From af0ce70cf1f6e9df9b95090d133114816c71ac77 Mon Sep 17 00:00:00 2001 From: Zhanna Tsitkov Date: Thu, 12 Nov 2009 19:12:51 +0000 Subject: [PATCH] Post-great-reindent check. Part I git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23151 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kdc/dispatch.c | 2 +- src/kdc/do_as_req.c | 65 ++++++---- src/kdc/do_tgs_req.c | 96 ++++++++------- src/kdc/fast_util.c | 103 +++++++++------- src/kdc/kdc_authdata.c | 110 +++++++++-------- src/kdc/kdc_preauth.c | 271 ++++++++++++++++++++++------------------- 6 files changed, 363 insertions(+), 284 deletions(-) diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c index 3885b4ee4..a8d95229d 100644 --- a/src/kdc/dispatch.c +++ b/src/kdc/dispatch.c @@ -2,7 +2,7 @@ /* * kdc/dispatch.c * - * Copyright 1990 by the Massachusetts Institute of Technology. + * Copyright 1990, 2009 by the Massachusetts Institute of Technology. * * Export of this software from the United States of America may * require a specific license from the United States Government. diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 5067ff8fd..45ae49633 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -83,9 +83,10 @@ #endif #endif /* APPLE_PKINIT */ -static krb5_error_code prepare_error_as (struct kdc_request_state *, krb5_kdc_req *, int, krb5_data *, - krb5_principal, krb5_data **, - const char *); +static krb5_error_code +prepare_error_as(struct kdc_request_state *, krb5_kdc_req *, + int, krb5_data *, krb5_principal, krb5_data **, + const char *); /*ARGSUSED*/ krb5_error_code @@ -148,7 +149,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, status = "Finding req_body"; goto errout; } - errcode = kdc_find_fast(&request, &encoded_req_body, NULL /*TGS key*/, NULL, state); + errcode = kdc_find_fast(&request, &encoded_req_body, + NULL /*TGS key*/, NULL, state); if (errcode) { status = "error decoding FAST"; goto errout; @@ -309,9 +311,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, setflag(enc_tkt_reply.flags, TKT_FLG_INITIAL); - /* It should be noted that local policy may affect the */ - /* processing of any of these flags. For example, some */ - /* realms may refuse to issue renewable tickets */ + /* + * It should be noted that local policy may affect the + * processing of any of these flags. For example, some + * realms may refuse to issue renewable tickets + */ if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE)) setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE); @@ -374,8 +378,10 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, } else enc_tkt_reply.times.renew_till = 0; /* XXX */ - /* starttime is optional, and treated as authtime if not present. - so we can nuke it if it matches */ + /* + * starttime is optional, and treated as authtime if not present. + * so we can nuke it if it matches + */ if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime) enc_tkt_reply.times.starttime = 0; @@ -423,9 +429,9 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, * Find the server key */ if ((errcode = krb5_dbe_find_enctype(kdc_context, &server, - -1, /* ignore keytype */ - -1, /* Ignore salttype */ - 0, /* Get highest kvno */ + -1, /* ignore keytype */ + -1, /* Ignore salttype */ + 0, /* Get highest kvno */ &server_key))) { status = "FINDING_SERVER_KEY"; goto errout; @@ -450,10 +456,13 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, } } - /* convert server.key into a real key (it may be encrypted - in the database) */ + /* + * Convert server.key into a real key + * (it may be encrypted in the database) + * + * server_keyblock is later used to generate auth data signatures + */ if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, mkey_ptr, - /* server_keyblock is later used to generate auth data signatures */ server_key, &server_keyblock, NULL))) { status = "DECRYPT_SERVER_KEY"; @@ -524,7 +533,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, reply_encpart.server = ticket_reply.server; /* copy the time fields EXCEPT for authtime; it's location - is used for ktime */ + * is used for ktime + */ reply_encpart.times = enc_tkt_reply.times; reply_encpart.times.authtime = authtime = kdc_time; @@ -532,7 +542,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, reply_encpart.enc_padata = NULL; /* Fetch the padata info to be returned (do this before - authdata to handle possible replacement of reply key */ + * authdata to handle possible replacement of reply key + */ errcode = return_padata(kdc_context, &client, req_pkt, request, &reply, client_key, &client_keyblock, &pa_context); if (errcode) { @@ -572,13 +583,15 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, goto errout; } - errcode = krb5_encrypt_tkt_part(kdc_context, &server_keyblock, &ticket_reply); + errcode = krb5_encrypt_tkt_part(kdc_context, &server_keyblock, + &ticket_reply); if (errcode) { status = "ENCRYPTING_TICKET"; goto errout; } ticket_reply.enc_part.kvno = server_key->key_data_kvno; - errcode = kdc_fast_response_handle_padata(state, request, &reply, client_keyblock.enctype); + errcode = kdc_fast_response_handle_padata(state, request, &reply, + client_keyblock.enctype); if (errcode) { status = "fast response handling"; goto errout; @@ -588,7 +601,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, reply.enc_part.enctype = client_keyblock.enctype; - errcode = kdc_fast_handle_reply_key(state, &client_keyblock, &as_encrypting_key); + errcode = kdc_fast_handle_reply_key(state, &client_keyblock, + &as_encrypting_key); if (errcode) { status = "generating reply key"; goto errout; @@ -642,9 +656,9 @@ egress: response, status); status = 0; } + if (emsg) krb5_free_error_message(kdc_context, emsg); - if (enc_tkt_reply.authorization_data != NULL) krb5_free_authdata(kdc_context, enc_tkt_reply.authorization_data); if (server_keyblock.contents != NULL) @@ -675,11 +689,13 @@ egress: request->kdc_state = NULL; krb5_free_kdc_req(kdc_context, request); assert(did_log != 0); + return errcode; } static krb5_error_code -prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request, int error, krb5_data *e_data, +prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request, + int error, krb5_data *e_data, krb5_principal canon_client, krb5_data **response, const char *status) { @@ -726,7 +742,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request, int e pa = calloc(size+1, sizeof(*pa)); if (pa == NULL) retval = ENOMEM; - else for (size = 0; td[size]; size++) { + else + for (size = 0; td[size]; size++) { krb5_pa_data *pad = malloc(sizeof(krb5_pa_data )); if (pad == NULL) { retval = ENOMEM; @@ -744,11 +761,13 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request, int e request, pa, &errpkt); if (retval == 0) retval = krb5_mk_error(kdc_context, &errpkt, scratch); + free(errpkt.text.data); if (retval) free(scratch); else *response = scratch; krb5_free_pa_data(kdc_context, pa); + return retval; } diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 24e32df44..b31228847 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -116,7 +116,7 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from, register int i; int firstpass = 1; const char *status = 0; - krb5_enc_tkt_part *header_enc_tkt = NULL; /* ticket granting or evidence ticket */ + krb5_enc_tkt_part *header_enc_tkt = NULL; /* TG or evidence ticket */ krb5_db_entry client, krbtgt; int c_nprincs = 0, k_nprincs = 0; krb5_pa_s4u_x509_user *s4u_x509_user = NULL; /* protocol transition request */ @@ -179,13 +179,13 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from, } scratch.length = pa_tgs_req->length; scratch.data = (char *) pa_tgs_req->contents; - errcode = kdc_find_fast(&request, &scratch, subkey, header_ticket->enc_part2->session, state); + errcode = kdc_find_fast(&request, &scratch, subkey, + header_ticket->enc_part2->session, state); if (errcode !=0) { status = "kdc_find_fast"; goto cleanup; } - /* * Pointer to the encrypted part of the header ticket, which may be * replaced to point to the encrypted part of the evidence ticket @@ -240,10 +240,12 @@ tgt_again: */ if (firstpass ) { - if ( krb5_is_tgs_principal(request->server) == TRUE) { /* Principal is a name of krb ticket service */ + if ( krb5_is_tgs_principal(request->server) == TRUE) { + /* Principal is a name of krb ticket service */ if (krb5_princ_size(kdc_context, request->server) == 2) { - server_1 = krb5_princ_component(kdc_context, request->server, 1); + server_1 = krb5_princ_component(kdc_context, + request->server, 1); tgs_1 = krb5_princ_component(kdc_context, tgs_server, 1); if (!tgs_1 || !data_eq(*server_1, *tgs_1)) { @@ -262,7 +264,8 @@ tgt_again: retval = prep_reprocess_req(request, &krbtgt_princ); if (!retval) { krb5_free_principal(kdc_context, request->server); - retval = krb5_copy_principal(kdc_context, krbtgt_princ, &(request->server)); + retval = krb5_copy_principal(kdc_context, krbtgt_princ, + &(request->server)); if (!retval) { db_ref_done = TRUE; if (sname != NULL) @@ -329,11 +332,11 @@ tgt_again: useenctype = 0; if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY | KDC_OPT_CNAME_IN_ADDL_TKT)) { - krb5_keyblock * st_sealing_key; - krb5_kvno st_srv_kvno; - krb5_enctype etype; + krb5_keyblock st_sealing_key; + krb5_kvno st_srv_kvno; + krb5_enctype etype; krb5_db_entry st_client; - int st_nprincs = 0; + int st_nprincs = 0; /* * Get the key for the second ticket, and decrypt it. @@ -375,12 +378,12 @@ tgt_again: if (isflagset(request->kdc_options, KDC_OPT_CNAME_IN_ADDL_TKT)) { /* Do constrained delegation protocol and authorization checks */ errcode = kdc_process_s4u2proxy_req(kdc_context, - request, - request->second_ticket[st_idx]->enc_part2, - &st_client, - header_ticket->enc_part2->client, - request->server, - &status); + request, + request->second_ticket[st_idx]->enc_part2, + &st_client, + header_ticket->enc_part2->client, + request->server, + &status); if (errcode) goto cleanup; @@ -449,9 +452,11 @@ tgt_again: reply_encpart.caddrs = 0;/* optional...don't put it in */ reply_encpart.enc_padata = NULL; - /* It should be noted that local policy may affect the */ - /* processing of any of these flags. For example, some */ - /* realms may refuse to issue renewable tickets */ + /* + * It should be noted that local policy may affect the + * processing of any of these flags. For example, some + * realms may refuse to issue renewable tickets + */ if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE)) { setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE); @@ -479,7 +484,8 @@ tgt_again: * S4U2Self in order for forwardable tickets to be returned. */ else if (!is_referral && - !isflagset(server.attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE)) + !isflagset(server.attributes, + KRB5_KDB_OK_TO_AUTH_AS_DELEGATE)) clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE); } } @@ -597,9 +603,11 @@ tgt_again: enc_tkt_reply.times.starttime = 0; if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) { - errcode = krb5_unparse_name(kdc_context, s4u_x509_user->user_id.user, &s4u_name); + errcode = krb5_unparse_name(kdc_context, s4u_x509_user->user_id.user, + &s4u_name); } else if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) { - errcode = krb5_unparse_name(kdc_context, header_enc_tkt->client, &s4u_name); + errcode = krb5_unparse_name(kdc_context, header_enc_tkt->client, + &s4u_name); } else { errcode = 0; } @@ -618,7 +626,7 @@ tgt_again: if ((errcode = krb5_dbe_find_enctype(kdc_context, &server, -1, /* ignore keytype */ -1, /* Ignore salttype */ - 0,/* Get highest kvno */ + 0, /* Get highest kvno */ &server_key))) { status = "FINDING_SERVER_KEY"; goto cleanup; @@ -630,7 +638,7 @@ tgt_again: /* try refreshing master key list */ /* XXX it would nice if we had the mkvno here for optimization */ if (krb5_db_fetch_mkey_list(kdc_context, master_princ, - &master_keyblock, 0, &tmp_mkey_list) == 0) { + &master_keyblock, 0, &tmp_mkey_list) == 0) { krb5_dbe_free_key_list(kdc_context, master_keylist); master_keylist = tmp_mkey_list; if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, @@ -644,8 +652,10 @@ tgt_again: } } - /* convert server.key into a real key (it may be encrypted - * in the database) */ + /* + * Convert server.key into a real key + * (it may be encrypted in the database) + */ if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, mkey_ptr, server_key, &encrypting_key, @@ -753,7 +763,6 @@ tgt_again: * implicitly part of the transited list and should not be explicitly * listed). */ - /* realm compare is like strcmp, but knows how to deal with these args */ if (realm_compare(header_ticket->server, tgs_server) || realm_compare(header_ticket->server, enc_tkt_reply.client)) { @@ -799,9 +808,9 @@ tgt_again: char *tdots; errcode = kdc_check_transited_list (kdc_context, - &enc_tkt_reply.transited.tr_contents, - krb5_princ_realm (kdc_context, header_enc_tkt->client), - krb5_princ_realm (kdc_context, request->server)); + &enc_tkt_reply.transited.tr_contents, + krb5_princ_realm (kdc_context, header_enc_tkt->client), + krb5_princ_realm (kdc_context, request->server)); tlen = enc_tkt_reply.transited.tr_contents.length; tdots = tlen > 125 ? "..." : ""; tlen = tlen > 125 ? 125 : tlen; @@ -925,16 +934,16 @@ tgt_again: /* use the session key in the ticket, unless there's a subsession key in the AP_REQ */ - reply.enc_part.enctype = subkey ? subkey->enctype : header_ticket->enc_part2->session->enctype; errcode = kdc_fast_response_handle_padata(state, request, &reply, - subkey?subkey->enctype:header_ticket->enc_part2->session->enctype); + subkey ? subkey->enctype : header_ticket->enc_part2->session->enctype); if (errcode !=0 ) { status = "Preparing FAST padata"; goto cleanup; } - errcode =kdc_fast_handle_reply_key(state, subkey?subkey:header_ticket->enc_part2->session, &reply_key); + errcode =kdc_fast_handle_reply_key(state, + subkey?subkey:header_ticket->enc_part2->session, &reply_key); if (errcode) { status = "generating reply key"; goto cleanup; @@ -1101,9 +1110,9 @@ find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry *server, * the principal. */ if ((retval = krb5_walk_realm_tree(kdc_context, - krb5_princ_realm(kdc_context, request->server), - krb5_princ_component(kdc_context, request->server, 1), - &plist, KRB5_REALM_BRANCH_CHAR))) + krb5_princ_realm(kdc_context, request->server), + krb5_princ_component(kdc_context, request->server, 1), + &plist, KRB5_REALM_BRANCH_CHAR))) return; /* move to the end */ @@ -1195,16 +1204,20 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ) if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST || (krb5_princ_type(kdc_context, request->server) == KRB5_NT_UNKNOWN && kdc_active_realm->realm_host_based_services != NULL && - (krb5_match_config_pattern(kdc_active_realm->realm_host_based_services, comp1_str) == TRUE || - krb5_match_config_pattern(kdc_active_realm->realm_host_based_services, KRB5_CONF_ASTERISK) == TRUE))) && + (krb5_match_config_pattern(kdc_active_realm->realm_host_based_services, + comp1_str) == TRUE || + krb5_match_config_pattern(kdc_active_realm->realm_host_based_services, + KRB5_CONF_ASTERISK) == TRUE))) && (kdc_active_realm->realm_no_host_referral == NULL || - (krb5_match_config_pattern(kdc_active_realm->realm_no_host_referral, KRB5_CONF_ASTERISK) == FALSE && - krb5_match_config_pattern(kdc_active_realm->realm_no_host_referral, comp1_str) == FALSE))) { + (krb5_match_config_pattern(kdc_active_realm->realm_no_host_referral, + KRB5_CONF_ASTERISK) == FALSE && + krb5_match_config_pattern(kdc_active_realm->realm_no_host_referral, + comp1_str) == FALSE))) { if (memchr(comp2->data, '.', comp2->length) == NULL) goto cleanup; temp_buf = calloc(1, comp2->length+1); - if (!temp_buf){ + if (!temp_buf) { retval = ENOMEM; goto cleanup; } @@ -1239,5 +1252,6 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ) } cleanup: free(comp1_str); + return retval; } diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c index f7a1ac43a..543db1d55 100644 --- a/src/kdc/fast_util.c +++ b/src/kdc/fast_util.c @@ -23,9 +23,6 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * - * - * */ #include @@ -55,11 +52,12 @@ static krb5_error_code armor_ap_request krb5_clear_error_message(kdc_context); retval = krb5_auth_con_init(kdc_context, &authcontext); if (retval == 0) - retval = krb5_auth_con_setflags(kdc_context, authcontext, 0); /*disable replay cache*/ + retval = krb5_auth_con_setflags(kdc_context, + authcontext, 0); /*disable replay cache*/ retval = krb5_rd_req(kdc_context, &authcontext, &armor->armor_value, NULL /*server*/, kdc_active_realm->realm_keytab, NULL, &ticket); - if (retval !=0) { + if (retval != 0) { const char * errmsg = krb5_get_error_message(kdc_context, retval); krb5_set_error_message(kdc_context, retval, "%s while handling ap-request armor", errmsg); @@ -70,19 +68,19 @@ static krb5_error_code armor_ap_request tgs_server, ticket->server)) { krb5_set_error_message(kdc_context, KRB5KDC_ERR_SERVER_NOMATCH, - "ap-request armor for something other than the local TGS"); + "ap-request armor for something other than the local TGS"); retval = KRB5KDC_ERR_SERVER_NOMATCH; } } - if (retval ==0) { + if (retval == 0) { retval = krb5_auth_con_getrecvsubkey(kdc_context, authcontext, &subkey); - if (retval !=0 || subkey == NULL) { + if (retval != 0 || subkey == NULL) { krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY, "ap-request armor without subkey"); retval = KRB5KDC_ERR_POLICY; } } - if (retval==0) + if (retval == 0) retval = krb5_c_fx_cf2_simple(kdc_context, subkey, "subkeyarmor", ticket->enc_part2->session, "ticketarmor", @@ -96,9 +94,10 @@ static krb5_error_code armor_ap_request return retval; } -static krb5_error_code encrypt_fast_reply -(struct kdc_request_state *state, const krb5_fast_response *response, - krb5_data **fx_fast_reply) +static krb5_error_code +encrypt_fast_reply(struct kdc_request_state *state, + const krb5_fast_response *response, + krb5_data **fx_fast_reply) { krb5_error_code retval = 0; krb5_enc_data encrypted_reply; @@ -121,11 +120,12 @@ static krb5_error_code encrypt_fast_reply } -krb5_error_code kdc_find_fast -(krb5_kdc_req **requestptr, krb5_data *checksummed_data, - krb5_keyblock *tgs_subkey, - krb5_keyblock *tgs_session, - struct kdc_request_state *state) +krb5_error_code +kdc_find_fast(krb5_kdc_req **requestptr, + krb5_data *checksummed_data, + krb5_keyblock *tgs_subkey, + krb5_keyblock *tgs_session, + struct kdc_request_state *state) { krb5_error_code retval = 0; krb5_pa_data *fast_padata, *cookie_padata; @@ -165,7 +165,7 @@ krb5_error_code kdc_find_fast &state->armor_key); else { krb5_set_error_message(kdc_context, KRB5KDC_ERR_PREAUTH_FAILED, - "No armor key but FAST armored request present"); + "No armor key but FAST armored request present"); retval = KRB5KDC_ERR_PREAUTH_FAILED; } } @@ -188,7 +188,8 @@ krb5_error_code kdc_find_fast if (retval == 0) retval = krb5_c_verify_checksum(kdc_context, state->armor_key, KRB5_KEYUSAGE_FAST_REQ_CHKSUM, - checksummed_data, &fast_armored_req->req_checksum, + checksummed_data, + &fast_armored_req->req_checksum, &cksum_valid); if (retval == 0 && !cksum_valid) { retval = KRB5KRB_AP_ERR_MODIFIED; @@ -197,13 +198,16 @@ krb5_error_code kdc_find_fast } if (retval == 0) { krb5_error_code ret; - /* We need to confirm that a keyed checksum is used for the + /* + * We need to confirm that a keyed checksum is used for the * fast_req checksum. In April 2009, the best way to do this is * to try verifying the checksum with a keyblock with an zero - * length; if it succeeds, then an unkeyed checksum is used.*/ + * length; if it succeeds, then an unkeyed checksum is used. + */ ret = krb5_c_verify_checksum(kdc_context, &empty_keyblock, KRB5_KEYUSAGE_FAST_REQ_CHKSUM, - checksummed_data, &fast_armored_req->req_checksum, + checksummed_data, + &fast_armored_req->req_checksum, &cksum_valid); if (ret == 0) { retval = KRB5KDC_ERR_POLICY; @@ -212,11 +216,12 @@ krb5_error_code kdc_find_fast } } if (retval == 0) { - if ((fast_req->fast_options & UNSUPPORTED_CRITICAL_FAST_OPTIONS) !=0) + if ((fast_req->fast_options & UNSUPPORTED_CRITICAL_FAST_OPTIONS) != 0) retval = KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION; } if (retval == 0) - cookie_padata = find_pa_data(fast_req->req_body->padata, KRB5_PADATA_FX_COOKIE); + cookie_padata = find_pa_data(fast_req->req_body->padata, + KRB5_PADATA_FX_COOKIE); if (retval == 0) { state->fast_options = fast_req->fast_options; if (request->kdc_state == state) @@ -224,7 +229,6 @@ krb5_error_code kdc_find_fast krb5_free_kdc_req( kdc_context, request); *requestptr = fast_req->req_body; fast_req->req_body = NULL; - } } else cookie_padata = find_pa_data(request->padata, KRB5_PADATA_FX_COOKIE); @@ -240,7 +244,8 @@ krb5_error_code kdc_find_fast retval = ENOMEM; free(new_padata); } else { - memcpy(new_padata->contents, cookie_padata->contents, new_padata->length); + memcpy(new_padata->contents, cookie_padata->contents, + new_padata->length); state->cookie = new_padata; } } @@ -253,7 +258,8 @@ krb5_error_code kdc_find_fast } -krb5_error_code kdc_make_rstate(struct kdc_request_state **out) +krb5_error_code +kdc_make_rstate(struct kdc_request_state **out) { struct kdc_request_state *state = malloc( sizeof(struct kdc_request_state)); if (state == NULL) @@ -263,8 +269,8 @@ krb5_error_code kdc_make_rstate(struct kdc_request_state **out) return 0; } -void kdc_free_rstate -(struct kdc_request_state *s) +void +kdc_free_rstate (struct kdc_request_state *s) { if (s == NULL) return; @@ -279,10 +285,10 @@ void kdc_free_rstate free(s); } -krb5_error_code kdc_fast_response_handle_padata -(struct kdc_request_state *state, - krb5_kdc_req *request, - krb5_kdc_rep *rep, krb5_enctype enctype) +krb5_error_code +kdc_fast_response_handle_padata(struct kdc_request_state *state, + krb5_kdc_req *request, + krb5_kdc_rep *rep, krb5_enctype enctype) { krb5_error_code retval = 0; krb5_fast_finished finish; @@ -323,10 +329,13 @@ krb5_error_code kdc_fast_response_handle_padata if (retval == 0) retval = encode_krb5_ticket(rep->ticket, &encoded_ticket); if (retval == 0) - retval = krb5int_c_mandatory_cksumtype(kdc_context, state->armor_key->enctype, &cksumtype); + retval = krb5int_c_mandatory_cksumtype(kdc_context, + state->armor_key->enctype, + &cksumtype); if (retval == 0) retval = krb5_c_make_checksum(kdc_context, cksumtype, - state->armor_key, KRB5_KEYUSAGE_FAST_FINISHED, + state->armor_key, + KRB5_KEYUSAGE_FAST_FINISHED, encoded_ticket, &finish.ticket_checksum); if (retval == 0) retval = encrypt_fast_reply(state, &fast_response, &encrypted_reply); @@ -363,10 +372,11 @@ krb5_error_code kdc_fast_response_handle_padata * throw away the e_data in the error (if any); in the non-FAST case * we will not use the in_padata. */ -krb5_error_code kdc_fast_handle_error -(krb5_context context, struct kdc_request_state *state, - krb5_kdc_req *request, - krb5_pa_data **in_padata, krb5_error *err) +krb5_error_code +kdc_fast_handle_error(krb5_context context, + struct kdc_request_state *state, + krb5_kdc_req *request, + krb5_pa_data **in_padata, krb5_error *err) { krb5_error_code retval = 0; krb5_fast_response resp; @@ -441,9 +451,10 @@ krb5_error_code kdc_fast_handle_error return retval; } -krb5_error_code kdc_fast_handle_reply_key(struct kdc_request_state *state, - krb5_keyblock *existing_key, - krb5_keyblock **out_key) +krb5_error_code +kdc_fast_handle_reply_key(struct kdc_request_state *state, + krb5_keyblock *existing_key, + krb5_keyblock **out_key) { krb5_error_code retval = 0; if (state->armor_key) @@ -451,13 +462,15 @@ krb5_error_code kdc_fast_handle_reply_key(struct kdc_request_state *state, state->strengthen_key, "strengthenkey", existing_key, "replykey", out_key); - else retval = krb5_copy_keyblock(kdc_context, existing_key, out_key); + else + retval = krb5_copy_keyblock(kdc_context, existing_key, out_key); return retval; } -krb5_error_code kdc_preauth_get_cookie(struct kdc_request_state *state, - krb5_pa_data **cookie) +krb5_error_code +kdc_preauth_get_cookie(struct kdc_request_state *state, + krb5_pa_data **cookie) { char *contents; krb5_pa_data *pa = NULL; diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c index e6d4bd2b6..3cef2d714 100644 --- a/src/kdc/kdc_authdata.c +++ b/src/kdc/kdc_authdata.c @@ -39,66 +39,68 @@ #include "../include/krb5/authdata_plugin.h" #if TARGET_OS_MAC -static const char *objdirs[] = { KRB5_AUTHDATA_PLUGIN_BUNDLE_DIR, LIBDIR "/krb5/plugins/authdata", NULL }; /* should be a list */ +static const char *objdirs[] = { KRB5_AUTHDATA_PLUGIN_BUNDLE_DIR, + LIBDIR "/krb5/plugins/authdata", + NULL }; /* should be a list */ #else static const char *objdirs[] = { LIBDIR "/krb5/plugins/authdata", NULL }; #endif /* MIT Kerberos 1.6 (V0) authdata plugin callback */ typedef krb5_error_code (*authdata_proc_0) -(krb5_context, krb5_db_entry *client, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_enc_tkt_part * enc_tkt_reply); + (krb5_context, krb5_db_entry *client, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_enc_tkt_part * enc_tkt_reply); /* MIT Kerberos 1.8 (V2) authdata plugin callback */ typedef krb5_error_code (*authdata_proc_2) -(krb5_context, unsigned int flags, - krb5_db_entry *client, krb5_db_entry *server, - krb5_db_entry *krbtgt, - krb5_keyblock *client_key, - krb5_keyblock *server_key, - krb5_keyblock *krbtgt_key, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_const_principal for_user_princ, - krb5_enc_tkt_part *enc_tkt_request, - krb5_enc_tkt_part *enc_tkt_reply); + (krb5_context, unsigned int flags, + krb5_db_entry *client, krb5_db_entry *server, + krb5_db_entry *krbtgt, + krb5_keyblock *client_key, + krb5_keyblock *server_key, + krb5_keyblock *krbtgt_key, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_const_principal for_user_princ, + krb5_enc_tkt_part *enc_tkt_request, + krb5_enc_tkt_part *enc_tkt_reply); typedef krb5_error_code (*init_proc) -(krb5_context, void **); + (krb5_context, void **); typedef void (*fini_proc) -(krb5_context, void *); + (krb5_context, void *); /* Internal authdata system for copying TGS-REQ authdata to ticket */ static krb5_error_code handle_request_authdata -(krb5_context context, - unsigned int flags, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_db_entry *krbtgt, - krb5_keyblock *client_key, - krb5_keyblock *server_key, - krb5_keyblock *krbtgt_key, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_const_principal for_user_princ, - krb5_enc_tkt_part *enc_tkt_request, - krb5_enc_tkt_part *enc_tkt_reply); + (krb5_context context, + unsigned int flags, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, + krb5_keyblock *client_key, + krb5_keyblock *server_key, + krb5_keyblock *krbtgt_key, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_const_principal for_user_princ, + krb5_enc_tkt_part *enc_tkt_request, + krb5_enc_tkt_part *enc_tkt_reply); /* Internal authdata system for handling KDC-issued authdata */ static krb5_error_code handle_tgt_authdata -(krb5_context context, - unsigned int flags, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_db_entry *krbtgt, - krb5_keyblock *client_key, - krb5_keyblock *server_key, - krb5_keyblock *krbtgt_key, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_const_principal for_user_princ, - krb5_enc_tkt_part *enc_tkt_request, - krb5_enc_tkt_part *enc_tkt_reply); + (krb5_context context, + unsigned int flags, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, + krb5_keyblock *client_key, + krb5_keyblock *server_key, + krb5_keyblock *krbtgt_key, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_const_principal for_user_princ, + krb5_enc_tkt_part *enc_tkt_request, + krb5_enc_tkt_part *enc_tkt_reply); typedef struct _krb5_authdata_systems { const char *name; @@ -118,8 +120,10 @@ typedef struct _krb5_authdata_systems { } krb5_authdata_systems; static krb5_authdata_systems static_authdata_systems[] = { - { "tgs_req", AUTHDATA_SYSTEM_V2, AUTHDATA_FLAG_CRITICAL, NULL, NULL, NULL, { handle_request_authdata } }, - { "tgt", AUTHDATA_SYSTEM_V2, AUTHDATA_FLAG_CRITICAL, NULL, NULL, NULL, { handle_tgt_authdata } }, + { "tgs_req", AUTHDATA_SYSTEM_V2, AUTHDATA_FLAG_CRITICAL, + NULL, NULL, NULL, { handle_request_authdata } }, + { "tgt", AUTHDATA_SYSTEM_V2, AUTHDATA_FLAG_CRITICAL, + NULL, NULL, NULL, { handle_tgt_authdata } }, }; static krb5_authdata_systems *authdata_systems; @@ -153,10 +157,12 @@ load_authdata_plugins(krb5_context context) if (krb5int_get_plugin_dir_data(&authdata_plugins, "authdata_server_2", - &authdata_plugins_ftables_v2, &context->err) != 0 || + &authdata_plugins_ftables_v2, + &context->err) != 0 || krb5int_get_plugin_dir_data(&authdata_plugins, "authdata_server_0", - &authdata_plugins_ftables_v0, &context->err) != 0) { + &authdata_plugins_ftables_v0, + &context->err) != 0) { code = KRB5_PLUGIN_NO_HANDLE; goto cleanup; } @@ -188,7 +194,8 @@ load_authdata_plugins(krb5_context context) / sizeof(static_authdata_systems[0]); /* Build the complete list of supported authdata options, and - * leave room for a terminator entry. */ + * leave room for a terminator entry. + */ authdata_systems = calloc(module_count + 1, sizeof(krb5_authdata_systems)); if (authdata_systems == NULL) { code = ENOMEM; @@ -349,7 +356,7 @@ merge_authdata (krb5_context context, authdata = (krb5_authdata **)calloc(i + 1, sizeof(krb5_authdata *)); } else { authdata = (krb5_authdata **)realloc(authdata, - ((nadata + i + 1) * sizeof(krb5_authdata *))); + ((nadata + i + 1) * sizeof(krb5_authdata *))); } if (authdata == NULL) return ENOMEM; @@ -436,7 +443,8 @@ handle_request_authdata (krb5_context context, } /* scratch now has the authorization data, so we decode it, and make - * it available to subsequent authdata plugins */ + * it available to subsequent authdata plugins + */ code = decode_krb5_authdata(&scratch, &request->unenc_authdata); if (code != 0) { free(scratch.data); diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c index 1eda93ba9..f547f5351 100644 --- a/src/kdc/kdc_preauth.c +++ b/src/kdc/kdc_preauth.c @@ -2,7 +2,7 @@ /* * kdc/kdc_preauth.c * - * Copyright 1995, 2003, 2007 by the Massachusetts Institute of Technology. + * Copyright 1995, 2003, 2007, 2009 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -96,7 +96,9 @@ #include "../include/krb5/preauth_plugin.h" #if TARGET_OS_MAC -static const char *objdirs[] = { KRB5_PLUGIN_BUNDLE_DIR, LIBDIR "/krb5/plugins/preauth", NULL }; /* should be a list */ +static const char *objdirs[] = { KRB5_PLUGIN_BUNDLE_DIR, + LIBDIR "/krb5/plugins/preauth", + NULL }; /* should be a list */ #else static const char *objdirs[] = { LIBDIR "/krb5/plugins/preauth", NULL }; #endif @@ -123,35 +125,38 @@ typedef struct _krb5_preauth_systems { preauth_server_free_reqcontext_proc free_pa_reqctx; } krb5_preauth_systems; -static krb5_error_code verify_enc_timestamp -(krb5_context, krb5_db_entry *client, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data, - preauth_get_entry_data_proc get_entry_data, - void *pa_system_context, - void **pa_request_context, - krb5_data **e_data, - krb5_authdata ***authz_data); - -static krb5_error_code get_enc_ts -(krb5_context, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, - preauth_get_entry_data_proc get_entry_data, - void *pa_system_context, - krb5_pa_data *data); -static krb5_error_code get_etype_info -(krb5_context, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, - preauth_get_entry_data_proc get_entry_data, - void *pa_system_context, - krb5_pa_data *data); +static krb5_error_code +verify_enc_timestamp (krb5_context, krb5_db_entry *client, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data, + preauth_get_entry_data_proc get_entry_data, + void *pa_system_context, + void **pa_request_context, + krb5_data **e_data, + krb5_authdata ***authz_data); + +static krb5_error_code +get_enc_ts(krb5_context, krb5_kdc_req *request, + krb5_db_entry *client, krb5_db_entry *server, + preauth_get_entry_data_proc get_entry_data, + void *pa_system_context, + krb5_pa_data *data); + +static krb5_error_code +get_etype_info(krb5_context, krb5_kdc_req *request, + krb5_db_entry *client, krb5_db_entry *server, + preauth_get_entry_data_proc get_entry_data, + void *pa_system_context, + krb5_pa_data *data); + static krb5_error_code get_etype_info2(krb5_context context, krb5_kdc_req *request, krb5_db_entry *client, krb5_db_entry *server, preauth_get_entry_data_proc get_entry_data, void *pa_system_context, krb5_pa_data *pa_data); + static krb5_error_code etype_info_as_rep_helper(krb5_context context, krb5_pa_data * padata, krb5_db_entry *client, @@ -185,47 +190,47 @@ return_etype_info2(krb5_context, krb5_pa_data * padata, void *pa_system_context, void **pa_request_context); -static krb5_error_code return_pw_salt -(krb5_context, krb5_pa_data * padata, - krb5_db_entry *client, - krb5_data *req_pkt, - krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_key_data *client_key, - krb5_keyblock *encrypting_key, - krb5_pa_data **send_pa, - preauth_get_entry_data_proc get_entry_data, - void *pa_system_context, - void **pa_request_context); +static krb5_error_code +return_pw_salt(krb5_context, krb5_pa_data * padata, + krb5_db_entry *client, + krb5_data *req_pkt, + krb5_kdc_req *request, krb5_kdc_rep *reply, + krb5_key_data *client_key, + krb5_keyblock *encrypting_key, + krb5_pa_data **send_pa, + preauth_get_entry_data_proc get_entry_data, + void *pa_system_context, + void **pa_request_context); /* SAM preauth support */ -static krb5_error_code verify_sam_response -(krb5_context, krb5_db_entry *client, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data, - preauth_get_entry_data_proc get_entry_data, - void *pa_module_context, - void **pa_request_context, - krb5_data **e_data, - krb5_authdata ***authz_data); - -static krb5_error_code get_sam_edata -(krb5_context, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, - preauth_get_entry_data_proc get_entry_data, - void *pa_module_context, - krb5_pa_data *data); -static krb5_error_code return_sam_data -(krb5_context, krb5_pa_data * padata, - krb5_db_entry *client, - krb5_data *req_pkt, - krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_key_data *client_key, - krb5_keyblock *encrypting_key, - krb5_pa_data **send_pa, - preauth_get_entry_data_proc get_entry_data, - void *pa_module_context, - void **pa_request_context); +static krb5_error_code +verify_sam_response(krb5_context, krb5_db_entry *client, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data, + preauth_get_entry_data_proc get_entry_data, + void *pa_module_context, + void **pa_request_context, + krb5_data **e_data, + krb5_authdata ***authz_data); + +static krb5_error_code +get_sam_edata(krb5_context, krb5_kdc_req *request, + krb5_db_entry *client, krb5_db_entry *server, + preauth_get_entry_data_proc get_entry_data, + void *pa_module_context, + krb5_pa_data *data); +static krb5_error_code +return_sam_data(krb5_context, krb5_pa_data * padata, + krb5_db_entry *client, + krb5_data *req_pkt, + krb5_kdc_req *request, krb5_kdc_rep *reply, + krb5_key_data *client_key, + krb5_keyblock *encrypting_key, + krb5_pa_data **send_pa, + preauth_get_entry_data_proc get_entry_data, + void *pa_module_context, + void **pa_request_context); #if APPLE_PKINIT /* PKINIT preauth support */ @@ -464,7 +469,8 @@ load_preauth_plugins(krb5_context context) plugin_context = NULL; server_init_proc = static_preauth_systems[i].init; if ((server_init_proc != NULL) && - ((*server_init_proc)(context, &plugin_context, (const char **)kdc_realm_names) != 0)) { + ((*server_init_proc)(context, &plugin_context, + (const char **)kdc_realm_names) != 0)) { memset(&preauth_systems[k], 0, sizeof(preauth_systems[k])); continue; } @@ -493,17 +499,19 @@ load_preauth_plugins(krb5_context context) server_init_proc = ftable->init_proc; if (server_init_proc != NULL) { krb5_error_code initerr; - initerr = (*server_init_proc)(context, &plugin_context, (const char **)kdc_realm_names); + initerr = (*server_init_proc)(context, &plugin_context, + (const char **)kdc_realm_names); if (initerr) { const char *emsg; emsg = krb5_get_error_message(context, initerr); if (emsg) { krb5_klog_syslog(LOG_ERR, - "preauth %s failed to initialize: %s", - ftable->name, emsg); + "preauth %s failed to initialize: %s", + ftable->name, emsg); krb5_free_error_message(context, emsg); } - memset(&preauth_systems[k], 0, sizeof(preauth_systems[k])); + memset(&preauth_systems[k], 0, + sizeof(preauth_systems[k])); break; /* skip all modules in this plugin */ } @@ -512,7 +520,8 @@ load_preauth_plugins(krb5_context context) preauth_systems[k].name = ftable->name; preauth_systems[k].type = ftable->pa_type_list[j]; if (ftable->flags_proc != NULL) - preauth_systems[k].flags = ftable->flags_proc(context, preauth_systems[k].type); + preauth_systems[k].flags = ftable->flags_proc(context, + preauth_systems[k].type); else preauth_systems[k].flags = 0; preauth_systems[k].plugin_context = plugin_context; @@ -548,7 +557,7 @@ unload_preauth_plugins(krb5_context context) for (i = 0; i < n_preauth_systems; i++) { if (preauth_systems[i].fini != NULL) { (*preauth_systems[i].fini)(context, - preauth_systems[i].plugin_context); + preauth_systems[i].plugin_context); } memset(&preauth_systems[i], 0, sizeof(preauth_systems[i])); } @@ -640,7 +649,8 @@ free_padata_context(krb5_context kcontext, void **padata_context) } /* Retrieve a specified tl_data item from the given entry, and return its - * contents in a new krb5_data, which must be freed by the caller. */ + * contents in a new krb5_data, which must be freed by the caller. + */ static krb5_error_code get_entry_tl_data(krb5_context context, krb5_db_entry *entry, krb5_int16 tl_data_type, krb5_data **result) @@ -886,7 +896,8 @@ sort_pa_order(krb5_context context, krb5_kdc_req *request, int *pa_order) if (request->padata != NULL) { /* Now reorder the subset of modules which replace the key, * bubbling those which handle pa_data types provided by the - * client ahead of the others. */ + * client ahead of the others. + */ for (i = 0; preauth_systems[pa_order[i]].flags & PA_REPLACES_KEY; i++) { continue; } @@ -940,12 +951,13 @@ const char *missing_required_preauth(krb5_db_entry *client, #endif #ifdef DEBUG - krb5_klog_syslog (LOG_DEBUG, - "client needs %spreauth, %shw preauth; request has %spreauth, %shw preauth", - isflagset (client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) ? "" : "no ", - isflagset (client->attributes, KRB5_KDB_REQUIRES_HW_AUTH) ? "" : "no ", - isflagset (enc_tkt_reply->flags, TKT_FLG_PRE_AUTH) ? "" : "no ", - isflagset (enc_tkt_reply->flags, TKT_FLG_HW_AUTH) ? "" : "no "); + krb5_klog_syslog ( + LOG_DEBUG, + "client needs %spreauth, %shw preauth; request has %spreauth, %shw preauth", + isflagset (client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) ? "" : "no ", + isflagset (client->attributes, KRB5_KDB_REQUIRES_HW_AUTH) ? "" : "no ", + isflagset (enc_tkt_reply->flags, TKT_FLG_PRE_AUTH) ? "" : "no ", + isflagset (enc_tkt_reply->flags, TKT_FLG_HW_AUTH) ? "" : "no "); #endif if (isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) && @@ -959,8 +971,9 @@ const char *missing_required_preauth(krb5_db_entry *client, return 0; } -void get_preauth_hint_list(krb5_kdc_req *request, krb5_db_entry *client, - krb5_db_entry *server, krb5_data *e_data) +void +get_preauth_hint_list(krb5_kdc_req *request, krb5_db_entry *client, + krb5_db_entry *server, krb5_data *e_data) { int hw_only; krb5_preauth_systems *ap; @@ -1007,7 +1020,10 @@ void get_preauth_hint_list(krb5_kdc_req *request, krb5_db_entry *client, "%spreauth required but hint list is empty", hw_only ? "hw" : ""); } -/* If we fail to get the cookie it is probably still reasonable to continue with the response*/ + /* + * If we fail to get the cookie it is probably + * still reasonable to continue with the response + */ kdc_preauth_get_cookie(request->kdc_state, pa); retval = encode_krb5_padata_sequence(pa_data, &edat); if (retval) @@ -1266,7 +1282,8 @@ return_padata(krb5_context context, krb5_db_entry *client, krb5_data *req_pkt, void ** pa_context; krb5_boolean key_modified; krb5_keyblock original_key; - if ((!*padata_context)&& (make_padata_context(context, padata_context) != 0)) { + if ((!*padata_context) && + (make_padata_context(context, padata_context) != 0)) { return KRB5KRB_ERR_GENERIC; } @@ -1322,7 +1339,8 @@ return_padata(krb5_context context, krb5_db_entry *client, krb5_data *req_pkt, } } } - if ((retval = ap->return_padata(context, pa, client, req_pkt, request, reply, + if ((retval = ap->return_padata(context, pa, client, req_pkt, + request, reply, client_key, encrypting_key, send_pa, get_entry_data, ap->plugin_context, pa_context))) { @@ -1346,11 +1364,12 @@ cleanup: free(pa_order); if (send_pa_list) krb5_free_pa_data(context, send_pa_list); + return (retval); } static krb5_boolean -request_contains_enctype (krb5_context context, const krb5_kdc_req *request, +request_contains_enctype(krb5_context context, const krb5_kdc_req *request, krb5_enctype enctype) { int i; @@ -1360,12 +1379,12 @@ request_contains_enctype (krb5_context context, const krb5_kdc_req *request, return 0; } -static krb5_error_code get_enc_ts -(krb5_context context, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, - preauth_get_entry_data_proc get_entry_data_proc, - void *pa_system_context, - krb5_pa_data *data) +static krb5_error_code +get_enc_ts(krb5_context context, krb5_kdc_req *request, + krb5_db_entry *client, krb5_db_entry *server, + preauth_get_entry_data_proc get_entry_data_proc, + void *pa_system_context, + krb5_pa_data *data) { struct kdc_request_state *state = request->kdc_state; if (state->armor_key) @@ -1480,6 +1499,7 @@ cleanup: */ if (retval == KRB5_KDB_NO_MATCHING_KEY && decrypt_err != 0) retval = decrypt_err; + return retval; } @@ -2025,18 +2045,19 @@ get_sam_edata(krb5_context context, krb5_kdc_req *request, memset(&sc, 0, sizeof(sc)); memset(&psr, 0, sizeof(psr)); - /* Given the client name we can figure out what type of preauth - they need. The spec is currently for querying the database for - names that match the types of preauth used. Later we should - make this mapping show up in kdc.conf. In the meantime, we - hardcode the following: - /SNK4 -- Digital Pathways SNK/4 preauth. - /GRAIL -- experimental preauth - The first one found is used. See sam_inst_map above. - - For SNK4 in particular, the key in the database is the key for - the device; kadmin needs a special interface for it. - */ + /* + * Given the client name we can figure out what type of preauth + * they need. The spec is currently for querying the database for + * names that match the types of preauth used. Later we should + * make this mapping show up in kdc.conf. In the meantime, we + * hardcode the following: + * /SNK4 -- Digital Pathways SNK/4 preauth. + * /GRAIL -- experimental preauth + * The first one found is used. See sam_inst_map above. + * + * For SNK4 in particular, the key in the database is the key for + * the device; kadmin needs a special interface for it. + */ { int npr = 1; @@ -2090,8 +2111,8 @@ get_sam_edata(krb5_context context, krb5_kdc_req *request, &tmp_mkey_list) == 0) { krb5_dbe_free_key_list(context, master_keylist); master_keylist = tmp_mkey_list; - if ((retval = krb5_dbe_find_mkey(context, master_keylist, &assoc, - &mkey_ptr))) { + if ((retval = krb5_dbe_find_mkey(context, master_keylist, + &assoc, &mkey_ptr))) { return (retval); } } else { @@ -2103,7 +2124,7 @@ get_sam_edata(krb5_context context, krb5_kdc_req *request, retval = krb5_dbe_find_enctype(kdc_context, &assoc, ENCTYPE_DES_CBC_RAW, KRB5_KDB_SALTTYPE_NORMAL, - 0, /* Get highest kvno */ + 0, /* Get highest kvno */ &assoc_key); if (retval) { char *sname; @@ -2626,12 +2647,12 @@ static krb5_error_code verify_pkinit_request( &client_ctime, &client_cusec, &nonce, &pa_cksum, &cert_sig_status, - NULL, NULL, /* num_cms_types, cms_types */ + NULL, NULL,/* num_cms_types, cms_types */ &client_cert, /* signer_cert */ /* remaining fields unused (for now) */ - NULL, NULL, /* num_all_certs, all_certs */ - NULL, NULL, /* num_trusted_CAs, trusted_CAs */ - NULL); /* kdc_cert */ + NULL, NULL,/* num_all_certs, all_certs */ + NULL, NULL,/* num_trusted_CAs, trusted_CAs */ + NULL); /* kdc_cert */ if(krtn) { kdcPkinitDebug("pa_pk_as_req_parse returned %d; PKINIT aborting.\n", (int)krtn); @@ -2870,17 +2891,18 @@ static krb5_error_code return_pkinit_response( * We've already verified; just obtain the fields we need to create a response */ krtn = krb5int_pkinit_as_req_parse(context, - &pa_data, - NULL, NULL, &nonce, /* ctime, cusec, nonce */ - NULL, NULL, /* pa_cksum, cert_status */ - &num_cms_types, &cms_types, - &client_cert, /* signer_cert: we encrypt for this */ - /* remaining fields unused (for now) */ - NULL, NULL, /* num_all_certs, all_certs */ - &num_trusted_CAs, &trusted_CAs, - &kdc_cert); + &pa_data, + NULL, NULL, &nonce, /* ctime, cusec, nonce */ + NULL, NULL, /* pa_cksum, cert_status */ + &num_cms_types, &cms_types, + &client_cert, /* signer_cert: we encrypt for this */ + /* remaining fields unused (for now) */ + NULL, NULL, /* num_all_certs, all_certs */ + &num_trusted_CAs, &trusted_CAs, + &kdc_cert); if(krtn) { - kdcPkinitDebug("pa_pk_as_req_parse returned %d; PKINIT aborting.\n", (int)krtn); + kdcPkinitDebug("pa_pk_as_req_parse returned %d; PKINIT aborting.\n", + (int)krtn); goto cleanup; } if(client_cert.data == NULL) { @@ -2933,14 +2955,16 @@ static krb5_error_code return_pkinit_response( * ReplyKeyPack with here. This may need rethinking. */ krtn = krb5int_pkinit_as_rep_create(context, - encrypting_key, &as_req_checksum, signing_cert, TRUE, + encrypting_key, &as_req_checksum, + signing_cert, TRUE, &client_cert, num_cms_types, cms_types, num_trusted_CAs, trusted_CAs, (kdc_cert.data ? &kdc_cert : NULL), &pa_data); if(krtn) { - kdcPkinitDebug("pa_pk_as_rep_create returned %d; PKINIT aborting.\n", (int)krtn); + kdcPkinitDebug("pa_pk_as_rep_create returned %d; PKINIT aborting.\n", + (int)krtn); goto cleanup; } @@ -3089,7 +3113,8 @@ static krb5_error_code return_server_referral(krb5_context context, krb5_pa_data * padata, krb5_db_entry *client, krb5_db_entry *server, - krb5_kdc_req *request, krb5_kdc_rep *reply, + krb5_kdc_req *request, + krb5_kdc_rep *reply, krb5_key_data *client_key, krb5_keyblock *encrypting_key, krb5_pa_data **send_pa) -- 2.26.2