc/hpropd.c
View File

@@ -226,7 +226,7 @@ main(int argc, char **argv)
nprincs = 0;
while (1){
krb5_data data;
hdb_entry_ex entry;
hdb_entry entry;
if (from_stdin) {
ret = krb5_read_message(context, &sock, &data);
@@ -255,7 +255,7 @@ main(int argc, char **argv)
break;
}
memset(&entry, 0, sizeof(entry));
ret = hdb_value2entry(context, &data, &entry.entry);
ret = hdb_value2entry(context, &data, &entry);
krb5_data_free(&data);
if (ret)
krb5_err(context, 1, ret, "hdb_value2entry");
@@ -269,7 +269,7 @@ main(int argc, char **argv)
ret = db->hdb_store(context, db, 0, &entry);
if (ret == HDB_ERR_EXISTS) {
char *s;
ret = krb5_unparse_name(context, entry.entry.principal, &s);
ret = krb5_unparse_name(context, entry.principal, &s);
if (ret)
s = strdup(unparseable_name);
krb5_warnx(context, "Entry exists: %s", s);

38
kdc/kdc-plugin.c
View File

@@ -49,7 +49,7 @@ static const char *kdc_plugin_deps[] = {
static struct heim_plugin_data kdc_plugin_data = {
"krb5",
"kdc",
KRB5_PLUGIN_KDC_VERSION_9,
KRB5_PLUGIN_KDC_VERSION_10,
kdc_plugin_deps,
kdc_get_instance
};
@@ -70,8 +70,9 @@ krb5_kdc_plugin_init(krb5_context context)
}
struct generate_uc {
hdb_entry_ex *client;
hdb_entry_ex *server;
krb5_kdc_configuration *config;
hdb_entry *client;
hdb_entry *server;
const krb5_keyblock *reply_key;
uint64_t pac_attributes;
krb5_pac *pac;
@@ -86,7 +87,9 @@ generate(krb5_context context, const void *plug, void *plugctx, void *userctx)
if (ft->pac_generate == NULL)
return KRB5_PLUGIN_NO_HANDLE;
return ft->pac_generate((void *)plug, context,
return ft->pac_generate((void *)plug,
context,
uc->config,
uc->client,
uc->server,
uc->reply_key,
@@ -97,8 +100,9 @@ generate(krb5_context context, const void *plug, void *plugctx, void *userctx)
krb5_error_code
_kdc_pac_generate(krb5_context context,
hdb_entry_ex *client,
hdb_entry_ex *server,
krb5_kdc_configuration *config,
hdb_entry *client,
hdb_entry *server,
const krb5_keyblock *reply_key,
uint64_t pac_attributes,
krb5_pac *pac)
@@ -109,11 +113,12 @@ _kdc_pac_generate(krb5_context context,
*pac = NULL;
if (krb5_config_get_bool_default(context, NULL, FALSE, "realms",
client->entry.principal->realm,
client->principal->realm,
"disable_pac", NULL))
return 0;
if (have_plugin) {
uc.config = config;
uc.client = client;
uc.server = server;
uc.reply_key = reply_key;
@@ -134,11 +139,12 @@ _kdc_pac_generate(krb5_context context,
}
struct verify_uc {
krb5_kdc_configuration *config;
krb5_principal client_principal;
krb5_principal delegated_proxy_principal;
hdb_entry_ex *client;
hdb_entry_ex *server;
hdb_entry_ex *krbtgt;
hdb_entry *client;
hdb_entry *server;
hdb_entry *krbtgt;
krb5_pac *pac;
};
@@ -152,7 +158,9 @@ verify(krb5_context context, const void *plug, void *plugctx, void *userctx)
if (ft->pac_verify == NULL)
return KRB5_PLUGIN_NO_HANDLE;
ret = ft->pac_verify((void *)plug, context,
ret = ft->pac_verify((void *)plug,
context,
uc->config,
uc->client_principal,
uc->delegated_proxy_principal,
uc->client, uc->server, uc->krbtgt, uc->pac);
@@ -161,11 +169,12 @@ verify(krb5_context context, const void *plug, void *plugctx, void *userctx)
krb5_error_code
_kdc_pac_verify(krb5_context context,
krb5_kdc_configuration *config,
const krb5_principal client_principal,
const krb5_principal delegated_proxy_principal,
hdb_entry_ex *client,
hdb_entry_ex *server,
hdb_entry_ex *krbtgt,
hdb_entry *client,
hdb_entry *server,
hdb_entry *krbtgt,
krb5_pac *pac)
{
struct verify_uc uc;
@@ -173,6 +182,7 @@ _kdc_pac_verify(krb5_context context,
if (!have_plugin)
return KRB5_PLUGIN_NO_HANDLE;
uc.config = config;
uc.client_principal = client_principal;
uc.delegated_proxy_principal = delegated_proxy_principal;
uc.client = client;

23
kdc/kdc-plugin.h
View File

@@ -38,8 +38,7 @@
#include <krb5.h>
#include <kdc.h>
struct hdb_entry_ex;
#include <hdb.h>
/*
* Allocate a PAC for the given client with krb5_pac_init(),
@@ -47,9 +46,11 @@ struct hdb_entry_ex;
*/
typedef krb5_error_code
(KRB5_CALLCONV *krb5plugin_kdc_pac_generate)(void *, krb5_context,
struct hdb_entry_ex *, /* client */
struct hdb_entry_ex *, /* server */
(KRB5_CALLCONV *krb5plugin_kdc_pac_generate)(void *,
krb5_context, /* context */
krb5_kdc_configuration *, /* configuration */
hdb_entry *, /* client */
hdb_entry *, /* server */
const krb5_keyblock *, /* pk_replykey */
uint64_t, /* pac_attributes */
krb5_pac *);
@@ -61,12 +62,14 @@ typedef krb5_error_code
*/
typedef krb5_error_code
(KRB5_CALLCONV *krb5plugin_kdc_pac_verify)(void *, krb5_context,
(KRB5_CALLCONV *krb5plugin_kdc_pac_verify)(void *,
krb5_context, /* context */
krb5_kdc_configuration *, /* configuration */
const krb5_principal, /* new ticket client */
const krb5_principal, /* delegation proxy */
struct hdb_entry_ex *,/* client */
struct hdb_entry_ex *,/* server */
struct hdb_entry_ex *,/* krbtgt */
hdb_entry *,/* client */
hdb_entry *,/* server */
hdb_entry *,/* krbtgt */
krb5_pac *);
/*
@@ -115,7 +118,7 @@ typedef krb5_error_code
* Plugins should carefully check API contract notes for changes
* between plugin API versions.
*/
#define KRB5_PLUGIN_KDC_VERSION_9 9
#define KRB5_PLUGIN_KDC_VERSION_10 10
typedef struct krb5plugin_kdc_ftable {
int minor_version;

6
kdc/kdc.h
View File

@@ -141,18 +141,18 @@ typedef struct krb5_kdc_configuration {
\
/* client principal (AS) or TGT/S4U principal (TGS) */ \
krb5_principal client_princ; \
hdb_entry_ex *client; \
hdb_entry *client; \
HDB *clientdb; \
krb5_principal canon_client_princ; \
\
/* server principal */ \
krb5_principal server_princ; \
hdb_entry_ex *server; \
hdb_entry *server; \
HDB *serverdb; \
\
/* presented ticket in TGS-REQ (unused by AS) */ \
krb5_principal *krbtgt_princ; \
hdb_entry_ex *krbtgt; \
hdb_entry *krbtgt; \
HDB *krbtgtdb; \
krb5_ticket *ticket; \
\

2
kdc/kdc_locl.h
View File

@@ -87,7 +87,7 @@ struct astgs_request_desc {
unsigned int fast_asserted : 1;
krb5_crypto armor_crypto;
hdb_entry_ex *armor_server;
hdb_entry *armor_server;
HDB *armor_serverdb;
krb5_ticket *armor_ticket;
Key *armor_key;

139
kdc/kerberos5.c
View File

@@ -161,7 +161,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
krb5_boolean use_strongest_session_key;
krb5_boolean is_preauth = flags & KFE_IS_PREAUTH;
krb5_boolean is_tgs = flags & KFE_IS_TGS;
hdb_entry_ex *princ;
hdb_entry *princ;
krb5_principal request_princ;
krb5_error_code ret;
krb5_salt def_salt;
@@ -171,15 +171,15 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
size_t i, k, m;
if (is_preauth && (flags & KFE_USE_CLIENT) &&
r->client->entry.flags.synthetic)
r->client->flags.synthetic)
return KRB5KDC_ERR_ETYPE_NOSUPP;
if ((flags & KFE_USE_CLIENT) && !r->client->entry.flags.synthetic) {
if ((flags & KFE_USE_CLIENT) && !r->client->flags.synthetic) {
princ = r->client;
request_princ = r->client_princ;
} else {
princ = r->server;
request_princ = r->server->entry.principal;
request_princ = r->server->principal;
}
use_strongest_session_key =
@@ -227,7 +227,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
p[i] != (krb5_enctype)ETYPE_NULL && enctype == (krb5_enctype)ETYPE_NULL;
i++) {
if (krb5_enctype_valid(r->context, p[i]) != 0 &&
!_kdc_is_weak_exception(princ->entry.principal, p[i]))
!_kdc_is_weak_exception(princ->principal, p[i]))
continue;
/* check that the client supports it too */
@@ -248,15 +248,15 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
/* check target princ support */
key = NULL;
if (!(flags & KFE_USE_CLIENT) && princ->entry.etypes) {
if (!(flags & KFE_USE_CLIENT) && princ->etypes) {
/*
* Use the etypes list from the server's HDB entry instead
* of deriving it from its long-term keys. This allows an
* entry to have just one long-term key but record support
* for multiple enctypes.
*/
for (m = 0; m < princ->entry.etypes->len; m++) {
if (p[i] == princ->entry.etypes->val[m]) {
for (m = 0; m < princ->etypes->len; m++) {
if (p[i] == princ->etypes->val[m]) {
ret = 0;
break;
}
@@ -268,7 +268,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
* PA-ETYPE-INFO* or because we're selecting a session key
* enctype.
*/
while (hdb_next_enctype2key(r->context, &princ->entry, NULL,
while (hdb_next_enctype2key(r->context, princ, NULL,
p[i], &key) == 0) {
if (key->key.keyvalue.length == 0) {
ret = KRB5KDC_ERR_NULL_KEY;
@@ -296,12 +296,12 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
for(i = 0; ret != 0 && i < len; i++) {
if (krb5_enctype_valid(r->context, etypes[i]) != 0 &&
!_kdc_is_weak_exception(princ->entry.principal, etypes[i]))
!_kdc_is_weak_exception(princ->principal, etypes[i]))
continue;
key = NULL;
while (ret != 0 &&
hdb_next_enctype2key(r->context, &princ->entry, NULL,
hdb_next_enctype2key(r->context, princ, NULL,
etypes[i], &key) == 0) {
if (key->key.keyvalue.length == 0) {
ret = KRB5KDC_ERR_NULL_KEY;
@@ -323,7 +323,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
* the service key list, provide a DES-CBC-CRC key.
*/
if (ret_key == NULL &&
_kdc_is_weak_exception(princ->entry.principal, ETYPE_DES_CBC_CRC)) {
_kdc_is_weak_exception(princ->principal, ETYPE_DES_CBC_CRC)) {
ret = 0;
enctype = ETYPE_DES_CBC_CRC;
} else {
@@ -504,7 +504,7 @@ pa_pkinit_validate(astgs_request_t r, const PA_DATA *pa)
}
r->pa_endtime = _kdc_pk_endtime(pkp);
if (!r->client->entry.flags.synthetic)
if (!r->client->flags.synthetic)
r->pa_max_life = _kdc_pk_max_life(pkp);
_kdc_r_log(r, 4, "PKINIT pre-authentication succeeded -- %s using %s",
@@ -621,7 +621,7 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
return ret;
}
if (r->client->entry.flags.locked_out) {
if (r->client->flags.locked_out) {
ret = KRB5KDC_ERR_CLIENT_REVOKED;
kdc_log(r->context, r->config, 0,
"Client (%s) is locked out", r->cname);
@@ -650,11 +650,11 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
kdc_log(r->context, r->config, 5, "FAST armor enctype is: %d", (int)aenctype);
for (i = 0; i < r->client->entry.keys.len; i++) {
for (i = 0; i < r->client->keys.len; i++) {
krb5_crypto challengecrypto, longtermcrypto;
krb5_keyblock challengekey;
k = &r->client->entry.keys.val[i];
k = &r->client->keys.val[i];
ret = krb5_crypto_init(r->context, &k->key, 0, &longtermcrypto);
if (ret)
@@ -794,7 +794,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
return ret;
}
if (r->client->entry.flags.locked_out) {
if (r->client->flags.locked_out) {
ret = KRB5KDC_ERR_CLIENT_REVOKED;
kdc_log(r->context, r->config, 0,
"Client (%s) is locked out", r->cname);
@@ -814,7 +814,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
goto out;
}
ret = hdb_enctype2key(r->context, &r->client->entry, NULL,
ret = hdb_enctype2key(r->context, r->client, NULL,
enc_data.etype, &pa_key);
if(ret){
char *estr;
@@ -873,7 +873,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
pa_key->key.keytype);
_kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY);
if(hdb_next_enctype2key(r->context, &r->client->entry, NULL,
if(hdb_next_enctype2key(r->context, r->client, NULL,
enc_data.etype, &pa_key) == 0)
goto try_next_key;
@@ -1612,12 +1612,10 @@ _log_astgs_req(astgs_request_t r, krb5_enctype setype)
KDC_LIB_FUNCTION krb5_error_code KDC_LIB_CALL
kdc_check_flags(astgs_request_t r,
krb5_boolean is_as_req,
hdb_entry_ex *client_ex,
hdb_entry_ex *server_ex)
hdb_entry *client,
hdb_entry *server)
{
if (client_ex != NULL) {
hdb_entry *client = &client_ex->entry;
if (client != NULL) {
/* check client */
if (client->flags.locked_out) {
_kdc_audit_addreason((kdc_request_t)r, "Client is locked out");
@@ -1655,11 +1653,11 @@ kdc_check_flags(astgs_request_t r,
}
if (client->flags.require_pwchange &&
(server_ex == NULL || !server_ex->entry.flags.change_pw))
(server == NULL || !server->flags.change_pw))
return KRB5KDC_ERR_KEY_EXPIRED;
if (client->pw_end && *client->pw_end < kdc_time
&& (server_ex == NULL || !server_ex->entry.flags.change_pw)) {
&& (server == NULL || !server->flags.change_pw)) {
char pwend_str[100];
krb5_format_time(r->context, *client->pw_end,
pwend_str, sizeof(pwend_str), TRUE);
@@ -1671,9 +1669,7 @@ kdc_check_flags(astgs_request_t r,
/* check server */
if (server_ex != NULL) {
hdb_entry *server = &server_ex->entry;
if (server != NULL) {
if (server->flags.locked_out) {
_kdc_audit_addreason((kdc_request_t)r, "Server locked out");
return KRB5KDC_ERR_SERVICE_REVOKED;
@@ -1851,6 +1847,7 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
*/
ret = _kdc_pac_generate(r->context,
r->config,
r->client,
r->server,
r->pa_used && !pa_used_flag_isset(r, PA_USES_LONG_TERM_KEY)
@@ -1865,7 +1862,7 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
if (r->pac == NULL)
return 0;
rodc_id = r->server->entry.kvno >> 16;
rodc_id = r->server->kvno >> 16;
/* libkrb5 expects ticket and PAC client names to match */
ret = _krb5_principalname2krb5_principal(r->context, &client,
@@ -1950,8 +1947,8 @@ static int
require_preauth_p(astgs_request_t r)
{
return r->config->require_preauth
|| r->client->entry.flags.require_preauth
|| r->server->entry.flags.require_preauth;
|| r->client->flags.require_preauth
|| r->server->flags.require_preauth;
}
@@ -2023,7 +2020,7 @@ get_local_tgs(krb5_context context,
krb5_kdc_configuration *config,
krb5_const_realm realm,
HDB **krbtgtdb,
hdb_entry_ex **krbtgt)
hdb_entry **krbtgt)
{
krb5_error_code ret;
krb5_principal tgs_name;
@@ -2151,7 +2148,7 @@ _kdc_as_rep(astgs_request_t r)
case HDB_ERR_WRONG_REALM: {
char *fixed_client_name = NULL;
ret = krb5_unparse_name(r->context, r->client->entry.principal,
ret = krb5_unparse_name(r->context, r->client->principal,
&fixed_client_name);
if (ret) {
goto out;
@@ -2165,7 +2162,7 @@ _kdc_as_rep(astgs_request_t r)
ret = _kdc_fast_mk_error(r, r->rep.padata, r->armor_crypto,
&req->req_body,
r->ret = KRB5_KDC_ERR_WRONG_REALM,
r->client->entry.principal, r->server_princ,
r->client->principal, r->server_princ,
NULL, NULL, r->reply);
goto out;
}
@@ -2237,7 +2234,7 @@ _kdc_as_rep(astgs_request_t r)
i = 0;
pa = _kdc_find_padata(req, &i, pat[n].type);
if (pa) {
if (r->client->entry.flags.synthetic &&
if (r->client->flags.synthetic &&
!(pat[n].flags & PA_SYNTHETIC_OK)) {
kdc_log(r->context, config, 4, "UNKNOWN -- %s", r->cname);
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
@@ -2288,7 +2285,7 @@ _kdc_as_rep(astgs_request_t r)
size_t n;
krb5_boolean default_salt;
if (r->client->entry.flags.synthetic) {
if (r->client->flags.synthetic) {
kdc_log(r->context, config, 4, "UNKNOWN -- %s", r->cname);
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto out;
@@ -2347,7 +2344,7 @@ _kdc_as_rep(astgs_request_t r)
goto out;
}
r->canon_client_princ = r->client->entry.principal;
r->canon_client_princ = r->client->principal;
/*
* Verify flags after the user been required to prove its identity
@@ -2414,7 +2411,7 @@ _kdc_as_rep(astgs_request_t r)
_kdc_is_anonymous(r->context, r->client_princ)) {
Realm anon_realm = KRB5_ANON_REALM;
ret = copy_Realm(&anon_realm, &rep->crealm);
} else if (f.canonicalize || r->client->entry.flags.force_canonicalize)
} else if (f.canonicalize || r->client->flags.force_canonicalize)
ret = copy_Realm(&r->canon_client_princ->realm, &rep->crealm);
else
ret = copy_Realm(&r->client_princ->realm, &rep->crealm);
@@ -2422,7 +2419,7 @@ _kdc_as_rep(astgs_request_t r)
goto out;
if (r->et.flags.anonymous)
ret = _kdc_make_anonymous_principalname(&rep->cname);
else if (f.canonicalize || r->client->entry.flags.force_canonicalize)
else if (f.canonicalize || r->client->flags.force_canonicalize)
ret = _krb5_principal2principalname(&rep->cname, r->canon_client_princ);
else
ret = _krb5_principal2principalname(&rep->cname, r->client_princ);
@@ -2430,15 +2427,15 @@ _kdc_as_rep(astgs_request_t r)
goto out;
rep->ticket.tkt_vno = 5;
if (f.canonicalize || r->server->entry.flags.force_canonicalize)
ret = copy_Realm(&r->server->entry.principal->realm, &rep->ticket.realm);
if (f.canonicalize || r->server->flags.force_canonicalize)
ret = copy_Realm(&r->server->principal->realm, &rep->ticket.realm);
else
ret = copy_Realm(&r->server_princ->realm, &rep->ticket.realm);
if (ret)
goto out;
if (f.canonicalize || r->server->entry.flags.force_canonicalize)
if (f.canonicalize || r->server->flags.force_canonicalize)
_krb5_principal2principalname(&rep->ticket.sname,
r->server->entry.principal);
r->server->principal);
else
_krb5_principal2principalname(&rep->ticket.sname,
r->server_princ);
@@ -2450,16 +2447,16 @@ _kdc_as_rep(astgs_request_t r)
#undef CNT
r->et.flags.initial = 1;
if(r->client->entry.flags.forwardable && r->server->entry.flags.forwardable)
if(r->client->flags.forwardable && r->server->flags.forwardable)
r->et.flags.forwardable = f.forwardable;
if(r->client->entry.flags.proxiable && r->server->entry.flags.proxiable)
if(r->client->flags.proxiable && r->server->flags.proxiable)
r->et.flags.proxiable = f.proxiable;
else if (f.proxiable) {
_kdc_set_e_text(r, "Ticket may not be proxiable");
ret = KRB5KDC_ERR_POLICY;
goto out;
}
if(r->client->entry.flags.postdate && r->server->entry.flags.postdate)
if(r->client->flags.postdate && r->server->flags.postdate)
r->et.flags.may_postdate = f.allow_postdate;
else if (f.allow_postdate){
_kdc_set_e_text(r, "Ticket may not be postdate");
@@ -2506,18 +2503,18 @@ _kdc_as_rep(astgs_request_t r)
/* be careful not overflowing */
/*
* Pre-auth can override r->client->entry.max_life if configured.
* Pre-auth can override r->client->max_life if configured.
*
* See pre-auth methods, specifically PKINIT, which can get or derive
* this from the client's certificate.
*/
if (r->pa_max_life > 0)
t = start + min(t - start, r->pa_max_life);
else if (r->client->entry.max_life)
t = start + min(t - start, *r->client->entry.max_life);
else if (r->client->max_life)
t = start + min(t - start, *r->client->max_life);
if (r->server->entry.max_life)
t = start + min(t - start, *r->server->entry.max_life);
if (r->server->max_life)
t = start + min(t - start, *r->server->max_life);
/* Pre-auth can bound endtime as well */
if (r->pa_endtime > 0)
@@ -2539,10 +2536,10 @@ _kdc_as_rep(astgs_request_t r)
t = *b->rtime;
if(t == 0)
t = MAX_TIME;
if(r->client->entry.max_renew)
t = start + min(t - start, *r->client->entry.max_renew);
if(r->server->entry.max_renew)
t = start + min(t - start, *r->server->entry.max_renew);
if(r->client->max_renew)
t = start + min(t - start, *r->client->max_renew);
if(r->server->max_renew)
t = start + min(t - start, *r->server->max_renew);
#if 0
t = min(t, start + realm->max_renew);
#endif
@@ -2575,16 +2572,16 @@ _kdc_as_rep(astgs_request_t r)
goto out;
}
r->ek.last_req.len = 0;
if (r->client->entry.pw_end
if (r->client->pw_end
&& (config->kdc_warn_pwexpire == 0
|| kdc_time + config->kdc_warn_pwexpire >= *r->client->entry.pw_end)) {
|| kdc_time + config->kdc_warn_pwexpire >= *r->client->pw_end)) {
r->ek.last_req.val[r->ek.last_req.len].lr_type = LR_PW_EXPTIME;
r->ek.last_req.val[r->ek.last_req.len].lr_value = *r->client->entry.pw_end;
r->ek.last_req.val[r->ek.last_req.len].lr_value = *r->client->pw_end;
++r->ek.last_req.len;
}
if (r->client->entry.valid_end) {
if (r->client->valid_end) {
r->ek.last_req.val[r->ek.last_req.len].lr_type = LR_ACCT_EXPTIME;
r->ek.last_req.val[r->ek.last_req.len].lr_value = *r->client->entry.valid_end;
r->ek.last_req.val[r->ek.last_req.len].lr_value = *r->client->valid_end;
++r->ek.last_req.len;
}
if (r->ek.last_req.len == 0) {
@@ -2593,16 +2590,16 @@ _kdc_as_rep(astgs_request_t r)
++r->ek.last_req.len;
}
r->ek.nonce = b->nonce;
if (r->client->entry.valid_end || r->client->entry.pw_end) {
if (r->client->valid_end || r->client->pw_end) {
ALLOC(r->ek.key_expiration);
if (r->client->entry.valid_end) {
if (r->client->entry.pw_end)
*r->ek.key_expiration = min(*r->client->entry.valid_end,
*r->client->entry.pw_end);
if (r->client->valid_end) {
if (r->client->pw_end)
*r->ek.key_expiration = min(*r->client->valid_end,
*r->client->pw_end);
else
*r->ek.key_expiration = *r->client->entry.valid_end;
*r->ek.key_expiration = *r->client->valid_end;
} else
*r->ek.key_expiration = *r->client->entry.pw_end;
*r->ek.key_expiration = *r->client->pw_end;
} else
r->ek.key_expiration = NULL;
r->ek.flags = r->et.flags;
@@ -2656,7 +2653,7 @@ _kdc_as_rep(astgs_request_t r)
generate_pac(r, skey, krbtgt_key, is_tgs);
}
if (r->client->entry.flags.synthetic) {
if (r->client->flags.synthetic) {
ret = add_synthetic_princ_ad(r);
if (ret)
goto out;
@@ -2713,8 +2710,8 @@ _kdc_as_rep(astgs_request_t r)
ret = _kdc_encode_reply(r->context, config,
r, req->req_body.nonce, setype,
r->server->entry.kvno, &skey->key,
pa_used_flag_isset(r, PA_REPLACE_REPLY_KEY) ? 0 : r->client->entry.kvno,
r->server->kvno, &skey->key,
pa_used_flag_isset(r, PA_REPLACE_REPLY_KEY) ? 0 : r->client->kvno,
0, r->reply);
if (ret)
goto out;

107
kdc/krb5tgs.c
View File

@@ -80,10 +80,10 @@ _kdc_check_pac(krb5_context context,
krb5_kdc_configuration *config,
const krb5_principal client_principal,
const krb5_principal delegated_proxy_principal,
hdb_entry_ex *client,
hdb_entry_ex *server,
hdb_entry_ex *krbtgt,
hdb_entry_ex *ticket_server,
hdb_entry *client,
hdb_entry *server,
hdb_entry *krbtgt,
hdb_entry *ticket_server,
const EncryptionKey *server_check_key,
const EncryptionKey *krbtgt_check_key,
EncTicketPart *tkt,
@@ -122,7 +122,8 @@ _kdc_check_pac(krb5_context context,
}
/* Verify the KDC signatures. */
ret = _kdc_pac_verify(context, client_principal, delegated_proxy_principal,
ret = _kdc_pac_verify(context, config,
client_principal, delegated_proxy_principal,
client, server, krbtgt, &pac);
if (ret == 0) {
if (pac_canon_name) {
@@ -140,8 +141,8 @@ _kdc_check_pac(krb5_context context,
* We can't verify the KDC signatures if the ticket was issued by
* another realm's KDC.
*/
if (krb5_realm_compare(context, server->entry.principal,
ticket_server->entry.principal)) {
if (krb5_realm_compare(context, server->principal,
ticket_server->principal)) {
ret = krb5_pac_verify(context, pac, 0, NULL, NULL,
krbtgt_check_key);
if (ret) {
@@ -173,7 +174,7 @@ _kdc_check_pac(krb5_context context,
*kdc_issued = signedticket ||
krb5_principal_is_krbtgt(context,
ticket_server->entry.principal);
ticket_server->principal);
*ppac = pac;
return 0;
@@ -359,8 +360,8 @@ krb5_error_code
_kdc_check_client_matches_target_service(krb5_context context,
krb5_kdc_configuration *config,
HDB *clientdb,
hdb_entry_ex *client,
hdb_entry_ex *target_server,
hdb_entry *client,
hdb_entry *target_server,
krb5_const_principal target_server_principal)
{
krb5_error_code ret;
@@ -378,7 +379,7 @@ _kdc_check_client_matches_target_service(krb5_context context,
if (ret == 0)
return 0;
} else if (krb5_principal_compare(context,
client->entry.principal,
client->principal,
target_server_principal) == TRUE) {
/* if client does a s4u2self to itself, and there is no plugin, that is ok */
return 0;
@@ -536,9 +537,9 @@ tgs_make_reply(astgs_request_t r,
const krb5_keyblock *sessionkey,
krb5_kvno kvno,
AuthorizationData *auth_data,
hdb_entry_ex *server,
hdb_entry *server,
krb5_principal server_principal,
hdb_entry_ex *client,
hdb_entry *client,
krb5_principal client_principal,
const char *tgt_realm,
uint16_t rodc_id,
@@ -596,7 +597,7 @@ tgs_make_reply(astgs_request_t r,
GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
&tgt->transited, et,
krb5_principal_get_realm(r->context, client_principal),
krb5_principal_get_realm(r->context, server->entry.principal),
krb5_principal_get_realm(r->context, server->principal),
tgt_realm);
if(ret)
goto out;
@@ -628,10 +629,10 @@ tgs_make_reply(astgs_request_t r,
{
time_t life;
life = et->endtime - *et->starttime;
if(client && client->entry.max_life)
life = min(life, *client->entry.max_life);
if(server->entry.max_life)
life = min(life, *server->entry.max_life);
if(client && client->max_life)
life = min(life, *client->max_life);
if(server->max_life)
life = min(life, *server->max_life);
et->endtime = *et->starttime + life;
}
if(f.renewable_ok && tgt->flags.renewable &&
@@ -645,10 +646,10 @@ tgs_make_reply(astgs_request_t r,
if(et->renew_till){
time_t renew;
renew = *et->renew_till - *et->starttime;
if(client && client->entry.max_renew)
renew = min(renew, *client->entry.max_renew);
if(server->entry.max_renew)
renew = min(renew, *server->entry.max_renew);
if(client && client->max_renew)
renew = min(renew, *client->max_renew);
if(server->max_renew)
renew = min(renew, *server->max_renew);
*et->renew_till = *et->starttime + renew;
}
@@ -672,12 +673,12 @@ tgs_make_reply(astgs_request_t r,
et->flags.pre_authent = tgt->flags.pre_authent;
et->flags.hw_authent = tgt->flags.hw_authent;
et->flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
et->flags.ok_as_delegate = server->flags.ok_as_delegate;
/* See MS-KILE 3.3.5.1 */
if (!server->entry.flags.forwardable)
if (!server->flags.forwardable)
et->flags.forwardable = 0;
if (!server->entry.flags.proxiable)
if (!server->flags.proxiable)
et->flags.proxiable = 0;
if (auth_data) {
@@ -729,7 +730,7 @@ tgs_make_reply(astgs_request_t r,
et->endtime, et->renew_till);
if (krb5_enctype_valid(r->context, serverkey->keytype) != 0
&& _kdc_is_weak_exception(server->entry.principal, serverkey->keytype))
&& _kdc_is_weak_exception(server->principal, serverkey->keytype))
{
krb5_enctype_enable(r->context, serverkey->keytype);
is_weak = 1;
@@ -761,7 +762,7 @@ tgs_make_reply(astgs_request_t r,
*/
if (_kdc_include_pac_p(r)) {
krb5_boolean is_tgs =
krb5_principal_is_krbtgt(r->context, server->entry.principal);
krb5_principal_is_krbtgt(r->context, server->principal);
ret = _krb5_kdc_pac_sign_ticket(r->context, r->pac, r->client_princ, serverkey,
krbtgtkey, rodc_id, NULL, r->canon_client_princ,
@@ -1016,12 +1017,12 @@ tgs_parse_request(astgs_request_t r,
goto out;
}
krbtgt_kvno_try = krbtgt_kvno ? krbtgt_kvno : r->krbtgt->entry.kvno;
krbtgt_kvno_try = krbtgt_kvno ? krbtgt_kvno : r->krbtgt->kvno;
*krbtgt_etype = ap_req.ticket.enc_part.etype;
next_kvno:
krbtgt_keys = hdb_kvno2keys(r->context, &r->krbtgt->entry, krbtgt_kvno_try);
ret = hdb_enctype2key(r->context, &r->krbtgt->entry, krbtgt_keys,
krbtgt_keys = hdb_kvno2keys(r->context, r->krbtgt, krbtgt_kvno_try);
ret = hdb_enctype2key(r->context, r->krbtgt, krbtgt_keys,
ap_req.ticket.enc_part.etype, &tkey);
if (ret && krbtgt_kvno == 0 && kvno_search_tries > 0) {
kvno_search_tries--;
@@ -1301,10 +1302,10 @@ _kdc_db_fetch_client(krb5_context context,
const char *cpn,
const char *krbtgt_realm,
HDB **clientdb,
hdb_entry_ex **client_out)
hdb_entry **client_out)
{
krb5_error_code ret;
hdb_entry_ex *client = NULL;
hdb_entry *client = NULL;
*client_out = NULL;
@@ -1333,7 +1334,7 @@ _kdc_db_fetch_client(krb5_context context,
msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 4, "Client not found in database: %s", msg);
krb5_free_error_message(context, msg);
} else if (client->entry.flags.invalid || !client->entry.flags.client) {
} else if (client->flags.invalid || !client->flags.client) {
kdc_log(context, config, 4, "Client has invalid bit set");
_kdc_free_ent(context, *clientdb, client);
return KRB5KDC_ERR_POLICY;
@@ -1360,9 +1361,9 @@ tgs_build_reply(astgs_request_t priv,
krb5_principal user2user_princ = NULL;
char *spn = NULL, *cpn = NULL, *krbtgt_out_n = NULL;
char *user2user_name = NULL;
hdb_entry_ex *server = NULL, *client = NULL;
hdb_entry *server = NULL, *client = NULL;
HDB *user2user_krbtgtdb;
hdb_entry_ex *user2user_krbtgt = NULL;
hdb_entry *user2user_krbtgt = NULL;
HDB *clientdb;
HDB *serverdb = NULL;
krb5_realm ref_realm = NULL;
@@ -1374,14 +1375,14 @@ tgs_build_reply(astgs_request_t priv,
uint16_t rodc_id;
krb5_boolean add_ticket_sig = FALSE;
const char *tgt_realm = /* Realm of TGT issuer */
krb5_principal_get_realm(context, priv->krbtgt->entry.principal);
krb5_principal_get_realm(context, priv->krbtgt->principal);
const char *our_realm = /* Realm of this KDC */
krb5_principal_get_comp_string(context, priv->krbtgt->entry.principal, 1);
krb5_principal_get_comp_string(context, priv->krbtgt->principal, 1);
char **capath = NULL;
size_t num_capath = 0;
HDB *krbtgt_outdb;
hdb_entry_ex *krbtgt_out = NULL;
hdb_entry *krbtgt_out = NULL;
PrincipalName *s;
Realm r;
@@ -1457,7 +1458,7 @@ server_lookup:
goto out;
} else if (ret == HDB_ERR_WRONG_REALM) {
free(ref_realm);
ref_realm = strdup(server->entry.principal->realm);
ref_realm = strdup(server->principal->realm);
if (ref_realm == NULL) {
ret = krb5_enomem(context);
goto out;
@@ -1579,8 +1580,8 @@ server_lookup:
* backend to override this by setting the force-canonicalize HDB
* flag in the server entry.
*/
if (server->entry.flags.force_canonicalize)
rsp = server->entry.principal;
if (server->flags.force_canonicalize)
rsp = server->principal;
else
rsp = priv->server_princ;
@@ -1614,7 +1615,7 @@ server_lookup:
HDB_F_GET_KRBTGT, NULL, &krbtgt_outdb, &krbtgt_out);
if (ret) {
char *ktpn = NULL;
ret = krb5_unparse_name(context, priv->krbtgt->entry.principal, &ktpn);
ret = krb5_unparse_name(context, priv->krbtgt->principal, &ktpn);
kdc_log(context, config, 4,
"No such principal %s (needed for authz-data signature keys) "
"while processing TGS-REQ for service %s with krbtg %s",
@@ -1639,7 +1640,7 @@ server_lookup:
krb5uint32 *kvno_ptr = NULL;
size_t i;
HDB *user2user_db;
hdb_entry_ex *user2user_client = NULL;
hdb_entry *user2user_client = NULL;
krb5_boolean user2user_kdc_issued = FALSE;
char *tpn;
@@ -1684,7 +1685,7 @@ server_lookup:
krb5_xfree(tpn);
goto out;
}
ret = hdb_enctype2key(context, &user2user_krbtgt->entry, NULL,
ret = hdb_enctype2key(context, user2user_krbtgt, NULL,
t->enc_part.etype, &uukey);
if(ret){
ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
@@ -1832,7 +1833,7 @@ server_lookup:
goto out;
}
ekey = &skey->key;
kvno = server->entry.kvno;
kvno = server->kvno;
}
ret = krb5_generate_random_keyblock(context, etype, &sessionkey);
@@ -1853,10 +1854,10 @@ server_lookup:
* the DB to possibly correct the case of the realm (Samba4 does
* this) before the strcmp()
*/
if (strcmp(krb5_principal_get_realm(context, server->entry.principal),
krb5_principal_get_realm(context, krbtgt_out->entry.principal)) != 0) {
if (strcmp(krb5_principal_get_realm(context, server->principal),
krb5_principal_get_realm(context, krbtgt_out->principal)) != 0) {
char *ktpn;
ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &ktpn);
ret = krb5_unparse_name(context, krbtgt_out->principal, &ktpn);
kdc_log(context, config, 4,
"Request with wrong krbtgt: %s",
(ret == 0) ? ktpn : "<unknown>");
@@ -1876,7 +1877,7 @@ server_lookup:
"Failed to find key for krbtgt PAC signature");
goto out;
}
ret = hdb_enctype2key(context, &krbtgt_out->entry, NULL,
ret = hdb_enctype2key(context, krbtgt_out, NULL,
tkey_sign->key.keytype, &tkey_sign);
if(ret) {
kdc_log(context, config, 4,
@@ -1935,8 +1936,8 @@ server_lookup:
if((b->kdc_options.validate || b->kdc_options.renew) &&
!krb5_principal_compare(context,
priv->krbtgt->entry.principal,
priv->server->entry.principal)){
priv->krbtgt->principal,
priv->server->principal)){
_kdc_audit_addreason((kdc_request_t)priv, "Inconsistent request");
kdc_log(context, config, 4, "Inconsistent request.");
ret = KRB5KDC_ERR_SERVER_NOMATCH;
@@ -2007,7 +2008,7 @@ server_lookup:
*/
if (kdc_issued &&
!krb5_principal_is_krbtgt(context, server->entry.principal)) {
!krb5_principal_is_krbtgt(context, server->principal)) {
/* Validate armor TGT before potentially including device claims */
if (priv->armor_ticket) {
@@ -2024,7 +2025,7 @@ server_lookup:
* read-only-dc identifier, we need to embed it in the PAC KDC signatures.
*/
rodc_id = krbtgt_out->entry.kvno >> 16;
rodc_id = krbtgt_out->kvno >> 16;
/*
*

2
kdc/kx509.c
View File

@@ -254,7 +254,7 @@ is_local_realm(krb5_context context,
krb5_error_code ret;
krb5_principal tgs;
HDB *db;
hdb_entry_ex *ent = NULL;
hdb_entry *ent = NULL;
ret = krb5_make_principal(context, &tgs, realm, KRB5_TGS_NAME, realm,
NULL);

74
kdc/misc.c
View File

@@ -67,11 +67,11 @@ synthesize_client(krb5_context context,
krb5_kdc_configuration *config,
krb5_const_principal princ,
HDB **db,
hdb_entry_ex **h)
hdb_entry **h)
{
static HDB null_db;
krb5_error_code ret;
hdb_entry_ex *e;
hdb_entry *e;
/* Hope this works! */
null_db.hdb_destroy = synthesize_hdb_close;
@@ -81,40 +81,40 @@ synthesize_client(krb5_context context,
ret = (e = calloc(1, sizeof(*e))) ? 0 : krb5_enomem(context);
if (ret == 0) {
e->entry.flags.client = 1;
e->entry.flags.immutable = 1;
e->entry.flags.virtual = 1;
e->entry.flags.synthetic = 1;
e->entry.flags.do_not_store = 1;
e->entry.kvno = 1;
e->entry.keys.len = 0;
e->entry.keys.val = NULL;
e->entry.created_by.time = time(NULL);
e->entry.modified_by = NULL;
e->entry.valid_start = NULL;
e->entry.valid_end = NULL;
e->entry.pw_end = NULL;
e->entry.etypes = NULL;
e->entry.generation = NULL;
e->entry.extensions = NULL;
e->flags.client = 1;
e->flags.immutable = 1;
e->flags.virtual = 1;
e->flags.synthetic = 1;
e->flags.do_not_store = 1;
e->kvno = 1;
e->keys.len = 0;
e->keys.val = NULL;
e->created_by.time = time(NULL);
e->modified_by = NULL;
e->valid_start = NULL;
e->valid_end = NULL;
e->pw_end = NULL;
e->etypes = NULL;
e->generation = NULL;
e->extensions = NULL;
}
if (ret == 0)
ret = (e->entry.max_renew = calloc(1, sizeof(*e->entry.max_renew))) ?
ret = (e->max_renew = calloc(1, sizeof(*e->max_renew))) ?
0 : krb5_enomem(context);
if (ret == 0)
ret = (e->entry.max_life = calloc(1, sizeof(*e->entry.max_life))) ?
ret = (e->max_life = calloc(1, sizeof(*e->max_life))) ?
0 : krb5_enomem(context);
if (ret == 0)
ret = krb5_copy_principal(context, princ, &e->entry.principal);
ret = krb5_copy_principal(context, princ, &e->principal);
if (ret == 0)
ret = krb5_copy_principal(context, princ, &e->entry.created_by.principal);
ret = krb5_copy_principal(context, princ, &e->created_by.principal);
if (ret == 0) {
/*
* We can't check OCSP in the TGS path, so we can't let tickets for
* synthetic principals live very long.
*/
*(e->entry.max_renew) = config->synthetic_clients_max_renew;
*(e->entry.max_life) = config->synthetic_clients_max_life;
*(e->max_renew) = config->synthetic_clients_max_renew;
*(e->max_life) = config->synthetic_clients_max_life;
*h = e;
} else {
hdb_free_entry(context, &null_db, e);
@@ -129,9 +129,9 @@ _kdc_db_fetch(krb5_context context,
unsigned flags,
krb5uint32 *kvno_ptr,
HDB **db,
hdb_entry_ex **h)
hdb_entry **h)
{
hdb_entry_ex *ent = NULL;
hdb_entry *ent = NULL;
krb5_error_code ret = HDB_ERR_NOENTRY;
int i;
unsigned kvno = 0;
@@ -246,7 +246,7 @@ out:
}
KDC_LIB_FUNCTION void KDC_LIB_CALL
_kdc_free_ent(krb5_context context, HDB *db, hdb_entry_ex *ent)
_kdc_free_ent(krb5_context context, HDB *db, hdb_entry *ent)
{
hdb_free_entry (context, db, ent);
free (ent);
@@ -260,7 +260,7 @@ _kdc_free_ent(krb5_context context, HDB *db, hdb_entry_ex *ent)
krb5_error_code
_kdc_get_preferred_key(krb5_context context,
krb5_kdc_configuration *config,
hdb_entry_ex *h,
hdb_entry *h,
const char *name,
krb5_enctype *enctype,
Key **key)
@@ -273,9 +273,9 @@ _kdc_get_preferred_key(krb5_context context,
for (i = 0; p[i] != (krb5_enctype)ETYPE_NULL; i++) {
if (krb5_enctype_valid(context, p[i]) != 0 &&
!_kdc_is_weak_exception(h->entry.principal, p[i]))
!_kdc_is_weak_exception(h->principal, p[i]))
continue;
ret = hdb_enctype2key(context, &h->entry, NULL, p[i], key);
ret = hdb_enctype2key(context, h, NULL, p[i], key);
if (ret != 0)
continue;
if (enctype != NULL)
@@ -285,12 +285,12 @@ _kdc_get_preferred_key(krb5_context context,
} else {
*key = NULL;
for (i = 0; i < h->entry.keys.len; i++) {
if (krb5_enctype_valid(context, h->entry.keys.val[i].key.keytype) != 0 &&
!_kdc_is_weak_exception(h->entry.principal, h->entry.keys.val[i].key.keytype))
for (i = 0; i < h->keys.len; i++) {
if (krb5_enctype_valid(context, h->keys.val[i].key.keytype) != 0 &&
!_kdc_is_weak_exception(h->principal, h->keys.val[i].key.keytype))
continue;
ret = hdb_enctype2key(context, &h->entry, NULL,
h->entry.keys.val[i].key.keytype, key);
ret = hdb_enctype2key(context, h, NULL,
h->keys.val[i].key.keytype, key);
if (ret != 0)
continue;
if (enctype != NULL)
@@ -334,9 +334,9 @@ _kdc_verify_checksum(krb5_context context,
krb5_boolean
_kdc_include_pac_p(astgs_request_t r)
{
if (krb5_principal_is_krbtgt(r->context, r->server->entry.principal))
if (krb5_principal_is_krbtgt(r->context, r->server->principal))
return TRUE;
else if (r->server->entry.flags.no_auth_data_reqd)
else if (r->server->flags.no_auth_data_reqd)
return FALSE;
return !!(r->pac_attributes & (KRB5_PAC_WAS_REQUESTED | KRB5_PAC_WAS_GIVEN_IMPLICITLY));

4
kdc/mit_dump.c
View File

@@ -146,7 +146,7 @@ mit_prop_dump(void *arg, const char *file)
char *line = NULL;
int lineno = 0;
FILE *f;
struct hdb_entry_ex ent;
hdb_entry ent;
struct prop_data *pd = arg;
krb5_storage *sp = NULL;
krb5_data kdb_ent;
@@ -202,7 +202,7 @@ mit_prop_dump(void *arg, const char *file)
}
ret = krb5_storage_to_data(sp, &kdb_ent);
if (ret) break;
ret = _hdb_mdb_value2entry(pd->context, &kdb_ent, 0, &ent.entry);
ret = _hdb_mdb_value2entry(pd->context, &kdb_ent, 0, &ent);
krb5_data_free(&kdb_ent);
if (ret) {
warnx("line: %d: failed to store; ignoring", lineno);

37
kdc/mssfu.c
View File

@@ -47,8 +47,8 @@ static krb5_error_code
check_constrained_delegation(krb5_context context,
krb5_kdc_configuration *config,
HDB *clientdb,
hdb_entry_ex *client,
hdb_entry_ex *server,
hdb_entry *client,
hdb_entry *server,
krb5_const_principal target)
{
const HDB_Ext_Constrained_delegation_acl *acl;
@@ -61,7 +61,7 @@ check_constrained_delegation(krb5_context context,
* of the principals here, while "target" is the principal
* provided by the client.
*/
if (!krb5_realm_compare(context, client->entry.principal, server->entry.principal)) {
if (!krb5_realm_compare(context, client->principal, server->principal)) {
ret = KRB5KDC_ERR_BADOPTION;
kdc_log(context, config, 4,
"Bad request for constrained delegation");
@@ -74,10 +74,10 @@ check_constrained_delegation(krb5_context context,
return 0;
} else {
/* if client delegates to itself, that ok */
if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
if (krb5_principal_compare(context, client->principal, server->principal) == TRUE)
return 0;
ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
ret = hdb_entry_get_ConstrainedDelegACL(client, &acl);
if (ret) {
krb5_clear_error_message(context);
return ret;
@@ -101,7 +101,7 @@ update_client_names(astgs_request_t r,
char **s4ucname,
krb5_principal *s4u_client_name,
HDB **s4u_clientdb,
hdb_entry_ex **s4u_client,
hdb_entry **s4u_client,
krb5_principal *s4u_canon_client_name,
krb5_pac *s4u_pac)
{
@@ -139,7 +139,7 @@ validate_protocol_transition(astgs_request_t r)
krb5_error_code ret;
KDC_REQ_BODY *b = &r->req.req_body;
EncTicketPart *ticket = &r->ticket->ticket;
hdb_entry_ex *s4u_client = NULL;
hdb_entry *s4u_client = NULL;
HDB *s4u_clientdb;
int flags = HDB_F_FOR_TGS_REQ;
krb5_principal s4u_client_name = NULL, s4u_canon_client_name = NULL;
@@ -275,15 +275,16 @@ validate_protocol_transition(astgs_request_t r)
* Ignore require_pwchange and pw_end attributes (as Windows does),
* since S4U2Self is not password authentication.
*/
s4u_client->entry.flags.require_pwchange = FALSE;
free(s4u_client->entry.pw_end);
s4u_client->entry.pw_end = NULL;
s4u_client->flags.require_pwchange = FALSE;
free(s4u_client->pw_end);
s4u_client->pw_end = NULL;
ret = kdc_check_flags(r, FALSE, s4u_client, r->server);
if (ret)
goto out; /* kdc_check_flags() calls _kdc_audit_addreason() */
ret = _kdc_pac_generate(r->context,
r->config,
s4u_client,
r->server,
NULL,
@@ -312,7 +313,7 @@ validate_protocol_transition(astgs_request_t r)
goto out;
}
ret = krb5_copy_principal(r->context, s4u_client->entry.principal,
ret = krb5_copy_principal(r->context, s4u_client->principal,
&s4u_canon_client_name);
if (ret)
goto out;
@@ -322,8 +323,8 @@ validate_protocol_transition(astgs_request_t r)
* delegation or if the impersonate client is disallowed
* forwardable, remove the forwardable flag.
*/
if (r->client->entry.flags.trusted_for_delegation &&
s4u_client->entry.flags.forwardable) {
if (r->client->flags.trusted_for_delegation &&
s4u_client->flags.forwardable) {
str = "[forwardable]";
} else {
b->kdc_options.forwardable = 0;
@@ -373,7 +374,7 @@ validate_constrained_delegation(astgs_request_t r)
char *s4ucname = NULL, *s4usname = NULL;
EncTicketPart evidence_tkt;
HDB *s4u_clientdb;
hdb_entry_ex *s4u_client = NULL;
hdb_entry *s4u_client = NULL;
krb5_boolean ad_kdc_issued = FALSE;
Key *clientkey;
Ticket *t;
@@ -388,7 +389,7 @@ validate_constrained_delegation(astgs_request_t r)
memset(&evidence_tkt, 0, sizeof(evidence_tkt));
local_realm =
krb5_principal_get_comp_string(r->context, r->krbtgt->entry.principal, 1);
krb5_principal_get_comp_string(r->context, r->krbtgt->principal, 1);
/*
* We require that the service's TGT has a PAC; this will have been
@@ -405,8 +406,8 @@ validate_constrained_delegation(astgs_request_t r)
t = &b->additional_tickets->val[0];
ret = hdb_enctype2key(r->context, &r->client->entry,
hdb_kvno2keys(r->context, &r->client->entry,
ret = hdb_enctype2key(r->context, r->client,
hdb_kvno2keys(r->context, r->client,
t->enc_part.kvno ? * t->enc_part.kvno : 0),
t->enc_part.etype, &clientkey);
if (ret) {
@@ -530,7 +531,7 @@ validate_constrained_delegation(astgs_request_t r)
* can insert the canonical client name ourselves.
*/
if (s4u_canon_client_name == NULL && s4u_client != NULL) {
ret = krb5_copy_principal(r->context, s4u_client->entry.principal,
ret = krb5_copy_principal(r->context, s4u_client->principal,
&s4u_canon_client_name);
if (ret)
goto out;

26
kdc/pkinit.c
View File

@@ -388,7 +388,7 @@ _kdc_pk_rd_padata(astgs_request_t priv,
krb5_context context = priv->context;
krb5_kdc_configuration *config = priv->config;
const KDC_REQ *req = &priv->req;
hdb_entry_ex *client = priv->client;
hdb_entry *client = priv->client;
pk_client_params *cp;
krb5_error_code ret;
heim_oid eContentType = { 0, NULL }, contentInfoOid = { 0, NULL };
@@ -431,7 +431,7 @@ _kdc_pk_rd_padata(astgs_request_t priv,
}
/* Add any registered certificates for this client as trust anchors */
ret = hdb_entry_get_pkinit_cert(&client->entry, &pc);
ret = hdb_entry_get_pkinit_cert(client, &pc);
if (ret == 0 && pc != NULL) {
hx509_cert cert;
unsigned int i;
@@ -467,7 +467,7 @@ _kdc_pk_rd_padata(astgs_request_t priv,
type = "PK-INIT-Win2k";
if (_kdc_is_anonymous(context, client->entry.principal)) {
if (_kdc_is_anonymous(context, client->principal)) {
ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED;
krb5_set_error_message(context, ret,
"Anonymous client not supported in RSA mode");
@@ -613,7 +613,7 @@ _kdc_pk_rd_padata(astgs_request_t priv,
hx509_certs signer_certs;
int flags = HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH; /* BTMM */
if (_kdc_is_anonymous(context, client->entry.principal)
if (_kdc_is_anonymous(context, client->principal)
|| (config->historical_anon_realm && _kdc_is_anon_request(req)))
flags |= HX509_CMS_VS_ALLOW_ZERO_SIGNER;
@@ -699,7 +699,7 @@ _kdc_pk_rd_padata(astgs_request_t priv,
goto out;
}
if (_kdc_is_anonymous(context, client->entry.principal) &&
if (_kdc_is_anonymous(context, client->principal) &&
ap.clientPublicValue == NULL) {
free_AuthPack(&ap);
ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED;
@@ -1598,7 +1598,7 @@ match_ms_upn_san(krb5_context context,
hx509_context hx509ctx,
hx509_cert client_cert,
HDB *clientdb,
hdb_entry_ex *client)
hdb_entry *client)
{
hx509_octet_string_list list;
krb5_principal principal = NULL;
@@ -1652,7 +1652,7 @@ match_ms_upn_san(krb5_context context,
*/
strupr(principal->realm);
if (krb5_principal_compare(context, principal, client->entry.principal) == FALSE)
if (krb5_principal_compare(context, principal, client->principal) == FALSE)
ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
}
@@ -1671,7 +1671,7 @@ _kdc_pk_check_client(astgs_request_t r,
{
krb5_kdc_configuration *config = r->config;
HDB *clientdb = r->clientdb;
hdb_entry_ex *client = r->client;
hdb_entry *client = r->client;
const HDB_Ext_PKINIT_acl *acl;
const HDB_Ext_PKINIT_cert *pc;
krb5_error_code ret;
@@ -1679,7 +1679,7 @@ _kdc_pk_check_client(astgs_request_t r,
size_t i;
if (cp->cert == NULL) {
if (!_kdc_is_anonymous(r->context, client->entry.principal)
if (!_kdc_is_anonymous(r->context, client->principal)
&& !config->historical_anon_realm)
return KRB5KDC_ERR_BADOPTION;
@@ -1716,7 +1716,7 @@ _kdc_pk_check_client(astgs_request_t r,
"Trying to authorize PKINIT subject DN %s",
*subject_name);
ret = hdb_entry_get_pkinit_cert(&client->entry, &pc);
ret = hdb_entry_get_pkinit_cert(client, &pc);
if (ret == 0 && pc) {
hx509_cert cert;
size_t j;
@@ -1743,7 +1743,7 @@ _kdc_pk_check_client(astgs_request_t r,
ret = match_rfc_san(r->context, config,
r->context->hx509ctx,
cp->cert,
client->entry.principal);
client->principal);
if (ret == 0) {
kdc_log(r->context, config, 5,
"Found matching PKINIT SAN in certificate");
@@ -1761,7 +1761,7 @@ _kdc_pk_check_client(astgs_request_t r,
}
}
ret = hdb_entry_get_pkinit_acl(&client->entry, &acl);
ret = hdb_entry_get_pkinit_acl(client, &acl);
if (ret == 0 && acl != NULL) {
/*
* Cheat here and compare the generated name with the string
@@ -1787,7 +1787,7 @@ _kdc_pk_check_client(astgs_request_t r,
krb5_boolean b;
b = krb5_principal_compare(r->context,
client->entry.principal,
client->principal,
principal_mappings.val[i].principal);
if (b == FALSE)
continue;