Post-great-reindent check. Part I
authorZhanna Tsitkov <tsitkova@mit.edu>
Thu, 12 Nov 2009 19:12:51 +0000 (19:12 +0000)
committerZhanna Tsitkov <tsitkova@mit.edu>
Thu, 12 Nov 2009 19:12:51 +0000 (19:12 +0000)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23151 dc483132-0cff-0310-8789-dd5450dbe970

src/kdc/dispatch.c
src/kdc/do_as_req.c
src/kdc/do_tgs_req.c
src/kdc/fast_util.c
src/kdc/kdc_authdata.c
src/kdc/kdc_preauth.c

index 3885b4ee4c0c30571bb461c13d8be78fa87e9e7d..a8d95229d133db80274b860e5823bb6c091ffae2 100644 (file)
@@ -2,7 +2,7 @@
 /*
  * kdc/dispatch.c
  *
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright 1990, 2009 by the Massachusetts Institute of Technology.
  *
  * Export of this software from the United States of America may
  *   require a specific license from the United States Government.
index 5067ff8fd118e3ab0d7bdd8b978a4dc0536bccc7..45ae4963321cbfcbf2ca772bedcfa2cd07ce7cd5 100644 (file)
 #endif
 #endif /* APPLE_PKINIT */
 
-static krb5_error_code prepare_error_as (struct kdc_request_state *, krb5_kdc_req *, int, krb5_data *,
-                                         krb5_principal, krb5_data **,
-                                         const char *);
+static krb5_error_code
+prepare_error_as(struct kdc_request_state *, krb5_kdc_req *,
+                 int, krb5_data *, krb5_principal, krb5_data **,
+                 const char *);
 
 /*ARGSUSED*/
 krb5_error_code
@@ -148,7 +149,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
         status = "Finding req_body";
         goto errout;
     }
-    errcode = kdc_find_fast(&request, &encoded_req_body, NULL /*TGS key*/, NULL, state);
+    errcode = kdc_find_fast(&request, &encoded_req_body,
+                            NULL /*TGS key*/, NULL, state);
     if (errcode) {
         status = "error decoding FAST";
         goto errout;
@@ -309,9 +311,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 
     setflag(enc_tkt_reply.flags, TKT_FLG_INITIAL);
 
-    /* It should be noted that local policy may affect the  */
-    /* processing of any of these flags.  For example, some */
-    /* realms may refuse to issue renewable tickets         */
+    /*
+     * It should be noted that local policy may affect the
+     * processing of any of these flags.  For example, some
+     * realms may refuse to issue renewable tickets
+     */
 
     if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE))
         setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
@@ -374,8 +378,10 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     } else
         enc_tkt_reply.times.renew_till = 0; /* XXX */
 
-    /* starttime is optional, and treated as authtime if not present.
-       so we can nuke it if it matches */
+    /*
+     * starttime is optional, and treated as authtime if not present.
+     * so we can nuke it if it matches
+     */
     if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime)
         enc_tkt_reply.times.starttime = 0;
 
@@ -423,9 +429,9 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
      * Find the server key
      */
     if ((errcode = krb5_dbe_find_enctype(kdc_context, &server,
-                                         -1, /* ignore keytype */
-                                         -1,            /* Ignore salttype */
-                                         0,             /* Get highest kvno */
+                                         -1, /* ignore keytype   */
+                                         -1, /* Ignore salttype  */
+                                         0,  /* Get highest kvno */
                                          &server_key))) {
         status = "FINDING_SERVER_KEY";
         goto errout;
@@ -450,10 +456,13 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
         }
     }
 
-    /* convert server.key into a real key (it may be encrypted
-       in the database) */
+    /*
+     * Convert server.key into a real key
+     * (it may be encrypted in the database)
+     *
+     *  server_keyblock is later used to generate auth data signatures
+     */
     if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, mkey_ptr,
-                                               /* server_keyblock is later used to generate auth data signatures */
                                                server_key, &server_keyblock,
                                                NULL))) {
         status = "DECRYPT_SERVER_KEY";
@@ -524,7 +533,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     reply_encpart.server = ticket_reply.server;
 
     /* copy the time fields EXCEPT for authtime; it's location
-       is used for ktime */
+     *  is used for ktime
+     */
     reply_encpart.times = enc_tkt_reply.times;
     reply_encpart.times.authtime = authtime = kdc_time;
 
@@ -532,7 +542,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     reply_encpart.enc_padata = NULL;
 
     /* Fetch the padata info to be returned (do this before
-       authdata to handle possible replacement of reply key */
+     *  authdata to handle possible replacement of reply key
+     */
     errcode = return_padata(kdc_context, &client, req_pkt, request,
                             &reply, client_key, &client_keyblock, &pa_context);
     if (errcode) {
@@ -572,13 +583,15 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
         goto errout;
     }
 
-    errcode = krb5_encrypt_tkt_part(kdc_context, &server_keyblock, &ticket_reply);
+    errcode = krb5_encrypt_tkt_part(kdc_context, &server_keyblock,
+                                    &ticket_reply);
     if (errcode) {
         status = "ENCRYPTING_TICKET";
         goto errout;
     }
     ticket_reply.enc_part.kvno = server_key->key_data_kvno;
-    errcode = kdc_fast_response_handle_padata(state, request, &reply, client_keyblock.enctype);
+    errcode = kdc_fast_response_handle_padata(state, request, &reply,
+                                              client_keyblock.enctype);
     if (errcode) {
         status = "fast response handling";
         goto errout;
@@ -588,7 +601,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 
     reply.enc_part.enctype = client_keyblock.enctype;
 
-    errcode = kdc_fast_handle_reply_key(state, &client_keyblock, &as_encrypting_key);
+    errcode = kdc_fast_handle_reply_key(state, &client_keyblock,
+                                        &as_encrypting_key);
     if (errcode) {
         status = "generating reply key";
         goto errout;
@@ -642,9 +656,9 @@ egress:
                                    response, status);
         status = 0;
     }
+
     if (emsg)
         krb5_free_error_message(kdc_context, emsg);
-
     if (enc_tkt_reply.authorization_data != NULL)
         krb5_free_authdata(kdc_context, enc_tkt_reply.authorization_data);
     if (server_keyblock.contents != NULL)
@@ -675,11 +689,13 @@ egress:
     request->kdc_state = NULL;
     krb5_free_kdc_req(kdc_context, request);
     assert(did_log != 0);
+
     return errcode;
 }
 
 static krb5_error_code
-prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request, int error, krb5_data *e_data,
+prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
+                  int error, krb5_data *e_data,
                   krb5_principal canon_client, krb5_data **response,
                   const char *status)
 {
@@ -726,7 +742,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request, int e
             pa = calloc(size+1, sizeof(*pa));
             if (pa == NULL)
                 retval = ENOMEM;
-            else                for (size = 0; td[size]; size++) {
+            else
+                for (size = 0; td[size]; size++) {
                     krb5_pa_data *pad = malloc(sizeof(krb5_pa_data ));
                     if (pad == NULL) {
                         retval = ENOMEM;
@@ -744,11 +761,13 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request, int e
                                    request, pa, &errpkt);
     if (retval == 0)
         retval = krb5_mk_error(kdc_context, &errpkt, scratch);
+
     free(errpkt.text.data);
     if (retval)
         free(scratch);
     else
         *response = scratch;
     krb5_free_pa_data(kdc_context, pa);
+
     return retval;
 }
index 24e32df446380da0312c5e4b5e051a17651b627d..b312288470d48e7ebfe35a57f8acb6597b05222e 100644 (file)
@@ -116,7 +116,7 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
     register int i;
     int firstpass = 1;
     const char        *status = 0;
-    krb5_enc_tkt_part *header_enc_tkt = NULL; /* ticket granting or evidence ticket */
+    krb5_enc_tkt_part *header_enc_tkt = NULL; /* TG or evidence ticket */
     krb5_db_entry client, krbtgt;
     int c_nprincs = 0, k_nprincs = 0;
     krb5_pa_s4u_x509_user *s4u_x509_user = NULL; /* protocol transition request */
@@ -179,13 +179,13 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
     }
     scratch.length = pa_tgs_req->length;
     scratch.data = (char *) pa_tgs_req->contents;
-    errcode = kdc_find_fast(&request, &scratch, subkey, header_ticket->enc_part2->session, state);
+    errcode = kdc_find_fast(&request, &scratch, subkey,
+                            header_ticket->enc_part2->session, state);
     if (errcode !=0) {
         status = "kdc_find_fast";
         goto cleanup;
     }
 
-
     /*
      * Pointer to the encrypted part of the header ticket, which may be
      * replaced to point to the encrypted part of the evidence ticket
@@ -240,10 +240,12 @@ tgt_again:
          */
         if (firstpass ) {
 
-            if ( krb5_is_tgs_principal(request->server) == TRUE) { /* Principal is a name of krb ticket service */
+            if ( krb5_is_tgs_principal(request->server) == TRUE) {
+                /* Principal is a name of krb ticket service */
                 if (krb5_princ_size(kdc_context, request->server) == 2) {
 
-                    server_1 = krb5_princ_component(kdc_context, request->server, 1);
+                    server_1 = krb5_princ_component(kdc_context,
+                                                    request->server, 1);
                     tgs_1 = krb5_princ_component(kdc_context, tgs_server, 1);
 
                     if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
@@ -262,7 +264,8 @@ tgt_again:
                 retval = prep_reprocess_req(request, &krbtgt_princ);
                 if (!retval) {
                     krb5_free_principal(kdc_context, request->server);
-                    retval = krb5_copy_principal(kdc_context, krbtgt_princ, &(request->server));
+                    retval = krb5_copy_principal(kdc_context, krbtgt_princ,
+                                                 &(request->server));
                     if (!retval) {
                         db_ref_done = TRUE;
                         if (sname != NULL)
@@ -329,11 +332,11 @@ tgt_again:
     useenctype = 0;
     if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY |
                   KDC_OPT_CNAME_IN_ADDL_TKT)) {
-        krb5_keyblock *        st_sealing_key;
-        krb5_kvno       st_srv_kvno;
-        krb5_enctype    etype;
+        krb5_keyblock    st_sealing_key;
+        krb5_kvno        st_srv_kvno;
+        krb5_enctype     etype;
         krb5_db_entry    st_client;
-        int             st_nprincs = 0;
+        int              st_nprincs = 0;
 
         /*
          * Get the key for the second ticket, and decrypt it.
@@ -375,12 +378,12 @@ tgt_again:
         if (isflagset(request->kdc_options, KDC_OPT_CNAME_IN_ADDL_TKT)) {
             /* Do constrained delegation protocol and authorization checks */
             errcode = kdc_process_s4u2proxy_req(kdc_context,
-                                                request,
-                                                request->second_ticket[st_idx]->enc_part2,
-                                                &st_client,
-                                                header_ticket->enc_part2->client,
-                                                request->server,
-                                                &status);
+                                  request,
+                                  request->second_ticket[st_idx]->enc_part2,
+                                  &st_client,
+                                  header_ticket->enc_part2->client,
+                                  request->server,
+                                  &status);
             if (errcode)
                 goto cleanup;
 
@@ -449,9 +452,11 @@ tgt_again:
     reply_encpart.caddrs = 0;/* optional...don't put it in */
     reply_encpart.enc_padata = NULL;
 
-    /* It should be noted that local policy may affect the  */
-    /* processing of any of these flags.  For example, some */
-    /* realms may refuse to issue renewable tickets         */
+    /*
+     * It should be noted that local policy may affect the
+     * processing of any of these flags.  For example, some
+     * realms may refuse to issue renewable tickets
+     */
 
     if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE)) {
         setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
@@ -479,7 +484,8 @@ tgt_again:
              * S4U2Self in order for forwardable tickets to be returned.
              */
             else if (!is_referral &&
-                     !isflagset(server.attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))
+                     !isflagset(server.attributes,
+                                KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))
                 clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
         }
     }
@@ -597,9 +603,11 @@ tgt_again:
         enc_tkt_reply.times.starttime = 0;
 
     if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
-        errcode = krb5_unparse_name(kdc_context, s4u_x509_user->user_id.user, &s4u_name);
+        errcode = krb5_unparse_name(kdc_context, s4u_x509_user->user_id.user,
+                                    &s4u_name);
     } else if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) {
-        errcode = krb5_unparse_name(kdc_context, header_enc_tkt->client, &s4u_name);
+        errcode = krb5_unparse_name(kdc_context, header_enc_tkt->client,
+                                    &s4u_name);
     } else {
         errcode = 0;
     }
@@ -618,7 +626,7 @@ tgt_again:
         if ((errcode = krb5_dbe_find_enctype(kdc_context, &server,
                                              -1, /* ignore keytype */
                                              -1, /* Ignore salttype */
-                                             0,/* Get highest kvno */
+                                             0,  /* Get highest kvno */
                                              &server_key))) {
             status = "FINDING_SERVER_KEY";
             goto cleanup;
@@ -630,7 +638,7 @@ tgt_again:
             /* try refreshing master key list */
             /* XXX it would nice if we had the mkvno here for optimization */
             if (krb5_db_fetch_mkey_list(kdc_context, master_princ,
-                                        &master_keyblock, 0, &tmp_mkey_list) == 0) {
+                                   &master_keyblock, 0, &tmp_mkey_list) == 0) {
                 krb5_dbe_free_key_list(kdc_context, master_keylist);
                 master_keylist = tmp_mkey_list;
                 if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist,
@@ -644,8 +652,10 @@ tgt_again:
             }
         }
 
-        /* convert server.key into a real key (it may be encrypted
-         *        in the database) */
+        /*
+         * Convert server.key into a real key
+         * (it may be encrypted in the database)
+         */
         if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context,
                                                    mkey_ptr,
                                                    server_key, &encrypting_key,
@@ -753,7 +763,6 @@ tgt_again:
      * implicitly part of the transited list and should not be explicitly
      * listed).
      */
-
     /* realm compare is like strcmp, but knows how to deal with these args */
     if (realm_compare(header_ticket->server, tgs_server) ||
         realm_compare(header_ticket->server, enc_tkt_reply.client)) {
@@ -799,9 +808,9 @@ tgt_again:
         char *tdots;
 
         errcode = kdc_check_transited_list (kdc_context,
-                                            &enc_tkt_reply.transited.tr_contents,
-                                            krb5_princ_realm (kdc_context, header_enc_tkt->client),
-                                            krb5_princ_realm (kdc_context, request->server));
+                        &enc_tkt_reply.transited.tr_contents,
+                        krb5_princ_realm (kdc_context, header_enc_tkt->client),
+                        krb5_princ_realm (kdc_context, request->server));
         tlen = enc_tkt_reply.transited.tr_contents.length;
         tdots = tlen > 125 ? "..." : "";
         tlen = tlen > 125 ? 125 : tlen;
@@ -925,16 +934,16 @@ tgt_again:
 
     /* use the session key in the ticket, unless there's a subsession key
        in the AP_REQ */
-
     reply.enc_part.enctype = subkey ? subkey->enctype :
         header_ticket->enc_part2->session->enctype;
     errcode  = kdc_fast_response_handle_padata(state, request, &reply,
-                                               subkey?subkey->enctype:header_ticket->enc_part2->session->enctype);
+                  subkey ? subkey->enctype : header_ticket->enc_part2->session->enctype);
     if (errcode !=0 ) {
         status = "Preparing FAST padata";
         goto cleanup;
     }
-    errcode =kdc_fast_handle_reply_key(state, subkey?subkey:header_ticket->enc_part2->session, &reply_key);
+    errcode =kdc_fast_handle_reply_key(state,
+                  subkey?subkey:header_ticket->enc_part2->session, &reply_key);
     if (errcode) {
         status  = "generating reply key";
         goto cleanup;
@@ -1101,9 +1110,9 @@ find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry *server,
      * the principal.
      */
     if ((retval = krb5_walk_realm_tree(kdc_context,
-                                       krb5_princ_realm(kdc_context, request->server),
-                                       krb5_princ_component(kdc_context, request->server, 1),
-                                       &plist, KRB5_REALM_BRANCH_CHAR)))
+                         krb5_princ_realm(kdc_context, request->server),
+                         krb5_princ_component(kdc_context, request->server, 1),
+                         &plist, KRB5_REALM_BRANCH_CHAR)))
         return;
 
     /* move to the end */
@@ -1195,16 +1204,20 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ)
         if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST ||
              (krb5_princ_type(kdc_context, request->server) == KRB5_NT_UNKNOWN &&
               kdc_active_realm->realm_host_based_services != NULL &&
-              (krb5_match_config_pattern(kdc_active_realm->realm_host_based_services, comp1_str) == TRUE ||
-               krb5_match_config_pattern(kdc_active_realm->realm_host_based_services, KRB5_CONF_ASTERISK) == TRUE))) &&
+              (krb5_match_config_pattern(kdc_active_realm->realm_host_based_services,
+                                         comp1_str) == TRUE ||
+               krb5_match_config_pattern(kdc_active_realm->realm_host_based_services,
+                                         KRB5_CONF_ASTERISK) == TRUE))) &&
             (kdc_active_realm->realm_no_host_referral == NULL ||
-             (krb5_match_config_pattern(kdc_active_realm->realm_no_host_referral, KRB5_CONF_ASTERISK) == FALSE &&
-              krb5_match_config_pattern(kdc_active_realm->realm_no_host_referral, comp1_str) == FALSE))) {
+             (krb5_match_config_pattern(kdc_active_realm->realm_no_host_referral,
+                                        KRB5_CONF_ASTERISK) == FALSE &&
+              krb5_match_config_pattern(kdc_active_realm->realm_no_host_referral,
+                                        comp1_str) == FALSE))) {
 
             if (memchr(comp2->data, '.', comp2->length) == NULL)
                 goto cleanup;
             temp_buf = calloc(1, comp2->length+1);
-            if (!temp_buf){
+            if (!temp_buf) {
                 retval = ENOMEM;
                 goto cleanup;
             }
@@ -1239,5 +1252,6 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ)
     }
 cleanup:
     free(comp1_str);
+
     return retval;
 }
index f7a1ac43a21b031adbc77431f5ddd2970a0652b1..543db1d5569c4c062fdc588ed99e11bb5417720e 100644 (file)
@@ -23,9 +23,6 @@
  * M.I.T. makes no representations about the suitability of
  * this software for any purpose.  It is provided "as is" without express
  * or implied warranty.
- *
- *
- *
  */
 
 #include <k5-int.h>
@@ -55,11 +52,12 @@ static krb5_error_code armor_ap_request
     krb5_clear_error_message(kdc_context);
     retval = krb5_auth_con_init(kdc_context, &authcontext);
     if (retval == 0)
-        retval = krb5_auth_con_setflags(kdc_context, authcontext, 0); /*disable replay cache*/
+        retval = krb5_auth_con_setflags(kdc_context,
+                                        authcontext, 0); /*disable replay cache*/
     retval = krb5_rd_req(kdc_context, &authcontext,
                          &armor->armor_value, NULL /*server*/,
                          kdc_active_realm->realm_keytab,  NULL, &ticket);
-    if (retval !=0) {
+    if (retval != 0) {
         const char * errmsg = krb5_get_error_message(kdc_context, retval);
         krb5_set_error_message(kdc_context, retval,
                                "%s while handling ap-request armor", errmsg);
@@ -70,19 +68,19 @@ static krb5_error_code armor_ap_request
                                               tgs_server,
                                               ticket->server)) {
             krb5_set_error_message(kdc_context, KRB5KDC_ERR_SERVER_NOMATCH,
-                                   "ap-request armor for something other than  the local TGS");
+                   "ap-request armor for something other than  the local TGS");
             retval = KRB5KDC_ERR_SERVER_NOMATCH;
         }
     }
-    if (retval ==0) {
+    if (retval == 0) {
         retval = krb5_auth_con_getrecvsubkey(kdc_context, authcontext, &subkey);
-        if (retval !=0 || subkey == NULL) {
+        if (retval != 0 || subkey == NULL) {
             krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY,
                                    "ap-request armor without subkey");
             retval = KRB5KDC_ERR_POLICY;
         }
     }
-    if (retval==0)
+    if (retval == 0)
         retval = krb5_c_fx_cf2_simple(kdc_context,
                                       subkey, "subkeyarmor",
                                       ticket->enc_part2->session, "ticketarmor",
@@ -96,9 +94,10 @@ static krb5_error_code armor_ap_request
     return retval;
 }
 
-static krb5_error_code encrypt_fast_reply
-(struct kdc_request_state *state,  const krb5_fast_response *response,
- krb5_data **fx_fast_reply)
+static krb5_error_code
+encrypt_fast_reply(struct kdc_request_state *state,
+                   const krb5_fast_response *response,
+                   krb5_data **fx_fast_reply)
 {
     krb5_error_code retval = 0;
     krb5_enc_data encrypted_reply;
@@ -121,11 +120,12 @@ static krb5_error_code encrypt_fast_reply
 }
 
 
-krb5_error_code  kdc_find_fast
-(krb5_kdc_req **requestptr,  krb5_data *checksummed_data,
- krb5_keyblock *tgs_subkey,
- krb5_keyblock *tgs_session,
- struct kdc_request_state *state)
+krb5_error_code
+kdc_find_fast(krb5_kdc_req **requestptr,
+              krb5_data *checksummed_data,
+              krb5_keyblock *tgs_subkey,
+              krb5_keyblock *tgs_session,
+              struct kdc_request_state *state)
 {
     krb5_error_code retval = 0;
     krb5_pa_data *fast_padata, *cookie_padata;
@@ -165,7 +165,7 @@ krb5_error_code  kdc_find_fast
                                               &state->armor_key);
             else {
                 krb5_set_error_message(kdc_context, KRB5KDC_ERR_PREAUTH_FAILED,
-                                       "No armor key but FAST armored request present");
+                              "No armor key but FAST armored request present");
                 retval = KRB5KDC_ERR_PREAUTH_FAILED;
             }
         }
@@ -188,7 +188,8 @@ krb5_error_code  kdc_find_fast
         if (retval == 0)
             retval = krb5_c_verify_checksum(kdc_context, state->armor_key,
                                             KRB5_KEYUSAGE_FAST_REQ_CHKSUM,
-                                            checksummed_data, &fast_armored_req->req_checksum,
+                                            checksummed_data,
+                                            &fast_armored_req->req_checksum,
                                             &cksum_valid);
         if (retval == 0 && !cksum_valid) {
             retval = KRB5KRB_AP_ERR_MODIFIED;
@@ -197,13 +198,16 @@ krb5_error_code  kdc_find_fast
         }
         if (retval == 0) {
             krb5_error_code ret;
-            /* We need to confirm that a keyed checksum is used for the
+            /*
+             * We need to confirm that a keyed checksum is used for the
              * fast_req checksum.  In April 2009, the best way to do this is
              * to try verifying the checksum with a keyblock with an zero
-             * length; if it succeeds, then an unkeyed checksum is used.*/
+             * length; if it succeeds, then an unkeyed checksum is used.
+             */
             ret  = krb5_c_verify_checksum(kdc_context, &empty_keyblock,
                                           KRB5_KEYUSAGE_FAST_REQ_CHKSUM,
-                                          checksummed_data, &fast_armored_req->req_checksum,
+                                          checksummed_data,
+                                          &fast_armored_req->req_checksum,
                                           &cksum_valid);
             if (ret == 0) {
                 retval = KRB5KDC_ERR_POLICY;
@@ -212,11 +216,12 @@ krb5_error_code  kdc_find_fast
             }
         }
         if (retval == 0) {
-            if ((fast_req->fast_options & UNSUPPORTED_CRITICAL_FAST_OPTIONS) !=0)
+            if ((fast_req->fast_options & UNSUPPORTED_CRITICAL_FAST_OPTIONS) != 0)
                 retval = KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION;
         }
         if (retval == 0)
-            cookie_padata = find_pa_data(fast_req->req_body->padata, KRB5_PADATA_FX_COOKIE);
+            cookie_padata = find_pa_data(fast_req->req_body->padata,
+                                         KRB5_PADATA_FX_COOKIE);
         if (retval == 0) {
             state->fast_options = fast_req->fast_options;
             if (request->kdc_state == state)
@@ -224,7 +229,6 @@ krb5_error_code  kdc_find_fast
             krb5_free_kdc_req( kdc_context, request);
             *requestptr = fast_req->req_body;
             fast_req->req_body = NULL;
-
         }
     }
     else cookie_padata = find_pa_data(request->padata, KRB5_PADATA_FX_COOKIE);
@@ -240,7 +244,8 @@ krb5_error_code  kdc_find_fast
                 retval = ENOMEM;
                 free(new_padata);
             } else {
-                memcpy(new_padata->contents, cookie_padata->contents, new_padata->length);
+                memcpy(new_padata->contents, cookie_padata->contents,
+                       new_padata->length);
                 state->cookie = new_padata;
             }
         }
@@ -253,7 +258,8 @@ krb5_error_code  kdc_find_fast
 }
 
 
-krb5_error_code kdc_make_rstate(struct kdc_request_state **out)
+krb5_error_code
+kdc_make_rstate(struct kdc_request_state **out)
 {
     struct kdc_request_state *state = malloc( sizeof(struct kdc_request_state));
     if (state == NULL)
@@ -263,8 +269,8 @@ krb5_error_code kdc_make_rstate(struct kdc_request_state **out)
     return 0;
 }
 
-void kdc_free_rstate
-(struct kdc_request_state *s)
+void
+kdc_free_rstate (struct kdc_request_state *s)
 {
     if (s == NULL)
         return;
@@ -279,10 +285,10 @@ void kdc_free_rstate
     free(s);
 }
 
-krb5_error_code kdc_fast_response_handle_padata
-(struct kdc_request_state *state,
- krb5_kdc_req *request,
- krb5_kdc_rep *rep, krb5_enctype enctype)
+krb5_error_code
+kdc_fast_response_handle_padata(struct kdc_request_state *state,
                               krb5_kdc_req *request,
                               krb5_kdc_rep *rep, krb5_enctype enctype)
 {
     krb5_error_code retval = 0;
     krb5_fast_finished finish;
@@ -323,10 +329,13 @@ krb5_error_code kdc_fast_response_handle_padata
     if (retval == 0)
         retval = encode_krb5_ticket(rep->ticket, &encoded_ticket);
     if (retval == 0)
-        retval = krb5int_c_mandatory_cksumtype(kdc_context, state->armor_key->enctype, &cksumtype);
+        retval = krb5int_c_mandatory_cksumtype(kdc_context,
+                                               state->armor_key->enctype,
+                                               &cksumtype);
     if (retval == 0)
         retval = krb5_c_make_checksum(kdc_context, cksumtype,
-                                      state->armor_key, KRB5_KEYUSAGE_FAST_FINISHED,
+                                      state->armor_key,
+                                      KRB5_KEYUSAGE_FAST_FINISHED,
                                       encoded_ticket, &finish.ticket_checksum);
     if (retval == 0)
         retval = encrypt_fast_reply(state, &fast_response, &encrypted_reply);
@@ -363,10 +372,11 @@ krb5_error_code kdc_fast_response_handle_padata
  * throw away the e_data in the error (if any); in the non-FAST case
  * we will not use the in_padata.
  */
-krb5_error_code kdc_fast_handle_error
-(krb5_context context, struct kdc_request_state *state,
- krb5_kdc_req *request,
- krb5_pa_data  **in_padata, krb5_error *err)
+krb5_error_code
+kdc_fast_handle_error(krb5_context context,
+                      struct kdc_request_state *state,
+                      krb5_kdc_req *request,
+                      krb5_pa_data  **in_padata, krb5_error *err)
 {
     krb5_error_code retval = 0;
     krb5_fast_response resp;
@@ -441,9 +451,10 @@ krb5_error_code kdc_fast_handle_error
     return retval;
 }
 
-krb5_error_code kdc_fast_handle_reply_key(struct kdc_request_state *state,
-                                          krb5_keyblock *existing_key,
-                                          krb5_keyblock **out_key)
+krb5_error_code
+kdc_fast_handle_reply_key(struct kdc_request_state *state,
+                          krb5_keyblock *existing_key,
+                          krb5_keyblock **out_key)
 {
     krb5_error_code retval = 0;
     if (state->armor_key)
@@ -451,13 +462,15 @@ krb5_error_code kdc_fast_handle_reply_key(struct kdc_request_state *state,
                                       state->strengthen_key, "strengthenkey",
                                       existing_key,
                                       "replykey", out_key);
-    else retval = krb5_copy_keyblock(kdc_context, existing_key, out_key);
+    else
+        retval = krb5_copy_keyblock(kdc_context, existing_key, out_key);
     return retval;
 }
 
 
-krb5_error_code kdc_preauth_get_cookie(struct kdc_request_state *state,
-                                       krb5_pa_data **cookie)
+krb5_error_code
+kdc_preauth_get_cookie(struct kdc_request_state *state,
+                       krb5_pa_data **cookie)
 {
     char *contents;
     krb5_pa_data *pa = NULL;
index e6d4bd2b6eb2adaceff3075ac30807ac4fe08f1c..3cef2d714533659e832fa6fda8043d7e639a9124 100644 (file)
 #include "../include/krb5/authdata_plugin.h"
 
 #if TARGET_OS_MAC
-static const char *objdirs[] = { KRB5_AUTHDATA_PLUGIN_BUNDLE_DIR, LIBDIR "/krb5/plugins/authdata", NULL }; /* should be a list */
+static const char *objdirs[] = { KRB5_AUTHDATA_PLUGIN_BUNDLE_DIR,
+                                 LIBDIR "/krb5/plugins/authdata",
+                                 NULL }; /* should be a list */
 #else
 static const char *objdirs[] = { LIBDIR "/krb5/plugins/authdata", NULL };
 #endif
 
 /* MIT Kerberos 1.6 (V0) authdata plugin callback */
 typedef krb5_error_code (*authdata_proc_0)
-(krb5_context, krb5_db_entry *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_enc_tkt_part * enc_tkt_reply);
+    (krb5_context, krb5_db_entry *client,
    krb5_data *req_pkt,
    krb5_kdc_req *request,
    krb5_enc_tkt_part * enc_tkt_reply);
 /* MIT Kerberos 1.8 (V2) authdata plugin callback */
 typedef krb5_error_code (*authdata_proc_2)
-(krb5_context, unsigned int flags,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_db_entry *krbtgt,
- krb5_keyblock *client_key,
- krb5_keyblock *server_key,
- krb5_keyblock *krbtgt_key,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_const_principal for_user_princ,
- krb5_enc_tkt_part *enc_tkt_request,
- krb5_enc_tkt_part *enc_tkt_reply);
+    (krb5_context, unsigned int flags,
    krb5_db_entry *client, krb5_db_entry *server,
    krb5_db_entry *krbtgt,
    krb5_keyblock *client_key,
    krb5_keyblock *server_key,
    krb5_keyblock *krbtgt_key,
    krb5_data *req_pkt,
    krb5_kdc_req *request,
    krb5_const_principal for_user_princ,
    krb5_enc_tkt_part *enc_tkt_request,
    krb5_enc_tkt_part *enc_tkt_reply);
 typedef krb5_error_code (*init_proc)
-(krb5_context, void **);
+    (krb5_context, void **);
 typedef void (*fini_proc)
-(krb5_context, void *);
+    (krb5_context, void *);
 
 /* Internal authdata system for copying TGS-REQ authdata to ticket */
 static krb5_error_code handle_request_authdata
-(krb5_context context,
- unsigned int flags,
- krb5_db_entry *client,
- krb5_db_entry *server,
- krb5_db_entry *krbtgt,
- krb5_keyblock *client_key,
- krb5_keyblock *server_key,
- krb5_keyblock *krbtgt_key,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_const_principal for_user_princ,
- krb5_enc_tkt_part *enc_tkt_request,
- krb5_enc_tkt_part *enc_tkt_reply);
+    (krb5_context context,
    unsigned int flags,
    krb5_db_entry *client,
    krb5_db_entry *server,
    krb5_db_entry *krbtgt,
    krb5_keyblock *client_key,
    krb5_keyblock *server_key,
    krb5_keyblock *krbtgt_key,
    krb5_data *req_pkt,
    krb5_kdc_req *request,
    krb5_const_principal for_user_princ,
    krb5_enc_tkt_part *enc_tkt_request,
    krb5_enc_tkt_part *enc_tkt_reply);
 
 /* Internal authdata system for handling KDC-issued authdata */
 static krb5_error_code handle_tgt_authdata
-(krb5_context context,
- unsigned int flags,
- krb5_db_entry *client,
- krb5_db_entry *server,
- krb5_db_entry *krbtgt,
- krb5_keyblock *client_key,
- krb5_keyblock *server_key,
- krb5_keyblock *krbtgt_key,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_const_principal for_user_princ,
- krb5_enc_tkt_part *enc_tkt_request,
- krb5_enc_tkt_part *enc_tkt_reply);
+    (krb5_context context,
    unsigned int flags,
    krb5_db_entry *client,
    krb5_db_entry *server,
    krb5_db_entry *krbtgt,
    krb5_keyblock *client_key,
    krb5_keyblock *server_key,
    krb5_keyblock *krbtgt_key,
    krb5_data *req_pkt,
    krb5_kdc_req *request,
    krb5_const_principal for_user_princ,
    krb5_enc_tkt_part *enc_tkt_request,
    krb5_enc_tkt_part *enc_tkt_reply);
 
 typedef struct _krb5_authdata_systems {
     const char *name;
@@ -118,8 +120,10 @@ typedef struct _krb5_authdata_systems {
 } krb5_authdata_systems;
 
 static krb5_authdata_systems static_authdata_systems[] = {
-    { "tgs_req", AUTHDATA_SYSTEM_V2, AUTHDATA_FLAG_CRITICAL, NULL, NULL, NULL, { handle_request_authdata } },
-    { "tgt", AUTHDATA_SYSTEM_V2, AUTHDATA_FLAG_CRITICAL, NULL, NULL, NULL, { handle_tgt_authdata } },
+    { "tgs_req", AUTHDATA_SYSTEM_V2, AUTHDATA_FLAG_CRITICAL,
+      NULL, NULL, NULL, { handle_request_authdata } },
+    { "tgt", AUTHDATA_SYSTEM_V2, AUTHDATA_FLAG_CRITICAL,
+       NULL, NULL, NULL, { handle_tgt_authdata } },
 };
 
 static krb5_authdata_systems *authdata_systems;
@@ -153,10 +157,12 @@ load_authdata_plugins(krb5_context context)
 
     if (krb5int_get_plugin_dir_data(&authdata_plugins,
                                     "authdata_server_2",
-                                    &authdata_plugins_ftables_v2, &context->err) != 0 ||
+                                    &authdata_plugins_ftables_v2,
+                                    &context->err) != 0 ||
         krb5int_get_plugin_dir_data(&authdata_plugins,
                                     "authdata_server_0",
-                                    &authdata_plugins_ftables_v0, &context->err) != 0) {
+                                    &authdata_plugins_ftables_v0,
+                                    &context->err) != 0) {
         code = KRB5_PLUGIN_NO_HANDLE;
         goto cleanup;
     }
@@ -188,7 +194,8 @@ load_authdata_plugins(krb5_context context)
         / sizeof(static_authdata_systems[0]);
 
     /* Build the complete list of supported authdata options, and
-     * leave room for a terminator entry. */
+     * leave room for a terminator entry.
+     */
     authdata_systems = calloc(module_count + 1, sizeof(krb5_authdata_systems));
     if (authdata_systems == NULL) {
         code = ENOMEM;
@@ -349,7 +356,7 @@ merge_authdata (krb5_context context,
         authdata = (krb5_authdata **)calloc(i + 1, sizeof(krb5_authdata *));
     } else {
         authdata = (krb5_authdata **)realloc(authdata,
-                                             ((nadata + i + 1) * sizeof(krb5_authdata *)));
+                                    ((nadata + i + 1) * sizeof(krb5_authdata *)));
     }
     if (authdata == NULL)
         return ENOMEM;
@@ -436,7 +443,8 @@ handle_request_authdata (krb5_context context,
     }
 
     /* scratch now has the authorization data, so we decode it, and make
-     * it available to subsequent authdata plugins */
+     * it available to subsequent authdata plugins
+     */
     code = decode_krb5_authdata(&scratch, &request->unenc_authdata);
     if (code != 0) {
         free(scratch.data);
index 1eda93ba92422bb3c3b1a2988fb91c648dde5537..f547f5351b86cc74cf980484b2aba08351cfa268 100644 (file)
@@ -2,7 +2,7 @@
 /*
  * kdc/kdc_preauth.c
  *
- * Copyright 1995, 2003, 2007 by the Massachusetts Institute of Technology.
+ * Copyright 1995, 2003, 2007, 2009 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -96,7 +96,9 @@
 #include "../include/krb5/preauth_plugin.h"
 
 #if TARGET_OS_MAC
-static const char *objdirs[] = { KRB5_PLUGIN_BUNDLE_DIR, LIBDIR "/krb5/plugins/preauth", NULL }; /* should be a list */
+static const char *objdirs[] = { KRB5_PLUGIN_BUNDLE_DIR,
+                                 LIBDIR "/krb5/plugins/preauth",
+                                 NULL }; /* should be a list */
 #else
 static const char *objdirs[] = { LIBDIR "/krb5/plugins/preauth", NULL };
 #endif
@@ -123,35 +125,38 @@ typedef struct _krb5_preauth_systems {
     preauth_server_free_reqcontext_proc free_pa_reqctx;
 } krb5_preauth_systems;
 
-static krb5_error_code verify_enc_timestamp
-(krb5_context, krb5_db_entry *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data,
- preauth_get_entry_data_proc get_entry_data,
- void *pa_system_context,
- void **pa_request_context,
- krb5_data **e_data,
- krb5_authdata ***authz_data);
-
-static krb5_error_code get_enc_ts
-(krb5_context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- preauth_get_entry_data_proc get_entry_data,
- void *pa_system_context,
- krb5_pa_data *data);
-static krb5_error_code get_etype_info
-(krb5_context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- preauth_get_entry_data_proc get_entry_data,
- void *pa_system_context,
- krb5_pa_data *data);
+static krb5_error_code
+verify_enc_timestamp (krb5_context, krb5_db_entry *client,
+                      krb5_data *req_pkt,
+                      krb5_kdc_req *request,
+                      krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data,
+                      preauth_get_entry_data_proc get_entry_data,
+                      void *pa_system_context,
+                      void **pa_request_context,
+                      krb5_data **e_data,
+                      krb5_authdata ***authz_data);
+
+static krb5_error_code
+get_enc_ts(krb5_context, krb5_kdc_req *request,
+           krb5_db_entry *client, krb5_db_entry *server,
+           preauth_get_entry_data_proc get_entry_data,
+           void *pa_system_context,
+           krb5_pa_data *data);
+
+static krb5_error_code
+get_etype_info(krb5_context, krb5_kdc_req *request,
+               krb5_db_entry *client, krb5_db_entry *server,
+               preauth_get_entry_data_proc get_entry_data,
+               void *pa_system_context,
+               krb5_pa_data *data);
+
 static krb5_error_code
 get_etype_info2(krb5_context context, krb5_kdc_req *request,
                 krb5_db_entry *client, krb5_db_entry *server,
                 preauth_get_entry_data_proc get_entry_data,
                 void *pa_system_context,
                 krb5_pa_data *pa_data);
+
 static krb5_error_code
 etype_info_as_rep_helper(krb5_context context, krb5_pa_data * padata,
                          krb5_db_entry *client,
@@ -185,47 +190,47 @@ return_etype_info2(krb5_context, krb5_pa_data * padata,
                    void *pa_system_context,
                    void **pa_request_context);
 
-static krb5_error_code return_pw_salt
-(krb5_context, krb5_pa_data * padata,
- krb5_db_entry *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request, krb5_kdc_rep *reply,
- krb5_key_data *client_key,
- krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa,
- preauth_get_entry_data_proc get_entry_data,
- void *pa_system_context,
- void **pa_request_context);
+static krb5_error_code
+return_pw_salt(krb5_context, krb5_pa_data * padata,
              krb5_db_entry *client,
              krb5_data *req_pkt,
              krb5_kdc_req *request, krb5_kdc_rep *reply,
              krb5_key_data *client_key,
              krb5_keyblock *encrypting_key,
              krb5_pa_data **send_pa,
              preauth_get_entry_data_proc get_entry_data,
              void *pa_system_context,
              void **pa_request_context);
 
 /* SAM preauth support */
-static krb5_error_code verify_sam_response
-(krb5_context, krb5_db_entry *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data,
- preauth_get_entry_data_proc get_entry_data,
- void *pa_module_context,
- void **pa_request_context,
- krb5_data **e_data,
- krb5_authdata ***authz_data);
-
-static krb5_error_code get_sam_edata
-(krb5_context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- preauth_get_entry_data_proc get_entry_data,
- void *pa_module_context,
- krb5_pa_data *data);
-static krb5_error_code return_sam_data
-(krb5_context, krb5_pa_data * padata,
- krb5_db_entry *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request, krb5_kdc_rep *reply,
- krb5_key_data *client_key,
- krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa,
- preauth_get_entry_data_proc get_entry_data,
- void *pa_module_context,
- void **pa_request_context);
+static krb5_error_code
+verify_sam_response(krb5_context, krb5_db_entry *client,
                   krb5_data *req_pkt,
                   krb5_kdc_req *request,
                   krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data,
                   preauth_get_entry_data_proc get_entry_data,
                   void *pa_module_context,
                   void **pa_request_context,
                   krb5_data **e_data,
                   krb5_authdata ***authz_data);
+
+static krb5_error_code
+get_sam_edata(krb5_context, krb5_kdc_req *request,
             krb5_db_entry *client, krb5_db_entry *server,
             preauth_get_entry_data_proc get_entry_data,
             void *pa_module_context,
             krb5_pa_data *data);
+static krb5_error_code
+return_sam_data(krb5_context, krb5_pa_data * padata,
               krb5_db_entry *client,
               krb5_data *req_pkt,
               krb5_kdc_req *request, krb5_kdc_rep *reply,
               krb5_key_data *client_key,
               krb5_keyblock *encrypting_key,
               krb5_pa_data **send_pa,
               preauth_get_entry_data_proc get_entry_data,
               void *pa_module_context,
               void **pa_request_context);
 
 #if APPLE_PKINIT
 /* PKINIT preauth support */
@@ -464,7 +469,8 @@ load_preauth_plugins(krb5_context context)
         plugin_context = NULL;
         server_init_proc = static_preauth_systems[i].init;
         if ((server_init_proc != NULL) &&
-            ((*server_init_proc)(context, &plugin_context, (const char **)kdc_realm_names) != 0)) {
+            ((*server_init_proc)(context, &plugin_context,
+                                 (const char **)kdc_realm_names) != 0)) {
             memset(&preauth_systems[k], 0, sizeof(preauth_systems[k]));
             continue;
         }
@@ -493,17 +499,19 @@ load_preauth_plugins(krb5_context context)
                     server_init_proc = ftable->init_proc;
                     if (server_init_proc != NULL) {
                         krb5_error_code initerr;
-                        initerr = (*server_init_proc)(context, &plugin_context, (const char **)kdc_realm_names);
+                        initerr = (*server_init_proc)(context, &plugin_context,
+                                               (const char **)kdc_realm_names);
                         if (initerr) {
                             const char *emsg;
                             emsg = krb5_get_error_message(context, initerr);
                             if (emsg) {
                                 krb5_klog_syslog(LOG_ERR,
-                                                 "preauth %s failed to initialize: %s",
-                                                 ftable->name, emsg);
+                                          "preauth %s failed to initialize: %s",
+                                          ftable->name, emsg);
                                 krb5_free_error_message(context, emsg);
                             }
-                            memset(&preauth_systems[k], 0, sizeof(preauth_systems[k]));
+                            memset(&preauth_systems[k], 0,
+                                   sizeof(preauth_systems[k]));
 
                             break;      /* skip all modules in this plugin */
                         }
@@ -512,7 +520,8 @@ load_preauth_plugins(krb5_context context)
                 preauth_systems[k].name = ftable->name;
                 preauth_systems[k].type = ftable->pa_type_list[j];
                 if (ftable->flags_proc != NULL)
-                    preauth_systems[k].flags = ftable->flags_proc(context, preauth_systems[k].type);
+                    preauth_systems[k].flags = ftable->flags_proc(context,
+                                                     preauth_systems[k].type);
                 else
                     preauth_systems[k].flags = 0;
                 preauth_systems[k].plugin_context = plugin_context;
@@ -548,7 +557,7 @@ unload_preauth_plugins(krb5_context context)
         for (i = 0; i < n_preauth_systems; i++) {
             if (preauth_systems[i].fini != NULL) {
                 (*preauth_systems[i].fini)(context,
-                                           preauth_systems[i].plugin_context);
+                                      preauth_systems[i].plugin_context);
             }
             memset(&preauth_systems[i], 0, sizeof(preauth_systems[i]));
         }
@@ -640,7 +649,8 @@ free_padata_context(krb5_context kcontext, void **padata_context)
 }
 
 /* Retrieve a specified tl_data item from the given entry, and return its
- * contents in a new krb5_data, which must be freed by the caller. */
+ * contents in a new krb5_data, which must be freed by the caller.
+ */
 static krb5_error_code
 get_entry_tl_data(krb5_context context, krb5_db_entry *entry,
                   krb5_int16 tl_data_type, krb5_data **result)
@@ -886,7 +896,8 @@ sort_pa_order(krb5_context context, krb5_kdc_req *request, int *pa_order)
     if (request->padata != NULL) {
         /* Now reorder the subset of modules which replace the key,
          * bubbling those which handle pa_data types provided by the
-         * client ahead of the others. */
+         * client ahead of the others.
+         */
         for (i = 0; preauth_systems[pa_order[i]].flags & PA_REPLACES_KEY; i++) {
             continue;
         }
@@ -940,12 +951,13 @@ const char *missing_required_preauth(krb5_db_entry *client,
 #endif
 
 #ifdef DEBUG
-    krb5_klog_syslog (LOG_DEBUG,
-                      "client needs %spreauth, %shw preauth; request has %spreauth, %shw preauth",
-                      isflagset (client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) ? "" : "no ",
-                      isflagset (client->attributes, KRB5_KDB_REQUIRES_HW_AUTH) ? "" : "no ",
-                      isflagset (enc_tkt_reply->flags, TKT_FLG_PRE_AUTH) ? "" : "no ",
-                      isflagset (enc_tkt_reply->flags, TKT_FLG_HW_AUTH) ? "" : "no ");
+    krb5_klog_syslog (
+      LOG_DEBUG,
+      "client needs %spreauth, %shw preauth; request has %spreauth, %shw preauth",
+      isflagset (client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) ? "" : "no ",
+      isflagset (client->attributes, KRB5_KDB_REQUIRES_HW_AUTH) ? "" : "no ",
+      isflagset (enc_tkt_reply->flags, TKT_FLG_PRE_AUTH) ? "" : "no ",
+      isflagset (enc_tkt_reply->flags, TKT_FLG_HW_AUTH) ? "" : "no ");
 #endif
 
     if (isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
@@ -959,8 +971,9 @@ const char *missing_required_preauth(krb5_db_entry *client,
     return 0;
 }
 
-void get_preauth_hint_list(krb5_kdc_req *request, krb5_db_entry *client,
-                           krb5_db_entry *server, krb5_data *e_data)
+void
+get_preauth_hint_list(krb5_kdc_req *request, krb5_db_entry *client,
+                      krb5_db_entry *server, krb5_data *e_data)
 {
     int hw_only;
     krb5_preauth_systems *ap;
@@ -1007,7 +1020,10 @@ void get_preauth_hint_list(krb5_kdc_req *request, krb5_db_entry *client,
                           "%spreauth required but hint list is empty",
                           hw_only ? "hw" : "");
     }
-/* If we fail to get the cookie it is probably still reasonable to continue with the response*/
+    /*
+     * If we fail to get the cookie it is probably
+     * still reasonable to continue with the response
+     */
     kdc_preauth_get_cookie(request->kdc_state, pa);
     retval = encode_krb5_padata_sequence(pa_data, &edat);
     if (retval)
@@ -1266,7 +1282,8 @@ return_padata(krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
     void **                     pa_context;
     krb5_boolean                key_modified;
     krb5_keyblock               original_key;
-    if ((!*padata_context)&& (make_padata_context(context, padata_context) != 0)) {
+    if ((!*padata_context) &&
+        (make_padata_context(context, padata_context) != 0)) {
         return KRB5KRB_ERR_GENERIC;
     }
 
@@ -1322,7 +1339,8 @@ return_padata(krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
                 }
             }
         }
-        if ((retval = ap->return_padata(context, pa, client, req_pkt, request, reply,
+        if ((retval = ap->return_padata(context, pa, client, req_pkt,
+                                        request, reply,
                                         client_key, encrypting_key, send_pa,
                                         get_entry_data, ap->plugin_context,
                                         pa_context))) {
@@ -1346,11 +1364,12 @@ cleanup:
     free(pa_order);
     if (send_pa_list)
         krb5_free_pa_data(context, send_pa_list);
+
     return (retval);
 }
 
 static krb5_boolean
-request_contains_enctype (krb5_context context,  const krb5_kdc_req *request,
+request_contains_enctype(krb5_context context,  const krb5_kdc_req *request,
                           krb5_enctype enctype)
 {
     int i;
@@ -1360,12 +1379,12 @@ request_contains_enctype (krb5_context context,  const krb5_kdc_req *request,
     return 0;
 }
 
-static krb5_error_code get_enc_ts
-(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- preauth_get_entry_data_proc get_entry_data_proc,
- void *pa_system_context,
- krb5_pa_data *data)
+static krb5_error_code
+get_enc_ts(krb5_context context, krb5_kdc_req *request,
          krb5_db_entry *client, krb5_db_entry *server,
          preauth_get_entry_data_proc get_entry_data_proc,
          void *pa_system_context,
          krb5_pa_data *data)
 {
     struct kdc_request_state *state = request->kdc_state;
     if (state->armor_key)
@@ -1480,6 +1499,7 @@ cleanup:
      */
     if (retval == KRB5_KDB_NO_MATCHING_KEY && decrypt_err != 0)
         retval = decrypt_err;
+
     return retval;
 }
 
@@ -2025,18 +2045,19 @@ get_sam_edata(krb5_context context, krb5_kdc_req *request,
     memset(&sc, 0, sizeof(sc));
     memset(&psr, 0, sizeof(psr));
 
-    /* Given the client name we can figure out what type of preauth
-       they need. The spec is currently for querying the database for
-       names that match the types of preauth used. Later we should
-       make this mapping show up in kdc.conf. In the meantime, we
-       hardcode the following:
-       /SNK4 -- Digital Pathways SNK/4 preauth.
-       /GRAIL -- experimental preauth
-       The first one found is used. See sam_inst_map above.
-
-       For SNK4 in particular, the key in the database is the key for
-       the device; kadmin needs a special interface for it.
-    */
+    /*
+     *  Given the client name we can figure out what type of preauth
+     *  they need. The spec is currently for querying the database for
+     *  names that match the types of preauth used. Later we should
+     *  make this mapping show up in kdc.conf. In the meantime, we
+     *  hardcode the following:
+     *  /SNK4 -- Digital Pathways SNK/4 preauth.
+     *  /GRAIL -- experimental preauth
+     *  The first one found is used. See sam_inst_map above.
+     *
+     *  For SNK4 in particular, the key in the database is the key for
+     *  the device; kadmin needs a special interface for it.
+     */
 
     {
         int npr = 1;
@@ -2090,8 +2111,8 @@ get_sam_edata(krb5_context context, krb5_kdc_req *request,
                                                 &tmp_mkey_list) == 0) {
                         krb5_dbe_free_key_list(context, master_keylist);
                         master_keylist = tmp_mkey_list;
-                        if ((retval = krb5_dbe_find_mkey(context, master_keylist, &assoc,
-                                                         &mkey_ptr))) {
+                        if ((retval = krb5_dbe_find_mkey(context, master_keylist,
+                                                         &assoc, &mkey_ptr))) {
                             return (retval);
                         }
                     } else {
@@ -2103,7 +2124,7 @@ get_sam_edata(krb5_context context, krb5_kdc_req *request,
                 retval = krb5_dbe_find_enctype(kdc_context, &assoc,
                                                ENCTYPE_DES_CBC_RAW,
                                                KRB5_KDB_SALTTYPE_NORMAL,
-                                               0,             /* Get highest kvno */
+                                               0,    /* Get highest kvno */
                                                &assoc_key);
                 if (retval) {
                     char *sname;
@@ -2626,12 +2647,12 @@ static krb5_error_code verify_pkinit_request(
                                        &client_ctime, &client_cusec,
                                        &nonce, &pa_cksum,
                                        &cert_sig_status,
-                                       NULL, NULL,         /* num_cms_types, cms_types */
+                                       NULL, NULL,/* num_cms_types, cms_types */
                                        &client_cert,       /* signer_cert */
                                        /* remaining fields unused (for now) */
-                                       NULL, NULL,         /* num_all_certs, all_certs */
-                                       NULL, NULL,         /* num_trusted_CAs, trusted_CAs */
-                                       NULL);              /* kdc_cert */
+                                       NULL, NULL,/* num_all_certs, all_certs */
+                                       NULL, NULL,/* num_trusted_CAs, trusted_CAs */
+                                       NULL);     /* kdc_cert */
     if(krtn) {
         kdcPkinitDebug("pa_pk_as_req_parse returned %d; PKINIT aborting.\n",
                        (int)krtn);
@@ -2870,17 +2891,18 @@ static krb5_error_code return_pkinit_response(
      * We've already verified; just obtain the fields we need to create a response
      */
     krtn = krb5int_pkinit_as_req_parse(context,
-                                       &pa_data,
-                                       NULL, NULL, &nonce,     /* ctime, cusec, nonce */
-                                       NULL, NULL,             /* pa_cksum, cert_status */
-                                       &num_cms_types, &cms_types,
-                                       &client_cert,           /* signer_cert: we encrypt for this */
-                                       /* remaining fields unused (for now) */
-                                       NULL, NULL,             /* num_all_certs, all_certs */
-                                       &num_trusted_CAs, &trusted_CAs,
-                                       &kdc_cert);
+                         &pa_data,
+                         NULL, NULL, &nonce,     /* ctime, cusec, nonce */
+                         NULL, NULL,             /* pa_cksum, cert_status */
+                         &num_cms_types, &cms_types,
+                         &client_cert,   /* signer_cert: we encrypt for this */
+                         /* remaining fields unused (for now) */
+                         NULL, NULL,     /* num_all_certs, all_certs */
+                         &num_trusted_CAs, &trusted_CAs,
+                         &kdc_cert);
     if(krtn) {
-        kdcPkinitDebug("pa_pk_as_req_parse returned %d; PKINIT aborting.\n", (int)krtn);
+        kdcPkinitDebug("pa_pk_as_req_parse returned %d; PKINIT aborting.\n",
+                       (int)krtn);
         goto cleanup;
     }
     if(client_cert.data == NULL) {
@@ -2933,14 +2955,16 @@ static krb5_error_code return_pkinit_response(
      * ReplyKeyPack with here. This may need rethinking.
      */
     krtn = krb5int_pkinit_as_rep_create(context,
-                                        encrypting_key, &as_req_checksum, signing_cert, TRUE,
+                                        encrypting_key, &as_req_checksum,
+                                        signing_cert, TRUE,
                                         &client_cert,
                                         num_cms_types, cms_types,
                                         num_trusted_CAs, trusted_CAs,
                                         (kdc_cert.data ? &kdc_cert : NULL),
                                         &pa_data);
     if(krtn) {
-        kdcPkinitDebug("pa_pk_as_rep_create returned %d; PKINIT aborting.\n", (int)krtn);
+        kdcPkinitDebug("pa_pk_as_rep_create returned %d; PKINIT aborting.\n",
+                      (int)krtn);
         goto cleanup;
     }
 
@@ -3089,7 +3113,8 @@ static krb5_error_code return_server_referral(krb5_context context,
                                               krb5_pa_data * padata,
                                               krb5_db_entry *client,
                                               krb5_db_entry *server,
-                                              krb5_kdc_req *request, krb5_kdc_rep *reply,
+                                              krb5_kdc_req *request,
+                                              krb5_kdc_rep *reply,
                                               krb5_key_data *client_key,
                                               krb5_keyblock *encrypting_key,
                                               krb5_pa_data **send_pa)