Split tgs_rep2 into tgs_parse_request and tgs_build_reply.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17600 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2006-06-01 13:17:42 +00:00
parent b0a3fd3a9c
commit cb7d1402f1


@@ -283,7 +283,6 @@ tgs_make_reply(krb5_context context,
hdb_entry_ex *client, hdb_entry_ex *client,
krb5_principal client_principal, krb5_principal client_principal,
hdb_entry_ex *krbtgt, hdb_entry_ex *krbtgt,
krb5_enctype cetype,
const char **e_text, const char **e_text,
krb5_data *reply) krb5_data *reply)
{ {
@@ -595,34 +594,29 @@ need_referral(krb5_context context, krb5_principal server, krb5_realm **realms)
} }
static krb5_error_code static krb5_error_code
tgs_rep2(krb5_context context, tgs_parse_request(krb5_context context,
krb5_kdc_configuration *config, krb5_kdc_configuration *config,
KDC_REQ_BODY *b, KDC_REQ_BODY *b,
PA_DATA *tgs_req, PA_DATA *tgs_req,
krb5_data *reply, hdb_entry_ex **krbtgt,
krb5_ticket **ticket,
const char **e_text,
const char *from, const char *from,
const struct sockaddr *from_addr, const struct sockaddr *from_addr,
time_t **csec, time_t **csec,
int **cusec) int **cusec,
AuthorizationData **auth_data)
{ {
krb5_ap_req ap_req; krb5_ap_req ap_req;
krb5_error_code ret; krb5_error_code ret;
krb5_principal princ; krb5_principal princ;
krb5_auth_context ac = NULL; krb5_auth_context ac = NULL;
krb5_ticket *ticket = NULL;
krb5_flags ap_req_options; krb5_flags ap_req_options;
krb5_flags verify_ap_req_flags; krb5_flags verify_ap_req_flags;
const char *e_text = NULL;
krb5_crypto crypto; krb5_crypto crypto;
hdb_entry_ex *krbtgt = NULL;
EncTicketPart *tgt;
Key *tkey; Key *tkey;
krb5_enctype cetype;
krb5_principal cp = NULL;
krb5_principal sp = NULL;
AuthorizationData *auth_data = NULL;
*auth_data = NULL;
*csec = NULL; *csec = NULL;
*cusec = NULL; *cusec = NULL;
@@ -645,7 +639,7 @@ tgs_rep2(krb5_context context,
ap_req.ticket.sname, ap_req.ticket.sname,
ap_req.ticket.realm); ap_req.ticket.realm);
ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, &krbtgt); ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, krbtgt);
if(ret) { if(ret) {
char *p; char *p;
@@ -663,7 +657,7 @@ tgs_rep2(krb5_context context,
} }
if(ap_req.ticket.enc_part.kvno && if(ap_req.ticket.enc_part.kvno &&
*ap_req.ticket.enc_part.kvno != krbtgt->entry.kvno){ *ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
char *p; char *p;
ret = krb5_unparse_name (context, princ, &p); ret = krb5_unparse_name (context, princ, &p);
@@ -673,7 +667,7 @@ tgs_rep2(krb5_context context,
kdc_log(context, config, 0, kdc_log(context, config, 0,
"Ticket kvno = %d, DB kvno = %d (%s)", "Ticket kvno = %d, DB kvno = %d (%s)",
*ap_req.ticket.enc_part.kvno, *ap_req.ticket.enc_part.kvno,
krbtgt->entry.kvno, (*krbtgt)->entry.kvno,
p); p);
if (ret == 0) if (ret == 0)
free (p); free (p);
@@ -681,7 +675,7 @@ tgs_rep2(krb5_context context,
goto out2; goto out2;
} }
ret = hdb_enctype2key(context, &krbtgt->entry, ret = hdb_enctype2key(context, &(*krbtgt)->entry,
ap_req.ticket.enc_part.etype, &tkey); ap_req.ticket.enc_part.etype, &tkey);
if(ret){ if(ret){
char *str, *p; char *str, *p;
@@ -707,7 +701,7 @@ tgs_rep2(krb5_context context,
&tkey->key, &tkey->key,
verify_ap_req_flags, verify_ap_req_flags,
&ap_req_options, &ap_req_options,
&ticket, ticket,
KRB5_KU_TGS_REQ_AUTH); KRB5_KU_TGS_REQ_AUTH);
krb5_free_principal(context, princ); krb5_free_principal(context, princ);
@@ -740,12 +734,8 @@ tgs_rep2(krb5_context context,
} }
} }
cetype = ap_req.authenticator.etype;
tgt = &ticket->ticket;
ret = tgs_check_authenticator(context, config, ret = tgs_check_authenticator(context, config,
ac, b, &e_text, &tgt->key); ac, b, e_text, &(*ticket)->ticket.key);
if (ret) { if (ret) {
krb5_auth_con_free(context, ac); krb5_auth_con_free(context, ac);
goto out2; goto out2;
@@ -800,17 +790,17 @@ tgs_rep2(krb5_context context,
goto out2; goto out2;
} }
krb5_free_keyblock(context, subkey); krb5_free_keyblock(context, subkey);
ALLOC(auth_data); ALLOC(*auth_data);
if (auth_data == NULL) { if (*auth_data == NULL) {
krb5_auth_con_free(context, ac); krb5_auth_con_free(context, ac);
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
goto out2; goto out2;
} }
ret = decode_AuthorizationData(ad.data, ad.length, auth_data, NULL); ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
if(ret){ if(ret){
krb5_auth_con_free(context, ac); krb5_auth_con_free(context, ac);
free(auth_data); free(*auth_data);
auth_data = NULL; *auth_data = NULL;
kdc_log(context, config, 0, "Failed to decode authorization data"); kdc_log(context, config, 0, "Failed to decode authorization data");
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
goto out2; goto out2;
@@ -819,17 +809,40 @@ tgs_rep2(krb5_context context,
krb5_auth_con_free(context, ac); krb5_auth_con_free(context, ac);
{ out2:
PrincipalName *s; free_AP_REQ(&ap_req);
Realm r;
return ret;
}
static krb5_error_code
tgs_build_reply(krb5_context context,
krb5_kdc_configuration *config,
KDC_REQ_BODY *b,
hdb_entry_ex *krbtgt,
krb5_ticket *ticket,
krb5_data *reply,
const char *from,
const char **e_text,
AuthorizationData *auth_data,
const struct sockaddr *from_addr)
{
krb5_error_code ret;
krb5_principal cp = NULL;
krb5_principal sp = NULL;
char *spn = NULL, *cpn = NULL; char *spn = NULL, *cpn = NULL;
hdb_entry_ex *server = NULL, *client = NULL; hdb_entry_ex *server = NULL, *client = NULL;
EncTicketPart *tgt = &ticket->ticket;
PrincipalName *s;
Realm r;
int nloop = 0; int nloop = 0;
EncTicketPart adtkt; EncTicketPart adtkt;
char opt_str[128]; char opt_str[128];
s = b->sname; s = b->sname;
r = b->realm; r = b->realm;
if(b->kdc_options.enc_tkt_in_skey){ if(b->kdc_options.enc_tkt_in_skey){
Ticket *t; Ticket *t;
hdb_entry_ex *uu; hdb_entry_ex *uu;
@@ -892,7 +905,7 @@ tgs_rep2(krb5_context context,
else else
kdc_log(context, config, 0, kdc_log(context, config, 0,
"TGS-REQ %s from %s for %s", cpn, from, spn); "TGS-REQ %s from %s for %s", cpn, from, spn);
server_lookup: server_lookup:
ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER, &server); ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER, &server);
if(ret){ if(ret){
@@ -1011,11 +1024,11 @@ tgs_rep2(krb5_context context,
client, client,
cp, cp,
krbtgt, krbtgt,
cetype, e_text,
&e_text,
reply); reply);
out: out2:
out:
free(spn); free(spn);
free(cpn); free(cpn);
@@ -1023,36 +1036,15 @@ tgs_rep2(krb5_context context,
_kdc_free_ent(context, server); _kdc_free_ent(context, server);
if(client) if(client)
_kdc_free_ent(context, client); _kdc_free_ent(context, client);
}
out2:
if(ret) {
krb5_mk_error(context,
ret,
e_text,
NULL,
cp,
sp,
NULL,
NULL,
reply);
free(*csec);
free(*cusec);
*csec = NULL;
*cusec = NULL;
}
krb5_free_principal(context, cp); krb5_free_principal(context, cp);
krb5_free_principal(context, sp); krb5_free_principal(context, sp);
if (ticket)
krb5_free_ticket(context, ticket);
free_AP_REQ(&ap_req);
if(auth_data){ if(auth_data){
free_AuthorizationData(auth_data); free_AuthorizationData(auth_data);
free(auth_data); free(auth_data);
} }
if(krbtgt)
_kdc_free_ent(context, krbtgt);
return ret; return ret;
} }
@@ -1068,9 +1060,15 @@ _kdc_tgs_rep(krb5_context context,
const char *from, const char *from,
struct sockaddr *from_addr) struct sockaddr *from_addr)
{ {
AuthorizationData *auth_data = NULL;
krb5_error_code ret; krb5_error_code ret;
int i = 0; int i = 0;
PA_DATA *tgs_req = NULL; PA_DATA *tgs_req = NULL;
hdb_entry_ex *krbtgt = NULL;
krb5_ticket *ticket = NULL;
const char *e_text = NULL;
time_t *csec = NULL; time_t *csec = NULL;
int *cusec = NULL; int *cusec = NULL;
@@ -1090,9 +1088,35 @@ _kdc_tgs_rep(krb5_context context,
"TGS-REQ from %s without PA-TGS-REQ", from); "TGS-REQ from %s without PA-TGS-REQ", from);
goto out; goto out;
} }
ret = tgs_rep2(context, config, ret = tgs_parse_request(context, config,
&req->req_body, tgs_req, data, from, from_addr, &req->req_body, tgs_req,
&csec, &cusec); &krbtgt,
&ticket, &e_text,
from, from_addr,
&csec, &cusec,
&auth_data);
if (ret) {
kdc_log(context, config, 0,
"Failed parsing TGS-REQ from %s", from);
goto out;
}
ret = tgs_build_reply(context,
config,
&req->req_body,
krbtgt,
ticket,
data,
from,
&e_text,
auth_data,
from_addr);
if (ret) {
kdc_log(context, config, 0,
"Failed building TGS-REP to from %s", from);
goto out;
}
out: out:
if(ret && data->data == NULL){ if(ret && data->data == NULL){
krb5_mk_error(context, krb5_mk_error(context,
@@ -1107,5 +1131,13 @@ out:
} }
free(csec); free(csec);
free(cusec); free(cusec);
if (ticket)
krb5_free_ticket(context, ticket);
if(krbtgt)
_kdc_free_ent(context, krbtgt);
if (auth_data)
free_AuthorizationData(auth_data);
return 0; return 0;
} }
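Review bot: auth_data is released twice once tgs_build_reply has run: that function keeps the old `if(auth_data){ free_AuthorizationData(auth_data); free(auth_data); }` cleanup (context lines at the end of its last hunk), and the new cleanup added to _kdc_tgs_rep calls `free_AuthorizationData(auth_data)` on the same pointer afterwards. The caller passes its local by value, so it is still non-NULL after the callee freed it, which makes this a use-after-free/double free reachable from any TGS-REQ that carries authorization data; on the path where tgs_parse_request fails and tgs_build_reply never runs, the caller frees the contents but not the struct allocated by `ALLOC(*auth_data)`, so that one leaks instead. Ownership should live in one place: drop the block from tgs_build_reply (it only reads the data it is handed) and make the caller's cleanup `if (auth_data) { free_AuthorizationData(auth_data); free(auth_data); }`. The new log message `"Failed building TGS-REP to from %s"` also looks like it should read `"Failed building TGS-REP to %s"`.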