From b802a4d4ec3e94a7ae8766e702c4cf1be47b5bf6 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Tue, 20 Jul 2010 08:52:41 +0000 Subject: [PATCH] Get the kdb_hdb module to compile again. Probably still buggy, particularly around the master key logic. ticket: 6749 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24193 dc483132-0cff-0310-8789-dd5450dbe970 --- src/plugins/kdb/hdb/kdb_hdb.c | 296 +++++++----------------------- src/plugins/kdb/hdb/kdb_hdb.h | 32 +++- src/plugins/kdb/hdb/kdb_marshal.c | 14 +- src/plugins/kdb/hdb/kdb_windc.c | 112 +++++------ 4 files changed, 161 insertions(+), 293 deletions(-) diff --git a/src/plugins/kdb/hdb/kdb_hdb.c b/src/plugins/kdb/hdb/kdb_hdb.c index 89b06513d..23039b7be 100644 --- a/src/plugins/kdb/hdb/kdb_hdb.c +++ b/src/plugins/kdb/hdb/kdb_hdb.c @@ -40,8 +40,10 @@ #include "kdb_hdb.h" static krb5_error_code -kh_init(void) +kh_init(int dal_version) { + if (dal_version != KRB5_KDB_DAL_VERSION) + return KRB5_KDB_DBTYPE_MISMATCH; return 0; } @@ -92,7 +94,7 @@ kh_map_error(heim_error_code code) code = KRB5_KDB_NOMASTERKEY; break; case HDB_ERR_MANDATORY_OPTION: - code = KRB5_KDB_DBTYPE_NOSUP; + code = KRB5_PLUGIN_OP_NOTSUPP; break; default: break; @@ -190,7 +192,7 @@ kh_db_context_init(krb5_context context, (void **)&hdb_interface_version, &errinfo) == 0 && *hdb_interface_version != HDB_INTERFACE_VERSION) { - code = KRB5_KDB_DBTYPE_NOSUP; + code = KRB5_PLUGIN_OP_NOTSUPP; goto cleanup; } @@ -413,7 +415,7 @@ kh_hdb_rename(krb5_context context, heim_error_code hcode; if (kh->hdb->hdb_rename == NULL) - return KRB5_KDB_DBTYPE_NOSUP; + return KRB5_PLUGIN_OP_NOTSUPP; hcode = (*kh->hdb->hdb_rename)(kh->hcontext, kh->hdb, name); @@ -462,18 +464,6 @@ kh_hdb_unseal_key(krb5_context context, return kh_map_error(hcode); } -static krb5_error_code -kh_hdb_set_master_key(krb5_context context, - kh_db_context *kh, - EncryptionKey *key) -{ - heim_error_code hcode; - - hcode = (*kh->hdb_set_master_key)(kh->hcontext, kh->hdb, key); - - return kh_map_error(hcode); -} - void kh_hdb_free_entry(krb5_context context, kh_db_context *kh, @@ -491,6 +481,8 @@ kh_kdb_free_entry(krb5_context context, krb5_tl_data *tl_data = NULL; int i, j; + if (entry == NULL) + return; if (entry->e_data != NULL) { assert(entry->e_length == sizeof(hdb_entry_ex)); kh_hdb_free_entry(context, kh, KH_DB_ENTRY(entry)); @@ -525,7 +517,7 @@ kh_kdb_free_entry(krb5_context context, free(entry->key_data); } - memset(entry, 0, sizeof(*entry)); + free(entry); } static krb5_error_code @@ -537,7 +529,7 @@ kh_db_create(krb5_context context, krb5_error_code code; if (kh == NULL) - return KRB5_KDB_DBTYPE_NOSUP; + return KRB5_PLUGIN_OP_NOTSUPP; code = k5_mutex_lock(kh->lock); if (code != 0) @@ -550,22 +542,6 @@ kh_db_create(krb5_context context, return code; } -static krb5_error_code -kh_db_destroy(krb5_context context, - char *conf_section, - char **db_args) -{ - return KRB5_KDB_DBTYPE_NOSUP; -} - -static krb5_error_code -kh_db_get_age(krb5_context context, - char *db_name, - time_t *age) -{ - return KRB5_KDB_DBTYPE_NOSUP; -} - static krb5_error_code kh_db_lock(krb5_context context, int kmode) { @@ -574,7 +550,7 @@ kh_db_lock(krb5_context context, int kmode) enum hdb_lockop hmode; if (kh == NULL) - return KRB5_KDB_DBTYPE_NOSUP; + return KRB5_PLUGIN_OP_NOTSUPP; code = k5_mutex_lock(kh->lock); if (code != 0) @@ -599,7 +575,7 @@ kh_db_unlock(krb5_context context) krb5_error_code code; if (kh == NULL) - return KRB5_KDB_DBTYPE_NOSUP; + return KRB5_PLUGIN_OP_NOTSUPP; code = k5_mutex_lock(kh->lock); if (code != 0) @@ -617,12 +593,14 @@ kh_get_principal(krb5_context context, kh_db_context *kh, krb5_const_principal princ, unsigned int hflags, - krb5_db_entry *kentry) + krb5_db_entry **kentry) { krb5_error_code code; Principal *hprinc = NULL; hdb_entry_ex *hentry = NULL; + *kentry = NULL; + code = kh_marshal_Principal(context, princ, &hprinc); if (code != 0) return code; @@ -648,8 +626,8 @@ kh_get_principal(krb5_context context, code = kh_unmarshal_hdb_entry(context, &hentry->entry, kentry); if (code == 0) { - kentry->e_length = sizeof(*hentry); - kentry->e_data = (krb5_octet *)hentry; + (*kentry)->e_length = sizeof(*hentry); + (*kentry)->e_data = (krb5_octet *)hentry; } else { kh_hdb_free_entry(context, kh, hentry); free(hentry); @@ -682,15 +660,18 @@ static krb5_error_code kh_get_master_key_principal(krb5_context context, kh_db_context *kh, krb5_const_principal princ, - krb5_db_entry *kentry, - int *nentries) + krb5_db_entry **kentry_ptr) { krb5_error_code code; krb5_key_data *key_data; krb5_timestamp now; + krb5_db_entry *kentry; + + *kentry_ptr = NULL; - memset(kentry, 0, sizeof(*kentry)); - *nentries = 0; + kentry = k5alloc(sizeof(*kentry), &code); + if (kentry == NULL) + return code; kentry->magic = KRB5_KDB_MAGIC_NUMBER; kentry->len = KRB5_KDB_V1_BASE_LENGTH; @@ -725,7 +706,7 @@ kh_get_master_key_principal(krb5_context context, key_data->key_data_kvno = 1; key_data->key_data_type[0] = ENCTYPE_UNKNOWN; - *nentries = 1; + *kentry_ptr = kentry; return 0; } @@ -734,24 +715,19 @@ static krb5_error_code kh_db_get_principal(krb5_context context, krb5_const_principal princ, unsigned int kflags, - krb5_db_entry *kentry, - int *nentries, - krb5_boolean *more) + krb5_db_entry **kentry) { krb5_error_code code; kh_db_context *kh = KH_DB_CONTEXT(context); unsigned int hflags; - *nentries = 0; - *more = FALSE; - memset(kentry, 0, sizeof(*kentry)); + *kentry = NULL; if (kh == NULL) return KRB5_KDB_DBNOTINITED; if (kh_is_master_key_principal(context, princ)) - return kh_get_master_key_principal(context, kh, princ, - kentry, nentries); + return kh_get_master_key_principal(context, kh, princ, kentry); code = k5_mutex_lock(kh->lock); if (code != 0) @@ -769,41 +745,25 @@ kh_db_get_principal(krb5_context context, hflags |= HDB_F_GET_ANY; code = kh_get_principal(context, kh, princ, hflags, kentry); - switch (code) { - case 0: - *nentries = 1; - break; - case KRB5_KDB_NOENTRY: - code = 0; - break; - default: - break; - } - k5_mutex_unlock(kh->lock); return code; } -static krb5_error_code +static void kh_db_free_principal(krb5_context context, - krb5_db_entry *entry, - int count) + krb5_db_entry *entry) { kh_db_context *kh = KH_DB_CONTEXT(context); krb5_error_code code; - int i; code = k5_mutex_lock(kh->lock); if (code != 0) - return code; + return; - for (i = 0; i < count; i++) - kh_kdb_free_entry(context, kh, &entry[i]); + kh_kdb_free_entry(context, kh, entry); k5_mutex_unlock(kh->lock); - - return 0; } static krb5_error_code @@ -861,13 +821,11 @@ cleanup: static krb5_error_code kh_db_put_principal(krb5_context context, - krb5_db_entry *entries, - int *nentries, + krb5_db_entry *entry, char **db_args) { krb5_error_code code; kh_db_context *kh = KH_DB_CONTEXT(context); - int i; if (kh == NULL) return KRB5_KDB_DBNOTINITED; @@ -876,11 +834,7 @@ kh_db_put_principal(krb5_context context, if (code != 0) return code; - for (i = 0; i < *nentries; i++) { - code = kh_put_principal(context, kh, &entries[i]); - if (code != 0) - break; - } + code = kh_put_principal(context, kh, entry); k5_mutex_unlock(kh->lock); @@ -915,8 +869,7 @@ kh_delete_principal(krb5_context context, static krb5_error_code kh_db_delete_principal(krb5_context context, - krb5_const_principal princ, - int *nentries) + krb5_const_principal princ) { krb5_error_code code; kh_db_context *kh = KH_DB_CONTEXT(context); @@ -930,8 +883,6 @@ kh_db_delete_principal(krb5_context context, code = kh_delete_principal(context, kh, princ); - *nentries = (code == 0) ? 1 : 0; - k5_mutex_unlock(kh->lock); return code; @@ -963,11 +914,11 @@ kh_db_iterate(krb5_context context, code = kh_hdb_firstkey(context, kh, hflags, &hentry); while (code == 0) { - krb5_db_entry kentry; + krb5_db_entry *kentry; if (kh_unmarshal_hdb_entry(context, &hentry.entry, &kentry) == 0) { - code = (*func)(func_arg, &kentry); - kh_kdb_free_entry(context, kh, &kentry); + code = (*func)(func_arg, kentry); + kh_kdb_free_entry(context, kh, kentry); } kh_hdb_free_entry(context, kh, &hentry); @@ -979,14 +930,12 @@ kh_db_iterate(krb5_context context, } if (code == KRB5_KDB_NOENTRY) { - krb5_db_entry kentry; - int nentries; + krb5_db_entry *kentry; /* Return the fake master key principal */ - if (kh_get_master_key_principal(context, kh, NULL, - &kentry, &nentries) == 0) { - code = (*func)(func_arg, &kentry); - kh_kdb_free_entry(context, kh, &kentry); + if (kh_get_master_key_principal(context, kh, NULL, &kentry) == 0) { + code = (*func)(func_arg, kentry); + kh_kdb_free_entry(context, kh, kentry); } code = 0; @@ -1046,59 +995,6 @@ kh_db_free(krb5_context context, void *ptr) free(ptr); } -static krb5_error_code -kh_set_master_key(krb5_context context, - char *pwd, - krb5_keyblock *kkey) -{ - kh_db_context *kh = KH_DB_CONTEXT(context); - krb5_error_code code; - EncryptionKey hkey; - - if (kh == NULL) - return KRB5_KDB_DBNOTINITED; - - if (kkey->enctype == ENCTYPE_UNKNOWN) - return 0; - - code = k5_mutex_lock(kh->lock); - if (code != 0) - return code; - - KH_MARSHAL_KEY(kkey, &hkey); - - code = kh_hdb_set_master_key(context, kh, &hkey); - - k5_mutex_unlock(kh->lock); - - return code; -} - -static krb5_error_code -kh_get_master_key(krb5_context context, - krb5_keyblock **pkey) -{ - krb5_error_code code; - krb5_keyblock *key; - - /* - * The Heimdal master key interface is opaque; we can't - * return the master key without poking into internal data - * structures that would make this bridge even more brittle. - * So, we just return a dummy key. - */ - key = k5alloc(sizeof(krb5_keyblock), &code); - if (code != 0) - return code; - - key->magic = KV5M_KEYBLOCK; - key->enctype = ENCTYPE_UNKNOWN; - - *pkey = key; - - return 0; -} - static krb5_error_code kh_promote_db(krb5_context context, char *conf_section, @@ -1112,7 +1008,7 @@ kh_promote_db(krb5_context context, return KRB5_KDB_DBNOTINITED; if (kh->hdb->hdb_name == NULL) - return KRB5_KDB_DBTYPE_NOSUP; + return KRB5_PLUGIN_OP_NOTSUPP; if (asprintf(&name, "%s~", kh->hdb->hdb_name) < 0) return ENOMEM; @@ -1195,7 +1091,7 @@ kh_dbekd_decrypt_key_data(krb5_context context, return KRB5_KDB_DBNOTINITED; if (mkey->enctype != ENCTYPE_UNKNOWN) - code = krb5_dbekd_def_decrypt_key_data(context, mkey, key_data, + code = krb5_dbe_def_decrypt_key_data(context, mkey, key_data, kkey, keysalt); else code = kh_decrypt_key(context, kh, key_data, kkey, keysalt); @@ -1271,8 +1167,8 @@ kh_dbekd_encrypt_key_data(krb5_context context, /* For migration */ if (mkey->enctype != ENCTYPE_UNKNOWN) - code = krb5_dbekd_def_encrypt_key_data(context, mkey, kkey, - keysalt, keyver, key_data); + code = krb5_dbe_def_encrypt_key_data(context, mkey, kkey, + keysalt, keyver, key_data); else code = kh_encrypt_key(context, kh, kkey, keysalt, keyver, key_data); @@ -1285,19 +1181,17 @@ kh_dbekd_encrypt_key_data(krb5_context context, static krb5_error_code kh_db_check_allowed_to_delegate(krb5_context context, - unsigned int method, - const krb5_data *req_data, - krb5_data *rep_data) + krb5_const_principal client, + const krb5_db_entry *server, + krb5_const_principal proxy) { - kdb_check_allowed_to_delegate_req *req; krb5_error_code code; hdb_entry_ex *hentry; HDB_extension *ext; HDB_Ext_Constrained_delegation_acl *acl; unsigned int i; - req = (kdb_check_allowed_to_delegate_req *)req_data->data; - hentry = KH_DB_ENTRY(req->server); + hentry = KH_DB_ENTRY(server); ext = kh_hdb_find_extension(&hentry->entry, choice_HDB_extension_data_allowed_to_delegate_to); @@ -1310,7 +1204,7 @@ kh_db_check_allowed_to_delegate(krb5_context context, krb5_principal princ; if (kh_unmarshal_Principal(context, &acl->val[i], &princ) == 0) { - if (krb5_principal_compare(context, req->proxy, princ)) { + if (krb5_principal_compare(context, proxy, princ)) { code = 0; krb5_free_principal(context, princ); break; @@ -1323,51 +1217,6 @@ kh_db_check_allowed_to_delegate(krb5_context context, return code; } -static struct _kh_invoke_fn { - unsigned int method; - krb5_error_code (*function)(krb5_context, unsigned int, - const krb5_data *, krb5_data *); -} kh_invoke_vtable[] = { - { KRB5_KDB_METHOD_CHECK_POLICY_AS, kh_db_check_policy_as }, - { KRB5_KDB_METHOD_SIGN_AUTH_DATA, kh_db_sign_auth_data }, - { KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE, kh_db_check_allowed_to_delegate }, -}; - -static krb5_error_code -kh_db_invoke(krb5_context context, - unsigned int method, - const krb5_data *req, - krb5_data *rep) -{ - kh_db_context *kh = KH_DB_CONTEXT(context); - size_t i; - krb5_error_code code; - - if (kh == NULL) - return KRB5_KDB_DBNOTINITED; - - code = k5_mutex_lock(kh->lock); - if (code != 0) - return code; - - code = KRB5_KDB_DBTYPE_NOSUP; - - for (i = 0; - i < sizeof(kh_invoke_vtable) / sizeof(kh_invoke_vtable[0]); - i++) { - struct _kh_invoke_fn *fn = &kh_invoke_vtable[i]; - - if (fn->method == method) { - code = (*fn->function)(context, method, req, rep); - break; - } - } - - k5_mutex_unlock(kh->lock); - - return code; -} - kdb_vftabl kdb_function_table = { 1, 0, @@ -1376,8 +1225,8 @@ kdb_vftabl kdb_function_table = { kh_init_module, kh_fini_module, kh_db_create, - kh_db_destroy, - kh_db_get_age, + NULL, /* destroy */ + NULL, /* get_age */ kh_db_lock, kh_db_unlock, kh_db_get_principal, @@ -1385,32 +1234,29 @@ kdb_vftabl kdb_function_table = { kh_db_put_principal, kh_db_delete_principal, kh_db_iterate, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, + NULL, /* create_policy */ + NULL, /* get_policy */ + NULL, /* put_policy */ + NULL, /* iter_policy */ + NULL, /* delete_policy */ + NULL, /* free_policy */ kh_db_alloc, kh_db_free, - kh_set_master_key, - kh_get_master_key, - NULL, - NULL, - NULL, - NULL, + NULL, /* set_master_key_list */ + NULL, /* get_master_key_list */ kh_fetch_master_key, - NULL, kh_fetch_master_key_list, - NULL, - NULL, - NULL, + NULL, /* store_master_key_list */ + NULL, /* dbe_search_enctype */ + NULL, /* change_pwd */ kh_promote_db, kh_dbekd_decrypt_key_data, kh_dbekd_encrypt_key_data, - kh_db_invoke, + kh_db_sign_auth_data, + NULL, /* check_transited_realms */ + kh_db_check_policy_as, + NULL, /* check_policy_tgs */ + NULL, /* audit_as_req */ + NULL, /* refresh_config */ + kh_db_check_allowed_to_delegate }; diff --git a/src/plugins/kdb/hdb/kdb_hdb.h b/src/plugins/kdb/hdb/kdb_hdb.h index 0d04059b5..161b68ab0 100644 --- a/src/plugins/kdb/hdb/kdb_hdb.h +++ b/src/plugins/kdb/hdb/kdb_hdb.h @@ -90,7 +90,7 @@ kh_get_principal(krb5_context context, kh_db_context *kh, krb5_const_principal princ, unsigned int hflags, - krb5_db_entry *kentry); + krb5_db_entry **kentry); void kh_kdb_free_entry(krb5_context context, @@ -142,7 +142,7 @@ kh_free_HostAddresses(krb5_context context, krb5_error_code kh_unmarshal_hdb_entry(krb5_context context, const hdb_entry *hentry, - krb5_db_entry *kentry); + krb5_db_entry **kentry); krb5_error_code kh_marshal_hdb_entry(krb5_context context, @@ -152,16 +152,28 @@ kh_marshal_hdb_entry(krb5_context context, /* kdb_windc.c */ krb5_error_code -kh_db_sign_auth_data(krb5_context context, - unsigned int method, - const krb5_data *req_data, - krb5_data *rep_data); +kh_db_sign_auth_data(krb5_context kcontext, + unsigned int flags, + krb5_const_principal client_princ, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, + krb5_keyblock *client_key, + krb5_keyblock *server_key, + krb5_keyblock *krbtgt_key, + krb5_keyblock *session_key, + krb5_timestamp authtime, + krb5_authdata **tgt_auth_data, + krb5_authdata ***signed_auth_data); krb5_error_code -kh_db_check_policy_as(krb5_context context, - unsigned int method, - const krb5_data *req_data, - krb5_data *rep_data); +kh_db_check_policy_as(krb5_context kcontext, + krb5_kdc_req *request, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_timestamp kdc_time, + const char **status, + krb5_data *e_data); krb5_error_code kh_hdb_windc_init(krb5_context context, diff --git a/src/plugins/kdb/hdb/kdb_marshal.c b/src/plugins/kdb/hdb/kdb_marshal.c index 624b17fc7..ca5883552 100644 --- a/src/plugins/kdb/hdb/kdb_marshal.c +++ b/src/plugins/kdb/hdb/kdb_marshal.c @@ -743,13 +743,16 @@ cleanup: krb5_error_code kh_unmarshal_hdb_entry(krb5_context context, const hdb_entry *hentry, - krb5_db_entry *kentry) + krb5_db_entry **kentry_ptr) { kh_db_context *kh = KH_DB_CONTEXT(context); + krb5_db_entry *kentry; krb5_error_code code; unsigned int i; - memset(kentry, 0, sizeof(*kentry)); + kentry = k5alloc(sizeof(*kentry), &code); + if (kentry == NULL) + return code; kentry->magic = KRB5_KDB_MAGIC_NUMBER; kentry->len = KRB5_KDB_V1_BASE_LENGTH; @@ -801,9 +804,10 @@ kh_unmarshal_hdb_entry(krb5_context context, kentry->n_key_data++; } -cleanup: - if (code != 0) - kh_kdb_free_entry(context, kh, kentry); + *kentry_ptr = kentry; + kentry = NULL; +cleanup: + kh_kdb_free_entry(context, kh, kentry); return code; } diff --git a/src/plugins/kdb/hdb/kdb_windc.c b/src/plugins/kdb/hdb/kdb_windc.c index 6c8db85ff..fdd4efcbf 100644 --- a/src/plugins/kdb/hdb/kdb_windc.c +++ b/src/plugins/kdb/hdb/kdb_windc.c @@ -173,7 +173,7 @@ kh_get_tgs_key(krb5_context context, krb5_error_code code; krb5_principal tgsname = NULL; krb5_key_data *krbtgt_key = NULL; - krb5_db_entry krbtgt; + krb5_db_entry *krbtgt; memset(&krbtgt, 0, sizeof(krbtgt)); krbtgt_keyblock->contents = NULL; @@ -195,7 +195,7 @@ kh_get_tgs_key(krb5_context context, goto cleanup; code = krb5_dbe_find_enctype(context, - &krbtgt, + krbtgt, -1, /* ignore enctype */ -1, /* ignore salttype */ 0, /* highest kvno */ @@ -216,7 +216,7 @@ kh_get_tgs_key(krb5_context context, goto cleanup; cleanup: - kh_kdb_free_entry(context, KH_DB_CONTEXT(context), &krbtgt); + kh_kdb_free_entry(context, KH_DB_CONTEXT(context), krbtgt); krb5_free_principal(context, tgsname); return code; @@ -224,13 +224,20 @@ cleanup: krb5_error_code kh_db_sign_auth_data(krb5_context context, - unsigned int method, - const krb5_data *req_data, - krb5_data *rep_data) + unsigned int flags, + krb5_const_principal client_princ, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, + krb5_keyblock *client_key, + krb5_keyblock *server_key, + krb5_keyblock *krbtgt_key, + krb5_keyblock *session_key, + krb5_timestamp authtime, + krb5_authdata **tgt_auth_data, + krb5_authdata ***signed_auth_data) { kh_db_context *kh = KH_DB_CONTEXT(context); - kdb_sign_auth_data_req *req = (kdb_sign_auth_data_req *)req_data->data; - kdb_sign_auth_data_rep *rep = (kdb_sign_auth_data_rep *)rep_data->data; heim_pac hpac = NULL; heim_octet_string pac_data; krb5_boolean is_as_req; @@ -241,31 +248,32 @@ kh_db_sign_auth_data(krb5_context context, EncryptionKey krbtgt_hkey; krb5_keyblock krbtgt_kkey; + *signed_auth_data = NULL; + if (kh->windc == NULL) return KRB5_KDB_DBTYPE_NOSUP; /* short circuit */ - memset(rep, 0, sizeof(*rep)); memset(&krbtgt_kkey, 0, sizeof(krbtgt_kkey)); pac_data.data = NULL; - is_as_req = ((req->flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0); + is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0); /* Prefer canonicalised name from client entry */ - if (req->client != NULL) { - client_hprinc = KH_DB_ENTRY(req->client)->entry.principal; + if (client != NULL) { + client_hprinc = KH_DB_ENTRY(client)->entry.principal; } else { - code = kh_marshal_Principal(context, req->client_princ, &client_hprinc); + code = kh_marshal_Principal(context, client_princ, &client_hprinc); if (code != 0) goto cleanup; } - KH_MARSHAL_KEY(req->server_key, &server_hkey); - KH_MARSHAL_KEY(req->krbtgt_key, &krbtgt_hkey); + KH_MARSHAL_KEY(server_key, &server_hkey); + KH_MARSHAL_KEY(krbtgt_key, &krbtgt_hkey); if (!is_as_req) { /* find the existing PAC, if present */ code = krb5int_find_authdata(context, - req->auth_data, + tgt_auth_data, NULL, KRB5_AUTHDATA_WIN2K_PAC, &authdata); @@ -273,10 +281,9 @@ kh_db_sign_auth_data(krb5_context context, goto cleanup; } - if ((is_as_req && (req->flags & KRB5_KDB_FLAG_INCLUDE_PAC)) || - (authdata == NULL && req->client != NULL)) { - code = kh_windc_pac_generate(context, kh, - KH_DB_ENTRY(req->client), &hpac); + if ((is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) || + (authdata == NULL && client != NULL)) { + code = kh_windc_pac_generate(context, kh, KH_DB_ENTRY(client), &hpac); if (code != 0) goto cleanup; } else if (authdata != NULL) { @@ -299,20 +306,19 @@ kh_db_sign_auth_data(krb5_context context, * ticket rather than a TGT; we must verify the server and KDC * signatures to assert that the server did not forge the PAC. */ - if (req->flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) { - code = kh_pac_verify(context, hpac, req->authtime, + if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) { + code = kh_pac_verify(context, hpac, authtime, client_hprinc, &server_hkey, &krbtgt_hkey); } else { - code = kh_pac_verify(context, hpac, req->authtime, + code = kh_pac_verify(context, hpac, authtime, client_hprinc, &krbtgt_hkey, NULL); } if (code != 0) goto cleanup; code = kh_windc_pac_verify(context, kh, client_hprinc, - req->client ? - KH_DB_ENTRY(req->client) : NULL, - KH_DB_ENTRY(req->server), + client ? KH_DB_ENTRY(client) : NULL, + KH_DB_ENTRY(server), &hpac); if (code != 0) goto cleanup; @@ -325,17 +331,17 @@ kh_db_sign_auth_data(krb5_context context, * In the cross-realm case, krbtgt_hkey refers to the cross-realm * TGS key, so we need to explicitly lookup our TGS key. */ - if (req->flags & KRB5_KDB_FLAG_CROSS_REALM) { + if (flags & KRB5_KDB_FLAG_CROSS_REALM) { assert(!is_as_req); - code = kh_get_tgs_key(context, kh, req->server->princ, &krbtgt_kkey); + code = kh_get_tgs_key(context, kh, server->princ, &krbtgt_kkey); if (code != 0) goto cleanup; KH_MARSHAL_KEY(&krbtgt_kkey, &krbtgt_hkey); } - code = kh_pac_sign(context, hpac, req->authtime, client_hprinc, + code = kh_pac_sign(context, hpac, authtime, client_hprinc, &server_hkey, &krbtgt_hkey, &pac_data); if (code != 0) goto cleanup; @@ -367,12 +373,12 @@ kh_db_sign_auth_data(krb5_context context, code = krb5_encode_authdata_container(context, KRB5_AUTHDATA_IF_RELEVANT, authdata, - &rep->auth_data); + signed_auth_data); if (code != 0) goto cleanup; cleanup: - if (req->client == NULL) + if (client == NULL) kh_free_Principal(context, client_hprinc); kh_pac_free(context, hpac); if (pac_data.data != NULL) @@ -486,16 +492,16 @@ kh_marshall_HostAddresses(krb5_context context, krb5_error_code kh_db_check_policy_as(krb5_context context, - unsigned int method, - const krb5_data *req_data, - krb5_data *rep_data) + krb5_kdc_req *request, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_timestamp kdc_time, + const char **status, + krb5_data *e_data) { kh_db_context *kh = KH_DB_CONTEXT(context); - kdb_check_policy_as_req *req = (kdb_check_policy_as_req *)req_data->data; - kdb_check_policy_as_rep *rep = (kdb_check_policy_as_rep *)rep_data->data; krb5_error_code code; - heim_octet_string e_data; - krb5_kdc_req *kkdcreq = req->request; + heim_octet_string he_data; KDC_REQ hkdcreq; Principal *hclient = NULL; Principal *hserver = NULL; @@ -507,19 +513,19 @@ kh_db_check_policy_as(krb5_context context, memset(&hkdcreq, 0, sizeof(hkdcreq)); hkdcreq.pvno = KRB5_PVNO; - hkdcreq.msg_type = kkdcreq->msg_type; + hkdcreq.msg_type = request->msg_type; hkdcreq.padata = NULL; /* FIXME */ code = kh_marshal_KDCOptions(context, - kkdcreq->kdc_options, + request->kdc_options, &hkdcreq.req_body.kdc_options); if (code != 0) goto cleanup; - code = kh_marshal_Principal(context, kkdcreq->client, &hclient); + code = kh_marshal_Principal(context, request->client, &hclient); if (code != 0) goto cleanup; - code = kh_marshal_Principal(context, kkdcreq->server, &hserver); + code = kh_marshal_Principal(context, request->server, &hserver); if (code != 0) goto cleanup; @@ -527,16 +533,16 @@ kh_db_check_policy_as(krb5_context context, hkdcreq.req_body.realm = hserver->realm; hkdcreq.req_body.sname = &hserver->name; - from = kkdcreq->from; hkdcreq.req_body.from = &from; - till = kkdcreq->till; hkdcreq.req_body.till = &till; - rtime = kkdcreq->rtime; hkdcreq.req_body.rtime = &rtime; + from = request->from; hkdcreq.req_body.from = &from; + till = request->till; hkdcreq.req_body.till = &till; + rtime = request->rtime; hkdcreq.req_body.rtime = &rtime; - hkdcreq.req_body.nonce = kkdcreq->nonce; - hkdcreq.req_body.etype.len = kkdcreq->nktypes; - hkdcreq.req_body.etype.val = kkdcreq->ktype; + hkdcreq.req_body.nonce = request->nonce; + hkdcreq.req_body.etype.len = request->nktypes; + hkdcreq.req_body.etype.val = request->ktype; code = kh_marshall_HostAddresses(context, - kkdcreq->addresses, + request->addresses, &hkdcreq.req_body.addresses); if (code != 0) goto cleanup; @@ -545,11 +551,11 @@ kh_db_check_policy_as(krb5_context context, /* FIXME hkdcreq.req_body.additional_tickets */ code = kh_windc_client_access(context, kh, - KH_DB_ENTRY(req->client), - &hkdcreq, &e_data); + KH_DB_ENTRY(client), + &hkdcreq, &he_data); - rep->e_data.data = e_data.data; - rep->e_data.length = e_data.length; + e_data->data = he_data.data; + e_data->length = he_data.length; cleanup: kh_free_HostAddresses(context, hkdcreq.req_body.addresses); -- 2.26.2