oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

kdc: use PAC from request in _kdc_gss_finalize_pac()

Browse Source 
Pass astgs_request_t to _kdc_gss_finalize_pac() in order to harmonize with
other functions.
This commit is contained in:
Luke Howard
2021-12-23 19:51:35 +11:00
committed by Nico Williams
parent d3549c4ab7
commit 6b312659cb
4 changed files with 19 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
kdc/altsecid_gss_preauth_authorizer.c
View File

@@ -372,10 +372,7 @@ out:
static KRB5_LIB_CALL krb5_error_code static KRB5_LIB_CALL krb5_error_code
authorize(void *ctx, authorize(void *ctx,
krb5_context context, astgs_request_t r,
KDC_REQ *req,
krb5_const_principal client_name,
hdb_entry_ex *client,
gss_const_name_t initiator_name, gss_const_name_t initiator_name,
gss_const_OID mech_type, gss_const_OID mech_type,
OM_uint32 ret_flags, OM_uint32 ret_flags,
@@ -383,30 +380,22 @@ authorize(void *ctx,
krb5_principal *mapped_name, krb5_principal *mapped_name,
krb5_data *requestor_sid) krb5_data *requestor_sid)
{ {
const KDC_REQ_BODY *b = &req->req_body;
struct altsecid_gss_preauth_authorizer_context *c = ctx; struct altsecid_gss_preauth_authorizer_context *c = ctx;
struct ad_server_tuple *server = NULL; struct ad_server_tuple *server = NULL;
krb5_error_code ret; krb5_error_code ret;
krb5_const_realm realm = krb5_principal_get_realm(context, client->entry.principal); krb5_const_realm realm = krb5_principal_get_realm(r->context, r->client->entry.principal);
krb5_boolean reconnect_p = FALSE; krb5_boolean reconnect_p = FALSE;
krb5_principal server_princ;
krb5_boolean is_tgs; krb5_boolean is_tgs;
*authorized = FALSE; *authorized = FALSE;
*mapped_name = NULL; *mapped_name = NULL;
krb5_data_zero(requestor_sid); krb5_data_zero(requestor_sid);
if (!krb5_principal_is_federated(context, client->entry.principal) || if (!krb5_principal_is_federated(r->context, r->client->entry.principal) ||
(ret_flags & GSS_C_ANON_FLAG)) (ret_flags & GSS_C_ANON_FLAG))
return KRB5_PLUGIN_NO_HANDLE; return KRB5_PLUGIN_NO_HANDLE;
ret = _krb5_principalname2krb5_principal(context, &server_princ, is_tgs = krb5_principal_is_krbtgt(r->context, r->server_princ);
*b->sname, b->realm);
if (ret)
return ret;
is_tgs = krb5_principal_is_krbtgt(context, server_princ);
krb5_free_principal(context, server_princ);
HEIM_TAILQ_FOREACH(server, &c->servers, link) { HEIM_TAILQ_FOREACH(server, &c->servers, link) {
if (strcmp(realm, server->realm) == 0) if (strcmp(realm, server->realm) == 0)
@@ -416,12 +405,12 @@ authorize(void *ctx,
if (server == NULL) { if (server == NULL) {
server = calloc(1, sizeof(*server)); server = calloc(1, sizeof(*server));
if (server == NULL) if (server == NULL)
return krb5_enomem(context); return krb5_enomem(r->context);
server->realm = strdup(realm); server->realm = strdup(realm);
if (server->realm == NULL) { if (server->realm == NULL) {
free(server); free(server);
return krb5_enomem(context); return krb5_enomem(r->context);
} }
HEIM_TAILQ_INSERT_HEAD(&c->servers, server, link); HEIM_TAILQ_INSERT_HEAD(&c->servers, server, link);
@@ -429,12 +418,12 @@ authorize(void *ctx,
do { do {
if (server->ld == NULL) { if (server->ld == NULL) {
ret = ad_connect(context, realm, server); ret = ad_connect(r->context, realm, server);
if (ret) if (ret)
return ret; return ret;
} }
ret = ad_lookup(context, realm, server, ret = ad_lookup(r->context, realm, server,
initiator_name, mech_type, initiator_name, mech_type,
mapped_name, is_tgs ? requestor_sid : NULL); mapped_name, is_tgs ? requestor_sid : NULL);
if (ret == KRB5KDC_ERR_SVC_UNAVAILABLE) { if (ret == KRB5KDC_ERR_SVC_UNAVAILABLE) {
@@ -452,15 +441,12 @@ authorize(void *ctx,
} }
static KRB5_LIB_CALL krb5_error_code static KRB5_LIB_CALL krb5_error_code
finalize_pac(void *ctx, finalize_pac(void *ctx, astgs_request_t r, krb5_data *requestor_sid)
krb5_context context,
krb5_pac mspac,
krb5_data *requestor_sid)
{ {
if (requestor_sid->length == 0) if (requestor_sid->length == 0)
return 0; return 0;
return krb5_pac_add_buffer(context, mspac, return krb5_pac_add_buffer(r->context, r->pac,
PAC_REQUESTOR_SID, requestor_sid); PAC_REQUESTOR_SID, requestor_sid);
} }

16
kdc/gss_preauth.c
View File

@@ -510,10 +510,8 @@ pa_gss_authorize_cb(krb5_context context,
const krb5plugin_gss_preauth_authorizer_ftable *authorizer = plug; const krb5plugin_gss_preauth_authorizer_ftable *authorizer = plug;
struct pa_gss_authorize_plugin_ctx *pa_gss_authorize_plugin_ctx = userctx; struct pa_gss_authorize_plugin_ctx *pa_gss_authorize_plugin_ctx = userctx;
return authorizer->authorize(plugctx, context, return authorizer->authorize(plugctx,
&pa_gss_authorize_plugin_ctx->r->req, pa_gss_authorize_plugin_ctx->r,
pa_gss_authorize_plugin_ctx->r->client_princ,
pa_gss_authorize_plugin_ctx->r->client,
pa_gss_authorize_plugin_ctx->gcp->initiator_name, pa_gss_authorize_plugin_ctx->gcp->initiator_name,
pa_gss_authorize_plugin_ctx->gcp->mech_type, pa_gss_authorize_plugin_ctx->gcp->mech_type,
pa_gss_authorize_plugin_ctx->gcp->flags, pa_gss_authorize_plugin_ctx->gcp->flags,
@@ -1017,7 +1015,6 @@ pa_gss_display_name(gss_name_t name,
struct pa_gss_finalize_pac_plugin_ctx { struct pa_gss_finalize_pac_plugin_ctx {
astgs_request_t r; astgs_request_t r;
krb5_pac pac;
krb5_data *pac_data; krb5_data *pac_data;
}; };
@@ -1030,21 +1027,20 @@ pa_gss_finalize_pac_cb(krb5_context context,
const krb5plugin_gss_preauth_authorizer_ftable *authorizer = plug; const krb5plugin_gss_preauth_authorizer_ftable *authorizer = plug;
struct pa_gss_finalize_pac_plugin_ctx *pa_gss_finalize_pac_ctx = userctx; struct pa_gss_finalize_pac_plugin_ctx *pa_gss_finalize_pac_ctx = userctx;
return authorizer->finalize_pac(plugctx, context, return authorizer->finalize_pac(plugctx,
pa_gss_finalize_pac_ctx->pac, pa_gss_finalize_pac_ctx->r,
pa_gss_finalize_pac_ctx->pac_data); pa_gss_finalize_pac_ctx->pac_data);
} }
krb5_error_code krb5_error_code
_kdc_gss_finalize_pac(astgs_request_t r, _kdc_gss_finalize_pac(astgs_request_t r,
gss_client_params *gcp, gss_client_params *gcp)
krb5_pac pac)
{ {
krb5_error_code ret; krb5_error_code ret;
struct pa_gss_finalize_pac_plugin_ctx ctx; struct pa_gss_finalize_pac_plugin_ctx ctx;
ctx.pac = pac; ctx.r = r;
ctx.pac_data = &gcp->pac_data; ctx.pac_data = &gcp->pac_data;
krb5_clear_error_message(r->context); krb5_clear_error_message(r->context);

8
kdc/gss_preauth_authorizer_plugin.h
View File

@@ -64,10 +64,7 @@ typedef struct krb5plugin_gss_preauth_authorizer_ftable_desc {
krb5_error_code (KRB5_LIB_CALL *init)(krb5_context, void **); krb5_error_code (KRB5_LIB_CALL *init)(krb5_context, void **);
void (KRB5_LIB_CALL *fini)(void *); void (KRB5_LIB_CALL *fini)(void *);
krb5_error_code (KRB5_LIB_CALL *authorize)(void *, /*plug_ctx*/ krb5_error_code (KRB5_LIB_CALL *authorize)(void *, /*plug_ctx*/
krb5_context, /*context*/ astgs_request_t, /*r*/
KDC_REQ *, /*req*/
krb5_const_principal,/*client_name*/
hdb_entry_ex *, /*client*/
gss_const_name_t, /*initiator_name*/ gss_const_name_t, /*initiator_name*/
gss_const_OID, /*mech_type*/ gss_const_OID, /*mech_type*/
OM_uint32, /*ret_flags*/ OM_uint32, /*ret_flags*/
@@ -75,8 +72,7 @@ typedef struct krb5plugin_gss_preauth_authorizer_ftable_desc {
krb5_principal *, /*mapped_name*/ krb5_principal *, /*mapped_name*/
krb5_data *); /*pac_data*/ krb5_data *); /*pac_data*/
krb5_error_code (KRB5_LIB_CALL *finalize_pac)(void *, /*plug_ctx*/ krb5_error_code (KRB5_LIB_CALL *finalize_pac)(void *, /*plug_ctx*/
krb5_context, /*context*/ astgs_request_t, /*r*/
krb5_pac, /*pac*/
krb5_data *); /*pac_data*/ krb5_data *); /*pac_data*/
} krb5plugin_gss_preauth_authorizer_ftable; } krb5plugin_gss_preauth_authorizer_ftable;

2
kdc/kerberos5.c
View File

@@ -611,7 +611,7 @@ pa_gss_finalize_pac(astgs_request_t r)
heim_assert(gcp != NULL, "invalid GSS-API client params"); heim_assert(gcp != NULL, "invalid GSS-API client params");
return _kdc_gss_finalize_pac(r, gcp, r->pac); return _kdc_gss_finalize_pac(r, gcp);
} }
static void static void