kdc_preauth.c (check_padata): Fixed error handling; in order for
authorTheodore Tso <tytso@mit.edu>
Thu, 7 Nov 1996 17:31:20 +0000 (17:31 +0000)
committerTheodore Tso <tytso@mit.edu>
Thu, 7 Nov 1996 17:31:20 +0000 (17:31 +0000)
check_preauth to return successfully, there must be at least one
preauth which succeeded, and no REQUIRED preauth system which failed.
If a preauth is marked SUFFICIENT, then the rest of the preauth list
aren't checked.  Fixed bug where when none of the preauth types were
recognized, an error message corresponding to stack garbage was
printed.

main.c (argv): Check the error return from krb5_init_context(), and
print an error message if necessary.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@9323 dc483132-0cff-0310-8789-dd5450dbe970

src/kdc/ChangeLog
src/kdc/kdc_preauth.c
src/kdc/main.c

index 53b5dc034d6eebaedb1b71e7105af044bb00747c..dd74460814fa8166f5a1d7f2eff30d1ef1b46450 100644 (file)
@@ -1,3 +1,18 @@
+Thu Nov  7 12:27:21 1996  Theodore Ts'o  <tytso@rsts-11.mit.edu>
+
+       * kdc_preauth.c (check_padata): Fixed error handling; in order for
+               check_preauth to return successfully, there must be at
+               least one preauth which succeeded, and no REQUIRED preauth
+               system which failed.  If a preauth is marked SUFFICIENT,
+               then the rest of the preauth list aren't checked.  Fixed
+               bug where when none of the preauth types were recognized,
+               an error message corresponding to stack garbage was printed.
+
+Wed Nov  6 12:00:48 1996  Theodore Ts'o  <tytso@rsts-11.mit.edu>
+
+       * main.c (argv): Check the error return from krb5_init_context(),
+               and print an error message if necessary.
+
 Mon Nov  4 22:29:30 1996  Theodore Y. Ts'o  <tytso@mit.edu>
 
        * main.c (initialize_realms): Remove rather pointless use of
index 67b348bcea157f2057a9bc12154d2658988ffe53..0350068f998b186b738ed329486936ab4065ccb3 100644 (file)
@@ -234,9 +234,10 @@ check_padata (context, client, request, enc_tkt_reply)
     krb5_kdc_req *     request;
     krb5_enc_tkt_part * enc_tkt_reply;
 {
-    krb5_error_code retval;
+    krb5_error_code retval = 0;
     krb5_pa_data **padata;
     krb5_preauth_systems *pa_sys;
+    int                        pa_ok = 0, pa_found = 0;
 
     if (request->padata == 0)
        return 0;
@@ -246,20 +247,26 @@ check_padata (context, client, request, enc_tkt_reply)
            continue;
        if (pa_sys->verify_padata == 0)
            continue;
+       pa_found++;
        retval = pa_sys->verify_padata(context, client, request,
                                       enc_tkt_reply, *padata);
        if (retval) {
-           if (pa_sys->flags & PA_REQUIRED)
+           com_err("krb5kdc", retval, "pa verify failure");
+           if (pa_sys->flags & PA_REQUIRED) {
+               pa_ok = 0;
                break;
+           }
        } else {
-           if (pa_sys->flags & PA_SUFFICIENT)
+           pa_ok = 1;
+           if (pa_sys->flags & PA_SUFFICIENT) 
                break;
        }
     }
-if (retval) com_err("krb5kdc", retval, "pa verify failure");
-    if (retval)
-       retval = KRB5KDC_ERR_PREAUTH_FAILED;
-    return retval;
+    if (pa_ok)
+       return 0;
+    if (!pa_found)
+       com_err("krb5kdc", retval, "no valid preauth type found");
+    return KRB5KDC_ERR_PREAUTH_FAILED;
 }
 
 /*
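Review bot: The `PA_SUFFICIENT` branch breaks out as soon as one such entry verifies, so a `PA_REQUIRED` entry that comes later in the list is never verified and `pa_ok` stays 1. The loop header is outside this hunk, but the list appears to be `request->padata`, so the order of entries, and whether a required type is present at all, would follow the request rather than the KDC's own preauth table. If that is intended, say so above the loop, e.g. `/* A SUFFICIENT success ends the scan; REQUIRED entries after it in the request are not verified. */`; if not, the required systems need to be checked independently of list order. Separately, the final `com_err` passes `retval`, which is still 0 when `pa_found` is 0 unless the lines between the two hunks assign it, so `com_err("krb5kdc", 0, "no valid preauth type found");` would state the intent directly.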
index 5ade65930da3571bf2682327ee7c5a38e824f25a..dd4ae76871c8e0dd14ec00ead3de84a2c45736ba 100644 (file)
@@ -882,8 +882,11 @@ char *argv[];
      * reporting.  The per-realm operations use the "realm_context"
      * associated with each realm.
      */
-    krb5_init_context(&kcontext);
-    krb5_init_ets(kcontext);
+    retval = krb5_init_context(&kcontext);
+    if (retval) {
+           com_err(argv[0], retval, "while initializing krb5");
+           exit(1);
+    }
     krb5_klog_init(kcontext, "kdc", argv[0], 1);
 
     /*
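Review bot: The `krb5_init_ets(kcontext)` call is removed here without a mention in the commit message or the ChangeLog entry, which describe only the new error check. It would help to confirm that `krb5_init_context()` registers the error tables itself and to record that, either with a comment such as `/* error tables are set up by krb5_init_context() */` once confirmed, or with a ChangeLog line. On the failure path the tables may not be registered yet, so `com_err` may be unable to translate `retval` into text; that is acceptable, but worth knowing when reading startup output. The enclosing function starts and ends outside this hunk.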