diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2006-05-07 04:51:30 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 14:05:39 -0500 |
| commit | 835926c87921a0f4186a9331b6e31b2e6f1c0d90 (patch) | |
| tree | 1086d806019f4f7a86dc7b0073017a0fb876b6c2 /source4/heimdal/kdc | |
| parent | 7a0b65efce3669643d21a2e209d4bf2626a5e948 (diff) | |
| download | samba-835926c87921a0f4186a9331b6e31b2e6f1c0d90.tar.gz samba-835926c87921a0f4186a9331b6e31b2e6f1c0d90.tar.bz2 samba-835926c87921a0f4186a9331b6e31b2e6f1c0d90.zip | |
r15481: Update heimdal/ to match current lorikeet-heimdal.
This includes many useful upstream changes, many of which should
reduce warnings in our compile.
It also includes a change to the HDB interface, which removes the need
for Samba4/lorikeet-heimdal to deviate from upstream for hdb_fetch().
The new flags replace the old entry type enum.
(This required the rework in hdb-ldb.c included in this commit)
Andrew Bartlett
(This used to be commit ef5604b87744c89e66e4d845f45b23563754ec05)
Diffstat (limited to 'source4/heimdal/kdc')
| -rw-r--r-- | source4/heimdal/kdc/524.c | 6 | ||||
| -rw-r--r-- | source4/heimdal/kdc/kaserver.c | 119 | ||||
| -rw-r--r-- | source4/heimdal/kdc/kdc-private.h | 6 | ||||
| -rw-r--r-- | source4/heimdal/kdc/kdc.h | 3 | ||||
| -rw-r--r-- | source4/heimdal/kdc/kerberos4.c | 60 | ||||
| -rw-r--r-- | source4/heimdal/kdc/kerberos5.c | 87 | ||||
| -rw-r--r-- | source4/heimdal/kdc/misc.c | 12 | ||||
| -rwxr-xr-x | source4/heimdal/kdc/pkinit.c | 208 | ||||
| -rw-r--r-- | source4/heimdal/kdc/rx.h | 16 |
9 files changed, 331 insertions, 186 deletions
diff --git a/source4/heimdal/kdc/524.c b/source4/heimdal/kdc/524.c index 9fcf40a4c2..14969aaa52 100644 --- a/source4/heimdal/kdc/524.c +++ b/source4/heimdal/kdc/524.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: 524.c,v 1.36 2006/04/07 22:12:28 lha Exp $"); +RCSID("$Id: 524.c,v 1.37 2006/04/27 11:33:20 lha Exp $"); #include <krb5-v4compat.h> @@ -66,7 +66,7 @@ fetch_server (krb5_context context, krb5_get_err_text(context, ret)); return ret; } - ret = _kdc_db_fetch(context, config, sprinc, HDB_ENT_TYPE_SERVER, server); + ret = _kdc_db_fetch(context, config, sprinc, HDB_F_GET_SERVER, server); krb5_free_principal(context, sprinc); if (ret) { kdc_log(context, config, 0, diff --git a/source4/heimdal/kdc/kaserver.c b/source4/heimdal/kdc/kaserver.c index 05fedeca29..c08a51b9cc 100644 --- a/source4/heimdal/kdc/kaserver.c +++ b/source4/heimdal/kdc/kaserver.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: kaserver.c,v 1.32 2006/04/02 01:54:37 lha Exp $"); +RCSID("$Id: kaserver.c,v 1.35 2006/05/05 10:49:50 lha Exp $"); #include <krb5-v4compat.h> #include <rx.h> @@ -107,38 +107,69 @@ RCSID("$Id: kaserver.c,v 1.32 2006/04/02 01:54:37 lha Exp $"); #define KATOOSOON (180521L) #define KALOCKED (180522L) -static void + +static krb5_error_code decode_rx_header (krb5_storage *sp, struct rx_header *h) { - krb5_ret_int32(sp, &h->epoch); - krb5_ret_int32(sp, &h->connid); - krb5_ret_int32(sp, &h->callid); - krb5_ret_int32(sp, &h->seqno); - krb5_ret_int32(sp, &h->serialno); - krb5_ret_int8(sp, &h->type); - krb5_ret_int8(sp, &h->flags); - krb5_ret_int8(sp, &h->status); - krb5_ret_int8(sp, &h->secindex); - krb5_ret_int16(sp, &h->reserved); - krb5_ret_int16(sp, &h->serviceid); + krb5_error_code ret; + + ret = krb5_ret_uint32(sp, &h->epoch); + if (ret) return ret; + ret = krb5_ret_uint32(sp, &h->connid); + if (ret) return ret; + ret = krb5_ret_uint32(sp, &h->callid); + if (ret) return ret; + ret = krb5_ret_uint32(sp, &h->seqno); + if (ret) return ret; + ret = krb5_ret_uint32(sp, &h->serialno); + if (ret) return ret; + ret = krb5_ret_uint8(sp, &h->type); + if (ret) return ret; + ret = krb5_ret_uint8(sp, &h->flags); + if (ret) return ret; + ret = krb5_ret_uint8(sp, &h->status); + if (ret) return ret; + ret = krb5_ret_uint8(sp, &h->secindex); + if (ret) return ret; + ret = krb5_ret_uint16(sp, &h->reserved); + if (ret) return ret; + ret = krb5_ret_uint16(sp, &h->serviceid); + if (ret) return ret; + + return 0; } -static void +static krb5_error_code encode_rx_header (struct rx_header *h, krb5_storage *sp) { - krb5_store_int32(sp, h->epoch); - krb5_store_int32(sp, h->connid); - krb5_store_int32(sp, h->callid); - krb5_store_int32(sp, h->seqno); - krb5_store_int32(sp, h->serialno); - krb5_store_int8(sp, h->type); - krb5_store_int8(sp, h->flags); - krb5_store_int8(sp, h->status); - krb5_store_int8(sp, h->secindex); - krb5_store_int16(sp, h->reserved); - krb5_store_int16(sp, h->serviceid); + krb5_error_code ret; + + ret = krb5_store_uint32(sp, h->epoch); + if (ret) return ret; + ret = krb5_store_uint32(sp, h->connid); + if (ret) return ret; + ret = krb5_store_uint32(sp, h->callid); + if (ret) return ret; + ret = krb5_store_uint32(sp, h->seqno); + if (ret) return ret; + ret = krb5_store_uint32(sp, h->serialno); + if (ret) return ret; + ret = krb5_store_uint8(sp, h->type); + if (ret) return ret; + ret = krb5_store_uint8(sp, h->flags); + if (ret) return ret; + ret = krb5_store_uint8(sp, h->status); + if (ret) return ret; + ret = krb5_store_uint8(sp, h->secindex); + if (ret) return ret; + ret = krb5_store_uint16(sp, h->reserved); + if (ret) return ret; + ret = krb5_store_uint16(sp, h->serviceid); + if (ret) return ret; + + return 0; } static void @@ -162,7 +193,7 @@ init_reply_header (struct rx_header *hdr, static void make_error_reply (struct rx_header *hdr, - u_int32_t ret, + uint32_t ret, krb5_data *reply) { @@ -171,7 +202,7 @@ make_error_reply (struct rx_header *hdr, init_reply_header (hdr, &reply_hdr, HT_ABORT, HF_LAST); sp = krb5_storage_emem(); - encode_rx_header (&reply_hdr, sp); + ret = encode_rx_header (&reply_hdr, sp); krb5_store_int32(sp, ret); krb5_storage_to_data (sp, reply); krb5_storage_free (sp); @@ -249,11 +280,12 @@ create_reply_ticket (krb5_context context, int kvno, int32_t max_seq_len, const char *sname, const char *sinstance, - u_int32_t challenge, + uint32_t challenge, const char *label, krb5_keyblock *key, krb5_data *reply) { + krb5_error_code ret; krb5_data ticket; krb5_keyblock session; krb5_storage *sp; @@ -339,7 +371,7 @@ create_reply_ticket (krb5_context context, /* create the reply packet */ init_reply_header (hdr, &reply_hdr, HT_DATA, HF_LAST); sp = krb5_storage_emem (); - encode_rx_header (&reply_hdr, sp); + ret = encode_rx_header (&reply_hdr, sp); krb5_store_int32 (sp, max_seq_len); krb5_store_xdr_data (sp, enc_data); krb5_data_free (&enc_data); @@ -410,7 +442,7 @@ do_authenticate (krb5_context context, Key *skey = NULL; krb5_storage *reply_sp; time_t max_life; - u_int8_t life; + uint8_t life; int32_t chal; char client_name[256]; char server_name[256]; @@ -433,8 +465,7 @@ do_authenticate (krb5_context context, client_name, from, server_name); ret = _kdc_db_fetch4 (context, config, name, instance, - config->v4_realm, HDB_ENT_TYPE_CLIENT, - &client_entry); + config->v4_realm, HDB_F_GET_CLIENT, &client_entry); if (ret) { kdc_log(context, config, 0, "Client not found in database: %s: %s", client_name, krb5_get_err_text(context, ret)); @@ -444,7 +475,7 @@ do_authenticate (krb5_context context, ret = _kdc_db_fetch4 (context, config, "krbtgt", config->v4_realm, config->v4_realm, - HDB_ENT_TYPE_SERVER, &server_entry); + HDB_F_GET_KRBTGT, &server_entry); if (ret) { kdc_log(context, config, 0, "Server not found in database: %s: %s", server_name, krb5_get_err_text(context, ret)); @@ -650,8 +681,7 @@ do_getticket (krb5_context context, "%s.%s@%s", name, instance, config->v4_realm); ret = _kdc_db_fetch4 (context, config, name, instance, - config->v4_realm, HDB_ENT_TYPE_SERVER, - &server_entry); + config->v4_realm, HDB_F_GET_SERVER, &server_entry); if (ret) { kdc_log(context, config, 0, "Server not found in database: %s: %s", server_name, krb5_get_err_text(context, ret)); @@ -660,8 +690,7 @@ do_getticket (krb5_context context, } ret = _kdc_db_fetch4 (context, config, "krbtgt", - config->v4_realm, config->v4_realm, - HDB_ENT_TYPE_CLIENT, &krbtgt_entry); + config->v4_realm, config->v4_realm, HDB_F_GET_KRBTGT, &krbtgt_entry); if (ret) { kdc_log(context, config, 0, "Server not found in database: %s.%s@%s: %s", @@ -734,8 +763,8 @@ do_getticket (krb5_context context, client_name, from, server_name); ret = _kdc_db_fetch4 (context, config, - ad.pname, ad.pinst, ad.prealm, - HDB_ENT_TYPE_CLIENT, &client_entry); + ad.pname, ad.pinst, ad.prealm, HDB_F_GET_CLIENT, + &client_entry); if(ret && ret != HDB_ERR_NOENTRY) { kdc_log(context, config, 0, "Client not found in database: (krb4) %s: %s", @@ -842,14 +871,16 @@ _kdc_do_kaserver(krb5_context context, { krb5_error_code ret = 0; struct rx_header hdr; - u_int32_t op; + uint32_t op; krb5_storage *sp; if (len < RX_HEADER_SIZE) return -1; sp = krb5_storage_from_mem (buf, len); - decode_rx_header (sp, &hdr); + ret = decode_rx_header (sp, &hdr); + if (ret) + goto out; buf += RX_HEADER_SIZE; len -= RX_HEADER_SIZE; @@ -875,7 +906,9 @@ _kdc_do_kaserver(krb5_context context, goto out; } - krb5_ret_int32(sp, &op); + ret = krb5_ret_uint32(sp, &op); + if (ret) + goto out; switch (op) { case AUTHENTICATE : case AUTHENTICATE_V2 : diff --git a/source4/heimdal/kdc/kdc-private.h b/source4/heimdal/kdc/kdc-private.h index c718b1fd52..251e06b14a 100644 --- a/source4/heimdal/kdc/kdc-private.h +++ b/source4/heimdal/kdc/kdc-private.h @@ -28,8 +28,8 @@ krb5_error_code _kdc_db_fetch ( krb5_context /*context*/, krb5_kdc_configuration */*config*/, - krb5_principal /*principal*/, - enum hdb_ent_type /*ent_type*/, + krb5_const_principal /*principal*/, + unsigned /*flags*/, hdb_entry_ex **/*h*/); krb5_error_code @@ -39,7 +39,7 @@ _kdc_db_fetch4 ( const char */*name*/, const char */*instance*/, const char */*realm*/, - enum hdb_ent_type /*ent_type*/, + unsigned /*flags*/, hdb_entry_ex **/*ent*/); krb5_error_code diff --git a/source4/heimdal/kdc/kdc.h b/source4/heimdal/kdc/kdc.h index 3d25729d4e..2948570e3a 100644 --- a/source4/heimdal/kdc/kdc.h +++ b/source4/heimdal/kdc/kdc.h @@ -35,7 +35,7 @@ */ /* - * $Id: kdc.h,v 1.5 2005/10/21 17:11:21 lha Exp $ + * $Id: kdc.h,v 1.6 2006/05/03 12:03:29 lha Exp $ */ #ifndef __KDC_H__ @@ -72,6 +72,7 @@ typedef struct krb5_kdc_configuration { krb5_boolean enable_pkinit; krb5_boolean enable_pkinit_princ_in_cert; + char *pkinit_kdc_ocsp_file; krb5_log_facility *logf; diff --git a/source4/heimdal/kdc/kerberos4.c b/source4/heimdal/kdc/kerberos4.c index 030405adc2..4ece1a47d6 100644 --- a/source4/heimdal/kdc/kerberos4.c +++ b/source4/heimdal/kdc/kerberos4.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -35,11 +35,11 @@ #include <krb5-v4compat.h> -RCSID("$Id: kerberos4.c,v 1.57 2006/04/02 01:54:37 lha Exp $"); +RCSID("$Id: kerberos4.c,v 1.60 2006/05/05 10:50:44 lha Exp $"); #ifndef swap32 -static u_int32_t -swap32(u_int32_t x) +static uint32_t +swap32(uint32_t x) { return ((x << 24) & 0xff000000) | ((x << 8) & 0xff0000) | @@ -62,12 +62,17 @@ make_err_reply(krb5_context context, krb5_data *reply, kdc_time, code, msg, reply); } +struct valid_princ_ctx { + krb5_kdc_configuration *config; + unsigned flags; +}; + static krb5_boolean valid_princ(krb5_context context, void *funcctx, krb5_principal princ) { - krb5_kdc_configuration *config = funcctx; + struct valid_princ_ctx *ctx = funcctx; krb5_error_code ret; char *s; hdb_entry_ex *ent; @@ -75,14 +80,14 @@ valid_princ(krb5_context context, ret = krb5_unparse_name(context, princ, &s); if (ret) return FALSE; - ret = _kdc_db_fetch(context, config, princ, HDB_ENT_TYPE_ANY, &ent); + ret = _kdc_db_fetch(context, ctx->config, princ, ctx->flags, &ent); if (ret) { - kdc_log(context, config, 7, "Lookup %s failed: %s", s, + kdc_log(context, ctx->config, 7, "Lookup %s failed: %s", s, krb5_get_err_text (context, ret)); free(s); return FALSE; } - kdc_log(context, config, 7, "Lookup %s succeeded", s); + kdc_log(context, ctx->config, 7, "Lookup %s succeeded", s); free(s); _kdc_free_ent(context, ent); return TRUE; @@ -90,19 +95,23 @@ valid_princ(krb5_context context, krb5_error_code _kdc_db_fetch4(krb5_context context, - krb5_kdc_configuration *config, - const char *name, const char *instance, const char *realm, - enum hdb_ent_type ent_type, - hdb_entry_ex **ent) + krb5_kdc_configuration *config, + const char *name, const char *instance, const char *realm, + unsigned flags, + hdb_entry_ex **ent) { krb5_principal p; krb5_error_code ret; + struct valid_princ_ctx ctx; + + ctx.config = config; + ctx.flags = flags; ret = krb5_425_conv_principal_ext2(context, name, instance, realm, - valid_princ, config, 0, &p); + valid_princ, &ctx, 0, &p); if(ret) return ret; - ret = _kdc_db_fetch(context, config, p, ent_type, ent); + ret = _kdc_db_fetch(context, config, p, flags, ent); krb5_free_principal(context, p); return ret; } @@ -135,7 +144,7 @@ _kdc_do_version4(krb5_context context, char *sname = NULL, *sinst = NULL; int32_t req_time; time_t max_life; - u_int8_t life; + uint8_t life; char client_name[256]; char server_name[256]; @@ -171,7 +180,7 @@ _kdc_do_version4(krb5_context context, RCHECK(krb5_ret_int32(sp, &req_time), out1); if(lsb) req_time = swap32(req_time); - RCHECK(krb5_ret_int8(sp, &life), out1); + RCHECK(krb5_ret_uint8(sp, &life), out1); RCHECK(krb5_ret_stringz(sp, &sname), out1); RCHECK(krb5_ret_stringz(sp, &sinst), out1); snprintf (client_name, sizeof(client_name), @@ -182,7 +191,8 @@ _kdc_do_version4(krb5_context context, kdc_log(context, config, 0, "AS-REQ (krb4) %s from %s for %s", client_name, from, server_name); - ret = _kdc_db_fetch4(context, config, name, inst, realm, HDB_ENT_TYPE_CLIENT, &client); + ret = _kdc_db_fetch4(context, config, name, inst, realm, + HDB_F_GET_CLIENT, &client); if(ret) { kdc_log(context, config, 0, "Client not found in database: %s: %s", client_name, krb5_get_err_text(context, ret)); @@ -190,8 +200,8 @@ _kdc_do_version4(krb5_context context, "principal unknown"); goto out1; } - ret = _kdc_db_fetch4(context, config, sname, sinst, - config->v4_realm, HDB_ENT_TYPE_SERVER, &server); + ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm, + HDB_F_GET_SERVER, &server); if(ret){ kdc_log(context, config, 0, "Server not found in database: %s: %s", server_name, krb5_get_err_text(context, ret)); @@ -361,7 +371,8 @@ _kdc_do_version4(krb5_context context, goto out2; } - ret = _kdc_db_fetch(context, config, tgt_princ, HDB_ENT_TYPE_SERVER, &tgt); + ret = _kdc_db_fetch(context, config, tgt_princ, + HDB_F_GET_KRBTGT, &tgt); if(ret){ char *s; s = kdc_log_msg(context, config, 0, "Ticket-granting ticket not " @@ -418,7 +429,7 @@ _kdc_do_version4(krb5_context context, RCHECK(krb5_ret_int32(sp, &req_time), out2); if(lsb) req_time = swap32(req_time); - RCHECK(krb5_ret_int8(sp, &life), out2); + RCHECK(krb5_ret_uint8(sp, &life), out2); RCHECK(krb5_ret_stringz(sp, &sname), out2); RCHECK(krb5_ret_stringz(sp, &sinst), out2); snprintf (server_name, sizeof(server_name), @@ -456,7 +467,8 @@ _kdc_do_version4(krb5_context context, goto out2; } - ret = _kdc_db_fetch4(context, config, ad.pname, ad.pinst, ad.prealm, HDB_ENT_TYPE_CLIENT, &client); + ret = _kdc_db_fetch4(context, config, ad.pname, ad.pinst, ad.prealm, + HDB_F_GET_CLIENT, &client); if(ret && ret != HDB_ERR_NOENTRY) { char *s; s = kdc_log_msg(context, config, 0, @@ -476,8 +488,8 @@ _kdc_do_version4(krb5_context context, goto out2; } - ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm, - HDB_ENT_TYPE_SERVER, &server); + ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm, + HDB_F_GET_SERVER, &server); if(ret){ char *s; s = kdc_log_msg(context, config, 0, diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index 68720d692e..877b88c155 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: kerberos5.c,v 1.206 2006/04/02 01:54:37 lha Exp $"); +RCSID("$Id: kerberos5.c,v 1.211 2006/04/27 12:01:09 lha Exp $"); #define MAX_TIME ((time_t)((1U << 31) - 1)) @@ -120,7 +120,9 @@ static krb5_error_code find_keys(krb5_context context, krb5_kdc_configuration *config, const hdb_entry_ex *client, - const hdb_entry_ex *server, + const char *client_name, + const hdb_entry_ex *server, + const char *server_name, Key **ckey, krb5_enctype *cetype, Key **skey, @@ -128,20 +130,14 @@ find_keys(krb5_context context, krb5_enctype *etypes, unsigned num_etypes) { - char unparse_name[] = "krb5_unparse_name failed"; krb5_error_code ret; - char *name; if(client){ /* find client key */ ret = find_etype(context, client, etypes, num_etypes, ckey, cetype); if (ret) { - if (krb5_unparse_name(context, client->entry.principal, &name) != 0) - name = unparse_name; kdc_log(context, config, 0, - "Client (%s) has no support for etypes", name); - if (name != unparse_name) - free(name); + "Client (%s) has no support for etypes", client_name); return ret; } } @@ -150,12 +146,8 @@ find_keys(krb5_context context, /* find server key */ ret = find_etype(context, server, etypes, num_etypes, skey, setype); if (ret) { - if (krb5_unparse_name(context, server->entry.principal, &name) != 0) - name = unparse_name; kdc_log(context, config, 0, - "Server (%s) has no support for etypes", name); - if (name != unparse_name) - free(name); + "Server (%s) has no support for etypes", server_name); return ret; } } @@ -243,6 +235,9 @@ log_patypes(krb5_context context, return; } } + if (p == NULL) + p = rk_strpoolprintf(p, "none"); + str = rk_strpoolcollect(p); kdc_log(context, config, 0, "Client sent patypes: %s", str); free(str); @@ -899,7 +894,8 @@ _kdc_as_rep(krb5_context context, kdc_log(context, config, 0, "AS-REQ %s from %s for %s", client_name, from, server_name); - ret = _kdc_db_fetch(context, config, client_princ, HDB_ENT_TYPE_CLIENT, &client); + ret = _kdc_db_fetch(context, config, client_princ, + HDB_F_GET_CLIENT, &client); if(ret){ kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name, krb5_get_err_text(context, ret)); @@ -907,7 +903,8 @@ _kdc_as_rep(krb5_context context, goto out; } - ret = _kdc_db_fetch(context, config, server_princ, HDB_ENT_TYPE_SERVER, &server); + ret = _kdc_db_fetch(context, config, server_princ, + HDB_F_GET_SERVER|HDB_F_GET_KRBTGT, &server); if(ret){ kdc_log(context, config, 0, "UNKNOWN -- %s: %s", server_name, krb5_get_err_text(context, ret)); @@ -1166,6 +1163,7 @@ _kdc_as_rep(krb5_context context, * - If the client is 'modern', because it knows about 'new' * enctype types, then only send the 'info2' reply. */ + /* XXX check ret */ if (only_older_enctype_p(req)) ret = get_pa_etype_info(context, config, @@ -1200,12 +1198,12 @@ _kdc_as_rep(krb5_context context, } ret = find_keys(context, config, - client, server, &ckey, &cetype, &skey, &setype, + client, client_name, + server, server_name, + &ckey, &cetype, &skey, &setype, b->etype.val, b->etype.len); - if(ret) { - kdc_log(context, config, 0, "Server/client has no support for etypes"); + if(ret) goto out; - } { struct rk_strpool *p = NULL; @@ -1226,6 +1224,9 @@ _kdc_as_rep(krb5_context context, goto out; } } + if (p == NULL) + p = rk_strpoolprintf(p, "no encryption types"); + str = rk_strpoolcollect(p); kdc_log(context, config, 0, "Client supported enctypes: %s", str); free(str); @@ -1757,6 +1758,7 @@ tgs_make_reply(krb5_context context, AuthorizationData *auth_data, krb5_ticket *tgs_ticket, hdb_entry_ex *server, + const char *server_name, hdb_entry_ex *client, krb5_principal client_principal, hdb_entry_ex *krbtgt, @@ -1788,12 +1790,11 @@ tgs_make_reply(krb5_context context, etype = b->etype.val[i]; }else{ ret = find_keys(context, config, - NULL, server, NULL, NULL, &skey, &etype, + NULL, NULL, server, server_name, + NULL, NULL, &skey, &etype, b->etype.val, b->etype.len); - if(ret) { - kdc_log(context, config, 0, "Server has no support for etypes"); + if(ret) return ret; - } ekey = &skey->key; } @@ -2140,7 +2141,7 @@ tgs_rep2(krb5_context context, ap_req.ticket.sname, ap_req.ticket.realm); - ret = _kdc_db_fetch(context, config, princ, HDB_ENT_TYPE_SERVER, &krbtgt); + ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, &krbtgt); if(ret) { char *p; @@ -2340,7 +2341,8 @@ tgs_rep2(krb5_context context, goto out2; } _krb5_principalname2krb5_principal(&p, t->sname, t->realm); - ret = _kdc_db_fetch(context, config, p, HDB_ENT_TYPE_SERVER, &uu); + ret = _kdc_db_fetch(context, config, p, + HDB_F_GET_CLIENT|HDB_F_GET_SERVER, &uu); krb5_free_principal(context, p); if(ret){ if (ret == HDB_ERR_NOENTRY) @@ -2381,7 +2383,7 @@ tgs_rep2(krb5_context context, kdc_log(context, config, 0, "TGS-REQ %s from %s for %s", cpn, from, spn); server_lookup: - ret = _kdc_db_fetch(context, config, sp, HDB_ENT_TYPE_SERVER, &server); + ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER, &server); if(ret){ const char *new_rlm; @@ -2430,24 +2432,28 @@ tgs_rep2(krb5_context context, goto out; } - ret = _kdc_db_fetch(context, config, cp, HDB_ENT_TYPE_CLIENT, &client); + ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT, &client); if(ret) kdc_log(context, config, 1, "Client not found in database: %s: %s", cpn, krb5_get_err_text(context, ret)); -#if 0 - /* XXX check client only if same realm as krbtgt-instance */ - if(ret){ - kdc_log(context, config, 0, - "Client not found in database: %s: %s", - cpn, krb5_get_err_text(context, ret)); - if (ret == HDB_ERR_NOENTRY) - ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; - goto out; - } -#endif + + /* + * If the client belongs to the same realm as our krbtgt, it + * should exist in the local database. + * + * If its not the same, check the "direction" on the krbtgt, + * so its not a backward uni-directional trust. + */ if(strcmp(krb5_principal_get_realm(context, sp), - krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1)) != 0) { + krb5_principal_get_comp_string(context, + krbtgt->entry.principal, 1)) == 0) { + if(ret) { + if (ret == HDB_ERR_NOENTRY) + ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; + goto out; + } + } else { char *tpn; ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn); kdc_log(context, config, 0, @@ -2491,6 +2497,7 @@ tgs_rep2(krb5_context context, auth_data, ticket, server, + spn, client, cp, krbtgt, diff --git a/source4/heimdal/kdc/misc.c b/source4/heimdal/kdc/misc.c index 4d38e1f12d..a61c647f71 100644 --- a/source4/heimdal/kdc/misc.c +++ b/source4/heimdal/kdc/misc.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,14 +33,15 @@ #include "kdc_locl.h" -RCSID("$Id: misc.c,v 1.27 2006/01/01 23:17:16 lha Exp $"); +RCSID("$Id: misc.c,v 1.29 2006/04/27 11:33:21 lha Exp $"); struct timeval _kdc_now; krb5_error_code _kdc_db_fetch(krb5_context context, krb5_kdc_configuration *config, - krb5_principal principal, enum hdb_ent_type ent_type, + krb5_const_principal principal, + unsigned flags, hdb_entry_ex **h) { hdb_entry_ex *ent; @@ -60,9 +61,8 @@ _kdc_db_fetch(krb5_context context, } ret = config->db[i]->hdb_fetch(context, config->db[i], - HDB_F_DECRYPT, - principal, - ent_type, + principal, + flags | HDB_F_DECRYPT, ent); config->db[i]->hdb_close(context, config->db[i]); if(ret == 0) { diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c index 3f064f9d50..c220e70ddd 100755 --- a/source4/heimdal/kdc/pkinit.c +++ b/source4/heimdal/kdc/pkinit.c @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: pkinit.c,v 1.59 2006/04/22 12:10:16 lha Exp $"); +RCSID("$Id: pkinit.c,v 1.65 2006/05/06 13:22:33 lha Exp $"); #ifdef PKINIT @@ -82,6 +82,12 @@ static struct krb5_pk_identity *kdc_identity; static struct pk_principal_mapping principal_mappings; static struct krb5_dh_moduli **moduli; +static struct { + krb5_data data; + time_t expire; + time_t next_update; +} ocsp; + /* * */ @@ -260,7 +266,6 @@ get_dh_param(krb5_context context, DomainParameters dhparam; DH *dh = NULL; krb5_error_code ret; - int dhret; memset(&dhparam, 0, sizeof(dhparam)); @@ -338,14 +343,6 @@ get_dh_param(krb5_context context, goto out; } - - if (DH_check_pubkey(dh, client_params->dh_public_key, &dhret) != 1 || - dhret != 0) { - krb5_set_error_string(context, "PKINIT DH data not ok"); - ret = KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED; - goto out; - } - client_params->dh = dh; dh = NULL; ret = 0; @@ -754,7 +751,8 @@ pk_mk_pa_reply_dh(krb5_context context, DH *kdc_dh, pk_client_params *client_params, krb5_keyblock *reply_key, - ContentInfo *content_info) + ContentInfo *content_info, + hx509_cert *kdc_cert) { KDCDHKeyInfo dh_info; krb5_data signed_data, buf; @@ -768,6 +766,8 @@ pk_mk_pa_reply_dh(krb5_context context, krb5_data_zero(&buf); krb5_data_zero(&signed_data); + *kdc_cert = NULL; + ret = BN_to_integer(context, kdc_dh->pub_key, &i); if (ret) return ret; @@ -803,8 +803,8 @@ pk_mk_pa_reply_dh(krb5_context context, */ { - hx509_cert cert; hx509_query *q; + hx509_cert cert; ret = hx509_query_alloc(kdc_identity->hx509ctx, &q); if (ret) @@ -830,7 +830,7 @@ pk_mk_pa_reply_dh(krb5_context context, kdc_identity->anchors, kdc_identity->certpool, &signed_data); - hx509_cert_free(cert); + *kdc_cert = cert; } if (ret) goto out; @@ -843,6 +843,11 @@ pk_mk_pa_reply_dh(krb5_context context, goto out; out: + if (ret && *kdc_cert) { + hx509_cert_free(*kdc_cert); + *kdc_cert = NULL; + } + krb5_data_free(&buf); krb5_data_free(&signed_data); free_KDCDHKeyInfo(&dh_info); @@ -869,6 +874,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, size_t len, size; krb5_enctype enctype; int pa_type; + hx509_cert kdc_cert = NULL; int i; if (!config->enable_pkinit) { @@ -947,7 +953,8 @@ _kdc_pk_mk_pa_reply(krb5_context context, ret = pk_mk_pa_reply_dh(context, client_params->dh, client_params, &client_params->reply_key, - &info); + &info, + &kdc_cert); ASN1_MALLOC_ENCODE(ContentInfo, rep.u.dhInfo.dhSignedData.data, rep.u.dhInfo.dhSignedData.length, &info, &size, @@ -982,48 +989,43 @@ _kdc_pk_mk_pa_reply(krb5_context context, } else if (client_params->type == PKINIT_COMPAT_WIN2K) { PA_PK_AS_REP_Win2k rep; - - pa_type = KRB5_PADATA_PK_AS_REP_19; - - memset(&rep, 0, sizeof(rep)); + ContentInfo info; if (client_params->dh) { - krb5_set_error_string(context, "DH -27 not implemented"); + krb5_set_error_string(context, "Windows PK-INIT doesn't support DH"); ret = KRB5KRB_ERR_GENERIC; - } else { - rep.element = choice_PA_PK_AS_REP_encKeyPack; - ContentInfo info; + goto out; + } - krb5_generate_random_keyblock(context, enctype, - &client_params->reply_key); - ret = pk_mk_pa_reply_enckey(context, - client_params, - req, - req_buffer, - &client_params->reply_key, - &info); - if (ret) { - free_PA_PK_AS_REP_Win2k(&rep); - goto out; - } - ASN1_MALLOC_ENCODE(ContentInfo, rep.u.encKeyPack.data, - rep.u.encKeyPack.length, &info, &size, - ret); - free_ContentInfo(&info); - if (ret) { - krb5_set_error_string(context, "encoding of Key ContentInfo " - "failed %d", ret); - free_PA_PK_AS_REP_Win2k(&rep); - goto out; - } - if (rep.u.encKeyPack.length != size) - krb5_abortx(context, "Internal ASN.1 encoder error"); + memset(&rep, 0, sizeof(rep)); + pa_type = KRB5_PADATA_PK_AS_REP_19; + rep.element = choice_PA_PK_AS_REP_encKeyPack; + + krb5_generate_random_keyblock(context, enctype, + &client_params->reply_key); + ret = pk_mk_pa_reply_enckey(context, + client_params, + req, + req_buffer, + &client_params->reply_key, + &info); + if (ret) { + free_PA_PK_AS_REP_Win2k(&rep); + goto out; } + ASN1_MALLOC_ENCODE(ContentInfo, rep.u.encKeyPack.data, + rep.u.encKeyPack.length, &info, &size, + ret); + free_ContentInfo(&info); if (ret) { + krb5_set_error_string(context, "encoding of Key ContentInfo " + "failed %d", ret); free_PA_PK_AS_REP_Win2k(&rep); goto out; } + if (rep.u.encKeyPack.length != size) + krb5_abortx(context, "Internal ASN.1 encoder error"); ASN1_MALLOC_ENCODE(PA_PK_AS_REP_Win2k, buf, len, &rep, &size, ret); free_PA_PK_AS_REP_Win2k(&rep); @@ -1041,11 +1043,88 @@ _kdc_pk_mk_pa_reply(krb5_context context, ret = krb5_padata_add(context, md, pa_type, buf, len); if (ret) { - krb5_set_error_string(context, "failed adding " - "PA-PK-AS-REP-19 %d", ret); + krb5_set_error_string(context, "failed adding PA-PK-AS-REP %d", ret); free(buf); + goto out; } - out: + + if (config->pkinit_kdc_ocsp_file) { + + if (ocsp.expire == 0 && ocsp.next_update > kdc_time) { + struct stat sb; + int fd; + + krb5_data_free(&ocsp.data); + + ocsp.expire = 0; + + fd = open(config->pkinit_kdc_ocsp_file, O_RDONLY); + if (fd < 0) { + kdc_log(context, config, 0, + "PK-INIT failed to open ocsp data file %d", errno); + goto out_ocsp; + } + ret = fstat(fd, &sb); + if (ret) { + ret = errno; + close(fd); + kdc_log(context, config, 0, + "PK-INIT failed to stat ocsp data %d", ret); + goto out_ocsp; + } + + ret = krb5_data_alloc(&ocsp.data, sb.st_size); + if (ret) { + close(fd); + kdc_log(context, config, 0, + "PK-INIT failed to stat ocsp data %d", ret); + goto out_ocsp; + } + ocsp.data.length = sb.st_size; + ret = read(fd, ocsp.data.data, sb.st_size); + close(fd); + if (ret != sb.st_size) { + kdc_log(context, config, 0, + "PK-INIT failed to read ocsp data %d", errno); + goto out_ocsp; + } + + ret = hx509_ocsp_verify(kdc_identity->hx509ctx, + kdc_time, + kdc_cert, + 0, + ocsp.data.data, ocsp.data.length, + &ocsp.expire); + if (ret) { + kdc_log(context, config, 0, + "PK-INIT failed to verify ocsp data %d", ret); + krb5_data_free(&ocsp.data); + ocsp.expire = 0; + } else if (ocsp.expire > 180) + ocsp.expire -= 180; /* refetch the ocsp before it expire */ + + out_ocsp: + ocsp.next_update = kdc_time + 3600; + ret = 0; + } + + if (ocsp.expire != 0 && ocsp.expire > kdc_time) { + + ret = krb5_padata_add(context, md, + KRB5_PADATA_PA_PK_OCSP_RESPONSE, + ocsp.data.data, ocsp.data.length); + if (ret) { + krb5_set_error_string(context, + "Failed adding OCSP response %d", ret); + goto out; + } + } + } + +out: + if (kdc_cert) + hx509_cert_free(kdc_cert); + if (ret == 0) *reply_key = &client_params->reply_key; return ret; @@ -1120,15 +1199,9 @@ _kdc_pk_check_client(krb5_context context, hx509_name name; int i; - if (config->enable_pkinit_princ_in_cert) { - ret = pk_principal_from_X509(context, config, - client_params->cert, - client_princ); - if (ret == 0) - return 0; - } - - ret = hx509_cert_get_subject(client_params->cert, &name); + ret = hx509_cert_get_base_subject(kdc_identity->hx509ctx, + client_params->cert, + &name); if (ret) return ret; @@ -1141,6 +1214,17 @@ _kdc_pk_check_client(krb5_context context, "Trying to authorize subject DN %s", *subject_name); + if (config->enable_pkinit_princ_in_cert) { + ret = pk_principal_from_X509(context, config, + client_params->cert, + client_princ); + if (ret == 0) { + kdc_log(context, config, 5, + "Found matching PK-INIT SAN in certificate"); + return 0; + } + } + for (i = 0; i < principal_mappings.len; i++) { krb5_boolean b; @@ -1231,6 +1315,14 @@ _kdc_pk_initialize(krb5_context context, return ret; } + ret = krb5_config_get_bool_default(context, + NULL, + FALSE, + "kdc", + "pki-allow-proxy-certificate", + NULL); + _krb5_pk_allow_proxy_certificate(kdc_identity, ret); + file = krb5_config_get_string_default(context, NULL, HDB_DB_DIR "/pki-mapping", diff --git a/source4/heimdal/kdc/rx.h b/source4/heimdal/kdc/rx.h index ab8ec80523..370e33732f 100644 --- a/source4/heimdal/kdc/rx.h +++ b/source4/heimdal/kdc/rx.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: rx.h,v 1.4 1999/12/02 17:05:00 joda Exp $ */ +/* $Id: rx.h,v 1.5 2006/05/05 10:51:10 lha Exp $ */ #ifndef __RX_H__ #define __RX_H__ @@ -59,17 +59,17 @@ enum rx_header_flag { }; struct rx_header { - u_int32_t epoch; - u_int32_t connid; /* And channel ID */ - u_int32_t callid; - u_int32_t seqno; - u_int32_t serialno; + uint32_t epoch; + uint32_t connid; /* And channel ID */ + uint32_t callid; + uint32_t seqno; + uint32_t serialno; u_char type; u_char flags; u_char status; u_char secindex; - u_int16_t reserved; /* ??? verifier? */ - u_int16_t serviceid; + uint16_t reserved; /* ??? verifier? */ + uint16_t serviceid; /* This should be the other way around according to everything but */ /* tcpdump */ }; |