Finish up transition from hdb_entry to hdb_entry_ex.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16401 ec53bebd-3082-4978-b11e-865c3cabbd6b
161
kdc/kerberos5.c
161
kdc/kerberos5.c
@@ -88,7 +88,7 @@ find_padata(KDC_REQ *req, int *start, int type)
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
static krb5_error_code
|
static krb5_error_code
|
||||||
find_etype(krb5_context context, hdb_entry *princ,
|
find_etype(krb5_context context, const hdb_entry_ex *princ,
|
||||||
krb5_enctype *etypes, unsigned len,
|
krb5_enctype *etypes, unsigned len,
|
||||||
Key **ret_key, krb5_enctype *ret_etype)
|
Key **ret_key, krb5_enctype *ret_etype)
|
||||||
{
|
{
|
||||||
@@ -101,7 +101,7 @@ find_etype(krb5_context context, hdb_entry *princ,
|
|||||||
if (krb5_enctype_valid(context, etypes[i]) != 0)
|
if (krb5_enctype_valid(context, etypes[i]) != 0)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
while (hdb_next_enctype2key(context, princ, etypes[i], &key) == 0) {
|
while (hdb_next_enctype2key(context, &princ->entry, etypes[i], &key) == 0) {
|
||||||
if (key->key.keyvalue.length == 0) {
|
if (key->key.keyvalue.length == 0) {
|
||||||
ret = KRB5KDC_ERR_NULL_KEY;
|
ret = KRB5KDC_ERR_NULL_KEY;
|
||||||
continue;
|
continue;
|
||||||
@@ -119,8 +119,8 @@ find_etype(krb5_context context, hdb_entry *princ,
|
|||||||
static krb5_error_code
|
static krb5_error_code
|
||||||
find_keys(krb5_context context,
|
find_keys(krb5_context context,
|
||||||
krb5_kdc_configuration *config,
|
krb5_kdc_configuration *config,
|
||||||
hdb_entry *client,
|
const hdb_entry_ex *client,
|
||||||
hdb_entry *server,
|
const hdb_entry_ex *server,
|
||||||
Key **ckey,
|
Key **ckey,
|
||||||
krb5_enctype *cetype,
|
krb5_enctype *cetype,
|
||||||
Key **skey,
|
Key **skey,
|
||||||
@@ -136,7 +136,7 @@ find_keys(krb5_context context,
|
|||||||
/* find client key */
|
/* find client key */
|
||||||
ret = find_etype(context, client, etypes, num_etypes, ckey, cetype);
|
ret = find_etype(context, client, etypes, num_etypes, ckey, cetype);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
if (krb5_unparse_name(context, client->principal, &name) != 0)
|
if (krb5_unparse_name(context, client->entry.principal, &name) != 0)
|
||||||
name = unparse_name;
|
name = unparse_name;
|
||||||
kdc_log(context, config, 0,
|
kdc_log(context, config, 0,
|
||||||
"Client (%s) has no support for etypes", name);
|
"Client (%s) has no support for etypes", name);
|
||||||
@@ -150,7 +150,7 @@ find_keys(krb5_context context,
|
|||||||
/* find server key */
|
/* find server key */
|
||||||
ret = find_etype(context, server, etypes, num_etypes, skey, setype);
|
ret = find_etype(context, server, etypes, num_etypes, skey, setype);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
if (krb5_unparse_name(context, server->principal, &name) != 0)
|
if (krb5_unparse_name(context, server->entry.principal, &name) != 0)
|
||||||
name = unparse_name;
|
name = unparse_name;
|
||||||
kdc_log(context, config, 0,
|
kdc_log(context, config, 0,
|
||||||
"Server (%s) has no support for etypes", name);
|
"Server (%s) has no support for etypes", name);
|
||||||
@@ -788,7 +788,7 @@ _kdc_as_rep(krb5_context context,
|
|||||||
KDC_REQ_BODY *b = &req->req_body;
|
KDC_REQ_BODY *b = &req->req_body;
|
||||||
AS_REP rep;
|
AS_REP rep;
|
||||||
KDCOptions f = b->kdc_options;
|
KDCOptions f = b->kdc_options;
|
||||||
hdb_entry *client = NULL, *server = NULL;
|
hdb_entry_ex *client = NULL, *server = NULL;
|
||||||
krb5_enctype cetype, setype;
|
krb5_enctype cetype, setype;
|
||||||
EncTicketPart et;
|
EncTicketPart et;
|
||||||
EncKDCRepPart ek;
|
EncKDCRepPart ek;
|
||||||
@@ -851,8 +851,8 @@ _kdc_as_rep(krb5_context context,
|
|||||||
}
|
}
|
||||||
|
|
||||||
ret = _kdc_check_flags(context, config,
|
ret = _kdc_check_flags(context, config,
|
||||||
client, client_name,
|
&client->entry, client_name,
|
||||||
server, server_name,
|
&server->entry, server_name,
|
||||||
TRUE);
|
TRUE);
|
||||||
if(ret)
|
if(ret)
|
||||||
goto out;
|
goto out;
|
||||||
@@ -945,7 +945,8 @@ _kdc_as_rep(krb5_context context,
|
|||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = hdb_enctype2key(context, client, enc_data.etype, &pa_key);
|
ret = hdb_enctype2key(context, &client->entry,
|
||||||
|
enc_data.etype, &pa_key);
|
||||||
if(ret){
|
if(ret){
|
||||||
char *estr;
|
char *estr;
|
||||||
e_text = "No key matches pa-data";
|
e_text = "No key matches pa-data";
|
||||||
@@ -995,7 +996,7 @@ _kdc_as_rep(krb5_context context,
|
|||||||
krb5_get_err_text(context, ret));
|
krb5_get_err_text(context, ret));
|
||||||
free(str);
|
free(str);
|
||||||
|
|
||||||
if(hdb_next_enctype2key(context, client,
|
if(hdb_next_enctype2key(context, &client->entry,
|
||||||
enc_data.etype, &pa_key) == 0)
|
enc_data.etype, &pa_key) == 0)
|
||||||
goto try_next_key;
|
goto try_next_key;
|
||||||
e_text = "Failed to decrypt PA-DATA";
|
e_text = "Failed to decrypt PA-DATA";
|
||||||
@@ -1051,8 +1052,8 @@ _kdc_as_rep(krb5_context context,
|
|||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
}else if (config->require_preauth
|
}else if (config->require_preauth
|
||||||
|| client->flags.require_preauth
|
|| client->entry.flags.require_preauth
|
||||||
|| server->flags.require_preauth) {
|
|| server->entry.flags.require_preauth) {
|
||||||
METHOD_DATA method_data;
|
METHOD_DATA method_data;
|
||||||
PA_DATA *pa;
|
PA_DATA *pa;
|
||||||
unsigned char *buf;
|
unsigned char *buf;
|
||||||
@@ -1087,11 +1088,12 @@ _kdc_as_rep(krb5_context context,
|
|||||||
|
|
||||||
/* XXX check ret */
|
/* XXX check ret */
|
||||||
if (only_older_enctype_p(req))
|
if (only_older_enctype_p(req))
|
||||||
ret = get_pa_etype_info(context, config, &method_data, client,
|
ret = get_pa_etype_info(context, config,
|
||||||
|
&method_data, &client->entry,
|
||||||
b->etype.val, b->etype.len);
|
b->etype.val, b->etype.len);
|
||||||
/* XXX check ret */
|
/* XXX check ret */
|
||||||
ret = get_pa_etype_info2(context, config, &method_data, client,
|
ret = get_pa_etype_info2(context, config, &method_data,
|
||||||
b->etype.val, b->etype.len);
|
&client->entry, b->etype.val, b->etype.len);
|
||||||
|
|
||||||
|
|
||||||
ASN1_MALLOC_ENCODE(METHOD_DATA, buf, len, &method_data, &len, ret);
|
ASN1_MALLOC_ENCODE(METHOD_DATA, buf, len, &method_data, &len, ret);
|
||||||
@@ -1183,19 +1185,19 @@ _kdc_as_rep(krb5_context context,
|
|||||||
|
|
||||||
rep.pvno = 5;
|
rep.pvno = 5;
|
||||||
rep.msg_type = krb_as_rep;
|
rep.msg_type = krb_as_rep;
|
||||||
copy_Realm(&client->principal->realm, &rep.crealm);
|
copy_Realm(&client->entry.principal->realm, &rep.crealm);
|
||||||
if (f.request_anonymous)
|
if (f.request_anonymous)
|
||||||
make_anonymous_principalname (&rep.cname);
|
make_anonymous_principalname (&rep.cname);
|
||||||
else
|
else
|
||||||
_krb5_principal2principalname(&rep.cname,
|
_krb5_principal2principalname(&rep.cname,
|
||||||
client->principal);
|
client->entry.principal);
|
||||||
rep.ticket.tkt_vno = 5;
|
rep.ticket.tkt_vno = 5;
|
||||||
copy_Realm(&server->principal->realm, &rep.ticket.realm);
|
copy_Realm(&server->entry.principal->realm, &rep.ticket.realm);
|
||||||
_krb5_principal2principalname(&rep.ticket.sname,
|
_krb5_principal2principalname(&rep.ticket.sname,
|
||||||
server->principal);
|
server->entry.principal);
|
||||||
|
|
||||||
et.flags.initial = 1;
|
et.flags.initial = 1;
|
||||||
if(client->flags.forwardable && server->flags.forwardable)
|
if(client->entry.flags.forwardable && server->entry.flags.forwardable)
|
||||||
et.flags.forwardable = f.forwardable;
|
et.flags.forwardable = f.forwardable;
|
||||||
else if (f.forwardable) {
|
else if (f.forwardable) {
|
||||||
ret = KRB5KDC_ERR_POLICY;
|
ret = KRB5KDC_ERR_POLICY;
|
||||||
@@ -1203,7 +1205,7 @@ _kdc_as_rep(krb5_context context,
|
|||||||
"Ticket may not be forwardable -- %s", client_name);
|
"Ticket may not be forwardable -- %s", client_name);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
if(client->flags.proxiable && server->flags.proxiable)
|
if(client->entry.flags.proxiable && server->entry.flags.proxiable)
|
||||||
et.flags.proxiable = f.proxiable;
|
et.flags.proxiable = f.proxiable;
|
||||||
else if (f.proxiable) {
|
else if (f.proxiable) {
|
||||||
ret = KRB5KDC_ERR_POLICY;
|
ret = KRB5KDC_ERR_POLICY;
|
||||||
@@ -1211,7 +1213,7 @@ _kdc_as_rep(krb5_context context,
|
|||||||
"Ticket may not be proxiable -- %s", client_name);
|
"Ticket may not be proxiable -- %s", client_name);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
if(client->flags.postdate && server->flags.postdate)
|
if(client->entry.flags.postdate && server->entry.flags.postdate)
|
||||||
et.flags.may_postdate = f.allow_postdate;
|
et.flags.may_postdate = f.allow_postdate;
|
||||||
else if (f.allow_postdate){
|
else if (f.allow_postdate){
|
||||||
ret = KRB5KDC_ERR_POLICY;
|
ret = KRB5KDC_ERR_POLICY;
|
||||||
@@ -1249,10 +1251,10 @@ _kdc_as_rep(krb5_context context,
|
|||||||
|
|
||||||
/* be careful not overflowing */
|
/* be careful not overflowing */
|
||||||
|
|
||||||
if(client->max_life)
|
if(client->entry.max_life)
|
||||||
t = start + min(t - start, *client->max_life);
|
t = start + min(t - start, *client->entry.max_life);
|
||||||
if(server->max_life)
|
if(server->entry.max_life)
|
||||||
t = start + min(t - start, *server->max_life);
|
t = start + min(t - start, *server->entry.max_life);
|
||||||
#if 0
|
#if 0
|
||||||
t = min(t, start + realm->max_life);
|
t = min(t, start + realm->max_life);
|
||||||
#endif
|
#endif
|
||||||
@@ -1270,10 +1272,10 @@ _kdc_as_rep(krb5_context context,
|
|||||||
t = *b->rtime;
|
t = *b->rtime;
|
||||||
if(t == 0)
|
if(t == 0)
|
||||||
t = MAX_TIME;
|
t = MAX_TIME;
|
||||||
if(client->max_renew)
|
if(client->entry.max_renew)
|
||||||
t = start + min(t - start, *client->max_renew);
|
t = start + min(t - start, *client->entry.max_renew);
|
||||||
if(server->max_renew)
|
if(server->entry.max_renew)
|
||||||
t = start + min(t - start, *server->max_renew);
|
t = start + min(t - start, *server->entry.max_renew);
|
||||||
#if 0
|
#if 0
|
||||||
t = min(t, start + realm->max_renew);
|
t = min(t, start + realm->max_renew);
|
||||||
#endif
|
#endif
|
||||||
@@ -1307,16 +1309,16 @@ _kdc_as_rep(krb5_context context,
|
|||||||
*/
|
*/
|
||||||
ek.last_req.val = malloc(2 * sizeof(*ek.last_req.val));
|
ek.last_req.val = malloc(2 * sizeof(*ek.last_req.val));
|
||||||
ek.last_req.len = 0;
|
ek.last_req.len = 0;
|
||||||
if (client->pw_end
|
if (client->entry.pw_end
|
||||||
&& (config->kdc_warn_pwexpire == 0
|
&& (config->kdc_warn_pwexpire == 0
|
||||||
|| kdc_time + config->kdc_warn_pwexpire <= *client->pw_end)) {
|
|| kdc_time + config->kdc_warn_pwexpire <= *client->entry.pw_end)) {
|
||||||
ek.last_req.val[ek.last_req.len].lr_type = LR_PW_EXPTIME;
|
ek.last_req.val[ek.last_req.len].lr_type = LR_PW_EXPTIME;
|
||||||
ek.last_req.val[ek.last_req.len].lr_value = *client->pw_end;
|
ek.last_req.val[ek.last_req.len].lr_value = *client->entry.pw_end;
|
||||||
++ek.last_req.len;
|
++ek.last_req.len;
|
||||||
}
|
}
|
||||||
if (client->valid_end) {
|
if (client->entry.valid_end) {
|
||||||
ek.last_req.val[ek.last_req.len].lr_type = LR_ACCT_EXPTIME;
|
ek.last_req.val[ek.last_req.len].lr_type = LR_ACCT_EXPTIME;
|
||||||
ek.last_req.val[ek.last_req.len].lr_value = *client->valid_end;
|
ek.last_req.val[ek.last_req.len].lr_value = *client->entry.valid_end;
|
||||||
++ek.last_req.len;
|
++ek.last_req.len;
|
||||||
}
|
}
|
||||||
if (ek.last_req.len == 0) {
|
if (ek.last_req.len == 0) {
|
||||||
@@ -1325,15 +1327,16 @@ _kdc_as_rep(krb5_context context,
|
|||||||
++ek.last_req.len;
|
++ek.last_req.len;
|
||||||
}
|
}
|
||||||
ek.nonce = b->nonce;
|
ek.nonce = b->nonce;
|
||||||
if (client->valid_end || client->pw_end) {
|
if (client->entry.valid_end || client->entry.pw_end) {
|
||||||
ALLOC(ek.key_expiration);
|
ALLOC(ek.key_expiration);
|
||||||
if (client->valid_end) {
|
if (client->entry.valid_end) {
|
||||||
if (client->pw_end)
|
if (client->entry.pw_end)
|
||||||
*ek.key_expiration = min(*client->valid_end, *client->pw_end);
|
*ek.key_expiration = min(*client->entry.valid_end,
|
||||||
|
*client->entry.pw_end);
|
||||||
else
|
else
|
||||||
*ek.key_expiration = *client->valid_end;
|
*ek.key_expiration = *client->entry.valid_end;
|
||||||
} else
|
} else
|
||||||
*ek.key_expiration = *client->pw_end;
|
*ek.key_expiration = *client->entry.pw_end;
|
||||||
} else
|
} else
|
||||||
ek.key_expiration = NULL;
|
ek.key_expiration = NULL;
|
||||||
ek.flags = et.flags;
|
ek.flags = et.flags;
|
||||||
@@ -1380,8 +1383,8 @@ _kdc_as_rep(krb5_context context,
|
|||||||
et.endtime, et.renew_till);
|
et.endtime, et.renew_till);
|
||||||
|
|
||||||
ret = encode_reply(context, config,
|
ret = encode_reply(context, config,
|
||||||
&rep, &et, &ek, setype, server->kvno, &skey->key,
|
&rep, &et, &ek, setype, server->entry.kvno, &skey->key,
|
||||||
client->kvno, reply_key, &e_text, reply);
|
client->entry.kvno, reply_key, &e_text, reply);
|
||||||
free_EncTicketPart(&et);
|
free_EncTicketPart(&et);
|
||||||
free_EncKDCRepPart(&ek);
|
free_EncKDCRepPart(&ek);
|
||||||
out:
|
out:
|
||||||
@@ -1660,10 +1663,10 @@ tgs_make_reply(krb5_context context,
|
|||||||
EncTicketPart *tgt,
|
EncTicketPart *tgt,
|
||||||
EncTicketPart *adtkt,
|
EncTicketPart *adtkt,
|
||||||
AuthorizationData *auth_data,
|
AuthorizationData *auth_data,
|
||||||
hdb_entry *server,
|
const hdb_entry_ex *server,
|
||||||
hdb_entry *client,
|
const hdb_entry_ex *client,
|
||||||
krb5_principal client_principal,
|
krb5_principal client_principal,
|
||||||
hdb_entry *krbtgt,
|
const hdb_entry_ex *krbtgt,
|
||||||
krb5_enctype cetype,
|
krb5_enctype cetype,
|
||||||
const char **e_text,
|
const char **e_text,
|
||||||
krb5_data *reply)
|
krb5_data *reply)
|
||||||
@@ -1744,14 +1747,14 @@ tgs_make_reply(krb5_context context,
|
|||||||
GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
|
GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
|
||||||
&tgt->transited, &et,
|
&tgt->transited, &et,
|
||||||
*krb5_princ_realm(context, client_principal),
|
*krb5_princ_realm(context, client_principal),
|
||||||
*krb5_princ_realm(context, server->principal),
|
*krb5_princ_realm(context, server->entry.principal),
|
||||||
*krb5_princ_realm(context, krbtgt->principal));
|
*krb5_princ_realm(context, krbtgt->entry.principal));
|
||||||
if(ret)
|
if(ret)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
copy_Realm(krb5_princ_realm(context, server->principal),
|
copy_Realm(krb5_princ_realm(context, server->entry.principal),
|
||||||
&rep.ticket.realm);
|
&rep.ticket.realm);
|
||||||
_krb5_principal2principalname(&rep.ticket.sname, server->principal);
|
_krb5_principal2principalname(&rep.ticket.sname, server->entry.principal);
|
||||||
copy_Realm(&tgt->crealm, &rep.crealm);
|
copy_Realm(&tgt->crealm, &rep.crealm);
|
||||||
if (f.request_anonymous)
|
if (f.request_anonymous)
|
||||||
make_anonymous_principalname (&tgt->cname);
|
make_anonymous_principalname (&tgt->cname);
|
||||||
@@ -1766,10 +1769,10 @@ tgs_make_reply(krb5_context context,
|
|||||||
{
|
{
|
||||||
time_t life;
|
time_t life;
|
||||||
life = et.endtime - *et.starttime;
|
life = et.endtime - *et.starttime;
|
||||||
if(client && client->max_life)
|
if(client && client->entry.max_life)
|
||||||
life = min(life, *client->max_life);
|
life = min(life, *client->entry.max_life);
|
||||||
if(server->max_life)
|
if(server->entry.max_life)
|
||||||
life = min(life, *server->max_life);
|
life = min(life, *server->entry.max_life);
|
||||||
et.endtime = *et.starttime + life;
|
et.endtime = *et.starttime + life;
|
||||||
}
|
}
|
||||||
if(f.renewable_ok && tgt->flags.renewable &&
|
if(f.renewable_ok && tgt->flags.renewable &&
|
||||||
@@ -1781,10 +1784,10 @@ tgs_make_reply(krb5_context context,
|
|||||||
if(et.renew_till){
|
if(et.renew_till){
|
||||||
time_t renew;
|
time_t renew;
|
||||||
renew = *et.renew_till - et.authtime;
|
renew = *et.renew_till - et.authtime;
|
||||||
if(client && client->max_renew)
|
if(client && client->entry.max_renew)
|
||||||
renew = min(renew, *client->max_renew);
|
renew = min(renew, *client->entry.max_renew);
|
||||||
if(server->max_renew)
|
if(server->entry.max_renew)
|
||||||
renew = min(renew, *server->max_renew);
|
renew = min(renew, *server->entry.max_renew);
|
||||||
*et.renew_till = et.authtime + renew;
|
*et.renew_till = et.authtime + renew;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1809,7 +1812,7 @@ tgs_make_reply(krb5_context context,
|
|||||||
et.flags.pre_authent = tgt->flags.pre_authent;
|
et.flags.pre_authent = tgt->flags.pre_authent;
|
||||||
et.flags.hw_authent = tgt->flags.hw_authent;
|
et.flags.hw_authent = tgt->flags.hw_authent;
|
||||||
et.flags.anonymous = tgt->flags.anonymous;
|
et.flags.anonymous = tgt->flags.anonymous;
|
||||||
et.flags.ok_as_delegate = server->flags.ok_as_delegate;
|
et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
|
||||||
|
|
||||||
/* XXX Check enc-authorization-data */
|
/* XXX Check enc-authorization-data */
|
||||||
et.authorization_data = auth_data;
|
et.authorization_data = auth_data;
|
||||||
@@ -1845,8 +1848,8 @@ tgs_make_reply(krb5_context context,
|
|||||||
etype list, even if we don't want a session key with
|
etype list, even if we don't want a session key with
|
||||||
DES3? */
|
DES3? */
|
||||||
ret = encode_reply(context, config,
|
ret = encode_reply(context, config,
|
||||||
&rep, &et, &ek, etype, adtkt ? 0 : server->kvno, ekey,
|
&rep, &et, &ek, etype, adtkt ? 0 : server->entry.kvno,
|
||||||
0, &tgt->key, e_text, reply);
|
ekey, 0, &tgt->key, e_text, reply);
|
||||||
out:
|
out:
|
||||||
free_TGS_REP(&rep);
|
free_TGS_REP(&rep);
|
||||||
free_TransitedEncoding(&et.transited);
|
free_TransitedEncoding(&et.transited);
|
||||||
@@ -1996,7 +1999,7 @@ tgs_rep2(krb5_context context,
|
|||||||
const char *e_text = NULL;
|
const char *e_text = NULL;
|
||||||
krb5_crypto crypto;
|
krb5_crypto crypto;
|
||||||
|
|
||||||
hdb_entry *krbtgt = NULL;
|
hdb_entry_ex *krbtgt = NULL;
|
||||||
EncTicketPart *tgt;
|
EncTicketPart *tgt;
|
||||||
Key *tkey;
|
Key *tkey;
|
||||||
krb5_enctype cetype;
|
krb5_enctype cetype;
|
||||||
@@ -2044,7 +2047,7 @@ tgs_rep2(krb5_context context,
|
|||||||
}
|
}
|
||||||
|
|
||||||
if(ap_req.ticket.enc_part.kvno &&
|
if(ap_req.ticket.enc_part.kvno &&
|
||||||
*ap_req.ticket.enc_part.kvno != krbtgt->kvno){
|
*ap_req.ticket.enc_part.kvno != krbtgt->entry.kvno){
|
||||||
char *p;
|
char *p;
|
||||||
|
|
||||||
ret = krb5_unparse_name (context, princ, &p);
|
ret = krb5_unparse_name (context, princ, &p);
|
||||||
@@ -2054,7 +2057,7 @@ tgs_rep2(krb5_context context,
|
|||||||
kdc_log(context, config, 0,
|
kdc_log(context, config, 0,
|
||||||
"Ticket kvno = %d, DB kvno = %d (%s)",
|
"Ticket kvno = %d, DB kvno = %d (%s)",
|
||||||
*ap_req.ticket.enc_part.kvno,
|
*ap_req.ticket.enc_part.kvno,
|
||||||
krbtgt->kvno,
|
krbtgt->entry.kvno,
|
||||||
p);
|
p);
|
||||||
if (ret == 0)
|
if (ret == 0)
|
||||||
free (p);
|
free (p);
|
||||||
@@ -2062,7 +2065,8 @@ tgs_rep2(krb5_context context,
|
|||||||
goto out2;
|
goto out2;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = hdb_enctype2key(context, krbtgt, ap_req.ticket.enc_part.etype, &tkey);
|
ret = hdb_enctype2key(context, &krbtgt->entry,
|
||||||
|
ap_req.ticket.enc_part.etype, &tkey);
|
||||||
if(ret){
|
if(ret){
|
||||||
char *str;
|
char *str;
|
||||||
krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
|
krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
|
||||||
@@ -2195,7 +2199,7 @@ tgs_rep2(krb5_context context,
|
|||||||
PrincipalName *s;
|
PrincipalName *s;
|
||||||
Realm r;
|
Realm r;
|
||||||
char *spn = NULL, *cpn = NULL;
|
char *spn = NULL, *cpn = NULL;
|
||||||
hdb_entry *server = NULL, *client = NULL;
|
hdb_entry_ex *server = NULL, *client = NULL;
|
||||||
int nloop = 0;
|
int nloop = 0;
|
||||||
EncTicketPart adtkt;
|
EncTicketPart adtkt;
|
||||||
char opt_str[128];
|
char opt_str[128];
|
||||||
@@ -2204,7 +2208,7 @@ tgs_rep2(krb5_context context,
|
|||||||
r = b->realm;
|
r = b->realm;
|
||||||
if(b->kdc_options.enc_tkt_in_skey){
|
if(b->kdc_options.enc_tkt_in_skey){
|
||||||
Ticket *t;
|
Ticket *t;
|
||||||
hdb_entry *uu;
|
hdb_entry_ex *uu;
|
||||||
krb5_principal p;
|
krb5_principal p;
|
||||||
Key *uukey;
|
Key *uukey;
|
||||||
|
|
||||||
@@ -2230,13 +2234,15 @@ tgs_rep2(krb5_context context,
|
|||||||
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
|
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
ret = hdb_enctype2key(context, uu, t->enc_part.etype, &uukey);
|
ret = hdb_enctype2key(context, &uu->entry,
|
||||||
|
t->enc_part.etype, &uukey);
|
||||||
if(ret){
|
if(ret){
|
||||||
|
_kdc_free_ent(context, uu);
|
||||||
ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
|
ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0);
|
ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0);
|
||||||
|
_kdc_free_ent(context, uu);
|
||||||
if(ret)
|
if(ret)
|
||||||
goto out;
|
goto out;
|
||||||
s = &adtkt.cname;
|
s = &adtkt.cname;
|
||||||
@@ -2328,9 +2334,9 @@ tgs_rep2(krb5_context context,
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
if(strcmp(krb5_principal_get_realm(context, sp),
|
if(strcmp(krb5_principal_get_realm(context, sp),
|
||||||
krb5_principal_get_comp_string(context, krbtgt->principal, 1)) != 0) {
|
krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1)) != 0) {
|
||||||
char *tpn;
|
char *tpn;
|
||||||
ret = krb5_unparse_name(context, krbtgt->principal, &tpn);
|
ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
|
||||||
kdc_log(context, config, 0,
|
kdc_log(context, config, 0,
|
||||||
"Request with wrong krbtgt: %s",
|
"Request with wrong krbtgt: %s",
|
||||||
(ret == 0) ? tpn : "<unknown>");
|
(ret == 0) ? tpn : "<unknown>");
|
||||||
@@ -2342,16 +2348,16 @@ tgs_rep2(krb5_context context,
|
|||||||
}
|
}
|
||||||
|
|
||||||
ret = _kdc_check_flags(context, config,
|
ret = _kdc_check_flags(context, config,
|
||||||
client, cpn,
|
&client->entry, cpn,
|
||||||
server, spn,
|
&server->entry, spn,
|
||||||
FALSE);
|
FALSE);
|
||||||
if(ret)
|
if(ret)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
if((b->kdc_options.validate || b->kdc_options.renew) &&
|
if((b->kdc_options.validate || b->kdc_options.renew) &&
|
||||||
!krb5_principal_compare(context,
|
!krb5_principal_compare(context,
|
||||||
krbtgt->principal,
|
krbtgt->entry.principal,
|
||||||
server->principal)){
|
server->entry.principal)){
|
||||||
kdc_log(context, config, 0, "Inconsistent request.");
|
kdc_log(context, config, 0, "Inconsistent request.");
|
||||||
ret = KRB5KDC_ERR_SERVER_NOMATCH;
|
ret = KRB5KDC_ERR_SERVER_NOMATCH;
|
||||||
goto out;
|
goto out;
|
||||||
@@ -2364,7 +2370,8 @@ tgs_rep2(krb5_context context,
|
|||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = tgs_make_reply(context, config,
|
ret = tgs_make_reply(context,
|
||||||
|
config,
|
||||||
b,
|
b,
|
||||||
tgt,
|
tgt,
|
||||||
b->kdc_options.enc_tkt_in_skey ? &adtkt : NULL,
|
b->kdc_options.enc_tkt_in_skey ? &adtkt : NULL,
|
||||||
|
|||||||
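Review bot: In the `@@ -2342,16 +2348,16 @@ tgs_rep2` hunk, `_kdc_check_flags` is now called with `&client->entry` unconditionally, but `client` can be NULL on the TGS path — `tgs_make_reply` in this same diff guards with `if(client && client->entry.max_life)` and `if(client && client->entry.max_renew)`, and the old call passed the raw `client` pointer, which suggests the callee tolerated NULL. Taking `&client->entry` of a NULL pointer is undefined behavior, and if `entry` is not the first member of `hdb_entry_ex` it yields a non-NULL garbage pointer that the callee's flag checks would dereference, so a TGS request whose client cannot be fetched from the database (presumably a foreign-realm principal) would crash the KDC rather than be handled. Change the argument to `client ? &client->entry : NULL, cpn,` and keep `_kdc_check_flags` treating a NULL client as "skip client checks". The client lookup and the rest of `tgs_rep2` are outside this hunk, so the NULL case is inferred from the visible guards rather than seen directly.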