* $Source$
* $Author$
*
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991 by the Massachusetts Institute of Technology.
*
* For copying and distribution information, please see the file
* <krb5/copyright.h>.
krb5_checksum our_cksum;
krb5_data *scratch, scratch2;
krb5_pa_data **tmppa;
+ krb5_boolean freeprinc = FALSE;
if (!request->padata)
return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
return KRB5KDC_ERR_POLICY;
}
- /* XXX perhaps we should optimize the case of the TGS, by having
- the key always hanging around? */
-
- nprincs = 1;
- if (retval = krb5_db_get_principal(apreq->ticket->server,
- &server, &nprincs,
- &more)) {
- cleanup_apreq();
- return(retval);
- }
- if (more) {
- krb5_db_free_principal(&server, nprincs);
- cleanup_apreq();
- return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
- } else if (nprincs != 1) {
- krb5_db_free_principal(&server, nprincs);
- cleanup_apreq();
- return(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN);
- }
- /* convert server.key into a real key (it may be encrypted
- in the database) */
- if (retval = KDB_CONVERT_KEY_OUTOF_DB(&server.key, &encrypting_key)) {
- krb5_db_free_principal(&server, nprincs);
- cleanup_apreq();
- return retval;
+ if (krb5_principal_compare(tgs_server, apreq->ticket->server)) {
+ encrypting_key = tgs_key;
+ server.kvno = tgs_kvno;
+ server.principal = tgs_server;
+ } else {
+ nprincs = 1;
+ if (retval = krb5_db_get_principal(apreq->ticket->server,
+ &server, &nprincs,
+ &more)) {
+ cleanup_apreq();
+ return(retval);
+ }
+ if (more) {
+ krb5_db_free_principal(&server, nprincs);
+ cleanup_apreq();
+ return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
+ } else if (nprincs != 1) {
+ krb5_db_free_principal(&server, nprincs);
+ cleanup_apreq();
+ return(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN);
+ }
+ /* convert server.key into a real key (it may be encrypted
+ in the database) */
+ if (retval = KDB_CONVERT_KEY_OUTOF_DB(&server.key, &encrypting_key)) {
+ krb5_db_free_principal(&server, nprincs);
+ cleanup_apreq();
+ return retval;
+ }
+ freeprinc = TRUE;
}
who.dbentry = &server;
who.key = &encrypting_key;
(krb5_pointer)&who,
0, /* no replay cache */
&authdat);
- krb5_db_free_principal(&server, nprincs);
- memset((char *)encrypting_key.contents, 0, encrypting_key.length);
- free((char *)encrypting_key.contents);
+ if (freeprinc) {
+ krb5_db_free_principal(&server, nprincs);
+ memset((char *)encrypting_key.contents, 0, encrypting_key.length);
+ free((char *)encrypting_key.contents);
+ }
if (retval) {
cleanup_apreq();
return(retval);
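Review bot: The TGS fast path (the `krb5_principal_compare` branch) fills only `server.kvno` and `server.principal`, yet `who.dbentry = &server` still hands the whole entry to the verification callback, so every other field of `server` is whatever the stack held unless it is zeroed somewhere before this hunk — nothing visible here does so. Either clear the entry at the top of that branch, `memset((char *)&server, 0, sizeof(server));`, or document that the callback may read only `kvno` and `principal` from a TGS entry. The `freeprinc` guard is right to skip the free/zeroize for the shared `tgs_key`, but `encrypting_key = tgs_key` is a shallow copy of global key material, so nothing between here and the `if (freeprinc)` block may modify `encrypting_key.contents`; a one-line comment such as `/* encrypting_key aliases tgs_key; do not free or overwrite */` would make that explicit. The enclosing function begins and ends outside this hunk.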
krb5_keyblock *masterkeyblock;
{
krb5_error_code retval;
+ int nprincs;
+ krb5_boolean more;
+ krb5_db_entry server;
/* set db name if appropriate */
if (dbname && (retval = krb5_db_set_name(dbname)))
return(retval);
}
+ /* fetch the TGS key, and hold onto it; this is an efficiency hack */
+
+ /* the master key name here is from the master_princ global,
+ so we can safely share its substructure */
+
+ tgs_server[0] = krb5_princ_realm(masterkeyname);
+ /* tgs_server[1] is init data */
+ tgs_server[2] = krb5_princ_realm(masterkeyname);
+ /* tgs_server[3] is init data (0) */
+
+ nprincs = 1;
+ if (retval = krb5_db_get_principal(tgs_server,
+ &server, &nprincs,
+ &more)) {
+ return(retval);
+ }
+ if (more) {
+ krb5_db_free_principal(&server, nprincs);
+ (void) krb5_finish_key(&master_encblock);
+ memset((char *)&master_encblock, 0, sizeof(master_encblock));
+ (void) krb5_db_fini();
+ return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
+ } else if (nprincs != 1) {
+ krb5_db_free_principal(&server, nprincs);
+ (void) krb5_finish_key(&master_encblock);
+ memset((char *)&master_encblock, 0, sizeof(master_encblock));
+ (void) krb5_db_fini();
+ return(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN);
+ }
+ /* convert server.key into a real key (it may be encrypted
+ in the database) */
+ if (retval = KDB_CONVERT_KEY_OUTOF_DB(&server.key, &tgs_key)) {
+ krb5_db_free_principal(&server, nprincs);
+ (void) krb5_finish_key(&master_encblock);
+ memset((char *)&master_encblock, 0, sizeof(master_encblock));
+ (void) krb5_db_fini();
+ return retval;
+ }
+ tgs_kvno = server.kvno;
+ krb5_db_free_principal(&server, nprincs);
return 0;
}
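Review bot: The `krb5_db_get_principal` failure path returns `retval` bare, while the two sibling error branches just below it and the `KDB_CONVERT_KEY_OUTOF_DB` branch all run `krb5_finish_key`, zero `master_encblock` and call `krb5_db_fini` first; on that path the master key schedule is left in memory and the database left open. Give it the same teardown before the return: `(void) krb5_finish_key(&master_encblock);`, `memset((char *)&master_encblock, 0, sizeof(master_encblock));`, `(void) krb5_db_fini();` — or, since that triplet now appears three times, collapse the branches into one cleanup label. The comment `/* fetch the TGS key, and hold onto it; this is an efficiency hack */` should also state that `tgs_key.contents` is now long-lived global key material and is owned (zeroed) by the shutdown path. The enclosing function begins outside this hunk.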
memset((char *)&master_encblock, 0, sizeof(master_encblock));
+ memset((char *)tgs_key.contents, 0, tgs_key.length);
+
/* close database */
if (retval) {
(void) krb5_db_fini();