authorLuke Howard <lukeh@padl.com>2009-09-11 06:14:03 +0000
committerLuke Howard <lukeh@padl.com>2009-09-11 06:14:03 +0000
commit12ba11b327ce14c4847f1b717796f6d95078dc25 (patch)
treebaf8e731d898054f6e91d914ee00d3aa74a58a85
parentf874340cb6e4a5efba1f34f616197d9e95df8053 (diff)
merge trunk to 22719
git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/s4u@22724 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/Makefile.in6
-rw-r--r--src/clients/kinit/kinit.M10
-rw-r--r--src/clients/kpasswd/ksetpwd.c4
-rw-r--r--src/configure.in2
-rw-r--r--src/include/k5-int.h1
-rw-r--r--src/kadmin/cli/deps2
-rw-r--r--src/kadmin/server/deps10
-rwxr-xr-xsrc/kadmin/testing/scripts/env-setup.shin18
-rw-r--r--src/kadmin/testing/util/tcl_kadm5.c2
-rw-r--r--src/kdc/do_as_req.c14
-rw-r--r--src/kdc/extern.h2
-rw-r--r--src/kdc/kdc_util.c24
-rw-r--r--src/lib/crypto/Makefile.in24
-rw-r--r--src/lib/crypto/builtin/Makefile.in42
-rw-r--r--src/lib/crypto/builtin/aes/Makefile.in32
-rw-r--r--src/lib/crypto/builtin/arcfour/Makefile.in20
-rw-r--r--src/lib/crypto/builtin/des/Makefile.in86
-rw-r--r--src/lib/crypto/builtin/enc_provider/Makefile.in48
-rw-r--r--src/lib/crypto/builtin/enc_provider/aes.c415
-rw-r--r--src/lib/crypto/builtin/enc_provider/deps49
-rw-r--r--src/lib/crypto/builtin/enc_provider/des.c181
-rw-r--r--src/lib/crypto/builtin/enc_provider/des3.c221
-rw-r--r--src/lib/crypto/builtin/enc_provider/enc_provider.h36
-rw-r--r--src/lib/crypto/builtin/enc_provider/rc4.c271
-rw-r--r--src/lib/crypto/builtin/md4/Makefile.in6
-rw-r--r--src/lib/crypto/builtin/md5/Makefile.in6
-rw-r--r--src/lib/crypto/builtin/sha1/Makefile.in6
-rw-r--r--src/lib/crypto/crypto_tests/Makefile.in2
-rw-r--r--src/lib/crypto/krb/Makefile.in21
-rw-r--r--src/lib/crypto/krb/deps4
-rw-r--r--src/lib/crypto/krb/hash_provider/hash_crc32.c1
-rw-r--r--src/lib/crypto/krb/hash_provider/hash_md4.c1
-rw-r--r--src/lib/crypto/krb/hash_provider/hash_md5.c1
-rw-r--r--src/lib/crypto/krb/hash_provider/hash_sha1.c1
-rw-r--r--src/lib/crypto/krb/yarrow/Makefile.in2
-rw-r--r--src/lib/crypto/krb/yarrow/deps2
-rw-r--r--src/lib/crypto/openssl/enc_provider/deps50
-rw-r--r--src/lib/crypto/openssl/enc_provider/des.c271
-rw-r--r--src/lib/crypto/openssl/enc_provider/des3.c352
-rw-r--r--src/lib/crypto/openssl/enc_provider/enc_provider.h36
-rw-r--r--src/lib/crypto/openssl/enc_provider/rc4.c167
-rw-r--r--src/lib/crypto/openssl/hmac.c110
-rw-r--r--src/lib/crypto/openssl/md4/deps13
-rw-r--r--src/lib/crypto/openssl/md4/md4.c29
-rw-r--r--src/lib/crypto/openssl/md4/rsa-md4.h99
-rw-r--r--src/lib/crypto/openssl/md5/deps13
-rw-r--r--src/lib/crypto/openssl/md5/md5.c36
-rw-r--r--src/lib/crypto/openssl/md5/rsa-md5.h27
-rw-r--r--src/lib/crypto/openssl/pbkdf2.c53
-rw-r--r--src/lib/crypto/openssl/sha1/deps13
-rw-r--r--src/lib/crypto/openssl/sha1/shs.c34
-rw-r--r--src/lib/crypto/openssl/sha1/shs.h49
-rw-r--r--src/lib/gssapi/krb5/copy_ccache.c5
-rw-r--r--src/lib/gssapi/spnego/spnego_mech.c7
-rw-r--r--src/lib/kadm5/deps10
-rw-r--r--src/lib/kadm5/unit-test/config/unix.exp54
-rw-r--r--src/lib/kadm5/unit-test/lib/lib.t27
-rw-r--r--src/lib/krb5/ccache/cc_file.c21
-rw-r--r--src/lib/krb5/os/sendto_kdc.c8
-rw-r--r--src/plugins/kdb/db2/libdb2/Makefile.in12
-rw-r--r--src/plugins/kdb/db2/libdb2/btree/deps86
-rw-r--r--src/plugins/kdb/db2/libdb2/db/deps5
-rw-r--r--src/plugins/kdb/db2/libdb2/hash/deps48
-rw-r--r--src/plugins/kdb/db2/libdb2/include/db-config.hin (renamed from src/plugins/kdb/db2/libdb2/include/db-config.h)0
-rw-r--r--src/plugins/kdb/db2/libdb2/include/db.hin (renamed from src/plugins/kdb/db2/libdb2/include/db.h)0
-rw-r--r--src/plugins/kdb/db2/libdb2/mpool/deps6
-rw-r--r--src/plugins/kdb/db2/libdb2/recno/deps67
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c11
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c26
-rw-r--r--src/tests/mk_migr/db2_backend/README_for_mkmdb237
-rw-r--r--src/tests/mk_migr/db2_backend/input_conf/kadm5_template_db2.acl1
-rw-r--r--src/tests/mk_migr/db2_backend/input_conf/kdc_template_db2.conf14
-rw-r--r--src/tests/mk_migr/db2_backend/input_conf/krb5_template_db2.conf21
-rw-r--r--src/tests/mk_migr/db2_backend/mkmdb2.py808
-rw-r--r--src/tests/mk_migr/ldap_backend/README_for_mkmldap77
-rw-r--r--src/tests/mk_migr/ldap_backend/input_conf/debconfile9
-rw-r--r--src/tests/mk_migr/ldap_backend/input_conf/kadm5_template_ldap.acl1
-rw-r--r--src/tests/mk_migr/ldap_backend/input_conf/kdc_template_ldap.conf17
-rw-r--r--src/tests/mk_migr/ldap_backend/input_conf/krb5_template_ldap.conf33
-rw-r--r--src/tests/mk_migr/ldap_backend/mkmldap.py897
-rw-r--r--src/util/collected-client-lib/Makefile.in2
-rw-r--r--src/util/depfix.pl4
-rw-r--r--src/util/support/fake-addrinfo.c21
83 files changed, 4865 insertions, 395 deletions
diff --git a/src/Makefile.in b/src/Makefile.in
index bd67ad6..d74e9e5 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -195,7 +195,7 @@ WINMAKEFILES=Makefile \
include\Makefile \
lib\Makefile lib\crypto\Makefile \
lib\crypto\krb\crc32\Makefile lib\crypto\builtin\des\Makefile \
- lib\crypto\krb\dk\Makefile lib\crypto\krb\enc_provider\Makefile \
+ lib\crypto\krb\dk\Makefile lib\crypto\builtin\enc_provider\Makefile \
lib\crypto\krb\hash_provider\Makefile \
lib\crypto\krb\keyhash_provider\Makefile \
lib\crypto\krb\raw\Makefile lib\crypto\old\Makefile \
@@ -268,7 +268,7 @@ WINMAKEFILES=Makefile \
##DOS## $(WCONFIG) config < $@.in > $@
##DOS##lib\crypto\krb\dk\Makefile: lib\crypto\krb\dk\Makefile.in $(MKFDEP)
##DOS## $(WCONFIG) config < $@.in > $@
-##DOS##lib\crypto\krb\enc_provider\Makefile: lib\crypto\krb\enc_provider\Makefile.in $(MKFDEP)
+##DOS##lib\crypto\builtin\enc_provider\Makefile: lib\crypto\builtin\enc_provider\Makefile.in $(MKFDEP)
##DOS## $(WCONFIG) config < $@.in > $@
##DOS##lib\crypto\krb\hash_provider\Makefile: lib\crypto\krb\hash_provider\Makefile.in $(MKFDEP)
##DOS## $(WCONFIG) config < $@.in > $@
@@ -395,7 +395,7 @@ FILES= ./* \
config/* include/* include/kerberosIV/* \
include/krb5/* include/krb5/stock/* include/sys/* lib/* \
lib/crypto/* lib/crypto/krb/crc32/* lib/crypto/builtin/des/* lib/crypto/krb/dk/* \
- lib/crypto/krb/enc_provider/* lib/crypto/krb/hash_provider/* \
+ lib/crypto/builtin/enc_provider/* lib/crypto/krb/hash_provider/* \
lib/crypto/krb/keyhash_provider/* lib/crypto/krb/old/* lib/crypto/krb/raw/* \
lib/crypto/builtin/sha1/* lib/crypto/builtin/arcfour/* lib/crypto/builtin/md4/* \
lib/crypto/builtin/md5/* lib/crypto/krb/yarrow/* \
diff --git a/src/clients/kinit/kinit.M b/src/clients/kinit/kinit.M
index fb5a47a..5b85772 100644
--- a/src/clients/kinit/kinit.M
+++ b/src/clients/kinit/kinit.M
@@ -35,9 +35,11 @@ kinit \- obtain and cache Kerberos ticket-granting ticket
[\fB\-f\fP | \fB\-F\fP]
[\fB\-a\fP]
[\fB\-A\fP]
+[\fB\-C\fP]
+[\fB\-E\fP]
[\fB\-v\fP] [\fB\-R\fP]
[\fB\-k\fP [\fB\-t\fP \fIkeytab_file\fP]] [\fB\-c\fP \fIcache_name\fP]
-[\fB\-S\fP \fIservice_name\fP][\fB\-T\fP \fIarmor_ccache\fP]
+[\fB\-S\fP \fIservice_name\fP][\fB\-T\fP \fIarmor_ccache\fP]
[\fB\-X\fP \fIattribute\fP[=\fIvalue\fP]]
[\fIprincipal\fP]
.ad b
@@ -109,6 +111,12 @@ request tickets with the local address[es].
.B \-A
request address-less tickets.
.TP
+.B \-C
+requests canonicalization of the principal name.
+.TP
+.B \-E
+treats the principal name as an enterprise name.
+.TP
.B \-v
requests that the ticket granting ticket in the cache (with the
.I invalid
diff --git a/src/clients/kpasswd/ksetpwd.c b/src/clients/kpasswd/ksetpwd.c
index 896b4c2..a489f06 100644
--- a/src/clients/kpasswd/ksetpwd.c
+++ b/src/clients/kpasswd/ksetpwd.c
@@ -282,10 +282,6 @@ int main( int argc, char ** argv )
/*
** change the password -
*/
-#if 0
- fprintf( stderr, "the password is %s\n", new_password );
-#endif
-
{
int pw_result;
krb5_ccache ccache;
diff --git a/src/configure.in b/src/configure.in
index 368d179..8777e20 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -1060,7 +1060,7 @@ V5_AC_OUTPUT_MAKEFILE(.
lib lib/kdb
lib/crypto lib/crypto/krb lib/crypto/krb/crc32 lib/crypto/builtin/des
- lib/crypto/krb/dk lib/crypto/krb/enc_provider
+ lib/crypto/krb/dk lib/crypto/builtin/enc_provider
lib/crypto/krb/hash_provider lib/crypto/krb/keyhash_provider
lib/crypto/builtin lib/crypto/builtin/md4 lib/crypto/builtin/md5
lib/crypto/krb/old lib/crypto/krb/raw lib/crypto/builtin/sha1
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 60add98..dbe5223 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -675,6 +675,7 @@ struct krb5_enc_provider {
};
struct krb5_hash_provider {
+ char hash_name[8];
size_t hashsize, blocksize;
/* this takes multiple inputs to avoid lots of copying. */
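Review bot: The new `hash_name[8]` member carries no comment stating what it holds or how long it may be; with 8 bytes a NUL-terminated name is limited to 7 characters, an exactly-8-character string initializer is accepted by C with no terminator at all, and a longer one is a compile error, so the limit deserves to be written down next to the field. The neighbouring members are commented, so add one here, e.g. `char hash_name[8]; /* NUL-terminated short name of the hash, at most 7 chars */`. The hash_provider files listed in the diffstat presumably fill it in; they are not shown in this view, and the struct definition continues past the hunk.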
diff --git a/src/kadmin/cli/deps b/src/kadmin/cli/deps
index 928af0a..5c3ad65 100644
--- a/src/kadmin/cli/deps
+++ b/src/kadmin/cli/deps
@@ -20,7 +20,7 @@ $(OUTPRE)ss_wrapper.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(SS_DEPS) kadmin.h ss_wrapper.c
$(OUTPRE)getdate.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/krb5.h \
- getdate.c kadmin.h
+ getdate.c
$(OUTPRE)keytab.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
$(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
diff --git a/src/kadmin/server/deps b/src/kadmin/server/deps
index d1303b8..2bd5fb7 100644
--- a/src/kadmin/server/deps
+++ b/src/kadmin/server/deps
@@ -93,16 +93,6 @@ $(OUTPRE)misc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
$(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h misc.c misc.h
-$(OUTPRE)server_glue_v1.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h misc.h server_glue_v1.c
$(OUTPRE)ipropd_svc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \
$(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
diff --git a/src/kadmin/testing/scripts/env-setup.shin b/src/kadmin/testing/scripts/env-setup.shin
index 519b986..be07151 100755
--- a/src/kadmin/testing/scripts/env-setup.shin
+++ b/src/kadmin/testing/scripts/env-setup.shin
@@ -90,21 +90,15 @@ if [ "$TEST_PATH" != "" ]; then
fi
if [ "x$PS_ALL" = "x" ]; then
- ps -axwwu >/dev/null 2>&1
- ps_bsd=$?
-
- ps -ef >/dev/null 2>&1
- ps_sysv=$?
-
- if [ $ps_bsd = 0 -a $ps_sysv = 1 ]; then
- PS_ALL="ps -auxww"
- PS_PID="ps -auxww"
- elif [ $ps_bsd = 1 -a $ps_sysv = 0 ]; then
+ if ps auxww >/dev/null 2>&1; then
+ PS_ALL="ps auxww"
+ PS_PID="ps auxww"
+ elif ps -ef >/dev/null 2>&1; then
PS_ALL="ps -ef"
PS_PID="ps -fp"
else
- PS_ALL="ps -auxww"
- PS_PID="ps -auxww"
+ PS_ALL="ps auxww"
+ PS_PID="ps auxww"
echo "WARNING! Cannot auto-detect ps type, assuming BSD."
fi
diff --git a/src/kadmin/testing/util/tcl_kadm5.c b/src/kadmin/testing/util/tcl_kadm5.c
index 15ae99f..6679ce0 100644
--- a/src/kadmin/testing/util/tcl_kadm5.c
+++ b/src/kadmin/testing/util/tcl_kadm5.c
@@ -2033,7 +2033,7 @@ static int tcl_kadm5_randkey_principal(ClientData clientData,
ret = kadm5_randkey_principal(server_handle,
princ, keyblock_var ? &keyblocks : 0,
- num_var ? &num_keys : 0);
+ &num_keys);
if (ret == KADM5_OK) {
if (keyblock_var) {
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 52fbda5..304b76b 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -208,11 +208,10 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
goto errout;
} else if (c_nprincs != 1) {
status = "CLIENT_NOT_FOUND";
-#ifdef KRBCONF_VAGUE_ERRORS
- errcode = KRB5KRB_ERR_GENERIC;
-#else
- errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
-#endif
+ if (vague_errors)
+ errcode = KRB5KRB_ERR_GENERIC;
+ else
+ errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto errout;
}
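Review bot: Style: the if/else that replaces the `#ifdef` assigns the same variable in both branches and could be one conditional expression, `errcode = vague_errors ? KRB5KRB_ERR_GENERIC : KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;`, which keeps the assignment on a single line; the two return sites in validate_as_request in kdc_util.c fit the same form. In the second hunk of this file (PREAUTH_FAILED) there is no else branch, so when `vague_errors` is 0 `errcode` keeps whatever value was assigned earlier in process_as_req, outside this view — that matches the old `#ifdef`, but a one-line comment such as `/* otherwise keep the specific preauth error code */` would make the asymmetry look deliberate. process_as_req begins and ends outside the hunk.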
@@ -409,9 +408,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
}
update_client = 1;
status = "PREAUTH_FAILED";
-#ifdef KRBCONF_VAGUE_ERRORS
- errcode = KRB5KRB_ERR_GENERIC;
-#endif
+ if (vague_errors)
+ errcode = KRB5KRB_ERR_GENERIC;
goto errout;
}
}
diff --git a/src/kdc/extern.h b/src/kdc/extern.h
index 87cc1bf..079f0e4 100644
--- a/src/kdc/extern.h
+++ b/src/kdc/extern.h
@@ -105,6 +105,8 @@ extern const int kdc_modifies_kdb;
extern char **db_args;
extern krb5_int32 max_dgram_reply_size; /* maximum datagram size */
+extern const int vague_errors;
+
extern volatile int signal_requests_exit;
extern volatile int signal_requests_hup;
#endif /* __KRB5_KDC_EXTERN__ */
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index b667c13..58e0e68 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -69,6 +69,12 @@ static char *kdc_current_rcname = (char *) NULL;
krb5_deltat rc_lifetime; /* See kdc_initialize_rcache() */
#endif
+#ifdef KRBCONF_VAGUE_ERRORS
+const int vague_errors = 1;
+#else
+const int vague_errors = 0;
+#endif
+
#ifdef USE_RCACHE
/*
* initialize the replay cache.
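Review bot: The new `vague_errors` definition has no comment saying what it controls; the sites that consult it (do_as_req.c and validate_as_request later in this file) replace a specific KDC error code — principal unknown, client expired, key expired, preauth failed — with KRB_ERR_GENERIC, which is a deliberate information-hiding choice rather than a cosmetic one, and that rationale belongs at the definition. Suggest above the `#ifdef`: `/* When nonzero, AS-REQ failures that would reveal whether a client principal exists or is expired are reported to the client as KRB_ERR_GENERIC instead. */`. Since the value is a `const int` defined here and only declared `extern` in extern.h, the tests in other translation units are real runtime branches unless the build uses link-time optimization — acceptable, just not free the way the preprocessor guard was.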
@@ -941,11 +947,10 @@ validate_as_request(register krb5_kdc_req *request, krb5_db_entry client,
/* The client must not be expired */
if (client.expiration && client.expiration < kdc_time) {
*status = "CLIENT EXPIRED";
-#ifdef KRBCONF_VAGUE_ERRORS
- return(KRB_ERR_GENERIC);
-#else
- return(KDC_ERR_NAME_EXP);
-#endif
+ if (vague_errors)
+ return(KRB_ERR_GENERIC);
+ else
+ return(KDC_ERR_NAME_EXP);
}
/* The client's password must not be expired, unless the server is
@@ -953,11 +958,10 @@ validate_as_request(register krb5_kdc_req *request, krb5_db_entry client,
if (client.pw_expiration && client.pw_expiration < kdc_time &&
!isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
*status = "CLIENT KEY EXPIRED";
-#ifdef KRBCONF_VAGUE_ERRORS
- return(KRB_ERR_GENERIC);
-#else
- return(KDC_ERR_KEY_EXP);
-#endif
+ if (vague_errors)
+ return(KRB_ERR_GENERIC);
+ else
+ return(KDC_ERR_KEY_EXP);
}
/* The server must not be expired */
diff --git a/src/lib/crypto/Makefile.in b/src/lib/crypto/Makefile.in
index b68ef55..a6203b2 100644
--- a/src/lib/crypto/Makefile.in
+++ b/src/lib/crypto/Makefile.in
@@ -2,7 +2,7 @@ thisconfigdir=../..
myfulldir=lib/crypto
mydir=lib/crypto
BUILDTOP=$(REL)..$(S)..
-SUBDIRS=krb builtin crypto_tests
+SUBDIRS= builtin krb crypto_tests
RUN_SETUP = @KRB5_RUN_ENV@
PROG_LIBPATH=-L$(TOPLIBD)
@@ -20,19 +20,19 @@ LIBINITFUNC=cryptoint_initialize_library
LIBFINIFUNC=cryptoint_cleanup_library
RELDIR=crypto
-STOBJLISTS=krb/crc32/OBJS.ST krb/dk/OBJS.ST krb/enc_provider/OBJS.ST \
- krb/hash_provider/OBJS.ST krb/keyhash_provider/OBJS.ST \
- krb/old/OBJS.ST krb/raw/OBJS.ST krb/yarrow/OBJS.ST \
- @CRYPTO_IMPL@/md4/OBJS.ST @CRYPTO_IMPL@/md5/OBJS.ST @CRYPTO_IMPL@/sha1/OBJS.ST \
- @CRYPTO_IMPL@/arcfour/OBJS.ST @CRYPTO_IMPL@/aes/OBJS.ST @CRYPTO_IMPL@/des/OBJS.ST \
- krb/OBJS.ST @CRYPTO_IMPL@/OBJS.ST
+STOBJLISTS=krb/crc32/OBJS.ST krb/dk/OBJS.ST builtin/enc_provider/OBJS.ST \
+ krb/hash_provider/OBJS.ST krb/keyhash_provider/OBJS.ST \
+ krb/old/OBJS.ST krb/raw/OBJS.ST krb/yarrow/OBJS.ST \
+ builtin/md4/OBJS.ST builtin/md5/OBJS.ST builtin/sha1/OBJS.ST \
+ builtin/arcfour/OBJS.ST builtin/aes/OBJS.ST builtin/des/OBJS.ST \
+ krb/OBJS.ST builtin/OBJS.ST
-SUBDIROBJLISTS=krb/crc32/OBJS.ST krb/dk/OBJS.ST krb/enc_provider/OBJS.ST \
- krb/hash_provider/OBJS.ST krb/keyhash_provider/OBJS.ST \
+SUBDIROBJLISTS=krb/crc32/OBJS.ST krb/dk/OBJS.ST builtin/enc_provider/OBJS.ST \
+ krb/hash_provider/OBJS.ST krb/keyhash_provider/OBJS.ST \
krb/old/OBJS.ST krb/raw/OBJS.ST krb/yarrow/OBJS.ST \
- @CRYPTO_IMPL@/md4/OBJS.ST @CRYPTO_IMPL@/md5/OBJS.ST @CRYPTO_IMPL@/sha1/OBJS.ST \
- @CRYPTO_IMPL@/arcfour/OBJS.ST @CRYPTO_IMPL@/aes/OBJS.ST @CRYPTO_IMPL@/des/OBJS.ST \
- krb/OBJS.ST @CRYPTO_IMPL@/OBJS.ST
+ builtin/md4/OBJS.ST builtin/md5/OBJS.ST builtin/sha1/OBJS.ST \
+ builtin/arcfour/OBJS.ST builtin/aes/OBJS.ST builtin/des/OBJS.ST \
+ krb/OBJS.ST builtin/OBJS.ST
# No dependencies. Record places to find this shared object if the target
# link editor and loader support it.
diff --git a/src/lib/crypto/builtin/Makefile.in b/src/lib/crypto/builtin/Makefile.in
index 03ca5e9..c1d8a55 100644
--- a/src/lib/crypto/builtin/Makefile.in
+++ b/src/lib/crypto/builtin/Makefile.in
@@ -2,15 +2,16 @@ thisconfigdir=../../..
myfulldir=lib/crypto/builtin
mydir=lib/crypto/builtin
BUILDTOP=$(REL)..$(S)..$(S)..
-SUBDIRS=../@CRYPTO_IMPL@/des ../@CRYPTO_IMPL@/arcfour ../@CRYPTO_IMPL@/aes \
- ../@CRYPTO_IMPL@/md4 ../@CRYPTO_IMPL@/md5 ../@CRYPTO_IMPL@/sha1
-LOCALINCLUDES = -I$(srcdir)/../krb -I$(srcdir)/../krb/hash_provider \
+SUBDIRS=des arcfour aes md4 md5 sha1 enc_provider
+LOCALINCLUDES = -I$(srcdir)/../krb \
+ -I$(srcdir)/../krb/hash_provider \
-I$(srcdir)/../@CRYPTO_IMPL@/des \
-I$(srcdir)/../@CRYPTO_IMPL@/aes \
-I$(srcdir)/../@CRYPTO_IMPL@/arcfour \
-I$(srcdir)/../@CRYPTO_IMPL@/sha1 \
-I$(srcdir)/../@CRYPTO_IMPL@/md4 \
- -I$(srcdir)/../@CRYPTO_IMPL@/md5
+ -I$(srcdir)/../@CRYPTO_IMPL@/md5 \
+ -I$(srcdir)/../@CRYPTO_IMPL@/enc_provider
PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
DEFS=
@@ -23,8 +24,8 @@ DEFS=
##DOSOBJFILEDEP =$(OUTPRE)crypto.lst $(OUTPRE)des.lst $(OUTPRE)md4.lst $(OUTPRE)md5.lst $(OUTPRE)sha1.lst $(OUTPRE)arcfour.lst $(OUTPRE)crc32.lst $(OUTPRE)dk.lst $(OUTPRE)old.lst $(OUTPRE)raw.lst $(OUTPRE)enc_prov.lst $(OUTPRE)hash_pro.lst $(OUTPRE)kh_pro.lst $(OUTPRE)aes.lst
STLIBOBJS=\
- hmac.o \
- pbkdf2.o
+ ../@CRYPTO_IMPL@/hmac.o \
+ ../@CRYPTO_IMPL@/pbkdf2.o
OBJS=\
$(OUTPRE)../@CRYPTO_IMPL@/hmac.$(OBJEXT) \
@@ -34,16 +35,18 @@ SRCS=\
$(srcdir)/../@CRYPTO_IMPL@/hmac.c \
$(srcdir)/../@CRYPTO_IMPL@/pbkdf2.c
-STOBJLISTS= ../@CRYPTO_IMPL@/des/OBJS.ST ../@CRYPTO_IMPL@/md4/OBJS.ST \
- ../@CRYPTO_IMPL@/md5/OBJS.ST ../@CRYPTO_IMPL@/sha1/OBJS.ST \
- ../@CRYPTO_IMPL@/arcfour/OBJS.ST \
- ../@CRYPTO_IMPL@/aes/OBJS.ST \
- ../@CRYPTO_IMPL@/OBJS.ST
+STOBJLISTS= des/OBJS.ST md4/OBJS.ST \
+ md5/OBJS.ST sha1/OBJS.ST \
+ enc_provider/OBJS.ST \
+ arcfour/OBJS.ST \
+ aes/OBJS.ST \
+ OBJS.ST
-SUBDIROBJLISTS= ../@CRYPTO_IMPL@/des/OBJS.ST ../@CRYPTO_IMPL@/md4/OBJS.ST \
- ../@CRYPTO_IMPL@/md5/OBJS.ST ../@CRYPTO_IMPL@/sha1/OBJS.ST \
- ../@CRYPTO_IMPL@/arcfour/OBJS.ST \
- ../@CRYPTO_IMPL@/aes/OBJS.ST ../@CRYPTO_IMPL@/OBJS.ST
+SUBDIROBJLISTS= des/OBJS.ST md4/OBJS.ST \
+ md5/OBJS.ST sha1/OBJS.ST \
+ enc_provider/OBJS.ST \
+ arcfour/OBJS.ST \
+ aes/OBJS.ST OBJS.ST
##DOS##LIBOBJS = $(OBJS)
@@ -67,6 +70,9 @@ all-windows::
cd ..\sha1
@echo Making in crypto\sha1
$(MAKE) -$(MFLAGS)
+ cd ..\enc_provider
+ @echo Making in crypto\enc_provider
+ $(MAKE) -$(MFLAGS)
cd ..\arcfour
@echo Making in crypto\arcfour
$(MAKE) -$(MFLAGS)
@@ -88,6 +94,9 @@ clean-windows::
cd ..\sha1
@echo Making clean in crypto\sha1
$(MAKE) -$(MFLAGS) clean
+ cd ..\enc_provider
+ @echo Making clean in crypto\enc_provider
+ $(MAKE) -$(MFLAGS) clean
cd ..\arcfour
@echo Making clean in crypto\arcfour
$(MAKE) -$(MFLAGS) clean
@@ -109,6 +118,9 @@ check-windows::
cd ..\sha1
@echo Making check in crypto\sha1
$(MAKE) -$(MFLAGS) check
+ cd ..\enc_provider
+ @echo Making check in crypto\enc_provider
+ $(MAKE) -$(MFLAGS) check
cd ..\arcfour
@echo Making check in crypto\arcfour
$(MAKE) -$(MFLAGS) check
diff --git a/src/lib/crypto/builtin/aes/Makefile.in b/src/lib/crypto/builtin/aes/Makefile.in
index ed36f7e..49bc6a9 100644
--- a/src/lib/crypto/builtin/aes/Makefile.in
+++ b/src/lib/crypto/builtin/aes/Makefile.in
@@ -12,28 +12,30 @@ DEFS=
PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
+CIMPL = @CRYPTO_IMPL@/aes
+
STLIBOBJS=\
- aescrypt.o \
- aestab.o \
- aeskey.o \
- aes_s2k.o
+ ../../$(CIMPL)/aescrypt.o \
+ ../../$(CIMPL)/aestab.o \
+ ../../$(CIMPL)/aeskey.o \
+ ../../$(CIMPL)/aes_s2k.o
OBJS=\
- $(OUTPRE)aescrypt.$(OBJEXT) \
- $(OUTPRE)aestab.$(OBJEXT) \
- $(OUTPRE)aeskey.$(OBJEXT) \
- $(OUTPRE)aes_s2k.$(OBJEXT)
+ $(OUTPRE)../../$(CIMPL)/aescrypt.$(OBJEXT) \
+ $(OUTPRE)../../$(CIMPL)/aestab.$(OBJEXT) \
+ $(OUTPRE)../../$(CIMPL)/aeskey.$(OBJEXT) \
+ $(OUTPRE)../../$(CIMPL)/aes_s2k.$(OBJEXT)
SRCS=\
- $(srcdir)/aescrypt.c \
- $(srcdir)/aestab.c \
- $(srcdir)/aeskey.c \
- $(srcdir)/aes_s2k.c
+ $(srcdir)..//../$(CIMPL)/aescrypt.c \
+ $(srcdir)..//../$(CIMPL)/aestab.c \
+ $(srcdir)/../../$(CIMPL)/aeskey.c \
+ $(srcdir)/../../$(CIMPL)/aes_s2k.c
GEN_OBJS=\
- $(OUTPRE)aescrypt.$(OBJEXT) \
- $(OUTPRE)aestab.$(OBJEXT) \
- $(OUTPRE)aeskey.$(OBJEXT)
+ $(OUTPRE)../../$(CIMPL)/aescrypt.$(OBJEXT) \
+ $(OUTPRE)../../$(CIMPL)/aestab.$(OBJEXT) \
+ $(OUTPRE)../../$(CIMPL)/aeskey.$(OBJEXT)
##DOS##LIBOBJS = $(OBJS)
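Review bot: The first two SRCS entries are malformed: `$(srcdir)..//../$(CIMPL)/aescrypt.c` and `$(srcdir)..//../$(CIMPL)/aestab.c` are missing the separator after `$(srcdir)` and double the next slash, so they expand to `<srcdir>..//../<impl>/aescrypt.c` rather than `<srcdir>/../../<impl>/aescrypt.c` as the aeskey.c and aes_s2k.c entries directly below do. SRCS presumably feeds the `depend` target as it does in the new enc_provider/Makefile.in, so dependency generation would look for files that do not exist. Change them to `$(srcdir)/../../$(CIMPL)/aescrypt.c \` and `$(srcdir)/../../$(CIMPL)/aestab.c \`.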
diff --git a/src/lib/crypto/builtin/arcfour/Makefile.in b/src/lib/crypto/builtin/arcfour/Makefile.in
index cf6c511..499c0a0 100644
--- a/src/lib/crypto/builtin/arcfour/Makefile.in
+++ b/src/lib/crypto/builtin/arcfour/Makefile.in
@@ -12,20 +12,22 @@ DEFS=
PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
+CIMPL = @CRYPTO_IMPL@/arcfour
+
STLIBOBJS=\
- arcfour.o \
- arcfour_aead.o \
- arcfour_s2k.o
+ ../../$(CIMPL)/arcfour.o \
+ ../../$(CIMPL)/arcfour_aead.o \
+ ../../$(CIMPL)/arcfour_s2k.o
OBJS=\
- $(OUTPRE)arcfour.$(OBJEXT) \
- $(OUTPRE)arcfour_aead.$(OBJEXT) \
- $(OUTPRE)arcfour_s2k.$(OBJEXT)
+ $(OUTPRE)../../$(CIMPL)/arcfour.$(OBJEXT) \
+ $(OUTPRE)../../$(CIMPL)/arcfour_aead.$(OBJEXT) \
+ $(OUTPRE)../../$(CIMPL)/arcfour_s2k.$(OBJEXT)
SRCS=\
- $(srcdir)/arcfour.c \
- $(srcdir)/arcfour_aead.c\
- $(srcdir)/arcfour_s2k.c
+ $(srcdir)/../../$(CIMPL)/arcfour.c \
+ $(srcdir)/../../$(CIMPL)/arcfour_aead.c\
+ $(srcdir)/../../$(CIMPL)/arcfour_s2k.c
##DOS##LIBOBJS = $(OBJS)
diff --git a/src/lib/crypto/builtin/des/Makefile.in b/src/lib/crypto/builtin/des/Makefile.in
index a609c42..47e9b1a 100644
--- a/src/lib/crypto/builtin/des/Makefile.in
+++ b/src/lib/crypto/builtin/des/Makefile.in
@@ -12,51 +12,53 @@ DEFS=
PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
+CIMPL = @CRYPTO_IMPL@/des
+
STLIBOBJS=\
- afsstring2key.o \
- d3_cbc.o \
- d3_aead.o \
- d3_kysched.o \
- des_prf.o \
- f_aead.o \
- f_cbc.o \
- f_cksum.o \
- f_parity.o \
- f_sched.o \
- f_tables.o \
- key_sched.o \
- string2key.o \
- weak_key.o
+ ../../$(CIMPL)/afsstring2key.o \
+ ../../$(CIMPL)/d3_cbc.o \
+ ../../$(CIMPL)/d3_aead.o \
+ ../../$(CIMPL)/d3_kysched.o \
+ ../../$(CIMPL)/des_prf.o \
+ ../../$(CIMPL)/f_aead.o \
+ ../../$(CIMPL)/f_cbc.o \
+ ../../$(CIMPL)/f_cksum.o \
+ ../../$(CIMPL)/f_parity.o \
+ ../../$(CIMPL)/f_sched.o \
+ ../../$(CIMPL)/f_tables.o \
+ ../../$(CIMPL)/key_sched.o \
+ ../../$(CIMPL)/string2key.o \
+ ../../$(CIMPL)/weak_key.o
-OBJS= $(OUTPRE)afsstring2key.$(OBJEXT) \
- $(OUTPRE)d3_cbc.$(OBJEXT) \
- $(OUTPRE)d3_aead.$(OBJEXT) \
- $(OUTPRE)d3_kysched.$(OBJEXT) \
- $(OUTPRE)des_prf.$(OBJEXT) \
- $(OUTPRE)f_aead.$(OBJEXT) \
- $(OUTPRE)f_cbc.$(OBJEXT) \
- $(OUTPRE)f_cksum.$(OBJEXT) \
- $(OUTPRE)f_parity.$(OBJEXT) \
- $(OUTPRE)f_sched.$(OBJEXT) \
- $(OUTPRE)f_tables.$(OBJEXT) \
- $(OUTPRE)key_sched.$(OBJEXT) \
- $(OUTPRE)string2key.$(OBJEXT) \
- $(OUTPRE)weak_key.$(OBJEXT)
+OBJS= $(OUTPRE)../../$(CIMPL)/afsstring2key.$(OBJEXT) \
+ $(OUTPRE)../../$(CIMPL)/d3_cbc.$(OBJEXT) \
+ $(OUTPRE)../../$(CIMPL)/d3_aead.$(OBJEXT) \
+ $(OUTPRE)../../$(CIMPL)/d3_kysched.$(OBJEXT) \
+ $(OUTPRE)../../$(CIMPL)/des_prf.$(OBJEXT) \
+ $(OUTPRE)../../$(CIMPL)/f_aead.$(OBJEXT) \
+ $(OUTPRE)../../$(CIMPL)/f_cbc.$(OBJEXT) \
+ $(OUTPRE)../../$(CIMPL)/f_cksum.$(OBJEXT) \
+ $(OUTPRE)../../$(CIMPL)/f_parity.$(OBJEXT) \
+ $(OUTPRE)../../$(CIMPL)/f_sched.$(OBJEXT) \
+ $(OUTPRE)../../$(CIMPL)/f_tables.$(OBJEXT) \
+ $(OUTPRE)../../$(CIMPL)/key_sched.$(OBJEXT) \
+ $(OUTPRE)../../$(CIMPL)/string2key.$(OBJEXT) \
+ $(OUTPRE)../../$(CIMPL)/weak_key.$(OBJEXT)
-SRCS= $(srcdir)/afsstring2key.c \
- $(srcdir)/d3_cbc.c \
- $(srcdir)/d3_aead.c \
- $(srcdir)/d3_kysched.c \
- $(srcdir)/des_prf.c \
- $(srcdir)/f_aead.c \
- $(srcdir)/f_cbc.c \
- $(srcdir)/f_cksum.c \
- $(srcdir)/f_parity.c \
- $(srcdir)/f_sched.c \
- $(srcdir)/f_tables.c \
- $(srcdir)/key_sched.c \
- $(srcdir)/weak_key.c \
- $(srcdir)/string2key.c
+SRCS= $(srcdir)/../../$(CIMPL)/afsstring2key.c \
+ $(srcdir)/../../$(CIMPL)/d3_cbc.c \
+ $(srcdir)/../../$(CIMPL)/d3_aead.c \
+ $(srcdir)/../../$(CIMPL)/d3_kysched.c \
+ $(srcdir)/../../$(CIMPL)/des_prf.c \
+ $(srcdir)/../../$(CIMPL)/f_aead.c \
+ $(srcdir)/../../$(CIMPL)/f_cbc.c \
+ $(srcdir)/../../$(CIMPL)/f_cksum.c \
+ $(srcdir)/../../$(CIMPL)/f_parity.c \
+ $(srcdir)/../../$(CIMPL)/f_sched.c \
+ $(srcdir)/../../$(CIMPL)/f_tables.c \
+ $(srcdir)/../../$(CIMPL)/key_sched.c \
+ $(srcdir)/../../$(CIMPL)/weak_key.c \
+ $(srcdir)/../../$(CIMPL)/string2key.c
##DOS##LIBOBJS = $(OBJS)
diff --git a/src/lib/crypto/builtin/enc_provider/Makefile.in b/src/lib/crypto/builtin/enc_provider/Makefile.in
new file mode 100644
index 0000000..1895b51
--- /dev/null
+++ b/src/lib/crypto/builtin/enc_provider/Makefile.in
@@ -0,0 +1,48 @@
+thisconfigdir=../../../..
+myfulldir=lib/crypto/builtin/enc_provider
+mydir=lib/crypto/builtin/enc_provider
+BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
+LOCALINCLUDES = -I$(srcdir)/../../@CRYPTO_IMPL@/des \
+ -I$(srcdir)/../../@CRYPTO_IMPL@/arcfour \
+ -I$(srcdir)/../../@CRYPTO_IMPL@/aes \
+ -I$(srcdir)/../../krb \
+ -I$(srcdir)/.. -I$(srcdir)/../../@CRYPTO_IMPL@
+DEFS=
+
+##DOS##BUILDTOP = ..\..\..\..
+##DOS##PREFIXDIR=enc_provider
+##DOS##OBJFILE=..\$(OUTPRE)enc_prov.lst
+
+PROG_LIBPATH=-L$(TOPLIBD)
+PROG_RPATH=$(KRB5_LIBDIR)
+
+STLIBOBJS= \
+ ../../@CRYPTO_IMPL@/enc_provider/des.o \
+ ../../@CRYPTO_IMPL@/enc_provider/des3.o \
+ ../../@CRYPTO_IMPL@/enc_provider/rc4.o \
+ ../../@CRYPTO_IMPL@/enc_provider/aes.o
+
+OBJS= \
+ $(OUTPRE)../../@CRYPTO_IMPL@/enc_provider/des.$(OBJEXT) \
+ $(OUTPRE)../../@CRYPTO_IMPL@/enc_provider/des3.$(OBJEXT) \
+ $(OUTPRE)../../@CRYPTO_IMPL@/enc_provider/aes.$(OBJEXT) \
+ $(OUTPRE)../../@CRYPTO_IMPL@/enc_provider/rc4.$(OBJEXT)
+
+SRCS= \
+ $(srcdir)/../../@CRYPTO_IMPL@/enc_provider/des.c \
+ $(srcdir)/../../@CRYPTO_IMPL@/enc_provider/des3.c \
+ $(srcdir)/../../@CRYPTO_IMPL@/enc_provider/aes.c \
+ $(srcdir)/../../@CRYPTO_IMPL@/enc_provider/rc4.c
+
+##DOS##LIBOBJS = $(OBJS)
+
+all-unix:: all-libobjs
+
+includes:: depend
+
+depend:: $(SRCS)
+
+clean-unix:: clean-libobjs
+
+@libobj_frag@
+
diff --git a/src/lib/crypto/builtin/enc_provider/aes.c b/src/lib/crypto/builtin/enc_provider/aes.c
new file mode 100644
index 0000000..88f2d9e
--- /dev/null
+++ b/src/lib/crypto/builtin/enc_provider/aes.c
@@ -0,0 +1,415 @@
+/*
+ * lib/crypto/enc_provider/aes.c
+ *
+ * Copyright (C) 2003, 2007, 2008 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include "k5-int.h"
+#include "enc_provider.h"
+#include "aes.h"
+#include <aead.h>
+
+#if 0
+aes_rval aes_blk_len(unsigned int blen, aes_ctx cx[1]);
+aes_rval aes_enc_key(const unsigned char in_key[], unsigned int klen, aes_ctx cx[1]);
+aes_rval aes_enc_blk(const unsigned char in_blk[], unsigned char out_blk[], const aes_ctx cx[1]);
+aes_rval aes_dec_key(const unsigned char in_key[], unsigned int klen, aes_ctx cx[1]);
+aes_rval aes_dec_blk(const unsigned char in_blk[], unsigned char out_blk[], const aes_ctx cx[1]);
+#endif
+
+#define CHECK_SIZES 0
+
+#if 0
+static void printd (const char *descr, krb5_data *d) {
+ int i, j;
+ const int r = 16;
+
+ printf("%s:", descr);
+
+ for (i = 0; i < d->length; i += r) {
+ printf("\n %04x: ", i);
+ for (j = i; j < i + r && j < d->length; j++)
+ printf(" %02x", 0xff & d->data[j]);
+#ifdef SHOW_TEXT
+ for (; j < i + r; j++)
+ printf(" ");
+ printf(" ");
+ for (j = i; j < i + r && j < d->length; j++) {
+ int c = 0xff & d->data[j];
+ printf("%c", isprint(c) ? c : '.');
+ }
+#endif
+ }
+ printf("\n");
+}
+#endif
+
+static inline void enc(char *out, const char *in, aes_ctx *ctx)
+{
+ if (aes_enc_blk((const unsigned char *)in, (unsigned char *)out, ctx)
+ != aes_good)
+ abort();
+}
+static inline void dec(char *out, const char *in, aes_ctx *ctx)
+{
+ if (aes_dec_blk((const unsigned char *)in, (unsigned char *)out, ctx)
+ != aes_good)
+ abort();
+}
+
+static void xorblock(char *out, const char *in)
+{
+ int z;
+ for (z = 0; z < BLOCK_SIZE; z++)
+ out[z] ^= in[z];
+}
+
+krb5_error_code
+krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_data *input, krb5_data *output)
+{
+ aes_ctx ctx;
+ char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE];
+ int nblocks = 0, blockno;
+
+/* CHECK_SIZES; */
+
+ if (aes_enc_key(key->contents, key->length, &ctx) != aes_good)
+ abort();
+
+ if (ivec)
+ memcpy(tmp, ivec->data, BLOCK_SIZE);
+ else
+ memset(tmp, 0, BLOCK_SIZE);
+
+ nblocks = (input->length + BLOCK_SIZE - 1) / BLOCK_SIZE;
+
+ if (nblocks == 1) {
+ /* XXX Used for DK function. */
+ enc(output->data, input->data, &ctx);
+ } else {
+ unsigned int nleft;
+
+ for (blockno = 0; blockno < nblocks - 2; blockno++) {
+ xorblock(tmp, input->data + blockno * BLOCK_SIZE);
+ enc(tmp2, tmp, &ctx);
+ memcpy(output->data + blockno * BLOCK_SIZE, tmp2, BLOCK_SIZE);
+
+ /* Set up for next block. */
+ memcpy(tmp, tmp2, BLOCK_SIZE);
+ }
+ /* Do final CTS step for last two blocks (the second of which
+ may or may not be incomplete). */
+ xorblock(tmp, input->data + (nblocks - 2) * BLOCK_SIZE);
+ enc(tmp2, tmp, &ctx);
+ nleft = input->length - (nblocks - 1) * BLOCK_SIZE;
+ memcpy(output->data + (nblocks - 1) * BLOCK_SIZE, tmp2, nleft);
+ memcpy(tmp, tmp2, BLOCK_SIZE);
+
+ memset(tmp3, 0, sizeof(tmp3));
+ memcpy(tmp3, input->data + (nblocks - 1) * BLOCK_SIZE, nleft);
+ xorblock(tmp, tmp3);
+ enc(tmp2, tmp, &ctx);
+ memcpy(output->data + (nblocks - 2) * BLOCK_SIZE, tmp2, BLOCK_SIZE);
+ if (ivec)
+ memcpy(ivec->data, tmp2, BLOCK_SIZE);
+ }
+
+ return 0;
+}
+
+krb5_error_code
+krb5int_aes_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_data *input, krb5_data *output)
+{
+ aes_ctx ctx;
+ char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE];
+ int nblocks = 0, blockno;
+
+ CHECK_SIZES;
+
+ if (aes_dec_key(key->contents, key->length, &ctx) != aes_good)
+ abort();
+
+ if (ivec)
+ memcpy(tmp, ivec->data, BLOCK_SIZE);
+ else
+ memset(tmp, 0, BLOCK_SIZE);
+
+ nblocks = (input->length + BLOCK_SIZE - 1) / BLOCK_SIZE;
+
+ if (nblocks == 1) {
+ if (input->length < BLOCK_SIZE)
+ abort();
+ dec(output->data, input->data, &ctx);
+ } else {
+
+ for (blockno = 0; blockno < nblocks - 2; blockno++) {
+ dec(tmp2, input->data + blockno * BLOCK_SIZE, &ctx);
+ xorblock(tmp2, tmp);
+ memcpy(output->data + blockno * BLOCK_SIZE, tmp2, BLOCK_SIZE);
+ memcpy(tmp, input->data + blockno * BLOCK_SIZE, BLOCK_SIZE);
+ }
+ /* Do last two blocks, the second of which (next-to-last block
+ of plaintext) may be incomplete. */
+ dec(tmp2, input->data + (nblocks - 2) * BLOCK_SIZE, &ctx);
+ /* Set tmp3 to last ciphertext block, padded. */
+ memset(tmp3, 0, sizeof(tmp3));
+ memcpy(tmp3, input->data + (nblocks - 1) * BLOCK_SIZE,
+ input->length - (nblocks - 1) * BLOCK_SIZE);
+ /* Set tmp2 to last (possibly partial) plaintext block, and
+ save it. */
+ xorblock(tmp2, tmp3);
+ memcpy(output->data + (nblocks - 1) * BLOCK_SIZE, tmp2,
+ input->length - (nblocks - 1) * BLOCK_SIZE);
+ /* Maybe keep the trailing part, and copy in the last
+ ciphertext block. */
+ memcpy(tmp2, tmp3, input->length - (nblocks - 1) * BLOCK_SIZE);
+ /* Decrypt, to get next to last plaintext block xor previous
+ ciphertext. */
+ dec(tmp3, tmp2, &ctx);
+ xorblock(tmp3, tmp);
+ memcpy(output->data + (nblocks - 2) * BLOCK_SIZE, tmp3, BLOCK_SIZE);
+ if (ivec)
+ memcpy(ivec->data, input->data + (nblocks - 2) * BLOCK_SIZE,
+ BLOCK_SIZE);
+ }
+
+ return 0;
+}
+
+static krb5_error_code
+krb5int_aes_encrypt_iov(const krb5_keyblock *key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ aes_ctx ctx;
+ char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE];
+ int nblocks = 0, blockno;
+ size_t input_length, i;
+
+ if (aes_enc_key(key->contents, key->length, &ctx) != aes_good)
+ abort();
+
+ if (ivec != NULL)
+ memcpy(tmp, ivec->data, BLOCK_SIZE);
+ else
+ memset(tmp, 0, BLOCK_SIZE);
+
+ for (i = 0, input_length = 0; i < num_data; i++) {
+ krb5_crypto_iov *iov = &data[i];
+
+ if (ENCRYPT_IOV(iov))
+ input_length += iov->data.length;
+ }
+
+ nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
+
+ assert(nblocks > 1);
+
+ {
+ char blockN2[BLOCK_SIZE]; /* second last */
+ char blockN1[BLOCK_SIZE]; /* last block */
+ struct iov_block_state input_pos, output_pos;
+
+ IOV_BLOCK_STATE_INIT(&input_pos);
+ IOV_BLOCK_STATE_INIT(&output_pos);
+
+ for (blockno = 0; blockno < nblocks - 2; blockno++) {
+ char blockN[BLOCK_SIZE];
+
+ krb5int_c_iov_get_block((unsigned char *)blockN, BLOCK_SIZE, data, num_data, &input_pos);
+ xorblock(tmp, blockN);
+ enc(tmp2, tmp, &ctx);
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2, BLOCK_SIZE, &output_pos);
+
+ /* Set up for next block. */
+ memcpy(tmp, tmp2, BLOCK_SIZE);
+ }
+
+ /* Do final CTS step for last two blocks (the second of which
+ may or may not be incomplete). */
+
+ /* First, get the last two blocks */
+ memset(blockN1, 0, sizeof(blockN1)); /* pad last block with zeros */
+ krb5int_c_iov_get_block((unsigned char *)blockN2, BLOCK_SIZE, data, num_data, &input_pos);
+ krb5int_c_iov_get_block((unsigned char *)blockN1, BLOCK_SIZE, data, num_data, &input_pos);
+
+ /* Encrypt second last block */
+ xorblock(tmp, blockN2);
+ enc(tmp2, tmp, &ctx);
+ memcpy(blockN2, tmp2, BLOCK_SIZE); /* blockN2 now contains first block */
+ memcpy(tmp, tmp2, BLOCK_SIZE);
+
+ /* Encrypt last block */
+ xorblock(tmp, blockN1);
+ enc(tmp2, tmp, &ctx);
+ memcpy(blockN1, tmp2, BLOCK_SIZE);
+
+ /* Put the last two blocks back into the iovec (reverse order) */
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)blockN1, BLOCK_SIZE, &output_pos);
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)blockN2, BLOCK_SIZE, &output_pos);
+
+ if (ivec != NULL)
+ memcpy(ivec->data, blockN1, BLOCK_SIZE);
+ }
+
+ return 0;
+}
+
+static krb5_error_code
+krb5int_aes_decrypt_iov(const krb5_keyblock *key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ aes_ctx ctx;
+ char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE];
+ int nblocks = 0, blockno;
+ unsigned int i;
+ size_t input_length;
+
+ CHECK_SIZES;
+
+ if (aes_dec_key(key->contents, key->length, &ctx) != aes_good)
+ abort();
+
+ if (ivec != NULL)
+ memcpy(tmp, ivec->data, BLOCK_SIZE);
+ else
+ memset(tmp, 0, BLOCK_SIZE);
+
+ for (i = 0, input_length = 0; i < num_data; i++) {
+ krb5_crypto_iov *iov = &data[i];
+
+ if (ENCRYPT_IOV(iov))
+ input_length += iov->data.length;
+ }
+
+ nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
+
+ assert(nblocks > 1);
+
+ {
+ char blockN2[BLOCK_SIZE]; /* second last */
+ char blockN1[BLOCK_SIZE]; /* last block */
+ struct iov_block_state input_pos, output_pos;
+
+ IOV_BLOCK_STATE_INIT(&input_pos);
+ IOV_BLOCK_STATE_INIT(&output_pos);
+
+ for (blockno = 0; blockno < nblocks - 2; blockno++) {
+ char blockN[BLOCK_SIZE];
+
+ krb5int_c_iov_get_block((unsigned char *)blockN, BLOCK_SIZE, data, num_data, &input_pos);
+ dec(tmp2, blockN, &ctx);
+ xorblock(tmp2, tmp);
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2, BLOCK_SIZE, &output_pos);
+ memcpy(tmp, blockN, BLOCK_SIZE);
+ }
+
+ /* Do last two blocks, the second of which (next-to-last block
+ of plaintext) may be incomplete. */
+
+ /* First, get the last two encrypted blocks */
+ memset(blockN1, 0, sizeof(blockN1)); /* pad last block with zeros */
+ krb5int_c_iov_get_block((unsigned char *)blockN2, BLOCK_SIZE, data, num_data, &input_pos);
+ krb5int_c_iov_get_block((unsigned char *)blockN1, BLOCK_SIZE, data, num_data, &input_pos);
+
+ /* Decrypt second last block */
+ dec(tmp2, blockN2, &ctx);
+ /* Set tmp2 to last (possibly partial) plaintext block, and
+ save it. */
+ xorblock(tmp2, blockN1);
+ memcpy(blockN2, tmp2, BLOCK_SIZE);
+
+ /* Maybe keep the trailing part, and copy in the last
+ ciphertext block. */
+ input_length %= BLOCK_SIZE;
+ memcpy(tmp2, blockN1, input_length ? input_length : BLOCK_SIZE);
+ dec(tmp3, tmp2, &ctx);
+ xorblock(tmp3, tmp);
+ /* Copy out ivec first before we clobber blockN1 with plaintext */
+ if (ivec != NULL)
+ memcpy(ivec->data, blockN1, BLOCK_SIZE);
+ memcpy(blockN1, tmp3, BLOCK_SIZE);
+
+ /* Put the last two blocks back into the iovec */
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)blockN1, BLOCK_SIZE, &output_pos);
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)blockN2, BLOCK_SIZE, &output_pos);
+ }
+
+ return 0;
+}
+
+static krb5_error_code
+k5_aes_make_key(const krb5_data *randombits, krb5_keyblock *key)
+{
+ if (key->length != 16 && key->length != 32)
+ return(KRB5_BAD_KEYSIZE);
+ if (randombits->length != key->length)
+ return(KRB5_CRYPTO_INTERNAL);
+
+ key->magic = KV5M_KEYBLOCK;
+
+ memcpy(key->contents, randombits->data, randombits->length);
+ return(0);
+}
+
+static krb5_error_code
+krb5int_aes_init_state (const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_data *state)
+{
+ state->length = 16;
+ state->data = (void *) malloc(16);
+ if (state->data == NULL)
+ return ENOMEM;
+ memset(state->data, 0, state->length);
+ return 0;
+}
+
+const struct krb5_enc_provider krb5int_enc_aes128 = {
+ 16,
+ 16, 16,
+ krb5int_aes_encrypt,
+ krb5int_aes_decrypt,
+ k5_aes_make_key,
+ krb5int_aes_init_state,
+ krb5int_default_free_state,
+ krb5int_aes_encrypt_iov,
+ krb5int_aes_decrypt_iov
+};
+
+const struct krb5_enc_provider krb5int_enc_aes256 = {
+ 16,
+ 32, 32,
+ krb5int_aes_encrypt,
+ krb5int_aes_decrypt,
+ k5_aes_make_key,
+ krb5int_aes_init_state,
+ krb5int_default_free_state,
+ krb5int_aes_encrypt_iov,
+ krb5int_aes_decrypt_iov
+};
+
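Review bot: Neither krb5int_aes_encrypt nor krb5int_aes_decrypt validates its buffer sizes: `CHECK_SIZES` expands to `0`, so the `CHECK_SIZES;` statement is a no-op, and nothing rejects `input->length == 0` (nblocks becomes 0 and the else branch reads from `input->data + (nblocks - 2) * BLOCK_SIZE`, a negative offset) or an output shorter than the input, while the single-block encrypt path reads a full BLOCK_SIZE regardless of input->length even though decrypt aborts on that case. The des.c and des3.c providers in this commit return KRB5_BAD_MSIZE for such inputs, so the same guards belong here. Separately, the expanded key schedule in `ctx` and the tmp blocks holding plaintext are left on the stack at return, whereas des3.c clears its schedule with `zap()`; the `_iov` variants have the same gap, and their only size guard is an `assert` that disappears under NDEBUG. The prologue and epilogue below for krb5int_aes_encrypt apply unchanged to krb5int_aes_decrypt.
```c
krb5_error_code
krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
                    const krb5_data *input, krb5_data *output)
{
    aes_ctx ctx;
    char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE];
    int nblocks = 0, blockno;

    /* Reject sizes the CTS loop cannot handle; an empty input would
     * otherwise index before input->data. */
    if (input->length < BLOCK_SIZE || input->length != output->length)
        return KRB5_BAD_MSIZE;
    if (ivec != NULL && ivec->length != BLOCK_SIZE)
        return KRB5_BAD_MSIZE;

    if (aes_enc_key(key->contents, key->length, &ctx) != aes_good)
        abort();

    /* … unchanged: IV setup and CBC-CTS block loop … */

    /* Key schedule and plaintext temporaries must not outlive the call. */
    zap(&ctx, sizeof(ctx));
    zap(tmp, sizeof(tmp));
    zap(tmp2, sizeof(tmp2));
    zap(tmp3, sizeof(tmp3));
    return 0;
}
```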
diff --git a/src/lib/crypto/builtin/enc_provider/deps b/src/lib/crypto/builtin/enc_provider/deps
new file mode 100644
index 0000000..ed1b61c
--- /dev/null
+++ b/src/lib/crypto/builtin/enc_provider/deps
@@ -0,0 +1,49 @@
+#
+# Generated makefile dependencies follow.
+#
+des.so des.po $(OUTPRE)des.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
+ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
+ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
+ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
+ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
+ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(srcdir)/../des/des_int.h $(srcdir)/../../krb/aead.h \
+ $(srcdir)/../../krb/cksumtypes.h des.c enc_provider.h
+des3.so des3.po $(OUTPRE)des3.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
+ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
+ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
+ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
+ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
+ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(srcdir)/../des/des_int.h $(srcdir)/../../krb/aead.h \
+ $(srcdir)/../../krb/cksumtypes.h des3.c
+aes.so aes.po $(OUTPRE)aes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
+ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
+ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
+ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
+ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
+ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(srcdir)/../aes/aes.h $(srcdir)/../aes/uitypes.h \
+ $(srcdir)/../../krb/aead.h $(srcdir)/../../krb/cksumtypes.h aes.c \
+ enc_provider.h
+rc4.so rc4.po $(OUTPRE)rc4.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
+ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
+ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
+ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
+ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
+ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(srcdir)/../arcfour/arcfour-int.h $(srcdir)/../arcfour/arcfour.h \
+ $(srcdir)/../../krb/aead.h $(srcdir)/../../krb/cksumtypes.h enc_provider.h \
+ rc4.c
diff --git a/src/lib/crypto/builtin/enc_provider/des.c b/src/lib/crypto/builtin/enc_provider/des.c
new file mode 100644
index 0000000..547f6b9
--- /dev/null
+++ b/src/lib/crypto/builtin/enc_provider/des.c
@@ -0,0 +1,181 @@
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "k5-int.h"
+#include "des_int.h"
+#include "enc_provider.h"
+#include "aead.h"
+
+static krb5_error_code
+k5_des_docrypt(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_data *input, krb5_data *output, int enc)
+{
+ mit_des_key_schedule schedule;
+
+ /* key->enctype was checked by the caller */
+
+ if (key->length != 8)
+ return(KRB5_BAD_KEYSIZE);
+ if ((input->length%8) != 0)
+ return(KRB5_BAD_MSIZE);
+ if (ivec && (ivec->length != 8))
+ return(KRB5_BAD_MSIZE);
+ if (input->length != output->length)
+ return(KRB5_BAD_MSIZE);
+
+ switch (mit_des_key_sched(key->contents, schedule)) {
+ case -1:
+ return(KRB5DES_BAD_KEYPAR);
+ case -2:
+ return(KRB5DES_WEAK_KEY);
+ }
+
+ /* this has a return value, but the code always returns zero */
+
+ mit_des_cbc_encrypt((krb5_pointer) input->data,
+ (krb5_pointer) output->data, input->length,
+ schedule,
+ (ivec
+ ? (const unsigned char *) ivec->data
+ : (const unsigned char *) mit_des_zeroblock),
+ enc);
+
+ memset(schedule, 0, sizeof(schedule));
+
+ return(0);
+}
+
+static krb5_error_code
+k5_des_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_data *input, krb5_data *output)
+{
+ return(k5_des_docrypt(key, ivec, input, output, 1));
+}
+
+static krb5_error_code
+k5_des_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_data *input, krb5_data *output)
+{
+ return(k5_des_docrypt(key, ivec, input, output, 0));
+}
+
+static krb5_error_code
+k5_des_make_key(const krb5_data *randombits, krb5_keyblock *key)
+{
+ if (key->length != 8)
+ return(KRB5_BAD_KEYSIZE);
+ if (randombits->length != 7)
+ return(KRB5_CRYPTO_INTERNAL);
+
+ key->magic = KV5M_KEYBLOCK;
+ key->length = 8;
+
+ /* take the seven bytes, move them around into the top 7 bits of the
+ 8 key bytes, then compute the parity bits */
+
+ memcpy(key->contents, randombits->data, randombits->length);
+ key->contents[7] = (((key->contents[0]&1)<<1) | ((key->contents[1]&1)<<2) |
+ ((key->contents[2]&1)<<3) | ((key->contents[3]&1)<<4) |
+ ((key->contents[4]&1)<<5) | ((key->contents[5]&1)<<6) |
+ ((key->contents[6]&1)<<7));
+
+ mit_des_fixup_key_parity(key->contents);
+
+ return(0);
+}
+
+static krb5_error_code
+k5_des_docrypt_iov(const krb5_keyblock *key, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data, int enc)
+{
+ mit_des_key_schedule schedule;
+ size_t input_length = 0;
+ unsigned int i;
+
+ /* key->enctype was checked by the caller */
+
+ if (key->length != 8)
+ return(KRB5_BAD_KEYSIZE);
+
+ for (i = 0; i < num_data; i++) {
+ const krb5_crypto_iov *iov = &data[i];
+
+ if (ENCRYPT_DATA_IOV(iov))
+ input_length += iov->data.length;
+ }
+
+ if ((input_length % 8) != 0)
+ return(KRB5_BAD_MSIZE);
+ if (ivec && (ivec->length != 8))
+ return(KRB5_BAD_MSIZE);
+
+ switch (mit_des_key_sched(key->contents, schedule)) {
+ case -1:
+ return(KRB5DES_BAD_KEYPAR);
+ case -2:
+ return(KRB5DES_WEAK_KEY);
+ }
+
+ /* this has a return value, but the code always returns zero */
+ if (enc)
+ krb5int_des_cbc_encrypt_iov(data, num_data, schedule, ivec ? ivec->data : NULL);
+ else
+ krb5int_des_cbc_decrypt_iov(data, num_data, schedule, ivec ? ivec->data : NULL);
+
+ memset(schedule, 0, sizeof(schedule));
+
+ return(0);
+}
+
+static krb5_error_code
+k5_des_encrypt_iov(const krb5_keyblock *key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ return k5_des_docrypt_iov(key, ivec, data, num_data, 1);
+}
+
+static krb5_error_code
+k5_des_decrypt_iov(const krb5_keyblock *key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ return k5_des_docrypt_iov(key, ivec, data, num_data, 0);
+}
+
+const struct krb5_enc_provider krb5int_enc_des = {
+ 8,
+ 7, 8,
+ k5_des_encrypt,
+ k5_des_decrypt,
+ k5_des_make_key,
+ krb5int_des_init_state,
+ krb5int_default_free_state,
+ k5_des_encrypt_iov,
+ k5_des_decrypt_iov
+};
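Review bot: The `memset(schedule, 0, sizeof(schedule));` that clears the DES key schedule in k5_des_docrypt and k5_des_docrypt_iov is a dead store the compiler may drop, since `schedule` is never read again before the return; des3.c in this same commit uses `zap(schedule, sizeof(schedule));` for exactly this purpose, and both lines here should match it. The KRB5DES_BAD_KEYPAR and KRB5DES_WEAK_KEY returns from the switch skip the clearing entirely; whether mit_des_key_sched has already written schedule material by then is not visible here, but zapping on that path as well is cheap. Note also that k5_des_docrypt_iov sums lengths with `ENCRYPT_DATA_IOV` while the des3.c and aes.c helpers use `ENCRYPT_IOV`; if krb5int_des_cbc_encrypt_iov also processes header iovs, the `% 8` check does not cover all the bytes actually encrypted, which is worth confirming.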
diff --git a/src/lib/crypto/builtin/enc_provider/des3.c b/src/lib/crypto/builtin/enc_provider/des3.c
new file mode 100644
index 0000000..dc7c633
--- /dev/null
+++ b/src/lib/crypto/builtin/enc_provider/des3.c
@@ -0,0 +1,221 @@
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "k5-int.h"
+#include "des_int.h"
+#include <aead.h>
+
+static krb5_error_code
+validate_and_schedule(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_data *input, const krb5_data *output,
+ mit_des3_key_schedule *schedule)
+{
+ /* key->enctype was checked by the caller */
+
+ if (key->length != 24)
+ return(KRB5_BAD_KEYSIZE);
+ if ((input->length%8) != 0)
+ return(KRB5_BAD_MSIZE);
+ if (ivec && (ivec->length != 8))
+ return(KRB5_BAD_MSIZE);
+ if (input->length != output->length)
+ return(KRB5_BAD_MSIZE);
+
+ switch (mit_des3_key_sched(*(mit_des3_cblock *)key->contents,
+ *schedule)) {
+ case -1:
+ return(KRB5DES_BAD_KEYPAR);
+ case -2:
+ return(KRB5DES_WEAK_KEY);
+ }
+ return 0;
+}
+
+static krb5_error_code
+validate_and_schedule_iov(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_crypto_iov *data, size_t num_data,
+ mit_des3_key_schedule *schedule)
+{
+ size_t i, input_length;
+
+ for (i = 0, input_length = 0; i < num_data; i++) {
+ const krb5_crypto_iov *iov = &data[i];
+
+ if (ENCRYPT_IOV(iov))
+ input_length += iov->data.length;
+ }
+
+ if (key->length != 24)
+ return(KRB5_BAD_KEYSIZE);
+ if ((input_length%8) != 0)
+ return(KRB5_BAD_MSIZE);
+ if (ivec && (ivec->length != 8))
+ return(KRB5_BAD_MSIZE);
+
+ switch (mit_des3_key_sched(*(mit_des3_cblock *)key->contents,
+ *schedule)) {
+ case -1:
+ return(KRB5DES_BAD_KEYPAR);
+ case -2:
+ return(KRB5DES_WEAK_KEY);
+ }
+ return 0;
+}
+
+static krb5_error_code
+k5_des3_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_data *input, krb5_data *output)
+{
+ mit_des3_key_schedule schedule;
+ krb5_error_code err;
+
+ err = validate_and_schedule(key, ivec, input, output, &schedule);
+ if (err)
+ return err;
+
+ /* this has a return value, but the code always returns zero */
+ krb5int_des3_cbc_encrypt((krb5_pointer) input->data,
+ (krb5_pointer) output->data, input->length,
+ schedule[0], schedule[1], schedule[2],
+ ivec?(const unsigned char *) ivec->data:(const unsigned char *)mit_des_zeroblock);
+
+ zap(schedule, sizeof(schedule));
+
+ return(0);
+}
+
+static krb5_error_code
+k5_des3_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_data *input, krb5_data *output)
+{
+ mit_des3_key_schedule schedule;
+ krb5_error_code err;
+
+ err = validate_and_schedule(key, ivec, input, output, &schedule);
+ if (err)
+ return err;
+
+ /* this has a return value, but the code always returns zero */
+ krb5int_des3_cbc_decrypt((krb5_pointer) input->data,
+ (krb5_pointer) output->data, input->length,
+ schedule[0], schedule[1], schedule[2],
+ ivec?(const unsigned char *) ivec->data:(const unsigned char *)mit_des_zeroblock);
+
+ zap(schedule, sizeof(schedule));
+
+ return(0);
+}
+
+static krb5_error_code
+k5_des3_make_key(const krb5_data *randombits, krb5_keyblock *key)
+{
+ int i;
+
+ if (key->length != 24)
+ return(KRB5_BAD_KEYSIZE);
+ if (randombits->length != 21)
+ return(KRB5_CRYPTO_INTERNAL);
+
+ key->magic = KV5M_KEYBLOCK;
+ key->length = 24;
+
+ /* take the seven bytes, move them around into the top 7 bits of the
+ 8 key bytes, then compute the parity bits. Do this three times. */
+
+ for (i=0; i<3; i++) {
+ memcpy(key->contents+i*8, randombits->data+i*7, 7);
+ key->contents[i*8+7] = (((key->contents[i*8]&1)<<1) |
+ ((key->contents[i*8+1]&1)<<2) |
+ ((key->contents[i*8+2]&1)<<3) |
+ ((key->contents[i*8+3]&1)<<4) |
+ ((key->contents[i*8+4]&1)<<5) |
+ ((key->contents[i*8+5]&1)<<6) |
+ ((key->contents[i*8+6]&1)<<7));
+
+ mit_des_fixup_key_parity(key->contents+i*8);
+ }
+
+ return(0);
+}
+
+static krb5_error_code
+k5_des3_encrypt_iov(const krb5_keyblock *key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ mit_des3_key_schedule schedule;
+ krb5_error_code err;
+
+ err = validate_and_schedule_iov(key, ivec, data, num_data, &schedule);
+ if (err)
+ return err;
+
+ /* this has a return value, but the code always returns zero */
+ krb5int_des3_cbc_encrypt_iov(data, num_data,
+ schedule[0], schedule[1], schedule[2],
+ ivec != NULL ? (unsigned char *) ivec->data : NULL);
+
+ zap(schedule, sizeof(schedule));
+
+ return(0);
+}
+
+static krb5_error_code
+k5_des3_decrypt_iov(const krb5_keyblock *key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ mit_des3_key_schedule schedule;
+ krb5_error_code err;
+
+ err = validate_and_schedule_iov(key, ivec, data, num_data, &schedule);
+ if (err)
+ return err;
+
+ /* this has a return value, but the code always returns zero */
+ krb5int_des3_cbc_decrypt_iov(data, num_data,
+ schedule[0], schedule[1], schedule[2],
+ ivec != NULL ? (unsigned char *) ivec->data : NULL);
+
+ zap(schedule, sizeof(schedule));
+
+ return(0);
+}
+
+const struct krb5_enc_provider krb5int_enc_des3 = {
+ 8,
+ 21, 24,
+ k5_des3_encrypt,
+ k5_des3_decrypt,
+ k5_des3_make_key,
+ krb5int_des_init_state,
+ krb5int_default_free_state,
+ k5_des3_encrypt_iov,
+ k5_des3_decrypt_iov
+};
+
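Review bot: validate_and_schedule and validate_and_schedule_iov carry no comment stating their contract, although on success they leave expanded key material in the caller's `*schedule` that the caller must zap, and on the KRB5DES_BAD_KEYPAR/KRB5DES_WEAK_KEY paths whatever mit_des3_key_sched has written is left uncleared (it is not visible here whether it writes before failing). A header comment such as `/* Check key, ivec and buffer sizes, then expand key into *schedule; on success the caller must zap(*schedule) when finished. */` on both helpers would make that explicit, and `zap(*schedule, sizeof(*schedule));` before the two error returns in each removes the open question. Minor: validate_and_schedule_iov sums the iov lengths before checking `key->length`, whereas validate_and_schedule checks the key first; putting the key check first in both keeps them parallel.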
diff --git a/src/lib/crypto/builtin/enc_provider/enc_provider.h b/src/lib/crypto/builtin/enc_provider/enc_provider.h
new file mode 100644
index 0000000..92022b3
--- /dev/null
+++ b/src/lib/crypto/builtin/enc_provider/enc_provider.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "k5-int.h"
+
+extern const struct krb5_enc_provider krb5int_enc_des;
+extern const struct krb5_enc_provider krb5int_enc_des3;
+extern const struct krb5_enc_provider krb5int_enc_arcfour;
+extern const struct krb5_enc_provider krb5int_enc_aes128;
+extern const struct krb5_enc_provider krb5int_enc_aes256;
+extern const struct krb5_enc_provider krb5int_enc_aes128_ctr;
+extern const struct krb5_enc_provider krb5int_enc_aes256_ctr;
+
diff --git a/src/lib/crypto/builtin/enc_provider/rc4.c b/src/lib/crypto/builtin/enc_provider/rc4.c
new file mode 100644
index 0000000..d1dbb6c
--- /dev/null
+++ b/src/lib/crypto/builtin/enc_provider/rc4.c
@@ -0,0 +1,271 @@
+/* arcfour.c
+ *
+ * Copyright (c) 2000 by Computer Science Laboratory,
+ * Rensselaer Polytechnic Institute
+ *
+ * #include STD_DISCLAIMER
+ */
+
+#include "k5-int.h"
+#include "arcfour-int.h"
+#include "enc_provider.h"
+#include <aead.h>
+/* gets the next byte from the PRNG */
+#if ((__GNUC__ >= 2) )
+static __inline__ unsigned int k5_arcfour_byte(ArcfourContext *);
+#else
+static unsigned int k5_arcfour_byte(ArcfourContext *);
+#endif /* gcc inlines*/
+
+/* Initializes the context and sets the key. */
+static krb5_error_code k5_arcfour_init(ArcfourContext *ctx, const unsigned char *key,
+ unsigned int keylen);
+
+/* Encrypts/decrypts data. */
+static void k5_arcfour_crypt(ArcfourContext *ctx, unsigned char *dest,
+ const unsigned char *src, unsigned int len);
+
+/* Interface layer to kerb5 crypto layer */
+static krb5_error_code
+k5_arcfour_docrypt(const krb5_keyblock *, const krb5_data *,
+ const krb5_data *, krb5_data *);
+
+/* from a random bitstrem, construct a key */
+static krb5_error_code
+k5_arcfour_make_key(const krb5_data *, krb5_keyblock *);
+
+static const unsigned char arcfour_weakkey1[] = {0x00, 0x00, 0xfd};
+static const unsigned char arcfour_weakkey2[] = {0x03, 0xfd, 0xfc};
+static const struct {
+ size_t length;
+ const unsigned char *data;
+} arcfour_weakkeys[] = {
+ { sizeof (arcfour_weakkey1), arcfour_weakkey1},
+ { sizeof (arcfour_weakkey2), arcfour_weakkey2},
+};
+
+static inline unsigned int k5_arcfour_byte(ArcfourContext * ctx)
+{
+ unsigned int x;
+ unsigned int y;
+ unsigned int sx, sy;
+ unsigned char *state;
+
+ state = ctx->state;
+ x = (ctx->x + 1) & 0xff;
+ sx = state[x];
+ y = (sx + ctx->y) & 0xff;
+ sy = state[y];
+ ctx->x = x;
+ ctx->y = y;
+ state[y] = sx;
+ state[x] = sy;
+ return state[(sx + sy) & 0xff];
+}
+
+static void k5_arcfour_crypt(ArcfourContext *ctx, unsigned char *dest,
+ const unsigned char *src, unsigned int len)
+{
+ unsigned int i;
+ for (i = 0; i < len; i++)
+ dest[i] = src[i] ^ k5_arcfour_byte(ctx);
+}
+
+
+static krb5_error_code
+k5_arcfour_init(ArcfourContext *ctx, const unsigned char *key,
+ unsigned int key_len)
+{
+ unsigned int t, u;
+ unsigned int keyindex;
+ unsigned int stateindex;
+ unsigned char* state;
+ unsigned int counter;
+
+ if (key_len != 16)
+ return KRB5_BAD_MSIZE; /*this is probably not the correct error code
+ to return */
+ for (counter=0;
+ counter < sizeof(arcfour_weakkeys)/sizeof(arcfour_weakkeys[0]);
+ counter++)
+ if (!memcmp(key, arcfour_weakkeys[counter].data,
+ arcfour_weakkeys[counter].length))
+ return KRB5DES_WEAK_KEY; /* most certainly not the correct error */
+
+ state = &ctx->state[0];
+ ctx->x = 0;
+ ctx->y = 0;
+ for (counter = 0; counter < 256; counter++)
+ state[counter] = counter;
+ keyindex = 0;
+ stateindex = 0;
+ for (counter = 0; counter < 256; counter++)
+ {
+ t = state[counter];
+ stateindex = (stateindex + key[keyindex] + t) & 0xff;
+ u = state[stateindex];
+ state[stateindex] = t;
+ state[counter] = u;
+ if (++keyindex >= key_len)
+ keyindex = 0;
+ }
+ return 0;
+}
+
+
+/* The workhorse of the arcfour system, this impliments the cipher */
+static krb5_error_code
+k5_arcfour_docrypt(const krb5_keyblock *key, const krb5_data *state,
+ const krb5_data *input, krb5_data *output)
+{
+ ArcfourContext *arcfour_ctx;
+ ArcFourCipherState *cipher_state;
+ int ret;
+
+ if (key->length != 16)
+ return(KRB5_BAD_KEYSIZE);
+ if (state && (state->length != sizeof (ArcFourCipherState)))
+ return(KRB5_BAD_MSIZE);
+ if (input->length != output->length)
+ return(KRB5_BAD_MSIZE);
+
+ if (state) {
+ cipher_state = (ArcFourCipherState *) state->data;
+ arcfour_ctx=&cipher_state->ctx;
+ if (cipher_state->initialized == 0) {
+ if ((ret=k5_arcfour_init(arcfour_ctx, key->contents, key->length))) {
+ return ret;
+ }
+ cipher_state->initialized = 1;
+ }
+ k5_arcfour_crypt(arcfour_ctx, (unsigned char *) output->data, (const unsigned char *) input->data, input->length);
+ }
+ else {
+ arcfour_ctx=malloc(sizeof (ArcfourContext));
+ if (arcfour_ctx == NULL)
+ return ENOMEM;
+ if ((ret=k5_arcfour_init(arcfour_ctx, key->contents, key->length))) {
+ free(arcfour_ctx);
+ return (ret);
+ }
+ k5_arcfour_crypt(arcfour_ctx, (unsigned char * ) output->data,
+ (const unsigned char * ) input->data, input->length);
+ memset(arcfour_ctx, 0, sizeof (ArcfourContext));
+ free(arcfour_ctx);
+ }
+
+ return 0;
+}
+
+/* In-place encryption */
+static krb5_error_code
+k5_arcfour_docrypt_iov(const krb5_keyblock *key,
+ const krb5_data *state,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ ArcfourContext *arcfour_ctx = NULL;
+ ArcFourCipherState *cipher_state = NULL;
+ krb5_error_code ret;
+ size_t i;
+
+ if (key->length != 16)
+ return KRB5_BAD_KEYSIZE;
+ if (state != NULL && (state->length != sizeof(ArcFourCipherState)))
+ return KRB5_BAD_MSIZE;
+
+ if (state != NULL) {
+ cipher_state = (ArcFourCipherState *)state->data;
+ arcfour_ctx = &cipher_state->ctx;
+ if (cipher_state->initialized == 0) {
+ ret = k5_arcfour_init(arcfour_ctx, key->contents, key->length);
+ if (ret != 0)
+ return ret;
+
+ cipher_state->initialized = 1;
+ }
+ } else {
+ arcfour_ctx = (ArcfourContext *)malloc(sizeof(ArcfourContext));
+ if (arcfour_ctx == NULL)
+ return ENOMEM;
+
+ ret = k5_arcfour_init(arcfour_ctx, key->contents, key->length);
+ if (ret != 0) {
+ free(arcfour_ctx);
+ return ret;
+ }
+ }
+
+ for (i = 0; i < num_data; i++) {
+ krb5_crypto_iov *iov = &data[i];
+
+ if (ENCRYPT_IOV(iov))
+ k5_arcfour_crypt(arcfour_ctx, (unsigned char *)iov->data.data,
+ (const unsigned char *)iov->data.data, iov->data.length);
+ }
+
+ if (state == NULL) {
+ memset(arcfour_ctx, 0, sizeof(ArcfourContext));
+ free(arcfour_ctx);
+ }
+
+ return 0;
+}
+
+static krb5_error_code
+k5_arcfour_make_key(const krb5_data *randombits, krb5_keyblock *key)
+{
+ if (key->length != 16)
+ return(KRB5_BAD_KEYSIZE);
+ if (randombits->length != 16)
+ return(KRB5_CRYPTO_INTERNAL);
+
+ key->magic = KV5M_KEYBLOCK;
+ key->length = 16;
+
+ memcpy(key->contents, randombits->data, randombits->length);
+
+ return(0);
+}
+
+static krb5_error_code
+k5_arcfour_init_state (const krb5_keyblock *key,
+ krb5_keyusage keyusage, krb5_data *new_state)
+{
+ /* Note that we can't actually set up the state here because the key
+ * will change between now and when encrypt is called
+ * because it is data dependent. Yeah, this has strange
+ * properties. --SDH
+ */
+ new_state->length = sizeof (ArcFourCipherState);
+ new_state->data = malloc (new_state->length);
+ if (new_state->data) {
+ memset (new_state->data, 0 , new_state->length);
+ /* That will set initialized to zero*/
+ }else {
+ return (ENOMEM);
+ }
+ return 0;
+}
+
+/* Since the arcfour cipher is identical going forwards and backwards,
+ we just call "docrypt" directly
+*/
+const struct krb5_enc_provider krb5int_enc_arcfour = {
+ /* This seems to work... although I am not sure what the
+ implications are in other places in the kerberos library */
+ 1,
+ /* Keysize is arbitrary in arcfour, but the constraints of the
+ system, and to attempt to work with the MSFT system forces us
+ to 16byte/128bit. Since there is no parity in the key, the
+ byte and length are the same. */
+ 16, 16,
+ k5_arcfour_docrypt,
+ k5_arcfour_docrypt,
+ k5_arcfour_make_key,
+ k5_arcfour_init_state, /*xxx not implemented yet*/
+ krb5int_default_free_state,
+ k5_arcfour_docrypt_iov,
+ k5_arcfour_docrypt_iov
+};
+
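Review bot: The `memset(arcfour_ctx, 0, sizeof(ArcfourContext))` immediately before free() in both k5_arcfour_docrypt and k5_arcfour_docrypt_iov is a store to memory that is never read again, so the compiler may elide it and leave the RC4 key-stream state in freed memory; this same commit's des3.c uses `zap(schedule, sizeof(schedule))` for that purpose, so use `zap(arcfour_ctx, sizeof(*arcfour_ctx));` here as well. k5_arcfour_init returns KRB5_BAD_MSIZE for a wrong key length (the adjacent comment admits it is probably the wrong code), while both callers already reject `key->length != 16` with KRB5_BAD_KEYSIZE, so the init check should return `KRB5_BAD_KEYSIZE` for consistency. The `/*xxx not implemented yet*/` on the k5_arcfour_init_state slot in krb5int_enc_arcfour is stale, since the function is implemented a few lines above, and should be dropped.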
diff --git a/src/lib/crypto/builtin/md4/Makefile.in b/src/lib/crypto/builtin/md4/Makefile.in
index 78dd053..480906b 100644
--- a/src/lib/crypto/builtin/md4/Makefile.in
+++ b/src/lib/crypto/builtin/md4/Makefile.in
@@ -12,11 +12,11 @@ DEFS=
PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
-STLIBOBJS= md4.o
+STLIBOBJS= ../../@CRYPTO_IMPL@/md4/md4.o
-OBJS= $(OUTPRE)md4.$(OBJEXT)
+OBJS= $(OUTPRE)../../@CRYPTO_IMPL@/md4/md4.$(OBJEXT)
-SRCS= $(srcdir)/md4.c
+SRCS= $(srcdir)/../../@CRYPTO_IMPL@/md4/md4.c
##DOS##LIBOBJS = $(OBJS)
diff --git a/src/lib/crypto/builtin/md5/Makefile.in b/src/lib/crypto/builtin/md5/Makefile.in
index 6da4374..9292919 100644
--- a/src/lib/crypto/builtin/md5/Makefile.in
+++ b/src/lib/crypto/builtin/md5/Makefile.in
@@ -11,11 +11,11 @@ DEFS=
PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
-STLIBOBJS= md5.o
+STLIBOBJS= ../../@CRYPTO_IMPL@/md5/md5.o
-OBJS= $(OUTPRE)md5.$(OBJEXT)
+OBJS= $(OUTPRE)../../@CRYPTO_IMPL@/md5/md5.$(OBJEXT)
-SRCS= $(srcdir)/md5.c
+SRCS= $(srcdir)/../../@CRYPTO_IMPL@/md5/md5.c
##DOS##LIBOBJS = $(OBJS)
diff --git a/src/lib/crypto/builtin/sha1/Makefile.in b/src/lib/crypto/builtin/sha1/Makefile.in
index 81776f5..7610881 100644
--- a/src/lib/crypto/builtin/sha1/Makefile.in
+++ b/src/lib/crypto/builtin/sha1/Makefile.in
@@ -11,11 +11,11 @@ DEFS=
PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
-STLIBOBJS= shs.o
+STLIBOBJS= ../../@CRYPTO_IMPL@/sha1/shs.o
-OBJS= $(OUTPRE)shs.$(OBJEXT)
+OBJS= $(OUTPRE)../../@CRYPTO_IMPL@/sha1/shs.$(OBJEXT)
-SRCS= $(srcdir)/shs.c
+SRCS= $(srcdir)/../../@CRYPTO_IMPL@/sha1/shs.c
##DOS##LIBOBJS = $(OBJS)
diff --git a/src/lib/crypto/crypto_tests/Makefile.in b/src/lib/crypto/crypto_tests/Makefile.in
index 4e33e83..41704c8 100644
--- a/src/lib/crypto/crypto_tests/Makefile.in
+++ b/src/lib/crypto/crypto_tests/Makefile.in
@@ -2,7 +2,7 @@ thisconfigdir=../../..
myfulldir=lib/crypto/crypto_tests
mydir=lib/crypto/crypto_tests
BUILDTOP=$(REL)..$(S)..$(S)..
-LOCALINCLUDES = -I$(srcdir)/../krb -I$(srcdir)/../krb/enc_provider \
+LOCALINCLUDES = -I$(srcdir)/../krb -I$(srcdir)/../@CRYPTO_IMPL@/enc_provider \
-I$(srcdir)/../krb/hash_provider -I$(srcdir)/../krb/keyhash_provider \
-I$(srcdir)/../krb/dk -I$(srcdir)/../@CRYPTO_IMPL@/ \
-I$(srcdir)/../krb/yarrow \
diff --git a/src/lib/crypto/krb/Makefile.in b/src/lib/crypto/krb/Makefile.in
index 887fa16..636d2c6 100644
--- a/src/lib/crypto/krb/Makefile.in
+++ b/src/lib/crypto/krb/Makefile.in
@@ -2,11 +2,11 @@ thisconfigdir=../../..
myfulldir=lib/crypto/krb
mydir=lib/crypto/krb
BUILDTOP=$(REL)..$(S)..$(S)..
-SUBDIRS= crc32 dk enc_provider hash_provider keyhash_provider \
+SUBDIRS= crc32 dk hash_provider keyhash_provider \
old raw yarrow
-LOCALINCLUDES = -I$(srcdir) -I$(srcdir)/enc_provider -I$(srcdir)/dk \
- -I$(srcdir)/hash_provider -I$(srcdir)/keyhash_provider \
- -I$(srcdir)/old -I$(srcdir)/raw -I$(srcdir)/yarrow \
+LOCALINCLUDES = -I$(srcdir) -I$(srcdir)/../@CRYPTO_IMPL@/enc_provider -I$(srcdir)/dk \
+ -I$(srcdir)/hash_provider -I$(srcdir)/keyhash_provider \
+ -I$(srcdir)/old -I$(srcdir)/raw -I$(srcdir)/yarrow \
-I$(srcdir)/../@CRYPTO_IMPL@/ -I$(srcdir)/../@CRYPTO_IMPL@/des \
-I$(srcdir)/../@CRYPTO_IMPL@/aes -I$(srcdir)/../@CRYPTO_IMPL@/arcfour \
-I$(srcdir)/../@CRYPTO_IMPL@/sha1
@@ -149,11 +149,11 @@ SRCS=\
$(srcdir)/verify_checksum.c \
$(srcdir)/verify_checksum_iov.c
-STOBJLISTS=crc32/OBJS.ST dk/OBJS.ST enc_provider/OBJS.ST \
+STOBJLISTS=crc32/OBJS.ST dk/OBJS.ST \
hash_provider/OBJS.ST keyhash_provider/OBJS.ST \
old/OBJS.ST raw/OBJS.ST yarrow/OBJS.ST OBJS.ST
-SUBDIROBJLISTS=crc32/OBJS.ST dk/OBJS.ST enc_provider/OBJS.ST \
+SUBDIROBJLISTS=crc32/OBJS.ST dk/OBJS.ST \
hash_provider/OBJS.ST keyhash_provider/OBJS.ST \
old/OBJS.ST raw/OBJS.ST yarrow/OBJS.ST OBJS.ST
@@ -173,9 +173,6 @@ all-windows::
cd ..\dk
@echo Making in crypto\dk
$(MAKE) -$(MFLAGS)
- cd ..\enc_provider
- @echo Making in crypto\enc_provider
- $(MAKE) -$(MFLAGS)
cd ..\hash_provider
@echo Making in crypto\hash_provider
$(MAKE) -$(MFLAGS)
@@ -200,9 +197,6 @@ clean-windows::
cd ..\dk
@echo Making clean in crypto\dk
$(MAKE) -$(MFLAGS) clean
- cd ..\enc_provider
- @echo Making clean in crypto\enc_provider
- $(MAKE) -$(MFLAGS) clean
cd ..\hash_provider
@echo Making clean in crypto\hash_provider
$(MAKE) -$(MFLAGS) clean
@@ -227,9 +221,6 @@ check-windows::
cd ..\dk
@echo Making check in crypto\dk
$(MAKE) -$(MFLAGS) check
- cd ..\enc_provider
- @echo Making check in crypto\enc_provider
- $(MAKE) -$(MFLAGS) check
cd ..\hash_provider
@echo Making check in crypto\hash_provider
$(MAKE) -$(MFLAGS) check
diff --git a/src/lib/crypto/krb/deps b/src/lib/crypto/krb/deps
index fa65836..58a614b 100644
--- a/src/lib/crypto/krb/deps
+++ b/src/lib/crypto/krb/deps
@@ -192,7 +192,7 @@ etypes.so etypes.po $(OUTPRE)etypes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
$(srcdir)/../builtin/aes/aes_s2k.h $(srcdir)/../builtin/arcfour/arcfour.h \
$(srcdir)/../builtin/des/des_int.h $(srcdir)/dk/dk.h \
- $(srcdir)/enc_provider/enc_provider.h $(srcdir)/hash_provider/hash_provider.h \
+ $(srcdir)/../builtin/enc_provider/enc_provider.h $(srcdir)/hash_provider/hash_provider.h \
$(srcdir)/old/old.h $(srcdir)/raw/raw.h etypes.c etypes.h
keyblocks.so keyblocks.po $(OUTPRE)keyblocks.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -326,7 +326,7 @@ prng.so prng.po $(OUTPRE)prng.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
$(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../builtin/sha1/shs.h $(srcdir)/enc_provider/enc_provider.h \
+ $(srcdir)/../builtin/sha1/shs.h $(srcdir)/../builtin/enc_provider/enc_provider.h \
$(srcdir)/yarrow/yarrow.h $(srcdir)/yarrow/ycipher.h \
$(srcdir)/yarrow/yhash.h $(srcdir)/yarrow/ytypes.h \
prng.c
diff --git a/src/lib/crypto/krb/hash_provider/hash_crc32.c b/src/lib/crypto/krb/hash_provider/hash_crc32.c
index ca26810..780e158 100644
--- a/src/lib/crypto/krb/hash_provider/hash_crc32.c
+++ b/src/lib/crypto/krb/hash_provider/hash_crc32.c
@@ -49,6 +49,7 @@ k5_crc32_hash(unsigned int icount, const krb5_data *input,
}
const struct krb5_hash_provider krb5int_hash_crc32 = {
+ "CRC32",
CRC32_CKSUM_LENGTH,
1,
k5_crc32_hash
diff --git a/src/lib/crypto/krb/hash_provider/hash_md4.c b/src/lib/crypto/krb/hash_provider/hash_md4.c
index 1fa23c2..f507aaa 100644
--- a/src/lib/crypto/krb/hash_provider/hash_md4.c
+++ b/src/lib/crypto/krb/hash_provider/hash_md4.c
@@ -49,6 +49,7 @@ k5_md4_hash(unsigned int icount, const krb5_data *input,
}
const struct krb5_hash_provider krb5int_hash_md4 = {
+ "MD4",
RSA_MD4_CKSUM_LENGTH,
64,
k5_md4_hash
diff --git a/src/lib/crypto/krb/hash_provider/hash_md5.c b/src/lib/crypto/krb/hash_provider/hash_md5.c
index 174c432..a6e380a 100644
--- a/src/lib/crypto/krb/hash_provider/hash_md5.c
+++ b/src/lib/crypto/krb/hash_provider/hash_md5.c
@@ -49,6 +49,7 @@ k5_md5_hash(unsigned int icount, const krb5_data *input,
}
const struct krb5_hash_provider krb5int_hash_md5 = {
+ "MD5",
RSA_MD5_CKSUM_LENGTH,
64,
k5_md5_hash
diff --git a/src/lib/crypto/krb/hash_provider/hash_sha1.c b/src/lib/crypto/krb/hash_provider/hash_sha1.c
index ffc073c..00ab72b 100644
--- a/src/lib/crypto/krb/hash_provider/hash_sha1.c
+++ b/src/lib/crypto/krb/hash_provider/hash_sha1.c
@@ -51,6 +51,7 @@ k5_sha1_hash(unsigned int icount, const krb5_data *input,
}
const struct krb5_hash_provider krb5int_hash_sha1 = {
+ "SHA1",
SHS_DIGESTSIZE,
SHS_DATASIZE,
k5_sha1_hash
diff --git a/src/lib/crypto/krb/yarrow/Makefile.in b/src/lib/crypto/krb/yarrow/Makefile.in
index d7f01e4..b246c6c 100644
--- a/src/lib/crypto/krb/yarrow/Makefile.in
+++ b/src/lib/crypto/krb/yarrow/Makefile.in
@@ -2,7 +2,7 @@ thisconfigdir=../../../..
myfulldir=lib/crypto/krb/yarrow
mydir=lib/crypto/krb/yarrow
BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
-LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)/../../@CRYPTO_IMPL@ -I$(srcdir)/../../@CRYPTO_IMPL@/sha1 -I$(srcdir)/../enc_provider
+LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)/../../@CRYPTO_IMPL@ -I$(srcdir)/../../@CRYPTO_IMPL@/sha1 -I$(srcdir)/../../@CRYPTO_IMPL@/enc_provider
DEFS=
##DOS##BUILDTOP = ..\..\..\..
diff --git a/src/lib/crypto/krb/yarrow/deps b/src/lib/crypto/krb/yarrow/deps
index 8d69431..ed10e31 100644
--- a/src/lib/crypto/krb/yarrow/deps
+++ b/src/lib/crypto/krb/yarrow/deps
@@ -21,5 +21,5 @@ ycipher.so ycipher.po $(OUTPRE)ycipher.$(OBJEXT): $(BUILDTOP)/include/autoconf.h
$(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
$(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../../builtin/sha1/shs.h $(srcdir)/../enc_provider/enc_provider.h \
+ $(srcdir)/../../builtin/sha1/shs.h $(srcdir)/../../builtin/enc_provider/enc_provider.h \
yarrow.h ycipher.c ycipher.h yhash.h ytypes.h
diff --git a/src/lib/crypto/openssl/enc_provider/deps b/src/lib/crypto/openssl/enc_provider/deps
new file mode 100644
index 0000000..1d4dcbe
--- /dev/null
+++ b/src/lib/crypto/openssl/enc_provider/deps
@@ -0,0 +1,50 @@
+#
+# Generated makefile dependencies follow.
+#
+des.so des.po $(OUTPRE)des.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/autoconf.h \
+ $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \
+ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
+ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
+ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
+ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
+ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/des_int.h \
+ $(srcdir)/../../krb/aead.h $(srcdir)/../cksumtypes.h des.c \
+ enc_provider.h
+des3.so des3.po $(OUTPRE)des3.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/autoconf.h \
+ $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \
+ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
+ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
+ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
+ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
+ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/des_int.h \
+ $(srcdir)/../../krb/aead.h $(srcdir)/../cksumtypes.h des3.c
+aes.so aes.po $(OUTPRE)aes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/autoconf.h \
+ $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \
+ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
+ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
+ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
+ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
+ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/aes/aes.h \
+ $(srcdir)/../../builtin/aes/uitypes.h $(srcdir)/../../krb/aead.h \
+ $(srcdir)/../cksumtypes.h aes.c enc_provider.h
+rc4.so rc4.po $(OUTPRE)rc4.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/autoconf.h \
+ $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \
+ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
+ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
+ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
+ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
+ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/arcfour/arcfour-int.h \
+ $(srcdir)/../../builtin/arcfour/arcfour.h $(srcdir)/../../krb/aead.h \
+ $(srcdir)/../cksumtypes.h enc_provider.h rc4.c
diff --git a/src/lib/crypto/openssl/enc_provider/des.c b/src/lib/crypto/openssl/enc_provider/des.c
new file mode 100644
index 0000000..bc43136
--- /dev/null
+++ b/src/lib/crypto/openssl/enc_provider/des.c
@@ -0,0 +1,271 @@
+/*
+ */
+
+#include "k5-int.h"
+#include "des_int.h"
+#include "enc_provider.h"
+#include <aead.h>
+#include <openssl/evp.h>
+
+#define DES_BLOCK_SIZE 8
+#define DES_KEY_BYTES 7
+#define DES_KEY_LEN 8
+
+static krb5_error_code
+k5_des_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_data *input, krb5_data *output)
+{
+ int ret = 0, tmp_len = 0;
+ EVP_CIPHER_CTX ciph_ctx;
+ unsigned char *keybuf = NULL;
+ unsigned char *tmp_buf = NULL;
+ unsigned char iv[EVP_MAX_IV_LENGTH];
+
+ if (key->length != DES_KEY_LEN)
+ return(KRB5_BAD_KEYSIZE);
+ if ((input->length%8) != 0)
+ return(KRB5_BAD_MSIZE);
+ if (ivec && (ivec->length != 8))
+ return(KRB5_BAD_MSIZE);
+ if (input->length != output->length)
+ return(KRB5_BAD_MSIZE);
+
+ keybuf=key->contents;
+ keybuf[key->length] = '\0';
+
+ if ( ivec && ivec->data ) {
+ memset(iv,0,sizeof(iv));
+ memcpy(iv,ivec->data,ivec->length);
+ }
+
+ tmp_buf=OPENSSL_malloc(output->length);
+ if (!tmp_buf)
+ return ENOMEM;
+ memset(tmp_buf,0,output->length);
+
+ EVP_CIPHER_CTX_init(&ciph_ctx);
+
+ ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL, keybuf,
+ (ivec && ivec->data) ? iv : NULL);
+ if (ret) {
+ EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
+ ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
+ (unsigned char *)input->data, input->length);
+ if (ret) {
+ output->length = tmp_len;
+ ret = EVP_EncryptFinal_ex(&ciph_ctx, tmp_buf + tmp_len, &tmp_len);
+ }
+ }
+
+ EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+
+ if (ret)
+ memcpy(output->data,tmp_buf, output->length);
+
+ memset(tmp_buf,0,output->length);
+ OPENSSL_free(tmp_buf);
+
+ if (!ret)
+ return KRB5_CRYPTO_INTERNAL;
+ return 0;
+}
+
+static krb5_error_code
+k5_des_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_data *input, krb5_data *output)
+{
+ /* key->enctype was checked by the caller */
+ int ret = 0, tmp_len = 0;
+ EVP_CIPHER_CTX ciph_ctx;
+ unsigned char *keybuf = NULL;
+ unsigned char *tmp_buf;
+ unsigned char iv[EVP_MAX_IV_LENGTH];
+
+ if (key->length != DES_KEY_LEN)
+ return(KRB5_BAD_KEYSIZE);
+ if ((input->length%8) != 0)
+ return(KRB5_BAD_MSIZE);
+ if (ivec && (ivec->length != 8))
+ return(KRB5_BAD_MSIZE);
+ if (input->length != output->length)
+ return(KRB5_BAD_MSIZE);
+
+ keybuf=key->contents;
+ keybuf[key->length] = '\0';
+
+ if ( ivec != NULL && ivec->data ){
+ memset(iv,0,sizeof(iv));
+ memcpy(iv,ivec->data,ivec->length);
+ }
+
+ tmp_buf=OPENSSL_malloc(output->length);
+ if (!tmp_buf)
+ return ENOMEM;
+ memset(tmp_buf,0,output->length);
+
+ EVP_CIPHER_CTX_init(&ciph_ctx);
+
+ ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL, keybuf,
+ (ivec && ivec->data) ? iv : NULL);
+ if (ret) {
+ EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
+ ret = EVP_DecryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
+ (unsigned char *)input->data, input->length);
+ if (ret) {
+ output->length = tmp_len;
+ ret = EVP_DecryptFinal_ex(&ciph_ctx, tmp_buf+tmp_len, &tmp_len);
+ }
+ }
+
+ EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+
+ if (ret)
+ memcpy(output->data,tmp_buf, output->length);
+
+ memset(tmp_buf,0,output->length );
+ OPENSSL_free(tmp_buf);
+
+ if (!ret)
+ return KRB5_CRYPTO_INTERNAL;
+ return 0;
+}
+
+static krb5_error_code
+k5_des_make_key(const krb5_data *randombits, krb5_keyblock *key)
+{
+ if (key->length != DES_KEY_LEN)
+ return(KRB5_BAD_KEYSIZE);
+ if (randombits->length != 7)
+ return(KRB5_CRYPTO_INTERNAL);
+
+ key->magic = KV5M_KEYBLOCK;
+
+ /* take the seven bytes, move them around into the top 7 bits of the
+ 8 key bytes, then compute the parity bits */
+
+ memcpy(key->contents, randombits->data, randombits->length);
+ key->contents[7] = (((key->contents[0]&1)<<1) | ((key->contents[1]&1)<<2) |
+ ((key->contents[2]&1)<<3) | ((key->contents[3]&1)<<4) |
+ ((key->contents[4]&1)<<5) | ((key->contents[5]&1)<<6) |
+ ((key->contents[6]&1)<<7));
+
+ mit_des_fixup_key_parity(key->contents);
+
+ return(0);
+}
+
+static krb5_error_code
+k5_des_encrypt_iov(const krb5_keyblock *key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ int ret = 0, tmp_len = 0;
+ unsigned int i = 0;
+ EVP_CIPHER_CTX ciph_ctx;
+ unsigned char *keybuf = NULL ;
+ krb5_crypto_iov *iov = NULL;
+ unsigned char *tmp_buf = NULL;
+ unsigned char iv[EVP_MAX_IV_LENGTH];
+
+ if (ivec && ivec->data){
+ memset(iv,0,sizeof(iv));
+ memcpy(iv,ivec->data,ivec->length);
+ }
+
+ EVP_CIPHER_CTX_init(&ciph_ctx);
+
+ ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL,
+ keybuf, (ivec && ivec->data) ? iv : NULL);
+ if (!ret)
+ return KRB5_CRYPTO_INTERNAL;
+
+ for (i = 0; i < num_data; i++) {
+ iov = &data[i];
+ if (iov->data.length <= 0) break;
+ tmp_len = iov->data.length;
+
+ if (ENCRYPT_DATA_IOV(iov)) {
+ tmp_buf=(unsigned char *)iov->data.data;
+ ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
+ (unsigned char *)iov->data.data, iov->data.length);
+ if (!ret) break;
+ iov->data.length = tmp_len;
+ }
+ }
+ if(ret)
+ ret = EVP_EncryptFinal_ex(&ciph_ctx, (unsigned char *)tmp_buf, &tmp_len);
+
+ if (ret)
+ iov->data.length += tmp_len;
+
+ EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+
+ if (!ret)
+ return KRB5_CRYPTO_INTERNAL;
+ return 0;
+
+}
+
+static krb5_error_code
+k5_des_decrypt_iov(const krb5_keyblock *key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ int ret = 0, tmp_len = 0;
+ unsigned int i = 0;
+ EVP_CIPHER_CTX ciph_ctx;
+ unsigned char *keybuf = NULL ;
+ krb5_crypto_iov *iov = NULL;
+ unsigned char *tmp_buf = NULL;
+ unsigned char iv[EVP_MAX_IV_LENGTH];
+
+ if (ivec && ivec->data){
+ memset(iv,0,sizeof(iv));
+ memcpy(iv,ivec->data,ivec->length);
+ }
+
+ ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL,
+ keybuf, (ivec && ivec->data) ? iv : NULL);
+ if (!ret)
+ return KRB5_CRYPTO_INTERNAL;
+
+ for (i = 0; i < num_data; i++) {
+ iov = &data[i];
+ if (iov->data.length <= 0) break;
+ tmp_len = iov->data.length;
+
+ if (ENCRYPT_DATA_IOV(iov)) {
+ tmp_buf=(unsigned char *)iov->data.data;
+ ret = EVP_DecryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
+ (unsigned char *)iov->data.data, iov->data.length);
+ if (!ret) break;
+ iov->data.length = tmp_len;
+ }
+ }
+ if(ret)
+ ret = EVP_DecryptFinal_ex(&ciph_ctx, (unsigned char *)tmp_buf, &tmp_len);
+
+ if (ret)
+ iov->data.length += tmp_len;
+
+ EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+
+ if (!ret)
+ return KRB5_CRYPTO_INTERNAL;
+ return 0;
+}
+
+const struct krb5_enc_provider krb5int_enc_des = {
+ DES_BLOCK_SIZE,
+ DES_KEY_BYTES, DES_KEY_LEN,
+ k5_des_encrypt,
+ k5_des_decrypt,
+ k5_des_make_key,
+ krb5int_des_init_state,
+ krb5int_default_free_state,
+ k5_des_encrypt_iov,
+ k5_des_decrypt_iov
+};
+
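Review bot: `keybuf[key->length] = '\0';` near the top of k5_des_encrypt (and again in k5_des_decrypt) writes one byte past the end of the key's 8-byte contents buffer and mutates a keyblock the function receives as `const`; EVP_des_cbc takes a raw 8-byte key and needs no terminator, so the line should be deleted and `key->contents` passed straight to `EVP_EncryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL, key->contents, ...)`. The iov variants never assign keybuf at all: k5_des_encrypt_iov and k5_des_decrypt_iov pass a NULL key to EVP_*Init_ex, so the cipher runs with whatever the fresh context holds rather than the caller's key, and k5_des_decrypt_iov also never calls EVP_CIPHER_CTX_init on its context. The iov paths additionally skip the key-length, block-alignment and ivec-length checks and the `EVP_CIPHER_CTX_set_padding(&ciph_ctx, 0)` that the non-iov paths perform, and `iov->data.length <= 0` is a pointless test on an unsigned length. I would expect the iov functions to validate like their non-iov counterparts and use `key->contents` before this lands.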
diff --git a/src/lib/crypto/openssl/enc_provider/des3.c b/src/lib/crypto/openssl/enc_provider/des3.c
new file mode 100644
index 0000000..1cc6748
--- /dev/null
+++ b/src/lib/crypto/openssl/enc_provider/des3.c
@@ -0,0 +1,352 @@
+/*
+ */
+
+#include "k5-int.h"
+#include "des_int.h"
+#include <aead.h>
+#include <openssl/evp.h>
+
+
+#define DES_BLOCK_SIZE 8
+#define DES3_KEY_BYTES 21
+#define DES3_KEY_LEN 24
+
+static krb5_error_code
+validate(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_data *input, const krb5_data *output)
+{
+ mit_des3_key_schedule schedule;
+
+ /* key->enctype was checked by the caller */
+
+ if (key->length != DES3_KEY_LEN)
+ return(KRB5_BAD_KEYSIZE);
+ if ((input->length%DES_BLOCK_SIZE) != 0)
+ return(KRB5_BAD_MSIZE);
+ if (ivec && (ivec->length != 8))
+ return(KRB5_BAD_MSIZE);
+ if (input->length != output->length)
+ return(KRB5_BAD_MSIZE);
+
+ switch (mit_des3_key_sched(*(mit_des3_cblock *)key->contents,
+ schedule)) {
+ case -1:
+ return(KRB5DES_BAD_KEYPAR);
+ case -2:
+ return(KRB5DES_WEAK_KEY);
+ }
+ return 0;
+}
+
+static krb5_error_code
+validate_iov(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_crypto_iov *data, size_t num_data)
+{
+ size_t i, input_length;
+ mit_des3_key_schedule schedule;
+
+ for (i = 0, input_length = 0; i < num_data; i++) {
+ const krb5_crypto_iov *iov = &data[i];
+
+ if (ENCRYPT_IOV(iov))
+ input_length += iov->data.length;
+ }
+
+ if (key->length != DES3_KEY_LEN)
+ return(KRB5_BAD_KEYSIZE);
+ if ((input_length%DES_BLOCK_SIZE) != 0)
+ return(KRB5_BAD_MSIZE);
+ if (ivec && (ivec->length != 8))
+ return(KRB5_BAD_MSIZE);
+
+ switch (mit_des3_key_sched(*(mit_des3_cblock *)key->contents,
+ schedule)) {
+ case -1:
+ return(KRB5DES_BAD_KEYPAR);
+ case -2:
+ return(KRB5DES_WEAK_KEY);
+ }
+ return 0;
+}
+
+static krb5_error_code
+k5_des3_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_data *input, krb5_data *output)
+{
+
+ int ret = 0, tmp_len = 0;
+ EVP_CIPHER_CTX ciph_ctx;
+ unsigned char *keybuf = NULL;
+ unsigned char *tmp_buf = NULL;
+ unsigned char iv[EVP_MAX_IV_LENGTH];
+
+ ret = validate(key, ivec, input, output);
+ if (ret)
+ return ret;
+
+ keybuf=key->contents;
+ keybuf[key->length] = '\0';
+
+ if (ivec && ivec->data) {
+ memset(iv,0,sizeof(iv));
+ memcpy(iv,ivec->data,ivec->length);
+ }
+
+ tmp_buf = OPENSSL_malloc(output->length);
+ if (!tmp_buf)
+ return ENOMEM;
+
+ EVP_CIPHER_CTX_init(&ciph_ctx);
+
+ ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL, keybuf,
+ (ivec && ivec->data) ? iv : NULL);
+ if (ret) {
+ EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
+ ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
+ (unsigned char *)input->data, input->length);
+ if (ret) {
+ output->length = tmp_len;
+ ret = EVP_EncryptFinal_ex(&ciph_ctx, tmp_buf+tmp_len, &tmp_len);
+ }
+ }
+
+ EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+
+ if (ret)
+ memcpy(output->data,tmp_buf, output->length);
+ memset(tmp_buf,0,output->length);
+ OPENSSL_free(tmp_buf);
+
+ if (!ret)
+ return KRB5_CRYPTO_INTERNAL;
+ return 0;
+
+}
+
+static krb5_error_code
+k5_des3_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_data *input, krb5_data *output)
+{
+ int ret = 0, tmp_len = 0;
+ EVP_CIPHER_CTX ciph_ctx;
+ unsigned char *keybuf = NULL;
+ unsigned char *tmp_buf = NULL;
+ unsigned char iv[EVP_MAX_IV_LENGTH];
+
+ ret = validate(key, ivec, input, output);
+ if (ret)
+ return ret;
+
+ keybuf=key->contents;
+ keybuf[key->length] = '\0';
+
+ if (ivec && ivec->data) {
+ memset(iv,0,sizeof(iv));
+ memcpy(iv,ivec->data,ivec->length);
+ }
+
+ tmp_buf=OPENSSL_malloc(output->length);
+ if (!tmp_buf)
+ return ENOMEM;
+
+ EVP_CIPHER_CTX_init(&ciph_ctx);
+
+ ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL, keybuf,
+ (ivec && ivec->data) ? iv: NULL);
+ if (ret) {
+ EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
+ ret = EVP_DecryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
+ (unsigned char *)input->data, input->length);
+ if (ret) {
+ output->length = tmp_len;
+ ret = EVP_DecryptFinal_ex(&ciph_ctx, tmp_buf+tmp_len, &tmp_len);
+ }
+ }
+
+ EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+
+ if (ret)
+ memcpy(output->data,tmp_buf, output->length);
+
+ memset(tmp_buf,0,output->length);
+ OPENSSL_free(tmp_buf);
+
+ if (!ret)
+ return KRB5_CRYPTO_INTERNAL;
+ return 0;
+
+}
+
+static krb5_error_code
+k5_des3_make_key(const krb5_data *randombits, krb5_keyblock *key)
+{
+ int i;
+
+ if (key->length != DES3_KEY_LEN)
+ return(KRB5_BAD_KEYSIZE);
+ if (randombits->length != DES3_KEY_BYTES)
+ return(KRB5_CRYPTO_INTERNAL);
+
+ key->magic = KV5M_KEYBLOCK;
+
+ /* take the seven bytes, move them around into the top 7 bits of the
+ 8 key bytes, then compute the parity bits. Do this three times. */
+
+ for (i=0; i<3; i++) {
+ memcpy(key->contents+i*8, randombits->data+i*7, 7);
+ key->contents[i*8+7] = (((key->contents[i*8]&1)<<1) |
+ ((key->contents[i*8+1]&1)<<2) |
+ ((key->contents[i*8+2]&1)<<3) |
+ ((key->contents[i*8+3]&1)<<4) |
+ ((key->contents[i*8+4]&1)<<5) |
+ ((key->contents[i*8+5]&1)<<6) |
+ ((key->contents[i*8+6]&1)<<7));
+
+ mit_des_fixup_key_parity(key->contents+i*8);
+ }
+
+ return(0);
+}
+
+static krb5_error_code
+validate_and_schedule_iov(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_crypto_iov *data, size_t num_data,
+ mit_des3_key_schedule *schedule)
+{
+ size_t i, input_length;
+
+ for (i = 0, input_length = 0; i < num_data; i++) {
+ const krb5_crypto_iov *iov = &data[i];
+
+ if (ENCRYPT_IOV(iov))
+ input_length += iov->data.length;
+ }
+
+ if (key->length != 24)
+ return(KRB5_BAD_KEYSIZE);
+ if ((input_length%8) != 0)
+ return(KRB5_BAD_MSIZE);
+ if (ivec && (ivec->length != 8))
+ return(KRB5_BAD_MSIZE);
+
+ switch (mit_des3_key_sched(*(mit_des3_cblock *)key->contents,
+ *schedule)) {
+ case -1:
+ return(KRB5DES_BAD_KEYPAR);
+ case -2:
+ return(KRB5DES_WEAK_KEY);
+ }
+ return 0;
+}
+
+static krb5_error_code
+k5_des3_encrypt_iov(const krb5_keyblock *key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+#if 0
+ int ret = 0, tmp_len = 0;
+ unsigned int i = 0;
+ EVP_CIPHER_CTX ciph_ctx;
+ unsigned char *keybuf = NULL ;
+ krb5_crypto_iov *iov = NULL;
+ unsigned char *tmp_buf = NULL;
+ unsigned char iv[EVP_MAX_IV_LENGTH];
+
+ ret = validate_iov(key, ivec, data, num_data);
+ if (ret)
+ return ret;
+
+ if (ivec && ivec->data){
+ memset(iv,0,sizeof(iv));
+ memcpy(iv,ivec->data,ivec->length);
+ }
+
+
+ EVP_CIPHER_CTX_init(&ciph_ctx);
+
+ ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL,
+ keybuf, (ivec && ivec->data) ? iv : NULL);
+ if (!ret)
+ return KRB5_CRYPTO_INTERNAL;
+
+ for (i = 0; i < num_data; i++) {
+ iov = &data[i];
+ if (iov->data.length <= 0) break;
+ tmp_len = iov->data.length;
+
+ if (ENCRYPT_IOV(iov)) {
+ tmp_buf=(unsigned char *)iov->data.data;
+ ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
+ (unsigned char *)iov->data.data, iov->data.length);
+ if (!ret) break;
+ iov->data.length = tmp_len;
+ }
+ }
+ if(ret)
+ ret = EVP_EncryptFinal_ex(&ciph_ctx, (unsigned char *)tmp_buf, &tmp_len);
+
+ if (ret)
+ iov->data.length += tmp_len;
+
+ EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+
+ if (!ret)
+ return KRB5_CRYPTO_INTERNAL;
+ return 0;
+#endif
+
+//#if 0
+ mit_des3_key_schedule schedule;
+ krb5_error_code err;
+
+ err = validate_and_schedule_iov(key, ivec, data, num_data, &schedule);
+ if (err)
+ return err;
+
+ /* this has a return value, but the code always returns zero */
+ krb5int_des3_cbc_encrypt_iov(data, num_data,
+ schedule[0], schedule[1], schedule[2],
+ ivec != NULL ? (unsigned char *) ivec->data : NULL);
+
+ zap(schedule, sizeof(schedule));
+ return(0);
+//#endif
+}
+
+static krb5_error_code
+k5_des3_decrypt_iov(const krb5_keyblock *key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ mit_des3_key_schedule schedule;
+ krb5_error_code err;
+
+ err = validate_and_schedule_iov(key, ivec, data, num_data, &schedule);
+ if (err)
+ return err;
+
+ /* this has a return value, but the code always returns zero */
+ krb5int_des3_cbc_decrypt_iov(data, num_data,
+ schedule[0], schedule[1], schedule[2],
+ ivec != NULL ? (unsigned char *) ivec->data : NULL);
+
+ zap(schedule, sizeof(schedule));
+
+ return(0);
+}
+
+const struct krb5_enc_provider krb5int_enc_des3 = {
+ DES_BLOCK_SIZE,
+ DES3_KEY_BYTES, DES3_KEY_LEN,
+ k5_des3_encrypt,
+ k5_des3_decrypt,
+ k5_des3_make_key,
+ krb5int_des_init_state,
+ krb5int_default_free_state,
+ k5_des3_encrypt_iov,
+ k5_des3_decrypt_iov
+};
+
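Review bot: `keybuf[key->length] = '\0';` in k5_des3_encrypt (and again in k5_des3_decrypt) writes past the 24-byte key buffer and modifies a keyblock declared `const`; EVP_des_ede3_cbc takes the raw 24 bytes, so delete the line and pass `key->contents` directly to EVP_*Init_ex. validate() and validate_iov() expand the key into a stack `mit_des3_key_schedule` only to detect weak or bad-parity keys and then return without clearing it, whereas k5_des3_decrypt_iov calls `zap(schedule, sizeof(schedule))` after use; add the same zap before each return that follows mit_des3_key_sched. The `#if 0` EVP-based body at the top of k5_des3_encrypt_iov, together with the `//#if 0` and `//#endif` markers around the live code, is dead code and should be removed, after which validate_iov is unused and can go too.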
diff --git a/src/lib/crypto/openssl/enc_provider/enc_provider.h b/src/lib/crypto/openssl/enc_provider/enc_provider.h
new file mode 100644
index 0000000..d46e1b4
--- /dev/null
+++ b/src/lib/crypto/openssl/enc_provider/enc_provider.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "k5-int.h"
+
+extern const struct krb5_enc_provider krb5int_enc_des;
+extern const struct krb5_enc_provider krb5int_enc_des3;
+extern const struct krb5_enc_provider krb5int_enc_arcfour;
+extern const struct krb5_enc_provider krb5int_enc_aes128;
+extern const struct krb5_enc_provider krb5int_enc_aes256;
+extern const struct krb5_enc_provider krb5int_enc_aes128_ctr;
+extern const struct krb5_enc_provider krb5int_enc_aes256_ctr;
+
diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c
new file mode 100644
index 0000000..b82af52
--- /dev/null
+++ b/src/lib/crypto/openssl/enc_provider/rc4.c
@@ -0,0 +1,167 @@
+/* arcfour.c
+ *
+ * #include STD_DISCLAIMER
+ */
+
+#include "k5-int.h"
+#include "arcfour-int.h"
+#include "enc_provider.h"
+#include <aead.h>
+#include <openssl/evp.h>
+
+#define RC4_KEY_SIZE 16
+#define RC4_BLOCK_SIZE 1
+
+/* Interface layer to kerb5 crypto layer */
+static krb5_error_code
+k5_arcfour_docrypt(const krb5_keyblock *, const krb5_data *,
+ const krb5_data *, krb5_data *);
+
+/* from a random bitstrem, construct a key */
+static krb5_error_code
+k5_arcfour_make_key(const krb5_data *, krb5_keyblock *);
+
+static krb5_error_code
+k5_arcfour_free_state ( krb5_data *state);
+static krb5_error_code
+k5_arcfour_init_state (const krb5_keyblock *key,
+ krb5_keyusage keyusage, krb5_data *new_state);
+
+/* The workhorse of the arcfour system, this impliments the cipher */
+static krb5_error_code
+k5_arcfour_docrypt(const krb5_keyblock *key, const krb5_data *state,
+ const krb5_data *input, krb5_data *output)
+{
+ int ret = 0, tmp_len = 0;
+ unsigned char *keybuf = NULL;
+ unsigned char *tmp_buf = NULL;
+ EVP_CIPHER_CTX ciph_ctx;
+
+ if (key->length != RC4_KEY_SIZE)
+ return(KRB5_BAD_KEYSIZE);
+
+ if (input->length != output->length)
+ return(KRB5_BAD_MSIZE);
+
+ keybuf=key->contents;
+ keybuf[key->length] = '\0';
+
+ EVP_CIPHER_CTX_init(&ciph_ctx);
+ ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_rc4(), NULL, keybuf, NULL);
+ if (ret) {
+ tmp_buf=(unsigned char *)output->data;
+ ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, (unsigned char *)input->data, input->length);
+ output->length = tmp_len;
+ }
+ if (ret) {
+ tmp_buf += tmp_len;
+ ret = EVP_EncryptFinal_ex(&ciph_ctx, tmp_buf, &tmp_len);
+ }
+ EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+ output->length += tmp_len;
+
+ if (!ret)
+ return KRB5_CRYPTO_INTERNAL;
+ return 0;
+}
+
+
+/* In-place decryption */
+static krb5_error_code
+k5_arcfour_docrypt_iov(const krb5_keyblock *key,
+ const krb5_data *state,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ size_t i;
+ int ret = 0, tmp_len = 0;
+ EVP_CIPHER_CTX ciph_ctx;
+ unsigned char *keybuf = NULL ;
+ krb5_crypto_iov *iov = NULL;
+ unsigned char *tmp_buf = NULL;
+
+ keybuf=key->contents;
+ keybuf[key->length] = '\0';
+
+ EVP_CIPHER_CTX_init(&ciph_ctx);
+
+ ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_rc4(), NULL, keybuf, NULL);
+ if (!ret)
+ return -1;
+
+ for (i = 0; i < num_data; i++) {
+ iov = &data[i];
+ if (iov->data.length <= 0) break;
+ tmp_len = iov->data.length;
+
+ if (ENCRYPT_IOV(iov)) {
+ tmp_buf=(unsigned char *)iov->data.data;
+ ret = EVP_EncryptUpdate(&ciph_ctx,
+ tmp_buf, &tmp_len,
+ (unsigned char *)iov->data.data, iov->data.length);
+ if (!ret) break;
+ iov->data.length = tmp_len;
+ }
+ }
+ if(ret)
+ ret = EVP_EncryptFinal_ex(&ciph_ctx, (unsigned char *)tmp_buf, &tmp_len);
+ if (ret)
+ iov->data.length += tmp_len;
+ EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+
+ if (!ret)
+ return -1;
+ return 0;
+}
+
+
+static krb5_error_code
+k5_arcfour_make_key(const krb5_data *randombits, krb5_keyblock *key)
+{
+ if (key->length != RC4_KEY_SIZE)
+ return(KRB5_BAD_KEYSIZE);
+ if (randombits->length != RC4_KEY_SIZE)
+ return(KRB5_CRYPTO_INTERNAL);
+
+ key->magic = KV5M_KEYBLOCK;
+
+ memcpy(key->contents, randombits->data, randombits->length);
+
+ return(0);
+}
+
+static krb5_error_code
+k5_arcfour_free_state ( krb5_data *state)
+{
+ return 0; /* not implemented */
+}
+
+static krb5_error_code
+k5_arcfour_init_state (const krb5_keyblock *key,
+ krb5_keyusage keyusage, krb5_data *new_state)
+{
+ return 0; /* not implemented */
+
+}
+
+/* Since the arcfour cipher is identical going forwards and backwards,
+ we just call "docrypt" directly
+*/
+const struct krb5_enc_provider krb5int_enc_arcfour = {
+ /* This seems to work... although I am not sure what the
+ implications are in other places in the kerberos library */
+ RC4_BLOCK_SIZE,
+ /* Keysize is arbitrary in arcfour, but the constraints of the
+ system, and to attempt to work with the MSFT system forces us
+ to 16byte/128bit. Since there is no parity in the key, the
+ byte and length are the same. */
+ RC4_KEY_SIZE, RC4_KEY_SIZE,
+ k5_arcfour_docrypt,
+ k5_arcfour_docrypt,
+ k5_arcfour_make_key,
+ k5_arcfour_init_state, /*xxx not implemented */
+ k5_arcfour_free_state, /*xxx not implemented */
+ k5_arcfour_docrypt_iov,
+ k5_arcfour_docrypt_iov
+};
+
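Review bot: `keybuf[key->length] = '\0'` in both k5_arcfour_docrypt and k5_arcfour_docrypt_iov writes one byte past the end of the caller's key buffer (key->contents holds key->length bytes) and mutates a key handed in as `const`; EVP_EncryptInit_ex takes the raw 16-byte key and needs no terminator, so both lines should be dropped. k5_arcfour_docrypt_iov also skips the `key->length != RC4_KEY_SIZE` check that k5_arcfour_docrypt performs, returns `-1` instead of a krb5_error_code, leaks the initialized EVP_CIPHER_CTX when EVP_EncryptInit_ex fails, and after the loop dereferences a NULL `iov` (`iov->data.length += tmp_len`) when num_data is 0. Inside the loop, `if (iov->data.length <= 0) break;` stops at the first empty iov, leaving any later ENCRYPT_IOV entries in plaintext; length looks unsigned so this fires only on 0, but a zero-length header or padding iov is plausible, and `continue` is the intended behaviour. The `state` argument is ignored and init_state/free_state are stubs, so if the builtin arcfour provider continues its keystream across calls via `state`, this provider silently diverges — worth confirming before it is selected as the default. The rewritten prologue of k5_arcfour_docrypt_iov below shows the intended shape.
```c
static krb5_error_code
k5_arcfour_docrypt_iov(const krb5_keyblock *key,
                       const krb5_data *state,
                       krb5_crypto_iov *data,
                       size_t num_data)
{
    /* … unchanged: locals … */

    if (key->length != RC4_KEY_SIZE)
        return KRB5_BAD_KEYSIZE;

    /* EVP consumes the raw 16-byte key; key->contents is exactly
     * key->length bytes, so no NUL terminator is written. */
    EVP_CIPHER_CTX_init(&ciph_ctx);
    ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_rc4(), NULL, key->contents, NULL);
    if (!ret) {
        EVP_CIPHER_CTX_cleanup(&ciph_ctx);
        return KRB5_CRYPTO_INTERNAL;
    }

    for (i = 0; i < num_data; i++) {
        iov = &data[i];
        if (iov->data.length == 0)
            continue;           /* skip empty iovs; keep encrypting the rest */
        /* … unchanged: EVP_EncryptUpdate on ENCRYPT_IOV entries … */
    }
    /* … unchanged: EVP_EncryptFinal_ex (guard iov != NULL), cleanup, return … */
}
```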
diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c
new file mode 100644
index 0000000..a5543c9
--- /dev/null
+++ b/src/lib/crypto/openssl/hmac.c
@@ -0,0 +1,110 @@
+/*
+ */
+
+#include "k5-int.h"
+#include "aead.h"
+#include <openssl/hmac.h>
+#include <openssl/evp.h>
+
+/*
+ * the HMAC transform looks like:
+ *
+ * H(K XOR opad, H(K XOR ipad, text))
+ *
+ * where H is a cryptographic hash
+ * K is an n byte key
+ * ipad is the byte 0x36 repeated blocksize times
+ * opad is the byte 0x5c repeated blocksize times
+ * and text is the data being protected
+ */
+
+static const EVP_MD *
+map_digest(const struct krb5_hash_provider *hash)
+{
+ if (!strncmp(hash->hash_name, "SHA1",4))
+ return EVP_sha1();
+ else if (!strncmp(hash->hash_name, "MD5", 3))
+ return EVP_md5();
+ else if (!strncmp(hash->hash_name, "MD4", 3))
+ return EVP_md4();
+ else
+ return NULL;
+}
+
+krb5_error_code
+krb5_hmac(const struct krb5_hash_provider *hash, const krb5_keyblock *key,
+ unsigned int icount, const krb5_data *input, krb5_data *output)
+{
+ unsigned int i = 0, md_len = 0;
+ unsigned char md[EVP_MAX_MD_SIZE];
+ HMAC_CTX c;
+ size_t hashsize, blocksize;
+
+ hashsize = hash->hashsize;
+ blocksize = hash->blocksize;
+
+ if (key->length > blocksize)
+ return(KRB5_CRYPTO_INTERNAL);
+ if (output->length < hashsize)
+ return(KRB5_BAD_MSIZE);
+ /* if this isn't > 0, then there won't be enough space in this
+ array to compute the outer hash */
+ if (icount == 0)
+ return(KRB5_CRYPTO_INTERNAL);
+
+ if (!map_digest(hash))
+ return(KRB5_CRYPTO_INTERNAL); // unsupported alg
+
+ HMAC_CTX_init(&c);
+ HMAC_Init(&c, key->contents, key->length, map_digest(hash));
+ for ( i = 0; i < icount; i++ ) {
+ HMAC_Update(&c,(const unsigned char*)input[i].data, input[i].length);
+ }
+ HMAC_Final(&c,(unsigned char *)md, &md_len);
+ if ( md_len <= output->length) {
+ output->length = md_len;
+ memcpy(output->data, md, output->length);
+ }
+ HMAC_CTX_cleanup(&c);
+ return 0;
+
+
+}
+
+krb5_error_code
+krb5int_hmac_iov(const struct krb5_hash_provider *hash, const krb5_keyblock *key,
+ const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
+{
+ krb5_data *sign_data;
+ size_t num_sign_data;
+ krb5_error_code ret;
+ size_t i, j;
+
+ /* Create a checksum over all the data to be signed */
+ for (i = 0, num_sign_data = 0; i < num_data; i++) {
+ const krb5_crypto_iov *iov = &data[i];
+
+ if (SIGN_IOV(iov))
+ num_sign_data++;
+ }
+
+ /* XXX cleanup to avoid alloc */
+ sign_data = (krb5_data *)calloc(num_sign_data, sizeof(krb5_data));
+ if (sign_data == NULL)
+ return ENOMEM;
+
+ for (i = 0, j = 0; i < num_data; i++) {
+ const krb5_crypto_iov *iov = &data[i];
+
+ if (SIGN_IOV(iov))
+ sign_data[j++] = iov->data;
+ }
+
+ /* caller must store checksum in iov as it may be TYPE_TRAILER or TYPE_CHECKSUM */
+ ret = krb5_hmac(hash, key, num_sign_data, sign_data, output);
+
+ free(sign_data);
+
+ return ret;
+}
+
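Review bot: krb5_hmac returns 0 even when it writes nothing: when `md_len` exceeds `output->length` the `if (md_len <= output->length)` block is skipped, `output` is left untouched and the caller sees success. Since `output->length >= hashsize` is already enforced above, either drop the condition or make the mismatch an error, e.g. `if (md_len > output->length) { HMAC_CTX_cleanup(&c); return KRB5_BAD_MSIZE; }`. The `HMAC_Init`/`HMAC_Update`/`HMAC_Final` results are also discarded; in OpenSSL versions where they return int they can fail, so prefer `HMAC_Init_ex` and check each result before trusting `md`. In krb5int_hmac_iov, `calloc(0, …)` may return NULL when no iov has SIGN_IOV set, which is then misreported as ENOMEM; handle `num_sign_data == 0` explicitly before allocating.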
diff --git a/src/lib/crypto/openssl/md4/deps b/src/lib/crypto/openssl/md4/deps
new file mode 100644
index 0000000..1decaf9
--- /dev/null
+++ b/src/lib/crypto/openssl/md4/deps
@@ -0,0 +1,13 @@
+#
+# Generated makefile dependencies follow.
+#
+md4.so md4.po $(OUTPRE)md4.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/autoconf.h \
+ $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \
+ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
+ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
+ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
+ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
+ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h md4.c rsa-md4.h
diff --git a/src/lib/crypto/openssl/md4/md4.c b/src/lib/crypto/openssl/md4/md4.c
new file mode 100644
index 0000000..88d5191
--- /dev/null
+++ b/src/lib/crypto/openssl/md4/md4.c
@@ -0,0 +1,29 @@
+/*
+ * lib/crypto/openssl/md4/md4.c
+ */
+
+#include "k5-int.h"
+#include "rsa-md4.h"
+#include <openssl/evp.h>
+#include <openssl/md4.h>
+
+void
+krb5_MD4Init (krb5_MD4_CTX *mdContext)
+{
+ EVP_MD_CTX_init(&mdContext->ossl_md4_ctx );
+ EVP_DigestInit_ex(&mdContext->ossl_md4_ctx, EVP_md4(), NULL);
+
+}
+void
+krb5_MD4Update (krb5_MD4_CTX *mdContext, const unsigned char *inBuf, unsigned int inLen)
+{
+ EVP_DigestUpdate(&mdContext->ossl_md4_ctx, inBuf, inLen);
+}
+
+void
+krb5_MD4Final (krb5_MD4_CTX *mdContext)
+{
+ EVP_DigestFinal_ex(&mdContext->ossl_md4_ctx, mdContext->digest , NULL);
+ EVP_MD_CTX_cleanup(&mdContext->ossl_md4_ctx );
+}
+
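Review bot: The results of `EVP_DigestInit_ex` and `EVP_DigestFinal_ex` are discarded in krb5_MD4Init and krb5_MD4Final, and because the wrappers keep their `void` signatures a failed init (an OpenSSL build without MD4, for instance — not verifiable from this hunk) leaves `mdContext->digest` holding whatever bytes were there before, which the caller will use as a checksum. If the signatures cannot change, at least zero the digest in krb5_MD4Init, `memset(mdContext->digest, 0, sizeof(mdContext->digest));`, so failure is deterministic rather than uninitialized memory, and add a comment such as `/* EVP failures cannot be reported through this void interface. */` at the top of the file. The trailing blank line inside krb5_MD4Init and the space before `)` in `ossl_md4_ctx )` are style nits that do not match the rest of the tree.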
diff --git a/src/lib/crypto/openssl/md4/rsa-md4.h b/src/lib/crypto/openssl/md4/rsa-md4.h
new file mode 100644
index 0000000..4b02047
--- /dev/null
+++ b/src/lib/crypto/openssl/md4/rsa-md4.h
@@ -0,0 +1,99 @@
+/*
+ * lib/crypto/md4/rsa-md4.h
+ *
+ * Copyright 1991 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * RSA MD4 header file, with Kerberos/STDC additions.
+ */
+
+#ifndef __KRB5_RSA_MD4_H__
+#define __KRB5_RSA_MD4_H__
+
+#ifdef unicos61
+#include <sys/types.h>
+#endif /* unicos61 */
+
+#include <openssl/evp.h>
+#include <openssl/md5.h>
+
+/* 16 u_char's in the digest */
+#define RSA_MD4_CKSUM_LENGTH 16
+/* des blocksize is 8, so this works nicely... */
+#define OLD_RSA_MD4_DES_CKSUM_LENGTH 16
+#define NEW_RSA_MD4_DES_CKSUM_LENGTH 24
+#define RSA_MD4_DES_CONFOUND_LENGTH 8
+
+/*
+ **********************************************************************
+ ** md4.h -- Header file for implementation of MD4 **
+ ** RSA Data Security, Inc. MD4 Message Digest Algorithm **
+ ** Created: 2/17/90 RLR **
+ ** Revised: 12/27/90 SRD,AJ,BSK,JT Reference C version **
+ **********************************************************************
+ */
+
+/*
+ **********************************************************************
+ ** Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. **
+ ** **
+ ** License to copy and use this software is granted provided that **
+ ** it is identified as the "RSA Data Security, Inc. MD4 Message **
+ ** Digest Algorithm" in all material mentioning or referencing this **
+ ** software or this function. **
+ ** **
+ ** License is also granted to make and use derivative works **
+ ** provided that such works are identified as "derived from the RSA **
+ ** Data Security, Inc. MD4 Message Digest Algorithm" in all **
+ ** material mentioning or referencing the derived work. **
+ ** **
+ ** RSA Data Security, Inc. makes no representations concerning **
+ ** either the merchantability of this software or the suitability **
+ ** of this software for any particular purpose. It is provided "as **
+ ** is" without express or implied warranty of any kind. **
+ ** **
+ ** These notices must be retained in any copies of any part of this **
+ ** documentation and/or software. **
+ **********************************************************************
+ */
+
+/* Data structure for MD4 (Message Digest) computation */
+typedef struct {
+ EVP_MD_CTX ossl_md4_ctx;
+ krb5_int32 * digest_len;
+ krb5_ui_4 i[2]; /* number of _bits_ handled mod 2^64 */
+ krb5_ui_4 buf[4]; /* scratch buffer */
+ unsigned char in[64]; /* input buffer */
+ unsigned char digest[16]; /* actual digest after MD4Final call */
+} krb5_MD4_CTX;
+
+extern void krb5_MD4Init(krb5_MD4_CTX *);
+extern void krb5_MD4Update(krb5_MD4_CTX *, const unsigned char *, unsigned int);
+extern void krb5_MD4Final(krb5_MD4_CTX *);
+
+/*
+ **********************************************************************
+ ** End of md4.h **
+ ******************************* (cut) ********************************
+ */
+#endif /* __KRB5_RSA_MD4_H__ */
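Review bot: krb5_MD4_CTX carries the reference implementation's `i`, `buf` and `in` fields plus a new, unused `krb5_int32 *digest_len` pointer; none of them is read or written by the OpenSSL-backed md4.c, so a reader may assume the legacy state is still maintained when it is not. Trim the struct to `EVP_MD_CTX ossl_md4_ctx; unsigned char digest[16];` (or comment the dead fields as retained for layout compatibility if that is the intent). The header also includes `<openssl/md5.h>` where `<openssl/md4.h>` is meant; md4.c currently compensates by including the right header itself.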
diff --git a/src/lib/crypto/openssl/md5/deps b/src/lib/crypto/openssl/md5/deps
new file mode 100644
index 0000000..fc3378d
--- /dev/null
+++ b/src/lib/crypto/openssl/md5/deps
@@ -0,0 +1,13 @@
+#
+# Generated makefile dependencies follow.
+#
+md5.so md5.po $(OUTPRE)md5.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/autoconf.h \
+ $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \
+ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
+ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
+ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
+ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
+ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h md5.c rsa-md5.h
diff --git a/src/lib/crypto/openssl/md5/md5.c b/src/lib/crypto/openssl/md5/md5.c
new file mode 100644
index 0000000..8519dd5
--- /dev/null
+++ b/src/lib/crypto/openssl/md5/md5.c
@@ -0,0 +1,36 @@
+
+#include "k5-int.h"
+#include "rsa-md5.h"
+#include <openssl/evp.h>
+#include <openssl/md5.h>
+
+/* The routine krb5_MD5Init initializes the message-digest context
+ mdContext. All fields are set to zero.
+ */
+void
+krb5_MD5Init (krb5_MD5_CTX *mdContext)
+{
+ EVP_MD_CTX_init(&mdContext->ossl_md5_ctx);
+ EVP_DigestInit_ex(&mdContext->ossl_md5_ctx, EVP_md5(), NULL);
+}
+
+/* The routine krb5_MD5Update updates the message-digest context to
+ account for the presence of each of the characters inBuf[0..inLen-1]
+ in the message whose digest is being computed.
+ */
+void
+krb5_MD5Update (krb5_MD5_CTX *mdContext, const unsigned char *inBuf, unsigned int inLen)
+{
+ EVP_DigestUpdate(&mdContext->ossl_md5_ctx, inBuf, inLen);
+}
+
+/* The routine krb5_MD5Final terminates the message-digest computation and
+ ends with the desired message digest in mdContext->digest[0...15].
+ */
+void
+krb5_MD5Final (krb5_MD5_CTX *mdContext)
+{
+ EVP_DigestFinal_ex(&mdContext->ossl_md5_ctx, mdContext->digest, NULL);
+ EVP_MD_CTX_cleanup(&mdContext->ossl_md5_ctx);
+}
+
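Review bot: The comment on krb5_MD5Init, `All fields are set to zero`, is no longer true: only `ossl_md5_ctx` is initialized and the legacy `i`, `buf`, `in` and `digest` fields are left untouched, so the doc now misleads anyone relying on a zeroed context. Replace it with `/* Initialize the OpenSSL digest context; the legacy MD5 state fields are unused here. */`. As in md4.c, the `EVP_DigestInit_ex`/`EVP_DigestFinal_ex` results are dropped behind a `void` interface, so a failure yields an undefined `digest`; at minimum zero `mdContext->digest` in Init so the failure mode is deterministic.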
diff --git a/src/lib/crypto/openssl/md5/rsa-md5.h b/src/lib/crypto/openssl/md5/rsa-md5.h
new file mode 100644
index 0000000..7240b20
--- /dev/null
+++ b/src/lib/crypto/openssl/md5/rsa-md5.h
@@ -0,0 +1,27 @@
+
+#ifndef KRB5_RSA_MD5__
+#define KRB5_RSA_MD5__
+
+#include <openssl/evp.h>
+#include <openssl/md5.h>
+
+/* Data structure for MD5 (Message-Digest) computation */
+typedef struct {
+ EVP_MD_CTX ossl_md5_ctx;
+ krb5_int32 * digest_len;
+ krb5_ui_4 i[2]; /* number of _bits_ handled mod 2^64 */
+ krb5_ui_4 buf[4]; /* scratch buffer */
+ unsigned char in[64]; /* input buffer */
+ unsigned char digest[16]; /* actual digest after MD5Final call */
+} krb5_MD5_CTX;
+
+extern void krb5_MD5Init(krb5_MD5_CTX *);
+extern void krb5_MD5Update(krb5_MD5_CTX *,const unsigned char *,unsigned int);
+extern void krb5_MD5Final(krb5_MD5_CTX *);
+
+#define RSA_MD5_CKSUM_LENGTH 16
+#define OLD_RSA_MD5_DES_CKSUM_LENGTH 16
+#define NEW_RSA_MD5_DES_CKSUM_LENGTH 24
+#define RSA_MD5_DES_CONFOUND_LENGTH 8
+
+#endif /* KRB5_RSA_MD5__ */
diff --git a/src/lib/crypto/openssl/pbkdf2.c b/src/lib/crypto/openssl/pbkdf2.c
new file mode 100644
index 0000000..bef8be2
--- /dev/null
+++ b/src/lib/crypto/openssl/pbkdf2.c
@@ -0,0 +1,53 @@
+/*
+ * lib/crypto/openssl/pbkdf2.c
+ *
+ * Copyright 2002, 2008 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * Implementation of PBKDF2 from RFC 2898.
+ * Not currently used; likely to be used when we get around to AES support.
+ */
+
+#include <ctype.h>
+#include "k5-int.h"
+#include "hash_provider.h"
+
+#include <openssl/x509.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+
+
+krb5_error_code
+krb5int_pbkdf2_hmac_sha1 (const krb5_data *out, unsigned long count,
+ const krb5_data *pass, const krb5_data *salt)
+{
+/*
+ * This is an implementation of PKCS#5 v2.0
+ * Does not return an error
+ */
+ PKCS5_PBKDF2_HMAC_SHA1(pass->data, pass->length,
+ (unsigned char *)salt->data, salt->length, count,
+ out->length, (unsigned char *)out->data);
+ return 0;
+}
+
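Review bot: The return value of `PKCS5_PBKDF2_HMAC_SHA1` is ignored and the inline comment claims it `Does not return an error`, but the function returns an int and can report failure (0) in the OpenSSL versions I know of — verify against the version targeted — so a failed derivation would return 0 with `out` never filled. Check it: `if (!PKCS5_PBKDF2_HMAC_SHA1(pass->data, pass->length, (unsigned char *)salt->data, salt->length, count, out->length, (unsigned char *)out->data)) return KRB5_CRYPTO_INTERNAL;`. `count` is `unsigned long` while the iteration parameter is `int`, so values above INT_MAX are silently truncated; reject them up front with `if (count > INT_MAX) return KRB5_CRYPTO_INTERNAL;` (needs `<limits.h>`). The file header's `Not currently used; likely to be used when we get around to AES support` was carried over from the original and is presumably stale; drop or update it.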
diff --git a/src/lib/crypto/openssl/sha1/deps b/src/lib/crypto/openssl/sha1/deps
new file mode 100644
index 0000000..a8f51a8
--- /dev/null
+++ b/src/lib/crypto/openssl/sha1/deps
@@ -0,0 +1,13 @@
+#
+# Generated makefile dependencies follow.
+#
+shs.so shs.po $(OUTPRE)shs.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/autoconf.h \
+ $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \
+ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
+ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
+ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
+ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
+ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h shs.c shs.h
diff --git a/src/lib/crypto/openssl/sha1/shs.c b/src/lib/crypto/openssl/sha1/shs.c
new file mode 100644
index 0000000..9fb60f8
--- /dev/null
+++ b/src/lib/crypto/openssl/sha1/shs.c
@@ -0,0 +1,34 @@
+#include "shs.h"
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#include <string.h>
+
+/* Initialize the SHS values */
+void shsInit(SHS_INFO *shsInfo)
+{
+ EVP_MD_CTX_init(&shsInfo->ossl_sha1_ctx );
+ EVP_DigestInit_ex(&shsInfo->ossl_sha1_ctx , EVP_sha1(), NULL);
+}
+
+/* Update SHS for a block of data */
+
+void shsUpdate(SHS_INFO *shsInfo, const SHS_BYTE *buffer, unsigned int count)
+{
+ EVP_DigestUpdate(&shsInfo->ossl_sha1_ctx , buffer, count);
+}
+/* Final wrapup - pad to SHS_DATASIZE-byte boundary with the bit pattern
+ 1 0* (64-bit count of bits processed, MSB-first) */
+
+void shsFinal(SHS_INFO *shsInfo)
+{
+ unsigned char *digest_buf = NULL;
+
+ digest_buf = (unsigned char *)OPENSSL_malloc( sizeof(shsInfo->digest));
+
+ EVP_DigestFinal_ex(&shsInfo->ossl_sha1_ctx , digest_buf , &shsInfo->digest_len);
+
+ memcpy(shsInfo->digest, digest_buf, shsInfo->digest_len);
+ OPENSSL_free(digest_buf);
+ EVP_MD_CTX_cleanup(&shsInfo->ossl_sha1_ctx );
+}
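Review bot: shsFinal hands the result of `OPENSSL_malloc` to `EVP_DigestFinal_ex` without a NULL check, so an allocation failure turns into a write through a NULL pointer inside OpenSSL. The temporary is unnecessary: `sizeof(shsInfo->digest)` is 20 bytes, exactly SHA-1's output length, so `EVP_DigestFinal_ex(&shsInfo->ossl_sha1_ctx, (unsigned char *)shsInfo->digest, &shsInfo->digest_len);` can write in place and the malloc/memcpy/free disappear. Separately, `digest` is declared `SHS_LONG digest[5]`; if any consumer still reads it word-wise and serializes with store_32_be as the builtin provider does (not visible in this hunk), filling it with raw bytes produces byte-swapped output on little-endian hosts — confirm how the sha1 hash provider consumes it. The `EVP_DigestInit_ex`/`EVP_DigestFinal_ex` results are also discarded behind `void` signatures.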
diff --git a/src/lib/crypto/openssl/sha1/shs.h b/src/lib/crypto/openssl/sha1/shs.h
new file mode 100644
index 0000000..66e91b6
--- /dev/null
+++ b/src/lib/crypto/openssl/sha1/shs.h
@@ -0,0 +1,49 @@
+#ifndef _SHS_DEFINED
+
+#include "k5-int.h"
+#include <openssl/evp.h>
+#include <openssl/sha.h>
+
+#define _SHS_DEFINED
+
+/* Some useful types */
+
+typedef krb5_octet SHS_BYTE;
+typedef krb5_ui_4 SHS_LONG;
+
+/* Define the following to use the updated SHS implementation */
+#define NEW_SHS /**/
+
+/* The SHS block size and message digest sizes, in bytes */
+
+#define SHS_DATASIZE 64
+#define SHS_DIGESTSIZE 20
+
+/* The structure for storing SHS info */
+
+typedef struct {
+ EVP_MD_CTX ossl_sha1_ctx;
+ unsigned int digest_len;
+ SHS_LONG digest[ 5 ]; /* Message digest */
+ SHS_LONG countLo, countHi; /* 64-bit bit count */
+ SHS_LONG data[ 16 ]; /* SHS data buffer */
+} SHS_INFO;
+
+/* Message digest functions (shs.c) */
+void shsInit(SHS_INFO *shsInfo);
+void shsUpdate(SHS_INFO *shsInfo, const SHS_BYTE *buffer, unsigned int count);
+void shsFinal(SHS_INFO *shsInfo);
+
+
+/* Keyed Message digest functions (hmac_sha.c) */
+krb5_error_code hmac_sha(krb5_octet *text,
+ int text_len,
+ krb5_octet *key,
+ int key_len,
+ krb5_octet *digest);
+
+
+#define NIST_SHA_CKSUM_LENGTH SHS_DIGESTSIZE
+#define HMAC_SHA_CKSUM_LENGTH SHS_DIGESTSIZE
+
+#endif /* _SHS_DEFINED */
diff --git a/src/lib/gssapi/krb5/copy_ccache.c b/src/lib/gssapi/krb5/copy_ccache.c
index e7b48e0..19fe1d7 100644
--- a/src/lib/gssapi/krb5/copy_ccache.c
+++ b/src/lib/gssapi/krb5/copy_ccache.c
@@ -50,8 +50,11 @@ gss_krb5int_copy_ccache(OM_uint32 *minor_status,
krb5_free_context(context);
return(GSS_S_FAILURE);
}
- while (!code && !krb5_cc_next_cred(context, k5creds->ccache, &cursor, &creds))
+ while (!code && !krb5_cc_next_cred(context, k5creds->ccache, &cursor,
+ &creds)) {
code = krb5_cc_store_cred(context, out_ccache, &creds);
+ krb5_free_cred_contents(context, &creds);
+ }
krb5_cc_end_seq_get(context, k5creds->ccache, &cursor);
k5_mutex_unlock(&k5creds->lock);
*minor_status = code;
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index ad30cab..14b65f7 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -1683,6 +1683,13 @@ cleanup:
*src_name = sc->internal_name;
}
release_spnego_ctx(&sc);
+ } else if (ret != GSS_S_CONTINUE_NEEDED) {
+ if (sc != NULL) {
+ gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
+ GSS_C_NO_BUFFER);
+ release_spnego_ctx(&sc);
+ }
+ *context_handle = GSS_C_NO_CONTEXT;
}
gss_release_buffer(&tmpmin, &mechtok_out);
if (mechtok_in != GSS_C_NO_BUFFER) {
diff --git a/src/lib/kadm5/deps b/src/lib/kadm5/deps
index 09b77a8..f3b1e03 100644
--- a/src/lib/kadm5/deps
+++ b/src/lib/kadm5/deps
@@ -5,16 +5,6 @@ kadm_err.so kadm_err.po $(OUTPRE)kadm_err.$(OBJEXT): \
$(COM_ERR_DEPS) kadm_err.c
chpass_util_strings.so chpass_util_strings.po $(OUTPRE)chpass_util_strings.$(OBJEXT): \
$(COM_ERR_DEPS) chpass_util_strings.c
-ovsec_glue.so ovsec_glue.po $(OUTPRE)ovsec_glue.$(OBJEXT): \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h ovsec_glue.c
misc_free.so misc_free.po $(OUTPRE)misc_free.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
$(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
diff --git a/src/lib/kadm5/unit-test/config/unix.exp b/src/lib/kadm5/unit-test/config/unix.exp
index f14f126..0bbd72d 100644
--- a/src/lib/kadm5/unit-test/config/unix.exp
+++ b/src/lib/kadm5/unit-test/config/unix.exp
@@ -131,85 +131,85 @@ proc api_start {} {
set pid [spawn $API]
expect {
-re "$prompt$" {}
- eof { error "EOF starting API" }
- timeout { error "Timeout starting API" }
+ eof { perror "EOF starting API" }
+ timeout { perror "Timeout starting API" }
}
if {! [info exists env(TCLUTIL)]} {
- error "TCLUTIL environment variable isn't set"
+ perror "TCLUTIL environment variable isn't set"
}
# tcl 8.4 for some reason screws up autodetection of output
# EOL translation. Work around it for now.
send "if { \[info commands fconfigure\] ne \"\" } { fconfigure stdout -translation lf }\n"
expect {
-re "$prompt$" {}
- eof { error "EOF starting API" }
- timeout { error "Timeout starting API" }
+ eof { perror "EOF starting API" }
+ timeout { perror "Timeout starting API" }
}
send "source $env(TCLUTIL)\n"
expect {
-re "$prompt$" {}
- eof { error "EOF starting API" }
- timeout { error "Timeout starting API" }
+ eof { perror "EOF starting API" }
+ timeout { perror "Timeout starting API" }
}
send "set current_struct_version \[expr \$KADM5_STRUCT_VERSION &~ \$KADM5_STRUCT_VERSION_MASK\]\n"
expect {
-re "$prompt$" {}
- eof { error "EOF setting API varibles"}
- timeout { error "timeout setting API varibles"}
+ eof { perror "EOF setting API varibles"}
+ timeout { perror "timeout setting API varibles"}
}
send "set current_api_version \[expr \$KADM5_API_VERSION_2 &~ \$KADM5_API_VERSION_MASK\]\n"
expect {
-re "$prompt$" {}
- eof { error "EOF setting API varibles"}
- timeout { error "timeout setting API varibles"}
+ eof { perror "EOF setting API varibles"}
+ timeout { perror "timeout setting API varibles"}
}
send "set bad_struct_version_mask \[expr 0x65432100 | \$current_struct_version\]\n"
expect {
-re "$prompt$" {}
- eof { error "EOF setting API varibles"}
- timeout { error "timeout setting API varibles"}
+ eof { perror "EOF setting API varibles"}
+ timeout { perror "timeout setting API varibles"}
}
send "set bad_api_version_mask \[expr 0x65432100 | \$current_api_version\]\n"
expect {
-re "$prompt$" {}
- eof { error "EOF setting API varibles"}
- timeout { error "timeout setting API varibles"}
+ eof { perror "EOF setting API varibles"}
+ timeout { perror "timeout setting API varibles"}
}
send "set no_api_version_mask \$current_api_version\n"
expect {
-re "$prompt$" {}
- eof { error "EOF setting API varibles"}
- timeout { error "timeout setting API varibles"}
+ eof { perror "EOF setting API varibles"}
+ timeout { perror "timeout setting API varibles"}
}
send "set no_struct_version_mask \$current_struct_version\n"
expect {
-re "$prompt$" {}
- eof { error "EOF setting API varibles"}
- timeout { error "timeout setting API varibles"}
+ eof { perror "EOF setting API varibles"}
+ timeout { perror "timeout setting API varibles"}
}
send "set old_api_version \[expr \$KADM5_API_VERSION_MASK | 0x00\]\n"
expect {
-re "$prompt$" {}
- eof { error "EOF setting API varibles"}
- timeout { error "timeout setting API varibles"}
+ eof { perror "EOF setting API varibles"}
+ timeout { perror "timeout setting API varibles"}
}
send "set old_struct_version \[expr \$KADM5_STRUCT_VERSION_MASK | 0x00\]\n"
expect {
-re "$prompt$" {}
- eof { error "EOF setting API varibles"}
- timeout { error "timeout setting API varibles"}
+ eof { perror "EOF setting API varibles"}
+ timeout { perror "timeout setting API varibles"}
}
send "set new_api_version \[expr \$KADM5_API_VERSION_MASK | 0xca\]\n"
expect {
-re "$prompt$" {}
- eof { error "EOF setting API varibles"}
- timeout { error "timeout setting API varibles"}
+ eof { perror "EOF setting API varibles"}
+ timeout { perror "timeout setting API varibles"}
}
send "set new_struct_version \[expr \$KADM5_STRUCT_VERSION_MASK | 0xca\]\n"
expect {
-re "$prompt$" {}
- eof { error "EOF setting API varibles"}
- timeout { error "timeout setting API varibles"}
+ eof { perror "EOF setting API varibles"}
+ timeout { perror "timeout setting API varibles"}
}
set api_pid $pid
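Review bot: Switching `error` to `perror` changes control flow: as far as I know DejaGnu's perror logs a framework error and continues, so after `eof { perror "EOF starting API" }` api_start goes on to `send` to a spawn that has already exited, and every following expect block reports its own EOF. Each perror branch in this proc should exit the proc as well, e.g. `eof { perror "EOF starting API"; return }` and `timeout { perror "Timeout starting API"; return }`, and the `TCLUTIL` check should return after its perror too. If the intent was only to report a harness error rather than throw a Tcl error, that is fine, but the early return is still needed to avoid the cascade.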
diff --git a/src/lib/kadm5/unit-test/lib/lib.t b/src/lib/kadm5/unit-test/lib/lib.t
index 361c727..9537fc3 100644
--- a/src/lib/kadm5/unit-test/lib/lib.t
+++ b/src/lib/kadm5/unit-test/lib/lib.t
@@ -22,7 +22,7 @@ proc lib_start_api {} {
$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
lib_handle
}]} {
- error "$test: unexpected failure in init"
+ perror "$test: unexpected failure in init"
return
}
verbose "+++ restarted api ($lib_pid) for lib"
@@ -40,7 +40,7 @@ proc cmd {command} {
expect {
-re "OK .*$prompt$" { return 1 }
-re "ERROR .*$prompt$" { return 0 }
- "wrong # args" { error "$test: wrong number args"; return 0 }
+ "wrong # args" { perror "$test: wrong number args"; return 0 }
timeout { fail "$test: timeout"; return 0 }
eof { fail "$test: eof"; api_exit; lib_start_api; return 0 }
}
@@ -52,7 +52,7 @@ proc tcl_cmd {command} {
send "[string trim $command]\n"
expect {
-re "$prompt$" { return 1}
- "wrong # args" { error "$test: wrong number args"; return 0 }
+ "wrong # args" { perror "$test: wrong number args"; return 0 }
timeout { error_and_restart "timeout" }
eof { api_exit; lib_start_api; return 0 }
}
@@ -69,7 +69,7 @@ proc one_line_succeed_test {command} {
-re "ERROR .*$prompt$" {
fail "$test: $expect_out(buffer)"; return 0
}
- "wrong # args" { error "$test: wrong number args"; return 0 }
+ "wrong # args" { perror "$test: wrong number args"; return 0 }
timeout { fail "$test: timeout"; return 0 }
eof { fail "$test: eof"; api_exit; lib_start_api; return 0 }
}
@@ -85,7 +85,7 @@ proc one_line_fail_test {command code} {
-re "ERROR .*$code.*$prompt$" { pass "$test"; return 1 }
-re "ERROR .*$prompt$" { fail "$test: bad failure"; return 0 }
-re "OK .*$prompt$" { fail "$test: bad success"; return 0 }
- "wrong # args" { error "$test: wrong number args"; return 0 }
+ "wrong # args" { perror "$test: wrong number args"; return 0 }
timeout { fail "$test: timeout"; return 0 }
eof { fail "$test: eof"; api_exit; lib_start_api; return 0 }
}
@@ -100,7 +100,7 @@ proc one_line_fail_test_nochk {command} {
expect {
-re "ERROR .*$prompt$" { pass "$test:"; return 1 }
-re "OK .*$prompt$" { fail "$test: bad success"; return 0 }
- "wrong # args" { error "$test: wrong number args"; return 0 }
+ "wrong # args" { perror "$test: wrong number args"; return 0 }
timeout { fail "$test: timeout"; return 0 }
eof { fail "$test: eof"; api_exit; lib_start_api; return 0 }
}
@@ -111,7 +111,7 @@ proc resync {} {
expect {
-re "$prompt$" {}
- "wrong # args" { error "$test: wrong number args"; return 0 }
+ "wrong # args" { perror "$test: wrong number args"; return 0 }
eof { api_exit; lib_start_api }
}
}
@@ -173,7 +173,8 @@ proc principal_exists {name} {
lib_start_api
set ret [cmd [format {
- kadm5_get_principal $lib_handle "%s" principal
+ kadm5_get_principal $lib_handle "%s" principal \
+ KADM5_PRINCIPAL_NORMAL_MASK
} $name]]
# puts stdout "Finishing principal_exists."
@@ -246,7 +247,7 @@ proc kinit { princ pass {opts ""} } {
# the parent, which is us, to read pending data.
expect {
- "when initializing cache" { error "kinit failed: $expect_out(buffer)" }
+ "when initializing cache" { perror "kinit failed: $expect_out(buffer)" }
eof {}
}
wait
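Review bot: Replacing `error` with `perror` in the "when initializing cache" branch changes control flow, not just the message sink: `error` unwound the proc, whereas `perror` only records the failure, so the proc now falls through to `wait` and returns normally after a failed kinit and callers get no signal. Every other lib.t hunk in this commit pairs `perror` with an explicit `return`, so this branch should do the same, e.g. `"when initializing cache" { perror "kinit failed: $expect_out(buffer)"; return }` (or `return 0` if callers inspect the result). The kinit proc starts and ends outside the hunk, so whether a result value is expected is not visible here.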
@@ -282,20 +283,20 @@ proc create_principal_with_keysalts {name keysalts} {
spawn $kadmin_local -e "$keysalts"
expect {
"kadmin.local:" {}
- default { error "waiting for kadmin.local prompt"; return 1}
+ default { perror "waiting for kadmin.local prompt"; return 1}
}
send "ank -pw \"$name\" \"$name\"\n"
expect {
-re "Principal \"$name.*\" created." {}
"kadmin.local:" {
- error "expecting principal created message";
+ perror "expecting principal created message";
return 1
}
- default { error "waiting for principal created message"; return 1 }
+ default { perror "waiting for principal created message"; return 1 }
}
expect {
"kadmin.local:" {}
- default { error "waiting for kadmin.local prompt"; return 1 }
+ default { perror "waiting for kadmin.local prompt"; return 1 }
}
close
wait
diff --git a/src/lib/krb5/ccache/cc_file.c b/src/lib/krb5/ccache/cc_file.c
index 8b43b4e..bd93fa4 100644
--- a/src/lib/krb5/ccache/cc_file.c
+++ b/src/lib/krb5/ccache/cc_file.c
@@ -725,7 +725,6 @@ krb5_fcc_read_int32(krb5_context context, krb5_ccache id, krb5_int32 *i)
krb5_fcc_data *data = (krb5_fcc_data *)id->data;
krb5_error_code retval;
unsigned char buf[4];
- krb5_int32 val;
k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
@@ -736,11 +735,7 @@ krb5_fcc_read_int32(krb5_context context, krb5_ccache id, krb5_int32 *i)
retval = krb5_fcc_read(context, id, buf, 4);
if (retval)
return retval;
- val = buf[0];
- val = (val << 8) | buf[1];
- val = (val << 8) | buf[2];
- val = (val << 8) | buf[3];
- *i = val;
+ *i = load_32_be (buf);
return 0;
}
}
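Review bot: `*i = load_32_be (buf);` stores what is presumably an unsigned 32-bit value into a `krb5_int32`, so for input whose top bit is set the result depends on the implementation-defined unsigned-to-signed conversion; this is an improvement over the removed code, which left-shifted a signed `val` and was undefined for the same inputs, but the intent deserves a comment on that line such as `/* unsigned -> krb5_int32 conversion is implementation-defined for values >= 0x80000000; fine on two's-complement targets */`. krb5_fcc_read_int32 begins before the hunk.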
@@ -761,7 +756,7 @@ krb5_fcc_read_ui_2(krb5_context context, krb5_ccache id, krb5_ui_2 *i)
retval = krb5_fcc_read(context, id, buf, 2);
if (retval)
return retval;
- *i = (buf[0] << 8) + buf[1];
+ *i = load_16_be (buf);
return 0;
}
}
@@ -1077,13 +1072,7 @@ krb5_fcc_store_ui_4(krb5_context context, krb5_ccache id, krb5_ui_4 i)
(data->version == KRB5_FCC_FVNO_2))
return krb5_fcc_write(context, id, (char *) &i, sizeof(krb5_int32));
else {
- buf[3] = (unsigned char) (i & 0xFF);
- i >>= 8;
- buf[2] = (unsigned char) (i & 0xFF);
- i >>= 8;
- buf[1] = (unsigned char) (i & 0xFF);
- i >>= 8;
- buf[0] = (unsigned char) (i & 0xFF);
+ store_32_be (i, buf);
return krb5_fcc_write(context, id, buf, 4);
}
}
@@ -1102,9 +1091,7 @@ krb5_fcc_store_ui_2(krb5_context context, krb5_ccache id, krb5_int32 i)
ibuf = (krb5_ui_2) i;
return krb5_fcc_write(context, id, (char *) &ibuf, sizeof(krb5_ui_2));
} else {
- buf[1] = (unsigned char) (i & 0xFF);
- i >>= 8;
- buf[0] = (unsigned char) (i & 0xFF);
+ store_16_be (i, buf);
return krb5_fcc_write(context, id, buf, 2);
}
}
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
index 5fc3953..3e5f9e2 100644
--- a/src/lib/krb5/os/sendto_kdc.c
+++ b/src/lib/krb5/os/sendto_kdc.c
@@ -57,7 +57,7 @@
#define DEFAULT_UDP_PREF_LIMIT 1465
#define HARD_UDP_LIMIT 32700 /* could probably do 64K-epsilon ? */
-#undef DEBUG
+#define DEBUG 1
#ifdef DEBUG
int krb5int_debug_sendto_kdc = 0;
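Review bot: `#define DEBUG 1` replaces an explicit `#undef DEBUG` and so compiles the `#ifdef DEBUG` tracing into sendto_kdc.c for every build of libkrb5, including release builds; this reads like a local debugging edit that was carried along by the merge rather than an intended change. `krb5int_debug_sendto_kdc` is initialised to 0, so the traces are silent by default, but the debug paths and their dprint calls now ship in the library and can be switched on at runtime. Suggest restoring `#undef DEBUG` (or removing the line and letting the build system define DEBUG when a debug build is wanted).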
@@ -1017,11 +1017,7 @@ service_tcp_fd (struct conn_state *conn, struct select_state *selstate,
}
conn->x.in.bufsizebytes_read += nread;
if (conn->x.in.bufsizebytes_read == 4) {
- unsigned long len;
- len = conn->x.in.bufsizebytes[0];
- len = (len << 8) + conn->x.in.bufsizebytes[1];
- len = (len << 8) + conn->x.in.bufsizebytes[2];
- len = (len << 8) + conn->x.in.bufsizebytes[3];
+ unsigned long len = load_32_be (conn->x.in.bufsizebytes);
dprint("received length on fd %d is %d\n", conn->fd, (int)len);
/* Arbitrary 1M cap. */
if (len > 1 * 1024 * 1024) {
diff --git a/src/plugins/kdb/db2/libdb2/Makefile.in b/src/plugins/kdb/db2/libdb2/Makefile.in
index b04f521..f3a5f49 100644
--- a/src/plugins/kdb/db2/libdb2/Makefile.in
+++ b/src/plugins/kdb/db2/libdb2/Makefile.in
@@ -13,7 +13,7 @@ SUBDIROBJLISTS=$(STOBJLISTS)
RELDIR=../plugins/kdb/db2/libdb2
HDRDIR=$(BUILDTOP)/include
-HDRS = $(HDRDIR)/db.h $(HDRDIR)/db-config.h $(HDRDIR)/db-ndbm.h
+HDRS = $(HDRDIR)/db.h $(HDRDIR)/db-config.h
SHLIB_EXPDEPS=$(SUPPORT_DEPLIB)
SHLIB_EXPLIBS=$(SUPPORT_LIB)
@@ -26,12 +26,10 @@ clean-unix:: clean-libs clean-includes
includes:: $(HDRS)
-$(HDRDIR)/db.h: $(srcdir)/include/db.h
- $(CP) $(srcdir)/include/db.h $@
-$(HDRDIR)/db-config.h: include/db-config.h
- $(CP) $(srcdir)/include/db-config.h $@
-$(HDRDIR)/db-ndbm.h: $(srcdir)/include/db-ndbm.h
- $(CP) $(srcdir)/include/db-ndbm.h $@
+$(HDRDIR)/db.h: $(srcdir)/include/db.hin
+ $(CP) $(srcdir)/include/db.hin $@
+$(HDRDIR)/db-config.h: include/db-config.hin
+ $(CP) $(srcdir)/include/db-config.hin $@
clean-includes::
$(RM) $(HDRS) include/*.stmp
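Review bot: The prerequisite in `$(HDRDIR)/db-config.h: include/db-config.hin` omits `$(srcdir)/`, while the recipe copies `$(srcdir)/include/db-config.hin` and the sibling db.h rule depends on `$(srcdir)/include/db.hin`; in an out-of-tree build make will look for `include/db-config.hin` relative to the build directory and the dependency will be missed unless VPATH happens to cover it. The mismatch existed on the old line too, but since the rule is being rewritten here it should become `$(HDRDIR)/db-config.h: $(srcdir)/include/db-config.hin`.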
diff --git a/src/plugins/kdb/db2/libdb2/btree/deps b/src/plugins/kdb/db2/libdb2/btree/deps
index 83a32a7..b35c4b7 100644
--- a/src/plugins/kdb/db2/libdb2/btree/deps
+++ b/src/plugins/kdb/db2/libdb2/btree/deps
@@ -2,75 +2,55 @@
# Generated makefile dependencies follow.
#
bt_close.so bt_close.po $(OUTPRE)bt_close.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
+ $(BUILDTOP)/include/autoconf.h $(DB_DEPS) $(srcdir)/../include/config.h \
$(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \
- $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \
- bt_close.c btree.h extern.h
+ $(srcdir)/../mpool/mpool.h bt_close.c btree.h extern.h
bt_conv.so bt_conv.po $(OUTPRE)bt_conv.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/db-config.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \
- $(srcdir)/../mpool/mpool.h bt_conv.c btree.h extern.h
+ $(DB_DEPS) $(srcdir)/../include/config.h $(srcdir)/../include/db-int.h \
+ $(srcdir)/../include/db-queue.h $(srcdir)/../mpool/mpool.h \
+ bt_conv.c btree.h extern.h
bt_debug.so bt_debug.po $(OUTPRE)bt_debug.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
+ $(BUILDTOP)/include/autoconf.h $(DB_DEPS) $(srcdir)/../include/config.h \
$(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \
- $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \
- bt_debug.c btree.h extern.h
+ $(srcdir)/../mpool/mpool.h bt_debug.c btree.h extern.h
bt_delete.so bt_delete.po $(OUTPRE)bt_delete.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
+ $(BUILDTOP)/include/autoconf.h $(DB_DEPS) $(srcdir)/../include/config.h \
$(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \
- $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \
- bt_delete.c btree.h extern.h
+ $(srcdir)/../mpool/mpool.h bt_delete.c btree.h extern.h
bt_get.so bt_get.po $(OUTPRE)bt_get.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/db-config.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \
- $(srcdir)/../mpool/mpool.h bt_get.c btree.h extern.h
+ $(DB_DEPS) $(srcdir)/../include/config.h $(srcdir)/../include/db-int.h \
+ $(srcdir)/../include/db-queue.h $(srcdir)/../mpool/mpool.h \
+ bt_get.c btree.h extern.h
bt_open.so bt_open.po $(OUTPRE)bt_open.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/db-config.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-thread.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \
- $(srcdir)/../mpool/mpool.h bt_open.c btree.h extern.h
+ $(DB_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
+ $(srcdir)/../include/config.h $(srcdir)/../include/db-int.h \
+ $(srcdir)/../include/db-queue.h $(srcdir)/../mpool/mpool.h \
+ bt_open.c btree.h extern.h
bt_overflow.so bt_overflow.po $(OUTPRE)bt_overflow.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
+ $(BUILDTOP)/include/autoconf.h $(DB_DEPS) $(srcdir)/../include/config.h \
$(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \
- $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \
- bt_overflow.c btree.h extern.h
+ $(srcdir)/../mpool/mpool.h bt_overflow.c btree.h extern.h
bt_page.so bt_page.po $(OUTPRE)bt_page.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/db-config.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \
- $(srcdir)/../mpool/mpool.h bt_page.c btree.h extern.h
+ $(DB_DEPS) $(srcdir)/../include/config.h $(srcdir)/../include/db-int.h \
+ $(srcdir)/../include/db-queue.h $(srcdir)/../mpool/mpool.h \
+ bt_page.c btree.h extern.h
bt_put.so bt_put.po $(OUTPRE)bt_put.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/db-config.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \
- $(srcdir)/../mpool/mpool.h bt_put.c btree.h extern.h
+ $(DB_DEPS) $(srcdir)/../include/config.h $(srcdir)/../include/db-int.h \
+ $(srcdir)/../include/db-queue.h $(srcdir)/../mpool/mpool.h \
+ bt_put.c btree.h extern.h
bt_search.so bt_search.po $(OUTPRE)bt_search.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
+ $(BUILDTOP)/include/autoconf.h $(DB_DEPS) $(srcdir)/../include/config.h \
$(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \
- $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \
- bt_search.c btree.h extern.h
+ $(srcdir)/../mpool/mpool.h bt_search.c btree.h extern.h
bt_seq.so bt_seq.po $(OUTPRE)bt_seq.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/db-config.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \
- $(srcdir)/../mpool/mpool.h bt_seq.c btree.h extern.h
+ $(DB_DEPS) $(srcdir)/../include/config.h $(srcdir)/../include/db-int.h \
+ $(srcdir)/../include/db-queue.h $(srcdir)/../mpool/mpool.h \
+ bt_seq.c btree.h extern.h
bt_split.so bt_split.po $(OUTPRE)bt_split.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
+ $(BUILDTOP)/include/autoconf.h $(DB_DEPS) $(srcdir)/../include/config.h \
$(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \
- $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \
- bt_split.c btree.h extern.h
+ $(srcdir)/../mpool/mpool.h bt_split.c btree.h extern.h
bt_utils.so bt_utils.po $(OUTPRE)bt_utils.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
+ $(BUILDTOP)/include/autoconf.h $(DB_DEPS) $(srcdir)/../include/config.h \
$(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \
- $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \
- bt_utils.c btree.h extern.h
+ $(srcdir)/../mpool/mpool.h bt_utils.c btree.h extern.h
diff --git a/src/plugins/kdb/db2/libdb2/db/deps b/src/plugins/kdb/db2/libdb2/db/deps
index 8824713..562e3d5 100644
--- a/src/plugins/kdb/db2/libdb2/db/deps
+++ b/src/plugins/kdb/db2/libdb2/db/deps
@@ -2,6 +2,5 @@
# Generated makefile dependencies follow.
#
db.so db.po $(OUTPRE)db.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/db-config.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db.h db.c
+ $(DB_DEPS) $(srcdir)/../include/config.h $(srcdir)/../include/db-int.h \
+ db.c
diff --git a/src/plugins/kdb/db2/libdb2/hash/deps b/src/plugins/kdb/db2/libdb2/hash/deps
index 59baef3..73b45f6 100644
--- a/src/plugins/kdb/db2/libdb2/hash/deps
+++ b/src/plugins/kdb/db2/libdb2/hash/deps
@@ -2,44 +2,36 @@
# Generated makefile dependencies follow.
#
hash.so hash.po $(OUTPRE)hash.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/db-config.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \
- $(srcdir)/../mpool/mpool.h extern.h hash.c hash.h page.h
+ $(DB_DEPS) $(srcdir)/../include/config.h $(srcdir)/../include/db-int.h \
+ $(srcdir)/../include/db-queue.h $(srcdir)/../mpool/mpool.h \
+ extern.h hash.c hash.h page.h
hash_bigkey.so hash_bigkey.po $(OUTPRE)hash_bigkey.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
+ $(BUILDTOP)/include/autoconf.h $(DB_DEPS) $(srcdir)/../include/config.h \
$(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \
- $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \
- extern.h hash.h hash_bigkey.c page.h
+ $(srcdir)/../mpool/mpool.h extern.h hash.h hash_bigkey.c \
+ page.h
hash_debug.so hash_debug.po $(OUTPRE)hash_debug.$(OBJEXT): \
hash_debug.c
hash_func.so hash_func.po $(OUTPRE)hash_func.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
+ $(BUILDTOP)/include/autoconf.h $(DB_DEPS) $(srcdir)/../include/config.h \
$(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \
- $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \
- extern.h hash.h hash_func.c page.h
+ $(srcdir)/../mpool/mpool.h extern.h hash.h hash_func.c \
+ page.h
hash_log2.so hash_log2.po $(OUTPRE)hash_log2.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
+ $(BUILDTOP)/include/autoconf.h $(DB_DEPS) $(srcdir)/../include/config.h \
$(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \
- $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \
- extern.h hash.h hash_log2.c page.h
+ $(srcdir)/../mpool/mpool.h extern.h hash.h hash_log2.c \
+ page.h
hash_page.so hash_page.po $(OUTPRE)hash_page.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
+ $(BUILDTOP)/include/autoconf.h $(DB_DEPS) $(srcdir)/../include/config.h \
$(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \
- $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \
- extern.h hash.h hash_page.c page.h
+ $(srcdir)/../mpool/mpool.h extern.h hash.h hash_page.c \
+ page.h
hsearch.so hsearch.po $(OUTPRE)hsearch.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/db-config.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db.h hsearch.c search.h
+ $(DB_DEPS) $(srcdir)/../include/config.h $(srcdir)/../include/db-int.h \
+ hsearch.c search.h
dbm.so dbm.po $(OUTPRE)dbm.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/db-config.h $(BUILDTOP)/include/db-ndbm.h \
- $(BUILDTOP)/include/db.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-dbm.h \
- $(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \
- $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \
+ $(DB_DEPS) $(srcdir)/../include/config.h $(srcdir)/../include/db-dbm.h \
+ $(srcdir)/../include/db-int.h $(srcdir)/../include/db-ndbm.h \
+ $(srcdir)/../include/db-queue.h $(srcdir)/../mpool/mpool.h \
dbm.c hash.h
diff --git a/src/plugins/kdb/db2/libdb2/include/db-config.h b/src/plugins/kdb/db2/libdb2/include/db-config.hin
index 0ac7c91..0ac7c91 100644
--- a/src/plugins/kdb/db2/libdb2/include/db-config.h
+++ b/src/plugins/kdb/db2/libdb2/include/db-config.hin
diff --git a/src/plugins/kdb/db2/libdb2/include/db.h b/src/plugins/kdb/db2/libdb2/include/db.hin
index ad86d0af..ad86d0af 100644
--- a/src/plugins/kdb/db2/libdb2/include/db.h
+++ b/src/plugins/kdb/db2/libdb2/include/db.hin
diff --git a/src/plugins/kdb/db2/libdb2/mpool/deps b/src/plugins/kdb/db2/libdb2/mpool/deps
index 32aa172..86597d0 100644
--- a/src/plugins/kdb/db2/libdb2/mpool/deps
+++ b/src/plugins/kdb/db2/libdb2/mpool/deps
@@ -2,7 +2,5 @@
# Generated makefile dependencies follow.
#
mpool.so mpool.po $(OUTPRE)mpool.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/db-config.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \
- mpool.c mpool.h
+ $(DB_DEPS) $(srcdir)/../include/config.h $(srcdir)/../include/db-int.h \
+ $(srcdir)/../include/db-queue.h mpool.c mpool.h
diff --git a/src/plugins/kdb/db2/libdb2/recno/deps b/src/plugins/kdb/db2/libdb2/recno/deps
index 77b1e01..9397d4c 100644
--- a/src/plugins/kdb/db2/libdb2/recno/deps
+++ b/src/plugins/kdb/db2/libdb2/recno/deps
@@ -2,55 +2,42 @@
# Generated makefile dependencies follow.
#
rec_close.so rec_close.po $(OUTPRE)rec_close.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \
- $(srcdir)/../btree/btree.h $(srcdir)/../btree/extern.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
+ $(BUILDTOP)/include/autoconf.h $(DB_DEPS) $(srcdir)/../btree/btree.h \
+ $(srcdir)/../btree/extern.h $(srcdir)/../include/config.h \
$(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \
- $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \
- extern.h rec_close.c recno.h
+ $(srcdir)/../mpool/mpool.h extern.h rec_close.c recno.h
rec_delete.so rec_delete.po $(OUTPRE)rec_delete.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \
- $(srcdir)/../btree/btree.h $(srcdir)/../btree/extern.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
+ $(BUILDTOP)/include/autoconf.h $(DB_DEPS) $(srcdir)/../btree/btree.h \
+ $(srcdir)/../btree/extern.h $(srcdir)/../include/config.h \
$(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \
- $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \
- extern.h rec_delete.c recno.h
+ $(srcdir)/../mpool/mpool.h extern.h rec_delete.c recno.h
rec_get.so rec_get.po $(OUTPRE)rec_get.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/db-config.h $(srcdir)/../btree/btree.h \
- $(srcdir)/../btree/extern.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \
- $(srcdir)/../mpool/mpool.h extern.h rec_get.c recno.h
+ $(DB_DEPS) $(srcdir)/../btree/btree.h $(srcdir)/../btree/extern.h \
+ $(srcdir)/../include/config.h $(srcdir)/../include/db-int.h \
+ $(srcdir)/../include/db-queue.h $(srcdir)/../mpool/mpool.h \
+ extern.h rec_get.c recno.h
rec_open.so rec_open.po $(OUTPRE)rec_open.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \
- $(srcdir)/../btree/btree.h $(srcdir)/../btree/extern.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
+ $(BUILDTOP)/include/autoconf.h $(DB_DEPS) $(srcdir)/../btree/btree.h \
+ $(srcdir)/../btree/extern.h $(srcdir)/../include/config.h \
$(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \
- $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \
- extern.h rec_open.c recno.h
+ $(srcdir)/../mpool/mpool.h extern.h rec_open.c recno.h
rec_put.so rec_put.po $(OUTPRE)rec_put.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/db-config.h $(srcdir)/../btree/btree.h \
- $(srcdir)/../btree/extern.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \
- $(srcdir)/../mpool/mpool.h extern.h rec_put.c recno.h
+ $(DB_DEPS) $(srcdir)/../btree/btree.h $(srcdir)/../btree/extern.h \
+ $(srcdir)/../include/config.h $(srcdir)/../include/db-int.h \
+ $(srcdir)/../include/db-queue.h $(srcdir)/../mpool/mpool.h \
+ extern.h rec_put.c recno.h
rec_search.so rec_search.po $(OUTPRE)rec_search.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \
- $(srcdir)/../btree/btree.h $(srcdir)/../btree/extern.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
+ $(BUILDTOP)/include/autoconf.h $(DB_DEPS) $(srcdir)/../btree/btree.h \
+ $(srcdir)/../btree/extern.h $(srcdir)/../include/config.h \
$(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \
- $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \
- extern.h rec_search.c recno.h
+ $(srcdir)/../mpool/mpool.h extern.h rec_search.c recno.h
rec_seq.so rec_seq.po $(OUTPRE)rec_seq.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/db-config.h $(srcdir)/../btree/btree.h \
- $(srcdir)/../btree/extern.h $(srcdir)/../include/config.h \
- $(srcdir)/../include/db-config.h $(srcdir)/../include/db-int.h \
- $(srcdir)/../include/db-queue.h $(srcdir)/../include/db.h \
- $(srcdir)/../mpool/mpool.h extern.h rec_seq.c recno.h
+ $(DB_DEPS) $(srcdir)/../btree/btree.h $(srcdir)/../btree/extern.h \
+ $(srcdir)/../include/config.h $(srcdir)/../include/db-int.h \
+ $(srcdir)/../include/db-queue.h $(srcdir)/../mpool/mpool.h \
+ extern.h rec_seq.c recno.h
rec_utils.so rec_utils.po $(OUTPRE)rec_utils.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/db-config.h \
- $(srcdir)/../btree/btree.h $(srcdir)/../btree/extern.h \
- $(srcdir)/../include/config.h $(srcdir)/../include/db-config.h \
+ $(BUILDTOP)/include/autoconf.h $(DB_DEPS) $(srcdir)/../btree/btree.h \
+ $(srcdir)/../btree/extern.h $(srcdir)/../include/config.h \
$(srcdir)/../include/db-int.h $(srcdir)/../include/db-queue.h \
- $(srcdir)/../include/db.h $(srcdir)/../mpool/mpool.h \
- extern.h rec_utils.c recno.h
+ $(srcdir)/../mpool/mpool.h extern.h rec_utils.c recno.h
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
index 8b3c7a1..1cf6762 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
@@ -188,7 +188,10 @@ krb5_ldap_iterate(context, match_expr, func, func_arg)
LDAP_SEARCH(subtree[tree], ldap_context->lrparams->search_scope, filter, principal_attributes);
for (ent=ldap_first_entry(ld, result); ent != NULL; ent=ldap_next_entry(ld, ent)) {
- if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
+ values=ldap_get_values(ld, ent, "krbcanonicalname");
+ if (values == NULL)
+ values=ldap_get_values(ld, ent, "krbprincipalname");
+ if (values != NULL) {
for (i=0; values[i] != NULL; ++i) {
if (krb5_ldap_parse_principal_name(values[i], &princ_name) != 0)
continue;
@@ -201,13 +204,11 @@ krb5_ldap_iterate(context, match_expr, func, func_arg)
(*func)(func_arg, &entry);
krb5_dbe_free_contents(context, &entry);
(void) krb5_free_principal(context, principal);
- if (princ_name)
- free(princ_name);
+ free(princ_name);
break;
}
(void) krb5_free_principal(context, principal);
- if (princ_name)
- free(princ_name);
+ free(princ_name);
}
ldap_value_free(values);
}
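Review bot: After each `free(princ_name);` in this hunk the variable keeps its dangling value; if krb5_ldap_parse_principal_name leaves princ_name untouched on failure, the `continue` path at the top of the loop and any cleanup free of princ_name outside the hunk would operate on freed memory. Setting `princ_name = NULL;` immediately after each free rules that out at no cost, since free(NULL) is a no-op (which is also why dropping the `if (princ_name)` guards was correct). krb5_ldap_iterate starts before the hunk and its cleanup path is not visible here.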
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 14d029c..03c3da4 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -69,6 +69,30 @@ berval2tl_data(struct berval *in, krb5_tl_data **out)
return 0;
}
+/* Return true if it's okay to return aliases according to flags. */
+static krb5_boolean
+aliases_ok(unsigned int flags)
+{
+ /*
+ * The current DAL does not have a flag to indicate whether
+ * aliases are okay. For service name lookups (AS or TGT path),
+ * we can always return aliases. For client name lookups, we can
+ * only return aliases if the client passed the canonicalize flag.
+ * We abuse the CLIENT_REFERRALS_ONLY flag to detect client name
+ * lookups.
+ *
+ * This method has the side effect of permitting aliases for
+ * lookups by administrative interfaces (e.g. kadmin). Since we
+ * don't have explicit admin support for aliases yet, this is
+ * okay.
+ */
+ if (!(flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY))
+ return TRUE;
+ if (flags & KRB5_KDB_FLAG_CANONICALIZE)
+ return TRUE;
+ return FALSE;
+}
+
/*
* look up a principal in the directory.
*/
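Review bot: `aliases_ok` relies on an invariant that nothing visible enforces: a client-name lookup whose caller does not set `KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY` is classified as a service lookup and gets alias resolution although the client never asked for canonicalization, which the comment itself describes as an abuse of that flag. The body can also be a single expression, `return !(flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) || (flags & KRB5_KDB_FLAG_CANONICALIZE);`, which states the rule more directly than the three-branch form. A short `/* TODO: replace with a dedicated DAL flag once one exists */` would keep the heuristic from being mistaken for the intended design; the call site in krb5_ldap_get_principal is in the next hunk, whose function starts and ends outside it.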
@@ -160,7 +184,7 @@ krb5_ldap_get_principal(context, searchfor, flags, entries, nentries, more)
if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) {
if (values[0] && strcmp(values[0], user) != 0) {
/* We matched an alias, not the canonical name. */
- if (flags & KRB5_KDB_FLAG_CANONICALIZE) {
+ if (aliases_ok(flags)) {
st = krb5_ldap_parse_principal_name(values[0], &cname);
if (st != 0)
goto cleanup;
diff --git a/src/tests/mk_migr/db2_backend/README_for_mkmdb2 b/src/tests/mk_migr/db2_backend/README_for_mkmdb2
new file mode 100644
index 0000000..1a5cf30
--- /dev/null
+++ b/src/tests/mk_migr/db2_backend/README_for_mkmdb2
@@ -0,0 +1,37 @@
+ABOUT:
+A translation of Will Fiveash's "mit_db2_mkey_migrate_testB" ksh code into Python with the default db2 backend. With minor fixes and changes. Written by HaoQi Li.
+
+DEFAULT SETTINGS:
+Options Name Default Setting
+ -h Help
+ -v Verbose: True
+ -p Testing pw: test123
+ -s Sandbox loc: src/tests/mk_migr/db2_backend/sandbox
+ -c Krb5kdc: src/kdc/krb5kdc
+ -d Kadmind: src/kadmin/server/kadmind
+ -b Kdb5_util: src/kadmin/dbutil/kdb5_util
+ -l Kadmin.local: src/kadmin/cli/kadmin.local
+ -n Kadmin: src/kadmin/cli/kadmin
+ -t Client paths: src/clients
+
+INPUTS:
+* src/tests/mk_migr/db2_backend/input_conf/kdc_template_db2.conf
+* src/tests/mk_migr/db2_backend/input_conf/krb5_template_db2.conf
+* src/tests/mk_migr/db2_backend/input_conf/kadm5_template_db2.acl
+
+OUTPUTS:
+* sandbox that contains customized outfile with all commands and their outputs, kdc.conf, krb5.conf, kadm6.acl, and others.
+* Statistics on screen of number of commands passed and failed.
+
+EXAMPLES:
+- MUST RUN from trunk/src.
+* python tests/mk_migr/db2_backend/mkmdb2.py
+ Using all Default Settings.
+* python tests/mk_migr/db2_backend/mkmdb2.py -s /tmp/mySandbox
+ Sandbox now can be found in /tmp/mySandbox.
+
+
+# Notes:
+# Exists only at the end, unless fatal errors are encountered. Otherwise, skips errors and continue!!
+# "haoqili" is a name that can be changed.
+# 2019 and 2029 are future dates that should best be written not as fixed. Such as now+10years.
diff --git a/src/tests/mk_migr/db2_backend/input_conf/kadm5_template_db2.acl b/src/tests/mk_migr/db2_backend/input_conf/kadm5_template_db2.acl
new file mode 100644
index 0000000..719677a
--- /dev/null
+++ b/src/tests/mk_migr/db2_backend/input_conf/kadm5_template_db2.acl
@@ -0,0 +1 @@
+*/admin *
diff --git a/src/tests/mk_migr/db2_backend/input_conf/kdc_template_db2.conf b/src/tests/mk_migr/db2_backend/input_conf/kdc_template_db2.conf
new file mode 100644
index 0000000..31ff522
--- /dev/null
+++ b/src/tests/mk_migr/db2_backend/input_conf/kdc_template_db2.conf
@@ -0,0 +1,14 @@
+[kdcdefaults]
+ kdc_ports = 8888
+
+[realms]
+ K.MIT.EDU = {
+ database_name = %(sandboxdir)s/principal
+ acl_file = %(sandboxdir)s/kadm5.acl
+ key_stash_file = %(sandboxdir)s/keyStashFile
+ kdc_ports = 8888
+ kpasswd_port = 8887
+ kadmind_port = 8886
+ max_life = 10h 0m 0s
+ max_renewable_life = 7d 0h 0m 0s
+ }
diff --git a/src/tests/mk_migr/db2_backend/input_conf/krb5_template_db2.conf b/src/tests/mk_migr/db2_backend/input_conf/krb5_template_db2.conf
new file mode 100644
index 0000000..e89aa87
--- /dev/null
+++ b/src/tests/mk_migr/db2_backend/input_conf/krb5_template_db2.conf
@@ -0,0 +1,21 @@
+[libdefaults]
+ default_realm = K.MIT.EDU
+
+[realms]
+# use "kdc = ..." if realm admins haven't put SRV records into DNS
+ K.MIT.EDU = {
+ admin_server = %(localFQDN)s:8886
+ kpasswd_server = %(localFQDN)s:8887
+ default_domain = MIT.EDU
+ kdc = %(localFQDN)s:8888
+ v4_instance_convert = {
+ mit = mit.edu
+ lithium = lithium.lcs.mit.edu
+ }
+ }
+ ANDREW.CMU.EDU = {
+ admin_server = vice28.fs.andrew.cmu.edu
+ }
+
+[logging]
+# kdc = CONSOLE
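Review bot: The `ANDREW.CMU.EDU` realm block, the `v4_instance_convert` map and `default_domain = MIT.EDU` look copied from a sample krb5.conf and have no relation to the K.MIT.EDU test realm this template serves; the realm entry even names an external host the test never contacts. Trimming the template to `[libdefaults]` and the `K.MIT.EDU` entry keeps the fixture from resembling a real site configuration and removes any chance of a stray lookup against that host. The `[logging]` section holds only a commented entry and can be dropped or given the intended setting.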
diff --git a/src/tests/mk_migr/db2_backend/mkmdb2.py b/src/tests/mk_migr/db2_backend/mkmdb2.py
new file mode 100644
index 0000000..00ae4cb
--- /dev/null
+++ b/src/tests/mk_migr/db2_backend/mkmdb2.py
@@ -0,0 +1,808 @@
+# Master Key Migration for db2
+
+import os, sys, shutil, socket, time, string
+from subprocess import Popen, PIPE
+from optparse import OptionParser
+from time import strftime
+
+class MasterKeyMigrationTest:
+ def __init__(self, verbose_in, pw_in, kdcPath_in, kdmdPath_in, kdbPath_in, kdmlPath_in, kdmPath_in, cltPath_in, sandir_in):
+ self.npass = 0
+ self.nfail = 0
+
+ self.verbose = verbose_in
+ self.pw = pw_in
+
+ self.krb5kdc = kdcPath_in #1 krb5kdc
+ self.kadmind = kdmdPath_in #2 kadmind
+ self.kdb5_util = kdbPath_in #3 kdb5_util
+ self.kadminlocal = kdmlPath_in #4 kadmin.local
+ self.kadmin = kdmPath_in #5 kadmin
+ self.clients = cltPath_in+"/" #6 clients
+
+ self.sandir = sandir_in
+
+ ########## SET UP Write Output File #####
+ self.outfile = open(self.sandir+"/outfile", 'w')
+
+ '''print os.environ'''
+
+ def _writeLine(self, astr, prt=False):
+ self.outfile.write(astr.strip()+"\n")
+ if prt:
+ print astr.strip()
+
+ def _writeHeader(self, astr, prt=True):
+ self.outfile.write("\n========== "+astr.strip()+" ==========\n")
+ if prt:
+ print "========== "+astr.strip()+" =========="
+
+ def _sysexit(self, fatal=False, finished=False):
+ self._writeLine("++++++++++++++++++++++++++++++", True)
+ if fatal:
+ self._writeLine("++++ Test did NOT finish +++++", True)
+ self._writeLine("++++ FATAL FAILURE! Stopped ++", True)
+ self._writeLine("++++ See sandbox/outfile +++++", True)
+ self._writeLine("++++++++++++++++++++++++++++++", True)
+ sys.exit()
+ elif not finished:
+ self._writeLine("++++ Test did NOT finish +++++", True)
+ self._writeLine("++++ FAIL Detected! keep going", True)
+ self._writeLine("++++++++++++++++++++++++++++++", True)
+ else: #finished
+ self._writeLine("++++ MKM Test Finished +++++++", True)
+ self._writeLine("++++++++++++++++++++++++++++++", True)
+ self._writeLine("++++ Commands Passed: %s +++++" % self.npass, True)
+ self._writeLine("++++ Commands Failed: %s +++++" % self.nfail, True)
+ sys.exit()
+
+ def _printig(self):
+ self._writeLine("~.~.~Error should be ignored~.~.~.~")
+
+ def _printerr(self, errm, stderr):
+ self._writeLine("#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#")
+ self._writeLine("-XX-FAILED: "+errm+". See stderr below:")
+ [self._writeLine(line) for line in stderr.readlines() ]
+
+ def _printout(self, cmd, pstdout):
+ if self.verbose:
+ self._writeLine("---------------------------------------")
+ self._writeLine("-command: "+cmd)
+ self._writeLine("-----out: ")
+ [self._writeLine(line) for line in pstdout.readlines()]
+
+ def _eval(self, succeed, pwait, errm, pstderr, fatal=False, msg2="", finished=False):
+ if int(pwait) != 0: # is bad
+ self._printerr(errm, pstderr)
+ if succeed==True: ## want good
+ self.nfail += 1
+ self._sysexit(fatal, finished)
+ else: ## want bad
+ self.npass += 1
+ self._printig()
+ else: # is good
+ if not succeed: ## want bad
+ if msg2 != "":
+ self._writeLine(msg2, True)
+ self.nfail += 1
+ self._sysexit(fatal, finished)
+ else: ## want good
+ self.npass += 1
+
+ def _metafunc(self, command, errmsg, moreinfo="", isLocal=False, succeed=True, fatal=False):
+ l = command
+ if isLocal:
+ pl = Popen(l.split(None,2), stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ else:
+ pl = Popen(l.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ self._printout(l+moreinfo, pl.stdout)
+
+ self._eval(succeed, pl.wait(), errmsg, pl.stderr, fatal)
+
+ ###########################################
+
+ # Start the KDC daemons
+ def _startkdc(self):
+ self._writeLine("\nstarting kdc daemons ...")
+ l0 = self.krb5kdc
+ errm = "error at starting krb5kdc"
+ self._metafunc(l0, errm)
+ # below has been changed
+ l0b = self.kadmind + ' -W -nofork' #the W is for during off strong random numbers
+ errm = "error at starting kadmind, maybe it's already started"
+ pl0b = Popen(l0b.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ self._writeLine( "kadmind -nofork")
+ started = False
+ while time.clock() < 3:
+ l = pl0b.stderr.readline()
+ if l.find("starting") > -1:
+ self._writeLine( l.strip())
+ self.npass += 1
+ started = True
+ break
+ else:
+ self.nfail += 1
+ self._printerr("kadmind not starting, check to see if there are any previous kadmind running with cmd: 'ps -ef | grep kadmind' and then do 'sudo kill -9 [# on the left]'", pl0b.stderr)
+ self._sysexit(fatal=True)
+ if not started:
+ self.nfail += 1
+ self._sysexit()
+ self._writeLine("end starting kdc daemons")
+
+ # Kill the KDC daemons in case they are running
+ def _killkdc(self, suc=True):
+ l1 = 'pkill -9 -x krb5kdc'
+ errm = "no krb5kdc killed"
+ self._metafunc(l1, errm, succeed=suc)
+
+ l2 = 'pkill -9 -x kadmind'
+ errm = "no kadmind killed"
+ self._metafunc(l2, errm, succeed=suc)
+
+ # Destroys current database
+ def _destroykdc(self, suc=True):
+ l3 = self.kdb5_util+' destroy -f' #forced
+ errm = "no kdb database destroyed"
+ self._metafunc(l3, errm, succeed=suc)
+
+ # Create a new database with a new master key
+ def _createdb(self, pw):
+ l4 = self.kdb5_util+' -P '+pw+' create -s -W' #added W for svn version 22435 to avoid reading strong random numbers
+ errm = "error when creating new database, _createdb()"
+ self._metafunc(l4, errm, fatal=True)
+
+ # Addprinc
+ def _locAddprinc(self, passw, usern):
+ l5 = self.kadminlocal+' -q addprinc -pw '+passw+' '+usern
+ errm = "error when adding princ, _locAddprinc"
+ self._metafunc(l5, errm, isLocal=True)
+
+ # List princs
+ def _locListprincs(self):
+ l6 = self.kadminlocal+' -q listprincs'
+ errm = "error when listing princs, _locListprincs"
+ self._metafunc(l6, errm, isLocal=True)
+
+ # Get princs
+ def _locGetprinc(self, usern, extra=False, succeed=True):
+ l7 = self.kadminlocal+' -q getprinc '+usern
+ errm="error when getting princ, _locGetprinc"
+
+ pl7 = Popen(l7.split(None,2), stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ if not extra:
+ self._printout(l7, pl7.stdout)
+ else:
+ if self.verbose:
+ self._writeLine("-command: "+l7)
+ self._writeLine("-----out: ")
+ for line in pl7.stdout.readlines():
+ if line.startswith("Princ") or line.startswith("MKey"):
+ self._writeLine(line)
+ self._eval(succeed, pl7.wait(), errm, pl7.stderr)
+
+ # Get princs and finds something in the output
+ def _locGetprincFind(self, usern, findstr, succeed=True):
+ l7b = self.kadminlocal+' -q getprinc ' +usern
+ errm="error when getting princs, _locGetprinc, (regular output of getprincs is not printed here), will NOT continue to find string="+findstr
+ pl7b = Popen(l7b.split(None, 2), stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ if self.verbose:
+ self._writeLine("-command: "+l7b)
+ if int(pl7b.wait()) != 0: # is bad
+ self._printerr(errm, pl7b.stderr)
+ if succeed: ## want good
+ self.nfail += 1
+ self._sysexit()
+ else: ## want bad
+ self.npass += 1
+ self._printig()
+ else: # is good
+ if self.verbose:
+ self._writeLine( "-----out: ")
+ boofound = False
+ for outl in pl7b.stdout.readlines():
+ self._writeLine(outl)
+ if string.find(outl, findstr) > -1:
+ boofound = True
+ if boofound:
+ self._writeLine("----FOUND: "+findstr)
+ else:
+ self._writeLine("----NOT FOUND: "+findstr)
+ if not succeed: ## want bad
+ self.nfail += 1
+ self._sysexit()
+ else: ## want good
+ self.npass += 1
+
+ # Add policy
+ def _locAddpol(self, maxtime, minlength, minclasses, history, policyname):
+ rest = ""
+ if maxtime != None:
+ rest += '-maxlife '+maxtime+' '
+ if minlength != None:
+ rest += '-minlength '+minlength+' '
+ if minclasses != None:
+ rest += '-minclasses '+minclasses+' '
+ if history != None:
+ rest += '-history '+history+' '
+ l8 = self.kadminlocal+' -q add_policy '+rest+policyname
+ errm = "error when adding policy, _locAddpol"
+ self._metafunc(l8, errm, isLocal=True)
+
+ # Get pol
+ def _locGetpol(self, poln):
+ l8b = self.kadminlocal+' -q getpol '+poln
+ errm="error when getting pol, _locGetpol"
+ self._metafunc(l8b, errm, isLocal=True)
+
+ # Modify Principal
+ def _locModprinc(self, rest):
+ l9 = self.kadminlocal+' -q modprinc '+rest
+ errm = "error when modifing principal, _locModprinc"
+ self._metafunc(l9, errm, isLocal=True)
+
+ # List mkeys
+ def _listmkeys(self):
+ l10 = self.kdb5_util+' list_mkeys'
+ errm = "error when listing mkeys, _listmkeys"
+ self._metafunc(l10, errm)
+
+ # Use mkeys
+ def _usemkey(self, kvno, time, succeed=True):
+ l11 = self.kdb5_util+' use_mkey '+kvno+' '+time
+ pl11 = Popen(l11.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ self._printout(l11, pl11.stdout)
+ self._eval(succeed, pl11.wait(), "error when using mkeys, _usemkey", pl11.stderr, msg2="-XX-ERROR: "+l11+" should have failed.")
+
+
+ # Change password (cpw)
+ def _locCpw(self, passw, usern):
+ l12 = self.kadminlocal+' -q cpw -pw '+passw+' '+usern
+ errm = "error when changing password, _locCpw"
+ self._metafunc(l12, errm, moreinfo="\n--------: newpw='"+passw+"'", isLocal=True)
+
+ # Purge mkeys
+ def _purgemkeys(self):
+ l13 = self.kdb5_util+' purge_mkeys -f -v' #-f is forced, -v is verbose
+ errm = "error when purging mkeys, _purgemkeys"
+ self._metafunc(l13, errm)
+
+ # Add mkey
+ def _addmkey(self, passw, extra="", succeed=True):
+ l14 = self.kdb5_util+' add_mkey '+extra
+ pl14 = Popen(l14.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ pl14.stdin.write(passw+'\n') #enter 1st time
+ pl14.stdin.write(passw+'\n') #re-enter
+ self._printout(l14+' [with password='+passw+']', pl14.stdout)
+ self._eval(succeed, pl14.wait(), "error when adding mkey, _addmkey", pl14.stderr)
+ self._writeLine( "----end of adding mkey")
+
+ # kinit user
+ def _kinit(self, passw_in, usern, succeed=True):
+ l15 = self.clients+'kinit/kinit '+usern
+ pl15 = Popen(l15.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ pl15.stdin.write(passw_in+'\n')
+ pl15.stdin.close()
+ self._printout(l15, pl15.stdout)
+ self._eval(succeed, pl15.wait(), "error when kinit user, _kinit", pl15.stderr)
+ self._writeLine( "----end of kiniting user")
+
+ # change password on client's side
+ def _kpasswd(self, oldpw, newpw, usern, succeed=True):
+ l16 = self.clients+'kpasswd/kpasswd '+usern
+ pl16 = Popen(l16.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ pl16.stdin.write(oldpw+'\n')
+ pl16.stdin.write(newpw+'\n')
+ pl16.stdin.write(newpw+'\n')
+ self._printout(l16+"\n--------: oldpw='"+oldpw+"' -> newpw='"+newpw+"'", pl16.stdout)
+ self._eval(succeed, pl16.wait(), "error when changing password on client's side, _kpasswd", pl16.stderr)
+ self._writeLine("----end of changing kpasswd")
+
+ # klist on client's side
+ def _klist(self):
+ l17 = self.clients+'klist/klist'
+ errm = "error when klist, _klist"
+ self._metafunc(l17, errm)
+
+ # Update principal encryption
+ def _updatePrincEnc(self):
+ l18 = self.kdb5_util+' update_princ_encryption -f -v'
+ errm = "error when updating principal encryption, _updatePrincEnc"
+ self._metafunc(l18, errm)
+
+ # kdestroy
+ def _kdestroy(self):
+ l19 = self.clients+'kdestroy/kdestroy'
+ errm = "error when kdestroy, _kdestroy"
+ self._metafunc(l19, errm)
+
+ # stash
+ def _stash(self):
+ l20 = self.kdb5_util+' stash'
+ errm="error at stash, _stash"
+ self._metafunc(l20, errm)
+
+ # any shell command
+ def _shell(self, command, succeed=True):
+ l21 = command
+ errm="error at executing this command in _shell(): "+l21
+ pl21 = Popen(l21, shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ self._printout(l21, pl21.stdout)
+ self._eval(succeed, pl21.wait(), errm, pl21.stderr)
+ '''self._printerr(errm, pl21.stderr) Pointed out that kadmin had problems!'''
+
+ # get_princ_records()
+ def _get_princ_records(self, succeed=True):
+ l22 = self.kadminlocal+" -q listprincs 2>/dev/null|grep -v '^Authenticating as'|fgrep '@'|sort"
+ errm="error at listprincs in _get_princ_records() with this command: "+l22
+ pl22 = Popen(l22, shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ if int(pl22.wait()) != 0: # is bad
+ self.printerr(errm, pl22.stderr)
+ if succeed: ## want good
+ self.nfail += 1
+ self._sysexit()
+ else: ## want badd
+ self.npass += 1
+ self._printig()
+ else: # is good
+ if not succeed: ## want bad
+ self.nfail += 1
+ self._sysexit()
+ else: ## want good
+ self.npass += 1
+ self._writeLine( "\nget_princ_records() executing all listprincs command: "+l22+"\n------its results:")
+ for princ in pl22.stdout.readlines():
+ self._locGetprinc(princ.strip(), extra=True)
+ self._writeLine("END executing command: "+l22+"\n~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~")
+
+######################################################
+ def run(self):
+ #############RUN###################
+ passw=self.pw
+
+ self._writeHeader("START MASTER KEY MIGRATION TEST")
+
+ # Set up database
+ self._writeHeader("SET UP: database")
+ self._killkdc("Either") #74 =1,2
+ self._destroykdc("Either") #77 =3
+ self._createdb(passw) #81 =4
+ #line 83-86 involves ktadd kadm5.keytab, which are out dated
+
+ # add, get, and list princs
+ self._writeHeader("SET UP: add/get/list princs")
+ self._locAddprinc(passw, 'kdc/admin') #87 =5
+ self._locListprincs() #89 =6
+ self._locGetprinc('K/M') #90 =7
+ self._locAddprinc('test123', 'haoqili') #91 =8
+ self._locGetprinc('haoqili') #92 =9
+ self._locAddprinc(passw, 'haoqili/admin') #93 =10
+ self._locAddprinc('foobar', 'test') #94 =11
+ self._locGetprinc('test') #95 =12
+ self._locListprincs() # I added =13
+ myfqdn = socket.getfqdn()
+ #self._shell(self.parentpath+"kadmin.local -q 'addprinc -randkey host/"+myfqdn+"'") #96
+ self._shell(self.kadminlocal+" -q 'addprinc -randkey host/"+myfqdn+"'") #96 =14
+
+ # create policies
+ self._writeHeader("SET UP: create policies")
+ #print "\n~~~~~~~~~ create policies ~~~~~~~~~~~"
+ self._locAddpol('8days', None, None, None, 'testpolicy')#100 =15
+ self._locAddpol('20days', '8', '3', None, 'testpolicy2')#101
+ self._locAddpol('90days', '2', '2', None, 'testpolicy3')#102
+ self._locAddpol('90days', '2', '2', '3', 'testpolicy4')#103
+
+ self._locModprinc('-policy testpolicy haoqili')#105
+ self._locAddprinc(passw, 'foo')#106
+ self._locModprinc('-policy testpolicy3 foo')#107 =21
+
+ # create all princ with all fields
+ self._writeHeader("SET UP: create all princ with all fields")
+ #print "\n~~~~~~~~~ create all princ with all fields ~~~~~"
+ self._locAddprinc(passw, 'all') #110 =22
+ self._locModprinc('-expire "2029-12-30 7pm" all') #112
+ self._locModprinc('-pwexpire 12/30/2029 all') #114
+ self._locGetprinc('all') #115
+ self._locModprinc('-maxlife 100days all') #116
+ self._locGetprinc('all') #117
+ self._locModprinc('-maxrenewlife 100days all') #118
+ self._locGetprinc('all') #119
+ self._locModprinc('+allow_postdated +allow_forwardable all') #120 =30
+ self._locModprinc('+allow_proxiable +allow_dup_skey all') #121
+ self._locModprinc('+requires_preauth +allow_svr +needchange all') #122
+ self._locModprinc('-policy testpolicy4 all') #123
+ self._locGetprinc('all') #124 =34
+
+ # Testing stuff
+ self._writeHeader("TEST: initial mkey list") #126
+ self._writeLine("===== Listing mkeys at start of test") #I add
+ self._listmkeys() #127 =35
+
+ self._writeLine( "Testing krb5kdc list_mkeys Done ==============================================") #128
+
+ self._writeLine("---------------\n xxxxxxxxxx \/\/\/ ERRORS (multiple) EXPECTED below xxxxxxxxxx")
+ self._writeLine("\nERRORS (multiple) EXPECTED below")
+ self._writeLine("Testing bogus use_mkey (setting only mkey to future date, using non-existent kvno, so should return error) =======") #129, 130
+ self._writeLine( "-> must have a mkey currently active (setting mkey to 2 days from now), should fail and return error") #132
+ self._usemkey('1', 'now+2days', False) #133-138 =36
+
+ self._writeLine("-> must have a mkey currently active (setting mkey to 2019 the future), should fail and return error") #140
+ self._usemkey('1', '5/30/2019', False) #141 =37
+ self._writeLine("-> bogus kvno and setting mkey to 2 days from now, should fail and return error") #147
+ self._usemkey('2', 'now+2days', False) #148 =38
+ self._writeLine("-> bogus kvno, should fail and return error") #I add
+ self._usemkey('2', 'now-2days', False) #I add =39
+ self._writeLine( "^^^ABOVE^^ SHOULD HAVE *ALL* FAILED\n-----------------")
+
+ self._writeLine( "Listing mkeys at end of test") #I add
+ self._listmkeys() #155 =40
+ self._writeLine("Testing bogus use_mkey (setting only mkey to future date) Done ===========================") #156
+
+
+ self._writeLine("\nmake sure cpw [change password] works") #158
+ # this changes the password of 'test' from 'foobar' in "add, get, and list princs" above
+ self._locCpw('test1', 'test') #159 =41
+
+ self._writeHeader("TEST: bogus purge_mkeys (should be no keys purged, no error returned")
+ #print "\nTesting bogus purge_mkeys (should be no keys purged, no error returned) ===========================" #161
+ self._purgemkeys() #162 =42
+ self._writeLine("Testing bogus purge_mkeys (no error) Done ===========================") #163
+
+ self._writeLine( "\nadd kvno 2") #164
+ self._addmkey('abcde', '-s') #165-167 =43
+ self._writeLine("\nlist mkeys")
+ self._listmkeys() #169 =44
+
+ #start daemons
+ self._startkdc() #172 =45 46
+ self._writeLine("make sure kdc is up, by kinit test") #176
+ self._kinit('test1', 'test') #177 =47
+
+ self._writeLine("---------------\n\/\/\/ ERROR EXPECTED below. Test passwd policy.:") #180
+ self._kinit(passw, 'all', succeed=False) #181 =48
+ self._writeLine("^^ABOVE^^ SHOULD HAVE FAILED\n-----------------")
+
+ #change passwd on client's side
+ self._kpasswd(passw, 'Test123.', 'all')#184-188 =49
+
+ self._kinit('Test123.', 'all') #189 =50
+ self._klist() #190 =51
+
+ self._writeHeader("TEST: password history for principal 'all', new passwords must not be a previous password") #191
+ self._kpasswd('Test123.', 'Foobar2!', 'all') #192-195 =52
+ self._writeLine("--------------\n\/\/\/ ERROR EXPECTED below") #197
+ self._kpasswd('Foobar2!', passw, 'all', succeed=False) #199-202 =53
+ self._writeLine("^^^ABOVE^^ SHOULD HAVE FAILED\n----------")
+
+ # this shouldn't change the mkvno for any princs (should be 1) #206
+ #self._updatePrincEnc() #207
+ # princs should still be protected by mkvno 1 #208
+ self._writeLine("@@@@@@@@ Wait for other people to fix bug in code 6507 update_princ_encryption to use mkey instead of latest mkey @@@@@@@@@@@@@\n")
+ self._locGetprincFind('test', 'MKey: vno 1') #209 =54
+
+ self._purgemkeys() #210 =55
+ self._listmkeys() #211 =56
+ self._usemkey('2', 'now-1day') #213 =57
+ self._listmkeys() #214 =58
+
+ self._writeLine("-----------\n\/\/\/ ERROR EXPECTED below") #216
+ self._kpasswd('Foobar2!', passw, 'all', succeed=False) #217-221 =59
+ self._writeLine("^^^ABOVE^^ SHOULD HAVE FAILED\n--------")
+
+ self._kpasswd('Foobar2!', 'Barfoo3.', 'all') #224-228 =60
+ self._kinit('Barfoo3.', 'all') #229
+ self._klist() #230 =62
+
+ self._writeLine("-------------\n\/\/\/ ERROR EXPECTED below") #231
+ self._kpasswd('Barfoo3.', 'Foobar2!', 'all',succeed=False) #233-235 =63
+ self._writeLine("^^^ABOVE^^ SHOULD HAVE FAILED\n---------")
+
+ self._writeLine("\nTest's key should be protected by mkvno 2" ) #239
+ self._locCpw('foo', 'test') #240 =64
+ self._locGetprincFind('test', 'MKey: vno 2') #241 =65
+ self._kdestroy() #242 =66
+
+ self._writeHeader("TEST: krb5kdc refetch of mkey")#243
+ self._kinit('foo', 'test') #244 =67
+ self._klist() #245 =68
+ self._writeLine("END. Testing krb5kdc refetch of mkey list Done ==============================================\n") #246
+
+ self._updatePrincEnc() #247 =69
+ self._get_princ_records() #248 =70 -83
+ self._kdestroy() #249 =84
+ self._kinit('foo', 'test') #250 =85
+ self._purgemkeys() #252 =86
+
+ self._stash() #254 =87
+ self._shell(self.clients+'klist/klist' +" -ekt "+self.sandir+"/keyStashFile") #255 =88
+
+ self._locGetprinc('K/M') #256 =89
+ self._purgemkeys() #257 =90
+ self._locGetprinc('K/M') #258
+ self._listmkeys() #259 =92
+ self._kdestroy() #260
+ self._kinit('foo', 'test') #261
+ self._klist() #262 =95
+
+ self._writeLine("\n Adding in Master Key Number 3")
+ self._listmkeys() #265 =96
+ self._addmkey('abcde') #266-268
+ self._listmkeys() #270 =98
+ self._locCpw('foo', 'all') #271
+ self._locGetprinc('all') #272 =100
+ self._usemkey('3', 'now') #273
+ self._listmkeys() #274 =102
+ self._locCpw('99acefghI0!', 'all') #275
+ self._locGetprinc('all') #276 =104
+ self._kdestroy() #277
+ self._kinit('foo', 'test') #279 =106
+ self._klist() #280
+ self._shell(self.kadmin+" -p haoqili/admin -w "+passw+" -q 'listprincs'") #281 =108
+ self._shell(self.kadmin+" -p haoqili/admin -w "+passw+" -q 'getprinc test'") #282 =109
+
+ self._writeHeader("TEST: add_mkey with aes128 enctype") #283
+ self._addmkey('abcde', '-e aes128-cts-hmac-sha1-96') #284-287 =110
+ self._listmkeys() #288 =111
+
+ self._writeLine( "END. Testing add_mkey with aes128 enctype done ==============================================")#289
+
+ self._writeHeader("TEST: krb5kdc refetch of mkey list")
+ self._usemkey('4', 'now') #290 =112
+ self._listmkeys() #291 =113
+ self._shell(self.kadmin+" -p haoqili/admin -w "+passw+" -q 'cpw -pw abcde test'") #292 =114
+ self._shell(self.kadmin +" -p haoqili/admin -w "+passw+" -q 'getprinc test'") #293
+ self._kdestroy() #294 =116
+
+ self._writeLine("\nTesting krb5kdc refetch of mkey list =================================================") #295
+ self._kinit('abcde', 'test') #296 =117
+ #'self._klist() #297 =118
+ self._writeLine("Testing krb5kdc refetch of mkey list Done :) =================================================\n") #298
+
+ self._killkdc() #300 =119, 120
+ self._startkdc() #301 =121 122
+ self._shell("kadmin -p haoqili/admin -w "+passw+" -q 'cpw -pw foo test'") #304 =123
+ self._shell("kadmin -p haoqili/admin -w "+passw+" -q 'getprinc test'") #305 =124
+ self._kdestroy() #307 =125
+
+ self._writeLine("\nTesting krb5kdc refetch of mkey list =================================================") #308
+ self._kinit('foo', 'test') #309 =126
+ self._klist() #310 =127
+ self._writeLine("Testing krb5kdc refetch of mkey list Done =================================================\n") #311
+
+ self._updatePrincEnc() #313 =128
+ self._locGetprinc('K/M') #314
+ self._locGetprinc('all') #315 =130
+ self._locGetprinc('haoqili') #316
+ self._kdestroy() #317 =132
+ self._kinit('foo', 'test') #318
+ self._stash() #319 =134
+ self._shell(self.clients+'klist/klist' + " -ekt "+self.sandir+"/keyStashFile") #320
+ self._locGetprinc('K/M') #321 =136
+ self._purgemkeys() #322
+ self._locGetprinc('K/M') #323 =138
+ self._locGetprinc('all') #324
+ self._shell("kadmin -p haoqili/admin -w "+passw+" -q 'getprinc test'") #325 =140
+ self._listmkeys() #326
+ self._kdestroy() #327 =142
+ self._kinit('foo', 'test') #328
+ self._klist() #329 =144
+
+ self._get_princ_records() #330 =145-158
+
+ self._writeHeader("TEST: add_meky with DES-crc enctype")
+ #print "\nTesting add_mkey with DES-crc enctype ==============================================" #331
+ self._addmkey('abcde', '-e des-cbc-crc') #332-335 =159
+ self._listmkeys() #336 =160
+ self._writeLine( "END. Testing add_mkey with DES-crc enctype Done ==============================================") #337
+ self._addmkey('abcde') #338-341 =161
+ self._listmkeys() #342 =162
+ self._writeLine( "current time: "+strftime("%Y-%m-%d %H:%M:%S") ) #343
+
+ self._usemkey('5', 'now-1day') #344 =163
+ self._writeLine("current time: "+strftime("%Y-%m-%d %H:%M:%S") )#345
+ self._listmkeys() #346 =164
+ self._usemkey('5', 'now') #347 =165
+ self._writeLine("current time: "+strftime("%Y-%m-%d %H:%M:%S") )#348
+ self._listmkeys() #349 =166
+ self._usemkey('5', 'now+3days') #350 =167
+ self._writeLine("current time: "+strftime("%Y-%m-%d %H:%M:%S") )#351
+ self._listmkeys() #352 =168
+ self._writeLine("current time: "+strftime("%Y-%m-%d %H:%M:%S") )#353
+ self._usemkey('5', 'now+5sec') #354 =169
+ self._listmkeys() #355 =170
+ time.sleep(5) #356
+ self._listmkeys() #357 =171
+ self._writeLine("current time: "+strftime("%Y-%m-%d %H:%M:%S") )#358
+ self._usemkey('4', 'now+5sec') #359 =172
+ self._listmkeys() #360 =173
+ time.sleep(5) #361
+ self._listmkeys() #362 =174
+ self._usemkey('5', 'now+3days') #363 =175
+
+ self._writeLine("------------\n\/\/\/ ERROR EXPECTED below" )#364
+ self._writeLine("should fail, because there must be one mkey currently active") #365
+ self._usemkey('4', 'now+2days', False) #366 =176
+ self._writeLine("^^^ABOVE^^ SHOULD HAVE FAILED\n---------------")
+
+ self._listmkeys() #373 =177
+ self._usemkey('4', '1/30/2009') #375 =178
+
+ self._writeHeader("TEST: purge_mkeys (removing mkey 5)")
+ #print "\nTesting purge_mkeys (removing mkey 5) ==============================================" #378
+ self._purgemkeys() #379 =179
+ self._stash() #380 =180
+ self._shell(self.clients+'klist/klist' +" -ekt "+self.sandir+"/keyStashFile") #381 =181
+ self._listmkeys() #382 =182
+ self._shell("kadmin -p haoqili/admin -w "+passw+" -q 'getprinc K/M'") #383 =183
+ self._writeLine("Testing purge_mkeys Done ==============================================") #384
+ self._writeHeader("MASTER KEY MIGRATION TEST DONE. please consult 'outfile' in your sandbox for more info. The sandbox is at: %s" % self.sandir)
+ # I added
+ self._sysexit(finished=True)
+
+####################################################
+####################################################
+
+class Launcher:
+ def __init__(self, path, sandP):
+ # srcdir, self._buildDir = InPath
+ self._buildDir = path
+ # self._confDir = InPath/tests/mk_migr/input_conf
+ self._confDir = '%s/tests/mk_migr/db2_backend/input_conf' % self._buildDir
+
+ # setting up sand box
+ if sandP != "":
+ self._sandboxDir = sandP
+ else:
+ self._sandboxDir = '%s/tests/mk_migr/db2_backend/sandbox' % self._buildDir
+
+ self._vars = {'srcdir': self._buildDir,
+ 'sandboxdir': self._sandboxDir,
+ 'localFQDN':socket.getfqdn()}
+
+ def _prepSandbox(self):
+ sandir = self._sandboxDir
+ if os.path.exists(sandir):
+ shutil.rmtree(sandir)
+ print "------about to make sandbox, with the path of:"
+ print sandir
+ os.makedirs(sandir, 0777)
+ print "------sandbox made"
+ return sandir
+
+ def _createFileFromTemplate(self, outpath, template, vars):
+ fin = open(template, 'r')
+ result = fin.read() % vars
+ fin.close()
+ fout = open(outpath, 'w')
+ fout.write(result)
+ fout.close()
+
+ ####### Launcher RUN ################
+ def runLauncher(self):
+ # create sandbox file directory if it does not exit
+ sandir = self._prepSandbox()
+ '''print os.environ
+ '''
+ #save the initial 3 things setup
+ orig_libpath = os.getenv('LD_LIBRARY_PATH')
+ orig_krbconf = os.getenv('KRB5_CONFIG')
+ orig_kdcprof = os.getenv('KRB5_KDC_PROFILE')
+
+ # change the 3 things
+ os.environ["LD_LIBRARY_PATH"] = '%s/lib' % self._buildDir
+ #os.environ["SRCDIR"] = '%s' % self._buildDir
+
+ str1 = '%s/krb5.conf' % self._sandboxDir
+ os.environ["KRB5_CONFIG"] = str1
+
+ str2 = '%s/kdc.conf' % self._sandboxDir
+ os.environ["KRB5_KDC_PROFILE"] = str2
+
+ str3 = '%s/kadm5.acl' % self._sandboxDir
+
+ # Create adequate to the environment config files
+ self._createFileFromTemplate('%s' % str1, '%s/%s' % (self._confDir, 'krb5_template_db2.conf'), self._vars)
+ self._createFileFromTemplate('%s' % str2, '%s/%s' % (self._confDir, 'kdc_template_db2.conf'), self._vars)
+ self._createFileFromTemplate('%s' % str3, '%s/%s' % (self._confDir, 'kadm5_template_db2.acl'), self._vars)
+
+ return sandir
+
+####################################################
+####################################################
+def makeBool(aStr):
+ if aStr == "True" or aStr == "T":
+ return True
+ if aStr == "False" or aStr == "F":
+ return False
+ else:
+ print "did NOT execute due to invalid True False argument. Please enter either 'True', 'T', 'False', or 'F'"
+ sys.exit()
+
+# # # # # # # # # # # # # # # # # # # # # # # # #
+
+def processInputs(parser):
+ # get inputs
+ (options, args) = parser.parse_args()
+
+ verbose = makeBool(options.opVerbose)
+ pw = options.opPassword
+
+ kdcPath = options.opKdcPath #1
+ kdmdPath = options.opKdmdPath #2
+ kdbPath = options.opKdbPath #3
+ kdmlPath = options.opKdmlPath #4
+ kdmPath = options.opKdmPath #5
+ cltPath = options.opCltPath #6
+
+ sandPath = options.opSandbox
+
+ ########### Launch ###############
+
+ print "\n############ Start Launcher #############"
+ src_path=os.environ["PWD"]
+ print "SOURCE PATH ==>" , src_path
+
+ myLaunch = Launcher(src_path, sandPath)
+ sandir = myLaunch.runLauncher()
+
+ test = MasterKeyMigrationTest(verbose, pw, kdcPath, kdmdPath, kdbPath, kdmlPath, kdmPath, cltPath, sandir)
+ print "########## Finished Launcher ############\n"
+
+ return test
+# # # # # # # # # # # # # # # # # # # # # # # # #
+
+def makeParser():
+ usage = "\n\t%prog [-v][-p][-c][-d][-b][-l][-t][-s]"
+ description = "Description:\n\tTests for the master key migration commands."
+ parser = OptionParser(usage=usage, description=description)
+
+ parser.add_option("-v", "--verbose", type="string", dest="opVerbose",
+default="True", help="'True' or 'False'. Switch on for details of command lines and outputs. Default is 'True'")
+
+ parser.add_option("-p", "--password", type="string", dest="opPassword", default="test123", help="master password for many of the passwords in the test. Default is 'test123'")
+
+ ## Default Paths
+ dSrcPath = src_path=os.environ["PWD"]
+ dKdcPath = '%s/kdc/krb5kdc' % dSrcPath #1
+ dKdmdPath = '%s/kadmin/server/kadmind' % dSrcPath #2
+ dKdbPath = '%s/kadmin/dbutil/kdb5_util' % dSrcPath #3
+ dKdmlPath = '%s/kadmin/cli/kadmin.local' % dSrcPath #4
+ dKdmPath = '%s/kadmin/cli/kadmin' % dSrcPath #5
+ dCltPath = '%s/clients' % dSrcPath #6
+
+ parser.add_option("-c", "--krb5kdcpath",
+type="string", dest="opKdcPath",
+default=dKdcPath, help="set krb5kdc path, default="+dKdcPath) #1
+
+ parser.add_option("-d", "--kadmindpath",
+type="string", dest="opKdmdPath",
+default=dKdmdPath, help="set kadmind path, default="+dKdmdPath) #2
+
+ parser.add_option("-b", "--kdb5_utilpath",
+type="string", dest="opKdbPath",
+default=dKdbPath, help="set kdb5_util path, default="+dKdbPath) #3
+
+ parser.add_option("-l", "--kadminlocalpath",
+type="string", dest="opKdmlPath",
+default=dKdmlPath, help="set kadmin.local path, default="+dKdmlPath) #4
+
+ parser.add_option("-n", "--kadminpath",
+type="string", dest="opKdmPath",
+default=dKdmPath, help="set kadmin path, default="+dKdmPath) #5
+
+ parser.add_option("-t", "--clientspath",
+type="string", dest="opCltPath",
+default=dCltPath, help="set clients path, default="+dCltPath) #6
+
+ # set up / initializing stuff for the sandbox
+ parser.add_option("-s", "--sandbox",
+type="string", dest="opSandbox",
+default="",
+help="path for the sandbox. Default is '%s/tests/mk_migr/db2_backend/sandbox' % "+dSrcPath)
+
+ return parser
+
+####################################################
+if __name__ == '__main__':
+ parser = makeParser()
+ test = processInputs(parser)
+ result = test.run()
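Review bot: `os.makedirs(sandir, 0777)` in `Launcher._prepSandbox` creates the directory that then holds `principal`, `keyStashFile` and `outfile` world-writable, and `outfile` records every master and principal password in clear (`_addmkey`, `_locCpw`, `_kpasswd` all log them), so any local user can read or replace the master-key stash while the test KDC is up; `os.makedirs(sandir, 0700)` is enough for a single-user sandbox. Two smaller defects: `_get_princ_records` calls `self.printerr`, which does not exist (the method is `_printerr`), so its failure path raises AttributeError instead of reporting, and `while time.clock() < 3` in `_startkdc` measures CPU time rather than elapsed time, so the kadmind "starting" wait does not time out as intended — record `start = time.time()` and loop on `time.time() - start < 3`. Note also that `_killkdc` runs `pkill -9 -x krb5kdc`/`kadmind`, which kills any KDC on the host and not only the sandbox one, and that several late steps invoke a bare `kadmin` from PATH instead of `self.kadmin`.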
diff --git a/src/tests/mk_migr/ldap_backend/README_for_mkmldap b/src/tests/mk_migr/ldap_backend/README_for_mkmldap
new file mode 100644
index 0000000..1ab3cde
--- /dev/null
+++ b/src/tests/mk_migr/ldap_backend/README_for_mkmldap
@@ -0,0 +1,77 @@
+##############################################################################
+###################### WARNING: DOES NOT WORK YET ############################
+##############################################################################
+
+ABOUT:
+A translation of Will Fiveash's "mit_db2_mkey_migrate_testB" ksh code into Python with ldap backend. With minor fixes and changes. Written by HaoQi Li.
+
+DEFAULT SETTINGS:
+Options Name Default Setting
+ -h Help
+ -v Verbose: True
+ -p Testing pw: test123
+ -s Sandbox loc: src/tests/kdc_realm2/sandbox
+ -c Krb5kdc: src/kdc/krb5kdc
+ -d Kadmind: src/kadmin/server/kadmind
+ -b Kdb5_util: src/kadmin/dbutil/kdb5_util
+ -a Kdb5_ldap_util: src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util
+ -l Kadmin.local: src/kadmin/cli/kadmin.local
+ -n Kadmin: src/kadmin/cli/kadmin
+ -t Client paths: src/clients
+
+INPUTS:
+* src/tests/mk_migr/ldap_backend/input_conf/kdc_template_ldap.conf
+* src/tests/mk_migr/ldap_backend/input_conf/krb5_template_ldap.conf
+* src/tests/mk_migr/ldap_backend/input_conf/kadm5_template_ldap.acl
+* src/tests/mk_migr/ldap_backend/input_conf/debconfile
+
+OUTPUTS:
+* sandbox that contains customized outfile with all commands and their outputs, kdc.conf, krb5.conf, kadm6.acl, and others.
+* Statistics on screen of number of commands passed and failed (if not interrupted by fatal failures).
+
+EXAMPLES:
+- MUST RUN from trunk/src.
+* python tests/mk_migr/ldap_backend/ldap7.py
+ Using all Default Settings.
+* python tests/mk_migr/ldap_backend/ldap7.py -s /tmp/mySandbox
+ Sandbox now can be found in /tmp/mySandbox.
+
+REFERENCE:
+http://k5wiki.kerberos.org/wiki/LDAP_on_Kerberos
+and http://k5wiki.kerberos.org/wiki/User_talk:Haoqili
+
+NOTES:
+* "haoqili" is a name that can be changed.
+* "kdb5_util stash" is equivalent to "-s" in "kdb5_ldap_util create -s"
+* 2019 and 2029 are future dates that should best be written not as fixed. Such as now+10years.
+
+FAILURES:
+
+* failure in kpasswd all, ERROR:"password history principal key version mismatch while trying to change password." This is caused by "-history 3" in testpolicy4
+
+* The beginning of a series of failures starts from: the "kdb5_util list_mkeys" fails after "kdb5_util add_mkey -e aes128-cts-hmac-sha1-96 [with password=abcde]"
+ERROR:-------------------------------------
+kdb5_util: Unable to decrypt latest master key with the provided master key
+while getting master key list
+kdb5_util: Warning: proceeding without master key list
+kdb5_util: master keylist not initialized
+can't decrypt the latest master key
+--------------------------------------------
+Convo with Tom:
+T: so you didn't activate the new mkey?
+H: correct i just added it
+T: the message looks familiar. does list_mkeys work before you do that add_mkey?
+H: yes it does
+T: Will might have mentioned some problems with the LDAP backend and the master key migration stuff.
+T: how up-to-date is your source tree? Will says he remembers fixing this.
+H: i'm at revision 22523
+T: hm, i think that should be recent enough.
+T: do you have any enctype settings in your config files?
+H: in krb5.conf
+[libdefaults]
+default_realm = EXAMPLE.ORG
+default_tkt_enctypes = des3-hmac-sha1 aes128-cts
+default_tgs_enctypes = des3-hmac-sha1 aes128-cts
+T: anything for supported_enctypes or master_key_type?
+H: no
+
diff --git a/src/tests/mk_migr/ldap_backend/input_conf/debconfile b/src/tests/mk_migr/ldap_backend/input_conf/debconfile
new file mode 100644
index 0000000..6866e93
--- /dev/null
+++ b/src/tests/mk_migr/ldap_backend/input_conf/debconfile
@@ -0,0 +1,9 @@
+slapd slapd/no_configuration boolean false
+slapd slapd/domain string example.org
+slapd shared/organization string My Organization
+slapd slapd/backend select HDB
+slapd slapd/purge_database boolean true
+slapd slapd/move_old_database boolean true
+slapd slapd/password1 password a
+slapd slapd/password2 password a
+slapd slapd/allow_ldap_v2 boolean false
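Review bot: The slapd administrator password set here (`slapd/password1` and `slapd/password2` = `a`) is repeated as a literal in the setup commands of mkmldap.py (`-w a` on the `ldapadd`, `create` and `stashsrvpw` lines, `-P a` on `create`), so editing either file silently breaks the other, and the value is exposed in process listings for the lifetime of those commands. The script already accepts a master password via `-p` and substitutes `%(sandir)s` into the other templates; generating this file from one variable the same way would keep a single source for the value. For a fixture that is explicitly marked as not yet working this is low risk, but it is the kind of duplication that outlives the warning banner.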
diff --git a/src/tests/mk_migr/ldap_backend/input_conf/kadm5_template_ldap.acl b/src/tests/mk_migr/ldap_backend/input_conf/kadm5_template_ldap.acl
new file mode 100644
index 0000000..719677a
--- /dev/null
+++ b/src/tests/mk_migr/ldap_backend/input_conf/kadm5_template_ldap.acl
@@ -0,0 +1 @@
+*/admin *
diff --git a/src/tests/mk_migr/ldap_backend/input_conf/kdc_template_ldap.conf b/src/tests/mk_migr/ldap_backend/input_conf/kdc_template_ldap.conf
new file mode 100644
index 0000000..94a82a7
--- /dev/null
+++ b/src/tests/mk_migr/ldap_backend/input_conf/kdc_template_ldap.conf
@@ -0,0 +1,17 @@
+[kdcdefaults]
+ kdc_ports = 8888
+
+[realms]
+ EXAMPLE.ORG = {
+ database_name = %(sandir)s/krb5kdc/principal
+ acl_file = %(sandir)s/kadm5.acl
+ key_stash_file = %(sandir)s/krb5kdc/.k5.EXAMPLE.ORG
+ admin_keytab = FILE:%(sandir)s/krb5kdc/kadm5.keytab
+ kdc_ports = 8888
+ kpasswd_port = 8887
+ kadmind_port = 8886
+ max_life = 10h 0m 0s
+ max_renewable_life = 7d 0h 0m 0s
+ }
+[logging]
+ kdc = FILE:/tmp/myrealKDC.log
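Review bot: The KDC log goes to a fixed, predictable path outside the sandbox (`kdc = FILE:/tmp/myrealKDC.log`) while every other path in the realm block is substituted from `%(sandir)s`; on a shared machine that file is reachable by any local user and concurrent test runs append to the same log. `kdc = FILE:%(sandir)s/kdc.log` keeps the output with the rest of the sandbox and is removed with it. The same applies to the three `[logging]` entries in krb5_template_ldap.conf (`/tmp/kdc_fromkrb.log`, `/tmp/krb5.log`, `/tmp/admin.log`). `kdc_ports = 8888` is also set twice, once under `[kdcdefaults]` and again inside the realm block, which is harmless but redundant.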
diff --git a/src/tests/mk_migr/ldap_backend/input_conf/krb5_template_ldap.conf b/src/tests/mk_migr/ldap_backend/input_conf/krb5_template_ldap.conf
new file mode 100644
index 0000000..5805f60
--- /dev/null
+++ b/src/tests/mk_migr/ldap_backend/input_conf/krb5_template_ldap.conf
@@ -0,0 +1,33 @@
+[libdefaults]
+ default_realm = EXAMPLE.ORG
+ default_tkt_enctypes = des3-hmac-sha1 aes128-cts
+ default_tgs_enctypes = des3-hmac-sha1 aes128-cts
+
+[realms]
+ EXAMPLE.ORG = {
+ admin_server = %(localFQDN)s:8886
+ kpasswd_server = %(localFQDN)s:8887
+ #default_domain = EXAMPLE.ORG
+ kdc = %(localFQDN)s:8888
+ database_module = LDAP
+ }
+
+[dbdefaults]
+ ldap_kerberos_container_dn = "cn=krbContainer,dc=example,dc=org"
+
+[dbmodules]
+ LDAP = {
+ db_library = kldap
+ ldap_kerberos_container_dn = "cn=krbContainer,dc=example,dc=org"
+ ldap_kdc_dn = cn=admin,dc=example,dc=org
+ ldap_kadmind_dn = cn=admin,dc=example,dc=org
+ ldap_service_password_file = %(sandir)s/krb5kdc/admin.stash
+ ldap_servers = ldapi:///
+ }
+[domain_realm]
+
+[logging]
+ kdc = FILE:/tmp/kdc_fromkrb.log
+ default = FILE:/tmp/krb5.log
+ admin_server = FILE:/tmp/admin.log
+
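Review bot: Both `ldap_kdc_dn` and `ldap_kadmind_dn` bind as `cn=admin,dc=example,dc=org`, the same directory administrator DN that mkmldap.py uses to create the container, so the KDC and kadmind run with write access to the entire directory rather than to the subtree under `ldap_kerberos_container_dn`. A dedicated DN per service, each stashed with its own `kdb5_ldap_util stashsrvpw` entry in `ldap_service_password_file`, would keep the fixture closer to a least-privilege deployment; if the shared admin DN is deliberate for this test, a comment saying so would save the next reader the question. `ldap_kerberos_container_dn` is also declared twice (in `[dbdefaults]` and inside the `LDAP` module) and `[domain_realm]` is left empty, both harmless but worth trimming.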
diff --git a/src/tests/mk_migr/ldap_backend/mkmldap.py b/src/tests/mk_migr/ldap_backend/mkmldap.py
new file mode 100644
index 0000000..ae2b83a
--- /dev/null
+++ b/src/tests/mk_migr/ldap_backend/mkmldap.py
@@ -0,0 +1,897 @@
+##############################################################################
+###################### WARNING: DOES NOT WORK YET ############################
+##############################################################################
+
+import os, sys, shutil, socket, time, string
+from subprocess import Popen, PIPE
+from optparse import OptionParser
+from time import strftime
+
+class LDAPbackendSetup:
+ def __init__(self, verbose_in, pw_in, kdcPath_in, kdmdPath_in, kdbPath_in, ldapPath_in, kdmlPath_in, kdmPath_in, cltPath_in, sandir_in, confdir_in):
+ self.npass = 0
+
+ self.nfail = 0
+
+ self.verbose = verbose_in
+ self.pw = pw_in
+
+ self.krb5kdc = kdcPath_in #1 krb5kdc
+ self.kadmind = kdmdPath_in #2 kadmind
+ self.kdb5_util = kdbPath_in #3a kdb5_util
+ self.kdb5_ldap_util = ldapPath_in #3b kdb5_ldap_util
+ self.kadminlocal = kdmlPath_in #4 kadmin.local
+ self.kadmin = kdmPath_in #5 kadmin
+ self.clients = cltPath_in+"/" #6 clients
+
+ self.sandir = sandir_in
+ self.confdir = confdir_in
+
+ ########## SET UP Write Output File #####
+ print "outfile path"
+ print self.sandir
+ print self.sandir+"/outfile"
+
+ self.outfile = open(self.sandir+"/outfile", 'w')
+
+ #''print os.environ'
+
+ def _writeLine(self, astr, prt=False):
+ self.outfile.write(astr.strip()+"\n")
+ if prt:
+ print astr.strip()
+
+ def _writeHeader(self, astr, prt=True):
+ self.outfile.write("\n========== "+astr.strip()+" ==========\n")
+ if prt:
+ print "========== "+astr.strip()+" =========="
+
+ def _sysexit(self, fatal=False, finished=False):
+ self._writeLine("++++++++++++++++++++++++++++++", True)
+ if fatal:
+ self._writeLine("++++ Test did NOT finish +++++", True)
+ self._writeLine("++++ FATAL FAILURE! Stopped ++", True)
+ self._writeLine("++++ See sandbox/outfile +++++", True)
+ self._writeLine("++++++++++++++++++++++++++++++", True)
+ sys.exit()
+ elif not finished:
+ self._writeLine("++++ Test did NOT finish +++++", True)
+ self._writeLine("++++ FAIL Detected! keep going", True)
+ self._writeLine("++++++++++++++++++++++++++++++", True)
+ else: #finished
+ self._writeLine("++++ MKM Test Finished +++++++", True)
+ self._writeLine("++++++++++++++++++++++++++++++", True)
+ self._writeLine("++++ Commands Passed: %s +++++" % self.npass, True)
+ self._writeLine("++++ Commands Failed: %s +++++" % self.nfail, True)
+ sys.exit()
+
+ def _printig(self):
+ self._writeLine("~.~.~Error should be ignored~.~.~.~")
+
+ def _printerr(self, errm, stderr):
+ self._writeLine("#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#")
+ self._writeLine("-XX-FAILED: "+errm+". See stderr below:")
+ [self._writeLine(line) for line in stderr.readlines() ]
+
+ def _printout(self, cmd, pstdout):
+ if self.verbose:
+ self._writeLine("#######################################")
+ #self._writeLine("---------------------------------------")
+ self._writeLine("-command: "+cmd)
+ self._writeLine("-----out: ")
+ [self._writeLine(line) for line in pstdout.readlines()]
+
+ def _eval(self, succeed, pwait, errm, pstderr, fatal=False, msg2="", finished=False):
+ if int(pwait) != 0: # is bad
+ self._printerr(errm, pstderr)
+ if succeed==True: ## want good
+ self.nfail += 1
+ self._sysexit(fatal, finished)
+ else: ## want bad
+ self.npass += 1
+ self._printig()
+ else: # is good
+ if not succeed: ## want bad
+ if msg2 != "":
+ self._writeLine(msg2, True)
+ self.nfail += 1
+ self._sysexit(fatal, finished)
+ else: ## want good
+ self.npass += 1
+
+ def _metafunc(self, command, errmsg, moreinfo="", isLocal=False, succeed=True, fatal=False):
+ l = command
+ if isLocal:
+ pl = Popen(l.split(None,2), stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ else:
+ pl = Popen(l.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ self._printout(l+moreinfo, pl.stdout)
+
+ self._eval(succeed, pl.wait(), errmsg, pl.stderr, fatal)
+
+ ###########################################
+
+ # Start the KDC daemons
+ def _startkdc(self):
+ self._writeLine("\nstarting kdc daemons ...")
+ l0 = self.krb5kdc
+ errm = "error at starting krb5kdc"
+ self._metafunc(l0, errm)
+ # below has been changed
+
+ #starting kadmind
+ l0b = self.kadmind + ' -W -nofork' #the W is for during off strong random numbers
+ errm = "error at starting kadmind, maybe it's already started"
+ pl0b = Popen(l0b.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ self._writeLine( "kadmind -nofork")
+ started = False
+ while time.clock() < 3:
+ l = pl0b.stderr.readline()
+ if l.find("starting") > -1:
+ self._writeLine( l.strip())
+ self.npass += 1
+ started = True
+ break
+ else:
+ self.nfail += 1
+ self._printerr("kadmind not starting, check to see if there are any previous kadmind running with cmd: 'ps -ef | grep kadmind' and then do 'sudo kill -9 [# on the left]'", pl0b.stderr)
+ self._sysexit(fatal=True)
+ if not started:
+ self.nfail += 1
+ self._sysexit()
+ self._writeLine("end starting kdc daemons")
+
+ # Kill the KDC daemons in case they are running
+ def _killkdc(self, suc=True):
+ l1 = 'pkill -9 -x krb5kdc'
+ errm = "no krb5kdc killed"
+ self._metafunc(l1, errm, succeed=suc)
+ l2 = 'pkill -9 -x kadmind'
+ errm = "no kadmind killed"
+ self._metafunc(l2, errm, succeed=suc)
+
+ # Destroys current database
+ def _destroykdc(self, suc=True):
+ l3 = self.kdb5_util+' destroy -f' #forced
+ errm = "no kdb database destroyed"
+ self._metafunc(l3, errm, succeed=suc)
+
+ ''' Destroys current database
+ I don't use this because 1. I don't know the specific kdc's to destroy, 2. the debconf setting up of slapd has destroyed old databases already
+ def _destroykdc_ldap(self, suc=True):
+ l3 = self.kdb5_ldap_util+' destroy -f' #forced
+ errm = "no kdb database destroyed"
+ self._metafunc(l3, errm, succeed=suc)
+ '''
+
+ # Create a new database with a new master key
+ def _createdb(self, pw):
+ l4 = self.kdb5_util+' -P '+pw+' create -s -W' #added W for svn version 22435 to avoid reading strong random numbers
+ errm = "error when creating new database, _createdb()"
+ self._metafunc(l4, errm, fatal=True)
+
+ # Addprinc
+ def _locAddprinc(self, passw, usern):
+ l5 = self.kadminlocal+' -q addprinc -pw '+passw+' '+usern
+ errm = "error when adding princ, _locAddprinc"
+ self._metafunc(l5, errm, isLocal=True)
+
+ # List princs
+ def _locListprincs(self):
+ l6 = self.kadminlocal+' -q listprincs'
+ errm = "error when listing princs, _locListprincs"
+ self._metafunc(l6, errm, isLocal=True)
+
+ # Get princs
+ def _locGetprinc(self, usern, extra=False, succeed=True):
+ l7 = self.kadminlocal+' -q getprinc '+usern
+ errm="error when getting princ, _locGetprinc"
+
+ pl7 = Popen(l7.split(None,2), stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ if not extra:
+ self._printout(l7, pl7.stdout)
+ else:
+ if self.verbose:
+ self._writeLine("-command: "+l7)
+ self._writeLine("-----out: ")
+ for line in pl7.stdout.readlines():
+ if line.startswith("Princ") or line.startswith("MKey"):
+ self._writeLine(line)
+ self._eval(succeed, pl7.wait(), errm, pl7.stderr)
+
+ # Get princs and finds something in the output
+ def _locGetprincFind(self, usern, findstr, succeed=True):
+ l7b = self.kadminlocal+' -q getprinc ' +usern
+ errm="error when getting princs, _locGetprinc, (regular output of getprincs is not printed here), will NOT continue to find string="+findstr
+ pl7b = Popen(l7b.split(None, 2), stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ if self.verbose:
+ self._writeLine("-command: "+l7b)
+ if int(pl7b.wait()) != 0: # is bad
+ self._printerr(errm, pl7b.stderr)
+ if succeed: ## want good
+ self.nfail += 1
+ self._sysexit()
+ else: ## want bad
+ self.npass += 1
+ self._printig()
+ else: # is good
+ if self.verbose:
+ self._writeLine( "-----out: ")
+ boofound = False
+ for outl in pl7b.stdout.readlines():
+ self._writeLine(outl)
+ if string.find(outl, findstr) > -1:
+ boofound = True
+ if boofound:
+ self._writeLine("----FOUND: "+findstr)
+ else:
+ self._writeLine("----NOT FOUND: "+findstr)
+ if not succeed: ## want bad
+ self.nfail += 1
+ self._sysexit()
+ else: ## want good
+ self.npass += 1
+
+ # Add policy
+ def _locAddpol(self, maxtime, minlength, minclasses, history, policyname):
+ rest = ""
+ if maxtime != None:
+ rest += '-maxlife '+maxtime+' '
+ if minlength != None:
+ rest += '-minlength '+minlength+' '
+ if minclasses != None:
+ rest += '-minclasses '+minclasses+' '
+ if history != None:
+ rest += '-history '+history+' '
+ l8 = self.kadminlocal+' -q add_policy '+rest+policyname
+ errm = "error when adding policy, _locAddpol"
+ self._metafunc(l8, errm, isLocal=True)
+
+ # Get pol
+ def _locGetpol(self, poln):
+ l8b = self.kadminlocal+' -q getpol '+poln
+ errm="error when getting pol, _locGetpol"
+ self._metafunc(l8b, errm, isLocal=True)
+
+ # Modify Principal
+ def _locModprinc(self, rest):
+ l9 = self.kadminlocal+' -q modprinc '+rest
+ errm = "error when modifing principal, _locModprinc"
+ self._metafunc(l9, errm, isLocal=True)
+
+ # List mkeys
+ def _listmkeys(self):
+ l10 = self.kdb5_util+' list_mkeys'
+ errm = "error when listing mkeys, _listmkeys"
+ self._metafunc(l10, errm)
+
+ # Use mkeys
+ def _usemkey(self, kvno, time, succeed=True):
+ l11 = self.kdb5_util+' use_mkey '+kvno+' '+time
+ pl11 = Popen(l11.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ self._printout(l11, pl11.stdout)
+ self._eval(succeed, pl11.wait(), "error when using mkeys, _usemkey", pl11.stderr, msg2="-XX-ERROR: "+l11+" should have failed.")
+
+
+ # Change password (cpw)
+ def _locCpw(self, passw, usern):
+ l12 = self.kadminlocal+' -q cpw -pw '+passw+' '+usern
+ errm = "error when changing password, _locCpw"
+ self._metafunc(l12, errm, moreinfo="\n--------: newpw='"+passw+"'", isLocal=True)
+
+ # Purge mkeys
+ def _purgemkeys(self):
+ l13 = self.kdb5_util+' purge_mkeys -f -v' #-f is forced, -v is verbose
+ errm = "error when purging mkeys, _purgemkeys"
+ self._metafunc(l13, errm)
+
+ # Add mkey
+ def _addmkey(self, passw, extra="", succeed=True):
+ l14 = self.kdb5_util+' add_mkey '+extra
+ pl14 = Popen(l14.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ pl14.stdin.write(passw+'\n') #enter 1st time
+ pl14.stdin.write(passw+'\n') #re-enter
+ self._printout(l14+' [with password='+passw+']', pl14.stdout)
+ self._eval(succeed, pl14.wait(), "error when adding mkey, _addmkey", pl14.stderr)
+ self._writeLine( "----end of adding mkey")
+
+ # kinit user
+ def _kinit(self, passw_in, usern, succeed=True):
+ l15 = self.clients+'kinit/kinit '+usern
+ pl15 = Popen(l15.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ pl15.stdin.write(passw_in+'\n')
+ pl15.stdin.close()
+ self._printout(l15, pl15.stdout)
+ self._eval(succeed, pl15.wait(), "error when kinit user, _kinit", pl15.stderr)
+ self._writeLine( "----end of kiniting user")
+
+ # change password on client's side
+ def _kpasswd(self, oldpw, newpw, usern, succeed=True):
+ l16 = self.clients+'kpasswd/kpasswd '+usern
+ pl16 = Popen(l16.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ pl16.stdin.write(oldpw+'\n')
+ pl16.stdin.write(newpw+'\n')
+ pl16.stdin.write(newpw+'\n')
+ self._printout(l16+"\n--------: oldpw='"+oldpw+"' -> newpw='"+newpw+"'", pl16.stdout)
+ self._eval(succeed, pl16.wait(), "error when changing password on client's side, _kpasswd", pl16.stderr)
+ self._writeLine("----end of changing kpasswd")
+
+ # klist on client's side
+ def _klist(self):
+ l17 = self.clients+'klist/klist'
+ errm = "error when klist, _klist"
+ self._metafunc(l17, errm)
+
+ # Update principal encryption
+ def _updatePrincEnc(self):
+ l18 = self.kdb5_util+' update_princ_encryption -f -v'
+ errm = "error when updating principal encryption, _updatePrincEnc"
+ self._metafunc(l18, errm)
+
+ # kdestroy
+ def _kdestroy(self):
+ l19 = self.clients+'kdestroy/kdestroy'
+ errm = "error when kdestroy, _kdestroy"
+ self._metafunc(l19, errm)
+
+ # stash
+ def _stash(self):
+ l20 = self.kdb5_util+' stash'
+ errm="error at stash, _stash"
+ self._metafunc(l20, errm)
+
+ # any shell command
+ def _shell(self, command, succeed=True):
+ l21 = command
+ errm="error at executing this command in _shell(): "+l21
+ pl21 = Popen(l21, shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ self._printout(l21, pl21.stdout)
+ self._eval(succeed, pl21.wait(), errm, pl21.stderr)
+ #'self._printerr(errm, pl21.stderr) Pointed out that kadmin had problems!'
+
+
+ def _shelltest(self, command, succeed=True):
+ l21 = command
+ errm="error at executing this command in _shell(): "+l21
+ pl21 = Popen(l21, shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ first = pl21.communicate('a\na')[0]
+ print "first:"
+ print first
+ print "end first"
+
+ #self._printout(l21, pl21.stdout) self._printout(l21, first)
+ self._eval(succeed, pl21.wait(), errm, pl21.stderr)
+ #self._printerr(errm, pl21.stderr) #Pointed out that kadmin had problems!'
+
+
+ # get_princ_records()
+ def _get_princ_records(self, succeed=True):
+ l22 = self.kadminlocal+" -q listprincs 2>/dev/null|grep -v '^Authenticating as'|fgrep '@'|sort"
+ errm="error at listprincs in _get_princ_records() with this command: "+l22
+ pl22 = Popen(l22, shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ if int(pl22.wait()) != 0: # is bad
+ self.printerr(errm, pl22.stderr)
+ if succeed: ## want good
+ self.nfail += 1
+ self._sysexit()
+ else: ## want badd
+ self.npass += 1
+ self._printig()
+ else: # is good
+ if not succeed: ## want bad
+ self.nfail += 1
+ self._sysexit()
+ else: ## want good
+ self.npass += 1
+ self._writeLine( "\nget_princ_records() executing all listprincs command: "+l22+"\n------its results:")
+ for princ in pl22.stdout.readlines():
+ self._locGetprinc(princ.strip(), extra=True)
+ self._writeLine("END executing command: "+l22+"\n~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~")
+
+######################################################
+ def run(self):
+ #############RUN###################
+ passw=self.pw
+
+ self._writeHeader("START MASTER KEY MIGRATION TEST")
+
+ # Set up database
+ self._writeHeader("SET UP: database")
+ self._killkdc("Either") #74 =1,2
+ #self._destroykdc("Either") #77 =3
+ #self._destroykdc_ldap("Either") #77 =3
+
+ self._shell('sudo cat '+self.confdir+'/debconfile')
+ self._shell('sudo debconf-set-selections '+self.confdir+'/debconfile')
+ self._shell('sudo dpkg-reconfigure --frontend=noninteractive slapd')
+ self._shell('sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///')
+ self._shell('kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -P a -s') #self._createdb(passw) #81 =4
+ self._shelltest('kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org')
+ #self._shell('krb5kdc') ## MUST KILL krb5kdc before first!
+ self._writeHeader("+++++ START +++++")
+
+ #line 83-86 involves ktadd kadm5.keytab, which are out dated
+
+ # add, get, and list princs
+ self._writeHeader("SET UP: add/get/list princs")
+ self._locAddprinc(passw, 'kdc/admin') #87 =5
+ self._locListprincs() #89 =6
+ self._locGetprinc('K/M') #90 =7
+ self._locAddprinc('test123', 'haoqili') #91 =8
+ self._locGetprinc('haoqili') #92 =9
+ self._locAddprinc(passw, 'haoqili/admin') #93 =10
+ self._locAddprinc('foobar', 'test') #94 =11
+ self._locGetprinc('test') #95 =12
+ self._locListprincs() # I added =13
+ myfqdn = socket.getfqdn()
+ #self._shell(self.parentpath+"kadmin.local -q 'addprinc -randkey host/"+myfqdn+"'") #96
+ self._shell(self.kadminlocal+" -q 'addprinc -randkey host/"+myfqdn+"'") #96 =14
+
+ # create policies
+ self._writeHeader("SET UP: create policies")
+
+ #print "\n~~~~~~~~~ create policies ~~~~~~~~~~~"
+ self._locAddpol('8days', None, None, None, 'testpolicy')#100 =15
+ self._locAddpol('20days', '8', '3', None, 'testpolicy2')#101
+ self._locAddpol('90days', '2', '2', None, 'testpolicy3')#102
+ #!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ #!!!!!!!!!Changed to avoid problem in 'kpasswd all'!!!!!!!!!!!!!!!!!!!!
+ #self._locAddpol('90days', '2', '2', '3', 'testpolicy4')#103
+ self._locAddpol('90days', '2', '2', None, 'testpolicy4')#103
+ #!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+ self._locModprinc('-policy testpolicy haoqili')#105
+ self._locAddprinc(passw, 'foo')#106
+ self._locModprinc('-policy testpolicy3 foo')#107 =21
+
+ # create all princ with all fields
+ self._writeHeader("SET UP: create all princ with all fields")
+ #print "\n~~~~~~~~~ create all princ with all fields ~~~~~"
+ self._locAddprinc(passw, 'all') #110 =22
+ self._locModprinc('-expire "2029-12-30 7pm" all') #112
+ self._locModprinc('-pwexpire 12/30/2029 all') #114
+ #self._locModprinc('-expire "now+10years" all') #112
+ #self._locModprinc('-pwexpire now+10years all') #114
+ self._locGetprinc('all') #115
+ self._locModprinc('-maxlife 100days all') #116
+ self._locGetprinc('all') #117
+ self._locModprinc('-maxrenewlife 100days all') #118
+ self._locGetprinc('all') #119
+ self._locModprinc('+allow_postdated +allow_forwardable all') #120 =30
+ self._locModprinc('+allow_proxiable +allow_dup_skey all') #121
+ self._locModprinc('+requires_preauth +allow_svr +needchange all') #122
+ self._locModprinc('-policy testpolicy4 all') #123 ###########
+ self._locGetprinc('all') #124 =34
+
+ # Testing stuff
+ self._writeHeader("TEST: initial mkey list") #126
+ self._writeLine("===== Listing mkeys at start of test") #I add
+ self._listmkeys() #127 =35
+
+ self._writeLine( "Testing krb5kdc list_mkeys Done ==============================================") #128
+
+ self._writeLine("---------------\n xxxxxxxxxx \/\/\/ ERRORS (multiple) EXPECTED below xxxxxxxxxx")
+ self._writeLine("\nERRORS (multiple) EXPECTED below")
+ self._writeLine("Testing bogus use_mkey (setting only mkey to future date, using non-existent kvno, so should return error) =======") #129, 130
+ self._writeLine( "-> must have a mkey currently active (setting mkey to 2 days from now), should fail and return error") #132
+ self._usemkey('1', 'now+2days', False) #133-138 =36
+
+ self._writeLine("-> must have a mkey currently active (setting mkey to 2019 the future), should fail and return error") #140
+ self._usemkey('1', '5/30/2019', False) #141 =37
+ self._writeLine("-> bogus kvno and setting mkey to 2 days from now, should fail and return error") #147
+ self._usemkey('2', 'now+2days', False) #148 =38
+ self._writeLine("-> bogus kvno, should fail and return error") #I add
+ self._usemkey('2', 'now-2days', False) #I add =39
+ self._writeLine( "^^^ABOVE^^ SHOULD HAVE *ALL* FAILED\n-----------------")
+
+ self._writeLine( "Listing mkeys at end of test") #I add
+ self._listmkeys() #155 =40
+ self._writeLine("Testing bogus use_mkey (setting only mkey to future date) Done ===========================") #156
+
+
+ self._writeLine("\nmake sure cpw [change password] works") #158
+ # this changes the password of 'test' from 'foobar' in "add, get, and list princs" above
+ self._locCpw('test1', 'test') #159 =41
+
+ self._writeHeader("TEST: bogus purge_mkeys (should be no keys purged, no error returned")
+ #print "\nTesting bogus purge_mkeys (should be no keys purged, no error returned) ===========================" #161
+ self._purgemkeys() #162 =42
+ self._writeLine("Testing bogus purge_mkeys (no error) Done ===========================") #163
+
+ self._writeHeader( "add kvno 2") #164
+
+ self._addmkey('abcde', '-s') #165-167 =43
+ self._writeLine(".\nlist mkeys")
+ self._listmkeys() #169 =44
+
+ #start daemons
+ #@@@@@@@@@@@@@@@@@@@@@@@@@@@############@@@@@@@@@@@@@@@@@@############
+ self._startkdc() #172 =45 46
+ self._writeLine("make sure kdc is up, by kinit test") #176
+ self._kinit('test1', 'test') #177 =47
+
+ self._writeLine("---------------\n\/\/\/ ERROR EXPECTED below. Test passwd policy.:") #180
+ self._kinit(passw, 'all', succeed=False) #181 =48
+ self._writeLine("^^ABOVE^^ SHOULD HAVE FAILED\n-----------------")
+
+ #change passwd on client's side
+
+ #!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ self._kpasswd(passw, 'Test123.', 'all')#184-188 =49 !!!!!!!!!!!!!!!!
+ #!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+ self._kinit('Test123.', 'all') #189 =50
+ self._klist() #190 =51
+
+ self._writeHeader("TEST: password history for principal 'all', new passwords must not be a previous password") #191
+ self._kpasswd('Test123.', 'Foobar2!', 'all') #192-195 =52
+ #!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ '''
+ self._writeLine("--------------\n\/\/\/ ERROR EXPECTED below") #197
+ self._kpasswd('Foobar2!', passw, 'all', succeed=False) #199-202 =53
+ self._writeLine("^^^ABOVE^^ SHOULD HAVE FAILED\n----------")
+ '''
+ #!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+ # this shouldn't change the mkvno for any princs (should be 1) #206
+ #self._updatePrincEnc() #207
+ # princs should still be protected by mkvno 1 #208
+ self._writeLine("@@@@@@@@ Wait for other people to fix bug in code 6507 update_princ_encryption to use mkey instead of latest mkey @@@@@@@@@@@@@\n")
+ self._locGetprincFind('test', 'MKey: vno 1') #209 =54
+
+ self._purgemkeys() #210 =55
+ self._listmkeys() #211 =56
+ self._usemkey('2', 'now-1day') #213 =57
+ self._listmkeys() #214 =58
+ #!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ '''
+ self._writeLine("-----------\n\/\/\/ ERROR EXPECTED below") #216
+ self._kpasswd('Foobar2!', passw, 'all', succeed=False) #217-221 =59
+ self._writeLine("^^^ABOVE^^ SHOULD HAVE FAILED\n--------")
+ '''
+ #!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+ self._kpasswd('Foobar2!', 'Barfoo3.', 'all') #224-228 =60
+ self._kinit('Barfoo3.', 'all') #229
+ self._klist() #230 =62
+ #!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ '''
+ self._writeLine("-------------\n\/\/\/ ERROR EXPECTED below") #231
+ self._kpasswd('Barfoo3.', 'Foobar2!', 'all',succeed=False) #233-235 =63
+ self._writeLine("^^^ABOVE^^ SHOULD HAVE FAILED\n---------")
+ '''
+ #!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+ self._writeLine("\nTest's key should be protected by mkvno 2" ) #239
+ self._locCpw('foo', 'test') #240 =64
+ self._locGetprincFind('test', 'MKey: vno 2') #241 =65
+ self._kdestroy() #242 =66
+
+ self._writeHeader("TEST: krb5kdc refetch of mkey")#243
+ self._kinit('foo', 'test') #244 =67
+ self._klist() #245 =68
+ self._writeLine("END. Testing krb5kdc refetch of mkey list Done ==============================================\n") #246
+
+ self._updatePrincEnc() #247 =69
+ self._get_princ_records() #248 =70 -83
+ self._kdestroy() #249 =84
+ self._kinit('foo', 'test') #250 =85
+ self._purgemkeys() #252 =86
+
+ #self._stash() #254 =87 #!!! Not necessary in ldap, done by 'create -s'
+ self._shell(self.clients+'klist/klist' +" -ekt "+self.sandir+"/krb5kdc/.k5.EXAMPLE.ORG") #255=88
+
+ self._locGetprinc('K/M') #256 =89
+ self._purgemkeys() #257 =90
+ self._locGetprinc('K/M') #258
+ self._listmkeys() #259 =92
+ self._kdestroy() #260
+ self._kinit('foo', 'test') #261
+ self._klist() #262 =95
+
+ self._writeLine("\n Adding in Master Key Number 3")
+ self._listmkeys() #265 =96
+ self._addmkey('abcde') #266-268
+ self._listmkeys() #270 =98
+ self._locCpw('foo', 'all') #271
+ self._locGetprinc('all') #272 =100
+ self._usemkey('3', 'now') #273
+ self._listmkeys() #274 =102
+ self._locCpw('99acefghI0!', 'all') #275
+ self._locGetprinc('all') #276 =104
+ self._kdestroy() #277
+ self._kinit('foo', 'test') #279 =106
+ self._klist() #280
+ self._shell(self.kadmin+" -p haoqili/admin -w "+passw+" -q 'listprincs'") #281 =108
+ self._shell(self.kadmin+" -p haoqili/admin -w "+passw+" -q 'getprinc test'") #282 =109
+
+ self._writeHeader("TEST: add_mkey with aes128 enctype") #283
+ self._addmkey('abcde', '-e aes128-cts-hmac-sha1-96') #284-287 =110
+ #!!!!!!!!!!!!!!!!Start to have problems !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ self._listmkeys() #288 =111
+ '''$ kdb5_util list_mkeys
+kdb5_util: Unable to decrypt latest master key with the provided master key
+ while getting master key list
+kdb5_util: Warning: proceeding without master key list
+kdb5_util: master keylist not initialized'''#!!!!!!!!!!!!!!!!!!!!!!!
+ #!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+ self._writeLine( "END. Testing add_mkey with aes128 enctype done ==============================================")#289
+ self._writeHeader("TEST: krb5kdc refetch of mkey list")
+ #!!!!!!!!!!!!!!\/ errors \/ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ self._usemkey('4', 'now') #290 =112
+ self._listmkeys() #291 =113
+ #!!!!!!!!!!!!!!/\ errors /\ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ self._shell(self.kadmin+" -p haoqili/admin -w "+passw+" -q 'cpw -pw abcde test'") #292 =114
+ self._shell(self.kadmin +" -p haoqili/admin -w "+passw+" -q 'getprinc test'") #293
+
+ self._kdestroy() #294 =116
+
+ self._writeLine("\nTesting krb5kdc refetch of mkey list =================================================") #295
+ self._kinit('abcde', 'test') #296 =117
+ self._klist() #297 =118
+ self._writeLine("Testing krb5kdc refetch of mkey list Done :) =================================================\n") #298
+
+ self._killkdc() #300 =119, 120
+ self._startkdc() #301 =121 122
+
+ # The lines below are commented out because krb5kdc could not be restarted. For their error messages, see the outfile
+ '''
+ kdc.log:
+ Aug 31 12:21:23 reach-my-dream krb5kdc[24273](info): AS_REQ (2 etypes {16 17}) 127.0.1.1: ISSUE: authtime 1251746483, etypes {rep=16 tkt=18 ses=16}, test@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
+krb5kdc: Unable to decrypt latest master key with the provided master key
+ - while fetching master keys list for realm EXAMPLE.ORG
+ '''
+ '''
+ self._shell("kadmin -p haoqili/admin -w "+passw+" -q 'cpw -pw foo test'") #304 =123
+ self._shell("kadmin -p haoqili/admin -w "+passw+" -q 'getprinc test'") #305 =124
+ self._kdestroy() #307 =125
+
+ self._writeLine("\nTesting krb5kdc refetch of mkey list =================================================") #308
+ self._kinit('foo', 'test') #309 =126
+ self._klist() #310 =127
+ self._writeLine("Testing krb5kdc refetch of mkey list Done =================================================\n") #311
+
+ self._updatePrincEnc() #313 =128
+ self._locGetprinc('K/M') #314
+ self._locGetprinc('all') #315 =130
+ self._locGetprinc('haoqili') #316
+ self._kdestroy() #317 =132
+ self._kinit('foo', 'test') #318
+ self._stash() #319 =134
+ self._shell(self.clients+'klist/klist' +" -ekt "+self.sandir+"/krb5kdc/.k5.EXAMPLE.ORG") #320
+ self._locGetprinc('K/M') #321 =136
+ self._purgemkeys() #322
+ self._locGetprinc('K/M') #323 =138
+ self._locGetprinc('all') #324
+ self._shell("kadmin -p haoqili/admin -w "+passw+" -q 'getprinc test'") #325 =140
+ self._listmkeys() #326
+ self._kdestroy() #327 =142
+ self._kinit('foo', 'test') #328
+ self._klist() #329 =144
+
+ self._get_princ_records() #330 =145-158
+
+ self._writeHeader("TEST: add_meky with DES-crc enctype")
+ #print "\nTesting add_mkey with DES-crc enctype ==============================================" #331
+ self._addmkey('abcde', '-e des-cbc-crc') #332-335 =159
+ self._listmkeys() #336 =160
+ self._writeLine( "END. Testing add_mkey with DES-crc enctype Done ==============================================") #337
+ self._addmkey('abcde') #338-341 =161
+ self._listmkeys() #342 =162
+ self._writeLine( "current time: "+strftime("%Y-%m-%d %H:%M:%S") ) #343
+
+ self._usemkey('5', 'now-1day') #344 =163
+ self._writeLine("current time: "+strftime("%Y-%m-%d %H:%M:%S") )#345
+ self._listmkeys() #346 =164
+ self._usemkey('5', 'now') #347 =165
+ self._writeLine("current time: "+strftime("%Y-%m-%d %H:%M:%S") )#348
+ self._listmkeys() #349 =166
+ self._usemkey('5', 'now+3days') #350 =167
+ self._writeLine("current time: "+strftime("%Y-%m-%d %H:%M:%S") )#351
+ self._listmkeys() #352 =168
+ self._writeLine("current time: "+strftime("%Y-%m-%d %H:%M:%S") )#353
+ self._usemkey('5', 'now+5sec') #354 =169
+ self._listmkeys() #355 =170
+ time.sleep(5) #356
+ self._listmkeys() #357 =171
+ self._writeLine("current time: "+strftime("%Y-%m-%d %H:%M:%S") )#358
+ self._usemkey('4', 'now+5sec') #359 =172
+ self._listmkeys() #360 =173
+ time.sleep(5) #361
+ self._listmkeys() #362 =174
+ self._usemkey('5', 'now+3days') #363 =175
+
+ self._writeLine("------------\n\/\/\/ ERROR EXPECTED below" )#364
+ self._writeLine("should fail, because there must be one mkey currently active") #365
+ self._usemkey('4', 'now+2days', False) #366 =176
+ self._writeLine("^^^ABOVE^^ SHOULD HAVE FAILED\n---------------")
+
+ self._listmkeys() #373 =177
+ self._usemkey('4', '1/30/2009') #375 =178
+
+ self._writeHeader("TEST: purge_mkeys (removing mkey 5)")
+ #print "\nTesting purge_mkeys (removing mkey 5) ==============================================" #378
+ self._purgemkeys() #379 =179
+ #self._stash() #380 =180
+ self._shell(self.clients+'klist/klist' +" -ekt "+self.sandir+"/krb5kdc/.k5.EXAMPLE.ORG") #381=181
+ self._listmkeys() #382 =182
+ self._shell("kadmin -p haoqili/admin -w "+passw+" -q 'getprinc K/M'") #383 =183
+ self._writeLine("Testing purge_mkeys Done ==============================================") #384
+ self._writeHeader("MASTER KEY MIGRATION TEST DONE. please consult 'outfile' in your sandbox for more info. The sandbox is at: %s" % self.sandir)
+ # I added
+ self._sysexit(finished=True)
+ '''
+####################################################
+####################################################
+
+class Launcher:
+ #def __init__(self, path, sandP):
+ #def __init__(self):
+ def __init__(self, sandP):
+ self._buildDir = os.environ["PWD"]
+ self._confDir = '%s/tests/mk_migr/ldap_backend/input_conf' % self._buildDir
+
+ #setting up sandbox
+ if sandP != "":
+ self._sandP = sandP
+ else: #default
+ self._sandP = '%s/tests/mk_migr/ldap_backend/sandbox' %self._buildDir
+
+ print self._sandP
+ print "sandP"
+ self._vars = {'sandir': self._sandP,
+ 'localFQDN': socket.getfqdn()}
+
+ def _prepSandbox(self, sandir):
+ if os.path.exists(sandir):
+ shutil.rmtree(sandir)
+ print "------about to make sandbox, with the path of:"
+ print sandir
+ os.makedirs(sandir, 0777)
+ os.mkdir(sandir+'/krb5kdc', 0777)
+ print "------sandbox made"
+
+ def _createFileFromTemplate(self, outpath, template, vars):
+ fin = open(template, 'r')
+ result = fin.read() % vars
+ fin.close()
+ fout = open(outpath, 'w')
+ fout.write(result)
+ fout.close()
+
+ ####### Launcher RUN ################
+ def runLauncher(self):
+ # create sandbox file directory (and sandbox/krb5kdc) if it does not exit
+ self._prepSandbox(self._sandP)
+
+ # Export the 3 env lines
+ src_path=os.environ["PWD"]
+ os.environ["LD_LIBRARY_PATH"] = '%s/lib' % src_path
+
+ str1 = '%s/krb5.conf' % self._sandP
+ os.environ["KRB5_CONFIG"] = str1
+
+ str2 = '%s/kdc.conf' % self._sandP
+ os.environ["KRB5_KDC_PROFILE"] = str2
+
+ str3 = '%s/kadm5.acl' % self._sandP
+
+ # Create adequate to the environment config files
+ self._createFileFromTemplate(str1, '%s/%s' % (self._confDir, 'krb5_template_ldap.conf'), self._vars)
+ self._createFileFromTemplate(str2, '%s/%s' % (self._confDir, 'kdc_template_ldap.conf'), self._vars)
+ self._createFileFromTemplate(str3, '%s/%s' % (self._confDir, 'kadm5_template_ldap.acl'), self._vars)
+
+ return (self._confDir, self._sandP)
+
+####################################################
+####################################################
+
+def makeBool(aStr):
+ if aStr == "True" or aStr == "T":
+ return True
+ if aStr == "False" or aStr == "F":
+ return False
+ else:
+ print "did NOT execute due to invalid True False argument. Please enter either 'True', 'T', 'False', or 'F'"
+ sys.exit()
+
+# # # # # # # # # # # # # # # # # # # # # # # # #
+
+def processInputs(parser):
+#def processInputs():
+
+ # get inputs
+ (options, args) = parser.parse_args()
+
+ verbose = makeBool(options.opVerbose)
+ pw = options.opPassword
+
+ kdcPath = options.opKdcPath #1
+ kdmdPath = options.opKdmdPath #2
+ kdbPath = options.opKdbPath #3a
+ ldapPath = options.opLdapPath #3b
+ kdmlPath = options.opKdmlPath #4
+ kdmPath = options.opKdmPath #5
+ cltPath = options.opCltPath #6
+
+ sandPath = options.opSandbox
+
+ ########### Launch ###############
+
+ print "\n############ Start Launcher #############"
+ myLaunch = Launcher(sandPath)
+ (confDir, sandPath) = myLaunch.runLauncher()
+
+ print ":D"
+ print sandPath
+
+ test = LDAPbackendSetup(verbose, pw, kdcPath, kdmdPath, kdbPath, ldapPath, kdmlPath, kdmPath, cltPath, sandPath, confDir)
+ print "########## Finished Launcher ############\n"
+
+ return test
+# # # # # # # # # # # # # # # # # # # # # # # # #
+
+def makeParser():
+ usage = "\n\t%prog [-v][-p][-c][-d][-b][-l][-t][-s]"
+ description = "Description:\n\tTests for the master key migration commands."
+ parser = OptionParser(usage=usage, description=description)
+
+ parser.add_option("-v", "--verbose", type="string", dest="opVerbose",
+default="True", help="'True' or 'False'. Switch on for details of command lines and outputs. Default is 'True'")
+
+ parser.add_option("-p", "--password", type="string", dest="opPassword", default="test123", help="master password for many of the passwords in the test. Default is 'test123'")
+
+ ## Default Paths
+ dSrcPath = src_path=os.environ["PWD"]
+ dKdcPath = '%s/kdc/krb5kdc' % dSrcPath #1
+ dKdmdPath = '%s/kadmin/server/kadmind' % dSrcPath #2
+ dKdbPath = '%s/kadmin/dbutil/kdb5_util' % dSrcPath #3a
+ dLdapPath = '%s/plugins/kdb/ldap/ldap_util/kdb5_ldap_util' % dSrcPath #3b
+ dKdmlPath = '%s/kadmin/cli/kadmin.local' % dSrcPath #4
+ dKdmPath = '%s/kadmin/cli/kadmin' % dSrcPath #5
+ dCltPath = '%s/clients' % dSrcPath #6
+
+ parser.add_option("-c", "--krb5kdcpath",
+type="string", dest="opKdcPath",
+default=dKdcPath, help="set krb5kdc path, default="+dKdcPath) #1
+
+ parser.add_option("-d", "--kadmindpath",
+type="string", dest="opKdmdPath",
+default=dKdmdPath, help="set kadmind path, default="+dKdmdPath) #2
+
+ parser.add_option("-b", "--kdb5_utilpath",
+type="string", dest="opKdbPath",
+default=dKdbPath, help="set kdb5_util path, default="+dKdbPath) #3a
+
+ parser.add_option("-a", "--kdb5_ldap_utilpath",
+type="string", dest="opLdapPath",
+default=dKdbPath, help="set kdb5_ldap_util path, default="+dLdapPath) #3b
+
+ parser.add_option("-l", "--kadminlocalpath",
+type="string", dest="opKdmlPath",
+default=dKdmlPath, help="set kadmin.local path, default="+dKdmlPath) #4
+
+ parser.add_option("-n", "--kadminpath",
+type="string", dest="opKdmPath",
+default=dKdmPath, help="set kadmin path, default="+dKdmPath) #5
+
+ parser.add_option("-t", "--clientspath",
+type="string", dest="opCltPath",
+default=dCltPath, help="set clients path, default="+dCltPath) #6
+
+ # set up / initializing stuff for the sandbox
+ parser.add_option("-s", "--sandbox",
+type="string", dest="opSandbox",
+default="",
+help="path for the sandbox. Default is 'src/tests/mk_migr/ldap_backend/sandbox'")
+
+ return parser
+
+####################################################
+if __name__ == '__main__':
+ #processInputs()
+
+ parser = makeParser()
+ test = processInputs(parser)
+ result = test.run()
diff --git a/src/util/collected-client-lib/Makefile.in b/src/util/collected-client-lib/Makefile.in
index bd8b5d3..68ede98 100644
--- a/src/util/collected-client-lib/Makefile.in
+++ b/src/util/collected-client-lib/Makefile.in
@@ -43,7 +43,7 @@ STOBJLISTS= \
../../lib/crypto/krb/crc32/OBJS.ST \
../../lib/crypto/builtin/des/OBJS.ST \
../../lib/crypto/krb/dk/OBJS.ST \
- ../../lib/crypto/krb/enc_provider/OBJS.ST \
+ ../../lib/crypto/builtin/enc_provider/OBJS.ST \
../../lib/crypto/krb/hash_provider/OBJS.ST \
../../lib/crypto/krb/keyhash_provider/OBJS.ST \
../../lib/crypto/builtin/md4/OBJS.ST \
diff --git a/src/util/depfix.pl b/src/util/depfix.pl
index 96689e8..0ab02d7 100644
--- a/src/util/depfix.pl
+++ b/src/util/depfix.pl
@@ -155,10 +155,12 @@ sub do_subs_2 {
# Use VPATH.
s;\$\(srcdir\)/([^ /]* );$1;g;
+ $_ = &uniquify($_);
+
# Allow override of some util dependencies in case local tools are used.
s;\$\(BUILDTOP\)/include/com_err.h ;\$(COM_ERR_DEPS) ;g;
s;\$\(BUILDTOP\)/include/ss/ss.h \$\(BUILDTOP\)/include/ss/ss_err.h ;\$(SS_DEPS) ;g;
- s;\$\(BUILDTOP\)/include/db.h \$\(BUILDTOP\)/include/db-config.h ;\$(DB_DEPS) ;g;
+ s;\$\(BUILDTOP\)/include/db-config.h \$\(BUILDTOP\)/include/db.h ;\$(DB_DEPS) ;g;
$_ = &uniquify($_);
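Review bot: `$_ = &uniquify($_);` now runs twice in do_subs_2 — the call added at the top of the hunk and the pre-existing one on its last line — and nothing records why uniquification has to happen both before and after the COM_ERR/SS/DB override substitutions. The swapped header order in the new DB_DEPS pattern (`db-config.h` before `db.h`) suggests uniquify also sorts the list so that the two-header pattern matches as a single ordered pair, but that is inferred, not visible here. If that is the reason, a one-line comment above the first call, e.g. `# Collapse and order the list first so the multi-header overrides below match once.`, would stop a later cleanup from removing either call as redundant; if not, the second call can be dropped. do_subs_2 continues outside the hunk.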
diff --git a/src/util/support/fake-addrinfo.c b/src/util/support/fake-addrinfo.c
index 4b628bb..34ce770 100644
--- a/src/util/support/fake-addrinfo.c
+++ b/src/util/support/fake-addrinfo.c
@@ -140,7 +140,15 @@ extern /*@dependent@*/ char *gai_strerror (int code) /*@*/;
#endif
#if defined (__linux__) && defined(HAVE_GETADDRINFO)
-# define COPY_FIRST_CANONNAME
+/* Define COPY_FIRST_CANONNAME for glibc 2.3 and prior. */
+#include <features.h>
+# ifdef __GLIBC_PREREQ
+# if ! __GLIBC_PREREQ(2, 4)
+# define COPY_FIRST_CANONNAME
+# endif
+# else
+# define COPY_FIRST_CANONNAME
+# endif
#endif
#ifdef _AIX
@@ -1157,7 +1165,7 @@ getaddrinfo (const char *name, const char *serv, const struct addrinfo *hint,
return aierr;
}
- /* Linux libc version 6 (libc-2.2.4.so on Debian) is broken.
+ /* Linux libc version 6 prior to 2.3.4 is broken.
RFC 2553 says that when AI_CANONNAME is set, the ai_canonname
flag of the first returned structure has the canonical name of
@@ -1188,9 +1196,12 @@ getaddrinfo (const char *name, const char *serv, const struct addrinfo *hint,
Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=133668 .
Since it's dependent on the target hostname, it's hard to check
- for at configure time. Always do it on Linux for now. When
- they get around to fixing it, add a compile-time or run-time
- check for the glibc version in use.
+ for at configure time. The bug was fixed in glibc 2.3.4.
+ After the fix, the ai_canonname field is allocated, so our
+ workaround leaks memory. We disable the workaround for glibc
+ >= 2.4, but there is no easy way to test for glibc patch
+ versions, so we still leak memory under glibc 2.3.4 through
+ 2.3.6.
Some Windows documentation says that even when AI_CANONNAME is
set, the returned ai_canonname field can be null. The NetBSD