krb5_enctype_is_disabled is the same thing as krb5_enctype_valid, so
use the later since its older and the api doesn't really need another entry point git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@14487 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 1997-2003 Kungliga Tekniska H<>gskolan
|
||||
* Copyright (c) 1997-2005 Kungliga Tekniska H<>gskolan
|
||||
* (Royal Institute of Technology, Stockholm, Sweden).
|
||||
* All rights reserved.
|
||||
*
|
||||
@@ -97,7 +97,7 @@ find_etype(hdb_entry *princ, krb5_enctype *etypes, unsigned len,
|
||||
for(i = 0; ret != 0 && i < len ; i++) {
|
||||
Key *key = NULL;
|
||||
|
||||
if (krb5_enctype_is_disabled(context, etypes[i]))
|
||||
if (krb5_enctype_valid(context, etypes[i]) != 0)
|
||||
continue;
|
||||
|
||||
while (hdb_next_enctype2key(context, princ, etypes[i], &key) == 0) {
|
||||
@@ -348,7 +348,7 @@ get_pa_etype_info(METHOD_DATA *md, hdb_entry *client,
|
||||
goto skip1;
|
||||
for(i = 0; i < client->keys.len; i++) {
|
||||
if(client->keys.val[i].key.keytype == etypes[j]) {
|
||||
if (krb5_enctype_is_disabled(context, etypes[j]))
|
||||
if (krb5_enctype_valid(context, etypes[j]) != 0)
|
||||
continue;
|
||||
if((ret = make_etype_info_entry(&pa.val[n++],
|
||||
&client->keys.val[i])) != 0) {
|
||||
@@ -364,7 +364,7 @@ get_pa_etype_info(METHOD_DATA *md, hdb_entry *client,
|
||||
if(client->keys.val[i].key.keytype == etypes[j])
|
||||
goto skip2;
|
||||
}
|
||||
if (krb5_enctype_is_disabled(context, client->keys.val[i].key.keytype))
|
||||
if (krb5_enctype_valid(context, client->keys.val[i].key.keytype) != 0)
|
||||
continue;
|
||||
if((ret = make_etype_info_entry(&pa.val[n++],
|
||||
&client->keys.val[i])) != 0) {
|
||||
@@ -500,7 +500,7 @@ get_pa_etype_info2(METHOD_DATA *md, hdb_entry *client,
|
||||
goto skip1;
|
||||
for(i = 0; i < client->keys.len; i++) {
|
||||
if(client->keys.val[i].key.keytype == etypes[j]) {
|
||||
if (krb5_enctype_is_disabled(context, etypes[j]))
|
||||
if (krb5_enctype_valid(context, etypes[j]) != 0)
|
||||
continue;
|
||||
if((ret = make_etype_info2_entry(&pa.val[n++],
|
||||
&client->keys.val[i])) != 0) {
|
||||
@@ -516,7 +516,7 @@ get_pa_etype_info2(METHOD_DATA *md, hdb_entry *client,
|
||||
if(client->keys.val[i].key.keytype == etypes[j])
|
||||
goto skip2;
|
||||
}
|
||||
if (krb5_enctype_is_disabled(context, client->keys.val[i].key.keytype))
|
||||
if (krb5_enctype_valid(context, client->keys.val[i].key.keytype) != 0)
|
||||
continue;
|
||||
if((ret = make_etype_info2_entry(&pa.val[n++],
|
||||
&client->keys.val[i])) != 0) {
|
||||
@@ -1408,6 +1408,7 @@ tgs_make_reply(KDC_REQ_BODY *b,
|
||||
EncTicketPart *tgt,
|
||||
EncTicketPart *adtkt,
|
||||
AuthorizationData *auth_data,
|
||||
krb5_data *referral,
|
||||
hdb_entry *server,
|
||||
hdb_entry *client,
|
||||
krb5_principal client_principal,
|
||||
@@ -1455,6 +1456,7 @@ tgs_make_reply(KDC_REQ_BODY *b,
|
||||
|
||||
rep.pvno = 5;
|
||||
rep.msg_type = krb_tgs_rep;
|
||||
rep.padata = NULL;
|
||||
|
||||
et.authtime = tgt->authtime;
|
||||
fix_time(&b->till);
|
||||
@@ -1564,8 +1566,7 @@ tgs_make_reply(KDC_REQ_BODY *b,
|
||||
|
||||
ek.key = et.key;
|
||||
/* MIT must have at least one last_req */
|
||||
ek.last_req.len = 1;
|
||||
ek.last_req.val = calloc(1, sizeof(*ek.last_req.val));
|
||||
ALLOC_SEQ(&ek.last_req, 1);
|
||||
ek.nonce = b->nonce;
|
||||
ek.flags = et.flags;
|
||||
ek.authtime = et.authtime;
|
||||
@@ -1575,6 +1576,45 @@ tgs_make_reply(KDC_REQ_BODY *b,
|
||||
ek.srealm = rep.ticket.realm;
|
||||
ek.sname = rep.ticket.sname;
|
||||
|
||||
if (referral) {
|
||||
krb5_crypto crypto;
|
||||
EncryptedData enc;
|
||||
size_t len;
|
||||
|
||||
ALLOC(rep.padata);
|
||||
ALLOC_SEQ(rep.padata, 1);
|
||||
rep.padata->val[0].padata_type = KRB5_PADATA_SERVER_REFERRAL;
|
||||
|
||||
ret = krb5_crypto_init(context, &et.key, 0, &crypto);
|
||||
if (ret) {
|
||||
kdc_log(0, "krb5_crypto_init failed: %s",
|
||||
krb5_get_err_text(context, ret));
|
||||
goto out;
|
||||
}
|
||||
ret = krb5_encrypt_EncryptedData(context,
|
||||
crypto,
|
||||
KRB5_KU_PA_SERVER_REFERRAL,
|
||||
referral->data,
|
||||
referral->length,
|
||||
0,
|
||||
&enc);
|
||||
krb5_crypto_destroy(context, crypto);
|
||||
if (ret) {
|
||||
kdc_log(0, "referral krb5_encrypt_EncryptedData: %s",
|
||||
krb5_get_err_text(context, ret));
|
||||
goto out;
|
||||
}
|
||||
ASN1_MALLOC_ENCODE(EncryptedData, rep.padata->val[0].padata_value.data,
|
||||
rep.padata->val[0].padata_value.length, &enc,
|
||||
&len, ret);
|
||||
free_EncryptedData(&enc);
|
||||
if (ret) {
|
||||
kdc_log(0, "failed encoding EncryptedData for referral: %s",
|
||||
krb5_get_err_text(context, ret));
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
|
||||
/* It is somewhat unclear where the etype in the following
|
||||
encryption should come from. What we have is a session
|
||||
key in the passed tgt, and a list of preferred etypes
|
||||
@@ -1739,6 +1779,9 @@ tgs_rep2(KDC_REQ_BODY *b,
|
||||
krb5_principal sp = NULL;
|
||||
AuthorizationData *auth_data = NULL;
|
||||
|
||||
krb5_boolean did_referral = FALSE;
|
||||
krb5_data *referral = NULL;
|
||||
|
||||
*csec = NULL;
|
||||
*cusec = NULL;
|
||||
|
||||
@@ -2024,6 +2067,7 @@ tgs_rep2(KDC_REQ_BODY *b,
|
||||
if (ret)
|
||||
goto out;
|
||||
krb5_free_host_realm(context, realms);
|
||||
did_referral = TRUE;
|
||||
goto server_lookup;
|
||||
}
|
||||
krb5_free_host_realm(context, realms);
|
||||
@@ -2082,10 +2126,43 @@ tgs_rep2(KDC_REQ_BODY *b,
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (did_referral) {
|
||||
KrbServerReferralData r;
|
||||
size_t len;
|
||||
|
||||
r.referred_realm = &sp->realm;
|
||||
r.true_principal_name = NULL;
|
||||
|
||||
ALLOC(referral);
|
||||
if (referral == NULL) {
|
||||
kdc_log(0, "malloc: out of memory");
|
||||
e_text = "malloc: out of memory";
|
||||
ret = ENOMEM;
|
||||
goto out;
|
||||
}
|
||||
ASN1_MALLOC_ENCODE(KrbServerReferralData, referral->data,
|
||||
referral->length, &r, &len, ret);
|
||||
if (ret) {
|
||||
kdc_log(0, "failed to encode referral: %s",
|
||||
krb5_get_err_text(context, ret));
|
||||
e_text = "failed to encode referral";
|
||||
goto out;
|
||||
}
|
||||
if (len != referral->length) {
|
||||
krb5_free_data(context, referral);
|
||||
kdc_log(0, "Internal error in ASN.1 encoder");
|
||||
referral = NULL;
|
||||
e_text = "KDC internal error";
|
||||
ret = KRB5KRB_ERR_GENERIC;
|
||||
goto out2;
|
||||
}
|
||||
}
|
||||
|
||||
ret = tgs_make_reply(b,
|
||||
tgt,
|
||||
b->kdc_options.enc_tkt_in_skey ? &adtkt : NULL,
|
||||
auth_data,
|
||||
referral,
|
||||
server,
|
||||
client,
|
||||
cp,
|
||||
@@ -2102,6 +2179,8 @@ tgs_rep2(KDC_REQ_BODY *b,
|
||||
free_ent(server);
|
||||
if(client)
|
||||
free_ent(client);
|
||||
if (referral)
|
||||
krb5_free_data(context, referral);
|
||||
}
|
||||
out2:
|
||||
if(ret) {
|
||||
|
||||
@@ -68,7 +68,7 @@ set_etypes (krb5_context context,
|
||||
krb5_enctype e;
|
||||
if(krb5_string_to_enctype(context, etypes_str[j], &e) != 0)
|
||||
continue;
|
||||
if (krb5_enctype_is_disabled(context, e))
|
||||
if (krb5_enctype_valid(context, e) != 0)
|
||||
continue;
|
||||
etypes[k++] = e;
|
||||
}
|
||||
@@ -436,7 +436,7 @@ default_etypes(krb5_context context, krb5_enctype **etype)
|
||||
int i, n = 0;
|
||||
|
||||
for (i = 0; i < sizeof(p)/sizeof(p[0]); i++) {
|
||||
if (krb5_enctype_is_disabled(context, p[i]))
|
||||
if (krb5_enctype_valid(context, p[i]) != 0)
|
||||
continue;
|
||||
ep = realloc(e, (n + 2) * sizeof(*e));
|
||||
if (ep == NULL) {
|
||||
|
||||
@@ -436,7 +436,7 @@ krb5_verify_ap_req2(krb5_context context,
|
||||
int i;
|
||||
|
||||
for (i = 0; i < etypes.len; i++) {
|
||||
if (!krb5_enctype_is_disabled(context, etypes.val[i])) {
|
||||
if (krb5_enctype_valid(context, etypes.val[i]) == 0) {
|
||||
ac->keytype = etypes.val[i];
|
||||
break;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user