Don't pollute namespace, generate public header file

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15532 ec53bebd-3082-4978-b11e-865c3cabbd6b
Love Hörnquist Åstrand
2005-06-30 01:54:49 +00:00
parent 43e3b9ca50
commit 7a3fc5e663
15 changed files with 285 additions and 291 deletions


@@ -44,7 +44,7 @@ RCSID("$Id$");
static krb5_error_code static krb5_error_code
fetch_server (krb5_context context, fetch_server (krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
const Ticket *t, const Ticket *t,
char **spn, char **spn,
hdb_entry **server, hdb_entry **server,
@@ -66,7 +66,7 @@ fetch_server (krb5_context context,
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
return ret; return ret;
} }
ret = db_fetch(context, config, sprinc, server); ret = _kdc_db_fetch(context, config, sprinc, server);
krb5_free_principal(context, sprinc); krb5_free_principal(context, sprinc);
if (ret) { if (ret) {
kdc_log(context, config, 0, kdc_log(context, config, 0,
@@ -81,7 +81,7 @@ fetch_server (krb5_context context,
static krb5_error_code static krb5_error_code
log_524 (krb5_context context, log_524 (krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
const EncTicketPart *et, const EncTicketPart *et,
const char *from, const char *from,
const char *spn) const char *spn)
@@ -111,7 +111,7 @@ log_524 (krb5_context context,
static krb5_error_code static krb5_error_code
verify_flags (krb5_context context, verify_flags (krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
const EncTicketPart *et, const EncTicketPart *et,
const char *spn) const char *spn)
{ {
@@ -133,7 +133,7 @@ verify_flags (krb5_context context,
static krb5_error_code static krb5_error_code
set_address (krb5_context context, set_address (krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
EncTicketPart *et, EncTicketPart *et,
struct sockaddr *addr, struct sockaddr *addr,
const char *from) const char *from)
@@ -185,7 +185,7 @@ set_address (krb5_context context,
static krb5_error_code static krb5_error_code
encrypt_v4_ticket(krb5_context context, encrypt_v4_ticket(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
void *buf, void *buf,
size_t len, size_t len,
krb5_keyblock *skey, krb5_keyblock *skey,
@@ -219,9 +219,10 @@ encrypt_v4_ticket(krb5_context context,
static krb5_error_code static krb5_error_code
encode_524_response(krb5_context context, encode_524_response(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
const char *spn, const EncTicketPart et, const Ticket *t, const char *spn, const EncTicketPart et,
hdb_entry *server, EncryptedData *ticket, int *kvno) const Ticket *t, hdb_entry *server,
EncryptedData *ticket, int *kvno)
{ {
krb5_error_code ret; krb5_error_code ret;
int use_2b; int use_2b;
@@ -252,15 +253,15 @@ encode_524_response(krb5_context context,
return KRB5KDC_ERR_POLICY; return KRB5KDC_ERR_POLICY;
} }
ret = encode_v4_ticket(context, config, ret = _kdc_encode_v4_ticket(context, config,
buf + sizeof(buf) - 1, sizeof(buf), buf + sizeof(buf) - 1, sizeof(buf),
&et, &t->sname, &len); &et, &t->sname, &len);
if(ret){ if(ret){
kdc_log(context, config, 0, kdc_log(context, config, 0,
"Failed to encode v4 ticket (%s)", spn); "Failed to encode v4 ticket (%s)", spn);
return ret; return ret;
} }
ret = get_des_key(context, server, TRUE, FALSE, &skey); ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
if(ret){ if(ret){
kdc_log(context, config, 0, kdc_log(context, config, 0,
"no suitable DES key for server (%s)", spn); "no suitable DES key for server (%s)", spn);
@@ -285,10 +286,10 @@ encode_524_response(krb5_context context,
*/ */
krb5_error_code krb5_error_code
do_524(krb5_context context, _kdc_do_524(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
const Ticket *t, krb5_data *reply, const Ticket *t, krb5_data *reply,
const char *from, struct sockaddr *addr) const char *from, struct sockaddr *addr)
{ {
krb5_error_code ret = 0; krb5_error_code ret = 0;
krb5_crypto crypto; krb5_crypto crypto;
@@ -369,7 +370,7 @@ do_524(krb5_context context,
server, &ticket, &kvno); server, &ticket, &kvno);
free_EncTicketPart(&et); free_EncTicketPart(&et);
out: out:
/* make reply */ /* make reply */
memset(buf, 0, sizeof(buf)); memset(buf, 0, sizeof(buf));
sp = krb5_storage_from_mem(buf, sizeof(buf)); sp = krb5_storage_from_mem(buf, sizeof(buf));
@@ -389,6 +390,6 @@ out:
if(spn) if(spn)
free(spn); free(spn);
if(server) if(server)
free_ent (context, server); _kdc_free_ent (context, server);
return ret; return ret;
} }


@@ -35,11 +35,20 @@ libkdc_la_SOURCES = \
524.c \ 524.c \
kerberos4.c \ kerberos4.c \
kaserver.c \ kaserver.c \
process.c \ process.c \
rx.h rx.h
$(libkdc_la_OBJECTS): $(srcdir)/kdc-protos.h
libkdc_la_LDFLAGS = -version-info 1:0:0 libkdc_la_LDFLAGS = -version-info 1:0:0
CHECK_SYMBOLS = -lib kdc -version krb5_kdc kdc_ _kdc_
$(srcdir)/kdc-protos.h:
cd $(srcdir) && perl ../cf/make-proto.pl -q -P comment -o kdc-protos.h $(libkdc_la_SOURCES) || rm -f kdc-protos.h
hprop_LDADD = \ hprop_LDADD = \
$(top_builddir)/lib/hdb/libhdb.la \ $(top_builddir)/lib/hdb/libhdb.la \
$(LIB_openldap) \ $(LIB_openldap) \
@@ -81,4 +90,4 @@ LDADD = $(top_builddir)/lib/hdb/libhdb.la \
kdc_LDADD = libkdc.la $(LIB_pidfile) kdc_LDADD = libkdc.la $(LIB_pidfile)
include_HEADERS = kdc.h include_HEADERS = kdc.h kdc-protos.h
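Review bot: The new `$(srcdir)/kdc-protos.h:` rule has no prerequisites, so once the header exists it is never regenerated when a file in `$(libkdc_la_SOURCES)` gains, loses or renames a function, and `$(libkdc_la_OBJECTS)` then compiles against stale `_kdc_` prototypes; `$(srcdir)/kdc-protos.h: $(libkdc_la_SOURCES)` fixes that. The `|| rm -f kdc-protos.h` fallback also hides a make-proto.pl failure, because the recipe's exit status becomes that of `rm` and the build only fails later with a missing header; `|| { rm -f kdc-protos.h; exit 1; }` keeps the cleanup and still reports the error. A one-line comment above the rule saying the header is generated and installed (`include_HEADERS` on the last line) would help the next person who edits it.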


@@ -132,7 +132,7 @@ usage(int ret)
} }
static void static void
get_dbinfo(krb5_context context, struct krb5_kdc_configuration *config) get_dbinfo(krb5_context context, krb5_kdc_configuration *config)
{ {
const krb5_config_binding *top_binding = NULL; const krb5_config_binding *top_binding = NULL;
const krb5_config_binding *db_binding; const krb5_config_binding *db_binding;
@@ -254,9 +254,9 @@ add_one_address (krb5_context context, const char *str, int first)
krb5_free_addresses (context, &tmp); krb5_free_addresses (context, &tmp);
} }
struct krb5_kdc_configuration *configure(krb5_context context, int argc, char **argv) krb5_kdc_configuration *configure(krb5_context context, int argc, char **argv)
{ {
struct krb5_kdc_configuration *config = malloc(sizeof(*config)); krb5_kdc_configuration *config = malloc(sizeof(*config));
krb5_error_code ret; krb5_error_code ret;
int optidx = 0; int optidx = 0;
const char *p; const char *p;
@@ -516,7 +516,7 @@ struct krb5_kdc_configuration *configure(krb5_context context, int argc, char **
if (x509_anchors == NULL) if (x509_anchors == NULL)
krb5_errx(context, 1, "pkinit enabled but no X509 anchors"); krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
pk_initialize(user_id, x509_anchors); _pk_initialize(user_id, x509_anchors);
config->enable_pkinit_princ_in_cert = config->enable_pkinit_princ_in_cert =
krb5_config_get_bool_default(context, krb5_config_get_bool_default(context,


@@ -137,7 +137,7 @@ add_port_string (krb5_context context,
static void static void
add_standard_ports (krb5_context context, add_standard_ports (krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
int family) int family)
{ {
add_port_service(context, family, "kerberos", 88, "udp"); add_port_service(context, family, "kerberos", 88, "udp");
@@ -166,7 +166,7 @@ add_standard_ports (krb5_context context,
static void static void
parse_ports(krb5_context context, parse_ports(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
const char *str) const char *str)
{ {
char *pos = NULL; char *pos = NULL;
@@ -248,7 +248,7 @@ reinit_descrs (struct descr *d, int n)
static void static void
init_socket(krb5_context context, init_socket(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
struct descr *d, krb5_address *a, int family, int type, int port) struct descr *d, krb5_address *a, int family, int type, int port)
{ {
krb5_error_code ret; krb5_error_code ret;
@@ -313,7 +313,7 @@ init_socket(krb5_context context,
static int static int
init_sockets(krb5_context context, init_sockets(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
struct descr **desc) struct descr **desc)
{ {
krb5_error_code ret; krb5_error_code ret;
@@ -400,7 +400,7 @@ addr_to_string(krb5_context context,
static void static void
do_request(krb5_context context, do_request(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
void *buf, size_t len, krb5_boolean prependlength, void *buf, size_t len, krb5_boolean prependlength,
struct descr *d) struct descr *d)
{ {
@@ -447,7 +447,7 @@ do_request(krb5_context context,
static void static void
handle_udp(krb5_context context, handle_udp(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
struct descr *d) struct descr *d)
{ {
unsigned char *buf; unsigned char *buf;
@@ -510,7 +510,7 @@ de_http(char *buf)
static void static void
add_new_tcp (krb5_context context, add_new_tcp (krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
struct descr *d, int parent, int child) struct descr *d, int parent, int child)
{ {
int s; int s;
@@ -546,7 +546,7 @@ add_new_tcp (krb5_context context,
static int static int
grow_descr (krb5_context context, grow_descr (krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
struct descr *d, size_t n) struct descr *d, size_t n)
{ {
if (d->size - d->len < n) { if (d->size - d->len < n) {
@@ -580,7 +580,7 @@ grow_descr (krb5_context context,
static int static int
handle_vanilla_tcp (krb5_context context, handle_vanilla_tcp (krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
struct descr *d) struct descr *d)
{ {
krb5_storage *sp; krb5_storage *sp;
@@ -607,7 +607,7 @@ handle_vanilla_tcp (krb5_context context,
static int static int
handle_http_tcp (krb5_context context, handle_http_tcp (krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
struct descr *d) struct descr *d)
{ {
char *s, *p, *t; char *s, *p, *t;
@@ -714,7 +714,7 @@ handle_http_tcp (krb5_context context,
static void static void
handle_tcp(krb5_context context, handle_tcp(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
struct descr *d, int idx, int min_free) struct descr *d, int idx, int min_free)
{ {
unsigned char buf[1024]; unsigned char buf[1024];
@@ -773,7 +773,7 @@ handle_tcp(krb5_context context,
void void
loop(krb5_context context, loop(krb5_context context,
struct krb5_kdc_configuration *config) krb5_kdc_configuration *config)
{ {
struct descr *d; struct descr *d;
int ndescr; int ndescr;


@@ -390,7 +390,7 @@ unparse_auth_args (krb5_storage *sp,
static void static void
do_authenticate (krb5_context context, do_authenticate (krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
struct rx_header *hdr, struct rx_header *hdr,
krb5_storage *sp, krb5_storage *sp,
struct sockaddr_in *addr, struct sockaddr_in *addr,
@@ -432,7 +432,7 @@ do_authenticate (krb5_context context,
kdc_log(context, config, 0, "AS-REQ (kaserver) %s from %s for %s", kdc_log(context, config, 0, "AS-REQ (kaserver) %s from %s for %s",
client_name, from, server_name); client_name, from, server_name);
ret = db_fetch4 (context, config, name, instance, ret = _kdc_db_fetch4 (context, config, name, instance,
config->v4_realm, &client_entry); config->v4_realm, &client_entry);
if (ret) { if (ret) {
kdc_log(context, config, 0, "Client not found in database: %s: %s", kdc_log(context, config, 0, "Client not found in database: %s: %s",
@@ -441,7 +441,7 @@ do_authenticate (krb5_context context,
goto out; goto out;
} }
ret = db_fetch4 (context, config, "krbtgt", ret = _kdc_db_fetch4 (context, config, "krbtgt",
config->v4_realm, config->v4_realm, &server_entry); config->v4_realm, config->v4_realm, &server_entry);
if (ret) { if (ret) {
kdc_log(context, config, 0, "Server not found in database: %s: %s", kdc_log(context, config, 0, "Server not found in database: %s: %s",
@@ -450,17 +450,17 @@ do_authenticate (krb5_context context,
goto out; goto out;
} }
ret = check_flags (context, config, ret = _kdc_check_flags (context, config,
client_entry, client_name, client_entry, client_name,
server_entry, server_name, server_entry, server_name,
TRUE); TRUE);
if (ret) { if (ret) {
make_error_reply (hdr, KAPWEXPIRED, reply); make_error_reply (hdr, KAPWEXPIRED, reply);
goto out; goto out;
} }
/* find a DES key */ /* find a DES key */
ret = get_des_key(context, client_entry, FALSE, TRUE, &ckey); ret = _kdc_get_des_key(context, client_entry, FALSE, TRUE, &ckey);
if(ret){ if(ret){
kdc_log(context, config, 0, "no suitable DES key for client"); kdc_log(context, config, 0, "no suitable DES key for client");
make_error_reply (hdr, KANOKEYS, reply); make_error_reply (hdr, KANOKEYS, reply);
@@ -468,7 +468,7 @@ do_authenticate (krb5_context context,
} }
/* find a DES key */ /* find a DES key */
ret = get_des_key(context, server_entry, TRUE, TRUE, &skey); ret = _kdc_get_des_key(context, server_entry, TRUE, TRUE, &skey);
if(ret){ if(ret){
kdc_log(context, config, 0, "no suitable DES key for server"); kdc_log(context, config, 0, "no suitable DES key for server");
make_error_reply (hdr, KANOKEYS, reply); make_error_reply (hdr, KANOKEYS, reply);
@@ -530,7 +530,7 @@ do_authenticate (krb5_context context,
chal + 1, "tgsT", chal + 1, "tgsT",
&ckey->key, reply); &ckey->key, reply);
out: out:
if (request.length) { if (request.length) {
memset (request.data, 0, request.length); memset (request.data, 0, request.length);
krb5_data_free (&request); krb5_data_free (&request);
@@ -540,9 +540,9 @@ out:
if (instance) if (instance)
free (instance); free (instance);
if (client_entry) if (client_entry)
free_ent (context, client_entry); _kdc_free_ent (context, client_entry);
if (server_entry) if (server_entry)
free_ent (context, server_entry); _kdc_free_ent (context, server_entry);
} }
static krb5_error_code static krb5_error_code
@@ -601,7 +601,7 @@ unparse_getticket_args (krb5_storage *sp,
static void static void
do_getticket (krb5_context context, do_getticket (krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
struct rx_header *hdr, struct rx_header *hdr,
krb5_storage *sp, krb5_storage *sp,
struct sockaddr_in *addr, struct sockaddr_in *addr,
@@ -647,7 +647,7 @@ do_getticket (krb5_context context,
snprintf (server_name, sizeof(server_name), snprintf (server_name, sizeof(server_name),
"%s.%s@%s", name, instance, config->v4_realm); "%s.%s@%s", name, instance, config->v4_realm);
ret = db_fetch4 (context, config, name, instance, config->v4_realm, &server_entry); ret = _kdc_db_fetch4 (context, config, name, instance, config->v4_realm, &server_entry);
if (ret) { if (ret) {
kdc_log(context, config, 0, "Server not found in database: %s: %s", kdc_log(context, config, 0, "Server not found in database: %s: %s",
server_name, krb5_get_err_text(context, ret)); server_name, krb5_get_err_text(context, ret));
@@ -655,7 +655,7 @@ do_getticket (krb5_context context,
goto out; goto out;
} }
ret = db_fetch4 (context, config, "krbtgt", ret = _kdc_db_fetch4 (context, config, "krbtgt",
config->v4_realm, config->v4_realm, &krbtgt_entry); config->v4_realm, config->v4_realm, &krbtgt_entry);
if (ret) { if (ret) {
kdc_log(context, config, 0, kdc_log(context, config, 0,
@@ -667,7 +667,7 @@ do_getticket (krb5_context context,
} }
/* find a DES key */ /* find a DES key */
ret = get_des_key(context, krbtgt_entry, TRUE, TRUE, &kkey); ret = _kdc_get_des_key(context, krbtgt_entry, TRUE, TRUE, &kkey);
if(ret){ if(ret){
kdc_log(context, config, 0, "no suitable DES key for krbtgt"); kdc_log(context, config, 0, "no suitable DES key for krbtgt");
make_error_reply (hdr, KANOKEYS, reply); make_error_reply (hdr, KANOKEYS, reply);
@@ -675,7 +675,7 @@ do_getticket (krb5_context context,
} }
/* find a DES key */ /* find a DES key */
ret = get_des_key(context, server_entry, TRUE, TRUE, &skey); ret = _kdc_get_des_key(context, server_entry, TRUE, TRUE, &skey);
if(ret){ if(ret){
kdc_log(context, config, 0, "no suitable DES key for server"); kdc_log(context, config, 0, "no suitable DES key for server");
make_error_reply (hdr, KANOKEYS, reply); make_error_reply (hdr, KANOKEYS, reply);
@@ -728,7 +728,7 @@ do_getticket (krb5_context context,
kdc_log(context, config, 0, "TGS-REQ (kaserver) %s from %s for %s", kdc_log(context, config, 0, "TGS-REQ (kaserver) %s from %s for %s",
client_name, from, server_name); client_name, from, server_name);
ret = db_fetch4 (context, config, ret = _kdc_db_fetch4 (context, config,
ad.pname, ad.pinst, ad.prealm, &client_entry); ad.pname, ad.pinst, ad.prealm, &client_entry);
if(ret && ret != HDB_ERR_NOENTRY) { if(ret && ret != HDB_ERR_NOENTRY) {
kdc_log(context, config, 0, kdc_log(context, config, 0,
@@ -745,10 +745,10 @@ do_getticket (krb5_context context,
goto out; goto out;
} }
ret = check_flags (context, config, ret = _kdc_check_flags (context, config,
client_entry, client_name, client_entry, client_name,
server_entry, server_name, server_entry, server_name,
FALSE); FALSE);
if (ret) { if (ret) {
make_error_reply (hdr, KAPWEXPIRED, reply); make_error_reply (hdr, KAPWEXPIRED, reply);
goto out; goto out;
@@ -803,7 +803,7 @@ do_getticket (krb5_context context,
0, "gtkt", 0, "gtkt",
&ad.session, reply); &ad.session, reply);
out: out:
_krb5_krb_free_auth_data(context, &ad); _krb5_krb_free_auth_data(context, &ad);
if (aticket.length) { if (aticket.length) {
memset (aticket.data, 0, aticket.length); memset (aticket.data, 0, aticket.length);
@@ -820,19 +820,19 @@ out:
if (instance) if (instance)
free (instance); free (instance);
if (krbtgt_entry) if (krbtgt_entry)
free_ent (context, krbtgt_entry); _kdc_free_ent (context, krbtgt_entry);
if (server_entry) if (server_entry)
free_ent (context, server_entry); _kdc_free_ent (context, server_entry);
} }
krb5_error_code krb5_error_code
do_kaserver(krb5_context context, _kdc_do_kaserver(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
unsigned char *buf, unsigned char *buf,
size_t len, size_t len,
krb5_data *reply, krb5_data *reply,
const char *from, const char *from,
struct sockaddr_in *addr) struct sockaddr_in *addr)
{ {
krb5_error_code ret = 0; krb5_error_code ret = 0;
struct rx_header hdr; struct rx_header hdr;


@@ -1,24 +0,0 @@
int
krb5_kdc_process_generic_request(krb5_context context,
struct krb5_kdc_configuration *config,
unsigned char *buf,
size_t len,
krb5_data *reply,
krb5_boolean *prependlength,
const char *from,
struct sockaddr *addr);
int krb5_kdc_process_krb5_request(krb5_context context,
struct krb5_kdc_configuration *config,
unsigned char *buf,
size_t len,
krb5_data *reply,
const char *from,
struct sockaddr *addr);
void krb5_kdc_default_config(struct krb5_kdc_configuration *config);
void
kdc_openlog(krb5_context context,
struct krb5_kdc_configuration *config);


@@ -49,7 +49,7 @@ enum krb5_kdc_trpolicy {
TRPOLICY_ALWAYS_HONOUR_REQUEST TRPOLICY_ALWAYS_HONOUR_REQUEST
}; };
struct krb5_kdc_configuration { typedef struct krb5_kdc_configuration {
krb5_boolean require_preauth; /* require preauth for all principals */ krb5_boolean require_preauth; /* require preauth for all principals */
time_t kdc_warn_pwexpire; /* time before expiration to print a warning */ time_t kdc_warn_pwexpire; /* time before expiration to print a warning */
@@ -74,7 +74,7 @@ struct krb5_kdc_configuration {
krb5_boolean enable_pkinit_princ_in_cert; krb5_boolean enable_pkinit_princ_in_cert;
krb5_log_facility *logf; krb5_log_facility *logf;
}; } krb5_kdc_configuration;
#include <kdc-protos.h> #include <kdc-protos.h>
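Review bot: kdc.h is an installed header (`include_HEADERS = kdc.h kdc-protos.h` in the Makefile.am hunk) and its last line includes the generated kdc-protos.h, which make-proto.pl builds from every file in `$(libkdc_la_SOURCES)`; unless the `-P comment` mode filters them out, the `_kdc_*` helpers this commit renames precisely to keep them out of the public namespace are still declared in the installed API header. That intent should be written down next to the include, e.g. `/* kdc-protos.h is generated by make-proto.pl from the libkdc sources; only kdc_* and krb5_kdc_* names in it are public API, _kdc_* names are private */`. The typedef keeps the `krb5_kdc_configuration` struct tag, so callers still spelling `struct krb5_kdc_configuration` keep compiling; a short comment at the typedef saying the tag is retained for compatibility would make that deliberate rather than accidental.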


@@ -55,59 +55,59 @@ extern int detach_from_console;
#define _PATH_KDC_CONF HDB_DB_DIR "/kdc.conf" #define _PATH_KDC_CONF HDB_DB_DIR "/kdc.conf"
#define DEFAULT_LOG_DEST "0-1/FILE:" HDB_DB_DIR "/kdc.log" #define DEFAULT_LOG_DEST "0-1/FILE:" HDB_DB_DIR "/kdc.log"
extern struct timeval now; extern struct timeval _kdc_now;
#define kdc_time (now.tv_sec) #define kdc_time (_kdc_now.tv_sec)
krb5_error_code as_rep (krb5_context context, krb5_error_code _kdc_as_rep (krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
KDC_REQ*, krb5_data*, const char*, struct sockaddr*); KDC_REQ*, krb5_data*, const char*, struct sockaddr*);
struct krb5_kdc_configuration *configure(krb5_context context, int argc, char **argv); krb5_kdc_configuration *configure(krb5_context context, int argc, char **argv);
krb5_error_code krb5_error_code
db_fetch(krb5_context, struct krb5_kdc_configuration *, _kdc_db_fetch(krb5_context, krb5_kdc_configuration *,
krb5_principal, hdb_entry **); krb5_principal, hdb_entry **);
void free_ent(krb5_context context, hdb_entry *); void _kdc_free_ent(krb5_context context, hdb_entry *);
void kdc_log (krb5_context context, void kdc_log (krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
int, const char*, ...) int, const char*, ...)
__attribute__ ((format (printf, 4,5))); __attribute__ ((format (printf, 4,5)));
char* kdc_log_msg (krb5_context context, char* kdc_log_msg (krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
int, const char*, ...) int, const char*, ...)
__attribute__ ((format (printf, 4,5))); __attribute__ ((format (printf, 4,5)));
char* kdc_log_msg_va (krb5_context context, char* kdc_log_msg_va (krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
int, const char*, va_list) int, const char*, va_list)
__attribute__ ((format (printf, 4,0))); __attribute__ ((format (printf, 4,0)));
void void
kdc_openlog(krb5_context context, kdc_openlog(krb5_context context,
struct krb5_kdc_configuration *config); krb5_kdc_configuration *config);
void void
loop(krb5_context context, loop(krb5_context context,
struct krb5_kdc_configuration *config); krb5_kdc_configuration *config);
void set_master_key (EncryptionKey); void set_master_key (EncryptionKey);
krb5_error_code tgs_rep (krb5_context context, krb5_error_code _kdc_tgs_rep (krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
KDC_REQ*, krb5_data*, const char*, struct sockaddr *); KDC_REQ*, krb5_data*, const char*, struct sockaddr *);
Key* unseal_key (Key*); Key* unseal_key (Key*);
krb5_error_code krb5_error_code
check_flags(krb5_context context, _kdc_check_flags(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
hdb_entry *client, const char *client_name, hdb_entry *client, const char *client_name,
hdb_entry *server, const char *server_name, hdb_entry *server, const char *server_name,
krb5_boolean is_as_req); krb5_boolean is_as_req);
krb5_error_code get_des_key(krb5_context context, hdb_entry*, krb5_boolean, krb5_boolean, Key**); krb5_error_code _kdc_get_des_key(krb5_context context, hdb_entry*, krb5_boolean, krb5_boolean, Key**);
krb5_error_code krb5_error_code
encode_v4_ticket(krb5_context context, _kdc_encode_v4_ticket(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
void *buf, size_t len, const EncTicketPart *et, void *buf, size_t len, const EncTicketPart *et,
const PrincipalName *service, size_t *size); const PrincipalName *service, size_t *size);
krb5_error_code krb5_error_code
do_524(krb5_context context, _kdc_do_524(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
const Ticket *t, krb5_data *reply, const Ticket *t, krb5_data *reply,
const char *from, struct sockaddr *addr); const char *from, struct sockaddr *addr);
#ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL
#define des_new_random_key des_random_key #define des_new_random_key des_random_key
@@ -115,41 +115,41 @@ do_524(krb5_context context,
#ifdef PKINIT #ifdef PKINIT
typedef struct pk_client_params pk_client_params; typedef struct pk_client_params pk_client_params;
krb5_error_code pk_initialize(const char *, const char *); krb5_error_code _pk_initialize(const char *, const char *);
krb5_error_code pk_rd_padata(krb5_context, KDC_REQ *, krb5_error_code _pk_rd_padata(krb5_context, KDC_REQ *,
PA_DATA *, pk_client_params **); PA_DATA *, pk_client_params **);
krb5_error_code pk_mk_pa_reply(krb5_context, krb5_error_code _pk_mk_pa_reply(krb5_context,
pk_client_params *, pk_client_params *,
const hdb_entry *, const hdb_entry *,
const KDC_REQ *, const KDC_REQ *,
krb5_keyblock **, krb5_keyblock **,
METHOD_DATA *); METHOD_DATA *);
krb5_error_code pk_check_client(krb5_context, krb5_principal, krb5_error_code _pk_check_client(krb5_context, krb5_principal,
const hdb_entry *, const hdb_entry *,
pk_client_params *, char **); pk_client_params *, char **);
void pk_free_client_param(krb5_context, pk_client_params *); void _pk_free_client_param(krb5_context, pk_client_params *);
#endif #endif
/* /*
* Kerberos 4 * Kerberos 4
*/ */
krb5_error_code db_fetch4 (krb5_context context, krb5_error_code _kdc_db_fetch4 (krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
const char*, const char*, const char*, hdb_entry**); const char*, const char*, const char*, hdb_entry**);
krb5_error_code do_version4 (krb5_context context, krb5_error_code _kdc_do_version4 (krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
unsigned char*, size_t, krb5_data*, const char*, unsigned char*, size_t, krb5_data*, const char*,
struct sockaddr_in*); struct sockaddr_in*);
int maybe_version4 (unsigned char*, int); int _kdc_maybe_version4 (unsigned char*, int);
krb5_error_code do_kaserver (krb5_context context, krb5_error_code _kdc_do_kaserver (krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
unsigned char*, size_t, krb5_data*, const char*, unsigned char*, size_t, krb5_data*,
struct sockaddr_in*); const char*, struct sockaddr_in*);
int kdc_process_generic_request(krb5_context context, int kdc_process_generic_request(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
unsigned char *buf, unsigned char *buf,
size_t len, size_t len,
krb5_data *reply, krb5_data *reply,
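Review bot: The PKINIT prototypes renamed to `_pk_initialize`, `_pk_rd_padata`, `_pk_mk_pa_reply`, `_pk_check_client` and `_pk_free_client_param` use a prefix that the new `CHECK_SYMBOLS = -lib kdc -version krb5_kdc kdc_ _kdc_` line in Makefile.am does not list, while every other symbol renamed in this hunk got `_kdc_`. `_pk_initialize` is called from config.c, which appears to belong to the kdc program rather than libkdc, so it is presumably an exported library symbol and a PKINIT-enabled build would fail the symbol check if that check enforces the listed prefixes. Renaming them `_kdc_pk_*`, or adding `_pk_` to CHECK_SYMBOLS, keeps the namespace policy consistent. Leading-underscore identifiers at file scope are reserved by the C standard, but the tree already uses `_krb5_` names (see `_krb5_krb_free_auth_data` in kaserver.c), so this follows local convention. The declaration of `kdc_process_generic_request` continues past the end of the hunk.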


@@ -49,7 +49,7 @@ swap32(u_int32_t x)
#endif /* swap32 */ #endif /* swap32 */
int int
maybe_version4(unsigned char *buf, int len) _kdc_maybe_version4(unsigned char *buf, int len)
{ {
return len > 0 && *buf == 4; return len > 0 && *buf == 4;
} }
@@ -67,7 +67,7 @@ valid_princ(krb5_context context,
void *funcctx, void *funcctx,
krb5_principal princ) krb5_principal princ)
{ {
struct krb5_kdc_configuration *config = funcctx; krb5_kdc_configuration *config = funcctx;
krb5_error_code ret; krb5_error_code ret;
char *s; char *s;
hdb_entry *ent; hdb_entry *ent;
@@ -75,7 +75,7 @@ valid_princ(krb5_context context,
ret = krb5_unparse_name(context, princ, &s); ret = krb5_unparse_name(context, princ, &s);
if (ret) if (ret)
return FALSE; return FALSE;
ret = db_fetch(context, config, princ, &ent); ret = _kdc_db_fetch(context, config, princ, &ent);
if (ret) { if (ret) {
kdc_log(context, config, 7, "Lookup %s failed: %s", s, kdc_log(context, config, 7, "Lookup %s failed: %s", s,
krb5_get_err_text (context, ret)); krb5_get_err_text (context, ret));
@@ -84,13 +84,13 @@ valid_princ(krb5_context context,
} }
kdc_log(context, config, 7, "Lookup %s succeeded", s); kdc_log(context, config, 7, "Lookup %s succeeded", s);
free(s); free(s);
free_ent(context, ent); _kdc_free_ent(context, ent);
return TRUE; return TRUE;
} }
krb5_error_code krb5_error_code
db_fetch4(krb5_context context, _kdc_db_fetch4(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
const char *name, const char *instance, const char *realm, const char *name, const char *instance, const char *realm,
hdb_entry **ent) hdb_entry **ent)
{ {
@@ -101,7 +101,7 @@ db_fetch4(krb5_context context,
valid_princ, config, 0, &p); valid_princ, config, 0, &p);
if(ret) if(ret)
return ret; return ret;
ret = db_fetch(context, config, p, ent); ret = _kdc_db_fetch(context, config, p, ent);
krb5_free_principal(context, p); krb5_free_principal(context, p);
return ret; return ret;
} }
@@ -115,13 +115,13 @@ db_fetch4(krb5_context context,
*/ */
krb5_error_code krb5_error_code
do_version4(krb5_context context, _kdc_do_version4(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
unsigned char *buf, unsigned char *buf,
size_t len, size_t len,
krb5_data *reply, krb5_data *reply,
const char *from, const char *from,
struct sockaddr_in *addr) struct sockaddr_in *addr)
{ {
krb5_storage *sp; krb5_storage *sp;
krb5_error_code ret; krb5_error_code ret;
@@ -181,7 +181,7 @@ do_version4(krb5_context context,
kdc_log(context, config, 0, "AS-REQ (krb4) %s from %s for %s", kdc_log(context, config, 0, "AS-REQ (krb4) %s from %s for %s",
client_name, from, server_name); client_name, from, server_name);
ret = db_fetch4(context, config, name, inst, realm, &client); ret = _kdc_db_fetch4(context, config, name, inst, realm, &client);
if(ret) { if(ret) {
kdc_log(context, config, 0, "Client not found in database: %s: %s", kdc_log(context, config, 0, "Client not found in database: %s: %s",
client_name, krb5_get_err_text(context, ret)); client_name, krb5_get_err_text(context, ret));
@@ -189,7 +189,7 @@ do_version4(krb5_context context,
"principal unknown"); "principal unknown");
goto out1; goto out1;
} }
ret = db_fetch4(context, config, sname, sinst, ret = _kdc_db_fetch4(context, config, sname, sinst,
config->v4_realm, &server); config->v4_realm, &server);
if(ret){ if(ret){
kdc_log(context, config, 0, "Server not found in database: %s: %s", kdc_log(context, config, 0, "Server not found in database: %s: %s",
@@ -199,10 +199,10 @@ do_version4(krb5_context context,
goto out1; goto out1;
} }
ret = check_flags (context, config, ret = _kdc_check_flags (context, config,
client, client_name, client, client_name,
server, server_name, server, server_name,
TRUE); TRUE);
if (ret) { if (ret) {
/* good error code? */ /* good error code? */
make_err_reply(context, reply, KERB_ERR_NAME_EXP, make_err_reply(context, reply, KERB_ERR_NAME_EXP,
@@ -227,7 +227,7 @@ do_version4(krb5_context context,
goto out1; goto out1;
} }
ret = get_des_key(context, client, FALSE, FALSE, &ckey); ret = _kdc_get_des_key(context, client, FALSE, FALSE, &ckey);
if(ret){ if(ret){
kdc_log(context, config, 0, "no suitable DES key for client"); kdc_log(context, config, 0, "no suitable DES key for client");
make_err_reply(context, reply, KDC_NULL_KEY, make_err_reply(context, reply, KDC_NULL_KEY,
@@ -249,7 +249,7 @@ do_version4(krb5_context context,
} }
#endif #endif
ret = get_des_key(context, server, TRUE, FALSE, &skey); ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
if(ret){ if(ret){
kdc_log(context, config, 0, "no suitable DES key for server"); kdc_log(context, config, 0, "no suitable DES key for server");
/* XXX */ /* XXX */
@@ -360,7 +360,7 @@ do_version4(krb5_context context,
goto out2; goto out2;
} }
ret = db_fetch(context, config, tgt_princ, &tgt); ret = _kdc_db_fetch(context, config, tgt_princ, &tgt);
if(ret){ if(ret){
char *s; char *s;
s = kdc_log_msg(context, config, 0, "Ticket-granting ticket not " s = kdc_log_msg(context, config, 0, "Ticket-granting ticket not "
@@ -382,7 +382,7 @@ do_version4(krb5_context context,
goto out2; goto out2;
} }
ret = get_des_key(context, tgt, TRUE, FALSE, &tkey); ret = _kdc_get_des_key(context, tgt, TRUE, FALSE, &tkey);
if(ret){ if(ret){
kdc_log(context, config, 0, kdc_log(context, config, 0,
"no suitable DES key for krbtgt (krb4)"); "no suitable DES key for krbtgt (krb4)");
@@ -455,7 +455,7 @@ do_version4(krb5_context context,
goto out2; goto out2;
} }
ret = db_fetch4(context, config, ad.pname, ad.pinst, ad.prealm, &client); ret = _kdc_db_fetch4(context, config, ad.pname, ad.pinst, ad.prealm, &client);
if(ret && ret != HDB_ERR_NOENTRY) { if(ret && ret != HDB_ERR_NOENTRY) {
char *s; char *s;
s = kdc_log_msg(context, config, 0, s = kdc_log_msg(context, config, 0,
@@ -475,7 +475,7 @@ do_version4(krb5_context context,
goto out2; goto out2;
} }
ret = db_fetch4(context, config, sname, sinst, config->v4_realm, &server); ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm, &server);
if(ret){ if(ret){
char *s; char *s;
s = kdc_log_msg(context, config, 0, s = kdc_log_msg(context, config, 0,
@@ -486,10 +486,10 @@ do_version4(krb5_context context,
goto out2; goto out2;
} }
ret = check_flags (context, config, ret = _kdc_check_flags (context, config,
client, client_name, client, client_name,
server, server_name, server, server_name,
FALSE); FALSE);
if (ret) { if (ret) {
/* good error code? */ /* good error code? */
make_err_reply(context, reply, KERB_ERR_NAME_EXP, make_err_reply(context, reply, KERB_ERR_NAME_EXP,
@@ -497,7 +497,7 @@ do_version4(krb5_context context,
goto out2; goto out2;
} }
ret = get_des_key(context, server, TRUE, FALSE, &skey); ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
if(ret){ if(ret){
kdc_log(context, config, 0, kdc_log(context, config, 0,
"no suitable DES key for server (krb4)"); "no suitable DES key for server (krb4)");
@@ -598,7 +598,7 @@ do_version4(krb5_context context,
if(tgt_princ) if(tgt_princ)
krb5_free_principal(context, tgt_princ); krb5_free_principal(context, tgt_princ);
if(tgt) if(tgt)
free_ent(context, tgt); _kdc_free_ent(context, tgt);
break; break;
} }
case AUTH_MSG_ERR_REPLY: case AUTH_MSG_ERR_REPLY:
@@ -621,18 +621,18 @@ do_version4(krb5_context context,
if(sinst) if(sinst)
free(sinst); free(sinst);
if(client) if(client)
free_ent(context, client); _kdc_free_ent(context, client);
if(server) if(server)
free_ent(context, server); _kdc_free_ent(context, server);
krb5_storage_free(sp); krb5_storage_free(sp);
return 0; return 0;
} }
krb5_error_code krb5_error_code
encode_v4_ticket(krb5_context context, _kdc_encode_v4_ticket(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
void *buf, size_t len, const EncTicketPart *et, void *buf, size_t len, const EncTicketPart *et,
const PrincipalName *service, size_t *size) const PrincipalName *service, size_t *size)
{ {
krb5_storage *sp; krb5_storage *sp;
krb5_error_code ret; krb5_error_code ret;
@@ -718,9 +718,9 @@ encode_v4_ticket(krb5_context context,
} }
krb5_error_code krb5_error_code
get_des_key(krb5_context context, _kdc_get_des_key(krb5_context context,
hdb_entry *principal, krb5_boolean is_server, hdb_entry *principal, krb5_boolean is_server,
krb5_boolean prefer_afs_key, Key **ret_key) krb5_boolean prefer_afs_key, Key **ret_key)
{ {
Key *v5_key = NULL, *v4_key = NULL, *afs_key = NULL, *server_key = NULL; Key *v5_key = NULL, *v4_key = NULL, *afs_key = NULL, *server_key = NULL;
int i; int i;


@@ -118,7 +118,7 @@ find_etype(krb5_context context, hdb_entry *princ,
static krb5_error_code static krb5_error_code
find_keys(krb5_context context, find_keys(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
hdb_entry *client, hdb_entry *client,
hdb_entry *server, hdb_entry *server,
Key **ckey, Key **ckey,
@@ -181,7 +181,7 @@ make_anonymous_principalname (PrincipalName *pn)
static void static void
log_timestamp(krb5_context context, log_timestamp(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
const char *type, const char *type,
KerberosTime authtime, KerberosTime *starttime, KerberosTime authtime, KerberosTime *starttime,
KerberosTime endtime, KerberosTime *renew_till) KerberosTime endtime, KerberosTime *renew_till)
@@ -206,7 +206,7 @@ log_timestamp(krb5_context context,
static krb5_error_code static krb5_error_code
encode_reply(krb5_context context, encode_reply(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
KDC_REP *rep, EncTicketPart *et, EncKDCRepPart *ek, KDC_REP *rep, EncTicketPart *et, EncKDCRepPart *ek,
krb5_enctype etype, krb5_enctype etype,
int skvno, EncryptionKey *skey, int skvno, EncryptionKey *skey,
@@ -356,7 +356,7 @@ make_etype_info_entry(krb5_context context, ETYPE_INFO_ENTRY *ent, Key *key)
static krb5_error_code static krb5_error_code
get_pa_etype_info(krb5_context context, get_pa_etype_info(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
METHOD_DATA *md, hdb_entry *client, METHOD_DATA *md, hdb_entry *client,
ENCTYPE *etypes, unsigned int etypes_len) ENCTYPE *etypes, unsigned int etypes_len)
{ {
@@ -519,7 +519,7 @@ only_older_enctype_p(const KDC_REQ *req)
static krb5_error_code static krb5_error_code
get_pa_etype_info2(krb5_context context, get_pa_etype_info2(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
METHOD_DATA *md, hdb_entry *client, METHOD_DATA *md, hdb_entry *client,
ENCTYPE *etypes, unsigned int etypes_len) ENCTYPE *etypes, unsigned int etypes_len)
{ {
@@ -604,21 +604,23 @@ get_pa_etype_info2(krb5_context context,
*/ */
krb5_error_code krb5_error_code
check_flags(krb5_context context, _kdc_check_flags(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
hdb_entry *client, const char *client_name, hdb_entry *client, const char *client_name,
hdb_entry *server, const char *server_name, hdb_entry *server, const char *server_name,
krb5_boolean is_as_req) krb5_boolean is_as_req)
{ {
if(client != NULL) { if(client != NULL) {
/* check client */ /* check client */
if (client->flags.invalid) { if (client->flags.invalid) {
kdc_log(context, config, 0, "Client (%s) has invalid bit set", client_name); kdc_log(context, config, 0,
"Client (%s) has invalid bit set", client_name);
return KRB5KDC_ERR_POLICY; return KRB5KDC_ERR_POLICY;
} }
if(!client->flags.client){ if(!client->flags.client){
kdc_log(context, config, 0, "Principal may not act as client -- %s", kdc_log(context, config, 0,
"Principal may not act as client -- %s",
client_name); client_name);
return KRB5KDC_ERR_POLICY; return KRB5KDC_ERR_POLICY;
} }
@@ -685,7 +687,7 @@ check_flags(krb5_context context,
static krb5_boolean static krb5_boolean
check_addresses(krb5_context context, check_addresses(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
HostAddresses *addresses, const struct sockaddr *from) HostAddresses *addresses, const struct sockaddr *from)
{ {
krb5_error_code ret; krb5_error_code ret;
@@ -708,12 +710,12 @@ check_addresses(krb5_context context,
} }
krb5_error_code krb5_error_code
as_rep(krb5_context context, _kdc_as_rep(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
KDC_REQ *req, KDC_REQ *req,
krb5_data *reply, krb5_data *reply,
const char *from, const char *from,
struct sockaddr *from_addr) struct sockaddr *from_addr)
{ {
KDC_REQ_BODY *b = &req->req_body; KDC_REQ_BODY *b = &req->req_body;
AS_REP rep; AS_REP rep;
@@ -764,7 +766,7 @@ as_rep(krb5_context context,
kdc_log(context, config, 0, "AS-REQ %s from %s for %s", kdc_log(context, config, 0, "AS-REQ %s from %s for %s",
client_name, from, server_name); client_name, from, server_name);
ret = db_fetch(context, config, client_princ, &client); ret = _kdc_db_fetch(context, config, client_princ, &client);
if(ret){ if(ret){
kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name, kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name,
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
@@ -772,7 +774,7 @@ as_rep(krb5_context context,
goto out; goto out;
} }
ret = db_fetch(context, config, server_princ, &server); ret = _kdc_db_fetch(context, config, server_princ, &server);
if(ret){ if(ret){
kdc_log(context, config, 0, "UNKNOWN -- %s: %s", server_name, kdc_log(context, config, 0, "UNKNOWN -- %s: %s", server_name,
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
@@ -780,8 +782,10 @@ as_rep(krb5_context context,
goto out; goto out;
} }
ret = check_flags(context, config, ret = _kdc_check_flags(context, config,
client, client_name, server, server_name, TRUE); client, client_name,
server, server_name,
TRUE);
if(ret) if(ret)
goto out; goto out;
@@ -815,25 +819,26 @@ as_rep(krb5_context context,
if (pa) { if (pa) {
char *client_cert = NULL; char *client_cert = NULL;
ret = pk_rd_padata(context, req, pa, &pkp); ret = _pk_rd_padata(context, req, pa, &pkp);
if (ret) { if (ret) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
kdc_log(context, config, 5, "Failed to decode PKINIT PA-DATA -- %s", kdc_log(context, config, 5,
"Failed to decode PKINIT PA-DATA -- %s",
client_name); client_name);
goto ts_enc; goto ts_enc;
} }
if (ret == 0 && pkp == NULL) if (ret == 0 && pkp == NULL)
goto ts_enc; goto ts_enc;
ret = pk_check_client(context, ret = _pk_check_client(context,
client_princ, client_princ,
client, client,
pkp, pkp,
&client_cert); &client_cert);
if (ret) { if (ret) {
e_text = "PKINIT certificate not allowed to " e_text = "PKINIT certificate not allowed to "
"impersonate principal"; "impersonate principal";
pk_free_client_param(context, pkp); _pk_free_client_param(context, pkp);
pkp = NULL; pkp = NULL;
goto ts_enc; goto ts_enc;
} }
@@ -917,7 +922,7 @@ as_rep(krb5_context context,
e_text = "Failed to decrypt PA-DATA"; e_text = "Failed to decrypt PA-DATA";
kdc_log(context, config, kdc_log(context, config,
5, "Failed to decrypt PA-DATA -- %s", 5, "Failed to decrypt PA-DATA -- %s",
client_name); client_name);
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
continue; continue;
} }
@@ -932,7 +937,7 @@ as_rep(krb5_context context,
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
kdc_log(context, config, kdc_log(context, config,
5, "Failed to decode PA-ENC-TS_ENC -- %s", 5, "Failed to decode PA-ENC-TS_ENC -- %s",
client_name); client_name);
continue; continue;
} }
free_PA_ENC_TS_ENC(&p); free_PA_ENC_TS_ENC(&p);
@@ -1270,8 +1275,8 @@ as_rep(krb5_context context,
reply_key = &ckey->key; reply_key = &ckey->key;
#if PKINIT #if PKINIT
if (pkp) { if (pkp) {
ret = pk_mk_pa_reply(context, pkp, client, req, ret = _pk_mk_pa_reply(context, pkp, client, req,
&reply_key, rep.padata); &reply_key, rep.padata);
if (ret) if (ret)
goto out; goto out;
} }
@@ -1309,7 +1314,7 @@ as_rep(krb5_context context,
out2: out2:
#ifdef PKINIT #ifdef PKINIT
if (pkp) if (pkp)
pk_free_client_param(context, pkp); _pk_free_client_param(context, pkp);
#endif #endif
if (client_princ) if (client_princ)
krb5_free_principal(context, client_princ); krb5_free_principal(context, client_princ);
@@ -1318,16 +1323,16 @@ as_rep(krb5_context context,
krb5_free_principal(context, server_princ); krb5_free_principal(context, server_princ);
free(server_name); free(server_name);
if(client) if(client)
free_ent(context, client); _kdc_free_ent(context, client);
if(server) if(server)
free_ent(context, server); _kdc_free_ent(context, server);
return ret; return ret;
} }
static krb5_error_code static krb5_error_code
check_tgs_flags(krb5_context context, check_tgs_flags(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
KDC_REQ_BODY *b, EncTicketPart *tgt, EncTicketPart *et) KDC_REQ_BODY *b, EncTicketPart *tgt, EncTicketPart *et)
{ {
KDCOptions f = b->kdc_options; KDCOptions f = b->kdc_options;
@@ -1448,7 +1453,7 @@ check_tgs_flags(krb5_context context,
static krb5_error_code static krb5_error_code
fix_transited_encoding(krb5_context context, fix_transited_encoding(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
krb5_boolean check_policy, krb5_boolean check_policy,
TransitedEncoding *tr, TransitedEncoding *tr,
EncTicketPart *et, EncTicketPart *et,
@@ -1545,7 +1550,7 @@ fix_transited_encoding(krb5_context context,
static krb5_error_code static krb5_error_code
tgs_make_reply(krb5_context context, tgs_make_reply(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
KDC_REQ_BODY *b, KDC_REQ_BODY *b,
EncTicketPart *tgt, EncTicketPart *tgt,
EncTicketPart *adtkt, EncTicketPart *adtkt,
@@ -1755,7 +1760,7 @@ tgs_make_reply(krb5_context context,
static krb5_error_code static krb5_error_code
tgs_check_authenticator(krb5_context context, tgs_check_authenticator(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
krb5_auth_context ac, krb5_auth_context ac,
KDC_REQ_BODY *b, KDC_REQ_BODY *b,
const char **e_text, const char **e_text,
@@ -1869,7 +1874,7 @@ need_referral(krb5_context context, krb5_principal server, krb5_realm **realms)
static krb5_error_code static krb5_error_code
tgs_rep2(krb5_context context, tgs_rep2(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
KDC_REQ_BODY *b, KDC_REQ_BODY *b,
PA_DATA *tgs_req, PA_DATA *tgs_req,
krb5_data *reply, krb5_data *reply,
@@ -1918,7 +1923,7 @@ tgs_rep2(krb5_context context,
ap_req.ticket.sname, ap_req.ticket.sname,
ap_req.ticket.realm); ap_req.ticket.realm);
ret = db_fetch(context, config, princ, &krbtgt); ret = _kdc_db_fetch(context, config, princ, &krbtgt);
if(ret) { if(ret) {
char *p; char *p;
@@ -2117,7 +2122,7 @@ tgs_rep2(krb5_context context,
goto out2; goto out2;
} }
_krb5_principalname2krb5_principal(&p, t->sname, t->realm); _krb5_principalname2krb5_principal(&p, t->sname, t->realm);
ret = db_fetch(context, config, p, &uu); ret = _kdc_db_fetch(context, config, p, &uu);
krb5_free_principal(context, p); krb5_free_principal(context, p);
if(ret){ if(ret){
if (ret == HDB_ERR_NOENTRY) if (ret == HDB_ERR_NOENTRY)
@@ -2156,7 +2161,7 @@ tgs_rep2(krb5_context context,
kdc_log(context, config, 0, kdc_log(context, config, 0,
"TGS-REQ %s from %s for %s", cpn, from, spn); "TGS-REQ %s from %s for %s", cpn, from, spn);
server_lookup: server_lookup:
ret = db_fetch(context, config, sp, &server); ret = _kdc_db_fetch(context, config, sp, &server);
if(ret){ if(ret){
const char *new_rlm; const char *new_rlm;
@@ -2205,7 +2210,7 @@ tgs_rep2(krb5_context context,
goto out; goto out;
} }
ret = db_fetch(context, config, cp, &client); ret = _kdc_db_fetch(context, config, cp, &client);
if(ret) if(ret)
kdc_log(context, config, 1, "Client not found in database: %s: %s", kdc_log(context, config, 1, "Client not found in database: %s: %s",
cpn, krb5_get_err_text(context, ret)); cpn, krb5_get_err_text(context, ret));
@@ -2235,8 +2240,10 @@ tgs_rep2(krb5_context context,
} }
ret = check_flags(context, config, ret = _kdc_check_flags(context, config,
client, cpn, server, spn, FALSE); client, cpn,
server, spn,
FALSE);
if(ret) if(ret)
goto out; goto out;
@@ -2274,11 +2281,11 @@ tgs_rep2(krb5_context context,
free(cpn); free(cpn);
if(server) if(server)
free_ent(context, server); _kdc_free_ent(context, server);
if(client) if(client)
free_ent(context, client); _kdc_free_ent(context, client);
} }
out2: out2:
if(ret) { if(ret) {
krb5_mk_error(context, krb5_mk_error(context,
ret, ret,
@@ -2305,19 +2312,19 @@ out2:
} }
if(krbtgt) if(krbtgt)
free_ent(context, krbtgt); _kdc_free_ent(context, krbtgt);
return ret; return ret;
} }
krb5_error_code krb5_error_code
tgs_rep(krb5_context context, _kdc_tgs_rep(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
KDC_REQ *req, KDC_REQ *req,
krb5_data *data, krb5_data *data,
const char *from, const char *from,
struct sockaddr *from_addr) struct sockaddr *from_addr)
{ {
krb5_error_code ret; krb5_error_code ret;
int i = 0; int i = 0;
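Review bot: In the as_rep PKINIT hunk (`@@ -815,25 +819,26 @@`) the branch that fails `_pk_rd_padata` jumps to `ts_enc` without touching `pkp`, while the cleanup at `out2` later calls `_pk_free_client_param` whenever `pkp` is non-NULL; whether `_pk_rd_padata` guarantees `*ret_params` is left NULL on every error path is not visible in this hunk. If it can return an error after storing a partially built `pk_client_params`, the cleanup releases a half-initialised object, and if it allocates internally but stores nothing, the allocation leaks. I would confirm the contract in pkinit.c or pin it at the call site with `/* _pk_rd_padata must leave *ret_params NULL on failure; out2 frees pkp whenever it is set */`. The `ret == 0 &&` in the following condition is also always true at that point and could be dropped. as_rep starts and ends outside this hunk.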


@@ -36,7 +36,7 @@ RCSID("$Id$");
void void
kdc_openlog(krb5_context context, kdc_openlog(krb5_context context,
struct krb5_kdc_configuration *config) krb5_kdc_configuration *config)
{ {
char **s = NULL, **p; char **s = NULL, **p;
krb5_initlog(context, "kdc", &config->logf); krb5_initlog(context, "kdc", &config->logf);
@@ -54,7 +54,7 @@ kdc_openlog(krb5_context context,
char* char*
kdc_log_msg_va(krb5_context context, kdc_log_msg_va(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
int level, const char *fmt, va_list ap) int level, const char *fmt, va_list ap)
{ {
char *msg; char *msg;
@@ -64,7 +64,7 @@ kdc_log_msg_va(krb5_context context,
char* char*
kdc_log_msg(krb5_context context, kdc_log_msg(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
int level, const char *fmt, ...) int level, const char *fmt, ...)
{ {
va_list ap; va_list ap;
@@ -77,7 +77,7 @@ kdc_log_msg(krb5_context context,
void void
kdc_log(krb5_context context, kdc_log(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
int level, const char *fmt, ...) int level, const char *fmt, ...)
{ {
va_list ap; va_list ap;


@@ -53,7 +53,7 @@ main(int argc, char **argv)
{ {
krb5_error_code ret; krb5_error_code ret;
krb5_context context; krb5_context context;
struct krb5_kdc_configuration *config; krb5_kdc_configuration *config;
setprogname(argv[0]); setprogname(argv[0]);


@@ -35,13 +35,13 @@
RCSID("$Id$"); RCSID("$Id$");
struct timeval now; struct timeval _kdc_now;
krb5_error_code krb5_error_code
db_fetch(krb5_context context, _kdc_db_fetch(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
krb5_principal principal, krb5_principal principal,
hdb_entry **h) hdb_entry **h)
{ {
hdb_entry *ent; hdb_entry *ent;
krb5_error_code ret = HDB_ERR_NOENTRY; krb5_error_code ret = HDB_ERR_NOENTRY;
@@ -74,7 +74,7 @@ db_fetch(krb5_context context,
} }
void void
free_ent(krb5_context context, hdb_entry *ent) _kdc_free_ent(krb5_context context, hdb_entry *ent)
{ {
hdb_free_entry (context, ent); hdb_free_entry (context, ent);
free (ent); free (ent);
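Review bot: `_kdc_now` at the top of misc.c remains a single process-wide `struct timeval` with external linkage, now under the library-internal prefix; it is stamped per request by `gettimeofday(&_kdc_now, NULL)` in process.c and presumably read by the reply code elsewhere. If the request processors are ever driven from more than one thread, that is an unsynchronised write shared across requests, and two overlapping requests can observe each other's timestamp; a per-request value carried alongside `config` would avoid that. At minimum the definition deserves a comment stating the assumption: `/* request timestamp; written once per request by krb5_kdc_process_*_request(), single-threaded use assumed */`. Threading of the callers is not visible in this commit.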


@@ -271,7 +271,7 @@ pk_encrypt_key(krb5_context context,
} }
void void
pk_free_client_param(krb5_context context, pk_client_params *client_params) _pk_free_client_param(krb5_context context, pk_client_params *client_params)
{ {
if (client_params->certificate) if (client_params->certificate)
_krb5_pk_cert_free(client_params->certificate); _krb5_pk_cert_free(client_params->certificate);
@@ -508,10 +508,10 @@ verify_trusted_ca(PA_PK_AS_REQ_19 *r)
#endif /* 0 */ #endif /* 0 */
krb5_error_code krb5_error_code
pk_rd_padata(krb5_context context, _pk_rd_padata(krb5_context context,
KDC_REQ *req, KDC_REQ *req,
PA_DATA *pa, PA_DATA *pa,
pk_client_params **ret_params) pk_client_params **ret_params)
{ {
pk_client_params *client_params; pk_client_params *client_params;
krb5_error_code ret; krb5_error_code ret;
@@ -1169,12 +1169,12 @@ pk_mk_pa_reply_dh(krb5_context context,
*/ */
krb5_error_code krb5_error_code
pk_mk_pa_reply(krb5_context context, _pk_mk_pa_reply(krb5_context context,
pk_client_params *client_params, pk_client_params *client_params,
const hdb_entry *client, const hdb_entry *client,
const KDC_REQ *req, const KDC_REQ *req,
krb5_keyblock **reply_key, krb5_keyblock **reply_key,
METHOD_DATA *md) METHOD_DATA *md)
{ {
krb5_error_code ret; krb5_error_code ret;
void *buf; void *buf;
@@ -1432,11 +1432,11 @@ pk_principal_from_X509(krb5_context context,
/* XXX match with issuer too ? */ /* XXX match with issuer too ? */
krb5_error_code krb5_error_code
pk_check_client(krb5_context context, _pk_check_client(krb5_context context,
krb5_principal client_princ, krb5_principal client_princ,
const hdb_entry *client, const hdb_entry *client,
pk_client_params *client_params, pk_client_params *client_params,
char **subject_name) char **subject_name)
{ {
struct krb5_pk_cert *client_cert = client_params->certificate; struct krb5_pk_cert *client_cert = client_params->certificate;
krb5_principal cert_princ; krb5_principal cert_princ;
@@ -1522,7 +1522,7 @@ add_principal_mapping(const char *principal_name, const char * subject)
krb5_error_code krb5_error_code
pk_initialize(const char *user_id, const char *x509_anchors) _pk_initialize(const char *user_id, const char *x509_anchors)
{ {
const char *mapping_file; const char *mapping_file;
krb5_error_code ret; krb5_error_code ret;
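Review bot: The pkinit.c symbols are renamed with a `_pk_` prefix (`_pk_free_client_param`, `_pk_rd_padata`, `_pk_mk_pa_reply`, `_pk_check_client`, `_pk_initialize`) while every other internal symbol in this commit takes `_kdc_`; a two-letter prefix in the underscore namespace is easy to collide with in another library linked into the same process, which is the very pollution this commit sets out to stop. `_kdc_pk_rd_padata` and friends would keep one prefix for the whole KDC. Note also that any identifier beginning with an underscore is reserved at file scope by the C standard, so this convention relies on the implementation not defining such names, exactly as the existing `_krb5_` prefix already does.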


@@ -43,7 +43,7 @@ RCSID("$Id$");
int int
krb5_kdc_process_generic_request(krb5_context context, krb5_kdc_process_generic_request(krb5_context context,
struct krb5_kdc_configuration *config, krb5_kdc_configuration *config,
unsigned char *buf, unsigned char *buf,
size_t len, size_t len,
krb5_data *reply, krb5_data *reply,
@@ -56,27 +56,27 @@ krb5_kdc_process_generic_request(krb5_context context,
krb5_error_code ret; krb5_error_code ret;
size_t i; size_t i;
gettimeofday(&now, NULL); gettimeofday(&_kdc_now, NULL);
if(decode_AS_REQ(buf, len, &req, &i) == 0){ if(decode_AS_REQ(buf, len, &req, &i) == 0){
ret = as_rep(context, config, &req, reply, from, addr); ret = _kdc_as_rep(context, config, &req, reply, from, addr);
free_AS_REQ(&req); free_AS_REQ(&req);
return ret; return ret;
}else if(decode_TGS_REQ(buf, len, &req, &i) == 0){ }else if(decode_TGS_REQ(buf, len, &req, &i) == 0){
ret = tgs_rep(context, config, &req, reply, from, addr); ret = _kdc_tgs_rep(context, config, &req, reply, from, addr);
free_TGS_REQ(&req); free_TGS_REQ(&req);
return ret; return ret;
}else if(decode_Ticket(buf, len, &ticket, &i) == 0){ }else if(decode_Ticket(buf, len, &ticket, &i) == 0){
ret = do_524(context, config, &ticket, reply, from, addr); ret = _kdc_do_524(context, config, &ticket, reply, from, addr);
free_Ticket(&ticket); free_Ticket(&ticket);
return ret; return ret;
} else if(maybe_version4(buf, len)){ } else if(_kdc_maybe_version4(buf, len)){
*prependlength = FALSE; /* elbitapmoc sdrawkcab XXX */ *prependlength = FALSE; /* elbitapmoc sdrawkcab XXX */
do_version4(context, config, buf, len, reply, from, _kdc_do_version4(context, config, buf, len, reply, from,
(struct sockaddr_in*)addr); (struct sockaddr_in*)addr);
return 0; return 0;
} else if (config->enable_kaserver) { } else if (config->enable_kaserver) {
ret = do_kaserver(context, config, buf, len, reply, from, ret = _kdc_do_kaserver(context, config, buf, len, reply, from,
(struct sockaddr_in*)addr); (struct sockaddr_in*)addr);
return ret; return ret;
} }
@@ -90,25 +90,26 @@ krb5_kdc_process_generic_request(krb5_context context,
* This only processes krb5 requests * This only processes krb5 requests
*/ */
int krb5_kdc_process_krb5_request(krb5_context context, int
struct krb5_kdc_configuration *config, krb5_kdc_process_krb5_request(krb5_context context,
unsigned char *buf, krb5_kdc_configuration *config,
size_t len, unsigned char *buf,
krb5_data *reply, size_t len,
const char *from, krb5_data *reply,
struct sockaddr *addr) const char *from,
struct sockaddr *addr)
{ {
KDC_REQ req; KDC_REQ req;
krb5_error_code ret; krb5_error_code ret;
size_t i; size_t i;
gettimeofday(&now, NULL); gettimeofday(&_kdc_now, NULL);
if(decode_AS_REQ(buf, len, &req, &i) == 0){ if(decode_AS_REQ(buf, len, &req, &i) == 0){
ret = as_rep(context, config, &req, reply, from, addr); ret = _kdc_as_rep(context, config, &req, reply, from, addr);
free_AS_REQ(&req); free_AS_REQ(&req);
return ret; return ret;
}else if(decode_TGS_REQ(buf, len, &req, &i) == 0){ }else if(decode_TGS_REQ(buf, len, &req, &i) == 0){
ret = tgs_rep(context, config, &req, reply, from, addr); ret = _kdc_tgs_rep(context, config, &req, reply, from, addr);
free_TGS_REQ(&req); free_TGS_REQ(&req);
return ret; return ret;
} }