aboutsummaryrefslogtreecommitdiff
path: root/src/kdc/do_tgs_req.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/kdc/do_tgs_req.c')
-rw-r--r--src/kdc/do_tgs_req.c59
1 files changed, 18 insertions, 41 deletions
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index ff6f214..7faf748 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -62,7 +62,6 @@ int portnum;
krb5_data **response; /* filled in with a response packet */
{
krb5_keyblock * subkey;
- krb5_encrypt_block eblock;
krb5_kdc_req *request = 0;
krb5_db_entry server;
krb5_kdc_rep reply;
@@ -76,7 +75,7 @@ krb5_data **response; /* filled in with a response packet */
int nprincs = 0;
krb5_boolean more;
krb5_timestamp kdc_time, authtime=0;
- krb5_keyblock *session_key = 0;
+ krb5_keyblock session_key;
krb5_timestamp until, rtime;
krb5_keyblock encrypting_key;
krb5_key_data *server_key;
@@ -88,6 +87,8 @@ krb5_data **response; /* filled in with a response packet */
register int i;
int firstpass = 1;
const char *status = 0;
+
+ session_key.contents = 0;
retval = decode_krb5_tgs_req(pkt, &request);
if (retval)
@@ -258,10 +259,8 @@ tgt_again:
goto cleanup;
}
- krb5_use_enctype(kdc_context, &eblock, useenctype);
- errcode = krb5_random_key(kdc_context, &eblock,
- krb5_enctype_array[useenctype]->random_sequence,
- &session_key);
+ errcode = krb5_c_make_random_key(kdc_context, useenctype, &session_key);
+
if (errcode) {
/* random key failed */
status = "RANDOM_KEY_FAILED";
@@ -404,20 +403,8 @@ tgt_again:
/* assemble any authorization data */
if (request->authorization_data.ciphertext.data) {
- krb5_encrypt_block eblock;
krb5_data scratch;
- /* decrypt the authdata in the request */
- if (!valid_enctype(request->authorization_data.enctype)) {
- status = "BAD_AUTH_ETYPE";
- errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
- goto cleanup;
- }
- /* put together an eblock for this encryption */
-
- krb5_use_enctype(kdc_context, &eblock,
- request->authorization_data.enctype);
-
scratch.length = request->authorization_data.ciphertext.length;
if (!(scratch.data =
malloc(request->authorization_data.ciphertext.length))) {
@@ -425,28 +412,17 @@ tgt_again:
errcode = ENOMEM;
goto cleanup;
}
- /* do any necessary key pre-processing */
- if ((errcode = krb5_process_key(kdc_context, &eblock,
- header_ticket->enc_part2->session))) {
- status = "AUTH_PROCESS_KEY";
- free(scratch.data);
- goto cleanup;
- }
- /* call the encryption routine */
- if ((errcode = krb5_decrypt(kdc_context, (krb5_pointer) request->authorization_data.ciphertext.data,
- (krb5_pointer) scratch.data,
- scratch.length, &eblock, 0))) {
+ if ((errcode = krb5_c_decrypt(kdc_context,
+ header_ticket->enc_part2->session,
+ KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY,
+ 0, &request->authorization_data,
+ &scratch))) {
status = "AUTH_ENCRYPT_FAIL";
- (void) krb5_finish_key(kdc_context, &eblock);
- free(scratch.data);
- goto cleanup;
- }
- if ((errcode = krb5_finish_key(kdc_context, &eblock))) {
- status = "AUTH_FINISH_KEY";
free(scratch.data);
goto cleanup;
}
+
/* scratch now has the authorization data, so we decode it */
errcode = decode_krb5_authdata(&scratch, &(request->unenc_authdata));
free(scratch.data);
@@ -466,7 +442,7 @@ tgt_again:
enc_tkt_reply.authorization_data =
header_ticket->enc_part2->authorization_data;
- enc_tkt_reply.session = session_key;
+ enc_tkt_reply.session = &session_key;
enc_tkt_reply.client = header_ticket->enc_part2->client;
enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */
@@ -562,7 +538,7 @@ tgt_again:
/* convert server.key into a real key (it may be encrypted
* in the database) */
if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context,
- &master_encblock,
+ &master_keyblock,
server_key, &encrypting_key,
NULL))) {
status = "DECRYPT_SERVER_KEY";
@@ -571,7 +547,6 @@ tgt_again:
if ((encrypting_key.enctype == ENCTYPE_DES_CBC_CRC) &&
(isflagset(server.attributes, KRB5_KDB_SUPPORT_DESMD5)))
encrypting_key.enctype = ENCTYPE_DES_CBC_MD5;
- ticket_reply.enc_part.kvno = server_key->key_data_kvno;
errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key,
&ticket_reply);
krb5_free_keyblock_contents(kdc_context, &encrypting_key);
@@ -579,6 +554,7 @@ tgt_again:
status = "TKT_ENCRYPT";
goto cleanup;
}
+ ticket_reply.enc_part.kvno = server_key->key_data_kvno;
}
/* Start assembling the response */
@@ -588,7 +564,7 @@ tgt_again:
reply.enc_part.kvno = 0; /* We are using the session key */
reply.ticket = &ticket_reply;
- reply_encpart.session = session_key;
+ reply_encpart.session = &session_key;
reply_encpart.nonce = request->nonce;
/* copy the time fields EXCEPT for authtime; its location
@@ -616,6 +592,7 @@ tgt_again:
reply.enc_part.enctype = subkey ? subkey->enctype :
header_ticket->enc_part2->session->enctype;
errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart,
+ subkey ? 1 : 0,
subkey ? subkey :
header_ticket->enc_part2->session,
&reply, response);
@@ -661,8 +638,8 @@ cleanup:
free(sname);
if (nprincs)
krb5_db_free_principal(kdc_context, &server, 1);
- if (session_key)
- krb5_free_keyblock(kdc_context, session_key);
+ if (session_key.contents)
+ krb5_free_keyblock_contents(kdc_context, &session_key);
if (newtransited)
free(enc_tkt_reply.transited.tr_contents.data);
generated by cgit v1.1 at 2024-08-03 23:10:12 +0000