Diffstat (limited to 'source4/heimdal/kdc')
-rw-r--r-- | source4/heimdal/kdc/kdc_locl.h | 5 | ||||
-rw-r--r-- | source4/heimdal/kdc/kerberos5.c | 36 | ||||
-rwxr-xr-x | source4/heimdal/kdc/pkinit.c | 44 | ||||
-rw-r--r-- | source4/heimdal/kdc/process.c | 18 |
4 files changed, 77 insertions, 26 deletions
diff --git a/source4/heimdal/kdc/kdc_locl.h b/source4/heimdal/kdc/kdc_locl.h index d347c6080c..b87895d56c 100644 --- a/source4/heimdal/kdc/kdc_locl.h +++ b/source4/heimdal/kdc/kdc_locl.h @@ -32,7 +32,7 @@ */ /* - * $Id: kdc_locl.h,v 1.71 2005/07/01 15:36:16 lha Exp $ + * $Id: kdc_locl.h,v 1.72 2005/08/12 08:46:39 lha Exp $ */ #ifndef __KDC_LOCL_H__ @@ -61,7 +61,8 @@ extern struct timeval _kdc_now; krb5_error_code _kdc_as_rep(krb5_context context, krb5_kdc_configuration *config, - KDC_REQ*, krb5_data*, const char*, struct sockaddr*); + KDC_REQ*, const krb5_data*, krb5_data*, + const char*, struct sockaddr*); krb5_kdc_configuration * configure(krb5_context context, int argc, char **argv); diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index e85a269a01..27a25d95ff 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c @@ -189,7 +189,8 @@ log_timestamp(krb5_context context, KerberosTime authtime, KerberosTime *starttime, KerberosTime endtime, KerberosTime *renew_till) { - char authtime_str[100], starttime_str[100], endtime_str[100], renewtime_str[100]; + char authtime_str[100], starttime_str[100], + endtime_str[100], renewtime_str[100]; krb5_format_time(context, authtime, authtime_str, sizeof(authtime_str), TRUE); @@ -728,6 +729,7 @@ krb5_error_code _kdc_as_rep(krb5_context context, krb5_kdc_configuration *config, KDC_REQ *req, + const krb5_data *req_buffer, krb5_data *reply, const char *from, struct sockaddr *from_addr) @@ -940,7 +942,8 @@ _kdc_as_rep(krb5_context context, kdc_log(context, config, 5, "Failed to decrypt PA-DATA -- %s " "(enctype %s) error %s", - client_name, str ? str : "unknown enctype", + client_name, + str ? str : "unknown enctype", krb5_get_err_text(context, ret)); free(str); 
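Review bot: The new `const krb5_data*` parameter added to the `_kdc_as_rep` prototype in the kdc_locl.h hunk at -61 is undocumented, and so is `req_buffer` at the definition in the kerberos5.c hunk at -728. A comment on the prototype such as `/* req_buffer: the AS-REQ exactly as received on the wire (undecoded bytes); PKINIT checksums it into asChecksum */` would tell callers what they must pass. That it has to be the unmodified received encoding follows from pkinit.c computing the checksum over `req_buffer->data`, which the client is presumably expected to match against its own copy of the request, so any re-encoding here would break PKINIT silently.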
@@ -1308,8 +1311,9 @@ _kdc_as_rep(krb5_context context, reply_key = &ckey->key; #if PKINIT if (pkp) { - ret = _kdc_pk_mk_pa_reply(context, config, pkp, client, req, - &reply_key, rep.padata); + ret = _kdc_pk_mk_pa_reply(context, config, pkp, client, + req, req_buffer, + &reply_key, rep.padata); if (ret) goto out; } @@ -1372,30 +1376,35 @@ check_tgs_flags(krb5_context context, if(f.validate){ if(!tgt->flags.invalid || tgt->starttime == NULL){ - kdc_log(context, config, 0, "Bad request to validate ticket"); + kdc_log(context, config, 0, + "Bad request to validate ticket"); return KRB5KDC_ERR_BADOPTION; } if(*tgt->starttime > kdc_time){ - kdc_log(context, config, 0, "Early request to validate ticket"); + kdc_log(context, config, 0, + "Early request to validate ticket"); return KRB5KRB_AP_ERR_TKT_NYV; } /* XXX tkt = tgt */ et->flags.invalid = 0; }else if(tgt->flags.invalid){ - kdc_log(context, config, 0, "Ticket-granting ticket has INVALID flag set"); + kdc_log(context, config, 0, + "Ticket-granting ticket has INVALID flag set"); return KRB5KRB_AP_ERR_TKT_INVALID; } if(f.forwardable){ if(!tgt->flags.forwardable){ - kdc_log(context, config, 0, "Bad request for forwardable ticket"); + kdc_log(context, config, 0, + "Bad request for forwardable ticket"); return KRB5KDC_ERR_BADOPTION; } et->flags.forwardable = 1; } if(f.forwarded){ if(!tgt->flags.forwardable){ - kdc_log(context, config, 0, "Request to forward non-forwardable ticket"); + kdc_log(context, config, 0, + "Request to forward non-forwardable ticket"); return KRB5KDC_ERR_BADOPTION; } et->flags.forwarded = 1; @@ -1906,7 +1915,8 @@ tgs_check_authenticator(krb5_context context, free(buf); krb5_crypto_destroy(context, crypto); if(ret){ - kdc_log(context, config, 0, "Failed to verify authenticator checksum: %s", + kdc_log(context, config, 0, + "Failed to verify authenticator checksum: %s", krb5_get_err_text(context, ret)); } out: 
@@ -2102,11 +2112,11 @@ tgs_rep2(krb5_context context, ret = tgs_check_authenticator(context, config, ac, b, &e_text, &tgt->key); - if(ret){ + if (ret) { krb5_auth_con_free(context, ac); goto out2; } - + if (b->enc_authorization_data) { krb5_keyblock *subkey; krb5_data ad; @@ -2167,6 +2177,8 @@ tgs_rep2(krb5_context context, } } + krb5_auth_con_free(context, ac); + { PrincipalName *s; Realm r; diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c index f591aa8fc1..fdeaf27ac4 100755 --- a/source4/heimdal/kdc/pkinit.c +++ b/source4/heimdal/kdc/pkinit.c @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: pkinit.c,v 1.37 2005/07/26 18:37:02 lha Exp $"); +RCSID("$Id: pkinit.c,v 1.41 2005/08/12 09:21:40 lha Exp $"); #ifdef PKINIT @@ -66,7 +66,7 @@ struct krb5_pk_cert { enum pkinit_type { PKINIT_COMPAT_WIN2K = 1, PKINIT_COMPAT_19 = 2, - PKINIT_COMPAT_25 = 3 + PKINIT_COMPAT_27 = 3 }; struct pk_client_params { @@ -640,7 +640,7 @@ _kdc_pk_rd_padata(krb5_context context, PA_PK_AS_REQ r; ContentInfo info; - type = "PK-INIT-25"; + type = "PK-INIT-27"; pa_contentType = oid_id_pkauthdata(); ret = decode_PA_PK_AS_REQ(pa->padata_value.data, @@ -796,7 +796,7 @@ _kdc_pk_rd_padata(krb5_context context, goto out; } - client_params->type = PKINIT_COMPAT_25; + client_params->type = PKINIT_COMPAT_27; client_params->nonce = ap.pkAuthenticator.nonce; if (ap.clientPublicValue) { @@ -851,6 +851,7 @@ static krb5_error_code pk_mk_pa_reply_enckey(krb5_context context, pk_client_params *client_params, const KDC_REQ *req, + const krb5_data *req_buffer, krb5_keyblock *reply_key, ContentInfo *content_info) { @@ -945,7 +946,8 @@ pk_mk_pa_reply_enckey(krb5_context context, &kp, &size,ret); free_ReplyKeyPack_19(&kp); } - case PKINIT_COMPAT_25: { + case PKINIT_COMPAT_27: { + krb5_crypto ascrypto; ReplyKeyPack kp; memset(&kp, 0, sizeof(kp)); 
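Review bot: The unconditional `krb5_auth_con_free(context, ac);` inserted before the `PrincipalName *s;` block in the tgs_rep2 hunk at -2167 only covers the success path; the `if (b->enc_authorization_data)` block that sits between the two tgs_rep2 hunks is not visible here, and any `goto out2` inside it would need the same release that the hunk at -2102 performs before its `goto out2`. Freeing `ac` once at a cleanup label would be less fragile than releasing it on each path. If `out2` or code later in tgs_rep2 still reads `ac` after this point, the new free turns into a use-after-free; tgs_rep2's body continues outside the hunk.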
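Review bot: In the pk_mk_pa_reply_enckey hunk at -945, `free_ReplyKeyPack_19(&kp); }` is followed directly by `case PKINIT_COMPAT_27: {` with no `break`, so a PKINIT_COMPAT_19 client now falls through into the -27 branch: `buf.data` from the -19 ASN1_MALLOC_ENCODE is overwritten (leaked) and the reply is re-encoded as a ReplyKeyPack with an asChecksum the -19 format does not carry. Before this commit the same fall-through ended at `default: krb5_abortx`, so the change converts an abort into a silently mis-formatted reply for -19 clients. Add `break;` after `free_ReplyKeyPack_19(&kp);`, matching the `break;` this commit adds at the end of the -27 case. The enclosing switch and function continue outside the hunk.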
@@ -954,9 +956,29 @@ pk_mk_pa_reply_enckey(krb5_context context, krb5_clear_error_string(context); goto out; } - /* XXX add whatever is the outcome of asChecksum discussion here */ + + ret = krb5_crypto_init(context, reply_key, 0, &ascrypto); + if (ret) { + krb5_clear_error_string(context); + goto out; + } + + ret = krb5_create_checksum(context, ascrypto, 6, 0, + req_buffer->data, req_buffer->length, + &kp.asChecksum); + if (ret) { + krb5_clear_error_string(context); + goto out; + } + + ret = krb5_crypto_destroy(context, ascrypto); + if (ret) { + krb5_clear_error_string(context); + goto out; + } ASN1_MALLOC_ENCODE(ReplyKeyPack, buf.data, buf.length, &kp, &size,ret); free_ReplyKeyPack(&kp); + break; } default: krb5_abortx(context, "internal pkinit error"); @@ -1194,6 +1216,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, pk_client_params *client_params, const hdb_entry *client, const KDC_REQ *req, + const krb5_data *req_buffer, krb5_keyblock **reply_key, METHOD_DATA *md) { @@ -1223,7 +1246,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, } else enctype = ETYPE_DES3_CBC_SHA1; - if (client_params->type == PKINIT_COMPAT_25) { + if (client_params->type == PKINIT_COMPAT_27) { PA_PK_AS_REP rep; pa_type = KRB5_PADATA_PK_AS_REP; @@ -1239,6 +1262,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, ret = pk_mk_pa_reply_enckey(context, client_params, req, + req_buffer, &client_params->reply_key, &info); if (ret) { @@ -1259,7 +1283,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, krb5_abortx(context, "Internal ASN.1 encoder error"); } else { - krb5_set_error_string(context, "DH -25 not implemented"); + krb5_set_error_string(context, "DH -27 not implemented"); ret = KRB5KRB_ERR_GENERIC; } if (ret) { @@ -1291,6 +1315,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, ret = pk_mk_pa_reply_enckey(context, client_params, req, + req_buffer, &client_params->reply_key, &rep.u.encKeyPack); } else { 
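Review bot: When `krb5_create_checksum` fails, the `goto out` skips `krb5_crypto_destroy(context, ascrypto)` and leaks the crypto context initialised a few lines earlier; both new error exits (and the pre-existing one just above the hunk) also leave `kp` unfreed, although it is local to the case block, zeroed with `memset`, and releasable with `free_ReplyKeyPack(&kp)` exactly as the success path does. Destroy `ascrypto` on both outcomes of the checksum call and free `kp` before jumping. The key-usage literal `6` is the PKINIT asChecksum usage (RFC 4556 specifies key usage 6 under the AS reply key); give it a comment, or the name `KRB5_KU_TGS_REQ_AUTH_CKSUM` if this tree's krb5.h defines it, since a silent mismatch here makes every PKINIT client reject the reply. pk_mk_pa_reply_enckey's body continues outside the hunk.
```c
	ret = krb5_crypto_init(context, reply_key, 0, &ascrypto);
	if (ret) {
	    krb5_clear_error_string(context);
	    free_ReplyKeyPack(&kp);
	    goto out;
	}

	/* RFC 4556: asChecksum is a checksum of the received AS-REQ,
	 * key usage 6, keyed with the AS reply key. */
	ret = krb5_create_checksum(context, ascrypto, 6, 0,
				   req_buffer->data, req_buffer->length,
				   &kp.asChecksum);
	if (ret == 0)
	    ret = krb5_crypto_destroy(context, ascrypto);
	else
	    (void)krb5_crypto_destroy(context, ascrypto); /* release on failure too */
	if (ret) {
	    krb5_clear_error_string(context);
	    free_ReplyKeyPack(&kp);
	    goto out;
	}
	/* … unchanged: ASN1_MALLOC_ENCODE(ReplyKeyPack, …), free_ReplyKeyPack(&kp), break … */
```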
@@ -1332,7 +1357,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, memset(&rep, 0, sizeof(rep)); if (client_params->dh) { - krb5_set_error_string(context, "DH -25 not implemented"); + krb5_set_error_string(context, "DH -27 not implemented"); ret = KRB5KRB_ERR_GENERIC; } else { rep.element = choice_PA_PK_AS_REP_encKeyPack; @@ -1343,6 +1368,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, ret = pk_mk_pa_reply_enckey(context, client_params, req, + req_buffer, &client_params->reply_key, &info); if (ret) { diff --git a/source4/heimdal/kdc/process.c b/source4/heimdal/kdc/process.c index 22cf23c48d..d0f8245bf9 100644 --- a/source4/heimdal/kdc/process.c +++ b/source4/heimdal/kdc/process.c @@ -34,7 +34,7 @@ #include "kdc_locl.h" -RCSID("$Id: process.c,v 1.2 2005/06/30 01:54:49 lha Exp $"); +RCSID("$Id: process.c,v 1.3 2005/08/12 08:25:48 lha Exp $"); /* * handle the request in `buf, len', from `addr' (or `from' as a string), @@ -58,7 +58,13 @@ krb5_kdc_process_generic_request(krb5_context context, gettimeofday(&_kdc_now, NULL); if(decode_AS_REQ(buf, len, &req, &i) == 0){ - ret = _kdc_as_rep(context, config, &req, reply, from, addr); + krb5_data req_buffer; + + req_buffer.data = buf; + req_buffer.length = len; + + ret = _kdc_as_rep(context, config, &req, &req_buffer, + reply, from, addr); free_AS_REQ(&req); return ret; }else if(decode_TGS_REQ(buf, len, &req, &i) == 0){ @@ -105,7 +111,13 @@ krb5_kdc_process_krb5_request(krb5_context context, gettimeofday(&_kdc_now, NULL); if(decode_AS_REQ(buf, len, &req, &i) == 0){ - ret = _kdc_as_rep(context, config, &req, reply, from, addr); + krb5_data req_buffer; + + req_buffer.data = buf; + req_buffer.length = len; + + ret = _kdc_as_rep(context, config, &req, &req_buffer, + reply, from, addr); free_AS_REQ(&req); return ret; }else if(decode_TGS_REQ(buf, len, &req, &i) == 0){ |
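Review bot: The four-line `req_buffer` setup and the new `_kdc_as_rep` call are duplicated verbatim in the process.c hunks at -58 and -105; a small `static` helper taking `buf`/`len` (or a compound literal, `&(krb5_data){ .data = buf, .length = len }`, if the file already uses C99 syntax) would keep the two entry points from drifting apart. Note that `req_buffer` only aliases `buf`, so the callee receives the caller's request bytes by reference; that is what the `const krb5_data *` signature asks for, but it is worth a comment at the first site. Both enclosing functions start outside the hunks.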