authormarkm <markm@FreeBSD.org>2000-02-24 11:19:29 +0000
committermarkm <markm@FreeBSD.org>2000-02-24 11:19:29 +0000
commit69414e22b995b6d161fc19bcab66823585f1d394 (patch)
treec822a9ebecac015f7f6b7d1422b50d0c490791e7 /crypto/heimdal/kdc
parentfa8b1a96d3a4e7cb6123f48b6c27b717a5ed86fe (diff)
Vendor import of Heimdal 0.2o
Diffstat (limited to 'crypto/heimdal/kdc')
-rw-r--r--crypto/heimdal/kdc/config.c76
-rw-r--r--crypto/heimdal/kdc/connect.c74
-rw-r--r--crypto/heimdal/kdc/kaserver.c6
-rw-r--r--crypto/heimdal/kdc/kdc.863
-rw-r--r--crypto/heimdal/kdc/kdc_locl.h7
-rw-r--r--crypto/heimdal/kdc/kerberos4.c6
6 files changed, 175 insertions, 57 deletions
diff --git a/crypto/heimdal/kdc/config.c b/crypto/heimdal/kdc/config.c
index ba76432..3db7173 100644
--- a/crypto/heimdal/kdc/config.c
+++ b/crypto/heimdal/kdc/config.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -35,24 +35,33 @@
#include <getarg.h>
#include <parse_bytes.h>
-RCSID("$Id: config.c,v 1.28 1999/12/02 17:04:58 joda Exp $");
+RCSID("$Id: config.c,v 1.30 2000/02/11 17:47:19 assar Exp $");
+
+static char *config_file; /* location of kdc config file */
+
+int require_preauth = -1; /* 1 == require preauth for all principals */
+
+size_t max_request; /* maximal size of a request */
+
+static char *max_request_str; /* `max_request' as a string */
+
+time_t kdc_warn_pwexpire; /* time before expiration to print a warning */
-static char *config_file;
-int require_preauth = -1;
-char *keyfile;
-static char *max_request_str;
-size_t max_request;
-time_t kdc_warn_pwexpire;
struct dbinfo *databases;
HDB **db;
int num_db;
+
char *port_str;
+
int enable_http = -1;
krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */
krb5_boolean check_ticket_addresses;
krb5_boolean allow_null_ticket_addresses;
+static struct getarg_strings addresses_str; /* addresses to listen on */
+krb5_addresses explicit_addresses;
+
#ifdef KRB4
char *v4_realm;
#endif
@@ -73,10 +82,6 @@ static struct getargs args[] = {
"don't require pa-data in as-reqs"
},
{
- "key-file", 'k', arg_string, &keyfile,
- "location of master key file", "file"
- },
- {
"max-request", 0, arg_string, &max_request,
"max size for a kdc-request", "size"
},
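Review bot: The surviving `max-request` entry at the top of this hunk stores an `arg_string` result into `&max_request`, which this commit declares as a `size_t`, while `max_request_str` (the `char *` that `configure()` later parses under `if(max_request_str)`) is never written by the option table; unless that entry is corrected outside the hunk, `--max-request` writes a pointer into a `size_t` and the string-parsing path is dead. The line is context rather than new in this commit, but the new declarations above make the mismatch visible. The fix is a one-token change: `"max-request", 0, arg_string, &max_request_str,`. The `args[]` table starts and ends outside the hunk.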
@@ -102,6 +107,8 @@ static struct getargs args[] = {
{ "ports", 'P', arg_string, &port_str,
"ports to listen to"
},
+ { "addresses", 0, arg_strings, &addresses_str,
+ "addresses to listen on", "list of addresses" },
{ "help", 'h', arg_flag, &help_flag },
{ "version", 'v', arg_flag, &version_flag }
};
@@ -190,6 +197,22 @@ get_dbinfo(krb5_config_section *cf)
}
}
+static void
+add_one_address (const char *str, int first)
+{
+ krb5_error_code ret;
+ krb5_addresses tmp;
+
+ ret = krb5_parse_address (context, str, &tmp);
+ if (ret)
+ krb5_err (context, 1, ret, "parse_address `%s'", str);
+ if (first)
+ krb5_copy_addresses(context, &tmp, &explicit_addresses);
+ else
+ krb5_append_addresses(context, &explicit_addresses, &tmp);
+ krb5_free_addresses (context, &tmp);
+}
+
void
configure(int argc, char **argv)
{
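Review bot: `add_one_address` checks the result of `krb5_parse_address` but discards the `krb5_error_code` returned by `krb5_copy_addresses` and `krb5_append_addresses`, so an allocation failure in either leaves `explicit_addresses` partially filled and the KDC silently listens on fewer addresses than were configured. `ret` is already in scope, so the existing pattern fits both calls: `ret = krb5_copy_addresses(context, &tmp, &explicit_addresses);` followed by `if (ret) krb5_err (context, 1, ret, "krb5_copy_addresses");`, and the same for the append branch. A one-line comment on the `first` parameter (it selects copy-into-empty versus append) would also help, since the caller passes both `i == 0` and `TRUE`/`FALSE` for it. `configure()` begins at the end of this hunk and continues outside it.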
@@ -221,16 +244,6 @@ configure(int argc, char **argv)
if(krb5_config_parse_file(config_file, &cf))
cf = NULL;
- if(keyfile == NULL){
- p = krb5_config_get_string (context, cf,
- "kdc",
- "key-file",
- NULL);
- if(p)
- keyfile = strdup(p);
- }
-
-
get_dbinfo(cf);
if(max_request_str){
@@ -256,6 +269,25 @@ configure(int argc, char **argv)
if (p != NULL)
port_str = strdup(p);
}
+
+ explicit_addresses.len = 0;
+
+ if (addresses_str.num_strings) {
+ int i;
+
+ for (i = 0; i < addresses_str.num_strings; ++i)
+ add_one_address (addresses_str.strings[i], i == 0);
+ } else {
+ char **foo = krb5_config_get_strings (context, cf,
+ "kdc", "addresses", NULL);
+
+ if (foo != NULL) {
+ add_one_address (*foo++, TRUE);
+ while (*foo)
+ add_one_address (*foo++, FALSE);
+ }
+ }
+
if(enable_http == -1)
enable_http = krb5_config_get_bool(context, cf, "kdc",
"enable-http", NULL);
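Review bot: The vector returned by `krb5_config_get_strings` at `char **foo = ...` is never released, and because the loop advances `foo` itself (`*foo++`), the base pointer needed to free it is gone once the loop ends. Keep a separate cursor (or an index) and free the vector after the addresses have been copied; Heimdal's config API provides `krb5_config_free_strings` for this — confirm it is present in this version of the library. An index-based loop also lets this branch use the same `i == 0` first-element test as the command-line branch above instead of `TRUE`/`FALSE`. `configure()` continues outside the hunk.
```c
    } else {
        char **foo = krb5_config_get_strings (context, cf,
                                             "kdc", "addresses", NULL);

        if (foo != NULL) {
            int i;

            for (i = 0; foo[i] != NULL; ++i)
                add_one_address (foo[i], i == 0);
            krb5_config_free_strings (foo);
        }
    }
    /* … unchanged: enable_http lookup … */
```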
diff --git a/crypto/heimdal/kdc/connect.c b/crypto/heimdal/kdc/connect.c
index 62b5bea..a1bbdcb 100644
--- a/crypto/heimdal/kdc/connect.c
+++ b/crypto/heimdal/kdc/connect.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,11 @@
#include "kdc_locl.h"
-RCSID("$Id: connect.c,v 1.68 1999/12/02 17:04:58 joda Exp $");
+RCSID("$Id: connect.c,v 1.69 2000/02/11 17:45:45 assar Exp $");
+
+/*
+ * a tuple describing on what to listen
+ */
struct port_desc{
int family;
@@ -41,9 +45,15 @@ struct port_desc{
int port;
};
+/* the current ones */
+
static struct port_desc *ports;
static int num_ports;
+/*
+ * add `family, port, protocol' to the list with duplicate suppresion.
+ */
+
static void
add_port(int family, int port, const char *protocol)
{
@@ -63,12 +73,19 @@ add_port(int family, int port, const char *protocol)
return;
}
ports = realloc(ports, (num_ports + 1) * sizeof(*ports));
+ if (ports == NULL)
+ krb5_err (context, 1, errno, "realloc");
ports[num_ports].family = family;
ports[num_ports].type = type;
ports[num_ports].port = port;
num_ports++;
}
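Review bot: The new check `if (ports == NULL)` runs after `realloc` has already overwritten `ports`, so the previous array is unreachable at that point; this is only safe because `krb5_err` terminates the process, and nothing in the code says so. Either make the idiom explicit — `struct port_desc *tmp = realloc(ports, (num_ports + 1) * sizeof(*ports));` / `if (tmp == NULL) krb5_err (context, 1, errno, "realloc");` / `ports = tmp;` — or add a comment such as `/* krb5_err does not return */` next to the check. `add_port` begins outside the hunk.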
+/*
+ * add a triple but with service -> port lookup
+ * (this prints warnings for stuff that does not exist)
+ */
+
static void
add_port_service(int family, const char *service, int port,
const char *protocol)
@@ -77,6 +94,11 @@ add_port_service(int family, const char *service, int port,
add_port (family, port, protocol);
}
+/*
+ * add the port with service -> port lookup or string -> number
+ * (no warning is printed)
+ */
+
static void
add_port_string (int family, const char *port_str, const char *protocol)
{
@@ -96,6 +118,10 @@ add_port_string (int family, const char *port_str, const char *protocol)
add_port (family, port, protocol);
}
+/*
+ * add the standard collection of ports for `family'
+ */
+
static void
add_standard_ports (int family)
{
@@ -113,6 +139,12 @@ add_standard_ports (int family)
#endif
}
+/*
+ * parse the set of space-delimited ports in `str' and add them.
+ * "+" => all the standard ones
+ * otherwise it's port|service[/protocol]
+ */
+
static void
parse_ports(const char *str)
{
@@ -150,6 +182,10 @@ parse_ports(const char *str)
free (str_copy);
}
+/*
+ * every socket we listen on
+ */
+
struct descr {
int s;
int type;
@@ -176,7 +212,7 @@ init_socket(struct descr *d, krb5_address *a, int family, int type, int port)
ret = krb5_addr2sockaddr (a, sa, &sa_size, port);
if (ret) {
- krb5_warn(context, ret, "krb5_anyaddr");
+ krb5_warn(context, ret, "krb5_addr2sockaddr");
close(d->s);
d->s = -1;
return;
@@ -200,14 +236,23 @@ init_socket(struct descr *d, krb5_address *a, int family, int type, int port)
d->type = type;
if(bind(d->s, sa, sa_size) < 0){
- krb5_warn(context, errno, "bind(%d)", ntohs(port));
+ char a_str[256];
+ size_t len;
+
+ krb5_print_address (a, a_str, sizeof(a_str), &len);
+ krb5_warn(context, errno, "bind %s/%d", a_str, ntohs(port));
close(d->s);
d->s = -1;
return;
}
if(type == SOCK_STREAM && listen(d->s, SOMAXCONN) < 0){
- krb5_warn(context, errno, "listen");
+ char a_str[256];
+ size_t len;
+
+ krb5_print_address (a, a_str, sizeof(a_str), &len);
+ krb5_warn(context, errno, "listen %s/%d", a_str, ntohs(port));
close(d->s);
+ d->s = -1;
return;
}
}
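Review bot: In both new error branches `a_str` is handed to `krb5_warn` without checking the `krb5_error_code` that `krb5_print_address` returns, so if the conversion fails the warning prints an uninitialised 256-byte buffer; `len` is required by the API but otherwise unused. Initialising the buffer, `char a_str[256] = "?";`, keeps the message well-defined on that path, or test the return value and fall back to a fixed string. The `bind` and `listen` branches are identical apart from the verb, so a small `static` helper taking the verb as a parameter would remove the duplication. `init_socket`'s body begins outside the hunk.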
@@ -226,9 +271,13 @@ init_sockets(struct descr **desc)
int num = 0;
krb5_addresses addresses;
- ret = krb5_get_all_server_addrs (context, &addresses);
- if (ret)
- krb5_err (context, 1, ret, "krb5_get_all_server_addrs");
+ if (explicit_addresses.len) {
+ addresses = explicit_addresses;
+ } else {
+ ret = krb5_get_all_server_addrs (context, &addresses);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_get_all_server_addrs");
+ }
parse_ports(port_str);
d = malloc(addresses.len * num_ports * sizeof(*d));
if (d == NULL)
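Review bot: `addresses = explicit_addresses;` is a shallow copy of the global, so `addresses.val` aliases the storage that `configure()` built; if `init_sockets` releases `addresses` before returning (its end lies outside this hunk), that call frees the global's buffer and leaves `explicit_addresses` dangling for any later use. The auto-detected branch owns its result while the explicit branch does not, so the two paths have different cleanup obligations that the code does not distinguish. Taking a private copy, `ret = krb5_copy_addresses (context, &explicit_addresses, &addresses);` with the same `krb5_err` check the other branch already has, makes `init_sockets` the owner of `addresses` on both paths. `init_sockets` starts and ends outside the hunk.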
@@ -262,7 +311,11 @@ init_sockets(struct descr **desc)
return num;
}
-
+/*
+ * handle the request in `buf, len', from `addr' (or `from' as a string),
+ * sending a reply in `reply'.
+ */
+
static int
process_request(unsigned char *buf,
size_t len,
@@ -711,7 +764,8 @@ loop(void)
case 0:
break;
case -1:
- krb5_warn(context, errno, "select");
+ if (errno != EINTR)
+ krb5_warn(context, errno, "select");
break;
default:
for(i = 0; i < ndescr; i++)
diff --git a/crypto/heimdal/kdc/kaserver.c b/crypto/heimdal/kdc/kaserver.c
index dc155fa..64121eb 100644
--- a/crypto/heimdal/kdc/kaserver.c
+++ b/crypto/heimdal/kdc/kaserver.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$Id: kaserver.c,v 1.9 1999/12/02 17:04:59 joda Exp $");
+RCSID("$Id: kaserver.c,v 1.10 2000/02/13 19:21:22 assar Exp $");
#ifdef KASERVER
@@ -468,7 +468,7 @@ do_authenticate (struct rx_header *hdr,
create_reply_ticket (hdr, skey,
name, instance, v4_realm,
- addr, life, client_entry->kvno,
+ addr, life, server_entry->kvno,
max_seq_len,
"krbtgt", v4_realm,
chal + 1, "tgsT",
diff --git a/crypto/heimdal/kdc/kdc.8 b/crypto/heimdal/kdc/kdc.8
index 8925111..181a3ce 100644
--- a/crypto/heimdal/kdc/kdc.8
+++ b/crypto/heimdal/kdc/kdc.8
@@ -1,4 +1,4 @@
-.\" $Id: kdc.8,v 1.3 1997/08/09 00:20:38 joda Exp $
+.\" $Id: kdc.8,v 1.5 2000/02/13 21:04:32 assar Exp $
.\"
.Dd July 27, 1997
.Dt KDC 8
@@ -11,12 +11,16 @@ Kerberos 5 server
.Nm
.Op Fl c Ar file
.Op Fl -config-file= Ns Ar file
-.Op Fl k Ar file
-.Op Fl -key-file= Ns Ar file
-.Op Fl p
-.Op Fl -no-require-preauth
+.Op Fl p | Fl -no-require-preauth
+.Op Fl -max-request= Ns Ar size
+.Op Fl H | Fl -enable-http
+.Op Fl K | Fl -no-kaserver
.Op Fl r Ar realm
.Op Fl -v4-realm= Ns Ar realm
+.Oo Fl P Ar string \*(Ba Xo
+.Fl -ports= Ns Ar string Oc
+.Xc
+.Op Fl -addresses= Ns Ar list of addresses
.Sh DESCRIPTION
.Nm
@@ -31,21 +35,32 @@ Options supported:
Specifies the location of the config file, the default is
.Pa /var/heimdal/kdc.conf .
This is the only value that can't be specified in the config file.
-.It Fl k Ar file
-.It Fl -key-file= Ns Ar file
-The location of the master-key file. All keys in the database is
-encrypted with this master key. The use of a master key is currently
-optional, so there is no default.
-.Em "Don't specify a master key file if your database is not encrypted."
.It Fl p
.It Fl -no-require-preauth
-Turn off the requirement for pre-autentication in the initial
-AS-REQ. The use of pre-authentication makes it more difficult to do
-offline password attacks. You might want to turn it off if you have
-clients that doesn't do pre-authentication. Since the version 4
-protocol doesn't support any pre-authentication, so serving version 4
-clients is just about the same as not requiring pre-athentication. The
-default is to require pre-authentication.
+Turn off the requirement for pre-autentication in the initial AS-REQ
+for all principals. The use of pre-authentication makes it more
+difficult to do offline password attacks. You might want to turn it
+off if you have clients that doesn't do pre-authentication. Since the
+version 4 protocol doesn't support any pre-authentication, so serving
+version 4 clients is just about the same as not requiring
+pre-athentication. The default is to require
+pre-authentication. Adding the require-preauth per principal is a more
+flexible way of handling this.
+.It Xo
+.Fl -max-request= Ns Ar size
+.Xc
+Gives an upper limit on the size of the requests that the kdc is
+willing to handle.
+.It Xo
+.Fl H Ns ,
+.Fl -enable-http
+.Xc
+Makes the kdc listen on port 80 and handle requests encapsulated in HTTP.
+.It Xo
+.Fl K Ns ,
+.Fl -no-kaserver
+.Xc
+Disables kaserver emulation (in case it's compiled in).
.It Fl r Ar realm
.It Fl -v4-realm= Ns Ar realm
What realm this server should act as when dealing with version 4
@@ -55,6 +70,18 @@ explicitly specified. The default is whatever is returned by
.Fn krb_get_lrealm .
This option is only availabe if the KDC has been compiled with version
4 support.
+.It Xo
+.Fl P Ar string Ns ,
+.Fl -ports= Ns Ar string
+.Xc
+Specifies the set of ports the KDC should listen on. It is given as a
+white-space separated list of services or port numbers.
+.It Xo
+.Fl -addresses= Ns Ar list of addresses
+.Xc
+The list of addresses to listen for requests on. By default, the kdc
+will listen on all the locally configured addresses. If only a subset
+is desired, or the automatic detection fails, this option might be used.
.El
.Pp
All activities , are logged to one or more destinations, see
diff --git a/crypto/heimdal/kdc/kdc_locl.h b/crypto/heimdal/kdc/kdc_locl.h
index 7275576..c703030 100644
--- a/crypto/heimdal/kdc/kdc_locl.h
+++ b/crypto/heimdal/kdc/kdc_locl.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -32,7 +32,7 @@
*/
/*
- * $Id: kdc_locl.h,v 1.39 1999/12/02 17:04:59 joda Exp $
+ * $Id: kdc_locl.h,v 1.40 2000/02/11 17:46:29 assar Exp $
*/
#ifndef __KDC_LOCL_H__
@@ -44,7 +44,6 @@ extern krb5_context context;
extern int require_preauth;
extern sig_atomic_t exit_flag;
-extern char *keyfile;
extern size_t max_request;
extern time_t kdc_warn_pwexpire;
extern struct dbinfo {
@@ -56,6 +55,8 @@ extern struct dbinfo {
extern HDB **db;
extern int num_db;
extern char *port_str;
+extern krb5_addresses explicit_addresses;
+
extern int enable_http;
extern krb5_boolean encode_as_rep_as_tgs_rep;
extern krb5_boolean check_ticket_addresses;
diff --git a/crypto/heimdal/kdc/kerberos4.c b/crypto/heimdal/kdc/kerberos4.c
index 29e28b3..23d59dd 100644
--- a/crypto/heimdal/kdc/kerberos4.c
+++ b/crypto/heimdal/kdc/kerberos4.c
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$Id: kerberos4.c,v 1.26 2000/02/02 01:26:41 assar Exp $");
+RCSID("$Id: kerberos4.c,v 1.27 2000/02/13 19:27:36 assar Exp $");
#ifdef KRB4
@@ -307,6 +307,10 @@ do_version4(unsigned char *buf,
}
if(tgt->kvno != kvno){
+ kdc_log(0, "tgs-req with old kvno %d (current %d) for "
+ "krbtgt.%s@%s", kvno, tgt->kvno, realm, v4_realm);
+ make_err_reply(reply, KDC_AUTH_EXP,
+ "old krbtgt kvno used");
goto out2;
}