authorJohn Kohl <jtkohl@mit.edu>1990-02-02 15:58:41 +0000
committerJohn Kohl <jtkohl@mit.edu>1990-02-02 15:58:41 +0000
commit9fd71821ea20d849f34eb0eff8851b1043baee41 (patch)
tree001e712a5e667319024cc97b3ca46b4baf2a9dcc /src
parent66538ed1ed2314758869e780dd839bdc2fe4348b (diff)
fix errors in error-generating code
convert key when retrieved from database. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@231 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
-rw-r--r--src/kdc/do_as_req.c29
-rw-r--r--src/kdc/do_tgs_req.c18
2 files changed, 41 insertions, 6 deletions
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index f677933bb..472af5621 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -65,6 +65,7 @@ krb5_data **response; /* filled in with a response packet */
krb5_boolean more;
krb5_timestamp kdc_time;
krb5_keyblock *session_key;
+ krb5_keyblock encrypting_key;
krb5_timestamp until, rtime;
@@ -199,7 +200,18 @@ krb5_data **response; /* filled in with a response packet */
/* XXX need separate etypes for ticket encryption and kdc_rep encryption */
ticket_reply.enc_part2 = &enc_tkt_reply;
- if (retval = krb5_encrypt_tkt_part(&server.key, &ticket_reply)) {
+
+ /* convert server.key into a real key (it may be encrypted
+ in the database) */
+ if (retval = kdc_convert_key(&server.key, &encrypting_key,
+ CONVERT_OUTOF_DB)) {
+ cleanup();
+ return retval;
+ }
+ retval = krb5_encrypt_tkt_part(&encrypting_key, &ticket_reply);
+ bzero((char *)encrypting_key.contents, encrypting_key.length);
+ free((char *)encrypting_key.contents);
+ if (retval) {
cleanup();
return retval;
}
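Review bot: The `bzero` on `encrypting_key.contents` is immediately followed by `free`, so an optimizing compiler is allowed to drop it as a dead store and leave the decrypted server key in freed heap memory. Use a wipe the compiler cannot elide, for example `explicit_bzero((char *)encrypting_key.contents, encrypting_key.length);` where the platform provides it, or a small project helper that writes through a `volatile` pointer. The same bzero-then-free pair appears in the client.key hunk further down this file and in the server.key hunk in do_tgs_req.c. The enclosing function starts and ends outside this hunk.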
@@ -236,8 +248,17 @@ krb5_data **response; /* filled in with a response packet */
/* now encode/encrypt the response */
+ /* convert client.key into a real key (it may be encrypted
+ in the database) */
+ if (retval = kdc_convert_key(&client.key, &encrypting_key,
+ CONVERT_OUTOF_DB)) {
+ cleanup();
+ return retval;
+ }
retval = krb5_encode_kdc_rep(KRB5_AS_REP, &reply, &reply_encpart,
- &client.key, response);
+ &encrypting_key, response);
+ bzero((char *)encrypting_key.contents, encrypting_key.length);
+ free((char *)encrypting_key.contents);
cleanup();
return retval;
}
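Review bot: After `free((char *)encrypting_key.contents);` the stack keyblock still holds the stale pointer and length, and this function has already reused the same `encrypting_key` once (server key earlier, client key here). Adding `encrypting_key.contents = 0;` after each free would keep a later edit or an added cleanup path from double-freeing or reading the freed key buffer. Whether `kdc_convert_key` leaves `contents` untouched when it fails is not visible here, so that contract is worth a comment at the declaration. The function begins outside the hunk.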
@@ -266,10 +287,10 @@ krb5_data **response;
(void) strcpy(errpkt.text.data, error_message(error+KRB5KDC_ERR_NONE));
if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) {
- free(errpkt.txt.data);
+ free(errpkt.text.data);
return ENOMEM;
}
- retval = encode_krb5_error(&errpkt, scratch);
+ retval = krb5_mk_error(&errpkt, scratch);
free(errpkt.text.data);
*response = scratch;
return retval;
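Review bot: `*response = scratch;` runs even when `krb5_mk_error` returns an error, so the caller receives a nonzero retval together with a pointer to a malloc'd `krb5_data` whose fields may never have been filled in. Unless callers are known to free it (not visible here), release it on failure and publish it only on success: `if (retval) free((char *)scratch); else *response = scratch;`. The `strcpy` into `errpkt.text.data` on the context line depends on an allocation made above the hunk, so its size could not be checked from here.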
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 3fc58b1ef..74b6a4e8f 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -62,6 +62,7 @@ krb5_data **response; /* filled in with a response packet */
krb5_keyblock *session_key;
int newtransited = 0;
krb5_timestamp until, rtime;
+ krb5_keyblock encrypting_key;
/* assume that we've already dealt with the AP_REQ header, so
@@ -328,7 +329,20 @@ krb5_data **response; /* filled in with a response packet */
return retval;
}
} else {
- if (retval = krb5_encrypt_tkt_part(&server.key, &ticket_reply)) {
+ /* convert server.key into a real key (it may be encrypted
+ in the database) */
+ if (retval = kdc_convert_key(&server.key, &encrypting_key,
+ CONVERT_OUTOF_DB)) {
+ cleanup();
+ return retval;
+ }
+
+ retval = krb5_encrypt_tkt_part(&encrypting_key, &ticket_reply);
+
+ bzero((char *)encrypting_key.contents, encrypting_key.length);
+ free((char *)encrypting_key.contents);
+
+ if (retval) {
cleanup();
return retval;
}
@@ -397,7 +411,7 @@ krb5_data **response;
(void) strcpy(errpkt.text.data, error_message(error+KRB5KDC_ERR_NONE));
if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) {
- free(errpkt.txt.data);
+ free(errpkt.text.data);
return ENOMEM;
}
retval = krb5_mk_error(&errpkt, scratch);