From ebfe6dc471c206300fd82c7c0fd145f683aa52f6 Mon Sep 17 00:00:00 2001 
From: assar Date: Tue, 13 Feb 2001 16:46:19 +0000 Subject: import of heimdal 0.3e --- crypto/heimdal/lib/krb5/Makefile.am | 54 +- crypto/heimdal/lib/krb5/Makefile.in | 716 +++++++++-------- crypto/heimdal/lib/krb5/acl.c | 189 +++++ crypto/heimdal/lib/krb5/addr_families.c | 4 +- crypto/heimdal/lib/krb5/appdefault.c | 123 +++ crypto/heimdal/lib/krb5/auth_context.c | 114 ++- crypto/heimdal/lib/krb5/build_auth.c | 11 +- crypto/heimdal/lib/krb5/cache.c | 8 +- crypto/heimdal/lib/krb5/changepw.c | 93 ++- crypto/heimdal/lib/krb5/config_file.c | 50 +- crypto/heimdal/lib/krb5/constants.c | 6 +- crypto/heimdal/lib/krb5/context.c | 49 +- crypto/heimdal/lib/krb5/convert_creds.c | 28 +- crypto/heimdal/lib/krb5/crc.c | 6 +- crypto/heimdal/lib/krb5/crypto.c | 895 ++++++++++++++++++---- crypto/heimdal/lib/krb5/eai_to_heim_errno.c | 69 ++ crypto/heimdal/lib/krb5/expand_hostname.c | 4 +- crypto/heimdal/lib/krb5/fcache.c | 137 +++- crypto/heimdal/lib/krb5/generate_seq_number.c | 6 +- crypto/heimdal/lib/krb5/get_addrs.c | 285 +++---- crypto/heimdal/lib/krb5/get_cred.c | 60 +- crypto/heimdal/lib/krb5/get_for_creds.c | 57 +- crypto/heimdal/lib/krb5/get_in_tkt.c | 46 +- crypto/heimdal/lib/krb5/get_port.c | 6 +- crypto/heimdal/lib/krb5/heim_err.et | 20 +- crypto/heimdal/lib/krb5/init_creds.c | 54 +- crypto/heimdal/lib/krb5/init_creds_pw.c | 27 +- crypto/heimdal/lib/krb5/kerberos.8 | 73 ++ crypto/heimdal/lib/krb5/keyblock.c | 4 +- crypto/heimdal/lib/krb5/keytab_keyfile.c | 79 +- crypto/heimdal/lib/krb5/keytab_krb4.c | 8 +- crypto/heimdal/lib/krb5/krb5-private.h | 3 +- crypto/heimdal/lib/krb5/krb5-protos.h | 295 ++++++- crypto/heimdal/lib/krb5/krb5.conf.5 | 139 +++- crypto/heimdal/lib/krb5/krb5.h | 107 +-- crypto/heimdal/lib/krb5/krb5_425_conv_principal.3 | 11 +- crypto/heimdal/lib/krb5/krb5_appdefault.3 | 57 ++ crypto/heimdal/lib/krb5/krb5_auth_context.3 | 284 +++++++ crypto/heimdal/lib/krb5/krb5_build_principal.3 | 12 +- crypto/heimdal/lib/krb5/krb5_config.3 | 71 ++ 
crypto/heimdal/lib/krb5/krb5_context.3 | 20 + crypto/heimdal/lib/krb5/krb5_create_checksum.3 | 8 +- crypto/heimdal/lib/krb5/krb5_crypto_init.3 | 6 +- crypto/heimdal/lib/krb5/krb5_encrypt.3 | 8 +- crypto/heimdal/lib/krb5/krb5_err.et | 26 +- crypto/heimdal/lib/krb5/krb5_free_principal.3 | 7 +- crypto/heimdal/lib/krb5/krb5_init_context.3 | 38 + crypto/heimdal/lib/krb5/krb5_locl.h | 24 +- crypto/heimdal/lib/krb5/krb5_openlog.3 | 25 +- crypto/heimdal/lib/krb5/krb5_parse_name.3 | 6 +- crypto/heimdal/lib/krb5/krb5_sname_to_principal.3 | 8 +- crypto/heimdal/lib/krb5/krb5_unparse_name.3 | 8 +- crypto/heimdal/lib/krb5/krb5_warn.3 | 14 +- crypto/heimdal/lib/krb5/krbhst.c | 38 +- crypto/heimdal/lib/krb5/log.c | 18 +- crypto/heimdal/lib/krb5/mcache.c | 163 +++- crypto/heimdal/lib/krb5/mk_priv.c | 17 +- crypto/heimdal/lib/krb5/mk_rep.c | 28 +- crypto/heimdal/lib/krb5/mk_req.c | 78 +- crypto/heimdal/lib/krb5/mk_req_ext.c | 25 +- crypto/heimdal/lib/krb5/mk_safe.c | 20 +- crypto/heimdal/lib/krb5/principal.c | 93 ++- crypto/heimdal/lib/krb5/prog_setup.c | 10 +- crypto/heimdal/lib/krb5/rd_cred.c | 142 +++- crypto/heimdal/lib/krb5/rd_priv.c | 26 +- crypto/heimdal/lib/krb5/rd_rep.c | 6 +- crypto/heimdal/lib/krb5/rd_req.c | 103 ++- crypto/heimdal/lib/krb5/rd_safe.c | 21 +- crypto/heimdal/lib/krb5/read_message.c | 42 +- crypto/heimdal/lib/krb5/recvauth.c | 6 +- crypto/heimdal/lib/krb5/replay.c | 57 +- crypto/heimdal/lib/krb5/send_to_kdc.c | 77 +- crypto/heimdal/lib/krb5/sock_principal.c | 20 +- crypto/heimdal/lib/krb5/store.c | 53 +- crypto/heimdal/lib/krb5/store_emem.c | 6 +- crypto/heimdal/lib/krb5/store_fd.c | 10 +- crypto/heimdal/lib/krb5/store_mem.c | 6 +- crypto/heimdal/lib/krb5/string-to-key-test.c | 11 +- crypto/heimdal/lib/krb5/test_get_addrs.c | 78 ++ crypto/heimdal/lib/krb5/time.c | 15 +- crypto/heimdal/lib/krb5/verify_krb5_conf.8 | 33 + crypto/heimdal/lib/krb5/verify_user.c | 10 +- crypto/heimdal/lib/krb5/warn.c | 5 +- crypto/heimdal/lib/krb5/write_message.c | 40 +- 84 files 
changed, 4357 insertions(+), 1358 deletions(-) create mode 100644 crypto/heimdal/lib/krb5/acl.c create mode 100644 crypto/heimdal/lib/krb5/appdefault.c create mode 100644 crypto/heimdal/lib/krb5/eai_to_heim_errno.c create mode 100644 crypto/heimdal/lib/krb5/kerberos.8 create mode 100644 crypto/heimdal/lib/krb5/krb5_appdefault.3 create mode 100644 crypto/heimdal/lib/krb5/krb5_auth_context.3 create mode 100644 crypto/heimdal/lib/krb5/krb5_config.3 create mode 100644 crypto/heimdal/lib/krb5/krb5_context.3 create mode 100644 crypto/heimdal/lib/krb5/krb5_init_context.3 create mode 100644 crypto/heimdal/lib/krb5/test_get_addrs.c create mode 100644 crypto/heimdal/lib/krb5/verify_krb5_conf.8 (limited to 'crypto/heimdal/lib/krb5')
diff --git a/crypto/heimdal/lib/krb5/Makefile.am b/crypto/heimdal/lib/krb5/Makefile.am
index df8ac6d..395f29d 100644
--- a/crypto/heimdal/lib/krb5/Makefile.am
+++ b/crypto/heimdal/lib/krb5/Makefile.am
@@ -1,24 +1,22 @@ -# $Id: Makefile.am,v 1.98 2000/02/19 18:53:56 assar Exp $ +# $Id: Makefile.am,v 1.119 2001/01/30 01:50:52 assar Exp $ include $(top_srcdir)/Makefile.am.common -INCLUDES += $(INCLUDE_krb4) - bin_PROGRAMS = verify_krb5_conf -noinst_PROGRAMS = dump_config +noinst_PROGRAMS = dump_config test_get_addrs check_PROGRAMS = n-fold-test string-to-key-test TESTS = n-fold-test string-to-key-test -if KRB4 -KRB4LIB = $(LIB_krb4) -keytab_krb4_c = keytab_krb4.c -endif - LDADD = libkrb5.la \ - $(KRB4LIB) \ - $(top_builddir)/lib/des/libdes.la \ + $(LIB_des) \ + $(top_builddir)/lib/asn1/libasn1.la \ + $(LIB_roken) + +libkrb5_la_LIBADD = \ + ../com_err/error.lo ../com_err/com_err.lo \ + $(LIB_des) \ $(top_builddir)/lib/asn1/libasn1.la \ $(LIB_roken)
@@ -27,10 +25,12 @@ lib_LTLIBRARIES = libkrb5.la ERR_FILES = krb5_err.c heim_err.c libkrb5_la_SOURCES = \ + acl.c \ add_et_list.c \ addr_families.c \ address.c \ aname_to_localname.c \ + appdefault.c \ asn1_glue.c \ auth_context.c \ build_ap_req.c \ 
@@ -48,6 +48,7 @@ libkrb5_la_SOURCES = \ creds.c \ crypto.c \ data.c \ + eai_to_heim_errno.c \ expand_hostname.c \ fcache.c \ free.c \
@@ -71,8 +72,8 @@ libkrb5_la_SOURCES = \ keytab.c \ keytab_file.c \ keytab_memory.c \ - $(keytab_krb4_c) \ keytab_keyfile.c \ + keytab_krb4.c \ krbhst.c \ kuserok.c \ log.c \
@@ -99,6 +100,7 @@ libkrb5_la_SOURCES = \ rd_safe.c \ read_message.c \ recvauth.c \ + replay.c \ send_to_kdc.c \ sendauth.c \ set_default_realm.c \
@@ -117,9 +119,7 @@ libkrb5_la_SOURCES = \ write_message.c \ $(ERR_FILES) -EXTRA_libkrb5_la_SOURCES = keytab_krb4.c - -libkrb5_la_LDFLAGS = -version-info 9:1:0 +libkrb5_la_LDFLAGS = -version-info 15:0:0 $(libkrb5_la_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h
@@ -129,11 +129,25 @@ $(srcdir)/krb5-protos.h: $(srcdir)/krb5-private.h: cd $(srcdir); perl ../../cf/make-proto.pl -p krb5-private.h $(libkrb5_la_SOURCES) || rm -f krb5-private.h -libkrb5_la_LIBADD = ../com_err/error.lo ../com_err/com_err.lo - -man_MANS = krb5.conf.5 krb5_warn.3 krb5_openlog.3 \ - krb5_425_conv_principal.3 krb5_build_principal.3 krb5_free_principal.3 \ - krb5_parse_name.3 krb5_sname_to_principal.3 krb5_unparse_name.3 +#libkrb5_la_LIBADD = ../com_err/error.lo ../com_err/com_err.lo + +man_MANS = \ + kerberos.8 \ + krb5.conf.5 \ + krb5_425_conv_principal.3 \ + krb5_appdefault.3 \ + krb5_build_principal.3 \ + krb5_config.3 \ + krb5_free_principal.3 \ + krb5_openlog.3 \ + krb5_parse_name.3 \ + krb5_sname_to_principal.3 \ + krb5_unparse_name.3 \ + krb5_warn.3 \ + verify_krb5_conf.8 \ + krb5_auth_context.3 \ + krb5_context.3 \ + krb5_init_context.3 include_HEADERS = krb5.h krb5-protos.h krb5-private.h krb5_err.h heim_err.h
diff --git a/crypto/heimdal/lib/krb5/Makefile.in b/crypto/heimdal/lib/krb5/Makefile.in
index dbca9de..be103d2 100644
--- a/crypto/heimdal/lib/krb5/Makefile.in
+++ b/crypto/heimdal/lib/krb5/Makefile.in 
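Review bot: In the hunk at -71,8 +72,8 `keytab_krb4.c` is now listed unconditionally in `libkrb5_la_SOURCES`, while the first hunk of this file drops the `if KRB4` block that used to gate it through `$(keytab_krb4_c)` and the `EXTRA_libkrb5_la_SOURCES` fallback is removed at -117,9 +119,7. That is only safe if the source itself compiles to nothing without krb4 support; the diffstat shows `keytab_krb4.c` touched in this import, so presumably it gained such a guard, but it is not visible here and should be confirmed before merging. If it is guarded, a one-line comment next to the entry, `# keytab_krb4.c is a no-op unless krb4 support is configured`, would save the next reader the same question.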
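Review bot: The added line `+#libkrb5_la_LIBADD = ../com_err/error.lo ../com_err/com_err.lo` in the hunk at -129,11 +129,25 is commented-out dead code; the live `libkrb5_la_LIBADD` definition now sits next to `LDADD` near the top of this file, so the commented copy can only drift from it and should be deleted rather than carried along. In the same hunk the new `man_MANS` list is sorted up to `verify_krb5_conf.8` and then appends `krb5_auth_context.3`, `krb5_context.3` and `krb5_init_context.3` out of order; slotting them into their alphabetical positions keeps the list easy to scan and less prone to duplicate entries on later merges. Both are `Makefile.am` changes only, since `Makefile.in` is regenerated by automake.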
@@ -1,6 +1,6 @@ -# Makefile.in generated automatically by automake 1.4 from Makefile.am +# Makefile.in generated automatically by automake 1.4a from Makefile.am -# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc. +# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -10,15 +10,6 @@ # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. -# $Id: Makefile.am,v 1.98 2000/02/19 18:53:56 assar Exp $ - - -# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $ - - -# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $ - - SHELL = @SHELL@ srcdir = @srcdir@ @@ -40,8 +31,6 @@ mandir = @mandir@ includedir = @includedir@ oldincludedir = /usr/include -DESTDIR = - pkgdatadir = $(datadir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ @@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@ AUTOHEADER = @AUTOHEADER@ INSTALL = @INSTALL@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS) +INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_FLAG = transform = @program_transform_name@ NORMAL_INSTALL = : 
@@ -65,26 +55,39 @@ POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : + +@SET_MAKE@ host_alias = @host_alias@ host_triplet = @host@ -AFS_EXTRA_LD = @AFS_EXTRA_LD@ AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ +AMDEP = @AMDEP@ +AMTAR = @AMTAR@ +AS = @AS@ AWK = @AWK@ CANONICAL_HOST = @CANONICAL_HOST@ CATMAN = @CATMAN@ CATMANEXT = @CATMANEXT@ CC = @CC@ +CPP = @CPP@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ DBLIB = @DBLIB@ +DEPDIR = @DEPDIR@ +DIR_des = @DIR_des@ +DIR_roken = @DIR_roken@ +DLLTOOL = @DLLTOOL@ EXEEXT = @EXEEXT@ EXTRA_LIB45 = @EXTRA_LIB45@ GROFF = @GROFF@ +INCLUDES_roken = @INCLUDES_roken@ INCLUDE_ = @INCLUDE_@ -LD = @LD@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ LIBTOOL = @LIBTOOL@ LIB_ = @LIB_@ LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ +LIB_des = @LIB_des@ +LIB_des_appl = @LIB_des_appl@ LIB_kdb = @LIB_kdb@ LIB_otp = @LIB_otp@ LIB_roken = @LIB_roken@ 
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ -MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@ -MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@ -MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@ NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NM = @NM@ NROFF = @NROFF@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ PACKAGE = @PACKAGE@ RANLIB = @RANLIB@ +STRIP = @STRIP@ VERSION = @VERSION@ VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ WFLAGS = @WFLAGS@ WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ YACC = @YACC@ +dpagaix_CFLAGS = @dpagaix_CFLAGS@ +dpagaix_LDADD = @dpagaix_LDADD@ +install_sh = @install_sh@ + +# $Id: Makefile.am,v 1.119 2001/01/30 01:50:52 assar Exp $ + + +# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $ + + +# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $ + AUTOMAKE_OPTIONS = foreign no-dependencies SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x -INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4) +INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) AM_CFLAGS = $(WFLAGS) +CP = cp + COMPILE_ET = $(top_builddir)/lib/com_err/compile_et buildinclude = $(top_builddir)/include @@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@ LIB_logout = @LIB_logout@ LIB_logwtmp = @LIB_logwtmp@ LIB_odm_initialize = @LIB_odm_initialize@ +LIB_pidfile = @LIB_pidfile@ LIB_readline = @LIB_readline@ LIB_res_search = @LIB_res_search@ LIB_setpcred = @LIB_setpcred@ @@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@ LIB_syslog = @LIB_syslog@ LIB_tgetent = @LIB_tgetent@ +LIBS = @LIBS@ + HESIODLIB = @HESIODLIB@ HESIODINCLUDE = @HESIODINCLUDE@ INCLUDE_hesiod = @INCLUDE_hesiod@ 
@@ -152,59 +170,170 @@ LIB_hesiod = @LIB_hesiod@ INCLUDE_krb4 = @INCLUDE_krb4@ LIB_krb4 = @LIB_krb4@ +INCLUDE_openldap = @INCLUDE_openldap@ +LIB_openldap = @LIB_openldap@ + INCLUDE_readline = @INCLUDE_readline@ LEXLIB = @LEXLIB@ -cat1dir = $(mandir)/cat1 -cat3dir = $(mandir)/cat3 -cat5dir = $(mandir)/cat5 -cat8dir = $(mandir)/cat8 - -MANRX = \(.*\)\.\([0-9]\) -CATSUFFIX = @CATSUFFIX@ - NROFF_MAN = groff -mandoc -Tascii -@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) +@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/asn1/libasn1.la -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la +@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \ +@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la +@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la CHECK_LOCAL = $(PROGRAMS) bin_PROGRAMS = verify_krb5_conf -noinst_PROGRAMS = dump_config +noinst_PROGRAMS = dump_config test_get_addrs check_PROGRAMS = n-fold-test string-to-key-test TESTS = n-fold-test string-to-key-test -@KRB4_TRUE@KRB4LIB = $(LIB_krb4) -@KRB4_TRUE@keytab_krb4_c = keytab_krb4.c +LDADD = libkrb5.la \ + $(LIB_des) \ + $(top_builddir)/lib/asn1/libasn1.la \ + $(LIB_roken) + -LDADD = libkrb5.la $(KRB4LIB) $(top_builddir)/lib/des/libdes.la $(top_builddir)/lib/asn1/libasn1.la $(LIB_roken) +libkrb5_la_LIBADD = \ + ../com_err/error.lo ../com_err/com_err.lo \ + $(LIB_des) \ + $(top_builddir)/lib/asn1/libasn1.la \ + $(LIB_roken) lib_LTLIBRARIES = libkrb5.la ERR_FILES = krb5_err.c heim_err.c -libkrb5_la_SOURCES = add_et_list.c addr_families.c address.c aname_to_localname.c asn1_glue.c auth_context.c build_ap_req.c build_auth.c cache.c changepw.c codec.c config_file.c config_file_netinfo.c convert_creds.c constants.c context.c copy_host_realm.c crc.c creds.c crypto.c data.c expand_hostname.c fcache.c free.c free_host_realm.c 
generate_seq_number.c generate_subkey.c get_addrs.c get_cred.c get_default_principal.c get_default_realm.c get_for_creds.c get_host_realm.c get_in_tkt.c get_in_tkt_pw.c get_in_tkt_with_keytab.c get_in_tkt_with_skey.c get_port.c init_creds.c init_creds_pw.c keyblock.c keytab.c keytab_file.c keytab_memory.c $(keytab_krb4_c) keytab_keyfile.c krbhst.c kuserok.c log.c mcache.c misc.c mk_error.c mk_priv.c mk_rep.c mk_req.c mk_req_ext.c mk_safe.c net_read.c net_write.c n-fold.c padata.c principal.c prog_setup.c prompter_posix.c rd_cred.c rd_error.c rd_priv.c rd_rep.c rd_req.c rd_safe.c read_message.c recvauth.c send_to_kdc.c sendauth.c set_default_realm.c sock_principal.c store.c store_emem.c store_fd.c store_mem.c ticket.c time.c transited.c verify_init.c verify_user.c version.c warn.c write_message.c $(ERR_FILES) - - -EXTRA_libkrb5_la_SOURCES = keytab_krb4.c - -libkrb5_la_LDFLAGS = -version-info 9:1:0 - -libkrb5_la_LIBADD = ../com_err/error.lo ../com_err/com_err.lo - -man_MANS = krb5.conf.5 krb5_warn.3 krb5_openlog.3 krb5_425_conv_principal.3 krb5_build_principal.3 krb5_free_principal.3 krb5_parse_name.3 krb5_sname_to_principal.3 krb5_unparse_name.3 +libkrb5_la_SOURCES = \ + acl.c \ + add_et_list.c \ + addr_families.c \ + address.c \ + aname_to_localname.c \ + appdefault.c \ + asn1_glue.c \ + auth_context.c \ + build_ap_req.c \ + build_auth.c \ + cache.c \ + changepw.c \ + codec.c \ + config_file.c \ + config_file_netinfo.c \ + convert_creds.c \ + constants.c \ + context.c \ + copy_host_realm.c \ + crc.c \ + creds.c \ + crypto.c \ + data.c \ + eai_to_heim_errno.c \ + expand_hostname.c \ + fcache.c \ + free.c \ + free_host_realm.c \ + generate_seq_number.c \ + generate_subkey.c \ + get_addrs.c \ + get_cred.c \ + get_default_principal.c \ + get_default_realm.c \ + get_for_creds.c \ + get_host_realm.c \ + get_in_tkt.c \ + get_in_tkt_pw.c \ + get_in_tkt_with_keytab.c \ + get_in_tkt_with_skey.c \ + get_port.c \ + init_creds.c \ + init_creds_pw.c \ + keyblock.c \ + keytab.c \ 
+ keytab_file.c \ + keytab_memory.c \ + keytab_keyfile.c \ + keytab_krb4.c \ + krbhst.c \ + kuserok.c \ + log.c \ + mcache.c \ + misc.c \ + mk_error.c \ + mk_priv.c \ + mk_rep.c \ + mk_req.c \ + mk_req_ext.c \ + mk_safe.c \ + net_read.c \ + net_write.c \ + n-fold.c \ + padata.c \ + principal.c \ + prog_setup.c \ + prompter_posix.c \ + rd_cred.c \ + rd_error.c \ + rd_priv.c \ + rd_rep.c \ + rd_req.c \ + rd_safe.c \ + read_message.c \ + recvauth.c \ + replay.c \ + send_to_kdc.c \ + sendauth.c \ + set_default_realm.c \ + sock_principal.c \ + store.c \ + store_emem.c \ + store_fd.c \ + store_mem.c \ + ticket.c \ + time.c \ + transited.c \ + verify_init.c \ + verify_user.c \ + version.c \ + warn.c \ + write_message.c \ + $(ERR_FILES) + + +libkrb5_la_LDFLAGS = -version-info 15:0:0 + +#libkrb5_la_LIBADD = ../com_err/error.lo ../com_err/com_err.lo + +man_MANS = \ + kerberos.8 \ + krb5.conf.5 \ + krb5_425_conv_principal.3 \ + krb5_appdefault.3 \ + krb5_build_principal.3 \ + krb5_config.3 \ + krb5_free_principal.3 \ + krb5_openlog.3 \ + krb5_parse_name.3 \ + krb5_sname_to_principal.3 \ + krb5_unparse_name.3 \ + krb5_warn.3 \ + verify_krb5_conf.8 \ + krb5_auth_context.3 \ + krb5_context.3 \ + krb5_init_context.3 include_HEADERS = krb5.h krb5-protos.h krb5-private.h krb5_err.h heim_err.h CLEANFILES = krb5_err.c krb5_err.h heim_err.c heim_err.h +subdir = lib/krb5 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = ../../include/config.h CONFIG_CLEAN_FILES = 
@@ -214,128 +343,94 @@ LTLIBRARIES = $(lib_LTLIBRARIES) DEFS = @DEFS@ -I. -I$(srcdir) -I../../include CPPFLAGS = @CPPFLAGS@ LDFLAGS = @LDFLAGS@ -LIBS = @LIBS@ X_CFLAGS = @X_CFLAGS@ X_LIBS = @X_LIBS@ X_EXTRA_LIBS = @X_EXTRA_LIBS@ X_PRE_LIBS = @X_PRE_LIBS@ -libkrb5_la_DEPENDENCIES = ../com_err/error.lo ../com_err/com_err.lo -@KRB4_TRUE@libkrb5_la_OBJECTS = add_et_list.lo addr_families.lo \ -@KRB4_TRUE@address.lo aname_to_localname.lo asn1_glue.lo \ -@KRB4_TRUE@auth_context.lo build_ap_req.lo build_auth.lo cache.lo \ -@KRB4_TRUE@changepw.lo codec.lo config_file.lo config_file_netinfo.lo \ -@KRB4_TRUE@convert_creds.lo constants.lo context.lo copy_host_realm.lo \ -@KRB4_TRUE@crc.lo creds.lo crypto.lo data.lo expand_hostname.lo \ -@KRB4_TRUE@fcache.lo free.lo free_host_realm.lo generate_seq_number.lo \ -@KRB4_TRUE@generate_subkey.lo get_addrs.lo get_cred.lo \ -@KRB4_TRUE@get_default_principal.lo get_default_realm.lo \ -@KRB4_TRUE@get_for_creds.lo get_host_realm.lo get_in_tkt.lo \ -@KRB4_TRUE@get_in_tkt_pw.lo get_in_tkt_with_keytab.lo \ -@KRB4_TRUE@get_in_tkt_with_skey.lo get_port.lo init_creds.lo \ -@KRB4_TRUE@init_creds_pw.lo keyblock.lo keytab.lo keytab_file.lo \ -@KRB4_TRUE@keytab_memory.lo keytab_krb4.lo keytab_keyfile.lo krbhst.lo \ -@KRB4_TRUE@kuserok.lo log.lo mcache.lo misc.lo mk_error.lo mk_priv.lo \ -@KRB4_TRUE@mk_rep.lo mk_req.lo mk_req_ext.lo mk_safe.lo net_read.lo \ -@KRB4_TRUE@net_write.lo n-fold.lo padata.lo principal.lo prog_setup.lo \ -@KRB4_TRUE@prompter_posix.lo rd_cred.lo rd_error.lo rd_priv.lo \ -@KRB4_TRUE@rd_rep.lo rd_req.lo rd_safe.lo read_message.lo recvauth.lo \ -@KRB4_TRUE@send_to_kdc.lo sendauth.lo set_default_realm.lo \ -@KRB4_TRUE@sock_principal.lo store.lo store_emem.lo store_fd.lo \ -@KRB4_TRUE@store_mem.lo ticket.lo time.lo transited.lo verify_init.lo \ -@KRB4_TRUE@verify_user.lo version.lo warn.lo write_message.lo \ -@KRB4_TRUE@krb5_err.lo heim_err.lo -@KRB4_FALSE@libkrb5_la_OBJECTS = add_et_list.lo addr_families.lo \ 
-@KRB4_FALSE@address.lo aname_to_localname.lo asn1_glue.lo \ -@KRB4_FALSE@auth_context.lo build_ap_req.lo build_auth.lo cache.lo \ -@KRB4_FALSE@changepw.lo codec.lo config_file.lo config_file_netinfo.lo \ -@KRB4_FALSE@convert_creds.lo constants.lo context.lo copy_host_realm.lo \ -@KRB4_FALSE@crc.lo creds.lo crypto.lo data.lo expand_hostname.lo \ -@KRB4_FALSE@fcache.lo free.lo free_host_realm.lo generate_seq_number.lo \ -@KRB4_FALSE@generate_subkey.lo get_addrs.lo get_cred.lo \ -@KRB4_FALSE@get_default_principal.lo get_default_realm.lo \ -@KRB4_FALSE@get_for_creds.lo get_host_realm.lo get_in_tkt.lo \ -@KRB4_FALSE@get_in_tkt_pw.lo get_in_tkt_with_keytab.lo \ -@KRB4_FALSE@get_in_tkt_with_skey.lo get_port.lo init_creds.lo \ -@KRB4_FALSE@init_creds_pw.lo keyblock.lo keytab.lo keytab_file.lo \ -@KRB4_FALSE@keytab_memory.lo keytab_keyfile.lo krbhst.lo kuserok.lo \ -@KRB4_FALSE@log.lo mcache.lo misc.lo mk_error.lo mk_priv.lo mk_rep.lo \ -@KRB4_FALSE@mk_req.lo mk_req_ext.lo mk_safe.lo net_read.lo net_write.lo \ -@KRB4_FALSE@n-fold.lo padata.lo principal.lo prog_setup.lo \ -@KRB4_FALSE@prompter_posix.lo rd_cred.lo rd_error.lo rd_priv.lo \ -@KRB4_FALSE@rd_rep.lo rd_req.lo rd_safe.lo read_message.lo recvauth.lo \ -@KRB4_FALSE@send_to_kdc.lo sendauth.lo set_default_realm.lo \ -@KRB4_FALSE@sock_principal.lo store.lo store_emem.lo store_fd.lo \ -@KRB4_FALSE@store_mem.lo ticket.lo time.lo transited.lo verify_init.lo \ -@KRB4_FALSE@verify_user.lo version.lo warn.lo write_message.lo \ -@KRB4_FALSE@krb5_err.lo heim_err.lo +libkrb5_la_DEPENDENCIES = ../com_err/error.lo ../com_err/com_err.lo \ +$(top_builddir)/lib/asn1/libasn1.la +am_libkrb5_la_OBJECTS = acl.lo add_et_list.lo addr_families.lo \ +address.lo aname_to_localname.lo appdefault.lo asn1_glue.lo \ +auth_context.lo build_ap_req.lo build_auth.lo cache.lo changepw.lo \ +codec.lo config_file.lo config_file_netinfo.lo convert_creds.lo \ +constants.lo context.lo copy_host_realm.lo crc.lo creds.lo crypto.lo \ +data.lo 
eai_to_heim_errno.lo expand_hostname.lo fcache.lo free.lo \ +free_host_realm.lo generate_seq_number.lo generate_subkey.lo \ +get_addrs.lo get_cred.lo get_default_principal.lo get_default_realm.lo \ +get_for_creds.lo get_host_realm.lo get_in_tkt.lo get_in_tkt_pw.lo \ +get_in_tkt_with_keytab.lo get_in_tkt_with_skey.lo get_port.lo \ +init_creds.lo init_creds_pw.lo keyblock.lo keytab.lo keytab_file.lo \ +keytab_memory.lo keytab_keyfile.lo keytab_krb4.lo krbhst.lo kuserok.lo \ +log.lo mcache.lo misc.lo mk_error.lo mk_priv.lo mk_rep.lo mk_req.lo \ +mk_req_ext.lo mk_safe.lo net_read.lo net_write.lo n-fold.lo padata.lo \ +principal.lo prog_setup.lo prompter_posix.lo rd_cred.lo rd_error.lo \ +rd_priv.lo rd_rep.lo rd_req.lo rd_safe.lo read_message.lo recvauth.lo \ +replay.lo send_to_kdc.lo sendauth.lo set_default_realm.lo \ +sock_principal.lo store.lo store_emem.lo store_fd.lo store_mem.lo \ +ticket.lo time.lo transited.lo verify_init.lo verify_user.lo version.lo \ +warn.lo write_message.lo krb5_err.lo heim_err.lo +libkrb5_la_OBJECTS = $(am_libkrb5_la_OBJECTS) bin_PROGRAMS = verify_krb5_conf$(EXEEXT) check_PROGRAMS = n-fold-test$(EXEEXT) string-to-key-test$(EXEEXT) -noinst_PROGRAMS = dump_config$(EXEEXT) +noinst_PROGRAMS = dump_config$(EXEEXT) test_get_addrs$(EXEEXT) PROGRAMS = $(bin_PROGRAMS) $(noinst_PROGRAMS) -verify_krb5_conf_SOURCES = verify_krb5_conf.c -verify_krb5_conf_OBJECTS = verify_krb5_conf.$(OBJEXT) -verify_krb5_conf_LDADD = $(LDADD) -@KRB4_TRUE@verify_krb5_conf_DEPENDENCIES = libkrb5.la \ -@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la \ -@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la -@KRB4_FALSE@verify_krb5_conf_DEPENDENCIES = libkrb5.la \ -@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la \ -@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la -verify_krb5_conf_LDFLAGS = +dump_config_SOURCES = dump_config.c +dump_config_OBJECTS = dump_config.$(OBJEXT) +dump_config_LDADD = $(LDADD) +dump_config_DEPENDENCIES = libkrb5.la \ +$(top_builddir)/lib/asn1/libasn1.la 
+dump_config_LDFLAGS = n_fold_test_SOURCES = n-fold-test.c n_fold_test_OBJECTS = n-fold-test.$(OBJEXT) n_fold_test_LDADD = $(LDADD) -@KRB4_TRUE@n_fold_test_DEPENDENCIES = libkrb5.la \ -@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la \ -@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la -@KRB4_FALSE@n_fold_test_DEPENDENCIES = libkrb5.la \ -@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la \ -@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la +n_fold_test_DEPENDENCIES = libkrb5.la \ +$(top_builddir)/lib/asn1/libasn1.la n_fold_test_LDFLAGS = string_to_key_test_SOURCES = string-to-key-test.c string_to_key_test_OBJECTS = string-to-key-test.$(OBJEXT) string_to_key_test_LDADD = $(LDADD) -@KRB4_TRUE@string_to_key_test_DEPENDENCIES = libkrb5.la \ -@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la \ -@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la -@KRB4_FALSE@string_to_key_test_DEPENDENCIES = libkrb5.la \ -@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la \ -@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la +string_to_key_test_DEPENDENCIES = libkrb5.la \ +$(top_builddir)/lib/asn1/libasn1.la string_to_key_test_LDFLAGS = -dump_config_SOURCES = dump_config.c -dump_config_OBJECTS = dump_config.$(OBJEXT) -dump_config_LDADD = $(LDADD) -@KRB4_TRUE@dump_config_DEPENDENCIES = libkrb5.la \ -@KRB4_TRUE@$(top_builddir)/lib/des/libdes.la \ -@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la -@KRB4_FALSE@dump_config_DEPENDENCIES = libkrb5.la \ -@KRB4_FALSE@$(top_builddir)/lib/des/libdes.la \ -@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la -dump_config_LDFLAGS = -CFLAGS = @CFLAGS@ +test_get_addrs_SOURCES = test_get_addrs.c +test_get_addrs_OBJECTS = test_get_addrs.$(OBJEXT) +test_get_addrs_LDADD = $(LDADD) +test_get_addrs_DEPENDENCIES = libkrb5.la \ +$(top_builddir)/lib/asn1/libasn1.la +test_get_addrs_LDFLAGS = +verify_krb5_conf_SOURCES = verify_krb5_conf.c +verify_krb5_conf_OBJECTS = verify_krb5_conf.$(OBJEXT) +verify_krb5_conf_LDADD = $(LDADD) +verify_krb5_conf_DEPENDENCIES = libkrb5.la \ 
+$(top_builddir)/lib/asn1/libasn1.la +verify_krb5_conf_LDFLAGS = COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CFLAGS = @CFLAGS@ CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@ +LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +DIST_SOURCES = $(libkrb5_la_SOURCES) dump_config.c n-fold-test.c \ +string-to-key-test.c test_get_addrs.c verify_krb5_conf.c man3dir = $(mandir)/man3 man5dir = $(mandir)/man5 +man8dir = $(mandir)/man8 MANS = $(man_MANS) HEADERS = $(include_HEADERS) -DIST_COMMON = Makefile.am Makefile.in +depcomp = +DIST_COMMON = $(include_HEADERS) Makefile.am Makefile.in -DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST) +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -TAR = tar GZIP_ENV = --best -SOURCES = $(libkrb5_la_SOURCES) $(EXTRA_libkrb5_la_SOURCES) verify_krb5_conf.c n-fold-test.c string-to-key-test.c dump_config.c -OBJECTS = $(libkrb5_la_OBJECTS) verify_krb5_conf.$(OBJEXT) n-fold-test.$(OBJEXT) string-to-key-test.$(OBJEXT) dump_config.$(OBJEXT) +SOURCES = $(libkrb5_la_SOURCES) dump_config.c n-fold-test.c string-to-key-test.c test_get_addrs.c verify_krb5_conf.c +OBJECTS = $(am_libkrb5_la_OBJECTS) dump_config.$(OBJEXT) n-fold-test.$(OBJEXT) string-to-key-test.$(OBJEXT) test_get_addrs.$(OBJEXT) verify_krb5_conf.$(OBJEXT) all: all-redirect .SUFFIXES: -.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x +.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/krb5/Makefile 
@@ -358,31 +453,18 @@ install-libLTLIBRARIES: $(lib_LTLIBRARIES) $(mkinstalldirs) $(DESTDIR)$(libdir) @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ if test -f $$p; then \ - echo "$(LIBTOOL) --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p"; \ - $(LIBTOOL) --mode=install $(INSTALL) $$p $(DESTDIR)$(libdir)/$$p; \ + echo " $(LIBTOOL) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p"; \ + $(LIBTOOL) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p; \ else :; fi; \ done uninstall-libLTLIBRARIES: @$(NORMAL_UNINSTALL) - list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + echo " $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \ $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \ done -.c.o: - $(COMPILE) -c $< - -# FIXME: We should only use cygpath when building on Windows, -# and only if it is available. -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.s.o: - $(COMPILE) -c $< - -.S.o: - $(COMPILE) -c $< - mostlyclean-compile: -rm -f *.o core *.core -rm -f *.$(OBJEXT) @@ -394,15 +476,6 @@ distclean-compile: maintainer-clean-compile: -.c.lo: - $(LIBTOOL) --mode=compile $(COMPILE) -c $< - -.s.lo: - $(LIBTOOL) --mode=compile $(COMPILE) -c $< - -.S.lo: - $(LIBTOOL) --mode=compile $(COMPILE) -c $< - mostlyclean-libtool: -rm -f *.lo 
@@ -430,15 +503,18 @@ install-binPROGRAMS: $(bin_PROGRAMS) $(mkinstalldirs) $(DESTDIR)$(bindir) @list='$(bin_PROGRAMS)'; for p in $$list; do \ if test -f $$p; then \ - echo " $(LIBTOOL) --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \ - $(LIBTOOL) --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \ + f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \ + echo " $(LIBTOOL) --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \ + $(LIBTOOL) --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \ else :; fi; \ done uninstall-binPROGRAMS: @$(NORMAL_UNINSTALL) - list='$(bin_PROGRAMS)'; for p in $$list; do \ - rm -f $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \ + @list='$(bin_PROGRAMS)'; for p in $$list; do \ + f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \ + echo " rm -f $(DESTDIR)$(bindir)/$$f"; \ + rm -f $(DESTDIR)$(bindir)/$$f; \ done mostlyclean-checkPROGRAMS: @@ -459,9 +535,9 @@ distclean-noinstPROGRAMS: maintainer-clean-noinstPROGRAMS: -verify_krb5_conf$(EXEEXT): $(verify_krb5_conf_OBJECTS) $(verify_krb5_conf_DEPENDENCIES) - @rm -f verify_krb5_conf$(EXEEXT) - $(LINK) $(verify_krb5_conf_LDFLAGS) $(verify_krb5_conf_OBJECTS) $(verify_krb5_conf_LDADD) $(LIBS) +dump_config$(EXEEXT): $(dump_config_OBJECTS) $(dump_config_DEPENDENCIES) + @rm -f dump_config$(EXEEXT) + $(LINK) $(dump_config_LDFLAGS) $(dump_config_OBJECTS) $(dump_config_LDADD) $(LIBS) n-fold-test$(EXEEXT): $(n_fold_test_OBJECTS) $(n_fold_test_DEPENDENCIES) @rm -f n-fold-test$(EXEEXT) 
@@ -471,9 +547,19 @@ string-to-key-test$(EXEEXT): $(string_to_key_test_OBJECTS) $(string_to_key_test_ @rm -f string-to-key-test$(EXEEXT) $(LINK) $(string_to_key_test_LDFLAGS) $(string_to_key_test_OBJECTS) $(string_to_key_test_LDADD) $(LIBS) -dump_config$(EXEEXT): $(dump_config_OBJECTS) $(dump_config_DEPENDENCIES) - @rm -f dump_config$(EXEEXT) - $(LINK) $(dump_config_LDFLAGS) $(dump_config_OBJECTS) $(dump_config_LDADD) $(LIBS) +test_get_addrs$(EXEEXT): $(test_get_addrs_OBJECTS) $(test_get_addrs_DEPENDENCIES) + @rm -f test_get_addrs$(EXEEXT) + $(LINK) $(test_get_addrs_LDFLAGS) $(test_get_addrs_OBJECTS) $(test_get_addrs_LDADD) $(LIBS) + +verify_krb5_conf$(EXEEXT): $(verify_krb5_conf_OBJECTS) $(verify_krb5_conf_DEPENDENCIES) + @rm -f verify_krb5_conf$(EXEEXT) + $(LINK) $(verify_krb5_conf_LDFLAGS) $(verify_krb5_conf_OBJECTS) $(verify_krb5_conf_LDADD) $(LIBS) +.c.o: + $(COMPILE) -c $< +.c.obj: + $(COMPILE) -c `cygpath -w $<` +.c.lo: + $(LTCOMPILE) -c -o $@ $< install-man3: $(mkinstalldirs) $(DESTDIR)$(man3dir) @@ -488,6 +574,7 @@ install-man3: else file=$$i; fi; \ ext=`echo $$i | sed -e 's/^.*\\.//'`; \ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ inst=`echo $$inst | sed '$(transform)'`.$$ext; \ echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man3dir)/$$inst"; \ $(INSTALL_DATA) $$file $(DESTDIR)$(man3dir)/$$inst; \ @@ -503,6 +590,7 @@ uninstall-man3: for i in $$list; do \ ext=`echo $$i | sed -e 's/^.*\\.//'`; \ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ inst=`echo $$inst | sed '$(transform)'`.$$ext; \ echo " rm -f $(DESTDIR)$(man3dir)/$$inst"; \ rm -f $(DESTDIR)$(man3dir)/$$inst; \ 
@@ -521,6 +609,7 @@ install-man5: else file=$$i; fi; \ ext=`echo $$i | sed -e 's/^.*\\.//'`; \ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ inst=`echo $$inst | sed '$(transform)'`.$$ext; \ echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man5dir)/$$inst"; \ $(INSTALL_DATA) $$file $(DESTDIR)$(man5dir)/$$inst; \ 
@@ -536,51 +625,94 @@ uninstall-man5: for i in $$list; do \ ext=`echo $$i | sed -e 's/^.*\\.//'`; \ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ inst=`echo $$inst | sed '$(transform)'`.$$ext; \ echo " rm -f $(DESTDIR)$(man5dir)/$$inst"; \ rm -f $(DESTDIR)$(man5dir)/$$inst; \ done + +install-man8: + $(mkinstalldirs) $(DESTDIR)$(man8dir) + @list='$(man8_MANS)'; \ + l2='$(man_MANS)'; for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \ + $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \ + done + +uninstall-man8: + @list='$(man8_MANS)'; \ + l2='$(man_MANS)'; for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \ + rm -f $(DESTDIR)$(man8dir)/$$inst; \ + done install-man: $(MANS) @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-man3 install-man5 + $(MAKE) $(AM_MAKEFLAGS) install-man3 install-man5 install-man8 uninstall-man: @$(NORMAL_UNINSTALL) - $(MAKE) $(AM_MAKEFLAGS) uninstall-man3 uninstall-man5 + $(MAKE) $(AM_MAKEFLAGS) uninstall-man3 uninstall-man5 uninstall-man8 install-includeHEADERS: $(include_HEADERS) @$(NORMAL_INSTALL) $(mkinstalldirs) $(DESTDIR)$(includedir) @list='$(include_HEADERS)'; for p in $$list; do \ if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \ - echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p"; \ - 
$(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$p; \ + f="`echo $$p | sed -e 's|^.*/||'`"; \ + echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f"; \ + $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f; \ done uninstall-includeHEADERS: @$(NORMAL_UNINSTALL) - list='$(include_HEADERS)'; for p in $$list; do \ - rm -f $(DESTDIR)$(includedir)/$$p; \ + @list='$(include_HEADERS)'; for p in $$list; do \ + f="`echo $$p | sed -e 's|^.*/||'`"; \ + echo " rm -f $(DESTDIR)$(includedir)/$$f"; \ + rm -f $(DESTDIR)$(includedir)/$$f; \ done tags: TAGS -ID: $(HEADERS) $(SOURCES) $(LISP) - list='$(SOURCES) $(HEADERS)'; \ - unique=`for i in $$list; do echo $$i; done | \ - awk ' { files[$$0] = 1; } \ +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ END { for (i in files) print i; }'`; \ - here=`pwd` && cd $(srcdir) \ - && mkid -f$$here/ID $$unique $(LISP) + mkid -fID $$unique $(LISP) -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) $(LISP) +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) tags=; \ here=`pwd`; \ - list='$(SOURCES) $(HEADERS)'; \ - unique=`for i in $$list; do echo $$i; done | \ - awk ' { files[$$0] = 1; } \ + list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ END { for (i in files) print i; }'`; \ test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \ - || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags $$unique $(LISP) -o $$here/TAGS) + || etags $(ETAGS_ARGS) $$tags $$unique $(LISP) mostlyclean-tags: 
@@ -590,48 +722,76 @@ distclean-tags: -rm -f TAGS ID maintainer-clean-tags: +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; \ + srcdir=$(srcdir); export srcdir; \ + list='$(TESTS)'; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *" $$tst "*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *" $$tst "*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes=`echo "$$banner" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + fi distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir) -subdir = lib/krb5 - distdir: $(DISTFILES) @for file in $(DISTFILES); do \ d=$(srcdir); \ if test -d $$d/$$file; then \ - cp -pr $$/$$file $(distdir)/$$file; \ + cp -pR $$d/$$file $(distdir) \ + || exit 1; \ else \ test -f $(distdir)/$$file \ - || ln $$d/$$file $(distdir)/$$file 2> /dev/null \ - || cp -p $$d/$$file $(distdir)/$$file || :; \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ fi; \ done $(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook -check-TESTS: 
$(TESTS) - @failed=0; all=0; \ - srcdir=$(srcdir); export srcdir; \ - for tst in $(TESTS); do \ - if test -f $$tst; then dir=.; \ - else dir="$(srcdir)"; fi; \ - if $(TESTS_ENVIRONMENT) $$dir/$$tst; then \ - all=`expr $$all + 1`; \ - echo "PASS: $$tst"; \ - elif test $$? -ne 77; then \ - all=`expr $$all + 1`; \ - failed=`expr $$failed + 1`; \ - echo "FAIL: $$tst"; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0 info-am: info: info-am dvi-am: @@ -659,11 +819,11 @@ uninstall: uninstall-am all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(HEADERS) all-local all-redirect: all-am install-strip: - $(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install + $(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install installdirs: $(mkinstalldirs) $(DESTDIR)$(libdir) $(DESTDIR)$(bindir) \ $(DESTDIR)$(mandir)/man3 $(DESTDIR)$(mandir)/man5 \ - $(DESTDIR)$(includedir) + $(DESTDIR)$(mandir)/man8 $(DESTDIR)$(includedir) mostlyclean-generic: @@ -676,6 +836,7 @@ distclean-generic: -rm -f config.cache config.log stamp-h stamp-h[0-9]* maintainer-clean-generic: + -rm -f Makefile.in mostlyclean-am: mostlyclean-libLTLIBRARIES mostlyclean-compile \ mostlyclean-libtool mostlyclean-binPROGRAMS \ mostlyclean-checkPROGRAMS mostlyclean-noinstPROGRAMS \ 
@@ -720,15 +881,16 @@ install-binPROGRAMS mostlyclean-checkPROGRAMS distclean-checkPROGRAMS \ clean-checkPROGRAMS maintainer-clean-checkPROGRAMS \ mostlyclean-noinstPROGRAMS distclean-noinstPROGRAMS \ clean-noinstPROGRAMS maintainer-clean-noinstPROGRAMS install-man3 \ -uninstall-man3 install-man5 uninstall-man5 install-man uninstall-man \ -uninstall-includeHEADERS install-includeHEADERS tags mostlyclean-tags \ -distclean-tags clean-tags maintainer-clean-tags distdir check-TESTS \ -info-am info dvi-am dvi check-local check check-am installcheck-am \ -installcheck install-exec-am install-exec install-data-local \ -install-data-am install-data install-am install uninstall-am uninstall \ -all-local all-redirect all-am all installdirs mostlyclean-generic \ -distclean-generic clean-generic maintainer-clean-generic clean \ -mostlyclean distclean maintainer-clean +uninstall-man3 install-man5 uninstall-man5 install-man8 uninstall-man8 \ +install-man uninstall-man uninstall-includeHEADERS \ +install-includeHEADERS tags mostlyclean-tags distclean-tags clean-tags \ +maintainer-clean-tags check-TESTS distdir info-am info dvi-am dvi \ +check-local check check-am installcheck-am installcheck install-exec-am \ +install-exec install-data-local install-data-am install-data install-am \ +install uninstall-am uninstall all-local all-redirect all-am all \ +install-strip installdirs mostlyclean-generic distclean-generic \ +clean-generic maintainer-clean-generic clean mostlyclean distclean \ +maintainer-clean install-suid-programs: @@ -736,7 +898,10 @@ install-suid-programs: for file in $$foo; do \ x=$(DESTDIR)$(bindir)/$$file; \ if chown 0:0 $$x && chmod u+s $$x; then :; else \ - chmod 0 $$x; fi; done + echo "*"; \ + echo "* Failed to install $$x setuid root"; \ + echo "*"; \ + fi; done install-exec-hook: install-suid-programs 
@@ -748,8 +913,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ) else file="$$f"; fi; \ if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ : ; else \ - echo " cp $$file $(buildinclude)/$$f"; \ - cp $$file $(buildinclude)/$$f; \ + echo " $(CP) $$file $(buildinclude)/$$f"; \ + $(CP) $$file $(buildinclude)/$$f; \ fi ; \ done 
@@ -818,87 +983,8 @@ dist-cat8-mans: dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans -install-cat1-mans: - @ext=1;\ - foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done; \ - if test "$$foo"; then \ - $(mkinstalldirs) $(DESTDIR)$(cat1dir); \ - for x in $$foo; do \ - f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \ - if test -f "$(srcdir)/$$f"; then \ - b=`echo $$x | sed 's!$(MANRX)!\1!'`; \ - echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\ - $(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\ - fi; \ - done ;\ - fi - -install-cat3-mans: - @ext=3;\ - foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done; \ - if test "$$foo"; then \ - $(mkinstalldirs) $(DESTDIR)$(cat3dir); \ - for x in $$foo; do \ - f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \ - if test -f "$(srcdir)/$$f"; then \ - b=`echo $$x | sed 's!$(MANRX)!\1!'`; \ - echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\ - $(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\ - fi; \ - done ;\ - fi - -install-cat5-mans: - @ext=5;\ - foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done; \ - if test "$$foo"; then \ - $(mkinstalldirs) $(DESTDIR)$(cat5dir); \ - for x in $$foo; do \ - f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \ - if test -f "$(srcdir)/$$f"; then \ - b=`echo $$x | sed 's!$(MANRX)!\1!'`; \ - echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\ - $(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\ - fi; \ - done ;\ - fi - -install-cat8-mans: - @ext=8;\ - foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done; \ - if test "$$foo"; then \ - $(mkinstalldirs) $(DESTDIR)$(cat8dir); \ - for x 
in $$foo; do \ - f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \ - if test -f "$(srcdir)/$$f"; then \ - b=`echo $$x | sed 's!$(MANRX)!\1!'`; \ - echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\ - $(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\ - fi; \ - done ;\ - fi - -install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans +install-cat-mans: + $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) install-data-local: install-cat-mans diff --git a/crypto/heimdal/lib/krb5/acl.c b/crypto/heimdal/lib/krb5/acl.c new file mode 100644 index 0000000..0106251 --- /dev/null +++ b/crypto/heimdal/lib/krb5/acl.c 
@@ -0,0 +1,189 @@ +/* + * Copyright (c) 2000 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "krb5_locl.h" +#include + +RCSID("$Id: acl.c,v 1.1 2000/06/12 11:17:52 joda Exp $"); + +struct acl_field { + enum { acl_string, acl_fnmatch, acl_retval } type; + union { + const char *cstr; + char **retv; + } u; + struct acl_field *next, **last; +}; + +static void +acl_free_list(struct acl_field *acl) +{ + struct acl_field *next; + while(acl != NULL) { + next = acl->next; + free(acl); + acl = next; + } +} + +static krb5_error_code +acl_parse_format(krb5_context context, + struct acl_field **acl_ret, + const char *format, + va_list ap) +{ + const char *p; + struct acl_field *acl = NULL, *tmp; + + for(p = format; *p != '\0'; p++) { + tmp = malloc(sizeof(*tmp)); + if(tmp == NULL) { + acl_free_list(acl); + return ENOMEM; + } + if(*p == 's') { + tmp->type = acl_string; + tmp->u.cstr = va_arg(ap, const char*); + } else if(*p == 'f') { + tmp->type = acl_fnmatch; + tmp->u.cstr = va_arg(ap, const char*); + } else if(*p == 'r') { + tmp->type = acl_retval; + tmp->u.retv = va_arg(ap, char **); + } + tmp->next = NULL; + if(acl == NULL) + acl = tmp; + else + *acl->last = tmp; + acl->last = &tmp->next; + } + *acl_ret = acl; + return 0; +} + +static krb5_boolean +acl_match_field(krb5_context context, + const char *string, + struct acl_field *field) +{ + if(field->type == acl_string) { + return !strcmp(string, field->u.cstr); + } else if(field->type == acl_fnmatch) { + return !fnmatch(string, field->u.cstr, 0); + } else if(field->type == acl_retval) { + *field->u.retv = strdup(string); + return TRUE; + } + return FALSE; +} + +static krb5_boolean +acl_match_acl(krb5_context context, + struct acl_field *acl, + const char *string) +{ + char buf[256]; + for(;strsep_copy(&string, " \t", buf, sizeof(buf)) != -1; + acl = acl->next) { + if(buf[0] == '\0') + continue; /* skip ws */ + if(!acl_match_field(context, buf, acl)) { + return FALSE; + } + } + return TRUE; +} + + +krb5_error_code +krb5_acl_match_string(krb5_context context, + const char *acl_string, + const char 
*format, + ...) +{ + krb5_error_code ret; + struct acl_field *acl; + + va_list ap; + va_start(ap, format); + ret = acl_parse_format(context, &acl, format, ap); + va_end(ap); + if(ret) + return ret; + + ret = acl_match_acl(context, acl, acl_string); + + acl_free_list(acl); + return ret ? 0 : EACCES; +} + +krb5_error_code +krb5_acl_match_file(krb5_context context, + const char *file, + const char *format, + ...) +{ + krb5_error_code ret; + struct acl_field *acl; + char buf[256]; + va_list ap; + FILE *f; + + f = fopen(file, "r"); + if(f == NULL) + return errno; + + va_start(ap, format); + ret = acl_parse_format(context, &acl, format, ap); + va_end(ap); + if(ret) { + fclose(f); + return ret; + } + + ret = EACCES; /* XXX */ + while(fgets(buf, sizeof(buf), f)) { + if(buf[0] == '#') + continue; + if(acl_match_acl(context, acl, buf)) { + ret = 0; + goto out; + } + } + + out: + fclose(f); + acl_free_list(acl); + return ret; +} diff --git a/crypto/heimdal/lib/krb5/addr_families.c b/crypto/heimdal/lib/krb5/addr_families.c index 9b17abd..339d23b 100644 --- a/crypto/heimdal/lib/krb5/addr_families.c +++ b/crypto/heimdal/lib/krb5/addr_families.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: addr_families.c,v 1.23 2000/02/16 02:09:00 assar Exp $"); +RCSID("$Id: addr_families.c,v 1.24 2000/07/08 13:05:43 joda Exp $"); struct addr_operations { int af; @@ -523,7 +523,7 @@ krb5_parse_address(krb5_context context, error = getaddrinfo (string, NULL, NULL, &ai); if (error) - return -1; + return krb5_eai_to_heim_errno(error); n = 0; for (a = ai; a != NULL; a = a->ai_next) diff --git a/crypto/heimdal/lib/krb5/appdefault.c b/crypto/heimdal/lib/krb5/appdefault.c new file mode 100644 index 0000000..081dec0 --- /dev/null +++ b/crypto/heimdal/lib/krb5/appdefault.c 
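Review bot: acl_match_acl never checks that the tokens on the ACL line and the fields in the format agree in number: a line with more tokens than fields advances `acl` past the end and acl_match_field dereferences NULL, while a line with fewer tokens returns TRUE with the remaining fields never compared, so a truncated entry such as a lone principal matches every value of the later arguments. The `continue` used to skip empty tokens also runs the loop's `acl = acl->next`, so two consecutive blanks silently skip a format field and shift the rest. In krb5_acl_match_file the line from fgets keeps its newline, so the last token of each line carries `\n` into the strcmp/fnmatch comparison, and a line longer than sizeof(buf) is read as two independent entries; strip it with `buf[strcspn(buf, "\n")] = '\0';` and treat a line without a newline as over-long rather than matching its fragments. Unknown characters in `format` likewise leave `tmp->type` uninitialized in acl_parse_format, which is worth rejecting with EINVAL. The rewrite below only advances on a consumed token and requires every format field to be matched.
```c
static krb5_boolean
acl_match_acl(krb5_context context,
	      struct acl_field *acl,
	      const char *string)
{
    char buf[256];
    while(strsep_copy(&string, " \t", buf, sizeof(buf)) != -1) {
	if(buf[0] == '\0')
	    continue; /* skip ws without consuming a field */
	if(acl == NULL)
	    return FALSE; /* more tokens on the line than format fields */
	if(!acl_match_field(context, buf, acl))
	    return FALSE;
	acl = acl->next;
    }
    return acl == NULL; /* every format field must have been matched */
}
```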
@@ -0,0 +1,123 @@ +/* + * Copyright (c) 2000, 2001 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "krb5_locl.h" + +RCSID("$Id: appdefault.c,v 1.3 2001/01/10 00:19:58 assar Exp $"); + +void +krb5_appdefault_boolean(krb5_context context, const char *appname, + krb5_realm realm, const char *option, + krb5_boolean def_val, krb5_boolean *ret_val) +{ + + if(appname == NULL) + appname = __progname; + def_val = krb5_config_get_bool_default(context, NULL, def_val, + "appdefaults", + option, + NULL); + if(realm != NULL) + def_val = krb5_config_get_bool_default(context, NULL, def_val, + "appdefaults", + realm, + option, + NULL); + if(appname != NULL) { + def_val = krb5_config_get_bool_default(context, NULL, def_val, + "appdefaults", + appname, + option, + NULL); + if(realm != NULL) + def_val = krb5_config_get_bool_default(context, NULL, def_val, + "appdefaults", + appname, + realm, + option, + NULL); + } + *ret_val = def_val; +} + +void +krb5_appdefault_string(krb5_context context, const char *appname, + krb5_realm realm, const char *option, + const char *def_val, char **ret_val) +{ + if(appname == NULL) + appname = __progname; + def_val = krb5_config_get_string_default(context, NULL, def_val, + "appdefaults", + option, + NULL); + if(realm != NULL) + def_val = krb5_config_get_string_default(context, NULL, def_val, + "appdefaults", + realm, + option, + NULL); + if(appname != NULL) { + def_val = krb5_config_get_string_default(context, NULL, def_val, + "appdefaults", + appname, + option, + NULL); + if(realm != NULL) + def_val = krb5_config_get_string_default(context, NULL, def_val, + "appdefaults", + appname, + realm, + option, + NULL); + } + if(def_val != NULL) + *ret_val = strdup(def_val); + else + *ret_val = NULL; +} + +void +krb5_appdefault_time(krb5_context context, const char *appname, + krb5_realm realm, const char *option, + time_t def_val, time_t *ret_val) +{ + time_t t; + char tstr[32]; + char *val; + snprintf(tstr, sizeof(tstr), "%ld", (long)def_val); + krb5_appdefault_string(context, appname, realm, option, tstr, &val); + t = parse_time (val, 
NULL); + free(val); + *ret_val = t; +} diff --git a/crypto/heimdal/lib/krb5/auth_context.c b/crypto/heimdal/lib/krb5/auth_context.c index 94b1376..a37c4dd 100644 --- a/crypto/heimdal/lib/krb5/auth_context.c +++ b/crypto/heimdal/lib/krb5/auth_context.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: auth_context.c,v 1.50 1999/12/02 17:05:07 joda Exp $"); +RCSID("$Id: auth_context.c,v 1.55 2000/12/10 20:01:05 assar Exp $"); krb5_error_code krb5_auth_con_init(krb5_context context, @@ -67,20 +67,21 @@ krb5_error_code krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context) { - krb5_free_authenticator(context, &auth_context->authenticator); - if(auth_context->local_address){ - free_HostAddress(auth_context->local_address); - free(auth_context->local_address); - } - if(auth_context->remote_address){ - free_HostAddress(auth_context->remote_address); - free(auth_context->remote_address); - } - if(auth_context->keyblock) + if (auth_context != NULL) { + krb5_free_authenticator(context, &auth_context->authenticator); + if(auth_context->local_address){ + free_HostAddress(auth_context->local_address); + free(auth_context->local_address); + } + if(auth_context->remote_address){ + free_HostAddress(auth_context->remote_address); + free(auth_context->remote_address); + } krb5_free_keyblock(context, auth_context->keyblock); - krb5_free_keyblock(context, auth_context->remote_subkey); - krb5_free_keyblock(context, auth_context->local_subkey); - free (auth_context); + krb5_free_keyblock(context, auth_context->remote_subkey); + krb5_free_keyblock(context, auth_context->local_subkey); + free (auth_context); + } return 0; } 
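Review bot: krb5_appdefault_time passes `val` straight to parse_time, but krb5_appdefault_string above leaves `*ret_val` NULL when strdup fails, so an allocation failure becomes a NULL dereference instead of a fallback to the default; guard it with `if (val == NULL) { *ret_val = def_val; return; }` before the parse_time call. None of the three functions reports anything to the caller when the configured value is malformed, and what parse_time returns for an unparsable string is not visible here, so a comment stating that the default applies only when the option is absent, not when it is invalid, would help callers. `__progname` is a libc-provided global; a short comment that it stands in for appname when NULL is passed, together with the lookup order (option, realm/option, appname/option, appname/realm/option, each later hit overriding the previous), would make the precedence obvious to readers.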
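Review bot: The rewrite of krb5_auth_con_free drops the `if(auth_context->keyblock)` guard before `krb5_free_keyblock(context, auth_context->keyblock)`, so a context whose keyblock was never set now passes NULL to it; this matches the already unconditional calls for remote_subkey and local_subkey, which suggests krb5_free_keyblock tolerates NULL, but that is not visible in this hunk and deserves confirming. If it does, a one-line comment `/* krb5_free_keyblock accepts NULL */` above the three calls would stop the next reader from re-adding the guard.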
@@ -128,49 +129,71 @@ krb5_auth_con_setaddrs(krb5_context context, } krb5_error_code -krb5_auth_con_setaddrs_from_fd (krb5_context context, - krb5_auth_context auth_context, - void *p_fd) +krb5_auth_con_genaddrs(krb5_context context, + krb5_auth_context auth_context, + int fd, int flags) { - int fd = *((int *)p_fd); krb5_error_code ret; krb5_address local_k_address, remote_k_address; krb5_address *lptr = NULL, *rptr = NULL; struct sockaddr_storage ss_local, ss_remote; struct sockaddr *local = (struct sockaddr *)&ss_local; struct sockaddr *remote = (struct sockaddr *)&ss_remote; - int len; - - if (auth_context->local_address == NULL) { - len = sizeof(ss_local); - if(getsockname(fd, local, &len) < 0) { - ret = errno; - goto out; + socklen_t len; + + if(flags & KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR) { + if (auth_context->local_address == NULL) { + len = sizeof(ss_local); + if(getsockname(fd, local, &len) < 0) { + ret = errno; + goto out; + } + krb5_sockaddr2address (local, &local_k_address); + if(flags & KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR) { + krb5_sockaddr2port (local, &auth_context->local_port); + } else + auth_context->local_port = 0; + lptr = &local_k_address; } - krb5_sockaddr2address (local, &local_k_address); - krb5_sockaddr2port (local, &auth_context->local_port); - lptr = &local_k_address; } - if (auth_context->remote_address == NULL) { + if(flags & KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR) { len = sizeof(ss_remote); if(getpeername(fd, remote, &len) < 0) { ret = errno; goto out; } krb5_sockaddr2address (remote, &remote_k_address); - krb5_sockaddr2port (remote, &auth_context->remote_port); + if(flags & KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR) { + krb5_sockaddr2port (remote, &auth_context->remote_port); + } else + auth_context->remote_port = 0; rptr = &remote_k_address; } ret = krb5_auth_con_setaddrs (context, auth_context, lptr, rptr); -out: + out: if (lptr) krb5_free_address (context, lptr); if (rptr) krb5_free_address (context, rptr); return ret; + 
+} + +krb5_error_code +krb5_auth_con_setaddrs_from_fd (krb5_context context, + krb5_auth_context auth_context, + void *p_fd) +{ + int fd = *(int*)p_fd; + int flags = 0; + if(auth_context->local_address == NULL) + flags |= KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR; + if(auth_context->remote_address == NULL) + flags |= KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR; + return krb5_auth_con_genaddrs(context, auth_context, fd, flags); } krb5_error_code @@ -396,6 +419,24 @@ krb5_auth_con_setuserkey(krb5_context context, return krb5_copy_keyblock(context, keyblock, &auth_context->keyblock); } +krb5_error_code +krb5_auth_con_getrcache(krb5_context context, + krb5_auth_context auth_context, + krb5_rcache *rcache) +{ + *rcache = auth_context->rcache; + return 0; +} + +krb5_error_code +krb5_auth_con_setrcache(krb5_context context, + krb5_auth_context auth_context, + krb5_rcache rcache) +{ + auth_context->rcache = rcache; + return 0; +} + #if 0 /* not implemented */ krb5_error_code @@ -414,13 +455,4 @@ krb5_auth_con_setivector(krb5_context context, krb5_abortx(context, "unimplemented krb5_auth_con_setivector called"); } - -krb5_error_code -krb5_auth_con_setrcache(krb5_context context, - krb5_auth_context auth_context, - krb5_rcache rcache) -{ - krb5_abortx(context, "unimplemented krb5_auth_con_setrcache called"); -} - #endif /* not implemented */ diff --git a/crypto/heimdal/lib/krb5/build_auth.c b/crypto/heimdal/lib/krb5/build_auth.c index a38393b..c75b2f1 100644 --- a/crypto/heimdal/lib/krb5/build_auth.c +++ b/crypto/heimdal/lib/krb5/build_auth.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include -RCSID("$Id: build_auth.c,v 1.32 1999/12/02 17:05:08 joda Exp $"); +RCSID("$Id: build_auth.c,v 1.34 2000/11/15 06:58:51 assar Exp $"); krb5_error_code krb5_build_authenticator (krb5_context context, 
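Review bot: In krb5_auth_con_genaddrs the return value of krb5_sockaddr2address is ignored for both the local and the remote address; if the conversion fails for an unsupported address family, `lptr`/`rptr` still point at an uninitialized krb5_address that is handed to krb5_auth_con_setaddrs and then to krb5_free_address at `out`. Assuming it reports failure through its return value, write `ret = krb5_sockaddr2address (local, &local_k_address); if (ret) goto out; lptr = &local_k_address;` and the same for the remote side, so the pointer is only set once the address is valid. The local branch is additionally guarded by `auth_context->local_address == NULL` while the remote branch overwrites an existing remote address unconditionally; if that asymmetry is intended it should be documented, otherwise mirror the check. krb5_auth_con_setaddrs_from_fd sets only the *_FULL_ADDR flags, so it relies on those constants including the corresponding *_ADDR bit that genaddrs tests first — worth a comment, since with independent bits the wrapper would generate nothing.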
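Review bot: krb5_auth_con_setrcache stores the caller's krb5_rcache pointer without any statement of ownership, and krb5_auth_con_free in this commit does not release it, so callers cannot tell whether they still have to close the rcache themselves. A comment on the setter such as `/* The auth context keeps a reference only; the caller retains ownership of rcache and must close it after krb5_auth_con_free. */` (or the opposite, if ownership is meant to transfer) would settle it; the same applies to the getter, which hands back the stored pointer rather than a copy.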
@@ -42,7 +42,8 @@ krb5_build_authenticator (krb5_context context, krb5_creds *cred, Checksum *cksum, Authenticator **auth_result, - krb5_data *result) + krb5_data *result, + krb5_key_usage usage) { Authenticator *auth; u_char *buf = NULL; @@ -126,9 +127,11 @@ krb5_build_authenticator (krb5_context context, } while(ret == ASN1_OVERFLOW); ret = krb5_crypto_init(context, &cred->session, enctype, &crypto); + if (ret) + goto fail; ret = krb5_encrypt (context, crypto, - KRB5_KU_AP_REQ_AUTH, + usage /* KRB5_KU_AP_REQ_AUTH */, buf + buf_size - len, len, result); diff --git a/crypto/heimdal/lib/krb5/cache.c b/crypto/heimdal/lib/krb5/cache.c index e78d4de..121f44f 100644 --- a/crypto/heimdal/lib/krb5/cache.c +++ b/crypto/heimdal/lib/krb5/cache.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: cache.c,v 1.44 1999/12/02 17:05:08 joda Exp $"); +RCSID("$Id: cache.c,v 1.45 2000/12/05 09:18:29 joda Exp $"); /* * Add a new ccache type with operations `ops', overwriting any @@ -356,7 +356,9 @@ krb5_cc_remove_cred(krb5_context context, krb5_flags which, krb5_creds *cred) { - return id->ops->remove_cred(context, id, which, cred); + if(id->ops->remove_cred == NULL) + return EACCES; /* XXX */ + return (*id->ops->remove_cred)(context, id, which, cred); } /* diff --git a/crypto/heimdal/lib/krb5/changepw.c b/crypto/heimdal/lib/krb5/changepw.c index 56c89a0..407abf0 100644 --- a/crypto/heimdal/lib/krb5/changepw.c +++ b/crypto/heimdal/lib/krb5/changepw.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
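Review bot: The inline comment `usage /* KRB5_KU_AP_REQ_AUTH */` in the krb5_encrypt call is now misleading, since usage is whatever the caller passed and the reason for the new parameter is precisely that other authenticators need a different key-usage number. Better to drop that comment and document the parameter at the signature: `/* usage: key-usage number for encrypting the authenticator, e.g. KRB5_KU_AP_REQ_AUTH for an AP-REQ */`. The added `if (ret) goto fail;` after krb5_crypto_init is the right fix for the previously unchecked init; the `fail` label and the rest of krb5_build_authenticator lie outside this hunk. The signature change affects every existing caller of this exported function, which the import should call out somewhere callers will see it.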
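Review bot: `return EACCES; /* XXX */` in krb5_cc_remove_cred reports a missing remove_cred operation as a permission problem, which callers will surface as "Permission denied" although the real cause is that this credential-cache type does not implement removal. If heim_err.et has a code for an unsupported cache operation that would be the right value; otherwise replace the `XXX` with a comment saying why EACCES is returned, so the choice is not mistaken for an access-control decision. The NULL check itself is correct and the call through `(*id->ops->remove_cred)` is unchanged in behaviour.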
@@ -33,7 +33,7 @@ #include -RCSID("$Id: changepw.c,v 1.20 2000/02/07 13:40:18 joda Exp $"); +RCSID("$Id: changepw.c,v 1.30 2000/12/10 23:10:10 assar Exp $"); static krb5_error_code get_kdc_address (krb5_context context, @@ -52,10 +52,12 @@ get_kdc_address (krb5_context context, return ret; port = ntohs(krb5_getportbyname (context, "kpasswd", "udp", KPASSWD_PORT)); - error = roken_getaddrinfo_hostspec(*hostlist, port, ai); + error = roken_getaddrinfo_hostspec2(*hostlist, SOCK_DGRAM, port, ai); krb5_free_krbhst (context, hostlist); - return error; + if(error) + return krb5_eai_to_heim_errno(error); + return 0; } static krb5_error_code @@ -138,7 +140,12 @@ out2: static void str2data (krb5_data *d, - char *fmt, + const char *fmt, + ...) __attribute__ ((format (printf, 2, 3))); + +static void +str2data (krb5_data *d, + const char *fmt, ...) { va_list args; @@ -261,6 +268,7 @@ krb5_change_password (krb5_context context, int sock; int i; struct addrinfo *ai, *a; + int done = 0; ret = krb5_auth_con_init (context, &auth_context); if (ret) 
@@ -270,58 +278,71 @@ krb5_change_password (krb5_context context, if (ret) goto out; - krb5_auth_con_setflags (context, auth_context, - KRB5_AUTH_CONTEXT_DO_SEQUENCE); + for (a = ai; !done && a != NULL; a = a->ai_next) { + int replied = 0; - for (a = ai; a != NULL; a = a->ai_next) { sock = socket (a->ai_family, a->ai_socktype, a->ai_protocol); if (sock < 0) continue; - for (i = 0; i < 5; ++i) { + for (i = 0; !done && i < 5; ++i) { fd_set fdset; struct timeval tv; - ret = send_request (context, - &auth_context, - creds, - sock, - a->ai_addr, - a->ai_addrlen, - newpw); - if (ret) + if (!replied) { + replied = 0; + ret = send_request (context, + &auth_context, + creds, + sock, + a->ai_addr, + a->ai_addrlen, + newpw); + if (ret) { + close(sock); + goto out; + } + } + + if (sock >= FD_SETSIZE) { + ret = ERANGE; + close (sock); goto out; + } FD_ZERO(&fdset); FD_SET(sock, &fdset); tv.tv_usec = 0; - tv.tv_sec = 1 << i; + tv.tv_sec = 1 + (1 << i); ret = select (sock + 1, &fdset, NULL, NULL, &tv); - if (ret < 0 && errno != EINTR) + if (ret < 0 && errno != EINTR) { + close(sock); goto out; - if (ret == 1) - break; - } - if (i == 5) { - ret = KRB5_KDC_UNREACH; - close (sock); - continue; + } + if (ret == 1) { + ret = process_reply (context, + auth_context, + sock, + result_code, + result_code_string, + result_string); + if (ret == 0) + done = 1; + else if (i > 0 && ret == KRB5KRB_AP_ERR_MUT_FAIL) + replied = 1; + } else { + ret = KRB5_KDC_UNREACH; + } } - - ret = process_reply (context, - auth_context, - sock, - result_code, - result_code_string, - result_string); close (sock); - if (ret == 0) - break; } freeaddrinfo (ai); out: krb5_auth_con_free (context, auth_context); - return ret; + if (done) + return 0; + else + return ret; } diff --git a/crypto/heimdal/lib/krb5/config_file.c b/crypto/heimdal/lib/krb5/config_file.c index 3d1ff1e..d5d8a42 100644 --- a/crypto/heimdal/lib/krb5/config_file.c +++ b/crypto/heimdal/lib/krb5/config_file.c 
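Review bot: Every `goto out` inside the retry loop now leaves the addrinfo list allocated, because `freeaddrinfo (ai);` sits before the `out:` label and only the fall-through path reaches it; move the call after `out:` and initialise `ai` to NULL where it is declared, since earlier exits may reach the label before get_kdc_address has filled it (that part of the function lies above the hunk). The hunk also removes the `krb5_auth_con_setflags (context, auth_context, KRB5_AUTH_CONTEXT_DO_SEQUENCE)` call without explanation, so replies are no longer checked for sequence numbers at the same time the loop starts accepting a late reply after a retransmission (the `replied` handling on KRB5KRB_AP_ERR_MUT_FAIL); if sequence checking was dropped because it conflicts with retransmission, say so in a comment next to the loop, otherwise keep the flag. `replied = 0;` inside `if (!replied)` is a no-op and should go. The `sock >= FD_SETSIZE` test runs after the first send_request; checking it right after socket() avoids sending at all on a descriptor that cannot be selected on.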
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997, 1998, 1999, 2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,7 +32,7 @@ */ #include "krb5_locl.h" -RCSID("$Id: config_file.c,v 1.38 1999/12/02 17:05:08 joda Exp $"); +RCSID("$Id: config_file.c,v 1.41 2000/08/16 07:40:36 assar Exp $"); #ifndef HAVE_NETINFO @@ -210,7 +210,7 @@ krb5_config_parse_file_debug (const char *fname, krb5_config_section *s; krb5_config_binding *b; char buf[BUFSIZ]; - int ret; + int ret = 0; s = NULL; b = NULL; @@ -218,7 +218,7 @@ krb5_config_parse_file_debug (const char *fname, f = fopen (fname, "r"); if (f == NULL) { *error_message = "cannot open file"; - return -1; + return ENOENT; } *res = NULL; while (fgets(buf, sizeof(buf), f) != NULL) { @@ -234,20 +234,23 @@ krb5_config_parse_file_debug (const char *fname, continue; if (*p == '[') { ret = parse_section(p, &s, res, error_message); - if (ret) - return ret; + if (ret) { + goto out; + } b = NULL; } else if (*p == '}') { *error_message = "unmatched }"; - return -1; + ret = -1; + goto out; } else if(*p != '\0') { ret = parse_binding(f, lineno, p, &b, &s->u.list, error_message); if (ret) - return ret; + goto out; } } +out: fclose (f); - return 0; + return ret; } krb5_error_code 
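Review bot: `return ENOENT;` in the `@@ -218` hunk reports every fopen() failure as a missing file, so EACCES or EMFILE is mis-reported; `return errno;` (read immediately after the failed fopen) keeps the real cause. In the `@@ -234` hunk the `unmatched }` branch sets `ret = -1`, which is neither an errno value nor a krb5 error code, while the other exits of this function now return errno-style values — pick one convention. `&s->u.list` in the `parse_binding` call is dereferenced even when no `[section]` header has been seen yet and `s` is still the NULL it was initialised to in the `@@ -210` hunk; a `if (s == NULL) { *error_message = "binding outside section"; ret = -1; goto out; }` guard before that call turns the crash into a parse error (constructed message). krb5_config_parse_file_debug starts outside the hunk.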
@@ -422,6 +425,35 @@ krb5_config_vget_string (krb5_context context, return krb5_config_vget (context, c, krb5_config_string, args); } +const char * +krb5_config_vget_string_default (krb5_context context, + krb5_config_section *c, + const char *def_value, + va_list args) +{ + const char *ret; + + ret = krb5_config_vget_string (context, c, args); + if (ret == NULL) + ret = def_value; + return ret; +} + +const char * +krb5_config_get_string_default (krb5_context context, + krb5_config_section *c, + const char *def_value, + ...) +{ + const char *ret; + va_list args; + + va_start(args, def_value); + ret = krb5_config_vget_string_default (context, c, def_value, args); + va_end(args); + return ret; +} + char ** krb5_config_vget_strings(krb5_context context, krb5_config_section *c, diff --git a/crypto/heimdal/lib/krb5/constants.c b/crypto/heimdal/lib/krb5/constants.c index 8314c26..946fd4d 100644 --- a/crypto/heimdal/lib/krb5/constants.c +++ b/crypto/heimdal/lib/krb5/constants.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: constants.c,v 1.4 1999/12/02 17:05:08 joda Exp $"); +RCSID("$Id: constants.c,v 1.5 2000/07/14 21:53:01 joda Exp $"); const char krb5_config_file[] = "/etc/krb5.conf"; -const char krb5_defkeyname[] = "/etc/v5srvtab"; +const char krb5_defkeyname[] = KEYTAB_DEFAULT; diff --git a/crypto/heimdal/lib/krb5/context.c b/crypto/heimdal/lib/krb5/context.c index fb3fb61..0cfac9a 100644 --- a/crypto/heimdal/lib/krb5/context.c +++ b/crypto/heimdal/lib/krb5/context.c 
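Review bot: The two new `*_default` getters carry no header comment, and the part of the contract a caller needs — the result is either `def_value` or whatever `krb5_config_vget_string` returns, never a fresh copy, so it must not be freed — is only visible by reading the body. A comment such as `/* Like krb5_config_vget_string, but return def_value when the variable is unset. The result is not a copy; do not free it. */` on `krb5_config_vget_string_default`, and a one-liner pointing to it on the varargs wrapper, would do. The "not a copy" part is inferred from the pass-through of `krb5_config_vget_string`'s result; confirm against that function before writing it down.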
@@ -33,16 +33,12 @@ #include "krb5_locl.h" -RCSID("$Id: context.c,v 1.53 2000/02/11 17:43:43 assar Exp $"); +RCSID("$Id: context.c,v 1.59 2000/12/15 17:11:51 joda Exp $"); #define INIT_FIELD(C, T, E, D, F) \ (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \ "libdefaults", F, NULL) -#ifdef KRB4 -extern krb5_kt_ops krb4_fkt_ops; -#endif - /* * Set the list of etypes `ret_etypes' from the configuration variable * `name' @@ -89,27 +85,26 @@ init_context_from_config_file(krb5_context context) INIT_FIELD(context, time, kdc_timeout, 3, "kdc_timeout"); INIT_FIELD(context, int, max_retries, 3, "max_retries"); - context->http_proxy = krb5_config_get_string(context, NULL, "libdefaults", - "http_proxy", NULL); + INIT_FIELD(context, string, http_proxy, NULL, "http_proxy"); set_etypes (context, "default_etypes", &context->etypes); set_etypes (context, "default_etypes_des", &context->etypes_des); /* default keytab name */ - context->default_keytab = krb5_config_get_string(context, NULL, - "libdefaults", - "default_keytab_name", - NULL); - if(context->default_keytab == NULL) - context->default_keytab = KEYTAB_DEFAULT; - - context->time_fmt = krb5_config_get_string(context, NULL, "libdefaults", - "time_format", NULL); - if(context->time_fmt == NULL) - context->time_fmt = "%Y-%m-%dT%H:%M:%S"; - context->log_utc = krb5_config_get_bool(context, NULL, "libdefaults", - "log_utc", NULL); + INIT_FIELD(context, string, default_keytab, + KEYTAB_DEFAULT, "default_keytab_name"); + + INIT_FIELD(context, string, time_fmt, + "%Y-%m-%dT%H:%M:%S", "time_format"); + + INIT_FIELD(context, string, date_fmt, + "%Y-%m-%d", "date_format"); + INIT_FIELD(context, bool, log_utc, + FALSE, "log_utc"); + + + /* init dns-proxy slime */ tmp = krb5_config_get_string(context, NULL, "libdefaults", "dns_proxy", NULL); 
@@ -136,7 +131,6 @@ init_context_from_config_file(krb5_context context) INIT_FIELD(context, bool, scan_interfaces, TRUE, "scan_interfaces"); INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup"); INIT_FIELD(context, bool, srv_try_txt, FALSE, "srv_try_txt"); - INIT_FIELD(context, bool, srv_try_rfc2052, TRUE, "srv_try_rfc2052"); INIT_FIELD(context, int, fcache_vno, 0, "fcache_version"); context->cc_ops = NULL; @@ -148,10 +142,8 @@ init_context_from_config_file(krb5_context context) context->kt_types = NULL; krb5_kt_register (context, &krb5_fkt_ops); krb5_kt_register (context, &krb5_mkt_ops); -#ifdef KRB4 - krb5_kt_register (context, &krb4_fkt_ops); -#endif krb5_kt_register (context, &krb5_akf_ops); + krb5_kt_register (context, &krb4_fkt_ops); return 0; } @@ -187,8 +179,10 @@ krb5_init_context(krb5_context *context) #endif ret = init_context_from_config_file(p); - if(ret) + if(ret) { + krb5_free_context(p); return ret; + } *context = p; return 0; @@ -211,12 +205,17 @@ krb5_free_context(krb5_context context) free(context); } +/* + * set `etype' to a malloced list of the default enctypes + */ + static krb5_error_code default_etypes(krb5_enctype **etype) { krb5_enctype p[] = { ETYPE_DES3_CBC_SHA1, ETYPE_DES3_CBC_MD5, + ETYPE_ARCFOUR_HMAC_MD5, ETYPE_DES_CBC_MD5, ETYPE_DES_CBC_MD4, ETYPE_DES_CBC_CRC, diff --git a/crypto/heimdal/lib/krb5/convert_creds.c b/crypto/heimdal/lib/krb5/convert_creds.c index 24dea0b..8459ee3 100644 --- a/crypto/heimdal/lib/krb5/convert_creds.c +++ b/crypto/heimdal/lib/krb5/convert_creds.c @@ -32,7 +32,7 @@ */ #include "krb5_locl.h" -RCSID("$Id: convert_creds.c,v 1.13 1999/12/02 17:05:08 joda Exp $"); +RCSID("$Id: convert_creds.c,v 1.15 2000/07/11 19:30:04 joda Exp $"); static krb5_error_code check_ticket_flags(TicketFlags f) 
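Review bot: `krb5_kt_register (context, &krb4_fkt_ops);` in the `@@ -148` hunk is now unconditional, and the `@@ -33` hunk on the previous line drops the `#ifdef KRB4` extern that declared it; unless `krb4_fkt_ops` is now defined in every build configuration, this is an undefined reference when Kerberos 4 support is compiled out — a comment saying why the guard is gone would settle it. In the `@@ -187` hunk, `krb5_free_context(p)` is called on a context whose initialisation aborted midway; the `@@ -211` hunk shows it does `free(context)`, but whether it tolerates fields init_context_from_config_file never reached cannot be seen here — confirm before relying on it. In the `@@ -211` hunk, if the array order is the preference order, a line saying so would explain why `ETYPE_ARCFOUR_HMAC_MD5` sits between the DES3 and single-DES entries.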
@@ -166,10 +166,32 @@ krb524_convert_creds_kdc(krb5_context context, if(ret) goto out2; - ret = krb5_sendto_kdc (context, + { + char **hostlist; + int port; + port = krb5_getportbyname (context, "krb524", "udp", 4444); + + ret = krb5_get_krbhst (context, krb5_princ_realm(context, + v5_creds->server), + &hostlist); + if(ret) + goto out2; + + ret = krb5_sendto (context, &v5_creds->ticket, - krb5_princ_realm(context, v5_creds->server), + hostlist, + port, &reply); + if(ret == KRB5_KDC_UNREACH) { + port = krb5_getportbyname (context, "kerberos", "udp", 88); + ret = krb5_sendto (context, + &v5_creds->ticket, + hostlist, + port, + &reply); + } + krb5_free_krbhst (context, hostlist); + } if (ret) goto out2; sp = krb5_storage_from_mem(reply.data, reply.length); diff --git a/crypto/heimdal/lib/krb5/crc.c b/crypto/heimdal/lib/krb5/crc.c index 2f9ef95..c7cedd8 100644 --- a/crypto/heimdal/lib/krb5/crc.c +++ b/crypto/heimdal/lib/krb5/crc.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: crc.c,v 1.8 1999/12/02 17:05:08 joda Exp $"); +RCSID("$Id: crc.c,v 1.9 2000/08/03 01:45:14 assar Exp $"); static u_long table[256]; @@ -63,7 +63,7 @@ _krb5_crc_init_table(void) } u_int32_t -_krb5_crc_update (char *p, size_t len, u_int32_t res) +_krb5_crc_update (const char *p, size_t len, u_int32_t res) { while (len--) res = table[(res ^ *p++) & 0xFF] ^ (res >> 8); diff --git a/crypto/heimdal/lib/krb5/crypto.c b/crypto/heimdal/lib/krb5/crypto.c index aef45b1..0415542 100644 --- a/crypto/heimdal/lib/krb5/crypto.c +++ b/crypto/heimdal/lib/krb5/crypto.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
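Review bot: `port = krb5_getportbyname (context, "krb524", "udp", 4444);` is used as-is, while get_kdc_address in changepw.c (earlier in this commit) wraps the same call in `ntohs()` before using the value as a host-order port; unless krb5_sendto expects a network-order port, one of the two call sites passes the wrong byte order — check krb5_sendto's contract and make them agree. On the `KRB5_KDC_UNREACH` fallback, `reply` is handed to `krb5_sendto` a second time; if the first attempt partially filled it (not visible here), the retry should start from a freed or zeroed `reply`. The declarations in the new inner `{ ... }` block would read better hoisted to the top of the function. krb524_convert_creds_kdc starts outside the hunk.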
@@ -32,7 +32,7 @@ */ #include "krb5_locl.h" -RCSID("$Id: crypto.c,v 1.29 2000/01/25 23:06:55 assar Exp $"); +RCSID("$Id: crypto.c,v 1.43 2001/01/30 17:10:55 assar Exp $"); #undef CRYPTO_DEBUG #ifdef CRYPTO_DEBUG @@ -65,6 +65,7 @@ struct krb5_crypto_data { #define F_DERIVED 4 /* uses derived keys */ #define F_VARIANT 8 /* uses `variant' keys (6.4.3) */ #define F_PSEUDO 16 /* not a real protocol type */ +#define F_SPECIAL 32 /* backwards */ struct salt_type { krb5_salttype type; @@ -93,9 +94,16 @@ struct checksum_type { size_t blocksize; size_t checksumsize; unsigned flags; - void (*checksum)(krb5_context, struct key_data*, void*, size_t, Checksum*); - krb5_error_code (*verify)(krb5_context, struct key_data*, - void*, size_t, Checksum*); + void (*checksum)(krb5_context context, + struct key_data *key, + const void *buf, size_t len, + unsigned usage, + Checksum *csum); + krb5_error_code (*verify)(krb5_context context, + struct key_data *key, + const void *buf, size_t len, + unsigned usage, + Checksum *csum); }; struct encryption_type { @@ -107,7 +115,11 @@ struct encryption_type { struct checksum_type *cksumtype; struct checksum_type *keyed_checksum; unsigned flags; - void (*encrypt)(struct key_data *, void *, size_t, int); + krb5_error_code (*encrypt)(struct key_data *key, + void *data, size_t len, + krb5_boolean encrypt, + int usage, + void *ivec); }; #define ENCRYPTION_USAGE(U) (((U) << 8) | 0xAA) @@ -189,7 +201,8 @@ DES_AFS3_CMU_string_to_key (krb5_data pw, for(i = 0; i < 8; i++) { char c = ((i < pw.length) ? ((char*)pw.data)[i] : 0) ^ - ((i < cell.length) ? ((char*)cell.data)[i] : 0); + ((i < cell.length) ? + tolower(((unsigned char*)cell.data)[i]) : 0); password[i] = c ? c : 'X'; } password[8] = '\0'; 
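Review bot: `#define F_SPECIAL 32 /* backwards */` does not say what the flag means, yet it is what routes an enctype through the new special encrypt path (special_crypto / encrypt_internal_special later in this diff); suggest `/* et->encrypt handles confounder and checksum itself (RC4-HMAC); bypasses the derived/internal paths */`. The new `usage` and `ivec` parameters on the `checksum`/`verify`/`encrypt` function pointers deserve a line each: in this diff only the HMAC-MD5 checksums and ARCFOUR_encrypt consume `usage`, and the `*_null_ivec`/`*_key_ivec` implementations ignore `ivec` entirely, so a caller cannot rely on either being honoured without checking the implementation. The struct definitions are complete within the hunks.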
@@ -219,23 +232,25 @@ DES_AFS3_Transarc_string_to_key (krb5_data pw, size_t passlen; memcpy(password, pw.data, min(pw.length, sizeof(password))); - if(pw.length < sizeof(password)) - memcpy(password + pw.length, - cell.data, min(cell.length, - sizeof(password) - pw.length)); + if(pw.length < sizeof(password)) { + int len = min(cell.length, sizeof(password) - pw.length); + int i; + + memcpy(password + pw.length, cell.data, len); + for (i = pw.length; i < pw.length + len; ++i) + password[i] = tolower((unsigned char)password[i]); + } passlen = min(sizeof(password), pw.length + cell.length); memcpy(&ivec, "kerberos", 8); memcpy(&temp_key, "kerberos", 8); des_set_odd_parity (&temp_key); des_set_key (&temp_key, schedule); - des_cbc_cksum ((const void *)password, &ivec, passlen, - schedule, &ivec); + des_cbc_cksum ((des_cblock *)password, &ivec, passlen, schedule, &ivec); memcpy(&temp_key, &ivec, 8); des_set_odd_parity (&temp_key); des_set_key (&temp_key, schedule); - des_cbc_cksum ((const void *)password, key, passlen, - schedule, &ivec); + des_cbc_cksum ((des_cblock *)password, key, passlen, schedule, &ivec); memset(&schedule, 0, sizeof(schedule)); memset(&temp_key, 0, sizeof(temp_key)); memset(&ivec, 0, sizeof(ivec)); @@ -339,8 +354,8 @@ DES3_string_to_key(krb5_context context, des_set_key(keys + i, s[i]); } memset(&ivec, 0, sizeof(ivec)); - des_ede3_cbc_encrypt((const void *)tmp, - (void *)tmp, sizeof(tmp), + des_ede3_cbc_encrypt((des_cblock *)tmp, + (des_cblock *)tmp, sizeof(tmp), s[0], s[1], s[2], &ivec, DES_ENCRYPT); memset(s, 0, sizeof(s)); memset(&ivec, 0, sizeof(ivec)); @@ -416,7 +431,7 @@ ARCFOUR_string_to_key(krb5_context context, int i; MD4_CTX m; - len = 2 * (password.length + salt.saltvalue.length); + len = 2 * password.length; s = malloc (len); if (len != 0 && s == NULL) return ENOMEM; 
@@ -424,15 +439,11 @@ ARCFOUR_string_to_key(krb5_context context, *p++ = ((char *)password.data)[i]; *p++ = 0; } - for (i = 0; i < salt.saltvalue.length; ++i) { - *p++ = ((char *)salt.saltvalue.data)[i]; - *p++ = 0; - } - MD4Init (&m); - MD4Update (&m, s, len); + MD4_Init (&m); + MD4_Update (&m, s, len); key->keytype = enctype; krb5_data_alloc (&key->keyvalue, 16); - MD4Final (key->keyvalue.data, &m); + MD4_Final (key->keyvalue.data, &m); memset (s, 0, len); free (s); return 0; @@ -670,6 +681,11 @@ krb5_string_to_key (krb5_context context, return krb5_string_to_key_data(context, enctype, pw, principal, key); } +/* + * Do a string -> key for encryption type `enctype' operation on + * `password' (with salt `salt'), returning the resulting key in `key' + */ + krb5_error_code krb5_string_to_key_data_salt (krb5_context context, krb5_enctype enctype, @@ -687,6 +703,12 @@ krb5_string_to_key_data_salt (krb5_context context, return HEIM_ERR_SALTTYPE_NOSUPP; } +/* + * Do a string -> key for encryption type `enctype' operation on the + * string `password' (with salt `salt'), returning the resulting key + * in `key' + */ + krb5_error_code krb5_string_to_key_salt (krb5_context context, krb5_enctype enctype, @@ -759,6 +781,8 @@ _key_schedule(krb5_context context, if(kt->schedule == NULL) return 0; + if (key->schedule != NULL) + return 0; ALLOC(key->schedule, 1); if(key->schedule == NULL) return ENOMEM; @@ -779,8 +803,9 @@ _key_schedule(krb5_context context, static void NONE_checksum(krb5_context context, struct key_data *key, - void *data, + const void *data, size_t len, + unsigned usage, Checksum *C) { } @@ -788,8 +813,9 @@ NONE_checksum(krb5_context context, static void CRC32_checksum(krb5_context context, struct key_data *key, - void *data, + const void *data, size_t len, + unsigned usage, Checksum *C) { u_int32_t crc; 
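Review bot: `*p++ = ((char *)password.data)[i]; *p++ = 0;` builds the wide form of the password by widening each byte with a zero, which is only correct for ASCII; any non-ASCII password yields a key that will not match what a peer deriving from the real UTF-16LE encoding computes (context line of this hunk, function starts outside it). With the salt loop removed here and `len = 2 * password.length;` in the `@@ -416` hunk on the previous line, the `salt` parameter of ARCFOUR_string_to_key is now unused, which a later reader will be tempted to "fix"; a comment such as `/* RC4-HMAC keys are MD4 over the UTF-16LE password; the salt is deliberately not used */` next to the allocation would prevent that. The `MD4_Init`/`MD4_Update`/`MD4_Final` renames are mechanical and fine.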
@@ -805,22 +831,24 @@ CRC32_checksum(krb5_context context, static void RSA_MD4_checksum(krb5_context context, struct key_data *key, - void *data, + const void *data, size_t len, + unsigned usage, Checksum *C) { MD4_CTX m; - MD4Init (&m); - MD4Update (&m, data, len); - MD4Final (C->checksum.data, &m); + MD4_Init (&m); + MD4_Update (&m, data, len); + MD4_Final (C->checksum.data, &m); } static void RSA_MD4_DES_checksum(krb5_context context, struct key_data *key, - void *data, + const void *data, size_t len, + unsigned usage, Checksum *cksum) { MD4_CTX md4; @@ -828,13 +856,13 @@ RSA_MD4_DES_checksum(krb5_context context, unsigned char *p = cksum->checksum.data; krb5_generate_random_block(p, 8); - MD4Init (&md4); - MD4Update (&md4, p, 8); - MD4Update (&md4, data, len); - MD4Final (p + 8, &md4); + MD4_Init (&md4); + MD4_Update (&md4, p, 8); + MD4_Update (&md4, data, len); + MD4_Final (p + 8, &md4); memset (&ivec, 0, sizeof(ivec)); - des_cbc_encrypt((const void *)p, - (void *)p, + des_cbc_encrypt((des_cblock*)p, + (des_cblock*)p, 24, key->schedule->data, &ivec, @@ -844,8 +872,9 @@ RSA_MD4_DES_checksum(krb5_context context, static krb5_error_code RSA_MD4_DES_verify(krb5_context context, struct key_data *key, - void *data, + const void *data, size_t len, + unsigned usage, Checksum *C) { MD4_CTX md4; @@ -861,10 +890,10 @@ RSA_MD4_DES_verify(krb5_context context, key->schedule->data, &ivec, DES_DECRYPT); - MD4Init (&md4); - MD4Update (&md4, tmp, 8); /* confounder */ - MD4Update (&md4, data, len); - MD4Final (res, &md4); + MD4_Init (&md4); + MD4_Update (&md4, tmp, 8); /* confounder */ + MD4_Update (&md4, data, len); + MD4_Final (res, &md4); if(memcmp(res, tmp + 8, sizeof(res)) != 0) ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; memset(tmp, 0, sizeof(tmp)); 
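Review bot: `if(memcmp(res, tmp + 8, sizeof(res)) != 0)` in RSA_MD4_DES_verify compares the recomputed MAC with the received one using memcmp, whose early exit makes the comparison time depend on how many leading bytes agree (context line, not introduced by this commit; the same pattern is in the RSA_MD5_DES and RSA_MD5_DES3 verify hunks on the next two lines and in ARCFOUR_subdecrypt later in this diff). A small fixed-time helper — loop over every byte OR-ing the XOR differences into an accumulator and test it once at the end — used in all four places removes the timing dependence. The verify functions start outside their hunks.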
@@ -875,22 +904,24 @@ RSA_MD4_DES_verify(krb5_context context, static void RSA_MD5_checksum(krb5_context context, struct key_data *key, - void *data, + const void *data, size_t len, + unsigned usage, Checksum *C) { MD5_CTX m; - MD5Init (&m); - MD5Update(&m, data, len); - MD5Final (C->checksum.data, &m); + MD5_Init (&m); + MD5_Update(&m, data, len); + MD5_Final (C->checksum.data, &m); } static void RSA_MD5_DES_checksum(krb5_context context, struct key_data *key, - void *data, + const void *data, size_t len, + unsigned usage, Checksum *C) { MD5_CTX md5; @@ -898,13 +929,13 @@ RSA_MD5_DES_checksum(krb5_context context, unsigned char *p = C->checksum.data; krb5_generate_random_block(p, 8); - MD5Init (&md5); - MD5Update (&md5, p, 8); - MD5Update (&md5, data, len); - MD5Final (p + 8, &md5); + MD5_Init (&md5); + MD5_Update (&md5, p, 8); + MD5_Update (&md5, data, len); + MD5_Final (p + 8, &md5); memset (&ivec, 0, sizeof(ivec)); - des_cbc_encrypt((const void *)p, - (void *)p, + des_cbc_encrypt((des_cblock*)p, + (des_cblock*)p, 24, key->schedule->data, &ivec, @@ -914,8 +945,9 @@ RSA_MD5_DES_checksum(krb5_context context, static krb5_error_code RSA_MD5_DES_verify(krb5_context context, struct key_data *key, - void *data, + const void *data, size_t len, + unsigned usage, Checksum *C) { MD5_CTX md5; @@ -932,10 +964,10 @@ RSA_MD5_DES_verify(krb5_context context, sched[0], &ivec, DES_DECRYPT); - MD5Init (&md5); - MD5Update (&md5, tmp, 8); /* confounder */ - MD5Update (&md5, data, len); - MD5Final (res, &md5); + MD5_Init (&md5); + MD5_Update (&md5, tmp, 8); /* confounder */ + MD5_Update (&md5, data, len); + MD5_Final (res, &md5); if(memcmp(res, tmp + 8, sizeof(res)) != 0) ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; memset(tmp, 0, sizeof(tmp)); @@ -946,8 +978,9 @@ RSA_MD5_DES_verify(krb5_context context, static void RSA_MD5_DES3_checksum(krb5_context context, struct key_data *key, - void *data, + const void *data, size_t len, + unsigned usage, Checksum *C) { MD5_CTX md5; 
@@ -956,13 +989,13 @@ RSA_MD5_DES3_checksum(krb5_context context, des_key_schedule *sched = key->schedule->data; krb5_generate_random_block(p, 8); - MD5Init (&md5); - MD5Update (&md5, p, 8); - MD5Update (&md5, data, len); - MD5Final (p + 8, &md5); + MD5_Init (&md5); + MD5_Update (&md5, p, 8); + MD5_Update (&md5, data, len); + MD5_Final (p + 8, &md5); memset (&ivec, 0, sizeof(ivec)); - des_ede3_cbc_encrypt((const void *)p, - (void *)p, + des_ede3_cbc_encrypt((des_cblock*)p, + (des_cblock*)p, 24, sched[0], sched[1], sched[2], &ivec, @@ -972,8 +1005,9 @@ RSA_MD5_DES3_checksum(krb5_context context, static krb5_error_code RSA_MD5_DES3_verify(krb5_context context, struct key_data *key, - void *data, + const void *data, size_t len, + unsigned usage, Checksum *C) { MD5_CTX md5; @@ -990,10 +1024,10 @@ RSA_MD5_DES3_verify(krb5_context context, sched[0], sched[1], sched[2], &ivec, DES_DECRYPT); - MD5Init (&md5); - MD5Update (&md5, tmp, 8); /* confounder */ - MD5Update (&md5, data, len); - MD5Final (res, &md5); + MD5_Init (&md5); + MD5_Update (&md5, tmp, 8); /* confounder */ + MD5_Update (&md5, data, len); + MD5_Final (res, &md5); if(memcmp(res, tmp + 8, sizeof(res)) != 0) ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; memset(tmp, 0, sizeof(tmp)); @@ -1004,23 +1038,25 @@ RSA_MD5_DES3_verify(krb5_context context, static void SHA1_checksum(krb5_context context, struct key_data *key, - void *data, + const void *data, size_t len, + unsigned usage, Checksum *C) { - SHA1_CTX m; + SHA_CTX m; - SHA1Init(&m); - SHA1Update(&m, data, len); - SHA1Final(C->checksum.data, &m); + SHA1_Init(&m); + SHA1_Update(&m, data, len); + SHA1_Final(C->checksum.data, &m); } /* HMAC according to RFC2104 */ static void hmac(krb5_context context, struct checksum_type *cm, - void *data, + const void *data, size_t len, + unsigned usage, struct key_data *keyblock, Checksum *result) { 
@@ -1034,6 +1070,7 @@ hmac(krb5_context context, keyblock, keyblock->key->keyvalue.data, keyblock->key->keyvalue.length, + usage, result); key = result->checksum.data; key_len = result->checksum.length; @@ -1050,11 +1087,12 @@ hmac(krb5_context context, opad[i] ^= key[i]; } memcpy(ipad + cm->blocksize, data, len); - (*cm->checksum)(context, keyblock, ipad, cm->blocksize + len, result); + (*cm->checksum)(context, keyblock, ipad, cm->blocksize + len, + usage, result); memcpy(opad + cm->blocksize, result->checksum.data, result->checksum.length); (*cm->checksum)(context, keyblock, opad, - cm->blocksize + cm->checksumsize, result); + cm->blocksize + cm->checksumsize, usage, result); memset(ipad, 0, cm->blocksize + len); free(ipad); memset(opad, 0, cm->blocksize + cm->checksumsize); 
@@ -1064,13 +1102,84 @@ hmac(krb5_context context, static void HMAC_SHA1_DES3_checksum(krb5_context context, struct key_data *key, - void *data, + const void *data, size_t len, + unsigned usage, Checksum *result) { struct checksum_type *c = _find_checksum(CKSUMTYPE_SHA1); - hmac(context, c, data, len, key, result); + hmac(context, c, data, len, usage, key, result); +} + +/* + * checksum according to section 5. of draft-brezak-win2k-krb-rc4-hmac-03.txt + */ + +static void +HMAC_MD5_checksum(krb5_context context, + struct key_data *key, + const void *data, + size_t len, + unsigned usage, + Checksum *result) +{ + MD5_CTX md5; + struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5); + const char signature[] = "signaturekey"; + Checksum ksign_c; + struct key_data ksign; + krb5_keyblock kb; + unsigned char t[4]; + unsigned char tmp[16]; + unsigned char ksign_c_data[16]; + + ksign_c.checksum.length = sizeof(ksign_c_data); + ksign_c.checksum.data = ksign_c_data; + hmac(context, c, signature, sizeof(signature), 0, key, &ksign_c); + ksign.key = &kb; + kb.keyvalue = ksign_c.checksum; + MD5_Init (&md5); + t[0] = (usage >> 0) & 0xFF; + t[1] = (usage >> 8) & 0xFF; + t[2] = (usage >> 16) & 0xFF; + t[3] = (usage >> 24) & 0xFF; + MD5_Update (&md5, t, 4); + MD5_Update (&md5, data, len); + MD5_Final (tmp, &md5); + hmac(context, c, tmp, sizeof(tmp), 0, &ksign, result); +} + +/* + * same as previous but being used while encrypting. 
+ */ + +static void +HMAC_MD5_checksum_enc(krb5_context context, + struct key_data *key, + const void *data, + size_t len, + unsigned usage, + Checksum *result) +{ + struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5); + Checksum ksign_c; + struct key_data ksign; + krb5_keyblock kb; + unsigned char t[4]; + unsigned char ksign_c_data[16]; + + t[0] = (usage >> 0) & 0xFF; + t[1] = (usage >> 8) & 0xFF; + t[2] = (usage >> 16) & 0xFF; + t[3] = (usage >> 24) & 0xFF; + + ksign_c.checksum.length = sizeof(ksign_c_data); + ksign_c.checksum.data = ksign_c_data; + hmac(context, c, t, sizeof(t), 0, key, &ksign_c); + ksign.key = &kb; + kb.keyvalue = ksign_c.checksum; + hmac(context, c, data, len, 0, &ksign, result); } struct checksum_type checksum_none = { @@ -1116,7 +1225,7 @@ struct checksum_type checksum_des_mac = { 0, 0, 0, - DES_MAC_checksum, + DES_MAC_checksum }; struct checksum_type checksum_des_mac_k = { CKSUMTYPE_DES_MAC_K, @@ -1124,7 +1233,7 @@ struct checksum_type checksum_des_mac_k = { 0, 0, 0, - DES_MAC_K_checksum, + DES_MAC_K_checksum }; struct checksum_type checksum_rsa_md4_des_k = { CKSUMTYPE_RSA_MD4_DES_K, @@ -1132,8 +1241,8 @@ struct checksum_type checksum_rsa_md4_des_k = { 0, 0, 0, - RSA_MD4_DES_K_checksum, - RSA_MD4_DES_K_verify, + RSA_MD4_DES_K_checksum, + RSA_MD4_DES_K_verify }; #endif struct checksum_type checksum_rsa_md5 = { @@ -1152,7 +1261,7 @@ struct checksum_type checksum_rsa_md5_des = { 24, F_KEYED | F_CPROOF | F_VARIANT, RSA_MD5_DES_checksum, - RSA_MD5_DES_verify, + RSA_MD5_DES_verify }; struct checksum_type checksum_rsa_md5_des3 = { CKSUMTYPE_RSA_MD5_DES3, @@ -1161,7 +1270,7 @@ struct checksum_type checksum_rsa_md5_des3 = { 24, F_KEYED | F_CPROOF | F_VARIANT, RSA_MD5_DES3_checksum, - RSA_MD5_DES3_verify, + RSA_MD5_DES3_verify }; struct checksum_type checksum_sha1 = { CKSUMTYPE_SHA1, 
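Review bot: `ksign_c_data` holds the derived signing key and `tmp` the intermediate digest in HMAC_MD5_checksum, but neither is cleared before return, whereas ARCFOUR_subencrypt later in this diff memsets its k1/k2/k3 buffers; add `memset(ksign_c_data, 0, sizeof(ksign_c_data)); memset(tmp, 0, sizeof(tmp));` at the end of HMAC_MD5_checksum and the `ksign_c_data` memset at the end of HMAC_MD5_checksum_enc. `ksign.schedule` (and `kb.keytype`) are never set before `ksign` is handed to hmac(); the RSA_MD5 checksum does not read them, but `ksign.schedule = NULL;` keeps a struct with indeterminate fields from travelling through the callback chain. `hmac(context, c, signature, sizeof(signature), 0, key, &ksign_c);` feeds the terminating NUL of `"signaturekey"` into the keyed data; a `/* the trailing NUL is part of the keyed string, per the referenced draft */` comment would stop someone "correcting" it to strlen. The hunk starts on the previous line.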
@@ -1182,6 +1291,26 @@ struct checksum_type checksum_hmac_sha1_des3 = { NULL }; +struct checksum_type checksum_hmac_md5 = { + CKSUMTYPE_HMAC_MD5, + "hmac-md5", + 64, + 16, + F_KEYED | F_CPROOF, + HMAC_MD5_checksum, + NULL +}; + +struct checksum_type checksum_hmac_md5_enc = { + CKSUMTYPE_HMAC_MD5_ENC, + "hmac-md5-enc", + 64, + 16, + F_KEYED | F_CPROOF | F_PSEUDO, + HMAC_MD5_checksum_enc, + NULL +}; + struct checksum_type *checksum_types[] = { &checksum_none, &checksum_crc32, @@ -1196,7 +1325,9 @@ struct checksum_type *checksum_types[] = { &checksum_rsa_md5_des, &checksum_rsa_md5_des3, &checksum_sha1, - &checksum_hmac_sha1_des3 + &checksum_hmac_sha1_des3, + &checksum_hmac_md5, + &checksum_hmac_md5_enc }; static int num_checksums = sizeof(checksum_types) / sizeof(checksum_types[0]); @@ -1257,13 +1388,15 @@ do_checksum (krb5_context context, keyed_checksum = (ct->flags & F_KEYED) != 0; if(keyed_checksum && crypto == NULL) return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */ - if(keyed_checksum) + if(keyed_checksum) { ret = get_checksum_key(context, crypto, usage, ct, &dkey); - else + if (ret) + return ret; + } else dkey = NULL; result->cksumtype = ct->type; krb5_data_alloc(&result->checksum, ct->checksumsize); - (*ct->checksum)(context, dkey, data, len, result); + (*ct->checksum)(context, dkey, data, len, usage, result); return 0; } @@ -1329,13 +1462,13 @@ verify_checksum(krb5_context context, else dkey = NULL; if(ct->verify) - return (*ct->verify)(context, dkey, data, len, cksum); + return (*ct->verify)(context, dkey, data, len, usage, cksum); ret = krb5_data_alloc (&c.checksum, ct->checksumsize); if (ret) return ret; - (*ct->checksum)(context, dkey, data, len, &c); + (*ct->checksum)(context, dkey, data, len, usage, &c); if(c.checksum.length != cksum->checksum.length || memcmp(c.checksum.data, cksum->checksum.data, c.checksum.length)) 
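Review bot: `krb5_data_alloc(&result->checksum, ct->checksumsize);` in do_checksum still ignores its return value, so on allocation failure `(*ct->checksum)(context, dkey, data, len, usage, result);` writes the digest through a NULL `result->checksum.data`; the verify_checksum hunk on the same line already does `ret = krb5_data_alloc (&c.checksum, ct->checksumsize); if (ret) return ret;`, so do the same here. The new `checksum_hmac_md5_enc` entry is marked `F_PSEUDO` while `checksum_hmac_md5` is not; a one-line comment on why the `_enc` variant must not be selectable as a protocol checksum type would help the next reader. Both functions start outside their hunks.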
@@ -1394,62 +1527,297 @@ krb5_checksum_is_collision_proof(krb5_context context, * * ************************************************************/ -static void +static krb5_error_code NULL_encrypt(struct key_data *key, void *data, size_t len, - krb5_boolean encrypt) + krb5_boolean encrypt, + int usage, + void *ivec) { + return 0; } -static void +static krb5_error_code DES_CBC_encrypt_null_ivec(struct key_data *key, void *data, size_t len, - krb5_boolean encrypt) + krb5_boolean encrypt, + int usage, + void *ignore_ivec) { des_cblock ivec; des_key_schedule *s = key->schedule->data; memset(&ivec, 0, sizeof(ivec)); des_cbc_encrypt(data, data, len, *s, &ivec, encrypt); + return 0; } -static void +static krb5_error_code DES_CBC_encrypt_key_ivec(struct key_data *key, void *data, size_t len, - krb5_boolean encrypt) + krb5_boolean encrypt, + int usage, + void *ignore_ivec) { des_cblock ivec; des_key_schedule *s = key->schedule->data; memcpy(&ivec, key->key->keyvalue.data, sizeof(ivec)); des_cbc_encrypt(data, data, len, *s, &ivec, encrypt); + return 0; } -static void +static krb5_error_code DES3_CBC_encrypt(struct key_data *key, void *data, size_t len, - krb5_boolean encrypt) + krb5_boolean encrypt, + int usage, + void *ignore_ivec) { des_cblock ivec; des_key_schedule *s = key->schedule->data; memset(&ivec, 0, sizeof(ivec)); des_ede3_cbc_encrypt(data, data, len, s[0], s[1], s[2], &ivec, encrypt); + return 0; } -static void +static krb5_error_code +DES3_CBC_encrypt_ivec(struct key_data *key, + void *data, + size_t len, + krb5_boolean encrypt, + int usage, + void *ivec) +{ + des_key_schedule *s = key->schedule->data; + + des_ede3_cbc_encrypt(data, data, len, s[0], s[1], s[2], ivec, encrypt); + return 0; +} + +static krb5_error_code +DES_CFB64_encrypt_null_ivec(struct key_data *key, + void *data, + size_t len, + krb5_boolean encrypt, + int usage, + void *ignore_ivec) +{ + des_cblock ivec; + int num = 0; + des_key_schedule *s = key->schedule->data; + memset(&ivec, 0, 
sizeof(ivec)); + + des_cfb64_encrypt(data, data, len, *s, &ivec, &num, encrypt); + return 0; +} + +static krb5_error_code +DES_PCBC_encrypt_key_ivec(struct key_data *key, + void *data, + size_t len, + krb5_boolean encrypt, + int usage, + void *ignore_ivec) +{ + des_cblock ivec; + des_key_schedule *s = key->schedule->data; + memcpy(&ivec, key->key->keyvalue.data, sizeof(ivec)); + + des_pcbc_encrypt(data, data, len, *s, &ivec, encrypt); + return 0; +} + +/* + * section 6 of draft-brezak-win2k-krb-rc4-hmac-03 + * + * warning: not for small children + */ + +static krb5_error_code +ARCFOUR_subencrypt(struct key_data *key, + void *data, + size_t len, + int usage, + void *ivec) +{ + struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5); + Checksum k1_c, k2_c, k3_c, cksum; + struct key_data ke; + krb5_keyblock kb; + unsigned char t[4]; + RC4_KEY rc4_key; + char *cdata = (char *)data; + unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16]; + + t[0] = (usage >> 0) & 0xFF; + t[1] = (usage >> 8) & 0xFF; + t[2] = (usage >> 16) & 0xFF; + t[3] = (usage >> 24) & 0xFF; + + k1_c.checksum.length = sizeof(k1_c_data); + k1_c.checksum.data = k1_c_data; + + hmac(NULL, c, t, sizeof(t), 0, key, &k1_c); + + memcpy (k2_c_data, k1_c_data, sizeof(k1_c_data)); + + k2_c.checksum.length = sizeof(k2_c_data); + k2_c.checksum.data = k2_c_data; + + ke.key = &kb; + kb.keyvalue = k2_c.checksum; + + cksum.checksum.length = 16; + cksum.checksum.data = data; + + hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum); + + ke.key = &kb; + kb.keyvalue = k1_c.checksum; + + k3_c.checksum.length = sizeof(k3_c_data); + k3_c.checksum.data = k3_c_data; + + hmac(NULL, c, data, 16, 0, &ke, &k3_c); + + RC4_set_key (&rc4_key, k3_c.checksum.length, k3_c.checksum.data); + RC4 (&rc4_key, len - 16, cdata + 16, cdata + 16); + memset (k1_c_data, 0, sizeof(k1_c_data)); + memset (k2_c_data, 0, sizeof(k2_c_data)); + memset (k3_c_data, 0, sizeof(k3_c_data)); + return 0; +} + +static krb5_error_code 
+ARCFOUR_subdecrypt(struct key_data *key, + void *data, + size_t len, + int usage, + void *ivec) +{ + struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5); + Checksum k1_c, k2_c, k3_c, cksum; + struct key_data ke; + krb5_keyblock kb; + unsigned char t[4]; + RC4_KEY rc4_key; + char *cdata = (char *)data; + unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16]; + unsigned char cksum_data[16]; + + t[0] = (usage >> 0) & 0xFF; + t[1] = (usage >> 8) & 0xFF; + t[2] = (usage >> 16) & 0xFF; + t[3] = (usage >> 24) & 0xFF; + + k1_c.checksum.length = sizeof(k1_c_data); + k1_c.checksum.data = k1_c_data; + + hmac(NULL, c, t, sizeof(t), 0, key, &k1_c); + + memcpy (k2_c_data, k1_c_data, sizeof(k1_c_data)); + + k2_c.checksum.length = sizeof(k2_c_data); + k2_c.checksum.data = k2_c_data; + + ke.key = &kb; + kb.keyvalue = k1_c.checksum; + + k3_c.checksum.length = sizeof(k3_c_data); + k3_c.checksum.data = k3_c_data; + + hmac(NULL, c, cdata, 16, 0, &ke, &k3_c); + + RC4_set_key (&rc4_key, k3_c.checksum.length, k3_c.checksum.data); + RC4 (&rc4_key, len - 16, cdata + 16, cdata + 16); + + ke.key = &kb; + kb.keyvalue = k2_c.checksum; + + cksum.checksum.length = 16; + cksum.checksum.data = cksum_data; + + hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum); + + memset (k1_c_data, 0, sizeof(k1_c_data)); + memset (k2_c_data, 0, sizeof(k2_c_data)); + memset (k3_c_data, 0, sizeof(k3_c_data)); + + if (memcmp (cksum.checksum.data, data, 16) != 0) + return KRB5KRB_AP_ERR_BAD_INTEGRITY; + else + return 0; +} + +/* + * convert the usage numbers used in + * draft-ietf-cat-kerb-key-derivation-00.txt to the ones in + * draft-brezak-win2k-krb-rc4-hmac-03.txt + */ + +static int +usage2arcfour (int usage) +{ + switch (usage) { + case KRB5_KU_PA_ENC_TIMESTAMP : + return 1; + case KRB5_KU_TICKET : + return 8; + case KRB5_KU_AS_REP_ENC_PART : + return 8; + case KRB5_KU_TGS_REQ_AUTH_DAT_SESSION : + case KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY : + case KRB5_KU_TGS_REQ_AUTH_CKSUM : + case KRB5_KU_TGS_REQ_AUTH 
: + return 7; + case KRB5_KU_TGS_REP_ENC_PART_SESSION : + case KRB5_KU_TGS_REP_ENC_PART_SUB_KEY : + return 8; + case KRB5_KU_AP_REQ_AUTH_CKSUM : + case KRB5_KU_AP_REQ_AUTH : + case KRB5_KU_AP_REQ_ENC_PART : + return 11; + case KRB5_KU_KRB_PRIV : + return 0; + case KRB5_KU_KRB_CRED : + case KRB5_KU_KRB_SAFE_CKSUM : + case KRB5_KU_OTHER_ENCRYPTED : + case KRB5_KU_OTHER_CKSUM : + case KRB5_KU_KRB_ERROR : + case KRB5_KU_AD_KDC_ISSUED : + case KRB5_KU_MANDATORY_TICKET_EXTENSION : + case KRB5_KU_AUTH_DATA_TICKET_EXTENSION : + case KRB5_KU_USAGE_SEAL : + case KRB5_KU_USAGE_SIGN : + case KRB5_KU_USAGE_SEQ : + default : + abort (); + } +} + +static krb5_error_code ARCFOUR_encrypt(struct key_data *key, void *data, size_t len, - krb5_boolean encrypt) + krb5_boolean encrypt, + int usage, + void *ivec) { + usage = usage2arcfour (usage); + if (encrypt) + return ARCFOUR_subencrypt (key, data, len, usage, ivec); + else + return ARCFOUR_subdecrypt (key, data, len, usage, ivec); } + /* * these should currently be in reverse preference order. - */ + * (only relevant for !F_PSEUDO) */ static struct encryption_type etypes[] = { { @@ -1496,6 +1864,17 @@ static struct encryption_type etypes[] = { 0, DES_CBC_encrypt_null_ivec, }, + { + ETYPE_ARCFOUR_HMAC_MD5, + "arcfour-hmac-md5", + 1, + 8, + &keytype_arcfour, + &checksum_hmac_md5_enc, + &checksum_hmac_md5_enc, + F_SPECIAL, + ARCFOUR_encrypt + }, { ETYPE_DES3_CBC_MD5, "des3-cbc-md5", @@ -1541,6 +1920,28 @@ static struct encryption_type etypes[] = { DES_CBC_encrypt_null_ivec, }, { + ETYPE_DES_CFB64_NONE, + "des-cfb64-none", + 1, + 0, + &keytype_des, + &checksum_none, + NULL, + F_PSEUDO, + DES_CFB64_encrypt_null_ivec, + }, + { + ETYPE_DES_PCBC_NONE, + "des-pcbc-none", + 8, + 0, + &keytype_des, + &checksum_none, + NULL, + F_PSEUDO, + DES_PCBC_encrypt_key_ivec, + }, + { ETYPE_DES3_CBC_NONE, "des3-cbc-none", 8, 
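Review bot: `hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum);` in ARCFOUR_subdecrypt (and the `RC4 (&rc4_key, len - 16, ...)` before it) computes `len - 16` on a size_t without first checking `len >= 16`; on the decrypt side `len` is the length of received ciphertext, so a short or truncated message wraps the length and the HMAC and RC4 walk far past the buffer. Add `if (len < 16) return KRB5KRB_AP_ERR_BAD_INTEGRITY;` at the top of ARCFOUR_subdecrypt — the decrypt_internal_derived hunk at the end of this chunk adds the equivalent `len < checksum_sz` guard for the derived path, and nothing visible does so for the special path. `usage2arcfour` ends in `abort ()` for every usage it does not map, turning an unsupported-but-reachable key usage into a process crash; returning a sentinel and having ARCFOUR_encrypt return `KRB5_PROG_ETYPE_NOSUPP` is kinder to the caller. `hmac(NULL, c, ...)` passes a NULL krb5_context, which is only safe while the RSA_MD5 checksum ignores its context argument; say so in a comment or thread a real context through.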
@@ -1549,8 +1950,19 @@ static struct encryption_type etypes[] = { &checksum_none, NULL, F_PSEUDO, - DES_CBC_encrypt_null_ivec, + DES3_CBC_encrypt, }, + { + ETYPE_DES3_CBC_NONE_IVEC, + "des3-cbc-none-ivec", + 8, + 0, + &keytype_des3_derived, + &checksum_none, + NULL, + F_PSEUDO, + DES3_CBC_encrypt_ivec, + } }; static unsigned num_etypes = sizeof(etypes) / sizeof(etypes[0]); @@ -1706,6 +2118,12 @@ derived_crypto(krb5_context context, return (crypto->et->flags & F_DERIVED) != 0; } +static krb5_boolean +special_crypto(krb5_context context, + krb5_crypto crypto) +{ + return (crypto->et->flags & F_SPECIAL) != 0; +} #define CHECKSUMSIZE(C) ((C)->checksumsize) #define CHECKSUMTYPE(C) ((C)->type) @@ -1716,7 +2134,8 @@ encrypt_internal_derived(krb5_context context, unsigned usage, void *data, size_t len, - krb5_data *result) + krb5_data *result, + void *ivec) { size_t sz, block_sz, checksum_sz; Checksum cksum; @@ -1745,14 +2164,17 @@ encrypt_internal_derived(krb5_context context, p, block_sz, &cksum); - if(ret == 0 && cksum.checksum.length != checksum_sz) - ret = KRB5_CRYPTO_INTERNAL; + if(ret == 0 && cksum.checksum.length != checksum_sz) { + free_Checksum (&cksum); + ret = KRB5_CRYPTO_INTERNAL; + } if(ret) { memset(p, 0, block_sz + checksum_sz); free(p); return ret; } memcpy(p + block_sz, cksum.checksum.data, cksum.checksum.length); + free_Checksum (&cksum); ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey); if(ret) { memset(p, 0, block_sz + checksum_sz); @@ -1768,7 +2190,7 @@ encrypt_internal_derived(krb5_context context, #ifdef CRYPTO_DEBUG krb5_crypto_debug(context, 1, block_sz, dkey->key); #endif - (*et->encrypt)(dkey, p, block_sz, 1); + (*et->encrypt)(dkey, p, block_sz, 1, usage, ivec); result->data = p; result->length = block_sz + checksum_sz; return 0; 
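Review bot: special_crypto in the @@ -1706 hunk is added without any comment on what F_SPECIAL selects, although it introduces a third dispatch path next to derived_crypto and the flag is only set on the new arcfour entry. A line such as `/* F_SPECIAL: the etype's own encrypt routine fills in and verifies the checksum (see ARCFOUR_subdecrypt), so the generic confounder/checksum handling must not be applied */` would tell the reader why the predicate exists. The unused `context` parameter mirrors derived_crypto, so that part is consistent with the file.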
@@ -1779,7 +2201,8 @@ encrypt_internal(krb5_context context, krb5_crypto crypto, void *data, size_t len, - krb5_data *result) + krb5_data *result, + void *ivec) { size_t sz, block_sz, checksum_sz; Checksum cksum; @@ -1830,19 +2253,49 @@ encrypt_internal(krb5_context context, #ifdef CRYPTO_DEBUG krb5_crypto_debug(context, 1, block_sz, crypto->key.key); #endif - (*et->encrypt)(&crypto->key, p, block_sz, 1); + (*et->encrypt)(&crypto->key, p, block_sz, 1, 0, ivec); result->data = p; result->length = block_sz; return 0; } static krb5_error_code +encrypt_internal_special(krb5_context context, + krb5_crypto crypto, + int usage, + void *data, + size_t len, + krb5_data *result, + void *ivec) +{ + struct encryption_type *et = crypto->et; + size_t cksum_sz = CHECKSUMSIZE(et->cksumtype); + size_t sz = len + cksum_sz + et->confoundersize; + char *tmp, *p; + + tmp = malloc (sz); + if (tmp == NULL) + return ENOMEM; + p = tmp; + memset (p, 0, cksum_sz); + p += cksum_sz; + krb5_generate_random_block(p, et->confoundersize); + p += et->confoundersize; + memcpy (p, data, len); + (*et->encrypt)(&crypto->key, tmp, sz, TRUE, usage, ivec); + result->data = tmp; + result->length = sz; + return 0; +} + +static krb5_error_code decrypt_internal_derived(krb5_context context, krb5_crypto crypto, unsigned usage, void *data, size_t len, - krb5_data *result) + krb5_data *result, + void *ivec) { size_t checksum_sz; Checksum cksum; @@ -1852,12 +2305,15 @@ decrypt_internal_derived(krb5_context context, struct encryption_type *et = crypto->et; unsigned long l; + checksum_sz = CHECKSUMSIZE(et->keyed_checksum); + if (len < checksum_sz) + return EINVAL; /* better error code? */ + p = malloc(len); if(len != 0 && p == NULL) return ENOMEM; memcpy(p, data, len); - checksum_sz = CHECKSUMSIZE(et->keyed_checksum); len -= checksum_sz; ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey); 
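Review bot: encrypt_internal_special in the @@ -1830 hunk discards the krb5_error_code from `(*et->encrypt)(&crypto->key, tmp, sz, TRUE, usage, ivec)` and returns 0 unconditionally, so a failing special cipher would hand the caller a result buffer that still holds the plaintext copied in by the preceding memcpy. ARCFOUR_encrypt returns whatever its sub-routine reports, so the value is meaningful here; capture it as `ret = (*et->encrypt)(&crypto->key, tmp, sz, TRUE, usage, ivec); if (ret) { memset(tmp, 0, sz); free(tmp); return ret; }`. The encrypt_internal_derived error path in the @@ -1745 hunk already zeroes its buffer before freeing it, so this keeps the two paths consistent.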
@@ -1873,7 +2329,7 @@ decrypt_internal_derived(krb5_context context, #ifdef CRYPTO_DEBUG krb5_crypto_debug(context, 0, len, dkey->key); #endif - (*et->encrypt)(dkey, p, len, 0); + (*et->encrypt)(dkey, p, len, 0, usage, ivec); cksum.checksum.data = p + len; cksum.checksum.length = checksum_sz; @@ -1905,7 +2361,8 @@ decrypt_internal(krb5_context context, krb5_crypto crypto, void *data, size_t len, - krb5_data *result) + krb5_data *result, + void *ivec) { krb5_error_code ret; unsigned char *p; @@ -1927,11 +2384,11 @@ decrypt_internal(krb5_context context, #ifdef CRYPTO_DEBUG krb5_crypto_debug(context, 0, len, crypto->key.key); #endif - (*et->encrypt)(&crypto->key, p, len, 0); + (*et->encrypt)(&crypto->key, p, len, 0, 0, ivec); ret = krb5_data_copy(&cksum.checksum, p + et->confoundersize, checksum_sz); if(ret) { - free(p); - return ret; + free(p); + return ret; } memset(p + et->confoundersize, 0, checksum_sz); cksum.cksumtype = CHECKSUMTYPE(et->cksumtype); 
@@ -1952,6 +2409,54 @@ decrypt_internal(krb5_context context, return 0; } +static krb5_error_code +decrypt_internal_special(krb5_context context, + krb5_crypto crypto, + int usage, + void *data, + size_t len, + krb5_data *result, + void *ivec) +{ + struct encryption_type *et = crypto->et; + size_t cksum_sz = CHECKSUMSIZE(et->cksumtype); + size_t sz = len - cksum_sz - et->confoundersize; + char *cdata = (char *)data; + char *tmp; + + tmp = malloc (sz); + if (tmp == NULL) + return ENOMEM; + + (*et->encrypt)(&crypto->key, data, len, FALSE, usage, ivec); + + memcpy (tmp, cdata + cksum_sz + et->confoundersize, sz); + + result->data = tmp; + result->length = sz; + return 0; +} + + +krb5_error_code +krb5_encrypt_ivec(krb5_context context, + krb5_crypto crypto, + unsigned usage, + void *data, + size_t len, + krb5_data *result, + void *ivec) +{ + if(derived_crypto(context, crypto)) + return encrypt_internal_derived(context, crypto, usage, + data, len, result, ivec); + else if (special_crypto(context, crypto)) + return encrypt_internal_special (context, crypto, usage, + data, len, result, ivec); + else + return encrypt_internal(context, crypto, data, len, result, ivec); +} + krb5_error_code krb5_encrypt(krb5_context context, krb5_crypto crypto, @@ -1960,11 +2465,7 @@ krb5_encrypt(krb5_context context, size_t len, krb5_data *result) { - if(derived_crypto(context, crypto)) - return encrypt_internal_derived(context, crypto, usage, - data, len, result); - else - return encrypt_internal(context, crypto, data, len, result); + return krb5_encrypt_ivec(context, crypto, usage, data, len, result, NULL); } krb5_error_code 
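Review bot: decrypt_internal_special in the @@ -1952 hunk ignores the return value of `(*et->encrypt)(&crypto->key, data, len, FALSE, usage, ivec)`, and on the arcfour path that is exactly where ARCFOUR_subdecrypt reports KRB5KRB_AP_ERR_BAD_INTEGRITY when the HMAC over the ciphertext does not match, so a tampered or wrong-key message is handed back to the caller as successfully decrypted data. The same function computes `sz = len - cksum_sz - et->confoundersize` with no check that len covers the checksum and confounder, whereas the @@ -1852 hunk adds exactly such a guard to decrypt_internal_derived; in practice the wrapped size makes malloc fail with ENOMEM, but the rejection should be explicit rather than accidental, especially since ARCFOUR_subdecrypt itself subtracts 16 from len unchecked. Both points are addressed by checking the length up front and propagating the cipher's result before the payload is copied out.
```c
    struct encryption_type *et = crypto->et;
    size_t cksum_sz = CHECKSUMSIZE(et->cksumtype);
    size_t sz;
    char *cdata = (char *)data;
    char *tmp;
    krb5_error_code ret;

    /* same guard as decrypt_internal_derived: reject inputs too short
       to hold the checksum and confounder instead of wrapping sz */
    if (len < cksum_sz + et->confoundersize)
        return EINVAL;
    sz = len - cksum_sz - et->confoundersize;

    tmp = malloc (sz);
    if (tmp == NULL)
        return ENOMEM;

    /* the special etype verifies integrity inside its decrypt routine */
    ret = (*et->encrypt)(&crypto->key, data, len, FALSE, usage, ivec);
    if (ret) {
        free (tmp);
        return ret;
    }
    /* … unchanged: copy the payload into tmp and fill in result … */
```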
@@ -1986,6 +2487,25 @@ krb5_encrypt_EncryptedData(krb5_context context, } krb5_error_code +krb5_decrypt_ivec(krb5_context context, + krb5_crypto crypto, + unsigned usage, + void *data, + size_t len, + krb5_data *result, + void *ivec) +{ + if(derived_crypto(context, crypto)) + return decrypt_internal_derived(context, crypto, usage, + data, len, result, ivec); + else if (special_crypto (context, crypto)) + return decrypt_internal_special(context, crypto, usage, + data, len, result, ivec); + else + return decrypt_internal(context, crypto, data, len, result, ivec); +} + +krb5_error_code krb5_decrypt(krb5_context context, krb5_crypto crypto, unsigned usage, @@ -1993,18 +2513,15 @@ krb5_decrypt(krb5_context context, size_t len, krb5_data *result) { - if(derived_crypto(context, crypto)) - return decrypt_internal_derived(context, crypto, usage, - data, len, result); - else - return decrypt_internal(context, crypto, data, len, result); + return krb5_decrypt_ivec (context, crypto, usage, data, len, result, + NULL); } krb5_error_code krb5_decrypt_EncryptedData(krb5_context context, krb5_crypto crypto, unsigned usage, - EncryptedData *e, + const EncryptedData *e, krb5_data *result) { return krb5_decrypt(context, crypto, usage, @@ -2091,7 +2608,7 @@ derive_key(krb5_context context, ret = _key_schedule(context, key); if(ret) return ret; - if(et->blocksize * 8 < kt->bits || + if(et->blocksize * 8 < kt->bits || len != et->blocksize) { nblocks = (kt->bits + et->blocksize * 8 - 1) / (et->blocksize * 8); k = malloc(nblocks * et->blocksize); 
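Review bot: krb5_decrypt_ivec in the @@ -1986 hunk (and krb5_encrypt_ivec in the preceding hunk of this file) is a new exported entry point with no comment stating the `ivec` contract: krb5_decrypt passes NULL, so NULL must be accepted, but nothing says what size the buffer must have or whether it is updated in place by the call. A short header such as `/* Like krb5_decrypt, but with a caller-supplied initial vector `ivec' (NULL is what krb5_decrypt passes); size and in-place update depend on the etype's encrypt routine */` would pin that down. Whether the vector is modified cannot be determined from this hunk and should be confirmed against the DES3_CBC_encrypt_ivec implementation before the comment is finalised.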
@@ -2103,16 +2620,18 @@ derive_key(krb5_context context, memcpy(k + i * et->blocksize, k + (i - 1) * et->blocksize, et->blocksize); - (*et->encrypt)(key, k + i * et->blocksize, et->blocksize, 1); + (*et->encrypt)(key, k + i * et->blocksize, et->blocksize, 1, 0, + NULL); } } else { + /* this case is probably broken, but won't be run anyway */ void *c = malloc(len); size_t res_len = (kt->bits + 7) / 8; if(len != 0 && c == NULL) return ENOMEM; memcpy(c, constant, len); - (*et->encrypt)(key, c, len, 1); + (*et->encrypt)(key, c, len, 1, 0, NULL); k = malloc(res_len); if(res_len != 0 && k == NULL) return ENOMEM; @@ -2265,6 +2784,35 @@ krb5_string_to_key_derived(krb5_context context, return ret; } +static size_t +wrapped_length (krb5_context context, + krb5_crypto crypto, + size_t data_len) +{ + struct encryption_type *et = crypto->et; + size_t blocksize = et->blocksize; + size_t res; + + res = et->confoundersize + et->cksumtype->checksumsize + data_len; + res = (res + blocksize - 1) / blocksize * blocksize; + return res; +} + +static size_t +wrapped_length_dervied (krb5_context context, + krb5_crypto crypto, + size_t data_len) +{ + struct encryption_type *et = crypto->et; + size_t blocksize = et->blocksize; + size_t res; + + res = et->confoundersize + data_len; + res = (res + blocksize - 1) / blocksize * blocksize; + res += et->cksumtype->checksumsize; + return res; +} + /* * Return the size of an encrypted packet of length `data_len' */ @@ -2274,13 +2822,10 @@ krb5_get_wrapped_length (krb5_context context, krb5_crypto crypto, size_t data_len) { - struct encryption_type *et = crypto->et; - size_t blocksize = et->blocksize; - size_t res; - - res = (data_len + blocksize - 1) / blocksize * blocksize; - res = res + et->confoundersize + et->cksumtype->checksumsize; - return res; + if (derived_crypto (context, crypto)) + return wrapped_length_dervied (context, crypto, data_len); + else + return wrapped_length (context, crypto, data_len); } #ifdef CRYPTO_DEBUG 
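Review bot: `wrapped_length_dervied` in the @@ -2265 hunk is misspelled, and the misspelling is repeated at the call site in the @@ -2274 hunk; rename both to `wrapped_length_derived` before the name spreads. krb5_get_wrapped_length also routes F_SPECIAL etypes through the non-derived wrapped_length, whose block-rounded formula matches encrypt_internal_special's `len + cksum_sz + confoundersize` only because the arcfour entry declares blocksize 1, so a comment such as `/* F_SPECIAL etypes use the non-derived formula; exact as long as their blocksize is 1 */` would record that assumption. In the @@ -2103 hunk the new comment calls the else branch "probably broken"; it also leaks `c` when the second malloc fails, which is cheap to fix even if the branch is never run.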
@@ -2293,9 +2838,9 @@ krb5_get_keyid(krb5_context context, MD5_CTX md5; unsigned char tmp[16]; - MD5Init (&md5); - MD5Update (&md5, key->keyvalue.data, key->keyvalue.length); - MD5Final (tmp, &md5); + MD5_Init (&md5); + MD5_Update (&md5, key->keyvalue.data, key->keyvalue.length); + MD5_Final (tmp, &md5); *keyid = (tmp[12] << 24) | (tmp[13] << 16) | (tmp[14] << 8) | tmp[15]; return 0; } @@ -2319,3 +2864,69 @@ krb5_crypto_debug(krb5_context context, } #endif /* CRYPTO_DEBUG */ + +#if 0 +int +main() +{ +#if 0 + int i; + krb5_context context; + krb5_crypto crypto; + struct key_data *d; + krb5_keyblock key; + char constant[4]; + unsigned usage = ENCRYPTION_USAGE(3); + krb5_error_code ret; + + ret = krb5_init_context(&context); + if (ret) + errx (1, "krb5_init_context failed: %d", ret); + + key.keytype = ETYPE_NEW_DES3_CBC_SHA1; + key.keyvalue.data = "\xb3\x85\x58\x94\xd9\xdc\x7c\xc8" + "\x25\xe9\x85\xab\x3e\xb5\xfb\x0e" + "\xc8\xdf\xab\x26\x86\x64\x15\x25"; + key.keyvalue.length = 24; + + krb5_crypto_init(context, &key, 0, &crypto); + + d = _new_derived_key(crypto, usage); + if(d == NULL) + return ENOMEM; + krb5_copy_keyblock(context, crypto->key.key, &d->key); + _krb5_put_int(constant, usage, 4); + derive_key(context, crypto->et, d, constant, sizeof(constant)); + return 0; +#else + int i; + krb5_context context; + krb5_crypto crypto; + struct key_data *d; + krb5_keyblock key; + krb5_error_code ret; + Checksum res; + + char *data = "what do ya want for nothing?"; + + ret = krb5_init_context(&context); + if (ret) + errx (1, "krb5_init_context failed: %d", ret); + + key.keytype = ETYPE_NEW_DES3_CBC_SHA1; + key.keyvalue.data = "Jefe"; + /* "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"; */ + key.keyvalue.length = 4; + + d = calloc(1, sizeof(*d)); + + d->key = &key; + res.checksum.length = 20; + res.checksum.data = malloc(res.checksum.length); + HMAC_SHA1_DES3_checksum(context, d, data, 28, &res); + + return 0; +#endif +} +#endif 
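Review bot: the @@ -2319 hunk appends a ~65-line `#if 0` main() that is never compiled, with a nested `#if 0`, an unused `int i` in both arms, and hard-coded key bytes; dead test scaffolding like this belongs in a separate test program rather than at the bottom of crypto.c. If it is kept, a one-line comment such as `/* ad-hoc derive_key / HMAC test harness, not built; enable by hand */` should say why it is here and what it exercises.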
diff --git a/crypto/heimdal/lib/krb5/eai_to_heim_errno.c b/crypto/heimdal/lib/krb5/eai_to_heim_errno.c
new file mode 100644
index 0000000..b9272dd
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/eai_to_heim_errno.c
@@ -0,0 +1,69 @@ +/* + * Copyright (c) 2000 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include + +RCSID("$Id: eai_to_heim_errno.c,v 1.1 2000/07/08 13:03:36 joda Exp $"); + +krb5_error_code +krb5_eai_to_heim_errno(int eai_errno) +{ + switch(eai_errno) { + case EAI_NOERROR: + return 0; + case EAI_ADDRFAMILY: + return HEIM_EAI_ADDRFAMILY; + case EAI_AGAIN: + return HEIM_EAI_AGAIN; + case EAI_BADFLAGS: + return HEIM_EAI_BADFLAGS; + case EAI_FAIL: + return HEIM_EAI_FAIL; + case EAI_FAMILY: + return HEIM_EAI_FAMILY; + case EAI_MEMORY: + return HEIM_EAI_MEMORY; + case EAI_NODATA: + return HEIM_EAI_NODATA; + case EAI_NONAME: + return HEIM_EAI_NONAME; + case EAI_SERVICE: + return HEIM_EAI_SERVICE; + case EAI_SOCKTYPE: + return HEIM_EAI_SOCKTYPE; + case EAI_SYSTEM: + return errno; + default: + return HEIM_EAI_UNKNOWN; /* XXX */ + } +} diff --git a/crypto/heimdal/lib/krb5/expand_hostname.c b/crypto/heimdal/lib/krb5/expand_hostname.c index 3e98e88..72c5718 100644 --- a/crypto/heimdal/lib/krb5/expand_hostname.c +++ b/crypto/heimdal/lib/krb5/expand_hostname.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: expand_hostname.c,v 1.8 2000/02/20 02:25:29 assar Exp $"); +RCSID("$Id: expand_hostname.c,v 1.9 2000/02/23 03:12:07 assar Exp $"); static krb5_error_code copy_hostname(krb5_context context, @@ -130,7 +130,7 @@ krb5_expand_hostname_realms (krb5_context context, for (a = ai; a != NULL; a = a->ai_next) { if (a->ai_canonname != NULL) { - ret = copy_hostname (context, orig_hostname, new_hostname); + ret = copy_hostname (context, a->ai_canonname, new_hostname); if (ret) { freeaddrinfo (ai); return ret; diff --git a/crypto/heimdal/lib/krb5/fcache.c b/crypto/heimdal/lib/krb5/fcache.c index df88e6f..fbdb3a1 100644 --- a/crypto/heimdal/lib/krb5/fcache.c +++ b/crypto/heimdal/lib/krb5/fcache.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
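Review bot: krb5_eai_to_heim_errno returns `errno` for EAI_SYSTEM, which is only meaningful if the caller invokes it immediately after the failing getaddrinfo() with nothing in between that can clobber errno; the call site in get_for_creds.c does that, but the function should state the requirement, e.g. `/* must be called directly after getaddrinfo() fails: EAI_SYSTEM maps to the errno it left behind */`. EAI_ADDRFAMILY and EAI_NODATA are not provided by every getaddrinfo implementation (they were dropped from later specifications), so those two cases may need `#ifdef` guards to keep the file building on such platforms. The `/* XXX */` on the default case would read better as a statement of intent, for example `/* unknown EAI code; collapse to the generic Heimdal error */`.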
@@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: fcache.c,v 1.22 1999/12/02 17:05:09 joda Exp $"); +RCSID("$Id: fcache.c,v 1.31 2000/12/05 09:15:10 joda Exp $"); typedef struct krb5_fcache{ char *filename; @@ -83,28 +83,86 @@ fcc_resolve(krb5_context context, krb5_ccache *id, const char *res) return 0; } +/* + * Try to scrub the contents of `filename' safely. + */ + +static int +scrub_file (int fd) +{ + off_t pos; + char buf[128]; + + pos = lseek(fd, 0, SEEK_END); + if (pos < 0) + return errno; + if (lseek(fd, 0, SEEK_SET) < 0) + return errno; + memset(buf, 0, sizeof(buf)); + while(pos > 0) { + ssize_t tmp = write(fd, buf, min(sizeof(buf), pos)); + + if (tmp < 0) + return errno; + pos -= tmp; + } + fsync (fd); + return 0; +} + +/* + * Erase `filename' if it exists, trying to remove the contents if + * it's `safe'. We always try to remove the file, it it exists. It's + * only overwritten if it's a regular file (not a symlink and not a + * hardlink) + */ + static krb5_error_code erase_file(const char *filename) { int fd; - off_t pos; - char buf[128]; + struct stat sb1, sb2; + int ret; + + ret = lstat (filename, &sb1); + if (ret < 0) + return errno; fd = open(filename, O_RDWR | O_BINARY); - if(fd < 0){ + if(fd < 0) { if(errno == ENOENT) return 0; else return errno; } - pos = lseek(fd, 0, SEEK_END); - lseek(fd, 0, SEEK_SET); - memset(buf, 0, sizeof(buf)); - while(pos > 0) - pos -= write(fd, buf, sizeof(buf)); - close(fd); - unlink(filename); - return 0; + if (unlink(filename) < 0) { + close (fd); + return errno; + } + + ret = fstat (fd, &sb2); + if (ret < 0) { + close (fd); + return errno; + } + + /* check if someone was playing with symlinks */ + + if (sb1.st_dev != sb2.st_dev || sb1.st_ino != sb2.st_ino) { + close (fd); + return EPERM; + } + + /* there are still hard links to this file */ + + if (sb2.st_nlink != 0) { + close (fd); + return 0; + } + + ret = scrub_file (fd); + close (fd); + return ret; } static krb5_error_code 
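Review bot: erase_file's new comment says the file is "only overwritten if it's a regular file", but nothing in the @@ -83 hunk tests st_mode: the dev/ino comparison catches a symlink swapped in between lstat and open, yet a FIFO or device node at that path would pass both checks and reach scrub_file. Add `if (!S_ISREG(sb2.st_mode)) { close (fd); return 0; }` after the fstat, before the hard-link test, so the promise in the comment is enforced. In scrub_file the doc comment refers to a `filename' while the function takes an fd, `min(sizeof(buf), pos)` mixes size_t and off_t so the comparison happens in whichever type wins promotion, and the result of `fsync (fd)` is dropped although the point of the routine is that the zeros reach the disk; `if (fsync (fd) < 0) return errno;` keeps the error model of the rest of the function. A single zero pass is best-effort on journaling or copy-on-write file systems, which the comment could also say.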
@@ -116,7 +174,7 @@ fcc_gen_new(krb5_context context, krb5_ccache *id) f = malloc(sizeof(*f)); if(f == NULL) return KRB5_CC_NOMEM; - asprintf(&file, "/tmp/krb5cc_XXXXXX"); /* XXX */ + asprintf (&file, "%sXXXXXX", KRB5_DEFAULT_CCFILE_ROOT); if(file == NULL) { free(f); return KRB5_CC_NOMEM; @@ -166,12 +224,11 @@ fcc_initialize(krb5_context context, krb5_principal primary_principal) { krb5_fcache *f = FCACHE(id); - int ret; + int ret = 0; int fd; char *filename = f->filename; - if((ret = erase_file(filename))) - return ret; + unlink (filename); fd = open(filename, O_RDWR | O_CREAT | O_EXCL | O_BINARY, 0600); if(fd == -1) @@ -183,27 +240,29 @@ fcc_initialize(krb5_context context, f->version = context->fcache_vno; else f->version = KRB5_FCC_FVNO_4; - krb5_store_int8(sp, 5); - krb5_store_int8(sp, f->version); + ret |= krb5_store_int8(sp, 5); + ret |= krb5_store_int8(sp, f->version); storage_set_flags(context, sp, f->version); - if(f->version == KRB5_FCC_FVNO_4) { + if(f->version == KRB5_FCC_FVNO_4 && ret == 0) { /* V4 stuff */ if (context->kdc_sec_offset) { - krb5_store_int16 (sp, 12); /* length */ - krb5_store_int16 (sp, FCC_TAG_DELTATIME); /* Tag */ - krb5_store_int16 (sp, 8); /* length of data */ - krb5_store_int32 (sp, context->kdc_sec_offset); - krb5_store_int32 (sp, context->kdc_usec_offset); + ret |= krb5_store_int16 (sp, 12); /* length */ + ret |= krb5_store_int16 (sp, FCC_TAG_DELTATIME); /* Tag */ + ret |= krb5_store_int16 (sp, 8); /* length of data */ + ret |= krb5_store_int32 (sp, context->kdc_sec_offset); + ret |= krb5_store_int32 (sp, context->kdc_usec_offset); } else { - krb5_store_int16 (sp, 0); + ret |= krb5_store_int16 (sp, 0); } } - krb5_store_principal(sp, primary_principal); + ret |= krb5_store_principal(sp, primary_principal); krb5_storage_free(sp); } - close(fd); + if(close(fd) < 0) + if (ret == 0) + ret = errno; - return 0; + return ret; } static krb5_error_code 
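Review bot: fcc_initialize in the @@ -183 hunk accumulates errors with `ret |= krb5_store_int8(...)`, which ORs krb5_error_code values together, so two different failures produce a bit pattern that is no valid error code and a later success cannot be told from an earlier failure. Use the first-error pattern instead, `if (ret == 0) ret = krb5_store_int8(sp, 5);` and likewise for each store, which also makes the `&& ret == 0` on the version test unnecessary. In the @@ -166 hunk the old `erase_file(filename)` becomes a bare `unlink (filename)` whose result is ignored, so a previous cache under the same name is no longer overwritten before it is dropped and an unlink failure surfaces later as EEXIST from the O_EXCL open; if that is intended, a comment saying so would help. The `asprintf` in the @@ -116 hunk is checked only through `file == NULL`, but on failure some implementations leave `file` indeterminate, so testing the return value `< 0` is the portable check.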
@@ -232,6 +291,7 @@ fcc_store_cred(krb5_context context, krb5_ccache id, krb5_creds *creds) { + int ret; int fd; char *f; @@ -244,11 +304,13 @@ fcc_store_cred(krb5_context context, krb5_storage *sp; sp = krb5_storage_from_fd(fd); storage_set_flags(context, sp, FCACHE(id)->version); - krb5_store_creds(sp, creds); + ret = krb5_store_creds(sp, creds); krb5_storage_free(sp); } - close(fd); - return 0; /* XXX */ + if (close(fd) < 0) + if (ret == 0) + ret = errno; + return ret; } static krb5_error_code @@ -274,12 +336,17 @@ init_fcc (krb5_context context, int fd; int8_t pvno, tag; krb5_storage *sp; + krb5_error_code ret; fd = open(fcache->filename, O_RDONLY | O_BINARY); if(fd < 0) return errno; sp = krb5_storage_from_fd(fd); - krb5_ret_int8(sp, &pvno); + ret = krb5_ret_int8(sp, &pvno); + if(ret == KRB5_CC_END) + return ENOENT; + if(ret) + return ret; if(pvno != 5) { krb5_storage_free(sp); close(fd); @@ -341,10 +408,10 @@ fcc_get_principal(krb5_context context, ret = init_fcc (context, f, &sp, &fd); if (ret) return ret; - krb5_ret_principal(sp, principal); + ret = krb5_ret_principal(sp, principal); krb5_storage_free(sp); close(fd); - return 0; + return ret; } static krb5_error_code diff --git a/crypto/heimdal/lib/krb5/generate_seq_number.c b/crypto/heimdal/lib/krb5/generate_seq_number.c index a000ea1..3ebe562 100644 --- a/crypto/heimdal/lib/krb5/generate_seq_number.c +++ b/crypto/heimdal/lib/krb5/generate_seq_number.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,12 +33,12 @@ #include -RCSID("$Id: generate_seq_number.c,v 1.6 1999/12/02 17:05:09 joda Exp $"); +RCSID("$Id: generate_seq_number.c,v 1.7 2000/04/08 21:20:45 assar Exp $"); krb5_error_code krb5_generate_seq_number(krb5_context context, const krb5_keyblock *key, - int32_t *seqno) + u_int32_t *seqno) { krb5_error_code ret; krb5_keyblock *subkey; 
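Review bot: fcc_store_cred in the @@ -232 hunk declares `int ret;` without an initializer, and the only assignment is `ret = krb5_store_creds(sp, creds)` inside a block whose opening condition lies outside the @@ -244 hunk; if that block is skipped, the new `if (ret == 0) ret = errno;` and `return ret;` read an indeterminate value. fcc_initialize in this same commit was changed to `int ret = 0;`, so do the same here. Braces around the nested `if (close(fd) < 0) if (ret == 0)` would also avoid the dangling-else shape.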
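Review bot: init_fcc in the @@ -274 hunk returns early on `ret == KRB5_CC_END` and on any other `ret` from krb5_ret_int8 without releasing `sp` or closing `fd`, whereas the existing `pvno != 5` branch just below calls krb5_storage_free(sp) and close(fd) first; both new returns leak a storage object and a descriptor for every empty or unreadable cache file. Route them through the same cleanup, e.g. `if(ret) { krb5_storage_free(sp); close(fd); return ret == KRB5_CC_END ? ENOENT : ret; }`. The `krb5_storage_from_fd(fd)` result is still used without a NULL check, which this hunk does not change.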
diff --git a/crypto/heimdal/lib/krb5/get_addrs.c b/crypto/heimdal/lib/krb5/get_addrs.c index 65a1b3c..7b9d74c 100644 --- a/crypto/heimdal/lib/krb5/get_addrs.c +++ b/crypto/heimdal/lib/krb5/get_addrs.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: get_addrs.c,v 1.35 1999/12/02 17:05:09 joda Exp $"); +RCSID("$Id: get_addrs.c,v 1.40 2000/12/10 20:07:05 assar Exp $"); #ifdef __osf__ /* hate */ 
@@ -43,42 +43,35 @@ struct mbuf; #ifdef HAVE_NET_IF_H #include #endif - -#ifdef HAVE_SYS_SOCKIO_H -#include -#endif /* HAVE_SYS_SOCKIO_H */ - -#ifdef HAVE_NETINET_IN6_VAR_H -#include -#endif /* HAVE_NETINET_IN6_VAR_H */ +#include static krb5_error_code gethostname_fallback (krb5_addresses *res) { - krb5_error_code err; - char hostname[MAXHOSTNAMELEN]; - struct hostent *hostent; - - if (gethostname (hostname, sizeof(hostname))) - return errno; - hostent = roken_gethostbyname (hostname); - if (hostent == NULL) - return errno; - res->len = 1; - res->val = malloc (sizeof(*res->val)); - if (res->val == NULL) - return ENOMEM; - res->val[0].addr_type = hostent->h_addrtype; - res->val[0].address.data = NULL; - res->val[0].address.length = 0; - err = krb5_data_copy (&res->val[0].address, - hostent->h_addr, - hostent->h_length); - if (err) { - free (res->val); - return err; - } - return 0; + krb5_error_code err; + char hostname[MAXHOSTNAMELEN]; + struct hostent *hostent; + + if (gethostname (hostname, sizeof(hostname))) + return errno; + hostent = roken_gethostbyname (hostname); + if (hostent == NULL) + return errno; + res->len = 1; + res->val = malloc (sizeof(*res->val)); + if (res->val == NULL) + return ENOMEM; + res->val[0].addr_type = hostent->h_addrtype; + res->val[0].address.data = NULL; + res->val[0].address.length = 0; + err = krb5_data_copy (&res->val[0].address, + hostent->h_addr, + hostent->h_length); + if (err) { + free (res->val); + return err; + } + return 0; } enum { 
@@ -94,143 +87,96 @@ enum { */ static krb5_error_code -find_all_addresses (krb5_context context, - krb5_addresses *res, int flags, - int af, int siocgifconf, int siocgifflags, - size_t ifreq_sz) +find_all_addresses (krb5_context context, krb5_addresses *res, int flags) { - krb5_error_code ret; - int fd; - size_t buf_size; - char *buf; - struct ifconf ifconf; - int num, j = 0; - char *p; - size_t sz; - struct sockaddr sa_zero; - struct ifreq *ifr; - krb5_address lo_addr; - int got_lo = FALSE; - - buf = NULL; - res->val = NULL; - - memset (&sa_zero, 0, sizeof(sa_zero)); - fd = socket(af, SOCK_DGRAM, 0); - if (fd < 0) - return -1; + struct sockaddr sa_zero; + struct ifaddrs *ifa0, *ifa; + krb5_error_code ret = ENXIO; + int num, idx; - buf_size = 8192; - for (;;) { - buf = malloc(buf_size); - if (buf == NULL) { - ret = ENOMEM; - goto error_out; - } - ifconf.ifc_len = buf_size; - ifconf.ifc_buf = buf; - if (ioctl (fd, siocgifconf, &ifconf) < 0) { - ret = errno; - goto error_out; - } - /* - * Can the difference between a full and a overfull buf - * be determined? - */ + res->val = NULL; - if (ifconf.ifc_len < buf_size) - break; - free (buf); - buf_size *= 2; - } + if (getifaddrs(&ifa0) == -1) + return (errno); - num = ifconf.ifc_len / ifreq_sz; - res->len = num; - res->val = calloc(num, sizeof(*res->val)); - if (res->val == NULL) { - ret = ENOMEM; - goto error_out; - } - - j = 0; - for (p = ifconf.ifc_buf; - p < ifconf.ifc_buf + ifconf.ifc_len; - p += sz) { - struct ifreq ifreq; - struct sockaddr *sa; - - ifr = (struct ifreq *)p; - sa = &ifr->ifr_addr; - - sz = ifreq_sz; -#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN - sz = max(sz, sizeof(ifr->ifr_name) + sa->sa_len); -#endif -#ifdef SA_LEN - sz = max(sz, SA_LEN(sa)); -#endif - memcpy (ifreq.ifr_name, ifr->ifr_name, sizeof(ifr->ifr_name)); + memset(&sa_zero, 0, sizeof(sa_zero)); - if (ioctl(fd, siocgifflags, &ifreq) < 0) { - ret = errno; - goto error_out; - } + /* First, count all the ifaddrs. 
*/ + for (ifa = ifa0, num = 0; ifa != NULL; ifa = ifa->ifa_next, num++) + /* nothing */; - if (!(ifreq.ifr_flags & IFF_UP)) - continue; - if (memcmp (sa, &sa_zero, sizeof(sa_zero)) == 0) - continue; - if (krb5_sockaddr_uninteresting (sa)) - continue; + if (num == 0) { + freeifaddrs(ifa0); + return (ENXIO); + } - if (ifreq.ifr_flags & IFF_LOOPBACK) { - if (flags & LOOP_IF_NONE) { - ret = krb5_sockaddr2address (sa, &lo_addr); - if (ret) - goto error_out; - got_lo = TRUE; - continue; - } else if((flags & LOOP) == 0) - continue; - } + /* Allocate storage for them. */ + res->val = calloc(num, sizeof(*res->val)); + if (res->val == NULL) { + freeifaddrs(ifa0); + return (ENOMEM); + } - ret = krb5_sockaddr2address (sa, &res->val[j]); - if (ret) - goto error_out; - ++j; - } - if ((flags & LOOP_IF_NONE) && got_lo) { - if (j == 0) - res->val[j++] = lo_addr; - else - krb5_free_address (context, &lo_addr); - } + /* Now traverse the list. */ + for (ifa = ifa0, idx = 0; ifa != NULL; ifa = ifa->ifa_next) { + if ((ifa->ifa_flags & IFF_UP) == 0) + continue; + if (memcmp(ifa->ifa_addr, &sa_zero, sizeof(sa_zero)) == 0) + continue; + if (krb5_sockaddr_uninteresting(ifa->ifa_addr)) + continue; + + if ((ifa->ifa_flags & IFF_LOOPBACK) != 0) { + /* We'll deal with the LOOP_IF_NONE case later. */ + if ((flags & LOOP) == 0) + continue; + } - if (j != num) { - void *tmp; + ret = krb5_sockaddr2address(ifa->ifa_addr, &res->val[idx]); + if (ret) { + /* + * The most likely error here is going to be "Program + * lacks support for address type". This is no big + * deal -- just continue, and we'll listen on the + * addresses who's type we *do* support. + */ + continue; + } + idx++; + } - res->len = j; - tmp = realloc (res->val, j * sizeof(*res->val)); - if (j != 0 && tmp == NULL) { - ret = ENOMEM; - goto error_out; - } - res->val = tmp; - } - ret = 0; - goto cleanup; + /* + * If no addresses were found, and LOOP_IF_NONE is set, then find + * the loopback addresses and add them to our list. 
+ */ + if ((flags & LOOP_IF_NONE) != 0 && idx == 0) { + for (ifa = ifa0; ifa != NULL; ifa = ifa->ifa_next) { + if ((ifa->ifa_flags & IFF_UP) == 0) + continue; + if (memcmp(ifa->ifa_addr, &sa_zero, sizeof(sa_zero)) == 0) + continue; + if (krb5_sockaddr_uninteresting(ifa->ifa_addr)) + continue; + + if ((ifa->ifa_flags & IFF_LOOPBACK) != 0) { + ret = krb5_sockaddr2address(ifa->ifa_addr, &res->val[idx]); + if (ret) { + /* + * See comment above. + */ + continue; + } + idx++; + } + } + } -error_out: - if (got_lo) - krb5_free_address (context, &lo_addr); - while(j--) { - krb5_free_address (context, &res->val[j]); - } - free (res->val); -cleanup: - close (fd); - free (buf); - return ret; + freeifaddrs(ifa0); + if (ret) + free(res->val); + else + res->len = idx; /* Now a count. */ + return (ret); } static krb5_error_code @@ -239,26 +185,9 @@ get_addrs_int (krb5_context context, krb5_addresses *res, int flags) krb5_error_code ret = -1; if (flags & SCAN_INTERFACES) { -#if defined(AF_INET6) && defined(SIOCGIF6CONF) && defined(SIOCGIF6FLAGS) - if (ret) - ret = find_all_addresses (context, res, flags, - AF_INET6, SIOCGIF6CONF, SIOCGIF6FLAGS, - sizeof(struct in6_ifreq)); -#endif -#if defined(HAVE_IPV6) && defined(SIOCGIFCONF) - if (ret) - ret = find_all_addresses (context, res, flags, - AF_INET6, SIOCGIFCONF, SIOCGIFFLAGS, - sizeof(struct ifreq)); -#endif -#if defined(AF_INET) && defined(SIOCGIFCONF) && defined(SIOCGIFFLAGS) - if (ret) - ret = find_all_addresses (context, res, flags, - AF_INET, SIOCGIFCONF, SIOCGIFFLAGS, - sizeof(struct ifreq)); + ret = find_all_addresses (context, res, flags); if(ret || res->len == 0) ret = gethostname_fallback (res); -#endif } else ret = 0; diff --git a/crypto/heimdal/lib/krb5/get_cred.c b/crypto/heimdal/lib/krb5/get_cred.c index 61951c1..e649cfe 100644 --- a/crypto/heimdal/lib/krb5/get_cred.c +++ b/crypto/heimdal/lib/krb5/get_cred.c 
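Review bot: find_all_addresses dereferences `ifa->ifa_addr` in the memcmp and krb5_sockaddr_uninteresting calls of both scan loops, but getifaddrs() may return entries whose ifa_addr is NULL (an interface with no address), which crashes the scan. The final error handling is also off: `ret` starts as ENXIO and is only ever overwritten by the most recent krb5_sockaddr2address call, so if every entry is skipped by `continue` the function returns ENXIO, and if the last conversion fails after earlier ones succeeded the whole result is discarded by `if (ret) free(res->val)` without freeing the addresses already converted, contradicting the new comment that an unsupported type is "no big deal". Decide success from `idx` and skip NULL addresses as below; the same guard is needed in the LOOP_IF_NONE pass. get_addrs_int in the @@ -239 hunk then falls back to gethostname_fallback on an error or an empty list, which fits this behaviour.
```c
    /* Now traverse the list. */
    for (ifa = ifa0, idx = 0; ifa != NULL; ifa = ifa->ifa_next) {
        if (ifa->ifa_addr == NULL)      /* interface without an address */
            continue;
        if ((ifa->ifa_flags & IFF_UP) == 0)
            continue;
        /* … unchanged: sa_zero / uninteresting / loopback tests and conversion … */
    }

    /* … unchanged: LOOP_IF_NONE pass, with the same ifa_addr == NULL guard … */

    freeifaddrs(ifa0);
    if (idx == 0) {
        /* nothing usable: ret is ENXIO, or the last conversion error */
        free(res->val);
        res->val = NULL;
        return (ret);
    }
    res->len = idx;    /* Now a count. */
    return (0);
```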
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include -RCSID("$Id: get_cred.c,v 1.75 1999/12/02 17:05:09 joda Exp $"); +RCSID("$Id: get_cred.c,v 1.82 2001/01/19 04:29:44 assar Exp $"); /* * Take the `body' and encode it into `padata' using the credentials @@ -82,12 +82,13 @@ make_pa_tgs_req(krb5_context context, in_data.data = buf + buf_size - len; ret = krb5_mk_req_internal(context, &ac, 0, &in_data, creds, &padata->padata_value, - KRB5_KU_TGS_REQ_AUTH_CKSUM); + KRB5_KU_TGS_REQ_AUTH_CKSUM, + KRB5_KU_TGS_REQ_AUTH); out: free (buf); if(ret) return ret; - padata->padata_type = pa_tgs_req; + padata->padata_type = KRB5_PADATA_TGS_REQ; return 0; } @@ -191,6 +192,10 @@ init_tgs_req (krb5_context context, ret = ENOMEM; goto fail; } + + /* some versions of some code might require that the client be + present in TGS-REQs, but this is clearly against the spec */ + ret = copy_PrincipalName(&in_creds->server->name, t->req_body.sname); if (ret) goto fail; @@ -273,6 +278,7 @@ init_tgs_req (krb5_context context, } fail: if (ret) + /* XXX - don't free addresses? */ free_TGS_REQ (t); return ret; } @@ -320,7 +326,9 @@ decrypt_tkt_with_subkey (krb5_context context, size_t size; krb5_crypto crypto; - krb5_crypto_init(context, key, 0, &crypto); + ret = krb5_crypto_init(context, key, 0, &crypto); + if (ret) + return ret; ret = krb5_decrypt_EncryptedData (context, crypto, usage, @@ -329,7 +337,9 @@ decrypt_tkt_with_subkey (krb5_context context, krb5_crypto_destroy(context, crypto); if(ret && subkey){ /* DCE compat -- try to decrypt with subkey */ - krb5_crypto_init(context, (krb5_keyblock*)subkey, 0, &crypto); + ret = krb5_crypto_init(context, (krb5_keyblock*)subkey, 0, &crypto); + if (ret) + return ret; ret = krb5_decrypt_EncryptedData (context, crypto, KRB5_KU_TGS_REP_ENC_PART_SUB_KEY, 
@@ -471,6 +481,7 @@ get_cred_kdc(krb5_context context, &krbtgt->addresses, nonce, TRUE, + flags.b.request_anonymous, decrypt_tkt_with_subkey, subkey); krb5_free_kdc_rep(context, &rep); @@ -610,7 +621,7 @@ get_cred_from_kdc_flags(krb5_context context, { krb5_error_code ret; krb5_creds *tgt, tmp_creds; - krb5_realm client_realm, server_realm; + krb5_const_realm client_realm, server_realm, try_realm; *out_creds = NULL; @@ -620,9 +631,15 @@ get_cred_from_kdc_flags(krb5_context context, ret = krb5_copy_principal(context, in_creds->client, &tmp_creds.client); if(ret) return ret; + + try_realm = krb5_config_get_string(context, NULL, "libdefaults", + "capath", server_realm, NULL); + if (try_realm == NULL) + try_realm = client_realm; + ret = krb5_make_principal(context, &tmp_creds.server, - client_realm, + try_realm, KRB5_TGS_NAME, server_realm, NULL); @@ -642,8 +659,10 @@ get_cred_from_kdc_flags(krb5_context context, else { ret = get_cred_kdc_la(context, ccache, flags, in_creds, &tgts, *out_creds); - if (ret) + if (ret) { free (*out_creds); + *out_creds = NULL; + } } krb5_free_creds_contents(context, &tgts); krb5_free_principal(context, tmp_creds.server); @@ -656,8 +675,7 @@ get_cred_from_kdc_flags(krb5_context context, /* XXX this can loop forever */ while(1){ general_string tgt_inst; - krb5_kdc_flags f; - f.i = 0; + ret = get_cred_from_kdc_flags(context, flags, ccache, &tmp_creds, &tgt, ret_tgts); if(ret) { @@ -698,8 +716,10 @@ get_cred_from_kdc_flags(krb5_context context, else { ret = get_cred_kdc_la(context, ccache, flags, in_creds, tgt, *out_creds); - if (ret) + if (ret) { free (*out_creds); + *out_creds = NULL; + } } krb5_free_creds(context, tgt); return ret; 
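Review bot: the capath lookup added in the @@ -620 hunk has no comment explaining the new policy: the `[libdefaults] capath` entry keyed by server_realm names the realm whose TGT is requested first for that server realm, with client_realm as the fallback when no entry exists. A comment such as `/* capath: let the config name an intermediate realm for server_realm; otherwise start from our own realm */` would make that visible at the point of use. The while(1) loop below still carries the pre-existing `XXX this can loop forever` note, and a capath entry pointing at a realm that in turn has no path back could be one way to reach that state, so a hop limit on that loop is worth considering alongside this change.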
@@ -729,20 +749,24 @@ krb5_get_credentials_with_flags(krb5_context context, { krb5_error_code ret; krb5_creds **tgts; + krb5_creds *res_creds; int i; - *out_creds = calloc(1, sizeof(**out_creds)); - if (*out_creds == NULL) + *out_creds = NULL; + res_creds = calloc(1, sizeof(*res_creds)); + if (res_creds == NULL) return ENOMEM; ret = krb5_cc_retrieve_cred(context, ccache, in_creds->session.keytype ? KRB5_TC_MATCH_KEYTYPE : 0, - in_creds, *out_creds); - if(ret == 0) + in_creds, res_creds); + if(ret == 0) { + *out_creds = res_creds; return 0; - free(*out_creds); + } + free(res_creds); if(ret != KRB5_CC_END) return ret; if(options & KRB5_GC_CACHED) @@ -752,7 +776,7 @@ krb5_get_credentials_with_flags(krb5_context context, tgts = NULL; ret = get_cred_from_kdc_flags(context, flags, ccache, in_creds, out_creds, &tgts); - for(i = 0; tgts && tgts[i]; i++){ + for(i = 0; tgts && tgts[i]; i++) { krb5_cc_store_cred(context, ccache, tgts[i]); krb5_free_creds(context, tgts[i]); } diff --git a/crypto/heimdal/lib/krb5/get_for_creds.c b/crypto/heimdal/lib/krb5/get_for_creds.c index 977515f..103b757 100644 --- a/crypto/heimdal/lib/krb5/get_for_creds.c +++ b/crypto/heimdal/lib/krb5/get_for_creds.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include -RCSID("$Id: get_for_creds.c,v 1.21 1999/12/20 00:57:37 assar Exp $"); +RCSID("$Id: get_for_creds.c,v 1.27 2000/08/18 06:47:40 assar Exp $"); static krb5_error_code add_addrs(krb5_context context, @@ -41,7 +41,7 @@ add_addrs(krb5_context context, struct addrinfo *ai) { krb5_error_code ret; - unsigned n, i; + unsigned n, i, j; void *tmp; struct addrinfo *a; 
@@ -57,11 +57,18 @@ add_addrs(krb5_context context,
 goto fail;
 }
 addr->val = tmp;
+ for (j = i; j < addr->len; ++j) {
+ addr->val[i].addr_type = 0;
+ krb5_data_zero(&addr->val[i].address);
+ }
 for (a = ai; a != NULL; a = a->ai_next) {
- ret = krb5_sockaddr2address (a->ai_addr, &addr->val[i++]);
- if (ret)
+ ret = krb5_sockaddr2address (a->ai_addr, &addr->val[i]);
+ if (ret == 0)
+ ++i;
+ else if (ret != KRB5_PROG_ATYPE_NOSUPP)
 goto fail;
 }
+ addr->len = i;
 return 0;
 fail:
 krb5_free_addresses (context, addr);
@@ -137,7 +144,7 @@ krb5_get_forwarded_creds (krb5_context context,
 ret = getaddrinfo (hostname, NULL, NULL, &ai);
 if (ret)
- return ret;
+ return krb5_eai_to_heim_errno(ret);
 ret = add_addrs (context, &addrs, ai);
 freeaddrinfo (ai);
@@ -194,22 +201,26 @@ krb5_get_forwarded_creds (krb5_context context,
 }
 *enc_krb_cred_part.usec = usec;
- ret = krb5_make_addrport (&enc_krb_cred_part.s_address,
- auth_context->local_address,
- auth_context->local_port);
- if (ret)
- goto out4;
-
- ALLOC(enc_krb_cred_part.r_address, 1);
- if (enc_krb_cred_part.r_address == NULL) {
- ret = ENOMEM;
- goto out4;
+ if (auth_context->local_address && auth_context->local_port) {
+ ret = krb5_make_addrport (&enc_krb_cred_part.s_address,
+ auth_context->local_address,
+ auth_context->local_port);
+ if (ret)
+ goto out4;
 }
- ret = krb5_copy_address (context, auth_context->remote_address,
- enc_krb_cred_part.r_address);
- if (ret)
- goto out4;
+ if (auth_context->remote_address) {
+ ALLOC(enc_krb_cred_part.r_address, 1);
+ if (enc_krb_cred_part.r_address == NULL) {
+ ret = ENOMEM;
+ goto out4;
+ }
+
+ ret = krb5_copy_address (context, auth_context->remote_address,
+ enc_krb_cred_part.r_address);
+ if (ret)
+ goto out4;
+ }
 /* fill ticket_info.val[0] */
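Review bot: The zeroing loop added to add_addrs iterates `j` but indexes with `i`, so only `addr->val[i]` is cleared (repeatedly) and the other newly grown slots keep whatever realloc left in them; if a later `krb5_sockaddr2address` call fails, the `fail:` path hands an `addr` whose `len` still counts those uninitialised entries to `krb5_free_addresses`, which is exactly what the loop was meant to prevent. The body should read `addr->val[j].addr_type = 0;` and `krb5_data_zero(&addr->val[j].address);`. The `KRB5_PROG_ATYPE_NOSUPP` branch is a deliberate policy and deserves a line: `/* skip address families we cannot encode instead of failing the whole request */`. add_addrs starts before this hunk.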
@@ -252,7 +263,11 @@ krb5_get_forwarded_creds (krb5_context context, return ret; } - krb5_crypto_init(context, auth_context->local_subkey, 0, &crypto); + ret = krb5_crypto_init(context, auth_context->local_subkey, 0, &crypto); + if (ret) { + free_KRB_CRED(&cred); + return ret; + } ret = krb5_encrypt_EncryptedData (context, crypto, KRB5_KU_KRB_CRED, diff --git a/crypto/heimdal/lib/krb5/get_in_tkt.c b/crypto/heimdal/lib/krb5/get_in_tkt.c index e043d1d..84afe5e 100644 --- a/crypto/heimdal/lib/krb5/get_in_tkt.c +++ b/crypto/heimdal/lib/krb5/get_in_tkt.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: get_in_tkt.c,v 1.94 2000/02/06 05:18:20 assar Exp $"); +RCSID("$Id: get_in_tkt.c,v 1.97 2000/08/18 06:47:54 assar Exp $"); krb5_error_code krb5_init_etype (krb5_context context, @@ -85,7 +85,9 @@ decrypt_tkt (krb5_context context, size_t size; krb5_crypto crypto; - krb5_crypto_init(context, key, 0, &crypto); + ret = krb5_crypto_init(context, key, 0, &crypto); + if (ret) + return ret; ret = krb5_decrypt_EncryptedData (context, crypto, @@ -124,6 +126,7 @@ _krb5_extract_ticket(krb5_context context, krb5_addresses *addrs, unsigned nonce, krb5_boolean allow_server_mismatch, + krb5_boolean ignore_cname, krb5_decrypt_proc decrypt_proc, krb5_const_pointer decryptarg) { 
@@ -133,20 +136,26 @@ _krb5_extract_ticket(krb5_context context, time_t tmp_time; krb5_timestamp sec_now; - /* compare client */ - ret = principalname2krb5_principal (&tmp_principal, rep->kdc_rep.cname, rep->kdc_rep.crealm); if (ret) goto out; - tmp = krb5_principal_compare (context, tmp_principal, creds->client); - krb5_free_principal (context, tmp_principal); - if (!tmp) { - ret = KRB5KRB_AP_ERR_MODIFIED; - goto out; + + /* compare client */ + + if (!ignore_cname) { + tmp = krb5_principal_compare (context, tmp_principal, creds->client); + if (!tmp) { + krb5_free_principal (context, tmp_principal); + ret = KRB5KRB_AP_ERR_MODIFIED; + goto out; + } } - + + krb5_free_principal (context, creds->client); + creds->client = tmp_principal; + /* extract ticket */ { unsigned char *buf; @@ -314,7 +323,9 @@ make_pa_enc_timestamp(krb5_context context, PA_DATA *pa, if (ret) return ret; - krb5_crypto_init(context, key, 0, &crypto); + ret = krb5_crypto_init(context, key, 0, &crypto); + if (ret) + return ret; ret = krb5_encrypt_EncryptedData(context, crypto, KRB5_KU_PA_ENC_TIMESTAMP, @@ -333,7 +344,7 @@ make_pa_enc_timestamp(krb5_context context, PA_DATA *pa, free_EncryptedData(&encdata); if (ret) return ret; - pa->padata_type = pa_enc_timestamp; + pa->padata_type = KRB5_PADATA_ENC_TIMESTAMP; pa->padata_value.length = 0; krb5_data_copy(&pa->padata_value, buf + sizeof(buf) - len, @@ -575,10 +586,10 @@ set_ptypes(krb5_context context, NULL); for(i = 0; i < md.len; i++){ switch(md.val[i].padata_type){ - case pa_enc_timestamp: + case KRB5_PADATA_ENC_TIMESTAMP: *ptypes = ptypes2; break; - case pa_etype_info: + case KRB5_PADATA_ETYPE_INFO: *preauth = &preauth2; ALLOC_SEQ(*preauth, 1); (*preauth)->val[0].type = KRB5_PADATA_ENC_TIMESTAMP; @@ -588,6 +599,8 @@ set_ptypes(krb5_context context, &(*preauth)->val[0].info, NULL); break; + default: + break; } } free_METHOD_DATA(&md); 
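Review bot: The rewritten client check in _krb5_extract_ticket now replaces `creds->client` with `tmp_principal` on every successful path, and with `ignore_cname` set it does so without any comparison; as far as this hunk shows, `tmp_principal` comes from `rep->kdc_rep.cname`/`crealm`, not from the decrypted `enc_part`, so in that case the stored client name is whatever the reply carried rather than something the caller verified. Put that at the `if (!ignore_cname)` line: `/* ignore_cname (anonymous requests; callers pass request_anonymous) accepts the reply's cname as-is -- it is not covered by the enc_part decryption */`. The unconditional `krb5_free_principal (context, creds->client); creds->client = tmp_principal;` also changes ownership, so any caller that still holds the previous `creds->client` pointer is left with a dangling one; a comment stating that the principal is replaced would warn them. The function starts and ends outside the hunk.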
@@ -707,12 +720,12 @@ krb5_get_in_cred(krb5_context context, if(rep.kdc_rep.padata){ int index = 0; pa = krb5_find_padata(rep.kdc_rep.padata->val, rep.kdc_rep.padata->len, - pa_pw_salt, &index); + KRB5_PADATA_PW_SALT, &index); if(pa == NULL) { index = 0; pa = krb5_find_padata(rep.kdc_rep.padata->val, rep.kdc_rep.padata->len, - pa_afs3_salt, &index); + KRB5_PADATA_AFS3_SALT, &index); } } if(pa) { @@ -741,6 +754,7 @@ krb5_get_in_cred(krb5_context context, NULL, nonce, FALSE, + opts.b.request_anonymous, decrypt_proc, decryptarg); memset (key->keyvalue.data, 0, key->keyvalue.length); diff --git a/crypto/heimdal/lib/krb5/get_port.c b/crypto/heimdal/lib/krb5/get_port.c index 17bb45f..6c51741 100644 --- a/crypto/heimdal/lib/krb5/get_port.c +++ b/crypto/heimdal/lib/krb5/get_port.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include -RCSID("$Id: get_port.c,v 1.7 1999/12/02 17:05:10 joda Exp $"); +RCSID("$Id: get_port.c,v 1.8 2001/01/27 19:24:34 joda Exp $"); int krb5_getportbyname (krb5_context context, @@ -44,8 +44,10 @@ krb5_getportbyname (krb5_context context, struct servent *sp; if ((sp = roken_getservbyname (service, proto)) == NULL) { +#if 0 krb5_warnx(context, "%s/%s unknown service, using default port %d", service, proto, default_port); +#endif return htons(default_port); } else return sp->s_port; diff --git a/crypto/heimdal/lib/krb5/heim_err.et b/crypto/heimdal/lib/krb5/heim_err.et index 5ec3543..09145f2 100644 --- a/crypto/heimdal/lib/krb5/heim_err.et +++ b/crypto/heimdal/lib/krb5/heim_err.et @@ -3,7 +3,7 @@ # # This might look like a com_err file, but is not # -id "$Id: heim_err.et,v 1.7 1999/08/25 20:49:17 joda Exp $" +id "$Id: heim_err.et,v 1.10 2000/07/08 13:02:11 joda Exp $" error_table heim 
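Review bot: Wrapping the krb5_warnx call in krb5_getportbyname in `#if 0` leaves dead code where an explanation of the now-silent fallback belongs. Either delete the block or replace it with `/* unknown service/proto: silently fall back to default_port */`, so the next reader does not re-enable the warning without knowing why it was turned off.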
@@ -14,5 +14,23 @@ error_code V4_PRINC_NO_CONV, "Failed to convert v4 principal"
 error_code SALTTYPE_NOSUPP, "Salt type is not supported by enctype"
 error_code NOHOST, "Host not found"
 error_code OPNOTSUPP, "Operation not supported"
+error_code EOF, "End of file"
+error_code BAD_MKEY, "Failed to get the master key"
+
+index 128
+prefix HEIM_EAI
+#error_code NOERROR, "no error"
+error_code UNKNOWN, "unknown error from getaddrinfo"
+error_code ADDRFAMILY, "address family for nodename not supported"
+error_code AGAIN, "temporary failure in name resolution"
+error_code BADFLAGS, "invalid value for ai_flags"
+error_code FAIL, "non-recoverable failure in name resolution"
+error_code FAMILY, "ai_family not supported"
+error_code MEMORY, "memory allocation failure"
+error_code NODATA, "no address associated with nodename"
+error_code NONAME, "nodename nor servname provided, or not known"
+error_code SERVICE, "servname not supported for ai_socktype"
+error_code SOCKTYPE, "ai_socktype not supported"
+error_code SYSTEM, "system error returned in errno"
 end
diff --git a/crypto/heimdal/lib/krb5/init_creds.c b/crypto/heimdal/lib/krb5/init_creds.c
index 404fa5a..f6c571a 100644
--- a/crypto/heimdal/lib/krb5/init_creds.c
+++ b/crypto/heimdal/lib/krb5/init_creds.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  *
@@ -33,7 +33,7 @@
 #include "krb5_locl.h"
-RCSID("$Id: init_creds.c,v 1.2 1999/12/02 17:05:10 joda Exp $");
+RCSID("$Id: init_creds.c,v 1.5 2001/01/05 16:27:39 joda Exp $");
 void
 krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt)
@@ -43,6 +43,48 @@ krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt)
 }
 void
+krb5_get_init_creds_opt_set_default_flags(krb5_context context,
+ const char *appname,
+ krb5_realm realm,
+ krb5_get_init_creds_opt *opt)
+{
+ krb5_boolean b;
+ time_t t;
+
+ krb5_appdefault_boolean(context, appname, realm, "forwardable", FALSE, &b);
+ krb5_get_init_creds_opt_set_forwardable(opt, b);
+
+ krb5_appdefault_boolean(context, appname, realm, "proxiable", FALSE, &b);
+ krb5_get_init_creds_opt_set_proxiable (opt, b);
+
+ krb5_appdefault_time(context, appname, realm, "ticket_life", 0, &t);
+ if(t != 0)
+ krb5_get_init_creds_opt_set_tkt_life(opt, t);
+
+ krb5_appdefault_time(context, appname, realm, "renewable_life", 0, &t);
+ if(t != 0)
+ krb5_get_init_creds_opt_set_renew_life(opt, t);
+
+#if 0
+ krb5_appdefault_boolean(context, appname, realm, "anonymous", FALSE, &b);
+ krb5_get_init_creds_opt_set_anonymous (opt, b);
+
+ krb5_get_init_creds_opt_set_etype_list(opt, enctype,
+ etype_str.num_strings);
+
+ krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt,
+ krb5_data *salt);
+
+ krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt,
+ krb5_preauthtype *preauth_list,
+ int preauth_list_length);
+ krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt,
+ krb5_addresses *addresses);
+#endif
+}
+
+
+void
 krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt,
 krb5_deltat tkt_life)
 {
@@ -109,3 +151,11 @@ krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt,
 opt->flags |= KRB5_GET_INIT_CREDS_OPT_SALT;
 opt->salt = salt;
 }
+
+void
+krb5_get_init_creds_opt_set_anonymous(krb5_get_init_creds_opt *opt,
+ int anonymous)
+{
+ opt->flags |= KRB5_GET_INIT_CREDS_OPT_ANONYMOUS;
+ opt->anonymous = anonymous;
+}
diff --git a/crypto/heimdal/lib/krb5/init_creds_pw.c b/crypto/heimdal/lib/krb5/init_creds_pw.c
index 3caf939..8881d13 100644
--- a/crypto/heimdal/lib/krb5/init_creds_pw.c
+++ b/crypto/heimdal/lib/krb5/init_creds_pw.c
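Review bot: krb5_get_init_creds_opt_set_default_flags ends with a `#if 0` block that is not compilable C (it mixes calls with prototype-style text such as `krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt, krb5_data *salt);`), so it is a to-do list disguised as code; replace it with `/* TODO: anonymous, etype_list, salt, preauth_list and address_list are not yet read from appdefaults */` or drop it. The function is new public API and has no header comment; one sentence saying that it reads the `forwardable`, `proxiable`, `ticket_life` and `renewable_life` appdefaults for `appname`/`realm` and applies only non-zero lifetimes to `opt` would do. `krb5_get_init_creds_opt_set_anonymous` takes `int anonymous` although the disabled code intends to feed it the `krb5_boolean` produced by `krb5_appdefault_boolean`; using `krb5_boolean` there would match the sibling setters and the flag semantics.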
@@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: init_creds_pw.c,v 1.38 2000/02/07 03:17:20 assar Exp $"); +RCSID("$Id: init_creds_pw.c,v 1.44 2000/07/24 03:46:40 assar Exp $"); static int get_config_time (krb5_context context, @@ -178,9 +178,9 @@ print_expire (krb5_context context, if (lr->val[i].lr_type == 6 && lr->val[i].lr_value <= t) { char *p; + time_t tmp = lr->val[i].lr_value; - asprintf (&p, "Your password will expire at %s", - ctime(&lr->val[i].lr_value)); + asprintf (&p, "Your password will expire at %s", ctime(&tmp)); (*prompter) (context, data, p, 0, NULL); free (p); return; @@ -190,9 +190,9 @@ print_expire (krb5_context context, if (rep->enc_part.key_expiration && *rep->enc_part.key_expiration <= t) { char *p; + time_t t = *rep->enc_part.key_expiration; - asprintf (&p, "Your password/account will expire at %s", - ctime(rep->enc_part.key_expiration)); + asprintf (&p, "Your password/account will expire at %s", ctime(&t)); (*prompter) (context, data, p, 0, NULL); free (p); } @@ -263,6 +263,8 @@ get_init_creds_common(krb5_context context, } if (options->flags & KRB5_GET_INIT_CREDS_OPT_SALT) ; /* XXX */ + if (options->flags & KRB5_GET_INIT_CREDS_OPT_ANONYMOUS) + flags->b.request_anonymous = options->anonymous; return 0; } @@ -291,9 +293,12 @@ change_password (krb5_context context, krb5_get_init_creds_opt_init (&options); krb5_get_init_creds_opt_set_tkt_life (&options, 60); - krb5_get_init_creds_opt_set_preauth_list (&options, - old_options->preauth_list, - old_options->preauth_list_length); + krb5_get_init_creds_opt_set_forwardable (&options, FALSE); + krb5_get_init_creds_opt_set_proxiable (&options, FALSE); + if (old_options->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST) + krb5_get_init_creds_opt_set_preauth_list (&options, + old_options->preauth_list, + old_options->preauth_list_length); krb5_data_zero (&result_code_string); krb5_data_zero (&result_string); 
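Review bot: In the second print_expire hunk the new local `time_t t = *rep->enc_part.key_expiration;` shadows the outer `t` that the enclosing `if` just compared against, which compiles but trips `-Wshadow` and is inconsistent with the first hunk, where the same temporary is called `tmp`. Rename it: `time_t tmp = *rep->enc_part.key_expiration;` and `ctime(&tmp)`. A one-line reason for the copy would also help, since it is not obvious: `/* copy to a local time_t: ctime() wants a time_t*, and the field's type may differ */` (hedged — the field's declared type is not visible here). print_expire begins and ends outside these hunks.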
@@ -438,6 +443,12 @@ krb5_get_init_creds_password(krb5_context context,
 done = 1;
 break;
 case KRB5KDC_ERR_KEY_EXPIRED :
+ /* try to avoid recursion */
+
+ if (in_tkt_service != NULL
+ && strcmp (in_tkt_service, "kadmin/changepw") == 0)
+ goto out;
+
 ret = change_password (context,
 client,
 password,
diff --git a/crypto/heimdal/lib/krb5/kerberos.8 b/crypto/heimdal/lib/krb5/kerberos.8
new file mode 100644
index 0000000..1b2ec91
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/kerberos.8
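Review bot: The recursion guard in krb5_get_init_creds_password compares `in_tkt_service` only against the literal `"kadmin/changepw"`, so a caller that names the same service in any other spelling the library accepts (for instance with a realm suffix, if that is allowed here) would still recurse into change_password; if exact-string matching is the intended contract, the comment should say so. `/* try to avoid recursion */` should state the mechanism: `/* a KEY_EXPIRED reply while fetching kadmin/changepw itself must not call change_password(), which would request that same service again */`. The `goto out` returns whatever `ret` holds at that point, which this hunk does not show; the function continues outside the hunk.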
@@ -0,0 +1,73 @@ +.\" $Id: kerberos.8,v 1.1 2000/09/01 15:52:24 joda Exp $ +.\" +.Dd September 1, 2000 +.Dt KERBEROS 8 +.Os HEIMDAL +.Sh NAME +.Nm kerberos +.Nd introduction to the Kerberos system +.Sh DESCRIPTION +Kerberos is a network authentication system. It's purpose is to +securely authenticate users and services in an insecure network +environment. +.Pp +This is done with a Kerberos server acting as a trusted third party, +keeping a database with secret keys for all users and services +(collectively called +.Em principals ) . +.Pp +Each principal belongs to exactly one +.Em realm , +which is the administrative domain in Kerberos. A realm usually +corresponds to an organisation, and the realm should normally be +derived from that organisation's domain name. A realm is served by one +or more Kerberos servers. +.Pp +The authentication process involves exchange of +.Sq tickets +and +.Sq authenticators +which together prove the principal's identity. +.Pp +When you login to the Kerberos system, either through the normal +system login or with the +.Xr kinit 1 +program, you acquire a +.Em ticket granting ticket +which allows you to get new tickets for other services, such as +.Ic telnet +or +.Ic ftp , +without giving your password. +.Pp +For more information on how Kerberos works, and other general Kerberos +questions see the Kerberos FAQ at +.Ad http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html . + +For setup instructions see the Heimdal Texinfo manual. +.Sh SEE ALSO +.Xr ftp 1 +.Xr kdestroy 1 , +.Xr kinit 1 , +.Xr klist 1 , +.Xr kpasswd 1 , +.Xr telnet 1 +.Sh HISTORY +The Kerberos authentication system was developed in the late 1980's as +part of the Athena Project at the Massachusetts Institute of +Technology. Versions one through three never reached outside MIT, but +version 4 was (and still is) quite popular, especially in the academic +community, but is also used in commercial products like the AFS +filesystem. 
+.Pp +The problems with version 4 are that it has many limitations, the code +was not too well written (since it had been developed over a long +time), and it has a number of known security problems. To resolve many +of these issues work on version five started, and resulted in IETF +RFC1510 in 1993. Since then much work has been put into the further +development, and a new RFC will hopefully appear soon. +.Pp +This manual manual page is part of the +.Nm Heimdal +Kerberos 5 distribution, which has been in development at the Royal +Institute of Technology in Stockholm, Sweden, since about 1997. diff --git a/crypto/heimdal/lib/krb5/keyblock.c b/crypto/heimdal/lib/krb5/keyblock.c index 89732a0..124d9bc 100644 --- a/crypto/heimdal/lib/krb5/keyblock.c +++ b/crypto/heimdal/lib/krb5/keyblock.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,6 +33,8 @@ #include "krb5_locl.h" +RCSID("$Id: keyblock.c,v 1.11 2000/03/23 03:38:25 assar Exp $"); + void krb5_free_keyblock_contents(krb5_context context, krb5_keyblock *keyblock) diff --git a/crypto/heimdal/lib/krb5/keytab_keyfile.c b/crypto/heimdal/lib/krb5/keytab_keyfile.c index fa14e62..ffdf35c 100644 --- a/crypto/heimdal/lib/krb5/keytab_keyfile.c +++ b/crypto/heimdal/lib/krb5/keytab_keyfile.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: keytab_keyfile.c,v 1.7 2000/01/02 04:00:22 assar Exp $"); +RCSID("$Id: keytab_keyfile.c,v 1.9 2000/07/02 16:14:16 assar Exp $"); /* afs keyfile operations --------------------------------------- */ @@ -221,7 +221,7 @@ akf_next_entry(krb5_context context, goto out; } - entry->vno = (int8_t) kvno; + entry->vno = kvno; entry->keyblock.keytype = ETYPE_DES_CBC_MD5; entry->keyblock.keyvalue.length = 8; 
@@ -235,6 +235,8 @@ akf_next_entry(krb5_context context, ret = cursor->sp->fetch(cursor->sp, entry->keyblock.keyvalue.data, 8); if(ret != 8) ret = (ret < 0) ? errno : KRB5_KT_END; + else + ret = 0; entry->timestamp = time(NULL); @@ -260,7 +262,7 @@ akf_add_entry(krb5_context context, { struct akf_data *d = id->data; int fd, created = 0; - int32_t kvno; + krb5_error_code ret; fd = open (d->filename, O_RDWR | O_BINARY); if (fd < 0) { 
@@ -274,29 +276,68 @@ akf_add_entry(krb5_context context, if (entry->keyblock.keyvalue.length == 8 && entry->keyblock.keytype == ETYPE_DES_CBC_MD5) { - int32_t len = 0; + int32_t len; + krb5_storage *sp; - if (!created) { - if (lseek (fd, 0, SEEK_SET)) + sp = krb5_storage_from_fd(fd); + if(sp == NULL) { + close(fd); + return ENOMEM; + } + if (created) + len = 0; + else { + if((*sp->seek)(sp, 0, SEEK_SET) < 0) { + krb5_storage_free(sp); + close(fd); return errno; + } - if (read (fd, &len, sizeof(len)) != sizeof(len)) - return errno; + ret = krb5_ret_int32(sp, &len); + if(ret) { + krb5_storage_free(sp); + close(fd); + return ret; + } } - len += 1; - - if (lseek (fd, 0, SEEK_SET)) - return errno; - - if (write (fd, &len, sizeof(len)) != sizeof(len)) + len++; + + if((*sp->seek)(sp, 0, SEEK_SET) < 0) { + krb5_storage_free(sp); + close(fd); return errno; + } + + ret = krb5_store_int32(sp, len); + if(ret) { + krb5_storage_free(sp); + close(fd); + return ret; + } + - if (lseek (fd, 4 + (len-1) * (8+4), SEEK_SET)) + if((*sp->seek)(sp, (len - 1) * (8 + 4), SEEK_CUR) < 0) { + krb5_storage_free(sp); + close(fd); return errno; - - kvno = entry->vno; - write(fd, &kvno, sizeof(kvno)); - write(fd, entry->keyblock.keyvalue.data, 8); + } + + ret = krb5_store_int32(sp, entry->vno); + if(ret) { + krb5_storage_free(sp); + close(fd); + return ret; + } + ret = sp->store(sp, entry->keyblock.keyvalue.data, + entry->keyblock.keyvalue.length); + if(ret != entry->keyblock.keyvalue.length) { + krb5_storage_free(sp); + close(fd); + if(ret < 0) + return errno; + return ENOTTY; + } + krb5_storage_free(sp); } close (fd); return 0; diff --git a/crypto/heimdal/lib/krb5/keytab_krb4.c b/crypto/heimdal/lib/krb5/keytab_krb4.c index b1f425c..e41f849 100644 --- a/crypto/heimdal/lib/krb5/keytab_krb4.c +++ b/crypto/heimdal/lib/krb5/keytab_krb4.c 
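Review bot: The rewritten akf_add_entry repeats `krb5_storage_free(sp); close(fd); return …;` eight times, and each `(*sp->seek)(...) < 0` branch returns `errno` without any assurance that the seek callback set it; a single `out:` label with `ret` as the one exit makes every error path one line and gives one place to document the on-disk layout that the `(len - 1) * (8 + 4)` seek encodes. The short-write branch maps a non-negative store result to `ENOTTY`, which a caller will read as an unrelated terminal error; `EIO` describes a short write better. For the label to see `sp` it must be declared at function scope, and the sketch below assumes `sp->store` returns a signed count — confirm against the storage interface. The `if (fd < 0)` path and the function's opening are outside this hunk.
```c
    krb5_storage *sp = NULL;
    /* … unchanged: open(), created handling … */

    if (entry->keyblock.keyvalue.length == 8
        && entry->keyblock.keytype == ETYPE_DES_CBC_MD5) {
        int32_t len;
        ssize_t n;

        sp = krb5_storage_from_fd(fd);
        if (sp == NULL) {
            ret = ENOMEM;
            goto out;
        }
        if (created) {
            len = 0;
        } else {
            if ((*sp->seek)(sp, 0, SEEK_SET) < 0) {
                ret = errno;
                goto out;
            }
            ret = krb5_ret_int32(sp, &len);
            if (ret)
                goto out;
        }
        len++;
        /* layout: int32 count, then count records of int32 kvno + 8-byte key */
        if ((*sp->seek)(sp, 0, SEEK_SET) < 0) {
            ret = errno;
            goto out;
        }
        ret = krb5_store_int32(sp, len);
        if (ret)
            goto out;
        if ((*sp->seek)(sp, (len - 1) * (8 + 4), SEEK_CUR) < 0) {
            ret = errno;
            goto out;
        }
        ret = krb5_store_int32(sp, entry->vno);
        if (ret)
            goto out;
        n = sp->store(sp, entry->keyblock.keyvalue.data,
                      entry->keyblock.keyvalue.length);
        if (n < 0 || (size_t)n != entry->keyblock.keyvalue.length) {
            ret = n < 0 ? errno : EIO;   /* short write */
            goto out;
        }
    }
    ret = 0;
out:
    if (sp != NULL)
        krb5_storage_free(sp);
    close(fd);
    return ret;
```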
@@ -32,9 +32,8 @@ */ #include "krb5_locl.h" -#include -RCSID("$Id: keytab_krb4.c,v 1.5 2000/01/06 08:04:58 assar Exp $"); +RCSID("$Id: keytab_krb4.c,v 1.6 2000/12/15 17:10:40 joda Exp $"); struct krb4_kt_data { char *filename; @@ -227,6 +226,9 @@ krb4_kt_add_entry (krb5_context context, struct krb4_kt_data *d = id->data; krb5_error_code ret; int fd; +#define ANAME_SZ 40 +#define INST_SZ 40 +#define REALM_SZ 40 char service[ANAME_SZ]; char instance[INST_SZ]; char realm[REALM_SZ]; @@ -258,7 +260,7 @@ krb4_kt_add_entry (krb5_context context, return 0; } -krb5_kt_ops krb4_fkt_ops = { +const krb5_kt_ops krb4_fkt_ops = { "krb4", krb4_kt_resolve, krb4_kt_get_name, diff --git a/crypto/heimdal/lib/krb5/krb5-private.h b/crypto/heimdal/lib/krb5/krb5-private.h index b24328a..c653695 100644 --- a/crypto/heimdal/lib/krb5/krb5-private.h +++ b/crypto/heimdal/lib/krb5/krb5-private.h @@ -18,7 +18,7 @@ _krb5_crc_init_table __P((void)); u_int32_t _krb5_crc_update __P(( - char *p, + const char *p, size_t len, u_int32_t res)); @@ -33,6 +33,7 @@ _krb5_extract_ticket __P(( krb5_addresses *addrs, unsigned nonce, krb5_boolean allow_server_mismatch, + krb5_boolean ignore_cname, krb5_decrypt_proc decrypt_proc, krb5_const_pointer decryptarg)); diff --git a/crypto/heimdal/lib/krb5/krb5-protos.h b/crypto/heimdal/lib/krb5/krb5-protos.h index 59402a7..628f560 100644 --- a/crypto/heimdal/lib/krb5/krb5-protos.h +++ b/crypto/heimdal/lib/krb5/krb5-protos.h @@ -66,6 +66,20 @@ krb5_abortx __P(( __attribute__ ((noreturn, format (printf, 2, 3))); krb5_error_code +krb5_acl_match_file __P(( + krb5_context context, + const char *file, + const char *format, + ...)); + +krb5_error_code +krb5_acl_match_string __P(( + krb5_context context, + const char *acl_string, + const char *format, + ...)); + +krb5_error_code krb5_add_et_list __P(( krb5_context context, void (*func)(struct et_list **))); 
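Review bot: The three `#define ANAME_SZ 40` / `INST_SZ` / `REALM_SZ` lines sit inside krb4_kt_add_entry's declaration block, where they read like locals but are file-wide from that point on, and they appear to stand in for the `#include` this hunk removes; if the values must agree with what the krb4 library uses for these buffers, that dependency should be written down. Move them to file scope as `enum { ANAME_SZ = 40, INST_SZ = 40, REALM_SZ = 40 };` with `/* must match the krb4 header's sizes; duplicated so libkrb5 does not include krb4 headers */`. How `service`, `instance` and `realm` are filled is outside this hunk, so whether the 40-byte bound is enforced on that path cannot be checked here.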
@@ -130,6 +144,33 @@ krb5_anyaddr __P(( int *sa_size, int port)); +void +krb5_appdefault_boolean __P(( + krb5_context context, + const char *appname, + krb5_realm realm, + const char *option, + krb5_boolean def_val, + krb5_boolean *ret_val)); + +void +krb5_appdefault_string __P(( + krb5_context context, + const char *appname, + krb5_realm realm, + const char *option, + const char *def_val, + char **ret_val)); + +void +krb5_appdefault_time __P(( + krb5_context context, + const char *appname, + krb5_realm realm, + const char *option, + time_t def_val, + time_t *ret_val)); + krb5_error_code krb5_append_addresses __P(( krb5_context context, @@ -142,6 +183,13 @@ krb5_auth_con_free __P(( krb5_auth_context auth_context)); krb5_error_code +krb5_auth_con_genaddrs __P(( + krb5_context context, + krb5_auth_context auth_context, + int fd, + int flags)); + +krb5_error_code krb5_auth_con_getaddrs __P(( krb5_context context, krb5_auth_context auth_context, @@ -167,6 +215,12 @@ krb5_auth_con_getlocalsubkey __P(( krb5_keyblock **keyblock)); krb5_error_code +krb5_auth_con_getrcache __P(( + krb5_context context, + krb5_auth_context auth_context, + krb5_rcache *rcache)); + +krb5_error_code krb5_auth_con_getremotesubkey __P(( krb5_context context, krb5_auth_context auth_context, @@ -209,6 +263,12 @@ krb5_auth_con_setlocalsubkey __P(( krb5_keyblock *keyblock)); krb5_error_code +krb5_auth_con_setrcache __P(( + krb5_context context, + krb5_auth_context auth_context, + krb5_rcache rcache)); + +krb5_error_code krb5_auth_con_setremotesubkey __P(( krb5_context context, krb5_auth_context auth_context, @@ -291,7 +351,8 @@ krb5_build_authenticator __P(( krb5_creds *cred, Checksum *cksum, Authenticator **auth_result, - krb5_data *result)); + krb5_data *result, + krb5_key_usage usage)); krb5_error_code krb5_build_principal __P(( 
@@ -545,6 +606,13 @@ krb5_config_get_string __P(( krb5_config_section *c, ...)); +const char * +krb5_config_get_string_default __P(( + krb5_context context, + krb5_config_section *c, + const char *def_value, + ...)); + char** krb5_config_get_strings __P(( krb5_context context, @@ -629,6 +697,13 @@ krb5_config_vget_string __P(( krb5_config_section *c, va_list args)); +const char * +krb5_config_vget_string_default __P(( + krb5_context context, + krb5_config_section *c, + const char *def_value, + va_list args)); + char ** krb5_config_vget_strings __P(( krb5_context context, @@ -827,10 +902,20 @@ krb5_decrypt_EncryptedData __P(( krb5_context context, krb5_crypto crypto, unsigned usage, - EncryptedData *e, + const EncryptedData *e, krb5_data *result)); krb5_error_code +krb5_decrypt_ivec __P(( + krb5_context context, + krb5_crypto crypto, + unsigned usage, + void *data, + size_t len, + krb5_data *result, + void *ivec)); + +krb5_error_code krb5_decrypt_ticket __P(( krb5_context context, Ticket *ticket, @@ -853,6 +938,9 @@ krb5_domain_x500_encode __P(( krb5_data *encoding)); krb5_error_code +krb5_eai_to_heim_errno __P((int eai_errno)); + +krb5_error_code krb5_encode_Authenticator __P(( krb5_context context, void *data, @@ -928,6 +1016,16 @@ krb5_encrypt_EncryptedData __P(( EncryptedData *result)); krb5_error_code +krb5_encrypt_ivec __P(( + krb5_context context, + krb5_crypto crypto, + unsigned usage, + void *data, + size_t len, + krb5_data *result, + void *ivec)); + +krb5_error_code krb5_enctype_to_keytype __P(( krb5_context context, krb5_enctype etype, @@ -988,6 +1086,14 @@ krb5_find_padata __P(( int *index)); krb5_error_code +krb5_format_time __P(( + krb5_context context, + time_t t, + char *s, + size_t len, + krb5_boolean include_time)); + +krb5_error_code krb5_free_address __P(( krb5_context context, krb5_address *address)); 
@@ -1106,7 +1212,7 @@ krb5_error_code krb5_generate_seq_number __P(( krb5_context context, const krb5_keyblock *key, - int32_t *seqno)); + u_int32_t *seqno)); krb5_error_code krb5_generate_subkey __P(( @@ -1291,6 +1397,18 @@ krb5_get_init_creds_opt_set_address_list __P(( krb5_addresses *addresses)); void +krb5_get_init_creds_opt_set_anonymous __P(( + krb5_get_init_creds_opt *opt, + int anonymous)); + +void +krb5_get_init_creds_opt_set_default_flags __P(( + krb5_context context, + const char *appname, + krb5_realm realm, + krb5_get_init_creds_opt *opt)); + +void krb5_get_init_creds_opt_set_etype_list __P(( krb5_get_init_creds_opt *opt, krb5_enctype *etype_list, @@ -1373,6 +1491,12 @@ krb5_get_pw_salt __P(( krb5_const_principal principal, krb5_salt *salt)); +krb5_error_code +krb5_get_server_rcache __P(( + krb5_context context, + const krb5_data *piece, + krb5_rcache *id)); + krb5_boolean krb5_get_use_admin_kdc __P((krb5_context context)); @@ -1623,7 +1747,7 @@ krb5_mk_priv __P(( krb5_error_code krb5_mk_rep __P(( krb5_context context, - krb5_auth_context *auth_context, + krb5_auth_context auth_context, krb5_data *outbuf)); krb5_error_code @@ -1638,6 +1762,16 @@ krb5_mk_req __P(( krb5_data *outbuf)); krb5_error_code +krb5_mk_req_exact __P(( + krb5_context context, + krb5_auth_context *auth_context, + const krb5_flags ap_req_options, + const krb5_principal server, + krb5_data *in_data, + krb5_ccache ccache, + krb5_data *outbuf)); + +krb5_error_code krb5_mk_req_extended __P(( krb5_context context, krb5_auth_context *auth_context, @@ -1654,7 +1788,8 @@ krb5_mk_req_internal __P(( krb5_data *in_data, krb5_creds *in_creds, krb5_data *outbuf, - krb5_key_usage usage)); + krb5_key_usage checksum_usage, + krb5_key_usage encrypt_usage)); krb5_error_code krb5_mk_safe __P(( 
@@ -1732,6 +1867,12 @@ krb5_principal_compare_any_realm __P(( krb5_const_principal princ1, krb5_const_principal princ2)); +krb5_boolean +krb5_principal_match __P(( + krb5_context context, + krb5_const_principal princ, + krb5_const_principal pattern)); + krb5_error_code krb5_print_address __P(( const krb5_address *addr, 
@@ -1757,9 +1898,94 @@ krb5_prompter_posix __P(( krb5_prompt prompts[])); krb5_error_code +krb5_rc_close __P(( + krb5_context context, + krb5_rcache id)); + +krb5_error_code +krb5_rc_default __P(( + krb5_context context, + krb5_rcache *id)); + +const char * +krb5_rc_default_name __P((krb5_context context)); + +const char * +krb5_rc_default_type __P((krb5_context context)); + +krb5_error_code +krb5_rc_destroy __P(( + krb5_context context, + krb5_rcache id)); + +krb5_error_code +krb5_rc_expunge __P(( + krb5_context context, + krb5_rcache id)); + +krb5_error_code +krb5_rc_get_lifespan __P(( + krb5_context context, + krb5_rcache id, + krb5_deltat *auth_lifespan)); + +const char* +krb5_rc_get_name __P(( + krb5_context context, + krb5_rcache id)); + +const char* +krb5_rc_get_type __P(( + krb5_context context, + krb5_rcache id)); + +krb5_error_code +krb5_rc_initialize __P(( + krb5_context context, + krb5_rcache id, + krb5_deltat auth_lifespan)); + +krb5_error_code +krb5_rc_recover __P(( + krb5_context context, + krb5_rcache id)); + +krb5_error_code +krb5_rc_resolve __P(( + krb5_context context, + krb5_rcache id, + const char *name)); + +krb5_error_code +krb5_rc_resolve_full __P(( + krb5_context context, + krb5_rcache *id, + const char *string_name)); + +krb5_error_code +krb5_rc_resolve_type __P(( + krb5_context context, + krb5_rcache *id, + const char *type)); + +krb5_error_code +krb5_rc_store __P(( + krb5_context context, + krb5_rcache id, + krb5_donot_replay *rep)); + +krb5_error_code krb5_rd_cred __P(( krb5_context context, krb5_auth_context auth_context, + krb5_data *in_data, + krb5_creds ***ret_creds, + krb5_replay_data *out_data)); + +krb5_error_code +krb5_rd_cred2 __P(( + krb5_context context, + krb5_auth_context auth_context, krb5_ccache ccache, krb5_data *in_data)); 
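Review bot: `krb5_rd_cred` keeps its name but gets a different parameter list (`krb5_data *in_data, krb5_creds ***ret_creds, krb5_replay_data *out_data`) while the previous `(ccache, in_data)` shape moves to `krb5_rd_cred2`, and nothing in the header records this, so a caller of the old form fails to compile with no hint of the replacement. A line above each would settle it: `/* krb5_rd_cred2: the former krb5_rd_cred interface; presumably stores the received creds into ccache */` (hedged — the implementation is not on this page). The new `krb5_rc_*` replay-cache declarations in the same hunk also arrive without a note on ownership of the `krb5_rcache` handle; stating on krb5_rc_default and krb5_rc_resolve_full that the caller owns the returned id and releases it with krb5_rc_close would cover it.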
@@ -1818,6 +2044,20 @@ krb5_read_message __P(( krb5_pointer p_fd, krb5_data *data)); +krb5_error_code +krb5_read_priv_message __P(( + krb5_context context, + krb5_auth_context ac, + krb5_pointer p_fd, + krb5_data *data)); + +krb5_error_code +krb5_read_safe_message __P(( + krb5_context context, + krb5_auth_context ac, + krb5_pointer p_fd, + krb5_data *data)); + krb5_boolean krb5_realm_compare __P(( krb5_context context, @@ -1936,6 +2176,14 @@ krb5_sendauth __P(( krb5_creds **out_creds)); krb5_error_code +krb5_sendto __P(( + krb5_context context, + const krb5_data *send, + char **hostlist, + int port, + krb5_data *receive)); + +krb5_error_code krb5_sendto_kdc __P(( krb5_context context, const krb5_data *send, @@ -1943,6 +2191,14 @@ krb5_sendto_kdc __P(( krb5_data *receive)); krb5_error_code +krb5_sendto_kdc2 __P(( + krb5_context context, + const krb5_data *send, + const krb5_realm *realm, + krb5_data *receive, + krb5_boolean master)); + +krb5_error_code krb5_set_default_in_tkt_etypes __P(( krb5_context context, const krb5_enctype *etypes)); @@ -2102,7 +2358,7 @@ krb5_store_string __P(( krb5_error_code krb5_store_stringz __P(( krb5_storage *sp, - char *s)); + const char *s)); krb5_error_code krb5_store_times __P(( @@ -2232,6 +2488,18 @@ krb5_verify_ap_req __P(( krb5_ticket **ticket)); krb5_error_code +krb5_verify_ap_req2 __P(( + krb5_context context, + krb5_auth_context *auth_context, + krb5_ap_req *ap_req, + krb5_const_principal server, + krb5_keyblock *keyblock, + krb5_flags flags, + krb5_flags *ap_req_options, + krb5_ticket **ticket, + krb5_key_usage usage)); + +krb5_error_code krb5_verify_authenticator_checksum __P(( krb5_context context, krb5_auth_context ac, 
@@ -2355,6 +2623,21 @@ krb5_write_message __P(( krb5_data *data)); krb5_error_code +krb5_write_priv_message __P(( + krb5_context context, + krb5_auth_context ac, + krb5_pointer p_fd, + krb5_data *data)); + +krb5_error_code +krb5_write_safe_message __P(( + krb5_context context, + krb5_auth_context ac, + krb5_boolean priv, + krb5_pointer p_fd, + krb5_data *data)); + +krb5_error_code krb5_xfree __P((void *ptr)); krb5_error_code diff --git a/crypto/heimdal/lib/krb5/krb5.conf.5 b/crypto/heimdal/lib/krb5/krb5.conf.5 index 2a0adb6..51f6cfb 100644 --- a/crypto/heimdal/lib/krb5/krb5.conf.5 +++ b/crypto/heimdal/lib/krb5/krb5.conf.5 @@ -1,4 +1,4 @@ -.\" $Id: krb5.conf.5,v 1.7 1999/11/04 01:57:28 assar Exp $ +.\" $Id: krb5.conf.5,v 1.12 2001/01/19 04:53:24 assar Exp $ .\" .Dd April 11, 1999 .Dt KRB5.CONF 5 @@ -46,7 +46,6 @@ name: .Li STRINGs consists of one or more non-white space characters. Currently recognised sections and bindings are: - .Bl -tag -width "xxx" -offset indent .It Li [libdefaults] .Bl -tag -width "xxx" -offset indent 
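Review bot: `krb5_write_safe_message` takes a `krb5_boolean priv` argument even though a separate `krb5_write_priv_message` is declared immediately above it, and the read side added earlier in this file (`krb5_read_safe_message`, `krb5_read_priv_message`) has no such flag, so the two halves of the API are not symmetric. If `priv` = TRUE really makes the function emit a KRB-PRIV instead of a KRB-SAFE, that should be stated on the prototype, e.g. `/* priv: TRUE sends a KRB-PRIV (encrypted), FALSE a KRB-SAFE (integrity only) */`, with `krb5_write_priv_message` documented as the priv=TRUE case; otherwise the extra parameter is a trap for callers who expect write_safe to always be integrity-only. Whether `priv` changes the wire format is an inference from the names; the header alone does not show it.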
@@ -65,7 +64,24 @@ Maximum time to wait for a reply from the kdc, default is 3 seconds. These are decribed in the .Xr krb5_425_conv_principal 3 manual page. -.It Li capath = Va realm-routing-table +.It Li capath = { +.Bl -tag -width "xxx" -offset indent +.It Va destination-realm Li = Va next-hop-realm +.It ... +.El +Normally, all requests to realms different from the one of the current +client are sent to this KDC to get cross-realm tickets. +If this KDC does not have a cross-realm key with the desired realm and +the hierarchical path to that realm does not work, a path can be +configured using this directive. +The text shown above instructs the KDC to try to obtain a cross-realm +ticket to +.Va next-hop-realm +when the desired realm is +.Va destination-realm . +This configuration should preferably be done on the KDC where it will +help all its clients but can also be done on the client itself. +.It Li } .It Li default_etypes = Va etypes... A list of default etypes to use. .It Li default_etypes_des = Va etypes... @@ -113,10 +129,18 @@ perid. .It Va REALM Li = { .Bl -tag -width "xxx" -offset indent .It Li kdc = Va host[:port] -Specifies a kdc for this realm. If the optional port is absent, the +Specifies a list of kdcs for this realm. If the optional port is absent, the default value for the .Dq kerberos/udp service will be used. +The kdcs will be used in the order that they are specified. +.It Li admin_server = Va host[:port] +Specifies the admin server for this realm, where all the modifications +to the database are perfomed. +.It Li kpasswd_server = Va host[:port] +Points to the server where all the password changes are perfomed. +If there is no such entry, the kpasswd port on the admin_server host +will be tried. .It Li v4_instance_convert .It Li v4_name_convert .It Li default_domain 
@@ -136,7 +160,100 @@ for logging. See the .Xr krb5_openlog 3 manual page for a list of defined destinations. .El +.It Li [kdc] +.Bl -tag -width "xxx" -offset indent +.It database Li = { +.Bl -tag -width "xxx" -offset indent +.It dbname Li = Va DATABASENAME +use this database for this realm. +.It realm Li = Va REALM +specifies the realm that will be stored in this database. +.It mkey_file Li = Pa FILENAME +use this keytab file for the master key of this database. +If not specified +.Va DATABASENAME Ns .mkey +will be used. +.It acl_file Li = PA FILENAME +use this file for the ACL list of this database. +.It log_file Li = Pa FILENAME +use this file as the log of changes performed to the database. This +file is used by +.Nm ipropd-master +for propagating changes to slaves. +.El +.It Li } +.It max-request = Va SIZE +Maximum size of a kdc request. +.It require-preauth = Va BOOL +If set pre-authentication is required. Since krb4 requests are not +pre-authenticated they will be rejected. +.It ports = Va "list of ports" +list of ports the kdc should listen to. +.It addresses = Va "list of interfaces" +list of addresses the kdc should bind to. +.It enable-kerberos4 = Va BOOL +turn on kerberos4 support. +.It v4-realm = Va REALM +to what realm v4 requests should be mapped. +.It enable-524 = Va BOOL +should the Kerberos 524 converting facility be turned on. Default is same as +.Va enable-kerberos4 . +.It enable-http = Va BOOL +should the kdc answer kdc-requests over http. +.It enable-kaserver = Va BOOL +if this kdc should emulate the AFS kaserver. +.It check-ticket-addresses = Va BOOL +verify the addresses in the tickets used in tgs requests. +.\" XXX +.It allow-null-ticket-addresses = Va BOOL +allow addresses-less tickets. +.\" XXX +.It allow-anonymous = Va BOOL +if the kdc is allowed to hand out anonymous tickets. +.It encode_as_rep_as_tgs_rep = Va BOOL +encode as-rep as tgs-rep tobe compatible with mistakes older DCE secd did. 
+.\" XXX +.It kdc_warn_pwexpire = Va TIME +the time before expiration that the user should be warned that her +password is about to expire. +.It logging = Va Logging +What type of logging the kdc should use, see also [logging]/kdc. .El +.It Li [kadmin] +.Bl -tag -width "xxx" -offset indent +.It require-preauth = Va BOOL +If pre-authentication is required to talk to the kadmin server. +.It default_keys = Va keytypes... +for each entry in +.Va default_keys +try to parse it as a sequence of +.Va etype:salttype:salt +syntax of this if something like: +.Pp +[(des|des3|etype):](pw-salt|afs3-salt)[:string] +.Pp +if +.Ar etype +is omitted it means everything, and if string is omitted is means the default string (for that principal). Additional special values of keyttypes are: +.Bl -tag -width "xxx" -offset indent +.It v5 +The kerberos 5 salt +.Va pw-salt +.It v4 +The kerberos 4 type +.Va des:pw-salt: +.El +.It use_v4_salt = Va BOOL +When true, this is the same as +.Pp +.Va default_keys = Va des3:pw-salt Va v4 +.Pp +and is only left for backwards compatability. +.El +.El +.Sh ENVIRONMENT +.Ev KRB5_CONFIG +points to the configuration file to read. .Sh EXAMPLE .Bd -literal -offset indent [lib_defaults] @@ -160,7 +277,21 @@ manual page for a list of defined destinations. kdc = SYSLOG:INFO default = SYSLOG:INFO:USER .Ed +.Sh DIAGNOSTICS +Since +.Nm +is read and parsed by the krb5 library, there is not a lot of +opportunities for programs to report parsing errors in any useful +format. +To help overcome this problem, there is a program +.Nm verify_krb5_conf +that reads +.Nm +and tries to emit useful diagnostics from parsing errors. Note that +this program does not have any way of knowing what options are +actually used and thus cannot warn about unknown or misspelt ones. .Sh SEE ALSO +.Xr verify_krb5_conf 8 , .Xr krb5_openlog 3 , .Xr krb5_425_conv_principal 3 , .Xr strftime 3 , 
diff --git a/crypto/heimdal/lib/krb5/krb5.h b/crypto/heimdal/lib/krb5/krb5.h index 15837e0..65a8a16 100644 --- a/crypto/heimdal/lib/krb5/krb5.h +++ b/crypto/heimdal/lib/krb5/krb5.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: krb5.h,v 1.164 2000/02/06 07:40:57 assar Exp $ */ +/* $Id: krb5.h,v 1.179 2000/12/15 17:11:12 joda Exp $ */ #ifndef __KRB5_H__ #define __KRB5_H__ @@ -68,24 +68,7 @@ typedef octet_string krb5_data; struct krb5_crypto_data; typedef struct krb5_crypto_data *krb5_crypto; -typedef enum krb5_cksumtype { - CKSUMTYPE_NONE = 0, - CKSUMTYPE_CRC32 = 1, - CKSUMTYPE_RSA_MD4 = 2, - CKSUMTYPE_RSA_MD4_DES = 3, - CKSUMTYPE_DES_MAC = 4, - CKSUMTYPE_DES_MAC_K = 5, - CKSUMTYPE_RSA_MD4_DES_K = 6, - CKSUMTYPE_RSA_MD5 = 7, - CKSUMTYPE_RSA_MD5_DES = 8, - CKSUMTYPE_RSA_MD5_DES3 = 9, -/* CKSUMTYPE_SHA1 = 10,*/ - CKSUMTYPE_HMAC_SHA1_DES3 = 12, - CKSUMTYPE_SHA1 = 1000, /* correct value? */ - CKSUMTYPE_HMAC_MD5 = -138, /* unofficial microsoft number */ - CKSUMTYPE_HMAC_MD5_ENC = -1138 /* even more unofficial */ -} krb5_cksumtype; - +typedef CKSUMTYPE krb5_cksumtype; typedef enum krb5_enctype { ETYPE_NULL = 0, @@ -101,17 +84,14 @@ typedef enum krb5_enctype { ETYPE_ARCFOUR_HMAC_MD5 = 23, ETYPE_ARCFOUR_HMAC_MD5_56 = 24, ETYPE_ENCTYPE_PK_CROSS = 48, - ETYPE_DES_CBC_NONE = 0x1000, - ETYPE_DES3_CBC_NONE = 0x1001 + ETYPE_DES_CBC_NONE = -0x1000, + ETYPE_DES3_CBC_NONE = -0x1001, + ETYPE_DES_CFB64_NONE = -0x1002, + ETYPE_DES_PCBC_NONE = -0x1003, + ETYPE_DES3_CBC_NONE_IVEC = -0x1004 } krb5_enctype; -typedef enum krb5_preauthtype { - KRB5_PADATA_NONE = 0, - KRB5_PADATA_AP_REQ, - KRB5_PADATA_TGS_REQ = 1, - KRB5_PADATA_ENC_TIMESTAMP = 2, - KRB5_PADATA_ENC_SECURID -} krb5_preauthtype; +typedef PADATA_TYPE krb5_preauthtype; typedef enum krb5_key_usage { KRB5_KU_PA_ENC_TIMESTAMP = 1, 
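Review bot: The local-only enctypes `ETYPE_DES_CBC_NONE` and `ETYPE_DES3_CBC_NONE` change numeric value from 0x1000/0x1001 to -0x1000/-0x1001 in this hunk, and three more negative ones are added, with no comment explaining the move. An enctype number that reaches a keytab, credential cache or the wire is interpreted by its value, so if the old 0x1000 values were ever persisted they are now unrecognized; a comment should say these are Heimdal-private and must never be serialized, and that negative numbers are presumably chosen to stay out of the protocol-assigned range, e.g. `/* Heimdal-local raw-cipher enctypes: negative numbers are never assigned by the protocol and must never be stored or sent */`. The same hunk replaces the in-header `krb5_cksumtype` and `krb5_preauthtype` enums with `typedef CKSUMTYPE` / `typedef PADATA_TYPE`, which means constants like `CKSUMTYPE_SHA1 = 1000 /* correct value? */` and the unofficial Microsoft `-138` now live in a generated header not shown here; a pointer to that header, and to whether the questionable SHA1 value survived, would help readers.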
@@ -165,14 +145,28 @@ typedef enum krb5_key_usage { KRB5_KU_OTHER_ENCRYPTED = 16, /* Data which is defined in some specification outside of Kerberos to be encrypted using an RFC1510 encryption type. */ - KRB5_KU_OTHER_CKSUM = 17 + KRB5_KU_OTHER_CKSUM = 17, /* Data which is defined in some specification outside of Kerberos to be checksummed using an RFC1510 checksum type. */ + KRB5_KU_KRB_ERROR = 18, + /* Krb-error checksum */ + KRB5_KU_AD_KDC_ISSUED = 19, + /* AD-KDCIssued checksum */ + KRB5_KU_MANDATORY_TICKET_EXTENSION = 20, + /* Checksum for Mandatory Ticket Extensions */ + KRB5_KU_AUTH_DATA_TICKET_EXTENSION = 21, + /* Checksum in Authorization Data in Ticket Extensions */ + KRB5_KU_USAGE_SEAL = 22, + /* seal in GSSAPI krb5 mechanism */ + KRB5_KU_USAGE_SIGN = 23, + /* sign in GSSAPI krb5 mechanism */ + KRB5_KU_USAGE_SEQ = 24 + /* SEQ in GSSAPI krb5 mechanism */ } krb5_key_usage; typedef enum krb5_salttype { - KRB5_PW_SALT = pa_pw_salt, - KRB5_AFS3_SALT = pa_afs3_salt + KRB5_PW_SALT = KRB5_PADATA_PW_SALT, + KRB5_AFS3_SALT = KRB5_PADATA_AFS3_SALT }krb5_salttype; typedef struct krb5_salt { @@ -221,7 +215,14 @@ typedef AP_REQ krb5_ap_req; struct krb5_cc_ops; -#define KRB5_DEFAULT_CCROOT "FILE:/tmp/krb5cc_" +#define KRB5_DEFAULT_CCFILE_ROOT "/tmp/krb5cc_" + +#define KRB5_DEFAULT_CCROOT "FILE:" KRB5_DEFAULT_CCFILE_ROOT + +#define KRB5_ACCEPT_NULL_ADDRESSES(C) \ + krb5_config_get_bool_default((C), NULL, TRUE, \ + "libdefaults", "accept_null_addresses", \ + NULL) typedef void *krb5_cc_cursor; @@ -373,18 +374,9 @@ typedef struct krb5_context_data { version */ int num_kt_types; /* # of registered keytab types */ struct krb5_keytab_data *kt_types; /* registered keytab types */ + const char *date_fmt; } krb5_context_data; -enum { - KRB5_NT_UNKNOWN = 0, - KRB5_NT_PRINCIPAL = 1, - KRB5_NT_SRV_INST = 2, - KRB5_NT_SRV_HST = 3, - KRB5_NT_SRV_XHST = 4, - KRB5_NT_UID = 5 -}; - - typedef struct krb5_ticket { EncTicketPart ticket; krb5_principal client; 
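Review bot: `KRB5_ACCEPT_NULL_ADDRESSES` defaults `libdefaults/accept_null_addresses` to `TRUE` (third argument of `krb5_config_get_bool_default`), so unless an administrator explicitly sets it to false, a ticket carrying no address list will pass whatever address check consults this macro; that is a security-relevant default the macro does not explain. Add a comment above it stating the default and the trade-off, e.g. `/* Default TRUE: tickets without an address list are accepted; set accept_null_addresses = false in [libdefaults] to reject them (presumably relaxed for NAT'ed/multihomed clients - confirm) */`, and cross-reference the KDC-side `allow-null-ticket-addresses` knob documented in the krb5.conf.5 hunk of this same import so readers see both ends. Which caller consults this macro is not visible here. `KRB5_DEFAULT_CCFILE_ROOT` keeps credential caches under `/tmp/krb5cc_`; that is only safe if the file-cache code creates them with O_EXCL and mode 0600, which is outside this hunk.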
@@ -397,7 +389,7 @@ typedef krb5_authenticator_data *krb5_authenticator; struct krb5_rcache_data; typedef struct krb5_rcache_data *krb5_rcache; -typedef Authenticator krb5_donot_reply; +typedef Authenticator krb5_donot_replay; #define KRB5_STORAGE_HOST_BYTEORDER 0x01 #define KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS 0x02 @@ -407,7 +399,7 @@ typedef Authenticator krb5_donot_reply; typedef struct krb5_storage { void *data; ssize_t (*fetch)(struct krb5_storage*, void*, size_t); - ssize_t (*store)(struct krb5_storage*, void*, size_t); + ssize_t (*store)(struct krb5_storage*, const void*, size_t); off_t (*seek)(struct krb5_storage*, off_t, int); void (*free)(struct krb5_storage*); krb5_flags flags; @@ -456,11 +448,27 @@ struct krb5_keytab_key_proc_args { typedef struct krb5_keytab_key_proc_args krb5_keytab_key_proc_args; +typedef struct krb5_replay_data { + krb5_timestamp timestamp; + u_int32_t usec; + u_int32_t seq; +} krb5_replay_data; + +/* flags for krb5_auth_con_setflags */ enum { KRB5_AUTH_CONTEXT_DO_TIME = 1, KRB5_AUTH_CONTEXT_RET_TIME = 2, KRB5_AUTH_CONTEXT_DO_SEQUENCE = 4, - KRB5_AUTH_CONTEXT_RET_SEQUENCE = 8 + KRB5_AUTH_CONTEXT_RET_SEQUENCE = 8, + KRB5_AUTH_CONTEXT_PERMIT_ALL = 16 +}; + +/* flags for krb5_auth_con_genaddrs */ +enum { + KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR = 1, + KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR = 3, + KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR = 4, + KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR = 12 }; typedef struct krb5_auth_context_data { @@ -474,8 +482,8 @@ typedef struct krb5_auth_context_data { krb5_keyblock *local_subkey; krb5_keyblock *remote_subkey; - int32_t local_seqnumber; - int32_t remote_seqnumber; + u_int32_t local_seqnumber; + u_int32_t remote_seqnumber; krb5_authenticator authenticator; 
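Review bot: `KRB5_AUTH_CONTEXT_PERMIT_ALL = 16` is added to the auth-context flags with no comment, and the new krb5_auth_context.3 page in this import comments it out of the documented list, so a caller has no way to learn what it relaxes; a flag whose name suggests it disables checks should say so at the definition, e.g. `/* PERMIT_ALL: skip the timestamp/sequence checks implied by DO_TIME/DO_SEQUENCE - for testing only, never on a production acceptor */` if that is what the implementation does (the header alone does not show it). In the `krb5_auth_con_genaddrs` enum the composite values `..._LOCAL_FULL_ADDR = 3` and `..._REMOTE_FULL_ADDR = 12` imply unnamed bits 2 and 8, presumably the port components; naming them (`..._LOCAL_PORT = 2`, `..._REMOTE_PORT = 8`) and defining the FULL values as ORs would document the layout. The following hunk's change of `local_seqnumber`/`remote_seqnumber` from `int32_t` to `u_int32_t` is sensible for a wrapping counter but silently changes the signedness of a public struct member and deserves a one-line note.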
@@ -494,7 +502,7 @@ typedef struct { KRB_ERROR error; } krb5_kdc_rep; -extern char *heimdal_version, *heimdal_long_version; +extern const char *heimdal_version, *heimdal_long_version; typedef void (*krb5_log_log_func_t)(const char*, const char*, void*); typedef void (*krb5_log_close_func_t)(void*); @@ -549,6 +557,7 @@ typedef struct _krb5_get_init_creds_opt { krb5_deltat renew_life; int forwardable; int proxiable; + int anonymous; krb5_enctype *etype_list; int etype_list_length; krb5_addresses *address_list; @@ -570,6 +579,7 @@ typedef struct _krb5_get_init_creds_opt { #define KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST 0x0020 #define KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST 0x0040 #define KRB5_GET_INIT_CREDS_OPT_SALT 0x0080 +#define KRB5_GET_INIT_CREDS_OPT_ANONYMOUS 0x0100 typedef struct _krb5_verify_init_creds_opt { krb5_flags flags; @@ -584,6 +594,7 @@ extern const krb5_cc_ops krb5_mcc_ops; extern const krb5_kt_ops krb5_fkt_ops; extern const krb5_kt_ops krb5_mkt_ops; extern const krb5_kt_ops krb5_akf_ops; +extern const krb5_kt_ops krb4_fkt_ops; #define KRB5_KPASSWD_SUCCESS 0 #define KRB5_KPASSWD_MALFORMED 0 diff --git a/crypto/heimdal/lib/krb5/krb5_425_conv_principal.3 b/crypto/heimdal/lib/krb5/krb5_425_conv_principal.3 index 231c3ff..ff90c64 100644 --- a/crypto/heimdal/lib/krb5/krb5_425_conv_principal.3 +++ b/crypto/heimdal/lib/krb5/krb5_425_conv_principal.3 @@ -1,5 +1,5 @@ .\" Copyright (c) 1997 Kungliga Tekniska Högskolan -.\" $Id: krb5_425_conv_principal.3,v 1.3 1999/04/11 01:47:22 joda Exp $ +.\" $Id: krb5_425_conv_principal.3,v 1.4 2001/01/26 22:43:21 assar Exp $ .Dd April 11, 1999 .Dt KRB5_425_CONV_PRINCIPAL 3 .Os HEIMDAL 
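Review bot: `int anonymous` is inserted into `struct _krb5_get_init_creds_opt` between `proxiable` and `etype_list` rather than appended, which shifts the offset of every following member (`etype_list`, `etype_list_length`, `address_list`, ...); if callers allocate this struct themselves, as the value typedef suggests, any binary built against the previous header will hand a misaligned options block to the new library. If ABI stability across 0.3 releases is intended the member should go at the end, otherwise the header should state that the layout is not stable, e.g. `/* layout not ABI-stable: always initialise with krb5_get_init_creds_opt_init() and rebuild against the current header */`. The matching `KRB5_GET_INIT_CREDS_OPT_ANONYMOUS 0x0100` flag is consistent with the existing bit assignments.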
@@ -8,21 +8,15 @@ .Nm krb5_425_conv_principal_ext , .Nm krb5_524_conv_principal .Nd Converts to and from version 4 principals - .Sh SYNOPSIS .Fd #include - .Ft krb5_error_code .Fn krb5_425_conv_principal "krb5_context context" "const char *name" "const char *instance" "const char *realm" "krb5_principal *principal" - .Ft krb5_error_code .Fn krb5_425_conv_principal_ext "krb5_context context" "const char *name" "const char *instance" "const char *realm" "krb5_boolean (*func)(krb5_context, krb5_principal)" "krb5_boolean resolve" "krb5_principal *principal" - .Ft krb5_error_code .Fn krb5_524_conv_principal "krb5_context context" "const krb5_principal principal" "char *name" "char *instance" "char *realm" - .Sh DESCRIPTION - Converting between version 4 and version 5 principals can at best be described as a mess. .Pp @@ -124,9 +118,7 @@ instances found to belong to a host principal. The and .Fa realm should be at least 40 characters long. - .Sh EXAMPLES - Since this is confusing an example is in place. .Pp Assume that we have the @@ -188,7 +180,6 @@ the second example will result in .Dq ftp/b-host.foo.com (because of the default domain). And all of this is of course only valid if you have working name resolving. - .Sh SEE ALSO .Xr krb5_build_principal 3 , .Xr krb5_free_principal 3 , diff --git a/crypto/heimdal/lib/krb5/krb5_appdefault.3 b/crypto/heimdal/lib/krb5/krb5_appdefault.3 new file mode 100644 index 0000000..3ce6fc9 --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_appdefault.3 
@@ -0,0 +1,57 @@ +.\" Copyright (c) 2000 Kungliga Tekniska Högskolan +.\" $Id: krb5_appdefault.3,v 1.3 2001/01/05 16:29:42 joda Exp $ +.Dd July 25, 2000 +.Dt KRB5_APPDEFAULT 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_appdefault_boolean , +.Nm krb5_appdefault_string , +.Nm krb5_appdefault_time +.Nd Get application configuration value + +.Sh SYNOPSIS +.Fd #include + +.Ft void +.Fn krb5_appdefault_boolean "krb5_context context" "const char *appname" "krb5_realm realm" "const char *option" "krb5_boolean def_val" "krb5_boolean *ret_val" +.Ft void +.Fn krb5_appdefault_string "krb5_context context" "const char *appname" "krb5_realm realm" "const char *option" "const char *def_val" "char **ret_val" +.Ft void +.Fn krb5_appdefault_time "krb5_context context" "const char *appname" "krb5_realm realm" "const char *option" "time_t def_val" "time_t *ret_val" + +.Sh DESCRIPTION + +These functions get application application defaults from the +.Dv appdefaults +section of the +.Xr krb5.conf 5 +configuration file. These defaults can be specified per application, +and/or per realm. + +These values will be looked for in +.Xr krb5.conf 5 , +in order of descending importance. +.Bd -literal -offset indent +[appdefaults] + appname = { + realm = { + option = value + } + } + appname = { + option = value + } + realm = { + option = value + } + option = value +.Ed + +If the realm is omitted it will not be used for resolving values. If +no value can be found, +.Fa def_val +is returned instead. + +.Sh SEE ALSO +.Xr krb5_config 3 , +.Xr krb5.conf 5 diff --git a/crypto/heimdal/lib/krb5/krb5_auth_context.3 b/crypto/heimdal/lib/krb5/krb5_auth_context.3 new file mode 100644 index 0000000..42a96ec --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_auth_context.3 
@@ -0,0 +1,284 @@ +.\" Copyright (c) 2001 Kungliga Tekniska Högskolan +.\" $Id: krb5_auth_context.3,v 1.1 2001/01/28 19:47:33 assar Exp $ +.Dd Jan 21, 2001 +.Dt KRB5_AUTH_CONTEXT 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_auth_context , +.Nm krb5_auth_con_init , +.Nm krb5_auth_con_free , +.Nm krb5_auth_con_setflags , +.Nm krb5_auth_con_getflags , +.Nm krb5_auth_con_setaddrs , +.Nm krb5_auth_con_setaddrs_from_fd , +.Nm krb5_auth_con_getaddrs , +.Nm krb5_auth_con_genaddrs , +.Nm krb5_auth_con_getkey , +.Nm krb5_auth_con_setkey , +.Nm krb5_auth_con_getuserkey , +.Nm krb5_auth_con_setuserkey , +.Nm krb5_auth_con_getlocalsubkey , +.Nm krb5_auth_con_setlocalsubkey , +.Nm krb5_auth_con_getremotesubkey , +.Nm krb5_auth_con_setremotesubkey , +.Nm krb5_auth_setcksumtype , +.Nm krb5_auth_getcksumtype , +.Nm krb5_auth_setkeytype , +.Nm krb5_auth_getkeytype , +.Nm krb5_auth_getlocalseqnumber , +.Nm krb5_auth_setlocalseqnumber , +.Nm krb5_auth_getremoteseqnumber , +.Nm krb5_auth_setremoteseqnumber , +.Nm krb5_auth_getauthenticator , +.Nm krb5_auth_con_getrcache , +.Nm krb5_auth_con_setrcache , +.Nm krb5_auth_con_initivector , +.Nm krb5_auth_con_setivector +.Nd manage authetication on connection level. 
+.Sh SYNOPSIS +.Fd #include +.Ft krb5_error_code +.Fo krb5_auth_con_init +.Fa "krb5_context context" +.Fa "krb5_auth_context *auth_context" +.Fc +.Ft void +.Fo krb5_auth_con_free +.Fa "krb5_context context" +.Fa "krb5_auth_context auth_context" +.Fc +.Ft krb5_error_code +.Fo krb5_auth_con_setflags +.Fa "krb5_context context" +.Fa "krb5_auth_context auth_context" +.Fa "int32_t flags" +.Fc +.Ft krb5_error_code +.Fo krb5_auth_con_getflags +.Fa "krb5_context context" +.Fa "krb5_auth_context auth_context" +.Fa "int32_t *flags" +.Fc +.Ft krb5_error_code +.Fo krb5_auth_con_setaddrs +.Fa "krb5_context context" +.Fa "krb5_auth_context auth_context" +.Fa "krb5_address *local_addr" +.Fa "krb5_address *remote_addr" +.Fc +.Ft krb5_error_code +.Fo krb5_auth_con_getaddrs +.Fa "krb5_context context" +.Fa "krb5_auth_context auth_context" +.Fa "krb5_address **local_addr" +.Fa "krb5_address **remote_addr" +.Fc +.Ft krb5_error_code +.Fo krb5_auth_con_genaddrs +.Fa "krb5_context context" +.Fa "krb5_auth_context auth_context" +.Fa "int fd" +.Fa "int flags" +.Fc +.Ft krb5_error_code +.Fo krb5_auth_con_setaddrs_from_fd +.Fa "krb5_context context" +.Fa "krb5_auth_context auth_context" +.Fa "void *p_fd" +.Fc +.Ft krb5_error_code +.Fo krb5_auth_con_getkey +.Fa "krb5_context context" +.Fa "krb5_auth_context auth_context" +.Fa "krb5_keyblock **keyblock" +.Fc +.Ft krb5_error_code +.Fo krb5_auth_con_getlocalsubkey +.Fa "krb5_context context" +.Fa "krb5_auth_context auth_context" +.Fa "krb5_keyblock **keyblock" +.Fc +.Ft krb5_error_code +.Fo krb5_auth_con_getremotesubkey +.Fa "krb5_context context" +.Fa "krb5_auth_context auth_context" +.Fa "krb5_keyblock **keyblock" +.Fc +.Ft krb5_error_code +.Fo krb5_auth_con_initivector +.Fa "krb5_context context" +.Fa "krb5_auth_context auth_context" +.Fc +.Ft krb5_error_code +.Fo krb5_auth_con_setivector +.Fa "krb5_context context" +.Fa "krb5_auth_context *auth_context" +.Fa "krb5_pointer ivector" +.Fc +.Sh DESCRIPTION +The +.Nm krb5_auth_context +structure 
holds all context related to an authenticated connection, in +a similar way to +.Nm krb5_context +that holds the context for the thread or process. +.Nm krb5_auth_context +is used by various functions that are directly related to +authentication between the server/client. Example of data that this +structure contains are varius flags, addresses of client and server, +port numbers, keyblocks (and subkeys), sequence numbers, replay cache, +and checksum-type. +.Pp +.Fn krb5_auth_con_init +allocates and initilizes the +.Nm krb5_auth_context +structure. Default values can be changed with +.Fn krb5_auth_con_setcksumtype +and +.Fn krb5_auth_con_setflags . +The +.Nm auth_context +structure must be freed by +.Fn krb5_auth_con_free . +.Pp +.Fn krb5_auth_con_getflags +and +.Fn krb5_auth_con_setflags +gets and modifies the flags for a +.Nm krb5_auth_context +structure. Possible flags to set are: +.Bl -tag -width Ds +.It Dv KRB5_AUTH_CONTEXT_DO_TIME +check timestamp on incoming packets. +.\".It Dv KRB5_AUTH_CONTEXT_RET_TIME +.It Dv KRB5_AUTH_CONTEXT_DO_SEQUENCE +Generate and check sequence-number on each packet. +.\".It Dv KRB5_AUTH_CONTEXT_RET_SEQUENCE +.\".It Dv KRB5_AUTH_CONTEXT_PERMIT_ALL +.El +.Pp +.Fn krb5_auth_con_setaddrs , +.Fn krb5_auth_con_setaddrs_from_fd +and +.Fn krb5_auth_con_getaddrs +gets and sets the addresses that are checked when a packet is received. +It is mandatory to set an address for the remote +host. If the local address is not set, it iss deduced from the underlaying +operating system. +.Fn krb5_auth_con_getaddrs +will call +.Fn krb5_free_address +on any address that is passed in +.Fa local_addr +or +.Fa remote_addr . +.Fn krb5_auth_con_setaddr +allows passing in a +.Dv NULL +pointer as +.Fa local_addr +and +.Fa remote_addr , +in that case it will just not set that address. +.Pp +.Fn krb5_auth_con_setaddrs_from_fd +fetches the addresses from a file descriptor. 
+.Pp +.Fn krb5_auth_con_genaddrs +fetches the address information from the given file descriptor +.Fa fd +depending on the bitmap argument +.Fa flags . +.Pp +Possible values on +.Fa flags +are: +.Bl -tag -width Ds +.It Va KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR +fetches the local address from +.Fa fd . +.It Va KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR +fetches the remote address from +.Fa fd . +.El +.Pp +.Fn krb5_auth_con_setkey , +.Fn krb5_auth_con_setuserkey +and +.Fn krb5_auth_con_getkey +gets and sets the key used for this auth context. The keyblock returned by +.Fn krb5_auth_con_getkey +should be freed with +.Fn krb5_free_keyblock . +The keyblock send into +.Fn krb5_auth_con_setkey +is copied into the +.Nm krb5_auth_context , +and thus no special handling is needed. +.Dv NULL +is not a valid keyblock to +.Fn krb5_auth_con_setkey . +.Pp +.Fn krb5_auth_con_setuserkey +is only useful when doing user to user authentication. +.Fn krb5_auth_con_setkey +is equivalent to +.Fn krb5_auth_con_setuserkey . +.Pp +.Fn krb5_auth_con_getlocalsubkey , +.Fn krb5_auth_con_setlocalsubkey , +.Fn krb5_auth_con_getremotesubkey +and +.Fn krb5_auth_con_setremotesubkey +gets and sets the keyblock for the local and remote subkey. The keyblock returned by +.Fn krb5_auth_con_getlocalsubkey +and +.Fn krb5_auth_con_getremotesubkey +must be freed with +.Fn krb5_free_keyblock . +.Pp +.Fn krb5_auth_setcksumtype +and +.Fn krb5_auth_getcksumtype +sets and gets the checksum type that should be used for this +connection. +.Pp +.Fn krb5_auth_getremoteseqnumber +.Fn krb5_auth_setremoteseqnumber , +.Fn krb5_auth_getlocalseqnumber +and +.Fn krb5_auth_setlocalseqnumber +gets and sets the sequence-number for the local and remote +sequence-number counter. +.Pp +.Fn krb5_auth_setkeytype +and +.Fn krb5_auth_getkeytype +gets and gets the keytype of the keyblock in +.Nm krb5_auth_context . +.Pp +.Fn krb5_auth_getauthenticator +Retrieves the authenticator that was used during mutual +authentication. 
The +.Dv authenticator +returned should be freed by calling +.Fn krb5_free_authenticator . +.Pp +.Fn krb5_auth_con_getrcache +and +.Fn krb5_auth_con_setrcache +gets and sets the replay-cache. +.Pp +.Fn krb5_auth_con_initivector +allocates memory for and zeros the initial vector in the +.Fa auth_context +keyblock. +.Pp +.Fn krb5_auth_con_setivector +sets the i_vector portion of +.Fa auth_context +to +.Fa ivector . +.Sh SEE ALSO +.Xr krb5_context 3 , +.Xr kerberos 8 diff --git a/crypto/heimdal/lib/krb5/krb5_build_principal.3 b/crypto/heimdal/lib/krb5/krb5_build_principal.3 index 16ccf72..db703a4 100644 --- a/crypto/heimdal/lib/krb5/krb5_build_principal.3 +++ b/crypto/heimdal/lib/krb5/krb5_build_principal.3 @@ -1,5 +1,5 @@ .\" Copyright (c) 1997 Kungliga Tekniska Högskolan -.\" $Id: krb5_build_principal.3,v 1.1 1997/08/14 00:03:16 joda Exp $ +.\" $Id: krb5_build_principal.3,v 1.2 2001/01/26 22:43:21 assar Exp $ .Dd August 8, 1997 .Dt KRB5_BUILD_PRINCIPAL 3 .Os HEIMDAL 
@@ -10,28 +10,19 @@ .Nm krb5_build_principal_va_ext , .Nm krb5_make_principal .Nd Principal creation functions - .Sh SYNOPSIS .Fd #include - .Ft krb5_error_code .Fn krb5_build_principal "krb5_context context" "krb5_principal *principal" "int realm_len" "krb5_const_realm realm" "..." - .Ft krb5_error_code .Fn krb5_build_principal_ext "krb5_context context" "krb5_principal *principal" "int realm_len" "krb5_const_realm realm" "..." - .Ft krb5_error_code .Fn krb5_build_principal_va "krb5_context context" "krb5_principal *principal" "int realm_len" "krb5_const_realm realm" "va_list ap" - .Ft krb5_error_code .Fn krb5_build_principal_va_ext "krb5_context context" "krb5_principal *principal" "int realm_len" "krb5_const_realm realm" "va_list ap" - .Ft krb5_error_code .Fn krb5_make_principal "krb5_context context" "krb5_principal *principal" "krb5_const_realm realm" "..." - - .Sh DESCRIPTION - These functions create a Kerberos 5 principal from a realm and a list of components. All of these functions return an allocated principal in the @@ -65,7 +56,6 @@ is a wrapper around If the realm is .Dv NULL , the default realm will be used. - .Sh BUGS You can not have a NUL in a component. Until someone can give a good example of where it would be a good idea to have NUL's in a component, diff --git a/crypto/heimdal/lib/krb5/krb5_config.3 b/crypto/heimdal/lib/krb5/krb5_config.3 new file mode 100644 index 0000000..b5a74db --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_config.3 
@@ -0,0 +1,71 @@ +.\" Copyright (c) 2000 Kungliga Tekniska Högskolan +.\" $Id: krb5_config.3,v 1.1 2000/07/25 10:22:46 joda Exp $ +.Dd July 25, 2000 +.Dt KRB5_CONFIG 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_config_get_bool_default , +.Nm krb5_config_get_int_default , +.Nm krb5_config_get_string_default , +.Nm krb5_config_get_time_default +.Nd Get configuration value + +.Sh SYNOPSIS +.Fd #include + +.Ft krb5_boolean +.Fn krb5_config_get_bool_default "krb5_context context" "krb5_config_section *c" "krb5_boolean def_value" "..." +.Ft int +.Fn krb5_config_get_int_default "krb5_context context" "krb5_config_section *c" "int def_value" "..." +.Ft const char* +.Fn krb5_config_get_string_default "krb5_context context" "krb5_config_section *c" "const char *def_value" "..." +.Ft int +.Fn krb5_config_get_time_default "krb5_context context" "krb5_config_section *c" "int def_value" "..." + +.Sh DESCRIPTION + +These functions get values from the +.Xr krb5.conf 5 +configuration file, or another configuration database specified by the +.Fa c +parameter. + +The variable arguments should be a list of strings naming each +subsection to look for. For example: + +.Bd -literal -offset indent +krb5_config_get_bool_default(context, NULL, FALSE, "libdefaults", "log_utc", NULL) +.Ed + +gets the boolean value for the +.Dv log_utc +option, defaulting to +.Dv FALSE . + +.Fn krb5_config_get_bool_default +will convert the option value to a boolean value, where +.Sq yes , +.Sq true , +and any non-zero number means +.Dv TRUE , +and any other value +.Dv FALSE . + +.Fn krb5_config_get_int_default +will convert the value to an integer. + +.Fn krb5_config_get_time_default +will convert the value to a period of time (not a time stamp) in +seconds, so the string +.Sq 2 weeks +will be converted to +1209600 (2 * 7 * 24 * 60 * 60). + +.Sh BUGS + +Other than for the string case, there's no way to tell whether there +was a value specified or not. + +.Sh SEE ALSO +.Xr krb5_appdefault 3 , +.Xr krb5.conf 5 
diff --git a/crypto/heimdal/lib/krb5/krb5_context.3 b/crypto/heimdal/lib/krb5/krb5_context.3 new file mode 100644 index 0000000..83a768d --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_context.3 @@ -0,0 +1,20 @@ +.\" Copyright (c) 2001 Kungliga Tekniska Högskolan +.\" $Id: krb5_context.3,v 1.1 2001/01/28 21:39:29 assar Exp $ +.Dd Jan 21, 2001 +.Dt KRB5_CONTEXT 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_context +.Sh DESCRIPTION +The +.Nm +structure is designed to hold all per thread state. All global +variables that are context specific are stored in this struture, +including default encryption types, credential-cache (ticket file), and +default realms. +.Pp +The internals of the structure should never be accessed directly, +functions exist for extracting information. +.Sh SEE ALSO +.Xr krb5_init_context 3 , +.Xr kerberos 8 diff --git a/crypto/heimdal/lib/krb5/krb5_create_checksum.3 b/crypto/heimdal/lib/krb5/krb5_create_checksum.3 index e2362a9..9472ed6 100644 --- a/crypto/heimdal/lib/krb5/krb5_create_checksum.3 +++ b/crypto/heimdal/lib/krb5/krb5_create_checksum.3 @@ -1,5 +1,5 @@ .\" Copyright (c) 1999 Kungliga Tekniska Högskolan -.\" $Id: krb5_create_checksum.3,v 1.1 1999/04/18 13:47:11 joda Exp $ +.\" $Id: krb5_create_checksum.3,v 1.2 2001/01/26 22:43:21 assar Exp $ .Dd April 7, 1999 .Dt NAME 3 .Os HEIMDAL 
@@ -12,19 +12,14 @@ .Nd creates and verifies checksums .Sh SYNOPSIS .Fd #include - .Ft krb5_error_code .Fn krb5_create_checksum "krb5_context context" "krb5_crypto crypto" "unsigned usage_or_type" "void *data" "size_t len" "Checksum *result" - .Ft krb5_error_code .Fn krb5_verify_checksum "krb5_context context" "krb5_crypto crypto" "krb5_key_usage usage" "void *data" "size_t len" "Checksum *cksum" - .Ft krb5_boolean .Fn krb5_checksum_is_collision_proof "krb5_context context" "krb5_cksumtype type" - .Ft krb5_boolean .Fn krb5_checksum_is_keyed "krb5_context context" "krb5_cksumtype type" - .Sh DESCRIPTION These functions are used to create and verify checksums. .Fn krb5_create_checksum @@ -60,7 +55,6 @@ value is a function of both the data, and a separate key). Examples of keyed hash algorithms are HMAC-SHA1-DES3, and RSA-MD5-DES. The .Dq plain hash functions MD5, and SHA1 are not keyed. - .\" .Sh EXAMPLE .\" .Sh BUGS .Sh SEE ALSO diff --git a/crypto/heimdal/lib/krb5/krb5_crypto_init.3 b/crypto/heimdal/lib/krb5/krb5_crypto_init.3 index 29db8c1..7d46567 100644 --- a/crypto/heimdal/lib/krb5/krb5_crypto_init.3 +++ b/crypto/heimdal/lib/krb5/krb5_crypto_init.3 @@ -1,5 +1,5 @@ .\" Copyright (c) 1999 Kungliga Tekniska Högskolan -.\" $Id: krb5_crypto_init.3,v 1.1 1999/04/18 13:47:21 joda Exp $ +.\" $Id: krb5_crypto_init.3,v 1.2 2001/01/26 22:43:22 assar Exp $ .Dd April 7, 1999 .Dt NAME 3 .Os HEIMDAL @@ -9,13 +9,10 @@ .Nd initialize encryption context .Sh SYNOPSIS .Fd #include - .Ft krb5_error_code .Fn krb5_crypto_init "krb5_context context" "krb5_keyblock *key" "krb5_enctype enctype" "krb5_crypto *crypto" - .Ft krb5_error_code .Fn krb5_crypto_destroy "krb5_context context" "krb5_crypto crypto" - .Sh DESCRIPTION These functions are used to initialize an encryption context that can be used to encrypt or checksum data. @@ -33,7 +30,6 @@ with the .Pp .Fn krb5_crypto_destroy frees a previously allocated encrypion context. - .\" .Sh EXAMPLE .\" .Sh BUGS .Sh SEE ALSO 
diff --git a/crypto/heimdal/lib/krb5/krb5_encrypt.3 b/crypto/heimdal/lib/krb5/krb5_encrypt.3 index d8cc89e..291e503 100644 --- a/crypto/heimdal/lib/krb5/krb5_encrypt.3 +++ b/crypto/heimdal/lib/krb5/krb5_encrypt.3 @@ -1,5 +1,5 @@ .\" Copyright (c) 1999 Kungliga Tekniska Högskolan -.\" $Id: krb5_encrypt.3,v 1.1 1999/04/18 13:47:30 joda Exp $ +.\" $Id: krb5_encrypt.3,v 1.2 2001/01/26 22:43:22 assar Exp $ .Dd April 7, 1999 .Dt KRB5_ENCRYPT 3 .Os HEIMDAL @@ -11,19 +11,14 @@ .Nd encrypt and decrypt data .Sh SYNOPSIS .Fd #include - .Ft krb5_error_code .Fn krb5_encrypt "krb5_context context" "krb5_crypto crypto" "unsigned usage" "void *data" "size_t len" "krb5_data *result" - .Ft krb5_error_code .Fn krb5_encrypt_EncryptedData "krb5_context context" "krb5_crypto crypto" "unsigned usage" "void *data" "size_t len" "int kvno" "EncryptedData *result" - .Ft krb5_error_code .Fn krb5_decrypt "krb5_context context" "krb5_crypto crypto" "unsigned usage" "void *data" "size_t len" "krb5_data *result" - .Ft krb5_error_code .Fn krb5_decrypt_EncryptedData "krb5_context context" "krb5_crypto crypto" "unsigned usage" "EncryptedData *e" "krb5_data *result" - .Sh DESCRIPTION These functions are used to encrypt and decrypt data. .Pp @@ -52,7 +47,6 @@ is not zero, it will be put in the and .Fn krb5_decrypt_EncryptedData works similarly. - .\" .Sh EXAMPLE .\" .Sh BUGS .Sh SEE ALSO diff --git a/crypto/heimdal/lib/krb5/krb5_err.et b/crypto/heimdal/lib/krb5/krb5_err.et index 895ae66..3427923 100644 --- a/crypto/heimdal/lib/krb5/krb5_err.et +++ b/crypto/heimdal/lib/krb5/krb5_err.et @@ -3,7 +3,7 @@ # # This might look like a com_err file, but is not # -id "$Id: krb5_err.et,v 1.8 2000/02/07 12:54:17 joda Exp $" +id "$Id: krb5_err.et,v 1.9 2000/04/06 00:41:37 assar Exp $" error_table krb5 
@@ -68,10 +68,30 @@ index 60 error_code GENERIC, "Generic error (see e-text)" error_code FIELD_TOOLONG, "Field is too long for this implementation" -# 62-127 are reserved +# pkinit +index 62 +prefix KDC_ERROR +error_code CLIENT_NOT_TRUSTED, "Client not trusted" +error_code KDC_NOT_TRUSTED, "KDC not trusted" +error_code INVALID_SIG, "Invalid signature" +error_code KEY_TOO_WEAK, "Key too weak" +error_code CERTIFICATE_MISMATCH, "Certificate mismatch" +prefix KRB5_AP_ERR +error_code USER_TO_USER_REQUIRED, "User to user required" +prefix KDC_ERROR +error_code CANT_VERIFY_CERTIFICATE, "Cannot verify certificate" +error_code INVALID_CERTIFICATE, "Invalid certificate" +error_code REVOKED_CERTIFICATE, "Revoked certificate" +error_code REVOCATION_STATUS_UNKNOWN, "Revocation status unknown" +error_code REVOCATION_STATUS_UNAVAILABLE,"Revocation status unavailable" +error_code CLIENT_NAME_MISMATCH, "Client name mismatch" +error_code KDC_NAME_MISMATCH, "KDC name mismatch" + +# 77-127 are reserved + index 128 prefix -error_code KRB5_ERR_RCSID, "$Id: krb5_err.et,v 1.8 2000/02/07 12:54:17 joda Exp $" +error_code KRB5_ERR_RCSID, "$Id: krb5_err.et,v 1.9 2000/04/06 00:41:37 assar Exp $" error_code KRB5_LIBOS_BADLOCKFLAG, "Invalid flag for file lock mode" error_code KRB5_LIBOS_CANTREADPWD, "Cannot read password" diff --git a/crypto/heimdal/lib/krb5/krb5_free_principal.3 b/crypto/heimdal/lib/krb5/krb5_free_principal.3 index ba5888a..1f318cc 100644 --- a/crypto/heimdal/lib/krb5/krb5_free_principal.3 +++ b/crypto/heimdal/lib/krb5/krb5_free_principal.3 
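Review bot: The reserved-range comment does not match the codes this hunk adds: starting at `index 62`, the thirteen `error_code` lines run 62–74 if the table numbers them sequentially, yet the trailing comment says `# 77-127 are reserved`, implying 75 and 76 are also in use. These values are the numeric KRB-ERROR codes carried on the wire, so a gap or an off-by-two against the pkinit draft's assignments is an interoperability defect rather than a cosmetic one. Either add the two missing entries (or explicit `index` lines) so the numbering reaches 76, or correct the comment to `# 75-127 are reserved`. I cannot see how the .et grammar assigns implicit numbers from here, so confirm against the generated header.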
@@ -1,27 +1,22 @@ .\" Copyright (c) 1997 Kungliga Tekniska Högskolan -.\" $Id: krb5_free_principal.3,v 1.1 1997/08/14 00:03:17 joda Exp $ +.\" $Id: krb5_free_principal.3,v 1.2 2001/01/26 22:43:22 assar Exp $ .Dd August 8, 1997 .Dt KRB5_FREE_PRINCIPAL 3 .Os HEIMDAL .Sh NAME .Nm krb5_free_principal .Nd Principal free function - .Sh SYNOPSIS .Fd #include - .Ft void .Fn krb5_free_principal "krb5_context context" "krb5_principal principal" - .Sh DESCRIPTION - The .Fn krb5_free_principal will free a principal that has been created with .Fn krb5_build_principal , .Fn krb5_parse_name , or with some other function. - .Sh SEE ALSO .Xr krb5_425_conv_principal 3 , .Xr krb5_build_principal 3 , diff --git a/crypto/heimdal/lib/krb5/krb5_init_context.3 b/crypto/heimdal/lib/krb5/krb5_init_context.3 new file mode 100644 index 0000000..7e27ec2 --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_init_context.3 @@ -0,0 +1,38 @@ +.\" Copyright (c) 2001 Kungliga Tekniska Högskolan +.\" $Id: krb5_init_context.3,v 1.1 2001/01/28 21:39:29 assar Exp $ +.Dd Jan 21, 2001 +.Dt KRB5_CONTEXT 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_init_context , +.Nm krb5_free_context +.Sh SYNOPSIS +.Fd #include +.Ft krb5_error_code +.Fn krb5_init_context "krb5_context *context" +.Ft void +.Fn krb5_free_context "krb5_context *context" +.Sh DESCRIPTION +The +.Fn krb5_init_context +function initializes the +.Fa context +structure and reads the configration file +.Pa /etc/krb5.conf . +.Pp +The structure should be freed by calling +.Fn krb5_free_context +when it is no longer being used. +.Sh RETURN VALUES +.Fn krb5_init_context +returns 0 to indicate success. +Otherwise an errno code is returned. +Failure means either that something bad happened during initialization +(typically +.Bq ENOMEM ) +or that Kerberos should not be used +.Bq ENXIO . +.Sh SEE ALSO +.Xr krb5_context 3 , +.Xr errno 2 , +.Xr kerberos 8 diff --git a/crypto/heimdal/lib/krb5/krb5_locl.h b/crypto/heimdal/lib/krb5/krb5_locl.h index b7093b1..7ea9038 100644 
--- a/crypto/heimdal/lib/krb5/krb5_locl.h +++ b/crypto/heimdal/lib/krb5/krb5_locl.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: krb5_locl.h,v 1.63 1999/12/02 17:05:11 joda Exp $ */ +/* $Id: krb5_locl.h,v 1.64 2001/01/29 02:09:00 assar Exp $ */ #ifndef __KRB5_LOCL_H__ #define __KRB5_LOCL_H__ @@ -109,11 +109,31 @@ struct sockaddr_dl; #include #include +#ifdef HAVE_OPENSSL_DES_H +#include +#else #include +#endif +#ifdef HAVE_OPENSSL_MD4_H +#include +#else #include +#endif +#ifdef HAVE_OPENSSL_MD5_H +#include +#else #include +#endif +#ifdef HAVE_OPENSSL_SHA_H +#include +#else #include +#endif +#ifdef HAVE_OPENSSL_RC4_H +#include +#else #include +#endif #include #include diff --git a/crypto/heimdal/lib/krb5/krb5_openlog.3 b/crypto/heimdal/lib/krb5/krb5_openlog.3 index 87040ba..5576475 100644 --- a/crypto/heimdal/lib/krb5/krb5_openlog.3 +++ b/crypto/heimdal/lib/krb5/krb5_openlog.3 @@ -1,5 +1,5 @@ .\" Copyright (c) 1997 Kungliga Tekniska Högskolan -.\" $Id: krb5_openlog.3,v 1.4 1999/04/07 14:06:32 joda Exp $ +.\" $Id: krb5_openlog.3,v 1.5 2001/01/26 22:43:22 assar Exp $ .Dd August 6, 1997 .Dt KRB5_OPENLOG 3 .Os HEIMDAL 
@@ -16,40 +16,28 @@ .Nd Heimdal logging functions .Sh SYNOPSIS .Fd #include - -.\" ouch! -.ds xx \\*(fP\fR(\fP\\*(lI*\\*(fP -.ds xy \fR)\|\fP -.Fn "\\*(lItypedef void \\*(xxkrb5_log_log_func_t\\*(xy" "const char *time" "const char *message" "void *data" -.Fn "\\*(lItypedef void \\*(xxkrb5_log_close_func_t\\*(xy" "void *data" - +.Ft "typedef void" +.Fn "\*(lp*krb5_log_log_func_t\*(rp" "const char *time" "const char *message" "void *data" +.Ft "typedef void" +.Fn "\*(lp*krb5_log_close_func_t\*(rp" "void *data" .Ft krb5_error_code .Fn krb5_addlog_dest "krb5_context context" "krb5_log_facility *facility" "const char *destination" - .Ft krb5_error_code .Fn krb5_addlog_func "krb5_context context" "krb5_log_facility *facility" "int min" "int max" "krb5_log_log_func_t log" "krb5_log_close_func_t close" "void *data" - .Ft krb5_error_code .Fn krb5_closelog "krb5_context context" "krb5_log_facility *facility" - .Ft krb5_error_code .Fn krb5_initlog "krb5_context context" "const char *program" "krb5_log_facility **facility" - .Ft krb5_error_code .Fn krb5_log "krb5_context context" "krb5_log_facility *facility" "int level" "const char *format" "..." - .Ft krb5_error_code .Fn krb5_log_msg "krb5_context context" "krb5_log_facility *facility" "char **reply" "int level" "const char *format" "..." - .Ft krb5_error_code .Fn krb5_openlog "krb5_context context" "const char *program" "krb5_log_facility **facility" - .Ft krb5_error_code .Fn krb5_vlog "krb5_context context" "krb5_log_facility *facility" "int level" "const char *format" "va_list arglist" - .Ft krb5_error_code .Fn krb5_vlog_msg "krb5_context context" "krb5_log_facility *facility" "char **reply" "int level" "const char *format" "va_list arglist" - .Sh DESCRIPTION These functions logs messages to one or more destinations. .Pp @@ -97,7 +85,6 @@ is a standard .Fn printf style format string (but see the BUGS section). .Pp - If you want better control of where things gets logged, you can instead of using .Fn krb5_openlog call 
@@ -135,9 +122,7 @@ calls and then calls .Fn krb5_addlog_dest for each destination found. - .Ss Destinations - The defined destinations (as specified in .Pa krb5.conf ) follows: diff --git a/crypto/heimdal/lib/krb5/krb5_parse_name.3 b/crypto/heimdal/lib/krb5/krb5_parse_name.3 index db9236c..c5b0c1d 100644 --- a/crypto/heimdal/lib/krb5/krb5_parse_name.3 +++ b/crypto/heimdal/lib/krb5/krb5_parse_name.3 @@ -1,20 +1,16 @@ .\" Copyright (c) 1997 Kungliga Tekniska Högskolan -.\" $Id: krb5_parse_name.3,v 1.1 1997/08/14 00:03:17 joda Exp $ +.\" $Id: krb5_parse_name.3,v 1.2 2001/01/26 22:43:22 assar Exp $ .Dd August 8, 1997 .Dt KRB5_PARSE_NAME 3 .Os HEIMDAL .Sh NAME .Nm krb5_parse_name .Nd String to principal conversion - .Sh SYNOPSIS .Fd #include - .Ft krb5_error_code .Fn krb5_parse_name "krb5_context context" "const char *name" "krb5_principal *principal" - .Sh DESCRIPTION - .Fn krb5_parse_name converts a string representation of a princpal name to .Nm krb5_principal . diff --git a/crypto/heimdal/lib/krb5/krb5_sname_to_principal.3 b/crypto/heimdal/lib/krb5/krb5_sname_to_principal.3 index aea4150..2c9f405 100644 --- a/crypto/heimdal/lib/krb5/krb5_sname_to_principal.3 +++ b/crypto/heimdal/lib/krb5/krb5_sname_to_principal.3 @@ -1,5 +1,5 @@ .\" Copyright (c) 1997 Kungliga Tekniska Högskolan -.\" $Id: krb5_sname_to_principal.3,v 1.1 1997/08/14 00:03:18 joda Exp $ +.\" $Id: krb5_sname_to_principal.3,v 1.2 2001/01/26 22:43:22 assar Exp $ .Dd August 8, 1997 .Dt KRB5_PRINCIPAL 3 .Os HEIMDAL 
@@ -7,18 +7,13 @@ .Nm krb5_sname_to_principal , .Nm krb5_sock_to_principal .Nd Create a service principal - .Sh SYNOPSIS .Fd #include - .Ft krb5_error_code .Fn krb5_sname_to_principal "krb5_context context" "const char *hostname" "const char *sname" "int32_t type" "krb5_principal *principal" - .Ft krb5_error_code .Fn krb5_sock_to_principal "krb5_context context" "int socket" "const char *sname" "int32_t type" "krb5_principal *principal" - .Sh DESCRIPTION - These functions create a .Dq service principal that can, for instance, be used to lookup a key in a keytab. For both these function the @@ -49,7 +44,6 @@ of the passed which should be a bound .Dv AF_INET socket. - .Sh SEE ALSO .Xr krb5_425_conv_principal 3 , .Xr krb5_build_principal 3 , diff --git a/crypto/heimdal/lib/krb5/krb5_unparse_name.3 b/crypto/heimdal/lib/krb5/krb5_unparse_name.3 index 13277d6..5a744af 100644 --- a/crypto/heimdal/lib/krb5/krb5_unparse_name.3 +++ b/crypto/heimdal/lib/krb5/krb5_unparse_name.3 @@ -1,5 +1,5 @@ .\" Copyright (c) 1997 Kungliga Tekniska Högskolan -.\" $Id: krb5_unparse_name.3,v 1.1 1997/08/14 00:03:19 joda Exp $ +.\" $Id: krb5_unparse_name.3,v 1.2 2001/01/26 22:43:22 assar Exp $ .Dd August 8, 1997 .Dt KRB5_UNPARSE_NAME 3 .Os HEIMDAL @@ -7,25 +7,19 @@ .Nm krb5_unparse_name .\" .Nm krb5_unparse_name_ext .Nd Principal to string conversion - .Sh SYNOPSIS .Fd #include - .Ft krb5_error_code .Fn krb5_unparse_name "krb5_context context" "krb5_principal principal" "char **name" - .\" .Ft krb5_error_code .\" .Fn krb5_unparse_name_ext "krb5_context context" "krb5_const_principal principal" "char **name" "size_t *size" - .Sh DESCRIPTION - This function takes a .Fa principal , and will convert in to a printable representation with the same syntax as decribed in .Xr krb5_parse_name 3 . .Fa *name will point to allocated data and should be freed by the caller. - .Sh SEE ALSO .Xr krb5_425_conv_principal 3 , .Xr krb5_build_principal 3 , 
diff --git a/crypto/heimdal/lib/krb5/krb5_warn.3 b/crypto/heimdal/lib/krb5/krb5_warn.3 index 521da0e..ae3a330 100644 --- a/crypto/heimdal/lib/krb5/krb5_warn.3 +++ b/crypto/heimdal/lib/krb5/krb5_warn.3 @@ -1,5 +1,5 @@ .\" Copyright (c) 1997 Kungliga Tekniska Högskolan -.\" $Id: krb5_warn.3,v 1.2 1997/08/08 03:45:55 joda Exp $ +.\" $Id: krb5_warn.3,v 1.3 2001/01/26 22:43:23 assar Exp $ .Dd August 8, 1997 .Dt KRB5_WARN 3 .Os HEIMDAL @@ -16,36 +16,25 @@ .Nd Heimdal warning and error functions .Sh SYNOPSIS .Fd #include - .Ft krb5_error_code .Fn krb5_err "krb5_context context" "int eval" "krb5_error_code code" "const char *format" "..." - .Ft krb5_error_code .Fn krb5_errx "krb5_context context" "int eval" "const char *format" "..." - .Ft krb5_error_code .Fn krb5_verr "krb5_context context" "int eval" "krb5_error_code code" "const char *format" "va_list ap" - .Ft krb5_error_code .Fn krb5_verrx "krb5_context context" "int eval" "const char *format" "va_list ap" - .Ft krb5_error_code .Fn krb5_vwarn "krb5_context context" "krb5_error_code code" "const char *format" "va_list ap" - .Ft krb5_error_code .Fn krb5_vwarnx "krb5_context context" "const char *format" "va_list ap" - .Ft krb5_error_code .Fn krb5_warn "krb5_context context" "krb5_error_code code" "const char *format" "..." - .Ft krb5_error_code .Fn krb5_warnx "krb5_context context" "const char *format" "..." - .Ft krb5_error_code .Fn krb5_set_warn_dest "krb5_context context" "krb5_log_facility *facility" - .Sh DESCRIPTION - These functions prints a warning message to some destination. .Fa format is a printf style format specifying the message to print. The forms not ending in an @@ -68,6 +57,5 @@ Messages logged with the functions have a log level of 1, while the .Dq err functions logs with level 0. - .Sh SEE ALSO .Xr krb5_openlog 3 diff --git a/crypto/heimdal/lib/krb5/krbhst.c b/crypto/heimdal/lib/krb5/krbhst.c index 8d5c4e4..b257e8b 100644 --- a/crypto/heimdal/lib/krb5/krbhst.c +++ b/crypto/heimdal/lib/krb5/krbhst.c 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -34,7 +34,7 @@ #include "krb5_locl.h" #include -RCSID("$Id: krbhst.c,v 1.23 1999/12/11 23:14:25 assar Exp $"); +RCSID("$Id: krbhst.c,v 1.25 2001/01/19 04:30:54 assar Exp $"); /* * assuming that `*res' contains `*count' strings, add a copy of `string'. @@ -58,6 +58,11 @@ add_string(char ***res, int *count, const char *string) return 0; } +/* + * do a SRV lookup for `realm, proto, service' returning the result + * in `res, count' + */ + static krb5_error_code srv_find_realm(krb5_context context, char ***res, int *count, const char *realm, const char *proto, const char *service) @@ -131,7 +136,7 @@ get_krbhst (krb5_context context, "realms", *realm, conf_string, NULL); for(r = res, count = 0; r && *r; r++, count++); - if(context->srv_lookup) { + if(count == 0 && context->srv_lookup) { char *s[] = { "udp", "tcp", "http" }, **q; for(q = s; q < s + sizeof(s) / sizeof(s[0]); q++) { ret = srv_find_realm(context, &res, &count, *realm, *q, @@ -157,6 +162,10 @@ get_krbhst (krb5_context context, return 0; } +/* + * set `hostlist' to a malloced list of kadmin servers. + */ + krb5_error_code krb5_get_krb_admin_hst (krb5_context context, const krb5_realm *realm, 
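Review bot: The new `count == 0` guard in get_krbhst changes the precedence between krb5.conf and DNS SRV records without a comment saying so, and the SRV path is where unauthenticated data enters host selection. A configured host list now fully suppresses the SRV query, which is the safer default, but a reader cannot tell whether that is deliberate or whether the two sources were meant to be merged. Suggest `/* only fall back to (unauthenticated) DNS SRV records when krb5.conf lists no hosts for this realm */` above the condition. get_krbhst begins before the hunk at `@@ -131,7 +136,7`.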
@@ -166,15 +175,30 @@ krb5_get_krb_admin_hst (krb5_context context, hostlist); } +/* + * set `hostlist' to a malloced list of changepw servers. + */ + krb5_error_code krb5_get_krb_changepw_hst (krb5_context context, const krb5_realm *realm, char ***hostlist) { - return get_krbhst (context, realm, "admin_server", "kpasswd", - hostlist); + krb5_error_code ret; + + ret = get_krbhst (context, realm, "kpasswd_server", "kpasswd", + hostlist); + if (ret) + return ret; + ret = get_krbhst (context, realm, "admin_server", "kpasswd", + hostlist); + return ret; } +/* + * set `hostlist' to a malloced list of kerberos servers. + */ + krb5_error_code krb5_get_krbhst (krb5_context context, const krb5_realm *realm, @@ -183,6 +207,10 @@ krb5_get_krbhst (krb5_context context, return get_krbhst (context, realm, "kdc", "kerberos", hostlist); } +/* + * free all memory associated with `hostlist' + */ + krb5_error_code krb5_free_krbhst (krb5_context context, char **hostlist) diff --git a/crypto/heimdal/lib/krb5/log.c b/crypto/heimdal/lib/krb5/log.c index e1511e2..37bff1d 100644 --- a/crypto/heimdal/lib/krb5/log.c +++ b/crypto/heimdal/lib/krb5/log.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: log.c,v 1.21 1999/12/02 17:05:11 joda Exp $"); +RCSID("$Id: log.c,v 1.25 2000/09/17 21:46:07 assar Exp $"); struct facility { int min; @@ -56,14 +56,14 @@ log_realloc(krb5_log_facility *f) return fp; } -struct s2i{ +struct s2i { char *s; int val; }; #define L(X) { #X, LOG_ ## X } -struct s2i syslogvals[] = { +static struct s2i syslogvals[] = { L(EMERG), L(ALERT), L(CRIT), 
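Review bot: krb5_get_krb_changepw_hst calls get_krbhst twice with the same `hostlist`, so when the first call for `kpasswd_server` succeeds the second call for `admin_server` overwrites `*hostlist`, leaking the first list, and the admin_server result wins even when a kpasswd_server was explicitly configured — the opposite of the precedence the order suggests. Unless get_krbhst appends to an existing list (its body is outside this hunk), the second call should only run when the first produced no hosts, e.g. guard it with `if (*hostlist == NULL || **hostlist == NULL)` before `ret = get_krbhst (context, realm, "admin_server", "kpasswd", hostlist);`. If appending is the intended behaviour, the new header comment should say so.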
@@ -356,18 +356,22 @@ krb5_vlog_msg(krb5_context context, __attribute__((format (printf, 5, 0))) { char *msg; + const char *actual; char buf[64]; time_t t; int i; vasprintf(&msg, fmt, ap); + if (msg != NULL) + actual = msg; + else + actual = fmt; t = time(NULL); - strftime(buf, sizeof(buf), context->time_fmt, - context->log_utc ? gmtime(&t) : localtime(&t)); + krb5_format_time(context, t, buf, sizeof(buf), TRUE); for(i = 0; i < fac->len; i++) if(fac->val[i].min <= level && (fac->val[i].max < 0 || fac->val[i].max >= level)) - (*fac->val[i].log)(buf, msg, fac->val[i].data); + (*fac->val[i].log)(buf, actual, fac->val[i].data); *reply = msg; return 0; } diff --git a/crypto/heimdal/lib/krb5/mcache.c b/crypto/heimdal/lib/krb5/mcache.c index d45deea..29c5cfd 100644 --- a/crypto/heimdal/lib/krb5/mcache.c +++ b/crypto/heimdal/lib/krb5/mcache.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
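Review bot: The new `msg != NULL` test after `vasprintf(&msg, fmt, ap)` relies on vasprintf storing NULL on failure, which is not guaranteed (glibc documents `*strp` as undefined on error), so the fallback to `fmt` can still pass an indeterminate pointer to the log callbacks and then hand it back in `*reply`. Test the return value instead: `if (vasprintf(&msg, fmt, ap) < 0) msg = NULL;` and keep the existing selection of `actual`. Note also that on failure the raw format string is what gets logged; that is only safe if every registered log function prints its message argument with `%s`, which I cannot verify from this hunk. krb5_vlog_msg begins before the hunk.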
@@ -33,43 +33,97 @@ #include "krb5_locl.h" -RCSID("$Id: mcache.c,v 1.10 1999/12/02 17:05:11 joda Exp $"); +RCSID("$Id: mcache.c,v 1.12 2000/11/15 02:12:51 assar Exp $"); typedef struct krb5_mcache { + char *name; + unsigned int refcnt; krb5_principal primary_principal; struct link { krb5_creds cred; struct link *next; } *creds; + struct krb5_mcache *next; } krb5_mcache; +static struct krb5_mcache *mcc_head; + +#define MCACHE(X) ((krb5_mcache *)(X)->data.data) + +#define MISDEAD(X) ((X)->primary_principal == NULL) + #define MCC_CURSOR(C) ((struct link*)(C)) static char* mcc_get_name(krb5_context context, krb5_ccache id) { - return ""; /* XXX */ + return MCACHE(id)->name; +} + +static krb5_mcache * +mcc_alloc(const char *name) +{ + krb5_mcache *m; + ALLOC(m, 1); + if(m == NULL) + return NULL; + if(name == NULL) + asprintf(&m->name, "%p", m); + else + m->name = strdup(name); + if(m->name == NULL) { + free(m); + return NULL; + } + m->refcnt = 1; + m->primary_principal = NULL; + m->creds = NULL; + m->next = mcc_head; + mcc_head = m; + return m; } static krb5_error_code mcc_resolve(krb5_context context, krb5_ccache *id, const char *res) { - krb5_abortx(context, "unimplemented mcc_resolve called"); + krb5_mcache *m; + + for (m = mcc_head; m != NULL; m = m->next) + if (strcmp(m->name, res) == 0) + break; + + if (m != NULL) { + m->refcnt++; + (*id)->data.data = m; + (*id)->data.length = sizeof(*m); + return 0; + } + + m = mcc_alloc(res); + if (m == NULL) + return KRB5_CC_NOMEM; + + (*id)->data.data = m; + (*id)->data.length = sizeof(*m); + + return 0; } + static krb5_error_code mcc_gen_new(krb5_context context, krb5_ccache *id) { krb5_mcache *m; - m = malloc (sizeof(*m)); + m = mcc_alloc(NULL); + if (m == NULL) return KRB5_CC_NOMEM; - m->primary_principal = NULL; - m->creds = NULL; + (*id)->data.data = m; (*id)->data.length = sizeof(*m); + return 0; } 
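Review bot: mcc_alloc checks `m->name == NULL` after `asprintf(&m->name, "%p", m)`, but asprintf's output pointer is unspecified on failure, so the check only reliably covers the strdup branch; use the return value: `if (asprintf(&m->name, "%p", m) < 0) m->name = NULL;`. Separately, naming anonymous caches by their heap address means the cache name returned by mcc_get_name now exposes a pointer value to whatever consumes it (logs, environment variables), which weakens address-space layout secrecy; a process-local counter would make the name just as unique. mcc_resolve also passes `res` straight to strcmp; if a NULL residual can reach it from the generic cc layer, that needs a guard, which I cannot determine from this hunk.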
@@ -78,37 +132,25 @@ mcc_initialize(krb5_context context, krb5_ccache id, krb5_principal primary_principal) { - krb5_error_code ret; - krb5_mcache *m; - - m = (krb5_mcache *)id->data.data; - - ret = krb5_copy_principal (context, - primary_principal, - &m->primary_principal); - if (ret) - return ret; - return 0; + return krb5_copy_principal (context, + primary_principal, + &MCACHE(id)->primary_principal); } static krb5_error_code mcc_close(krb5_context context, krb5_ccache id) { - krb5_mcache *m = (krb5_mcache *)id->data.data; - struct link *l; + krb5_mcache *m = MCACHE(id); - krb5_free_principal (context, m->primary_principal); - l = m->creds; - while (l != NULL) { - struct link *old; + if (--m->refcnt != 0) + return 0; - krb5_free_creds_contents (context, &l->cred); - old = l; - l = l->next; - free (old); + if (MISDEAD(m)) { + free (m->name); + krb5_data_free(&id->data); } - krb5_data_free(&id->data); + return 0; } @@ -116,6 +158,35 @@ static krb5_error_code mcc_destroy(krb5_context context, krb5_ccache id) { + krb5_mcache **n, *m = MCACHE(id); + struct link *l; + + if (m->refcnt == 0) + krb5_abortx(context, "mcc_destroy: refcnt already 0"); + + if (!MISDEAD(m)) { + /* if this is an active mcache, remove it from the linked + list, and free all data */ + for(n = &mcc_head; n && *n; n = &(*n)->next) { + if(m == *n) { + *n = m->next; + break; + } + } + krb5_free_principal (context, m->primary_principal); + m->primary_principal = NULL; + + l = m->creds; + while (l != NULL) { + struct link *old; + + krb5_free_creds_contents (context, &l->cred); + old = l; + l = l->next; + free (old); + } + m->creds = NULL; + } return 0; } @@ -124,10 +195,13 @@ mcc_store_cred(krb5_context context, krb5_ccache id, krb5_creds *creds) { + krb5_mcache *m = MCACHE(id); krb5_error_code ret; - krb5_mcache *m = (krb5_mcache *)id->data.data; struct link *l; + if (MISDEAD(m)) + return ENOENT; + l = malloc (sizeof(*l)); if (l == NULL) return KRB5_CC_NOMEM; 
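Review bot: With the new reference counting, mcc_close on the last handle of a live (not destroyed) cache keeps the principal and every credential resident in the process and reachable by name through mcc_head until someone calls mcc_destroy, and nothing in the hunk records that. Since the entries are session keys and tickets, a comment on mcc_close such as `/* a cache that is closed but not destroyed stays in mcc_head with its credentials; only krb5_cc_destroy releases them */` would tell callers that close alone does not discard secrets. mcc_destroy frees the credential list but leaves `m` itself allocated until the final close, consistent with the MISDEAD test in mcc_close; stating that split ownership on both functions would help the next maintainer.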
@@ -148,7 +222,10 @@ mcc_get_principal(krb5_context context, krb5_ccache id, krb5_principal *principal) { - krb5_mcache *m = (krb5_mcache *)id->data.data; + krb5_mcache *m = MCACHE(id); + + if (MISDEAD(m)) + return ENOENT; return krb5_copy_principal (context, m->primary_principal, @@ -160,7 +237,11 @@ mcc_get_first (krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor) { - krb5_mcache *m = (krb5_mcache *)id->data.data; + krb5_mcache *m = MCACHE(id); + + if (MISDEAD(m)) + return ENOENT; + *cursor = m->creds; return 0; } @@ -171,8 +252,12 @@ mcc_get_next (krb5_context context, krb5_cc_cursor *cursor, krb5_creds *creds) { + krb5_mcache *m = MCACHE(id); struct link *l; + if (MISDEAD(m)) + return ENOENT; + l = *cursor; if (l != NULL) { *cursor = l->next; @@ -195,9 +280,19 @@ static krb5_error_code mcc_remove_cred(krb5_context context, krb5_ccache id, krb5_flags which, - krb5_creds *cred) + krb5_creds *mcreds) { - return 0; /* XXX */ + krb5_mcache *m = MCACHE(id); + struct link **q, *p; + for(q = &m->creds, p = *q; p; p = *q) { + if(krb5_compare_creds(context, which, mcreds, &p->cred)) { + *q = p->next; + krb5_free_cred_contents(context, &p->cred); + free(p); + } else + q = &p->next; + } + return 0; } static krb5_error_code diff --git a/crypto/heimdal/lib/krb5/mk_priv.c b/crypto/heimdal/lib/krb5/mk_priv.c index 1ee2bed..c880f10 100644 --- a/crypto/heimdal/lib/krb5/mk_priv.c +++ b/crypto/heimdal/lib/krb5/mk_priv.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include -RCSID("$Id: mk_priv.c,v 1.25 1999/12/02 17:05:11 joda Exp $"); +RCSID("$Id: mk_priv.c,v 1.28 2000/08/18 06:48:07 assar Exp $"); /* * 
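Review bot: mcc_remove_cred is the one accessor among these hunks that does not check `MISDEAD(m)` before touching the cache; it is harmless today only because mcc_destroy sets `m->creds = NULL`, so for consistency with mcc_get_first and mcc_store_cred add `if (MISDEAD(m)) return ENOENT;` after the declarations. The function also frees entries with `krb5_free_cred_contents` while mcc_destroy in this same file uses `krb5_free_creds_contents`; if both names exist in this tree that compiles, but one of them is presumably the intended API and the file should use it throughout.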
@@ -52,7 +52,7 @@ krb5_mk_priv(krb5_context context, u_char *buf; size_t buf_size; size_t len; - int tmp_seq; + u_int32_t tmp_seq; krb5_keyblock *key; int32_t sec, usec; KerberosTime sec2; @@ -76,7 +76,7 @@ krb5_mk_priv(krb5_context context, usec2 = usec; part.usec = &usec2; if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { - tmp_seq = ++auth_context->local_seqnumber; + tmp_seq = auth_context->local_seqnumber; part.seq_number = &tmp_seq; } else { part.seq_number = NULL; @@ -117,7 +117,11 @@ krb5_mk_priv(krb5_context context, s.enc_part.etype = key->keytype; s.enc_part.kvno = NULL; - krb5_crypto_init(context, key, 0, &crypto); + ret = krb5_crypto_init(context, key, 0, &crypto); + if (ret) { + free (buf); + return ret; + } ret = krb5_encrypt (context, crypto, KRB5_KU_KRB_PRIV, @@ -159,6 +163,9 @@ krb5_mk_priv(krb5_context context, } memcpy (outbuf->data, buf + buf_size - len, len); free (buf); + if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) + auth_context->local_seqnumber = + (auth_context->local_seqnumber + 1) & 0xFFFFFFFF; return 0; fail: diff --git a/crypto/heimdal/lib/krb5/mk_rep.c b/crypto/heimdal/lib/krb5/mk_rep.c index 060be03..ad750b0 100644 --- a/crypto/heimdal/lib/krb5/mk_rep.c +++ b/crypto/heimdal/lib/krb5/mk_rep.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,11 +33,11 @@ #include -RCSID("$Id: mk_rep.c,v 1.16 1999/12/02 17:05:11 joda Exp $"); +RCSID("$Id: mk_rep.c,v 1.18 2000/12/06 20:57:23 joda Exp $"); krb5_error_code krb5_mk_rep(krb5_context context, - krb5_auth_context *auth_context, + krb5_auth_context auth_context, krb5_data *outbuf) { krb5_error_code ret; 
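Review bot: The post-send update `auth_context->local_seqnumber = (auth_context->local_seqnumber + 1) & 0xFFFFFFFF` is only well-defined if local_seqnumber is an unsigned type; `tmp_seq` was just changed to `u_int32_t`, but if the field itself is still a signed 32-bit int the addition overflows at INT32_MAX, which is undefined behaviour, and the mask is a no-op on a 32-bit field anyway. The field's declaration is outside this hunk, so confirm its type and, if signed, make it unsigned to match `tmp_seq` (the same construct is added in mk_safe.c). The new krb5_crypto_init error path frees `buf` and returns directly while later failures use `goto fail`; if `fail:` releases anything beyond `buf`, this early return leaks it, so routing it through `goto fail` would be more robust.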
@@ -53,21 +53,21 @@ krb5_mk_rep(krb5_context context, memset (&body, 0, sizeof(body)); - body.ctime = (*auth_context)->authenticator->ctime; - body.cusec = (*auth_context)->authenticator->cusec; + body.ctime = auth_context->authenticator->ctime; + body.cusec = auth_context->authenticator->cusec; body.subkey = NULL; - if ((*auth_context)->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { + if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { krb5_generate_seq_number (context, - (*auth_context)->keyblock, - &(*auth_context)->local_seqnumber); + auth_context->keyblock, + &auth_context->local_seqnumber); body.seq_number = malloc (sizeof(*body.seq_number)); if (body.seq_number == NULL) return ENOMEM; - *(body.seq_number) = (*auth_context)->local_seqnumber; + *(body.seq_number) = auth_context->local_seqnumber; } else body.seq_number = NULL; - ap.enc_part.etype = (*auth_context)->keyblock->keytype; + ap.enc_part.etype = auth_context->keyblock->keytype; ap.enc_part.kvno = NULL; buf_size = length_EncAPRepPart(&body); @@ -84,8 +84,12 @@ krb5_mk_rep(krb5_context context, &len); free_EncAPRepPart (&body); - krb5_crypto_init(context, (*auth_context)->keyblock, - 0 /* ap.enc_part.etype */, &crypto); + ret = krb5_crypto_init(context, auth_context->keyblock, + 0 /* ap.enc_part.etype */, &crypto); + if (ret) { + free (buf); + return ret; + } ret = krb5_encrypt (context, crypto, KRB5_KU_AP_REQ_ENC_PART, diff --git a/crypto/heimdal/lib/krb5/mk_req.c b/crypto/heimdal/lib/krb5/mk_req.c index 55ecd46..a30c19e 100644 --- a/crypto/heimdal/lib/krb5/mk_req.c +++ b/crypto/heimdal/lib/krb5/mk_req.c 
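Review bot: The return value of `krb5_generate_seq_number` is still ignored in krb5_mk_rep, so if it fails `auth_context->local_seqnumber` keeps whatever value it had and that value is sent as the initial sequence number on which replay detection for this session depends. Since the commit already adds error handling for krb5_crypto_init a few lines below, the same treatment fits here: `ret = krb5_generate_seq_number (context, auth_context->keyblock, &auth_context->local_seqnumber); if (ret) return ret;`. krb5_mk_rep begins before this hunk.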
@@ -33,23 +33,19 @@ #include -RCSID("$Id: mk_req.c,v 1.20 2000/01/16 10:22:42 assar Exp $"); +RCSID("$Id: mk_req.c,v 1.22 2000/11/15 06:50:53 assar Exp $"); krb5_error_code -krb5_mk_req(krb5_context context, - krb5_auth_context *auth_context, - const krb5_flags ap_req_options, - const char *service, - const char *hostname, - krb5_data *in_data, - krb5_ccache ccache, - krb5_data *outbuf) +krb5_mk_req_exact(krb5_context context, + krb5_auth_context *auth_context, + const krb5_flags ap_req_options, + const krb5_principal server, + krb5_data *in_data, + krb5_ccache ccache, + krb5_data *outbuf) { krb5_error_code ret; krb5_creds this_cred, *cred; - char **realms; - krb5_data realm_data; - char *real_hostname; memset(&this_cred, 0, sizeof(this_cred)); @@ -58,34 +54,18 @@ krb5_mk_req(krb5_context context, if(ret) return ret; - ret = krb5_expand_hostname_realms (context, hostname, - &real_hostname, &realms); + ret = krb5_copy_principal (context, server, &this_cred.server); if (ret) { - krb5_free_principal (context, this_cred.client); + krb5_free_creds_contents (context, &this_cred); return ret; } - realm_data.length = strlen(*realms); - realm_data.data = *realms; - - ret = krb5_build_principal (context, &this_cred.server, - strlen(*realms), - *realms, - service, - real_hostname, - NULL); - free (real_hostname); - krb5_free_host_realm (context, realms); - - if (ret) { - krb5_free_principal (context, this_cred.client); - return ret; - } this_cred.times.endtime = 0; if (auth_context && *auth_context && (*auth_context)->keytype) this_cred.session.keytype = (*auth_context)->keytype; ret = krb5_get_credentials (context, 0, ccache, &this_cred, &cred); + krb5_free_creds_contents(context, &this_cred); if (ret) return ret; 
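Review bot: krb5_mk_req_exact is a new public entry point and has no header comment describing ownership: the hunk shows it copies `server` with krb5_copy_principal and releases `this_cred` with krb5_free_creds_contents, so the caller keeps ownership of `server`, but a user of the function cannot know that without reading the body. Suggest a comment above the signature stating that `server` is not consumed, that `auth_context` may be NULL, and which outputs the caller must free, mirroring whatever krb5_mk_req documents. The function ends beyond this hunk.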
@@ -96,3 +76,39 @@ krb5_mk_req(krb5_context context, cred, outbuf); } + +krb5_error_code +krb5_mk_req(krb5_context context, + krb5_auth_context *auth_context, + const krb5_flags ap_req_options, + const char *service, + const char *hostname, + krb5_data *in_data, + krb5_ccache ccache, + krb5_data *outbuf) +{ + krb5_error_code ret; + char **realms; + char *real_hostname; + krb5_principal server; + + ret = krb5_expand_hostname_realms (context, hostname, + &real_hostname, &realms); + if (ret) + return ret; + + ret = krb5_build_principal (context, &server, + strlen(*realms), + *realms, + service, + real_hostname, + NULL); + free (real_hostname); + krb5_free_host_realm (context, realms); + if (ret) + return ret; + ret = krb5_mk_req_exact (context, auth_context, ap_req_options, + server, in_data, ccache, outbuf); + krb5_free_principal (context, server); + return ret; +} diff --git a/crypto/heimdal/lib/krb5/mk_req_ext.c b/crypto/heimdal/lib/krb5/mk_req_ext.c index 2b7b886..f0f572c 100644 --- a/crypto/heimdal/lib/krb5/mk_req_ext.c +++ b/crypto/heimdal/lib/krb5/mk_req_ext.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include -RCSID("$Id: mk_req_ext.c,v 1.21 1999/12/02 17:05:11 joda Exp $"); +RCSID("$Id: mk_req_ext.c,v 1.24 2000/11/15 07:01:26 assar Exp $"); krb5_error_code krb5_mk_req_internal(krb5_context context, @@ -42,7 +42,8 @@ krb5_mk_req_internal(krb5_context context, krb5_data *in_data, krb5_creds *in_creds, krb5_data *outbuf, - krb5_key_usage usage) + krb5_key_usage checksum_usage, + krb5_key_usage encrypt_usage) { krb5_error_code ret; krb5_data authenticator; 
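Review bot: krb5_mk_req dereferences `*realms` for both the `strlen(*realms)` and realm arguments of krb5_build_principal without checking that krb5_expand_hostname_realms returned a non-empty list; if that function can return 0 with `realms[0] == NULL` for a host with no realm mapping, this is a NULL dereference. Its contract is outside this hunk, so either verify that it guarantees at least one entry or add an `if (*realms == NULL)` check that frees `real_hostname` and `realms` and returns the error code the rest of the file uses for an unmapped host. Only `realms[0]` is ever used; if the list can hold several candidates, a comment saying the first one is chosen would avoid the next reader asking the same question.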
@@ -88,6 +89,11 @@ krb5_mk_req_internal(krb5_context context, krb5_free_keyblock(context, ac->keyblock); krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock); + /* it's unclear what type of checksum we can use. try the best one, except: + * a) if it's configured differently for the current realm, or + * b) if the session key is des-cbc-crc + */ + if (in_data) { if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) { /* this is to make DCE secd (and older MIT kdcs?) happy */ @@ -99,10 +105,13 @@ krb5_mk_req_internal(krb5_context context, &c); } else { krb5_crypto crypto; - krb5_crypto_init(context, ac->keyblock, 0, &crypto); + + ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto); + if (ret) + return ret; ret = krb5_create_checksum(context, crypto, - usage, + checksum_usage, in_data->data, in_data->length, &c); @@ -120,7 +129,8 @@ krb5_mk_req_internal(krb5_context context, in_creds, c_opt, NULL, - &authenticator); + &authenticator, + encrypt_usage); if (c_opt) free_Checksum (c_opt); if (ret) @@ -147,5 +157,6 @@ krb5_mk_req_extended(krb5_context context, in_data, in_creds, outbuf, - KRB5_KU_AP_REQ_AUTH_CKSUM); + KRB5_KU_AP_REQ_AUTH_CKSUM, + KRB5_KU_AP_REQ_AUTH); } diff --git a/crypto/heimdal/lib/krb5/mk_safe.c b/crypto/heimdal/lib/krb5/mk_safe.c index 4d848a6..2803d38 100644 --- a/crypto/heimdal/lib/krb5/mk_safe.c +++ b/crypto/heimdal/lib/krb5/mk_safe.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include -RCSID("$Id: mk_safe.c,v 1.20 1999/12/02 17:05:11 joda Exp $"); +RCSID("$Id: mk_safe.c,v 1.24 2000/08/18 06:48:40 assar Exp $"); krb5_error_code krb5_mk_safe(krb5_context context, @@ -50,7 +50,7 @@ krb5_mk_safe(krb5_context context, u_char *buf = NULL; size_t buf_size; size_t len; - int tmp_seq; + u_int32_t tmp_seq; krb5_crypto crypto; s.pvno = 5; 
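Review bot: Right above the new comment, `krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock)` is still called without checking its result, and the new code then dereferences `ac->keyblock->keytype`; if the copy fails on allocation and leaves `ac->keyblock` NULL, that is a NULL dereference before the new krb5_crypto_init check can help. Suggest `ret = krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock); if (ret) return ret;` — krb5_copy_keyblock's behaviour on failure is outside this hunk, so confirm it. The new early `return ret` after krb5_crypto_init also exits without releasing whatever krb5_mk_req_internal allocated before this point (the function starts outside the hunk), so check that nothing is leaked on that path.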
@@ -64,7 +64,7 @@ krb5_mk_safe(krb5_context context, usec2 = usec2; s.safe_body.usec = &usec2; if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { - tmp_seq = ++auth_context->local_seqnumber; + tmp_seq = auth_context->local_seqnumber; s.safe_body.seq_number = &tmp_seq; } else s.safe_body.seq_number = NULL; @@ -76,13 +76,20 @@ krb5_mk_safe(krb5_context context, s.cksum.checksum.data = NULL; s.cksum.checksum.length = 0; - buf_size = length_KRB_SAFE(&s); buf = malloc(buf_size + 128); /* add some for checksum */ if(buf == NULL) return ENOMEM; ret = encode_KRB_SAFE (buf + buf_size - 1, buf_size, &s, &len); + if (ret) { + free (buf); + return ret; + } ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto); + if (ret) { + free (buf); + return ret; + } ret = krb5_create_checksum(context, crypto, KRB5_KU_KRB_SAFE_CKSUM, @@ -111,5 +118,8 @@ krb5_mk_safe(krb5_context context, } memcpy (outbuf->data, buf + buf_size - len, len); free (buf); + if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) + auth_context->local_seqnumber = + (auth_context->local_seqnumber + 1) & 0xFFFFFFFF; return 0; } diff --git a/crypto/heimdal/lib/krb5/principal.c b/crypto/heimdal/lib/krb5/principal.c index 2999868..7be1d93 100644 --- a/crypto/heimdal/lib/krb5/principal.c +++ b/crypto/heimdal/lib/krb5/principal.c @@ -38,9 +38,10 @@ #ifdef HAVE_ARPA_NAMESER_H #include #endif +#include #include "resolve.h" -RCSID("$Id: principal.c,v 1.63 2000/02/07 03:19:05 assar Exp $"); +RCSID("$Id: principal.c,v 1.73 2000/10/16 03:42:14 assar Exp $"); #define princ_num_comp(P) ((P)->name.name_string.len) #define princ_type(P) ((P)->name.name_type) @@ -494,6 +495,9 @@ krb5_copy_principal(krb5_context context, return 0; } +/* + * return TRUE iff princ1 == princ2 (without considering the realm) + */ krb5_boolean krb5_principal_compare_any_realm(krb5_context context, 
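Review bot: The context line `usec2 = usec2;` in krb5_mk_safe is a self-assignment, whereas the parallel code in krb5_mk_priv reads `usec2 = usec;`; unless usec2 is initialised earlier (its declaration is outside the hunk), the KRB-SAFE message is sent with an indeterminate microsecond value, which is undefined behaviour and also degrades the timestamp that peers use for replay detection. The commit edits the lines around it but not this one, so it is worth fixing here: `usec2 = usec;`. The sequence-number update added at the end of the function has the same signed-overflow concern as the one in mk_priv.c; make sure `local_seqnumber` is an unsigned type.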
@@ -510,6 +514,10 @@ krb5_principal_compare_any_realm(krb5_context context, return TRUE; } +/* + * return TRUE iff princ1 == princ2 + */ + krb5_boolean krb5_principal_compare(krb5_context context, krb5_const_principal princ1, @@ -520,6 +528,9 @@ krb5_principal_compare(krb5_context context, return krb5_principal_compare_any_realm(context, princ1, princ2); } +/* + * return TRUE iff realm(princ1) == realm(princ2) + */ krb5_boolean krb5_realm_compare(krb5_context context, @@ -529,22 +540,52 @@ krb5_realm_compare(krb5_context context, return strcmp(princ_realm(princ1), princ_realm(princ2)) == 0; } +/* + * return TRUE iff princ matches pattern + */ + +krb5_boolean +krb5_principal_match(krb5_context context, + krb5_const_principal princ, + krb5_const_principal pattern) +{ + int i; + if(princ_num_comp(princ) != princ_num_comp(pattern)) + return FALSE; + if(fnmatch(princ_realm(pattern), princ_realm(princ), 0) != 0) + return FALSE; + for(i = 0; i < princ_num_comp(princ); i++){ + if(fnmatch(princ_ncomp(pattern, i), princ_ncomp(princ, i), 0) != 0) + return FALSE; + } + return TRUE; +} + + struct v4_name_convert { const char *from; const char *to; } default_v4_name_convert[] = { - { "ftp", "ftp" }, - { "hprop", "hprop" }, - { "pop", "pop" }, - { "rcmd", "host" }, + { "ftp", "ftp" }, + { "hprop", "hprop" }, + { "pop", "pop" }, + { "imap", "imap" }, + { "rcmd", "host" }, { NULL, NULL } }; +/* + * return the converted instance name of `name' in `realm'. + * look in the configuration file and then in the default set above. + * return NULL if no conversion is appropriate. + */ + static const char* get_name_conversion(krb5_context context, const char *realm, const char *name) { struct v4_name_convert *q; const char *p; + p = krb5_config_get_string(context, NULL, "realms", realm, "v4_name_convert", "host", name, NULL); if(p == NULL) 
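Review bot: The new `krb5_principal_match` header comment, `return TRUE iff princ matches pattern`, leaves the matching semantics to the reader, although they matter for anyone using it in an access decision: the realm and every component of `pattern` are fnmatch(3) globs evaluated with flags 0 (so `*` and `?` match any characters, `[...]` classes apply and backslash escapes), `princ` is always taken literally, and the component counts must be equal. I would extend the comment to say exactly that. Minor: `i` is `int` while `princ_num_comp()` appears to yield an unsigned length, so the loop compares signed with unsigned; an `unsigned` index or a cast avoids the warning.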
@@ -577,6 +618,12 @@ get_name_conversion(krb5_context context, const char *realm, const char *name) return NULL; } +/* + * convert the v4 principal `name.instance@realm' to a v5 principal in `princ'. + * if `resolve', use DNS. + * if `func', use that function for validating the conversion + */ + krb5_error_code krb5_425_conv_principal_ext(krb5_context context, const char *name, @@ -589,7 +636,7 @@ krb5_425_conv_principal_ext(krb5_context context, const char *p; krb5_error_code ret; krb5_principal pr; - char host[128]; + char host[MAXHOSTNAMELEN]; /* do the following: if the name is found in the `v4_name_convert:host' part, is is assumed to be a `host' type @@ -635,7 +682,17 @@ krb5_425_conv_principal_ext(krb5_context context, inst = hp->h_name; #endif if(inst) { - ret = krb5_make_principal(context, &pr, realm, name, inst, NULL); + char *low_inst = strdup(inst); + + if (low_inst == NULL) { +#ifdef USE_RESOLVER + dns_free_data(r); +#endif + return ENOMEM; + } + ret = krb5_make_principal(context, &pr, realm, name, low_inst, + NULL); + free (low_inst); if(ret == 0) { if(func == NULL || (*func)(context, pr)){ *princ = pr; @@ -673,8 +730,7 @@ krb5_425_conv_principal_ext(krb5_context context, p = krb5_config_get_string(context, NULL, "realms", realm, "default_domain", NULL); if(p == NULL){ - /* should this be an error or should it silently - succeed? */ + /* this should be an error, just faking a name is not good */ return HEIM_ERR_V4_PRINC_NO_CONV; } @@ -801,6 +857,13 @@ name_convert(krb5_context context, const char *name, const char *realm, return -1; } +/* + * convert the v5 principal in `principal' into a v4 corresponding one + * in `name, instance, realm' + * this is limited interface since there's no length given for these + * three parameters. They have to be 40 bytes each (ANAME_SZ). + */ + krb5_error_code krb5_524_conv_principal(krb5_context context, const krb5_principal principal, 
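Review bot: `low_inst` is a plain `strdup(inst)` that is passed to `krb5_make_principal` and freed immediately, so the copy is a no-op relative to passing `inst` directly, while the name suggests a lower-casing step that the hunk does not contain. Either the intended lower-casing loop is missing, or the copy and its ENOMEM path should be dropped; if the copy is kept on purpose (for instance because `inst` points into resolver-owned memory), a one-line comment should say so. krb5_425_conv_principal_ext continues outside the hunk, so a later lower-casing cannot be ruled out from here.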
@@ -811,6 +874,7 @@ krb5_524_conv_principal(krb5_context context, const char *n, *i, *r; char tmpinst[40]; int type = princ_type(principal); + const int aname_sz = 40; r = principal->realm; @@ -846,15 +910,12 @@ krb5_524_conv_principal(krb5_context context, i = tmpinst; } - if(strlen(r) >= 40) + if (strlcpy (name, n, aname_sz) >= aname_sz) return KRB5_PARSE_MALFORMED; - if(strlen(n) >= 40) + if (strlcpy (instance, i, aname_sz) >= aname_sz) return KRB5_PARSE_MALFORMED; - if(strlen(i) >= 40) + if (strlcpy (realm, r, aname_sz) >= aname_sz) return KRB5_PARSE_MALFORMED; - strcpy(realm, r); - strcpy(name, n); - strcpy(instance, i); return 0; } @@ -870,7 +931,7 @@ krb5_sname_to_principal (krb5_context context, krb5_principal *ret_princ) { krb5_error_code ret; - char localhost[128]; + char localhost[MAXHOSTNAMELEN]; char **realms, *host = NULL; if(type != KRB5_NT_SRV_HST && type != KRB5_NT_UNKNOWN) diff --git a/crypto/heimdal/lib/krb5/prog_setup.c b/crypto/heimdal/lib/krb5/prog_setup.c index 4693d08..dc3b119 100644 --- a/crypto/heimdal/lib/krb5/prog_setup.c +++ b/crypto/heimdal/lib/krb5/prog_setup.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,8 +33,9 @@ #include "krb5_locl.h" #include +#include -RCSID("$Id: prog_setup.c,v 1.6 1999/12/02 17:05:11 joda Exp $"); +RCSID("$Id: prog_setup.c,v 1.8 2001/01/25 11:20:32 assar Exp $"); void krb5_std_usage(int code, struct getargs *args, int num_args) 
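Review bot: The strlcpy rewrite writes into the caller's `name`, `instance` and `realm` one after another and returns KRB5_PARSE_MALFORMED as soon as one of them truncates, so on failure the earlier outputs have already been overwritten with partial data, whereas the old code checked all three lengths before copying anything. Either keep the three `strlen(...) >= aname_sz` pre-checks ahead of the copies, or state in the new header comment that the outputs are unspecified when the function fails. Also `strlcpy` returns `size_t` and `aname_sz` is `const int`, so the comparisons are signed/unsigned; `const size_t aname_sz = 40;` (or the ANAME_SZ the comment refers to, if it is in scope here) avoids that.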
@@ -48,13 +49,16 @@ krb5_program_setup(krb5_context *context, int argc, char **argv, struct getargs *args, int num_args, void (*usage)(int, struct getargs*, int)) { + krb5_error_code ret; int optind = 0; if(usage == NULL) usage = krb5_std_usage; set_progname(argv[0]); - krb5_init_context(context); + ret = krb5_init_context(context); + if (ret) + errx (1, "krb5_init_context failed: %d", ret); if(getarg(args, num_args, argc, argv, &optind)) (*usage)(1, args, num_args); diff --git a/crypto/heimdal/lib/krb5/rd_cred.c b/crypto/heimdal/lib/krb5/rd_cred.c index 71b79b1..ca8ff02 100644 --- a/crypto/heimdal/lib/krb5/rd_cred.c +++ b/crypto/heimdal/lib/krb5/rd_cred.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,13 +33,14 @@ #include -RCSID("$Id: rd_cred.c,v 1.9 2000/02/06 05:19:52 assar Exp $"); +RCSID("$Id: rd_cred.c,v 1.12 2001/01/04 16:19:00 joda Exp $"); krb5_error_code -krb5_rd_cred (krb5_context context, - krb5_auth_context auth_context, - krb5_ccache ccache, - krb5_data *in_data) +krb5_rd_cred(krb5_context context, + krb5_auth_context auth_context, + krb5_data *in_data, + krb5_creds ***ret_creds, + krb5_replay_data *out_data) { krb5_error_code ret; size_t len; @@ -49,9 +50,9 @@ krb5_rd_cred (krb5_context context, krb5_crypto crypto; int i; - ret = decode_KRB_CRED (in_data->data, in_data->length, - &cred, &len); - if (ret) + ret = decode_KRB_CRED(in_data->data, in_data->length, + &cred, &len); + if(ret) return ret; if (cred.pvno != 5) { 
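Review bot: The new `krb5_rd_cred` signature introduces two out-parameters without any comment on their contract; the function is public, so callers need to know that `*ret_creds` is a NULL-terminated, calloc'ed array they release with krb5_free_creds() per entry followed by free(), and that `out_data` may be NULL and otherwise receives timestamp/usec/seq (0 where the message omits them). I would add a header comment saying exactly that above the definition, since the old ccache-taking behaviour has moved to a differently named function and callers will be re-reading this one.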
@@ -64,16 +65,32 @@ krb5_rd_cred (krb5_context context, goto out; } - krb5_crypto_init(context, auth_context->remote_subkey, 0, &crypto); - ret = krb5_decrypt_EncryptedData(context, - crypto, - KRB5_KU_KRB_CRED, - &cred.enc_part, - &enc_krb_cred_part_data); - krb5_crypto_destroy(context, crypto); - if (ret) - goto out; - + if (cred.enc_part.etype == ETYPE_NULL) { + /* DK: MIT GSS-API Compatibility */ + enc_krb_cred_part_data.length = cred.enc_part.cipher.length; + enc_krb_cred_part_data.data = cred.enc_part.cipher.data; + } else { + if (auth_context->remote_subkey) + ret = krb5_crypto_init(context, auth_context->remote_subkey, + 0, &crypto); + else + ret = krb5_crypto_init(context, auth_context->keyblock, + 0, &crypto); + /* DK: MIT rsh */ + + if (ret) + goto out; + + ret = krb5_decrypt_EncryptedData(context, + crypto, + KRB5_KU_KRB_CRED, + &cred.enc_part, + &enc_krb_cred_part_data); + + krb5_crypto_destroy(context, crypto); + if (ret) + goto out; + } ret = krb5_decode_EncKrbCredPart (context, enc_krb_cred_part_data.data, @@ -86,7 +103,8 @@ krb5_rd_cred (krb5_context context, /* check sender address */ if (enc_krb_cred_part.s_address - && auth_context->remote_address) { + && auth_context->remote_address + && auth_context->remote_port) { krb5_address *a; int cmp; @@ -113,6 +131,7 @@ krb5_rd_cred (krb5_context context, /* check receiver address */ if (enc_krb_cred_part.r_address + && auth_context->local_address && !krb5_address_compare (context, auth_context->local_address, enc_krb_cred_part.r_address)) { 
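Review bot: The new ETYPE_NULL branch accepts a KRB-CRED whose enc_part is not encrypted at all, unconditionally and with no way for the caller to insist on encryption, so confidentiality and integrity of forwarded credentials then rest entirely on whatever outer protection (the GSS-API wrap the comment alludes to) the caller applies. I would gate this on an explicit auth_context flag, or at least state in a comment at the branch that it is only safe under an already-protected channel. The branch also aliases `enc_krb_cred_part_data` onto `cred.enc_part.cipher`, which `free_KRB_CRED(&cred)` releases at `out:`; if the decrypted buffer is freed anywhere later (not visible in the hunk), the plaintext case becomes a double free. The added `&& auth_context->remote_port` condition silently disables the sender-address check whenever the port is unset; a comment on why that is acceptable would help the next reader.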
@@ -135,51 +154,104 @@ krb5_rd_cred (krb5_context context, } } - /* XXX - check replay cache */ + if(out_data != NULL) { + if(enc_krb_cred_part.timestamp) + out_data->timestamp = *enc_krb_cred_part.timestamp; + else + out_data->timestamp = 0; + if(enc_krb_cred_part.usec) + out_data->usec = *enc_krb_cred_part.usec; + else + out_data->usec = 0; + if(enc_krb_cred_part.nonce) + out_data->seq = *enc_krb_cred_part.nonce; + else + out_data->seq = 0; + } + + /* Convert to NULL terminated list of creds */ - /* Store the creds in the ccache */ + *ret_creds = calloc(enc_krb_cred_part.ticket_info.len + 1, + sizeof(**ret_creds)); for (i = 0; i < enc_krb_cred_part.ticket_info.len; ++i) { KrbCredInfo *kci = &enc_krb_cred_part.ticket_info.val[i]; - krb5_creds creds; + krb5_creds *creds; u_char buf[1024]; size_t len; - memset (&creds, 0, sizeof(creds)); + creds = calloc(1, sizeof(*creds)); + if(creds == NULL) { + ret = ENOMEM; + goto out; + } ret = encode_Ticket (buf + sizeof(buf) - 1, sizeof(buf), &cred.tickets.val[i], &len); if (ret) goto out; - krb5_data_copy (&creds.ticket, buf + sizeof(buf) - len, len); - copy_EncryptionKey (&kci->key, &creds.session); + krb5_data_copy (&creds->ticket, buf + sizeof(buf) - len, len); + copy_EncryptionKey (&kci->key, &creds->session); if (kci->prealm && kci->pname) - principalname2krb5_principal (&creds.client, + principalname2krb5_principal (&creds->client, *kci->pname, *kci->prealm); if (kci->flags) - creds.flags.b = *kci->flags; + creds->flags.b = *kci->flags; if (kci->authtime) - creds.times.authtime = *kci->authtime; + creds->times.authtime = *kci->authtime; if (kci->starttime) - creds.times.starttime = *kci->starttime; + creds->times.starttime = *kci->starttime; if (kci->endtime) - creds.times.endtime = *kci->endtime; + creds->times.endtime = *kci->endtime; if (kci->renew_till) - creds.times.renew_till = *kci->renew_till; + creds->times.renew_till = *kci->renew_till; if (kci->srealm && kci->sname) - principalname2krb5_principal 
(&creds.server, + principalname2krb5_principal (&creds->server, *kci->sname, *kci->srealm); if (kci->caddr) krb5_copy_addresses (context, kci->caddr, - &creds.addresses); - krb5_cc_store_cred (context, ccache, &creds); + &creds->addresses); + + (*ret_creds)[i] = creds; + } + (*ret_creds)[i] = NULL; + return 0; out: free_KRB_CRED (&cred); + if(*ret_creds) { + for(i = 0; (*ret_creds)[i]; i++) + krb5_free_creds(context, (*ret_creds)[i]); + free(*ret_creds); + } return ret; } + +krb5_error_code +krb5_rd_cred2 (krb5_context context, + krb5_auth_context auth_context, + krb5_ccache ccache, + krb5_data *in_data) +{ + krb5_error_code ret; + krb5_creds **creds; + int i; + + ret = krb5_rd_cred(context, auth_context, in_data, &creds, NULL); + if(ret) + return ret; + + /* Store the creds in the ccache */ + + for(i = 0; creds && creds[i]; i++) { + krb5_cc_store_cred(context, ccache, creds[i]); + krb5_free_creds(context, creds[i]); + } + free(creds); + return 0; +} diff --git a/crypto/heimdal/lib/krb5/rd_priv.c b/crypto/heimdal/lib/krb5/rd_priv.c index c4d7bea..62350ba 100644 --- a/crypto/heimdal/lib/krb5/rd_priv.c +++ b/crypto/heimdal/lib/krb5/rd_priv.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include -RCSID("$Id: rd_priv.c,v 1.23 2000/02/06 05:20:13 assar Exp $"); +RCSID("$Id: rd_priv.c,v 1.27 2001/01/19 04:27:09 assar Exp $"); krb5_error_code krb5_rd_priv(krb5_context context, @@ -72,7 +72,9 @@ krb5_rd_priv(krb5_context context, else key = auth_context->keyblock; - krb5_crypto_init(context, key, 0, &crypto); + ret = krb5_crypto_init(context, key, 0, &crypto); + if (ret) + goto failure; ret = krb5_decrypt_EncryptedData(context, crypto, KRB5_KU_KRB_PRIV, 
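Review bot: `*ret_creds = calloc(...)` is not checked for NULL, so an allocation failure becomes a write through a null pointer at `(*ret_creds)[i] = creds;`, inconsistent with the `creds = calloc(...)` check a few lines later. In the same loop, when `encode_Ticket` fails the freshly allocated `creds` has not been linked into `*ret_creds` yet, so `goto out` leaks it. The cleanup at `out:` tests `*ret_creds`, but the earlier `goto out` paths (pvno check, decrypt failure) run before the calloc, so unless `*ret_creds = NULL;` is executed at function entry — not visible in these hunks — the cleanup frees whatever the caller's pointer happened to hold. In krb5_rd_cred2 the return value of `krb5_cc_store_cred` is discarded as well.
```c
    /* Convert to NULL terminated list of creds */

    *ret_creds = calloc(enc_krb_cred_part.ticket_info.len + 1,
			sizeof(**ret_creds));
    if (*ret_creds == NULL) {
	ret = ENOMEM;
	goto out;
    }
    for (i = 0; i < enc_krb_cred_part.ticket_info.len; ++i) {
	/* … unchanged: kci, creds = calloc(...) and its ENOMEM check … */
	ret = encode_Ticket (buf + sizeof(buf) - 1, sizeof(buf),
			     &cred.tickets.val[i], &len);
	if (ret) {
	    krb5_free_creds(context, creds);
	    goto out;
	}
	/* … unchanged: fill in creds, (*ret_creds)[i] = creds … */
    }
```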
@@ -124,13 +126,19 @@ krb5_rd_priv(krb5_context context, /* XXX - check replay cache */ - /* check sequence number */ + /* check sequence number. since MIT krb5 cannot generate a sequence + number of zero but instead generates no sequence number, we accept that + */ + if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { - if (part.seq_number == NULL || - *part.seq_number != ++auth_context->remote_seqnumber) { - ret = KRB5KRB_AP_ERR_BADORDER; - goto failure_part; - } + if ((part.seq_number == NULL + && auth_context->remote_seqnumber != 0) + || (part.seq_number != NULL + && *part.seq_number != auth_context->remote_seqnumber)) { + ret = KRB5KRB_AP_ERR_BADORDER; + goto failure_part; + } + auth_context->remote_seqnumber++; } ret = krb5_data_copy (outbuf, part.user_data.data, part.user_data.length); diff --git a/crypto/heimdal/lib/krb5/rd_rep.c b/crypto/heimdal/lib/krb5/rd_rep.c index e2c401c..20f2033 100644 --- a/crypto/heimdal/lib/krb5/rd_rep.c +++ b/crypto/heimdal/lib/krb5/rd_rep.c @@ -33,7 +33,7 @@ #include -RCSID("$Id: rd_rep.c,v 1.19 1999/12/02 17:05:12 joda Exp $"); +RCSID("$Id: rd_rep.c,v 1.20 2000/08/18 06:49:03 assar Exp $"); krb5_error_code krb5_rd_rep(krb5_context context, @@ -62,7 +62,9 @@ krb5_rd_rep(krb5_context context, goto out; } - krb5_crypto_init(context, auth_context->keyblock, 0, &crypto); + ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto); + if (ret) + goto out; ret = krb5_decrypt_EncryptedData (context, crypto, KRB5_KU_AP_REQ_ENC_PART, diff --git a/crypto/heimdal/lib/krb5/rd_req.c b/crypto/heimdal/lib/krb5/rd_req.c index bcf4ecf..922137a 100644 --- a/crypto/heimdal/lib/krb5/rd_req.c +++ b/crypto/heimdal/lib/krb5/rd_req.c @@ -33,7 +33,7 @@ #include -RCSID("$Id: rd_req.c,v 1.41 2000/02/07 13:31:55 joda Exp $"); +RCSID("$Id: rd_req.c,v 1.44 2000/11/15 23:16:28 assar Exp $"); static krb5_error_code decrypt_tkt_enc_part (krb5_context context, 
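Review bot: The relaxed check now lets `auth_context->remote_seqnumber++` advance the expected counter without any wrap handling, while mk_safe.c in the same import masks its `local_seqnumber` with `& 0xFFFFFFFF`; if the field is wider than 32 bits the two sides diverge once the peer wraps, and if it is a signed 32-bit type the increment overflows. The same construct is repeated in the rd_safe.c hunk `@@ -144,13 +146,20 @@`. Treat both sides the same way, e.g. `auth_context->remote_seqnumber = (auth_context->remote_seqnumber + 1) & 0xFFFFFFFF;`, or declare the fields u_int32_t and drop the mask everywhere. Accepting a missing sequence number only while the expected value is 0 confines the MIT work-around to effectively the first message, which is the right scope and worth stating in the comment.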
@@ -46,7 +46,9 @@ decrypt_tkt_enc_part (krb5_context context, size_t len; krb5_crypto crypto; - krb5_crypto_init(context, key, 0, &crypto); + ret = krb5_crypto_init(context, key, 0, &crypto); + if (ret) + return ret; ret = krb5_decrypt_EncryptedData (context, crypto, KRB5_KU_TICKET, @@ -66,19 +68,29 @@ static krb5_error_code decrypt_authenticator (krb5_context context, EncryptionKey *key, EncryptedData *enc_part, - Authenticator *authenticator) + Authenticator *authenticator, + krb5_key_usage usage) { krb5_error_code ret; krb5_data plain; size_t len; krb5_crypto crypto; - krb5_crypto_init(context, key, 0, &crypto); + ret = krb5_crypto_init(context, key, 0, &crypto); + if (ret) + return ret; ret = krb5_decrypt_EncryptedData (context, crypto, - KRB5_KU_AP_REQ_AUTH, + usage /* KRB5_KU_AP_REQ_AUTH */, enc_part, &plain); + /* for backwards compatibility, also try the old usage */ + if (ret && usage == KRB5_KU_TGS_REQ_AUTH) + ret = krb5_decrypt_EncryptedData (context, + crypto, + KRB5_KU_AP_REQ_AUTH, + enc_part, + &plain); krb5_crypto_destroy(context, crypto); if (ret) return ret; @@ -136,10 +148,14 @@ krb5_decrypt_ticket(krb5_context context, start = *t.starttime; if(start - now > context->max_skew || (t.flags.invalid - && !(flags & KRB5_VERIFY_AP_REQ_IGNORE_INVALID))) + && !(flags & KRB5_VERIFY_AP_REQ_IGNORE_INVALID))) { + free_EncTicketPart(&t); return KRB5KRB_AP_ERR_TKT_NYV; - if(now - t.endtime > context->max_skew) + } + if(now - t.endtime > context->max_skew) { + free_EncTicketPart(&t); return KRB5KRB_AP_ERR_TKT_EXPIRED; + } } if(out) 
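Review bot: The retry in decrypt_authenticator decrypts the same ciphertext a second time under KRB5_KU_AP_REQ_AUTH when the KRB5_KU_TGS_REQ_AUTH attempt fails, which deliberately undoes the key-usage separation the new `usage` parameter introduces; that is a defensible interoperability measure, but it needs a comment naming what it is compatible with and when it can be retired, and ideally a context setting so deployments that do not need it can turn it off. The inline comment `usage /* KRB5_KU_AP_REQ_AUTH */` is now misleading since `usage` may be the TGS value; drop it or write `usage /* AP_REQ_AUTH or TGS_REQ_AUTH */`. The `free_EncTicketPart(&t)` additions in krb5_decrypt_ticket close the leak on the NYV/EXPIRED returns; any other early returns in that function lie outside the hunk and should be checked for the same.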
@@ -222,19 +238,40 @@ krb5_verify_ap_req(krb5_context context, krb5_flags *ap_req_options, krb5_ticket **ticket) { + return krb5_verify_ap_req2 (context, + auth_context, + ap_req, + server, + keyblock, + flags, + ap_req_options, + ticket, + KRB5_KU_AP_REQ_AUTH); +} + +krb5_error_code +krb5_verify_ap_req2(krb5_context context, + krb5_auth_context *auth_context, + krb5_ap_req *ap_req, + krb5_const_principal server, + krb5_keyblock *keyblock, + krb5_flags flags, + krb5_flags *ap_req_options, + krb5_ticket **ticket, + krb5_key_usage usage) +{ krb5_ticket t; krb5_auth_context ac; krb5_error_code ret; - if(auth_context) { - if(*auth_context == NULL){ - krb5_auth_con_init(context, &ac); - *auth_context = ac; - }else - ac = *auth_context; - } else - krb5_auth_con_init(context, &ac); - + if (auth_context && *auth_context) { + ac = *auth_context; + } else { + ret = krb5_auth_con_init (context, &ac); + if (ret) + return ret; + } + if (ap_req->ap_options.use_session_key && ac->keyblock){ ret = krb5_decrypt_ticket(context, &ap_req->ticket, ac->keyblock, @@ -249,7 +286,7 @@ krb5_verify_ap_req(krb5_context context, flags); if(ret) - return ret; + goto out; principalname2krb5_principal(&t.server, ap_req->ticket.sname, ap_req->ticket.realm); @@ -263,11 +300,10 @@ krb5_verify_ap_req(krb5_context context, ret = decrypt_authenticator (context, &t.ticket.key, &ap_req->authenticator, - ac->authenticator); - if (ret){ - /* XXX free data */ - return ret; - } + ac->authenticator, + usage); + if (ret) + goto out2; { krb5_principal p1, p2; @@ -282,8 +318,10 @@ krb5_verify_ap_req(krb5_context context, res = krb5_principal_compare (context, p1, p2); krb5_free_principal (context, p1); krb5_free_principal (context, p2); - if (!res) - return KRB5KRB_AP_ERR_BADMATCH; + if (!res) { + ret = KRB5KRB_AP_ERR_BADMATCH; + goto out2; + } } /* check addresses */ 
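Review bot: `krb5_verify_ap_req2` adds a public entry point and a `usage` parameter with no comment on what the parameter selects or why `krb5_verify_ap_req` now forwards KRB5_KU_AP_REQ_AUTH; a header comment such as `/* usage: key usage for decrypting the authenticator; KRB5_KU_AP_REQ_AUTH for a plain AP-REQ, KRB5_KU_TGS_REQ_AUTH when it arrives inside a TGS-REQ */` would let callers choose correctly. The ownership rule the new `out:` path relies on (free `ac` only if the caller did not pass one in) also deserves stating at the top, since it is not obvious from the signature. The function continues past this hunk.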
@@ -292,8 +330,10 @@ krb5_verify_ap_req(krb5_context context, && ac->remote_address && !krb5_address_search (context, ac->remote_address, - t.ticket.caddr)) - return KRB5KRB_AP_ERR_BADADDR; + t.ticket.caddr)) { + ret = KRB5KRB_AP_ERR_BADADDR; + goto out2; + } if (ac->authenticator->seq_number) ac->remote_seqnumber = *ac->authenticator->seq_number; @@ -322,7 +362,18 @@ krb5_verify_ap_req(krb5_context context, **ticket = t; } else krb5_free_ticket (context, &t); + if (auth_context) { + if (*auth_context == NULL) + *auth_context = ac; + } else + krb5_auth_con_free (context, ac); return 0; + out2: + krb5_free_ticket (context, &t); + out: + if (auth_context == NULL || *auth_context == NULL) + krb5_auth_con_free (context, ac); + return ret; } diff --git a/crypto/heimdal/lib/krb5/rd_safe.c b/crypto/heimdal/lib/krb5/rd_safe.c index fb7cc2d..07628d9 100644 --- a/crypto/heimdal/lib/krb5/rd_safe.c +++ b/crypto/heimdal/lib/krb5/rd_safe.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include -RCSID("$Id: rd_safe.c,v 1.19 2000/02/06 05:20:51 assar Exp $"); +RCSID("$Id: rd_safe.c,v 1.23 2001/01/19 04:25:37 assar Exp $"); static krb5_error_code verify_checksum(krb5_context context, @@ -65,7 +65,9 @@ verify_checksum(krb5_context context, buf_size, safe, &len); - krb5_crypto_init(context, auth_context->keyblock, 0, &crypto); + ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto); + if (ret) + goto out; ret = krb5_verify_checksum (context, crypto, KRB5_KU_KRB_SAFE_CKSUM, 
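Review bot: The new `ret = krb5_crypto_init(...)` in verify_checksum overwrites `ret` immediately after the `encode_KRB_SAFE(...)` call whose argument list is visible just above it, and nothing in between inspects that result; if the encode result is not checked elsewhere (the call starts above the hunk), a failed or truncated encoding is silently used as checksum input. Add `if (ret) goto out;` between the encode call and the crypto init, mirroring the check this hunk adds for krb5_crypto_init. What `out:` releases is outside the hunk, so confirm it also frees the encode buffer.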
@@ -144,13 +146,20 @@ krb5_rd_safe(krb5_context context, } /* XXX - check replay cache */ - /* check sequence number */ + /* check sequence number. since MIT krb5 cannot generate a sequence + number of zero but instead generates no sequence number, we accept that + */ + if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { - if (safe.safe_body.seq_number == NULL || - *safe.safe_body.seq_number != ++auth_context->remote_seqnumber) { + if ((safe.safe_body.seq_number == NULL + && auth_context->remote_seqnumber != 0) + || (safe.safe_body.seq_number != NULL + && *safe.safe_body.seq_number != + auth_context->remote_seqnumber)) { ret = KRB5KRB_AP_ERR_BADORDER; goto failure; } + auth_context->remote_seqnumber++; } ret = verify_checksum (context, auth_context, &safe); diff --git a/crypto/heimdal/lib/krb5/read_message.c b/crypto/heimdal/lib/krb5/read_message.c index f2cae03..45d6b62 100644 --- a/crypto/heimdal/lib/krb5/read_message.c +++ b/crypto/heimdal/lib/krb5/read_message.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: read_message.c,v 1.5 1999/12/02 17:05:12 joda Exp $"); +RCSID("$Id: read_message.c,v 1.7 2000/07/21 22:54:09 joda Exp $"); krb5_error_code krb5_read_message (krb5_context context, @@ -49,7 +49,7 @@ krb5_read_message (krb5_context context, return errno; if(ret < 4) { data->length = 0; - return 0; + return HEIM_ERR_EOF; } len = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]; ret = krb5_data_alloc (data, len); 
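Review bot: `len` is taken straight from the four network bytes and handed to `krb5_data_alloc(data, len)` with no upper bound, so a peer can make the reader attempt an allocation of up to 4 GiB per message; since the function is being touched for its EOF semantics anyway, add `if (len > MAX_MESSAGE_LEN /* placeholder: project to choose */) return HEIM_ERR_EOF;` or a dedicated error code before the alloc. Also `(buf[0] << 24)` is undefined if `buf` is `char`, and even for `u_char` the promoted `int` can have its sign bit set; `((u_int32_t)buf[0] << 24) | ...` is the portable form (the declaration of `buf` is above the hunk). Returning HEIM_ERR_EOF for `ret < 4` also covers a 1–3 byte short read, which is a truncated message rather than end of stream; a distinct code would help callers tell them apart.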
@@ -61,3 +61,41 @@ krb5_read_message (krb5_context context, } return 0; } + +krb5_error_code +krb5_read_priv_message(krb5_context context, + krb5_auth_context ac, + krb5_pointer p_fd, + krb5_data *data) +{ + krb5_error_code ret; + krb5_data packet; + + ret = krb5_read_message(context, p_fd, &packet); + if(ret) + return ret; + ret = krb5_rd_priv (context, ac, &packet, data, NULL); + krb5_data_free(&packet); + if(ret) + return ret; + return ret; +} + +krb5_error_code +krb5_read_safe_message(krb5_context context, + krb5_auth_context ac, + krb5_pointer p_fd, + krb5_data *data) +{ + krb5_error_code ret; + krb5_data packet; + + ret = krb5_read_message(context, p_fd, &packet); + if(ret) + return ret; + ret = krb5_rd_safe (context, ac, &packet, data, NULL); + krb5_data_free(&packet); + if(ret) + return ret; + return ret; +} diff --git a/crypto/heimdal/lib/krb5/recvauth.c b/crypto/heimdal/lib/krb5/recvauth.c index 49fe7b6..3c11254 100644 --- a/crypto/heimdal/lib/krb5/recvauth.c +++ b/crypto/heimdal/lib/krb5/recvauth.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: recvauth.c,v 1.12 1999/12/02 17:05:12 joda Exp $"); +RCSID("$Id: recvauth.c,v 1.13 2000/12/06 20:59:05 joda Exp $"); /* * See `sendauth.c' for the format. @@ -177,7 +177,7 @@ krb5_recvauth_match_version(krb5_context context, return errno; if (ap_options & AP_OPTS_MUTUAL_REQUIRED) { - ret = krb5_mk_rep (context, auth_context, &data); + ret = krb5_mk_rep (context, *auth_context, &data); if (ret) return ret; diff --git a/crypto/heimdal/lib/krb5/replay.c b/crypto/heimdal/lib/krb5/replay.c index 3ca68e8..2935cfc 100644 --- a/crypto/heimdal/lib/krb5/replay.c +++ b/crypto/heimdal/lib/krb5/replay.c 
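Review bot: In both krb5_read_priv_message and krb5_read_safe_message the tail `if(ret) return ret; return ret;` returns `ret` on either branch, so the conditional is dead; `ret = krb5_rd_priv (context, ac, &packet, data, NULL); krb5_data_free(&packet); return ret;` (and the krb5_rd_safe twin) says the same thing. Both functions are new public API and would benefit from a one-line comment stating that they read one length-prefixed message from `p_fd`, unwrap it with the auth context, and leave the plaintext in `data` for the caller to free.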
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,6 +32,9 @@ */ #include "krb5_locl.h" +#include + +RCSID("$Id: replay.c,v 1.7 2001/01/29 02:09:00 assar Exp $"); struct krb5_rcache_data { char *name; @@ -82,6 +85,12 @@ krb5_rc_default_name(krb5_context context) return "FILE:/var/run/default_rcache"; } +const char * +krb5_rc_default_type(krb5_context context) +{ + return "FILE"; +} + krb5_error_code krb5_rc_default(krb5_context context, krb5_rcache *id) @@ -140,20 +149,20 @@ checksum_authenticator(Authenticator *auth, void *data) MD5_CTX md5; int i; - MD5Init (&md5); - MD5Update (&md5, auth->crealm, strlen(auth->crealm)); + MD5_Init (&md5); + MD5_Update (&md5, auth->crealm, strlen(auth->crealm)); for(i = 0; i < auth->cname.name_string.len; i++) - MD5Update(&md5, auth->cname.name_string.val[i], - strlen(auth->cname.name_string.val[i])); - MD5Update (&md5, &auth->ctime, sizeof(auth->ctime)); - MD5Update (&md5, &auth->cusec, sizeof(auth->cusec)); - MD5Final (&md5, data); + MD5_Update(&md5, auth->cname.name_string.val[i], + strlen(auth->cname.name_string.val[i])); + MD5_Update (&md5, &auth->ctime, sizeof(auth->ctime)); + MD5_Update (&md5, &auth->cusec, sizeof(auth->cusec)); + MD5_Final (data, &md5); } krb5_error_code krb5_rc_store(krb5_context context, krb5_rcache id, - krb5_donot_reply *rep) + krb5_donot_replay *rep) { struct rc_entry ent, tmp; time_t t; @@ -209,6 +218,7 @@ krb5_rc_get_lifespan(krb5_context context, } return KRB5_RC_IO_UNKNOWN; } + const char* krb5_rc_get_name(krb5_context context, krb5_rcache id) 
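Review bot: checksum_authenticator hashes `crealm`, each name component, `ctime` and `cusec` by plain concatenation with no length or separator between the variable-length strings, so distinct authenticators whose concatenated bytes coincide (components `ab`,`c` versus `a`,`bc`, say) map to the same replay-cache key, letting one legitimate message shadow another as a false-positive replay. The switch to the OpenSSL-style `MD5_Init/Update/Final` calls is a good moment to feed each field's length (or its NUL terminator) into the hash ahead of the field. The `MD5_Final (data, &md5)` argument order matches the new API, and the `krb5_donot_reply` → `krb5_donot_replay` rename is fine.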
@@ -223,3 +233,32 @@ krb5_rc_get_type(krb5_context context, return "FILE"; } +krb5_error_code +krb5_get_server_rcache(krb5_context context, + const krb5_data *piece, + krb5_rcache *id) +{ + krb5_rcache rcache; + krb5_error_code ret; + + char *tmp = malloc(4 * piece->length + 1); + char *name; + if(tmp == NULL) + return ENOMEM; + strvisx(tmp, piece->data, piece->length, VIS_WHITE | VIS_OCTAL); +#ifdef HAVE_GETEUID + asprintf(&name, "FILE:rc_%s_%u", tmp, geteuid()); +#else + asprintf(&name, "FILE:rc_%s", tmp); +#endif + free(tmp); + if(name == NULL) + return ENOMEM; + + ret = krb5_rc_resolve_full(context, &rcache, name); + free(name); + if(ret) + return ret; + *id = rcache; + return ret; +} diff --git a/crypto/heimdal/lib/krb5/send_to_kdc.c b/crypto/heimdal/lib/krb5/send_to_kdc.c index 2872322..e2b884d 100644 --- a/crypto/heimdal/lib/krb5/send_to_kdc.c +++ b/crypto/heimdal/lib/krb5/send_to_kdc.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: send_to_kdc.c,v 1.36 2000/01/06 07:59:11 assar Exp $"); +RCSID("$Id: send_to_kdc.c,v 1.40 2000/11/15 01:48:23 assar Exp $"); /* * send the data in `req' on the socket `fd' (which is datagram iff udp) @@ -54,6 +54,10 @@ recv_loop (int fd, int ret; int nbytes; + if (fd >= FD_SETSIZE) { + return -1; + } + krb5_data_zero(rep); do { FD_ZERO(&fdset); @@ -237,7 +241,8 @@ send_via_proxy (krb5_context context, const krb5_data *send, krb5_data *receive) { - char *proxy = strdup(context->http_proxy); + char *proxy2 = strdup(context->http_proxy); + char *proxy = proxy2; char *prefix; char *colon; struct addrinfo hints; @@ -246,6 +251,11 @@ send_via_proxy (krb5_context context, int s; char portstr[NI_MAXSERV]; + if (proxy == NULL) + return ENOMEM; + if (strncmp (proxy, "http://", 7) == 0) + proxy += 7; + colon = strchr(proxy, ':'); if(colon != NULL) *colon++ = '\0'; 
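Review bot: `asprintf(&name, ...)` is checked only through `name == NULL`, but on failure asprintf leaves the pointer argument unspecified on common implementations, so the ENOMEM path is not reliably taken; test the return value instead, `if (asprintf(&name, "FILE:rc_%s_%u", tmp, geteuid()) < 0) { free(tmp); return ENOMEM; }`, and likewise in the non-geteuid branch (keeping the existing `free(tmp)` on the success path). `strvisx(..., VIS_WHITE | VIS_OCTAL)` confines the cache name to printable characters, which is the right defence against a service name steering the file path; a short comment on why the encoding is there would preserve that intent. `%u` with `geteuid()` assumes uid_t promotes to unsigned int; `(unsigned)geteuid()` makes it explicit.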
@@ -254,10 +264,10 @@ send_via_proxy (krb5_context context, hints.ai_socktype = SOCK_STREAM; snprintf (portstr, sizeof(portstr), "%d", ntohs(init_port (colon, htons(80)))); - ret = getaddrinfo (proxy, portstr, NULL, &ai); - free (proxy); + ret = getaddrinfo (proxy, portstr, &hints, &ai); + free (proxy2); if (ret) - return ret; + return krb5_eai_to_heim_errno(ret); for (a = ai; a != NULL; a = a->ai_next) { s = socket (a->ai_family, a->ai_socktype, a->ai_protocol); @@ -295,26 +305,17 @@ send_via_proxy (krb5_context context, */ krb5_error_code -krb5_sendto_kdc (krb5_context context, - const krb5_data *send, - const krb5_realm *realm, - krb5_data *receive) +krb5_sendto (krb5_context context, + const krb5_data *send, + char **hostlist, + int port, + krb5_data *receive) { - krb5_error_code ret; - char **hostlist, **hp, *p; + krb5_error_code ret = 0; + char **hp, *p; int fd; - int port; int i; - port = krb5_getportbyname (context, "kerberos", "udp", 88); - - if (context->use_admin_kdc) - ret = krb5_get_krb_admin_hst (context, realm, &hostlist); - else - ret = krb5_get_krbhst (context, realm, &hostlist); - if (ret) - return ret; - for (i = 0; i < context->max_retries; ++i) for (hp = hostlist; (p = *hp); ++hp) { char *colon; 
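Review bot: Now that `getaddrinfo` receives `&hints` instead of NULL, every member of `hints` matters, and the hunk only shows `hints.ai_socktype = SOCK_STREAM;` being set; unless a `memset (&hints, 0, sizeof(hints));` precedes it above the hunk, `ai_flags`, `ai_family` and `ai_protocol` are indeterminate and the lookup behaves unpredictably. Please confirm the zeroing is there or add it just before the assignment. Mapping the failure through `krb5_eai_to_heim_errno(ret)` instead of returning a raw EAI code is the right fix for the `ret` return. send_via_proxy continues past this hunk.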
@@ -390,6 +391,38 @@ krb5_sendto_kdc (krb5_context context, } ret = KRB5_KDC_UNREACH; out: - krb5_free_krbhst (context, hostlist); return ret; } + +krb5_error_code +krb5_sendto_kdc2(krb5_context context, + const krb5_data *send, + const krb5_realm *realm, + krb5_data *receive, + krb5_boolean master) +{ + krb5_error_code ret; + char **hostlist; + int port; + + port = krb5_getportbyname (context, "kerberos", "udp", 88); + + if (master || context->use_admin_kdc) + ret = krb5_get_krb_admin_hst (context, realm, &hostlist); + else + ret = krb5_get_krbhst (context, realm, &hostlist); + if (ret) + return ret; + ret = krb5_sendto(context, send, hostlist, port, receive); + krb5_free_krbhst (context, hostlist); + return ret; +} + +krb5_error_code +krb5_sendto_kdc(krb5_context context, + const krb5_data *send, + const krb5_realm *realm, + krb5_data *receive) +{ + return krb5_sendto_kdc2(context, send, realm, receive, FALSE); +} diff --git a/crypto/heimdal/lib/krb5/sock_principal.c b/crypto/heimdal/lib/krb5/sock_principal.c index bfd4eb4..477622d 100644 --- a/crypto/heimdal/lib/krb5/sock_principal.c +++ b/crypto/heimdal/lib/krb5/sock_principal.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: sock_principal.c,v 1.9 1999/12/02 17:05:12 joda Exp $"); +RCSID("$Id: sock_principal.c,v 1.11 2000/08/09 20:53:11 assar Exp $"); krb5_error_code krb5_sock_to_principal (krb5_context context, @@ -46,10 +46,11 @@ krb5_sock_to_principal (krb5_context context, krb5_address address; struct sockaddr_storage __ss; struct sockaddr *sa = (struct sockaddr *)&__ss; - int len = sizeof(__ss); + socklen_t len = sizeof(__ss); struct hostent *hostent; int family; char hname[256]; + char *tmp; if (getsockname (sock, sa, &len) < 0) return errno; 
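Review bot: `krb5_sendto_kdc2` adds a `master` flag whose only visible effect is `if (master || context->use_admin_kdc)` selecting the admin-server list, yet neither it nor the new `krb5_sendto` carries a comment; a header such as `/* send `send' to a KDC of `realm'; if `master' is TRUE, or the context has use_admin_kdc set, only the admin KDCs are tried */` would make the knob usable. For `krb5_sendto`, document that `hostlist` is the NULL-terminated list the caller owns and that entries appear to carry an optional `:port` suffix (the loop declares `char *colon` for that) which overrides `port`, if that is indeed what the loop does — its body lies outside this hunk.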
@@ -65,7 +66,18 @@ krb5_sock_to_principal (krb5_context context, if (hostent == NULL) return h_errno; - strlcpy(hname, hostent->h_name, sizeof(hname)); + tmp = hostent->h_name; + if (strchr(tmp, '.') == NULL) { + char **a; + + for (a = hostent->h_aliases; a != NULL && *a != NULL; ++a) + if (strchr(*a, '.') != NULL) { + tmp = *a; + break; + } + } + + strlcpy(hname, tmp, sizeof(hname)); return krb5_sname_to_principal (context, hname, sname, diff --git a/crypto/heimdal/lib/krb5/store.c b/crypto/heimdal/lib/krb5/store.c index 17b1547..5f9d659 100644 --- a/crypto/heimdal/lib/krb5/store.c +++ b/crypto/heimdal/lib/krb5/store.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: store.c,v 1.32 1999/12/02 17:05:12 joda Exp $"); +RCSID("$Id: store.c,v 1.34 2000/04/11 00:46:09 assar Exp $"); void krb5_storage_set_flags(krb5_storage *sp, krb5_flags flags) @@ -275,8 +275,7 @@ krb5_ret_string(krb5_storage *sp, } krb5_error_code -krb5_store_stringz(krb5_storage *sp, - char *s) +krb5_store_stringz(krb5_storage *sp, const char *s) { size_t len = strlen(s) + 1; ssize_t ret; 
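Review bot: The `strlcpy(hname, tmp, sizeof(hname))` that now receives either `h_name` or a dotted alias still ignores its return value, so a resolver name longer than 255 bytes is silently truncated and the service principal is built from a wrong hostname; check it: `if (strlcpy(hname, tmp, sizeof(hname)) >= sizeof(hname)) return ENAMETOOLONG;` (or whichever error code the file prefers alongside its `return errno;` style). The alias scan picks the first alias containing a dot to obtain a fully qualified name, so the principal chosen depends on reverse-DNS data and ordering; a comment to that effect next to the loop would record the design choice. krb5_sock_to_principal continues beyond the hunk.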
@@ -554,20 +553,46 @@ krb5_ret_authdata(krb5_storage *sp, krb5_authdata *auth) return ret; } +/* + * store `creds' on `sp' returning error or zero + */ + krb5_error_code krb5_store_creds(krb5_storage *sp, krb5_creds *creds) { - krb5_store_principal(sp, creds->client); - krb5_store_principal(sp, creds->server); - krb5_store_keyblock(sp, creds->session); - krb5_store_times(sp, creds->times); - krb5_store_int8(sp, 0); /* this is probably the + int ret; + + ret = krb5_store_principal(sp, creds->client); + if (ret) + return ret; + ret = krb5_store_principal(sp, creds->server); + if (ret) + return ret; + ret = krb5_store_keyblock(sp, creds->session); + if (ret) + return ret; + ret = krb5_store_times(sp, creds->times); + if (ret) + return ret; + ret = krb5_store_int8(sp, 0); /* this is probably the enc-tkt-in-skey bit from KDCOptions */ - krb5_store_int32(sp, creds->flags.i); - krb5_store_addrs(sp, creds->addresses); - krb5_store_authdata(sp, creds->authdata); - krb5_store_data(sp, creds->ticket); - krb5_store_data(sp, creds->second_ticket); + if (ret) + return ret; + ret = krb5_store_int32(sp, creds->flags.i); + if (ret) + return ret; + ret = krb5_store_addrs(sp, creds->addresses); + if (ret) + return ret; + ret = krb5_store_authdata(sp, creds->authdata); + if (ret) + return ret; + ret = krb5_store_data(sp, creds->ticket); + if (ret) + return ret; + ret = krb5_store_data(sp, creds->second_ticket); + if (ret) + return ret; return 0; } diff --git a/crypto/heimdal/lib/krb5/store_emem.c b/crypto/heimdal/lib/krb5/store_emem.c index d2497ef..4d531c6 100644 --- a/crypto/heimdal/lib/krb5/store_emem.c +++ b/crypto/heimdal/lib/krb5/store_emem.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 200 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
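Review bot: `ret` in krb5_store_creds is declared `int` while every `krb5_store_*` call it collects returns `krb5_error_code`; use `krb5_error_code ret;` so the type matches the function's own return type. The final `ret = krb5_store_data(sp, creds->second_ticket); if (ret) return ret; return 0;` can simply be `return krb5_store_data(sp, creds->second_ticket);`. The new header comment could also mention that a partially written stream is left behind on error, since nothing in the function rewinds `sp`.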
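Review bot: The new copyright line in store_emem.c reads `1997 - 200`, dropping a digit; the sibling files in this import use `1997 - 2000`, which is presumably what was meant.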
@@ -33,7 +33,7 @@
 #include "krb5_locl.h"
-RCSID("$Id: store_emem.c,v 1.9 1999/12/02 17:05:12 joda Exp $");
+RCSID("$Id: store_emem.c,v 1.10 2000/05/19 14:39:49 assar Exp $");
 typedef struct emem_storage{
 unsigned char *base;
@@ -54,7 +54,7 @@ emem_fetch(krb5_storage *sp, void *data, size_t size)
 }
 static ssize_t
-emem_store(krb5_storage *sp, void *data, size_t size)
+emem_store(krb5_storage *sp, const void *data, size_t size)
 {
 emem_storage *s = (emem_storage*)sp->data;
 if(size > s->base + s->size - s->ptr){
diff --git a/crypto/heimdal/lib/krb5/store_fd.c b/crypto/heimdal/lib/krb5/store_fd.c
index e4c507c..2c795bd 100644
--- a/crypto/heimdal/lib/krb5/store_fd.c
+++ b/crypto/heimdal/lib/krb5/store_fd.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
@@ -33,7 +33,7 @@
 #include "krb5_locl.h"
-RCSID("$Id: store_fd.c,v 1.6 1999/12/02 17:05:13 joda Exp $");
+RCSID("$Id: store_fd.c,v 1.8 2001/01/29 02:32:35 assar Exp $");
 typedef struct fd_storage{
 int fd;
@@ -44,13 +44,13 @@ typedef struct fd_storage{
 static ssize_t
 fd_fetch(krb5_storage *sp, void *data, size_t size)
 {
- return read(FD(sp), data, size);
+ return net_read(FD(sp), data, size);
 }
 static ssize_t
-fd_store(krb5_storage *sp, void *data, size_t size)
+fd_store(krb5_storage *sp, const void *data, size_t size)
 {
- return write(FD(sp), data, size);
+ return net_write(FD(sp), data, size);
 }
 static off_t
diff --git a/crypto/heimdal/lib/krb5/store_mem.c b/crypto/heimdal/lib/krb5/store_mem.c
index a8019e6..e6c277a 100644
--- a/crypto/heimdal/lib/krb5/store_mem.c
+++ b/crypto/heimdal/lib/krb5/store_mem.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
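Review bot: fd_fetch and fd_store now return whatever net_read and net_write return, and nothing in the hunk says whether those helpers keep going until `size` bytes have been transferred or may hand back a short count; the storage callers presumably compare the result against the requested size, so the contract should be stated where it is relied on, e.g. `/* net_read/net_write retry partial transfers; a short return means EOF or error */`. Confirm that wording against the helpers' definitions before adopting it. The fd_storage typedef and the neighbouring functions are only partially visible in the hunk.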
@@ -33,7 +33,7 @@
 #include "krb5_locl.h"
-RCSID("$Id: store_mem.c,v 1.9 1999/12/02 17:05:13 joda Exp $");
+RCSID("$Id: store_mem.c,v 1.10 2000/05/19 14:39:02 assar Exp $");
 typedef struct mem_storage{
 unsigned char *base;
@@ -53,7 +53,7 @@ mem_fetch(krb5_storage *sp, void *data, size_t size)
 }
 static ssize_t
-mem_store(krb5_storage *sp, void *data, size_t size)
+mem_store(krb5_storage *sp, const void *data, size_t size)
 {
 mem_storage *s = (mem_storage*)sp->data;
 if(size > s->base + s->size - s->ptr)
diff --git a/crypto/heimdal/lib/krb5/string-to-key-test.c b/crypto/heimdal/lib/krb5/string-to-key-test.c
index 0e884d0..6e6c0b6 100644
--- a/crypto/heimdal/lib/krb5/string-to-key-test.c
+++ b/crypto/heimdal/lib/krb5/string-to-key-test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
@@ -32,7 +32,7 @@
 #include "krb5_locl.h"
-RCSID("$Id: string-to-key-test.c,v 1.2 1999/10/28 23:10:38 assar Exp $");
+RCSID("$Id: string-to-key-test.c,v 1.4 2000/12/31 08:03:54 assar Exp $");
 enum { MAXSIZE = 24 };
@@ -60,6 +60,9 @@ static struct testcase {
 {0x7f, 0x40, 0x67, 0xb9, 0xbc, 0xc4, 0x40, 0xfb,
 0x43, 0x73, 0xd9, 0xd3, 0xcd, 0x7c, 0xc7, 0x67,
 0xe6, 0x79, 0x94, 0xd0, 0xa8, 0x34, 0xdf, 0x62}},
+ {"does/not@MATTER", "foo", ETYPE_ARCFOUR_HMAC_MD5,
+ {0xac, 0x8e, 0x65, 0x7f, 0x83, 0xdf, 0x82, 0xbe,
+ 0xea, 0x5d, 0x43, 0xbd, 0xaf, 0x78, 0x00, 0xcc}},
 {NULL}
 };
@@ -71,7 +74,9 @@ main(int argc, char **argv)
 krb5_error_code ret;
 int val = 0;
- krb5_init_context (&context);
+ ret = krb5_init_context (&context);
+ if (ret)
+ errx (1, "krb5_init_context failed: %d", ret);
 for (t = tests; t->principal_name; ++t) {
 krb5_keyblock key;
diff --git a/crypto/heimdal/lib/krb5/test_get_addrs.c b/crypto/heimdal/lib/krb5/test_get_addrs.c
new file mode 100644
index 0000000..96a8f89
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/test_get_addrs.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ * used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
+
+#include "krb5_locl.h"
+#include
+
+RCSID("$Id: test_get_addrs.c,v 1.3 2001/01/25 12:45:15 assar Exp $");
+
+/* print all addresses that we find */
+
+static void
+print_addresses (krb5_context context, const krb5_addresses *addrs)
+{
+ int i;
+ char buf[256];
+ size_t len;
+
+ for (i = 0; i < addrs->len; ++i) {
+ krb5_print_address (&addrs->val[i], buf, sizeof(buf), &len);
+ printf ("%s\n", buf);
+ }
+}
+
+int
+main(int argc, char **argv)
+{
+ krb5_context context;
+ krb5_error_code ret;
+ krb5_addresses addrs;
+
+ ret = krb5_init_context(&context);
+ if (ret)
+ errx (1, "krb5_init_context failed: %d", ret);
+
+ ret = krb5_get_all_client_addrs (context, &addrs);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_get_all_client_addrs");
+ printf ("client addresses\n");
+ print_addresses (context, &addrs);
+ krb5_free_addresses (context, &addrs);
+
+ ret = krb5_get_all_server_addrs (context, &addrs);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_get_all_server_addrs");
+ printf ("server addresses\n");
+ print_addresses (context, &addrs);
+ krb5_free_addresses (context, &addrs);
+ return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/time.c b/crypto/heimdal/lib/krb5/time.c
index e5a1185..98121b4 100644
--- a/crypto/heimdal/lib/krb5/time.c
+++ b/crypto/heimdal/lib/krb5/time.c
@@ -33,7 +33,7 @@
 #include "krb5_locl.h"
-RCSID("$Id: time.c,v 1.3 2000/02/06 05:21:53 assar Exp $");
+RCSID("$Id: time.c,v 1.4 2000/06/29 08:20:52 joda Exp $");
 /*
 * return ``corrected'' time in `timeret'.
@@ -64,3 +64,16 @@ krb5_us_timeofday (krb5_context context,
 *usec = tv.tv_usec; /* XXX */
 return 0;
 }
+
+krb5_error_code
+krb5_format_time(krb5_context context, time_t t,
+ char *s, size_t len, krb5_boolean include_time)
+{
+ struct tm *tm;
+ if(context->log_utc)
+ tm = gmtime (&t);
+ else
+ tm = localtime(&t);
+ strftime(s, len, include_time ? context->time_fmt : context->date_fmt, tm);
+ return 0;
+}
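Review bot: In print_addresses the result of krb5_print_address is discarded and `buf` is never initialised, so if that call fails (it presumably returns a krb5_error_code like the other calls in this file) the following printf prints whatever happens to be on the stack; guard the print with `if (krb5_print_address (&addrs->val[i], buf, sizeof(buf), &len) == 0) printf ("%s\n", buf);`. `len` is written by that call but never read, and main exits without a krb5_free_context for the context it created, which is harmless in a test program but worth a `/* context intentionally not freed: process exits */` if left as is. The whole file is new in this commit and lies entirely inside the hunk.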
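Review bot: krb5_format_time returns 0 unconditionally even though gmtime/localtime can return NULL for an unrepresentable `t` and strftime returns 0 without terminating `s` when the formatted string does not fit in `len`, so a caller that then uses `s` reads an indeterminate buffer. Both failures should be reported and `s` should be left as an empty string on failure so it is always safe to print; the function is new in this commit and fits entirely within the hunk. The error value below is a placeholder for whichever code the library uses for this case.
```c
krb5_error_code
krb5_format_time(krb5_context context, time_t t,
		 char *s, size_t len, krb5_boolean include_time)
{
    /* … unchanged: struct tm *tm and the log_utc gmtime/localtime selection … */
    /* NULL tm, or a 0 return from strftime, both leave s unusable */
    if (tm == NULL ||
	strftime(s, len, include_time ? context->time_fmt : context->date_fmt,
		 tm) == 0) {
	if (len > 0)
	    s[0] = '\0';
	return ERANGE;   /* placeholder: use the library's error for "does not fit" */
    }
    return 0;
}
```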
diff --git a/crypto/heimdal/lib/krb5/verify_krb5_conf.8 b/crypto/heimdal/lib/krb5/verify_krb5_conf.8
new file mode 100644
index 0000000..55cdc92
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/verify_krb5_conf.8
@@ -0,0 +1,33 @@
+.\" $Id: verify_krb5_conf.8,v 1.2 2000/03/04 14:07:50 assar Exp $
+.\"
+.Dd March 4, 2000
+.Dt VERIFY_KRB5_CONF 8
+.Os HEIMDAL
+.Sh NAME
+.Nm verify_krb5_conf
+.Nd
+does a crude test that
+.Pa krb5.conf
+does not contain any obvious syntax error
+.Sh SYNOPSIS
+.Nm
+.Ar [config-file]
+.Sh DESCRIPTION
+.Nm
+reads the configuration file
+.Pa krb5.conf ,
+or the file given on the command line,
+and parses it, thereby verifying that the syntax is not correctly wrong.
+Since that file is read by almost all Kerberos programs but most of
+them have no way of notifying the user that it could not be parsed,
+this program is useful.
+.Sh ENVIRONMENT
+.Ev KRB5_CONFIG
+points to the configuration file to read.
+.Sh FILES
+.Xr krb5.conf 5
+.Sh SEE ALSO
+.Xr krb5.conf 5
+.Sh BUGS
+It should know about what variables are actually used and warn about
+unknown ones.
diff --git a/crypto/heimdal/lib/krb5/verify_user.c b/crypto/heimdal/lib/krb5/verify_user.c
index 10c22cb..758bc60 100644
--- a/crypto/heimdal/lib/krb5/verify_user.c
+++ b/crypto/heimdal/lib/krb5/verify_user.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
@@ -33,7 +33,7 @@
 #include "krb5_locl.h"
-RCSID("$Id: verify_user.c,v 1.11 1999/12/02 17:05:13 joda Exp $");
+RCSID("$Id: verify_user.c,v 1.12 2001/01/04 17:40:00 joda Exp $");
 static krb5_error_code
 verify_common (krb5_context context,
@@ -101,6 +101,9 @@ krb5_verify_user(krb5_context context,
 krb5_creds cred;
 krb5_get_init_creds_opt_init (&opt);
+ krb5_get_init_creds_opt_set_default_flags(context, NULL,
+ *krb5_princ_realm(context, principal),
+ &opt);
 ret = krb5_get_init_creds_password (context,
 &cred,
@@ -152,6 +155,9 @@ krb5_verify_user_lrealm(krb5_context context,
 free (*krb5_princ_realm (context, principal));
 krb5_princ_set_realm (context, principal, &tmp);
+ krb5_get_init_creds_opt_set_default_flags(context, NULL,
+ *krb5_princ_realm(context, principal),
+ &opt);
 ret = krb5_get_init_creds_password (context,
 &cred,
 principal,
diff --git a/crypto/heimdal/lib/krb5/warn.c b/crypto/heimdal/lib/krb5/warn.c
index b202f7d..1f594fb 100644
--- a/crypto/heimdal/lib/krb5/warn.c
+++ b/crypto/heimdal/lib/krb5/warn.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
@@ -34,7 +34,7 @@
 #include "krb5_locl.h"
 #include
-RCSID("$Id: warn.c,v 1.10 1999/12/02 17:05:13 joda Exp $");
+RCSID("$Id: warn.c,v 1.11 2000/08/16 07:37:41 assar Exp $");
 static krb5_error_code
 _warnerr(krb5_context context, int do_errtext,
@@ -44,6 +44,7 @@ _warnerr(krb5_context context, int do_errtext,
 const char *args[2], **arg;
 char *msg = NULL;
+ args[0] = args[1] = NULL;
 arg = args;
 if(fmt){
 strcat(xfmt, "%s");
diff --git a/crypto/heimdal/lib/krb5/write_message.c b/crypto/heimdal/lib/krb5/write_message.c
index b7f2c28..2e394b6 100644
--- a/crypto/heimdal/lib/krb5/write_message.c
+++ b/crypto/heimdal/lib/krb5/write_message.c
@@ -33,7 +33,7 @@
 #include "krb5_locl.h"
-RCSID("$Id: write_message.c,v 1.4 1999/12/02 17:05:13 joda Exp $");
+RCSID("$Id: write_message.c,v 1.6 2000/07/21 23:49:09 joda Exp $");
 krb5_error_code
 krb5_write_message (krb5_context context,
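Review bot: Both hunks (krb5_verify_user here and krb5_verify_user_lrealm below it) pass `NULL` as the application name to krb5_get_init_creds_opt_set_default_flags, so any per-application defaults that are presumably keyed by that name are not consulted before the password request; if realm-wide defaults are the intent, a comment such as `/* NULL appname: only realm-wide defaults apply to the verify request */` would record it, otherwise the caller's application name should be threaded through. The same three-line call is now duplicated in both functions. krb5_verify_user and krb5_verify_user_lrealm both start and end outside the hunks.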
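Review bot: The added `args[0] = args[1] = NULL;` in _warnerr removes a read of uninitialised pointers, but on the next visible lines the format is still assembled with an unbounded `strcat(xfmt, "%s")` into `xfmt`, whose declaration and size lie outside the hunk; either a comment stating the bound that makes this safe, or `strlcat(xfmt, "%s", sizeof(xfmt))` given that the tree already uses strlcpy elsewhere in this commit, would make the bound checkable at a glance. _warnerr starts before the hunk and continues after it.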
@@ -44,12 +44,42 @@ krb5_write_message (krb5_context context,
 u_int8_t buf[4];
 len = data->length;
- buf[0] = (len >> 24) & 0xFF;
- buf[1] = (len >> 16) & 0xFF;
- buf[2] = (len >> 8) & 0xFF;
- buf[3] = (len >> 0) & 0xFF;
+ _krb5_put_int(buf, len, 4);
 if (krb5_net_write (context, p_fd, buf, 4) != 4
 || krb5_net_write (context, p_fd, data->data, len) != len)
 return errno;
 return 0;
 }
+
+krb5_error_code
+krb5_write_priv_message(krb5_context context,
+ krb5_auth_context ac,
+ krb5_pointer p_fd,
+ krb5_data *data)
+{
+ krb5_error_code ret;
+ krb5_data packet;
+ ret = krb5_mk_priv (context, ac, data, &packet, NULL);
+ if(ret)
+ return ret;
+ ret = krb5_write_message(context, p_fd, &packet);
+ krb5_data_free(&packet);
+ return ret;
+}
+
+krb5_error_code
+krb5_write_safe_message(krb5_context context,
+ krb5_auth_context ac,
+ krb5_boolean priv,
+ krb5_pointer p_fd,
+ krb5_data *data)
+{
+ krb5_error_code ret;
+ krb5_data packet;
+ ret = krb5_mk_safe (context, ac, data, &packet, NULL);
+ if(ret)
+ return ret;
+ ret = krb5_write_message(context, p_fd, &packet);
+ krb5_data_free(&packet);
+ return ret;
+}
-- 
cgit v1.1
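Review bot: `priv` in the new krb5_write_safe_message is never read; the body always calls krb5_mk_safe, so a caller passing a non-zero `priv` silently gets the integrity-only KRB-SAFE form rather than the KRB-PRIV one it asked for. Either drop the parameter or let it choose the wrapping, `ret = priv ? krb5_mk_priv (context, ac, data, &packet, NULL) : krb5_mk_safe (context, ac, data, &packet, NULL);`, in which case krb5_write_priv_message becomes a one-line wrapper around it instead of a second copy of the same body. The unused parameter is in this function's public signature, so the choice should be settled before the API ships.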