/*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
#include "krb5_locl.h"
-RCSID("$Id: init_creds_pw.c,v 1.87 2005/06/17 04:15:20 lha Exp $");
+RCSID("$Id: init_creds_pw.c,v 1.94 2006/04/24 08:49:08 lha Exp $");
typedef struct krb5_get_init_creds_ctx {
krb5_kdc_flags flags;
unsigned nonce;
unsigned pk_nonce;
+ krb5_data req_buffer;
AS_REQ as_req;
int pa_counter;
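Review bot: The new `req_buffer` member has no comment, and its ownership matters because the request loop frees it both before each re-encode and at its `out:` label while also handing it to `_krb5_pk_rd_pa_reply`. I would annotate the field, e.g. `krb5_data req_buffer; /* DER-encoded AS-REQ of the most recent request; owned by ctx, freed before re-encoding and on exit */`. Since the same bytes are later used by the PKINIT reply check, the comment should also say that it must hold exactly what was sent. The struct definition continues past the hunk.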
return ENOMEM;
ret = krb5_string_to_key_data_salt_opaque(context, type, password,
salt, opaque, *key);
- if (ret)
+ if (ret) {
free(*key);
+ *key = NULL;
+ }
return ret;
}
options = &default_opt;
}
- if (options->private) {
- ctx->password = options->private->password;
- ctx->key_proc = options->private->key_proc;
- ctx->req_pac = options->private->req_pac;
- ctx->pk_init_ctx = options->private->pk_init_ctx;
+ if (options->opt_private) {
+ ctx->password = options->opt_private->password;
+ ctx->key_proc = options->opt_private->key_proc;
+ ctx->req_pac = options->opt_private->req_pac;
+ ctx->pk_init_ctx = options->opt_private->pk_init_ctx;
} else
ctx->req_pac = KRB5_PA_PAC_DONT_CARE;
krb5_set_error_string(context, "malloc: out of memory");
goto fail;
}
- if (creds->client) {
- ret = _krb5_principal2principalname (a->req_body.cname, creds->client);
- if (ret)
- goto fail;
- ret = copy_Realm(&creds->client->realm, &a->req_body.realm);
- if (ret)
- goto fail;
- } else {
- krb5_realm realm;
- a->req_body.cname = NULL;
- ret = krb5_get_default_realm(context, &realm);
- if (ret)
- goto fail;
- ret = copy_Realm(&realm, &a->req_body.realm);
- free(realm);
- }
+ ret = _krb5_principal2principalname (a->req_body.cname, creds->client);
+ if (ret)
+ goto fail;
+ ret = copy_Realm(&creds->client->realm, &a->req_body.realm);
+ if (ret)
+ goto fail;
+
ret = _krb5_principal2principalname (a->req_body.sname, creds->server);
if (ret)
goto fail;
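Review bot: With the default-realm fallback removed, `creds->client` is dereferenced unconditionally at the `_krb5_principal2principalname` and `copy_Realm` calls, so a NULL client principal now crashes here instead of being filled in from the default realm. The request loop later in the file already dereferences `creds->client->realm` in its `krb5_sendto_kdc_flags` call, so the fallback was unreachable in practice, but the precondition should be stated or checked once at the function's entry, e.g. `if (creds->client == NULL) { krb5_set_error_string(context, "no client principal in creds"); ret = EINVAL; goto fail; }`. The enclosing function starts and ends outside the hunk.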
return 0;
#ifdef PKINIT
return _krb5_pk_mk_padata(context,
- ctx->pk_init_ctx,
- &a->req_body,
- ctx->pk_nonce,
- md);
+ ctx->pk_init_ctx,
+ &a->req_body,
+ ctx->pk_nonce,
+ md);
#else
krb5_set_error_string(context, "no support for PKINIT compiled in");
return EINVAL;
krb5_creds *creds,
AS_REQ *a,
krb5_kdc_rep *rep,
+ const krb5_krbhst_info *hi,
krb5_keyblock **key)
{
struct pa_info_data paid, *ppaid = NULL;
if (pa && ctx->pk_init_ctx) {
#ifdef PKINIT
ret = _krb5_pk_rd_pa_reply(context,
+ a->req_body.realm,
ctx->pk_init_ctx,
etype,
+ hi,
ctx->pk_nonce,
+ &ctx->req_buffer,
pa,
key);
#else
size_t len;
size_t size;
int send_to_kdc_flags = 0;
+ krb5_krbhst_info *hi = NULL;
+
memset(&md, 0, sizeof(md));
memset(&rep, 0, sizeof(rep));
ctx->pk_nonce = ctx->nonce;
/*
- * Increase counter when we want other pre-auth types then
+ * Increase counter when we want other pre-auth types than
* KRB5_PA_ENC_TIMESTAMP.
*/
#define MAX_PA_COUNTER 3
ctx->pa_counter = 0;
while (ctx->pa_counter < MAX_PA_COUNTER) {
- krb5_data req;
ctx->pa_counter++;
prompter, prompter_data);
if (ret)
goto out;
- ASN1_MALLOC_ENCODE(AS_REQ, req.data, req.length,
+
+ krb5_data_free(&ctx->req_buffer);
+
+ ASN1_MALLOC_ENCODE(AS_REQ,
+ ctx->req_buffer.data, ctx->req_buffer.length,
&ctx->as_req, &len, ret);
if (ret)
goto out;
- if(len != req.length)
+ if(len != ctx->req_buffer.length)
krb5_abortx(context, "internal error in ASN.1 encoder");
- ret = krb5_sendto_kdc_flags (context, &req,
+ ret = krb5_sendto_kdc_flags (context, &ctx->req_buffer,
&creds->client->realm, &resp,
send_to_kdc_flags);
- krb5_data_free(&req);
if (ret)
goto out;
krb5_keyblock *key = NULL;
ret = process_pa_data_to_key(context, ctx, creds,
- &ctx->as_req, &rep, &key);
+ &ctx->as_req, &rep, hi, &key);
if (ret)
goto out;
krb5_free_keyblock(context, key);
}
out:
+ krb5_data_free(&ctx->req_buffer);
free_METHOD_DATA(&md);
memset(&md, 0, sizeof(md));
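Review bot: `hi` is declared as NULL and passed to `process_pa_data_to_key`, but nothing in this hunk assigns it: the `krb5_sendto_kdc_flags` call takes no host-info argument, so the new `hi` parameter added in the `process_pa_data_to_key` hunk above always reaches `_krb5_pk_rd_pa_reply` as NULL unless it is set outside the visible lines. If a NULL `hi` is an accepted "KDC unknown" value in the reply verification, the declaration should say so, e.g. `krb5_krbhst_info *hi = NULL; /* answering KDC; not reported by krb5_sendto_kdc_flags, so always NULL here */`; otherwise the PKINIT reply is checked without the host information the new parameter was meant to supply. Separately, the `krb5_data_free(&ctx->req_buffer)` at the top of the loop and at `out:` relies on the field being zero-initialised when the ctx is set up outside this hunk and on `krb5_data_free` resetting `data`/`length` after freeing, which is worth a one-line comment at the first free. The enclosing function starts outside the hunk.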
case KRB5KDC_ERR_KEY_EXPIRED :
/* try to avoid recursion */
- /* don't try to change password where then where none */
+ /* don't try to change password where there where none */
if (prompter == NULL || ctx.password == NULL)
goto out;
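Review bot: The corrected comment still reads `where there where none`; the second `where` should be `were`, i.e. `/* don't try to change password where there were none */`. The surrounding switch starts outside the hunk.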
return ret;
if (password == NULL &&
- options->private->password == NULL &&
- options->private->pk_init_ctx == NULL)
+ options->opt_private->password == NULL &&
+ options->opt_private->pk_init_ctx == NULL)
{
krb5_prompt prompt;
krb5_data password_data;
password = password_data.data;
}
- if (options->private->password == NULL) {
+ if (options->opt_private->password == NULL) {
ret = krb5_get_init_creds_opt_set_pa_password(context, options,
password, NULL);
if (ret) {