kill trailing whitespace
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@22733 ec53bebd-3082-4978-b11e-865c3cabbd6b
302
kdc/krb5tgs.c
302
kdc/krb5tgs.c
@@ -1,34 +1,34 @@
|
||||
/*
|
||||
* Copyright (c) 1997-2008 Kungliga Tekniska H<>gskolan
|
||||
* (Royal Institute of Technology, Stockholm, Sweden).
|
||||
* All rights reserved.
|
||||
* (Royal Institute of Technology, Stockholm, Sweden).
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* 3. Neither the name of the Institute nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
* 3. Neither the name of the Institute nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include "kdc_locl.h"
|
||||
@@ -39,7 +39,7 @@ RCSID("$Id$");
|
||||
* return the realm of a krbtgt-ticket or NULL
|
||||
*/
|
||||
|
||||
static Realm
|
||||
static Realm
|
||||
get_krbtgt_realm(const PrincipalName *p)
|
||||
{
|
||||
if(p->name_string.len == 2
|
||||
@@ -168,7 +168,7 @@ _kdc_add_KRB5SignedPath(krb5_context context,
|
||||
if (data.length != size)
|
||||
krb5_abortx(context, "internal asn.1 encoder error");
|
||||
|
||||
|
||||
|
||||
/*
|
||||
* Add IF-RELEVANT(KRB5SignedPath) to the last slot in
|
||||
* authorization data field.
|
||||
@@ -237,8 +237,8 @@ check_KRB5SignedPath(krb5_context context,
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
ret = krb5_verify_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH,
|
||||
data.data, data.length,
|
||||
ret = krb5_verify_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH,
|
||||
data.data, data.length,
|
||||
&sp.cksum);
|
||||
krb5_crypto_destroy(context, crypto);
|
||||
free(data.data);
|
||||
@@ -323,7 +323,7 @@ check_PAC(krb5_context context,
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
ret = krb5_pac_verify(context, pac, tkt->authtime,
|
||||
ret = krb5_pac_verify(context, pac, tkt->authtime,
|
||||
client_principal,
|
||||
krbtgt_key, NULL);
|
||||
if (ret) {
|
||||
@@ -331,7 +331,7 @@ check_PAC(krb5_context context,
|
||||
return ret;
|
||||
}
|
||||
|
||||
ret = _kdc_pac_verify(context, client_principal,
|
||||
ret = _kdc_pac_verify(context, client_principal,
|
||||
client, server, &pac);
|
||||
if (ret) {
|
||||
krb5_pac_free(context, pac);
|
||||
@@ -358,7 +358,7 @@ check_PAC(krb5_context context,
|
||||
*/
|
||||
|
||||
static krb5_error_code
|
||||
check_tgs_flags(krb5_context context,
|
||||
check_tgs_flags(krb5_context context,
|
||||
krb5_kdc_configuration *config,
|
||||
KDC_REQ_BODY *b, const EncTicketPart *tgt, EncTicketPart *et)
|
||||
{
|
||||
@@ -378,7 +378,7 @@ check_tgs_flags(krb5_context context,
|
||||
/* XXX tkt = tgt */
|
||||
et->flags.invalid = 0;
|
||||
}else if(tgt->flags.invalid){
|
||||
kdc_log(context, config, 0,
|
||||
kdc_log(context, config, 0,
|
||||
"Ticket-granting ticket has INVALID flag set");
|
||||
return KRB5KRB_AP_ERR_TKT_INVALID;
|
||||
}
|
||||
@@ -472,8 +472,8 @@ check_tgs_flags(krb5_context context,
|
||||
et->endtime = *et->starttime + old_life;
|
||||
if (et->renew_till != NULL)
|
||||
et->endtime = min(*et->renew_till, et->endtime);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
#if 0
|
||||
/* checks for excess flags */
|
||||
if(f.request_anonymous && !config->allow_anonymous){
|
||||
@@ -490,7 +490,7 @@ check_tgs_flags(krb5_context context,
|
||||
*/
|
||||
|
||||
static krb5_error_code
|
||||
check_constrained_delegation(krb5_context context,
|
||||
check_constrained_delegation(krb5_context context,
|
||||
krb5_kdc_configuration *config,
|
||||
hdb_entry_ex *client,
|
||||
krb5_const_principal server)
|
||||
@@ -521,7 +521,7 @@ check_constrained_delegation(krb5_context context,
|
||||
*/
|
||||
|
||||
static krb5_error_code
|
||||
verify_flags (krb5_context context,
|
||||
verify_flags (krb5_context context,
|
||||
krb5_kdc_configuration *config,
|
||||
const EncTicketPart *et,
|
||||
const char *pstr)
|
||||
@@ -542,13 +542,13 @@ verify_flags (krb5_context context,
|
||||
*/
|
||||
|
||||
static krb5_error_code
|
||||
fix_transited_encoding(krb5_context context,
|
||||
fix_transited_encoding(krb5_context context,
|
||||
krb5_kdc_configuration *config,
|
||||
krb5_boolean check_policy,
|
||||
const TransitedEncoding *tr,
|
||||
EncTicketPart *et,
|
||||
const char *client_realm,
|
||||
const char *server_realm,
|
||||
const TransitedEncoding *tr,
|
||||
EncTicketPart *et,
|
||||
const char *client_realm,
|
||||
const char *server_realm,
|
||||
const char *tgt_realm)
|
||||
{
|
||||
krb5_error_code ret = 0;
|
||||
@@ -575,9 +575,9 @@ fix_transited_encoding(krb5_context context,
|
||||
return KRB5KDC_ERR_TRTYPE_NOSUPP;
|
||||
}
|
||||
|
||||
ret = krb5_domain_x500_decode(context,
|
||||
ret = krb5_domain_x500_decode(context,
|
||||
tr->contents,
|
||||
&realms,
|
||||
&realms,
|
||||
&num_realms,
|
||||
client_realm,
|
||||
server_realm);
|
||||
@@ -606,7 +606,7 @@ fix_transited_encoding(krb5_context context,
|
||||
num_realms++;
|
||||
}
|
||||
if(num_realms == 0) {
|
||||
if(strcmp(client_realm, server_realm))
|
||||
if(strcmp(client_realm, server_realm))
|
||||
kdc_log(context, config, 0,
|
||||
"cross-realm %s -> %s", client_realm, server_realm);
|
||||
} else {
|
||||
@@ -629,11 +629,11 @@ fix_transited_encoding(krb5_context context,
|
||||
}
|
||||
}
|
||||
if(check_policy) {
|
||||
ret = krb5_check_transited(context, client_realm,
|
||||
server_realm,
|
||||
ret = krb5_check_transited(context, client_realm,
|
||||
server_realm,
|
||||
realms, num_realms, NULL);
|
||||
if(ret) {
|
||||
krb5_warn(context, ret, "cross-realm %s -> %s",
|
||||
krb5_warn(context, ret, "cross-realm %s -> %s",
|
||||
client_realm, server_realm);
|
||||
goto free_realms;
|
||||
}
|
||||
@@ -652,19 +652,19 @@ fix_transited_encoding(krb5_context context,
|
||||
|
||||
|
||||
static krb5_error_code
|
||||
tgs_make_reply(krb5_context context,
|
||||
tgs_make_reply(krb5_context context,
|
||||
krb5_kdc_configuration *config,
|
||||
KDC_REQ_BODY *b,
|
||||
KDC_REQ_BODY *b,
|
||||
krb5_const_principal tgt_name,
|
||||
const EncTicketPart *tgt,
|
||||
const EncTicketPart *tgt,
|
||||
const EncryptionKey *serverkey,
|
||||
const krb5_keyblock *sessionkey,
|
||||
krb5_kvno kvno,
|
||||
AuthorizationData *auth_data,
|
||||
hdb_entry_ex *server,
|
||||
const char *server_name,
|
||||
hdb_entry_ex *client,
|
||||
krb5_principal client_principal,
|
||||
hdb_entry_ex *server,
|
||||
const char *server_name,
|
||||
hdb_entry_ex *client,
|
||||
krb5_principal client_principal,
|
||||
hdb_entry_ex *krbtgt,
|
||||
krb5_enctype krbtgt_etype,
|
||||
KRB5SignedPathPrincipals *spp,
|
||||
@@ -677,11 +677,11 @@ tgs_make_reply(krb5_context context,
|
||||
EncTicketPart et;
|
||||
KDCOptions f = b->kdc_options;
|
||||
krb5_error_code ret;
|
||||
|
||||
|
||||
memset(&rep, 0, sizeof(rep));
|
||||
memset(&et, 0, sizeof(et));
|
||||
memset(&ek, 0, sizeof(ek));
|
||||
|
||||
|
||||
rep.pvno = 5;
|
||||
rep.msg_type = krb_tgs_rep;
|
||||
|
||||
@@ -690,7 +690,7 @@ tgs_make_reply(krb5_context context,
|
||||
et.endtime = min(tgt->endtime, *b->till);
|
||||
ALLOC(et.starttime);
|
||||
*et.starttime = kdc_time;
|
||||
|
||||
|
||||
ret = check_tgs_flags(context, config, b, tgt, &et);
|
||||
if(ret)
|
||||
goto out;
|
||||
@@ -714,11 +714,11 @@ tgs_make_reply(krb5_context context,
|
||||
#define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0
|
||||
#define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0
|
||||
|
||||
ret = fix_transited_encoding(context, config,
|
||||
ret = fix_transited_encoding(context, config,
|
||||
!f.disable_transited_check ||
|
||||
GLOBAL_FORCE_TRANSITED_CHECK ||
|
||||
PRINCIPAL_FORCE_TRANSITED_CHECK(server) ||
|
||||
!((GLOBAL_ALLOW_PER_PRINCIPAL &&
|
||||
!((GLOBAL_ALLOW_PER_PRINCIPAL &&
|
||||
PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) ||
|
||||
GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
|
||||
&tgt->transited, &et,
|
||||
@@ -728,7 +728,7 @@ tgs_make_reply(krb5_context context,
|
||||
if(ret)
|
||||
goto out;
|
||||
|
||||
copy_Realm(krb5_princ_realm(context, server->entry.principal),
|
||||
copy_Realm(krb5_princ_realm(context, server->entry.principal),
|
||||
&rep.ticket.realm);
|
||||
_krb5_principal2principalname(&rep.ticket.sname, server->entry.principal);
|
||||
copy_Realm(&tgt_name->realm, &rep.crealm);
|
||||
@@ -753,7 +753,7 @@ tgs_make_reply(krb5_context context,
|
||||
life = min(life, *server->entry.max_life);
|
||||
et.endtime = *et.starttime + life;
|
||||
}
|
||||
if(f.renewable_ok && tgt->flags.renewable &&
|
||||
if(f.renewable_ok && tgt->flags.renewable &&
|
||||
et.renew_till == NULL && et.endtime < *b->till){
|
||||
et.flags.renewable = 1;
|
||||
ALLOC(et.renew_till);
|
||||
@@ -768,13 +768,13 @@ tgs_make_reply(krb5_context context,
|
||||
renew = min(renew, *server->entry.max_renew);
|
||||
*et.renew_till = et.authtime + renew;
|
||||
}
|
||||
|
||||
|
||||
if(et.renew_till){
|
||||
*et.renew_till = min(*et.renew_till, *tgt->renew_till);
|
||||
*et.starttime = min(*et.starttime, *et.renew_till);
|
||||
et.endtime = min(et.endtime, *et.renew_till);
|
||||
}
|
||||
|
||||
|
||||
*et.starttime = min(*et.starttime, et.endtime);
|
||||
|
||||
if(*et.starttime == et.endtime){
|
||||
@@ -786,12 +786,12 @@ tgs_make_reply(krb5_context context,
|
||||
et.renew_till = NULL;
|
||||
et.flags.renewable = 0;
|
||||
}
|
||||
|
||||
|
||||
et.flags.pre_authent = tgt->flags.pre_authent;
|
||||
et.flags.hw_authent = tgt->flags.hw_authent;
|
||||
et.flags.anonymous = tgt->flags.anonymous;
|
||||
et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
|
||||
|
||||
|
||||
if (auth_data) {
|
||||
/* XXX Check enc-authorization-data */
|
||||
et.authorization_data = calloc(1, sizeof(*et.authorization_data));
|
||||
@@ -835,7 +835,7 @@ tgs_make_reply(krb5_context context,
|
||||
goto out;
|
||||
et.crealm = tgt->crealm;
|
||||
et.cname = tgt_name->name;
|
||||
|
||||
|
||||
ek.key = et.key;
|
||||
/* MIT must have at least one last_req */
|
||||
ek.last_req.len = 1;
|
||||
@@ -852,8 +852,8 @@ tgs_make_reply(krb5_context context,
|
||||
ek.renew_till = et.renew_till;
|
||||
ek.srealm = rep.ticket.realm;
|
||||
ek.sname = rep.ticket.sname;
|
||||
|
||||
_kdc_log_timestamp(context, config, "TGS-REQ", et.authtime, et.starttime,
|
||||
|
||||
_kdc_log_timestamp(context, config, "TGS-REQ", et.authtime, et.starttime,
|
||||
et.endtime, et.renew_till);
|
||||
|
||||
/* Don't sign cross realm tickets, they can't be checked anyway */
|
||||
@@ -883,9 +883,9 @@ tgs_make_reply(krb5_context context,
|
||||
CAST session key. Should the DES3 etype be added to the
|
||||
etype list, even if we don't want a session key with
|
||||
DES3? */
|
||||
ret = _kdc_encode_reply(context, config,
|
||||
ret = _kdc_encode_reply(context, config,
|
||||
&rep, &et, &ek, et.key.keytype,
|
||||
kvno,
|
||||
kvno,
|
||||
serverkey, 0, &tgt->key, e_text, reply);
|
||||
out:
|
||||
free_TGS_REP(&rep);
|
||||
@@ -905,10 +905,10 @@ out:
|
||||
}
|
||||
|
||||
static krb5_error_code
|
||||
tgs_check_authenticator(krb5_context context,
|
||||
tgs_check_authenticator(krb5_context context,
|
||||
krb5_kdc_configuration *config,
|
||||
krb5_auth_context ac,
|
||||
KDC_REQ_BODY *b,
|
||||
KDC_REQ_BODY *b,
|
||||
const char **e_text,
|
||||
krb5_keyblock *key)
|
||||
{
|
||||
@@ -918,7 +918,7 @@ tgs_check_authenticator(krb5_context context,
|
||||
size_t buf_size;
|
||||
krb5_error_code ret;
|
||||
krb5_crypto crypto;
|
||||
|
||||
|
||||
krb5_auth_con_getauthenticator(context, ac, &auth);
|
||||
if(auth->cksum == NULL){
|
||||
kdc_log(context, config, 0, "No authenticator in request");
|
||||
@@ -935,7 +935,7 @@ tgs_check_authenticator(krb5_context context,
|
||||
||
|
||||
#endif
|
||||
!krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
|
||||
kdc_log(context, config, 0, "Bad checksum type in authenticator: %d",
|
||||
kdc_log(context, config, 0, "Bad checksum type in authenticator: %d",
|
||||
auth->cksum->cksumtype);
|
||||
ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
|
||||
goto out;
|
||||
@@ -944,7 +944,7 @@ tgs_check_authenticator(krb5_context context,
|
||||
/* XXX should not re-encode this */
|
||||
ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
|
||||
if(ret){
|
||||
kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s",
|
||||
kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s",
|
||||
krb5_get_err_text(context, ret));
|
||||
goto out;
|
||||
}
|
||||
@@ -965,14 +965,14 @@ tgs_check_authenticator(krb5_context context,
|
||||
ret = krb5_verify_checksum(context,
|
||||
crypto,
|
||||
KRB5_KU_TGS_REQ_AUTH_CKSUM,
|
||||
buf,
|
||||
buf,
|
||||
len,
|
||||
auth->cksum);
|
||||
free(buf);
|
||||
krb5_crypto_destroy(context, crypto);
|
||||
if(ret){
|
||||
kdc_log(context, config, 0,
|
||||
"Failed to verify authenticator checksum: %s",
|
||||
"Failed to verify authenticator checksum: %s",
|
||||
krb5_get_err_text(context, ret));
|
||||
}
|
||||
out:
|
||||
@@ -990,13 +990,13 @@ find_rpath(krb5_context context, Realm crealm, Realm srealm)
|
||||
{
|
||||
const char *new_realm = krb5_config_get_string(context,
|
||||
NULL,
|
||||
"capaths",
|
||||
"capaths",
|
||||
crealm,
|
||||
srealm,
|
||||
NULL);
|
||||
return new_realm;
|
||||
}
|
||||
|
||||
|
||||
|
||||
static krb5_boolean
|
||||
need_referral(krb5_context context, krb5_kdc_configuration *config,
|
||||
@@ -1007,21 +1007,21 @@ need_referral(krb5_context context, krb5_kdc_configuration *config,
|
||||
|
||||
if(!options->canonicalize && server->name.name_type != KRB5_NT_SRV_INST)
|
||||
return FALSE;
|
||||
|
||||
|
||||
if (server->name.name_string.len == 1)
|
||||
name = server->name.name_string.val[0];
|
||||
if (server->name.name_string.len > 1)
|
||||
name = server->name.name_string.val[1];
|
||||
else
|
||||
return FALSE;
|
||||
|
||||
|
||||
kdc_log(context, config, 0, "Searching referral for %s", name);
|
||||
|
||||
return _krb5_get_host_realm_int(context, name, FALSE, realms) == 0;
|
||||
}
|
||||
|
||||
static krb5_error_code
|
||||
tgs_parse_request(krb5_context context,
|
||||
tgs_parse_request(krb5_context context,
|
||||
krb5_kdc_configuration *config,
|
||||
KDC_REQ_BODY *b,
|
||||
const PA_DATA *tgs_req,
|
||||
@@ -1051,7 +1051,7 @@ tgs_parse_request(krb5_context context,
|
||||
memset(&ap_req, 0, sizeof(ap_req));
|
||||
ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
|
||||
if(ret){
|
||||
kdc_log(context, config, 0, "Failed to decode AP-REQ: %s",
|
||||
kdc_log(context, config, 0, "Failed to decode AP-REQ: %s",
|
||||
krb5_get_err_text(context, ret));
|
||||
goto out;
|
||||
}
|
||||
@@ -1062,12 +1062,12 @@ tgs_parse_request(krb5_context context,
|
||||
ret = KRB5KDC_ERR_POLICY; /* ? */
|
||||
goto out;
|
||||
}
|
||||
|
||||
|
||||
_krb5_principalname2krb5_principal(context,
|
||||
&princ,
|
||||
ap_req.ticket.sname,
|
||||
ap_req.ticket.realm);
|
||||
|
||||
|
||||
ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, NULL, krbtgt);
|
||||
|
||||
if(ret) {
|
||||
@@ -1084,8 +1084,8 @@ tgs_parse_request(krb5_context context,
|
||||
ret = KRB5KRB_AP_ERR_NOT_US;
|
||||
goto out;
|
||||
}
|
||||
|
||||
if(ap_req.ticket.enc_part.kvno &&
|
||||
|
||||
if(ap_req.ticket.enc_part.kvno &&
|
||||
*ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
|
||||
char *p;
|
||||
|
||||
@@ -1094,7 +1094,7 @@ tgs_parse_request(krb5_context context,
|
||||
if (ret != 0)
|
||||
p = "<unparse_name failed>";
|
||||
kdc_log(context, config, 0,
|
||||
"Ticket kvno = %d, DB kvno = %d (%s)",
|
||||
"Ticket kvno = %d, DB kvno = %d (%s)",
|
||||
*ap_req.ticket.enc_part.kvno,
|
||||
(*krbtgt)->entry.kvno,
|
||||
p);
|
||||
@@ -1106,7 +1106,7 @@ tgs_parse_request(krb5_context context,
|
||||
|
||||
*krbtgt_etype = ap_req.ticket.enc_part.etype;
|
||||
|
||||
ret = hdb_enctype2key(context, &(*krbtgt)->entry,
|
||||
ret = hdb_enctype2key(context, &(*krbtgt)->entry,
|
||||
ap_req.ticket.enc_part.etype, &tkey);
|
||||
if(ret){
|
||||
char *str = NULL, *p = NULL;
|
||||
@@ -1122,7 +1122,7 @@ tgs_parse_request(krb5_context context,
|
||||
ret = KRB5KRB_AP_ERR_BADKEYVER;
|
||||
goto out;
|
||||
}
|
||||
|
||||
|
||||
if (b->kdc_options.validate)
|
||||
verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID;
|
||||
else
|
||||
@@ -1137,10 +1137,10 @@ tgs_parse_request(krb5_context context,
|
||||
&ap_req_options,
|
||||
ticket,
|
||||
KRB5_KU_TGS_REQ_AUTH);
|
||||
|
||||
|
||||
krb5_free_principal(context, princ);
|
||||
if(ret) {
|
||||
kdc_log(context, config, 0, "Failed to verify AP-REQ: %s",
|
||||
kdc_log(context, config, 0, "Failed to verify AP-REQ: %s",
|
||||
krb5_get_err_text(context, ret));
|
||||
goto out;
|
||||
}
|
||||
@@ -1168,7 +1168,7 @@ tgs_parse_request(krb5_context context,
|
||||
}
|
||||
}
|
||||
|
||||
ret = tgs_check_authenticator(context, config,
|
||||
ret = tgs_check_authenticator(context, config,
|
||||
ac, b, e_text, &(*ticket)->ticket.key);
|
||||
if (ret) {
|
||||
krb5_auth_con_free(context, ac);
|
||||
@@ -1185,7 +1185,7 @@ tgs_parse_request(krb5_context context,
|
||||
&subkey);
|
||||
if(ret){
|
||||
krb5_auth_con_free(context, ac);
|
||||
kdc_log(context, config, 0, "Failed to get remote subkey: %s",
|
||||
kdc_log(context, config, 0, "Failed to get remote subkey: %s",
|
||||
krb5_get_err_text(context, ret));
|
||||
goto out;
|
||||
}
|
||||
@@ -1194,7 +1194,7 @@ tgs_parse_request(krb5_context context,
|
||||
ret = krb5_auth_con_getkey(context, ac, &subkey);
|
||||
if(ret) {
|
||||
krb5_auth_con_free(context, ac);
|
||||
kdc_log(context, config, 0, "Failed to get session key: %s",
|
||||
kdc_log(context, config, 0, "Failed to get session key: %s",
|
||||
krb5_get_err_text(context, ret));
|
||||
goto out;
|
||||
}
|
||||
@@ -1221,7 +1221,7 @@ tgs_parse_request(krb5_context context,
|
||||
krb5_crypto_destroy(context, crypto);
|
||||
if(ret){
|
||||
krb5_auth_con_free(context, ac);
|
||||
kdc_log(context, config, 0,
|
||||
kdc_log(context, config, 0,
|
||||
"Failed to decrypt enc-authorization-data");
|
||||
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
|
||||
goto out;
|
||||
@@ -1245,10 +1245,10 @@ tgs_parse_request(krb5_context context,
|
||||
}
|
||||
|
||||
krb5_auth_con_free(context, ac);
|
||||
|
||||
|
||||
out:
|
||||
free_AP_REQ(&ap_req);
|
||||
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -1260,7 +1260,7 @@ tgs_build_referral(krb5_context context,
|
||||
const PrincipalName *true_principal_name,
|
||||
const PrincipalName *requested_principal,
|
||||
krb5_data *outdata)
|
||||
{
|
||||
{
|
||||
PA_ServerReferralData ref;
|
||||
krb5_error_code ret;
|
||||
EncryptedData ed;
|
||||
@@ -1278,7 +1278,7 @@ tgs_build_referral(krb5_context context,
|
||||
goto eout;
|
||||
}
|
||||
if (true_principal_name) {
|
||||
ref.true_principal_name =
|
||||
ref.true_principal_name =
|
||||
malloc(sizeof(ref.true_principal_name));
|
||||
if (ref.true_principal_name == NULL)
|
||||
goto eout;
|
||||
@@ -1287,17 +1287,17 @@ tgs_build_referral(krb5_context context,
|
||||
goto eout;
|
||||
}
|
||||
if (requested_principal) {
|
||||
ref.requested_principal_name =
|
||||
ref.requested_principal_name =
|
||||
malloc(sizeof(ref.requested_principal_name));
|
||||
if (ref.requested_principal_name == NULL)
|
||||
goto eout;
|
||||
ret = copy_PrincipalName(requested_principal,
|
||||
ret = copy_PrincipalName(requested_principal,
|
||||
ref.requested_principal_name);
|
||||
if (ret)
|
||||
goto eout;
|
||||
}
|
||||
|
||||
ASN1_MALLOC_ENCODE(PA_ServerReferralData,
|
||||
ASN1_MALLOC_ENCODE(PA_ServerReferralData,
|
||||
data.data, data.length,
|
||||
&ref, &size, ret);
|
||||
free_PA_ServerReferralData(&ref);
|
||||
@@ -1314,7 +1314,7 @@ tgs_build_referral(krb5_context context,
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
ASN1_MALLOC_ENCODE(EncryptedData,
|
||||
ASN1_MALLOC_ENCODE(EncryptedData,
|
||||
outdata->data, outdata->length,
|
||||
&ed, &size, ret);
|
||||
free_EncryptedData(&ed);
|
||||
@@ -1331,9 +1331,9 @@ eout:
|
||||
}
|
||||
|
||||
static krb5_error_code
|
||||
tgs_build_reply(krb5_context context,
|
||||
tgs_build_reply(krb5_context context,
|
||||
krb5_kdc_configuration *config,
|
||||
KDC_REQ *req,
|
||||
KDC_REQ *req,
|
||||
KDC_REQ_BODY *b,
|
||||
hdb_entry_ex *krbtgt,
|
||||
krb5_enctype krbtgt_etype,
|
||||
@@ -1378,8 +1378,8 @@ tgs_build_reply(krb5_context context,
|
||||
hdb_entry_ex *uu;
|
||||
krb5_principal p;
|
||||
Key *uukey;
|
||||
|
||||
if(b->additional_tickets == NULL ||
|
||||
|
||||
if(b->additional_tickets == NULL ||
|
||||
b->additional_tickets->len == 0){
|
||||
ret = KRB5KDC_ERR_BADOPTION; /* ? */
|
||||
kdc_log(context, config, 0,
|
||||
@@ -1394,8 +1394,8 @@ tgs_build_reply(krb5_context context,
|
||||
goto out;
|
||||
}
|
||||
_krb5_principalname2krb5_principal(context, &p, t->sname, t->realm);
|
||||
ret = _kdc_db_fetch(context, config, p,
|
||||
HDB_F_GET_CLIENT|HDB_F_GET_SERVER,
|
||||
ret = _kdc_db_fetch(context, config, p,
|
||||
HDB_F_GET_CLIENT|HDB_F_GET_SERVER,
|
||||
NULL, &uu);
|
||||
krb5_free_principal(context, p);
|
||||
if(ret){
|
||||
@@ -1403,7 +1403,7 @@ tgs_build_reply(krb5_context context,
|
||||
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
|
||||
goto out;
|
||||
}
|
||||
ret = hdb_enctype2key(context, &uu->entry,
|
||||
ret = hdb_enctype2key(context, &uu->entry,
|
||||
t->enc_part.etype, &uukey);
|
||||
if(ret){
|
||||
_kdc_free_ent(context, uu);
|
||||
@@ -1436,7 +1436,7 @@ tgs_build_reply(krb5_context context,
|
||||
opt_str, sizeof(opt_str));
|
||||
if(*opt_str)
|
||||
kdc_log(context, config, 0,
|
||||
"TGS-REQ %s from %s for %s [%s]",
|
||||
"TGS-REQ %s from %s for %s [%s]",
|
||||
cpn, from, spn, opt_str);
|
||||
else
|
||||
kdc_log(context, config, 0,
|
||||
@@ -1459,11 +1459,11 @@ server_lookup:
|
||||
new_rlm = find_rpath(context, tgt->crealm, req_rlm);
|
||||
if(new_rlm) {
|
||||
kdc_log(context, config, 5, "krbtgt for realm %s "
|
||||
"not found, trying %s",
|
||||
"not found, trying %s",
|
||||
req_rlm, new_rlm);
|
||||
krb5_free_principal(context, sp);
|
||||
free(spn);
|
||||
krb5_make_principal(context, &sp, r,
|
||||
krb5_make_principal(context, &sp, r,
|
||||
KRB5_TGS_NAME, new_rlm, NULL);
|
||||
ret = krb5_unparse_name(context, sp, &spn);
|
||||
if (ret)
|
||||
@@ -1508,7 +1508,7 @@ server_lookup:
|
||||
|
||||
ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT, NULL, &client);
|
||||
if(ret) {
|
||||
const char *krbtgt_realm;
|
||||
const char *krbtgt_realm;
|
||||
|
||||
/*
|
||||
* If the client belongs to the same realm as our krbtgt, it
|
||||
@@ -1516,8 +1516,8 @@ server_lookup:
|
||||
*
|
||||
*/
|
||||
|
||||
krbtgt_realm =
|
||||
krb5_principal_get_comp_string(context,
|
||||
krbtgt_realm =
|
||||
krb5_principal_get_comp_string(context,
|
||||
krbtgt->entry.principal, 1);
|
||||
|
||||
if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
|
||||
@@ -1533,7 +1533,7 @@ server_lookup:
|
||||
|
||||
cross_realm = 1;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Select enctype, return key and kvno.
|
||||
*/
|
||||
@@ -1548,7 +1548,7 @@ server_lookup:
|
||||
if (b->etype.val[i] == adtkt.key.keytype)
|
||||
break;
|
||||
if(i == b->etype.len) {
|
||||
kdc_log(context, config, 0,
|
||||
kdc_log(context, config, 0,
|
||||
"Addition ticket have not matching etypes", spp);
|
||||
krb5_clear_error_string(context);
|
||||
return KRB5KDC_ERR_ETYPE_NOSUPP;
|
||||
@@ -1557,11 +1557,11 @@ server_lookup:
|
||||
kvno = 0;
|
||||
} else {
|
||||
Key *skey;
|
||||
|
||||
|
||||
ret = _kdc_find_etype(context, server, b->etype.val, b->etype.len,
|
||||
&skey, &etype);
|
||||
if(ret) {
|
||||
kdc_log(context, config, 0,
|
||||
kdc_log(context, config, 0,
|
||||
"Server (%s) has no support for etypes", spp);
|
||||
return ret;
|
||||
}
|
||||
@@ -1583,10 +1583,10 @@ server_lookup:
|
||||
* not the same, it's someone that is using a uni-directional trust
|
||||
* backward.
|
||||
*/
|
||||
|
||||
|
||||
if (strcmp(krb5_principal_get_realm(context, sp),
|
||||
krb5_principal_get_comp_string(context,
|
||||
krbtgt->entry.principal,
|
||||
krb5_principal_get_comp_string(context,
|
||||
krbtgt->entry.principal,
|
||||
1)) != 0) {
|
||||
char *tpn;
|
||||
ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
|
||||
@@ -1603,7 +1603,7 @@ server_lookup:
|
||||
if (!cross_realm) {
|
||||
Key *tkey;
|
||||
|
||||
ret = hdb_enctype2key(context, &krbtgt->entry,
|
||||
ret = hdb_enctype2key(context, &krbtgt->entry,
|
||||
krbtgt_etype, &tkey);
|
||||
if(ret) {
|
||||
kdc_log(context, config, 0,
|
||||
@@ -1611,7 +1611,7 @@ server_lookup:
|
||||
goto out;
|
||||
}
|
||||
|
||||
ret = check_PAC(context, config, cp,
|
||||
ret = check_PAC(context, config, cp,
|
||||
client, server, ekey, &tkey->key,
|
||||
tgt, &rspac, &signedpath);
|
||||
if (ret) {
|
||||
@@ -1654,7 +1654,7 @@ server_lookup:
|
||||
char *selfcpn = NULL;
|
||||
const char *str;
|
||||
|
||||
ret = decode_PA_S4U2Self(sdata->padata_value.data,
|
||||
ret = decode_PA_S4U2Self(sdata->padata_value.data,
|
||||
sdata->padata_value.length,
|
||||
&self, NULL);
|
||||
if (ret) {
|
||||
@@ -1678,14 +1678,14 @@ server_lookup:
|
||||
ret = krb5_verify_checksum(context,
|
||||
crypto,
|
||||
KRB5_KU_OTHER_CKSUM,
|
||||
datack.data,
|
||||
datack.length,
|
||||
datack.data,
|
||||
datack.length,
|
||||
&self.cksum);
|
||||
krb5_data_free(&datack);
|
||||
krb5_crypto_destroy(context, crypto);
|
||||
if (ret) {
|
||||
free_PA_S4U2Self(&self);
|
||||
kdc_log(context, config, 0,
|
||||
kdc_log(context, config, 0,
|
||||
"krb5_verify_checksum failed for S4U2Self: %s",
|
||||
krb5_get_err_text(context, ret));
|
||||
goto out;
|
||||
@@ -1748,7 +1748,7 @@ server_lookup:
|
||||
Ticket *t;
|
||||
char *str;
|
||||
|
||||
/*
|
||||
/*
|
||||
* Require that the KDC have issued the service's krbtgt (not
|
||||
* self-issued ticket with kimpersonate(1).
|
||||
*/
|
||||
@@ -1762,7 +1762,7 @@ server_lookup:
|
||||
|
||||
t = &b->additional_tickets->val[0];
|
||||
|
||||
ret = hdb_enctype2key(context, &client->entry,
|
||||
ret = hdb_enctype2key(context, &client->entry,
|
||||
t->enc_part.etype, &clientkey);
|
||||
if(ret){
|
||||
ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
|
||||
@@ -1789,7 +1789,7 @@ server_lookup:
|
||||
ret = check_constrained_delegation(context, config, client, sp);
|
||||
if (ret) {
|
||||
kdc_log(context, config, 0,
|
||||
"constrained delegation from %s to %s not allowed",
|
||||
"constrained delegation from %s to %s not allowed",
|
||||
spn, cpn);
|
||||
goto out;
|
||||
}
|
||||
@@ -1841,15 +1841,15 @@ server_lookup:
|
||||
* Check flags
|
||||
*/
|
||||
|
||||
ret = _kdc_check_flags(context, config,
|
||||
ret = _kdc_check_flags(context, config,
|
||||
client, cpn,
|
||||
server, spn,
|
||||
FALSE);
|
||||
if(ret)
|
||||
goto out;
|
||||
|
||||
if((b->kdc_options.validate || b->kdc_options.renew) &&
|
||||
!krb5_principal_compare(context,
|
||||
if((b->kdc_options.validate || b->kdc_options.renew) &&
|
||||
!krb5_principal_compare(context,
|
||||
krbtgt->entry.principal,
|
||||
server->entry.principal)){
|
||||
kdc_log(context, config, 0, "Inconsistent request.");
|
||||
@@ -1909,19 +1909,19 @@ server_lookup:
|
||||
*/
|
||||
|
||||
ret = tgs_make_reply(context,
|
||||
config,
|
||||
b,
|
||||
config,
|
||||
b,
|
||||
client_principal,
|
||||
tgt,
|
||||
tgt,
|
||||
ekey,
|
||||
&sessionkey,
|
||||
kvno,
|
||||
*auth_data,
|
||||
server,
|
||||
server,
|
||||
spn,
|
||||
client,
|
||||
cp,
|
||||
krbtgt,
|
||||
client,
|
||||
cp,
|
||||
krbtgt,
|
||||
krbtgt_etype,
|
||||
spp,
|
||||
&rspac,
|
||||
@@ -1931,7 +1931,7 @@ server_lookup:
|
||||
out:
|
||||
free(spn);
|
||||
free(cpn);
|
||||
|
||||
|
||||
krb5_data_free(&rspac);
|
||||
krb5_free_keyblock_contents(context, &sessionkey);
|
||||
if(server)
|
||||
@@ -1958,9 +1958,9 @@ out:
|
||||
*/
|
||||
|
||||
krb5_error_code
|
||||
_kdc_tgs_rep(krb5_context context,
|
||||
_kdc_tgs_rep(krb5_context context,
|
||||
krb5_kdc_configuration *config,
|
||||
KDC_REQ *req,
|
||||
KDC_REQ *req,
|
||||
krb5_data *data,
|
||||
const char *from,
|
||||
struct sockaddr *from_addr,
|
||||
@@ -1985,17 +1985,17 @@ _kdc_tgs_rep(krb5_context context,
|
||||
"TGS-REQ from %s without PA-DATA", from);
|
||||
goto out;
|
||||
}
|
||||
|
||||
|
||||
tgs_req = _kdc_find_padata(req, &i, KRB5_PADATA_TGS_REQ);
|
||||
|
||||
if(tgs_req == NULL){
|
||||
ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
|
||||
|
||||
kdc_log(context, config, 0,
|
||||
kdc_log(context, config, 0,
|
||||
"TGS-REQ from %s without PA-TGS-REQ", from);
|
||||
goto out;
|
||||
}
|
||||
ret = tgs_parse_request(context, config,
|
||||
ret = tgs_parse_request(context, config,
|
||||
&req->req_body, tgs_req,
|
||||
&krbtgt,
|
||||
&krbtgt_etype,
|
||||
@@ -2005,7 +2005,7 @@ _kdc_tgs_rep(krb5_context context,
|
||||
&csec, &cusec,
|
||||
&auth_data);
|
||||
if (ret) {
|
||||
kdc_log(context, config, 0,
|
||||
kdc_log(context, config, 0,
|
||||
"Failed parsing TGS-REQ from %s", from);
|
||||
goto out;
|
||||
}
|
||||
@@ -2024,7 +2024,7 @@ _kdc_tgs_rep(krb5_context context,
|
||||
from_addr,
|
||||
datagram_reply);
|
||||
if (ret) {
|
||||
kdc_log(context, config, 0,
|
||||
kdc_log(context, config, 0,
|
||||
"Failed building TGS-REP to %s", from);
|
||||
goto out;
|
||||
}
|
||||
|