Add files from parent branch HEAD:
[pkgsrc.git] / security / mit-krb5 / patches / patch-aw
1 $NetBSD$
2
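--- a/kdc/do_tgs_req.c
+++ b/kdc/do_tgs_req.c
@@ -490,27 +490,38 @@ tgt_again:
        newtransited = 1;
     }
     if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
+       unsigned int tlen;
+       char *tdots;
+
        errcode = krb5_check_transited_list (kdc_context,
                                             &enc_tkt_reply.transited.tr_contents,
                                             krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),
                                             krb5_princ_realm (kdc_context, request->server));
+       tlen = enc_tkt_reply.transited.tr_contents.length;
+       tdots = tlen > 125 ? "..." : "";
+       tlen = tlen > 125 ? 125 : tlen;
+
        if (errcode == 0) {
            setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
        } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
            krb5_klog_syslog (LOG_INFO,
-                             "bad realm transit path from '%s' to '%s' via '%.*s'",
+                             "bad realm transit path from '%s' to '%s' "
+                             "via '%.*s%s'",
                              cname ? cname : "<unknown client>",
                              sname ? sname : "<unknown server>",
-                             enc_tkt_reply.transited.tr_contents.length,
-                             enc_tkt_reply.transited.tr_contents.data);
-       else
+                             tlen,
+                             enc_tkt_reply.transited.tr_contents.data,
+                             tdots);
+       else {
            krb5_klog_syslog (LOG_ERR,
-                             "unexpected error checking transit from '%s' to '%s' via '%.*s': %s",
+                             "unexpected error checking transit from "
+                             "'%s' to '%s' via '%.*s%s': %s",
                              cname ? cname : "<unknown client>",
                              sname ? sname : "<unknown server>",
-                             enc_tkt_reply.transited.tr_contents.length,
+                             tlen,
                              enc_tkt_reply.transited.tr_contents.data,
-                             error_message (errcode));
+                             tdots, error_message (errcode));
+       }
     } else
        krb5_klog_syslog (LOG_INFO, "not checking transit path");
     if (reject_bad_transit
@@ -538,6 +549,9 @@ tgt_again:
        if (!krb5_principal_compare(kdc_context, request->server, client2)) {
                if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))
                        tmp = 0;
+               if (tmp != NULL)
+                       limit_string(tmp);
+
                krb5_klog_syslog(LOG_INFO,
                                 "TGS_REQ %s: 2ND_TKT_MISMATCH: "
                                 "authtime %d, %s for %s, 2nd tkt client %s",
@@ -800,6 +814,7 @@ find_alternate_tgs(krb5_kdc_req *request
                krb5_klog_syslog(LOG_INFO,
                       "TGS_REQ: issuing alternate <un-unparseable> TGT");
            } else {
+               limit_string(sname);
                krb5_klog_syslog(LOG_INFO,
                       "TGS_REQ: issuing TGT %s", sname);
                free(sname);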
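Review bot: In the first hunk (`@@ -490`) `tlen` is an `unsigned int` but is passed as the precision for `%.*s`, which takes an `int`; since the value is clamped to 125 before use, passing `(int) tlen` at both `krb5_klog_syslog` call sites keeps the argument type matching the format. The cap 125 appears twice as a bare literal (`tdots = tlen > 125 ? "..." : "";` and `tlen = tlen > 125 ? 125 : tlen;`); a named constant, with a one-line comment saying the transited field is shortened so the log line stays bounded, would keep the two in step. The clamp bounds only the `via` field: `cname` and `sname` still go through plain `%s` in both calls, and whether they were already shortened (as `limit_string` does for `tmp` and `sname` in the two later hunks) is not visible here, so that is worth confirming in the part of the function outside the hunk. The transited bytes come from the ticket and are logged as-is up to the cap, so any non-printable content would reach syslog unless `krb5_klog_syslog` filters it.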