From 4325964a5d472422cb0a1600676787d7bcfde5d2 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Sat, 27 Sep 2014 16:14:02 -0400 Subject: [PATCH] Modernize kdc_authdata.c Adjust whitespace, identifier names, and in some cases flow control. No functional changes. --- src/kdc/kdc_authdata.c | 670 +++++++++++++++++------------------------ 1 file changed, 282 insertions(+), 388 deletions(-) diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c index afe18f086d..704e130633 100644 --- a/src/kdc/kdc_authdata.c +++ b/src/kdc/kdc_authdata.c @@ -105,26 +105,22 @@ unload_authdata_plugins(krb5_context context) return 0; } -/* - * Returns TRUE if authdata should be filtered when copying from - * untrusted authdata. - */ +/* Return true if authdata should be filtered when copying from untrusted + * authdata. If desired_type is non-zero, look only for that type. */ static krb5_boolean -is_kdc_issued_authdatum (krb5_context context, - krb5_authdata *authdata, - krb5_authdatatype desired_type) +is_kdc_issued_authdatum(krb5_context context, krb5_authdata *authdata, + krb5_authdatatype desired_type) { - krb5_boolean ret = FALSE; + krb5_boolean result = FALSE; krb5_authdatatype ad_type; unsigned int i, count = 0; - krb5_authdatatype *ad_types = NULL; + krb5_authdatatype *ad_types, *containee_types = NULL; if (authdata->ad_type == KRB5_AUTHDATA_IF_RELEVANT) { - if (krb5int_get_authdata_containee_types(context, - authdata, - &count, - &ad_types) != 0) + if (krb5int_get_authdata_containee_types(context, authdata, &count, + &containee_types) != 0) goto cleanup; + ad_types = containee_types; } else { ad_type = authdata->ad_type; count = 1; @@ -136,79 +132,66 @@ is_kdc_issued_authdatum (krb5_context context, case KRB5_AUTHDATA_SIGNTICKET: case KRB5_AUTHDATA_KDC_ISSUED: case KRB5_AUTHDATA_WIN2K_PAC: - ret = desired_type ? (desired_type == ad_types[i]) : TRUE; + result = desired_type ? (desired_type == ad_types[i]) : TRUE; break; default: - ret = FALSE; + result = FALSE; break; } - if (ret) + if (result) break; } cleanup: - if (authdata->ad_type == KRB5_AUTHDATA_IF_RELEVANT && - ad_types != NULL) - free(ad_types); - - return ret; + free(containee_types); + return result; } +/* Return true if authdata contains any elements which should only come from + * the KDC. If desired_type is non-zero, look only for that type. */ static krb5_boolean -has_kdc_issued_authdata (krb5_context context, - krb5_authdata **authdata, - krb5_authdatatype desired_type) +has_kdc_issued_authdata(krb5_context context, krb5_authdata **authdata, + krb5_authdatatype desired_type) { int i; - krb5_boolean ret = FALSE; - if (authdata != NULL) { - for (i = 0; authdata[i] != NULL; i++) { - if (is_kdc_issued_authdatum(context, authdata[i], desired_type)) { - ret = TRUE; - break; - } - } + if (authdata == NULL) + return FALSE; + for (i = 0; authdata[i] != NULL; i++) { + if (is_kdc_issued_authdatum(context, authdata[i], desired_type)) + return TRUE; } - - return ret; + return FALSE; } +/* Return true if authdata contains any mandatory-for-KDC elements. */ static krb5_boolean -has_mandatory_for_kdc_authdata (krb5_context context, - krb5_authdata **authdata) +has_mandatory_for_kdc_authdata(krb5_context context, krb5_authdata **authdata) { int i; - krb5_boolean ret = FALSE; - if (authdata != NULL) { - for (i = 0; authdata[i] != NULL; i++) { - if (authdata[i]->ad_type == KRB5_AUTHDATA_MANDATORY_FOR_KDC) { - ret = TRUE; - break; - } - } + if (authdata == NULL) + return FALSE; + for (i = 0; authdata[i] != NULL; i++) { + if (authdata[i]->ad_type == KRB5_AUTHDATA_MANDATORY_FOR_KDC) + return TRUE; } - - return ret; + return FALSE; } /* - * Merge authdata. - * - * If copy is FALSE, in_authdata is invalid on successful return. - * If ignore_kdc_issued is TRUE, KDC-issued authdata is not copied. + * Add the elements of in_authdata to out_authdata. If copy is false, + * in_authdata is invalid on successful return. If ignore_kdc_issued is true, + * KDC-issued authdata is not copied. */ static krb5_error_code -merge_authdata (krb5_context context, - krb5_authdata **in_authdata, - krb5_authdata ***out_authdata, - krb5_boolean copy, - krb5_boolean ignore_kdc_issued) +merge_authdata(krb5_context context, krb5_authdata **in_authdata, + krb5_authdata ***out_authdata, krb5_boolean copy, + krb5_boolean ignore_kdc_issued) { + krb5_error_code ret; size_t i, j, nadata = 0; krb5_authdata **in_copy = NULL, **authdata = *out_authdata; - krb5_error_code code; if (in_authdata == NULL || in_authdata[0] == NULL) return 0; @@ -222,9 +205,9 @@ merge_authdata (krb5_context context, ; if (copy) { - code = krb5_copy_authdata(context, in_authdata, &in_copy); - if (code != 0) - return code; + ret = krb5_copy_authdata(context, in_authdata, &in_copy); + if (ret) + return ret; in_authdata = in_copy; } @@ -239,8 +222,9 @@ merge_authdata (krb5_context context, is_kdc_issued_authdatum(context, in_authdata[i], 0)) { free(in_authdata[i]->contents); free(in_authdata[i]); - } else + } else { authdata[nadata + j++] = in_authdata[i]; + } } authdata[nadata + j] = NULL; @@ -260,69 +244,57 @@ merge_authdata (krb5_context context, /* Copy TGS-REQ authorization data into the ticket authdata. */ static krb5_error_code copy_request_authdata(krb5_context context, krb5_keyblock *client_key, - krb5_kdc_req *request, - krb5_enc_tkt_part *enc_tkt_request, + krb5_kdc_req *req, krb5_enc_tkt_part *enc_tkt_req, krb5_authdata ***tkt_authdata) { - krb5_error_code code; - krb5_data scratch; + krb5_error_code ret; + krb5_data plaintext; - assert(enc_tkt_request != NULL); + assert(enc_tkt_req != NULL); - scratch.length = request->authorization_data.ciphertext.length; - scratch.data = malloc(scratch.length); - if (scratch.data == NULL) - return ENOMEM; + ret = alloc_data(&plaintext, req->authorization_data.ciphertext.length); + if (ret) + return ret; /* - * RFC 4120 requires authdata in the TGS body to be encrypted in - * the subkey with usage 5 if a subkey is present, and in the TGS - * session key with key usage 4 if it is not. Prior to krb5 1.7, - * we got this wrong, always decrypting the authorization data - * with the TGS session key and usage 4. For the sake of - * conservatism, try the decryption the old way (wrong if - * client_key is a subkey) first, and then try again the right way - * (in the case where client_key is a subkey) if the first way - * fails. - */ - code = krb5_c_decrypt(context, - enc_tkt_request->session, - KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY, - 0, &request->authorization_data, - &scratch); - if (code != 0) - code = krb5_c_decrypt(context, - client_key, - KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY, - 0, &request->authorization_data, - &scratch); - - if (code != 0) { - free(scratch.data); - return code; - } - - /* scratch now has the authorization data, so we decode it, and make - * it available to subsequent authdata plugins + * RFC 4120 requires authdata in the TGS body to be encrypted in the subkey + * with usage 5 if a subkey is present, and in the TGS session key with key + * usage 4 if it is not. Prior to krb5 1.7, we got this wrong, always + * decrypting the authorization data with the TGS session key and usage 4. + * For the sake of conservatism, try the decryption the old way (wrong if + * client_key is a subkey) first, and then try again the right way (in the + * case where client_key is a subkey) if the first way fails. */ - code = decode_krb5_authdata(&scratch, &request->unenc_authdata); - if (code != 0) { - free(scratch.data); - return code; + ret = krb5_c_decrypt(context, enc_tkt_req->session, + KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY, 0, + &req->authorization_data, &plaintext); + if (ret) { + ret = krb5_c_decrypt(context, client_key, + KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY, 0, + &req->authorization_data, &plaintext); } + if (ret) + goto cleanup; - free(scratch.data); + /* Decode the decrypted authdata and make it available to modules in the + * request. */ + ret = decode_krb5_authdata(&plaintext, &req->unenc_authdata); + if (ret) + goto cleanup; - if (has_mandatory_for_kdc_authdata(context, request->unenc_authdata)) - return KRB5KDC_ERR_POLICY; + if (has_mandatory_for_kdc_authdata(context, req->unenc_authdata)) { + ret = KRB5KDC_ERR_POLICY; + goto cleanup; + } - code = merge_authdata(context, - request->unenc_authdata, - tkt_authdata, - TRUE, /* copy */ - TRUE); /* ignore_kdc_issued */ + /* Add a copy of the requested authdata to the ticket, ignoring KDC-issued + * types. */ + ret = merge_authdata(context, req->unenc_authdata, tkt_authdata, TRUE, + TRUE); - return code; +cleanup: + free(plaintext.data); + return ret; } /* Copy TGT authorization data into the ticket authdata. */ @@ -333,11 +305,9 @@ copy_tgt_authdata(krb5_context context, krb5_kdc_req *request, if (has_mandatory_for_kdc_authdata(context, tgt_authdata)) return KRB5KDC_ERR_POLICY; - return merge_authdata(context, - tgt_authdata, - tkt_authdata, - TRUE, /* copy */ - TRUE); /* ignore_kdc_issued */ + /* Add a copy of the TGT authdata to the ticket, ignoring KDC-issued + * types. */ + return merge_authdata(context, tgt_authdata, tkt_authdata, TRUE, TRUE); } /* Fetch authorization data from KDB module. */ @@ -346,13 +316,13 @@ fetch_kdb_authdata(krb5_context context, unsigned int flags, krb5_db_entry *client, krb5_db_entry *server, krb5_db_entry *krbtgt, krb5_keyblock *client_key, krb5_keyblock *server_key, krb5_keyblock *krbtgt_key, - krb5_kdc_req *request, krb5_const_principal for_user_princ, - krb5_enc_tkt_part *enc_tkt_request, + krb5_kdc_req *req, krb5_const_principal for_user_princ, + krb5_enc_tkt_part *enc_tkt_req, krb5_enc_tkt_part *enc_tkt_reply) { - krb5_error_code code; + krb5_error_code ret; krb5_authdata **tgt_authdata, **db_authdata = NULL; - krb5_boolean tgs_req = (request->msg_type == KRB5_TGS_REQ); + krb5_boolean tgs_req = (req->msg_type == KRB5_TGS_REQ); krb5_const_principal actual_client; /* @@ -366,16 +336,16 @@ fetch_kdb_authdata(krb5_context context, unsigned int flags, * be present. */ if (tgs_req) { - assert(enc_tkt_request != NULL); + assert(enc_tkt_req != NULL); if (isflagset(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED)) return 0; - if (enc_tkt_request->authorization_data == NULL && + if (enc_tkt_req->authorization_data == NULL && !isflagset(flags, KRB5_KDB_FLAG_CROSS_REALM | KRB5_KDB_FLAGS_S4U)) return 0; - assert(enc_tkt_reply->times.authtime == enc_tkt_request->times.authtime); + assert(enc_tkt_reply->times.authtime == enc_tkt_req->times.authtime); } else { if (!isflagset(flags, KRB5_KDB_FLAG_INCLUDE_PAC)) return 0; @@ -391,52 +361,42 @@ fetch_kdb_authdata(krb5_context context, unsigned int flags, else actual_client = enc_tkt_reply->client; - tgt_authdata = tgs_req ? enc_tkt_request->authorization_data : NULL; - code = krb5_db_sign_authdata(context, flags, actual_client, client, - server, krbtgt, client_key, server_key, - krbtgt_key, enc_tkt_reply->session, - enc_tkt_reply->times.authtime, tgt_authdata, - &db_authdata); - if (code == 0) { - code = merge_authdata(context, - db_authdata, - &enc_tkt_reply->authorization_data, - FALSE, /* !copy */ - FALSE); /* !ignore_kdc_issued */ - if (code != 0) - krb5_free_authdata(context, db_authdata); - } else if (code == KRB5_PLUGIN_OP_NOTSUPP) - code = 0; - - return code; + tgt_authdata = tgs_req ? enc_tkt_req->authorization_data : NULL; + ret = krb5_db_sign_authdata(context, flags, actual_client, client, + server, krbtgt, client_key, server_key, + krbtgt_key, enc_tkt_reply->session, + enc_tkt_reply->times.authtime, tgt_authdata, + &db_authdata); + if (ret) + return (ret == KRB5_PLUGIN_OP_NOTSUPP) ? 0 : ret; + + /* Add the KDB authdata to the ticket, without copying or filtering. */ + ret = merge_authdata(context, db_authdata, + &enc_tkt_reply->authorization_data, FALSE, FALSE); + if (ret) + krb5_free_authdata(context, db_authdata); + return ret; } static krb5_error_code -make_ad_signedpath_data(krb5_context context, - krb5_const_principal client, - krb5_timestamp authtime, - krb5_principal *deleg_path, - krb5_pa_data **method_data, - krb5_authdata **authdata, - krb5_data **data) +make_signedpath_data(krb5_context context, krb5_const_principal client, + krb5_timestamp authtime, krb5_principal *deleg_path, + krb5_pa_data **method_data, krb5_authdata **authdata, + krb5_data **data) { - krb5_ad_signedpath_data sp_data; - krb5_authdata **sign_authdata = NULL; - int i, j; - krb5_error_code code; + krb5_error_code ret; + krb5_ad_signedpath_data sp_data; + krb5_authdata **sign_authdata = NULL; + size_t i, j, count; memset(&sp_data, 0, sizeof(sp_data)); - if (authdata != NULL) { - for (i = 0; authdata[i] != NULL; i++) - ; - } else - i = 0; - - if (i != 0) { - sign_authdata = k5calloc(i + 1, sizeof(krb5_authdata *), &code); + for (count = 0; authdata != NULL && authdata[count] != NULL; count++); + if (count != 0) { + /* Make a shallow copy with AD-SIGNTICKET filtered out. */ + sign_authdata = k5calloc(count + 1, sizeof(krb5_authdata *), &ret); if (sign_authdata == NULL) - return code; + return ret; for (i = 0, j = 0; authdata[i] != NULL; i++) { if (is_kdc_issued_authdatum(context, authdata[i], @@ -455,71 +415,60 @@ make_ad_signedpath_data(krb5_context context, sp_data.method_data = method_data; sp_data.authorization_data = sign_authdata; - code = encode_krb5_ad_signedpath_data(&sp_data, data); + ret = encode_krb5_ad_signedpath_data(&sp_data, data); if (sign_authdata != NULL) free(sign_authdata); - return code; + return ret; } static krb5_error_code -verify_ad_signedpath_checksum(krb5_context context, - krb5_keyblock *krbtgt_key, - krb5_enc_tkt_part *enc_tkt_part, - krb5_principal *deleg_path, - krb5_pa_data **method_data, - krb5_checksum *cksum, - krb5_boolean *valid) +verify_signedpath_checksum(krb5_context context, krb5_keyblock *krbtgt_key, + krb5_enc_tkt_part *enc_tkt_part, + krb5_principal *deleg_path, + krb5_pa_data **method_data, krb5_checksum *cksum, + krb5_boolean *valid) { - krb5_error_code code; - krb5_data *data; + krb5_error_code ret; + krb5_data *data; *valid = FALSE; if (!krb5_c_is_keyed_cksum(cksum->checksum_type)) return KRB5KRB_AP_ERR_INAPP_CKSUM; - code = make_ad_signedpath_data(context, - enc_tkt_part->client, - enc_tkt_part->times.authtime, - deleg_path, - method_data, - enc_tkt_part->authorization_data, - &data); - if (code != 0) - return code; - - code = krb5_c_verify_checksum(context, - krbtgt_key, - KRB5_KEYUSAGE_AD_SIGNEDPATH, - data, - cksum, - valid); + ret = make_signedpath_data(context, enc_tkt_part->client, + enc_tkt_part->times.authtime, deleg_path, + method_data, enc_tkt_part->authorization_data, + &data); + if (ret) + return ret; + ret = krb5_c_verify_checksum(context, krbtgt_key, + KRB5_KEYUSAGE_AD_SIGNEDPATH, data, cksum, + valid); krb5_free_data(context, data); - return code; + return ret; } static krb5_error_code -verify_ad_signedpath(krb5_context context, - krb5_keyblock *krbtgt_key, - krb5_enc_tkt_part *enc_tkt_part, - krb5_principal **pdelegated, - krb5_boolean *path_is_signed) +verify_signedpath(krb5_context context, krb5_keyblock *krbtgt_key, + krb5_enc_tkt_part *enc_tkt_part, + krb5_principal **delegated_out, krb5_boolean *pathsigned_out) { - krb5_error_code code; - krb5_ad_signedpath *sp = NULL; - krb5_authdata **sp_authdata = NULL; - krb5_data enc_sp; + krb5_error_code ret; + krb5_ad_signedpath *sp = NULL; + krb5_authdata **sp_authdata = NULL; + krb5_data enc_sp; - *pdelegated = NULL; - *path_is_signed = FALSE; + *delegated_out = NULL; + *pathsigned_out = FALSE; - code = krb5_find_authdata(context, enc_tkt_part->authorization_data, NULL, - KRB5_AUTHDATA_SIGNTICKET, &sp_authdata); - if (code != 0) + ret = krb5_find_authdata(context, enc_tkt_part->authorization_data, NULL, + KRB5_AUTHDATA_SIGNTICKET, &sp_authdata); + if (ret) goto cleanup; if (sp_authdata == NULL || @@ -530,71 +479,57 @@ verify_ad_signedpath(krb5_context context, enc_sp.data = (char *)sp_authdata[0]->contents; enc_sp.length = sp_authdata[0]->length; - code = decode_krb5_ad_signedpath(&enc_sp, &sp); - if (code != 0) { + ret = decode_krb5_ad_signedpath(&enc_sp, &sp); + if (ret) { /* Treat an invalid signedpath authdata element as a missing one, since * we believe MS is using the same number for something else. */ - code = 0; + ret = 0; goto cleanup; } - code = verify_ad_signedpath_checksum(context, - krbtgt_key, - enc_tkt_part, - sp->delegated, - sp->method_data, - &sp->checksum, - path_is_signed); - if (code != 0) + ret = verify_signedpath_checksum(context, krbtgt_key, enc_tkt_part, + sp->delegated, sp->method_data, + &sp->checksum, pathsigned_out); + if (ret) goto cleanup; - if (*path_is_signed) { - *pdelegated = sp->delegated; + if (*pathsigned_out) { + *delegated_out = sp->delegated; sp->delegated = NULL; } cleanup: krb5_free_ad_signedpath(context, sp); krb5_free_authdata(context, sp_authdata); - - return code; + return ret; } static krb5_error_code -make_ad_signedpath_checksum(krb5_context context, - krb5_const_principal for_user_princ, - krb5_keyblock *krbtgt_key, - krb5_enc_tkt_part *enc_tkt_part, - krb5_principal *deleg_path, - krb5_pa_data **method_data, - krb5_checksum *cksum) +make_signedpath_checksum(krb5_context context, + krb5_const_principal for_user_princ, + krb5_keyblock *krbtgt_key, + krb5_enc_tkt_part *enc_tkt_part, + krb5_principal *deleg_path, + krb5_pa_data **method_data, krb5_checksum *cksum) { - krb5_error_code code; - krb5_data *data; - krb5_cksumtype cksumtype; - krb5_const_principal client; + krb5_error_code ret; + krb5_data *data; + krb5_cksumtype cksumtype; + krb5_const_principal client; - if (for_user_princ != NULL) - client = for_user_princ; - else - client = enc_tkt_part->client; - - code = make_ad_signedpath_data(context, - client, - enc_tkt_part->times.authtime, - deleg_path, - method_data, - enc_tkt_part->authorization_data, - &data); - if (code != 0) - return code; - - code = krb5int_c_mandatory_cksumtype(context, - krbtgt_key->enctype, - &cksumtype); - if (code != 0) { + client = (for_user_princ != NULL) ? for_user_princ : enc_tkt_part->client; + + ret = make_signedpath_data(context, client, enc_tkt_part->times.authtime, + deleg_path, method_data, + enc_tkt_part->authorization_data, &data); + if (ret) + return ret; + + ret = krb5int_c_mandatory_cksumtype(context, krbtgt_key->enctype, + &cksumtype); + if (ret) { krb5_free_data(context, data); - return code; + return ret; } if (!krb5_c_is_keyed_cksum(cksumtype)) { @@ -602,74 +537,59 @@ make_ad_signedpath_checksum(krb5_context context, return KRB5KRB_AP_ERR_INAPP_CKSUM; } - code = krb5_c_make_checksum(context, cksumtype, krbtgt_key, - KRB5_KEYUSAGE_AD_SIGNEDPATH, data, - cksum); - + ret = krb5_c_make_checksum(context, cksumtype, krbtgt_key, + KRB5_KEYUSAGE_AD_SIGNEDPATH, data, cksum); krb5_free_data(context, data); - - return code; + return ret; } static krb5_error_code -make_ad_signedpath(krb5_context context, - krb5_const_principal for_user_princ, - krb5_principal server, - krb5_keyblock *krbtgt_key, - krb5_principal *deleg_path, - krb5_enc_tkt_part *enc_tkt_reply) +make_signedpath(krb5_context context, krb5_const_principal for_user_princ, + krb5_principal server, krb5_keyblock *krbtgt_key, + krb5_principal *deleg_path, krb5_enc_tkt_part *enc_tkt_reply) { - krb5_error_code code; - krb5_ad_signedpath sp; - int i; - krb5_data *data = NULL; - krb5_authdata ad_datum, *ad_data[2]; - krb5_authdata **if_relevant = NULL; + krb5_error_code ret; + krb5_ad_signedpath sp; + krb5_data *data = NULL; + krb5_authdata ad_datum, *ad_data[2]; + krb5_authdata **if_relevant = NULL; + size_t count; memset(&sp, 0, sizeof(sp)); sp.enctype = krbtgt_key->enctype; - if (deleg_path != NULL) { - for (i = 0; deleg_path[i] != NULL; i++) - ; - } else - i = 0; + for (count = 0; deleg_path != NULL && deleg_path[count] != NULL; count++); - sp.delegated = k5calloc(i + (server ? 1 : 0) + 1, sizeof(krb5_principal), - &code); - if (code != 0) + sp.delegated = k5calloc(count + 2, sizeof(krb5_principal), &ret); + if (sp.delegated == NULL) goto cleanup; /* Combine existing and new transited services, if any */ if (deleg_path != NULL) - memcpy(sp.delegated, deleg_path, i * sizeof(krb5_principal)); + memcpy(sp.delegated, deleg_path, count * sizeof(krb5_principal)); if (server != NULL) - sp.delegated[i++] = server; - sp.delegated[i] = NULL; + sp.delegated[count++] = server; + sp.delegated[count] = NULL; sp.method_data = NULL; - code = make_ad_signedpath_checksum(context, - for_user_princ, - krbtgt_key, - enc_tkt_reply, - sp.delegated, - sp.method_data, - &sp.checksum); - if (code != 0) { - if (code == KRB5KRB_AP_ERR_INAPP_CKSUM) { + ret = make_signedpath_checksum(context, for_user_princ, krbtgt_key, + enc_tkt_reply, sp.delegated, sp.method_data, + &sp.checksum); + if (ret) { + if (ret == KRB5KRB_AP_ERR_INAPP_CKSUM) { /* - * In the hopefully unlikely case the TGS key enctype - * has an unkeyed mandatory checksum type, do not fail - * so we do not prevent the KDC from servicing requests. + * In the hopefully unlikely case the TGS key enctype has an + * unkeyed mandatory checksum type, do not fail so we do not + * prevent the KDC from servicing requests. */ - code = 0; + ret = 0; } goto cleanup; } - code = encode_krb5_ad_signedpath(&sp, &data); - if (code != 0) + ret = encode_krb5_ad_signedpath(&sp, &data); + if (ret) goto cleanup; ad_datum.ad_type = KRB5_AUTHDATA_SIGNTICKET; @@ -679,56 +599,45 @@ make_ad_signedpath(krb5_context context, ad_data[0] = &ad_datum; ad_data[1] = NULL; - code = krb5_encode_authdata_container(context, - KRB5_AUTHDATA_IF_RELEVANT, - ad_data, - &if_relevant); - if (code != 0) + ret = krb5_encode_authdata_container(context, KRB5_AUTHDATA_IF_RELEVANT, + ad_data, &if_relevant); + if (ret) goto cleanup; - code = merge_authdata(context, - if_relevant, - &enc_tkt_reply->authorization_data, - FALSE, /* !copy */ - FALSE); /* !ignore_kdc_issued */ - if (code != 0) + /* Add the authdata to the ticket, without copying or filtering. */ + ret = merge_authdata(context, if_relevant, + &enc_tkt_reply->authorization_data, FALSE, FALSE); + if (ret) goto cleanup; - - if_relevant = NULL; /* merge_authdata() freed */ + if_relevant = NULL; /* merge_authdata() freed */ cleanup: - if (sp.delegated != NULL) - free(sp.delegated); + free(sp.delegated); krb5_free_authdata(context, if_relevant); krb5_free_data(context, data); krb5_free_checksum_contents(context, &sp.checksum); krb5_free_pa_data(context, sp.method_data); - - return code; + return ret; } static void free_deleg_path(krb5_context context, krb5_principal *deleg_path) { - if (deleg_path != NULL) { - int i; + int i; - for (i = 0; deleg_path[i] != NULL; i++) - krb5_free_principal(context, deleg_path[i]); - free(deleg_path); - } + for (i = 0; deleg_path != NULL && deleg_path[i] != NULL; i++) + krb5_free_principal(context, deleg_path[i]); + free(deleg_path); } -/* - * Returns TRUE if the Windows 2000 PAC is the only element in the - * supplied authorization data. - */ +/* Return true if the Windows 2000 PAC is the only element in the supplied + * authorization data. */ static krb5_boolean only_pac_p(krb5_context context, krb5_authdata **authdata) { - return has_kdc_issued_authdata(context, - authdata, KRB5_AUTHDATA_WIN2K_PAC) && - (authdata[1] == NULL); + return has_kdc_issued_authdata(context, authdata, + KRB5_AUTHDATA_WIN2K_PAC) && + authdata[1] == NULL; } /* Verify AD-SIGNTICKET authdata if we need to, and insert an AD-SIGNEDPATH @@ -736,12 +645,12 @@ only_pac_p(krb5_context context, krb5_authdata **authdata) static krb5_error_code handle_signticket(krb5_context context, unsigned int flags, krb5_db_entry *client, krb5_db_entry *server, - krb5_keyblock *krbtgt_key, krb5_kdc_req *request, + krb5_keyblock *krbtgt_key, krb5_kdc_req *req, krb5_const_principal for_user_princ, - krb5_enc_tkt_part *enc_tkt_request, + krb5_enc_tkt_part *enc_tkt_req, krb5_enc_tkt_part *enc_tkt_reply) { - krb5_error_code code = 0; + krb5_error_code ret = 0; krb5_principal *deleg_path = NULL; krb5_boolean signed_path = FALSE; krb5_boolean s4u2proxy; @@ -752,18 +661,15 @@ handle_signticket(krb5_context context, unsigned int flags, * The Windows PAC fulfils the same role as the signed path * if it is the only authorization data element. */ - if (request->msg_type == KRB5_TGS_REQ && - !only_pac_p(context, enc_tkt_request->authorization_data)) { - code = verify_ad_signedpath(context, - krbtgt_key, - enc_tkt_request, - &deleg_path, - &signed_path); - if (code != 0) + if (req->msg_type == KRB5_TGS_REQ && + !only_pac_p(context, enc_tkt_req->authorization_data)) { + ret = verify_signedpath(context, krbtgt_key, enc_tkt_req, &deleg_path, + &signed_path); + if (ret) goto cleanup; if (s4u2proxy && signed_path == FALSE) { - code = KRB5KDC_ERR_BADOPTION; + ret = KRB5KDC_ERR_BADOPTION; goto cleanup; } } @@ -773,90 +679,78 @@ handle_signticket(krb5_context context, unsigned int flags, if (!isflagset(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED) && !is_cross_tgs_principal(server->princ) && !only_pac_p(context, enc_tkt_reply->authorization_data)) { - code = make_ad_signedpath(context, - for_user_princ, - s4u2proxy ? client->princ : NULL, - krbtgt_key, - deleg_path, - enc_tkt_reply); - if (code != 0) + ret = make_signedpath(context, for_user_princ, + s4u2proxy ? client->princ : NULL, krbtgt_key, + deleg_path, enc_tkt_reply); + if (ret) goto cleanup; } cleanup: free_deleg_path(context, deleg_path); - - return code; + return ret; } krb5_error_code -handle_authdata (krb5_context context, - unsigned int flags, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_db_entry *krbtgt, - krb5_keyblock *client_key, - krb5_keyblock *server_key, - krb5_keyblock *krbtgt_key, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_const_principal for_user_princ, - krb5_enc_tkt_part *enc_tkt_request, - krb5_enc_tkt_part *enc_tkt_reply) +handle_authdata(krb5_context context, unsigned int flags, + krb5_db_entry *client, krb5_db_entry *server, + krb5_db_entry *krbtgt, krb5_keyblock *client_key, + krb5_keyblock *server_key, krb5_keyblock *krbtgt_key, + krb5_data *req_pkt, krb5_kdc_req *req, + krb5_const_principal for_user_princ, + krb5_enc_tkt_part *enc_tkt_req, + krb5_enc_tkt_part *enc_tkt_reply) { kdcauthdata_handle *h; - krb5_error_code code = 0; + krb5_error_code ret = 0; size_t i; - if (request->msg_type == KRB5_TGS_REQ && - request->authorization_data.ciphertext.data != NULL) { + if (req->msg_type == KRB5_TGS_REQ && + req->authorization_data.ciphertext.data != NULL) { /* Copy TGS request authdata. This must be done first so that modules * have access to the unencrypted request authdata. */ - code = copy_request_authdata(context, client_key, request, - enc_tkt_request, - &enc_tkt_reply->authorization_data); - if (code) - return code; + ret = copy_request_authdata(context, client_key, req, enc_tkt_req, + &enc_tkt_reply->authorization_data); + if (ret) + return ret; } /* Invoke loaded module handlers. */ if (!isflagset(enc_tkt_reply->flags, TKT_FLG_ANONYMOUS)) { for (i = 0; i < n_authdata_modules; i++) { h = &authdata_modules[i]; - code = h->vt.handle(context, h->data, flags, client, server, - krbtgt, client_key, server_key, krbtgt_key, - req_pkt, request, for_user_princ, - enc_tkt_request, enc_tkt_reply); - if (code) - kdc_err(context, code, "from authdata module %s", h->vt.name); + ret = h->vt.handle(context, h->data, flags, client, server, + krbtgt, client_key, server_key, krbtgt_key, + req_pkt, req, for_user_princ, enc_tkt_req, + enc_tkt_reply); + if (ret) + kdc_err(context, ret, "from authdata module %s", h->vt.name); } } - if (request->msg_type == KRB5_TGS_REQ) { + if (req->msg_type == KRB5_TGS_REQ) { /* Copy authdata from the TGT to the issued ticket. */ - code = copy_tgt_authdata(context, request, - enc_tkt_request->authorization_data, - &enc_tkt_reply->authorization_data); - if (code) - return code; + ret = copy_tgt_authdata(context, req, enc_tkt_req->authorization_data, + &enc_tkt_reply->authorization_data); + if (ret) + return ret; } if (!isflagset(enc_tkt_reply->flags, TKT_FLG_ANONYMOUS)) { /* Fetch authdata from the KDB if appropriate. */ - code = fetch_kdb_authdata(context, flags, client, server, krbtgt, - client_key, server_key, krbtgt_key, request, - for_user_princ, enc_tkt_request, - enc_tkt_reply); - if (code) - return code; + ret = fetch_kdb_authdata(context, flags, client, server, krbtgt, + client_key, server_key, krbtgt_key, req, + for_user_princ, enc_tkt_req, enc_tkt_reply); + if (ret) + return ret; /* Validate and insert AD-SIGNTICKET authdata. This must happen last * since it contains a signature over the other authdata. */ - code = handle_signticket(context, flags, client, server, krbtgt_key, - request, for_user_princ, enc_tkt_request, - enc_tkt_reply); - if (code) - return code; + ret = handle_signticket(context, flags, client, server, krbtgt_key, + req, for_user_princ, enc_tkt_req, + enc_tkt_reply); + if (ret) + return ret; } return 0; -- 2.47.2