Bug Summary

File:src/kdc.c
Warning:line 176, column 16
Although the value stored to 'rc' is used in the enclosing expression, the value is never actually read from 'rc'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-redhat-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name kdc.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model static -mframe-pointer=none -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/builds/gsasl/shishi/src -resource-dir /usr/lib64/clang/14.0.0 -D HAVE_CONFIG_H -I . -I .. -I ./gl -I ./gl -I ../lib/gl -I ../lib/gl -I ../lib -I ../lib -I ../db -D LOCALEDIR="/usr/local/share/locale" -D SYSTEMCFGFILE="/usr/local/etc/shishi/shishi.conf" -D HOSTKEYSFILE="/usr/local/etc/shishi/shishi.keys" -internal-isystem /usr/lib64/clang/14.0.0/include -internal-isystem /usr/local/include -internal-isystem /usr/bin/../lib/gcc/x86_64-redhat-linux/12/../../../../x86_64-redhat-linux/include -internal-externc-isystem /include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/builds/gsasl/shishi/src -ferror-limit 19 -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /builds/gsasl/shishi/clang-analyzer/2022-08-08-065803-50050-1 -x c kdc.c
1/* kdc.c --- Process AS and TGS requests.
2 * Copyright (C) 2002-2022 Simon Josefsson
3 *
4 * This file is part of Shishi.
5 *
6 * Shishi is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * Shishi is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with Shishi; if not, see http://www.gnu.org/licenses or write
18 * to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
19 * Floor, Boston, MA 02110-1301, USA
20 *
21 */
22
23/* Note: only use syslog to report errors in this file.
24 *
25 * XXX: Examine in detail the made choices of syslog facility.
26 * Messages should not exessively use 'auth', be it as default
27 * by openlog(), or explicitly.
28 */
29
30/* Get Shishid stuff. */
31#include "kdc.h"
32
33static int
34asreq1 (Shishi_as * as)
35{
36 Shishi_tkt *tkt;
37 Shishi_key *serverkey = NULL((void*)0), *sessionkey = NULL((void*)0), *userkey = NULL((void*)0);
38 Shisa_key *userdbkey = NULL((void*)0);
39 Shisa_key **serverkeys = NULL((void*)0), **userkeys = NULL((void*)0);
40 size_t nserverkeys, nuserkeys;
41 int rc;
42 char *username = NULL((void*)0), *servername = NULL((void*)0), *realm = NULL((void*)0);
43 Shisa_principal server, user;
44 int32_t sessionkeytype = -1;
45 int32_t etype;
46 int i;
47
48 /*
49 * The authentication server looks up the client and server principals
50 * named in the KRB_AS_REQ in its database, extracting their respective
51 * keys. If the requested client principal named in the request is not
52 * known because it doesn't exist in the KDC's principal database, then
53 * an error message with a KDC_ERR_C_PRINCIPAL_UNKNOWN is returned.
54 */
55
56 rc = shishi_kdcreq_realm (handle, shishi_as_req (as), &realm, NULL((void*)0));
57 if (rc != SHISHI_OK)
58 {
59 syslog (LOG_ERR3, "shishi_kdcreq_realm failed (%d): %s",
60 rc, shishi_strerror (rc));
61 goto fatal;
62 }
63
64 rc = shishi_kdcreq_client (handle, shishi_as_req (as), &username, NULL((void*)0));
65 if (rc != SHISHI_OK)
66 {
67 syslog (LOG_ERR3, "shishi_kdcreq_client failed (%d): %s",
68 rc, shishi_strerror (rc));
69 goto fatal;
70 }
71
72 rc = shishi_kdcreq_server (handle, shishi_as_req (as), &servername, NULL((void*)0));
73 if (rc != SHISHI_OK)
74 {
75 syslog (LOG_ERR3, "shishi_kdcreq_server failed (%d): %s",
76 rc, shishi_strerror (rc));
77 goto fatal;
78 }
79
80 /* Find the client, e.g., simon@JOSEFSSON.ORG. */
81
82 rc = shisa_principal_find (dbh, realm, username, &user);
83 if (rc != SHISA_OK && rc != SHISA_NO_PRINCIPAL)
84 {
85 syslog (LOG_ERR3, "shisa_principal_find failed (%d): %s",
86 rc, shisa_strerror (rc));
87 rc = SHISHI_INVALID_PRINCIPAL_NAME;
88 goto fatal;
89 }
90 if (rc == SHISA_NO_PRINCIPAL)
91 {
92 syslog (LOG_NOTICE5, "AS-REQ from %s@%s for %s@%s failed: no such user",
93 username, realm, servername, realm);
94 rc = shishi_krberror_errorcode_set (handle, shishi_as_krberror (as),
95 SHISHI_KDC_ERR_C_PRINCIPAL_UNKNOWN);
96 if (rc != SHISHI_OK)
97 goto fatal;
98 rc = SHISHI_INVALID_PRINCIPAL_NAME;
99 goto fatal;
100 }
101
102 rc = shisa_keys_find (dbh, realm, username, NULL((void*)0), &userkeys, &nuserkeys);
103 if (rc != SHISA_OK || nuserkeys == 0)
104 {
105 syslog (LOG_ERR3, "shisa_keys_find(%s@%s) failed (%d): %s",
106 username, realm, rc, shisa_strerror (rc));
107 rc = SHISHI_INVALID_PRINCIPAL_NAME;
108 goto fatal;
109 }
110
111 /* Find the server, e.g., krbtgt/JOSEFSSON.ORG@JOSEFSSON.ORG. */
112
113 rc = shisa_principal_find (dbh, realm, servername, &server);
114 if (rc != SHISA_OK && rc != SHISA_NO_PRINCIPAL)
115 {
116 syslog (LOG_ERR3, "shisa_principal_find failed (%d): %s",
117 rc, shisa_strerror (rc));
118 rc = SHISHI_INVALID_PRINCIPAL_NAME;
119 goto fatal;
120 }
121 if (rc == SHISA_NO_PRINCIPAL)
122 {
123 syslog (LOG_NOTICE5,
124 "AS-REQ from %s@%s for %s@%s failed: no such server",
125 username, realm, servername, realm);
126 rc =
127 shishi_krberror_errorcode_set (handle, shishi_as_krberror (as),
128 SHISHI_KDC_ERR_S_PRINCIPAL_UNKNOWN);
129 if (rc != SHISHI_OK)
130 goto fatal;
131 rc = SHISHI_INVALID_PRINCIPAL_NAME;
132 goto fatal;
133 }
134
135 rc = shisa_keys_find (dbh, realm, servername, NULL((void*)0),
136 &serverkeys, &nserverkeys);
137 if (rc != SHISA_OK || nserverkeys == 0)
138 {
139 syslog (LOG_ERR3, "shisa_keys_find(%s@%s) failed (%d): %s",
140 servername, realm, rc, shisa_strerror (rc));
141 rc = SHISHI_INVALID_PRINCIPAL_NAME;
142 goto fatal;
143 }
144
145 syslog (LOG_INFO6, "AS-REQ from %s@%s for %s@%s", username, realm,
146 servername, realm);
147
148 /*
149 * If required, the server pre-authenticates the request, and if the
150 * pre-authentication check fails, an error message with the code
151 * KDC_ERR_PREAUTH_FAILED is returned. If pre-authentication is
152 * required, but was not present in the request, an error message with
153 * the code KDC_ERR_PREAUTH_REQUIRED is returned and a METHOD-DATA
154 * object will be stored in the e-data field of the KRB-ERROR message to
155 * specify which pre-authentication mechanisms are acceptable. Usually
156 * this will include PA-ETYPE-INFO and/or PA-ETYPE-INFO2 elements as
157 * described below. If the server cannot accommodate any encryption type
158 * requested by the client, an error message with code
159 * KDC_ERR_ETYPE_NOSUPP is returned. Otherwise the KDC generates a
160 * 'random' session key[7].
161 */
162
163 /* XXX support pre-auth. */
164
165 /*
166 * When responding to an AS request, if there are multiple encryption
167 * keys registered for a client in the Kerberos database, then the etype
168 * field from the AS request is used by the KDC to select the encryption
169 * method to be used to protect the encrypted part of the KRB_AS_REP
170 * message which is sent to the client. If there is more than one
171 * supported strong encryption type in the etype list, the KDC SHOULD
172 * use the first valid strong etype for which an encryption key is
173 * available.
174 */
175
176 for (i = 1; (rc = shishi_kdcreq_etype (handle, shishi_as_req (as),
Although the value stored to 'rc' is used in the enclosing expression, the value is never actually read from 'rc'
177 &etype, i)) == SHISHI_OK; i++)
178 {
179 size_t j;
180
181 if (!shishi_cipher_supported_p (etype))
182 continue;
183
184 if (sessionkeytype == -1)
185 for (j = 0; j < nserverkeys; j++)
186 if (serverkeys[j]->etype == etype)
187 sessionkeytype = serverkeys[j]->etype;
188
189 if (userdbkey == NULL((void*)0))
190 for (j = 0; j < nuserkeys; j++)
191 {
192 /* Keep facility coordinated with 'AS-REQ from ...'. */
193 syslog (LOG_DEBUG7,
194 "Matching client etype %d against user key etype %d",
195 etype, userkeys[j]->etype);
196 if (userkeys[j]->etype == etype)
197 userdbkey = userkeys[j];
198 }
199 }
200
201 if (userdbkey == NULL((void*)0))
202 {
203 /* Again keeping facility coordinated with 'AS-REQ from ...'. */
204 syslog (LOG_NOTICE5, "No matching client keys for %s@%s",
205 username, realm);
206 rc = shishi_krberror_errorcode_set (handle, shishi_as_krberror (as),
207 SHISHI_KDC_ERR_ETYPE_NOSUPP);
208 if (rc != SHISHI_OK)
209 goto fatal;
210 rc = SHISHI_INVALID_PRINCIPAL_NAME;
211 goto fatal;
212 }
213
214
215 rc = shishi_key_from_value (handle, userdbkey->etype,
216 userdbkey->key, &userkey);
217 if (rc != SHISHI_OK)
218 {
219 syslog (LOG_ERR3, "shishi_key_from_value (user) failed (%d): %s",
220 rc, shishi_strerror (rc));
221 goto fatal;
222 }
223
224 /* XXX Select "best" available key (highest kvno, best algorithm?)
225 here. The client etype should not influence this. */
226 rc = shishi_key_from_value (handle, serverkeys[0]->etype,
227 serverkeys[0]->key, &serverkey);
228 if (rc != SHISHI_OK)
229 {
230 syslog (LOG_ERR3, "shishi_key_from_value (server) failed (%d): %s",
231 rc, shishi_strerror (rc));
232 goto fatal;
233 }
234 /*
235 * When the user's key is generated from a password or pass phrase, the
236 * string-to-key function for the particular encryption key type is
237 * used, as specified in [@KCRYPTO]. The salt value and additional
238 * parameters for the string-to-key function have default values
239 * (specified by section 4 and by the encryption mechanism
240 * specification, respectively) that may be overridden by pre-
241 * authentication data (PA-PW-SALT, PA-AFS3-SALT, PA-ETYPE-INFO, PA-
242 * ETYPE-INFO2, etc). Since the KDC is presumed to store a copy of the
243 * resulting key only, these values should not be changed for password-
244 * based keys except when changing the principal's key.
245 *
246 * When the AS server is to include pre-authentication data in a KRB-
247 * ERROR or in an AS-REP, it MUST use PA-ETYPE-INFO2, not PA-ETYPE-INFO,
248 * if the etype field of the client's AS-REQ lists at least one "newer"
249 * encryption type. Otherwise (when the etype field of the client's AS-
250 * REQ does not list any "newer" encryption types) it MUST send both,
251 * PA-ETYPE-INFO2 and PA-ETYPE-INFO (both with an entry for each
252 * enctype). A "newer" enctype is any enctype first officially
253 * specified concurrently with or subsequent to the issue of this RFC.
254 * The enctypes DES, 3DES or RC4 and any defined in [RFC1510] are not
255 * newer enctypes.
256 *
257 * It is not possible to reliably generate a user's key given a pass
258 * phrase without contacting the KDC, since it will not be known whether
259 * alternate salt or parameter values are required.
260 *
261 */
262
263 /* XXX support pre-auth. */
264
265 /*
266 * The KDC will attempt to assign the type of the random session key
267 * from the list of methods in the etype field. The KDC will select the
268 * appropriate type using the list of methods provided together with
269 * information from the Kerberos database indicating acceptable
270 * encryption methods for the application server. The KDC will not issue
271 * tickets with a weak session key encryption type.
272 */
273
274 if (sessionkeytype == -1)
275 sessionkeytype = shishi_cfg_clientkdcetype_fast (handle);
276
277 rc = shishi_key_random (handle, sessionkeytype, &sessionkey);
278 if (rc != SHISHI_OK)
279 {
280 syslog (LOG_ERR3, "shishi_key_random (session key) failed (%d): %s",
281 rc, shishi_strerror (rc));
282 goto fatal;
283 }
284
285 /*
286 * If the requested start time is absent, indicates a time in the past,
287 * or is within the window of acceptable clock skew for the KDC and the
288 * POSTDATE option has not been specified, then the start time of the
289 * ticket is set to the authentication server's current time. If it
290 * indicates a time in the future beyond the acceptable clock skew, but
291 * the POSTDATED option has not been specified then the error
292 * KDC_ERR_CANNOT_POSTDATE is returned. Otherwise the requested start
293 * time is checked against the policy of the local realm (the
294 * administrator might decide to prohibit certain types or ranges of
295 * postdated tickets), and if acceptable, the ticket's start time is set
296 * as requested and the INVALID flag is set in the new ticket. The
297 * postdated ticket MUST be validated before use by presenting it to the
298 * KDC after the start time has been reached.
299 *
300 * The expiration time of the ticket will be set to the earlier of the
301 * requested endtime and a time determined by local policy, possibly
302 * determined using realm or principal specific factors. For example,
303 * the expiration time MAY be set to the earliest of the following:
304 *
305 * * The expiration time (endtime) requested in the KRB_AS_REQ
306 * message.
307 *
308 * * The ticket's start time plus the maximum allowable lifetime
309 * associated with the client principal from the authentication
310 * server's database.
311 *
312 * * The ticket's start time plus the maximum allowable lifetime
313 * associated with the server principal.
314 *
315 * * The ticket's start time plus the maximum lifetime set by the
316 * policy of the local realm.
317 *
318 * If the requested expiration time minus the start time (as determined
319 * above) is less than a site-determined minimum lifetime, an error
320 * message with code KDC_ERR_NEVER_VALID is returned. If the requested
321 * expiration time for the ticket exceeds what was determined as above,
322 * and if the 'RENEWABLE-OK' option was requested, then the 'RENEWABLE'
323 * flag is set in the new ticket, and the renew-till value is set as if
324 * the 'RENEWABLE' option were requested (the field and option names are
325 * described fully in section 5.4.1).
326 *
327 * If the RENEWABLE option has been requested or if the RENEWABLE-OK
328 * option has been set and a renewable ticket is to be issued, then the
329 * renew-till field MAY be set to the earliest of:
330 *
331 * * Its requested value.
332 *
333 * * The start time of the ticket plus the minimum of the two
334 * maximum renewable lifetimes associated with the principals'
335 * database entries.
336 *
337 * * The start time of the ticket plus the maximum renewable
338 * lifetime set by the policy of the local realm.
339 *
340 */
341
342 tkt = shishi_as_tkt (as);
343 if (tkt == NULL((void*)0))
344 {
345 syslog (LOG_ERR3, "shishi_as_tkt failed");
346 goto fatal;
347 }
348
349 {
350 char *till;
351 size_t tilllen;
352
353 rc = shishi_kdcreq_till (handle, shishi_as_req (as), &till, &tilllen);
354 if (rc != SHISHI_OK)
355 {
356 syslog (LOG_ERR3, "shishi_kdcreq_till failed (%d): %s",
357 rc, shishi_strerror (rc));
358 goto fatal;
359 }
360
361 if (tilllen != 16 || strlen (till) != 15)
362 {
363 syslog (LOG_ERR3, "Invalid 'till' field in request (%zu): %s",
364 tilllen, till);
365 goto fatal;
366 }
367
368 rc = shishi_encticketpart_endtime_set (handle,
369 shishi_tkt_encticketpart (tkt),
370 till);
371
372 free (till);
373 }
374
375 /* XXX Do the time stuff above. */
376
377 /*
378 * The flags field of the new ticket will have the following options set
379 * if they have been requested and if the policy of the local realm
380 * allows: FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE.
381 * If the new ticket is postdated (the start time is in the future), its
382 * INVALID flag will also be set.
383 */
384
385 if (shishi_kdcreq_forwardable_p (handle, shishi_as_req (as)))
386 shishi_tkt_flags_add (tkt, SHISHI_TICKETFLAGS_FORWARDABLE);
387
388 if (shishi_kdcreq_allow_postdate_p (handle, shishi_as_req (as)))
389 shishi_tkt_flags_add (tkt, SHISHI_TICKETFLAGS_MAY_POSTDATE);
390
391 if (shishi_kdcreq_postdated_p (handle, shishi_as_req (as)))
392 {
393 /* XXX policy check from time. */
394 shishi_tkt_flags_add (tkt, SHISHI_TICKETFLAGS_POSTDATED);
395 shishi_tkt_flags_add (tkt, SHISHI_TICKETFLAGS_INVALID);
396 /* XXX set starttime to from */
397 }
398
399 if (shishi_kdcreq_proxiable_p (handle, shishi_as_req (as)))
400 shishi_tkt_flags_add (tkt, SHISHI_TICKETFLAGS_PROXIABLE);
401
402 if (shishi_kdcreq_renewable_p (handle, shishi_as_req (as)))
403 {
404 shishi_tkt_flags_add (tkt, SHISHI_TICKETFLAGS_RENEWABLE);
405 /* XXX set renew-till from rtime */
406 }
407
408 /*
409 * If all of the above succeed, the server will encrypt the ciphertext
410 * part of the ticket using the encryption key extracted from the server
411 * principal's record in the Kerberos database using the encryption type
412 * associated with the server principal's key (this choice is NOT
413 * affected by the etype field in the request). It then formats a
414 * KRB_AS_REP message (see section 5.4.2), copying the addresses in the
415 * request into the caddr of the response, placing any required pre-
416 * authentication data into the padata of the response, and encrypts the
417 * ciphertext part in the client's key using an acceptable encryption
418 * method requested in the etype field of the request, or in some key
419 * specified by pre-authentication mechanisms being used.
420 */
421
422 rc = shishi_tkt_key_set (tkt, sessionkey);
423 if (rc != SHISHI_OK)
424 {
425 syslog (LOG_ERR3, "shishi_tkt_key_set failed (%d): %s",
426 rc, shishi_strerror (rc));
427 goto fatal;
428 }
429
430 rc = shishi_tkt_clientrealm_set (tkt, realm, username);
431 if (rc != SHISHI_OK)
432 {
433 syslog (LOG_ERR3, "shishi_tkt_clientrealm_set failed (%d): %s",
434 rc, shishi_strerror (rc));
435 goto fatal;
436 }
437
438 rc = shishi_tkt_serverrealm_set (tkt, realm, servername);
439 if (rc != SHISHI_OK)
440 {
441 syslog (LOG_ERR3, "shishi_tkt_serverrealm_set failed (%d): %s",
442 rc, shishi_strerror (rc));
443 goto fatal;
444 }
445
446 rc = shishi_tkt_build (tkt, serverkey);
447 if (rc != SHISHI_OK)
448 {
449 syslog (LOG_ERR3, "shishi_tkt_build failed (%d): %s",
450 rc, shishi_strerror (rc));
451 goto fatal;
452 }
453
454 rc = shishi_as_rep_build (as, userkey);
455 if (rc != SHISHI_OK)
456 {
457 syslog (LOG_ERR3, "shishi_as_rep_build failed (%d): %s",
458 rc, shishi_strerror (rc));
459 goto fatal;
460 }
461
462 if (arg.verbose_given)
463 {
464 shishi_kdcreq_print (handle, stderrstderr, shishi_as_req (as));
465 shishi_encticketpart_print (handle, stderrstderr,
466 shishi_tkt_encticketpart (tkt));
467 shishi_ticket_print (handle, stderrstderr, shishi_tkt_ticket (tkt));
468 shishi_enckdcreppart_print (handle, stderrstderr,
469 shishi_tkt_enckdcreppart (tkt));
470 shishi_kdcrep_print (handle, stderrstderr, shishi_as_rep (as));
471 }
472
473 rc = SHISHI_OK;
474
475fatal:
476 if (rc != SHISHI_OK)
477 syslog (LOG_ERR3, "AS-REQ failed (%d): %s", rc, shishi_strerror (rc));
478 free (realm);
479 free (username);
480 free (servername);
481 if (userkeys)
482 shisa_keys_free (dbh, userkeys, nuserkeys);
483 if (serverkeys)
484 shisa_keys_free (dbh, serverkeys, nserverkeys);
485 if (userkey)
486 shishi_key_done (userkey);
487 if (serverkey)
488 shishi_key_done (serverkey);
489 if (sessionkey)
490 shishi_key_done (sessionkey);
491
492 return rc;
493}
494
495static int
496tgsreq1 (Shishi_tgs * tgs)
497{
498 int rc;
499 Shishi_tkt *tkt;
500 Shishi_key *newsessionkey = NULL((void*)0), *oldsessionkey = NULL((void*)0);
501 Shishi_key *serverkey = NULL((void*)0), *subkey = NULL((void*)0), *tgkey = NULL((void*)0);
502 char *servername = NULL((void*)0), *serverrealm = NULL((void*)0);
503 char *tgname = NULL((void*)0), *tgrealm = NULL((void*)0);
504 char *clientname = NULL((void*)0), *clientrealm = NULL((void*)0);
505 Shisa_principal krbtgt, server;
506 Shisa_key **tgkeys = NULL((void*)0), **serverkeys = NULL((void*)0);
507 size_t ntgkeys, nserverkeys;
508
509 rc = shishi_tgs_req_process (tgs);
510 if (rc != SHISHI_OK)
511 {
512 syslog (LOG_ERR3, "shishi_tgs_req_process failed (%d): %s",
513 rc, shishi_strerror (rc));
514 goto fatal;
515 }
516
517 /*
518 * The KRB_TGS_REQ message is processed in a manner similar to the
519 * KRB_AS_REQ message, but there are many additional checks to be
520 * performed. First, the Kerberos server MUST determine which server the
521 * accompanying ticket is for and it MUST select the appropriate key to
522 * decrypt it. For a normal KRB_TGS_REQ message, it will be for the
523 * ticket granting service, and the TGS's key will be used. If the TGT
524 * was issued by another realm, then the appropriate inter-realm key
525 * MUST be used. If the accompanying ticket is not a ticket-granting
526 * ticket for the current realm, but is for an application server in the
527 * current realm, the RENEW, VALIDATE, or PROXY options are specified in
528 * the request, and the server for which a ticket is requested is the
529 * server named in the accompanying ticket, then the KDC will decrypt
530 * the ticket in the authentication header using the key of the server
531 * for which it was issued. If no ticket can be found in the padata
532 * field, the KDC_ERR_PADATA_TYPE_NOSUPP error is returned.
533 */
534
535 /* Find name of ticket granter, e.g., krbtgt/JOSEFSSON.ORG@JOSEFSSON.ORG. */
536
537 rc = shishi_tkt_realm (shishi_ap_tkt (shishi_tgs_ap (tgs)), &tgrealm, NULL((void*)0));
538 if (rc != SHISHI_OK)
539 {
540 syslog (LOG_ERR3, "shishi_tkt_realm failed (%d): %s",
541 rc, shishi_strerror (rc));
542 goto fatal;
543 }
544
545 rc = shishi_tkt_server (shishi_ap_tkt (shishi_tgs_ap (tgs)), &tgname, NULL((void*)0));
546 if (rc != SHISHI_OK)
547 {
548 syslog (LOG_ERR3, "shishi_tkt_server failed (%d): %s",
549 rc, shishi_strerror (rc));
550 goto fatal;
551 }
552
553 syslog (LOG_DEBUG7, "TGS-REQ uses ticket granter %s@%s", tgname, tgrealm);
554
555 rc = shisa_principal_find (dbh, tgrealm, tgname, &krbtgt);
556 if (rc != SHISA_OK && rc != SHISA_NO_PRINCIPAL)
557 {
558 syslog (LOG_ERR3, "shisa_principal_find(%s@%s) failed (%d): %s",
559 tgname, tgrealm, rc, shisa_strerror (rc));
560 rc = SHISHI_INVALID_PRINCIPAL_NAME;
561 goto fatal;
562 }
563 if (rc == SHISA_NO_PRINCIPAL)
564 {
565 syslog (LOG_NOTICE5, "TGS-REQ using %s@%s failed: no such tgt",
566 tgname, tgrealm);
567 rc = shishi_krberror_errorcode_set (handle, shishi_tgs_krberror (tgs),
568 SHISHI_KRB_AP_ERR_NOT_US);
569 if (rc != SHISHI_OK)
570 goto fatal;
571 rc = SHISHI_INVALID_PRINCIPAL_NAME;
572 goto fatal;
573 }
574
575 rc = shisa_keys_find (dbh, tgrealm, tgname, NULL((void*)0), &tgkeys, &ntgkeys);
576 if (rc != SHISA_OK || ntgkeys == 0)
577 {
578 syslog (LOG_ERR3, "shisa_keys_find(%s@%s) failed (%d): %s",
579 tgname, tgrealm, rc, shisa_strerror (rc));
580 rc = SHISHI_INVALID_PRINCIPAL_NAME;
581 goto fatal;
582 }
583
584 /* XXX use etype/kvno to select key. */
585
586 rc = shishi_key_from_value (handle, tgkeys[0]->etype,
587 tgkeys[0]->key, &tgkey);
588 if (rc != SHISHI_OK)
589 {
590 syslog (LOG_ERR3, "shishi_key_from_value (tgt) failed (%d): %s",
591 rc, shishi_strerror (rc));
592 goto fatal;
593 }
594
595 rc = shishi_ap_req_process_keyusage
596 (shishi_tgs_ap (tgs), tgkey, SHISHI_KEYUSAGE_TGSREQ_APREQ_AUTHENTICATOR);
597 if (rc != SHISHI_OK)
598 {
599 syslog (LOG_ERR3, "shishi_ap_req_process_keyusage failed (%d): %s",
600 rc, shishi_strerror (rc));
601 goto fatal;
602 }
603
604 /*
605 * 3.3.3.1. Checking for revoked tickets
606 *
607 * Whenever a request is made to the ticket-granting server, the
608 * presented ticket(s) is(are) checked against a hot-list of tickets
609 * which have been canceled. This hot-list might be implemented by
610 * storing a range of issue timestamps for 'suspect tickets'; if a
611 * presented ticket had an authtime in that range, it would be rejected.
612 * In this way, a stolen ticket-granting ticket or renewable ticket
613 * cannot be used to gain additional tickets (renewals or otherwise)
614 * once the theft has been reported to the KDC for the realm in which
615 * the server resides. Any normal ticket obtained before it was reported
616 * stolen will still be valid (because they require no interaction with
617 * the KDC), but only until their normal expiration time. If TGT's have
618 * been issued for cross-realm authentication, use of the cross-realm
619 * TGT will not be affected unless the hot-list is propagated to the
620 * KDCs for the realms for which such cross-realm tickets were issued.
621 */
622
623 /* XXX Check if tgname@tgrealm is a valid TGT. */
624
625 /*
626 * Once the accompanying ticket has been decrypted, the user-supplied
627 * checksum in the Authenticator MUST be verified against the contents
628 * of the request, and the message rejected if the checksums do not
629 * match (with an error code of KRB_AP_ERR_MODIFIED) or if the checksum
630 * is not collision-proof (with an error code of
631 * KRB_AP_ERR_INAPP_CKSUM). If the checksum type is not supported, the
632 * KDC_ERR_SUMTYPE_NOSUPP error is returned. If the authorization-data
633 * are present, they are decrypted using the sub-session key from the
634 * Authenticator.
635 *
636 * If any of the decryptions indicate failed integrity checks, the
637 * KRB_AP_ERR_BAD_INTEGRITY error is returned.
638 */
639
640 /* XXX check that checksum in authenticator match tgsreq.req-body */
641
642 syslog (LOG_DEBUG7, "TGS-REQ authentication OK using %s@%s", tgname,
643 tgrealm);
644
645 /*
646 * As discussed in section 3.1.2, the KDC MUST send a valid KRB_TGS_REP
647 * message if it receives a KRB_TGS_REQ message identical to one it has
648 * recently processed. However, if the authenticator is a replay, but
649 * the rest of the request is not identical, then the KDC SHOULD return
650 * KRB_AP_ERR_REPEAT.
651 */
652
653 /* XXX Do replay stuff. */
654
655 /*
656 * The response will include a ticket for the requested server or for a
657 * ticket granting server of an intermediate KDC to be contacted to
658 * obtain the requested ticket. The Kerberos database is queried to
659 * retrieve the record for the appropriate server (including the key
660 * with which the ticket will be encrypted). If the request is for a
661 * ticket-granting ticket for a remote realm, and if no key is shared
662 * with the requested realm, then the Kerberos server will select the
663 * realm 'closest' to the requested realm with which it does share a
664 * key, and use that realm instead. Thss is theonly cases where the
665 * response for the KDC will be for a different server than that
666 * requested by the client.
667 */
668
669 rc = shishi_kdcreq_realm (handle, shishi_tgs_req (tgs), &serverrealm, NULL((void*)0));
670 if (rc != SHISHI_OK)
671 {
672 syslog (LOG_ERR3, "shishi_kdcreq_realm failed (%d): %s",
673 rc, shishi_strerror (rc));
674 goto fatal;
675 }
676
677 /* XXX Do cross-realm handling. */
678
679 rc = shishi_kdcreq_server (handle, shishi_tgs_req (tgs), &servername, NULL((void*)0));
680 if (rc != SHISHI_OK)
681 {
682 syslog (LOG_ERR3, "shishi_kdcreq_server failed (%d): %s",
683 rc, shishi_strerror (rc));
684 goto fatal;
685 }
686
687 rc = shisa_principal_find (dbh, serverrealm, servername, &server);
688 if (rc != SHISA_OK && rc != SHISA_NO_PRINCIPAL)
689 {
690 syslog (LOG_ERR3, "shisa_principal_find(%s@%s) failed (%d): %s",
691 servername, serverrealm, rc, shisa_strerror (rc));
692 rc = SHISHI_INVALID_PRINCIPAL_NAME;
693 goto fatal;
694 }
695 if (rc == SHISA_NO_PRINCIPAL)
696 {
697 syslog (LOG_NOTICE5, "TGS-REQ for %s@%s failed: no such server",
698 servername, serverrealm);
699 rc = shishi_krberror_errorcode_set (handle, shishi_tgs_krberror (tgs),
700 SHISHI_KDC_ERR_S_PRINCIPAL_UNKNOWN);
701 if (rc != SHISHI_OK)
702 goto fatal;
703 rc = SHISHI_INVALID_PRINCIPAL_NAME;
704 goto fatal;
705 }
706
707 rc = shisa_keys_find (dbh, serverrealm, servername, NULL((void*)0),
708 &serverkeys, &nserverkeys);
709 if (rc != SHISA_OK || nserverkeys == 0)
710 {
711 syslog (LOG_ERR3, "shisa_keys_find(%s@%s) failed (%d): %s",
712 servername, serverrealm, rc, shisa_strerror (rc));
713 rc = SHISHI_INVALID_PRINCIPAL_NAME;
714 goto fatal;
715 }
716
717 /* XXX Select "best" available key (highest kvno, best algorithm?)
718 here. The client etype should not influence this. */
719 rc = shishi_key_from_value (handle, serverkeys[0]->etype,
720 serverkeys[0]->key, &serverkey);
721 if (rc != SHISHI_OK)
722 {
723 syslog (LOG_ERR3, "shisa_key_from_value (server) failed (%d): %s",
724 rc, shishi_strerror (rc));
725 goto fatal;
726 }
727
728 /* Generate session key for the newly generated ticket, of same key
729 type as the selected long-term server key. XXX let the client
730 influence the etype? think of AES only server and RFC 1510
731 client. if client etype is not used here, the client cannot talk
732 to the server. perhaps just as good though. */
733
734 rc = shishi_key_random (handle, shishi_key_type (serverkey),
735 &newsessionkey);
736 if (rc != SHISHI_OK)
737 {
738 syslog (LOG_ERR3, "shishi_key_random failed (%d): %s",
739 rc, shishi_strerror (rc));
740 goto fatal;
741 }
742
743 /*
744 * By default, the address field, the client's name and realm, the list
745 * of transited realms, the time of initial authentication, the
746 * expiration time, and the authorization data of the newly-issued
747 * ticket will be copied from the ticket-granting ticket (TGT) or
748 * renewable ticket. If the transited field needs to be updated, but the
749 * transited type is not supported, the KDC_ERR_TRTYPE_NOSUPP error is
750 * returned.
751 */
752
753 tkt = shishi_tgs_tkt (tgs);
754 if (tkt == NULL((void*)0))
755 {
756 syslog (LOG_ERR3, "shishi_tgs_tkt failed");
757 goto fatal;
758 }
759
760 rc = shishi_encticketpart_crealm
761 (handle, shishi_tkt_encticketpart (shishi_ap_tkt (shishi_tgs_ap (tgs))),
762 &clientrealm, NULL((void*)0));
763 if (rc != SHISHI_OK)
764 {
765 syslog (LOG_ERR3, "shishi_encticketpart_crealm failed (%d): %s",
766 rc, shishi_strerror (rc));
767 goto fatal;
768 }
769
770 rc = shishi_encticketpart_client
771 (handle, shishi_tkt_encticketpart (shishi_ap_tkt (shishi_tgs_ap (tgs))),
772 &clientname, NULL((void*)0));
773 if (rc != SHISHI_OK)
774 {
775 syslog (LOG_ERR3, "shishi_encticketpart_client failed (%d): %s",
776 rc, shishi_strerror (rc));
777 goto fatal;
778 }
779
780 rc = shishi_tkt_clientrealm_set (tkt, clientrealm, clientname);
781 if (rc != SHISHI_OK)
782 {
783 syslog (LOG_ERR3, "shishi_tkt_clientrealm_set failed (%d): %s",
784 rc, shishi_strerror (rc));
785 goto fatal;
786 }
787
788 /* XXX Copy more fields. Move copying into lib/? */
789
790 rc = shishi_encticketpart_endtime_set
791 (handle, shishi_tkt_encticketpart (tkt),
792 shishi_generalize_time (handle,
793 shishi_kdcreq_tillc (handle,
794 shishi_tgs_req (tgs))));
795 if (rc != SHISHI_OK)
796 {
797 syslog (LOG_ERR3, "shishi_encticketpart_endtime_set failed (%d): %s",
798 rc, shishi_strerror (rc));
799 goto fatal;
800 }
801
802 rc = shishi_tkt_key_set (tkt, newsessionkey);
803 if (rc != SHISHI_OK)
804 {
805 syslog (LOG_ERR3, "shishi_tkt_key_set failed (%d): %s",
806 rc, shishi_strerror (rc));
807 goto fatal;
808 }
809
810 rc = shishi_tkt_serverrealm_set (tkt, serverrealm, servername);
811 if (rc != SHISHI_OK)
812 {
813 syslog (LOG_ERR3, "shishi_tkt_serverrealm_set failed (%d): %s",
814 rc, shishi_strerror (rc));
815 goto fatal;
816 }
817
818 syslog (LOG_DEBUG7, "TGS-REQ from %s@%s for %s@%s",
819 clientname, clientrealm, servername, serverrealm);
820
821 /*
822 * If the request specifies an endtime, then the endtime of the new
823 * ticket is set to the minimum of (a) that request, (b) the endtime
824 * from the TGT, and (c) the starttime of the TGT plus the minimum of
825 * the maximum life for the application server and the maximum life for
826 * the local realm (the maximum life for the requesting principal was
827 * already applied when the TGT was issued). If the new ticket is to be
828 * a renewal, then the endtime above is replaced by the minimum of (a)
829 * the value of the renew_till field of the ticket and (b) the starttime
830 * for the new ticket plus the life (endtime-starttime) of the old
831 * ticket.
832 *
833 * If the FORWARDED option has been requested, then the resulting ticket
834 * will contain the addresses specified by the client. This option will
835 * only be honored if the FORWARDABLE flag is set in the TGT. The PROXY
836 * option is similar; the resulting ticket will contain the addresses
837 * specified by the client. It will be honored only if the PROXIABLE
838 * flag in the TGT is set. The PROXY option will not be honored on
839 * requests for additional ticket-granting tickets.
840 *
841 * If the requested start time is absent, indicates a time in the past,
842 * or is within the window of acceptable clock skew for the KDC and the
843 * POSTDATE option has not been specified, then the start time of the
844 * ticket is set to the authentication server's current time. If it
845 * indicates a time in the future beyond the acceptable clock skew, but
846 * the POSTDATED option has not been specified or the MAY-POSTDATE flag
847 * is not set in the TGT, then the error KDC_ERR_CANNOT_POSTDATE is
848 * returned. Otherwise, if the ticket-granting ticket has the MAY-
849 * POSTDATE flag set, then the resulting ticket will be postdated and
850 * the requested starttime is checked against the policy of the local
851 * realm. If acceptable, the ticket's start time is set as requested,
852 * and the INVALID flag is set. The postdated ticket MUST be validated
853 * before use by presenting it to the KDC after the starttime has been
854 * reached. However, in no case may the starttime, endtime, or renew-
855 * till time of a newly-issued postdated ticket extend beyond the renew-
856 * till time of the ticket-granting ticket.
857 *
858 * If the ENC-TKT-IN-SKEY option has been specified and an additional
859 * ticket has been included in the request, it indicates that the client
860 * is using user- to-user authentication to prove its identity to a
861 * server that does not have access to a persistent key. Section 3.7
862 * describes the affect of this option on the entire Kerberos protocol.
863 * When generating the KRB_TGS_REP message, this option in the
864 * KRB_TGS_REQ message tells the KDC to decrypt the additional ticket
865 * using the key for the server to which the additional ticket was
866 * issued and verify that it is a ticket-granting ticket. If the name of
867 * the requested server is missing from the request, the name of the
868 * client in the additional ticket will be used. Otherwise the name of
869 * the requested server will be compared to the name of the client in
870 * the additional ticket and if different, the request will be rejected.
871 * If the request succeeds, the session key from the additional ticket
872 * will be used to encrypt the new ticket that is issued instead of
873 * using the key of the server for which the new ticket will be used.
874 *
875 * If the name of the server in the ticket that is presented to the KDC
876 * as part of the authentication header is not that of the ticket-
877 * granting server itself, the server is registered in the realm of the
878 * KDC, and the RENEW option is requested, then the KDC will verify that
879 * the RENEWABLE flag is set in the ticket, that the INVALID flag is not
880 * set in the ticket, and that the renew_till time is still in the
881 * future. If the VALIDATE option is requested, the KDC will check that
882 * the starttime has passed and the INVALID flag is set. If the PROXY
883 * option is requested, then the KDC will check that the PROXIABLE flag
884 * is set in the ticket. If the tests succeed, and the ticket passes the
885 * hotlist check described in the next section, the KDC will issue the
886 * appropriate new ticket.
887 */
888
889 /* XXX Set more things in ticket, as described above. */
890
891 rc = shishi_tkt_build (tkt, serverkey);
892 if (rc != SHISHI_OK)
893 {
894 syslog (LOG_ERR3, "shishi_tkt_build failed (%d): %s",
895 rc, shishi_strerror (rc));
896 goto fatal;
897 }
898
899 /*
900 * The ciphertext part of the response in the KRB_TGS_REP message is
901 * encrypted in the sub-session key from the Authenticator, if present,
902 * or the session key from the ticket-granting ticket. It is not
903 * encrypted using the client's secret key. Furthermore, the client's
904 * key's expiration date and the key version number fields are left out
905 * since these values are stored along with the client's database
906 * record, and that record is not needed to satisfy a request based on a
907 * ticket-granting ticket.
908 */
909
910 rc = shishi_encticketpart_get_key
911 (handle, shishi_tkt_encticketpart (shishi_ap_tkt (shishi_tgs_ap (tgs))),
912 &oldsessionkey);
913 if (rc != SHISHI_OK)
914 {
915 syslog (LOG_ERR3, "shishi_encticketpart_get_key failed (%d): %s",
916 rc, shishi_strerror (rc));
917 goto fatal;
918 }
919
920 rc = shishi_authenticator_get_subkey
921 (handle, shishi_ap_authenticator (shishi_tgs_ap (tgs)), &subkey);
922 if (rc != SHISHI_OK && rc != SHISHI_ASN1_NO_ELEMENT)
923 {
924 syslog (LOG_ERR3, "shishi_authenticator_get_subkey failed (%d): %s",
925 rc, shishi_strerror (rc));
926 goto fatal;
927 }
928
929 if (rc == SHISHI_OK)
930 rc = shishi_tgs_rep_build
931 (tgs, SHISHI_KEYUSAGE_ENCTGSREPPART_AUTHENTICATOR_KEY, subkey);
932 else
933 rc = shishi_tgs_rep_build
934 (tgs, SHISHI_KEYUSAGE_ENCTGSREPPART_SESSION_KEY, oldsessionkey);
935 if (rc != SHISHI_OK)
936 {
937 syslog (LOG_ERR3, "shishi_tgs_rep_build failed (%d): %s",
938 rc, shishi_strerror (rc));
939 goto fatal;
940 }
941
942 if (arg.verbose_given)
943 {
944 puts ("KDC-REQ in:");
945 shishi_kdcreq_print (handle, stderrstderr, shishi_tgs_req (tgs));
946 puts ("AP-REQ in KDC-REQ:");
947 shishi_apreq_print (handle, stderrstderr,
948 shishi_ap_req (shishi_tgs_ap (tgs)));
949 puts ("Authenticator in AP-REQ in KDC-REQ:");
950 shishi_authenticator_print (handle, stderrstderr, shishi_ap_authenticator
951 (shishi_tgs_ap (tgs)));
952 puts ("Ticket in AP-REQ:");
953 shishi_ticket_print (handle, stdoutstdout,
954 shishi_tkt_ticket
955 (shishi_ap_tkt (shishi_tgs_ap (tgs))));
956 puts ("EncTicketPart in AP-REQ:");
957 shishi_encticketpart_print (handle, stdoutstdout,
958 shishi_tkt_encticketpart
959 (shishi_ap_tkt (shishi_tgs_ap (tgs))));
960 puts ("Ticket in TGS-REP:");
961 shishi_ticket_print (handle, stdoutstdout, shishi_tkt_ticket (tkt));
962 puts ("EncTicketPart in TGS-REP:");
963 shishi_encticketpart_print (handle, stderrstderr,
964 shishi_tkt_encticketpart (tkt));
965 puts ("EncKDCRepPart in TGS-REP:");
966 shishi_enckdcreppart_print (handle, stderrstderr,
967 shishi_tkt_enckdcreppart (tkt));
968 puts ("KDC-REP:");
969 shishi_kdcrep_print (handle, stderrstderr, shishi_tgs_rep (tgs));
970 }
971
972 rc = SHISHI_OK;
973
974fatal:
975 free (tgrealm);
976 free (tgname);
977 free (servername);
978 free (serverrealm);
979 free (clientname);
980 free (clientrealm);
981 if (tgkeys)
982 shisa_keys_free (dbh, tgkeys, ntgkeys);
983 if (serverkeys)
984 shisa_keys_free (dbh, serverkeys, nserverkeys);
985 if (tgkey)
986 shishi_key_done (tgkey);
987 if (serverkey)
988 shishi_key_done (serverkey);
989 if (newsessionkey)
990 shishi_key_done (newsessionkey);
991 if (oldsessionkey)
992 shishi_key_done (oldsessionkey);
993 if (subkey)
994 shishi_key_done (subkey);
995
996 return rc;
997}
998
999static int
1000asreq (Shishi_asn1 kdcreq, char **out, size_t *outlen)
1001{
1002 Shishi_as *as;
1003 int rc;
1004
1005 rc = shishi_as (handle, &as);
1006 if (rc != SHISHI_OK)
1007 {
1008 syslog (LOG_ERR3, "shishi_as failed (%d): %s", rc, shishi_strerror (rc));
1009 return rc;
1010 }
1011
1012 shishi_as_req_set (as, kdcreq);
1013
1014 rc = asreq1 (as);
1015 if (rc != SHISHI_OK)
1016 {
1017 syslog (LOG_NOTICE5, "AS-REQ failing with KRB-ERROR: %s",
1018 shishi_krberror_message (handle, shishi_as_krberror (as)));
1019 rc = shishi_as_krberror_der (as, out, outlen);
1020 }
1021 else
1022 rc = shishi_as_rep_der (as, out, outlen);
1023 if (rc != SHISHI_OK)
1024 {
1025 syslog (LOG_ERR3, "shishi_as_rep_der failed (%d): %s",
1026 rc, shishi_strerror (rc));
1027 return rc;
1028 }
1029
1030 return SHISHI_OK;
1031}
1032
1033static int
1034tgsreq (Shishi_asn1 kdcreq, char **out, size_t *outlen)
1035{
1036 Shishi_tgs *tgs;
1037 int rc;
1038
1039 rc = shishi_tgs (handle, &tgs);
1040 if (rc != SHISHI_OK)
1041 {
1042 syslog (LOG_ERR3, "shishi_tgs failed (%d): %s", rc,
1043 shishi_strerror (rc));
1044 return rc;
1045 }
1046
1047 shishi_tgs_req_set (tgs, kdcreq);
1048
1049 rc = tgsreq1 (tgs);
1050 if (rc != SHISHI_OK)
1051 {
1052 syslog (LOG_NOTICE5, "TGS-REQ failing with KRB-ERROR: %s",
1053 shishi_krberror_message (handle, shishi_tgs_krberror (tgs)));
1054 rc = shishi_tgs_krberror_der (tgs, out, outlen);
1055 }
1056 else
1057 rc = shishi_tgs_rep_der (tgs, out, outlen);
1058 if (rc != SHISHI_OK)
1059 {
1060 syslog (LOG_ERR3, "shishi_tgs_rep_der failed (%d): %s",
1061 rc, shishi_strerror (rc));
1062 return rc;
1063 }
1064
1065 return SHISHI_OK;
1066}
1067
1068ssize_t
1069process (const char *in, size_t inlen, char **out)
1070{
1071 Shishi_asn1 node;
1072 size_t outlen;
1073 int rc;
1074
1075 node = shishi_der2asn1 (handle, in, inlen);
1076 if (node == NULL((void*)0))
1077 {
1078 syslog (LOG_ERR3, "Received %zu bytes of unknown data", inlen);
1079 return -1;
1080 }
1081
1082 switch (shishi_asn1_msgtype (handle, node))
1083 {
1084 case SHISHI_MSGTYPE_AS_REQ:
1085 rc = asreq (node, out, &outlen);
1086 break;
1087
1088 case SHISHI_MSGTYPE_TGS_REQ:
1089 rc = tgsreq (node, out, &outlen);
1090 break;
1091
1092 case SHISHI_MSGTYPE_AS_REP:
1093 case SHISHI_MSGTYPE_TGS_REP:
1094 case SHISHI_MSGTYPE_AP_REQ:
1095 case SHISHI_MSGTYPE_AP_REP:
1096 case SHISHI_MSGTYPE_RESERVED16:
1097 case SHISHI_MSGTYPE_RESERVED17:
1098 case SHISHI_MSGTYPE_SAFE:
1099 case SHISHI_MSGTYPE_PRIV:
1100 case SHISHI_MSGTYPE_CRED:
1101 case SHISHI_MSGTYPE_ERROR:
1102 default:
1103 syslog (LOG_ERR3, "Unsupported KDC message type %u (0x%x)",
1104 shishi_asn1_msgtype (handle, node),
1105 shishi_asn1_msgtype (handle, node));
1106 rc = SHISHI_ASN1_ERROR;
1107 break;
1108 }
1109
1110 if (rc != SHISHI_OK)
1111 {
1112 syslog (LOG_ERR3, "Fatal error answering request (%d): %s",
1113 rc, shishi_strerror (rc));
1114 return -1;
1115 }
1116
1117 return outlen;
1118}