From 9412bbd6ae0af969d7621a071034b42143c3e1b9 Mon Sep 17 00:00:00 2001 From: Theodore Tso Date: Thu, 7 Nov 1996 17:31:20 +0000 Subject: [PATCH] kdc_preauth.c (check_padata): Fixed error handling; in order for check_preauth to return successfully, there must be at least one preauth which succeeded, and no REQUIRED preauth system which failed. If a preauth is marked SUFFICIENT, then the rest of the preauth list aren't checked. Fixed bug where when none of the preauth types were recognized, an error message corresponding to stack garbage was printed. main.c (argv): Check the error return from krb5_init_context(), and print an error message if necessary. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@9323 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kdc/ChangeLog | 15 +++++++++++++++ src/kdc/kdc_preauth.c | 21 ++++++++++++++------- src/kdc/main.c | 7 +++++-- 3 files changed, 34 insertions(+), 9 deletions(-) diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog index 53b5dc034..dd7446081 100644 --- a/src/kdc/ChangeLog +++ b/src/kdc/ChangeLog @@ -1,3 +1,18 @@ +Thu Nov 7 12:27:21 1996 Theodore Ts'o + + * kdc_preauth.c (check_padata): Fixed error handling; in order for + check_preauth to return successfully, there must be at + least one preauth which succeeded, and no REQUIRED preauth + system which failed. If a preauth is marked SUFFICIENT, + then the rest of the preauth list aren't checked. Fixed + bug where when none of the preauth types were recognized, + an error message corresponding to stack garbage was printed. + +Wed Nov 6 12:00:48 1996 Theodore Ts'o + + * main.c (argv): Check the error return from krb5_init_context(), + and print an error message if necessary. + Mon Nov 4 22:29:30 1996 Theodore Y. Ts'o * main.c (initialize_realms): Remove rather pointless use of diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c index 67b348bce..0350068f9 100644 --- a/src/kdc/kdc_preauth.c +++ b/src/kdc/kdc_preauth.c 
@@ -234,9 +234,10 @@ check_padata (context, client, request, enc_tkt_reply) krb5_kdc_req * request; krb5_enc_tkt_part * enc_tkt_reply; { - krb5_error_code retval; + krb5_error_code retval = 0; krb5_pa_data **padata; krb5_preauth_systems *pa_sys; + int pa_ok = 0, pa_found = 0; if (request->padata == 0) return 0; @@ -246,20 +247,26 @@ check_padata (context, client, request, enc_tkt_reply) continue; if (pa_sys->verify_padata == 0) continue; + pa_found++; retval = pa_sys->verify_padata(context, client, request, enc_tkt_reply, *padata); if (retval) { - if (pa_sys->flags & PA_REQUIRED) + com_err("krb5kdc", retval, "pa verify failure"); + if (pa_sys->flags & PA_REQUIRED) { + pa_ok = 0; break; + } } else { - if (pa_sys->flags & PA_SUFFICIENT) + pa_ok = 1; + if (pa_sys->flags & PA_SUFFICIENT) break; } } -if (retval) com_err("krb5kdc", retval, "pa verify failure"); - if (retval) - retval = KRB5KDC_ERR_PREAUTH_FAILED; - return retval; + if (pa_ok) + return 0; + if (!pa_found) + com_err("krb5kdc", retval, "no valid preauth type found"); + return KRB5KDC_ERR_PREAUTH_FAILED; } /* diff --git a/src/kdc/main.c b/src/kdc/main.c index 5ade65930..dd4ae7687 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c @@ -882,8 +882,11 @@ char *argv[]; * reporting. The per-realm operations use the "realm_context" * associated with each realm. */ - krb5_init_context(&kcontext); - krb5_init_ets(kcontext); + retval = krb5_init_context(&kcontext); + if (retval) { + com_err(argv[0], retval, "while initializing krb5"); + exit(1); + } krb5_klog_init(kcontext, "kdc", argv[0], 1); /* -- 2.26.2
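Review bot: The REQUIRED rule in the second kdc_preauth.c hunk only applies to entries the loop actually visits. A failed PA_REQUIRED entry clears `pa_ok`, but a PA_SUFFICIENT success hits `break` before any later entry is verified, and a required mechanism that is absent from the list is never evaluated. The loop header lies between the two hunks and is not visible, but `*padata` suggests the list and its order come from the request, so I would state the policy above the loop, e.g. `/* REQUIRED/SUFFICIENT are evaluated only for padata present in the request, in request order; a missing required type must be rejected by the caller */`. The per-entry log line would also help triage more if it named the type: `com_err("krb5kdc", retval, "pa verify failure for pa_type %d", (int)(*padata)->pa_type);`. check_padata begins in the previous hunk and ends inside this one.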
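Review bot: The main.c hunk removes the `krb5_init_ets(kcontext)` call, but the commit message and ChangeLog entry only describe checking the return of krb5_init_context(). If error-table registration now happens inside krb5_init_context() (not visible in this diff), a comment such as `/* krb5_init_context() also registers the krb5 error tables */` would show the removal is deliberate. This matters because the new `com_err(argv[0], retval, "while initializing krb5")` and later KDC logging presumably rely on those tables for readable messages. The declaration of `retval` and the rest of main's body are outside the hunk.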