check_preauth to return successfully, there must be at least one
preauth which succeeded, and no REQUIRED preauth system which failed.
If a preauth is marked SUFFICIENT, then the rest of the preauth list
isn't checked. Fixed a bug where, when none of the preauth types were
recognized, an error message corresponding to stack garbage was
printed.
main.c (argv): Check the error return from krb5_init_context(), and
print an error message if necessary.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@9323
dc483132-0cff-0310-8789-
dd5450dbe970
+Thu Nov 7 12:27:21 1996 Theodore Ts'o <tytso@rsts-11.mit.edu>
+
+ * kdc_preauth.c (check_padata): Fixed error handling; in order for
+ check_preauth to return successfully, there must be at
+ least one preauth which succeeded, and no REQUIRED preauth
+ system which failed. If a preauth is marked SUFFICIENT,
+ then the rest of the preauth list aren't checked. Fixed
+ bug where when none of the preauth types were recognized,
+ an error message corresponding to stack garbage was printed.
+
+Wed Nov 6 12:00:48 1996 Theodore Ts'o <tytso@rsts-11.mit.edu>
+
+ * main.c (argv): Check the error return from krb5_init_context(),
+ and print an error message if necessary.
+
Mon Nov 4 22:29:30 1996 Theodore Y. Ts'o <tytso@mit.edu>
* main.c (initialize_realms): Remove rather pointless use of
krb5_kdc_req * request;
krb5_enc_tkt_part * enc_tkt_reply;
{
- krb5_error_code retval;
+ krb5_error_code retval = 0;
krb5_pa_data **padata;
krb5_preauth_systems *pa_sys;
+ int pa_ok = 0, pa_found = 0;
if (request->padata == 0)
return 0;
continue;
if (pa_sys->verify_padata == 0)
continue;
+ pa_found++;
retval = pa_sys->verify_padata(context, client, request,
enc_tkt_reply, *padata);
if (retval) {
- if (pa_sys->flags & PA_REQUIRED)
+ com_err("krb5kdc", retval, "pa verify failure");
+ if (pa_sys->flags & PA_REQUIRED) {
+ pa_ok = 0;
break;
+ }
} else {
- if (pa_sys->flags & PA_SUFFICIENT)
+ pa_ok = 1;
+ if (pa_sys->flags & PA_SUFFICIENT)
break;
}
}
-if (retval) com_err("krb5kdc", retval, "pa verify failure");
- if (retval)
- retval = KRB5KDC_ERR_PREAUTH_FAILED;
- return retval;
+ if (pa_ok)
+ return 0;
+ if (!pa_found)
+ com_err("krb5kdc", retval, "no valid preauth type found");
+ return KRB5KDC_ERR_PREAUTH_FAILED;
}
/*
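Review bot: PA_REQUIRED is enforced only for padata types the client actually sent, because `pa_ok = 0; break;` is reached solely when a REQUIRED system's `verify_padata` runs and fails; the loop header is outside this hunk, but the loop appears to walk `request->padata`. A request that omits a REQUIRED type but carries another type that verifies would leave `pa_ok = 1` and return 0, and a SUFFICIENT success breaks before later entries are examined, so the result depends on client-chosen content and ordering. If that is not intended, add a post-loop pass over the configured preauth systems that fails when a PA_REQUIRED one was never verified; if it is intended, document it with a comment such as `/* PA_REQUIRED only applies to padata the client supplied */`. It would also help incident review if the failure log named the type, e.g. `com_err("krb5kdc", retval, "pa verify failure for pa_type %d", (*padata)->pa_type);`.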
* reporting. The per-realm operations use the "realm_context"
* associated with each realm.
*/
- krb5_init_context(&kcontext);
- krb5_init_ets(kcontext);
+ retval = krb5_init_context(&kcontext);
+ if (retval) {
+ com_err(argv[0], retval, "while initializing krb5");
+ exit(1);
+ }
krb5_klog_init(kcontext, "kdc", argv[0], 1);
/*
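Review bot: The `krb5_init_ets(kcontext)` call is removed here without being mentioned in the ChangeLog entry or the commit description, which describe only the new return check. If krb5_init_context() is now expected to register the error tables itself, record that in the ChangeLog; otherwise later com_err() calls would presumably print bare codes instead of messages. This exit path also runs before `krb5_klog_init()`, so the failure is likely reported on stderr only. A comment such as `/* logging not yet initialized: error goes to stderr */` would make that explicit for operators who run the KDC as a daemon.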