From: Theodore Tso
Date: Thu, 7 Nov 1996 17:31:20 +0000 (+0000)
Subject: kdc_preauth.c (check_padata): Fixed error handling; in order for
X-Git-Tag: krb5-1.0-freeze1~102
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=9412bbd6ae0af969d7621a071034b42143c3e1b9;p=krb5.git
kdc_preauth.c (check_padata): Fixed error handling; in order for check_preauth to return successfully, there must be at least one preauth which succeeded, and no REQUIRED preauth system which failed. If a preauth is marked SUFFICIENT, then the rest of the preauth list aren't checked. Fixed bug where when none of the preauth types were recognized, an error message corresponding to stack garbage was printed. main.c (argv): Check the error return from krb5_init_context(), and print an error message if necessary.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@9323 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog
index 53b5dc034..dd7446081 100644
--- a/src/kdc/ChangeLog
+++ b/src/kdc/ChangeLog
@@ -1,3 +1,18 @@
+Thu Nov 7 12:27:21 1996 Theodore Ts'o
+
+ * kdc_preauth.c (check_padata): Fixed error handling; in order for
+ check_preauth to return successfully, there must be at
+ least one preauth which succeeded, and no REQUIRED preauth
+ system which failed. If a preauth is marked SUFFICIENT,
+ then the rest of the preauth list aren't checked. Fixed
+ bug where when none of the preauth types were recognized,
+ an error message corresponding to stack garbage was printed.
+
+Wed Nov 6 12:00:48 1996 Theodore Ts'o
+
+ * main.c (argv): Check the error return from krb5_init_context(),
+ and print an error message if necessary.
+
 Mon Nov 4 22:29:30 1996 Theodore Y. Ts'o
 
 * main.c (initialize_realms): Remove rather pointless use of
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 67b348bce..0350068f9 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -234,9 +234,10 @@ check_padata (context, client, request, enc_tkt_reply)
 krb5_kdc_req * request;
 krb5_enc_tkt_part * enc_tkt_reply;
 {
- krb5_error_code retval;
+ krb5_error_code retval = 0;
 krb5_pa_data **padata;
 krb5_preauth_systems *pa_sys;
+ int pa_ok = 0, pa_found = 0;
 
 if (request->padata == 0)
 return 0;
@@ -246,20 +247,26 @@ check_padata (context, client, request, enc_tkt_reply)
 continue;
 if (pa_sys->verify_padata == 0)
 continue;
+ pa_found++;
 retval = pa_sys->verify_padata(context, client, request, enc_tkt_reply, *padata);
 if (retval) {
- if (pa_sys->flags & PA_REQUIRED)
+ com_err("krb5kdc", retval, "pa verify failure");
+ if (pa_sys->flags & PA_REQUIRED) {
+ pa_ok = 0;
 break;
+ }
 } else {
- if (pa_sys->flags & PA_SUFFICIENT)
+ pa_ok = 1;
+ if (pa_sys->flags & PA_SUFFICIENT)
 break;
 }
 }
-if (retval) com_err("krb5kdc", retval, "pa verify failure");
- if (retval)
- retval = KRB5KDC_ERR_PREAUTH_FAILED;
- return retval;
+ if (pa_ok)
+ return 0;
+ if (!pa_found)
+ com_err("krb5kdc", retval, "no valid preauth type found");
+ return KRB5KDC_ERR_PREAUTH_FAILED;
 }
 
 /*
diff --git a/src/kdc/main.c b/src/kdc/main.c
index 5ade65930..dd4ae7687 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -882,8 +882,11 @@ char *argv[];
 * reporting. The per-realm operations use the "realm_context"
 * associated with each realm.
 */
- krb5_init_context(&kcontext);
- krb5_init_ets(kcontext);
+ retval = krb5_init_context(&kcontext);
+ if (retval) {
+ com_err(argv[0], retval, "while initializing krb5");
+ exit(1);
+ }
 krb5_klog_init(kcontext, "kdc", argv[0], 1);
 
 /*
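Review bot: The unchanged early return `if (request->padata == 0) return 0;` in the first check_padata hunk (kdc_preauth.c, @@ -234) still reports success for a request that carries no padata at all, which is an exception to the rule this commit introduces, namely that at least one preauth must succeed. Whether such a request is rejected presumably depends on a separate check in the caller that is not visible on this page. A comment above the return would make that dependency explicit, for example `/* No padata: nothing to verify here; the caller decides whether preauth is required. */`. The body of check_padata continues outside this hunk.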
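Review bot: In the second check_padata hunk (kdc_preauth.c, @@ -246) the verdict depends on the order and selection of padata entries, which the client chooses: a success from a PA_SUFFICIENT system breaks out of the loop, so a PA_REQUIRED entry later in the list is never verified, and a PA_REQUIRED system whose padata type is absent from the request is not checked at all. This assumes the loop, whose header lies outside the hunk, walks the request's padata list. If REQUIRED is meant as a policy the client cannot sidestep, the function needs a pass over the configured preauth systems after the loop; otherwise state the limit in a comment such as `/* PA_REQUIRED is enforced only for padata types the client actually sent. */`. Separately, `com_err("krb5kdc", retval, "pa verify failure");` records neither the client nor the padata type, so adding `(*padata)->pa_type` to the message would make repeated failures easier to correlate in the KDC log.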
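Review bot: The main.c hunk removes `krb5_init_ets(kcontext);` without replacing it, and neither the commit message nor the ChangeLog entry mentions that. If krb5_init_context() does not register the krb5 error tables itself, which cannot be confirmed from this page, later com_err() calls in the KDC, including the new `com_err(argv[0], retval, "while initializing krb5");`, would print bare error codes instead of messages. Either keep the call after the retval check or record in the ChangeLog why it is no longer needed. The new error path also runs before `krb5_klog_init()`, so the message presumably reaches only stderr; the enclosing function starts and ends outside the hunk.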