oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Merge in the libkdc/kdc configuration split from Andrew Bartlet <abartlet@samba.org>

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15529 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2005-06-30 01:03:35 +00:00
parent 3fe2a9b92f
commit 7132a9b084
18 changed files with 1204 additions and 730 deletions
Download Patch File Download Diff File Expand all files Collapse all files

109
kdc/524.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright (c) 1997-2003 Kungliga Tekniska H<>gskolan
* Copyright (c) 1997-2005 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -43,7 +43,9 @@ RCSID("$Id$");
*/
static krb5_error_code
fetch_server (const Ticket *t,
fetch_server (krb5_context context,
struct krb5_kdc_configuration *config,
const Ticket *t,
char **spn,
hdb_entry **server,
const char *from)
@@ -53,20 +55,21 @@ fetch_server (const Ticket *t,
ret = _krb5_principalname2krb5_principal(&sprinc, t->sname, t->realm);
if (ret) {
kdc_log(0, "_krb5_principalname2krb5_principal: %s",
kdc_log(context, config, 0, "_krb5_principalname2krb5_principal: %s",
krb5_get_err_text(context, ret));
return ret;
}
ret = krb5_unparse_name(context, sprinc, spn);
if (ret) {
krb5_free_principal(context, sprinc);
kdc_log(0, "krb5_unparse_name: %s", krb5_get_err_text(context, ret));
kdc_log(context, config, 0, "krb5_unparse_name: %s",
krb5_get_err_text(context, ret));
return ret;
}
ret = db_fetch(sprinc, server);
ret = db_fetch(context, config, sprinc, server);
krb5_free_principal(context, sprinc);
if (ret) {
kdc_log(0,
kdc_log(context, config, 0,
"Request to convert ticket from %s for unknown principal %s: %s",
from, *spn, krb5_get_err_text(context, ret));
if (ret == HDB_ERR_NOENTRY)
@@ -77,7 +80,9 @@ fetch_server (const Ticket *t,
}
static krb5_error_code
log_524 (const EncTicketPart *et,
log_524 (krb5_context context,
struct krb5_kdc_configuration *config,
const EncTicketPart *et,
const char *from,
const char *spn)
{
@@ -87,33 +92,35 @@ log_524 (const EncTicketPart *et,
ret = _krb5_principalname2krb5_principal(&client, et->cname, et->crealm);
if (ret) {
kdc_log(0, "_krb5_principalname2krb5_principal: %s",
kdc_log(context, config, 0, "_krb5_principalname2krb5_principal: %s",
krb5_get_err_text (context, ret));
return ret;
}
ret = krb5_unparse_name(context, client, &cpn);
if (ret) {
krb5_free_principal(context, client);
kdc_log(0, "krb5_unparse_name: %s",
kdc_log(context, config, 0, "krb5_unparse_name: %s",
krb5_get_err_text (context, ret));
return ret;
}
kdc_log(1, "524-REQ %s from %s for %s", cpn, from, spn);
kdc_log(context, config, 1, "524-REQ %s from %s for %s", cpn, from, spn);
free(cpn);
krb5_free_principal(context, client);
return 0;
}
static krb5_error_code
verify_flags (const EncTicketPart *et,
verify_flags (krb5_context context,
struct krb5_kdc_configuration *config,
const EncTicketPart *et,
const char *spn)
{
if(et->endtime < kdc_time){
kdc_log(0, "Ticket expired (%s)", spn);
kdc_log(context, config, 0, "Ticket expired (%s)", spn);
return KRB5KRB_AP_ERR_TKT_EXPIRED;
}
if(et->flags.invalid){
kdc_log(0, "Ticket not valid (%s)", spn);
kdc_log(context, config, 0, "Ticket not valid (%s)", spn);
return KRB5KRB_AP_ERR_TKT_NYV;
}
return 0;
@@ -125,7 +132,9 @@ verify_flags (const EncTicketPart *et,
*/
static krb5_error_code
set_address (EncTicketPart *et,
set_address (krb5_context context,
struct krb5_kdc_configuration *config,
EncTicketPart *et,
struct sockaddr *addr,
const char *from)
{
@@ -139,12 +148,12 @@ set_address (EncTicketPart *et,
ret = krb5_sockaddr2address(context, addr, v4_addr);
if(ret) {
free (v4_addr);
kdc_log(0, "Failed to convert address (%s)", from);
kdc_log(context, config, 0, "Failed to convert address (%s)", from);
return ret;
}
if (et->caddr && !krb5_address_search (context, v4_addr, et->caddr)) {
kdc_log(0, "Incorrect network address (%s)", from);
kdc_log(context, config, 0, "Incorrect network address (%s)", from);
krb5_free_address(context, v4_addr);
free (v4_addr);
return KRB5KRB_AP_ERR_BADADDR;
@@ -175,7 +184,9 @@ set_address (EncTicketPart *et,
static krb5_error_code
encrypt_v4_ticket(void *buf,
encrypt_v4_ticket(krb5_context context,
struct krb5_kdc_configuration *config,
void *buf,
size_t len,
krb5_keyblock *skey,
EncryptedData *reply)
@@ -185,7 +196,7 @@ encrypt_v4_ticket(void *buf,
ret = krb5_crypto_init(context, skey, ETYPE_DES_PCBC_NONE, &crypto);
if (ret) {
free(buf);
kdc_log(0, "krb5_crypto_init failed: %s",
kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
krb5_get_err_text(context, ret));
return ret;
}
@@ -199,7 +210,7 @@ encrypt_v4_ticket(void *buf,
reply);
krb5_crypto_destroy(context, crypto);
if(ret) {
kdc_log(0, "Failed to encrypt data: %s",
kdc_log(context, config, 0, "Failed to encrypt data: %s",
krb5_get_err_text(context, ret));
return ret;
}
@@ -207,7 +218,9 @@ encrypt_v4_ticket(void *buf,
}
static krb5_error_code
encode_524_response(const char *spn, const EncTicketPart et, const Ticket *t,
encode_524_response(krb5_context context,
struct krb5_kdc_configuration *config,
const char *spn, const EncTicketPart et, const Ticket *t,
hdb_entry *server, EncryptedData *ticket, int *kvno)
{
krb5_error_code ret;
@@ -221,7 +234,8 @@ encode_524_response(const char *spn, const EncTicketPart et, const Ticket *t,
&t->enc_part, &len, ret);
if (ret) {
kdc_log(0, "Failed to encode v4 (2b) ticket (%s)", spn);
kdc_log(context, config, 0,
"Failed to encode v4 (2b) ticket (%s)", spn);
return ret;
}
@@ -232,27 +246,31 @@ encode_524_response(const char *spn, const EncTicketPart et, const Ticket *t,
unsigned char buf[MAX_KTXT_LEN + 4 * 4];
Key *skey;
if (!enable_v4_cross_realm && strcmp (et.crealm, t->realm) != 0) {
kdc_log(0, "524 cross-realm %s -> %s disabled", et.crealm,
if (!config->enable_v4_cross_realm && strcmp (et.crealm, t->realm) != 0) {
kdc_log(context, config, 0, "524 cross-realm %s -> %s disabled", et.crealm,
t->realm);
return KRB5KDC_ERR_POLICY;
}
ret = encode_v4_ticket(buf + sizeof(buf) - 1, sizeof(buf),
ret = encode_v4_ticket(context, config,
buf + sizeof(buf) - 1, sizeof(buf),
&et, &t->sname, &len);
if(ret){
kdc_log(0, "Failed to encode v4 ticket (%s)", spn);
kdc_log(context, config, 0,
"Failed to encode v4 ticket (%s)", spn);
return ret;
}
ret = get_des_key(server, TRUE, FALSE, &skey);
ret = get_des_key(context, server, TRUE, FALSE, &skey);
if(ret){
kdc_log(0, "no suitable DES key for server (%s)", spn);
kdc_log(context, config, 0,
"no suitable DES key for server (%s)", spn);
return ret;
}
ret = encrypt_v4_ticket(buf + sizeof(buf) - len, len,
ret = encrypt_v4_ticket(context, config, buf + sizeof(buf) - len, len,
&skey->key, ticket);
if(ret){
kdc_log(0, "Failed to encrypt v4 ticket (%s)", spn);
kdc_log(context, config, 0,
"Failed to encrypt v4 ticket (%s)", spn);
return ret;
}
*kvno = server->kvno;
@@ -267,7 +285,9 @@ encode_524_response(const char *spn, const EncTicketPart et, const Ticket *t,
*/
krb5_error_code
do_524(const Ticket *t, krb5_data *reply,
do_524(krb5_context context,
struct krb5_kdc_configuration *config,
const Ticket *t, krb5_data *reply,
const char *from, struct sockaddr *addr)
{
krb5_error_code ret = 0;
@@ -283,25 +303,27 @@ do_524(const Ticket *t, krb5_data *reply,
size_t len;
int kvno = 0;
if(!enable_524) {
if(!config->enable_524) {
ret = KRB5KDC_ERR_POLICY;
kdc_log(0, "Rejected ticket conversion request from %s", from);
kdc_log(context, config, 0,
"Rejected ticket conversion request from %s", from);
goto out;
}
ret = fetch_server (t, &spn, &server, from);
ret = fetch_server (context, config, t, &spn, &server, from);
if (ret) {
goto out;
}
ret = hdb_enctype2key(context, server, t->enc_part.etype, &skey);
if(ret){
kdc_log(0, "No suitable key found for server (%s) from %s", spn, from);
kdc_log(context, config, 0,
"No suitable key found for server (%s) from %s", spn, from);
goto out;
}
ret = krb5_crypto_init(context, &skey->key, 0, &crypto);
if (ret) {
kdc_log(0, "krb5_crypto_init failed: %s",
kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
krb5_get_err_text(context, ret));
goto out;
}
@@ -312,36 +334,39 @@ do_524(const Ticket *t, krb5_data *reply,
&et_data);
krb5_crypto_destroy(context, crypto);
if(ret){
kdc_log(0, "Failed to decrypt ticket from %s for %s", from, spn);
kdc_log(context, config, 0,
"Failed to decrypt ticket from %s for %s", from, spn);
goto out;
}
ret = krb5_decode_EncTicketPart(context, et_data.data, et_data.length,
&et, &len);
krb5_data_free(&et_data);
if(ret){
kdc_log(0, "Failed to decode ticket from %s for %s", from, spn);
kdc_log(context, config, 0,
"Failed to decode ticket from %s for %s", from, spn);
goto out;
}
ret = log_524 (&et, from, spn);
ret = log_524 (context, config, &et, from, spn);
if (ret) {
free_EncTicketPart(&et);
goto out;
}
ret = verify_flags (&et, spn);
ret = verify_flags (context, config, &et, spn);
if (ret) {
free_EncTicketPart(&et);
goto out;
}
ret = set_address (&et, addr, from);
ret = set_address (context, config, &et, addr, from);
if (ret) {
free_EncTicketPart(&et);
goto out;
}
ret = encode_524_response(spn, et, t, server, &ticket, &kvno);
ret = encode_524_response(context, config, spn, et, t,
server, &ticket, &kvno);
free_EncTicketPart(&et);
out:
@@ -364,6 +389,6 @@ out:
if(spn)
free(spn);
if(server)
free_ent (server);
free_ent (context, server);
return ret;
}

25
kdc/Makefile.am
View File

@@ -4,6 +4,8 @@ include $(top_srcdir)/Makefile.am.common
AM_CPPFLAGS += $(INCLUDE_krb4) $(INCLUDE_des) -I$(srcdir)/../lib/krb5
lib_LTLIBRARIES = libkdc.la
bin_PROGRAMS = string2key
sbin_PROGRAMS = kstash
@@ -19,20 +21,24 @@ kstash_SOURCES = kstash.c headers.h
string2key_SOURCES = string2key.c headers.h
kdc_SOURCES = \
kdc_SOURCES = connect.c \
config.c \
connect.c \
main.c
libkdc_la_SOURCES = \
default_config.c \
kdc_locl.h \
kerberos5.c \
pkinit.c \
log.c \
main.c \
misc.c \
524.c \
kerberos4.c \
kaserver.c \
process.c \
rx.h
libkdc_la_LDFLAGS = -version-info 1:0:0 -Wl,--version-script,./exports
hprop_LDADD = \
$(top_builddir)/lib/hdb/libhdb.la \
@@ -54,6 +60,16 @@ hpropd_LDADD = \
$(LIB_roken) \
$(DBLIB)
libkdc_la_LIBADD = \
$(top_builddir)/lib/hdb/libhdb.la \
$(LIB_openldap) \
$(top_builddir)/lib/krb5/libkrb5.la \
$(LIB_kdb) $(LIB_krb4) \
$(LIB_des) \
$(top_builddir)/lib/asn1/libasn1.la \
$(LIB_roken) \
$(DBLIB)
LDADD = $(top_builddir)/lib/hdb/libhdb.la \
$(LIB_openldap) \
$(top_builddir)/lib/krb5/libkrb5.la \
@@ -63,5 +79,6 @@ LDADD = $(top_builddir)/lib/hdb/libhdb.la \
$(LIB_roken) \
$(DBLIB)
kdc_LDADD = $(LDADD) $(LIB_pidfile)
kdc_LDADD = libkdc.la $(LIB_pidfile)
include_HEADERS = kdc.h

307
kdc/config.c
View File

@@ -1,6 +1,7 @@
/*
* Copyright (c) 1997-2004 Kungliga Tekniska H<>gskolan
* Copyright (c) 1997-2005 Kungliga Tekniska H<>skolan
* (Royal Institute of Technology, Stockholm, Sweden).
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -37,50 +38,34 @@
RCSID("$Id$");
struct dbinfo {
char *realm;
char *dbname;
char *mkey_file;
struct dbinfo *next;
};
static const char *config_file; /* location of kdc config file */
int require_preauth = -1; /* 1 == require preauth for all principals */
size_t max_request; /* maximal size of a request */
static int require_preauth = -1; /* 1 == require preauth for all principals */
static char *max_request_str; /* `max_request' as a string */
time_t kdc_warn_pwexpire; /* time before expiration to print a warning */
struct dbinfo *databases;
HDB **db;
int num_db;
const char *port_str;
int detach_from_console = -1;
#define DETACH_IS_DEFAULT FALSE
int enable_http = -1;
krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */
krb5_boolean check_ticket_addresses;
krb5_boolean allow_null_ticket_addresses;
krb5_boolean allow_anonymous;
int trpolicy;
static const char *trpolicy_str;
static struct getarg_strings addresses_str; /* addresses to listen on */
krb5_addresses explicit_addresses;
static int disable_des = -1;
char *v4_realm;
int enable_v4 = -1;
int enable_kaserver = -1;
int enable_524 = -1;
int enable_v4_cross_realm = -1;
static int enable_v4 = -1;
static int enable_kaserver = -1;
static int enable_524 = -1;
static int enable_v4_cross_realm = -1;
static int builtin_hdb_flag;
static int help_flag;
static int version_flag;
static struct getarg_strings addresses_str; /* addresses to listen on */
static char *v4_realm;
static struct getargs args[] = {
{
"config-file", 'c', arg_string, &config_file,
@@ -94,12 +79,6 @@ static struct getargs args[] = {
"max-request", 0, arg_string, &max_request,
"max size for a kdc-request", "size"
},
#if 0
{
"database", 'd', arg_string, &databases,
"location of database", "database"
},
#endif
{ "enable-http", 'H', arg_flag, &enable_http, "turn on HTTP support" },
{ "524", 0, arg_negative_flag, &enable_524,
"don't respond to 524 requests"
@@ -153,7 +132,7 @@ usage(int ret)
}
static void
get_dbinfo(void)
get_dbinfo(krb5_context context, struct krb5_kdc_configuration *config)
{
const krb5_config_binding *top_binding = NULL;
const krb5_config_binding *db_binding;
@@ -162,8 +141,10 @@ get_dbinfo(void)
const char *default_dbname = HDB_DEFAULT_DB;
const char *default_mkey = HDB_DB_DIR "/m-key";
const char *p;
krb5_error_code ret;
struct dbinfo *databases = NULL;
databases = NULL;
dt = &databases;
while((db_binding = (const krb5_config_binding *)
krb5_config_get_next(context, NULL, &top_binding,
@@ -229,10 +210,36 @@ get_dbinfo(void)
(int)(p - di->dbname), di->dbname);
}
}
if (databases == NULL) {
config->db = malloc(sizeof(*config->db));
config->num_db = 1;
ret = hdb_create(context, &config->db[0], NULL);
if(ret)
krb5_err(context, 1, ret, "hdb_create %s", HDB_DEFAULT_DB);
ret = hdb_set_master_keyfile(context, config->db[0], NULL);
if (ret)
krb5_err(context, 1, ret, "hdb_set_master_keyfile");
} else {
struct dbinfo *d;
int i;
/* count databases */
for(d = databases, i = 0; d; d = d->next, i++);
config->db = malloc(i * sizeof(*config->db));
for(d = databases, config->num_db = 0; d; d = d->next, config->num_db++) {
ret = hdb_create(context, &config->db[config->num_db], d->dbname);
if(ret)
krb5_err(context, 1, ret, "hdb_create %s", d->dbname);
ret = hdb_set_master_keyfile(context, config->db[config->num_db], d->mkey_file);
if (ret)
krb5_err(context, 1, ret, "hdb_set_master_keyfile");
}
}
}
static void
add_one_address (const char *str, int first)
add_one_address (krb5_context context, const char *str, int first)
{
krb5_error_code ret;
krb5_addresses tmp;
@@ -247,15 +254,21 @@ add_one_address (const char *str, int first)
krb5_free_addresses (context, &tmp);
}
void
configure(int argc, char **argv)
struct krb5_kdc_configuration *configure(krb5_context context, int argc, char **argv)
{
struct krb5_kdc_configuration *config = malloc(sizeof(*config));
krb5_error_code ret;
int optind = 0;
int optidx = 0;
const char *p;
while(getarg(args, num_args, argc, argv, &optind))
warnx("error at argument `%s'", argv[optind]);
if (!config) {
return NULL;
}
krb5_kdc_default_config(config);
while(getarg(args, num_args, argc, argv, &optidx))
warnx("error at argument `%s'", argv[optidx]);
if(help_flag)
usage (0);
@@ -275,8 +288,8 @@ configure(int argc, char **argv)
exit(0);
}
argc -= optind;
argv += optind;
argc -= optidx;
argv += optidx;
if (argc != 0)
usage(1);
@@ -297,7 +310,9 @@ configure(int argc, char **argv)
krb5_err(context, 1, ret, "reading configuration files");
}
get_dbinfo();
kdc_openlog(context, config);
get_dbinfo(context, config);
if(max_request_str)
max_request = parse_bytes(max_request_str, NULL);
@@ -312,9 +327,14 @@ configure(int argc, char **argv)
max_request = parse_bytes(p, NULL);
}
if(require_preauth == -1)
require_preauth = krb5_config_get_bool(context, NULL, "kdc",
"require-preauth", NULL);
if(require_preauth == -1) {
config->require_preauth = krb5_config_get_bool_default(context, NULL,
config->require_preauth,
"kdc",
"require-preauth", NULL);
} else {
config->require_preauth = require_preauth;
}
if(port_str == NULL){
p = krb5_config_get_string(context, NULL, "kdc", "ports", NULL);
@@ -328,58 +348,85 @@ configure(int argc, char **argv)
int i;
for (i = 0; i < addresses_str.num_strings; ++i)
add_one_address (addresses_str.strings[i], i == 0);
add_one_address (context, addresses_str.strings[i], i == 0);
free_getarg_strings (&addresses_str);
} else {
char **foo = krb5_config_get_strings (context, NULL,
"kdc", "addresses", NULL);
if (foo != NULL) {
add_one_address (*foo++, TRUE);
add_one_address (context, *foo++, TRUE);
while (*foo)
add_one_address (*foo++, FALSE);
add_one_address (context, *foo++, FALSE);
}
}
if(enable_v4 == -1)
enable_v4 = krb5_config_get_bool_default(context, NULL, FALSE, "kdc",
"enable-kerberos4", NULL);
if(enable_v4_cross_realm == -1)
enable_v4_cross_realm =
if(enable_v4 == -1) {
config->enable_v4 = krb5_config_get_bool_default(context, NULL,
config->enable_v4,
"kdc",
"enable-kerberos4",
NULL);
} else {
config->enable_v4 = enable_v4;
}
if(enable_v4_cross_realm == -1) {
config->enable_v4_cross_realm =
krb5_config_get_bool_default(context, NULL,
FALSE, "kdc",
config->enable_v4_cross_realm,
"kdc",
"enable-kerberos4-cross-realm",
NULL);
if(enable_524 == -1)
enable_524 = krb5_config_get_bool_default(context, NULL, enable_v4,
"kdc", "enable-524", NULL);
} else {
config->enable_v4_cross_realm = enable_v4_cross_realm;
}
if(enable_524 == -1) {
config->enable_524 = krb5_config_get_bool_default(context, NULL,
config->enable_v4,
"kdc", "enable-524",
NULL);
} else {
config->enable_524 = enable_524;
}
if(enable_http == -1)
enable_http = krb5_config_get_bool(context, NULL, "kdc",
"enable-http", NULL);
check_ticket_addresses =
krb5_config_get_bool_default(context, NULL, TRUE, "kdc",
config->check_ticket_addresses =
krb5_config_get_bool_default(context, NULL,
config->check_ticket_addresses,
"kdc",
"check-ticket-addresses", NULL);
allow_null_ticket_addresses =
krb5_config_get_bool_default(context, NULL, TRUE, "kdc",
config->allow_null_ticket_addresses =
krb5_config_get_bool_default(context, NULL,
config->allow_null_ticket_addresses,
"kdc",
"allow-null-ticket-addresses", NULL);
allow_anonymous =
krb5_config_get_bool(context, NULL, "kdc",
"allow-anonymous", NULL);
config->allow_anonymous =
krb5_config_get_bool_default(context, NULL,
config->allow_anonymous,
"kdc",
"allow-anonymous", NULL);
trpolicy_str =
krb5_config_get_string_default(context, NULL, "always-check", "kdc",
krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc",
"transited-policy", NULL);
if(strcasecmp(trpolicy_str, "always-check") == 0)
trpolicy = TRPOLICY_ALWAYS_CHECK;
else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0)
trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
else if(strcasecmp(trpolicy_str, "always-honour-request") == 0)
trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
else {
kdc_log(0, "unknown transited-policy: %s, reverting to always-check",
if(strcasecmp(trpolicy_str, "always-check") == 0) {
config->trpolicy = TRPOLICY_ALWAYS_CHECK;
} else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) {
config->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
} else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) {
config->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
} else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) {
/* default */
} else {
kdc_log(context, config,
0, "unknown transited-policy: %s, reverting to default (always-check)",
trpolicy_str);
trpolicy = TRPOLICY_ALWAYS_CHECK;
}
if (krb5_config_get_string(context, NULL, "kdc",
@@ -393,51 +440,72 @@ configure(int argc, char **argv)
"v4-realm",
NULL);
if(p != NULL) {
v4_realm = strdup(p);
if (v4_realm == NULL)
config->v4_realm = strdup(p);
if (config->v4_realm == NULL)
krb5_errx(context, 1, "out of memory");
} else {
config->v4_realm = NULL;
}
} else {
config->v4_realm = v4_realm;
}
if (enable_kaserver == -1)
enable_kaserver = krb5_config_get_bool_default(context, NULL, FALSE,
"kdc",
"enable-kaserver",
NULL);
encode_as_rep_as_tgs_rep = krb5_config_get_bool(context, NULL, "kdc",
"encode_as_rep_as_tgs_rep",
NULL);
if (enable_kaserver == -1) {
config->enable_kaserver =
krb5_config_get_bool_default(context,
NULL,
config->enable_kaserver,
"kdc",
"enable-kaserver",
NULL);
} else {
config->enable_kaserver = enable_kaserver;
}
kdc_warn_pwexpire = krb5_config_get_time (context, NULL,
"kdc",
"kdc_warn_pwexpire",
NULL);
config->encode_as_rep_as_tgs_rep =
krb5_config_get_bool_default(context, NULL,
config->encode_as_rep_as_tgs_rep,
"kdc",
"encode_as_rep_as_tgs_rep",
NULL);
config->kdc_warn_pwexpire =
krb5_config_get_time_default (context, NULL,
config->kdc_warn_pwexpire,
"kdc",
"kdc_warn_pwexpire",
NULL);
if(detach_from_console == -1)
detach_from_console = krb5_config_get_bool_default(context, NULL,
DETACH_IS_DEFAULT,
"kdc",
"detach", NULL);
kdc_openlog();
if(max_request == 0)
max_request = 64 * 1024;
if(require_preauth == -1)
require_preauth = 1;
if(require_preauth != -1) {
config->require_preauth = require_preauth;
}
if (port_str == NULL)
port_str = "+";
#ifdef PKINIT
enable_pkinit = krb5_config_get_bool_default(context, NULL, FALSE,
"kdc",
"enable-pkinit",
NULL);
if (enable_pkinit) {
config->enable_pkinit =
krb5_config_get_bool_default(context,
NULL,
config->enable_pkinit,
"kdc",
"enable-pkinit",
NULL);
if (config->enable_pkinit) {
const char *user_id, *x509_anchors;
user_id = krb5_config_get_string(context, NULL,
"kdc",
"pki-identity",
NULL);
"kdc",
"pki-identity",
NULL);
if (user_id == NULL)
krb5_errx(context, 1, "pkinit enabled but no identity");
@@ -450,28 +518,29 @@ configure(int argc, char **argv)
pk_initialize(user_id, x509_anchors);
enable_pkinit_princ_in_cert =
config->enable_pkinit_princ_in_cert =
krb5_config_get_bool_default(context,
NULL, TRUE,
NULL,
config->enable_pkinit_princ_in_cert,
"kdc",
"pkinit-principal-in-certificate",
NULL);
}
#endif
if(v4_realm == NULL && (enable_kaserver || enable_v4)){
if(config->v4_realm == NULL && (config->enable_kaserver || config->enable_v4)){
#ifdef KRB4
v4_realm = malloc(40); /* REALM_SZ */
if (v4_realm == NULL)
config->v4_realm = malloc(40); /* REALM_SZ */
if (config->v4_realm == NULL)
krb5_errx(context, 1, "out of memory");
krb_get_lrealm(v4_realm, 1);
krb_get_lrealm(config->v4_realm, 1);
#else
krb5_errx(context, 1, "No Kerberos 4 realm configured");
#endif
}
if(disable_des == -1)
disable_des = krb5_config_get_bool_default(context, NULL,
0,
FALSE,
"kdc",
"disable-des", NULL);
if(disable_des) {
@@ -482,10 +551,12 @@ configure(int argc, char **argv)
krb5_enctype_disable(context, ETYPE_DES_CFB64_NONE);
krb5_enctype_disable(context, ETYPE_DES_PCBC_NONE);
kdc_log(0, "DES was disabled, turned off Kerberos V4, 524 "
kdc_log(context, config,
0, "DES was disabled, turned off Kerberos V4, 524 "
"and kaserver");
enable_v4 = 0;
enable_524 = 0;
enable_kaserver = 0;
config->enable_v4 = 0;
config->enable_524 = 0;
config->enable_kaserver = 0;
}
return config;
}

306
kdc/connect.c
View File

@@ -35,6 +35,16 @@
RCSID("$Id$");
/* Should we enable the HTTP hack? */
int enable_http = -1;
/* A string describing on what ports to listen */
const char *port_str;
krb5_addresses explicit_addresses;
size_t max_request; /* maximal size of a request */
/*
* a tuple describing on what to listen
*/
@@ -55,7 +65,8 @@ static int num_ports;
*/
static void
add_port(int family, int port, const char *protocol)
add_port(krb5_context context,
int family, int port, const char *protocol)
{
int type;
int i;
@@ -87,11 +98,12 @@ add_port(int family, int port, const char *protocol)
*/
static void
add_port_service(int family, const char *service, int port,
add_port_service(krb5_context context,
int family, const char *service, int port,
const char *protocol)
{
port = krb5_getportbyname (context, service, protocol, port);
add_port (family, port, protocol);
add_port (context, family, port, protocol);
}
/*
@@ -100,22 +112,23 @@ add_port_service(int family, const char *service, int port,
*/
static void
add_port_string (int family, const char *port_str, const char *protocol)
add_port_string (krb5_context context,
int family, const char *str, const char *protocol)
{
struct servent *sp;
int port;
sp = roken_getservbyname (port_str, protocol);
sp = roken_getservbyname (str, protocol);
if (sp != NULL) {
port = sp->s_port;
} else {
char *end;
port = htons(strtol(port_str, &end, 0));
if (end == port_str)
port = htons(strtol(str, &end, 0));
if (end == str)
return;
}
add_port (family, port, protocol);
add_port (context, family, port, protocol);
}
/*
@@ -123,24 +136,26 @@ add_port_string (int family, const char *port_str, const char *protocol)
*/
static void
add_standard_ports (int family)
add_standard_ports (krb5_context context,
struct krb5_kdc_configuration *config,
int family)
{
add_port_service(family, "kerberos", 88, "udp");
add_port_service(family, "kerberos", 88, "tcp");
add_port_service(family, "kerberos-sec", 88, "udp");
add_port_service(family, "kerberos-sec", 88, "tcp");
add_port_service(context, family, "kerberos", 88, "udp");
add_port_service(context, family, "kerberos", 88, "tcp");
add_port_service(context, family, "kerberos-sec", 88, "udp");
add_port_service(context, family, "kerberos-sec", 88, "tcp");
if(enable_http)
add_port_service(family, "http", 80, "tcp");
if(enable_524) {
add_port_service(family, "krb524", 4444, "udp");
add_port_service(family, "krb524", 4444, "tcp");
add_port_service(context, family, "http", 80, "tcp");
if(config->enable_524) {
add_port_service(context, family, "krb524", 4444, "udp");
add_port_service(context, family, "krb524", 4444, "tcp");
}
if(enable_v4) {
add_port_service(family, "kerberos-iv", 750, "udp");
add_port_service(family, "kerberos-iv", 750, "tcp");
if(config->enable_v4) {
add_port_service(context, family, "kerberos-iv", 750, "udp");
add_port_service(context, family, "kerberos-iv", 750, "tcp");
}
if (enable_kaserver)
add_port_service(family, "afs3-kaserver", 7004, "udp");
if (config->enable_kaserver)
add_port_service(context, family, "afs3-kaserver", 7004, "udp");
}
/*
@@ -150,7 +165,9 @@ add_standard_ports (int family)
*/
static void
parse_ports(const char *str)
parse_ports(krb5_context context,
struct krb5_kdc_configuration *config,
const char *str)
{
char *pos = NULL;
char *p;
@@ -160,24 +177,24 @@ parse_ports(const char *str)
while(p != NULL) {
if(strcmp(p, "+") == 0) {
#ifdef HAVE_IPV6
add_standard_ports(AF_INET6);
add_standard_ports(context, config, AF_INET6);
#endif
add_standard_ports(AF_INET);
add_standard_ports(context, config, AF_INET);
} else {
char *q = strchr(p, '/');
if(q){
*q++ = 0;
#ifdef HAVE_IPV6
add_port_string(AF_INET6, p, q);
add_port_string(context, AF_INET6, p, q);
#endif
add_port_string(AF_INET, p, q);
add_port_string(context, AF_INET, p, q);
}else {
#ifdef HAVE_IPV6
add_port_string(AF_INET6, p, "udp");
add_port_string(AF_INET6, p, "tcp");
add_port_string(context, AF_INET6, p, "udp");
add_port_string(context, AF_INET6, p, "tcp");
#endif
add_port_string(AF_INET, p, "udp");
add_port_string(AF_INET, p, "tcp");
add_port_string(context, AF_INET, p, "udp");
add_port_string(context, AF_INET, p, "tcp");
}
}
@@ -230,7 +247,9 @@ reinit_descrs (struct descr *d, int n)
*/
static void
init_socket(struct descr *d, krb5_address *a, int family, int type, int port)
init_socket(krb5_context context,
struct krb5_kdc_configuration *config,
struct descr *d, krb5_address *a, int family, int type, int port)
{
krb5_error_code ret;
struct sockaddr_storage __ss;
@@ -293,7 +312,9 @@ init_socket(struct descr *d, krb5_address *a, int family, int type, int port)
*/
static int
init_sockets(struct descr **desc)
init_sockets(krb5_context context,
struct krb5_kdc_configuration *config,
struct descr **desc)
{
krb5_error_code ret;
int i, j;
@@ -308,7 +329,7 @@ init_sockets(struct descr **desc)
if (ret)
krb5_err (context, 1, ret, "krb5_get_all_server_addrs");
}
parse_ports(port_str);
parse_ports(context, config, port_str);
d = malloc(addresses.len * num_ports * sizeof(*d));
if (d == NULL)
krb5_errx(context, 1, "malloc(%lu) failed",
@@ -316,7 +337,7 @@ init_sockets(struct descr **desc)
for (i = 0; i < num_ports; i++){
for (j = 0; j < addresses.len; ++j) {
init_socket(&d[num], &addresses.val[j],
init_socket(context, config, &d[num], &addresses.val[j],
ports[i].family, ports[i].type, ports[i].port);
if(d[num].s != -1){
char a_str[80];
@@ -325,7 +346,7 @@ init_sockets(struct descr **desc)
krb5_print_address (&addresses.val[j], a_str,
sizeof(a_str), &len);
kdc_log(5, "listening on %s port %u/%s",
kdc_log(context, config, 5, "listening on %s port %u/%s",
a_str,
ntohs(ports[i].port),
(ports[i].type == SOCK_STREAM) ? "tcp" : "udp");
@@ -358,51 +379,9 @@ descr_type(struct descr *d)
return "unknown";
}
/*
* handle the request in `buf, len', from `addr' (or `from' as a string),
* sending a reply in `reply'.
*/
static int
process_request(unsigned char *buf,
size_t len,
krb5_data *reply,
krb5_boolean *prependlength,
const char *from,
struct sockaddr *addr)
{
KDC_REQ req;
Ticket ticket;
krb5_error_code ret;
size_t i;
gettimeofday(&now, NULL);
if(decode_AS_REQ(buf, len, &req, &i) == 0){
ret = as_rep(&req, reply, from, addr);
free_AS_REQ(&req);
return ret;
}else if(decode_TGS_REQ(buf, len, &req, &i) == 0){
ret = tgs_rep(&req, reply, from, addr);
free_TGS_REQ(&req);
return ret;
}else if(decode_Ticket(buf, len, &ticket, &i) == 0){
ret = do_524(&ticket, reply, from, addr);
free_Ticket(&ticket);
return ret;
} else if(maybe_version4(buf, len)){
*prependlength = FALSE; /* elbitapmoc sdrawkcab XXX */
do_version4(buf, len, reply, from, (struct sockaddr_in*)addr);
return 0;
} else if (enable_kaserver) {
ret = do_kaserver (buf, len, reply, from, (struct sockaddr_in*)addr);
return ret;
}
return -1;
}
static void
addr_to_string(struct sockaddr *addr, size_t addr_len, char *str, size_t len)
addr_to_string(krb5_context context,
struct sockaddr *addr, size_t addr_len, char *str, size_t len)
{
krb5_address a;
if(krb5_sockaddr2address(context, addr, &a) == 0) {
@@ -420,39 +399,45 @@ addr_to_string(struct sockaddr *addr, size_t addr_len, char *str, size_t len)
*/
static void
do_request(void *buf, size_t len, krb5_boolean prependlength,
do_request(krb5_context context,
struct krb5_kdc_configuration *config,
void *buf, size_t len, krb5_boolean prependlength,
struct descr *d)
{
krb5_error_code ret;
krb5_data reply;
reply.length = 0;
ret = process_request(buf, len, &reply, &prependlength,
ret = krb5_kdc_process_generic_request(context, config,
buf, len, &reply, &prependlength,
d->addr_string, d->sa);
if(reply.length){
kdc_log(5, "sending %lu bytes to %s", (unsigned long)reply.length,
kdc_log(context, config, 5,
"sending %lu bytes to %s", (unsigned long)reply.length,
d->addr_string);
if(prependlength){
unsigned char len[4];
len[0] = (reply.length >> 24) & 0xff;
len[1] = (reply.length >> 16) & 0xff;
len[2] = (reply.length >> 8) & 0xff;
len[3] = reply.length & 0xff;
if(sendto(d->s, len, sizeof(len), 0, d->sa, d->sock_len) < 0) {
kdc_log (0, "sendto(%s): %s", d->addr_string, strerror(errno));
unsigned char l[4];
l[0] = (reply.length >> 24) & 0xff;
l[1] = (reply.length >> 16) & 0xff;
l[2] = (reply.length >> 8) & 0xff;
l[3] = reply.length & 0xff;
if(sendto(d->s, l, sizeof(l), 0, d->sa, d->sock_len) < 0) {
kdc_log (context, config,
0, "sendto(%s): %s", d->addr_string, strerror(errno));
krb5_data_free(&reply);
return;
}
}
if(sendto(d->s, reply.data, reply.length, 0, d->sa, d->sock_len) < 0) {
kdc_log (0, "sendto(%s): %s", d->addr_string, strerror(errno));
kdc_log (context, config,
0, "sendto(%s): %s", d->addr_string, strerror(errno));
krb5_data_free(&reply);
return;
}
krb5_data_free(&reply);
}
if(ret)
kdc_log(0, "Failed processing %lu byte request from %s",
kdc_log(context, config, 0, "Failed processing %lu byte request from %s",
(unsigned long)len, d->addr_string);
}
@@ -461,14 +446,16 @@ do_request(void *buf, size_t len, krb5_boolean prependlength,
*/
static void
handle_udp(struct descr *d)
handle_udp(krb5_context context,
struct krb5_kdc_configuration *config,
struct descr *d)
{
unsigned char *buf;
int n;
buf = malloc(max_request);
if(buf == NULL){
kdc_log(0, "Failed to allocate %lu bytes", (unsigned long)max_request);
kdc_log(context, config, 0, "Failed to allocate %lu bytes", (unsigned long)max_request);
return;
}
@@ -477,9 +464,9 @@ handle_udp(struct descr *d)
if(n < 0)
krb5_warn(context, errno, "recvfrom");
else {
addr_to_string (d->sa, d->sock_len,
addr_to_string (context, d->sa, d->sock_len,
d->addr_string, sizeof(d->addr_string));
do_request(buf, n, FALSE, d);
do_request(context, config, buf, n, FALSE, d);
}
free (buf);
}
@@ -522,7 +509,9 @@ de_http(char *buf)
*/
static void
add_new_tcp (struct descr *d, int parent, int child)
add_new_tcp (krb5_context context,
struct krb5_kdc_configuration *config,
struct descr *d, int parent, int child)
{
int s;
@@ -545,7 +534,8 @@ add_new_tcp (struct descr *d, int parent, int child)
d[child].s = s;
d[child].timeout = time(NULL) + TCP_TIMEOUT;
d[child].type = SOCK_STREAM;
addr_to_string (d[child].sa, d[child].sock_len,
addr_to_string (context,
d[child].sa, d[child].sock_len,
d[child].addr_string, sizeof(d[child].addr_string));
}
@@ -555,7 +545,9 @@ add_new_tcp (struct descr *d, int parent, int child)
*/
static int
grow_descr (struct descr *d, size_t n)
grow_descr (krb5_context context,
struct krb5_kdc_configuration *config,
struct descr *d, size_t n)
{
if (d->size - d->len < n) {
unsigned char *tmp;
@@ -563,14 +555,14 @@ grow_descr (struct descr *d, size_t n)
grow = max(1024, d->len + n);
if (d->size + grow > max_request) {
kdc_log(0, "Request exceeds max request size (%lu bytes).",
kdc_log(context, config, 0, "Request exceeds max request size (%lu bytes).",
(unsigned long)d->size + grow);
clear_descr(d);
return -1;
}
tmp = realloc (d->buf, d->size + grow);
if (tmp == NULL) {
kdc_log(0, "Failed to re-allocate %lu bytes.",
kdc_log(context, config, 0, "Failed to re-allocate %lu bytes.",
(unsigned long)d->size + grow);
clear_descr(d);
return -1;
@@ -587,14 +579,16 @@ grow_descr (struct descr *d, size_t n)
*/
static int
handle_vanilla_tcp (struct descr *d)
handle_vanilla_tcp (krb5_context context,
struct krb5_kdc_configuration *config,
struct descr *d)
{
krb5_storage *sp;
int32_t len;
sp = krb5_storage_from_mem(d->buf, d->len);
if (sp == NULL) {
kdc_log (0, "krb5_storage_from_mem failed");
kdc_log (context, config, 0, "krb5_storage_from_mem failed");
return -1;
}
krb5_ret_int32(sp, &len);
@@ -612,7 +606,9 @@ handle_vanilla_tcp (struct descr *d)
*/
static int
handle_http_tcp (struct descr *d)
handle_http_tcp (krb5_context context,
struct krb5_kdc_configuration *config,
struct descr *d)
{
char *s, *p, *t;
void *data;
@@ -623,7 +619,7 @@ handle_http_tcp (struct descr *d)
p = strstr(s, "\r\n");
if (p == NULL) {
kdc_log(0, "Malformed HTTP request from %s", d->addr_string);
kdc_log(context, config, 0, "Malformed HTTP request from %s", d->addr_string);
return -1;
}
*p = 0;
@@ -631,31 +627,31 @@ handle_http_tcp (struct descr *d)
p = NULL;
t = strtok_r(s, " \t", &p);
if (t == NULL) {
kdc_log(0, "Malformed HTTP request from %s", d->addr_string);
kdc_log(context, config, 0, "Malformed HTTP request from %s", d->addr_string);
return -1;
}
t = strtok_r(NULL, " \t", &p);
if(t == NULL) {
kdc_log(0, "Malformed HTTP request from %s", d->addr_string);
kdc_log(context, config, 0, "Malformed HTTP request from %s", d->addr_string);
return -1;
}
data = malloc(strlen(t));
if (data == NULL) {
kdc_log(0, "Failed to allocate %lu bytes",
kdc_log(context, config, 0, "Failed to allocate %lu bytes",
(unsigned long)strlen(t));
return -1;
}
if(*t == '/')
t++;
if(de_http(t) != 0) {
kdc_log(0, "Malformed HTTP request from %s", d->addr_string);
kdc_log(5, "HTTP request: %s", t);
kdc_log(context, config, 0, "Malformed HTTP request from %s", d->addr_string);
kdc_log(context, config, 5, "HTTP request: %s", t);
free(data);
return -1;
}
proto = strtok_r(NULL, " \t", &p);
if (proto == NULL) {
kdc_log(0, "Malformed HTTP request from %s", d->addr_string);
kdc_log(context, config, 0, "Malformed HTTP request from %s", d->addr_string);
free(data);
return -1;
}
@@ -672,16 +668,16 @@ handle_http_tcp (struct descr *d)
"<H1>404 Not found</H1>\r\n"
"That page doesn't exist, maybe you are looking for "
"<A HREF=\"http://www.pdc.kth.se/heimdal/\">Heimdal</A>?\r\n";
kdc_log(0, "HTTP request from %s is non KDC request", d->addr_string);
kdc_log(5, "HTTP request: %s", t);
kdc_log(context, config, 0, "HTTP request from %s is non KDC request", d->addr_string);
kdc_log(context, config, 5, "HTTP request: %s", t);
free(data);
if (write(d->s, proto, strlen(proto)) < 0) {
kdc_log(0, "HTTP write failed: %s: %s",
kdc_log(context, config, 0, "HTTP write failed: %s: %s",
d->addr_string, strerror(errno));
return -1;
}
if (write(d->s, msg, strlen(msg)) < 0) {
kdc_log(0, "HTTP write failed: %s: %s",
kdc_log(context, config, 0, "HTTP write failed: %s: %s",
d->addr_string, strerror(errno));
return -1;
}
@@ -696,12 +692,12 @@ handle_http_tcp (struct descr *d)
"Content-type: application/octet-stream\r\n"
"Content-transfer-encoding: binary\r\n\r\n";
if (write(d->s, proto, strlen(proto)) < 0) {
kdc_log(0, "HTTP write failed: %s: %s",
kdc_log(context, config, 0, "HTTP write failed: %s: %s",
d->addr_string, strerror(errno));
return -1;
}
if (write(d->s, msg, strlen(msg)) < 0) {
kdc_log(0, "HTTP write failed: %s: %s",
kdc_log(context, config, 0, "HTTP write failed: %s: %s",
d->addr_string, strerror(errno));
return -1;
}
@@ -717,67 +713,72 @@ handle_http_tcp (struct descr *d)
*/
static void
handle_tcp(struct descr *d, int index, int min_free)
handle_tcp(krb5_context context,
struct krb5_kdc_configuration *config,
struct descr *d, int idx, int min_free)
{
unsigned char buf[1024];
int n;
int ret = 0;
if (d[index].timeout == 0) {
add_new_tcp (d, index, min_free);
if (d[idx].timeout == 0) {
add_new_tcp (context, config, d, idx, min_free);
return;
}
n = recvfrom(d[index].s, buf, sizeof(buf), 0, NULL, NULL);
n = recvfrom(d[idx].s, buf, sizeof(buf), 0, NULL, NULL);
if(n < 0){
krb5_warn(context, errno, "recvfrom failed from %s to %s/%d",
d[index].addr_string, descr_type(d + index),
ntohs(d[index].port));
d[idx].addr_string, descr_type(d + idx),
ntohs(d[idx].port));
return;
} else if (n == 0) {
krb5_warnx(context, "connection closed before end of data after %lu "
"bytes from %s to %s/%d", (unsigned long)d[index].len,
d[index].addr_string, descr_type(d + index),
ntohs(d[index].port));
clear_descr (d + index);
"bytes from %s to %s/%d", (unsigned long)d[idx].len,
d[idx].addr_string, descr_type(d + idx),
ntohs(d[idx].port));
clear_descr (d + idx);
return;
}
if (grow_descr (&d[index], n))
if (grow_descr (context, config, &d[idx], n))
return;
memcpy(d[index].buf + d[index].len, buf, n);
d[index].len += n;
if(d[index].len > 4 && d[index].buf[0] == 0) {
ret = handle_vanilla_tcp (&d[index]);
memcpy(d[idx].buf + d[idx].len, buf, n);
d[idx].len += n;
if(d[idx].len > 4 && d[idx].buf[0] == 0) {
ret = handle_vanilla_tcp (context, config, &d[idx]);
} else if(enable_http &&
d[index].len >= 4 &&
strncmp((char *)d[index].buf, "GET ", 4) == 0 &&
strncmp((char *)d[index].buf + d[index].len - 4,
d[idx].len >= 4 &&
strncmp((char *)d[idx].buf, "GET ", 4) == 0 &&
strncmp((char *)d[idx].buf + d[idx].len - 4,
"\r\n\r\n", 4) == 0) {
ret = handle_http_tcp (&d[index]);
ret = handle_http_tcp (context, config, &d[idx]);
if (ret < 0)
clear_descr (d + index);
} else if (d[index].len > 4) {
kdc_log (0, "TCP data of strange type from %s to %s/%d",
d[index].addr_string, descr_type(d + index),
ntohs(d[index].port));
clear_descr(d + index);
clear_descr (d + idx);
} else if (d[idx].len > 4) {
kdc_log (context, config,
0, "TCP data of strange type from %s to %s/%d",
d[idx].addr_string, descr_type(d + idx),
ntohs(d[idx].port));
clear_descr(d + idx);
return;
}
if (ret < 0)
return;
else if (ret == 1) {
do_request(d[index].buf, d[index].len, TRUE, &d[index]);
clear_descr(d + index);
do_request(context, config,
d[idx].buf, d[idx].len, TRUE, &d[idx]);
clear_descr(d + idx);
}
}
void
loop(void)
loop(krb5_context context,
struct krb5_kdc_configuration *config)
{
struct descr *d;
int ndescr;
ndescr = init_sockets(&d);
ndescr = init_sockets(context, config, &d);
if(ndescr <= 0)
krb5_errx(context, 1, "No sockets!");
while(exit_flag == 0){
@@ -792,7 +793,8 @@ loop(void)
if(d[i].s >= 0){
if(d[i].type == SOCK_STREAM &&
d[i].timeout && d[i].timeout < time(NULL)) {
kdc_log(1, "TCP-connection from %s expired after %lu bytes",
kdc_log(context, config, 1,
"TCP-connection from %s expired after %lu bytes",
d[i].addr_string, (unsigned long)d[i].len);
clear_descr(&d[i]);
continue;
@@ -834,17 +836,17 @@ loop(void)
for(i = 0; i < ndescr; i++)
if(d[i].s >= 0 && FD_ISSET(d[i].s, &fds)) {
if(d[i].type == SOCK_DGRAM)
handle_udp(&d[i]);
handle_udp(context, config, &d[i]);
else if(d[i].type == SOCK_STREAM)
handle_tcp(d, i, min_free);
handle_tcp(context, config, d, i, min_free);
}
}
}
if(exit_flag == SIGXCPU)
kdc_log(0, "CPU time limit exceeded");
kdc_log(context, config, 0, "CPU time limit exceeded");
else if(exit_flag == SIGINT || exit_flag == SIGTERM)
kdc_log(0, "Terminated");
kdc_log(context, config, 0, "Terminated");
else
kdc_log(0, "Unexpected exit reason: %d", exit_flag);
kdc_log(context, config, 0, "Unexpected exit reason: %d", exit_flag);
free (d);
}

26
kdc/hprop.c
View File

@@ -586,7 +586,7 @@ parse_source_type(const char *s)
static void
iterate (krb5_context context,
const char *database,
const char *database_name,
HDB *db,
int type,
struct prop_data *pd)
@@ -595,7 +595,7 @@ iterate (krb5_context context,
switch(type) {
case HPROP_KRB4_DUMP:
ret = v4_prop_dump(pd, database);
ret = v4_prop_dump(pd, database_name);
break;
#ifdef KRB4
case HPROP_KRB4_DB:
@@ -606,12 +606,12 @@ iterate (krb5_context context,
break;
#endif /* KRB4 */
case HPROP_KASERVER:
ret = ka_dump(pd, database);
ret = ka_dump(pd, database_name);
if(ret)
krb5_err(context, 1, ret, "ka_dump");
break;
case HPROP_MIT_DUMP:
ret = mit_prop_dump(pd, database);
ret = mit_prop_dump(pd, database_name);
if (ret)
krb5_errx(context, 1, "mit_prop_dump: %s",
krb5_get_err_text(context, ret));
@@ -626,7 +626,7 @@ iterate (krb5_context context,
static int
dump_database (krb5_context context, int type,
const char *database, HDB *db)
const char *database_name, HDB *db)
{
krb5_error_code ret;
struct prop_data pd;
@@ -636,7 +636,7 @@ dump_database (krb5_context context, int type,
pd.auth_context = NULL;
pd.sock = STDOUT_FILENO;
iterate (context, database, db, type, &pd);
iterate (context, database_name, db, type, &pd);
krb5_data_zero (&data);
ret = krb5_write_message (context, &pd.sock, &data);
if (ret)
@@ -647,15 +647,15 @@ dump_database (krb5_context context, int type,
static int
propagate_database (krb5_context context, int type,
const char *database,
const char *database_name,
HDB *db, krb5_ccache ccache,
int optind, int argc, char **argv)
int optidx, int argc, char **argv)
{
krb5_principal server;
krb5_error_code ret;
int i;
for(i = optind; i < argc; i++){
for(i = optidx; i < argc; i++){
krb5_auth_context auth_context;
int fd;
struct prop_data pd;
@@ -721,7 +721,7 @@ propagate_database (krb5_context context, int type,
pd.auth_context = auth_context;
pd.sock = fd;
iterate (context, database, db, type, &pd);
iterate (context, database_name, db, type, &pd);
krb5_data_zero (&data);
ret = krb5_write_priv_message(context, auth_context, &fd, &data);
@@ -747,13 +747,13 @@ main(int argc, char **argv)
krb5_context context;
krb5_ccache ccache = NULL;
HDB *db = NULL;
int optind = 0;
int optidx = 0;
int type = 0;
setprogname(argv[0]);
if(getarg(args, num_args, argc, argv, &optind))
if(getarg(args, num_args, argc, argv, &optidx))
usage(1);
if(help_flag)
@@ -865,7 +865,7 @@ main(int argc, char **argv)
dump_database (context, type, database, db);
else
propagate_database (context, type, database,
db, ccache, optind, argc, argv);
db, ccache, optidx, argc, argv);
if(ccache != NULL)
krb5_cc_destroy(context, ccache);

8
kdc/hpropd.c
View File

@@ -215,7 +215,7 @@ main(int argc, char **argv)
krb5_keytab keytab;
int fd;
HDB *db;
int optind = 0;
int optidx = 0;
char *tmp_db;
krb5_log_facility *fac;
int nprincs;
@@ -235,7 +235,7 @@ main(int argc, char **argv)
;
krb5_set_warn_dest(context, fac);
if(getarg(args, num_args, argc, argv, &optind))
if(getarg(args, num_args, argc, argv, &optidx))
usage(1);
#ifdef KRB4
@@ -253,8 +253,8 @@ main(int argc, char **argv)
exit(0);
}
argc -= optind;
argv += optind;
argc -= optidx;
argv += optidx;
if (argc != 0)
usage(1);

117
kdc/kaserver.c
View File

@@ -240,7 +240,8 @@ krb5_store_xdr_data(krb5_storage *sp,
static krb5_error_code
create_reply_ticket (struct rx_header *hdr,
create_reply_ticket (krb5_context context,
struct rx_header *hdr,
Key *skey,
char *name, char *instance, char *realm,
struct sockaddr_in *addr,
@@ -388,7 +389,9 @@ unparse_auth_args (krb5_storage *sp,
}
static void
do_authenticate (struct rx_header *hdr,
do_authenticate (krb5_context context,
struct krb5_kdc_configuration *config,
struct rx_header *hdr,
krb5_storage *sp,
struct sockaddr_in *addr,
const char *from,
@@ -422,30 +425,33 @@ do_authenticate (struct rx_header *hdr,
}
snprintf (client_name, sizeof(client_name), "%s.%s@%s",
name, instance, v4_realm);
name, instance, config->v4_realm);
snprintf (server_name, sizeof(server_name), "%s.%s@%s",
"krbtgt", v4_realm, v4_realm);
"krbtgt", config->v4_realm, config->v4_realm);
kdc_log(0, "AS-REQ (kaserver) %s from %s for %s",
kdc_log(context, config, 0, "AS-REQ (kaserver) %s from %s for %s",
client_name, from, server_name);
ret = db_fetch4 (name, instance, v4_realm, &client_entry);
ret = db_fetch4 (context, config, name, instance,
config->v4_realm, &client_entry);
if (ret) {
kdc_log(0, "Client not found in database: %s: %s",
kdc_log(context, config, 0, "Client not found in database: %s: %s",
client_name, krb5_get_err_text(context, ret));
make_error_reply (hdr, KANOENT, reply);
goto out;
}
ret = db_fetch4 ("krbtgt", v4_realm, v4_realm, &server_entry);
ret = db_fetch4 (context, config, "krbtgt",
config->v4_realm, config->v4_realm, &server_entry);
if (ret) {
kdc_log(0, "Server not found in database: %s: %s",
kdc_log(context, config, 0, "Server not found in database: %s: %s",
server_name, krb5_get_err_text(context, ret));
make_error_reply (hdr, KANOENT, reply);
goto out;
}
ret = check_flags (client_entry, client_name,
ret = check_flags (context, config,
client_entry, client_name,
server_entry, server_name,
TRUE);
if (ret) {
@@ -454,17 +460,17 @@ do_authenticate (struct rx_header *hdr,
}
/* find a DES key */
ret = get_des_key(client_entry, FALSE, TRUE, &ckey);
ret = get_des_key(context, client_entry, FALSE, TRUE, &ckey);
if(ret){
kdc_log(0, "no suitable DES key for client");
kdc_log(context, config, 0, "no suitable DES key for client");
make_error_reply (hdr, KANOKEYS, reply);
goto out;
}
/* find a DES key */
ret = get_des_key(server_entry, TRUE, TRUE, &skey);
ret = get_des_key(context, server_entry, TRUE, TRUE, &skey);
if(ret){
kdc_log(0, "no suitable DES key for server");
kdc_log(context, config, 0, "no suitable DES key for server");
make_error_reply (hdr, KANOKEYS, reply);
goto out;
}
@@ -488,7 +494,7 @@ do_authenticate (struct rx_header *hdr,
/* check for the magic label */
if (memcmp ((char *)request.data + 4, "gTGS", 4) != 0) {
kdc_log(0, "preauth failed for %s", client_name);
kdc_log(context, config, 0, "preauth failed for %s", client_name);
make_error_reply (hdr, KABADREQUEST, reply);
goto out;
}
@@ -515,11 +521,12 @@ do_authenticate (struct rx_header *hdr,
life = krb_time_to_life(kdc_time, kdc_time + max_life);
create_reply_ticket (hdr, skey,
name, instance, v4_realm,
create_reply_ticket (context,
hdr, skey,
name, instance, config->v4_realm,
addr, life, server_entry->kvno,
max_seq_len,
"krbtgt", v4_realm,
"krbtgt", config->v4_realm,
chal + 1, "tgsT",
&ckey->key, reply);
@@ -533,9 +540,9 @@ out:
if (instance)
free (instance);
if (client_entry)
free_ent (client_entry);
free_ent (context, client_entry);
if (server_entry)
free_ent (server_entry);
free_ent (context, server_entry);
}
static krb5_error_code
@@ -593,7 +600,9 @@ unparse_getticket_args (krb5_storage *sp,
}
static void
do_getticket (struct rx_header *hdr,
do_getticket (krb5_context context,
struct krb5_kdc_configuration *config,
struct rx_header *hdr,
krb5_storage *sp,
struct sockaddr_in *addr,
const char *from,
@@ -636,36 +645,39 @@ do_getticket (struct rx_header *hdr,
}
snprintf (server_name, sizeof(server_name),
"%s.%s@%s", name, instance, v4_realm);
"%s.%s@%s", name, instance, config->v4_realm);
ret = db_fetch4 (name, instance, v4_realm, &server_entry);
ret = db_fetch4 (context, config, name, instance, config->v4_realm, &server_entry);
if (ret) {
kdc_log(0, "Server not found in database: %s: %s",
kdc_log(context, config, 0, "Server not found in database: %s: %s",
server_name, krb5_get_err_text(context, ret));
make_error_reply (hdr, KANOENT, reply);
goto out;
}
ret = db_fetch4 ("krbtgt", v4_realm, v4_realm, &krbtgt_entry);
ret = db_fetch4 (context, config, "krbtgt",
config->v4_realm, config->v4_realm, &krbtgt_entry);
if (ret) {
kdc_log(0, "Server not found in database: %s.%s@%s: %s",
"krbtgt", v4_realm, v4_realm, krb5_get_err_text(context, ret));
kdc_log(context, config, 0,
"Server not found in database: %s.%s@%s: %s",
"krbtgt", config->v4_realm, config->v4_realm,
krb5_get_err_text(context, ret));
make_error_reply (hdr, KANOENT, reply);
goto out;
}
/* find a DES key */
ret = get_des_key(krbtgt_entry, TRUE, TRUE, &kkey);
ret = get_des_key(context, krbtgt_entry, TRUE, TRUE, &kkey);
if(ret){
kdc_log(0, "no suitable DES key for krbtgt");
kdc_log(context, config, 0, "no suitable DES key for krbtgt");
make_error_reply (hdr, KANOKEYS, reply);
goto out;
}
/* find a DES key */
ret = get_des_key(server_entry, TRUE, TRUE, &skey);
ret = get_des_key(context, server_entry, TRUE, TRUE, &skey);
if(ret){
kdc_log(0, "no suitable DES key for server");
kdc_log(context, config, 0, "no suitable DES key for server");
make_error_reply (hdr, KANOKEYS, reply);
goto out;
}
@@ -679,17 +691,19 @@ do_getticket (struct rx_header *hdr,
char *sinstance = NULL;
ret = _krb5_krb_decomp_ticket(context, &aticket, &kkey->key,
v4_realm, &sname, &sinstance, &ad);
config->v4_realm, &sname,
&sinstance, &ad);
if (ret) {
kdc_log(0, "kaserver: decomp failed for %s.%s with %d",
kdc_log(context, config, 0,
"kaserver: decomp failed for %s.%s with %d",
sname, sinstance, ret);
make_error_reply (hdr, KABADTICKET, reply);
goto out;
}
if (strcmp (sname, "krbtgt") != 0
|| strcmp (sinstance, v4_realm) != 0) {
kdc_log(0, "no TGT: %s.%s for %s.%s@%s",
|| strcmp (sinstance, config->v4_realm) != 0) {
kdc_log(context, config, 0, "no TGT: %s.%s for %s.%s@%s",
sname, sinstance,
ad.pname, ad.pinst, ad.prealm);
make_error_reply (hdr, KABADTICKET, reply);
@@ -701,7 +715,7 @@ do_getticket (struct rx_header *hdr,
free(sinstance);
if (kdc_time > _krb5_krb_life_to_time(ad.time_sec, ad.life)) {
kdc_log(0, "TGT expired: %s.%s@%s",
kdc_log(context, config, 0, "TGT expired: %s.%s@%s",
ad.pname, ad.pinst, ad.prealm);
make_error_reply (hdr, KABADTICKET, reply);
goto out;
@@ -711,24 +725,28 @@ do_getticket (struct rx_header *hdr,
snprintf (client_name, sizeof(client_name),
"%s.%s@%s", ad.pname, ad.pinst, ad.prealm);
kdc_log(0, "TGS-REQ (kaserver) %s from %s for %s",
kdc_log(context, config, 0, "TGS-REQ (kaserver) %s from %s for %s",
client_name, from, server_name);
ret = db_fetch4 (ad.pname, ad.pinst, ad.prealm, &client_entry);
ret = db_fetch4 (context, config,
ad.pname, ad.pinst, ad.prealm, &client_entry);
if(ret && ret != HDB_ERR_NOENTRY) {
kdc_log(0, "Client not found in database: (krb4) %s: %s",
kdc_log(context, config, 0,
"Client not found in database: (krb4) %s: %s",
client_name, krb5_get_err_text(context, ret));
make_error_reply (hdr, KANOENT, reply);
goto out;
}
if (client_entry == NULL && strcmp(ad.prealm, v4_realm) == 0) {
kdc_log(0, "Local client not found in database: (krb4) "
if (client_entry == NULL && strcmp(ad.prealm, config->v4_realm) == 0) {
kdc_log(context, config, 0,
"Local client not found in database: (krb4) "
"%s", client_name);
make_error_reply (hdr, KANOENT, reply);
goto out;
}
ret = check_flags (client_entry, client_name,
ret = check_flags (context, config,
client_entry, client_name,
server_entry, server_name,
FALSE);
if (ret) {
@@ -776,7 +794,8 @@ do_getticket (struct rx_header *hdr,
life = _krb5_krb_time_to_life(kdc_time, kdc_time + max_life);
create_reply_ticket (hdr, skey,
create_reply_ticket (context,
hdr, skey,
ad.pname, ad.pinst, ad.prealm,
addr, life, server_entry->kvno,
max_seq_len,
@@ -801,13 +820,15 @@ out:
if (instance)
free (instance);
if (krbtgt_entry)
free_ent (krbtgt_entry);
free_ent (context, krbtgt_entry);
if (server_entry)
free_ent (server_entry);
free_ent (context, server_entry);
}
krb5_error_code
do_kaserver(unsigned char *buf,
do_kaserver(krb5_context context,
struct krb5_kdc_configuration *config,
unsigned char *buf,
size_t len,
krb5_data *reply,
const char *from,
@@ -852,10 +873,10 @@ do_kaserver(unsigned char *buf,
switch (op) {
case AUTHENTICATE :
case AUTHENTICATE_V2 :
do_authenticate (&hdr, sp, addr, from, reply);
do_authenticate (context, config, &hdr, sp, addr, from, reply);
break;
case GETTICKET :
do_getticket (&hdr, sp, addr, from, reply);
do_getticket (context, config, &hdr, sp, addr, from, reply);
break;
case AUTHENTICATE_OLD :
case CHANGEPASSWORD :

24
kdc/kdc-protos.h Normal file
View File

@@ -0,0 +1,24 @@
int
krb5_kdc_process_generic_request(krb5_context context,
struct krb5_kdc_configuration *config,
unsigned char *buf,
size_t len,
krb5_data *reply,
krb5_boolean *prependlength,
const char *from,
struct sockaddr *addr);
int krb5_kdc_process_krb5_request(krb5_context context,
struct krb5_kdc_configuration *config,
unsigned char *buf,
size_t len,
krb5_data *reply,
const char *from,
struct sockaddr *addr);
void krb5_kdc_default_config(struct krb5_kdc_configuration *config);
void
kdc_openlog(krb5_context context,
struct krb5_kdc_configuration *config);

81
kdc/kdc.h Normal file
View File

@@ -0,0 +1,81 @@
/*
* Copyright (c) 1997-2003 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
*
* Copyright (c) 2005 Andrew Bartlett <abartlet@samba.org>
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* $Id$
*/
#ifndef __KDC_H__
#define __KDC_H__
#include <krb5.h>
enum krb5_kdc_trpolicy {
TRPOLICY_ALWAYS_CHECK,
TRPOLICY_ALLOW_PER_PRINCIPAL,
TRPOLICY_ALWAYS_HONOUR_REQUEST
};
struct krb5_kdc_configuration {
krb5_boolean require_preauth; /* require preauth for all principals */
time_t kdc_warn_pwexpire; /* time before expiration to print a warning */
struct HDB **db;
int num_db;
krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */
krb5_boolean check_ticket_addresses;
krb5_boolean allow_null_ticket_addresses;
krb5_boolean allow_anonymous;
enum krb5_kdc_trpolicy trpolicy;
char *v4_realm;
krb5_boolean enable_v4;
krb5_boolean enable_kaserver;
krb5_boolean enable_524;
krb5_boolean enable_v4_cross_realm;
krb5_boolean enable_pkinit;
krb5_boolean enable_pkinit_princ_in_cert;
krb5_log_facility *logf;
};
#include <kdc-protos.h>
#endif

117
kdc/kdc_locl.h
View File

@@ -39,40 +39,18 @@
#define __KDC_LOCL_H__
#include "headers.h"
#include "kdc.h"
extern krb5_context context;
extern int require_preauth;
extern sig_atomic_t exit_flag;
extern size_t max_request;
extern time_t kdc_warn_pwexpire;
extern struct dbinfo {
char *realm;
char *dbname;
char *mkey_file;
struct dbinfo *next;
} *databases;
extern HDB **db;
extern int num_db;
extern const char *port_str;
extern krb5_addresses explicit_addresses;
extern int enable_http;
extern krb5_boolean encode_as_rep_as_tgs_rep;
extern krb5_boolean check_ticket_addresses;
extern krb5_boolean allow_null_ticket_addresses;
extern krb5_boolean allow_anonymous;
enum { TRPOLICY_ALWAYS_CHECK,
TRPOLICY_ALLOW_PER_PRINCIPAL,
TRPOLICY_ALWAYS_HONOUR_REQUEST };
extern int trpolicy;
extern int enable_524;
extern int enable_v4_cross_realm;
#ifdef PKINIT
extern int enable_pkinit;
extern int enable_pkinit_princ_in_cert;
#endif
#define DETACH_IS_DEFAULT FALSE
extern int detach_from_console;
#define _PATH_KDC_CONF HDB_DB_DIR "/kdc.conf"
#define DEFAULT_LOG_DEST "0-1/FILE:" HDB_DB_DIR "/kdc.log"
@@ -80,30 +58,56 @@ extern int enable_pkinit_princ_in_cert;
extern struct timeval now;
#define kdc_time (now.tv_sec)
krb5_error_code as_rep (KDC_REQ*, krb5_data*, const char*, struct sockaddr*);
void configure (int, char**);
krb5_error_code db_fetch (krb5_principal, hdb_entry**);
void free_ent(hdb_entry *);
void kdc_log (int, const char*, ...)
__attribute__ ((format (printf, 2,3)));
krb5_error_code as_rep (krb5_context context,
struct krb5_kdc_configuration *config,
KDC_REQ*, krb5_data*, const char*, struct sockaddr*);
struct krb5_kdc_configuration *configure(krb5_context context, int argc, char **argv);
krb5_error_code
db_fetch(krb5_context, struct krb5_kdc_configuration *,
krb5_principal, hdb_entry **);
void free_ent(krb5_context context, hdb_entry *);
void kdc_log (krb5_context context,
struct krb5_kdc_configuration *config,
int, const char*, ...)
__attribute__ ((format (printf, 4,5)));
char* kdc_log_msg (int, const char*, ...)
__attribute__ ((format (printf, 2,3)));
char* kdc_log_msg_va (int, const char*, va_list)
__attribute__ ((format (printf, 2,0)));
void kdc_openlog (void);
void loop (void);
char* kdc_log_msg (krb5_context context,
struct krb5_kdc_configuration *config,
int, const char*, ...)
__attribute__ ((format (printf, 4,5)));
char* kdc_log_msg_va (krb5_context context,
struct krb5_kdc_configuration *config,
int, const char*, va_list)
__attribute__ ((format (printf, 4,0)));
void
kdc_openlog(krb5_context context,
struct krb5_kdc_configuration *config);
void
loop(krb5_context context,
struct krb5_kdc_configuration *config);
void set_master_key (EncryptionKey);
krb5_error_code tgs_rep (KDC_REQ*, krb5_data*, const char*, struct sockaddr *);
krb5_error_code tgs_rep (krb5_context context,
struct krb5_kdc_configuration *config,
KDC_REQ*, krb5_data*, const char*, struct sockaddr *);
Key* unseal_key (Key*);
krb5_error_code check_flags(hdb_entry *client, const char *client_name,
krb5_error_code
check_flags(krb5_context context,
struct krb5_kdc_configuration *config,
hdb_entry *client, const char *client_name,
hdb_entry *server, const char *server_name,
krb5_boolean is_as_req);
krb5_error_code get_des_key(hdb_entry*, krb5_boolean, krb5_boolean, Key**);
krb5_error_code encode_v4_ticket (void*, size_t, const EncTicketPart*,
const PrincipalName*, size_t*);
krb5_error_code do_524 (const Ticket*, krb5_data*, const char*, struct sockaddr*);
krb5_error_code get_des_key(krb5_context context, hdb_entry*, krb5_boolean, krb5_boolean, Key**);
krb5_error_code
encode_v4_ticket(krb5_context context,
struct krb5_kdc_configuration *config,
void *buf, size_t len, const EncTicketPart *et,
const PrincipalName *service, size_t *size);
krb5_error_code
do_524(krb5_context context,
struct krb5_kdc_configuration *config,
const Ticket *t, krb5_data *reply,
const char *from, struct sockaddr *addr);
#ifdef HAVE_OPENSSL
#define des_new_random_key des_random_key
@@ -130,18 +134,27 @@ void pk_free_client_param(krb5_context, pk_client_params *);
* Kerberos 4
*/
extern char *v4_realm;
extern int enable_v4;
extern krb5_boolean enable_kaserver;
krb5_error_code db_fetch4 (const char*, const char*, const char*, hdb_entry**);
krb5_error_code do_version4 (unsigned char*, size_t, krb5_data*, const char*,
krb5_error_code db_fetch4 (krb5_context context,
struct krb5_kdc_configuration *config,
const char*, const char*, const char*, hdb_entry**);
krb5_error_code do_version4 (krb5_context context,
struct krb5_kdc_configuration *config,
unsigned char*, size_t, krb5_data*, const char*,
struct sockaddr_in*);
int maybe_version4 (unsigned char*, int);
krb5_error_code do_kaserver (unsigned char*, size_t, krb5_data*, const char*,
krb5_error_code do_kaserver (krb5_context context,
struct krb5_kdc_configuration *config,
unsigned char*, size_t, krb5_data*, const char*,
struct sockaddr_in*);
int kdc_process_generic_request(krb5_context context,
struct krb5_kdc_configuration *config,
unsigned char *buf,
size_t len,
krb5_data *reply,
krb5_boolean *prependlength,
const char *from,
struct sockaddr *addr);
#endif /* __KDC_LOCL_H__ */

155
kdc/kerberos4.c
View File

@@ -63,8 +63,11 @@ make_err_reply(krb5_context context, krb5_data *reply,
}
static krb5_boolean
valid_princ(krb5_context context, krb5_principal princ)
valid_princ(krb5_context context,
void *funcctx,
krb5_principal princ)
{
struct krb5_kdc_configuration *config = funcctx;
krb5_error_code ret;
char *s;
hdb_entry *ent;
@@ -72,31 +75,33 @@ valid_princ(krb5_context context, krb5_principal princ)
ret = krb5_unparse_name(context, princ, &s);
if (ret)
return FALSE;
ret = db_fetch(princ, &ent);
ret = db_fetch(context, config, princ, &ent);
if (ret) {
kdc_log(7, "Lookup %s failed: %s", s,
kdc_log(context, config, 7, "Lookup %s failed: %s", s,
krb5_get_err_text (context, ret));
free(s);
return FALSE;
}
kdc_log(7, "Lookup %s succeeded", s);
kdc_log(context, config, 7, "Lookup %s succeeded", s);
free(s);
free_ent(ent);
free_ent(context, ent);
return TRUE;
}
krb5_error_code
db_fetch4(const char *name, const char *instance, const char *realm,
db_fetch4(krb5_context context,
struct krb5_kdc_configuration *config,
const char *name, const char *instance, const char *realm,
hdb_entry **ent)
{
krb5_principal p;
krb5_error_code ret;
ret = krb5_425_conv_principal_ext(context, name, instance, realm,
valid_princ, 0, &p);
ret = krb5_425_conv_principal_ext2(context, name, instance, realm,
valid_princ, config, 0, &p);
if(ret)
return ret;
ret = db_fetch(p, ent);
ret = db_fetch(context, config, p, ent);
krb5_free_principal(context, p);
return ret;
}
@@ -110,7 +115,9 @@ db_fetch4(const char *name, const char *instance, const char *realm,
*/
krb5_error_code
do_version4(unsigned char *buf,
do_version4(krb5_context context,
struct krb5_kdc_configuration *config,
unsigned char *buf,
size_t len,
krb5_data *reply,
const char *from,
@@ -131,8 +138,9 @@ do_version4(unsigned char *buf,
char client_name[256];
char server_name[256];
if(!enable_v4) {
kdc_log(0, "Rejected version 4 request from %s", from);
if(!config->enable_v4) {
kdc_log(context, config, 0,
"Rejected version 4 request from %s", from);
make_err_reply(context, reply, KDC_GEN_ERR, "function not enabled");
return 0;
}
@@ -140,7 +148,8 @@ do_version4(unsigned char *buf,
sp = krb5_storage_from_mem(buf, len);
RCHECK(krb5_ret_int8(sp, &pvno), out);
if(pvno != 4){
kdc_log(0, "Protocol version mismatch (krb4) (%d)", pvno);
kdc_log(context, config, 0,
"Protocol version mismatch (krb4) (%d)", pvno);
make_err_reply(context, reply, KDC_PKT_VER, "protocol mismatch");
goto out;
}
@@ -167,29 +176,31 @@ do_version4(unsigned char *buf,
snprintf (client_name, sizeof(client_name),
"%s.%s@%s", name, inst, realm);
snprintf (server_name, sizeof(server_name),
"%s.%s@%s", sname, sinst, v4_realm);
"%s.%s@%s", sname, sinst, config->v4_realm);
kdc_log(0, "AS-REQ (krb4) %s from %s for %s",
kdc_log(context, config, 0, "AS-REQ (krb4) %s from %s for %s",
client_name, from, server_name);
ret = db_fetch4(name, inst, realm, &client);
ret = db_fetch4(context, config, name, inst, realm, &client);
if(ret) {
kdc_log(0, "Client not found in database: %s: %s",
kdc_log(context, config, 0, "Client not found in database: %s: %s",
client_name, krb5_get_err_text(context, ret));
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
"principal unknown");
goto out1;
}
ret = db_fetch4(sname, sinst, v4_realm, &server);
ret = db_fetch4(context, config, sname, sinst,
config->v4_realm, &server);
if(ret){
kdc_log(0, "Server not found in database: %s: %s",
kdc_log(context, config, 0, "Server not found in database: %s: %s",
server_name, krb5_get_err_text(context, ret));
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
"principal unknown");
goto out1;
}
ret = check_flags (client, client_name,
ret = check_flags (context, config,
client, client_name,
server, server_name,
TRUE);
if (ret) {
@@ -204,10 +215,10 @@ do_version4(unsigned char *buf,
* good error code to return if preauthentication is required.
*/
if (require_preauth
if (config->require_preauth
|| client->flags.require_preauth
|| server->flags.require_preauth) {
kdc_log(0,
kdc_log(context, config, 0,
"Pre-authentication required for v4-request: "
"%s for %s",
client_name, server_name);
@@ -216,9 +227,9 @@ do_version4(unsigned char *buf,
goto out1;
}
ret = get_des_key(client, FALSE, FALSE, &ckey);
ret = get_des_key(context, client, FALSE, FALSE, &ckey);
if(ret){
kdc_log(0, "no suitable DES key for client");
kdc_log(context, config, 0, "no suitable DES key for client");
make_err_reply(context, reply, KDC_NULL_KEY,
"no suitable DES key for client");
goto out1;
@@ -230,7 +241,7 @@ do_version4(unsigned char *buf,
while(ckey->salt == NULL || ckey->salt->salt.length != 0)
ret = hdb_next_keytype2key(context, client, KEYTYPE_DES, &ckey);
if(ret){
kdc_log(0, "No version-4 salted key in database -- %s.%s@%s",
kdc_log(context, config, 0, "No version-4 salted key in database -- %s.%s@%s",
name, inst, realm);
make_err_reply(context, reply, KDC_NULL_KEY,
"No version-4 salted key in database");
@@ -238,9 +249,9 @@ do_version4(unsigned char *buf,
}
#endif
ret = get_des_key(server, TRUE, FALSE, &skey);
ret = get_des_key(context, server, TRUE, FALSE, &skey);
if(ret){
kdc_log(0, "no suitable DES key for server");
kdc_log(context, config, 0, "no suitable DES key for server");
/* XXX */
make_err_reply(context, reply, KDC_NULL_KEY,
"no suitable DES key for server");
@@ -268,7 +279,7 @@ do_version4(unsigned char *buf,
0,
name,
inst,
v4_realm,
config->v4_realm,
addr->sin_addr.s_addr,
&session,
life,
@@ -288,7 +299,7 @@ do_version4(unsigned char *buf,
&session,
sname,
sinst,
v4_realm,
config->v4_realm,
life,
server->kvno % 255,
&ticket,
@@ -337,22 +348,24 @@ do_version4(unsigned char *buf,
RCHECK(krb5_ret_int8(sp, &kvno), out2);
RCHECK(krb5_ret_stringz(sp, &realm), out2);
ret = krb5_425_conv_principal(context, "krbtgt", realm, v4_realm,
ret = krb5_425_conv_principal(context, "krbtgt", realm,
config->v4_realm,
&tgt_princ);
if(ret){
kdc_log(0, "Converting krbtgt principal (krb4): %s",
kdc_log(context, config, 0,
"Converting krbtgt principal (krb4): %s",
krb5_get_err_text(context, ret));
make_err_reply(context, reply, KFAILURE,
"Failed to convert v4 principal (krbtgt)");
goto out2;
}
ret = db_fetch(tgt_princ, &tgt);
ret = db_fetch(context, config, tgt_princ, &tgt);
if(ret){
char *s;
s = kdc_log_msg(0, "Ticket-granting ticket not "
s = kdc_log_msg(context, config, 0, "Ticket-granting ticket not "
"found in database (krb4): krbtgt.%s@%s: %s",
realm, v4_realm,
realm, config->v4_realm,
krb5_get_err_text(context, ret));
make_err_reply(context, reply, KFAILURE, s);
free(s);
@@ -360,16 +373,19 @@ do_version4(unsigned char *buf,
}
if(tgt->kvno % 256 != kvno){
kdc_log(0, "tgs-req (krb4) with old kvno %d (current %d) for "
"krbtgt.%s@%s", kvno, tgt->kvno % 256, realm, v4_realm);
kdc_log(context, config, 0,
"tgs-req (krb4) with old kvno %d (current %d) for "
"krbtgt.%s@%s", kvno, tgt->kvno % 256,
realm, config->v4_realm);
make_err_reply(context, reply, KDC_AUTH_EXP,
"old krbtgt kvno used");
goto out2;
}
ret = get_des_key(tgt, TRUE, FALSE, &tkey);
ret = get_des_key(context, tgt, TRUE, FALSE, &tkey);
if(ret){
kdc_log(0, "no suitable DES key for krbtgt (krb4)");
kdc_log(context, config, 0,
"no suitable DES key for krbtgt (krb4)");
/* XXX */
make_err_reply(context, reply, KDC_NULL_KEY,
"no suitable DES key for krbtgt");
@@ -384,15 +400,16 @@ do_version4(unsigned char *buf,
auth.data = buf;
auth.length = pos;
if (check_ticket_addresses)
if (config->check_ticket_addresses)
address = addr->sin_addr.s_addr;
else
address = 0;
ret = _krb5_krb_rd_req(context, &auth, "krbtgt", realm, v4_realm,
ret = _krb5_krb_rd_req(context, &auth, "krbtgt", realm,
config->v4_realm,
address, &tkey->key, &ad);
if(ret){
kdc_log(0, "krb_rd_req: %d", ret);
kdc_log(context, config, 0, "krb_rd_req: %d", ret);
make_err_reply(context, reply, ret, "failed to parse request");
goto out2;
}
@@ -405,64 +422,72 @@ do_version4(unsigned char *buf,
RCHECK(krb5_ret_stringz(sp, &sinst), out2);
snprintf (server_name, sizeof(server_name),
"%s.%s@%s",
sname, sinst, v4_realm);
sname, sinst, config->v4_realm);
snprintf (client_name, sizeof(client_name),
"%s.%s@%s",
ad.pname, ad.pinst, ad.prealm);
kdc_log(0, "TGS-REQ (krb4) %s from %s for %s",
kdc_log(context, config, 0, "TGS-REQ (krb4) %s from %s for %s",
client_name, from, server_name);
if(strcmp(ad.prealm, realm)){
kdc_log(0, "Can't hop realms (krb4) %s -> %s", realm, ad.prealm);
kdc_log(context, config, 0,
"Can't hop realms (krb4) %s -> %s", realm, ad.prealm);
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
"Can't hop realms");
goto out2;
}
if (!enable_v4_cross_realm && strcmp(realm, v4_realm) != 0) {
kdc_log(0, "krb4 Cross-realm %s -> %s disabled", realm, v4_realm);
if (!config->enable_v4_cross_realm && strcmp(realm, config->v4_realm) != 0) {
kdc_log(context, config, 0,
"krb4 Cross-realm %s -> %s disabled",
realm, config->v4_realm);
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
"Can't hop realms");
goto out2;
}
if(strcmp(sname, "changepw") == 0){
kdc_log(0, "Bad request for changepw ticket (krb4)");
kdc_log(context, config, 0,
"Bad request for changepw ticket (krb4)");
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
"Can't authorize password change based on TGT");
goto out2;
}
ret = db_fetch4(ad.pname, ad.pinst, ad.prealm, &client);
ret = db_fetch4(context, config, ad.pname, ad.pinst, ad.prealm, &client);
if(ret && ret != HDB_ERR_NOENTRY) {
char *s;
s = kdc_log_msg(0, "Client not found in database: (krb4) %s: %s",
s = kdc_log_msg(context, config, 0,
"Client not found in database: (krb4) %s: %s",
client_name, krb5_get_err_text(context, ret));
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
free(s);
goto out2;
}
if (client == NULL && strcmp(ad.prealm, v4_realm) == 0) {
if (client == NULL && strcmp(ad.prealm, config->v4_realm) == 0) {
char *s;
s = kdc_log_msg(0, "Local client not found in database: (krb4) "
s = kdc_log_msg(context, config, 0,
"Local client not found in database: (krb4) "
"%s", client_name);
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
free(s);
goto out2;
}
ret = db_fetch4(sname, sinst, v4_realm, &server);
ret = db_fetch4(context, config, sname, sinst, config->v4_realm, &server);
if(ret){
char *s;
s = kdc_log_msg(0, "Server not found in database (krb4): %s: %s",
s = kdc_log_msg(context, config, 0,
"Server not found in database (krb4): %s: %s",
server_name, krb5_get_err_text(context, ret));
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
free(s);
goto out2;
}
ret = check_flags (client, client_name,
ret = check_flags (context, config,
client, client_name,
server, server_name,
FALSE);
if (ret) {
@@ -472,9 +497,10 @@ do_version4(unsigned char *buf,
goto out2;
}
ret = get_des_key(server, TRUE, FALSE, &skey);
ret = get_des_key(context, server, TRUE, FALSE, &skey);
if(ret){
kdc_log(0, "no suitable DES key for server (krb4)");
kdc_log(context, config, 0,
"no suitable DES key for server (krb4)");
/* XXX */
make_err_reply(context, reply, KDC_NULL_KEY,
"no suitable DES key for server");
@@ -541,7 +567,7 @@ do_version4(unsigned char *buf,
&session,
sname,
sinst,
v4_realm,
config->v4_realm,
life,
server->kvno % 255,
&ticket,
@@ -572,13 +598,13 @@ do_version4(unsigned char *buf,
if(tgt_princ)
krb5_free_principal(context, tgt_princ);
if(tgt)
free_ent(tgt);
free_ent(context, tgt);
break;
}
case AUTH_MSG_ERR_REPLY:
break;
default:
kdc_log(0, "Unknown message type (krb4): %d from %s",
kdc_log(context, config, 0, "Unknown message type (krb4): %d from %s",
msg_type, from);
make_err_reply(context, reply, KFAILURE, "Unknown message type");
@@ -595,15 +621,17 @@ do_version4(unsigned char *buf,
if(sinst)
free(sinst);
if(client)
free_ent(client);
free_ent(context, client);
if(server)
free_ent(server);
free_ent(context, server);
krb5_storage_free(sp);
return 0;
}
krb5_error_code
encode_v4_ticket(void *buf, size_t len, const EncTicketPart *et,
encode_v4_ticket(krb5_context context,
struct krb5_kdc_configuration *config,
void *buf, size_t len, const EncTicketPart *et,
const PrincipalName *service, size_t *size)
{
krb5_storage *sp;
@@ -690,7 +718,8 @@ encode_v4_ticket(void *buf, size_t len, const EncTicketPart *et,
}
krb5_error_code
get_des_key(hdb_entry *principal, krb5_boolean is_server,
get_des_key(krb5_context context,
hdb_entry *principal, krb5_boolean is_server,
krb5_boolean prefer_afs_key, Key **ret_key)
{
Key *v5_key = NULL, *v4_key = NULL, *afs_key = NULL, *server_key = NULL;

447
kdc/kerberos5.c
View File

File diff suppressed because it is too large Load Diff

31
kdc/log.c
View File

@@ -34,51 +34,56 @@
#include "kdc_locl.h"
RCSID("$Id$");
static krb5_log_facility *logf;
void
kdc_openlog(void)
kdc_openlog(krb5_context context,
struct krb5_kdc_configuration *config)
{
char **s = NULL, **p;
krb5_initlog(context, "kdc", &logf);
krb5_initlog(context, "kdc", &config->logf);
s = krb5_config_get_strings(context, NULL, "kdc", "logging", NULL);
if(s == NULL)
s = krb5_config_get_strings(context, NULL, "logging", "kdc", NULL);
if(s){
for(p = s; *p; p++)
krb5_addlog_dest(context, logf, *p);
krb5_addlog_dest(context, config->logf, *p);
krb5_config_free_strings(s);
}else
krb5_addlog_dest(context, logf, DEFAULT_LOG_DEST);
krb5_set_warn_dest(context, logf);
krb5_addlog_dest(context, config->logf, DEFAULT_LOG_DEST);
krb5_set_warn_dest(context, config->logf);
}
char*
kdc_log_msg_va(int level, const char *fmt, va_list ap)
kdc_log_msg_va(krb5_context context,
struct krb5_kdc_configuration *config,
int level, const char *fmt, va_list ap)
{
char *msg;
krb5_vlog_msg(context, logf, &msg, level, fmt, ap);
krb5_vlog_msg(context, config->logf, &msg, level, fmt, ap);
return msg;
}
char*
kdc_log_msg(int level, const char *fmt, ...)
kdc_log_msg(krb5_context context,
struct krb5_kdc_configuration *config,
int level, const char *fmt, ...)
{
va_list ap;
char *s;
va_start(ap, fmt);
s = kdc_log_msg_va(level, fmt, ap);
s = kdc_log_msg_va(context, config, level, fmt, ap);
va_end(ap);
return s;
}
void
kdc_log(int level, const char *fmt, ...)
kdc_log(krb5_context context,
struct krb5_kdc_configuration *config,
int level, const char *fmt, ...)
{
va_list ap;
char *s;
va_start(ap, fmt);
s = kdc_log_msg_va(level, fmt, ap);
s = kdc_log_msg_va(context, config, level, fmt, ap);
if(s) free(s);
va_end(ap);
}

35
kdc/main.c
View File

@@ -39,9 +39,8 @@
RCSID("$Id$");
sig_atomic_t exit_flag = 0;
krb5_context context;
extern int detach_from_console;
int detach_from_console = -1;
static RETSIGTYPE
sigterm(int sig)
@@ -53,6 +52,9 @@ int
main(int argc, char **argv)
{
krb5_error_code ret;
krb5_context context;
struct krb5_kdc_configuration *config;
setprogname(argv[0]);
ret = krb5_init_context(&context);
@@ -61,32 +63,7 @@ main(int argc, char **argv)
else if (ret)
errx (1, "krb5_init_context failed: %d", ret);
configure(argc, argv);
if(databases == NULL) {
db = malloc(sizeof(*db));
num_db = 1;
ret = hdb_create(context, &db[0], NULL);
if(ret)
krb5_err(context, 1, ret, "hdb_create %s", HDB_DEFAULT_DB);
ret = hdb_set_master_keyfile(context, db[0], NULL);
if (ret)
krb5_err(context, 1, ret, "hdb_set_master_keyfile");
} else {
struct dbinfo *d;
int i;
/* count databases */
for(d = databases, i = 0; d; d = d->next, i++);
db = malloc(i * sizeof(*db));
for(d = databases, num_db = 0; d; d = d->next, num_db++) {
ret = hdb_create(context, &db[num_db], d->dbname);
if(ret)
krb5_err(context, 1, ret, "hdb_create %s", d->dbname);
ret = hdb_set_master_keyfile(context, db[num_db], d->mkey_file);
if (ret)
krb5_err(context, 1, ret, "hdb_set_master_keyfile");
}
}
config = configure(context, argc, argv);
#ifdef HAVE_SIGACTION
{
@@ -112,7 +89,7 @@ main(int argc, char **argv)
if (detach_from_console)
daemon(0, 0);
pidfile(NULL);
loop();
loop(context, config);
krb5_free_context(context);
return 0;
}

20
kdc/misc.c
View File

@@ -38,7 +38,10 @@ RCSID("$Id$");
struct timeval now;
krb5_error_code
db_fetch(krb5_principal principal, hdb_entry **h)
db_fetch(krb5_context context,
struct krb5_kdc_configuration *config,
krb5_principal principal,
hdb_entry **h)
{
hdb_entry *ent;
krb5_error_code ret = HDB_ERR_NOENTRY;
@@ -49,15 +52,18 @@ db_fetch(krb5_principal principal, hdb_entry **h)
return ENOMEM;
ent->principal = principal;
for(i = 0; i < num_db; i++) {
ret = db[i]->hdb_open(context, db[i], O_RDONLY, 0);
for(i = 0; i < config->num_db; i++) {
ret = config->db[i]->hdb_open(context, config->db[i], O_RDONLY, 0);
if (ret) {
kdc_log(0, "Failed to open database: %s",
kdc_log(context, config, 0, "Failed to open database: %s",
krb5_get_err_text(context, ret));
continue;
}
ret = db[i]->hdb_fetch(context, db[i], HDB_F_DECRYPT, ent);
db[i]->hdb_close(context, db[i]);
ret = config->db[i]->hdb_fetch(context,
config->db[i],
HDB_F_DECRYPT,
ent);
config->db[i]->hdb_close(context, config->db[i]);
if(ret == 0) {
*h = ent;
return 0;
@@ -68,7 +74,7 @@ db_fetch(krb5_principal principal, hdb_entry **h)
}
void
free_ent(hdb_entry *ent)
free_ent(krb5_context context, hdb_entry *ent)
{
hdb_free_entry (context, ent);
free (ent);

7
kdc/mit_dump.c
View File

@@ -168,7 +168,6 @@ fix_salt(krb5_context context, hdb_entry *ent, int key_num)
{
size_t len;
int i;
krb5_error_code ret;
char *p;
len = 0;
@@ -219,7 +218,7 @@ int
mit_prop_dump(void *arg, const char *file)
{
krb5_error_code ret;
char buf [1024];
char line [2048];
FILE *f;
int lineno = 0;
struct hdb_entry ent;
@@ -230,8 +229,8 @@ mit_prop_dump(void *arg, const char *file)
if(f == NULL)
return errno;
while(fgets(buf, sizeof(buf), f)) {
char *p = buf, *q;
while(fgets(line, sizeof(line), f)) {
char *p = line, *q;
int i;

3
kdc/pkinit.c
View File

@@ -49,9 +49,6 @@ RCSID("$Id$");
#include <openssl/asn1.h>
#include <openssl/err.h>
int enable_pkinit = 0;
int enable_pkinit_princ_in_cert = 0;
/* XXX copied from lib/krb5/pkinit.c */
struct krb5_pk_identity {
EVP_PKEY *private_key;

116
kdc/process.c Normal file
View File

@@ -0,0 +1,116 @@
/*
* Copyright (c) 1997-2005 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "kdc_locl.h"
RCSID("$Id$");
/*
* handle the request in `buf, len', from `addr' (or `from' as a string),
* sending a reply in `reply'.
*/
int
krb5_kdc_process_generic_request(krb5_context context,
struct krb5_kdc_configuration *config,
unsigned char *buf,
size_t len,
krb5_data *reply,
krb5_boolean *prependlength,
const char *from,
struct sockaddr *addr)
{
KDC_REQ req;
Ticket ticket;
krb5_error_code ret;
size_t i;
gettimeofday(&now, NULL);
if(decode_AS_REQ(buf, len, &req, &i) == 0){
ret = as_rep(context, config, &req, reply, from, addr);
free_AS_REQ(&req);
return ret;
}else if(decode_TGS_REQ(buf, len, &req, &i) == 0){
ret = tgs_rep(context, config, &req, reply, from, addr);
free_TGS_REQ(&req);
return ret;
}else if(decode_Ticket(buf, len, &ticket, &i) == 0){
ret = do_524(context, config, &ticket, reply, from, addr);
free_Ticket(&ticket);
return ret;
} else if(maybe_version4(buf, len)){
*prependlength = FALSE; /* elbitapmoc sdrawkcab XXX */
do_version4(context, config, buf, len, reply, from,
(struct sockaddr_in*)addr);
return 0;
} else if (config->enable_kaserver) {
ret = do_kaserver(context, config, buf, len, reply, from,
(struct sockaddr_in*)addr);
return ret;
}
return -1;
}
/*
* handle the request in `buf, len', from `addr' (or `from' as a string),
* sending a reply in `reply'.
*
* This only processes krb5 requests
*/
int krb5_kdc_process_krb5_request(krb5_context context,
struct krb5_kdc_configuration *config,
unsigned char *buf,
size_t len,
krb5_data *reply,
const char *from,
struct sockaddr *addr)
{
KDC_REQ req;
krb5_error_code ret;
size_t i;
gettimeofday(&now, NULL);
if(decode_AS_REQ(buf, len, &req, &i) == 0){
ret = as_rep(context, config, &req, reply, from, addr);
free_AS_REQ(&req);
return ret;
}else if(decode_TGS_REQ(buf, len, &req, &i) == 0){
ret = tgs_rep(context, config, &req, reply, from, addr);
free_TGS_REQ(&req);
return ret;
}
return -1;
}