
60 find_KRB5SignedPath(krb5_context context,
81 krb5_set_error_message(context, ret, "Failed to decode "
103 _kdc_add_KRB5SignedPath(krb5_context context,
137 krb5_abortx(context, "internal asn.1 encoder error");
142 ret = hdb_enctype2key(context, &krbtgt->entry, enctype, &key);
144 ret = krb5_crypto_init(context, &key->key, 0, &crypto);
159 ret = krb5_create_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, 0,
161 krb5_crypto_destroy(context, crypto);
171 krb5_abortx(context, "internal asn.1 encoder error");
179 ret = _kdc_tkt_add_if_relevant_ad(context, tkt,
187 check_KRB5SignedPath(krb5_context context,
202 ret = find_KRB5SignedPath(context, tkt->authorization_data, &data);
225 krb5_abortx(context, "internal asn.1 encoder error");
229 ret = hdb_enctype2key(context, &krbtgt->entry, sp.etype, &key);
231 ret = krb5_crypto_init(context, &key->key, 0, &crypto);
238 ret = krb5_verify_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH,
241 krb5_crypto_destroy(context, crypto);
245 kdc_log(context, config, 5,
279 check_PAC(krb5_context context,
312 krb5_set_error_message(context, ret, "Failed to decode "
323 ret = krb5_pac_parse(context,
331 ret = krb5_pac_verify(context, pac, tkt->authtime,
335 krb5_pac_free(context, pac);
339 ret = _kdc_pac_verify(context, client_principal,
343 krb5_pac_free(context, pac);
355 ret = _krb5_pac_sign(context, pac, tkt->authtime,
359 krb5_pac_free(context, pac);
374 check_tgs_flags(krb5_context context,
382 kdc_log(context, config, 0,
387 kdc_log(context, config, 0,
394 kdc_log(context, config, 0,
401 kdc_log(context, config, 0,
409 kdc_log(context, config, 0,
421 kdc_log(context, config, 0,
429 kdc_log(context, config, 0,
441 kdc_log(context, config, 0,
449 kdc_log(context, config, 0,
457 }else if(b->from && *b->from > kdc_time + context->max_skew){
458 kdc_log(context, config, 0, "Ticket cannot be postdated");
464 kdc_log(context, config, 0,
476 kdc_log(context, config, 0,
493 kdc_log(context, config, 0,
506 check_constrained_delegation(krb5_context context,
523 if(!krb5_realm_compare(context, client->entry.principal, server->entry.principal)) {
525 kdc_log(context, config, 0,
531 ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, target);
536 if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
541 krb5_clear_error_message(context);
547 if (krb5_principal_compare(context, target, &acl->val[i]) == TRUE)
553 kdc_log(context, config, 0,
566 check_s4u2self(krb5_context context,
575 if (krb5_principal_compare(context, client->entry.principal, server) == TRUE)
579 ret = clientdb->hdb_check_s4u2self(context, clientdb, client, server);
593 verify_flags (krb5_context context,
599 kdc_log(context, config, 0, "Ticket expired (%s)", pstr);
603 kdc_log(context, config, 0, "Ticket not valid (%s)", pstr);
614 fix_transited_encoding(krb5_context context,
638 kdc_log(context, config, 0,
642 kdc_log(context, config, 0,
647 ret = krb5_domain_x500_decode(context,
654 krb5_warn(context, ret,
679 kdc_log(context, config, 0,
694 kdc_log(context, config, 0,
701 ret = krb5_check_transited(context, client_realm,
705 krb5_warn(context, ret, "cross-realm %s -> %s",
714 krb5_warn(context, ret, "Encoding transited encoding");
724 tgs_make_reply(krb5_context context,
768 ret = check_tgs_flags(context, config, b, tgt, &et);
791 ret = fix_transited_encoding(context, config,
799 krb5_principal_get_realm(context, client_principal),
800 krb5_principal_get_realm(context, server->entry.principal),
801 krb5_principal_get_realm(context, krbtgt->entry.principal));
875 ret = _kdc_tkt_add_if_relevant_ad(context, &et,
890 krb5_set_error_message(context, ret, "malloc: out of memory");
897 krb5_set_error_message(context, ret, "malloc: out of memory");
903 ret = find_KRB5SignedPath(context, et.authorization_data, NULL);
917 ret = krb5_copy_keyblock_contents(context, sessionkey, &et.key);
940 _kdc_log_timestamp(context, config, "TGS-REQ", et.authtime, et.starttime,
948 ret = _kdc_add_KRB5SignedPath(context,
972 if (krb5_enctype_valid(context, et.key.keytype) != 0
975 krb5_enctype_enable(context, et.key.keytype);
990 ret = _kdc_encode_reply(context, config,
996 krb5_enctype_disable(context, et.key.keytype);
1016 tgs_check_authenticator(krb5_context context,
1030 krb5_auth_con_getauthenticator(context, ac, &auth);
1032 kdc_log(context, config, 0, "No authenticator in request");
1042 !krb5_checksum_is_keyed(context, auth->cksum->cksumtype)
1045 !krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
1046 kdc_log(context, config, 0, "Bad checksum type in authenticator: %d",
1055 const char *msg = krb5_get_error_message(context, ret);
1056 kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", msg);
1057 krb5_free_error_message(context, msg);
1062 kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
1067 ret = krb5_crypto_init(context, key, 0, &crypto);
1069 const char *msg = krb5_get_error_message(context, ret);
1071 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1072 krb5_free_error_message(context, msg);
1075 ret = krb5_verify_checksum(context,
1082 krb5_crypto_destroy(context, crypto);
1084 const char *msg = krb5_get_error_message(context, ret);
1085 kdc_log(context, config, 0,
1087 krb5_free_error_message(context, msg);
1100 find_rpath(krb5_context context, Realm crealm, Realm srealm)
1102 const char *new_realm = krb5_config_get_string(context,
1113 need_referral(krb5_context context, krb5_kdc_configuration *config,
1129 kdc_log(context, config, 0, "Searching referral for %s", name);
1131 return _krb5_get_host_realm_int(context, name, FALSE, realms) == 0;
1135 tgs_parse_request(krb5_context context,
1169 ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
1171 const char *msg = krb5_get_error_message(context, ret);
1172 kdc_log(context, config, 0, "Failed to decode AP-REQ: %s", msg);
1173 krb5_free_error_message(context, msg);
1179 kdc_log(context, config, 0, "PA-DATA is not a ticket-granting ticket");
1184 _krb5_principalname2krb5_principal(context,
1189 ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, ap_req.ticket.enc_part.kvno, NULL, krbtgt);
1193 ret = krb5_unparse_name(context, princ, &p);
1196 krb5_free_principal(context, princ);
1197 kdc_log(context, config, 5, "Ticket-granting ticket account %s does not have secrets at this KDC, need to proxy", p);
1203 const char *msg = krb5_get_error_message(context, ret);
1205 ret = krb5_unparse_name(context, princ, &p);
1208 krb5_free_principal(context, princ);
1209 kdc_log(context, config, 0,
1211 krb5_free_error_message(context, msg);
1222 ret = krb5_unparse_name (context, princ, &p);
1223 krb5_free_principal(context, princ);
1226 kdc_log(context, config, 0,
1239 ret = hdb_enctype2key(context, &(*krbtgt)->entry,
1244 krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
1245 krb5_unparse_name(context, princ, &p);
1246 kdc_log(context, config, 0,
1261 ret = krb5_verify_ap_req2(context,
1271 krb5_free_principal(context, princ);
1273 const char *msg = krb5_get_error_message(context, ret);
1274 kdc_log(context, config, 0, "Failed to verify AP-REQ: %s", msg);
1275 krb5_free_error_message(context, msg);
1282 ret = krb5_auth_con_getauthenticator(context, ac, &auth);
1286 krb5_free_authenticator(context, &auth);
1287 kdc_log(context, config, 0, "malloc failed");
1293 krb5_free_authenticator(context, &auth);
1294 kdc_log(context, config, 0, "malloc failed");
1298 krb5_free_authenticator(context, &auth);
1302 ret = tgs_check_authenticator(context, config,
1305 krb5_auth_con_free(context, ac);
1312 ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
1314 const char *msg = krb5_get_error_message(context, ret);
1315 krb5_auth_con_free(context, ac);
1316 kdc_log(context, config, 0, "Failed to get remote subkey: %s", msg);
1317 krb5_free_error_message(context, msg);
1324 ret = krb5_auth_con_getkey(context, ac, &subkey);
1326 const char *msg = krb5_get_error_message(context, ret);
1327 krb5_auth_con_free(context, ac);
1328 kdc_log(context, config, 0, "Failed to get session key: %s", msg);
1329 krb5_free_error_message(context, msg);
1334 krb5_auth_con_free(context, ac);
1335 kdc_log(context, config, 0,
1346 ret = krb5_crypto_init(context, subkey, 0, &crypto);
1348 const char *msg = krb5_get_error_message(context, ret);
1349 krb5_auth_con_free(context, ac);
1350 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1351 krb5_free_error_message(context, msg);
1354 ret = krb5_decrypt_EncryptedData (context,
1359 krb5_crypto_destroy(context, crypto);
1361 krb5_auth_con_free(context, ac);
1362 kdc_log(context, config, 0,
1369 krb5_auth_con_free(context, ac);
1375 krb5_auth_con_free(context, ac);
1378 kdc_log(context, config, 0, "Failed to decode authorization data");
1384 krb5_auth_con_free(context, ac);
1393 build_server_referral(krb5_context context,
1442 krb5_abortx(context, "internal asn.1 encoder error");
1444 ret = krb5_encrypt_EncryptedData(context, session,
1459 krb5_abortx(context, "internal asn.1 encoder error");
1464 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1469 tgs_build_reply(krb5_context context,
1535 kdc_log(context, config, 0,
1541 kdc_log(context, config, 0,
1546 _krb5_principalname2krb5_principal(context, &p, t->sname, t->realm);
1547 ret = _kdc_db_fetch(context, config, p,
1550 krb5_free_principal(context, p);
1556 ret = hdb_enctype2key(context, &uu->entry,
1559 _kdc_free_ent(context, uu);
1563 ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0);
1564 _kdc_free_ent(context, uu);
1568 ret = verify_flags(context, config, &adtkt, spn);
1576 _krb5_principalname2krb5_principal(context, &sp, *s, r);
1577 ret = krb5_unparse_name(context, sp, &spn);
1580 _krb5_principalname2krb5_principal(context, &cp, tgt->cname, tgt->crealm);
1581 ret = krb5_unparse_name(context, cp, &cpn);
1588 kdc_log(context, config, 0,
1592 kdc_log(context, config, 0,
1600 ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | flags,
1604 kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", sp);
1613 new_rlm = find_rpath(context, tgt->crealm, req_rlm);
1615 kdc_log(context, config, 5, "krbtgt for realm %s "
1618 krb5_free_principal(context, sp);
1620 krb5_make_principal(context, &sp, r,
1622 ret = krb5_unparse_name(context, sp, &spn);
1632 } else if(need_referral(context, config, &b->kdc_options, sp, &realms)) {
1634 kdc_log(context, config, 5,
1638 krb5_free_principal(context, sp);
1640 krb5_make_principal(context, &sp, r, KRB5_TGS_NAME,
1642 ret = krb5_unparse_name(context, sp, &spn);
1650 krb5_free_host_realm(context, realms);
1653 krb5_free_host_realm(context, realms);
1655 msg = krb5_get_error_message(context, ret);
1656 kdc_log(context, config, 0,
1658 krb5_free_error_message(context, msg);
1690 kdc_log(context, config, 0,
1692 krb5_clear_error_message(context);
1701 ret = _kdc_find_etype(context,
1702 krb5_principal_is_krbtgt(context, sp) ?
1708 kdc_log(context, config, 0,
1717 ret = krb5_generate_random_keyblock(context, etype, &sessionkey);
1732 ret = hdb_enctype2key(context, &krbtgt->entry,
1735 kdc_log(context, config, 0,
1743 ret = krb5_make_principal(context, &krbtgt_principal,
1744 krb5_principal_get_comp_string(context,
1748 krb5_principal_get_comp_string(context,
1752 kdc_log(context, config, 0,
1757 ret = _kdc_db_fetch(context, config, krbtgt_principal, HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
1758 krb5_free_principal(context, krbtgt_principal);
1762 ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn);
1763 ret2 = krb5_unparse_name(context, krbtgt_principal, &ktpn2);
1764 kdc_log(context, config, 0,
1780 if (strcmp(krb5_principal_get_realm(context, server->entry.principal),
1781 krb5_principal_get_realm(context, krbtgt_out->entry.principal)) != 0) {
1783 ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &ktpn);
1784 kdc_log(context, config, 0,
1792 ret = hdb_enctype2key(context, &krbtgt_out->entry,
1795 kdc_log(context, config, 0,
1800 ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | flags,
1815 krbtgt_realm = krb5_principal_get_realm(context, krbtgt_out->entry.principal);
1817 if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
1820 kdc_log(context, config, 1, "Client no longer in database: %s",
1825 msg = krb5_get_error_message(context, ret);
1826 kdc_log(context, config, 1, "Client not found in database: %s", msg);
1827 krb5_free_error_message(context, msg);
1830 ret = check_PAC(context, config, cp, NULL,
1836 const char *msg = krb5_get_error_message(context, ret);
1837 kdc_log(context, config, 0,
1840 krb5_free_error_message(context, msg);
1845 ret = check_KRB5SignedPath(context,
1853 const char *msg = krb5_get_error_message(context, ret);
1854 kdc_log(context, config, 0,
1857 krb5_free_error_message(context, msg);
1884 kdc_log(context, config, 0, "Failed to decode PA-S4U2Self");
1888 ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
1892 ret = krb5_crypto_init(context, &tgt->key, 0, &crypto);
1894 const char *msg = krb5_get_error_message(context, ret);
1897 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1898 krb5_free_error_message(context, msg);
1902 ret = krb5_verify_checksum(context,
1909 krb5_crypto_destroy(context, crypto);
1911 const char *msg = krb5_get_error_message(context, ret);
1913 kdc_log(context, config, 0,
1915 krb5_free_error_message(context, msg);
1919 ret = _krb5_principalname2krb5_principal(context,
1927 ret = krb5_unparse_name(context, tp, &tpn);
1935 ret = _kdc_db_fetch(context, config, tp, HDB_F_GET_CLIENT | flags,
1948 msg = krb5_get_error_message(context, ret);
1949 kdc_log(context, config, 1,
1952 krb5_free_error_message(context, msg);
1955 ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p);
1957 kdc_log(context, config, 0, "PAC generation failed for -- %s",
1962 ret = _krb5_pac_sign(context, p, ticket->ticket.authtime,
1966 krb5_pac_free(context, p);
1968 kdc_log(context, config, 0, "PAC signing failed for -- %s",
1979 ret = check_s4u2self(context, config, clientdb, client, sp);
1981 kdc_log(context, config, 0, "S4U2Self: %s is not allowed "
1999 kdc_log(context, config, 0, "s4u2self %s impersonating %s to "
2023 kdc_log(context, config, 0,
2031 ret = hdb_enctype2key(context, &client->entry,
2038 ret = krb5_decrypt_ticket(context, t, &clientkey->key, &adtkt, 0);
2040 kdc_log(context, config, 0,
2046 ret = _krb5_principalname2krb5_principal(context,
2053 ret = krb5_unparse_name(context, tp, &tpn);
2057 ret = _krb5_principalname2krb5_principal(context,
2064 ret = krb5_unparse_name(context, dp, &dpn);
2070 kdc_log(context, config, 0,
2078 ret = check_constrained_delegation(context, config, clientdb,
2081 kdc_log(context, config, 0,
2087 ret = verify_flags(context, config, &adtkt, tpn);
2100 ret = check_PAC(context, config, tp, dp,
2106 const char *msg = krb5_get_error_message(context, ret);
2107 kdc_log(context, config, 0,
2111 krb5_free_error_message(context, msg);
2118 ret = check_KRB5SignedPath(context,
2126 const char *msg = krb5_get_error_message(context, ret);
2127 kdc_log(context, config, 0,
2132 krb5_free_error_message(context, msg);
2138 kdc_log(context, config, 0,
2146 kdc_log(context, config, 0, "constrained delegation for %s "
2154 ret = kdc_check_flags(context, config,
2162 !krb5_principal_compare(context,
2165 kdc_log(context, config, 0, "Inconsistent request.");
2171 if(!_kdc_check_addresses(context, config, tgt->caddr, from_addr)) {
2173 kdc_log(context, config, 0, "Request from wrong address");
2185 kdc_log(context, config, 0,
2188 ret = krb5_crypto_init(context, &sessionkey, 0, &crypto);
2192 ret = build_server_referral(context, config, crypto, ref_realm,
2194 krb5_crypto_destroy(context, crypto);
2196 kdc_log(context, config, 0,
2205 kdc_log(context, config, 0,
2215 ret = tgs_make_reply(context,
2248 krb5_free_keyblock_contents(context, &sessionkey);
2250 _kdc_free_ent(context, krbtgt_out);
2252 _kdc_free_ent(context, server);
2254 _kdc_free_ent(context, client);
2256 _kdc_free_ent(context, s4u2self_impersonated_client);
2259 krb5_free_principal(context, tp);
2261 krb5_free_principal(context, cp);
2263 krb5_free_principal(context, dp);
2265 krb5_free_principal(context, sp);
2280 _kdc_tgs_rep(krb5_context context,
2305 kdc_log(context, config, 0,
2315 kdc_log(context, config, 0,
2319 ret = tgs_parse_request(context, config,
2335 kdc_log(context, config, 0,
2340 ret = tgs_build_reply(context,
2355 kdc_log(context, config, 0,
2369 krb5_free_keyblock(context, replykey);
2371 krb5_mk_error(context,
2385 krb5_free_ticket(context, ticket);
2387 _kdc_free_ent(context, krbtgt);