kdc: use PAC from request in _kdc_gss_finalize_pac()
Pass astgs_request_t to _kdc_gss_finalize_pac() in order to harmonize with other functions.
This commit is contained in:

committed by
Nico Williams

parent
d3549c4ab7
commit
6b312659cb
@@ -372,10 +372,7 @@ out:
|
||||
|
||||
static KRB5_LIB_CALL krb5_error_code
|
||||
authorize(void *ctx,
|
||||
krb5_context context,
|
||||
KDC_REQ *req,
|
||||
krb5_const_principal client_name,
|
||||
hdb_entry_ex *client,
|
||||
astgs_request_t r,
|
||||
gss_const_name_t initiator_name,
|
||||
gss_const_OID mech_type,
|
||||
OM_uint32 ret_flags,
|
||||
@@ -383,30 +380,22 @@ authorize(void *ctx,
|
||||
krb5_principal *mapped_name,
|
||||
krb5_data *requestor_sid)
|
||||
{
|
||||
const KDC_REQ_BODY *b = &req->req_body;
|
||||
struct altsecid_gss_preauth_authorizer_context *c = ctx;
|
||||
struct ad_server_tuple *server = NULL;
|
||||
krb5_error_code ret;
|
||||
krb5_const_realm realm = krb5_principal_get_realm(context, client->entry.principal);
|
||||
krb5_const_realm realm = krb5_principal_get_realm(r->context, r->client->entry.principal);
|
||||
krb5_boolean reconnect_p = FALSE;
|
||||
krb5_principal server_princ;
|
||||
krb5_boolean is_tgs;
|
||||
|
||||
*authorized = FALSE;
|
||||
*mapped_name = NULL;
|
||||
krb5_data_zero(requestor_sid);
|
||||
|
||||
if (!krb5_principal_is_federated(context, client->entry.principal) ||
|
||||
if (!krb5_principal_is_federated(r->context, r->client->entry.principal) ||
|
||||
(ret_flags & GSS_C_ANON_FLAG))
|
||||
return KRB5_PLUGIN_NO_HANDLE;
|
||||
|
||||
ret = _krb5_principalname2krb5_principal(context, &server_princ,
|
||||
*b->sname, b->realm);
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
is_tgs = krb5_principal_is_krbtgt(context, server_princ);
|
||||
krb5_free_principal(context, server_princ);
|
||||
is_tgs = krb5_principal_is_krbtgt(r->context, r->server_princ);
|
||||
|
||||
HEIM_TAILQ_FOREACH(server, &c->servers, link) {
|
||||
if (strcmp(realm, server->realm) == 0)
|
||||
@@ -416,12 +405,12 @@ authorize(void *ctx,
|
||||
if (server == NULL) {
|
||||
server = calloc(1, sizeof(*server));
|
||||
if (server == NULL)
|
||||
return krb5_enomem(context);
|
||||
return krb5_enomem(r->context);
|
||||
|
||||
server->realm = strdup(realm);
|
||||
if (server->realm == NULL) {
|
||||
free(server);
|
||||
return krb5_enomem(context);
|
||||
return krb5_enomem(r->context);
|
||||
}
|
||||
|
||||
HEIM_TAILQ_INSERT_HEAD(&c->servers, server, link);
|
||||
@@ -429,12 +418,12 @@ authorize(void *ctx,
|
||||
|
||||
do {
|
||||
if (server->ld == NULL) {
|
||||
ret = ad_connect(context, realm, server);
|
||||
ret = ad_connect(r->context, realm, server);
|
||||
if (ret)
|
||||
return ret;
|
||||
}
|
||||
|
||||
ret = ad_lookup(context, realm, server,
|
||||
ret = ad_lookup(r->context, realm, server,
|
||||
initiator_name, mech_type,
|
||||
mapped_name, is_tgs ? requestor_sid : NULL);
|
||||
if (ret == KRB5KDC_ERR_SVC_UNAVAILABLE) {
|
||||
@@ -452,15 +441,12 @@ authorize(void *ctx,
|
||||
}
|
||||
|
||||
static KRB5_LIB_CALL krb5_error_code
|
||||
finalize_pac(void *ctx,
|
||||
krb5_context context,
|
||||
krb5_pac mspac,
|
||||
krb5_data *requestor_sid)
|
||||
finalize_pac(void *ctx, astgs_request_t r, krb5_data *requestor_sid)
|
||||
{
|
||||
if (requestor_sid->length == 0)
|
||||
return 0;
|
||||
|
||||
return krb5_pac_add_buffer(context, mspac,
|
||||
return krb5_pac_add_buffer(r->context, r->pac,
|
||||
PAC_REQUESTOR_SID, requestor_sid);
|
||||
}
|
||||
|
||||
|
@@ -510,10 +510,8 @@ pa_gss_authorize_cb(krb5_context context,
|
||||
const krb5plugin_gss_preauth_authorizer_ftable *authorizer = plug;
|
||||
struct pa_gss_authorize_plugin_ctx *pa_gss_authorize_plugin_ctx = userctx;
|
||||
|
||||
return authorizer->authorize(plugctx, context,
|
||||
&pa_gss_authorize_plugin_ctx->r->req,
|
||||
pa_gss_authorize_plugin_ctx->r->client_princ,
|
||||
pa_gss_authorize_plugin_ctx->r->client,
|
||||
return authorizer->authorize(plugctx,
|
||||
pa_gss_authorize_plugin_ctx->r,
|
||||
pa_gss_authorize_plugin_ctx->gcp->initiator_name,
|
||||
pa_gss_authorize_plugin_ctx->gcp->mech_type,
|
||||
pa_gss_authorize_plugin_ctx->gcp->flags,
|
||||
@@ -1017,7 +1015,6 @@ pa_gss_display_name(gss_name_t name,
|
||||
|
||||
struct pa_gss_finalize_pac_plugin_ctx {
|
||||
astgs_request_t r;
|
||||
krb5_pac pac;
|
||||
krb5_data *pac_data;
|
||||
};
|
||||
|
||||
@@ -1030,21 +1027,20 @@ pa_gss_finalize_pac_cb(krb5_context context,
|
||||
const krb5plugin_gss_preauth_authorizer_ftable *authorizer = plug;
|
||||
struct pa_gss_finalize_pac_plugin_ctx *pa_gss_finalize_pac_ctx = userctx;
|
||||
|
||||
return authorizer->finalize_pac(plugctx, context,
|
||||
pa_gss_finalize_pac_ctx->pac,
|
||||
return authorizer->finalize_pac(plugctx,
|
||||
pa_gss_finalize_pac_ctx->r,
|
||||
pa_gss_finalize_pac_ctx->pac_data);
|
||||
}
|
||||
|
||||
|
||||
krb5_error_code
|
||||
_kdc_gss_finalize_pac(astgs_request_t r,
|
||||
gss_client_params *gcp,
|
||||
krb5_pac pac)
|
||||
gss_client_params *gcp)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
struct pa_gss_finalize_pac_plugin_ctx ctx;
|
||||
|
||||
ctx.pac = pac;
|
||||
ctx.r = r;
|
||||
ctx.pac_data = &gcp->pac_data;
|
||||
|
||||
krb5_clear_error_message(r->context);
|
||||
|
@@ -64,10 +64,7 @@ typedef struct krb5plugin_gss_preauth_authorizer_ftable_desc {
|
||||
krb5_error_code (KRB5_LIB_CALL *init)(krb5_context, void **);
|
||||
void (KRB5_LIB_CALL *fini)(void *);
|
||||
krb5_error_code (KRB5_LIB_CALL *authorize)(void *, /*plug_ctx*/
|
||||
krb5_context, /*context*/
|
||||
KDC_REQ *, /*req*/
|
||||
krb5_const_principal,/*client_name*/
|
||||
hdb_entry_ex *, /*client*/
|
||||
astgs_request_t, /*r*/
|
||||
gss_const_name_t, /*initiator_name*/
|
||||
gss_const_OID, /*mech_type*/
|
||||
OM_uint32, /*ret_flags*/
|
||||
@@ -75,8 +72,7 @@ typedef struct krb5plugin_gss_preauth_authorizer_ftable_desc {
|
||||
krb5_principal *, /*mapped_name*/
|
||||
krb5_data *); /*pac_data*/
|
||||
krb5_error_code (KRB5_LIB_CALL *finalize_pac)(void *, /*plug_ctx*/
|
||||
krb5_context, /*context*/
|
||||
krb5_pac, /*pac*/
|
||||
astgs_request_t, /*r*/
|
||||
krb5_data *); /*pac_data*/
|
||||
} krb5plugin_gss_preauth_authorizer_ftable;
|
||||
|
||||
|
@@ -611,7 +611,7 @@ pa_gss_finalize_pac(astgs_request_t r)
|
||||
|
||||
heim_assert(gcp != NULL, "invalid GSS-API client params");
|
||||
|
||||
return _kdc_gss_finalize_pac(r, gcp, r->pac);
|
||||
return _kdc_gss_finalize_pac(r, gcp);
|
||||
}
|
||||
|
||||
static void
|
||||
|
Reference in New Issue
Block a user