diff options
Diffstat (limited to 'crypto/heimdal/kdc/524.c')
-rw-r--r-- | crypto/heimdal/kdc/524.c | 167 |
1 files changed, 98 insertions, 69 deletions
diff --git a/crypto/heimdal/kdc/524.c b/crypto/heimdal/kdc/524.c index 225594e6fcd1..3e4ad292537b 100644 --- a/crypto/heimdal/kdc/524.c +++ b/crypto/heimdal/kdc/524.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,11 +33,9 @@ #include "kdc_locl.h" -RCSID("$Id: 524.c,v 1.29 2003/03/17 05:35:47 assar Exp $"); +RCSID("$Id: 524.c 18270 2006-10-06 17:06:30Z lha $"); -#ifndef KRB4 #include <krb5-v4compat.h> -#endif /* * fetch the server from `t', returning the name in malloced memory in @@ -45,30 +43,35 @@ RCSID("$Id: 524.c,v 1.29 2003/03/17 05:35:47 assar Exp $"); */ static krb5_error_code -fetch_server (const Ticket *t, +fetch_server (krb5_context context, + krb5_kdc_configuration *config, + const Ticket *t, char **spn, - hdb_entry **server, + hdb_entry_ex **server, const char *from) { krb5_error_code ret; krb5_principal sprinc; - ret = principalname2krb5_principal(&sprinc, t->sname, t->realm); + ret = _krb5_principalname2krb5_principal(context, &sprinc, + t->sname, t->realm); if (ret) { - kdc_log(0, "principalname2krb5_principal: %s", + kdc_log(context, config, 0, "_krb5_principalname2krb5_principal: %s", krb5_get_err_text(context, ret)); return ret; } ret = krb5_unparse_name(context, sprinc, spn); if (ret) { krb5_free_principal(context, sprinc); - kdc_log(0, "krb5_unparse_name: %s", krb5_get_err_text(context, ret)); + kdc_log(context, config, 0, "krb5_unparse_name: %s", + krb5_get_err_text(context, ret)); return ret; } - ret = db_fetch(sprinc, server); + ret = _kdc_db_fetch(context, config, sprinc, HDB_F_GET_SERVER, + NULL, server); krb5_free_principal(context, sprinc); if (ret) { - kdc_log(0, + kdc_log(context, config, 0, "Request to convert ticket from %s for unknown principal %s: %s", from, *spn, krb5_get_err_text(context, ret)); if (ret == HDB_ERR_NOENTRY) @@ -79,7 +82,9 @@ fetch_server (const Ticket *t, } static krb5_error_code -log_524 (const EncTicketPart *et, +log_524 (krb5_context context, + krb5_kdc_configuration *config, + const EncTicketPart *et, const char *from, const char *spn) { @@ -87,35 +92,38 @@ log_524 (const EncTicketPart *et, char *cpn; krb5_error_code ret; - ret = principalname2krb5_principal(&client, et->cname, et->crealm); + ret = _krb5_principalname2krb5_principal(context, &client, + et->cname, et->crealm); if (ret) { - kdc_log(0, "principalname2krb5_principal: %s", + kdc_log(context, config, 0, "_krb5_principalname2krb5_principal: %s", krb5_get_err_text (context, ret)); return ret; } ret = krb5_unparse_name(context, client, &cpn); if (ret) { krb5_free_principal(context, client); - kdc_log(0, "krb5_unparse_name: %s", + kdc_log(context, config, 0, "krb5_unparse_name: %s", krb5_get_err_text (context, ret)); return ret; } - kdc_log(1, "524-REQ %s from %s for %s", cpn, from, spn); + kdc_log(context, config, 1, "524-REQ %s from %s for %s", cpn, from, spn); free(cpn); krb5_free_principal(context, client); return 0; } static krb5_error_code -verify_flags (const EncTicketPart *et, +verify_flags (krb5_context context, + krb5_kdc_configuration *config, + const EncTicketPart *et, const char *spn) { if(et->endtime < kdc_time){ - kdc_log(0, "Ticket expired (%s)", spn); + kdc_log(context, config, 0, "Ticket expired (%s)", spn); return KRB5KRB_AP_ERR_TKT_EXPIRED; } if(et->flags.invalid){ - kdc_log(0, "Ticket not valid (%s)", spn); + kdc_log(context, config, 0, "Ticket not valid (%s)", spn); return KRB5KRB_AP_ERR_TKT_NYV; } return 0; @@ -127,7 +135,9 @@ verify_flags (const EncTicketPart *et, */ static krb5_error_code -set_address (EncTicketPart *et, +set_address (krb5_context context, + krb5_kdc_configuration *config, + EncTicketPart *et, struct sockaddr *addr, const char *from) { @@ -141,12 +151,12 @@ set_address (EncTicketPart *et, ret = krb5_sockaddr2address(context, addr, v4_addr); if(ret) { free (v4_addr); - kdc_log(0, "Failed to convert address (%s)", from); + kdc_log(context, config, 0, "Failed to convert address (%s)", from); return ret; } if (et->caddr && !krb5_address_search (context, v4_addr, et->caddr)) { - kdc_log(0, "Incorrect network address (%s)", from); + kdc_log(context, config, 0, "Incorrect network address (%s)", from); krb5_free_address(context, v4_addr); free (v4_addr); return KRB5KRB_AP_ERR_BADADDR; @@ -177,7 +187,9 @@ set_address (EncTicketPart *et, static krb5_error_code -encrypt_v4_ticket(void *buf, +encrypt_v4_ticket(krb5_context context, + krb5_kdc_configuration *config, + void *buf, size_t len, krb5_keyblock *skey, EncryptedData *reply) @@ -187,7 +199,7 @@ encrypt_v4_ticket(void *buf, ret = krb5_crypto_init(context, skey, ETYPE_DES_PCBC_NONE, &crypto); if (ret) { free(buf); - kdc_log(0, "krb5_crypto_init failed: %s", + kdc_log(context, config, 0, "krb5_crypto_init failed: %s", krb5_get_err_text(context, ret)); return ret; } @@ -201,7 +213,7 @@ encrypt_v4_ticket(void *buf, reply); krb5_crypto_destroy(context, crypto); if(ret) { - kdc_log(0, "Failed to encrypt data: %s", + kdc_log(context, config, 0, "Failed to encrypt data: %s", krb5_get_err_text(context, ret)); return ret; } @@ -209,8 +221,11 @@ encrypt_v4_ticket(void *buf, } static krb5_error_code -encode_524_response(const char *spn, const EncTicketPart et, const Ticket *t, - hdb_entry *server, EncryptedData *ticket, int *kvno) +encode_524_response(krb5_context context, + krb5_kdc_configuration *config, + const char *spn, const EncTicketPart et, + const Ticket *t, hdb_entry_ex *server, + EncryptedData *ticket, int *kvno) { krb5_error_code ret; int use_2b; @@ -223,7 +238,8 @@ encode_524_response(const char *spn, const EncTicketPart et, const Ticket *t, &t->enc_part, &len, ret); if (ret) { - kdc_log(0, "Failed to encode v4 (2b) ticket (%s)", spn); + kdc_log(context, config, 0, + "Failed to encode v4 (2b) ticket (%s)", spn); return ret; } @@ -234,30 +250,34 @@ encode_524_response(const char *spn, const EncTicketPart et, const Ticket *t, unsigned char buf[MAX_KTXT_LEN + 4 * 4]; Key *skey; - if (!enable_v4_cross_realm && strcmp (et.crealm, t->realm) != 0) { - kdc_log(0, "524 cross-realm %s -> %s disabled", et.crealm, + if (!config->enable_v4_cross_realm && strcmp (et.crealm, t->realm) != 0) { + kdc_log(context, config, 0, "524 cross-realm %s -> %s disabled", et.crealm, t->realm); return KRB5KDC_ERR_POLICY; } - ret = encode_v4_ticket(buf + sizeof(buf) - 1, sizeof(buf), - &et, &t->sname, &len); + ret = _kdc_encode_v4_ticket(context, config, + buf + sizeof(buf) - 1, sizeof(buf), + &et, &t->sname, &len); if(ret){ - kdc_log(0, "Failed to encode v4 ticket (%s)", spn); + kdc_log(context, config, 0, + "Failed to encode v4 ticket (%s)", spn); return ret; } - ret = get_des_key(server, TRUE, FALSE, &skey); + ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey); if(ret){ - kdc_log(0, "no suitable DES key for server (%s)", spn); + kdc_log(context, config, 0, + "no suitable DES key for server (%s)", spn); return ret; } - ret = encrypt_v4_ticket(buf + sizeof(buf) - len, len, + ret = encrypt_v4_ticket(context, config, buf + sizeof(buf) - len, len, &skey->key, ticket); if(ret){ - kdc_log(0, "Failed to encrypt v4 ticket (%s)", spn); + kdc_log(context, config, 0, + "Failed to encrypt v4 ticket (%s)", spn); return ret; } - *kvno = server->kvno; + *kvno = server->entry.kvno; } return 0; @@ -269,12 +289,14 @@ encode_524_response(const char *spn, const EncTicketPart et, const Ticket *t, */ krb5_error_code -do_524(const Ticket *t, krb5_data *reply, - const char *from, struct sockaddr *addr) +_kdc_do_524(krb5_context context, + krb5_kdc_configuration *config, + const Ticket *t, krb5_data *reply, + const char *from, struct sockaddr *addr) { krb5_error_code ret = 0; krb5_crypto crypto; - hdb_entry *server = NULL; + hdb_entry_ex *server = NULL; Key *skey; krb5_data et_data; EncTicketPart et; @@ -283,27 +305,29 @@ do_524(const Ticket *t, krb5_data *reply, char *spn = NULL; unsigned char buf[MAX_KTXT_LEN + 4 * 4]; size_t len; - int kvno; + int kvno = 0; - if(!enable_524) { + if(!config->enable_524) { ret = KRB5KDC_ERR_POLICY; - kdc_log(0, "Rejected ticket conversion request from %s", from); + kdc_log(context, config, 0, + "Rejected ticket conversion request from %s", from); goto out; } - ret = fetch_server (t, &spn, &server, from); + ret = fetch_server (context, config, t, &spn, &server, from); if (ret) { goto out; } - ret = hdb_enctype2key(context, server, t->enc_part.etype, &skey); + ret = hdb_enctype2key(context, &server->entry, t->enc_part.etype, &skey); if(ret){ - kdc_log(0, "No suitable key found for server (%s) from %s", spn, from); + kdc_log(context, config, 0, + "No suitable key found for server (%s) from %s", spn, from); goto out; } ret = krb5_crypto_init(context, &skey->key, 0, &crypto); if (ret) { - kdc_log(0, "krb5_crypto_init failed: %s", + kdc_log(context, config, 0, "krb5_crypto_init failed: %s", krb5_get_err_text(context, ret)); goto out; } @@ -314,58 +338,63 @@ do_524(const Ticket *t, krb5_data *reply, &et_data); krb5_crypto_destroy(context, crypto); if(ret){ - kdc_log(0, "Failed to decrypt ticket from %s for %s", from, spn); + kdc_log(context, config, 0, + "Failed to decrypt ticket from %s for %s", from, spn); goto out; } ret = krb5_decode_EncTicketPart(context, et_data.data, et_data.length, &et, &len); krb5_data_free(&et_data); if(ret){ - kdc_log(0, "Failed to decode ticket from %s for %s", from, spn); + kdc_log(context, config, 0, + "Failed to decode ticket from %s for %s", from, spn); goto out; } - ret = log_524 (&et, from, spn); + ret = log_524 (context, config, &et, from, spn); if (ret) { free_EncTicketPart(&et); goto out; } - ret = verify_flags (&et, spn); + ret = verify_flags (context, config, &et, spn); if (ret) { free_EncTicketPart(&et); goto out; } - ret = set_address (&et, addr, from); + ret = set_address (context, config, &et, addr, from); if (ret) { free_EncTicketPart(&et); goto out; } - ret = encode_524_response(spn, et, t, server, &ticket, &kvno); + ret = encode_524_response(context, config, spn, et, t, + server, &ticket, &kvno); free_EncTicketPart(&et); -out: + out: /* make reply */ memset(buf, 0, sizeof(buf)); sp = krb5_storage_from_mem(buf, sizeof(buf)); - krb5_store_int32(sp, ret); - if(ret == 0){ - krb5_store_int32(sp, kvno); - krb5_store_data(sp, ticket.cipher); - /* Aargh! This is coded as a KTEXT_ST. */ - krb5_storage_seek(sp, MAX_KTXT_LEN - ticket.cipher.length, SEEK_CUR); - krb5_store_int32(sp, 0); /* mbz */ - free_EncryptedData(&ticket); - } - ret = krb5_storage_to_data(sp, reply); - reply->length = krb5_storage_seek(sp, 0, SEEK_CUR); - krb5_storage_free(sp); - + if (sp) { + krb5_store_int32(sp, ret); + if(ret == 0){ + krb5_store_int32(sp, kvno); + krb5_store_data(sp, ticket.cipher); + /* Aargh! This is coded as a KTEXT_ST. */ + krb5_storage_seek(sp, MAX_KTXT_LEN - ticket.cipher.length, SEEK_CUR); + krb5_store_int32(sp, 0); /* mbz */ + free_EncryptedData(&ticket); + } + ret = krb5_storage_to_data(sp, reply); + reply->length = krb5_storage_seek(sp, 0, SEEK_CUR); + krb5_storage_free(sp); + } else + krb5_data_zero(reply); if(spn) free(spn); if(server) - free_ent (server); + _kdc_free_ent (context, server); return ret; } |