kill trailing whitespace

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@22733 ec53bebd-3082-4978-b11e-865c3cabbd6b
Love Hörnquist Åstrand
2008-03-24 12:07:05 +00:00
parent b0aae2d071
commit 294999cc14


@@ -1,34 +1,34 @@
/*
* Copyright (c) 1997-2008 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "kdc_locl.h"
@@ -39,7 +39,7 @@ RCSID("$Id$");
* return the realm of a krbtgt-ticket or NULL
*/
static Realm
static Realm
get_krbtgt_realm(const PrincipalName *p)
{
if(p->name_string.len == 2
@@ -168,7 +168,7 @@ _kdc_add_KRB5SignedPath(krb5_context context,
if (data.length != size)
krb5_abortx(context, "internal asn.1 encoder error");
/*
* Add IF-RELEVANT(KRB5SignedPath) to the last slot in
* authorization data field.
@@ -237,8 +237,8 @@ check_KRB5SignedPath(krb5_context context,
return ret;
}
}
ret = krb5_verify_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH,
data.data, data.length,
ret = krb5_verify_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH,
data.data, data.length,
&sp.cksum);
krb5_crypto_destroy(context, crypto);
free(data.data);
@@ -323,7 +323,7 @@ check_PAC(krb5_context context,
if (ret)
return ret;
ret = krb5_pac_verify(context, pac, tkt->authtime,
ret = krb5_pac_verify(context, pac, tkt->authtime,
client_principal,
krbtgt_key, NULL);
if (ret) {
@@ -331,7 +331,7 @@ check_PAC(krb5_context context,
return ret;
}
ret = _kdc_pac_verify(context, client_principal,
ret = _kdc_pac_verify(context, client_principal,
client, server, &pac);
if (ret) {
krb5_pac_free(context, pac);
@@ -358,7 +358,7 @@ check_PAC(krb5_context context,
*/
static krb5_error_code
check_tgs_flags(krb5_context context,
check_tgs_flags(krb5_context context,
krb5_kdc_configuration *config,
KDC_REQ_BODY *b, const EncTicketPart *tgt, EncTicketPart *et)
{
@@ -378,7 +378,7 @@ check_tgs_flags(krb5_context context,
/* XXX tkt = tgt */
et->flags.invalid = 0;
}else if(tgt->flags.invalid){
kdc_log(context, config, 0,
kdc_log(context, config, 0,
"Ticket-granting ticket has INVALID flag set");
return KRB5KRB_AP_ERR_TKT_INVALID;
}
@@ -472,8 +472,8 @@ check_tgs_flags(krb5_context context,
et->endtime = *et->starttime + old_life;
if (et->renew_till != NULL)
et->endtime = min(*et->renew_till, et->endtime);
}
}
#if 0
/* checks for excess flags */
if(f.request_anonymous && !config->allow_anonymous){
@@ -490,7 +490,7 @@ check_tgs_flags(krb5_context context,
*/
static krb5_error_code
check_constrained_delegation(krb5_context context,
check_constrained_delegation(krb5_context context,
krb5_kdc_configuration *config,
hdb_entry_ex *client,
krb5_const_principal server)
@@ -521,7 +521,7 @@ check_constrained_delegation(krb5_context context,
*/
static krb5_error_code
verify_flags (krb5_context context,
verify_flags (krb5_context context,
krb5_kdc_configuration *config,
const EncTicketPart *et,
const char *pstr)
@@ -542,13 +542,13 @@ verify_flags (krb5_context context,
*/
static krb5_error_code
fix_transited_encoding(krb5_context context,
fix_transited_encoding(krb5_context context,
krb5_kdc_configuration *config,
krb5_boolean check_policy,
const TransitedEncoding *tr,
EncTicketPart *et,
const char *client_realm,
const char *server_realm,
const TransitedEncoding *tr,
EncTicketPart *et,
const char *client_realm,
const char *server_realm,
const char *tgt_realm)
{
krb5_error_code ret = 0;
@@ -575,9 +575,9 @@ fix_transited_encoding(krb5_context context,
return KRB5KDC_ERR_TRTYPE_NOSUPP;
}
ret = krb5_domain_x500_decode(context,
ret = krb5_domain_x500_decode(context,
tr->contents,
&realms,
&realms,
&num_realms,
client_realm,
server_realm);
@@ -606,7 +606,7 @@ fix_transited_encoding(krb5_context context,
num_realms++;
}
if(num_realms == 0) {
if(strcmp(client_realm, server_realm))
if(strcmp(client_realm, server_realm))
kdc_log(context, config, 0,
"cross-realm %s -> %s", client_realm, server_realm);
} else {
@@ -629,11 +629,11 @@ fix_transited_encoding(krb5_context context,
}
}
if(check_policy) {
ret = krb5_check_transited(context, client_realm,
server_realm,
ret = krb5_check_transited(context, client_realm,
server_realm,
realms, num_realms, NULL);
if(ret) {
krb5_warn(context, ret, "cross-realm %s -> %s",
krb5_warn(context, ret, "cross-realm %s -> %s",
client_realm, server_realm);
goto free_realms;
}
@@ -652,19 +652,19 @@ fix_transited_encoding(krb5_context context,
static krb5_error_code
tgs_make_reply(krb5_context context,
tgs_make_reply(krb5_context context,
krb5_kdc_configuration *config,
KDC_REQ_BODY *b,
KDC_REQ_BODY *b,
krb5_const_principal tgt_name,
const EncTicketPart *tgt,
const EncTicketPart *tgt,
const EncryptionKey *serverkey,
const krb5_keyblock *sessionkey,
krb5_kvno kvno,
AuthorizationData *auth_data,
hdb_entry_ex *server,
const char *server_name,
hdb_entry_ex *client,
krb5_principal client_principal,
hdb_entry_ex *server,
const char *server_name,
hdb_entry_ex *client,
krb5_principal client_principal,
hdb_entry_ex *krbtgt,
krb5_enctype krbtgt_etype,
KRB5SignedPathPrincipals *spp,
@@ -677,11 +677,11 @@ tgs_make_reply(krb5_context context,
EncTicketPart et;
KDCOptions f = b->kdc_options;
krb5_error_code ret;
memset(&rep, 0, sizeof(rep));
memset(&et, 0, sizeof(et));
memset(&ek, 0, sizeof(ek));
rep.pvno = 5;
rep.msg_type = krb_tgs_rep;
@@ -690,7 +690,7 @@ tgs_make_reply(krb5_context context,
et.endtime = min(tgt->endtime, *b->till);
ALLOC(et.starttime);
*et.starttime = kdc_time;
ret = check_tgs_flags(context, config, b, tgt, &et);
if(ret)
goto out;
@@ -714,11 +714,11 @@ tgs_make_reply(krb5_context context,
#define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0
#define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0
ret = fix_transited_encoding(context, config,
ret = fix_transited_encoding(context, config,
!f.disable_transited_check ||
GLOBAL_FORCE_TRANSITED_CHECK ||
PRINCIPAL_FORCE_TRANSITED_CHECK(server) ||
!((GLOBAL_ALLOW_PER_PRINCIPAL &&
!((GLOBAL_ALLOW_PER_PRINCIPAL &&
PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) ||
GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
&tgt->transited, &et,
@@ -728,7 +728,7 @@ tgs_make_reply(krb5_context context,
if(ret)
goto out;
copy_Realm(krb5_princ_realm(context, server->entry.principal),
copy_Realm(krb5_princ_realm(context, server->entry.principal),
&rep.ticket.realm);
_krb5_principal2principalname(&rep.ticket.sname, server->entry.principal);
copy_Realm(&tgt_name->realm, &rep.crealm);
@@ -753,7 +753,7 @@ tgs_make_reply(krb5_context context,
life = min(life, *server->entry.max_life);
et.endtime = *et.starttime + life;
}
if(f.renewable_ok && tgt->flags.renewable &&
if(f.renewable_ok && tgt->flags.renewable &&
et.renew_till == NULL && et.endtime < *b->till){
et.flags.renewable = 1;
ALLOC(et.renew_till);
@@ -768,13 +768,13 @@ tgs_make_reply(krb5_context context,
renew = min(renew, *server->entry.max_renew);
*et.renew_till = et.authtime + renew;
}
if(et.renew_till){
*et.renew_till = min(*et.renew_till, *tgt->renew_till);
*et.starttime = min(*et.starttime, *et.renew_till);
et.endtime = min(et.endtime, *et.renew_till);
}
*et.starttime = min(*et.starttime, et.endtime);
if(*et.starttime == et.endtime){
@@ -786,12 +786,12 @@ tgs_make_reply(krb5_context context,
et.renew_till = NULL;
et.flags.renewable = 0;
}
et.flags.pre_authent = tgt->flags.pre_authent;
et.flags.hw_authent = tgt->flags.hw_authent;
et.flags.anonymous = tgt->flags.anonymous;
et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
if (auth_data) {
/* XXX Check enc-authorization-data */
et.authorization_data = calloc(1, sizeof(*et.authorization_data));
@@ -835,7 +835,7 @@ tgs_make_reply(krb5_context context,
goto out;
et.crealm = tgt->crealm;
et.cname = tgt_name->name;
ek.key = et.key;
/* MIT must have at least one last_req */
ek.last_req.len = 1;
@@ -852,8 +852,8 @@ tgs_make_reply(krb5_context context,
ek.renew_till = et.renew_till;
ek.srealm = rep.ticket.realm;
ek.sname = rep.ticket.sname;
_kdc_log_timestamp(context, config, "TGS-REQ", et.authtime, et.starttime,
_kdc_log_timestamp(context, config, "TGS-REQ", et.authtime, et.starttime,
et.endtime, et.renew_till);
/* Don't sign cross realm tickets, they can't be checked anyway */
@@ -883,9 +883,9 @@ tgs_make_reply(krb5_context context,
CAST session key. Should the DES3 etype be added to the
etype list, even if we don't want a session key with
DES3? */
ret = _kdc_encode_reply(context, config,
ret = _kdc_encode_reply(context, config,
&rep, &et, &ek, et.key.keytype,
kvno,
kvno,
serverkey, 0, &tgt->key, e_text, reply);
out:
free_TGS_REP(&rep);
@@ -905,10 +905,10 @@ out:
}
static krb5_error_code
tgs_check_authenticator(krb5_context context,
tgs_check_authenticator(krb5_context context,
krb5_kdc_configuration *config,
krb5_auth_context ac,
KDC_REQ_BODY *b,
KDC_REQ_BODY *b,
const char **e_text,
krb5_keyblock *key)
{
@@ -918,7 +918,7 @@ tgs_check_authenticator(krb5_context context,
size_t buf_size;
krb5_error_code ret;
krb5_crypto crypto;
krb5_auth_con_getauthenticator(context, ac, &auth);
if(auth->cksum == NULL){
kdc_log(context, config, 0, "No authenticator in request");
@@ -935,7 +935,7 @@ tgs_check_authenticator(krb5_context context,
||
#endif
!krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
kdc_log(context, config, 0, "Bad checksum type in authenticator: %d",
kdc_log(context, config, 0, "Bad checksum type in authenticator: %d",
auth->cksum->cksumtype);
ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
goto out;
@@ -944,7 +944,7 @@ tgs_check_authenticator(krb5_context context,
/* XXX should not re-encode this */
ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
if(ret){
kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s",
kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s",
krb5_get_err_text(context, ret));
goto out;
}
@@ -965,14 +965,14 @@ tgs_check_authenticator(krb5_context context,
ret = krb5_verify_checksum(context,
crypto,
KRB5_KU_TGS_REQ_AUTH_CKSUM,
buf,
buf,
len,
auth->cksum);
free(buf);
krb5_crypto_destroy(context, crypto);
if(ret){
kdc_log(context, config, 0,
"Failed to verify authenticator checksum: %s",
"Failed to verify authenticator checksum: %s",
krb5_get_err_text(context, ret));
}
out:
@@ -990,13 +990,13 @@ find_rpath(krb5_context context, Realm crealm, Realm srealm)
{
const char *new_realm = krb5_config_get_string(context,
NULL,
"capaths",
"capaths",
crealm,
srealm,
NULL);
return new_realm;
}
static krb5_boolean
need_referral(krb5_context context, krb5_kdc_configuration *config,
@@ -1007,21 +1007,21 @@ need_referral(krb5_context context, krb5_kdc_configuration *config,
if(!options->canonicalize && server->name.name_type != KRB5_NT_SRV_INST)
return FALSE;
if (server->name.name_string.len == 1)
name = server->name.name_string.val[0];
if (server->name.name_string.len > 1)
name = server->name.name_string.val[1];
else
return FALSE;
kdc_log(context, config, 0, "Searching referral for %s", name);
return _krb5_get_host_realm_int(context, name, FALSE, realms) == 0;
}
static krb5_error_code
tgs_parse_request(krb5_context context,
tgs_parse_request(krb5_context context,
krb5_kdc_configuration *config,
KDC_REQ_BODY *b,
const PA_DATA *tgs_req,
@@ -1051,7 +1051,7 @@ tgs_parse_request(krb5_context context,
memset(&ap_req, 0, sizeof(ap_req));
ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
if(ret){
kdc_log(context, config, 0, "Failed to decode AP-REQ: %s",
kdc_log(context, config, 0, "Failed to decode AP-REQ: %s",
krb5_get_err_text(context, ret));
goto out;
}
@@ -1062,12 +1062,12 @@ tgs_parse_request(krb5_context context,
ret = KRB5KDC_ERR_POLICY; /* ? */
goto out;
}
_krb5_principalname2krb5_principal(context,
&princ,
ap_req.ticket.sname,
ap_req.ticket.realm);
ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, NULL, krbtgt);
if(ret) {
@@ -1084,8 +1084,8 @@ tgs_parse_request(krb5_context context,
ret = KRB5KRB_AP_ERR_NOT_US;
goto out;
}
if(ap_req.ticket.enc_part.kvno &&
if(ap_req.ticket.enc_part.kvno &&
*ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
char *p;
@@ -1094,7 +1094,7 @@ tgs_parse_request(krb5_context context,
if (ret != 0)
p = "<unparse_name failed>";
kdc_log(context, config, 0,
"Ticket kvno = %d, DB kvno = %d (%s)",
"Ticket kvno = %d, DB kvno = %d (%s)",
*ap_req.ticket.enc_part.kvno,
(*krbtgt)->entry.kvno,
p);
@@ -1106,7 +1106,7 @@ tgs_parse_request(krb5_context context,
*krbtgt_etype = ap_req.ticket.enc_part.etype;
ret = hdb_enctype2key(context, &(*krbtgt)->entry,
ret = hdb_enctype2key(context, &(*krbtgt)->entry,
ap_req.ticket.enc_part.etype, &tkey);
if(ret){
char *str = NULL, *p = NULL;
@@ -1122,7 +1122,7 @@ tgs_parse_request(krb5_context context,
ret = KRB5KRB_AP_ERR_BADKEYVER;
goto out;
}
if (b->kdc_options.validate)
verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID;
else
@@ -1137,10 +1137,10 @@ tgs_parse_request(krb5_context context,
&ap_req_options,
ticket,
KRB5_KU_TGS_REQ_AUTH);
krb5_free_principal(context, princ);
if(ret) {
kdc_log(context, config, 0, "Failed to verify AP-REQ: %s",
kdc_log(context, config, 0, "Failed to verify AP-REQ: %s",
krb5_get_err_text(context, ret));
goto out;
}
@@ -1168,7 +1168,7 @@ tgs_parse_request(krb5_context context,
}
}
ret = tgs_check_authenticator(context, config,
ret = tgs_check_authenticator(context, config,
ac, b, e_text, &(*ticket)->ticket.key);
if (ret) {
krb5_auth_con_free(context, ac);
@@ -1185,7 +1185,7 @@ tgs_parse_request(krb5_context context,
&subkey);
if(ret){
krb5_auth_con_free(context, ac);
kdc_log(context, config, 0, "Failed to get remote subkey: %s",
kdc_log(context, config, 0, "Failed to get remote subkey: %s",
krb5_get_err_text(context, ret));
goto out;
}
@@ -1194,7 +1194,7 @@ tgs_parse_request(krb5_context context,
ret = krb5_auth_con_getkey(context, ac, &subkey);
if(ret) {
krb5_auth_con_free(context, ac);
kdc_log(context, config, 0, "Failed to get session key: %s",
kdc_log(context, config, 0, "Failed to get session key: %s",
krb5_get_err_text(context, ret));
goto out;
}
@@ -1221,7 +1221,7 @@ tgs_parse_request(krb5_context context,
krb5_crypto_destroy(context, crypto);
if(ret){
krb5_auth_con_free(context, ac);
kdc_log(context, config, 0,
kdc_log(context, config, 0,
"Failed to decrypt enc-authorization-data");
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
goto out;
@@ -1245,10 +1245,10 @@ tgs_parse_request(krb5_context context,
}
krb5_auth_con_free(context, ac);
out:
free_AP_REQ(&ap_req);
return ret;
}
@@ -1260,7 +1260,7 @@ tgs_build_referral(krb5_context context,
const PrincipalName *true_principal_name,
const PrincipalName *requested_principal,
krb5_data *outdata)
{
{
PA_ServerReferralData ref;
krb5_error_code ret;
EncryptedData ed;
@@ -1278,7 +1278,7 @@ tgs_build_referral(krb5_context context,
goto eout;
}
if (true_principal_name) {
ref.true_principal_name =
ref.true_principal_name =
malloc(sizeof(ref.true_principal_name));
if (ref.true_principal_name == NULL)
goto eout;
@@ -1287,17 +1287,17 @@ tgs_build_referral(krb5_context context,
goto eout;
}
if (requested_principal) {
ref.requested_principal_name =
ref.requested_principal_name =
malloc(sizeof(ref.requested_principal_name));
if (ref.requested_principal_name == NULL)
goto eout;
ret = copy_PrincipalName(requested_principal,
ret = copy_PrincipalName(requested_principal,
ref.requested_principal_name);
if (ret)
goto eout;
}
ASN1_MALLOC_ENCODE(PA_ServerReferralData,
ASN1_MALLOC_ENCODE(PA_ServerReferralData,
data.data, data.length,
&ref, &size, ret);
free_PA_ServerReferralData(&ref);
@@ -1314,7 +1314,7 @@ tgs_build_referral(krb5_context context,
if (ret)
return ret;
ASN1_MALLOC_ENCODE(EncryptedData,
ASN1_MALLOC_ENCODE(EncryptedData,
outdata->data, outdata->length,
&ed, &size, ret);
free_EncryptedData(&ed);
@@ -1331,9 +1331,9 @@ eout:
}
static krb5_error_code
tgs_build_reply(krb5_context context,
tgs_build_reply(krb5_context context,
krb5_kdc_configuration *config,
KDC_REQ *req,
KDC_REQ *req,
KDC_REQ_BODY *b,
hdb_entry_ex *krbtgt,
krb5_enctype krbtgt_etype,
@@ -1378,8 +1378,8 @@ tgs_build_reply(krb5_context context,
hdb_entry_ex *uu;
krb5_principal p;
Key *uukey;
if(b->additional_tickets == NULL ||
if(b->additional_tickets == NULL ||
b->additional_tickets->len == 0){
ret = KRB5KDC_ERR_BADOPTION; /* ? */
kdc_log(context, config, 0,
@@ -1394,8 +1394,8 @@ tgs_build_reply(krb5_context context,
goto out;
}
_krb5_principalname2krb5_principal(context, &p, t->sname, t->realm);
ret = _kdc_db_fetch(context, config, p,
HDB_F_GET_CLIENT|HDB_F_GET_SERVER,
ret = _kdc_db_fetch(context, config, p,
HDB_F_GET_CLIENT|HDB_F_GET_SERVER,
NULL, &uu);
krb5_free_principal(context, p);
if(ret){
@@ -1403,7 +1403,7 @@ tgs_build_reply(krb5_context context,
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto out;
}
ret = hdb_enctype2key(context, &uu->entry,
ret = hdb_enctype2key(context, &uu->entry,
t->enc_part.etype, &uukey);
if(ret){
_kdc_free_ent(context, uu);
@@ -1436,7 +1436,7 @@ tgs_build_reply(krb5_context context,
opt_str, sizeof(opt_str));
if(*opt_str)
kdc_log(context, config, 0,
"TGS-REQ %s from %s for %s [%s]",
"TGS-REQ %s from %s for %s [%s]",
cpn, from, spn, opt_str);
else
kdc_log(context, config, 0,
@@ -1459,11 +1459,11 @@ server_lookup:
new_rlm = find_rpath(context, tgt->crealm, req_rlm);
if(new_rlm) {
kdc_log(context, config, 5, "krbtgt for realm %s "
"not found, trying %s",
"not found, trying %s",
req_rlm, new_rlm);
krb5_free_principal(context, sp);
free(spn);
krb5_make_principal(context, &sp, r,
krb5_make_principal(context, &sp, r,
KRB5_TGS_NAME, new_rlm, NULL);
ret = krb5_unparse_name(context, sp, &spn);
if (ret)
@@ -1508,7 +1508,7 @@ server_lookup:
ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT, NULL, &client);
if(ret) {
const char *krbtgt_realm;
const char *krbtgt_realm;
/*
* If the client belongs to the same realm as our krbtgt, it
@@ -1516,8 +1516,8 @@ server_lookup:
*
*/
krbtgt_realm =
krb5_principal_get_comp_string(context,
krbtgt_realm =
krb5_principal_get_comp_string(context,
krbtgt->entry.principal, 1);
if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
@@ -1533,7 +1533,7 @@ server_lookup:
cross_realm = 1;
}
/*
* Select enctype, return key and kvno.
*/
@@ -1548,7 +1548,7 @@ server_lookup:
if (b->etype.val[i] == adtkt.key.keytype)
break;
if(i == b->etype.len) {
kdc_log(context, config, 0,
kdc_log(context, config, 0,
"Addition ticket have not matching etypes", spp);
krb5_clear_error_string(context);
return KRB5KDC_ERR_ETYPE_NOSUPP;
@@ -1557,11 +1557,11 @@ server_lookup:
kvno = 0;
} else {
Key *skey;
ret = _kdc_find_etype(context, server, b->etype.val, b->etype.len,
&skey, &etype);
if(ret) {
kdc_log(context, config, 0,
kdc_log(context, config, 0,
"Server (%s) has no support for etypes", spp);
return ret;
}
@@ -1583,10 +1583,10 @@ server_lookup:
* not the same, it's someone that is using a uni-directional trust
* backward.
*/
if (strcmp(krb5_principal_get_realm(context, sp),
krb5_principal_get_comp_string(context,
krbtgt->entry.principal,
krb5_principal_get_comp_string(context,
krbtgt->entry.principal,
1)) != 0) {
char *tpn;
ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
@@ -1603,7 +1603,7 @@ server_lookup:
if (!cross_realm) {
Key *tkey;
ret = hdb_enctype2key(context, &krbtgt->entry,
ret = hdb_enctype2key(context, &krbtgt->entry,
krbtgt_etype, &tkey);
if(ret) {
kdc_log(context, config, 0,
@@ -1611,7 +1611,7 @@ server_lookup:
goto out;
}
ret = check_PAC(context, config, cp,
ret = check_PAC(context, config, cp,
client, server, ekey, &tkey->key,
tgt, &rspac, &signedpath);
if (ret) {
@@ -1654,7 +1654,7 @@ server_lookup:
char *selfcpn = NULL;
const char *str;
ret = decode_PA_S4U2Self(sdata->padata_value.data,
ret = decode_PA_S4U2Self(sdata->padata_value.data,
sdata->padata_value.length,
&self, NULL);
if (ret) {
@@ -1678,14 +1678,14 @@ server_lookup:
ret = krb5_verify_checksum(context,
crypto,
KRB5_KU_OTHER_CKSUM,
datack.data,
datack.length,
datack.data,
datack.length,
&self.cksum);
krb5_data_free(&datack);
krb5_crypto_destroy(context, crypto);
if (ret) {
free_PA_S4U2Self(&self);
kdc_log(context, config, 0,
kdc_log(context, config, 0,
"krb5_verify_checksum failed for S4U2Self: %s",
krb5_get_err_text(context, ret));
goto out;
@@ -1748,7 +1748,7 @@ server_lookup:
Ticket *t;
char *str;
/*
/*
* Require that the KDC have issued the service's krbtgt (not
* self-issued ticket with kimpersonate(1).
*/
@@ -1762,7 +1762,7 @@ server_lookup:
t = &b->additional_tickets->val[0];
ret = hdb_enctype2key(context, &client->entry,
ret = hdb_enctype2key(context, &client->entry,
t->enc_part.etype, &clientkey);
if(ret){
ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
@@ -1789,7 +1789,7 @@ server_lookup:
ret = check_constrained_delegation(context, config, client, sp);
if (ret) {
kdc_log(context, config, 0,
"constrained delegation from %s to %s not allowed",
"constrained delegation from %s to %s not allowed",
spn, cpn);
goto out;
}
@@ -1841,15 +1841,15 @@ server_lookup:
* Check flags
*/
ret = _kdc_check_flags(context, config,
ret = _kdc_check_flags(context, config,
client, cpn,
server, spn,
FALSE);
if(ret)
goto out;
if((b->kdc_options.validate || b->kdc_options.renew) &&
!krb5_principal_compare(context,
if((b->kdc_options.validate || b->kdc_options.renew) &&
!krb5_principal_compare(context,
krbtgt->entry.principal,
server->entry.principal)){
kdc_log(context, config, 0, "Inconsistent request.");
@@ -1909,19 +1909,19 @@ server_lookup:
*/
ret = tgs_make_reply(context,
config,
b,
config,
b,
client_principal,
tgt,
tgt,
ekey,
&sessionkey,
kvno,
*auth_data,
server,
server,
spn,
client,
cp,
krbtgt,
client,
cp,
krbtgt,
krbtgt_etype,
spp,
&rspac,
@@ -1931,7 +1931,7 @@ server_lookup:
out:
free(spn);
free(cpn);
krb5_data_free(&rspac);
krb5_free_keyblock_contents(context, &sessionkey);
if(server)
@@ -1958,9 +1958,9 @@ out:
*/
krb5_error_code
_kdc_tgs_rep(krb5_context context,
_kdc_tgs_rep(krb5_context context,
krb5_kdc_configuration *config,
KDC_REQ *req,
KDC_REQ *req,
krb5_data *data,
const char *from,
struct sockaddr *from_addr,
@@ -1985,17 +1985,17 @@ _kdc_tgs_rep(krb5_context context,
"TGS-REQ from %s without PA-DATA", from);
goto out;
}
tgs_req = _kdc_find_padata(req, &i, KRB5_PADATA_TGS_REQ);
if(tgs_req == NULL){
ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
kdc_log(context, config, 0,
kdc_log(context, config, 0,
"TGS-REQ from %s without PA-TGS-REQ", from);
goto out;
}
ret = tgs_parse_request(context, config,
ret = tgs_parse_request(context, config,
&req->req_body, tgs_req,
&krbtgt,
&krbtgt_etype,
@@ -2005,7 +2005,7 @@ _kdc_tgs_rep(krb5_context context,
&csec, &cusec,
&auth_data);
if (ret) {
kdc_log(context, config, 0,
kdc_log(context, config, 0,
"Failed parsing TGS-REQ from %s", from);
goto out;
}
@@ -2024,7 +2024,7 @@ _kdc_tgs_rep(krb5_context context,
from_addr,
datagram_reply);
if (ret) {
kdc_log(context, config, 0,
kdc_log(context, config, 0,
"Failed building TGS-REP to %s", from);
goto out;
}