/*
* kdc/dispatch.c
*
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright 1990, 2009 by the Massachusetts Institute of Technology.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
#endif
#endif /* APPLE_PKINIT */
-static krb5_error_code prepare_error_as (struct kdc_request_state *, krb5_kdc_req *, int, krb5_data *,
- krb5_principal, krb5_data **,
- const char *);
+static krb5_error_code
+prepare_error_as(struct kdc_request_state *, krb5_kdc_req *,
+ int, krb5_data *, krb5_principal, krb5_data **,
+ const char *);
/*ARGSUSED*/
krb5_error_code
status = "Finding req_body";
goto errout;
}
- errcode = kdc_find_fast(&request, &encoded_req_body, NULL /*TGS key*/, NULL, state);
+ errcode = kdc_find_fast(&request, &encoded_req_body,
+ NULL /*TGS key*/, NULL, state);
if (errcode) {
status = "error decoding FAST";
goto errout;
setflag(enc_tkt_reply.flags, TKT_FLG_INITIAL);
- /* It should be noted that local policy may affect the */
- /* processing of any of these flags. For example, some */
- /* realms may refuse to issue renewable tickets */
+ /*
+ * It should be noted that local policy may affect the
+ * processing of any of these flags. For example, some
+ * realms may refuse to issue renewable tickets
+ */
if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE))
setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
} else
enc_tkt_reply.times.renew_till = 0; /* XXX */
- /* starttime is optional, and treated as authtime if not present.
- so we can nuke it if it matches */
+ /*
+ * starttime is optional, and treated as authtime if not present.
+ * so we can nuke it if it matches
+ */
if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime)
enc_tkt_reply.times.starttime = 0;
* Find the server key
*/
if ((errcode = krb5_dbe_find_enctype(kdc_context, &server,
- -1, /* ignore keytype */
- -1, /* Ignore salttype */
- 0, /* Get highest kvno */
+ -1, /* ignore keytype */
+ -1, /* Ignore salttype */
+ 0, /* Get highest kvno */
&server_key))) {
status = "FINDING_SERVER_KEY";
goto errout;
}
}
- /* convert server.key into a real key (it may be encrypted
- in the database) */
+ /*
+ * Convert server.key into a real key
+ * (it may be encrypted in the database)
+ *
+ * server_keyblock is later used to generate auth data signatures
+ */
if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, mkey_ptr,
- /* server_keyblock is later used to generate auth data signatures */
server_key, &server_keyblock,
NULL))) {
status = "DECRYPT_SERVER_KEY";
reply_encpart.server = ticket_reply.server;
/* copy the time fields EXCEPT for authtime; it's location
- is used for ktime */
+ * is used for ktime
+ */
reply_encpart.times = enc_tkt_reply.times;
reply_encpart.times.authtime = authtime = kdc_time;
reply_encpart.enc_padata = NULL;
/* Fetch the padata info to be returned (do this before
- authdata to handle possible replacement of reply key */
+ * authdata to handle possible replacement of reply key
+ */
errcode = return_padata(kdc_context, &client, req_pkt, request,
&reply, client_key, &client_keyblock, &pa_context);
if (errcode) {
goto errout;
}
- errcode = krb5_encrypt_tkt_part(kdc_context, &server_keyblock, &ticket_reply);
+ errcode = krb5_encrypt_tkt_part(kdc_context, &server_keyblock,
+ &ticket_reply);
if (errcode) {
status = "ENCRYPTING_TICKET";
goto errout;
}
ticket_reply.enc_part.kvno = server_key->key_data_kvno;
- errcode = kdc_fast_response_handle_padata(state, request, &reply, client_keyblock.enctype);
+ errcode = kdc_fast_response_handle_padata(state, request, &reply,
+ client_keyblock.enctype);
if (errcode) {
status = "fast response handling";
goto errout;
reply.enc_part.enctype = client_keyblock.enctype;
- errcode = kdc_fast_handle_reply_key(state, &client_keyblock, &as_encrypting_key);
+ errcode = kdc_fast_handle_reply_key(state, &client_keyblock,
+ &as_encrypting_key);
if (errcode) {
status = "generating reply key";
goto errout;
response, status);
status = 0;
}
+
if (emsg)
krb5_free_error_message(kdc_context, emsg);
-
if (enc_tkt_reply.authorization_data != NULL)
krb5_free_authdata(kdc_context, enc_tkt_reply.authorization_data);
if (server_keyblock.contents != NULL)
request->kdc_state = NULL;
krb5_free_kdc_req(kdc_context, request);
assert(did_log != 0);
+
return errcode;
}
static krb5_error_code
-prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request, int error, krb5_data *e_data,
+prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
+ int error, krb5_data *e_data,
krb5_principal canon_client, krb5_data **response,
const char *status)
{
pa = calloc(size+1, sizeof(*pa));
if (pa == NULL)
retval = ENOMEM;
- else for (size = 0; td[size]; size++) {
+ else
+ for (size = 0; td[size]; size++) {
krb5_pa_data *pad = malloc(sizeof(krb5_pa_data ));
if (pad == NULL) {
retval = ENOMEM;
request, pa, &errpkt);
if (retval == 0)
retval = krb5_mk_error(kdc_context, &errpkt, scratch);
+
free(errpkt.text.data);
if (retval)
free(scratch);
else
*response = scratch;
krb5_free_pa_data(kdc_context, pa);
+
return retval;
}
register int i;
int firstpass = 1;
const char *status = 0;
- krb5_enc_tkt_part *header_enc_tkt = NULL; /* ticket granting or evidence ticket */
+ krb5_enc_tkt_part *header_enc_tkt = NULL; /* TG or evidence ticket */
krb5_db_entry client, krbtgt;
int c_nprincs = 0, k_nprincs = 0;
krb5_pa_s4u_x509_user *s4u_x509_user = NULL; /* protocol transition request */
}
scratch.length = pa_tgs_req->length;
scratch.data = (char *) pa_tgs_req->contents;
- errcode = kdc_find_fast(&request, &scratch, subkey, header_ticket->enc_part2->session, state);
+ errcode = kdc_find_fast(&request, &scratch, subkey,
+ header_ticket->enc_part2->session, state);
if (errcode !=0) {
status = "kdc_find_fast";
goto cleanup;
}
-
/*
* Pointer to the encrypted part of the header ticket, which may be
* replaced to point to the encrypted part of the evidence ticket
*/
if (firstpass ) {
- if ( krb5_is_tgs_principal(request->server) == TRUE) { /* Principal is a name of krb ticket service */
+ if ( krb5_is_tgs_principal(request->server) == TRUE) {
+ /* Principal is a name of krb ticket service */
if (krb5_princ_size(kdc_context, request->server) == 2) {
- server_1 = krb5_princ_component(kdc_context, request->server, 1);
+ server_1 = krb5_princ_component(kdc_context,
+ request->server, 1);
tgs_1 = krb5_princ_component(kdc_context, tgs_server, 1);
if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
retval = prep_reprocess_req(request, &krbtgt_princ);
if (!retval) {
krb5_free_principal(kdc_context, request->server);
- retval = krb5_copy_principal(kdc_context, krbtgt_princ, &(request->server));
+ retval = krb5_copy_principal(kdc_context, krbtgt_princ,
+ &(request->server));
if (!retval) {
db_ref_done = TRUE;
if (sname != NULL)
useenctype = 0;
if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY |
KDC_OPT_CNAME_IN_ADDL_TKT)) {
- krb5_keyblock * st_sealing_key;
- krb5_kvno st_srv_kvno;
- krb5_enctype etype;
+ krb5_keyblock st_sealing_key;
+ krb5_kvno st_srv_kvno;
+ krb5_enctype etype;
krb5_db_entry st_client;
- int st_nprincs = 0;
+ int st_nprincs = 0;
/*
* Get the key for the second ticket, and decrypt it.
if (isflagset(request->kdc_options, KDC_OPT_CNAME_IN_ADDL_TKT)) {
/* Do constrained delegation protocol and authorization checks */
errcode = kdc_process_s4u2proxy_req(kdc_context,
- request,
- request->second_ticket[st_idx]->enc_part2,
- &st_client,
- header_ticket->enc_part2->client,
- request->server,
- &status);
+ request,
+ request->second_ticket[st_idx]->enc_part2,
+ &st_client,
+ header_ticket->enc_part2->client,
+ request->server,
+ &status);
if (errcode)
goto cleanup;
reply_encpart.caddrs = 0;/* optional...don't put it in */
reply_encpart.enc_padata = NULL;
- /* It should be noted that local policy may affect the */
- /* processing of any of these flags. For example, some */
- /* realms may refuse to issue renewable tickets */
+ /*
+ * It should be noted that local policy may affect the
+ * processing of any of these flags. For example, some
+ * realms may refuse to issue renewable tickets
+ */
if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE)) {
setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
* S4U2Self in order for forwardable tickets to be returned.
*/
else if (!is_referral &&
- !isflagset(server.attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))
+ !isflagset(server.attributes,
+ KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))
clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
}
}
enc_tkt_reply.times.starttime = 0;
if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
- errcode = krb5_unparse_name(kdc_context, s4u_x509_user->user_id.user, &s4u_name);
+ errcode = krb5_unparse_name(kdc_context, s4u_x509_user->user_id.user,
+ &s4u_name);
} else if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) {
- errcode = krb5_unparse_name(kdc_context, header_enc_tkt->client, &s4u_name);
+ errcode = krb5_unparse_name(kdc_context, header_enc_tkt->client,
+ &s4u_name);
} else {
errcode = 0;
}
if ((errcode = krb5_dbe_find_enctype(kdc_context, &server,
-1, /* ignore keytype */
-1, /* Ignore salttype */
- 0,/* Get highest kvno */
+ 0, /* Get highest kvno */
&server_key))) {
status = "FINDING_SERVER_KEY";
goto cleanup;
/* try refreshing master key list */
/* XXX it would nice if we had the mkvno here for optimization */
if (krb5_db_fetch_mkey_list(kdc_context, master_princ,
- &master_keyblock, 0, &tmp_mkey_list) == 0) {
+ &master_keyblock, 0, &tmp_mkey_list) == 0) {
krb5_dbe_free_key_list(kdc_context, master_keylist);
master_keylist = tmp_mkey_list;
if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist,
}
}
- /* convert server.key into a real key (it may be encrypted
- * in the database) */
+ /*
+ * Convert server.key into a real key
+ * (it may be encrypted in the database)
+ */
if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context,
mkey_ptr,
server_key, &encrypting_key,
* implicitly part of the transited list and should not be explicitly
* listed).
*/
-
/* realm compare is like strcmp, but knows how to deal with these args */
if (realm_compare(header_ticket->server, tgs_server) ||
realm_compare(header_ticket->server, enc_tkt_reply.client)) {
char *tdots;
errcode = kdc_check_transited_list (kdc_context,
- &enc_tkt_reply.transited.tr_contents,
- krb5_princ_realm (kdc_context, header_enc_tkt->client),
- krb5_princ_realm (kdc_context, request->server));
+ &enc_tkt_reply.transited.tr_contents,
+ krb5_princ_realm (kdc_context, header_enc_tkt->client),
+ krb5_princ_realm (kdc_context, request->server));
tlen = enc_tkt_reply.transited.tr_contents.length;
tdots = tlen > 125 ? "..." : "";
tlen = tlen > 125 ? 125 : tlen;
/* use the session key in the ticket, unless there's a subsession key
in the AP_REQ */
-
reply.enc_part.enctype = subkey ? subkey->enctype :
header_ticket->enc_part2->session->enctype;
errcode = kdc_fast_response_handle_padata(state, request, &reply,
- subkey?subkey->enctype:header_ticket->enc_part2->session->enctype);
+ subkey ? subkey->enctype : header_ticket->enc_part2->session->enctype);
if (errcode !=0 ) {
status = "Preparing FAST padata";
goto cleanup;
}
- errcode =kdc_fast_handle_reply_key(state, subkey?subkey:header_ticket->enc_part2->session, &reply_key);
+ errcode =kdc_fast_handle_reply_key(state,
+ subkey?subkey:header_ticket->enc_part2->session, &reply_key);
if (errcode) {
status = "generating reply key";
goto cleanup;
* the principal.
*/
if ((retval = krb5_walk_realm_tree(kdc_context,
- krb5_princ_realm(kdc_context, request->server),
- krb5_princ_component(kdc_context, request->server, 1),
- &plist, KRB5_REALM_BRANCH_CHAR)))
+ krb5_princ_realm(kdc_context, request->server),
+ krb5_princ_component(kdc_context, request->server, 1),
+ &plist, KRB5_REALM_BRANCH_CHAR)))
return;
/* move to the end */
if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST ||
(krb5_princ_type(kdc_context, request->server) == KRB5_NT_UNKNOWN &&
kdc_active_realm->realm_host_based_services != NULL &&
- (krb5_match_config_pattern(kdc_active_realm->realm_host_based_services, comp1_str) == TRUE ||
- krb5_match_config_pattern(kdc_active_realm->realm_host_based_services, KRB5_CONF_ASTERISK) == TRUE))) &&
+ (krb5_match_config_pattern(kdc_active_realm->realm_host_based_services,
+ comp1_str) == TRUE ||
+ krb5_match_config_pattern(kdc_active_realm->realm_host_based_services,
+ KRB5_CONF_ASTERISK) == TRUE))) &&
(kdc_active_realm->realm_no_host_referral == NULL ||
- (krb5_match_config_pattern(kdc_active_realm->realm_no_host_referral, KRB5_CONF_ASTERISK) == FALSE &&
- krb5_match_config_pattern(kdc_active_realm->realm_no_host_referral, comp1_str) == FALSE))) {
+ (krb5_match_config_pattern(kdc_active_realm->realm_no_host_referral,
+ KRB5_CONF_ASTERISK) == FALSE &&
+ krb5_match_config_pattern(kdc_active_realm->realm_no_host_referral,
+ comp1_str) == FALSE))) {
if (memchr(comp2->data, '.', comp2->length) == NULL)
goto cleanup;
temp_buf = calloc(1, comp2->length+1);
- if (!temp_buf){
+ if (!temp_buf) {
retval = ENOMEM;
goto cleanup;
}
}
cleanup:
free(comp1_str);
+
return retval;
}
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
- *
- *
*/
#include <k5-int.h>
krb5_clear_error_message(kdc_context);
retval = krb5_auth_con_init(kdc_context, &authcontext);
if (retval == 0)
- retval = krb5_auth_con_setflags(kdc_context, authcontext, 0); /*disable replay cache*/
+ retval = krb5_auth_con_setflags(kdc_context,
+ authcontext, 0); /*disable replay cache*/
retval = krb5_rd_req(kdc_context, &authcontext,
&armor->armor_value, NULL /*server*/,
kdc_active_realm->realm_keytab, NULL, &ticket);
- if (retval !=0) {
+ if (retval != 0) {
const char * errmsg = krb5_get_error_message(kdc_context, retval);
krb5_set_error_message(kdc_context, retval,
"%s while handling ap-request armor", errmsg);
tgs_server,
ticket->server)) {
krb5_set_error_message(kdc_context, KRB5KDC_ERR_SERVER_NOMATCH,
- "ap-request armor for something other than the local TGS");
+ "ap-request armor for something other than the local TGS");
retval = KRB5KDC_ERR_SERVER_NOMATCH;
}
}
- if (retval ==0) {
+ if (retval == 0) {
retval = krb5_auth_con_getrecvsubkey(kdc_context, authcontext, &subkey);
- if (retval !=0 || subkey == NULL) {
+ if (retval != 0 || subkey == NULL) {
krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY,
"ap-request armor without subkey");
retval = KRB5KDC_ERR_POLICY;
}
}
- if (retval==0)
+ if (retval == 0)
retval = krb5_c_fx_cf2_simple(kdc_context,
subkey, "subkeyarmor",
ticket->enc_part2->session, "ticketarmor",
return retval;
}
-static krb5_error_code encrypt_fast_reply
-(struct kdc_request_state *state, const krb5_fast_response *response,
- krb5_data **fx_fast_reply)
+static krb5_error_code
+encrypt_fast_reply(struct kdc_request_state *state,
+ const krb5_fast_response *response,
+ krb5_data **fx_fast_reply)
{
krb5_error_code retval = 0;
krb5_enc_data encrypted_reply;
}
-krb5_error_code kdc_find_fast
-(krb5_kdc_req **requestptr, krb5_data *checksummed_data,
- krb5_keyblock *tgs_subkey,
- krb5_keyblock *tgs_session,
- struct kdc_request_state *state)
+krb5_error_code
+kdc_find_fast(krb5_kdc_req **requestptr,
+ krb5_data *checksummed_data,
+ krb5_keyblock *tgs_subkey,
+ krb5_keyblock *tgs_session,
+ struct kdc_request_state *state)
{
krb5_error_code retval = 0;
krb5_pa_data *fast_padata, *cookie_padata;
&state->armor_key);
else {
krb5_set_error_message(kdc_context, KRB5KDC_ERR_PREAUTH_FAILED,
- "No armor key but FAST armored request present");
+ "No armor key but FAST armored request present");
retval = KRB5KDC_ERR_PREAUTH_FAILED;
}
}
if (retval == 0)
retval = krb5_c_verify_checksum(kdc_context, state->armor_key,
KRB5_KEYUSAGE_FAST_REQ_CHKSUM,
- checksummed_data, &fast_armored_req->req_checksum,
+ checksummed_data,
+ &fast_armored_req->req_checksum,
&cksum_valid);
if (retval == 0 && !cksum_valid) {
retval = KRB5KRB_AP_ERR_MODIFIED;
}
if (retval == 0) {
krb5_error_code ret;
- /* We need to confirm that a keyed checksum is used for the
+ /*
+ * We need to confirm that a keyed checksum is used for the
* fast_req checksum. In April 2009, the best way to do this is
* to try verifying the checksum with a keyblock with an zero
- * length; if it succeeds, then an unkeyed checksum is used.*/
+ * length; if it succeeds, then an unkeyed checksum is used.
+ */
ret = krb5_c_verify_checksum(kdc_context, &empty_keyblock,
KRB5_KEYUSAGE_FAST_REQ_CHKSUM,
- checksummed_data, &fast_armored_req->req_checksum,
+ checksummed_data,
+ &fast_armored_req->req_checksum,
&cksum_valid);
if (ret == 0) {
retval = KRB5KDC_ERR_POLICY;
}
}
if (retval == 0) {
- if ((fast_req->fast_options & UNSUPPORTED_CRITICAL_FAST_OPTIONS) !=0)
+ if ((fast_req->fast_options & UNSUPPORTED_CRITICAL_FAST_OPTIONS) != 0)
retval = KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION;
}
if (retval == 0)
- cookie_padata = find_pa_data(fast_req->req_body->padata, KRB5_PADATA_FX_COOKIE);
+ cookie_padata = find_pa_data(fast_req->req_body->padata,
+ KRB5_PADATA_FX_COOKIE);
if (retval == 0) {
state->fast_options = fast_req->fast_options;
if (request->kdc_state == state)
krb5_free_kdc_req( kdc_context, request);
*requestptr = fast_req->req_body;
fast_req->req_body = NULL;
-
}
}
else cookie_padata = find_pa_data(request->padata, KRB5_PADATA_FX_COOKIE);
retval = ENOMEM;
free(new_padata);
} else {
- memcpy(new_padata->contents, cookie_padata->contents, new_padata->length);
+ memcpy(new_padata->contents, cookie_padata->contents,
+ new_padata->length);
state->cookie = new_padata;
}
}
}
-krb5_error_code kdc_make_rstate(struct kdc_request_state **out)
+krb5_error_code
+kdc_make_rstate(struct kdc_request_state **out)
{
struct kdc_request_state *state = malloc( sizeof(struct kdc_request_state));
if (state == NULL)
return 0;
}
-void kdc_free_rstate
-(struct kdc_request_state *s)
+void
+kdc_free_rstate (struct kdc_request_state *s)
{
if (s == NULL)
return;
free(s);
}
-krb5_error_code kdc_fast_response_handle_padata
-(struct kdc_request_state *state,
- krb5_kdc_req *request,
- krb5_kdc_rep *rep, krb5_enctype enctype)
+krb5_error_code
+kdc_fast_response_handle_padata(struct kdc_request_state *state,
+ krb5_kdc_req *request,
+ krb5_kdc_rep *rep, krb5_enctype enctype)
{
krb5_error_code retval = 0;
krb5_fast_finished finish;
if (retval == 0)
retval = encode_krb5_ticket(rep->ticket, &encoded_ticket);
if (retval == 0)
- retval = krb5int_c_mandatory_cksumtype(kdc_context, state->armor_key->enctype, &cksumtype);
+ retval = krb5int_c_mandatory_cksumtype(kdc_context,
+ state->armor_key->enctype,
+ &cksumtype);
if (retval == 0)
retval = krb5_c_make_checksum(kdc_context, cksumtype,
- state->armor_key, KRB5_KEYUSAGE_FAST_FINISHED,
+ state->armor_key,
+ KRB5_KEYUSAGE_FAST_FINISHED,
encoded_ticket, &finish.ticket_checksum);
if (retval == 0)
retval = encrypt_fast_reply(state, &fast_response, &encrypted_reply);
* throw away the e_data in the error (if any); in the non-FAST case
* we will not use the in_padata.
*/
-krb5_error_code kdc_fast_handle_error
-(krb5_context context, struct kdc_request_state *state,
- krb5_kdc_req *request,
- krb5_pa_data **in_padata, krb5_error *err)
+krb5_error_code
+kdc_fast_handle_error(krb5_context context,
+ struct kdc_request_state *state,
+ krb5_kdc_req *request,
+ krb5_pa_data **in_padata, krb5_error *err)
{
krb5_error_code retval = 0;
krb5_fast_response resp;
return retval;
}
-krb5_error_code kdc_fast_handle_reply_key(struct kdc_request_state *state,
- krb5_keyblock *existing_key,
- krb5_keyblock **out_key)
+krb5_error_code
+kdc_fast_handle_reply_key(struct kdc_request_state *state,
+ krb5_keyblock *existing_key,
+ krb5_keyblock **out_key)
{
krb5_error_code retval = 0;
if (state->armor_key)
state->strengthen_key, "strengthenkey",
existing_key,
"replykey", out_key);
- else retval = krb5_copy_keyblock(kdc_context, existing_key, out_key);
+ else
+ retval = krb5_copy_keyblock(kdc_context, existing_key, out_key);
return retval;
}
-krb5_error_code kdc_preauth_get_cookie(struct kdc_request_state *state,
- krb5_pa_data **cookie)
+krb5_error_code
+kdc_preauth_get_cookie(struct kdc_request_state *state,
+ krb5_pa_data **cookie)
{
char *contents;
krb5_pa_data *pa = NULL;
#include "../include/krb5/authdata_plugin.h"
#if TARGET_OS_MAC
-static const char *objdirs[] = { KRB5_AUTHDATA_PLUGIN_BUNDLE_DIR, LIBDIR "/krb5/plugins/authdata", NULL }; /* should be a list */
+static const char *objdirs[] = { KRB5_AUTHDATA_PLUGIN_BUNDLE_DIR,
+ LIBDIR "/krb5/plugins/authdata",
+ NULL }; /* should be a list */
#else
static const char *objdirs[] = { LIBDIR "/krb5/plugins/authdata", NULL };
#endif
/* MIT Kerberos 1.6 (V0) authdata plugin callback */
typedef krb5_error_code (*authdata_proc_0)
-(krb5_context, krb5_db_entry *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_enc_tkt_part * enc_tkt_reply);
+ (krb5_context, krb5_db_entry *client,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_enc_tkt_part * enc_tkt_reply);
/* MIT Kerberos 1.8 (V2) authdata plugin callback */
typedef krb5_error_code (*authdata_proc_2)
-(krb5_context, unsigned int flags,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_db_entry *krbtgt,
- krb5_keyblock *client_key,
- krb5_keyblock *server_key,
- krb5_keyblock *krbtgt_key,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_const_principal for_user_princ,
- krb5_enc_tkt_part *enc_tkt_request,
- krb5_enc_tkt_part *enc_tkt_reply);
+ (krb5_context, unsigned int flags,
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_db_entry *krbtgt,
+ krb5_keyblock *client_key,
+ krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_const_principal for_user_princ,
+ krb5_enc_tkt_part *enc_tkt_request,
+ krb5_enc_tkt_part *enc_tkt_reply);
typedef krb5_error_code (*init_proc)
-(krb5_context, void **);
+ (krb5_context, void **);
typedef void (*fini_proc)
-(krb5_context, void *);
+ (krb5_context, void *);
/* Internal authdata system for copying TGS-REQ authdata to ticket */
static krb5_error_code handle_request_authdata
-(krb5_context context,
- unsigned int flags,
- krb5_db_entry *client,
- krb5_db_entry *server,
- krb5_db_entry *krbtgt,
- krb5_keyblock *client_key,
- krb5_keyblock *server_key,
- krb5_keyblock *krbtgt_key,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_const_principal for_user_princ,
- krb5_enc_tkt_part *enc_tkt_request,
- krb5_enc_tkt_part *enc_tkt_reply);
+ (krb5_context context,
+ unsigned int flags,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_db_entry *krbtgt,
+ krb5_keyblock *client_key,
+ krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_const_principal for_user_princ,
+ krb5_enc_tkt_part *enc_tkt_request,
+ krb5_enc_tkt_part *enc_tkt_reply);
/* Internal authdata system for handling KDC-issued authdata */
static krb5_error_code handle_tgt_authdata
-(krb5_context context,
- unsigned int flags,
- krb5_db_entry *client,
- krb5_db_entry *server,
- krb5_db_entry *krbtgt,
- krb5_keyblock *client_key,
- krb5_keyblock *server_key,
- krb5_keyblock *krbtgt_key,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_const_principal for_user_princ,
- krb5_enc_tkt_part *enc_tkt_request,
- krb5_enc_tkt_part *enc_tkt_reply);
+ (krb5_context context,
+ unsigned int flags,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_db_entry *krbtgt,
+ krb5_keyblock *client_key,
+ krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_const_principal for_user_princ,
+ krb5_enc_tkt_part *enc_tkt_request,
+ krb5_enc_tkt_part *enc_tkt_reply);
typedef struct _krb5_authdata_systems {
const char *name;
} krb5_authdata_systems;
static krb5_authdata_systems static_authdata_systems[] = {
- { "tgs_req", AUTHDATA_SYSTEM_V2, AUTHDATA_FLAG_CRITICAL, NULL, NULL, NULL, { handle_request_authdata } },
- { "tgt", AUTHDATA_SYSTEM_V2, AUTHDATA_FLAG_CRITICAL, NULL, NULL, NULL, { handle_tgt_authdata } },
+ { "tgs_req", AUTHDATA_SYSTEM_V2, AUTHDATA_FLAG_CRITICAL,
+ NULL, NULL, NULL, { handle_request_authdata } },
+ { "tgt", AUTHDATA_SYSTEM_V2, AUTHDATA_FLAG_CRITICAL,
+ NULL, NULL, NULL, { handle_tgt_authdata } },
};
static krb5_authdata_systems *authdata_systems;
if (krb5int_get_plugin_dir_data(&authdata_plugins,
"authdata_server_2",
- &authdata_plugins_ftables_v2, &context->err) != 0 ||
+ &authdata_plugins_ftables_v2,
+ &context->err) != 0 ||
krb5int_get_plugin_dir_data(&authdata_plugins,
"authdata_server_0",
- &authdata_plugins_ftables_v0, &context->err) != 0) {
+ &authdata_plugins_ftables_v0,
+ &context->err) != 0) {
code = KRB5_PLUGIN_NO_HANDLE;
goto cleanup;
}
/ sizeof(static_authdata_systems[0]);
/* Build the complete list of supported authdata options, and
- * leave room for a terminator entry. */
+ * leave room for a terminator entry.
+ */
authdata_systems = calloc(module_count + 1, sizeof(krb5_authdata_systems));
if (authdata_systems == NULL) {
code = ENOMEM;
authdata = (krb5_authdata **)calloc(i + 1, sizeof(krb5_authdata *));
} else {
authdata = (krb5_authdata **)realloc(authdata,
- ((nadata + i + 1) * sizeof(krb5_authdata *)));
+ ((nadata + i + 1) * sizeof(krb5_authdata *)));
}
if (authdata == NULL)
return ENOMEM;
}
/* scratch now has the authorization data, so we decode it, and make
- * it available to subsequent authdata plugins */
+ * it available to subsequent authdata plugins
+ */
code = decode_krb5_authdata(&scratch, &request->unenc_authdata);
if (code != 0) {
free(scratch.data);
/*
* kdc/kdc_preauth.c
*
- * Copyright 1995, 2003, 2007 by the Massachusetts Institute of Technology.
+ * Copyright 1995, 2003, 2007, 2009 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
#include "../include/krb5/preauth_plugin.h"
#if TARGET_OS_MAC
-static const char *objdirs[] = { KRB5_PLUGIN_BUNDLE_DIR, LIBDIR "/krb5/plugins/preauth", NULL }; /* should be a list */
+static const char *objdirs[] = { KRB5_PLUGIN_BUNDLE_DIR,
+ LIBDIR "/krb5/plugins/preauth",
+ NULL }; /* should be a list */
#else
static const char *objdirs[] = { LIBDIR "/krb5/plugins/preauth", NULL };
#endif
preauth_server_free_reqcontext_proc free_pa_reqctx;
} krb5_preauth_systems;
-static krb5_error_code verify_enc_timestamp
-(krb5_context, krb5_db_entry *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data,
- preauth_get_entry_data_proc get_entry_data,
- void *pa_system_context,
- void **pa_request_context,
- krb5_data **e_data,
- krb5_authdata ***authz_data);
-
-static krb5_error_code get_enc_ts
-(krb5_context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- preauth_get_entry_data_proc get_entry_data,
- void *pa_system_context,
- krb5_pa_data *data);
-static krb5_error_code get_etype_info
-(krb5_context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- preauth_get_entry_data_proc get_entry_data,
- void *pa_system_context,
- krb5_pa_data *data);
+static krb5_error_code
+verify_enc_timestamp (krb5_context, krb5_db_entry *client,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data,
+ preauth_get_entry_data_proc get_entry_data,
+ void *pa_system_context,
+ void **pa_request_context,
+ krb5_data **e_data,
+ krb5_authdata ***authz_data);
+
+static krb5_error_code
+get_enc_ts(krb5_context, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ preauth_get_entry_data_proc get_entry_data,
+ void *pa_system_context,
+ krb5_pa_data *data);
+
+static krb5_error_code
+get_etype_info(krb5_context, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ preauth_get_entry_data_proc get_entry_data,
+ void *pa_system_context,
+ krb5_pa_data *data);
+
static krb5_error_code
get_etype_info2(krb5_context context, krb5_kdc_req *request,
krb5_db_entry *client, krb5_db_entry *server,
preauth_get_entry_data_proc get_entry_data,
void *pa_system_context,
krb5_pa_data *pa_data);
+
static krb5_error_code
etype_info_as_rep_helper(krb5_context context, krb5_pa_data * padata,
krb5_db_entry *client,
void *pa_system_context,
void **pa_request_context);
-static krb5_error_code return_pw_salt
-(krb5_context, krb5_pa_data * padata,
- krb5_db_entry *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request, krb5_kdc_rep *reply,
- krb5_key_data *client_key,
- krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa,
- preauth_get_entry_data_proc get_entry_data,
- void *pa_system_context,
- void **pa_request_context);
+static krb5_error_code
+return_pw_salt(krb5_context, krb5_pa_data * padata,
+ krb5_db_entry *client,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request, krb5_kdc_rep *reply,
+ krb5_key_data *client_key,
+ krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa,
+ preauth_get_entry_data_proc get_entry_data,
+ void *pa_system_context,
+ void **pa_request_context);
/* SAM preauth support */
-static krb5_error_code verify_sam_response
-(krb5_context, krb5_db_entry *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data,
- preauth_get_entry_data_proc get_entry_data,
- void *pa_module_context,
- void **pa_request_context,
- krb5_data **e_data,
- krb5_authdata ***authz_data);
-
-static krb5_error_code get_sam_edata
-(krb5_context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- preauth_get_entry_data_proc get_entry_data,
- void *pa_module_context,
- krb5_pa_data *data);
-static krb5_error_code return_sam_data
-(krb5_context, krb5_pa_data * padata,
- krb5_db_entry *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request, krb5_kdc_rep *reply,
- krb5_key_data *client_key,
- krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa,
- preauth_get_entry_data_proc get_entry_data,
- void *pa_module_context,
- void **pa_request_context);
+static krb5_error_code
+verify_sam_response(krb5_context, krb5_db_entry *client,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data,
+ preauth_get_entry_data_proc get_entry_data,
+ void *pa_module_context,
+ void **pa_request_context,
+ krb5_data **e_data,
+ krb5_authdata ***authz_data);
+
+static krb5_error_code
+get_sam_edata(krb5_context, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ preauth_get_entry_data_proc get_entry_data,
+ void *pa_module_context,
+ krb5_pa_data *data);
+static krb5_error_code
+return_sam_data(krb5_context, krb5_pa_data * padata,
+ krb5_db_entry *client,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request, krb5_kdc_rep *reply,
+ krb5_key_data *client_key,
+ krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa,
+ preauth_get_entry_data_proc get_entry_data,
+ void *pa_module_context,
+ void **pa_request_context);
#if APPLE_PKINIT
/* PKINIT preauth support */
plugin_context = NULL;
server_init_proc = static_preauth_systems[i].init;
if ((server_init_proc != NULL) &&
- ((*server_init_proc)(context, &plugin_context, (const char **)kdc_realm_names) != 0)) {
+ ((*server_init_proc)(context, &plugin_context,
+ (const char **)kdc_realm_names) != 0)) {
memset(&preauth_systems[k], 0, sizeof(preauth_systems[k]));
continue;
}
server_init_proc = ftable->init_proc;
if (server_init_proc != NULL) {
krb5_error_code initerr;
- initerr = (*server_init_proc)(context, &plugin_context, (const char **)kdc_realm_names);
+ initerr = (*server_init_proc)(context, &plugin_context,
+ (const char **)kdc_realm_names);
if (initerr) {
const char *emsg;
emsg = krb5_get_error_message(context, initerr);
if (emsg) {
krb5_klog_syslog(LOG_ERR,
- "preauth %s failed to initialize: %s",
- ftable->name, emsg);
+ "preauth %s failed to initialize: %s",
+ ftable->name, emsg);
krb5_free_error_message(context, emsg);
}
- memset(&preauth_systems[k], 0, sizeof(preauth_systems[k]));
+ memset(&preauth_systems[k], 0,
+ sizeof(preauth_systems[k]));
break; /* skip all modules in this plugin */
}
preauth_systems[k].name = ftable->name;
preauth_systems[k].type = ftable->pa_type_list[j];
if (ftable->flags_proc != NULL)
- preauth_systems[k].flags = ftable->flags_proc(context, preauth_systems[k].type);
+ preauth_systems[k].flags = ftable->flags_proc(context,
+ preauth_systems[k].type);
else
preauth_systems[k].flags = 0;
preauth_systems[k].plugin_context = plugin_context;
for (i = 0; i < n_preauth_systems; i++) {
if (preauth_systems[i].fini != NULL) {
(*preauth_systems[i].fini)(context,
- preauth_systems[i].plugin_context);
+ preauth_systems[i].plugin_context);
}
memset(&preauth_systems[i], 0, sizeof(preauth_systems[i]));
}
}
/* Retrieve a specified tl_data item from the given entry, and return its
- * contents in a new krb5_data, which must be freed by the caller. */
+ * contents in a new krb5_data, which must be freed by the caller.
+ */
static krb5_error_code
get_entry_tl_data(krb5_context context, krb5_db_entry *entry,
krb5_int16 tl_data_type, krb5_data **result)
if (request->padata != NULL) {
/* Now reorder the subset of modules which replace the key,
* bubbling those which handle pa_data types provided by the
- * client ahead of the others. */
+ * client ahead of the others.
+ */
for (i = 0; preauth_systems[pa_order[i]].flags & PA_REPLACES_KEY; i++) {
continue;
}
#endif
#ifdef DEBUG
- krb5_klog_syslog (LOG_DEBUG,
- "client needs %spreauth, %shw preauth; request has %spreauth, %shw preauth",
- isflagset (client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) ? "" : "no ",
- isflagset (client->attributes, KRB5_KDB_REQUIRES_HW_AUTH) ? "" : "no ",
- isflagset (enc_tkt_reply->flags, TKT_FLG_PRE_AUTH) ? "" : "no ",
- isflagset (enc_tkt_reply->flags, TKT_FLG_HW_AUTH) ? "" : "no ");
+ krb5_klog_syslog (
+ LOG_DEBUG,
+ "client needs %spreauth, %shw preauth; request has %spreauth, %shw preauth",
+ isflagset (client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) ? "" : "no ",
+ isflagset (client->attributes, KRB5_KDB_REQUIRES_HW_AUTH) ? "" : "no ",
+ isflagset (enc_tkt_reply->flags, TKT_FLG_PRE_AUTH) ? "" : "no ",
+ isflagset (enc_tkt_reply->flags, TKT_FLG_HW_AUTH) ? "" : "no ");
#endif
if (isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
return 0;
}
-void get_preauth_hint_list(krb5_kdc_req *request, krb5_db_entry *client,
- krb5_db_entry *server, krb5_data *e_data)
+void
+get_preauth_hint_list(krb5_kdc_req *request, krb5_db_entry *client,
+ krb5_db_entry *server, krb5_data *e_data)
{
int hw_only;
krb5_preauth_systems *ap;
"%spreauth required but hint list is empty",
hw_only ? "hw" : "");
}
-/* If we fail to get the cookie it is probably still reasonable to continue with the response*/
+ /*
+ * If we fail to get the cookie it is probably
+ * still reasonable to continue with the response
+ */
kdc_preauth_get_cookie(request->kdc_state, pa);
retval = encode_krb5_padata_sequence(pa_data, &edat);
if (retval)
void ** pa_context;
krb5_boolean key_modified;
krb5_keyblock original_key;
- if ((!*padata_context)&& (make_padata_context(context, padata_context) != 0)) {
+ if ((!*padata_context) &&
+ (make_padata_context(context, padata_context) != 0)) {
return KRB5KRB_ERR_GENERIC;
}
}
}
}
- if ((retval = ap->return_padata(context, pa, client, req_pkt, request, reply,
+ if ((retval = ap->return_padata(context, pa, client, req_pkt,
+ request, reply,
client_key, encrypting_key, send_pa,
get_entry_data, ap->plugin_context,
pa_context))) {
free(pa_order);
if (send_pa_list)
krb5_free_pa_data(context, send_pa_list);
+
return (retval);
}
static krb5_boolean
-request_contains_enctype (krb5_context context, const krb5_kdc_req *request,
+request_contains_enctype(krb5_context context, const krb5_kdc_req *request,
krb5_enctype enctype)
{
int i;
return 0;
}
-static krb5_error_code get_enc_ts
-(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- preauth_get_entry_data_proc get_entry_data_proc,
- void *pa_system_context,
- krb5_pa_data *data)
+static krb5_error_code
+get_enc_ts(krb5_context context, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ preauth_get_entry_data_proc get_entry_data_proc,
+ void *pa_system_context,
+ krb5_pa_data *data)
{
struct kdc_request_state *state = request->kdc_state;
if (state->armor_key)
*/
if (retval == KRB5_KDB_NO_MATCHING_KEY && decrypt_err != 0)
retval = decrypt_err;
+
return retval;
}
memset(&sc, 0, sizeof(sc));
memset(&psr, 0, sizeof(psr));
- /* Given the client name we can figure out what type of preauth
- they need. The spec is currently for querying the database for
- names that match the types of preauth used. Later we should
- make this mapping show up in kdc.conf. In the meantime, we
- hardcode the following:
- /SNK4 -- Digital Pathways SNK/4 preauth.
- /GRAIL -- experimental preauth
- The first one found is used. See sam_inst_map above.
-
- For SNK4 in particular, the key in the database is the key for
- the device; kadmin needs a special interface for it.
- */
+ /*
+ * Given the client name we can figure out what type of preauth
+ * they need. The spec is currently for querying the database for
+ * names that match the types of preauth used. Later we should
+ * make this mapping show up in kdc.conf. In the meantime, we
+ * hardcode the following:
+ * /SNK4 -- Digital Pathways SNK/4 preauth.
+ * /GRAIL -- experimental preauth
+ * The first one found is used. See sam_inst_map above.
+ *
+ * For SNK4 in particular, the key in the database is the key for
+ * the device; kadmin needs a special interface for it.
+ */
{
int npr = 1;
&tmp_mkey_list) == 0) {
krb5_dbe_free_key_list(context, master_keylist);
master_keylist = tmp_mkey_list;
- if ((retval = krb5_dbe_find_mkey(context, master_keylist, &assoc,
- &mkey_ptr))) {
+ if ((retval = krb5_dbe_find_mkey(context, master_keylist,
+ &assoc, &mkey_ptr))) {
return (retval);
}
} else {
retval = krb5_dbe_find_enctype(kdc_context, &assoc,
ENCTYPE_DES_CBC_RAW,
KRB5_KDB_SALTTYPE_NORMAL,
- 0, /* Get highest kvno */
+ 0, /* Get highest kvno */
&assoc_key);
if (retval) {
char *sname;
&client_ctime, &client_cusec,
&nonce, &pa_cksum,
&cert_sig_status,
- NULL, NULL, /* num_cms_types, cms_types */
+ NULL, NULL,/* num_cms_types, cms_types */
&client_cert, /* signer_cert */
/* remaining fields unused (for now) */
- NULL, NULL, /* num_all_certs, all_certs */
- NULL, NULL, /* num_trusted_CAs, trusted_CAs */
- NULL); /* kdc_cert */
+ NULL, NULL,/* num_all_certs, all_certs */
+ NULL, NULL,/* num_trusted_CAs, trusted_CAs */
+ NULL); /* kdc_cert */
if(krtn) {
kdcPkinitDebug("pa_pk_as_req_parse returned %d; PKINIT aborting.\n",
(int)krtn);
* We've already verified; just obtain the fields we need to create a response
*/
krtn = krb5int_pkinit_as_req_parse(context,
- &pa_data,
- NULL, NULL, &nonce, /* ctime, cusec, nonce */
- NULL, NULL, /* pa_cksum, cert_status */
- &num_cms_types, &cms_types,
- &client_cert, /* signer_cert: we encrypt for this */
- /* remaining fields unused (for now) */
- NULL, NULL, /* num_all_certs, all_certs */
- &num_trusted_CAs, &trusted_CAs,
- &kdc_cert);
+ &pa_data,
+ NULL, NULL, &nonce, /* ctime, cusec, nonce */
+ NULL, NULL, /* pa_cksum, cert_status */
+ &num_cms_types, &cms_types,
+ &client_cert, /* signer_cert: we encrypt for this */
+ /* remaining fields unused (for now) */
+ NULL, NULL, /* num_all_certs, all_certs */
+ &num_trusted_CAs, &trusted_CAs,
+ &kdc_cert);
if(krtn) {
- kdcPkinitDebug("pa_pk_as_req_parse returned %d; PKINIT aborting.\n", (int)krtn);
+ kdcPkinitDebug("pa_pk_as_req_parse returned %d; PKINIT aborting.\n",
+ (int)krtn);
goto cleanup;
}
if(client_cert.data == NULL) {
* ReplyKeyPack with here. This may need rethinking.
*/
krtn = krb5int_pkinit_as_rep_create(context,
- encrypting_key, &as_req_checksum, signing_cert, TRUE,
+ encrypting_key, &as_req_checksum,
+ signing_cert, TRUE,
&client_cert,
num_cms_types, cms_types,
num_trusted_CAs, trusted_CAs,
(kdc_cert.data ? &kdc_cert : NULL),
&pa_data);
if(krtn) {
- kdcPkinitDebug("pa_pk_as_rep_create returned %d; PKINIT aborting.\n", (int)krtn);
+ kdcPkinitDebug("pa_pk_as_rep_create returned %d; PKINIT aborting.\n",
+ (int)krtn);
goto cleanup;
}
krb5_pa_data * padata,
krb5_db_entry *client,
krb5_db_entry *server,
- krb5_kdc_req *request, krb5_kdc_rep *reply,
+ krb5_kdc_req *request,
+ krb5_kdc_rep *reply,
krb5_key_data *client_key,
krb5_keyblock *encrypting_key,
krb5_pa_data **send_pa)