From 5cd45040077a48edecffa5eddb264bf8e1bf39f5 Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Wed, 20 Jun 2007 01:40:34 +0000 Subject: [PATCH] pull up r18817 as prereq for r19536 r18817@cathode-dark-space: raeburn | 2006-11-15 20:20:47 -0500 * rd_req_dec.c: Whitespace changes in function headers. (krb5_rd_req_decoded_opt): Include more info in error text for AP_WRONG_PRINC and NOPERM_ETYPE errors. ticket: 5551 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@19597 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/krb5/krb/rd_req_dec.c | 62 ++++++++++++++++++++++++++++++----- 1 file changed, 53 insertions(+), 9 deletions(-) diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c index 3c398aed1..6f53b11c9 100644 --- a/src/lib/krb5/krb/rd_req_dec.c +++ b/src/lib/krb5/krb/rd_req_dec.c @@ -87,13 +87,25 @@ krb5_rd_req_decrypt_tkt_part(krb5_context context, const krb5_ap_req *req, krb5_ } static krb5_error_code -krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, const krb5_ap_req *req, krb5_const_principal server, krb5_keytab keytab, krb5_flags *ap_req_options, krb5_ticket **ticket, int check_valid_flag) +krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, + const krb5_ap_req *req, krb5_const_principal server, + krb5_keytab keytab, krb5_flags *ap_req_options, + krb5_ticket **ticket, int check_valid_flag) { krb5_error_code retval = 0; krb5_timestamp currenttime; - if (server && !krb5_principal_compare(context, server, req->ticket->server)) + if (server && !krb5_principal_compare(context, server, req->ticket->server)) { + char *found_name = 0, *wanted_name = 0; + if (krb5_unparse_name(context, server, &wanted_name) == 0 + && krb5_unparse_name(context, req->ticket->server, &found_name) == 0) + krb5_set_error_message(context, KRB5KRB_AP_WRONG_PRINC, + "Wrong principal in request (found %s, wanted %s)", + found_name, wanted_name); + krb5_free_unparsed_name(context, wanted_name); + krb5_free_unparsed_name(context, found_name); return KRB5KRB_AP_WRONG_PRINC; + } /* if (req->ap_options & AP_OPTS_USE_SESSION_KEY) do we need special processing here ? */ @@ -241,15 +253,21 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, c if ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_PERMIT_ALL) { /* no etype check needed */; } else if ((*auth_context)->permitted_etypes == NULL) { + int etype; /* check against the default set */ if ((!krb5_is_permitted_enctype(context, - req->ticket->enc_part.enctype)) || + etype = req->ticket->enc_part.enctype)) || (!krb5_is_permitted_enctype(context, - req->ticket->enc_part2->session->enctype)) || + etype = req->ticket->enc_part2->session->enctype)) || (((*auth_context)->authentp->subkey) && !krb5_is_permitted_enctype(context, - (*auth_context)->authentp->subkey->enctype))) { + etype = (*auth_context)->authentp->subkey->enctype))) { + char enctype_name[30]; retval = KRB5_NOPERM_ETYPE; + if (krb5_enctype_to_string(etype, enctype_name, sizeof(enctype_name)) == 0) + krb5_set_error_message(context, retval, + "Encryption type %s not permitted", + enctype_name); goto cleanup; } } else { @@ -261,7 +279,13 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, c req->ticket->enc_part.enctype) break; if (!(*auth_context)->permitted_etypes[i]) { + char enctype_name[30]; retval = KRB5_NOPERM_ETYPE; + if (krb5_enctype_to_string(req->ticket->enc_part.enctype, + enctype_name, sizeof(enctype_name)) == 0) + krb5_set_error_message(context, retval, + "Encryption type %s not permitted", + enctype_name); goto cleanup; } @@ -270,7 +294,13 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, c req->ticket->enc_part2->session->enctype) break; if (!(*auth_context)->permitted_etypes[i]) { + char enctype_name[30]; retval = KRB5_NOPERM_ETYPE; + if (krb5_enctype_to_string(req->ticket->enc_part2->session->enctype, + enctype_name, sizeof(enctype_name)) == 0) + krb5_set_error_message(context, retval, + "Encryption type %s not permitted", + enctype_name); goto cleanup; } @@ -280,7 +310,14 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, c (*auth_context)->authentp->subkey->enctype) break; if (!(*auth_context)->permitted_etypes[i]) { + char enctype_name[30]; retval = KRB5_NOPERM_ETYPE; + if (krb5_enctype_to_string((*auth_context)->authentp->subkey->enctype, + enctype_name, + sizeof(enctype_name)) == 0) + krb5_set_error_message(context, retval, + "Encryption type %s not permitted", + enctype_name); goto cleanup; } } @@ -337,7 +374,10 @@ cleanup: } krb5_error_code -krb5_rd_req_decoded(krb5_context context, krb5_auth_context *auth_context, const krb5_ap_req *req, krb5_const_principal server, krb5_keytab keytab, krb5_flags *ap_req_options, krb5_ticket **ticket) +krb5_rd_req_decoded(krb5_context context, krb5_auth_context *auth_context, + const krb5_ap_req *req, krb5_const_principal server, + krb5_keytab keytab, krb5_flags *ap_req_options, + krb5_ticket **ticket) { krb5_error_code retval; retval = krb5_rd_req_decoded_opt(context, auth_context, @@ -348,7 +388,11 @@ krb5_rd_req_decoded(krb5_context context, krb5_auth_context *auth_context, const } krb5_error_code -krb5_rd_req_decoded_anyflag(krb5_context context, krb5_auth_context *auth_context, const krb5_ap_req *req, krb5_const_principal server, krb5_keytab keytab, krb5_flags *ap_req_options, krb5_ticket **ticket) +krb5_rd_req_decoded_anyflag(krb5_context context, + krb5_auth_context *auth_context, + const krb5_ap_req *req, + krb5_const_principal server, krb5_keytab keytab, + krb5_flags *ap_req_options, krb5_ticket **ticket) { krb5_error_code retval; retval = krb5_rd_req_decoded_opt(context, auth_context, @@ -359,7 +403,8 @@ krb5_rd_req_decoded_anyflag(krb5_context context, krb5_auth_context *auth_contex } static krb5_error_code -decrypt_authenticator(krb5_context context, const krb5_ap_req *request, krb5_authenticator **authpp, int is_ap_req) +decrypt_authenticator(krb5_context context, const krb5_ap_req *request, + krb5_authenticator **authpp, int is_ap_req) { krb5_authenticator *local_auth; krb5_error_code retval; @@ -390,4 +435,3 @@ free(scratch.data);} clean_scratch(); return retval; } - -- 2.26.2