*/
#define PKI_CSSM_TO_KRB_DATA(cd, kd) \
(kd)->data = (char *)(cd)->Data; \
- (kd)->length = (cd)->Length;
+ (kd)->length = (cd)->Length;
#define PKI_KRB_TO_CSSM_DATA(kd, cd) \
(cd)->Data = (uint8 *)(kd)->data; \
- (cd)->Length = (kd)->length;
+ (cd)->Length = (kd)->length;
/*
* Compare to CSSM_DATAs. Return TRUE if they're the same else FALSE.
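Review bot: Both conversion macros in this hunk expand to two bare statements, so a call written as `if (cond) PKI_CSSM_TO_KRB_DATA(cd, kd);` would guard only the pointer assignment and always run the length assignment, leaving the pointer and length out of step. Since these lines are being touched anyway, wrap each body, e.g. `do { (kd)->data = (char *)(cd)->Data; (kd)->length = (cd)->Length; } while (0)`, and do the same for PKI_KRB_TO_CSSM_DATA. The length copy also converts between the CSSM and krb5 length fields with no range check; whether that can truncate depends on the field types, which are not visible here. The visible change is whitespace only, and the comment blocks around the macros begin and end outside the hunk.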
if (isflagset(request->kdc_options, KDC_OPT_CNAME_IN_ADDL_TKT)) {
/* Do constrained delegation protocol and authorization checks */
errcode = kdc_process_s4u2proxy_req(kdc_context,
- request,
- request->second_ticket[st_idx]->enc_part2,
- &st_client,
- header_ticket->enc_part2->client,
- request->server,
- &status);
+ request,
+ request->second_ticket[st_idx]->enc_part2,
+ &st_client,
+ header_ticket->enc_part2->client,
+ request->server,
+ &status);
if (errcode)
goto cleanup;
/* try refreshing master key list */
/* XXX it would nice if we had the mkvno here for optimization */
if (krb5_db_fetch_mkey_list(kdc_context, master_princ,
- &master_keyblock, 0, &tmp_mkey_list) == 0) {
+ &master_keyblock, 0, &tmp_mkey_list) == 0) {
krb5_dbe_free_key_list(kdc_context, master_keylist);
master_keylist = tmp_mkey_list;
if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist,
char *tdots;
errcode = kdc_check_transited_list (kdc_context,
- &enc_tkt_reply.transited.tr_contents,
- krb5_princ_realm (kdc_context, header_enc_tkt->client),
- krb5_princ_realm (kdc_context, request->server));
+ &enc_tkt_reply.transited.tr_contents,
+ krb5_princ_realm (kdc_context, header_enc_tkt->client),
+ krb5_princ_realm (kdc_context, request->server));
tlen = enc_tkt_reply.transited.tr_contents.length;
tdots = tlen > 125 ? "..." : "";
tlen = tlen > 125 ? 125 : tlen;
reply.enc_part.enctype = subkey ? subkey->enctype :
header_ticket->enc_part2->session->enctype;
errcode = kdc_fast_response_handle_padata(state, request, &reply,
- subkey ? subkey->enctype : header_ticket->enc_part2->session->enctype);
+ subkey ? subkey->enctype : header_ticket->enc_part2->session->enctype);
if (errcode !=0 ) {
status = "Preparing FAST padata";
goto cleanup;
}
errcode =kdc_fast_handle_reply_key(state,
- subkey?subkey:header_ticket->enc_part2->session, &reply_key);
+ subkey?subkey:header_ticket->enc_part2->session, &reply_key);
if (errcode) {
status = "generating reply key";
goto cleanup;
* the principal.
*/
if ((retval = krb5_walk_realm_tree(kdc_context,
- krb5_princ_realm(kdc_context, request->server),
- krb5_princ_component(kdc_context, request->server, 1),
- &plist, KRB5_REALM_BRANCH_CHAR)))
+ krb5_princ_realm(kdc_context, request->server),
+ krb5_princ_component(kdc_context, request->server, 1),
+ &plist, KRB5_REALM_BRANCH_CHAR)))
return;
/* move to the end */
tgs_server,
ticket->server)) {
krb5_set_error_message(kdc_context, KRB5KDC_ERR_SERVER_NOMATCH,
- "ap-request armor for something other than the local TGS");
+ "ap-request armor for something other than the local TGS");
retval = KRB5KDC_ERR_SERVER_NOMATCH;
}
}
&state->armor_key);
else {
krb5_set_error_message(kdc_context, KRB5KDC_ERR_PREAUTH_FAILED,
- "No armor key but FAST armored request present");
+ "No armor key but FAST armored request present");
retval = KRB5KDC_ERR_PREAUTH_FAILED;
}
}
#endif
/* MIT Kerberos 1.6 (V0) authdata plugin callback */
-typedef krb5_error_code (*authdata_proc_0)
- (krb5_context, krb5_db_entry *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_enc_tkt_part * enc_tkt_reply);
+typedef krb5_error_code (*authdata_proc_0)(
+ krb5_context,
+ krb5_db_entry *client,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_enc_tkt_part * enc_tkt_reply);
/* MIT Kerberos 1.8 (V2) authdata plugin callback */
-typedef krb5_error_code (*authdata_proc_2)
- (krb5_context, unsigned int flags,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_db_entry *krbtgt,
- krb5_keyblock *client_key,
- krb5_keyblock *server_key,
- krb5_keyblock *krbtgt_key,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_const_principal for_user_princ,
- krb5_enc_tkt_part *enc_tkt_request,
- krb5_enc_tkt_part *enc_tkt_reply);
-typedef krb5_error_code (*init_proc)
- (krb5_context, void **);
-typedef void (*fini_proc)
- (krb5_context, void *);
-
-static krb5_error_code handle_request_authdata
- (krb5_context context,
- unsigned int flags,
- krb5_db_entry *client,
- krb5_db_entry *server,
- krb5_db_entry *krbtgt,
- krb5_keyblock *client_key,
- krb5_keyblock *server_key,
- krb5_keyblock *krbtgt_key,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_const_principal for_user_princ,
- krb5_enc_tkt_part *enc_tkt_request,
- krb5_enc_tkt_part *enc_tkt_reply);
-
-static krb5_error_code handle_tgt_authdata
- (krb5_context context,
- unsigned int flags,
- krb5_db_entry *client,
- krb5_db_entry *server,
- krb5_db_entry *krbtgt,
- krb5_keyblock *client_key,
- krb5_keyblock *server_key,
- krb5_keyblock *krbtgt_key,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_const_principal for_user_princ,
- krb5_enc_tkt_part *enc_tkt_request,
- krb5_enc_tkt_part *enc_tkt_reply);
+typedef krb5_error_code (*authdata_proc_2)(
+ krb5_context, unsigned int flags,
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_db_entry *krbtgt,
+ krb5_keyblock *client_key,
+ krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_const_principal for_user_princ,
+ krb5_enc_tkt_part *enc_tkt_request,
+ krb5_enc_tkt_part *enc_tkt_reply);
+typedef krb5_error_code (*init_proc)(krb5_context, void **);
+typedef void (*fini_proc)(krb5_context, void *);
+
+static krb5_error_code handle_request_authdata(
+ krb5_context context,
+ unsigned int flags,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_db_entry *krbtgt,
+ krb5_keyblock *client_key,
+ krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_const_principal for_user_princ,
+ krb5_enc_tkt_part *enc_tkt_request,
+ krb5_enc_tkt_part *enc_tkt_reply);
+
+static krb5_error_code handle_tgt_authdata(
+ krb5_context context,
+ unsigned int flags,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_db_entry *krbtgt,
+ krb5_keyblock *client_key,
+ krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_const_principal for_user_princ,
+ krb5_enc_tkt_part *enc_tkt_request,
+ krb5_enc_tkt_part *enc_tkt_reply);
static krb5_error_code
handle_kdb_authdata(krb5_context context, unsigned int flags,
if (server_init_proc != NULL) {
krb5_error_code initerr;
initerr = (*server_init_proc)(context, &plugin_context,
- (const char **)kdc_realm_names);
+ (const char **)kdc_realm_names);
if (initerr) {
const char *emsg;
emsg = krb5_get_error_message(context, initerr);
if (emsg) {
krb5_klog_syslog(LOG_ERR,
- "preauth %s failed to initialize: %s",
- ftable->name, emsg);
+ "preauth %s failed to initialize: %s",
+ ftable->name, emsg);
krb5_free_error_message(context, emsg);
}
memset(&preauth_systems[k], 0,
preauth_systems[k].type = ftable->pa_type_list[j];
if (ftable->flags_proc != NULL)
preauth_systems[k].flags = ftable->flags_proc(context,
- preauth_systems[k].type);
+ preauth_systems[k].type);
else
preauth_systems[k].flags = 0;
preauth_systems[k].plugin_context = plugin_context;
for (i = 0; i < n_preauth_systems; i++) {
if (preauth_systems[i].fini != NULL) {
(*preauth_systems[i].fini)(context,
- preauth_systems[i].plugin_context);
+ preauth_systems[i].plugin_context);
}
memset(&preauth_systems[i], 0, sizeof(preauth_systems[i]));
}
#ifdef DEBUG
krb5_klog_syslog (
- LOG_DEBUG,
- "client needs %spreauth, %shw preauth; request has %spreauth, %shw preauth",
- isflagset (client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) ? "" : "no ",
- isflagset (client->attributes, KRB5_KDB_REQUIRES_HW_AUTH) ? "" : "no ",
- isflagset (enc_tkt_reply->flags, TKT_FLG_PRE_AUTH) ? "" : "no ",
- isflagset (enc_tkt_reply->flags, TKT_FLG_HW_AUTH) ? "" : "no ");
+ LOG_DEBUG,
+ "client needs %spreauth, %shw preauth; request has %spreauth, %shw preauth",
+ isflagset (client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) ? "" : "no ",
+ isflagset (client->attributes, KRB5_KDB_REQUIRES_HW_AUTH) ? "" : "no ",
+ isflagset (enc_tkt_reply->flags, TKT_FLG_PRE_AUTH) ? "" : "no ",
+ isflagset (enc_tkt_reply->flags, TKT_FLG_HW_AUTH) ? "" : "no ");
#endif
if (isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
static krb5_boolean
request_contains_enctype(krb5_context context, const krb5_kdc_req *request,
- krb5_enctype enctype)
+ krb5_enctype enctype)
{
int i;
for (i =0; i < request->nktypes; i++)
* We've already verified; just obtain the fields we need to create a response
*/
krtn = krb5int_pkinit_as_req_parse(context,
- &pa_data,
- NULL, NULL, &nonce, /* ctime, cusec, nonce */
- NULL, NULL, /* pa_cksum, cert_status */
- &num_cms_types, &cms_types,
- &client_cert, /* signer_cert: we encrypt for this */
- /* remaining fields unused (for now) */
- NULL, NULL, /* num_all_certs, all_certs */
- &num_trusted_CAs, &trusted_CAs,
- &kdc_cert);
+ &pa_data,
+ NULL, NULL, &nonce, /* ctime, cusec, nonce */
+ NULL, NULL, /* pa_cksum, cert_status */
+ &num_cms_types, &cms_types,
+ &client_cert, /* signer_cert: we encrypt for this */
+ /* remaining fields unused (for now) */
+ NULL, NULL, /* num_all_certs, all_certs */
+ &num_trusted_CAs, &trusted_CAs,
+ &kdc_cert);
if(krtn) {
kdcPkinitDebug("pa_pk_as_req_parse returned %d; PKINIT aborting.\n",
(int)krtn);
&pa_data);
if(krtn) {
kdcPkinitDebug("pa_pk_as_rep_create returned %d; PKINIT aborting.\n",
- (int)krtn);
+ (int)krtn);
goto cleanup;
}
krb5_boolean krb5_is_tgs_principal (krb5_const_principal);
krb5_error_code
add_to_transited (krb5_data *,
- krb5_data *,
- krb5_principal,
- krb5_principal,
- krb5_principal);
+ krb5_data *,
+ krb5_principal,
+ krb5_principal,
+ krb5_principal);
krb5_error_code
compress_transited (krb5_data *,
- krb5_principal,
- krb5_data *);
+ krb5_principal,
+ krb5_data *);
krb5_error_code
concat_authorization_data (krb5_authdata **,
krb5_authdata **,
/* do_as_req.c */
krb5_error_code
process_as_req (krb5_kdc_req *, krb5_data *,
- const krb5_fulladdr *,
- krb5_data ** );
+ const krb5_fulladdr *,
+ krb5_data ** );
/* do_tgs_req.c */
krb5_error_code
process_tgs_req (krb5_data *,
- const krb5_fulladdr *,
- krb5_data ** );
+ const krb5_fulladdr *,
+ krb5_data ** );
/* dispatch.c */
krb5_error_code
dispatch (krb5_data *,
- const krb5_fulladdr *,
- krb5_data **);
+ const krb5_fulladdr *,
+ krb5_data **);
/* main.c */
krb5_error_code kdc_initialize_rcache (krb5_context, char *);
/* policy.c */
int
against_local_policy_as (krb5_kdc_req *, krb5_db_entry,
- krb5_db_entry, krb5_timestamp,
- const char **, krb5_data *);
+ krb5_db_entry, krb5_timestamp,
+ const char **, krb5_data *);
int
against_local_policy_tgs (krb5_kdc_req *, krb5_db_entry,
- krb5_ticket *, const char **,
- krb5_data *);
+ krb5_ticket *, const char **,
+ krb5_data *);
/* kdc_preauth.c */
krb5_boolean
const char *
missing_required_preauth (krb5_db_entry *client,
- krb5_db_entry *server,
- krb5_enc_tkt_part *enc_tkt_reply);
+ krb5_db_entry *server,
+ krb5_enc_tkt_part *enc_tkt_reply);
void
get_preauth_hint_list (krb5_kdc_req * request,
- krb5_db_entry *client,
- krb5_db_entry *server,
- krb5_data *e_data);
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_data *e_data);
krb5_error_code
load_preauth_plugins(krb5_context context);
krb5_error_code
if (!rdp->realm_no_host_referral)
retval = ENOMEM;
} else if (no_refrls && (asprintf(&(rdp->realm_no_host_referral),
- "%s%s%s%s%s", " ", no_refrls," ",
- rparams->realm_no_host_referral, " ") < 0))
+ "%s%s%s%s%s", " ", no_refrls," ",
+ rparams->realm_no_host_referral, " ") < 0))
retval = ENOMEM;
else if (asprintf(&(rdp->realm_no_host_referral),"%s%s%s", " ",
rparams->realm_no_host_referral, " ") < 0)
retval = ENOMEM;
} else if( no_refrls != NULL) {
if ( asprintf(&(rdp->realm_no_host_referral),
- "%s%s%s", " ", no_refrls, " ") < 0)
+ "%s%s%s", " ", no_refrls, " ") < 0)
retval = ENOMEM;
} else
rdp->realm_no_host_referral = NULL;
}
if (host_based_srvcs &&
- (krb5_match_config_pattern(host_based_srvcs, KRB5_CONF_ASTERISK) == TRUE)) {
+ (krb5_match_config_pattern(host_based_srvcs, KRB5_CONF_ASTERISK) == TRUE)) {
rdp->realm_host_based_services = strdup(KRB5_CONF_ASTERISK);
if (!rdp->realm_host_based_services)
retval = ENOMEM;
default_tcp_ports, manual, db_args,
no_refrls, host_based_srvcs))) {
fprintf(stderr,
- "%s: cannot initialize realm %s - see log file for details\n",
+ "%s: cannot initialize realm %s - see log file for details\n",
argv[0], optarg);
exit(1);
}
extern const struct krb5_keyhash_provider krb5int_keyhash_md5des;
extern const struct krb5_keyhash_provider krb5int_keyhash_hmac_md5;
extern const struct krb5_keyhash_provider krb5int_keyhash_md5_hmac;
-