Diffstat (limited to 'src/kdc/kdc_util.c')
-rw-r--r-- | src/kdc/kdc_util.c | 115 |
1 files changed, 51 insertions, 64 deletions
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 863ffd1..51d4d78 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -124,6 +124,7 @@ comp_cksum(kcontext, source, ticket, his_cksum)
     krb5_checksum * his_cksum;
 {
     krb5_error_code retval;
+    krb5_boolean valid;
     if (!valid_cksumtype(his_cksum->checksum_type))
         return KRB5KDC_ERR_SUMTYPE_NOSUPP;
@@ -133,14 +134,15 @@ comp_cksum(kcontext, source, ticket, his_cksum)
         return KRB5KRB_AP_ERR_INAPP_CKSUM;
     /* verify checksum */
-    if ((retval = krb5_verify_checksum(kcontext, his_cksum->checksum_type,
-                                       his_cksum,
-                                       source->data, source->length,
-                                       ticket->enc_part2->session->contents,
-                                       ticket->enc_part2->session->length))) {
-        retval = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-    }
-    return retval;
+    if ((retval = krb5_c_verify_checksum(kcontext, ticket->enc_part2->session,
+                                         KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
+                                         source, his_cksum, &valid)))
+        return(retval);
+
+    if (!valid)
+        return(KRB5KRB_AP_ERR_BAD_INTEGRITY);
+
+    return(0);
 }
 krb5_error_code
@@ -333,12 +335,15 @@ cleanup:
 /* XXX This function should no longer be necessary.
  * The KDC should take the keytab associated with the realm and pass that to
  * the krb5_rd_req_decode(). --proven
+ *
+ * It's actually still used by do_tgs_req() for u2u auth, and not too
+ * much else. -- tlyu
  */
 krb5_error_code
 kdc_get_server_key(ticket, key, kvno)
     krb5_ticket * ticket;
     krb5_keyblock ** key;
-    krb5_kvno * kvno;
+    krb5_kvno * kvno; /* XXX nothing uses this */
 {
     krb5_error_code retval;
     krb5_db_entry server;
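Review bot: In the second hunk, `return(retval);` after krb5_c_verify_checksum hands the raw crypto-library error back to the TGS error path, whereas the removed code folded every verification failure into KRB5KRB_AP_ERR_BAD_INTEGRITY; a checksum of the wrong length or a cksumtype that does not pair with the session key's enctype will now surface to the client as a different code than a plain mismatch. If that distinction is not intended, `if (retval || !valid) return(KRB5KRB_AP_ERR_BAD_INTEGRITY);` keeps the old wire behaviour; if it is intended, a one-line comment saying so would stop the next reader from "fixing" it. The checks before the hunk (valid_cksumtype, and whatever returns KRB5KRB_AP_ERR_INAPP_CKSUM) remain the only thing that keeps an unkeyed checksum type away from this call, since krb5_c_verify_checksum is only as strong as the cksumtype it is asked to verify, so it is worth confirming that branch rejects unkeyed types. comp_cksum begins before the first hunk.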
@@ -347,64 +352,46 @@ kdc_get_server_key(ticket, key, kvno)
     krb5_key_data * server_key;
     int i;
-    if (krb5_principal_compare(kdc_context, tgs_server, ticket->server)) {
-        retval = krb5_copy_keyblock(kdc_context, &tgs_key, key);
-        *kvno = tgs_kvno;
-        return retval;
-    } else {
-        nprincs = 1;
+    nprincs = 1;
-        if ((retval = krb5_db_get_principal(kdc_context, ticket->server,
-                                            &server, &nprincs,
-                                            &more))) {
-            return(retval);
-        }
-        if (more) {
-            krb5_db_free_principal(kdc_context, &server, nprincs);
-            return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
-        } else if (nprincs != 1) {
-            char *sname;
-
-            krb5_db_free_principal(kdc_context, &server, nprincs);
-            if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) {
-                krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'",
-                                 sname);
-                free(sname);
-            }
-            return(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN);
-        }
-        /*
-         * Get the latest version of the server key_data and
-         * convert the key into a real key (it may be encrypted in the database)
-         *
-         * Search the key list in the order specified by the key/salt list.
-         */
-        server_key = (krb5_key_data *) NULL;
-        for (i=0; i<kdc_active_realm->realm_nkstypes; i++) {
-            krb5_key_salt_tuple *kslist;
-
-            kslist = (krb5_key_salt_tuple *) kdc_active_realm->realm_kstypes;
-            if (!krb5_dbe_find_enctype(kdc_context,
-                                       &server,
-                                       kslist[i].ks_enctype,
-                                       -1,
-                                       -1,
-                                       &server_key))
-                break;
-        }
-        if (!server_key)
-            return(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN);
-
-        *kvno = server_key->key_data_kvno;
-        if ((*key = (krb5_keyblock *)malloc(sizeof **key))) {
-            retval = krb5_dbekd_decrypt_key_data(kdc_context, &master_encblock,
-                                                server_key,
-                                                *key, NULL);
-        } else
-            retval = ENOMEM;
+    if ((retval = krb5_db_get_principal(kdc_context, ticket->server,
+                                        &server, &nprincs,
+                                        &more))) {
+        return(retval);
+    }
+    if (more) {
         krb5_db_free_principal(kdc_context, &server, nprincs);
-        return retval;
+        return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
+    } else if (nprincs != 1) {
+        char *sname;
+
+        krb5_db_free_principal(kdc_context, &server, nprincs);
+        if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) {
+            krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'",
+                             sname);
+            free(sname);
+        }
+        return(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN);
     }
+    retval = krb5_dbe_find_enctype(kdc_context, &server,
+                                   ticket->enc_part.enctype, -1,
+                                   ticket->enc_part.kvno, &server_key);
+    if (retval)
+        goto errout;
+    if (!server_key) {
+        retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+        goto errout;
+    }
+    *kvno = server_key->key_data_kvno;
+    if ((*key = (krb5_keyblock *)malloc(sizeof **key))) {
+        retval = krb5_dbekd_decrypt_key_data(kdc_context, &master_keyblock,
+                                            server_key,
+                                            *key, NULL);
+    } else
+        retval = ENOMEM;
+errout:
+    krb5_db_free_principal(kdc_context, &server, nprincs);
+    return retval;
 }
 /* This probably wants to be updated if you support last_req stuff */ |
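Review bot: When krb5_dbekd_decrypt_key_data fails in the new malloc branch, `*key` is left pointing at a malloc'd, half-initialised keyblock and `errout:` returns the error without releasing it, so the caller either leaks it or uses it; inside that branch add `if (retval) { free(*key); *key = NULL; }` (the two `goto errout` paths before the malloc never assign `*key`, so callers must also not read it on error — presumably do_tgs_req already honours that, but it is worth checking). With the for loop removed, the context line `int i;` is now an unused local and will warn. The key is now chosen by `ticket->enc_part.enctype` and `ticket->enc_part.kvno`, both taken from the unencrypted part of a client-supplied ticket; that is the normal way to pick a server key, but it means any kvno still present in the principal's key list is accepted, so retired keys have to be purged from the database rather than merely superseded. kdc_get_server_key's header lies in the previous hunk.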