summaryrefslogtreecommitdiffstats
path: root/src/kdc/dispatch.c
Commit message (Collapse)AuthorAgeFilesLines
* Move KDC PRNG reseed logic to a helper functionTom Yu2012-10-151-20/+29
|
* Eliminate some KDC globalsTom Yu2012-10-151-15/+33
| | | | | | Make kdc_active_realm a local variable in every function that needs it. Pass it around in various state structures as needed. Keep the macros that reference its members remain for now.
* Cache TGS-REPs tooTom Yu2012-09-271-1/+1
| | | | | | | | | | Changes in r25660 inadvertently failed to insert TGS-REPs into the lookaside cache. Call finish_dispatch_cache() at the end of dispatch() to handle this case. ticket: 7388 (new) target_version: 1.10.4 tags: pullup
* Clean up dispatch lookaside code slightlyGreg Hudson2012-01-261-17/+14
| | | | | | | | | | | | | Always log when we get a lookaside cache hit, eliminating a confusing conditional. This is a slight behavior change because we never used to log a lookaside cache hit when we can't deliver the response via UDP, but that was never really deliberate or important--we log all sorts of stuff about responses which might turn out to be too big. Also eliminate a signed/unsigned comparison warning in finish_dispatch. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25661 dc483132-0cff-0310-8789-dd5450dbe970
* Various lookaside cache fixesGreg Hudson2012-01-261-18/+22
| | | | | | | | | | | | | | | | | | | | | | | | | Don't touch the lookaside cache if we're responding with a lookaside cache entry. Also, leave the null entry behind if we're deliberately dropping a request (a rare case) so that we don't have to process it again. Fixes several lookaside problems in 1.10: * When dropping a request because it was already being processed, we were erroneously removing the null entry, causing us to process the request again upon a second retransmit. * When responding to a finished request with a lookaside entry, we were removing and re-adding the entry to the cache, resetting its time and performing unnecessary work. * We were not caching responses we couldn't deliver because they were too big for UDP, causing us to re-process the request when it came in again via TCP instead of simply delivering the cached response. ticket: 7082 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25660 dc483132-0cff-0310-8789-dd5450dbe970
* Make verto context available to kdcpreauth modulesGreg Hudson2011-11-151-3/+5
| | | | | | | | | | | | Add an event_context callback to kdcpreauth. Adjust the internal KDC and main loop interfaces to pass around the event context, and expose it to kdcpreauth modules via the rock. ticket: 7019 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25475 dc483132-0cff-0310-8789-dd5450dbe970
* Use zero-filled states for all async ops in KDCGreg Hudson2011-10-281-3/+3
| | | | | | | | | There have been a couple of uninitialized field bugs in the restructured KDC code, partly because compilers can't find these bugs as easily as they can find uninitialized local variable bugs. Use zero-filled state structures to make this type of bug less likely. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25422 dc483132-0cff-0310-8789-dd5450dbe970
* Drop retransmits while processing requestsGreg Hudson2011-10-151-7/+22
| | | | | | | | Supporting asynchronous preauth modules means that the KDC can receive a retransmitted request before it finishes processing the initial request. Ignore those retransmits instead of processing them. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25350 dc483132-0cff-0310-8789-dd5450dbe970
* Make do_as_req() respond via a callbackGreg Hudson2011-10-031-34/+70
| | | | | | From npmccallum@redhat.com with changes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25292 dc483132-0cff-0310-8789-dd5450dbe970
* Make dispatch() respond via a callbackGreg Hudson2011-10-031-14/+15
| | | | | | From npmccallum@redhat.com with changes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25291 dc483132-0cff-0310-8789-dd5450dbe970
* Adjust most C source files to match the new standards for copyrightGreg Hudson2011-03-091-5/+1
| | | | | | and license comments. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24695 dc483132-0cff-0310-8789-dd5450dbe970
* KDC denial of service attacks [MITKRB5-SA-2011-002 CVE-2011-0281 ↵Tom Yu2011-02-091-1/+2
| | | | | | | | | | | | | | | CVE-2011-0282 CVE-2011-0283] [CVE-2011-0281 CVE-2011-0282] Fix some LDAP back end principal name handling that could cause the KDC to hang or crash. [CVE-2011-0283] Fix a KDC null pointer dereference introduced in krb5-1.9. ticket: 6860 tags: pullup target_version: 1.9.1 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24622 dc483132-0cff-0310-8789-dd5450dbe970
* Eliminate a non-useful NULL check in the KDC's dispatch() function.Greg Hudson2010-04-221-1/+1
| | | | | | | | If process_as_req or process_tgs_req return successfully, they will always fill in *response. (If they didn't, the subsequence (*response)->length check would crash anyway.) git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23922 dc483132-0cff-0310-8789-dd5450dbe970
* Merge users/raeburn/branches/network-mergeKen Raeburn2010-03-171-1/+51
| | | | | | | | | | Re-integrates the forked versions of network.c in kdc and kadmin/server. Server-specific initialization and SIGHUP-reset code is moved into other source files; the more generic network-servicing code is merged and moved into apputils library already used by both programs. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23811 dc483132-0cff-0310-8789-dd5450dbe970
* Post-great-reindent check. Part IZhanna Tsitkov2009-11-121-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23151 dc483132-0cff-0310-8789-dd5450dbe970
* make mark-cstyleTom Yu2009-10-311-44/+45
| | | | | | make reindent git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23100 dc483132-0cff-0310-8789-dd5450dbe970
* Implement FAST from draft-ietf-krb-wg-preauth-frameworkSam Hartman2009-03-311-1/+2
| | | | | | | | | | | | Merge fast branch at 22146 onto trunk Implement the kerberos pre-authentication framework FAST feature per Projects/FAST on the wiki. ticket: 6436 Target_Version: 1.7 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22149 dc483132-0cff-0310-8789-dd5450dbe970
* In the KDC, remove krb4 request handling support and fakeka codeGreg Hudson2008-12-151-4/+0
| | | | | | | ticket: 6303 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21448 dc483132-0cff-0310-8789-dd5450dbe970
* Fix MITKRB5-SA-2008-001 on trunk. Patch differs from the released oneKen Raeburn2008-03-181-1/+1
| | | | | | | | for 1.6 because of code divergence. ticket: 5919 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20280 dc483132-0cff-0310-8789-dd5450dbe970
* Preauthentication Plugin FrameworkSam Hartman2006-10-031-1/+1
| | | | | | | | | | | | | Patch from Nalin Dahyabhai at Redhat to implement a preauthentication framework based on the plugin architecture. Currently. the API is considered internal and the header is not installed. See src/include/krb5/preauth_plugin.h for the interface. ticket: new Tags: enhancement Status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18641 dc483132-0cff-0310-8789-dd5450dbe970
* ipv4+ipv6 messages can trip up KDC replay detectionKen Raeburn2006-04-291-2/+2
| | | | | | | | | | | | | | | | | | | | The replay lookaside cache includes the sending address, but the krb5 library replay cache does not. So, if the same message arrives from two different source addresses, it is considered a replay by the KDC. If the client isn't receiving the replies for some reason, and the client has multiple addresses it uses to contact different addresses on the KDC (and trying to reach the KDC via both IPv4 and IPv6 is an obvious such case), this can cause errors to be returned by the KDC. * replay.c (krb5_kdc_replay_ent): Remove "addrs" field. (MATCH): Don't check it. (kdc_check_lookaside, kdc_insert_lookaside): Remove "from" argument. * kdc_util.h (kdc_check_lookaside, kdc_insert_lookaside): Update decls. * dispatch.c (dispatch): Update calls. ticket: new git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17970 dc483132-0cff-0310-8789-dd5450dbe970
* Delete definitions of unused macros NEED_SOCKETS and NEED_LOWLEVEL_IOKen Raeburn2005-04-131-1/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17177 dc483132-0cff-0310-8789-dd5450dbe970
* protoizeKen Raeburn2002-09-111-4/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14841 dc483132-0cff-0310-8789-dd5450dbe970
* * dispatch.c, do_as_req.c, do_tgs_req.c: Define NEED_SOCKETS before ↵Ken Raeburn2002-07-051-0/+1
| | | | | | including k5-int.h git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14603 dc483132-0cff-0310-8789-dd5450dbe970
* Reduce or localize dependencies on address families.Ken Raeburn2002-07-051-11/+2
| | | | | | | | | | | | | | | | * kdc_util.h (ADDRTYPE2FAMILY): New macro. * do_as_req.c (process_as_req): Use inet_ntop instead of inet_ntoa. * do_tgs_req.c (process_tgs_req): Ditto. * dispatch.c (dispatch): Fix inet_ntop code, and use it always. * kerberos_v4.c (process_v4): Check address family before copying out an IPv4 address. Log if not IPv4, but continue. * network.c (set_sa_port): New function. (setup_port): Use it. Combine IPv4 and IPv6 paths; IPv6 still disabled for now. Modify supplied sockaddr instead of making a copy. (process_packet): SADDR is now sockaddr_storage. Use socket-utils macros instead of casting. Enable the IPv6 code. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14602 dc483132-0cff-0310-8789-dd5450dbe970
* * dispatch.c (dispatch): Remove arg "portnum"; update callers.Ken Raeburn2002-06-261-7/+6
| | | | | | | | | | | * do_as_req.c (process_as_req): Ditto. * do_tgs_req.c (process_tgs_req): Ditto. * kerberos_v4.c (process_v4): Remove arg "is_secondary"; update callers. * kdc_util.h (dispatch, process_as_req, process_tgs_req, process_v4): Update prototypes. * main.c (init_realm): Remove unused variable. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14585 dc483132-0cff-0310-8789-dd5450dbe970
* KDC support for new PRNGSam Hartman2002-01-081-1/+23
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14090 dc483132-0cff-0310-8789-dd5450dbe970
* * dispatch.c (dispatch): inet_ntop() returns const char *Ezra Peisach2000-09-201-4/+3
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12660 dc483132-0cff-0310-8789-dd5450dbe970
* * kdc_preauth.c (verify_sam_response): Declare and set rc_lifetimeTom Yu2000-03-011-1/+4
| | | | | | | | | for real. * dispatch.c: Include some more net-related headers. (dispatch): Fix ifndef HAVE_INET_NTOP branch. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12091 dc483132-0cff-0310-8789-dd5450dbe970
* * dispatch.c (dispatch): Log address and port number of detected retransmitsKen Raeburn2000-01-271-1/+20
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11977 dc483132-0cff-0310-8789-dd5450dbe970
* * dispatch.c (dispatch): Make message in lookaside case less suggestive ofKen Raeburn1999-10-291-1/+1
| | | | | | | replay attacks, since it can result from normal packet loss causing retransmissions. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11889 dc483132-0cff-0310-8789-dd5450dbe970
* copyright notice updates from 1.1 branchKen Raeburn1999-09-241-1/+4
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11853 dc483132-0cff-0310-8789-dd5450dbe970
* Disable lookaside cache. It's needed if the replay cache is enabled, and couldKen Raeburn1999-06-301-0/+4
| | | | | | | | | theoretically make certain attacks more difficult, but the replay cache is disabled, the attack is very difficult compared to other existing attacks (would need huge numbers of queries), and under heavy load the lookaside cache degrades performance. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11538 dc483132-0cff-0310-8789-dd5450dbe970
* * replay.c (kdc_check_lookaside):Tom Yu1998-07-221-2/+2
| | | | | | | | | | | | | | | | (kdc_insert_lookaside): Add code to originating address of packet, as krb4 initial ticket requests don't contain an address. This would cause a subtle problem wherein two simultaneous krb4 initial ticket requests for the same principal originating from different addresses would result in both replies containing the same address. * kdc_util.h: Modify prototype for lookaside functions. * dispatch.c (dispatch): Update to new calling conventions of the lookaside functions. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10713 dc483132-0cff-0310-8789-dd5450dbe970
* network.c (setup_network):Theodore Tso1995-10-061-5/+5
| | | | | | | | | | | | | | | | | | | | | main.c (initialize_realms): Massive revamp of how the network ports are setup. The default port list for a realm is read from [kdcdefaults]/kdc_ports from the kdc.conf file. For each realm, a list of ports can be specified in [realms]/<realm>/kdc_ports. extern.h (kdc_realm_t): Remove realm_pport and realm_sport, and added realm_ports. do_tgs_req.c (process_tgs_req): do_as_req.c (process_as_req): dispatch.c (dispatch): Pass the portnumber of the incoming request down to process_as_req and process_tgs_req, instead of the boolean "is_secondary". kerberos_v4.c (kerb_get_principal, kerberos_v4): Fix gcc -Wall flames, by fixing signed vs. unsigned types. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6937 dc483132-0cff-0310-8789-dd5450dbe970
* Multiple realm supportPaul Park1995-06-231-1/+7
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6137 dc483132-0cff-0310-8789-dd5450dbe970
* dispatch.c, kdc_util.h, kerberos_v4.c: Use KRB5_KRB4_COMPAT instead ofTheodore Tso1995-06-091-1/+1
| | | | | | | | | | | | | KRB4 for determining whether to compile in Kerberos V4 backwards compatibility configure.in: Remove standardized set of autoconf macros, which are now handled by CONFIG_RULES. do_as_req.c, do_tgs_req.c, kdc_util.c, kerberos_v4.c, main.c, network.c: Fix -Wall nits. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6016 dc483132-0cff-0310-8789-dd5450dbe970
* Update kadmind5 to use new logging routinesPaul Park1995-06-081-1/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@5976 dc483132-0cff-0310-8789-dd5450dbe970
* * *.[ch]: Avoid <krb5/...> and <com_err.h> includesJohn Gilmore1995-02-281-5/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@5031 dc483132-0cff-0310-8789-dd5450dbe970
* Removed all references to DECLARG and OLDDECLARG.Chris Provenzano1995-01-131-1/+2
| | | | | | Added krb5_context to all krb5_*() routines. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@4815 dc483132-0cff-0310-8789-dd5450dbe970
* stamp out rcs keywordsMark Eichin1994-08-181-6/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@4190 dc483132-0cff-0310-8789-dd5450dbe970
* Change export warning notice from "is assumed to require an export license"Theodore Tso1993-09-011-2/+2
| | | | | | to "may require..." git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@2638 dc483132-0cff-0310-8789-dd5450dbe970
* Pass in actual packet to process_tgs_req so that two different checksummingTheodore Tso1993-06-031-5/+1
| | | | | | can be done, in case of ASN.1 screwup. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@2578 dc483132-0cff-0310-8789-dd5450dbe970
* Modifications so that whether something came in on the secondary orTheodore Tso1992-09-011-7/+8
| | | | | | primary port is logged. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@2377 dc483132-0cff-0310-8789-dd5450dbe970
* Update copyright noticeJohn Kohl1991-06-061-2/+16
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@2156 dc483132-0cff-0310-8789-dd5450dbe970
* XXX not appropriateJohn Kohl1991-04-191-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@2017 dc483132-0cff-0310-8789-dd5450dbe970
* only insert the replay if we succeeded in generating a replyJohn Kohl1991-02-141-1/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@1693 dc483132-0cff-0310-8789-dd5450dbe970
* add replay lookaside call-outsJohn Kohl1991-02-131-1/+12
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@1683 dc483132-0cff-0310-8789-dd5450dbe970
* conditionalize v4 supportJohn Kohl1990-12-201-1/+4
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@1577 dc483132-0cff-0310-8789-dd5450dbe970
* changed process_v4() stub & its call to have three arguments,Donald Davis1990-10-111-1/+1
| | | | | | | so that dispatch() will correspond to the real process_v4() in kerberos_v4.c . git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@1248 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2026-01-07 09:50:50 +0000