krb5_flags *,
krb5_ticket **);
-#define RD_REQ_CHECK_VALID_FLAG 0x1
-
-krb5_error_code KRB5_CALLCONV krb5_rd_req_extended
- (krb5_context,
- krb5_auth_context *,
- const krb5_data *,
- krb5_const_principal,
- krb5_keytab,
- krb5_flags,
- krb5_flags *,
- krb5_ticket **,
- krb5_authdata_context *);
-
krb5_error_code KRB5_CALLCONV krb5_cc_register
(krb5_context,
const krb5_cc_ops *,
krb5_auth_context,
krb5_enctype *);
+krb5_error_code
+krb5_auth_con_get_authdata_context
+ (krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_authdata_context *ad_context);
+
+krb5_error_code
+krb5_auth_con_set_authdata_context
+ (krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_authdata_context ad_context);
+
krb5_error_code KRB5_CALLCONV
krb5int_server_decrypt_ticket_keyblock
(krb5_context context,
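Review bot: The two new prototypes in this hunk, `krb5_auth_con_get_authdata_context` and `krb5_auth_con_set_authdata_context`, are declared as plain `krb5_error_code` without `KRB5_CALLCONV`, while their definitions in auth_con.c in this same commit carry `KRB5_CALLCONV` and every neighbouring declaration here (`krb5_error_code KRB5_CALLCONV krb5_cc_register`, `krb5_error_code KRB5_CALLCONV krb5int_server_decrypt_ticket_keyblock`) uses it. On targets where KRB5_CALLCONV expands to an explicit calling convention, a prototype/definition mismatch is a compile error, and elsewhere the two exported symbols would silently differ from the rest of the public API. Change both declarations to `krb5_error_code KRB5_CALLCONV` and add a short comment above them stating that the auth context owns the stored authdata context (it is released by krb5_auth_con_free) and that the getter returns a borrowed pointer, not a copy.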
goto fail;
}
- if ((code = krb5_rd_req_extended(context, &auth_context, &ap_req,
- cred->name->princ,
- cred->keytab, RD_REQ_CHECK_VALID_FLAG,
- &ap_req_options,
- &ticket, &ad_context))) {
+ if ((code = krb5_rd_req(context, &auth_context, &ap_req,
+ cred->name->princ,
+ cred->keytab,
+ &ap_req_options,
+ &ticket))) {
major_status = GSS_S_FAILURE;
goto fail;
}
major_status = GSS_S_FAILURE;
goto fail;
}
-
+ if ((code = krb5_auth_con_get_authdata_context(context, auth_context,
+ &ad_context))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
if ((code = kg_init_name(context, authdat->client,
- ad_context, KG_INIT_NAME_NO_COPY, &ctx->there))) {
+ ad_context, 0, &ctx->there))) {
major_status = GSS_S_FAILURE;
goto fail;
}
authdat->client = NULL;
- ad_context = NULL;
if ((code = krb5_auth_con_getrecvsubkey(context, auth_context,
&ctx->subkey))) {
if (!verifier_cred_handle && cred_handle) {
krb5_gss_release_cred(&tmp_minor_status, &cred_handle);
}
- if (ad_context)
- krb5_authdata_context_free(context, ad_context);
if (context) {
if (major_status && *minor_status)
save_error_info(*minor_status, context);
if (ctx->authdata)
krb5_free_authdata(context, ctx->authdata);
- if (ctx->ad_context)
- krb5_authdata_context_free(context, ctx->ad_context);
-
if (ctx->k5_context)
krb5_free_context(ctx->k5_context);
krb5_cksumtype acceptor_subkey_cksumtype;
int cred_rcache; /* did we get rcache from creds? */
krb5_authdata **authdata;
- krb5_authdata_context ad_context;
} krb5_gss_ctx_id_rec, *krb5_gss_ctx_id_t;
extern g_set kg_vdb;
krb5_rc_close(context, auth_context->rcache);
if (auth_context->permitted_etypes)
free(auth_context->permitted_etypes);
+ if (auth_context->ad_context)
+ krb5_authdata_context_free(context, auth_context->ad_context);
free(auth_context);
return 0;
}
return 0;
}
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_get_authdata_context(krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_authdata_context *ad_context)
+{
+ *ad_context = auth_context->ad_context;
+ return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_set_authdata_context(krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_authdata_context ad_context)
+{
+ auth_context->ad_context = ad_context;
+ return 0;
+}
+
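Review bot: `krb5_auth_con_set_authdata_context` overwrites `auth_context->ad_context` without releasing the previous value, and because `krb5_auth_con_free` in this commit now frees whatever is stored there, the setter also silently transfers ownership of the caller's context; neither behaviour is documented. A caller that installs a context after krb5_rd_req has populated the slot leaks the verified one, and a caller that frees its own context after installing it gets a double free when the auth context is released. Suggest `if (auth_context->ad_context != NULL && auth_context->ad_context != ad_context) krb5_authdata_context_free(context, auth_context->ad_context);` before the assignment, plus a comment on both functions saying the auth context owns the stored pointer, that the getter returns a borrowed reference, and that it is only meaningful after a successful krb5_rd_req with the valid-flag check (the rd_req_decoded_anyflag path in this commit never touches the slot, so a stale context from an earlier AP-REQ can be returned). Neither function checks `auth_context` for NULL; if the sibling krb5_auth_con_* accessors in this file don't either that is consistent, otherwise add the check.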
krb5_mk_req_checksum_func checksum_func;
void *checksum_func_data;
krb5_enctype negotiated_etype;
+ krb5_authdata_context ad_context;
};
krb5_creds *in_cred, krb5_creds **out_cred,
krb5_creds ***tgts, int kdcopt);
-krb5_error_code
-krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
- const krb5_ap_req *req, krb5_const_principal server,
- krb5_keytab keytab, krb5_flags flags,
- krb5_flags *ap_req_options, krb5_ticket **ticket,
- krb5_authdata_context *ad_context);
-
#define in_clock_skew(date, now) (labs((date)-(now)) < context->clockskew)
#define IS_TGS_PRINC(c, p) \
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_rd_req()
*/
#include "k5-int.h"
#include "auth_con.h"
-#include "int-proto.h"
/*
* Parses a KRB_AP_REQ message, returning its contents.
- *
+ *
* server specifies the expected server's name for the ticket.
- *
+ *
* keyproc specifies a procedure to generate a decryption key for the
* ticket. If keyproc is non-NULL, keyprocarg is passed to it, and the result
* used as a decryption key. If keyproc is NULL, then fetchfrom is checked;
* if it is non-NULL, it specifies a parameter name from which to retrieve the
* decryption key. If fetchfrom is NULL, then the default key store is
* consulted.
- *
+ *
* returns system errors, encryption errors, replay errors
*/
krb5_error_code KRB5_CALLCONV
-krb5_rd_req_extended(krb5_context context, krb5_auth_context *auth_context,
- const krb5_data *inbuf, krb5_const_principal server,
- krb5_keytab keytab, krb5_flags flags,
- krb5_flags *ap_req_options, krb5_ticket **ticket,
- krb5_authdata_context *ad_context)
+krb5_rd_req(krb5_context context, krb5_auth_context *auth_context,
+ const krb5_data *inbuf, krb5_const_principal server,
+ krb5_keytab keytab, krb5_flags *ap_req_options,
+ krb5_ticket **ticket)
{
krb5_error_code retval;
krb5_ap_req * request;
krb5_auth_context new_auth_context;
krb5_keytab new_keytab = NULL;
- if (ad_context != NULL)
- *ad_context = NULL;
-
if (!krb5_is_ap_req(inbuf))
return KRB5KRB_AP_ERR_MSG_TYPE;
-#ifndef LEAN_CLIENT
+#ifndef LEAN_CLIENT
if ((retval = decode_krb5_ap_req(inbuf, &request))) {
switch (retval) {
case KRB5_BADMSGTYPE:
- return KRB5KRB_AP_ERR_BADVERSION;
+ return KRB5KRB_AP_ERR_BADVERSION;
default:
return(retval);
- }
+ }
}
#endif /* LEAN_CLIENT */
}
-#ifndef LEAN_CLIENT
+#ifndef LEAN_CLIENT
/* Get a keytab if necessary. */
if (keytab == NULL) {
if ((retval = krb5_kt_default(context, &new_keytab)))
}
#endif /* LEAN_CLIENT */
- retval = krb5_rd_req_decoded_opt(context, auth_context, request, server,
- keytab, flags,
- ap_req_options, ticket, ad_context);
+ retval = krb5_rd_req_decoded(context, auth_context, request, server,
+ keytab, ap_req_options, ticket);
-#ifndef LEAN_CLIENT
+#ifndef LEAN_CLIENT
if (new_keytab != NULL)
(void) krb5_kt_close(context, new_keytab);
#endif /* LEAN_CLIENT */
return retval;
}
-krb5_error_code KRB5_CALLCONV
-krb5_rd_req(krb5_context context, krb5_auth_context *auth_context,
- const krb5_data *inbuf, krb5_const_principal server,
- krb5_keytab keytab, krb5_flags *ap_req_options,
- krb5_ticket **ticket)
-{
- krb5_error_code retval;
- krb5_authdata_context ad_context = NULL;
-
- retval = krb5_rd_req_extended(context, auth_context, inbuf, server,
- keytab, RD_REQ_CHECK_VALID_FLAG,
- ap_req_options, ticket, &ad_context);
-
- if (retval == 0)
- krb5_authdata_context_free(context, ad_context);
-
- return retval;
-}
-
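Review bot: The block comment above krb5_rd_req still describes `keyproc`, `keyprocarg` and `fetchfrom` parameters that the rewritten signature does not have, and it says nothing about the one behavioural change this hunk introduces: the verified authorization-data context is no longer returned to the caller but is attached to `*auth_context` by krb5_rd_req_decoded. Since the commit rewrites the signature, the comment should be rewritten with it, in place of the keyproc/fetchfrom paragraphs, along the lines of: server is the expected service principal for the ticket; keytab supplies the decryption key, and when it is NULL the default keytab is opened and closed internally; ap_req_options and ticket are outputs; on success the verified authdata context is stored in *auth_context, can be retrieved with krb5_auth_con_get_authdata_context, and is released by krb5_auth_con_free. The "returns system errors, encryption errors, replay errors" line can stay as is.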
}
#endif
-krb5_error_code
+static krb5_error_code
krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
const krb5_ap_req *req, krb5_const_principal server,
- krb5_keytab keytab, krb5_flags flags,
- krb5_flags *ap_req_options, krb5_ticket **ticket,
- krb5_authdata_context *ad_context)
+ krb5_keytab keytab, krb5_flags *ap_req_options,
+ krb5_ticket **ticket, int check_valid_flag)
{
krb5_error_code retval = 0;
krb5_principal_data princ_data;
int permitted_etypes_len = 0;
krb5_keyblock decrypt_key;
- assert((flags & RD_REQ_CHECK_VALID_FLAG) == 0 || ad_context != NULL);
-
- if (ad_context != NULL)
- *ad_context = NULL;
-
decrypt_key.enctype = ENCTYPE_NULL;
decrypt_key.contents = NULL;
if ((retval = krb5_decrypt_tkt_part(context, (*auth_context)->keyblock,
req->ticket)))
goto cleanup;
- if (flags & RD_REQ_CHECK_VALID_FLAG) {
+ if (check_valid_flag) {
decrypt_key = *((*auth_context)->keyblock);
free((*auth_context)->keyblock);
} else
} else {
if ((retval = krb5_rd_req_decrypt_tkt_part(context, req,
server, keytab,
- (flags & RD_REQ_CHECK_VALID_FLAG) ? &decrypt_key : NULL)))
+ check_valid_flag ? &decrypt_key : NULL)))
goto cleanup;
}
#ifndef LEAN_CLIENT
if ((retval = decrypt_authenticator(context, req,
&((*auth_context)->authentp),
- (flags & RD_REQ_CHECK_VALID_FLAG) != 0)))
+ check_valid_flag)))
goto cleanup;
#endif
if (!krb5_principal_compare(context, (*auth_context)->authentp->client,
if ((retval = krb5int_check_clockskew(context, (*auth_context)->authentp->ctime)))
goto cleanup;
- if (flags & RD_REQ_CHECK_VALID_FLAG) {
+ if (check_valid_flag) {
if (req->ticket->enc_part2->flags & TKT_FLG_INVALID) {
retval = KRB5KRB_AP_ERR_TKT_INVALID;
goto cleanup;
}
- assert(ad_context != NULL);
- if ((retval = krb5_authdata_context_init(context, ad_context)))
+ if ((retval = krb5_authdata_context_init(context,
+ &(*auth_context)->ad_context)))
goto cleanup;
if ((retval = krb5int_verify_authdata(context,
- *ad_context,
+ (*auth_context)->ad_context,
auth_context,
&decrypt_key,
req,
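Review bot: `krb5_authdata_context_init` now writes straight into `(*auth_context)->ad_context` without releasing whatever is already there, so an auth context reused for a second AP-REQ, or one on which the caller stored a context via krb5_auth_con_set_authdata_context, leaks the earlier one, where the removed code always started from a NULL out-parameter. Related: the cleanup below this hunk drops the `krb5_authdata_context_free` that the old code performed on failure, so after a rejected AP-REQ — including one that fails inside krb5int_verify_authdata — a partially verified context stays reachable through krb5_auth_con_get_authdata_context until the auth context is freed, and a caller that consults the context rather than the return code would consume unverified authorization data. Free and NULL the slot before the init and again in the error branch of cleanup (the block that resets `req->ticket->enc_part2` appears to be that branch; its guard is outside the hunk). krb5_rd_req_decoded_opt starts earlier in the file and its closing brace is not in this hunk.

```c
    if (check_valid_flag) {
        if (req->ticket->enc_part2->flags & TKT_FLG_INVALID) {
            retval = KRB5KRB_AP_ERR_TKT_INVALID;
            goto cleanup;
        }
        /* Release any context left from an earlier AP-REQ verified with
         * this auth context (or installed by the caller) so the init
         * below does not leak it. */
        if ((*auth_context)->ad_context != NULL) {
            krb5_authdata_context_free(context, (*auth_context)->ad_context);
            (*auth_context)->ad_context = NULL;
        }
        if ((retval = krb5_authdata_context_init(context,
                                                 &(*auth_context)->ad_context)))
            goto cleanup;
        /* … unchanged: krb5int_verify_authdata call … */
    }
    /* … unchanged: remainder of verification, cleanup label … */
        /* in the error branch of cleanup, next to the enc_part2 reset:
         * do not leave a partially verified context attached */
        if ((*auth_context)->ad_context != NULL) {
            krb5_authdata_context_free(context, (*auth_context)->ad_context);
            (*auth_context)->ad_context = NULL;
        }
```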
if (req->ticket->enc_part2)
krb5_free_enc_tkt_part(context, req->ticket->enc_part2);
req->ticket->enc_part2 = NULL;
- if (ad_context != NULL && *ad_context != NULL) {
- krb5_authdata_context_free(context, *ad_context);
- *ad_context = NULL;
- }
}
- if (flags & RD_REQ_CHECK_VALID_FLAG)
+ if (check_valid_flag)
krb5_free_keyblock_contents(context, &decrypt_key);
return retval;
krb5_error_code
krb5_rd_req_decoded(krb5_context context, krb5_auth_context *auth_context,
- const krb5_ap_req *req, krb5_const_principal server,
- krb5_keytab keytab, krb5_flags *ap_req_options,
- krb5_ticket **ticket)
+ const krb5_ap_req *req, krb5_const_principal server,
+ krb5_keytab keytab, krb5_flags *ap_req_options,
+ krb5_ticket **ticket)
{
krb5_error_code retval;
- krb5_authdata_context ad_context;
retval = krb5_rd_req_decoded_opt(context, auth_context,
- req, server, keytab, RD_REQ_CHECK_VALID_FLAG,
+ req, server, keytab,
ap_req_options, ticket,
- &ad_context);
- if (retval == 0)
- krb5_authdata_context_free(context, ad_context);
+ 1); /* check_valid_flag */
return retval;
}
krb5_error_code
krb5_rd_req_decoded_anyflag(krb5_context context,
- krb5_auth_context *auth_context,
- const krb5_ap_req *req,
- krb5_const_principal server, krb5_keytab keytab,
- krb5_flags *ap_req_options, krb5_ticket **ticket)
+ krb5_auth_context *auth_context,
+ const krb5_ap_req *req,
+ krb5_const_principal server, krb5_keytab keytab,
+ krb5_flags *ap_req_options, krb5_ticket **ticket)
{
krb5_error_code retval;
retval = krb5_rd_req_decoded_opt(context, auth_context,
- req, server, keytab,
- 0, /* don't check valid flag */
- ap_req_options, ticket, NULL);
+ req, server, keytab,
+ ap_req_options, ticket,
+ 0); /* don't check_valid_flag */
return retval;
}
krb5_auth_con_free
krb5_auth_con_genaddrs
krb5_auth_con_get_checksum_func
+krb5_auth_con_get_authdata_context
krb5_auth_con_getaddrs
krb5_auth_con_getauthenticator
krb5_auth_con_getflags
krb5_auth_con_getsendsubkey
krb5_auth_con_init
krb5_auth_con_initivector
+krb5_auth_con_set_authdata_context
krb5_auth_con_set_checksum_func
krb5_auth_con_set_req_cksumtype
krb5_auth_con_set_safe_cksumtype
krb5_rd_req
krb5_rd_req_decoded
krb5_rd_req_decoded_anyflag
-krb5_rd_req_extended
krb5_rd_safe
krb5_read_message
krb5_read_password