Changeset 745 for trunk/server/source4/heimdal/kdc
- Timestamp:
- Nov 27, 2012, 4:43:17 PM (13 years ago)
- Location:
- trunk/server
- Files:
-
- 1 deleted
- 15 edited
-
. (modified) (1 prop)
-
source4/heimdal/kdc/default_config.c (modified) (5 diffs)
-
source4/heimdal/kdc/digest.c (modified) (24 diffs)
-
source4/heimdal/kdc/headers.h (modified) (2 diffs)
-
source4/heimdal/kdc/kaserver.c (deleted)
-
source4/heimdal/kdc/kdc.h (modified) (2 diffs)
-
source4/heimdal/kdc/kdc_locl.h (modified) (2 diffs)
-
source4/heimdal/kdc/kerberos5.c (modified) (33 diffs)
-
source4/heimdal/kdc/krb5tgs.c (modified) (55 diffs)
-
source4/heimdal/kdc/kx509.c (modified) (14 diffs)
-
source4/heimdal/kdc/log.c (modified) (2 diffs)
-
source4/heimdal/kdc/misc.c (modified) (4 diffs)
-
source4/heimdal/kdc/pkinit.c (modified) (36 diffs)
-
source4/heimdal/kdc/process.c (modified) (2 diffs)
-
source4/heimdal/kdc/windc.c (modified) (4 diffs)
-
source4/heimdal/kdc/windc_plugin.h (modified) (2 diffs)
Legend:
- Unmodified
- Added
- Removed
-
trunk/server
- Property svn:mergeinfo changed
/vendor/current merged: 581,587,591,594,597,600,615,618,740
- Property svn:mergeinfo changed
-
trunk/server/source4/heimdal/kdc/default_config.c
r414 r745 2 2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan 3 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 *5 4 * All rights reserved. 5 * 6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved. 6 7 * 7 8 * Redistribution and use in source and binary forms, with or without … … 36 37 #include <getarg.h> 37 38 #include <parse_bytes.h> 38 39 RCSID("$Id$");40 39 41 40 krb5_error_code … … 216 215 217 216 218 #ifdef PKINIT219 217 c->enable_pkinit = 220 218 krb5_config_get_bool_default(context, … … 224 222 "enable-pkinit", 225 223 NULL); 226 if (c->enable_pkinit) { 227 const char *user_id, *anchors, *file; 228 char **pool_list, **revoke_list; 229 230 user_id = 231 krb5_config_get_string(context, NULL, 232 "kdc", "pkinit_identity", NULL); 233 if (user_id == NULL) 234 krb5_errx(context, 1, "pkinit enabled but no identity"); 235 236 anchors = krb5_config_get_string(context, NULL, 237 "kdc", "pkinit_anchors", NULL); 238 if (anchors == NULL) 239 krb5_errx(context, 1, "pkinit enabled but no X509 anchors"); 240 241 pool_list = 242 krb5_config_get_strings(context, NULL, 243 "kdc", "pkinit_pool", NULL); 244 245 revoke_list = 246 krb5_config_get_strings(context, NULL, 247 "kdc", "pkinit_revoke", NULL); 248 249 file = krb5_config_get_string(context, NULL, 250 "kdc", "pkinit_kdc_ocsp", NULL); 251 if (file) { 252 c->pkinit_kdc_ocsp_file = strdup(file); 253 if (c->pkinit_kdc_ocsp_file == NULL) 254 krb5_errx(context, 1, "out of memory"); 255 } 256 257 file = krb5_config_get_string(context, NULL, 258 "kdc", "pkinit_kdc_friendly_name", NULL); 259 if (file) { 260 c->pkinit_kdc_friendly_name = strdup(file); 261 if (c->pkinit_kdc_friendly_name == NULL) 262 krb5_errx(context, 1, "out of memory"); 263 } 264 265 266 _kdc_pk_initialize(context, c, user_id, anchors, 267 pool_list, revoke_list); 268 269 krb5_config_free_strings(pool_list); 270 krb5_config_free_strings(revoke_list); 271 272 c->pkinit_princ_in_cert = 273 krb5_config_get_bool_default(context, NULL, 274 c->pkinit_princ_in_cert, 275 "kdc", 276 "pkinit_principal_in_certificate", 277 NULL); 278 279 c->pkinit_require_binding = 280 krb5_config_get_bool_default(context, NULL, 281 c->pkinit_require_binding, 282 "kdc", 283 "pkinit_win2k_require_binding", 284 NULL); 285 } 286 224 225 226 c->pkinit_kdc_identity = 227 krb5_config_get_string(context, NULL, 228 "kdc", "pkinit_identity", NULL); 229 c->pkinit_kdc_anchors = 230 krb5_config_get_string(context, NULL, 231 "kdc", "pkinit_anchors", NULL); 232 c->pkinit_kdc_cert_pool = 233 krb5_config_get_strings(context, NULL, 234 "kdc", "pkinit_pool", NULL); 235 c->pkinit_kdc_revoke = 236 krb5_config_get_strings(context, NULL, 237 "kdc", "pkinit_revoke", NULL); 238 c->pkinit_kdc_ocsp_file = 239 krb5_config_get_string(context, NULL, 240 "kdc", "pkinit_kdc_ocsp", NULL); 241 c->pkinit_kdc_friendly_name = 242 krb5_config_get_string(context, NULL, 243 "kdc", "pkinit_kdc_friendly_name", NULL); 244 c->pkinit_princ_in_cert = 245 krb5_config_get_bool_default(context, NULL, 246 c->pkinit_princ_in_cert, 247 "kdc", 248 "pkinit_principal_in_certificate", 249 NULL); 250 c->pkinit_require_binding = 251 krb5_config_get_bool_default(context, NULL, 252 c->pkinit_require_binding, 253 "kdc", 254 "pkinit_win2k_require_binding", 255 NULL); 287 256 c->pkinit_dh_min_bits = 288 257 krb5_config_get_int_default(context, NULL, … … 290 259 "kdc", "pkinit_dh_min_bits", NULL); 291 260 292 #endif293 294 261 *config = c; 295 262 296 263 return 0; 297 264 } 265 266 krb5_error_code 267 krb5_kdc_pkinit_config(krb5_context context, krb5_kdc_configuration *config) 268 { 269 #ifdef PKINIT 270 #ifdef __APPLE__ 271 config->enable_pkinit = 1; 272 273 if (config->pkinit_kdc_identity == NULL) { 274 if (config->pkinit_kdc_friendly_name == NULL) 275 config->pkinit_kdc_friendly_name = 276 strdup("O=System Identity,CN=com.apple.kerberos.kdc"); 277 config->pkinit_kdc_identity = strdup("KEYCHAIN:"); 278 } 279 if (config->pkinit_kdc_anchors == NULL) 280 config->pkinit_kdc_anchors = strdup("KEYCHAIN:"); 281 282 #endif /* __APPLE__ */ 283 284 if (config->enable_pkinit) { 285 if (config->pkinit_kdc_identity == NULL) 286 krb5_errx(context, 1, "pkinit enabled but no identity"); 287 288 if (config->pkinit_kdc_anchors == NULL) 289 krb5_errx(context, 1, "pkinit enabled but no X509 anchors"); 290 291 krb5_kdc_pk_initialize(context, config, 292 config->pkinit_kdc_identity, 293 config->pkinit_kdc_anchors, 294 config->pkinit_kdc_cert_pool, 295 config->pkinit_kdc_revoke); 296 297 } 298 299 return 0; 300 #endif /* PKINIT */ 301 } -
trunk/server/source4/heimdal/kdc/digest.c
r414 r745 178 178 179 179 ret = _kdc_db_fetch(context, config, clientprincipal, 180 HDB_F_GET_CLIENT, &db, &user);180 HDB_F_GET_CLIENT, NULL, &db, &user); 181 181 krb5_free_principal(context, clientprincipal); 182 182 if (ret) … … 293 293 294 294 ret = _kdc_db_fetch(context, config, principal, 295 HDB_F_GET_SERVER, NULL, &server);295 HDB_F_GET_SERVER, NULL, NULL, &server); 296 296 if (ret) 297 297 goto out; … … 315 315 316 316 ret = _kdc_db_fetch(context, config, principal, 317 HDB_F_GET_CLIENT, NULL, &client);317 HDB_F_GET_CLIENT, NULL, NULL, &client); 318 318 krb5_free_principal(context, principal); 319 319 if (ret) … … 614 614 615 615 if (strcasecmp(ireq.u.digestRequest.type, "CHAP") == 0) { 616 MD5_CTXctx;616 EVP_MD_CTX *ctx; 617 617 unsigned char md[MD5_DIGEST_LENGTH]; 618 618 char *mdx; … … 643 643 goto out; 644 644 645 MD5_Init(&ctx); 646 MD5_Update(&ctx, &id, 1); 647 MD5_Update(&ctx, password, strlen(password)); 648 MD5_Update(&ctx, serverNonce.data, serverNonce.length); 649 MD5_Final(md, &ctx); 645 ctx = EVP_MD_CTX_create(); 646 647 EVP_DigestInit_ex(ctx, EVP_md5(), NULL); 648 EVP_DigestUpdate(ctx, &id, 1); 649 EVP_DigestUpdate(ctx, password, strlen(password)); 650 EVP_DigestUpdate(ctx, serverNonce.data, serverNonce.length); 651 EVP_DigestFinal_ex(ctx, md, NULL); 652 653 EVP_MD_CTX_destroy(ctx); 650 654 651 655 hex_encode(md, sizeof(md), &mdx); … … 670 674 671 675 } else if (strcasecmp(ireq.u.digestRequest.type, "SASL-DIGEST-MD5") == 0) { 672 MD5_CTXctx;676 EVP_MD_CTX *ctx; 673 677 unsigned char md[MD5_DIGEST_LENGTH]; 674 678 char *mdx; … … 695 699 goto failed; 696 700 697 MD5_Init(&ctx); 698 MD5_Update(&ctx, ireq.u.digestRequest.username, 701 ctx = EVP_MD_CTX_create(); 702 703 EVP_DigestInit_ex(ctx, EVP_md5(), NULL); 704 EVP_DigestUpdate(ctx, ireq.u.digestRequest.username, 699 705 strlen(ireq.u.digestRequest.username)); 700 MD5_Update(&ctx, ":", 1);701 MD5_Update(&ctx, *ireq.u.digestRequest.realm,706 EVP_DigestUpdate(ctx, ":", 1); 707 EVP_DigestUpdate(ctx, *ireq.u.digestRequest.realm, 702 708 strlen(*ireq.u.digestRequest.realm)); 703 MD5_Update(&ctx, ":", 1);704 MD5_Update(&ctx, password, strlen(password));705 MD5_Final(md, &ctx);706 707 MD5_Init(&ctx);708 MD5_Update(&ctx, md, sizeof(md));709 MD5_Update(&ctx, ":", 1);710 MD5_Update(&ctx, ireq.u.digestRequest.serverNonce,709 EVP_DigestUpdate(ctx, ":", 1); 710 EVP_DigestUpdate(ctx, password, strlen(password)); 711 EVP_DigestFinal_ex(ctx, md, NULL); 712 713 EVP_DigestInit_ex(ctx, EVP_md5(), NULL); 714 EVP_DigestUpdate(ctx, md, sizeof(md)); 715 EVP_DigestUpdate(ctx, ":", 1); 716 EVP_DigestUpdate(ctx, ireq.u.digestRequest.serverNonce, 711 717 strlen(ireq.u.digestRequest.serverNonce)); 712 MD5_Update(&ctx, ":", 1);713 MD5_Update(&ctx, *ireq.u.digestRequest.nonceCount,718 EVP_DigestUpdate(ctx, ":", 1); 719 EVP_DigestUpdate(ctx, *ireq.u.digestRequest.nonceCount, 714 720 strlen(*ireq.u.digestRequest.nonceCount)); 715 721 if (ireq.u.digestRequest.authid) { 716 MD5_Update(&ctx, ":", 1);717 MD5_Update(&ctx, *ireq.u.digestRequest.authid,722 EVP_DigestUpdate(ctx, ":", 1); 723 EVP_DigestUpdate(ctx, *ireq.u.digestRequest.authid, 718 724 strlen(*ireq.u.digestRequest.authid)); 719 725 } 720 MD5_Final(md, &ctx);726 EVP_DigestFinal_ex(ctx, md, NULL); 721 727 hex_encode(md, sizeof(md), &A1); 722 728 if (A1 == NULL) { 723 729 ret = ENOMEM; 724 730 krb5_set_error_message(context, ret, "malloc: out of memory"); 731 EVP_MD_CTX_destroy(ctx); 725 732 goto failed; 726 733 } 727 734 728 MD5_Init(&ctx); 729 MD5_Update(&ctx, "AUTHENTICATE:", sizeof("AUTHENTICATE:") - 1); 730 MD5_Update(&ctx, *ireq.u.digestRequest.uri, 735 EVP_DigestInit_ex(ctx, EVP_md5(), NULL); 736 EVP_DigestUpdate(ctx, 737 "AUTHENTICATE:", sizeof("AUTHENTICATE:") - 1); 738 EVP_DigestUpdate(ctx, *ireq.u.digestRequest.uri, 731 739 strlen(*ireq.u.digestRequest.uri)); 732 740 … … 734 742 if (strcmp(ireq.u.digestRequest.digest, "clear") != 0) { 735 743 static char conf_zeros[] = ":00000000000000000000000000000000"; 736 MD5_Update(&ctx, conf_zeros, sizeof(conf_zeros) - 1); 737 } 738 739 MD5_Final(md, &ctx); 744 EVP_DigestUpdate(ctx, conf_zeros, sizeof(conf_zeros) - 1); 745 } 746 747 EVP_DigestFinal_ex(ctx, md, NULL); 748 740 749 hex_encode(md, sizeof(md), &A2); 741 750 if (A2 == NULL) { … … 746 755 } 747 756 748 MD5_Init(&ctx);749 MD5_Update(&ctx, A1, strlen(A2));750 MD5_Update(&ctx, ":", 1);751 MD5_Update(&ctx, ireq.u.digestRequest.serverNonce,757 EVP_DigestInit_ex(ctx, EVP_md5(), NULL); 758 EVP_DigestUpdate(ctx, A1, strlen(A2)); 759 EVP_DigestUpdate(ctx, ":", 1); 760 EVP_DigestUpdate(ctx, ireq.u.digestRequest.serverNonce, 752 761 strlen(ireq.u.digestRequest.serverNonce)); 753 MD5_Update(&ctx, ":", 1);754 MD5_Update(&ctx, *ireq.u.digestRequest.nonceCount,762 EVP_DigestUpdate(ctx, ":", 1); 763 EVP_DigestUpdate(ctx, *ireq.u.digestRequest.nonceCount, 755 764 strlen(*ireq.u.digestRequest.nonceCount)); 756 MD5_Update(&ctx, ":", 1);757 MD5_Update(&ctx, *ireq.u.digestRequest.clientNonce,765 EVP_DigestUpdate(ctx, ":", 1); 766 EVP_DigestUpdate(ctx, *ireq.u.digestRequest.clientNonce, 758 767 strlen(*ireq.u.digestRequest.clientNonce)); 759 MD5_Update(&ctx, ":", 1);760 MD5_Update(&ctx, *ireq.u.digestRequest.qop,768 EVP_DigestUpdate(ctx, ":", 1); 769 EVP_DigestUpdate(ctx, *ireq.u.digestRequest.qop, 761 770 strlen(*ireq.u.digestRequest.qop)); 762 MD5_Update(&ctx, ":", 1); 763 MD5_Update(&ctx, A2, strlen(A2)); 764 765 MD5_Final(md, &ctx); 771 EVP_DigestUpdate(ctx, ":", 1); 772 EVP_DigestUpdate(ctx, A2, strlen(A2)); 773 774 EVP_DigestFinal_ex(ctx, md, NULL); 775 776 EVP_MD_CTX_destroy(ctx); 766 777 767 778 free(A1); … … 794 805 struct ntlm_buf answer; 795 806 Key *key = NULL; 796 SHA_CTXctx;807 EVP_MD_CTX *ctx; 797 808 798 809 if ((config->digests_allowed & MS_CHAP_V2) == 0) { … … 821 832 username++; 822 833 834 ctx = EVP_MD_CTX_create(); 835 823 836 /* ChallangeHash */ 824 SHA1_Init(&ctx);837 EVP_DigestInit_ex(ctx, EVP_sha1(), NULL); 825 838 { 826 839 ssize_t ssize; … … 831 844 if (clientNonce.data == NULL) { 832 845 ret = ENOMEM; 833 krb5_set_error_message(context, ret, "malloc: out of memory"); 846 krb5_set_error_message(context, ret, 847 "malloc: out of memory"); 848 EVP_MD_CTX_destroy(ctx); 834 849 goto out; 835 850 } … … 841 856 krb5_set_error_message(context, ret, 842 857 "Failed to decode clientNonce"); 858 EVP_MD_CTX_destroy(ctx); 843 859 goto out; 844 860 } 845 SHA1_Update(&ctx, clientNonce.data, ssize);861 EVP_DigestUpdate(ctx, clientNonce.data, ssize); 846 862 free(clientNonce.data); 847 863 } 848 SHA1_Update(&ctx, serverNonce.data, serverNonce.length); 849 SHA1_Update(&ctx, username, strlen(username)); 850 SHA1_Final(challange, &ctx); 864 EVP_DigestUpdate(ctx, serverNonce.data, serverNonce.length); 865 EVP_DigestUpdate(ctx, username, strlen(username)); 866 867 EVP_DigestFinal_ex(ctx, challange, NULL); 868 869 EVP_MD_CTX_destroy(ctx); 851 870 852 871 /* NtPasswordHash */ … … 856 875 857 876 ret = _kdc_db_fetch(context, config, clientprincipal, 858 HDB_F_GET_CLIENT, NULL, &user);877 HDB_F_GET_CLIENT, NULL, NULL, &user); 859 878 krb5_free_principal(context, clientprincipal); 860 879 if (ret) { … … 905 924 if (r.u.response.success) { 906 925 unsigned char hashhash[MD4_DIGEST_LENGTH]; 926 EVP_MD_CTX *ctx; 927 928 ctx = EVP_MD_CTX_create(); 907 929 908 930 /* hashhash */ 909 931 { 910 MD4_CTX hctx; 911 912 MD4_Init(&hctx); 913 MD4_Update(&hctx, key->key.keyvalue.data, 914 key->key.keyvalue.length); 915 MD4_Final(hashhash, &hctx); 932 EVP_DigestInit_ex(ctx, EVP_md4(), NULL); 933 EVP_DigestUpdate(ctx, 934 key->key.keyvalue.data, 935 key->key.keyvalue.length); 936 EVP_DigestFinal_ex(ctx, hashhash, NULL); 916 937 } 917 938 918 939 /* GenerateAuthenticatorResponse */ 919 SHA1_Init(&ctx); 920 SHA1_Update(&ctx, hashhash, sizeof(hashhash)); 921 SHA1_Update(&ctx, answer.data, answer.length); 922 SHA1_Update(&ctx, ms_chap_v2_magic1,sizeof(ms_chap_v2_magic1)); 923 SHA1_Final(md, &ctx); 924 925 SHA1_Init(&ctx); 926 SHA1_Update(&ctx, md, sizeof(md)); 927 SHA1_Update(&ctx, challange, 8); 928 SHA1_Update(&ctx, ms_chap_v2_magic2, sizeof(ms_chap_v2_magic2)); 929 SHA1_Final(md, &ctx); 940 EVP_DigestInit_ex(ctx, EVP_sha1(), NULL); 941 EVP_DigestUpdate(ctx, hashhash, sizeof(hashhash)); 942 EVP_DigestUpdate(ctx, answer.data, answer.length); 943 EVP_DigestUpdate(ctx, ms_chap_v2_magic1, 944 sizeof(ms_chap_v2_magic1)); 945 EVP_DigestFinal_ex(ctx, md, NULL); 946 947 EVP_DigestInit_ex(ctx, EVP_sha1(), NULL); 948 EVP_DigestUpdate(ctx, md, sizeof(md)); 949 EVP_DigestUpdate(ctx, challange, 8); 950 EVP_DigestUpdate(ctx, ms_chap_v2_magic2, 951 sizeof(ms_chap_v2_magic2)); 952 EVP_DigestFinal_ex(ctx, md, NULL); 930 953 931 954 r.u.response.rsp = calloc(1, sizeof(*r.u.response.rsp)); … … 933 956 free(answer.data); 934 957 krb5_clear_error_message(context); 958 EVP_MD_CTX_destroy(ctx); 935 959 ret = ENOMEM; 936 960 goto out; … … 941 965 free(answer.data); 942 966 krb5_clear_error_message(context); 967 EVP_MD_CTX_destroy(ctx); 943 968 ret = ENOMEM; 944 969 goto out; … … 946 971 947 972 /* get_master, rfc 3079 3.4 */ 948 SHA1_Init(&ctx); 949 SHA1_Update(&ctx, hashhash, 16); /* md4(hash) */ 950 SHA1_Update(&ctx, answer.data, answer.length); 951 SHA1_Update(&ctx, ms_rfc3079_magic1, sizeof(ms_rfc3079_magic1)); 952 SHA1_Final(md, &ctx); 973 EVP_DigestInit_ex(ctx, EVP_sha1(), NULL); 974 EVP_DigestUpdate(ctx, hashhash, 16); 975 EVP_DigestUpdate(ctx, answer.data, answer.length); 976 EVP_DigestUpdate(ctx, ms_rfc3079_magic1, 977 sizeof(ms_rfc3079_magic1)); 978 EVP_DigestFinal_ex(ctx, md, NULL); 953 979 954 980 free(answer.data); 981 982 EVP_MD_CTX_destroy(ctx); 955 983 956 984 r.u.response.session_key = … … 1131 1159 1132 1160 ret = _kdc_db_fetch(context, config, clientprincipal, 1133 HDB_F_GET_CLIENT, NULL, &user);1161 HDB_F_GET_CLIENT, NULL, NULL, &user); 1134 1162 krb5_free_principal(context, clientprincipal); 1135 1163 if (ret) { … … 1238 1266 if (flags & NTLM_NEG_NTLM2_SESSION) { 1239 1267 unsigned char sessionhash[MD5_DIGEST_LENGTH]; 1240 MD5_CTX md5ctx;1268 EVP_MD_CTX *ctx; 1241 1269 1242 1270 if ((config->digests_allowed & NTLM_V1_SESSION) == 0) { … … 1253 1281 } 1254 1282 1255 MD5_Init(&md5ctx); 1256 MD5_Update(&md5ctx, challange, sizeof(challange)); 1257 MD5_Update(&md5ctx, ireq.u.ntlmRequest.lm.data, 8); 1258 MD5_Final(sessionhash, &md5ctx); 1283 ctx = EVP_MD_CTX_create(); 1284 1285 EVP_DigestInit_ex(ctx, EVP_md5(), NULL); 1286 1287 EVP_DigestUpdate(ctx, challange, sizeof(challange)); 1288 EVP_DigestUpdate(ctx, ireq.u.ntlmRequest.lm.data, 8); 1289 EVP_DigestFinal_ex(ctx, sessionhash, NULL); 1259 1290 memcpy(challange, sessionhash, sizeof(challange)); 1291 1292 EVP_MD_CTX_destroy(ctx); 1293 1260 1294 } else { 1261 1295 if ((config->digests_allowed & NTLM_V1) == 0) { … … 1284 1318 1285 1319 { 1286 MD4_CTX ctx; 1287 1288 MD4_Init(&ctx); 1289 MD4_Update(&ctx, 1290 key->key.keyvalue.data, key->key.keyvalue.length); 1291 MD4_Final(sessionkey, &ctx); 1320 EVP_MD_CTX *ctx; 1321 1322 ctx = EVP_MD_CTX_create(); 1323 1324 EVP_DigestInit_ex(ctx, EVP_md4(), NULL); 1325 EVP_DigestUpdate(ctx, 1326 key->key.keyvalue.data, 1327 key->key.keyvalue.length); 1328 EVP_DigestFinal_ex(ctx, sessionkey, NULL); 1329 1330 EVP_MD_CTX_destroy(ctx); 1292 1331 } 1293 1332 } … … 1295 1334 if (ireq.u.ntlmRequest.sessionkey) { 1296 1335 unsigned char masterkey[MD4_DIGEST_LENGTH]; 1297 RC4_KEYrc4;1336 EVP_CIPHER_CTX rc4; 1298 1337 size_t len; 1299 1338 … … 1315 1354 } 1316 1355 1317 RC4_set_key(&rc4, sizeof(sessionkey), sessionkey); 1318 1319 RC4(&rc4, sizeof(masterkey), 1320 ireq.u.ntlmRequest.sessionkey->data, 1321 masterkey); 1322 memset(&rc4, 0, sizeof(rc4)); 1356 1357 EVP_CIPHER_CTX_init(&rc4); 1358 EVP_CipherInit_ex(&rc4, EVP_rc4(), NULL, sessionkey, NULL, 1); 1359 EVP_Cipher(&rc4, 1360 masterkey, ireq.u.ntlmRequest.sessionkey->data, 1361 sizeof(masterkey)); 1362 EVP_CIPHER_CTX_cleanup(&rc4); 1323 1363 1324 1364 r.u.ntlmResponse.sessionkey = -
trunk/server/source4/heimdal/kdc/headers.h
r414 r745 39 39 #define __HEADERS_H__ 40 40 41 #ifdef HAVE_CONFIG_H42 41 #include <config.h> 43 #endif 42 44 43 #include <limits.h> 45 44 #include <stdio.h> … … 109 108 110 109 #undef ALLOC 111 #define ALLOC(X) ((X) = malloc(sizeof(*(X))))110 #define ALLOC(X) ((X) = calloc(1, sizeof(*(X)))) 112 111 #undef ALLOC_SEQ 113 112 #define ALLOC_SEQ(X, N) do { (X)->len = (N); \ -
trunk/server/source4/heimdal/kdc/kdc.h
r414 r745 42 42 #define __KDC_H__ 43 43 44 #include <hdb.h> 44 45 #include <krb5.h> 45 46 … … 75 76 krb5_boolean enable_pkinit; 76 77 krb5_boolean pkinit_princ_in_cert; 77 char *pkinit_kdc_ocsp_file; 78 char *pkinit_kdc_friendly_name; 78 const char *pkinit_kdc_identity; 79 const char *pkinit_kdc_anchors; 80 const char *pkinit_kdc_friendly_name; 81 const char *pkinit_kdc_ocsp_file; 82 char **pkinit_kdc_cert_pool; 83 char **pkinit_kdc_revoke; 79 84 int pkinit_dh_min_bits; 80 85 int pkinit_require_binding; -
trunk/server/source4/heimdal/kdc/kdc_locl.h
r414 r745 47 47 48 48 extern sig_atomic_t exit_flag; 49 extern size_t max_request; 49 extern size_t max_request_udp; 50 extern size_t max_request_tcp; 50 51 extern const char *request_log; 51 52 extern const char *port_str; … … 77 78 configure(krb5_context context, int argc, char **argv); 78 79 80 #ifdef __APPLE__ 81 void bonjour_announce(krb5_context, krb5_kdc_configuration *); 82 #endif 83 79 84 #endif /* __KDC_LOCL_H__ */ -
trunk/server/source4/heimdal/kdc/kerberos5.c
r414 r745 34 34 #include "kdc_locl.h" 35 35 36 RCSID("$Id$");37 38 36 #define MAX_TIME ((time_t)((1U << 31) - 1)) 39 37 … … 61 59 62 60 static void 63 set_salt_padata 61 set_salt_padata(METHOD_DATA *md, Salt *salt) 64 62 { 65 63 if (salt) { 66 67 68 69 64 realloc_method_data(md); 65 md->val[md->len - 1].padata_type = salt->type; 66 der_copy_octet_string(&salt->salt, 67 &md->val[md->len - 1].padata_value); 70 68 } 71 69 } … … 128 126 _kdc_find_etype(krb5_context context, const hdb_entry_ex *princ, 129 127 krb5_enctype *etypes, unsigned len, 130 Key **ret_key , krb5_enctype *ret_etype)128 Key **ret_key) 131 129 { 132 130 int i; … … 149 147 } 150 148 *ret_key = key; 151 *ret_etype = etypes[i];152 149 ret = 0; 153 150 if (is_default_salt_p(&def_salt, key)) { … … 262 259 int skvno, const EncryptionKey *skey, 263 260 int ckvno, const EncryptionKey *reply_key, 261 int rk_is_subkey, 264 262 const char **e_text, 265 263 krb5_data *reply) … … 273 271 ASN1_MALLOC_ENCODE(EncTicketPart, buf, buf_size, et, &len, ret); 274 272 if(ret) { 275 kdc_log(context, config, 0, "Failed to encode ticket: %s", 276 krb5_get_err_text(context, ret)); 273 const char *msg = krb5_get_error_message(context, ret); 274 kdc_log(context, config, 0, "Failed to encode ticket: %s", msg); 275 krb5_free_error_message(context, msg); 277 276 return ret; 278 277 } … … 286 285 ret = krb5_crypto_init(context, skey, etype, &crypto); 287 286 if (ret) { 287 const char *msg; 288 288 free(buf); 289 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", 290 krb5_get_err_text(context, ret)); 289 msg = krb5_get_error_message(context, ret); 290 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg); 291 krb5_free_error_message(context, msg); 291 292 return ret; 292 293 } … … 302 303 krb5_crypto_destroy(context, crypto); 303 304 if(ret) { 304 kdc_log(context, config, 0, "Failed to encrypt data: %s", 305 krb5_get_err_text(context, ret)); 305 const char *msg = krb5_get_error_message(context, ret); 306 kdc_log(context, config, 0, "Failed to encrypt data: %s", msg); 307 krb5_free_error_message(context, msg); 306 308 return ret; 307 309 } … … 312 314 ASN1_MALLOC_ENCODE(EncTGSRepPart, buf, buf_size, ek, &len, ret); 313 315 if(ret) { 314 kdc_log(context, config, 0, "Failed to encode KDC-REP: %s", 315 krb5_get_err_text(context, ret)); 316 const char *msg = krb5_get_error_message(context, ret); 317 kdc_log(context, config, 0, "Failed to encode KDC-REP: %s", msg); 318 krb5_free_error_message(context, msg); 316 319 return ret; 317 320 } … … 324 327 ret = krb5_crypto_init(context, reply_key, 0, &crypto); 325 328 if (ret) { 329 const char *msg = krb5_get_error_message(context, ret); 326 330 free(buf); 327 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", 328 krb5_get_err_text(context, ret));331 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg); 332 krb5_free_error_message(context, msg); 329 333 return ret; 330 334 } … … 342 346 krb5_encrypt_EncryptedData(context, 343 347 crypto, 344 KRB5_KU_TGS_REP_ENC_PART_SESSION,348 rk_is_subkey ? KRB5_KU_TGS_REP_ENC_PART_SUB_KEY : KRB5_KU_TGS_REP_ENC_PART_SESSION, 345 349 buf, 346 350 len, … … 352 356 krb5_crypto_destroy(context, crypto); 353 357 if(ret) { 354 kdc_log(context, config, 0, "Failed to encode KDC-REP: %s", 355 krb5_get_err_text(context, ret)); 358 const char *msg = krb5_get_error_message(context, ret); 359 kdc_log(context, config, 0, "Failed to encode KDC-REP: %s", msg); 360 krb5_free_error_message(context, msg); 356 361 return ret; 357 362 } … … 896 901 hdb_entry_ex *client = NULL, *server = NULL; 897 902 HDB *clientdb; 898 krb5_enctype cetype,setype, sessionetype;903 krb5_enctype setype, sessionetype; 899 904 krb5_data e_data; 900 905 EncTicketPart et; … … 906 911 krb5_crypto crypto; 907 912 Key *ckey, *skey; 908 EncryptionKey *reply_key ;913 EncryptionKey *reply_key = NULL, session_key; 909 914 int flags = 0; 910 915 #ifdef PKINIT … … 913 918 914 919 memset(&rep, 0, sizeof(rep)); 920 memset(&session_key, 0, sizeof(session_key)); 915 921 krb5_data_zero(&e_data); 922 923 ALLOC(rep.padata); 924 rep.padata->len = 0; 925 rep.padata->val = NULL; 916 926 917 927 if (f.canonicalize) … … 979 989 980 990 ret = _kdc_db_fetch(context, config, client_princ, 981 HDB_F_GET_CLIENT | flags, &clientdb, &client); 982 if(ret){ 983 kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name, 984 krb5_get_err_text(context, ret)); 991 HDB_F_GET_CLIENT | flags, NULL, 992 &clientdb, &client); 993 if(ret == HDB_ERR_NOT_FOUND_HERE) { 994 kdc_log(context, config, 5, "client %s does not have secrets at this KDC, need to proxy", client_name); 995 goto out; 996 } else if(ret){ 997 const char *msg = krb5_get_error_message(context, ret); 998 kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name, msg); 999 krb5_free_error_message(context, msg); 985 1000 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; 986 1001 goto out; 987 1002 } 988 989 1003 ret = _kdc_db_fetch(context, config, server_princ, 990 HDB_F_GET_SERVER|HDB_F_GET_KRBTGT, 991 NULL, &server); 992 if(ret){ 993 kdc_log(context, config, 0, "UNKNOWN -- %s: %s", server_name, 994 krb5_get_err_text(context, ret)); 1004 HDB_F_GET_SERVER|HDB_F_GET_KRBTGT | flags, 1005 NULL, NULL, &server); 1006 if(ret == HDB_ERR_NOT_FOUND_HERE) { 1007 kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", server_name); 1008 goto out; 1009 } else if(ret){ 1010 const char *msg = krb5_get_error_message(context, ret); 1011 kdc_log(context, config, 0, "UNKNOWN -- %s: %s", server_name, msg); 1012 krb5_free_error_message(context, msg); 995 1013 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; 996 1014 goto out; … … 1001 1019 1002 1020 /* 1003 * Find the client key for reply encryption and pa-type salt, Pick 1004 * the client key upfront before the other keys because that is 1005 * going to affect what enctypes we are going to use in 1006 * ETYPE-INFO{,2}. 1021 * Select a session enctype from the list of the crypto systems 1022 * supported enctype, is supported by the client and is one of the 1023 * enctype of the enctype of the krbtgt. 1024 * 1025 * The later is used as a hint what enctype all KDC are supporting 1026 * to make sure a newer version of KDC wont generate a session 1027 * enctype that and older version of a KDC in the same realm can't 1028 * decrypt. 1029 * 1030 * But if the KDC admin is paranoid and doesn't want to have "no 1031 * the best" enctypes on the krbtgt, lets save the best pick from 1032 * the client list and hope that that will work for any other 1033 * KDCs. 1007 1034 */ 1008 1009 ret = _kdc_find_etype(context, client, b->etype.val, b->etype.len, 1010 &ckey, &cetype); 1011 if (ret) { 1012 kdc_log(context, config, 0, 1013 "Client (%s) has no support for etypes", client_name); 1014 goto out; 1035 { 1036 const krb5_enctype *p; 1037 krb5_enctype clientbest = ETYPE_NULL; 1038 int i, j; 1039 1040 p = krb5_kerberos_enctypes(context); 1041 1042 sessionetype = ETYPE_NULL; 1043 1044 for (i = 0; p[i] != ETYPE_NULL && sessionetype == ETYPE_NULL; i++) { 1045 if (krb5_enctype_valid(context, p[i]) != 0) 1046 continue; 1047 1048 for (j = 0; j < b->etype.len && sessionetype == ETYPE_NULL; j++) { 1049 Key *dummy; 1050 /* check with client */ 1051 if (p[i] != b->etype.val[j]) 1052 continue; 1053 /* save best of union of { client, crypto system } */ 1054 if (clientbest == ETYPE_NULL) 1055 clientbest = p[i]; 1056 /* check with krbtgt */ 1057 ret = hdb_enctype2key(context, &server->entry, p[i], &dummy); 1058 if (ret) 1059 continue; 1060 sessionetype = p[i]; 1061 } 1062 } 1063 /* if krbtgt had no shared keys with client, pick clients best */ 1064 if (clientbest != ETYPE_NULL && sessionetype == ETYPE_NULL) { 1065 sessionetype = clientbest; 1066 } else if (sessionetype == ETYPE_NULL) { 1067 kdc_log(context, config, 0, 1068 "Client (%s) from %s has no common enctypes with KDC" 1069 "to use for the session key", 1070 client_name, from); 1071 goto out; 1072 } 1015 1073 } 1016 1074 … … 1136 1194 ret = krb5_crypto_init(context, &pa_key->key, 0, &crypto); 1137 1195 if (ret) { 1138 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", 1139 krb5_get_err_text(context, ret)); 1196 const char *msg = krb5_get_error_message(context, ret); 1197 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg); 1198 krb5_free_error_message(context, msg); 1140 1199 free_EncryptedData(&enc_data); 1141 1200 continue; … … 1155 1214 if(ret){ 1156 1215 krb5_error_code ret2; 1216 const char *msg = krb5_get_error_message(context, ret); 1217 1157 1218 ret2 = krb5_enctype_to_string(context, 1158 1219 pa_key->key.keytype, &str); … … 1162 1223 "Failed to decrypt PA-DATA -- %s " 1163 1224 "(enctype %s) error %s", 1164 client_name, 1165 str ? str : "unknown enctype", 1166 krb5_get_err_text(context, ret)); 1225 client_name, str ? str : "unknown enctype", msg); 1226 krb5_free_error_message(context, msg); 1167 1227 free(str); 1168 1228 … … 1220 1280 et.flags.pre_authent = 1; 1221 1281 1222 ret = krb5_enctype_to_string(context,pa_key->key.keytype, &str); 1282 set_salt_padata(rep.padata, pa_key->salt); 1283 1284 reply_key = &pa_key->key; 1285 1286 ret = krb5_enctype_to_string(context, pa_key->key.keytype, &str); 1223 1287 if (ret) 1224 1288 str = NULL; … … 1290 1354 * If there is a client key, send ETYPE_INFO{,2} 1291 1355 */ 1292 if (ckey) { 1356 ret = _kdc_find_etype(context, client, b->etype.val, b->etype.len, 1357 &ckey); 1358 if (ret == 0) { 1293 1359 1294 1360 /* … … 1361 1427 goto out; 1362 1428 1363 /*1364 * Select a session enctype from the list of the crypto systems1365 * supported enctype, is supported by the client and is one of the1366 * enctype of the enctype of the krbtgt.1367 *1368 * The later is used as a hint what enctype all KDC are supporting1369 * to make sure a newer version of KDC wont generate a session1370 * enctype that and older version of a KDC in the same realm can't1371 * decrypt.1372 *1373 * But if the KDC admin is paranoid and doesn't want to have "no1374 * the best" enctypes on the krbtgt, lets save the best pick from1375 * the client list and hope that that will work for any other1376 * KDCs.1377 */1378 {1379 const krb5_enctype *p;1380 krb5_enctype clientbest = ETYPE_NULL;1381 int i, j;1382 1383 p = krb5_kerberos_enctypes(context);1384 1385 sessionetype = ETYPE_NULL;1386 1387 for (i = 0; p[i] != ETYPE_NULL && sessionetype == ETYPE_NULL; i++) {1388 if (krb5_enctype_valid(context, p[i]) != 0)1389 continue;1390 1391 for (j = 0; j < b->etype.len && sessionetype == ETYPE_NULL; j++) {1392 Key *dummy;1393 /* check with client */1394 if (p[i] != b->etype.val[j])1395 continue;1396 /* save best of union of { client, crypto system } */1397 if (clientbest == ETYPE_NULL)1398 clientbest = p[i];1399 /* check with krbtgt */1400 ret = hdb_enctype2key(context, &server->entry, p[i], &dummy);1401 if (ret)1402 continue;1403 sessionetype = p[i];1404 }1405 }1406 /* if krbtgt had no shared keys with client, pick clients best */1407 if (clientbest != ETYPE_NULL && sessionetype == ETYPE_NULL) {1408 sessionetype = clientbest;1409 } else if (sessionetype == ETYPE_NULL) {1410 kdc_log(context, config, 0,1411 "Client (%s) from %s has no common enctypes with KDC"1412 "to use for the session key",1413 client_name, from);1414 goto out;1415 }1416 }1417 1418 log_as_req(context, config, cetype, setype, b);1419 1420 1429 if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey 1421 1430 || (f.request_anonymous && !config->allow_anonymous)) { 1422 1431 ret = KRB5KDC_ERR_BADOPTION; 1432 e_text = "Bad KDC options"; 1423 1433 kdc_log(context, config, 0, "Bad KDC options -- %s", client_name); 1424 1434 goto out; … … 1450 1460 et.flags.forwardable = f.forwardable; 1451 1461 else if (f.forwardable) { 1462 e_text = "Ticket may not be forwardable"; 1452 1463 ret = KRB5KDC_ERR_POLICY; 1453 1464 kdc_log(context, config, 0, … … 1458 1469 et.flags.proxiable = f.proxiable; 1459 1470 else if (f.proxiable) { 1471 e_text = "Ticket may not be proxiable"; 1460 1472 ret = KRB5KDC_ERR_POLICY; 1461 1473 kdc_log(context, config, 0, … … 1466 1478 et.flags.may_postdate = f.allow_postdate; 1467 1479 else if (f.allow_postdate){ 1480 e_text = "Ticket may not be postdate"; 1468 1481 ret = KRB5KDC_ERR_POLICY; 1469 1482 kdc_log(context, config, 0, … … 1474 1487 /* check for valid set of addresses */ 1475 1488 if(!_kdc_check_addresses(context, config, b->addresses, from_addr)) { 1489 e_text = "Bad address list in requested"; 1476 1490 ret = KRB5KRB_AP_ERR_BADADDR; 1477 1491 kdc_log(context, config, 0, … … 1612 1626 } 1613 1627 1614 ALLOC(rep.padata);1615 rep.padata->len = 0;1616 rep.padata->val = NULL;1617 1618 1628 #if PKINIT 1619 1629 if (pkp) { … … 1630 1640 if (ret) 1631 1641 goto out; 1642 1632 1643 } else 1633 1644 #endif 1634 if (ckey) { 1635 reply_key = &ckey->key; 1645 { 1636 1646 ret = krb5_generate_random_keyblock(context, sessionetype, &et.key); 1637 1647 if (ret) 1638 1648 goto out; 1639 } else { 1649 } 1650 1651 if (reply_key == NULL) { 1640 1652 e_text = "Client have no reply key"; 1641 1653 ret = KRB5KDC_ERR_CLIENT_NOTYET; … … 1646 1658 if (ret) 1647 1659 goto out; 1648 1649 if (ckey)1650 set_salt_padata (rep.padata, ckey->salt);1651 1660 1652 1661 /* Add signing of alias referral */ … … 1748 1757 server, 1749 1758 setype, 1759 client->entry.principal, 1750 1760 NULL, 1751 1761 NULL, … … 1754 1764 goto out; 1755 1765 1766 log_as_req(context, config, reply_key->keytype, setype, b); 1767 1756 1768 ret = _kdc_encode_reply(context, config, 1757 1769 &rep, &et, &ek, setype, server->entry.kvno, 1758 1770 &skey->key, client->entry.kvno, 1759 reply_key, &e_text, reply);1771 reply_key, 0, &e_text, reply); 1760 1772 free_EncTicketPart(&et); 1761 1773 free_EncKDCRepPart(&ek); … … 1772 1784 out: 1773 1785 free_AS_REP(&rep); 1774 if(ret ){1786 if(ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE){ 1775 1787 krb5_mk_error(context, 1776 1788 ret, -
trunk/server/source4/heimdal/kdc/krb5tgs.c
r414 r745 34 34 #include "kdc_locl.h" 35 35 36 RCSID("$Id$");37 38 36 /* 39 37 * return the realm of a krbtgt-ticket or NULL … … 107 105 hdb_entry_ex *krbtgt, 108 106 krb5_enctype enctype, 107 krb5_principal client, 109 108 krb5_const_principal server, 110 109 krb5_principals principals, … … 126 125 KRB5SignedPathData spd; 127 126 128 spd.encticket = *tkt; 127 spd.client = client; 128 spd.authtime = tkt->authtime; 129 129 spd.delegated = principals; 130 spd.method_data = NULL; 130 131 131 132 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length, … … 154 155 sp.etype = enctype; 155 156 sp.delegated = principals; 157 sp.method_data = NULL; 156 158 157 159 ret = krb5_create_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, 0, … … 186 188 krb5_kdc_configuration *config, 187 189 hdb_entry_ex *krbtgt, 190 krb5_principal cp, 188 191 EncTicketPart *tkt, 189 192 krb5_principals *delegated, … … 201 204 KRB5SignedPathData spd; 202 205 KRB5SignedPath sp; 203 AuthorizationData *ad;204 206 size_t size; 205 207 … … 209 211 return ret; 210 212 211 spd.encticket = *tkt; 212 /* the KRB5SignedPath is the last entry */ 213 ad = spd.encticket.authorization_data; 214 if (--ad->len == 0) 215 spd.encticket.authorization_data = NULL; 213 spd.client = cp; 214 spd.authtime = tkt->authtime; 216 215 spd.delegated = sp.delegated; 216 spd.method_data = sp.method_data; 217 217 218 218 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length, 219 219 &spd, &size, ret); 220 ad->len++;221 spd.encticket.authorization_data = ad;222 220 if (ret) { 223 221 free_KRB5SignedPath(&sp); … … 245 243 if (ret) { 246 244 free_KRB5SignedPath(&sp); 247 return ret; 245 kdc_log(context, config, 5, 246 "KRB5SignedPath not signed correctly, not marking as signed"); 247 return 0; 248 248 } 249 249 … … 282 282 hdb_entry_ex *client, 283 283 hdb_entry_ex *server, 284 hdb_entry_ex *krbtgt, 284 285 const EncryptionKey *server_key, 285 const EncryptionKey *krbtgt_key, 286 const EncryptionKey *krbtgt_check_key, 287 const EncryptionKey *krbtgt_sign_key, 286 288 EncTicketPart *tkt, 287 289 krb5_data *rspac, … … 313 315 314 316 if (child.val[j].ad_type == KRB5_AUTHDATA_WIN2K_PAC) { 317 int signed_pac = 0; 315 318 krb5_pac pac; 316 319 … … 326 329 ret = krb5_pac_verify(context, pac, tkt->authtime, 327 330 client_principal, 328 krbtgt_ key, NULL);331 krbtgt_check_key, NULL); 329 332 if (ret) { 330 333 krb5_pac_free(context, pac); … … 333 336 334 337 ret = _kdc_pac_verify(context, client_principal, 335 client, server, &pac);338 client, server, krbtgt, &pac, &signed_pac); 336 339 if (ret) { 337 340 krb5_pac_free(context, pac); 338 341 return ret; 339 342 } 340 *signedpath = 1; 341 342 ret = _krb5_pac_sign(context, pac, tkt->authtime, 343 client_principal, 344 server_key, krbtgt_key, rspac); 345 343 344 /* 345 * Only re-sign PAC if we could verify it with the PAC 346 * function. The no-verify case happens when we get in 347 * a PAC from cross realm from a Windows domain and 348 * that there is no PAC verification function. 349 */ 350 if (signed_pac) { 351 *signedpath = 1; 352 ret = _krb5_pac_sign(context, pac, tkt->authtime, 353 client_principal, 354 server_key, krbtgt_sign_key, rspac); 355 } 346 356 krb5_pac_free(context, pac); 347 357 348 358 return ret; 349 359 } … … 448 458 449 459 if(f.renewable){ 450 if(!tgt->flags.renewable ){460 if(!tgt->flags.renewable || tgt->renew_till == NULL){ 451 461 kdc_log(context, config, 0, 452 462 "Bad request for renewable ticket"); … … 487 497 488 498 /* 489 * 499 * Determine if constrained delegation is allowed from this client to this server 490 500 */ 491 501 … … 526 536 kdc_log(context, config, 0, 527 537 "Bad request for constrained delegation"); 538 return ret; 539 } 540 541 /* 542 * Determine if s4u2self is allowed from this client to this server 543 * 544 * For example, regardless of the principal being impersonated, if the 545 * 'client' and 'server' are the same, then it's safe. 546 */ 547 548 static krb5_error_code 549 check_s4u2self(krb5_context context, 550 krb5_kdc_configuration *config, 551 HDB *clientdb, 552 hdb_entry_ex *client, 553 krb5_const_principal server) 554 { 555 krb5_error_code ret; 556 557 /* if client does a s4u2self to itself, that ok */ 558 if (krb5_principal_compare(context, client->entry.principal, server) == TRUE) 559 return 0; 560 561 if (clientdb->hdb_check_s4u2self) { 562 ret = clientdb->hdb_check_s4u2self(context, clientdb, client, server); 563 if (ret == 0) 564 return 0; 565 } else { 566 ret = KRB5KDC_ERR_BADOPTION; 567 } 528 568 return ret; 529 569 } … … 670 710 krb5_const_principal tgt_name, 671 711 const EncTicketPart *tgt, 712 const krb5_keyblock *replykey, 713 int rk_is_subkey, 672 714 const EncryptionKey *serverkey, 673 715 const krb5_keyblock *sessionkey, … … 769 811 } 770 812 if(f.renewable_ok && tgt->flags.renewable && 771 et.renew_till == NULL && et.endtime < *b->till){ 813 et.renew_till == NULL && et.endtime < *b->till && 814 tgt->renew_till != NULL) 815 { 772 816 et.flags.renewable = 1; 773 817 ALLOC(et.renew_till); … … 822 866 823 867 /* XXX check authdata */ 868 824 869 if (et.authorization_data == NULL) { 825 ret = ENOMEM; 826 krb5_set_error_message(context, ret, "malloc: out of memory"); 827 goto out; 870 et.authorization_data = calloc(1, sizeof(*et.authorization_data)); 871 if (et.authorization_data == NULL) { 872 ret = ENOMEM; 873 krb5_set_error_message(context, ret, "malloc: out of memory"); 874 goto out; 875 } 828 876 } 829 877 for(i = 0; i < auth_data->len ; i++) { … … 885 933 krbtgt, 886 934 krbtgt_etype, 935 client_principal, 887 936 NULL, 888 937 spp, … … 925 974 &rep, &et, &ek, et.key.keytype, 926 975 kvno, 927 serverkey, 0, &tgt->key, e_text, reply); 976 serverkey, 0, replykey, rk_is_subkey, 977 e_text, reply); 928 978 if (is_weak) 929 979 krb5_enctype_disable(context, et.key.keytype); … … 986 1036 ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret); 987 1037 if(ret){ 988 kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", 989 krb5_get_err_text(context, ret)); 1038 const char *msg = krb5_get_error_message(context, ret); 1039 kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", msg); 1040 krb5_free_error_message(context, msg); 990 1041 goto out; 991 1042 } … … 999 1050 ret = krb5_crypto_init(context, key, 0, &crypto); 1000 1051 if (ret) { 1052 const char *msg = krb5_get_error_message(context, ret); 1001 1053 free(buf); 1002 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", 1003 krb5_get_err_text(context, ret));1054 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg); 1055 krb5_free_error_message(context, msg); 1004 1056 goto out; 1005 1057 } … … 1013 1065 krb5_crypto_destroy(context, crypto); 1014 1066 if(ret){ 1067 const char *msg = krb5_get_error_message(context, ret); 1015 1068 kdc_log(context, config, 0, 1016 "Failed to verify authenticator checksum: %s", 1017 krb5_get_err_text(context, ret));1069 "Failed to verify authenticator checksum: %s", msg); 1070 krb5_free_error_message(context, msg); 1018 1071 } 1019 1072 out: … … 1075 1128 time_t **csec, 1076 1129 int **cusec, 1077 AuthorizationData **auth_data) 1130 AuthorizationData **auth_data, 1131 krb5_keyblock **replykey, 1132 int *rk_is_subkey) 1078 1133 { 1079 1134 krb5_ap_req ap_req; … … 1085 1140 krb5_crypto crypto; 1086 1141 Key *tkey; 1142 krb5_keyblock *subkey = NULL; 1143 unsigned usage; 1087 1144 1088 1145 *auth_data = NULL; 1089 1146 *csec = NULL; 1090 1147 *cusec = NULL; 1148 *replykey = NULL; 1091 1149 1092 1150 memset(&ap_req, 0, sizeof(ap_req)); 1093 1151 ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req); 1094 1152 if(ret){ 1095 kdc_log(context, config, 0, "Failed to decode AP-REQ: %s", 1096 krb5_get_err_text(context, ret)); 1153 const char *msg = krb5_get_error_message(context, ret); 1154 kdc_log(context, config, 0, "Failed to decode AP-REQ: %s", msg); 1155 krb5_free_error_message(context, msg); 1097 1156 goto out; 1098 1157 } … … 1110 1169 ap_req.ticket.realm); 1111 1170 1112 ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, NULL, krbtgt); 1113 1114 if(ret) { 1171 ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, ap_req.ticket.enc_part.kvno, NULL, krbtgt); 1172 1173 if(ret == HDB_ERR_NOT_FOUND_HERE) { 1174 char *p; 1175 ret = krb5_unparse_name(context, princ, &p); 1176 if (ret != 0) 1177 p = "<unparse_name failed>"; 1178 krb5_free_principal(context, princ); 1179 kdc_log(context, config, 5, "Ticket-granting ticket account %s does not have secrets at this KDC, need to proxy", p); 1180 if (ret == 0) 1181 free(p); 1182 ret = HDB_ERR_NOT_FOUND_HERE; 1183 goto out; 1184 } else if(ret){ 1185 const char *msg = krb5_get_error_message(context, ret); 1115 1186 char *p; 1116 1187 ret = krb5_unparse_name(context, princ, &p); … … 1119 1190 krb5_free_principal(context, princ); 1120 1191 kdc_log(context, config, 0, 1121 "Ticket-granting ticket not found in database: %s : %s",1122 p, krb5_get_err_text(context, ret));1192 "Ticket-granting ticket not found in database: %s", msg); 1193 krb5_free_error_message(context, msg); 1123 1194 if (ret == 0) 1124 1195 free(p); … … 1182 1253 krb5_free_principal(context, princ); 1183 1254 if(ret) { 1184 kdc_log(context, config, 0, "Failed to verify AP-REQ: %s", 1185 krb5_get_err_text(context, ret)); 1255 const char *msg = krb5_get_error_message(context, ret); 1256 kdc_log(context, config, 0, "Failed to verify AP-REQ: %s", msg); 1257 krb5_free_error_message(context, msg); 1186 1258 goto out; 1187 1259 } … … 1217 1289 } 1218 1290 1291 usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY; 1292 *rk_is_subkey = 1; 1293 1294 ret = krb5_auth_con_getremotesubkey(context, ac, &subkey); 1295 if(ret){ 1296 const char *msg = krb5_get_error_message(context, ret); 1297 krb5_auth_con_free(context, ac); 1298 kdc_log(context, config, 0, "Failed to get remote subkey: %s", msg); 1299 krb5_free_error_message(context, msg); 1300 goto out; 1301 } 1302 if(subkey == NULL){ 1303 usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION; 1304 *rk_is_subkey = 0; 1305 1306 ret = krb5_auth_con_getkey(context, ac, &subkey); 1307 if(ret) { 1308 const char *msg = krb5_get_error_message(context, ret); 1309 krb5_auth_con_free(context, ac); 1310 kdc_log(context, config, 0, "Failed to get session key: %s", msg); 1311 krb5_free_error_message(context, msg); 1312 goto out; 1313 } 1314 } 1315 if(subkey == NULL){ 1316 krb5_auth_con_free(context, ac); 1317 kdc_log(context, config, 0, 1318 "Failed to get key for enc-authorization-data"); 1319 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ 1320 goto out; 1321 } 1322 1323 *replykey = subkey; 1324 1219 1325 if (b->enc_authorization_data) { 1220 unsigned usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;1221 krb5_keyblock *subkey;1222 1326 krb5_data ad; 1223 1327 1224 ret = krb5_auth_con_getremotesubkey(context, ac, &subkey); 1225 if(ret){ 1328 ret = krb5_crypto_init(context, subkey, 0, &crypto); 1329 if (ret) { 1330 const char *msg = krb5_get_error_message(context, ret); 1226 1331 krb5_auth_con_free(context, ac); 1227 kdc_log(context, config, 0, "Failed to get remote subkey: %s", 1228 krb5_get_err_text(context, ret)); 1229 goto out; 1230 } 1231 if(subkey == NULL){ 1232 usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION; 1233 ret = krb5_auth_con_getkey(context, ac, &subkey); 1234 if(ret) { 1235 krb5_auth_con_free(context, ac); 1236 kdc_log(context, config, 0, "Failed to get session key: %s", 1237 krb5_get_err_text(context, ret)); 1238 goto out; 1239 } 1240 } 1241 if(subkey == NULL){ 1242 krb5_auth_con_free(context, ac); 1243 kdc_log(context, config, 0, 1244 "Failed to get key for enc-authorization-data"); 1245 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ 1246 goto out; 1247 } 1248 ret = krb5_crypto_init(context, subkey, 0, &crypto); 1249 krb5_free_keyblock(context, subkey); 1250 if (ret) { 1251 krb5_auth_con_free(context, ac); 1252 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", 1253 krb5_get_err_text(context, ret)); 1332 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg); 1333 krb5_free_error_message(context, msg); 1254 1334 goto out; 1255 1335 } … … 1375 1455 hdb_entry_ex *krbtgt, 1376 1456 krb5_enctype krbtgt_etype, 1457 const krb5_keyblock *replykey, 1458 int rk_is_subkey, 1377 1459 krb5_ticket *ticket, 1378 1460 krb5_data *reply, … … 1385 1467 krb5_principal cp = NULL, sp = NULL; 1386 1468 krb5_principal client_principal = NULL; 1469 krb5_principal krbtgt_principal = NULL; 1387 1470 char *spn = NULL, *cpn = NULL; 1388 hdb_entry_ex *server = NULL, *client = NULL ;1389 HDB *clientdb ;1471 hdb_entry_ex *server = NULL, *client = NULL, *s4u2self_impersonated_client = NULL; 1472 HDB *clientdb, *s4u2self_impersonated_clientdb; 1390 1473 krb5_realm ref_realm = NULL; 1391 1474 EncTicketPart *tgt = &ticket->ticket; … … 1396 1479 krb5_data rspac; 1397 1480 1481 hdb_entry_ex *krbtgt_out = NULL; 1482 1398 1483 METHOD_DATA enc_pa_data; 1399 1484 … … 1405 1490 int signedpath = 0; 1406 1491 1407 Key *tkey; 1492 Key *tkey_check; 1493 Key *tkey_sign; 1408 1494 1409 1495 memset(&sessionkey, 0, sizeof(sessionkey)); … … 1437 1523 _krb5_principalname2krb5_principal(context, &p, t->sname, t->realm); 1438 1524 ret = _kdc_db_fetch(context, config, p, 1439 HDB_F_GET_ CLIENT|HDB_F_GET_SERVER,1525 HDB_F_GET_KRBTGT, t->enc_part.kvno, 1440 1526 NULL, &uu); 1441 1527 krb5_free_principal(context, p); … … 1490 1576 server_lookup: 1491 1577 ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | HDB_F_CANON, 1492 NULL, &server); 1493 1494 if(ret){ 1495 const char *new_rlm; 1578 NULL, NULL, &server); 1579 1580 if(ret == HDB_ERR_NOT_FOUND_HERE) { 1581 kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", sp); 1582 goto out; 1583 } else if(ret){ 1584 const char *new_rlm, *msg; 1496 1585 Realm req_rlm; 1497 1586 krb5_realm *realms; … … 1541 1630 krb5_free_host_realm(context, realms); 1542 1631 } 1632 msg = krb5_get_error_message(context, ret); 1543 1633 kdc_log(context, config, 0, 1544 "Server not found in database: %s: %s", spn, 1545 krb5_get_err_text(context, ret));1634 "Server not found in database: %s: %s", spn, msg); 1635 krb5_free_error_message(context, msg); 1546 1636 if (ret == HDB_ERR_NOENTRY) 1547 1637 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; 1548 1638 goto out; 1549 }1550 1551 ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,1552 &clientdb, &client);1553 if(ret) {1554 const char *krbtgt_realm;1555 1556 /*1557 * If the client belongs to the same realm as our krbtgt, it1558 * should exist in the local database.1559 *1560 */1561 1562 krbtgt_realm =1563 krb5_principal_get_comp_string(context,1564 krbtgt->entry.principal, 1);1565 1566 if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {1567 if (ret == HDB_ERR_NOENTRY)1568 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;1569 kdc_log(context, config, 1, "Client no longer in database: %s",1570 cpn);1571 goto out;1572 }1573 1574 kdc_log(context, config, 1, "Client not found in database: %s: %s",1575 cpn, krb5_get_err_text(context, ret));1576 1639 } 1577 1640 … … 1601 1664 Key *skey; 1602 1665 1603 ret = _kdc_find_etype(context, server, b->etype.val, b->etype.len,1604 &skey, &etype);1666 ret = _kdc_find_etype(context, server, 1667 b->etype.val, b->etype.len, &skey); 1605 1668 if(ret) { 1606 1669 kdc_log(context, config, 0, … … 1609 1672 } 1610 1673 ekey = &skey->key; 1674 etype = skey->key.keytype; 1611 1675 kvno = server->entry.kvno; 1612 1676 } … … 1623 1687 */ 1624 1688 1625 if (strcmp(krb5_principal_get_realm(context, sp), 1626 krb5_principal_get_comp_string(context, 1627 krbtgt->entry.principal, 1628 1)) != 0) { 1689 /* 1690 * Validate authoriation data 1691 */ 1692 1693 ret = hdb_enctype2key(context, &krbtgt->entry, 1694 krbtgt_etype, &tkey_check); 1695 if(ret) { 1696 kdc_log(context, config, 0, 1697 "Failed to find key for krbtgt PAC check"); 1698 goto out; 1699 } 1700 1701 /* Now refetch the primary krbtgt, and get the current kvno (the 1702 * sign check may have been on an old kvno, and the server may 1703 * have been an incoming trust) */ 1704 ret = krb5_make_principal(context, &krbtgt_principal, 1705 krb5_principal_get_comp_string(context, 1706 krbtgt->entry.principal, 1707 1), 1708 KRB5_TGS_NAME, 1709 krb5_principal_get_comp_string(context, 1710 krbtgt->entry.principal, 1711 1), NULL); 1712 if(ret) { 1713 kdc_log(context, config, 0, 1714 "Failed to generate krbtgt principal"); 1715 goto out; 1716 } 1717 1718 ret = _kdc_db_fetch(context, config, krbtgt_principal, HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out); 1719 krb5_free_principal(context, krbtgt_principal); 1720 if (ret) { 1721 krb5_error_code ret2; 1722 char *tpn, *tpn2; 1723 ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn); 1724 ret2 = krb5_unparse_name(context, krbtgt->entry.principal, &tpn2); 1725 kdc_log(context, config, 0, 1726 "Request with wrong krbtgt: %s, %s not found in our database", 1727 (ret == 0) ? tpn : "<unknown>", (ret2 == 0) ? tpn2 : "<unknown>"); 1728 if(ret == 0) 1729 free(tpn); 1730 if(ret2 == 0) 1731 free(tpn2); 1732 ret = KRB5KRB_AP_ERR_NOT_US; 1733 goto out; 1734 } 1735 1736 /* The first realm is the realm of the service, the second is 1737 * krbtgt/<this>/@REALM component of the krbtgt DN the request was 1738 * encrypted to. The redirection via the krbtgt_out entry allows 1739 * the DB to possibly correct the case of the realm (Samba4 does 1740 * this) before the strcmp() */ 1741 if (strcmp(krb5_principal_get_realm(context, server->entry.principal), 1742 krb5_principal_get_realm(context, krbtgt_out->entry.principal)) != 0) { 1629 1743 char *tpn; 1630 ret = krb5_unparse_name(context, krbtgt ->entry.principal, &tpn);1744 ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &tpn); 1631 1745 kdc_log(context, config, 0, 1632 1746 "Request with wrong krbtgt: %s", … … 1635 1749 free(tpn); 1636 1750 ret = KRB5KRB_AP_ERR_NOT_US; 1637 goto out; 1638 } 1639 1640 /* 1641 * Validate authoriation data 1642 */ 1643 1644 ret = hdb_enctype2key(context, &krbtgt->entry, 1645 krbtgt_etype, &tkey); 1751 } 1752 1753 ret = hdb_enctype2key(context, &krbtgt_out->entry, 1754 krbtgt_etype, &tkey_sign); 1646 1755 if(ret) { 1647 1756 kdc_log(context, config, 0, 1648 "Failed to find key for krbtgt PAC check"); 1649 goto out; 1757 "Failed to find key for krbtgt PAC signature"); 1758 goto out; 1759 } 1760 1761 ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON, 1762 NULL, &clientdb, &client); 1763 if(ret == HDB_ERR_NOT_FOUND_HERE) { 1764 /* This is OK, we are just trying to find out if they have 1765 * been disabled or deleted in the meantime, missing secrets 1766 * is OK */ 1767 } else if(ret){ 1768 const char *krbtgt_realm, *msg; 1769 1770 /* 1771 * If the client belongs to the same realm as our krbtgt, it 1772 * should exist in the local database. 1773 * 1774 */ 1775 1776 krbtgt_realm = krb5_principal_get_realm(context, krbtgt_out->entry.principal); 1777 1778 if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) { 1779 if (ret == HDB_ERR_NOENTRY) 1780 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; 1781 kdc_log(context, config, 1, "Client no longer in database: %s", 1782 cpn); 1783 goto out; 1784 } 1785 1786 msg = krb5_get_error_message(context, ret); 1787 kdc_log(context, config, 1, "Client not found in database: %s", msg); 1788 krb5_free_error_message(context, msg); 1650 1789 } 1651 1790 1652 1791 ret = check_PAC(context, config, cp, 1653 client, server, ekey, &tkey->key,1792 client, server, krbtgt, ekey, &tkey_check->key, &tkey_sign->key, 1654 1793 tgt, &rspac, &signedpath); 1655 1794 if (ret) { 1795 const char *msg = krb5_get_error_message(context, ret); 1656 1796 kdc_log(context, config, 0, 1657 1797 "Verify PAC failed for %s (%s) from %s with %s", 1658 spn, cpn, from, krb5_get_err_text(context, ret)); 1798 spn, cpn, from, msg); 1799 krb5_free_error_message(context, msg); 1659 1800 goto out; 1660 1801 } … … 1664 1805 config, 1665 1806 krbtgt, 1807 cp, 1666 1808 tgt, 1667 1809 &spp, 1668 1810 &signedpath); 1669 1811 if (ret) { 1812 const char *msg = krb5_get_error_message(context, ret); 1670 1813 kdc_log(context, config, 0, 1671 1814 "KRB5SignedPath check failed for %s (%s) from %s with %s", 1672 spn, cpn, from, krb5_get_err_text(context, ret)); 1815 spn, cpn, from, msg); 1816 krb5_free_error_message(context, msg); 1673 1817 goto out; 1674 1818 } … … 1706 1850 ret = krb5_crypto_init(context, &tgt->key, 0, &crypto); 1707 1851 if (ret) { 1852 const char *msg = krb5_get_error_message(context, ret); 1708 1853 free_PA_S4U2Self(&self); 1709 1854 krb5_data_free(&datack); 1710 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", 1711 krb5_get_err_text(context, ret));1855 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg); 1856 krb5_free_error_message(context, msg); 1712 1857 goto out; 1713 1858 } … … 1722 1867 krb5_crypto_destroy(context, crypto); 1723 1868 if (ret) { 1869 const char *msg = krb5_get_error_message(context, ret); 1724 1870 free_PA_S4U2Self(&self); 1725 1871 kdc_log(context, config, 0, 1726 "krb5_verify_checksum failed for S4U2Self: %s", 1727 krb5_get_err_text(context, ret));1872 "krb5_verify_checksum failed for S4U2Self: %s", msg); 1873 krb5_free_error_message(context, msg); 1728 1874 goto out; 1729 1875 } … … 1741 1887 goto out; 1742 1888 1889 /* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */ 1890 if(rspac.data) { 1891 krb5_pac p = NULL; 1892 krb5_data_free(&rspac); 1893 ret = _kdc_db_fetch(context, config, client_principal, HDB_F_GET_CLIENT | HDB_F_CANON, 1894 NULL, &s4u2self_impersonated_clientdb, &s4u2self_impersonated_client); 1895 if (ret) { 1896 const char *msg; 1897 1898 /* 1899 * If the client belongs to the same realm as our krbtgt, it 1900 * should exist in the local database. 1901 * 1902 */ 1903 1904 if (ret == HDB_ERR_NOENTRY) 1905 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; 1906 msg = krb5_get_error_message(context, ret); 1907 kdc_log(context, config, 1, "S2U4Self principal to impersonate %s not found in database: %s", cpn, msg); 1908 krb5_free_error_message(context, msg); 1909 goto out; 1910 } 1911 ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p); 1912 if (ret) { 1913 kdc_log(context, config, 0, "PAC generation failed for -- %s", 1914 selfcpn); 1915 goto out; 1916 } 1917 if (p != NULL) { 1918 ret = _krb5_pac_sign(context, p, ticket->ticket.authtime, 1919 s4u2self_impersonated_client->entry.principal, 1920 ekey, &tkey_sign->key, 1921 &rspac); 1922 krb5_pac_free(context, p); 1923 if (ret) { 1924 kdc_log(context, config, 0, "PAC signing failed for -- %s", 1925 selfcpn); 1926 goto out; 1927 } 1928 } 1929 } 1930 1743 1931 /* 1744 1932 * Check that service doing the impersonating is 1745 1933 * requesting a ticket to it-self. 1746 1934 */ 1747 if (krb5_principal_compare(context, cp, sp) != TRUE) { 1935 ret = check_s4u2self(context, config, clientdb, client, sp); 1936 if (ret) { 1748 1937 kdc_log(context, config, 0, "S4U2Self: %s is not allowed " 1749 "to impersonate some other user"1938 "to impersonate to service " 1750 1939 "(tried for user %s to service %s)", 1751 1940 cpn, selfcpn, spn); 1752 1941 free(selfcpn); 1753 ret = KRB5KDC_ERR_BADOPTION; /* ? */1754 1942 goto out; 1755 1943 } … … 1856 2044 config, 1857 2045 krbtgt, 2046 cp, 1858 2047 &adtkt, 1859 2048 NULL, … … 1862 2051 ret = KRB5KDC_ERR_BADOPTION; 1863 2052 if (ret) { 2053 const char *msg = krb5_get_error_message(context, ret); 1864 2054 kdc_log(context, config, 0, 1865 2055 "KRB5SignedPath check from service %s failed " 1866 2056 "for delegation to %s for client %s " 1867 2057 "from %s failed with %s", 1868 spn, str, cpn, from, krb5_get_err_text(context, ret)); 2058 spn, str, cpn, from, msg); 2059 krb5_free_error_message(context, msg); 1869 2060 free(str); 1870 2061 goto out; … … 1946 2137 client_principal, 1947 2138 tgt, 2139 replykey, 2140 rk_is_subkey, 1948 2141 ekey, 1949 2142 &sessionkey, … … 1951 2144 *auth_data, 1952 2145 server, 1953 s p,2146 server->entry.principal, 1954 2147 spn, 1955 2148 client, 1956 2149 cp, 1957 krbtgt ,2150 krbtgt_out, 1958 2151 krbtgt_etype, 1959 2152 spp, … … 1969 2162 krb5_data_free(&rspac); 1970 2163 krb5_free_keyblock_contents(context, &sessionkey); 2164 if(krbtgt_out) 2165 _kdc_free_ent(context, krbtgt_out); 1971 2166 if(server) 1972 2167 _kdc_free_ent(context, server); 1973 2168 if(client) 1974 2169 _kdc_free_ent(context, client); 2170 if(s4u2self_impersonated_client) 2171 _kdc_free_ent(context, s4u2self_impersonated_client); 1975 2172 1976 2173 if (client_principal && client_principal != cp) … … 2012 2209 krb5_enctype krbtgt_etype = ETYPE_NULL; 2013 2210 2211 krb5_keyblock *replykey = NULL; 2212 int rk_is_subkey = 0; 2014 2213 time_t *csec = NULL; 2015 2214 int *cusec = NULL; … … 2039 2238 from, from_addr, 2040 2239 &csec, &cusec, 2041 &auth_data); 2240 &auth_data, 2241 &replykey, 2242 &rk_is_subkey); 2243 if (ret == HDB_ERR_NOT_FOUND_HERE) { 2244 /* kdc_log() is called in tgs_parse_request() */ 2245 goto out; 2246 } 2042 2247 if (ret) { 2043 2248 kdc_log(context, config, 0, … … 2052 2257 krbtgt, 2053 2258 krbtgt_etype, 2259 replykey, 2260 rk_is_subkey, 2054 2261 ticket, 2055 2262 data, … … 2072 2279 2073 2280 out: 2074 if(ret && data->data == NULL){ 2281 if (replykey) 2282 krb5_free_keyblock(context, replykey); 2283 if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){ 2075 2284 krb5_mk_error(context, 2076 2285 ret, … … 2082 2291 cusec, 2083 2292 data); 2293 ret = 0; 2084 2294 } 2085 2295 free(csec); … … 2095 2305 } 2096 2306 2097 return 0;2307 return ret; 2098 2308 } -
trunk/server/source4/heimdal/kdc/kx509.c
r414 r745 144 144 krb5_data *certificate) 145 145 { 146 hx509_context hxctx = NULL;147 146 hx509_ca_tbs tbs = NULL; 148 147 hx509_env env = NULL; … … 156 155 } 157 156 158 ret = hx509_context_init(&hxctx); 159 if (ret) 160 goto out; 161 162 ret = hx509_env_add(hxctx, &env, "principal-name", 157 ret = hx509_env_add(context->hx509ctx, &env, "principal-name", 163 158 krb5_principal_get_comp_string(context, principal, 0)); 164 159 if (ret) … … 169 164 hx509_query *q; 170 165 171 ret = hx509_certs_init( hxctx, config->kx509_ca, 0,166 ret = hx509_certs_init(context->hx509ctx, config->kx509_ca, 0, 172 167 NULL, &certs); 173 168 if (ret) { … … 176 171 goto out; 177 172 } 178 ret = hx509_query_alloc( hxctx, &q);173 ret = hx509_query_alloc(context->hx509ctx, &q); 179 174 if (ret) { 180 175 hx509_certs_free(&certs); … … 185 180 hx509_query_match_option(q, HX509_QUERY_OPTION_KU_KEYCERTSIGN); 186 181 187 ret = hx509_certs_find( hxctx, certs, q, &signer);188 hx509_query_free( hxctx, q);182 ret = hx509_certs_find(context->hx509ctx, certs, q, &signer); 183 hx509_query_free(context->hx509ctx, q); 189 184 hx509_certs_free(&certs); 190 185 if (ret) { … … 195 190 } 196 191 197 ret = hx509_ca_tbs_init( hxctx, &tbs);192 ret = hx509_ca_tbs_init(context->hx509ctx, &tbs); 198 193 if (ret) 199 194 goto out; … … 215 210 spki.algorithm.parameters = &any; 216 211 217 ret = hx509_ca_tbs_set_spki( hxctx, tbs, &spki);212 ret = hx509_ca_tbs_set_spki(context->hx509ctx, tbs, &spki); 218 213 der_free_oid(&spki.algorithm.algorithm); 219 214 if (ret) … … 225 220 hx509_cert template; 226 221 227 ret = hx509_certs_init( hxctx, config->kx509_template, 0,222 ret = hx509_certs_init(context->hx509ctx, config->kx509_template, 0, 228 223 NULL, &certs); 229 224 if (ret) { … … 232 227 goto out; 233 228 } 234 ret = hx509_get_one_cert( hxctx, certs, &template);229 ret = hx509_get_one_cert(context->hx509ctx, certs, &template); 235 230 hx509_certs_free(&certs); 236 231 if (ret) { … … 239 234 goto out; 240 235 } 241 ret = hx509_ca_tbs_set_template( hxctx, tbs,236 ret = hx509_ca_tbs_set_template(context->hx509ctx, tbs, 242 237 HX509_CA_TEMPLATE_SUBJECT| 243 238 HX509_CA_TEMPLATE_KU| … … 249 244 } 250 245 251 hx509_ca_tbs_set_notAfter( hxctx, tbs, endtime);252 253 hx509_ca_tbs_subject_expand( hxctx, tbs, env);246 hx509_ca_tbs_set_notAfter(context->hx509ctx, tbs, endtime); 247 248 hx509_ca_tbs_subject_expand(context->hx509ctx, tbs, env); 254 249 hx509_env_free(&env); 255 250 256 ret = hx509_ca_sign( hxctx, tbs, signer, &cert);251 ret = hx509_ca_sign(context->hx509ctx, tbs, signer, &cert); 257 252 hx509_cert_free(signer); 258 253 if (ret) … … 261 256 hx509_ca_tbs_free(&tbs); 262 257 263 ret = hx509_cert_binary( hxctx, cert, certificate);258 ret = hx509_cert_binary(context->hx509ctx, cert, certificate); 264 259 hx509_cert_free(cert); 265 260 if (ret) 266 261 goto out; 267 262 268 hx509_context_free(&hxctx);269 270 263 return 0; 271 264 out: … … 276 269 if (signer) 277 270 hx509_cert_free(signer); 278 if (hxctx)279 hx509_context_free(&hxctx);280 271 krb5_set_error_message(context, ret, "cert creation failed"); 281 272 return ret; … … 355 346 krb5_free_principal(context, principal); 356 347 if (ret != TRUE) { 348 char *expected, *used; 349 350 ret = krb5_unparse_name(context, sprincipal, &expected); 351 if (ret) 352 goto out; 353 ret = krb5_unparse_name(context, principal, &used); 354 if (ret) { 355 krb5_xfree(expected); 356 goto out; 357 } 358 357 359 ret = KRB5KDC_ERR_SERVER_NOMATCH; 358 360 krb5_set_error_message(context, ret, 359 "User %s used wrong Kx509 service principal", 360 cname); 361 "User %s used wrong Kx509 service " 362 "principal, expected: %s, used %s", 363 cname, expected, used); 364 krb5_xfree(expected); 365 krb5_xfree(used); 361 366 goto out; 362 367 } -
trunk/server/source4/heimdal/kdc/log.c
r414 r745 3 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 4 * All rights reserved. 5 * 6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved. 5 7 * 6 8 * Redistribution and use in source and binary forms, with or without … … 33 35 34 36 #include "kdc_locl.h" 35 RCSID("$Id$");36 37 37 38 void 38 39 kdc_openlog(krb5_context context, 40 const char *service, 39 41 krb5_kdc_configuration *config) 40 42 { 41 43 char **s = NULL, **p; 42 44 krb5_initlog(context, "kdc", &config->logf); 43 s = krb5_config_get_strings(context, NULL, "kdc", "logging", NULL);45 s = krb5_config_get_strings(context, NULL, service, "logging", NULL); 44 46 if(s == NULL) 45 s = krb5_config_get_strings(context, NULL, "logging", "kdc", NULL);47 s = krb5_config_get_strings(context, NULL, "logging", service, NULL); 46 48 if(s){ 47 49 for(p = s; *p; p++) -
trunk/server/source4/heimdal/kdc/misc.c
r414 r745 34 34 #include "kdc_locl.h" 35 35 36 RCSID("$Id$");37 38 36 struct timeval _kdc_now; 39 37 … … 43 41 krb5_const_principal principal, 44 42 unsigned flags, 43 krb5int32 *kvno_ptr, 45 44 HDB **db, 46 45 hdb_entry_ex **h) 47 46 { 48 47 hdb_entry_ex *ent; 49 krb5_error_code ret ;48 krb5_error_code ret = HDB_ERR_NOENTRY; 50 49 int i; 50 unsigned kvno = 0; 51 52 if (kvno_ptr) { 53 kvno = *kvno_ptr; 54 flags |= HDB_F_KVNO_SPECIFIED; 55 } 51 56 52 57 ent = calloc (1, sizeof (*ent)); … … 81 86 ret = config->db[i]->hdb_open(context, config->db[i], O_RDONLY, 0); 82 87 if (ret) { 83 kdc_log(context, config, 0, "Failed to open database: %s", 84 krb5_get_err_text(context, ret)); 88 const char *msg = krb5_get_error_message(context, ret); 89 kdc_log(context, config, 0, "Failed to open database: %s", msg); 90 krb5_free_error_message(context, msg); 85 91 continue; 86 92 } 87 93 88 ret = config->db[i]->hdb_fetch(context, 89 config->db[i], 90 principal, 91 flags | HDB_F_DECRYPT, 92 ent); 94 ret = config->db[i]->hdb_fetch_kvno(context, 95 config->db[i], 96 principal, 97 flags | HDB_F_DECRYPT, 98 kvno, 99 ent); 100 93 101 krb5_free_principal(context, enterprise_principal); 94 102 … … 102 110 } 103 111 free(ent); 104 krb5_set_error_message(context, HDB_ERR_NOENTRY,112 krb5_set_error_message(context, ret, 105 113 "no such entry found in hdb"); 106 return HDB_ERR_NOENTRY;114 return ret; 107 115 } 108 116 -
trunk/server/source4/heimdal/kdc/pkinit.c
r414 r745 3 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 4 * All rights reserved. 5 * 6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved. 5 7 * 6 8 * Redistribution and use in source and binary forms, with or without … … 34 36 #include "kdc_locl.h" 35 37 36 RCSID("$Id$");37 38 38 #ifdef PKINIT 39 39 … … 228 228 } 229 229 230 dh_gen_keylen = DH_size(client_params->u.dh.key); 231 size = BN_num_bytes(client_params->u.dh.key->p); 232 if (size < dh_gen_keylen) 233 size = dh_gen_keylen; 230 size = DH_size(client_params->u.dh.key); 234 231 235 232 dh_gen_key = malloc(size); … … 239 236 goto out; 240 237 } 241 memset(dh_gen_key, 0, size - dh_gen_keylen); 242 243 dh_gen_keylen = DH_compute_key(dh_gen_key + (size - dh_gen_keylen), 244 client_params->u.dh.public_key, 245 client_params->u.dh.key); 238 239 dh_gen_keylen = DH_compute_key(dh_gen_key,client_params->u.dh.public_key, client_params->u.dh.key); 246 240 if (dh_gen_keylen == -1) { 247 241 ret = KRB5KRB_ERR_GENERIC; … … 250 244 goto out; 251 245 } 246 if (dh_gen_keylen < size) { 247 size -= dh_gen_keylen; 248 memmove(dh_gen_key + size, dh_gen_key, dh_gen_keylen); 249 memset(dh_gen_key, 0, size); 250 } 251 252 252 ret = 0; 253 253 #ifdef HAVE_OPENSSL … … 518 518 } 519 519 520 ret = hx509_certs_init( kdc_identity->hx509ctx,520 ret = hx509_certs_init(context->hx509ctx, 521 521 "MEMORY:trust-anchors", 522 522 0, NULL, &trust_anchors); … … 526 526 } 527 527 528 ret = hx509_certs_merge( kdc_identity->hx509ctx, trust_anchors,528 ret = hx509_certs_merge(context->hx509ctx, trust_anchors, 529 529 kdc_identity->anchors); 530 530 if (ret) { … … 541 541 542 542 for (i = 0; i < pc->len; i++) { 543 ret = hx509_cert_init_data( kdc_identity->hx509ctx,543 ret = hx509_cert_init_data(context->hx509ctx, 544 544 pc->val[i].cert.data, 545 545 pc->val[i].cert.length, … … 547 547 if (ret) 548 548 continue; 549 hx509_certs_add( kdc_identity->hx509ctx, trust_anchors, cert);549 hx509_certs_add(context->hx509ctx, trust_anchors, cert); 550 550 hx509_cert_free(cert); 551 551 } 552 552 } 553 553 554 ret = hx509_verify_init_ctx( kdc_identity->hx509ctx, &cp->verify_ctx);554 ret = hx509_verify_init_ctx(context->hx509ctx, &cp->verify_ctx); 555 555 if (ret) { 556 556 hx509_certs_free(&trust_anchors); … … 619 619 unsigned int i, maxedi; 620 620 621 ret = hx509_certs_init( kdc_identity->hx509ctx,621 ret = hx509_certs_init(context->hx509ctx, 622 622 "MEMORY:client-anchors", 623 623 0, NULL, … … 646 646 continue; 647 647 648 ret = hx509_query_alloc( kdc_identity->hx509ctx, &q);648 ret = hx509_query_alloc(context->hx509ctx, &q); 649 649 if (ret) { 650 650 krb5_set_error_message(context, ret, … … 658 658 &size); 659 659 if (ret) { 660 hx509_query_free( kdc_identity->hx509ctx, q);660 hx509_query_free(context->hx509ctx, q); 661 661 continue; 662 662 } … … 664 664 free_IssuerAndSerialNumber(&iasn); 665 665 if (ret) { 666 hx509_query_free( kdc_identity->hx509ctx, q);666 hx509_query_free(context->hx509ctx, q); 667 667 continue; 668 668 } 669 669 670 ret = hx509_certs_find( kdc_identity->hx509ctx,670 ret = hx509_certs_find(context->hx509ctx, 671 671 kdc_identity->certs, 672 672 q, 673 673 &cert); 674 hx509_query_free( kdc_identity->hx509ctx, q);674 hx509_query_free(context->hx509ctx, q); 675 675 if (ret) 676 676 continue; 677 hx509_certs_add( kdc_identity->hx509ctx,677 hx509_certs_add(context->hx509ctx, 678 678 cp->client_anchors, cert); 679 679 hx509_cert_free(cert); … … 720 720 flags |= HX509_CMS_VS_ALLOW_ZERO_SIGNER; 721 721 722 ret = hx509_cms_verify_signed( kdc_identity->hx509ctx,722 ret = hx509_cms_verify_signed(context->hx509ctx, 723 723 cp->verify_ctx, 724 724 flags, … … 731 731 &signer_certs); 732 732 if (ret) { 733 char *s = hx509_get_error_string( kdc_identity->hx509ctx, ret);733 char *s = hx509_get_error_string(context->hx509ctx, ret); 734 734 krb5_warnx(context, "PKINIT: failed to verify signature: %s: %d", 735 735 s, ret); … … 739 739 740 740 if (signer_certs) { 741 ret = hx509_get_one_cert( kdc_identity->hx509ctx, signer_certs,741 ret = hx509_get_one_cert(context->hx509ctx, signer_certs, 742 742 &cp->cert); 743 743 hx509_certs_free(&signer_certs); … … 844 844 cp->keyex = USE_RSA; 845 845 846 ret = hx509_peer_info_alloc( kdc_identity->hx509ctx,846 ret = hx509_peer_info_alloc(context->hx509ctx, 847 847 &cp->peer); 848 848 if (ret) { … … 852 852 853 853 if (ap.supportedCMSTypes) { 854 ret = hx509_peer_info_set_cms_algs( kdc_identity->hx509ctx,854 ret = hx509_peer_info_set_cms_algs(context->hx509ctx, 855 855 cp->peer, 856 856 ap.supportedCMSTypes->val, … … 862 862 } else { 863 863 /* assume old client */ 864 hx509_peer_info_add_cms_alg( kdc_identity->hx509ctx, cp->peer,864 hx509_peer_info_add_cms_alg(context->hx509ctx, cp->peer, 865 865 hx509_crypto_des_rsdi_ede3_cbc()); 866 hx509_peer_info_add_cms_alg( kdc_identity->hx509ctx, cp->peer,866 hx509_peer_info_add_cms_alg(context->hx509ctx, cp->peer, 867 867 hx509_signature_rsa_with_sha1()); 868 hx509_peer_info_add_cms_alg( kdc_identity->hx509ctx, cp->peer,868 hx509_peer_info_add_cms_alg(context->hx509ctx, cp->peer, 869 869 hx509_signature_sha1()); 870 870 } … … 1017 1017 hx509_cert cert; 1018 1018 1019 ret = hx509_query_alloc( kdc_identity->hx509ctx, &q);1019 ret = hx509_query_alloc(context->hx509ctx, &q); 1020 1020 if (ret) 1021 1021 goto out; … … 1025 1025 hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name); 1026 1026 1027 ret = hx509_certs_find( kdc_identity->hx509ctx,1027 ret = hx509_certs_find(context->hx509ctx, 1028 1028 kdc_identity->certs, 1029 1029 q, 1030 1030 &cert); 1031 hx509_query_free( kdc_identity->hx509ctx, q);1031 hx509_query_free(context->hx509ctx, q); 1032 1032 if (ret) 1033 1033 goto out; 1034 1034 1035 ret = hx509_cms_create_signed_1( kdc_identity->hx509ctx,1035 ret = hx509_cms_create_signed_1(context->hx509ctx, 1036 1036 0, 1037 1037 sdAlg, … … 1061 1061 } 1062 1062 1063 ret = hx509_cms_envelope_1( kdc_identity->hx509ctx,1063 ret = hx509_cms_envelope_1(context->hx509ctx, 1064 1064 HX509_CMS_EV_NO_KU_CHECK, 1065 1065 cp->cert, … … 1173 1173 */ 1174 1174 1175 ret = hx509_query_alloc( kdc_identity->hx509ctx, &q);1175 ret = hx509_query_alloc(context->hx509ctx, &q); 1176 1176 if (ret) 1177 1177 goto out; … … 1181 1181 hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name); 1182 1182 1183 ret = hx509_certs_find( kdc_identity->hx509ctx,1183 ret = hx509_certs_find(context->hx509ctx, 1184 1184 kdc_identity->certs, 1185 1185 q, 1186 1186 &cert); 1187 hx509_query_free( kdc_identity->hx509ctx, q);1187 hx509_query_free(context->hx509ctx, q); 1188 1188 if (ret) 1189 1189 goto out; 1190 1190 1191 ret = hx509_cms_create_signed_1( kdc_identity->hx509ctx,1191 ret = hx509_cms_create_signed_1(context->hx509ctx, 1192 1192 0, 1193 1193 &asn1_oid_id_pkdhkeydata, … … 1380 1380 } 1381 1381 1382 ASN1_MALLOC_ENCODE(PA_PK_AS_REP, buf, len, &rep, &size, ret); 1382 #define use_btmm_with_enckey 0 1383 if (use_btmm_with_enckey && rep.element == choice_PA_PK_AS_REP_encKeyPack) { 1384 PA_PK_AS_REP_BTMM btmm; 1385 heim_any any; 1386 1387 any.data = rep.u.encKeyPack.data; 1388 any.length = rep.u.encKeyPack.length; 1389 1390 btmm.dhSignedData = NULL; 1391 btmm.encKeyPack = &any; 1392 1393 ASN1_MALLOC_ENCODE(PA_PK_AS_REP_BTMM, buf, len, &btmm, &size, ret); 1394 } else { 1395 ASN1_MALLOC_ENCODE(PA_PK_AS_REP, buf, len, &rep, &size, ret); 1396 } 1397 1383 1398 free_PA_PK_AS_REP(&rep); 1384 1399 if (ret) { … … 1510 1525 } 1511 1526 1512 ret = hx509_ocsp_verify( kdc_identity->hx509ctx,1527 ret = hx509_ocsp_verify(context->hx509ctx, 1513 1528 kdc_time, 1514 1529 kdc_cert, … … 1581 1596 &kn, &size); 1582 1597 if (ret) { 1598 const char *msg = krb5_get_error_message(context, ret); 1583 1599 kdc_log(context, config, 0, 1584 "Decoding kerberos name in certificate failed: %s", 1585 krb5_get_err_text(context, ret));1600 "Decoding kerberos name in certificate failed: %s", msg); 1601 krb5_free_error_message(context, msg); 1586 1602 break; 1587 1603 } … … 1645 1661 goto out; 1646 1662 } 1663 if (size != list.val[0].length) { 1664 free_MS_UPN_SAN(&upn); 1665 kdc_log(context, config, 0, "Trailing data in "); 1666 ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH; 1667 goto out; 1668 } 1647 1669 1648 1670 kdc_log(context, config, 0, "found MS UPN SAN: %s", upn); … … 1698 1720 } 1699 1721 1700 ret = hx509_cert_get_base_subject( kdc_identity->hx509ctx,1722 ret = hx509_cert_get_base_subject(context->hx509ctx, 1701 1723 cp->cert, 1702 1724 &name); … … 1719 1741 1720 1742 for (i = 0; i < pc->len; i++) { 1721 ret = hx509_cert_init_data( kdc_identity->hx509ctx,1743 ret = hx509_cert_init_data(context->hx509ctx, 1722 1744 pc->val[i].cert.data, 1723 1745 pc->val[i].cert.length, … … 1738 1760 if (config->pkinit_princ_in_cert) { 1739 1761 ret = match_rfc_san(context, config, 1740 kdc_identity->hx509ctx,1762 context->hx509ctx, 1741 1763 cp->cert, 1742 1764 client->entry.principal); … … 1747 1769 } 1748 1770 ret = match_ms_upn_san(context, config, 1749 kdc_identity->hx509ctx,1771 context->hx509ctx, 1750 1772 cp->cert, 1751 1773 clientdb, … … 1922 1944 1923 1945 krb5_error_code 1924 _kdc_pk_initialize(krb5_context context,1925 krb5_kdc_configuration *config,1926 const char *user_id,1927 const char *anchors,1928 char **pool,1929 char **revoke_list)1946 krb5_kdc_pk_initialize(krb5_context context, 1947 krb5_kdc_configuration *config, 1948 const char *user_id, 1949 const char *anchors, 1950 char **pool, 1951 char **revoke_list) 1930 1952 { 1931 1953 const char *file; … … 1945 1967 ret = _krb5_pk_load_id(context, 1946 1968 &kdc_identity, 1947 0,1948 1969 user_id, 1949 1970 anchors, … … 1963 1984 hx509_cert cert; 1964 1985 1965 ret = hx509_query_alloc( kdc_identity->hx509ctx, &q);1986 ret = hx509_query_alloc(context->hx509ctx, &q); 1966 1987 if (ret) { 1967 1988 krb5_warnx(context, "PKINIT: out of memory"); … … 1973 1994 hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name); 1974 1995 1975 ret = hx509_certs_find( kdc_identity->hx509ctx,1996 ret = hx509_certs_find(context->hx509ctx, 1976 1997 kdc_identity->certs, 1977 1998 q, 1978 1999 &cert); 1979 hx509_query_free( kdc_identity->hx509ctx, q);2000 hx509_query_free(context->hx509ctx, q); 1980 2001 if (ret == 0) { 1981 if (hx509_cert_check_eku( kdc_identity->hx509ctx, cert,2002 if (hx509_cert_check_eku(context->hx509ctx, cert, 1982 2003 &asn1_oid_id_pkkdcekuoid, 0)) { 1983 2004 hx509_name name; -
trunk/server/source4/heimdal/kdc/process.c
r414 r745 162 162 163 163 164 #ifdef KRB4165 166 static krb5_error_code167 kdc_524(krb5_context context,168 krb5_kdc_configuration *config,169 krb5_data *req_buffer,170 krb5_data *reply,171 const char *from,172 struct sockaddr *addr,173 int datagram_reply,174 int *claim)175 {176 krb5_error_code ret;177 Ticket ticket;178 size_t len;179 180 ret = decode_Ticket(req_buffer->data, req_buffer->length, &ticket, &len);181 if (ret)182 return ret;183 184 *claim = 1;185 186 ret = _kdc_do_524(context, config, &ticket, reply, from, addr);187 free_Ticket(&ticket);188 return ret;189 }190 191 static krb5_error_code192 kdc_krb4(krb5_context context,193 krb5_kdc_configuration *config,194 krb5_data *req_buffer,195 krb5_data *reply,196 const char *from,197 struct sockaddr *addr,198 int datagram_reply,199 int *claim)200 {201 if (_kdc_maybe_version4(req_buffer->data, req_buffer->length) == 0)202 return -1;203 204 *claim = 1;205 206 return _kdc_do_version4(context, config,207 req_buffer->data, req_buffer->length,208 reply, from,209 (struct sockaddr_in*)addr);210 }211 212 static krb5_error_code213 kdc_kaserver(krb5_context context,214 krb5_kdc_configuration *config,215 krb5_data *req_buffer,216 krb5_data *reply,217 const char *from,218 struct sockaddr *addr,219 int datagram_reply,220 int *claim)221 {222 if (config->enable_kaserver == 0)223 return -1;224 225 *claim = 1;226 227 return _kdc_do_kaserver(context, config,228 req_buffer->data, req_buffer->length,229 reply, from,230 (struct sockaddr_in*)addr);231 }232 233 #endif /* KRB4 */234 235 236 164 static struct krb5_kdc_service services[] = { 237 165 { KS_KRB5, kdc_as_req }, … … 242 170 #ifdef KX509 243 171 { 0, kdc_kx509 }, 244 #endif245 #ifdef KRB4246 { 0, kdc_524 },247 { KS_NO_LENGTH, kdc_krb4 },248 { 0, kdc_kaserver },249 172 #endif 250 173 { 0, NULL } -
trunk/server/source4/heimdal/kdc/windc.c
r414 r745 34 34 #include "kdc_locl.h" 35 35 36 RCSID("$Id$");37 38 36 static krb5plugin_windc_ftable *windcft; 39 37 static void *windcctx; … … 56 54 57 55 windcft = _krb5_plugin_get_symbol(e); 58 if (windcft->minor_version < KRB5_WINDC_PLUGIN G_MINOR)56 if (windcft->minor_version < KRB5_WINDC_PLUGIN_MINOR) 59 57 continue; 60 58 … … 62 60 break; 63 61 } 62 _krb5_plugin_free(list); 64 63 if (e == NULL) { 65 _krb5_plugin_free(list);66 64 krb5_set_error_message(context, ENOENT, "Did not find any WINDC plugin"); 67 65 windcft = NULL; … … 89 87 hdb_entry_ex *client, 90 88 hdb_entry_ex *server, 91 krb5_pac *pac) 89 hdb_entry_ex *krbtgt, 90 krb5_pac *pac, 91 int *verified) 92 92 { 93 if (windcft == NULL) { 94 krb5_set_error_message(context, EINVAL, "Can't verify PAC, no function"); 95 return EINVAL; 96 } 97 return (windcft->pac_verify)(windcctx, context, 98 client_principal, client, server, pac); 93 krb5_error_code ret; 94 95 if (windcft == NULL) 96 return 0; 97 98 ret = windcft->pac_verify(windcctx, context, 99 client_principal, client, server, krbtgt, pac); 100 if (ret == 0) 101 *verified = 1; 102 return ret; 99 103 } 100 104 -
trunk/server/source4/heimdal/kdc/windc_plugin.h
r414 r745 61 61 struct hdb_entry_ex *, 62 62 struct hdb_entry_ex *, 63 struct hdb_entry_ex *, 63 64 krb5_pac *); 64 65 … … 73 74 74 75 #define KRB5_WINDC_PLUGING_MINOR 4 76 #define KRB5_WINDC_PLUGIN_MINOR 4 75 77 76 78 typedef struct krb5plugin_windc_ftable {
Note:
See TracChangeset
for help on using the changeset viewer.
