oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Finish up transition from hdb_entry with hdb_entry_ex.

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16401 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2005-12-13 19:10:44 +00:00
parent 9d3b4783c9
commit 83c3fb4698
1 changed files with 84 additions and 77 deletions
Download Patch File Download Diff File Expand all files Collapse all files

161
kdc/kerberos5.c
View File

@@ -88,7 +88,7 @@ find_padata(KDC_REQ *req, int *start, int type)
*/
static krb5_error_code
find_etype(krb5_context context, hdb_entry *princ,
find_etype(krb5_context context, const hdb_entry_ex *princ,
krb5_enctype *etypes, unsigned len,
Key **ret_key, krb5_enctype *ret_etype)
{
@@ -101,7 +101,7 @@ find_etype(krb5_context context, hdb_entry *princ,
if (krb5_enctype_valid(context, etypes[i]) != 0)
continue;
while (hdb_next_enctype2key(context, princ, etypes[i], &key) == 0) {
while (hdb_next_enctype2key(context, &princ->entry, etypes[i], &key) == 0) {
if (key->key.keyvalue.length == 0) {
ret = KRB5KDC_ERR_NULL_KEY;
continue;
@@ -119,8 +119,8 @@ find_etype(krb5_context context, hdb_entry *princ,
static krb5_error_code
find_keys(krb5_context context,
krb5_kdc_configuration *config,
hdb_entry *client,
hdb_entry *server,
const hdb_entry_ex *client,
const hdb_entry_ex *server,
Key **ckey,
krb5_enctype *cetype,
Key **skey,
@@ -136,7 +136,7 @@ find_keys(krb5_context context,
/* find client key */
ret = find_etype(context, client, etypes, num_etypes, ckey, cetype);
if (ret) {
if (krb5_unparse_name(context, client->principal, &name) != 0)
if (krb5_unparse_name(context, client->entry.principal, &name) != 0)
name = unparse_name;
kdc_log(context, config, 0,
"Client (%s) has no support for etypes", name);
@@ -150,7 +150,7 @@ find_keys(krb5_context context,
/* find server key */
ret = find_etype(context, server, etypes, num_etypes, skey, setype);
if (ret) {
if (krb5_unparse_name(context, server->principal, &name) != 0)
if (krb5_unparse_name(context, server->entry.principal, &name) != 0)
name = unparse_name;
kdc_log(context, config, 0,
"Server (%s) has no support for etypes", name);
@@ -788,7 +788,7 @@ _kdc_as_rep(krb5_context context,
KDC_REQ_BODY *b = &req->req_body;
AS_REP rep;
KDCOptions f = b->kdc_options;
hdb_entry *client = NULL, *server = NULL;
hdb_entry_ex *client = NULL, *server = NULL;
krb5_enctype cetype, setype;
EncTicketPart et;
EncKDCRepPart ek;
@@ -851,8 +851,8 @@ _kdc_as_rep(krb5_context context,
}
ret = _kdc_check_flags(context, config,
client, client_name,
server, server_name,
&client->entry, client_name,
&server->entry, server_name,
TRUE);
if(ret)
goto out;
@@ -945,7 +945,8 @@ _kdc_as_rep(krb5_context context,
goto out;
}
ret = hdb_enctype2key(context, client, enc_data.etype, &pa_key);
ret = hdb_enctype2key(context, &client->entry,
enc_data.etype, &pa_key);
if(ret){
char *estr;
e_text = "No key matches pa-data";
@@ -995,7 +996,7 @@ _kdc_as_rep(krb5_context context,
krb5_get_err_text(context, ret));
free(str);
if(hdb_next_enctype2key(context, client,
if(hdb_next_enctype2key(context, &client->entry,
enc_data.etype, &pa_key) == 0)
goto try_next_key;
e_text = "Failed to decrypt PA-DATA";
@@ -1051,8 +1052,8 @@ _kdc_as_rep(krb5_context context,
goto out;
}
}else if (config->require_preauth
|| client->flags.require_preauth
|| server->flags.require_preauth) {
|| client->entry.flags.require_preauth
|| server->entry.flags.require_preauth) {
METHOD_DATA method_data;
PA_DATA *pa;
unsigned char *buf;
@@ -1087,11 +1088,12 @@ _kdc_as_rep(krb5_context context,
/* XXX check ret */
if (only_older_enctype_p(req))
ret = get_pa_etype_info(context, config, &method_data, client,
ret = get_pa_etype_info(context, config,
&method_data, &client->entry,
b->etype.val, b->etype.len);
/* XXX check ret */
ret = get_pa_etype_info2(context, config, &method_data, client,
b->etype.val, b->etype.len);
ret = get_pa_etype_info2(context, config, &method_data,
&client->entry, b->etype.val, b->etype.len);
ASN1_MALLOC_ENCODE(METHOD_DATA, buf, len, &method_data, &len, ret);
@@ -1183,19 +1185,19 @@ _kdc_as_rep(krb5_context context,
rep.pvno = 5;
rep.msg_type = krb_as_rep;
copy_Realm(&client->principal->realm, &rep.crealm);
copy_Realm(&client->entry.principal->realm, &rep.crealm);
if (f.request_anonymous)
make_anonymous_principalname (&rep.cname);
else
_krb5_principal2principalname(&rep.cname,
client->principal);
client->entry.principal);
rep.ticket.tkt_vno = 5;
copy_Realm(&server->principal->realm, &rep.ticket.realm);
copy_Realm(&server->entry.principal->realm, &rep.ticket.realm);
_krb5_principal2principalname(&rep.ticket.sname,
server->principal);
server->entry.principal);
et.flags.initial = 1;
if(client->flags.forwardable && server->flags.forwardable)
if(client->entry.flags.forwardable && server->entry.flags.forwardable)
et.flags.forwardable = f.forwardable;
else if (f.forwardable) {
ret = KRB5KDC_ERR_POLICY;
@@ -1203,7 +1205,7 @@ _kdc_as_rep(krb5_context context,
"Ticket may not be forwardable -- %s", client_name);
goto out;
}
if(client->flags.proxiable && server->flags.proxiable)
if(client->entry.flags.proxiable && server->entry.flags.proxiable)
et.flags.proxiable = f.proxiable;
else if (f.proxiable) {
ret = KRB5KDC_ERR_POLICY;
@@ -1211,7 +1213,7 @@ _kdc_as_rep(krb5_context context,
"Ticket may not be proxiable -- %s", client_name);
goto out;
}
if(client->flags.postdate && server->flags.postdate)
if(client->entry.flags.postdate && server->entry.flags.postdate)
et.flags.may_postdate = f.allow_postdate;
else if (f.allow_postdate){
ret = KRB5KDC_ERR_POLICY;
@@ -1249,10 +1251,10 @@ _kdc_as_rep(krb5_context context,
/* be careful not overflowing */
if(client->max_life)
t = start + min(t - start, *client->max_life);
if(server->max_life)
t = start + min(t - start, *server->max_life);
if(client->entry.max_life)
t = start + min(t - start, *client->entry.max_life);
if(server->entry.max_life)
t = start + min(t - start, *server->entry.max_life);
#if 0
t = min(t, start + realm->max_life);
#endif
@@ -1270,10 +1272,10 @@ _kdc_as_rep(krb5_context context,
t = *b->rtime;
if(t == 0)
t = MAX_TIME;
if(client->max_renew)
t = start + min(t - start, *client->max_renew);
if(server->max_renew)
t = start + min(t - start, *server->max_renew);
if(client->entry.max_renew)
t = start + min(t - start, *client->entry.max_renew);
if(server->entry.max_renew)
t = start + min(t - start, *server->entry.max_renew);
#if 0
t = min(t, start + realm->max_renew);
#endif
@@ -1307,16 +1309,16 @@ _kdc_as_rep(krb5_context context,
*/
ek.last_req.val = malloc(2 * sizeof(*ek.last_req.val));
ek.last_req.len = 0;
if (client->pw_end
if (client->entry.pw_end
&& (config->kdc_warn_pwexpire == 0
|| kdc_time + config->kdc_warn_pwexpire <= *client->pw_end)) {
|| kdc_time + config->kdc_warn_pwexpire <= *client->entry.pw_end)) {
ek.last_req.val[ek.last_req.len].lr_type = LR_PW_EXPTIME;
ek.last_req.val[ek.last_req.len].lr_value = *client->pw_end;
ek.last_req.val[ek.last_req.len].lr_value = *client->entry.pw_end;
++ek.last_req.len;
}
if (client->valid_end) {
if (client->entry.valid_end) {
ek.last_req.val[ek.last_req.len].lr_type = LR_ACCT_EXPTIME;
ek.last_req.val[ek.last_req.len].lr_value = *client->valid_end;
ek.last_req.val[ek.last_req.len].lr_value = *client->entry.valid_end;
++ek.last_req.len;
}
if (ek.last_req.len == 0) {
@@ -1325,15 +1327,16 @@ _kdc_as_rep(krb5_context context,
++ek.last_req.len;
}
ek.nonce = b->nonce;
if (client->valid_end || client->pw_end) {
if (client->entry.valid_end || client->entry.pw_end) {
ALLOC(ek.key_expiration);
if (client->valid_end) {
if (client->pw_end)
*ek.key_expiration = min(*client->valid_end, *client->pw_end);
if (client->entry.valid_end) {
if (client->entry.pw_end)
*ek.key_expiration = min(*client->entry.valid_end,
*client->entry.pw_end);
else
*ek.key_expiration = *client->valid_end;
*ek.key_expiration = *client->entry.valid_end;
} else
*ek.key_expiration = *client->pw_end;
*ek.key_expiration = *client->entry.pw_end;
} else
ek.key_expiration = NULL;
ek.flags = et.flags;
@@ -1380,8 +1383,8 @@ _kdc_as_rep(krb5_context context,
et.endtime, et.renew_till);
ret = encode_reply(context, config,
&rep, &et, &ek, setype, server->kvno, &skey->key,
client->kvno, reply_key, &e_text, reply);
&rep, &et, &ek, setype, server->entry.kvno, &skey->key,
client->entry.kvno, reply_key, &e_text, reply);
free_EncTicketPart(&et);
free_EncKDCRepPart(&ek);
out:
@@ -1660,10 +1663,10 @@ tgs_make_reply(krb5_context context,
EncTicketPart *tgt,
EncTicketPart *adtkt,
AuthorizationData *auth_data,
hdb_entry *server,
hdb_entry *client,
const hdb_entry_ex *server,
const hdb_entry_ex *client,
krb5_principal client_principal,
hdb_entry *krbtgt,
const hdb_entry_ex *krbtgt,
krb5_enctype cetype,
const char **e_text,
krb5_data *reply)
@@ -1744,14 +1747,14 @@ tgs_make_reply(krb5_context context,
GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
&tgt->transited, &et,
*krb5_princ_realm(context, client_principal),
*krb5_princ_realm(context, server->principal),
*krb5_princ_realm(context, krbtgt->principal));
*krb5_princ_realm(context, server->entry.principal),
*krb5_princ_realm(context, krbtgt->entry.principal));
if(ret)
goto out;
copy_Realm(krb5_princ_realm(context, server->principal),
copy_Realm(krb5_princ_realm(context, server->entry.principal),
&rep.ticket.realm);
_krb5_principal2principalname(&rep.ticket.sname, server->principal);
_krb5_principal2principalname(&rep.ticket.sname, server->entry.principal);
copy_Realm(&tgt->crealm, &rep.crealm);
if (f.request_anonymous)
make_anonymous_principalname (&tgt->cname);
@@ -1766,10 +1769,10 @@ tgs_make_reply(krb5_context context,
{
time_t life;
life = et.endtime - *et.starttime;
if(client && client->max_life)
life = min(life, *client->max_life);
if(server->max_life)
life = min(life, *server->max_life);
if(client && client->entry.max_life)
life = min(life, *client->entry.max_life);
if(server->entry.max_life)
life = min(life, *server->entry.max_life);
et.endtime = *et.starttime + life;
}
if(f.renewable_ok && tgt->flags.renewable &&
@@ -1781,10 +1784,10 @@ tgs_make_reply(krb5_context context,
if(et.renew_till){
time_t renew;
renew = *et.renew_till - et.authtime;
if(client && client->max_renew)
renew = min(renew, *client->max_renew);
if(server->max_renew)
renew = min(renew, *server->max_renew);
if(client && client->entry.max_renew)
renew = min(renew, *client->entry.max_renew);
if(server->entry.max_renew)
renew = min(renew, *server->entry.max_renew);
*et.renew_till = et.authtime + renew;
}
@@ -1809,7 +1812,7 @@ tgs_make_reply(krb5_context context,
et.flags.pre_authent = tgt->flags.pre_authent;
et.flags.hw_authent = tgt->flags.hw_authent;
et.flags.anonymous = tgt->flags.anonymous;
et.flags.ok_as_delegate = server->flags.ok_as_delegate;
et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
/* XXX Check enc-authorization-data */
et.authorization_data = auth_data;
@@ -1845,8 +1848,8 @@ tgs_make_reply(krb5_context context,
etype list, even if we don't want a session key with
DES3? */
ret = encode_reply(context, config,
&rep, &et, &ek, etype, adtkt ? 0 : server->kvno, ekey,
0, &tgt->key, e_text, reply);
&rep, &et, &ek, etype, adtkt ? 0 : server->entry.kvno,
ekey, 0, &tgt->key, e_text, reply);
out:
free_TGS_REP(&rep);
free_TransitedEncoding(&et.transited);
@@ -1996,7 +1999,7 @@ tgs_rep2(krb5_context context,
const char *e_text = NULL;
krb5_crypto crypto;
hdb_entry *krbtgt = NULL;
hdb_entry_ex *krbtgt = NULL;
EncTicketPart *tgt;
Key *tkey;
krb5_enctype cetype;
@@ -2044,7 +2047,7 @@ tgs_rep2(krb5_context context,
}
if(ap_req.ticket.enc_part.kvno &&
*ap_req.ticket.enc_part.kvno != krbtgt->kvno){
*ap_req.ticket.enc_part.kvno != krbtgt->entry.kvno){
char *p;
ret = krb5_unparse_name (context, princ, &p);
@@ -2054,7 +2057,7 @@ tgs_rep2(krb5_context context,
kdc_log(context, config, 0,
"Ticket kvno = %d, DB kvno = %d (%s)",
*ap_req.ticket.enc_part.kvno,
krbtgt->kvno,
krbtgt->entry.kvno,
p);
if (ret == 0)
free (p);
@@ -2062,7 +2065,8 @@ tgs_rep2(krb5_context context,
goto out2;
}
ret = hdb_enctype2key(context, krbtgt, ap_req.ticket.enc_part.etype, &tkey);
ret = hdb_enctype2key(context, &krbtgt->entry,
ap_req.ticket.enc_part.etype, &tkey);
if(ret){
char *str;
krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
@@ -2195,7 +2199,7 @@ tgs_rep2(krb5_context context,
PrincipalName *s;
Realm r;
char *spn = NULL, *cpn = NULL;
hdb_entry *server = NULL, *client = NULL;
hdb_entry_ex *server = NULL, *client = NULL;
int nloop = 0;
EncTicketPart adtkt;
char opt_str[128];
@@ -2204,7 +2208,7 @@ tgs_rep2(krb5_context context,
r = b->realm;
if(b->kdc_options.enc_tkt_in_skey){
Ticket *t;
hdb_entry *uu;
hdb_entry_ex *uu;
krb5_principal p;
Key *uukey;
@@ -2230,13 +2234,15 @@ tgs_rep2(krb5_context context,
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto out;
}
ret = hdb_enctype2key(context, uu, t->enc_part.etype, &uukey);
ret = hdb_enctype2key(context, &uu->entry,
t->enc_part.etype, &uukey);
if(ret){
_kdc_free_ent(context, uu);
ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
goto out;
}
ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0);
_kdc_free_ent(context, uu);
if(ret)
goto out;
s = &adtkt.cname;
@@ -2328,9 +2334,9 @@ tgs_rep2(krb5_context context,
#endif
if(strcmp(krb5_principal_get_realm(context, sp),
krb5_principal_get_comp_string(context, krbtgt->principal, 1)) != 0) {
krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1)) != 0) {
char *tpn;
ret = krb5_unparse_name(context, krbtgt->principal, &tpn);
ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
kdc_log(context, config, 0,
"Request with wrong krbtgt: %s",
(ret == 0) ? tpn : "<unknown>");
@@ -2342,16 +2348,16 @@ tgs_rep2(krb5_context context,
}
ret = _kdc_check_flags(context, config,
client, cpn,
server, spn,
&client->entry, cpn,
&server->entry, spn,
FALSE);
if(ret)
goto out;
if((b->kdc_options.validate || b->kdc_options.renew) &&
!krb5_principal_compare(context,
krbtgt->principal,
server->principal)){
krbtgt->entry.principal,
server->entry.principal)){
kdc_log(context, config, 0, "Inconsistent request.");
ret = KRB5KDC_ERR_SERVER_NOMATCH;
goto out;
@@ -2364,7 +2370,8 @@ tgs_rep2(krb5_context context,
goto out;
}
ret = tgs_make_reply(context, config,
ret = tgs_make_reply(context,
config,
b,
tgt,
b->kdc_options.enc_tkt_in_skey ? &adtkt : NULL,