author | Ken Raeburn <raeburn@mit.edu> | 2000-06-27 21:00:02 +0000 |
---|---|---|
committer | Ken Raeburn <raeburn@mit.edu> | 2000-06-27 21:00:02 +0000 |
commit | 9fe2a01ec0fefa8b764bb6e9d7f9a09d11fed7ff (patch) | |
tree | 2d4fd8b1bf6272f1286ffb7af9ae1d351a347e71 /src/lib/krb5 | |
parent | 0d54ee19a3e5a159f0b86097ebfe193a0d9c26d8 (diff) | |
pullup from 1.2 branch
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12442 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb5')
32 files changed, 772 insertions, 267 deletions
diff --git a/src/lib/krb5/ChangeLog b/src/lib/krb5/ChangeLog index 89f7f2e..0610803 100644 --- a/src/lib/krb5/ChangeLog +++ b/src/lib/krb5/ChangeLog @@ -1,3 +1,11 @@ +2000-06-23 Tom Yu <tlyu@mit.edu> + + * Makefile.in (LIBMAJOR, LIBMINOR): Bump version. + +2000-06-23 Ken Raeburn <raeburn@mit.edu> + + * Makefile.in (SHLIB_EXPLIBS): Add @RESOLV_LIB@. + 2000-05-31 Wilfredo Sanchez <tritan@mit.edu> * configure.in: Check for existance of <memory.h>. diff --git a/src/lib/krb5/Makefile.in b/src/lib/krb5/Makefile.in index 0dab1f3..68e354c 100644 --- a/src/lib/krb5/Makefile.in +++ b/src/lib/krb5/Makefile.in @@ -32,8 +32,8 @@ LIBDONE= error_tables/DONE asn.1/DONE ccache/DONE ccache/stdio/DONE \ STLIBOBJS=krb5_libinit.o LIB=krb5 -LIBMAJOR=2 -LIBMINOR=2 +LIBMAJOR=3 +LIBMINOR=0 STOBJLISTS= \ OBJS.ST \ @@ -58,7 +58,7 @@ RELDIR=krb5 SHLIB_EXPDEPS = \ $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ $(TOPLIBD)/libcom_err$(SHLIBEXT) -SHLIB_EXPLIBS=-lk5crypto -lcom_err @GEN_LIB@ +SHLIB_EXPLIBS=-lk5crypto -lcom_err @GEN_LIB@ @RESOLV_LIB@ SHLIB_DIRS=-L$(TOPLIBD) SHLIB_RDIRS=$(KRB5_LIBDIR) diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog index 14fa9c3..80f24eb 100644 --- a/src/lib/krb5/krb/ChangeLog +++ b/src/lib/krb5/krb/ChangeLog 
@@ -1,3 +1,102 @@ +2000-06-23 Miro Jurisic <meeroh@mit.edu> + + * conv_princ.c (krb5_425_conv_principal): Fixed v4->v5 realm + name conversion + + * conv_princ.c (krb5_425_conv_principal): Honor v4/v5 realm name + differences when convertion from v4 principals to v5. + +2000-06-23 Tom Yu <tlyu@mit.edu> + + * get_creds.c (krb5_get_credentials): Translate KRB5_CC_NOTFOUND + returned from krb5_get_cred_from_kdc() if a prior call to + krb5_cc_retrieve_cred() returned KRB5_CC_NOT_KTYPE. + + * rd_priv.c (krb5_rd_priv_basic): Delete code that was incorrectly + doing explicit ivec chaining; c_decrypt() does it now. + + * mk_priv.c (krb5_mk_priv_basic): Delete code that was incorrectly + doing explicit ivec chaining; c_encrypt() does it now. + + * conv_princ.c (krb5_524_conv_principal): Make a copy of the krb5 + realm that is nul-terminated to avoid falling off the end of the + krb5 realm, which is not necessarily nul-terminated. + +2000-06-23 Danilo Almeida <dalmeida@mit.edu> + + * init_ctx.c (krb5_get_tgs_ktypes, krb5_free_ktypes): Fix linkage to + be KRB5_CALLCONV. + +2000-06-23 Ken Raeburn <raeburn@mit.edu> + + * get_in_tkt.c (krb5_get_in_tkt): If enctypes are specified, send + the server the intersection of that list and the supported types, + in the order requested. + + * recvauth.c (krb5_recvauth_version): New routine, takes a + krb5_data in which to store the client's application version + string. + (recvauth_common): Renamed from krb5_recvauth, added above + functionality depending on extra argument values. + (krb5_recvauth): New stub, calls above routine with extra dummy + values. + + * kfree.c: Remove unneeded "return" statements at the end of many + functions. + (krb5_free_*_content, krb5_free_*_contents, + krb5_free_cred_enc_part, krb5_free_pwd_sequences): Set freed + pointer members to null when containing structure isn't being + freed. + + * t_kerb.c (test_524_conv_principal): New test code, to exercise + bbense's code addition. + (main, usage): Updated. 
+ * t_krb5.conf: Added stanford.edu->IR.STANFORD.EDU mapping, and a + test case for improperly long v4 realm names. + * Makefile.in (check-unix): Run 524 conversion test for some test + Athena and Stanford names. + * t_ref_kerb.out: Updated. + + * init_ctx.c (init_common): Feed current-microsecond time and + process-id into PRNG, instead of just current-second time. + * mk_req_ext.c (krb5_mk_req_extended): Feed current time into + PRNG if a subkey will be generated. + * sendauth.c (krb5_sendauth): Feed local and remote addresses of + socket, if they can be determined, into the PRNG if a subkey will + be used. + + * init_ctx.c (krb5_free_ktypes): New routine, to free values + returned by krb5_get_tgs_ktypes, krb5_get_permitted_enctypes, and + krb5_get_default_in_tkt_ktypes. + (krb5_set_default_tgs_ktypes, krb5_is_permitted_enctype): Use it. + (get_profile_etype_list): Use passed-in enctype list if the + passed-in count is non-zero, instead of checking the + in_tkt_ktype_count value in the context. + +2000-06-23 Ken Raeburn <raeburn@mit.edu> + Nalin Dahyabhai <nalin@redhat.com> + + * conv_princ.c (krb5_524_conv_principal): Return an error if name + is too long. Use memcpy for character data since we already know + the length. + +2000-06-23 Nalin Dahyabhai <nalin@redhat.com> + + * kfree.c (krb5_free_keyblock_contents): Set contents pointer to + null after freeing. + + * chk_trans.c (krb5_check_transited_list): Don't overflow buffers + "prev" and "next". + * conv_princ.c (krb5_425_conv_principal): Don't overflow buffer + "buf". + +2000-06-23 Ken Raeburn <raeburn@mit.edu> + Booker C. Bense <bbense@networking.stanford.edu> + + * conv_princ.c (krb5_524_conv_principal): Look up v4_realm in + config file, in case site's krb4 realm name isn't the same as the + krb5 realm name. + 2000-05-31 Wilfredo Sanchez <tritan@mit.edu> * fwd_tgt.c: Check for existance of <memory.h>. 
@@ -22,8 +121,9 @@ 2000-04-28 Alexandra Ellwood <lxs@mit.edu> - * gic_pwd.c (krb5_init_creds_password) added code to return to login library if - the password is expired (login library handles this error appropriately). + * gic_pwd.c (krb5_init_creds_password) added code to return to + login library if the password is expired (login library handles + this error appropriately). 2000-04-08 Tom Yu <tlyu@mit.edu> @@ -32,11 +132,12 @@ 2000-04-07 Jeffrey Altman <jaltman@columbia.edu> - * gic_pwd.c (krb5_get_init_creds_keytab), gic_pwd.c (krb5_get_init_creds_password) - when determining whether or not to retry with a "master kdc" do not retry if - the return value from the first attempt was KRB5_REALM_CANT_RESOLV. Also, do - not overwrite the return code if the return value from the access to the "master - kdc" was KRB5_REALM_CANT_RESOLV. + * gic_pwd.c (krb5_get_init_creds_keytab), gic_pwd.c + (krb5_get_init_creds_password) when determining whether or not to + retry with a "master kdc" do not retry if the return value from + the first attempt was KRB5_REALM_CANT_RESOLV. Also, do not + overwrite the return code if the return value from the access to + the "master kdc" was KRB5_REALM_CANT_RESOLV. 2000-03-15 Danilo Almeida <dalmeida@mit.edu> diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in index 8aeb398..19c1da4 100644 --- a/src/lib/krb5/krb/Makefile.in +++ b/src/lib/krb5/krb/Makefile.in @@ -327,6 +327,8 @@ check-unix:: $(TEST_PROGS) 425_conv_principal rcmd uunet UU.NET \ 425_conv_principal zephyr zephyr ATHENA.MIT.EDU \ 425_conv_principal kadmin ATHENA.MIT.EDU ATHENA.MIT.EDU \ + 524_conv_principal host/e40-po.mit.edu@ATHENA.MIT.EDU \ + 524_conv_principal host/foobar.stanford.edu@stanford.edu \ set_realm marc@MIT.EDU CYGNUS.COM \ > test.out cmp test.out $(srcdir)/t_ref_kerb.out diff --git a/src/lib/krb5/krb/chk_trans.c b/src/lib/krb5/krb/chk_trans.c index c2ac716..eee55c8 100644 --- a/src/lib/krb5/krb/chk_trans.c +++ b/src/lib/krb5/krb/chk_trans.c 
@@ -56,13 +56,13 @@ krb5_data *realm2; return(retval); } - memset(prev, 0, MAX_REALM_LN + 1); - memset(next, 0, MAX_REALM_LN + 1), nextp = next; + memset(prev, 0, sizeof(prev)); + memset(next, 0, sizeof(next)), nextp = next; for (i = 0; i < trans_length; i++) { if (i < trans_length-1 && trans->data[i] == '\\') { i++; *nextp++ = trans->data[i]; - if (nextp - next > MAX_REALM_LN) { + if (nextp - next >= sizeof(next)) { retval = KRB5KRB_AP_ERR_ILL_CR_TKT; goto finish; } @@ -70,16 +70,17 @@ krb5_data *realm2; } if (i < trans_length && trans->data[i] != ',') { *nextp++ = trans->data[i]; - if (nextp - next > MAX_REALM_LN) { + if (nextp - next >= sizeof(next)) { retval = KRB5KRB_AP_ERR_ILL_CR_TKT; goto finish; } continue; } + next[sizeof(next) - 1] = '\0'; if (strlen(next) > 0) { if (next[0] != '/') { if (*(nextp-1) == '.' && strlen(next) + strlen(prev) <= MAX_REALM_LN) - strcat(next, prev); + strncat(next, prev, sizeof(next) - 1 - strlen(next)); retval = KRB5KRB_AP_ERR_ILL_CR_TKT; for (j = 0; tgs_list[j]; j++) { if (strlen(next) == (size_t) krb5_princ_realm(context, tgs_list[j])->length && @@ -93,12 +94,12 @@ krb5_data *realm2; } if (i+1 < trans_length && trans->data[i+1] == ' ') { i++; - memset(next, 0, MAX_REALM_LN + 1), nextp = next; + memset(next, 0, sizeof(next)), nextp = next; continue; } if (i+1 < trans_length && trans->data[i+1] != '/') { - strcpy(prev, next); - memset(next, 0, MAX_REALM_LN + 1), nextp = next; + strncpy(prev, next, sizeof(prev) - 1); + memset(next, 0, sizeof(next)), nextp = next; continue; } } diff --git a/src/lib/krb5/krb/conv_princ.c b/src/lib/krb5/krb/conv_princ.c index b90289a..36e2bbd 100644 --- a/src/lib/krb5/krb/conv_princ.c +++ b/src/lib/krb5/krb/conv_princ.c @@ -137,7 +137,8 @@ krb5_524_conv_principal(context, princ, name, inst, realm) { const struct krb_convert *p; krb5_data *compo; - char *c; + char *c, *tmp_realm, *tmp_prealm; + int tmp_realm_len, retval; *name = *inst = '\0'; switch (krb5_princ_size(context, princ)) { 
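Review bot: The `strncpy(prev, next, sizeof(prev) - 1);` in the last chk_trans.c hunk never writes a terminator itself. `prev` stays NUL-terminated only because of the `memset(prev, 0, sizeof(prev))` at the top and because nothing else visible in these hunks writes its last byte. Make that explicit with `prev[sizeof(prev) - 1] = '\0';` after the copy, as the middle hunk already does for `next`. The two checks `nextp - next >= sizeof(next)` compare a ptrdiff_t with a size_t; this is safe because `nextp` never drops below `next`, but writing `(size_t)(nextp - next)` documents that and avoids a sign-compare warning. The function starts and ends outside these hunks.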
@@ -147,18 +148,22 @@ krb5_524_conv_principal(context, princ, name, inst, realm) p = sconv_list; while (p->v4_str) { if (strncmp(p->v5_str, compo->data, compo->length) == 0) { - /* It is, so set the new name now, and chop off */ - /* instance's domain name if requested */ - strcpy(name, p->v4_str); - if (p->flags & DO_REALM_CONVERSION) { - compo = krb5_princ_component(context, princ, 1); - c = strnchr(compo->data, '.', compo->length); - if (!c || (c - compo->data) > INST_SZ - 1) - return KRB5_INVALID_PRINCIPAL; - strncpy(inst, compo->data, c - compo->data); - inst[c - compo->data] = '\0'; - } - break; + /* + * It is, so set the new name now, and chop off + * instance's domain name if requested. + */ + if (strlen (p->v4_str) > ANAME_SZ - 1) + return KRB5_INVALID_PRINCIPAL; + strcpy(name, p->v4_str); + if (p->flags & DO_REALM_CONVERSION) { + compo = krb5_princ_component(context, princ, 1); + c = strnchr(compo->data, '.', compo->length); + if (!c || (c - compo->data) >= INST_SZ - 1) + return KRB5_INVALID_PRINCIPAL; + memcpy(inst, compo->data, c - compo->data); + inst[c - compo->data] = '\0'; + } + break; } p++; } @@ -168,7 +173,7 @@ krb5_524_conv_principal(context, princ, name, inst, realm) compo = krb5_princ_component(context, princ, 1); if (compo->length >= INST_SZ - 1) return KRB5_INVALID_PRINCIPAL; - strncpy(inst, compo->data, compo->length); + memcpy(inst, compo->data, compo->length); inst[compo->length] = '\0'; } /* fall through */ @@ -178,7 +183,7 @@ krb5_524_conv_principal(context, princ, name, inst, realm) compo = krb5_princ_component(context, princ, 0); if (compo->length >= ANAME_SZ) return KRB5_INVALID_PRINCIPAL; - strncpy(name, compo->data, compo->length); + memcpy(name, compo->data, compo->length); name[compo->length] = '\0'; } break; 
@@ -187,11 +192,39 @@ krb5_524_conv_principal(context, princ, name, inst, realm) } compo = krb5_princ_realm(context, princ); - if (compo->length > REALM_SZ - 1) - return KRB5_INVALID_PRINCIPAL; - strncpy(realm, compo->data, compo->length); - realm[compo->length] = '\0'; + tmp_prealm = malloc(compo->length + 1); + if (tmp_prealm == NULL) + return ENOMEM; + strncpy(tmp_prealm, compo->data, compo->length); + tmp_prealm[compo->length] = '\0'; + + /* Ask for v4_realm corresponding to + krb5 principal realm from krb5.conf realms stanza */ + + if (context->profile == 0) + return KRB5_CONFIG_CANTOPEN; + retval = profile_get_string(context->profile, "realms", + tmp_prealm, "v4_realm", 0, + &tmp_realm); + free(tmp_prealm); + if (retval) { + return retval; + } else { + if (tmp_realm == 0) { + if (compo->length > REALM_SZ - 1) + return KRB5_INVALID_PRINCIPAL; + strncpy(realm, compo->data, compo->length); + realm[compo->length] = '\0'; + } else { + tmp_realm_len = strlen(tmp_realm); + if (tmp_realm_len > REALM_SZ - 1) + return KRB5_INVALID_PRINCIPAL; + strncpy(realm, tmp_realm, tmp_realm_len); + realm[tmp_realm_len] = '\0'; + profile_release_string(tmp_realm); + } + } return 0; } 
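Review bot: Two error returns in the new realm lookup leak memory: `if (context->profile == 0) return KRB5_CONFIG_CANTOPEN;` runs after `tmp_prealm` has been allocated, and `if (tmp_realm_len > REALM_SZ - 1) return KRB5_INVALID_PRINCIPAL;` returns without releasing `tmp_realm`. Move the profile check above the `malloc`, and add `profile_release_string(tmp_realm);` before the second return. An over-long `v4_realm` in krb5.conf is an expected input (the ChangeLog mentions a test case for it), so the second leak is hit on every such conversion. `tmp_realm` is tested against 0 without ever being initialised by this function; a `tmp_realm = 0;` before `profile_get_string` makes the test independent of how the callee treats a missing relation.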
@@ -209,6 +242,37 @@ krb5_425_conv_principal(context, name, instance, realm, princ) char *domain, *cp; char **full_name = 0, **cpp; const char *names[5]; + void* iterator = NULL; + char** v4realms = NULL; + char* realm_name = NULL; + char* dummy_value = NULL; + + /* First, convert the realm, since the v4 realm is not necessarily the same as the v5 realm + To do that, iterate over all the realms in the config file, looking for a matching + v4_realm line */ + names [0] = "realms"; + names [1] = NULL; + retval = profile_iterator_create (context -> profile, names, PROFILE_ITER_LIST_SECTION | PROFILE_ITER_SECTIONS_ONLY, &iterator); + while (retval == 0) { + retval = profile_iterator (&iterator, &realm_name, &dummy_value); + if ((retval == 0) && (realm_name != NULL)) { + names [0] = "realms"; + names [1] = realm_name; + names [2] = "v4_realm"; + names [3] = NULL; + + retval = profile_get_values (context -> profile, names, &v4realms); + if ((retval == 0) && (v4realms != NULL) && (v4realms [0] != NULL) && (strcmp (v4realms [0], realm) == 0)) { + realm = realm_name; + break; + } else if (retval == PROF_NO_RELATION) { + /* If it's not found, just keep going */ + retval = 0; + } + } else if ((retval == 0) && (realm_name == NULL)) { + break; + } + } if (instance) { if (instance[0] == '\0') { @@ -234,7 +298,8 @@ krb5_425_conv_principal(context, name, instance, realm, princ) if (retval == 0 && full_name && full_name[0]) { instance = full_name[0]; } else { - strcpy(buf, instance); + strncpy(buf, instance, sizeof(buf)); + buf[sizeof(buf) - 1] = '\0'; retval = krb5_get_realm_domain(context, realm, &domain); if (retval) return retval; @@ -242,8 +307,8 @@ krb5_425_conv_principal(context, name, instance, realm, princ) for (cp = domain; *cp; cp++) if (isupper(*cp)) *cp = tolower(*cp); - strcat(buf, "."); - strcat(buf, domain); + strncat(buf, ".", sizeof(buf) - 1 - strlen(buf)); + strncat(buf, domain, sizeof(buf) - 1 - strlen(buf)); krb5_xfree(domain); } instance = buf; 
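Review bot: The realm-mapping loop leaks on each pass: every `profile_iterator` call overwrites `realm_name` and `dummy_value`, and every `profile_get_values` call overwrites `v4realms`, but the cleanup this commit adds at the end of the function releases only the last values. Release the previous results before fetching the next ones, e.g. `profile_free_list(v4realms); v4realms = NULL;` on the no-match path and `profile_release_string` for the two strings. Do not release `realm_name` on the match path, because `realm` aliases it until `krb5_build_principal` has run. The early `return retval;` after `krb5_get_realm_domain` in the next hunk also bypasses the new cleanup, so it should free the iterator and strings or jump to a common exit. A non-zero result from `profile_iterator_create` just falls out of the loop; if that is meant as "no mapping available", a comment saying so would help.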
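Review bot: The bounded copies into `buf` stop the overflow but truncate silently: an over-long `instance` or `domain` now produces a shortened host name that is then used as the v5 instance, so the conversion can succeed for a principal other than the one intended. Check the combined length once `domain` is known and fail instead, the way krb5_524_conv_principal returns KRB5_INVALID_PRINCIPAL for over-long components: `if (strlen(instance) + 1 + strlen(domain) >= sizeof(buf))` followed by freeing `domain` and returning that error. This applies to the `strncpy` in the @@ -234 hunk and to both `strncat` calls in the @@ -242 hunk. The function body continues outside both hunks.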
@@ -254,6 +319,10 @@ krb5_425_conv_principal(context, name, instance, realm, princ) not_service: retval = krb5_build_principal(context, princ, strlen(realm), realm, name, instance, 0); + profile_iterator_free (&iterator); profile_free_list(full_name); + profile_free_list(v4realms); + profile_release_string (realm_name); + profile_release_string (dummy_value); return retval; } diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c index 3bcaa0b..6d764d3 100644 --- a/src/lib/krb5/krb/get_creds.c +++ b/src/lib/krb5/krb/get_creds.c @@ -102,6 +102,7 @@ krb5_get_credentials(context, options, ccache, in_creds, out_creds) krb5_creds *ncreds; krb5_creds **tgts; krb5_flags fields; + int not_ktype; retval = krb5_get_credentials_core(context, options, ccache, in_creds, out_creds, @@ -128,6 +129,11 @@ krb5_get_credentials(context, options, ccache, in_creds, out_creds) || options & KRB5_GC_CACHED) return retval; + if (retval == KRB5_CC_NOT_KTYPE) + not_ktype = 1; + else + not_ktype = 0; + retval = krb5_get_cred_from_kdc(context, ccache, ncreds, out_creds, &tgts); if (tgts) { register int i = 0; @@ -141,6 +147,21 @@ krb5_get_credentials(context, options, ccache, in_creds, out_creds) } krb5_free_tgt_creds(context, tgts); } + /* + * Translate KRB5_CC_NOTFOUND if we previously got + * KRB5_CC_NOT_KTYPE from krb5_cc_retrieve_cred(), in order to + * handle the case where there is no TGT in the ccache and the + * input enctype didn't match. This handling is necessary because + * some callers, such as GSSAPI, iterate through enctypes and + * KRB5_CC_NOTFOUND passed through from the + * krb5_get_cred_from_kdc() is semantically incorrect, since the + * actual failure was the non-existence of a ticket of the correct + * enctype rather than the missing TGT. + */ + if ((retval == KRB5_CC_NOTFOUND || retval == KRB5_CC_NOT_KTYPE) + && not_ktype) + retval = KRB5_CC_NOT_KTYPE; + if (!retval) retval = krb5_cc_store_cred(context, ccache, *out_creds); return retval; 
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index 9686f57..298f152 100644 --- a/src/lib/krb5/krb/get_in_tkt.c +++ b/src/lib/krb5/krb/get_in_tkt.c @@ -457,12 +457,35 @@ krb5_get_in_tkt(context, options, addrs, ktypes, ptypes, key_proc, keyseed, request.from = creds->times.starttime; request.till = creds->times.endtime; request.rtime = creds->times.renew_till; - if (ktypes) - request.ktype = ktypes; - else - if ((retval = krb5_get_default_in_tkt_ktypes(context, &request.ktype))) - goto cleanup; + if ((retval = krb5_get_default_in_tkt_ktypes(context, &request.ktype))) + goto cleanup; for (request.nktypes = 0;request.ktype[request.nktypes];request.nktypes++); + if (ktypes) { + int i, req, next = 0; + for (req = 0; ktypes[req]; req++) { + if (ktypes[req] == request.ktype[next]) { + next++; + continue; + } + for (i = next + 1; i < request.nktypes; i++) + if (ktypes[req] == request.ktype[i]) { + /* Found the enctype we want, but not in the + position we want. Move it, but keep the old + one from the desired slot around in case it's + later in our requested-ktypes list. */ + krb5_enctype t; + t = request.ktype[next]; + request.ktype[next] = request.ktype[i]; + request.ktype[i] = t; + next++; + break; + } + /* If we didn't find it, don't do anything special, just + drop it. */ + } + request.ktype[next] = 0; + request.nktypes = next; + } request.authorization_data.ciphertext.length = 0; request.authorization_data.ciphertext.data = 0; request.unenc_authdata = 0; @@ -538,7 +561,7 @@ krb5_get_in_tkt(context, options, addrs, ktypes, ptypes, key_proc, keyseed, goto cleanup; cleanup: - if (!ktypes && request.ktype) + if (request.ktype) free(request.ktype); if (!addrs && request.addresses) krb5_free_addresses(context, request.addresses); diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c index e2eccc4..c10c6f7 100644 --- a/src/lib/krb5/krb/init_ctx.c +++ b/src/lib/krb5/krb/init_ctx.c 
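Review bot: When none of the caller's `ktypes` appears in the default list, the intersection loop ends with `request.ktype[0] = 0` and `request.nktypes = 0`, and the request is still built with an empty enctype list. Add `if (request.nktypes == 0)` after the loop and leave through `cleanup` with an enctype-not-supported error, so the caller gets a local, specific failure rather than whatever the KDC answers. In the cleanup hunk, `free(request.ktype)` now always frees the list from krb5_get_default_in_tkt_ktypes; this commit introduces krb5_free_ktypes for that in init_ctx.c, so `krb5_free_ktypes(context, request.ktype);` would be consistent. The now unconditional free also relies on `request.ktype` being zero on any path that reaches `cleanup:` before the assignment, which is not visible in the hunk.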
@@ -1,7 +1,7 @@ /* * lib/krb5/krb/init_ctx.c * - * Copyright 1994 by the Massachusetts Institute of Technology. + * Copyright 1994,1999,2000 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -84,7 +84,10 @@ init_common (context, secure) { krb5_context ctx = 0; krb5_error_code retval; - krb5_timestamp now; + struct { + krb5_int32 now, now_usec; + long pid; + } seed_data; krb5_data seed; int tmp; @@ -129,10 +132,11 @@ init_common (context, secure) goto cleanup; /* initialize the prng (not well, but passable) */ - if ((retval = krb5_timeofday(ctx, &now))) + if ((retval = krb5_crypto_us_timeofday(&seed_data.now, &seed_data.now_usec))) goto cleanup; - seed.length = sizeof(now); - seed.data = (char *) &now; + seed_data.pid = getpid (); + seed.length = sizeof(seed_data); + seed.data = (char *) &seed_data; if ((retval = krb5_c_random_seed(ctx, &seed))) goto cleanup; @@ -281,7 +285,7 @@ get_profile_etype_list(context, ktypes, profstr, ctx_count, ctx_list) { krb5_enctype *old_ktypes; - if (context->in_tkt_ktype_count) { + if (ctx_count) { /* application-set defaults */ if ((old_ktypes = (krb5_enctype *)malloc(sizeof(krb5_enctype) * @@ -396,13 +400,23 @@ krb5_set_default_tgs_ktypes(context, ktypes) } if (context->tgs_ktypes) - free(context->tgs_ktypes); + krb5_free_ktypes(context, context->tgs_ktypes); context->tgs_ktypes = new_ktypes; context->tgs_ktype_count = i; return 0; } +void +KRB5_CALLCONV +krb5_free_ktypes (context, val) + krb5_context context; + krb5_enctype FAR *val; +{ + free (val); +} + krb5_error_code +KRB5_CALLCONV krb5_get_tgs_ktypes(context, princ, ktypes) krb5_context context; krb5_const_principal princ; @@ -441,7 +455,7 @@ krb5_is_permitted_enctype(context, etype) if (*ptr == etype) ret = 1; - krb5_xfree(list); + krb5_free_ktypes (context, list); return(ret); } diff --git a/src/lib/krb5/krb/kfree.c b/src/lib/krb5/krb/kfree.c index 24d8aaf..8e57f83 100644 
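Review bot: The seed passed to `krb5_c_random_seed` in init_common is still made only of guessable values: seconds, microseconds and the process id. Anything generated from the PRNG before stronger input is mixed in inherits that predictability, which the comment `/* initialize the prng (not well, but passable) */` understates. Where the platform provides an entropy device, seed from it and keep time and pid only as a supplement, and extend the comment to say what the seed does and does not guarantee. `seed_data` is hashed as raw bytes, so any padding before `pid` is uninitialised; `memset(&seed_data, 0, sizeof(seed_data));` before filling it keeps the input defined. `getpid ()` needs `<unistd.h>`, whose inclusion is not visible in these hunks.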
--- a/src/lib/krb5/krb/kfree.c +++ b/src/lib/krb5/krb/kfree.c @@ -36,7 +36,6 @@ krb5_free_address(context, val) if (val->contents) krb5_xfree(val->contents); krb5_xfree(val); - return; } KRB5_DLLIMP void KRB5_CALLCONV @@ -52,7 +51,6 @@ krb5_free_addresses(context, val) krb5_xfree(*temp); } krb5_xfree(val); - return; } @@ -64,7 +62,6 @@ krb5_free_ap_rep(context, val) if (val->enc_part.ciphertext.data) krb5_xfree(val->enc_part.ciphertext.data); krb5_xfree(val); - return; } KRB5_DLLIMP void KRB5_CALLCONV @@ -77,7 +74,6 @@ krb5_free_ap_req(context, val) if (val->authenticator.ciphertext.data) krb5_xfree(val->authenticator.ciphertext.data); krb5_xfree(val); - return; } KRB5_DLLIMP void KRB5_CALLCONV @@ -88,7 +84,6 @@ krb5_free_ap_rep_enc_part(context, val) if (val->subkey) krb5_free_keyblock(context, val->subkey); krb5_xfree(val); - return; } KRB5_DLLIMP void KRB5_CALLCONV @@ -96,15 +91,22 @@ krb5_free_authenticator_contents(context, val) krb5_context context; krb5_authenticator FAR *val; { - if (val->checksum) + if (val->checksum) { krb5_free_checksum(context, val->checksum); - if (val->client) + val->checksum = 0; + } + if (val->client) { krb5_free_principal(context, val->client); - if (val->subkey) + val->client = 0; + } + if (val->subkey) { krb5_free_keyblock(context, val->subkey); - if (val->authorization_data) - krb5_free_authdata(context, val->authorization_data); - return; + val->subkey = 0; + } + if (val->authorization_data) { + krb5_free_authdata(context, val->authorization_data); + val->authorization_data = 0; + } } KRB5_DLLIMP void KRB5_CALLCONV @@ -120,7 +122,6 @@ krb5_free_authdata(context, val) krb5_xfree(*temp); } krb5_xfree(val); - return; } KRB5_DLLIMP void KRB5_CALLCONV 
@@ -128,16 +129,8 @@ krb5_free_authenticator(context, val) krb5_context context; krb5_authenticator FAR *val; { - if (val->checksum) - krb5_free_checksum(context, val->checksum); - if (val->client) - krb5_free_principal(context, val->client); - if (val->subkey) - krb5_free_keyblock(context, val->subkey); - if (val->authorization_data) - krb5_free_authdata(context, val->authorization_data); + krb5_free_authenticator_contents(context, val); krb5_xfree(val); - return; } KRB5_DLLIMP void KRB5_CALLCONV @@ -145,10 +138,8 @@ krb5_free_checksum(context, val) krb5_context context; register krb5_checksum *val; { - if (val->contents) - krb5_xfree(val->contents); + krb5_free_checksum_contents(context, val); krb5_xfree(val); - return; } KRB5_DLLIMP void KRB5_CALLCONV @@ -156,9 +147,10 @@ krb5_free_checksum_contents(context, val) krb5_context context; register krb5_checksum *val; { - if (val->contents) + if (val->contents) { krb5_xfree(val->contents); - return; + val->contents = 0; + } } KRB5_DLLIMP void KRB5_CALLCONV @@ -171,7 +163,6 @@ krb5_free_cred(context, val) if (val->enc_part.ciphertext.data) krb5_xfree(val->enc_part.ciphertext.data); krb5_xfree(val); - return; } /* 
@@ -184,23 +175,35 @@ krb5_free_cred_contents(context, val) krb5_context context; krb5_creds FAR *val; { - if (val->client) + if (val->client) { krb5_free_principal(context, val->client); - if (val->server) + val->client = 0; + } + if (val->server) { krb5_free_principal(context, val->server); + val->server = 0; + } if (val->keyblock.contents) { memset((char *)val->keyblock.contents, 0, val->keyblock.length); krb5_xfree(val->keyblock.contents); + val->keyblock.contents = 0; } - if (val->ticket.data) + if (val->ticket.data) { krb5_xfree(val->ticket.data); - if (val->second_ticket.data) + val->ticket.data = 0; + } + if (val->second_ticket.data) { krb5_xfree(val->second_ticket.data); - if (val->addresses) + val->second_ticket.data = 0; + } + if (val->addresses) { krb5_free_addresses(context, val->addresses); - if (val->authdata) + val->addresses = 0; + } + if (val->authdata) { krb5_free_authdata(context, val->authdata); - return; + val->authdata = 0; + } } KRB5_DLLIMP void KRB5_CALLCONV @@ -210,10 +213,14 @@ krb5_free_cred_enc_part(context, val) { register krb5_cred_info **temp; - if (val->r_address) - krb5_free_address(context, val->r_address); - if (val->s_address) - krb5_free_address(context, val->s_address); + if (val->r_address) { + krb5_free_address(context, val->r_address); + val->r_address = 0; + } + if (val->s_address) { + krb5_free_address(context, val->s_address); + val->s_address = 0; + } if (val->ticket_info) { for (temp = val->ticket_info; *temp; temp++) { @@ -228,8 +235,8 @@ krb5_free_cred_enc_part(context, val) krb5_xfree((*temp)); } krb5_xfree(val->ticket_info); + val->ticket_info = 0; } - return; } @@ -240,7 +247,6 @@ krb5_free_creds(context, val) { krb5_free_cred_contents(context, val); krb5_xfree(val); - return; } @@ -252,7 +258,6 @@ krb5_free_data(context, val) if (val->data) krb5_xfree(val->data); krb5_xfree(val); - return; } KRB5_DLLIMP void KRB5_CALLCONV 
@@ -260,9 +265,10 @@ krb5_free_data_contents(context, val) krb5_context context; krb5_data FAR * val; { - if (val->data) + if (val->data) { krb5_xfree(val->data); - return; + val->data = 0; + } } void krb5_free_etype_info(context, info) @@ -294,7 +300,6 @@ krb5_free_enc_kdc_rep_part(context, val) if (val->caddrs) krb5_free_addresses(context, val->caddrs); krb5_xfree(val); - return; } KRB5_DLLIMP void KRB5_CALLCONV @@ -313,7 +318,6 @@ krb5_free_enc_tkt_part(context, val) if (val->authorization_data) krb5_free_authdata(context, val->authorization_data); krb5_xfree(val); - return; } @@ -331,7 +335,6 @@ krb5_free_error(context, val) if (val->e_data.data) krb5_xfree(val->e_data.data); krb5_xfree(val); - return; } KRB5_DLLIMP void KRB5_CALLCONV @@ -350,7 +353,6 @@ krb5_free_kdc_rep(context, val) if (val->enc_part2) krb5_free_enc_kdc_rep_part(context, val->enc_part2); krb5_xfree(val); - return; } @@ -376,7 +378,6 @@ krb5_free_kdc_req(context, val) if (val->second_ticket) krb5_free_tickets(context, val->second_ticket); krb5_xfree(val); - return; } KRB5_DLLIMP void KRB5_CALLCONV @@ -387,8 +388,8 @@ krb5_free_keyblock_contents(context, key) if (key->contents) { memset(key->contents, 0, key->length); krb5_xfree(key->contents); + key->contents = 0; } - return; } KRB5_DLLIMP void KRB5_CALLCONV @@ -398,7 +399,6 @@ krb5_free_keyblock(context, val) { krb5_free_keyblock_contents(context, val); krb5_xfree(val); - return; } @@ -413,7 +413,6 @@ krb5_free_last_req(context, val) for (temp = val; *temp; temp++) krb5_xfree(*temp); krb5_xfree(val); - return; } KRB5_DLLIMP void KRB5_CALLCONV @@ -429,7 +428,6 @@ krb5_free_pa_data(context, val) krb5_xfree(*temp); } krb5_xfree(val); - return; } KRB5_DLLIMP void KRB5_CALLCONV @@ -451,7 +449,6 @@ krb5_free_principal(context, val) if (val->realm.data) krb5_xfree(val->realm.data); krb5_xfree(val); - return; } KRB5_DLLIMP void KRB5_CALLCONV 
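Review bot: krb5_free_data_contents now sets `val->data = 0` but leaves `val->length` unchanged, so the structure describes a non-empty buffer at a null address; krb5_free_keyblock_contents in the @@ -387 hunk does the same with `key->length`. Since the purpose of the change is to make a structure safe to touch after its contents are freed, reset the length as well: `val->length = 0;` and `key->length = 0;` next to the pointer resets. A one-line comment on each `*_contents` function, `/* Frees the members and nulls them; the containing structure itself is not freed. */`, would record the contract the ChangeLog describes.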
@@ -462,7 +459,6 @@ krb5_free_priv(context, val) if (val->enc_part.ciphertext.data) krb5_xfree(val->enc_part.ciphertext.data); krb5_xfree(val); - return; } KRB5_DLLIMP void KRB5_CALLCONV @@ -477,7 +473,6 @@ krb5_free_priv_enc_part(context, val) if (val->s_address) krb5_free_address(context, val->s_address); krb5_xfree(val); - return; } KRB5_DLLIMP void KRB5_CALLCONV @@ -488,7 +483,6 @@ krb5_free_pwd_data(context, val) if (val->element) krb5_free_pwd_sequences(context, val->element); krb5_xfree(val); - return; } @@ -497,11 +491,14 @@ krb5_free_pwd_sequences(context, val) krb5_context context; passwd_phrase_element FAR * FAR *val; { - if ((*val)->passwd) + if ((*val)->passwd) { krb5_xfree((*val)->passwd); - if ((*val)->phrase) + (*val)->passwd = 0; + } + if ((*val)->phrase) { krb5_xfree((*val)->phrase); - return; + (*val)->phrase = 0; + } } @@ -519,7 +516,6 @@ krb5_free_safe(context, val) if (val->checksum) krb5_free_checksum(context, val->checksum); krb5_xfree(val); - return; } @@ -535,7 +531,6 @@ krb5_free_ticket(context, val) if (val->enc_part2) krb5_free_enc_tkt_part(context, val->enc_part2); krb5_xfree(val); - return; } KRB5_DLLIMP void KRB5_CALLCONV @@ -548,7 +543,6 @@ krb5_free_tickets(context, val) for (temp = val; *temp; temp++) krb5_free_ticket(context, *temp); krb5_xfree(val); - return; } @@ -573,7 +567,6 @@ krb5_free_tkt_authent(context, val) if (val->authenticator) krb5_free_authenticator(context, val->authenticator); krb5_xfree(val); - return; } KRB5_DLLIMP void KRB5_CALLCONV @@ -583,7 +576,6 @@ krb5_free_unparsed_name(context, val) { if (val) krb5_xfree(val); - return; } KRB5_DLLIMP void KRB5_CALLCONV 
@@ -612,8 +604,10 @@ krb5_free_sam_challenge_contents(krb5_context ctx, krb5_sam_challenge FAR *sc) krb5_free_data_contents(ctx, &sc->sam_response_prompt); if (sc->sam_pk_for_sad.data) krb5_free_data_contents(ctx, &sc->sam_pk_for_sad); - if (sc->sam_cksum.contents) + if (sc->sam_cksum.contents) { krb5_xfree(sc->sam_cksum.contents); + sc->sam_cksum.contents = 0; + } } KRB5_DLLIMP void KRB5_CALLCONV @@ -656,8 +650,10 @@ krb5_free_predicted_sam_response_contents(krb5_context ctx, return; if (psr->sam_key.contents) krb5_free_keyblock_contents(ctx, &psr->sam_key); - if (psr->client) + if (psr->client) { krb5_free_principal(ctx, psr->client); + psr->client = 0; + } if (psr->msd.data) krb5_free_data_contents(ctx, &psr->msd); } @@ -689,4 +685,3 @@ krb5_free_pa_enc_ts(krb5_context ctx, krb5_pa_enc_ts FAR *pa_enc_ts) return; krb5_xfree(pa_enc_ts); } - diff --git a/src/lib/krb5/krb/mk_priv.c b/src/lib/krb5/krb/mk_priv.c index 7685817..d72f6b2 100644 --- a/src/lib/krb5/krb/mk_priv.c +++ b/src/lib/krb5/krb/mk_priv.c @@ -93,14 +93,6 @@ krb5_mk_priv_basic(context, userdata, keyblock, replaydata, local_addr, scratch1, &privmsg.enc_part))) goto clean_encpart; - /* put last block into the i_vector */ - - if (i_vector) - memcpy(i_vector, - privmsg.enc_part.ciphertext.data + - (privmsg.enc_part.ciphertext.length - blocksize), - blocksize); - if ((retval = encode_krb5_priv(&privmsg, &scratch2))) goto clean_encpart; diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c index a8b20eb..88daab5 100644 --- a/src/lib/krb5/krb/mk_req_ext.c +++ b/src/lib/krb5/krb/mk_req_ext.c 
@@ -126,10 +126,24 @@ krb5_mk_req_extended(context, auth_context, ap_req_options, in_data, in_creds, /* generate subkey if needed */ - if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->local_subkey)) + if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->local_subkey)) { + /* Provide some more fodder for random number code. + This isn't strong cryptographically; the point here is not + to guarantee randomness, but to make it less likely that multiple + sessions could pick the same subkey. */ + struct { + krb5_int32 sec, usec; + } rnd_data; + krb5_data d; + krb5_crypto_us_timeofday (&rnd_data.sec, &rnd_data.usec); + d.length = sizeof (rnd_data); + d.data = (char *) &rnd_data; + (void) krb5_c_random_seed (context, &d); + if ((retval = krb5_generate_subkey(context, &(in_creds)->keyblock, &(*auth_context)->local_subkey))) goto cleanup; + } if (in_data) { if ((*auth_context)->req_cksumtype == 0x8003) { diff --git a/src/lib/krb5/krb/rd_priv.c b/src/lib/krb5/krb/rd_priv.c index 9629b0c..ab6a531 100644 --- a/src/lib/krb5/krb/rd_priv.c +++ b/src/lib/krb5/krb/rd_priv.c @@ -101,13 +101,6 @@ krb5_rd_priv_basic(context, inbuf, keyblock, local_addr, remote_addr, &privmsg->enc_part, &scratch))) goto cleanup_scratch; - /* if i_vector is set, put last block into the i_vector */ - if (i_vector) - memcpy(i_vector, - privmsg->enc_part.ciphertext.data + - (privmsg->enc_part.ciphertext.length - blocksize), - blocksize); - /* now decode the decrypted stuff */ if ((retval = decode_krb5_enc_priv_part(&scratch, &privmsg_enc_part))) goto cleanup_scratch; diff --git a/src/lib/krb5/krb/recvauth.c b/src/lib/krb5/krb/recvauth.c index 3d5bce4..f74041c 100644 --- a/src/lib/krb5/krb/recvauth.c +++ b/src/lib/krb5/krb/recvauth.c 
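Review bot: The result of `krb5_crypto_us_timeofday (&rnd_data.sec, &rnd_data.usec);` is discarded, so if it fails `rnd_data` is handed to `krb5_c_random_seed` uninitialised. Seed only on success, `if (krb5_crypto_us_timeofday(&rnd_data.sec, &rnd_data.usec) == 0)`, or zero the struct before the call. The new comment is right that this is not a randomness guarantee; it should also say that the unpredictability of the subkey rests on how the PRNG was seeded at context initialisation, not on this call. krb5_mk_req_extended starts and ends outside the hunk.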
@@ -37,20 +37,18 @@ static char *sendauth_version = "KRB5_SENDAUTH_V1.0"; -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_recvauth(context, auth_context, - /* IN */ - fd, appl_version, server, flags, keytab, - /* OUT */ - ticket) - krb5_context context; - krb5_auth_context FAR * auth_context; - krb5_pointer fd; - char FAR * appl_version; - krb5_principal server; - krb5_int32 flags; - krb5_keytab keytab; - krb5_ticket FAR * FAR * ticket; +krb5_error_code +recvauth_common(krb5_context context, + krb5_auth_context FAR * auth_context, + /* IN */ + krb5_pointer fd, + char FAR *appl_version, + krb5_principal server, + krb5_int32 flags, + krb5_keytab keytab, + /* OUT */ + krb5_ticket FAR * FAR * ticket, + krb5_data FAR *version) { krb5_auth_context new_auth_context; krb5_flags ap_option; @@ -91,12 +89,15 @@ krb5_recvauth(context, auth_context, */ if ((retval = krb5_read_message(context, fd, &inbuf))) return(retval); - if (strcmp(inbuf.data, appl_version)) { + if (appl_version && strcmp(inbuf.data, appl_version)) { krb5_xfree(inbuf.data); if (!problem) problem = KRB5_SENDAUTH_BADAPPLVERS; } - krb5_xfree(inbuf.data); + if (version && !problem) + *version = inbuf; + else + krb5_xfree(inbuf.data); /* * OK, now check the problem variable. If it's zero, we're * fine and we can continue. Otherwise, we have to signal an 
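Review bot: `recvauth_common` is defined without `static`, so a helper that appears to be called only by the two wrappers added later in this file gets external linkage under a name outside the library's `krb5_` prefix. Declaring it `static krb5_error_code recvauth_common(...)` keeps it out of the exported symbol table. A short comment above it should also say that a null `appl_version` skips the version comparison and a null `version` means the received string is freed rather than returned. The function body continues outside the hunk.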
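Review bot: When the application version does not match, `inbuf.data` is released twice. The mismatch branch calls `krb5_xfree(inbuf.data)` and sets `problem`, and because `problem` is then non-zero the new `else` arm calls `krb5_xfree(inbuf.data)` again. The pre-patch code had the same pattern with its unconditional free, so the rewrite was the moment to fix it: drop the `krb5_xfree(inbuf.data);` inside the `if (appl_version && strcmp(...))` block and let the final if/else be the only place the buffer is released or handed to `*version`. Separately, `strcmp` assumes the peer-supplied buffer is NUL-terminated; whether `krb5_read_message` guarantees that is not visible here and should be confirmed.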
@@ -243,3 +244,38 @@ cleanup:; } return retval; } + +KRB5_DLLIMP krb5_error_code KRB5_CALLCONV +krb5_recvauth(context, auth_context, + /* IN */ + fd, appl_version, server, flags, keytab, + /* OUT */ + ticket) + krb5_context context; + krb5_auth_context FAR * auth_context; + krb5_pointer fd; + char FAR * appl_version; + krb5_principal server; + krb5_int32 flags; + krb5_keytab keytab; + krb5_ticket FAR * FAR * ticket; +{ + return recvauth_common (context, auth_context, fd, appl_version, + server, flags, keytab, ticket, 0); +} + +KRB5_DLLIMP krb5_error_code KRB5_CALLCONV +krb5_recvauth_version(krb5_context context, + krb5_auth_context FAR *auth_context, + /* IN */ + krb5_pointer fd, + krb5_principal server, + krb5_int32 flags, + krb5_keytab keytab, + /* OUT */ + krb5_ticket FAR * FAR *ticket, + krb5_data FAR *version) +{ + return recvauth_common (context, auth_context, fd, 0, + server, flags, keytab, ticket, version); +} diff --git a/src/lib/krb5/krb/sendauth.c b/src/lib/krb5/krb/sendauth.c index 1e6b726..b19afdb 100644 --- a/src/lib/krb5/krb/sendauth.c +++ b/src/lib/krb5/krb/sendauth.c 
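Review bot: `krb5_recvauth_version` is a new public entry point with no comment describing who owns `version->data` after the call. From the assignment `*version = inbuf;` in `recvauth_common` it looks as if the caller receives the buffer read from the peer and must free it, but nothing in this hunk says so or says what `*version` contains when the function returns an error. I would add a header comment along the lines of `/* On success *version holds the client's application version string; the caller releases version->data with krb5_xfree(). */` and state whether it is left untouched on failure. The string is whatever the remote side sent, so the comment should also tell callers to validate it before use.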
@@ -152,9 +152,32 @@ krb5_sendauth(context, auth_context, credsp = in_creds; } - if ((retval = krb5_mk_req_extended(context, auth_context, ap_req_options, - in_data, credsp, &outbuf))) - goto error_return; + if (ap_req_options & AP_OPTS_USE_SUBKEY) { + /* Provide some more fodder for random number code. + This isn't strong cryptographically; the point here is + not to guarantee randomness, but to make it less likely + that multiple sessions could pick the same subkey. */ + char rnd_data[1024]; + size_t len; + krb5_data d; + d.length = sizeof (rnd_data); + d.data = rnd_data; + len = sizeof (rnd_data); + if (getpeername (*(int*)fd, (struct sockaddr *) rnd_data, &len) == 0) { + d.length = len; + (void) krb5_c_random_seed (context, &d); + } + len = sizeof (rnd_data); + if (getsockname (*(int*)fd, (struct sockaddr *) rnd_data, &len) == 0) { + d.length = len; + (void) krb5_c_random_seed (context, &d); + } + } + + if ((retval = krb5_mk_req_extended(context, auth_context, + ap_req_options, in_data, credsp, + &outbuf))) + goto error_return; /* * First write the length of the AP_REQ message, then write diff --git a/src/lib/krb5/krb/t_kerb.c b/src/lib/krb5/krb/t_kerb.c index 2feef39..458015d 100644 --- a/src/lib/krb5/krb/t_kerb.c +++ b/src/lib/krb5/krb/t_kerb.c @@ -4,6 +4,7 @@ */ #include "krb5.h" +#include "kerberosIV/krb.h" #include <stdio.h> #include <stdlib.h> #include <unistd.h> 
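Review bot: `len` is declared `size_t`, but its address is passed as the third argument of `getpeername` and `getsockname`, which take a pointer to the platform's socket-length type (`socklen_t` on POSIX systems, `int` on older ones). Where `size_t` is wider than that type the calls read and write only part of `len`, so both the buffer length given to the kernel and the `d.length` later passed to `krb5_c_random_seed` can be wrong. Declaring it with the matching type, e.g. `socklen_t len;`, avoids this. `*(int*)fd` also assumes `fd` points at a socket descriptor, which deserves a one-line comment because `fd` is an opaque `krb5_pointer`. The body of krb5_sendauth continues outside the hunk.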
@@ -56,6 +57,32 @@ void test_425_conv_principal(ctx, name, inst, realm) krb5_free_principal(ctx, princ); } +void test_524_conv_principal(ctx, name) + krb5_context ctx; + char *name; +{ + krb5_principal princ = 0; + krb5_error_code retval; + char aname[ANAME_SZ+1], inst[INST_SZ+1], realm[REALM_SZ+1]; + + aname[ANAME_SZ] = inst[INST_SZ] = realm[REALM_SZ] = 0; + retval = krb5_parse_name(ctx, name, &princ); + if (retval) { + com_err("krb5_parse_name", retval, 0); + goto fail; + } + retval = krb5_524_conv_principal(ctx, princ, aname, inst, realm); + if (retval) { + com_err("krb5_524_conv_principal", retval, 0); + goto fail; + } + printf("524_converted_principal(%s): '%s' '%s' '%s'\n", + name, aname, inst, realm); + fail: + if (princ) + krb5_free_principal (ctx, princ); +} + void test_parse_name(ctx, name) krb5_context ctx; const char *name; @@ -131,6 +158,7 @@ void usage(progname) { fprintf(stderr, "%s: Usage: %s 425_conv_principal <name> <inst> <realm\n", progname, progname); + fprintf(stderr, "\t%s 524_conv_principal <name>\n", progname); fprintf(stderr, "\t%s parse_name <name>\n", progname); fprintf(stderr, "\t%s set_realm <name> <realm>\n", progname); fprintf(stderr, "\t%s string_to_timestamp <time>\n", progname); @@ -186,6 +214,10 @@ main(argc, argv) argc--; argv++; if (!argc) usage(progname); test_string_to_timestamp(ctx, *argv); + } else if (strcmp(*argv, "524_conv_principal") == 0) { + argc--; argv++; + if (!argc) usage(progname); + test_524_conv_principal(ctx, *argv); } else usage(progname); diff --git a/src/lib/krb5/krb/t_krb5.conf b/src/lib/krb5/krb/t_krb5.conf index 5882d97..8d7a4d9 100644 --- a/src/lib/krb5/krb/t_krb5.conf +++ b/src/lib/krb5/krb/t_krb5.conf @@ -19,6 +19,12 @@ kdc = KERBEROS.CYGNUS.COM admin_server = KERBEROS.MIT.EDU } + stanford.edu = { + v4_realm = IR.STANFORD.EDU + } + LONGNAMES.COM = { + v4_realm = SOME-REALLY-LONG-REALM-NAME-V4-CANNOT-HANDLE.COM + } [domain_realm] .mit.edu = ATHENA.MIT.EDU 
diff --git a/src/lib/krb5/krb/t_ref_kerb.out b/src/lib/krb5/krb/t_ref_kerb.out index 9423944..08a5334 100644 --- a/src/lib/krb5/krb/t_ref_kerb.out +++ b/src/lib/krb5/krb/t_ref_kerb.out @@ -14,4 +14,6 @@ parsed (and unparsed) principal(\/slash/\@atsign/octa\/thorpe@\/slash\@at\/sign) 425_converted principal(rcmd, uunet, UU.NET): 'host/uunet.uu.net@UU.NET' 425_converted principal(zephyr, zephyr, ATHENA.MIT.EDU): 'zephyr/zephyr@ATHENA.MIT.EDU' 425_converted principal(kadmin, ATHENA.MIT.EDU, ATHENA.MIT.EDU): 'kadmin/ATHENA.MIT.EDU@ATHENA.MIT.EDU' +524_converted_principal(host/e40-po.mit.edu@ATHENA.MIT.EDU): 'rcmd' 'e40-po' 'ATHENA.MIT.EDU' +524_converted_principal(host/foobar.stanford.edu@stanford.edu): 'rcmd' 'foobar' 'IR.STANFORD.EDU' old principal: marc@MIT.EDU, modified principal: marc@CYGNUS.COM diff --git a/src/lib/krb5/os/ChangeLog b/src/lib/krb5/os/ChangeLog index adf1c5d..33f8018 100644 --- a/src/lib/krb5/os/ChangeLog +++ b/src/lib/krb5/os/ChangeLog 
@@ -1,3 +1,50 @@ +2000-06-23 Miro Jurisic <meeroh@mit.edu> + + * init_os_ctx.c (os_get_default_config_files): Return ENOENT when + file is not found on MacOS (not ENFILE). Use Kerberos Preferences + library to locate the config files on Mac OS. Eliminated some + dead code. + +2000-06-23 Nalin Dahyabhai <nalin@redhat.com> + + * an_to_ln.c (do_replacement): Don't overflow buffers "in" or "out". + * hst_realm.c (krb5_try_realm_txt_rr): Don't overfill "host" when + malformed DNS responses are received. + + * ccdefname.c (get_from_os): Don't overflow buffer "name_buf". + * kuserok.c (krb5_kuserok): Don't overflow buffer "pbuf". + +2000-06-23 Ken Raeburn <raeburn@mit.edu> + + * localaddr.c: Include stddef.h. + (foreach_localaddr): Check each address against previously used + addresses, and skip duplicates, in case multiple interfaces have + the same address. If called functions fail, drop out of loop and + return nonzero. Use SIOCGSIZIFCONF ioctl if available to get the + buffer size needed for SIOCGIFCONF, and skip the silly heuristics + if it returns a reasonable value. + (krb5_os_localaddr): Increment count of addresses to include null + pointer terminator. Delete check for zero count. + + * locate_kdc.c (maybe_use_dns): Renamed from _krb5_use_dns. Now + takes an arg to indicate a key to look up in krb5.conf, falling + back to "dns_fallback", and an arg indicating the default value if + no config file entries match. + (_krb5_use_dns_realm): New routine; use "dns_lookup_realm" and + KRB5_DNS_LOOKUP_REALM setting. + (_krb5_use_dns_kdc): New routine; use "dns_lookup_kdc" and + KRB5_DNS_LOOKUP_KDC. + (krb5_locate_kdc): Call _krb5_use_dns_kdc. + * changepw.c (krb5_locate_kpasswd): Call _krb5_use_dns_kdc. + * def_realm.c (krb5_get_default_realm): Call _krb5_use_dns_realm. + * hst_realm.c (krb5_get_host_realm): Call _krb5_use_dns_realm. 
+ +2000-06-23 Alexandra Ellwood <lxs@mit.edu> + + * ccdefname.c: Added support to store a krb5_principal in the os_context + along with the default ccache name (if known, this principal is the same + as the last time we looked at the ccache. + 2000-05-09 Alexandra Ellwood <lxs@mit.edu> *localaddr.c: Fixed the local_addr_fallback_kludge so that it actually does something. diff --git a/src/lib/krb5/os/an_to_ln.c b/src/lib/krb5/os/an_to_ln.c index 3c721fb..02e68fb 100644 --- a/src/lib/krb5/os/an_to_ln.c +++ b/src/lib/krb5/os/an_to_ln.c @@ -298,15 +298,15 @@ do_replacement(regexp, repl, doall, in, out) strncpy(op, cp, match_match.rm_so); op += match_match.rm_so; } - strcpy(op, repl); - op += strlen(repl); + strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out)); + op += strlen(op); cp += match_match.rm_eo; if (!doall) - strcpy(op, cp); + strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out)); matched = 1; } else { - strcpy(op, cp); + strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out)); matched = 0; } } while (doall && matched); @@ -333,20 +333,20 @@ do_replacement(regexp, repl, doall, in, out) strncpy(op, cp, sdispl); op += sdispl; } - strcpy(op, repl); + strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out)); op += strlen(repl); cp += edispl; if (!doall) - strcpy(op, cp); + strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out)); matched = 1; } else { - strcpy(op, cp); + strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out)); matched = 0; } } while (doall && matched); #else /* HAVE_REGEXP_H */ - strcpy(out, in); + memcpy(out, in, MAX_FORMAT_BUFFER); #endif /* HAVE_REGCOMP */ } @@ -379,7 +379,8 @@ aname_replacer(string, contextp, result) * Prime the buffers. Copy input string to "out" to simulate it * being the result of an initial iteration. */ - strcpy(out, string); + strncpy(out, string, MAX_FORMAT_BUFFER - 1); + out[MAX_FORMAT_BUFFER - 1] = '\0'; in[0] = '\0'; kret = 0; /* 
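Review bot: The new bound `MAX_FORMAT_BUFFER - 1 - (op - out)` is only meaningful while `op` is still inside `out`, and the unchanged `strncpy(op, cp, match_match.rm_so); op += match_match.rm_so;` just above it copies the unmatched prefix with no limit at all. If that prefix moves `op` past the end, the subtraction goes negative and is converted to a very large `size_t`, and `strncpy` then writes and zero-pads far beyond the buffer. The remaining room should be computed once per iteration and checked before the prefix copy, e.g. `size_t room = MAX_FORMAT_BUFFER - 1 - (op - out);` followed by `if ((size_t) match_match.rm_so > room) break;`. The same applies to `strncpy(op, cp, sdispl)` in the following hunk; do_replacement starts outside both hunks.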
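Review bot: In the second do_replacement hunk `op` is still advanced with `op += strlen(repl);` after the copy was bounded, so when `repl` is truncated `op` ends up past the bytes actually written and possibly past the end of `out`. The first hunk already uses the right form; this branch should match it with `op += strlen(op);`. In the fallback branch, `memcpy(out, in, MAX_FORMAT_BUFFER);` always reads the full size from `in`, which is only safe if every caller passes a buffer of at least that size; the visible aname_replacer code suggests it does, but a comment stating the requirement would help.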
@@ -421,6 +422,7 @@ aname_replacer(string, contextp, result) out = ep; /* Do the replacemenbt */ + memset(out, '\0', MAX_FORMAT_BUFFER); do_replacement(rule, repl, doglobal, in, out); free(rule); free(repl); diff --git a/src/lib/krb5/os/ccdefname.c b/src/lib/krb5/os/ccdefname.c index 3bc2546..6b00e52 100644 --- a/src/lib/krb5/os/ccdefname.c +++ b/src/lib/krb5/os/ccdefname.c @@ -160,7 +160,7 @@ static krb5_error_code get_from_os(char *name_buf, int name_size) if (get_from_registry_indirect(name_buf, name_size) != 0) return 0; - strncpy(name_buf, prefix, name_size); + strncpy(name_buf, prefix, name_size - 1); name_buf[name_size - 1] = 0; size = name_size - strlen(prefix); if (size > 0) diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c index 5973516..575866e 100644 --- a/src/lib/krb5/os/changepw.c +++ b/src/lib/krb5/os/changepw.c @@ -66,10 +66,10 @@ krb5_locate_kpasswd(context, realm, addr_pp, naddrs) * We always try the local file first */ - code = krb5_locate_srv_conf( context, realm, "kpasswd_server", + code = krb5_locate_srv_conf(context, realm, "kpasswd_server", addr_pp, naddrs, 0); if (code) { - code = krb5_locate_srv_conf( context, realm, "admin_server", + code = krb5_locate_srv_conf(context, realm, "admin_server", addr_pp, naddrs, 0); if ( !code ) { /* success with admin_server but now we need to change the port */ @@ -83,7 +83,7 @@ krb5_locate_kpasswd(context, realm, addr_pp, naddrs) #ifdef KRB5_DNS_LOOKUP if (code) { - int use_dns = _krb5_use_dns(context); + int use_dns = _krb5_use_dns_kdc(context); if ( use_dns ) { code = krb5_locate_srv_dns(realm, "_kpasswd", "_udp", addr_pp, naddrs); diff --git a/src/lib/krb5/os/def_realm.c b/src/lib/krb5/os/def_realm.c index d3c031f..d9bd017 100644 --- a/src/lib/krb5/os/def_realm.c +++ b/src/lib/krb5/os/def_realm.c 
@@ -104,7 +104,7 @@ krb5_get_default_realm(context, lrealm) #ifdef KRB5_DNS_LOOKUP if (context->default_realm == 0) { - int use_dns = _krb5_use_dns(context); + int use_dns = _krb5_use_dns_realm(context); if ( use_dns ) { /* * Since this didn't appear in our config file, try looking diff --git a/src/lib/krb5/os/hst_realm.c b/src/lib/krb5/os/hst_realm.c index 1e8923f..965a991 100644 --- a/src/lib/krb5/os/hst_realm.c +++ b/src/lib/krb5/os/hst_realm.c @@ -117,6 +117,8 @@ krb5_try_realm_txt_rr(prefix, name, realm) */ if (name == NULL || name[0] == '\0') { + if (strlen (prefix) >= sizeof(host)-1) + return KRB5_ERR_HOST_REALM_UNKNOWN; strcpy(host,prefix); } else { if ( strlen(prefix) + strlen(name) + 3 > MAX_DNS_NAMELEN ) @@ -134,7 +136,7 @@ krb5_try_realm_txt_rr(prefix, name, realm) */ h = host + strlen (host); - if (h > host && h[-1] != '.') + if ((h > host) && (h[-1] != '.') && ((h - host + 1) < sizeof(host))) strcpy (h, "."); } size = res_search(host, C_IN, T_TXT, answer.bytes, sizeof(answer.bytes)); @@ -312,7 +314,7 @@ krb5_get_host_realm(context, host, realmsp) #ifdef KRB5_DNS_LOOKUP if (realm == (char *)NULL) { - int use_dns = _krb5_use_dns(context); + int use_dns = _krb5_use_dns_realm(context); if ( use_dns ) { /* * Since this didn't appear in our config file, try looking diff --git a/src/lib/krb5/os/init_os_ctx.c b/src/lib/krb5/os/init_os_ctx.c index 5222e6a..f599697 100644 --- a/src/lib/krb5/os/init_os_ctx.c +++ b/src/lib/krb5/os/init_os_ctx.c @@ -30,22 +30,7 @@ #include "k5-int.h" #ifdef macintosh -OSErr -GetMacProfileFileSpec (FSSpec* outFileSpec, StringPtr inName, UInt32 whichFolder) -{ - OSErr err; - - - - err = FindFolder (kOnSystemDisk, whichFolder, kCreateFolder, - &(outFileSpec -> vRefNum) , &(outFileSpec -> parID)); - - if (err == noErr) { - BlockMoveData (inName, &(outFileSpec -> name), strlen (inName) + 1); - } - - return err; -} +#include <PreferencesLib.h> #endif /* macintosh */ #if defined(_MSDOS) || defined(_WIN32) 
@@ -204,42 +189,94 @@ os_get_default_config_files(pfiles, secure) { profile_filespec_t* files; #ifdef macintosh - files = malloc(7 * sizeof(FSSpec)); - - if (files != 0) { - OSErr err = GetMacProfileFileSpec(&(files [3]), "\pKerberos Preferences", kApplicationSupportFolderType); - if (err == noErr) { - err = GetMacProfileFileSpec( &(files [4]), "\pkrb5.ini", kApplicationSupportFolderType); - } - if (err == noErr) { - err = GetMacProfileFileSpec( &(files [5]), "\pKerberos5 Configuration", kApplicationSupportFolderType); - } - - if (err == noErr) { - files[6].vRefNum = 0; - files[6].parID = 0; - files[6].name[0] = '\0'; - } else { - files[3].vRefNum = 0; - files[3].parID = 0; - files[3].name[0] = '\0'; + FSSpec* preferencesFiles = nil; + UInt32 numPreferencesFiles; + FSSpec* preferencesFilesToInit = nil; + UInt32 numPreferencesFilesToInit; + UInt32 i; + Boolean foundPreferences = false; + Boolean writtenPreferences = false; + SInt16 refNum = -1; + SInt32 length = 0; + + OSErr err = KPGetListOfPreferencesFiles ( + secure ? 
kpSystemPreferences : kpUserPreferences | kpSystemPreferences, + &preferencesFiles, + &numPreferencesFiles); + + if (err == noErr) { + /* After we get the list of files, check whether any of them contain any useful information */ + for (i = 0; i < numPreferencesFiles; i++) { + if (KPPreferencesFileIsReadable (&preferencesFiles [i]) == noErr) { + /* It's readable, check if it has anything in the data fork */ + err = FSpOpenDF (&preferencesFiles [i], fsRdPerm, &refNum); + if (err == noErr) { + err = GetEOF (refNum, &length); + } + + if (refNum != -1) { + FSClose (refNum); + } + + if (length != 0) { + foundPreferences = true; + break; + } + } } - err = GetMacProfileFileSpec(&(files [0]), "\pKerberos Preferences", kPreferencesFolderType); - if (err == noErr) { - err = GetMacProfileFileSpec( &(files [1]), "\pkrb5.ini", kPreferencesFolderType); - } - if (err == noErr) { - err = GetMacProfileFileSpec( &(files [2]), "\pKerberos5 Configuration", kPreferencesFolderType); + if (!foundPreferences) { + /* We found no profile data in any of those files; try to initialize one */ + /* If we are running "secure" do not try to initialize preferences */ + if (!secure) { + err = KPGetListOfPreferencesFiles (kpUserPreferences, &preferencesFilesToInit, &numPreferencesFilesToInit); + if (err == noErr) { + for (i = 0; i < numPreferencesFilesToInit; i++) { + if (KPPreferencesFileIsWritable (&preferencesFilesToInit [i]) == noErr) { + err = noErr; + /* If not readable, create it */ + if (KPPreferencesFileIsReadable (&preferencesFilesToInit [i]) != noErr) { + err = KPCreatePreferencesFile (&preferencesFilesToInit [i]); + } + /* Initialize it */ + if (err == noErr) { + err = KPInitializeWithDefaultKerberosLibraryPreferences (&preferencesFilesToInit [i]); + } + break; + } + } + } + } } + } + + if (err == noErr) { + files = malloc ((numPreferencesFiles + 1) * sizeof (FSSpec)); + if (files == NULL) + err = memFullErr; + } + + if (err == noErr) { + for (i = 0; i < numPreferencesFiles; i++) { + 
files [i] = preferencesFiles [i]; + } + + files [numPreferencesFiles].vRefNum = 0; + files [numPreferencesFiles].parID = 0; + files [numPreferencesFiles].name[0] = '\0'; + } + + if (preferencesFiles != nil) + KPFreeListOfPreferencesFiles (preferencesFiles); + + if (preferencesFilesToInit != nil) + KPFreeListOfPreferencesFiles (preferencesFilesToInit); - if (err != noErr) { - free (files); - return ENFILE; - } - } else { + if (err == memFullErr) return ENOMEM; - } + else if (err != noErr) + return ENOENT; + #else /* !macintosh */ #if defined(_MSDOS) || defined(_WIN32) krb5_error_code retval = 0; @@ -405,7 +442,7 @@ krb5_os_init_context(ctx) os_ctx->os_flags = 0; os_ctx->default_ccname = 0; os_ctx->default_ccprincipal = 0; - + krb5_cc_set_default_name(ctx, NULL); retval = os_init_paths(ctx); @@ -522,8 +559,8 @@ krb5_os_free_context(ctx) if (os_ctx->default_ccname) { free(os_ctx->default_ccname); - os_ctx->default_ccname = 0; - } + os_ctx->default_ccname = 0; + } if (os_ctx->default_ccprincipal) { krb5_free_principal (ctx, os_ctx->default_ccprincipal); diff --git a/src/lib/krb5/os/kuserok.c b/src/lib/krb5/os/kuserok.c index ef08037..6d2adb1 100644 --- a/src/lib/krb5/os/kuserok.c +++ b/src/lib/krb5/os/kuserok.c @@ -80,8 +80,9 @@ krb5_kuserok(context, principal, luser) if ((pwd = getpwnam(luser)) == NULL) { return(FALSE); } - (void) strcpy(pbuf, pwd->pw_dir); - (void) strcat(pbuf, "/.k5login"); + (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1); + pbuf[sizeof(pbuf) - 1] = '\0'; + (void) strncat(pbuf, "/.k5login", sizeof(pbuf) - 1 - strlen(pbuf)); if (access(pbuf, F_OK)) { /* not accessible */ /* diff --git a/src/lib/krb5/os/localaddr.c b/src/lib/krb5/os/localaddr.c index f0f1a29..d5b46b6 100644 --- a/src/lib/krb5/os/localaddr.c +++ b/src/lib/krb5/os/localaddr.c 
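Review bot: In the loop that probes the preference files, `refNum` is set to -1 only at its declaration, so after one file has been opened and closed a later iteration whose `FSpOpenDF` fails still sees `refNum != -1` and calls `FSClose` on the stale reference (assuming a failed open leaves `refNum` unchanged, which is not visible here). Putting `refNum = -1;` at the top of the loop body fixes that. `err` also keeps the result of the last `FSpOpenDF`/`GetEOF`, so in the `secure` case a failure on the final file makes the function skip the `malloc` and return ENOENT even though the list itself was obtained; using a separate local for the probe result would keep the two outcomes apart. The enclosing function starts before this hunk.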
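Review bot: The bounded copies in krb5_kuserok stop the overflow of `pbuf`, but an over-long `pw_dir` is now silently truncated, so the `access()` call and whatever follows operate on a path that is not the user's `.k5login`. For an authorization check it is safer to fail closed than to consult a different or non-existent file: add `if (strlen(pwd->pw_dir) + sizeof("/.k5login") > sizeof(pbuf)) return(FALSE);` before the copy. This assumes `pbuf` is an array, as the patch's own use of `sizeof(pbuf)` implies. The rest of the function lies outside the hunk.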
@@ -1,7 +1,7 @@ /* * lib/krb5/os/localaddr.c * - * Copyright 1990,1991 by the Massachusetts Institute of Technology. + * Copyright 1990,1991,2000 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -39,6 +39,7 @@ #include <sys/ioctl.h> #include <sys/time.h> #include <errno.h> +#include <stddef.h> /* * The SIOCGIF* ioctls require a socket. @@ -255,13 +256,17 @@ foreach_localaddr (data, pass1fn, betweenfn, pass2fn) int (*betweenfn) (void *); int (*pass2fn) (void *, struct sockaddr *); { - struct ifreq *ifr, ifreq; + struct ifreq *ifr, ifreq, *ifr2; struct ifconf ifc; - int s, code, n, i; + int s, code, n, i, j; int est_if_count = 8, est_ifreq_size; char *buf = 0; size_t current_buf_size = 0; - + int fail = 0; +#ifdef SIOCGSIZIFCONF + int ifconfsize = -1; +#endif + s = socket (USE_AF, USE_TYPE, USE_PROTO); if (s < 0) return SOCKET_ERRNO; @@ -270,7 +275,15 @@ foreach_localaddr (data, pass1fn, betweenfn, pass2fn) isn't big enough for an IPv6 or ethernet address. So add a little more space. */ est_ifreq_size = sizeof (struct ifreq) + 8; - current_buf_size = est_ifreq_size * est_if_count; +#ifdef SIOCGSIZIFCONF + code = ioctl (s, SIOCGSIZIFCONF, &ifconfsize); + if (!code) { + current_buf_size = ifconfsize; + est_if_count = ifconfsize / est_ifreq_size; + } +#endif + if (current_buf_size == 0) + current_buf_size = est_ifreq_size * est_if_count; buf = malloc (current_buf_size); ask_again: @@ -289,7 +302,11 @@ foreach_localaddr (data, pass1fn, betweenfn, pass2fn) the only indication we get, complicated by the fact that the associated address may make the required storage a little bigger than the size of an ifreq. */ - if (current_buf_size - ifc.ifc_len < sizeof (struct ifreq) + 40) { + if (current_buf_size - ifc.ifc_len < sizeof (struct ifreq) + 40 +#ifdef SIOCGSIZIFCONF + && ifconfsize <= 0 +#endif + ) { int new_size; char *newbuf; 
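Review bot: In the SIOCGSIZIFCONF block, `current_buf_size = ifconfsize;` runs whenever the ioctl returns 0, without checking that the reported size is positive. `ifconfsize` is an `int` initialised to -1, so a successful call that leaves it negative is converted to a huge `size_t` for `malloc`, and the later `ifconfsize <= 0` test shows that a non-positive value is considered possible. Tightening the guard to `if (!code && ifconfsize > 0) {` keeps the heuristic path as the fallback. The result of `buf = malloc (current_buf_size);` is not checked in the lines shown here either, which is worth confirming in the full function.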
@@ -312,26 +329,49 @@ foreach_localaddr (data, pass1fn, betweenfn, pass2fn) ifr = (struct ifreq *)((caddr_t) ifc.ifc_buf+i); strncpy(ifreq.ifr_name, ifr->ifr_name, sizeof (ifreq.ifr_name)); - if (ioctl (s, SIOCGIFFLAGS, (char *)&ifreq) < 0 -#ifdef IFF_LOOPBACK - /* None of the current callers want loopback addresses. */ - || (ifreq.ifr_flags & IFF_LOOPBACK) -#endif - /* Ignore interfaces that are down. */ - || !(ifreq.ifr_flags & IFF_UP)) { + if (ioctl (s, SIOCGIFFLAGS, (char *)&ifreq) < 0) { + skip: /* mark for next pass */ ifr->ifr_name[0] = 0; continue; } +#ifdef IFF_LOOPBACK + /* None of the current callers want loopback addresses. */ + if (ifreq.ifr_flags & IFF_LOOPBACK) + goto skip; +#endif + /* Ignore interfaces that are down. */ + if (!(ifreq.ifr_flags & IFF_UP)) + goto skip; + + /* Make sure we didn't process this address already. */ + for (j = 0; j < i; j += ifreq_size(*ifr2)) { + ifr2 = (struct ifreq *)((caddr_t) ifc.ifc_buf+j); + if (ifr2->ifr_name[0] == 0) + continue; + if (ifr2->ifr_addr.sa_family == ifr->ifr_addr.sa_family + && ifreq_size (*ifr) == ifreq_size (*ifr2) + /* Compare address info. If this isn't good enough -- + i.e., if random padding bytes turn out to differ + when the addresses are the same -- then we'll have + to do it on a per address family basis. */ + && !memcmp (&ifr2->ifr_addr.sa_data, &ifr->ifr_addr.sa_data, + (ifreq_size (*ifr) + - offsetof (struct ifreq, ifr_addr.sa_data)))) + goto skip; + } + if ((*pass1fn) (data, &ifr->ifr_addr)) { - abort (); + fail = 1; + goto punt; } } if (betweenfn && (*betweenfn)(data)) { - abort (); + fail = 1; + goto punt; } if (pass2fn) @@ -343,13 +383,15 @@ foreach_localaddr (data, pass1fn, betweenfn, pass2fn) continue; if ((*pass2fn) (data, &ifr->ifr_addr)) { - abort (); + fail = 1; + goto punt; } } + punt: closesocket(s); free (buf); - return 0; + return fail; } 
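Review bot: Replacing `abort ()` with `fail = 1; goto punt;` is the right direction, but `return fail;` now makes foreach_localaddr return the bare value 1 where its other error return is `SOCKET_ERRNO`. If krb5_os_localaddr propagates that value (its call site is not in this hunk), callers get an unrelated errno-style code instead of the real cause, such as ENOMEM. Returning a defined code, or capturing the callback's result with something like `if ((fail = (*pass1fn) (data, &ifr->ifr_addr)) != 0) goto punt;`, would keep the error meaningful. The `skip:` label sits inside the body of the `if (ioctl ...)` block and is reached by backward `goto`s from outside it, which is legal C but easy to break in later edits; a small comment there would help.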
@@ -376,10 +418,9 @@ krb5_os_localaddr(context, addr) return r; } + data.cur_idx++; /* null termination */ if (data.mem_err) return ENOMEM; - else if (data.cur_idx == 0) - abort (); else if (data.cur_idx == data.count) *addr = data.addr_temp; else { diff --git a/src/lib/krb5/os/locate_kdc.c b/src/lib/krb5/os/locate_kdc.c index 1139fb3..53f36d8 100644 --- a/src/lib/krb5/os/locate_kdc.c +++ b/src/lib/krb5/os/locate_kdc.c @@ -53,29 +53,57 @@ #define KPASSWD_PORTNAME "kpasswd" #endif -int -_krb5_use_dns(context) - krb5_context context; +#if KRB5_DNS_LOOKUP_KDC +#define DEFAULT_LOOKUP_KDC 1 +#else +#define DEFAULT_LOOKUP_KDC 0 +#endif +#if KRB5_DNS_LOOKUP_REALM +#define DEFAULT_LOOKUP_REALM 1 +#else +#define DEFAULT_LOOKUP_REALM 0 +#endif + +static int +maybe_use_dns (context, name, defalt) + krb5_context context; + const char *name; + int defalt; { krb5_error_code code; char * value = NULL; int use_dns = 0; code = profile_get_string(context->profile, "libdefaults", - "dns_fallback", 0, - context->profile_in_memory?"1":"0", - &value); + name, 0, 0, &value); + if (value == 0 && code == 0) + code = profile_get_string(context->profile, "libdefaults", + "dns_fallback", 0, 0, &value); if (code) - return(code); + return defalt; - if (value) { - use_dns = _krb5_conf_boolean(value); - profile_release_string(value); - } + if (value == 0) + return defalt; + use_dns = _krb5_conf_boolean(value); + profile_release_string(value); return use_dns; } +int +_krb5_use_dns_kdc(context) + krb5_context context; +{ + return maybe_use_dns (context, "dns_lookup_kdc", DEFAULT_LOOKUP_KDC); +} + +int +_krb5_use_dns_realm(context) + krb5_context context; +{ + return maybe_use_dns (context, "dns_lookup_realm", DEFAULT_LOOKUP_REALM); +} + #endif /* KRB5_DNS_LOOKUP */ /* 
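Review bot: `maybe_use_dns` returns `defalt` whenever `profile_get_string` fails, so in a build where `DEFAULT_LOOKUP_KDC` or `DEFAULT_LOOKUP_REALM` is 1 a profile read error quietly leaves DNS lookups enabled. Nothing visible here authenticates DNS answers for realm or KDC location, so that behaviour should at least be documented where it is decided. I would add a comment above the function such as `/* Lookup order: NAME, then "dns_fallback", then the compile-time default; a profile error also yields the default. */`. The two `#if KRB5_DNS_LOOKUP_*` tests also treat an undefined macro as 0, which is presumably intended but worth a word next to the defaults.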
@@ -205,9 +233,9 @@ krb5_locate_srv_conf(context, realm, name, addr_pp, naddrs, get_masters) addr_p = (struct sockaddr *)malloc (sizeof (struct sockaddr) * count); if (addr_p == NULL) { - if ( hostlist ) + if (hostlist) profile_free_list(hostlist); - if ( masterlist ) + if (masterlist) profile_free_list(masterlist); return ENOMEM; } @@ -281,9 +309,9 @@ krb5_locate_srv_conf(context, realm, name, addr_pp, naddrs, get_masters) } } - if ( hostlist ) + if (hostlist) profile_free_list(hostlist); - if ( masterlist ) + if (masterlist) profile_free_list(masterlist); if (out == 0) { /* Couldn't resolve any KDC names */ @@ -582,11 +610,11 @@ krb5_locate_kdc(context, realm, addr_pp, naddrs, get_masters) #ifdef KRB5_DNS_LOOKUP if (code) { - int use_dns = _krb5_use_dns(context); + int use_dns = _krb5_use_dns_kdc(context); if ( use_dns ) { code = krb5_locate_srv_dns(realm, - get_masters ? "_kerberos-master" : "_kerberos", - "_udp", addr_pp, naddrs); + get_masters ? "_kerberos-master" : "_kerberos", + "_udp", addr_pp, naddrs); } } #endif /* KRB5_DNS_LOOKUP */ diff --git a/src/lib/krb5/posix/ChangeLog b/src/lib/krb5/posix/ChangeLog index 813ec31..118c028 100644 --- a/src/lib/krb5/posix/ChangeLog +++ b/src/lib/krb5/posix/ChangeLog @@ -1,3 +1,10 @@ +2000-04-28 Ken Raeburn <raeburn@mit.edu> + Nalin Dahyabhai <nalin@redhat.com> + + * syslog.c (vsyslog): Use strncpy and strncat instead of strcpy + and strcat when adding to buffer "tbuf". If calling vsprintf, + abort if it appears to have overrun the buffer. + 1999-10-26 Wilfredo Sanchez <tritan@mit.edu> * Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES, diff --git a/src/lib/krb5/posix/syslog.c b/src/lib/krb5/posix/syslog.c index 31e7874..f7ddbff 100644 --- a/src/lib/krb5/posix/syslog.c +++ b/src/lib/krb5/posix/syslog.c 
@@ -115,7 +115,7 @@ vsyslog(pri, fmt, ap) (void)sprintf(tbuf, "<%d>%.15s ", pri, ctime(&now) + 4); for (p = tbuf; *p; ++p); if (LogTag) { - (void)strcpy(p, LogTag); + (void)strncpy(p, LogTag, sizeof(tbuf) - 1 - (p - tbuf)); for (; *p; ++p); } if (LogStat & LOG_PID) { @@ -146,6 +146,11 @@ vsyslog(pri, fmt, ap) } (void)vsprintf(p, fmt_cpy, ap); + /* Bounds checking?? If a system doesn't have syslog, we + probably can't rely on it having vsnprintf either. Try not + to let a buffer overrun be exploited. */ + if (strlen (tbuf) >= sizeof (tbuf)) + abort (); /* output the message to the local logger */ if (send(LogFile, tbuf, cnt = strlen(tbuf), 0) >= 0 || @@ -169,7 +174,8 @@ vsyslog(pri, fmt, ap) if ((fd = open(CONSOLE, O_WRONLY, 0)) < 0) return; (void)alarm((u_int)0); - (void)strcat(tbuf, "\r"); + tbuf[sizeof(tbuf) - 1] = '\0'; + (void)strncat(tbuf, "\r", sizeof(tbuf) - 1 - strlen(tbuf)); p = strchr(tbuf, '>') + 1; (void)write(fd, p, cnt + 1 - (p - tbuf)); (void)close(fd); diff --git a/src/lib/krb5/rcache/ChangeLog b/src/lib/krb5/rcache/ChangeLog index 52f9db9..f58e877 100644 --- a/src/lib/krb5/rcache/ChangeLog +++ b/src/lib/krb5/rcache/ChangeLog @@ -1,3 +1,8 @@ +2000-04-28 Nalin Dahyabhai <nalin@redhat.com> + + * rc_io.c (getdir): Don't check dirlen again, the call sites + always do. Fix dirlen calculation. + 1999-10-26 Wilfredo Sanchez <tritan@mit.edu> * Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES, diff --git a/src/lib/krb5/rcache/rc_io.c b/src/lib/krb5/rcache/rc_io.c index d45c7a1..b4291bc 100644 --- a/src/lib/krb5/rcache/rc_io.c +++ b/src/lib/krb5/rcache/rc_io.c @@ -57,8 +57,6 @@ static char *dir; static void getdir() { - if (!dirlen) - { if (!(dir = getenv("KRB5RCACHEDIR"))) #if defined(_MSDOS) || defined(_WIN32) if (!(dir = getenv("TEMP"))) @@ -72,8 +70,7 @@ static void getdir() dir = "/tmp"; #endif #endif - dirlen = strlen(dir) + 1; - } + dirlen = strlen(dir) + sizeof(PATH_SEPARATOR); } krb5_error_code krb5_rc_io_creat (context, d, fn) |
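Review bot: `strncpy(p, LogTag, sizeof(tbuf) - 1 - (p - tbuf))` does not write a terminator when `LogTag` fills the remaining space, and the next statement, `for (; *p; ++p);`, scans for one. Unless the last byte of `tbuf` is already zero (nothing in the hunk sets it at this point), that scan can run past the buffer. Adding `tbuf[sizeof(tbuf) - 1] = '\0';` immediately after the `strncpy` makes the scan stop inside the array. The third hunk sets that terminator before its `strncat`, but only on the console path, which is too late for this loop.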
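Review bot: The `strlen (tbuf) >= sizeof (tbuf)` test runs after `vsprintf` has already written past `tbuf`, so it limits what happens next but does not prevent the out-of-bounds write, and `abort ()` terminates whatever program linked this fallback. The added comment explains why `vsnprintf` is not assumed, but a configure-time check would allow `(void)vsnprintf(p, sizeof(tbuf) - (p - tbuf), fmt_cpy, ap);` where it exists, with the post-hoc check kept only for platforms that lack it. The same applies to the initial `sprintf` and the LOG_PID formatting, whose lines are outside this hunk.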