pull up r18817 as prereq for r19536
authorTom Yu <tlyu@mit.edu>
Wed, 20 Jun 2007 01:40:34 +0000 (01:40 +0000)
committerTom Yu <tlyu@mit.edu>
Wed, 20 Jun 2007 01:40:34 +0000 (01:40 +0000)
 r18817@cathode-dark-space:  raeburn | 2006-11-15 20:20:47 -0500
 * rd_req_dec.c: Whitespace changes in function headers.
 (krb5_rd_req_decoded_opt): Include more info in error text for AP_WRONG_PRINC
 and NOPERM_ETYPE errors.

ticket: 5551

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@19597 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/krb5/krb/rd_req_dec.c

index 3c398aed1a947addb1c4d6be0c083c265f0623a8..6f53b11c95d16fb7d132f140588a3a36560f1972 100644 (file)
@@ -87,13 +87,25 @@ krb5_rd_req_decrypt_tkt_part(krb5_context context, const krb5_ap_req *req, krb5_
 }
 
 static krb5_error_code
-krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, const krb5_ap_req *req, krb5_const_principal server, krb5_keytab keytab, krb5_flags *ap_req_options, krb5_ticket **ticket, int check_valid_flag)
+krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
+                       const krb5_ap_req *req, krb5_const_principal server,
+                       krb5_keytab keytab, krb5_flags *ap_req_options,
+                       krb5_ticket **ticket, int check_valid_flag)
 {
     krb5_error_code      retval = 0;
     krb5_timestamp       currenttime;
 
-    if (server && !krb5_principal_compare(context, server, req->ticket->server))
+    if (server && !krb5_principal_compare(context, server, req->ticket->server)) {
+       char *found_name = 0, *wanted_name = 0;
+       if (krb5_unparse_name(context, server, &wanted_name) == 0
+           && krb5_unparse_name(context, req->ticket->server, &found_name) == 0)
+           krb5_set_error_message(context, KRB5KRB_AP_WRONG_PRINC,
+                                  "Wrong principal in request (found %s, wanted %s)",
+                                  found_name, wanted_name);
+       krb5_free_unparsed_name(context, wanted_name);
+       krb5_free_unparsed_name(context, found_name);
        return KRB5KRB_AP_WRONG_PRINC;
+    }
 
     /* if (req->ap_options & AP_OPTS_USE_SESSION_KEY)
        do we need special processing here ?    */
@@ -241,15 +253,21 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, c
     if ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_PERMIT_ALL) {
        /* no etype check needed */;
     } else if ((*auth_context)->permitted_etypes == NULL) {
+       int etype;
        /* check against the default set */
        if ((!krb5_is_permitted_enctype(context,
-                                       req->ticket->enc_part.enctype)) ||
+                                       etype = req->ticket->enc_part.enctype)) ||
            (!krb5_is_permitted_enctype(context,
-                                       req->ticket->enc_part2->session->enctype)) ||
+                                       etype = req->ticket->enc_part2->session->enctype)) ||
            (((*auth_context)->authentp->subkey) &&
             !krb5_is_permitted_enctype(context,
-                                       (*auth_context)->authentp->subkey->enctype))) {
+                                       etype = (*auth_context)->authentp->subkey->enctype))) {
+           char enctype_name[30];
            retval = KRB5_NOPERM_ETYPE;
+           if (krb5_enctype_to_string(etype, enctype_name, sizeof(enctype_name)) == 0)
+               krb5_set_error_message(context, retval,
+                                      "Encryption type %s not permitted",
+                                      enctype_name);
            goto cleanup;
        }
     } else {
@@ -261,7 +279,13 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, c
                req->ticket->enc_part.enctype)
                break;
        if (!(*auth_context)->permitted_etypes[i]) {
+           char enctype_name[30];
            retval = KRB5_NOPERM_ETYPE;
+           if (krb5_enctype_to_string(req->ticket->enc_part.enctype,
+                                      enctype_name, sizeof(enctype_name)) == 0)
+               krb5_set_error_message(context, retval,
+                                      "Encryption type %s not permitted",
+                                      enctype_name);
            goto cleanup;
        }
        
@@ -270,7 +294,13 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, c
                req->ticket->enc_part2->session->enctype)
                break;
        if (!(*auth_context)->permitted_etypes[i]) {
+           char enctype_name[30];
            retval = KRB5_NOPERM_ETYPE;
+           if (krb5_enctype_to_string(req->ticket->enc_part2->session->enctype,
+                                      enctype_name, sizeof(enctype_name)) == 0)
+               krb5_set_error_message(context, retval,
+                                      "Encryption type %s not permitted",
+                                      enctype_name);
            goto cleanup;
        }
        
@@ -280,7 +310,14 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, c
                    (*auth_context)->authentp->subkey->enctype)
                    break;
            if (!(*auth_context)->permitted_etypes[i]) {
+               char enctype_name[30];
                retval = KRB5_NOPERM_ETYPE;
+               if (krb5_enctype_to_string((*auth_context)->authentp->subkey->enctype,
+                                          enctype_name,
+                                          sizeof(enctype_name)) == 0)
+                   krb5_set_error_message(context, retval,
+                                          "Encryption type %s not permitted",
+                                          enctype_name);
                goto cleanup;
            }
        }
@@ -337,7 +374,10 @@ cleanup:
 }
 
 krb5_error_code
-krb5_rd_req_decoded(krb5_context context, krb5_auth_context *auth_context, const krb5_ap_req *req, krb5_const_principal server, krb5_keytab keytab, krb5_flags *ap_req_options, krb5_ticket **ticket)
+krb5_rd_req_decoded(krb5_context context, krb5_auth_context *auth_context,
+                   const krb5_ap_req *req, krb5_const_principal server,
+                   krb5_keytab keytab, krb5_flags *ap_req_options,
+                   krb5_ticket **ticket)
 {
   krb5_error_code retval;
   retval = krb5_rd_req_decoded_opt(context, auth_context,
@@ -348,7 +388,11 @@ krb5_rd_req_decoded(krb5_context context, krb5_auth_context *auth_context, const
 }
 
 krb5_error_code
-krb5_rd_req_decoded_anyflag(krb5_context context, krb5_auth_context *auth_context, const krb5_ap_req *req, krb5_const_principal server, krb5_keytab keytab, krb5_flags *ap_req_options, krb5_ticket **ticket)
+krb5_rd_req_decoded_anyflag(krb5_context context,
+                           krb5_auth_context *auth_context,
+                           const krb5_ap_req *req,
+                           krb5_const_principal server, krb5_keytab keytab,
+                           krb5_flags *ap_req_options, krb5_ticket **ticket)
 {
   krb5_error_code retval;
   retval = krb5_rd_req_decoded_opt(context, auth_context,
@@ -359,7 +403,8 @@ krb5_rd_req_decoded_anyflag(krb5_context context, krb5_auth_context *auth_contex
 }
 
 static krb5_error_code
-decrypt_authenticator(krb5_context context, const krb5_ap_req *request, krb5_authenticator **authpp, int is_ap_req)
+decrypt_authenticator(krb5_context context, const krb5_ap_req *request,
+                     krb5_authenticator **authpp, int is_ap_req)
 {
     krb5_authenticator *local_auth;
     krb5_error_code retval;
@@ -390,4 +435,3 @@ free(scratch.data);}
     clean_scratch();
     return retval;
 }
-