oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

adapt pkinit code to libkdc split

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15540 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2005-07-01 04:42:59 +00:00
parent 96f2182811
commit de92125f9d
5 changed files with 38 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
kdc/config.c
View File

@@ -516,7 +516,7 @@ krb5_kdc_configuration *configure(krb5_context context, int argc, char **argv)
if (x509_anchors == NULL) if (x509_anchors == NULL)
krb5_errx(context, 1, "pkinit enabled but no X509 anchors"); krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
_pk_initialize(user_id, x509_anchors); _pk_initialize(context, config, user_id, x509_anchors);
config->enable_pkinit_princ_in_cert = config->enable_pkinit_princ_in_cert =
krb5_config_get_bool_default(context, krb5_config_get_bool_default(context,

14
kdc/kdc_locl.h
View File

@@ -106,16 +106,22 @@ _kdc_do_524(krb5_context context,
#ifdef PKINIT #ifdef PKINIT
typedef struct pk_client_params pk_client_params; typedef struct pk_client_params pk_client_params;
krb5_error_code _pk_initialize(const char *, const char *); krb5_error_code _pk_initialize(krb5_context,
krb5_error_code _pk_rd_padata(krb5_context, KDC_REQ *, krb5_kdc_configuration *,
PA_DATA *, pk_client_params **); const char *,
const char *);
krb5_error_code _pk_rd_padata(krb5_context, krb5_kdc_configuration *,
KDC_REQ *, PA_DATA *, pk_client_params **);
krb5_error_code _pk_mk_pa_reply(krb5_context, krb5_error_code _pk_mk_pa_reply(krb5_context,
krb5_kdc_configuration *,
pk_client_params *, pk_client_params *,
const hdb_entry *, const hdb_entry *,
const KDC_REQ *, const KDC_REQ *,
krb5_keyblock **, krb5_keyblock **,
METHOD_DATA *); METHOD_DATA *);
krb5_error_code _pk_check_client(krb5_context, krb5_principal, krb5_error_code _pk_check_client(krb5_context,
krb5_kdc_configuration *,
krb5_principal,
const hdb_entry *, const hdb_entry *,
pk_client_params *, char **); pk_client_params *, char **);
void _pk_free_client_param(krb5_context, pk_client_params *); void _pk_free_client_param(krb5_context, pk_client_params *);

7
kdc/kerberos5.c
View File

@@ -819,7 +819,7 @@ _kdc_as_rep(krb5_context context,
if (pa) { if (pa) {
char *client_cert = NULL; char *client_cert = NULL;
ret = _pk_rd_padata(context, req, pa, &pkp); ret = _pk_rd_padata(context, config, req, pa, &pkp);
if (ret) { if (ret) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
kdc_log(context, config, 5, kdc_log(context, config, 5,
@@ -830,7 +830,8 @@ _kdc_as_rep(krb5_context context,
if (ret == 0 && pkp == NULL) if (ret == 0 && pkp == NULL)
goto ts_enc; goto ts_enc;
ret = _pk_check_client(context, ret = _pk_check_client(context,
config,
client_princ, client_princ,
client, client,
pkp, pkp,
@@ -1275,7 +1276,7 @@ _kdc_as_rep(krb5_context context,
reply_key = &ckey->key; reply_key = &ckey->key;
#if PKINIT #if PKINIT
if (pkp) { if (pkp) {
ret = _pk_mk_pa_reply(context, pkp, client, req, ret = _pk_mk_pa_reply(context, config, pkp, client, req,
&reply_key, rep.padata); &reply_key, rep.padata);
if (ret) if (ret)
goto out; goto out;

1
kdc/main.c
View File

@@ -46,6 +46,7 @@ static RETSIGTYPE
sigterm(int sig) sigterm(int sig)
{ {
exit_flag = sig; exit_flag = sig;
_exit(3);
} }
int int

33
kdc/pkinit.c
View File

@@ -509,6 +509,7 @@ verify_trusted_ca(PA_PK_AS_REQ_19 *r)
krb5_error_code krb5_error_code
_pk_rd_padata(krb5_context context, _pk_rd_padata(krb5_context context,
krb5_kdc_configuration *config,
KDC_REQ *req, KDC_REQ *req,
PA_DATA *pa, PA_DATA *pa,
pk_client_params **ret_params) pk_client_params **ret_params)
@@ -523,7 +524,7 @@ _pk_rd_padata(krb5_context context,
*ret_params = NULL; *ret_params = NULL;
if (!enable_pkinit) { if (!config->enable_pkinit) {
krb5_clear_error_string(context); krb5_clear_error_string(context);
return 0; return 0;
} }
@@ -812,7 +813,7 @@ _pk_rd_padata(krb5_context context,
* are ignored for now. * are ignored for now.
*/ */
kdc_log(0, "PK-INIT request of type %s", type); kdc_log(context, config, 0, "PK-INIT request of type %s", type);
out: out:
@@ -821,7 +822,7 @@ _pk_rd_padata(krb5_context context,
krb5_data_free(&eContent); krb5_data_free(&eContent);
free_oid(&eContentType); free_oid(&eContentType);
if (ret) if (ret)
pk_free_client_param(context, client_params); _pk_free_client_param(context, client_params);
else else
*ret_params = client_params; *ret_params = client_params;
return ret; return ret;
@@ -1170,6 +1171,7 @@ pk_mk_pa_reply_dh(krb5_context context,
krb5_error_code krb5_error_code
_pk_mk_pa_reply(krb5_context context, _pk_mk_pa_reply(krb5_context context,
krb5_kdc_configuration *config,
pk_client_params *client_params, pk_client_params *client_params,
const hdb_entry *client, const hdb_entry *client,
const KDC_REQ *req, const KDC_REQ *req,
@@ -1183,7 +1185,7 @@ _pk_mk_pa_reply(krb5_context context,
int pa_type; int pa_type;
int i; int i;
if (!enable_pkinit) { if (!config->enable_pkinit) {
krb5_clear_error_string(context); krb5_clear_error_string(context);
return 0; return 0;
} }
@@ -1375,6 +1377,7 @@ _pk_mk_pa_reply(krb5_context context,
static int static int
pk_principal_from_X509(krb5_context context, pk_principal_from_X509(krb5_context context,
krb5_kdc_configuration *config,
struct krb5_pk_cert *client_cert, struct krb5_pk_cert *client_cert,
krb5_principal *principal) krb5_principal *principal)
{ {
@@ -1410,7 +1413,8 @@ pk_principal_from_X509(krb5_context context,
ret = decode_KRB5PrincipalName(p, len, &kn, &size); ret = decode_KRB5PrincipalName(p, len, &kn, &size);
if (ret) { if (ret) {
kdc_log(0, "Decoding kerberos name in certificate failed: %s", kdc_log(context, config, 0,
"Decoding kerberos name in certificate failed: %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
continue; continue;
} }
@@ -1433,6 +1437,7 @@ pk_principal_from_X509(krb5_context context,
krb5_error_code krb5_error_code
_pk_check_client(krb5_context context, _pk_check_client(krb5_context context,
krb5_kdc_configuration *config,
krb5_principal client_princ, krb5_principal client_princ,
const hdb_entry *client, const hdb_entry *client,
pk_client_params *client_params, pk_client_params *client_params,
@@ -1465,8 +1470,9 @@ _pk_check_client(krb5_context context,
} }
OPENSSL_free(subject); OPENSSL_free(subject);
if (enable_pkinit_princ_in_cert) { if (config->enable_pkinit_princ_in_cert) {
ret = pk_principal_from_X509(context, client_cert, &cert_princ); ret = pk_principal_from_X509(context, config,
client_cert, &cert_princ);
if (ret == 0) { if (ret == 0) {
b = krb5_principal_compare(context, client_princ, cert_princ); b = krb5_principal_compare(context, client_princ, cert_princ);
krb5_free_principal(context, cert_princ); krb5_free_principal(context, cert_princ);
@@ -1492,7 +1498,9 @@ _pk_check_client(krb5_context context,
} }
static krb5_error_code static krb5_error_code
add_principal_mapping(const char *principal_name, const char * subject) add_principal_mapping(krb5_context context,
const char *principal_name,
const char * subject)
{ {
struct pk_allowed_princ *tmp; struct pk_allowed_princ *tmp;
krb5_principal principal; krb5_principal principal;
@@ -1522,7 +1530,10 @@ add_principal_mapping(const char *principal_name, const char * subject)
krb5_error_code krb5_error_code
_pk_initialize(const char *user_id, const char *x509_anchors) _pk_initialize(krb5_context context,
krb5_kdc_configuration *config,
const char *user_id,
const char *x509_anchors)
{ {
const char *mapping_file; const char *mapping_file;
krb5_error_code ret; krb5_error_code ret;
@@ -1542,7 +1553,7 @@ _pk_initialize(const char *user_id, const char *x509_anchors)
NULL); NULL);
if (ret) { if (ret) {
krb5_warn(context, ret, "PKINIT: failed to load"); krb5_warn(context, ret, "PKINIT: failed to load");
enable_pkinit = 0; config->enable_pkinit = 0;
return ret; return ret;
} }
@@ -1579,7 +1590,7 @@ _pk_initialize(const char *user_id, const char *x509_anchors)
} }
*subject_name++ = '\0'; *subject_name++ = '\0';
ret = add_principal_mapping(p, subject_name); ret = add_principal_mapping(context, p, subject_name);
if (ret) { if (ret) {
krb5_warn(context, ret, "failed to add line %lu \":\" :%s\n", krb5_warn(context, ret, "failed to add line %lu \":\" :%s\n",
lineno, buf); lineno, buf);