1
1
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2
/* kdc/do_tgs_req.c - KDC Routines to deal with TGS_REQ's */
5
4
* Copyright 1990,1991,2001,2007,2008,2009 by the Massachusetts Institute of Technology.
6
5
* All Rights Reserved.
23
22
* M.I.T. makes no representations about the suitability of
24
23
* this software for any purpose. It is provided "as is" without express
25
24
* or implied warranty.
28
* KDC Routines to deal with TGS_REQ's
31
27
* Copyright (c) 2006-2008, Novell, Inc.
78
74
static krb5_error_code
79
75
prepare_error_tgs(struct kdc_request_state *, krb5_kdc_req *,krb5_ticket *,int,
80
krb5_principal,krb5_data **,const char *, krb5_data *);
76
krb5_principal,krb5_data **,const char *, krb5_pa_data **);
83
79
prep_reprocess_req(krb5_kdc_req *,krb5_principal *);
127
123
struct kdc_request_state *state = NULL;
128
124
krb5_pa_data *pa_tgs_req; /*points into request*/
129
125
krb5_data scratch;
130
krb5_data e_data = empty_data(); /* backend-provided error data */
126
krb5_pa_data **e_data = NULL;
132
128
reply.padata = 0; /* For cleanup handler */
133
129
reply_encpart.enc_padata = 0;
134
130
enc_tkt_reply.authorization_data = NULL;
137
132
session_key.contents = NULL;
691
krb5_klog_syslog(LOG_INFO, "TGS_REQ : handle_authdata (%d)", errcode);
686
krb5_klog_syslog(LOG_INFO, _("TGS_REQ : handle_authdata (%d)"),
692
688
status = "HANDLE_AUTHDATA";
755
751
if (errcode == 0) {
756
752
setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
757
753
} else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
758
krb5_klog_syslog (LOG_INFO,
759
"bad realm transit path from '%s' to '%s' "
761
cname ? cname : "<unknown client>",
762
sname ? sname : "<unknown server>",
764
enc_tkt_reply.transited.tr_contents.data,
754
krb5_klog_syslog(LOG_INFO, _("bad realm transit path from '%s' "
755
"to '%s' via '%.*s%s'"),
756
cname ? cname : "<unknown client>",
757
sname ? sname : "<unknown server>", tlen,
758
enc_tkt_reply.transited.tr_contents.data, tdots);
767
760
emsg = krb5_get_error_message(kdc_context, errcode);
768
krb5_klog_syslog (LOG_ERR,
769
"unexpected error checking transit from "
770
"'%s' to '%s' via '%.*s%s': %s",
771
cname ? cname : "<unknown client>",
772
sname ? sname : "<unknown server>",
774
enc_tkt_reply.transited.tr_contents.data,
761
krb5_klog_syslog(LOG_ERR, _("unexpected error checking transit "
762
"from '%s' to '%s' via '%.*s%s': %s"),
763
cname ? cname : "<unknown client>",
764
sname ? sname : "<unknown server>", tlen,
765
enc_tkt_reply.transited.tr_contents.data, tdots,
776
767
krb5_free_error_message(kdc_context, emsg);
780
krb5_klog_syslog (LOG_INFO, "not checking transit path");
771
krb5_klog_syslog(LOG_INFO, _("not checking transit path"));
781
772
if (reject_bad_transit
782
773
&& !isflagset (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED)) {
783
774
errcode = KRB5KDC_ERR_POLICY;
938
929
retval = prepare_error_tgs(state, request, header_ticket, errcode,
939
930
(server != NULL) ? server->princ : NULL,
940
response, status, &e_data);
931
response, status, e_data);
942
933
krb5_free_error_message (kdc_context, status);
977
968
krb5_free_pa_data(kdc_context, reply_encpart.enc_padata);
978
969
if (enc_tkt_reply.authorization_data != NULL)
979
970
krb5_free_authdata(kdc_context, enc_tkt_reply.authorization_data);
980
krb5_free_data_contents(kdc_context, &e_data);
971
krb5_free_pa_data(kdc_context, e_data);
987
978
krb5_kdc_req *request, krb5_ticket *ticket, int error,
988
979
krb5_principal canon_server,
989
980
krb5_data **response, const char *status,
981
krb5_pa_data **e_data)
992
983
krb5_error errpkt;
993
984
krb5_error_code retval = 0;
985
krb5_data *scratch, *e_data_asn1 = NULL, *fast_edata = NULL;
996
987
errpkt.ctime = request->nonce;
997
988
errpkt.cusec = 0;
1013
1004
free(errpkt.text.data);
1016
errpkt.e_data = *e_data;
1018
retval = kdc_fast_handle_error(kdc_context, state, request, NULL, &errpkt);
1008
if (e_data != NULL) {
1009
retval = encode_krb5_padata_sequence(e_data, &e_data_asn1);
1012
free(errpkt.text.data);
1015
errpkt.e_data = *e_data_asn1;
1017
errpkt.e_data = empty_data();
1020
retval = kdc_fast_handle_error(kdc_context, state, request, e_data,
1021
&errpkt, &fast_edata);
1021
1025
free(errpkt.text.data);
1026
krb5_free_data(kdc_context, e_data_asn1);
1030
errpkt.e_data = *fast_edata;
1024
1031
retval = krb5_mk_error(kdc_context, &errpkt, scratch);
1025
1032
free(errpkt.text.data);
1033
krb5_free_data(kdc_context, e_data_asn1);
1034
krb5_free_data(kdc_context, fast_edata);