authorAndrew Bartlett <abartlet@samba.org>2005-12-15 20:38:24 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:47:26 -0500
commitfbf106f6701c580f5839da575996de34fc953e1f (patch)
tree3691623409aab4ff0ede4b50cc4fcbfa255814f3 /source4/heimdal/kdc
parentd8966dcd7e88df9817c81434056628c0beff21e3 (diff)
r12269: Update to current lorikeet-heimdal. This changed the way the hdb
interface worked, so hdb-ldb.c and the glue have been updated. Andrew Bartlett (This used to be commit 8fd5224c6b5c17c3a2c04c7366b7e367012db77e)
Diffstat (limited to 'source4/heimdal/kdc')
-rw-r--r--source4/heimdal/kdc/524.c14
-rw-r--r--source4/heimdal/kdc/kaserver.c46
-rw-r--r--source4/heimdal/kdc/kdc-private.h151
-rw-r--r--source4/heimdal/kdc/kdc_locl.h26
-rw-r--r--source4/heimdal/kdc/kerberos4.c58
-rw-r--r--source4/heimdal/kdc/kerberos5.c135
-rw-r--r--source4/heimdal/kdc/misc.c67
7 files changed, 296 insertions, 201 deletions
diff --git a/source4/heimdal/kdc/524.c b/source4/heimdal/kdc/524.c
index 497539b2e0..1642975616 100644
--- a/source4/heimdal/kdc/524.c
+++ b/source4/heimdal/kdc/524.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$Id: 524.c,v 1.34 2005/06/30 01:47:35 lha Exp $");
+RCSID("$Id: 524.c,v 1.35 2005/12/13 19:42:37 lha Exp $");
#include <krb5-v4compat.h>
@@ -47,7 +47,7 @@ fetch_server (krb5_context context,
krb5_kdc_configuration *config,
const Ticket *t,
char **spn,
- hdb_entry **server,
+ hdb_entry_ex **server,
const char *from)
{
krb5_error_code ret;
@@ -221,7 +221,7 @@ static krb5_error_code
encode_524_response(krb5_context context,
krb5_kdc_configuration *config,
const char *spn, const EncTicketPart et,
- const Ticket *t, hdb_entry *server,
+ const Ticket *t, hdb_entry_ex *server,
EncryptedData *ticket, int *kvno)
{
krb5_error_code ret;
@@ -274,7 +274,7 @@ encode_524_response(krb5_context context,
"Failed to encrypt v4 ticket (%s)", spn);
return ret;
}
- *kvno = server->kvno;
+ *kvno = server->entry.kvno;
}
return 0;
@@ -293,7 +293,7 @@ _kdc_do_524(krb5_context context,
{
krb5_error_code ret = 0;
krb5_crypto crypto;
- hdb_entry *server = NULL;
+ hdb_entry_ex *server = NULL;
Key *skey;
krb5_data et_data;
EncTicketPart et;
@@ -316,7 +316,7 @@ _kdc_do_524(krb5_context context,
goto out;
}
- ret = hdb_enctype2key(context, server, t->enc_part.etype, &skey);
+ ret = hdb_enctype2key(context, &server->entry, t->enc_part.etype, &skey);
if(ret){
kdc_log(context, config, 0,
"No suitable key found for server (%s) from %s", spn, from);
diff --git a/source4/heimdal/kdc/kaserver.c b/source4/heimdal/kdc/kaserver.c
index 4a9bd87cb6..069af21660 100644
--- a/source4/heimdal/kdc/kaserver.c
+++ b/source4/heimdal/kdc/kaserver.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$Id: kaserver.c,v 1.30 2005/06/30 01:49:39 lha Exp $");
+RCSID("$Id: kaserver.c,v 1.31 2005/12/13 19:44:27 lha Exp $");
#include <krb5-v4compat.h>
#include <rx.h>
@@ -404,8 +404,8 @@ do_authenticate (krb5_context context,
time_t end_time;
krb5_data request;
int32_t max_seq_len;
- hdb_entry *client_entry = NULL;
- hdb_entry *server_entry = NULL;
+ hdb_entry_ex *client_entry = NULL;
+ hdb_entry_ex *server_entry = NULL;
Key *ckey = NULL;
Key *skey = NULL;
krb5_storage *reply_sp;
@@ -453,8 +453,8 @@ do_authenticate (krb5_context context,
}
ret = _kdc_check_flags (context, config,
- client_entry, client_name,
- server_entry, server_name,
+ &client_entry->entry, client_name,
+ &server_entry->entry, server_name,
TRUE);
if (ret) {
make_error_reply (hdr, KAPWEXPIRED, reply);
@@ -516,17 +516,17 @@ do_authenticate (krb5_context context,
time skew between client and server. Let's make sure it is postive */
if(max_life < 1)
max_life = 1;
- if (client_entry->max_life)
- max_life = min(max_life, *client_entry->max_life);
- if (server_entry->max_life)
- max_life = min(max_life, *server_entry->max_life);
+ if (client_entry->entry.max_life)
+ max_life = min(max_life, *client_entry->entry.max_life);
+ if (server_entry->entry.max_life)
+ max_life = min(max_life, *server_entry->entry.max_life);
life = krb_time_to_life(kdc_time, kdc_time + max_life);
create_reply_ticket (context,
hdr, skey,
name, instance, config->v4_realm,
- addr, life, server_entry->kvno,
+ addr, life, server_entry->entry.kvno,
max_seq_len,
"krbtgt", config->v4_realm,
chal + 1, "tgsT",
@@ -618,9 +618,9 @@ do_getticket (krb5_context context,
char *instance = NULL;
krb5_data times;
int32_t max_seq_len;
- hdb_entry *server_entry = NULL;
- hdb_entry *client_entry = NULL;
- hdb_entry *krbtgt_entry = NULL;
+ hdb_entry_ex *server_entry = NULL;
+ hdb_entry_ex *client_entry = NULL;
+ hdb_entry_ex *krbtgt_entry = NULL;
Key *kkey = NULL;
Key *skey = NULL;
DES_cblock key;
@@ -752,8 +752,8 @@ do_getticket (krb5_context context,
}
ret = _kdc_check_flags (context, config,
- client_entry, client_name,
- server_entry, server_name,
+ &client_entry->entry, client_name,
+ &server_entry->entry, server_name,
FALSE);
if (ret) {
make_error_reply (hdr, KAPWEXPIRED, reply);
@@ -789,21 +789,21 @@ do_getticket (krb5_context context,
time skew between client and server. Let's make sure it is postive */
if(max_life < 1)
max_life = 1;
- if (krbtgt_entry->max_life)
- max_life = min(max_life, *krbtgt_entry->max_life);
- if (server_entry->max_life)
- max_life = min(max_life, *server_entry->max_life);
+ if (krbtgt_entry->entry.max_life)
+ max_life = min(max_life, *krbtgt_entry->entry.max_life);
+ if (server_entry->entry.max_life)
+ max_life = min(max_life, *server_entry->entry.max_life);
/* if this is a cross realm request, the client_entry will likely
be NULL */
- if (client_entry && client_entry->max_life)
- max_life = min(max_life, *client_entry->max_life);
+ if (client_entry && client_entry->entry.max_life)
+ max_life = min(max_life, *client_entry->entry.max_life);
life = _krb5_krb_time_to_life(kdc_time, kdc_time + max_life);
create_reply_ticket (context,
hdr, skey,
ad.pname, ad.pinst, ad.prealm,
- addr, life, server_entry->kvno,
+ addr, life, server_entry->entry.kvno,
max_seq_len,
name, instance,
0, "gtkt",
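Review bot: In do_getticket the new argument `&client_entry->entry, client_name,` (the `_kdc_check_flags` call in the third hunk) is evaluated even when `client_entry` is NULL, which the comment a few lines further down says is likely for cross-realm requests and which the `client_entry &&` guard beside it confirms. Before this change a NULL `client_entry` reached `_kdc_check_flags` as NULL; now `&NULL->entry` is undefined behaviour and, unless `entry` happens to be the first member of `hdb_entry_ex`, it yields a non-null pointer that defeats any NULL check inside the callee, so a cross-realm request can take the KDC down. Pass `client_entry ? &client_entry->entry : NULL, client_name,` instead. The same pattern appears in kerberos4.c's TGS path (`&client->entry, client_name,` in the second `_kdc_check_flags` call, where `client && client->entry.max_life` shows client may be NULL) and in kerberos5.c tgs_rep2 (`&client->entry, cpn,`, where tgs_make_reply guards with `client &&`). do_getticket starts and ends outside the hunk.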
diff --git a/source4/heimdal/kdc/kdc-private.h b/source4/heimdal/kdc/kdc-private.h
new file mode 100644
index 0000000000..cfb76fd7b0
--- /dev/null
+++ b/source4/heimdal/kdc/kdc-private.h
@@ -0,0 +1,151 @@
+/* This is a generated file */
+#ifndef __kdc_private_h__
+#define __kdc_private_h__
+
+#include <stdarg.h>
+
+krb5_error_code
+_kdc_as_rep (
+ krb5_context /*context*/,
+ krb5_kdc_configuration */*config*/,
+ KDC_REQ */*req*/,
+ const krb5_data */*req_buffer*/,
+ krb5_data */*reply*/,
+ const char */*from*/,
+ struct sockaddr */*from_addr*/);
+
+krb5_error_code
+_kdc_check_flags (
+ krb5_context /*context*/,
+ krb5_kdc_configuration */*config*/,
+ hdb_entry */*client*/,
+ const char */*client_name*/,
+ hdb_entry */*server*/,
+ const char */*server_name*/,
+ krb5_boolean /*is_as_req*/);
+
+krb5_error_code
+_kdc_db_fetch (
+ krb5_context /*context*/,
+ krb5_kdc_configuration */*config*/,
+ krb5_principal /*principal*/,
+ enum hdb_ent_type,
+ hdb_entry_ex **/*h*/);
+
+krb5_error_code
+_kdc_db_fetch4 (
+ krb5_context /*context*/,
+ krb5_kdc_configuration */*config*/,
+ const char */*name*/,
+ const char */*instance*/,
+ const char */*realm*/,
+ enum hdb_ent_type /*ent_type*/,
+ hdb_entry_ex **/*ent*/);
+
+krb5_error_code
+_kdc_do_524 (
+ krb5_context /*context*/,
+ krb5_kdc_configuration */*config*/,
+ const Ticket */*t*/,
+ krb5_data */*reply*/,
+ const char */*from*/,
+ struct sockaddr */*addr*/);
+
+krb5_error_code
+_kdc_do_kaserver (
+ krb5_context /*context*/,
+ krb5_kdc_configuration */*config*/,
+ unsigned char */*buf*/,
+ size_t /*len*/,
+ krb5_data */*reply*/,
+ const char */*from*/,
+ struct sockaddr_in */*addr*/);
+
+krb5_error_code
+_kdc_do_version4 (
+ krb5_context /*context*/,
+ krb5_kdc_configuration */*config*/,
+ unsigned char */*buf*/,
+ size_t /*len*/,
+ krb5_data */*reply*/,
+ const char */*from*/,
+ struct sockaddr_in */*addr*/);
+
+krb5_error_code
+_kdc_encode_v4_ticket (
+ krb5_context /*context*/,
+ krb5_kdc_configuration */*config*/,
+ void */*buf*/,
+ size_t /*len*/,
+ const EncTicketPart */*et*/,
+ const PrincipalName */*service*/,
+ size_t */*size*/);
+
+void
+_kdc_free_ent (
+ krb5_context /*context*/,
+ hdb_entry_ex */*ent*/);
+
+krb5_error_code
+_kdc_get_des_key (
+ krb5_context /*context*/,
+ hdb_entry_ex */*principal*/,
+ krb5_boolean /*is_server*/,
+ krb5_boolean /*prefer_afs_key*/,
+ Key **/*ret_key*/);
+
+int
+_kdc_maybe_version4 (
+ unsigned char */*buf*/,
+ int /*len*/);
+
+krb5_error_code
+_kdc_pk_check_client (
+ krb5_context /*context*/,
+ krb5_kdc_configuration */*config*/,
+ krb5_principal /*client_princ*/,
+ const hdb_entry */*client*/,
+ pk_client_params */*client_params*/,
+ char **/*subject_name*/);
+
+void
+_kdc_pk_free_client_param (
+ krb5_context /*context*/,
+ pk_client_params */*client_params*/);
+
+krb5_error_code
+_kdc_pk_initialize (
+ krb5_context /*context*/,
+ krb5_kdc_configuration */*config*/,
+ const char */*user_id*/,
+ const char */*x509_anchors*/);
+
+krb5_error_code
+_kdc_pk_mk_pa_reply (
+ krb5_context /*context*/,
+ krb5_kdc_configuration */*config*/,
+ pk_client_params */*client_params*/,
+ const hdb_entry */*client*/,
+ const KDC_REQ */*req*/,
+ const krb5_data */*req_buffer*/,
+ krb5_keyblock **/*reply_key*/,
+ METHOD_DATA */*md*/);
+
+krb5_error_code
+_kdc_pk_rd_padata (
+ krb5_context /*context*/,
+ krb5_kdc_configuration */*config*/,
+ KDC_REQ */*req*/,
+ PA_DATA */*pa*/,
+ pk_client_params **/*ret_params*/);
+
+krb5_error_code
+_kdc_tgs_rep (
+ krb5_context /*context*/,
+ krb5_kdc_configuration */*config*/,
+ KDC_REQ */*req*/,
+ krb5_data */*data*/,
+ const char */*from*/,
+ struct sockaddr */*from_addr*/);
+
+#endif /* __kdc_private_h__ */
diff --git a/source4/heimdal/kdc/kdc_locl.h b/source4/heimdal/kdc/kdc_locl.h
index 8658d33b68..58cf1f4173 100644
--- a/source4/heimdal/kdc/kdc_locl.h
+++ b/source4/heimdal/kdc/kdc_locl.h
@@ -32,7 +32,7 @@
*/
/*
- * $Id: kdc_locl.h,v 1.73 2005/08/15 11:07:25 lha Exp $
+ * $Id: kdc_locl.h,v 1.74 2005/12/12 12:23:33 lha Exp $
*/
#ifndef __KDC_LOCL_H__
@@ -41,6 +41,9 @@
#include "headers.h"
#include "kdc.h"
+typedef struct pk_client_params pk_client_params;
+#include <kdc-private.h>
+
extern sig_atomic_t exit_flag;
extern size_t max_request;
extern const char *port_str;
@@ -68,20 +71,13 @@ krb5_kdc_configuration *
configure(krb5_context context, int argc, char **argv);
krb5_error_code
-_kdc_db_fetch(krb5_context, krb5_kdc_configuration *,
- krb5_principal, enum hdb_ent_type, hdb_entry **);
-
-krb5_error_code
-_kdc_db_fetch_ex(krb5_context context,
- krb5_kdc_configuration *config,
- krb5_principal principal, enum hdb_ent_type ent_type,
- hdb_entry_ex **h);
-
-void
-_kdc_free_ent(krb5_context context, hdb_entry *);
+_kdc_db_fetch(krb5_context context,
+ krb5_kdc_configuration *config,
+ krb5_principal principal, enum hdb_ent_type ent_type,
+ hdb_entry_ex **h);
void
-_kdc_free_ent_ex(krb5_context context, hdb_entry_ex *ent);
+_kdc_free_ent(krb5_context context, hdb_entry_ex *ent);
void
loop(krb5_context context, krb5_kdc_configuration *config);
@@ -99,7 +95,7 @@ _kdc_check_flags(krb5_context context,
krb5_boolean is_as_req);
krb5_error_code
-_kdc_get_des_key(krb5_context context, hdb_entry*,
+_kdc_get_des_key(krb5_context context, hdb_entry_ex*,
krb5_boolean, krb5_boolean, Key**);
krb5_error_code
@@ -145,7 +141,7 @@ void _kdc_pk_free_client_param(krb5_context, pk_client_params *);
krb5_error_code
_kdc_db_fetch4 (krb5_context context,
krb5_kdc_configuration *config,
- const char*, const char*, const char*, enum hdb_ent_type, hdb_entry**);
+ const char*, const char*, const char*, enum hdb_ent_type, hdb_entry_ex**);
krb5_error_code
_kdc_do_version4 (krb5_context context,
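Review bot: With `#include <kdc-private.h>` now pulled in, the hand-maintained prototypes that remain in this header (`_kdc_db_fetch`, `_kdc_free_ent`, `_kdc_get_des_key`, `_kdc_db_fetch4`, and the `_kdc_check_flags` one above the third hunk) duplicate declarations in the generated file. They agree today, but two copies will drift the next time the hdb interface changes; consider dropping the duplicates here so the generated header is the only source of truth. A header sitting in the same directory is also conventionally included with quotes, `#include "kdc-private.h"`, as `"kdc_locl.h"` already is, so the including file's directory is searched before the system include path.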
diff --git a/source4/heimdal/kdc/kerberos4.c b/source4/heimdal/kdc/kerberos4.c
index a81fbb7b59..72ea41d9e6 100644
--- a/source4/heimdal/kdc/kerberos4.c
+++ b/source4/heimdal/kdc/kerberos4.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -35,7 +35,7 @@
#include <krb5-v4compat.h>
-RCSID("$Id: kerberos4.c,v 1.54 2005/06/30 01:51:43 lha Exp $");
+RCSID("$Id: kerberos4.c,v 1.56 2005/12/13 19:44:01 lha Exp $");
#ifndef swap32
static u_int32_t
@@ -70,7 +70,7 @@ valid_princ(krb5_context context,
krb5_kdc_configuration *config = funcctx;
krb5_error_code ret;
char *s;
- hdb_entry *ent;
+ hdb_entry_ex *ent;
ret = krb5_unparse_name(context, princ, &s);
if (ret)
@@ -93,7 +93,7 @@ _kdc_db_fetch4(krb5_context context,
krb5_kdc_configuration *config,
const char *name, const char *instance, const char *realm,
enum hdb_ent_type ent_type,
- hdb_entry **ent)
+ hdb_entry_ex **ent)
{
krb5_principal p;
krb5_error_code ret;
@@ -126,7 +126,7 @@ _kdc_do_version4(krb5_context context,
{
krb5_storage *sp;
krb5_error_code ret;
- hdb_entry *client = NULL, *server = NULL;
+ hdb_entry_ex *client = NULL, *server = NULL;
Key *ckey, *skey;
int8_t pvno;
int8_t msg_type;
@@ -201,8 +201,8 @@ _kdc_do_version4(krb5_context context,
}
ret = _kdc_check_flags (context, config,
- client, client_name,
- server, server_name,
+ &client->entry, client_name,
+ &server->entry, server_name,
TRUE);
if (ret) {
/* good error code? */
@@ -217,8 +217,8 @@ _kdc_do_version4(krb5_context context,
*/
if (config->require_preauth
- || client->flags.require_preauth
- || server->flags.require_preauth) {
+ || client->entry.flags.require_preauth
+ || server->entry.flags.require_preauth) {
kdc_log(context, config, 0,
"Pre-authentication required for v4-request: "
"%s for %s",
@@ -240,7 +240,7 @@ _kdc_do_version4(krb5_context context,
/* this is not necessary with the new code in libkrb */
/* find a properly salted key */
while(ckey->salt == NULL || ckey->salt->salt.length != 0)
- ret = hdb_next_keytype2key(context, client, KEYTYPE_DES, &ckey);
+ ret = hdb_next_keytype2key(context, &client->entry, KEYTYPE_DES, &ckey);
if(ret){
kdc_log(context, config, 0, "No version-4 salted key in database -- %s.%s@%s",
name, inst, realm);
@@ -260,10 +260,10 @@ _kdc_do_version4(krb5_context context,
}
max_life = _krb5_krb_life_to_time(0, life);
- if(client->max_life)
- max_life = min(max_life, *client->max_life);
- if(server->max_life)
- max_life = min(max_life, *server->max_life);
+ if(client->entry.max_life)
+ max_life = min(max_life, *client->entry.max_life);
+ if(server->entry.max_life)
+ max_life = min(max_life, *server->entry.max_life);
life = krb_time_to_life(kdc_time, kdc_time + max_life);
@@ -302,7 +302,7 @@ _kdc_do_version4(krb5_context context,
sinst,
config->v4_realm,
life,
- server->kvno % 255,
+ server->entry.kvno % 255,
&ticket,
kdc_time,
&ckey->key,
@@ -321,8 +321,8 @@ _kdc_do_version4(krb5_context context,
realm,
req_time,
0,
- client->pw_end ? *client->pw_end : 0,
- client->kvno % 256,
+ client->entry.pw_end ? *client->entry.pw_end : 0,
+ client->entry.kvno % 256,
&cipher,
reply);
krb5_data_free(&cipher);
@@ -339,7 +339,7 @@ _kdc_do_version4(krb5_context context,
int32_t address;
size_t pos;
krb5_principal tgt_princ = NULL;
- hdb_entry *tgt = NULL;
+ hdb_entry_ex *tgt = NULL;
Key *tkey;
time_t max_end, actual_end, issue_time;
@@ -373,10 +373,10 @@ _kdc_do_version4(krb5_context context,
goto out2;
}
- if(tgt->kvno % 256 != kvno){
+ if(tgt->entry.kvno % 256 != kvno){
kdc_log(context, config, 0,
"tgs-req (krb4) with old kvno %d (current %d) for "
- "krbtgt.%s@%s", kvno, tgt->kvno % 256,
+ "krbtgt.%s@%s", kvno, tgt->entry.kvno % 256,
realm, config->v4_realm);
make_err_reply(context, reply, KDC_AUTH_EXP,
"old krbtgt kvno used");
@@ -489,8 +489,8 @@ _kdc_do_version4(krb5_context context,
}
ret = _kdc_check_flags (context, config,
- client, client_name,
- server, server_name,
+ &client->entry, client_name,
+ &server->entry, server_name,
FALSE);
if (ret) {
/* good error code? */
@@ -511,10 +511,10 @@ _kdc_do_version4(krb5_context context,
max_end = _krb5_krb_life_to_time(ad.time_sec, ad.life);
max_end = min(max_end, _krb5_krb_life_to_time(kdc_time, life));
- if(server->max_life)
- max_end = min(max_end, kdc_time + *server->max_life);
- if(client && client->max_life)
- max_end = min(max_end, kdc_time + *client->max_life);
+ if(server->entry.max_life)
+ max_end = min(max_end, kdc_time + *server->entry.max_life);
+ if(client && client->entry.max_life)
+ max_end = min(max_end, kdc_time + *client->entry.max_life);
life = min(life, krb_time_to_life(kdc_time, max_end));
issue_time = kdc_time;
@@ -571,7 +571,7 @@ _kdc_do_version4(krb5_context context,
sinst,
config->v4_realm,
life,
- server->kvno % 255,
+ server->entry.kvno % 255,
&ticket,
issue_time,
&ad.session,
@@ -721,7 +721,7 @@ _kdc_encode_v4_ticket(krb5_context context,
krb5_error_code
_kdc_get_des_key(krb5_context context,
- hdb_entry *principal, krb5_boolean is_server,
+ hdb_entry_ex *principal, krb5_boolean is_server,
krb5_boolean prefer_afs_key, Key **ret_key)
{
Key *v5_key = NULL, *v4_key = NULL, *afs_key = NULL, *server_key = NULL;
@@ -736,7 +736,7 @@ _kdc_get_des_key(krb5_context context,
afs_key == NULL || server_key == NULL);
++i) {
Key *key = NULL;
- while(hdb_next_enctype2key(context, principal, etypes[i], &key) == 0) {
+ while(hdb_next_enctype2key(context, &principal->entry, etypes[i], &key) == 0) {
if(key->salt == NULL) {
if(v5_key == NULL)
v5_key = key;
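Review bot: The rewritten line `ret = hdb_next_keytype2key(context, &client->entry, KEYTYPE_DES, &ckey);` is the whole body of a `while` whose condition dereferences `ckey`, and `ret` is only inspected after the loop exits. If the lookup fails, the outcome depends on whether `hdb_next_keytype2key` leaves `ckey` unchanged (the loop never terminates) or clears it (the condition dereferences NULL); either way a client with no empty-salt DES key never reaches the `if(ret)` that follows. Brace the loop and leave on error: `{ ret = hdb_next_keytype2key(context, &client->entry, KEYTYPE_DES, &ckey); if (ret) break; }` — the callee is not visible here, so confirm its failure contract first. `_kdc_do_version4` starts and ends outside the hunk.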
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 6f6203a92c..a0136ba425 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$Id: kerberos5.c,v 1.198 2005/11/28 20:33:57 lha Exp $");
+RCSID("$Id: kerberos5.c,v 1.201 2005/12/14 12:17:58 lha Exp $");
#define MAX_TIME ((time_t)((1U << 31) - 1))
@@ -88,7 +88,7 @@ find_padata(KDC_REQ *req, int *start, int type)
*/
static krb5_error_code
-find_etype(krb5_context context, hdb_entry *princ,
+find_etype(krb5_context context, const hdb_entry_ex *princ,
krb5_enctype *etypes, unsigned len,
Key **ret_key, krb5_enctype *ret_etype)
{
@@ -101,7 +101,7 @@ find_etype(krb5_context context, hdb_entry *princ,
if (krb5_enctype_valid(context, etypes[i]) != 0)
continue;
- while (hdb_next_enctype2key(context, princ, etypes[i], &key) == 0) {
+ while (hdb_next_enctype2key(context, &princ->entry, etypes[i], &key) == 0) {
if (key->key.keyvalue.length == 0) {
ret = KRB5KDC_ERR_NULL_KEY;
continue;
@@ -119,8 +119,8 @@ find_etype(krb5_context context, hdb_entry *princ,
static krb5_error_code
find_keys(krb5_context context,
krb5_kdc_configuration *config,
- hdb_entry *client,
- hdb_entry *server,
+ const hdb_entry_ex *client,
+ const hdb_entry_ex *server,
Key **ckey,
krb5_enctype *cetype,
Key **skey,
@@ -136,7 +136,7 @@ find_keys(krb5_context context,
/* find client key */
ret = find_etype(context, client, etypes, num_etypes, ckey, cetype);
if (ret) {
- if (krb5_unparse_name(context, client->principal, &name) != 0)
+ if (krb5_unparse_name(context, client->entry.principal, &name) != 0)
name = unparse_name;
kdc_log(context, config, 0,
"Client (%s) has no support for etypes", name);
@@ -150,7 +150,7 @@ find_keys(krb5_context context,
/* find server key */
ret = find_etype(context, server, etypes, num_etypes, skey, setype);
if (ret) {
- if (krb5_unparse_name(context, server->principal, &name) != 0)
+ if (krb5_unparse_name(context, server->entry.principal, &name) != 0)
name = unparse_name;
kdc_log(context, config, 0,
"Server (%s) has no support for etypes", name);
@@ -805,7 +805,7 @@ _kdc_as_rep(krb5_context context,
AS_REP rep;
KDCOptions f = b->kdc_options;
hdb_entry_ex *client = NULL;
- hdb_entry *server = NULL;
+ hdb_entry_ex *server = NULL;
krb5_enctype cetype, setype;
EncTicketPart et;
EncKDCRepPart ek;
@@ -851,7 +851,7 @@ _kdc_as_rep(krb5_context context,
kdc_log(context, config, 0, "AS-REQ %s from %s for %s",
client_name, from, server_name);
- ret = _kdc_db_fetch_ex(context, config, client_princ, HDB_ENT_TYPE_CLIENT, &client);
+ ret = _kdc_db_fetch(context, config, client_princ, HDB_ENT_TYPE_CLIENT, &client);
if(ret){
kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name,
krb5_get_err_text(context, ret));
@@ -869,7 +869,7 @@ _kdc_as_rep(krb5_context context,
ret = _kdc_check_flags(context, config,
&client->entry, client_name,
- server, server_name,
+ &server->entry, server_name,
TRUE);
if(ret)
goto out;
@@ -920,7 +920,7 @@ _kdc_as_rep(krb5_context context,
ret = _kdc_pk_check_client(context,
config,
client_princ,
- &client->entry,
+ client,
pkp,
&client_cert);
if (ret) {
@@ -969,7 +969,8 @@ _kdc_as_rep(krb5_context context,
goto out;
}
- ret = hdb_enctype2key(context, &client->entry, enc_data.etype, &pa_key);
+ ret = hdb_enctype2key(context, &client->entry,
+ enc_data.etype, &pa_key);
if(ret){
char *estr;
e_text = "No key matches pa-data";
@@ -1076,7 +1077,7 @@ _kdc_as_rep(krb5_context context,
}
}else if (config->require_preauth
|| client->entry.flags.require_preauth
- || server->flags.require_preauth) {
+ || server->entry.flags.require_preauth) {
METHOD_DATA method_data;
PA_DATA *pa;
unsigned char *buf;
@@ -1110,11 +1111,12 @@ _kdc_as_rep(krb5_context context,
*/
/* XXX check ret */
if (only_older_enctype_p(req))
- ret = get_pa_etype_info(context, config, &method_data, &client->entry,
+ ret = get_pa_etype_info(context, config,
+ &method_data, &client->entry,
b->etype.val, b->etype.len);
/* XXX check ret */
- ret = get_pa_etype_info2(context, config, &method_data, &client->entry,
- b->etype.val, b->etype.len);
+ ret = get_pa_etype_info2(context, config, &method_data,
+ &client->entry, b->etype.val, b->etype.len);
ASN1_MALLOC_ENCODE(METHOD_DATA, buf, len, &method_data, &len, ret);
@@ -1141,7 +1143,7 @@ _kdc_as_rep(krb5_context context,
}
ret = find_keys(context, config,
- &client->entry, server, &ckey, &cetype, &skey, &setype,
+ client, server, &ckey, &cetype, &skey, &setype,
b->etype.val, b->etype.len);
if(ret) {
kdc_log(context, config, 0, "Server/client has no support for etypes");
@@ -1213,12 +1215,12 @@ _kdc_as_rep(krb5_context context,
_krb5_principal2principalname(&rep.cname,
client->entry.principal);
rep.ticket.tkt_vno = 5;
- copy_Realm(&server->principal->realm, &rep.ticket.realm);
+ copy_Realm(&server->entry.principal->realm, &rep.ticket.realm);
_krb5_principal2principalname(&rep.ticket.sname,
- server->principal);
+ server->entry.principal);
et.flags.initial = 1;
- if(client->entry.flags.forwardable && server->flags.forwardable)
+ if(client->entry.flags.forwardable && server->entry.flags.forwardable)
et.flags.forwardable = f.forwardable;
else if (f.forwardable) {
ret = KRB5KDC_ERR_POLICY;
@@ -1226,7 +1228,7 @@ _kdc_as_rep(krb5_context context,
"Ticket may not be forwardable -- %s", client_name);
goto out;
}
- if(client->entry.flags.proxiable && server->flags.proxiable)
+ if(client->entry.flags.proxiable && server->entry.flags.proxiable)
et.flags.proxiable = f.proxiable;
else if (f.proxiable) {
ret = KRB5KDC_ERR_POLICY;
@@ -1234,7 +1236,7 @@ _kdc_as_rep(krb5_context context,
"Ticket may not be proxiable -- %s", client_name);
goto out;
}
- if(client->entry.flags.postdate && server->flags.postdate)
+ if(client->entry.flags.postdate && server->entry.flags.postdate)
et.flags.may_postdate = f.allow_postdate;
else if (f.allow_postdate){
ret = KRB5KDC_ERR_POLICY;
@@ -1274,8 +1276,8 @@ _kdc_as_rep(krb5_context context,
if(client->entry.max_life)
t = start + min(t - start, *client->entry.max_life);
- if(server->max_life)
- t = start + min(t - start, *server->max_life);
+ if(server->entry.max_life)
+ t = start + min(t - start, *server->entry.max_life);
#if 0
t = min(t, start + realm->max_life);
#endif
@@ -1295,8 +1297,8 @@ _kdc_as_rep(krb5_context context,
t = MAX_TIME;
if(client->entry.max_renew)
t = start + min(t - start, *client->entry.max_renew);
- if(server->max_renew)
- t = start + min(t - start, *server->max_renew);
+ if(server->entry.max_renew)
+ t = start + min(t - start, *server->entry.max_renew);
#if 0
t = min(t, start + realm->max_renew);
#endif
@@ -1352,7 +1354,8 @@ _kdc_as_rep(krb5_context context,
ALLOC(ek.key_expiration);
if (client->entry.valid_end) {
if (client->entry.pw_end)
- *ek.key_expiration = min(*client->entry.valid_end, *client->entry.pw_end);
+ *ek.key_expiration = min(*client->entry.valid_end,
+ *client->entry.pw_end);
else
*ek.key_expiration = *client->entry.valid_end;
} else
@@ -1415,7 +1418,7 @@ _kdc_as_rep(krb5_context context,
et.endtime, et.renew_till);
ret = encode_reply(context, config,
- &rep, &et, &ek, setype, server->kvno, &skey->key,
+ &rep, &et, &ek, setype, server->entry.kvno, &skey->key,
client->entry.kvno, reply_key, &e_text, reply);
free_EncTicketPart(&et);
free_EncKDCRepPart(&ek);
@@ -1445,7 +1448,7 @@ _kdc_as_rep(krb5_context context,
krb5_free_principal(context, server_princ);
free(server_name);
if(client)
- _kdc_free_ent_ex(context, client);
+ _kdc_free_ent(context, client);
if(server)
_kdc_free_ent(context, server);
return ret;
@@ -1697,9 +1700,9 @@ tgs_make_reply(krb5_context context,
AuthorizationData *auth_data,
krb5_ticket *tgs_ticket,
hdb_entry_ex *server,
- hdb_entry *client,
+ hdb_entry_ex *client,
krb5_principal client_principal,
- hdb_entry *krbtgt,
+ hdb_entry_ex *krbtgt,
EncryptionKey *tgtkey,
krb5_enctype cetype,
const char **e_text,
@@ -1717,21 +1720,18 @@ tgs_make_reply(krb5_context context,
if(adtkt) {
int i;
- krb5_keytype kt;
ekey = &adtkt->key;
- for(i = 0; i < b->etype.len; i++){
- ret = krb5_enctype_to_keytype(context, b->etype.val[i], &kt);
- if(ret)
- continue;
- if(adtkt->key.keytype == kt)
+ for(i = 0; i < b->etype.len; i++)
+ if (b->etype.val[i] == adtkt->key.keytype)
break;
- }
- if(i == b->etype.len)
+ if(i == b->etype.len) {
+ krb5_clear_error_string(context);
return KRB5KDC_ERR_ETYPE_NOSUPP;
+ }
etype = b->etype.val[i];
}else{
ret = find_keys(context, config,
- NULL, &server->entry, NULL, NULL, &skey, &etype,
+ NULL, server, NULL, NULL, &skey, &etype,
b->etype.val, b->etype.len);
if(ret) {
kdc_log(context, config, 0, "Server has no support for etypes");
@@ -1786,7 +1786,7 @@ tgs_make_reply(krb5_context context,
&tgt->transited, &et,
*krb5_princ_realm(context, client_principal),
*krb5_princ_realm(context, server->entry.principal),
- *krb5_princ_realm(context, krbtgt->principal));
+ *krb5_princ_realm(context, krbtgt->entry.principal));
if(ret)
goto out;
@@ -1807,8 +1807,8 @@ tgs_make_reply(krb5_context context,
{
time_t life;
life = et.endtime - *et.starttime;
- if(client && client->max_life)
- life = min(life, *client->max_life);
+ if(client && client->entry.max_life)
+ life = min(life, *client->entry.max_life);
if(server->entry.max_life)
life = min(life, *server->entry.max_life);
et.endtime = *et.starttime + life;
@@ -1822,8 +1822,8 @@ tgs_make_reply(krb5_context context,
if(et.renew_till){
time_t renew;
renew = *et.renew_till - et.authtime;
- if(client && client->max_renew)
- renew = min(renew, *client->max_renew);
+ if(client && client->entry.max_renew)
+ renew = min(renew, *client->entry.max_renew);
if(server->entry.max_renew)
renew = min(renew, *server->entry.max_renew);
*et.renew_till = et.authtime + renew;
@@ -1902,8 +1902,8 @@ tgs_make_reply(krb5_context context,
etype list, even if we don't want a session key with
DES3? */
ret = encode_reply(context, config,
- &rep, &et, &ek, etype, adtkt ? 0 : server->entry.kvno, ekey,
- 0, &tgt->key, e_text, reply);
+ &rep, &et, &ek, etype, adtkt ? 0 : server->entry.kvno,
+ ekey, 0, &tgt->key, e_text, reply);
out:
free_TGS_REP(&rep);
free_TransitedEncoding(&et.transited);
@@ -2053,7 +2053,7 @@ tgs_rep2(krb5_context context,
const char *e_text = NULL;
krb5_crypto crypto;
- hdb_entry *krbtgt = NULL;
+ hdb_entry_ex *krbtgt = NULL;
EncTicketPart *tgt;
Key *tkey;
krb5_enctype cetype;
@@ -2101,7 +2101,7 @@ tgs_rep2(krb5_context context,
}
if(ap_req.ticket.enc_part.kvno &&
- *ap_req.ticket.enc_part.kvno != krbtgt->kvno){
+ *ap_req.ticket.enc_part.kvno != krbtgt->entry.kvno){
char *p;
ret = krb5_unparse_name (context, princ, &p);
@@ -2111,7 +2111,7 @@ tgs_rep2(krb5_context context,
kdc_log(context, config, 0,
"Ticket kvno = %d, DB kvno = %d (%s)",
*ap_req.ticket.enc_part.kvno,
- krbtgt->kvno,
+ krbtgt->entry.kvno,
p);
if (ret == 0)
free (p);
@@ -2119,13 +2119,16 @@ tgs_rep2(krb5_context context,
goto out2;
}
- ret = hdb_enctype2key(context, krbtgt, ap_req.ticket.enc_part.etype, &tkey);
+ ret = hdb_enctype2key(context, &krbtgt->entry,
+ ap_req.ticket.enc_part.etype, &tkey);
if(ret){
- char *str;
+ char *str, *p;
krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
+ krb5_unparse_name(context, princ, &p);
kdc_log(context, config, 0,
- "No server key found for %s", str);
+ "No server key with enctype %s found for %s", str, p);
free(str);
+ free(p);
ret = KRB5KRB_AP_ERR_BADKEYVER;
goto out2;
}
@@ -2252,8 +2255,7 @@ tgs_rep2(krb5_context context,
PrincipalName *s;
Realm r;
char *spn = NULL, *cpn = NULL;
- hdb_entry_ex *server = NULL;
- hdb_entry *client = NULL;
+ hdb_entry_ex *server = NULL, *client = NULL;
int nloop = 0;
EncTicketPart adtkt;
char opt_str[128];
@@ -2262,7 +2264,7 @@ tgs_rep2(krb5_context context,
r = b->realm;
if(b->kdc_options.enc_tkt_in_skey){
Ticket *t;
- hdb_entry *uu;
+ hdb_entry_ex *uu;
krb5_principal p;
Key *uukey;
@@ -2288,13 +2290,15 @@ tgs_rep2(krb5_context context,
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto out;
}
- ret = hdb_enctype2key(context, uu, t->enc_part.etype, &uukey);
+ ret = hdb_enctype2key(context, &uu->entry,
+ t->enc_part.etype, &uukey);
if(ret){
+ _kdc_free_ent(context, uu);
ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
goto out;
}
ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0);
-
+ _kdc_free_ent(context, uu);
if(ret)
goto out;
s = &adtkt.cname;
@@ -2320,7 +2324,7 @@ tgs_rep2(krb5_context context,
kdc_log(context, config, 0,
"TGS-REQ %s from %s for %s", cpn, from, spn);
server_lookup:
- ret = _kdc_db_fetch_ex(context, config, sp, HDB_ENT_TYPE_SERVER, &server);
+ ret = _kdc_db_fetch(context, config, sp, HDB_ENT_TYPE_SERVER, &server);
if(ret){
const char *new_rlm;
@@ -2386,9 +2390,9 @@ tgs_rep2(krb5_context context,
#endif
if(strcmp(krb5_principal_get_realm(context, sp),
- krb5_principal_get_comp_string(context, krbtgt->principal, 1)) != 0) {
+ krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1)) != 0) {
char *tpn;
- ret = krb5_unparse_name(context, krbtgt->principal, &tpn);
+ ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
kdc_log(context, config, 0,
"Request with wrong krbtgt: %s",
(ret == 0) ? tpn : "<unknown>");
@@ -2400,7 +2404,7 @@ tgs_rep2(krb5_context context,
}
ret = _kdc_check_flags(context, config,
- client, cpn,
+ &client->entry, cpn,
&server->entry, spn,
FALSE);
if(ret)
@@ -2408,7 +2412,7 @@ tgs_rep2(krb5_context context,
if((b->kdc_options.validate || b->kdc_options.renew) &&
!krb5_principal_compare(context,
- krbtgt->principal,
+ krbtgt->entry.principal,
server->entry.principal)){
kdc_log(context, config, 0, "Inconsistent request.");
ret = KRB5KDC_ERR_SERVER_NOMATCH;
@@ -2422,7 +2426,8 @@ tgs_rep2(krb5_context context,
goto out;
}
- ret = tgs_make_reply(context, config,
+ ret = tgs_make_reply(context,
+ config,
b,
tgt,
b->kdc_options.enc_tkt_in_skey ? &adtkt : NULL,
@@ -2442,7 +2447,7 @@ tgs_rep2(krb5_context context,
free(cpn);
if(server)
- _kdc_free_ent_ex(context, server);
+ _kdc_free_ent(context, server);
if(client)
_kdc_free_ent(context, client);
}
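Review bot: In the new error branch of tgs_rep2 (the `hdb_enctype2key` hunk), `krb5_unparse_name(context, princ, &p);` is called without checking its result and `p` is declared uninitialized, so on failure an indeterminate pointer is formatted with `%s` and then handed to `free(p)`. The same function already handles this a few lines earlier (`ret = krb5_unparse_name (context, princ, &p); ... if (ret == 0) free (p);`) and the file uses `"<unknown>"` as the fallback name, so the new branch should follow that pattern; `krb5_enctype_to_string`'s result is unchecked as well, and whether it leaves `str` NULL on failure is not visible here. Separately, `_kdc_pk_check_client` is now passed `client` (an `hdb_entry_ex *`) while the generated kdc-private.h declares that parameter as `const hdb_entry *`; pkinit.c is not in this diff so I cannot tell which side is right, but the two must be reconciled or the call is an incompatible-pointer pass. tgs_rep2 starts and ends outside the hunk.
```c
    if(ret){
	char *str = NULL, *p = NULL;
	krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
	if (krb5_unparse_name(context, princ, &p) != 0)
	    p = NULL;
	kdc_log(context, config, 0,
		"No server key with enctype %s found for %s",
		str ? str : "<unknown>", p ? p : "<unknown>");
	free(str);
	free(p);
	/* … unchanged: ret = KRB5KRB_AP_ERR_BADKEYVER; goto out2; … */
```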
diff --git a/source4/heimdal/kdc/misc.c b/source4/heimdal/kdc/misc.c
index b14bb50ea5..3027d32cfc 100644
--- a/source4/heimdal/kdc/misc.c
+++ b/source4/heimdal/kdc/misc.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$Id: misc.c,v 1.25 2005/06/30 01:53:48 lha Exp $");
+RCSID("$Id: misc.c,v 1.26 2005/12/12 12:37:31 lha Exp $");
struct timeval _kdc_now;
@@ -41,16 +41,15 @@ krb5_error_code
_kdc_db_fetch(krb5_context context,
krb5_kdc_configuration *config,
krb5_principal principal, enum hdb_ent_type ent_type,
- hdb_entry **h)
+ hdb_entry_ex **h)
{
- hdb_entry *ent;
+ hdb_entry_ex *ent;
krb5_error_code ret = HDB_ERR_NOENTRY;
int i;
ent = malloc (sizeof (*ent));
if (ent == NULL)
return ENOMEM;
- ent->principal = principal;
for(i = 0; i < config->num_db; i++) {
ret = config->db[i]->hdb_open(context, config->db[i], O_RDONLY, 0);
@@ -76,65 +75,9 @@ _kdc_db_fetch(krb5_context context,
}
void
-_kdc_free_ent(krb5_context context, hdb_entry *ent)
+_kdc_free_ent(krb5_context context, hdb_entry_ex *ent)
{
hdb_free_entry (context, ent);
free (ent);
}
-krb5_error_code
-_kdc_db_fetch_ex(krb5_context context,
- krb5_kdc_configuration *config,
- krb5_principal principal, enum hdb_ent_type ent_type,
- hdb_entry_ex **h)
-{
- hdb_entry_ex *ent;
- krb5_error_code ret = HDB_ERR_NOENTRY;
- int i;
-
- ent = malloc (sizeof (*ent));
- if (ent == NULL)
- return ENOMEM;
- memset(ent, '\0', sizeof(*ent));
-
- ent->entry.principal = principal;
-
- for(i = 0; i < config->num_db; i++) {
- ret = config->db[i]->hdb_open(context, config->db[i], O_RDONLY, 0);
- if (ret) {
- kdc_log(context, config, 0, "Failed to open database: %s",
- krb5_get_err_text(context, ret));
- continue;
- }
- if (config->db[i]->hdb_fetch_ex) {
- ret = config->db[i]->hdb_fetch_ex(context,
- config->db[i],
- HDB_F_DECRYPT,
- principal,
- ent_type,
- ent);
- } else {
- ret = config->db[i]->hdb_fetch(context,
- config->db[i],
- HDB_F_DECRYPT,
- principal,
- ent_type,
- &ent->entry);
- }
- config->db[i]->hdb_close(context, config->db[i]);
- if(ret == 0) {
- *h = ent;
- return 0;
- }
- }
- free(ent);
- return ret;
-}
-
-void
-_kdc_free_ent_ex(krb5_context context, hdb_entry_ex *ent)
-{
- hdb_free_entry_ex (context, ent);
- free (ent);
-}
-
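Review bot: `_kdc_db_fetch` now allocates an `hdb_entry_ex` with `malloc (sizeof (*ent))` but, unlike the `_kdc_db_fetch_ex` it replaces, no longer zeroes it: the removed function did `memset(ent, '\0', sizeof(*ent));` before handing the struct to the backend, and `ent->principal = principal;` is dropped without a replacement for `ent->entry.principal`. Any `hdb_entry_ex` member the backend does not write (presumably the wrapper fields around `entry`) is therefore indeterminate by the time `_kdc_free_ent` calls `hdb_free_entry (context, ent)` on it — and that call is unchanged while `ent` changed type, so it also relies on the new hdb interface's `hdb_free_entry` accepting an `hdb_entry_ex *`. Add `memset(ent, 0, sizeof(*ent));` after the allocation (or use `calloc`) and restore `ent->entry.principal = principal;` if the fetch loop still relies on it. The middle of `_kdc_db_fetch` lies between the two hunks, so I cannot see whether it dispatches to `hdb_fetch_ex` or `hdb_fetch`.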