svn rev #24193: trunk/src/plugins/kdb/hdb/
ghudson@MIT.EDU
ghudson at MIT.EDU
Tue Jul 20 04:52:41 EDT 2010
http://src.mit.edu/fisheye/changelog/krb5/?cs=24193
Commit By: ghudson
Log Message:
ticket: 6749
Get the kdb_hdb module to compile again. Probably still buggy,
particularly around the master key logic.
Changed Files:
U trunk/src/plugins/kdb/hdb/kdb_hdb.c
U trunk/src/plugins/kdb/hdb/kdb_hdb.h
U trunk/src/plugins/kdb/hdb/kdb_marshal.c
U trunk/src/plugins/kdb/hdb/kdb_windc.c
Modified: trunk/src/plugins/kdb/hdb/kdb_hdb.c
===================================================================
--- trunk/src/plugins/kdb/hdb/kdb_hdb.c 2010-07-19 10:05:13 UTC (rev 24192)
+++ trunk/src/plugins/kdb/hdb/kdb_hdb.c 2010-07-20 08:52:41 UTC (rev 24193)
@@ -40,8 +40,10 @@
#include "kdb_hdb.h"
static krb5_error_code
-kh_init(void)
+kh_init(int dal_version)
{
+ if (dal_version != KRB5_KDB_DAL_VERSION)
+ return KRB5_KDB_DBTYPE_MISMATCH;
return 0;
}
@@ -92,7 +94,7 @@
code = KRB5_KDB_NOMASTERKEY;
break;
case HDB_ERR_MANDATORY_OPTION:
- code = KRB5_KDB_DBTYPE_NOSUP;
+ code = KRB5_PLUGIN_OP_NOTSUPP;
break;
default:
break;
@@ -190,7 +192,7 @@
(void **)&hdb_interface_version,
&errinfo) == 0 &&
*hdb_interface_version != HDB_INTERFACE_VERSION) {
- code = KRB5_KDB_DBTYPE_NOSUP;
+ code = KRB5_PLUGIN_OP_NOTSUPP;
goto cleanup;
}
@@ -413,7 +415,7 @@
heim_error_code hcode;
if (kh->hdb->hdb_rename == NULL)
- return KRB5_KDB_DBTYPE_NOSUP;
+ return KRB5_PLUGIN_OP_NOTSUPP;
hcode = (*kh->hdb->hdb_rename)(kh->hcontext, kh->hdb, name);
@@ -462,18 +464,6 @@
return kh_map_error(hcode);
}
-static krb5_error_code
-kh_hdb_set_master_key(krb5_context context,
- kh_db_context *kh,
- EncryptionKey *key)
-{
- heim_error_code hcode;
-
- hcode = (*kh->hdb_set_master_key)(kh->hcontext, kh->hdb, key);
-
- return kh_map_error(hcode);
-}
-
void
kh_hdb_free_entry(krb5_context context,
kh_db_context *kh,
@@ -491,6 +481,8 @@
krb5_tl_data *tl_data = NULL;
int i, j;
+ if (entry == NULL)
+ return;
if (entry->e_data != NULL) {
assert(entry->e_length == sizeof(hdb_entry_ex));
kh_hdb_free_entry(context, kh, KH_DB_ENTRY(entry));
@@ -525,7 +517,7 @@
free(entry->key_data);
}
- memset(entry, 0, sizeof(*entry));
+ free(entry);
}
static krb5_error_code
@@ -537,7 +529,7 @@
krb5_error_code code;
if (kh == NULL)
- return KRB5_KDB_DBTYPE_NOSUP;
+ return KRB5_PLUGIN_OP_NOTSUPP;
code = k5_mutex_lock(kh->lock);
if (code != 0)
@@ -551,22 +543,6 @@
}
static krb5_error_code
-kh_db_destroy(krb5_context context,
- char *conf_section,
- char **db_args)
-{
- return KRB5_KDB_DBTYPE_NOSUP;
-}
-
-static krb5_error_code
-kh_db_get_age(krb5_context context,
- char *db_name,
- time_t *age)
-{
- return KRB5_KDB_DBTYPE_NOSUP;
-}
-
-static krb5_error_code
kh_db_lock(krb5_context context, int kmode)
{
kh_db_context *kh = KH_DB_CONTEXT(context);
@@ -574,7 +550,7 @@
enum hdb_lockop hmode;
if (kh == NULL)
- return KRB5_KDB_DBTYPE_NOSUP;
+ return KRB5_PLUGIN_OP_NOTSUPP;
code = k5_mutex_lock(kh->lock);
if (code != 0)
@@ -599,7 +575,7 @@
krb5_error_code code;
if (kh == NULL)
- return KRB5_KDB_DBTYPE_NOSUP;
+ return KRB5_PLUGIN_OP_NOTSUPP;
code = k5_mutex_lock(kh->lock);
if (code != 0)
@@ -617,12 +593,14 @@
kh_db_context *kh,
krb5_const_principal princ,
unsigned int hflags,
- krb5_db_entry *kentry)
+ krb5_db_entry **kentry)
{
krb5_error_code code;
Principal *hprinc = NULL;
hdb_entry_ex *hentry = NULL;
+ *kentry = NULL;
+
code = kh_marshal_Principal(context, princ, &hprinc);
if (code != 0)
return code;
@@ -648,8 +626,8 @@
code = kh_unmarshal_hdb_entry(context, &hentry->entry, kentry);
if (code == 0) {
- kentry->e_length = sizeof(*hentry);
- kentry->e_data = (krb5_octet *)hentry;
+ (*kentry)->e_length = sizeof(*hentry);
+ (*kentry)->e_data = (krb5_octet *)hentry;
} else {
kh_hdb_free_entry(context, kh, hentry);
free(hentry);
@@ -682,16 +660,19 @@
kh_get_master_key_principal(krb5_context context,
kh_db_context *kh,
krb5_const_principal princ,
- krb5_db_entry *kentry,
- int *nentries)
+ krb5_db_entry **kentry_ptr)
{
krb5_error_code code;
krb5_key_data *key_data;
krb5_timestamp now;
+ krb5_db_entry *kentry;
- memset(kentry, 0, sizeof(*kentry));
- *nentries = 0;
+ *kentry_ptr = NULL;
+ kentry = k5alloc(sizeof(*kentry), &code);
+ if (kentry == NULL)
+ return code;
+
kentry->magic = KRB5_KDB_MAGIC_NUMBER;
kentry->len = KRB5_KDB_V1_BASE_LENGTH;
kentry->attributes = KRB5_KDB_DISALLOW_ALL_TIX;
@@ -725,7 +706,7 @@
key_data->key_data_kvno = 1;
key_data->key_data_type[0] = ENCTYPE_UNKNOWN;
- *nentries = 1;
+ *kentry_ptr = kentry;
return 0;
}
@@ -734,24 +715,19 @@
kh_db_get_principal(krb5_context context,
krb5_const_principal princ,
unsigned int kflags,
- krb5_db_entry *kentry,
- int *nentries,
- krb5_boolean *more)
+ krb5_db_entry **kentry)
{
krb5_error_code code;
kh_db_context *kh = KH_DB_CONTEXT(context);
unsigned int hflags;
- *nentries = 0;
- *more = FALSE;
- memset(kentry, 0, sizeof(*kentry));
+ *kentry = NULL;
if (kh == NULL)
return KRB5_KDB_DBNOTINITED;
if (kh_is_master_key_principal(context, princ))
- return kh_get_master_key_principal(context, kh, princ,
- kentry, nentries);
+ return kh_get_master_key_principal(context, kh, princ, kentry);
code = k5_mutex_lock(kh->lock);
if (code != 0)
@@ -769,41 +745,25 @@
hflags |= HDB_F_GET_ANY;
code = kh_get_principal(context, kh, princ, hflags, kentry);
- switch (code) {
- case 0:
- *nentries = 1;
- break;
- case KRB5_KDB_NOENTRY:
- code = 0;
- break;
- default:
- break;
- }
-
k5_mutex_unlock(kh->lock);
return code;
}
-static krb5_error_code
+static void
kh_db_free_principal(krb5_context context,
- krb5_db_entry *entry,
- int count)
+ krb5_db_entry *entry)
{
kh_db_context *kh = KH_DB_CONTEXT(context);
krb5_error_code code;
- int i;
code = k5_mutex_lock(kh->lock);
if (code != 0)
- return code;
+ return;
- for (i = 0; i < count; i++)
- kh_kdb_free_entry(context, kh, &entry[i]);
+ kh_kdb_free_entry(context, kh, entry);
k5_mutex_unlock(kh->lock);
-
- return 0;
}
static krb5_error_code
@@ -861,13 +821,11 @@
static krb5_error_code
kh_db_put_principal(krb5_context context,
- krb5_db_entry *entries,
- int *nentries,
+ krb5_db_entry *entry,
char **db_args)
{
krb5_error_code code;
kh_db_context *kh = KH_DB_CONTEXT(context);
- int i;
if (kh == NULL)
return KRB5_KDB_DBNOTINITED;
@@ -876,11 +834,7 @@
if (code != 0)
return code;
- for (i = 0; i < *nentries; i++) {
- code = kh_put_principal(context, kh, &entries[i]);
- if (code != 0)
- break;
- }
+ code = kh_put_principal(context, kh, entry);
k5_mutex_unlock(kh->lock);
@@ -915,8 +869,7 @@
static krb5_error_code
kh_db_delete_principal(krb5_context context,
- krb5_const_principal princ,
- int *nentries)
+ krb5_const_principal princ)
{
krb5_error_code code;
kh_db_context *kh = KH_DB_CONTEXT(context);
@@ -930,8 +883,6 @@
code = kh_delete_principal(context, kh, princ);
- *nentries = (code == 0) ? 1 : 0;
-
k5_mutex_unlock(kh->lock);
return code;
@@ -963,11 +914,11 @@
code = kh_hdb_firstkey(context, kh, hflags, &hentry);
while (code == 0) {
- krb5_db_entry kentry;
+ krb5_db_entry *kentry;
if (kh_unmarshal_hdb_entry(context, &hentry.entry, &kentry) == 0) {
- code = (*func)(func_arg, &kentry);
- kh_kdb_free_entry(context, kh, &kentry);
+ code = (*func)(func_arg, kentry);
+ kh_kdb_free_entry(context, kh, kentry);
}
kh_hdb_free_entry(context, kh, &hentry);
@@ -979,14 +930,12 @@
}
if (code == KRB5_KDB_NOENTRY) {
- krb5_db_entry kentry;
- int nentries;
+ krb5_db_entry *kentry;
/* Return the fake master key principal */
- if (kh_get_master_key_principal(context, kh, NULL,
- &kentry, &nentries) == 0) {
- code = (*func)(func_arg, &kentry);
- kh_kdb_free_entry(context, kh, &kentry);
+ if (kh_get_master_key_principal(context, kh, NULL, &kentry) == 0) {
+ code = (*func)(func_arg, kentry);
+ kh_kdb_free_entry(context, kh, kentry);
}
code = 0;
@@ -1047,59 +996,6 @@
}
static krb5_error_code
-kh_set_master_key(krb5_context context,
- char *pwd,
- krb5_keyblock *kkey)
-{
- kh_db_context *kh = KH_DB_CONTEXT(context);
- krb5_error_code code;
- EncryptionKey hkey;
-
- if (kh == NULL)
- return KRB5_KDB_DBNOTINITED;
-
- if (kkey->enctype == ENCTYPE_UNKNOWN)
- return 0;
-
- code = k5_mutex_lock(kh->lock);
- if (code != 0)
- return code;
-
- KH_MARSHAL_KEY(kkey, &hkey);
-
- code = kh_hdb_set_master_key(context, kh, &hkey);
-
- k5_mutex_unlock(kh->lock);
-
- return code;
-}
-
-static krb5_error_code
-kh_get_master_key(krb5_context context,
- krb5_keyblock **pkey)
-{
- krb5_error_code code;
- krb5_keyblock *key;
-
- /*
- * The Heimdal master key interface is opaque; we can't
- * return the master key without poking into internal data
- * structures that would make this bridge even more brittle.
- * So, we just return a dummy key.
- */
- key = k5alloc(sizeof(krb5_keyblock), &code);
- if (code != 0)
- return code;
-
- key->magic = KV5M_KEYBLOCK;
- key->enctype = ENCTYPE_UNKNOWN;
-
- *pkey = key;
-
- return 0;
-}
-
-static krb5_error_code
kh_promote_db(krb5_context context,
char *conf_section,
char **db_args)
@@ -1112,7 +1008,7 @@
return KRB5_KDB_DBNOTINITED;
if (kh->hdb->hdb_name == NULL)
- return KRB5_KDB_DBTYPE_NOSUP;
+ return KRB5_PLUGIN_OP_NOTSUPP;
if (asprintf(&name, "%s~", kh->hdb->hdb_name) < 0)
return ENOMEM;
@@ -1195,7 +1091,7 @@
return KRB5_KDB_DBNOTINITED;
if (mkey->enctype != ENCTYPE_UNKNOWN)
- code = krb5_dbekd_def_decrypt_key_data(context, mkey, key_data,
+ code = krb5_dbe_def_decrypt_key_data(context, mkey, key_data,
kkey, keysalt);
else
code = kh_decrypt_key(context, kh, key_data, kkey, keysalt);
@@ -1271,8 +1167,8 @@
/* For migration */
if (mkey->enctype != ENCTYPE_UNKNOWN)
- code = krb5_dbekd_def_encrypt_key_data(context, mkey, kkey,
- keysalt, keyver, key_data);
+ code = krb5_dbe_def_encrypt_key_data(context, mkey, kkey,
+ keysalt, keyver, key_data);
else
code = kh_encrypt_key(context, kh, kkey, keysalt, keyver, key_data);
@@ -1285,19 +1181,17 @@
static krb5_error_code
kh_db_check_allowed_to_delegate(krb5_context context,
- unsigned int method,
- const krb5_data *req_data,
- krb5_data *rep_data)
+ krb5_const_principal client,
+ const krb5_db_entry *server,
+ krb5_const_principal proxy)
{
- kdb_check_allowed_to_delegate_req *req;
krb5_error_code code;
hdb_entry_ex *hentry;
HDB_extension *ext;
HDB_Ext_Constrained_delegation_acl *acl;
unsigned int i;
- req = (kdb_check_allowed_to_delegate_req *)req_data->data;
- hentry = KH_DB_ENTRY(req->server);
+ hentry = KH_DB_ENTRY(server);
ext = kh_hdb_find_extension(&hentry->entry,
choice_HDB_extension_data_allowed_to_delegate_to);
@@ -1310,7 +1204,7 @@
krb5_principal princ;
if (kh_unmarshal_Principal(context, &acl->val[i], &princ) == 0) {
- if (krb5_principal_compare(context, req->proxy, princ)) {
+ if (krb5_principal_compare(context, proxy, princ)) {
code = 0;
krb5_free_principal(context, princ);
break;
@@ -1323,51 +1217,6 @@
return code;
}
-static struct _kh_invoke_fn {
- unsigned int method;
- krb5_error_code (*function)(krb5_context, unsigned int,
- const krb5_data *, krb5_data *);
-} kh_invoke_vtable[] = {
- { KRB5_KDB_METHOD_CHECK_POLICY_AS, kh_db_check_policy_as },
- { KRB5_KDB_METHOD_SIGN_AUTH_DATA, kh_db_sign_auth_data },
- { KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE, kh_db_check_allowed_to_delegate },
-};
-
-static krb5_error_code
-kh_db_invoke(krb5_context context,
- unsigned int method,
- const krb5_data *req,
- krb5_data *rep)
-{
- kh_db_context *kh = KH_DB_CONTEXT(context);
- size_t i;
- krb5_error_code code;
-
- if (kh == NULL)
- return KRB5_KDB_DBNOTINITED;
-
- code = k5_mutex_lock(kh->lock);
- if (code != 0)
- return code;
-
- code = KRB5_KDB_DBTYPE_NOSUP;
-
- for (i = 0;
- i < sizeof(kh_invoke_vtable) / sizeof(kh_invoke_vtable[0]);
- i++) {
- struct _kh_invoke_fn *fn = &kh_invoke_vtable[i];
-
- if (fn->method == method) {
- code = (*fn->function)(context, method, req, rep);
- break;
- }
- }
-
- k5_mutex_unlock(kh->lock);
-
- return code;
-}
-
kdb_vftabl kdb_function_table = {
1,
0,
@@ -1376,8 +1225,8 @@
kh_init_module,
kh_fini_module,
kh_db_create,
- kh_db_destroy,
- kh_db_get_age,
+ NULL, /* destroy */
+ NULL, /* get_age */
kh_db_lock,
kh_db_unlock,
kh_db_get_principal,
@@ -1385,32 +1234,29 @@
kh_db_put_principal,
kh_db_delete_principal,
kh_db_iterate,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
+ NULL, /* create_policy */
+ NULL, /* get_policy */
+ NULL, /* put_policy */
+ NULL, /* iter_policy */
+ NULL, /* delete_policy */
+ NULL, /* free_policy */
kh_db_alloc,
kh_db_free,
- kh_set_master_key,
- kh_get_master_key,
- NULL,
- NULL,
- NULL,
- NULL,
+ NULL, /* set_master_key_list */
+ NULL, /* get_master_key_list */
kh_fetch_master_key,
- NULL,
kh_fetch_master_key_list,
- NULL,
- NULL,
- NULL,
+ NULL, /* store_master_key_list */
+ NULL, /* dbe_search_enctype */
+ NULL, /* change_pwd */
kh_promote_db,
kh_dbekd_decrypt_key_data,
kh_dbekd_encrypt_key_data,
- kh_db_invoke,
+ kh_db_sign_auth_data,
+ NULL, /* check_transited_realms */
+ kh_db_check_policy_as,
+ NULL, /* check_policy_tgs */
+ NULL, /* audit_as_req */
+ NULL, /* refresh_config */
+ kh_db_check_allowed_to_delegate
};
Modified: trunk/src/plugins/kdb/hdb/kdb_hdb.h
===================================================================
--- trunk/src/plugins/kdb/hdb/kdb_hdb.h 2010-07-19 10:05:13 UTC (rev 24192)
+++ trunk/src/plugins/kdb/hdb/kdb_hdb.h 2010-07-20 08:52:41 UTC (rev 24193)
@@ -90,7 +90,7 @@
kh_db_context *kh,
krb5_const_principal princ,
unsigned int hflags,
- krb5_db_entry *kentry);
+ krb5_db_entry **kentry);
void
kh_kdb_free_entry(krb5_context context,
@@ -142,7 +142,7 @@
krb5_error_code
kh_unmarshal_hdb_entry(krb5_context context,
const hdb_entry *hentry,
- krb5_db_entry *kentry);
+ krb5_db_entry **kentry);
krb5_error_code
kh_marshal_hdb_entry(krb5_context context,
@@ -152,16 +152,28 @@
/* kdb_windc.c */
krb5_error_code
-kh_db_sign_auth_data(krb5_context context,
- unsigned int method,
- const krb5_data *req_data,
- krb5_data *rep_data);
+kh_db_sign_auth_data(krb5_context kcontext,
+ unsigned int flags,
+ krb5_const_principal client_princ,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_db_entry *krbtgt,
+ krb5_keyblock *client_key,
+ krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
+ krb5_keyblock *session_key,
+ krb5_timestamp authtime,
+ krb5_authdata **tgt_auth_data,
+ krb5_authdata ***signed_auth_data);
krb5_error_code
-kh_db_check_policy_as(krb5_context context,
- unsigned int method,
- const krb5_data *req_data,
- krb5_data *rep_data);
+kh_db_check_policy_as(krb5_context kcontext,
+ krb5_kdc_req *request,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_timestamp kdc_time,
+ const char **status,
+ krb5_data *e_data);
krb5_error_code
kh_hdb_windc_init(krb5_context context,
Modified: trunk/src/plugins/kdb/hdb/kdb_marshal.c
===================================================================
--- trunk/src/plugins/kdb/hdb/kdb_marshal.c 2010-07-19 10:05:13 UTC (rev 24192)
+++ trunk/src/plugins/kdb/hdb/kdb_marshal.c 2010-07-20 08:52:41 UTC (rev 24193)
@@ -743,13 +743,16 @@
krb5_error_code
kh_unmarshal_hdb_entry(krb5_context context,
const hdb_entry *hentry,
- krb5_db_entry *kentry)
+ krb5_db_entry **kentry_ptr)
{
kh_db_context *kh = KH_DB_CONTEXT(context);
+ krb5_db_entry *kentry;
krb5_error_code code;
unsigned int i;
- memset(kentry, 0, sizeof(*kentry));
+ kentry = k5alloc(sizeof(*kentry), &code);
+ if (kentry == NULL)
+ return code;
kentry->magic = KRB5_KDB_MAGIC_NUMBER;
kentry->len = KRB5_KDB_V1_BASE_LENGTH;
@@ -801,9 +804,10 @@
kentry->n_key_data++;
}
+ *kentry_ptr = kentry;
+ kentry = NULL;
+
cleanup:
- if (code != 0)
- kh_kdb_free_entry(context, kh, kentry);
-
+ kh_kdb_free_entry(context, kh, kentry);
return code;
}
Modified: trunk/src/plugins/kdb/hdb/kdb_windc.c
===================================================================
--- trunk/src/plugins/kdb/hdb/kdb_windc.c 2010-07-19 10:05:13 UTC (rev 24192)
+++ trunk/src/plugins/kdb/hdb/kdb_windc.c 2010-07-20 08:52:41 UTC (rev 24193)
@@ -173,7 +173,7 @@
krb5_error_code code;
krb5_principal tgsname = NULL;
krb5_key_data *krbtgt_key = NULL;
- krb5_db_entry krbtgt;
+ krb5_db_entry *krbtgt;
memset(&krbtgt, 0, sizeof(krbtgt));
krbtgt_keyblock->contents = NULL;
@@ -195,7 +195,7 @@
goto cleanup;
code = krb5_dbe_find_enctype(context,
- &krbtgt,
+ krbtgt,
-1, /* ignore enctype */
-1, /* ignore salttype */
0, /* highest kvno */
@@ -216,7 +216,7 @@
goto cleanup;
cleanup:
- kh_kdb_free_entry(context, KH_DB_CONTEXT(context), &krbtgt);
+ kh_kdb_free_entry(context, KH_DB_CONTEXT(context), krbtgt);
krb5_free_principal(context, tgsname);
return code;
@@ -224,13 +224,20 @@
krb5_error_code
kh_db_sign_auth_data(krb5_context context,
- unsigned int method,
- const krb5_data *req_data,
- krb5_data *rep_data)
+ unsigned int flags,
+ krb5_const_principal client_princ,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_db_entry *krbtgt,
+ krb5_keyblock *client_key,
+ krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
+ krb5_keyblock *session_key,
+ krb5_timestamp authtime,
+ krb5_authdata **tgt_auth_data,
+ krb5_authdata ***signed_auth_data)
{
kh_db_context *kh = KH_DB_CONTEXT(context);
- kdb_sign_auth_data_req *req = (kdb_sign_auth_data_req *)req_data->data;
- kdb_sign_auth_data_rep *rep = (kdb_sign_auth_data_rep *)rep_data->data;
heim_pac hpac = NULL;
heim_octet_string pac_data;
krb5_boolean is_as_req;
@@ -241,31 +248,32 @@
EncryptionKey krbtgt_hkey;
krb5_keyblock krbtgt_kkey;
+ *signed_auth_data = NULL;
+
if (kh->windc == NULL)
return KRB5_KDB_DBTYPE_NOSUP; /* short circuit */
- memset(rep, 0, sizeof(*rep));
memset(&krbtgt_kkey, 0, sizeof(krbtgt_kkey));
pac_data.data = NULL;
- is_as_req = ((req->flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
+ is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
/* Prefer canonicalised name from client entry */
- if (req->client != NULL) {
- client_hprinc = KH_DB_ENTRY(req->client)->entry.principal;
+ if (client != NULL) {
+ client_hprinc = KH_DB_ENTRY(client)->entry.principal;
} else {
- code = kh_marshal_Principal(context, req->client_princ, &client_hprinc);
+ code = kh_marshal_Principal(context, client_princ, &client_hprinc);
if (code != 0)
goto cleanup;
}
- KH_MARSHAL_KEY(req->server_key, &server_hkey);
- KH_MARSHAL_KEY(req->krbtgt_key, &krbtgt_hkey);
+ KH_MARSHAL_KEY(server_key, &server_hkey);
+ KH_MARSHAL_KEY(krbtgt_key, &krbtgt_hkey);
if (!is_as_req) {
/* find the existing PAC, if present */
code = krb5int_find_authdata(context,
- req->auth_data,
+ tgt_auth_data,
NULL,
KRB5_AUTHDATA_WIN2K_PAC,
&authdata);
@@ -273,10 +281,9 @@
goto cleanup;
}
- if ((is_as_req && (req->flags & KRB5_KDB_FLAG_INCLUDE_PAC)) ||
- (authdata == NULL && req->client != NULL)) {
- code = kh_windc_pac_generate(context, kh,
- KH_DB_ENTRY(req->client), &hpac);
+ if ((is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) ||
+ (authdata == NULL && client != NULL)) {
+ code = kh_windc_pac_generate(context, kh, KH_DB_ENTRY(client), &hpac);
if (code != 0)
goto cleanup;
} else if (authdata != NULL) {
@@ -299,20 +306,19 @@
* ticket rather than a TGT; we must verify the server and KDC
* signatures to assert that the server did not forge the PAC.
*/
- if (req->flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
- code = kh_pac_verify(context, hpac, req->authtime,
+ if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
+ code = kh_pac_verify(context, hpac, authtime,
client_hprinc, &server_hkey, &krbtgt_hkey);
} else {
- code = kh_pac_verify(context, hpac, req->authtime,
+ code = kh_pac_verify(context, hpac, authtime,
client_hprinc, &krbtgt_hkey, NULL);
}
if (code != 0)
goto cleanup;
code = kh_windc_pac_verify(context, kh, client_hprinc,
- req->client ?
- KH_DB_ENTRY(req->client) : NULL,
- KH_DB_ENTRY(req->server),
+ client ? KH_DB_ENTRY(client) : NULL,
+ KH_DB_ENTRY(server),
&hpac);
if (code != 0)
goto cleanup;
@@ -325,17 +331,17 @@
* In the cross-realm case, krbtgt_hkey refers to the cross-realm
* TGS key, so we need to explicitly lookup our TGS key.
*/
- if (req->flags & KRB5_KDB_FLAG_CROSS_REALM) {
+ if (flags & KRB5_KDB_FLAG_CROSS_REALM) {
assert(!is_as_req);
- code = kh_get_tgs_key(context, kh, req->server->princ, &krbtgt_kkey);
+ code = kh_get_tgs_key(context, kh, server->princ, &krbtgt_kkey);
if (code != 0)
goto cleanup;
KH_MARSHAL_KEY(&krbtgt_kkey, &krbtgt_hkey);
}
- code = kh_pac_sign(context, hpac, req->authtime, client_hprinc,
+ code = kh_pac_sign(context, hpac, authtime, client_hprinc,
&server_hkey, &krbtgt_hkey, &pac_data);
if (code != 0)
goto cleanup;
@@ -367,12 +373,12 @@
code = krb5_encode_authdata_container(context,
KRB5_AUTHDATA_IF_RELEVANT,
authdata,
- &rep->auth_data);
+ signed_auth_data);
if (code != 0)
goto cleanup;
cleanup:
- if (req->client == NULL)
+ if (client == NULL)
kh_free_Principal(context, client_hprinc);
kh_pac_free(context, hpac);
if (pac_data.data != NULL)
@@ -486,16 +492,16 @@
krb5_error_code
kh_db_check_policy_as(krb5_context context,
- unsigned int method,
- const krb5_data *req_data,
- krb5_data *rep_data)
+ krb5_kdc_req *request,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_timestamp kdc_time,
+ const char **status,
+ krb5_data *e_data)
{
kh_db_context *kh = KH_DB_CONTEXT(context);
- kdb_check_policy_as_req *req = (kdb_check_policy_as_req *)req_data->data;
- kdb_check_policy_as_rep *rep = (kdb_check_policy_as_rep *)rep_data->data;
krb5_error_code code;
- heim_octet_string e_data;
- krb5_kdc_req *kkdcreq = req->request;
+ heim_octet_string he_data;
KDC_REQ hkdcreq;
Principal *hclient = NULL;
Principal *hserver = NULL;
@@ -507,19 +513,19 @@
memset(&hkdcreq, 0, sizeof(hkdcreq));
hkdcreq.pvno = KRB5_PVNO;
- hkdcreq.msg_type = kkdcreq->msg_type;
+ hkdcreq.msg_type = request->msg_type;
hkdcreq.padata = NULL; /* FIXME */
code = kh_marshal_KDCOptions(context,
- kkdcreq->kdc_options,
+ request->kdc_options,
&hkdcreq.req_body.kdc_options);
if (code != 0)
goto cleanup;
- code = kh_marshal_Principal(context, kkdcreq->client, &hclient);
+ code = kh_marshal_Principal(context, request->client, &hclient);
if (code != 0)
goto cleanup;
- code = kh_marshal_Principal(context, kkdcreq->server, &hserver);
+ code = kh_marshal_Principal(context, request->server, &hserver);
if (code != 0)
goto cleanup;
@@ -527,16 +533,16 @@
hkdcreq.req_body.realm = hserver->realm;
hkdcreq.req_body.sname = &hserver->name;
- from = kkdcreq->from; hkdcreq.req_body.from = &from;
- till = kkdcreq->till; hkdcreq.req_body.till = &till;
- rtime = kkdcreq->rtime; hkdcreq.req_body.rtime = &rtime;
+ from = request->from; hkdcreq.req_body.from = &from;
+ till = request->till; hkdcreq.req_body.till = &till;
+ rtime = request->rtime; hkdcreq.req_body.rtime = &rtime;
- hkdcreq.req_body.nonce = kkdcreq->nonce;
- hkdcreq.req_body.etype.len = kkdcreq->nktypes;
- hkdcreq.req_body.etype.val = kkdcreq->ktype;
+ hkdcreq.req_body.nonce = request->nonce;
+ hkdcreq.req_body.etype.len = request->nktypes;
+ hkdcreq.req_body.etype.val = request->ktype;
code = kh_marshall_HostAddresses(context,
- kkdcreq->addresses,
+ request->addresses,
&hkdcreq.req_body.addresses);
if (code != 0)
goto cleanup;
@@ -545,11 +551,11 @@
/* FIXME hkdcreq.req_body.additional_tickets */
code = kh_windc_client_access(context, kh,
- KH_DB_ENTRY(req->client),
- &hkdcreq, &e_data);
+ KH_DB_ENTRY(client),
+ &hkdcreq, &he_data);
- rep->e_data.data = e_data.data;
- rep->e_data.length = e_data.length;
+ e_data->data = he_data.data;
+ e_data->length = he_data.length;
cleanup:
kh_free_HostAddresses(context, hkdcreq.req_body.addresses);
More information about the cvs-krb5
mailing list