oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Pass context to kdc_log.

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@2664 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Johan Danielsson
1997-08-01 14:47:43 +00:00
parent e26572056e
commit 584eb44cb9
5 changed files with 104 additions and 84 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
kdc/connect.c
View File

@@ -133,7 +133,7 @@ do_request(krb5_context context, void *buf, size_t len,
reply.length = 0; reply.length = 0;
ret = process_request(context, buf, len, &reply, addr, from); ret = process_request(context, buf, len, &reply, addr, from);
if(reply.length){ if(reply.length){
kdc_log(5, "sending %d bytes to %s", reply.length, addr); kdc_log(context, 5, "sending %d bytes to %s", reply.length, addr);
sendto(socket, reply.data, reply.length, 0, from, from_len); sendto(socket, reply.data, reply.length, 0, from, from_len);
krb5_data_free(&reply); krb5_data_free(&reply);
} }

50
kdc/kerberos4.c
View File

@@ -40,6 +40,8 @@
RCSID("$Id$"); RCSID("$Id$");
#ifdef KRB4
static u_int32_t static u_int32_t
swap32(u_int32_t x) swap32(u_int32_t x)
{ {
@@ -97,7 +99,7 @@ do_version4(krb5_context context,
sp = krb5_storage_from_mem(buf, len); sp = krb5_storage_from_mem(buf, len);
RCHECK(krb5_ret_int8(sp, &pvno), out); RCHECK(krb5_ret_int8(sp, &pvno), out);
if(pvno != 4){ if(pvno != 4){
kdc_log(0, "Protocol version mismatch (%d)", pvno); kdc_log(context, 0, "Protocol version mismatch (%d)", pvno);
make_err_reply(reply, KDC_PKT_VER, NULL); make_err_reply(reply, KDC_PKT_VER, NULL);
goto out; goto out;
} }
@@ -115,14 +117,14 @@ do_version4(krb5_context context,
RCHECK(krb5_ret_int8(sp, &life), out1); RCHECK(krb5_ret_int8(sp, &life), out1);
RCHECK(krb5_ret_stringz(sp, &sname), out1); RCHECK(krb5_ret_stringz(sp, &sname), out1);
RCHECK(krb5_ret_stringz(sp, &sinst), out1); RCHECK(krb5_ret_stringz(sp, &sinst), out1);
kdc_log(0, "AS-REQ %s.%s@%s from %s for %s.%s", kdc_log(context, 0, "AS-REQ %s.%s@%s from %s for %s.%s",
name, inst, realm, from, sname, sinst); name, inst, realm, from, sname, sinst);
ret = krb5_425_conv_principal(context, name, inst, realm, ret = krb5_425_conv_principal(context, name, inst, realm,
&client_princ); &client_princ);
if(ret){ if(ret){
kdc_log(0, "Converting client principal: %s", kdc_log(context, 0, "Converting client principal: %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
make_err_reply(reply, KFAILURE, make_err_reply(reply, KFAILURE,
"Failed to convert v4 principal (client)"); "Failed to convert v4 principal (client)");
@@ -132,7 +134,7 @@ do_version4(krb5_context context,
ret = krb5_425_conv_principal(context, sname, sinst, v4_realm, ret = krb5_425_conv_principal(context, sname, sinst, v4_realm,
&server_princ); &server_princ);
if(ret){ if(ret){
kdc_log(0, "Converting server principal: %s", kdc_log(context, 0, "Converting server principal: %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
make_err_reply(reply, KFAILURE, make_err_reply(reply, KFAILURE,
"Failed to convert v4 principal (server)"); "Failed to convert v4 principal (server)");
@@ -141,14 +143,14 @@ do_version4(krb5_context context,
client = db_fetch(context, client_princ); client = db_fetch(context, client_princ);
if(client == NULL){ if(client == NULL){
kdc_log(0, "Client not found in database: %s.%s@%s", kdc_log(context, 0, "Client not found in database: %s.%s@%s",
name, inst, realm); name, inst, realm);
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL); make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL);
goto out1; goto out1;
} }
server = db_fetch(context, server_princ); server = db_fetch(context, server_princ);
if(server == NULL){ if(server == NULL){
kdc_log(0, "Server not found in database: %s.%s@%s", kdc_log(context, 0, "Server not found in database: %s.%s@%s",
sname, sinst, v4_realm); sname, sinst, v4_realm);
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL); make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL);
goto out1; goto out1;
@@ -156,7 +158,7 @@ do_version4(krb5_context context,
ret = hdb_keytype2key(context, client, KEYTYPE_DES, &ckey); ret = hdb_keytype2key(context, client, KEYTYPE_DES, &ckey);
if(ret){ if(ret){
kdc_log(0, "%s", krb5_get_err_text(context, ret)); kdc_log(context, 0, "%s", krb5_get_err_text(context, ret));
/* XXX */ /* XXX */
make_err_reply(reply, KDC_NULL_KEY, make_err_reply(reply, KDC_NULL_KEY,
"No DES key in database (client)"); "No DES key in database (client)");
@@ -167,7 +169,7 @@ do_version4(krb5_context context,
while(ckey->salt == NULL || ckey->salt->length != 0) while(ckey->salt == NULL || ckey->salt->length != 0)
ret = hdb_next_keytype2key(context, client, KEYTYPE_DES, &ckey); ret = hdb_next_keytype2key(context, client, KEYTYPE_DES, &ckey);
if(ret){ if(ret){
kdc_log(0, "No version-4 salted key in database -- %s.%s@%s", kdc_log(context, 0, "No version-4 salted key in database -- %s.%s@%s",
name, inst, realm); name, inst, realm);
make_err_reply(reply, KDC_NULL_KEY, make_err_reply(reply, KDC_NULL_KEY,
"No version-4 salted key in database"); "No version-4 salted key in database");
@@ -176,7 +178,7 @@ do_version4(krb5_context context,
ret = hdb_keytype2key(context, server, KEYTYPE_DES, &skey); ret = hdb_keytype2key(context, server, KEYTYPE_DES, &skey);
if(ret){ if(ret){
kdc_log(0, "%s", krb5_get_err_text(context, ret)); kdc_log(context, 0, "%s", krb5_get_err_text(context, ret));
/* XXX */ /* XXX */
make_err_reply(reply, KDC_NULL_KEY, make_err_reply(reply, KDC_NULL_KEY,
"No DES key in database (server)"); "No DES key in database (server)");
@@ -236,7 +238,7 @@ do_version4(krb5_context context,
ret = krb5_425_conv_principal(context, "krbtgt", realm, v4_realm, ret = krb5_425_conv_principal(context, "krbtgt", realm, v4_realm,
&tgt_princ); &tgt_princ);
if(ret){ if(ret){
kdc_log(0, "Converting krbtgt principal: %s", kdc_log(context, 0, "Converting krbtgt principal: %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
make_err_reply(reply, KFAILURE, make_err_reply(reply, KFAILURE,
"Failed to convert v4 principal (krbtgt)"); "Failed to convert v4 principal (krbtgt)");
@@ -246,7 +248,7 @@ do_version4(krb5_context context,
tgt = db_fetch(context, tgt_princ); tgt = db_fetch(context, tgt_princ);
if(tgt == NULL){ if(tgt == NULL){
char *s; char *s;
s = kdc_log_msg(0, "Ticket-granting ticket not " s = kdc_log_msg(context, 0, "Ticket-granting ticket not "
"found in database: krbtgt.%s@%s", "found in database: krbtgt.%s@%s",
realm, v4_realm); realm, v4_realm);
make_err_reply(reply, KFAILURE, s); make_err_reply(reply, KFAILURE, s);
@@ -260,7 +262,7 @@ do_version4(krb5_context context,
ret = hdb_keytype2key(context, tgt, KEYTYPE_DES, &tkey); ret = hdb_keytype2key(context, tgt, KEYTYPE_DES, &tkey);
if(ret){ if(ret){
kdc_log(0, "%s", krb5_get_err_text(context, ret)); kdc_log(context, 0, "%s", krb5_get_err_text(context, ret));
/* XXX */ /* XXX */
make_err_reply(reply, KDC_NULL_KEY, make_err_reply(reply, KDC_NULL_KEY,
"No DES key in database (krbtgt)"); "No DES key in database (krbtgt)");
@@ -284,7 +286,7 @@ do_version4(krb5_context context,
e = krb_rd_req(&auth, "krbtgt", realm, e = krb_rd_req(&auth, "krbtgt", realm,
addr->sin_addr.s_addr, &ad, 0); addr->sin_addr.s_addr, &ad, 0);
if(e){ if(e){
kdc_log(0, "krb_rd_req: %s", krb_get_err_text(e)); kdc_log(context, 0, "krb_rd_req: %s", krb_get_err_text(e));
make_err_reply(reply, ret, NULL); make_err_reply(reply, ret, NULL);
goto out2; goto out2;
} }
@@ -296,18 +298,18 @@ do_version4(krb5_context context,
RCHECK(krb5_ret_int8(sp, &life), out2); RCHECK(krb5_ret_int8(sp, &life), out2);
RCHECK(krb5_ret_stringz(sp, &sname), out2); RCHECK(krb5_ret_stringz(sp, &sname), out2);
RCHECK(krb5_ret_stringz(sp, &sinst), out2); RCHECK(krb5_ret_stringz(sp, &sinst), out2);
kdc_log(0, "TGS-REQ %s.%s@%s from %s for %s.%s", kdc_log(context, 0, "TGS-REQ %s.%s@%s from %s for %s.%s",
ad.pname, ad.pinst, ad.prealm, from, sname, sinst); ad.pname, ad.pinst, ad.prealm, from, sname, sinst);
if(strcmp(ad.prealm, realm)){ if(strcmp(ad.prealm, realm)){
kdc_log(0, "Can't hop realms %s -> %s", realm, ad.prealm); kdc_log(context, 0, "Can't hop realms %s -> %s", realm, ad.prealm);
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,
"Can't hop realms"); "Can't hop realms");
goto out2; goto out2;
} }
if(strcmp(sname, "changepw") == 0){ if(strcmp(sname, "changepw") == 0){
kdc_log(0, "Bad request for changepw ticket"); kdc_log(context, 0, "Bad request for changepw ticket");
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,
"Can't authorize password change based on TGT"); "Can't authorize password change based on TGT");
goto out2; goto out2;
@@ -316,7 +318,7 @@ do_version4(krb5_context context,
ret = krb5_425_conv_principal(context, ad.pname, ad.pinst, ad.prealm, ret = krb5_425_conv_principal(context, ad.pname, ad.pinst, ad.prealm,
&client_princ); &client_princ);
if(ret){ if(ret){
kdc_log(0, "Converting client principal: %s", kdc_log(context, 0, "Converting client principal: %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
make_err_reply(reply, KFAILURE, make_err_reply(reply, KFAILURE,
"Failed to convert v4 principal (client)"); "Failed to convert v4 principal (client)");
@@ -326,7 +328,8 @@ do_version4(krb5_context context,
client = db_fetch(context, client_princ); client = db_fetch(context, client_princ);
if(client == NULL){ if(client == NULL){
char *s; char *s;
s = kdc_log_msg(0, "Client not found in database: %s.%s@%s", s = kdc_log_msg(context, 0,
"Client not found in database: %s.%s@%s",
ad.pname, ad.pinst, ad.prealm); ad.pname, ad.pinst, ad.prealm);
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s); make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
free(s); free(s);
@@ -336,7 +339,7 @@ do_version4(krb5_context context,
ret = krb5_425_conv_principal(context, sname, sinst, v4_realm, ret = krb5_425_conv_principal(context, sname, sinst, v4_realm,
&server_princ); &server_princ);
if(ret){ if(ret){
kdc_log(0, "Converting server principal: %s", kdc_log(context, 0, "Converting server principal: %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
make_err_reply(reply, KFAILURE, make_err_reply(reply, KFAILURE,
"Failed to convert v4 principal (server)"); "Failed to convert v4 principal (server)");
@@ -345,7 +348,8 @@ do_version4(krb5_context context,
server = db_fetch(context, server_princ); server = db_fetch(context, server_princ);
if(server == NULL){ if(server == NULL){
char *s; char *s;
s = kdc_log_msg(0, "Server not found in database: %s.%s@%s", s = kdc_log_msg(context, 0,
"Server not found in database: %s.%s@%s",
sname, sinst, v4_realm); sname, sinst, v4_realm);
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s); make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
free(s); free(s);
@@ -354,7 +358,7 @@ do_version4(krb5_context context,
ret = hdb_keytype2key(context, server, KEYTYPE_DES, &skey); ret = hdb_keytype2key(context, server, KEYTYPE_DES, &skey);
if(ret){ if(ret){
kdc_log(0, "%s", krb5_get_err_text(context, ret)); kdc_log(context, 0, "%s", krb5_get_err_text(context, ret));
/* XXX */ /* XXX */
make_err_reply(reply, KDC_NULL_KEY, make_err_reply(reply, KDC_NULL_KEY,
"No DES key in database (server)"); "No DES key in database (server)");
@@ -406,7 +410,7 @@ do_version4(krb5_context context,
case AUTH_MSG_ERR_REPLY: case AUTH_MSG_ERR_REPLY:
break; break;
default: default:
kdc_log(0, "Unknown message type: %d from %s", kdc_log(context, 0, "Unknown message type: %d from %s",
msg_type, from); msg_type, from);
make_err_reply(reply, KFAILURE, "Unknown message type"); make_err_reply(reply, KFAILURE, "Unknown message type");
@@ -433,3 +437,5 @@ out:
krb5_storage_free(sp); krb5_storage_free(sp);
return 0; return 0;
} }
#endif

128
kdc/kerberos5.c
View File

@@ -80,14 +80,15 @@ as_rep(krb5_context context,
principalname2krb5_principal (&client_princ, *(b->cname), b->realm); principalname2krb5_principal (&client_princ, *(b->cname), b->realm);
krb5_unparse_name(context, client_princ, &client_name); krb5_unparse_name(context, client_princ, &client_name);
} }
kdc_log(0, "AS-REQ %s from %s for %s", client_name, from, server_name); kdc_log(context, 0, "AS-REQ %s from %s for %s",
client_name, from, server_name);
if(ret) if(ret)
goto out; goto out;
client = db_fetch(context, client_princ); client = db_fetch(context, client_princ);
if(client == NULL){ if(client == NULL){
kdc_log(0, "UNKNOWN -- %s", client_name); kdc_log(context, 0, "UNKNOWN -- %s", client_name);
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto out; goto out;
} }
@@ -95,7 +96,7 @@ as_rep(krb5_context context,
server = db_fetch(context, server_princ); server = db_fetch(context, server_princ);
if(server == NULL){ if(server == NULL){
kdc_log(0, "UNKNOWN -- %s", server_name); kdc_log(context, 0, "UNKNOWN -- %s", server_name);
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto out; goto out;
} }
@@ -103,12 +104,13 @@ as_rep(krb5_context context,
if(!client->flags.client){ if(!client->flags.client){
ret = KRB5KDC_ERR_POLICY; ret = KRB5KDC_ERR_POLICY;
kdc_log(0, "Principal may not act as client -- %s", client_name); kdc_log(context, 0, "Principal may not act as client -- %s",
client_name);
goto out; goto out;
} }
if(!server->flags.server){ if(!server->flags.server){
ret = KRB5KDC_ERR_POLICY; ret = KRB5KDC_ERR_POLICY;
kdc_log(0, "Principal (%s) may not act as server -- %s", kdc_log(context, 0, "Principal (%s) may not act as server -- %s",
server_name, client_name); server_name, client_name);
goto out; goto out;
} }
@@ -126,7 +128,7 @@ as_rep(krb5_context context,
if(ret){ if(ret){
ret = KRB5KDC_ERR_ETYPE_NOSUPP; ret = KRB5KDC_ERR_ETYPE_NOSUPP;
kdc_log(0, "No support for etypes -- %s", client_name); kdc_log(context, 0, "No support for etypes -- %s", client_name);
goto out; goto out;
} }
@@ -139,7 +141,7 @@ as_rep(krb5_context context,
int i; int i;
PA_DATA *pa; PA_DATA *pa;
int found_pa = 0; int found_pa = 0;
kdc_log(5, "Looking for pa-data -- %s", client_name); kdc_log(context, 5, "Looking for pa-data -- %s", client_name);
for(i = 0; i < req->padata->len; i++){ for(i = 0; i < req->padata->len; i++){
PA_DATA *pa = &req->padata->val[i]; PA_DATA *pa = &req->padata->val[i];
if(pa->padata_type == pa_enc_timestamp){ if(pa->padata_type == pa_enc_timestamp){
@@ -149,7 +151,8 @@ as_rep(krb5_context context,
size_t len; size_t len;
EncryptedData enc_data; EncryptedData enc_data;
kdc_log(5, "Found pa-enc-timestamp -- %s", client_name); kdc_log(context, 5, "Found pa-enc-timestamp -- %s",
client_name);
found_pa = 1; found_pa = 1;
ret = decode_EncryptedData(pa->padata_value.data, ret = decode_EncryptedData(pa->padata_value.data,
@@ -158,7 +161,8 @@ as_rep(krb5_context context,
&len); &len);
if (ret) { if (ret) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
kdc_log(5, "Failed to decode PA-DATA -- %s", client_name); kdc_log(context, 5, "Failed to decode PA-DATA -- %s",
client_name);
goto out; goto out;
} }
@@ -174,7 +178,7 @@ as_rep(krb5_context context,
free_EncryptedData(&enc_data); free_EncryptedData(&enc_data);
if(ret){ if(ret){
e_text = "Failed to decrypt PA-DATA"; e_text = "Failed to decrypt PA-DATA";
kdc_log (5, "Failed to decrypt PA-DATA -- %s", kdc_log (context, 5, "Failed to decrypt PA-DATA -- %s",
client_name); client_name);
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
continue; continue;
@@ -187,7 +191,7 @@ as_rep(krb5_context context,
if(ret){ if(ret){
e_text = "Failed to decode PA-ENC-TS-ENC"; e_text = "Failed to decode PA-ENC-TS-ENC";
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
kdc_log (5, "Failed to decode PA-ENC-TS_ENC -- %s", kdc_log (context, 5, "Failed to decode PA-ENC-TS_ENC -- %s",
client_name); client_name);
continue; continue;
} }
@@ -203,14 +207,16 @@ as_rep(krb5_context context,
server_princ, server_princ,
0, 0,
reply); reply);
kdc_log(0, "Too large time skew -- %s", client_name); kdc_log(context, 0, "Too large time skew -- %s",
client_name);
goto out2; goto out2;
} }
et.flags.pre_authent = 1; et.flags.pre_authent = 1;
kdc_log(2, "Pre-authentication succeded -- %s", client_name); kdc_log(context, 2, "Pre-authentication succeded -- %s",
client_name);
break; break;
} else { } else {
kdc_log(5, "Found pa-data of type %d -- %s", kdc_log(context, 5, "Found pa-data of type %d -- %s",
pa->padata_type, client_name); pa->padata_type, client_name);
} }
} }
@@ -220,7 +226,7 @@ as_rep(krb5_context context,
/* We come here if we found a pa-enc-timestamp, but if there /* We come here if we found a pa-enc-timestamp, but if there
was some problem with it, other than too large skew */ was some problem with it, other than too large skew */
if(et.flags.pre_authent == 0){ if(et.flags.pre_authent == 0){
kdc_log(0, "%s -- %s", e_text, client_name); kdc_log(context, 0, "%s -- %s", e_text, client_name);
e_text = NULL; e_text = NULL;
goto out; goto out;
} }
@@ -256,11 +262,11 @@ as_rep(krb5_context context,
0, 0,
reply); reply);
kdc_log(0, "No PA-ENC-TIMESTAMP -- %s", client_name); kdc_log(context, 0, "No PA-ENC-TIMESTAMP -- %s", client_name);
goto out2; goto out2;
} }
kdc_log(2, "Using etype %d -- %s", etype, client_name); kdc_log(context, 2, "Using etype %d -- %s", etype, client_name);
memset(&rep, 0, sizeof(rep)); memset(&rep, 0, sizeof(rep));
rep.pvno = 5; rep.pvno = 5;
@@ -273,7 +279,7 @@ as_rep(krb5_context context,
if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey){ if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey){
ret = KRB5KDC_ERR_BADOPTION; ret = KRB5KDC_ERR_BADOPTION;
kdc_log(0, "Bad KDC options -- %s", client_name); kdc_log(context, 0, "Bad KDC options -- %s", client_name);
goto out; goto out;
} }
@@ -282,21 +288,21 @@ as_rep(krb5_context context,
et.flags.forwardable = f.forwardable; et.flags.forwardable = f.forwardable;
else{ else{
ret = KRB5KDC_ERR_POLICY; ret = KRB5KDC_ERR_POLICY;
kdc_log(0, "Ticket may not be forwardable -- %s", client_name); kdc_log(context, 0, "Ticket may not be forwardable -- %s", client_name);
goto out; goto out;
} }
if(client->flags.proxiable && server->flags.proxiable) if(client->flags.proxiable && server->flags.proxiable)
et.flags.proxiable = f.proxiable; et.flags.proxiable = f.proxiable;
else{ else{
ret = KRB5KDC_ERR_POLICY; ret = KRB5KDC_ERR_POLICY;
kdc_log(0, "Ticket may not be proxiable -- %s", client_name); kdc_log(context, 0, "Ticket may not be proxiable -- %s", client_name);
goto out; goto out;
} }
if(client->flags.postdate && server->flags.postdate) if(client->flags.postdate && server->flags.postdate)
et.flags.may_postdate = f.allow_postdate; et.flags.may_postdate = f.allow_postdate;
else{ else{
ret = KRB5KDC_ERR_POLICY; ret = KRB5KDC_ERR_POLICY;
kdc_log(0, "Ticket may not be postdatable -- %s", client_name); kdc_log(context, 0, "Ticket may not be postdatable -- %s", client_name);
goto out; goto out;
} }
@@ -315,7 +321,8 @@ as_rep(krb5_context context,
start = *et.starttime = *req->req_body.from; start = *et.starttime = *req->req_body.from;
et.flags.invalid = 1; et.flags.invalid = 1;
et.flags.postdated = 1; /* XXX ??? */ et.flags.postdated = 1; /* XXX ??? */
kdc_log(2, "Postdated ticket requested -- %s", client_name); kdc_log(context, 2, "Postdated ticket requested -- %s",
client_name);
} }
if(b->till == 0) if(b->till == 0)
b->till = MAX_TIME; b->till = MAX_TIME;
@@ -360,7 +367,13 @@ as_rep(krb5_context context,
} }
copy_EncryptionKey(&et.key, &ek.key); copy_EncryptionKey(&et.key, &ek.key);
/* MIT must have at least one last_req */
/* The MIT ASN.1 library (obviously) doesn't tell lengths encoded
* as 0 and as 0x80 (meaning indefinite length) apart, and is thus
* incapable to correctly decode vectors of zero length.
*
* To fix this, always send at least one no-op last_req
*/
ek.last_req.len = 1; ek.last_req.len = 1;
ALLOC(ek.last_req.val); ALLOC(ek.last_req.val);
ek.last_req.val->lr_type = 0; ek.last_req.val->lr_type = 0;
@@ -394,7 +407,7 @@ as_rep(krb5_context context,
&et, &len); &et, &len);
free_EncTicketPart(&et); free_EncTicketPart(&et);
if(ret) { if(ret) {
kdc_log(0, "Failed to encode ticket -- %s", client); kdc_log(context, 0, "Failed to encode ticket -- %s", client);
goto out; goto out;
} }
@@ -411,7 +424,7 @@ as_rep(krb5_context context,
&ek, &len); &ek, &len);
free_EncKDCRepPart(&ek); free_EncKDCRepPart(&ek);
if(ret) { if(ret) {
kdc_log(0, "Failed to encode KDC-REP -- %s", client_name); kdc_log(context, 0, "Failed to encode KDC-REP -- %s", client_name);
goto out; goto out;
} }
ekey = unseal_key(ckey); ekey = unseal_key(ckey);
@@ -433,7 +446,7 @@ as_rep(krb5_context context,
ret = encode_AS_REP(buf + sizeof(buf) - 1, sizeof(buf), &rep, &len); ret = encode_AS_REP(buf + sizeof(buf) - 1, sizeof(buf), &rep, &len);
free_AS_REP(&rep); free_AS_REP(&rep);
if(ret) { if(ret) {
kdc_log(0, "Failed to encode AS-REP -- %s", client_name); kdc_log(context, 0, "Failed to encode AS-REP -- %s", client_name);
goto out; goto out;
} }
@@ -476,30 +489,30 @@ check_tgs_flags(krb5_context context, KDC_REQ_BODY *b,
if(f.validate){ if(f.validate){
if(!tgt->flags.invalid || tgt->starttime == NULL){ if(!tgt->flags.invalid || tgt->starttime == NULL){
kdc_log(0, "Bad request to validate ticket"); kdc_log(context, 0, "Bad request to validate ticket");
return KRB5KDC_ERR_BADOPTION; return KRB5KDC_ERR_BADOPTION;
} }
if(*tgt->starttime < kdc_time){ if(*tgt->starttime < kdc_time){
kdc_log(0, "Early request to validate ticket"); kdc_log(context, 0, "Early request to validate ticket");
return KRB5KRB_AP_ERR_TKT_NYV; return KRB5KRB_AP_ERR_TKT_NYV;
} }
/* XXX tkt = tgt */ /* XXX tkt = tgt */
et->flags.invalid = 0; et->flags.invalid = 0;
}else if(tgt->flags.invalid){ }else if(tgt->flags.invalid){
kdc_log(0, "Ticket-granting ticket has INVALID flag set"); kdc_log(context, 0, "Ticket-granting ticket has INVALID flag set");
return KRB5KRB_AP_ERR_TKT_INVALID; return KRB5KRB_AP_ERR_TKT_INVALID;
} }
if(f.forwardable){ if(f.forwardable){
if(!tgt->flags.forwardable){ if(!tgt->flags.forwardable){
kdc_log(0, "Bad request for forwardable ticket"); kdc_log(context, 0, "Bad request for forwardable ticket");
return KRB5KDC_ERR_BADOPTION; return KRB5KDC_ERR_BADOPTION;
} }
et->flags.forwardable = 1; et->flags.forwardable = 1;
} }
if(f.forwarded){ if(f.forwarded){
if(!tgt->flags.forwardable){ if(!tgt->flags.forwardable){
kdc_log(0, "Request to forward non-forwardable ticket"); kdc_log(context, 0, "Request to forward non-forwardable ticket");
return KRB5KDC_ERR_BADOPTION; return KRB5KDC_ERR_BADOPTION;
} }
et->flags.forwarded = 1; et->flags.forwarded = 1;
@@ -510,14 +523,14 @@ check_tgs_flags(krb5_context context, KDC_REQ_BODY *b,
if(f.proxiable){ if(f.proxiable){
if(!tgt->flags.proxiable){ if(!tgt->flags.proxiable){
kdc_log(0, "Bad request for proxiable ticket"); kdc_log(context, 0, "Bad request for proxiable ticket");
return KRB5KDC_ERR_BADOPTION; return KRB5KDC_ERR_BADOPTION;
} }
et->flags.proxiable = 1; et->flags.proxiable = 1;
} }
if(f.proxy){ if(f.proxy){
if(!tgt->flags.proxiable){ if(!tgt->flags.proxiable){
kdc_log(0, "Request to proxy non-proxiable ticket"); kdc_log(context, 0, "Request to proxy non-proxiable ticket");
return KRB5KDC_ERR_BADOPTION; return KRB5KDC_ERR_BADOPTION;
} }
et->flags.proxy = 1; et->flags.proxy = 1;
@@ -528,14 +541,14 @@ check_tgs_flags(krb5_context context, KDC_REQ_BODY *b,
if(f.allow_postdate){ if(f.allow_postdate){
if(!tgt->flags.may_postdate){ if(!tgt->flags.may_postdate){
kdc_log(0, "Bad request for post-datable ticket"); kdc_log(context, 0, "Bad request for post-datable ticket");
return KRB5KDC_ERR_BADOPTION; return KRB5KDC_ERR_BADOPTION;
} }
et->flags.may_postdate = 1; et->flags.may_postdate = 1;
} }
if(f.postdated){ if(f.postdated){
if(!tgt->flags.may_postdate){ if(!tgt->flags.may_postdate){
kdc_log(0, "Bad request for postdated ticket"); kdc_log(context, 0, "Bad request for postdated ticket");
return KRB5KDC_ERR_BADOPTION; return KRB5KDC_ERR_BADOPTION;
} }
if(b->from) if(b->from)
@@ -543,13 +556,13 @@ check_tgs_flags(krb5_context context, KDC_REQ_BODY *b,
et->flags.postdated = 1; et->flags.postdated = 1;
et->flags.invalid = 1; et->flags.invalid = 1;
}else if(b->from && *b->from > kdc_time + context->max_skew){ }else if(b->from && *b->from > kdc_time + context->max_skew){
kdc_log(0, "Ticket cannot be postdated"); kdc_log(context, 0, "Ticket cannot be postdated");
return KRB5KDC_ERR_CANNOT_POSTDATE; return KRB5KDC_ERR_CANNOT_POSTDATE;
} }
if(f.renewable){ if(f.renewable){
if(!tgt->flags.renewable){ if(!tgt->flags.renewable){
kdc_log(0, "Bad request for renewable ticket"); kdc_log(context, 0, "Bad request for renewable ticket");
return KRB5KDC_ERR_BADOPTION; return KRB5KDC_ERR_BADOPTION;
} }
et->flags.renewable = 1; et->flags.renewable = 1;
@@ -559,7 +572,7 @@ check_tgs_flags(krb5_context context, KDC_REQ_BODY *b,
if(f.renew){ if(f.renew){
time_t old_life; time_t old_life;
if(!tgt->flags.renewable || tgt->renew_till == NULL){ if(!tgt->flags.renewable || tgt->renew_till == NULL){
kdc_log(0, "Request to renew non-renewable ticket"); kdc_log(context, 0, "Request to renew non-renewable ticket");
return KRB5KDC_ERR_BADOPTION; return KRB5KDC_ERR_BADOPTION;
} }
old_life = tgt->endtime; old_life = tgt->endtime;
@@ -595,7 +608,7 @@ tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, EncTicketPart *tgt,
} }
if(ret){ if(ret){
kdc_log(0, "Failed to find requested etype"); kdc_log(context, 0, "Failed to find requested etype");
return KRB5KDC_ERR_ETYPE_NOSUPP; return KRB5KDC_ERR_ETYPE_NOSUPP;
} }
@@ -704,7 +717,7 @@ tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, EncTicketPart *tgt,
ret = encode_EncTicketPart(buf + sizeof(buf) - 1, ret = encode_EncTicketPart(buf + sizeof(buf) - 1,
sizeof(buf), &et, &len); sizeof(buf), &et, &len);
if(ret){ if(ret){
kdc_log(0, "Failed to encode EncTicketPart: %s", kdc_log(context, 0, "Failed to encode EncTicketPart: %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
goto out; goto out;
} }
@@ -718,7 +731,7 @@ tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, EncTicketPart *tgt,
ret = encode_EncTGSRepPart(buf + sizeof(buf) - 1, ret = encode_EncTGSRepPart(buf + sizeof(buf) - 1,
sizeof(buf), &ek, &len); sizeof(buf), &ek, &len);
if(ret){ if(ret){
kdc_log(0, "Failed to encode EncTicketPart: %s", kdc_log(context, 0, "Failed to encode EncTicketPart: %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
goto out; goto out;
} }
@@ -743,7 +756,7 @@ tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, EncTicketPart *tgt,
ret = encode_TGS_REP(buf + sizeof(buf) - 1, sizeof(buf), &rep, &len); ret = encode_TGS_REP(buf + sizeof(buf) - 1, sizeof(buf), &rep, &len);
if(ret){ if(ret){
kdc_log(0, "Failed to encode TGS-REP: %s", kdc_log(context, 0, "Failed to encode TGS-REP: %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
goto out; goto out;
} }
@@ -772,7 +785,7 @@ tgs_check_authenticator(krb5_context context, krb5_auth_context ac,
krb5_auth_getauthenticator(context, ac, &auth); krb5_auth_getauthenticator(context, ac, &auth);
if(auth->cksum == NULL){ if(auth->cksum == NULL){
kdc_log(0, "No authenticator in request"); kdc_log(context, 0, "No authenticator in request");
ret = KRB5KRB_AP_ERR_INAPP_CKSUM; ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
goto out; goto out;
} }
@@ -780,7 +793,7 @@ tgs_check_authenticator(krb5_context context, krb5_auth_context ac,
if (auth->cksum->cksumtype != CKSUMTYPE_RSA_MD4 && if (auth->cksum->cksumtype != CKSUMTYPE_RSA_MD4 &&
auth->cksum->cksumtype != CKSUMTYPE_RSA_MD5 && auth->cksum->cksumtype != CKSUMTYPE_RSA_MD5 &&
auth->cksum->cksumtype != CKSUMTYPE_RSA_MD5_DES){ auth->cksum->cksumtype != CKSUMTYPE_RSA_MD5_DES){
kdc_log(0, "Bad checksum type in authenticator: %d", kdc_log(context, 0, "Bad checksum type in authenticator: %d",
auth->cksum->cksumtype); auth->cksum->cksumtype);
ret = KRB5KRB_AP_ERR_INAPP_CKSUM; ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
goto out; goto out;
@@ -790,7 +803,7 @@ tgs_check_authenticator(krb5_context context, krb5_auth_context ac,
ret = encode_KDC_REQ_BODY(buf + sizeof(buf) - 1, sizeof(buf), ret = encode_KDC_REQ_BODY(buf + sizeof(buf) - 1, sizeof(buf),
b, &len); b, &len);
if(ret){ if(ret){
kdc_log(0, "Failed to encode KDC-REQ-BODY: %s", kdc_log(context, 0, "Failed to encode KDC-REQ-BODY: %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
goto out; goto out;
} }
@@ -798,7 +811,7 @@ tgs_check_authenticator(krb5_context context, krb5_auth_context ac,
key, key,
auth->cksum); auth->cksum);
if(ret){ if(ret){
kdc_log(0, "Failed to verify checksum: %s", kdc_log(context, 0, "Failed to verify checksum: %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
} }
out: out:
@@ -833,14 +846,14 @@ tgs_rep2(krb5_context context,
ret = krb5_decode_ap_req(context, &pa_data->padata_value, &ap_req); ret = krb5_decode_ap_req(context, &pa_data->padata_value, &ap_req);
if(ret){ if(ret){
kdc_log(0, "Failed to decode AP-REQ: %s", kdc_log(context, 0, "Failed to decode AP-REQ: %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
goto out; goto out;
} }
if(ap_req.ticket.sname.name_string.len != 2 || if(ap_req.ticket.sname.name_string.len != 2 ||
strcmp(ap_req.ticket.sname.name_string.val[0], "krbtgt")){ strcmp(ap_req.ticket.sname.name_string.val[0], "krbtgt")){
kdc_log(0, "PA-DATA is not a ticket-granting ticket"); kdc_log(context, 0, "PA-DATA is not a ticket-granting ticket");
ret = KRB5KDC_ERR_POLICY; /* ? */ ret = KRB5KDC_ERR_POLICY; /* ? */
goto out; goto out;
} }
@@ -854,7 +867,8 @@ tgs_rep2(krb5_context context,
if(krbtgt == NULL) { if(krbtgt == NULL) {
char *p; char *p;
krb5_unparse_name(context, princ, &p); krb5_unparse_name(context, princ, &p);
kdc_log(0, "Ticket-granting ticket not found in database: %s", p); kdc_log(context, 0, "Ticket-granting ticket not found in database: %s",
p);
free(p); free(p);
ret = KRB5KRB_AP_ERR_NOT_US; ret = KRB5KRB_AP_ERR_NOT_US;
goto out; goto out;
@@ -872,7 +886,7 @@ tgs_rep2(krb5_context context,
krb5_free_principal(context, princ); krb5_free_principal(context, princ);
if(ret) { if(ret) {
kdc_log(0, "Failed to verify AP-REQ: %s", kdc_log(context, 0, "Failed to verify AP-REQ: %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
goto out; goto out;
} }
@@ -884,7 +898,7 @@ tgs_rep2(krb5_context context,
krb5_auth_con_free(context, ac); krb5_auth_con_free(context, ac);
if(ret){ if(ret){
kdc_log(0, "Failed to verify authenticator: %s", kdc_log(context, 0, "Failed to verify authenticator: %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
goto out; goto out;
} }
@@ -928,17 +942,17 @@ tgs_rep2(krb5_context context,
krb5_unparse_name(context, cp, &cpn); krb5_unparse_name(context, cp, &cpn);
client = db_fetch(context, cp); client = db_fetch(context, cp);
kdc_log(0, "TGS-REQ %s from %s for %s", cpn, from, spn); kdc_log(context, 0, "TGS-REQ %s from %s for %s", cpn, from, spn);
if(server == NULL){ if(server == NULL){
kdc_log(0, "Server not found in database: %s", spn); kdc_log(context, 0, "Server not found in database: %s", spn);
/* do foreign realm stuff */ /* do foreign realm stuff */
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto out; goto out;
} }
if(client == NULL){ if(client == NULL){
kdc_log(0, "Client not found in database: %s", cpn); kdc_log(context, 0, "Client not found in database: %s", cpn);
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto out; goto out;
} }
@@ -947,7 +961,7 @@ tgs_rep2(krb5_context context,
!krb5_principal_compare(context, !krb5_principal_compare(context,
krbtgt->principal, krbtgt->principal,
server->principal)){ server->principal)){
kdc_log(0, "Inconsistent request."); kdc_log(context, 0, "Inconsistent request.");
ret = KRB5KDC_ERR_SERVER_NOMATCH; ret = KRB5KDC_ERR_SERVER_NOMATCH;
goto out; goto out;
} }
@@ -1026,7 +1040,7 @@ tgs_rep(krb5_context context,
if(req->padata == NULL){ if(req->padata == NULL){
ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */ ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
kdc_log(0, "TGS-REQ from %s without PA-DATA", from); kdc_log(context, 0, "TGS-REQ from %s without PA-DATA", from);
goto out; goto out;
} }
@@ -1038,7 +1052,7 @@ tgs_rep(krb5_context context,
if(pa_data == NULL){ if(pa_data == NULL){
ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
kdc_log(0, "TGS-REQ from %s without PA-TGS-REQ", from); kdc_log(context, 0, "TGS-REQ from %s without PA-TGS-REQ", from);
goto out; goto out;
} }
ret = tgs_rep2(context, &req->req_body, server, pa_data, data, from); ret = tgs_rep2(context, &req->req_body, server, pa_data, data, from);

6
kdc/main.c
View File

@@ -71,15 +71,15 @@ main(int argc, char **argv)
EncryptionKey key; EncryptionKey key;
f = fopen(keyfile, "r"); f = fopen(keyfile, "r");
if(f == NULL){ if(f == NULL){
kdc_log(0, "Failed to open master key file %s", kdc_log(context, 0, "Failed to open master key file %s",
keyfile); keyfile);
exit(1); exit(1);
} }
len = fread(buf, 1, sizeof(buf), f); len = fread(buf, 1, sizeof(buf), f);
fclose(f); fclose(f);
if(decode_EncryptionKey(buf, len, &key, &len)){ if(decode_EncryptionKey(buf, len, &key, &len)){
kdc_log(0, "Failed to parse contents of master key file %s", kdc_log(context, 0,
keyfile); "Failed to parse contents of master key file %s", keyfile);
exit(1); exit(1);
} }
set_master_key(&key); set_master_key(&key);

2
kdc/misc.c
View File

@@ -51,7 +51,7 @@ db_fetch(krb5_context context, krb5_principal principal)
ret = hdb_open(context, &db, NULL, O_RDONLY, 0); ret = hdb_open(context, &db, NULL, O_RDONLY, 0);
if (ret) { if (ret) {
kdc_log(0, "Failed to open database: %s", kdc_log(context, 0, "Failed to open database: %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
return NULL; return NULL;
} }