author | Andrew Bartlett <abartlet@samba.org> | 2009-11-13 10:51:14 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2009-11-13 23:19:05 +1100 |
commit | 4f8ba5ad6ac9b7153b0e13654e59f47e67b3f608 (patch) | |
tree | ca189d440b0a298cdcb3769d994828508dcd2e76 /source4/heimdal/kdc | |
parent | 5bc87c14a1f5b45ed86e7ff9663f5f0aa2f70094 (diff) | |
s4:heimdal: import lorikeet-heimdal-200911122202 (commit 9291fd2d101f3eecec550178634faa94ead3e9a1)
Diffstat (limited to 'source4/heimdal/kdc')
-rw-r--r-- | source4/heimdal/kdc/kerberos5.c | 57 | ||||
-rw-r--r-- | source4/heimdal/kdc/krb5tgs.c | 166 | ||||
-rw-r--r-- | source4/heimdal/kdc/kx509.c | 37 | ||||
-rw-r--r-- | source4/heimdal/kdc/misc.c | 5 | ||||
-rw-r--r-- | source4/heimdal/kdc/pkinit.c | 88 | ||||
-rw-r--r-- | source4/heimdal/kdc/windc.c | 2 | ||||
-rw-r--r-- | source4/heimdal/kdc/windc_plugin.h | 1 |
7 files changed, 207 insertions, 149 deletions
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index 0a9d4a5ca4..fb88aa9f8f 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c @@ -261,6 +261,7 @@ _kdc_encode_reply(krb5_context context, krb5_enctype etype, int skvno, const EncryptionKey *skey, int ckvno, const EncryptionKey *reply_key, + int rk_is_subkey, const char **e_text, krb5_data *reply) { @@ -272,8 +273,9 @@ _kdc_encode_reply(krb5_context context, ASN1_MALLOC_ENCODE(EncTicketPart, buf, buf_size, et, &len, ret); if(ret) { - kdc_log(context, config, 0, "Failed to encode ticket: %s", - krb5_get_err_text(context, ret)); + const char *msg = krb5_get_error_message(context, ret); + kdc_log(context, config, 0, "Failed to encode ticket: %s", msg); + krb5_free_error_message(context, msg); return ret; } if(buf_size != len) { @@ -286,8 +288,9 @@ _kdc_encode_reply(krb5_context context, ret = krb5_crypto_init(context, skey, etype, &crypto); if (ret) { free(buf); - kdc_log(context, config, 0, "krb5_crypto_init failed: %s", - krb5_get_err_text(context, ret)); + const char *msg = krb5_get_error_message(context, ret); + kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg); + krb5_free_error_message(context, msg); return ret; } @@ -301,8 +304,9 @@ _kdc_encode_reply(krb5_context context, free(buf); krb5_crypto_destroy(context, crypto); if(ret) { - kdc_log(context, config, 0, "Failed to encrypt data: %s", - krb5_get_err_text(context, ret)); + const char *msg = krb5_get_error_message(context, ret); + kdc_log(context, config, 0, "Failed to encrypt data: %s", msg); + krb5_free_error_message(context, msg); return ret; } 
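Review bot: In the `@@ -286,8 +288,9 @@` hunk the new `const char *msg = krb5_get_error_message(context, ret);` is declared after the `free(buf);` statement, whereas the matching hunk at `@@ -323,9 +328,10 @@` and the krb5tgs.c hunks at `@@ -1001` and `@@ -1709` put the declaration first; a declaration after a statement is C99-only and the rest of this commit seems to avoid it. Move the declaration above `free(buf);` so the block reads `const char *msg = krb5_get_error_message(context, ret); free(buf); kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);`. The same fetch/log/free triple is repeated in every error path this commit touches across kerberos5.c, krb5tgs.c, misc.c and pkinit.c; a small static helper taking `ret` and a format string would remove the duplication and the chance of a forgotten `krb5_free_error_message()` later. `_kdc_encode_reply` continues outside the hunk.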
@@ -311,8 +315,9 @@ _kdc_encode_reply(krb5_context context, else ASN1_MALLOC_ENCODE(EncTGSRepPart, buf, buf_size, ek, &len, ret); if(ret) { - kdc_log(context, config, 0, "Failed to encode KDC-REP: %s", - krb5_get_err_text(context, ret)); + const char *msg = krb5_get_error_message(context, ret); + kdc_log(context, config, 0, "Failed to encode KDC-REP: %s", msg); + krb5_free_error_message(context, msg); return ret; } if(buf_size != len) { @@ -323,9 +328,10 @@ _kdc_encode_reply(krb5_context context, } ret = krb5_crypto_init(context, reply_key, 0, &crypto); if (ret) { + const char *msg = krb5_get_error_message(context, ret); free(buf); - kdc_log(context, config, 0, "krb5_crypto_init failed: %s", - krb5_get_err_text(context, ret)); + kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg); + krb5_free_error_message(context, msg); return ret; } if(rep->msg_type == krb_as_rep) { @@ -341,7 +347,7 @@ _kdc_encode_reply(krb5_context context, } else { krb5_encrypt_EncryptedData(context, crypto, - KRB5_KU_TGS_REP_ENC_PART_SESSION, + rk_is_subkey ? KRB5_KU_TGS_REP_ENC_PART_SUB_KEY : KRB5_KU_TGS_REP_ENC_PART_SESSION, buf, len, ckvno, @@ -351,8 +357,9 @@ _kdc_encode_reply(krb5_context context, } krb5_crypto_destroy(context, crypto); if(ret) { - kdc_log(context, config, 0, "Failed to encode KDC-REP: %s", - krb5_get_err_text(context, ret)); + const char *msg = krb5_get_error_message(context, ret); + kdc_log(context, config, 0, "Failed to encode KDC-REP: %s", msg); + krb5_free_error_message(context, msg); return ret; } if(buf_size != len) { 
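Review bot: The usage selection `rk_is_subkey ? KRB5_KU_TGS_REP_ENC_PART_SUB_KEY : KRB5_KU_TGS_REP_ENC_PART_SESSION` in the `@@ -341,7 +347,7 @@` hunk implements the RFC 4120 §5.4.2 rule (the TGS-REP enc-part is encrypted under the Authenticator subkey when the client sent one, otherwise under the TGT session key), but neither the call nor the new `rk_is_subkey` parameter of `_kdc_encode_reply` says so. Add above the call `/* RFC 4120 5.4.2: authenticator subkey (usage 9) if the client sent one, else the TGT session key (usage 8) */` and state on the parameter that it must be 1 exactly when `reply_key` is that subkey, since a mismatch between key and usage leaves the client unable to decrypt the reply. The `krb_as_rep` branch above is unaffected. `_kdc_encode_reply` starts and ends outside this hunk.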
@@ -980,8 +987,9 @@ _kdc_as_rep(krb5_context context, ret = _kdc_db_fetch(context, config, client_princ, HDB_F_GET_CLIENT | flags, &clientdb, &client); if(ret){ - kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name, - krb5_get_err_text(context, ret)); + const char *msg = krb5_get_error_message(context, ret); + kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name, msg); + krb5_free_error_message(context, msg); ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; goto out; } @@ -990,8 +998,9 @@ _kdc_as_rep(krb5_context context, HDB_F_GET_SERVER|HDB_F_GET_KRBTGT, NULL, &server); if(ret){ - kdc_log(context, config, 0, "UNKNOWN -- %s: %s", server_name, - krb5_get_err_text(context, ret)); + const char *msg = krb5_get_error_message(context, ret); + kdc_log(context, config, 0, "UNKNOWN -- %s: %s", server_name, msg); + krb5_free_error_message(context, msg); ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; goto out; } @@ -1135,8 +1144,9 @@ _kdc_as_rep(krb5_context context, try_next_key: ret = krb5_crypto_init(context, &pa_key->key, 0, &crypto); if (ret) { - kdc_log(context, config, 0, "krb5_crypto_init failed: %s", - krb5_get_err_text(context, ret)); + const char *msg = krb5_get_error_message(context, ret); + kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg); + krb5_free_error_message(context, msg); free_EncryptedData(&enc_data); continue; } @@ -1154,6 +1164,8 @@ _kdc_as_rep(krb5_context context, */ if(ret){ krb5_error_code ret2; + const char *msg = krb5_get_error_message(context, ret); + ret2 = krb5_enctype_to_string(context, pa_key->key.keytype, &str); if (ret2) @@ -1161,9 +1173,8 @@ _kdc_as_rep(krb5_context context, kdc_log(context, config, 5, "Failed to decrypt PA-DATA -- %s " "(enctype %s) error %s", - client_name, - str ? str : "unknown enctype", - krb5_get_err_text(context, ret)); + client_name, str ? str : "unknown enctype", msg); + krb5_free_error_message(context, msg); free(str); if(hdb_next_enctype2key(context, &client->entry, 
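Review bot: In the `@@ -1154,6 +1164,8 @@` hunk `msg` is fetched from `ret` before `krb5_enctype_to_string()` runs, which looks deliberate (that call presumably can replace the context's stored error text when it fails) but nothing says so, and this is one of the few places in the commit where the fetch is separated from the log call it feeds. Add on the new declaration `/* fetch now: krb5_enctype_to_string() below may clobber the context error message */`. `_kdc_as_rep` continues outside the hunk.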
@@ -1757,7 +1768,7 @@ _kdc_as_rep(krb5_context context, ret = _kdc_encode_reply(context, config, &rep, &et, &ek, setype, server->entry.kvno, &skey->key, client->entry.kvno, - reply_key, &e_text, reply); + reply_key, 0, &e_text, reply); free_EncTicketPart(&et); free_EncKDCRepPart(&ek); if (ret) diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index c3b0aaa89e..4f587cf1b6 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -671,6 +671,8 @@ tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, krb5_const_principal tgt_name, const EncTicketPart *tgt, + const krb5_keyblock *replykey, + int rk_is_subkey, const EncryptionKey *serverkey, const krb5_keyblock *sessionkey, krb5_kvno kvno, @@ -823,10 +825,14 @@ tgs_make_reply(krb5_context context, unsigned int i = 0; /* XXX check authdata */ + if (et.authorization_data == NULL) { - ret = ENOMEM; - krb5_set_error_message(context, ret, "malloc: out of memory"); - goto out; + et.authorization_data = calloc(1, sizeof(*et.authorization_data)); + if (et.authorization_data == NULL) { + ret = ENOMEM; + krb5_set_error_message(context, ret, "malloc: out of memory"); + goto out; + } } for(i = 0; i < auth_data->len ; i++) { ret = add_AuthorizationData(et.authorization_data, &auth_data->val[i]); @@ -927,7 +933,8 @@ tgs_make_reply(krb5_context context, ret = _kdc_encode_reply(context, config, &rep, &et, &ek, et.key.keytype, kvno, - serverkey, 0, &tgt->key, e_text, reply); + serverkey, 0, replykey, rk_is_subkey, + e_text, reply); if (is_weak) krb5_enctype_disable(context, et.key.keytype); 
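Review bot: The new literal `0` in `reply_key, 0, &e_text, reply);` in the `@@ -1757,7 +1768,7 @@` hunk is the `rk_is_subkey` argument, but at the call site nothing explains why an AS-REP never uses a subkey. A comment such as `/* rk_is_subkey = 0: an AS-REP is encrypted under the client's key, there is no authenticator subkey */` keeps a later reader from "fixing" it. `_kdc_as_rep` continues outside the hunk.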
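Review bot: In the `@@ -823,10 +825,14 @@` hunk the retained `/* XXX check authdata */` now heads code that always has an `et.authorization_data` container and copies every `auth_data->val[i]` into the ticket via `add_AuthorizationData()`, with no per-element check visible in the hunk. Judging from the `krb5_decrypt_EncryptedData` call on `b->enc_authorization_data` in tgs_parse_request, `auth_data` appears to be the request's enc-authorization-data, so the XXX should say what is still intended: `/* XXX check authdata: elements originate from the request's enc-authorization-data; decide which AD-types may be copied into the ticket unmodified */`. Whether a filter already runs before tgs_make_reply is outside the hunk, as is the rest of tgs_make_reply.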
@@ -988,8 +995,9 @@ tgs_check_authenticator(krb5_context context, /* XXX should not re-encode this */ ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret); if(ret){ - kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", - krb5_get_err_text(context, ret)); + const char *msg = krb5_get_error_message(context, ret); + kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", msg); + krb5_free_error_message(context, msg); goto out; } if(buf_size != len) { @@ -1001,9 +1009,10 @@ tgs_check_authenticator(krb5_context context, } ret = krb5_crypto_init(context, key, 0, &crypto); if (ret) { + const char *msg = krb5_get_error_message(context, ret); free(buf); - kdc_log(context, config, 0, "krb5_crypto_init failed: %s", - krb5_get_err_text(context, ret)); + kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg); + krb5_free_error_message(context, msg); goto out; } ret = krb5_verify_checksum(context, @@ -1015,9 +1024,10 @@ tgs_check_authenticator(krb5_context context, free(buf); krb5_crypto_destroy(context, crypto); if(ret){ + const char *msg = krb5_get_error_message(context, ret); kdc_log(context, config, 0, - "Failed to verify authenticator checksum: %s", - krb5_get_err_text(context, ret)); + "Failed to verify authenticator checksum: %s", msg); + krb5_free_error_message(context, msg); } out: free_Authenticator(auth); @@ -1077,7 +1087,9 @@ tgs_parse_request(krb5_context context, const struct sockaddr *from_addr, time_t **csec, int **cusec, - AuthorizationData **auth_data) + AuthorizationData **auth_data, + krb5_keyblock **replykey, + int *rk_is_subkey) { krb5_ap_req ap_req; krb5_error_code ret; 
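Review bot: The `krb5_keyblock **replykey` and `int *rk_is_subkey` out-parameters added to `tgs_parse_request` in the `@@ -1077,7 +1087,9 @@` hunk carry an ownership transfer that is stated nowhere: `*replykey` receives a keyblock the caller must release with `krb5_free_keyblock()` (the `out:` label of `_kdc_tgs_rep` does this in a later hunk), and `*rk_is_subkey` records whether that key is the Authenticator subkey. Document both on the definition, e.g. `/* replykey: on success, the key the TGS-REP must be encrypted with; caller frees it with krb5_free_keyblock(). rk_is_subkey: 1 if replykey is the AP-REQ subkey, 0 if it is the TGT session key. */`. The function body continues in later hunks.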
@@ -1087,16 +1099,20 @@ tgs_parse_request(krb5_context context, krb5_flags verify_ap_req_flags; krb5_crypto crypto; Key *tkey; + krb5_keyblock *subkey = NULL; + unsigned usage; *auth_data = NULL; *csec = NULL; *cusec = NULL; + *replykey = NULL; memset(&ap_req, 0, sizeof(ap_req)); ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req); if(ret){ - kdc_log(context, config, 0, "Failed to decode AP-REQ: %s", - krb5_get_err_text(context, ret)); + const char *msg = krb5_get_error_message(context, ret); + kdc_log(context, config, 0, "Failed to decode AP-REQ: %s", msg); + krb5_free_error_message(context, msg); goto out; } @@ -1115,14 +1131,15 @@ tgs_parse_request(krb5_context context, ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, NULL, krbtgt); if(ret) { + const char *msg = krb5_get_error_message(context, ret); char *p; ret = krb5_unparse_name(context, princ, &p); if (ret != 0) p = "<unparse_name failed>"; krb5_free_principal(context, princ); kdc_log(context, config, 0, - "Ticket-granting ticket not found in database: %s: %s", - p, krb5_get_err_text(context, ret)); + "Ticket-granting ticket not found in database: %s: %s", msg); + krb5_free_error_message(context, msg); if (ret == 0) free(p); ret = KRB5KRB_AP_ERR_NOT_US; @@ -1184,8 +1201,9 @@ tgs_parse_request(krb5_context context, krb5_free_principal(context, princ); if(ret) { - kdc_log(context, config, 0, "Failed to verify AP-REQ: %s", - krb5_get_err_text(context, ret)); + const char *msg = krb5_get_error_message(context, ret); + kdc_log(context, config, 0, "Failed to verify AP-REQ: %s", msg); + krb5_free_error_message(context, msg); goto out; } 
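Review bot: In the `@@ -1087,16 +1099,20 @@` hunk `*replykey = NULL;` is added beside the other out-parameter resets but `*rk_is_subkey` is not, so it is only assigned after the AP-REQ has been verified later in this function and stays untouched on every earlier `goto out`. The caller in `_kdc_tgs_rep` happens to initialise `rk_is_subkey = 0` at its declaration, so this is harmless today, but making the function self-contained costs one line: `*rk_is_subkey = 0;` next to `*replykey = NULL;`. tgs_parse_request continues outside the hunk.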
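Review bot: In the `@@ -1115,14 +1131,15 @@` hunk the format string `"Ticket-granting ticket not found in database: %s: %s"` still has two `%s` conversions but only `msg` is passed, so `kdc_log()` reads a vararg that was never supplied — undefined behaviour, and in practice whatever pointer is next on the stack ends up in the log; `p` is still computed (or set to `"<unparse_name failed>"`) and then only freed. Restore the name argument: `"Ticket-granting ticket not found in database: %s: %s", p, msg);`. Fetching `msg` before `krb5_unparse_name()` overwrites `ret` is the right order and deserves a one-line comment saying so. tgs_parse_request continues outside the hunk.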
@@ -1219,41 +1237,49 @@ tgs_parse_request(krb5_context context, goto out; } - if (b->enc_authorization_data) { - unsigned usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY; - krb5_keyblock *subkey; - krb5_data ad; + usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY; + *rk_is_subkey = 1; - ret = krb5_auth_con_getremotesubkey(context, ac, &subkey); - if(ret){ - krb5_auth_con_free(context, ac); - kdc_log(context, config, 0, "Failed to get remote subkey: %s", - krb5_get_err_text(context, ret)); - goto out; - } - if(subkey == NULL){ - usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION; - ret = krb5_auth_con_getkey(context, ac, &subkey); - if(ret) { - krb5_auth_con_free(context, ac); - kdc_log(context, config, 0, "Failed to get session key: %s", - krb5_get_err_text(context, ret)); - goto out; - } - } - if(subkey == NULL){ + ret = krb5_auth_con_getremotesubkey(context, ac, &subkey); + if(ret){ + const char *msg = krb5_get_error_message(context, ret); + krb5_auth_con_free(context, ac); + kdc_log(context, config, 0, "Failed to get remote subkey: %s", msg); + krb5_free_error_message(context, msg); + goto out; + } + if(subkey == NULL){ + usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION; + *rk_is_subkey = 0; + + ret = krb5_auth_con_getkey(context, ac, &subkey); + if(ret) { + const char *msg = krb5_get_error_message(context, ret); krb5_auth_con_free(context, ac); - kdc_log(context, config, 0, - "Failed to get key for enc-authorization-data"); - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ + kdc_log(context, config, 0, "Failed to get session key: %s", msg); + krb5_free_error_message(context, msg); goto out; } + } + if(subkey == NULL){ + krb5_auth_con_free(context, ac); + kdc_log(context, config, 0, + "Failed to get key for enc-authorization-data"); + ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? 
*/ + goto out; + } + + *replykey = subkey; + + if (b->enc_authorization_data) { + krb5_data ad; + ret = krb5_crypto_init(context, subkey, 0, &crypto); - krb5_free_keyblock(context, subkey); if (ret) { + const char *msg = krb5_get_error_message(context, ret); krb5_auth_con_free(context, ac); - kdc_log(context, config, 0, "krb5_crypto_init failed: %s", - krb5_get_err_text(context, ret)); + kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg); + krb5_free_error_message(context, msg); goto out; } ret = krb5_decrypt_EncryptedData (context, @@ -1377,6 +1403,8 @@ tgs_build_reply(krb5_context context, KDC_REQ_BODY *b, hdb_entry_ex *krbtgt, krb5_enctype krbtgt_etype, + const krb5_keyblock *replykey, + int rk_is_subkey, krb5_ticket *ticket, krb5_data *reply, const char *from, @@ -1495,7 +1523,7 @@ server_lookup: NULL, &server); if(ret){ - const char *new_rlm; + const char *new_rlm, *msg; Realm req_rlm; krb5_realm *realms; @@ -1543,9 +1571,10 @@ server_lookup: } krb5_free_host_realm(context, realms); } + msg = krb5_get_error_message(context, ret); kdc_log(context, config, 0, - "Server not found in database: %s: %s", spn, - krb5_get_err_text(context, ret)); + "Server not found in database: %s: %s", spn, msg); + krb5_free_error_message(context, msg); if (ret == HDB_ERR_NOENTRY) ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; goto out; @@ -1554,7 +1583,7 @@ server_lookup: ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON, &clientdb, &client); if(ret) { - const char *krbtgt_realm; + const char *krbtgt_realm, *msg; /* * If the client belongs to the same realm as our krbtgt, it @@ -1574,8 +1603,9 @@ server_lookup: goto out; } - kdc_log(context, config, 1, "Client not found in database: %s: %s", - cpn, krb5_get_err_text(context, ret)); + msg = krb5_get_error_message(context, ret); + kdc_log(context, config, 1, "Client not found in database: %s", msg); + krb5_free_error_message(context, msg); } /* 
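Review bot: In the `@@ -1219,41 +1237,49 @@` hunk `*replykey = subkey;` hands the keyblock to the caller and the former `krb5_free_keyblock(context, subkey);` after `krb5_crypto_init()` is gone, so nothing in this hunk frees it any more — including the `goto out` paths after that assignment. That matches `_kdc_tgs_rep` freeing `replykey` at its `out:` label in a later hunk, but the contract is easy to break from either side, so state it here: `/* ownership of subkey moves to the caller via *replykey; do not free it in this function */`. The retained `/* ? */` after `ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;` still records doubt about the error code without saying what the alternative would be. tgs_parse_request starts and ends outside the hunk.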
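Review bot: The rewritten log line in the `@@ -1574,8 +1603,9 @@` hunk, `kdc_log(context, config, 1, "Client not found in database: %s", msg);`, drops the `cpn` argument the old line logged, so operators lose the client principal name on exactly the event they would want to correlate across requests; the sibling `@@ -1543,9 +1571,10 @@` hunk keeps `spn` in its message. Restore it: `kdc_log(context, config, 1, "Client not found in database: %s: %s", cpn, msg);`. The enclosing function continues outside the hunk.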
@@ -1656,9 +1686,11 @@ server_lookup: client, server, ekey, &tkey->key, tgt, &rspac, &signedpath); if (ret) { + const char *msg = krb5_get_error_message(context, ret); kdc_log(context, config, 0, "Verify PAC failed for %s (%s) from %s with %s", - spn, cpn, from, krb5_get_err_text(context, ret)); + spn, cpn, from, msg); + krb5_free_error_message(context, msg); goto out; } @@ -1671,9 +1703,11 @@ server_lookup: &spp, &signedpath); if (ret) { + const char *msg = krb5_get_error_message(context, ret); kdc_log(context, config, 0, "KRB5SignedPath check failed for %s (%s) from %s with %s", - spn, cpn, from, krb5_get_err_text(context, ret)); + spn, cpn, from, msg); + krb5_free_error_message(context, msg); goto out; } @@ -1709,10 +1743,11 @@ server_lookup: ret = krb5_crypto_init(context, &tgt->key, 0, &crypto); if (ret) { + const char *msg = krb5_get_error_message(context, ret); free_PA_S4U2Self(&self); krb5_data_free(&datack); - kdc_log(context, config, 0, "krb5_crypto_init failed: %s", - krb5_get_err_text(context, ret)); + kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg); + krb5_free_error_message(context, msg); goto out; } @@ -1725,10 +1760,11 @@ server_lookup: krb5_data_free(&datack); krb5_crypto_destroy(context, crypto); if (ret) { + const char *msg = krb5_get_error_message(context, ret); free_PA_S4U2Self(&self); kdc_log(context, config, 0, - "krb5_verify_checksum failed for S4U2Self: %s", - krb5_get_err_text(context, ret)); + "krb5_verify_checksum failed for S4U2Self: %s", msg); + krb5_free_error_message(context, msg); goto out; } 
@@ -1866,11 +1902,13 @@ server_lookup: if (ret == 0 && !ad_signedpath) ret = KRB5KDC_ERR_BADOPTION; if (ret) { + const char *msg = krb5_get_error_message(context, ret); kdc_log(context, config, 0, "KRB5SignedPath check from service %s failed " "for delegation to %s for client %s " "from %s failed with %s", - spn, str, cpn, from, krb5_get_err_text(context, ret)); + spn, str, cpn, from, msg); + krb5_free_error_message(context, msg); free(str); goto out; } @@ -1950,6 +1988,8 @@ server_lookup: b, client_principal, tgt, + replykey, + rk_is_subkey, ekey, &sessionkey, kvno, @@ -2016,6 +2056,8 @@ _kdc_tgs_rep(krb5_context context, const char *e_text = NULL; krb5_enctype krbtgt_etype = ETYPE_NULL; + krb5_keyblock *replykey = NULL; + int rk_is_subkey = 0; time_t *csec = NULL; int *cusec = NULL; @@ -2043,7 +2085,9 @@ _kdc_tgs_rep(krb5_context context, &e_text, from, from_addr, &csec, &cusec, - &auth_data); + &auth_data, + &replykey, + &rk_is_subkey); if (ret) { kdc_log(context, config, 0, "Failed parsing TGS-REQ from %s", from); @@ -2056,6 +2100,8 @@ _kdc_tgs_rep(krb5_context context, &req->req_body, krbtgt, krbtgt_etype, + replykey, + rk_is_subkey, ticket, data, from, @@ -2076,6 +2122,8 @@ _kdc_tgs_rep(krb5_context context, } out: + if (replykey) + krb5_free_keyblock(context, replykey); if(ret && data->data == NULL){ krb5_mk_error(context, ret, diff --git a/source4/heimdal/kdc/kx509.c b/source4/heimdal/kdc/kx509.c index 8f7f3a27fb..eb757bb578 100644 --- a/source4/heimdal/kdc/kx509.c +++ b/source4/heimdal/kdc/kx509.c @@ -143,7 +143,6 @@ build_certificate(krb5_context context, krb5_principal principal, krb5_data *certificate) { - hx509_context hxctx = NULL; hx509_ca_tbs tbs = NULL; hx509_env env = NULL; hx509_cert cert = NULL; 
@@ -155,11 +154,7 @@ build_certificate(krb5_context context, return EINVAL; } - ret = hx509_context_init(&hxctx); - if (ret) - goto out; - - ret = hx509_env_add(hxctx, &env, "principal-name", + ret = hx509_env_add(context->hx509ctx, &env, "principal-name", krb5_principal_get_comp_string(context, principal, 0)); if (ret) goto out; @@ -168,14 +163,14 @@ build_certificate(krb5_context context, hx509_certs certs; hx509_query *q; - ret = hx509_certs_init(hxctx, config->kx509_ca, 0, + ret = hx509_certs_init(context->hx509ctx, config->kx509_ca, 0, NULL, &certs); if (ret) { kdc_log(context, config, 0, "Failed to load CA %s", config->kx509_ca); goto out; } - ret = hx509_query_alloc(hxctx, &q); + ret = hx509_query_alloc(context->hx509ctx, &q); if (ret) { hx509_certs_free(&certs); goto out; @@ -184,8 +179,8 @@ build_certificate(krb5_context context, hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); hx509_query_match_option(q, HX509_QUERY_OPTION_KU_KEYCERTSIGN); - ret = hx509_certs_find(hxctx, certs, q, &signer); - hx509_query_free(hxctx, q); + ret = hx509_certs_find(context->hx509ctx, certs, q, &signer); + hx509_query_free(context->hx509ctx, q); hx509_certs_free(&certs); if (ret) { kdc_log(context, config, 0, "Failed to find a CA in %s", @@ -194,7 +189,7 @@ build_certificate(krb5_context context, } } - ret = hx509_ca_tbs_init(hxctx, &tbs); + ret = hx509_ca_tbs_init(context->hx509ctx, &tbs); if (ret) goto out; @@ -214,7 +209,7 @@ build_certificate(krb5_context context, any.length = 2; spki.algorithm.parameters = &any; - ret = hx509_ca_tbs_set_spki(hxctx, tbs, &spki); + ret = hx509_ca_tbs_set_spki(context->hx509ctx, tbs, &spki); der_free_oid(&spki.algorithm.algorithm); if (ret) goto out; 
@@ -224,21 +219,21 @@ build_certificate(krb5_context context, hx509_certs certs; hx509_cert template; - ret = hx509_certs_init(hxctx, config->kx509_template, 0, + ret = hx509_certs_init(context->hx509ctx, config->kx509_template, 0, NULL, &certs); if (ret) { kdc_log(context, config, 0, "Failed to load template %s", config->kx509_template); goto out; } - ret = hx509_get_one_cert(hxctx, certs, &template); + ret = hx509_get_one_cert(context->hx509ctx, certs, &template); hx509_certs_free(&certs); if (ret) { kdc_log(context, config, 0, "Failed to find template in %s", config->kx509_template); goto out; } - ret = hx509_ca_tbs_set_template(hxctx, tbs, + ret = hx509_ca_tbs_set_template(context->hx509ctx, tbs, HX509_CA_TEMPLATE_SUBJECT| HX509_CA_TEMPLATE_KU| HX509_CA_TEMPLATE_EKU, @@ -248,25 +243,23 @@ build_certificate(krb5_context context, goto out; } - hx509_ca_tbs_set_notAfter(hxctx, tbs, endtime); + hx509_ca_tbs_set_notAfter(context->hx509ctx, tbs, endtime); - hx509_ca_tbs_subject_expand(hxctx, tbs, env); + hx509_ca_tbs_subject_expand(context->hx509ctx, tbs, env); hx509_env_free(&env); - ret = hx509_ca_sign(hxctx, tbs, signer, &cert); + ret = hx509_ca_sign(context->hx509ctx, tbs, signer, &cert); hx509_cert_free(signer); if (ret) goto out; hx509_ca_tbs_free(&tbs); - ret = hx509_cert_binary(hxctx, cert, certificate); + ret = hx509_cert_binary(context->hx509ctx, cert, certificate); hx509_cert_free(cert); if (ret) goto out; - hx509_context_free(&hxctx); - return 0; out: if (env) @@ -275,8 +268,6 @@ out: hx509_ca_tbs_free(&tbs); if (signer) hx509_cert_free(signer); - if (hxctx) - hx509_context_free(&hxctx); krb5_set_error_message(context, ret, "cert creation failed"); return ret; } diff --git a/source4/heimdal/kdc/misc.c b/source4/heimdal/kdc/misc.c index e016183615..9a3f254640 100644 --- a/source4/heimdal/kdc/misc.c +++ b/source4/heimdal/kdc/misc.c 
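Review bot: In the `@@ -248,25 +243,23 @@` hunk the sequence `ret = hx509_ca_sign(...); hx509_cert_free(signer); if (ret) goto out;` releases `signer` and, on failure, reaches the `out:` block in the next hunk, which runs `if (signer) hx509_cert_free(signer);` on the same handle — `hx509_cert_free()` takes the cert by value and cannot reset the variable. Unless hx509 tolerates freeing an already-released handle (not visible here), that is a double free on the signing-error path; `signer = NULL;` right after the first `hx509_cert_free(signer);` closes it. The commit only swapped `hxctx` for `context->hx509ctx` on these lines, so the issue is pre-existing, but it is in the code under review. `build_certificate` starts outside the hunk.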
@@ -80,8 +80,9 @@ _kdc_db_fetch(krb5_context context, ret = config->db[i]->hdb_open(context, config->db[i], O_RDONLY, 0); if (ret) { - kdc_log(context, config, 0, "Failed to open database: %s", - krb5_get_err_text(context, ret)); + const char *msg = krb5_get_error_message(context, ret); + kdc_log(context, config, 0, "Failed to open database: %s", msg); + krb5_free_error_message(context, msg); continue; } diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c index 0d00ef2173..7bb32eb577 100644 --- a/source4/heimdal/kdc/pkinit.c +++ b/source4/heimdal/kdc/pkinit.c @@ -517,7 +517,7 @@ _kdc_pk_rd_padata(krb5_context context, goto out; } - ret = hx509_certs_init(kdc_identity->hx509ctx, + ret = hx509_certs_init(context->hx509ctx, "MEMORY:trust-anchors", 0, NULL, &trust_anchors); if (ret) { @@ -525,7 +525,7 @@ _kdc_pk_rd_padata(krb5_context context, goto out; } - ret = hx509_certs_merge(kdc_identity->hx509ctx, trust_anchors, + ret = hx509_certs_merge(context->hx509ctx, trust_anchors, kdc_identity->anchors); if (ret) { hx509_certs_free(&trust_anchors); @@ -540,18 +540,18 @@ _kdc_pk_rd_padata(krb5_context context, unsigned int i; for (i = 0; i < pc->len; i++) { - ret = hx509_cert_init_data(kdc_identity->hx509ctx, + ret = hx509_cert_init_data(context->hx509ctx, pc->val[i].cert.data, pc->val[i].cert.length, &cert); if (ret) continue; - hx509_certs_add(kdc_identity->hx509ctx, trust_anchors, cert); + hx509_certs_add(context->hx509ctx, trust_anchors, cert); hx509_cert_free(cert); } } - ret = hx509_verify_init_ctx(kdc_identity->hx509ctx, &cp->verify_ctx); + ret = hx509_verify_init_ctx(context->hx509ctx, &cp->verify_ctx); if (ret) { hx509_certs_free(&trust_anchors); krb5_set_error_message(context, ret, "failed to create verify context"); 
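Review bot: In the `@@ -540,18 +540,18 @@` hunk the return value of `hx509_certs_add(context->hx509ctx, trust_anchors, cert);` is discarded, as it is again in the `@@ -657,24 +657,24 @@` hunk for `cp->client_anchors`, so an anchor that fails to be added is silently left out while the request proceeds; every other hx509 call around it checks `ret`. Either check it (`ret = hx509_certs_add(...); if (ret) { hx509_cert_free(cert); goto out; }`) or say the omission is deliberate, e.g. `/* best effort: a missing anchor only makes verification stricter */`. `_kdc_pk_rd_padata` continues outside the hunk.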
@@ -618,7 +618,7 @@ _kdc_pk_rd_padata(krb5_context context, ExternalPrincipalIdentifiers *edi = r.trustedCertifiers; unsigned int i, maxedi; - ret = hx509_certs_init(kdc_identity->hx509ctx, + ret = hx509_certs_init(context->hx509ctx, "MEMORY:client-anchors", 0, NULL, &cp->client_anchors); @@ -645,7 +645,7 @@ _kdc_pk_rd_padata(krb5_context context, if (edi->val[i].issuerAndSerialNumber == NULL) continue; - ret = hx509_query_alloc(kdc_identity->hx509ctx, &q); + ret = hx509_query_alloc(context->hx509ctx, &q); if (ret) { krb5_set_error_message(context, ret, "Failed to allocate hx509_query"); @@ -657,24 +657,24 @@ _kdc_pk_rd_padata(krb5_context context, &iasn, &size); if (ret) { - hx509_query_free(kdc_identity->hx509ctx, q); + hx509_query_free(context->hx509ctx, q); continue; } ret = hx509_query_match_issuer_serial(q, &iasn.issuer, &iasn.serialNumber); free_IssuerAndSerialNumber(&iasn); if (ret) { - hx509_query_free(kdc_identity->hx509ctx, q); + hx509_query_free(context->hx509ctx, q); continue; } - ret = hx509_certs_find(kdc_identity->hx509ctx, + ret = hx509_certs_find(context->hx509ctx, kdc_identity->certs, q, &cert); - hx509_query_free(kdc_identity->hx509ctx, q); + hx509_query_free(context->hx509ctx, q); if (ret) continue; - hx509_certs_add(kdc_identity->hx509ctx, + hx509_certs_add(context->hx509ctx, cp->client_anchors, cert); hx509_cert_free(cert); } @@ -719,7 +719,7 @@ _kdc_pk_rd_padata(krb5_context context, if (req->req_body.kdc_options.request_anonymous) flags |= HX509_CMS_VS_ALLOW_ZERO_SIGNER; - ret = hx509_cms_verify_signed(kdc_identity->hx509ctx, + ret = hx509_cms_verify_signed(context->hx509ctx, cp->verify_ctx, flags, signed_content.data, @@ -730,7 +730,7 @@ _kdc_pk_rd_padata(krb5_context context, &eContent, &signer_certs); if (ret) { - char *s = hx509_get_error_string(kdc_identity->hx509ctx, ret); + char *s = hx509_get_error_string(context->hx509ctx, ret); krb5_warnx(context, "PKINIT: failed to verify signature: %s: %d", s, ret); free(s); 
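Review bot: In the `@@ -730,7 +730,7 @@` hunk `char *s = hx509_get_error_string(context->hx509ctx, ret);` is passed straight to `krb5_warnx(... "%s: %d", s, ret)`; if that call can return NULL on allocation failure (its contract is not visible here), the `%s` becomes undefined behaviour on the one path that already reports a failed signature verification. A guard is cheap: `krb5_warnx(context, "PKINIT: failed to verify signature: %s: %d", s ? s : "<unknown>", ret);`, and `free(s)` already handles NULL. `_kdc_pk_rd_padata` continues outside the hunk.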
@@ -738,7 +738,7 @@ _kdc_pk_rd_padata(krb5_context context, } if (signer_certs) { - ret = hx509_get_one_cert(kdc_identity->hx509ctx, signer_certs, + ret = hx509_get_one_cert(context->hx509ctx, signer_certs, &cp->cert); hx509_certs_free(&signer_certs); } @@ -843,7 +843,7 @@ _kdc_pk_rd_padata(krb5_context context, } else cp->keyex = USE_RSA; - ret = hx509_peer_info_alloc(kdc_identity->hx509ctx, + ret = hx509_peer_info_alloc(context->hx509ctx, &cp->peer); if (ret) { free_AuthPack(&ap); @@ -851,7 +851,7 @@ _kdc_pk_rd_padata(krb5_context context, } if (ap.supportedCMSTypes) { - ret = hx509_peer_info_set_cms_algs(kdc_identity->hx509ctx, + ret = hx509_peer_info_set_cms_algs(context->hx509ctx, cp->peer, ap.supportedCMSTypes->val, ap.supportedCMSTypes->len); @@ -861,11 +861,11 @@ _kdc_pk_rd_padata(krb5_context context, } } else { /* assume old client */ - hx509_peer_info_add_cms_alg(kdc_identity->hx509ctx, cp->peer, + hx509_peer_info_add_cms_alg(context->hx509ctx, cp->peer, hx509_crypto_des_rsdi_ede3_cbc()); - hx509_peer_info_add_cms_alg(kdc_identity->hx509ctx, cp->peer, + hx509_peer_info_add_cms_alg(context->hx509ctx, cp->peer, hx509_signature_rsa_with_sha1()); - hx509_peer_info_add_cms_alg(kdc_identity->hx509ctx, cp->peer, + hx509_peer_info_add_cms_alg(context->hx509ctx, cp->peer, hx509_signature_sha1()); } free_AuthPack(&ap); @@ -1016,7 +1016,7 @@ pk_mk_pa_reply_enckey(krb5_context context, hx509_query *q; hx509_cert cert; - ret = hx509_query_alloc(kdc_identity->hx509ctx, &q); + ret = hx509_query_alloc(context->hx509ctx, &q); if (ret) goto out; 
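Review bot: The `/* assume old client */` fallback in the `@@ -861,11 +861,11 @@` hunk registers `hx509_crypto_des_rsdi_ede3_cbc()`, `hx509_signature_rsa_with_sha1()` and `hx509_signature_sha1()` whenever the client omits `supportedCMSTypes`, which commits the KDC to 3DES and SHA-1 for those replies; the commit only changed the context argument, but the comment does not say this is a compatibility floor or that the choice is policy-relevant. Expand it to `/* assume old client: no supportedCMSTypes sent, fall back to the legacy 3DES/SHA-1 set; revisit once such clients are gone */`. Whether configuration can disable this fallback is outside the hunk, as is the rest of `_kdc_pk_rd_padata`.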
@@ -1024,15 +1024,15 @@ pk_mk_pa_reply_enckey(krb5_context context, if (config->pkinit_kdc_friendly_name) hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name); - ret = hx509_certs_find(kdc_identity->hx509ctx, + ret = hx509_certs_find(context->hx509ctx, kdc_identity->certs, q, &cert); - hx509_query_free(kdc_identity->hx509ctx, q); + hx509_query_free(context->hx509ctx, q); if (ret) goto out; - ret = hx509_cms_create_signed_1(kdc_identity->hx509ctx, + ret = hx509_cms_create_signed_1(context->hx509ctx, 0, sdAlg, buf.data, @@ -1060,7 +1060,7 @@ pk_mk_pa_reply_enckey(krb5_context context, signed_data = buf; } - ret = hx509_cms_envelope_1(kdc_identity->hx509ctx, + ret = hx509_cms_envelope_1(context->hx509ctx, HX509_CMS_EV_NO_KU_CHECK, cp->cert, signed_data.data, signed_data.length, @@ -1172,7 +1172,7 @@ pk_mk_pa_reply_dh(krb5_context context, * filled in above */ - ret = hx509_query_alloc(kdc_identity->hx509ctx, &q); + ret = hx509_query_alloc(context->hx509ctx, &q); if (ret) goto out; @@ -1180,15 +1180,15 @@ pk_mk_pa_reply_dh(krb5_context context, if (config->pkinit_kdc_friendly_name) hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name); - ret = hx509_certs_find(kdc_identity->hx509ctx, + ret = hx509_certs_find(context->hx509ctx, kdc_identity->certs, q, &cert); - hx509_query_free(kdc_identity->hx509ctx, q); + hx509_query_free(context->hx509ctx, q); if (ret) goto out; - ret = hx509_cms_create_signed_1(kdc_identity->hx509ctx, + ret = hx509_cms_create_signed_1(context->hx509ctx, 0, &asn1_oid_id_pkdhkeydata, buf.data, @@ -1509,7 +1509,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, goto out_ocsp; } - ret = hx509_ocsp_verify(kdc_identity->hx509ctx, + ret = hx509_ocsp_verify(context->hx509ctx, kdc_time, kdc_cert, 0, 
@@ -1580,9 +1580,10 @@ match_rfc_san(krb5_context context, list.val[i].length, &kn, &size); if (ret) { + const char *msg = krb5_get_error_message(context, ret); kdc_log(context, config, 0, - "Decoding kerberos name in certificate failed: %s", - krb5_get_err_text(context, ret)); + "Decoding kerberos name in certificate failed: %s", msg); + krb5_free_error_message(context, msg); break; } if (size != list.val[i].length) { @@ -1644,6 +1645,12 @@ match_ms_upn_san(krb5_context context, kdc_log(context, config, 0, "Decode of MS-UPN-SAN failed"); goto out; } + if (size != list.val[0].length) { + free_MS_UPN_SAN(&upn); + kdc_log(context, config, 0, "Trailing data in "); + ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH; + goto out; + } kdc_log(context, config, 0, "found MS UPN SAN: %s", upn); @@ -1697,7 +1704,7 @@ _kdc_pk_check_client(krb5_context context, return 0; } - ret = hx509_cert_get_base_subject(kdc_identity->hx509ctx, + ret = hx509_cert_get_base_subject(context->hx509ctx, cp->cert, &name); if (ret) @@ -1718,7 +1725,7 @@ _kdc_pk_check_client(krb5_context context, unsigned int i; for (i = 0; i < pc->len; i++) { - ret = hx509_cert_init_data(kdc_identity->hx509ctx, + ret = hx509_cert_init_data(context->hx509ctx, pc->val[i].cert.data, pc->val[i].cert.length, &cert); @@ -1737,7 +1744,7 @@ _kdc_pk_check_client(krb5_context context, if (config->pkinit_princ_in_cert) { ret = match_rfc_san(context, config, - kdc_identity->hx509ctx, + context->hx509ctx, cp->cert, client->entry.principal); if (ret == 0) { @@ -1746,7 +1753,7 @@ _kdc_pk_check_client(krb5_context context, return 0; } ret = match_ms_upn_san(context, config, - kdc_identity->hx509ctx, + context->hx509ctx, cp->cert, clientdb, client); @@ -1944,7 +1951,6 @@ _kdc_pk_initialize(krb5_context context, ret = _krb5_pk_load_id(context, &kdc_identity, - 0, user_id, anchors, pool, 
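Review bot: The new trailing-data check in the `@@ -1644,6 +1645,12 @@` hunk logs `"Trailing data in "` — the message ends mid-sentence and never names the SAN. The check mirrors the `size != list.val[i].length` test in match_rfc_san in the hunk above, so the log should mirror it too: `kdc_log(context, config, 0, "Trailing data in MS-UPN-SAN");`. The level-0 `"found MS UPN SAN: %s"` line that follows prints a string taken from the presented certificate, i.e. client-controlled text, which is worth remembering if these logs are parsed downstream. match_ms_upn_san continues outside the hunk.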
@@ -1962,7 +1968,7 @@ _kdc_pk_initialize(krb5_context context, hx509_query *q; hx509_cert cert; - ret = hx509_query_alloc(kdc_identity->hx509ctx, &q); + ret = hx509_query_alloc(context->hx509ctx, &q); if (ret) { krb5_warnx(context, "PKINIT: out of memory"); return ENOMEM; @@ -1972,13 +1978,13 @@ _kdc_pk_initialize(krb5_context context, if (config->pkinit_kdc_friendly_name) hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name); - ret = hx509_certs_find(kdc_identity->hx509ctx, + ret = hx509_certs_find(context->hx509ctx, kdc_identity->certs, q, &cert); - hx509_query_free(kdc_identity->hx509ctx, q); + hx509_query_free(context->hx509ctx, q); if (ret == 0) { - if (hx509_cert_check_eku(kdc_identity->hx509ctx, cert, + if (hx509_cert_check_eku(context->hx509ctx, cert, &asn1_oid_id_pkkdcekuoid, 0)) { hx509_name name; char *str; diff --git a/source4/heimdal/kdc/windc.c b/source4/heimdal/kdc/windc.c index ab844e346c..0ef9cdb7ab 100644 --- a/source4/heimdal/kdc/windc.c +++ b/source4/heimdal/kdc/windc.c @@ -55,7 +55,7 @@ krb5_kdc_windc_init(krb5_context context) for (e = list; e != NULL; e = _krb5_plugin_get_next(e)) { windcft = _krb5_plugin_get_symbol(e); - if (windcft->minor_version < KRB5_WINDC_PLUGING_MINOR) + if (windcft->minor_version < KRB5_WINDC_PLUGIN_MINOR) continue; (*windcft->init)(context, &windcctx); diff --git a/source4/heimdal/kdc/windc_plugin.h b/source4/heimdal/kdc/windc_plugin.h index c7efb7b852..0ec8e066c7 100644 --- a/source4/heimdal/kdc/windc_plugin.h +++ b/source4/heimdal/kdc/windc_plugin.h @@ -72,6 +72,7 @@ typedef krb5_error_code #define KRB5_WINDC_PLUGING_MINOR 4 +#define KRB5_WINDC_PLUGIN_MINOR 4 typedef struct krb5plugin_windc_ftable { int minor_version; |
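Review bot: The `@@ -72,6 +72,7 @@` hunk in windc_plugin.h adds `#define KRB5_WINDC_PLUGIN_MINOR 4` next to the misspelled `#define KRB5_WINDC_PLUGING_MINOR 4` as two independent literals, so they can drift the next time the minor version is bumped, and the header does not say the old name is presumably kept for plugins built against it. Define the alias in terms of the new name and mark it: keep `#define KRB5_WINDC_PLUGIN_MINOR 4` and change the old line to `#define KRB5_WINDC_PLUGING_MINOR KRB5_WINDC_PLUGIN_MINOR /* deprecated misspelling, kept for existing plugins */`. The windc.c hunk above already switches the load check to `windcft->minor_version < KRB5_WINDC_PLUGIN_MINOR`, which is what gates plugin loading, so a drift between the two values would silently accept or reject plugins.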