From: John Kohl Date: Fri, 2 Feb 1990 15:58:41 +0000 (+0000) Subject: fix errors in error-generating code X-Git-Tag: krb5-1.0-alpha2~1152 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=9fd71821ea20d849f34eb0eff8851b1043baee41;p=krb5.git fix errors in error-generating code convert key when retrieved from database. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@231 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index f677933bb..472af5621 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -65,6 +65,7 @@ krb5_data **response; /* filled in with a response packet */
 krb5_boolean more;
 krb5_timestamp kdc_time;
 krb5_keyblock *session_key;
+ krb5_keyblock encrypting_key;
 krb5_timestamp until, rtime;
@@ -199,7 +200,18 @@ krb5_data **response; /* filled in with a response packet */
 /* XXX need separate etypes for ticket encryption and kdc_rep encryption */
 ticket_reply.enc_part2 = &enc_tkt_reply;
- if (retval = krb5_encrypt_tkt_part(&server.key, &ticket_reply)) {
+
+ /* convert server.key into a real key (it may be encrypted
+ in the database) */
+ if (retval = kdc_convert_key(&server.key, &encrypting_key,
+ CONVERT_OUTOF_DB)) {
+ cleanup();
+ return retval;
+ }
+ retval = krb5_encrypt_tkt_part(&encrypting_key, &ticket_reply);
+ bzero((char *)encrypting_key.contents, encrypting_key.length);
+ free((char *)encrypting_key.contents);
+ if (retval) {
 cleanup();
 return retval;
 }
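Review bot: The `bzero()` on `encrypting_key.contents` immediately before `free()` is a dead store that an optimizing compiler is allowed to remove, so the decrypted long-term key can be left in freed heap memory; this applies after `krb5_encrypt_tkt_part()` in the `@@ -199,7 +200,18 @@` hunk and to the identical sequences in the `@@ -236,8 +248,17 @@` hunk and in `do_tgs_req.c`. Where the platform offers it, a wipe that cannot be elided is the safer form, e.g. `explicit_bzero(encrypting_key.contents, encrypting_key.length);`. Since `encrypting_key` appears to be reused for the client key later in the same function, I would also reset it after the free (`encrypting_key.contents = 0; encrypting_key.length = 0;`) so a stale pointer cannot be wiped or freed a second time. The enclosing function starts and ends outside the hunk.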
@@ -236,8 +248,17 @@ krb5_data **response; /* filled in with a response packet */
 /* now encode/encrypt the response */
+ /* convert client.key into a real key (it may be encrypted
+ in the database) */
+ if (retval = kdc_convert_key(&client.key, &encrypting_key,
+ CONVERT_OUTOF_DB)) {
+ cleanup();
+ return retval;
+ }
 retval = krb5_encode_kdc_rep(KRB5_AS_REP, &reply, &reply_encpart,
- &client.key, response);
+ &encrypting_key, response);
+ bzero((char *)encrypting_key.contents, encrypting_key.length);
+ free((char *)encrypting_key.contents);
 cleanup();
 return retval;
 }
@@ -266,10 +287,10 @@ krb5_data **response;
 (void) strcpy(errpkt.text.data, error_message(error+KRB5KDC_ERR_NONE));
 if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) {
- free(errpkt.txt.data);
+ free(errpkt.text.data);
 return ENOMEM;
 }
- retval = encode_krb5_error(&errpkt, scratch);
+ retval = krb5_mk_error(&errpkt, scratch);
 free(errpkt.text.data);
 *response = scratch;
 return retval;
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 3fc58b1ef..74b6a4e8f 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -62,6 +62,7 @@ krb5_data **response; /* filled in with a response packet */
 krb5_keyblock *session_key;
 int newtransited = 0;
 krb5_timestamp until, rtime;
+ krb5_keyblock encrypting_key;
 /* assume that we've already dealt with the AP_REQ header, so
@@ -328,7 +329,20 @@ krb5_data **response; /* filled in with a response packet */
 return retval;
 }
 } else {
- if (retval = krb5_encrypt_tkt_part(&server.key, &ticket_reply)) {
+ /* convert server.key into a real key (it may be encrypted
+ in the database) */
+ if (retval = kdc_convert_key(&server.key, &encrypting_key,
+ CONVERT_OUTOF_DB)) {
+ cleanup();
+ return retval;
+ }
+
+ retval = krb5_encrypt_tkt_part(&encrypting_key, &ticket_reply);
+
+ bzero((char *)encrypting_key.contents, encrypting_key.length);
+ free((char *)encrypting_key.contents);
+
+ if (retval) {
 cleanup();
 return retval;
 }
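Review bot: When `krb5_mk_error()` fails in the `@@ -266,10 +287,10 @@` hunk, the following lines still store `scratch` into `*response` and return the error, so the caller gets a non-zero status together with a `krb5_data` whose fields were never filled in; whether the caller frees or transmits it is not visible here. I would release it on failure and publish it only on success: `if (retval) free(scratch); else *response = scratch;`. The `strcpy()` into `errpkt.text.data` relies on an allocation made before this hunk, so it is worth confirming that buffer is sized from the same `error_message()` string plus its terminator. The function begins outside the hunk, and the matching hunk in `do_tgs_req.c` ends before these lines, so the same check would need to be made there.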
@@ -397,7 +411,7 @@ krb5_data **response;
 (void) strcpy(errpkt.text.data, error_message(error+KRB5KDC_ERR_NONE));
 if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) {
- free(errpkt.txt.data);
+ free(errpkt.text.data);
 return ENOMEM;
 }
 retval = krb5_mk_error(&errpkt, scratch);