aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/plugins/kdb/hdb/kdb_hdb.c296
-rw-r--r--src/plugins/kdb/hdb/kdb_hdb.h32
-rw-r--r--src/plugins/kdb/hdb/kdb_marshal.c14
-rw-r--r--src/plugins/kdb/hdb/kdb_windc.c112
4 files changed, 161 insertions, 293 deletions
diff --git a/src/plugins/kdb/hdb/kdb_hdb.c b/src/plugins/kdb/hdb/kdb_hdb.c
index 89b0651..23039b7 100644
--- a/src/plugins/kdb/hdb/kdb_hdb.c
+++ b/src/plugins/kdb/hdb/kdb_hdb.c
@@ -40,8 +40,10 @@
#include "kdb_hdb.h"
static krb5_error_code
-kh_init(void)
+kh_init(int dal_version)
{
+ if (dal_version != KRB5_KDB_DAL_VERSION)
+ return KRB5_KDB_DBTYPE_MISMATCH;
return 0;
}
@@ -92,7 +94,7 @@ kh_map_error(heim_error_code code)
code = KRB5_KDB_NOMASTERKEY;
break;
case HDB_ERR_MANDATORY_OPTION:
- code = KRB5_KDB_DBTYPE_NOSUP;
+ code = KRB5_PLUGIN_OP_NOTSUPP;
break;
default:
break;
@@ -190,7 +192,7 @@ kh_db_context_init(krb5_context context,
(void **)&hdb_interface_version,
&errinfo) == 0 &&
*hdb_interface_version != HDB_INTERFACE_VERSION) {
- code = KRB5_KDB_DBTYPE_NOSUP;
+ code = KRB5_PLUGIN_OP_NOTSUPP;
goto cleanup;
}
@@ -413,7 +415,7 @@ kh_hdb_rename(krb5_context context,
heim_error_code hcode;
if (kh->hdb->hdb_rename == NULL)
- return KRB5_KDB_DBTYPE_NOSUP;
+ return KRB5_PLUGIN_OP_NOTSUPP;
hcode = (*kh->hdb->hdb_rename)(kh->hcontext, kh->hdb, name);
@@ -462,18 +464,6 @@ kh_hdb_unseal_key(krb5_context context,
return kh_map_error(hcode);
}
-static krb5_error_code
-kh_hdb_set_master_key(krb5_context context,
- kh_db_context *kh,
- EncryptionKey *key)
-{
- heim_error_code hcode;
-
- hcode = (*kh->hdb_set_master_key)(kh->hcontext, kh->hdb, key);
-
- return kh_map_error(hcode);
-}
-
void
kh_hdb_free_entry(krb5_context context,
kh_db_context *kh,
@@ -491,6 +481,8 @@ kh_kdb_free_entry(krb5_context context,
krb5_tl_data *tl_data = NULL;
int i, j;
+ if (entry == NULL)
+ return;
if (entry->e_data != NULL) {
assert(entry->e_length == sizeof(hdb_entry_ex));
kh_hdb_free_entry(context, kh, KH_DB_ENTRY(entry));
@@ -525,7 +517,7 @@ kh_kdb_free_entry(krb5_context context,
free(entry->key_data);
}
- memset(entry, 0, sizeof(*entry));
+ free(entry);
}
static krb5_error_code
@@ -537,7 +529,7 @@ kh_db_create(krb5_context context,
krb5_error_code code;
if (kh == NULL)
- return KRB5_KDB_DBTYPE_NOSUP;
+ return KRB5_PLUGIN_OP_NOTSUPP;
code = k5_mutex_lock(kh->lock);
if (code != 0)
@@ -551,22 +543,6 @@ kh_db_create(krb5_context context,
}
static krb5_error_code
-kh_db_destroy(krb5_context context,
- char *conf_section,
- char **db_args)
-{
- return KRB5_KDB_DBTYPE_NOSUP;
-}
-
-static krb5_error_code
-kh_db_get_age(krb5_context context,
- char *db_name,
- time_t *age)
-{
- return KRB5_KDB_DBTYPE_NOSUP;
-}
-
-static krb5_error_code
kh_db_lock(krb5_context context, int kmode)
{
kh_db_context *kh = KH_DB_CONTEXT(context);
@@ -574,7 +550,7 @@ kh_db_lock(krb5_context context, int kmode)
enum hdb_lockop hmode;
if (kh == NULL)
- return KRB5_KDB_DBTYPE_NOSUP;
+ return KRB5_PLUGIN_OP_NOTSUPP;
code = k5_mutex_lock(kh->lock);
if (code != 0)
@@ -599,7 +575,7 @@ kh_db_unlock(krb5_context context)
krb5_error_code code;
if (kh == NULL)
- return KRB5_KDB_DBTYPE_NOSUP;
+ return KRB5_PLUGIN_OP_NOTSUPP;
code = k5_mutex_lock(kh->lock);
if (code != 0)
@@ -617,12 +593,14 @@ kh_get_principal(krb5_context context,
kh_db_context *kh,
krb5_const_principal princ,
unsigned int hflags,
- krb5_db_entry *kentry)
+ krb5_db_entry **kentry)
{
krb5_error_code code;
Principal *hprinc = NULL;
hdb_entry_ex *hentry = NULL;
+ *kentry = NULL;
+
code = kh_marshal_Principal(context, princ, &hprinc);
if (code != 0)
return code;
@@ -648,8 +626,8 @@ kh_get_principal(krb5_context context,
code = kh_unmarshal_hdb_entry(context, &hentry->entry, kentry);
if (code == 0) {
- kentry->e_length = sizeof(*hentry);
- kentry->e_data = (krb5_octet *)hentry;
+ (*kentry)->e_length = sizeof(*hentry);
+ (*kentry)->e_data = (krb5_octet *)hentry;
} else {
kh_hdb_free_entry(context, kh, hentry);
free(hentry);
@@ -682,15 +660,18 @@ static krb5_error_code
kh_get_master_key_principal(krb5_context context,
kh_db_context *kh,
krb5_const_principal princ,
- krb5_db_entry *kentry,
- int *nentries)
+ krb5_db_entry **kentry_ptr)
{
krb5_error_code code;
krb5_key_data *key_data;
krb5_timestamp now;
+ krb5_db_entry *kentry;
+
+ *kentry_ptr = NULL;
- memset(kentry, 0, sizeof(*kentry));
- *nentries = 0;
+ kentry = k5alloc(sizeof(*kentry), &code);
+ if (kentry == NULL)
+ return code;
kentry->magic = KRB5_KDB_MAGIC_NUMBER;
kentry->len = KRB5_KDB_V1_BASE_LENGTH;
@@ -725,7 +706,7 @@ kh_get_master_key_principal(krb5_context context,
key_data->key_data_kvno = 1;
key_data->key_data_type[0] = ENCTYPE_UNKNOWN;
- *nentries = 1;
+ *kentry_ptr = kentry;
return 0;
}
@@ -734,24 +715,19 @@ static krb5_error_code
kh_db_get_principal(krb5_context context,
krb5_const_principal princ,
unsigned int kflags,
- krb5_db_entry *kentry,
- int *nentries,
- krb5_boolean *more)
+ krb5_db_entry **kentry)
{
krb5_error_code code;
kh_db_context *kh = KH_DB_CONTEXT(context);
unsigned int hflags;
- *nentries = 0;
- *more = FALSE;
- memset(kentry, 0, sizeof(*kentry));
+ *kentry = NULL;
if (kh == NULL)
return KRB5_KDB_DBNOTINITED;
if (kh_is_master_key_principal(context, princ))
- return kh_get_master_key_principal(context, kh, princ,
- kentry, nentries);
+ return kh_get_master_key_principal(context, kh, princ, kentry);
code = k5_mutex_lock(kh->lock);
if (code != 0)
@@ -769,41 +745,25 @@ kh_db_get_principal(krb5_context context,
hflags |= HDB_F_GET_ANY;
code = kh_get_principal(context, kh, princ, hflags, kentry);
- switch (code) {
- case 0:
- *nentries = 1;
- break;
- case KRB5_KDB_NOENTRY:
- code = 0;
- break;
- default:
- break;
- }
-
k5_mutex_unlock(kh->lock);
return code;
}
-static krb5_error_code
+static void
kh_db_free_principal(krb5_context context,
- krb5_db_entry *entry,
- int count)
+ krb5_db_entry *entry)
{
kh_db_context *kh = KH_DB_CONTEXT(context);
krb5_error_code code;
- int i;
code = k5_mutex_lock(kh->lock);
if (code != 0)
- return code;
+ return;
- for (i = 0; i < count; i++)
- kh_kdb_free_entry(context, kh, &entry[i]);
+ kh_kdb_free_entry(context, kh, entry);
k5_mutex_unlock(kh->lock);
-
- return 0;
}
static krb5_error_code
@@ -861,13 +821,11 @@ cleanup:
static krb5_error_code
kh_db_put_principal(krb5_context context,
- krb5_db_entry *entries,
- int *nentries,
+ krb5_db_entry *entry,
char **db_args)
{
krb5_error_code code;
kh_db_context *kh = KH_DB_CONTEXT(context);
- int i;
if (kh == NULL)
return KRB5_KDB_DBNOTINITED;
@@ -876,11 +834,7 @@ kh_db_put_principal(krb5_context context,
if (code != 0)
return code;
- for (i = 0; i < *nentries; i++) {
- code = kh_put_principal(context, kh, &entries[i]);
- if (code != 0)
- break;
- }
+ code = kh_put_principal(context, kh, entry);
k5_mutex_unlock(kh->lock);
@@ -915,8 +869,7 @@ kh_delete_principal(krb5_context context,
static krb5_error_code
kh_db_delete_principal(krb5_context context,
- krb5_const_principal princ,
- int *nentries)
+ krb5_const_principal princ)
{
krb5_error_code code;
kh_db_context *kh = KH_DB_CONTEXT(context);
@@ -930,8 +883,6 @@ kh_db_delete_principal(krb5_context context,
code = kh_delete_principal(context, kh, princ);
- *nentries = (code == 0) ? 1 : 0;
-
k5_mutex_unlock(kh->lock);
return code;
@@ -963,11 +914,11 @@ kh_db_iterate(krb5_context context,
code = kh_hdb_firstkey(context, kh, hflags, &hentry);
while (code == 0) {
- krb5_db_entry kentry;
+ krb5_db_entry *kentry;
if (kh_unmarshal_hdb_entry(context, &hentry.entry, &kentry) == 0) {
- code = (*func)(func_arg, &kentry);
- kh_kdb_free_entry(context, kh, &kentry);
+ code = (*func)(func_arg, kentry);
+ kh_kdb_free_entry(context, kh, kentry);
}
kh_hdb_free_entry(context, kh, &hentry);
@@ -979,14 +930,12 @@ kh_db_iterate(krb5_context context,
}
if (code == KRB5_KDB_NOENTRY) {
- krb5_db_entry kentry;
- int nentries;
+ krb5_db_entry *kentry;
/* Return the fake master key principal */
- if (kh_get_master_key_principal(context, kh, NULL,
- &kentry, &nentries) == 0) {
- code = (*func)(func_arg, &kentry);
- kh_kdb_free_entry(context, kh, &kentry);
+ if (kh_get_master_key_principal(context, kh, NULL, &kentry) == 0) {
+ code = (*func)(func_arg, kentry);
+ kh_kdb_free_entry(context, kh, kentry);
}
code = 0;
@@ -1047,59 +996,6 @@ kh_db_free(krb5_context context, void *ptr)
}
static krb5_error_code
-kh_set_master_key(krb5_context context,
- char *pwd,
- krb5_keyblock *kkey)
-{
- kh_db_context *kh = KH_DB_CONTEXT(context);
- krb5_error_code code;
- EncryptionKey hkey;
-
- if (kh == NULL)
- return KRB5_KDB_DBNOTINITED;
-
- if (kkey->enctype == ENCTYPE_UNKNOWN)
- return 0;
-
- code = k5_mutex_lock(kh->lock);
- if (code != 0)
- return code;
-
- KH_MARSHAL_KEY(kkey, &hkey);
-
- code = kh_hdb_set_master_key(context, kh, &hkey);
-
- k5_mutex_unlock(kh->lock);
-
- return code;
-}
-
-static krb5_error_code
-kh_get_master_key(krb5_context context,
- krb5_keyblock **pkey)
-{
- krb5_error_code code;
- krb5_keyblock *key;
-
- /*
- * The Heimdal master key interface is opaque; we can't
- * return the master key without poking into internal data
- * structures that would make this bridge even more brittle.
- * So, we just return a dummy key.
- */
- key = k5alloc(sizeof(krb5_keyblock), &code);
- if (code != 0)
- return code;
-
- key->magic = KV5M_KEYBLOCK;
- key->enctype = ENCTYPE_UNKNOWN;
-
- *pkey = key;
-
- return 0;
-}
-
-static krb5_error_code
kh_promote_db(krb5_context context,
char *conf_section,
char **db_args)
@@ -1112,7 +1008,7 @@ kh_promote_db(krb5_context context,
return KRB5_KDB_DBNOTINITED;
if (kh->hdb->hdb_name == NULL)
- return KRB5_KDB_DBTYPE_NOSUP;
+ return KRB5_PLUGIN_OP_NOTSUPP;
if (asprintf(&name, "%s~", kh->hdb->hdb_name) < 0)
return ENOMEM;
@@ -1195,7 +1091,7 @@ kh_dbekd_decrypt_key_data(krb5_context context,
return KRB5_KDB_DBNOTINITED;
if (mkey->enctype != ENCTYPE_UNKNOWN)
- code = krb5_dbekd_def_decrypt_key_data(context, mkey, key_data,
+ code = krb5_dbe_def_decrypt_key_data(context, mkey, key_data,
kkey, keysalt);
else
code = kh_decrypt_key(context, kh, key_data, kkey, keysalt);
@@ -1271,8 +1167,8 @@ kh_dbekd_encrypt_key_data(krb5_context context,
/* For migration */
if (mkey->enctype != ENCTYPE_UNKNOWN)
- code = krb5_dbekd_def_encrypt_key_data(context, mkey, kkey,
- keysalt, keyver, key_data);
+ code = krb5_dbe_def_encrypt_key_data(context, mkey, kkey,
+ keysalt, keyver, key_data);
else
code = kh_encrypt_key(context, kh, kkey, keysalt, keyver, key_data);
@@ -1285,19 +1181,17 @@ kh_dbekd_encrypt_key_data(krb5_context context,
static krb5_error_code
kh_db_check_allowed_to_delegate(krb5_context context,
- unsigned int method,
- const krb5_data *req_data,
- krb5_data *rep_data)
+ krb5_const_principal client,
+ const krb5_db_entry *server,
+ krb5_const_principal proxy)
{
- kdb_check_allowed_to_delegate_req *req;
krb5_error_code code;
hdb_entry_ex *hentry;
HDB_extension *ext;
HDB_Ext_Constrained_delegation_acl *acl;
unsigned int i;
- req = (kdb_check_allowed_to_delegate_req *)req_data->data;
- hentry = KH_DB_ENTRY(req->server);
+ hentry = KH_DB_ENTRY(server);
ext = kh_hdb_find_extension(&hentry->entry,
choice_HDB_extension_data_allowed_to_delegate_to);
@@ -1310,7 +1204,7 @@ kh_db_check_allowed_to_delegate(krb5_context context,
krb5_principal princ;
if (kh_unmarshal_Principal(context, &acl->val[i], &princ) == 0) {
- if (krb5_principal_compare(context, req->proxy, princ)) {
+ if (krb5_principal_compare(context, proxy, princ)) {
code = 0;
krb5_free_principal(context, princ);
break;
@@ -1323,51 +1217,6 @@ kh_db_check_allowed_to_delegate(krb5_context context,
return code;
}
-static struct _kh_invoke_fn {
- unsigned int method;
- krb5_error_code (*function)(krb5_context, unsigned int,
- const krb5_data *, krb5_data *);
-} kh_invoke_vtable[] = {
- { KRB5_KDB_METHOD_CHECK_POLICY_AS, kh_db_check_policy_as },
- { KRB5_KDB_METHOD_SIGN_AUTH_DATA, kh_db_sign_auth_data },
- { KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE, kh_db_check_allowed_to_delegate },
-};
-
-static krb5_error_code
-kh_db_invoke(krb5_context context,
- unsigned int method,
- const krb5_data *req,
- krb5_data *rep)
-{
- kh_db_context *kh = KH_DB_CONTEXT(context);
- size_t i;
- krb5_error_code code;
-
- if (kh == NULL)
- return KRB5_KDB_DBNOTINITED;
-
- code = k5_mutex_lock(kh->lock);
- if (code != 0)
- return code;
-
- code = KRB5_KDB_DBTYPE_NOSUP;
-
- for (i = 0;
- i < sizeof(kh_invoke_vtable) / sizeof(kh_invoke_vtable[0]);
- i++) {
- struct _kh_invoke_fn *fn = &kh_invoke_vtable[i];
-
- if (fn->method == method) {
- code = (*fn->function)(context, method, req, rep);
- break;
- }
- }
-
- k5_mutex_unlock(kh->lock);
-
- return code;
-}
-
kdb_vftabl kdb_function_table = {
1,
0,
@@ -1376,8 +1225,8 @@ kdb_vftabl kdb_function_table = {
kh_init_module,
kh_fini_module,
kh_db_create,
- kh_db_destroy,
- kh_db_get_age,
+ NULL, /* destroy */
+ NULL, /* get_age */
kh_db_lock,
kh_db_unlock,
kh_db_get_principal,
@@ -1385,32 +1234,29 @@ kdb_vftabl kdb_function_table = {
kh_db_put_principal,
kh_db_delete_principal,
kh_db_iterate,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
+ NULL, /* create_policy */
+ NULL, /* get_policy */
+ NULL, /* put_policy */
+ NULL, /* iter_policy */
+ NULL, /* delete_policy */
+ NULL, /* free_policy */
kh_db_alloc,
kh_db_free,
- kh_set_master_key,
- kh_get_master_key,
- NULL,
- NULL,
- NULL,
- NULL,
+ NULL, /* set_master_key_list */
+ NULL, /* get_master_key_list */
kh_fetch_master_key,
- NULL,
kh_fetch_master_key_list,
- NULL,
- NULL,
- NULL,
+ NULL, /* store_master_key_list */
+ NULL, /* dbe_search_enctype */
+ NULL, /* change_pwd */
kh_promote_db,
kh_dbekd_decrypt_key_data,
kh_dbekd_encrypt_key_data,
- kh_db_invoke,
+ kh_db_sign_auth_data,
+ NULL, /* check_transited_realms */
+ kh_db_check_policy_as,
+ NULL, /* check_policy_tgs */
+ NULL, /* audit_as_req */
+ NULL, /* refresh_config */
+ kh_db_check_allowed_to_delegate
};
diff --git a/src/plugins/kdb/hdb/kdb_hdb.h b/src/plugins/kdb/hdb/kdb_hdb.h
index 0d04059..161b68a 100644
--- a/src/plugins/kdb/hdb/kdb_hdb.h
+++ b/src/plugins/kdb/hdb/kdb_hdb.h
@@ -90,7 +90,7 @@ kh_get_principal(krb5_context context,
kh_db_context *kh,
krb5_const_principal princ,
unsigned int hflags,
- krb5_db_entry *kentry);
+ krb5_db_entry **kentry);
void
kh_kdb_free_entry(krb5_context context,
@@ -142,7 +142,7 @@ kh_free_HostAddresses(krb5_context context,
krb5_error_code
kh_unmarshal_hdb_entry(krb5_context context,
const hdb_entry *hentry,
- krb5_db_entry *kentry);
+ krb5_db_entry **kentry);
krb5_error_code
kh_marshal_hdb_entry(krb5_context context,
@@ -152,16 +152,28 @@ kh_marshal_hdb_entry(krb5_context context,
/* kdb_windc.c */
krb5_error_code
-kh_db_sign_auth_data(krb5_context context,
- unsigned int method,
- const krb5_data *req_data,
- krb5_data *rep_data);
+kh_db_sign_auth_data(krb5_context kcontext,
+ unsigned int flags,
+ krb5_const_principal client_princ,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_db_entry *krbtgt,
+ krb5_keyblock *client_key,
+ krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
+ krb5_keyblock *session_key,
+ krb5_timestamp authtime,
+ krb5_authdata **tgt_auth_data,
+ krb5_authdata ***signed_auth_data);
krb5_error_code
-kh_db_check_policy_as(krb5_context context,
- unsigned int method,
- const krb5_data *req_data,
- krb5_data *rep_data);
+kh_db_check_policy_as(krb5_context kcontext,
+ krb5_kdc_req *request,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_timestamp kdc_time,
+ const char **status,
+ krb5_data *e_data);
krb5_error_code
kh_hdb_windc_init(krb5_context context,
diff --git a/src/plugins/kdb/hdb/kdb_marshal.c b/src/plugins/kdb/hdb/kdb_marshal.c
index 624b17f..ca58835 100644
--- a/src/plugins/kdb/hdb/kdb_marshal.c
+++ b/src/plugins/kdb/hdb/kdb_marshal.c
@@ -743,13 +743,16 @@ cleanup:
krb5_error_code
kh_unmarshal_hdb_entry(krb5_context context,
const hdb_entry *hentry,
- krb5_db_entry *kentry)
+ krb5_db_entry **kentry_ptr)
{
kh_db_context *kh = KH_DB_CONTEXT(context);
+ krb5_db_entry *kentry;
krb5_error_code code;
unsigned int i;
- memset(kentry, 0, sizeof(*kentry));
+ kentry = k5alloc(sizeof(*kentry), &code);
+ if (kentry == NULL)
+ return code;
kentry->magic = KRB5_KDB_MAGIC_NUMBER;
kentry->len = KRB5_KDB_V1_BASE_LENGTH;
@@ -801,9 +804,10 @@ kh_unmarshal_hdb_entry(krb5_context context,
kentry->n_key_data++;
}
-cleanup:
- if (code != 0)
- kh_kdb_free_entry(context, kh, kentry);
+ *kentry_ptr = kentry;
+ kentry = NULL;
+cleanup:
+ kh_kdb_free_entry(context, kh, kentry);
return code;
}
diff --git a/src/plugins/kdb/hdb/kdb_windc.c b/src/plugins/kdb/hdb/kdb_windc.c
index 6c8db85..fdd4efc 100644
--- a/src/plugins/kdb/hdb/kdb_windc.c
+++ b/src/plugins/kdb/hdb/kdb_windc.c
@@ -173,7 +173,7 @@ kh_get_tgs_key(krb5_context context,
krb5_error_code code;
krb5_principal tgsname = NULL;
krb5_key_data *krbtgt_key = NULL;
- krb5_db_entry krbtgt;
+ krb5_db_entry *krbtgt;
memset(&krbtgt, 0, sizeof(krbtgt));
krbtgt_keyblock->contents = NULL;
@@ -195,7 +195,7 @@ kh_get_tgs_key(krb5_context context,
goto cleanup;
code = krb5_dbe_find_enctype(context,
- &krbtgt,
+ krbtgt,
-1, /* ignore enctype */
-1, /* ignore salttype */
0, /* highest kvno */
@@ -216,7 +216,7 @@ kh_get_tgs_key(krb5_context context,
goto cleanup;
cleanup:
- kh_kdb_free_entry(context, KH_DB_CONTEXT(context), &krbtgt);
+ kh_kdb_free_entry(context, KH_DB_CONTEXT(context), krbtgt);
krb5_free_principal(context, tgsname);
return code;
@@ -224,13 +224,20 @@ cleanup:
krb5_error_code
kh_db_sign_auth_data(krb5_context context,
- unsigned int method,
- const krb5_data *req_data,
- krb5_data *rep_data)
+ unsigned int flags,
+ krb5_const_principal client_princ,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_db_entry *krbtgt,
+ krb5_keyblock *client_key,
+ krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
+ krb5_keyblock *session_key,
+ krb5_timestamp authtime,
+ krb5_authdata **tgt_auth_data,
+ krb5_authdata ***signed_auth_data)
{
kh_db_context *kh = KH_DB_CONTEXT(context);
- kdb_sign_auth_data_req *req = (kdb_sign_auth_data_req *)req_data->data;
- kdb_sign_auth_data_rep *rep = (kdb_sign_auth_data_rep *)rep_data->data;
heim_pac hpac = NULL;
heim_octet_string pac_data;
krb5_boolean is_as_req;
@@ -241,31 +248,32 @@ kh_db_sign_auth_data(krb5_context context,
EncryptionKey krbtgt_hkey;
krb5_keyblock krbtgt_kkey;
+ *signed_auth_data = NULL;
+
if (kh->windc == NULL)
return KRB5_KDB_DBTYPE_NOSUP; /* short circuit */
- memset(rep, 0, sizeof(*rep));
memset(&krbtgt_kkey, 0, sizeof(krbtgt_kkey));
pac_data.data = NULL;
- is_as_req = ((req->flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
+ is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
/* Prefer canonicalised name from client entry */
- if (req->client != NULL) {
- client_hprinc = KH_DB_ENTRY(req->client)->entry.principal;
+ if (client != NULL) {
+ client_hprinc = KH_DB_ENTRY(client)->entry.principal;
} else {
- code = kh_marshal_Principal(context, req->client_princ, &client_hprinc);
+ code = kh_marshal_Principal(context, client_princ, &client_hprinc);
if (code != 0)
goto cleanup;
}
- KH_MARSHAL_KEY(req->server_key, &server_hkey);
- KH_MARSHAL_KEY(req->krbtgt_key, &krbtgt_hkey);
+ KH_MARSHAL_KEY(server_key, &server_hkey);
+ KH_MARSHAL_KEY(krbtgt_key, &krbtgt_hkey);
if (!is_as_req) {
/* find the existing PAC, if present */
code = krb5int_find_authdata(context,
- req->auth_data,
+ tgt_auth_data,
NULL,
KRB5_AUTHDATA_WIN2K_PAC,
&authdata);
@@ -273,10 +281,9 @@ kh_db_sign_auth_data(krb5_context context,
goto cleanup;
}
- if ((is_as_req && (req->flags & KRB5_KDB_FLAG_INCLUDE_PAC)) ||
- (authdata == NULL && req->client != NULL)) {
- code = kh_windc_pac_generate(context, kh,
- KH_DB_ENTRY(req->client), &hpac);
+ if ((is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) ||
+ (authdata == NULL && client != NULL)) {
+ code = kh_windc_pac_generate(context, kh, KH_DB_ENTRY(client), &hpac);
if (code != 0)
goto cleanup;
} else if (authdata != NULL) {
@@ -299,20 +306,19 @@ kh_db_sign_auth_data(krb5_context context,
* ticket rather than a TGT; we must verify the server and KDC
* signatures to assert that the server did not forge the PAC.
*/
- if (req->flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
- code = kh_pac_verify(context, hpac, req->authtime,
+ if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
+ code = kh_pac_verify(context, hpac, authtime,
client_hprinc, &server_hkey, &krbtgt_hkey);
} else {
- code = kh_pac_verify(context, hpac, req->authtime,
+ code = kh_pac_verify(context, hpac, authtime,
client_hprinc, &krbtgt_hkey, NULL);
}
if (code != 0)
goto cleanup;
code = kh_windc_pac_verify(context, kh, client_hprinc,
- req->client ?
- KH_DB_ENTRY(req->client) : NULL,
- KH_DB_ENTRY(req->server),
+ client ? KH_DB_ENTRY(client) : NULL,
+ KH_DB_ENTRY(server),
&hpac);
if (code != 0)
goto cleanup;
@@ -325,17 +331,17 @@ kh_db_sign_auth_data(krb5_context context,
* In the cross-realm case, krbtgt_hkey refers to the cross-realm
* TGS key, so we need to explicitly lookup our TGS key.
*/
- if (req->flags & KRB5_KDB_FLAG_CROSS_REALM) {
+ if (flags & KRB5_KDB_FLAG_CROSS_REALM) {
assert(!is_as_req);
- code = kh_get_tgs_key(context, kh, req->server->princ, &krbtgt_kkey);
+ code = kh_get_tgs_key(context, kh, server->princ, &krbtgt_kkey);
if (code != 0)
goto cleanup;
KH_MARSHAL_KEY(&krbtgt_kkey, &krbtgt_hkey);
}
- code = kh_pac_sign(context, hpac, req->authtime, client_hprinc,
+ code = kh_pac_sign(context, hpac, authtime, client_hprinc,
&server_hkey, &krbtgt_hkey, &pac_data);
if (code != 0)
goto cleanup;
@@ -367,12 +373,12 @@ kh_db_sign_auth_data(krb5_context context,
code = krb5_encode_authdata_container(context,
KRB5_AUTHDATA_IF_RELEVANT,
authdata,
- &rep->auth_data);
+ signed_auth_data);
if (code != 0)
goto cleanup;
cleanup:
- if (req->client == NULL)
+ if (client == NULL)
kh_free_Principal(context, client_hprinc);
kh_pac_free(context, hpac);
if (pac_data.data != NULL)
@@ -486,16 +492,16 @@ kh_marshall_HostAddresses(krb5_context context,
krb5_error_code
kh_db_check_policy_as(krb5_context context,
- unsigned int method,
- const krb5_data *req_data,
- krb5_data *rep_data)
+ krb5_kdc_req *request,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_timestamp kdc_time,
+ const char **status,
+ krb5_data *e_data)
{
kh_db_context *kh = KH_DB_CONTEXT(context);
- kdb_check_policy_as_req *req = (kdb_check_policy_as_req *)req_data->data;
- kdb_check_policy_as_rep *rep = (kdb_check_policy_as_rep *)rep_data->data;
krb5_error_code code;
- heim_octet_string e_data;
- krb5_kdc_req *kkdcreq = req->request;
+ heim_octet_string he_data;
KDC_REQ hkdcreq;
Principal *hclient = NULL;
Principal *hserver = NULL;
@@ -507,19 +513,19 @@ kh_db_check_policy_as(krb5_context context,
memset(&hkdcreq, 0, sizeof(hkdcreq));
hkdcreq.pvno = KRB5_PVNO;
- hkdcreq.msg_type = kkdcreq->msg_type;
+ hkdcreq.msg_type = request->msg_type;
hkdcreq.padata = NULL; /* FIXME */
code = kh_marshal_KDCOptions(context,
- kkdcreq->kdc_options,
+ request->kdc_options,
&hkdcreq.req_body.kdc_options);
if (code != 0)
goto cleanup;
- code = kh_marshal_Principal(context, kkdcreq->client, &hclient);
+ code = kh_marshal_Principal(context, request->client, &hclient);
if (code != 0)
goto cleanup;
- code = kh_marshal_Principal(context, kkdcreq->server, &hserver);
+ code = kh_marshal_Principal(context, request->server, &hserver);
if (code != 0)
goto cleanup;
@@ -527,16 +533,16 @@ kh_db_check_policy_as(krb5_context context,
hkdcreq.req_body.realm = hserver->realm;
hkdcreq.req_body.sname = &hserver->name;
- from = kkdcreq->from; hkdcreq.req_body.from = &from;
- till = kkdcreq->till; hkdcreq.req_body.till = &till;
- rtime = kkdcreq->rtime; hkdcreq.req_body.rtime = &rtime;
+ from = request->from; hkdcreq.req_body.from = &from;
+ till = request->till; hkdcreq.req_body.till = &till;
+ rtime = request->rtime; hkdcreq.req_body.rtime = &rtime;
- hkdcreq.req_body.nonce = kkdcreq->nonce;
- hkdcreq.req_body.etype.len = kkdcreq->nktypes;
- hkdcreq.req_body.etype.val = kkdcreq->ktype;
+ hkdcreq.req_body.nonce = request->nonce;
+ hkdcreq.req_body.etype.len = request->nktypes;
+ hkdcreq.req_body.etype.val = request->ktype;
code = kh_marshall_HostAddresses(context,
- kkdcreq->addresses,
+ request->addresses,
&hkdcreq.req_body.addresses);
if (code != 0)
goto cleanup;
@@ -545,11 +551,11 @@ kh_db_check_policy_as(krb5_context context,
/* FIXME hkdcreq.req_body.additional_tickets */
code = kh_windc_client_access(context, kh,
- KH_DB_ENTRY(req->client),
- &hkdcreq, &e_data);
+ KH_DB_ENTRY(client),
+ &hkdcreq, &he_data);
- rep->e_data.data = e_data.data;
- rep->e_data.length = e_data.length;
+ e_data->data = he_data.data;
+ e_data->length = he_data.length;
cleanup:
kh_free_HostAddresses(context, hkdcreq.req_body.addresses);
generated by cgit v1.1 at 2024-07-08 19:17:38 +0000