From ae71de2a2f05b94f3238e4ee1edf49eb18cf1c8a Mon Sep 17 00:00:00 2001 From: Paul Park Date: Fri, 23 Jun 1995 14:02:19 +0000 Subject: [PATCH] Multiple realm support and remove KDB_CONVERT_KEY_OUTOF_DB git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6138 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kdc/ChangeLog | 26 ++++++++++++++++++++++++++ src/kdc/kdc_util.c | 45 ++++++++++++++++++++++++++++++++++++++------- 2 files changed, 64 insertions(+), 7 deletions(-) diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog index 286d9b98c..bcaa4a2ca 100644 --- a/src/kdc/ChangeLog +++ b/src/kdc/ChangeLog 
@@ -1,4 +1,30 @@ +Thu Jun 22 15:24:16 EDT 1995 Paul Park (pjpark@mit.edu) + * main.c - Change option parsing logic to support multiple realms. + Use alternate profile routines from libkadm to support reading + values from it. + * dispatch.c - Setup global realm context before calling process_as_ + req(). + * do_as_req.c - Change KDB_CONVERT_KEY_OUTOF_DB to decrypt_key call. + * do_tgs_req.c - Setup global realm context from our service principal + name. + * extern.c - Remove per-realm global data. Replace this with list + of per-realm data with a pointer to the active request's realm. + * extern.h - Change per-realm global data names to #define's. This + is to avoid having to rewrite everything to pass a pointer to + the active realm. + * kdc_util.c - Change "kdc_context" to "kcontext" because of #defines + in extern.h. Also add logic after call to rd_req_decoded + to see if it failed because of a rcache error. If so, then + reinitialize the replay cache and retry it. + Also change KDB_CONVERT_KEY_OUTOF_DB to decrypt_key. + * kerberos_v4.c - Remove extraneous definition of master_encblock. + * krb5kdc.M - Add definition of -p, add vague reference to kdc.conf + manpage and describe multiple realms briefly. + * network.c - Change udp_port_fd to a list of fds to support having + multiple ports to listen on. + + Thu Jun 15 17:55:21 EDT 1995 Paul Park (pjpark@mit.edu) * Makefile.in - Change explicit library names to -l form, and change target link line to use $(LD) and associated flags. diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index abd7ea8b0..982b4edb3 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -117,8 +117,8 @@ krb5_boolean krb5_is_tgs_principal(principal) * is provided. */ static krb5_error_code -comp_cksum(kdc_context, source, ticket, his_cksum) - krb5_context kdc_context; +comp_cksum(kcontext, source, ticket, his_cksum) + krb5_context kcontext; krb5_data * source; krb5_ticket * ticket; krb5_checksum * his_cksum; 
@@ -135,11 +135,11 @@ comp_cksum(kdc_context, source, ticket, his_cksum) return KRB5KRB_AP_ERR_INAPP_CKSUM; if (!(our_cksum.contents = (krb5_octet *) - malloc(krb5_checksum_size(kdc_context, our_cksum.checksum_type)))) + malloc(krb5_checksum_size(kcontext, our_cksum.checksum_type)))) return ENOMEM; /* compute checksum */ - if ((retval = krb5_calculate_checksum(kdc_context, our_cksum.checksum_type, + if ((retval = krb5_calculate_checksum(kcontext, our_cksum.checksum_type, source->data, source->length, ticket->enc_part2->session->contents, ticket->enc_part2->session->length,&our_cksum))) { @@ -242,8 +242,38 @@ kdc_process_tgs_req(request, from, pkt, ticket, subkey) if ((retval = krb5_rd_req_decoded(kdc_context, &auth_context, apreq, apreq->ticket->server, NULL, - NULL, ticket))) - goto cleanup_auth_context; + NULL, ticket))) { + /* + * I'm not so sure that this is right, but it's better than nothing + * at all. + * + * If we choke in the rd_req because of the replay cache, then attempt + * to reinitialize the replay cache because somebody could have deleted + * it from underneath us (e.g. a cron job) + */ + if ((retval == KRB5_RC_IO_IO) || + (retval == KRB5_RC_IO_UNKNOWN)) { + (void) krb5_rc_close(kdc_context, kdc_rcache); + kdc_rcache = (krb5_rcache) NULL; + if (!(retval = kdc_initialize_rcache(kdc_context, + (char *) NULL))) { + if ((retval = krb5_auth_con_setrcache(kdc_context, + auth_context, + kdc_rcache)) || + (retval = krb5_rd_req_decoded(kdc_context, + &auth_context, + apreq, + apreq->ticket->server, + NULL, + NULL, + ticket)) + ) + goto cleanup_auth_context; + } + } + else + goto cleanup_auth_context; + } if ((retval = krb5_auth_con_getremotesubkey(kdc_context, auth_context, subkey))) 
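Review bot: In the replay-cache recovery branch of the @@ -242 hunk, a failure of `kdc_initialize_rcache` sets retval but never jumps to cleanup_auth_context, so control falls through to `krb5_auth_con_getremotesubkey`, whose return value overwrites retval and the request proceeds even though `krb5_rd_req_decoded` never succeeded on the retry path. The inner `if (!(retval = kdc_initialize_rcache(kdc_context, (char *) NULL))) { ... }` needs an `else goto cleanup_auth_context;` so that an AP-REQ that could not be verified is rejected on every path. Reinitialising the cache also discards whatever entries it held, so a request that was already recorded there can no longer be recognised as a replay during that gap; recording the reinitialisation in the KDC log would at least make an unexpected cache loss visible to an operator. kdc_process_tgs_req begins before this hunk and continues after it.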
@@ -341,7 +371,8 @@ krb5_kvno *kvno; /* convert server.key into a real key (it may be encrypted in the database) */ if ((*key = (krb5_keyblock *)malloc(sizeof **key))) { - retval = KDB_CONVERT_KEY_OUTOF_DB(kdc_context, &server.key, *key); + retval = krb5_kdb_decrypt_key(kdc_context, &master_encblock, + &server.key, *key); } else retval = ENOMEM; *kvno = server.kvno; -- 2.26.2
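Review bot: When `krb5_kdb_decrypt_key` fails in the @@ -341 hunk, the keyblock just allocated with `malloc(sizeof **key)` is left in `*key` with undefined contents, so unless the code after the hunk frees it the error path both leaks the allocation and hands the caller a non-NULL key it may use or free again. After the call add `if (retval) { free(*key); *key = NULL; }` so a failed decryption always yields a NULL key alongside the error code. `master_encblock` is passed here as a file-scope name; the ChangeLog says extern.h now turns the per-realm globals into #defines over the active realm's data, so presumably this resolves to the realm selected for the request, which is worth confirming since decrypting with another realm's master key fails closed but is hard to diagnose. The enclosing function starts before this hunk and its remaining error handling lies outside it.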