do_as_req.c revision 3125ebfc35130d243e775dc38a6a59be4df0b137
/*
* Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
/*
*
* Copyright 1990,1991 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
*
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. Furthermore if you modify this software you must label
* your software as modified software and not distribute it in such a
* fashion that it might be confused with the original M.I.T. software.
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*
*
* KDC Routines to deal with AS_REQ's
*/
#define NEED_SOCKETS
#include "k5-int.h"
#include "com_err.h"
#include <syslog.h>
#ifdef HAVE_NETINET_IN_H
#ifndef hpux
#endif /* hpux */
#endif /* HAVE_NETINET_IN_H */
#include "kdc_util.h"
#include "policy.h"
#include "adm.h"
#include "adm_proto.h"
#include "extern.h"
krb5_data **, const char *);
/*ARGSUSED*/
/*
 * process_as_req -- handle one AS_REQ and produce either a KDC_REP or a
 * KRB-ERROR. (The signature and a large number of statement lines were
 * dropped from this listing; the identification of this body as
 * process_as_req rests on the SUNW14resync comment further down, which
 * names it.)
 *
 * Error-path convention visible throughout: each failure sets `status` to
 * a short upper-case token and jumps to errout (the label itself is on a
 * dropped line). The token is what reaches the KDC log via the failure
 * branch at the bottom, so these strings form the audit vocabulary for
 * this request type and should be treated as stable identifiers.
 */
{
const char *status;
#ifdef KRBCONF_KDC_MODIFIES_KDB
/* update_client (its declaration presumably sits here on a dropped line)
 * records that the client's KDB entry was changed -- it is set on preauth
 * failure and on success below, and consumed in the cleanup path. */
#endif /* KRBCONF_KDC_MODIFIES_KDB */
register int i;
const char *fromstring = 0;
char ktypestr[128];
char rep_etypestr[128];
char fromstringbuf[70];
/* Render the requester's address for logging. Only the tail of the
 * call survives here; "<unknown>" is the fallback when it yields nothing. */
sizeof (struct in_addr));
&from_in4,
fromstringbuf, sizeof(fromstringbuf));
if (!fromstring)
fromstring = "<unknown>";
/* Presence and unparsing of the client and server principal names. Each
 * guarding condition is on a dropped line; only the failure arms remain. */
status = "NULL_CLIENT";
goto errout;
}
status = "UNPARSING_CLIENT";
goto errout;
}
status = "NULL_SERVER";
goto errout;
}
status = "UNPARSING_SERVER";
goto errout;
}
/* c_nprincs doubles as the "client entry was fetched and must be released"
 * flag checked by the cleanup code at the bottom (`if (c_nprincs)`), which
 * is why it is set to 1 before the lookup and cleared on lookup failure. */
c_nprincs = 1;
status = "LOOKING_UP_CLIENT";
c_nprincs = 0;
goto errout;
}
if (more) {
status = "NON-UNIQUE_CLIENT";
goto errout;
} else if (c_nprincs != 1) {
status = "CLIENT_NOT_FOUND";
#ifdef KRBCONF_VAGUE_ERRORS
/* The two arms select the error code sent back to the (as yet
 * unauthenticated) requester; both assignments are on dropped lines.
 * NOTE(review): the VAGUE variant presumably keeps "client not found"
 * indistinguishable from other failures so the reply cannot be used to
 * enumerate principals -- confirm against the dropped lines. The same
 * switch appears again on the PREAUTH_FAILED path below. */
#else
#endif
goto errout;
}
/* Same fetch/flag pattern for the server entry (`if (s_nprincs)` below). */
s_nprincs = 1;
status = "LOOKING_UP_SERVER";
goto errout;
}
if (more) {
status = "NON-UNIQUE_SERVER";
goto errout;
} else if (s_nprincs != 1) {
status = "SERVER_NOT_FOUND";
goto errout;
}
/* Failure to obtain the current time; the call is on a dropped line. */
status = "TIMEOFDAY";
goto errout;
}
/* Request-policy check (call on a dropped line). It supplies its own
 * status string; UNKNOWN_REASON is only the fallback when it left none. */
if (!status)
status = "UNKNOWN_REASON";
goto errout;
}
/*
 * Select the keytype for the ticket session key.
 */
/* unsupported ktype */
status = "BAD_ENCRYPTION_TYPE";
goto errout;
}
/* session_key is released in the cleanup path (`if (session_key.contents)`),
 * so a failure here must not leave it half-initialised. */
&session_key))) {
/* random key failed */
status = "RANDOM_KEY_FAILED";
goto errout;
}
enc_tkt_reply.flags = 0;
/* It should be noted that local policy may affect the */
/* processing of any of these flags. For example, some */
/* realms may refuse to issue renewable tickets */
} else
/* These numbers could easily be large
 * use long long variables to ensure that they don't
 * result in negative values when added.
 */
/* we set the RENEWABLE option for later processing */
}
/*
 * XXX Should we squelch the output renew_till to be no
 * earlier than the endtime of the ticket?
 */
} else
/* starttime is optional, and treated as authtime if not present.
so we can nuke it if it matches */
/*
 * Check the preauthentication if it is there.
 */
if (errcode) {
#ifdef KRBCONF_KDC_MODIFIES_KDB
/*
 * Note: this doesn't work if you're using slave servers!!!
 * It also causes the database to be modified (and thus
 * need to be locked) frequently.
 */
/* Failed-preauth bookkeeping on the client entry (the increment itself is
 * on a dropped line; the matching reset to 0 on success is below). With
 * slave servers each replica counts independently, as the note above
 * warns, so this counter cannot be relied on as a realm-wide lockout. */
}
}
update_client = 1;
#endif
status = "PREAUTH_FAILED";
#ifdef KRBCONF_VAGUE_ERRORS
/* Error-code selection for the requester, as for CLIENT_NOT_FOUND above. */
#endif
goto errout;
}
}
/*
 * Final check before handing out ticket: If the client requires
 * preauthentication, verify that the proper kind of
 * preauthentication was carried out.
 */
if (status) {
goto errout;
}
/*
 * Find the server key
 */
-1, /* ignore keytype */
-1, /* Ignore salttype */
0, /* Get highest kvno */
&server_key))) {
status = "FINDING_SERVER_KEY";
goto errout;
}
/* convert server.key into a real key (it may be encrypted
in the database) */
NULL))) {
status = "DECRYPT_SERVER_KEY";
goto errout;
}
/* The ticket has been encrypted and the decrypted server key released on
 * dropped lines just above; nulling contents here keeps the cleanup path's
 * `if (encrypting_key.contents)` from freeing it a second time. */
encrypting_key.contents = 0;
if (errcode) {
status = "ENCRYPTING_TICKET";
goto errout;
}
/*
 * Find the appropriate client key. We search in the order specified
 * by request keytype list.
 */
/* In the visible lines the only filter on the requester-supplied enctype
 * list is krb5_c_valid_enctype (is the type known at all); the first
 * enctype for which the client has a key wins. Any enctype-strength policy
 * would have to live on the dropped lines or in the KDB entry -- TODO confirm. */
if (!krb5_c_valid_enctype(useenctype))
continue;
0, &client_key))
break;
}
if (!(client_key)) {
/* Cannot find an appropriate key */
status = "CANT_FIND_CLIENT_KEY";
goto errout;
}
/* convert client.key_data into a real key */
/* encrypting_key is reused here for the client's key. */
NULL))) {
status = "DECRYPT_CLIENT_KEY";
goto errout;
}
/* Start assembling the response */
status = "FETCH_LAST_REQ";
goto errout;
}
/*
 * Take the minimum of expiration or pw_expiration if not zero.
 */
else
/* copy the time fields EXCEPT for authtime; it's location
is used for ktime */
/* Fetch the padata info to be returned */
if (errcode) {
status = "KDC_RETURN_PADATA";
goto errout;
}
/* Client key released on a dropped line; nulled for the same reason as
 * after the ticket encryption above. */
encrypting_key.contents = 0;
if (errcode) {
status = "ENCODE_KDC_REP";
goto errout;
}
/* these parts are left on as a courtesy from krb5_encode_kdc_rep so we
can use them in raw form if needed. But, we don't... */
/* SUNW14resync:
 * The third argument to audit_krb5kdc_as_req() is zero as the local
 * portnumber is no longer passed to process_as_req().
 */
/* Success record: the format below is the ISSUE line operators and
 * detection rules key on; keep its shape stable. */
"AS_REQ (%s) %s: ISSUE: authtime %d, "
"%s, %s for %s",
#ifdef KRBCONF_KDC_MODIFIES_KDB
/*
 * If we get this far, we successfully did the AS_REQ.
 */
client.fail_auth_count = 0;
update_client = 1;
#endif /* KRBCONF_KDC_MODIFIES_KDB */
/* errout: (label on a dropped line). Failure logging, error-reply
 * construction and release of every resource acquired above. */
if (status) {
}
if (errcode) {
if (status == 0)
status);
}
if (encrypting_key.contents)
if (cname)
if (sname)
if (c_nprincs) {
#ifdef KRBCONF_KDC_MODIFIES_KDB
if (update_client) {
/*
 * ptooey. We want krb5_db_sync() or something like that.
 */
/* Write the modified client entry back; this happens on both the
 * preauth-failure and the success path, so it runs for every request
 * when this option is compiled in. */
if (kdc_active_realm->realm_dbname)
/* Reset master key */
}
#endif /* KRBCONF_KDC_MODIFIES_KDB */
}
if (s_nprincs)
if (session_key.contents)
}
return errcode;
}
/*
 * Builds the error reply for a failed AS_REQ. The parameter line was
 * dropped from this listing; the name prepare_error_as is inferred from
 * the prototype fragment `krb5_data **, const char *);` near the top of the
 * file. Allocation failures are reported as ENOMEM; other failures pass the
 * callee's retval through unchanged. The conditions guarding each return
 * are on dropped lines.
 */
static krb5_error_code
{
return(retval);
return ENOMEM;
return ENOMEM;
}
} else {
}
if (retval)
else
return retval;
}