Removed all key unsealing from the KDC; it is now done by the hdb layer.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@3629 ec53bebd-3082-4978-b11e-865c3cabbd6b
10
kdc/524.c
10
kdc/524.c
@@ -48,7 +48,7 @@ do_524(Ticket *t, krb5_data *reply, const char *from)
|
|||||||
krb5_error_code ret;
|
krb5_error_code ret;
|
||||||
krb5_principal sprinc = NULL;
|
krb5_principal sprinc = NULL;
|
||||||
hdb_entry *server;
|
hdb_entry *server;
|
||||||
Key *skey, *ekey = NULL;
|
Key *skey;
|
||||||
krb5_data et_data;
|
krb5_data et_data;
|
||||||
EncTicketPart et;
|
EncTicketPart et;
|
||||||
EncryptedData ticket;
|
EncryptedData ticket;
|
||||||
@@ -71,14 +71,12 @@ do_524(Ticket *t, krb5_data *reply, const char *from)
|
|||||||
"when converting ticket from ", spn, from);
|
"when converting ticket from ", spn, from);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
ekey = unseal_key(skey);
|
|
||||||
ret = krb5_decrypt (context,
|
ret = krb5_decrypt (context,
|
||||||
t->enc_part.cipher.data,
|
t->enc_part.cipher.data,
|
||||||
t->enc_part.cipher.length,
|
t->enc_part.cipher.length,
|
||||||
t->enc_part.etype,
|
t->enc_part.etype,
|
||||||
&ekey->key,
|
&skey->key,
|
||||||
&et_data);
|
&et_data);
|
||||||
hdb_free_key(ekey);
|
|
||||||
if(ret){
|
if(ret){
|
||||||
kdc_log(0, "Failed to decrypt ticket from %s for %s", from, spn);
|
kdc_log(0, "Failed to decrypt ticket from %s for %s", from, spn);
|
||||||
goto out;
|
goto out;
|
||||||
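Review bot: The server's long-term key is now used straight from `skey->key`, so its plaintext sits inside the `server` hdb_entry for the whole of do_524 instead of in the short-lived copy the old code released with hdb_free_key() right after krb5_decrypt(). That is only acceptable if whoever releases `server` (outside this hunk) wipes the key bytes rather than merely free()ing the entry; that code is not visible here, so it is worth confirming against the hdb layer this commit now relies on. I would record the assumption next to the decrypt call: `/* skey->key is already unsealed by the hdb layer; the entry owner is responsible for wiping it */`. do_524 starts before and continues after this hunk.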
@@ -124,10 +122,8 @@ do_524(Ticket *t, krb5_data *reply, const char *from)
|
|||||||
kdc_log(0, "No DES key for server (%s)", spn);
|
kdc_log(0, "No DES key for server (%s)", spn);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
ekey = unseal_key(skey);
|
|
||||||
ret = encrypt_v4_ticket(buf + sizeof(buf) - len, len,
|
ret = encrypt_v4_ticket(buf + sizeof(buf) - len, len,
|
||||||
ekey->key.keyvalue.data, &ticket);
|
skey->key.keyvalue.data, &ticket);
|
||||||
hdb_free_key(ekey);
|
|
||||||
if(ret){
|
if(ret){
|
||||||
kdc_log(0, "Failed to encrypt v4 ticket (%s)", spn);
|
kdc_log(0, "Failed to encrypt v4 ticket (%s)", spn);
|
||||||
goto out;
|
goto out;
|
||||||
|
@@ -257,7 +257,6 @@ create_reply_ticket (struct rx_header *hdr,
|
|||||||
krb5_data *reply)
|
krb5_data *reply)
|
||||||
{
|
{
|
||||||
KTEXT_ST ticket;
|
KTEXT_ST ticket;
|
||||||
Key *ekey = NULL;
|
|
||||||
des_cblock session;
|
des_cblock session;
|
||||||
krb5_storage *sp;
|
krb5_storage *sp;
|
||||||
krb5_data enc_data;
|
krb5_data enc_data;
|
||||||
@@ -267,15 +266,13 @@ create_reply_ticket (struct rx_header *hdr,
|
|||||||
size_t pad;
|
size_t pad;
|
||||||
|
|
||||||
/* create the ticket */
|
/* create the ticket */
|
||||||
ekey = unseal_key(skey);
|
|
||||||
|
|
||||||
des_new_random_key(&session);
|
des_new_random_key(&session);
|
||||||
|
|
||||||
krb_create_ticket (&ticket, 0, name, instance, realm,
|
krb_create_ticket (&ticket, 0, name, instance, realm,
|
||||||
addr->sin_addr.s_addr,
|
addr->sin_addr.s_addr,
|
||||||
&session, life, kdc_time,
|
&session, life, kdc_time,
|
||||||
sname, sinstance, ekey->key.keyvalue.data);
|
sname, sinstance, skey->key.keyvalue.data);
|
||||||
hdb_free_key (ekey);
|
|
||||||
|
|
||||||
/* create the encrypted part of the reply */
|
/* create the encrypted part of the reply */
|
||||||
sp = krb5_storage_emem ();
|
sp = krb5_storage_emem ();
|
||||||
@@ -435,20 +432,15 @@ do_authenticate (struct rx_header *hdr,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* try to decode the `request' */
|
/* try to decode the `request' */
|
||||||
{
|
memcpy (&key, ckey->key.keyvalue.data, sizeof(key));
|
||||||
Key *ekey = unseal_key(ckey);
|
des_set_key (&key, schedule);
|
||||||
|
des_pcbc_encrypt ((des_cblock *)request.data,
|
||||||
memcpy (&key, ekey->key.keyvalue.data, sizeof(key));
|
(des_cblock *)request.data,
|
||||||
hdb_free_key(ekey);
|
request.length,
|
||||||
des_set_key (&key, schedule);
|
schedule,
|
||||||
des_pcbc_encrypt ((des_cblock *)request.data,
|
&key,
|
||||||
(des_cblock *)request.data,
|
DES_DECRYPT);
|
||||||
request.length,
|
memset (&schedule, 0, sizeof(schedule));
|
||||||
schedule,
|
|
||||||
&key,
|
|
||||||
DES_DECRYPT);
|
|
||||||
memset (&schedule, 0, sizeof(schedule));
|
|
||||||
}
|
|
||||||
|
|
||||||
/* check for the magic label */
|
/* check for the magic label */
|
||||||
if (memcmp ((char *)request.data + 4, "gTGS", 4) != 0) {
|
if (memcmp ((char *)request.data + 4, "gTGS", 4) != 0) {
|
||||||
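Review bot: The new flat sequence zeroes `schedule` after the decrypt but leaves `key`, the stack copy of the client's long-term DES key made by the memcpy at the top of the hunk, intact for the rest of the function; add `memset (&key, 0, sizeof(key));` directly after the `schedule` memset, since that copy is now the only place the unsealed key is duplicated. The memcpy also copies exactly sizeof(des_cblock) bytes from `ckey->key.keyvalue.data` without consulting `keyvalue.length`, which is only safe if the lookup that selected `ckey` (earlier in the function, outside this hunk) guarantees a DES key; if it does not, a guard such as `if (ckey->key.keyvalue.length != sizeof(key)) { /* reject, via the function's error path */ }` belongs before the copy. A plain memset on a local that is dead afterwards may be dropped by the optimizer, but the file already relies on memset for `schedule`, so this follows its existing convention. do_authenticate starts before and continues after this hunk.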
@@ -613,11 +605,7 @@ do_getticket (struct rx_header *hdr,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* decrypt the incoming ticket */
|
/* decrypt the incoming ticket */
|
||||||
{
|
memcpy (&key, kkey->key.keyvalue.data, sizeof(key));
|
||||||
Key *ekey = unseal_key(kkey);
|
|
||||||
memcpy (&key, ekey->key.keyvalue.data, sizeof(key));
|
|
||||||
hdb_free_key(ekey);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* unpack the ticket */
|
/* unpack the ticket */
|
||||||
{
|
{
|
||||||
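Review bot: `memcpy (&key, kkey->key.keyvalue.data, sizeof(key));` takes a fixed 8 bytes from the key without checking `kkey->key.keyvalue.length`, and nothing in the visible new code wipes `key` once the incoming ticket has been decrypted (the decryption and the later cleanup, if any, are outside this hunk). If the selection of `kkey` earlier in do_getticket does not already guarantee a DES key, a length check before the copy is needed, and a `memset (&key, 0, sizeof(key));` after the ticket has been unpacked would keep the only remaining plaintext copy short-lived. do_getticket starts before and continues after this hunk.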
|
@@ -121,7 +121,7 @@ do_version4(unsigned char *buf,
|
|||||||
krb5_storage *sp;
|
krb5_storage *sp;
|
||||||
krb5_error_code ret;
|
krb5_error_code ret;
|
||||||
hdb_entry *client = NULL, *server = NULL;
|
hdb_entry *client = NULL, *server = NULL;
|
||||||
Key *ckey, *skey, *ekey;
|
Key *ckey, *skey;
|
||||||
int8_t pvno;
|
int8_t pvno;
|
||||||
int8_t msg_type;
|
int8_t msg_type;
|
||||||
int lsb;
|
int lsb;
|
||||||
@@ -216,18 +216,14 @@ do_version4(unsigned char *buf,
|
|||||||
des_cblock session;
|
des_cblock session;
|
||||||
|
|
||||||
des_new_random_key(&session);
|
des_new_random_key(&session);
|
||||||
ekey = unseal_key(skey);
|
|
||||||
|
|
||||||
krb_create_ticket(&ticket, 0, name, inst, v4_realm,
|
krb_create_ticket(&ticket, 0, name, inst, v4_realm,
|
||||||
addr->sin_addr.s_addr, session, life, kdc_time,
|
addr->sin_addr.s_addr, session, life, kdc_time,
|
||||||
sname, sinst, ekey->key.keyvalue.data);
|
sname, sinst, skey->key.keyvalue.data);
|
||||||
hdb_free_key(ekey);
|
|
||||||
|
|
||||||
ekey = unseal_key(ckey);
|
|
||||||
create_ciph(&cipher, session, sname, sinst, v4_realm,
|
create_ciph(&cipher, session, sname, sinst, v4_realm,
|
||||||
life, server->kvno, &ticket, kdc_time,
|
life, server->kvno, &ticket, kdc_time,
|
||||||
ekey->key.keyvalue.data);
|
ckey->key.keyvalue.data);
|
||||||
hdb_free_key(ekey);
|
|
||||||
memset(&session, 0, sizeof(session));
|
memset(&session, 0, sizeof(session));
|
||||||
r = create_auth_reply(name, inst, realm, req_time, 0,
|
r = create_auth_reply(name, inst, realm, req_time, 0,
|
||||||
client->pw_end ? *client->pw_end : 0,
|
client->pw_end ? *client->pw_end : 0,
|
||||||
@@ -295,9 +291,7 @@ do_version4(unsigned char *buf,
|
|||||||
memset(&auth, 0, sizeof(auth));
|
memset(&auth, 0, sizeof(auth));
|
||||||
memcpy(&auth.dat, buf, pos);
|
memcpy(&auth.dat, buf, pos);
|
||||||
auth.length = pos;
|
auth.length = pos;
|
||||||
ekey = unseal_key(tkey);
|
krb_set_key(tkey->key.keyvalue.data, 0);
|
||||||
krb_set_key(ekey->key.keyvalue.data, 0);
|
|
||||||
hdb_free_key(ekey);
|
|
||||||
{
|
{
|
||||||
int e;
|
int e;
|
||||||
e = krb_rd_req(&auth, "krbtgt", realm,
|
e = krb_rd_req(&auth, "krbtgt", realm,
|
||||||
@@ -379,11 +373,9 @@ do_version4(unsigned char *buf,
|
|||||||
KTEXT r;
|
KTEXT r;
|
||||||
des_cblock session;
|
des_cblock session;
|
||||||
des_new_random_key(&session);
|
des_new_random_key(&session);
|
||||||
ekey = unseal_key(skey);
|
|
||||||
krb_create_ticket(&ticket, 0, ad.pname, ad.pinst, ad.prealm,
|
krb_create_ticket(&ticket, 0, ad.pname, ad.pinst, ad.prealm,
|
||||||
addr->sin_addr.s_addr, &session, life, kdc_time,
|
addr->sin_addr.s_addr, &session, life, kdc_time,
|
||||||
sname, sinst, ekey->key.keyvalue.data);
|
sname, sinst, skey->key.keyvalue.data);
|
||||||
hdb_free_key(ekey);
|
|
||||||
|
|
||||||
create_ciph(&cipher, session, sname, sinst, v4_realm,
|
create_ciph(&cipher, session, sname, sinst, v4_realm,
|
||||||
life, server->kvno, &ticket,
|
life, server->kvno, &ticket,
|
||||||
|
@@ -84,7 +84,7 @@ as_rep(KDC_REQ *req,
|
|||||||
const char *e_text = NULL;
|
const char *e_text = NULL;
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
Key *ckey, *skey, *ekey;
|
Key *ckey, *skey;
|
||||||
|
|
||||||
if(b->sname == NULL){
|
if(b->sname == NULL){
|
||||||
server_name = "<unknown server>";
|
server_name = "<unknown server>";
|
||||||
@@ -223,15 +223,12 @@ as_rep(KDC_REQ *req,
|
|||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
ekey = unseal_key(pa_key);
|
|
||||||
|
|
||||||
ret = krb5_decrypt (context,
|
ret = krb5_decrypt (context,
|
||||||
enc_data.cipher.data,
|
enc_data.cipher.data,
|
||||||
enc_data.cipher.length,
|
enc_data.cipher.length,
|
||||||
enc_data.etype,
|
enc_data.etype,
|
||||||
&ekey->key,
|
&pa_key->key,
|
||||||
&ts_data);
|
&ts_data);
|
||||||
hdb_free_key(ekey);
|
|
||||||
free_EncryptedData(&enc_data);
|
free_EncryptedData(&enc_data);
|
||||||
if(ret){
|
if(ret){
|
||||||
e_text = "Failed to decrypt PA-DATA";
|
e_text = "Failed to decrypt PA-DATA";
|
||||||
@@ -551,15 +548,13 @@ as_rep(KDC_REQ *req,
|
|||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
ekey = unseal_key(skey);
|
|
||||||
krb5_encrypt_EncryptedData(context,
|
krb5_encrypt_EncryptedData(context,
|
||||||
buf + sizeof(buf) - len,
|
buf + sizeof(buf) - len,
|
||||||
len,
|
len,
|
||||||
setype,
|
setype,
|
||||||
server->kvno,
|
server->kvno,
|
||||||
&ekey->key,
|
&skey->key,
|
||||||
&rep.ticket.enc_part);
|
&rep.ticket.enc_part);
|
||||||
hdb_free_key(ekey);
|
|
||||||
|
|
||||||
ret = encode_EncASRepPart(buf + sizeof(buf) - 1, sizeof(buf),
|
ret = encode_EncASRepPart(buf + sizeof(buf) - 1, sizeof(buf),
|
||||||
&ek, &len);
|
&ek, &len);
|
||||||
@@ -568,15 +563,13 @@ as_rep(KDC_REQ *req,
|
|||||||
kdc_log(0, "Failed to encode KDC-REP -- %s", client_name);
|
kdc_log(0, "Failed to encode KDC-REP -- %s", client_name);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
ekey = unseal_key(ckey);
|
|
||||||
krb5_encrypt_EncryptedData(context,
|
krb5_encrypt_EncryptedData(context,
|
||||||
buf + sizeof(buf) - len,
|
buf + sizeof(buf) - len,
|
||||||
len,
|
len,
|
||||||
cetype,
|
cetype,
|
||||||
client->kvno,
|
client->kvno,
|
||||||
&ekey->key,
|
&ckey->key,
|
||||||
&rep.enc_part);
|
&rep.enc_part);
|
||||||
hdb_free_key(ekey);
|
|
||||||
set_salt_padata (&rep.padata, ckey->salt);
|
set_salt_padata (&rep.padata, ckey->salt);
|
||||||
|
|
||||||
ret = encode_AS_REP(buf + sizeof(buf) - 1, sizeof(buf), &rep, &len);
|
ret = encode_AS_REP(buf + sizeof(buf) - 1, sizeof(buf), &rep, &len);
|
||||||
@@ -790,7 +783,7 @@ tgs_make_reply(KDC_REQ_BODY *b, EncTicketPart *tgt,
|
|||||||
krb5_error_code ret;
|
krb5_error_code ret;
|
||||||
int i;
|
int i;
|
||||||
krb5_enctype setype;
|
krb5_enctype setype;
|
||||||
Key *skey, *ekey;
|
Key *skey;
|
||||||
krb5_keytype sess_ktype;
|
krb5_keytype sess_ktype;
|
||||||
|
|
||||||
/* Find appropriate key */
|
/* Find appropriate key */
|
||||||
@@ -934,13 +927,11 @@ tgs_make_reply(KDC_REQ_BODY *b, EncTicketPart *tgt,
|
|||||||
krb5_get_err_text(context, ret));
|
krb5_get_err_text(context, ret));
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
ekey = unseal_key(skey);
|
|
||||||
krb5_encrypt_EncryptedData(context, buf + sizeof(buf) - len, len,
|
krb5_encrypt_EncryptedData(context, buf + sizeof(buf) - len, len,
|
||||||
setype,
|
setype,
|
||||||
server->kvno,
|
server->kvno,
|
||||||
&ekey->key,
|
&skey->key,
|
||||||
&rep.ticket.enc_part);
|
&rep.ticket.enc_part);
|
||||||
hdb_free_key(ekey);
|
|
||||||
|
|
||||||
ret = encode_EncTGSRepPart(buf + sizeof(buf) - 1,
|
ret = encode_EncTGSRepPart(buf + sizeof(buf) - 1,
|
||||||
sizeof(buf), &ek, &len);
|
sizeof(buf), &ek, &len);
|
||||||
@@ -1072,7 +1063,7 @@ tgs_rep2(KDC_REQ_BODY *b,
|
|||||||
|
|
||||||
hdb_entry *krbtgt;
|
hdb_entry *krbtgt;
|
||||||
EncTicketPart *tgt;
|
EncTicketPart *tgt;
|
||||||
Key *tkey, *ekey;
|
Key *tkey;
|
||||||
krb5_enctype cetype;
|
krb5_enctype cetype;
|
||||||
krb5_principal cp = NULL;
|
krb5_principal cp = NULL;
|
||||||
krb5_principal sp = NULL;
|
krb5_principal sp = NULL;
|
||||||
@@ -1116,15 +1107,13 @@ tgs_rep2(KDC_REQ_BODY *b,
|
|||||||
goto out2;
|
goto out2;
|
||||||
}
|
}
|
||||||
|
|
||||||
ekey = unseal_key(tkey);
|
|
||||||
ret = krb5_verify_ap_req(context,
|
ret = krb5_verify_ap_req(context,
|
||||||
&ac,
|
&ac,
|
||||||
&ap_req,
|
&ap_req,
|
||||||
princ,
|
princ,
|
||||||
&ekey->key,
|
&tkey->key,
|
||||||
&ap_req_options,
|
&ap_req_options,
|
||||||
&ticket);
|
&ticket);
|
||||||
hdb_free_key(ekey);
|
|
||||||
|
|
||||||
krb5_free_principal(context, princ);
|
krb5_free_principal(context, princ);
|
||||||
if(ret) {
|
if(ret) {
|
||||||
@@ -1181,10 +1170,8 @@ tgs_rep2(KDC_REQ_BODY *b,
|
|||||||
ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
|
ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
ekey = unseal_key(tkey);
|
|
||||||
ret = krb5_decrypt_EncryptedData(context, &t->enc_part,
|
ret = krb5_decrypt_EncryptedData(context, &t->enc_part,
|
||||||
&ekey->key, &result);
|
&tkey->key, &result);
|
||||||
|
|
||||||
|
|
||||||
if(ret){
|
if(ret){
|
||||||
/* XXX */
|
/* XXX */
|
||||||
|