From: Greg Hudson Date: Mon, 18 Jul 2022 21:36:15 +0000 (-0400) Subject: Remove kdc_context, tgs_server macros in KDC X-Git-Tag: krb5-1.21-beta1~55 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8ecb797fb512faa80d1e03e4282e540745fc4341;p=thirdparty%2Fkrb5.git Remove kdc_context, tgs_server macros in KDC Eliminate the last two kdc_active_realm macros from realm_data.h (left behind after commits 0a2f14f752c32a24200363cc6b6ae64a92f81379 and e987546b4ff1689bb711cc46118ad9fc0a5613f6). Where code is affected, use the names "context" and "realm". Pass contexts instead of realm data structures to several functions which only need a context. --- diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c index f24f5fd8f3..28def3be47 100644 --- a/src/kdc/dispatch.c +++ b/src/kdc/dispatch.c @@ -33,8 +33,7 @@ #include #include -static krb5_error_code make_too_big_error(kdc_realm_t *kdc_active_realm, - krb5_data **out); +static krb5_error_code make_too_big_error(kdc_realm_t *realm, krb5_data **out); struct dispatch_state { loop_respond_fn respond; @@ -51,13 +50,12 @@ finish_dispatch(struct dispatch_state *state, krb5_error_code code, { loop_respond_fn oldrespond = state->respond; void *oldarg = state->arg; - kdc_realm_t *kdc_active_realm = state->active_realm; if (state->is_tcp == 0 && response && response->length > (unsigned int)max_dgram_reply_size) { - krb5_free_data(kdc_context, response); + krb5_free_data(NULL, response); response = NULL; - code = make_too_big_error(kdc_active_realm, &response); + code = make_too_big_error(state->active_realm, &response); if (code) krb5_klog_syslog(LOG_ERR, "error constructing " "KRB_ERR_RESPONSE_TOO_BIG error: %s", @@ -178,8 +176,9 @@ done: } static krb5_error_code -make_too_big_error(kdc_realm_t *kdc_active_realm, krb5_data **out) +make_too_big_error(kdc_realm_t *realm, krb5_data **out) { + krb5_context context = realm->realm_context; krb5_error errpkt; krb5_error_code retval; krb5_data *scratch; @@ -187,11 +186,11 @@ make_too_big_error(kdc_realm_t *kdc_active_realm, krb5_data **out) *out = NULL; memset(&errpkt, 0, sizeof(errpkt)); - retval = krb5_us_timeofday(kdc_context, &errpkt.stime, &errpkt.susec); + retval = krb5_us_timeofday(context, &errpkt.stime, &errpkt.susec); if (retval) return retval; errpkt.error = KRB_ERR_RESPONSE_TOO_BIG; - errpkt.server = tgs_server; + errpkt.server = realm->realm_tgsprinc; errpkt.client = NULL; errpkt.text.length = 0; errpkt.text.data = 0; @@ -200,7 +199,7 @@ make_too_big_error(kdc_realm_t *kdc_active_realm, krb5_data **out) scratch = malloc(sizeof(*scratch)); if (scratch == NULL) return ENOMEM; - retval = krb5_mk_error(kdc_context, &errpkt, scratch); + retval = krb5_mk_error(context, &errpkt, scratch); if (retval) { free(scratch); return retval; diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 40c0ec2abe..0d3af592fc 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -193,13 +193,14 @@ struct as_req_state { static void finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) { + kdc_realm_t *realm = state->active_realm; + krb5_context context = realm->realm_context; krb5_keyblock *as_encrypting_key = NULL; krb5_data *response = NULL; const char *emsg = 0; int did_log = 0; loop_respond_fn oldrespond; void *oldarg; - kdc_realm_t *kdc_active_realm = state->active_realm; krb5_audit_state *au_state = state->au_state; krb5_keyblock *replaced_reply_key = NULL; @@ -214,14 +215,14 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) state->ticket_reply.enc_part2 = &state->enc_tkt_reply; - errcode = check_kdcpolicy_as(kdc_context, state->request, state->client, + errcode = check_kdcpolicy_as(context, state->request, state->client, state->server, state->auth_indicators, state->kdc_time, &state->enc_tkt_reply.times, &state->status); if (errcode) goto egress; - errcode = get_first_current_key(kdc_context, state->server, + errcode = get_first_current_key(context, state->server, &state->server_keyblock); if (errcode) { state->status = "FINDING_SERVER_KEY"; @@ -247,7 +248,7 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) /* Fetch the padata info to be returned (do this before * authdata to handle possible replacement of reply key */ - errcode = return_padata(kdc_context, &state->rock, state->req_pkt, + errcode = return_padata(context, &state->rock, state->req_pkt, state->request, &state->reply, &state->client_keyblock, &state->pa_context); if (errcode) { @@ -266,7 +267,7 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) if (state->rock.replaced_reply_key) replaced_reply_key = &state->client_keyblock; - errcode = handle_authdata(kdc_active_realm, state->c_flags, state->client, + errcode = handle_authdata(realm, state->c_flags, state->client, state->server, NULL, state->local_tgt, &state->local_tgt_key, &state->client_keyblock, &state->server_keyblock, NULL, @@ -280,19 +281,18 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) goto egress; } - errcode = check_indicators(kdc_context, state->server, - state->auth_indicators); + errcode = check_indicators(context, state->server, state->auth_indicators); if (errcode) { state->status = "HIGHER_AUTHENTICATION_REQUIRED"; goto egress; } - errcode = krb5_encrypt_tkt_part(kdc_context, &state->server_keyblock, + errcode = krb5_encrypt_tkt_part(context, &state->server_keyblock, &state->ticket_reply); if (errcode) goto egress; - errcode = kau_make_tkt_id(kdc_context, &state->ticket_reply, + errcode = kau_make_tkt_id(context, &state->ticket_reply, &au_state->tkt_out_id); if (errcode) goto egress; @@ -313,7 +313,7 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) &as_encrypting_key); if (errcode) goto egress; - errcode = return_enc_padata(kdc_context, state->req_pkt, state->request, + errcode = return_enc_padata(context, state->req_pkt, state->request, as_encrypting_key, state->server, &state->reply_encpart, FALSE); if (errcode) { @@ -323,10 +323,9 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) if (kdc_fast_hide_client(state->rstate)) state->reply.client = (krb5_principal)krb5_anonymous_principal(); - errcode = krb5_encode_kdc_rep(kdc_context, KRB5_AS_REP, - &state->reply_encpart, 0, - as_encrypting_key, - &state->reply, &response); + errcode = krb5_encode_kdc_rep(context, KRB5_AS_REP, &state->reply_encpart, + 0, as_encrypting_key, &state->reply, + &response); if (state->client_key != NULL) state->reply.enc_part.kvno = state->client_key->key_data_kvno; if (errcode) @@ -338,7 +337,7 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) state->reply.enc_part.ciphertext.length); free(state->reply.enc_part.ciphertext.data); - log_as_req(kdc_context, state->local_addr, state->remote_addr, + log_as_req(context, state->local_addr, state->remote_addr, state->request, &state->reply, state->client, state->cname, state->server, state->sname, state->kdc_time, 0, 0, 0); did_log = 1; @@ -349,18 +348,18 @@ egress: au_state->status = state->status; au_state->reply = &state->reply; - kau_as_req(kdc_context, - (errcode || state->preauth_err) ? FALSE : TRUE, au_state); + kau_as_req(context, (errcode || state->preauth_err) ? FALSE : TRUE, + au_state); kau_free_kdc_req(au_state); - free_padata_context(kdc_context, state->pa_context); + free_padata_context(context, state->pa_context); if (as_encrypting_key) - krb5_free_keyblock(kdc_context, as_encrypting_key); + krb5_free_keyblock(context, as_encrypting_key); if (errcode) - emsg = krb5_get_error_message(kdc_context, errcode); + emsg = krb5_get_error_message(context, errcode); if (state->status) { - log_as_req(kdc_context, state->local_addr, state->remote_addr, + log_as_req(context, state->local_addr, state->remote_addr, state->request, &state->reply, state->client, state->cname, state->server, state->sname, state->kdc_time, state->status, errcode, emsg); @@ -387,40 +386,39 @@ egress: } if (emsg) - krb5_free_error_message(kdc_context, emsg); + krb5_free_error_message(context, emsg); if (state->enc_tkt_reply.authorization_data != NULL) - krb5_free_authdata(kdc_context, - state->enc_tkt_reply.authorization_data); + krb5_free_authdata(context, state->enc_tkt_reply.authorization_data); if (state->local_tgt_key.contents != NULL) - krb5_free_keyblock_contents(kdc_context, &state->local_tgt_key); + krb5_free_keyblock_contents(context, &state->local_tgt_key); if (state->server_keyblock.contents != NULL) - krb5_free_keyblock_contents(kdc_context, &state->server_keyblock); + krb5_free_keyblock_contents(context, &state->server_keyblock); if (state->client_keyblock.contents != NULL) - krb5_free_keyblock_contents(kdc_context, &state->client_keyblock); + krb5_free_keyblock_contents(context, &state->client_keyblock); if (state->reply.padata != NULL) - krb5_free_pa_data(kdc_context, state->reply.padata); + krb5_free_pa_data(context, state->reply.padata); if (state->reply_encpart.enc_padata) - krb5_free_pa_data(kdc_context, state->reply_encpart.enc_padata); + krb5_free_pa_data(context, state->reply_encpart.enc_padata); if (state->cname != NULL) free(state->cname); if (state->sname != NULL) free(state->sname); - krb5_db_free_principal(kdc_context, state->client); - krb5_db_free_principal(kdc_context, state->server); - krb5_db_free_principal(kdc_context, state->local_tgt_storage); + krb5_db_free_principal(context, state->client); + krb5_db_free_principal(context, state->server); + krb5_db_free_principal(context, state->local_tgt_storage); if (state->session_key.contents != NULL) - krb5_free_keyblock_contents(kdc_context, &state->session_key); + krb5_free_keyblock_contents(context, &state->session_key); if (state->ticket_reply.enc_part.ciphertext.data != NULL) { memset(state->ticket_reply.enc_part.ciphertext.data , 0, state->ticket_reply.enc_part.ciphertext.length); free(state->ticket_reply.enc_part.ciphertext.data); } - krb5_free_pa_data(kdc_context, state->e_data); - krb5_free_data(kdc_context, state->inner_body); + krb5_free_pa_data(context, state->e_data); + krb5_free_data(context, state->inner_body); kdc_free_rstate(state->rstate); - krb5_free_kdc_req(kdc_context, state->request); + krb5_free_kdc_req(context, state->request); k5_free_data_ptr_list(state->auth_indicators); assert(did_log != 0); @@ -475,9 +473,10 @@ finish_preauth(void *arg, krb5_error_code code) void process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, const krb5_fulladdr *local_addr, - const krb5_fulladdr *remote_addr, kdc_realm_t *kdc_active_realm, + const krb5_fulladdr *remote_addr, kdc_realm_t *realm, verto_ctx *vctx, loop_respond_fn respond, void *arg) { + krb5_context context = realm->realm_context; krb5_error_code errcode; krb5_data encoded_req_body; krb5_enctype useenctype; @@ -495,9 +494,9 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, state->req_pkt = req_pkt; state->local_addr = local_addr; state->remote_addr = remote_addr; - state->active_realm = kdc_active_realm; + state->active_realm = realm; - errcode = kdc_make_rstate(kdc_active_realm, &state->rstate); + errcode = kdc_make_rstate(realm, &state->rstate); if (errcode != 0) { (*respond)(arg, errcode, NULL); free(state); @@ -505,7 +504,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, } /* Initialize audit state. */ - errcode = kau_init_kdc_req(kdc_context, state->request, remote_addr, + errcode = kau_init_kdc_req(context, state->request, remote_addr, &au_state); if (errcode) { (*respond)(arg, errcode, NULL); @@ -522,9 +521,9 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, } /* Seed the audit trail with the request ID and basic information. */ - kau_as_req(kdc_context, TRUE, au_state); + kau_as_req(context, TRUE, au_state); - errcode = krb5_timeofday(kdc_context, &state->kdc_time); + errcode = krb5_timeofday(context, &state->kdc_time); if (errcode) goto errout; @@ -541,7 +540,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, } if (state->inner_body == NULL) { /* Not a FAST request; copy the encoded request body. */ - errcode = krb5_copy_data(kdc_context, &encoded_req_body, + errcode = krb5_copy_data(context, &encoded_req_body, &state->inner_body); if (errcode) goto errout; @@ -558,9 +557,9 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; goto errout; } - if ((errcode = krb5_unparse_name(kdc_context, - state->request->client, - &state->cname))) + errcode = krb5_unparse_name(context, state->request->client, + &state->cname); + if (errcode) goto errout; limit_string(state->cname); @@ -569,9 +568,9 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; goto errout; } - if ((errcode = krb5_unparse_name(kdc_context, - state->request->server, - &state->sname))) + errcode = krb5_unparse_name(context, state->request->server, + &state->sname); + if (errcode) goto errout; limit_string(state->sname); @@ -579,7 +578,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE) || state->request->client->type == KRB5_NT_ENTERPRISE_PRINCIPAL) setflag(state->c_flags, KRB5_KDB_FLAG_REFERRAL_OK); - errcode = lookup_client(kdc_context, state->request, state->c_flags, + errcode = lookup_client(context, state->request, state->c_flags, &state->client); if (errcode == KRB5_KDB_CANTLOCK_DB) errcode = KRB5KDC_ERR_SVC_UNAVAILABLE; @@ -598,7 +597,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, au_state->stage = SRVC_PRINC; - errcode = krb5_db_get_principal(kdc_context, state->request->server, 0, + errcode = krb5_db_get_principal(context, state->request->server, 0, &state->server); if (errcode == KRB5_KDB_CANTLOCK_DB) errcode = KRB5KDC_ERR_SVC_UNAVAILABLE; @@ -620,7 +619,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, goto errout; } - errcode = get_local_tgt(kdc_context, &state->request->server->realm, + errcode = get_local_tgt(context, &state->request->server->realm, state->server, &state->local_tgt, &state->local_tgt_storage, &state->local_tgt_key); if (errcode) { @@ -632,10 +631,10 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, au_state->stage = VALIDATE_POL; - if ((errcode = validate_as_request(kdc_active_realm, - state->request, state->client, - state->server, state->kdc_time, - &state->status, &state->e_data))) { + errcode = validate_as_request(realm, state->request, state->client, + state->server, state->kdc_time, + &state->status, &state->e_data); + if (errcode) { errcode += ERROR_TABLE_BASE_krb5; goto errout; } @@ -645,17 +644,18 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, /* * Select the keytype for the ticket session key. */ - if ((useenctype = select_session_keytype(kdc_active_realm, state->server, - state->request->nktypes, - state->request->ktype)) == 0) { + useenctype = select_session_keytype(context, state->server, + state->request->nktypes, + state->request->ktype); + if (useenctype == 0) { /* unsupported ktype */ state->status = "BAD_ENCRYPTION_TYPE"; errcode = KRB5KDC_ERR_ETYPE_NOSUPP; goto errout; } - if ((errcode = krb5_c_make_random_key(kdc_context, useenctype, - &state->session_key))) + errcode = krb5_c_make_random_key(context, useenctype, &state->session_key); + if (errcode) goto errout; /* @@ -700,14 +700,12 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, else state->enc_tkt_reply.times.starttime = state->kdc_time; - kdc_get_ticket_endtime(kdc_active_realm, - state->enc_tkt_reply.times.starttime, + kdc_get_ticket_endtime(realm, state->enc_tkt_reply.times.starttime, kdc_infinity, state->request->till, state->client, state->server, &state->enc_tkt_reply.times.endtime); - kdc_get_ticket_renewtime(kdc_active_realm, state->request, NULL, - state->client, state->server, - &state->enc_tkt_reply); + kdc_get_ticket_renewtime(realm, state->request, NULL, state->client, + state->server, &state->enc_tkt_reply); /* * starttime is optional, and treated as authtime if not present. @@ -723,17 +721,16 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, /* If anonymous requests are being used, adjust the realm of the client * principal. */ if (isflagset(state->request->kdc_options, KDC_OPT_REQUEST_ANONYMOUS)) { - if (!krb5_principal_compare_any_realm(kdc_context, - state->request->client, + if (!krb5_principal_compare_any_realm(context, state->request->client, krb5_anonymous_principal())) { errcode = KRB5KDC_ERR_BADOPTION; /* Anonymous requested but anonymous principal not used.*/ state->status = "VALIDATE_ANONYMOUS_PRINCIPAL"; goto errout; } - krb5_free_principal(kdc_context, state->request->client); + krb5_free_principal(context, state->request->client); state->request->client = NULL; - errcode = krb5_copy_principal(kdc_context, krb5_anonymous_principal(), + errcode = krb5_copy_principal(context, krb5_anonymous_principal(), &state->request->client); if (errcode) goto errout; @@ -741,8 +738,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, setflag(state->client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH); } - errcode = select_client_key(kdc_context, state->client, - state->request->ktype, state->request->nktypes, + errcode = select_client_key(context, state->client, state->request->ktype, + state->request->nktypes, &state->client_keyblock, &state->client_key); if (errcode) { state->status = "DECRYPT_CLIENT_KEY"; @@ -752,7 +749,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, state->rock.client_key = state->client_key; state->rock.client_keyblock = &state->client_keyblock; - errcode = kdc_fast_read_cookie(kdc_context, state->rstate, state->request, + errcode = kdc_fast_read_cookie(context, state->rstate, state->request, state->local_tgt, &state->local_tgt_key); if (errcode) { state->status = "READ_COOKIE"; @@ -763,10 +760,9 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, * Check the preauthentication if it is there. */ if (state->request->padata) { - check_padata(kdc_context, &state->rock, state->req_pkt, - state->request, &state->enc_tkt_reply, &state->pa_context, - &state->e_data, &state->typed_e_data, finish_preauth, - state); + check_padata(context, &state->rock, state->req_pkt, state->request, + &state->enc_tkt_reply, &state->pa_context, &state->e_data, + &state->typed_e_data, finish_preauth, state); } else finish_preauth(state, 0); return; @@ -782,11 +778,11 @@ prepare_error_as(struct kdc_request_state *rstate, krb5_kdc_req *request, krb5_boolean typed_e_data, krb5_principal canon_client, krb5_data **response, const char *status) { + krb5_context context = rstate->realm_data->realm_context; krb5_error errpkt; krb5_error_code retval; krb5_data *scratch = NULL, *e_data_asn1 = NULL, *fast_edata = NULL; krb5_pa_data **e_data = NULL, *cookie = NULL; - kdc_realm_t *kdc_active_realm = rstate->realm_data; size_t count; errpkt.magic = KV5M_ERROR; @@ -799,16 +795,15 @@ prepare_error_as(struct kdc_request_state *rstate, krb5_kdc_req *request, if (e_data == NULL) return ENOMEM; memcpy(e_data, e_data_in, count * sizeof(*e_data)); - retval = kdc_fast_make_cookie(kdc_context, rstate, local_tgt, - local_tgt_key, request->client, - &cookie); + retval = kdc_fast_make_cookie(context, rstate, local_tgt, + local_tgt_key, request->client, &cookie); e_data[count] = cookie; } errpkt.ctime = 0; errpkt.cusec = 0; - retval = krb5_us_timeofday(kdc_context, &errpkt.stime, &errpkt.susec); + retval = krb5_us_timeofday(context, &errpkt.stime, &errpkt.susec); if (retval) goto cleanup; errpkt.error = error; @@ -828,8 +823,8 @@ prepare_error_as(struct kdc_request_state *rstate, krb5_kdc_req *request, } else errpkt.e_data = empty_data(); - retval = kdc_fast_handle_error(kdc_context, rstate, request, e_data, - &errpkt, &fast_edata); + retval = kdc_fast_handle_error(context, rstate, request, e_data, &errpkt, + &fast_edata); if (retval) goto cleanup; if (fast_edata != NULL) @@ -840,7 +835,7 @@ prepare_error_as(struct kdc_request_state *rstate, krb5_kdc_req *request, goto cleanup; if (kdc_fast_hide_client(rstate) && errpkt.client != NULL) errpkt.client = (krb5_principal)krb5_anonymous_principal(); - retval = krb5_mk_error(kdc_context, &errpkt, scratch); + retval = krb5_mk_error(context, &errpkt, scratch); if (retval) goto cleanup; @@ -848,8 +843,8 @@ prepare_error_as(struct kdc_request_state *rstate, krb5_kdc_req *request, scratch = NULL; cleanup: - krb5_free_data(kdc_context, fast_edata); - krb5_free_data(kdc_context, e_data_asn1); + krb5_free_data(context, fast_edata); + krb5_free_data(context, e_data_asn1); free(scratch); free(e_data); if (cookie != NULL) diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index f90c7cf0ff..b64aaf1da4 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -69,21 +69,17 @@ #include "adm_proto.h" #include -static krb5_error_code -find_alternate_tgs(kdc_realm_t *, krb5_principal, krb5_db_entry **, - const char**); - static krb5_error_code prepare_error_tgs(struct kdc_request_state *, krb5_kdc_req *,krb5_ticket *,int, krb5_principal,krb5_data **,const char *, krb5_pa_data **); static krb5_error_code -decrypt_2ndtkt(kdc_realm_t *, krb5_kdc_req *, krb5_flags, krb5_db_entry *, +decrypt_2ndtkt(krb5_context, krb5_kdc_req *, krb5_flags, krb5_db_entry *, krb5_keyblock *, const krb5_ticket **, krb5_pac *, krb5_db_entry **, krb5_keyblock **, const char **); static krb5_error_code -gen_session_key(kdc_realm_t *, krb5_kdc_req *, krb5_db_entry *, +gen_session_key(krb5_context, krb5_kdc_req *, krb5_db_entry *, krb5_keyblock *, const char **); static krb5_int32 @@ -100,9 +96,10 @@ search_sprinc(kdc_realm_t *, krb5_kdc_req *, krb5_flags, /*ARGSUSED*/ krb5_error_code process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, - const krb5_fulladdr *from, kdc_realm_t *kdc_active_realm, + const krb5_fulladdr *from, kdc_realm_t *realm, krb5_data **response) { + krb5_context context = realm->realm_context; krb5_keyblock * subkey = 0; krb5_keyblock *header_key = NULL; krb5_keyblock *stkt_server_key = NULL; @@ -157,24 +154,23 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, sprinc = request->server; if (request->msg_type != KRB5_TGS_REQ) { - krb5_free_kdc_req(kdc_context, request); + krb5_free_kdc_req(context, request); return KRB5_BADMSGTYPE; } - errcode = kdc_make_rstate(kdc_active_realm, &state); + errcode = kdc_make_rstate(realm, &state); if (errcode != 0) goto cleanup; /* Initialize audit state. */ - errcode = kau_init_kdc_req(kdc_context, request, from, &au_state); + errcode = kau_init_kdc_req(context, request, from, &au_state); if (errcode) goto cleanup; /* Seed the audit trail with the request ID and basic information. */ - kau_tgs_req(kdc_context, TRUE, au_state); + kau_tgs_req(context, TRUE, au_state); - errcode = kdc_process_tgs_req(kdc_active_realm, - request, from, pkt, &header_ticket, + errcode = kdc_process_tgs_req(realm, request, from, pkt, &header_ticket, &header_server, &header_key, &subkey, &pa_tgs_req); if (header_ticket && header_ticket->enc_part2) @@ -189,8 +185,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, errcode = KRB5_NO_TKT_SUPPLIED; /* XXX? */ goto cleanup; } - errcode = kau_make_tkt_id(kdc_context, header_ticket, - &au_state->tkt_in_id); + errcode = kau_make_tkt_id(context, header_ticket, &au_state->tkt_in_id); if (errcode) goto cleanup; @@ -210,14 +205,14 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, goto cleanup; } - errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server, + errcode = get_local_tgt(context, &sprinc->realm, header_server, &local_tgt, &local_tgt_storage, &local_tgt_key); if (errcode) { status = "GET_LOCAL_TGT"; goto cleanup; } - errcode = get_verified_pac(kdc_context, header_ticket->enc_part2, + errcode = get_verified_pac(context, header_ticket->enc_part2, header_server->princ, header_key, local_tgt, &local_tgt_key, &header_pac); if (errcode) { @@ -250,8 +245,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) setflag(s_flags, KRB5_KDB_FLAG_REFERRAL_OK); - errcode = search_sprinc(kdc_active_realm, request, s_flags, &server, - &status); + errcode = search_sprinc(realm, request, s_flags, &server, &status); if (errcode != 0) goto cleanup; sprinc = server->princ; @@ -259,11 +253,12 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, /* If we got a cross-realm TGS which is not the requested server, we are * issuing a referral (or alternate TGT, which we treat similarly). */ is_referral = is_cross_tgs_principal(server->princ) && - !krb5_principal_compare(kdc_context, request->server, server->princ); + !krb5_principal_compare(context, request->server, server->princ); au_state->stage = VALIDATE_POL; - if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) + errcode = krb5_timeofday(context, &kdc_time); + if (errcode) goto cleanup; is_crossrealm = !data_eq(header_server->princ->realm, sprinc->realm); @@ -273,14 +268,14 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, setflag(c_flags, KRB5_KDB_FLAG_ISSUING_REFERRAL); /* Check for protocol transition */ - errcode = kdc_process_s4u2self_req(kdc_active_realm, request, server, - subkey, header_enc_tkt->session, - &s4u_x509_user, &client, &status); + errcode = kdc_process_s4u2self_req(context, request, server, subkey, + header_enc_tkt->session, &s4u_x509_user, + &client, &status); if (s4u_x509_user != NULL || errcode != 0) { if (s4u_x509_user != NULL) au_state->s4u2self_user = s4u_x509_user->user_id.user; au_state->status = status; - kau_s4u2self(kdc_context, errcode ? FALSE : TRUE, au_state); + kau_s4u2self(context, errcode ? FALSE : TRUE, au_state); au_state->s4u2self_user = NULL; if (errcode) goto cleanup; @@ -289,17 +284,17 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, setflag(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION); /* For user-to-user and S4U2Proxy requests, decrypt the second ticket. */ - errcode = decrypt_2ndtkt(kdc_active_realm, request, c_flags, local_tgt, + errcode = decrypt_2ndtkt(context, request, c_flags, local_tgt, &local_tgt_key, &stkt, &stkt_pac, &stkt_server, &stkt_server_key, &status); if (errcode) goto cleanup; - retval = validate_tgs_request(kdc_active_realm, request, server, - header_ticket, header_pac, stkt, stkt_pac, - stkt_server, kdc_time, s4u_x509_user, - client, is_crossrealm, is_referral, - &status, &e_data); + retval = validate_tgs_request(realm, request, server, header_ticket, + header_pac, stkt, stkt_pac, stkt_server, + kdc_time, s4u_x509_user, client, + is_crossrealm, is_referral, &status, + &e_data); if (retval) { if (retval == KDC_ERR_POLICY || retval == KDC_ERR_BADOPTION) au_state->violation = PROT_CONSTRAINT; @@ -311,10 +306,10 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, /* Do constrained delegation protocol and authorization checks. */ setflag(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION); - errcode = kdc_process_s4u2proxy_req(kdc_active_realm, c_flags, - request, header_pac, - stkt->enc_part2, stkt_pac, - stkt_server, stkt_server_key, + errcode = kdc_process_s4u2proxy_req(context, c_flags, request, + header_pac, stkt->enc_part2, + stkt_pac, stkt_server, + stkt_server_key, header_ticket->enc_part2->client, server, &stkt_authdata_client, &status); @@ -323,12 +318,12 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, else if (errcode) au_state->violation = LOCAL_POLICY; au_state->status = status; - retval = kau_make_tkt_id(kdc_context, stkt, &au_state->evid_tkt_id); + retval = kau_make_tkt_id(context, stkt, &au_state->evid_tkt_id); if (retval) { errcode = retval; goto cleanup; } - kau_s4u2proxy(kdc_context, errcode ? FALSE : TRUE, au_state); + kau_s4u2proxy(context, errcode ? FALSE : TRUE, au_state); if (errcode) goto cleanup; @@ -337,8 +332,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, au_state->stage = ISSUE_TKT; - errcode = gen_session_key(kdc_active_realm, request, server, &session_key, - &status); + errcode = gen_session_key(context, request, server, &session_key, &status); if (errcode) goto cleanup; @@ -365,14 +359,14 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, /* Extract and check auth indicators from the subject ticket, except for * S4U2Self requests (where the client didn't authenticate). */ if (s4u_x509_user == NULL) { - errcode = get_auth_indicators(kdc_context, subject_tkt, local_tgt, + errcode = get_auth_indicators(context, subject_tkt, local_tgt, &local_tgt_key, &auth_indicators); if (errcode) { status = "GET_AUTH_INDICATORS"; goto cleanup; } - errcode = check_indicators(kdc_context, server, auth_indicators); + errcode = check_indicators(context, server, auth_indicators); if (errcode) { status = "HIGHER_AUTHENTICATION_REQUIRED"; goto cleanup; @@ -390,7 +384,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, if (s4u_x509_user != NULL && !is_referral) { /* Check if we need to suppress the forwardable ticket flag. */ - errcode = s4u2self_forwardable(kdc_context, server, &enc_tkt_reply); + errcode = s4u2self_forwardable(context, server, &enc_tkt_reply); if (errcode) goto cleanup; } @@ -455,15 +449,15 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, /* not a renew request */ enc_tkt_reply.times.starttime = kdc_time; - kdc_get_ticket_endtime(kdc_active_realm, enc_tkt_reply.times.starttime, + kdc_get_ticket_endtime(realm, enc_tkt_reply.times.starttime, header_enc_tkt->times.endtime, request->till, client, server, &enc_tkt_reply.times.endtime); } - kdc_get_ticket_renewtime(kdc_active_realm, request, header_enc_tkt, client, - server, &enc_tkt_reply); + kdc_get_ticket_renewtime(realm, request, header_enc_tkt, client, server, + &enc_tkt_reply); - errcode = check_kdcpolicy_tgs(kdc_context, request, server, header_ticket, + errcode = check_kdcpolicy_tgs(context, request, server, header_ticket, auth_indicators, kdc_time, &enc_tkt_reply.times, &status); if (errcode) @@ -491,7 +485,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) { encrypting_key = stkt->enc_part2->session; } else { - errcode = get_first_current_key(kdc_context, server, &server_keyblock); + errcode = get_first_current_key(context, server, &server_keyblock); if (errcode) { status = "FINDING_SERVER_KEY"; goto cleanup; @@ -518,7 +512,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, assert(client == NULL); /* should not have been set already */ - errcode = krb5_db_get_principal(kdc_context, subject_tkt->client, + errcode = krb5_db_get_principal(context, subject_tkt->client, c_flags, &client); } } @@ -540,7 +534,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, * listed). */ if (!is_crossrealm || - krb5_realm_compare(kdc_context, header_ticket->server, + krb5_realm_compare(context, header_ticket->server, enc_tkt_reply.client)) { /* tgt issued by local realm or issued by realm of client */ enc_tkt_reply.transited = header_enc_tkt->transited; @@ -567,19 +561,19 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, newtransited = 1; } if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) { - errcode = kdc_check_transited_list (kdc_active_realm, - &enc_tkt_reply.transited.tr_contents, - krb5_princ_realm (kdc_context, header_enc_tkt->client), - krb5_princ_realm (kdc_context, request->server)); + errcode = kdc_check_transited_list(context, + &enc_tkt_reply.transited.tr_contents, + &header_enc_tkt->client->realm, + &request->server->realm); if (errcode == 0) { setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED); } else { - log_tgs_badtrans(kdc_context, cprinc, sprinc, + log_tgs_badtrans(context, cprinc, sprinc, &enc_tkt_reply.transited.tr_contents, errcode); } } else krb5_klog_syslog(LOG_INFO, _("not checking transit path")); - if (kdc_active_realm->realm_reject_bad_transit && + if (realm->realm_reject_bad_transit && !isflagset(enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED)) { errcode = KRB5KDC_ERR_POLICY; status = "BAD_TRANSIT"; @@ -587,8 +581,8 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, goto cleanup; } - errcode = handle_authdata(kdc_active_realm, c_flags, client, server, - subject_server, local_tgt, &local_tgt_key, + errcode = handle_authdata(realm, c_flags, client, server, subject_server, + local_tgt, &local_tgt_key, subkey != NULL ? subkey : header_ticket->enc_part2->session, encrypting_key, subject_key, NULL, pkt, request, @@ -608,13 +602,12 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) { ticket_kvno = 0; ticket_reply.enc_part.enctype = stkt->enc_part2->session->enctype; - kau_u2u(kdc_context, TRUE, au_state); + kau_u2u(context, TRUE, au_state); } else { ticket_kvno = current_kvno(server); } - errcode = krb5_encrypt_tkt_part(kdc_context, encrypting_key, - &ticket_reply); + errcode = krb5_encrypt_tkt_part(context, encrypting_key, &ticket_reply); if (errcode) goto cleanup; ticket_reply.enc_part.kvno = ticket_kvno; @@ -622,17 +615,14 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, au_state->stage = ENCR_REP; reply.msg_type = KRB5_TGS_REP; if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) && - krb5int_find_pa_data(kdc_context, request->padata, + krb5int_find_pa_data(context, request->padata, KRB5_PADATA_S4U_X509_USER) != NULL) { - errcode = kdc_make_s4u2self_rep(kdc_context, - subkey, + errcode = kdc_make_s4u2self_rep(context, subkey, header_ticket->enc_part2->session, - s4u_x509_user, - &reply, - &reply_encpart); + s4u_x509_user, &reply, &reply_encpart); if (errcode) au_state->status = status; - kau_s4u2self(kdc_context, errcode ? FALSE : TRUE, au_state); + kau_s4u2self(context, errcode ? FALSE : TRUE, au_state); if (errcode) goto cleanup; } @@ -669,8 +659,8 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, subkey?subkey:header_ticket->enc_part2->session, &reply_key); if (errcode) goto cleanup; - errcode = return_enc_padata(kdc_context, pkt, request, - reply_key, server, &reply_encpart, + errcode = return_enc_padata(context, pkt, request, reply_key, server, + &reply_encpart, is_referral && isflagset(s_flags, KRB5_KDB_FLAG_REFERRAL_OK)); if (errcode) { @@ -678,16 +668,14 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, goto cleanup; } - errcode = kau_make_tkt_id(kdc_context, &ticket_reply, &au_state->tkt_out_id); + errcode = kau_make_tkt_id(context, &ticket_reply, &au_state->tkt_out_id); if (errcode) goto cleanup; if (kdc_fast_hide_client(state)) reply.client = (krb5_principal)krb5_anonymous_principal(); - errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart, - subkey ? 1 : 0, - reply_key, - &reply, response); + errcode = krb5_encode_kdc_rep(context, KRB5_TGS_REP, &reply_encpart, + subkey ? 1 : 0, reply_key, &reply, response); if (!errcode) status = "ISSUE"; @@ -703,34 +691,33 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, cleanup: if (status == NULL) status = "UNKNOWN_REASON"; - krb5_free_keyblock_contents(kdc_context, &server_keyblock); + krb5_free_keyblock_contents(context, &server_keyblock); if (reply_key) - krb5_free_keyblock(kdc_context, reply_key); + krb5_free_keyblock(context, reply_key); if (stkt_server_key) - krb5_free_keyblock(kdc_context, stkt_server_key); + krb5_free_keyblock(context, stkt_server_key); if (errcode) - emsg = krb5_get_error_message (kdc_context, errcode); + emsg = krb5_get_error_message(context, errcode); if (au_state != NULL) { au_state->status = status; if (!errcode) au_state->reply = &reply; - kau_tgs_req(kdc_context, errcode ? FALSE : TRUE, au_state); + kau_tgs_req(context, errcode ? FALSE : TRUE, au_state); kau_free_kdc_req(au_state); } - log_tgs_req(kdc_context, from, request, &reply, cprinc, - sprinc, altcprinc, authtime, - c_flags, status, errcode, emsg); + log_tgs_req(context, from, request, &reply, cprinc, sprinc, altcprinc, + authtime, c_flags, status, errcode, emsg); if (errcode) { - krb5_free_error_message (kdc_context, emsg); + krb5_free_error_message(context, emsg); emsg = NULL; } if (errcode && state != NULL) { int got_err = 0; if (status == 0) { - status = krb5_get_error_message (kdc_context, errcode); + status = krb5_get_error_message(context, errcode); got_err = 1; } errcode -= ERROR_TABLE_BASE_krb5; @@ -741,47 +728,47 @@ cleanup: (server != NULL) ? server->princ : NULL, response, status, e_data); if (got_err) { - krb5_free_error_message (kdc_context, status); + krb5_free_error_message(context, status); status = 0; } } if (header_ticket != NULL) - krb5_free_ticket(kdc_context, header_ticket); + krb5_free_ticket(context, header_ticket); if (request != NULL) - krb5_free_kdc_req(kdc_context, request); + krb5_free_kdc_req(context, request); if (state) kdc_free_rstate(state); - krb5_db_free_principal(kdc_context, server); - krb5_db_free_principal(kdc_context, stkt_server); - krb5_db_free_principal(kdc_context, header_server); - krb5_db_free_principal(kdc_context, client); - krb5_db_free_principal(kdc_context, local_tgt_storage); + krb5_db_free_principal(context, server); + krb5_db_free_principal(context, stkt_server); + krb5_db_free_principal(context, header_server); + krb5_db_free_principal(context, client); + krb5_db_free_principal(context, local_tgt_storage); if (local_tgt_key.contents != NULL) - krb5_free_keyblock_contents(kdc_context, &local_tgt_key); + krb5_free_keyblock_contents(context, &local_tgt_key); if (session_key.contents != NULL) - krb5_free_keyblock_contents(kdc_context, &session_key); + krb5_free_keyblock_contents(context, &session_key); if (newtransited) free(enc_tkt_reply.transited.tr_contents.data); if (s4u_x509_user != NULL) - krb5_free_pa_s4u_x509_user(kdc_context, s4u_x509_user); + krb5_free_pa_s4u_x509_user(context, s4u_x509_user); if (kdc_issued_auth_data != NULL) - krb5_free_authdata(kdc_context, kdc_issued_auth_data); + krb5_free_authdata(context, kdc_issued_auth_data); if (subkey != NULL) - krb5_free_keyblock(kdc_context, subkey); + krb5_free_keyblock(context, subkey); if (header_key != NULL) - krb5_free_keyblock(kdc_context, header_key); + krb5_free_keyblock(context, header_key); if (reply.padata) - krb5_free_pa_data(kdc_context, reply.padata); + krb5_free_pa_data(context, reply.padata); if (reply_encpart.enc_padata) - krb5_free_pa_data(kdc_context, reply_encpart.enc_padata); + krb5_free_pa_data(context, reply_encpart.enc_padata); if (enc_tkt_reply.authorization_data != NULL) - krb5_free_authdata(kdc_context, enc_tkt_reply.authorization_data); - krb5_free_pa_data(kdc_context, e_data); + krb5_free_authdata(context, enc_tkt_reply.authorization_data); + krb5_free_pa_data(context, e_data); k5_free_data_ptr_list(auth_indicators); - krb5_pac_free(kdc_context, header_pac); - krb5_pac_free(kdc_context, stkt_pac); - krb5_free_principal(kdc_context, stkt_authdata_client); + krb5_pac_free(context, header_pac); + krb5_pac_free(context, stkt_pac); + krb5_free_principal(context, stkt_authdata_client); return retval; } @@ -793,17 +780,17 @@ prepare_error_tgs (struct kdc_request_state *state, krb5_data **response, const char *status, krb5_pa_data **e_data) { + krb5_context context = state->realm_data->realm_context; krb5_error errpkt; krb5_error_code retval = 0; krb5_data *scratch, *e_data_asn1 = NULL, *fast_edata = NULL; - kdc_realm_t *kdc_active_realm = state->realm_data; errpkt.magic = KV5M_ERROR; errpkt.ctime = 0; errpkt.cusec = 0; - if ((retval = krb5_us_timeofday(kdc_context, &errpkt.stime, - &errpkt.susec))) + retval = krb5_us_timeofday(context, &errpkt.stime, &errpkt.susec); + if (retval) return(retval); errpkt.error = error; errpkt.server = request->server; @@ -831,22 +818,22 @@ prepare_error_tgs (struct kdc_request_state *state, } else errpkt.e_data = empty_data(); - retval = kdc_fast_handle_error(kdc_context, state, request, e_data, + retval = kdc_fast_handle_error(context, state, request, e_data, &errpkt, &fast_edata); if (retval) { free(scratch); free(errpkt.text.data); - krb5_free_data(kdc_context, e_data_asn1); + krb5_free_data(context, e_data_asn1); return retval; } if (fast_edata) errpkt.e_data = *fast_edata; if (kdc_fast_hide_client(state) && errpkt.client != NULL) errpkt.client = (krb5_principal)krb5_anonymous_principal(); - retval = krb5_mk_error(kdc_context, &errpkt, scratch); + retval = krb5_mk_error(context, &errpkt, scratch); free(errpkt.text.data); - krb5_free_data(kdc_context, e_data_asn1); - krb5_free_data(kdc_context, fast_edata); + krb5_free_data(context, e_data_asn1); + krb5_free_data(context, fast_edata); if (retval) free(scratch); else @@ -864,11 +851,11 @@ prepare_error_tgs (struct kdc_request_state *state, * key. */ static krb5_error_code -decrypt_2ndtkt(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, - krb5_flags flags, krb5_db_entry *local_tgt, - krb5_keyblock *local_tgt_key, const krb5_ticket **stkt_out, - krb5_pac *pac_out, krb5_db_entry **server_out, - krb5_keyblock **key_out, const char **status) +decrypt_2ndtkt(krb5_context context, krb5_kdc_req *req, krb5_flags flags, + krb5_db_entry *local_tgt, krb5_keyblock *local_tgt_key, + const krb5_ticket **stkt_out, krb5_pac *pac_out, + krb5_db_entry **server_out, krb5_keyblock **key_out, + const char **status) { krb5_error_code retval; krb5_db_entry *server = NULL; @@ -886,19 +873,19 @@ decrypt_2ndtkt(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, return 0; stkt = req->second_ticket[0]; - retval = kdc_get_server_key(kdc_context, stkt, flags, TRUE, - &server, &key, &kvno); + retval = kdc_get_server_key(context, stkt, flags, TRUE, &server, &key, + &kvno); if (retval != 0) { *status = "2ND_TKT_SERVER"; goto cleanup; } - retval = krb5_decrypt_tkt_part(kdc_context, key, stkt); + retval = krb5_decrypt_tkt_part(context, key, stkt); if (retval != 0) { *status = "2ND_TKT_DECRYPT"; goto cleanup; } - retval = get_verified_pac(kdc_context, stkt->enc_part2, server->princ, - key, local_tgt, local_tgt_key, pac_out); + retval = get_verified_pac(context, stkt->enc_part2, server->princ, key, + local_tgt, local_tgt_key, pac_out); if (retval != 0) { *status = "2ND_TKT_PAC"; goto cleanup; @@ -910,14 +897,14 @@ decrypt_2ndtkt(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, key = NULL; cleanup: - krb5_db_free_principal(kdc_context, server); - krb5_free_keyblock(kdc_context, key); + krb5_db_free_principal(context, server); + krb5_free_keyblock(context, key); return retval; } static krb5_error_code -get_2ndtkt_enctype(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, - krb5_enctype *useenctype, const char **status) +get_2ndtkt_enctype(krb5_kdc_req *req, krb5_enctype *useenctype, + const char **status) { krb5_enctype etype; krb5_ticket *stkt = req->second_ticket[0]; @@ -938,9 +925,8 @@ get_2ndtkt_enctype(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, } static krb5_error_code -gen_session_key(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, - krb5_db_entry *server, krb5_keyblock *skey, - const char **status) +gen_session_key(krb5_context context, krb5_kdc_req *req, krb5_db_entry *server, + krb5_keyblock *skey, const char **status) { krb5_error_code retval; krb5_enctype useenctype = 0; @@ -955,15 +941,13 @@ gen_session_key(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, * to anything else. */ if (req->kdc_options & KDC_OPT_ENC_TKT_IN_SKEY) { - retval = get_2ndtkt_enctype(kdc_active_realm, req, &useenctype, - status); + retval = get_2ndtkt_enctype(req, &useenctype, status); if (retval != 0) return retval; } if (useenctype == 0) { - useenctype = select_session_keytype(kdc_active_realm, server, - req->nktypes, - req->ktype); + useenctype = select_session_keytype(context, server, + req->nktypes, req->ktype); } if (useenctype == 0) { /* unsupported ktype */ @@ -971,7 +955,7 @@ gen_session_key(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, return KRB5KDC_ERR_ETYPE_NOSUPP; } - return krb5_c_make_random_key(kdc_context, useenctype, skey); + return krb5_c_make_random_key(context, useenctype, skey); } /* @@ -980,7 +964,7 @@ gen_session_key(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, * some intermediate realm. */ static krb5_error_code -find_alternate_tgs(kdc_realm_t *kdc_active_realm, krb5_principal princ, +find_alternate_tgs(krb5_context context, krb5_principal princ, krb5_db_entry **server_ptr, const char **status) { krb5_error_code retval; @@ -990,29 +974,26 @@ find_alternate_tgs(kdc_realm_t *kdc_active_realm, krb5_principal princ, *server_ptr = NULL; assert(is_cross_tgs_principal(princ)); - if ((retval = krb5_walk_realm_tree(kdc_context, - krb5_princ_realm(kdc_context, princ), - krb5_princ_component(kdc_context, princ, 1), - &plist, KRB5_REALM_BRANCH_CHAR))) { + retval = krb5_walk_realm_tree(context, &princ->realm, &princ->data[1], + &plist, KRB5_REALM_BRANCH_CHAR); + if (retval) goto cleanup; - } /* move to the end */ for (pl2 = plist; *pl2; pl2++); /* the first entry in this array is for krbtgt/local@local, so we ignore it */ while (--pl2 > plist) { - tmp = *krb5_princ_realm(kdc_context, *pl2); - krb5_princ_set_realm(kdc_context, *pl2, - krb5_princ_realm(kdc_context, princ)); - retval = db_get_svc_princ(kdc_context, *pl2, 0, &server, status); - krb5_princ_set_realm(kdc_context, *pl2, &tmp); + tmp = *krb5_princ_realm(context, *pl2); + krb5_princ_set_realm(context, *pl2, &princ->realm); + retval = db_get_svc_princ(context, *pl2, 0, &server, status); + krb5_princ_set_realm(context, *pl2, &tmp); if (retval == KRB5_KDB_NOENTRY) continue; else if (retval) goto cleanup; - log_tgs_alt_tgt(kdc_context, server->princ); + log_tgs_alt_tgt(context, server->princ); *server_ptr = server; server = NULL; goto cleanup; @@ -1023,8 +1004,8 @@ cleanup: if (retval != 0) *status = "UNKNOWN_SERVER"; - krb5_free_realm_tree(kdc_context, plist); - krb5_db_free_principal(kdc_context, server); + krb5_free_realm_tree(context, plist); + krb5_db_free_principal(context, server); return retval; } @@ -1051,12 +1032,12 @@ in_list(const char *list, const char *item) * TGT. The caller checks whether the hostname component looks like a FQDN. */ static krb5_boolean -is_referral_req(kdc_realm_t *kdc_active_realm, krb5_kdc_req *request) +is_referral_req(kdc_realm_t *realm, krb5_kdc_req *request) { krb5_boolean ret = FALSE; char *stype = NULL; - char *hostbased = kdc_active_realm->realm_hostbased; - char *no_referral = kdc_active_realm->realm_no_referral; + char *hostbased = realm->realm_hostbased; + char *no_referral = realm->realm_no_referral; if (!(request->kdc_options & KDC_OPT_CANONICALIZE)) return FALSE; @@ -1064,13 +1045,13 @@ is_referral_req(kdc_realm_t *kdc_active_realm, krb5_kdc_req *request) if (request->kdc_options & KDC_OPT_ENC_TKT_IN_SKEY) return FALSE; - if (krb5_princ_size(kdc_context, request->server) != 2) + if (request->server->length != 2) return FALSE; - stype = data2string(krb5_princ_component(kdc_context, request->server, 0)); + stype = data2string(&request->server->data[0]); if (stype == NULL) return FALSE; - switch (krb5_princ_type(kdc_context, request->server)) { + switch (request->server->type) { case KRB5_NT_UNKNOWN: /* Allow referrals for NT-UNKNOWN principals, if configured. */ if (!in_list(hostbased, stype) && !in_list(hostbased, "*")) @@ -1096,18 +1077,18 @@ cleanup: * principal. */ static krb5_int32 -find_referral_tgs(kdc_realm_t *kdc_active_realm, krb5_kdc_req *request, +find_referral_tgs(kdc_realm_t *realm, krb5_kdc_req *request, krb5_principal *krbtgt_princ) { + krb5_context context = realm->realm_context; krb5_error_code retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; char **realms = NULL, *hostname = NULL; krb5_data srealm = request->server->realm; - if (!is_referral_req(kdc_active_realm, request)) + if (!is_referral_req(realm, request)) goto cleanup; - hostname = data2string(krb5_princ_component(kdc_context, - request->server, 1)); + hostname = data2string(&request->server->data[1]); if (hostname == NULL) { retval = ENOMEM; goto cleanup; @@ -1115,10 +1096,10 @@ find_referral_tgs(kdc_realm_t *kdc_active_realm, krb5_kdc_req *request, /* If the hostname doesn't contain a '.', it's not a FQDN. */ if (strchr(hostname, '.') == NULL) goto cleanup; - retval = krb5_get_host_realm(kdc_context, hostname, &realms); + retval = krb5_get_host_realm(context, hostname, &realms); if (retval) { /* no match found */ - kdc_err(kdc_context, retval, "unable to find realm of host"); + kdc_err(context, retval, "unable to find realm of host"); goto cleanup; } /* Don't return a referral to the empty realm or the service realm. */ @@ -1127,11 +1108,11 @@ find_referral_tgs(kdc_realm_t *kdc_active_realm, krb5_kdc_req *request, retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; goto cleanup; } - retval = krb5_build_principal(kdc_context, krbtgt_princ, + retval = krb5_build_principal(context, krbtgt_princ, srealm.length, srealm.data, "krbtgt", realms[0], (char *)0); cleanup: - krb5_free_host_realm(kdc_context, realms); + krb5_free_host_realm(context, realms); free(hostname); return retval; @@ -1154,9 +1135,10 @@ db_get_svc_princ(krb5_context ctx, krb5_principal princ, } static krb5_error_code -search_sprinc(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, +search_sprinc(kdc_realm_t *realm, krb5_kdc_req *req, krb5_flags flags, krb5_db_entry **server, const char **status) { + krb5_context context = realm->realm_context; krb5_error_code ret; krb5_principal princ = req->server; krb5_principal reftgs = NULL; @@ -1168,21 +1150,21 @@ search_sprinc(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, if (!allow_referral) flags &= ~KRB5_KDB_FLAG_REFERRAL_OK; - ret = db_get_svc_princ(kdc_context, princ, flags, server, status); + ret = db_get_svc_princ(context, princ, flags, server, status); if (ret == 0 || ret != KRB5_KDB_NOENTRY || !allow_referral) goto cleanup; if (!is_cross_tgs_principal(req->server)) { - ret = find_referral_tgs(kdc_active_realm, req, &reftgs); + ret = find_referral_tgs(realm, req, &reftgs); if (ret != 0) goto cleanup; - ret = db_get_svc_princ(kdc_context, reftgs, flags, server, status); + ret = db_get_svc_princ(context, reftgs, flags, server, status); if (ret == 0 || ret != KRB5_KDB_NOENTRY) goto cleanup; princ = reftgs; } - ret = find_alternate_tgs(kdc_active_realm, princ, server, status); + ret = find_alternate_tgs(context, princ, server, status); cleanup: if (ret != 0 && ret != KRB5KDC_ERR_SVC_UNAVAILABLE) { @@ -1190,6 +1172,6 @@ cleanup: if (*status == NULL) *status = "LOOKING_UP_SERVER"; } - krb5_free_principal(kdc_context, reftgs); + krb5_free_principal(context, reftgs); return ret; } diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c index ff3338e407..9044a18449 100644 --- a/src/kdc/fast_util.c +++ b/src/kdc/fast_util.c @@ -39,53 +39,53 @@ static krb5_error_code armor_ap_request krb5_auth_context authcontext = NULL; krb5_ticket *ticket = NULL; krb5_keyblock *subkey = NULL; - kdc_realm_t *kdc_active_realm = state->realm_data; + kdc_realm_t *realm = state->realm_data; + krb5_context context = realm->realm_context; assert(armor->armor_type == KRB5_FAST_ARMOR_AP_REQUEST); - krb5_clear_error_message(kdc_context); - retval = krb5_auth_con_init(kdc_context, &authcontext); + krb5_clear_error_message(context); + retval = krb5_auth_con_init(context, &authcontext); + /*disable replay cache*/ if (retval == 0) - retval = krb5_auth_con_setflags(kdc_context, - authcontext, 0); /*disable replay cache*/ + retval = krb5_auth_con_setflags(context, authcontext, 0); if (retval == 0) - retval = krb5_rd_req(kdc_context, &authcontext, &armor->armor_value, - NULL /*server*/, kdc_active_realm->realm_keytab, + retval = krb5_rd_req(context, &authcontext, &armor->armor_value, + NULL /*server*/, realm->realm_keytab, NULL, &ticket); if (retval != 0) { - const char * errmsg = krb5_get_error_message(kdc_context, retval); - k5_setmsg(kdc_context, retval, _("%s while handling ap-request armor"), + const char * errmsg = krb5_get_error_message(context, retval); + k5_setmsg(context, retval, _("%s while handling ap-request armor"), errmsg); - krb5_free_error_message(kdc_context, errmsg); + krb5_free_error_message(context, errmsg); } if (retval == 0) { - if (!krb5_principal_compare_any_realm(kdc_context, - tgs_server, + if (!krb5_principal_compare_any_realm(context, realm->realm_tgsprinc, ticket->server)) { - k5_setmsg(kdc_context, KRB5KDC_ERR_SERVER_NOMATCH, + k5_setmsg(context, KRB5KDC_ERR_SERVER_NOMATCH, _("ap-request armor for something other than the local " "TGS")); retval = KRB5KDC_ERR_SERVER_NOMATCH; } } if (retval == 0) { - retval = krb5_auth_con_getrecvsubkey(kdc_context, authcontext, &subkey); + retval = krb5_auth_con_getrecvsubkey(context, authcontext, &subkey); if (retval != 0 || subkey == NULL) { - k5_setmsg(kdc_context, KRB5KDC_ERR_POLICY, + k5_setmsg(context, KRB5KDC_ERR_POLICY, _("ap-request armor without subkey")); retval = KRB5KDC_ERR_POLICY; } } if (retval == 0) - retval = krb5_c_fx_cf2_simple(kdc_context, + retval = krb5_c_fx_cf2_simple(context, subkey, "subkeyarmor", ticket->enc_part2->session, "ticketarmor", &state->armor_key); if (ticket) - krb5_free_ticket(kdc_context, ticket); + krb5_free_ticket(context, ticket); if (subkey) - krb5_free_keyblock(kdc_context, subkey); + krb5_free_keyblock(context, subkey); if (authcontext) - krb5_auth_con_free(kdc_context, authcontext); + krb5_auth_con_free(context, authcontext); return retval; } @@ -94,24 +94,24 @@ encrypt_fast_reply(struct kdc_request_state *state, const krb5_fast_response *response, krb5_data **fx_fast_reply) { + krb5_context context = state->realm_data->realm_context; krb5_error_code retval = 0; krb5_enc_data encrypted_reply; krb5_data *encoded_response = NULL; - kdc_realm_t *kdc_active_realm = state->realm_data; assert(state->armor_key); retval = encode_krb5_fast_response(response, &encoded_response); if (retval== 0) - retval = krb5_encrypt_helper(kdc_context, state->armor_key, + retval = krb5_encrypt_helper(context, state->armor_key, KRB5_KEYUSAGE_FAST_REP, encoded_response, &encrypted_reply); if (encoded_response) - krb5_free_data(kdc_context, encoded_response); + krb5_free_data(context, encoded_response); encoded_response = NULL; if (retval == 0) { retval = encode_krb5_pa_fx_fast_reply(&encrypted_reply, fx_fast_reply); - krb5_free_data_contents(kdc_context, &encrypted_reply.ciphertext); + krb5_free_data_contents(context, &encrypted_reply.ciphertext); } return retval; } @@ -131,6 +131,7 @@ kdc_find_fast(krb5_kdc_req **requestptr, struct kdc_request_state *state, krb5_data **inner_body_out) { + krb5_context context = state->realm_data->realm_context; krb5_error_code retval = 0; krb5_pa_data *fast_padata; krb5_data scratch, plaintext, *inner_body = NULL; @@ -140,15 +141,14 @@ kdc_find_fast(krb5_kdc_req **requestptr, krb5_checksum *cksum; krb5_boolean cksum_valid; krb5_keyblock empty_keyblock; - kdc_realm_t *kdc_active_realm = state->realm_data; if (inner_body_out != NULL) *inner_body_out = NULL; scratch.data = NULL; - krb5_clear_error_message(kdc_context); + krb5_clear_error_message(context); memset(&empty_keyblock, 0, sizeof(krb5_keyblock)); - fast_padata = krb5int_find_pa_data(kdc_context, - request->padata, KRB5_PADATA_FX_FAST); + fast_padata = krb5int_find_pa_data(context, request->padata, + KRB5_PADATA_FX_FAST); if (fast_padata != NULL){ scratch.length = fast_padata->length; scratch.data = (char *) fast_padata->contents; @@ -158,14 +158,14 @@ kdc_find_fast(krb5_kdc_req **requestptr, case KRB5_FAST_ARMOR_AP_REQUEST: if (tgs_subkey) { retval = KRB5KDC_ERR_PREAUTH_FAILED; - k5_setmsg(kdc_context, retval, + k5_setmsg(context, retval, _("Ap-request armor not permitted with TGS")); break; } retval = armor_ap_request(state, fast_armored_req->armor); break; default: - k5_setmsg(kdc_context, KRB5KDC_ERR_PREAUTH_FAILED, + k5_setmsg(context, KRB5KDC_ERR_PREAUTH_FAILED, _("Unknown FAST armor type %d"), fast_armored_req->armor->armor_type); retval = KRB5KDC_ERR_PREAUTH_FAILED; @@ -173,13 +173,13 @@ kdc_find_fast(krb5_kdc_req **requestptr, } if (retval == 0 && !state->armor_key) { if (tgs_subkey) - retval = krb5_c_fx_cf2_simple(kdc_context, + retval = krb5_c_fx_cf2_simple(context, tgs_subkey, "subkeyarmor", tgs_session, "ticketarmor", &state->armor_key); else { retval = KRB5KDC_ERR_PREAUTH_FAILED; - k5_setmsg(kdc_context, retval, + k5_setmsg(context, retval, _("No armor key but FAST armored request present")); } } @@ -188,8 +188,7 @@ kdc_find_fast(krb5_kdc_req **requestptr, plaintext.data = k5alloc(plaintext.length, &retval); } if (retval == 0) { - retval = krb5_c_decrypt(kdc_context, - state->armor_key, + retval = krb5_c_decrypt(context, state->armor_key, KRB5_KEYUSAGE_FAST_ENC, NULL, &fast_armored_req->enc_part, &plaintext); @@ -199,8 +198,7 @@ kdc_find_fast(krb5_kdc_req **requestptr, retval = fetch_asn1_field((unsigned char *)plaintext.data, 1, 2, &scratch); if (retval == 0) { - retval = krb5_copy_data(kdc_context, &scratch, - &inner_body); + retval = krb5_copy_data(context, &scratch, &inner_body); } } if (plaintext.data) @@ -208,19 +206,19 @@ kdc_find_fast(krb5_kdc_req **requestptr, } cksum = &fast_armored_req->req_checksum; if (retval == 0) - retval = krb5_c_verify_checksum(kdc_context, state->armor_key, + retval = krb5_c_verify_checksum(context, state->armor_key, KRB5_KEYUSAGE_FAST_REQ_CHKSUM, checksummed_data, cksum, &cksum_valid); if (retval == 0 && !cksum_valid) { retval = KRB5KRB_AP_ERR_MODIFIED; - k5_setmsg(kdc_context, retval, + k5_setmsg(context, retval, _("FAST req_checksum invalid; request modified")); } if (retval == 0) { if (!krb5_c_is_keyed_cksum(cksum->checksum_type)) { retval = KRB5KDC_ERR_POLICY; - k5_setmsg(kdc_context, retval, + k5_setmsg(context, retval, _("Unkeyed checksum used in fast_req")); } } @@ -231,7 +229,7 @@ kdc_find_fast(krb5_kdc_req **requestptr, if (retval == 0) { state->fast_options = fast_req->fast_options; fast_req->req_body->msg_type = request->msg_type; - krb5_free_kdc_req( kdc_context, request); + krb5_free_kdc_req(context, request); *requestptr = fast_req->req_body; fast_req->req_body = NULL; } @@ -240,11 +238,11 @@ kdc_find_fast(krb5_kdc_req **requestptr, *inner_body_out = inner_body; inner_body = NULL; } - krb5_free_data(kdc_context, inner_body); + krb5_free_data(context, inner_body); if (fast_req) - krb5_free_fast_req( kdc_context, fast_req); + krb5_free_fast_req(context, fast_req); if (fast_armored_req) - krb5_free_fast_armored_req(kdc_context, fast_armored_req); + krb5_free_fast_armored_req(context, fast_armored_req); return retval; } @@ -264,12 +262,10 @@ kdc_make_rstate(kdc_realm_t *active_realm, struct kdc_request_state **out) void kdc_free_rstate (struct kdc_request_state *s) { - kdc_realm_t *kdc_active_realm = s->realm_data; - if (s->armor_key) - krb5_free_keyblock(kdc_context, s->armor_key); + krb5_free_keyblock(s->realm_data->realm_context, s->armor_key); if (s->strengthen_key) - krb5_free_keyblock(kdc_context, s->strengthen_key); + krb5_free_keyblock(s->realm_data->realm_context, s->strengthen_key); k5_zapfree_pa_data(s->in_cookie_padata); k5_zapfree_pa_data(s->out_cookie_padata); free(s); @@ -280,6 +276,7 @@ kdc_fast_response_handle_padata(struct kdc_request_state *state, krb5_kdc_req *request, krb5_kdc_rep *rep, krb5_enctype enctype) { + krb5_context context = state->realm_data->realm_context; krb5_error_code retval = 0; krb5_fast_finished finish; krb5_fast_response fast_response; @@ -289,14 +286,13 @@ kdc_fast_response_handle_padata(struct kdc_request_state *state, krb5_cksumtype cksumtype = CKSUMTYPE_RSA_MD5; krb5_pa_data *empty_padata[] = {NULL}; krb5_keyblock *strengthen_key = NULL; - kdc_realm_t *kdc_active_realm = state->realm_data; if (!state->armor_key) return 0; memset(&finish, 0, sizeof(finish)); - retval = krb5_init_keyblock(kdc_context, enctype, 0, &strengthen_key); + retval = krb5_init_keyblock(context, enctype, 0, &strengthen_key); if (retval == 0) - retval = krb5_c_make_random_key(kdc_context, enctype, strengthen_key); + retval = krb5_c_make_random_key(context, enctype, strengthen_key); if (retval == 0) { state->strengthen_key = strengthen_key; strengthen_key = NULL; @@ -316,16 +312,15 @@ kdc_fast_response_handle_padata(struct kdc_request_state *state, if (retval == 0 && pa == NULL) retval = ENOMEM; if (retval == 0) - retval = krb5_us_timeofday(kdc_context, &finish.timestamp, &finish.usec); + retval = krb5_us_timeofday(context, &finish.timestamp, &finish.usec); if (retval == 0) retval = encode_krb5_ticket(rep->ticket, &encoded_ticket); if (retval == 0) - retval = krb5int_c_mandatory_cksumtype(kdc_context, + retval = krb5int_c_mandatory_cksumtype(context, state->armor_key->enctype, &cksumtype); if (retval == 0) - retval = krb5_c_make_checksum(kdc_context, cksumtype, - state->armor_key, + retval = krb5_c_make_checksum(context, cksumtype, state->armor_key, KRB5_KEYUSAGE_FAST_FINISHED, encoded_ticket, &finish.ticket_checksum); if (retval == 0) @@ -335,7 +330,7 @@ kdc_fast_response_handle_padata(struct kdc_request_state *state, pa[0].length = encrypted_reply->length; pa[0].contents = (unsigned char *) encrypted_reply->data; pa_array[0] = &pa[0]; - krb5_free_pa_data(kdc_context, rep->padata); + krb5_free_pa_data(context, rep->padata); rep->padata = pa_array; pa_array = NULL; free(encrypted_reply); @@ -347,13 +342,13 @@ kdc_fast_response_handle_padata(struct kdc_request_state *state, if (pa_array) free(pa_array); if (encrypted_reply) - krb5_free_data(kdc_context, encrypted_reply); + krb5_free_data(context, encrypted_reply); if (encoded_ticket) - krb5_free_data(kdc_context, encoded_ticket); + krb5_free_data(context, encoded_ticket); if (strengthen_key != NULL) - krb5_free_keyblock(kdc_context, strengthen_key); + krb5_free_keyblock(context, strengthen_key); if (finish.ticket_checksum.contents) - krb5_free_checksum_contents(kdc_context, &finish.ticket_checksum); + krb5_free_checksum_contents(context, &finish.ticket_checksum); return retval; } @@ -379,7 +374,6 @@ kdc_fast_handle_error(krb5_context context, krb5_pa_data *outer_pa[3]; krb5_pa_data **inner_pa = NULL; size_t size = 0; - kdc_realm_t *kdc_active_realm = state->realm_data; *fast_edata_out = NULL; memset(outer_pa, 0, sizeof(outer_pa)); @@ -421,9 +415,9 @@ kdc_fast_handle_error(krb5_context context, } retval = encode_krb5_padata_sequence(outer_pa, fast_edata_out); if (encrypted_reply) - krb5_free_data(kdc_context, encrypted_reply); + krb5_free_data(context, encrypted_reply); if (encoded_fx_error) - krb5_free_data(kdc_context, encoded_fx_error); + krb5_free_data(context, encoded_fx_error); return retval; } @@ -432,16 +426,15 @@ kdc_fast_handle_reply_key(struct kdc_request_state *state, krb5_keyblock *existing_key, krb5_keyblock **out_key) { + krb5_context context = state->realm_data->realm_context; krb5_error_code retval = 0; - kdc_realm_t *kdc_active_realm = state->realm_data; if (state->armor_key) - retval = krb5_c_fx_cf2_simple(kdc_context, + retval = krb5_c_fx_cf2_simple(context, state->strengthen_key, "strengthenkey", - existing_key, - "replykey", out_key); + existing_key, "replykey", out_key); else - retval = krb5_copy_keyblock(kdc_context, existing_key, out_key); + retval = krb5_copy_keyblock(context, existing_key, out_key); return retval; } diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c index ce80ac3fe5..1cded64d8d 100644 --- a/src/kdc/kdc_authdata.c +++ b/src/kdc/kdc_authdata.c @@ -459,18 +459,17 @@ copy_pac_buffer(krb5_context context, uint32_t buffer_type, krb5_pac old_pac, * method can alter the auth indicator list. */ static krb5_error_code -handle_pac(kdc_realm_t *kdc_active_realm, unsigned int flags, - krb5_db_entry *client, krb5_db_entry *server, - krb5_db_entry *subject_server, krb5_db_entry *local_tgt, - krb5_keyblock *local_tgt_key, krb5_keyblock *server_key, - krb5_keyblock *subject_key, krb5_keyblock *replaced_reply_key, - krb5_enc_tkt_part *subject_tkt, krb5_pac subject_pac, - krb5_kdc_req *req, krb5_const_principal altcprinc, - krb5_timestamp authtime, krb5_enc_tkt_part *enc_tkt_reply, - krb5_data ***auth_indicators) +handle_pac(kdc_realm_t *realm, unsigned int flags, krb5_db_entry *client, + krb5_db_entry *server, krb5_db_entry *subject_server, + krb5_db_entry *local_tgt, krb5_keyblock *local_tgt_key, + krb5_keyblock *server_key, krb5_keyblock *subject_key, + krb5_keyblock *replaced_reply_key, krb5_enc_tkt_part *subject_tkt, + krb5_pac subject_pac, krb5_kdc_req *req, + krb5_const_principal altcprinc, krb5_timestamp authtime, + krb5_enc_tkt_part *enc_tkt_reply, krb5_data ***auth_indicators) { + krb5_context context = realm->realm_context; krb5_error_code ret; - krb5_context context = kdc_context; krb5_pac new_pac = NULL; krb5_const_principal pac_client = NULL; krb5_boolean with_realm, is_as_req = (req->msg_type == KRB5_AS_REQ); @@ -485,7 +484,7 @@ handle_pac(kdc_realm_t *kdc_active_realm, unsigned int flags, * or for an AS-REQ if the client requested not to get one, or for a * TGS-REQ if the subject ticket didn't contain one. */ - if (kdc_active_realm->realm_disable_pac || + if (realm->realm_disable_pac || (enc_tkt_reply->flags & TKT_FLG_ANONYMOUS) || (is_as_req && !include_pac_p(context, req)) || (!is_as_req && subject_pac == NULL)) { @@ -570,20 +569,20 @@ cleanup: } krb5_error_code -handle_authdata(kdc_realm_t *kdc_active_realm, unsigned int flags, - krb5_db_entry *client, krb5_db_entry *server, - krb5_db_entry *subject_server, krb5_db_entry *local_tgt, - krb5_keyblock *local_tgt_key, krb5_keyblock *client_key, - krb5_keyblock *server_key, krb5_keyblock *subject_key, - krb5_keyblock *replaced_reply_key, krb5_data *req_pkt, - krb5_kdc_req *req, krb5_const_principal altcprinc, - krb5_pac subject_pac, krb5_enc_tkt_part *enc_tkt_req, - krb5_data ***auth_indicators, krb5_enc_tkt_part *enc_tkt_reply) +handle_authdata(kdc_realm_t *realm, unsigned int flags, krb5_db_entry *client, + krb5_db_entry *server, krb5_db_entry *subject_server, + krb5_db_entry *local_tgt, krb5_keyblock *local_tgt_key, + krb5_keyblock *client_key, krb5_keyblock *server_key, + krb5_keyblock *subject_key, krb5_keyblock *replaced_reply_key, + krb5_data *req_pkt, krb5_kdc_req *req, + krb5_const_principal altcprinc, krb5_pac subject_pac, + krb5_enc_tkt_part *enc_tkt_req, krb5_data ***auth_indicators, + krb5_enc_tkt_part *enc_tkt_reply) { + krb5_context context = realm->realm_context; kdcauthdata_handle *h; krb5_error_code ret = 0; size_t i; - krb5_context context = kdc_active_realm->realm_context; if (req->msg_type == KRB5_TGS_REQ && req->authorization_data.ciphertext.data != NULL) { @@ -616,8 +615,8 @@ handle_authdata(kdc_realm_t *kdc_active_realm, unsigned int flags, return ret; } - return handle_pac(kdc_active_realm, flags, client, server, subject_server, - local_tgt, local_tgt_key, server_key, subject_key, + return handle_pac(realm, flags, client, server, subject_server, local_tgt, + local_tgt_key, server_key, subject_key, replaced_reply_key, enc_tkt_req, subject_pac, req, altcprinc, enc_tkt_reply->times.authtime, enc_tkt_reply, auth_indicators); diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c index 5d3dfd86c3..3752be6a46 100644 --- a/src/kdc/kdc_preauth.c +++ b/src/kdc/kdc_preauth.c @@ -873,7 +873,7 @@ cleanup: struct hint_state { kdc_hint_respond_fn respond; void *arg; - kdc_realm_t *realm; + krb5_context context; krb5_kdcpreauth_rock rock; krb5_kdc_req *request; @@ -888,14 +888,14 @@ struct hint_state { static void hint_list_finish(struct hint_state *state, krb5_error_code code) { + krb5_context context = state->context; kdc_hint_respond_fn oldrespond = state->respond; void *oldarg = state->arg; - kdc_realm_t *kdc_active_realm = state->realm; /* Add a freshness token if a preauth module requested it and the client * request indicates support for it. */ if (!code) - code = add_freshness_token(kdc_context, state->rock, &state->pa_data); + code = add_freshness_token(context, state->rock, &state->pa_data); if (!code) { if (state->pa_data == NULL) { @@ -908,7 +908,7 @@ hint_list_finish(struct hint_state *state, krb5_error_code code) state->pa_data = NULL; } - krb5_free_pa_data(kdc_context, state->pa_data); + krb5_free_pa_data(context, state->pa_data); free(state); (*oldrespond)(oldarg); } @@ -945,8 +945,8 @@ error: static void hint_list_next(struct hint_state *state) { + krb5_context context = state->context; preauth_system *ap = state->ap; - kdc_realm_t *kdc_active_realm = state->realm; if (ap->type == -1) { hint_list_finish(state, 0); @@ -960,7 +960,7 @@ hint_list_next(struct hint_state *state) state->pa_type = ap->type; if (ap->get_edata) { - ap->get_edata(kdc_context, state->request, &callbacks, state->rock, + ap->get_edata(context, state->request, &callbacks, state->rock, ap->moddata, ap->type, finish_get_edata, state); } else finish_get_edata(state, 0, NULL); @@ -976,7 +976,7 @@ get_preauth_hint_list(krb5_kdc_req *request, krb5_kdcpreauth_rock rock, krb5_pa_data ***e_data_out, kdc_hint_respond_fn respond, void *arg) { - kdc_realm_t *kdc_active_realm = rock->rstate->realm_data; + krb5_context context = rock->rstate->realm_data->realm_context; struct hint_state *state; *e_data_out = NULL; @@ -991,7 +991,7 @@ get_preauth_hint_list(krb5_kdc_req *request, krb5_kdcpreauth_rock rock, state->arg = arg; state->request = request; state->rock = rock; - state->realm = rock->rstate->realm_data; + state->context = context; state->e_data_out = e_data_out; state->pa_data = NULL; state->ap = preauth_systems; @@ -1000,7 +1000,7 @@ get_preauth_hint_list(krb5_kdc_req *request, krb5_kdcpreauth_rock rock, if (k5_add_empty_pa_data(&state->pa_data, KRB5_PADATA_FX_FAST) != 0) goto error; - if (add_etype_info(kdc_context, rock, &state->pa_data) != 0) + if (add_etype_info(context, rock, &state->pa_data) != 0) goto error; hint_list_next(state); @@ -1008,7 +1008,7 @@ get_preauth_hint_list(krb5_kdc_req *request, krb5_kdcpreauth_rock rock, error: if (state != NULL) - krb5_free_pa_data(kdc_context, state->pa_data); + krb5_free_pa_data(context, state->pa_data); free(state); (*respond)(arg); } diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 9f2a67d189..01a4fdb1b3 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -68,8 +68,7 @@ const int vague_errors = 1; const int vague_errors = 0; #endif -static krb5_error_code kdc_rd_ap_req(kdc_realm_t *kdc_active_realm, - krb5_ap_req *apreq, +static krb5_error_code kdc_rd_ap_req(kdc_realm_t *realm, krb5_ap_req *apreq, krb5_auth_context auth_context, krb5_db_entry **server, krb5_keyblock **tgskey); @@ -142,14 +141,13 @@ comp_cksum(krb5_context kcontext, krb5_data *source, krb5_ticket *ticket, /* If a header ticket is decrypted, *ticket_out is filled in even on error. */ krb5_error_code -kdc_process_tgs_req(kdc_realm_t *kdc_active_realm, - krb5_kdc_req *request, const krb5_fulladdr *from, - krb5_data *pkt, krb5_ticket **ticket_out, - krb5_db_entry **krbtgt_ptr, - krb5_keyblock **tgskey, - krb5_keyblock **subkey, +kdc_process_tgs_req(kdc_realm_t *realm, krb5_kdc_req *request, + const krb5_fulladdr *from, krb5_data *pkt, + krb5_ticket **ticket_out, krb5_db_entry **krbtgt_ptr, + krb5_keyblock **tgskey, krb5_keyblock **subkey, krb5_pa_data **pa_tgs_req) { + krb5_context context = realm->realm_context; krb5_pa_data * tmppa; krb5_ap_req * apreq; krb5_error_code retval; @@ -166,8 +164,7 @@ kdc_process_tgs_req(kdc_realm_t *kdc_active_realm, *krbtgt_ptr = NULL; *tgskey = NULL; - tmppa = krb5int_find_pa_data(kdc_context, - request->padata, KRB5_PADATA_AP_REQ); + tmppa = krb5int_find_pa_data(context, request->padata, KRB5_PADATA_AP_REQ); if (!tmppa) return KRB5KDC_ERR_PADATA_TYPE_NOSUPP; @@ -184,44 +181,46 @@ kdc_process_tgs_req(kdc_realm_t *kdc_active_realm, goto cleanup; } - if ((retval = krb5_auth_con_init(kdc_context, &auth_context))) + retval = krb5_auth_con_init(context, &auth_context); + if (retval) goto cleanup; /* Don't use a replay cache. */ - if ((retval = krb5_auth_con_setflags(kdc_context, auth_context, 0))) + retval = krb5_auth_con_setflags(context, auth_context, 0); + if (retval) goto cleanup; - if ((retval = krb5_auth_con_setaddrs(kdc_context, auth_context, NULL, - from->address)) ) + retval = krb5_auth_con_setaddrs(context, auth_context, NULL, + from->address); + if (retval) goto cleanup_auth_context; - retval = kdc_rd_ap_req(kdc_active_realm, - apreq, auth_context, &krbtgt, tgskey); + retval = kdc_rd_ap_req(realm, apreq, auth_context, &krbtgt, tgskey); if (retval) goto cleanup_auth_context; - if ((retval = krb5_auth_con_getrecvsubkey(kdc_context, - auth_context, subkey))) + retval = krb5_auth_con_getrecvsubkey(context, auth_context, subkey); + if (retval) goto cleanup_auth_context; - if ((retval = krb5_auth_con_getauthenticator(kdc_context, auth_context, - &authenticator))) + retval = krb5_auth_con_getauthenticator(context, auth_context, + &authenticator); + if (retval) goto cleanup_auth_context; - retval = krb5_find_authdata(kdc_context, - ticket->enc_part2->authorization_data, + retval = krb5_find_authdata(context, ticket->enc_part2->authorization_data, authenticator->authorization_data, KRB5_AUTHDATA_FX_ARMOR, &authdata); if (retval != 0) goto cleanup_authenticator; if (authdata&& authdata[0]) { - k5_setmsg(kdc_context, KRB5KDC_ERR_POLICY, + k5_setmsg(context, KRB5KDC_ERR_POLICY, "ticket valid only as FAST armor"); retval = KRB5KDC_ERR_POLICY; - krb5_free_authdata(kdc_context, authdata); + krb5_free_authdata(context, authdata); goto cleanup_authenticator; } - krb5_free_authdata(kdc_context, authdata); + krb5_free_authdata(context, authdata); /* Check for a checksum */ @@ -240,10 +239,10 @@ kdc_process_tgs_req(kdc_realm_t *kdc_active_realm, */ if (pkt && (fetch_asn1_field((unsigned char *) pkt->data, 1, 4, &scratch1) >= 0)) { - if (comp_cksum(kdc_context, &scratch1, ticket, his_cksum)) { + if (comp_cksum(context, &scratch1, ticket, his_cksum)) { if (!(retval = encode_krb5_kdc_req_body(request, &scratch))) - retval = comp_cksum(kdc_context, scratch, ticket, his_cksum); - krb5_free_data(kdc_context, scratch); + retval = comp_cksum(context, scratch, ticket, his_cksum); + krb5_free_data(context, scratch); if (retval) goto cleanup_authenticator; } @@ -254,14 +253,14 @@ kdc_process_tgs_req(kdc_realm_t *kdc_active_realm, krbtgt = NULL; cleanup_authenticator: - krb5_free_authenticator(kdc_context, authenticator); + krb5_free_authenticator(context, authenticator); cleanup_auth_context: - krb5_auth_con_free(kdc_context, auth_context); + krb5_auth_con_free(context, auth_context); cleanup: if (retval != 0) { - krb5_free_keyblock(kdc_context, *tgskey); + krb5_free_keyblock(context, *tgskey); *tgskey = NULL; } if (apreq->ticket->enc_part2 != NULL) { @@ -269,8 +268,8 @@ cleanup: *ticket_out = apreq->ticket; apreq->ticket = NULL; } - krb5_free_ap_req(kdc_context, apreq); - krb5_db_free_principal(kdc_context, krbtgt); + krb5_free_ap_req(context, apreq); + krb5_db_free_principal(context, krbtgt); return retval; } @@ -287,10 +286,11 @@ cleanup: */ static krb5_error_code -kdc_rd_ap_req(kdc_realm_t *kdc_active_realm, - krb5_ap_req *apreq, krb5_auth_context auth_context, - krb5_db_entry **server, krb5_keyblock **tgskey) +kdc_rd_ap_req(kdc_realm_t *realm, krb5_ap_req *apreq, + krb5_auth_context auth_context, krb5_db_entry **server, + krb5_keyblock **tgskey) { + krb5_context context = realm->realm_context; krb5_error_code retval; krb5_enctype search_enctype = apreq->ticket->enc_part.enctype; krb5_boolean match_enctype = 1; @@ -309,7 +309,7 @@ kdc_rd_ap_req(kdc_realm_t *kdc_active_realm, match_enctype = 0; } - retval = kdc_get_server_key(kdc_context, apreq->ticket, 0, match_enctype, + retval = kdc_get_server_key(context, apreq->ticket, 0, match_enctype, server, NULL, NULL); if (retval) return retval; @@ -317,22 +317,20 @@ kdc_rd_ap_req(kdc_realm_t *kdc_active_realm, *tgskey = NULL; kvno = apreq->ticket->enc_part.kvno; do { - krb5_free_keyblock(kdc_context, *tgskey); - retval = find_server_key(kdc_context, - *server, search_enctype, kvno, tgskey, &kvno); + krb5_free_keyblock(context, *tgskey); + retval = find_server_key(context, *server, search_enctype, kvno, + tgskey, &kvno); if (retval) continue; /* Make the TGS key available to krb5_rd_req_decoded_anyflag() */ - retval = krb5_auth_con_setuseruserkey(kdc_context, auth_context, - *tgskey); + retval = krb5_auth_con_setuseruserkey(context, auth_context, *tgskey); if (retval) return retval; - retval = krb5_rd_req_decoded_anyflag(kdc_context, &auth_context, apreq, + retval = krb5_rd_req_decoded_anyflag(context, &auth_context, apreq, apreq->ticket->server, - kdc_active_realm->realm_keytab, - NULL, NULL); + realm->realm_keytab, NULL, NULL); /* If the ticket was decrypted, don't try any more keys. */ if (apreq->ticket->enc_part2 != NULL) @@ -649,13 +647,12 @@ errcode_to_protocol(krb5_error_code code) /* Return -1 if the AS or TGS request is disallowed due to KDC policy on * anonymous tickets. */ int -check_anon(kdc_realm_t *kdc_active_realm, - krb5_principal client, krb5_principal server) +check_anon(kdc_realm_t *realm, krb5_principal client, krb5_principal server) { /* If restrict_anon is set, reject requests from anonymous clients to * server principals other than local TGTs. */ - if (kdc_active_realm->realm_restrict_anon && - krb5_principal_compare_any_realm(kdc_context, client, + if (realm->realm_restrict_anon && + krb5_principal_compare_any_realm(realm->realm_context, client, krb5_anonymous_principal()) && !is_local_tgs_principal(server)) return -1; @@ -669,11 +666,12 @@ check_anon(kdc_realm_t *kdc_active_realm, * as a com_err error number! */ int -validate_as_request(kdc_realm_t *kdc_active_realm, - krb5_kdc_req *request, krb5_db_entry *client, - krb5_db_entry *server, krb5_timestamp kdc_time, - const char **status, krb5_pa_data ***e_data) +validate_as_request(kdc_realm_t *realm, krb5_kdc_req *request, + krb5_db_entry *client, krb5_db_entry *server, + krb5_timestamp kdc_time, const char **status, + krb5_pa_data ***e_data) { + krb5_context context = realm->realm_context; krb5_error_code ret; /* @@ -747,14 +745,14 @@ validate_as_request(kdc_realm_t *kdc_active_realm, return(KDC_ERR_MUST_USE_USER2USER); } - if (check_anon(kdc_active_realm, client->princ, request->server) != 0) { + if (check_anon(realm, client->princ, request->server) != 0) { *status = "ANONYMOUS NOT ALLOWED"; return(KDC_ERR_POLICY); } /* Perform KDB module policy checks. */ - ret = krb5_db_check_policy_as(kdc_context, request, client, server, - kdc_time, status, e_data); + ret = krb5_db_check_policy_as(context, request, client, server, kdc_time, + status, e_data); if (ret && ret != KRB5_PLUGIN_OP_NOTSUPP) return errcode_to_protocol(ret); @@ -993,7 +991,7 @@ fetch_asn1_field(unsigned char *astream, unsigned int level, /* Return true if we believe server can support enctype as a session key. */ static krb5_boolean -dbentry_supports_enctype(kdc_realm_t *kdc_active_realm, krb5_db_entry *server, +dbentry_supports_enctype(krb5_context context, krb5_db_entry *server, krb5_enctype enctype) { krb5_error_code retval; @@ -1004,12 +1002,11 @@ dbentry_supports_enctype(kdc_realm_t *kdc_active_realm, krb5_db_entry *server, krb5_boolean in_list; /* Look up the supported session key enctypes list in the KDB. */ - retval = krb5_dbe_get_string(kdc_context, server, - KRB5_KDB_SK_SESSION_ENCTYPES, + retval = krb5_dbe_get_string(context, server, KRB5_KDB_SK_SESSION_ENCTYPES, &etypes_str); if (retval == 0 && etypes_str != NULL && *etypes_str != '\0') { /* Pass a fake profile key for tracing of unrecognized tokens. */ - retval = krb5int_parse_enctype_list(kdc_context, "KDB-session_etypes", + retval = krb5int_parse_enctype_list(context, "KDB-session_etypes", etypes_str, default_enctypes, &etypes); if (retval == 0 && etypes != NULL && etypes[0]) { @@ -1024,7 +1021,7 @@ dbentry_supports_enctype(kdc_realm_t *kdc_active_realm, krb5_db_entry *server, free(etypes); /* Assume the server supports any enctype it has a long-term key for. */ - return !krb5_dbe_find_enctype(kdc_context, server, enctype, -1, 0, &datap); + return !krb5_dbe_find_enctype(context, server, enctype, -1, 0, &datap); } /* @@ -1033,7 +1030,7 @@ dbentry_supports_enctype(kdc_realm_t *kdc_active_realm, krb5_db_entry *server, * requested, and what the KDC and the application server can support. */ krb5_enctype -select_session_keytype(kdc_realm_t *kdc_active_realm, krb5_db_entry *server, +select_session_keytype(krb5_context context, krb5_db_entry *server, int nktypes, krb5_enctype *ktype) { int i; @@ -1042,10 +1039,10 @@ select_session_keytype(kdc_realm_t *kdc_active_realm, krb5_db_entry *server, if (!krb5_c_valid_enctype(ktype[i])) continue; - if (!krb5_is_permitted_enctype(kdc_context, ktype[i])) + if (!krb5_is_permitted_enctype(context, ktype[i])) continue; - if (dbentry_supports_enctype(kdc_active_realm, server, ktype[i])) + if (dbentry_supports_enctype(context, server, ktype[i])) return ktype[i]; } @@ -1246,8 +1243,7 @@ verify_for_user_checksum(krb5_context context, * Legacy protocol transition (Windows 2003 and above) */ static krb5_error_code -kdc_process_for_user(kdc_realm_t *kdc_active_realm, - krb5_pa_data *pa_data, +kdc_process_for_user(krb5_context context, krb5_pa_data *pa_data, krb5_keyblock *tgs_session, krb5_pa_s4u_x509_user **s4u_x509_user, const char **status) @@ -1265,22 +1261,22 @@ kdc_process_for_user(kdc_realm_t *kdc_active_realm, return code; } - code = verify_for_user_checksum(kdc_context, tgs_session, for_user); + code = verify_for_user_checksum(context, tgs_session, for_user); if (code) { *status = "INVALID_S4U2SELF_CHECKSUM"; - krb5_free_pa_for_user(kdc_context, for_user); + krb5_free_pa_for_user(context, for_user); return code; } *s4u_x509_user = calloc(1, sizeof(krb5_pa_s4u_x509_user)); if (*s4u_x509_user == NULL) { - krb5_free_pa_for_user(kdc_context, for_user); + krb5_free_pa_for_user(context, for_user); return ENOMEM; } (*s4u_x509_user)->user_id.user = for_user->user; for_user->user = NULL; - krb5_free_pa_for_user(kdc_context, for_user); + krb5_free_pa_for_user(context, for_user); return 0; } @@ -1496,14 +1492,11 @@ is_client_db_alias(krb5_context context, const krb5_db_entry *entry, * local, look up the client and set *princ_ptr to its DB entry. */ krb5_error_code -kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm, - krb5_kdc_req *request, +kdc_process_s4u2self_req(krb5_context context, krb5_kdc_req *request, const krb5_db_entry *server, - krb5_keyblock *tgs_subkey, - krb5_keyblock *tgs_session, + krb5_keyblock *tgs_subkey, krb5_keyblock *tgs_session, krb5_pa_s4u_x509_user **s4u_x509_user, - krb5_db_entry **princ_ptr, - const char **status) + krb5_db_entry **princ_ptr, const char **status) { krb5_error_code code; krb5_pa_data *pa_data; @@ -1512,27 +1505,19 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm, *princ_ptr = NULL; - pa_data = krb5int_find_pa_data(kdc_context, - request->padata, KRB5_PADATA_S4U_X509_USER); + pa_data = krb5int_find_pa_data(context, request->padata, + KRB5_PADATA_S4U_X509_USER); if (pa_data != NULL) { - code = kdc_process_s4u_x509_user(kdc_context, - request, - pa_data, - tgs_subkey, - tgs_session, - s4u_x509_user, - status); + code = kdc_process_s4u_x509_user(context, request, pa_data, tgs_subkey, + tgs_session, s4u_x509_user, status); if (code != 0) return code; } else { - pa_data = krb5int_find_pa_data(kdc_context, - request->padata, KRB5_PADATA_FOR_USER); + pa_data = krb5int_find_pa_data(context, request->padata, + KRB5_PADATA_FOR_USER); if (pa_data != NULL) { - code = kdc_process_for_user(kdc_active_realm, - pa_data, - tgs_session, - s4u_x509_user, - status); + code = kdc_process_for_user(context, pa_data, tgs_session, + s4u_x509_user, status); if (code != 0) return code; } else @@ -1542,17 +1527,16 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm, if (data_eq(server->princ->realm, id->user->realm)) { if (id->subject_cert.length != 0) { - code = krb5_db_get_s4u_x509_principal(kdc_context, + code = krb5_db_get_s4u_x509_principal(context, &id->subject_cert, id->user, KRB5_KDB_FLAG_CLIENT, &princ); if (code == 0 && id->user->length == 0) { - krb5_free_principal(kdc_context, id->user); - code = krb5_copy_principal(kdc_context, princ->princ, - &id->user); + krb5_free_principal(context, id->user); + code = krb5_copy_principal(context, princ->princ, &id->user); } } else { - code = krb5_db_get_principal(kdc_context, id->user, + code = krb5_db_get_principal(context, id->user, KRB5_KDB_FLAG_CLIENT, &princ); } if (code == KRB5_KDB_NOENTRY) { @@ -1604,7 +1588,7 @@ s4u2self_forwardable(krb5_context context, krb5_db_entry *server, * supplied one; it must do so for a cross-realm request to be authorized. */ krb5_error_code -kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm, unsigned int flags, +kdc_process_s4u2proxy_req(krb5_context context, unsigned int flags, krb5_kdc_req *request, krb5_pac header_pac, const krb5_enc_tkt_part *t2enc, krb5_pac t2_pac, const krb5_db_entry *server, @@ -1621,14 +1605,14 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm, unsigned int flags, *stkt_pac_client = NULL; /* Check if the client supports resource-based constrained delegation. */ - errcode = kdc_get_pa_pac_rbcd(kdc_context, request->padata, &support_rbcd); + errcode = kdc_get_pa_pac_rbcd(context, request->padata, &support_rbcd); if (errcode) return errcode; /* For an RBCD final request, recover the reply ticket client name from * the evidence ticket PAC. */ if (flags & KRB5_KDB_FLAG_CROSS_REALM) { - if (get_pac_princ_with_realm(kdc_context, t2_pac, &t2_pac_princ, + if (get_pac_princ_with_realm(context, t2_pac, &t2_pac_princ, NULL) != 0) { *status = "RBCD_PAC_PRINC"; errcode = KRB5KDC_ERR_BADOPTION; @@ -1638,9 +1622,9 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm, unsigned int flags, } /* If both are in the same realm, try allowed_to_delegate first. */ - if (krb5_realm_compare(kdc_context, server->princ, request->server)) { + if (krb5_realm_compare(context, server->princ, request->server)) { - errcode = krb5_db_check_allowed_to_delegate(kdc_context, client_princ, + errcode = krb5_db_check_allowed_to_delegate(context, client_princ, server, request->server); if (errcode != KRB5KDC_ERR_BADOPTION && errcode != KRB5_PLUGIN_OP_NOTSUPP) @@ -1662,7 +1646,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm, unsigned int flags, goto done; } - errcode = krb5_db_allowed_to_delegate_from(kdc_context, client_princ, + errcode = krb5_db_allowed_to_delegate_from(context, client_princ, server_princ, header_pac, proxy); if (errcode == KRB5_PLUGIN_OP_NOTSUPP) { @@ -1678,26 +1662,24 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm, unsigned int flags, t2_pac_princ = NULL; done: - krb5_free_principal(kdc_context, t2_pac_princ); + krb5_free_principal(context, t2_pac_princ); return errcode; } krb5_error_code -kdc_check_transited_list(kdc_realm_t *kdc_active_realm, - const krb5_data *trans, - const krb5_data *realm1, - const krb5_data *realm2) +kdc_check_transited_list(krb5_context context, const krb5_data *trans, + const krb5_data *realm1, const krb5_data *realm2) { krb5_error_code code; /* Check against the KDB module. Treat this answer as authoritative if the * method is supported and doesn't explicitly pass control. */ - code = krb5_db_check_transited_realms(kdc_context, trans, realm1, realm2); + code = krb5_db_check_transited_realms(context, trans, realm1, realm2); if (code != KRB5_PLUGIN_OP_NOTSUPP && code != KRB5_PLUGIN_NO_HANDLE) return code; /* Check using krb5.conf [capaths] or hierarchical relationships. */ - return krb5_check_transited_list(kdc_context, trans, realm1, realm2); + return krb5_check_transited_list(context, trans, realm1, realm2); } krb5_boolean @@ -1715,12 +1697,9 @@ enctype_requires_etype_info_2(krb5_enctype enctype) } void -kdc_get_ticket_endtime(kdc_realm_t *kdc_active_realm, - krb5_timestamp starttime, - krb5_timestamp endtime, - krb5_timestamp till, - krb5_db_entry *client, - krb5_db_entry *server, +kdc_get_ticket_endtime(kdc_realm_t *realm, krb5_timestamp starttime, + krb5_timestamp endtime, krb5_timestamp till, + krb5_db_entry *client, krb5_db_entry *server, krb5_timestamp *out_endtime) { krb5_timestamp until; @@ -1741,8 +1720,8 @@ kdc_get_ticket_endtime(kdc_realm_t *kdc_active_realm, life = min(life, client->max_life); if (server->max_life != 0) life = min(life, server->max_life); - if (kdc_active_realm->realm_maxlife != 0) - life = min(life, kdc_active_realm->realm_maxlife); + if (realm->realm_maxlife != 0) + life = min(life, realm->realm_maxlife); *out_endtime = ts_incr(starttime, life); } diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h index 4aa8e7e425..070a27a0e1 100644 --- a/src/kdc/kdc_util.h +++ b/src/kdc/kdc_util.h @@ -84,9 +84,8 @@ validate_as_request (kdc_realm_t *, krb5_kdc_req *, krb5_db_entry *, const char **, krb5_pa_data ***); int -validate_tgs_request(kdc_realm_t *kdc_active_realm, - krb5_kdc_req *request, krb5_db_entry *server, - krb5_ticket *ticket, krb5_pac pac, +validate_tgs_request(kdc_realm_t *realm, krb5_kdc_req *request, + krb5_db_entry *server, krb5_ticket *ticket, krb5_pac pac, const krb5_ticket *stkt, krb5_pac stkt_pac, krb5_db_entry *stkt_server, krb5_timestamp kdc_time, krb5_pa_s4u_x509_user *s4u_x509_user, @@ -106,10 +105,8 @@ int fetch_asn1_field (unsigned char *, unsigned int, unsigned int, krb5_data *); krb5_enctype -select_session_keytype (kdc_realm_t *kdc_active_realm, - krb5_db_entry *server, - int nktypes, - krb5_enctype *ktypes); +select_session_keytype (krb5_context context, krb5_db_entry *server, + int nktypes, krb5_enctype *ktypes); void limit_string (char *name); @@ -226,24 +223,16 @@ get_auth_indicators(krb5_context context, krb5_enc_tkt_part *enc_tkt, krb5_data ***indicators_out); krb5_error_code -handle_authdata (kdc_realm_t *kdc_active_realm, - unsigned int flags, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_db_entry *subject_server, - krb5_db_entry *local_tgt, - krb5_keyblock *local_tgt_key, - krb5_keyblock *client_key, - krb5_keyblock *server_key, - krb5_keyblock *header_key, - krb5_keyblock *replaced_reply_key, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_const_principal altcprinc, - krb5_pac subject_pac, - krb5_enc_tkt_part *enc_tkt_request, - krb5_data ***auth_indicators, - krb5_enc_tkt_part *enc_tkt_reply); +handle_authdata(kdc_realm_t *realm, unsigned int flags, krb5_db_entry *client, + krb5_db_entry *server, krb5_db_entry *subject_server, + krb5_db_entry *local_tgt, krb5_keyblock *local_tgt_key, + krb5_keyblock *client_key, krb5_keyblock *server_key, + krb5_keyblock *header_key, krb5_keyblock *replaced_reply_key, + krb5_data *req_pkt, krb5_kdc_req *request, + krb5_const_principal altcprinc, krb5_pac subject_pac, + krb5_enc_tkt_part *enc_tkt_request, + krb5_data ***auth_indicators, + krb5_enc_tkt_part *enc_tkt_reply); /* replay.c */ krb5_error_code kdc_init_lookaside(krb5_context context); @@ -278,14 +267,11 @@ return_enc_padata(krb5_context context, krb5_boolean is_referral); krb5_error_code -kdc_process_s4u2self_req (kdc_realm_t *kdc_active_realm, - krb5_kdc_req *request, - const krb5_db_entry *server, - krb5_keyblock *tgs_subkey, - krb5_keyblock *tgs_session, - krb5_pa_s4u_x509_user **s4u2self_req, - krb5_db_entry **princ_ptr, - const char **status); +kdc_process_s4u2self_req(krb5_context context, krb5_kdc_req *request, + const krb5_db_entry *server, + krb5_keyblock *tgs_subkey, krb5_keyblock *tgs_session, + krb5_pa_s4u_x509_user **s4u2self_req, + krb5_db_entry **princ_ptr, const char **status); krb5_error_code s4u2self_forwardable(krb5_context context, krb5_db_entry *server, @@ -300,7 +286,7 @@ kdc_make_s4u2self_rep (krb5_context context, krb5_enc_kdc_rep_part *reply_encpart); krb5_error_code -kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm, unsigned int flags, +kdc_process_s4u2proxy_req(krb5_context context, unsigned int flags, krb5_kdc_req *request, krb5_pac header_pac, const krb5_enc_tkt_part *t2enc, krb5_pac t2_pac, const krb5_db_entry *server, @@ -311,18 +297,13 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm, unsigned int flags, const char **status); krb5_error_code -kdc_check_transited_list (kdc_realm_t *kdc_active_realm, - const krb5_data *trans, - const krb5_data *realm1, - const krb5_data *realm2); +kdc_check_transited_list(krb5_context context, const krb5_data *trans, + const krb5_data *realm1, const krb5_data *realm2); void -kdc_get_ticket_endtime(kdc_realm_t *kdc_active_realm, - krb5_timestamp now, - krb5_timestamp endtime, - krb5_timestamp till, - krb5_db_entry *client, - krb5_db_entry *server, +kdc_get_ticket_endtime(kdc_realm_t *realm, krb5_timestamp now, + krb5_timestamp endtime, krb5_timestamp till, + krb5_db_entry *client, krb5_db_entry *server, krb5_timestamp *out_endtime); void @@ -545,8 +526,8 @@ struct krb5_kdcpreauth_rock_st { /* Copy appropriate header ticket flags to new ticket. */ #define COPY_TKT_FLAGS(x) (x & TGS_COPIED_FLAGS_MASK) -int check_anon(kdc_realm_t *kdc_active_realm, - krb5_principal client, krb5_principal server); +int check_anon(kdc_realm_t *realm, krb5_principal client, + krb5_principal server); int errcode_to_protocol(krb5_error_code code); char *data2string(krb5_data *d); diff --git a/src/kdc/realm_data.h b/src/kdc/realm_data.h index 2d669154f4..68eed771d5 100644 --- a/src/kdc/realm_data.h +++ b/src/kdc/realm_data.h @@ -85,12 +85,4 @@ struct server_handle { kdc_realm_t *find_realm_data(struct server_handle *, char *, krb5_ui_4); kdc_realm_t *setup_server_realm(struct server_handle *, krb5_principal); -/* - * These macros used to refer to a global pointer to the active realm state - * structure for a request. They now refer to a local variable that must be - * properly declared in each function that uses these macros. - */ -#define kdc_context kdc_active_realm->realm_context -#define tgs_server kdc_active_realm->realm_tgsprinc - #endif /* REALM_DATA_H */ diff --git a/src/kdc/tgs_policy.c b/src/kdc/tgs_policy.c index f33ad504f4..dfa836a132 100644 --- a/src/kdc/tgs_policy.c +++ b/src/kdc/tgs_policy.c @@ -259,18 +259,19 @@ check_tgs_lineage(krb5_db_entry *server, krb5_ticket *tkt, } static int -check_tgs_s4u2self(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, +check_tgs_s4u2self(kdc_realm_t *realm, krb5_kdc_req *req, krb5_db_entry *server, krb5_ticket *tkt, krb5_pac pac, krb5_timestamp kdc_time, krb5_pa_s4u_x509_user *s4u_x509_user, krb5_db_entry *client, krb5_boolean is_crossrealm, krb5_boolean is_referral, const char **status, krb5_pa_data ***e_data) { + krb5_context context = realm->realm_context; krb5_db_entry empty_server = { 0 }; /* If the server is local, check that the request is for self. */ if (!is_referral && - !is_client_db_alias(kdc_context, server, tkt->enc_part2->client)) { + !is_client_db_alias(context, server, tkt->enc_part2->client)) { *status = "INVALID_S4U2SELF_REQUEST_SERVER_MISMATCH"; return KRB_AP_ERR_BADMATCH; } @@ -333,7 +334,7 @@ check_tgs_s4u2self(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, if (client != NULL) { /* The header ticket PAC must be for the impersonator. */ - if (krb5_pac_verify(kdc_context, pac, tkt->enc_part2->times.authtime, + if (krb5_pac_verify(context, pac, tkt->enc_part2->times.authtime, tkt->enc_part2->client, NULL, NULL) != 0) { *status = "S4U2SELF_LOCAL_PAC_CLIENT"; return KDC_ERR_BADOPTION; @@ -341,12 +342,11 @@ check_tgs_s4u2self(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, /* Validate the client policy. Use an empty server principal to bypass * server policy checks. */ - return validate_as_request(kdc_active_realm, req, client, - &empty_server, kdc_time, status, e_data); + return validate_as_request(realm, req, client, &empty_server, kdc_time, + status, e_data); } else { /* The header ticket PAC must be for the subject, with realm. */ - if (krb5_pac_verify_ext(kdc_context, pac, - tkt->enc_part2->times.authtime, + if (krb5_pac_verify_ext(context, pac, tkt->enc_part2->times.authtime, s4u_x509_user->user_id.user, NULL, NULL, TRUE) != 0) { *status = "S4U2SELF_FOREIGN_PAC_CLIENT"; @@ -421,7 +421,7 @@ cleanup: } static int -check_tgs_s4u2proxy(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, +check_tgs_s4u2proxy(krb5_context context, krb5_kdc_req *req, krb5_db_entry *server, krb5_ticket *tkt, krb5_pac pac, const krb5_ticket *stkt, krb5_pac stkt_pac, krb5_db_entry *stkt_server, krb5_boolean is_crossrealm, @@ -455,7 +455,7 @@ check_tgs_s4u2proxy(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, *status = "S4U2PROXY_NO_HEADER_PAC"; return KDC_ERR_TGT_REVOKED; } - if (krb5_pac_verify(kdc_context, pac, tkt->enc_part2->times.authtime, + if (krb5_pac_verify(context, pac, tkt->enc_part2->times.authtime, tkt->enc_part2->client, NULL, NULL) != 0) { *status = "S4U2PROXY_HEADER_PAC"; return KDC_ERR_BADOPTION; @@ -475,7 +475,7 @@ check_tgs_s4u2proxy(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, if (!is_crossrealm) { /* For an initial or same-realm request, the second ticket server and * header ticket client must be the same principal. */ - if (!is_client_db_alias(kdc_context, stkt_server, + if (!is_client_db_alias(context, stkt_server, tkt->enc_part2->client)) { *status = "EVIDENCE_TICKET_MISMATCH"; return KDC_ERR_SERVER_NOMATCH; @@ -483,8 +483,7 @@ check_tgs_s4u2proxy(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, /* The second ticket client and PAC client are the subject, and must * match. */ - if (krb5_pac_verify(kdc_context, stkt_pac, - stkt->enc_part2->times.authtime, + if (krb5_pac_verify(context, stkt_pac, stkt->enc_part2->times.authtime, stkt->enc_part2->client, NULL, NULL) != 0) { *status = "S4U2PROXY_LOCAL_STKT_PAC"; return KDC_ERR_BADOPTION; @@ -499,7 +498,7 @@ check_tgs_s4u2proxy(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, */ if (is_referral || !is_cross_tgs_principal(stkt_server->princ) || !data_eq(stkt_server->princ->data[1], server->princ->realm) || - !krb5_principal_compare(kdc_context, stkt->enc_part2->client, + !krb5_principal_compare(context, stkt->enc_part2->client, tkt->enc_part2->client)) { *status = "XREALM_EVIDENCE_TICKET_MISMATCH"; return KDC_ERR_BADOPTION; @@ -508,7 +507,7 @@ check_tgs_s4u2proxy(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, /* The second ticket PAC must be present and for the impersonated * client, with delegation info. */ if (stkt_pac == NULL || - verify_deleg_pac(kdc_context, stkt_pac, stkt->enc_part2, + verify_deleg_pac(context, stkt_pac, stkt->enc_part2, req->server) != 0) { *status = "S4U2PROXY_CROSS_STKT_PAC"; return KDC_ERR_BADOPTION; @@ -519,9 +518,8 @@ check_tgs_s4u2proxy(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, } static int -check_tgs_u2u(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, - const krb5_ticket *stkt, krb5_db_entry *server, - const char **status) +check_tgs_u2u(krb5_context context, krb5_kdc_req *req, const krb5_ticket *stkt, + krb5_db_entry *server, const char **status) { /* A second ticket must be present in the request. */ if (stkt == NULL) { @@ -537,7 +535,7 @@ check_tgs_u2u(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, } /* The second ticket client must match the requested server. */ - if (!is_client_db_alias(kdc_context, server, stkt->enc_part2->client)) { + if (!is_client_db_alias(context, server, stkt->enc_part2->client)) { *status = "2ND_TKT_MISMATCH"; return KDC_ERR_SERVER_NOMATCH; } @@ -577,10 +575,10 @@ check_normal_tgs_pac(krb5_context context, krb5_enc_tkt_part *enc_tkt, * matches requested service principal) */ static int -check_tgs_nontgt(kdc_realm_t *kdc_active_realm, - krb5_kdc_req *req, krb5_ticket *tkt, const char **status) +check_tgs_nontgt(krb5_context context, krb5_kdc_req *req, krb5_ticket *tkt, + const char **status) { - if (!krb5_principal_compare(kdc_context, tkt->server, req->server)) { + if (!krb5_principal_compare(context, tkt->server, req->server)) { *status = "SERVER DIDN'T MATCH TICKET FOR RENEW/FORWARD/ETC"; return KDC_ERR_SERVER_NOMATCH; } @@ -598,8 +596,7 @@ check_tgs_nontgt(kdc_realm_t *kdc_active_realm, * principal). */ static int -check_tgs_tgt(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, - krb5_ticket *tkt, const char **status) +check_tgs_tgt(krb5_kdc_req *req, krb5_ticket *tkt, const char **status) { /* Make sure it's a TGS principal. */ if (!krb5_is_tgs_principal(tkt->server)) { @@ -607,8 +604,7 @@ check_tgs_tgt(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, return KRB_AP_ERR_NOT_US; } /* TGS principal second component must match service realm. */ - if (!data_eq(*krb5_princ_component(kdc_context, tkt->server, 1), - *krb5_princ_realm(kdc_context, req->server))) { + if (!data_eq(tkt->server->data[1], req->server->realm)) { *status = "BAD TGS SERVER INSTANCE"; return KRB_AP_ERR_NOT_US; } @@ -616,9 +612,8 @@ check_tgs_tgt(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, } int -validate_tgs_request(kdc_realm_t *kdc_active_realm, - krb5_kdc_req *request, krb5_db_entry *server, - krb5_ticket *ticket, krb5_pac pac, +validate_tgs_request(kdc_realm_t *realm, krb5_kdc_req *request, + krb5_db_entry *server, krb5_ticket *ticket, krb5_pac pac, const krb5_ticket *stkt, krb5_pac stkt_pac, krb5_db_entry *stkt_server, krb5_timestamp kdc_time, krb5_pa_s4u_x509_user *s4u_x509_user, @@ -626,6 +621,7 @@ validate_tgs_request(kdc_realm_t *kdc_active_realm, krb5_boolean is_crossrealm, krb5_boolean is_referral, const char **status, krb5_pa_data ***e_data) { + krb5_context context = realm->realm_context; int errcode; krb5_error_code ret; @@ -645,9 +641,9 @@ validate_tgs_request(kdc_realm_t *kdc_active_realm, return errcode; if (request->kdc_options & NON_TGT_OPTION) - errcode = check_tgs_nontgt(kdc_active_realm, request, ticket, status); + errcode = check_tgs_nontgt(context, request, ticket, status); else - errcode = check_tgs_tgt(kdc_active_realm, request, ticket, status); + errcode = check_tgs_tgt(request, ticket, status); if (errcode != 0) return errcode; @@ -658,10 +654,10 @@ validate_tgs_request(kdc_realm_t *kdc_active_realm, } if (s4u_x509_user != NULL) { - errcode = check_tgs_s4u2self(kdc_active_realm, request, server, ticket, - pac, kdc_time, s4u_x509_user, - s4u2self_client, is_crossrealm, - is_referral, status, e_data); + errcode = check_tgs_s4u2self(realm, request, server, ticket, pac, + kdc_time, s4u_x509_user, s4u2self_client, + is_crossrealm, is_referral, status, + e_data); } else { errcode = check_tgs_lineage(server, ticket, is_crossrealm, status); } @@ -669,34 +665,32 @@ validate_tgs_request(kdc_realm_t *kdc_active_realm, return errcode; if (request->kdc_options & KDC_OPT_ENC_TKT_IN_SKEY) { - errcode = check_tgs_u2u(kdc_active_realm, request, stkt, server, - status); + errcode = check_tgs_u2u(context, request, stkt, server, status); if (errcode != 0) return errcode; } if (request->kdc_options & KDC_OPT_CNAME_IN_ADDL_TKT) { - errcode = check_tgs_s4u2proxy(kdc_active_realm, request, server, - ticket, pac, stkt, stkt_pac, stkt_server, + errcode = check_tgs_s4u2proxy(context, request, server, ticket, pac, + stkt, stkt_pac, stkt_server, is_crossrealm, is_referral, status); if (errcode != 0) return errcode; } else if (s4u_x509_user == NULL) { - errcode = check_normal_tgs_pac(kdc_context, ticket->enc_part2, pac, - server, is_crossrealm, status); + errcode = check_normal_tgs_pac(context, ticket->enc_part2, pac, server, + is_crossrealm, status); if (errcode != 0) return errcode; } - if (check_anon(kdc_active_realm, ticket->enc_part2->client, - request->server) != 0) { + if (check_anon(realm, ticket->enc_part2->client, request->server) != 0) { *status = "ANONYMOUS NOT ALLOWED"; return(KDC_ERR_POLICY); } /* Perform KDB module policy checks. */ - ret = krb5_db_check_policy_tgs(kdc_context, request, server, ticket, - status, e_data); + ret = krb5_db_check_policy_tgs(context, request, server, ticket, status, + e_data); if (ret && ret != KRB5_PLUGIN_OP_NOTSUPP) return errcode_to_protocol(ret);