oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

kdc: use PAC from request in _kdc_gss_finalize_pac()

Browse Source 
Pass astgs_request_t to _kdc_gss_finalize_pac() in order to harmonize with
other functions.
This commit is contained in:
Luke Howard
2021-12-23 19:51:35 +11:00
committed by Nico Williams
parent d3549c4ab7
commit 6b312659cb
4 changed files with 19 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
kdc/altsecid_gss_preauth_authorizer.c
View File

@@ -372,10 +372,7 @@ out:
static KRB5_LIB_CALL krb5_error_code
authorize(void *ctx,
krb5_context context,
KDC_REQ *req,
krb5_const_principal client_name,
hdb_entry_ex *client,
astgs_request_t r,
gss_const_name_t initiator_name,
gss_const_OID mech_type,
OM_uint32 ret_flags,
@@ -383,30 +380,22 @@ authorize(void *ctx,
krb5_principal *mapped_name,
krb5_data *requestor_sid)
{
const KDC_REQ_BODY *b = &req->req_body;
struct altsecid_gss_preauth_authorizer_context *c = ctx;
struct ad_server_tuple *server = NULL;
krb5_error_code ret;
krb5_const_realm realm = krb5_principal_get_realm(context, client->entry.principal);
krb5_const_realm realm = krb5_principal_get_realm(r->context, r->client->entry.principal);
krb5_boolean reconnect_p = FALSE;
krb5_principal server_princ;
krb5_boolean is_tgs;
*authorized = FALSE;
*mapped_name = NULL;
krb5_data_zero(requestor_sid);
if (!krb5_principal_is_federated(context, client->entry.principal) ||
if (!krb5_principal_is_federated(r->context, r->client->entry.principal) ||
(ret_flags & GSS_C_ANON_FLAG))
return KRB5_PLUGIN_NO_HANDLE;
ret = _krb5_principalname2krb5_principal(context, &server_princ,
*b->sname, b->realm);
if (ret)
return ret;
is_tgs = krb5_principal_is_krbtgt(context, server_princ);
krb5_free_principal(context, server_princ);
is_tgs = krb5_principal_is_krbtgt(r->context, r->server_princ);
HEIM_TAILQ_FOREACH(server, &c->servers, link) {
if (strcmp(realm, server->realm) == 0)
@@ -416,12 +405,12 @@ authorize(void *ctx,
if (server == NULL) {
server = calloc(1, sizeof(*server));
if (server == NULL)
return krb5_enomem(context);
return krb5_enomem(r->context);
server->realm = strdup(realm);
if (server->realm == NULL) {
free(server);
return krb5_enomem(context);
return krb5_enomem(r->context);
}
HEIM_TAILQ_INSERT_HEAD(&c->servers, server, link);
@@ -429,12 +418,12 @@ authorize(void *ctx,
do {
if (server->ld == NULL) {
ret = ad_connect(context, realm, server);
ret = ad_connect(r->context, realm, server);
if (ret)
return ret;
}
ret = ad_lookup(context, realm, server,
ret = ad_lookup(r->context, realm, server,
initiator_name, mech_type,
mapped_name, is_tgs ? requestor_sid : NULL);
if (ret == KRB5KDC_ERR_SVC_UNAVAILABLE) {
@@ -452,15 +441,12 @@ authorize(void *ctx,
}
static KRB5_LIB_CALL krb5_error_code
finalize_pac(void *ctx,
krb5_context context,
krb5_pac mspac,
krb5_data *requestor_sid)
finalize_pac(void *ctx, astgs_request_t r, krb5_data *requestor_sid)
{
if (requestor_sid->length == 0)
return 0;
return krb5_pac_add_buffer(context, mspac,
return krb5_pac_add_buffer(r->context, r->pac,
PAC_REQUESTOR_SID, requestor_sid);
}

16
kdc/gss_preauth.c
View File

@@ -510,10 +510,8 @@ pa_gss_authorize_cb(krb5_context context,
const krb5plugin_gss_preauth_authorizer_ftable *authorizer = plug;
struct pa_gss_authorize_plugin_ctx *pa_gss_authorize_plugin_ctx = userctx;
return authorizer->authorize(plugctx, context,
&pa_gss_authorize_plugin_ctx->r->req,
pa_gss_authorize_plugin_ctx->r->client_princ,
pa_gss_authorize_plugin_ctx->r->client,
return authorizer->authorize(plugctx,
pa_gss_authorize_plugin_ctx->r,
pa_gss_authorize_plugin_ctx->gcp->initiator_name,
pa_gss_authorize_plugin_ctx->gcp->mech_type,
pa_gss_authorize_plugin_ctx->gcp->flags,
@@ -1017,7 +1015,6 @@ pa_gss_display_name(gss_name_t name,
struct pa_gss_finalize_pac_plugin_ctx {
astgs_request_t r;
krb5_pac pac;
krb5_data *pac_data;
};
@@ -1030,21 +1027,20 @@ pa_gss_finalize_pac_cb(krb5_context context,
const krb5plugin_gss_preauth_authorizer_ftable *authorizer = plug;
struct pa_gss_finalize_pac_plugin_ctx *pa_gss_finalize_pac_ctx = userctx;
return authorizer->finalize_pac(plugctx, context,
pa_gss_finalize_pac_ctx->pac,
return authorizer->finalize_pac(plugctx,
pa_gss_finalize_pac_ctx->r,
pa_gss_finalize_pac_ctx->pac_data);
}
krb5_error_code
_kdc_gss_finalize_pac(astgs_request_t r,
gss_client_params *gcp,
krb5_pac pac)
gss_client_params *gcp)
{
krb5_error_code ret;
struct pa_gss_finalize_pac_plugin_ctx ctx;
ctx.pac = pac;
ctx.r = r;
ctx.pac_data = &gcp->pac_data;
krb5_clear_error_message(r->context);

8
kdc/gss_preauth_authorizer_plugin.h
View File

@@ -64,10 +64,7 @@ typedef struct krb5plugin_gss_preauth_authorizer_ftable_desc {
krb5_error_code (KRB5_LIB_CALL *init)(krb5_context, void **);
void (KRB5_LIB_CALL *fini)(void *);
krb5_error_code (KRB5_LIB_CALL *authorize)(void *, /*plug_ctx*/
krb5_context, /*context*/
KDC_REQ *, /*req*/
krb5_const_principal,/*client_name*/
hdb_entry_ex *, /*client*/
astgs_request_t, /*r*/
gss_const_name_t, /*initiator_name*/
gss_const_OID, /*mech_type*/
OM_uint32, /*ret_flags*/
@@ -75,8 +72,7 @@ typedef struct krb5plugin_gss_preauth_authorizer_ftable_desc {
krb5_principal *, /*mapped_name*/
krb5_data *); /*pac_data*/
krb5_error_code (KRB5_LIB_CALL *finalize_pac)(void *, /*plug_ctx*/
krb5_context, /*context*/
krb5_pac, /*pac*/
astgs_request_t, /*r*/
krb5_data *); /*pac_data*/
} krb5plugin_gss_preauth_authorizer_ftable;

2
kdc/kerberos5.c
View File

@@ -611,7 +611,7 @@ pa_gss_finalize_pac(astgs_request_t r)
heim_assert(gcp != NULL, "invalid GSS-API client params");
return _kdc_gss_finalize_pac(r, gcp, r->pac);
return _kdc_gss_finalize_pac(r, gcp);
}
static void