kill trailing whitespace

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@22733 ec53bebd-3082-4978-b11e-865c3cabbd6b
Love Hörnquist Åstrand
2008-03-24 12:07:05 +00:00
parent b0aae2d071
commit 294999cc14


@@ -1,34 +1,34 @@
/* /*
* Copyright (c) 1997-2008 Kungliga Tekniska H<>gskolan * Copyright (c) 1997-2008 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden). * (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved. * All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
* are met: * are met:
* *
* 1. Redistributions of source code must retain the above copyright * 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer. * notice, this list of conditions and the following disclaimer.
* *
* 2. Redistributions in binary form must reproduce the above copyright * 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the * notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution. * documentation and/or other materials provided with the distribution.
* *
* 3. Neither the name of the Institute nor the names of its contributors * 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software * may be used to endorse or promote products derived from this software
* without specific prior written permission. * without specific prior written permission.
* *
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE. * SUCH DAMAGE.
*/ */
#include "kdc_locl.h" #include "kdc_locl.h"
@@ -39,7 +39,7 @@ RCSID("$Id$");
* return the realm of a krbtgt-ticket or NULL * return the realm of a krbtgt-ticket or NULL
*/ */
static Realm static Realm
get_krbtgt_realm(const PrincipalName *p) get_krbtgt_realm(const PrincipalName *p)
{ {
if(p->name_string.len == 2 if(p->name_string.len == 2
@@ -168,7 +168,7 @@ _kdc_add_KRB5SignedPath(krb5_context context,
if (data.length != size) if (data.length != size)
krb5_abortx(context, "internal asn.1 encoder error"); krb5_abortx(context, "internal asn.1 encoder error");
/* /*
* Add IF-RELEVANT(KRB5SignedPath) to the last slot in * Add IF-RELEVANT(KRB5SignedPath) to the last slot in
* authorization data field. * authorization data field.
@@ -237,8 +237,8 @@ check_KRB5SignedPath(krb5_context context,
return ret; return ret;
} }
} }
ret = krb5_verify_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, ret = krb5_verify_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH,
data.data, data.length, data.data, data.length,
&sp.cksum); &sp.cksum);
krb5_crypto_destroy(context, crypto); krb5_crypto_destroy(context, crypto);
free(data.data); free(data.data);
@@ -323,7 +323,7 @@ check_PAC(krb5_context context,
if (ret) if (ret)
return ret; return ret;
ret = krb5_pac_verify(context, pac, tkt->authtime, ret = krb5_pac_verify(context, pac, tkt->authtime,
client_principal, client_principal,
krbtgt_key, NULL); krbtgt_key, NULL);
if (ret) { if (ret) {
@@ -331,7 +331,7 @@ check_PAC(krb5_context context,
return ret; return ret;
} }
ret = _kdc_pac_verify(context, client_principal, ret = _kdc_pac_verify(context, client_principal,
client, server, &pac); client, server, &pac);
if (ret) { if (ret) {
krb5_pac_free(context, pac); krb5_pac_free(context, pac);
@@ -358,7 +358,7 @@ check_PAC(krb5_context context,
*/ */
static krb5_error_code static krb5_error_code
check_tgs_flags(krb5_context context, check_tgs_flags(krb5_context context,
krb5_kdc_configuration *config, krb5_kdc_configuration *config,
KDC_REQ_BODY *b, const EncTicketPart *tgt, EncTicketPart *et) KDC_REQ_BODY *b, const EncTicketPart *tgt, EncTicketPart *et)
{ {
@@ -378,7 +378,7 @@ check_tgs_flags(krb5_context context,
/* XXX tkt = tgt */ /* XXX tkt = tgt */
et->flags.invalid = 0; et->flags.invalid = 0;
}else if(tgt->flags.invalid){ }else if(tgt->flags.invalid){
kdc_log(context, config, 0, kdc_log(context, config, 0,
"Ticket-granting ticket has INVALID flag set"); "Ticket-granting ticket has INVALID flag set");
return KRB5KRB_AP_ERR_TKT_INVALID; return KRB5KRB_AP_ERR_TKT_INVALID;
} }
@@ -472,8 +472,8 @@ check_tgs_flags(krb5_context context,
et->endtime = *et->starttime + old_life; et->endtime = *et->starttime + old_life;
if (et->renew_till != NULL) if (et->renew_till != NULL)
et->endtime = min(*et->renew_till, et->endtime); et->endtime = min(*et->renew_till, et->endtime);
} }
#if 0 #if 0
/* checks for excess flags */ /* checks for excess flags */
if(f.request_anonymous && !config->allow_anonymous){ if(f.request_anonymous && !config->allow_anonymous){
@@ -490,7 +490,7 @@ check_tgs_flags(krb5_context context,
*/ */
static krb5_error_code static krb5_error_code
check_constrained_delegation(krb5_context context, check_constrained_delegation(krb5_context context,
krb5_kdc_configuration *config, krb5_kdc_configuration *config,
hdb_entry_ex *client, hdb_entry_ex *client,
krb5_const_principal server) krb5_const_principal server)
@@ -521,7 +521,7 @@ check_constrained_delegation(krb5_context context,
*/ */
static krb5_error_code static krb5_error_code
verify_flags (krb5_context context, verify_flags (krb5_context context,
krb5_kdc_configuration *config, krb5_kdc_configuration *config,
const EncTicketPart *et, const EncTicketPart *et,
const char *pstr) const char *pstr)
@@ -542,13 +542,13 @@ verify_flags (krb5_context context,
*/ */
static krb5_error_code static krb5_error_code
fix_transited_encoding(krb5_context context, fix_transited_encoding(krb5_context context,
krb5_kdc_configuration *config, krb5_kdc_configuration *config,
krb5_boolean check_policy, krb5_boolean check_policy,
const TransitedEncoding *tr, const TransitedEncoding *tr,
EncTicketPart *et, EncTicketPart *et,
const char *client_realm, const char *client_realm,
const char *server_realm, const char *server_realm,
const char *tgt_realm) const char *tgt_realm)
{ {
krb5_error_code ret = 0; krb5_error_code ret = 0;
@@ -575,9 +575,9 @@ fix_transited_encoding(krb5_context context,
return KRB5KDC_ERR_TRTYPE_NOSUPP; return KRB5KDC_ERR_TRTYPE_NOSUPP;
} }
ret = krb5_domain_x500_decode(context, ret = krb5_domain_x500_decode(context,
tr->contents, tr->contents,
&realms, &realms,
&num_realms, &num_realms,
client_realm, client_realm,
server_realm); server_realm);
@@ -606,7 +606,7 @@ fix_transited_encoding(krb5_context context,
num_realms++; num_realms++;
} }
if(num_realms == 0) { if(num_realms == 0) {
if(strcmp(client_realm, server_realm)) if(strcmp(client_realm, server_realm))
kdc_log(context, config, 0, kdc_log(context, config, 0,
"cross-realm %s -> %s", client_realm, server_realm); "cross-realm %s -> %s", client_realm, server_realm);
} else { } else {
@@ -629,11 +629,11 @@ fix_transited_encoding(krb5_context context,
} }
} }
if(check_policy) { if(check_policy) {
ret = krb5_check_transited(context, client_realm, ret = krb5_check_transited(context, client_realm,
server_realm, server_realm,
realms, num_realms, NULL); realms, num_realms, NULL);
if(ret) { if(ret) {
krb5_warn(context, ret, "cross-realm %s -> %s", krb5_warn(context, ret, "cross-realm %s -> %s",
client_realm, server_realm); client_realm, server_realm);
goto free_realms; goto free_realms;
} }
@@ -652,19 +652,19 @@ fix_transited_encoding(krb5_context context,
static krb5_error_code static krb5_error_code
tgs_make_reply(krb5_context context, tgs_make_reply(krb5_context context,
krb5_kdc_configuration *config, krb5_kdc_configuration *config,
KDC_REQ_BODY *b, KDC_REQ_BODY *b,
krb5_const_principal tgt_name, krb5_const_principal tgt_name,
const EncTicketPart *tgt, const EncTicketPart *tgt,
const EncryptionKey *serverkey, const EncryptionKey *serverkey,
const krb5_keyblock *sessionkey, const krb5_keyblock *sessionkey,
krb5_kvno kvno, krb5_kvno kvno,
AuthorizationData *auth_data, AuthorizationData *auth_data,
hdb_entry_ex *server, hdb_entry_ex *server,
const char *server_name, const char *server_name,
hdb_entry_ex *client, hdb_entry_ex *client,
krb5_principal client_principal, krb5_principal client_principal,
hdb_entry_ex *krbtgt, hdb_entry_ex *krbtgt,
krb5_enctype krbtgt_etype, krb5_enctype krbtgt_etype,
KRB5SignedPathPrincipals *spp, KRB5SignedPathPrincipals *spp,
@@ -677,11 +677,11 @@ tgs_make_reply(krb5_context context,
EncTicketPart et; EncTicketPart et;
KDCOptions f = b->kdc_options; KDCOptions f = b->kdc_options;
krb5_error_code ret; krb5_error_code ret;
memset(&rep, 0, sizeof(rep)); memset(&rep, 0, sizeof(rep));
memset(&et, 0, sizeof(et)); memset(&et, 0, sizeof(et));
memset(&ek, 0, sizeof(ek)); memset(&ek, 0, sizeof(ek));
rep.pvno = 5; rep.pvno = 5;
rep.msg_type = krb_tgs_rep; rep.msg_type = krb_tgs_rep;
@@ -690,7 +690,7 @@ tgs_make_reply(krb5_context context,
et.endtime = min(tgt->endtime, *b->till); et.endtime = min(tgt->endtime, *b->till);
ALLOC(et.starttime); ALLOC(et.starttime);
*et.starttime = kdc_time; *et.starttime = kdc_time;
ret = check_tgs_flags(context, config, b, tgt, &et); ret = check_tgs_flags(context, config, b, tgt, &et);
if(ret) if(ret)
goto out; goto out;
@@ -714,11 +714,11 @@ tgs_make_reply(krb5_context context,
#define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0 #define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0
#define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0 #define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0
ret = fix_transited_encoding(context, config, ret = fix_transited_encoding(context, config,
!f.disable_transited_check || !f.disable_transited_check ||
GLOBAL_FORCE_TRANSITED_CHECK || GLOBAL_FORCE_TRANSITED_CHECK ||
PRINCIPAL_FORCE_TRANSITED_CHECK(server) || PRINCIPAL_FORCE_TRANSITED_CHECK(server) ||
!((GLOBAL_ALLOW_PER_PRINCIPAL && !((GLOBAL_ALLOW_PER_PRINCIPAL &&
PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) || PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) ||
GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK), GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
&tgt->transited, &et, &tgt->transited, &et,
@@ -728,7 +728,7 @@ tgs_make_reply(krb5_context context,
if(ret) if(ret)
goto out; goto out;
copy_Realm(krb5_princ_realm(context, server->entry.principal), copy_Realm(krb5_princ_realm(context, server->entry.principal),
&rep.ticket.realm); &rep.ticket.realm);
_krb5_principal2principalname(&rep.ticket.sname, server->entry.principal); _krb5_principal2principalname(&rep.ticket.sname, server->entry.principal);
copy_Realm(&tgt_name->realm, &rep.crealm); copy_Realm(&tgt_name->realm, &rep.crealm);
@@ -753,7 +753,7 @@ tgs_make_reply(krb5_context context,
life = min(life, *server->entry.max_life); life = min(life, *server->entry.max_life);
et.endtime = *et.starttime + life; et.endtime = *et.starttime + life;
} }
if(f.renewable_ok && tgt->flags.renewable && if(f.renewable_ok && tgt->flags.renewable &&
et.renew_till == NULL && et.endtime < *b->till){ et.renew_till == NULL && et.endtime < *b->till){
et.flags.renewable = 1; et.flags.renewable = 1;
ALLOC(et.renew_till); ALLOC(et.renew_till);
@@ -768,13 +768,13 @@ tgs_make_reply(krb5_context context,
renew = min(renew, *server->entry.max_renew); renew = min(renew, *server->entry.max_renew);
*et.renew_till = et.authtime + renew; *et.renew_till = et.authtime + renew;
} }
if(et.renew_till){ if(et.renew_till){
*et.renew_till = min(*et.renew_till, *tgt->renew_till); *et.renew_till = min(*et.renew_till, *tgt->renew_till);
*et.starttime = min(*et.starttime, *et.renew_till); *et.starttime = min(*et.starttime, *et.renew_till);
et.endtime = min(et.endtime, *et.renew_till); et.endtime = min(et.endtime, *et.renew_till);
} }
*et.starttime = min(*et.starttime, et.endtime); *et.starttime = min(*et.starttime, et.endtime);
if(*et.starttime == et.endtime){ if(*et.starttime == et.endtime){
@@ -786,12 +786,12 @@ tgs_make_reply(krb5_context context,
et.renew_till = NULL; et.renew_till = NULL;
et.flags.renewable = 0; et.flags.renewable = 0;
} }
et.flags.pre_authent = tgt->flags.pre_authent; et.flags.pre_authent = tgt->flags.pre_authent;
et.flags.hw_authent = tgt->flags.hw_authent; et.flags.hw_authent = tgt->flags.hw_authent;
et.flags.anonymous = tgt->flags.anonymous; et.flags.anonymous = tgt->flags.anonymous;
et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate; et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
if (auth_data) { if (auth_data) {
/* XXX Check enc-authorization-data */ /* XXX Check enc-authorization-data */
et.authorization_data = calloc(1, sizeof(*et.authorization_data)); et.authorization_data = calloc(1, sizeof(*et.authorization_data));
@@ -835,7 +835,7 @@ tgs_make_reply(krb5_context context,
goto out; goto out;
et.crealm = tgt->crealm; et.crealm = tgt->crealm;
et.cname = tgt_name->name; et.cname = tgt_name->name;
ek.key = et.key; ek.key = et.key;
/* MIT must have at least one last_req */ /* MIT must have at least one last_req */
ek.last_req.len = 1; ek.last_req.len = 1;
@@ -852,8 +852,8 @@ tgs_make_reply(krb5_context context,
ek.renew_till = et.renew_till; ek.renew_till = et.renew_till;
ek.srealm = rep.ticket.realm; ek.srealm = rep.ticket.realm;
ek.sname = rep.ticket.sname; ek.sname = rep.ticket.sname;
_kdc_log_timestamp(context, config, "TGS-REQ", et.authtime, et.starttime, _kdc_log_timestamp(context, config, "TGS-REQ", et.authtime, et.starttime,
et.endtime, et.renew_till); et.endtime, et.renew_till);
/* Don't sign cross realm tickets, they can't be checked anyway */ /* Don't sign cross realm tickets, they can't be checked anyway */
@@ -883,9 +883,9 @@ tgs_make_reply(krb5_context context,
CAST session key. Should the DES3 etype be added to the CAST session key. Should the DES3 etype be added to the
etype list, even if we don't want a session key with etype list, even if we don't want a session key with
DES3? */ DES3? */
ret = _kdc_encode_reply(context, config, ret = _kdc_encode_reply(context, config,
&rep, &et, &ek, et.key.keytype, &rep, &et, &ek, et.key.keytype,
kvno, kvno,
serverkey, 0, &tgt->key, e_text, reply); serverkey, 0, &tgt->key, e_text, reply);
out: out:
free_TGS_REP(&rep); free_TGS_REP(&rep);
@@ -905,10 +905,10 @@ out:
} }
static krb5_error_code static krb5_error_code
tgs_check_authenticator(krb5_context context, tgs_check_authenticator(krb5_context context,
krb5_kdc_configuration *config, krb5_kdc_configuration *config,
krb5_auth_context ac, krb5_auth_context ac,
KDC_REQ_BODY *b, KDC_REQ_BODY *b,
const char **e_text, const char **e_text,
krb5_keyblock *key) krb5_keyblock *key)
{ {
@@ -918,7 +918,7 @@ tgs_check_authenticator(krb5_context context,
size_t buf_size; size_t buf_size;
krb5_error_code ret; krb5_error_code ret;
krb5_crypto crypto; krb5_crypto crypto;
krb5_auth_con_getauthenticator(context, ac, &auth); krb5_auth_con_getauthenticator(context, ac, &auth);
if(auth->cksum == NULL){ if(auth->cksum == NULL){
kdc_log(context, config, 0, "No authenticator in request"); kdc_log(context, config, 0, "No authenticator in request");
@@ -935,7 +935,7 @@ tgs_check_authenticator(krb5_context context,
|| ||
#endif #endif
!krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) { !krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
kdc_log(context, config, 0, "Bad checksum type in authenticator: %d", kdc_log(context, config, 0, "Bad checksum type in authenticator: %d",
auth->cksum->cksumtype); auth->cksum->cksumtype);
ret = KRB5KRB_AP_ERR_INAPP_CKSUM; ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
goto out; goto out;
@@ -944,7 +944,7 @@ tgs_check_authenticator(krb5_context context,
/* XXX should not re-encode this */ /* XXX should not re-encode this */
ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret); ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
if(ret){ if(ret){
kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
goto out; goto out;
} }
@@ -965,14 +965,14 @@ tgs_check_authenticator(krb5_context context,
ret = krb5_verify_checksum(context, ret = krb5_verify_checksum(context,
crypto, crypto,
KRB5_KU_TGS_REQ_AUTH_CKSUM, KRB5_KU_TGS_REQ_AUTH_CKSUM,
buf, buf,
len, len,
auth->cksum); auth->cksum);
free(buf); free(buf);
krb5_crypto_destroy(context, crypto); krb5_crypto_destroy(context, crypto);
if(ret){ if(ret){
kdc_log(context, config, 0, kdc_log(context, config, 0,
"Failed to verify authenticator checksum: %s", "Failed to verify authenticator checksum: %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
} }
out: out:
@@ -990,13 +990,13 @@ find_rpath(krb5_context context, Realm crealm, Realm srealm)
{ {
const char *new_realm = krb5_config_get_string(context, const char *new_realm = krb5_config_get_string(context,
NULL, NULL,
"capaths", "capaths",
crealm, crealm,
srealm, srealm,
NULL); NULL);
return new_realm; return new_realm;
} }
static krb5_boolean static krb5_boolean
need_referral(krb5_context context, krb5_kdc_configuration *config, need_referral(krb5_context context, krb5_kdc_configuration *config,
@@ -1007,21 +1007,21 @@ need_referral(krb5_context context, krb5_kdc_configuration *config,
if(!options->canonicalize && server->name.name_type != KRB5_NT_SRV_INST) if(!options->canonicalize && server->name.name_type != KRB5_NT_SRV_INST)
return FALSE; return FALSE;
if (server->name.name_string.len == 1) if (server->name.name_string.len == 1)
name = server->name.name_string.val[0]; name = server->name.name_string.val[0];
if (server->name.name_string.len > 1) if (server->name.name_string.len > 1)
name = server->name.name_string.val[1]; name = server->name.name_string.val[1];
else else
return FALSE; return FALSE;
kdc_log(context, config, 0, "Searching referral for %s", name); kdc_log(context, config, 0, "Searching referral for %s", name);
return _krb5_get_host_realm_int(context, name, FALSE, realms) == 0; return _krb5_get_host_realm_int(context, name, FALSE, realms) == 0;
} }
static krb5_error_code static krb5_error_code
tgs_parse_request(krb5_context context, tgs_parse_request(krb5_context context,
krb5_kdc_configuration *config, krb5_kdc_configuration *config,
KDC_REQ_BODY *b, KDC_REQ_BODY *b,
const PA_DATA *tgs_req, const PA_DATA *tgs_req,
@@ -1051,7 +1051,7 @@ tgs_parse_request(krb5_context context,
memset(&ap_req, 0, sizeof(ap_req)); memset(&ap_req, 0, sizeof(ap_req));
ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req); ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
if(ret){ if(ret){
kdc_log(context, config, 0, "Failed to decode AP-REQ: %s", kdc_log(context, config, 0, "Failed to decode AP-REQ: %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
goto out; goto out;
} }
@@ -1062,12 +1062,12 @@ tgs_parse_request(krb5_context context,
ret = KRB5KDC_ERR_POLICY; /* ? */ ret = KRB5KDC_ERR_POLICY; /* ? */
goto out; goto out;
} }
_krb5_principalname2krb5_principal(context, _krb5_principalname2krb5_principal(context,
&princ, &princ,
ap_req.ticket.sname, ap_req.ticket.sname,
ap_req.ticket.realm); ap_req.ticket.realm);
ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, NULL, krbtgt); ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, NULL, krbtgt);
if(ret) { if(ret) {
@@ -1084,8 +1084,8 @@ tgs_parse_request(krb5_context context,
ret = KRB5KRB_AP_ERR_NOT_US; ret = KRB5KRB_AP_ERR_NOT_US;
goto out; goto out;
} }
if(ap_req.ticket.enc_part.kvno && if(ap_req.ticket.enc_part.kvno &&
*ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){ *ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
char *p; char *p;
@@ -1094,7 +1094,7 @@ tgs_parse_request(krb5_context context,
if (ret != 0) if (ret != 0)
p = "<unparse_name failed>"; p = "<unparse_name failed>";
kdc_log(context, config, 0, kdc_log(context, config, 0,
"Ticket kvno = %d, DB kvno = %d (%s)", "Ticket kvno = %d, DB kvno = %d (%s)",
*ap_req.ticket.enc_part.kvno, *ap_req.ticket.enc_part.kvno,
(*krbtgt)->entry.kvno, (*krbtgt)->entry.kvno,
p); p);
@@ -1106,7 +1106,7 @@ tgs_parse_request(krb5_context context,
*krbtgt_etype = ap_req.ticket.enc_part.etype; *krbtgt_etype = ap_req.ticket.enc_part.etype;
ret = hdb_enctype2key(context, &(*krbtgt)->entry, ret = hdb_enctype2key(context, &(*krbtgt)->entry,
ap_req.ticket.enc_part.etype, &tkey); ap_req.ticket.enc_part.etype, &tkey);
if(ret){ if(ret){
char *str = NULL, *p = NULL; char *str = NULL, *p = NULL;
@@ -1122,7 +1122,7 @@ tgs_parse_request(krb5_context context,
ret = KRB5KRB_AP_ERR_BADKEYVER; ret = KRB5KRB_AP_ERR_BADKEYVER;
goto out; goto out;
} }
if (b->kdc_options.validate) if (b->kdc_options.validate)
verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID; verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID;
else else
@@ -1137,10 +1137,10 @@ tgs_parse_request(krb5_context context,
&ap_req_options, &ap_req_options,
ticket, ticket,
KRB5_KU_TGS_REQ_AUTH); KRB5_KU_TGS_REQ_AUTH);
krb5_free_principal(context, princ); krb5_free_principal(context, princ);
if(ret) { if(ret) {
kdc_log(context, config, 0, "Failed to verify AP-REQ: %s", kdc_log(context, config, 0, "Failed to verify AP-REQ: %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
goto out; goto out;
} }
@@ -1168,7 +1168,7 @@ tgs_parse_request(krb5_context context,
} }
} }
ret = tgs_check_authenticator(context, config, ret = tgs_check_authenticator(context, config,
ac, b, e_text, &(*ticket)->ticket.key); ac, b, e_text, &(*ticket)->ticket.key);
if (ret) { if (ret) {
krb5_auth_con_free(context, ac); krb5_auth_con_free(context, ac);
@@ -1185,7 +1185,7 @@ tgs_parse_request(krb5_context context,
&subkey); &subkey);
if(ret){ if(ret){
krb5_auth_con_free(context, ac); krb5_auth_con_free(context, ac);
kdc_log(context, config, 0, "Failed to get remote subkey: %s", kdc_log(context, config, 0, "Failed to get remote subkey: %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
goto out; goto out;
} }
@@ -1194,7 +1194,7 @@ tgs_parse_request(krb5_context context,
ret = krb5_auth_con_getkey(context, ac, &subkey); ret = krb5_auth_con_getkey(context, ac, &subkey);
if(ret) { if(ret) {
krb5_auth_con_free(context, ac); krb5_auth_con_free(context, ac);
kdc_log(context, config, 0, "Failed to get session key: %s", kdc_log(context, config, 0, "Failed to get session key: %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
goto out; goto out;
} }
@@ -1221,7 +1221,7 @@ tgs_parse_request(krb5_context context,
krb5_crypto_destroy(context, crypto); krb5_crypto_destroy(context, crypto);
if(ret){ if(ret){
krb5_auth_con_free(context, ac); krb5_auth_con_free(context, ac);
kdc_log(context, config, 0, kdc_log(context, config, 0,
"Failed to decrypt enc-authorization-data"); "Failed to decrypt enc-authorization-data");
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
goto out; goto out;
@@ -1245,10 +1245,10 @@ tgs_parse_request(krb5_context context,
} }
krb5_auth_con_free(context, ac); krb5_auth_con_free(context, ac);
out: out:
free_AP_REQ(&ap_req); free_AP_REQ(&ap_req);
return ret; return ret;
} }
@@ -1260,7 +1260,7 @@ tgs_build_referral(krb5_context context,
const PrincipalName *true_principal_name, const PrincipalName *true_principal_name,
const PrincipalName *requested_principal, const PrincipalName *requested_principal,
krb5_data *outdata) krb5_data *outdata)
{ {
PA_ServerReferralData ref; PA_ServerReferralData ref;
krb5_error_code ret; krb5_error_code ret;
EncryptedData ed; EncryptedData ed;
@@ -1278,7 +1278,7 @@ tgs_build_referral(krb5_context context,
goto eout; goto eout;
} }
if (true_principal_name) { if (true_principal_name) {
ref.true_principal_name = ref.true_principal_name =
malloc(sizeof(ref.true_principal_name)); malloc(sizeof(ref.true_principal_name));
if (ref.true_principal_name == NULL) if (ref.true_principal_name == NULL)
goto eout; goto eout;
@@ -1287,17 +1287,17 @@ tgs_build_referral(krb5_context context,
goto eout; goto eout;
} }
if (requested_principal) { if (requested_principal) {
ref.requested_principal_name = ref.requested_principal_name =
malloc(sizeof(ref.requested_principal_name)); malloc(sizeof(ref.requested_principal_name));
if (ref.requested_principal_name == NULL) if (ref.requested_principal_name == NULL)
goto eout; goto eout;
ret = copy_PrincipalName(requested_principal, ret = copy_PrincipalName(requested_principal,
ref.requested_principal_name); ref.requested_principal_name);
if (ret) if (ret)
goto eout; goto eout;
} }
ASN1_MALLOC_ENCODE(PA_ServerReferralData, ASN1_MALLOC_ENCODE(PA_ServerReferralData,
data.data, data.length, data.data, data.length,
&ref, &size, ret); &ref, &size, ret);
free_PA_ServerReferralData(&ref); free_PA_ServerReferralData(&ref);
@@ -1314,7 +1314,7 @@ tgs_build_referral(krb5_context context,
if (ret) if (ret)
return ret; return ret;
ASN1_MALLOC_ENCODE(EncryptedData, ASN1_MALLOC_ENCODE(EncryptedData,
outdata->data, outdata->length, outdata->data, outdata->length,
&ed, &size, ret); &ed, &size, ret);
free_EncryptedData(&ed); free_EncryptedData(&ed);
@@ -1331,9 +1331,9 @@ eout:
} }
static krb5_error_code static krb5_error_code
tgs_build_reply(krb5_context context, tgs_build_reply(krb5_context context,
krb5_kdc_configuration *config, krb5_kdc_configuration *config,
KDC_REQ *req, KDC_REQ *req,
KDC_REQ_BODY *b, KDC_REQ_BODY *b,
hdb_entry_ex *krbtgt, hdb_entry_ex *krbtgt,
krb5_enctype krbtgt_etype, krb5_enctype krbtgt_etype,
@@ -1378,8 +1378,8 @@ tgs_build_reply(krb5_context context,
hdb_entry_ex *uu; hdb_entry_ex *uu;
krb5_principal p; krb5_principal p;
Key *uukey; Key *uukey;
if(b->additional_tickets == NULL || if(b->additional_tickets == NULL ||
b->additional_tickets->len == 0){ b->additional_tickets->len == 0){
ret = KRB5KDC_ERR_BADOPTION; /* ? */ ret = KRB5KDC_ERR_BADOPTION; /* ? */
kdc_log(context, config, 0, kdc_log(context, config, 0,
@@ -1394,8 +1394,8 @@ tgs_build_reply(krb5_context context,
goto out; goto out;
} }
_krb5_principalname2krb5_principal(context, &p, t->sname, t->realm); _krb5_principalname2krb5_principal(context, &p, t->sname, t->realm);
ret = _kdc_db_fetch(context, config, p, ret = _kdc_db_fetch(context, config, p,
HDB_F_GET_CLIENT|HDB_F_GET_SERVER, HDB_F_GET_CLIENT|HDB_F_GET_SERVER,
NULL, &uu); NULL, &uu);
krb5_free_principal(context, p); krb5_free_principal(context, p);
if(ret){ if(ret){
@@ -1403,7 +1403,7 @@ tgs_build_reply(krb5_context context,
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto out; goto out;
} }
ret = hdb_enctype2key(context, &uu->entry, ret = hdb_enctype2key(context, &uu->entry,
t->enc_part.etype, &uukey); t->enc_part.etype, &uukey);
if(ret){ if(ret){
_kdc_free_ent(context, uu); _kdc_free_ent(context, uu);
@@ -1436,7 +1436,7 @@ tgs_build_reply(krb5_context context,
opt_str, sizeof(opt_str)); opt_str, sizeof(opt_str));
if(*opt_str) if(*opt_str)
kdc_log(context, config, 0, kdc_log(context, config, 0,
"TGS-REQ %s from %s for %s [%s]", "TGS-REQ %s from %s for %s [%s]",
cpn, from, spn, opt_str); cpn, from, spn, opt_str);
else else
kdc_log(context, config, 0, kdc_log(context, config, 0,
@@ -1459,11 +1459,11 @@ server_lookup:
new_rlm = find_rpath(context, tgt->crealm, req_rlm); new_rlm = find_rpath(context, tgt->crealm, req_rlm);
if(new_rlm) { if(new_rlm) {
kdc_log(context, config, 5, "krbtgt for realm %s " kdc_log(context, config, 5, "krbtgt for realm %s "
"not found, trying %s", "not found, trying %s",
req_rlm, new_rlm); req_rlm, new_rlm);
krb5_free_principal(context, sp); krb5_free_principal(context, sp);
free(spn); free(spn);
krb5_make_principal(context, &sp, r, krb5_make_principal(context, &sp, r,
KRB5_TGS_NAME, new_rlm, NULL); KRB5_TGS_NAME, new_rlm, NULL);
ret = krb5_unparse_name(context, sp, &spn); ret = krb5_unparse_name(context, sp, &spn);
if (ret) if (ret)
@@ -1508,7 +1508,7 @@ server_lookup:
ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT, NULL, &client); ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT, NULL, &client);
if(ret) { if(ret) {
const char *krbtgt_realm; const char *krbtgt_realm;
/* /*
* If the client belongs to the same realm as our krbtgt, it * If the client belongs to the same realm as our krbtgt, it
@@ -1516,8 +1516,8 @@ server_lookup:
* *
*/ */
krbtgt_realm = krbtgt_realm =
krb5_principal_get_comp_string(context, krb5_principal_get_comp_string(context,
krbtgt->entry.principal, 1); krbtgt->entry.principal, 1);
if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) { if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
@@ -1533,7 +1533,7 @@ server_lookup:
cross_realm = 1; cross_realm = 1;
} }
/* /*
* Select enctype, return key and kvno. * Select enctype, return key and kvno.
*/ */
@@ -1548,7 +1548,7 @@ server_lookup:
if (b->etype.val[i] == adtkt.key.keytype) if (b->etype.val[i] == adtkt.key.keytype)
break; break;
if(i == b->etype.len) { if(i == b->etype.len) {
kdc_log(context, config, 0, kdc_log(context, config, 0,
"Addition ticket have not matching etypes", spp); "Addition ticket have not matching etypes", spp);
krb5_clear_error_string(context); krb5_clear_error_string(context);
return KRB5KDC_ERR_ETYPE_NOSUPP; return KRB5KDC_ERR_ETYPE_NOSUPP;
@@ -1557,11 +1557,11 @@ server_lookup:
kvno = 0; kvno = 0;
} else { } else {
Key *skey; Key *skey;
ret = _kdc_find_etype(context, server, b->etype.val, b->etype.len, ret = _kdc_find_etype(context, server, b->etype.val, b->etype.len,
&skey, &etype); &skey, &etype);
if(ret) { if(ret) {
kdc_log(context, config, 0, kdc_log(context, config, 0,
"Server (%s) has no support for etypes", spp); "Server (%s) has no support for etypes", spp);
return ret; return ret;
} }
@@ -1583,10 +1583,10 @@ server_lookup:
* not the same, it's someone that is using a uni-directional trust * not the same, it's someone that is using a uni-directional trust
* backward. * backward.
*/ */
if (strcmp(krb5_principal_get_realm(context, sp), if (strcmp(krb5_principal_get_realm(context, sp),
krb5_principal_get_comp_string(context, krb5_principal_get_comp_string(context,
krbtgt->entry.principal, krbtgt->entry.principal,
1)) != 0) { 1)) != 0) {
char *tpn; char *tpn;
ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn); ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
@@ -1603,7 +1603,7 @@ server_lookup:
if (!cross_realm) { if (!cross_realm) {
Key *tkey; Key *tkey;
ret = hdb_enctype2key(context, &krbtgt->entry, ret = hdb_enctype2key(context, &krbtgt->entry,
krbtgt_etype, &tkey); krbtgt_etype, &tkey);
if(ret) { if(ret) {
kdc_log(context, config, 0, kdc_log(context, config, 0,
@@ -1611,7 +1611,7 @@ server_lookup:
goto out; goto out;
} }
ret = check_PAC(context, config, cp, ret = check_PAC(context, config, cp,
client, server, ekey, &tkey->key, client, server, ekey, &tkey->key,
tgt, &rspac, &signedpath); tgt, &rspac, &signedpath);
if (ret) { if (ret) {
@@ -1654,7 +1654,7 @@ server_lookup:
char *selfcpn = NULL; char *selfcpn = NULL;
const char *str; const char *str;
ret = decode_PA_S4U2Self(sdata->padata_value.data, ret = decode_PA_S4U2Self(sdata->padata_value.data,
sdata->padata_value.length, sdata->padata_value.length,
&self, NULL); &self, NULL);
if (ret) { if (ret) {
@@ -1678,14 +1678,14 @@ server_lookup:
ret = krb5_verify_checksum(context, ret = krb5_verify_checksum(context,
crypto, crypto,
KRB5_KU_OTHER_CKSUM, KRB5_KU_OTHER_CKSUM,
datack.data, datack.data,
datack.length, datack.length,
&self.cksum); &self.cksum);
krb5_data_free(&datack); krb5_data_free(&datack);
krb5_crypto_destroy(context, crypto); krb5_crypto_destroy(context, crypto);
if (ret) { if (ret) {
free_PA_S4U2Self(&self); free_PA_S4U2Self(&self);
kdc_log(context, config, 0, kdc_log(context, config, 0,
"krb5_verify_checksum failed for S4U2Self: %s", "krb5_verify_checksum failed for S4U2Self: %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
goto out; goto out;
@@ -1748,7 +1748,7 @@ server_lookup:
Ticket *t; Ticket *t;
char *str; char *str;
/* /*
* Require that the KDC have issued the service's krbtgt (not * Require that the KDC have issued the service's krbtgt (not
* self-issued ticket with kimpersonate(1). * self-issued ticket with kimpersonate(1).
*/ */
@@ -1762,7 +1762,7 @@ server_lookup:
t = &b->additional_tickets->val[0]; t = &b->additional_tickets->val[0];
ret = hdb_enctype2key(context, &client->entry, ret = hdb_enctype2key(context, &client->entry,
t->enc_part.etype, &clientkey); t->enc_part.etype, &clientkey);
if(ret){ if(ret){
ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */ ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
@@ -1789,7 +1789,7 @@ server_lookup:
ret = check_constrained_delegation(context, config, client, sp); ret = check_constrained_delegation(context, config, client, sp);
if (ret) { if (ret) {
kdc_log(context, config, 0, kdc_log(context, config, 0,
"constrained delegation from %s to %s not allowed", "constrained delegation from %s to %s not allowed",
spn, cpn); spn, cpn);
goto out; goto out;
} }
@@ -1841,15 +1841,15 @@ server_lookup:
* Check flags * Check flags
*/ */
ret = _kdc_check_flags(context, config, ret = _kdc_check_flags(context, config,
client, cpn, client, cpn,
server, spn, server, spn,
FALSE); FALSE);
if(ret) if(ret)
goto out; goto out;
if((b->kdc_options.validate || b->kdc_options.renew) && if((b->kdc_options.validate || b->kdc_options.renew) &&
!krb5_principal_compare(context, !krb5_principal_compare(context,
krbtgt->entry.principal, krbtgt->entry.principal,
server->entry.principal)){ server->entry.principal)){
kdc_log(context, config, 0, "Inconsistent request."); kdc_log(context, config, 0, "Inconsistent request.");
@@ -1909,19 +1909,19 @@ server_lookup:
*/ */
ret = tgs_make_reply(context, ret = tgs_make_reply(context,
config, config,
b, b,
client_principal, client_principal,
tgt, tgt,
ekey, ekey,
&sessionkey, &sessionkey,
kvno, kvno,
*auth_data, *auth_data,
server, server,
spn, spn,
client, client,
cp, cp,
krbtgt, krbtgt,
krbtgt_etype, krbtgt_etype,
spp, spp,
&rspac, &rspac,
@@ -1931,7 +1931,7 @@ server_lookup:
out: out:
free(spn); free(spn);
free(cpn); free(cpn);
krb5_data_free(&rspac); krb5_data_free(&rspac);
krb5_free_keyblock_contents(context, &sessionkey); krb5_free_keyblock_contents(context, &sessionkey);
if(server) if(server)
@@ -1958,9 +1958,9 @@ out:
*/ */
krb5_error_code krb5_error_code
_kdc_tgs_rep(krb5_context context, _kdc_tgs_rep(krb5_context context,
krb5_kdc_configuration *config, krb5_kdc_configuration *config,
KDC_REQ *req, KDC_REQ *req,
krb5_data *data, krb5_data *data,
const char *from, const char *from,
struct sockaddr *from_addr, struct sockaddr *from_addr,
@@ -1985,17 +1985,17 @@ _kdc_tgs_rep(krb5_context context,
"TGS-REQ from %s without PA-DATA", from); "TGS-REQ from %s without PA-DATA", from);
goto out; goto out;
} }
tgs_req = _kdc_find_padata(req, &i, KRB5_PADATA_TGS_REQ); tgs_req = _kdc_find_padata(req, &i, KRB5_PADATA_TGS_REQ);
if(tgs_req == NULL){ if(tgs_req == NULL){
ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
kdc_log(context, config, 0, kdc_log(context, config, 0,
"TGS-REQ from %s without PA-TGS-REQ", from); "TGS-REQ from %s without PA-TGS-REQ", from);
goto out; goto out;
} }
ret = tgs_parse_request(context, config, ret = tgs_parse_request(context, config,
&req->req_body, tgs_req, &req->req_body, tgs_req,
&krbtgt, &krbtgt,
&krbtgt_etype, &krbtgt_etype,
@@ -2005,7 +2005,7 @@ _kdc_tgs_rep(krb5_context context,
&csec, &cusec, &csec, &cusec,
&auth_data); &auth_data);
if (ret) { if (ret) {
kdc_log(context, config, 0, kdc_log(context, config, 0,
"Failed parsing TGS-REQ from %s", from); "Failed parsing TGS-REQ from %s", from);
goto out; goto out;
} }
@@ -2024,7 +2024,7 @@ _kdc_tgs_rep(krb5_context context,
from_addr, from_addr,
datagram_reply); datagram_reply);
if (ret) { if (ret) {
kdc_log(context, config, 0, kdc_log(context, config, 0,
"Failed building TGS-REP to %s", from); "Failed building TGS-REP to %s", from);
goto out; goto out;
} }