diff options
| author | nectar <nectar@FreeBSD.org> | 2004-04-03 21:22:55 +0000 |
|---|---|---|
| committer | nectar <nectar@FreeBSD.org> | 2004-04-03 21:22:55 +0000 |
| commit | bfc5316dea97d244a21b45ed0dce56f39074ba1b (patch) | |
| tree | f009994dd04757b68eff8742614cca170aff5bb3 /crypto/heimdal/lib/krb5 | |
| parent | 084fdb0d6e4fe40ab8ff47ca033fdbcb7899aae1 (diff) | |
| download | FreeBSD-src-bfc5316dea97d244a21b45ed0dce56f39074ba1b.zip FreeBSD-src-bfc5316dea97d244a21b45ed0dce56f39074ba1b.tar.gz | |
Vendor import of Heimdal 0.6.1.
Diffstat (limited to 'crypto/heimdal/lib/krb5')
23 files changed, 1205 insertions, 500 deletions
diff --git a/crypto/heimdal/lib/krb5/Makefile.am b/crypto/heimdal/lib/krb5/Makefile.am index 6f5a8fc..8d9d527 100644 --- a/crypto/heimdal/lib/krb5/Makefile.am +++ b/crypto/heimdal/lib/krb5/Makefile.am @@ -1,4 +1,4 @@ -# $Id: Makefile.am,v 1.156.2.1 2003/05/12 15:20:47 joda Exp $ +# $Id: Makefile.am,v 1.156.2.3 2003/10/28 15:49:31 joda Exp $ include $(top_srcdir)/Makefile.am.common @@ -132,7 +132,7 @@ libkrb5_la_SOURCES = \ write_message.c \ $(ERR_FILES) -libkrb5_la_LDFLAGS = -version-info 19:0:2 +libkrb5_la_LDFLAGS = -version-info 20:0:3 $(libkrb5_la_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h diff --git a/crypto/heimdal/lib/krb5/Makefile.in b/crypto/heimdal/lib/krb5/Makefile.in index 5395352..2fdb4fe 100644 --- a/crypto/heimdal/lib/krb5/Makefile.in +++ b/crypto/heimdal/lib/krb5/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.6.1 from Makefile.am. +# Makefile.in generated by automake 1.7.9 from Makefile.am. # @configure_input@ -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 +# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003 # Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -14,113 +14,195 @@ @SET_MAKE@ -# $Id: Makefile.am,v 1.156.2.1 2003/05/12 15:20:47 joda Exp $ +# $Id: Makefile.am,v 1.156.2.3 2003/10/28 15:49:31 joda Exp $ # $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ -# $Id: Makefile.am.common,v 1.37.2.1 2003/05/08 17:08:09 joda Exp $ -SHELL = @SHELL@ +# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ srcdir = @srcdir@ top_srcdir = @top_srcdir@ VPATH = @srcdir@ -prefix = @prefix@ -exec_prefix = @exec_prefix@ - -bindir = @bindir@ -sbindir = @sbindir@ -libexecdir = @libexecdir@ -datadir = @datadir@ -sysconfdir = @sysconfdir@ -sharedstatedir = @sharedstatedir@ -localstatedir = @localstatedir@ -libdir = @libdir@ -infodir = @infodir@ -mandir = @mandir@ -includedir = @includedir@ -oldincludedir = /usr/include pkgdatadir = $(datadir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ top_builddir = ../.. -ACLOCAL = @ACLOCAL@ -AUTOCONF = @AUTOCONF@ -AUTOMAKE = @AUTOMAKE@ -AUTOHEADER = @AUTOHEADER@ - am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd INSTALL = @INSTALL@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_DATA = @INSTALL_DATA@ install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c -INSTALL_SCRIPT = @INSTALL_SCRIPT@ +install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) -transform = @program_transform_name@ +transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : -host_alias = @host_alias@ host_triplet = @host@ - -EXEEXT = @EXEEXT@ -OBJEXT = @OBJEXT@ -PATH_SEPARATOR = @PATH_SEPARATOR@ +ACLOCAL = @ACLOCAL@ +AIX4_FALSE = @AIX4_FALSE@ +AIX4_TRUE = @AIX4_TRUE@ +AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ +AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ +AIX_FALSE = @AIX_FALSE@ +AIX_TRUE = @AIX_TRUE@ AMTAR = @AMTAR@ -AS = @AS@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CANONICAL_HOST = @CANONICAL_HOST@ CATMAN = @CATMAN@ CATMANEXT = @CATMANEXT@ +CATMAN_FALSE = @CATMAN_FALSE@ +CATMAN_TRUE = @CATMAN_TRUE@ CC = @CC@ +CFLAGS = @CFLAGS@ COMPILE_ET = @COMPILE_ET@ CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ DBLIB = @DBLIB@ -DEPDIR = @DEPDIR@ +DCE_FALSE = @DCE_FALSE@ +DCE_TRUE = @DCE_TRUE@ +DEFS = @DEFS@ DIR_com_err = @DIR_com_err@ DIR_des = @DIR_des@ DIR_roken = @DIR_roken@ -DLLTOOL = @DLLTOOL@ ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ EXTRA_LIB45 = @EXTRA_LIB45@ +F77 = @F77@ +FFLAGS = @FFLAGS@ GROFF = @GROFF@ +HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ +HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ +HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ +HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ +HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ +HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ +HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ +HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ +HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ +HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ +HAVE_X_FALSE = @HAVE_X_FALSE@ +HAVE_X_TRUE = @HAVE_X_TRUE@ INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_ = @INCLUDE_@ INCLUDE_des = @INCLUDE_des@ +INCLUDE_hesiod = @INCLUDE_hesiod@ + +INCLUDE_krb4 = @INCLUDE_krb4@ + +INCLUDE_openldap = @INCLUDE_openldap@ + +INCLUDE_readline = @INCLUDE_readline@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +IRIX_FALSE = @IRIX_FALSE@ +IRIX_TRUE = @IRIX_TRUE@ +KRB4_FALSE = @KRB4_FALSE@ +KRB4_TRUE = @KRB4_TRUE@ +KRB5_FALSE = @KRB5_FALSE@ +KRB5_TRUE = @KRB5_TRUE@ +LDFLAGS = @LDFLAGS@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ -LIB_ = @LIB_@ LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ LIB_NDBM = @LIB_NDBM@ +LIB_XauFileName = @LIB_XauFileName@ + +LIB_XauReadAuth = @LIB_XauReadAuth@ +LIB_XauWriteAuth = @LIB_XauWriteAuth@ +LIB_bswap16 = @LIB_bswap16@ +LIB_bswap32 = @LIB_bswap32@ LIB_com_err = @LIB_com_err@ LIB_com_err_a = @LIB_com_err_a@ LIB_com_err_so = @LIB_com_err_so@ +LIB_crypt = @LIB_crypt@ +LIB_db_create = @LIB_db_create@ +LIB_dbm_firstkey = @LIB_dbm_firstkey@ +LIB_dbopen = @LIB_dbopen@ LIB_des = @LIB_des@ LIB_des_a = @LIB_des_a@ LIB_des_appl = @LIB_des_appl@ LIB_des_so = @LIB_des_so@ +LIB_dlopen = @LIB_dlopen@ +LIB_dn_expand = @LIB_dn_expand@ +LIB_el_init = @LIB_el_init@ +LIB_freeaddrinfo = @LIB_freeaddrinfo@ +LIB_gai_strerror = @LIB_gai_strerror@ +LIB_getaddrinfo = @LIB_getaddrinfo@ +LIB_gethostbyname = @LIB_gethostbyname@ +LIB_gethostbyname2 = @LIB_gethostbyname2@ +LIB_getnameinfo = @LIB_getnameinfo@ +LIB_getpwnam_r = @LIB_getpwnam_r@ +LIB_getsockopt = @LIB_getsockopt@ +LIB_hesiod = @LIB_hesiod@ +LIB_hstrerror = @LIB_hstrerror@ LIB_kdb = @LIB_kdb@ +LIB_krb4 = @LIB_krb4@ +LIB_krb_disable_debug = @LIB_krb_disable_debug@ +LIB_krb_enable_debug = @LIB_krb_enable_debug@ +LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ +LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ +LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ +LIB_loadquery = @LIB_loadquery@ +LIB_logout = @LIB_logout@ +LIB_logwtmp = @LIB_logwtmp@ +LIB_openldap = @LIB_openldap@ +LIB_openpty = @LIB_openpty@ LIB_otp = @LIB_otp@ +LIB_pidfile = @LIB_pidfile@ +LIB_readline = @LIB_readline@ +LIB_res_nsearch = @LIB_res_nsearch@ +LIB_res_search = @LIB_res_search@ LIB_roken = @LIB_roken@ LIB_security = @LIB_security@ +LIB_setsockopt = @LIB_setsockopt@ +LIB_socket = @LIB_socket@ +LIB_syslog = @LIB_syslog@ +LIB_tgetent = @LIB_tgetent@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ +MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ +MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ +MAKEINFO = @MAKEINFO@ NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ NROFF = @NROFF@ -OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTP_FALSE = @OTP_FALSE@ +OTP_TRUE = @OTP_TRUE@ PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ RANLIB = @RANLIB@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ @@ -132,14 +214,57 @@ X_EXTRA_LIBS = @X_EXTRA_LIBS@ X_LIBS = @X_LIBS@ X_PRE_LIBS = @X_PRE_LIBS@ YACC = @YACC@ -am__include = @am__include@ -am__quote = @am__quote@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +ac_ct_RANLIB = @ac_ct_RANLIB@ +ac_ct_STRIP = @ac_ct_STRIP@ +am__leading_dot = @am__leading_dot@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +datadir = @datadir@ +do_roken_rename_FALSE = @do_roken_rename_FALSE@ +do_roken_rename_TRUE = @do_roken_rename_TRUE@ dpagaix_cflags = @dpagaix_cflags@ dpagaix_ldadd = @dpagaix_ldadd@ dpagaix_ldflags = @dpagaix_ldflags@ +el_compat_FALSE = @el_compat_FALSE@ +el_compat_TRUE = @el_compat_TRUE@ +exec_prefix = @exec_prefix@ +have_err_h_FALSE = @have_err_h_FALSE@ +have_err_h_TRUE = @have_err_h_TRUE@ +have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ +have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ +have_glob_h_FALSE = @have_glob_h_FALSE@ +have_glob_h_TRUE = @have_glob_h_TRUE@ +have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ +have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ +have_vis_h_FALSE = @have_vis_h_FALSE@ +have_vis_h_TRUE = @have_vis_h_TRUE@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +includedir = @includedir@ +infodir = @infodir@ install_sh = @install_sh@ - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 +libdir = @libdir@ +libexecdir = @libexecdir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +oldincludedir = @oldincludedir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 @@ -152,44 +277,13 @@ AM_CFLAGS = $(WFLAGS) CP = cp buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_crypt = @LIB_crypt@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = @LIB_gethostbyname@ LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = @LIB_openpty@ -LIB_pidfile = @LIB_pidfile@ -LIB_res_search = @LIB_res_search@ LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ HESIODLIB = @HESIODLIB@ HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -LIB_hesiod = @LIB_hesiod@ - -INCLUDE_krb4 = @INCLUDE_krb4@ -LIB_krb4 = @LIB_krb4@ - -INCLUDE_openldap = @INCLUDE_openldap@ -LIB_openldap = @LIB_openldap@ - -INCLUDE_readline = @INCLUDE_readline@ -LIB_readline = @LIB_readline@ NROFF_MAN = groff -mandoc -Tascii @@ -334,7 +428,7 @@ libkrb5_la_SOURCES = \ $(ERR_FILES) -libkrb5_la_LDFLAGS = -version-info 19:0:2 +libkrb5_la_LDFLAGS = -version-info 20:0:3 #libkrb5_la_LIBADD = ../com_err/error.lo ../com_err/com_err.lo @@ -379,6 +473,7 @@ include_HEADERS = krb5.h krb5-protos.h krb5-private.h krb5_err.h heim_err.h k524 CLEANFILES = krb5_err.c krb5_err.h heim_err.c heim_err.h k524_err.c k524_err.h subdir = lib/krb5 +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/include/config.h CONFIG_CLEAN_FILES = @@ -386,7 +481,7 @@ LTLIBRARIES = $(lib_LTLIBRARIES) libkrb5_la_DEPENDENCIES = ../com_err/error.lo ../com_err/com_err.lo \ $(top_builddir)/lib/asn1/libasn1.la -am__objects_15 = krb5_err.lo heim_err.lo k524_err.lo +am__objects_1 = krb5_err.lo heim_err.lo k524_err.lo am_libkrb5_la_OBJECTS = acl.lo add_et_list.lo addr_families.lo \ aname_to_localname.lo appdefault.lo asn1_glue.lo \ auth_context.lo build_ap_req.lo build_auth.lo cache.lo \ @@ -410,7 +505,7 @@ am_libkrb5_la_OBJECTS = acl.lo add_et_list.lo addr_families.lo \ sendauth.lo set_default_realm.lo sock_principal.lo store.lo \ store_emem.lo store_fd.lo store_mem.lo ticket.lo time.lo \ transited.lo verify_init.lo verify_user.lo version.lo warn.lo \ - write_message.lo $(am__objects_15) + write_message.lo $(am__objects_1) libkrb5_la_OBJECTS = $(am_libkrb5_la_OBJECTS) bin_PROGRAMS = verify_krb5_conf$(EXEEXT) check_PROGRAMS = aes-test$(EXEEXT) n-fold-test$(EXEEXT) \ @@ -497,11 +592,7 @@ verify_krb5_conf_DEPENDENCIES = libkrb5.la \ $(top_builddir)/lib/asn1/libasn1.la verify_krb5_conf_LDFLAGS = -DEFS = @DEFS@ DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = @CPPFLAGS@ -LDFLAGS = @LDFLAGS@ -LIBS = @LIBS@ depcomp = am__depfiles_maybe = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ @@ -511,7 +602,6 @@ LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ CCLD = $(CC) LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = @CFLAGS@ DIST_SOURCES = $(libkrb5_la_SOURCES) aes-test.c derived-key-test.c \ dump_config.c krbhst-test.c n-fold-test.c name-45-test.c \ parse-name-test.c store-test.c string-to-key-test.c \ @@ -519,7 +609,9 @@ DIST_SOURCES = $(libkrb5_la_SOURCES) aes-test.c derived-key-test.c \ MANS = $(man_MANS) HEADERS = $(include_HEADERS) -DIST_COMMON = $(include_HEADERS) Makefile.am Makefile.in +DIST_COMMON = $(include_HEADERS) $(srcdir)/Makefile.in \ + $(top_srcdir)/Makefile.am.common \ + $(top_srcdir)/cf/Makefile.am.common Makefile.am SOURCES = $(libkrb5_la_SOURCES) aes-test.c derived-key-test.c dump_config.c krbhst-test.c n-fold-test.c name-45-test.c parse-name-test.c store-test.c string-to-key-test.c test_alname.c test_cc.c test_get_addrs.c verify_krb5_conf.c all: all-am @@ -553,6 +645,12 @@ uninstall-libLTLIBRARIES: clean-libLTLIBRARIES: -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) + @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" = "$$p" && dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done libkrb5.la: $(libkrb5_la_OBJECTS) $(libkrb5_la_DEPENDENCIES) $(LINK) -rpath $(libdir) $(libkrb5_la_LDFLAGS) $(libkrb5_la_OBJECTS) $(libkrb5_la_LIBADD) $(LIBS) binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) @@ -564,30 +662,40 @@ install-binPROGRAMS: $(bin_PROGRAMS) if test -f $$p \ || test -f $$p1 \ ; then \ - p1=`echo "$$p1" | sed -e 's,^.*/,,'`; \ - f=`echo $$p1|sed '$(transform);s/$$/$(EXEEXT)/'`; \ + f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f || exit 1; \ else :; fi; \ done uninstall-binPROGRAMS: @$(NORMAL_UNINSTALL) @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - f=`echo "$$f" | sed -e 's,^.*/,,'`; \ + f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ echo " rm -f $(DESTDIR)$(bindir)/$$f"; \ rm -f $(DESTDIR)$(bindir)/$$f; \ done clean-binPROGRAMS: - -test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS) + @list='$(bin_PROGRAMS)'; for p in $$list; do \ + f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f $$p $$f"; \ + rm -f $$p $$f ; \ + done clean-checkPROGRAMS: - -test -z "$(check_PROGRAMS)" || rm -f $(check_PROGRAMS) + @list='$(check_PROGRAMS)'; for p in $$list; do \ + f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f $$p $$f"; \ + rm -f $$p $$f ; \ + done clean-noinstPROGRAMS: - -test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS) + @list='$(noinst_PROGRAMS)'; for p in $$list; do \ + f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f $$p $$f"; \ + rm -f $$p $$f ; \ + done aes-test$(EXEEXT): $(aes_test_OBJECTS) $(aes_test_DEPENDENCIES) @rm -f aes-test$(EXEEXT) $(LINK) $(aes_test_LDFLAGS) $(aes_test_OBJECTS) $(aes_test_LDADD) $(LIBS) @@ -638,7 +746,7 @@ distclean-compile: $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< .c.obj: - $(COMPILE) -c `cygpath -w $<` + $(COMPILE) -c `if test -f '$<'; then $(CYGPATH_W) '$<'; else $(CYGPATH_W) '$(srcdir)/$<'; fi` .c.lo: $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< @@ -668,6 +776,10 @@ install-man3: $(man3_MANS) $(man_MANS) if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ else file=$$i; fi; \ ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 3*) ;; \ + *) ext='3' ;; \ + esac; \ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ inst=`echo $$inst | sed -e 's/^.*\///'`; \ inst=`echo $$inst | sed '$(transform)'`.$$ext; \ @@ -685,6 +797,10 @@ uninstall-man3: done; \ for i in $$list; do \ ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 3*) ;; \ + *) ext='3' ;; \ + esac; \ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ inst=`echo $$inst | sed -e 's/^.*\///'`; \ inst=`echo $$inst | sed '$(transform)'`.$$ext; \ @@ -707,6 +823,10 @@ install-man5: $(man5_MANS) $(man_MANS) if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ else file=$$i; fi; \ ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 5*) ;; \ + *) ext='5' ;; \ + esac; \ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ inst=`echo $$inst | sed -e 's/^.*\///'`; \ inst=`echo $$inst | sed '$(transform)'`.$$ext; \ @@ -724,6 +844,10 @@ uninstall-man5: done; \ for i in $$list; do \ ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 5*) ;; \ + *) ext='5' ;; \ + esac; \ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ inst=`echo $$inst | sed -e 's/^.*\///'`; \ inst=`echo $$inst | sed '$(transform)'`.$$ext; \ @@ -746,6 +870,10 @@ install-man8: $(man8_MANS) $(man_MANS) if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ else file=$$i; fi; \ ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ inst=`echo $$inst | sed -e 's/^.*\///'`; \ inst=`echo $$inst | sed '$(transform)'`.$$ext; \ @@ -763,6 +891,10 @@ uninstall-man8: done; \ for i in $$list; do \ ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ inst=`echo $$inst | sed -e 's/^.*\///'`; \ inst=`echo $$inst | sed '$(transform)'`.$$ext; \ @@ -791,6 +923,9 @@ uninstall-includeHEADERS: ETAGS = etags ETAGSFLAGS = +CTAGS = ctags +CTAGSFLAGS = + tags: TAGS ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) @@ -816,16 +951,31 @@ TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$tags $$unique +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && cd $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) $$here distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags check-TESTS: $(TESTS) - @failed=0; all=0; xfail=0; xpass=0; \ + @failed=0; all=0; xfail=0; xpass=0; skip=0; \ srcdir=$(srcdir); export srcdir; \ list='$(TESTS)'; \ if test -n "$$list"; then \ @@ -857,6 +1007,9 @@ check-TESTS: $(TESTS) echo "FAIL: $$tst"; \ ;; \ esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ fi; \ done; \ if test "$$failed" -eq 0; then \ @@ -872,9 +1025,24 @@ check-TESTS: $(TESTS) banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ fi; \ fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -gt `echo "$$banner" | wc -c` && \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -gt `echo "$$banner" | wc -c` && \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ echo "$$dashes"; \ echo "$$banner"; \ + test -n "$$skipped" && echo "$$skipped"; \ + test -n "$$report" && echo "$$report"; \ echo "$$dashes"; \ test "$$failed" -eq 0; \ else :; fi @@ -884,7 +1052,14 @@ top_distdir = ../.. distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) distdir: $(DISTFILES) - @for file in $(DISTFILES); do \ + $(mkinstalldirs) $(distdir)/../.. $(distdir)/../../cf + @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ + list='$(DISTFILES)'; for file in $$list; do \ + case $$file in \ + $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ + $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ + esac; \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ if test "$$dir" != "$$file" && test "$$dir" != "."; then \ @@ -905,7 +1080,7 @@ distdir: $(DISTFILES) fi; \ done $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ + top_distdir="$(top_distdir)" distdir="$(distdir)" \ dist-hook check-am: all-am $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) @@ -917,7 +1092,6 @@ install-binPROGRAMS: install-libLTLIBRARIES installdirs: $(mkinstalldirs) $(DESTDIR)$(libdir) $(DESTDIR)$(bindir) $(DESTDIR)$(man3dir) $(DESTDIR)$(man5dir) $(DESTDIR)$(man8dir) $(DESTDIR)$(includedir) - install: install-am install-exec: install-exec-am install-data: install-data-am @@ -929,7 +1103,7 @@ install-am: all-am installcheck: installcheck-am install-strip: $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ `test -z '$(STRIP)' || \ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install mostlyclean-generic: @@ -938,7 +1112,7 @@ clean-generic: -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) stamp-h stamp-h[0-9]* + -rm -f $(CONFIG_CLEAN_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -950,7 +1124,7 @@ clean-am: clean-binPROGRAMS clean-checkPROGRAMS clean-generic \ mostlyclean-am distclean: distclean-am - + -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-libtool distclean-tags @@ -977,7 +1151,7 @@ install-man: install-man3 install-man5 install-man8 installcheck-am: maintainer-clean: maintainer-clean-am - + -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am @@ -985,15 +1159,23 @@ mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-compile mostlyclean-generic \ mostlyclean-libtool +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + uninstall-am: uninstall-binPROGRAMS uninstall-includeHEADERS \ uninstall-info-am uninstall-libLTLIBRARIES uninstall-man uninstall-man: uninstall-man3 uninstall-man5 uninstall-man8 -.PHONY: GTAGS all all-am all-local check check-TESTS check-am \ +.PHONY: CTAGS GTAGS all all-am all-local check check-TESTS check-am \ check-local clean clean-binPROGRAMS clean-checkPROGRAMS \ clean-generic clean-libLTLIBRARIES clean-libtool \ - clean-noinstPROGRAMS distclean distclean-compile \ + clean-noinstPROGRAMS ctags distclean distclean-compile \ distclean-generic distclean-libtool distclean-tags distdir dvi \ dvi-am info info-am install install-am install-binPROGRAMS \ install-data install-data-am install-exec install-exec-am \ @@ -1002,8 +1184,8 @@ uninstall-man: uninstall-man3 uninstall-man5 uninstall-man8 install-man8 install-strip installcheck installcheck-am \ installdirs maintainer-clean maintainer-clean-generic \ mostlyclean mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool tags uninstall uninstall-am \ - uninstall-binPROGRAMS uninstall-includeHEADERS \ + mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \ + uninstall-am uninstall-binPROGRAMS uninstall-includeHEADERS \ uninstall-info-am uninstall-libLTLIBRARIES uninstall-man \ uninstall-man3 uninstall-man5 uninstall-man8 diff --git a/crypto/heimdal/lib/krb5/config_file.c b/crypto/heimdal/lib/krb5/config_file.c index 845b14c..47c1a94 100644 --- a/crypto/heimdal/lib/krb5/config_file.c +++ b/crypto/heimdal/lib/krb5/config_file.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,7 +32,7 @@ */ #include "krb5_locl.h" -RCSID("$Id: config_file.c,v 1.46 2002/09/10 19:04:55 joda Exp $"); +RCSID("$Id: config_file.c,v 1.46.4.2 2003/10/13 13:46:10 lha Exp $"); #ifndef HAVE_NETINFO @@ -113,12 +113,12 @@ parse_section(char *p, krb5_config_section **s, krb5_config_section **parent, * Store the error message in `error_message'. */ -static int +static krb5_error_code parse_list(FILE *f, unsigned *lineno, krb5_config_binding **parent, const char **error_message) { char buf[BUFSIZ]; - int ret; + krb5_error_code ret; krb5_config_binding *b = NULL; unsigned beg_lineno = *lineno; @@ -152,14 +152,14 @@ parse_list(FILE *f, unsigned *lineno, krb5_config_binding **parent, * */ -static int +static krb5_error_code parse_binding(FILE *f, unsigned *lineno, char *p, krb5_config_binding **b, krb5_config_binding **parent, const char **error_message) { krb5_config_binding *tmp; char *p1, *p2; - int ret = 0; + krb5_error_code ret = 0; p1 = p; while (*p && *p != '=' && !isspace((unsigned char)*p)) @@ -250,6 +250,11 @@ krb5_config_parse_file_debug (const char *fname, ret = EINVAL; /* XXX */ goto out; } else if(*p != '\0') { + if (s == NULL) { + *error_message = "binding before section"; + ret = EINVAL; + goto out; + } ret = parse_binding(f, lineno, p, &b, &s->u.list, error_message); if (ret) goto out; diff --git a/crypto/heimdal/lib/krb5/crypto.c b/crypto/heimdal/lib/krb5/crypto.c index a238c76..3da8d30 100644 --- a/crypto/heimdal/lib/krb5/crypto.c +++ b/crypto/heimdal/lib/krb5/crypto.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,7 +32,7 @@ */ #include "krb5_locl.h" -RCSID("$Id: crypto.c,v 1.73 2003/04/01 16:51:54 lha Exp $"); +RCSID("$Id: crypto.c,v 1.73.2.4 2004/03/06 16:38:00 lha Exp $"); #undef CRYPTO_DEBUG #ifdef CRYPTO_DEBUG @@ -139,14 +139,15 @@ static krb5_error_code derive_key(krb5_context context, struct key_data *key, const void *constant, size_t len); -static void hmac(krb5_context context, - struct checksum_type *cm, - const void *data, - size_t len, - unsigned usage, - struct key_data *keyblock, - Checksum *result); +static krb5_error_code hmac(krb5_context context, + struct checksum_type *cm, + const void *data, + size_t len, + unsigned usage, + struct key_data *keyblock, + Checksum *result); static void free_key_data(krb5_context context, struct key_data *key); +static krb5_error_code usage2arcfour (krb5_context, int *); /************************************************************ * * @@ -593,12 +594,16 @@ krb5_PKCS5_PBKDF2(krb5_context context, krb5_cksumtype cktype, _krb5_put_int(data + datalen - 4, keypart, 4); - hmac(context, c, data, datalen, 0, &ksign, &result); + ret = hmac(context, c, data, datalen, 0, &ksign, &result); + if (ret) + krb5_abortx(context, "hmac failed"); memcpy(p, result.checksum.data, len); memcpy(tmpcksum, result.checksum.data, result.checksum.length); for (i = 0; i < iter; i++) { - hmac(context, c, tmpcksum, result.checksum.length, - 0, &ksign, &result); + ret = hmac(context, c, tmpcksum, result.checksum.length, + 0, &ksign, &result); + if (ret) + krb5_abortx(context, "hmac failed"); memcpy(tmpcksum, result.checksum.data, result.checksum.length); for (j = 0; j < len; j++) p[j] ^= tmpcksum[j]; @@ -1384,7 +1389,7 @@ SHA1_checksum(krb5_context context, } /* HMAC according to RFC2104 */ -static void +static krb5_error_code hmac(krb5_context context, struct checksum_type *cm, const void *data, @@ -1398,6 +1403,17 @@ hmac(krb5_context context, size_t key_len; int i; + ipad = malloc(cm->blocksize + len); + if (ipad == NULL) + return ENOMEM; + opad = malloc(cm->blocksize + cm->checksumsize); + if (opad == NULL) { + free(ipad); + return ENOMEM; + } + memset(ipad, 0x36, cm->blocksize); + memset(opad, 0x5c, cm->blocksize); + if(keyblock->key->keyvalue.length > cm->blocksize){ (*cm->checksum)(context, keyblock, @@ -1411,10 +1427,6 @@ hmac(krb5_context context, key = keyblock->key->keyvalue.data; key_len = keyblock->key->keyvalue.length; } - ipad = malloc(cm->blocksize + len); - opad = malloc(cm->blocksize + cm->checksumsize); - memset(ipad, 0x36, cm->blocksize); - memset(opad, 0x5c, cm->blocksize); for(i = 0; i < key_len; i++){ ipad[i] ^= key[i]; opad[i] ^= key[i]; @@ -1430,8 +1442,40 @@ hmac(krb5_context context, free(ipad); memset(opad, 0, cm->blocksize + cm->checksumsize); free(opad); + + return 0; } +krb5_error_code +krb5_hmac(krb5_context context, + krb5_cksumtype cktype, + const void *data, + size_t len, + unsigned usage, + krb5_keyblock *key, + Checksum *result) +{ + struct checksum_type *c = _find_checksum(cktype); + struct key_data kd; + krb5_error_code ret; + + if (c == NULL) { + krb5_set_error_string (context, "checksum type %d not supported", + cktype); + return KRB5_PROG_SUMTYPE_NOSUPP; + } + + kd.key = key; + kd.schedule = NULL; + + ret = hmac(context, c, data, len, usage, &kd, result); + + if (kd.schedule) + krb5_free_data(context, kd.schedule); + + return ret; + } + static void SP_HMAC_SHA1_checksum(krb5_context context, struct key_data *key, @@ -1443,11 +1487,14 @@ SP_HMAC_SHA1_checksum(krb5_context context, struct checksum_type *c = _find_checksum(CKSUMTYPE_SHA1); Checksum res; char sha1_data[20]; + krb5_error_code ret; res.checksum.data = sha1_data; res.checksum.length = sizeof(sha1_data); - hmac(context, c, data, len, usage, key, &res); + ret = hmac(context, c, data, len, usage, key, &res); + if (ret) + krb5_abortx(context, "hmac failed"); memcpy(result->checksum.data, res.checksum.data, result->checksum.length); } @@ -1472,10 +1519,13 @@ HMAC_MD5_checksum(krb5_context context, unsigned char t[4]; unsigned char tmp[16]; unsigned char ksign_c_data[16]; + krb5_error_code ret; ksign_c.checksum.length = sizeof(ksign_c_data); ksign_c.checksum.data = ksign_c_data; - hmac(context, c, signature, sizeof(signature), 0, key, &ksign_c); + ret = hmac(context, c, signature, sizeof(signature), 0, key, &ksign_c); + if (ret) + krb5_abortx(context, "hmac failed"); ksign.key = &kb; kb.keyvalue = ksign_c.checksum; MD5_Init (&md5); @@ -1486,7 +1536,9 @@ HMAC_MD5_checksum(krb5_context context, MD5_Update (&md5, t, 4); MD5_Update (&md5, data, len); MD5_Final (tmp, &md5); - hmac(context, c, tmp, sizeof(tmp), 0, &ksign, result); + ret = hmac(context, c, tmp, sizeof(tmp), 0, &ksign, result); + if (ret) + krb5_abortx(context, "hmac failed"); } /* @@ -1507,6 +1559,7 @@ HMAC_MD5_checksum_enc(krb5_context context, krb5_keyblock kb; unsigned char t[4]; unsigned char ksign_c_data[16]; + krb5_error_code ret; t[0] = (usage >> 0) & 0xFF; t[1] = (usage >> 8) & 0xFF; @@ -1515,10 +1568,14 @@ HMAC_MD5_checksum_enc(krb5_context context, ksign_c.checksum.length = sizeof(ksign_c_data); ksign_c.checksum.data = ksign_c_data; - hmac(context, c, t, sizeof(t), 0, key, &ksign_c); + ret = hmac(context, c, t, sizeof(t), 0, key, &ksign_c); + if (ret) + krb5_abortx(context, "hmac failed"); ksign.key = &kb; kb.keyvalue = ksign_c.checksum; - hmac(context, c, data, len, 0, &ksign, result); + ret = hmac(context, c, data, len, 0, &ksign, result); + if (ret) + krb5_abortx(context, "hmac failed"); } struct checksum_type checksum_none = { @@ -1740,18 +1797,18 @@ get_checksum_key(krb5_context context, } static krb5_error_code -do_checksum (krb5_context context, - struct checksum_type *ct, - krb5_crypto crypto, - unsigned usage, - void *data, - size_t len, - Checksum *result) +create_checksum (krb5_context context, + struct checksum_type *ct, + krb5_crypto crypto, + unsigned usage, + void *data, + size_t len, + Checksum *result) { krb5_error_code ret; struct key_data *dkey; int keyed_checksum; - + keyed_checksum = (ct->flags & F_KEYED) != 0; if(keyed_checksum && crypto == NULL) { krb5_clear_error_string (context); @@ -1769,17 +1826,26 @@ do_checksum (krb5_context context, return 0; } -static krb5_error_code -create_checksum(krb5_context context, - krb5_crypto crypto, - unsigned usage, /* not krb5_key_usage */ - krb5_cksumtype type, /* 0 -> pick from crypto */ - void *data, - size_t len, - Checksum *result) +static int +arcfour_checksum_p(struct checksum_type *ct, krb5_crypto crypto) +{ + return (ct->type == CKSUMTYPE_HMAC_MD5) && + (crypto->key.key->keytype == KEYTYPE_ARCFOUR); +} + +krb5_error_code +krb5_create_checksum(krb5_context context, + krb5_crypto crypto, + krb5_key_usage usage, + int type, + void *data, + size_t len, + Checksum *result) { struct checksum_type *ct = NULL; + unsigned keyusage; + /* type 0 -> pick from crypto */ if (type) { ct = _find_checksum(type); } else if (crypto) { @@ -1793,21 +1859,15 @@ create_checksum(krb5_context context, type); return KRB5_PROG_SUMTYPE_NOSUPP; } - return do_checksum (context, ct, crypto, usage, data, len, result); -} -krb5_error_code -krb5_create_checksum(krb5_context context, - krb5_crypto crypto, - krb5_key_usage usage, - int type, - void *data, - size_t len, - Checksum *result) -{ - return create_checksum(context, crypto, - CHECKSUM_USAGE(usage), - type, data, len, result); + if (arcfour_checksum_p(ct, crypto)) { + keyusage = usage; + usage2arcfour(context, &keyusage); + } else + keyusage = CHECKSUM_USAGE(usage); + + return create_checksum(context, ct, crypto, keyusage, + data, len, result); } static krb5_error_code @@ -1825,7 +1885,7 @@ verify_checksum(krb5_context context, struct checksum_type *ct; ct = _find_checksum(cksum->cksumtype); - if(ct == NULL) { + if (ct == NULL) { krb5_set_error_string (context, "checksum type %d not supported", cksum->cksumtype); return KRB5_PROG_SUMTYPE_NOSUPP; @@ -1871,8 +1931,24 @@ krb5_verify_checksum(krb5_context context, size_t len, Checksum *cksum) { - return verify_checksum(context, crypto, - CHECKSUM_USAGE(usage), data, len, cksum); + struct checksum_type *ct; + unsigned keyusage; + + ct = _find_checksum(cksum->cksumtype); + if(ct == NULL) { + krb5_set_error_string (context, "checksum type %d not supported", + cksum->cksumtype); + return KRB5_PROG_SUMTYPE_NOSUPP; + } + + if (arcfour_checksum_p(ct, crypto)) { + keyusage = usage; + usage2arcfour(context, &keyusage); + } else + keyusage = CHECKSUM_USAGE(usage); + + return verify_checksum(context, crypto, keyusage, + data, len, cksum); } krb5_error_code @@ -2108,7 +2184,7 @@ AES_CTS_encrypt(krb5_context context, k = &k[1]; if (len < AES_BLOCK_SIZE) - abort(); + krb5_abortx(context, "invalid use of AES_CTS_encrypt"); if (len == AES_BLOCK_SIZE) { if (encrypt) AES_encrypt(data, data, k); @@ -2148,6 +2224,7 @@ ARCFOUR_subencrypt(krb5_context context, RC4_KEY rc4_key; unsigned char *cdata = data; unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16]; + krb5_error_code ret; t[0] = (usage >> 0) & 0xFF; t[1] = (usage >> 8) & 0xFF; @@ -2157,7 +2234,9 @@ ARCFOUR_subencrypt(krb5_context context, k1_c.checksum.length = sizeof(k1_c_data); k1_c.checksum.data = k1_c_data; - hmac(NULL, c, t, sizeof(t), 0, key, &k1_c); + ret = hmac(NULL, c, t, sizeof(t), 0, key, &k1_c); + if (ret) + krb5_abortx(context, "hmac failed"); memcpy (k2_c_data, k1_c_data, sizeof(k1_c_data)); @@ -2170,7 +2249,9 @@ ARCFOUR_subencrypt(krb5_context context, cksum.checksum.length = 16; cksum.checksum.data = data; - hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum); + ret = hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum); + if (ret) + krb5_abortx(context, "hmac failed"); ke.key = &kb; kb.keyvalue = k1_c.checksum; @@ -2178,7 +2259,9 @@ ARCFOUR_subencrypt(krb5_context context, k3_c.checksum.length = sizeof(k3_c_data); k3_c.checksum.data = k3_c_data; - hmac(NULL, c, data, 16, 0, &ke, &k3_c); + ret = hmac(NULL, c, data, 16, 0, &ke, &k3_c); + if (ret) + krb5_abortx(context, "hmac failed"); RC4_set_key (&rc4_key, k3_c.checksum.length, k3_c.checksum.data); RC4 (&rc4_key, len - 16, cdata + 16, cdata + 16); @@ -2205,6 +2288,7 @@ ARCFOUR_subdecrypt(krb5_context context, unsigned char *cdata = data; unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16]; unsigned char cksum_data[16]; + krb5_error_code ret; t[0] = (usage >> 0) & 0xFF; t[1] = (usage >> 8) & 0xFF; @@ -2214,7 +2298,9 @@ ARCFOUR_subdecrypt(krb5_context context, k1_c.checksum.length = sizeof(k1_c_data); k1_c.checksum.data = k1_c_data; - hmac(NULL, c, t, sizeof(t), 0, key, &k1_c); + ret = hmac(NULL, c, t, sizeof(t), 0, key, &k1_c); + if (ret) + krb5_abortx(context, "hmac failed"); memcpy (k2_c_data, k1_c_data, sizeof(k1_c_data)); @@ -2227,7 +2313,9 @@ ARCFOUR_subdecrypt(krb5_context context, k3_c.checksum.length = sizeof(k3_c_data); k3_c.checksum.data = k3_c_data; - hmac(NULL, c, cdata, 16, 0, &ke, &k3_c); + ret = hmac(NULL, c, cdata, 16, 0, &ke, &k3_c); + if (ret) + krb5_abortx(context, "hmac failed"); RC4_set_key (&rc4_key, k3_c.checksum.length, k3_c.checksum.data); RC4 (&rc4_key, len - 16, cdata + 16, cdata + 16); @@ -2238,7 +2326,9 @@ ARCFOUR_subdecrypt(krb5_context context, cksum.checksum.length = 16; cksum.checksum.data = cksum_data; - hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum); + ret = hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum); + if (ret) + krb5_abortx(context, "hmac failed"); memset (k1_c_data, 0, sizeof(k1_c_data)); memset (k2_c_data, 0, sizeof(k2_c_data)); @@ -2255,54 +2345,28 @@ ARCFOUR_subdecrypt(krb5_context context, /* * convert the usage numbers used in * draft-ietf-cat-kerb-key-derivation-00.txt to the ones in - * draft-brezak-win2k-krb-rc4-hmac-03.txt + * draft-brezak-win2k-krb-rc4-hmac-04.txt */ static krb5_error_code usage2arcfour (krb5_context context, int *usage) { switch (*usage) { - case KRB5_KU_PA_ENC_TIMESTAMP : - *usage = 1; - return 0; - case KRB5_KU_TICKET : - *usage = 2; - return 0; - case KRB5_KU_AS_REP_ENC_PART : + case KRB5_KU_AS_REP_ENC_PART : /* 3 */ + case KRB5_KU_TGS_REP_ENC_PART_SUB_KEY : /* 9 */ *usage = 8; return 0; - case KRB5_KU_TGS_REQ_AUTH_DAT_SESSION : - case KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY : - case KRB5_KU_TGS_REQ_AUTH_CKSUM : - case KRB5_KU_TGS_REQ_AUTH : - *usage = 7; + case KRB5_KU_USAGE_SEAL : /* 22 */ + *usage = 13; return 0; - case KRB5_KU_TGS_REP_ENC_PART_SESSION : - case KRB5_KU_TGS_REP_ENC_PART_SUB_KEY : - *usage = 8; - return 0; - case KRB5_KU_AP_REQ_AUTH_CKSUM : - case KRB5_KU_AP_REQ_AUTH : - case KRB5_KU_AP_REQ_ENC_PART : - *usage = 11; - return 0; - case KRB5_KU_KRB_PRIV : + case KRB5_KU_USAGE_SIGN : /* 23 */ + *usage = 15; + return 0; + case KRB5_KU_USAGE_SEQ: /* 24 */ *usage = 0; return 0; - case KRB5_KU_KRB_CRED : - case KRB5_KU_KRB_SAFE_CKSUM : - case KRB5_KU_OTHER_ENCRYPTED : - case KRB5_KU_OTHER_CKSUM : - case KRB5_KU_KRB_ERROR : - case KRB5_KU_AD_KDC_ISSUED : - case KRB5_KU_MANDATORY_TICKET_EXTENSION : - case KRB5_KU_AUTH_DATA_TICKET_EXTENSION : - case KRB5_KU_USAGE_SEAL : - case KRB5_KU_USAGE_SIGN : - case KRB5_KU_USAGE_SEQ : default : - krb5_set_error_string(context, "unknown arcfour usage type %d", *usage); - return KRB5_PROG_ETYPE_NOSUPP; + return 0; } } @@ -2730,9 +2794,9 @@ encrypt_internal_derived(krb5_context context, memcpy(q, data, len); ret = create_checksum(context, + et->keyed_checksum, crypto, INTEGRITY_USAGE(usage), - et->keyed_checksum->type, p, block_sz, &cksum); @@ -2799,9 +2863,9 @@ encrypt_internal(krb5_context context, memcpy(q, data, len); ret = create_checksum(context, + et->checksum, crypto, 0, - et->checksum->type, p, block_sz, &cksum); @@ -2895,6 +2959,11 @@ decrypt_internal_derived(krb5_context context, return EINVAL; /* XXX - better error code? */ } + if (((len - checksum_sz) % et->padsize) != 0) { + krb5_clear_error_string(context); + return KRB5_BAD_MSIZE; + } + p = malloc(len); if(len != 0 && p == NULL) { krb5_set_error_string(context, "malloc: out of memory"); @@ -2963,6 +3032,11 @@ decrypt_internal(krb5_context context, size_t checksum_sz, l; struct encryption_type *et = crypto->et; + if ((len % et->padsize) != 0) { + krb5_clear_error_string(context); + return KRB5_BAD_MSIZE; + } + checksum_sz = CHECKSUMSIZE(et->checksum); p = malloc(len); if(len != 0 && p == NULL) { @@ -3021,25 +3095,34 @@ decrypt_internal_special(krb5_context context, struct encryption_type *et = crypto->et; size_t cksum_sz = CHECKSUMSIZE(et->checksum); size_t sz = len - cksum_sz - et->confoundersize; - char *cdata = (char *)data; - char *tmp; + unsigned char *p; krb5_error_code ret; - tmp = malloc (sz); - if (tmp == NULL) { + if ((len % et->padsize) != 0) { + krb5_clear_error_string(context); + return KRB5_BAD_MSIZE; + } + + p = malloc (len); + if (p == NULL) { krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; } + memcpy(p, data, len); - ret = (*et->encrypt)(context, &crypto->key, data, len, FALSE, usage, ivec); + ret = (*et->encrypt)(context, &crypto->key, p, len, FALSE, usage, ivec); if (ret) { - free(tmp); + free(p); return ret; } - memcpy (tmp, cdata + cksum_sz + et->confoundersize, sz); - - result->data = tmp; + memmove (p, p + cksum_sz + et->confoundersize, sz); + result->data = realloc(p, sz); + if(result->data == NULL) { + free(p); + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } result->length = sz; return 0; } diff --git a/crypto/heimdal/lib/krb5/eai_to_heim_errno.c b/crypto/heimdal/lib/krb5/eai_to_heim_errno.c index 924be7c..b30640f 100644 --- a/crypto/heimdal/lib/krb5/eai_to_heim_errno.c +++ b/crypto/heimdal/lib/krb5/eai_to_heim_errno.c @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$Id: eai_to_heim_errno.c,v 1.3 2001/05/14 22:48:33 assar Exp $"); +RCSID("$Id: eai_to_heim_errno.c,v 1.3.8.1 2004/02/13 16:15:16 lha Exp $"); /* * convert the getaddrinfo error code in `eai_errno' into a @@ -47,8 +47,10 @@ krb5_eai_to_heim_errno(int eai_errno, int system_error) switch(eai_errno) { case EAI_NOERROR: return 0; +#ifdef EAI_ADDRFAMILY case EAI_ADDRFAMILY: return HEIM_EAI_ADDRFAMILY; +#endif case EAI_AGAIN: return HEIM_EAI_AGAIN; case EAI_BADFLAGS: @@ -59,8 +61,10 @@ krb5_eai_to_heim_errno(int eai_errno, int system_error) return HEIM_EAI_FAMILY; case EAI_MEMORY: return HEIM_EAI_MEMORY; +#if defined(EAI_NODATA) && EAI_NODATA != EAI_NONAME case EAI_NODATA: return HEIM_EAI_NODATA; +#endif case EAI_NONAME: return HEIM_EAI_NONAME; case EAI_SERVICE: diff --git a/crypto/heimdal/lib/krb5/fcache.c b/crypto/heimdal/lib/krb5/fcache.c index d166fd9..38006c3 100644 --- a/crypto/heimdal/lib/krb5/fcache.c +++ b/crypto/heimdal/lib/krb5/fcache.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: fcache.c,v 1.34 2002/04/18 14:01:29 joda Exp $"); +RCSID("$Id: fcache.c,v 1.34.6.6 2004/03/10 13:30:59 lha Exp $"); typedef struct krb5_fcache{ char *filename; @@ -65,6 +65,73 @@ fcc_get_name(krb5_context context, return FILENAME(id); } +int +_krb5_xlock(krb5_context context, int fd, krb5_boolean exclusive, + const char *filename) +{ + int ret; +#ifdef HAVE_FCNTL + struct flock l; + + l.l_start = 0; + l.l_len = 0; + l.l_type = exclusive ? F_WRLCK : F_RDLCK; + l.l_whence = SEEK_SET; + ret = fcntl(fd, F_SETLKW, &l); +#else + ret = flock(fd, exclusive ? LOCK_EX : LOCK_SH); +#endif + if(ret < 0) + ret = errno; + if(ret == EACCES) /* fcntl can return EACCES instead of EAGAIN */ + ret = EAGAIN; + + switch (ret) { + case 0: + break; + case EINVAL: /* filesystem doesn't support locking, let the user have it */ + ret = 0; + break; + case EAGAIN: + krb5_set_error_string(context, "timed out locking cache file %s", + filename); + break; + default: + krb5_set_error_string(context, "error locking cache file %s: %s", + filename, strerror(ret)); + break; + } + return ret; +} + +int +_krb5_xunlock(int fd) +{ +#ifdef HAVE_FCNTL_LOCK + struct flock l; + l.l_start = 0; + l.l_len = 0; + l.l_type = F_UNLCK; + l.l_whence = SEEK_SET; + return fcntl(fd, F_SETLKW, &l); +#else + return flock(fd, LOCK_UN); +#endif +} + +static krb5_error_code +fcc_lock(krb5_context context, krb5_ccache id, + int fd, krb5_boolean exclusive) +{ + return _krb5_xlock(context, fd, exclusive, fcc_get_name(context, id)); +} + +static krb5_error_code +fcc_unlock(krb5_context context, int fd) +{ + return _krb5_xunlock(fd); +} + static krb5_error_code fcc_resolve(krb5_context context, krb5_ccache *id, const char *res) { @@ -142,7 +209,6 @@ erase_file(const char *filename) close (fd); return errno; } - ret = fstat (fd, &sb2); if (ret < 0) { close (fd); @@ -227,6 +293,34 @@ storage_set_flags(krb5_context context, krb5_storage *sp, int vno) } static krb5_error_code +fcc_open(krb5_context context, + krb5_ccache id, + int *fd_ret, + int flags, + mode_t mode) +{ + krb5_boolean exclusive = ((flags | O_WRONLY) == flags || + (flags | O_RDWR) == flags); + krb5_error_code ret; + const char *filename = FILENAME(id); + int fd; + fd = open(filename, flags, mode); + if(fd < 0) { + ret = errno; + krb5_set_error_string(context, "open(%s): %s", filename, + strerror(ret)); + return ret; + } + + if((ret = fcc_lock(context, id, fd, exclusive)) != 0) { + close(fd); + return ret; + } + *fd_ret = fd; + return 0; +} + +static krb5_error_code fcc_initialize(krb5_context context, krb5_ccache id, krb5_principal primary_principal) @@ -238,13 +332,9 @@ fcc_initialize(krb5_context context, unlink (filename); - fd = open(filename, O_RDWR | O_CREAT | O_EXCL | O_BINARY, 0600); - if(fd == -1) { - ret = errno; - krb5_set_error_string(context, "open(%s): %s", filename, - strerror(ret)); + ret = fcc_open(context, id, &fd, O_RDWR | O_CREAT | O_EXCL | O_BINARY, 0600); + if(ret) return ret; - } { krb5_storage *sp; sp = krb5_storage_from_fd(fd); @@ -269,15 +359,16 @@ fcc_initialize(krb5_context context, } } ret |= krb5_store_principal(sp, primary_principal); + krb5_storage_free(sp); } - if(close(fd) < 0) + fcc_unlock(context, fd); + if (close(fd) < 0) if (ret == 0) { ret = errno; - krb5_set_error_string (context, "close %s: %s", filename, - strerror(ret)); + krb5_set_error_string (context, "close %s: %s", + FILENAME(id), strerror(ret)); } - return ret; } @@ -294,11 +385,7 @@ static krb5_error_code fcc_destroy(krb5_context context, krb5_ccache id) { - char *f; - f = FILENAME(id); - - erase_file(f); - + erase_file(FILENAME(id)); return 0; } @@ -309,49 +396,37 @@ fcc_store_cred(krb5_context context, { int ret; int fd; - char *f; - f = FILENAME(id); - - fd = open(f, O_WRONLY | O_APPEND | O_BINARY); - if(fd < 0) { - ret = errno; - krb5_set_error_string (context, "open(%s): %s", f, strerror(ret)); + ret = fcc_open(context, id, &fd, O_WRONLY | O_APPEND | O_BINARY, 0); + if(ret) return ret; - } { krb5_storage *sp; sp = krb5_storage_from_fd(fd); krb5_storage_set_eof_code(sp, KRB5_CC_END); storage_set_flags(context, sp, FCACHE(id)->version); - ret = krb5_store_creds(sp, creds); + if (krb5_config_get_bool_default(context, NULL, FALSE, + "libdefaults", + "fcc-mit-ticketflags", + NULL)) + ret = _krb5_store_creds_heimdal_0_7(sp, creds); + else + ret = _krb5_store_creds_heimdal_pre_0_7(sp, creds); krb5_storage_free(sp); } + fcc_unlock(context, fd); if (close(fd) < 0) if (ret == 0) { ret = errno; - krb5_set_error_string (context, "close %s: %s", f, strerror(ret)); + krb5_set_error_string (context, "close %s: %s", + FILENAME(id), strerror(ret)); } return ret; } static krb5_error_code -fcc_read_cred (krb5_context context, - krb5_fcache *fc, - krb5_storage *sp, - krb5_creds *creds) -{ - krb5_error_code ret; - - storage_set_flags(context, sp, fc->version); - - ret = krb5_ret_creds(sp, creds); - return ret; -} - -static krb5_error_code init_fcc (krb5_context context, - krb5_fcache *fcache, + krb5_ccache id, krb5_storage **ret_sp, int *ret_fd) { @@ -360,48 +435,79 @@ init_fcc (krb5_context context, krb5_storage *sp; krb5_error_code ret; - fd = open(fcache->filename, O_RDONLY | O_BINARY); - if(fd < 0) { - ret = errno; - krb5_set_error_string(context, "open(%s): %s", fcache->filename, - strerror(ret)); + ret = fcc_open(context, id, &fd, O_RDONLY | O_BINARY, 0); + + if(ret) return ret; - } + sp = krb5_storage_from_fd(fd); + if(sp == NULL) { + ret = ENOMEM; + goto out; + } krb5_storage_set_eof_code(sp, KRB5_CC_END); ret = krb5_ret_int8(sp, &pvno); - if(ret == KRB5_CC_END) - return ENOENT; - if(ret) - return ret; + if(ret != 0) { + if(ret == KRB5_CC_END) + ret = ENOENT; /* empty file */ + goto out; + } if(pvno != 5) { - krb5_storage_free(sp); - close(fd); - return KRB5_CCACHE_BADVNO; + ret = KRB5_CCACHE_BADVNO; + goto out; } - krb5_ret_int8(sp, &tag); /* should not be host byte order */ - fcache->version = tag; - storage_set_flags(context, sp, fcache->version); + ret = krb5_ret_int8(sp, &tag); /* should not be host byte order */ + if(ret != 0) { + ret = KRB5_CC_FORMAT; + goto out; + } + FCACHE(id)->version = tag; + storage_set_flags(context, sp, FCACHE(id)->version); switch (tag) { case KRB5_FCC_FVNO_4: { int16_t length; - krb5_ret_int16 (sp, &length); + ret = krb5_ret_int16 (sp, &length); + if(ret) { + ret = KRB5_CC_FORMAT; + goto out; + } while(length > 0) { int16_t tag, data_len; int i; int8_t dummy; - krb5_ret_int16 (sp, &tag); - krb5_ret_int16 (sp, &data_len); + ret = krb5_ret_int16 (sp, &tag); + if(ret) { + ret = KRB5_CC_FORMAT; + goto out; + } + ret = krb5_ret_int16 (sp, &data_len); + if(ret) { + ret = KRB5_CC_FORMAT; + goto out; + } switch (tag) { case FCC_TAG_DELTATIME : - krb5_ret_int32 (sp, &context->kdc_sec_offset); - krb5_ret_int32 (sp, &context->kdc_usec_offset); + ret = krb5_ret_int32 (sp, &context->kdc_sec_offset); + if(ret) { + ret = KRB5_CC_FORMAT; + goto out; + } + ret = krb5_ret_int32 (sp, &context->kdc_usec_offset); + if(ret) { + ret = KRB5_CC_FORMAT; + goto out; + } break; default : - for (i = 0; i < data_len; ++i) - krb5_ret_int8 (sp, &dummy); + for (i = 0; i < data_len; ++i) { + ret = krb5_ret_int8 (sp, &dummy); + if(ret) { + ret = KRB5_CC_FORMAT; + goto out; + } + } break; } length -= 4 + data_len; @@ -413,13 +519,19 @@ init_fcc (krb5_context context, case KRB5_FCC_FVNO_1: break; default : - krb5_storage_free (sp); - close (fd); - return KRB5_CCACHE_BADVNO; + ret = KRB5_CCACHE_BADVNO; + goto out; } *ret_sp = sp; *ret_fd = fd; + return 0; + out: + if(sp != NULL) + krb5_storage_free(sp); + fcc_unlock(context, fd); + close(fd); + return ret; } static krb5_error_code @@ -428,36 +540,47 @@ fcc_get_principal(krb5_context context, krb5_principal *principal) { krb5_error_code ret; - krb5_fcache *f = FCACHE(id); int fd; krb5_storage *sp; - ret = init_fcc (context, f, &sp, &fd); + ret = init_fcc (context, id, &sp, &fd); if (ret) return ret; ret = krb5_ret_principal(sp, principal); krb5_storage_free(sp); + fcc_unlock(context, fd); close(fd); return ret; } static krb5_error_code +fcc_end_get (krb5_context context, + krb5_ccache id, + krb5_cc_cursor *cursor); + +static krb5_error_code fcc_get_first (krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor) { krb5_error_code ret; krb5_principal principal; - krb5_fcache *f = FCACHE(id); *cursor = malloc(sizeof(struct fcc_cursor)); - ret = init_fcc (context, f, &FCC_CURSOR(*cursor)->sp, + ret = init_fcc (context, id, &FCC_CURSOR(*cursor)->sp, &FCC_CURSOR(*cursor)->fd); - if (ret) + if (ret) { + free(*cursor); + return ret; + } + ret = krb5_ret_principal (FCC_CURSOR(*cursor)->sp, &principal); + if(ret) { + fcc_end_get(context, id, cursor); return ret; - krb5_ret_principal (FCC_CURSOR(*cursor)->sp, &principal); + } krb5_free_principal (context, principal); + fcc_unlock(context, FCC_CURSOR(*cursor)->fd); return 0; } @@ -467,7 +590,14 @@ fcc_get_next (krb5_context context, krb5_cc_cursor *cursor, krb5_creds *creds) { - return fcc_read_cred (context, FCACHE(id), FCC_CURSOR(*cursor)->sp, creds); + krb5_error_code ret; + if((ret = fcc_lock(context, id, FCC_CURSOR(*cursor)->fd, FALSE)) != 0) + return ret; + + ret = krb5_ret_creds(FCC_CURSOR(*cursor)->sp, creds); + + fcc_unlock(context, FCC_CURSOR(*cursor)->fd); + return ret; } static krb5_error_code @@ -478,6 +608,7 @@ fcc_end_get (krb5_context context, krb5_storage_free(FCC_CURSOR(*cursor)->sp); close (FCC_CURSOR(*cursor)->fd); free(*cursor); + *cursor = NULL; return 0; } diff --git a/crypto/heimdal/lib/krb5/get_cred.c b/crypto/heimdal/lib/krb5/get_cred.c index 7aa61a3..cae47f5 100644 --- a/crypto/heimdal/lib/krb5/get_cred.c +++ b/crypto/heimdal/lib/krb5/get_cred.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$Id: get_cred.c,v 1.91 2002/09/04 21:12:46 joda Exp $"); +RCSID("$Id: get_cred.c,v 1.91.4.3 2004/01/09 00:47:17 lha Exp $"); /* * Take the `body' and encode it into `padata' using the credentials @@ -225,26 +225,37 @@ init_tgs_req (krb5_context context, { krb5_auth_context ac; - krb5_keyblock *key; + krb5_keyblock *key = NULL; ret = krb5_auth_con_init(context, &ac); if(ret) goto fail; - ret = krb5_generate_subkey (context, &krbtgt->session, &key); - if (ret) { - krb5_auth_con_free (context, ac); - goto fail; - } - ret = krb5_auth_con_setlocalsubkey(context, ac, key); - if (ret) { - krb5_free_keyblock (context, key); - krb5_auth_con_free (context, ac); - goto fail; + + if (krb5_config_get_bool_default(context, NULL, FALSE, + "realms", + krbtgt->server->realm, + "tgs_require_subkey", + NULL)) + { + ret = krb5_generate_subkey (context, &krbtgt->session, &key); + if (ret) { + krb5_auth_con_free (context, ac); + goto fail; + } + + ret = krb5_auth_con_setlocalsubkey(context, ac, key); + if (ret) { + if (key) + krb5_free_keyblock (context, key); + krb5_auth_con_free (context, ac); + goto fail; + } } ret = set_auth_data (context, &t->req_body, &in_creds->authdata, key); if (ret) { - krb5_free_keyblock (context, key); + if (key) + krb5_free_keyblock (context, key); krb5_auth_con_free (context, ac); goto fail; } @@ -256,7 +267,8 @@ init_tgs_req (krb5_context context, krbtgt, usage); if(ret) { - krb5_free_keyblock (context, key); + if (key) + krb5_free_keyblock (context, key); krb5_auth_con_free(context, ac); goto fail; } @@ -265,36 +277,44 @@ init_tgs_req (krb5_context context, krb5_auth_con_free(context, ac); } fail: - if (ret) - /* XXX - don't free addresses? */ + if (ret) { + t->req_body.addresses = NULL; free_TGS_REQ (t); + } return ret; } -static krb5_error_code -get_krbtgt(krb5_context context, - krb5_ccache id, - krb5_realm realm, - krb5_creds **cred) +krb5_error_code +_krb5_get_krbtgt(krb5_context context, + krb5_ccache id, + krb5_realm realm, + krb5_creds **cred) { krb5_error_code ret; krb5_creds tmp_cred; memset(&tmp_cred, 0, sizeof(tmp_cred)); + ret = krb5_cc_get_principal(context, id, &tmp_cred.client); + if (ret) + return ret; + ret = krb5_make_principal(context, &tmp_cred.server, realm, KRB5_TGS_NAME, realm, NULL); - if(ret) + if(ret) { + krb5_free_principal(context, tmp_cred.client); return ret; + } ret = krb5_get_credentials(context, KRB5_GC_CACHED, id, &tmp_cred, cred); + krb5_free_principal(context, tmp_cred.client); krb5_free_principal(context, tmp_cred.server); if(ret) return ret; @@ -467,7 +487,7 @@ get_cred_kdc_usage(krb5_context context, krb5_clear_error_string(context); } krb5_data_free(&resp); -out: + out: if(subkey){ krb5_free_keyblock_contents(context, subkey); free(subkey); @@ -537,10 +557,10 @@ krb5_get_kdc_cred(krb5_context context, krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; } - ret = get_krbtgt (context, - id, - in_creds->server->realm, - &krbtgt); + ret = _krb5_get_krbtgt (context, + id, + in_creds->server->realm, + &krbtgt); if(ret) { free(*out_creds); return ret; @@ -635,8 +655,16 @@ get_cred_from_kdc_flags(krb5_context context, if(ret) return ret; - try_realm = krb5_config_get_string(context, NULL, "libdefaults", - "capath", server_realm, NULL); + try_realm = krb5_config_get_string(context, NULL, "capaths", + client_realm, server_realm, NULL); + +#if 1 + /* XXX remove in future release */ + if(try_realm == NULL) + try_realm = krb5_config_get_string(context, NULL, "libdefaults", + "capath", server_realm, NULL); +#endif + if (try_realm == NULL) try_realm = client_realm; @@ -644,7 +672,7 @@ get_cred_from_kdc_flags(krb5_context context, &tmp_creds.server, try_realm, KRB5_TGS_NAME, - server_realm, + server_realm, NULL); if(ret){ krb5_free_principal(context, tmp_creds.client); diff --git a/crypto/heimdal/lib/krb5/get_for_creds.c b/crypto/heimdal/lib/krb5/get_for_creds.c index 2bec9f7..6bdffe5 100644 --- a/crypto/heimdal/lib/krb5/get_for_creds.c +++ b/crypto/heimdal/lib/krb5/get_for_creds.c @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$Id: get_for_creds.c,v 1.34 2002/09/04 16:26:04 joda Exp $"); +RCSID("$Id: get_for_creds.c,v 1.34.4.1 2004/01/09 00:51:55 lha Exp $"); static krb5_error_code add_addrs(krb5_context context, @@ -41,7 +41,7 @@ add_addrs(krb5_context context, struct addrinfo *ai) { krb5_error_code ret; - unsigned n, i, j; + unsigned n, i; void *tmp; struct addrinfo *a; @@ -49,29 +49,34 @@ add_addrs(krb5_context context, for (a = ai; a != NULL; a = a->ai_next) ++n; - i = addr->len; - addr->len += n; - tmp = realloc(addr->val, addr->len * sizeof(*addr->val)); + tmp = realloc(addr->val, (addr->len + n) * sizeof(*addr->val)); if (tmp == NULL) { krb5_set_error_string(context, "malloc: out of memory"); ret = ENOMEM; goto fail; } addr->val = tmp; - for (j = i; j < addr->len; ++j) { + for (i = addr->len; i < (addr->len + n); ++i) { addr->val[i].addr_type = 0; krb5_data_zero(&addr->val[i].address); } + i = addr->len; for (a = ai; a != NULL; a = a->ai_next) { - ret = krb5_sockaddr2address (context, a->ai_addr, &addr->val[i]); - if (ret == 0) - ++i; + krb5_address ad; + + ret = krb5_sockaddr2address (context, a->ai_addr, &ad); + if (ret == 0) { + if (krb5_address_search(context, &ad, addr)) + krb5_free_address(context, &ad); + else + addr->val[i++] = ad; + } else if (ret == KRB5_PROG_ATYPE_NOSUPP) krb5_clear_error_string (context); else goto fail; + addr->len = i; } - addr->len = i; return 0; fail: krb5_free_addresses (context, addr); @@ -157,42 +162,66 @@ krb5_get_forwarded_creds (krb5_context context, { krb5_error_code ret; krb5_creds *out_creds; - krb5_addresses addrs; + krb5_addresses addrs, *paddrs; KRB_CRED cred; KrbCredInfo *krb_cred_info; EncKrbCredPart enc_krb_cred_part; size_t len; unsigned char *buf; size_t buf_size; - int32_t sec, usec; krb5_kdc_flags kdc_flags; krb5_crypto crypto; struct addrinfo *ai; int save_errno; krb5_keyblock *key; + krb5_creds *ticket; + char *realm; + + if (in_creds->client && in_creds->client->realm) + realm = in_creds->client->realm; + else + realm = in_creds->server->realm; addrs.len = 0; addrs.val = NULL; - - ret = getaddrinfo (hostname, NULL, NULL, &ai); - if (ret) { - save_errno = errno; - krb5_set_error_string(context, "resolving %s: %s", - hostname, gai_strerror(ret)); - return krb5_eai_to_heim_errno(ret, save_errno); + paddrs = &addrs; + + /* + * If tickets are address-less, forward address-less tickets. + */ + + ret = _krb5_get_krbtgt (context, + ccache, + realm, + &ticket); + if(ret == 0) { + if (ticket->addresses.len == 0) + paddrs = NULL; + krb5_free_creds (context, ticket); } - - ret = add_addrs (context, &addrs, ai); - freeaddrinfo (ai); - if (ret) - return ret; - + + if (paddrs != NULL) { + + ret = getaddrinfo (hostname, NULL, NULL, &ai); + if (ret) { + save_errno = errno; + krb5_set_error_string(context, "resolving %s: %s", + hostname, gai_strerror(ret)); + return krb5_eai_to_heim_errno(ret, save_errno); + } + + ret = add_addrs (context, &addrs, ai); + freeaddrinfo (ai); + if (ret) + return ret; + } + kdc_flags.i = flags; ret = krb5_get_kdc_cred (context, ccache, kdc_flags, - &addrs, + paddrs, NULL, in_creds, &out_creds); @@ -224,29 +253,36 @@ krb5_get_forwarded_creds (krb5_context context, goto out4; } - krb5_us_timeofday (context, &sec, &usec); - - ALLOC(enc_krb_cred_part.timestamp, 1); - if (enc_krb_cred_part.timestamp == NULL) { - ret = ENOMEM; - krb5_set_error_string(context, "malloc: out of memory"); - goto out4; - } - *enc_krb_cred_part.timestamp = sec; - ALLOC(enc_krb_cred_part.usec, 1); - if (enc_krb_cred_part.usec == NULL) { - ret = ENOMEM; - krb5_set_error_string(context, "malloc: out of memory"); - goto out4; + if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) { + int32_t sec, usec; + + krb5_us_timeofday (context, &sec, &usec); + + ALLOC(enc_krb_cred_part.timestamp, 1); + if (enc_krb_cred_part.timestamp == NULL) { + ret = ENOMEM; + krb5_set_error_string(context, "malloc: out of memory"); + goto out4; + } + *enc_krb_cred_part.timestamp = sec; + ALLOC(enc_krb_cred_part.usec, 1); + if (enc_krb_cred_part.usec == NULL) { + ret = ENOMEM; + krb5_set_error_string(context, "malloc: out of memory"); + goto out4; + } + *enc_krb_cred_part.usec = usec; + } else { + enc_krb_cred_part.timestamp = NULL; + enc_krb_cred_part.usec = NULL; } - *enc_krb_cred_part.usec = usec; if (auth_context->local_address && auth_context->local_port) { krb5_boolean noaddr; - const krb5_realm *realm; + krb5_const_realm realm; - realm = krb5_princ_realm(context, out_creds->server); - krb5_appdefault_boolean(context, NULL, *realm, "no-addresses", FALSE, + realm = krb5_principal_get_realm(context, out_creds->server); + krb5_appdefault_boolean(context, NULL, realm, "no-addresses", FALSE, &noaddr); if (!noaddr) { ret = krb5_make_addrport (context, @@ -261,10 +297,10 @@ krb5_get_forwarded_creds (krb5_context context, if (auth_context->remote_address) { if (auth_context->remote_port) { krb5_boolean noaddr; - const krb5_realm *realm; + krb5_const_realm realm; - realm = krb5_princ_realm(context, out_creds->server); - krb5_appdefault_boolean(context, NULL, *realm, "no-addresses", + realm = krb5_principal_get_realm(context, out_creds->server); + krb5_appdefault_boolean(context, NULL, realm, "no-addresses", FALSE, &noaddr); if (!noaddr) { ret = krb5_make_addrport (context, @@ -367,11 +403,11 @@ krb5_get_forwarded_creds (krb5_context context, out_data->length = len; out_data->data = buf; return 0; -out4: + out4: free_EncKrbCredPart(&enc_krb_cred_part); -out3: + out3: free_KRB_CRED(&cred); -out2: + out2: krb5_free_creds (context, out_creds); return ret; } diff --git a/crypto/heimdal/lib/krb5/get_in_tkt.c b/crypto/heimdal/lib/krb5/get_in_tkt.c index 0e75a95..88943e7 100644 --- a/crypto/heimdal/lib/krb5/get_in_tkt.c +++ b/crypto/heimdal/lib/krb5/get_in_tkt.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: get_in_tkt.c,v 1.107 2003/02/16 06:41:25 nectar Exp $"); +RCSID("$Id: get_in_tkt.c,v 1.107.2.1 2003/09/18 21:00:09 lha Exp $"); krb5_error_code krb5_init_etype (krb5_context context, @@ -543,9 +543,9 @@ init_as_req (krb5_context context, else krb5_data_zero(&salt.saltvalue); ret = add_padata(context, a->padata, creds->client, - key_proc, keyseed, - &preauth->val[i].info.val[j].etype, 1, - sp); + key_proc, keyseed, + &preauth->val[i].info.val[j].etype, 1, + sp); if (ret == 0) break; } @@ -821,7 +821,7 @@ krb5_get_in_tkt(krb5_context context, ret_as_reply); if(ret) return ret; - ret = krb5_cc_store_cred (context, ccache, creds); - krb5_free_creds_contents (context, creds); + if (ccache) + ret = krb5_cc_store_cred (context, ccache, creds); return ret; } diff --git a/crypto/heimdal/lib/krb5/krb5-private.h b/crypto/heimdal/lib/krb5/krb5-private.h index b247131..669e954 100644 --- a/crypto/heimdal/lib/krb5/krb5-private.h +++ b/crypto/heimdal/lib/krb5/krb5-private.h @@ -43,6 +43,13 @@ _krb5_get_int ( unsigned long */*value*/, size_t /*size*/); +krb5_error_code +_krb5_get_krbtgt ( + krb5_context /*context*/, + krb5_ccache /*id*/, + krb5_realm /*realm*/, + krb5_creds **/*cred*/); + time_t _krb5_krb_life_to_time ( int /*start*/, @@ -66,4 +73,30 @@ _krb5_put_int ( unsigned long /*value*/, size_t /*size*/); +krb5_error_code +_krb5_store_creds_heimdal_0_7 ( + krb5_storage */*sp*/, + krb5_creds */*creds*/); + +krb5_error_code +_krb5_store_creds_heimdal_pre_0_7 ( + krb5_storage */*sp*/, + krb5_creds */*creds*/); + +krb5_error_code +_krb5_store_creds_internal ( + krb5_storage */*sp*/, + krb5_creds */*creds*/, + int /*v0_6*/); + +int +_krb5_xlock ( + krb5_context /*context*/, + int /*fd*/, + krb5_boolean /*exclusive*/, + const char */*filename*/); + +int +_krb5_xunlock (int /*fd*/); + #endif /* __krb5_private_h__ */ diff --git a/crypto/heimdal/lib/krb5/krb5-protos.h b/crypto/heimdal/lib/krb5/krb5-protos.h index 22fc669..4023744 100644 --- a/crypto/heimdal/lib/krb5/krb5-protos.h +++ b/crypto/heimdal/lib/krb5/krb5-protos.h @@ -541,6 +541,15 @@ krb5_change_password ( krb5_data */*result_string*/); krb5_error_code +krb5_check_transited ( + krb5_context /*context*/, + krb5_const_realm /*client_realm*/, + krb5_const_realm /*server_realm*/, + krb5_realm */*realms*/, + int /*num_realms*/, + int */*bad_realm*/); + +krb5_error_code krb5_check_transited_realms ( krb5_context /*context*/, const char *const */*realms*/, @@ -1640,6 +1649,16 @@ krb5_boolean krb5_have_error_string (krb5_context /*context*/); krb5_error_code +krb5_hmac ( + krb5_context /*context*/, + krb5_cksumtype /*cktype*/, + const void */*data*/, + size_t /*len*/, + unsigned /*usage*/, + krb5_keyblock */*key*/, + Checksum */*result*/); + +krb5_error_code krb5_init_context (krb5_context */*context*/); void diff --git a/crypto/heimdal/lib/krb5/krb5.conf.5 b/crypto/heimdal/lib/krb5/krb5.conf.5 index 9ee85aa..c9f8771 100644 --- a/crypto/heimdal/lib/krb5/krb5.conf.5 +++ b/crypto/heimdal/lib/krb5/krb5.conf.5 @@ -1,42 +1,44 @@ -.\" Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 1999 - 2004 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $Id: krb5.conf.5,v 1.35 2003/04/16 13:26:13 lha Exp $ +.\" $Id: krb5.conf.5,v 1.35.2.2 2004/03/09 19:52:07 lha Exp $ .\" -.Dd April 11, 1999 +.Dd March 9, 2004 .Dt KRB5.CONF 5 .Os HEIMDAL .Sh NAME -.Nm /etc/krb5.conf +.Nm krb5.conf .Nd configuration file for Kerberos 5 +.Sh SYNOPSIS +.In krb5.h .Sh DESCRIPTION The .Nm @@ -88,7 +90,8 @@ values can be a list of year, month, day, hour, min, second. Example: 1 month 2 days 30 min. .It etypes valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc-md5, -des3-cbc-sha1. +des3-cbc-sha1, arcfour-hmac-md5, aes128-cts-hmac-sha1-96, and +aes256-cts-hmac-sha1-96 . .It address an address can be either a IPv4 or a IPv6 address. .El @@ -124,6 +127,13 @@ addresses, making the tickets valid from any address. Default ticket lifetime. .It Li renew_lifetime = Va time Default renewable ticket lifetime. +.It Li encrypt = Va boolean +Use encryption, when available. +.It Li forward = Va boolean +Forward credentials to remote host (for +.Xr rsh 1 , +.Xr telnet 1 , +etc). .El .It Li [libdefaults] .Bl -tag -width "xxx" -offset indent @@ -147,23 +157,14 @@ manual page. .Bl -tag -width "xxx" -offset indent .It Va destination-realm Li = Va next-hop-realm .It ... -.El -Normally, all requests to realms different from the one of the current -client are sent to this KDC to get cross-realm tickets. -If this KDC does not have a cross-realm key with the desired realm and -the hierarchical path to that realm does not work, a path can be -configured using this directive. -The text shown above instructs the KDC to try to obtain a cross-realm -ticket to -.Va next-hop-realm -when the desired realm is -.Va destination-realm . -This configuration should preferably be done on the KDC where it will -help all its clients but can also be done on the client itself. .It Li } -.It Li default_etypes = Va etypes... +.El +This is deprecated, see the +.Li capaths +section below. +.It Li default_etypes = Va etypes ... A list of default encryption types to use. -.It Li default_etypes_des = Va etypes... +.It Li default_etypes_des = Va etypes ... A list of default encryption types to use when requesting a DES credential. .It Li default_keytab_name = Va keytab The keytab to use if no other is specified, default is @@ -193,7 +194,7 @@ fatal error. The application has to be able to read the corresponding service key for this to work. Some applications, like -.Xr su 8 , +.Xr su 1 , enable this option unconditionally. .It Li warn_pwexpire = Va time How soon to warn for expiring password. @@ -202,7 +203,7 @@ Default is seven days. A HTTP-proxy to use when talking to the KDC via HTTP. .It Li dns_proxy = Va proxy-spec Enable using DNS via HTTP. -.It Li extra_addresses = Va address... +.It Li extra_addresses = Va address ... A list of addresses to get tickets for along with all local addresses. .It Li time_format = Va string How to print time strings in logs, this string is passed to @@ -223,6 +224,13 @@ Also get Kerberos 4 tickets in .Nm login , and other programs. This option is also valid in the [realms] section. +.It Li fcc-mit-ticketflags = Va boolean +Use MIT compatible format for file credential cache. +It's the field ticketflags that is stored in reverse bit order for +older than Heimdal 0.7. +Setting this flag to +.Dv TRUE +make it store the MIT way, this is default for Heimdal 0.7. .El .It Li [domain_realm] This is a list of mappings from DNS domain to Kerberos realm. @@ -259,13 +267,13 @@ specifies over what medium the kdc should be contacted. Possible services are .Dq udp , -.Dq tcp , +.Dq tcp , and .Dq http . Http can also be written as .Dq http:// . Default service is -.Dq udp +.Dq udp and .Dq tcp . .It Li admin_server = Va host[:port] @@ -283,9 +291,31 @@ If it is not mentioned, the krb524 port on the kdcs will be tried. .It Li default_domain See .Xr krb5_425_conv_principal 3 . +.It Li tgs_require_subkey +a boolan variable that defaults to false. +Old DCE secd (pre 1.1) might need this to be true. .El .It Li } .El +.It Li [capaths] +.Bl -tag -width "xxx" -offset indent +.It Va client-realm Li = { +.Bl -tag -width "xxx" -offset indent +.It Va server-realm Li = Va hop-realm ... +This serves two purposes. First the first listed +.Va hop-realm +tells a client which realm it should contact in order to ultimately +obtain credentials for a service in the +.Va server-realm . +Secondly, it tells the KDC (and other servers) which realms are +allowed in a multi-hop traversal from +.Va client-realm +to +.Va server-realm . +Except for the client case, the order of the realms are not important. +.El +.It Va } +.El .It Li [logging] .Bl -tag -width "xxx" -offset indent .It Va entity Li = Va destination @@ -397,7 +427,12 @@ and is only left for backwards compatibility. .Sh ENVIRONMENT .Ev KRB5_CONFIG points to the configuration file to read. -.Sh EXAMPLE +.Sh FILES +.Bl -tag -width "/etc/krb5.conf" +.It Pa /etc/krb5.conf +configuration file for Kerberos 5. +.El +.Sh EXAMPLES .Bd -literal -offset indent [libdefaults] default_realm = FOO.SE diff --git a/crypto/heimdal/lib/krb5/krb5.h b/crypto/heimdal/lib/krb5/krb5.h index f157452..18a3079 100644 --- a/crypto/heimdal/lib/krb5/krb5.h +++ b/crypto/heimdal/lib/krb5/krb5.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: krb5.h,v 1.209 2003/03/16 18:30:02 lha Exp $ */ +/* $Id: krb5.h,v 1.209.2.1 2003/09/18 20:50:40 lha Exp $ */ #ifndef __KRB5_H__ #define __KRB5_H__ @@ -221,7 +221,8 @@ typedef enum krb5_keytype { KEYTYPE_DES3 = 7, KEYTYPE_AES128 = 17, KEYTYPE_AES256 = 18, - KEYTYPE_ARCFOUR = 23 + KEYTYPE_ARCFOUR = 23, + KEYTYPE_ARCFOUR_56 = 24 } krb5_keytype; typedef EncryptionKey krb5_keyblock; diff --git a/crypto/heimdal/lib/krb5/mcache.c b/crypto/heimdal/lib/krb5/mcache.c index 63b45bb..1157604 100644 --- a/crypto/heimdal/lib/krb5/mcache.c +++ b/crypto/heimdal/lib/krb5/mcache.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,11 +33,12 @@ #include "krb5_locl.h" -RCSID("$Id: mcache.c,v 1.15 2002/04/18 09:40:33 joda Exp $"); +RCSID("$Id: mcache.c,v 1.15.6.1 2004/03/06 16:57:16 lha Exp $"); typedef struct krb5_mcache { char *name; unsigned int refcnt; + int dead; krb5_principal primary_principal; struct link { krb5_creds cred; @@ -50,7 +51,7 @@ static struct krb5_mcache *mcc_head; #define MCACHE(X) ((krb5_mcache *)(X)->data.data) -#define MISDEAD(X) ((X)->primary_principal == NULL) +#define MISDEAD(X) ((X)->dead) #define MCC_CURSOR(C) ((struct link*)(C)) @@ -77,6 +78,7 @@ mcc_alloc(const char *name) free(m); return NULL; } + m->dead = 0; m->refcnt = 1; m->primary_principal = NULL; m->creds = NULL; @@ -137,9 +139,11 @@ mcc_initialize(krb5_context context, krb5_ccache id, krb5_principal primary_principal) { + krb5_mcache *m = MCACHE(id); + m->dead = 0; return krb5_copy_principal (context, primary_principal, - &MCACHE(id)->primary_principal); + &m->primary_principal); } static krb5_error_code @@ -178,9 +182,12 @@ mcc_destroy(krb5_context context, break; } } - krb5_free_principal (context, m->primary_principal); - m->primary_principal = NULL; - + if (m->primary_principal != NULL) { + krb5_free_principal (context, m->primary_principal); + m->primary_principal = NULL; + } + m->dead = 1; + l = m->creds; while (l != NULL) { struct link *old; @@ -231,9 +238,8 @@ mcc_get_principal(krb5_context context, { krb5_mcache *m = MCACHE(id); - if (MISDEAD(m)) + if (MISDEAD(m) || m->primary_principal == NULL) return ENOENT; - return krb5_copy_principal (context, m->primary_principal, principal); diff --git a/crypto/heimdal/lib/krb5/mk_req_ext.c b/crypto/heimdal/lib/krb5/mk_req_ext.c index aa5e3c4..922be9e 100644 --- a/crypto/heimdal/lib/krb5/mk_req_ext.c +++ b/crypto/heimdal/lib/krb5/mk_req_ext.c @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$Id: mk_req_ext.c,v 1.26 2002/09/02 17:13:52 joda Exp $"); +RCSID("$Id: mk_req_ext.c,v 1.26.4.1 2003/09/18 20:34:30 lha Exp $"); krb5_error_code krb5_mk_req_internal(krb5_context context, @@ -110,6 +110,15 @@ krb5_mk_req_internal(krb5_context context, in_data->data, in_data->length, &c); + } else if(ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5) { + /* this is to make MS kdc happy */ + ret = krb5_create_checksum(context, + NULL, + 0, + CKSUMTYPE_RSA_MD5, + in_data->data, + in_data->length, + &c); } else { krb5_crypto crypto; diff --git a/crypto/heimdal/lib/krb5/mk_safe.c b/crypto/heimdal/lib/krb5/mk_safe.c index a839df4..8bfa066 100644 --- a/crypto/heimdal/lib/krb5/mk_safe.c +++ b/crypto/heimdal/lib/krb5/mk_safe.c @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$Id: mk_safe.c,v 1.28 2002/09/04 16:26:05 joda Exp $"); +RCSID("$Id: mk_safe.c,v 1.28.4.1 2004/03/07 12:46:43 lha Exp $"); krb5_error_code krb5_mk_safe(krb5_context context, @@ -69,7 +69,7 @@ krb5_mk_safe(krb5_context context, sec2 = sec; s.safe_body.timestamp = &sec2; - usec2 = usec2; + usec2 = usec; s.safe_body.usec = &usec2; if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { tmp_seq = auth_context->local_seqnumber; diff --git a/crypto/heimdal/lib/krb5/parse-name-test.c b/crypto/heimdal/lib/krb5/parse-name-test.c index 2920272..29bd6bb 100644 --- a/crypto/heimdal/lib/krb5/parse-name-test.c +++ b/crypto/heimdal/lib/krb5/parse-name-test.c @@ -32,7 +32,7 @@ #include "krb5_locl.h" -RCSID("$Id: parse-name-test.c,v 1.3 2002/08/30 03:20:11 assar Exp $"); +RCSID("$Id: parse-name-test.c,v 1.3.4.1 2004/03/22 19:27:36 joda Exp $"); enum { MAX_COMPONENTS = 3 }; @@ -60,7 +60,7 @@ static struct testcase { {"/a", "/a@", "", 2, {"", "a"}, FALSE}, {"\\@@\\@", "\\@@\\@", "@", 1, {"@"}, TRUE}, {"a/b/c", "a/b/c@", "", 3, {"a", "b", "c"}, FALSE}, - {NULL, NULL, "", 0, {}, FALSE}}; + {NULL, NULL, "", 0, { NULL }, FALSE}}; int main(int argc, char **argv) diff --git a/crypto/heimdal/lib/krb5/principal.c b/crypto/heimdal/lib/krb5/principal.c index fd218a1..d46f328 100644 --- a/crypto/heimdal/lib/krb5/principal.c +++ b/crypto/heimdal/lib/krb5/principal.c @@ -41,7 +41,7 @@ #include <fnmatch.h> #include "resolve.h" -RCSID("$Id: principal.c,v 1.82 2002/10/21 15:30:53 joda Exp $"); +RCSID("$Id: principal.c,v 1.82.2.1 2003/08/15 14:30:07 lha Exp $"); #define princ_num_comp(P) ((P)->name.name_string.len) #define princ_type(P) ((P)->name.name_type) @@ -321,14 +321,17 @@ unparse_name(krb5_context context, len += 2*plen; len++; } + len++; *name = malloc(len); - if(len != 0 && *name == NULL) { + if(*name == NULL) { krb5_set_error_string (context, "malloc: out of memory"); return ENOMEM; } ret = unparse_name_fixed(context, principal, *name, len, short_flag); - if(ret) + if(ret) { free(*name); + *name = NULL; + } return ret; } diff --git a/crypto/heimdal/lib/krb5/rd_req.c b/crypto/heimdal/lib/krb5/rd_req.c index 69fb059..590952e 100644 --- a/crypto/heimdal/lib/krb5/rd_req.c +++ b/crypto/heimdal/lib/krb5/rd_req.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$Id: rd_req.c,v 1.47 2001/06/18 02:48:18 assar Exp $"); +RCSID("$Id: rd_req.c,v 1.47.8.3 2003/10/21 20:10:33 lha Exp $"); static krb5_error_code decrypt_tkt_enc_part (krb5_context context, @@ -129,6 +129,32 @@ krb5_decode_ap_req(krb5_context context, return 0; } +static krb5_error_code +check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc) +{ + char **realms; + int num_realms; + krb5_error_code ret; + + if(enc->transited.tr_type != DOMAIN_X500_COMPRESS) + return KRB5KDC_ERR_TRTYPE_NOSUPP; + + if(enc->transited.contents.length == 0) + return 0; + + ret = krb5_domain_x500_decode(context, enc->transited.contents, + &realms, &num_realms, + enc->crealm, + ticket->realm); + if(ret) + return ret; + ret = krb5_check_transited(context, enc->crealm, + ticket->realm, + realms, num_realms, NULL); + free(realms); + return ret; +} + krb5_error_code krb5_decrypt_ticket(krb5_context context, Ticket *ticket, @@ -161,6 +187,14 @@ krb5_decrypt_ticket(krb5_context context, krb5_clear_error_string (context); return KRB5KRB_AP_ERR_TKT_EXPIRED; } + + if(!t.flags.transited_policy_checked) { + ret = check_transited(context, ticket, &t); + if(ret) { + free_EncTicketPart(&t); + return ret; + } + } } if(out) @@ -209,29 +243,6 @@ out: return ret; } -#if 0 -static krb5_error_code -check_transited(krb5_context context, - krb5_ticket *ticket) -{ - char **realms; - int num_realms; - krb5_error_code ret; - - if(ticket->ticket.transited.tr_type != DOMAIN_X500_COMPRESS) - return KRB5KDC_ERR_TRTYPE_NOSUPP; - - ret = krb5_domain_x500_decode(ticket->ticket.transited.contents, - &realms, &num_realms, - ticket->client->realm, - ticket->server->realm); - if(ret) - return ret; - ret = krb5_check_transited_realms(context, realms, num_realms, NULL); - free(realms); - return ret; -} -#endif krb5_error_code krb5_verify_ap_req(krb5_context context, @@ -488,9 +499,15 @@ krb5_rd_req(krb5_context context, ap_req.ticket.realm); server = service; } + if (ap_req.ap_options.use_session_key && + (*auth_context)->keyblock == NULL) { + krb5_set_error_string(context, "krb5_rd_req: user to user auth " + "without session key given"); + ret = KRB5KRB_AP_ERR_NOKEY; + goto out; + } - if(ap_req.ap_options.use_session_key == 0 || - (*auth_context)->keyblock == NULL){ + if((*auth_context)->keyblock == NULL){ ret = get_key_from_keytab(context, auth_context, &ap_req, @@ -499,8 +516,13 @@ krb5_rd_req(krb5_context context, &keyblock); if(ret) goto out; + } else { + ret = krb5_copy_keyblock(context, + (*auth_context)->keyblock, + &keyblock); + if (ret) + goto out; } - ret = krb5_verify_ap_req(context, auth_context, diff --git a/crypto/heimdal/lib/krb5/store.c b/crypto/heimdal/lib/krb5/store.c index 4ea68f9..b0ca731 100644 --- a/crypto/heimdal/lib/krb5/store.c +++ b/crypto/heimdal/lib/krb5/store.c @@ -34,7 +34,7 @@ #include "krb5_locl.h" #include "store-int.h" -RCSID("$Id: store.c,v 1.38 2002/08/21 12:21:57 joda Exp $"); +RCSID("$Id: store.c,v 1.38.4.1 2004/03/09 19:32:14 lha Exp $"); #define BYTEORDER_IS(SP, V) (((SP)->flags & KRB5_STORAGE_BYTEORDER_MASK) == (V)) #define BYTEORDER_IS_LE(SP) BYTEORDER_IS((SP), KRB5_STORAGE_BYTEORDER_LE) @@ -607,12 +607,25 @@ krb5_ret_authdata(krb5_storage *sp, krb5_authdata *auth) return ret; } +static int32_t +bitswap32(int32_t b) +{ + int32_t r = 0; + int i; + for (i = 0; i < 32; i++) { + r = r << 1 | (b & 1); + b = b >> 1; + } + return r; +} + + /* - * store `creds' on `sp' returning error or zero + * */ krb5_error_code -krb5_store_creds(krb5_storage *sp, krb5_creds *creds) +_krb5_store_creds_internal(krb5_storage *sp, krb5_creds *creds, int v0_6) { int ret; @@ -632,9 +645,15 @@ krb5_store_creds(krb5_storage *sp, krb5_creds *creds) enc-tkt-in-skey bit from KDCOptions */ if(ret) return ret; - ret = krb5_store_int32(sp, creds->flags.i); - if(ret) - return ret; + if (v0_6) { + ret = krb5_store_int32(sp, creds->flags.i); + if(ret) + return ret; + } else { + ret = krb5_store_int32(sp, bitswap32(TicketFlags2int(creds->flags.b))); + if(ret) + return ret; + } ret = krb5_store_addrs(sp, creds->addresses); if(ret) return ret; @@ -648,6 +667,28 @@ krb5_store_creds(krb5_storage *sp, krb5_creds *creds) return ret; } +/* + * store `creds' on `sp' returning error or zero + */ + +krb5_error_code +krb5_store_creds(krb5_storage *sp, krb5_creds *creds) +{ + return _krb5_store_creds_internal(sp, creds, 1); +} + +krb5_error_code +_krb5_store_creds_heimdal_0_7(krb5_storage *sp, krb5_creds *creds) +{ + return _krb5_store_creds_internal(sp, creds, 0); +} + +krb5_error_code +_krb5_store_creds_heimdal_pre_0_7(krb5_storage *sp, krb5_creds *creds) +{ + return _krb5_store_creds_internal(sp, creds, 1); +} + krb5_error_code krb5_ret_creds(krb5_storage *sp, krb5_creds *creds) { @@ -668,6 +709,22 @@ krb5_ret_creds(krb5_storage *sp, krb5_creds *creds) if(ret) goto cleanup; ret = krb5_ret_int32 (sp, &dummy32); if(ret) goto cleanup; + /* + * Runtime detect the what is the higher bits of the bitfield. If + * any of the higher bits are set in the input data, its either a + * new ticket flag (and this code need to be removed), or its a + * MIT cache (or new Heimdal cache), lets change it to our current + * format. + */ + { + u_int32_t mask = 0xffff0000; + creds->flags.i = 0; + creds->flags.b.anonymous = 1; + if (creds->flags.i & mask) + mask = ~mask; + if (dummy32 & mask) + dummy32 = bitswap32(dummy32); + } creds->flags.i = dummy32; ret = krb5_ret_addrs (sp, &creds->addresses); if(ret) goto cleanup; diff --git a/crypto/heimdal/lib/krb5/ticket.c b/crypto/heimdal/lib/krb5/ticket.c index 8d2397b..888218e 100644 --- a/crypto/heimdal/lib/krb5/ticket.c +++ b/crypto/heimdal/lib/krb5/ticket.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: ticket.c,v 1.5 2001/05/14 06:14:51 assar Exp $"); +RCSID("$Id: ticket.c,v 1.5.8.1 2003/09/18 21:01:57 lha Exp $"); krb5_error_code krb5_free_ticket(krb5_context context, @@ -51,7 +51,10 @@ krb5_copy_ticket(krb5_context context, krb5_ticket **to) { krb5_error_code ret; - krb5_ticket *tmp = malloc(sizeof(*tmp)); + krb5_ticket *tmp; + + *to = NULL; + tmp = malloc(sizeof(*tmp)); if(tmp == NULL) { krb5_set_error_string (context, "malloc: out of memory"); return ENOMEM; @@ -63,12 +66,14 @@ krb5_copy_ticket(krb5_context context, ret = krb5_copy_principal(context, from->client, &tmp->client); if(ret){ free_EncTicketPart(&tmp->ticket); + free(tmp); return ret; } - ret = krb5_copy_principal(context, from->server, &(*to)->server); + ret = krb5_copy_principal(context, from->server, &tmp->server); if(ret){ krb5_free_principal(context, tmp->client); free_EncTicketPart(&tmp->ticket); + free(tmp); return ret; } *to = tmp; diff --git a/crypto/heimdal/lib/krb5/transited.c b/crypto/heimdal/lib/krb5/transited.c index c7732cb..8f48ff1 100644 --- a/crypto/heimdal/lib/krb5/transited.c +++ b/crypto/heimdal/lib/krb5/transited.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: transited.c,v 1.10 2003/04/16 16:11:27 lha Exp $"); +RCSID("$Id: transited.c,v 1.10.2.3 2003/10/22 06:07:41 lha Exp $"); /* this is an attempt at one of the most horrible `compression' schemes that has ever been invented; it's so amazingly brain-dead @@ -308,6 +308,12 @@ krb5_domain_x500_decode(krb5_context context, struct tr_realm *p, **q; int ret; + if(tr.length == 0) { + *realms = NULL; + *num_realms = 0; + return 0; + } + /* split string in components */ ret = decode_realms(context, tr.data, tr.length, &r); if(ret) @@ -362,6 +368,9 @@ krb5_domain_x500_encode(char **realms, int num_realms, krb5_data *encoding) char *s = NULL; int len = 0; int i; + krb5_data_zero(encoding); + if (num_realms == 0) + return 0; for(i = 0; i < num_realms; i++){ len += strlen(realms[i]); if(realms[i][0] == '/') @@ -369,6 +378,8 @@ krb5_domain_x500_encode(char **realms, int num_realms, krb5_data *encoding) } len += num_realms - 1; s = malloc(len + 1); + if (s == NULL) + return ENOMEM; *s = '\0'; for(i = 0; i < num_realms; i++){ if(i && i < num_realms - 1) @@ -383,6 +394,44 @@ krb5_domain_x500_encode(char **realms, int num_realms, krb5_data *encoding) } krb5_error_code +krb5_check_transited(krb5_context context, + krb5_const_realm client_realm, + krb5_const_realm server_realm, + krb5_realm *realms, + int num_realms, + int *bad_realm) +{ + char **tr_realms; + char **p; + int i; + + if(num_realms == 0) + return 0; + + tr_realms = krb5_config_get_strings(context, NULL, + "capaths", + client_realm, + server_realm, + NULL); + for(i = 0; i < num_realms; i++) { + for(p = tr_realms; p && *p; p++) { + if(strcmp(*p, realms[i]) == 0) + break; + } + if(p == NULL || *p == NULL) { + krb5_config_free_strings(tr_realms); + krb5_set_error_string (context, "no transit through realm %s", + realms[i]); + if(bad_realm) + *bad_realm = i; + return KRB5KRB_AP_ERR_ILL_CR_TKT; + } + } + krb5_config_free_strings(tr_realms); + return 0; +} + +krb5_error_code krb5_check_transited_realms(krb5_context context, const char *const *realms, int num_realms, diff --git a/crypto/heimdal/lib/krb5/verify_krb5_conf.c b/crypto/heimdal/lib/krb5/verify_krb5_conf.c index 7654e8c..6017dfc 100644 --- a/crypto/heimdal/lib/krb5/verify_krb5_conf.c +++ b/crypto/heimdal/lib/krb5/verify_krb5_conf.c @@ -35,7 +35,7 @@ #include <getarg.h> #include <parse_bytes.h> #include <err.h> -RCSID("$Id: verify_krb5_conf.c,v 1.17.2.1 2003/09/22 18:46:58 lha Exp $"); +RCSID("$Id: verify_krb5_conf.c,v 1.17.2.2 2004/02/13 16:19:44 lha Exp $"); /* verify krb5.conf */ @@ -156,10 +156,7 @@ check_host(krb5_context context, const char *path, char *data) hostname[strcspn(hostname, "/")] = '\0'; ret = getaddrinfo(hostname, "telnet" /* XXX */, NULL, &ai); if(ret != 0) { - if(ret == EAI_NODATA) - krb5_warnx(context, "%s: host not found (%s)", path, hostname); - else - krb5_warnx(context, "%s: %s (%s)", path, gai_strerror(ret), hostname); + krb5_warnx(context, "%s: %s (%s)", path, gai_strerror(ret), hostname); return 1; } return 0; |
