oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Make context global.

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@2701 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Johan Danielsson
1997-08-04 18:20:36 +00:00
parent 5cd6b4ba84
commit a0464f4b20
7 changed files with 141 additions and 146 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
kdc/connect.c
View File

@@ -90,8 +90,7 @@ init_sockets(struct descr **d)
static int
process_request(krb5_context context,
unsigned char *buf,
process_request(unsigned char *buf,
size_t len,
krb5_data *reply,
const char *from,
@@ -103,24 +102,24 @@ process_request(krb5_context context,
gettimeofday(&now, NULL);
if(decode_AS_REQ(buf, len, &req, &i) == 0){
err = as_rep(context, &req, reply, from);
err = as_rep(&req, reply, from);
free_AS_REQ(&req);
return err;
}else if(decode_TGS_REQ(buf, len, &req, &i) == 0){
err = tgs_rep(context, &req, reply, from);
err = tgs_rep(&req, reply, from);
free_TGS_REQ(&req);
return err;
}
#ifdef KRB4
else if(maybe_version4(buf, len))
do_version4(context, buf, len, reply, from, (struct sockaddr_in*)addr);
do_version4(buf, len, reply, from, (struct sockaddr_in*)addr);
#endif
return -1;
}
static void
do_request(krb5_context context, void *buf, size_t len,
do_request(void *buf, size_t len,
int socket, struct sockaddr *from, size_t from_len)
{
krb5_error_code ret;
@@ -131,22 +130,22 @@ do_request(krb5_context context, void *buf, size_t len,
strcpy(addr, inet_ntoa(((struct sockaddr_in*)from)->sin_addr));
reply.length = 0;
ret = process_request(context, buf, len, &reply, addr, from);
ret = process_request(buf, len, &reply, addr, from);
if(reply.length){
kdc_log(context, 5, "sending %d bytes to %s", reply.length, addr);
kdc_log(5, "sending %d bytes to %s", reply.length, addr);
sendto(socket, reply.data, reply.length, 0, from, from_len);
krb5_data_free(&reply);
}
}
static void
handle_udp(krb5_context context, struct descr *d)
handle_udp(struct descr *d)
{
unsigned char buf[1024];
struct sockaddr_in from;
int from_len = sizeof(from);
size_t n;
n = recvfrom(d->s, buf, sizeof(buf), 0,
(struct sockaddr*)&from, &from_len);
if(n < 0){
@@ -156,7 +155,7 @@ handle_udp(krb5_context context, struct descr *d)
if(n == 0){
return;
}
do_request(context, buf, n, d->s, (struct sockaddr*)&from, from_len);
do_request(buf, n, d->s, (struct sockaddr*)&from, from_len);
}
static void
@@ -171,7 +170,7 @@ clear_descr(struct descr *d)
}
static void
handle_tcp(krb5_context context, struct descr *d, int index, int min_free)
handle_tcp(struct descr *d, int index, int min_free)
{
unsigned char buf[1024];
struct sockaddr_in from;
@@ -236,7 +235,7 @@ handle_tcp(krb5_context context, struct descr *d, int index, int min_free)
}
}
if(n == 0){
do_request(context, d[index].buf, d[index].len,
do_request(d[index].buf, d[index].len,
d[index].s, (struct sockaddr*)&from, from_len);
clear_descr(d + index);
}
@@ -245,7 +244,7 @@ handle_tcp(krb5_context context, struct descr *d, int index, int min_free)
void
loop(krb5_context context)
loop(void)
{
struct descr *d;
int ndescr;
@@ -292,9 +291,9 @@ loop(krb5_context context)
for(i = 0; i < ndescr; i++)
if(d[i].s >= 0 && FD_ISSET(d[i].s, &fds))
if(d[i].type == SOCK_DGRAM)
handle_udp(context, &d[i]);
handle_udp(&d[i]);
else if(d[i].type == SOCK_STREAM)
handle_tcp(context, d, i, min_free);
handle_tcp(d, i, min_free);
}
}
free (d);

19
kdc/kdc_locl.h
View File

@@ -83,9 +83,12 @@
#include "hdb.h"
extern krb5_context context;
extern int require_preauth;
extern sig_atomic_t exit_flag;
extern char *keyfile;
extern size_t max_request;
#ifdef KRB4
extern char *v4_realm;
@@ -94,22 +97,22 @@ extern char *v4_realm;
extern struct timeval now;
#define kdc_time (now.tv_sec)
hdb_entry *db_fetch (krb5_context, krb5_principal);
hdb_entry *db_fetch (krb5_principal);
krb5_error_code mk_des_keyblock (EncryptionKey *);
krb5_error_code tgs_rep(krb5_context, KDC_REQ *, krb5_data *, const char*);
krb5_error_code as_rep(krb5_context, KDC_REQ *, krb5_data *, const char*);
krb5_error_code tgs_rep(KDC_REQ *, krb5_data *, const char*);
krb5_error_code as_rep(KDC_REQ *, krb5_data *, const char*);
int maybe_version4(unsigned char*, int);
krb5_error_code do_version4(krb5_context, unsigned char*, size_t, krb5_data*,
krb5_error_code do_version4(unsigned char*, size_t, krb5_data*,
const char*, struct sockaddr_in*);
void loop (krb5_context);
void loop (void);
void kdc_log(krb5_context, int, const char *fmt, ...);
char* kdc_log_msg_va(krb5_context, int, const char*, va_list);
char* kdc_log_msg(krb5_context, int, const char*, ...);
void kdc_log(int, const char *fmt, ...);
char* kdc_log_msg_va(int, const char*, va_list);
char* kdc_log_msg(int, const char*, ...);
Key *unseal_key(Key *key);

51
kdc/kerberos4.c
View File

@@ -75,8 +75,7 @@ make_err_reply(krb5_data *reply, int code, const char *msg)
#define RCHECK(X, L) if(X){make_err_reply(reply, KFAILURE, "Packet too short"); goto L;}
krb5_error_code
do_version4(krb5_context context,
unsigned char *buf,
do_version4(unsigned char *buf,
size_t len,
krb5_data *reply,
const char *from,
@@ -99,7 +98,7 @@ do_version4(krb5_context context,
sp = krb5_storage_from_mem(buf, len);
RCHECK(krb5_ret_int8(sp, &pvno), out);
if(pvno != 4){
kdc_log(context, 0, "Protocol version mismatch (%d)", pvno);
kdc_log(0, "Protocol version mismatch (%d)", pvno);
make_err_reply(reply, KDC_PKT_VER, NULL);
goto out;
}
@@ -117,14 +116,14 @@ do_version4(krb5_context context,
RCHECK(krb5_ret_int8(sp, &life), out1);
RCHECK(krb5_ret_stringz(sp, &sname), out1);
RCHECK(krb5_ret_stringz(sp, &sinst), out1);
kdc_log(context, 0, "AS-REQ %s.%s@%s from %s for %s.%s",
kdc_log(0, "AS-REQ %s.%s@%s from %s for %s.%s",
name, inst, realm, from, sname, sinst);
ret = krb5_425_conv_principal(context, name, inst, realm,
&client_princ);
if(ret){
kdc_log(context, 0, "Converting client principal: %s",
kdc_log(0, "Converting client principal: %s",
krb5_get_err_text(context, ret));
make_err_reply(reply, KFAILURE,
"Failed to convert v4 principal (client)");
@@ -134,23 +133,23 @@ do_version4(krb5_context context,
ret = krb5_425_conv_principal(context, sname, sinst, v4_realm,
&server_princ);
if(ret){
kdc_log(context, 0, "Converting server principal: %s",
kdc_log(0, "Converting server principal: %s",
krb5_get_err_text(context, ret));
make_err_reply(reply, KFAILURE,
"Failed to convert v4 principal (server)");
goto out1;
}
client = db_fetch(context, client_princ);
client = db_fetch(client_princ);
if(client == NULL){
kdc_log(context, 0, "Client not found in database: %s.%s@%s",
kdc_log(0, "Client not found in database: %s.%s@%s",
name, inst, realm);
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL);
goto out1;
}
server = db_fetch(context, server_princ);
server = db_fetch(server_princ);
if(server == NULL){
kdc_log(context, 0, "Server not found in database: %s.%s@%s",
kdc_log(0, "Server not found in database: %s.%s@%s",
sname, sinst, v4_realm);
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL);
goto out1;
@@ -158,7 +157,7 @@ do_version4(krb5_context context,
ret = hdb_keytype2key(context, client, KEYTYPE_DES, &ckey);
if(ret){
kdc_log(context, 0, "%s", krb5_get_err_text(context, ret));
kdc_log(0, "%s", krb5_get_err_text(context, ret));
/* XXX */
make_err_reply(reply, KDC_NULL_KEY,
"No DES key in database (client)");
@@ -169,7 +168,7 @@ do_version4(krb5_context context,
while(ckey->salt == NULL || ckey->salt->length != 0)
ret = hdb_next_keytype2key(context, client, KEYTYPE_DES, &ckey);
if(ret){
kdc_log(context, 0, "No version-4 salted key in database -- %s.%s@%s",
kdc_log(0, "No version-4 salted key in database -- %s.%s@%s",
name, inst, realm);
make_err_reply(reply, KDC_NULL_KEY,
"No version-4 salted key in database");
@@ -178,7 +177,7 @@ do_version4(krb5_context context,
ret = hdb_keytype2key(context, server, KEYTYPE_DES, &skey);
if(ret){
kdc_log(context, 0, "%s", krb5_get_err_text(context, ret));
kdc_log(0, "%s", krb5_get_err_text(context, ret));
/* XXX */
make_err_reply(reply, KDC_NULL_KEY,
"No DES key in database (server)");
@@ -238,14 +237,14 @@ do_version4(krb5_context context,
ret = krb5_425_conv_principal(context, "krbtgt", realm, v4_realm,
&tgt_princ);
if(ret){
kdc_log(context, 0, "Converting krbtgt principal: %s",
kdc_log(0, "Converting krbtgt principal: %s",
krb5_get_err_text(context, ret));
make_err_reply(reply, KFAILURE,
"Failed to convert v4 principal (krbtgt)");
goto out2;
}
tgt = db_fetch(context, tgt_princ);
tgt = db_fetch(tgt_princ);
if(tgt == NULL){
char *s;
s = kdc_log_msg(context, 0, "Ticket-granting ticket not "
@@ -262,7 +261,7 @@ do_version4(krb5_context context,
ret = hdb_keytype2key(context, tgt, KEYTYPE_DES, &tkey);
if(ret){
kdc_log(context, 0, "%s", krb5_get_err_text(context, ret));
kdc_log(0, "%s", krb5_get_err_text(context, ret));
/* XXX */
make_err_reply(reply, KDC_NULL_KEY,
"No DES key in database (krbtgt)");
@@ -286,7 +285,7 @@ do_version4(krb5_context context,
e = krb_rd_req(&auth, "krbtgt", realm,
addr->sin_addr.s_addr, &ad, 0);
if(e){
kdc_log(context, 0, "krb_rd_req: %s", krb_get_err_text(e));
kdc_log(0, "krb_rd_req: %s", krb_get_err_text(e));
make_err_reply(reply, ret, NULL);
goto out2;
}
@@ -298,18 +297,18 @@ do_version4(krb5_context context,
RCHECK(krb5_ret_int8(sp, &life), out2);
RCHECK(krb5_ret_stringz(sp, &sname), out2);
RCHECK(krb5_ret_stringz(sp, &sinst), out2);
kdc_log(context, 0, "TGS-REQ %s.%s@%s from %s for %s.%s",
kdc_log(0, "TGS-REQ %s.%s@%s from %s for %s.%s",
ad.pname, ad.pinst, ad.prealm, from, sname, sinst);
if(strcmp(ad.prealm, realm)){
kdc_log(context, 0, "Can't hop realms %s -> %s", realm, ad.prealm);
kdc_log(0, "Can't hop realms %s -> %s", realm, ad.prealm);
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,
"Can't hop realms");
goto out2;
}
if(strcmp(sname, "changepw") == 0){
kdc_log(context, 0, "Bad request for changepw ticket");
kdc_log(0, "Bad request for changepw ticket");
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,
"Can't authorize password change based on TGT");
goto out2;
@@ -318,14 +317,14 @@ do_version4(krb5_context context,
ret = krb5_425_conv_principal(context, ad.pname, ad.pinst, ad.prealm,
&client_princ);
if(ret){
kdc_log(context, 0, "Converting client principal: %s",
kdc_log(0, "Converting client principal: %s",
krb5_get_err_text(context, ret));
make_err_reply(reply, KFAILURE,
"Failed to convert v4 principal (client)");
goto out2;
}
client = db_fetch(context, client_princ);
client = db_fetch(client_princ);
if(client == NULL){
char *s;
s = kdc_log_msg(context, 0,
@@ -339,13 +338,13 @@ do_version4(krb5_context context,
ret = krb5_425_conv_principal(context, sname, sinst, v4_realm,
&server_princ);
if(ret){
kdc_log(context, 0, "Converting server principal: %s",
kdc_log(0, "Converting server principal: %s",
krb5_get_err_text(context, ret));
make_err_reply(reply, KFAILURE,
"Failed to convert v4 principal (server)");
goto out2;
}
server = db_fetch(context, server_princ);
server = db_fetch(server_princ);
if(server == NULL){
char *s;
s = kdc_log_msg(context, 0,
@@ -358,7 +357,7 @@ do_version4(krb5_context context,
ret = hdb_keytype2key(context, server, KEYTYPE_DES, &skey);
if(ret){
kdc_log(context, 0, "%s", krb5_get_err_text(context, ret));
kdc_log(0, "%s", krb5_get_err_text(context, ret));
/* XXX */
make_err_reply(reply, KDC_NULL_KEY,
"No DES key in database (server)");
@@ -410,7 +409,7 @@ do_version4(krb5_context context,
case AUTH_MSG_ERR_REPLY:
break;
default:
kdc_log(context, 0, "Unknown message type: %d from %s",
kdc_log(0, "Unknown message type: %d from %s",
msg_type, from);
make_err_reply(reply, KFAILURE, "Unknown message type");

162
kdc/kerberos5.c
View File

@@ -43,8 +43,7 @@ RCSID("$Id$");
#define MAX_TIME ((time_t)((1U << 31) - 1))
krb5_error_code
as_rep(krb5_context context,
KDC_REQ *req,
as_rep(KDC_REQ *req,
krb5_data *reply,
const char *from)
{
@@ -80,60 +79,60 @@ as_rep(krb5_context context,
principalname2krb5_principal (&client_princ, *(b->cname), b->realm);
krb5_unparse_name(context, client_princ, &client_name);
}
kdc_log(context, 0, "AS-REQ %s from %s for %s",
kdc_log(0, "AS-REQ %s from %s for %s",
client_name, from, server_name);
if(ret)
goto out;
client = db_fetch(context, client_princ);
client = db_fetch(client_princ);
if(client == NULL){
kdc_log(context, 0, "UNKNOWN -- %s", client_name);
kdc_log(0, "UNKNOWN -- %s", client_name);
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto out;
}
if (client->valid_start && *client->valid_start > kdc_time) {
kdc_log(context, 0, "Client not yet valid -- %s", client_name);
kdc_log(0, "Client not yet valid -- %s", client_name);
ret = KRB5KDC_ERR_CLIENT_NOTYET;
goto out;
}
if (client->valid_end && *client->valid_end < kdc_time) {
kdc_log(context, 0, "Client expired -- %s", client_name);
kdc_log(0, "Client expired -- %s", client_name);
ret = KRB5KDC_ERR_NAME_EXP;
goto out;
}
server = db_fetch(context, server_princ);
server = db_fetch(server_princ);
if(server == NULL){
kdc_log(context, 0, "UNKNOWN -- %s", server_name);
kdc_log(0, "UNKNOWN -- %s", server_name);
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto out;
}
if (server->valid_start && *server->valid_start > kdc_time) {
kdc_log(context, 0, "Server not yet valid -- %s", server_name);
kdc_log(0, "Server not yet valid -- %s", server_name);
ret = KRB5KDC_ERR_SERVICE_NOTYET;
goto out;
}
if (server->valid_end && *server->valid_end < kdc_time) {
kdc_log(context, 0, "Server expired -- %s", server_name);
kdc_log(0, "Server expired -- %s", server_name);
ret = KRB5KDC_ERR_SERVICE_EXP;
goto out;
}
if(!client->flags.client){
ret = KRB5KDC_ERR_POLICY;
kdc_log(context, 0, "Principal may not act as client -- %s",
kdc_log(0, "Principal may not act as client -- %s",
client_name);
goto out;
}
if(!server->flags.server){
ret = KRB5KDC_ERR_POLICY;
kdc_log(context, 0, "Principal (%s) may not act as server -- %s",
kdc_log(0, "Principal (%s) may not act as server -- %s",
server_name, client_name);
goto out;
}
@@ -141,7 +140,7 @@ as_rep(krb5_context context,
if (client->pw_end && *client->pw_end < kdc_time
&& !server->flags.change_pw) {
ret = KRB5KDC_ERR_KEY_EXPIRED;
kdc_log(context, 0, "Client (%s)'s key has expired", client_name);
kdc_log(0, "Client (%s)'s key has expired", client_name);
goto out;
}
@@ -158,7 +157,7 @@ as_rep(krb5_context context,
if(ret){
ret = KRB5KDC_ERR_ETYPE_NOSUPP;
kdc_log(context, 0, "No support for etypes -- %s", client_name);
kdc_log(0, "No support for etypes -- %s", client_name);
goto out;
}
@@ -171,7 +170,7 @@ as_rep(krb5_context context,
int i;
PA_DATA *pa;
int found_pa = 0;
kdc_log(context, 5, "Looking for pa-data -- %s", client_name);
kdc_log(5, "Looking for pa-data -- %s", client_name);
for(i = 0; i < req->padata->len; i++){
PA_DATA *pa = &req->padata->val[i];
if(pa->padata_type == pa_enc_timestamp){
@@ -181,7 +180,7 @@ as_rep(krb5_context context,
size_t len;
EncryptedData enc_data;
kdc_log(context, 5, "Found pa-enc-timestamp -- %s",
kdc_log(5, "Found pa-enc-timestamp -- %s",
client_name);
found_pa = 1;
@@ -191,7 +190,7 @@ as_rep(krb5_context context,
&len);
if (ret) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
kdc_log(context, 5, "Failed to decode PA-DATA -- %s",
kdc_log(5, "Failed to decode PA-DATA -- %s",
client_name);
goto out;
}
@@ -208,7 +207,7 @@ as_rep(krb5_context context,
free_EncryptedData(&enc_data);
if(ret){
e_text = "Failed to decrypt PA-DATA";
kdc_log (context, 5, "Failed to decrypt PA-DATA -- %s",
kdc_log (5, "Failed to decrypt PA-DATA -- %s",
client_name);
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
continue;
@@ -221,7 +220,7 @@ as_rep(krb5_context context,
if(ret){
e_text = "Failed to decode PA-ENC-TS-ENC";
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
kdc_log (context, 5, "Failed to decode PA-ENC-TS_ENC -- %s",
kdc_log (5, "Failed to decode PA-ENC-TS_ENC -- %s",
client_name);
continue;
}
@@ -237,16 +236,16 @@ as_rep(krb5_context context,
server_princ,
0,
reply);
kdc_log(context, 0, "Too large time skew -- %s",
kdc_log(0, "Too large time skew -- %s",
client_name);
goto out2;
}
et.flags.pre_authent = 1;
kdc_log(context, 2, "Pre-authentication succeded -- %s",
kdc_log(2, "Pre-authentication succeded -- %s",
client_name);
break;
} else {
kdc_log(context, 5, "Found pa-data of type %d -- %s",
kdc_log(5, "Found pa-data of type %d -- %s",
pa->padata_type, client_name);
}
}
@@ -256,7 +255,7 @@ as_rep(krb5_context context,
/* We come here if we found a pa-enc-timestamp, but if there
was some problem with it, other than too large skew */
if(et.flags.pre_authent == 0){
kdc_log(context, 0, "%s -- %s", e_text, client_name);
kdc_log(0, "%s -- %s", e_text, client_name);
e_text = NULL;
goto out;
}
@@ -293,11 +292,11 @@ as_rep(krb5_context context,
0,
reply);
kdc_log(context, 0, "No PA-ENC-TIMESTAMP -- %s", client_name);
kdc_log(0, "No PA-ENC-TIMESTAMP -- %s", client_name);
goto out2;
}
kdc_log(context, 2, "Using etype %d -- %s", etype, client_name);
kdc_log(2, "Using etype %d -- %s", etype, client_name);
memset(&rep, 0, sizeof(rep));
rep.pvno = 5;
@@ -310,7 +309,7 @@ as_rep(krb5_context context,
if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey){
ret = KRB5KDC_ERR_BADOPTION;
kdc_log(context, 0, "Bad KDC options -- %s", client_name);
kdc_log(0, "Bad KDC options -- %s", client_name);
goto out;
}
@@ -319,21 +318,21 @@ as_rep(krb5_context context,
et.flags.forwardable = f.forwardable;
else{
ret = KRB5KDC_ERR_POLICY;
kdc_log(context, 0, "Ticket may not be forwardable -- %s", client_name);
kdc_log(0, "Ticket may not be forwardable -- %s", client_name);
goto out;
}
if(client->flags.proxiable && server->flags.proxiable)
et.flags.proxiable = f.proxiable;
else{
ret = KRB5KDC_ERR_POLICY;
kdc_log(context, 0, "Ticket may not be proxiable -- %s", client_name);
kdc_log(0, "Ticket may not be proxiable -- %s", client_name);
goto out;
}
if(client->flags.postdate && server->flags.postdate)
et.flags.may_postdate = f.allow_postdate;
else{
ret = KRB5KDC_ERR_POLICY;
kdc_log(context, 0, "Ticket may not be postdatable -- %s", client_name);
kdc_log(0, "Ticket may not be postdatable -- %s", client_name);
goto out;
}
@@ -352,7 +351,7 @@ as_rep(krb5_context context,
start = *et.starttime = *req->req_body.from;
et.flags.invalid = 1;
et.flags.postdated = 1; /* XXX ??? */
kdc_log(context, 2, "Postdated ticket requested -- %s",
kdc_log(2, "Postdated ticket requested -- %s",
client_name);
}
if(b->till == 0)
@@ -456,7 +455,7 @@ as_rep(krb5_context context,
&et, &len);
free_EncTicketPart(&et);
if(ret) {
kdc_log(context, 0, "Failed to encode ticket -- %s", client);
kdc_log(0, "Failed to encode ticket -- %s", client);
goto out;
}
@@ -473,7 +472,7 @@ as_rep(krb5_context context,
&ek, &len);
free_EncKDCRepPart(&ek);
if(ret) {
kdc_log(context, 0, "Failed to encode KDC-REP -- %s", client_name);
kdc_log(0, "Failed to encode KDC-REP -- %s", client_name);
goto out;
}
ekey = unseal_key(ckey);
@@ -495,7 +494,7 @@ as_rep(krb5_context context,
ret = encode_AS_REP(buf + sizeof(buf) - 1, sizeof(buf), &rep, &len);
free_AS_REP(&rep);
if(ret) {
kdc_log(context, 0, "Failed to encode AS-REP -- %s", client_name);
kdc_log(0, "Failed to encode AS-REP -- %s", client_name);
goto out;
}
@@ -531,37 +530,36 @@ out2:
static krb5_error_code
check_tgs_flags(krb5_context context, KDC_REQ_BODY *b,
EncTicketPart *tgt, EncTicketPart *et)
check_tgs_flags(KDC_REQ_BODY *b, EncTicketPart *tgt, EncTicketPart *et)
{
KDCOptions f = b->kdc_options;
if(f.validate){
if(!tgt->flags.invalid || tgt->starttime == NULL){
kdc_log(context, 0, "Bad request to validate ticket");
kdc_log(0, "Bad request to validate ticket");
return KRB5KDC_ERR_BADOPTION;
}
if(*tgt->starttime < kdc_time){
kdc_log(context, 0, "Early request to validate ticket");
kdc_log(0, "Early request to validate ticket");
return KRB5KRB_AP_ERR_TKT_NYV;
}
/* XXX tkt = tgt */
et->flags.invalid = 0;
}else if(tgt->flags.invalid){
kdc_log(context, 0, "Ticket-granting ticket has INVALID flag set");
kdc_log(0, "Ticket-granting ticket has INVALID flag set");
return KRB5KRB_AP_ERR_TKT_INVALID;
}
if(f.forwardable){
if(!tgt->flags.forwardable){
kdc_log(context, 0, "Bad request for forwardable ticket");
kdc_log(0, "Bad request for forwardable ticket");
return KRB5KDC_ERR_BADOPTION;
}
et->flags.forwardable = 1;
}
if(f.forwarded){
if(!tgt->flags.forwardable){
kdc_log(context, 0, "Request to forward non-forwardable ticket");
kdc_log(0, "Request to forward non-forwardable ticket");
return KRB5KDC_ERR_BADOPTION;
}
et->flags.forwarded = 1;
@@ -572,14 +570,14 @@ check_tgs_flags(krb5_context context, KDC_REQ_BODY *b,
if(f.proxiable){
if(!tgt->flags.proxiable){
kdc_log(context, 0, "Bad request for proxiable ticket");
kdc_log(0, "Bad request for proxiable ticket");
return KRB5KDC_ERR_BADOPTION;
}
et->flags.proxiable = 1;
}
if(f.proxy){
if(!tgt->flags.proxiable){
kdc_log(context, 0, "Request to proxy non-proxiable ticket");
kdc_log(0, "Request to proxy non-proxiable ticket");
return KRB5KDC_ERR_BADOPTION;
}
et->flags.proxy = 1;
@@ -590,14 +588,14 @@ check_tgs_flags(krb5_context context, KDC_REQ_BODY *b,
if(f.allow_postdate){
if(!tgt->flags.may_postdate){
kdc_log(context, 0, "Bad request for post-datable ticket");
kdc_log(0, "Bad request for post-datable ticket");
return KRB5KDC_ERR_BADOPTION;
}
et->flags.may_postdate = 1;
}
if(f.postdated){
if(!tgt->flags.may_postdate){
kdc_log(context, 0, "Bad request for postdated ticket");
kdc_log(0, "Bad request for postdated ticket");
return KRB5KDC_ERR_BADOPTION;
}
if(b->from)
@@ -605,13 +603,13 @@ check_tgs_flags(krb5_context context, KDC_REQ_BODY *b,
et->flags.postdated = 1;
et->flags.invalid = 1;
}else if(b->from && *b->from > kdc_time + context->max_skew){
kdc_log(context, 0, "Ticket cannot be postdated");
kdc_log(0, "Ticket cannot be postdated");
return KRB5KDC_ERR_CANNOT_POSTDATE;
}
if(f.renewable){
if(!tgt->flags.renewable){
kdc_log(context, 0, "Bad request for renewable ticket");
kdc_log(0, "Bad request for renewable ticket");
return KRB5KDC_ERR_BADOPTION;
}
et->flags.renewable = 1;
@@ -621,7 +619,7 @@ check_tgs_flags(krb5_context context, KDC_REQ_BODY *b,
if(f.renew){
time_t old_life;
if(!tgt->flags.renewable || tgt->renew_till == NULL){
kdc_log(context, 0, "Request to renew non-renewable ticket");
kdc_log(0, "Request to renew non-renewable ticket");
return KRB5KDC_ERR_BADOPTION;
}
old_life = tgt->endtime;
@@ -637,7 +635,7 @@ check_tgs_flags(krb5_context context, KDC_REQ_BODY *b,
}
static krb5_error_code
tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, EncTicketPart *tgt,
tgs_make_reply(KDC_REQ_BODY *b, EncTicketPart *tgt,
hdb_entry *server, hdb_entry *client, krb5_data *reply)
{
KDC_REP rep;
@@ -657,7 +655,7 @@ tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, EncTicketPart *tgt,
}
if(ret){
kdc_log(context, 0, "Failed to find requested etype");
kdc_log(0, "Failed to find requested etype");
return KRB5KDC_ERR_ETYPE_NOSUPP;
}
@@ -675,7 +673,7 @@ tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, EncTicketPart *tgt,
ALLOC(et.starttime);
*et.starttime = kdc_time;
ret = check_tgs_flags(context, b, tgt, &et);
ret = check_tgs_flags(b, tgt, &et);
if(ret)
return ret;
@@ -766,7 +764,7 @@ tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, EncTicketPart *tgt,
ret = encode_EncTicketPart(buf + sizeof(buf) - 1,
sizeof(buf), &et, &len);
if(ret){
kdc_log(context, 0, "Failed to encode EncTicketPart: %s",
kdc_log(0, "Failed to encode EncTicketPart: %s",
krb5_get_err_text(context, ret));
goto out;
}
@@ -780,7 +778,7 @@ tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, EncTicketPart *tgt,
ret = encode_EncTGSRepPart(buf + sizeof(buf) - 1,
sizeof(buf), &ek, &len);
if(ret){
kdc_log(context, 0, "Failed to encode EncTicketPart: %s",
kdc_log(0, "Failed to encode EncTicketPart: %s",
krb5_get_err_text(context, ret));
goto out;
}
@@ -805,7 +803,7 @@ tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, EncTicketPart *tgt,
ret = encode_TGS_REP(buf + sizeof(buf) - 1, sizeof(buf), &rep, &len);
if(ret){
kdc_log(context, 0, "Failed to encode TGS-REP: %s",
kdc_log(0, "Failed to encode TGS-REP: %s",
krb5_get_err_text(context, ret));
goto out;
}
@@ -824,7 +822,7 @@ tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, EncTicketPart *tgt,
}
static krb5_error_code
tgs_check_authenticator(krb5_context context, krb5_auth_context ac,
tgs_check_authenticator(krb5_auth_context ac,
KDC_REQ_BODY *b, krb5_keyblock *key)
{
krb5_authenticator auth;
@@ -834,7 +832,7 @@ tgs_check_authenticator(krb5_context context, krb5_auth_context ac,
krb5_auth_getauthenticator(context, ac, &auth);
if(auth->cksum == NULL){
kdc_log(context, 0, "No authenticator in request");
kdc_log(0, "No authenticator in request");
ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
goto out;
}
@@ -842,7 +840,7 @@ tgs_check_authenticator(krb5_context context, krb5_auth_context ac,
if (auth->cksum->cksumtype != CKSUMTYPE_RSA_MD4 &&
auth->cksum->cksumtype != CKSUMTYPE_RSA_MD5 &&
auth->cksum->cksumtype != CKSUMTYPE_RSA_MD5_DES){
kdc_log(context, 0, "Bad checksum type in authenticator: %d",
kdc_log(0, "Bad checksum type in authenticator: %d",
auth->cksum->cksumtype);
ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
goto out;
@@ -852,7 +850,7 @@ tgs_check_authenticator(krb5_context context, krb5_auth_context ac,
ret = encode_KDC_REQ_BODY(buf + sizeof(buf) - 1, sizeof(buf),
b, &len);
if(ret){
kdc_log(context, 0, "Failed to encode KDC-REQ-BODY: %s",
kdc_log(0, "Failed to encode KDC-REQ-BODY: %s",
krb5_get_err_text(context, ret));
goto out;
}
@@ -860,7 +858,7 @@ tgs_check_authenticator(krb5_context context, krb5_auth_context ac,
key,
auth->cksum);
if(ret){
kdc_log(context, 0, "Failed to verify checksum: %s",
kdc_log(0, "Failed to verify checksum: %s",
krb5_get_err_text(context, ret));
}
out:
@@ -872,8 +870,7 @@ out:
static krb5_error_code
tgs_rep2(krb5_context context,
KDC_REQ_BODY *b,
tgs_rep2(KDC_REQ_BODY *b,
krb5_principal sp,
PA_DATA *pa_data,
krb5_data *reply,
@@ -895,14 +892,14 @@ tgs_rep2(krb5_context context,
ret = krb5_decode_ap_req(context, &pa_data->padata_value, &ap_req);
if(ret){
kdc_log(context, 0, "Failed to decode AP-REQ: %s",
kdc_log(0, "Failed to decode AP-REQ: %s",
krb5_get_err_text(context, ret));
goto out;
}
if(ap_req.ticket.sname.name_string.len != 2 ||
strcmp(ap_req.ticket.sname.name_string.val[0], "krbtgt")){
kdc_log(context, 0, "PA-DATA is not a ticket-granting ticket");
kdc_log(0, "PA-DATA is not a ticket-granting ticket");
ret = KRB5KDC_ERR_POLICY; /* ? */
goto out;
}
@@ -911,12 +908,12 @@ tgs_rep2(krb5_context context,
ap_req.ticket.sname,
ap_req.ticket.realm);
krbtgt = db_fetch(context, princ);
krbtgt = db_fetch(princ);
if(krbtgt == NULL) {
char *p;
krb5_unparse_name(context, princ, &p);
kdc_log(context, 0, "Ticket-granting ticket not found in database: %s",
kdc_log(0, "Ticket-granting ticket not found in database: %s",
p);
free(p);
ret = KRB5KRB_AP_ERR_NOT_US;
@@ -935,19 +932,19 @@ tgs_rep2(krb5_context context,
krb5_free_principal(context, princ);
if(ret) {
kdc_log(context, 0, "Failed to verify AP-REQ: %s",
kdc_log(0, "Failed to verify AP-REQ: %s",
krb5_get_err_text(context, ret));
goto out;
}
tgt = &ticket->ticket;
ret = tgs_check_authenticator(context, ac, b, &tgt->key);
ret = tgs_check_authenticator(ac, b, &tgt->key);
krb5_auth_con_free(context, ac);
if(ret){
kdc_log(context, 0, "Failed to verify authenticator: %s",
kdc_log(0, "Failed to verify authenticator: %s",
krb5_get_err_text(context, ret));
goto out;
}
@@ -969,7 +966,7 @@ tgs_rep2(krb5_context context,
principalname2krb5_principal(&p,
b->additional_tickets->val[0].sname,
b->additional_tickets->val[0].realm);
uu = db_fetch(context, p);
uu = db_fetch(p);
krb5_free_principal(context, p);
if(uu == NULL){
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
@@ -985,23 +982,23 @@ tgs_rep2(krb5_context context,
principalname2krb5_principal(&sp, *s, r);
#endif
krb5_unparse_name(context, sp, &spn);
server = db_fetch(context, sp);
server = db_fetch(sp);
principalname2krb5_principal(&cp, tgt->cname, tgt->crealm);
krb5_unparse_name(context, cp, &cpn);
client = db_fetch(context, cp);
client = db_fetch(cp);
kdc_log(context, 0, "TGS-REQ %s from %s for %s", cpn, from, spn);
kdc_log(0, "TGS-REQ %s from %s for %s", cpn, from, spn);
if(server == NULL){
kdc_log(context, 0, "Server not found in database: %s", spn);
kdc_log(0, "Server not found in database: %s", spn);
/* do foreign realm stuff */
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto out;
}
if(client == NULL){
kdc_log(context, 0, "Client not found in database: %s", cpn);
kdc_log(0, "Client not found in database: %s", cpn);
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto out;
}
@@ -1010,12 +1007,12 @@ tgs_rep2(krb5_context context,
!krb5_principal_compare(context,
krbtgt->principal,
server->principal)){
kdc_log(context, 0, "Inconsistent request.");
kdc_log(0, "Inconsistent request.");
ret = KRB5KDC_ERR_SERVER_NOMATCH;
goto out;
}
ret = tgs_make_reply(context, b, tgt, server, client, reply);
ret = tgs_make_reply(b, tgt, server, client, reply);
out:
if(ret)
@@ -1054,7 +1051,7 @@ tgs_rep2(krb5_context context,
}
static krb5_error_code
request_server(krb5_context context, KDC_REQ *req, krb5_principal *server)
request_server(KDC_REQ *req, krb5_principal *server)
{
PrincipalName *s = NULL;
Realm r;
@@ -1075,8 +1072,7 @@ request_server(krb5_context context, KDC_REQ *req, krb5_principal *server)
krb5_error_code
tgs_rep(krb5_context context,
KDC_REQ *req,
tgs_rep(KDC_REQ *req,
krb5_data *data,
const char *from)
{
@@ -1085,11 +1081,11 @@ tgs_rep(krb5_context context,
PA_DATA *pa_data = NULL;
krb5_principal server;
request_server(context, req, &server);
request_server(req, &server);
if(req->padata == NULL){
ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
kdc_log(context, 0, "TGS-REQ from %s without PA-DATA", from);
kdc_log(0, "TGS-REQ from %s without PA-DATA", from);
goto out;
}
@@ -1101,10 +1097,10 @@ tgs_rep(krb5_context context,
if(pa_data == NULL){
ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
kdc_log(context, 0, "TGS-REQ from %s without PA-TGS-REQ", from);
kdc_log(0, "TGS-REQ from %s without PA-TGS-REQ", from);
goto out;
}
ret = tgs_rep2(context, &req->req_body, server, pa_data, data, from);
ret = tgs_rep2(&req->req_body, server, pa_data, data, from);
out:
if(ret && data->data == NULL)
krb5_mk_error(context,

10
kdc/log.c
View File

@@ -43,7 +43,7 @@ extern int loglevel;
static krb5_log_facility *logf;
char*
kdc_log_msg_va(krb5_context context, int level, const char *fmt, va_list ap)
kdc_log_msg_va(int level, const char *fmt, va_list ap)
{
char *msg;
if(level > loglevel)
@@ -56,23 +56,23 @@ kdc_log_msg_va(krb5_context context, int level, const char *fmt, va_list ap)
}
char*
kdc_log_msg(krb5_context context, int level, const char *fmt, ...)
kdc_log_msg(int level, const char *fmt, ...)
{
va_list ap;
char *s;
va_start(ap, fmt);
s = kdc_log_msg_va(context, level, fmt, ap);
s = kdc_log_msg_va(level, fmt, ap);
va_end(ap);
return s;
}
void
kdc_log(krb5_context context, int level, const char *fmt, ...)
kdc_log(int level, const char *fmt, ...)
{
va_list ap;
char *s;
va_start(ap, fmt);
s = kdc_log_msg_va(context, level, fmt, ap);
s = kdc_log_msg_va(level, fmt, ap);
if(s) free(s);
va_end(ap);
}

10
kdc/main.c
View File

@@ -41,6 +41,7 @@
RCSID("$Id$");
sig_atomic_t exit_flag = 0;
krb5_context context;
static RETSIGTYPE
sigterm(int sig)
@@ -58,7 +59,6 @@ usage(void)
int
main(int argc, char **argv)
{
krb5_context context;
int c;
set_progname(argv[0]);
@@ -73,15 +73,13 @@ main(int argc, char **argv)
EncryptionKey key;
f = fopen(keyfile, "r");
if(f == NULL){
kdc_log(context, 0, "Failed to open master key file %s",
keyfile);
kdc_log(0, "Failed to open master key file %s", keyfile);
exit(1);
}
len = fread(buf, 1, sizeof(buf), f);
fclose(f);
if(decode_EncryptionKey(buf, len, &key, &len)){
kdc_log(context, 0,
"Failed to parse contents of master key file %s", keyfile);
kdc_log(0, "Failed to parse contents of master key file %s", keyfile);
exit(1);
}
set_master_key(&key);
@@ -95,7 +93,7 @@ main(int argc, char **argv)
signal(SIGINT, sigterm);
loop(context);
loop();
krb5_free_context(context);
return 0;
}

4
kdc/misc.c
View File

@@ -43,7 +43,7 @@ RCSID("$Id$");
struct timeval now;
hdb_entry*
db_fetch(krb5_context context, krb5_principal principal)
db_fetch(krb5_principal principal)
{
HDB *db;
hdb_entry *ent;
@@ -51,7 +51,7 @@ db_fetch(krb5_context context, krb5_principal principal)
ret = hdb_open(context, &db, NULL, O_RDONLY, 0);
if (ret) {
kdc_log(context, 0, "Failed to open database: %s",
kdc_log(0, "Failed to open database: %s",
krb5_get_err_text(context, ret));
return NULL;
}