diff options
Diffstat (limited to 'source4/heimdal/kdc/kerberos5.c')
-rw-r--r-- | source4/heimdal/kdc/kerberos5.c | 97 |
1 files changed, 74 insertions, 23 deletions
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index 3f9dcd12f8..68720d692e 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: kerberos5.c,v 1.201 2005/12/14 12:17:58 lha Exp $"); +RCSID("$Id: kerberos5.c,v 1.206 2006/04/02 01:54:37 lha Exp $"); #define MAX_TIME ((time_t)((1U << 31) - 1)) @@ -209,6 +209,50 @@ log_timestamp(krb5_context context, type, authtime_str, starttime_str, endtime_str, renewtime_str); } +static void +log_patypes(krb5_context context, + krb5_kdc_configuration *config, + METHOD_DATA *padata) +{ + struct rk_strpool *p = NULL; + char *str; + int i; + + for (i = 0; i < padata->len; i++) { + switch(padata->val[i].padata_type) { + case KRB5_PADATA_PK_AS_REQ: + p = rk_strpoolprintf(p, "PK-INIT(ietf)"); + break; + case KRB5_PADATA_PK_AS_REQ_WIN: + p = rk_strpoolprintf(p, "PK-INIT(win2k)"); + break; + case KRB5_PADATA_PA_PK_OCSP_RESPONSE: + p = rk_strpoolprintf(p, "OCSP"); + break; + case KRB5_PADATA_ENC_TIMESTAMP: + p = rk_strpoolprintf(p, "encrypted-timestamp"); + break; + default: + p = rk_strpoolprintf(p, "%d", padata->val[i].padata_type); + break; + } + if (p && i + 1 < padata->len) + p = rk_strpoolprintf(p, ", "); + if (p == NULL) { + kdc_log(context, config, 0, "out of memory"); + return; + } + } + str = rk_strpoolcollect(p); + kdc_log(context, config, 0, "Client sent patypes: %s", str); + free(str); +} + +/* + * + */ + + static krb5_error_code encode_reply(krb5_context context, krb5_kdc_configuration *config, @@ -642,11 +686,13 @@ get_pa_etype_info2(krb5_context context, krb5_error_code _kdc_check_flags(krb5_context context, krb5_kdc_configuration *config, - hdb_entry *client, const char *client_name, - hdb_entry *server, const char *server_name, + hdb_entry_ex *client_ex, const char *client_name, + hdb_entry_ex *server_ex, const char *server_name, krb5_boolean is_as_req) { - if(client != NULL) { + if(client_ex != NULL) { + hdb_entry *client = &client_ex->entry; + /* check client */ if (client->flags.invalid) { kdc_log(context, config, 0, @@ -680,8 +726,8 @@ _kdc_check_flags(krb5_context context, return KRB5KDC_ERR_NAME_EXP; } - if (client->pw_end && *client->pw_end < kdc_time - && !server->flags.change_pw) { + if (client->pw_end && *client->pw_end < kdc_time + && (server_ex == NULL || !server_ex->entry.flags.change_pw)) { char pwend_str[100]; krb5_format_time(context, *client->pw_end, pwend_str, sizeof(pwend_str), TRUE); @@ -694,7 +740,9 @@ _kdc_check_flags(krb5_context context, /* check server */ - if (server != NULL) { + if (server_ex != NULL) { + hdb_entry *server = &server_ex->entry; + if (server->flags.invalid) { kdc_log(context, config, 0, "Server has invalid flag set -- %s", server_name); @@ -762,27 +810,28 @@ check_addresses(krb5_context context, krb5_boolean result; krb5_boolean only_netbios = TRUE; int i; - + if(config->check_ticket_addresses == 0) return TRUE; - if(addresses == NULL) + if(addresses == NULL) return config->allow_null_ticket_addresses; - + for (i = 0; i < addresses->len; ++i) { - if (addresses->val[i].addr_type != KRB5_ADDRESS_NETBIOS) { - only_netbios = FALSE; - } + if (addresses->val[i].addr_type != KRB5_ADDRESS_NETBIOS) { + only_netbios = FALSE; + } } /* Windows sends it's netbios name, which I can only assume is - * used for the 'allowed workstations' check. This is painful, but - * we still want to check IP addresses if they happen to be - * present. */ + * used for the 'allowed workstations' check. This is painful, + * but we still want to check IP addresses if they happen to be + * present. + */ if(only_netbios) return config->allow_null_ticket_addresses; - + ret = krb5_sockaddr2address (context, from, &addr); if(ret) return FALSE; @@ -867,8 +916,8 @@ _kdc_as_rep(krb5_context context, } ret = _kdc_check_flags(context, config, - &client->entry, client_name, - &server->entry, server_name, + client, client_name, + server, server_name, TRUE); if(ret) goto out; @@ -884,10 +933,12 @@ _kdc_as_rep(krb5_context context, memset(&ek, 0, sizeof(ek)); if(req->padata){ - int i = 0; + int i; PA_DATA *pa; int found_pa = 0; + log_patypes(context, config, req->padata); + #ifdef PKINIT kdc_log(context, config, 5, "Looking for PKINIT pa-data -- %s", client_name); @@ -1171,7 +1222,7 @@ _kdc_as_rep(krb5_context context, if (p && i + 1 < b->etype.len) p = rk_strpoolprintf(p, ", "); if (p == NULL) { - kdc_log(context, config, 0, "out of meory"); + kdc_log(context, config, 0, "out of memory"); goto out; } } @@ -2410,8 +2461,8 @@ tgs_rep2(krb5_context context, } ret = _kdc_check_flags(context, config, - &client->entry, cpn, - &server->entry, spn, + client, cpn, + server, spn, FALSE); if(ret) goto out; |