Split tgs_rep2 into tgs_parse_request and tgs_build_reply.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17600 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-06-01 13:17:42 +00:00
parent b0a3fd3a9c
commit cb7d1402f1
1 changed files with 280 additions and 248 deletions
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -283,7 +283,6 @@ tgs_make_reply(krb5_context context,
 	       hdb_entry_ex *client, 
 	       krb5_principal client_principal, 
 	       hdb_entry_ex *krbtgt,
-	       krb5_enctype cetype,
 	       const char **e_text,
 	       krb5_data *reply)
 {
@@ -595,34 +594,29 @@ need_referral(krb5_context context, krb5_principal server, krb5_realm **realms)
 }

 static krb5_error_code
-tgs_rep2(krb5_context context, 
+tgs_parse_request(krb5_context context, 
 		  krb5_kdc_configuration *config,
 		  KDC_REQ_BODY *b,
 		  PA_DATA *tgs_req,
-	 krb5_data *reply,
+		  hdb_entry_ex **krbtgt,
+		  krb5_ticket **ticket,
+		  const char **e_text,
 		  const char *from,
 		  const struct sockaddr *from_addr,
 		  time_t **csec,
-	 int **cusec)
+		  int **cusec,
+		  AuthorizationData **auth_data)
 {
    krb5_ap_req ap_req;
    krb5_error_code ret;
    krb5_principal princ;
    krb5_auth_context ac = NULL;
-    krb5_ticket *ticket = NULL;
    krb5_flags ap_req_options;
    krb5_flags verify_ap_req_flags;
-    const char *e_text = NULL;
    krb5_crypto crypto;
-
-    hdb_entry_ex *krbtgt = NULL;
-    EncTicketPart *tgt;
    Key *tkey;
-    krb5_enctype cetype;
-    krb5_principal cp = NULL;
-    krb5_principal sp = NULL;
-    AuthorizationData *auth_data = NULL;

+    *auth_data = NULL;
    *csec  = NULL;
    *cusec = NULL;

@@ -645,7 +639,7 @@ tgs_rep2(krb5_context context,
 				       ap_req.ticket.sname,
 				       ap_req.ticket.realm);
    
-    ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, &krbtgt);
+    ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, krbtgt);

    if(ret) {
 	char *p;
@@ -663,7 +657,7 @@ tgs_rep2(krb5_context context,
    }
    
    if(ap_req.ticket.enc_part.kvno && 
-       *ap_req.ticket.enc_part.kvno != krbtgt->entry.kvno){
+       *ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
 	char *p;

 	ret = krb5_unparse_name (context, princ, &p);
@@ -673,7 +667,7 @@ tgs_rep2(krb5_context context,
 	kdc_log(context, config, 0,
 		"Ticket kvno = %d, DB kvno = %d (%s)", 
 		*ap_req.ticket.enc_part.kvno,
-		krbtgt->entry.kvno,
+		(*krbtgt)->entry.kvno,
 		p);
 	if (ret == 0)
 	    free (p);
@@ -681,7 +675,7 @@ tgs_rep2(krb5_context context,
 	goto out2;
    }

-    ret = hdb_enctype2key(context, &krbtgt->entry, 
+    ret = hdb_enctype2key(context, &(*krbtgt)->entry, 
 			  ap_req.ticket.enc_part.etype, &tkey);
    if(ret){
 	char *str, *p;
@@ -707,7 +701,7 @@ tgs_rep2(krb5_context context,
 			      &tkey->key,
 			      verify_ap_req_flags,
 			      &ap_req_options,
-			      &ticket,
+			      ticket,
 			      KRB5_KU_TGS_REQ_AUTH);
 			     
    krb5_free_principal(context, princ);
@@ -740,12 +734,8 @@ tgs_rep2(krb5_context context,
 	}
    }

-    cetype = ap_req.authenticator.etype;
-
-    tgt = &ticket->ticket;
-
    ret = tgs_check_authenticator(context, config, 
-				  ac, b, &e_text, &tgt->key);
+				  ac, b, e_text, &(*ticket)->ticket.key);
    if (ret) {
 	krb5_auth_con_free(context, ac);
 	goto out2;
@@ -800,17 +790,17 @@ tgs_rep2(krb5_context context,
 	    goto out2;
 	}
 	krb5_free_keyblock(context, subkey);
-	ALLOC(auth_data);
-	if (auth_data == NULL) {
+	ALLOC(*auth_data);
+	if (*auth_data == NULL) {
 	    krb5_auth_con_free(context, ac);
 	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
 	    goto out2;
 	}
-	ret = decode_AuthorizationData(ad.data, ad.length, auth_data, NULL);
+	ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
 	if(ret){
 	    krb5_auth_con_free(context, ac);
-	    free(auth_data);
-	    auth_data = NULL;
+	    free(*auth_data);
+	    *auth_data = NULL;
 	    kdc_log(context, config, 0, "Failed to decode authorization data");
 	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
 	    goto out2;
@@ -819,17 +809,40 @@ tgs_rep2(krb5_context context,

    krb5_auth_con_free(context, ac);
    
+out2:
+    free_AP_REQ(&ap_req);
+    
+    return ret;
+}
+
+static krb5_error_code
+tgs_build_reply(krb5_context context, 
+		krb5_kdc_configuration *config,
+		KDC_REQ_BODY *b,
+		hdb_entry_ex *krbtgt,
+		krb5_ticket *ticket,
+		krb5_data *reply,
+		const char *from,
+		const char **e_text,
+		AuthorizationData *auth_data,
+		const struct sockaddr *from_addr)
 {
-	PrincipalName *s;
-	Realm r;
+    krb5_error_code ret;
+    krb5_principal cp = NULL;
+    krb5_principal sp = NULL;
    char *spn = NULL, *cpn = NULL;
    hdb_entry_ex *server = NULL, *client = NULL;
+    EncTicketPart *tgt = &ticket->ticket;
+
+    PrincipalName *s;
+    Realm r;
    int nloop = 0;
    EncTicketPart adtkt;
    char opt_str[128];

    s = b->sname;
    r = b->realm;
+
    if(b->kdc_options.enc_tkt_in_skey){
 	Ticket *t;
 	hdb_entry_ex *uu;
@@ -1011,10 +1024,10 @@ tgs_rep2(krb5_context context,
 			 client, 
 			 cp, 
 			 krbtgt, 
-			     cetype, 
-			     &e_text,
+			 e_text,
 			 reply);
 	
+out2:
 out:
    free(spn);
    free(cpn);
@@ -1023,36 +1036,15 @@ tgs_rep2(krb5_context context,
 	_kdc_free_ent(context, server);
    if(client)
 	_kdc_free_ent(context, client);
-    }
- out2:
-    if(ret) {
-	krb5_mk_error(context,
-		      ret,
-		      e_text,
-		      NULL,
-		      cp,
-		      sp,
-		      NULL,
-		      NULL,
-		      reply);
-	free(*csec);
-	free(*cusec);
-	*csec  = NULL;
-	*cusec = NULL;
-    }
+
    krb5_free_principal(context, cp);
    krb5_free_principal(context, sp);
-    if (ticket)
-	krb5_free_ticket(context, ticket);
-    free_AP_REQ(&ap_req);
+
    if(auth_data){
 	free_AuthorizationData(auth_data);
 	free(auth_data);
    }

-    if(krbtgt)
-	_kdc_free_ent(context, krbtgt);
-
    return ret;
 }

@@ -1068,9 +1060,15 @@ _kdc_tgs_rep(krb5_context context,
 	     const char *from,
 	     struct sockaddr *from_addr)
 {
+    AuthorizationData *auth_data = NULL;
    krb5_error_code ret;
    int i = 0;
    PA_DATA *tgs_req = NULL;
+
+    hdb_entry_ex *krbtgt = NULL;
+    krb5_ticket *ticket = NULL;
+    const char *e_text = NULL;
+
    time_t *csec = NULL;
    int *cusec = NULL;

@@ -1090,9 +1088,35 @@ _kdc_tgs_rep(krb5_context context,
 		"TGS-REQ from %s without PA-TGS-REQ", from);
 	goto out;
    }
-    ret = tgs_rep2(context, config, 
-		   &req->req_body, tgs_req, data, from, from_addr,
-		   &csec, &cusec);
+    ret = tgs_parse_request(context, config, 
+			    &req->req_body, tgs_req,
+			    &krbtgt,
+			    &ticket, &e_text,
+			    from, from_addr,
+			    &csec, &cusec,
+			    &auth_data);
+    if (ret) {
+	kdc_log(context, config, 0, 
+		"Failed parsing TGS-REQ from %s", from);
+	goto out;
+    }
+
+    ret = tgs_build_reply(context,
+			  config,
+			  &req->req_body,
+			  krbtgt,
+			  ticket,
+			  data,
+			  from,
+			  &e_text,
+			  auth_data,
+			  from_addr);
+    if (ret) {
+	kdc_log(context, config, 0, 
+		"Failed building TGS-REP to from %s", from);
+	goto out;
+    }
+
 out:
    if(ret && data->data == NULL){
 	krb5_mk_error(context,
@@ -1107,5 +1131,13 @@ out:
    }
    free(csec);
    free(cusec);
+    if (ticket)
+	krb5_free_ticket(context, ticket);
+    if(krbtgt)
+	_kdc_free_ent(context, krbtgt);
+
+    if (auth_data)
+	free_AuthorizationData(auth_data);
+
    return 0;
 }