summaryrefslogtreecommitdiffstats
path: root/source4/heimdal/kdc/kerberos5.c
diff options
context:
space:
mode:
Diffstat (limited to 'source4/heimdal/kdc/kerberos5.c')
-rw-r--r--source4/heimdal/kdc/kerberos5.c97
1 files changed, 74 insertions, 23 deletions
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 3f9dcd12f8..68720d692e 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$Id: kerberos5.c,v 1.201 2005/12/14 12:17:58 lha Exp $");
+RCSID("$Id: kerberos5.c,v 1.206 2006/04/02 01:54:37 lha Exp $");
#define MAX_TIME ((time_t)((1U << 31) - 1))
@@ -209,6 +209,50 @@ log_timestamp(krb5_context context,
type, authtime_str, starttime_str, endtime_str, renewtime_str);
}
+static void
+log_patypes(krb5_context context,
+ krb5_kdc_configuration *config,
+ METHOD_DATA *padata)
+{
+ struct rk_strpool *p = NULL;
+ char *str;
+ int i;
+
+ for (i = 0; i < padata->len; i++) {
+ switch(padata->val[i].padata_type) {
+ case KRB5_PADATA_PK_AS_REQ:
+ p = rk_strpoolprintf(p, "PK-INIT(ietf)");
+ break;
+ case KRB5_PADATA_PK_AS_REQ_WIN:
+ p = rk_strpoolprintf(p, "PK-INIT(win2k)");
+ break;
+ case KRB5_PADATA_PA_PK_OCSP_RESPONSE:
+ p = rk_strpoolprintf(p, "OCSP");
+ break;
+ case KRB5_PADATA_ENC_TIMESTAMP:
+ p = rk_strpoolprintf(p, "encrypted-timestamp");
+ break;
+ default:
+ p = rk_strpoolprintf(p, "%d", padata->val[i].padata_type);
+ break;
+ }
+ if (p && i + 1 < padata->len)
+ p = rk_strpoolprintf(p, ", ");
+ if (p == NULL) {
+ kdc_log(context, config, 0, "out of memory");
+ return;
+ }
+ }
+ str = rk_strpoolcollect(p);
+ kdc_log(context, config, 0, "Client sent patypes: %s", str);
+ free(str);
+}
+
+/*
+ *
+ */
+
+
static krb5_error_code
encode_reply(krb5_context context,
krb5_kdc_configuration *config,
@@ -642,11 +686,13 @@ get_pa_etype_info2(krb5_context context,
krb5_error_code
_kdc_check_flags(krb5_context context,
krb5_kdc_configuration *config,
- hdb_entry *client, const char *client_name,
- hdb_entry *server, const char *server_name,
+ hdb_entry_ex *client_ex, const char *client_name,
+ hdb_entry_ex *server_ex, const char *server_name,
krb5_boolean is_as_req)
{
- if(client != NULL) {
+ if(client_ex != NULL) {
+ hdb_entry *client = &client_ex->entry;
+
/* check client */
if (client->flags.invalid) {
kdc_log(context, config, 0,
@@ -680,8 +726,8 @@ _kdc_check_flags(krb5_context context,
return KRB5KDC_ERR_NAME_EXP;
}
- if (client->pw_end && *client->pw_end < kdc_time
- && !server->flags.change_pw) {
+ if (client->pw_end && *client->pw_end < kdc_time
+ && (server_ex == NULL || !server_ex->entry.flags.change_pw)) {
char pwend_str[100];
krb5_format_time(context, *client->pw_end,
pwend_str, sizeof(pwend_str), TRUE);
@@ -694,7 +740,9 @@ _kdc_check_flags(krb5_context context,
/* check server */
- if (server != NULL) {
+ if (server_ex != NULL) {
+ hdb_entry *server = &server_ex->entry;
+
if (server->flags.invalid) {
kdc_log(context, config, 0,
"Server has invalid flag set -- %s", server_name);
@@ -762,27 +810,28 @@ check_addresses(krb5_context context,
krb5_boolean result;
krb5_boolean only_netbios = TRUE;
int i;
-
+
if(config->check_ticket_addresses == 0)
return TRUE;
- if(addresses == NULL)
+ if(addresses == NULL)
return config->allow_null_ticket_addresses;
-
+
for (i = 0; i < addresses->len; ++i) {
- if (addresses->val[i].addr_type != KRB5_ADDRESS_NETBIOS) {
- only_netbios = FALSE;
- }
+ if (addresses->val[i].addr_type != KRB5_ADDRESS_NETBIOS) {
+ only_netbios = FALSE;
+ }
}
/* Windows sends it's netbios name, which I can only assume is
- * used for the 'allowed workstations' check. This is painful, but
- * we still want to check IP addresses if they happen to be
- * present. */
+ * used for the 'allowed workstations' check. This is painful,
+ * but we still want to check IP addresses if they happen to be
+ * present.
+ */
if(only_netbios)
return config->allow_null_ticket_addresses;
-
+
ret = krb5_sockaddr2address (context, from, &addr);
if(ret)
return FALSE;
@@ -867,8 +916,8 @@ _kdc_as_rep(krb5_context context,
}
ret = _kdc_check_flags(context, config,
- &client->entry, client_name,
- &server->entry, server_name,
+ client, client_name,
+ server, server_name,
TRUE);
if(ret)
goto out;
@@ -884,10 +933,12 @@ _kdc_as_rep(krb5_context context,
memset(&ek, 0, sizeof(ek));
if(req->padata){
- int i = 0;
+ int i;
PA_DATA *pa;
int found_pa = 0;
+ log_patypes(context, config, req->padata);
+
#ifdef PKINIT
kdc_log(context, config, 5,
"Looking for PKINIT pa-data -- %s", client_name);
@@ -1171,7 +1222,7 @@ _kdc_as_rep(krb5_context context,
if (p && i + 1 < b->etype.len)
p = rk_strpoolprintf(p, ", ");
if (p == NULL) {
- kdc_log(context, config, 0, "out of meory");
+ kdc_log(context, config, 0, "out of memory");
goto out;
}
}
@@ -2410,8 +2461,8 @@ tgs_rep2(krb5_context context,
}
ret = _kdc_check_flags(context, config,
- &client->entry, cpn,
- &server->entry, spn,
+ client, cpn,
+ server, spn,
FALSE);
if(ret)
goto out;