diff --git a/kdc/gss_preauth.c b/kdc/gss_preauth.c
index 58a627c2e..8cbcfa61e 100644
--- a/kdc/gss_preauth.c
+++ b/kdc/gss_preauth.c
@@ -1017,7 +1017,7 @@ pa_gss_display_name(gss_name_t name,
 struct pa_gss_finalize_pac_plugin_ctx {
 astgs_request_t r;
- krb5_pac mspac;
+ krb5_pac pac;
 krb5_data *pac_data;
 };
@@ -1031,7 +1031,7 @@ pa_gss_finalize_pac_cb(krb5_context context,
 struct pa_gss_finalize_pac_plugin_ctx *pa_gss_finalize_pac_ctx = userctx;
 return authorizer->finalize_pac(plugctx, context,
- pa_gss_finalize_pac_ctx->mspac,
+ pa_gss_finalize_pac_ctx->pac,
 pa_gss_finalize_pac_ctx->pac_data);
 }
@@ -1039,12 +1039,12 @@ pa_gss_finalize_pac_cb(krb5_context context,
 krb5_error_code _kdc_gss_finalize_pac(astgs_request_t r, gss_client_params *gcp,
- krb5_pac mspac)
+ krb5_pac pac)
 {
 krb5_error_code ret;
 struct pa_gss_finalize_pac_plugin_ctx ctx;
- ctx.mspac = mspac;
+ ctx.pac = pac;
 ctx.pac_data = &gcp->pac_data;
 krb5_clear_error_message(r->context);
diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 78e785cfc..1dffc3dc5 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -605,13 +605,13 @@ out:
 }
 static krb5_error_code
-pa_gss_finalize_pac(astgs_request_t r, krb5_pac mspac)
+pa_gss_finalize_pac(astgs_request_t r)
 {
 gss_client_params *gcp = (gss_client_params *)r->pa_state;
 heim_assert(gcp != NULL, "invalid GSS-API client params");
- return _kdc_gss_finalize_pac(r, gcp, mspac);
+ return _kdc_gss_finalize_pac(r, gcp, r->pac);
 }
 static void
@@ -985,7 +985,7 @@ struct kdc_patypes {
 krb5_error_code (*validate)(astgs_request_t, const PA_DATA *pa, struct kdc_pa_auth_status *auth_status);
- krb5_error_code (*finalize_pac)(astgs_request_t r, krb5_pac mspac);
+ krb5_error_code (*finalize_pac)(astgs_request_t r);
 void (*cleanup)(astgs_request_t r);
 };
@@ -1860,7 +1860,6 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
 krb5_boolean is_tgs)
 {
 krb5_error_code ret;
- krb5_pac p = NULL;
 krb5_data data;
 uint16_t rodc_id;
 krb5_principal client;
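Review bot: The `finalize_pac` member of `struct kdc_patypes` (hunk `@@ -985` in kdc/kerberos5.c) no longer shows in its signature that it works on a PAC, and nothing documents the new contract. Going by the generate_pac hunks later in this file, the callback runs after `r->pac` has been filled in and before generate_pac signs and frees it, so an implementation that released or swapped the pointer would lead to a double free or a signature over the wrong object. I would add a comment above the member, e.g. `/* Called with r->pac populated; the callee must not free or replace it. */`. `pa_gss_finalize_pac` in hunk `@@ -605` asserts on `gcp` but forwards `r->pac` unchecked, which holds only while that call ordering is kept.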
@@ -1886,13 +1885,13 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
 r->pa_used && !pa_used_flag_isset(r, PA_USES_LONG_TERM_KEY) ? &r->reply_key : NULL, r->pac_attributes,
- &p);
+ &r->pac);
 if (ret) {
 _kdc_r_log(r, 4, "PAC generation failed for -- %s", r->cname);
 return ret;
 }
- if (p == NULL)
+ if (r->pac == NULL)
 return 0;
 rodc_id = r->server->entry.kvno >> 16;
@@ -1900,10 +1899,8 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
 /* libkrb5 expects ticket and PAC client names to match */
 ret = _krb5_principalname2krb5_principal(r->context, &client, r->et.cname, r->et.crealm);
- if (ret) {
- krb5_pac_free(r->context, p);
+ if (ret)
 return ret;
- }
 /*
 * Include the canonical name of the principal in the authorization
@@ -1923,14 +1920,14 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
 }
 if (r->pa_used && r->pa_used->finalize_pac) {
- ret = r->pa_used->finalize_pac(r, p);
- if (ret) {
- krb5_pac_free(r->context, p);
+ ret = r->pa_used->finalize_pac(r);
+ if (ret)
 return ret;
- }
 }
- ret = _krb5_pac_sign(r->context, p, r->et.authtime,
+ ret = _krb5_pac_sign(r->context,
+ r->pac,
+ r->et.authtime,
 client, &skey->key, /* Server key */
 &tkey->key, /* TGS key */
@@ -1940,7 +1937,8 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
 is_tgs ? &r->pac_attributes : NULL, &data);
 krb5_free_principal(r->context, client);
- krb5_pac_free(r->context, p);
+ krb5_pac_free(r->context, r->pac);
+ r->pac = NULL;
 if (ret) {
 _kdc_r_log(r, 4, "PAC signing failed for -- %s", r->cname);
@@ -2819,6 +2817,7 @@ out:
 krb5_free_keyblock_contents(r->context, &r->reply_key);
 krb5_free_keyblock_contents(r->context, &r->session_key);
 krb5_free_keyblock_contents(r->context, &r->strengthen_key);
+ krb5_pac_free(r->context, r->pac);
 return ret;
 }
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index aa636ca85..3dd29b1e0 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
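Review bot: The cleanup added under `out:` in hunk `@@ -2819` of kdc/kerberos5.c frees `r->pac` but leaves the stale pointer in the request, while every other free this commit touches is followed by `= NULL`. generate_pac's error returns (hunks `@@ -1900` and `@@ -1923`) now rely on this path to release the PAC, and the request appears to be owned by the caller, so any later cleanup pass over the same request would free the PAC a second time. I would write `krb5_pac_free(r->context, r->pac); r->pac = NULL;` here and in the matching `out:` addition in kdc/krb5tgs.c (hunk `@@ -2647`). Whether the request is reused or torn down again after this point is not visible in the diff; the enclosing function starts outside the hunk.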
@@ -599,7 +599,6 @@ tgs_make_reply(astgs_request_t r,
 hdb_entry_ex *client,
 krb5_principal client_principal,
 const char *tgt_realm,
- krb5_pac mspac,
 uint16_t rodc_id,
 krb5_boolean add_ticket_sig,
 const METHOD_DATA *enc_pa_data)
@@ -824,7 +823,7 @@ tgs_make_reply(astgs_request_t r,
 * restrictive authorization data. Policy for unknown authorization types
 * is implementation dependent.
 */
- if (mspac && !et.flags.anonymous) {
+ if (r->pac && !et.flags.anonymous) {
 _kdc_audit_addkv((kdc_request_t)r, 0, "pac_attributes", "%lx", (long)r->pac_attributes);
@@ -837,7 +836,7 @@ tgs_make_reply(astgs_request_t r,
 krb5_boolean is_tgs = krb5_principal_is_krbtgt(r->context, server->entry.principal);
- ret = _krb5_kdc_pac_sign_ticket(r->context, mspac, tgt_name, serverkey,
+ ret = _krb5_kdc_pac_sign_ticket(r->context, r->pac, tgt_name, serverkey,
 krbtgtkey, rodc_id, NULL, r->client_princ, add_ticket_sig, &et, is_tgs ? &r->pac_attributes : NULL);
@@ -1479,7 +1478,6 @@ tgs_build_reply(astgs_request_t priv,
 const EncryptionKey *ekey;
 krb5_keyblock sessionkey;
 krb5_kvno kvno;
- krb5_pac mspac = NULL;
 krb5_pac user2user_pac = NULL;
 uint16_t rodc_id;
 krb5_boolean add_ticket_sig = FALSE;
@@ -1992,7 +1990,7 @@ server_lookup:
 ret = _kdc_check_pac(context, config, cp, NULL, client, server, krbtgt, krbtgt, &priv->ticket_key->key, &priv->ticket_key->key, tgt,
- &kdc_issued, &mspac, &priv->client_princ, &priv->pac_attributes);
+ &kdc_issued, &priv->pac, &priv->client_princ, &priv->pac_attributes);
 if (ret) {
 const char *msg = krb5_get_error_message(context, ret);
 _kdc_audit_addreason((kdc_request_t)priv, "PAC check failed");
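Review bot: Dropping the `krb5_pac mspac = NULL;` local in hunk `@@ -1479` removes the only visible initialisation of the PAC pointer used by tgs_build_reply. The `priv->pac == NULL` policy checks (hunks `@@ -2214` and `@@ -2339`) and the free on the request's `out:` path now depend on the request having been zero-initialised before this function runs, including on any `goto out` taken before `_kdc_check_pac` writes the field; that allocation is not shown in this diff. I would state the precondition where the local used to be, e.g. `heim_assert(priv->pac == NULL, "stale PAC on TGS request");` (heim_assert is already used in kdc/kerberos5.c), or at least a comment saying who initialises and who frees `priv->pac`. The function body runs well beyond these hunks.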
@@ -2146,15 +2144,15 @@ server_lookup:
 goto out; /* kdc_check_flags() calls _kdc_audit_addreason() */
 /* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
- krb5_pac_free(context, mspac);
- mspac = NULL;
+ krb5_pac_free(context, priv->pac);
+ priv->pac = NULL;
 ret = _kdc_pac_generate(context, s4u2self_impersonated_client, server, NULL, KRB5_PAC_WAS_GIVEN_IMPLICITLY,
- &mspac);
+ &priv->pac);
 if (ret) {
 kdc_log(context, config, 4, "PAC generation failed for -- %s", tpn);
 goto out;
@@ -2214,7 +2212,7 @@ server_lookup:
 /*
 * We require that the service's krbtgt has a PAC.
 */
- if (mspac == NULL) {
+ if (priv->pac == NULL) {
 ret = KRB5KDC_ERR_BADOPTION;
 _kdc_audit_addreason((kdc_request_t)priv, "Missing PAC");
 kdc_log(context, config, 4,
@@ -2223,8 +2221,8 @@ server_lookup:
 goto out;
 }
- krb5_pac_free(context, mspac);
- mspac = NULL;
+ krb5_pac_free(context, priv->pac);
+ priv->pac = NULL;
 krb5_free_principal(context, priv->client_princ);
 priv->client_princ = NULL;
@@ -2324,7 +2322,7 @@ server_lookup:
 */
 ret = _kdc_check_pac(context, config, tp, dp, adclient, server, krbtgt, client, &clientkey->key, &priv->ticket_key->key, &adtkt,
- &ad_kdc_issued, &mspac, &priv->client_princ, &priv->pac_attributes);
+ &ad_kdc_issued, &priv->pac, &priv->client_princ, &priv->pac_attributes);
 if (adclient) _kdc_free_ent(context, adclient);
 if (ret) {
@@ -2339,12 +2337,12 @@ server_lookup:
 goto out;
 }
- if (mspac == NULL || !ad_kdc_issued) {
+ if (priv->pac == NULL || !ad_kdc_issued) {
 ret = KRB5KDC_ERR_BADOPTION;
 kdc_log(context, config, 4, "Ticket not signed with PAC; service %s failed for " "for delegation to %s for client %s (%s) from %s; (%s).",
- spn, tpn, dpn, cpn, from, mspac ? "Ticket unsigned" : "No PAC");
+ spn, tpn, dpn, cpn, from, priv->pac ? "Ticket unsigned" : "No PAC");
 _kdc_audit_addreason((kdc_request_t)priv, "Constrained delegation ticket not signed");
 goto out;
@@ -2472,7 +2470,6 @@ server_lookup:
 client,
 cp,
 tgt_realm,
- mspac,
 rodc_id,
 add_ticket_sig,
 &enc_pa_data);
@@ -2509,7 +2506,6 @@ out:
 free_EncTicketPart(&adtkt);
- krb5_pac_free(context, mspac);
 krb5_pac_free(context, user2user_pac);
 return ret;
@@ -2647,6 +2643,7 @@ out:
 _kdc_free_ent(r->context, krbtgt);
 _kdc_free_fast_state(&r->fast);
+ krb5_pac_free(r->context, r->pac);
 if (auth_data) {
 free_AuthorizationData(auth_data);