diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c index 1318d008d..a771dbfb9 100644 --- a/kdc/krb5tgs.c +++ b/kdc/krb5tgs.c @@ -1,34 +1,34 @@ /* * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ #include "kdc_locl.h" @@ -39,7 +39,7 @@ RCSID("$Id$"); * return the realm of a krbtgt-ticket or NULL */ -static Realm +static Realm get_krbtgt_realm(const PrincipalName *p) { if(p->name_string.len == 2 @@ -168,7 +168,7 @@ _kdc_add_KRB5SignedPath(krb5_context context, if (data.length != size) krb5_abortx(context, "internal asn.1 encoder error"); - + /* * Add IF-RELEVANT(KRB5SignedPath) to the last slot in * authorization data field. @@ -237,8 +237,8 @@ check_KRB5SignedPath(krb5_context context, return ret; } } - ret = krb5_verify_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, - data.data, data.length, + ret = krb5_verify_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, + data.data, data.length, &sp.cksum); krb5_crypto_destroy(context, crypto); free(data.data); @@ -323,7 +323,7 @@ check_PAC(krb5_context context, if (ret) return ret; - ret = krb5_pac_verify(context, pac, tkt->authtime, + ret = krb5_pac_verify(context, pac, tkt->authtime, client_principal, krbtgt_key, NULL); if (ret) { @@ -331,7 +331,7 @@ check_PAC(krb5_context context, return ret; } - ret = _kdc_pac_verify(context, client_principal, + ret = _kdc_pac_verify(context, client_principal, client, server, &pac); if (ret) { krb5_pac_free(context, pac); @@ -358,7 +358,7 @@ check_PAC(krb5_context context, */ static krb5_error_code -check_tgs_flags(krb5_context context, +check_tgs_flags(krb5_context context, krb5_kdc_configuration *config, KDC_REQ_BODY *b, const EncTicketPart *tgt, EncTicketPart *et) { @@ -378,7 +378,7 @@ check_tgs_flags(krb5_context context, /* XXX tkt = tgt */ et->flags.invalid = 0; }else if(tgt->flags.invalid){ - kdc_log(context, config, 0, + kdc_log(context, config, 0, "Ticket-granting ticket has INVALID flag set"); return KRB5KRB_AP_ERR_TKT_INVALID; } @@ -472,8 +472,8 @@ check_tgs_flags(krb5_context context, et->endtime = *et->starttime + old_life; if (et->renew_till != NULL) et->endtime = min(*et->renew_till, et->endtime); - } - + } + #if 0 /* checks for excess flags */ if(f.request_anonymous && !config->allow_anonymous){ @@ -490,7 +490,7 @@ check_tgs_flags(krb5_context context, */ static krb5_error_code -check_constrained_delegation(krb5_context context, +check_constrained_delegation(krb5_context context, krb5_kdc_configuration *config, hdb_entry_ex *client, krb5_const_principal server) @@ -521,7 +521,7 @@ check_constrained_delegation(krb5_context context, */ static krb5_error_code -verify_flags (krb5_context context, +verify_flags (krb5_context context, krb5_kdc_configuration *config, const EncTicketPart *et, const char *pstr) @@ -542,13 +542,13 @@ verify_flags (krb5_context context, */ static krb5_error_code -fix_transited_encoding(krb5_context context, +fix_transited_encoding(krb5_context context, krb5_kdc_configuration *config, krb5_boolean check_policy, - const TransitedEncoding *tr, - EncTicketPart *et, - const char *client_realm, - const char *server_realm, + const TransitedEncoding *tr, + EncTicketPart *et, + const char *client_realm, + const char *server_realm, const char *tgt_realm) { krb5_error_code ret = 0; @@ -575,9 +575,9 @@ fix_transited_encoding(krb5_context context, return KRB5KDC_ERR_TRTYPE_NOSUPP; } - ret = krb5_domain_x500_decode(context, + ret = krb5_domain_x500_decode(context, tr->contents, - &realms, + &realms, &num_realms, client_realm, server_realm); @@ -606,7 +606,7 @@ fix_transited_encoding(krb5_context context, num_realms++; } if(num_realms == 0) { - if(strcmp(client_realm, server_realm)) + if(strcmp(client_realm, server_realm)) kdc_log(context, config, 0, "cross-realm %s -> %s", client_realm, server_realm); } else { @@ -629,11 +629,11 @@ fix_transited_encoding(krb5_context context, } } if(check_policy) { - ret = krb5_check_transited(context, client_realm, - server_realm, + ret = krb5_check_transited(context, client_realm, + server_realm, realms, num_realms, NULL); if(ret) { - krb5_warn(context, ret, "cross-realm %s -> %s", + krb5_warn(context, ret, "cross-realm %s -> %s", client_realm, server_realm); goto free_realms; } @@ -652,19 +652,19 @@ fix_transited_encoding(krb5_context context, static krb5_error_code -tgs_make_reply(krb5_context context, +tgs_make_reply(krb5_context context, krb5_kdc_configuration *config, - KDC_REQ_BODY *b, + KDC_REQ_BODY *b, krb5_const_principal tgt_name, - const EncTicketPart *tgt, + const EncTicketPart *tgt, const EncryptionKey *serverkey, const krb5_keyblock *sessionkey, krb5_kvno kvno, AuthorizationData *auth_data, - hdb_entry_ex *server, - const char *server_name, - hdb_entry_ex *client, - krb5_principal client_principal, + hdb_entry_ex *server, + const char *server_name, + hdb_entry_ex *client, + krb5_principal client_principal, hdb_entry_ex *krbtgt, krb5_enctype krbtgt_etype, KRB5SignedPathPrincipals *spp, @@ -677,11 +677,11 @@ tgs_make_reply(krb5_context context, EncTicketPart et; KDCOptions f = b->kdc_options; krb5_error_code ret; - + memset(&rep, 0, sizeof(rep)); memset(&et, 0, sizeof(et)); memset(&ek, 0, sizeof(ek)); - + rep.pvno = 5; rep.msg_type = krb_tgs_rep; @@ -690,7 +690,7 @@ tgs_make_reply(krb5_context context, et.endtime = min(tgt->endtime, *b->till); ALLOC(et.starttime); *et.starttime = kdc_time; - + ret = check_tgs_flags(context, config, b, tgt, &et); if(ret) goto out; @@ -714,11 +714,11 @@ tgs_make_reply(krb5_context context, #define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0 #define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0 - ret = fix_transited_encoding(context, config, + ret = fix_transited_encoding(context, config, !f.disable_transited_check || GLOBAL_FORCE_TRANSITED_CHECK || PRINCIPAL_FORCE_TRANSITED_CHECK(server) || - !((GLOBAL_ALLOW_PER_PRINCIPAL && + !((GLOBAL_ALLOW_PER_PRINCIPAL && PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) || GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK), &tgt->transited, &et, @@ -728,7 +728,7 @@ tgs_make_reply(krb5_context context, if(ret) goto out; - copy_Realm(krb5_princ_realm(context, server->entry.principal), + copy_Realm(krb5_princ_realm(context, server->entry.principal), &rep.ticket.realm); _krb5_principal2principalname(&rep.ticket.sname, server->entry.principal); copy_Realm(&tgt_name->realm, &rep.crealm); @@ -753,7 +753,7 @@ tgs_make_reply(krb5_context context, life = min(life, *server->entry.max_life); et.endtime = *et.starttime + life; } - if(f.renewable_ok && tgt->flags.renewable && + if(f.renewable_ok && tgt->flags.renewable && et.renew_till == NULL && et.endtime < *b->till){ et.flags.renewable = 1; ALLOC(et.renew_till); @@ -768,13 +768,13 @@ tgs_make_reply(krb5_context context, renew = min(renew, *server->entry.max_renew); *et.renew_till = et.authtime + renew; } - + if(et.renew_till){ *et.renew_till = min(*et.renew_till, *tgt->renew_till); *et.starttime = min(*et.starttime, *et.renew_till); et.endtime = min(et.endtime, *et.renew_till); } - + *et.starttime = min(*et.starttime, et.endtime); if(*et.starttime == et.endtime){ @@ -786,12 +786,12 @@ tgs_make_reply(krb5_context context, et.renew_till = NULL; et.flags.renewable = 0; } - + et.flags.pre_authent = tgt->flags.pre_authent; et.flags.hw_authent = tgt->flags.hw_authent; et.flags.anonymous = tgt->flags.anonymous; et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate; - + if (auth_data) { /* XXX Check enc-authorization-data */ et.authorization_data = calloc(1, sizeof(*et.authorization_data)); @@ -835,7 +835,7 @@ tgs_make_reply(krb5_context context, goto out; et.crealm = tgt->crealm; et.cname = tgt_name->name; - + ek.key = et.key; /* MIT must have at least one last_req */ ek.last_req.len = 1; @@ -852,8 +852,8 @@ tgs_make_reply(krb5_context context, ek.renew_till = et.renew_till; ek.srealm = rep.ticket.realm; ek.sname = rep.ticket.sname; - - _kdc_log_timestamp(context, config, "TGS-REQ", et.authtime, et.starttime, + + _kdc_log_timestamp(context, config, "TGS-REQ", et.authtime, et.starttime, et.endtime, et.renew_till); /* Don't sign cross realm tickets, they can't be checked anyway */ @@ -883,9 +883,9 @@ tgs_make_reply(krb5_context context, CAST session key. Should the DES3 etype be added to the etype list, even if we don't want a session key with DES3? */ - ret = _kdc_encode_reply(context, config, + ret = _kdc_encode_reply(context, config, &rep, &et, &ek, et.key.keytype, - kvno, + kvno, serverkey, 0, &tgt->key, e_text, reply); out: free_TGS_REP(&rep); @@ -905,10 +905,10 @@ out: } static krb5_error_code -tgs_check_authenticator(krb5_context context, +tgs_check_authenticator(krb5_context context, krb5_kdc_configuration *config, krb5_auth_context ac, - KDC_REQ_BODY *b, + KDC_REQ_BODY *b, const char **e_text, krb5_keyblock *key) { @@ -918,7 +918,7 @@ tgs_check_authenticator(krb5_context context, size_t buf_size; krb5_error_code ret; krb5_crypto crypto; - + krb5_auth_con_getauthenticator(context, ac, &auth); if(auth->cksum == NULL){ kdc_log(context, config, 0, "No authenticator in request"); @@ -935,7 +935,7 @@ tgs_check_authenticator(krb5_context context, || #endif !krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) { - kdc_log(context, config, 0, "Bad checksum type in authenticator: %d", + kdc_log(context, config, 0, "Bad checksum type in authenticator: %d", auth->cksum->cksumtype); ret = KRB5KRB_AP_ERR_INAPP_CKSUM; goto out; @@ -944,7 +944,7 @@ tgs_check_authenticator(krb5_context context, /* XXX should not re-encode this */ ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret); if(ret){ - kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", + kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", krb5_get_err_text(context, ret)); goto out; } @@ -965,14 +965,14 @@ tgs_check_authenticator(krb5_context context, ret = krb5_verify_checksum(context, crypto, KRB5_KU_TGS_REQ_AUTH_CKSUM, - buf, + buf, len, auth->cksum); free(buf); krb5_crypto_destroy(context, crypto); if(ret){ kdc_log(context, config, 0, - "Failed to verify authenticator checksum: %s", + "Failed to verify authenticator checksum: %s", krb5_get_err_text(context, ret)); } out: @@ -990,13 +990,13 @@ find_rpath(krb5_context context, Realm crealm, Realm srealm) { const char *new_realm = krb5_config_get_string(context, NULL, - "capaths", + "capaths", crealm, srealm, NULL); return new_realm; } - + static krb5_boolean need_referral(krb5_context context, krb5_kdc_configuration *config, @@ -1007,21 +1007,21 @@ need_referral(krb5_context context, krb5_kdc_configuration *config, if(!options->canonicalize && server->name.name_type != KRB5_NT_SRV_INST) return FALSE; - + if (server->name.name_string.len == 1) name = server->name.name_string.val[0]; if (server->name.name_string.len > 1) name = server->name.name_string.val[1]; else return FALSE; - + kdc_log(context, config, 0, "Searching referral for %s", name); return _krb5_get_host_realm_int(context, name, FALSE, realms) == 0; } static krb5_error_code -tgs_parse_request(krb5_context context, +tgs_parse_request(krb5_context context, krb5_kdc_configuration *config, KDC_REQ_BODY *b, const PA_DATA *tgs_req, @@ -1051,7 +1051,7 @@ tgs_parse_request(krb5_context context, memset(&ap_req, 0, sizeof(ap_req)); ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req); if(ret){ - kdc_log(context, config, 0, "Failed to decode AP-REQ: %s", + kdc_log(context, config, 0, "Failed to decode AP-REQ: %s", krb5_get_err_text(context, ret)); goto out; } @@ -1062,12 +1062,12 @@ tgs_parse_request(krb5_context context, ret = KRB5KDC_ERR_POLICY; /* ? */ goto out; } - + _krb5_principalname2krb5_principal(context, &princ, ap_req.ticket.sname, ap_req.ticket.realm); - + ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, NULL, krbtgt); if(ret) { @@ -1084,8 +1084,8 @@ tgs_parse_request(krb5_context context, ret = KRB5KRB_AP_ERR_NOT_US; goto out; } - - if(ap_req.ticket.enc_part.kvno && + + if(ap_req.ticket.enc_part.kvno && *ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){ char *p; @@ -1094,7 +1094,7 @@ tgs_parse_request(krb5_context context, if (ret != 0) p = ""; kdc_log(context, config, 0, - "Ticket kvno = %d, DB kvno = %d (%s)", + "Ticket kvno = %d, DB kvno = %d (%s)", *ap_req.ticket.enc_part.kvno, (*krbtgt)->entry.kvno, p); @@ -1106,7 +1106,7 @@ tgs_parse_request(krb5_context context, *krbtgt_etype = ap_req.ticket.enc_part.etype; - ret = hdb_enctype2key(context, &(*krbtgt)->entry, + ret = hdb_enctype2key(context, &(*krbtgt)->entry, ap_req.ticket.enc_part.etype, &tkey); if(ret){ char *str = NULL, *p = NULL; @@ -1122,7 +1122,7 @@ tgs_parse_request(krb5_context context, ret = KRB5KRB_AP_ERR_BADKEYVER; goto out; } - + if (b->kdc_options.validate) verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID; else @@ -1137,10 +1137,10 @@ tgs_parse_request(krb5_context context, &ap_req_options, ticket, KRB5_KU_TGS_REQ_AUTH); - + krb5_free_principal(context, princ); if(ret) { - kdc_log(context, config, 0, "Failed to verify AP-REQ: %s", + kdc_log(context, config, 0, "Failed to verify AP-REQ: %s", krb5_get_err_text(context, ret)); goto out; } @@ -1168,7 +1168,7 @@ tgs_parse_request(krb5_context context, } } - ret = tgs_check_authenticator(context, config, + ret = tgs_check_authenticator(context, config, ac, b, e_text, &(*ticket)->ticket.key); if (ret) { krb5_auth_con_free(context, ac); @@ -1185,7 +1185,7 @@ tgs_parse_request(krb5_context context, &subkey); if(ret){ krb5_auth_con_free(context, ac); - kdc_log(context, config, 0, "Failed to get remote subkey: %s", + kdc_log(context, config, 0, "Failed to get remote subkey: %s", krb5_get_err_text(context, ret)); goto out; } @@ -1194,7 +1194,7 @@ tgs_parse_request(krb5_context context, ret = krb5_auth_con_getkey(context, ac, &subkey); if(ret) { krb5_auth_con_free(context, ac); - kdc_log(context, config, 0, "Failed to get session key: %s", + kdc_log(context, config, 0, "Failed to get session key: %s", krb5_get_err_text(context, ret)); goto out; } @@ -1221,7 +1221,7 @@ tgs_parse_request(krb5_context context, krb5_crypto_destroy(context, crypto); if(ret){ krb5_auth_con_free(context, ac); - kdc_log(context, config, 0, + kdc_log(context, config, 0, "Failed to decrypt enc-authorization-data"); ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ goto out; @@ -1245,10 +1245,10 @@ tgs_parse_request(krb5_context context, } krb5_auth_con_free(context, ac); - + out: free_AP_REQ(&ap_req); - + return ret; } @@ -1260,7 +1260,7 @@ tgs_build_referral(krb5_context context, const PrincipalName *true_principal_name, const PrincipalName *requested_principal, krb5_data *outdata) -{ +{ PA_ServerReferralData ref; krb5_error_code ret; EncryptedData ed; @@ -1278,7 +1278,7 @@ tgs_build_referral(krb5_context context, goto eout; } if (true_principal_name) { - ref.true_principal_name = + ref.true_principal_name = malloc(sizeof(ref.true_principal_name)); if (ref.true_principal_name == NULL) goto eout; @@ -1287,17 +1287,17 @@ tgs_build_referral(krb5_context context, goto eout; } if (requested_principal) { - ref.requested_principal_name = + ref.requested_principal_name = malloc(sizeof(ref.requested_principal_name)); if (ref.requested_principal_name == NULL) goto eout; - ret = copy_PrincipalName(requested_principal, + ret = copy_PrincipalName(requested_principal, ref.requested_principal_name); if (ret) goto eout; } - ASN1_MALLOC_ENCODE(PA_ServerReferralData, + ASN1_MALLOC_ENCODE(PA_ServerReferralData, data.data, data.length, &ref, &size, ret); free_PA_ServerReferralData(&ref); @@ -1314,7 +1314,7 @@ tgs_build_referral(krb5_context context, if (ret) return ret; - ASN1_MALLOC_ENCODE(EncryptedData, + ASN1_MALLOC_ENCODE(EncryptedData, outdata->data, outdata->length, &ed, &size, ret); free_EncryptedData(&ed); @@ -1331,9 +1331,9 @@ eout: } static krb5_error_code -tgs_build_reply(krb5_context context, +tgs_build_reply(krb5_context context, krb5_kdc_configuration *config, - KDC_REQ *req, + KDC_REQ *req, KDC_REQ_BODY *b, hdb_entry_ex *krbtgt, krb5_enctype krbtgt_etype, @@ -1378,8 +1378,8 @@ tgs_build_reply(krb5_context context, hdb_entry_ex *uu; krb5_principal p; Key *uukey; - - if(b->additional_tickets == NULL || + + if(b->additional_tickets == NULL || b->additional_tickets->len == 0){ ret = KRB5KDC_ERR_BADOPTION; /* ? */ kdc_log(context, config, 0, @@ -1394,8 +1394,8 @@ tgs_build_reply(krb5_context context, goto out; } _krb5_principalname2krb5_principal(context, &p, t->sname, t->realm); - ret = _kdc_db_fetch(context, config, p, - HDB_F_GET_CLIENT|HDB_F_GET_SERVER, + ret = _kdc_db_fetch(context, config, p, + HDB_F_GET_CLIENT|HDB_F_GET_SERVER, NULL, &uu); krb5_free_principal(context, p); if(ret){ @@ -1403,7 +1403,7 @@ tgs_build_reply(krb5_context context, ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; goto out; } - ret = hdb_enctype2key(context, &uu->entry, + ret = hdb_enctype2key(context, &uu->entry, t->enc_part.etype, &uukey); if(ret){ _kdc_free_ent(context, uu); @@ -1436,7 +1436,7 @@ tgs_build_reply(krb5_context context, opt_str, sizeof(opt_str)); if(*opt_str) kdc_log(context, config, 0, - "TGS-REQ %s from %s for %s [%s]", + "TGS-REQ %s from %s for %s [%s]", cpn, from, spn, opt_str); else kdc_log(context, config, 0, @@ -1459,11 +1459,11 @@ server_lookup: new_rlm = find_rpath(context, tgt->crealm, req_rlm); if(new_rlm) { kdc_log(context, config, 5, "krbtgt for realm %s " - "not found, trying %s", + "not found, trying %s", req_rlm, new_rlm); krb5_free_principal(context, sp); free(spn); - krb5_make_principal(context, &sp, r, + krb5_make_principal(context, &sp, r, KRB5_TGS_NAME, new_rlm, NULL); ret = krb5_unparse_name(context, sp, &spn); if (ret) @@ -1508,7 +1508,7 @@ server_lookup: ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT, NULL, &client); if(ret) { - const char *krbtgt_realm; + const char *krbtgt_realm; /* * If the client belongs to the same realm as our krbtgt, it @@ -1516,8 +1516,8 @@ server_lookup: * */ - krbtgt_realm = - krb5_principal_get_comp_string(context, + krbtgt_realm = + krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1); if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) { @@ -1533,7 +1533,7 @@ server_lookup: cross_realm = 1; } - + /* * Select enctype, return key and kvno. */ @@ -1548,7 +1548,7 @@ server_lookup: if (b->etype.val[i] == adtkt.key.keytype) break; if(i == b->etype.len) { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "Addition ticket have not matching etypes", spp); krb5_clear_error_string(context); return KRB5KDC_ERR_ETYPE_NOSUPP; @@ -1557,11 +1557,11 @@ server_lookup: kvno = 0; } else { Key *skey; - + ret = _kdc_find_etype(context, server, b->etype.val, b->etype.len, &skey, &etype); if(ret) { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "Server (%s) has no support for etypes", spp); return ret; } @@ -1583,10 +1583,10 @@ server_lookup: * not the same, it's someone that is using a uni-directional trust * backward. */ - + if (strcmp(krb5_principal_get_realm(context, sp), - krb5_principal_get_comp_string(context, - krbtgt->entry.principal, + krb5_principal_get_comp_string(context, + krbtgt->entry.principal, 1)) != 0) { char *tpn; ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn); @@ -1603,7 +1603,7 @@ server_lookup: if (!cross_realm) { Key *tkey; - ret = hdb_enctype2key(context, &krbtgt->entry, + ret = hdb_enctype2key(context, &krbtgt->entry, krbtgt_etype, &tkey); if(ret) { kdc_log(context, config, 0, @@ -1611,7 +1611,7 @@ server_lookup: goto out; } - ret = check_PAC(context, config, cp, + ret = check_PAC(context, config, cp, client, server, ekey, &tkey->key, tgt, &rspac, &signedpath); if (ret) { @@ -1654,7 +1654,7 @@ server_lookup: char *selfcpn = NULL; const char *str; - ret = decode_PA_S4U2Self(sdata->padata_value.data, + ret = decode_PA_S4U2Self(sdata->padata_value.data, sdata->padata_value.length, &self, NULL); if (ret) { @@ -1678,14 +1678,14 @@ server_lookup: ret = krb5_verify_checksum(context, crypto, KRB5_KU_OTHER_CKSUM, - datack.data, - datack.length, + datack.data, + datack.length, &self.cksum); krb5_data_free(&datack); krb5_crypto_destroy(context, crypto); if (ret) { free_PA_S4U2Self(&self); - kdc_log(context, config, 0, + kdc_log(context, config, 0, "krb5_verify_checksum failed for S4U2Self: %s", krb5_get_err_text(context, ret)); goto out; @@ -1748,7 +1748,7 @@ server_lookup: Ticket *t; char *str; - /* + /* * Require that the KDC have issued the service's krbtgt (not * self-issued ticket with kimpersonate(1). */ @@ -1762,7 +1762,7 @@ server_lookup: t = &b->additional_tickets->val[0]; - ret = hdb_enctype2key(context, &client->entry, + ret = hdb_enctype2key(context, &client->entry, t->enc_part.etype, &clientkey); if(ret){ ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */ @@ -1789,7 +1789,7 @@ server_lookup: ret = check_constrained_delegation(context, config, client, sp); if (ret) { kdc_log(context, config, 0, - "constrained delegation from %s to %s not allowed", + "constrained delegation from %s to %s not allowed", spn, cpn); goto out; } @@ -1841,15 +1841,15 @@ server_lookup: * Check flags */ - ret = _kdc_check_flags(context, config, + ret = _kdc_check_flags(context, config, client, cpn, server, spn, FALSE); if(ret) goto out; - if((b->kdc_options.validate || b->kdc_options.renew) && - !krb5_principal_compare(context, + if((b->kdc_options.validate || b->kdc_options.renew) && + !krb5_principal_compare(context, krbtgt->entry.principal, server->entry.principal)){ kdc_log(context, config, 0, "Inconsistent request."); @@ -1909,19 +1909,19 @@ server_lookup: */ ret = tgs_make_reply(context, - config, - b, + config, + b, client_principal, - tgt, + tgt, ekey, &sessionkey, kvno, *auth_data, - server, + server, spn, - client, - cp, - krbtgt, + client, + cp, + krbtgt, krbtgt_etype, spp, &rspac, @@ -1931,7 +1931,7 @@ server_lookup: out: free(spn); free(cpn); - + krb5_data_free(&rspac); krb5_free_keyblock_contents(context, &sessionkey); if(server) @@ -1958,9 +1958,9 @@ out: */ krb5_error_code -_kdc_tgs_rep(krb5_context context, +_kdc_tgs_rep(krb5_context context, krb5_kdc_configuration *config, - KDC_REQ *req, + KDC_REQ *req, krb5_data *data, const char *from, struct sockaddr *from_addr, @@ -1985,17 +1985,17 @@ _kdc_tgs_rep(krb5_context context, "TGS-REQ from %s without PA-DATA", from); goto out; } - + tgs_req = _kdc_find_padata(req, &i, KRB5_PADATA_TGS_REQ); if(tgs_req == NULL){ ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; - kdc_log(context, config, 0, + kdc_log(context, config, 0, "TGS-REQ from %s without PA-TGS-REQ", from); goto out; } - ret = tgs_parse_request(context, config, + ret = tgs_parse_request(context, config, &req->req_body, tgs_req, &krbtgt, &krbtgt_etype, @@ -2005,7 +2005,7 @@ _kdc_tgs_rep(krb5_context context, &csec, &cusec, &auth_data); if (ret) { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "Failed parsing TGS-REQ from %s", from); goto out; } @@ -2024,7 +2024,7 @@ _kdc_tgs_rep(krb5_context context, from_addr, datagram_reply); if (ret) { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "Failed building TGS-REP to %s", from); goto out; }