diff --git a/kdc/524.c b/kdc/524.c
index 97f64623e..0a791391d 100644
--- a/kdc/524.c
+++ b/kdc/524.c
@@ -48,7 +48,7 @@ do_524(Ticket *t, krb5_data *reply, const char *from)
 krb5_error_code ret;
 krb5_principal sprinc = NULL;
 hdb_entry *server;
- Key *skey, *ekey = NULL;
+ Key *skey;
 krb5_data et_data;
 EncTicketPart et;
 EncryptedData ticket;
@@ -71,14 +71,12 @@ do_524(Ticket *t, krb5_data *reply, const char *from)
 "when converting ticket from ", spn, from);
 goto out;
 }
- ekey = unseal_key(skey);
 ret = krb5_decrypt (context, t->enc_part.cipher.data, t->enc_part.cipher.length, t->enc_part.etype,
- &ekey->key,
+ &skey->key,
 &et_data);
- hdb_free_key(ekey);
 if(ret){
 kdc_log(0, "Failed to decrypt ticket from %s for %s", from, spn);
 goto out;
@@ -124,10 +122,8 @@ do_524(Ticket *t, krb5_data *reply, const char *from)
 kdc_log(0, "No DES key for server (%s)", spn);
 goto out;
 }
- ekey = unseal_key(skey);
 ret = encrypt_v4_ticket(buf + sizeof(buf) - len, len,
- ekey->key.keyvalue.data, &ticket);
- hdb_free_key(ekey);
+ skey->key.keyvalue.data, &ticket);
 if(ret){
 kdc_log(0, "Failed to encrypt v4 ticket (%s)", spn);
 goto out;
diff --git a/kdc/kaserver.c b/kdc/kaserver.c
index 021898ae2..b20262354 100644
--- a/kdc/kaserver.c
+++ b/kdc/kaserver.c
@@ -257,7 +257,6 @@ create_reply_ticket (struct rx_header *hdr,
 krb5_data *reply)
 {
 KTEXT_ST ticket;
- Key *ekey = NULL;
 des_cblock session;
 krb5_storage *sp;
 krb5_data enc_data;
@@ -267,15 +266,13 @@ create_reply_ticket (struct rx_header *hdr,
 size_t pad;
 /* create the ticket */
- ekey = unseal_key(skey);
 des_new_random_key(&session);
 krb_create_ticket (&ticket, 0, name, instance, realm, addr->sin_addr.s_addr, &session, life, kdc_time,
- sname, sinstance, ekey->key.keyvalue.data);
- hdb_free_key (ekey);
+ sname, sinstance, skey->key.keyvalue.data);
 /* create the encrypted part of the reply */
 sp = krb5_storage_emem ();
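Review bot: The new side of the do_524 hunk at -71 passes `&skey->key` straight from the hdb_entry to krb5_decrypt, which is only correct if the entry's keys were already unsealed with the master key when the entry was fetched; nothing in this diff shows where that now happens, so a one-line comment at that call site, e.g. `/* skey->key is plaintext here: entry keys are unsealed on fetch, no per-use copy */`, would record the precondition. The same assumption underlies every other hunk in this diff (the -124 hunk here, and the kaserver.c, kerberos4.c and kerberos5.c hunks). A consequence worth checking is that plaintext key bytes now live in the hdb_entry for its whole lifetime instead of in the short-lived copy that hdb_free_key released, so the path that frees the entry should be confirmed to zeroize key material. do_524's body and create_reply_ticket's body both continue outside these hunks.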
@@ -435,20 +432,15 @@ do_authenticate (struct rx_header *hdr,
 }
 /* try to decode the `request' */
- {
- Key *ekey = unseal_key(ckey);
-
- memcpy (&key, ekey->key.keyvalue.data, sizeof(key));
- hdb_free_key(ekey);
- des_set_key (&key, schedule);
- des_pcbc_encrypt ((des_cblock *)request.data,
- (des_cblock *)request.data,
- request.length,
- schedule,
- &key,
- DES_DECRYPT);
- memset (&schedule, 0, sizeof(schedule));
- }
+ memcpy (&key, ckey->key.keyvalue.data, sizeof(key));
+ des_set_key (&key, schedule);
+ des_pcbc_encrypt ((des_cblock *)request.data,
+ (des_cblock *)request.data,
+ request.length,
+ schedule,
+ &key,
+ DES_DECRYPT);
+ memset (&schedule, 0, sizeof(schedule));
 /* check for the magic label */
 if (memcmp ((char *)request.data + 4, "gTGS", 4) != 0) {
@@ -613,11 +605,7 @@ do_getticket (struct rx_header *hdr,
 }
 /* decrypt the incoming ticket */
- {
- Key *ekey = unseal_key(kkey);
- memcpy (&key, ekey->key.keyvalue.data, sizeof(key));
- hdb_free_key(ekey);
- }
+ memcpy (&key, kkey->key.keyvalue.data, sizeof(key));
 /* unpack the ticket */
 {
diff --git a/kdc/kerberos4.c b/kdc/kerberos4.c
index 3e24c6bcd..34aea3451 100644
--- a/kdc/kerberos4.c
+++ b/kdc/kerberos4.c
@@ -121,7 +121,7 @@ do_version4(unsigned char *buf,
 krb5_storage *sp;
 krb5_error_code ret;
 hdb_entry *client = NULL, *server = NULL;
- Key *ckey, *skey, *ekey;
+ Key *ckey, *skey;
 int8_t pvno;
 int8_t msg_type;
 int lsb;
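Review bot: `memcpy (&key, ckey->key.keyvalue.data, sizeof(key));` in do_authenticate copies sizeof(des_cblock) bytes out of the stored key without checking that `ckey->key.keyvalue.length` is at least that large, and the do_getticket hunk below repeats the pattern with kkey; the kerberos4.c hunks at -216 and -295 likewise hand `skey->key.keyvalue.data` and `tkey->key.keyvalue.data` to krb_create_ticket and krb_set_key, which take a bare pointer with no length. If key selection elsewhere guarantees a DES-sized key this is fine, but that guarantee is not visible here, so either a guard such as `if (ckey->key.keyvalue.length < sizeof(key)) { /* reject via the function's existing error path */ }` before the memcpy, or a comment naming where the guarantee comes from, would help. do_authenticate's body continues outside the hunk.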
@@ -216,18 +216,14 @@ do_version4(unsigned char *buf,
 des_cblock session;
 des_new_random_key(&session);
- ekey = unseal_key(skey);
 krb_create_ticket(&ticket, 0, name, inst, v4_realm, addr->sin_addr.s_addr, session, life, kdc_time,
- sname, sinst, ekey->key.keyvalue.data);
- hdb_free_key(ekey);
+ sname, sinst, skey->key.keyvalue.data);
- ekey = unseal_key(ckey);
 create_ciph(&cipher, session, sname, sinst, v4_realm, life, server->kvno, &ticket, kdc_time,
- ekey->key.keyvalue.data);
- hdb_free_key(ekey);
+ ckey->key.keyvalue.data);
 memset(&session, 0, sizeof(session));
 r = create_auth_reply(name, inst, realm, req_time, 0, client->pw_end ? *client->pw_end : 0,
@@ -295,9 +291,7 @@ do_version4(unsigned char *buf,
 memset(&auth, 0, sizeof(auth));
 memcpy(&auth.dat, buf, pos);
 auth.length = pos;
- ekey = unseal_key(tkey);
- krb_set_key(ekey->key.keyvalue.data, 0);
- hdb_free_key(ekey);
+ krb_set_key(tkey->key.keyvalue.data, 0);
 {
 int e;
 e = krb_rd_req(&auth, "krbtgt", realm,
@@ -379,11 +373,9 @@ do_version4(unsigned char *buf,
 KTEXT r;
 des_cblock session;
 des_new_random_key(&session);
- ekey = unseal_key(skey);
 krb_create_ticket(&ticket, 0, ad.pname, ad.pinst, ad.prealm, addr->sin_addr.s_addr, &session, life, kdc_time,
- sname, sinst, ekey->key.keyvalue.data);
- hdb_free_key(ekey);
+ sname, sinst, skey->key.keyvalue.data);
 create_ciph(&cipher, session, sname, sinst, v4_realm, life, server->kvno, &ticket,
@@ -223,15 +223,12 @@ as_rep(KDC_REQ *req,
 continue;
 }
- ekey = unseal_key(pa_key);
-
 ret = krb5_decrypt (context, enc_data.cipher.data, enc_data.cipher.length, enc_data.etype,
- &ekey->key,
+ &pa_key->key,
 &ts_data);
- hdb_free_key(ekey);
 free_EncryptedData(&enc_data);
 if(ret){
 e_text = "Failed to decrypt PA-DATA";
@@ -551,15 +548,13 @@ as_rep(KDC_REQ *req,
 goto out;
 }
- ekey = unseal_key(skey);
 krb5_encrypt_EncryptedData(context, buf + sizeof(buf) - len, len, setype, server->kvno,
- &ekey->key,
+ &skey->key,
 &rep.ticket.enc_part);
- hdb_free_key(ekey);
 ret = encode_EncASRepPart(buf + sizeof(buf) - 1, sizeof(buf), &ek, &len);
@@ -568,15 +563,13 @@ as_rep(KDC_REQ *req,
 kdc_log(0, "Failed to encode KDC-REP -- %s", client_name);
 goto out;
 }
- ekey = unseal_key(ckey);
 krb5_encrypt_EncryptedData(context, buf + sizeof(buf) - len, len, cetype, client->kvno,
- &ekey->key,
+ &ckey->key,
 &rep.enc_part);
- hdb_free_key(ekey);
 set_salt_padata (&rep.padata, ckey->salt);
 ret = encode_AS_REP(buf + sizeof(buf) - 1, sizeof(buf), &rep, &len);
@@ -790,7 +783,7 @@ tgs_make_reply(KDC_REQ_BODY *b, EncTicketPart *tgt,
 krb5_error_code ret;
 int i;
 krb5_enctype setype;
- Key *skey, *ekey;
+ Key *skey;
 krb5_keytype sess_ktype;
 /* Find appropriate key */
@@ -934,13 +927,11 @@ tgs_make_reply(KDC_REQ_BODY *b, EncTicketPart *tgt,
 krb5_get_err_text(context, ret));
 goto out;
 }
- ekey = unseal_key(skey);
 krb5_encrypt_EncryptedData(context, buf + sizeof(buf) - len, len, setype, server->kvno,
- &ekey->key,
+ &skey->key,
 &rep.ticket.enc_part);
- hdb_free_key(ekey);
 ret = encode_EncTGSRepPart(buf + sizeof(buf) - 1, sizeof(buf), &ek, &len);
@@ -1072,7 +1063,7 @@ tgs_rep2(KDC_REQ_BODY *b,
 hdb_entry *krbtgt;
 EncTicketPart *tgt;
- Key *tkey, *ekey;
+ Key *tkey;
 krb5_enctype cetype;
 krb5_principal cp = NULL;
 krb5_principal sp = NULL;
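Review bot: The result of `krb5_encrypt_EncryptedData(context, ...)` is discarded on the new side of the as_rep hunks at -551 and -568 and the tgs_make_reply hunk at -934, and `ret` is then overwritten by the following encode_* call, so if encryption reports failure the way the surrounding krb5_* calls do, a reply would still be built and sent with whatever is in `rep`. The other krb5_* calls in these hunks are checked, so assigning `ret = krb5_encrypt_EncryptedData(context, ...);` and following it with `if(ret) goto out;` (with the file's usual kdc_log) would make these consistent; the omission predates this commit but these lines are being touched anyway. as_rep's and tgs_make_reply's bodies continue outside these hunks.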
@@ -1116,15 +1107,13 @@ tgs_rep2(KDC_REQ_BODY *b,
 goto out2;
 }
- ekey = unseal_key(tkey);
 ret = krb5_verify_ap_req(context, &ac, &ap_req, princ,
- &ekey->key,
+ &tkey->key,
 &ap_req_options, &ticket);
- hdb_free_key(ekey);
 krb5_free_principal(context, princ);
 if(ret) {
@@ -1181,10 +1170,8 @@ tgs_rep2(KDC_REQ_BODY *b,
 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
 goto out;
 }
- ekey = unseal_key(tkey);
 ret = krb5_decrypt_EncryptedData(context, &t->enc_part,
- &ekey->key, &result);
-
+ &tkey->key, &result);
 if(ret){ /* XXX */