Diffstat (limited to 'crypto/heimdal/kdc/524.c')
-rw-r--r--crypto/heimdal/kdc/524.c167
1 files changed, 98 insertions, 69 deletions
diff --git a/crypto/heimdal/kdc/524.c b/crypto/heimdal/kdc/524.c
index 225594e6fcd1..3e4ad292537b 100644
--- a/crypto/heimdal/kdc/524.c
+++ b/crypto/heimdal/kdc/524.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,11 +33,9 @@
#include "kdc_locl.h"
-RCSID("$Id: 524.c,v 1.29 2003/03/17 05:35:47 assar Exp $");
+RCSID("$Id: 524.c 18270 2006-10-06 17:06:30Z lha $");
-#ifndef KRB4
#include <krb5-v4compat.h>
-#endif
/*
* fetch the server from `t', returning the name in malloced memory in
@@ -45,30 +43,35 @@ RCSID("$Id: 524.c,v 1.29 2003/03/17 05:35:47 assar Exp $");
*/
static krb5_error_code
-fetch_server (const Ticket *t,
+fetch_server (krb5_context context,
+ krb5_kdc_configuration *config,
+ const Ticket *t,
char **spn,
- hdb_entry **server,
+ hdb_entry_ex **server,
const char *from)
{
krb5_error_code ret;
krb5_principal sprinc;
- ret = principalname2krb5_principal(&sprinc, t->sname, t->realm);
+ ret = _krb5_principalname2krb5_principal(context, &sprinc,
+ t->sname, t->realm);
if (ret) {
- kdc_log(0, "principalname2krb5_principal: %s",
+ kdc_log(context, config, 0, "_krb5_principalname2krb5_principal: %s",
krb5_get_err_text(context, ret));
return ret;
}
ret = krb5_unparse_name(context, sprinc, spn);
if (ret) {
krb5_free_principal(context, sprinc);
- kdc_log(0, "krb5_unparse_name: %s", krb5_get_err_text(context, ret));
+ kdc_log(context, config, 0, "krb5_unparse_name: %s",
+ krb5_get_err_text(context, ret));
return ret;
}
- ret = db_fetch(sprinc, server);
+ ret = _kdc_db_fetch(context, config, sprinc, HDB_F_GET_SERVER,
+ NULL, server);
krb5_free_principal(context, sprinc);
if (ret) {
- kdc_log(0,
+ kdc_log(context, config, 0,
"Request to convert ticket from %s for unknown principal %s: %s",
from, *spn, krb5_get_err_text(context, ret));
if (ret == HDB_ERR_NOENTRY)
@@ -79,7 +82,9 @@ fetch_server (const Ticket *t,
}
static krb5_error_code
-log_524 (const EncTicketPart *et,
+log_524 (krb5_context context,
+ krb5_kdc_configuration *config,
+ const EncTicketPart *et,
const char *from,
const char *spn)
{
@@ -87,35 +92,38 @@ log_524 (const EncTicketPart *et,
char *cpn;
krb5_error_code ret;
- ret = principalname2krb5_principal(&client, et->cname, et->crealm);
+ ret = _krb5_principalname2krb5_principal(context, &client,
+ et->cname, et->crealm);
if (ret) {
- kdc_log(0, "principalname2krb5_principal: %s",
+ kdc_log(context, config, 0, "_krb5_principalname2krb5_principal: %s",
krb5_get_err_text (context, ret));
return ret;
}
ret = krb5_unparse_name(context, client, &cpn);
if (ret) {
krb5_free_principal(context, client);
- kdc_log(0, "krb5_unparse_name: %s",
+ kdc_log(context, config, 0, "krb5_unparse_name: %s",
krb5_get_err_text (context, ret));
return ret;
}
- kdc_log(1, "524-REQ %s from %s for %s", cpn, from, spn);
+ kdc_log(context, config, 1, "524-REQ %s from %s for %s", cpn, from, spn);
free(cpn);
krb5_free_principal(context, client);
return 0;
}
static krb5_error_code
-verify_flags (const EncTicketPart *et,
+verify_flags (krb5_context context,
+ krb5_kdc_configuration *config,
+ const EncTicketPart *et,
const char *spn)
{
if(et->endtime < kdc_time){
- kdc_log(0, "Ticket expired (%s)", spn);
+ kdc_log(context, config, 0, "Ticket expired (%s)", spn);
return KRB5KRB_AP_ERR_TKT_EXPIRED;
}
if(et->flags.invalid){
- kdc_log(0, "Ticket not valid (%s)", spn);
+ kdc_log(context, config, 0, "Ticket not valid (%s)", spn);
return KRB5KRB_AP_ERR_TKT_NYV;
}
return 0;
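Review bot: verify_flags still compares `et->endtime` against a bare `kdc_time` (the line just after the new `config` parameter lands), which looks like file- or module-scope global state, while the rest of this commit threads `context` and `config` through every helper precisely to get rid of such globals. If that is the intent, the request time should arrive the same way the configuration now does, e.g. as an explicit parameter or a field read through `config`, rather than being the one remaining implicit input to a check that decides whether an expired ticket is converted. The two checks here (expiry, `flags.invalid`) are the whole validation of the decrypted ticket before conversion, so a short comment stating that, `/* only expiry and the invalid flag are checked; caller has already verified the ticket's encryption */`, would help the next reader.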
@@ -127,7 +135,9 @@ verify_flags (const EncTicketPart *et,
*/
static krb5_error_code
-set_address (EncTicketPart *et,
+set_address (krb5_context context,
+ krb5_kdc_configuration *config,
+ EncTicketPart *et,
struct sockaddr *addr,
const char *from)
{
@@ -141,12 +151,12 @@ set_address (EncTicketPart *et,
ret = krb5_sockaddr2address(context, addr, v4_addr);
if(ret) {
free (v4_addr);
- kdc_log(0, "Failed to convert address (%s)", from);
+ kdc_log(context, config, 0, "Failed to convert address (%s)", from);
return ret;
}
if (et->caddr && !krb5_address_search (context, v4_addr, et->caddr)) {
- kdc_log(0, "Incorrect network address (%s)", from);
+ kdc_log(context, config, 0, "Incorrect network address (%s)", from);
krb5_free_address(context, v4_addr);
free (v4_addr);
return KRB5KRB_AP_ERR_BADADDR;
@@ -177,7 +187,9 @@ set_address (EncTicketPart *et,
static krb5_error_code
-encrypt_v4_ticket(void *buf,
+encrypt_v4_ticket(krb5_context context,
+ krb5_kdc_configuration *config,
+ void *buf,
size_t len,
krb5_keyblock *skey,
EncryptedData *reply)
@@ -187,7 +199,7 @@ encrypt_v4_ticket(void *buf,
ret = krb5_crypto_init(context, skey, ETYPE_DES_PCBC_NONE, &crypto);
if (ret) {
free(buf);
- kdc_log(0, "krb5_crypto_init failed: %s",
+ kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
krb5_get_err_text(context, ret));
return ret;
}
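Review bot: The `free(buf)` on the krb5_crypto_init failure path is freeing memory this function does not own, and the only caller on this page, encode_524_response, passes `buf + sizeof(buf) - len` where `buf` is a stack array (`unsigned char buf[MAX_KTXT_LEN + 4 * 4]`), so on that path this is undefined behaviour; the parallel failure path in the next hunk (`Failed to encrypt data`) does not free it, which confirms the line is a leftover rather than a contract. Delete `free(buf);` here and leave cleanup of the caller's buffer to the caller. The signature of encrypt_v4_ticket is in the preceding hunk; a `/* buf is owned by the caller and is not freed here */` comment on it would document the ownership the function now honours.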
@@ -201,7 +213,7 @@ encrypt_v4_ticket(void *buf,
reply);
krb5_crypto_destroy(context, crypto);
if(ret) {
- kdc_log(0, "Failed to encrypt data: %s",
+ kdc_log(context, config, 0, "Failed to encrypt data: %s",
krb5_get_err_text(context, ret));
return ret;
}
@@ -209,8 +221,11 @@ encrypt_v4_ticket(void *buf,
}
static krb5_error_code
-encode_524_response(const char *spn, const EncTicketPart et, const Ticket *t,
- hdb_entry *server, EncryptedData *ticket, int *kvno)
+encode_524_response(krb5_context context,
+ krb5_kdc_configuration *config,
+ const char *spn, const EncTicketPart et,
+ const Ticket *t, hdb_entry_ex *server,
+ EncryptedData *ticket, int *kvno)
{
krb5_error_code ret;
int use_2b;
@@ -223,7 +238,8 @@ encode_524_response(const char *spn, const EncTicketPart et, const Ticket *t,
&t->enc_part, &len, ret);
if (ret) {
- kdc_log(0, "Failed to encode v4 (2b) ticket (%s)", spn);
+ kdc_log(context, config, 0,
+ "Failed to encode v4 (2b) ticket (%s)", spn);
return ret;
}
@@ -234,30 +250,34 @@ encode_524_response(const char *spn, const EncTicketPart et, const Ticket *t,
unsigned char buf[MAX_KTXT_LEN + 4 * 4];
Key *skey;
- if (!enable_v4_cross_realm && strcmp (et.crealm, t->realm) != 0) {
- kdc_log(0, "524 cross-realm %s -> %s disabled", et.crealm,
+ if (!config->enable_v4_cross_realm && strcmp (et.crealm, t->realm) != 0) {
+ kdc_log(context, config, 0, "524 cross-realm %s -> %s disabled", et.crealm,
t->realm);
return KRB5KDC_ERR_POLICY;
}
- ret = encode_v4_ticket(buf + sizeof(buf) - 1, sizeof(buf),
- &et, &t->sname, &len);
+ ret = _kdc_encode_v4_ticket(context, config,
+ buf + sizeof(buf) - 1, sizeof(buf),
+ &et, &t->sname, &len);
if(ret){
- kdc_log(0, "Failed to encode v4 ticket (%s)", spn);
+ kdc_log(context, config, 0,
+ "Failed to encode v4 ticket (%s)", spn);
return ret;
}
- ret = get_des_key(server, TRUE, FALSE, &skey);
+ ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
if(ret){
- kdc_log(0, "no suitable DES key for server (%s)", spn);
+ kdc_log(context, config, 0,
+ "no suitable DES key for server (%s)", spn);
return ret;
}
- ret = encrypt_v4_ticket(buf + sizeof(buf) - len, len,
+ ret = encrypt_v4_ticket(context, config, buf + sizeof(buf) - len, len,
&skey->key, ticket);
if(ret){
- kdc_log(0, "Failed to encrypt v4 ticket (%s)", spn);
+ kdc_log(context, config, 0,
+ "Failed to encrypt v4 ticket (%s)", spn);
return ret;
}
- *kvno = server->kvno;
+ *kvno = server->entry.kvno;
}
return 0;
@@ -269,12 +289,14 @@ encode_524_response(const char *spn, const EncTicketPart et, const Ticket *t,
*/
krb5_error_code
-do_524(const Ticket *t, krb5_data *reply,
- const char *from, struct sockaddr *addr)
+_kdc_do_524(krb5_context context,
+ krb5_kdc_configuration *config,
+ const Ticket *t, krb5_data *reply,
+ const char *from, struct sockaddr *addr)
{
krb5_error_code ret = 0;
krb5_crypto crypto;
- hdb_entry *server = NULL;
+ hdb_entry_ex *server = NULL;
Key *skey;
krb5_data et_data;
EncTicketPart et;
@@ -283,27 +305,29 @@ do_524(const Ticket *t, krb5_data *reply,
char *spn = NULL;
unsigned char buf[MAX_KTXT_LEN + 4 * 4];
size_t len;
- int kvno;
+ int kvno = 0;
- if(!enable_524) {
+ if(!config->enable_524) {
ret = KRB5KDC_ERR_POLICY;
- kdc_log(0, "Rejected ticket conversion request from %s", from);
+ kdc_log(context, config, 0,
+ "Rejected ticket conversion request from %s", from);
goto out;
}
- ret = fetch_server (t, &spn, &server, from);
+ ret = fetch_server (context, config, t, &spn, &server, from);
if (ret) {
goto out;
}
- ret = hdb_enctype2key(context, server, t->enc_part.etype, &skey);
+ ret = hdb_enctype2key(context, &server->entry, t->enc_part.etype, &skey);
if(ret){
- kdc_log(0, "No suitable key found for server (%s) from %s", spn, from);
+ kdc_log(context, config, 0,
+ "No suitable key found for server (%s) from %s", spn, from);
goto out;
}
ret = krb5_crypto_init(context, &skey->key, 0, &crypto);
if (ret) {
- kdc_log(0, "krb5_crypto_init failed: %s",
+ kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
krb5_get_err_text(context, ret));
goto out;
}
@@ -314,58 +338,63 @@ do_524(const Ticket *t, krb5_data *reply,
&et_data);
krb5_crypto_destroy(context, crypto);
if(ret){
- kdc_log(0, "Failed to decrypt ticket from %s for %s", from, spn);
+ kdc_log(context, config, 0,
+ "Failed to decrypt ticket from %s for %s", from, spn);
goto out;
}
ret = krb5_decode_EncTicketPart(context, et_data.data, et_data.length,
&et, &len);
krb5_data_free(&et_data);
if(ret){
- kdc_log(0, "Failed to decode ticket from %s for %s", from, spn);
+ kdc_log(context, config, 0,
+ "Failed to decode ticket from %s for %s", from, spn);
goto out;
}
- ret = log_524 (&et, from, spn);
+ ret = log_524 (context, config, &et, from, spn);
if (ret) {
free_EncTicketPart(&et);
goto out;
}
- ret = verify_flags (&et, spn);
+ ret = verify_flags (context, config, &et, spn);
if (ret) {
free_EncTicketPart(&et);
goto out;
}
- ret = set_address (&et, addr, from);
+ ret = set_address (context, config, &et, addr, from);
if (ret) {
free_EncTicketPart(&et);
goto out;
}
- ret = encode_524_response(spn, et, t, server, &ticket, &kvno);
+ ret = encode_524_response(context, config, spn, et, t,
+ server, &ticket, &kvno);
free_EncTicketPart(&et);
-out:
+ out:
/* make reply */
memset(buf, 0, sizeof(buf));
sp = krb5_storage_from_mem(buf, sizeof(buf));
- krb5_store_int32(sp, ret);
- if(ret == 0){
- krb5_store_int32(sp, kvno);
- krb5_store_data(sp, ticket.cipher);
- /* Aargh! This is coded as a KTEXT_ST. */
- krb5_storage_seek(sp, MAX_KTXT_LEN - ticket.cipher.length, SEEK_CUR);
- krb5_store_int32(sp, 0); /* mbz */
- free_EncryptedData(&ticket);
- }
- ret = krb5_storage_to_data(sp, reply);
- reply->length = krb5_storage_seek(sp, 0, SEEK_CUR);
- krb5_storage_free(sp);
-
+ if (sp) {
+ krb5_store_int32(sp, ret);
+ if(ret == 0){
+ krb5_store_int32(sp, kvno);
+ krb5_store_data(sp, ticket.cipher);
+ /* Aargh! This is coded as a KTEXT_ST. */
+ krb5_storage_seek(sp, MAX_KTXT_LEN - ticket.cipher.length, SEEK_CUR);
+ krb5_store_int32(sp, 0); /* mbz */
+ free_EncryptedData(&ticket);
+ }
+ ret = krb5_storage_to_data(sp, reply);
+ reply->length = krb5_storage_seek(sp, 0, SEEK_CUR);
+ krb5_storage_free(sp);
+ } else
+ krb5_data_zero(reply);
if(spn)
free(spn);
if(server)
- free_ent (server);
+ _kdc_free_ent (context, server);
return ret;
}
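Review bot: The new `if (sp) … else krb5_data_zero(reply);` branch returns whatever `ret` held before the reply was built, so when krb5_storage_from_mem fails after a successful conversion the function reports success with an empty reply, and because `free_EncryptedData(&ticket)` now sits inside the `if (sp)` / `ret == 0` block, the freshly built ticket is also leaked on that path. The else branch should release the ticket when one was produced and fail explicitly with an allocation-style error such as `ENOMEM`, so the caller never treats a zero-length reply as a good 524 answer. The start of _kdc_do_524, including the declaration of `ticket`, lies outside this hunk, so whether `ticket` is safe to free when `ret != 0` is not visible here; the check below guards on `ret == 0` for that reason. The re-indentation of the `out:` label to ` out:` is cosmetic and unrelated to the fix.
```c
    sp = krb5_storage_from_mem(buf, sizeof(buf));
    if (sp) {
        /* … unchanged: store ret, kvno and ticket into sp, copy into reply, free sp … */
    } else {
        /* reply cannot be built: release a ticket we already produced and fail loudly */
        if (ret == 0)
            free_EncryptedData(&ticket);
        ret = ENOMEM;
        krb5_data_zero(reply);
    }
```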