From de92125f9d631dbc34ebd66932c85083c8e9f9ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= Date: Fri, 1 Jul 2005 04:42:59 +0000 Subject: [PATCH] adapt pkinit code to libkdc split git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15540 ec53bebd-3082-4978-b11e-865c3cabbd6b --- kdc/config.c | 2 +- kdc/kdc_locl.h | 14 ++++++++++---- kdc/kerberos5.c | 7 ++++--- kdc/main.c | 1 + kdc/pkinit.c | 33 ++++++++++++++++++++++----------- 5 files changed, 38 insertions(+), 19 deletions(-) diff --git a/kdc/config.c b/kdc/config.c index d9cc34894..c8c6fd5b0 100644 --- a/kdc/config.c +++ b/kdc/config.c @@ -516,7 +516,7 @@ krb5_kdc_configuration *configure(krb5_context context, int argc, char **argv) if (x509_anchors == NULL) krb5_errx(context, 1, "pkinit enabled but no X509 anchors"); - _pk_initialize(user_id, x509_anchors); + _pk_initialize(context, config, user_id, x509_anchors); config->enable_pkinit_princ_in_cert = krb5_config_get_bool_default(context, diff --git a/kdc/kdc_locl.h b/kdc/kdc_locl.h index 203342c19..1bd0a1db3 100644 --- a/kdc/kdc_locl.h +++ b/kdc/kdc_locl.h 
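Review bot: The return value of `_pk_initialize(context, config, user_id, x509_anchors)` is discarded, so a failure to load the KDC's PKINIT identity is reported only by the warning the function itself emits (the pkinit.c hunk at -1542 clears `config->enable_pkinit` and returns the error), and the KDC keeps serving with PKINIT switched off although the operator explicitly enabled it. The anchors check two lines above already treats a PKINIT misconfiguration as fatal; applying the same policy here would be `if (_pk_initialize(context, config, user_id, x509_anchors)) krb5_errx(context, 1, "PKINIT: initialization failed");`. If continuing without PKINIT after a load failure is the intended behaviour, a short comment at the call saying so would spare the next reader the question. `configure` continues outside the hunk.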
@@ -106,16 +106,22 @@ _kdc_do_524(krb5_context context, #ifdef PKINIT typedef struct pk_client_params pk_client_params; -krb5_error_code _pk_initialize(const char *, const char *); -krb5_error_code _pk_rd_padata(krb5_context, KDC_REQ *, - PA_DATA *, pk_client_params **); +krb5_error_code _pk_initialize(krb5_context, + krb5_kdc_configuration *, + const char *, + const char *); +krb5_error_code _pk_rd_padata(krb5_context, krb5_kdc_configuration *, + KDC_REQ *, PA_DATA *, pk_client_params **); krb5_error_code _pk_mk_pa_reply(krb5_context, + krb5_kdc_configuration *, pk_client_params *, const hdb_entry *, const KDC_REQ *, krb5_keyblock **, METHOD_DATA *); -krb5_error_code _pk_check_client(krb5_context, krb5_principal, +krb5_error_code _pk_check_client(krb5_context, + krb5_kdc_configuration *, + krb5_principal, const hdb_entry *, pk_client_params *, char **); void _pk_free_client_param(krb5_context, pk_client_params *); diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c index ac4c3a382..65c97ef58 100644 --- a/kdc/kerberos5.c +++ b/kdc/kerberos5.c @@ -819,7 +819,7 @@ _kdc_as_rep(krb5_context context, if (pa) { char *client_cert = NULL; - ret = _pk_rd_padata(context, req, pa, &pkp); + ret = _pk_rd_padata(context, config, req, pa, &pkp); if (ret) { ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; kdc_log(context, config, 5, @@ -830,7 +830,8 @@ _kdc_as_rep(krb5_context context, if (ret == 0 && pkp == NULL) goto ts_enc; - ret = _pk_check_client(context, + ret = _pk_check_client(context, + config, client_princ, client, pkp, @@ -1275,7 +1276,7 @@ _kdc_as_rep(krb5_context context, reply_key = &ckey->key; #if PKINIT if (pkp) { - ret = _pk_mk_pa_reply(context, pkp, client, req, + ret = _pk_mk_pa_reply(context, config, pkp, client, req, &reply_key, rep.padata); if (ret) goto out; diff --git a/kdc/main.c b/kdc/main.c index 6c07a38c6..4598f185d 100644 --- a/kdc/main.c +++ b/kdc/main.c @@ -46,6 +46,7 @@ static RETSIGTYPE sigterm(int sig) { exit_flag = sig; + _exit(3); } int 
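Review bot: The new `_pk_mk_pa_reply` call in the third kerberos5.c hunk (-1275) sits under `#if PKINIT`, whereas kdc_locl.h (hunk -106) declares its prototype under `#ifdef PKINIT`; the two guards agree only while PKINIT is defined to a non-zero value, and a build that defines the macro empty would fail at this site while the header still compiles. Changing the guard to `#ifdef PKINIT` keeps it consistent with the header. `_kdc_as_rep` starts and ends outside the hunk, so I cannot see whether the other PKINIT blocks in the function use the same spelling.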
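Review bot: `_exit(3)` on the line after `exit_flag = sig` in `sigterm` makes the flag dead code: the main loop never gets to observe it, so whatever orderly shutdown it drives off `exit_flag` (not visible here) is skipped and the process is torn down mid-operation with status 3. The change is unrelated to the commit's subject and reads like a debugging leftover; if immediate termination is really wanted the assignment should go, otherwise the `_exit(3);` line should be dropped so the flag-based shutdown keeps working. `_exit` itself is async-signal-safe, so the concern is the lost shutdown path, not the call.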
diff --git a/kdc/pkinit.c b/kdc/pkinit.c index 98ff57ad6..6ed64a25e 100644 --- a/kdc/pkinit.c +++ b/kdc/pkinit.c @@ -509,6 +509,7 @@ verify_trusted_ca(PA_PK_AS_REQ_19 *r) krb5_error_code _pk_rd_padata(krb5_context context, + krb5_kdc_configuration *config, KDC_REQ *req, PA_DATA *pa, pk_client_params **ret_params) @@ -523,7 +524,7 @@ _pk_rd_padata(krb5_context context, *ret_params = NULL; - if (!enable_pkinit) { + if (!config->enable_pkinit) { krb5_clear_error_string(context); return 0; } @@ -812,7 +813,7 @@ _pk_rd_padata(krb5_context context, * are ignored for now. */ - kdc_log(0, "PK-INIT request of type %s", type); + kdc_log(context, config, 0, "PK-INIT request of type %s", type); out: @@ -821,7 +822,7 @@ _pk_rd_padata(krb5_context context, krb5_data_free(&eContent); free_oid(&eContentType); if (ret) - pk_free_client_param(context, client_params); + _pk_free_client_param(context, client_params); else *ret_params = client_params; return ret; @@ -1170,6 +1171,7 @@ pk_mk_pa_reply_dh(krb5_context context, krb5_error_code _pk_mk_pa_reply(krb5_context context, + krb5_kdc_configuration *config, pk_client_params *client_params, const hdb_entry *client, const KDC_REQ *req, @@ -1183,7 +1185,7 @@ _pk_mk_pa_reply(krb5_context context, int pa_type; int i; - if (!enable_pkinit) { + if (!config->enable_pkinit) { krb5_clear_error_string(context); return 0; } @@ -1375,6 +1377,7 @@ _pk_mk_pa_reply(krb5_context context, static int pk_principal_from_X509(krb5_context context, + krb5_kdc_configuration *config, struct krb5_pk_cert *client_cert, krb5_principal *principal) { @@ -1410,7 +1413,8 @@ pk_principal_from_X509(krb5_context context, ret = decode_KRB5PrincipalName(p, len, &kn, &size); if (ret) { - kdc_log(0, "Decoding kerberos name in certificate failed: %s", + kdc_log(context, config, 0, + "Decoding kerberos name in certificate failed: %s", krb5_get_err_text(context, ret)); continue; } 
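Review bot: In the `_pk_rd_padata` hunk at -523, the early return when `config->enable_pkinit` is clear drops a client's PK-INIT padata without leaving any trace in the log, and the caller in kerberos5.c then proceeds as if no PK-INIT padata had been sent (`goto ts_enc` when no params come back). Since `_pk_initialize` (hunk -1542) can clear that flag at startup after a load failure, an operator who enabled PKINIT may not notice that clients are no longer being served by it. A diagnostic line before the return, e.g. `kdc_log(context, config, 5, "PK-INIT padata ignored: pkinit is disabled");`, would make that visible; 5 is the level the kerberos5.c hunk uses for PK-INIT failures, adjust if the project reserves another level for this. `_pk_rd_padata` continues outside the hunk.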
@@ -1433,6 +1437,7 @@ pk_principal_from_X509(krb5_context context, krb5_error_code _pk_check_client(krb5_context context, + krb5_kdc_configuration *config, krb5_principal client_princ, const hdb_entry *client, pk_client_params *client_params, @@ -1465,8 +1470,9 @@ _pk_check_client(krb5_context context, } OPENSSL_free(subject); - if (enable_pkinit_princ_in_cert) { - ret = pk_principal_from_X509(context, client_cert, &cert_princ); + if (config->enable_pkinit_princ_in_cert) { + ret = pk_principal_from_X509(context, config, + client_cert, &cert_princ); if (ret == 0) { b = krb5_principal_compare(context, client_princ, cert_princ); krb5_free_principal(context, cert_princ); @@ -1492,7 +1498,9 @@ _pk_check_client(krb5_context context, } static krb5_error_code -add_principal_mapping(const char *principal_name, const char * subject) +add_principal_mapping(krb5_context context, + const char *principal_name, + const char * subject) { struct pk_allowed_princ *tmp; krb5_principal principal; @@ -1522,7 +1530,10 @@ add_principal_mapping(const char *principal_name, const char * subject) krb5_error_code -_pk_initialize(const char *user_id, const char *x509_anchors) +_pk_initialize(krb5_context context, + krb5_kdc_configuration *config, + const char *user_id, + const char *x509_anchors) { const char *mapping_file; krb5_error_code ret; @@ -1542,7 +1553,7 @@ _pk_initialize(const char *user_id, const char *x509_anchors) NULL); if (ret) { krb5_warn(context, ret, "PKINIT: failed to load"); - enable_pkinit = 0; + config->enable_pkinit = 0; return ret; } @@ -1579,7 +1590,7 @@ _pk_initialize(const char *user_id, const char *x509_anchors) } *subject_name++ = '\0'; - ret = add_principal_mapping(p, subject_name); + ret = add_principal_mapping(context, p, subject_name); if (ret) { krb5_warn(context, ret, "failed to add line %lu \":\" :%s\n", lineno, buf);
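Review bot: Style: the rewritten `add_principal_mapping` signature (hunk -1492) keeps `const char * subject` with a space after the `*` while the new line above it writes `const char *principal_name`; since the line is already being rewritten, `const char *subject)` would make the two parameters consistent. The function body continues outside the hunk.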
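Review bot: The format string passed to `krb5_warn` in the mapping-file loop of `_pk_initialize` (hunk -1579) ends in `\n`; as far as I recall the library, `krb5_warn` terminates the message itself (it ends up in `warnx` or the configured log destination), so the trailing newline most likely produces an empty line in the log, and none of the other warn calls in these hunks carry one. Dropping it, `krb5_warn(context, ret, "failed to add line %lu \":\" :%s", lineno, buf);`, keeps the output uniform; `%lu` also presumes `lineno` is an `unsigned long`, which is declared outside the hunk. Whether the loop continues or aborts after a bad line is likewise outside the hunk, and the message does not say which.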