Diffstat (limited to 'source4/heimdal/kdc')
-rw-r--r--source4/heimdal/kdc/kdc_locl.h5
-rw-r--r--source4/heimdal/kdc/kerberos5.c36
-rwxr-xr-xsource4/heimdal/kdc/pkinit.c44
-rw-r--r--source4/heimdal/kdc/process.c18
4 files changed, 77 insertions, 26 deletions
diff --git a/source4/heimdal/kdc/kdc_locl.h b/source4/heimdal/kdc/kdc_locl.h
index d347c6080c..b87895d56c 100644
--- a/source4/heimdal/kdc/kdc_locl.h
+++ b/source4/heimdal/kdc/kdc_locl.h
@@ -32,7 +32,7 @@
*/
/*
- * $Id: kdc_locl.h,v 1.71 2005/07/01 15:36:16 lha Exp $
+ * $Id: kdc_locl.h,v 1.72 2005/08/12 08:46:39 lha Exp $
*/
#ifndef __KDC_LOCL_H__
@@ -61,7 +61,8 @@ extern struct timeval _kdc_now;
krb5_error_code
_kdc_as_rep(krb5_context context,
krb5_kdc_configuration *config,
- KDC_REQ*, krb5_data*, const char*, struct sockaddr*);
+ KDC_REQ*, const krb5_data*, krb5_data*,
+ const char*, struct sockaddr*);
krb5_kdc_configuration *
configure(krb5_context context, int argc, char **argv);
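Review bot: The `const krb5_data*` parameter added to the `_kdc_as_rep` prototype is undocumented, and nothing in the header says what it carries or how it relates to the `KDC_REQ*` beside it. From the callers in process.c it is the undecoded request buffer, kept so that PKINIT can compute its asChecksum over the raw AS-REQ bytes; a comment on the prototype such as `/* req_buffer: the raw encoded AS-REQ as received; PKINIT checksums it */` would spare the next reader the trip through pkinit.c. Naming the parameters in the prototype (`KDC_REQ *req, const krb5_data *req_buffer, krb5_data *reply, ...`) would do much of the same job, and the other prototypes in this header already keep parameter names.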
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index e85a269a01..27a25d95ff 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -189,7 +189,8 @@ log_timestamp(krb5_context context,
KerberosTime authtime, KerberosTime *starttime,
KerberosTime endtime, KerberosTime *renew_till)
{
- char authtime_str[100], starttime_str[100], endtime_str[100], renewtime_str[100];
+ char authtime_str[100], starttime_str[100],
+ endtime_str[100], renewtime_str[100];
krb5_format_time(context, authtime,
authtime_str, sizeof(authtime_str), TRUE);
@@ -728,6 +729,7 @@ krb5_error_code
_kdc_as_rep(krb5_context context,
krb5_kdc_configuration *config,
KDC_REQ *req,
+ const krb5_data *req_buffer,
krb5_data *reply,
const char *from,
struct sockaddr *from_addr)
@@ -940,7 +942,8 @@ _kdc_as_rep(krb5_context context,
kdc_log(context, config, 5,
"Failed to decrypt PA-DATA -- %s "
"(enctype %s) error %s",
- client_name, str ? str : "unknown enctype",
+ client_name,
+ str ? str : "unknown enctype",
krb5_get_err_text(context, ret));
free(str);
@@ -1308,8 +1311,9 @@ _kdc_as_rep(krb5_context context,
reply_key = &ckey->key;
#if PKINIT
if (pkp) {
- ret = _kdc_pk_mk_pa_reply(context, config, pkp, client, req,
- &reply_key, rep.padata);
+ ret = _kdc_pk_mk_pa_reply(context, config, pkp, client,
+ req, req_buffer,
+ &reply_key, rep.padata);
if (ret)
goto out;
}
@@ -1372,30 +1376,35 @@ check_tgs_flags(krb5_context context,
if(f.validate){
if(!tgt->flags.invalid || tgt->starttime == NULL){
- kdc_log(context, config, 0, "Bad request to validate ticket");
+ kdc_log(context, config, 0,
+ "Bad request to validate ticket");
return KRB5KDC_ERR_BADOPTION;
}
if(*tgt->starttime > kdc_time){
- kdc_log(context, config, 0, "Early request to validate ticket");
+ kdc_log(context, config, 0,
+ "Early request to validate ticket");
return KRB5KRB_AP_ERR_TKT_NYV;
}
/* XXX tkt = tgt */
et->flags.invalid = 0;
}else if(tgt->flags.invalid){
- kdc_log(context, config, 0, "Ticket-granting ticket has INVALID flag set");
+ kdc_log(context, config, 0,
+ "Ticket-granting ticket has INVALID flag set");
return KRB5KRB_AP_ERR_TKT_INVALID;
}
if(f.forwardable){
if(!tgt->flags.forwardable){
- kdc_log(context, config, 0, "Bad request for forwardable ticket");
+ kdc_log(context, config, 0,
+ "Bad request for forwardable ticket");
return KRB5KDC_ERR_BADOPTION;
}
et->flags.forwardable = 1;
}
if(f.forwarded){
if(!tgt->flags.forwardable){
- kdc_log(context, config, 0, "Request to forward non-forwardable ticket");
+ kdc_log(context, config, 0,
+ "Request to forward non-forwardable ticket");
return KRB5KDC_ERR_BADOPTION;
}
et->flags.forwarded = 1;
@@ -1906,7 +1915,8 @@ tgs_check_authenticator(krb5_context context,
free(buf);
krb5_crypto_destroy(context, crypto);
if(ret){
- kdc_log(context, config, 0, "Failed to verify authenticator checksum: %s",
+ kdc_log(context, config, 0,
+ "Failed to verify authenticator checksum: %s",
krb5_get_err_text(context, ret));
}
out:
@@ -2102,11 +2112,11 @@ tgs_rep2(krb5_context context,
ret = tgs_check_authenticator(context, config,
ac, b, &e_text, &tgt->key);
- if(ret){
+ if (ret) {
krb5_auth_con_free(context, ac);
goto out2;
}
-
+
if (b->enc_authorization_data) {
krb5_keyblock *subkey;
krb5_data ad;
@@ -2167,6 +2177,8 @@ tgs_rep2(krb5_context context,
}
}
+ krb5_auth_con_free(context, ac);
+
{
PrincipalName *s;
Realm r;
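Review bot: The added `krb5_auth_con_free(context, ac);` releases the auth context on the success path, but the only error exit that frees it is the one directly after `tgs_check_authenticator` (in the @@ -2102 hunk); any `goto out2` between that check and this line — the `enc_authorization_data` block, whose body is not visible here, is the obvious candidate — would still leak `ac`. tgs_rep2 starts and ends outside these hunks, so this needs confirming against the full function. If `out2:` is a suitable single exit, moving the one free there (with `ac` initialised to NULL at declaration, assuming the free tolerates NULL) would cover every path instead of the two that are patched by hand.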
diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c
index f591aa8fc1..fdeaf27ac4 100755
--- a/source4/heimdal/kdc/pkinit.c
+++ b/source4/heimdal/kdc/pkinit.c
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$Id: pkinit.c,v 1.37 2005/07/26 18:37:02 lha Exp $");
+RCSID("$Id: pkinit.c,v 1.41 2005/08/12 09:21:40 lha Exp $");
#ifdef PKINIT
@@ -66,7 +66,7 @@ struct krb5_pk_cert {
enum pkinit_type {
PKINIT_COMPAT_WIN2K = 1,
PKINIT_COMPAT_19 = 2,
- PKINIT_COMPAT_25 = 3
+ PKINIT_COMPAT_27 = 3
};
struct pk_client_params {
@@ -640,7 +640,7 @@ _kdc_pk_rd_padata(krb5_context context,
PA_PK_AS_REQ r;
ContentInfo info;
- type = "PK-INIT-25";
+ type = "PK-INIT-27";
pa_contentType = oid_id_pkauthdata();
ret = decode_PA_PK_AS_REQ(pa->padata_value.data,
@@ -796,7 +796,7 @@ _kdc_pk_rd_padata(krb5_context context,
goto out;
}
- client_params->type = PKINIT_COMPAT_25;
+ client_params->type = PKINIT_COMPAT_27;
client_params->nonce = ap.pkAuthenticator.nonce;
if (ap.clientPublicValue) {
@@ -851,6 +851,7 @@ static krb5_error_code
pk_mk_pa_reply_enckey(krb5_context context,
pk_client_params *client_params,
const KDC_REQ *req,
+ const krb5_data *req_buffer,
krb5_keyblock *reply_key,
ContentInfo *content_info)
{
@@ -945,7 +946,8 @@ pk_mk_pa_reply_enckey(krb5_context context,
&kp, &size,ret);
free_ReplyKeyPack_19(&kp);
}
- case PKINIT_COMPAT_25: {
+ case PKINIT_COMPAT_27: {
+ krb5_crypto ascrypto;
ReplyKeyPack kp;
memset(&kp, 0, sizeof(kp));
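Review bot: The visible context shows no `break;` between `free_ReplyKeyPack_19(&kp);` and the `case PKINIT_COMPAT_27:` label, so unless one sits on a line this rendering dropped, a PKINIT_COMPAT_19 client falls through into the 27 encoding: `buf.data` from the first ASN1_MALLOC_ENCODE is overwritten (and leaked) and the client receives a ReplyKeyPack in a format it did not negotiate. The `break;` the commit adds at the end of the 27 case stops the fall into `default:`/`krb5_abortx`, but the 19 case needs the same `break;` before its closing brace. The switch begins outside this hunk, so any earlier case label should be checked for the same omission.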
@@ -954,9 +956,29 @@ pk_mk_pa_reply_enckey(krb5_context context,
krb5_clear_error_string(context);
goto out;
}
- /* XXX add whatever is the outcome of asChecksum discussion here */
+
+ ret = krb5_crypto_init(context, reply_key, 0, &ascrypto);
+ if (ret) {
+ krb5_clear_error_string(context);
+ goto out;
+ }
+
+ ret = krb5_create_checksum(context, ascrypto, 6, 0,
+ req_buffer->data, req_buffer->length,
+ &kp.asChecksum);
+ if (ret) {
+ krb5_clear_error_string(context);
+ goto out;
+ }
+
+ ret = krb5_crypto_destroy(context, ascrypto);
+ if (ret) {
+ krb5_clear_error_string(context);
+ goto out;
+ }
ASN1_MALLOC_ENCODE(ReplyKeyPack, buf.data, buf.length, &kp, &size,ret);
free_ReplyKeyPack(&kp);
+ break;
}
default:
krb5_abortx(context, "internal pkinit error");
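Review bot: `ascrypto` leaks when `krb5_create_checksum` fails: that `if (ret)` block jumps to `out` without releasing the crypto context initialised two statements earlier, and `out` cannot see a local declared inside the case. Add `krb5_crypto_destroy(context, ascrypto);` as the first line of that error block; the destroy call's own failure is already handled by the block that follows it. The bare `6, 0` arguments would also read better with a comment — by Heimdal's argument order they are the key usage and the checksum type, so something like `/* usage 6 = PKINIT asChecksum key usage; type 0 = default cksumtype for reply_key's enctype */`, if that is what was intended.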
@@ -1194,6 +1216,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
pk_client_params *client_params,
const hdb_entry *client,
const KDC_REQ *req,
+ const krb5_data *req_buffer,
krb5_keyblock **reply_key,
METHOD_DATA *md)
{
@@ -1223,7 +1246,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
} else
enctype = ETYPE_DES3_CBC_SHA1;
- if (client_params->type == PKINIT_COMPAT_25) {
+ if (client_params->type == PKINIT_COMPAT_27) {
PA_PK_AS_REP rep;
pa_type = KRB5_PADATA_PK_AS_REP;
@@ -1239,6 +1262,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
ret = pk_mk_pa_reply_enckey(context,
client_params,
req,
+ req_buffer,
&client_params->reply_key,
&info);
if (ret) {
@@ -1259,7 +1283,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
krb5_abortx(context, "Internal ASN.1 encoder error");
} else {
- krb5_set_error_string(context, "DH -25 not implemented");
+ krb5_set_error_string(context, "DH -27 not implemented");
ret = KRB5KRB_ERR_GENERIC;
}
if (ret) {
@@ -1291,6 +1315,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
ret = pk_mk_pa_reply_enckey(context,
client_params,
req,
+ req_buffer,
&client_params->reply_key,
&rep.u.encKeyPack);
} else {
@@ -1332,7 +1357,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
memset(&rep, 0, sizeof(rep));
if (client_params->dh) {
- krb5_set_error_string(context, "DH -25 not implemented");
+ krb5_set_error_string(context, "DH -27 not implemented");
ret = KRB5KRB_ERR_GENERIC;
} else {
rep.element = choice_PA_PK_AS_REP_encKeyPack;
@@ -1343,6 +1368,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
ret = pk_mk_pa_reply_enckey(context,
client_params,
req,
+ req_buffer,
&client_params->reply_key,
&info);
if (ret) {
diff --git a/source4/heimdal/kdc/process.c b/source4/heimdal/kdc/process.c
index 22cf23c48d..d0f8245bf9 100644
--- a/source4/heimdal/kdc/process.c
+++ b/source4/heimdal/kdc/process.c
@@ -34,7 +34,7 @@
#include "kdc_locl.h"
-RCSID("$Id: process.c,v 1.2 2005/06/30 01:54:49 lha Exp $");
+RCSID("$Id: process.c,v 1.3 2005/08/12 08:25:48 lha Exp $");
/*
* handle the request in `buf, len', from `addr' (or `from' as a string),
@@ -58,7 +58,13 @@ krb5_kdc_process_generic_request(krb5_context context,
gettimeofday(&_kdc_now, NULL);
if(decode_AS_REQ(buf, len, &req, &i) == 0){
- ret = _kdc_as_rep(context, config, &req, reply, from, addr);
+ krb5_data req_buffer;
+
+ req_buffer.data = buf;
+ req_buffer.length = len;
+
+ ret = _kdc_as_rep(context, config, &req, &req_buffer,
+ reply, from, addr);
free_AS_REQ(&req);
return ret;
}else if(decode_TGS_REQ(buf, len, &req, &i) == 0){
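Review bot: The four lines that wrap `buf`/`len` into a `krb5_data` are duplicated verbatim in krb5_kdc_process_krb5_request (the @@ -105 hunk), and neither copy says why the raw bytes are needed next to the decoded `req`. A one-line comment, `/* PKINIT checksums the raw AS-REQ bytes (asChecksum), so hand them down with the decoded request */`, would carry that, and a small static helper would remove the duplication. Note also that `req_buffer.length` is `len`, the whole received buffer, while `decode_AS_REQ` reports the bytes it actually consumed in `i`; if the two can differ, the checksum input should be chosen deliberately and the choice recorded in that comment.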
@@ -105,7 +111,13 @@ krb5_kdc_process_krb5_request(krb5_context context,
gettimeofday(&_kdc_now, NULL);
if(decode_AS_REQ(buf, len, &req, &i) == 0){
- ret = _kdc_as_rep(context, config, &req, reply, from, addr);
+ krb5_data req_buffer;
+
+ req_buffer.data = buf;
+ req_buffer.length = len;
+
+ ret = _kdc_as_rep(context, config, &req, &req_buffer,
+ reply, from, addr);
free_AS_REQ(&req);
return ret;
}else if(decode_TGS_REQ(buf, len, &req, &i) == 0){