From 8d8208c2f63dca49b0cff1bb7f6d6c649b72b53b Mon Sep 17 00:00:00 2001 From: Chris Provenzano Date: Mon, 27 Mar 1995 14:47:28 +0000 Subject: [PATCH] * adm_process.c, adm_kadmin.c, adm_adm_func.c, adm_kpasswd.c, * adm_funcs, adm_nego.c adm_extern.c and adm_listen.c Use new calling convention for krb5_recvauth(), krb5_mk_priv(), krb5_rd_priv(), krb5_mk_safe(), and krb5_rd_safe(). (Redid many of the internal functions to accomidate new a uth_context structure and remove old unnecessary structures.) git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@5262 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kadmin/server/ChangeLog | 10 +++ src/kadmin/server/adm_adm_func.c | 121 +++++++++---------------------- src/kadmin/server/adm_extern.c | 1 - src/kadmin/server/adm_extern.h | 41 ++++------- src/kadmin/server/adm_funcs.c | 6 +- src/kadmin/server/adm_kadmin.c | 72 +++++++----------- src/kadmin/server/adm_kpasswd.c | 9 +-- src/kadmin/server/adm_listen.c | 6 +- src/kadmin/server/adm_nego.c | 28 ++----- src/kadmin/server/adm_process.c | 121 +++++++++++++------------------ 10 files changed, 149 insertions(+), 266 deletions(-) diff --git a/src/kadmin/server/ChangeLog b/src/kadmin/server/ChangeLog index 2d34d2c13..8cf428b4b 100644 --- a/src/kadmin/server/ChangeLog +++ b/src/kadmin/server/ChangeLog @@ -1,3 +1,13 @@ + +Mon Mar 27 07:56:26 1995 Chris Provenzano (proven@mit.edu) + + * adm_process.c, adm_kadmin.c, adm_adm_func.c, adm_kpasswd.c, + * adm_funcs, adm_nego.c adm_extern.c and adm_listen.c + Use new calling convention for krb5_recvauth(), krb5_mk_priv(), + krb5_rd_priv(), krb5_mk_safe(), and krb5_rd_safe(). + (Redid many of the internal functions to accomidate new a + uth_context structure and remove old unnecessary structures.) + Fri Mar 24 14:38:06 1995 * adm_network.c (setup_network): If /etc/services doesn't have the diff --git a/src/kadmin/server/adm_adm_func.c b/src/kadmin/server/adm_adm_func.c index 7da1dd3c3..8fd57b6e8 100644 --- a/src/kadmin/server/adm_adm_func.c 
+++ b/src/kadmin/server/adm_adm_func.c @@ -46,14 +46,14 @@ extern int classification; #endif krb5_error_code -adm_build_key (context, newprinc, client_creds, new_passwd, oper_type, entry) +adm_build_key (context, auth_context, new_passwd, oper_type, entry) krb5_context context; - krb5_principal newprinc; - krb5_ticket *client_creds; + krb5_auth_context * auth_context; char *new_passwd; int oper_type; krb5_db_entry entry; { + krb5_replay_data replaydata; krb5_data outbuf; int retval; #if defined(MACH_PASS) || defined(SANDIA) @@ -114,16 +114,8 @@ adm_build_key (context, newprinc, client_creds, new_passwd, oper_type, entry) #endif /* Encrypt Password and Phrase */ - if (retval = krb5_mk_priv(context, &outbuf, - ETYPE_DES_CBC_CRC, - client_creds->enc_part2->session, - &client_server_info.server_addr, - &client_server_info.client_addr, - send_seqno, - KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME, - 0, - 0, - &msg_data)) { + if (retval = krb5_mk_priv(context, auth_context, &outbuf, + &msg_data, &replaydata)) { com_err("adm_build_key", retval, "during mk_priv"); #if defined(MACH_PASS) || defined(SANDIA) free(tmp_passwd); @@ -159,15 +151,8 @@ adm_build_key (context, newprinc, client_creds, new_passwd, oper_type, entry) } /* Decrypt Client Response */ - if (retval = krb5_rd_priv(context, &inbuf, - client_creds->enc_part2->session, - &client_server_info.client_addr, - &client_server_info.server_addr, - recv_seqno, - KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME, - 0, - 0, - &msg_data)) { + if (retval = krb5_rd_priv(context, auth_context, &inbuf, + &msg_data, &replaydata)) { syslog(LOG_ERR | LOG_INFO, "adm_build_key krb5_rd_priv error"); free(inbuf.data); return(5); /* Protocol Failure */ 
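Review bot: The rewritten conditions in the mk_priv and rd_priv hunks keep the bare assignment form `if (retval = krb5_mk_priv(context, auth_context, &outbuf, &msg_data, &replaydata)) {`, while the same commit writes the parenthesised form `if ((retval = krb5_rd_priv(...))) {` in adm_kadmin.c and adm_nego.c; since these lines are being rewritten anyway, `if ((retval = krb5_mk_priv(context, auth_context, &outbuf, &msg_data, &replaydata)) != 0) {` would make the intent explicit and keep -Wparentheses quiet. The same applies to the mk_priv/rd_priv hunks of adm_mod_old_key and adm_inq_old_key further down and to the final mk_priv in adm_process.c. The new `krb5_replay_data replaydata` (first hunk) is passed to both calls but never inspected; a one-line comment at its declaration, `/* output of mk_priv/rd_priv, not examined here; sequence handling is driven by the auth_context flags set in process_client */`, would tell a reader that this is deliberate. adm_build_key's body continues outside these hunks.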
@@ -184,11 +169,11 @@ adm_build_key (context, newprinc, client_creds, new_passwd, oper_type, entry) /* kadmin change password request */ krb5_error_code -adm_change_pwd(context, prog, customer_name, client_creds, salttype) +adm_change_pwd(context, auth_context, prog, customer_name, salttype) krb5_context context; + krb5_auth_context * auth_context; char *prog; char *customer_name; - krb5_ticket *client_creds; int salttype; { krb5_db_entry entry; @@ -227,8 +212,8 @@ adm_change_pwd(context, prog, customer_name, client_creds, salttype) oper_type = (salttype == KRB5_KDB_SALTTYPE_NORMAL) ? CHGOPER : CH4OPER; - if (retval = adm_build_key(context, newprinc, client_creds, - new_passwd, oper_type, entry)) { + if (retval = adm_build_key(context, auth_context, new_passwd, + oper_type, entry)) { krb5_free_principal(context, newprinc); krb5_db_free_principal(context, &entry, nprincs); free(new_passwd); @@ -258,11 +243,10 @@ adm_change_pwd(context, prog, customer_name, client_creds, salttype) /* kadmin add new random key function */ krb5_error_code -adm_change_pwd_rnd(context, cmdname, customer_name, client_creds) +adm_change_pwd_rnd(context, cmdname, customer_name) krb5_context context; char *cmdname; char *customer_name; - krb5_ticket *client_creds; { krb5_db_entry entry; int nprincs = 1; @@ -309,11 +293,11 @@ adm_change_pwd_rnd(context, cmdname, customer_name, client_creds) /* kadmin add new key function */ krb5_error_code -adm_add_new_key(context, cmdname, customer_name, client_creds, salttype) +adm_add_new_key(context, auth_context, cmdname, customer_name, salttype) krb5_context context; + krb5_auth_context *auth_context; char *cmdname; char *customer_name; - krb5_ticket *client_creds; int salttype; { krb5_db_entry entry; 
@@ -356,11 +340,8 @@ adm_add_new_key(context, cmdname, customer_name, client_creds, salttype) return(3); /* No Memory */ } - if (retval = adm_build_key(context, newprinc, - client_creds, - new_passwd, - ADDOPER, - entry)) { + if (retval = adm_build_key(context, auth_context, new_passwd, + ADDOPER, entry)) { krb5_free_principal(context, newprinc); krb5_db_free_principal(context, &entry, nprincs); free(new_passwd); @@ -385,11 +366,10 @@ adm_add_new_key(context, cmdname, customer_name, client_creds, salttype) /* kadmin add new random key function */ krb5_error_code -adm_add_new_key_rnd(context, cmdname, customer_name, client_creds) +adm_add_new_key_rnd(context, cmdname, customer_name) krb5_context context; char *cmdname; char *customer_name; - krb5_ticket *client_creds; { krb5_db_entry entry; int nprincs = 1; @@ -488,12 +468,13 @@ adm_del_old_key(context, cmdname, customer_name) /* kadmin modify existing Principal function */ krb5_error_code -adm_mod_old_key(context, cmdname, customer_name, client_creds) +adm_mod_old_key(context, auth_context, cmdname, customer_name) krb5_context context; + krb5_auth_context * auth_context; char *cmdname; char *customer_name; - krb5_ticket *client_creds; { + krb5_replay_data replaydata; krb5_db_entry entry; int nprincs = 1; extern int errno; @@ -540,16 +521,8 @@ adm_mod_old_key(context, cmdname, customer_name, client_creds) outbuf.data[1] = MODOPER; outbuf.data[2] = SENDDATA3; - if (retval = krb5_mk_priv(context, &outbuf, - ETYPE_DES_CBC_CRC, - client_creds->enc_part2->session, - &client_server_info.server_addr, - &client_server_info.client_addr, - send_seqno, - KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME, - 0, - 0, - &msg_data)) { + if (retval = krb5_mk_priv(context, auth_context, &outbuf, + &msg_data, &replaydata)) { krb5_free_principal(context, newprinc); krb5_db_free_principal(context, &entry, nprincs); com_err("adm_mod_old_key", retval, "during mk_priv"); 
@@ -579,15 +552,8 @@ adm_mod_old_key(context, cmdname, customer_name, client_creds) } /* Decrypt Client Response */ - if (retval = krb5_rd_priv(context, &inbuf, - client_creds->enc_part2->session, - &client_server_info.client_addr, - &client_server_info.server_addr, - recv_seqno, - KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME, - 0, - 0, - &msg_data)) { + if (retval = krb5_rd_priv(context, auth_context, &inbuf, + &msg_data, &replaydata)) { com_err("adm_mod_old_key", retval, "krb5_rd_priv error %s", error_message(retval)); free(inbuf.data); @@ -698,15 +664,8 @@ adm_mod_old_key(context, cmdname, customer_name, client_creds) } /* Decrypt Client Response */ - if (retval = krb5_rd_priv(context, &inbuf, - client_creds->enc_part2->session, - &client_server_info.client_addr, - &client_server_info.server_addr, - recv_seqno, - KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME, - 0, - 0, - &msg_data)) { + if (retval = krb5_rd_priv(context, auth_context, &inbuf, + &msg_data, &replaydata)) { com_err("adm_mod_old_key", retval, "krb5_rd_priv error %s", error_message(retval)); free(inbuf.data); @@ -721,12 +680,13 @@ adm_mod_old_key(context, cmdname, customer_name, client_creds) /* kadmin inquire existing Principal function */ krb5_error_code -adm_inq_old_key(context, cmdname, customer_name, client_creds) +adm_inq_old_key(context, auth_context, cmdname, customer_name) krb5_context context; + krb5_auth_context * auth_context; char *cmdname; char *customer_name; - krb5_ticket *client_creds; { + krb5_replay_data replaydata; krb5_db_entry entry; int nprincs = 1; 
@@ -782,16 +742,8 @@ adm_inq_old_key(context, cmdname, customer_name, client_creds) free(fullname); /* Encrypt Inquiry Data */ - if (retval = krb5_mk_priv(context, &outbuf, - ETYPE_DES_CBC_CRC, - client_creds->enc_part2->session, - &client_server_info.server_addr, - &client_server_info.client_addr, - send_seqno, - KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME, - 0, - 0, - &msg_data)) { + if (retval = krb5_mk_priv(context, auth_context, &outbuf, + &msg_data, &replaydata)) { com_err("adm_inq_old_key", retval, "during mk_priv"); free(outbuf.data); return(5); /* Protocol Failure */ @@ -816,15 +768,8 @@ adm_inq_old_key(context, cmdname, customer_name, client_creds) } /* Decrypt Client Response */ - if (retval = krb5_rd_priv(context, &inbuf, - client_creds->enc_part2->session, - &client_server_info.client_addr, - &client_server_info.server_addr, - recv_seqno, - KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME, - 0, - 0, - &msg_data)) { + if (retval = krb5_rd_priv(context, auth_context, &inbuf, + &msg_data, &replaydata)) { com_err("adm_inq_old_key", retval, "krb5_rd_priv error %s", error_message(retval)); free(inbuf.data); diff --git a/src/kadmin/server/adm_extern.c b/src/kadmin/server/adm_extern.c index ca27149e6..5bcf5e58e 100644 --- a/src/kadmin/server/adm_extern.c +++ b/src/kadmin/server/adm_extern.c @@ -45,7 +45,6 @@ krb5_data inbuf; krb5_data msg_data; int send_seqno; -int recv_seqno; /* static krb5_data tgs_name = {KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME}; diff --git a/src/kadmin/server/adm_extern.h b/src/kadmin/server/adm_extern.h index fb43d37f0..d5c4cafe5 100644 --- a/src/kadmin/server/adm_extern.h +++ b/src/kadmin/server/adm_extern.h @@ -71,7 +71,6 @@ extern int adm5_ver_len; extern int adm_debug_flag; extern int send_seqno; -extern int recv_seqno; extern int exit_now; 
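Review bot: The adm_extern.c hunk removes `recv_seqno` but leaves `send_seqno` defined, and the adm_extern.h hunk right after it keeps `extern int send_seqno;`; this commit also drops the `&send_seqno` argument from the krb5_recvauth call in adm_process.c and replaces every explicit `send_seqno` argument to krb5_mk_priv with the auth_context, so as far as this diff shows nothing reads or writes `send_seqno` any more. If no file outside the diff uses it, remove the definition and the extern together with `recv_seqno`, so that sequence state lives only in the auth_context and a stale global cannot be mistaken for the live counter.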
@@ -89,37 +88,34 @@ extern char *kadmind_kadmin_response[]; krb5_error_code adm_build_key PROTOTYPE((krb5_context, - krb5_principal, - krb5_ticket *, + krb5_auth_context *, char *, int, krb5_db_entry)); krb5_error_code adm_change_pwd PROTOTYPE((krb5_context, + krb5_auth_context *, char *, char *, - krb5_ticket *, int)); krb5_error_code adm_change_pwd_rnd PROTOTYPE((krb5_context, char *, - char *, - krb5_ticket *)); + char *)); krb5_error_code adm_add_new_key PROTOTYPE((krb5_context, + krb5_auth_context *, char *, char *, - krb5_ticket *, int)); krb5_error_code adm_add_new_key_rnd PROTOTYPE((krb5_context, char *, - char *, - krb5_ticket *)); + char *)); krb5_error_code adm_del_old_key PROTOTYPE((krb5_context, @@ -128,15 +124,15 @@ krb5_error_code adm_del_old_key krb5_error_code adm_mod_old_key PROTOTYPE((krb5_context, + krb5_auth_context *, char *, - char *, - krb5_ticket* )); + char *)); krb5_error_code adm_inq_old_key PROTOTYPE((krb5_context, + krb5_auth_context *, char *, - char *, - krb5_ticket *)); + char *)); krb5_error_code adm_print_exp_time PROTOTYPE((krb5_context, @@ -159,30 +155,21 @@ krb5_error_code adm_enter_rnd_pwd_key krb5_error_code adm5_kadmin PROTOTYPE((krb5_context, + krb5_auth_context *, char *, - krb5_authenticator *, - krb5_ticket *, char *, int *)); krb5_error_code adm_negotiate_key PROTOTYPE((krb5_context, + krb5_auth_context *, char const *, - krb5_ticket *, char *)); krb5_error_code setup_network PROTOTYPE((krb5_context, const char *)); -krb5_error_code cpw_keyproc - PROTOTYPE((krb5_context, - krb5_pointer, - krb5_principal, - krb5_kvno, - krb5_keytype, - krb5_keyblock **)); - krb5_error_code process_client PROTOTYPE((krb5_context, char *)); @@ -226,9 +213,9 @@ krb5_error_code adm_enter_pwd_key krb5_error_code adm5_change PROTOTYPE((krb5_context, + krb5_auth_context *, char *, - krb5_principal , - krb5_ticket *)); + krb5_principal)); int adm5_listen_and_process PROTOTYPE((krb5_context, 
@@ -236,9 +223,9 @@ int adm5_listen_and_process krb5_error_code adm5_kpasswd PROTOTYPE((krb5_context, + krb5_auth_context *, char *, kadmin_requests *, - krb5_ticket *, char *, int *)); diff --git a/src/kadmin/server/adm_funcs.c b/src/kadmin/server/adm_funcs.c index 5f86e1c24..7d61c7e06 100644 --- a/src/kadmin/server/adm_funcs.c +++ b/src/kadmin/server/adm_funcs.c @@ -403,11 +403,11 @@ cleanup: } krb5_error_code -adm5_change(context, prog, newprinc, client_creds) +adm5_change(context, auth_context, prog, newprinc) krb5_context context; + krb5_auth_context * auth_context; char *prog; krb5_principal newprinc; - krb5_ticket *client_creds; { krb5_db_entry entry; int nprincs = 1; @@ -426,7 +426,7 @@ adm5_change(context, prog, newprinc, client_creds) memset((char *) new_passwd, 0, ADM_MAX_PW_LENGTH + 1); /* Negotiate for New Key */ - if (retval = adm_negotiate_key(context, "adm5_change", client_creds, + if (retval = adm_negotiate_key(context, auth_context, "adm5_change", new_passwd)) { krb5_db_free_principal(context, &entry, nprincs); krb5_free_principal(context, newprinc); diff --git a/src/kadmin/server/adm_kadmin.c b/src/kadmin/server/adm_kadmin.c index e58774b54..556c35739 100644 --- a/src/kadmin/server/adm_kadmin.c +++ b/src/kadmin/server/adm_kadmin.c @@ -33,14 +33,14 @@ #include "adm_extern.h" krb5_error_code -adm5_kadmin(context, prog, client_auth_data, client_creds, retbuf, otype) +adm5_kadmin(context, auth_context, prog, retbuf, otype) krb5_context context; + krb5_auth_context * auth_context; char *prog; - krb5_authenticator *client_auth_data; - krb5_ticket *client_creds; char *retbuf; /* Allocated in Calling Routine */ int *otype; { + krb5_replay_data replaydata; krb5_error_code retval; kadmin_requests request_type; krb5_data msg_data, outbuf, inbuf; 
@@ -62,16 +62,8 @@ adm5_kadmin(context, prog, client_auth_data, client_creds, retbuf, otype) retbuf[2] = SENDDATA2; outbuf.length = 3; - retval = krb5_mk_priv(context, &outbuf, - ETYPE_DES_CBC_CRC, - client_creds->enc_part2->session, - &client_server_info.server_addr, - &client_server_info.client_addr, - send_seqno, - KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME, - 0, - 0, - &msg_data); + retval = krb5_mk_priv(context, auth_context, &outbuf, + &msg_data, &replaydata); if (retval ) { syslog(LOG_ERR, "adm5_kadmin - Error Performing Acknowledgement mk_priv"); @@ -96,15 +88,8 @@ adm5_kadmin(context, prog, client_auth_data, client_creds, retbuf, otype) } /* Decrypt Client Response */ - if ((retval = krb5_rd_priv(context, &inbuf, - client_creds->enc_part2->session, - &client_server_info.client_addr, - &client_server_info.server_addr, - recv_seqno, - KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME, - 0, - 0, - &msg_data))) { + if ((retval = krb5_rd_priv(context, auth_context, &inbuf, + &msg_data, &replaydata))) { free(inbuf.data); syslog(LOG_ERR | LOG_INFO, "Error decoding Username - rd_priv"); return(5); /* Protocol Failure */ @@ -165,8 +150,8 @@ adm5_kadmin(context, prog, client_auth_data, client_creds, retbuf, otype) } *otype = 1; salttype = KRB5_KDB_SALTTYPE_NORMAL; - retval = adm_add_new_key(context, "adm5_kadmin", customer_name, - client_creds, salttype); + retval = adm_add_new_key(context, auth_context, "adm5_kadmin", + customer_name, salttype); goto process_retval; case CHGOPER: @@ -178,8 +163,8 @@ adm5_kadmin(context, prog, client_auth_data, client_creds, retbuf, otype) } *otype = 2; salttype = KRB5_KDB_SALTTYPE_NORMAL; - retval = adm_change_pwd(context, "adm5_kadmin", customer_name, - client_creds, salttype); + retval = adm_change_pwd(context, auth_context, "adm5_kadmin", + customer_name, salttype); goto process_retval; case ADROPER: 
@@ -191,7 +176,7 @@ adm5_kadmin(context, prog, client_auth_data, client_creds, retbuf, otype) } *otype = 3; retval = adm_add_new_key_rnd(context, "adm5_kadmin", - customer_name, client_creds); + customer_name); goto process_retval; case CHROPER: @@ -203,7 +188,7 @@ adm5_kadmin(context, prog, client_auth_data, client_creds, retbuf, otype) } *otype = 4; retval = adm_change_pwd_rnd(context, "adm5_kadmin", - customer_name, client_creds); + customer_name); goto process_retval; case DELOPER: @@ -225,8 +210,8 @@ adm5_kadmin(context, prog, client_auth_data, client_creds, retbuf, otype) goto process_retval; } *otype = 6; - retval = adm_mod_old_key(context, "adm5_kadmin", customer_name, - client_creds); + retval = adm_mod_old_key(context, auth_context, "adm5_kadmin", + customer_name); goto process_retval; case INQOPER: @@ -237,8 +222,8 @@ adm5_kadmin(context, prog, client_auth_data, client_creds, retbuf, otype) goto process_retval; } *otype = 7; - retval = adm_inq_old_key(context, "adm5_kadmin", customer_name, - client_creds); + retval = adm_inq_old_key(context, auth_context, "adm5_kadmin", + customer_name); goto process_retval; case AD4OPER: @@ -250,8 +235,8 @@ adm5_kadmin(context, prog, client_auth_data, client_creds, retbuf, otype) } *otype = 8; salttype = KRB5_KDB_SALTTYPE_V4; - retval = adm_add_new_key(context, "adm5_kadmin", customer_name, - client_creds, salttype); + retval = adm_add_new_key(context, auth_context, "adm5_kadmin", + customer_name, salttype); goto process_retval; case CH4OPER: @@ -263,8 +248,8 @@ adm5_kadmin(context, prog, client_auth_data, client_creds, retbuf, otype) } *otype = 9; salttype = KRB5_KDB_SALTTYPE_V4; - retval = adm_change_pwd(context, "adm5_kadmin", customer_name, - client_creds, salttype); + retval = adm_change_pwd(context, auth_context, "adm5_kadmin", + customer_name, salttype); goto process_retval; default: 
@@ -333,22 +318,15 @@ send_last: outbuf.length = strlen(retbuf) + 1; /* Send Completion Message */ - if (retval = krb5_mk_priv(context, &outbuf, - ETYPE_DES_CBC_CRC, - client_creds->enc_part2->session, - &client_server_info.server_addr, - &client_server_info.client_addr, - send_seqno, - KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME, - 0, - 0, - &msg_data)) { + if (retval = krb5_mk_priv(context, auth_context, &outbuf, + &msg_data, &replaydata)) { syslog(LOG_ERR, "adm5_kadmin - Error Performing Final mk_priv"); return(1); } /* Send Final Reply to Client */ - if (retval = krb5_write_message(context, &client_server_info.client_socket, + if (retval = krb5_write_message(context, + &client_server_info.client_socket, &msg_data)){ free(msg_data.data); syslog(LOG_ERR, "adm5_kadmin - Error Performing Final Write: %s", diff --git a/src/kadmin/server/adm_kpasswd.c b/src/kadmin/server/adm_kpasswd.c index 033533e55..5ab7c74d3 100644 --- a/src/kadmin/server/adm_kpasswd.c +++ b/src/kadmin/server/adm_kpasswd.c @@ -42,11 +42,11 @@ struct cpw_keyproc_arg { }; krb5_error_code -adm5_kpasswd(context, prog, request_type, client_creds, retbuf, otype) +adm5_kpasswd(context, auth_context, prog, request_type, retbuf, otype) krb5_context context; + krb5_auth_context *auth_context; char *prog; kadmin_requests *request_type; - krb5_ticket *client_creds; char *retbuf; int *otype; { @@ -58,9 +58,8 @@ adm5_kpasswd(context, prog, request_type, client_creds, retbuf, otype) *otype = 3; syslog(LOG_AUTH | LOG_INFO, "adm_kpasswd: kpasswd change received"); - retval = adm5_change(context, "adm5_kpasswd", - client_server_info.client, - client_creds); + retval = adm5_change(context, auth_context, "adm5_kpasswd", + client_server_info.client); switch(retval) { case 0: diff --git a/src/kadmin/server/adm_listen.c b/src/kadmin/server/adm_listen.c index d1b8d9a55..a784b306b 100644 --- a/src/kadmin/server/adm_listen.c +++ b/src/kadmin/server/adm_listen.c 
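Review bot: adm_kpasswd.c still defines `struct cpw_keyproc_arg` (the `};` at the top of the `@@ -42,11` hunk closes it), while this commit deletes the same struct and the `keyprocarg` parameter of cpw_keyproc from adm_process.c and drops the keyproc argument from the krb5_recvauth call. With nothing left that takes a keyproc argument, the copy in adm_kpasswd.c appears to be dead and should be removed in the same change, unless something outside this diff still references it.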
@@ -151,7 +151,8 @@ adm5_listen_and_process(context, prog) } if (adm_debug_flag) { - retval = process_client(context, "adm5_listen_and_process"); + retval = process_client(context, + "adm5_listen_and_process"); exit(retval); } @@ -160,7 +161,8 @@ adm5_listen_and_process(context, prog) /* child */ (void) close(client_server_info.server_socket); - retval = process_client(context, "adm5_listen_and_process"); + retval = process_client(context, + "adm5_listen_and_process"); exit(retval); } else { /* parent */ diff --git a/src/kadmin/server/adm_nego.c b/src/kadmin/server/adm_nego.c index d7c09b633..abde3419a 100644 --- a/src/kadmin/server/adm_nego.c +++ b/src/kadmin/server/adm_nego.c @@ -43,12 +43,13 @@ #include "adm_extern.h" krb5_error_code -adm_negotiate_key(context, prog, client_creds, new_passwd) +adm_negotiate_key(context, auth_context, prog, new_passwd) krb5_context context; + krb5_auth_context *auth_context; char const * prog; - krb5_ticket * client_creds; char * new_passwd; { + krb5_replay_data replaydata; krb5_data msg_data, inbuf; krb5_error_code retval; #if defined(MACH_PASS) || defined(SANDIA) /* Machine-generated passwords. */ @@ -221,16 +222,8 @@ adm_negotiate_key(context, prog, client_creds, new_passwd) free_phrases(); /* Encrypt Password/Phrases Encoding */ - retval = krb5_mk_priv(context, encoded_pw_string, - ETYPE_DES_CBC_CRC, - client_creds->enc_part2->session, - &client_server_info.server_addr, - &client_server_info.client_addr, - send_seqno, - KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME, - 0, - 0, - &msg_data); + retval = krb5_mk_priv(context, auth_context, encoded_pw_string, + &msg_data, &replaydata); if (retval ) { free_passwds(); free_pwd_and_phrase_structures(); 
@@ -266,15 +259,8 @@ adm_negotiate_key(context, prog, client_creds, new_passwd) } /* Decrypt Client Response */ - if ((retval = krb5_rd_priv(context, &inbuf, - client_creds->enc_part2->session, - &client_server_info.client_addr, - &client_server_info.server_addr, - recv_seqno, - KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME, - 0, - 0, - &msg_data))) { + if ((retval = krb5_rd_priv(context, auth_context, &inbuf, + &msg_data, &replaydata))) { free(inbuf.data); #if defined(MACH_PASS) || defined(SANDIA) free_passwds(); diff --git a/src/kadmin/server/adm_process.c b/src/kadmin/server/adm_process.c index 786c6898c..ab9add4ef 100644 --- a/src/kadmin/server/adm_process.c +++ b/src/kadmin/server/adm_process.c @@ -37,38 +37,21 @@ extern krb5_encrypt_block master_encblock; extern krb5_keyblock master_keyblock; -struct cpw_keyproc_arg { - krb5_keyblock *key; -}; - -krb5_error_code -cpw_keyproc(context, keyprocarg, server, key_vno, keytype, key) +static krb5_error_code +cpw_keyproc(context, keyblock) krb5_context context; - krb5_pointer keyprocarg; - krb5_principal server; - krb5_kvno key_vno; - krb5_keytype keytype; - krb5_keyblock ** key; + krb5_keyblock ** keyblock; { krb5_error_code retval; krb5_db_entry cpw_entry; krb5_principal cpw_krb; krb5_keyblock *realkey; - - struct cpw_keyproc_arg *arg; - krb5_boolean more; - int nprincs = 1; - arg = ( struct cpw_keyproc_arg *) keyprocarg; - - if (arg->key) { - retval = krb5_copy_keyblock(context, arg->key, key); - if (retval) - return retval; - } else { - if (retval = krb5_parse_name(context, client_server_info.name_of_service, + if (*keyblock == NULL) { + if (retval = krb5_parse_name(context, + client_server_info.name_of_service, &cpw_krb)) { syslog(LOG_ERR, "cpw_keyproc %d while attempting to parse \"%s\"", 
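Review bot: The new `cpw_keyproc(context, keyblock)` only consults the KDB when `*keyblock == NULL`, but its single caller in process_client (`cpw_keyproc(context, &cpw_keyblock);`, hunk `@@ -250,36`) runs after `cpw_keyblock` has been calloc'ed and filled by krb5_kdb_decrypt_key, so as far as this diff shows the lookup branch is unreachable there and the call is a no-op; either drop the call or state the intent in a comment. The function also returns a krb5_error_code that the caller discards, while its own failure paths `exit()` (visible in the next hunk), so the return value carries no information today. A header comment would help: `/* Fill in *keyblock with the kadmin service key from the KDB, but only if the caller did not supply one; DB failures are fatal (exit). */`. cpw_keyproc's body continues into the following hunks.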
@@ -77,7 +60,7 @@ cpw_keyproc(context, keyprocarg, server, key_vno, keytype, key) } if (retval = krb5_db_get_principal(context, cpw_krb, &cpw_entry, - &nprincs, &more)) { + &nprincs, &more)) { syslog(LOG_ERR, "cpw_keyproc %d while extracting %s entry", client_server_info.name_of_service, retval); @@ -107,9 +90,8 @@ cpw_keyproc(context, keyprocarg, server, key_vno, keytype, key) exit(retval); } - *key = realkey; + *keyblock = realkey; } - return(0); } @@ -120,18 +102,19 @@ process_client(context, prog) { krb5_error_code retval; - struct cpw_keyproc_arg cpw_key; + krb5_keyblock * cpw_keyblock = NULL; int on = 1; krb5_db_entry server_entry; - krb5_ticket *client_creds; - krb5_authenticator *client_auth_data; char retbuf[512]; krb5_data final_msg; char completion_msg[520]; kadmin_requests request_type; + krb5_auth_context *auth_context = NULL; + krb5_ticket * client_ticket = NULL; + krb5_replay_data replaydata; int number_of_entries; krb5_boolean more; @@ -196,7 +179,7 @@ process_client(context, prog) exit(0); } - if ((cpw_key.key = (krb5_keyblock *) calloc (1, + if ((cpw_keyblock = (krb5_keyblock *) calloc (1, sizeof(krb5_keyblock))) == (krb5_keyblock *) 0) { krb5_db_free_principal(context, &server_entry, number_of_entries); syslog(LOG_ERR, @@ -209,9 +192,9 @@ process_client(context, prog) if (retval = krb5_kdb_decrypt_key(context, &master_encblock, &server_entry.key, - (krb5_keyblock *) cpw_key.key)) { + cpw_keyblock)) { krb5_db_free_principal(context, &server_entry, number_of_entries); - free(cpw_key.key); + free(cpw_keyblock); syslog(LOG_ERR, "kadmind error: Cannot extract kadmin/ from master key"); close(client_server_info.client_socket); 
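Review bot: The new locals `krb5_auth_context *auth_context = NULL;` and `krb5_ticket * client_ticket = NULL;` in the `@@ -120,18` hunk are populated by krb5_auth_con_init and krb5_recvauth later in process_client, but no `krb5_auth_con_free` or `krb5_free_ticket` appears anywhere in this diff, and the `finish:` label is outside the visible hunks. Since process_client runs in a forked child that exit()s (adm_listen.c), the leak is bounded to one connection, but the auth_context presumably now holds the session key (mk_priv/rd_priv no longer receive it explicitly), so releasing both at `finish` would also shorten the key's lifetime in memory — confirm the cleanup path. The `(krb5_keyblock *)` cast on the rewritten `calloc` line is unnecessary in C and can go while the line is being touched.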
@@ -250,36 +233,48 @@ process_client(context, prog) syslog(LOG_AUTH | LOG_INFO, "Request for Administrative Service Received from %s - Authenticating.", inet_ntoa( client_server_info.client_name.sin_addr )); + + cpw_keyproc(context, &cpw_keyblock); - if ((retval = krb5_recvauth(context, + if (krb5_auth_con_init(context, &auth_context)) + exit(1); + + krb5_auth_con_setflags(context,auth_context,KRB5_AUTH_CONTEXT_RET_SEQUENCE); + + krb5_auth_con_setaddrs(context, auth_context, + &client_server_info.server_addr, + &client_server_info.client_addr); + + if (krb5_auth_con_setuseruserkey(context, auth_context, cpw_keyblock)) + exit(1); + + if ((retval = krb5_recvauth(context, &auth_context, (krb5_pointer) &client_server_info.client_socket, ADM5_CPW_VERSION, client_server_info.server, - &client_server_info.client_addr, + NULL, 0, - cpw_keyproc, - (krb5_pointer) &cpw_key, - 0, - 0, - &send_seqno, - &client_server_info.client, - &client_creds, - &client_auth_data + NULL, + &client_ticket ))) { syslog(LOG_ERR, "kadmind error: %s during recvauth\n", error_message(retval)); (void) sprintf(retbuf, "kadmind error during recvauth: %s\n", error_message(retval)); - krb5_free_keyblock(context, cpw_key.key); + krb5_free_keyblock(context, cpw_keyblock); goto finish; } - krb5_free_keyblock(context, cpw_key.key); + krb5_free_keyblock(context, cpw_keyblock); + if (retval = krb5_copy_principal(context, client_ticket->enc_part2->client, + &client_server_info.client)) + goto finish; + /* Check if ticket was issued using password (and not tgt) * within the last 5 minutes */ - if (!(client_creds->enc_part2->flags & TKT_FLG_INITIAL)) { + if (!(client_ticket->enc_part2->flags & TKT_FLG_INITIAL)) { syslog(LOG_ERR, "Client ticket not initial"); close(client_server_info.client_socket); exit(0); 
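Review bot: The auth_context is configured with only `KRB5_AUTH_CONTEXT_RET_SEQUENCE`, whereas every krb5_mk_priv/krb5_rd_priv call this commit replaces passed `KRB5_PRIV_DOSEQUENCE`; if the new API separates returning sequence numbers from enforcing them (as `KRB5_AUTH_CONTEXT_DO_SEQUENCE` does), per-message sequence checking is silently dropped here — confirm, and if so use `krb5_auth_con_setflags(context, auth_context, KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_RET_SEQUENCE);`. The return values of `krb5_auth_con_setflags` and `krb5_auth_con_setaddrs` are ignored, so a failure to record the peer addresses would leave the address checks that each rd_priv call used to perform explicitly unenforced; check them the way `krb5_auth_con_setuseruserkey` is checked. Freeing `cpw_keyblock` immediately after krb5_recvauth assumes setuseruserkey copied the key into the context rather than storing the pointer — worth confirming in its implementation. The new `krb5_copy_principal` failure path jumps to `finish` without the syslog and retbuf message the recvauth failure just above produces; if `finish` (outside the hunk) sends `retbuf`, it is uninitialised on that path.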
@@ -291,14 +286,12 @@ process_client(context, prog) exit(0); } - if ((adm_time - client_creds->enc_part2->times.authtime) > 60*5) { + if ((adm_time - client_ticket->enc_part2->times.authtime) > 60*5) { syslog(LOG_ERR, "Client ticket not recent"); close(client_server_info.client_socket); exit(0); } - recv_seqno = client_auth_data->seq_number; - if ((client_server_info.name_of_client = (char *) calloc (1, 3 * 255)) == (char *) 0) { syslog(LOG_ERR, "kadmind error: No Memory for name_of_client"); @@ -341,15 +334,8 @@ process_client(context, prog) goto finish; } - if ((retval = krb5_rd_priv(context, &inbuf, - client_creds->enc_part2->session, - &client_server_info.client_addr, - &client_server_info.server_addr, - client_auth_data->seq_number, - KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME, - 0, - 0, - &msg_data))) { + if ((retval = krb5_rd_priv(context, auth_context, &inbuf, + &msg_data, &replaydata))) { free(inbuf.data); syslog(LOG_ERR, "kadmind error: rd_priv:%s\n", error_message(retval)); goto finish; @@ -364,16 +350,15 @@ process_client(context, prog) switch (request_type.appl_code) { case KPASSWD: req_type = "kpasswd"; - if (retval = adm5_kpasswd(context, "process_client", &request_type, - client_creds, retbuf, &otype)) { + if (retval = adm5_kpasswd(context, auth_context, "process_client", + &request_type, retbuf, &otype)) { goto finish; } break; case KADMIN: req_type = "kadmin"; - if (retval = adm5_kadmin(context, "process_client", - client_auth_data, client_creds, + if (retval = adm5_kadmin(context, auth_context, "process_client", retbuf, &otype)) { goto finish; } 
@@ -404,17 +389,9 @@ process_client(context, prog) final_msg.data = retbuf; final_msg.length = strlen(retbuf) + 1; - /* Send Completion Message */ - if (retval = krb5_mk_priv(context, &final_msg, - ETYPE_DES_CBC_CRC, - client_creds->enc_part2->session, - &client_server_info.server_addr, - &client_server_info.client_addr, - send_seqno, - KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME, - 0, - 0, - &msg_data)) { + /* Send Completion Message */ + if (retval = krb5_mk_priv(context, auth_context, &final_msg, + &msg_data, &replaydata)) { syslog(LOG_ERR, "kadmind error Error Performing Final mk_priv"); goto finish; } -- 2.26.2