From 6b312659cbde64a7ee9f60a64d3a7770ff4a79f2 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Thu, 23 Dec 2021 19:51:35 +1100
Subject: [PATCH] kdc: use PAC from request in _kdc_gss_finalize_pac()

Pass astgs_request_t to _kdc_gss_finalize_pac() in order to harmonize with other functions.
---
 kdc/altsecid_gss_preauth_authorizer.c | 34 ++++++++-------------------
 kdc/gss_preauth.c | 16 +++++--------
 kdc/gss_preauth_authorizer_plugin.h | 8 ++-----
 kdc/kerberos5.c | 2 +-
 4 files changed, 19 insertions(+), 41 deletions(-)

diff --git a/kdc/altsecid_gss_preauth_authorizer.c b/kdc/altsecid_gss_preauth_authorizer.c
index 262d4e9db..961ced0db 100644
--- a/kdc/altsecid_gss_preauth_authorizer.c
+++ b/kdc/altsecid_gss_preauth_authorizer.c
@@ -372,10 +372,7 @@ out:
 static KRB5_LIB_CALL krb5_error_code
 authorize(void *ctx,
- krb5_context context,
- KDC_REQ *req,
- krb5_const_principal client_name,
- hdb_entry_ex *client,
+ astgs_request_t r,
 gss_const_name_t initiator_name,
 gss_const_OID mech_type,
 OM_uint32 ret_flags,
@@ -383,30 +380,22 @@ authorize(void *ctx,
 krb5_principal *mapped_name,
 krb5_data *requestor_sid)
 {
- const KDC_REQ_BODY *b = &req->req_body;
 struct altsecid_gss_preauth_authorizer_context *c = ctx;
 struct ad_server_tuple *server = NULL;
 krb5_error_code ret;
- krb5_const_realm realm = krb5_principal_get_realm(context, client->entry.principal);
+ krb5_const_realm realm = krb5_principal_get_realm(r->context, r->client->entry.principal);
 krb5_boolean reconnect_p = FALSE;
- krb5_principal server_princ;
 krb5_boolean is_tgs;
 *authorized = FALSE;
 *mapped_name = NULL;
 krb5_data_zero(requestor_sid);
- if (!krb5_principal_is_federated(context, client->entry.principal) ||
+ if (!krb5_principal_is_federated(r->context, r->client->entry.principal) ||
 (ret_flags & GSS_C_ANON_FLAG))
 return KRB5_PLUGIN_NO_HANDLE;
- ret = _krb5_principalname2krb5_principal(context, &server_princ,
- *b->sname, b->realm);
- if (ret)
- return ret;
-
- is_tgs = krb5_principal_is_krbtgt(context, server_princ);
- krb5_free_principal(context, server_princ);
+ is_tgs = krb5_principal_is_krbtgt(r->context, r->server_princ);
 HEIM_TAILQ_FOREACH(server, &c->servers, link) {
 if (strcmp(realm, server->realm) == 0)
@@ -416,12 +405,12 @@ authorize(void *ctx,
 if (server == NULL) {
 server = calloc(1, sizeof(*server));
 if (server == NULL)
- return krb5_enomem(context);
+ return krb5_enomem(r->context);
 server->realm = strdup(realm);
 if (server->realm == NULL) {
 free(server);
- return krb5_enomem(context);
+ return krb5_enomem(r->context);
 }
 HEIM_TAILQ_INSERT_HEAD(&c->servers, server, link);
@@ -429,12 +418,12 @@ authorize(void *ctx,
 do {
 if (server->ld == NULL) {
- ret = ad_connect(context, realm, server);
+ ret = ad_connect(r->context, realm, server);
 if (ret)
 return ret;
 }
- ret = ad_lookup(context, realm, server,
+ ret = ad_lookup(r->context, realm, server,
 initiator_name, mech_type, mapped_name,
 is_tgs ? requestor_sid : NULL);
 if (ret == KRB5KDC_ERR_SVC_UNAVAILABLE) {
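Review bot: `is_tgs = krb5_principal_is_krbtgt(r->context, r->server_princ);` drops the error path that the removed `_krb5_principalname2krb5_principal()` call had and instead assumes `r->server_princ` is already populated by the time the GSS pre-authentication authorizer runs; if it is still NULL at that point the krbtgt test would presumably dereference it. Because `is_tgs` decides whether `requestor_sid` is filled in by `ad_lookup()` (and so whether a PAC_REQUESTOR_SID buffer is later attached to the PAC), this deserves a fail-closed guard in the style kerberos5.c already uses, e.g. `heim_assert(r->server_princ != NULL, "server principal not resolved before GSS authorizer");`. It is also worth confirming that `r->server_princ` is the name taken from the request body (which the old code parsed from `b->sname`/`b->realm`) and not a name rewritten later, so the TGS check keeps the same meaning. authorize() starts and ends outside this hunk.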
@@ -452,15 +441,12 @@ authorize(void *ctx,
 }
 static KRB5_LIB_CALL krb5_error_code
-finalize_pac(void *ctx,
- krb5_context context,
- krb5_pac mspac,
- krb5_data *requestor_sid)
+finalize_pac(void *ctx, astgs_request_t r, krb5_data *requestor_sid)
 {
 if (requestor_sid->length == 0)
 return 0;
- return krb5_pac_add_buffer(context, mspac,
+ return krb5_pac_add_buffer(r->context, r->pac,
 PAC_REQUESTOR_SID, requestor_sid);
 }
diff --git a/kdc/gss_preauth.c b/kdc/gss_preauth.c
index 8cbcfa61e..a2c192067 100644
--- a/kdc/gss_preauth.c
+++ b/kdc/gss_preauth.c
@@ -510,10 +510,8 @@ pa_gss_authorize_cb(krb5_context context,
 const krb5plugin_gss_preauth_authorizer_ftable *authorizer = plug;
 struct pa_gss_authorize_plugin_ctx *pa_gss_authorize_plugin_ctx = userctx;
- return authorizer->authorize(plugctx, context,
- &pa_gss_authorize_plugin_ctx->r->req,
- pa_gss_authorize_plugin_ctx->r->client_princ,
- pa_gss_authorize_plugin_ctx->r->client,
+ return authorizer->authorize(plugctx,
+ pa_gss_authorize_plugin_ctx->r,
 pa_gss_authorize_plugin_ctx->gcp->initiator_name,
 pa_gss_authorize_plugin_ctx->gcp->mech_type,
 pa_gss_authorize_plugin_ctx->gcp->flags,
@@ -1017,7 +1015,6 @@ pa_gss_display_name(gss_name_t name,
 struct pa_gss_finalize_pac_plugin_ctx {
 astgs_request_t r;
- krb5_pac pac;
 krb5_data *pac_data;
 };
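Review bot: `krb5_pac_add_buffer(r->context, r->pac, PAC_REQUESTOR_SID, requestor_sid)` in finalize_pac() now relies on `r->pac` having been allocated before `_kdc_gss_finalize_pac()` is reached, whereas the removed `krb5_pac mspac` parameter made that dependency visible at the call site (kerberos5.c passed `r->pac` explicitly). A NULL `r->pac` here would reach the PAC library unchecked, and the buffer being added is the one the KDC later uses to tie the TGT to its requestor, so the failure should be loud rather than a stray dereference; a one-line guard such as `if (r->pac == NULL) return EINVAL;` placed after the `requestor_sid->length == 0` check would do. The same implicit `r->pac` requirement applies to the `pa_gss_finalize_pac_cb` and `_kdc_gss_finalize_pac` hunks in gss_preauth.c, so it is worth stating in a comment above `_kdc_gss_finalize_pac()`, e.g. `/* Requires r->pac to be allocated; plugins add buffers to it via finalize_pac(). */`.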
@@ -1030,21 +1027,20 @@ pa_gss_finalize_pac_cb(krb5_context context,
 const krb5plugin_gss_preauth_authorizer_ftable *authorizer = plug;
 struct pa_gss_finalize_pac_plugin_ctx *pa_gss_finalize_pac_ctx = userctx;
- return authorizer->finalize_pac(plugctx, context,
- pa_gss_finalize_pac_ctx->pac,
+ return authorizer->finalize_pac(plugctx,
+ pa_gss_finalize_pac_ctx->r,
 pa_gss_finalize_pac_ctx->pac_data);
 }
 krb5_error_code
 _kdc_gss_finalize_pac(astgs_request_t r,
- gss_client_params *gcp,
- krb5_pac pac)
+ gss_client_params *gcp)
 {
 krb5_error_code ret;
 struct pa_gss_finalize_pac_plugin_ctx ctx;
- ctx.pac = pac;
+ ctx.r = r;
 ctx.pac_data = &gcp->pac_data;
 krb5_clear_error_message(r->context);
diff --git a/kdc/gss_preauth_authorizer_plugin.h b/kdc/gss_preauth_authorizer_plugin.h
index 8763004b3..69bd5fc1a 100644
--- a/kdc/gss_preauth_authorizer_plugin.h
+++ b/kdc/gss_preauth_authorizer_plugin.h
@@ -64,10 +64,7 @@ typedef struct krb5plugin_gss_preauth_authorizer_ftable_desc {
 krb5_error_code (KRB5_LIB_CALL *init)(krb5_context, void **);
 void (KRB5_LIB_CALL *fini)(void *);
 krb5_error_code (KRB5_LIB_CALL *authorize)(void *, /*plug_ctx*/
- krb5_context, /*context*/
- KDC_REQ *, /*req*/
- krb5_const_principal,/*client_name*/
- hdb_entry_ex *, /*client*/
+ astgs_request_t, /*r*/
 gss_const_name_t, /*initiator_name*/
 gss_const_OID, /*mech_type*/
 OM_uint32, /*ret_flags*/
@@ -75,8 +72,7 @@ typedef struct krb5plugin_gss_preauth_authorizer_ftable_desc {
 krb5_principal *, /*mapped_name*/
 krb5_data *); /*pac_data*/
 krb5_error_code (KRB5_LIB_CALL *finalize_pac)(void *, /*plug_ctx*/
- krb5_context, /*context*/
- krb5_pac, /*pac*/
+ astgs_request_t, /*r*/
 krb5_data *); /*pac_data*/
 } krb5plugin_gss_preauth_authorizer_ftable;
diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index ab5eb0f78..3e9dffdc8 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
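Review bot: The `/*r*/` tag is the only description of the new `astgs_request_t` parameter on both the `authorize` and `finalize_pac` callback types, yet the in-tree plugin now reads `r->context`, `r->client`, `r->server_princ` and `r->pac` straight out of it. Since the request structure appears to be a KDC-internal type rather than part of the plugin interface, this couples any out-of-tree authorizer to the KDC's field layout and to which fields are populated at callback time, and a later reordering or renaming of those fields would break binary-compatible plugins silently. The header should say which request fields a plugin may rely on and when they are valid, for instance a comment above the `authorize` member stating that the client entry and server principal have been resolved before it is invoked, and one above `finalize_pac` stating that the request's PAC is allocated and that the callback may only add buffers to it. Longer term, exposing those fields through accessor functions instead of direct structure access would keep the plugin ABI stable; the enclosing `typedef struct` starts and ends outside these hunks.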
@@ -611,7 +611,7 @@ pa_gss_finalize_pac(astgs_request_t r)
 heim_assert(gcp != NULL, "invalid GSS-API client params");
- return _kdc_gss_finalize_pac(r, gcp, r->pac);
+ return _kdc_gss_finalize_pac(r, gcp);
 }
 static void