From 83c3fb469824ef4398143a327bc956088a33a2ec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= Date: Tue, 13 Dec 2005 19:10:44 +0000 Subject: [PATCH] Finish up transition from hdb_entry with hdb_entry_ex. git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16401 ec53bebd-3082-4978-b11e-865c3cabbd6b --- kdc/kerberos5.c | 161 +++++++++++++++++++++++++----------------------- 1 file changed, 84 insertions(+), 77 deletions(-) diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c index 674af7ac1..ee6a51079 100644 --- a/kdc/kerberos5.c +++ b/kdc/kerberos5.c @@ -88,7 +88,7 @@ find_padata(KDC_REQ *req, int *start, int type) */ static krb5_error_code -find_etype(krb5_context context, hdb_entry *princ, +find_etype(krb5_context context, const hdb_entry_ex *princ, krb5_enctype *etypes, unsigned len, Key **ret_key, krb5_enctype *ret_etype) { @@ -101,7 +101,7 @@ find_etype(krb5_context context, hdb_entry *princ, if (krb5_enctype_valid(context, etypes[i]) != 0) continue; - while (hdb_next_enctype2key(context, princ, etypes[i], &key) == 0) { + while (hdb_next_enctype2key(context, &princ->entry, etypes[i], &key) == 0) { if (key->key.keyvalue.length == 0) { ret = KRB5KDC_ERR_NULL_KEY; continue; @@ -119,8 +119,8 @@ find_etype(krb5_context context, hdb_entry *princ, static krb5_error_code find_keys(krb5_context context, krb5_kdc_configuration *config, - hdb_entry *client, - hdb_entry *server, + const hdb_entry_ex *client, + const hdb_entry_ex *server, Key **ckey, krb5_enctype *cetype, Key **skey, @@ -136,7 +136,7 @@ find_keys(krb5_context context, /* find client key */ ret = find_etype(context, client, etypes, num_etypes, ckey, cetype); if (ret) { - if (krb5_unparse_name(context, client->principal, &name) != 0) + if (krb5_unparse_name(context, client->entry.principal, &name) != 0) name = unparse_name; kdc_log(context, config, 0, "Client (%s) has no support for etypes", name); 
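Review bot: `find_etype` now takes `const hdb_entry_ex *princ`, yet its `Key **ret_key` output is the `key` that `hdb_next_enctype2key(context, &princ->entry, …)` returns from inside that same entry, so the caller receives a mutable pointer into a const object whose lifetime ends with the entry. The const qualifier does not express that contract; a short comment above the function would: `/* On success *ret_key points into princ->entry.keys: valid only while princ is alive (see _kdc_free_ent) and not to be modified. */`. The same holds for the `ckey`/`skey` outputs of find_keys in hunk @@ -119. The body of find_etype continues outside hunk @@ -101, so the `*ret_key = key` assignment is inferred from the signature rather than visible here.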
@@ -150,7 +150,7 @@ find_keys(krb5_context context, /* find server key */ ret = find_etype(context, server, etypes, num_etypes, skey, setype); if (ret) { - if (krb5_unparse_name(context, server->principal, &name) != 0) + if (krb5_unparse_name(context, server->entry.principal, &name) != 0) name = unparse_name; kdc_log(context, config, 0, "Server (%s) has no support for etypes", name); @@ -788,7 +788,7 @@ _kdc_as_rep(krb5_context context, KDC_REQ_BODY *b = &req->req_body; AS_REP rep; KDCOptions f = b->kdc_options; - hdb_entry *client = NULL, *server = NULL; + hdb_entry_ex *client = NULL, *server = NULL; krb5_enctype cetype, setype; EncTicketPart et; EncKDCRepPart ek; @@ -851,8 +851,8 @@ _kdc_as_rep(krb5_context context, } ret = _kdc_check_flags(context, config, - client, client_name, - server, server_name, + &client->entry, client_name, + &server->entry, server_name, TRUE); if(ret) goto out; @@ -945,7 +945,8 @@ _kdc_as_rep(krb5_context context, goto out; } - ret = hdb_enctype2key(context, client, enc_data.etype, &pa_key); + ret = hdb_enctype2key(context, &client->entry, + enc_data.etype, &pa_key); if(ret){ char *estr; e_text = "No key matches pa-data"; @@ -995,7 +996,7 @@ _kdc_as_rep(krb5_context context, krb5_get_err_text(context, ret)); free(str); - if(hdb_next_enctype2key(context, client, + if(hdb_next_enctype2key(context, &client->entry, enc_data.etype, &pa_key) == 0) goto try_next_key; e_text = "Failed to decrypt PA-DATA"; @@ -1051,8 +1052,8 @@ _kdc_as_rep(krb5_context context, goto out; } }else if (config->require_preauth - || client->flags.require_preauth - || server->flags.require_preauth) { + || client->entry.flags.require_preauth + || server->entry.flags.require_preauth) { METHOD_DATA method_data; PA_DATA *pa; unsigned char *buf; 
@@ -1087,11 +1088,12 @@ _kdc_as_rep(krb5_context context, /* XXX check ret */ if (only_older_enctype_p(req)) - ret = get_pa_etype_info(context, config, &method_data, client, + ret = get_pa_etype_info(context, config, + &method_data, &client->entry, b->etype.val, b->etype.len); /* XXX check ret */ - ret = get_pa_etype_info2(context, config, &method_data, client, - b->etype.val, b->etype.len); + ret = get_pa_etype_info2(context, config, &method_data, + &client->entry, b->etype.val, b->etype.len); ASN1_MALLOC_ENCODE(METHOD_DATA, buf, len, &method_data, &len, ret); @@ -1183,19 +1185,19 @@ _kdc_as_rep(krb5_context context, rep.pvno = 5; rep.msg_type = krb_as_rep; - copy_Realm(&client->principal->realm, &rep.crealm); + copy_Realm(&client->entry.principal->realm, &rep.crealm); if (f.request_anonymous) make_anonymous_principalname (&rep.cname); else _krb5_principal2principalname(&rep.cname, - client->principal); + client->entry.principal); rep.ticket.tkt_vno = 5; - copy_Realm(&server->principal->realm, &rep.ticket.realm); + copy_Realm(&server->entry.principal->realm, &rep.ticket.realm); _krb5_principal2principalname(&rep.ticket.sname, - server->principal); + server->entry.principal); et.flags.initial = 1; - if(client->flags.forwardable && server->flags.forwardable) + if(client->entry.flags.forwardable && server->entry.flags.forwardable) et.flags.forwardable = f.forwardable; else if (f.forwardable) { ret = KRB5KDC_ERR_POLICY; @@ -1203,7 +1205,7 @@ _kdc_as_rep(krb5_context context, "Ticket may not be forwardable -- %s", client_name); goto out; } - if(client->flags.proxiable && server->flags.proxiable) + if(client->entry.flags.proxiable && server->entry.flags.proxiable) et.flags.proxiable = f.proxiable; else if (f.proxiable) { ret = KRB5KDC_ERR_POLICY; 
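Review bot: The rewrapped `get_pa_etype_info` call still has its `ret` overwritten by the `get_pa_etype_info2` call two lines later, so a failure while building the ETYPE-INFO entry is silently dropped and the reply is encoded from a possibly partial `method_data`; the commit leaves both `/* XXX check ret */` markers in place. Since these lines are being touched anyway, `if (ret) goto out;` after each call, together with whatever release of `method_data` the surrounding block performs on its other error exits, would close that gap; that cleanup is outside the hunk, so confirm what `out:` frees before relying on it. The enclosing `else if (config->require_preauth …)` block starts in hunk @@ -1051 and ends past this hunk.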
@@ -1211,7 +1213,7 @@ _kdc_as_rep(krb5_context context, "Ticket may not be proxiable -- %s", client_name); goto out; } - if(client->flags.postdate && server->flags.postdate) + if(client->entry.flags.postdate && server->entry.flags.postdate) et.flags.may_postdate = f.allow_postdate; else if (f.allow_postdate){ ret = KRB5KDC_ERR_POLICY; @@ -1249,10 +1251,10 @@ _kdc_as_rep(krb5_context context, /* be careful not overflowing */ - if(client->max_life) - t = start + min(t - start, *client->max_life); - if(server->max_life) - t = start + min(t - start, *server->max_life); + if(client->entry.max_life) + t = start + min(t - start, *client->entry.max_life); + if(server->entry.max_life) + t = start + min(t - start, *server->entry.max_life); #if 0 t = min(t, start + realm->max_life); #endif @@ -1270,10 +1272,10 @@ _kdc_as_rep(krb5_context context, t = *b->rtime; if(t == 0) t = MAX_TIME; - if(client->max_renew) - t = start + min(t - start, *client->max_renew); - if(server->max_renew) - t = start + min(t - start, *server->max_renew); + if(client->entry.max_renew) + t = start + min(t - start, *client->entry.max_renew); + if(server->entry.max_renew) + t = start + min(t - start, *server->entry.max_renew); #if 0 t = min(t, start + realm->max_renew); #endif 
@@ -1307,16 +1309,16 @@ _kdc_as_rep(krb5_context context, */ ek.last_req.val = malloc(2 * sizeof(*ek.last_req.val)); ek.last_req.len = 0; - if (client->pw_end + if (client->entry.pw_end && (config->kdc_warn_pwexpire == 0 - || kdc_time + config->kdc_warn_pwexpire <= *client->pw_end)) { + || kdc_time + config->kdc_warn_pwexpire <= *client->entry.pw_end)) { ek.last_req.val[ek.last_req.len].lr_type = LR_PW_EXPTIME; - ek.last_req.val[ek.last_req.len].lr_value = *client->pw_end; + ek.last_req.val[ek.last_req.len].lr_value = *client->entry.pw_end; ++ek.last_req.len; } - if (client->valid_end) { + if (client->entry.valid_end) { ek.last_req.val[ek.last_req.len].lr_type = LR_ACCT_EXPTIME; - ek.last_req.val[ek.last_req.len].lr_value = *client->valid_end; + ek.last_req.val[ek.last_req.len].lr_value = *client->entry.valid_end; ++ek.last_req.len; } if (ek.last_req.len == 0) { @@ -1325,15 +1327,16 @@ _kdc_as_rep(krb5_context context, ++ek.last_req.len; } ek.nonce = b->nonce; - if (client->valid_end || client->pw_end) { + if (client->entry.valid_end || client->entry.pw_end) { ALLOC(ek.key_expiration); - if (client->valid_end) { - if (client->pw_end) - *ek.key_expiration = min(*client->valid_end, *client->pw_end); + if (client->entry.valid_end) { + if (client->entry.pw_end) + *ek.key_expiration = min(*client->entry.valid_end, + *client->entry.pw_end); else - *ek.key_expiration = *client->valid_end; + *ek.key_expiration = *client->entry.valid_end; } else - *ek.key_expiration = *client->pw_end; + *ek.key_expiration = *client->entry.pw_end; } else ek.key_expiration = NULL; ek.flags = et.flags; @@ -1380,8 +1383,8 @@ _kdc_as_rep(krb5_context context, et.endtime, et.renew_till); ret = encode_reply(context, config, - &rep, &et, &ek, setype, server->kvno, &skey->key, - client->kvno, reply_key, &e_text, reply); + &rep, &et, &ek, setype, server->entry.kvno, &skey->key, + client->entry.kvno, reply_key, &e_text, reply); free_EncTicketPart(&et); free_EncKDCRepPart(&ek); out: 
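Review bot: The new lines `ek.last_req.val[ek.last_req.len].lr_value = *client->entry.pw_end;` and `… lr_value = *client->entry.valid_end;` write through `ek.last_req.val`, which the context line `ek.last_req.val = malloc(2 * sizeof(*ek.last_req.val));` never checks. A failed allocation here becomes a NULL write inside the KDC instead of an error reply; add `if (ek.last_req.val == NULL) { ret = ENOMEM; goto out; }` directly after the malloc, using whatever cleanup the other error exits of `_kdc_as_rep` perform (the `out:` label and its cleanup lie outside this hunk). `ALLOC(ek.key_expiration)` in hunk @@ -1325 has the same unchecked pattern, assuming ALLOC is a plain malloc wrapper.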
@@ -1660,10 +1663,10 @@ tgs_make_reply(krb5_context context, EncTicketPart *tgt, EncTicketPart *adtkt, AuthorizationData *auth_data, - hdb_entry *server, - hdb_entry *client, + const hdb_entry_ex *server, + const hdb_entry_ex *client, krb5_principal client_principal, - hdb_entry *krbtgt, + const hdb_entry_ex *krbtgt, krb5_enctype cetype, const char **e_text, krb5_data *reply) @@ -1744,14 +1747,14 @@ tgs_make_reply(krb5_context context, GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK), &tgt->transited, &et, *krb5_princ_realm(context, client_principal), - *krb5_princ_realm(context, server->principal), - *krb5_princ_realm(context, krbtgt->principal)); + *krb5_princ_realm(context, server->entry.principal), + *krb5_princ_realm(context, krbtgt->entry.principal)); if(ret) goto out; - copy_Realm(krb5_princ_realm(context, server->principal), + copy_Realm(krb5_princ_realm(context, server->entry.principal), &rep.ticket.realm); - _krb5_principal2principalname(&rep.ticket.sname, server->principal); + _krb5_principal2principalname(&rep.ticket.sname, server->entry.principal); copy_Realm(&tgt->crealm, &rep.crealm); if (f.request_anonymous) make_anonymous_principalname (&tgt->cname); @@ -1766,10 +1769,10 @@ tgs_make_reply(krb5_context context, { time_t life; life = et.endtime - *et.starttime; - if(client && client->max_life) - life = min(life, *client->max_life); - if(server->max_life) - life = min(life, *server->max_life); + if(client && client->entry.max_life) + life = min(life, *client->entry.max_life); + if(server->entry.max_life) + life = min(life, *server->entry.max_life); et.endtime = *et.starttime + life; } if(f.renewable_ok && tgt->flags.renewable && 
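Review bot: The new `tgs_make_reply` prototype declares `server`, `client` and `krbtgt` all as `const hdb_entry_ex *` without saying that `client` may be NULL, which the guards `if(client && client->entry.max_life)` and `if(client && client->entry.max_renew)` in hunks @@ -1766 and @@ -1781 rely on, while `server->entry` and `krbtgt->entry` are dereferenced unconditionally. A comment on the parameter would keep the next caller from treating the three alike: `const hdb_entry_ex *client, /* may be NULL: no local entry for the client principal — see caller */`. Presumably this covers clients from another realm; confirm against tgs_rep2's lookup, which is outside this hunk.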
@@ -1781,10 +1784,10 @@ tgs_make_reply(krb5_context context, if(et.renew_till){ time_t renew; renew = *et.renew_till - et.authtime; - if(client && client->max_renew) - renew = min(renew, *client->max_renew); - if(server->max_renew) - renew = min(renew, *server->max_renew); + if(client && client->entry.max_renew) + renew = min(renew, *client->entry.max_renew); + if(server->entry.max_renew) + renew = min(renew, *server->entry.max_renew); *et.renew_till = et.authtime + renew; } @@ -1809,7 +1812,7 @@ tgs_make_reply(krb5_context context, et.flags.pre_authent = tgt->flags.pre_authent; et.flags.hw_authent = tgt->flags.hw_authent; et.flags.anonymous = tgt->flags.anonymous; - et.flags.ok_as_delegate = server->flags.ok_as_delegate; + et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate; /* XXX Check enc-authorization-data */ et.authorization_data = auth_data; @@ -1845,8 +1848,8 @@ tgs_make_reply(krb5_context context, etype list, even if we don't want a session key with DES3? */ ret = encode_reply(context, config, - &rep, &et, &ek, etype, adtkt ? 0 : server->kvno, ekey, - 0, &tgt->key, e_text, reply); + &rep, &et, &ek, etype, adtkt ? 0 : server->entry.kvno, + ekey, 0, &tgt->key, e_text, reply); out: free_TGS_REP(&rep); free_TransitedEncoding(&et.transited); @@ -1996,7 +1999,7 @@ tgs_rep2(krb5_context context, const char *e_text = NULL; krb5_crypto crypto; - hdb_entry *krbtgt = NULL; + hdb_entry_ex *krbtgt = NULL; EncTicketPart *tgt; Key *tkey; krb5_enctype cetype; @@ -2044,7 +2047,7 @@ tgs_rep2(krb5_context context, } if(ap_req.ticket.enc_part.kvno && - *ap_req.ticket.enc_part.kvno != krbtgt->kvno){ + *ap_req.ticket.enc_part.kvno != krbtgt->entry.kvno){ char *p; ret = krb5_unparse_name (context, princ, &p); @@ -2054,7 +2057,7 @@ tgs_rep2(krb5_context context, kdc_log(context, config, 0, "Ticket kvno = %d, DB kvno = %d (%s)", *ap_req.ticket.enc_part.kvno, - krbtgt->kvno, + krbtgt->entry.kvno, p); if (ret == 0) free (p); 
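Review bot: In hunk @@ -2054 the `kdc_log` format `"Ticket kvno = %d, DB kvno = %d (%s)"` now receives `krbtgt->entry.kvno`; if that field and `*ap_req.ticket.enc_part.kvno` are unsigned, as the ASN.1-generated INTEGER fields in this codebase usually are, the matching specifier is `%u` for both — please confirm against the generated hdb and krb5 headers. This is a `-Wformat` point only; the kvno mismatch rejection in hunk @@ -2044 is itself correct and unchanged in meaning.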
@@ -2062,7 +2065,8 @@ tgs_rep2(krb5_context context, goto out2; } - ret = hdb_enctype2key(context, krbtgt, ap_req.ticket.enc_part.etype, &tkey); + ret = hdb_enctype2key(context, &krbtgt->entry, + ap_req.ticket.enc_part.etype, &tkey); if(ret){ char *str; krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str); @@ -2195,7 +2199,7 @@ tgs_rep2(krb5_context context, PrincipalName *s; Realm r; char *spn = NULL, *cpn = NULL; - hdb_entry *server = NULL, *client = NULL; + hdb_entry_ex *server = NULL, *client = NULL; int nloop = 0; EncTicketPart adtkt; char opt_str[128]; @@ -2204,7 +2208,7 @@ tgs_rep2(krb5_context context, r = b->realm; if(b->kdc_options.enc_tkt_in_skey){ Ticket *t; - hdb_entry *uu; + hdb_entry_ex *uu; krb5_principal p; Key *uukey; @@ -2230,13 +2234,15 @@ tgs_rep2(krb5_context context, ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; goto out; } - ret = hdb_enctype2key(context, uu, t->enc_part.etype, &uukey); + ret = hdb_enctype2key(context, &uu->entry, + t->enc_part.etype, &uukey); if(ret){ + _kdc_free_ent(context, uu); ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */ goto out; } ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0); - + _kdc_free_ent(context, uu); if(ret) goto out; s = &adtkt.cname; @@ -2328,9 +2334,9 @@ tgs_rep2(krb5_context context, #endif if(strcmp(krb5_principal_get_realm(context, sp), - krb5_principal_get_comp_string(context, krbtgt->principal, 1)) != 0) { + krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1)) != 0) { char *tpn; - ret = krb5_unparse_name(context, krbtgt->principal, &tpn); + ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn); kdc_log(context, config, 0, "Request with wrong krbtgt: %s", (ret == 0) ? tpn : ""); 
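Review bot: In hunk @@ -2230, after `_kdc_free_ent(context, uu)` on both the error path and the path following `krb5_decrypt_ticket`, `uukey` still points into the released entry's key list, and the enclosing `if(b->kdc_options.enc_tkt_in_skey)` block continues past this hunk. Nothing visible uses it afterwards, but a dangling key pointer next to the live `adtkt` data is easy to misuse later; setting `uukey = NULL;` right after each free makes the lifetime explicit. The early exit also still replaces the lookup error with `KRB5KDC_ERR_ETYPE_NOSUPP`, which the `/* XXX */` marks; logging the original `ret` before overwriting it would preserve the diagnostic.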
@@ -2342,16 +2348,16 @@ tgs_rep2(krb5_context context, } ret = _kdc_check_flags(context, config, - client, cpn, - server, spn, + &client->entry, cpn, + &server->entry, spn, FALSE); if(ret) goto out; if((b->kdc_options.validate || b->kdc_options.renew) && !krb5_principal_compare(context, - krbtgt->principal, - server->principal)){ + krbtgt->entry.principal, + server->entry.principal)){ kdc_log(context, config, 0, "Inconsistent request."); ret = KRB5KDC_ERR_SERVER_NOMATCH; goto out; @@ -2364,7 +2370,8 @@ tgs_rep2(krb5_context context, goto out; } - ret = tgs_make_reply(context, config, + ret = tgs_make_reply(context, + config, b, tgt, b->kdc_options.enc_tkt_in_skey ? &adtkt : NULL,
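Review bot: In the `_kdc_check_flags` call, `&client->entry` is computed unconditionally, but in this TGS path `client` can be NULL — the guards `if(client && client->entry.max_life)` in tgs_make_reply (hunk @@ -1766) exist for exactly that case — and the old call passed the bare `client`, so the callee could see the NULL. Taking `&client->entry` on a null pointer is undefined behaviour and, since `entry` need not be the first member, in practice yields a non-null garbage pointer that the callee will dereference. If `_kdc_check_flags` (outside this hunk) still accepts a NULL client as the old prototype did, pass `client ? &client->entry : NULL, cpn,` instead; otherwise the function itself should take `hdb_entry_ex *` and perform the NULL test. The `krb5_principal_compare(…, server->entry.principal)` below is fine as long as `server` is never NULL here, which nothing in the hunk contradicts.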