From b1b547a0b8d9bdb8bbde647e20b0bbab7efc274e Mon Sep 17 00:00:00 2001
From: Tom Yu
Date: Wed, 1 Mar 2000 10:42:16 +0000
Subject: [PATCH] * main.c: Move kdc_initialize_rcache() to kdc_util.c

* kdc_util.c (kdc_initialize_rcache): Move kdc_initialize_rcache() back here since it's needed for rtest to work. process_tgs_req() which is called from rtest needs to call kdc_intiialize_rcache() and we can't very well link rtest with main.o

* kdc_preauth.c (verify_sam_response): Ooops. Get rc_lifetime from kdc_util, since it's actually declared there.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12093 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/kdc/ChangeLog | 10 +++++++++
 src/kdc/kdc_preauth.c | 7 +-----
 src/kdc/kdc_util.c | 48 +++++++++++++++++++++++++++++++++++++++++
 src/kdc/main.c | 50 -------------------------------------------
 4 files changed, 59 insertions(+), 56 deletions(-)

diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog
index 89520df5b..62a1f21dc 100644
--- a/src/kdc/ChangeLog
+++ b/src/kdc/ChangeLog
@@ -1,5 +1,15 @@
 2000-03-01 Tom Yu
+ * main.c: Move kdc_initialize_rcache() to kdc_util.c
+
+ * kdc_util.c (kdc_initialize_rcache): Move kdc_initialize_rcache()
+ back here since it's needed for rtest to work. process_tgs_req()
+ which is called from rtest needs to call kdc_intiialize_rcache()
+ and we can't very well link rtest with main.o
+
+ * kdc_preauth.c (verify_sam_response): Ooops. Get rc_lifetime
+ from kdc_util, since it's actually declared there.
+
 * configure.in: Fix --enable-kdc-replay-cache to actually default to "yes".
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index cc957016b..41152f2f6 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -1267,17 +1267,12 @@ verify_sam_response(context, client, request, enc_tkt_reply, pa)
 #ifdef USE_RCACHE
 {
 krb5_donot_replay rep;
- krb5_deltat rc_lifetime;
+ extern krb5_deltat rc_lifetime;
 /*
 * Verify this response came back in a timely manner.
 * We do this b/c otherwise very old (expunged from the rcache)
 * psr's would be able to be replayed.
 */
- retval = krb5_rc_get_lifespan(kdc_context, kdc_rcache, &rc_lifetime);
- if (retval) {
- com_err("krb5kdc", retval, "while getting rcache lifespan");
- goto cleanup;
- }
 if (timenow - psr->stime > rc_lifetime) {
 com_err("krb5kdc", retval = KRB5KDC_ERR_PREAUTH_FAILED,
 "SAM psr came back too late! -- replay attack?");
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index a988b28cc..f5a0016b7 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
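Review bot: The timeliness check at `if (timenow - psr->stime > rc_lifetime)` now compares against a value that kdc_initialize_rcache() sets to `kcontext->clockskew` on every call, whereas the removed krb5_rc_get_lifespan() call asked the open replay cache for its own lifespan; if a cache brought back by krb5_rc_recover() can carry a lifespan other than the current clockskew, the two windows diverge and a psr already expunged from the cache but still younger than rc_lifetime would pass this check, which is precisely the case the comment above says it exists to catch. That is worth confirming against the rcache implementation, and if a divergence is possible the window should be bounded by the cache's actual lifespan (the smaller of the two). The block-scope `extern krb5_deltat rc_lifetime;` also duplicates the definition's type with nothing tying the two together; a single declaration in a shared KDC header (kdc_util.h) would let the compiler check it and is the natural place to document that rc_lifetime is only meaningful once kdc_initialize_rcache() has run. verify_sam_response() begins and ends outside the hunk.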
@@ -35,6 +35,54 @@
 #include "adm.h"
 #include "adm_proto.h"
+#ifdef USE_RCACHE
+static char *kdc_current_rcname = (char *) NULL;
+krb5_deltat rc_lifetime; /* See kdc_initialize_rcache() */
+#endif
+
+#ifdef USE_RCACHE
+/*
+ * initialize the replay cache.
+ */
+krb5_error_code
+kdc_initialize_rcache(kcontext, rcache_name)
+ krb5_context kcontext;
+ char *rcache_name;
+{
+ krb5_error_code retval;
+ char *rcname;
+ char *sname;
+
+ rcname = (rcache_name) ? rcache_name : kdc_current_rcname;
+
+ /* rc_lifetime used elsewhere to verify we're not */
+ /* replaying really old data */
+ rc_lifetime = kcontext->clockskew;
+
+ if (!rcname)
+ rcname = KDCRCACHE;
+ if (!(retval = krb5_rc_resolve_full(kcontext, &kdc_rcache, rcname))) {
+ /* Recover or initialize the replay cache */
+ if (!(retval = krb5_rc_recover(kcontext, kdc_rcache)) ||
+ !(retval = krb5_rc_initialize(kcontext,
+ kdc_rcache,
+ kcontext->clockskew))
+ ) {
+ /* Expunge the replay cache */
+ if (!(retval = krb5_rc_expunge(kcontext, kdc_rcache))) {
+ sname = kdc_current_rcname;
+ kdc_current_rcname = strdup(rcname);
+ if (sname)
+ free(sname);
+ }
+ }
+ if (retval)
+ krb5_rc_close(kcontext, kdc_rcache);
+ }
+ return(retval);
+}
+#endif
+
 /*
 * concatenate first two authdata arrays, returning an allocated replacement.
 * The replacement should be freed with krb5_free_authdata().
diff --git a/src/kdc/main.c b/src/kdc/main.c
index aca5165e7..473b902d0 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
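Review bot: `kdc_current_rcname = strdup(rcname);` in the expunge branch is unchecked, so on allocation failure the previously saved name is freed and replaced by NULL, and a later kdc_initialize_rcache(kcontext, NULL) call silently falls back to KDCRCACHE instead of re-opening the cache that was actually in use. Taking the copy first and treating failure as ENOMEM keeps the old name intact and routes the error through the existing `if (retval) krb5_rc_close(...)` path like every other failure in this function; the `sname` local and its `if (sname)` guard then go away, since free(NULL) is a no-op. Separately, now that `rc_lifetime` is consumed from another translation unit through a block-scope extern in verify_sam_response(), the definition's comment `/* See kdc_initialize_rcache() */` would be more useful as `/* Replay window used by verify_sam_response(); set to kcontext->clockskew on every call to kdc_initialize_rcache(). */`. The function body was moved from main.c unchanged, so none of this is introduced by the commit itself.
```c
	    /* Expunge the replay cache */
	    if (!(retval = krb5_rc_expunge(kcontext, kdc_rcache))) {
		char *newname = strdup(rcname);

		if (newname) {
		    free(kdc_current_rcname);
		    kdc_current_rcname = newname;
		} else
		    retval = ENOMEM;
	    }
	/* ... unchanged: krb5_rc_close() on failure and return(retval) ... */
```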
@@ -60,64 +60,14 @@
 void initialize_realms PROTOTYPE((krb5_context, int, char **));
 void finish_realms PROTOTYPE((char *));
 static int nofork = 0;
-#ifdef USE_RCACHE
-static char *kdc_current_rcname = (char *) NULL;
-#endif
 static int rkey_init_done = 0;
-#ifdef USE_RCACHE
-krb5_deltat rc_lifetime; /* See kdc_initialize_rcache() */
-#endif /* USE_RCACHE */
-
 #ifdef POSIX_SIGNALS
 static struct sigaction s_action;
 #endif /* POSIX_SIGNALS */
 #define KRB5_KDC_MAX_REALMS 32
-#ifdef USE_RCACHE
-/*
- * initialize the replay cache.
- */
-krb5_error_code
-kdc_initialize_rcache(kcontext, rcache_name)
- krb5_context kcontext;
- char *rcache_name;
-{
- krb5_error_code retval;
- char *rcname;
- char *sname;
-
- rcname = (rcache_name) ? rcache_name : kdc_current_rcname;
-
- /* rc_lifetime used elsewhere to verify we're not */
- /* replaying really old data */
- rc_lifetime = kcontext->clockskew;
-
- if (!rcname)
- rcname = KDCRCACHE;
- if (!(retval = krb5_rc_resolve_full(kcontext, &kdc_rcache, rcname))) {
- /* Recover or initialize the replay cache */
- if (!(retval = krb5_rc_recover(kcontext, kdc_rcache)) ||
- !(retval = krb5_rc_initialize(kcontext,
- kdc_rcache,
- kcontext->clockskew))
- ) {
- /* Expunge the replay cache */
- if (!(retval = krb5_rc_expunge(kcontext, kdc_rcache))) {
- sname = kdc_current_rcname;
- kdc_current_rcname = strdup(rcname);
- if (sname)
- free(sname);
- }
- }
- if (retval)
- krb5_rc_close(kcontext, kdc_rcache);
- }
- return(retval);
-}
-#endif
-
 /*
 * Find the realm entry for a given realm.
 */
-- 
2.26.2