oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Merge in the libkdc/kdc configuration split from Andrew Bartlet <abartlet@samba.org>

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15529 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2005-06-30 01:03:35 +00:00
parent 3fe2a9b92f
commit 7132a9b084
18 changed files with 1204 additions and 730 deletions
Download Patch File Download Diff File Expand all files Collapse all files

109
kdc/524.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright (c) 1997-2003 Kungliga Tekniska H<>gskolan * Copyright (c) 1997-2005 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden). * (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved. * All rights reserved.
* *
@@ -43,7 +43,9 @@ RCSID("$Id$");
*/ */
static krb5_error_code static krb5_error_code
fetch_server (const Ticket *t, fetch_server (krb5_context context,
struct krb5_kdc_configuration *config,
const Ticket *t,
char **spn, char **spn,
hdb_entry **server, hdb_entry **server,
const char *from) const char *from)
@@ -53,20 +55,21 @@ fetch_server (const Ticket *t,
ret = _krb5_principalname2krb5_principal(&sprinc, t->sname, t->realm); ret = _krb5_principalname2krb5_principal(&sprinc, t->sname, t->realm);
if (ret) { if (ret) {
kdc_log(0, "_krb5_principalname2krb5_principal: %s", kdc_log(context, config, 0, "_krb5_principalname2krb5_principal: %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
return ret; return ret;
} }
ret = krb5_unparse_name(context, sprinc, spn); ret = krb5_unparse_name(context, sprinc, spn);
if (ret) { if (ret) {
krb5_free_principal(context, sprinc); krb5_free_principal(context, sprinc);
kdc_log(0, "krb5_unparse_name: %s", krb5_get_err_text(context, ret)); kdc_log(context, config, 0, "krb5_unparse_name: %s",
krb5_get_err_text(context, ret));
return ret; return ret;
} }
ret = db_fetch(sprinc, server); ret = db_fetch(context, config, sprinc, server);
krb5_free_principal(context, sprinc); krb5_free_principal(context, sprinc);
if (ret) { if (ret) {
kdc_log(0, kdc_log(context, config, 0,
"Request to convert ticket from %s for unknown principal %s: %s", "Request to convert ticket from %s for unknown principal %s: %s",
from, *spn, krb5_get_err_text(context, ret)); from, *spn, krb5_get_err_text(context, ret));
if (ret == HDB_ERR_NOENTRY) if (ret == HDB_ERR_NOENTRY)
@@ -77,7 +80,9 @@ fetch_server (const Ticket *t,
} }
static krb5_error_code static krb5_error_code
log_524 (const EncTicketPart *et, log_524 (krb5_context context,
struct krb5_kdc_configuration *config,
const EncTicketPart *et,
const char *from, const char *from,
const char *spn) const char *spn)
{ {
@@ -87,33 +92,35 @@ log_524 (const EncTicketPart *et,
ret = _krb5_principalname2krb5_principal(&client, et->cname, et->crealm); ret = _krb5_principalname2krb5_principal(&client, et->cname, et->crealm);
if (ret) { if (ret) {
kdc_log(0, "_krb5_principalname2krb5_principal: %s", kdc_log(context, config, 0, "_krb5_principalname2krb5_principal: %s",
krb5_get_err_text (context, ret)); krb5_get_err_text (context, ret));
return ret; return ret;
} }
ret = krb5_unparse_name(context, client, &cpn); ret = krb5_unparse_name(context, client, &cpn);
if (ret) { if (ret) {
krb5_free_principal(context, client); krb5_free_principal(context, client);
kdc_log(0, "krb5_unparse_name: %s", kdc_log(context, config, 0, "krb5_unparse_name: %s",
krb5_get_err_text (context, ret)); krb5_get_err_text (context, ret));
return ret; return ret;
} }
kdc_log(1, "524-REQ %s from %s for %s", cpn, from, spn); kdc_log(context, config, 1, "524-REQ %s from %s for %s", cpn, from, spn);
free(cpn); free(cpn);
krb5_free_principal(context, client); krb5_free_principal(context, client);
return 0; return 0;
} }
static krb5_error_code static krb5_error_code
verify_flags (const EncTicketPart *et, verify_flags (krb5_context context,
struct krb5_kdc_configuration *config,
const EncTicketPart *et,
const char *spn) const char *spn)
{ {
if(et->endtime < kdc_time){ if(et->endtime < kdc_time){
kdc_log(0, "Ticket expired (%s)", spn); kdc_log(context, config, 0, "Ticket expired (%s)", spn);
return KRB5KRB_AP_ERR_TKT_EXPIRED; return KRB5KRB_AP_ERR_TKT_EXPIRED;
} }
if(et->flags.invalid){ if(et->flags.invalid){
kdc_log(0, "Ticket not valid (%s)", spn); kdc_log(context, config, 0, "Ticket not valid (%s)", spn);
return KRB5KRB_AP_ERR_TKT_NYV; return KRB5KRB_AP_ERR_TKT_NYV;
} }
return 0; return 0;
@@ -125,7 +132,9 @@ verify_flags (const EncTicketPart *et,
*/ */
static krb5_error_code static krb5_error_code
set_address (EncTicketPart *et, set_address (krb5_context context,
struct krb5_kdc_configuration *config,
EncTicketPart *et,
struct sockaddr *addr, struct sockaddr *addr,
const char *from) const char *from)
{ {
@@ -139,12 +148,12 @@ set_address (EncTicketPart *et,
ret = krb5_sockaddr2address(context, addr, v4_addr); ret = krb5_sockaddr2address(context, addr, v4_addr);
if(ret) { if(ret) {
free (v4_addr); free (v4_addr);
kdc_log(0, "Failed to convert address (%s)", from); kdc_log(context, config, 0, "Failed to convert address (%s)", from);
return ret; return ret;
} }
if (et->caddr && !krb5_address_search (context, v4_addr, et->caddr)) { if (et->caddr && !krb5_address_search (context, v4_addr, et->caddr)) {
kdc_log(0, "Incorrect network address (%s)", from); kdc_log(context, config, 0, "Incorrect network address (%s)", from);
krb5_free_address(context, v4_addr); krb5_free_address(context, v4_addr);
free (v4_addr); free (v4_addr);
return KRB5KRB_AP_ERR_BADADDR; return KRB5KRB_AP_ERR_BADADDR;
@@ -175,7 +184,9 @@ set_address (EncTicketPart *et,
static krb5_error_code static krb5_error_code
encrypt_v4_ticket(void *buf, encrypt_v4_ticket(krb5_context context,
struct krb5_kdc_configuration *config,
void *buf,
size_t len, size_t len,
krb5_keyblock *skey, krb5_keyblock *skey,
EncryptedData *reply) EncryptedData *reply)
@@ -185,7 +196,7 @@ encrypt_v4_ticket(void *buf,
ret = krb5_crypto_init(context, skey, ETYPE_DES_PCBC_NONE, &crypto); ret = krb5_crypto_init(context, skey, ETYPE_DES_PCBC_NONE, &crypto);
if (ret) { if (ret) {
free(buf); free(buf);
kdc_log(0, "krb5_crypto_init failed: %s", kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
return ret; return ret;
} }
@@ -199,7 +210,7 @@ encrypt_v4_ticket(void *buf,
reply); reply);
krb5_crypto_destroy(context, crypto); krb5_crypto_destroy(context, crypto);
if(ret) { if(ret) {
kdc_log(0, "Failed to encrypt data: %s", kdc_log(context, config, 0, "Failed to encrypt data: %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
return ret; return ret;
} }
@@ -207,7 +218,9 @@ encrypt_v4_ticket(void *buf,
} }
static krb5_error_code static krb5_error_code
encode_524_response(const char *spn, const EncTicketPart et, const Ticket *t, encode_524_response(krb5_context context,
struct krb5_kdc_configuration *config,
const char *spn, const EncTicketPart et, const Ticket *t,
hdb_entry *server, EncryptedData *ticket, int *kvno) hdb_entry *server, EncryptedData *ticket, int *kvno)
{ {
krb5_error_code ret; krb5_error_code ret;
@@ -221,7 +234,8 @@ encode_524_response(const char *spn, const EncTicketPart et, const Ticket *t,
&t->enc_part, &len, ret); &t->enc_part, &len, ret);
if (ret) { if (ret) {
kdc_log(0, "Failed to encode v4 (2b) ticket (%s)", spn); kdc_log(context, config, 0,
"Failed to encode v4 (2b) ticket (%s)", spn);
return ret; return ret;
} }
@@ -232,27 +246,31 @@ encode_524_response(const char *spn, const EncTicketPart et, const Ticket *t,
unsigned char buf[MAX_KTXT_LEN + 4 * 4]; unsigned char buf[MAX_KTXT_LEN + 4 * 4];
Key *skey; Key *skey;
if (!enable_v4_cross_realm && strcmp (et.crealm, t->realm) != 0) { if (!config->enable_v4_cross_realm && strcmp (et.crealm, t->realm) != 0) {
kdc_log(0, "524 cross-realm %s -> %s disabled", et.crealm, kdc_log(context, config, 0, "524 cross-realm %s -> %s disabled", et.crealm,
t->realm); t->realm);
return KRB5KDC_ERR_POLICY; return KRB5KDC_ERR_POLICY;
} }
ret = encode_v4_ticket(buf + sizeof(buf) - 1, sizeof(buf), ret = encode_v4_ticket(context, config,
buf + sizeof(buf) - 1, sizeof(buf),
&et, &t->sname, &len); &et, &t->sname, &len);
if(ret){ if(ret){
kdc_log(0, "Failed to encode v4 ticket (%s)", spn); kdc_log(context, config, 0,
"Failed to encode v4 ticket (%s)", spn);
return ret; return ret;
} }
ret = get_des_key(server, TRUE, FALSE, &skey); ret = get_des_key(context, server, TRUE, FALSE, &skey);
if(ret){ if(ret){
kdc_log(0, "no suitable DES key for server (%s)", spn); kdc_log(context, config, 0,
"no suitable DES key for server (%s)", spn);
return ret; return ret;
} }
ret = encrypt_v4_ticket(buf + sizeof(buf) - len, len, ret = encrypt_v4_ticket(context, config, buf + sizeof(buf) - len, len,
&skey->key, ticket); &skey->key, ticket);
if(ret){ if(ret){
kdc_log(0, "Failed to encrypt v4 ticket (%s)", spn); kdc_log(context, config, 0,
"Failed to encrypt v4 ticket (%s)", spn);
return ret; return ret;
} }
*kvno = server->kvno; *kvno = server->kvno;
@@ -267,7 +285,9 @@ encode_524_response(const char *spn, const EncTicketPart et, const Ticket *t,
*/ */
krb5_error_code krb5_error_code
do_524(const Ticket *t, krb5_data *reply, do_524(krb5_context context,
struct krb5_kdc_configuration *config,
const Ticket *t, krb5_data *reply,
const char *from, struct sockaddr *addr) const char *from, struct sockaddr *addr)
{ {
krb5_error_code ret = 0; krb5_error_code ret = 0;
@@ -283,25 +303,27 @@ do_524(const Ticket *t, krb5_data *reply,
size_t len; size_t len;
int kvno = 0; int kvno = 0;
if(!enable_524) { if(!config->enable_524) {
ret = KRB5KDC_ERR_POLICY; ret = KRB5KDC_ERR_POLICY;
kdc_log(0, "Rejected ticket conversion request from %s", from); kdc_log(context, config, 0,
"Rejected ticket conversion request from %s", from);
goto out; goto out;
} }
ret = fetch_server (t, &spn, &server, from); ret = fetch_server (context, config, t, &spn, &server, from);
if (ret) { if (ret) {
goto out; goto out;
} }
ret = hdb_enctype2key(context, server, t->enc_part.etype, &skey); ret = hdb_enctype2key(context, server, t->enc_part.etype, &skey);
if(ret){ if(ret){
kdc_log(0, "No suitable key found for server (%s) from %s", spn, from); kdc_log(context, config, 0,
"No suitable key found for server (%s) from %s", spn, from);
goto out; goto out;
} }
ret = krb5_crypto_init(context, &skey->key, 0, &crypto); ret = krb5_crypto_init(context, &skey->key, 0, &crypto);
if (ret) { if (ret) {
kdc_log(0, "krb5_crypto_init failed: %s", kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
goto out; goto out;
} }
@@ -312,36 +334,39 @@ do_524(const Ticket *t, krb5_data *reply,
&et_data); &et_data);
krb5_crypto_destroy(context, crypto); krb5_crypto_destroy(context, crypto);
if(ret){ if(ret){
kdc_log(0, "Failed to decrypt ticket from %s for %s", from, spn); kdc_log(context, config, 0,
"Failed to decrypt ticket from %s for %s", from, spn);
goto out; goto out;
} }
ret = krb5_decode_EncTicketPart(context, et_data.data, et_data.length, ret = krb5_decode_EncTicketPart(context, et_data.data, et_data.length,
&et, &len); &et, &len);
krb5_data_free(&et_data); krb5_data_free(&et_data);
if(ret){ if(ret){
kdc_log(0, "Failed to decode ticket from %s for %s", from, spn); kdc_log(context, config, 0,
"Failed to decode ticket from %s for %s", from, spn);
goto out; goto out;
} }
ret = log_524 (&et, from, spn); ret = log_524 (context, config, &et, from, spn);
if (ret) { if (ret) {
free_EncTicketPart(&et); free_EncTicketPart(&et);
goto out; goto out;
} }
ret = verify_flags (&et, spn); ret = verify_flags (context, config, &et, spn);
if (ret) { if (ret) {
free_EncTicketPart(&et); free_EncTicketPart(&et);
goto out; goto out;
} }
ret = set_address (&et, addr, from); ret = set_address (context, config, &et, addr, from);
if (ret) { if (ret) {
free_EncTicketPart(&et); free_EncTicketPart(&et);
goto out; goto out;
} }
ret = encode_524_response(spn, et, t, server, &ticket, &kvno); ret = encode_524_response(context, config, spn, et, t,
server, &ticket, &kvno);
free_EncTicketPart(&et); free_EncTicketPart(&et);
out: out:
@@ -364,6 +389,6 @@ out:
if(spn) if(spn)
free(spn); free(spn);
if(server) if(server)
free_ent (server); free_ent (context, server);
return ret; return ret;
} }

25
kdc/Makefile.am
View File

@@ -4,6 +4,8 @@ include $(top_srcdir)/Makefile.am.common
AM_CPPFLAGS += $(INCLUDE_krb4) $(INCLUDE_des) -I$(srcdir)/../lib/krb5 AM_CPPFLAGS += $(INCLUDE_krb4) $(INCLUDE_des) -I$(srcdir)/../lib/krb5
lib_LTLIBRARIES = libkdc.la
bin_PROGRAMS = string2key bin_PROGRAMS = string2key
sbin_PROGRAMS = kstash sbin_PROGRAMS = kstash
@@ -19,20 +21,24 @@ kstash_SOURCES = kstash.c headers.h
string2key_SOURCES = string2key.c headers.h string2key_SOURCES = string2key.c headers.h
kdc_SOURCES = \ kdc_SOURCES = connect.c \
config.c \ config.c \
connect.c \ main.c
libkdc_la_SOURCES = \
default_config.c \
kdc_locl.h \ kdc_locl.h \
kerberos5.c \ kerberos5.c \
pkinit.c \ pkinit.c \
log.c \ log.c \
main.c \
misc.c \ misc.c \
524.c \ 524.c \
kerberos4.c \ kerberos4.c \
kaserver.c \ kaserver.c \
process.c \
rx.h rx.h
libkdc_la_LDFLAGS = -version-info 1:0:0 -Wl,--version-script,./exports
hprop_LDADD = \ hprop_LDADD = \
$(top_builddir)/lib/hdb/libhdb.la \ $(top_builddir)/lib/hdb/libhdb.la \
@@ -54,6 +60,16 @@ hpropd_LDADD = \
$(LIB_roken) \ $(LIB_roken) \
$(DBLIB) $(DBLIB)
libkdc_la_LIBADD = \
$(top_builddir)/lib/hdb/libhdb.la \
$(LIB_openldap) \
$(top_builddir)/lib/krb5/libkrb5.la \
$(LIB_kdb) $(LIB_krb4) \
$(LIB_des) \
$(top_builddir)/lib/asn1/libasn1.la \
$(LIB_roken) \
$(DBLIB)
LDADD = $(top_builddir)/lib/hdb/libhdb.la \ LDADD = $(top_builddir)/lib/hdb/libhdb.la \
$(LIB_openldap) \ $(LIB_openldap) \
$(top_builddir)/lib/krb5/libkrb5.la \ $(top_builddir)/lib/krb5/libkrb5.la \
@@ -63,5 +79,6 @@ LDADD = $(top_builddir)/lib/hdb/libhdb.la \
$(LIB_roken) \ $(LIB_roken) \
$(DBLIB) $(DBLIB)
kdc_LDADD = $(LDADD) $(LIB_pidfile) kdc_LDADD = libkdc.la $(LIB_pidfile)
include_HEADERS = kdc.h

307
kdc/config.c
View File

@@ -1,6 +1,7 @@
/* /*
* Copyright (c) 1997-2004 Kungliga Tekniska H<>gskolan * Copyright (c) 1997-2005 Kungliga Tekniska H<>skolan
* (Royal Institute of Technology, Stockholm, Sweden). * (Royal Institute of Technology, Stockholm, Sweden).
*
* All rights reserved. * All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
@@ -37,50 +38,34 @@
RCSID("$Id$"); RCSID("$Id$");
struct dbinfo {
char *realm;
char *dbname;
char *mkey_file;
struct dbinfo *next;
};
static const char *config_file; /* location of kdc config file */ static const char *config_file; /* location of kdc config file */
int require_preauth = -1; /* 1 == require preauth for all principals */ static int require_preauth = -1; /* 1 == require preauth for all principals */
size_t max_request; /* maximal size of a request */
static char *max_request_str; /* `max_request' as a string */ static char *max_request_str; /* `max_request' as a string */
time_t kdc_warn_pwexpire; /* time before expiration to print a warning */
struct dbinfo *databases;
HDB **db;
int num_db;
const char *port_str;
int detach_from_console = -1;
#define DETACH_IS_DEFAULT FALSE
int enable_http = -1;
krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */
krb5_boolean check_ticket_addresses;
krb5_boolean allow_null_ticket_addresses;
krb5_boolean allow_anonymous;
int trpolicy;
static const char *trpolicy_str; static const char *trpolicy_str;
static struct getarg_strings addresses_str; /* addresses to listen on */
krb5_addresses explicit_addresses;
static int disable_des = -1; static int disable_des = -1;
static int enable_v4 = -1;
char *v4_realm; static int enable_kaserver = -1;
int enable_v4 = -1; static int enable_524 = -1;
int enable_kaserver = -1; static int enable_v4_cross_realm = -1;
int enable_524 = -1;
int enable_v4_cross_realm = -1;
static int builtin_hdb_flag; static int builtin_hdb_flag;
static int help_flag; static int help_flag;
static int version_flag; static int version_flag;
static struct getarg_strings addresses_str; /* addresses to listen on */
static char *v4_realm;
static struct getargs args[] = { static struct getargs args[] = {
{ {
"config-file", 'c', arg_string, &config_file, "config-file", 'c', arg_string, &config_file,
@@ -94,12 +79,6 @@ static struct getargs args[] = {
"max-request", 0, arg_string, &max_request, "max-request", 0, arg_string, &max_request,
"max size for a kdc-request", "size" "max size for a kdc-request", "size"
}, },
#if 0
{
"database", 'd', arg_string, &databases,
"location of database", "database"
},
#endif
{ "enable-http", 'H', arg_flag, &enable_http, "turn on HTTP support" }, { "enable-http", 'H', arg_flag, &enable_http, "turn on HTTP support" },
{ "524", 0, arg_negative_flag, &enable_524, { "524", 0, arg_negative_flag, &enable_524,
"don't respond to 524 requests" "don't respond to 524 requests"
@@ -153,7 +132,7 @@ usage(int ret)
} }
static void static void
get_dbinfo(void) get_dbinfo(krb5_context context, struct krb5_kdc_configuration *config)
{ {
const krb5_config_binding *top_binding = NULL; const krb5_config_binding *top_binding = NULL;
const krb5_config_binding *db_binding; const krb5_config_binding *db_binding;
@@ -162,8 +141,10 @@ get_dbinfo(void)
const char *default_dbname = HDB_DEFAULT_DB; const char *default_dbname = HDB_DEFAULT_DB;
const char *default_mkey = HDB_DB_DIR "/m-key"; const char *default_mkey = HDB_DB_DIR "/m-key";
const char *p; const char *p;
krb5_error_code ret;
struct dbinfo *databases = NULL;
databases = NULL;
dt = &databases; dt = &databases;
while((db_binding = (const krb5_config_binding *) while((db_binding = (const krb5_config_binding *)
krb5_config_get_next(context, NULL, &top_binding, krb5_config_get_next(context, NULL, &top_binding,
@@ -229,10 +210,36 @@ get_dbinfo(void)
(int)(p - di->dbname), di->dbname); (int)(p - di->dbname), di->dbname);
} }
} }
if (databases == NULL) {
config->db = malloc(sizeof(*config->db));
config->num_db = 1;
ret = hdb_create(context, &config->db[0], NULL);
if(ret)
krb5_err(context, 1, ret, "hdb_create %s", HDB_DEFAULT_DB);
ret = hdb_set_master_keyfile(context, config->db[0], NULL);
if (ret)
krb5_err(context, 1, ret, "hdb_set_master_keyfile");
} else {
struct dbinfo *d;
int i;
/* count databases */
for(d = databases, i = 0; d; d = d->next, i++);
config->db = malloc(i * sizeof(*config->db));
for(d = databases, config->num_db = 0; d; d = d->next, config->num_db++) {
ret = hdb_create(context, &config->db[config->num_db], d->dbname);
if(ret)
krb5_err(context, 1, ret, "hdb_create %s", d->dbname);
ret = hdb_set_master_keyfile(context, config->db[config->num_db], d->mkey_file);
if (ret)
krb5_err(context, 1, ret, "hdb_set_master_keyfile");
}
}
} }
static void static void
add_one_address (const char *str, int first) add_one_address (krb5_context context, const char *str, int first)
{ {
krb5_error_code ret; krb5_error_code ret;
krb5_addresses tmp; krb5_addresses tmp;
@@ -247,15 +254,21 @@ add_one_address (const char *str, int first)
krb5_free_addresses (context, &tmp); krb5_free_addresses (context, &tmp);
} }
void struct krb5_kdc_configuration *configure(krb5_context context, int argc, char **argv)
configure(int argc, char **argv)
{ {
struct krb5_kdc_configuration *config = malloc(sizeof(*config));
krb5_error_code ret; krb5_error_code ret;
int optind = 0; int optidx = 0;
const char *p; const char *p;
while(getarg(args, num_args, argc, argv, &optind)) if (!config) {
warnx("error at argument `%s'", argv[optind]); return NULL;
}
krb5_kdc_default_config(config);
while(getarg(args, num_args, argc, argv, &optidx))
warnx("error at argument `%s'", argv[optidx]);
if(help_flag) if(help_flag)
usage (0); usage (0);
@@ -275,8 +288,8 @@ configure(int argc, char **argv)
exit(0); exit(0);
} }
argc -= optind; argc -= optidx;
argv += optind; argv += optidx;
if (argc != 0) if (argc != 0)
usage(1); usage(1);
@@ -297,7 +310,9 @@ configure(int argc, char **argv)
krb5_err(context, 1, ret, "reading configuration files"); krb5_err(context, 1, ret, "reading configuration files");
} }
get_dbinfo(); kdc_openlog(context, config);
get_dbinfo(context, config);
if(max_request_str) if(max_request_str)
max_request = parse_bytes(max_request_str, NULL); max_request = parse_bytes(max_request_str, NULL);
@@ -312,9 +327,14 @@ configure(int argc, char **argv)
max_request = parse_bytes(p, NULL); max_request = parse_bytes(p, NULL);
} }
if(require_preauth == -1) if(require_preauth == -1) {
require_preauth = krb5_config_get_bool(context, NULL, "kdc", config->require_preauth = krb5_config_get_bool_default(context, NULL,
"require-preauth", NULL); config->require_preauth,
"kdc",
"require-preauth", NULL);
} else {
config->require_preauth = require_preauth;
}
if(port_str == NULL){ if(port_str == NULL){
p = krb5_config_get_string(context, NULL, "kdc", "ports", NULL); p = krb5_config_get_string(context, NULL, "kdc", "ports", NULL);
@@ -328,58 +348,85 @@ configure(int argc, char **argv)
int i; int i;
for (i = 0; i < addresses_str.num_strings; ++i) for (i = 0; i < addresses_str.num_strings; ++i)
add_one_address (addresses_str.strings[i], i == 0); add_one_address (context, addresses_str.strings[i], i == 0);
free_getarg_strings (&addresses_str); free_getarg_strings (&addresses_str);
} else { } else {
char **foo = krb5_config_get_strings (context, NULL, char **foo = krb5_config_get_strings (context, NULL,
"kdc", "addresses", NULL); "kdc", "addresses", NULL);
if (foo != NULL) { if (foo != NULL) {
add_one_address (*foo++, TRUE); add_one_address (context, *foo++, TRUE);
while (*foo) while (*foo)
add_one_address (*foo++, FALSE); add_one_address (context, *foo++, FALSE);
} }
} }
if(enable_v4 == -1) if(enable_v4 == -1) {
enable_v4 = krb5_config_get_bool_default(context, NULL, FALSE, "kdc", config->enable_v4 = krb5_config_get_bool_default(context, NULL,
"enable-kerberos4", NULL); config->enable_v4,
if(enable_v4_cross_realm == -1) "kdc",
enable_v4_cross_realm = "enable-kerberos4",
NULL);
} else {
config->enable_v4 = enable_v4;
}
if(enable_v4_cross_realm == -1) {
config->enable_v4_cross_realm =
krb5_config_get_bool_default(context, NULL, krb5_config_get_bool_default(context, NULL,
FALSE, "kdc", config->enable_v4_cross_realm,
"kdc",
"enable-kerberos4-cross-realm", "enable-kerberos4-cross-realm",
NULL); NULL);
if(enable_524 == -1) } else {
enable_524 = krb5_config_get_bool_default(context, NULL, enable_v4, config->enable_v4_cross_realm = enable_v4_cross_realm;
"kdc", "enable-524", NULL); }
if(enable_524 == -1) {
config->enable_524 = krb5_config_get_bool_default(context, NULL,
config->enable_v4,
"kdc", "enable-524",
NULL);
} else {
config->enable_524 = enable_524;
}
if(enable_http == -1) if(enable_http == -1)
enable_http = krb5_config_get_bool(context, NULL, "kdc", enable_http = krb5_config_get_bool(context, NULL, "kdc",
"enable-http", NULL); "enable-http", NULL);
check_ticket_addresses =
krb5_config_get_bool_default(context, NULL, TRUE, "kdc", config->check_ticket_addresses =
krb5_config_get_bool_default(context, NULL,
config->check_ticket_addresses,
"kdc",
"check-ticket-addresses", NULL); "check-ticket-addresses", NULL);
allow_null_ticket_addresses = config->allow_null_ticket_addresses =
krb5_config_get_bool_default(context, NULL, TRUE, "kdc", krb5_config_get_bool_default(context, NULL,
config->allow_null_ticket_addresses,
"kdc",
"allow-null-ticket-addresses", NULL); "allow-null-ticket-addresses", NULL);
allow_anonymous = config->allow_anonymous =
krb5_config_get_bool(context, NULL, "kdc", krb5_config_get_bool_default(context, NULL,
"allow-anonymous", NULL); config->allow_anonymous,
"kdc",
"allow-anonymous", NULL);
trpolicy_str = trpolicy_str =
krb5_config_get_string_default(context, NULL, "always-check", "kdc", krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc",
"transited-policy", NULL); "transited-policy", NULL);
if(strcasecmp(trpolicy_str, "always-check") == 0) if(strcasecmp(trpolicy_str, "always-check") == 0) {
trpolicy = TRPOLICY_ALWAYS_CHECK; config->trpolicy = TRPOLICY_ALWAYS_CHECK;
else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) } else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) {
trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL; config->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) } else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) {
trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST; config->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
else { } else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) {
kdc_log(0, "unknown transited-policy: %s, reverting to always-check", /* default */
} else {
kdc_log(context, config,
0, "unknown transited-policy: %s, reverting to default (always-check)",
trpolicy_str); trpolicy_str);
trpolicy = TRPOLICY_ALWAYS_CHECK;
} }
if (krb5_config_get_string(context, NULL, "kdc", if (krb5_config_get_string(context, NULL, "kdc",
@@ -393,51 +440,72 @@ configure(int argc, char **argv)
"v4-realm", "v4-realm",
NULL); NULL);
if(p != NULL) { if(p != NULL) {
v4_realm = strdup(p); config->v4_realm = strdup(p);
if (v4_realm == NULL) if (config->v4_realm == NULL)
krb5_errx(context, 1, "out of memory"); krb5_errx(context, 1, "out of memory");
} else {
config->v4_realm = NULL;
} }
} else {
config->v4_realm = v4_realm;
} }
if (enable_kaserver == -1)
enable_kaserver = krb5_config_get_bool_default(context, NULL, FALSE,
"kdc",
"enable-kaserver",
NULL);
encode_as_rep_as_tgs_rep = krb5_config_get_bool(context, NULL, "kdc", if (enable_kaserver == -1) {
"encode_as_rep_as_tgs_rep", config->enable_kaserver =
NULL); krb5_config_get_bool_default(context,
NULL,
config->enable_kaserver,
"kdc",
"enable-kaserver",
NULL);
} else {
config->enable_kaserver = enable_kaserver;
}
kdc_warn_pwexpire = krb5_config_get_time (context, NULL, config->encode_as_rep_as_tgs_rep =
"kdc", krb5_config_get_bool_default(context, NULL,
"kdc_warn_pwexpire", config->encode_as_rep_as_tgs_rep,
NULL); "kdc",
"encode_as_rep_as_tgs_rep",
NULL);
config->kdc_warn_pwexpire =
krb5_config_get_time_default (context, NULL,
config->kdc_warn_pwexpire,
"kdc",
"kdc_warn_pwexpire",
NULL);
if(detach_from_console == -1) if(detach_from_console == -1)
detach_from_console = krb5_config_get_bool_default(context, NULL, detach_from_console = krb5_config_get_bool_default(context, NULL,
DETACH_IS_DEFAULT, DETACH_IS_DEFAULT,
"kdc", "kdc",
"detach", NULL); "detach", NULL);
kdc_openlog();
if(max_request == 0) if(max_request == 0)
max_request = 64 * 1024; max_request = 64 * 1024;
if(require_preauth == -1)
require_preauth = 1; if(require_preauth != -1) {
config->require_preauth = require_preauth;
}
if (port_str == NULL) if (port_str == NULL)
port_str = "+"; port_str = "+";
#ifdef PKINIT #ifdef PKINIT
enable_pkinit = krb5_config_get_bool_default(context, NULL, FALSE, config->enable_pkinit =
"kdc", krb5_config_get_bool_default(context,
"enable-pkinit", NULL,
NULL); config->enable_pkinit,
if (enable_pkinit) { "kdc",
"enable-pkinit",
NULL);
if (config->enable_pkinit) {
const char *user_id, *x509_anchors; const char *user_id, *x509_anchors;
user_id = krb5_config_get_string(context, NULL, user_id = krb5_config_get_string(context, NULL,
"kdc", "kdc",
"pki-identity", "pki-identity",
NULL); NULL);
if (user_id == NULL) if (user_id == NULL)
krb5_errx(context, 1, "pkinit enabled but no identity"); krb5_errx(context, 1, "pkinit enabled but no identity");
@@ -450,28 +518,29 @@ configure(int argc, char **argv)
pk_initialize(user_id, x509_anchors); pk_initialize(user_id, x509_anchors);
enable_pkinit_princ_in_cert = config->enable_pkinit_princ_in_cert =
krb5_config_get_bool_default(context, krb5_config_get_bool_default(context,
NULL, TRUE, NULL,
config->enable_pkinit_princ_in_cert,
"kdc", "kdc",
"pkinit-principal-in-certificate", "pkinit-principal-in-certificate",
NULL); NULL);
} }
#endif #endif
if(v4_realm == NULL && (enable_kaserver || enable_v4)){ if(config->v4_realm == NULL && (config->enable_kaserver || config->enable_v4)){
#ifdef KRB4 #ifdef KRB4
v4_realm = malloc(40); /* REALM_SZ */ config->v4_realm = malloc(40); /* REALM_SZ */
if (v4_realm == NULL) if (config->v4_realm == NULL)
krb5_errx(context, 1, "out of memory"); krb5_errx(context, 1, "out of memory");
krb_get_lrealm(v4_realm, 1); krb_get_lrealm(config->v4_realm, 1);
#else #else
krb5_errx(context, 1, "No Kerberos 4 realm configured"); krb5_errx(context, 1, "No Kerberos 4 realm configured");
#endif #endif
} }
if(disable_des == -1) if(disable_des == -1)
disable_des = krb5_config_get_bool_default(context, NULL, disable_des = krb5_config_get_bool_default(context, NULL,
0, FALSE,
"kdc", "kdc",
"disable-des", NULL); "disable-des", NULL);
if(disable_des) { if(disable_des) {
@@ -482,10 +551,12 @@ configure(int argc, char **argv)
krb5_enctype_disable(context, ETYPE_DES_CFB64_NONE); krb5_enctype_disable(context, ETYPE_DES_CFB64_NONE);
krb5_enctype_disable(context, ETYPE_DES_PCBC_NONE); krb5_enctype_disable(context, ETYPE_DES_PCBC_NONE);
kdc_log(0, "DES was disabled, turned off Kerberos V4, 524 " kdc_log(context, config,
0, "DES was disabled, turned off Kerberos V4, 524 "
"and kaserver"); "and kaserver");
enable_v4 = 0; config->enable_v4 = 0;
enable_524 = 0; config->enable_524 = 0;
enable_kaserver = 0; config->enable_kaserver = 0;
} }
return config;
} }

306
kdc/connect.c
View File

@@ -35,6 +35,16 @@
RCSID("$Id$"); RCSID("$Id$");
/* Should we enable the HTTP hack? */
int enable_http = -1;
/* A string describing on what ports to listen */
const char *port_str;
krb5_addresses explicit_addresses;
size_t max_request; /* maximal size of a request */
/* /*
* a tuple describing on what to listen * a tuple describing on what to listen
*/ */
@@ -55,7 +65,8 @@ static int num_ports;
*/ */
static void static void
add_port(int family, int port, const char *protocol) add_port(krb5_context context,
int family, int port, const char *protocol)
{ {
int type; int type;
int i; int i;
@@ -87,11 +98,12 @@ add_port(int family, int port, const char *protocol)
*/ */
static void static void
add_port_service(int family, const char *service, int port, add_port_service(krb5_context context,
int family, const char *service, int port,
const char *protocol) const char *protocol)
{ {
port = krb5_getportbyname (context, service, protocol, port); port = krb5_getportbyname (context, service, protocol, port);
add_port (family, port, protocol); add_port (context, family, port, protocol);
} }
/* /*
@@ -100,22 +112,23 @@ add_port_service(int family, const char *service, int port,
*/ */
static void static void
add_port_string (int family, const char *port_str, const char *protocol) add_port_string (krb5_context context,
int family, const char *str, const char *protocol)
{ {
struct servent *sp; struct servent *sp;
int port; int port;
sp = roken_getservbyname (port_str, protocol); sp = roken_getservbyname (str, protocol);
if (sp != NULL) { if (sp != NULL) {
port = sp->s_port; port = sp->s_port;
} else { } else {
char *end; char *end;
port = htons(strtol(port_str, &end, 0)); port = htons(strtol(str, &end, 0));
if (end == port_str) if (end == str)
return; return;
} }
add_port (family, port, protocol); add_port (context, family, port, protocol);
} }
/* /*
@@ -123,24 +136,26 @@ add_port_string (int family, const char *port_str, const char *protocol)
*/ */
static void static void
add_standard_ports (int family) add_standard_ports (krb5_context context,
struct krb5_kdc_configuration *config,
int family)
{ {
add_port_service(family, "kerberos", 88, "udp"); add_port_service(context, family, "kerberos", 88, "udp");
add_port_service(family, "kerberos", 88, "tcp"); add_port_service(context, family, "kerberos", 88, "tcp");
add_port_service(family, "kerberos-sec", 88, "udp"); add_port_service(context, family, "kerberos-sec", 88, "udp");
add_port_service(family, "kerberos-sec", 88, "tcp"); add_port_service(context, family, "kerberos-sec", 88, "tcp");
if(enable_http) if(enable_http)
add_port_service(family, "http", 80, "tcp"); add_port_service(context, family, "http", 80, "tcp");
if(enable_524) { if(config->enable_524) {
add_port_service(family, "krb524", 4444, "udp"); add_port_service(context, family, "krb524", 4444, "udp");
add_port_service(family, "krb524", 4444, "tcp"); add_port_service(context, family, "krb524", 4444, "tcp");
} }
if(enable_v4) { if(config->enable_v4) {
add_port_service(family, "kerberos-iv", 750, "udp"); add_port_service(context, family, "kerberos-iv", 750, "udp");
add_port_service(family, "kerberos-iv", 750, "tcp"); add_port_service(context, family, "kerberos-iv", 750, "tcp");
} }
if (enable_kaserver) if (config->enable_kaserver)
add_port_service(family, "afs3-kaserver", 7004, "udp"); add_port_service(context, family, "afs3-kaserver", 7004, "udp");
} }
/* /*
@@ -150,7 +165,9 @@ add_standard_ports (int family)
*/ */
static void static void
parse_ports(const char *str) parse_ports(krb5_context context,
struct krb5_kdc_configuration *config,
const char *str)
{ {
char *pos = NULL; char *pos = NULL;
char *p; char *p;
@@ -160,24 +177,24 @@ parse_ports(const char *str)
while(p != NULL) { while(p != NULL) {
if(strcmp(p, "+") == 0) { if(strcmp(p, "+") == 0) {
#ifdef HAVE_IPV6 #ifdef HAVE_IPV6
add_standard_ports(AF_INET6); add_standard_ports(context, config, AF_INET6);
#endif #endif
add_standard_ports(AF_INET); add_standard_ports(context, config, AF_INET);
} else { } else {
char *q = strchr(p, '/'); char *q = strchr(p, '/');
if(q){ if(q){
*q++ = 0; *q++ = 0;
#ifdef HAVE_IPV6 #ifdef HAVE_IPV6
add_port_string(AF_INET6, p, q); add_port_string(context, AF_INET6, p, q);
#endif #endif
add_port_string(AF_INET, p, q); add_port_string(context, AF_INET, p, q);
}else { }else {
#ifdef HAVE_IPV6 #ifdef HAVE_IPV6
add_port_string(AF_INET6, p, "udp"); add_port_string(context, AF_INET6, p, "udp");
add_port_string(AF_INET6, p, "tcp"); add_port_string(context, AF_INET6, p, "tcp");
#endif #endif
add_port_string(AF_INET, p, "udp"); add_port_string(context, AF_INET, p, "udp");
add_port_string(AF_INET, p, "tcp"); add_port_string(context, AF_INET, p, "tcp");
} }
} }
@@ -230,7 +247,9 @@ reinit_descrs (struct descr *d, int n)
*/ */
static void static void
init_socket(struct descr *d, krb5_address *a, int family, int type, int port) init_socket(krb5_context context,
struct krb5_kdc_configuration *config,
struct descr *d, krb5_address *a, int family, int type, int port)
{ {
krb5_error_code ret; krb5_error_code ret;
struct sockaddr_storage __ss; struct sockaddr_storage __ss;
@@ -293,7 +312,9 @@ init_socket(struct descr *d, krb5_address *a, int family, int type, int port)
*/ */
static int static int
init_sockets(struct descr **desc) init_sockets(krb5_context context,
struct krb5_kdc_configuration *config,
struct descr **desc)
{ {
krb5_error_code ret; krb5_error_code ret;
int i, j; int i, j;
@@ -308,7 +329,7 @@ init_sockets(struct descr **desc)
if (ret) if (ret)
krb5_err (context, 1, ret, "krb5_get_all_server_addrs"); krb5_err (context, 1, ret, "krb5_get_all_server_addrs");
} }
parse_ports(port_str); parse_ports(context, config, port_str);
d = malloc(addresses.len * num_ports * sizeof(*d)); d = malloc(addresses.len * num_ports * sizeof(*d));
if (d == NULL) if (d == NULL)
krb5_errx(context, 1, "malloc(%lu) failed", krb5_errx(context, 1, "malloc(%lu) failed",
@@ -316,7 +337,7 @@ init_sockets(struct descr **desc)
for (i = 0; i < num_ports; i++){ for (i = 0; i < num_ports; i++){
for (j = 0; j < addresses.len; ++j) { for (j = 0; j < addresses.len; ++j) {
init_socket(&d[num], &addresses.val[j], init_socket(context, config, &d[num], &addresses.val[j],
ports[i].family, ports[i].type, ports[i].port); ports[i].family, ports[i].type, ports[i].port);
if(d[num].s != -1){ if(d[num].s != -1){
char a_str[80]; char a_str[80];
@@ -325,7 +346,7 @@ init_sockets(struct descr **desc)
krb5_print_address (&addresses.val[j], a_str, krb5_print_address (&addresses.val[j], a_str,
sizeof(a_str), &len); sizeof(a_str), &len);
kdc_log(5, "listening on %s port %u/%s", kdc_log(context, config, 5, "listening on %s port %u/%s",
a_str, a_str,
ntohs(ports[i].port), ntohs(ports[i].port),
(ports[i].type == SOCK_STREAM) ? "tcp" : "udp"); (ports[i].type == SOCK_STREAM) ? "tcp" : "udp");
@@ -358,51 +379,9 @@ descr_type(struct descr *d)
return "unknown"; return "unknown";
} }
/*
* handle the request in `buf, len', from `addr' (or `from' as a string),
* sending a reply in `reply'.
*/
static int
process_request(unsigned char *buf,
size_t len,
krb5_data *reply,
krb5_boolean *prependlength,
const char *from,
struct sockaddr *addr)
{
KDC_REQ req;
Ticket ticket;
krb5_error_code ret;
size_t i;
gettimeofday(&now, NULL);
if(decode_AS_REQ(buf, len, &req, &i) == 0){
ret = as_rep(&req, reply, from, addr);
free_AS_REQ(&req);
return ret;
}else if(decode_TGS_REQ(buf, len, &req, &i) == 0){
ret = tgs_rep(&req, reply, from, addr);
free_TGS_REQ(&req);
return ret;
}else if(decode_Ticket(buf, len, &ticket, &i) == 0){
ret = do_524(&ticket, reply, from, addr);
free_Ticket(&ticket);
return ret;
} else if(maybe_version4(buf, len)){
*prependlength = FALSE; /* elbitapmoc sdrawkcab XXX */
do_version4(buf, len, reply, from, (struct sockaddr_in*)addr);
return 0;
} else if (enable_kaserver) {
ret = do_kaserver (buf, len, reply, from, (struct sockaddr_in*)addr);
return ret;
}
return -1;
}
static void static void
addr_to_string(struct sockaddr *addr, size_t addr_len, char *str, size_t len) addr_to_string(krb5_context context,
struct sockaddr *addr, size_t addr_len, char *str, size_t len)
{ {
krb5_address a; krb5_address a;
if(krb5_sockaddr2address(context, addr, &a) == 0) { if(krb5_sockaddr2address(context, addr, &a) == 0) {
@@ -420,39 +399,45 @@ addr_to_string(struct sockaddr *addr, size_t addr_len, char *str, size_t len)
*/ */
static void static void
do_request(void *buf, size_t len, krb5_boolean prependlength, do_request(krb5_context context,
struct krb5_kdc_configuration *config,
void *buf, size_t len, krb5_boolean prependlength,
struct descr *d) struct descr *d)
{ {
krb5_error_code ret; krb5_error_code ret;
krb5_data reply; krb5_data reply;
reply.length = 0; reply.length = 0;
ret = process_request(buf, len, &reply, &prependlength, ret = krb5_kdc_process_generic_request(context, config,
buf, len, &reply, &prependlength,
d->addr_string, d->sa); d->addr_string, d->sa);
if(reply.length){ if(reply.length){
kdc_log(5, "sending %lu bytes to %s", (unsigned long)reply.length, kdc_log(context, config, 5,
"sending %lu bytes to %s", (unsigned long)reply.length,
d->addr_string); d->addr_string);
if(prependlength){ if(prependlength){
unsigned char len[4]; unsigned char l[4];
len[0] = (reply.length >> 24) & 0xff; l[0] = (reply.length >> 24) & 0xff;
len[1] = (reply.length >> 16) & 0xff; l[1] = (reply.length >> 16) & 0xff;
len[2] = (reply.length >> 8) & 0xff; l[2] = (reply.length >> 8) & 0xff;
len[3] = reply.length & 0xff; l[3] = reply.length & 0xff;
if(sendto(d->s, len, sizeof(len), 0, d->sa, d->sock_len) < 0) { if(sendto(d->s, l, sizeof(l), 0, d->sa, d->sock_len) < 0) {
kdc_log (0, "sendto(%s): %s", d->addr_string, strerror(errno)); kdc_log (context, config,
0, "sendto(%s): %s", d->addr_string, strerror(errno));
krb5_data_free(&reply); krb5_data_free(&reply);
return; return;
} }
} }
if(sendto(d->s, reply.data, reply.length, 0, d->sa, d->sock_len) < 0) { if(sendto(d->s, reply.data, reply.length, 0, d->sa, d->sock_len) < 0) {
kdc_log (0, "sendto(%s): %s", d->addr_string, strerror(errno)); kdc_log (context, config,
0, "sendto(%s): %s", d->addr_string, strerror(errno));
krb5_data_free(&reply); krb5_data_free(&reply);
return; return;
} }
krb5_data_free(&reply); krb5_data_free(&reply);
} }
if(ret) if(ret)
kdc_log(0, "Failed processing %lu byte request from %s", kdc_log(context, config, 0, "Failed processing %lu byte request from %s",
(unsigned long)len, d->addr_string); (unsigned long)len, d->addr_string);
} }
@@ -461,14 +446,16 @@ do_request(void *buf, size_t len, krb5_boolean prependlength,
*/ */
static void static void
handle_udp(struct descr *d) handle_udp(krb5_context context,
struct krb5_kdc_configuration *config,
struct descr *d)
{ {
unsigned char *buf; unsigned char *buf;
int n; int n;
buf = malloc(max_request); buf = malloc(max_request);
if(buf == NULL){ if(buf == NULL){
kdc_log(0, "Failed to allocate %lu bytes", (unsigned long)max_request); kdc_log(context, config, 0, "Failed to allocate %lu bytes", (unsigned long)max_request);
return; return;
} }
@@ -477,9 +464,9 @@ handle_udp(struct descr *d)
if(n < 0) if(n < 0)
krb5_warn(context, errno, "recvfrom"); krb5_warn(context, errno, "recvfrom");
else { else {
addr_to_string (d->sa, d->sock_len, addr_to_string (context, d->sa, d->sock_len,
d->addr_string, sizeof(d->addr_string)); d->addr_string, sizeof(d->addr_string));
do_request(buf, n, FALSE, d); do_request(context, config, buf, n, FALSE, d);
} }
free (buf); free (buf);
} }
@@ -522,7 +509,9 @@ de_http(char *buf)
*/ */
static void static void
add_new_tcp (struct descr *d, int parent, int child) add_new_tcp (krb5_context context,
struct krb5_kdc_configuration *config,
struct descr *d, int parent, int child)
{ {
int s; int s;
@@ -545,7 +534,8 @@ add_new_tcp (struct descr *d, int parent, int child)
d[child].s = s; d[child].s = s;
d[child].timeout = time(NULL) + TCP_TIMEOUT; d[child].timeout = time(NULL) + TCP_TIMEOUT;
d[child].type = SOCK_STREAM; d[child].type = SOCK_STREAM;
addr_to_string (d[child].sa, d[child].sock_len, addr_to_string (context,
d[child].sa, d[child].sock_len,
d[child].addr_string, sizeof(d[child].addr_string)); d[child].addr_string, sizeof(d[child].addr_string));
} }
@@ -555,7 +545,9 @@ add_new_tcp (struct descr *d, int parent, int child)
*/ */
static int static int
grow_descr (struct descr *d, size_t n) grow_descr (krb5_context context,
struct krb5_kdc_configuration *config,
struct descr *d, size_t n)
{ {
if (d->size - d->len < n) { if (d->size - d->len < n) {
unsigned char *tmp; unsigned char *tmp;
@@ -563,14 +555,14 @@ grow_descr (struct descr *d, size_t n)
grow = max(1024, d->len + n); grow = max(1024, d->len + n);
if (d->size + grow > max_request) { if (d->size + grow > max_request) {
kdc_log(0, "Request exceeds max request size (%lu bytes).", kdc_log(context, config, 0, "Request exceeds max request size (%lu bytes).",
(unsigned long)d->size + grow); (unsigned long)d->size + grow);
clear_descr(d); clear_descr(d);
return -1; return -1;
} }
tmp = realloc (d->buf, d->size + grow); tmp = realloc (d->buf, d->size + grow);
if (tmp == NULL) { if (tmp == NULL) {
kdc_log(0, "Failed to re-allocate %lu bytes.", kdc_log(context, config, 0, "Failed to re-allocate %lu bytes.",
(unsigned long)d->size + grow); (unsigned long)d->size + grow);
clear_descr(d); clear_descr(d);
return -1; return -1;
@@ -587,14 +579,16 @@ grow_descr (struct descr *d, size_t n)
*/ */
static int static int
handle_vanilla_tcp (struct descr *d) handle_vanilla_tcp (krb5_context context,
struct krb5_kdc_configuration *config,
struct descr *d)
{ {
krb5_storage *sp; krb5_storage *sp;
int32_t len; int32_t len;
sp = krb5_storage_from_mem(d->buf, d->len); sp = krb5_storage_from_mem(d->buf, d->len);
if (sp == NULL) { if (sp == NULL) {
kdc_log (0, "krb5_storage_from_mem failed"); kdc_log (context, config, 0, "krb5_storage_from_mem failed");
return -1; return -1;
} }
krb5_ret_int32(sp, &len); krb5_ret_int32(sp, &len);
@@ -612,7 +606,9 @@ handle_vanilla_tcp (struct descr *d)
*/ */
static int static int
handle_http_tcp (struct descr *d) handle_http_tcp (krb5_context context,
struct krb5_kdc_configuration *config,
struct descr *d)
{ {
char *s, *p, *t; char *s, *p, *t;
void *data; void *data;
@@ -623,7 +619,7 @@ handle_http_tcp (struct descr *d)
p = strstr(s, "\r\n"); p = strstr(s, "\r\n");
if (p == NULL) { if (p == NULL) {
kdc_log(0, "Malformed HTTP request from %s", d->addr_string); kdc_log(context, config, 0, "Malformed HTTP request from %s", d->addr_string);
return -1; return -1;
} }
*p = 0; *p = 0;
@@ -631,31 +627,31 @@ handle_http_tcp (struct descr *d)
p = NULL; p = NULL;
t = strtok_r(s, " \t", &p); t = strtok_r(s, " \t", &p);
if (t == NULL) { if (t == NULL) {
kdc_log(0, "Malformed HTTP request from %s", d->addr_string); kdc_log(context, config, 0, "Malformed HTTP request from %s", d->addr_string);
return -1; return -1;
} }
t = strtok_r(NULL, " \t", &p); t = strtok_r(NULL, " \t", &p);
if(t == NULL) { if(t == NULL) {
kdc_log(0, "Malformed HTTP request from %s", d->addr_string); kdc_log(context, config, 0, "Malformed HTTP request from %s", d->addr_string);
return -1; return -1;
} }
data = malloc(strlen(t)); data = malloc(strlen(t));
if (data == NULL) { if (data == NULL) {
kdc_log(0, "Failed to allocate %lu bytes", kdc_log(context, config, 0, "Failed to allocate %lu bytes",
(unsigned long)strlen(t)); (unsigned long)strlen(t));
return -1; return -1;
} }
if(*t == '/') if(*t == '/')
t++; t++;
if(de_http(t) != 0) { if(de_http(t) != 0) {
kdc_log(0, "Malformed HTTP request from %s", d->addr_string); kdc_log(context, config, 0, "Malformed HTTP request from %s", d->addr_string);
kdc_log(5, "HTTP request: %s", t); kdc_log(context, config, 5, "HTTP request: %s", t);
free(data); free(data);
return -1; return -1;
} }
proto = strtok_r(NULL, " \t", &p); proto = strtok_r(NULL, " \t", &p);
if (proto == NULL) { if (proto == NULL) {
kdc_log(0, "Malformed HTTP request from %s", d->addr_string); kdc_log(context, config, 0, "Malformed HTTP request from %s", d->addr_string);
free(data); free(data);
return -1; return -1;
} }
@@ -672,16 +668,16 @@ handle_http_tcp (struct descr *d)
"<H1>404 Not found</H1>\r\n" "<H1>404 Not found</H1>\r\n"
"That page doesn't exist, maybe you are looking for " "That page doesn't exist, maybe you are looking for "
"<A HREF=\"http://www.pdc.kth.se/heimdal/\">Heimdal</A>?\r\n"; "<A HREF=\"http://www.pdc.kth.se/heimdal/\">Heimdal</A>?\r\n";
kdc_log(0, "HTTP request from %s is non KDC request", d->addr_string); kdc_log(context, config, 0, "HTTP request from %s is non KDC request", d->addr_string);
kdc_log(5, "HTTP request: %s", t); kdc_log(context, config, 5, "HTTP request: %s", t);
free(data); free(data);
if (write(d->s, proto, strlen(proto)) < 0) { if (write(d->s, proto, strlen(proto)) < 0) {
kdc_log(0, "HTTP write failed: %s: %s", kdc_log(context, config, 0, "HTTP write failed: %s: %s",
d->addr_string, strerror(errno)); d->addr_string, strerror(errno));
return -1; return -1;
} }
if (write(d->s, msg, strlen(msg)) < 0) { if (write(d->s, msg, strlen(msg)) < 0) {
kdc_log(0, "HTTP write failed: %s: %s", kdc_log(context, config, 0, "HTTP write failed: %s: %s",
d->addr_string, strerror(errno)); d->addr_string, strerror(errno));
return -1; return -1;
} }
@@ -696,12 +692,12 @@ handle_http_tcp (struct descr *d)
"Content-type: application/octet-stream\r\n" "Content-type: application/octet-stream\r\n"
"Content-transfer-encoding: binary\r\n\r\n"; "Content-transfer-encoding: binary\r\n\r\n";
if (write(d->s, proto, strlen(proto)) < 0) { if (write(d->s, proto, strlen(proto)) < 0) {
kdc_log(0, "HTTP write failed: %s: %s", kdc_log(context, config, 0, "HTTP write failed: %s: %s",
d->addr_string, strerror(errno)); d->addr_string, strerror(errno));
return -1; return -1;
} }
if (write(d->s, msg, strlen(msg)) < 0) { if (write(d->s, msg, strlen(msg)) < 0) {
kdc_log(0, "HTTP write failed: %s: %s", kdc_log(context, config, 0, "HTTP write failed: %s: %s",
d->addr_string, strerror(errno)); d->addr_string, strerror(errno));
return -1; return -1;
} }
@@ -717,67 +713,72 @@ handle_http_tcp (struct descr *d)
*/ */
static void static void
handle_tcp(struct descr *d, int index, int min_free) handle_tcp(krb5_context context,
struct krb5_kdc_configuration *config,
struct descr *d, int idx, int min_free)
{ {
unsigned char buf[1024]; unsigned char buf[1024];
int n; int n;
int ret = 0; int ret = 0;
if (d[index].timeout == 0) { if (d[idx].timeout == 0) {
add_new_tcp (d, index, min_free); add_new_tcp (context, config, d, idx, min_free);
return; return;
} }
n = recvfrom(d[index].s, buf, sizeof(buf), 0, NULL, NULL); n = recvfrom(d[idx].s, buf, sizeof(buf), 0, NULL, NULL);
if(n < 0){ if(n < 0){
krb5_warn(context, errno, "recvfrom failed from %s to %s/%d", krb5_warn(context, errno, "recvfrom failed from %s to %s/%d",
d[index].addr_string, descr_type(d + index), d[idx].addr_string, descr_type(d + idx),
ntohs(d[index].port)); ntohs(d[idx].port));
return; return;
} else if (n == 0) { } else if (n == 0) {
krb5_warnx(context, "connection closed before end of data after %lu " krb5_warnx(context, "connection closed before end of data after %lu "
"bytes from %s to %s/%d", (unsigned long)d[index].len, "bytes from %s to %s/%d", (unsigned long)d[idx].len,
d[index].addr_string, descr_type(d + index), d[idx].addr_string, descr_type(d + idx),
ntohs(d[index].port)); ntohs(d[idx].port));
clear_descr (d + index); clear_descr (d + idx);
return; return;
} }
if (grow_descr (&d[index], n)) if (grow_descr (context, config, &d[idx], n))
return; return;
memcpy(d[index].buf + d[index].len, buf, n); memcpy(d[idx].buf + d[idx].len, buf, n);
d[index].len += n; d[idx].len += n;
if(d[index].len > 4 && d[index].buf[0] == 0) { if(d[idx].len > 4 && d[idx].buf[0] == 0) {
ret = handle_vanilla_tcp (&d[index]); ret = handle_vanilla_tcp (context, config, &d[idx]);
} else if(enable_http && } else if(enable_http &&
d[index].len >= 4 && d[idx].len >= 4 &&
strncmp((char *)d[index].buf, "GET ", 4) == 0 && strncmp((char *)d[idx].buf, "GET ", 4) == 0 &&
strncmp((char *)d[index].buf + d[index].len - 4, strncmp((char *)d[idx].buf + d[idx].len - 4,
"\r\n\r\n", 4) == 0) { "\r\n\r\n", 4) == 0) {
ret = handle_http_tcp (&d[index]); ret = handle_http_tcp (context, config, &d[idx]);
if (ret < 0) if (ret < 0)
clear_descr (d + index); clear_descr (d + idx);
} else if (d[index].len > 4) { } else if (d[idx].len > 4) {
kdc_log (0, "TCP data of strange type from %s to %s/%d", kdc_log (context, config,
d[index].addr_string, descr_type(d + index), 0, "TCP data of strange type from %s to %s/%d",
ntohs(d[index].port)); d[idx].addr_string, descr_type(d + idx),
clear_descr(d + index); ntohs(d[idx].port));
clear_descr(d + idx);
return; return;
} }
if (ret < 0) if (ret < 0)
return; return;
else if (ret == 1) { else if (ret == 1) {
do_request(d[index].buf, d[index].len, TRUE, &d[index]); do_request(context, config,
clear_descr(d + index); d[idx].buf, d[idx].len, TRUE, &d[idx]);
clear_descr(d + idx);
} }
} }
void void
loop(void) loop(krb5_context context,
struct krb5_kdc_configuration *config)
{ {
struct descr *d; struct descr *d;
int ndescr; int ndescr;
ndescr = init_sockets(&d); ndescr = init_sockets(context, config, &d);
if(ndescr <= 0) if(ndescr <= 0)
krb5_errx(context, 1, "No sockets!"); krb5_errx(context, 1, "No sockets!");
while(exit_flag == 0){ while(exit_flag == 0){
@@ -792,7 +793,8 @@ loop(void)
if(d[i].s >= 0){ if(d[i].s >= 0){
if(d[i].type == SOCK_STREAM && if(d[i].type == SOCK_STREAM &&
d[i].timeout && d[i].timeout < time(NULL)) { d[i].timeout && d[i].timeout < time(NULL)) {
kdc_log(1, "TCP-connection from %s expired after %lu bytes", kdc_log(context, config, 1,
"TCP-connection from %s expired after %lu bytes",
d[i].addr_string, (unsigned long)d[i].len); d[i].addr_string, (unsigned long)d[i].len);
clear_descr(&d[i]); clear_descr(&d[i]);
continue; continue;
@@ -834,17 +836,17 @@ loop(void)
for(i = 0; i < ndescr; i++) for(i = 0; i < ndescr; i++)
if(d[i].s >= 0 && FD_ISSET(d[i].s, &fds)) { if(d[i].s >= 0 && FD_ISSET(d[i].s, &fds)) {
if(d[i].type == SOCK_DGRAM) if(d[i].type == SOCK_DGRAM)
handle_udp(&d[i]); handle_udp(context, config, &d[i]);
else if(d[i].type == SOCK_STREAM) else if(d[i].type == SOCK_STREAM)
handle_tcp(d, i, min_free); handle_tcp(context, config, d, i, min_free);
} }
} }
} }
if(exit_flag == SIGXCPU) if(exit_flag == SIGXCPU)
kdc_log(0, "CPU time limit exceeded"); kdc_log(context, config, 0, "CPU time limit exceeded");
else if(exit_flag == SIGINT || exit_flag == SIGTERM) else if(exit_flag == SIGINT || exit_flag == SIGTERM)
kdc_log(0, "Terminated"); kdc_log(context, config, 0, "Terminated");
else else
kdc_log(0, "Unexpected exit reason: %d", exit_flag); kdc_log(context, config, 0, "Unexpected exit reason: %d", exit_flag);
free (d); free (d);
} }

26
kdc/hprop.c
View File

@@ -586,7 +586,7 @@ parse_source_type(const char *s)
static void static void
iterate (krb5_context context, iterate (krb5_context context,
const char *database, const char *database_name,
HDB *db, HDB *db,
int type, int type,
struct prop_data *pd) struct prop_data *pd)
@@ -595,7 +595,7 @@ iterate (krb5_context context,
switch(type) { switch(type) {
case HPROP_KRB4_DUMP: case HPROP_KRB4_DUMP:
ret = v4_prop_dump(pd, database); ret = v4_prop_dump(pd, database_name);
break; break;
#ifdef KRB4 #ifdef KRB4
case HPROP_KRB4_DB: case HPROP_KRB4_DB:
@@ -606,12 +606,12 @@ iterate (krb5_context context,
break; break;
#endif /* KRB4 */ #endif /* KRB4 */
case HPROP_KASERVER: case HPROP_KASERVER:
ret = ka_dump(pd, database); ret = ka_dump(pd, database_name);
if(ret) if(ret)
krb5_err(context, 1, ret, "ka_dump"); krb5_err(context, 1, ret, "ka_dump");
break; break;
case HPROP_MIT_DUMP: case HPROP_MIT_DUMP:
ret = mit_prop_dump(pd, database); ret = mit_prop_dump(pd, database_name);
if (ret) if (ret)
krb5_errx(context, 1, "mit_prop_dump: %s", krb5_errx(context, 1, "mit_prop_dump: %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
@@ -626,7 +626,7 @@ iterate (krb5_context context,
static int static int
dump_database (krb5_context context, int type, dump_database (krb5_context context, int type,
const char *database, HDB *db) const char *database_name, HDB *db)
{ {
krb5_error_code ret; krb5_error_code ret;
struct prop_data pd; struct prop_data pd;
@@ -636,7 +636,7 @@ dump_database (krb5_context context, int type,
pd.auth_context = NULL; pd.auth_context = NULL;
pd.sock = STDOUT_FILENO; pd.sock = STDOUT_FILENO;
iterate (context, database, db, type, &pd); iterate (context, database_name, db, type, &pd);
krb5_data_zero (&data); krb5_data_zero (&data);
ret = krb5_write_message (context, &pd.sock, &data); ret = krb5_write_message (context, &pd.sock, &data);
if (ret) if (ret)
@@ -647,15 +647,15 @@ dump_database (krb5_context context, int type,
static int static int
propagate_database (krb5_context context, int type, propagate_database (krb5_context context, int type,
const char *database, const char *database_name,
HDB *db, krb5_ccache ccache, HDB *db, krb5_ccache ccache,
int optind, int argc, char **argv) int optidx, int argc, char **argv)
{ {
krb5_principal server; krb5_principal server;
krb5_error_code ret; krb5_error_code ret;
int i; int i;
for(i = optind; i < argc; i++){ for(i = optidx; i < argc; i++){
krb5_auth_context auth_context; krb5_auth_context auth_context;
int fd; int fd;
struct prop_data pd; struct prop_data pd;
@@ -721,7 +721,7 @@ propagate_database (krb5_context context, int type,
pd.auth_context = auth_context; pd.auth_context = auth_context;
pd.sock = fd; pd.sock = fd;
iterate (context, database, db, type, &pd); iterate (context, database_name, db, type, &pd);
krb5_data_zero (&data); krb5_data_zero (&data);
ret = krb5_write_priv_message(context, auth_context, &fd, &data); ret = krb5_write_priv_message(context, auth_context, &fd, &data);
@@ -747,13 +747,13 @@ main(int argc, char **argv)
krb5_context context; krb5_context context;
krb5_ccache ccache = NULL; krb5_ccache ccache = NULL;
HDB *db = NULL; HDB *db = NULL;
int optind = 0; int optidx = 0;
int type = 0; int type = 0;
setprogname(argv[0]); setprogname(argv[0]);
if(getarg(args, num_args, argc, argv, &optind)) if(getarg(args, num_args, argc, argv, &optidx))
usage(1); usage(1);
if(help_flag) if(help_flag)
@@ -865,7 +865,7 @@ main(int argc, char **argv)
dump_database (context, type, database, db); dump_database (context, type, database, db);
else else
propagate_database (context, type, database, propagate_database (context, type, database,
db, ccache, optind, argc, argv); db, ccache, optidx, argc, argv);
if(ccache != NULL) if(ccache != NULL)
krb5_cc_destroy(context, ccache); krb5_cc_destroy(context, ccache);

8
kdc/hpropd.c
View File

@@ -215,7 +215,7 @@ main(int argc, char **argv)
krb5_keytab keytab; krb5_keytab keytab;
int fd; int fd;
HDB *db; HDB *db;
int optind = 0; int optidx = 0;
char *tmp_db; char *tmp_db;
krb5_log_facility *fac; krb5_log_facility *fac;
int nprincs; int nprincs;
@@ -235,7 +235,7 @@ main(int argc, char **argv)
; ;
krb5_set_warn_dest(context, fac); krb5_set_warn_dest(context, fac);
if(getarg(args, num_args, argc, argv, &optind)) if(getarg(args, num_args, argc, argv, &optidx))
usage(1); usage(1);
#ifdef KRB4 #ifdef KRB4
@@ -253,8 +253,8 @@ main(int argc, char **argv)
exit(0); exit(0);
} }
argc -= optind; argc -= optidx;
argv += optind; argv += optidx;
if (argc != 0) if (argc != 0)
usage(1); usage(1);

117
kdc/kaserver.c
View File

@@ -240,7 +240,8 @@ krb5_store_xdr_data(krb5_storage *sp,
static krb5_error_code static krb5_error_code
create_reply_ticket (struct rx_header *hdr, create_reply_ticket (krb5_context context,
struct rx_header *hdr,
Key *skey, Key *skey,
char *name, char *instance, char *realm, char *name, char *instance, char *realm,
struct sockaddr_in *addr, struct sockaddr_in *addr,
@@ -388,7 +389,9 @@ unparse_auth_args (krb5_storage *sp,
} }
static void static void
do_authenticate (struct rx_header *hdr, do_authenticate (krb5_context context,
struct krb5_kdc_configuration *config,
struct rx_header *hdr,
krb5_storage *sp, krb5_storage *sp,
struct sockaddr_in *addr, struct sockaddr_in *addr,
const char *from, const char *from,
@@ -422,30 +425,33 @@ do_authenticate (struct rx_header *hdr,
} }
snprintf (client_name, sizeof(client_name), "%s.%s@%s", snprintf (client_name, sizeof(client_name), "%s.%s@%s",
name, instance, v4_realm); name, instance, config->v4_realm);
snprintf (server_name, sizeof(server_name), "%s.%s@%s", snprintf (server_name, sizeof(server_name), "%s.%s@%s",
"krbtgt", v4_realm, v4_realm); "krbtgt", config->v4_realm, config->v4_realm);
kdc_log(0, "AS-REQ (kaserver) %s from %s for %s", kdc_log(context, config, 0, "AS-REQ (kaserver) %s from %s for %s",
client_name, from, server_name); client_name, from, server_name);
ret = db_fetch4 (name, instance, v4_realm, &client_entry); ret = db_fetch4 (context, config, name, instance,
config->v4_realm, &client_entry);
if (ret) { if (ret) {
kdc_log(0, "Client not found in database: %s: %s", kdc_log(context, config, 0, "Client not found in database: %s: %s",
client_name, krb5_get_err_text(context, ret)); client_name, krb5_get_err_text(context, ret));
make_error_reply (hdr, KANOENT, reply); make_error_reply (hdr, KANOENT, reply);
goto out; goto out;
} }
ret = db_fetch4 ("krbtgt", v4_realm, v4_realm, &server_entry); ret = db_fetch4 (context, config, "krbtgt",
config->v4_realm, config->v4_realm, &server_entry);
if (ret) { if (ret) {
kdc_log(0, "Server not found in database: %s: %s", kdc_log(context, config, 0, "Server not found in database: %s: %s",
server_name, krb5_get_err_text(context, ret)); server_name, krb5_get_err_text(context, ret));
make_error_reply (hdr, KANOENT, reply); make_error_reply (hdr, KANOENT, reply);
goto out; goto out;
} }
ret = check_flags (client_entry, client_name, ret = check_flags (context, config,
client_entry, client_name,
server_entry, server_name, server_entry, server_name,
TRUE); TRUE);
if (ret) { if (ret) {
@@ -454,17 +460,17 @@ do_authenticate (struct rx_header *hdr,
} }
/* find a DES key */ /* find a DES key */
ret = get_des_key(client_entry, FALSE, TRUE, &ckey); ret = get_des_key(context, client_entry, FALSE, TRUE, &ckey);
if(ret){ if(ret){
kdc_log(0, "no suitable DES key for client"); kdc_log(context, config, 0, "no suitable DES key for client");
make_error_reply (hdr, KANOKEYS, reply); make_error_reply (hdr, KANOKEYS, reply);
goto out; goto out;
} }
/* find a DES key */ /* find a DES key */
ret = get_des_key(server_entry, TRUE, TRUE, &skey); ret = get_des_key(context, server_entry, TRUE, TRUE, &skey);
if(ret){ if(ret){
kdc_log(0, "no suitable DES key for server"); kdc_log(context, config, 0, "no suitable DES key for server");
make_error_reply (hdr, KANOKEYS, reply); make_error_reply (hdr, KANOKEYS, reply);
goto out; goto out;
} }
@@ -488,7 +494,7 @@ do_authenticate (struct rx_header *hdr,
/* check for the magic label */ /* check for the magic label */
if (memcmp ((char *)request.data + 4, "gTGS", 4) != 0) { if (memcmp ((char *)request.data + 4, "gTGS", 4) != 0) {
kdc_log(0, "preauth failed for %s", client_name); kdc_log(context, config, 0, "preauth failed for %s", client_name);
make_error_reply (hdr, KABADREQUEST, reply); make_error_reply (hdr, KABADREQUEST, reply);
goto out; goto out;
} }
@@ -515,11 +521,12 @@ do_authenticate (struct rx_header *hdr,
life = krb_time_to_life(kdc_time, kdc_time + max_life); life = krb_time_to_life(kdc_time, kdc_time + max_life);
create_reply_ticket (hdr, skey, create_reply_ticket (context,
name, instance, v4_realm, hdr, skey,
name, instance, config->v4_realm,
addr, life, server_entry->kvno, addr, life, server_entry->kvno,
max_seq_len, max_seq_len,
"krbtgt", v4_realm, "krbtgt", config->v4_realm,
chal + 1, "tgsT", chal + 1, "tgsT",
&ckey->key, reply); &ckey->key, reply);
@@ -533,9 +540,9 @@ out:
if (instance) if (instance)
free (instance); free (instance);
if (client_entry) if (client_entry)
free_ent (client_entry); free_ent (context, client_entry);
if (server_entry) if (server_entry)
free_ent (server_entry); free_ent (context, server_entry);
} }
static krb5_error_code static krb5_error_code
@@ -593,7 +600,9 @@ unparse_getticket_args (krb5_storage *sp,
} }
static void static void
do_getticket (struct rx_header *hdr, do_getticket (krb5_context context,
struct krb5_kdc_configuration *config,
struct rx_header *hdr,
krb5_storage *sp, krb5_storage *sp,
struct sockaddr_in *addr, struct sockaddr_in *addr,
const char *from, const char *from,
@@ -636,36 +645,39 @@ do_getticket (struct rx_header *hdr,
} }
snprintf (server_name, sizeof(server_name), snprintf (server_name, sizeof(server_name),
"%s.%s@%s", name, instance, v4_realm); "%s.%s@%s", name, instance, config->v4_realm);
ret = db_fetch4 (name, instance, v4_realm, &server_entry); ret = db_fetch4 (context, config, name, instance, config->v4_realm, &server_entry);
if (ret) { if (ret) {
kdc_log(0, "Server not found in database: %s: %s", kdc_log(context, config, 0, "Server not found in database: %s: %s",
server_name, krb5_get_err_text(context, ret)); server_name, krb5_get_err_text(context, ret));
make_error_reply (hdr, KANOENT, reply); make_error_reply (hdr, KANOENT, reply);
goto out; goto out;
} }
ret = db_fetch4 ("krbtgt", v4_realm, v4_realm, &krbtgt_entry); ret = db_fetch4 (context, config, "krbtgt",
config->v4_realm, config->v4_realm, &krbtgt_entry);
if (ret) { if (ret) {
kdc_log(0, "Server not found in database: %s.%s@%s: %s", kdc_log(context, config, 0,
"krbtgt", v4_realm, v4_realm, krb5_get_err_text(context, ret)); "Server not found in database: %s.%s@%s: %s",
"krbtgt", config->v4_realm, config->v4_realm,
krb5_get_err_text(context, ret));
make_error_reply (hdr, KANOENT, reply); make_error_reply (hdr, KANOENT, reply);
goto out; goto out;
} }
/* find a DES key */ /* find a DES key */
ret = get_des_key(krbtgt_entry, TRUE, TRUE, &kkey); ret = get_des_key(context, krbtgt_entry, TRUE, TRUE, &kkey);
if(ret){ if(ret){
kdc_log(0, "no suitable DES key for krbtgt"); kdc_log(context, config, 0, "no suitable DES key for krbtgt");
make_error_reply (hdr, KANOKEYS, reply); make_error_reply (hdr, KANOKEYS, reply);
goto out; goto out;
} }
/* find a DES key */ /* find a DES key */
ret = get_des_key(server_entry, TRUE, TRUE, &skey); ret = get_des_key(context, server_entry, TRUE, TRUE, &skey);
if(ret){ if(ret){
kdc_log(0, "no suitable DES key for server"); kdc_log(context, config, 0, "no suitable DES key for server");
make_error_reply (hdr, KANOKEYS, reply); make_error_reply (hdr, KANOKEYS, reply);
goto out; goto out;
} }
@@ -679,17 +691,19 @@ do_getticket (struct rx_header *hdr,
char *sinstance = NULL; char *sinstance = NULL;
ret = _krb5_krb_decomp_ticket(context, &aticket, &kkey->key, ret = _krb5_krb_decomp_ticket(context, &aticket, &kkey->key,
v4_realm, &sname, &sinstance, &ad); config->v4_realm, &sname,
&sinstance, &ad);
if (ret) { if (ret) {
kdc_log(0, "kaserver: decomp failed for %s.%s with %d", kdc_log(context, config, 0,
"kaserver: decomp failed for %s.%s with %d",
sname, sinstance, ret); sname, sinstance, ret);
make_error_reply (hdr, KABADTICKET, reply); make_error_reply (hdr, KABADTICKET, reply);
goto out; goto out;
} }
if (strcmp (sname, "krbtgt") != 0 if (strcmp (sname, "krbtgt") != 0
|| strcmp (sinstance, v4_realm) != 0) { || strcmp (sinstance, config->v4_realm) != 0) {
kdc_log(0, "no TGT: %s.%s for %s.%s@%s", kdc_log(context, config, 0, "no TGT: %s.%s for %s.%s@%s",
sname, sinstance, sname, sinstance,
ad.pname, ad.pinst, ad.prealm); ad.pname, ad.pinst, ad.prealm);
make_error_reply (hdr, KABADTICKET, reply); make_error_reply (hdr, KABADTICKET, reply);
@@ -701,7 +715,7 @@ do_getticket (struct rx_header *hdr,
free(sinstance); free(sinstance);
if (kdc_time > _krb5_krb_life_to_time(ad.time_sec, ad.life)) { if (kdc_time > _krb5_krb_life_to_time(ad.time_sec, ad.life)) {
kdc_log(0, "TGT expired: %s.%s@%s", kdc_log(context, config, 0, "TGT expired: %s.%s@%s",
ad.pname, ad.pinst, ad.prealm); ad.pname, ad.pinst, ad.prealm);
make_error_reply (hdr, KABADTICKET, reply); make_error_reply (hdr, KABADTICKET, reply);
goto out; goto out;
@@ -711,24 +725,28 @@ do_getticket (struct rx_header *hdr,
snprintf (client_name, sizeof(client_name), snprintf (client_name, sizeof(client_name),
"%s.%s@%s", ad.pname, ad.pinst, ad.prealm); "%s.%s@%s", ad.pname, ad.pinst, ad.prealm);
kdc_log(0, "TGS-REQ (kaserver) %s from %s for %s", kdc_log(context, config, 0, "TGS-REQ (kaserver) %s from %s for %s",
client_name, from, server_name); client_name, from, server_name);
ret = db_fetch4 (ad.pname, ad.pinst, ad.prealm, &client_entry); ret = db_fetch4 (context, config,
ad.pname, ad.pinst, ad.prealm, &client_entry);
if(ret && ret != HDB_ERR_NOENTRY) { if(ret && ret != HDB_ERR_NOENTRY) {
kdc_log(0, "Client not found in database: (krb4) %s: %s", kdc_log(context, config, 0,
"Client not found in database: (krb4) %s: %s",
client_name, krb5_get_err_text(context, ret)); client_name, krb5_get_err_text(context, ret));
make_error_reply (hdr, KANOENT, reply); make_error_reply (hdr, KANOENT, reply);
goto out; goto out;
} }
if (client_entry == NULL && strcmp(ad.prealm, v4_realm) == 0) { if (client_entry == NULL && strcmp(ad.prealm, config->v4_realm) == 0) {
kdc_log(0, "Local client not found in database: (krb4) " kdc_log(context, config, 0,
"Local client not found in database: (krb4) "
"%s", client_name); "%s", client_name);
make_error_reply (hdr, KANOENT, reply); make_error_reply (hdr, KANOENT, reply);
goto out; goto out;
} }
ret = check_flags (client_entry, client_name, ret = check_flags (context, config,
client_entry, client_name,
server_entry, server_name, server_entry, server_name,
FALSE); FALSE);
if (ret) { if (ret) {
@@ -776,7 +794,8 @@ do_getticket (struct rx_header *hdr,
life = _krb5_krb_time_to_life(kdc_time, kdc_time + max_life); life = _krb5_krb_time_to_life(kdc_time, kdc_time + max_life);
create_reply_ticket (hdr, skey, create_reply_ticket (context,
hdr, skey,
ad.pname, ad.pinst, ad.prealm, ad.pname, ad.pinst, ad.prealm,
addr, life, server_entry->kvno, addr, life, server_entry->kvno,
max_seq_len, max_seq_len,
@@ -801,13 +820,15 @@ out:
if (instance) if (instance)
free (instance); free (instance);
if (krbtgt_entry) if (krbtgt_entry)
free_ent (krbtgt_entry); free_ent (context, krbtgt_entry);
if (server_entry) if (server_entry)
free_ent (server_entry); free_ent (context, server_entry);
} }
krb5_error_code krb5_error_code
do_kaserver(unsigned char *buf, do_kaserver(krb5_context context,
struct krb5_kdc_configuration *config,
unsigned char *buf,
size_t len, size_t len,
krb5_data *reply, krb5_data *reply,
const char *from, const char *from,
@@ -852,10 +873,10 @@ do_kaserver(unsigned char *buf,
switch (op) { switch (op) {
case AUTHENTICATE : case AUTHENTICATE :
case AUTHENTICATE_V2 : case AUTHENTICATE_V2 :
do_authenticate (&hdr, sp, addr, from, reply); do_authenticate (context, config, &hdr, sp, addr, from, reply);
break; break;
case GETTICKET : case GETTICKET :
do_getticket (&hdr, sp, addr, from, reply); do_getticket (context, config, &hdr, sp, addr, from, reply);
break; break;
case AUTHENTICATE_OLD : case AUTHENTICATE_OLD :
case CHANGEPASSWORD : case CHANGEPASSWORD :

24
kdc/kdc-protos.h Normal file
View File

@@ -0,0 +1,24 @@
int
krb5_kdc_process_generic_request(krb5_context context,
struct krb5_kdc_configuration *config,
unsigned char *buf,
size_t len,
krb5_data *reply,
krb5_boolean *prependlength,
const char *from,
struct sockaddr *addr);
int krb5_kdc_process_krb5_request(krb5_context context,
struct krb5_kdc_configuration *config,
unsigned char *buf,
size_t len,
krb5_data *reply,
const char *from,
struct sockaddr *addr);
void krb5_kdc_default_config(struct krb5_kdc_configuration *config);
void
kdc_openlog(krb5_context context,
struct krb5_kdc_configuration *config);

81
kdc/kdc.h Normal file
View File

@@ -0,0 +1,81 @@
/*
* Copyright (c) 1997-2003 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
*
* Copyright (c) 2005 Andrew Bartlett <abartlet@samba.org>
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* $Id$
*/
#ifndef __KDC_H__
#define __KDC_H__
#include <krb5.h>
enum krb5_kdc_trpolicy {
TRPOLICY_ALWAYS_CHECK,
TRPOLICY_ALLOW_PER_PRINCIPAL,
TRPOLICY_ALWAYS_HONOUR_REQUEST
};
struct krb5_kdc_configuration {
krb5_boolean require_preauth; /* require preauth for all principals */
time_t kdc_warn_pwexpire; /* time before expiration to print a warning */
struct HDB **db;
int num_db;
krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */
krb5_boolean check_ticket_addresses;
krb5_boolean allow_null_ticket_addresses;
krb5_boolean allow_anonymous;
enum krb5_kdc_trpolicy trpolicy;
char *v4_realm;
krb5_boolean enable_v4;
krb5_boolean enable_kaserver;
krb5_boolean enable_524;
krb5_boolean enable_v4_cross_realm;
krb5_boolean enable_pkinit;
krb5_boolean enable_pkinit_princ_in_cert;
krb5_log_facility *logf;
};
#include <kdc-protos.h>
#endif

117
kdc/kdc_locl.h
View File

@@ -39,40 +39,18 @@
#define __KDC_LOCL_H__ #define __KDC_LOCL_H__
#include "headers.h" #include "headers.h"
#include "kdc.h"
extern krb5_context context;
extern int require_preauth;
extern sig_atomic_t exit_flag; extern sig_atomic_t exit_flag;
extern size_t max_request; extern size_t max_request;
extern time_t kdc_warn_pwexpire;
extern struct dbinfo {
char *realm;
char *dbname;
char *mkey_file;
struct dbinfo *next;
} *databases;
extern HDB **db;
extern int num_db;
extern const char *port_str; extern const char *port_str;
extern krb5_addresses explicit_addresses; extern krb5_addresses explicit_addresses;
extern int enable_http; extern int enable_http;
extern krb5_boolean encode_as_rep_as_tgs_rep;
extern krb5_boolean check_ticket_addresses;
extern krb5_boolean allow_null_ticket_addresses;
extern krb5_boolean allow_anonymous;
enum { TRPOLICY_ALWAYS_CHECK,
TRPOLICY_ALLOW_PER_PRINCIPAL,
TRPOLICY_ALWAYS_HONOUR_REQUEST };
extern int trpolicy;
extern int enable_524;
extern int enable_v4_cross_realm;
#ifdef PKINIT #define DETACH_IS_DEFAULT FALSE
extern int enable_pkinit;
extern int enable_pkinit_princ_in_cert; extern int detach_from_console;
#endif
#define _PATH_KDC_CONF HDB_DB_DIR "/kdc.conf" #define _PATH_KDC_CONF HDB_DB_DIR "/kdc.conf"
#define DEFAULT_LOG_DEST "0-1/FILE:" HDB_DB_DIR "/kdc.log" #define DEFAULT_LOG_DEST "0-1/FILE:" HDB_DB_DIR "/kdc.log"
@@ -80,30 +58,56 @@ extern int enable_pkinit_princ_in_cert;
extern struct timeval now; extern struct timeval now;
#define kdc_time (now.tv_sec) #define kdc_time (now.tv_sec)
krb5_error_code as_rep (KDC_REQ*, krb5_data*, const char*, struct sockaddr*); krb5_error_code as_rep (krb5_context context,
void configure (int, char**); struct krb5_kdc_configuration *config,
krb5_error_code db_fetch (krb5_principal, hdb_entry**); KDC_REQ*, krb5_data*, const char*, struct sockaddr*);
void free_ent(hdb_entry *); struct krb5_kdc_configuration *configure(krb5_context context, int argc, char **argv);
void kdc_log (int, const char*, ...) krb5_error_code
__attribute__ ((format (printf, 2,3))); db_fetch(krb5_context, struct krb5_kdc_configuration *,
krb5_principal, hdb_entry **);
void free_ent(krb5_context context, hdb_entry *);
void kdc_log (krb5_context context,
struct krb5_kdc_configuration *config,
int, const char*, ...)
__attribute__ ((format (printf, 4,5)));
char* kdc_log_msg (int, const char*, ...) char* kdc_log_msg (krb5_context context,
__attribute__ ((format (printf, 2,3))); struct krb5_kdc_configuration *config,
char* kdc_log_msg_va (int, const char*, va_list) int, const char*, ...)
__attribute__ ((format (printf, 2,0))); __attribute__ ((format (printf, 4,5)));
void kdc_openlog (void); char* kdc_log_msg_va (krb5_context context,
void loop (void); struct krb5_kdc_configuration *config,
int, const char*, va_list)
__attribute__ ((format (printf, 4,0)));
void
kdc_openlog(krb5_context context,
struct krb5_kdc_configuration *config);
void
loop(krb5_context context,
struct krb5_kdc_configuration *config);
void set_master_key (EncryptionKey); void set_master_key (EncryptionKey);
krb5_error_code tgs_rep (KDC_REQ*, krb5_data*, const char*, struct sockaddr *); krb5_error_code tgs_rep (krb5_context context,
struct krb5_kdc_configuration *config,
KDC_REQ*, krb5_data*, const char*, struct sockaddr *);
Key* unseal_key (Key*); Key* unseal_key (Key*);
krb5_error_code check_flags(hdb_entry *client, const char *client_name, krb5_error_code
check_flags(krb5_context context,
struct krb5_kdc_configuration *config,
hdb_entry *client, const char *client_name,
hdb_entry *server, const char *server_name, hdb_entry *server, const char *server_name,
krb5_boolean is_as_req); krb5_boolean is_as_req);
krb5_error_code get_des_key(hdb_entry*, krb5_boolean, krb5_boolean, Key**); krb5_error_code get_des_key(krb5_context context, hdb_entry*, krb5_boolean, krb5_boolean, Key**);
krb5_error_code encode_v4_ticket (void*, size_t, const EncTicketPart*, krb5_error_code
const PrincipalName*, size_t*); encode_v4_ticket(krb5_context context,
krb5_error_code do_524 (const Ticket*, krb5_data*, const char*, struct sockaddr*); struct krb5_kdc_configuration *config,
void *buf, size_t len, const EncTicketPart *et,
const PrincipalName *service, size_t *size);
krb5_error_code
do_524(krb5_context context,
struct krb5_kdc_configuration *config,
const Ticket *t, krb5_data *reply,
const char *from, struct sockaddr *addr);
#ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL
#define des_new_random_key des_random_key #define des_new_random_key des_random_key
@@ -130,18 +134,27 @@ void pk_free_client_param(krb5_context, pk_client_params *);
* Kerberos 4 * Kerberos 4
*/ */
extern char *v4_realm; krb5_error_code db_fetch4 (krb5_context context,
extern int enable_v4; struct krb5_kdc_configuration *config,
extern krb5_boolean enable_kaserver; const char*, const char*, const char*, hdb_entry**);
krb5_error_code do_version4 (krb5_context context,
krb5_error_code db_fetch4 (const char*, const char*, const char*, hdb_entry**); struct krb5_kdc_configuration *config,
krb5_error_code do_version4 (unsigned char*, size_t, krb5_data*, const char*, unsigned char*, size_t, krb5_data*, const char*,
struct sockaddr_in*); struct sockaddr_in*);
int maybe_version4 (unsigned char*, int); int maybe_version4 (unsigned char*, int);
krb5_error_code do_kaserver (unsigned char*, size_t, krb5_data*, const char*, krb5_error_code do_kaserver (krb5_context context,
struct krb5_kdc_configuration *config,
unsigned char*, size_t, krb5_data*, const char*,
struct sockaddr_in*); struct sockaddr_in*);
int kdc_process_generic_request(krb5_context context,
struct krb5_kdc_configuration *config,
unsigned char *buf,
size_t len,
krb5_data *reply,
krb5_boolean *prependlength,
const char *from,
struct sockaddr *addr);
#endif /* __KDC_LOCL_H__ */ #endif /* __KDC_LOCL_H__ */

155
kdc/kerberos4.c
View File

@@ -63,8 +63,11 @@ make_err_reply(krb5_context context, krb5_data *reply,
} }
static krb5_boolean static krb5_boolean
valid_princ(krb5_context context, krb5_principal princ) valid_princ(krb5_context context,
void *funcctx,
krb5_principal princ)
{ {
struct krb5_kdc_configuration *config = funcctx;
krb5_error_code ret; krb5_error_code ret;
char *s; char *s;
hdb_entry *ent; hdb_entry *ent;
@@ -72,31 +75,33 @@ valid_princ(krb5_context context, krb5_principal princ)
ret = krb5_unparse_name(context, princ, &s); ret = krb5_unparse_name(context, princ, &s);
if (ret) if (ret)
return FALSE; return FALSE;
ret = db_fetch(princ, &ent); ret = db_fetch(context, config, princ, &ent);
if (ret) { if (ret) {
kdc_log(7, "Lookup %s failed: %s", s, kdc_log(context, config, 7, "Lookup %s failed: %s", s,
krb5_get_err_text (context, ret)); krb5_get_err_text (context, ret));
free(s); free(s);
return FALSE; return FALSE;
} }
kdc_log(7, "Lookup %s succeeded", s); kdc_log(context, config, 7, "Lookup %s succeeded", s);
free(s); free(s);
free_ent(ent); free_ent(context, ent);
return TRUE; return TRUE;
} }
krb5_error_code krb5_error_code
db_fetch4(const char *name, const char *instance, const char *realm, db_fetch4(krb5_context context,
struct krb5_kdc_configuration *config,
const char *name, const char *instance, const char *realm,
hdb_entry **ent) hdb_entry **ent)
{ {
krb5_principal p; krb5_principal p;
krb5_error_code ret; krb5_error_code ret;
ret = krb5_425_conv_principal_ext(context, name, instance, realm, ret = krb5_425_conv_principal_ext2(context, name, instance, realm,
valid_princ, 0, &p); valid_princ, config, 0, &p);
if(ret) if(ret)
return ret; return ret;
ret = db_fetch(p, ent); ret = db_fetch(context, config, p, ent);
krb5_free_principal(context, p); krb5_free_principal(context, p);
return ret; return ret;
} }
@@ -110,7 +115,9 @@ db_fetch4(const char *name, const char *instance, const char *realm,
*/ */
krb5_error_code krb5_error_code
do_version4(unsigned char *buf, do_version4(krb5_context context,
struct krb5_kdc_configuration *config,
unsigned char *buf,
size_t len, size_t len,
krb5_data *reply, krb5_data *reply,
const char *from, const char *from,
@@ -131,8 +138,9 @@ do_version4(unsigned char *buf,
char client_name[256]; char client_name[256];
char server_name[256]; char server_name[256];
if(!enable_v4) { if(!config->enable_v4) {
kdc_log(0, "Rejected version 4 request from %s", from); kdc_log(context, config, 0,
"Rejected version 4 request from %s", from);
make_err_reply(context, reply, KDC_GEN_ERR, "function not enabled"); make_err_reply(context, reply, KDC_GEN_ERR, "function not enabled");
return 0; return 0;
} }
@@ -140,7 +148,8 @@ do_version4(unsigned char *buf,
sp = krb5_storage_from_mem(buf, len); sp = krb5_storage_from_mem(buf, len);
RCHECK(krb5_ret_int8(sp, &pvno), out); RCHECK(krb5_ret_int8(sp, &pvno), out);
if(pvno != 4){ if(pvno != 4){
kdc_log(0, "Protocol version mismatch (krb4) (%d)", pvno); kdc_log(context, config, 0,
"Protocol version mismatch (krb4) (%d)", pvno);
make_err_reply(context, reply, KDC_PKT_VER, "protocol mismatch"); make_err_reply(context, reply, KDC_PKT_VER, "protocol mismatch");
goto out; goto out;
} }
@@ -167,29 +176,31 @@ do_version4(unsigned char *buf,
snprintf (client_name, sizeof(client_name), snprintf (client_name, sizeof(client_name),
"%s.%s@%s", name, inst, realm); "%s.%s@%s", name, inst, realm);
snprintf (server_name, sizeof(server_name), snprintf (server_name, sizeof(server_name),
"%s.%s@%s", sname, sinst, v4_realm); "%s.%s@%s", sname, sinst, config->v4_realm);
kdc_log(0, "AS-REQ (krb4) %s from %s for %s", kdc_log(context, config, 0, "AS-REQ (krb4) %s from %s for %s",
client_name, from, server_name); client_name, from, server_name);
ret = db_fetch4(name, inst, realm, &client); ret = db_fetch4(context, config, name, inst, realm, &client);
if(ret) { if(ret) {
kdc_log(0, "Client not found in database: %s: %s", kdc_log(context, config, 0, "Client not found in database: %s: %s",
client_name, krb5_get_err_text(context, ret)); client_name, krb5_get_err_text(context, ret));
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
"principal unknown"); "principal unknown");
goto out1; goto out1;
} }
ret = db_fetch4(sname, sinst, v4_realm, &server); ret = db_fetch4(context, config, sname, sinst,
config->v4_realm, &server);
if(ret){ if(ret){
kdc_log(0, "Server not found in database: %s: %s", kdc_log(context, config, 0, "Server not found in database: %s: %s",
server_name, krb5_get_err_text(context, ret)); server_name, krb5_get_err_text(context, ret));
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
"principal unknown"); "principal unknown");
goto out1; goto out1;
} }
ret = check_flags (client, client_name, ret = check_flags (context, config,
client, client_name,
server, server_name, server, server_name,
TRUE); TRUE);
if (ret) { if (ret) {
@@ -204,10 +215,10 @@ do_version4(unsigned char *buf,
* good error code to return if preauthentication is required. * good error code to return if preauthentication is required.
*/ */
if (require_preauth if (config->require_preauth
|| client->flags.require_preauth || client->flags.require_preauth
|| server->flags.require_preauth) { || server->flags.require_preauth) {
kdc_log(0, kdc_log(context, config, 0,
"Pre-authentication required for v4-request: " "Pre-authentication required for v4-request: "
"%s for %s", "%s for %s",
client_name, server_name); client_name, server_name);
@@ -216,9 +227,9 @@ do_version4(unsigned char *buf,
goto out1; goto out1;
} }
ret = get_des_key(client, FALSE, FALSE, &ckey); ret = get_des_key(context, client, FALSE, FALSE, &ckey);
if(ret){ if(ret){
kdc_log(0, "no suitable DES key for client"); kdc_log(context, config, 0, "no suitable DES key for client");
make_err_reply(context, reply, KDC_NULL_KEY, make_err_reply(context, reply, KDC_NULL_KEY,
"no suitable DES key for client"); "no suitable DES key for client");
goto out1; goto out1;
@@ -230,7 +241,7 @@ do_version4(unsigned char *buf,
while(ckey->salt == NULL || ckey->salt->salt.length != 0) while(ckey->salt == NULL || ckey->salt->salt.length != 0)
ret = hdb_next_keytype2key(context, client, KEYTYPE_DES, &ckey); ret = hdb_next_keytype2key(context, client, KEYTYPE_DES, &ckey);
if(ret){ if(ret){
kdc_log(0, "No version-4 salted key in database -- %s.%s@%s", kdc_log(context, config, 0, "No version-4 salted key in database -- %s.%s@%s",
name, inst, realm); name, inst, realm);
make_err_reply(context, reply, KDC_NULL_KEY, make_err_reply(context, reply, KDC_NULL_KEY,
"No version-4 salted key in database"); "No version-4 salted key in database");
@@ -238,9 +249,9 @@ do_version4(unsigned char *buf,
} }
#endif #endif
ret = get_des_key(server, TRUE, FALSE, &skey); ret = get_des_key(context, server, TRUE, FALSE, &skey);
if(ret){ if(ret){
kdc_log(0, "no suitable DES key for server"); kdc_log(context, config, 0, "no suitable DES key for server");
/* XXX */ /* XXX */
make_err_reply(context, reply, KDC_NULL_KEY, make_err_reply(context, reply, KDC_NULL_KEY,
"no suitable DES key for server"); "no suitable DES key for server");
@@ -268,7 +279,7 @@ do_version4(unsigned char *buf,
0, 0,
name, name,
inst, inst,
v4_realm, config->v4_realm,
addr->sin_addr.s_addr, addr->sin_addr.s_addr,
&session, &session,
life, life,
@@ -288,7 +299,7 @@ do_version4(unsigned char *buf,
&session, &session,
sname, sname,
sinst, sinst,
v4_realm, config->v4_realm,
life, life,
server->kvno % 255, server->kvno % 255,
&ticket, &ticket,
@@ -337,22 +348,24 @@ do_version4(unsigned char *buf,
RCHECK(krb5_ret_int8(sp, &kvno), out2); RCHECK(krb5_ret_int8(sp, &kvno), out2);
RCHECK(krb5_ret_stringz(sp, &realm), out2); RCHECK(krb5_ret_stringz(sp, &realm), out2);
ret = krb5_425_conv_principal(context, "krbtgt", realm, v4_realm, ret = krb5_425_conv_principal(context, "krbtgt", realm,
config->v4_realm,
&tgt_princ); &tgt_princ);
if(ret){ if(ret){
kdc_log(0, "Converting krbtgt principal (krb4): %s", kdc_log(context, config, 0,
"Converting krbtgt principal (krb4): %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
make_err_reply(context, reply, KFAILURE, make_err_reply(context, reply, KFAILURE,
"Failed to convert v4 principal (krbtgt)"); "Failed to convert v4 principal (krbtgt)");
goto out2; goto out2;
} }
ret = db_fetch(tgt_princ, &tgt); ret = db_fetch(context, config, tgt_princ, &tgt);
if(ret){ if(ret){
char *s; char *s;
s = kdc_log_msg(0, "Ticket-granting ticket not " s = kdc_log_msg(context, config, 0, "Ticket-granting ticket not "
"found in database (krb4): krbtgt.%s@%s: %s", "found in database (krb4): krbtgt.%s@%s: %s",
realm, v4_realm, realm, config->v4_realm,
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
make_err_reply(context, reply, KFAILURE, s); make_err_reply(context, reply, KFAILURE, s);
free(s); free(s);
@@ -360,16 +373,19 @@ do_version4(unsigned char *buf,
} }
if(tgt->kvno % 256 != kvno){ if(tgt->kvno % 256 != kvno){
kdc_log(0, "tgs-req (krb4) with old kvno %d (current %d) for " kdc_log(context, config, 0,
"krbtgt.%s@%s", kvno, tgt->kvno % 256, realm, v4_realm); "tgs-req (krb4) with old kvno %d (current %d) for "
"krbtgt.%s@%s", kvno, tgt->kvno % 256,
realm, config->v4_realm);
make_err_reply(context, reply, KDC_AUTH_EXP, make_err_reply(context, reply, KDC_AUTH_EXP,
"old krbtgt kvno used"); "old krbtgt kvno used");
goto out2; goto out2;
} }
ret = get_des_key(tgt, TRUE, FALSE, &tkey); ret = get_des_key(context, tgt, TRUE, FALSE, &tkey);
if(ret){ if(ret){
kdc_log(0, "no suitable DES key for krbtgt (krb4)"); kdc_log(context, config, 0,
"no suitable DES key for krbtgt (krb4)");
/* XXX */ /* XXX */
make_err_reply(context, reply, KDC_NULL_KEY, make_err_reply(context, reply, KDC_NULL_KEY,
"no suitable DES key for krbtgt"); "no suitable DES key for krbtgt");
@@ -384,15 +400,16 @@ do_version4(unsigned char *buf,
auth.data = buf; auth.data = buf;
auth.length = pos; auth.length = pos;
if (check_ticket_addresses) if (config->check_ticket_addresses)
address = addr->sin_addr.s_addr; address = addr->sin_addr.s_addr;
else else
address = 0; address = 0;
ret = _krb5_krb_rd_req(context, &auth, "krbtgt", realm, v4_realm, ret = _krb5_krb_rd_req(context, &auth, "krbtgt", realm,
config->v4_realm,
address, &tkey->key, &ad); address, &tkey->key, &ad);
if(ret){ if(ret){
kdc_log(0, "krb_rd_req: %d", ret); kdc_log(context, config, 0, "krb_rd_req: %d", ret);
make_err_reply(context, reply, ret, "failed to parse request"); make_err_reply(context, reply, ret, "failed to parse request");
goto out2; goto out2;
} }
@@ -405,64 +422,72 @@ do_version4(unsigned char *buf,
RCHECK(krb5_ret_stringz(sp, &sinst), out2); RCHECK(krb5_ret_stringz(sp, &sinst), out2);
snprintf (server_name, sizeof(server_name), snprintf (server_name, sizeof(server_name),
"%s.%s@%s", "%s.%s@%s",
sname, sinst, v4_realm); sname, sinst, config->v4_realm);
snprintf (client_name, sizeof(client_name), snprintf (client_name, sizeof(client_name),
"%s.%s@%s", "%s.%s@%s",
ad.pname, ad.pinst, ad.prealm); ad.pname, ad.pinst, ad.prealm);
kdc_log(0, "TGS-REQ (krb4) %s from %s for %s", kdc_log(context, config, 0, "TGS-REQ (krb4) %s from %s for %s",
client_name, from, server_name); client_name, from, server_name);
if(strcmp(ad.prealm, realm)){ if(strcmp(ad.prealm, realm)){
kdc_log(0, "Can't hop realms (krb4) %s -> %s", realm, ad.prealm); kdc_log(context, config, 0,
"Can't hop realms (krb4) %s -> %s", realm, ad.prealm);
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
"Can't hop realms"); "Can't hop realms");
goto out2; goto out2;
} }
if (!enable_v4_cross_realm && strcmp(realm, v4_realm) != 0) { if (!config->enable_v4_cross_realm && strcmp(realm, config->v4_realm) != 0) {
kdc_log(0, "krb4 Cross-realm %s -> %s disabled", realm, v4_realm); kdc_log(context, config, 0,
"krb4 Cross-realm %s -> %s disabled",
realm, config->v4_realm);
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
"Can't hop realms"); "Can't hop realms");
goto out2; goto out2;
} }
if(strcmp(sname, "changepw") == 0){ if(strcmp(sname, "changepw") == 0){
kdc_log(0, "Bad request for changepw ticket (krb4)"); kdc_log(context, config, 0,
"Bad request for changepw ticket (krb4)");
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
"Can't authorize password change based on TGT"); "Can't authorize password change based on TGT");
goto out2; goto out2;
} }
ret = db_fetch4(ad.pname, ad.pinst, ad.prealm, &client); ret = db_fetch4(context, config, ad.pname, ad.pinst, ad.prealm, &client);
if(ret && ret != HDB_ERR_NOENTRY) { if(ret && ret != HDB_ERR_NOENTRY) {
char *s; char *s;
s = kdc_log_msg(0, "Client not found in database: (krb4) %s: %s", s = kdc_log_msg(context, config, 0,
"Client not found in database: (krb4) %s: %s",
client_name, krb5_get_err_text(context, ret)); client_name, krb5_get_err_text(context, ret));
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s); make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
free(s); free(s);
goto out2; goto out2;
} }
if (client == NULL && strcmp(ad.prealm, v4_realm) == 0) { if (client == NULL && strcmp(ad.prealm, config->v4_realm) == 0) {
char *s; char *s;
s = kdc_log_msg(0, "Local client not found in database: (krb4) " s = kdc_log_msg(context, config, 0,
"Local client not found in database: (krb4) "
"%s", client_name); "%s", client_name);
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s); make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
free(s); free(s);
goto out2; goto out2;
} }
ret = db_fetch4(sname, sinst, v4_realm, &server); ret = db_fetch4(context, config, sname, sinst, config->v4_realm, &server);
if(ret){ if(ret){
char *s; char *s;
s = kdc_log_msg(0, "Server not found in database (krb4): %s: %s", s = kdc_log_msg(context, config, 0,
"Server not found in database (krb4): %s: %s",
server_name, krb5_get_err_text(context, ret)); server_name, krb5_get_err_text(context, ret));
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s); make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
free(s); free(s);
goto out2; goto out2;
} }
ret = check_flags (client, client_name, ret = check_flags (context, config,
client, client_name,
server, server_name, server, server_name,
FALSE); FALSE);
if (ret) { if (ret) {
@@ -472,9 +497,10 @@ do_version4(unsigned char *buf,
goto out2; goto out2;
} }
ret = get_des_key(server, TRUE, FALSE, &skey); ret = get_des_key(context, server, TRUE, FALSE, &skey);
if(ret){ if(ret){
kdc_log(0, "no suitable DES key for server (krb4)"); kdc_log(context, config, 0,
"no suitable DES key for server (krb4)");
/* XXX */ /* XXX */
make_err_reply(context, reply, KDC_NULL_KEY, make_err_reply(context, reply, KDC_NULL_KEY,
"no suitable DES key for server"); "no suitable DES key for server");
@@ -541,7 +567,7 @@ do_version4(unsigned char *buf,
&session, &session,
sname, sname,
sinst, sinst,
v4_realm, config->v4_realm,
life, life,
server->kvno % 255, server->kvno % 255,
&ticket, &ticket,
@@ -572,13 +598,13 @@ do_version4(unsigned char *buf,
if(tgt_princ) if(tgt_princ)
krb5_free_principal(context, tgt_princ); krb5_free_principal(context, tgt_princ);
if(tgt) if(tgt)
free_ent(tgt); free_ent(context, tgt);
break; break;
} }
case AUTH_MSG_ERR_REPLY: case AUTH_MSG_ERR_REPLY:
break; break;
default: default:
kdc_log(0, "Unknown message type (krb4): %d from %s", kdc_log(context, config, 0, "Unknown message type (krb4): %d from %s",
msg_type, from); msg_type, from);
make_err_reply(context, reply, KFAILURE, "Unknown message type"); make_err_reply(context, reply, KFAILURE, "Unknown message type");
@@ -595,15 +621,17 @@ do_version4(unsigned char *buf,
if(sinst) if(sinst)
free(sinst); free(sinst);
if(client) if(client)
free_ent(client); free_ent(context, client);
if(server) if(server)
free_ent(server); free_ent(context, server);
krb5_storage_free(sp); krb5_storage_free(sp);
return 0; return 0;
} }
krb5_error_code krb5_error_code
encode_v4_ticket(void *buf, size_t len, const EncTicketPart *et, encode_v4_ticket(krb5_context context,
struct krb5_kdc_configuration *config,
void *buf, size_t len, const EncTicketPart *et,
const PrincipalName *service, size_t *size) const PrincipalName *service, size_t *size)
{ {
krb5_storage *sp; krb5_storage *sp;
@@ -690,7 +718,8 @@ encode_v4_ticket(void *buf, size_t len, const EncTicketPart *et,
} }
krb5_error_code krb5_error_code
get_des_key(hdb_entry *principal, krb5_boolean is_server, get_des_key(krb5_context context,
hdb_entry *principal, krb5_boolean is_server,
krb5_boolean prefer_afs_key, Key **ret_key) krb5_boolean prefer_afs_key, Key **ret_key)
{ {
Key *v5_key = NULL, *v4_key = NULL, *afs_key = NULL, *server_key = NULL; Key *v5_key = NULL, *v4_key = NULL, *afs_key = NULL, *server_key = NULL;

447
kdc/kerberos5.c
View File

File diff suppressed because it is too large Load Diff

31
kdc/log.c
View File

@@ -34,51 +34,56 @@
#include "kdc_locl.h" #include "kdc_locl.h"
RCSID("$Id$"); RCSID("$Id$");
static krb5_log_facility *logf;
void void
kdc_openlog(void) kdc_openlog(krb5_context context,
struct krb5_kdc_configuration *config)
{ {
char **s = NULL, **p; char **s = NULL, **p;
krb5_initlog(context, "kdc", &logf); krb5_initlog(context, "kdc", &config->logf);
s = krb5_config_get_strings(context, NULL, "kdc", "logging", NULL); s = krb5_config_get_strings(context, NULL, "kdc", "logging", NULL);
if(s == NULL) if(s == NULL)
s = krb5_config_get_strings(context, NULL, "logging", "kdc", NULL); s = krb5_config_get_strings(context, NULL, "logging", "kdc", NULL);
if(s){ if(s){
for(p = s; *p; p++) for(p = s; *p; p++)
krb5_addlog_dest(context, logf, *p); krb5_addlog_dest(context, config->logf, *p);
krb5_config_free_strings(s); krb5_config_free_strings(s);
}else }else
krb5_addlog_dest(context, logf, DEFAULT_LOG_DEST); krb5_addlog_dest(context, config->logf, DEFAULT_LOG_DEST);
krb5_set_warn_dest(context, logf); krb5_set_warn_dest(context, config->logf);
} }
char* char*
kdc_log_msg_va(int level, const char *fmt, va_list ap) kdc_log_msg_va(krb5_context context,
struct krb5_kdc_configuration *config,
int level, const char *fmt, va_list ap)
{ {
char *msg; char *msg;
krb5_vlog_msg(context, logf, &msg, level, fmt, ap); krb5_vlog_msg(context, config->logf, &msg, level, fmt, ap);
return msg; return msg;
} }
char* char*
kdc_log_msg(int level, const char *fmt, ...) kdc_log_msg(krb5_context context,
struct krb5_kdc_configuration *config,
int level, const char *fmt, ...)
{ {
va_list ap; va_list ap;
char *s; char *s;
va_start(ap, fmt); va_start(ap, fmt);
s = kdc_log_msg_va(level, fmt, ap); s = kdc_log_msg_va(context, config, level, fmt, ap);
va_end(ap); va_end(ap);
return s; return s;
} }
void void
kdc_log(int level, const char *fmt, ...) kdc_log(krb5_context context,
struct krb5_kdc_configuration *config,
int level, const char *fmt, ...)
{ {
va_list ap; va_list ap;
char *s; char *s;
va_start(ap, fmt); va_start(ap, fmt);
s = kdc_log_msg_va(level, fmt, ap); s = kdc_log_msg_va(context, config, level, fmt, ap);
if(s) free(s); if(s) free(s);
va_end(ap); va_end(ap);
} }

35
kdc/main.c
View File

@@ -39,9 +39,8 @@
RCSID("$Id$"); RCSID("$Id$");
sig_atomic_t exit_flag = 0; sig_atomic_t exit_flag = 0;
krb5_context context;
extern int detach_from_console; int detach_from_console = -1;
static RETSIGTYPE static RETSIGTYPE
sigterm(int sig) sigterm(int sig)
@@ -53,6 +52,9 @@ int
main(int argc, char **argv) main(int argc, char **argv)
{ {
krb5_error_code ret; krb5_error_code ret;
krb5_context context;
struct krb5_kdc_configuration *config;
setprogname(argv[0]); setprogname(argv[0]);
ret = krb5_init_context(&context); ret = krb5_init_context(&context);
@@ -61,32 +63,7 @@ main(int argc, char **argv)
else if (ret) else if (ret)
errx (1, "krb5_init_context failed: %d", ret); errx (1, "krb5_init_context failed: %d", ret);
configure(argc, argv); config = configure(context, argc, argv);
if(databases == NULL) {
db = malloc(sizeof(*db));
num_db = 1;
ret = hdb_create(context, &db[0], NULL);
if(ret)
krb5_err(context, 1, ret, "hdb_create %s", HDB_DEFAULT_DB);
ret = hdb_set_master_keyfile(context, db[0], NULL);
if (ret)
krb5_err(context, 1, ret, "hdb_set_master_keyfile");
} else {
struct dbinfo *d;
int i;
/* count databases */
for(d = databases, i = 0; d; d = d->next, i++);
db = malloc(i * sizeof(*db));
for(d = databases, num_db = 0; d; d = d->next, num_db++) {
ret = hdb_create(context, &db[num_db], d->dbname);
if(ret)
krb5_err(context, 1, ret, "hdb_create %s", d->dbname);
ret = hdb_set_master_keyfile(context, db[num_db], d->mkey_file);
if (ret)
krb5_err(context, 1, ret, "hdb_set_master_keyfile");
}
}
#ifdef HAVE_SIGACTION #ifdef HAVE_SIGACTION
{ {
@@ -112,7 +89,7 @@ main(int argc, char **argv)
if (detach_from_console) if (detach_from_console)
daemon(0, 0); daemon(0, 0);
pidfile(NULL); pidfile(NULL);
loop(); loop(context, config);
krb5_free_context(context); krb5_free_context(context);
return 0; return 0;
} }

20
kdc/misc.c
View File

@@ -38,7 +38,10 @@ RCSID("$Id$");
struct timeval now; struct timeval now;
krb5_error_code krb5_error_code
db_fetch(krb5_principal principal, hdb_entry **h) db_fetch(krb5_context context,
struct krb5_kdc_configuration *config,
krb5_principal principal,
hdb_entry **h)
{ {
hdb_entry *ent; hdb_entry *ent;
krb5_error_code ret = HDB_ERR_NOENTRY; krb5_error_code ret = HDB_ERR_NOENTRY;
@@ -49,15 +52,18 @@ db_fetch(krb5_principal principal, hdb_entry **h)
return ENOMEM; return ENOMEM;
ent->principal = principal; ent->principal = principal;
for(i = 0; i < num_db; i++) { for(i = 0; i < config->num_db; i++) {
ret = db[i]->hdb_open(context, db[i], O_RDONLY, 0); ret = config->db[i]->hdb_open(context, config->db[i], O_RDONLY, 0);
if (ret) { if (ret) {
kdc_log(0, "Failed to open database: %s", kdc_log(context, config, 0, "Failed to open database: %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
continue; continue;
} }
ret = db[i]->hdb_fetch(context, db[i], HDB_F_DECRYPT, ent); ret = config->db[i]->hdb_fetch(context,
db[i]->hdb_close(context, db[i]); config->db[i],
HDB_F_DECRYPT,
ent);
config->db[i]->hdb_close(context, config->db[i]);
if(ret == 0) { if(ret == 0) {
*h = ent; *h = ent;
return 0; return 0;
@@ -68,7 +74,7 @@ db_fetch(krb5_principal principal, hdb_entry **h)
} }
void void
free_ent(hdb_entry *ent) free_ent(krb5_context context, hdb_entry *ent)
{ {
hdb_free_entry (context, ent); hdb_free_entry (context, ent);
free (ent); free (ent);

7
kdc/mit_dump.c
View File

@@ -168,7 +168,6 @@ fix_salt(krb5_context context, hdb_entry *ent, int key_num)
{ {
size_t len; size_t len;
int i; int i;
krb5_error_code ret;
char *p; char *p;
len = 0; len = 0;
@@ -219,7 +218,7 @@ int
mit_prop_dump(void *arg, const char *file) mit_prop_dump(void *arg, const char *file)
{ {
krb5_error_code ret; krb5_error_code ret;
char buf [1024]; char line [2048];
FILE *f; FILE *f;
int lineno = 0; int lineno = 0;
struct hdb_entry ent; struct hdb_entry ent;
@@ -230,8 +229,8 @@ mit_prop_dump(void *arg, const char *file)
if(f == NULL) if(f == NULL)
return errno; return errno;
while(fgets(buf, sizeof(buf), f)) { while(fgets(line, sizeof(line), f)) {
char *p = buf, *q; char *p = line, *q;
int i; int i;

3
kdc/pkinit.c
View File

@@ -49,9 +49,6 @@ RCSID("$Id$");
#include <openssl/asn1.h> #include <openssl/asn1.h>
#include <openssl/err.h> #include <openssl/err.h>
int enable_pkinit = 0;
int enable_pkinit_princ_in_cert = 0;
/* XXX copied from lib/krb5/pkinit.c */ /* XXX copied from lib/krb5/pkinit.c */
struct krb5_pk_identity { struct krb5_pk_identity {
EVP_PKEY *private_key; EVP_PKEY *private_key;

116
kdc/process.c Normal file
View File

@@ -0,0 +1,116 @@
/*
* Copyright (c) 1997-2005 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "kdc_locl.h"
RCSID("$Id$");
/*
* handle the request in `buf, len', from `addr' (or `from' as a string),
* sending a reply in `reply'.
*/
int
krb5_kdc_process_generic_request(krb5_context context,
struct krb5_kdc_configuration *config,
unsigned char *buf,
size_t len,
krb5_data *reply,
krb5_boolean *prependlength,
const char *from,
struct sockaddr *addr)
{
KDC_REQ req;
Ticket ticket;
krb5_error_code ret;
size_t i;
gettimeofday(&now, NULL);
if(decode_AS_REQ(buf, len, &req, &i) == 0){
ret = as_rep(context, config, &req, reply, from, addr);
free_AS_REQ(&req);
return ret;
}else if(decode_TGS_REQ(buf, len, &req, &i) == 0){
ret = tgs_rep(context, config, &req, reply, from, addr);
free_TGS_REQ(&req);
return ret;
}else if(decode_Ticket(buf, len, &ticket, &i) == 0){
ret = do_524(context, config, &ticket, reply, from, addr);
free_Ticket(&ticket);
return ret;
} else if(maybe_version4(buf, len)){
*prependlength = FALSE; /* elbitapmoc sdrawkcab XXX */
do_version4(context, config, buf, len, reply, from,
(struct sockaddr_in*)addr);
return 0;
} else if (config->enable_kaserver) {
ret = do_kaserver(context, config, buf, len, reply, from,
(struct sockaddr_in*)addr);
return ret;
}
return -1;
}
/*
* handle the request in `buf, len', from `addr' (or `from' as a string),
* sending a reply in `reply'.
*
* This only processes krb5 requests
*/
int krb5_kdc_process_krb5_request(krb5_context context,
struct krb5_kdc_configuration *config,
unsigned char *buf,
size_t len,
krb5_data *reply,
const char *from,
struct sockaddr *addr)
{
KDC_REQ req;
krb5_error_code ret;
size_t i;
gettimeofday(&now, NULL);
if(decode_AS_REQ(buf, len, &req, &i) == 0){
ret = as_rep(context, config, &req, reply, from, addr);
free_AS_REQ(&req);
return ret;
}else if(decode_TGS_REQ(buf, len, &req, &i) == 0){
ret = tgs_rep(context, config, &req, reply, from, addr);
free_TGS_REQ(&req);
return ret;
}
return -1;
}