diff options
author | Ken Raeburn <raeburn@mit.edu> | 2008-08-25 19:43:03 +0000 |
---|---|---|
committer | Ken Raeburn <raeburn@mit.edu> | 2008-08-25 19:43:03 +0000 |
commit | 2f2343584826983a4920fbad2a0248a42b584cf8 (patch) | |
tree | fb1dac3ca2b6bbd66bb701336d5fa52498b5b78e /src/lib/krb5/krb/rd_req_dec.c | |
parent | 57bd520a5037c2194adefb80cc7c13a06dbee42d (diff) | |
download | krb5-2f2343584826983a4920fbad2a0248a42b584cf8.tar.gz krb5-2f2343584826983a4920fbad2a0248a42b584cf8.tar.xz krb5-2f2343584826983a4920fbad2a0248a42b584cf8.zip |
Incorporate Apple's patch
Add a test authorization data scheme, in both built-in and plugin
forms; built-in version is #ifdef'ed out. Update configury to create
the build directory for the plugin, but don't build or install it by
default.
Create the new (and normally empty) authorization data plugin
directory at install time.
Add some (normally disabled) code to log authz data from rd_req.
Fix up some comments that still refer to preauth plugins. Add some
details in comments on the API, and why it's private for now.
Make the plugin init context support work, by not passing null
pointers.
ticket: 5565
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20691 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb5/krb/rd_req_dec.c')
-rw-r--r-- | src/lib/krb5/krb/rd_req_dec.c | 29 |
1 files changed, 28 insertions, 1 deletions
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c index ed707d11e..e93551a54 100644 --- a/src/lib/krb5/krb/rd_req_dec.c +++ b/src/lib/krb5/krb/rd_req_dec.c @@ -103,6 +103,30 @@ krb5_rd_req_decrypt_tkt_part(krb5_context context, const krb5_ap_req *req, return retval; } +#if 0 +#include <syslog.h> +static void +debug_log_authz_data(const char *which, krb5_authdata **a) +{ + if (a) { + syslog(LOG_ERR|LOG_DAEMON, "%s authz data:", which); + while (*a) { + syslog(LOG_ERR|LOG_DAEMON, " ad_type:%d length:%d '%.*s'", + (*a)->ad_type, (*a)->length, (*a)->length, + (char *) (*a)->contents); + a++; + } + syslog(LOG_ERR|LOG_DAEMON, " [end]"); + } else + syslog(LOG_ERR|LOG_DAEMON, "no %s authz data", which); +} +#else +static void +debug_log_authz_data(const char *which, krb5_authdata **a) +{ +} +#endif + static krb5_error_code krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, const krb5_ap_req *req, krb5_const_principal server, @@ -143,7 +167,7 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, if ((*auth_context)->keyblock) { /* User to User authentication */ if ((retval = krb5_decrypt_tkt_part(context, (*auth_context)->keyblock, req->ticket))) -goto cleanup; + goto cleanup; krb5_free_keyblock(context, (*auth_context)->keyblock); (*auth_context)->keyblock = NULL; } else { @@ -368,6 +392,8 @@ goto cleanup; &((*auth_context)->keyblock)))) goto cleanup; + debug_log_authz_data("ticket", req->ticket->enc_part2->authorization_data); + /* * If not AP_OPTS_MUTUAL_REQUIRED then and sequence numbers are used * then the default sequence number is the one's complement of the @@ -457,6 +483,7 @@ free(scratch.data);} /* now decode the decrypted stuff */ if (!(retval = decode_krb5_authenticator(&scratch, &local_auth))) { *authpp = local_auth; + debug_log_authz_data("authenticator", local_auth->authorization_data); } clean_scratch(); return retval; |