char * realm_mpname; /* Master principal name for realm */
krb5_principal realm_mprinc; /* Master principal for realm */
krb5_keyblock realm_mkey; /* Master key for this realm */
- krb5_kvno realm_mkvno; /* Master key vno for this realm */
/*
* TGS per-realm data.
*/
krb5_principal realm_tgsprinc; /* TGS principal for this realm */
- krb5_keyblock realm_tgskey; /* TGS' key for this realm */
- krb5_kvno realm_tgskvno; /* TGS' key vno for this realm */
/*
* Other per-realm data.
*/
*/
krb5_deltat realm_maxlife; /* Maximum ticket life for realm */
krb5_deltat realm_maxrlife; /* Maximum renewable life for realm */
- void *realm_kstypes; /* Key/Salts supported for realm */
- krb5_int32 realm_nkstypes; /* Number of key/salts */
krb5_boolean realm_reject_bad_transit; /* Accept unverifiable transited_realm ? */
} kdc_realm_t;
#define max_renewable_life_for_realm kdc_active_realm->realm_maxrlife
#define master_keyblock kdc_active_realm->realm_mkey
#define master_princ kdc_active_realm->realm_mprinc
-#define tgs_key kdc_active_realm->realm_tgskey
-#define tgs_kvno kdc_active_realm->realm_tgskvno
#define tgs_server_struct *(kdc_active_realm->realm_tgsprinc)
#define tgs_server kdc_active_realm->realm_tgsprinc
#define dbm_db_name kdc_active_realm->realm_dbname
free(rdp->realm_ports);
if (rdp->realm_tcp_ports)
free(rdp->realm_tcp_ports);
- if (rdp->realm_kstypes)
- free(rdp->realm_kstypes);
if (rdp->realm_keytab)
krb5_kt_close(rdp->realm_context, rdp->realm_keytab);
if (rdp->realm_context) {
memset(rdp->realm_mkey.contents, 0, rdp->realm_mkey.length);
free(rdp->realm_mkey.contents);
}
- if (rdp->realm_tgskey.length && rdp->realm_tgskey.contents) {
- memset(rdp->realm_tgskey.contents, 0, rdp->realm_tgskey.length);
- free(rdp->realm_tgskey.contents);
- }
krb5_db_fini(rdp->realm_context);
if (rdp->realm_tgsprinc)
krb5_free_principal(rdp->realm_context, rdp->realm_tgsprinc);
{
krb5_error_code kret;
krb5_boolean manual;
- krb5_db_entry db_entry;
- int num2get;
- krb5_boolean more;
krb5_realm_params *rparams;
- krb5_key_data *kdata;
- krb5_key_salt_tuple *kslist;
- krb5_int32 nkslist;
- int i;
memset((char *) rdp, 0, sizeof(kdc_realm_t));
if (!realm) {
rdp->realm_maxrlife = (rparams && rparams->realm_max_rlife_valid) ?
rparams->realm_max_rlife : KRB5_KDB_MAX_RLIFE;
- /* Handle key/salt list */
- if (rparams && rparams->realm_num_keysalts) {
- rdp->realm_kstypes = rparams->realm_keysalts;
- rdp->realm_nkstypes = rparams->realm_num_keysalts;
- rparams->realm_keysalts = NULL;
- rparams->realm_num_keysalts = 0;
- kslist = (krb5_key_salt_tuple *) rdp->realm_kstypes;
- nkslist = rdp->realm_nkstypes;
- } else {
- /*
- * XXX Initialize default key/salt list.
- */
- if ((kslist = (krb5_key_salt_tuple *)
- malloc(sizeof(krb5_key_salt_tuple)))) {
- kslist->ks_enctype = ENCTYPE_DES_CBC_CRC;
- kslist->ks_salttype = KRB5_KDB_SALTTYPE_NORMAL;
- rdp->realm_kstypes = kslist;
- rdp->realm_nkstypes = 1;
- nkslist = 1;
- }
- else {
- com_err(progname, ENOMEM,
- "while setting up key/salt list for realm %s",
- realm);
- exit(1);
- }
- }
-
if (rparams)
krb5_free_realm_params(rdp->realm_context, rparams);
goto whoops;
}
- /* Fetch the master key and get its version number */
- num2get = 1;
- kret = krb5_db_get_principal(rdp->realm_context, rdp->realm_mprinc,
- &db_entry, &num2get, &more);
- if (!kret) {
- if (num2get != 1)
- kret = KRB5_KDB_NOMASTERKEY;
- else {
- if (more) {
- krb5_db_free_principal(rdp->realm_context,
- &db_entry,
- num2get);
- kret = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
- }
- }
- }
- if (kret) {
- com_err(progname, kret,
- "while fetching master entry for realm %s", realm);
- goto whoops;
- }
-
- /*
- * Get the most recent master key. Search the key list in
- * the order specified by the key/salt list.
- */
- kdata = (krb5_key_data *) NULL;
- for (i=0; i<nkslist; i++) {
- if (!(kret = krb5_dbe_find_enctype(rdp->realm_context,
- &db_entry,
- kslist[i].ks_enctype,
- -1,
- -1,
- &kdata)))
- break;
- }
- if (!kdata) {
- com_err(progname, kret,
- "while finding master key for realm %s",
- realm);
- goto whoops;
- }
- rdp->realm_mkvno = kdata->key_data_kvno;
- krb5_db_free_principal(rdp->realm_context, &db_entry, num2get);
-
if ((kret = krb5_db_set_mkey(rdp->realm_context, &rdp->realm_mkey))) {
com_err(progname, kret,
"while setting master key for realm %s", realm);
goto whoops;
}
- /* Get the TGS database entry */
- num2get = 1;
- if (!(kret = krb5_db_get_principal(rdp->realm_context,
- rdp->realm_tgsprinc,
- &db_entry,
- &num2get,
- &more))) {
- if (num2get != 1)
- kret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
- else {
- if (more) {
- krb5_db_free_principal(rdp->realm_context,
- &db_entry,
- num2get);
- kret = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
- }
- }
- }
- if (kret) {
- com_err(progname, kret,
- "while fetching TGS entry for realm %s", realm);
- goto whoops;
- }
- /*
- * Get the most recent TGS key. Search the key list in
- * the order specified by the key/salt list.
- */
- kdata = (krb5_key_data *) NULL;
- for (i=0; i<nkslist; i++) {
- if (!(kret = krb5_dbe_find_enctype(rdp->realm_context,
- &db_entry,
- kslist[i].ks_enctype,
- -1,
- -1,
- &kdata)))
- break;
- }
- if (!kdata) {
- com_err(progname, kret, "while finding TGS key for realm %s",
- realm);
- goto whoops;
- }
- if (!(kret = krb5_dbekd_decrypt_key_data(rdp->realm_context,
- &rdp->realm_mkey,
- kdata,
- &rdp->realm_tgskey, NULL))){
- rdp->realm_tgskvno = kdata->key_data_kvno;
- }
- krb5_db_free_principal(rdp->realm_context,
- &db_entry,
- num2get);
- if (kret) {
- com_err(progname, kret,
- "while decrypting TGS key for realm %s", realm);
- goto whoops;
- }
-
if (!rkey_init_done) {
krb5_data seed;
#ifdef KRB5_KRB4_COMPAT
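Review bot: Dropping the master-entry lookup at the top of this hunk also drops the only visible startup check that realm_mprinc exists in the database and carries a key of a configured enctype (the old `num2get != 1` → KRB5_KDB_NOMASTERKEY and `!kdata` paths), so after krb5_db_set_mkey a KDC started against a stash that does not match its database now proceeds and fails only on a later decrypt. Unless the commit adds a master-key verification step elsewhere in init_realm (not visible here), I would keep a cheap existence check after the `krb5_db_set_mkey` call and fail with the same "while fetching master entry for realm %s" message, so misconfiguration is caught at startup rather than per request. The removal of the hard-coded ENCTYPE_DES_CBC_CRC fallback list is the right direction; the `rparams` cleanup at the top of the hunk still matches the new `realm_keysalts = NULL` / `realm_num_keysalts = 0` contract from alt_prof.c below. init_realm begins before and ends after this hunk.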
krb5_xfree(svalue);
}
- /* Get the value for the supported enctype/salttype matrix */
- /* XXX This is so that the kdc will search a different
- enctype list than kadmind */
- if (!kret) {
- hierarchy[2] = "kdc_supported_enctypes";
- kret = krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue);
- if (kret) {
- hierarchy[2] = "supported_enctypes";
- kret = krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue);
- }
- if (!kret) {
- krb5_string_to_keysalts(svalue,
- ", \t", /* Tuple separators */
- ":.-", /* Key/salt separators */
- 0, /* No duplicates */
- &rparams->realm_keysalts,
- &rparams->realm_num_keysalts);
- krb5_xfree(svalue);
- }
- kret = 0;
- }
+ rparams->realm_keysalts = NULL;
+ rparams->realm_num_keysalts = 0;
cleanup:
if (aprofile)