summaryrefslogtreecommitdiffstats
path: root/src/kdc/do_as_req.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/kdc/do_as_req.c')
-rw-r--r--src/kdc/do_as_req.c557
1 files changed, 279 insertions, 278 deletions
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 1feb468be..5067ff8fd 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* kdc/do_as_req.c
*
@@ -9,7 +10,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -23,7 +24,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* KDC Routines to deal with AS_REQ's
*/
@@ -64,7 +65,7 @@
#include <netinet/in.h>
#ifndef hpux
#include <arpa/inet.h>
-#endif /* hpux */
+#endif /* hpux */
#endif /* HAVE_NETINET_IN_H */
#include "kdc_util.h"
@@ -75,21 +76,21 @@
#if APPLE_PKINIT
#define AS_REQ_DEBUG 0
-#if AS_REQ_DEBUG
+#if AS_REQ_DEBUG
#define asReqDebug(args...) printf(args)
#else
#define asReqDebug(args...)
#endif
#endif /* APPLE_PKINIT */
-static krb5_error_code prepare_error_as (struct kdc_request_state *, krb5_kdc_req *, int, krb5_data *,
- krb5_principal, krb5_data **,
- const char *);
+static krb5_error_code prepare_error_as (struct kdc_request_state *, krb5_kdc_req *, int, krb5_data *,
+ krb5_principal, krb5_data **,
+ const char *);
/*ARGSUSED*/
krb5_error_code
process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
- const krb5_fulladdr *from, krb5_data **response)
+ const krb5_fulladdr *from, krb5_data **response)
{
krb5_db_entry client, server;
krb5_kdc_rep reply;
@@ -119,11 +120,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
struct kdc_request_state *state = NULL;
krb5_data encoded_req_body;
krb5_keyblock *as_encrypting_key = NULL;
-
+
#if APPLE_PKINIT
- asReqDebug("process_as_req top realm %s name %s\n",
- request->client->realm.data, request->client->data->data);
+ asReqDebug("process_as_req top realm %s name %s\n",
+ request->client->realm.data, request->client->data->data);
#endif /* APPLE_PKINIT */
ticket_reply.enc_part.ciphertext.data = 0;
@@ -138,42 +139,42 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
errcode = kdc_make_rstate(&state);
if (errcode != 0) {
- status = "constructing state";
- goto errout;
+ status = "constructing state";
+ goto errout;
}
if (fetch_asn1_field((unsigned char *) req_pkt->data,
- 1, 4, &encoded_req_body) != 0) {
+ 1, 4, &encoded_req_body) != 0) {
errcode = ASN1_BAD_ID;
status = "Finding req_body";
- goto errout;
+ goto errout;
}
errcode = kdc_find_fast(&request, &encoded_req_body, NULL /*TGS key*/, NULL, state);
if (errcode) {
- status = "error decoding FAST";
- goto errout;
+ status = "error decoding FAST";
+ goto errout;
}
request->kdc_state = state;
if (!request->client) {
- status = "NULL_CLIENT";
- errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
- goto errout;
+ status = "NULL_CLIENT";
+ errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+ goto errout;
}
if ((errcode = krb5_unparse_name(kdc_context, request->client, &cname))) {
- status = "UNPARSING_CLIENT";
- goto errout;
+ status = "UNPARSING_CLIENT";
+ goto errout;
}
limit_string(cname);
if (!request->server) {
- status = "NULL_SERVER";
- errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
- goto errout;
+ status = "NULL_SERVER";
+ errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+ goto errout;
}
if ((errcode = krb5_unparse_name(kdc_context, request->server, &sname))) {
- status = "UNPARSING_SERVER";
- goto errout;
+ status = "UNPARSING_SERVER";
+ goto errout;
}
limit_string(sname);
-
+
/*
* We set KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY as a hint
* to the backend to return naming information in lieu
@@ -185,109 +186,109 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
* always canonicalize enterprise principal names.
*/
if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE) ||
- krb5_princ_type(kdc_context,
- request->client) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
- setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
+ krb5_princ_type(kdc_context,
+ request->client) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+ setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
}
if (include_pac_p(kdc_context, request)) {
- setflag(c_flags, KRB5_KDB_FLAG_INCLUDE_PAC);
+ setflag(c_flags, KRB5_KDB_FLAG_INCLUDE_PAC);
}
c_nprincs = 1;
if ((errcode = krb5_db_get_principal_ext(kdc_context, request->client,
- c_flags, &client, &c_nprincs,
- &more))) {
- status = "LOOKING_UP_CLIENT";
- c_nprincs = 0;
- goto errout;
+ c_flags, &client, &c_nprincs,
+ &more))) {
+ status = "LOOKING_UP_CLIENT";
+ c_nprincs = 0;
+ goto errout;
}
if (more) {
- status = "NON-UNIQUE_CLIENT";
- errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
- goto errout;
+ status = "NON-UNIQUE_CLIENT";
+ errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
+ goto errout;
} else if (c_nprincs != 1) {
- status = "CLIENT_NOT_FOUND";
- if (vague_errors)
- errcode = KRB5KRB_ERR_GENERIC;
- else
- errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
- goto errout;
- }
-
+ status = "CLIENT_NOT_FOUND";
+ if (vague_errors)
+ errcode = KRB5KRB_ERR_GENERIC;
+ else
+ errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+ goto errout;
+ }
+
/*
* If the backend returned a principal that is not in the local
* realm, then we need to refer the client to that realm.
*/
if (!is_local_principal(client.princ)) {
- /* Entry is a referral to another realm */
- status = "REFERRAL";
- errcode = KRB5KDC_ERR_WRONG_REALM;
- goto errout;
+ /* Entry is a referral to another realm */
+ status = "REFERRAL";
+ errcode = KRB5KDC_ERR_WRONG_REALM;
+ goto errout;
}
-#if 0
+#if 0
/*
* Turn off canonicalization if client is marked DES only
* (unless enterprise principal name was requested)
*/
if (isflagset(client.attributes, KRB5_KDB_NON_MS_PRINCIPAL) &&
- krb5_princ_type(kdc_context,
- request->client) != KRB5_NT_ENTERPRISE_PRINCIPAL) {
- clear(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
+ krb5_princ_type(kdc_context,
+ request->client) != KRB5_NT_ENTERPRISE_PRINCIPAL) {
+ clear(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
}
#endif
-
+
s_flags = 0;
if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) {
- setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
+ setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
}
s_nprincs = 1;
if ((errcode = krb5_db_get_principal_ext(kdc_context, request->server,
- s_flags, &server,
- &s_nprincs, &more))) {
- status = "LOOKING_UP_SERVER";
- goto errout;
+ s_flags, &server,
+ &s_nprincs, &more))) {
+ status = "LOOKING_UP_SERVER";
+ goto errout;
}
if (more) {
- status = "NON-UNIQUE_SERVER";
- errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
- goto errout;
+ status = "NON-UNIQUE_SERVER";
+ errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
+ goto errout;
} else if (s_nprincs != 1) {
- status = "SERVER_NOT_FOUND";
- errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
- goto errout;
+ status = "SERVER_NOT_FOUND";
+ errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+ goto errout;
}
if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) {
- status = "TIMEOFDAY";
- goto errout;
+ status = "TIMEOFDAY";
+ goto errout;
}
authtime = kdc_time; /* for audit_as_request() */
if ((errcode = validate_as_request(request, client, server,
- kdc_time, &status, &e_data))) {
- if (!status)
- status = "UNKNOWN_REASON";
- errcode += ERROR_TABLE_BASE_krb5;
- goto errout;
+ kdc_time, &status, &e_data))) {
+ if (!status)
+ status = "UNKNOWN_REASON";
+ errcode += ERROR_TABLE_BASE_krb5;
+ goto errout;
}
-
+
/*
* Select the keytype for the ticket session key.
*/
if ((useenctype = select_session_keytype(kdc_context, &server,
- request->nktypes,
- request->ktype)) == 0) {
- /* unsupported ktype */
- status = "BAD_ENCRYPTION_TYPE";
- errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
- goto errout;
+ request->nktypes,
+ request->ktype)) == 0) {
+ /* unsupported ktype */
+ status = "BAD_ENCRYPTION_TYPE";
+ errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
+ goto errout;
}
if ((errcode = krb5_c_make_random_key(kdc_context, useenctype,
- &session_key))) {
- status = "RANDOM_KEY_FAILED";
- goto errout;
+ &session_key))) {
+ status = "RANDOM_KEY_FAILED";
+ goto errout;
}
/*
@@ -296,11 +297,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
* aliases, nothing more).
*/
if (isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE) &&
- krb5_is_tgs_principal(request->server) &&
- krb5_is_tgs_principal(server.princ)) {
- ticket_reply.server = server.princ;
+ krb5_is_tgs_principal(request->server) &&
+ krb5_is_tgs_principal(server.princ)) {
+ ticket_reply.server = server.princ;
} else {
- ticket_reply.server = request->server;
+ ticket_reply.server = request->server;
}
enc_tkt_reply.flags = 0;
@@ -308,94 +309,94 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
setflag(enc_tkt_reply.flags, TKT_FLG_INITIAL);
- /* It should be noted that local policy may affect the */
- /* processing of any of these flags. For example, some */
- /* realms may refuse to issue renewable tickets */
+ /* It should be noted that local policy may affect the */
+ /* processing of any of these flags. For example, some */
+ /* realms may refuse to issue renewable tickets */
if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE))
- setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
+ setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
if (isflagset(request->kdc_options, KDC_OPT_PROXIABLE))
- setflag(enc_tkt_reply.flags, TKT_FLG_PROXIABLE);
+ setflag(enc_tkt_reply.flags, TKT_FLG_PROXIABLE);
if (isflagset(request->kdc_options, KDC_OPT_ALLOW_POSTDATE))
- setflag(enc_tkt_reply.flags, TKT_FLG_MAY_POSTDATE);
+ setflag(enc_tkt_reply.flags, TKT_FLG_MAY_POSTDATE);
enc_tkt_reply.session = &session_key;
if (isflagset(c_flags, KRB5_KDB_FLAG_CANONICALIZE)) {
- client_princ = *(client.princ);
+ client_princ = *(client.princ);
} else {
- client_princ = *(request->client);
- /* The realm is always canonicalized */
- client_princ.realm = *(krb5_princ_realm(context, client.princ));
+ client_princ = *(request->client);
+ /* The realm is always canonicalized */
+ client_princ.realm = *(krb5_princ_realm(context, client.princ));
}
enc_tkt_reply.client = &client_princ;
enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */
if (isflagset(request->kdc_options, KDC_OPT_POSTDATED)) {
- setflag(enc_tkt_reply.flags, TKT_FLG_POSTDATED);
- setflag(enc_tkt_reply.flags, TKT_FLG_INVALID);
- enc_tkt_reply.times.starttime = request->from;
+ setflag(enc_tkt_reply.flags, TKT_FLG_POSTDATED);
+ setflag(enc_tkt_reply.flags, TKT_FLG_INVALID);
+ enc_tkt_reply.times.starttime = request->from;
} else
- enc_tkt_reply.times.starttime = kdc_time;
+ enc_tkt_reply.times.starttime = kdc_time;
kdc_get_ticket_endtime(kdc_context,
- enc_tkt_reply.times.starttime,
- kdc_infinity,
- request->till,
- &client,
- &server,
- &enc_tkt_reply.times.endtime);
+ enc_tkt_reply.times.starttime,
+ kdc_infinity,
+ request->till,
+ &client,
+ &server,
+ &enc_tkt_reply.times.endtime);
if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) &&
- !isflagset(client.attributes, KRB5_KDB_DISALLOW_RENEWABLE) &&
- (enc_tkt_reply.times.endtime < request->till)) {
+ !isflagset(client.attributes, KRB5_KDB_DISALLOW_RENEWABLE) &&
+ (enc_tkt_reply.times.endtime < request->till)) {
- /* we set the RENEWABLE option for later processing */
+ /* we set the RENEWABLE option for later processing */
- setflag(request->kdc_options, KDC_OPT_RENEWABLE);
- request->rtime = request->till;
+ setflag(request->kdc_options, KDC_OPT_RENEWABLE);
+ request->rtime = request->till;
}
rtime = (request->rtime == 0) ? kdc_infinity : request->rtime;
if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE)) {
- /*
- * XXX Should we squelch the output renew_till to be no
- * earlier than the endtime of the ticket?
- */
- setflag(enc_tkt_reply.flags, TKT_FLG_RENEWABLE);
- enc_tkt_reply.times.renew_till =
- min(rtime, enc_tkt_reply.times.starttime +
- min(client.max_renewable_life,
- min(server.max_renewable_life,
- max_renewable_life_for_realm)));
+ /*
+ * XXX Should we squelch the output renew_till to be no
+ * earlier than the endtime of the ticket?
+ */
+ setflag(enc_tkt_reply.flags, TKT_FLG_RENEWABLE);
+ enc_tkt_reply.times.renew_till =
+ min(rtime, enc_tkt_reply.times.starttime +
+ min(client.max_renewable_life,
+ min(server.max_renewable_life,
+ max_renewable_life_for_realm)));
} else
- enc_tkt_reply.times.renew_till = 0; /* XXX */
+ enc_tkt_reply.times.renew_till = 0; /* XXX */
/* starttime is optional, and treated as authtime if not present.
so we can nuke it if it matches */
if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime)
- enc_tkt_reply.times.starttime = 0;
+ enc_tkt_reply.times.starttime = 0;
enc_tkt_reply.caddrs = request->addresses;
enc_tkt_reply.authorization_data = 0;
- /*
+ /*
* Check the preauthentication if it is there.
*/
if (request->padata) {
- errcode = check_padata(kdc_context, &client, req_pkt, request,
- &enc_tkt_reply, &pa_context, &e_data);
- if (errcode) {
- if (errcode == KRB5KDC_ERR_PREAUTH_FAILED)
- get_preauth_hint_list(request, &client, &server, &e_data);
-
- status = "PREAUTH_FAILED";
- if (vague_errors)
- errcode = KRB5KRB_ERR_GENERIC;
- goto errout;
- }
+ errcode = check_padata(kdc_context, &client, req_pkt, request,
+ &enc_tkt_reply, &pa_context, &e_data);
+ if (errcode) {
+ if (errcode == KRB5KDC_ERR_PREAUTH_FAILED)
+ get_preauth_hint_list(request, &client, &server, &e_data);
+
+ status = "PREAUTH_FAILED";
+ if (vague_errors)
+ errcode = KRB5KRB_ERR_GENERIC;
+ goto errout;
+ }
}
/*
@@ -405,15 +406,15 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
*/
status = missing_required_preauth(&client, &server, &enc_tkt_reply);
if (status) {
- errcode = KRB5KDC_ERR_PREAUTH_REQUIRED;
- get_preauth_hint_list(request, &client, &server, &e_data);
- goto errout;
+ errcode = KRB5KDC_ERR_PREAUTH_REQUIRED;
+ get_preauth_hint_list(request, &client, &server, &e_data);
+ goto errout;
}
if ((errcode = validate_forwardable(request, client, server,
- kdc_time, &status))) {
- errcode += ERROR_TABLE_BASE_krb5;
- goto errout;
+ kdc_time, &status))) {
+ errcode += ERROR_TABLE_BASE_krb5;
+ goto errout;
}
ticket_reply.enc_part2 = &enc_tkt_reply;
@@ -422,12 +423,12 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
* Find the server key
*/
if ((errcode = krb5_dbe_find_enctype(kdc_context, &server,
- -1, /* ignore keytype */
- -1, /* Ignore salttype */
- 0, /* Get highest kvno */
- &server_key))) {
- status = "FINDING_SERVER_KEY";
- goto errout;
+ -1, /* ignore keytype */
+ -1, /* Ignore salttype */
+ 0, /* Get highest kvno */
+ &server_key))) {
+ status = "FINDING_SERVER_KEY";
+ goto errout;
}
if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &server,
@@ -451,33 +452,33 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
/* convert server.key into a real key (it may be encrypted
in the database) */
- if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, mkey_ptr,
- /* server_keyblock is later used to generate auth data signatures */
- server_key, &server_keyblock,
- NULL))) {
- status = "DECRYPT_SERVER_KEY";
- goto errout;
- }
-
+ if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, mkey_ptr,
+ /* server_keyblock is later used to generate auth data signatures */
+ server_key, &server_keyblock,
+ NULL))) {
+ status = "DECRYPT_SERVER_KEY";
+ goto errout;
+ }
+
/*
* Find the appropriate client key. We search in the order specified
* by request keytype list.
*/
client_key = (krb5_key_data *) NULL;
for (i = 0; i < request->nktypes; i++) {
- useenctype = request->ktype[i];
- if (!krb5_c_valid_enctype(useenctype))
- continue;
+ useenctype = request->ktype[i];
+ if (!krb5_c_valid_enctype(useenctype))
+ continue;
- if (!krb5_dbe_find_enctype(kdc_context, &client, useenctype, -1,
- 0, &client_key))
- break;
+ if (!krb5_dbe_find_enctype(kdc_context, &client, useenctype, -1,
+ 0, &client_key))
+ break;
}
if (!(client_key)) {
- /* Cannot find an appropriate key */
- status = "CANT_FIND_CLIENT_KEY";
- errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
- goto errout;
+ /* Cannot find an appropriate key */
+ status = "CANT_FIND_CLIENT_KEY";
+ errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
+ goto errout;
}
if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &client,
@@ -500,11 +501,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
}
/* convert client.key_data into a real key */
- if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, mkey_ptr,
- client_key, &client_keyblock,
- NULL))) {
- status = "DECRYPT_CLIENT_KEY";
- goto errout;
+ if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, mkey_ptr,
+ client_key, &client_keyblock,
+ NULL))) {
+ status = "DECRYPT_CLIENT_KEY";
+ goto errout;
}
client_keyblock.enctype = useenctype;
@@ -514,8 +515,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
reply.ticket = &ticket_reply;
reply_encpart.session = &session_key;
if ((errcode = fetch_last_req_info(&client, &reply_encpart.last_req))) {
- status = "FETCH_LAST_REQ";
- goto errout;
+ status = "FETCH_LAST_REQ";
+ goto errout;
}
reply_encpart.nonce = request->nonce;
reply_encpart.key_exp = client.expiration;
@@ -533,54 +534,54 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
/* Fetch the padata info to be returned (do this before
authdata to handle possible replacement of reply key */
errcode = return_padata(kdc_context, &client, req_pkt, request,
- &reply, client_key, &client_keyblock, &pa_context);
+ &reply, client_key, &client_keyblock, &pa_context);
if (errcode) {
- status = "KDC_RETURN_PADATA";
- goto errout;
+ status = "KDC_RETURN_PADATA";
+ goto errout;
}
#if APPLE_PKINIT
- asReqDebug("process_as_req reply realm %s name %s\n",
- reply.client->realm.data, reply.client->data->data);
+ asReqDebug("process_as_req reply realm %s name %s\n",
+ reply.client->realm.data, reply.client->data->data);
#endif /* APPLE_PKINIT */
errcode = return_svr_referral_data(kdc_context,
- &server, &reply_encpart);
+ &server, &reply_encpart);
if (errcode) {
- status = "KDC_RETURN_ENC_PADATA";
- goto errout;
+ status = "KDC_RETURN_ENC_PADATA";
+ goto errout;
}
-
+
errcode = handle_authdata(kdc_context,
- c_flags,
- &client,
- &server,
- &server,
- &client_keyblock,
- &server_keyblock,
- &server_keyblock,
- req_pkt,
- request,
- NULL, /* for_user_princ */
- NULL, /* enc_tkt_request */
- &enc_tkt_reply);
+ c_flags,
+ &client,
+ &server,
+ &server,
+ &client_keyblock,
+ &server_keyblock,
+ &server_keyblock,
+ req_pkt,
+ request,
+ NULL, /* for_user_princ */
+ NULL, /* enc_tkt_request */
+ &enc_tkt_reply);
if (errcode) {
- krb5_klog_syslog(LOG_INFO, "AS_REQ : handle_authdata (%d)", errcode);
- status = "HANDLE_AUTHDATA";
- goto errout;
+ krb5_klog_syslog(LOG_INFO, "AS_REQ : handle_authdata (%d)", errcode);
+ status = "HANDLE_AUTHDATA";
+ goto errout;
}
errcode = krb5_encrypt_tkt_part(kdc_context, &server_keyblock, &ticket_reply);
if (errcode) {
- status = "ENCRYPTING_TICKET";
- goto errout;
+ status = "ENCRYPTING_TICKET";
+ goto errout;
}
ticket_reply.enc_part.kvno = server_key->key_data_kvno;
errcode = kdc_fast_response_handle_padata(state, request, &reply, client_keyblock.enctype);
if (errcode) {
- status = "fast response handling";
- goto errout;
+ status = "fast response handling";
+ goto errout;
}
/* now encode/encrypt the response */
@@ -589,24 +590,24 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
errcode = kdc_fast_handle_reply_key(state, &client_keyblock, &as_encrypting_key);
if (errcode) {
- status = "generating reply key";
- goto errout;
+ status = "generating reply key";
+ goto errout;
}
- errcode = krb5_encode_kdc_rep(kdc_context, KRB5_AS_REP, &reply_encpart,
- 0, as_encrypting_key, &reply, response);
+ errcode = krb5_encode_kdc_rep(kdc_context, KRB5_AS_REP, &reply_encpart,
+ 0, as_encrypting_key, &reply, response);
reply.enc_part.kvno = client_key->key_data_kvno;
if (errcode) {
- status = "ENCODE_KDC_REP";
- goto errout;
+ status = "ENCODE_KDC_REP";
+ goto errout;
}
-
+
/* these parts are left on as a courtesy from krb5_encode_kdc_rep so we
can use them in raw form if needed. But, we don't... */
memset(reply.enc_part.ciphertext.data, 0, reply.enc_part.ciphertext.length);
free(reply.enc_part.ciphertext.data);
log_as_req(from, request, &reply, &client, cname, &server, sname,
- authtime, 0, 0, 0);
+ authtime, 0, 0, 0);
did_log = 1;
goto egress;
@@ -617,56 +618,56 @@ errout:
egress:
if (pa_context)
- free_padata_context(kdc_context, &pa_context);
+ free_padata_context(kdc_context, &pa_context);
if (as_encrypting_key)
- krb5_free_keyblock(kdc_context, as_encrypting_key);
+ krb5_free_keyblock(kdc_context, as_encrypting_key);
if (errcode)
- emsg = krb5_get_error_message(kdc_context, errcode);
+ emsg = krb5_get_error_message(kdc_context, errcode);
if (status) {
- log_as_req(from, request, &reply, &client, cname, &server, sname,
- authtime, status, errcode, emsg);
- did_log = 1;
+ log_as_req(from, request, &reply, &client, cname, &server, sname,
+ authtime, status, errcode, emsg);
+ did_log = 1;
}
if (errcode) {
- if (status == 0) {
- status = emsg;
- }
- errcode -= ERROR_TABLE_BASE_krb5;
- if (errcode < 0 || errcode > 128)
- errcode = KRB_ERR_GENERIC;
-
- errcode = prepare_error_as(state, request, errcode, &e_data,
- c_nprincs ? client.princ : NULL,
- response, status);
- status = 0;
+ if (status == 0) {
+ status = emsg;
+ }
+ errcode -= ERROR_TABLE_BASE_krb5;
+ if (errcode < 0 || errcode > 128)
+ errcode = KRB_ERR_GENERIC;
+
+ errcode = prepare_error_as(state, request, errcode, &e_data,
+ c_nprincs ? client.princ : NULL,
+ response, status);
+ status = 0;
}
if (emsg)
- krb5_free_error_message(kdc_context, emsg);
+ krb5_free_error_message(kdc_context, emsg);
if (enc_tkt_reply.authorization_data != NULL)
- krb5_free_authdata(kdc_context, enc_tkt_reply.authorization_data);
+ krb5_free_authdata(kdc_context, enc_tkt_reply.authorization_data);
if (server_keyblock.contents != NULL)
- krb5_free_keyblock_contents(kdc_context, &server_keyblock);
+ krb5_free_keyblock_contents(kdc_context, &server_keyblock);
if (client_keyblock.contents != NULL)
- krb5_free_keyblock_contents(kdc_context, &client_keyblock);
+ krb5_free_keyblock_contents(kdc_context, &client_keyblock);
if (reply.padata != NULL)
- krb5_free_pa_data(kdc_context, reply.padata);
+ krb5_free_pa_data(kdc_context, reply.padata);
if (cname != NULL)
- free(cname);
+ free(cname);
if (sname != NULL)
- free(sname);
+ free(sname);
if (c_nprincs)
- krb5_db_free_principal(kdc_context, &client, c_nprincs);
+ krb5_db_free_principal(kdc_context, &client, c_nprincs);
if (s_nprincs)
- krb5_db_free_principal(kdc_context, &server, s_nprincs);
+ krb5_db_free_principal(kdc_context, &server, s_nprincs);
if (session_key.contents != NULL)
- krb5_free_keyblock_contents(kdc_context, &session_key);
+ krb5_free_keyblock_contents(kdc_context, &session_key);
if (ticket_reply.enc_part.ciphertext.data != NULL) {
- memset(ticket_reply.enc_part.ciphertext.data , 0,
- ticket_reply.enc_part.ciphertext.length);
- free(ticket_reply.enc_part.ciphertext.data);
+ memset(ticket_reply.enc_part.ciphertext.data , 0,
+ ticket_reply.enc_part.ciphertext.length);
+ free(ticket_reply.enc_part.ciphertext.data);
}
krb5_free_data_contents(kdc_context, &e_data);
@@ -679,8 +680,8 @@ egress:
static krb5_error_code
prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request, int error, krb5_data *e_data,
- krb5_principal canon_client, krb5_data **response,
- const char *status)
+ krb5_principal canon_client, krb5_data **response,
+ const char *status)
{
krb5_error errpkt;
krb5_error_code retval;
@@ -688,66 +689,66 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request, int e
krb5_pa_data **pa = NULL;
krb5_typed_data **td = NULL;
size_t size;
-
+
errpkt.ctime = request->nonce;
errpkt.cusec = 0;
if ((retval = krb5_us_timeofday(kdc_context, &errpkt.stime,
- &errpkt.susec)))
- return(retval);
+ &errpkt.susec)))
+ return(retval);
errpkt.error = error;
errpkt.server = request->server;
if (error == KRB5KDC_ERR_WRONG_REALM)
- errpkt.client = canon_client;
+ errpkt.client = canon_client;
else
- errpkt.client = request->client;
+ errpkt.client = request->client;
errpkt.text.length = strlen(status) + 1;
if (!(errpkt.text.data = strdup(status)))
- return ENOMEM;
+ return ENOMEM;
if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) {
- free(errpkt.text.data);
- return ENOMEM;
+ free(errpkt.text.data);
+ return ENOMEM;
}
if (e_data != NULL&& e_data->data != NULL) {
- errpkt.e_data = *e_data;
+ errpkt.e_data = *e_data;
} else {
- errpkt.e_data.length = 0;
- errpkt.e_data.data = NULL;
+ errpkt.e_data.length = 0;
+ errpkt.e_data.data = NULL;
}
/*We need to try and produce a padata sequence for FAST*/
retval = decode_krb5_padata_sequence(e_data, &pa);
if (retval != 0) {
- retval = decode_krb5_typed_data(e_data, &td);
- if (retval == 0) {
- for (size =0; td[size]; size++);
- pa = calloc(size+1, sizeof(*pa));
- if (pa == NULL)
- retval = ENOMEM;
- else for (size = 0; td[size]; size++) {
- krb5_pa_data *pad = malloc(sizeof(krb5_pa_data ));
- if (pad == NULL) {
- retval = ENOMEM;
- break;
- }
- pad->pa_type = td[size]->type;
- pad->contents = td[size]->data;
- pad->length = td[size]->length;
- pa[size] = pad;
- }
- krb5_free_typed_data(kdc_context, td);
- }
+ retval = decode_krb5_typed_data(e_data, &td);
+ if (retval == 0) {
+ for (size =0; td[size]; size++);
+ pa = calloc(size+1, sizeof(*pa));
+ if (pa == NULL)
+ retval = ENOMEM;
+ else for (size = 0; td[size]; size++) {
+ krb5_pa_data *pad = malloc(sizeof(krb5_pa_data ));
+ if (pad == NULL) {
+ retval = ENOMEM;
+ break;
+ }
+ pad->pa_type = td[size]->type;
+ pad->contents = td[size]->data;
+ pad->length = td[size]->length;
+ pa[size] = pad;
+ }
+ krb5_free_typed_data(kdc_context, td);
+ }
}
retval = kdc_fast_handle_error(kdc_context, rstate,
- request, pa, &errpkt);
+ request, pa, &errpkt);
if (retval == 0)
- retval = krb5_mk_error(kdc_context, &errpkt, scratch);
+ retval = krb5_mk_error(kdc_context, &errpkt, scratch);
free(errpkt.text.data);
if (retval)
- free(scratch);
- else
- *response = scratch;
+ free(scratch);
+ else
+ *response = scratch;
krb5_free_pa_data(kdc_context, pa);
return retval;
}
generated by cgit (git 2.34.1) at 2024-09-20 01:31:32 +0000