From 9ec25ed6ea8b1201228c6bf053a6ef775a9f9540 Mon Sep 17 00:00:00 2001 From: Theodore Tso Date: Tue, 19 Feb 1991 19:38:17 +0000 Subject: [PATCH] Changes to conform with API modifications git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@1729 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/krb5/krb/copy_athctr.c | 9 +- src/lib/krb5/krb/copy_creds.c | 15 +-- src/lib/krb5/krb/copy_key.c | 25 +++-- src/lib/krb5/krb/copy_tick.c | 7 +- src/lib/krb5/krb/get_in_tkt.c | 14 +-- src/lib/krb5/krb/in_tkt_sky.c | 16 +--- src/lib/krb5/krb/parse.c | 7 +- src/lib/krb5/krb/rd_error.c | 25 ++--- src/lib/krb5/krb/rd_priv.c | 2 + src/lib/krb5/krb/rd_rep.c | 25 +++-- src/lib/krb5/krb/rd_req.c | 44 ++++----- src/lib/krb5/krb/rd_req_dec.c | 167 ++++++++++++++++++--------------- src/lib/krb5/krb/rd_req_sim.c | 34 +++---- src/lib/krb5/krb/rd_safe.c | 4 +- 14 files changed, 194 insertions(+), 200 deletions(-) diff --git a/src/lib/krb5/krb/copy_athctr.c b/src/lib/krb5/krb/copy_athctr.c index 5756a991c..1f1a9bf6b 100644 --- a/src/lib/krb5/krb/copy_athctr.c +++ b/src/lib/krb5/krb/copy_athctr.c @@ -45,15 +45,8 @@ krb5_authenticator **authto; } if (authfrom->subkey) { - if (!(tempto->subkey = - (krb5_keyblock *)malloc(sizeof(*tempto->subkey)))) { - krb5_free_checksum(tempto->checksum); - krb5_free_principal(tempto->client); - xfree(tempto); - return ENOMEM; - } if (retval = krb5_copy_keyblock(authfrom->subkey, - tempto->subkey)) { + &tempto->subkey)) { xfree(tempto->subkey); krb5_free_checksum(tempto->checksum); krb5_free_principal(tempto->client); diff --git a/src/lib/krb5/krb/copy_creds.c b/src/lib/krb5/krb/copy_creds.c index 3043dd146..18fe77682 100644 --- a/src/lib/krb5/krb/copy_creds.c +++ b/src/lib/krb5/krb/copy_creds.c @@ -2,7 +2,8 @@ * $Source$ * $Author$ * - * Copyright 1990 by the Massachusetts Institute of Technology. + * Copyright 1990,1991 by the Massachusetts Institute of Technology. + * All Rights Reserved. * * For copying and distribution information, please see the file * . @@ -15,7 +16,6 @@ static char rcsid_copy_creds_c [] = "$Id$"; #endif /* !lint & !SABER */ -#include #include #include @@ -41,20 +41,21 @@ krb5_creds **outcred; goto cleanlast; if (retval = krb5_copy_principal(incred->server, &tempcred->server)) goto cleanclient; - if (retval = krb5_copy_keyblock(&incred->keyblock, &tempcred->keyblock)) + if (retval = krb5_copy_keyblock_contents(&incred->keyblock, + &tempcred->keyblock)) goto cleanserver; if (retval = krb5_copy_addresses(incred->addresses, &tempcred->addresses)) goto cleanblock; if (retval = krb5_copy_data(&incred->ticket, &scratch)) goto cleanaddrs; tempcred->ticket = *scratch; - free((char *)scratch); + xfree(scratch); if (retval = krb5_copy_data(&incred->second_ticket, &scratch)) goto cleanticket; tempcred->second_ticket = *scratch; - free((char *)scratch); + xfree(scratch); *outcred = tempcred; return 0; @@ -64,12 +65,12 @@ krb5_creds **outcred; cleanaddrs: krb5_free_address(tempcred->addresses); cleanblock: - free((char *)tempcred->keyblock.contents); + xfree(tempcred->keyblock.contents); cleanserver: krb5_free_principal(tempcred->server); cleanclient: krb5_free_principal(tempcred->client); cleanlast: - free((char *)tempcred); + xfree(tempcred); return retval; } diff --git a/src/lib/krb5/krb/copy_key.c b/src/lib/krb5/krb/copy_key.c index f3aec81aa..b717071b6 100644 --- a/src/lib/krb5/krb/copy_key.c +++ b/src/lib/krb5/krb/copy_key.c @@ -2,7 +2,8 @@ * $Source$ * $Author$ * - * Copyright 1990 by the Massachusetts Institute of Technology. + * Copyright 1990,1991 by the Massachusetts Institute of Technology. + * All Rights Reserved. * * For copying and distribution information, please see the file * . @@ -15,7 +16,6 @@ static char rcsid_copy_key_c[] = "$Id$"; #endif /* !lint & !SABER */ -#include #include #include @@ -25,12 +25,19 @@ static char rcsid_copy_key_c[] = krb5_error_code krb5_copy_keyblock(from, to) const krb5_keyblock *from; -krb5_keyblock *to; +krb5_keyblock **to; { - *to = *from; - to->contents = (krb5_octet *)malloc(to->length); - if (!to->contents) - return ENOMEM; - memcpy((char *)to->contents, (char *)from->contents, to->length); - return 0; + krb5_keyblock *new_key; + + if (!(new_key = (krb5_keyblock *) malloc(sizeof(krb5_keyblock)))) + return ENOMEM; + *new_key = *from; + if (!(new_key->contents = (krb5_octet *)malloc(new_key->length))) { + xfree(new_key); + return(ENOMEM); + } + memcpy((char *)new_key->contents, (char *)from->contents, + new_key->length); + *to = new_key; + return 0; } diff --git a/src/lib/krb5/krb/copy_tick.c b/src/lib/krb5/krb/copy_tick.c index ec6a9d4ec..f7569367d 100644 --- a/src/lib/krb5/krb/copy_tick.c +++ b/src/lib/krb5/krb/copy_tick.c @@ -31,13 +31,8 @@ krb5_enc_tkt_part **partto; if (!(tempto = (krb5_enc_tkt_part *)malloc(sizeof(*tempto)))) return ENOMEM; *tempto = *partfrom; - if (!(tempto->session = - (krb5_keyblock *)malloc(sizeof(*tempto->session)))) { - xfree(tempto); - return ENOMEM; - } if (retval = krb5_copy_keyblock(partfrom->session, - tempto->session)) { + &tempto->session)) { xfree(tempto->session); xfree(tempto); return retval; diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index 4571f669f..14be24f38 100644 --- a/src/lib/krb5/krb/get_in_tkt.c +++ b/src/lib/krb5/krb/get_in_tkt.c @@ -2,7 +2,8 @@ * $Source$ * $Author$ * - * Copyright 1990 by the Massachusetts Institute of Technology. + * Copyright 1990,1991 by the Massachusetts Institute of Technology. + * All Rights Reserved. * * For copying and distribution information, please see the file * . @@ -15,7 +16,6 @@ static char rcsid_get_in_tkt_c[] = "$Id$"; #endif /* !lint & !SABER */ -#include #include #include #include @@ -212,8 +212,8 @@ OLDDECLARG(krb5_ccache, ccache) /* XXX issue warning if as_reply->enc_part2->key_exp is nearby */ /* fill in the credentials */ - if (retval = krb5_copy_keyblock(as_reply->enc_part2->session, - &creds->keyblock)) { + if (retval = krb5_copy_keyblock_contents(as_reply->enc_part2->session, + &creds->keyblock)) { memset((char *)as_reply->enc_part2->session->contents, 0, as_reply->enc_part2->session->length); krb5_free_kdc_rep(as_reply); @@ -221,7 +221,7 @@ OLDDECLARG(krb5_ccache, ccache) } #define cleanup_key() {memset((char *)creds->keyblock.contents, 0,\ creds->keyblock.length); \ - free((char *)creds->keyblock.contents); \ + xfree(creds->keyblock.contents); \ creds->keyblock.contents = 0; \ creds->keyblock.length = 0;} @@ -245,12 +245,12 @@ OLDDECLARG(krb5_ccache, ccache) return retval; } creds->ticket = *packet; - free((char *) packet); + xfree(packet); /* store it in the ccache! */ if (retval = krb5_cc_store_cred(ccache, creds)) { /* clean up the pieces */ - free((char *)creds->ticket.data); + xfree(creds->ticket.data); krb5_free_address(creds->addresses); cleanup_key(); return retval; diff --git a/src/lib/krb5/krb/in_tkt_sky.c b/src/lib/krb5/krb/in_tkt_sky.c index c8bee3923..b015a25da 100644 --- a/src/lib/krb5/krb/in_tkt_sky.c +++ b/src/lib/krb5/krb/in_tkt_sky.c @@ -2,7 +2,8 @@ * $Source$ * $Author$ * - * Copyright 1990 by the Massachusetts Institute of Technology. + * Copyright 1990,1991 by the Massachusetts Institute of Technology. + * All Rights Reserved. * * For copying and distribution information, please see the file * . @@ -16,7 +17,6 @@ static char rcsid_in_tkt_skey_c [] = "$Id$"; #endif /* !lint & !SABER */ -#include #include #include @@ -64,18 +64,12 @@ OLDDECLARG(krb5_pa_data **,padata) } #define cleanup() {if (arg->client) (void) krb5_kt_free_entry(&kt_ent);} - realkey = (krb5_keyblock *)malloc(sizeof(*realkey)); - if (!realkey) { - cleanup(); - return ENOMEM; - } - if (arg->key) - retval = krb5_copy_keyblock(arg->key, realkey); + retval = krb5_copy_keyblock(arg->key, &realkey); else - retval = krb5_copy_keyblock(&kt_ent.key, realkey); + retval = krb5_copy_keyblock(&kt_ent.key, &realkey); if (retval) { - free((char *)realkey); + xfree(realkey); cleanup(); return retval; } diff --git a/src/lib/krb5/krb/parse.c b/src/lib/krb5/krb/parse.c index de25f2e09..f87e22c3f 100644 --- a/src/lib/krb5/krb/parse.c +++ b/src/lib/krb5/krb/parse.c @@ -61,7 +61,7 @@ krb5_parse_name(name, nprincipal) int components = 0; const char *parsed_realm = NULL; int fcompsize[FCOMPNUM]; - char default_realm[512]; + static char *default_realm = NULL; krb5_data **principal; krb5_error_code retval; @@ -136,9 +136,8 @@ krb5_parse_name(name, nprincipal) * realm.... */ if (!parsed_realm) { - retval = krb5_get_default_realm(sizeof(default_realm), - default_realm); - if (retval) + if (!default_realm && + (retval = krb5_get_default_realm(&default_realm))) return(retval); principal[0]->length = fcompsize[0] = strlen(default_realm); } diff --git a/src/lib/krb5/krb/rd_error.c b/src/lib/krb5/krb/rd_error.c index 97e24f90d..8e9c3313c 100644 --- a/src/lib/krb5/krb/rd_error.c +++ b/src/lib/krb5/krb/rd_error.c @@ -23,29 +23,22 @@ static char rcsid_rd_error_c[] = #include /* - Parses an error message from enc_errbuf and fills in the contents of - dec_error. - - Upon return dec_error->client,server,text, if non-NULL, point to allocated - storage which the caller should free when finished. - - returns system errors + * Parses an error message from enc_errbuf and returns an allocated + * structure which contain the error message. + * + * Upon return dec_error will point to allocated storage which the + * caller should free when finished. + * + * returns system errors */ krb5_error_code krb5_rd_error( enc_errbuf, dec_error) const krb5_data *enc_errbuf; -krb5_error *dec_error; +krb5_error **dec_error; { - krb5_error_code retval; - krb5_error *new_dec_error; - if (!krb5_is_krb_error(enc_errbuf)) return KRB5KRB_AP_ERR_MSG_TYPE; - if (retval = decode_krb5_error(enc_errbuf, &new_dec_error)) - return(retval); - *dec_error = *new_dec_error; - (void)free((char *)new_dec_error); - return 0; + return(decode_krb5_error(enc_errbuf, dec_error)); } diff --git a/src/lib/krb5/krb/rd_priv.c b/src/lib/krb5/krb/rd_priv.c index 936566962..1567dfe98 100644 --- a/src/lib/krb5/krb/rd_priv.c +++ b/src/lib/krb5/krb/rd_priv.c @@ -54,6 +54,7 @@ krb5_rd_priv(DECLARG(const krb5_data *, inbuf), DECLARG(krb5_int32, seq_number), DECLARG(krb5_int32, priv_flags), DECLARG(krb5_pointer, i_vector), + DECLARG(krb5_rcache, rcache), DECLARG(krb5_data *, outbuf)) OLDDECLARG(const krb5_data *, inbuf) OLDDECLARG(const krb5_keyblock *, key) @@ -62,6 +63,7 @@ OLDDECLARG(const krb5_address *, recv_addr) OLDDECLARG(krb5_int32, seq_number) OLDDECLARG(krb5_int32, priv_flags) OLDDECLARG(krb5_pointer, i_vector) +OLDDECLARG(krb5_rcache, rcache), OLDDECLARG(krb5_data *, outbuf) { krb5_error_code retval; diff --git a/src/lib/krb5/krb/rd_rep.c b/src/lib/krb5/krb/rd_rep.c index 148835fce..72a68dd96 100644 --- a/src/lib/krb5/krb/rd_rep.c +++ b/src/lib/krb5/krb/rd_rep.c @@ -11,7 +11,7 @@ */ #if !defined(lint) && !defined(SABER) -static char rcsid_rd_req_dec_c[] = +static char rcsid_rd_rep_dec_c[] = "$Id$"; #endif /* !lint & !SABER */ @@ -22,26 +22,26 @@ static char rcsid_rd_req_dec_c[] = #include /* - Parses a KRB_AP_REP message, returning its contents. - - repl is filled in with the fields from the encrypted response. - - the key in kblock is used to decrypt the message. - - returns system errors, encryption errors, replay errors + * Parses a KRB_AP_REP message, returning its contents. + * + * repl is filled in with with a pointer to allocated memory containing + * the fields from the encrypted response. + * + * the key in kblock is used to decrypt the message. + * + * returns system errors, encryption errors, replay errors */ krb5_error_code krb5_rd_rep(inbuf, kblock, repl) const krb5_data *inbuf; const krb5_keyblock *kblock; -krb5_ap_rep_enc_part *repl; +krb5_ap_rep_enc_part **repl; { krb5_error_code retval; krb5_ap_rep *reply; krb5_encrypt_block eblock; krb5_data scratch; - krb5_ap_rep_enc_part *local_repl; if (!krb5_is_ap_rep(inbuf)) return KRB5KRB_AP_ERR_MSG_TYPE; @@ -93,10 +93,7 @@ free(scratch.data);} return retval; } /* now decode the decrypted stuff */ - if (!(retval = decode_krb5_ap_rep_enc_part(&scratch, &local_repl))) { - *repl = *local_repl; - free((char *)local_repl); - } + retval = decode_krb5_ap_rep_enc_part(&scratch, repl); clean_scratch(); return retval; } diff --git a/src/lib/krb5/krb/rd_req.c b/src/lib/krb5/krb/rd_req.c index 9fb100a8f..2db92e7e7 100644 --- a/src/lib/krb5/krb/rd_req.c +++ b/src/lib/krb5/krb/rd_req.c @@ -22,27 +22,27 @@ static char rcsid_rd_req_c[] = #include /* - Parses a KRB_AP_REQ message, returning its contents. - - server specifies the expected server's name for the ticket. - - sender_addr specifies the address(es) expected to be present in the - ticket. - - rcache specifies a replay detection cache used to store authenticators and - server names - - keyproc specifies a procedure to generate a decryption key for the - ticket. If keyproc is non-NULL, keyprocarg is passed to it, and the result - used as a decryption key. If keyproc is NULL, then fetchfrom is checked; - if it is non-NULL, it specifies a parameter name from which to retrieve the - decryption key. If fetchfrom is NULL, then the default key store is - consulted. - - authdat->ticket and authdat->authenticator are set to allocated storage - structures; the caller should free them when finished. - - returns system errors, encryption errors, replay errors + * Parses a KRB_AP_REQ message, returning its contents. + * + * server specifies the expected server's name for the ticket. + * + * sender_addr specifies the address(es) expected to be present in the + * ticket. + * + * rcache specifies a replay detection cache used to store authenticators and + * server names + * + * keyproc specifies a procedure to generate a decryption key for the + * ticket. If keyproc is non-NULL, keyprocarg is passed to it, and the result + * used as a decryption key. If keyproc is NULL, then fetchfrom is checked; + * if it is non-NULL, it specifies a parameter name from which to retrieve the + * decryption key. If fetchfrom is NULL, then the default key store is + * consulted. + * + * authdat is set to point at allocated storage structures; the caller + * should free them when finished. + * + * returns system errors, encryption errors, replay errors */ /* widen prototypes, if needed */ @@ -64,7 +64,7 @@ krb5_const_pointer fetchfrom; rdreq_key_proc keyproc; krb5_pointer keyprocarg; krb5_rcache rcache; -krb5_tkt_authent *authdat; +krb5_tkt_authent **authdat; { krb5_error_code retval; krb5_ap_req *request; diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c index 4d8c01e13..9bd5a5a4b 100644 --- a/src/lib/krb5/krb/rd_req_dec.c +++ b/src/lib/krb5/krb/rd_req_dec.c @@ -22,44 +22,43 @@ static char rcsid_rd_req_dec_c[] = #include /* - essentially the same as krb_rd_req, but uses a decoded AP_REQ as the input - rather than an encoded input. + * essentially the same as krb_rd_req, but uses a decoded AP_REQ as + * the input rather than an encoded input. */ /* - Parses a KRB_AP_REQ message, returning its contents. - - server specifies the expected server's name for the ticket; if NULL, then - any server will be accepted if the key can be found, and the caller should - verify that the principal is something it trusts. - - sender_addr specifies the address(es) expected to be present in the - ticket. - - rcache specifies a replay detection cache used to store authenticators and - server names - - keyproc specifies a procedure to generate a decryption key for the - ticket. If keyproc is non-NULL, keyprocarg is passed to it, and the result - used as a decryption key. If keyproc is NULL, then fetchfrom is checked; - if it is non-NULL, it specifies a parameter name from which to retrieve the - decryption key. If fetchfrom is NULL, then the default key store is - consulted. - - authdat->ticket and authdat->authenticator are set to allocated storage - structures; the caller should free them when finished. - - returns system errors, encryption errors, replay errors + * Parses a KRB_AP_REQ message, returning its contents. + * + * server specifies the expected server's name for the ticket; if NULL, then + * any server will be accepted if the key can be found, and the caller should + * verify that the principal is something it trusts. + * + * sender_addr specifies the address(es) expected to be present in the + * ticket. + * + * rcache specifies a replay detection cache used to store authenticators and + * server names + * + * keyproc specifies a procedure to generate a decryption key for the + * ticket. If keyproc is non-NULL, keyprocarg is passed to it, and the result + * used as a decryption key. If keyproc is NULL, then fetchfrom is checked; + * if it is non-NULL, it specifies a parameter name from which to retrieve the + * decryption key. If fetchfrom is NULL, then the default key store is + * consulted. + * + * authdat is set to point at allocated storage structures; the caller + * should free them when finished. + * + * returns system errors, encryption errors, replay errors */ /* widen prototypes, if needed */ #include -static krb5_error_code decrypt_authenticator PROTOTYPE((const krb5_ap_req *, - krb5_authenticator **)); -typedef krb5_error_code (*rdreq_key_proc) PROTOTYPE((krb5_pointer, - krb5_principal, - krb5_kvno, - krb5_keyblock **)); +static krb5_error_code decrypt_authenticator + PROTOTYPE((const krb5_ap_req *, krb5_authenticator **)); +typedef krb5_error_code (*rdreq_key_proc) + PROTOTYPE((krb5_pointer, krb5_principal, krb5_kvno, krb5_keyblock **)); + /* and back to normal... */ #include @@ -68,7 +67,7 @@ extern krb5_deltat krb5_clockskew; krb5_error_code krb5_rd_req_decoded(req, server, sender_addr, fetchfrom, keyproc, keyprocarg, - rcache, tktauthent) + rcache, authdat) const krb5_ap_req *req; krb5_const_principal server; const krb5_address *sender_addr; @@ -76,13 +75,12 @@ krb5_const_pointer fetchfrom; rdreq_key_proc keyproc; krb5_pointer keyprocarg; krb5_rcache rcache; -krb5_tkt_authent *tktauthent; +krb5_tkt_authent **authdat; { - krb5_error_code retval; - krb5_keyblock *tkt_key; - krb5_keyblock tkt_key_real; + krb5_error_code retval = 0; + krb5_keyblock *tkt_key = NULL; krb5_timestamp currenttime, starttime; - + krb5_tkt_authent *tktauthent = NULL; if (server && !krb5_principal_compare(server, req->ticket->server)) return KRB5KRB_AP_WRONG_PRINC; @@ -110,8 +108,7 @@ krb5_tkt_authent *tktauthent; req->ticket->enc_part.kvno, &ktentry); (void) krb5_kt_close(keytabid); if (!retval) { - retval = krb5_copy_keyblock(&ktentry.key, &tkt_key_real); - tkt_key = &tkt_key_real; + retval = krb5_copy_keyblock(&ktentry.key, &tkt_key); (void) krb5_kt_free_entry(&ktentry); } } @@ -120,34 +117,40 @@ krb5_tkt_authent *tktauthent; return retval; /* some error in getting the key */ /* decrypt the ticket */ - if (retval = krb5_decrypt_tkt_part(tkt_key, req->ticket)) + if (retval = krb5_decrypt_tkt_part(tkt_key, req->ticket)) { + krb5_free_keyblock(tkt_key); return(retval); + } -#define clean_ticket() krb5_free_enc_tkt_part(req->ticket->enc_part2) - - if (retval = decrypt_authenticator(req, &tktauthent->authenticator)) { - clean_ticket(); - return retval; + /* + * Now we allocate space for the krb5_tkt_authent structure. If + * we ever have an error, we're responsible for freeing it. + */ + if (!(tktauthent = + (krb5_tkt_authent *) malloc(sizeof(krb5_tkt_authent)))) { + retval = ENOMEM; + goto cleanup; } -#define clean_authenticator() {(void) krb5_free_authenticator(tktauthent->authenticator); tktauthent->authenticator = 0;} + + if (retval = decrypt_authenticator(req, &tktauthent->authenticator)) + goto cleanup; + *authdat = NULL; /* Set authdat to tktauthent when we finish */ if (!krb5_principal_compare(tktauthent->authenticator->client, req->ticket->enc_part2->client)) { - clean_authenticator(); - return KRB5KRB_AP_ERR_BADMATCH; + retval = KRB5KRB_AP_ERR_BADMATCH; + goto cleanup; } if (sender_addr && !krb5_address_search(sender_addr, req->ticket->enc_part2->caddrs)) { - clean_authenticator(); - return KRB5KRB_AP_ERR_BADADDR; + retval = KRB5KRB_AP_ERR_BADADDR; + goto cleanup; } - if (retval = krb5_timeofday(¤ttime)) { - clean_authenticator(); - return retval; - } + if (retval = krb5_timeofday(¤ttime)) + goto cleanup; if (!in_clock_skew(tktauthent->authenticator->ctime)) { - clean_authenticator(); - return KRB5KRB_AP_ERR_SKEW; + retval = KRB5KRB_AP_ERR_SKEW; + goto cleanup; } tktauthent->ticket = req->ticket; /* only temporarily...allocated @@ -158,20 +161,13 @@ krb5_tkt_authent *tktauthent; if (rcache) { krb5_donot_replay rep; - if (retval = krb5_auth_to_rep(tktauthent, &rep)) { - tktauthent->ticket = 0; - clean_authenticator(); - return retval; - } - if (retval = krb5_rc_store(rcache, &rep)) { - xfree(rep.server); - xfree(rep.client); - tktauthent->ticket = 0; - clean_authenticator(); - return retval; - } + if (retval = krb5_auth_to_rep(tktauthent, &rep)) + goto cleanup; + retval = krb5_rc_store(rcache, &rep); xfree(rep.server); xfree(rep.client); + if (retval) + goto cleanup; } tktauthent->ticket = 0; @@ -182,21 +178,36 @@ krb5_tkt_authent *tktauthent; starttime = req->ticket->enc_part2->times.authtime; if (starttime - currenttime > krb5_clockskew) { - clean_authenticator(); - return KRB5KRB_AP_ERR_TKT_NYV; /* ticket not yet valid */ + retval = KRB5KRB_AP_ERR_TKT_NYV; /* ticket not yet valid */ + goto cleanup; } if (currenttime - req->ticket->enc_part2->times.endtime > krb5_clockskew) { - clean_authenticator(); - return KRB5KRB_AP_ERR_TKT_EXPIRED; /* ticket expired */ + retval = KRB5KRB_AP_ERR_TKT_EXPIRED; /* ticket expired */ + goto cleanup; } if (req->ticket->enc_part2->flags & TKT_FLG_INVALID) { - clean_authenticator(); - return KRB5KRB_AP_ERR_TKT_INVALID; + retval = KRB5KRB_AP_ERR_TKT_INVALID; + goto cleanup; + } + retval = krb5_copy_ticket(req->ticket, &tktauthent->ticket); + +cleanup: + if (tktauthent) { + if (retval) { + krb5_free_tkt_authent(tktauthent); + } else { + tktauthent->ap_options = req->ap_options; + *authdat = tktauthent; + } + } + if (retval && req->ticket->enc_part2) { + /* only free if we're erroring out...otherwise some + applications will need the output. */ + krb5_free_enc_tkt_part(req->ticket->enc_part2); + req->ticket->enc_part2 = NULL; } - if (retval = krb5_copy_ticket(req->ticket, &tktauthent->ticket)) { - clean_authenticator(); - } else - tktauthent->ap_options = req->ap_options; + if (tkt_key) + krb5_free_keyblock(tkt_key); return retval; } diff --git a/src/lib/krb5/krb/rd_req_sim.c b/src/lib/krb5/krb/rd_req_sim.c index 657309b9e..2c964e8ba 100644 --- a/src/lib/krb5/krb/rd_req_sim.c +++ b/src/lib/krb5/krb/rd_req_sim.c @@ -21,22 +21,22 @@ static char rcsid_rd_req_sim_c[] = #include /* - Parses a KRB_AP_REQ message, returning its contents. - - server specifies the expected server's name for the ticket. - - sender_addr specifies the address(es) expected to be present in the - ticket. - - A replay cache name derived from the first component of the service name - is used. - - The default key store is consulted to find the service key. - - authdat->ticket and authdat->authenticator are set to allocated storage - structures; the caller should free them when finished. - - returns system errors, encryption errors, replay errors + * Parses a KRB_AP_REQ message, returning its contents. + * + * server specifies the expected server's name for the ticket. + * + * sender_addr specifies the address(es) expected to be present in the + * ticket. + * + * A replay cache name derived from the first component of the service name + * is used. + * + * The default key store is consulted to find the service key. + * + * authdat isset to point at allocated structures; the caller should + * free it when finished. + * + * returns system errors, encryption errors, replay errors */ krb5_error_code @@ -44,7 +44,7 @@ krb5_rd_req_simple(inbuf, server, sender_addr, authdat) const krb5_data *inbuf; krb5_const_principal server; const krb5_address *sender_addr; -krb5_tkt_authent *authdat; +krb5_tkt_authent **authdat; { krb5_error_code retval; krb5_ap_req *request; diff --git a/src/lib/krb5/krb/rd_safe.c b/src/lib/krb5/krb/rd_safe.c index 209760ae6..8426a8224 100644 --- a/src/lib/krb5/krb/rd_safe.c +++ b/src/lib/krb5/krb/rd_safe.c @@ -38,13 +38,15 @@ extern krb5_deltat krb5_clockskew; returns system errors, integrity errors */ krb5_error_code -krb5_rd_safe(inbuf, key, sender_addr, recv_addr, seq_number, safe_flags, outbuf) +krb5_rd_safe(inbuf, key, sender_addr, recv_addr, seq_number, safe_flags, + rcache, outbuf) const krb5_data *inbuf; const krb5_keyblock *key; const krb5_address *sender_addr; const krb5_address *recv_addr; krb5_int32 seq_number; krb5_int32 safe_flags; +krb5_rcache rcache; krb5_data *outbuf; { krb5_error_code retval; -- 2.26.2