krb5 commit: Remove kdc_context, tgs_server macros in KDC
ghudson at mit.edu
ghudson at mit.edu
Thu Jul 21 00:20:50 EDT 2022
https://github.com/krb5/krb5/commit/8ecb797fb512faa80d1e03e4282e540745fc4341
commit 8ecb797fb512faa80d1e03e4282e540745fc4341
Author: Greg Hudson <ghudson at mit.edu>
Date: Mon Jul 18 17:36:15 2022 -0400
Remove kdc_context, tgs_server macros in KDC
Eliminate the last two kdc_active_realm macros from realm_data.h (left
behind after commits 0a2f14f752c32a24200363cc6b6ae64a92f81379 and
e987546b4ff1689bb711cc46118ad9fc0a5613f6). Where code is affected,
use the names "context" and "realm". Pass contexts instead of realm
data structures to several functions which only need a context.
src/kdc/dispatch.c | 17 ++-
src/kdc/do_as_req.c | 169 +++++++++++++-------------
src/kdc/do_tgs_req.c | 322 +++++++++++++++++++++++--------------------------
src/kdc/fast_util.c | 125 +++++++++----------
src/kdc/kdc_authdata.c | 45 ++++---
src/kdc/kdc_preauth.c | 20 +--
src/kdc/kdc_util.c | 215 +++++++++++++++------------------
src/kdc/kdc_util.h | 73 +++++------
src/kdc/realm_data.h | 8 --
src/kdc/tgs_policy.c | 82 ++++++-------
10 files changed, 495 insertions(+), 581 deletions(-)
diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c
index f24f5fd8f..28def3be4 100644
--- a/src/kdc/dispatch.c
+++ b/src/kdc/dispatch.c
@@ -33,8 +33,7 @@
#include <arpa/inet.h>
#include <string.h>
-static krb5_error_code make_too_big_error(kdc_realm_t *kdc_active_realm,
- krb5_data **out);
+static krb5_error_code make_too_big_error(kdc_realm_t *realm, krb5_data **out);
struct dispatch_state {
loop_respond_fn respond;
@@ -51,13 +50,12 @@ finish_dispatch(struct dispatch_state *state, krb5_error_code code,
{
loop_respond_fn oldrespond = state->respond;
void *oldarg = state->arg;
- kdc_realm_t *kdc_active_realm = state->active_realm;
if (state->is_tcp == 0 && response &&
response->length > (unsigned int)max_dgram_reply_size) {
- krb5_free_data(kdc_context, response);
+ krb5_free_data(NULL, response);
response = NULL;
- code = make_too_big_error(kdc_active_realm, &response);
+ code = make_too_big_error(state->active_realm, &response);
if (code)
krb5_klog_syslog(LOG_ERR, "error constructing "
"KRB_ERR_RESPONSE_TOO_BIG error: %s",
@@ -178,8 +176,9 @@ done:
}
static krb5_error_code
-make_too_big_error(kdc_realm_t *kdc_active_realm, krb5_data **out)
+make_too_big_error(kdc_realm_t *realm, krb5_data **out)
{
+ krb5_context context = realm->realm_context;
krb5_error errpkt;
krb5_error_code retval;
krb5_data *scratch;
@@ -187,11 +186,11 @@ make_too_big_error(kdc_realm_t *kdc_active_realm, krb5_data **out)
*out = NULL;
memset(&errpkt, 0, sizeof(errpkt));
- retval = krb5_us_timeofday(kdc_context, &errpkt.stime, &errpkt.susec);
+ retval = krb5_us_timeofday(context, &errpkt.stime, &errpkt.susec);
if (retval)
return retval;
errpkt.error = KRB_ERR_RESPONSE_TOO_BIG;
- errpkt.server = tgs_server;
+ errpkt.server = realm->realm_tgsprinc;
errpkt.client = NULL;
errpkt.text.length = 0;
errpkt.text.data = 0;
@@ -200,7 +199,7 @@ make_too_big_error(kdc_realm_t *kdc_active_realm, krb5_data **out)
scratch = malloc(sizeof(*scratch));
if (scratch == NULL)
return ENOMEM;
- retval = krb5_mk_error(kdc_context, &errpkt, scratch);
+ retval = krb5_mk_error(context, &errpkt, scratch);
if (retval) {
free(scratch);
return retval;
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 40c0ec2ab..0d3af592f 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -193,13 +193,14 @@ struct as_req_state {
static void
finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
{
+ kdc_realm_t *realm = state->active_realm;
+ krb5_context context = realm->realm_context;
krb5_keyblock *as_encrypting_key = NULL;
krb5_data *response = NULL;
const char *emsg = 0;
int did_log = 0;
loop_respond_fn oldrespond;
void *oldarg;
- kdc_realm_t *kdc_active_realm = state->active_realm;
krb5_audit_state *au_state = state->au_state;
krb5_keyblock *replaced_reply_key = NULL;
@@ -214,14 +215,14 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
state->ticket_reply.enc_part2 = &state->enc_tkt_reply;
- errcode = check_kdcpolicy_as(kdc_context, state->request, state->client,
+ errcode = check_kdcpolicy_as(context, state->request, state->client,
state->server, state->auth_indicators,
state->kdc_time, &state->enc_tkt_reply.times,
&state->status);
if (errcode)
goto egress;
- errcode = get_first_current_key(kdc_context, state->server,
+ errcode = get_first_current_key(context, state->server,
&state->server_keyblock);
if (errcode) {
state->status = "FINDING_SERVER_KEY";
@@ -247,7 +248,7 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
/* Fetch the padata info to be returned (do this before
* authdata to handle possible replacement of reply key
*/
- errcode = return_padata(kdc_context, &state->rock, state->req_pkt,
+ errcode = return_padata(context, &state->rock, state->req_pkt,
state->request, &state->reply,
&state->client_keyblock, &state->pa_context);
if (errcode) {
@@ -266,7 +267,7 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
if (state->rock.replaced_reply_key)
replaced_reply_key = &state->client_keyblock;
- errcode = handle_authdata(kdc_active_realm, state->c_flags, state->client,
+ errcode = handle_authdata(realm, state->c_flags, state->client,
state->server, NULL, state->local_tgt,
&state->local_tgt_key, &state->client_keyblock,
&state->server_keyblock, NULL,
@@ -280,19 +281,18 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
goto egress;
}
- errcode = check_indicators(kdc_context, state->server,
- state->auth_indicators);
+ errcode = check_indicators(context, state->server, state->auth_indicators);
if (errcode) {
state->status = "HIGHER_AUTHENTICATION_REQUIRED";
goto egress;
}
- errcode = krb5_encrypt_tkt_part(kdc_context, &state->server_keyblock,
+ errcode = krb5_encrypt_tkt_part(context, &state->server_keyblock,
&state->ticket_reply);
if (errcode)
goto egress;
- errcode = kau_make_tkt_id(kdc_context, &state->ticket_reply,
+ errcode = kau_make_tkt_id(context, &state->ticket_reply,
&au_state->tkt_out_id);
if (errcode)
goto egress;
@@ -313,7 +313,7 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
&as_encrypting_key);
if (errcode)
goto egress;
- errcode = return_enc_padata(kdc_context, state->req_pkt, state->request,
+ errcode = return_enc_padata(context, state->req_pkt, state->request,
as_encrypting_key, state->server,
&state->reply_encpart, FALSE);
if (errcode) {
@@ -323,10 +323,9 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
if (kdc_fast_hide_client(state->rstate))
state->reply.client = (krb5_principal)krb5_anonymous_principal();
- errcode = krb5_encode_kdc_rep(kdc_context, KRB5_AS_REP,
- &state->reply_encpart, 0,
- as_encrypting_key,
- &state->reply, &response);
+ errcode = krb5_encode_kdc_rep(context, KRB5_AS_REP, &state->reply_encpart,
+ 0, as_encrypting_key, &state->reply,
+ &response);
if (state->client_key != NULL)
state->reply.enc_part.kvno = state->client_key->key_data_kvno;
if (errcode)
@@ -338,7 +337,7 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
state->reply.enc_part.ciphertext.length);
free(state->reply.enc_part.ciphertext.data);
- log_as_req(kdc_context, state->local_addr, state->remote_addr,
+ log_as_req(context, state->local_addr, state->remote_addr,
state->request, &state->reply, state->client, state->cname,
state->server, state->sname, state->kdc_time, 0, 0, 0);
did_log = 1;
@@ -349,18 +348,18 @@ egress:
au_state->status = state->status;
au_state->reply = &state->reply;
- kau_as_req(kdc_context,
- (errcode || state->preauth_err) ? FALSE : TRUE, au_state);
+ kau_as_req(context, (errcode || state->preauth_err) ? FALSE : TRUE,
+ au_state);
kau_free_kdc_req(au_state);
- free_padata_context(kdc_context, state->pa_context);
+ free_padata_context(context, state->pa_context);
if (as_encrypting_key)
- krb5_free_keyblock(kdc_context, as_encrypting_key);
+ krb5_free_keyblock(context, as_encrypting_key);
if (errcode)
- emsg = krb5_get_error_message(kdc_context, errcode);
+ emsg = krb5_get_error_message(context, errcode);
if (state->status) {
- log_as_req(kdc_context, state->local_addr, state->remote_addr,
+ log_as_req(context, state->local_addr, state->remote_addr,
state->request, &state->reply, state->client,
state->cname, state->server, state->sname, state->kdc_time,
state->status, errcode, emsg);
@@ -387,40 +386,39 @@ egress:
}
if (emsg)
- krb5_free_error_message(kdc_context, emsg);
+ krb5_free_error_message(context, emsg);
if (state->enc_tkt_reply.authorization_data != NULL)
- krb5_free_authdata(kdc_context,
- state->enc_tkt_reply.authorization_data);
+ krb5_free_authdata(context, state->enc_tkt_reply.authorization_data);
if (state->local_tgt_key.contents != NULL)
- krb5_free_keyblock_contents(kdc_context, &state->local_tgt_key);
+ krb5_free_keyblock_contents(context, &state->local_tgt_key);
if (state->server_keyblock.contents != NULL)
- krb5_free_keyblock_contents(kdc_context, &state->server_keyblock);
+ krb5_free_keyblock_contents(context, &state->server_keyblock);
if (state->client_keyblock.contents != NULL)
- krb5_free_keyblock_contents(kdc_context, &state->client_keyblock);
+ krb5_free_keyblock_contents(context, &state->client_keyblock);
if (state->reply.padata != NULL)
- krb5_free_pa_data(kdc_context, state->reply.padata);
+ krb5_free_pa_data(context, state->reply.padata);
if (state->reply_encpart.enc_padata)
- krb5_free_pa_data(kdc_context, state->reply_encpart.enc_padata);
+ krb5_free_pa_data(context, state->reply_encpart.enc_padata);
if (state->cname != NULL)
free(state->cname);
if (state->sname != NULL)
free(state->sname);
- krb5_db_free_principal(kdc_context, state->client);
- krb5_db_free_principal(kdc_context, state->server);
- krb5_db_free_principal(kdc_context, state->local_tgt_storage);
+ krb5_db_free_principal(context, state->client);
+ krb5_db_free_principal(context, state->server);
+ krb5_db_free_principal(context, state->local_tgt_storage);
if (state->session_key.contents != NULL)
- krb5_free_keyblock_contents(kdc_context, &state->session_key);
+ krb5_free_keyblock_contents(context, &state->session_key);
if (state->ticket_reply.enc_part.ciphertext.data != NULL) {
memset(state->ticket_reply.enc_part.ciphertext.data , 0,
state->ticket_reply.enc_part.ciphertext.length);
free(state->ticket_reply.enc_part.ciphertext.data);
}
- krb5_free_pa_data(kdc_context, state->e_data);
- krb5_free_data(kdc_context, state->inner_body);
+ krb5_free_pa_data(context, state->e_data);
+ krb5_free_data(context, state->inner_body);
kdc_free_rstate(state->rstate);
- krb5_free_kdc_req(kdc_context, state->request);
+ krb5_free_kdc_req(context, state->request);
k5_free_data_ptr_list(state->auth_indicators);
assert(did_log != 0);
@@ -475,9 +473,10 @@ finish_preauth(void *arg, krb5_error_code code)
void
process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
const krb5_fulladdr *local_addr,
- const krb5_fulladdr *remote_addr, kdc_realm_t *kdc_active_realm,
+ const krb5_fulladdr *remote_addr, kdc_realm_t *realm,
verto_ctx *vctx, loop_respond_fn respond, void *arg)
{
+ krb5_context context = realm->realm_context;
krb5_error_code errcode;
krb5_data encoded_req_body;
krb5_enctype useenctype;
@@ -495,9 +494,9 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
state->req_pkt = req_pkt;
state->local_addr = local_addr;
state->remote_addr = remote_addr;
- state->active_realm = kdc_active_realm;
+ state->active_realm = realm;
- errcode = kdc_make_rstate(kdc_active_realm, &state->rstate);
+ errcode = kdc_make_rstate(realm, &state->rstate);
if (errcode != 0) {
(*respond)(arg, errcode, NULL);
free(state);
@@ -505,7 +504,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
}
/* Initialize audit state. */
- errcode = kau_init_kdc_req(kdc_context, state->request, remote_addr,
+ errcode = kau_init_kdc_req(context, state->request, remote_addr,
&au_state);
if (errcode) {
(*respond)(arg, errcode, NULL);
@@ -522,9 +521,9 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
}
/* Seed the audit trail with the request ID and basic information. */
- kau_as_req(kdc_context, TRUE, au_state);
+ kau_as_req(context, TRUE, au_state);
- errcode = krb5_timeofday(kdc_context, &state->kdc_time);
+ errcode = krb5_timeofday(context, &state->kdc_time);
if (errcode)
goto errout;
@@ -541,7 +540,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
}
if (state->inner_body == NULL) {
/* Not a FAST request; copy the encoded request body. */
- errcode = krb5_copy_data(kdc_context, &encoded_req_body,
+ errcode = krb5_copy_data(context, &encoded_req_body,
&state->inner_body);
if (errcode)
goto errout;
@@ -558,9 +557,9 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto errout;
}
- if ((errcode = krb5_unparse_name(kdc_context,
- state->request->client,
- &state->cname)))
+ errcode = krb5_unparse_name(context, state->request->client,
+ &state->cname);
+ if (errcode)
goto errout;
limit_string(state->cname);
@@ -569,9 +568,9 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto errout;
}
- if ((errcode = krb5_unparse_name(kdc_context,
- state->request->server,
- &state->sname)))
+ errcode = krb5_unparse_name(context, state->request->server,
+ &state->sname);
+ if (errcode)
goto errout;
limit_string(state->sname);
@@ -579,7 +578,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE) ||
state->request->client->type == KRB5_NT_ENTERPRISE_PRINCIPAL)
setflag(state->c_flags, KRB5_KDB_FLAG_REFERRAL_OK);
- errcode = lookup_client(kdc_context, state->request, state->c_flags,
+ errcode = lookup_client(context, state->request, state->c_flags,
&state->client);
if (errcode == KRB5_KDB_CANTLOCK_DB)
errcode = KRB5KDC_ERR_SVC_UNAVAILABLE;
@@ -598,7 +597,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
au_state->stage = SRVC_PRINC;
- errcode = krb5_db_get_principal(kdc_context, state->request->server, 0,
+ errcode = krb5_db_get_principal(context, state->request->server, 0,
&state->server);
if (errcode == KRB5_KDB_CANTLOCK_DB)
errcode = KRB5KDC_ERR_SVC_UNAVAILABLE;
@@ -620,7 +619,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
goto errout;
}
- errcode = get_local_tgt(kdc_context, &state->request->server->realm,
+ errcode = get_local_tgt(context, &state->request->server->realm,
state->server, &state->local_tgt,
&state->local_tgt_storage, &state->local_tgt_key);
if (errcode) {
@@ -632,10 +631,10 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
au_state->stage = VALIDATE_POL;
- if ((errcode = validate_as_request(kdc_active_realm,
- state->request, state->client,
- state->server, state->kdc_time,
- &state->status, &state->e_data))) {
+ errcode = validate_as_request(realm, state->request, state->client,
+ state->server, state->kdc_time,
+ &state->status, &state->e_data);
+ if (errcode) {
errcode += ERROR_TABLE_BASE_krb5;
goto errout;
}
@@ -645,17 +644,18 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
/*
* Select the keytype for the ticket session key.
*/
- if ((useenctype = select_session_keytype(kdc_active_realm, state->server,
- state->request->nktypes,
- state->request->ktype)) == 0) {
+ useenctype = select_session_keytype(context, state->server,
+ state->request->nktypes,
+ state->request->ktype);
+ if (useenctype == 0) {
/* unsupported ktype */
state->status = "BAD_ENCRYPTION_TYPE";
errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
goto errout;
}
- if ((errcode = krb5_c_make_random_key(kdc_context, useenctype,
- &state->session_key)))
+ errcode = krb5_c_make_random_key(context, useenctype, &state->session_key);
+ if (errcode)
goto errout;
/*
@@ -700,14 +700,12 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
else
state->enc_tkt_reply.times.starttime = state->kdc_time;
- kdc_get_ticket_endtime(kdc_active_realm,
- state->enc_tkt_reply.times.starttime,
+ kdc_get_ticket_endtime(realm, state->enc_tkt_reply.times.starttime,
kdc_infinity, state->request->till, state->client,
state->server, &state->enc_tkt_reply.times.endtime);
- kdc_get_ticket_renewtime(kdc_active_realm, state->request, NULL,
- state->client, state->server,
- &state->enc_tkt_reply);
+ kdc_get_ticket_renewtime(realm, state->request, NULL, state->client,
+ state->server, &state->enc_tkt_reply);
/*
* starttime is optional, and treated as authtime if not present.
@@ -723,17 +721,16 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
/* If anonymous requests are being used, adjust the realm of the client
* principal. */
if (isflagset(state->request->kdc_options, KDC_OPT_REQUEST_ANONYMOUS)) {
- if (!krb5_principal_compare_any_realm(kdc_context,
- state->request->client,
+ if (!krb5_principal_compare_any_realm(context, state->request->client,
krb5_anonymous_principal())) {
errcode = KRB5KDC_ERR_BADOPTION;
/* Anonymous requested but anonymous principal not used.*/
state->status = "VALIDATE_ANONYMOUS_PRINCIPAL";
goto errout;
}
- krb5_free_principal(kdc_context, state->request->client);
+ krb5_free_principal(context, state->request->client);
state->request->client = NULL;
- errcode = krb5_copy_principal(kdc_context, krb5_anonymous_principal(),
+ errcode = krb5_copy_principal(context, krb5_anonymous_principal(),
&state->request->client);
if (errcode)
goto errout;
@@ -741,8 +738,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
setflag(state->client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH);
}
- errcode = select_client_key(kdc_context, state->client,
- state->request->ktype, state->request->nktypes,
+ errcode = select_client_key(context, state->client, state->request->ktype,
+ state->request->nktypes,
&state->client_keyblock, &state->client_key);
if (errcode) {
state->status = "DECRYPT_CLIENT_KEY";
@@ -752,7 +749,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
state->rock.client_key = state->client_key;
state->rock.client_keyblock = &state->client_keyblock;
- errcode = kdc_fast_read_cookie(kdc_context, state->rstate, state->request,
+ errcode = kdc_fast_read_cookie(context, state->rstate, state->request,
state->local_tgt, &state->local_tgt_key);
if (errcode) {
state->status = "READ_COOKIE";
@@ -763,10 +760,9 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
* Check the preauthentication if it is there.
*/
if (state->request->padata) {
- check_padata(kdc_context, &state->rock, state->req_pkt,
- state->request, &state->enc_tkt_reply, &state->pa_context,
- &state->e_data, &state->typed_e_data, finish_preauth,
- state);
+ check_padata(context, &state->rock, state->req_pkt, state->request,
+ &state->enc_tkt_reply, &state->pa_context, &state->e_data,
+ &state->typed_e_data, finish_preauth, state);
} else
finish_preauth(state, 0);
return;
@@ -782,11 +778,11 @@ prepare_error_as(struct kdc_request_state *rstate, krb5_kdc_req *request,
krb5_boolean typed_e_data, krb5_principal canon_client,
krb5_data **response, const char *status)
{
+ krb5_context context = rstate->realm_data->realm_context;
krb5_error errpkt;
krb5_error_code retval;
krb5_data *scratch = NULL, *e_data_asn1 = NULL, *fast_edata = NULL;
krb5_pa_data **e_data = NULL, *cookie = NULL;
- kdc_realm_t *kdc_active_realm = rstate->realm_data;
size_t count;
errpkt.magic = KV5M_ERROR;
@@ -799,16 +795,15 @@ prepare_error_as(struct kdc_request_state *rstate, krb5_kdc_req *request,
if (e_data == NULL)
return ENOMEM;
memcpy(e_data, e_data_in, count * sizeof(*e_data));
- retval = kdc_fast_make_cookie(kdc_context, rstate, local_tgt,
- local_tgt_key, request->client,
- &cookie);
+ retval = kdc_fast_make_cookie(context, rstate, local_tgt,
+ local_tgt_key, request->client, &cookie);
e_data[count] = cookie;
}
errpkt.ctime = 0;
errpkt.cusec = 0;
- retval = krb5_us_timeofday(kdc_context, &errpkt.stime, &errpkt.susec);
+ retval = krb5_us_timeofday(context, &errpkt.stime, &errpkt.susec);
if (retval)
goto cleanup;
errpkt.error = error;
@@ -828,8 +823,8 @@ prepare_error_as(struct kdc_request_state *rstate, krb5_kdc_req *request,
} else
errpkt.e_data = empty_data();
- retval = kdc_fast_handle_error(kdc_context, rstate, request, e_data,
- &errpkt, &fast_edata);
+ retval = kdc_fast_handle_error(context, rstate, request, e_data, &errpkt,
+ &fast_edata);
if (retval)
goto cleanup;
if (fast_edata != NULL)
@@ -840,7 +835,7 @@ prepare_error_as(struct kdc_request_state *rstate, krb5_kdc_req *request,
goto cleanup;
if (kdc_fast_hide_client(rstate) && errpkt.client != NULL)
errpkt.client = (krb5_principal)krb5_anonymous_principal();
- retval = krb5_mk_error(kdc_context, &errpkt, scratch);
+ retval = krb5_mk_error(context, &errpkt, scratch);
if (retval)
goto cleanup;
@@ -848,8 +843,8 @@ prepare_error_as(struct kdc_request_state *rstate, krb5_kdc_req *request,
scratch = NULL;
cleanup:
- krb5_free_data(kdc_context, fast_edata);
- krb5_free_data(kdc_context, e_data_asn1);
+ krb5_free_data(context, fast_edata);
+ krb5_free_data(context, e_data_asn1);
free(scratch);
free(e_data);
if (cookie != NULL)
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index f90c7cf0f..b64aaf1da 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -69,21 +69,17 @@
#include "adm_proto.h"
#include <ctype.h>
-static krb5_error_code
-find_alternate_tgs(kdc_realm_t *, krb5_principal, krb5_db_entry **,
- const char**);
-
static krb5_error_code
prepare_error_tgs(struct kdc_request_state *, krb5_kdc_req *,krb5_ticket *,int,
krb5_principal,krb5_data **,const char *, krb5_pa_data **);
static krb5_error_code
-decrypt_2ndtkt(kdc_realm_t *, krb5_kdc_req *, krb5_flags, krb5_db_entry *,
+decrypt_2ndtkt(krb5_context, krb5_kdc_req *, krb5_flags, krb5_db_entry *,
krb5_keyblock *, const krb5_ticket **, krb5_pac *,
krb5_db_entry **, krb5_keyblock **, const char **);
static krb5_error_code
-gen_session_key(kdc_realm_t *, krb5_kdc_req *, krb5_db_entry *,
+gen_session_key(krb5_context, krb5_kdc_req *, krb5_db_entry *,
krb5_keyblock *, const char **);
static krb5_int32
@@ -100,9 +96,10 @@ search_sprinc(kdc_realm_t *, krb5_kdc_req *, krb5_flags,
/*ARGSUSED*/
krb5_error_code
process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
- const krb5_fulladdr *from, kdc_realm_t *kdc_active_realm,
+ const krb5_fulladdr *from, kdc_realm_t *realm,
krb5_data **response)
{
+ krb5_context context = realm->realm_context;
krb5_keyblock * subkey = 0;
krb5_keyblock *header_key = NULL;
krb5_keyblock *stkt_server_key = NULL;
@@ -157,24 +154,23 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
sprinc = request->server;
if (request->msg_type != KRB5_TGS_REQ) {
- krb5_free_kdc_req(kdc_context, request);
+ krb5_free_kdc_req(context, request);
return KRB5_BADMSGTYPE;
}
- errcode = kdc_make_rstate(kdc_active_realm, &state);
+ errcode = kdc_make_rstate(realm, &state);
if (errcode != 0)
goto cleanup;
/* Initialize audit state. */
- errcode = kau_init_kdc_req(kdc_context, request, from, &au_state);
+ errcode = kau_init_kdc_req(context, request, from, &au_state);
if (errcode)
goto cleanup;
/* Seed the audit trail with the request ID and basic information. */
- kau_tgs_req(kdc_context, TRUE, au_state);
+ kau_tgs_req(context, TRUE, au_state);
- errcode = kdc_process_tgs_req(kdc_active_realm,
- request, from, pkt, &header_ticket,
+ errcode = kdc_process_tgs_req(realm, request, from, pkt, &header_ticket,
&header_server, &header_key, &subkey,
&pa_tgs_req);
if (header_ticket && header_ticket->enc_part2)
@@ -189,8 +185,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
errcode = KRB5_NO_TKT_SUPPLIED; /* XXX? */
goto cleanup;
}
- errcode = kau_make_tkt_id(kdc_context, header_ticket,
- &au_state->tkt_in_id);
+ errcode = kau_make_tkt_id(context, header_ticket, &au_state->tkt_in_id);
if (errcode)
goto cleanup;
@@ -210,14 +205,14 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
goto cleanup;
}
- errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server,
+ errcode = get_local_tgt(context, &sprinc->realm, header_server,
&local_tgt, &local_tgt_storage, &local_tgt_key);
if (errcode) {
status = "GET_LOCAL_TGT";
goto cleanup;
}
- errcode = get_verified_pac(kdc_context, header_ticket->enc_part2,
+ errcode = get_verified_pac(context, header_ticket->enc_part2,
header_server->princ, header_key, local_tgt,
&local_tgt_key, &header_pac);
if (errcode) {
@@ -250,8 +245,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE))
setflag(s_flags, KRB5_KDB_FLAG_REFERRAL_OK);
- errcode = search_sprinc(kdc_active_realm, request, s_flags, &server,
- &status);
+ errcode = search_sprinc(realm, request, s_flags, &server, &status);
if (errcode != 0)
goto cleanup;
sprinc = server->princ;
@@ -259,11 +253,12 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
/* If we got a cross-realm TGS which is not the requested server, we are
* issuing a referral (or alternate TGT, which we treat similarly). */
is_referral = is_cross_tgs_principal(server->princ) &&
- !krb5_principal_compare(kdc_context, request->server, server->princ);
+ !krb5_principal_compare(context, request->server, server->princ);
au_state->stage = VALIDATE_POL;
- if ((errcode = krb5_timeofday(kdc_context, &kdc_time)))
+ errcode = krb5_timeofday(context, &kdc_time);
+ if (errcode)
goto cleanup;
is_crossrealm = !data_eq(header_server->princ->realm, sprinc->realm);
@@ -273,14 +268,14 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
setflag(c_flags, KRB5_KDB_FLAG_ISSUING_REFERRAL);
/* Check for protocol transition */
- errcode = kdc_process_s4u2self_req(kdc_active_realm, request, server,
- subkey, header_enc_tkt->session,
- &s4u_x509_user, &client, &status);
+ errcode = kdc_process_s4u2self_req(context, request, server, subkey,
+ header_enc_tkt->session, &s4u_x509_user,
+ &client, &status);
if (s4u_x509_user != NULL || errcode != 0) {
if (s4u_x509_user != NULL)
au_state->s4u2self_user = s4u_x509_user->user_id.user;
au_state->status = status;
- kau_s4u2self(kdc_context, errcode ? FALSE : TRUE, au_state);
+ kau_s4u2self(context, errcode ? FALSE : TRUE, au_state);
au_state->s4u2self_user = NULL;
if (errcode)
goto cleanup;
@@ -289,17 +284,17 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
setflag(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION);
/* For user-to-user and S4U2Proxy requests, decrypt the second ticket. */
- errcode = decrypt_2ndtkt(kdc_active_realm, request, c_flags, local_tgt,
+ errcode = decrypt_2ndtkt(context, request, c_flags, local_tgt,
&local_tgt_key, &stkt, &stkt_pac, &stkt_server,
&stkt_server_key, &status);
if (errcode)
goto cleanup;
- retval = validate_tgs_request(kdc_active_realm, request, server,
- header_ticket, header_pac, stkt, stkt_pac,
- stkt_server, kdc_time, s4u_x509_user,
- client, is_crossrealm, is_referral,
- &status, &e_data);
+ retval = validate_tgs_request(realm, request, server, header_ticket,
+ header_pac, stkt, stkt_pac, stkt_server,
+ kdc_time, s4u_x509_user, client,
+ is_crossrealm, is_referral, &status,
+ &e_data);
if (retval) {
if (retval == KDC_ERR_POLICY || retval == KDC_ERR_BADOPTION)
au_state->violation = PROT_CONSTRAINT;
@@ -311,10 +306,10 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
/* Do constrained delegation protocol and authorization checks. */
setflag(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION);
- errcode = kdc_process_s4u2proxy_req(kdc_active_realm, c_flags,
- request, header_pac,
- stkt->enc_part2, stkt_pac,
- stkt_server, stkt_server_key,
+ errcode = kdc_process_s4u2proxy_req(context, c_flags, request,
+ header_pac, stkt->enc_part2,
+ stkt_pac, stkt_server,
+ stkt_server_key,
header_ticket->enc_part2->client,
server, &stkt_authdata_client,
&status);
@@ -323,12 +318,12 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
else if (errcode)
au_state->violation = LOCAL_POLICY;
au_state->status = status;
- retval = kau_make_tkt_id(kdc_context, stkt, &au_state->evid_tkt_id);
+ retval = kau_make_tkt_id(context, stkt, &au_state->evid_tkt_id);
if (retval) {
errcode = retval;
goto cleanup;
}
- kau_s4u2proxy(kdc_context, errcode ? FALSE : TRUE, au_state);
+ kau_s4u2proxy(context, errcode ? FALSE : TRUE, au_state);
if (errcode)
goto cleanup;
@@ -337,8 +332,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
au_state->stage = ISSUE_TKT;
- errcode = gen_session_key(kdc_active_realm, request, server, &session_key,
- &status);
+ errcode = gen_session_key(context, request, server, &session_key, &status);
if (errcode)
goto cleanup;
@@ -365,14 +359,14 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
/* Extract and check auth indicators from the subject ticket, except for
* S4U2Self requests (where the client didn't authenticate). */
if (s4u_x509_user == NULL) {
- errcode = get_auth_indicators(kdc_context, subject_tkt, local_tgt,
+ errcode = get_auth_indicators(context, subject_tkt, local_tgt,
&local_tgt_key, &auth_indicators);
if (errcode) {
status = "GET_AUTH_INDICATORS";
goto cleanup;
}
- errcode = check_indicators(kdc_context, server, auth_indicators);
+ errcode = check_indicators(context, server, auth_indicators);
if (errcode) {
status = "HIGHER_AUTHENTICATION_REQUIRED";
goto cleanup;
@@ -390,7 +384,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
if (s4u_x509_user != NULL && !is_referral) {
/* Check if we need to suppress the forwardable ticket flag. */
- errcode = s4u2self_forwardable(kdc_context, server, &enc_tkt_reply);
+ errcode = s4u2self_forwardable(context, server, &enc_tkt_reply);
if (errcode)
goto cleanup;
}
@@ -455,15 +449,15 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
/* not a renew request */
enc_tkt_reply.times.starttime = kdc_time;
- kdc_get_ticket_endtime(kdc_active_realm, enc_tkt_reply.times.starttime,
+ kdc_get_ticket_endtime(realm, enc_tkt_reply.times.starttime,
header_enc_tkt->times.endtime, request->till,
client, server, &enc_tkt_reply.times.endtime);
}
- kdc_get_ticket_renewtime(kdc_active_realm, request, header_enc_tkt, client,
- server, &enc_tkt_reply);
+ kdc_get_ticket_renewtime(realm, request, header_enc_tkt, client, server,
+ &enc_tkt_reply);
- errcode = check_kdcpolicy_tgs(kdc_context, request, server, header_ticket,
+ errcode = check_kdcpolicy_tgs(context, request, server, header_ticket,
auth_indicators, kdc_time,
&enc_tkt_reply.times, &status);
if (errcode)
@@ -491,7 +485,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
encrypting_key = stkt->enc_part2->session;
} else {
- errcode = get_first_current_key(kdc_context, server, &server_keyblock);
+ errcode = get_first_current_key(context, server, &server_keyblock);
if (errcode) {
status = "FINDING_SERVER_KEY";
goto cleanup;
@@ -518,7 +512,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
assert(client == NULL); /* should not have been set already */
- errcode = krb5_db_get_principal(kdc_context, subject_tkt->client,
+ errcode = krb5_db_get_principal(context, subject_tkt->client,
c_flags, &client);
}
}
@@ -540,7 +534,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
* listed).
*/
if (!is_crossrealm ||
- krb5_realm_compare(kdc_context, header_ticket->server,
+ krb5_realm_compare(context, header_ticket->server,
enc_tkt_reply.client)) {
/* tgt issued by local realm or issued by realm of client */
enc_tkt_reply.transited = header_enc_tkt->transited;
@@ -567,19 +561,19 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
newtransited = 1;
}
if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
- errcode = kdc_check_transited_list (kdc_active_realm,
- &enc_tkt_reply.transited.tr_contents,
- krb5_princ_realm (kdc_context, header_enc_tkt->client),
- krb5_princ_realm (kdc_context, request->server));
+ errcode = kdc_check_transited_list(context,
+ &enc_tkt_reply.transited.tr_contents,
+ &header_enc_tkt->client->realm,
+ &request->server->realm);
if (errcode == 0) {
setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
} else {
- log_tgs_badtrans(kdc_context, cprinc, sprinc,
+ log_tgs_badtrans(context, cprinc, sprinc,
&enc_tkt_reply.transited.tr_contents, errcode);
}
} else
krb5_klog_syslog(LOG_INFO, _("not checking transit path"));
- if (kdc_active_realm->realm_reject_bad_transit &&
+ if (realm->realm_reject_bad_transit &&
!isflagset(enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED)) {
errcode = KRB5KDC_ERR_POLICY;
status = "BAD_TRANSIT";
@@ -587,8 +581,8 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
goto cleanup;
}
- errcode = handle_authdata(kdc_active_realm, c_flags, client, server,
- subject_server, local_tgt, &local_tgt_key,
+ errcode = handle_authdata(realm, c_flags, client, server, subject_server,
+ local_tgt, &local_tgt_key,
subkey != NULL ? subkey :
header_ticket->enc_part2->session,
encrypting_key, subject_key, NULL, pkt, request,
@@ -608,13 +602,12 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
ticket_kvno = 0;
ticket_reply.enc_part.enctype = stkt->enc_part2->session->enctype;
- kau_u2u(kdc_context, TRUE, au_state);
+ kau_u2u(context, TRUE, au_state);
} else {
ticket_kvno = current_kvno(server);
}
- errcode = krb5_encrypt_tkt_part(kdc_context, encrypting_key,
- &ticket_reply);
+ errcode = krb5_encrypt_tkt_part(context, encrypting_key, &ticket_reply);
if (errcode)
goto cleanup;
ticket_reply.enc_part.kvno = ticket_kvno;
@@ -622,17 +615,14 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
au_state->stage = ENCR_REP;
reply.msg_type = KRB5_TGS_REP;
if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
- krb5int_find_pa_data(kdc_context, request->padata,
+ krb5int_find_pa_data(context, request->padata,
KRB5_PADATA_S4U_X509_USER) != NULL) {
- errcode = kdc_make_s4u2self_rep(kdc_context,
- subkey,
+ errcode = kdc_make_s4u2self_rep(context, subkey,
header_ticket->enc_part2->session,
- s4u_x509_user,
- &reply,
- &reply_encpart);
+ s4u_x509_user, &reply, &reply_encpart);
if (errcode)
au_state->status = status;
- kau_s4u2self(kdc_context, errcode ? FALSE : TRUE, au_state);
+ kau_s4u2self(context, errcode ? FALSE : TRUE, au_state);
if (errcode)
goto cleanup;
}
@@ -669,8 +659,8 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
subkey?subkey:header_ticket->enc_part2->session, &reply_key);
if (errcode)
goto cleanup;
- errcode = return_enc_padata(kdc_context, pkt, request,
- reply_key, server, &reply_encpart,
+ errcode = return_enc_padata(context, pkt, request, reply_key, server,
+ &reply_encpart,
is_referral &&
isflagset(s_flags, KRB5_KDB_FLAG_REFERRAL_OK));
if (errcode) {
@@ -678,16 +668,14 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
goto cleanup;
}
- errcode = kau_make_tkt_id(kdc_context, &ticket_reply, &au_state->tkt_out_id);
+ errcode = kau_make_tkt_id(context, &ticket_reply, &au_state->tkt_out_id);
if (errcode)
goto cleanup;
if (kdc_fast_hide_client(state))
reply.client = (krb5_principal)krb5_anonymous_principal();
- errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart,
- subkey ? 1 : 0,
- reply_key,
- &reply, response);
+ errcode = krb5_encode_kdc_rep(context, KRB5_TGS_REP, &reply_encpart,
+ subkey ? 1 : 0, reply_key, &reply, response);
if (!errcode)
status = "ISSUE";
@@ -703,34 +691,33 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
cleanup:
if (status == NULL)
status = "UNKNOWN_REASON";
- krb5_free_keyblock_contents(kdc_context, &server_keyblock);
+ krb5_free_keyblock_contents(context, &server_keyblock);
if (reply_key)
- krb5_free_keyblock(kdc_context, reply_key);
+ krb5_free_keyblock(context, reply_key);
if (stkt_server_key)
- krb5_free_keyblock(kdc_context, stkt_server_key);
+ krb5_free_keyblock(context, stkt_server_key);
if (errcode)
- emsg = krb5_get_error_message (kdc_context, errcode);
+ emsg = krb5_get_error_message(context, errcode);
if (au_state != NULL) {
au_state->status = status;
if (!errcode)
au_state->reply = &reply;
- kau_tgs_req(kdc_context, errcode ? FALSE : TRUE, au_state);
+ kau_tgs_req(context, errcode ? FALSE : TRUE, au_state);
kau_free_kdc_req(au_state);
}
- log_tgs_req(kdc_context, from, request, &reply, cprinc,
- sprinc, altcprinc, authtime,
- c_flags, status, errcode, emsg);
+ log_tgs_req(context, from, request, &reply, cprinc, sprinc, altcprinc,
+ authtime, c_flags, status, errcode, emsg);
if (errcode) {
- krb5_free_error_message (kdc_context, emsg);
+ krb5_free_error_message(context, emsg);
emsg = NULL;
}
if (errcode && state != NULL) {
int got_err = 0;
if (status == 0) {
- status = krb5_get_error_message (kdc_context, errcode);
+ status = krb5_get_error_message(context, errcode);
got_err = 1;
}
errcode -= ERROR_TABLE_BASE_krb5;
@@ -741,47 +728,47 @@ cleanup:
(server != NULL) ? server->princ : NULL,
response, status, e_data);
if (got_err) {
- krb5_free_error_message (kdc_context, status);
+ krb5_free_error_message(context, status);
status = 0;
}
}
if (header_ticket != NULL)
- krb5_free_ticket(kdc_context, header_ticket);
+ krb5_free_ticket(context, header_ticket);
if (request != NULL)
- krb5_free_kdc_req(kdc_context, request);
+ krb5_free_kdc_req(context, request);
if (state)
kdc_free_rstate(state);
- krb5_db_free_principal(kdc_context, server);
- krb5_db_free_principal(kdc_context, stkt_server);
- krb5_db_free_principal(kdc_context, header_server);
- krb5_db_free_principal(kdc_context, client);
- krb5_db_free_principal(kdc_context, local_tgt_storage);
+ krb5_db_free_principal(context, server);
+ krb5_db_free_principal(context, stkt_server);
+ krb5_db_free_principal(context, header_server);
+ krb5_db_free_principal(context, client);
+ krb5_db_free_principal(context, local_tgt_storage);
if (local_tgt_key.contents != NULL)
- krb5_free_keyblock_contents(kdc_context, &local_tgt_key);
+ krb5_free_keyblock_contents(context, &local_tgt_key);
if (session_key.contents != NULL)
- krb5_free_keyblock_contents(kdc_context, &session_key);
+ krb5_free_keyblock_contents(context, &session_key);
if (newtransited)
free(enc_tkt_reply.transited.tr_contents.data);
if (s4u_x509_user != NULL)
- krb5_free_pa_s4u_x509_user(kdc_context, s4u_x509_user);
+ krb5_free_pa_s4u_x509_user(context, s4u_x509_user);
if (kdc_issued_auth_data != NULL)
- krb5_free_authdata(kdc_context, kdc_issued_auth_data);
+ krb5_free_authdata(context, kdc_issued_auth_data);
if (subkey != NULL)
- krb5_free_keyblock(kdc_context, subkey);
+ krb5_free_keyblock(context, subkey);
if (header_key != NULL)
- krb5_free_keyblock(kdc_context, header_key);
+ krb5_free_keyblock(context, header_key);
if (reply.padata)
- krb5_free_pa_data(kdc_context, reply.padata);
+ krb5_free_pa_data(context, reply.padata);
if (reply_encpart.enc_padata)
- krb5_free_pa_data(kdc_context, reply_encpart.enc_padata);
+ krb5_free_pa_data(context, reply_encpart.enc_padata);
if (enc_tkt_reply.authorization_data != NULL)
- krb5_free_authdata(kdc_context, enc_tkt_reply.authorization_data);
- krb5_free_pa_data(kdc_context, e_data);
+ krb5_free_authdata(context, enc_tkt_reply.authorization_data);
+ krb5_free_pa_data(context, e_data);
k5_free_data_ptr_list(auth_indicators);
- krb5_pac_free(kdc_context, header_pac);
- krb5_pac_free(kdc_context, stkt_pac);
- krb5_free_principal(kdc_context, stkt_authdata_client);
+ krb5_pac_free(context, header_pac);
+ krb5_pac_free(context, stkt_pac);
+ krb5_free_principal(context, stkt_authdata_client);
return retval;
}
@@ -793,17 +780,17 @@ prepare_error_tgs (struct kdc_request_state *state,
krb5_data **response, const char *status,
krb5_pa_data **e_data)
{
+ krb5_context context = state->realm_data->realm_context;
krb5_error errpkt;
krb5_error_code retval = 0;
krb5_data *scratch, *e_data_asn1 = NULL, *fast_edata = NULL;
- kdc_realm_t *kdc_active_realm = state->realm_data;
errpkt.magic = KV5M_ERROR;
errpkt.ctime = 0;
errpkt.cusec = 0;
- if ((retval = krb5_us_timeofday(kdc_context, &errpkt.stime,
- &errpkt.susec)))
+ retval = krb5_us_timeofday(context, &errpkt.stime, &errpkt.susec);
+ if (retval)
return(retval);
errpkt.error = error;
errpkt.server = request->server;
@@ -831,22 +818,22 @@ prepare_error_tgs (struct kdc_request_state *state,
} else
errpkt.e_data = empty_data();
- retval = kdc_fast_handle_error(kdc_context, state, request, e_data,
+ retval = kdc_fast_handle_error(context, state, request, e_data,
&errpkt, &fast_edata);
if (retval) {
free(scratch);
free(errpkt.text.data);
- krb5_free_data(kdc_context, e_data_asn1);
+ krb5_free_data(context, e_data_asn1);
return retval;
}
if (fast_edata)
errpkt.e_data = *fast_edata;
if (kdc_fast_hide_client(state) && errpkt.client != NULL)
errpkt.client = (krb5_principal)krb5_anonymous_principal();
- retval = krb5_mk_error(kdc_context, &errpkt, scratch);
+ retval = krb5_mk_error(context, &errpkt, scratch);
free(errpkt.text.data);
- krb5_free_data(kdc_context, e_data_asn1);
- krb5_free_data(kdc_context, fast_edata);
+ krb5_free_data(context, e_data_asn1);
+ krb5_free_data(context, fast_edata);
if (retval)
free(scratch);
else
@@ -864,11 +851,11 @@ prepare_error_tgs (struct kdc_request_state *state,
* key.
*/
static krb5_error_code
-decrypt_2ndtkt(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
- krb5_flags flags, krb5_db_entry *local_tgt,
- krb5_keyblock *local_tgt_key, const krb5_ticket **stkt_out,
- krb5_pac *pac_out, krb5_db_entry **server_out,
- krb5_keyblock **key_out, const char **status)
+decrypt_2ndtkt(krb5_context context, krb5_kdc_req *req, krb5_flags flags,
+ krb5_db_entry *local_tgt, krb5_keyblock *local_tgt_key,
+ const krb5_ticket **stkt_out, krb5_pac *pac_out,
+ krb5_db_entry **server_out, krb5_keyblock **key_out,
+ const char **status)
{
krb5_error_code retval;
krb5_db_entry *server = NULL;
@@ -886,19 +873,19 @@ decrypt_2ndtkt(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
return 0;
stkt = req->second_ticket[0];
- retval = kdc_get_server_key(kdc_context, stkt, flags, TRUE,
- &server, &key, &kvno);
+ retval = kdc_get_server_key(context, stkt, flags, TRUE, &server, &key,
+ &kvno);
if (retval != 0) {
*status = "2ND_TKT_SERVER";
goto cleanup;
}
- retval = krb5_decrypt_tkt_part(kdc_context, key, stkt);
+ retval = krb5_decrypt_tkt_part(context, key, stkt);
if (retval != 0) {
*status = "2ND_TKT_DECRYPT";
goto cleanup;
}
- retval = get_verified_pac(kdc_context, stkt->enc_part2, server->princ,
- key, local_tgt, local_tgt_key, pac_out);
+ retval = get_verified_pac(context, stkt->enc_part2, server->princ, key,
+ local_tgt, local_tgt_key, pac_out);
if (retval != 0) {
*status = "2ND_TKT_PAC";
goto cleanup;
@@ -910,14 +897,14 @@ decrypt_2ndtkt(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
key = NULL;
cleanup:
- krb5_db_free_principal(kdc_context, server);
- krb5_free_keyblock(kdc_context, key);
+ krb5_db_free_principal(context, server);
+ krb5_free_keyblock(context, key);
return retval;
}
static krb5_error_code
-get_2ndtkt_enctype(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
- krb5_enctype *useenctype, const char **status)
+get_2ndtkt_enctype(krb5_kdc_req *req, krb5_enctype *useenctype,
+ const char **status)
{
krb5_enctype etype;
krb5_ticket *stkt = req->second_ticket[0];
@@ -938,9 +925,8 @@ get_2ndtkt_enctype(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
}
static krb5_error_code
-gen_session_key(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
- krb5_db_entry *server, krb5_keyblock *skey,
- const char **status)
+gen_session_key(krb5_context context, krb5_kdc_req *req, krb5_db_entry *server,
+ krb5_keyblock *skey, const char **status)
{
krb5_error_code retval;
krb5_enctype useenctype = 0;
@@ -955,15 +941,13 @@ gen_session_key(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
* to anything else.
*/
if (req->kdc_options & KDC_OPT_ENC_TKT_IN_SKEY) {
- retval = get_2ndtkt_enctype(kdc_active_realm, req, &useenctype,
- status);
+ retval = get_2ndtkt_enctype(req, &useenctype, status);
if (retval != 0)
return retval;
}
if (useenctype == 0) {
- useenctype = select_session_keytype(kdc_active_realm, server,
- req->nktypes,
- req->ktype);
+ useenctype = select_session_keytype(context, server,
+ req->nktypes, req->ktype);
}
if (useenctype == 0) {
/* unsupported ktype */
@@ -971,7 +955,7 @@ gen_session_key(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
return KRB5KDC_ERR_ETYPE_NOSUPP;
}
- return krb5_c_make_random_key(kdc_context, useenctype, skey);
+ return krb5_c_make_random_key(context, useenctype, skey);
}
/*
@@ -980,7 +964,7 @@ gen_session_key(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
* some intermediate realm.
*/
static krb5_error_code
-find_alternate_tgs(kdc_realm_t *kdc_active_realm, krb5_principal princ,
+find_alternate_tgs(krb5_context context, krb5_principal princ,
krb5_db_entry **server_ptr, const char **status)
{
krb5_error_code retval;
@@ -990,29 +974,26 @@ find_alternate_tgs(kdc_realm_t *kdc_active_realm, krb5_principal princ,
*server_ptr = NULL;
assert(is_cross_tgs_principal(princ));
- if ((retval = krb5_walk_realm_tree(kdc_context,
- krb5_princ_realm(kdc_context, princ),
- krb5_princ_component(kdc_context, princ, 1),
- &plist, KRB5_REALM_BRANCH_CHAR))) {
+ retval = krb5_walk_realm_tree(context, &princ->realm, &princ->data[1],
+ &plist, KRB5_REALM_BRANCH_CHAR);
+ if (retval)
goto cleanup;
- }
/* move to the end */
for (pl2 = plist; *pl2; pl2++);
/* the first entry in this array is for krbtgt/local at local, so we
ignore it */
while (--pl2 > plist) {
- tmp = *krb5_princ_realm(kdc_context, *pl2);
- krb5_princ_set_realm(kdc_context, *pl2,
- krb5_princ_realm(kdc_context, princ));
- retval = db_get_svc_princ(kdc_context, *pl2, 0, &server, status);
- krb5_princ_set_realm(kdc_context, *pl2, &tmp);
+ tmp = *krb5_princ_realm(context, *pl2);
+ krb5_princ_set_realm(context, *pl2, &princ->realm);
+ retval = db_get_svc_princ(context, *pl2, 0, &server, status);
+ krb5_princ_set_realm(context, *pl2, &tmp);
if (retval == KRB5_KDB_NOENTRY)
continue;
else if (retval)
goto cleanup;
- log_tgs_alt_tgt(kdc_context, server->princ);
+ log_tgs_alt_tgt(context, server->princ);
*server_ptr = server;
server = NULL;
goto cleanup;
@@ -1023,8 +1004,8 @@ cleanup:
if (retval != 0)
*status = "UNKNOWN_SERVER";
- krb5_free_realm_tree(kdc_context, plist);
- krb5_db_free_principal(kdc_context, server);
+ krb5_free_realm_tree(context, plist);
+ krb5_db_free_principal(context, server);
return retval;
}
@@ -1051,12 +1032,12 @@ in_list(const char *list, const char *item)
* TGT. The caller checks whether the hostname component looks like a FQDN.
*/
static krb5_boolean
-is_referral_req(kdc_realm_t *kdc_active_realm, krb5_kdc_req *request)
+is_referral_req(kdc_realm_t *realm, krb5_kdc_req *request)
{
krb5_boolean ret = FALSE;
char *stype = NULL;
- char *hostbased = kdc_active_realm->realm_hostbased;
- char *no_referral = kdc_active_realm->realm_no_referral;
+ char *hostbased = realm->realm_hostbased;
+ char *no_referral = realm->realm_no_referral;
if (!(request->kdc_options & KDC_OPT_CANONICALIZE))
return FALSE;
@@ -1064,13 +1045,13 @@ is_referral_req(kdc_realm_t *kdc_active_realm, krb5_kdc_req *request)
if (request->kdc_options & KDC_OPT_ENC_TKT_IN_SKEY)
return FALSE;
- if (krb5_princ_size(kdc_context, request->server) != 2)
+ if (request->server->length != 2)
return FALSE;
- stype = data2string(krb5_princ_component(kdc_context, request->server, 0));
+ stype = data2string(&request->server->data[0]);
if (stype == NULL)
return FALSE;
- switch (krb5_princ_type(kdc_context, request->server)) {
+ switch (request->server->type) {
case KRB5_NT_UNKNOWN:
/* Allow referrals for NT-UNKNOWN principals, if configured. */
if (!in_list(hostbased, stype) && !in_list(hostbased, "*"))
@@ -1096,18 +1077,18 @@ cleanup:
* principal.
*/
static krb5_int32
-find_referral_tgs(kdc_realm_t *kdc_active_realm, krb5_kdc_req *request,
+find_referral_tgs(kdc_realm_t *realm, krb5_kdc_req *request,
krb5_principal *krbtgt_princ)
{
+ krb5_context context = realm->realm_context;
krb5_error_code retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
char **realms = NULL, *hostname = NULL;
krb5_data srealm = request->server->realm;
- if (!is_referral_req(kdc_active_realm, request))
+ if (!is_referral_req(realm, request))
goto cleanup;
- hostname = data2string(krb5_princ_component(kdc_context,
- request->server, 1));
+ hostname = data2string(&request->server->data[1]);
if (hostname == NULL) {
retval = ENOMEM;
goto cleanup;
@@ -1115,10 +1096,10 @@ find_referral_tgs(kdc_realm_t *kdc_active_realm, krb5_kdc_req *request,
/* If the hostname doesn't contain a '.', it's not a FQDN. */
if (strchr(hostname, '.') == NULL)
goto cleanup;
- retval = krb5_get_host_realm(kdc_context, hostname, &realms);
+ retval = krb5_get_host_realm(context, hostname, &realms);
if (retval) {
/* no match found */
- kdc_err(kdc_context, retval, "unable to find realm of host");
+ kdc_err(context, retval, "unable to find realm of host");
goto cleanup;
}
/* Don't return a referral to the empty realm or the service realm. */
@@ -1127,11 +1108,11 @@ find_referral_tgs(kdc_realm_t *kdc_active_realm, krb5_kdc_req *request,
retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto cleanup;
}
- retval = krb5_build_principal(kdc_context, krbtgt_princ,
+ retval = krb5_build_principal(context, krbtgt_princ,
srealm.length, srealm.data,
"krbtgt", realms[0], (char *)0);
cleanup:
- krb5_free_host_realm(kdc_context, realms);
+ krb5_free_host_realm(context, realms);
free(hostname);
return retval;
@@ -1154,9 +1135,10 @@ db_get_svc_princ(krb5_context ctx, krb5_principal princ,
}
static krb5_error_code
-search_sprinc(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
+search_sprinc(kdc_realm_t *realm, krb5_kdc_req *req,
krb5_flags flags, krb5_db_entry **server, const char **status)
{
+ krb5_context context = realm->realm_context;
krb5_error_code ret;
krb5_principal princ = req->server;
krb5_principal reftgs = NULL;
@@ -1168,21 +1150,21 @@ search_sprinc(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
if (!allow_referral)
flags &= ~KRB5_KDB_FLAG_REFERRAL_OK;
- ret = db_get_svc_princ(kdc_context, princ, flags, server, status);
+ ret = db_get_svc_princ(context, princ, flags, server, status);
if (ret == 0 || ret != KRB5_KDB_NOENTRY || !allow_referral)
goto cleanup;
if (!is_cross_tgs_principal(req->server)) {
- ret = find_referral_tgs(kdc_active_realm, req, &reftgs);
+ ret = find_referral_tgs(realm, req, &reftgs);
if (ret != 0)
goto cleanup;
- ret = db_get_svc_princ(kdc_context, reftgs, flags, server, status);
+ ret = db_get_svc_princ(context, reftgs, flags, server, status);
if (ret == 0 || ret != KRB5_KDB_NOENTRY)
goto cleanup;
princ = reftgs;
}
- ret = find_alternate_tgs(kdc_active_realm, princ, server, status);
+ ret = find_alternate_tgs(context, princ, server, status);
cleanup:
if (ret != 0 && ret != KRB5KDC_ERR_SVC_UNAVAILABLE) {
@@ -1190,6 +1172,6 @@ cleanup:
if (*status == NULL)
*status = "LOOKING_UP_SERVER";
}
- krb5_free_principal(kdc_context, reftgs);
+ krb5_free_principal(context, reftgs);
return ret;
}
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
index ff3338e40..9044a1844 100644
--- a/src/kdc/fast_util.c
+++ b/src/kdc/fast_util.c
@@ -39,53 +39,53 @@ static krb5_error_code armor_ap_request
krb5_auth_context authcontext = NULL;
krb5_ticket *ticket = NULL;
krb5_keyblock *subkey = NULL;
- kdc_realm_t *kdc_active_realm = state->realm_data;
+ kdc_realm_t *realm = state->realm_data;
+ krb5_context context = realm->realm_context;
assert(armor->armor_type == KRB5_FAST_ARMOR_AP_REQUEST);
- krb5_clear_error_message(kdc_context);
- retval = krb5_auth_con_init(kdc_context, &authcontext);
+ krb5_clear_error_message(context);
+ retval = krb5_auth_con_init(context, &authcontext);
+ /*disable replay cache*/
if (retval == 0)
- retval = krb5_auth_con_setflags(kdc_context,
- authcontext, 0); /*disable replay cache*/
+ retval = krb5_auth_con_setflags(context, authcontext, 0);
if (retval == 0)
- retval = krb5_rd_req(kdc_context, &authcontext, &armor->armor_value,
- NULL /*server*/, kdc_active_realm->realm_keytab,
+ retval = krb5_rd_req(context, &authcontext, &armor->armor_value,
+ NULL /*server*/, realm->realm_keytab,
NULL, &ticket);
if (retval != 0) {
- const char * errmsg = krb5_get_error_message(kdc_context, retval);
- k5_setmsg(kdc_context, retval, _("%s while handling ap-request armor"),
+ const char * errmsg = krb5_get_error_message(context, retval);
+ k5_setmsg(context, retval, _("%s while handling ap-request armor"),
errmsg);
- krb5_free_error_message(kdc_context, errmsg);
+ krb5_free_error_message(context, errmsg);
}
if (retval == 0) {
- if (!krb5_principal_compare_any_realm(kdc_context,
- tgs_server,
+ if (!krb5_principal_compare_any_realm(context, realm->realm_tgsprinc,
ticket->server)) {
- k5_setmsg(kdc_context, KRB5KDC_ERR_SERVER_NOMATCH,
+ k5_setmsg(context, KRB5KDC_ERR_SERVER_NOMATCH,
_("ap-request armor for something other than the local "
"TGS"));
retval = KRB5KDC_ERR_SERVER_NOMATCH;
}
}
if (retval == 0) {
- retval = krb5_auth_con_getrecvsubkey(kdc_context, authcontext, &subkey);
+ retval = krb5_auth_con_getrecvsubkey(context, authcontext, &subkey);
if (retval != 0 || subkey == NULL) {
- k5_setmsg(kdc_context, KRB5KDC_ERR_POLICY,
+ k5_setmsg(context, KRB5KDC_ERR_POLICY,
_("ap-request armor without subkey"));
retval = KRB5KDC_ERR_POLICY;
}
}
if (retval == 0)
- retval = krb5_c_fx_cf2_simple(kdc_context,
+ retval = krb5_c_fx_cf2_simple(context,
subkey, "subkeyarmor",
ticket->enc_part2->session, "ticketarmor",
&state->armor_key);
if (ticket)
- krb5_free_ticket(kdc_context, ticket);
+ krb5_free_ticket(context, ticket);
if (subkey)
- krb5_free_keyblock(kdc_context, subkey);
+ krb5_free_keyblock(context, subkey);
if (authcontext)
- krb5_auth_con_free(kdc_context, authcontext);
+ krb5_auth_con_free(context, authcontext);
return retval;
}
@@ -94,24 +94,24 @@ encrypt_fast_reply(struct kdc_request_state *state,
const krb5_fast_response *response,
krb5_data **fx_fast_reply)
{
+ krb5_context context = state->realm_data->realm_context;
krb5_error_code retval = 0;
krb5_enc_data encrypted_reply;
krb5_data *encoded_response = NULL;
- kdc_realm_t *kdc_active_realm = state->realm_data;
assert(state->armor_key);
retval = encode_krb5_fast_response(response, &encoded_response);
if (retval== 0)
- retval = krb5_encrypt_helper(kdc_context, state->armor_key,
+ retval = krb5_encrypt_helper(context, state->armor_key,
KRB5_KEYUSAGE_FAST_REP,
encoded_response, &encrypted_reply);
if (encoded_response)
- krb5_free_data(kdc_context, encoded_response);
+ krb5_free_data(context, encoded_response);
encoded_response = NULL;
if (retval == 0) {
retval = encode_krb5_pa_fx_fast_reply(&encrypted_reply,
fx_fast_reply);
- krb5_free_data_contents(kdc_context, &encrypted_reply.ciphertext);
+ krb5_free_data_contents(context, &encrypted_reply.ciphertext);
}
return retval;
}
@@ -131,6 +131,7 @@ kdc_find_fast(krb5_kdc_req **requestptr,
struct kdc_request_state *state,
krb5_data **inner_body_out)
{
+ krb5_context context = state->realm_data->realm_context;
krb5_error_code retval = 0;
krb5_pa_data *fast_padata;
krb5_data scratch, plaintext, *inner_body = NULL;
@@ -140,15 +141,14 @@ kdc_find_fast(krb5_kdc_req **requestptr,
krb5_checksum *cksum;
krb5_boolean cksum_valid;
krb5_keyblock empty_keyblock;
- kdc_realm_t *kdc_active_realm = state->realm_data;
if (inner_body_out != NULL)
*inner_body_out = NULL;
scratch.data = NULL;
- krb5_clear_error_message(kdc_context);
+ krb5_clear_error_message(context);
memset(&empty_keyblock, 0, sizeof(krb5_keyblock));
- fast_padata = krb5int_find_pa_data(kdc_context,
- request->padata, KRB5_PADATA_FX_FAST);
+ fast_padata = krb5int_find_pa_data(context, request->padata,
+ KRB5_PADATA_FX_FAST);
if (fast_padata != NULL){
scratch.length = fast_padata->length;
scratch.data = (char *) fast_padata->contents;
@@ -158,14 +158,14 @@ kdc_find_fast(krb5_kdc_req **requestptr,
case KRB5_FAST_ARMOR_AP_REQUEST:
if (tgs_subkey) {
retval = KRB5KDC_ERR_PREAUTH_FAILED;
- k5_setmsg(kdc_context, retval,
+ k5_setmsg(context, retval,
_("Ap-request armor not permitted with TGS"));
break;
}
retval = armor_ap_request(state, fast_armored_req->armor);
break;
default:
- k5_setmsg(kdc_context, KRB5KDC_ERR_PREAUTH_FAILED,
+ k5_setmsg(context, KRB5KDC_ERR_PREAUTH_FAILED,
_("Unknown FAST armor type %d"),
fast_armored_req->armor->armor_type);
retval = KRB5KDC_ERR_PREAUTH_FAILED;
@@ -173,13 +173,13 @@ kdc_find_fast(krb5_kdc_req **requestptr,
}
if (retval == 0 && !state->armor_key) {
if (tgs_subkey)
- retval = krb5_c_fx_cf2_simple(kdc_context,
+ retval = krb5_c_fx_cf2_simple(context,
tgs_subkey, "subkeyarmor",
tgs_session, "ticketarmor",
&state->armor_key);
else {
retval = KRB5KDC_ERR_PREAUTH_FAILED;
- k5_setmsg(kdc_context, retval,
+ k5_setmsg(context, retval,
_("No armor key but FAST armored request present"));
}
}
@@ -188,8 +188,7 @@ kdc_find_fast(krb5_kdc_req **requestptr,
plaintext.data = k5alloc(plaintext.length, &retval);
}
if (retval == 0) {
- retval = krb5_c_decrypt(kdc_context,
- state->armor_key,
+ retval = krb5_c_decrypt(context, state->armor_key,
KRB5_KEYUSAGE_FAST_ENC, NULL,
&fast_armored_req->enc_part,
&plaintext);
@@ -199,8 +198,7 @@ kdc_find_fast(krb5_kdc_req **requestptr,
retval = fetch_asn1_field((unsigned char *)plaintext.data,
1, 2, &scratch);
if (retval == 0) {
- retval = krb5_copy_data(kdc_context, &scratch,
- &inner_body);
+ retval = krb5_copy_data(context, &scratch, &inner_body);
}
}
if (plaintext.data)
@@ -208,19 +206,19 @@ kdc_find_fast(krb5_kdc_req **requestptr,
}
cksum = &fast_armored_req->req_checksum;
if (retval == 0)
- retval = krb5_c_verify_checksum(kdc_context, state->armor_key,
+ retval = krb5_c_verify_checksum(context, state->armor_key,
KRB5_KEYUSAGE_FAST_REQ_CHKSUM,
checksummed_data, cksum,
&cksum_valid);
if (retval == 0 && !cksum_valid) {
retval = KRB5KRB_AP_ERR_MODIFIED;
- k5_setmsg(kdc_context, retval,
+ k5_setmsg(context, retval,
_("FAST req_checksum invalid; request modified"));
}
if (retval == 0) {
if (!krb5_c_is_keyed_cksum(cksum->checksum_type)) {
retval = KRB5KDC_ERR_POLICY;
- k5_setmsg(kdc_context, retval,
+ k5_setmsg(context, retval,
_("Unkeyed checksum used in fast_req"));
}
}
@@ -231,7 +229,7 @@ kdc_find_fast(krb5_kdc_req **requestptr,
if (retval == 0) {
state->fast_options = fast_req->fast_options;
fast_req->req_body->msg_type = request->msg_type;
- krb5_free_kdc_req( kdc_context, request);
+ krb5_free_kdc_req(context, request);
*requestptr = fast_req->req_body;
fast_req->req_body = NULL;
}
@@ -240,11 +238,11 @@ kdc_find_fast(krb5_kdc_req **requestptr,
*inner_body_out = inner_body;
inner_body = NULL;
}
- krb5_free_data(kdc_context, inner_body);
+ krb5_free_data(context, inner_body);
if (fast_req)
- krb5_free_fast_req( kdc_context, fast_req);
+ krb5_free_fast_req(context, fast_req);
if (fast_armored_req)
- krb5_free_fast_armored_req(kdc_context, fast_armored_req);
+ krb5_free_fast_armored_req(context, fast_armored_req);
return retval;
}
@@ -264,12 +262,10 @@ kdc_make_rstate(kdc_realm_t *active_realm, struct kdc_request_state **out)
void
kdc_free_rstate (struct kdc_request_state *s)
{
- kdc_realm_t *kdc_active_realm = s->realm_data;
-
if (s->armor_key)
- krb5_free_keyblock(kdc_context, s->armor_key);
+ krb5_free_keyblock(s->realm_data->realm_context, s->armor_key);
if (s->strengthen_key)
- krb5_free_keyblock(kdc_context, s->strengthen_key);
+ krb5_free_keyblock(s->realm_data->realm_context, s->strengthen_key);
k5_zapfree_pa_data(s->in_cookie_padata);
k5_zapfree_pa_data(s->out_cookie_padata);
free(s);
@@ -280,6 +276,7 @@ kdc_fast_response_handle_padata(struct kdc_request_state *state,
krb5_kdc_req *request,
krb5_kdc_rep *rep, krb5_enctype enctype)
{
+ krb5_context context = state->realm_data->realm_context;
krb5_error_code retval = 0;
krb5_fast_finished finish;
krb5_fast_response fast_response;
@@ -289,14 +286,13 @@ kdc_fast_response_handle_padata(struct kdc_request_state *state,
krb5_cksumtype cksumtype = CKSUMTYPE_RSA_MD5;
krb5_pa_data *empty_padata[] = {NULL};
krb5_keyblock *strengthen_key = NULL;
- kdc_realm_t *kdc_active_realm = state->realm_data;
if (!state->armor_key)
return 0;
memset(&finish, 0, sizeof(finish));
- retval = krb5_init_keyblock(kdc_context, enctype, 0, &strengthen_key);
+ retval = krb5_init_keyblock(context, enctype, 0, &strengthen_key);
if (retval == 0)
- retval = krb5_c_make_random_key(kdc_context, enctype, strengthen_key);
+ retval = krb5_c_make_random_key(context, enctype, strengthen_key);
if (retval == 0) {
state->strengthen_key = strengthen_key;
strengthen_key = NULL;
@@ -316,16 +312,15 @@ kdc_fast_response_handle_padata(struct kdc_request_state *state,
if (retval == 0 && pa == NULL)
retval = ENOMEM;
if (retval == 0)
- retval = krb5_us_timeofday(kdc_context, &finish.timestamp, &finish.usec);
+ retval = krb5_us_timeofday(context, &finish.timestamp, &finish.usec);
if (retval == 0)
retval = encode_krb5_ticket(rep->ticket, &encoded_ticket);
if (retval == 0)
- retval = krb5int_c_mandatory_cksumtype(kdc_context,
+ retval = krb5int_c_mandatory_cksumtype(context,
state->armor_key->enctype,
&cksumtype);
if (retval == 0)
- retval = krb5_c_make_checksum(kdc_context, cksumtype,
- state->armor_key,
+ retval = krb5_c_make_checksum(context, cksumtype, state->armor_key,
KRB5_KEYUSAGE_FAST_FINISHED,
encoded_ticket, &finish.ticket_checksum);
if (retval == 0)
@@ -335,7 +330,7 @@ kdc_fast_response_handle_padata(struct kdc_request_state *state,
pa[0].length = encrypted_reply->length;
pa[0].contents = (unsigned char *) encrypted_reply->data;
pa_array[0] = &pa[0];
- krb5_free_pa_data(kdc_context, rep->padata);
+ krb5_free_pa_data(context, rep->padata);
rep->padata = pa_array;
pa_array = NULL;
free(encrypted_reply);
@@ -347,13 +342,13 @@ kdc_fast_response_handle_padata(struct kdc_request_state *state,
if (pa_array)
free(pa_array);
if (encrypted_reply)
- krb5_free_data(kdc_context, encrypted_reply);
+ krb5_free_data(context, encrypted_reply);
if (encoded_ticket)
- krb5_free_data(kdc_context, encoded_ticket);
+ krb5_free_data(context, encoded_ticket);
if (strengthen_key != NULL)
- krb5_free_keyblock(kdc_context, strengthen_key);
+ krb5_free_keyblock(context, strengthen_key);
if (finish.ticket_checksum.contents)
- krb5_free_checksum_contents(kdc_context, &finish.ticket_checksum);
+ krb5_free_checksum_contents(context, &finish.ticket_checksum);
return retval;
}
@@ -379,7 +374,6 @@ kdc_fast_handle_error(krb5_context context,
krb5_pa_data *outer_pa[3];
krb5_pa_data **inner_pa = NULL;
size_t size = 0;
- kdc_realm_t *kdc_active_realm = state->realm_data;
*fast_edata_out = NULL;
memset(outer_pa, 0, sizeof(outer_pa));
@@ -421,9 +415,9 @@ kdc_fast_handle_error(krb5_context context,
}
retval = encode_krb5_padata_sequence(outer_pa, fast_edata_out);
if (encrypted_reply)
- krb5_free_data(kdc_context, encrypted_reply);
+ krb5_free_data(context, encrypted_reply);
if (encoded_fx_error)
- krb5_free_data(kdc_context, encoded_fx_error);
+ krb5_free_data(context, encoded_fx_error);
return retval;
}
@@ -432,16 +426,15 @@ kdc_fast_handle_reply_key(struct kdc_request_state *state,
krb5_keyblock *existing_key,
krb5_keyblock **out_key)
{
+ krb5_context context = state->realm_data->realm_context;
krb5_error_code retval = 0;
- kdc_realm_t *kdc_active_realm = state->realm_data;
if (state->armor_key)
- retval = krb5_c_fx_cf2_simple(kdc_context,
+ retval = krb5_c_fx_cf2_simple(context,
state->strengthen_key, "strengthenkey",
- existing_key,
- "replykey", out_key);
+ existing_key, "replykey", out_key);
else
- retval = krb5_copy_keyblock(kdc_context, existing_key, out_key);
+ retval = krb5_copy_keyblock(context, existing_key, out_key);
return retval;
}
diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index ce80ac3fe..1cded64d8 100644
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -459,18 +459,17 @@ copy_pac_buffer(krb5_context context, uint32_t buffer_type, krb5_pac old_pac,
* method can alter the auth indicator list.
*/
static krb5_error_code
-handle_pac(kdc_realm_t *kdc_active_realm, unsigned int flags,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_db_entry *subject_server, krb5_db_entry *local_tgt,
- krb5_keyblock *local_tgt_key, krb5_keyblock *server_key,
- krb5_keyblock *subject_key, krb5_keyblock *replaced_reply_key,
- krb5_enc_tkt_part *subject_tkt, krb5_pac subject_pac,
- krb5_kdc_req *req, krb5_const_principal altcprinc,
- krb5_timestamp authtime, krb5_enc_tkt_part *enc_tkt_reply,
- krb5_data ***auth_indicators)
+handle_pac(kdc_realm_t *realm, unsigned int flags, krb5_db_entry *client,
+ krb5_db_entry *server, krb5_db_entry *subject_server,
+ krb5_db_entry *local_tgt, krb5_keyblock *local_tgt_key,
+ krb5_keyblock *server_key, krb5_keyblock *subject_key,
+ krb5_keyblock *replaced_reply_key, krb5_enc_tkt_part *subject_tkt,
+ krb5_pac subject_pac, krb5_kdc_req *req,
+ krb5_const_principal altcprinc, krb5_timestamp authtime,
+ krb5_enc_tkt_part *enc_tkt_reply, krb5_data ***auth_indicators)
{
+ krb5_context context = realm->realm_context;
krb5_error_code ret;
- krb5_context context = kdc_context;
krb5_pac new_pac = NULL;
krb5_const_principal pac_client = NULL;
krb5_boolean with_realm, is_as_req = (req->msg_type == KRB5_AS_REQ);
@@ -485,7 +484,7 @@ handle_pac(kdc_realm_t *kdc_active_realm, unsigned int flags,
* or for an AS-REQ if the client requested not to get one, or for a
* TGS-REQ if the subject ticket didn't contain one.
*/
- if (kdc_active_realm->realm_disable_pac ||
+ if (realm->realm_disable_pac ||
(enc_tkt_reply->flags & TKT_FLG_ANONYMOUS) ||
(is_as_req && !include_pac_p(context, req)) ||
(!is_as_req && subject_pac == NULL)) {
@@ -570,20 +569,20 @@ cleanup:
}
krb5_error_code
-handle_authdata(kdc_realm_t *kdc_active_realm, unsigned int flags,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_db_entry *subject_server, krb5_db_entry *local_tgt,
- krb5_keyblock *local_tgt_key, krb5_keyblock *client_key,
- krb5_keyblock *server_key, krb5_keyblock *subject_key,
- krb5_keyblock *replaced_reply_key, krb5_data *req_pkt,
- krb5_kdc_req *req, krb5_const_principal altcprinc,
- krb5_pac subject_pac, krb5_enc_tkt_part *enc_tkt_req,
- krb5_data ***auth_indicators, krb5_enc_tkt_part *enc_tkt_reply)
+handle_authdata(kdc_realm_t *realm, unsigned int flags, krb5_db_entry *client,
+ krb5_db_entry *server, krb5_db_entry *subject_server,
+ krb5_db_entry *local_tgt, krb5_keyblock *local_tgt_key,
+ krb5_keyblock *client_key, krb5_keyblock *server_key,
+ krb5_keyblock *subject_key, krb5_keyblock *replaced_reply_key,
+ krb5_data *req_pkt, krb5_kdc_req *req,
+ krb5_const_principal altcprinc, krb5_pac subject_pac,
+ krb5_enc_tkt_part *enc_tkt_req, krb5_data ***auth_indicators,
+ krb5_enc_tkt_part *enc_tkt_reply)
{
+ krb5_context context = realm->realm_context;
kdcauthdata_handle *h;
krb5_error_code ret = 0;
size_t i;
- krb5_context context = kdc_active_realm->realm_context;
if (req->msg_type == KRB5_TGS_REQ &&
req->authorization_data.ciphertext.data != NULL) {
@@ -616,8 +615,8 @@ handle_authdata(kdc_realm_t *kdc_active_realm, unsigned int flags,
return ret;
}
- return handle_pac(kdc_active_realm, flags, client, server, subject_server,
- local_tgt, local_tgt_key, server_key, subject_key,
+ return handle_pac(realm, flags, client, server, subject_server, local_tgt,
+ local_tgt_key, server_key, subject_key,
replaced_reply_key, enc_tkt_req, subject_pac, req,
altcprinc, enc_tkt_reply->times.authtime, enc_tkt_reply,
auth_indicators);
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 5d3dfd86c..3752be6a4 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -873,7 +873,7 @@ cleanup:
struct hint_state {
kdc_hint_respond_fn respond;
void *arg;
- kdc_realm_t *realm;
+ krb5_context context;
krb5_kdcpreauth_rock rock;
krb5_kdc_req *request;
@@ -888,14 +888,14 @@ struct hint_state {
static void
hint_list_finish(struct hint_state *state, krb5_error_code code)
{
+ krb5_context context = state->context;
kdc_hint_respond_fn oldrespond = state->respond;
void *oldarg = state->arg;
- kdc_realm_t *kdc_active_realm = state->realm;
/* Add a freshness token if a preauth module requested it and the client
* request indicates support for it. */
if (!code)
- code = add_freshness_token(kdc_context, state->rock, &state->pa_data);
+ code = add_freshness_token(context, state->rock, &state->pa_data);
if (!code) {
if (state->pa_data == NULL) {
@@ -908,7 +908,7 @@ hint_list_finish(struct hint_state *state, krb5_error_code code)
state->pa_data = NULL;
}
- krb5_free_pa_data(kdc_context, state->pa_data);
+ krb5_free_pa_data(context, state->pa_data);
free(state);
(*oldrespond)(oldarg);
}
@@ -945,8 +945,8 @@ error:
static void
hint_list_next(struct hint_state *state)
{
+ krb5_context context = state->context;
preauth_system *ap = state->ap;
- kdc_realm_t *kdc_active_realm = state->realm;
if (ap->type == -1) {
hint_list_finish(state, 0);
@@ -960,7 +960,7 @@ hint_list_next(struct hint_state *state)
state->pa_type = ap->type;
if (ap->get_edata) {
- ap->get_edata(kdc_context, state->request, &callbacks, state->rock,
+ ap->get_edata(context, state->request, &callbacks, state->rock,
ap->moddata, ap->type, finish_get_edata, state);
} else
finish_get_edata(state, 0, NULL);
@@ -976,7 +976,7 @@ get_preauth_hint_list(krb5_kdc_req *request, krb5_kdcpreauth_rock rock,
krb5_pa_data ***e_data_out, kdc_hint_respond_fn respond,
void *arg)
{
- kdc_realm_t *kdc_active_realm = rock->rstate->realm_data;
+ krb5_context context = rock->rstate->realm_data->realm_context;
struct hint_state *state;
*e_data_out = NULL;
@@ -991,7 +991,7 @@ get_preauth_hint_list(krb5_kdc_req *request, krb5_kdcpreauth_rock rock,
state->arg = arg;
state->request = request;
state->rock = rock;
- state->realm = rock->rstate->realm_data;
+ state->context = context;
state->e_data_out = e_data_out;
state->pa_data = NULL;
state->ap = preauth_systems;
@@ -1000,7 +1000,7 @@ get_preauth_hint_list(krb5_kdc_req *request, krb5_kdcpreauth_rock rock,
if (k5_add_empty_pa_data(&state->pa_data, KRB5_PADATA_FX_FAST) != 0)
goto error;
- if (add_etype_info(kdc_context, rock, &state->pa_data) != 0)
+ if (add_etype_info(context, rock, &state->pa_data) != 0)
goto error;
hint_list_next(state);
@@ -1008,7 +1008,7 @@ get_preauth_hint_list(krb5_kdc_req *request, krb5_kdcpreauth_rock rock,
error:
if (state != NULL)
- krb5_free_pa_data(kdc_context, state->pa_data);
+ krb5_free_pa_data(context, state->pa_data);
free(state);
(*respond)(arg);
}
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 9f2a67d18..01a4fdb1b 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -68,8 +68,7 @@ const int vague_errors = 1;
const int vague_errors = 0;
#endif
-static krb5_error_code kdc_rd_ap_req(kdc_realm_t *kdc_active_realm,
- krb5_ap_req *apreq,
+static krb5_error_code kdc_rd_ap_req(kdc_realm_t *realm, krb5_ap_req *apreq,
krb5_auth_context auth_context,
krb5_db_entry **server,
krb5_keyblock **tgskey);
@@ -142,14 +141,13 @@ comp_cksum(krb5_context kcontext, krb5_data *source, krb5_ticket *ticket,
/* If a header ticket is decrypted, *ticket_out is filled in even on error. */
krb5_error_code
-kdc_process_tgs_req(kdc_realm_t *kdc_active_realm,
- krb5_kdc_req *request, const krb5_fulladdr *from,
- krb5_data *pkt, krb5_ticket **ticket_out,
- krb5_db_entry **krbtgt_ptr,
- krb5_keyblock **tgskey,
- krb5_keyblock **subkey,
+kdc_process_tgs_req(kdc_realm_t *realm, krb5_kdc_req *request,
+ const krb5_fulladdr *from, krb5_data *pkt,
+ krb5_ticket **ticket_out, krb5_db_entry **krbtgt_ptr,
+ krb5_keyblock **tgskey, krb5_keyblock **subkey,
krb5_pa_data **pa_tgs_req)
{
+ krb5_context context = realm->realm_context;
krb5_pa_data * tmppa;
krb5_ap_req * apreq;
krb5_error_code retval;
@@ -166,8 +164,7 @@ kdc_process_tgs_req(kdc_realm_t *kdc_active_realm,
*krbtgt_ptr = NULL;
*tgskey = NULL;
- tmppa = krb5int_find_pa_data(kdc_context,
- request->padata, KRB5_PADATA_AP_REQ);
+ tmppa = krb5int_find_pa_data(context, request->padata, KRB5_PADATA_AP_REQ);
if (!tmppa)
return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
@@ -184,44 +181,46 @@ kdc_process_tgs_req(kdc_realm_t *kdc_active_realm,
goto cleanup;
}
- if ((retval = krb5_auth_con_init(kdc_context, &auth_context)))
+ retval = krb5_auth_con_init(context, &auth_context);
+ if (retval)
goto cleanup;
/* Don't use a replay cache. */
- if ((retval = krb5_auth_con_setflags(kdc_context, auth_context, 0)))
+ retval = krb5_auth_con_setflags(context, auth_context, 0);
+ if (retval)
goto cleanup;
- if ((retval = krb5_auth_con_setaddrs(kdc_context, auth_context, NULL,
- from->address)) )
+ retval = krb5_auth_con_setaddrs(context, auth_context, NULL,
+ from->address);
+ if (retval)
goto cleanup_auth_context;
- retval = kdc_rd_ap_req(kdc_active_realm,
- apreq, auth_context, &krbtgt, tgskey);
+ retval = kdc_rd_ap_req(realm, apreq, auth_context, &krbtgt, tgskey);
if (retval)
goto cleanup_auth_context;
- if ((retval = krb5_auth_con_getrecvsubkey(kdc_context,
- auth_context, subkey)))
+ retval = krb5_auth_con_getrecvsubkey(context, auth_context, subkey);
+ if (retval)
goto cleanup_auth_context;
- if ((retval = krb5_auth_con_getauthenticator(kdc_context, auth_context,
- &authenticator)))
+ retval = krb5_auth_con_getauthenticator(context, auth_context,
+ &authenticator);
+ if (retval)
goto cleanup_auth_context;
- retval = krb5_find_authdata(kdc_context,
- ticket->enc_part2->authorization_data,
+ retval = krb5_find_authdata(context, ticket->enc_part2->authorization_data,
authenticator->authorization_data,
KRB5_AUTHDATA_FX_ARMOR, &authdata);
if (retval != 0)
goto cleanup_authenticator;
if (authdata&& authdata[0]) {
- k5_setmsg(kdc_context, KRB5KDC_ERR_POLICY,
+ k5_setmsg(context, KRB5KDC_ERR_POLICY,
"ticket valid only as FAST armor");
retval = KRB5KDC_ERR_POLICY;
- krb5_free_authdata(kdc_context, authdata);
+ krb5_free_authdata(context, authdata);
goto cleanup_authenticator;
}
- krb5_free_authdata(kdc_context, authdata);
+ krb5_free_authdata(context, authdata);
/* Check for a checksum */
@@ -240,10 +239,10 @@ kdc_process_tgs_req(kdc_realm_t *kdc_active_realm,
*/
if (pkt && (fetch_asn1_field((unsigned char *) pkt->data,
1, 4, &scratch1) >= 0)) {
- if (comp_cksum(kdc_context, &scratch1, ticket, his_cksum)) {
+ if (comp_cksum(context, &scratch1, ticket, his_cksum)) {
if (!(retval = encode_krb5_kdc_req_body(request, &scratch)))
- retval = comp_cksum(kdc_context, scratch, ticket, his_cksum);
- krb5_free_data(kdc_context, scratch);
+ retval = comp_cksum(context, scratch, ticket, his_cksum);
+ krb5_free_data(context, scratch);
if (retval)
goto cleanup_authenticator;
}
@@ -254,14 +253,14 @@ kdc_process_tgs_req(kdc_realm_t *kdc_active_realm,
krbtgt = NULL;
cleanup_authenticator:
- krb5_free_authenticator(kdc_context, authenticator);
+ krb5_free_authenticator(context, authenticator);
cleanup_auth_context:
- krb5_auth_con_free(kdc_context, auth_context);
+ krb5_auth_con_free(context, auth_context);
cleanup:
if (retval != 0) {
- krb5_free_keyblock(kdc_context, *tgskey);
+ krb5_free_keyblock(context, *tgskey);
*tgskey = NULL;
}
if (apreq->ticket->enc_part2 != NULL) {
@@ -269,8 +268,8 @@ cleanup:
*ticket_out = apreq->ticket;
apreq->ticket = NULL;
}
- krb5_free_ap_req(kdc_context, apreq);
- krb5_db_free_principal(kdc_context, krbtgt);
+ krb5_free_ap_req(context, apreq);
+ krb5_db_free_principal(context, krbtgt);
return retval;
}
@@ -287,10 +286,11 @@ cleanup:
*/
static
krb5_error_code
-kdc_rd_ap_req(kdc_realm_t *kdc_active_realm,
- krb5_ap_req *apreq, krb5_auth_context auth_context,
- krb5_db_entry **server, krb5_keyblock **tgskey)
+kdc_rd_ap_req(kdc_realm_t *realm, krb5_ap_req *apreq,
+ krb5_auth_context auth_context, krb5_db_entry **server,
+ krb5_keyblock **tgskey)
{
+ krb5_context context = realm->realm_context;
krb5_error_code retval;
krb5_enctype search_enctype = apreq->ticket->enc_part.enctype;
krb5_boolean match_enctype = 1;
@@ -309,7 +309,7 @@ kdc_rd_ap_req(kdc_realm_t *kdc_active_realm,
match_enctype = 0;
}
- retval = kdc_get_server_key(kdc_context, apreq->ticket, 0, match_enctype,
+ retval = kdc_get_server_key(context, apreq->ticket, 0, match_enctype,
server, NULL, NULL);
if (retval)
return retval;
@@ -317,22 +317,20 @@ kdc_rd_ap_req(kdc_realm_t *kdc_active_realm,
*tgskey = NULL;
kvno = apreq->ticket->enc_part.kvno;
do {
- krb5_free_keyblock(kdc_context, *tgskey);
- retval = find_server_key(kdc_context,
- *server, search_enctype, kvno, tgskey, &kvno);
+ krb5_free_keyblock(context, *tgskey);
+ retval = find_server_key(context, *server, search_enctype, kvno,
+ tgskey, &kvno);
if (retval)
continue;
/* Make the TGS key available to krb5_rd_req_decoded_anyflag() */
- retval = krb5_auth_con_setuseruserkey(kdc_context, auth_context,
- *tgskey);
+ retval = krb5_auth_con_setuseruserkey(context, auth_context, *tgskey);
if (retval)
return retval;
- retval = krb5_rd_req_decoded_anyflag(kdc_context, &auth_context, apreq,
+ retval = krb5_rd_req_decoded_anyflag(context, &auth_context, apreq,
apreq->ticket->server,
- kdc_active_realm->realm_keytab,
- NULL, NULL);
+ realm->realm_keytab, NULL, NULL);
/* If the ticket was decrypted, don't try any more keys. */
if (apreq->ticket->enc_part2 != NULL)
@@ -649,13 +647,12 @@ errcode_to_protocol(krb5_error_code code)
/* Return -1 if the AS or TGS request is disallowed due to KDC policy on
* anonymous tickets. */
int
-check_anon(kdc_realm_t *kdc_active_realm,
- krb5_principal client, krb5_principal server)
+check_anon(kdc_realm_t *realm, krb5_principal client, krb5_principal server)
{
/* If restrict_anon is set, reject requests from anonymous clients to
* server principals other than local TGTs. */
- if (kdc_active_realm->realm_restrict_anon &&
- krb5_principal_compare_any_realm(kdc_context, client,
+ if (realm->realm_restrict_anon &&
+ krb5_principal_compare_any_realm(realm->realm_context, client,
krb5_anonymous_principal()) &&
!is_local_tgs_principal(server))
return -1;
@@ -669,11 +666,12 @@ check_anon(kdc_realm_t *kdc_active_realm,
* as a com_err error number!
*/
int
-validate_as_request(kdc_realm_t *kdc_active_realm,
- krb5_kdc_req *request, krb5_db_entry *client,
- krb5_db_entry *server, krb5_timestamp kdc_time,
- const char **status, krb5_pa_data ***e_data)
+validate_as_request(kdc_realm_t *realm, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_timestamp kdc_time, const char **status,
+ krb5_pa_data ***e_data)
{
+ krb5_context context = realm->realm_context;
krb5_error_code ret;
/*
@@ -747,14 +745,14 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
return(KDC_ERR_MUST_USE_USER2USER);
}
- if (check_anon(kdc_active_realm, client->princ, request->server) != 0) {
+ if (check_anon(realm, client->princ, request->server) != 0) {
*status = "ANONYMOUS NOT ALLOWED";
return(KDC_ERR_POLICY);
}
/* Perform KDB module policy checks. */
- ret = krb5_db_check_policy_as(kdc_context, request, client, server,
- kdc_time, status, e_data);
+ ret = krb5_db_check_policy_as(context, request, client, server, kdc_time,
+ status, e_data);
if (ret && ret != KRB5_PLUGIN_OP_NOTSUPP)
return errcode_to_protocol(ret);
@@ -993,7 +991,7 @@ fetch_asn1_field(unsigned char *astream, unsigned int level,
/* Return true if we believe server can support enctype as a session key. */
static krb5_boolean
-dbentry_supports_enctype(kdc_realm_t *kdc_active_realm, krb5_db_entry *server,
+dbentry_supports_enctype(krb5_context context, krb5_db_entry *server,
krb5_enctype enctype)
{
krb5_error_code retval;
@@ -1004,12 +1002,11 @@ dbentry_supports_enctype(kdc_realm_t *kdc_active_realm, krb5_db_entry *server,
krb5_boolean in_list;
/* Look up the supported session key enctypes list in the KDB. */
- retval = krb5_dbe_get_string(kdc_context, server,
- KRB5_KDB_SK_SESSION_ENCTYPES,
+ retval = krb5_dbe_get_string(context, server, KRB5_KDB_SK_SESSION_ENCTYPES,
&etypes_str);
if (retval == 0 && etypes_str != NULL && *etypes_str != '\0') {
/* Pass a fake profile key for tracing of unrecognized tokens. */
- retval = krb5int_parse_enctype_list(kdc_context, "KDB-session_etypes",
+ retval = krb5int_parse_enctype_list(context, "KDB-session_etypes",
etypes_str, default_enctypes,
&etypes);
if (retval == 0 && etypes != NULL && etypes[0]) {
@@ -1024,7 +1021,7 @@ dbentry_supports_enctype(kdc_realm_t *kdc_active_realm, krb5_db_entry *server,
free(etypes);
/* Assume the server supports any enctype it has a long-term key for. */
- return !krb5_dbe_find_enctype(kdc_context, server, enctype, -1, 0, &datap);
+ return !krb5_dbe_find_enctype(context, server, enctype, -1, 0, &datap);
}
/*
@@ -1033,7 +1030,7 @@ dbentry_supports_enctype(kdc_realm_t *kdc_active_realm, krb5_db_entry *server,
* requested, and what the KDC and the application server can support.
*/
krb5_enctype
-select_session_keytype(kdc_realm_t *kdc_active_realm, krb5_db_entry *server,
+select_session_keytype(krb5_context context, krb5_db_entry *server,
int nktypes, krb5_enctype *ktype)
{
int i;
@@ -1042,10 +1039,10 @@ select_session_keytype(kdc_realm_t *kdc_active_realm, krb5_db_entry *server,
if (!krb5_c_valid_enctype(ktype[i]))
continue;
- if (!krb5_is_permitted_enctype(kdc_context, ktype[i]))
+ if (!krb5_is_permitted_enctype(context, ktype[i]))
continue;
- if (dbentry_supports_enctype(kdc_active_realm, server, ktype[i]))
+ if (dbentry_supports_enctype(context, server, ktype[i]))
return ktype[i];
}
@@ -1246,8 +1243,7 @@ verify_for_user_checksum(krb5_context context,
* Legacy protocol transition (Windows 2003 and above)
*/
static krb5_error_code
-kdc_process_for_user(kdc_realm_t *kdc_active_realm,
- krb5_pa_data *pa_data,
+kdc_process_for_user(krb5_context context, krb5_pa_data *pa_data,
krb5_keyblock *tgs_session,
krb5_pa_s4u_x509_user **s4u_x509_user,
const char **status)
@@ -1265,22 +1261,22 @@ kdc_process_for_user(kdc_realm_t *kdc_active_realm,
return code;
}
- code = verify_for_user_checksum(kdc_context, tgs_session, for_user);
+ code = verify_for_user_checksum(context, tgs_session, for_user);
if (code) {
*status = "INVALID_S4U2SELF_CHECKSUM";
- krb5_free_pa_for_user(kdc_context, for_user);
+ krb5_free_pa_for_user(context, for_user);
return code;
}
*s4u_x509_user = calloc(1, sizeof(krb5_pa_s4u_x509_user));
if (*s4u_x509_user == NULL) {
- krb5_free_pa_for_user(kdc_context, for_user);
+ krb5_free_pa_for_user(context, for_user);
return ENOMEM;
}
(*s4u_x509_user)->user_id.user = for_user->user;
for_user->user = NULL;
- krb5_free_pa_for_user(kdc_context, for_user);
+ krb5_free_pa_for_user(context, for_user);
return 0;
}
@@ -1496,14 +1492,11 @@ is_client_db_alias(krb5_context context, const krb5_db_entry *entry,
* local, look up the client and set *princ_ptr to its DB entry.
*/
krb5_error_code
-kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
- krb5_kdc_req *request,
+kdc_process_s4u2self_req(krb5_context context, krb5_kdc_req *request,
const krb5_db_entry *server,
- krb5_keyblock *tgs_subkey,
- krb5_keyblock *tgs_session,
+ krb5_keyblock *tgs_subkey, krb5_keyblock *tgs_session,
krb5_pa_s4u_x509_user **s4u_x509_user,
- krb5_db_entry **princ_ptr,
- const char **status)
+ krb5_db_entry **princ_ptr, const char **status)
{
krb5_error_code code;
krb5_pa_data *pa_data;
@@ -1512,27 +1505,19 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
*princ_ptr = NULL;
- pa_data = krb5int_find_pa_data(kdc_context,
- request->padata, KRB5_PADATA_S4U_X509_USER);
+ pa_data = krb5int_find_pa_data(context, request->padata,
+ KRB5_PADATA_S4U_X509_USER);
if (pa_data != NULL) {
- code = kdc_process_s4u_x509_user(kdc_context,
- request,
- pa_data,
- tgs_subkey,
- tgs_session,
- s4u_x509_user,
- status);
+ code = kdc_process_s4u_x509_user(context, request, pa_data, tgs_subkey,
+ tgs_session, s4u_x509_user, status);
if (code != 0)
return code;
} else {
- pa_data = krb5int_find_pa_data(kdc_context,
- request->padata, KRB5_PADATA_FOR_USER);
+ pa_data = krb5int_find_pa_data(context, request->padata,
+ KRB5_PADATA_FOR_USER);
if (pa_data != NULL) {
- code = kdc_process_for_user(kdc_active_realm,
- pa_data,
- tgs_session,
- s4u_x509_user,
- status);
+ code = kdc_process_for_user(context, pa_data, tgs_session,
+ s4u_x509_user, status);
if (code != 0)
return code;
} else
@@ -1542,17 +1527,16 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
if (data_eq(server->princ->realm, id->user->realm)) {
if (id->subject_cert.length != 0) {
- code = krb5_db_get_s4u_x509_principal(kdc_context,
+ code = krb5_db_get_s4u_x509_principal(context,
&id->subject_cert, id->user,
KRB5_KDB_FLAG_CLIENT,
&princ);
if (code == 0 && id->user->length == 0) {
- krb5_free_principal(kdc_context, id->user);
- code = krb5_copy_principal(kdc_context, princ->princ,
- &id->user);
+ krb5_free_principal(context, id->user);
+ code = krb5_copy_principal(context, princ->princ, &id->user);
}
} else {
- code = krb5_db_get_principal(kdc_context, id->user,
+ code = krb5_db_get_principal(context, id->user,
KRB5_KDB_FLAG_CLIENT, &princ);
}
if (code == KRB5_KDB_NOENTRY) {
@@ -1604,7 +1588,7 @@ s4u2self_forwardable(krb5_context context, krb5_db_entry *server,
* supplied one; it must do so for a cross-realm request to be authorized.
*/
krb5_error_code
-kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm, unsigned int flags,
+kdc_process_s4u2proxy_req(krb5_context context, unsigned int flags,
krb5_kdc_req *request, krb5_pac header_pac,
const krb5_enc_tkt_part *t2enc, krb5_pac t2_pac,
const krb5_db_entry *server,
@@ -1621,14 +1605,14 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm, unsigned int flags,
*stkt_pac_client = NULL;
/* Check if the client supports resource-based constrained delegation. */
- errcode = kdc_get_pa_pac_rbcd(kdc_context, request->padata, &support_rbcd);
+ errcode = kdc_get_pa_pac_rbcd(context, request->padata, &support_rbcd);
if (errcode)
return errcode;
/* For an RBCD final request, recover the reply ticket client name from
* the evidence ticket PAC. */
if (flags & KRB5_KDB_FLAG_CROSS_REALM) {
- if (get_pac_princ_with_realm(kdc_context, t2_pac, &t2_pac_princ,
+ if (get_pac_princ_with_realm(context, t2_pac, &t2_pac_princ,
NULL) != 0) {
*status = "RBCD_PAC_PRINC";
errcode = KRB5KDC_ERR_BADOPTION;
@@ -1638,9 +1622,9 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm, unsigned int flags,
}
/* If both are in the same realm, try allowed_to_delegate first. */
- if (krb5_realm_compare(kdc_context, server->princ, request->server)) {
+ if (krb5_realm_compare(context, server->princ, request->server)) {
- errcode = krb5_db_check_allowed_to_delegate(kdc_context, client_princ,
+ errcode = krb5_db_check_allowed_to_delegate(context, client_princ,
server, request->server);
if (errcode != KRB5KDC_ERR_BADOPTION &&
errcode != KRB5_PLUGIN_OP_NOTSUPP)
@@ -1662,7 +1646,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm, unsigned int flags,
goto done;
}
- errcode = krb5_db_allowed_to_delegate_from(kdc_context, client_princ,
+ errcode = krb5_db_allowed_to_delegate_from(context, client_princ,
server_princ, header_pac,
proxy);
if (errcode == KRB5_PLUGIN_OP_NOTSUPP) {
@@ -1678,26 +1662,24 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm, unsigned int flags,
t2_pac_princ = NULL;
done:
- krb5_free_principal(kdc_context, t2_pac_princ);
+ krb5_free_principal(context, t2_pac_princ);
return errcode;
}
krb5_error_code
-kdc_check_transited_list(kdc_realm_t *kdc_active_realm,
- const krb5_data *trans,
- const krb5_data *realm1,
- const krb5_data *realm2)
+kdc_check_transited_list(krb5_context context, const krb5_data *trans,
+ const krb5_data *realm1, const krb5_data *realm2)
{
krb5_error_code code;
/* Check against the KDB module. Treat this answer as authoritative if the
* method is supported and doesn't explicitly pass control. */
- code = krb5_db_check_transited_realms(kdc_context, trans, realm1, realm2);
+ code = krb5_db_check_transited_realms(context, trans, realm1, realm2);
if (code != KRB5_PLUGIN_OP_NOTSUPP && code != KRB5_PLUGIN_NO_HANDLE)
return code;
/* Check using krb5.conf [capaths] or hierarchical relationships. */
- return krb5_check_transited_list(kdc_context, trans, realm1, realm2);
+ return krb5_check_transited_list(context, trans, realm1, realm2);
}
krb5_boolean
@@ -1715,12 +1697,9 @@ enctype_requires_etype_info_2(krb5_enctype enctype)
}
void
-kdc_get_ticket_endtime(kdc_realm_t *kdc_active_realm,
- krb5_timestamp starttime,
- krb5_timestamp endtime,
- krb5_timestamp till,
- krb5_db_entry *client,
- krb5_db_entry *server,
+kdc_get_ticket_endtime(kdc_realm_t *realm, krb5_timestamp starttime,
+ krb5_timestamp endtime, krb5_timestamp till,
+ krb5_db_entry *client, krb5_db_entry *server,
krb5_timestamp *out_endtime)
{
krb5_timestamp until;
@@ -1741,8 +1720,8 @@ kdc_get_ticket_endtime(kdc_realm_t *kdc_active_realm,
life = min(life, client->max_life);
if (server->max_life != 0)
life = min(life, server->max_life);
- if (kdc_active_realm->realm_maxlife != 0)
- life = min(life, kdc_active_realm->realm_maxlife);
+ if (realm->realm_maxlife != 0)
+ life = min(life, realm->realm_maxlife);
*out_endtime = ts_incr(starttime, life);
}
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index 4aa8e7e42..070a27a0e 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -84,9 +84,8 @@ validate_as_request (kdc_realm_t *, krb5_kdc_req *, krb5_db_entry *,
const char **, krb5_pa_data ***);
int
-validate_tgs_request(kdc_realm_t *kdc_active_realm,
- krb5_kdc_req *request, krb5_db_entry *server,
- krb5_ticket *ticket, krb5_pac pac,
+validate_tgs_request(kdc_realm_t *realm, krb5_kdc_req *request,
+ krb5_db_entry *server, krb5_ticket *ticket, krb5_pac pac,
const krb5_ticket *stkt, krb5_pac stkt_pac,
krb5_db_entry *stkt_server, krb5_timestamp kdc_time,
krb5_pa_s4u_x509_user *s4u_x509_user,
@@ -106,10 +105,8 @@ int
fetch_asn1_field (unsigned char *, unsigned int, unsigned int, krb5_data *);
krb5_enctype
-select_session_keytype (kdc_realm_t *kdc_active_realm,
- krb5_db_entry *server,
- int nktypes,
- krb5_enctype *ktypes);
+select_session_keytype (krb5_context context, krb5_db_entry *server,
+ int nktypes, krb5_enctype *ktypes);
void limit_string (char *name);
@@ -226,24 +223,16 @@ get_auth_indicators(krb5_context context, krb5_enc_tkt_part *enc_tkt,
krb5_data ***indicators_out);
krb5_error_code
-handle_authdata (kdc_realm_t *kdc_active_realm,
- unsigned int flags,
- krb5_db_entry *client,
- krb5_db_entry *server,
- krb5_db_entry *subject_server,
- krb5_db_entry *local_tgt,
- krb5_keyblock *local_tgt_key,
- krb5_keyblock *client_key,
- krb5_keyblock *server_key,
- krb5_keyblock *header_key,
- krb5_keyblock *replaced_reply_key,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_const_principal altcprinc,
- krb5_pac subject_pac,
- krb5_enc_tkt_part *enc_tkt_request,
- krb5_data ***auth_indicators,
- krb5_enc_tkt_part *enc_tkt_reply);
+handle_authdata(kdc_realm_t *realm, unsigned int flags, krb5_db_entry *client,
+ krb5_db_entry *server, krb5_db_entry *subject_server,
+ krb5_db_entry *local_tgt, krb5_keyblock *local_tgt_key,
+ krb5_keyblock *client_key, krb5_keyblock *server_key,
+ krb5_keyblock *header_key, krb5_keyblock *replaced_reply_key,
+ krb5_data *req_pkt, krb5_kdc_req *request,
+ krb5_const_principal altcprinc, krb5_pac subject_pac,
+ krb5_enc_tkt_part *enc_tkt_request,
+ krb5_data ***auth_indicators,
+ krb5_enc_tkt_part *enc_tkt_reply);
/* replay.c */
krb5_error_code kdc_init_lookaside(krb5_context context);
@@ -278,14 +267,11 @@ return_enc_padata(krb5_context context,
krb5_boolean is_referral);
krb5_error_code
-kdc_process_s4u2self_req (kdc_realm_t *kdc_active_realm,
- krb5_kdc_req *request,
- const krb5_db_entry *server,
- krb5_keyblock *tgs_subkey,
- krb5_keyblock *tgs_session,
- krb5_pa_s4u_x509_user **s4u2self_req,
- krb5_db_entry **princ_ptr,
- const char **status);
+kdc_process_s4u2self_req(krb5_context context, krb5_kdc_req *request,
+ const krb5_db_entry *server,
+ krb5_keyblock *tgs_subkey, krb5_keyblock *tgs_session,
+ krb5_pa_s4u_x509_user **s4u2self_req,
+ krb5_db_entry **princ_ptr, const char **status);
krb5_error_code
s4u2self_forwardable(krb5_context context, krb5_db_entry *server,
@@ -300,7 +286,7 @@ kdc_make_s4u2self_rep (krb5_context context,
krb5_enc_kdc_rep_part *reply_encpart);
krb5_error_code
-kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm, unsigned int flags,
+kdc_process_s4u2proxy_req(krb5_context context, unsigned int flags,
krb5_kdc_req *request, krb5_pac header_pac,
const krb5_enc_tkt_part *t2enc, krb5_pac t2_pac,
const krb5_db_entry *server,
@@ -311,18 +297,13 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm, unsigned int flags,
const char **status);
krb5_error_code
-kdc_check_transited_list (kdc_realm_t *kdc_active_realm,
- const krb5_data *trans,
- const krb5_data *realm1,
- const krb5_data *realm2);
+kdc_check_transited_list(krb5_context context, const krb5_data *trans,
+ const krb5_data *realm1, const krb5_data *realm2);
void
-kdc_get_ticket_endtime(kdc_realm_t *kdc_active_realm,
- krb5_timestamp now,
- krb5_timestamp endtime,
- krb5_timestamp till,
- krb5_db_entry *client,
- krb5_db_entry *server,
+kdc_get_ticket_endtime(kdc_realm_t *realm, krb5_timestamp now,
+ krb5_timestamp endtime, krb5_timestamp till,
+ krb5_db_entry *client, krb5_db_entry *server,
krb5_timestamp *out_endtime);
void
@@ -545,8 +526,8 @@ struct krb5_kdcpreauth_rock_st {
/* Copy appropriate header ticket flags to new ticket. */
#define COPY_TKT_FLAGS(x) (x & TGS_COPIED_FLAGS_MASK)
-int check_anon(kdc_realm_t *kdc_active_realm,
- krb5_principal client, krb5_principal server);
+int check_anon(kdc_realm_t *realm, krb5_principal client,
+ krb5_principal server);
int errcode_to_protocol(krb5_error_code code);
char *data2string(krb5_data *d);
diff --git a/src/kdc/realm_data.h b/src/kdc/realm_data.h
index 2d669154f..68eed771d 100644
--- a/src/kdc/realm_data.h
+++ b/src/kdc/realm_data.h
@@ -85,12 +85,4 @@ struct server_handle {
kdc_realm_t *find_realm_data(struct server_handle *, char *, krb5_ui_4);
kdc_realm_t *setup_server_realm(struct server_handle *, krb5_principal);
-/*
- * These macros used to refer to a global pointer to the active realm state
- * structure for a request. They now refer to a local variable that must be
- * properly declared in each function that uses these macros.
- */
-#define kdc_context kdc_active_realm->realm_context
-#define tgs_server kdc_active_realm->realm_tgsprinc
-
#endif /* REALM_DATA_H */
diff --git a/src/kdc/tgs_policy.c b/src/kdc/tgs_policy.c
index f33ad504f..dfa836a13 100644
--- a/src/kdc/tgs_policy.c
+++ b/src/kdc/tgs_policy.c
@@ -259,18 +259,19 @@ check_tgs_lineage(krb5_db_entry *server, krb5_ticket *tkt,
}
static int
-check_tgs_s4u2self(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
+check_tgs_s4u2self(kdc_realm_t *realm, krb5_kdc_req *req,
krb5_db_entry *server, krb5_ticket *tkt, krb5_pac pac,
krb5_timestamp kdc_time,
krb5_pa_s4u_x509_user *s4u_x509_user, krb5_db_entry *client,
krb5_boolean is_crossrealm, krb5_boolean is_referral,
const char **status, krb5_pa_data ***e_data)
{
+ krb5_context context = realm->realm_context;
krb5_db_entry empty_server = { 0 };
/* If the server is local, check that the request is for self. */
if (!is_referral &&
- !is_client_db_alias(kdc_context, server, tkt->enc_part2->client)) {
+ !is_client_db_alias(context, server, tkt->enc_part2->client)) {
*status = "INVALID_S4U2SELF_REQUEST_SERVER_MISMATCH";
return KRB_AP_ERR_BADMATCH;
}
@@ -333,7 +334,7 @@ check_tgs_s4u2self(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
if (client != NULL) {
/* The header ticket PAC must be for the impersonator. */
- if (krb5_pac_verify(kdc_context, pac, tkt->enc_part2->times.authtime,
+ if (krb5_pac_verify(context, pac, tkt->enc_part2->times.authtime,
tkt->enc_part2->client, NULL, NULL) != 0) {
*status = "S4U2SELF_LOCAL_PAC_CLIENT";
return KDC_ERR_BADOPTION;
@@ -341,12 +342,11 @@ check_tgs_s4u2self(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
/* Validate the client policy. Use an empty server principal to bypass
* server policy checks. */
- return validate_as_request(kdc_active_realm, req, client,
- &empty_server, kdc_time, status, e_data);
+ return validate_as_request(realm, req, client, &empty_server, kdc_time,
+ status, e_data);
} else {
/* The header ticket PAC must be for the subject, with realm. */
- if (krb5_pac_verify_ext(kdc_context, pac,
- tkt->enc_part2->times.authtime,
+ if (krb5_pac_verify_ext(context, pac, tkt->enc_part2->times.authtime,
s4u_x509_user->user_id.user, NULL, NULL,
TRUE) != 0) {
*status = "S4U2SELF_FOREIGN_PAC_CLIENT";
@@ -421,7 +421,7 @@ cleanup:
}
static int
-check_tgs_s4u2proxy(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
+check_tgs_s4u2proxy(krb5_context context, krb5_kdc_req *req,
krb5_db_entry *server, krb5_ticket *tkt, krb5_pac pac,
const krb5_ticket *stkt, krb5_pac stkt_pac,
krb5_db_entry *stkt_server, krb5_boolean is_crossrealm,
@@ -455,7 +455,7 @@ check_tgs_s4u2proxy(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
*status = "S4U2PROXY_NO_HEADER_PAC";
return KDC_ERR_TGT_REVOKED;
}
- if (krb5_pac_verify(kdc_context, pac, tkt->enc_part2->times.authtime,
+ if (krb5_pac_verify(context, pac, tkt->enc_part2->times.authtime,
tkt->enc_part2->client, NULL, NULL) != 0) {
*status = "S4U2PROXY_HEADER_PAC";
return KDC_ERR_BADOPTION;
@@ -475,7 +475,7 @@ check_tgs_s4u2proxy(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
if (!is_crossrealm) {
/* For an initial or same-realm request, the second ticket server and
* header ticket client must be the same principal. */
- if (!is_client_db_alias(kdc_context, stkt_server,
+ if (!is_client_db_alias(context, stkt_server,
tkt->enc_part2->client)) {
*status = "EVIDENCE_TICKET_MISMATCH";
return KDC_ERR_SERVER_NOMATCH;
@@ -483,8 +483,7 @@ check_tgs_s4u2proxy(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
/* The second ticket client and PAC client are the subject, and must
* match. */
- if (krb5_pac_verify(kdc_context, stkt_pac,
- stkt->enc_part2->times.authtime,
+ if (krb5_pac_verify(context, stkt_pac, stkt->enc_part2->times.authtime,
stkt->enc_part2->client, NULL, NULL) != 0) {
*status = "S4U2PROXY_LOCAL_STKT_PAC";
return KDC_ERR_BADOPTION;
@@ -499,7 +498,7 @@ check_tgs_s4u2proxy(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
*/
if (is_referral || !is_cross_tgs_principal(stkt_server->princ) ||
!data_eq(stkt_server->princ->data[1], server->princ->realm) ||
- !krb5_principal_compare(kdc_context, stkt->enc_part2->client,
+ !krb5_principal_compare(context, stkt->enc_part2->client,
tkt->enc_part2->client)) {
*status = "XREALM_EVIDENCE_TICKET_MISMATCH";
return KDC_ERR_BADOPTION;
@@ -508,7 +507,7 @@ check_tgs_s4u2proxy(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
/* The second ticket PAC must be present and for the impersonated
* client, with delegation info. */
if (stkt_pac == NULL ||
- verify_deleg_pac(kdc_context, stkt_pac, stkt->enc_part2,
+ verify_deleg_pac(context, stkt_pac, stkt->enc_part2,
req->server) != 0) {
*status = "S4U2PROXY_CROSS_STKT_PAC";
return KDC_ERR_BADOPTION;
@@ -519,9 +518,8 @@ check_tgs_s4u2proxy(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
}
static int
-check_tgs_u2u(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
- const krb5_ticket *stkt, krb5_db_entry *server,
- const char **status)
+check_tgs_u2u(krb5_context context, krb5_kdc_req *req, const krb5_ticket *stkt,
+ krb5_db_entry *server, const char **status)
{
/* A second ticket must be present in the request. */
if (stkt == NULL) {
@@ -537,7 +535,7 @@ check_tgs_u2u(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
}
/* The second ticket client must match the requested server. */
- if (!is_client_db_alias(kdc_context, server, stkt->enc_part2->client)) {
+ if (!is_client_db_alias(context, server, stkt->enc_part2->client)) {
*status = "2ND_TKT_MISMATCH";
return KDC_ERR_SERVER_NOMATCH;
}
@@ -577,10 +575,10 @@ check_normal_tgs_pac(krb5_context context, krb5_enc_tkt_part *enc_tkt,
* matches requested service principal)
*/
static int
-check_tgs_nontgt(kdc_realm_t *kdc_active_realm,
- krb5_kdc_req *req, krb5_ticket *tkt, const char **status)
+check_tgs_nontgt(krb5_context context, krb5_kdc_req *req, krb5_ticket *tkt,
+ const char **status)
{
- if (!krb5_principal_compare(kdc_context, tkt->server, req->server)) {
+ if (!krb5_principal_compare(context, tkt->server, req->server)) {
*status = "SERVER DIDN'T MATCH TICKET FOR RENEW/FORWARD/ETC";
return KDC_ERR_SERVER_NOMATCH;
}
@@ -598,8 +596,7 @@ check_tgs_nontgt(kdc_realm_t *kdc_active_realm,
* principal).
*/
static int
-check_tgs_tgt(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
- krb5_ticket *tkt, const char **status)
+check_tgs_tgt(krb5_kdc_req *req, krb5_ticket *tkt, const char **status)
{
/* Make sure it's a TGS principal. */
if (!krb5_is_tgs_principal(tkt->server)) {
@@ -607,8 +604,7 @@ check_tgs_tgt(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
return KRB_AP_ERR_NOT_US;
}
/* TGS principal second component must match service realm. */
- if (!data_eq(*krb5_princ_component(kdc_context, tkt->server, 1),
- *krb5_princ_realm(kdc_context, req->server))) {
+ if (!data_eq(tkt->server->data[1], req->server->realm)) {
*status = "BAD TGS SERVER INSTANCE";
return KRB_AP_ERR_NOT_US;
}
@@ -616,9 +612,8 @@ check_tgs_tgt(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
}
int
-validate_tgs_request(kdc_realm_t *kdc_active_realm,
- krb5_kdc_req *request, krb5_db_entry *server,
- krb5_ticket *ticket, krb5_pac pac,
+validate_tgs_request(kdc_realm_t *realm, krb5_kdc_req *request,
+ krb5_db_entry *server, krb5_ticket *ticket, krb5_pac pac,
const krb5_ticket *stkt, krb5_pac stkt_pac,
krb5_db_entry *stkt_server, krb5_timestamp kdc_time,
krb5_pa_s4u_x509_user *s4u_x509_user,
@@ -626,6 +621,7 @@ validate_tgs_request(kdc_realm_t *kdc_active_realm,
krb5_boolean is_crossrealm, krb5_boolean is_referral,
const char **status, krb5_pa_data ***e_data)
{
+ krb5_context context = realm->realm_context;
int errcode;
krb5_error_code ret;
@@ -645,9 +641,9 @@ validate_tgs_request(kdc_realm_t *kdc_active_realm,
return errcode;
if (request->kdc_options & NON_TGT_OPTION)
- errcode = check_tgs_nontgt(kdc_active_realm, request, ticket, status);
+ errcode = check_tgs_nontgt(context, request, ticket, status);
else
- errcode = check_tgs_tgt(kdc_active_realm, request, ticket, status);
+ errcode = check_tgs_tgt(request, ticket, status);
if (errcode != 0)
return errcode;
@@ -658,10 +654,10 @@ validate_tgs_request(kdc_realm_t *kdc_active_realm,
}
if (s4u_x509_user != NULL) {
- errcode = check_tgs_s4u2self(kdc_active_realm, request, server, ticket,
- pac, kdc_time, s4u_x509_user,
- s4u2self_client, is_crossrealm,
- is_referral, status, e_data);
+ errcode = check_tgs_s4u2self(realm, request, server, ticket, pac,
+ kdc_time, s4u_x509_user, s4u2self_client,
+ is_crossrealm, is_referral, status,
+ e_data);
} else {
errcode = check_tgs_lineage(server, ticket, is_crossrealm, status);
}
@@ -669,34 +665,32 @@ validate_tgs_request(kdc_realm_t *kdc_active_realm,
return errcode;
if (request->kdc_options & KDC_OPT_ENC_TKT_IN_SKEY) {
- errcode = check_tgs_u2u(kdc_active_realm, request, stkt, server,
- status);
+ errcode = check_tgs_u2u(context, request, stkt, server, status);
if (errcode != 0)
return errcode;
}
if (request->kdc_options & KDC_OPT_CNAME_IN_ADDL_TKT) {
- errcode = check_tgs_s4u2proxy(kdc_active_realm, request, server,
- ticket, pac, stkt, stkt_pac, stkt_server,
+ errcode = check_tgs_s4u2proxy(context, request, server, ticket, pac,
+ stkt, stkt_pac, stkt_server,
is_crossrealm, is_referral, status);
if (errcode != 0)
return errcode;
} else if (s4u_x509_user == NULL) {
- errcode = check_normal_tgs_pac(kdc_context, ticket->enc_part2, pac,
- server, is_crossrealm, status);
+ errcode = check_normal_tgs_pac(context, ticket->enc_part2, pac, server,
+ is_crossrealm, status);
if (errcode != 0)
return errcode;
}
- if (check_anon(kdc_active_realm, ticket->enc_part2->client,
- request->server) != 0) {
+ if (check_anon(realm, ticket->enc_part2->client, request->server) != 0) {
*status = "ANONYMOUS NOT ALLOWED";
return(KDC_ERR_POLICY);
}
/* Perform KDB module policy checks. */
- ret = krb5_db_check_policy_tgs(kdc_context, request, server, ticket,
- status, e_data);
+ ret = krb5_db_check_policy_tgs(context, request, server, ticket, status,
+ e_data);
if (ret && ret != KRB5_PLUGIN_OP_NOTSUPP)
return errcode_to_protocol(ret);
More information about the cvs-krb5
mailing list