70
77
extern void mit_des_fixup_key_parity (mit_des_cblock );
71
78
extern int mit_des_is_weak_key (mit_des_cblock );
73
typedef krb5_error_code (*verify_proc)
74
(krb5_context, krb5_db_entry *client,
75
krb5_kdc_req *request,
76
krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data);
78
typedef krb5_error_code (*edata_proc)
79
(krb5_context, krb5_kdc_req *request,
80
krb5_db_entry *client, krb5_db_entry *server,
83
typedef krb5_error_code (*return_proc)
84
(krb5_context, krb5_pa_data * padata,
85
krb5_db_entry *client,
86
krb5_kdc_req *request, krb5_kdc_rep *reply,
87
krb5_key_data *client_key,
88
krb5_keyblock *encrypting_key,
89
krb5_pa_data **send_pa);
91
80
typedef struct _krb5_preauth_systems {
96
verify_proc verify_padata;
97
return_proc return_padata;
85
preauth_server_init_proc init;
86
preauth_server_fini_proc fini;
87
preauth_server_edata_proc get_edata;
88
preauth_server_verify_proc verify_padata;
89
preauth_server_return_proc return_padata;
90
preauth_server_free_reqcontext_proc free_pa_reqctx;
98
91
} krb5_preauth_systems;
100
93
static krb5_error_code verify_enc_timestamp
101
94
(krb5_context, krb5_db_entry *client,
102
96
krb5_kdc_req *request,
103
krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data);
97
krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data,
98
preauth_get_entry_data_proc get_entry_data,
99
void *pa_system_context,
100
void **pa_request_context,
102
krb5_authdata ***authz_data);
105
104
static krb5_error_code get_etype_info
106
105
(krb5_context, krb5_kdc_req *request,
107
106
krb5_db_entry *client, krb5_db_entry *server,
107
preauth_get_entry_data_proc get_entry_data,
108
void *pa_system_context,
108
109
krb5_pa_data *data);
109
110
static krb5_error_code
110
111
get_etype_info2(krb5_context context, krb5_kdc_req *request,
111
krb5_db_entry *client, krb5_db_entry *server,
112
krb5_pa_data *pa_data);
112
krb5_db_entry *client, krb5_db_entry *server,
113
preauth_get_entry_data_proc get_entry_data,
114
void *pa_system_context,
115
krb5_pa_data *pa_data);
113
116
static krb5_error_code
114
117
etype_info_as_rep_helper(krb5_context context, krb5_pa_data * padata,
115
118
krb5_db_entry *client,
122
125
static krb5_error_code
123
126
return_etype_info(krb5_context, krb5_pa_data * padata,
124
127
krb5_db_entry *client,
125
129
krb5_kdc_req *request, krb5_kdc_rep *reply,
126
130
krb5_key_data *client_key,
127
131
krb5_keyblock *encrypting_key,
128
krb5_pa_data **send_pa);
132
krb5_pa_data **send_pa,
133
preauth_get_entry_data_proc get_entry_data,
134
void *pa_system_context,
135
void **pa_request_context);
130
137
static krb5_error_code
131
138
return_etype_info2(krb5_context, krb5_pa_data * padata,
132
139
krb5_db_entry *client,
133
141
krb5_kdc_req *request, krb5_kdc_rep *reply,
134
142
krb5_key_data *client_key,
135
143
krb5_keyblock *encrypting_key,
136
krb5_pa_data **send_pa);
144
krb5_pa_data **send_pa,
145
preauth_get_entry_data_proc get_entry_data,
146
void *pa_system_context,
147
void **pa_request_context);
138
149
static krb5_error_code return_pw_salt
139
150
(krb5_context, krb5_pa_data * padata,
140
151
krb5_db_entry *client,
141
153
krb5_kdc_req *request, krb5_kdc_rep *reply,
142
154
krb5_key_data *client_key,
143
155
krb5_keyblock *encrypting_key,
144
krb5_pa_data **send_pa);
156
krb5_pa_data **send_pa,
157
preauth_get_entry_data_proc get_entry_data,
158
void *pa_system_context,
159
void **pa_request_context);
146
161
/* SAM preauth support */
147
162
static krb5_error_code verify_sam_response
148
163
(krb5_context, krb5_db_entry *client,
149
165
krb5_kdc_req *request,
150
krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data);
166
krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data,
167
preauth_get_entry_data_proc get_entry_data,
168
void *pa_module_context,
169
void **pa_request_context,
171
krb5_authdata ***authz_data);
152
173
static krb5_error_code get_sam_edata
153
174
(krb5_context, krb5_kdc_req *request,
154
175
krb5_db_entry *client, krb5_db_entry *server,
176
preauth_get_entry_data_proc get_entry_data,
177
void *pa_module_context,
155
178
krb5_pa_data *data);
156
179
static krb5_error_code return_sam_data
157
180
(krb5_context, krb5_pa_data * padata,
158
181
krb5_db_entry *client,
159
183
krb5_kdc_req *request, krb5_kdc_rep *reply,
160
184
krb5_key_data *client_key,
161
185
krb5_keyblock *encrypting_key,
162
krb5_pa_data **send_pa);
164
* Preauth property flags
166
#define PA_HARDWARE 0x00000001
167
#define PA_REQUIRED 0x00000002
168
#define PA_SUFFICIENT 0x00000004
169
/* Not really a padata, so don't include it in the etype list*/
170
#define PA_PSEUDO 0x00000008
186
krb5_pa_data **send_pa,
187
preauth_get_entry_data_proc get_entry_data,
188
void *pa_module_context,
189
void **pa_request_context);
172
static krb5_preauth_systems preauth_systems[] = {
191
static krb5_preauth_systems static_preauth_systems[] = {
175
194
KRB5_PADATA_ENC_TIMESTAMP,
178
200
verify_enc_timestamp,
224
#define MAX_PREAUTH_SYSTEMS (sizeof(preauth_systems)/sizeof(preauth_systems[0]))
261
static krb5_preauth_systems *preauth_systems;
262
static int n_preauth_systems;
263
static struct plugin_dir_handle preauth_plugins;
266
load_preauth_plugins(krb5_context context)
269
void **preauth_plugins_ftables;
270
struct krb5plugin_preauth_server_ftable_v1 *ftable;
271
int module_count, i, j, k;
272
void *plugin_context;
273
preauth_server_init_proc server_init_proc = NULL;
274
char **kdc_realm_names = NULL;
276
memset(&err, 0, sizeof(err));
278
/* Attempt to load all of the preauth plugins we can find. */
279
PLUGIN_DIR_INIT(&preauth_plugins);
280
if (PLUGIN_DIR_OPEN(&preauth_plugins) == 0) {
281
if (krb5int_open_plugin_dirs(objdirs, NULL,
282
&preauth_plugins, &err) != 0) {
283
return KRB5_PLUGIN_NO_HANDLE;
287
/* Get the method tables provided by the loaded plugins. */
288
preauth_plugins_ftables = NULL;
289
if (krb5int_get_plugin_dir_data(&preauth_plugins,
290
"preauthentication_server_1",
291
&preauth_plugins_ftables, &err) != 0) {
292
return KRB5_PLUGIN_NO_HANDLE;
295
/* Count the valid modules. */
296
module_count = sizeof(static_preauth_systems)
297
/ sizeof(static_preauth_systems[0]);
298
if (preauth_plugins_ftables != NULL) {
299
for (i = 0; preauth_plugins_ftables[i] != NULL; i++) {
300
ftable = preauth_plugins_ftables[i];
301
if ((ftable->flags_proc == NULL) &&
302
(ftable->edata_proc == NULL) &&
303
(ftable->verify_proc == NULL) &&
304
(ftable->return_proc == NULL)) {
308
ftable->pa_type_list != NULL &&
309
ftable->pa_type_list[j] > 0;
316
/* Build the complete list of supported preauthentication options, and
317
* leave room for a terminator entry. */
318
preauth_systems = malloc(sizeof(krb5_preauth_systems) * (module_count + 1));
319
if (preauth_systems == NULL) {
320
krb5int_free_plugin_dir_data(preauth_plugins_ftables);
324
/* Build a list of the names of the supported realms for this KDC.
325
* The list of names is terminated with a NULL. */
326
kdc_realm_names = malloc(sizeof(char *) * (kdc_numrealms + 1));
327
if (kdc_realm_names == NULL) {
328
krb5int_free_plugin_dir_data(preauth_plugins_ftables);
331
for (i = 0; i < kdc_numrealms; i++) {
332
kdc_realm_names[i] = kdc_realmlist[i]->realm_name;
334
kdc_realm_names[i] = NULL;
336
/* Add the locally-supplied mechanisms to the dynamic list first. */
338
i < sizeof(static_preauth_systems) / sizeof(static_preauth_systems[0]);
340
if (static_preauth_systems[i].type == -1)
342
preauth_systems[k] = static_preauth_systems[i];
343
/* Try to initialize the preauth system. If it fails, we'll remove it
344
* from the list of systems we'll be using. */
345
plugin_context = NULL;
346
server_init_proc = static_preauth_systems[i].init;
347
if ((server_init_proc != NULL) &&
348
((*server_init_proc)(context, &plugin_context, (const char **)kdc_realm_names) != 0)) {
349
memset(&preauth_systems[k], 0, sizeof(preauth_systems[k]));
352
preauth_systems[k].plugin_context = plugin_context;
356
/* Now add the dynamically-loaded mechanisms to the list. */
357
if (preauth_plugins_ftables != NULL) {
358
for (i = 0; preauth_plugins_ftables[i] != NULL; i++) {
359
ftable = preauth_plugins_ftables[i];
360
if ((ftable->flags_proc == NULL) &&
361
(ftable->edata_proc == NULL) &&
362
(ftable->verify_proc == NULL) &&
363
(ftable->return_proc == NULL)) {
366
plugin_context = NULL;
368
ftable->pa_type_list != NULL &&
369
ftable->pa_type_list[j] > 0;
371
/* Try to initialize the plugin. If it fails, we'll remove it
372
* from the list of modules we'll be using. */
374
server_init_proc = ftable->init_proc;
375
if (server_init_proc != NULL) {
376
krb5_error_code initerr;
377
initerr = (*server_init_proc)(context, &plugin_context, (const char **)kdc_realm_names);
380
emsg = krb5_get_error_message(context, initerr);
382
krb5_klog_syslog(LOG_ERR,
383
"preauth %s failed to initialize: %s",
385
krb5_free_error_message(context, emsg);
387
memset(&preauth_systems[k], 0, sizeof(preauth_systems[k]));
389
break; /* skip all modules in this plugin */
393
preauth_systems[k].name = ftable->name;
394
preauth_systems[k].type = ftable->pa_type_list[j];
395
if (ftable->flags_proc != NULL)
396
preauth_systems[k].flags = ftable->flags_proc(context, preauth_systems[k].type);
398
preauth_systems[k].flags = 0;
399
preauth_systems[k].plugin_context = plugin_context;
400
preauth_systems[k].init = server_init_proc;
401
/* Only call fini once for each plugin */
403
preauth_systems[k].fini = ftable->fini_proc;
405
preauth_systems[k].fini = NULL;
406
preauth_systems[k].get_edata = ftable->edata_proc;
407
preauth_systems[k].verify_padata = ftable->verify_proc;
408
preauth_systems[k].return_padata = ftable->return_proc;
409
preauth_systems[k].free_pa_reqctx =
410
ftable->freepa_reqcontext_proc;
414
krb5int_free_plugin_dir_data(preauth_plugins_ftables);
416
free(kdc_realm_names);
417
n_preauth_systems = k;
418
/* Add the end-of-list marker. */
419
preauth_systems[k].name = "[end]";
420
preauth_systems[k].type = -1;
425
unload_preauth_plugins(krb5_context context)
428
if (preauth_systems != NULL) {
429
for (i = 0; i < n_preauth_systems; i++) {
430
if (preauth_systems[i].fini != NULL) {
431
(*preauth_systems[i].fini)(context,
432
preauth_systems[i].plugin_context);
434
memset(&preauth_systems[i], 0, sizeof(preauth_systems[i]));
436
free(preauth_systems);
437
preauth_systems = NULL;
438
n_preauth_systems = 0;
439
krb5int_close_plugin_dirs(&preauth_plugins);
445
* The make_padata_context() function creates a space for storing any context
446
* information which will be needed by return_padata() later. Each preauth
447
* type gets a context storage location of its own.
449
struct request_pa_context {
452
krb5_preauth_systems *pa_system;
457
static krb5_error_code
458
make_padata_context(krb5_context context, void **padata_context)
461
struct request_pa_context *ret;
463
ret = malloc(sizeof(*ret));
468
ret->n_contexts = n_preauth_systems;
469
ret->contexts = malloc(sizeof(ret->contexts[0]) * ret->n_contexts);
470
if (ret->contexts == NULL) {
475
memset(ret->contexts, 0, sizeof(ret->contexts[0]) * ret->n_contexts);
477
for (i = 0; i < ret->n_contexts; i++) {
478
ret->contexts[i].pa_system = &preauth_systems[i];
479
ret->contexts[i].pa_context = NULL;
482
*padata_context = ret;
488
* The free_padata_context function frees any context information pointers
489
* which the check_padata() function created but which weren't already cleaned
490
* up by return_padata().
493
free_padata_context(krb5_context kcontext, void **padata_context)
495
struct request_pa_context *context;
496
krb5_preauth_systems *preauth_system;
500
if (padata_context == NULL)
503
context = *padata_context;
505
for (i = 0; i < context->n_contexts; i++) {
506
if (context->contexts[i].pa_context != NULL) {
507
preauth_system = context->contexts[i].pa_system;
508
mctx = preauth_system->plugin_context;
509
if (preauth_system->free_pa_reqctx != NULL) {
510
pctx = &context->contexts[i].pa_context;
511
(*preauth_system->free_pa_reqctx)(kcontext, mctx, pctx);
513
context->contexts[i].pa_context = NULL;
517
free(context->contexts);
523
/* Retrieve a specified tl_data item from the given entry, and return its
524
* contents in a new krb5_data, which must be freed by the caller. */
525
static krb5_error_code
526
get_entry_tl_data(krb5_context context, krb5_db_entry *entry,
527
krb5_int16 tl_data_type, krb5_data **result)
530
for (tl = entry->tl_data; tl != NULL; tl = tl->tl_data_next) {
531
if (tl->tl_data_type == tl_data_type) {
532
*result = malloc(sizeof(krb5_data));
533
if (*result == NULL) {
536
(*result)->magic = KV5M_DATA;
537
(*result)->data = malloc(tl->tl_data_length);
538
if ((*result)->data == NULL) {
543
memcpy((*result)->data, tl->tl_data_contents, tl->tl_data_length);
551
* Retrieve a specific piece of information pertaining to the entry or the
552
* request and return it in a new krb5_data item which the caller must free.
554
* This may require massaging data into a contrived format, but it will
555
* hopefully keep us from having to reveal library-internal functions to
558
static krb5_error_code
559
get_entry_data(krb5_context context,
560
krb5_kdc_req *request, krb5_db_entry *entry,
568
krb5_key_data *entry_key;
571
case krb5plugin_preauth_entry_request_certificate:
572
return get_entry_tl_data(context, entry,
573
KRB5_TL_USER_CERTIFICATE, result);
575
case krb5plugin_preauth_entry_max_time_skew:
576
ret = malloc(sizeof(krb5_data));
579
delta = malloc(sizeof(krb5_deltat));
584
*delta = context->clockskew;
585
ret->data = (char *) delta;
586
ret->length = sizeof(*delta);
590
case krb5plugin_preauth_keys:
591
ret = malloc(sizeof(krb5_data));
594
keys = malloc(sizeof(krb5_keyblock) * (request->nktypes + 1));
599
ret->data = (char *) keys;
600
ret->length = sizeof(krb5_keyblock) * (request->nktypes + 1);
601
memset(ret->data, 0, ret->length);
603
for (i = 0; i < request->nktypes; i++) {
605
if (krb5_dbe_find_enctype(context, entry, request->ktype[i],
606
-1, 0, &entry_key) != 0)
608
if (krb5_dbekd_decrypt_key_data(context, &master_keyblock,
609
entry_key, &keys[k], NULL) != 0) {
610
if (keys[k].contents != NULL)
611
krb5_free_keyblock_contents(context, &keys[k]);
612
memset(&keys[k], 0, sizeof(keys[k]));
625
case krb5plugin_preauth_request_body:
627
encode_krb5_kdc_req_body(request, &ret);
632
return ASN1_PARSE_ERROR;
226
640
static krb5_error_code
227
641
find_pa_system(int type, krb5_preauth_systems **preauth)
229
krb5_preauth_systems *ap = preauth_systems;
643
krb5_preauth_systems *ap;
645
ap = preauth_systems ? preauth_systems : static_preauth_systems;
231
646
while ((ap->type != -1) && (ap->type != type))
233
648
if (ap->type == -1)
654
static krb5_error_code
655
find_pa_context(krb5_preauth_systems *pa_sys,
656
struct request_pa_context *context,
664
return KRB5KRB_ERR_GENERIC;
666
for (i = 0; i < context->n_contexts; i++) {
667
if (context->contexts[i].pa_system == pa_sys) {
668
*pa_context = &context->contexts[i].pa_context;
673
return KRB5KRB_ERR_GENERIC;
677
* Create a list of indices into the preauth_systems array, sorted by order of
681
pa_list_includes(krb5_pa_data **pa_data, krb5_preauthtype pa_type)
683
while (*pa_data != NULL) {
684
if ((*pa_data)->pa_type == pa_type)
691
sort_pa_order(krb5_context context, krb5_kdc_req *request, int *pa_order)
693
int i, j, k, n_repliers, n_key_replacers;
695
/* First, set up the default order. */
697
for (j = 0; j < n_preauth_systems; j++) {
698
if (preauth_systems[j].return_padata != NULL)
702
pa_order[n_repliers] = -1;
704
/* Reorder so that PA_REPLACES_KEY modules are listed first. */
705
for (i = 0; i < n_repliers; i++) {
706
/* If this module replaces the key, then it's okay to leave it where it
707
* is in the order. */
708
if (preauth_systems[pa_order[i]].flags & PA_REPLACES_KEY)
710
/* If not, search for a module which does, and swap in the first one we
712
for (j = i + 1; j < n_repliers; j++) {
713
if (preauth_systems[pa_order[j]].flags & PA_REPLACES_KEY) {
715
pa_order[j] = pa_order[i];
722
if (request->padata != NULL) {
723
/* Now reorder the subset of modules which replace the key,
724
* bubbling those which handle pa_data types provided by the
725
* client ahead of the others. */
726
for (i = 0; preauth_systems[pa_order[i]].flags & PA_REPLACES_KEY; i++) {
730
for (i = 0; i < n_key_replacers; i++) {
731
if (pa_list_includes(request->padata,
732
preauth_systems[pa_order[i]].type))
734
for (j = i + 1; j < n_key_replacers; j++) {
735
if (pa_list_includes(request->padata,
736
preauth_systems[pa_order[j]].type)) {
738
pa_order[j] = pa_order[i];
746
krb5_klog_syslog(LOG_DEBUG, "original preauth mechanism list:");
747
for (i = 0; i < n_preauth_systems; i++) {
748
if (preauth_systems[i].return_padata != NULL)
749
krb5_klog_syslog(LOG_DEBUG, "... %s(%d)", preauth_systems[i].name,
750
preauth_systems[i].type);
752
krb5_klog_syslog(LOG_DEBUG, "sorted preauth mechanism list:");
753
for (i = 0; pa_order[i] != -1; i++) {
754
krb5_klog_syslog(LOG_DEBUG, "... %s(%d)",
755
preauth_systems[pa_order[i]].name,
756
preauth_systems[pa_order[i]].type);
239
761
const char *missing_required_preauth(krb5_db_entry *client,
240
762
krb5_db_entry *server,
241
763
krb5_enc_tkt_part *enc_tkt_reply)
859
* Add authorization data returned from preauth modules to the ticket
860
* It is assumed that ad is a "null-terminated" array of krb5_authdata ptrs
862
static krb5_error_code
863
add_authorization_data(krb5_enc_tkt_part *enc_tkt_part, krb5_authdata **ad)
865
krb5_authdata **newad;
866
int oldones, newones;
869
if (enc_tkt_part == NULL || ad == NULL)
872
for (newones = 0; ad[newones] != NULL; newones++);
874
return 0; /* nothing to add */
876
if (enc_tkt_part->authorization_data == NULL)
880
enc_tkt_part->authorization_data[oldones] != NULL; oldones++);
882
newad = malloc((oldones + newones + 1) * sizeof(krb5_authdata *));
886
/* Copy any existing pointers */
887
for (i = 0; i < oldones; i++)
888
newad[i] = enc_tkt_part->authorization_data[i];
890
/* Add the new ones */
891
for (i = 0; i < newones; i++)
892
newad[oldones+i] = ad[i];
894
/* Terminate the new list */
895
newad[oldones+i] = NULL;
897
/* Free any existing list */
898
if (enc_tkt_part->authorization_data != NULL)
899
free(enc_tkt_part->authorization_data);
901
/* Install our new list */
902
enc_tkt_part->authorization_data = newad;
336
908
* This routine is called to verify the preauthentication information
337
909
* for a V5 request.
339
911
* Returns 0 if the pre-authentication is valid, non-zero to indicate
340
912
* an error code of some sort.
344
check_padata (krb5_context context, krb5_db_entry *client,
345
krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply)
916
check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
917
krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
918
void **padata_context, krb5_data *e_data)
347
920
krb5_error_code retval = 0;
348
921
krb5_pa_data **padata;
349
922
krb5_preauth_systems *pa_sys;
350
int pa_ok = 0, pa_found = 0;
924
krb5_data *pa_e_data = NULL, *tmp_e_data = NULL;
925
int pa_ok = 0, pa_found = 0;
926
krb5_error_code saved_retval = 0;
927
int use_saved_retval = 0;
929
krb5_authdata **tmp_authz_data = NULL;
352
931
if (request->padata == 0)
934
if (make_padata_context(context, padata_context) != 0) {
935
return KRB5KRB_ERR_GENERIC;
356
939
krb5_klog_syslog (LOG_DEBUG, "checking padata");
362
945
if (find_pa_system((*padata)->pa_type, &pa_sys))
947
if (find_pa_context(pa_sys, *padata_context, &pa_context))
365
950
krb5_klog_syslog (LOG_DEBUG, ".. pa_type %s", pa_sys->name);
367
952
if (pa_sys->verify_padata == 0)
370
retval = pa_sys->verify_padata(context, client, request,
371
enc_tkt_reply, *padata);
955
retval = pa_sys->verify_padata(context, client, req_pkt, request,
956
enc_tkt_reply, *padata,
957
get_entry_data, pa_sys->plugin_context,
958
pa_context, &tmp_e_data, &tmp_authz_data);
960
emsg = krb5_get_error_message (context, retval);
373
961
krb5_klog_syslog (LOG_INFO, "preauth (%s) verify failure: %s",
374
pa_sys->name, error_message (retval));
963
krb5_free_error_message (context, emsg);
964
/* Ignore authorization data returned from modules that fail */
965
if (tmp_authz_data != NULL) {
966
krb5_free_authdata(context, tmp_authz_data);
967
tmp_authz_data = NULL;
375
969
if (pa_sys->flags & PA_REQUIRED) {
970
/* free up any previous edata we might have been saving */
971
if (pa_e_data != NULL)
972
krb5_free_data(context, pa_e_data);
973
pa_e_data = tmp_e_data;
975
use_saved_retval = 0; /* Make sure we use the current retval */
980
* We'll return edata from either the first PA_REQUIRED module
981
* that fails, or the first non-PA_REQUIRED module that fails.
982
* Hang on to edata from the first non-PA_REQUIRED module.
983
* If we've already got one saved, simply discard this one.
985
if (tmp_e_data != NULL) {
986
if (pa_e_data == NULL) {
987
/* save the first error code and e-data */
988
pa_e_data = tmp_e_data;
990
saved_retval = retval;
991
use_saved_retval = 1;
993
/* discard this extra e-data from non-PA_REQUIRED module */
994
krb5_free_data(context, tmp_e_data);
381
1000
krb5_klog_syslog (LOG_DEBUG, ".. .. ok");
1002
/* Ignore any edata returned on success */
1003
if (tmp_e_data != NULL) {
1004
krb5_free_data(context, tmp_e_data);
1007
/* Add any authorization data to the ticket */
1008
if (tmp_authz_data != NULL) {
1009
add_authorization_data(enc_tkt_reply, tmp_authz_data);
1010
free(tmp_authz_data);
1011
tmp_authz_data = NULL;
384
if (pa_sys->flags & PA_SUFFICIENT)
1014
if (pa_sys->flags & PA_SUFFICIENT)
1019
/* Don't bother copying and returning e-data on success */
1020
if (pa_ok && pa_e_data != NULL) {
1021
krb5_free_data(context, pa_e_data);
1024
/* Return any e-data from the preauth that caused us to exit the loop */
1025
if (pa_e_data != NULL) {
1026
e_data->data = malloc(pa_e_data->length);
1027
if (e_data->data == NULL) {
1028
krb5_free_data(context, pa_e_data);
1029
return KRB5KRB_ERR_GENERIC;
1031
memcpy(e_data->data, pa_e_data->data, pa_e_data->length);
1032
e_data->length = pa_e_data->length;
1033
krb5_free_data(context, pa_e_data);
1035
if (use_saved_retval != 0)
1036
retval = saved_retval;
391
1042
/* pa system was not found, but principal doesn't require preauth */
392
1043
if (!pa_found &&
393
!isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
394
!isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH))
1044
!isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
1045
!isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH))
398
krb5_klog_syslog (LOG_INFO, "no valid preauth type found: %s",
399
error_message (retval));
400
/* The following switch statement allows us
401
* to return some preauth system errors back to the client.
404
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
1049
emsg = krb5_get_error_message(context, retval);
1050
krb5_klog_syslog (LOG_INFO, "no valid preauth type found: %s", emsg);
1051
krb5_free_error_message(context, emsg);
1053
/* The following switch statement allows us
1054
* to return some preauth system errors back to the client.
1057
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
405
1058
case KRB5KRB_AP_ERR_SKEW:
1059
case KRB5KDC_ERR_ETYPE_NOSUPP:
1061
case KRB5KDC_ERR_CLIENT_NOT_TRUSTED:
1062
case KRB5KDC_ERR_INVALID_SIG:
1063
case KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED:
1064
case KRB5KDC_ERR_CANT_VERIFY_CERTIFICATE:
1065
case KRB5KDC_ERR_INVALID_CERTIFICATE:
1066
case KRB5KDC_ERR_REVOKED_CERTIFICATE:
1067
case KRB5KDC_ERR_REVOCATION_STATUS_UNKNOWN:
1068
case KRB5KDC_ERR_CLIENT_NAME_MISMATCH:
1069
case KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE:
1070
case KRB5KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED:
1071
case KRB5KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED:
1072
case KRB5KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED:
1073
case KRB5KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED:
1074
/* earlier drafts of what became rfc 4556 */
1075
case KRB5KDC_ERR_CERTIFICATE_MISMATCH:
1076
case KRB5KDC_ERR_KDC_NOT_TRUSTED:
1077
case KRB5KDC_ERR_REVOCATION_STATUS_UNAVAILABLE:
1078
/* This value is shared with KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED. */
1079
/* case KRB5KDC_ERR_KEY_TOO_WEAK: */
408
1082
return KRB5KDC_ERR_PREAUTH_FAILED;