Make context global.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@2701 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Johan Danielsson
@@ -90,8 +90,7 @@ init_sockets(struct descr **d)
|
|||||||
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
process_request(krb5_context context,
|
process_request(unsigned char *buf,
|
||||||
unsigned char *buf,
|
|
||||||
size_t len,
|
size_t len,
|
||||||
krb5_data *reply,
|
krb5_data *reply,
|
||||||
const char *from,
|
const char *from,
|
||||||
@@ -103,24 +102,24 @@ process_request(krb5_context context,
|
|||||||
|
|
||||||
gettimeofday(&now, NULL);
|
gettimeofday(&now, NULL);
|
||||||
if(decode_AS_REQ(buf, len, &req, &i) == 0){
|
if(decode_AS_REQ(buf, len, &req, &i) == 0){
|
||||||
err = as_rep(context, &req, reply, from);
|
err = as_rep(&req, reply, from);
|
||||||
free_AS_REQ(&req);
|
free_AS_REQ(&req);
|
||||||
return err;
|
return err;
|
||||||
}else if(decode_TGS_REQ(buf, len, &req, &i) == 0){
|
}else if(decode_TGS_REQ(buf, len, &req, &i) == 0){
|
||||||
err = tgs_rep(context, &req, reply, from);
|
err = tgs_rep(&req, reply, from);
|
||||||
free_TGS_REQ(&req);
|
free_TGS_REQ(&req);
|
||||||
return err;
|
return err;
|
||||||
}
|
}
|
||||||
#ifdef KRB4
|
#ifdef KRB4
|
||||||
else if(maybe_version4(buf, len))
|
else if(maybe_version4(buf, len))
|
||||||
do_version4(context, buf, len, reply, from, (struct sockaddr_in*)addr);
|
do_version4(buf, len, reply, from, (struct sockaddr_in*)addr);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
do_request(krb5_context context, void *buf, size_t len,
|
do_request(void *buf, size_t len,
|
||||||
int socket, struct sockaddr *from, size_t from_len)
|
int socket, struct sockaddr *from, size_t from_len)
|
||||||
{
|
{
|
||||||
krb5_error_code ret;
|
krb5_error_code ret;
|
||||||
@@ -131,22 +130,22 @@ do_request(krb5_context context, void *buf, size_t len,
|
|||||||
strcpy(addr, inet_ntoa(((struct sockaddr_in*)from)->sin_addr));
|
strcpy(addr, inet_ntoa(((struct sockaddr_in*)from)->sin_addr));
|
||||||
|
|
||||||
reply.length = 0;
|
reply.length = 0;
|
||||||
ret = process_request(context, buf, len, &reply, addr, from);
|
ret = process_request(buf, len, &reply, addr, from);
|
||||||
if(reply.length){
|
if(reply.length){
|
||||||
kdc_log(context, 5, "sending %d bytes to %s", reply.length, addr);
|
kdc_log(5, "sending %d bytes to %s", reply.length, addr);
|
||||||
sendto(socket, reply.data, reply.length, 0, from, from_len);
|
sendto(socket, reply.data, reply.length, 0, from, from_len);
|
||||||
krb5_data_free(&reply);
|
krb5_data_free(&reply);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
handle_udp(krb5_context context, struct descr *d)
|
handle_udp(struct descr *d)
|
||||||
{
|
{
|
||||||
unsigned char buf[1024];
|
unsigned char buf[1024];
|
||||||
struct sockaddr_in from;
|
struct sockaddr_in from;
|
||||||
int from_len = sizeof(from);
|
int from_len = sizeof(from);
|
||||||
size_t n;
|
size_t n;
|
||||||
|
|
||||||
n = recvfrom(d->s, buf, sizeof(buf), 0,
|
n = recvfrom(d->s, buf, sizeof(buf), 0,
|
||||||
(struct sockaddr*)&from, &from_len);
|
(struct sockaddr*)&from, &from_len);
|
||||||
if(n < 0){
|
if(n < 0){
|
||||||
@@ -156,7 +155,7 @@ handle_udp(krb5_context context, struct descr *d)
|
|||||||
if(n == 0){
|
if(n == 0){
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
do_request(context, buf, n, d->s, (struct sockaddr*)&from, from_len);
|
do_request(buf, n, d->s, (struct sockaddr*)&from, from_len);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
@@ -171,7 +170,7 @@ clear_descr(struct descr *d)
|
|||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
handle_tcp(krb5_context context, struct descr *d, int index, int min_free)
|
handle_tcp(struct descr *d, int index, int min_free)
|
||||||
{
|
{
|
||||||
unsigned char buf[1024];
|
unsigned char buf[1024];
|
||||||
struct sockaddr_in from;
|
struct sockaddr_in from;
|
||||||
@@ -236,7 +235,7 @@ handle_tcp(krb5_context context, struct descr *d, int index, int min_free)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
if(n == 0){
|
if(n == 0){
|
||||||
do_request(context, d[index].buf, d[index].len,
|
do_request(d[index].buf, d[index].len,
|
||||||
d[index].s, (struct sockaddr*)&from, from_len);
|
d[index].s, (struct sockaddr*)&from, from_len);
|
||||||
clear_descr(d + index);
|
clear_descr(d + index);
|
||||||
}
|
}
|
||||||
@@ -245,7 +244,7 @@ handle_tcp(krb5_context context, struct descr *d, int index, int min_free)
|
|||||||
|
|
||||||
|
|
||||||
void
|
void
|
||||||
loop(krb5_context context)
|
loop(void)
|
||||||
{
|
{
|
||||||
struct descr *d;
|
struct descr *d;
|
||||||
int ndescr;
|
int ndescr;
|
||||||
@@ -292,9 +291,9 @@ loop(krb5_context context)
|
|||||||
for(i = 0; i < ndescr; i++)
|
for(i = 0; i < ndescr; i++)
|
||||||
if(d[i].s >= 0 && FD_ISSET(d[i].s, &fds))
|
if(d[i].s >= 0 && FD_ISSET(d[i].s, &fds))
|
||||||
if(d[i].type == SOCK_DGRAM)
|
if(d[i].type == SOCK_DGRAM)
|
||||||
handle_udp(context, &d[i]);
|
handle_udp(&d[i]);
|
||||||
else if(d[i].type == SOCK_STREAM)
|
else if(d[i].type == SOCK_STREAM)
|
||||||
handle_tcp(context, d, i, min_free);
|
handle_tcp(d, i, min_free);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
free (d);
|
free (d);
|
||||||
|
|||||||
@@ -83,9 +83,12 @@
|
|||||||
|
|
||||||
#include "hdb.h"
|
#include "hdb.h"
|
||||||
|
|
||||||
|
extern krb5_context context;
|
||||||
|
|
||||||
extern int require_preauth;
|
extern int require_preauth;
|
||||||
extern sig_atomic_t exit_flag;
|
extern sig_atomic_t exit_flag;
|
||||||
extern char *keyfile;
|
extern char *keyfile;
|
||||||
|
extern size_t max_request;
|
||||||
|
|
||||||
#ifdef KRB4
|
#ifdef KRB4
|
||||||
extern char *v4_realm;
|
extern char *v4_realm;
|
||||||
@@ -94,22 +97,22 @@ extern char *v4_realm;
|
|||||||
extern struct timeval now;
|
extern struct timeval now;
|
||||||
#define kdc_time (now.tv_sec)
|
#define kdc_time (now.tv_sec)
|
||||||
|
|
||||||
hdb_entry *db_fetch (krb5_context, krb5_principal);
|
hdb_entry *db_fetch (krb5_principal);
|
||||||
|
|
||||||
krb5_error_code mk_des_keyblock (EncryptionKey *);
|
krb5_error_code mk_des_keyblock (EncryptionKey *);
|
||||||
|
|
||||||
krb5_error_code tgs_rep(krb5_context, KDC_REQ *, krb5_data *, const char*);
|
krb5_error_code tgs_rep(KDC_REQ *, krb5_data *, const char*);
|
||||||
krb5_error_code as_rep(krb5_context, KDC_REQ *, krb5_data *, const char*);
|
krb5_error_code as_rep(KDC_REQ *, krb5_data *, const char*);
|
||||||
|
|
||||||
int maybe_version4(unsigned char*, int);
|
int maybe_version4(unsigned char*, int);
|
||||||
krb5_error_code do_version4(krb5_context, unsigned char*, size_t, krb5_data*,
|
krb5_error_code do_version4(unsigned char*, size_t, krb5_data*,
|
||||||
const char*, struct sockaddr_in*);
|
const char*, struct sockaddr_in*);
|
||||||
|
|
||||||
void loop (krb5_context);
|
void loop (void);
|
||||||
|
|
||||||
void kdc_log(krb5_context, int, const char *fmt, ...);
|
void kdc_log(int, const char *fmt, ...);
|
||||||
char* kdc_log_msg_va(krb5_context, int, const char*, va_list);
|
char* kdc_log_msg_va(int, const char*, va_list);
|
||||||
char* kdc_log_msg(krb5_context, int, const char*, ...);
|
char* kdc_log_msg(int, const char*, ...);
|
||||||
|
|
||||||
Key *unseal_key(Key *key);
|
Key *unseal_key(Key *key);
|
||||||
|
|
||||||
|
|||||||
@@ -75,8 +75,7 @@ make_err_reply(krb5_data *reply, int code, const char *msg)
|
|||||||
#define RCHECK(X, L) if(X){make_err_reply(reply, KFAILURE, "Packet too short"); goto L;}
|
#define RCHECK(X, L) if(X){make_err_reply(reply, KFAILURE, "Packet too short"); goto L;}
|
||||||
|
|
||||||
krb5_error_code
|
krb5_error_code
|
||||||
do_version4(krb5_context context,
|
do_version4(unsigned char *buf,
|
||||||
unsigned char *buf,
|
|
||||||
size_t len,
|
size_t len,
|
||||||
krb5_data *reply,
|
krb5_data *reply,
|
||||||
const char *from,
|
const char *from,
|
||||||
@@ -99,7 +98,7 @@ do_version4(krb5_context context,
|
|||||||
sp = krb5_storage_from_mem(buf, len);
|
sp = krb5_storage_from_mem(buf, len);
|
||||||
RCHECK(krb5_ret_int8(sp, &pvno), out);
|
RCHECK(krb5_ret_int8(sp, &pvno), out);
|
||||||
if(pvno != 4){
|
if(pvno != 4){
|
||||||
kdc_log(context, 0, "Protocol version mismatch (%d)", pvno);
|
kdc_log(0, "Protocol version mismatch (%d)", pvno);
|
||||||
make_err_reply(reply, KDC_PKT_VER, NULL);
|
make_err_reply(reply, KDC_PKT_VER, NULL);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -117,14 +116,14 @@ do_version4(krb5_context context,
|
|||||||
RCHECK(krb5_ret_int8(sp, &life), out1);
|
RCHECK(krb5_ret_int8(sp, &life), out1);
|
||||||
RCHECK(krb5_ret_stringz(sp, &sname), out1);
|
RCHECK(krb5_ret_stringz(sp, &sname), out1);
|
||||||
RCHECK(krb5_ret_stringz(sp, &sinst), out1);
|
RCHECK(krb5_ret_stringz(sp, &sinst), out1);
|
||||||
kdc_log(context, 0, "AS-REQ %s.%s@%s from %s for %s.%s",
|
kdc_log(0, "AS-REQ %s.%s@%s from %s for %s.%s",
|
||||||
name, inst, realm, from, sname, sinst);
|
name, inst, realm, from, sname, sinst);
|
||||||
|
|
||||||
ret = krb5_425_conv_principal(context, name, inst, realm,
|
ret = krb5_425_conv_principal(context, name, inst, realm,
|
||||||
&client_princ);
|
&client_princ);
|
||||||
|
|
||||||
if(ret){
|
if(ret){
|
||||||
kdc_log(context, 0, "Converting client principal: %s",
|
kdc_log(0, "Converting client principal: %s",
|
||||||
krb5_get_err_text(context, ret));
|
krb5_get_err_text(context, ret));
|
||||||
make_err_reply(reply, KFAILURE,
|
make_err_reply(reply, KFAILURE,
|
||||||
"Failed to convert v4 principal (client)");
|
"Failed to convert v4 principal (client)");
|
||||||
@@ -134,23 +133,23 @@ do_version4(krb5_context context,
|
|||||||
ret = krb5_425_conv_principal(context, sname, sinst, v4_realm,
|
ret = krb5_425_conv_principal(context, sname, sinst, v4_realm,
|
||||||
&server_princ);
|
&server_princ);
|
||||||
if(ret){
|
if(ret){
|
||||||
kdc_log(context, 0, "Converting server principal: %s",
|
kdc_log(0, "Converting server principal: %s",
|
||||||
krb5_get_err_text(context, ret));
|
krb5_get_err_text(context, ret));
|
||||||
make_err_reply(reply, KFAILURE,
|
make_err_reply(reply, KFAILURE,
|
||||||
"Failed to convert v4 principal (server)");
|
"Failed to convert v4 principal (server)");
|
||||||
goto out1;
|
goto out1;
|
||||||
}
|
}
|
||||||
|
|
||||||
client = db_fetch(context, client_princ);
|
client = db_fetch(client_princ);
|
||||||
if(client == NULL){
|
if(client == NULL){
|
||||||
kdc_log(context, 0, "Client not found in database: %s.%s@%s",
|
kdc_log(0, "Client not found in database: %s.%s@%s",
|
||||||
name, inst, realm);
|
name, inst, realm);
|
||||||
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL);
|
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL);
|
||||||
goto out1;
|
goto out1;
|
||||||
}
|
}
|
||||||
server = db_fetch(context, server_princ);
|
server = db_fetch(server_princ);
|
||||||
if(server == NULL){
|
if(server == NULL){
|
||||||
kdc_log(context, 0, "Server not found in database: %s.%s@%s",
|
kdc_log(0, "Server not found in database: %s.%s@%s",
|
||||||
sname, sinst, v4_realm);
|
sname, sinst, v4_realm);
|
||||||
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL);
|
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL);
|
||||||
goto out1;
|
goto out1;
|
||||||
@@ -158,7 +157,7 @@ do_version4(krb5_context context,
|
|||||||
|
|
||||||
ret = hdb_keytype2key(context, client, KEYTYPE_DES, &ckey);
|
ret = hdb_keytype2key(context, client, KEYTYPE_DES, &ckey);
|
||||||
if(ret){
|
if(ret){
|
||||||
kdc_log(context, 0, "%s", krb5_get_err_text(context, ret));
|
kdc_log(0, "%s", krb5_get_err_text(context, ret));
|
||||||
/* XXX */
|
/* XXX */
|
||||||
make_err_reply(reply, KDC_NULL_KEY,
|
make_err_reply(reply, KDC_NULL_KEY,
|
||||||
"No DES key in database (client)");
|
"No DES key in database (client)");
|
||||||
@@ -169,7 +168,7 @@ do_version4(krb5_context context,
|
|||||||
while(ckey->salt == NULL || ckey->salt->length != 0)
|
while(ckey->salt == NULL || ckey->salt->length != 0)
|
||||||
ret = hdb_next_keytype2key(context, client, KEYTYPE_DES, &ckey);
|
ret = hdb_next_keytype2key(context, client, KEYTYPE_DES, &ckey);
|
||||||
if(ret){
|
if(ret){
|
||||||
kdc_log(context, 0, "No version-4 salted key in database -- %s.%s@%s",
|
kdc_log(0, "No version-4 salted key in database -- %s.%s@%s",
|
||||||
name, inst, realm);
|
name, inst, realm);
|
||||||
make_err_reply(reply, KDC_NULL_KEY,
|
make_err_reply(reply, KDC_NULL_KEY,
|
||||||
"No version-4 salted key in database");
|
"No version-4 salted key in database");
|
||||||
@@ -178,7 +177,7 @@ do_version4(krb5_context context,
|
|||||||
|
|
||||||
ret = hdb_keytype2key(context, server, KEYTYPE_DES, &skey);
|
ret = hdb_keytype2key(context, server, KEYTYPE_DES, &skey);
|
||||||
if(ret){
|
if(ret){
|
||||||
kdc_log(context, 0, "%s", krb5_get_err_text(context, ret));
|
kdc_log(0, "%s", krb5_get_err_text(context, ret));
|
||||||
/* XXX */
|
/* XXX */
|
||||||
make_err_reply(reply, KDC_NULL_KEY,
|
make_err_reply(reply, KDC_NULL_KEY,
|
||||||
"No DES key in database (server)");
|
"No DES key in database (server)");
|
||||||
@@ -238,14 +237,14 @@ do_version4(krb5_context context,
|
|||||||
ret = krb5_425_conv_principal(context, "krbtgt", realm, v4_realm,
|
ret = krb5_425_conv_principal(context, "krbtgt", realm, v4_realm,
|
||||||
&tgt_princ);
|
&tgt_princ);
|
||||||
if(ret){
|
if(ret){
|
||||||
kdc_log(context, 0, "Converting krbtgt principal: %s",
|
kdc_log(0, "Converting krbtgt principal: %s",
|
||||||
krb5_get_err_text(context, ret));
|
krb5_get_err_text(context, ret));
|
||||||
make_err_reply(reply, KFAILURE,
|
make_err_reply(reply, KFAILURE,
|
||||||
"Failed to convert v4 principal (krbtgt)");
|
"Failed to convert v4 principal (krbtgt)");
|
||||||
goto out2;
|
goto out2;
|
||||||
}
|
}
|
||||||
|
|
||||||
tgt = db_fetch(context, tgt_princ);
|
tgt = db_fetch(tgt_princ);
|
||||||
if(tgt == NULL){
|
if(tgt == NULL){
|
||||||
char *s;
|
char *s;
|
||||||
s = kdc_log_msg(context, 0, "Ticket-granting ticket not "
|
s = kdc_log_msg(context, 0, "Ticket-granting ticket not "
|
||||||
@@ -262,7 +261,7 @@ do_version4(krb5_context context,
|
|||||||
|
|
||||||
ret = hdb_keytype2key(context, tgt, KEYTYPE_DES, &tkey);
|
ret = hdb_keytype2key(context, tgt, KEYTYPE_DES, &tkey);
|
||||||
if(ret){
|
if(ret){
|
||||||
kdc_log(context, 0, "%s", krb5_get_err_text(context, ret));
|
kdc_log(0, "%s", krb5_get_err_text(context, ret));
|
||||||
/* XXX */
|
/* XXX */
|
||||||
make_err_reply(reply, KDC_NULL_KEY,
|
make_err_reply(reply, KDC_NULL_KEY,
|
||||||
"No DES key in database (krbtgt)");
|
"No DES key in database (krbtgt)");
|
||||||
@@ -286,7 +285,7 @@ do_version4(krb5_context context,
|
|||||||
e = krb_rd_req(&auth, "krbtgt", realm,
|
e = krb_rd_req(&auth, "krbtgt", realm,
|
||||||
addr->sin_addr.s_addr, &ad, 0);
|
addr->sin_addr.s_addr, &ad, 0);
|
||||||
if(e){
|
if(e){
|
||||||
kdc_log(context, 0, "krb_rd_req: %s", krb_get_err_text(e));
|
kdc_log(0, "krb_rd_req: %s", krb_get_err_text(e));
|
||||||
make_err_reply(reply, ret, NULL);
|
make_err_reply(reply, ret, NULL);
|
||||||
goto out2;
|
goto out2;
|
||||||
}
|
}
|
||||||
@@ -298,18 +297,18 @@ do_version4(krb5_context context,
|
|||||||
RCHECK(krb5_ret_int8(sp, &life), out2);
|
RCHECK(krb5_ret_int8(sp, &life), out2);
|
||||||
RCHECK(krb5_ret_stringz(sp, &sname), out2);
|
RCHECK(krb5_ret_stringz(sp, &sname), out2);
|
||||||
RCHECK(krb5_ret_stringz(sp, &sinst), out2);
|
RCHECK(krb5_ret_stringz(sp, &sinst), out2);
|
||||||
kdc_log(context, 0, "TGS-REQ %s.%s@%s from %s for %s.%s",
|
kdc_log(0, "TGS-REQ %s.%s@%s from %s for %s.%s",
|
||||||
ad.pname, ad.pinst, ad.prealm, from, sname, sinst);
|
ad.pname, ad.pinst, ad.prealm, from, sname, sinst);
|
||||||
|
|
||||||
if(strcmp(ad.prealm, realm)){
|
if(strcmp(ad.prealm, realm)){
|
||||||
kdc_log(context, 0, "Can't hop realms %s -> %s", realm, ad.prealm);
|
kdc_log(0, "Can't hop realms %s -> %s", realm, ad.prealm);
|
||||||
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,
|
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,
|
||||||
"Can't hop realms");
|
"Can't hop realms");
|
||||||
goto out2;
|
goto out2;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(strcmp(sname, "changepw") == 0){
|
if(strcmp(sname, "changepw") == 0){
|
||||||
kdc_log(context, 0, "Bad request for changepw ticket");
|
kdc_log(0, "Bad request for changepw ticket");
|
||||||
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,
|
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,
|
||||||
"Can't authorize password change based on TGT");
|
"Can't authorize password change based on TGT");
|
||||||
goto out2;
|
goto out2;
|
||||||
@@ -318,14 +317,14 @@ do_version4(krb5_context context,
|
|||||||
ret = krb5_425_conv_principal(context, ad.pname, ad.pinst, ad.prealm,
|
ret = krb5_425_conv_principal(context, ad.pname, ad.pinst, ad.prealm,
|
||||||
&client_princ);
|
&client_princ);
|
||||||
if(ret){
|
if(ret){
|
||||||
kdc_log(context, 0, "Converting client principal: %s",
|
kdc_log(0, "Converting client principal: %s",
|
||||||
krb5_get_err_text(context, ret));
|
krb5_get_err_text(context, ret));
|
||||||
make_err_reply(reply, KFAILURE,
|
make_err_reply(reply, KFAILURE,
|
||||||
"Failed to convert v4 principal (client)");
|
"Failed to convert v4 principal (client)");
|
||||||
goto out2;
|
goto out2;
|
||||||
}
|
}
|
||||||
|
|
||||||
client = db_fetch(context, client_princ);
|
client = db_fetch(client_princ);
|
||||||
if(client == NULL){
|
if(client == NULL){
|
||||||
char *s;
|
char *s;
|
||||||
s = kdc_log_msg(context, 0,
|
s = kdc_log_msg(context, 0,
|
||||||
@@ -339,13 +338,13 @@ do_version4(krb5_context context,
|
|||||||
ret = krb5_425_conv_principal(context, sname, sinst, v4_realm,
|
ret = krb5_425_conv_principal(context, sname, sinst, v4_realm,
|
||||||
&server_princ);
|
&server_princ);
|
||||||
if(ret){
|
if(ret){
|
||||||
kdc_log(context, 0, "Converting server principal: %s",
|
kdc_log(0, "Converting server principal: %s",
|
||||||
krb5_get_err_text(context, ret));
|
krb5_get_err_text(context, ret));
|
||||||
make_err_reply(reply, KFAILURE,
|
make_err_reply(reply, KFAILURE,
|
||||||
"Failed to convert v4 principal (server)");
|
"Failed to convert v4 principal (server)");
|
||||||
goto out2;
|
goto out2;
|
||||||
}
|
}
|
||||||
server = db_fetch(context, server_princ);
|
server = db_fetch(server_princ);
|
||||||
if(server == NULL){
|
if(server == NULL){
|
||||||
char *s;
|
char *s;
|
||||||
s = kdc_log_msg(context, 0,
|
s = kdc_log_msg(context, 0,
|
||||||
@@ -358,7 +357,7 @@ do_version4(krb5_context context,
|
|||||||
|
|
||||||
ret = hdb_keytype2key(context, server, KEYTYPE_DES, &skey);
|
ret = hdb_keytype2key(context, server, KEYTYPE_DES, &skey);
|
||||||
if(ret){
|
if(ret){
|
||||||
kdc_log(context, 0, "%s", krb5_get_err_text(context, ret));
|
kdc_log(0, "%s", krb5_get_err_text(context, ret));
|
||||||
/* XXX */
|
/* XXX */
|
||||||
make_err_reply(reply, KDC_NULL_KEY,
|
make_err_reply(reply, KDC_NULL_KEY,
|
||||||
"No DES key in database (server)");
|
"No DES key in database (server)");
|
||||||
@@ -410,7 +409,7 @@ do_version4(krb5_context context,
|
|||||||
case AUTH_MSG_ERR_REPLY:
|
case AUTH_MSG_ERR_REPLY:
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
kdc_log(context, 0, "Unknown message type: %d from %s",
|
kdc_log(0, "Unknown message type: %d from %s",
|
||||||
msg_type, from);
|
msg_type, from);
|
||||||
|
|
||||||
make_err_reply(reply, KFAILURE, "Unknown message type");
|
make_err_reply(reply, KFAILURE, "Unknown message type");
|
||||||
|
|||||||
162
kdc/kerberos5.c
162
kdc/kerberos5.c
@@ -43,8 +43,7 @@ RCSID("$Id$");
|
|||||||
#define MAX_TIME ((time_t)((1U << 31) - 1))
|
#define MAX_TIME ((time_t)((1U << 31) - 1))
|
||||||
|
|
||||||
krb5_error_code
|
krb5_error_code
|
||||||
as_rep(krb5_context context,
|
as_rep(KDC_REQ *req,
|
||||||
KDC_REQ *req,
|
|
||||||
krb5_data *reply,
|
krb5_data *reply,
|
||||||
const char *from)
|
const char *from)
|
||||||
{
|
{
|
||||||
@@ -80,60 +79,60 @@ as_rep(krb5_context context,
|
|||||||
principalname2krb5_principal (&client_princ, *(b->cname), b->realm);
|
principalname2krb5_principal (&client_princ, *(b->cname), b->realm);
|
||||||
krb5_unparse_name(context, client_princ, &client_name);
|
krb5_unparse_name(context, client_princ, &client_name);
|
||||||
}
|
}
|
||||||
kdc_log(context, 0, "AS-REQ %s from %s for %s",
|
kdc_log(0, "AS-REQ %s from %s for %s",
|
||||||
client_name, from, server_name);
|
client_name, from, server_name);
|
||||||
|
|
||||||
if(ret)
|
if(ret)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
client = db_fetch(context, client_princ);
|
client = db_fetch(client_princ);
|
||||||
if(client == NULL){
|
if(client == NULL){
|
||||||
kdc_log(context, 0, "UNKNOWN -- %s", client_name);
|
kdc_log(0, "UNKNOWN -- %s", client_name);
|
||||||
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
|
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (client->valid_start && *client->valid_start > kdc_time) {
|
if (client->valid_start && *client->valid_start > kdc_time) {
|
||||||
kdc_log(context, 0, "Client not yet valid -- %s", client_name);
|
kdc_log(0, "Client not yet valid -- %s", client_name);
|
||||||
ret = KRB5KDC_ERR_CLIENT_NOTYET;
|
ret = KRB5KDC_ERR_CLIENT_NOTYET;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (client->valid_end && *client->valid_end < kdc_time) {
|
if (client->valid_end && *client->valid_end < kdc_time) {
|
||||||
kdc_log(context, 0, "Client expired -- %s", client_name);
|
kdc_log(0, "Client expired -- %s", client_name);
|
||||||
ret = KRB5KDC_ERR_NAME_EXP;
|
ret = KRB5KDC_ERR_NAME_EXP;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
server = db_fetch(context, server_princ);
|
server = db_fetch(server_princ);
|
||||||
|
|
||||||
if(server == NULL){
|
if(server == NULL){
|
||||||
kdc_log(context, 0, "UNKNOWN -- %s", server_name);
|
kdc_log(0, "UNKNOWN -- %s", server_name);
|
||||||
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
|
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (server->valid_start && *server->valid_start > kdc_time) {
|
if (server->valid_start && *server->valid_start > kdc_time) {
|
||||||
kdc_log(context, 0, "Server not yet valid -- %s", server_name);
|
kdc_log(0, "Server not yet valid -- %s", server_name);
|
||||||
ret = KRB5KDC_ERR_SERVICE_NOTYET;
|
ret = KRB5KDC_ERR_SERVICE_NOTYET;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (server->valid_end && *server->valid_end < kdc_time) {
|
if (server->valid_end && *server->valid_end < kdc_time) {
|
||||||
kdc_log(context, 0, "Server expired -- %s", server_name);
|
kdc_log(0, "Server expired -- %s", server_name);
|
||||||
ret = KRB5KDC_ERR_SERVICE_EXP;
|
ret = KRB5KDC_ERR_SERVICE_EXP;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(!client->flags.client){
|
if(!client->flags.client){
|
||||||
ret = KRB5KDC_ERR_POLICY;
|
ret = KRB5KDC_ERR_POLICY;
|
||||||
kdc_log(context, 0, "Principal may not act as client -- %s",
|
kdc_log(0, "Principal may not act as client -- %s",
|
||||||
client_name);
|
client_name);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
if(!server->flags.server){
|
if(!server->flags.server){
|
||||||
ret = KRB5KDC_ERR_POLICY;
|
ret = KRB5KDC_ERR_POLICY;
|
||||||
kdc_log(context, 0, "Principal (%s) may not act as server -- %s",
|
kdc_log(0, "Principal (%s) may not act as server -- %s",
|
||||||
server_name, client_name);
|
server_name, client_name);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -141,7 +140,7 @@ as_rep(krb5_context context,
|
|||||||
if (client->pw_end && *client->pw_end < kdc_time
|
if (client->pw_end && *client->pw_end < kdc_time
|
||||||
&& !server->flags.change_pw) {
|
&& !server->flags.change_pw) {
|
||||||
ret = KRB5KDC_ERR_KEY_EXPIRED;
|
ret = KRB5KDC_ERR_KEY_EXPIRED;
|
||||||
kdc_log(context, 0, "Client (%s)'s key has expired", client_name);
|
kdc_log(0, "Client (%s)'s key has expired", client_name);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -158,7 +157,7 @@ as_rep(krb5_context context,
|
|||||||
|
|
||||||
if(ret){
|
if(ret){
|
||||||
ret = KRB5KDC_ERR_ETYPE_NOSUPP;
|
ret = KRB5KDC_ERR_ETYPE_NOSUPP;
|
||||||
kdc_log(context, 0, "No support for etypes -- %s", client_name);
|
kdc_log(0, "No support for etypes -- %s", client_name);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -171,7 +170,7 @@ as_rep(krb5_context context,
|
|||||||
int i;
|
int i;
|
||||||
PA_DATA *pa;
|
PA_DATA *pa;
|
||||||
int found_pa = 0;
|
int found_pa = 0;
|
||||||
kdc_log(context, 5, "Looking for pa-data -- %s", client_name);
|
kdc_log(5, "Looking for pa-data -- %s", client_name);
|
||||||
for(i = 0; i < req->padata->len; i++){
|
for(i = 0; i < req->padata->len; i++){
|
||||||
PA_DATA *pa = &req->padata->val[i];
|
PA_DATA *pa = &req->padata->val[i];
|
||||||
if(pa->padata_type == pa_enc_timestamp){
|
if(pa->padata_type == pa_enc_timestamp){
|
||||||
@@ -181,7 +180,7 @@ as_rep(krb5_context context,
|
|||||||
size_t len;
|
size_t len;
|
||||||
EncryptedData enc_data;
|
EncryptedData enc_data;
|
||||||
|
|
||||||
kdc_log(context, 5, "Found pa-enc-timestamp -- %s",
|
kdc_log(5, "Found pa-enc-timestamp -- %s",
|
||||||
client_name);
|
client_name);
|
||||||
found_pa = 1;
|
found_pa = 1;
|
||||||
|
|
||||||
@@ -191,7 +190,7 @@ as_rep(krb5_context context,
|
|||||||
&len);
|
&len);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
|
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
|
||||||
kdc_log(context, 5, "Failed to decode PA-DATA -- %s",
|
kdc_log(5, "Failed to decode PA-DATA -- %s",
|
||||||
client_name);
|
client_name);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -208,7 +207,7 @@ as_rep(krb5_context context,
|
|||||||
free_EncryptedData(&enc_data);
|
free_EncryptedData(&enc_data);
|
||||||
if(ret){
|
if(ret){
|
||||||
e_text = "Failed to decrypt PA-DATA";
|
e_text = "Failed to decrypt PA-DATA";
|
||||||
kdc_log (context, 5, "Failed to decrypt PA-DATA -- %s",
|
kdc_log (5, "Failed to decrypt PA-DATA -- %s",
|
||||||
client_name);
|
client_name);
|
||||||
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
|
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
|
||||||
continue;
|
continue;
|
||||||
@@ -221,7 +220,7 @@ as_rep(krb5_context context,
|
|||||||
if(ret){
|
if(ret){
|
||||||
e_text = "Failed to decode PA-ENC-TS-ENC";
|
e_text = "Failed to decode PA-ENC-TS-ENC";
|
||||||
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
|
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
|
||||||
kdc_log (context, 5, "Failed to decode PA-ENC-TS_ENC -- %s",
|
kdc_log (5, "Failed to decode PA-ENC-TS_ENC -- %s",
|
||||||
client_name);
|
client_name);
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
@@ -237,16 +236,16 @@ as_rep(krb5_context context,
|
|||||||
server_princ,
|
server_princ,
|
||||||
0,
|
0,
|
||||||
reply);
|
reply);
|
||||||
kdc_log(context, 0, "Too large time skew -- %s",
|
kdc_log(0, "Too large time skew -- %s",
|
||||||
client_name);
|
client_name);
|
||||||
goto out2;
|
goto out2;
|
||||||
}
|
}
|
||||||
et.flags.pre_authent = 1;
|
et.flags.pre_authent = 1;
|
||||||
kdc_log(context, 2, "Pre-authentication succeded -- %s",
|
kdc_log(2, "Pre-authentication succeded -- %s",
|
||||||
client_name);
|
client_name);
|
||||||
break;
|
break;
|
||||||
} else {
|
} else {
|
||||||
kdc_log(context, 5, "Found pa-data of type %d -- %s",
|
kdc_log(5, "Found pa-data of type %d -- %s",
|
||||||
pa->padata_type, client_name);
|
pa->padata_type, client_name);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -256,7 +255,7 @@ as_rep(krb5_context context,
|
|||||||
/* We come here if we found a pa-enc-timestamp, but if there
|
/* We come here if we found a pa-enc-timestamp, but if there
|
||||||
was some problem with it, other than too large skew */
|
was some problem with it, other than too large skew */
|
||||||
if(et.flags.pre_authent == 0){
|
if(et.flags.pre_authent == 0){
|
||||||
kdc_log(context, 0, "%s -- %s", e_text, client_name);
|
kdc_log(0, "%s -- %s", e_text, client_name);
|
||||||
e_text = NULL;
|
e_text = NULL;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -293,11 +292,11 @@ as_rep(krb5_context context,
|
|||||||
0,
|
0,
|
||||||
reply);
|
reply);
|
||||||
|
|
||||||
kdc_log(context, 0, "No PA-ENC-TIMESTAMP -- %s", client_name);
|
kdc_log(0, "No PA-ENC-TIMESTAMP -- %s", client_name);
|
||||||
goto out2;
|
goto out2;
|
||||||
}
|
}
|
||||||
|
|
||||||
kdc_log(context, 2, "Using etype %d -- %s", etype, client_name);
|
kdc_log(2, "Using etype %d -- %s", etype, client_name);
|
||||||
|
|
||||||
memset(&rep, 0, sizeof(rep));
|
memset(&rep, 0, sizeof(rep));
|
||||||
rep.pvno = 5;
|
rep.pvno = 5;
|
||||||
@@ -310,7 +309,7 @@ as_rep(krb5_context context,
|
|||||||
|
|
||||||
if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey){
|
if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey){
|
||||||
ret = KRB5KDC_ERR_BADOPTION;
|
ret = KRB5KDC_ERR_BADOPTION;
|
||||||
kdc_log(context, 0, "Bad KDC options -- %s", client_name);
|
kdc_log(0, "Bad KDC options -- %s", client_name);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -319,21 +318,21 @@ as_rep(krb5_context context,
|
|||||||
et.flags.forwardable = f.forwardable;
|
et.flags.forwardable = f.forwardable;
|
||||||
else{
|
else{
|
||||||
ret = KRB5KDC_ERR_POLICY;
|
ret = KRB5KDC_ERR_POLICY;
|
||||||
kdc_log(context, 0, "Ticket may not be forwardable -- %s", client_name);
|
kdc_log(0, "Ticket may not be forwardable -- %s", client_name);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
if(client->flags.proxiable && server->flags.proxiable)
|
if(client->flags.proxiable && server->flags.proxiable)
|
||||||
et.flags.proxiable = f.proxiable;
|
et.flags.proxiable = f.proxiable;
|
||||||
else{
|
else{
|
||||||
ret = KRB5KDC_ERR_POLICY;
|
ret = KRB5KDC_ERR_POLICY;
|
||||||
kdc_log(context, 0, "Ticket may not be proxiable -- %s", client_name);
|
kdc_log(0, "Ticket may not be proxiable -- %s", client_name);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
if(client->flags.postdate && server->flags.postdate)
|
if(client->flags.postdate && server->flags.postdate)
|
||||||
et.flags.may_postdate = f.allow_postdate;
|
et.flags.may_postdate = f.allow_postdate;
|
||||||
else{
|
else{
|
||||||
ret = KRB5KDC_ERR_POLICY;
|
ret = KRB5KDC_ERR_POLICY;
|
||||||
kdc_log(context, 0, "Ticket may not be postdatable -- %s", client_name);
|
kdc_log(0, "Ticket may not be postdatable -- %s", client_name);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -352,7 +351,7 @@ as_rep(krb5_context context,
|
|||||||
start = *et.starttime = *req->req_body.from;
|
start = *et.starttime = *req->req_body.from;
|
||||||
et.flags.invalid = 1;
|
et.flags.invalid = 1;
|
||||||
et.flags.postdated = 1; /* XXX ??? */
|
et.flags.postdated = 1; /* XXX ??? */
|
||||||
kdc_log(context, 2, "Postdated ticket requested -- %s",
|
kdc_log(2, "Postdated ticket requested -- %s",
|
||||||
client_name);
|
client_name);
|
||||||
}
|
}
|
||||||
if(b->till == 0)
|
if(b->till == 0)
|
||||||
@@ -456,7 +455,7 @@ as_rep(krb5_context context,
|
|||||||
&et, &len);
|
&et, &len);
|
||||||
free_EncTicketPart(&et);
|
free_EncTicketPart(&et);
|
||||||
if(ret) {
|
if(ret) {
|
||||||
kdc_log(context, 0, "Failed to encode ticket -- %s", client);
|
kdc_log(0, "Failed to encode ticket -- %s", client);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -473,7 +472,7 @@ as_rep(krb5_context context,
|
|||||||
&ek, &len);
|
&ek, &len);
|
||||||
free_EncKDCRepPart(&ek);
|
free_EncKDCRepPart(&ek);
|
||||||
if(ret) {
|
if(ret) {
|
||||||
kdc_log(context, 0, "Failed to encode KDC-REP -- %s", client_name);
|
kdc_log(0, "Failed to encode KDC-REP -- %s", client_name);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
ekey = unseal_key(ckey);
|
ekey = unseal_key(ckey);
|
||||||
@@ -495,7 +494,7 @@ as_rep(krb5_context context,
|
|||||||
ret = encode_AS_REP(buf + sizeof(buf) - 1, sizeof(buf), &rep, &len);
|
ret = encode_AS_REP(buf + sizeof(buf) - 1, sizeof(buf), &rep, &len);
|
||||||
free_AS_REP(&rep);
|
free_AS_REP(&rep);
|
||||||
if(ret) {
|
if(ret) {
|
||||||
kdc_log(context, 0, "Failed to encode AS-REP -- %s", client_name);
|
kdc_log(0, "Failed to encode AS-REP -- %s", client_name);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -531,37 +530,36 @@ out2:
|
|||||||
|
|
||||||
|
|
||||||
static krb5_error_code
|
static krb5_error_code
|
||||||
check_tgs_flags(krb5_context context, KDC_REQ_BODY *b,
|
check_tgs_flags(KDC_REQ_BODY *b, EncTicketPart *tgt, EncTicketPart *et)
|
||||||
EncTicketPart *tgt, EncTicketPart *et)
|
|
||||||
{
|
{
|
||||||
KDCOptions f = b->kdc_options;
|
KDCOptions f = b->kdc_options;
|
||||||
|
|
||||||
if(f.validate){
|
if(f.validate){
|
||||||
if(!tgt->flags.invalid || tgt->starttime == NULL){
|
if(!tgt->flags.invalid || tgt->starttime == NULL){
|
||||||
kdc_log(context, 0, "Bad request to validate ticket");
|
kdc_log(0, "Bad request to validate ticket");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
if(*tgt->starttime < kdc_time){
|
if(*tgt->starttime < kdc_time){
|
||||||
kdc_log(context, 0, "Early request to validate ticket");
|
kdc_log(0, "Early request to validate ticket");
|
||||||
return KRB5KRB_AP_ERR_TKT_NYV;
|
return KRB5KRB_AP_ERR_TKT_NYV;
|
||||||
}
|
}
|
||||||
/* XXX tkt = tgt */
|
/* XXX tkt = tgt */
|
||||||
et->flags.invalid = 0;
|
et->flags.invalid = 0;
|
||||||
}else if(tgt->flags.invalid){
|
}else if(tgt->flags.invalid){
|
||||||
kdc_log(context, 0, "Ticket-granting ticket has INVALID flag set");
|
kdc_log(0, "Ticket-granting ticket has INVALID flag set");
|
||||||
return KRB5KRB_AP_ERR_TKT_INVALID;
|
return KRB5KRB_AP_ERR_TKT_INVALID;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(f.forwardable){
|
if(f.forwardable){
|
||||||
if(!tgt->flags.forwardable){
|
if(!tgt->flags.forwardable){
|
||||||
kdc_log(context, 0, "Bad request for forwardable ticket");
|
kdc_log(0, "Bad request for forwardable ticket");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
et->flags.forwardable = 1;
|
et->flags.forwardable = 1;
|
||||||
}
|
}
|
||||||
if(f.forwarded){
|
if(f.forwarded){
|
||||||
if(!tgt->flags.forwardable){
|
if(!tgt->flags.forwardable){
|
||||||
kdc_log(context, 0, "Request to forward non-forwardable ticket");
|
kdc_log(0, "Request to forward non-forwardable ticket");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
et->flags.forwarded = 1;
|
et->flags.forwarded = 1;
|
||||||
@@ -572,14 +570,14 @@ check_tgs_flags(krb5_context context, KDC_REQ_BODY *b,
|
|||||||
|
|
||||||
if(f.proxiable){
|
if(f.proxiable){
|
||||||
if(!tgt->flags.proxiable){
|
if(!tgt->flags.proxiable){
|
||||||
kdc_log(context, 0, "Bad request for proxiable ticket");
|
kdc_log(0, "Bad request for proxiable ticket");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
et->flags.proxiable = 1;
|
et->flags.proxiable = 1;
|
||||||
}
|
}
|
||||||
if(f.proxy){
|
if(f.proxy){
|
||||||
if(!tgt->flags.proxiable){
|
if(!tgt->flags.proxiable){
|
||||||
kdc_log(context, 0, "Request to proxy non-proxiable ticket");
|
kdc_log(0, "Request to proxy non-proxiable ticket");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
et->flags.proxy = 1;
|
et->flags.proxy = 1;
|
||||||
@@ -590,14 +588,14 @@ check_tgs_flags(krb5_context context, KDC_REQ_BODY *b,
|
|||||||
|
|
||||||
if(f.allow_postdate){
|
if(f.allow_postdate){
|
||||||
if(!tgt->flags.may_postdate){
|
if(!tgt->flags.may_postdate){
|
||||||
kdc_log(context, 0, "Bad request for post-datable ticket");
|
kdc_log(0, "Bad request for post-datable ticket");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
et->flags.may_postdate = 1;
|
et->flags.may_postdate = 1;
|
||||||
}
|
}
|
||||||
if(f.postdated){
|
if(f.postdated){
|
||||||
if(!tgt->flags.may_postdate){
|
if(!tgt->flags.may_postdate){
|
||||||
kdc_log(context, 0, "Bad request for postdated ticket");
|
kdc_log(0, "Bad request for postdated ticket");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
if(b->from)
|
if(b->from)
|
||||||
@@ -605,13 +603,13 @@ check_tgs_flags(krb5_context context, KDC_REQ_BODY *b,
|
|||||||
et->flags.postdated = 1;
|
et->flags.postdated = 1;
|
||||||
et->flags.invalid = 1;
|
et->flags.invalid = 1;
|
||||||
}else if(b->from && *b->from > kdc_time + context->max_skew){
|
}else if(b->from && *b->from > kdc_time + context->max_skew){
|
||||||
kdc_log(context, 0, "Ticket cannot be postdated");
|
kdc_log(0, "Ticket cannot be postdated");
|
||||||
return KRB5KDC_ERR_CANNOT_POSTDATE;
|
return KRB5KDC_ERR_CANNOT_POSTDATE;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(f.renewable){
|
if(f.renewable){
|
||||||
if(!tgt->flags.renewable){
|
if(!tgt->flags.renewable){
|
||||||
kdc_log(context, 0, "Bad request for renewable ticket");
|
kdc_log(0, "Bad request for renewable ticket");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
et->flags.renewable = 1;
|
et->flags.renewable = 1;
|
||||||
@@ -621,7 +619,7 @@ check_tgs_flags(krb5_context context, KDC_REQ_BODY *b,
|
|||||||
if(f.renew){
|
if(f.renew){
|
||||||
time_t old_life;
|
time_t old_life;
|
||||||
if(!tgt->flags.renewable || tgt->renew_till == NULL){
|
if(!tgt->flags.renewable || tgt->renew_till == NULL){
|
||||||
kdc_log(context, 0, "Request to renew non-renewable ticket");
|
kdc_log(0, "Request to renew non-renewable ticket");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
old_life = tgt->endtime;
|
old_life = tgt->endtime;
|
||||||
@@ -637,7 +635,7 @@ check_tgs_flags(krb5_context context, KDC_REQ_BODY *b,
|
|||||||
}
|
}
|
||||||
|
|
||||||
static krb5_error_code
|
static krb5_error_code
|
||||||
tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, EncTicketPart *tgt,
|
tgs_make_reply(KDC_REQ_BODY *b, EncTicketPart *tgt,
|
||||||
hdb_entry *server, hdb_entry *client, krb5_data *reply)
|
hdb_entry *server, hdb_entry *client, krb5_data *reply)
|
||||||
{
|
{
|
||||||
KDC_REP rep;
|
KDC_REP rep;
|
||||||
@@ -657,7 +655,7 @@ tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, EncTicketPart *tgt,
|
|||||||
}
|
}
|
||||||
|
|
||||||
if(ret){
|
if(ret){
|
||||||
kdc_log(context, 0, "Failed to find requested etype");
|
kdc_log(0, "Failed to find requested etype");
|
||||||
return KRB5KDC_ERR_ETYPE_NOSUPP;
|
return KRB5KDC_ERR_ETYPE_NOSUPP;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -675,7 +673,7 @@ tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, EncTicketPart *tgt,
|
|||||||
ALLOC(et.starttime);
|
ALLOC(et.starttime);
|
||||||
*et.starttime = kdc_time;
|
*et.starttime = kdc_time;
|
||||||
|
|
||||||
ret = check_tgs_flags(context, b, tgt, &et);
|
ret = check_tgs_flags(b, tgt, &et);
|
||||||
if(ret)
|
if(ret)
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
@@ -766,7 +764,7 @@ tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, EncTicketPart *tgt,
|
|||||||
ret = encode_EncTicketPart(buf + sizeof(buf) - 1,
|
ret = encode_EncTicketPart(buf + sizeof(buf) - 1,
|
||||||
sizeof(buf), &et, &len);
|
sizeof(buf), &et, &len);
|
||||||
if(ret){
|
if(ret){
|
||||||
kdc_log(context, 0, "Failed to encode EncTicketPart: %s",
|
kdc_log(0, "Failed to encode EncTicketPart: %s",
|
||||||
krb5_get_err_text(context, ret));
|
krb5_get_err_text(context, ret));
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -780,7 +778,7 @@ tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, EncTicketPart *tgt,
|
|||||||
ret = encode_EncTGSRepPart(buf + sizeof(buf) - 1,
|
ret = encode_EncTGSRepPart(buf + sizeof(buf) - 1,
|
||||||
sizeof(buf), &ek, &len);
|
sizeof(buf), &ek, &len);
|
||||||
if(ret){
|
if(ret){
|
||||||
kdc_log(context, 0, "Failed to encode EncTicketPart: %s",
|
kdc_log(0, "Failed to encode EncTicketPart: %s",
|
||||||
krb5_get_err_text(context, ret));
|
krb5_get_err_text(context, ret));
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -805,7 +803,7 @@ tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, EncTicketPart *tgt,
|
|||||||
|
|
||||||
ret = encode_TGS_REP(buf + sizeof(buf) - 1, sizeof(buf), &rep, &len);
|
ret = encode_TGS_REP(buf + sizeof(buf) - 1, sizeof(buf), &rep, &len);
|
||||||
if(ret){
|
if(ret){
|
||||||
kdc_log(context, 0, "Failed to encode TGS-REP: %s",
|
kdc_log(0, "Failed to encode TGS-REP: %s",
|
||||||
krb5_get_err_text(context, ret));
|
krb5_get_err_text(context, ret));
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -824,7 +822,7 @@ tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, EncTicketPart *tgt,
|
|||||||
}
|
}
|
||||||
|
|
||||||
static krb5_error_code
|
static krb5_error_code
|
||||||
tgs_check_authenticator(krb5_context context, krb5_auth_context ac,
|
tgs_check_authenticator(krb5_auth_context ac,
|
||||||
KDC_REQ_BODY *b, krb5_keyblock *key)
|
KDC_REQ_BODY *b, krb5_keyblock *key)
|
||||||
{
|
{
|
||||||
krb5_authenticator auth;
|
krb5_authenticator auth;
|
||||||
@@ -834,7 +832,7 @@ tgs_check_authenticator(krb5_context context, krb5_auth_context ac,
|
|||||||
|
|
||||||
krb5_auth_getauthenticator(context, ac, &auth);
|
krb5_auth_getauthenticator(context, ac, &auth);
|
||||||
if(auth->cksum == NULL){
|
if(auth->cksum == NULL){
|
||||||
kdc_log(context, 0, "No authenticator in request");
|
kdc_log(0, "No authenticator in request");
|
||||||
ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
|
ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -842,7 +840,7 @@ tgs_check_authenticator(krb5_context context, krb5_auth_context ac,
|
|||||||
if (auth->cksum->cksumtype != CKSUMTYPE_RSA_MD4 &&
|
if (auth->cksum->cksumtype != CKSUMTYPE_RSA_MD4 &&
|
||||||
auth->cksum->cksumtype != CKSUMTYPE_RSA_MD5 &&
|
auth->cksum->cksumtype != CKSUMTYPE_RSA_MD5 &&
|
||||||
auth->cksum->cksumtype != CKSUMTYPE_RSA_MD5_DES){
|
auth->cksum->cksumtype != CKSUMTYPE_RSA_MD5_DES){
|
||||||
kdc_log(context, 0, "Bad checksum type in authenticator: %d",
|
kdc_log(0, "Bad checksum type in authenticator: %d",
|
||||||
auth->cksum->cksumtype);
|
auth->cksum->cksumtype);
|
||||||
ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
|
ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
|
||||||
goto out;
|
goto out;
|
||||||
@@ -852,7 +850,7 @@ tgs_check_authenticator(krb5_context context, krb5_auth_context ac,
|
|||||||
ret = encode_KDC_REQ_BODY(buf + sizeof(buf) - 1, sizeof(buf),
|
ret = encode_KDC_REQ_BODY(buf + sizeof(buf) - 1, sizeof(buf),
|
||||||
b, &len);
|
b, &len);
|
||||||
if(ret){
|
if(ret){
|
||||||
kdc_log(context, 0, "Failed to encode KDC-REQ-BODY: %s",
|
kdc_log(0, "Failed to encode KDC-REQ-BODY: %s",
|
||||||
krb5_get_err_text(context, ret));
|
krb5_get_err_text(context, ret));
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -860,7 +858,7 @@ tgs_check_authenticator(krb5_context context, krb5_auth_context ac,
|
|||||||
key,
|
key,
|
||||||
auth->cksum);
|
auth->cksum);
|
||||||
if(ret){
|
if(ret){
|
||||||
kdc_log(context, 0, "Failed to verify checksum: %s",
|
kdc_log(0, "Failed to verify checksum: %s",
|
||||||
krb5_get_err_text(context, ret));
|
krb5_get_err_text(context, ret));
|
||||||
}
|
}
|
||||||
out:
|
out:
|
||||||
@@ -872,8 +870,7 @@ out:
|
|||||||
|
|
||||||
|
|
||||||
static krb5_error_code
|
static krb5_error_code
|
||||||
tgs_rep2(krb5_context context,
|
tgs_rep2(KDC_REQ_BODY *b,
|
||||||
KDC_REQ_BODY *b,
|
|
||||||
krb5_principal sp,
|
krb5_principal sp,
|
||||||
PA_DATA *pa_data,
|
PA_DATA *pa_data,
|
||||||
krb5_data *reply,
|
krb5_data *reply,
|
||||||
@@ -895,14 +892,14 @@ tgs_rep2(krb5_context context,
|
|||||||
|
|
||||||
ret = krb5_decode_ap_req(context, &pa_data->padata_value, &ap_req);
|
ret = krb5_decode_ap_req(context, &pa_data->padata_value, &ap_req);
|
||||||
if(ret){
|
if(ret){
|
||||||
kdc_log(context, 0, "Failed to decode AP-REQ: %s",
|
kdc_log(0, "Failed to decode AP-REQ: %s",
|
||||||
krb5_get_err_text(context, ret));
|
krb5_get_err_text(context, ret));
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(ap_req.ticket.sname.name_string.len != 2 ||
|
if(ap_req.ticket.sname.name_string.len != 2 ||
|
||||||
strcmp(ap_req.ticket.sname.name_string.val[0], "krbtgt")){
|
strcmp(ap_req.ticket.sname.name_string.val[0], "krbtgt")){
|
||||||
kdc_log(context, 0, "PA-DATA is not a ticket-granting ticket");
|
kdc_log(0, "PA-DATA is not a ticket-granting ticket");
|
||||||
ret = KRB5KDC_ERR_POLICY; /* ? */
|
ret = KRB5KDC_ERR_POLICY; /* ? */
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -911,12 +908,12 @@ tgs_rep2(krb5_context context,
|
|||||||
ap_req.ticket.sname,
|
ap_req.ticket.sname,
|
||||||
ap_req.ticket.realm);
|
ap_req.ticket.realm);
|
||||||
|
|
||||||
krbtgt = db_fetch(context, princ);
|
krbtgt = db_fetch(princ);
|
||||||
|
|
||||||
if(krbtgt == NULL) {
|
if(krbtgt == NULL) {
|
||||||
char *p;
|
char *p;
|
||||||
krb5_unparse_name(context, princ, &p);
|
krb5_unparse_name(context, princ, &p);
|
||||||
kdc_log(context, 0, "Ticket-granting ticket not found in database: %s",
|
kdc_log(0, "Ticket-granting ticket not found in database: %s",
|
||||||
p);
|
p);
|
||||||
free(p);
|
free(p);
|
||||||
ret = KRB5KRB_AP_ERR_NOT_US;
|
ret = KRB5KRB_AP_ERR_NOT_US;
|
||||||
@@ -935,19 +932,19 @@ tgs_rep2(krb5_context context,
|
|||||||
|
|
||||||
krb5_free_principal(context, princ);
|
krb5_free_principal(context, princ);
|
||||||
if(ret) {
|
if(ret) {
|
||||||
kdc_log(context, 0, "Failed to verify AP-REQ: %s",
|
kdc_log(0, "Failed to verify AP-REQ: %s",
|
||||||
krb5_get_err_text(context, ret));
|
krb5_get_err_text(context, ret));
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
tgt = &ticket->ticket;
|
tgt = &ticket->ticket;
|
||||||
|
|
||||||
ret = tgs_check_authenticator(context, ac, b, &tgt->key);
|
ret = tgs_check_authenticator(ac, b, &tgt->key);
|
||||||
|
|
||||||
krb5_auth_con_free(context, ac);
|
krb5_auth_con_free(context, ac);
|
||||||
|
|
||||||
if(ret){
|
if(ret){
|
||||||
kdc_log(context, 0, "Failed to verify authenticator: %s",
|
kdc_log(0, "Failed to verify authenticator: %s",
|
||||||
krb5_get_err_text(context, ret));
|
krb5_get_err_text(context, ret));
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -969,7 +966,7 @@ tgs_rep2(krb5_context context,
|
|||||||
principalname2krb5_principal(&p,
|
principalname2krb5_principal(&p,
|
||||||
b->additional_tickets->val[0].sname,
|
b->additional_tickets->val[0].sname,
|
||||||
b->additional_tickets->val[0].realm);
|
b->additional_tickets->val[0].realm);
|
||||||
uu = db_fetch(context, p);
|
uu = db_fetch(p);
|
||||||
krb5_free_principal(context, p);
|
krb5_free_principal(context, p);
|
||||||
if(uu == NULL){
|
if(uu == NULL){
|
||||||
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
|
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
|
||||||
@@ -985,23 +982,23 @@ tgs_rep2(krb5_context context,
|
|||||||
principalname2krb5_principal(&sp, *s, r);
|
principalname2krb5_principal(&sp, *s, r);
|
||||||
#endif
|
#endif
|
||||||
krb5_unparse_name(context, sp, &spn);
|
krb5_unparse_name(context, sp, &spn);
|
||||||
server = db_fetch(context, sp);
|
server = db_fetch(sp);
|
||||||
|
|
||||||
principalname2krb5_principal(&cp, tgt->cname, tgt->crealm);
|
principalname2krb5_principal(&cp, tgt->cname, tgt->crealm);
|
||||||
krb5_unparse_name(context, cp, &cpn);
|
krb5_unparse_name(context, cp, &cpn);
|
||||||
client = db_fetch(context, cp);
|
client = db_fetch(cp);
|
||||||
|
|
||||||
kdc_log(context, 0, "TGS-REQ %s from %s for %s", cpn, from, spn);
|
kdc_log(0, "TGS-REQ %s from %s for %s", cpn, from, spn);
|
||||||
|
|
||||||
if(server == NULL){
|
if(server == NULL){
|
||||||
kdc_log(context, 0, "Server not found in database: %s", spn);
|
kdc_log(0, "Server not found in database: %s", spn);
|
||||||
/* do foreign realm stuff */
|
/* do foreign realm stuff */
|
||||||
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
|
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(client == NULL){
|
if(client == NULL){
|
||||||
kdc_log(context, 0, "Client not found in database: %s", cpn);
|
kdc_log(0, "Client not found in database: %s", cpn);
|
||||||
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
|
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -1010,12 +1007,12 @@ tgs_rep2(krb5_context context,
|
|||||||
!krb5_principal_compare(context,
|
!krb5_principal_compare(context,
|
||||||
krbtgt->principal,
|
krbtgt->principal,
|
||||||
server->principal)){
|
server->principal)){
|
||||||
kdc_log(context, 0, "Inconsistent request.");
|
kdc_log(0, "Inconsistent request.");
|
||||||
ret = KRB5KDC_ERR_SERVER_NOMATCH;
|
ret = KRB5KDC_ERR_SERVER_NOMATCH;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = tgs_make_reply(context, b, tgt, server, client, reply);
|
ret = tgs_make_reply(b, tgt, server, client, reply);
|
||||||
|
|
||||||
out:
|
out:
|
||||||
if(ret)
|
if(ret)
|
||||||
@@ -1054,7 +1051,7 @@ tgs_rep2(krb5_context context,
|
|||||||
}
|
}
|
||||||
|
|
||||||
static krb5_error_code
|
static krb5_error_code
|
||||||
request_server(krb5_context context, KDC_REQ *req, krb5_principal *server)
|
request_server(KDC_REQ *req, krb5_principal *server)
|
||||||
{
|
{
|
||||||
PrincipalName *s = NULL;
|
PrincipalName *s = NULL;
|
||||||
Realm r;
|
Realm r;
|
||||||
@@ -1075,8 +1072,7 @@ request_server(krb5_context context, KDC_REQ *req, krb5_principal *server)
|
|||||||
|
|
||||||
|
|
||||||
krb5_error_code
|
krb5_error_code
|
||||||
tgs_rep(krb5_context context,
|
tgs_rep(KDC_REQ *req,
|
||||||
KDC_REQ *req,
|
|
||||||
krb5_data *data,
|
krb5_data *data,
|
||||||
const char *from)
|
const char *from)
|
||||||
{
|
{
|
||||||
@@ -1085,11 +1081,11 @@ tgs_rep(krb5_context context,
|
|||||||
PA_DATA *pa_data = NULL;
|
PA_DATA *pa_data = NULL;
|
||||||
krb5_principal server;
|
krb5_principal server;
|
||||||
|
|
||||||
request_server(context, req, &server);
|
request_server(req, &server);
|
||||||
|
|
||||||
if(req->padata == NULL){
|
if(req->padata == NULL){
|
||||||
ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
|
ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
|
||||||
kdc_log(context, 0, "TGS-REQ from %s without PA-DATA", from);
|
kdc_log(0, "TGS-REQ from %s without PA-DATA", from);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1101,10 +1097,10 @@ tgs_rep(krb5_context context,
|
|||||||
if(pa_data == NULL){
|
if(pa_data == NULL){
|
||||||
ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
|
ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
|
||||||
|
|
||||||
kdc_log(context, 0, "TGS-REQ from %s without PA-TGS-REQ", from);
|
kdc_log(0, "TGS-REQ from %s without PA-TGS-REQ", from);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
ret = tgs_rep2(context, &req->req_body, server, pa_data, data, from);
|
ret = tgs_rep2(&req->req_body, server, pa_data, data, from);
|
||||||
out:
|
out:
|
||||||
if(ret && data->data == NULL)
|
if(ret && data->data == NULL)
|
||||||
krb5_mk_error(context,
|
krb5_mk_error(context,
|
||||||
|
|||||||
10
kdc/log.c
10
kdc/log.c
@@ -43,7 +43,7 @@ extern int loglevel;
|
|||||||
static krb5_log_facility *logf;
|
static krb5_log_facility *logf;
|
||||||
|
|
||||||
char*
|
char*
|
||||||
kdc_log_msg_va(krb5_context context, int level, const char *fmt, va_list ap)
|
kdc_log_msg_va(int level, const char *fmt, va_list ap)
|
||||||
{
|
{
|
||||||
char *msg;
|
char *msg;
|
||||||
if(level > loglevel)
|
if(level > loglevel)
|
||||||
@@ -56,23 +56,23 @@ kdc_log_msg_va(krb5_context context, int level, const char *fmt, va_list ap)
|
|||||||
}
|
}
|
||||||
|
|
||||||
char*
|
char*
|
||||||
kdc_log_msg(krb5_context context, int level, const char *fmt, ...)
|
kdc_log_msg(int level, const char *fmt, ...)
|
||||||
{
|
{
|
||||||
va_list ap;
|
va_list ap;
|
||||||
char *s;
|
char *s;
|
||||||
va_start(ap, fmt);
|
va_start(ap, fmt);
|
||||||
s = kdc_log_msg_va(context, level, fmt, ap);
|
s = kdc_log_msg_va(level, fmt, ap);
|
||||||
va_end(ap);
|
va_end(ap);
|
||||||
return s;
|
return s;
|
||||||
}
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
kdc_log(krb5_context context, int level, const char *fmt, ...)
|
kdc_log(int level, const char *fmt, ...)
|
||||||
{
|
{
|
||||||
va_list ap;
|
va_list ap;
|
||||||
char *s;
|
char *s;
|
||||||
va_start(ap, fmt);
|
va_start(ap, fmt);
|
||||||
s = kdc_log_msg_va(context, level, fmt, ap);
|
s = kdc_log_msg_va(level, fmt, ap);
|
||||||
if(s) free(s);
|
if(s) free(s);
|
||||||
va_end(ap);
|
va_end(ap);
|
||||||
}
|
}
|
||||||
|
|||||||
10
kdc/main.c
10
kdc/main.c
@@ -41,6 +41,7 @@
|
|||||||
RCSID("$Id$");
|
RCSID("$Id$");
|
||||||
|
|
||||||
sig_atomic_t exit_flag = 0;
|
sig_atomic_t exit_flag = 0;
|
||||||
|
krb5_context context;
|
||||||
|
|
||||||
static RETSIGTYPE
|
static RETSIGTYPE
|
||||||
sigterm(int sig)
|
sigterm(int sig)
|
||||||
@@ -58,7 +59,6 @@ usage(void)
|
|||||||
int
|
int
|
||||||
main(int argc, char **argv)
|
main(int argc, char **argv)
|
||||||
{
|
{
|
||||||
krb5_context context;
|
|
||||||
int c;
|
int c;
|
||||||
set_progname(argv[0]);
|
set_progname(argv[0]);
|
||||||
|
|
||||||
@@ -73,15 +73,13 @@ main(int argc, char **argv)
|
|||||||
EncryptionKey key;
|
EncryptionKey key;
|
||||||
f = fopen(keyfile, "r");
|
f = fopen(keyfile, "r");
|
||||||
if(f == NULL){
|
if(f == NULL){
|
||||||
kdc_log(context, 0, "Failed to open master key file %s",
|
kdc_log(0, "Failed to open master key file %s", keyfile);
|
||||||
keyfile);
|
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
len = fread(buf, 1, sizeof(buf), f);
|
len = fread(buf, 1, sizeof(buf), f);
|
||||||
fclose(f);
|
fclose(f);
|
||||||
if(decode_EncryptionKey(buf, len, &key, &len)){
|
if(decode_EncryptionKey(buf, len, &key, &len)){
|
||||||
kdc_log(context, 0,
|
kdc_log(0, "Failed to parse contents of master key file %s", keyfile);
|
||||||
"Failed to parse contents of master key file %s", keyfile);
|
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
set_master_key(&key);
|
set_master_key(&key);
|
||||||
@@ -95,7 +93,7 @@ main(int argc, char **argv)
|
|||||||
|
|
||||||
|
|
||||||
signal(SIGINT, sigterm);
|
signal(SIGINT, sigterm);
|
||||||
loop(context);
|
loop();
|
||||||
krb5_free_context(context);
|
krb5_free_context(context);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -43,7 +43,7 @@ RCSID("$Id$");
|
|||||||
struct timeval now;
|
struct timeval now;
|
||||||
|
|
||||||
hdb_entry*
|
hdb_entry*
|
||||||
db_fetch(krb5_context context, krb5_principal principal)
|
db_fetch(krb5_principal principal)
|
||||||
{
|
{
|
||||||
HDB *db;
|
HDB *db;
|
||||||
hdb_entry *ent;
|
hdb_entry *ent;
|
||||||
@@ -51,7 +51,7 @@ db_fetch(krb5_context context, krb5_principal principal)
|
|||||||
|
|
||||||
ret = hdb_open(context, &db, NULL, O_RDONLY, 0);
|
ret = hdb_open(context, &db, NULL, O_RDONLY, 0);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
kdc_log(context, 0, "Failed to open database: %s",
|
kdc_log(0, "Failed to open database: %s",
|
||||||
krb5_get_err_text(context, ret));
|
krb5_get_err_text(context, ret));
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user