aboutsummaryrefslogtreecommitdiff
path: root/src/lib/krb5
diff options
context:
space:
mode:
authorno author <devnull@mit.edu>2004-05-17 19:28:46 +0000
committerno author <devnull@mit.edu>2004-05-17 19:28:46 +0000
commitef4d928fc937a354577c397ec8e723e920ff7351 (patch)
tree8ed7a02bd110ed46492e88c6e67d1997bbde297f /src/lib/krb5
parent6670198c5e4945eaabfec95e24b0c47c7d97fc44 (diff)
downloadkrb5-kfw-2.6.2-beta2.zip
krb5-kfw-2.6.2-beta2.tar.gz
krb5-kfw-2.6.2-beta2.tar.bz2
This commit was manufactured by cvs2svn to create tagkfw-2.6.2-beta2
'kfw-2_6_2-beta-2'. git-svn-id: svn://anonsvn.mit.edu/krb5/tags/kfw-2_6_2-beta-2@16344 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb5')
-rw-r--r--src/lib/krb5/Makefile.in8
-rw-r--r--src/lib/krb5/asn.1/ChangeLog100
-rw-r--r--src/lib/krb5/asn.1/Makefile.in73
-rw-r--r--src/lib/krb5/asn.1/asn1_decode.c46
-rw-r--r--src/lib/krb5/asn.1/asn1_decode.h2
-rw-r--r--src/lib/krb5/asn.1/asn1_k_decode.c101
-rw-r--r--src/lib/krb5/asn.1/asn1_k_decode.h4
-rw-r--r--src/lib/krb5/asn.1/asn1_k_encode.c43
-rw-r--r--src/lib/krb5/asn.1/asn1_k_encode.h7
-rw-r--r--src/lib/krb5/asn.1/krb5_decode.c62
-rw-r--r--src/lib/krb5/asn.1/krb5_encode.c73
-rw-r--r--src/lib/krb5/ccache/ChangeLog209
-rw-r--r--src/lib/krb5/ccache/Makefile.in61
-rw-r--r--src/lib/krb5/ccache/cc-int.h39
-rw-r--r--src/lib/krb5/ccache/cc_file.c16
-rw-r--r--src/lib/krb5/ccache/cc_memory.c16
-rw-r--r--src/lib/krb5/ccache/cc_mslsa.c1621
-rw-r--r--src/lib/krb5/ccache/cc_retr.c65
-rw-r--r--src/lib/krb5/ccache/ccbase.c34
-rw-r--r--src/lib/krb5/ccache/ccdefault.c28
-rw-r--r--src/lib/krb5/error_tables/.Sanitize1
-rw-r--r--src/lib/krb5/error_tables/ChangeLog27
-rw-r--r--src/lib/krb5/error_tables/Makefile.in22
-rw-r--r--src/lib/krb5/error_tables/init_ets.c14
-rw-r--r--src/lib/krb5/error_tables/krb524_err.et34
-rw-r--r--src/lib/krb5/error_tables/krb5_err.et4
-rw-r--r--src/lib/krb5/keytab/ChangeLog39
-rw-r--r--src/lib/krb5/keytab/Makefile.in54
-rw-r--r--src/lib/krb5/keytab/kt_file.c26
-rw-r--r--src/lib/krb5/keytab/ktbase.c36
-rw-r--r--src/lib/krb5/krb/.Sanitize4
-rw-r--r--src/lib/krb5/krb/ChangeLog325
-rw-r--r--src/lib/krb5/krb/Makefile.in521
-rw-r--r--src/lib/krb5/krb/auth_con.c220
-rw-r--r--src/lib/krb5/krb/auth_con.h10
-rw-r--r--src/lib/krb5/krb/chpw.c322
-rw-r--r--src/lib/krb5/krb/conv_creds.c277
-rw-r--r--src/lib/krb5/krb/copy_data.c22
-rw-r--r--src/lib/krb5/krb/fwd_tgt.c15
-rw-r--r--src/lib/krb5/krb/gc_frm_kdc.c41
-rw-r--r--src/lib/krb5/krb/gen_seqnum.c19
-rw-r--r--src/lib/krb5/krb/get_in_tkt.c35
-rw-r--r--src/lib/krb5/krb/gic_keytab.c81
-rw-r--r--src/lib/krb5/krb/gic_pwd.c119
-rw-r--r--src/lib/krb5/krb/in_tkt_ktb.c125
-rw-r--r--src/lib/krb5/krb/in_tkt_pwd.c123
-rw-r--r--src/lib/krb5/krb/init_ctx.c47
-rw-r--r--src/lib/krb5/krb/kfree.c21
-rw-r--r--src/lib/krb5/krb/mk_cred.c5
-rw-r--r--src/lib/krb5/krb/mk_priv.c5
-rw-r--r--src/lib/krb5/krb/mk_rep.c9
-rw-r--r--src/lib/krb5/krb/mk_req_ext.c58
-rw-r--r--src/lib/krb5/krb/mk_safe.c5
-rw-r--r--src/lib/krb5/krb/parse.c9
-rw-r--r--src/lib/krb5/krb/preauth2.c224
-rw-r--r--src/lib/krb5/krb/rd_cred.c11
-rw-r--r--src/lib/krb5/krb/rd_priv.c8
-rw-r--r--src/lib/krb5/krb/rd_rep.c18
-rw-r--r--src/lib/krb5/krb/rd_req.c4
-rw-r--r--src/lib/krb5/krb/rd_req_dec.c12
-rw-r--r--src/lib/krb5/krb/rd_safe.c26
-rw-r--r--src/lib/krb5/krb/send_tgs.c1
-rw-r--r--src/lib/krb5/krb/ser_actx.c28
-rw-r--r--src/lib/krb5/krb/serialize.c35
-rw-r--r--src/lib/krb5/krb/srv_rcache.c13
-rw-r--r--src/lib/krb5/krb/unparse.c3
-rw-r--r--src/lib/krb5/krb/v4lifetime.c149
-rw-r--r--src/lib/krb5/os/.Sanitize1
-rw-r--r--src/lib/krb5/os/ChangeLog139
-rw-r--r--src/lib/krb5/os/Makefile.in255
-rw-r--r--src/lib/krb5/os/accessor.c26
-rw-r--r--src/lib/krb5/os/an_to_ln.c15
-rw-r--r--src/lib/krb5/os/changepw.c119
-rw-r--r--src/lib/krb5/os/dnssrv.c273
-rw-r--r--src/lib/krb5/os/init_os_ctx.c12
-rw-r--r--src/lib/krb5/os/locate_kdc.c242
-rw-r--r--src/lib/krb5/os/read_pwd.c9
-rw-r--r--src/lib/krb5/os/send524.c111
-rw-r--r--src/lib/krb5/os/sendto_kdc.c58
-rw-r--r--src/lib/krb5/os/t_locate_kdc.c2
-rw-r--r--src/lib/krb5/os/toffset.c2
-rw-r--r--src/lib/krb5/rcache/Makefile.in38
82 files changed, 5754 insertions, 1363 deletions
diff --git a/src/lib/krb5/Makefile.in b/src/lib/krb5/Makefile.in
index dc5c7b9..96efb56 100644
--- a/src/lib/krb5/Makefile.in
+++ b/src/lib/krb5/Makefile.in
@@ -130,8 +130,8 @@ install-unix:: install-libs
# Makefile dependencies follow. This must be the last section in
# the Makefile.in file
#
-krb5_libinit.so krb5_libinit.po $(OUTPRE)krb5_libinit.$(OBJEXT): krb5_libinit.c $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(BUILDTOP)/include/krb5_err.h $(BUILDTOP)/include/kv5m_err.h \
- $(BUILDTOP)/include/asn1_err.h $(BUILDTOP)/include/kdb5_err.h \
- krb5_libinit.h
+krb5_libinit.so krb5_libinit.po $(OUTPRE)krb5_libinit.$(OBJEXT): krb5_libinit.c $(COM_ERR_DEPS) \
+ $(BUILDTOP)/include/krb5.h $(BUILDTOP)/include/krb5_err.h \
+ $(BUILDTOP)/include/kv5m_err.h $(BUILDTOP)/include/asn1_err.h \
+ $(BUILDTOP)/include/kdb5_err.h krb5_libinit.h
diff --git a/src/lib/krb5/asn.1/ChangeLog b/src/lib/krb5/asn.1/ChangeLog
index b1ff161..18e4c07 100644
--- a/src/lib/krb5/asn.1/ChangeLog
+++ b/src/lib/krb5/asn.1/ChangeLog
@@ -1,3 +1,103 @@
+2003-10-08 Tom Yu <tlyu@mit.edu>
+
+ * asn1_k_encode.c (asn1_encode_krb_saved_safe_body): New function;
+ kludge to insert a raw pre-encoded KRB-SAFE-BODY.
+
+ * asn1_k_encode.h (asn1_encode_krb_saved_safe_body): Add
+ prototype.
+
+ * krb5_decode.c (decode_krb5_safe_with_body): New function; saves
+ a copy of the encoding of the KRB-SAFE-BODY to avoid problems
+ caused by re-encoding it during verification.
+
+ * krb5_encode.c (encode_krb5_safe_with_body): New function;
+ re-encode a KRB-SAFE using a saved KRB-SAFE-BODY encoding, to
+ avoid trouble with re-encoding a KRB-SAFE-BODY.
+
+2003-07-22 Sam Hartman <hartmans@avalanche-breakdown.mit.edu>
+
+ * asn1_k_decode.c (asn1_decode_etype_info2_entry_1_3): Decoder for
+ the broken 1.3 ASN.1 behavior for etype_info2; see bug 1681.
+
+ * asn1_k_decode.h (asn1_decode_etype_info2): Add v1_3_behavior
+ flag for parsing the broken 1.3 behavior of using an octetString
+ instead of generalString
+
+ * asn1_k_decode.c (asn1_decode_etype_info2_entry): Expect etype_info2 as generalstring not octetstring
+
+2003-06-20 Sam Hartman <hartmans@mit.edu>
+
+ * asn1_k_decode.h (asn1_decode_etype_info2): Prototype. Also
+ deleted prototype for asn1_decode_etype_info_entry as that is not
+ used outside asn1_k_decode.c
+
+ * krb5_decode.c (decode_krb5_etype_info2): Call etype_info2 decoder
+
+ * asn1_k_decode.c (asn1_decode_etype_info_entry): Split out
+ etype_info2 and etype_info decoder so we ignore tag 2 in the
+ heimdal encoder
+ (asn1_decode_etype_info2): new function
+
+2003-05-23 Sam Hartman <hartmans@mit.edu>
+
+ * asn1_k_decode.c (asn1_decode_etype_info_entry): Fix logic error
+ that incorrectly set up s2kparams.data
+
+2003-05-20 Ezra Peisach <epeisach@bu.edu>
+
+ * asn1_k_encode.c (asn1_encode_krb_safe_body): Use
+ asn1_encode_unsigned_integer for sequence number.
+
+ * asn1_k_decode.c (asn1_decode_krb_safe_body): Use
+ asn1_decode_seqnum to decode sequence number.
+
+
+2003-05-18 Tom Yu <tlyu@mit.edu>
+
+ * asn1_decode.c (asn1_decode_maybe_unsigned): New function; decode
+ negative 32-bit numbers into positive unsigned numbers for the
+ sake of backwards compatibility with old code.
+
+ * asn1_decode.h: Add prototype for asn1_decode_maybe_unsigned.
+
+ * asn1_k_decode.c (asn1_decode_seqnum): New function; wrapper
+ around asn1_decode_maybe_unsigned.
+
+ * asn1_k_decode.h: Add prototype for asn1_decode_seqnum.
+
+ * krb5_decode.c (decode_krb5_authenticator)
+ (decode_krb5_ap_rep_enc_part, decode_krb5_enc_priv_part): Sequence
+ numbers are now unsigned. Use asn1_decode_seqnum to handle
+ backwards compat with negative sequence numbers.
+
+ * krb5_encode.c (encode_krb5_authenticator)
+ (encode_krb5_ap_rep_enc_part, encode_krb5_enc_priv_part): Sequence
+ numbers are now unsigned.
+
+2003-05-06 Sam Hartman <hartmans@mit.edu>
+
+ * krb5_decode.c (decode_krb5_etype_info2): New function; currently
+ the same code as decode_krb5_etype_info. This means that we can
+ manage to accept s2kparams in etype_info which is wrong but
+ probably harmless.
+
+ * asn1_k_decode.c (asn1_decode_etype_info_entry): Add etype_info2
+ support
+
+ * asn1_k_encode.c (asn1_encode_etype_info_entry): Add support for
+ etype-info2
+
+ * krb5_encode.c (encode_krb5_etype_info2): New function
+
+2003-04-15 Sam Hartman <hartmans@mit.edu>
+
+ * krb5_encode.c (encode_krb5_setpw_req): new function
+
+2003-04-13 Ezra Peisach <epeisach@mit.edu>
+
+ * asn1_k_decode.c (asn1_decode_kdc_req_body): Fix memory leak if
+ optional server field is lacking,
+
2003-03-11 Ken Raeburn <raeburn@mit.edu>
* asn1_get.c (asn1_get_tag): Deleted.
diff --git a/src/lib/krb5/asn.1/Makefile.in b/src/lib/krb5/asn.1/Makefile.in
index 6757046..8de97f0 100644
--- a/src/lib/krb5/asn.1/Makefile.in
+++ b/src/lib/krb5/asn.1/Makefile.in
@@ -61,61 +61,66 @@ clean-unix:: clean-libobjs
#
asn1_decode.so asn1_decode.po $(OUTPRE)asn1_decode.$(OBJEXT): asn1_decode.c asn1_decode.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- krbasn1.h asn1buf.h asn1_get.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h krbasn1.h asn1buf.h asn1_get.h
asn1_k_decode.so asn1_k_decode.po $(OUTPRE)asn1_k_decode.$(OBJEXT): asn1_k_decode.c asn1_k_decode.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- krbasn1.h asn1buf.h asn1_decode.h asn1_get.h asn1_misc.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h krbasn1.h asn1buf.h asn1_decode.h \
+ asn1_get.h asn1_misc.h
asn1_encode.so asn1_encode.po $(OUTPRE)asn1_encode.$(OBJEXT): asn1_encode.c asn1_encode.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- krbasn1.h asn1buf.h asn1_make.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h krbasn1.h asn1buf.h asn1_make.h
asn1_get.so asn1_get.po $(OUTPRE)asn1_get.$(OBJEXT): asn1_get.c asn1_get.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- krbasn1.h asn1buf.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h krbasn1.h asn1buf.h
asn1_make.so asn1_make.po $(OUTPRE)asn1_make.$(OBJEXT): asn1_make.c asn1_make.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- krbasn1.h asn1buf.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h krbasn1.h asn1buf.h
asn1buf.so asn1buf.po $(OUTPRE)asn1buf.$(OBJEXT): asn1buf.c asn1buf.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h krbasn1.h asn1_get.h
+ krbasn1.h asn1_get.h
krb5_decode.so krb5_decode.po $(OUTPRE)krb5_decode.$(OBJEXT): krb5_decode.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) krbasn1.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/profile.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- asn1_k_decode.h asn1buf.h asn1_decode.h asn1_get.h
+ $(SRCTOP)/include/krb5/kdb.h asn1_k_decode.h asn1buf.h \
+ asn1_decode.h asn1_get.h
krb5_encode.so krb5_encode.po $(OUTPRE)krb5_encode.$(OBJEXT): krb5_encode.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) asn1_k_encode.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/profile.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- asn1buf.h krbasn1.h asn1_encode.h asn1_make.h
+ $(SRCTOP)/include/krb5/kdb.h asn1buf.h krbasn1.h asn1_encode.h \
+ asn1_make.h
asn1_k_encode.so asn1_k_encode.po $(OUTPRE)asn1_k_encode.$(OBJEXT): asn1_k_encode.c asn1_k_encode.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- asn1buf.h krbasn1.h asn1_make.h asn1_encode.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h asn1buf.h krbasn1.h asn1_make.h \
+ asn1_encode.h
asn1_misc.so asn1_misc.po $(OUTPRE)asn1_misc.$(OBJEXT): asn1_misc.c asn1_misc.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- krbasn1.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h krbasn1.h
diff --git a/src/lib/krb5/asn.1/asn1_decode.c b/src/lib/krb5/asn.1/asn1_decode.c
index 56904c5..6586320 100644
--- a/src/lib/krb5/asn.1/asn1_decode.c
+++ b/src/lib/krb5/asn.1/asn1_decode.c
@@ -1,7 +1,7 @@
/*
* src/lib/krb5/asn.1/asn1_decode.c
*
- * Copyright 1994 by the Massachusetts Institute of Technology.
+ * Copyright 1994, 2003 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -106,6 +106,50 @@ asn1_error_code asn1_decode_unsigned_integer(asn1buf *buf, long unsigned int *va
cleanup();
}
+/*
+ * asn1_decode_maybe_unsigned
+ *
+ * This is needed because older releases of MIT krb5 have signed
+ * sequence numbers. We want to accept both signed and unsigned
+ * sequence numbers, in the range -2^31..2^32-1, mapping negative
+ * numbers into their positive equivalents in the same way that C's
+ * normal integer conversions do, i.e., would preserve bits on a
+ * two's-complement architecture.
+ */
+asn1_error_code asn1_decode_maybe_unsigned(asn1buf *buf, unsigned long *val)
+{
+ setup();
+ asn1_octet o;
+ unsigned long n, bitsremain;
+ unsigned int i;
+
+ tag(ASN1_INTEGER);
+ o = 0;
+ n = 0;
+ bitsremain = ~0UL;
+ for (i = 0; i < length; i++) {
+ /* Accounts for u_long width not being a multiple of 8. */
+ if (bitsremain < 0xff) return ASN1_OVERFLOW;
+ retval = asn1buf_remove_octet(buf, &o);
+ if (retval) return retval;
+ if (bitsremain == ~0UL) {
+ if (i == 0)
+ n = (o & 0x80) ? ~0UL : 0UL; /* grab sign bit */
+ /*
+ * Skip leading zero or 0xFF octets to humor non-compliant encoders.
+ */
+ if (n == 0 && o == 0)
+ continue;
+ if (n == ~0UL && o == 0xff)
+ continue;
+ }
+ n = (n << 8) | o;
+ bitsremain >>= 8;
+ }
+ *val = n;
+ cleanup();
+}
+
asn1_error_code asn1_decode_oid(asn1buf *buf, unsigned int *retlen, asn1_octet **val)
{
setup();
diff --git a/src/lib/krb5/asn.1/asn1_decode.h b/src/lib/krb5/asn.1/asn1_decode.h
index 449a589..cafbf3f 100644
--- a/src/lib/krb5/asn.1/asn1_decode.h
+++ b/src/lib/krb5/asn.1/asn1_decode.h
@@ -62,6 +62,8 @@ asn1_error_code asn1_decode_integer
(asn1buf *buf, long *val);
asn1_error_code asn1_decode_unsigned_integer
(asn1buf *buf, unsigned long *val);
+asn1_error_code asn1_decode_maybe_unsigned
+ (asn1buf *buf, unsigned long *val);
asn1_error_code asn1_decode_null
(asn1buf *buf);
diff --git a/src/lib/krb5/asn.1/asn1_k_decode.c b/src/lib/krb5/asn.1/asn1_k_decode.c
index c64ebb8..3ffb701 100644
--- a/src/lib/krb5/asn.1/asn1_k_decode.c
+++ b/src/lib/krb5/asn.1/asn1_k_decode.c
@@ -320,6 +320,17 @@ integer_convert(asn1_decode_authdatatype,krb5_authdatatype)
unsigned_integer_convert(asn1_decode_ui_2,krb5_ui_2)
unsigned_integer_convert(asn1_decode_ui_4,krb5_ui_4)
+asn1_error_code asn1_decode_seqnum(asn1buf *buf, krb5_ui_4 *val)
+{
+ asn1_error_code retval;
+ unsigned long n;
+
+ retval = asn1_decode_maybe_unsigned(buf, &n);
+ if (retval) return retval;
+ *val = (krb5_ui_4)n & 0xffffffff;
+ return 0;
+}
+
asn1_error_code asn1_decode_msgtype(asn1buf *buf, krb5_msgtype *val)
{
asn1_error_code retval;
@@ -541,7 +552,9 @@ asn1_error_code asn1_decode_kdc_req(asn1buf *buf, krb5_kdc_req *val)
asn1_error_code asn1_decode_kdc_req_body(asn1buf *buf, krb5_kdc_req *val)
{
setup();
- { begin_structure();
+ {
+ krb5_principal psave;
+ begin_structure();
get_field(val->kdc_options,0,asn1_decode_kdc_options);
if(tagnum == 1){ alloc_field(val->client,krb5_principal_data); }
opt_field(val->client,1,asn1_decode_principal_name,NULL);
@@ -550,7 +563,19 @@ asn1_error_code asn1_decode_kdc_req_body(asn1buf *buf, krb5_kdc_req *val)
if(val->client != NULL){
retval = asn1_krb5_realm_copy(val->client,val->server);
if(retval) return retval; }
+
+ /* If opt_field server is missing, memory reference to server is
+ lost and results in memory leak */
+ psave = val->server;
opt_field(val->server,3,asn1_decode_principal_name,NULL);
+ if(val->server == NULL){
+ if(psave->realm.data) {
+ free(psave->realm.data);
+ psave->realm.data = NULL;
+ psave->realm.length=0;
+ }
+ free(psave);
+ }
opt_field(val->from,4,asn1_decode_kerberos_time,0);
get_field(val->till,5,asn1_decode_kerberos_time);
opt_field(val->rtime,6,asn1_decode_kerberos_time,0);
@@ -580,7 +605,7 @@ asn1_error_code asn1_decode_krb_safe_body(asn1buf *buf, krb5_safe *val)
get_lenfield(val->user_data.length,val->user_data.data,0,asn1_decode_charstring);
opt_field(val->timestamp,1,asn1_decode_kerberos_time,0);
opt_field(val->usec,2,asn1_decode_int32,0);
- opt_field(val->seq_number,3,asn1_decode_int32,0);
+ opt_field(val->seq_number,3,asn1_decode_seqnum,0);
alloc_field(val->s_address,krb5_address);
get_field(*(val->s_address),4,asn1_decode_host_address);
if(tagnum == 5){
@@ -782,7 +807,33 @@ asn1_error_code asn1_decode_sequence_of_checksum(asn1buf *buf, krb5_checksum ***
decode_array_body(krb5_checksum, asn1_decode_checksum);
}
-asn1_error_code asn1_decode_etype_info_entry(asn1buf *buf, krb5_etype_info_entry *val)
+static asn1_error_code asn1_decode_etype_info2_entry(asn1buf *buf, krb5_etype_info_entry *val )
+{
+ setup();
+ { begin_structure();
+ get_field(val->etype,0,asn1_decode_enctype);
+ if (tagnum == 1) {
+ get_lenfield(val->length,val->salt,1,asn1_decode_generalstring);
+ } else {
+ val->length = KRB5_ETYPE_NO_SALT;
+ val->salt = 0;
+ }
+ if ( tagnum ==2) {
+ krb5_octet *params ;
+ get_lenfield( val->s2kparams.length, params,
+ 2, asn1_decode_octetstring);
+ val->s2kparams.data = ( char *) params;
+ } else {
+ val->s2kparams.data = NULL;
+ val->s2kparams.length = 0;
+ }
+ end_structure();
+ val->magic = KV5M_ETYPE_INFO_ENTRY;
+ }
+ cleanup();
+}
+
+static asn1_error_code asn1_decode_etype_info2_entry_1_3(asn1buf *buf, krb5_etype_info_entry *val )
{
setup();
{ begin_structure();
@@ -793,17 +844,59 @@ asn1_error_code asn1_decode_etype_info_entry(asn1buf *buf, krb5_etype_info_entry
val->length = KRB5_ETYPE_NO_SALT;
val->salt = 0;
}
+ if ( tagnum ==2) {
+ krb5_octet *params ;
+ get_lenfield( val->s2kparams.length, params,
+ 2, asn1_decode_octetstring);
+ val->s2kparams.data = ( char *) params;
+ } else {
+ val->s2kparams.data = NULL;
+ val->s2kparams.length = 0;
+ }
end_structure();
val->magic = KV5M_ETYPE_INFO_ENTRY;
}
cleanup();
}
-asn1_error_code asn1_decode_etype_info(asn1buf *buf, krb5_etype_info_entry ***val)
+
+static asn1_error_code asn1_decode_etype_info_entry(asn1buf *buf, krb5_etype_info_entry *val )
+{
+ setup();
+ { begin_structure();
+ get_field(val->etype,0,asn1_decode_enctype);
+ if (tagnum == 1) {
+ get_lenfield(val->length,val->salt,1,asn1_decode_octetstring);
+ } else {
+ val->length = KRB5_ETYPE_NO_SALT;
+ val->salt = 0;
+ }
+ val->s2kparams.data = NULL;
+ val->s2kparams.length = 0;
+
+ end_structure();
+ val->magic = KV5M_ETYPE_INFO_ENTRY;
+ }
+ cleanup();
+}
+
+asn1_error_code asn1_decode_etype_info(asn1buf *buf, krb5_etype_info_entry ***val )
{
decode_array_body(krb5_etype_info_entry,asn1_decode_etype_info_entry);
}
+asn1_error_code asn1_decode_etype_info2(asn1buf *buf, krb5_etype_info_entry ***val ,
+ krb5_boolean v1_3_behavior)
+{
+ if (v1_3_behavior) {
+ decode_array_body(krb5_etype_info_entry,
+ asn1_decode_etype_info2_entry_1_3);
+ } else {
+ decode_array_body(krb5_etype_info_entry,
+ asn1_decode_etype_info2_entry);
+ }
+}
+
asn1_error_code asn1_decode_passwdsequence(asn1buf *buf, passwd_phrase_element *val)
{
setup();
diff --git a/src/lib/krb5/asn.1/asn1_k_decode.h b/src/lib/krb5/asn.1/asn1_k_decode.h
index 8f8b0bc..1852e76 100644
--- a/src/lib/krb5/asn.1/asn1_k_decode.h
+++ b/src/lib/krb5/asn.1/asn1_k_decode.h
@@ -89,6 +89,8 @@ asn1_error_code asn1_decode_ui_2
(asn1buf *buf, krb5_ui_2 *val);
asn1_error_code asn1_decode_ui_4
(asn1buf *buf, krb5_ui_4 *val);
+asn1_error_code asn1_decode_seqnum
+ (asn1buf *buf, krb5_ui_4 *val);
asn1_error_code asn1_decode_kerberos_time
(asn1buf *buf, krb5_timestamp *val);
asn1_error_code asn1_decode_sam_flags
@@ -185,6 +187,8 @@ asn1_error_code asn1_decode_sequence_of_passwdsequence
asn1_error_code asn1_decode_etype_info
(asn1buf *buf, krb5_etype_info_entry ***val);
+asn1_error_code asn1_decode_etype_info2
+ (asn1buf *buf, krb5_etype_info_entry ***val, krb5_boolean v1_3_behavior);
#endif
diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
index 9226f7c..00cfab0 100644
--- a/src/lib/krb5/asn.1/asn1_k_encode.c
+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
@@ -27,6 +27,7 @@
#include "asn1_k_encode.h"
#include "asn1_make.h"
#include "asn1_encode.h"
+#include <assert.h>
/**** asn1 macros ****/
#if 0
@@ -643,7 +644,7 @@ asn1_error_code asn1_encode_krb_safe_body(asn1buf *buf, const krb5_safe *val, un
asn1_addfield(val->r_address,5,asn1_encode_host_address);
asn1_addfield(val->s_address,4,asn1_encode_host_address);
if(val->seq_number)
- asn1_addfield(val->seq_number,3,asn1_encode_integer);
+ asn1_addfield(val->seq_number,3,asn1_encode_unsigned_integer);
if(val->timestamp){
asn1_addfield(val->usec,2,asn1_encode_integer);
asn1_addfield(val->timestamp,1,asn1_encode_kerberos_time);
@@ -708,24 +709,33 @@ asn1_error_code asn1_encode_krb_cred_info(asn1buf *buf, const krb5_cred_info *va
asn1_cleanup();
}
-asn1_error_code asn1_encode_etype_info_entry(asn1buf *buf, const krb5_etype_info_entry *val, unsigned int *retlen)
+asn1_error_code asn1_encode_etype_info_entry(asn1buf *buf, const krb5_etype_info_entry *val,
+ unsigned int *retlen, int etype_info2)
{
asn1_setup();
+ assert(val->s2kparams.data == NULL || etype_info2);
if(val == NULL || (val->length > 0 && val->length != KRB5_ETYPE_NO_SALT &&
val->salt == NULL))
return ASN1_MISSING_FIELD;
-
- if (val->length >= 0 && val->length != KRB5_ETYPE_NO_SALT)
+ if(val->s2kparams.data != NULL)
+ asn1_addlenfield(val->s2kparams.length, val->s2kparams.data, 2,
+ asn1_encode_octetstring);
+ if (val->length >= 0 && val->length != KRB5_ETYPE_NO_SALT){
+ if (etype_info2)
asn1_addlenfield(val->length,val->salt,1,
- asn1_encode_octetstring);
- asn1_addfield(val->etype,0,asn1_encode_integer);
+ asn1_encode_generalstring)
+ else asn1_addlenfield(val->length,val->salt,1,
+ asn1_encode_octetstring);
+ }
+asn1_addfield(val->etype,0,asn1_encode_integer);
asn1_makeseq();
asn1_cleanup();
}
-asn1_error_code asn1_encode_etype_info(asn1buf *buf, const krb5_etype_info_entry **val, unsigned int *retlen)
+asn1_error_code asn1_encode_etype_info(asn1buf *buf, const krb5_etype_info_entry **val,
+ unsigned int *retlen, int etype_info2)
{
asn1_setup();
int i;
@@ -734,7 +744,7 @@ asn1_error_code asn1_encode_etype_info(asn1buf *buf, const krb5_etype_info_entry
for(i=0; val[i] != NULL; i++); /* get to the end of the array */
for(i--; i>=0; i--){
- retval = asn1_encode_etype_info_entry(buf,val[i],&length);
+ retval = asn1_encode_etype_info_entry(buf,val[i],&length, etype_info2);
if(retval) return retval;
sum += length;
}
@@ -932,3 +942,20 @@ asn1_error_code asn1_encode_predicted_sam_response(asn1buf *buf, const krb5_pred
asn1_cleanup();
}
+
+/*
+ * Do some ugliness to insert a raw pre-encoded KRB-SAFE-BODY.
+ */
+asn1_error_code asn1_encode_krb_saved_safe_body(asn1buf *buf, const krb5_data *body, unsigned int *retlen)
+{
+ asn1_error_code retval;
+
+ retval = asn1buf_insert_octetstring(buf, body->length,
+ (krb5_octet *)body->data);
+ if (retval){
+ asn1buf_destroy(&buf);
+ return retval;
+ }
+ *retlen = body->length;
+ return 0;
+}
diff --git a/src/lib/krb5/asn.1/asn1_k_encode.h b/src/lib/krb5/asn.1/asn1_k_encode.h
index 5914e09..caa46c5 100644
--- a/src/lib/krb5/asn.1/asn1_k_encode.h
+++ b/src/lib/krb5/asn.1/asn1_k_encode.h
@@ -219,11 +219,11 @@ asn1_error_code asn1_encode_alt_method
asn1_error_code asn1_encode_etype_info_entry
(asn1buf *buf, const krb5_etype_info_entry *val,
- unsigned int *retlen);
+ unsigned int *retlen, int etype_info2);
asn1_error_code asn1_encode_etype_info
(asn1buf *buf, const krb5_etype_info_entry **val,
- unsigned int *retlen);
+ unsigned int *retlen, int etype_info2);
asn1_error_code asn1_encode_passwdsequence
(asn1buf *buf, const passwd_phrase_element *val, unsigned int *retlen);
@@ -266,4 +266,7 @@ asn1_error_code asn1_encode_predicted_sam_response
(asn1buf *buf, const krb5_predicted_sam_response *val,
unsigned int *retlen);
+asn1_error_code asn1_encode_krb_saved_safe_body
+ (asn1buf *buf, const krb5_data *body, unsigned int *retlen);
+
#endif
diff --git a/src/lib/krb5/asn.1/krb5_decode.c b/src/lib/krb5/asn.1/krb5_decode.c
index 03a3029..596997f 100644
--- a/src/lib/krb5/asn.1/krb5_decode.c
+++ b/src/lib/krb5/asn.1/krb5_decode.c
@@ -90,6 +90,7 @@ if((var) == NULL) clean_return(ENOMEM)
construction = t2.construction; \
tagnum = t2.tagnum; \
indef = t2.indef; \
+ taglen = t2.length; \
}
#define get_eoc() \
@@ -107,6 +108,7 @@ if((var) == NULL) clean_return(ENOMEM)
/* decode sequence header and initialize tagnum with the first field */
#define begin_structure()\
+unsigned int taglen;\
asn1buf subbuf;\
int seqindef;\
int indef;\
@@ -219,7 +221,7 @@ krb5_error_code decode_krb5_authenticator(const krb5_data *code, krb5_authentica
get_field((*rep)->ctime,5,asn1_decode_kerberos_time);
if(tagnum == 6){ alloc_field((*rep)->subkey,krb5_keyblock); }
opt_field(*((*rep)->subkey),6,asn1_decode_encryption_key);
- opt_field((*rep)->seq_number,7,asn1_decode_int32);
+ opt_field((*rep)->seq_number,7,asn1_decode_seqnum);
opt_field((*rep)->authorization_data,8,asn1_decode_authorization_data);
(*rep)->magic = KV5M_AUTHENTICATOR;
end_structure();
@@ -440,7 +442,7 @@ krb5_error_code decode_krb5_ap_rep_enc_part(const krb5_data *code, krb5_ap_rep_e
get_field((*rep)->cusec,1,asn1_decode_int32);
if(tagnum == 2){ alloc_field((*rep)->subkey,krb5_keyblock); }
opt_field(*((*rep)->subkey),2,asn1_decode_encryption_key);
- opt_field((*rep)->seq_number,3,asn1_decode_int32);
+ opt_field((*rep)->seq_number,3,asn1_decode_seqnum);
end_structure();
(*rep)->magic = KV5M_AP_REP_ENC_PART;
}
@@ -494,8 +496,26 @@ krb5_error_code decode_krb5_kdc_req_body(const krb5_data *code, krb5_kdc_req **r
cleanup(free);
}
-krb5_error_code decode_krb5_safe(const krb5_data *code, krb5_safe **rep)
+/*
+ * decode_krb5_safe_with_body
+ *
+ * Like decode_krb5_safe(), but grabs the encoding of the
+ * KRB-SAFE-BODY as well, in case re-encoding would produce a
+ * different encoding. (Yes, we're using DER, but there's this
+ * annoying problem with pre-1.3.x code using signed sequence numbers,
+ * which we permissively decode and cram into unsigned 32-bit numbers.
+ * When they're re-encoded, they're no longer negative if they started
+ * out negative, so checksum verification fails.)
+ *
+ * This does *not* perform any copying; the returned pointer to the
+ * encoded KRB-SAFE-BODY points into the input buffer.
+ */
+krb5_error_code decode_krb5_safe_with_body(
+ const krb5_data *code,
+ krb5_safe **rep,
+ krb5_data *body)
{
+ krb5_data tmpbody;
setup();
alloc_field(*rep,krb5_safe);
clear_field(rep,checksum);
@@ -511,12 +531,26 @@ krb5_error_code decode_krb5_safe(const krb5_data *code, krb5_safe **rep)
if(msg_type != KRB5_SAFE) clean_return(KRB5_BADMSGTYPE);
#endif
}
+ /*
+ * Gross kludge to extract pointer to encoded safe-body. Relies
+ * on tag prefetch done by next_tag(). Don't handle indefinite
+ * encoding, as it's too much work.
+ */
+ if (!indef) {
+ tmpbody.length = taglen;
+ tmpbody.data = subbuf.next;
+ } else {
+ tmpbody.length = 0;
+ tmpbody.data = NULL;
+ }
get_field(**rep,2,asn1_decode_krb_safe_body);
alloc_field((*rep)->checksum,krb5_checksum);
get_field(*((*rep)->checksum),3,asn1_decode_checksum);
(*rep)->magic = KV5M_SAFE;
end_structure();
}
+ if (body != NULL)
+ *body = tmpbody;
cleanup_manual();
error_out:
if (rep && *rep) {
@@ -526,6 +560,11 @@ error_out:
return retval;
}
+krb5_error_code decode_krb5_safe(const krb5_data *code, krb5_safe **rep)
+{
+ return decode_krb5_safe_with_body(code, rep, NULL);
+}
+
krb5_error_code decode_krb5_priv(const krb5_data *code, krb5_priv **rep)
{
setup();
@@ -561,7 +600,7 @@ krb5_error_code decode_krb5_enc_priv_part(const krb5_data *code, krb5_priv_enc_p
get_lenfield((*rep)->user_data.length,(*rep)->user_data.data,0,asn1_decode_charstring);
opt_field((*rep)->timestamp,1,asn1_decode_kerberos_time);
opt_field((*rep)->usec,2,asn1_decode_int32);
- opt_field((*rep)->seq_number,3,asn1_decode_int32);
+ opt_field((*rep)->seq_number,3,asn1_decode_seqnum);
alloc_field((*rep)->s_address,krb5_address);
get_field(*((*rep)->s_address),4,asn1_decode_host_address);
if(tagnum == 5){ alloc_field((*rep)->r_address,krb5_address); }
@@ -744,6 +783,21 @@ krb5_error_code decode_krb5_etype_info(const krb5_data *code, krb5_etype_info_en
cleanup_none(); /* we're not allocating anything here */
}
+krb5_error_code decode_krb5_etype_info2(const krb5_data *code, krb5_etype_info_entry ***rep)
+{
+ setup_buf_only();
+ *rep = 0;
+ retval = asn1_decode_etype_info2(&buf,rep, 0);
+ if (retval == ASN1_BAD_ID) {
+ retval = asn1buf_wrap_data(&buf,code);
+ if(retval) clean_return(retval);
+ retval = asn1_decode_etype_info2(&buf, rep, 1);
+ }
+ if(retval) clean_return(retval);
+ cleanup_none(); /* we're not allocating anything here */
+}
+
+
krb5_error_code decode_krb5_enc_data(const krb5_data *code, krb5_enc_data **rep)
{
setup_buf_only();
diff --git a/src/lib/krb5/asn.1/krb5_encode.c b/src/lib/krb5/asn.1/krb5_encode.c
index 2a4f7bb..ecdfa18 100644
--- a/src/lib/krb5/asn.1/krb5_encode.c
+++ b/src/lib/krb5/asn.1/krb5_encode.c
@@ -166,7 +166,7 @@ krb5_error_code encode_krb5_authenticator(const krb5_authenticator *rep, krb5_da
/* seq-number[7] INTEGER OPTIONAL */
if(rep->seq_number != 0)
- krb5_addfield(rep->seq_number,7,asn1_encode_integer);
+ krb5_addfield(rep->seq_number,7,asn1_encode_unsigned_integer);
/* subkey[6] EncryptionKey OPTIONAL */
if(rep->subkey != NULL)
@@ -305,6 +305,7 @@ krb5_error_code encode_krb5_enc_kdc_rep_part(const krb5_enc_kdc_rep_part *rep, k
#ifdef KRB5_ENCKRB5KDCREPPART_COMPAT
krb5_apptag(26);
#else
+ /* XXX WRONG!!! Should use 25 || 26, not the outer KDC_REP tags! */
if (rep->msg_type == KRB5_AS_REP) { krb5_apptag(ASN1_KRB_AS_REP); }
else if (rep->msg_type == KRB5_TGS_REP) { krb5_apptag(ASN1_KRB_TGS_REP); }
else return KRB5_BADMSGTYPE;
@@ -395,7 +396,7 @@ krb5_error_code encode_krb5_ap_rep_enc_part(const krb5_ap_rep_enc_part *rep, krb
/* seq-number[3] INTEGER OPTIONAL */
if(rep->seq_number)
- krb5_addfield(rep->seq_number,3,asn1_encode_integer);
+ krb5_addfield(rep->seq_number,3,asn1_encode_unsigned_integer);
/* subkey[2] EncryptionKey OPTIONAL */
if(rep->subkey != NULL)
@@ -477,6 +478,43 @@ krb5_error_code encode_krb5_safe(const krb5_safe *rep, krb5_data **code)
krb5_cleanup();
}
+/*
+ * encode_krb5_safe_with_body
+ *
+ * Like encode_krb5_safe(), except takes a saved KRB-SAFE-BODY
+ * encoding to avoid problems with re-encoding.
+ */
+krb5_error_code encode_krb5_safe_with_body(
+ const krb5_safe *rep,
+ const krb5_data *body,
+ krb5_data **code)
+{
+ krb5_setup();
+
+ if (body == NULL) {
+ asn1buf_destroy(&buf);
+ return ASN1_MISSING_FIELD;
+ }
+
+ /* cksum[3] Checksum */
+ krb5_addfield(rep->checksum,3,asn1_encode_checksum);
+
+ /* safe-body[2] KRB-SAFE-BODY */
+ krb5_addfield(body,2,asn1_encode_krb_saved_safe_body);
+
+ /* msg-type[1] INTEGER */
+ krb5_addfield(ASN1_KRB_SAFE,1,asn1_encode_integer);
+
+ /* pvno[0] INTEGER */
+ krb5_addfield(KVNO,0,asn1_encode_integer);
+
+ /* KRB-SAFE ::= [APPLICATION 20] SEQUENCE */
+ krb5_makeseq();
+ krb5_apptag(20);
+
+ krb5_cleanup();
+}
+
krb5_error_code encode_krb5_priv(const krb5_priv *rep, krb5_data **code)
{
krb5_setup();
@@ -510,7 +548,7 @@ krb5_error_code encode_krb5_enc_priv_part(const krb5_priv_enc_part *rep, krb5_da
/* seq-number[3] INTEGER OPTIONAL */
if(rep->seq_number)
- krb5_addfield(rep->seq_number,3,asn1_encode_integer);
+ krb5_addfield(rep->seq_number,3,asn1_encode_unsigned_integer);
/* usec[2] INTEGER OPTIONAL */
if(rep->timestamp){
@@ -678,11 +716,21 @@ krb5_error_code encode_krb5_alt_method(const krb5_alt_method *rep, krb5_data **c
krb5_error_code encode_krb5_etype_info(const krb5_etype_info_entry **rep, krb5_data **code)
{
krb5_setup();
- retval = asn1_encode_etype_info(buf,rep,&length);
+ retval = asn1_encode_etype_info(buf,rep,&length, 0);
+ if(retval) return retval;
+ sum += length;
+ krb5_cleanup();
+}
+
+krb5_error_code encode_krb5_etype_info2(const krb5_etype_info_entry **rep, krb5_data **code)
+{
+ krb5_setup();
+ retval = asn1_encode_etype_info(buf,rep,&length, 1);
if(retval) return retval;
sum += length;
krb5_cleanup();
}
+
krb5_error_code encode_krb5_enc_data(const krb5_enc_data *rep, krb5_data **code)
{
@@ -822,3 +870,20 @@ krb5_error_code encode_krb5_predicted_sam_response(const krb5_predicted_sam_resp
sum += length;
krb5_cleanup();
}
+
+krb5_error_code encode_krb5_setpw_req(const krb5_principal target,
+ char *password, krb5_data **code)
+{
+ /* Macros really want us to have a variable called rep which we do not need*/
+ const char *rep = "dummy string";
+
+ krb5_setup();
+
+ krb5_addfield(target,2,asn1_encode_realm);
+ krb5_addfield(target,1,asn1_encode_principal_name);
+ krb5_addlenfield(strlen(password), password,0,asn1_encode_octetstring);
+ krb5_makeseq();
+
+
+ krb5_cleanup();
+}
diff --git a/src/lib/krb5/ccache/ChangeLog b/src/lib/krb5/ccache/ChangeLog
index 0b44b4d..18e15ab 100644
--- a/src/lib/krb5/ccache/ChangeLog
+++ b/src/lib/krb5/ccache/ChangeLog
@@ -1,3 +1,212 @@
+2004-05-15 Jeffrey Altman <jaltman@mit.edu>
+
+ * cc_mslsa.c: The FAILED() macro only considered an error
+ to be a failure if the value is negative. ConstructTicketRequest()
+ returns positive errors. Do not use FAILED() to test the result.
+ Fix a potential leak of LSA allocated memory. Fix a leak of
+ LocalAlloc memory.
+
+2004-04-13 Jeffrey Altman <jaltman@mit.edu>
+
+ * ccbase.c:
+ Since we have to reserve all the single letter
+ prefixes make them apply to all platforms
+
+2004-04-13 Jeffrey Altman <jaltman@mit.edu>
+
+ * ccbase.c:
+ On Windows, if there is a ccache name provided without
+ a prefix but which appears to start with a drive letter,
+ treat it as a FILE: ccache instead of failing with a
+ ccache type unknown error.
+
+2004-04-06 Jeffrey Altman <jaltman@mit.edu>
+
+ * cc_mslsa.c:
+ In at least one case on Win2003 it appears that it is possible
+ for the logon session to be authenticated via NTLM and yet for
+ there to be Kerberos credentials obtained by the LSA on behalf
+ of the logged in user. Therefore, we are removing the test
+ for IsKerberosLogon() within krb5_lcc_resolve()
+ which was meant to avoid the need to perform GetMSTGT() when
+ there was no possibility of credentials being found.
+
+2004-03-31 Jeffrey Altman <jaltman@mit.edu>
+
+ * cc_mslsa.c: Add IsWindows2000() function and use it to return
+ errors whenever the MSLSA: ccache type is used on platforms
+ older than Windows 2000. This is needed to prevent calls to
+ the functions loaded from ADVAPI32.DLL and SECUR32.DLL which
+ do not exist on the Windows 9x platforms.
+
+2004-03-18 Jeffrey Altman <jaltman@mit.edu>
+
+ * cc_mslsa.c:
+ Add missing return statements in krb5_lcc_start_seq_get()
+
+ Return error if principal name cannot be determined during
+ krb5_lcc_resolve()
+
+ * cc-int.h:
+ New file - Add prototypes for cc internal functions
+
+ * cc_retr.c - include cc-int.h
+
+2004-02-04 Jeffrey Altman <jaltman@mit.edu>
+
+ * cc_mslsa.c:
+ Remove reference to <ntstatus.h> as it is not present in the August 2001
+ Platform SDK used by Pismere. Instead copy the error value.
+
+2004-02-02 Jeffrey Altman <jaltman@mit.edu>
+
+ * cc_msla.c:
+ GetMSCacheTicketFromCacheInfo() uses the tktinfo->TicketFlags as the
+ value to assign to TicketRequest->TicketFlags. This field is blindly
+ inserted into the kdc-options[0] field of the TGS_REQ. If there are
+ bits such as TRANSIT_POLICY_CHECKED in the TicketFlags, this will result
+ in an unknown TGS_OPTION being processed by the KDC.
+
+ This has been fixed by mapping the Ticket Flags to KDC options.
+ We only map Forwardable, Forwarded, Proxiable, and Renewable. The others
+ should not be used.
+
+2004-02-02 Jeffrey Altman <jaltman@mit.edu>
+
+ * cc_mslsa.c: the MSLSA code was crashing on Pismere machines when
+ logging on with cross realm credentials. On these machines there are
+ 8 tickets within the LSA cache from two different realms. One of the
+ krbtgt/CLIENT-REALM@CLIENT-REALM tickets (not the Initial ticket but
+ a Forwarded ticket) is inaccessible to the ms2mit.exe and leash32.exe
+ processes. The attempt to access the ticket returns a SubStatus code
+ of STATUS_LOGON_FAILURE (0xC000006DL) which is supposed to mean that
+ the logon attempt was invalid due to bad authentication information.
+ kerbtray has no problem listing this ticket. The other seven tickets
+ in the cache including the Initial Ticket are accessible. Modified
+ krb5_lcc_next_cred() to skip to the next ticket if an attempt to read
+ a single ticket fails.
+
+2004-01-31 Jeffrey Altman <jaltman@mit.edu>
+
+ * cc_mslsa.c: Optimize the get next logic by storing a handle to
+ the MS TGT in the lcc_cursor data structure
+
+2004-01-31 Jeffrey Altman <jaltman@mit.edu>
+
+ * cc_mslsa.c: Do not return tickets to the caller if they contain
+ NULL session keys. This is to prevent useless TGTs from being
+ placed into the MIT credential cache.
+
+2004-01-30 Jeffrey Altman <jaltman@mit.edu>
+
+ * cc_mslsa.c: As per extensive conversations with Doug Engert we have
+ concluded that MS is not specifying a complete set of domain information
+ when it comes to service tickets other than the initial TGT. What happens
+ is the client principal domain cannot be derived from the fields they
+ export. Code has now been added to obtain the domain from the initial
+ TGT and use that when constructing the client principals for all tickets.
+
+ This behavior can be turned off by setting a registry either on a per-user
+ or a system-wide basis:
+
+ {HKCU,HKLM}\Software\MIT\Kerberos5
+ PreserveInitialTicketIdentity = 0x0 (DWORD)
+
+
+2004-01-06 Jeffrey Altman <jaltman@mit.edu>
+
+ * cc_file.c, cc_memory.c:
+ Add stub implementations for unimplemented krb5_cc_remove_cred()
+ Returns KRB5_CC_NOSUPP
+
+ * cc_mslsa.c:
+ Add implementation for krb5_cc_remove_cred(). Returns KRB5_CC_READONLY.
+
+2003-12-18 Jeffrey Altman <jaltman@mit.edu>
+
+ * cc_retr.c: Extract the test to determine if a credential matches
+ a requested credential according to the specified fields into
+ a private function: krb5int_cc_creds_match_request()
+
+ * cc_mslsa.c: Extend the functionality of krb5_lcc_retrieve() to
+ perform a MS Kerberos LSA ticket request if there is no matching
+ credential in the cache. The MS Kerberos LSA places the following
+ restriction on what tickets it will place into the LSA cache:
+ tickets obtained by an application request for a specific
+ set of kerberos flags or enctype will not be cached.
+ Therefore, we first make a request with no flags or enctype in
+ the hope that we will be lucky and get the right ones anyway.
+ If not, we make the application's request and return that ticket
+ if it matches the other criteria.
+
+ Implemented a similar technique for krb5_lcc_store(). Since we
+ can not write to the cache, when a store request is made we
+ instead perform a ticket request through the lsa for a matching
+ credential. If we receive one, we return success. Otherwise,
+ we return the KRB5_CC_READONLY error.
+
+ With these changes I am now able to operate entirely with the MSLSA
+ ccache as the default cache provided the MS LSA credentials are
+ for the principal I wish to use. Obviously, one cannot change
+ principals while the MSLSA ccache is the default.
+
+2003-12-15 Jeffrey Altman <jaltman@mit.edu>
+
+ * cc_msla.c: Enable purging of the MS Kerberos LSA cache when the TGT
+ has expired. This will force the LSA to get a new TGT instead of
+ returning the expired version.
+
+2003-12-15 Jeffrey Altman <jaltman@mit.edu>
+
+ * cc_mslsa.c: Perform a GetMSTGT() call as part of krb5_lcc_start_seq_get
+ to ensure that the tgt is refreshed
+
+2003-12-13 Jeffrey Altman <jaltman@mit.edu>
+
+ * Makefile.in: Remove extranenous spaces in ##WIN32## constructs
+ defining MSLSA_SRC MSLSA_OBJ
+
+2003-12-12 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in: Move ##WIN32## constructs from inside
+ backslash-continued lists, as it was breaking them. Move explicit
+ dependency information from under automatic dependencies.
+
+2003-12-11 Jeffrey Altman <jaltman@mit.edu>
+
+ * Makefile.in, ccbase.c, cc_mslsa.c (new)
+
+ Remove all of the code which was duplicated between ms2mit.c
+ and the KfW Leash libraries (and who knows how many applications
+ shipped by third parties) and use it as the basis for a new
+ krb5_ccache type, "MSLSA:". The "MSLSA:" ccache type is a
+ read-only ccache which can be used either as a monitor of the
+ contents of the Microsoft LSA cache or as a source for copying
+ the contents to another ccache type. The purpose of migrating
+ this code to the krb5_32.dll is to avoid the need for applications
+ to be consistently updated each time Microsoft makes a change
+ to the behavior of the LSA cache. Changes have occurred with
+ the release of 2000, XP, and 2003 so far. Also, the code for
+ working with the MS LSA cache is not well documented and many
+ mistakes were made in the original versions of the ms2mit.c
+ code base. Unfortunately, the ms2mit.c code has been copied
+ into many other applications.
+
+ With access to this new ccache type, the ms2mit.c source file
+ is reduced from 890 lines to 80 lines including the copyright
+ banner.
+
+2003-11-26 Jeffrey Altman <jaltman@mit.edu>
+
+ * cc_default.c: Add support for Leash Kinit Dialog on Windows to
+ krb5int_c_default()
+
+2003-07-22 Sam Hartman <hartmans@mit.edu>
+
+ * ccbase.c: Always register the file credentials cache type. If
+ we do not, then when USE_CCAPI is defined, it will not be
+ available.
+
2003-03-06 Alexandra Ellwood <lxs@mit.edu>
* ccdefault.c: Remove Mac header goober and include
diff --git a/src/lib/krb5/ccache/Makefile.in b/src/lib/krb5/ccache/Makefile.in
index bbf61be..01e6544 100644
--- a/src/lib/krb5/ccache/Makefile.in
+++ b/src/lib/krb5/ccache/Makefile.in
@@ -17,6 +17,9 @@ LOCALINCLUDES = -I$(srcdir)$(S)ccapi $(WIN_INCLUDES)
##DOS##OBJFILE=..\$(OUTPRE)$(PREFIXDIR).lst
##WIN16##LIBNAME=..\krb5.lib
+##WIN32##MSLSA_OBJ = $(OUTPRE)cc_mslsa.$(OBJEXT)
+##WIN32##MSLSA_SRC = $(srcdir)/cc_mslsa.c
+
MAC_SUBDIRS = ccapi
STLIBOBJS= \
@@ -37,7 +40,7 @@ OBJS= $(OUTPRE)ccbase.$(OBJEXT) \
$(OUTPRE)cc_file.$(OBJEXT) \
$(OUTPRE)cc_memory.$(OBJEXT) \
$(OUTPRE)ccfns.$(OBJEXT) \
- $(OUTPRE)ser_cc.$(OBJEXT)
+ $(OUTPRE)ser_cc.$(OBJEXT) $(MSLSA_OBJ)
SRCS= $(srcdir)/ccbase.c \
$(srcdir)/cccopy.c \
@@ -47,7 +50,7 @@ SRCS= $(srcdir)/ccbase.c \
$(srcdir)/cc_file.c \
$(srcdir)/cc_memory.c \
$(srcdir)/ccfns.c \
- $(srcdir)/ser_cc.c
+ $(srcdir)/ser_cc.c $(MSLSA_SRC)
##DOS##OBJS=$(OBJS) $(OUTPRE)ccfns.$(OBJEXT)
@@ -97,7 +100,7 @@ check-unix:: t_cc
clean-unix::
$(RM) t_cc t_cc.o
-
+##WIN32## $(OUTPRE)cc_mslsa.$(OBJEXT): cc_mslsa.c $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS)
# @libobj_frag@
@@ -108,47 +111,49 @@ clean-unix::
#
ccbase.so ccbase.po $(OUTPRE)ccbase.$(OBJEXT): ccbase.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ fcc.h
cccopy.so cccopy.po $(OUTPRE)cccopy.$(OBJEXT): cccopy.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
ccdefault.so ccdefault.po $(OUTPRE)ccdefault.$(OBJEXT): ccdefault.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
ccdefops.so ccdefops.po $(OUTPRE)ccdefops.$(OBJEXT): ccdefops.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h fcc.h
+ fcc.h
cc_retr.so cc_retr.po $(OUTPRE)cc_retr.$(OBJEXT): cc_retr.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
cc_file.so cc_file.po $(OUTPRE)cc_file.$(OBJEXT): cc_file.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
cc_memory.so cc_memory.po $(OUTPRE)cc_memory.$(OBJEXT): cc_memory.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
ccfns.so ccfns.po $(OUTPRE)ccfns.$(OBJEXT): ccfns.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
ser_cc.so ser_cc.po $(OUTPRE)ser_cc.$(OBJEXT): ser_cc.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
diff --git a/src/lib/krb5/ccache/cc-int.h b/src/lib/krb5/ccache/cc-int.h
new file mode 100644
index 0000000..48ee4fb
--- /dev/null
+++ b/src/lib/krb5/ccache/cc-int.h
@@ -0,0 +1,39 @@
+/*
+ * lib/krb5/ccache/file/cc-int.h
+ *
+ * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * This file contains constant and function declarations used in the
+ * file-based credential cache routines.
+ */
+
+#ifndef __KRB5_CCACHE_H__
+#define __KRB5_CCACHE_H__
+
+#include "k5-int.h"
+
+krb5_boolean
+krb5int_cc_creds_match_request(krb5_context, krb5_flags whichfields, krb5_creds *mcreds, krb5_creds *creds);
+
+#endif /* __KRB5_CCACHE_H__ */
diff --git a/src/lib/krb5/ccache/cc_file.c b/src/lib/krb5/ccache/cc_file.c
index eb051c1..dff3038 100644
--- a/src/lib/krb5/ccache/cc_file.c
+++ b/src/lib/krb5/ccache/cc_file.c
@@ -2305,6 +2305,18 @@ lose:
#undef TCHECK
}
+/*
+ * Non-functional stub implementation for krb5_fcc_remove
+ *
+ * Errors:
+ * KRB5_CC_NOSUPP - not implemented
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_fcc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags,
+ krb5_creds *creds)
+{
+ return KRB5_CC_NOSUPP;
+}
/*
* Requires:
@@ -2413,7 +2425,7 @@ const krb5_cc_ops krb5_fcc_ops = {
krb5_fcc_start_seq_get,
krb5_fcc_next_cred,
krb5_fcc_end_seq_get,
- NULL, /* XXX krb5_fcc_remove, */
+ krb5_fcc_remove_cred,
krb5_fcc_set_flags,
};
@@ -2473,6 +2485,6 @@ const krb5_cc_ops krb5_cc_file_ops = {
krb5_fcc_start_seq_get,
krb5_fcc_next_cred,
krb5_fcc_end_seq_get,
- NULL, /* XXX krb5_fcc_remove, */
+ krb5_fcc_remove_cred,
krb5_fcc_set_flags,
};
diff --git a/src/lib/krb5/ccache/cc_memory.c b/src/lib/krb5/ccache/cc_memory.c
index 97ec327..c3aeb1e 100644
--- a/src/lib/krb5/ccache/cc_memory.c
+++ b/src/lib/krb5/ccache/cc_memory.c
@@ -519,6 +519,20 @@ krb5_mcc_store(krb5_context context, krb5_ccache id, krb5_creds *creds)
return ret;
}
+/*
+ * Non-functional stub implementation for krb5_mcc_remove
+ *
+ * Errors:
+ * KRB5_CC_NOSUPP - not implemented
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_mcc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags,
+ krb5_creds *creds)
+{
+ return KRB5_CC_NOSUPP;
+}
+
+
/*
* Requires:
* id is a cred cache returned by krb5_mcc_resolve or
@@ -553,6 +567,6 @@ const krb5_cc_ops krb5_mcc_ops = {
krb5_mcc_start_seq_get,
krb5_mcc_next_cred,
krb5_mcc_end_seq_get,
- NULL, /* XXX krb5_mcc_remove, */
+ krb5_mcc_remove_cred,
krb5_mcc_set_flags,
};
diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c
new file mode 100644
index 0000000..93a938d
--- /dev/null
+++ b/src/lib/krb5/ccache/cc_mslsa.c
@@ -0,0 +1,1621 @@
+/*
+ * lib/krb5/ccache/cc_mslsa.c
+ *
+ * Copyright 2003 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * Copyright 2000 by Carnegie Mellon University
+ *
+ * All Rights Reserved
+ *
+ * Permission to use, copy, modify, and distribute this software and its
+ * documentation for any purpose and without fee is hereby granted,
+ * provided that the above copyright notice appear in all copies and that
+ * both that copyright notice and this permission notice appear in
+ * supporting documentation, and that the name of Carnegie Mellon
+ * University not be used in advertising or publicity pertaining to
+ * distribution of the software without specific, written prior
+ * permission.
+ *
+ * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO
+ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+ * FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR
+ * ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Implementation of read-only microsoft windows lsa credentials cache
+ */
+
+#ifdef _WIN32
+#define UNICODE
+#define _UNICODE
+
+#include "k5-int.h"
+#include "com_err.h"
+#include "cc-int.h"
+
+#include <stdio.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <conio.h>
+#include <time.h>
+#define SECURITY_WIN32
+#include <security.h>
+#include <ntsecapi.h>
+
+#define MAX_MSG_SIZE 256
+#define MAX_MSPRINC_SIZE 1024
+
+static BOOL IsWindows2000 (void)
+{
+ static BOOL fChecked = FALSE;
+ static BOOL fIsWin2K = FALSE;
+
+ if (!fChecked)
+ {
+ OSVERSIONINFO Version;
+ fChecked = TRUE;
+
+ memset (&Version, 0x00, sizeof(Version));
+ Version.dwOSVersionInfoSize = sizeof(Version);
+
+ if (GetVersionEx (&Version))
+ {
+ if (Version.dwPlatformId == VER_PLATFORM_WIN32_NT &&
+ Version.dwMajorVersion >= 5)
+ fIsWin2K = TRUE;
+ }
+ }
+
+ return fIsWin2K;
+}
+
+static VOID
+ShowWinError(LPSTR szAPI, DWORD dwError)
+{
+
+ // TODO - Write errors to event log so that scripts that don't
+ // check for errors will still get something in the event log
+
+ WCHAR szMsgBuf[MAX_MSG_SIZE];
+ DWORD dwRes;
+
+ printf("Error calling function %s: %lu\n", szAPI, dwError);
+
+ dwRes = FormatMessage (
+ FORMAT_MESSAGE_FROM_SYSTEM,
+ NULL,
+ dwError,
+ MAKELANGID (LANG_ENGLISH, SUBLANG_ENGLISH_US),
+ szMsgBuf,
+ MAX_MSG_SIZE,
+ NULL);
+ if (0 == dwRes) {
+ printf("FormatMessage failed with %d\n", GetLastError());
+ ExitProcess(EXIT_FAILURE);
+ }
+
+ printf("%S",szMsgBuf);
+}
+
+static VOID
+ShowLsaError(LPSTR szAPI, NTSTATUS Status)
+{
+ //
+ // Convert the NTSTATUS to Winerror. Then call ShowWinError().
+ //
+ ShowWinError(szAPI, LsaNtStatusToWinError(Status));
+}
+
+
+
+static BOOL
+WINAPI
+UnicodeToANSI(LPTSTR lpInputString, LPSTR lpszOutputString, int nOutStringLen)
+{
+ CPINFO CodePageInfo;
+
+ GetCPInfo(CP_ACP, &CodePageInfo);
+
+ if (CodePageInfo.MaxCharSize > 1)
+ // Only supporting non-Unicode strings
+ return FALSE;
+ else if (((LPBYTE) lpInputString)[1] == '\0')
+ {
+ // Looks like unicode, better translate it
+ WideCharToMultiByte(CP_ACP, 0, (LPCWSTR) lpInputString, -1,
+ lpszOutputString, nOutStringLen, NULL, NULL);
+ }
+ else
+ lstrcpyA(lpszOutputString, (LPSTR) lpInputString);
+ return TRUE;
+} // UnicodeToANSI
+
+static VOID
+WINAPI
+ANSIToUnicode(LPSTR lpInputString, LPTSTR lpszOutputString, int nOutStringLen)
+{
+
+ CPINFO CodePageInfo;
+
+ lstrcpy(lpszOutputString, (LPTSTR) lpInputString);
+
+ GetCPInfo(CP_ACP, &CodePageInfo);
+
+ if (CodePageInfo.MaxCharSize > 1)
+ // It must already be a Unicode string
+ return;
+ else if (((LPBYTE) lpInputString)[1] != '\0')
+ {
+ // Looks like ANSI, better translate it
+ MultiByteToWideChar(CP_ACP, 0, (LPCSTR) lpInputString, -1,
+ (LPWSTR) lpszOutputString, nOutStringLen);
+ }
+ else
+ lstrcpy(lpszOutputString, (LPTSTR) lpInputString);
+} // ANSIToUnicode
+
+
+static void
+MITPrincToMSPrinc(krb5_context context, krb5_principal principal, UNICODE_STRING * msprinc)
+{
+ char *aname = NULL;
+
+ if (!krb5_unparse_name(context, principal, &aname)) {
+ msprinc->Length = strlen(aname) * sizeof(WCHAR);
+ ANSIToUnicode(aname, msprinc->Buffer, msprinc->MaximumLength);
+ krb5_free_unparsed_name(context,aname);
+ }
+}
+
+static void
+MSPrincToMITPrinc(KERB_EXTERNAL_NAME *msprinc, WCHAR *realm, krb5_context context, krb5_principal *principal)
+{
+ WCHAR princbuf[512],tmpbuf[128];
+ char aname[512];
+ USHORT i;
+ princbuf[0]=0;
+ for (i=0;i<msprinc->NameCount;i++) {
+ wcsncpy(tmpbuf, msprinc->Names[i].Buffer,
+ msprinc->Names[i].Length/sizeof(WCHAR));
+ tmpbuf[msprinc->Names[i].Length/sizeof(WCHAR)]=0;
+ if (princbuf[0])
+ wcscat(princbuf, L"/");
+ wcscat(princbuf, tmpbuf);
+ }
+ wcscat(princbuf, L"@");
+ wcscat(princbuf, realm);
+ UnicodeToANSI(princbuf, aname, sizeof(aname));
+ krb5_parse_name(context, aname, principal);
+}
+
+
+static time_t
+FileTimeToUnixTime(LARGE_INTEGER *ltime)
+{
+ FILETIME filetime, localfiletime;
+ SYSTEMTIME systime;
+ struct tm utime;
+ filetime.dwLowDateTime=ltime->LowPart;
+ filetime.dwHighDateTime=ltime->HighPart;
+ FileTimeToLocalFileTime(&filetime, &localfiletime);
+ FileTimeToSystemTime(&localfiletime, &systime);
+ utime.tm_sec=systime.wSecond;
+ utime.tm_min=systime.wMinute;
+ utime.tm_hour=systime.wHour;
+ utime.tm_mday=systime.wDay;
+ utime.tm_mon=systime.wMonth-1;
+ utime.tm_year=systime.wYear-1900;
+ utime.tm_isdst=-1;
+ return(mktime(&utime));
+}
+
+static void
+MSSessionKeyToMITKeyblock(KERB_CRYPTO_KEY *mskey, krb5_context context, krb5_keyblock *keyblock)
+{
+ krb5_keyblock tmpblock;
+ tmpblock.magic=KV5M_KEYBLOCK;
+ tmpblock.enctype=mskey->KeyType;
+ tmpblock.length=mskey->Length;
+ tmpblock.contents=mskey->Value;
+ krb5_copy_keyblock_contents(context, &tmpblock, keyblock);
+}
+
+
+static void
+MSFlagsToMITFlags(ULONG msflags, ULONG *mitflags)
+{
+ *mitflags=msflags;
+}
+
+static void
+MSTicketToMITTicket(KERB_EXTERNAL_TICKET *msticket, krb5_context context, krb5_data *ticket)
+{
+ krb5_data tmpdata, *newdata;
+ tmpdata.magic=KV5M_DATA;
+ tmpdata.length=msticket->EncodedTicketSize;
+ tmpdata.data=msticket->EncodedTicket;
+
+ // TODO: fix this up a little. this is ugly and will break krb5_free_data()
+ krb5_copy_data(context, &tmpdata, &newdata);
+ memcpy(ticket, newdata, sizeof(krb5_data));
+}
+
+/*
+ * PreserveInitialTicketIdentity()
+ *
+ * This will find the "PreserveInitialTicketIdentity" key in the registry.
+ * Returns 1 to preserve and 0 to not.
+ */
+
+static DWORD
+PreserveInitialTicketIdentity(void)
+{
+ HKEY hKey;
+ DWORD size = sizeof(DWORD);
+ DWORD type = REG_DWORD;
+ const char *key_path = "Software\\MIT\\Kerberos5";
+ const char *value_name = "PreserveInitialTicketIdentity";
+ DWORD retval = 1; /* default to Preserve */
+
+ if (RegOpenKeyExA(HKEY_CURRENT_USER, key_path, 0, KEY_QUERY_VALUE, &hKey) != ERROR_SUCCESS)
+ goto syskey;
+ if (RegQueryValueExA(hKey, value_name, 0, &type, (LPBYTE)&retval, &size) != ERROR_SUCCESS)
+ {
+ RegCloseKey(hKey);
+ goto syskey;
+ }
+ RegCloseKey(hKey);
+ goto done;
+
+ syskey:
+ if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, key_path, 0, KEY_QUERY_VALUE, &hKey) != ERROR_SUCCESS)
+ goto done;
+ if (RegQueryValueExA(hKey, value_name, 0, &type, (LPBYTE)&retval, &size) != ERROR_SUCCESS)
+ {
+ RegCloseKey(hKey);
+ goto done;
+ }
+ RegCloseKey(hKey);
+
+ done:
+ return retval;
+}
+
+
+static void
+MSCredToMITCred(KERB_EXTERNAL_TICKET *msticket, UNICODE_STRING InitialTicketDomain,
+ krb5_context context, krb5_creds *creds)
+{
+ WCHAR wrealm[128];
+ ZeroMemory(creds, sizeof(krb5_creds));
+ creds->magic=KV5M_CREDS;
+
+ // construct Client Principal
+ if ( PreserveInitialTicketIdentity() ) {
+ wcsncpy(wrealm, InitialTicketDomain.Buffer, InitialTicketDomain.Length/sizeof(WCHAR));
+ wrealm[InitialTicketDomain.Length/sizeof(WCHAR)]=0;
+ } else {
+ wcsncpy(wrealm, msticket->DomainName.Buffer, msticket->DomainName.Length/sizeof(WCHAR));
+ wrealm[msticket->DomainName.Length/sizeof(WCHAR)]=0;
+ }
+ MSPrincToMITPrinc(msticket->ClientName, wrealm, context, &creds->client);
+
+ // construct Service Principal
+ wcsncpy(wrealm, msticket->DomainName.Buffer,
+ msticket->DomainName.Length/sizeof(WCHAR));
+ wrealm[msticket->DomainName.Length/sizeof(WCHAR)]=0;
+ MSPrincToMITPrinc(msticket->ServiceName, wrealm, context, &creds->server);
+
+ MSSessionKeyToMITKeyblock(&msticket->SessionKey, context,
+ &creds->keyblock);
+ MSFlagsToMITFlags(msticket->TicketFlags, &creds->ticket_flags);
+ creds->times.starttime=FileTimeToUnixTime(&msticket->StartTime);
+ creds->times.endtime=FileTimeToUnixTime(&msticket->EndTime);
+ creds->times.renew_till=FileTimeToUnixTime(&msticket->RenewUntil);
+
+ /* MS Tickets are addressless. MIT requires an empty address
+ * not a NULL list of addresses.
+ */
+ creds->addresses = (krb5_address **)malloc(sizeof(krb5_address *));
+ memset(creds->addresses, 0, sizeof(krb5_address *));
+
+ MSTicketToMITTicket(msticket, context, &creds->ticket);
+}
+
+static BOOL
+PackageConnectLookup(HANDLE *pLogonHandle, ULONG *pPackageId)
+{
+ LSA_STRING Name;
+ NTSTATUS Status;
+
+ Status = LsaConnectUntrusted(
+ pLogonHandle
+ );
+
+ if (FAILED(Status))
+ {
+ ShowLsaError("LsaConnectUntrusted", Status);
+ return FALSE;
+ }
+
+ Name.Buffer = MICROSOFT_KERBEROS_NAME_A;
+ Name.Length = strlen(Name.Buffer);
+ Name.MaximumLength = Name.Length + 1;
+
+ Status = LsaLookupAuthenticationPackage(
+ *pLogonHandle,
+ &Name,
+ pPackageId
+ );
+
+ if (FAILED(Status))
+ {
+ ShowLsaError("LsaLookupAuthenticationPackage", Status);
+ return FALSE;
+ }
+
+ return TRUE;
+
+}
+
+
+static DWORD
+ConcatenateUnicodeStrings(UNICODE_STRING *pTarget, UNICODE_STRING Source1, UNICODE_STRING Source2)
+{
+ //
+ // The buffers for Source1 and Source2 cannot overlap pTarget's
+ // buffer. Source1.Length + Source2.Length must be <= 0xFFFF,
+ // otherwise we overflow...
+ //
+
+ USHORT TotalSize = Source1.Length + Source2.Length;
+ PBYTE buffer = (PBYTE) pTarget->Buffer;
+
+ if (TotalSize > pTarget->MaximumLength)
+ return ERROR_INSUFFICIENT_BUFFER;
+
+ if ( pTarget->Buffer != Source1.Buffer )
+ memcpy(buffer, Source1.Buffer, Source1.Length);
+ memcpy(buffer + Source1.Length, Source2.Buffer, Source2.Length);
+
+ pTarget->Length = TotalSize;
+ return ERROR_SUCCESS;
+}
+
+static BOOL
+get_STRING_from_registry(HKEY hBaseKey, char * key, char * value, char * outbuf, DWORD outlen)
+{
+ HKEY hKey;
+ DWORD dwCount;
+ LONG rc;
+
+ if (!outbuf || outlen == 0)
+ return FALSE;
+
+ rc = RegOpenKeyExA(hBaseKey, key, 0, KEY_QUERY_VALUE, &hKey);
+ if (rc)
+ return FALSE;
+
+ dwCount = outlen;
+ rc = RegQueryValueExA(hKey, value, 0, 0, (LPBYTE) outbuf, &dwCount);
+ RegCloseKey(hKey);
+
+ return rc?FALSE:TRUE;
+}
+
+static BOOL
+GetSecurityLogonSessionData(PSECURITY_LOGON_SESSION_DATA * ppSessionData)
+{
+ NTSTATUS Status = 0;
+ HANDLE TokenHandle;
+ TOKEN_STATISTICS Stats;
+ DWORD ReqLen;
+ BOOL Success;
+
+ if (!ppSessionData)
+ return FALSE;
+ *ppSessionData = NULL;
+
+ Success = OpenProcessToken( GetCurrentProcess(), TOKEN_QUERY, &TokenHandle );
+ if ( !Success )
+ return FALSE;
+
+ Success = GetTokenInformation( TokenHandle, TokenStatistics, &Stats, sizeof(TOKEN_STATISTICS), &ReqLen );
+ CloseHandle( TokenHandle );
+ if ( !Success )
+ return FALSE;
+
+ Status = LsaGetLogonSessionData( &Stats.AuthenticationId, ppSessionData );
+ if ( FAILED(Status) || !ppSessionData )
+ return FALSE;
+
+ return TRUE;
+}
+
+//
+// IsKerberosLogon() does not validate whether or not there are valid tickets in the
+// cache. It validates whether or not it is reasonable to assume that if we
+// attempted to retrieve valid tickets we could do so. Microsoft does not
+// automatically renew expired tickets. Therefore, the cache could contain
+// expired or invalid tickets. Microsoft also caches the user's password
+// and will use it to retrieve new TGTs if the cache is empty and tickets
+// are requested.
+
+static BOOL
+IsKerberosLogon(VOID)
+{
+ PSECURITY_LOGON_SESSION_DATA pSessionData = NULL;
+ BOOL Success = FALSE;
+
+ if ( GetSecurityLogonSessionData(&pSessionData) ) {
+ if ( pSessionData->AuthenticationPackage.Buffer ) {
+ WCHAR buffer[256];
+ WCHAR *usBuffer;
+ int usLength;
+
+ Success = FALSE;
+ usBuffer = (pSessionData->AuthenticationPackage).Buffer;
+ usLength = (pSessionData->AuthenticationPackage).Length;
+ if (usLength < 256)
+ {
+ lstrcpyn (buffer, usBuffer, usLength);
+ lstrcat (buffer,L"");
+ if ( !lstrcmp(L"Kerberos",buffer) )
+ Success = TRUE;
+ }
+ }
+ LsaFreeReturnBuffer(pSessionData);
+ }
+ return Success;
+}
+
+static DWORD
+ConstructTicketRequest(UNICODE_STRING DomainName, PKERB_RETRIEVE_TKT_REQUEST * outRequest, ULONG * outSize)
+{
+ DWORD Error;
+ UNICODE_STRING TargetPrefix;
+ USHORT TargetSize;
+ ULONG RequestSize;
+ PKERB_RETRIEVE_TKT_REQUEST pTicketRequest = NULL;
+
+ *outRequest = NULL;
+ *outSize = 0;
+
+ //
+ // Set up the "krbtgt/" target prefix into a UNICODE_STRING so we
+ // can easily concatenate it later.
+ //
+
+ TargetPrefix.Buffer = L"krbtgt/";
+ TargetPrefix.Length = wcslen(TargetPrefix.Buffer) * sizeof(WCHAR);
+ TargetPrefix.MaximumLength = TargetPrefix.Length;
+
+ //
+ // We will need to concatenate the "krbtgt/" prefix and the
+ // Logon Session's DnsDomainName into our request's target name.
+ //
+ // Therefore, first compute the necessary buffer size for that.
+ //
+ // Note that we might theoretically have integer overflow.
+ //
+
+ TargetSize = TargetPrefix.Length + DomainName.Length;
+
+ //
+ // The ticket request buffer needs to be a single buffer. That buffer
+ // needs to include the buffer for the target name.
+ //
+
+ RequestSize = sizeof(*pTicketRequest) + TargetSize;
+
+ //
+ // Allocate the request buffer and make sure it's zero-filled.
+ //
+
+ pTicketRequest = (PKERB_RETRIEVE_TKT_REQUEST) LocalAlloc(LMEM_ZEROINIT, RequestSize);
+ if (!pTicketRequest)
+ return GetLastError();
+
+ //
+ // Concatenate the target prefix with the previous reponse's
+ // target domain.
+ //
+
+ pTicketRequest->TargetName.Length = 0;
+ pTicketRequest->TargetName.MaximumLength = TargetSize;
+ pTicketRequest->TargetName.Buffer = (PWSTR) (pTicketRequest + 1);
+ Error = ConcatenateUnicodeStrings(&(pTicketRequest->TargetName),
+ TargetPrefix,
+ DomainName);
+ *outRequest = pTicketRequest;
+ *outSize = RequestSize;
+ return Error;
+}
+
+static BOOL
+PurgeMSTGT(HANDLE LogonHandle, ULONG PackageId)
+{
+ NTSTATUS Status = 0;
+ NTSTATUS SubStatus = 0;
+ KERB_PURGE_TKT_CACHE_REQUEST PurgeRequest;
+
+ PurgeRequest.MessageType = KerbPurgeTicketCacheMessage;
+ PurgeRequest.LogonId.LowPart = 0;
+ PurgeRequest.LogonId.HighPart = 0;
+ PurgeRequest.ServerName.Buffer = L"";
+ PurgeRequest.ServerName.Length = 0;
+ PurgeRequest.ServerName.MaximumLength = 0;
+ PurgeRequest.RealmName.Buffer = L"";
+ PurgeRequest.RealmName.Length = 0;
+ PurgeRequest.RealmName.MaximumLength = 0;
+ Status = LsaCallAuthenticationPackage(LogonHandle,
+ PackageId,
+ &PurgeRequest,
+ sizeof(PurgeRequest),
+ NULL,
+ NULL,
+ &SubStatus
+ );
+ if (FAILED(Status) || FAILED(SubStatus))
+ return FALSE;
+ return TRUE;
+}
+
+#define ENABLE_PURGING 1
+// to allow the purging of expired tickets from LSA cache. This is necessary
+// to force the retrieval of new TGTs. Microsoft does not appear to retrieve
+// new tickets when they expire. Instead they continue to accept the expired
+// tickets. This is safe to do because the LSA purges its cache when it
+// retrieves a new TGT (ms calls this renew) but not when it renews the TGT
+// (ms calls this refresh).
+
+static BOOL
+GetMSTGT(HANDLE LogonHandle, ULONG PackageId,KERB_EXTERNAL_TICKET **ticket)
+{
+ //
+ // INVARIANTS:
+ //
+ // (FAILED(Status) || FAILED(SubStatus)) ==> error
+ // bIsLsaError ==> LsaCallAuthenticationPackage() error
+ //
+
+ BOOL bIsLsaError = FALSE;
+ NTSTATUS Status = 0;
+ NTSTATUS SubStatus = 0;
+ DWORD Error;
+
+ KERB_QUERY_TKT_CACHE_REQUEST CacheRequest;
+ PKERB_RETRIEVE_TKT_REQUEST pTicketRequest;
+ PKERB_RETRIEVE_TKT_RESPONSE pTicketResponse = NULL;
+ ULONG RequestSize;
+ ULONG ResponseSize;
+#ifdef ENABLE_PURGING
+ int purge_cache = 0;
+#endif /* ENABLE_PURGING */
+ int ignore_cache = 0;
+
+ CacheRequest.MessageType = KerbRetrieveTicketMessage;
+ CacheRequest.LogonId.LowPart = 0;
+ CacheRequest.LogonId.HighPart = 0;
+
+ Status = LsaCallAuthenticationPackage(
+ LogonHandle,
+ PackageId,
+ &CacheRequest,
+ sizeof(CacheRequest),
+ &pTicketResponse,
+ &ResponseSize,
+ &SubStatus
+ );
+
+ if (FAILED(Status))
+ {
+ // if the call to LsaCallAuthenticationPackage failed we cannot
+ // perform any queries most likely because the Kerberos package
+ // is not available or we do not have access
+ bIsLsaError = TRUE;
+ goto cleanup;
+ }
+
+ if (FAILED(SubStatus)) {
+ PSECURITY_LOGON_SESSION_DATA pSessionData = NULL;
+ BOOL Success = FALSE;
+ OSVERSIONINFOEX verinfo;
+ int supported = 0;
+
+ // SubStatus 0x8009030E is not documented. However, it appears
+ // to mean there is no TGT
+ if (SubStatus != 0x8009030E) {
+ bIsLsaError = TRUE;
+ goto cleanup;
+ }
+
+ verinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
+ GetVersionEx((OSVERSIONINFO *)&verinfo);
+ supported = (verinfo.dwMajorVersion > 5) ||
+ (verinfo.dwMajorVersion == 5 && verinfo.dwMinorVersion >= 1);
+
+ // If we could not get a TGT from the cache we won't know what the
+ // Kerberos Domain should have been. On Windows XP and 2003 Server
+ // we can extract it from the Security Logon Session Data. However,
+ // the required fields are not supported on Windows 2000. :(
+ if ( supported && GetSecurityLogonSessionData(&pSessionData) ) {
+ if ( pSessionData->DnsDomainName.Buffer ) {
+ Error = ConstructTicketRequest(pSessionData->DnsDomainName,
+ &pTicketRequest, &RequestSize);
+ LsaFreeReturnBuffer(pSessionData);
+ if ( Error )
+ goto cleanup;
+ } else {
+ LsaFreeReturnBuffer(pSessionData);
+ bIsLsaError = TRUE;
+ goto cleanup;
+ }
+ } else {
+ CHAR UserDnsDomain[256];
+ WCHAR UnicodeUserDnsDomain[256];
+ UNICODE_STRING wrapper;
+ if ( !get_STRING_from_registry(HKEY_CURRENT_USER,
+ "Volatile Environment",
+ "USERDNSDOMAIN",
+ UserDnsDomain,
+ sizeof(UserDnsDomain)
+ ) )
+ {
+ goto cleanup;
+ }
+
+ ANSIToUnicode(UserDnsDomain,UnicodeUserDnsDomain,256);
+ wrapper.Buffer = UnicodeUserDnsDomain;
+ wrapper.Length = wcslen(UnicodeUserDnsDomain) * sizeof(WCHAR);
+ wrapper.MaximumLength = 256;
+
+ Error = ConstructTicketRequest(wrapper,
+ &pTicketRequest, &RequestSize);
+ if ( Error )
+ goto cleanup;
+ }
+ } else {
+#ifdef PURGE_ALL
+ purge_cache = 1;
+#else
+ switch (pTicketResponse->Ticket.SessionKey.KeyType) {
+ case KERB_ETYPE_DES_CBC_CRC:
+ case KERB_ETYPE_DES_CBC_MD4:
+ case KERB_ETYPE_DES_CBC_MD5:
+ case KERB_ETYPE_NULL:
+ case KERB_ETYPE_RC4_HMAC_NT: {
+ FILETIME Now, MinLife, EndTime, LocalEndTime;
+ __int64 temp;
+ // FILETIME is in units of 100 nano-seconds
+ // If obtained tickets are either expired or have a lifetime
+ // less than 20 minutes, retry ...
+ GetSystemTimeAsFileTime(&Now);
+ EndTime.dwLowDateTime=pTicketResponse->Ticket.EndTime.LowPart;
+ EndTime.dwHighDateTime=pTicketResponse->Ticket.EndTime.HighPart;
+ FileTimeToLocalFileTime(&EndTime, &LocalEndTime);
+ temp = Now.dwHighDateTime;
+ temp <<= 32;
+ temp = Now.dwLowDateTime;
+ temp += 1200 * 10000;
+ MinLife.dwHighDateTime = (DWORD)((temp >> 32) & 0xFFFFFFFF);
+ MinLife.dwLowDateTime = (DWORD)(temp & 0xFFFFFFFF);
+ if (CompareFileTime(&MinLife, &LocalEndTime) >= 0) {
+#ifdef ENABLE_PURGING
+ purge_cache = 1;
+#else
+ ignore_cache = 1;
+#endif /* ENABLE_PURGING */
+ break;
+ }
+ if (pTicketResponse->Ticket.TicketFlags & KERB_TICKET_FLAGS_invalid) {
+ ignore_cache = 1;
+ break; // invalid, need to attempt a TGT request
+ }
+ goto cleanup; // all done
+ }
+ case KERB_ETYPE_RC4_MD4:
+ default:
+ // not supported
+ ignore_cache = 1;
+ break;
+ }
+#endif /* PURGE_ALL */
+
+ Error = ConstructTicketRequest(pTicketResponse->Ticket.TargetDomainName,
+ &pTicketRequest, &RequestSize);
+ if ( Error ) {
+ goto cleanup;
+ }
+
+ //
+ // Free the previous response buffer so we can get the new response.
+ //
+
+ if ( pTicketResponse ) {
+ memset(pTicketResponse,0,sizeof(KERB_RETRIEVE_TKT_RESPONSE));
+ LsaFreeReturnBuffer(pTicketResponse);
+ pTicketResponse = NULL;
+ }
+
+#ifdef ENABLE_PURGING
+ if ( purge_cache ) {
+ //
+ // Purge the existing tickets which we cannot use so new ones can
+ // be requested. It is not possible to purge just the TGT. All
+ // service tickets must be purged.
+ //
+ PurgeMSTGT(LogonHandle, PackageId);
+ }
+#endif /* ENABLE_PURGING */
+ }
+
+ //
+ // Intialize the request of the request.
+ //
+
+ pTicketRequest->MessageType = KerbRetrieveEncodedTicketMessage;
+ pTicketRequest->LogonId.LowPart = 0;
+ pTicketRequest->LogonId.HighPart = 0;
+ // Note: pTicketRequest->TargetName set up above
+#ifdef ENABLE_PURGING
+ pTicketRequest->CacheOptions = ((ignore_cache || !purge_cache) ?
+ KERB_RETRIEVE_TICKET_DONT_USE_CACHE : 0L);
+#else
+ pTicketRequest->CacheOptions = (ignore_cache ? KERB_RETRIEVE_TICKET_DONT_USE_CACHE : 0L);
+#endif /* ENABLE_PURGING */
+ pTicketRequest->TicketFlags = 0L;
+ pTicketRequest->EncryptionType = 0L;
+
+ Status = LsaCallAuthenticationPackage(
+ LogonHandle,
+ PackageId,
+ pTicketRequest,
+ RequestSize,
+ &pTicketResponse,
+ &ResponseSize,
+ &SubStatus
+ );
+
+ if (FAILED(Status) || FAILED(SubStatus))
+ {
+ bIsLsaError = TRUE;
+ goto cleanup;
+ }
+
+ //
+ // Check to make sure the new tickets we received are of a type we support
+ //
+
+ switch (pTicketResponse->Ticket.SessionKey.KeyType) {
+ case KERB_ETYPE_DES_CBC_CRC:
+ case KERB_ETYPE_DES_CBC_MD4:
+ case KERB_ETYPE_DES_CBC_MD5:
+ case KERB_ETYPE_NULL:
+ case KERB_ETYPE_RC4_HMAC_NT:
+ goto cleanup; // all done
+ case KERB_ETYPE_RC4_MD4:
+ default:
+ // not supported
+ break;
+ }
+
+
+ //
+ // Try once more but this time specify the Encryption Type
+ // (This will not store the retrieved tickets in the LSA cache)
+ //
+ pTicketRequest->EncryptionType = ENCTYPE_DES_CBC_CRC;
+ pTicketRequest->CacheOptions = KERB_RETRIEVE_TICKET_DONT_USE_CACHE;
+
+ if ( pTicketResponse ) {
+ memset(pTicketResponse,0,sizeof(KERB_RETRIEVE_TKT_RESPONSE));
+ LsaFreeReturnBuffer(pTicketResponse);
+ pTicketResponse = NULL;
+ }
+
+ Status = LsaCallAuthenticationPackage(
+ LogonHandle,
+ PackageId,
+ pTicketRequest,
+ RequestSize,
+ &pTicketResponse,
+ &ResponseSize,
+ &SubStatus
+ );
+
+ if (FAILED(Status) || FAILED(SubStatus))
+ {
+ bIsLsaError = TRUE;
+ goto cleanup;
+ }
+
+ cleanup:
+ if ( pTicketRequest )
+ LocalFree(pTicketRequest);
+
+ if (FAILED(Status) || FAILED(SubStatus))
+ {
+ if (bIsLsaError)
+ {
+ // XXX - Will be fixed later
+ if (FAILED(Status))
+ ShowLsaError("LsaCallAuthenticationPackage", Status);
+ if (FAILED(SubStatus))
+ ShowLsaError("LsaCallAuthenticationPackage", SubStatus);
+ }
+ else
+ {
+ ShowWinError("GetMSTGT", Status);
+ }
+
+ if (pTicketResponse) {
+ memset(pTicketResponse,0,sizeof(KERB_RETRIEVE_TKT_RESPONSE));
+ LsaFreeReturnBuffer(pTicketResponse);
+ pTicketResponse = NULL;
+ }
+ return(FALSE);
+ }
+
+ *ticket = &(pTicketResponse->Ticket);
+ return(TRUE);
+}
+
+static BOOL
+GetQueryTktCacheResponse( HANDLE LogonHandle, ULONG PackageId,
+ PKERB_QUERY_TKT_CACHE_RESPONSE * ppResponse)
+{
+ NTSTATUS Status = 0;
+ NTSTATUS SubStatus = 0;
+
+ KERB_QUERY_TKT_CACHE_REQUEST CacheRequest;
+ PKERB_QUERY_TKT_CACHE_RESPONSE pQueryResponse = NULL;
+ ULONG ResponseSize;
+
+ CacheRequest.MessageType = KerbQueryTicketCacheMessage;
+ CacheRequest.LogonId.LowPart = 0;
+ CacheRequest.LogonId.HighPart = 0;
+
+ Status = LsaCallAuthenticationPackage(
+ LogonHandle,
+ PackageId,
+ &CacheRequest,
+ sizeof(CacheRequest),
+ &pQueryResponse,
+ &ResponseSize,
+ &SubStatus
+ );
+
+ if ( !(FAILED(Status) || FAILED(SubStatus)) ) {
+ *ppResponse = pQueryResponse;
+ return TRUE;
+ }
+
+ return FALSE;
+}
+
+static void
+FreeQueryResponse(PKERB_QUERY_TKT_CACHE_RESPONSE pResponse)
+{
+ LsaFreeReturnBuffer(pResponse);
+}
+
+
+static BOOL
+GetMSCacheTicketFromMITCred( HANDLE LogonHandle, ULONG PackageId,
+ krb5_context context, krb5_creds *creds, PKERB_EXTERNAL_TICKET *ticket)
+{
+ NTSTATUS Status = 0;
+ NTSTATUS SubStatus = 0;
+ ULONG RequestSize;
+ PKERB_RETRIEVE_TKT_REQUEST pTicketRequest = NULL;
+ PKERB_RETRIEVE_TKT_RESPONSE pTicketResponse = NULL;
+ ULONG ResponseSize;
+
+ RequestSize = sizeof(*pTicketRequest) + MAX_MSPRINC_SIZE;
+
+ pTicketRequest = (PKERB_RETRIEVE_TKT_REQUEST) LocalAlloc(LMEM_ZEROINIT, RequestSize);
+ if (!pTicketRequest)
+ return FALSE;
+
+ pTicketRequest->MessageType = KerbRetrieveEncodedTicketMessage;
+ pTicketRequest->LogonId.LowPart = 0;
+ pTicketRequest->LogonId.HighPart = 0;
+
+ pTicketRequest->TargetName.Length = 0;
+ pTicketRequest->TargetName.MaximumLength = MAX_MSPRINC_SIZE;
+ pTicketRequest->TargetName.Buffer = (PWSTR) (pTicketRequest + 1);
+ MITPrincToMSPrinc(context, creds->server, &pTicketRequest->TargetName);
+ pTicketRequest->CacheOptions = 0;
+ pTicketRequest->TicketFlags = creds->ticket_flags;
+ pTicketRequest->EncryptionType = creds->keyblock.enctype;
+
+ Status = LsaCallAuthenticationPackage(
+ LogonHandle,
+ PackageId,
+ pTicketRequest,
+ RequestSize,
+ &pTicketResponse,
+ &ResponseSize,
+ &SubStatus
+ );
+
+ LocalFree(pTicketRequest);
+
+ if (FAILED(Status) || FAILED(SubStatus))
+ return(FALSE);
+
+ /* otherwise return ticket */
+ *ticket = &(pTicketResponse->Ticket);
+ return(TRUE);
+
+}
+
+static BOOL
+GetMSCacheTicketFromCacheInfo( HANDLE LogonHandle, ULONG PackageId,
+ PKERB_TICKET_CACHE_INFO tktinfo, PKERB_EXTERNAL_TICKET *ticket)
+{
+ NTSTATUS Status = 0;
+ NTSTATUS SubStatus = 0;
+ ULONG RequestSize;
+ PKERB_RETRIEVE_TKT_REQUEST pTicketRequest = NULL;
+ PKERB_RETRIEVE_TKT_RESPONSE pTicketResponse = NULL;
+ ULONG ResponseSize;
+
+ RequestSize = sizeof(*pTicketRequest) + tktinfo->ServerName.Length;
+
+ pTicketRequest = (PKERB_RETRIEVE_TKT_REQUEST) LocalAlloc(LMEM_ZEROINIT, RequestSize);
+ if (!pTicketRequest)
+ return FALSE;
+
+ pTicketRequest->MessageType = KerbRetrieveEncodedTicketMessage;
+ pTicketRequest->LogonId.LowPart = 0;
+ pTicketRequest->LogonId.HighPart = 0;
+ pTicketRequest->TargetName.Length = tktinfo->ServerName.Length;
+ pTicketRequest->TargetName.MaximumLength = tktinfo->ServerName.Length;
+ pTicketRequest->TargetName.Buffer = (PWSTR) (pTicketRequest + 1);
+ memcpy(pTicketRequest->TargetName.Buffer,tktinfo->ServerName.Buffer, tktinfo->ServerName.Length);
+ pTicketRequest->CacheOptions = 0;
+ pTicketRequest->EncryptionType = tktinfo->EncryptionType;
+ pTicketRequest->TicketFlags = 0;
+ if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_forwardable )
+ pTicketRequest->TicketFlags |= KDC_OPT_FORWARDABLE;
+ if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_forwarded )
+ pTicketRequest->TicketFlags |= KDC_OPT_FORWARDED;
+ if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_proxiable )
+ pTicketRequest->TicketFlags |= KDC_OPT_PROXIABLE;
+ if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_renewable )
+ pTicketRequest->TicketFlags |= KDC_OPT_RENEWABLE;
+
+ Status = LsaCallAuthenticationPackage(
+ LogonHandle,
+ PackageId,
+ pTicketRequest,
+ RequestSize,
+ &pTicketResponse,
+ &ResponseSize,
+ &SubStatus
+ );
+
+ LocalFree(pTicketRequest);
+
+ if (FAILED(Status) || FAILED(SubStatus))
+ return(FALSE);
+
+ /* otherwise return ticket */
+ *ticket = &(pTicketResponse->Ticket);
+ return(TRUE);
+
+}
+
+static krb5_error_code KRB5_CALLCONV krb5_lcc_close
+ (krb5_context, krb5_ccache id);
+
+static krb5_error_code KRB5_CALLCONV krb5_lcc_destroy
+ (krb5_context, krb5_ccache id);
+
+static krb5_error_code KRB5_CALLCONV krb5_lcc_end_seq_get
+ (krb5_context, krb5_ccache id, krb5_cc_cursor *cursor);
+
+static krb5_error_code KRB5_CALLCONV krb5_lcc_generate_new
+ (krb5_context, krb5_ccache *id);
+
+static const char * KRB5_CALLCONV krb5_lcc_get_name
+ (krb5_context, krb5_ccache id);
+
+static krb5_error_code KRB5_CALLCONV krb5_lcc_get_principal
+ (krb5_context, krb5_ccache id, krb5_principal *princ);
+
+static krb5_error_code KRB5_CALLCONV krb5_lcc_initialize
+ (krb5_context, krb5_ccache id, krb5_principal princ);
+
+static krb5_error_code KRB5_CALLCONV krb5_lcc_next_cred
+ (krb5_context, krb5_ccache id, krb5_cc_cursor *cursor,
+ krb5_creds *creds);
+
+static krb5_error_code KRB5_CALLCONV krb5_lcc_resolve
+ (krb5_context, krb5_ccache *id, const char *residual);
+
+static krb5_error_code KRB5_CALLCONV krb5_lcc_retrieve
+ (krb5_context, krb5_ccache id, krb5_flags whichfields,
+ krb5_creds *mcreds, krb5_creds *creds);
+
+static krb5_error_code KRB5_CALLCONV krb5_lcc_start_seq_get
+ (krb5_context, krb5_ccache id, krb5_cc_cursor *cursor);
+
+static krb5_error_code KRB5_CALLCONV krb5_lcc_store
+ (krb5_context, krb5_ccache id, krb5_creds *creds);
+
+static krb5_error_code KRB5_CALLCONV krb5_lcc_set_flags
+ (krb5_context, krb5_ccache id, krb5_flags flags);
+
+extern const krb5_cc_ops krb5_lcc_ops;
+
+krb5_error_code krb5_change_cache (void);
+
+krb5_boolean
+krb5int_cc_creds_match_request(krb5_context, krb5_flags whichfields, krb5_creds *mcreds, krb5_creds *creds);
+
+#define KRB5_OK 0
+
+typedef struct _krb5_lcc_data {
+ HANDLE LogonHandle;
+ ULONG PackageId;
+ char * cc_name;
+ krb5_principal princ;
+} krb5_lcc_data;
+
+typedef struct _krb5_lcc_cursor {
+ PKERB_QUERY_TKT_CACHE_RESPONSE response;
+ int index;
+ PKERB_EXTERNAL_TICKET mstgt;
+} krb5_lcc_cursor;
+
+
+/*
+ * Requires:
+ * residual is ignored
+ *
+ * Modifies:
+ * id
+ *
+ * Effects:
+ * Acccess the MS Kerberos LSA cache in the current logon session
+ * Ignore the residual.
+ *
+ * Returns:
+ * A filled in krb5_ccache structure "id".
+ *
+ * Errors:
+ * KRB5_CC_NOMEM - there was insufficient memory to allocate the
+ *
+ * krb5_ccache. id is undefined.
+ * permission errors
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_lcc_resolve (krb5_context context, krb5_ccache *id, const char *residual)
+{
+ krb5_ccache lid;
+ krb5_lcc_data *data;
+ HANDLE LogonHandle;
+ ULONG PackageId;
+ KERB_EXTERNAL_TICKET *msticket;
+
+ if (!IsWindows2000())
+ return KRB5_FCC_NOFILE;
+
+#ifdef COMMENT
+ /* In at least one case on Win2003 it appears that it is possible
+ * for the logon session to be authenticated via NTLM and yet for
+ * there to be Kerberos credentials obtained by the LSA on behalf
+ * of the logged in user. Therefore, we are removing this test
+ * which was meant to avoid the need to perform GetMSTGT() when
+ * there was no possibility of credentials being found.
+ */
+ if (!IsKerberosLogon())
+ return KRB5_FCC_NOFILE;
+#endif
+
+ if(!PackageConnectLookup(&LogonHandle, &PackageId))
+ return KRB5_FCC_NOFILE;
+
+ lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache));
+ if (lid == NULL) {
+ CloseHandle(LogonHandle);
+ return KRB5_CC_NOMEM;
+ }
+
+ lid->ops = &krb5_lcc_ops;
+
+ lid->data = (krb5_pointer) malloc(sizeof(krb5_lcc_data));
+ if (lid->data == NULL) {
+ krb5_xfree(lid);
+ CloseHandle(LogonHandle);
+ return KRB5_CC_NOMEM;
+ }
+
+ lid->magic = KV5M_CCACHE;
+ data = (krb5_lcc_data *)lid->data;
+ data->LogonHandle = LogonHandle;
+ data->PackageId = PackageId;
+
+ data->cc_name = (char *)malloc(strlen(residual)+1);
+ if (data->cc_name == NULL) {
+ krb5_xfree(lid->data);
+ krb5_xfree(lid);
+ CloseHandle(LogonHandle);
+ return KRB5_CC_NOMEM;
+ }
+ strcpy(data->cc_name, residual);
+
+ /*
+ * we must obtain a tgt from the cache in order to determine the principal
+ */
+ if (GetMSTGT(data->LogonHandle, data->PackageId, &msticket)) {
+ /* convert the ticket */
+ krb5_creds creds;
+ MSCredToMITCred(msticket, msticket->DomainName, context, &creds);
+ LsaFreeReturnBuffer(msticket);
+
+ krb5_copy_principal(context, creds.client, &data->princ);
+ krb5_free_cred_contents(context,&creds);
+ } else {
+ data->princ = 0;
+ krb5_xfree(data->cc_name);
+ krb5_xfree(lid->data);
+ krb5_xfree(lid);
+ CloseHandle(LogonHandle);
+ return KRB5_FCC_NOFILE;
+ }
+
+ /*
+ * other routines will get errors on open, and callers must expect them,
+ * if cache is non-existent/unusable
+ */
+ *id = lid;
+ return KRB5_OK;
+}
+
+/*
+ * not supported
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_lcc_initialize(krb5_context context, krb5_ccache id, krb5_principal princ)
+{
+ if (!IsWindows2000())
+ return KRB5_FCC_NOFILE;
+
+ return KRB5_CC_READONLY;
+}
+
+
+/*
+ * Modifies:
+ * id
+ *
+ * Effects:
+ * Closes the microsoft lsa cache, invalidates the id, and frees any resources
+ * associated with the cache.
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_lcc_close(krb5_context context, krb5_ccache id)
+{
+ register int closeval = KRB5_OK;
+ register krb5_lcc_data *data;
+
+ if (!IsWindows2000())
+ return KRB5_FCC_NOFILE;
+
+ if (id) {
+ data = (krb5_lcc_data *) id->data;
+
+ if (data) {
+ CloseHandle(data->LogonHandle);
+ krb5_xfree(data);
+ }
+ krb5_xfree(id);
+ }
+ return closeval;
+}
+
+/*
+ * Effects:
+ * Destroys the contents of id.
+ *
+ * Errors:
+ * system errors
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_lcc_destroy(krb5_context context, krb5_ccache id)
+{
+ register krb5_lcc_data *data;
+
+ if (!IsWindows2000())
+ return KRB5_FCC_NOFILE;
+
+ if (id) {
+ data = (krb5_lcc_data *) id->data;
+
+ return PurgeMSTGT(data->LogonHandle, data->PackageId) ? KRB5_FCC_INTERNAL : KRB5_OK;
+ }
+ return KRB5_FCC_INTERNAL;
+}
+
+/*
+ * Effects:
+ * Prepares for a sequential search of the credentials cache.
+ * Returns a krb5_cc_cursor to be used with krb5_lcc_next_cred and
+ * krb5_lcc_end_seq_get.
+ *
+ * If the cache is modified between the time of this call and the time
+ * of the final krb5_lcc_end_seq_get, the results are undefined.
+ *
+ * Errors:
+ * KRB5_CC_NOMEM
+ * KRB5_FCC_INTERNAL - system errors
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_lcc_start_seq_get(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor)
+{
+ krb5_lcc_cursor *lcursor;
+ krb5_lcc_data *data = (krb5_lcc_data *)id->data;
+ KERB_EXTERNAL_TICKET *msticket;
+
+ if (!IsWindows2000())
+ return KRB5_FCC_NOFILE;
+
+ lcursor = (krb5_lcc_cursor *) malloc(sizeof(krb5_lcc_cursor));
+ if (lcursor == NULL) {
+ *cursor = 0;
+ return KRB5_CC_NOMEM;
+ }
+
+ /*
+ * obtain a tgt to refresh the ccache in case the ticket is expired
+ */
+ if (!GetMSTGT(data->LogonHandle, data->PackageId, &lcursor->mstgt)) {
+ free(lcursor);
+ *cursor = 0;
+ return KRB5_FCC_INTERNAL;
+ }
+
+ if ( !GetQueryTktCacheResponse(data->LogonHandle, data->PackageId, &lcursor->response) ) {
+ LsaFreeReturnBuffer(lcursor->mstgt);
+ free(lcursor);
+ *cursor = 0;
+ return KRB5_FCC_INTERNAL;
+ }
+ lcursor->index = 0;
+ *cursor = (krb5_cc_cursor) lcursor;
+ return KRB5_OK;
+}
+
+
+/*
+ * Requires:
+ * cursor is a krb5_cc_cursor originally obtained from
+ * krb5_lcc_start_seq_get.
+ *
+ * Modifes:
+ * cursor
+ *
+ * Effects:
+ * Fills in creds with the TGT obtained from the MS LSA
+ *
+ * The cursor is updated to indicate TGT retrieval
+ *
+ * Errors:
+ * KRB5_CC_END
+ * KRB5_FCC_INTERNAL - system errors
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_lcc_next_cred(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor, krb5_creds *creds)
+{
+ krb5_lcc_cursor *lcursor = (krb5_lcc_cursor *) *cursor;
+ krb5_lcc_data *data;
+ KERB_EXTERNAL_TICKET *msticket;
+ krb5_error_code retval = KRB5_OK;
+
+ if (!IsWindows2000())
+ return KRB5_FCC_NOFILE;
+
+ data = (krb5_lcc_data *)id->data;
+
+ next_cred:
+ if ( lcursor->index >= lcursor->response->CountOfTickets ) {
+ if (retval == KRB5_OK)
+ return KRB5_CC_END;
+ else {
+ LsaFreeReturnBuffer(lcursor->mstgt);
+ LsaFreeReturnBuffer(lcursor->response);
+ free(*cursor);
+ *cursor = 0;
+ return retval;
+ }
+ }
+
+ if (!GetMSCacheTicketFromCacheInfo(data->LogonHandle, data->PackageId,
+ &lcursor->response->Tickets[lcursor->index++],&msticket)) {
+ retval = KRB5_FCC_INTERNAL;
+ goto next_cred;
+ }
+
+ /* Don't return tickets with NULL Session Keys */
+ if ( msticket->SessionKey.KeyType == KERB_ETYPE_NULL) {
+ LsaFreeReturnBuffer(msticket);
+ goto next_cred;
+ }
+
+ /* convert the ticket */
+ MSCredToMITCred(msticket, lcursor->mstgt->DomainName, context, creds);
+ LsaFreeReturnBuffer(msticket);
+ return KRB5_OK;
+}
+
+/*
+ * Requires:
+ * cursor is a krb5_cc_cursor originally obtained from
+ * krb5_lcc_start_seq_get.
+ *
+ * Modifies:
+ * id, cursor
+ *
+ * Effects:
+ * Finishes sequential processing of the file credentials ccache id,
+ * and invalidates the cursor (it must never be used after this call).
+ */
+/* ARGSUSED */
+static krb5_error_code KRB5_CALLCONV
+krb5_lcc_end_seq_get(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor)
+{
+ krb5_lcc_cursor *lcursor = (krb5_lcc_cursor *) *cursor;
+
+ if (!IsWindows2000())
+ return KRB5_FCC_NOFILE;
+
+ if ( lcursor ) {
+ LsaFreeReturnBuffer(lcursor->mstgt);
+ LsaFreeReturnBuffer(lcursor->response);
+ free(*cursor);
+ }
+ *cursor = 0;
+
+ return KRB5_OK;
+}
+
+
+/*
+ * Errors:
+ * KRB5_CC_READONLY - not supported
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_lcc_generate_new (krb5_context context, krb5_ccache *id)
+{
+ if (!IsWindows2000())
+ return KRB5_FCC_NOFILE;
+
+ return KRB5_CC_READONLY;
+}
+
+/*
+ * Requires:
+ * id is a ms lsa credential cache
+ *
+ * Returns:
+ * The ccname specified during the krb5_lcc_resolve call
+ */
+static const char * KRB5_CALLCONV
+krb5_lcc_get_name (krb5_context context, krb5_ccache id)
+{
+
+ if (!IsWindows2000())
+ return KRB5_FCC_NOFILE;
+
+ if ( !id )
+ return "";
+
+ return (char *) ((krb5_lcc_data *) id->data)->cc_name;
+}
+
+/*
+ * Modifies:
+ * id, princ
+ *
+ * Effects:
+ * Retrieves the primary principal from id, as set with
+ * krb5_lcc_initialize. The principal is returned is allocated
+ * storage that must be freed by the caller via krb5_free_principal.
+ *
+ * Errors:
+ * system errors
+ * KRB5_CC_NOT_KTYPE
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_lcc_get_principal(krb5_context context, krb5_ccache id, krb5_principal *princ)
+{
+ krb5_error_code kret = KRB5_OK;
+
+ if (!IsWindows2000())
+ return KRB5_FCC_NOFILE;
+
+ /* obtain principal */
+ return krb5_copy_principal(context, ((krb5_lcc_data *) id->data)->princ, princ);
+}
+
+
+static krb5_error_code KRB5_CALLCONV
+krb5_lcc_retrieve(krb5_context context, krb5_ccache id, krb5_flags whichfields,
+ krb5_creds *mcreds, krb5_creds *creds)
+{
+ krb5_error_code kret = KRB5_OK;
+ krb5_lcc_data *data = (krb5_lcc_data *)id->data;
+ KERB_EXTERNAL_TICKET *msticket = 0, *mstgt = 0;
+ krb5_creds * mcreds_noflags;
+ krb5_creds fetchcreds;
+
+ if (!IsWindows2000())
+ return KRB5_FCC_NOFILE;
+
+ memset(&fetchcreds, 0, sizeof(krb5_creds));
+
+ /* first try to find out if we have an existing ticket which meets the requirements */
+ kret = krb5_cc_retrieve_cred_default (context, id, whichfields, mcreds, creds);
+ if ( !kret )
+ return KRB5_OK;
+
+ /* if not, we must try to get a ticket without specifying any flags or etypes */
+ krb5_copy_creds(context, mcreds, &mcreds_noflags);
+ mcreds_noflags->ticket_flags = 0;
+ mcreds_noflags->keyblock.enctype = 0;
+
+ if (!GetMSCacheTicketFromMITCred(data->LogonHandle, data->PackageId, context, mcreds_noflags, &msticket)) {
+ kret = KRB5_CC_NOTFOUND;
+ goto cleanup;
+ }
+
+ /* try again to find out if we have an existing ticket which meets the requirements */
+ kret = krb5_cc_retrieve_cred_default (context, id, whichfields, mcreds, creds);
+ if ( !kret )
+ goto cleanup;
+
+ /* if not, obtain a ticket using the request flags and enctype even though it will not
+ * be stored in the LSA cache for future use.
+ */
+ if ( msticket ) {
+ LsaFreeReturnBuffer(msticket);
+ msticket = 0;
+ }
+
+ if (!GetMSCacheTicketFromMITCred(data->LogonHandle, data->PackageId, context, mcreds, &msticket)) {
+ kret = KRB5_CC_NOTFOUND;
+ goto cleanup;
+ }
+
+ /* convert the ticket */
+ GetMSTGT(data->LogonHandle, data->PackageId, &mstgt);
+
+ MSCredToMITCred(msticket, mstgt ? mstgt->DomainName : msticket->DomainName, context, &fetchcreds);
+
+ /* check to see if this ticket matches the request using logic from
+ * krb5_cc_retrieve_cred_default()
+ */
+ if ( krb5int_cc_creds_match_request(context, whichfields, mcreds, &fetchcreds) ) {
+ *creds = fetchcreds;
+ } else {
+ krb5_free_cred_contents(context, &fetchcreds);
+ kret = KRB5_CC_NOTFOUND;
+ }
+
+ cleanup:
+ if ( mstgt )
+ LsaFreeReturnBuffer(mstgt);
+ if ( msticket )
+ LsaFreeReturnBuffer(msticket);
+ if ( mcreds_noflags )
+ krb5_free_creds(context, mcreds_noflags);
+ return kret;
+}
+
+
+/*
+ * We can't write to the MS LSA cache. So we request the cache to obtain a ticket for the same
+ * principal in the hope that next time the application requires a ticket for the service it
+ * is attempt to store, the retrieved ticket will be good enough.
+ *
+ * Errors:
+ * KRB5_CC_READONLY - not supported
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_lcc_store(krb5_context context, krb5_ccache id, krb5_creds *creds)
+{
+ krb5_error_code kret = KRB5_OK;
+ krb5_lcc_data *data = (krb5_lcc_data *)id->data;
+ KERB_EXTERNAL_TICKET *msticket = 0;
+ krb5_creds * creds_noflags;
+
+ if (!IsWindows2000())
+ return KRB5_FCC_NOFILE;
+
+ /* if not, we must try to get a ticket without specifying any flags or etypes */
+ krb5_copy_creds(context, creds, &creds_noflags);
+ creds_noflags->ticket_flags = 0;
+ creds_noflags->keyblock.enctype = 0;
+
+ if (GetMSCacheTicketFromMITCred(data->LogonHandle, data->PackageId, context, creds_noflags, &msticket)) {
+ LsaFreeReturnBuffer(msticket);
+ return KRB5_OK;
+ }
+ return KRB5_CC_READONLY;
+}
+
+/*
+ * The ability to remove a credential from the MS LSA cache cannot be implemented.
+ *
+ * Errors:
+ * KRB5_CC_READONLY:
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_lcc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags,
+ krb5_creds *creds)
+{
+ if (!IsWindows2000())
+ return KRB5_FCC_NOFILE;
+
+ return KRB5_CC_READONLY;
+}
+
+
+/*
+ * Effects:
+ * None - ignored
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_lcc_set_flags(krb5_context context, krb5_ccache id, krb5_flags flags)
+{
+ if (!IsWindows2000())
+ return KRB5_FCC_NOFILE;
+
+ return KRB5_OK;
+}
+
+const krb5_cc_ops krb5_lcc_ops = {
+ 0,
+ "MSLSA",
+ krb5_lcc_get_name,
+ krb5_lcc_resolve,
+ krb5_lcc_generate_new,
+ krb5_lcc_initialize,
+ krb5_lcc_destroy,
+ krb5_lcc_close,
+ krb5_lcc_store,
+ krb5_lcc_retrieve,
+ krb5_lcc_get_principal,
+ krb5_lcc_start_seq_get,
+ krb5_lcc_next_cred,
+ krb5_lcc_end_seq_get,
+ krb5_lcc_remove_cred,
+ krb5_lcc_set_flags
+};
+#endif /* _WIN32 */ \ No newline at end of file
diff --git a/src/lib/krb5/ccache/cc_retr.c b/src/lib/krb5/ccache/cc_retr.c
index ebd6193..5ddb2cc 100644
--- a/src/lib/krb5/ccache/cc_retr.c
+++ b/src/lib/krb5/ccache/cc_retr.c
@@ -27,6 +27,7 @@
*/
#include "k5-int.h"
+#include "cc-int.h"
#define KRB5_OK 0
@@ -157,6 +158,40 @@ pref (krb5_enctype my_ktype, int nktypes, krb5_enctype *ktypes)
* KRB5_CC_NOT_KTYPE
*/
+krb5_boolean
+krb5int_cc_creds_match_request(krb5_context context, krb5_flags whichfields, krb5_creds *mcreds, krb5_creds *creds)
+{
+ if (((set(KRB5_TC_MATCH_SRV_NAMEONLY) &&
+ srvname_match(context, mcreds, creds)) ||
+ standard_fields_match(context, mcreds, creds))
+ &&
+ (! set(KRB5_TC_MATCH_IS_SKEY) ||
+ mcreds->is_skey == creds->is_skey)
+ &&
+ (! set(KRB5_TC_MATCH_FLAGS_EXACT) ||
+ mcreds->ticket_flags == creds->ticket_flags)
+ &&
+ (! set(KRB5_TC_MATCH_FLAGS) ||
+ flags_match(mcreds->ticket_flags, creds->ticket_flags))
+ &&
+ (! set(KRB5_TC_MATCH_TIMES_EXACT) ||
+ times_match_exact(&mcreds->times, &creds->times))
+ &&
+ (! set(KRB5_TC_MATCH_TIMES) ||
+ times_match(&mcreds->times, &creds->times))
+ &&
+ ( ! set(KRB5_TC_MATCH_AUTHDATA) ||
+ authdata_match(mcreds->authdata, creds->authdata))
+ &&
+ (! set(KRB5_TC_MATCH_2ND_TKT) ||
+ data_match (&mcreds->second_ticket, &creds->second_ticket))
+ &&
+ ((! set(KRB5_TC_MATCH_KTYPE))||
+ (mcreds->keyblock.enctype == creds->keyblock.enctype)))
+ return TRUE;
+ return FALSE;
+}
+
static krb5_error_code
krb5_cc_retrieve_cred_seq (krb5_context context, krb5_ccache id, krb5_flags whichfields, krb5_creds *mcreds, krb5_creds *creds, int nktypes, krb5_enctype *ktypes)
{
@@ -178,34 +213,8 @@ krb5_cc_retrieve_cred_seq (krb5_context context, krb5_ccache id, krb5_flags whic
return kret;
while ((kret = krb5_cc_next_cred(context, id, &cursor, &fetchcreds)) == KRB5_OK) {
- if (((set(KRB5_TC_MATCH_SRV_NAMEONLY) &&
- srvname_match(context, mcreds, &fetchcreds)) ||
- standard_fields_match(context, mcreds, &fetchcreds))
- &&
- (! set(KRB5_TC_MATCH_IS_SKEY) ||
- mcreds->is_skey == fetchcreds.is_skey)
- &&
- (! set(KRB5_TC_MATCH_FLAGS_EXACT) ||
- mcreds->ticket_flags == fetchcreds.ticket_flags)
- &&
- (! set(KRB5_TC_MATCH_FLAGS) ||
- flags_match(mcreds->ticket_flags, fetchcreds.ticket_flags))
- &&
- (! set(KRB5_TC_MATCH_TIMES_EXACT) ||
- times_match_exact(&mcreds->times, &fetchcreds.times))
- &&
- (! set(KRB5_TC_MATCH_TIMES) ||
- times_match(&mcreds->times, &fetchcreds.times))
- &&
- ( ! set(KRB5_TC_MATCH_AUTHDATA) ||
- authdata_match(mcreds->authdata, fetchcreds.authdata))
- &&
- (! set(KRB5_TC_MATCH_2ND_TKT) ||
- data_match (&mcreds->second_ticket, &fetchcreds.second_ticket))
- &&
- ((! set(KRB5_TC_MATCH_KTYPE))||
- (mcreds->keyblock.enctype == fetchcreds.keyblock.enctype)))
- {
+ if (krb5int_cc_creds_match_request(context, whichfields, mcreds, &fetchcreds))
+ {
if (ktypes) {
fetched.pref = pref (fetchcreds.keyblock.enctype,
nktypes, ktypes);
diff --git a/src/lib/krb5/ccache/ccbase.c b/src/lib/krb5/ccache/ccbase.c
index ddd5e80..8bb178e 100644
--- a/src/lib/krb5/ccache/ccbase.c
+++ b/src/lib/krb5/ccache/ccbase.c
@@ -29,6 +29,8 @@
#include "k5-int.h"
+#include "fcc.h"
+
struct krb5_cc_typelist
{
krb5_cc_ops *ops;
@@ -36,9 +38,19 @@ struct krb5_cc_typelist
};
extern const krb5_cc_ops krb5_mcc_ops;
-static struct krb5_cc_typelist cc_entry = { &krb5_mcc_ops, NULL };
+#ifdef _WIN32
+extern const krb5_cc_ops krb5_lcc_ops;
+static struct krb5_cc_typelist cc_lcc_entry = { &krb5_lcc_ops, NULL };
+static struct krb5_cc_typelist cc_mcc_entry = { &krb5_mcc_ops, &cc_lcc_entry };
+#else
+static struct krb5_cc_typelist cc_mcc_entry = { &krb5_mcc_ops, NULL };
+#endif
+
+static struct krb5_cc_typelist cc_fcc_entry = { &krb5_cc_file_ops,
+ &cc_mcc_entry };
+
+static struct krb5_cc_typelist *cc_typehead = &cc_fcc_entry;
-static struct krb5_cc_typelist *cc_typehead = &cc_entry;
/*
* Register a new credentials cache type
@@ -99,8 +111,22 @@ krb5_cc_resolve (krb5_context context, const char *name, krb5_ccache *cache)
if (!pfx)
return ENOMEM;
- memcpy (pfx, name, pfxlen);
- pfx[pfxlen] = '\0';
+ if ( pfxlen == 1 && isalpha(name[0]) ) {
+ /* We found a drive letter not a prefix - use FILE: */
+ pfx = strdup("FILE:");
+ if (!pfx)
+ return ENOMEM;
+
+ resid = name;
+ } else {
+ resid = name + pfxlen + 1;
+
+ pfx = malloc (pfxlen+1);
+ if (!pfx)
+ return ENOMEM;
+ memcpy (pfx, name, pfxlen);
+ pfx[pfxlen] = '\0';
+ }
*cache = (krb5_ccache) 0;
diff --git a/src/lib/krb5/ccache/ccdefault.c b/src/lib/krb5/ccache/ccdefault.c
index 71e6f9c..3dfb1a3 100644
--- a/src/lib/krb5/ccache/ccdefault.c
+++ b/src/lib/krb5/ccache/ccdefault.c
@@ -31,6 +31,11 @@
#ifdef USE_LOGIN_LIBRARY
#include "KerberosLoginPrivate.h"
+#else
+#ifdef USE_LEASH
+static void (*pLeash_AcquireInitialTicketsIfNeeded)(krb5_context,krb5_principal) = NULL;
+static HANDLE hLeashDLL = INVALID_HANDLE_VALUE;
+#endif
#endif
@@ -111,6 +116,29 @@ krb5int_cc_default(krb5_context context, krb5_ccache *ccache)
if (desiredPrincipal != nil)
KLDisposePrincipal (desiredPrincipal);
}
+#else
+#ifdef USE_LEASH
+
+ if ( hLeashDLL == INVALID_HANDLE_VALUE ) {
+ hLeashDLL = LoadLibrary("leashw32.dll");
+ if ( hLeashDLL != INVALID_HANDLE_VALUE ) {
+ (FARPROC) pLeash_AcquireInitialTicketsIfNeeded =
+ GetProcAddress(hLeashDLL, "not_an_API_Leash_AcquireInitialTicketsIfNeeded");
+ }
+ }
+
+ if ( pLeash_AcquireInitialTicketsIfNeeded )
+ {
+ krb5_os_context os_ctx;
+
+ if (!context || context->magic != KV5M_CONTEXT)
+ return KV5M_CONTEXT;
+
+ os_ctx = context->os_context;
+
+ pLeash_AcquireInitialTicketsIfNeeded(context,os_ctx->default_ccprincipal);
+ }
+#endif
#endif
return krb5_cc_default (context, ccache);
diff --git a/src/lib/krb5/error_tables/.Sanitize b/src/lib/krb5/error_tables/.Sanitize
index b952162..ba18e42 100644
--- a/src/lib/krb5/error_tables/.Sanitize
+++ b/src/lib/krb5/error_tables/.Sanitize
@@ -34,6 +34,7 @@ configure.in
init_ets.c
kdb5_err.et
krb5_err.et
+krb524_err.et
kv5m_err.et
Things-to-lose:
diff --git a/src/lib/krb5/error_tables/ChangeLog b/src/lib/krb5/error_tables/ChangeLog
index 2de7f07..c51b6c7 100644
--- a/src/lib/krb5/error_tables/ChangeLog
+++ b/src/lib/krb5/error_tables/ChangeLog
@@ -1,3 +1,30 @@
+2004-01-06 Jeffrey Altman <jaltman@mit.edu>
+
+ * krb5_err.et (KRB5_CC_NOSUPP) new ccache error code
+
+2003-12-12 Jeffrey Altman <jaltman@mit.edu>
+
+ * krb5_err.et (KRB5_CC_READONLY) new ccache error code
+
+2003-07-19 Ezra Peisach <epeisach@mit.edu>
+
+ * init_ets.c (krb5_init_ets): Only initialize error tables once -
+ so that init_conext/free_context loops do not result in memory
+ leaks.
+
+2003-06-03 Ken Raeburn <raeburn@mit.edu>
+
+ * krb5_err.et (KRB5_ERR_NO_SERVICE): New error code.
+
+2003-05-24 Ken Raeburn <raeburn@mit.edu>
+
+ * krb524_err.et: New file, moved from ../../../krb524. Add new
+ error code KRB524_KRB4_DISABLED.
+ * Makefile.in (STLIBOBJS, HDRS, OBJS, ETSRCS, SRCS, awk-windows):
+ Add it.
+ ($(OUTPRE)krb524_err.$(OBJEXT)): List dependence on .c file.
+ * init_ets.c (krb5_init_ets): Call initialize_k524_error_table.
+
2003-03-04 Ken Raeburn <raeburn@mit.edu>
* krb5_err.et (KRB5_ERR_BAD_S2K_PARAMS): New error code.
diff --git a/src/lib/krb5/error_tables/Makefile.in b/src/lib/krb5/error_tables/Makefile.in
index da1f770..0192f79 100644
--- a/src/lib/krb5/error_tables/Makefile.in
+++ b/src/lib/krb5/error_tables/Makefile.in
@@ -12,13 +12,14 @@ THDRDIR=$(BUILDTOP)$(S)include
EHDRDIR=$(BUILDTOP)$(S)include$(S)krb5
STLIBOBJS= asn1_err.o kdb5_err.o krb5_err.o \
- kv5m_err.o init_ets.o
+ kv5m_err.o krb524_err.o init_ets.o
-HDRS= asn1_err.h kdb5_err.h krb5_err.h kv5m_err.h
+HDRS= asn1_err.h kdb5_err.h krb5_err.h kv5m_err.h krb524_err.h
OBJS= $(OUTPRE)asn1_err.$(OBJEXT) $(OUTPRE)kdb5_err.$(OBJEXT) $(OUTPRE)krb5_err.$(OBJEXT) \
- $(OUTPRE)kv5m_err.$(OBJEXT) $(OUTPRE)init_ets.$(OBJEXT)
-ETSRCS= asn1_err.c kdb5_err.c krb5_err.c kv5m_err.c
-SRCS= asn1_err.c kdb5_err.c krb5_err.c kv5m_err.c \
+ $(OUTPRE)kv5m_err.$(OBJEXT) $(OUTPRE)krb524_err.$(OBJEXT) \
+ $(OUTPRE)init_ets.$(OBJEXT)
+ETSRCS= asn1_err.c kdb5_err.c krb5_err.c kv5m_err.c krb524_err.c
+SRCS= asn1_err.c kdb5_err.c krb5_err.c kv5m_err.c krb524_err.c \
$(srcdir)/init_ets.c
##DOS##LIBOBJS = $(OBJS)
@@ -40,14 +41,17 @@ awk-windows:
$(AWK) -f $(SRCTOP)/util/et/et_h.awk outfile=kdb5_err.h kdb5_err.et
$(AWK) -f $(SRCTOP)/util/et/et_h.awk outfile=krb5_err.h krb5_err.et
$(AWK) -f $(SRCTOP)/util/et/et_h.awk outfile=kv5m_err.h kv5m_err.et
+ $(AWK) -f $(SRCTOP)/util/et/et_h.awk outfile=krb524_err.h krb524_err.et
$(AWK) -f $(SRCTOP)/util/et/et_c.awk outfile=asn1_err.c asn1_err.et
$(AWK) -f $(SRCTOP)/util/et/et_c.awk outfile=kdb5_err.c kdb5_err.et
$(AWK) -f $(SRCTOP)/util/et/et_c.awk outfile=krb5_err.c krb5_err.et
$(AWK) -f $(SRCTOP)/util/et/et_c.awk outfile=kv5m_err.c kv5m_err.et
+ $(AWK) -f $(SRCTOP)/util/et/et_c.awk outfile=krb524_err.c krb524_err.et
if exist asn1_err.h copy asn1_err.h "$(EHDRDIR)"
if exist kdb5_err.h copy kdb5_err.h "$(EHDRDIR)"
if exist krb5_err.h copy krb5_err.h "$(EHDRDIR)"
if exist kv5m_err.h copy kv5m_err.h "$(EHDRDIR)"
+ if exist krb524_err.h copy krb524_err.h "$(EHDRDIR)"
#
# dependencies for traditional makes
@@ -56,6 +60,7 @@ $(OUTPRE)asn1_err.$(OBJEXT): asn1_err.c
$(OUTPRE)kdb5_err.$(OBJEXT): kdb5_err.c
$(OUTPRE)krb5_err.$(OBJEXT): krb5_err.c
$(OUTPRE)kv5m_err.$(OBJEXT): kv5m_err.c
+$(OUTPRE)krb524_err.$(OBJEXT): krb524_err.c
clean-unix:: clean-libobjs
$(RM) $(HDRS) $(ETSRCS)
@@ -71,9 +76,10 @@ asn1_err.so asn1_err.po $(OUTPRE)asn1_err.$(OBJEXT): asn1_err.c $(COM_ERR_DEPS)
kdb5_err.so kdb5_err.po $(OUTPRE)kdb5_err.$(OBJEXT): kdb5_err.c $(COM_ERR_DEPS)
krb5_err.so krb5_err.po $(OUTPRE)krb5_err.$(OBJEXT): krb5_err.c $(COM_ERR_DEPS)
kv5m_err.so kv5m_err.po $(OUTPRE)kv5m_err.$(OBJEXT): kv5m_err.c $(COM_ERR_DEPS)
+krb524_err.so krb524_err.po $(OUTPRE)krb524_err.$(OBJEXT): krb524_err.c $(COM_ERR_DEPS)
init_ets.so init_ets.po $(OUTPRE)init_ets.$(OBJEXT): init_ets.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
diff --git a/src/lib/krb5/error_tables/init_ets.c b/src/lib/krb5/error_tables/init_ets.c
index 0ac810a..56a750e 100644
--- a/src/lib/krb5/error_tables/init_ets.c
+++ b/src/lib/krb5/error_tables/init_ets.c
@@ -32,10 +32,16 @@
void
krb5_init_ets (krb5_context context)
{
- initialize_krb5_error_table();
- initialize_kv5m_error_table();
- initialize_kdb5_error_table();
- initialize_asn1_error_table();
+ static int inited = 0;
+
+ if (inited == 0) {
+ initialize_krb5_error_table();
+ initialize_kv5m_error_table();
+ initialize_kdb5_error_table();
+ initialize_asn1_error_table();
+ initialize_k524_error_table();
+ inited++;
+ }
}
void
diff --git a/src/lib/krb5/error_tables/krb524_err.et b/src/lib/krb5/error_tables/krb524_err.et
new file mode 100644
index 0000000..5a4a004
--- /dev/null
+++ b/src/lib/krb5/error_tables/krb524_err.et
@@ -0,0 +1,34 @@
+# Copyright 1994 by OpenVision Technologies, Inc.
+#
+# Permission to use, copy, modify, distribute, and sell this software
+# and its documentation for any purpose is hereby granted without fee,
+# provided that the above copyright notice appears in all copies and
+# that both that copyright notice and this permission notice appear in
+# supporting documentation, and that the name of OpenVision not be used
+# in advertising or publicity pertaining to distribution of the software
+# without specific, written prior permission. OpenVision makes no
+# representations about the suitability of this software for any
+# purpose. It is provided "as is" without express or implied warranty.
+#
+# OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
+# INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
+# EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
+# CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
+# USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+# OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+#
+
+error_table k524
+
+error_code KRB524_BADKEY, "Cannot convert V5 keyblock"
+error_code KRB524_BADADDR, "Cannot convert V5 address information"
+error_code KRB524_BADPRINC, "Cannot convert V5 principal"
+error_code KRB524_BADREALM, "V5 realm name longer than V4 maximum"
+error_code KRB524_V4ERR, "Kerberos V4 error"
+error_code KRB524_ENCFULL, "Encoding too large"
+error_code KRB524_DECEMPTY, "Decoding out of data"
+error_code KRB524_NOTRESP, "Service not responding"
+error_code KRB524_KRB4_DISABLED, "Kerberos version 4 support is disabled"
+
+end
diff --git a/src/lib/krb5/error_tables/krb5_err.et b/src/lib/krb5/error_tables/krb5_err.et
index b401c92..b03d376 100644
--- a/src/lib/krb5/error_tables/krb5_err.et
+++ b/src/lib/krb5/error_tables/krb5_err.et
@@ -336,4 +336,8 @@ error_code KRB5_ERR_NUMERIC_REALM, "Cannot determine realm for numeric host addr
error_code KRB5_ERR_BAD_S2K_PARAMS, "Invalid key generation parameters from KDC"
+error_code KRB5_ERR_NO_SERVICE, "service not available"
+
+error_code KRB5_CC_READONLY, "Ccache function not supported: read-only ccache type"
+error_code KRB5_CC_NOSUPP, "Ccache function not supported: not implemented"
end
diff --git a/src/lib/krb5/keytab/ChangeLog b/src/lib/krb5/keytab/ChangeLog
index ef0e702..ab8200d 100644
--- a/src/lib/krb5/keytab/ChangeLog
+++ b/src/lib/krb5/keytab/ChangeLog
@@ -1,3 +1,42 @@
+2004-04-13 Jeffrey Altman <jaltman@mit.edu>
+
+ * ktbase.c:
+ Since we have to reserve all the single letter
+ prefixes make them apply to all platforms
+
+2004-04-13 Jeffrey Altman <jaltman@mit.edu>
+
+ * ktbase.c: On Windows, improve the treat drive letter
+ prefix string as a FILE: keytab change to work if the
+ default keytab type was changed to not be of type FILE:
+
+2004-04-08 Jeffrey Altman <jaltman@mit.edu>
+
+ * ktbase.c: Restore the thread safety fixes
+
+2004-04-08 Jeffrey Altman <jaltman@mit.edu>
+
+ * ktbase.c: On Windows, if we see a colon do not assume it means
+ we found a prefix string unless the length of the prefix is
+ not equal to one. If it is one, it means we found a drive letter
+ and not a prefix.
+
+2003-05-22 Tom Yu <tlyu@mit.edu>
+
+ * kt_file.c (krb5_ktfile_get_entry): Check principal name prior to
+ checking enctype. Suggested by Wyllys Ingersoll.
+
+2003-05-19 Sam Hartman <hartmans@mit.edu>
+
+ * ktbase.c: Register writable keytab by default
+
+2003-04-01 Nalin Dahyabhai <nalin@redhat.com>
+
+ * kt_file.c (krb5_ktfileint_internal_read_entry): Use
+ krb5_princ_size instead of direct field access.
+ (krb5_ktfileint_write_entry, krb5_ktfileint_size_entry):
+ Likewise.
+
2003-02-08 Tom Yu <tlyu@mit.edu>
* kt_file.c (krb5_ktfile_get_entry): Fix comment; not going to
diff --git a/src/lib/krb5/keytab/Makefile.in b/src/lib/krb5/keytab/Makefile.in
index 545cd27..731c34b 100644
--- a/src/lib/krb5/keytab/Makefile.in
+++ b/src/lib/krb5/keytab/Makefile.in
@@ -64,47 +64,47 @@ clean-windows::
#
ktadd.so ktadd.po $(OUTPRE)ktadd.$(OBJEXT): ktadd.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
ktbase.so ktbase.po $(OUTPRE)ktbase.$(OBJEXT): ktbase.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
ktdefault.so ktdefault.po $(OUTPRE)ktdefault.$(OBJEXT): ktdefault.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
ktfr_entry.so ktfr_entry.po $(OUTPRE)ktfr_entry.$(OBJEXT): ktfr_entry.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
ktremove.so ktremove.po $(OUTPRE)ktremove.$(OBJEXT): ktremove.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
ktfns.so ktfns.po $(OUTPRE)ktfns.$(OBJEXT): ktfns.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
kt_file.so kt_file.po $(OUTPRE)kt_file.$(OBJEXT): kt_file.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
kt_srvtab.so kt_srvtab.po $(OUTPRE)kt_srvtab.$(OBJEXT): kt_srvtab.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
read_servi.so read_servi.po $(OUTPRE)read_servi.$(OBJEXT): read_servi.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
index 9e4f15a..3175de7 100644
--- a/src/lib/krb5/keytab/kt_file.c
+++ b/src/lib/krb5/keytab/kt_file.c
@@ -258,6 +258,14 @@ krb5_ktfile_get_entry(krb5_context context, krb5_keytab id, krb5_const_principal
and copy new_entry there, or free new_entry. Otherwise, it
leaks. */
+ /* if the principal isn't the one requested, free new_entry
+ and continue to the next. */
+
+ if (!krb5_principal_compare(context, principal, new_entry.principal)) {
+ krb5_kt_free_entry(context, &new_entry);
+ continue;
+ }
+
/* if the enctype is not ignored and doesn't match, free new_entry
and continue to the next */
@@ -281,14 +289,6 @@ krb5_ktfile_get_entry(krb5_context context, krb5_keytab id, krb5_const_principal
}
- /* if the principal isn't the one requested, free new_entry
- and continue to the next. */
-
- if (!krb5_principal_compare(context, principal, new_entry.principal)) {
- krb5_kt_free_entry(context, &new_entry);
- continue;
- }
-
if (kvno == IGNORE_VNO) {
/* if this is the first match, or if the new vno is
bigger, free the current and keep the new. Otherwise,
@@ -1324,7 +1324,7 @@ krb5_ktfileint_internal_read_entry(krb5_context context, krb5_keytab id, krb5_ke
return 0;
fail:
- for (i = 0; i < ret_entry->principal->length; i++) {
+ for (i = 0; i < krb5_princ_size(context, ret_entry->principal); i++) {
princ = krb5_princ_component(context, ret_entry->principal, i);
if (princ->data)
free(princ->data);
@@ -1375,9 +1375,9 @@ krb5_ktfileint_write_entry(krb5_context context, krb5_keytab id, krb5_keytab_ent
}
if (KTVERSION(id) == KRB5_KT_VNO_1) {
- count = (krb5_int16) entry->principal->length + 1;
+ count = (krb5_int16) krb5_princ_size(context, entry->principal) + 1;
} else {
- count = htons((u_short) entry->principal->length);
+ count = htons((u_short) krb5_princ_size(context, entry->principal));
}
if (!xfwrite(&count, sizeof(count), 1, KTFILEP(id))) {
@@ -1396,7 +1396,7 @@ krb5_ktfileint_write_entry(krb5_context context, krb5_keytab id, krb5_keytab_ent
goto abend;
}
- count = (krb5_int16) entry->principal->length;
+ count = (krb5_int16) krb5_princ_size(context, entry->principal);
for (i = 0; i < count; i++) {
princ = krb5_princ_component(context, entry->principal, i);
size = princ->length;
@@ -1494,7 +1494,7 @@ krb5_ktfileint_size_entry(krb5_context context, krb5_keytab_entry *entry, krb5_i
krb5_int32 total_size, i;
krb5_error_code retval = 0;
- count = (krb5_int16) entry->principal->length;
+ count = (krb5_int16) krb5_princ_size(context, entry->principal);
total_size = sizeof(count);
total_size += krb5_princ_realm(context, entry->principal)->length + (sizeof(krb5_int16));
diff --git a/src/lib/krb5/keytab/ktbase.c b/src/lib/krb5/keytab/ktbase.c
index 41f473d..a03379d 100644
--- a/src/lib/krb5/keytab/ktbase.c
+++ b/src/lib/krb5/keytab/ktbase.c
@@ -30,15 +30,20 @@
#include "k5-int.h"
extern const krb5_kt_ops krb5_ktf_ops;
+extern const krb5_kt_ops krb5_ktf_writable_ops;
extern const krb5_kt_ops krb5_kts_ops;
struct krb5_kt_typelist {
const krb5_kt_ops *ops;
struct krb5_kt_typelist *next;
};
+static struct krb5_kt_typelist krb5_kt_typelist_wrfile = {
+ &krb5_ktf_writable_ops,
+ 0
+};
static struct krb5_kt_typelist krb5_kt_typelist_file = {
&krb5_ktf_ops,
- 0
+ &krb5_kt_typelist_wrfile
};
static struct krb5_kt_typelist krb5_kt_typelist_srvtab = {
&krb5_kts_ops,
@@ -93,14 +98,31 @@ krb5_kt_resolve (krb5_context context, const char *name, krb5_keytab *ktid)
}
pfxlen = cp - name;
- resid = name + pfxlen + 1;
+
+#if defined(_WIN32)
+ if ( pfxlen == 1 ) {
+ /* We found a drive letter not a prefix */
+ return (*krb5_kt_dfl_ops.resolve)(context, name, ktid);
+ }
+#endif
+
+ if ( pfxlen == 1 && isalpha(name[0]) ) {
+ /* We found a drive letter not a prefix - use FILE: */
+ pfx = strdup("FILE:");
+ if (!pfx)
+ return ENOMEM;
+
+ resid = name;
+ } else {
+ resid = name + pfxlen + 1;
- pfx = malloc (pfxlen+1);
- if (!pfx)
- return ENOMEM;
+ pfx = malloc (pfxlen+1);
+ if (!pfx)
+ return ENOMEM;
- memcpy (pfx, name, pfxlen);
- pfx[pfxlen] = '\0';
+ memcpy (pfx, name, pfxlen);
+ pfx[pfxlen] = '\0';
+ }
*ktid = (krb5_keytab) 0;
diff --git a/src/lib/krb5/krb/.Sanitize b/src/lib/krb5/krb/.Sanitize
index 7457c84..a2ab3a0 100644
--- a/src/lib/krb5/krb/.Sanitize
+++ b/src/lib/krb5/krb/.Sanitize
@@ -37,6 +37,7 @@ chk_trans.c
cleanup.h
configure
configure.in
+conv_creds.c
conv_princ.c
copy_addrs.c
copy_athctr.c
@@ -60,8 +61,6 @@ gen_seqnum.c
gen_subkey.c
get_creds.c
get_in_tkt.c
-in_tkt_ktb.c
-in_tkt_pwd.c
in_tkt_sky.c
init_ctx.c
int-proto.h
@@ -106,6 +105,7 @@ t_ref_kerb.out
t_ser.c
tgtname.c
unparse.c
+v4lifetime.c
valid_times.c
walk_rtree.c
diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index c936ca4..274245a 100644
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,3 +1,328 @@
+2004-05-12 Jeffrey Altman <jaltman@mit.edu>
+
+ * send_tgs.c: krb5_send_tgs() was broken in the case of a KRB_ERROR
+ message. The krb5_response message_type field was never set
+ resulting in stack garbage being used instead. This would
+ break code which used transitive cross-realm to obtain service
+ tickets.
+
+2004-04-15 Sam Hartman <hartmans@mit.edu>
+
+ * gic_pwd.c (krb5_get_init_creds_password): Free the as reply in
+ the !use_master case (Thanks to Lijian Liu)
+
+2004-02-06 Sam Hartman <hartmans@avalanche-breakdown.mit.edu>
+
+ * init_ctx.c (DEFAULT_ETYPE_LIST): Include aes128-cts
+
+2003-12-13 Ken Raeburn <raeburn@mit.edu>
+
+ * mk_req_ext.c (krb5int_generate_and_save_subkey): New function,
+ split out from krb5_mk_req_extended.
+ (krb5_mk_req_extended): Call it.
+ * mk_rep.c (krb5_mk_rep): If KRB5_AUTH_CONTEXT_USE_SUBKEY flag is
+ set, call krb5int_generate_and_save_subkey to set up a new subkey
+ to send to the client.
+
+ * serialize.c (krb5_ser_pack_int64, krb5_ser_unpack_int64): New
+ functions.
+
+2003-10-30 Tom Yu <tlyu@mit.edu>
+
+ * gen_seqnum.c (krb5_generate_seq_number): Fix mask; was short by
+ 4 bits.
+
+2003-10-08 Tom Yu <tlyu@mit.edu>
+
+ * rd_safe.c (krb5_rd_safe_basic): Save the encoded KRB-SAFE-BODY
+ to avoid trouble caused by re-encoding. Also, handle correctly
+ implemented RFC 1510 KRB-SAFE, i.e., checksummed over
+ KRB-SAFE-BODY only.
+
+2003-09-02 Tom Yu <tlyu@mit.edu>
+
+ * conv_creds.c (krb524_convert_creds_plain): Apply patch from
+ Cesar Garcia to fix lifetime computation.
+
+2003-08-19 SamHartman <hartmans@avalanche-breakdown.mit.edu>
+
+ * rd_cred.c (decrypt_credencdata): Don't double free credentials.
+
+2003-08-08 Tom Yu <tlyu@mit.edu>
+
+ * gic_pwd.c (krb5_get_init_creds_password): If DNS SRV support is
+ turned off, the second call to get_init_creds() will fail with
+ KRB5_REALM_UNKNOWN under certain circumstances. If that happens,
+ return the error from the first call to get_init_creds(), which
+ will be more useful to the user.
+
+2003-07-22 Sam Hartman <hartmans@avalanche-breakdown.mit.edu>
+
+ * preauth2.c (krb5_do_preauth): Use the etype_info2 decoder for decoding etype_info2
+ (krb5_do_preauth): If an invalid encoding of etype_info or
+ etype_info2 is received, ignore it rather than failing the request
+
+2003-07-09 Alexandra Ellwood <lxs@mit.edu>
+
+ * init_ctx.c: Export krb5_get_permitted_enctypes for Samba.
+
+2003-06-27 Tom Yu <tlyu@mit.edu>
+
+ * gic_keytab.c (krb5_get_in_tkt_with_keytab): Pass (void*)keytab,
+ not &keytab, to get_init_creds. Thanks to Herb Lewis.
+
+2003-06-16 Sam Hartman <hartmans@mit.edu>
+
+ * fwd_tgt.c (krb5_fwd_tgt_creds): Set use_conf_ktypes to true while getting the TGT key
+
+2003-06-13 Tom Yu <tlyu@mit.edu>
+
+ * rd_rep.c (krb5_rd_rep): Free subkeys before replacing them, if
+ needed. This avoids a memory leak.
+
+2003-06-11 Tom Yu <tlyu@mit.edu>
+
+ * srv_rcache.c (krb5_get_server_rcache): Octal escapes begin with
+ hyphen now, since backslash is a pathname separator on DOS.
+
+2003-06-06 Sam Hartman <hartmans@mit.edu>
+
+ * get_in_tkt.c (krb5_get_init_creds): Mask out renewable_ok if the
+ request is for a renewable ticket with rtime greater than till
+
+2003-06-06 Ezra Peisach <epeisach@mit.edu>
+
+ * mk_req_ext.c (krb5_generate_authenticator): Sequence numbers are
+ unsigned now.
+
+2003-05-30 Ken Raeburn <raeburn@mit.edu>
+
+ * get_in_tkt.c (krb5_get_init_creds): Change hardcoded default
+ ticket lifetime from 10 hours to 24 hours.
+
+ * init_ctx.c (DEFAULT_KDC_TIMESYNC): Define as 1 always.
+ (DEFAULT_CCACHE_TYPE): Define as 4 always.
+
+2003-05-30 Alexandra Ellwood <lxs@mit.edu>
+
+ * get_in_tkt.c: (verify_as_reply) Only check the renewable lifetime
+ of tickets whose request options included KDC_OPT_RENEWABLE_OK
+ if those options did not also include KDC_OPT_RENEWABLE. Otherwise
+ verify_as_reply() will fail for all renewable tickets.
+
+2003-05-27 Ken Raeburn <raeburn@mit.edu>
+
+ * conv_creds.c: Enable support on Windows always.
+ (krb5_524_convert_creds): Renamed from krb524_convert_creds_kdc.
+ (krb524_convert_creds_kdc, krb524_init_ets) [!_WIN32]: Backwards
+ compatibility functions.
+
+2003-05-27 Sam Hartman <hartmans@mit.edu>
+
+ * gic_keytab.c (krb5_get_in_tkt_with_keytab): as below
+
+ * gic_pwd.c (krb5_get_in_tkt_with_password): Store client and
+ server principals to avoid memory leak
+
+2003-05-24 Ken Raeburn <raeburn@mit.edu>
+
+ * conv_creds.c: New file, moved from krb524/conv_creds.c and
+ krb524/encode.c. Rename exported encode routine, make other
+ encode and decode routines static. If KRB5_KRB4_COMPAT is not
+ defined, return an error.
+ * v4lifetime.c: New file, moved from lib/krb4/lifetime.c. Renamed
+ functions, changed interface to use krb5 types.
+ * Makefile.in (STLIBOBJS, OBJS, SRCS): Add them.
+
+2003-05-23 Sam Hartman <hartmans@mit.edu>
+
+ * get_in_tkt.c (krb5_get_init_creds): Initialize options based on
+ context.kdc_default_options
+
+2003-05-22 Tom Yu <tlyu@mit.edu>
+
+ * gen_seqnum.c (krb5_generate_seq_number): Fix think-o on sequence
+ number mask.
+
+ * auth_con.c (krb5int_auth_con_chkseqnum): New function; implement
+ heuristic for broken Heimdal sequence number encoding.
+ (chk_heimdal_seqnum): Auxiliary function for above.
+
+ * auth_con.h: Add flags for sequence number heuristic.
+
+ * rd_priv.c: Use krb5int_auth_con_chkseqnum.
+
+ * rd_safe.c: Use krb5int_auth_con_chkseqnum.
+
+2003-05-22 Sam Hartman <hartmans@mit.edu>
+
+ * gic_pwd.c (krb5int_populate_gic_opt): returns void
+
+2003-05-21 Tom Yu <tlyu@mit.edu>
+
+ * gic_pwd.c (krb5_get_in_tkt_with_password): Set pw0.length
+ correctly if a password is passed in.
+
+2003-05-20 Sam Hartman <hartmans@mit.edu>
+
+ * Makefile.in (SRCS): Remove in_ktb.c
+
+ * gic_keytab.c (krb5_get_in_tkt_with_keytab): Move from
+ in_tkt_keytab.c and rewrite to use krb5_get_init_creds
+
+ * gic_pwd.c (krb5_get_in_tkt_with_password): Moved here from
+ in_tkt_pwd.c so it can share code with
+ krb5_get_init_creds_password. Rewritten to call
+ krb5_get_in_tkt_password
+
+ * Makefile.in (SRCS): Delete in_tkt_pwd.c
+
+2003-05-18 Tom Yu <tlyu@mit.edu>
+
+ * auth_con.h: Sequence numbers are now unsigned.
+
+ * gen_seqnum.c (krb5_generate_seq_number): Constrain initial
+ sequence number space to facilitate backwards compatibility.
+
+2003-05-16 Ken Raeburn <raeburn@mit.edu>
+
+ * chpw.c (krb5int_rd_chpw_rep): Allow new kpasswd error codes up
+ through _INITIAL_FLAG_NEEDED.
+
+2003-05-13 Sam Hartman <hartmans@mit.edu>
+
+ * fwd_tgt.c (krb5_fwd_tgt_creds): Try with no specified enctype if
+ forwarding a specific enctype fails. l
+
+ * get_in_tkt.c (krb5_get_init_creds): Free s2kparams
+
+ * preauth2.c (krb5_do_preauth): Fix memory management
+ (pa_salt): Use copy_data_contents
+
+ * copy_data.c (krb5int_copy_data_contents): New function
+
+2003-05-09 Sam Hartman <hartmans@mit.edu>
+
+ * preauth2.c: Patch from Sun to reorganize code for handling
+ etype_info requests. More efficient and easier to implement etype_info2
+ (krb5_do_preauth): Support enctype_info2
+
+2003-05-08 Sam Hartman <hartmans@mit.edu>
+
+ * preauth2.c: Add s2kparams to the declaration of a preauth
+ function, to every instance of a preauth function and to every
+ call to gak_fct
+
+ * get_in_tkt.c (krb5_get_init_creds): Add s2kparams support
+
+ * gic_keytab.c (krb5_get_as_key_keytab): Add s2kparams
+
+ * gic_pwd.c (krb5_get_as_key_password): Add s2kparams support
+
+2003-05-09 Ken Raeburn <raeburn@mit.edu>
+
+ * init_ctx.c (init_common): Copy tgs_ktypes array to
+ conf_tgs_ktypes. Clear use_conf_ktypes.
+ (krb5_free_context): Free conf_tgs_ktypes.
+ (krb5_get_tgs_ktypes): Use use_conf_ktypes to choose between
+ tgs_ktypes and conf_tgs_ktypes.
+
+ * gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): Set use_conf_ktypes
+ in context to 1 for all operations except the acquisition of the
+ desired service ticket.
+
+2003-05-09 Tom Yu <tlyu@mit.edu>
+
+ * auth_con.c (krb5_auth_con_setsendsubkey)
+ (krb5_auth_con_setrecvsubkey, krb5_auth_con_getsendsubkey)
+ (krb5_auth_con_getrecvsubkey): New functions. Set or retrieve
+ subkeys from an auth_context.
+ (krb5_auth_con_getlocalsubkey, krb5_auth_con_getremotesubkey):
+ Reimplement in terms of the above.
+
+ * auth_con.h, ser_actx.c: Rename {local,remote}_subkey ->
+ {send,recv}_subkey.
+
+ * chpw.c (krb5int_rd_chpw_rep): Save send_subkey prior to rd_rep;
+ use saved send_subkey to smash recv_subkey obtained from rd_rep.
+
+ * mk_req_ext.c (krb5_mk_req_extended): Rename
+ {local,remote}_subkey -> {send,recv}_subkey. Set both subkeys if
+ subkey generation is requested.
+
+ * mk_cred.c, mk_priv.c, mk_safe.c: Rename {local,remote}_subkey ->
+ {send,recv}_subkey. Use either send_subkey or keyblock, in that
+ order.
+
+ * rd_cred.c, rd_priv.c, rd_safe.c: Rename {local,remote}_subkey ->
+ {send,recv}_subkey. Use either recv_subkey or keyblock, in that
+ order.
+
+ * rd_rep.c (krb5_rd_rep): Rename {local,remote}_subkey ->
+ {send,recv}_subkey. Set both subkeys if a subkey is present in
+ the AP-REP message.
+
+ * rd_req_dec.c (krb5_rd_req_decoded_opt): Rename
+ {local,remote}_subkey -> {send,recv}_subkey. Set both subkeys if
+ a subkey is present in the AP-REQ message.
+
+2003-05-06 Sam Hartman <hartmans@mit.edu>
+
+ * kfree.c (krb5_free_etype_info): Free s2kparams
+
+2003-04-27 Sam Hartman <hartmans@mit.edu>
+
+ * chpw.c (krb5int_setpw_result_code_string): Make internal
+
+2003-04-25 Sam Hartman <hartmans@mit.edu>
+
+ * chpw.c (krb5int_rd_setpw_rep): Fix error handling; allow
+ krberrors to be read correctly; fix memory alloctaion so that
+ allocated structures are freed.
+
+2003-04-24 Ezra Peisach <epeisach@mit.edu>
+
+ * kfree.c (krb5_free_pwd_sequences): Correction to previous
+ fix. Free contents of krb5_data - not just the pointer.
+
+2003-04-23 Ezra Peisach <epeisach@mit.edu>
+
+ * kfree.c (krb5_free_pwd_sequences): Actually free the entire
+ sequence of passwd_phase_elements and not just the first one.
+
+2003-04-16 Sam Hartman <hartmans@mit.edu>
+
+ * chpw.c (krb5int_mk_setpw_req): Use encode_krb5_setpw_req. Fix
+ memory handling to free data that is allocated
+
+2003-04-15 Sam Hartman <hartmans@mit.edu>
+
+ * chpw.c (krb5int_mk_setpw_req krb5int_rd_setpw_rep): New function
+
+2003-04-13 Ken Raeburn <raeburn@mit.edu>
+
+ * init_ctx.c (DEFAULT_ETYPE_LIST): Add AES with 256 bits at the
+ front of the list. No 128-bit support by defaut.
+
+2003-04-01 Nalin Dahyabhai <nalin@redhat.com>
+
+ * gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): Check principal name
+ length before examining components.
+
+ * parse.c (krb5_parse_name): Double-check principal name length
+ before filling in components.
+
+ * srv_rcache.c (krb5_get_server_rcache): Check for null pointer
+ supplied in place of name.
+
+ * unparse.c (krb5_unparse_name_ext): Don't move buffer pointer
+ backwards if nothing has been put into the buffer yet.
+
+2003-04-01 Sam Hartman <hartmans@mit.edu>
+
+ * rd_req.c (krb5_rd_req): If AUTH_CONTEXT_DO_TIME is cleared,
+ don't set up a replay cache.
+
2003-03-08 Ezra Peisach <epeisach@mit.edu>
* t_kerb.c: Only include krb.h if krb4 support compiled in,
diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in
index 18627b1..b703e56 100644
--- a/src/lib/krb5/krb/Makefile.in
+++ b/src/lib/krb5/krb/Makefile.in
@@ -23,6 +23,7 @@ STLIBOBJS= \
bld_princ.o \
chk_trans.o \
chpw.o \
+ conv_creds.o \
conv_princ.o \
copy_addrs.o \
copy_auth.o \
@@ -51,8 +52,6 @@ STLIBOBJS= \
gic_keytab.o \
gic_opt.o \
gic_pwd.o \
- in_tkt_ktb.o \
- in_tkt_pwd.o \
in_tkt_sky.o \
init_ctx.o \
init_keyblock.o \
@@ -95,6 +94,7 @@ STLIBOBJS= \
str_conv.o \
tgtname.o \
unparse.o \
+ v4lifetime.o \
valid_times.o \
vfy_increds.o \
vic_opt.o \
@@ -109,6 +109,7 @@ OBJS= $(OUTPRE)addr_comp.$(OBJEXT) \
$(OUTPRE)bld_princ.$(OBJEXT) \
$(OUTPRE)chk_trans.$(OBJEXT) \
$(OUTPRE)chpw.$(OBJEXT) \
+ $(OUTPRE)conv_creds.$(OBJEXT) \
$(OUTPRE)conv_princ.$(OBJEXT) \
$(OUTPRE)copy_addrs.$(OBJEXT) \
$(OUTPRE)copy_auth.$(OBJEXT) \
@@ -137,8 +138,6 @@ OBJS= $(OUTPRE)addr_comp.$(OBJEXT) \
$(OUTPRE)gic_keytab.$(OBJEXT) \
$(OUTPRE)gic_opt.$(OBJEXT) \
$(OUTPRE)gic_pwd.$(OBJEXT) \
- $(OUTPRE)in_tkt_ktb.$(OBJEXT) \
- $(OUTPRE)in_tkt_pwd.$(OBJEXT) \
$(OUTPRE)in_tkt_sky.$(OBJEXT) \
$(OUTPRE)init_ctx.$(OBJEXT) \
$(OUTPRE)init_keyblock.$(OBJEXT) \
@@ -181,6 +180,7 @@ OBJS= $(OUTPRE)addr_comp.$(OBJEXT) \
$(OUTPRE)str_conv.$(OBJEXT) \
$(OUTPRE)tgtname.$(OBJEXT) \
$(OUTPRE)unparse.$(OBJEXT) \
+ $(OUTPRE)v4lifetime.$(OBJEXT) \
$(OUTPRE)valid_times.$(OBJEXT) \
$(OUTPRE)vfy_increds.$(OBJEXT) \
$(OUTPRE)vic_opt.$(OBJEXT) \
@@ -196,6 +196,7 @@ SRCS= $(srcdir)/addr_comp.c \
$(srcdir)/brand.c \
$(srcdir)/chk_trans.c \
$(srcdir)/chpw.c \
+ $(srcdir)/conv_creds.c \
$(srcdir)/conv_princ.c \
$(srcdir)/copy_addrs.c \
$(srcdir)/copy_auth.c \
@@ -224,8 +225,6 @@ SRCS= $(srcdir)/addr_comp.c \
$(srcdir)/gic_keytab.c \
$(srcdir)/gic_opt.c \
$(srcdir)/gic_pwd.c \
- $(srcdir)/in_tkt_ktb.c \
- $(srcdir)/in_tkt_pwd.c \
$(srcdir)/in_tkt_sky.c \
$(srcdir)/init_ctx.c \
$(srcdir)/init_keyblock.c \
@@ -268,6 +267,7 @@ SRCS= $(srcdir)/addr_comp.c \
$(srcdir)/str_conv.c \
$(srcdir)/tgtname.c \
$(srcdir)/unparse.c \
+ $(srcdir)/v4lifetime.c \
$(srcdir)/valid_times.c \
$(srcdir)/vfy_increds.c \
$(srcdir)/vic_opt.c \
@@ -367,449 +367,482 @@ clean::
#
addr_comp.so addr_comp.po $(OUTPRE)addr_comp.$(OBJEXT): addr_comp.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
addr_order.so addr_order.po $(OUTPRE)addr_order.$(OBJEXT): addr_order.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
addr_srch.so addr_srch.po $(OUTPRE)addr_srch.$(OBJEXT): addr_srch.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
appdefault.so appdefault.po $(OUTPRE)appdefault.$(OBJEXT): appdefault.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
auth_con.so auth_con.po $(OUTPRE)auth_con.$(OBJEXT): auth_con.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ auth_con.h
bld_pr_ext.so bld_pr_ext.po $(OUTPRE)bld_pr_ext.$(OBJEXT): bld_pr_ext.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
bld_princ.so bld_princ.po $(OUTPRE)bld_princ.$(OBJEXT): bld_princ.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
brand.so brand.po $(OUTPRE)brand.$(OBJEXT): brand.c
chk_trans.so chk_trans.po $(OUTPRE)chk_trans.$(OBJEXT): chk_trans.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
chpw.so chpw.po $(OUTPRE)chpw.$(OBJEXT): chpw.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/krb5_err.h \
- auth_con.h
-conv_princ.so conv_princ.po $(OUTPRE)conv_princ.$(OBJEXT): conv_princ.c $(SRCTOP)/include/k5-int.h \
+ $(BUILDTOP)/include/krb5_err.h auth_con.h
+conv_creds.so conv_creds.po $(OUTPRE)conv_creds.$(OBJEXT): conv_creds.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \
+ $(KRB_ERR_H_DEP)
+conv_princ.so conv_princ.po $(OUTPRE)conv_princ.$(OBJEXT): conv_princ.c $(SRCTOP)/include/k5-int.h \
+ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
copy_addrs.so copy_addrs.po $(OUTPRE)copy_addrs.$(OBJEXT): copy_addrs.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
copy_auth.so copy_auth.po $(OUTPRE)copy_auth.$(OBJEXT): copy_auth.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
copy_athctr.so copy_athctr.po $(OUTPRE)copy_athctr.$(OBJEXT): copy_athctr.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
copy_cksum.so copy_cksum.po $(OUTPRE)copy_cksum.$(OBJEXT): copy_cksum.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
copy_creds.so copy_creds.po $(OUTPRE)copy_creds.$(OBJEXT): copy_creds.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
copy_data.so copy_data.po $(OUTPRE)copy_data.$(OBJEXT): copy_data.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
copy_key.so copy_key.po $(OUTPRE)copy_key.$(OBJEXT): copy_key.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
copy_princ.so copy_princ.po $(OUTPRE)copy_princ.$(OBJEXT): copy_princ.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
copy_tick.so copy_tick.po $(OUTPRE)copy_tick.$(OBJEXT): copy_tick.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
cp_key_cnt.so cp_key_cnt.po $(OUTPRE)cp_key_cnt.$(OBJEXT): cp_key_cnt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
decode_kdc.so decode_kdc.po $(OUTPRE)decode_kdc.$(OBJEXT): decode_kdc.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
decrypt_tk.so decrypt_tk.po $(OUTPRE)decrypt_tk.$(OBJEXT): decrypt_tk.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
deltat.so deltat.po $(OUTPRE)deltat.$(OBJEXT): deltat.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
enc_helper.so enc_helper.po $(OUTPRE)enc_helper.$(OBJEXT): enc_helper.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
encode_kdc.so encode_kdc.po $(OUTPRE)encode_kdc.$(OBJEXT): encode_kdc.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
encrypt_tk.so encrypt_tk.po $(OUTPRE)encrypt_tk.$(OBJEXT): encrypt_tk.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
free_rtree.so free_rtree.po $(OUTPRE)free_rtree.$(OBJEXT): free_rtree.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
fwd_tgt.so fwd_tgt.po $(OUTPRE)fwd_tgt.$(OBJEXT): fwd_tgt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
gc_frm_kdc.so gc_frm_kdc.po $(OUTPRE)gc_frm_kdc.$(OBJEXT): gc_frm_kdc.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ int-proto.h
gc_via_tkt.so gc_via_tkt.po $(OUTPRE)gc_via_tkt.$(OBJEXT): gc_via_tkt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ int-proto.h
gen_seqnum.so gen_seqnum.po $(OUTPRE)gen_seqnum.$(OBJEXT): gen_seqnum.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
gen_subkey.so gen_subkey.po $(OUTPRE)gen_subkey.$(OBJEXT): gen_subkey.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
get_creds.so get_creds.po $(OUTPRE)get_creds.$(OBJEXT): get_creds.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
get_in_tkt.so get_in_tkt.po $(OUTPRE)get_in_tkt.$(OBJEXT): get_in_tkt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h $(srcdir)/../os/os-proto.h
+ int-proto.h $(srcdir)/../os/os-proto.h
gic_keytab.so gic_keytab.po $(OUTPRE)gic_keytab.$(OBJEXT): gic_keytab.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
gic_opt.so gic_opt.po $(OUTPRE)gic_opt.$(OBJEXT): gic_opt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
gic_pwd.so gic_pwd.po $(OUTPRE)gic_pwd.$(OBJEXT): gic_pwd.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
-in_tkt_ktb.so in_tkt_ktb.po $(OUTPRE)in_tkt_ktb.$(OBJEXT): in_tkt_ktb.c $(SRCTOP)/include/k5-int.h \
- $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
-in_tkt_pwd.so in_tkt_pwd.po $(OUTPRE)in_tkt_pwd.$(OBJEXT): in_tkt_pwd.c $(SRCTOP)/include/k5-int.h \
- $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
in_tkt_sky.so in_tkt_sky.po $(OUTPRE)in_tkt_sky.$(OBJEXT): in_tkt_sky.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
init_ctx.so init_ctx.po $(OUTPRE)init_ctx.$(OBJEXT): init_ctx.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h brand.c $(srcdir)/../krb5_libinit.h
+ brand.c $(srcdir)/../krb5_libinit.h
init_keyblock.so init_keyblock.po $(OUTPRE)init_keyblock.$(OBJEXT): init_keyblock.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
kdc_rep_dc.so kdc_rep_dc.po $(OUTPRE)kdc_rep_dc.$(OBJEXT): kdc_rep_dc.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
kfree.so kfree.po $(OUTPRE)kfree.$(OBJEXT): kfree.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
mk_cred.so mk_cred.po $(OUTPRE)mk_cred.$(OBJEXT): mk_cred.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h cleanup.h auth_con.h
+ cleanup.h auth_con.h
mk_error.so mk_error.po $(OUTPRE)mk_error.$(OBJEXT): mk_error.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
mk_priv.so mk_priv.po $(OUTPRE)mk_priv.$(OBJEXT): mk_priv.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h cleanup.h auth_con.h
+ cleanup.h auth_con.h
mk_rep.so mk_rep.po $(OUTPRE)mk_rep.$(OBJEXT): mk_rep.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ auth_con.h
mk_req.so mk_req.po $(OUTPRE)mk_req.$(OBJEXT): mk_req.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ auth_con.h
mk_req_ext.so mk_req_ext.po $(OUTPRE)mk_req_ext.$(OBJEXT): mk_req_ext.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ auth_con.h
mk_safe.so mk_safe.po $(OUTPRE)mk_safe.$(OBJEXT): mk_safe.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h cleanup.h auth_con.h
+ cleanup.h auth_con.h
parse.so parse.po $(OUTPRE)parse.$(OBJEXT): parse.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
pr_to_salt.so pr_to_salt.po $(OUTPRE)pr_to_salt.$(OBJEXT): pr_to_salt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
preauth.so preauth.po $(OUTPRE)preauth.$(OBJEXT): preauth.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
preauth2.so preauth2.po $(OUTPRE)preauth2.$(OBJEXT): preauth2.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
princ_comp.so princ_comp.po $(OUTPRE)princ_comp.$(OBJEXT): princ_comp.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
rd_cred.so rd_cred.po $(OUTPRE)rd_cred.$(OBJEXT): rd_cred.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h cleanup.h auth_con.h
+ cleanup.h auth_con.h
rd_error.so rd_error.po $(OUTPRE)rd_error.$(OBJEXT): rd_error.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
rd_priv.so rd_priv.po $(OUTPRE)rd_priv.$(OBJEXT): rd_priv.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h cleanup.h auth_con.h
+ cleanup.h auth_con.h
rd_rep.so rd_rep.po $(OUTPRE)rd_rep.$(OBJEXT): rd_rep.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ auth_con.h
rd_req.so rd_req.po $(OUTPRE)rd_req.$(OBJEXT): rd_req.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ auth_con.h
rd_req_dec.so rd_req_dec.po $(OUTPRE)rd_req_dec.$(OBJEXT): rd_req_dec.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ auth_con.h
rd_safe.so rd_safe.po $(OUTPRE)rd_safe.$(OBJEXT): rd_safe.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h cleanup.h auth_con.h
+ cleanup.h auth_con.h
recvauth.so recvauth.po $(OUTPRE)recvauth.$(OBJEXT): recvauth.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ auth_con.h
sendauth.so sendauth.po $(OUTPRE)sendauth.$(OBJEXT): sendauth.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ auth_con.h
send_tgs.so send_tgs.po $(OUTPRE)send_tgs.$(OBJEXT): send_tgs.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
ser_actx.so ser_actx.po $(OUTPRE)ser_actx.$(OBJEXT): ser_actx.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h auth_con.h
+ int-proto.h auth_con.h
ser_adata.so ser_adata.po $(OUTPRE)ser_adata.$(OBJEXT): ser_adata.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ int-proto.h
ser_addr.so ser_addr.po $(OUTPRE)ser_addr.$(OBJEXT): ser_addr.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ int-proto.h
ser_auth.so ser_auth.po $(OUTPRE)ser_auth.$(OBJEXT): ser_auth.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ int-proto.h
ser_cksum.so ser_cksum.po $(OUTPRE)ser_cksum.$(OBJEXT): ser_cksum.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ int-proto.h
ser_ctx.so ser_ctx.po $(OUTPRE)ser_ctx.$(OBJEXT): ser_ctx.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
ser_eblk.so ser_eblk.po $(OUTPRE)ser_eblk.$(OBJEXT): ser_eblk.c
ser_key.so ser_key.po $(OUTPRE)ser_key.$(OBJEXT): ser_key.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ int-proto.h
ser_princ.so ser_princ.po $(OUTPRE)ser_princ.$(OBJEXT): ser_princ.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ int-proto.h
serialize.so serialize.po $(OUTPRE)serialize.$(OBJEXT): serialize.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
set_realm.so set_realm.po $(OUTPRE)set_realm.$(OBJEXT): set_realm.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
srv_rcache.so srv_rcache.po $(OUTPRE)srv_rcache.$(OBJEXT): srv_rcache.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
str_conv.so str_conv.po $(OUTPRE)str_conv.$(OBJEXT): str_conv.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
tgtname.so tgtname.po $(OUTPRE)tgtname.$(OBJEXT): tgtname.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ int-proto.h
unparse.so unparse.po $(OUTPRE)unparse.$(OBJEXT): unparse.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
+v4lifetime.so v4lifetime.po $(OUTPRE)v4lifetime.$(OBJEXT): v4lifetime.c $(SRCTOP)/include/k5-int.h \
+ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
valid_times.so valid_times.po $(OUTPRE)valid_times.$(OBJEXT): valid_times.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
vfy_increds.so vfy_increds.po $(OUTPRE)vfy_increds.$(OBJEXT): vfy_increds.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ int-proto.h
vic_opt.so vic_opt.po $(OUTPRE)vic_opt.$(OBJEXT): vic_opt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
walk_rtree.so walk_rtree.po $(OUTPRE)walk_rtree.$(OBJEXT): walk_rtree.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ int-proto.h
t_walk_rtree.so t_walk_rtree.po $(OUTPRE)t_walk_rtree.$(OBJEXT): t_walk_rtree.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
t_kerb.so t_kerb.po $(OUTPRE)t_kerb.$(OBJEXT): t_kerb.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
$(BUILDTOP)/include/profile.h
t_ser.so t_ser.po $(OUTPRE)t_ser.$(OBJEXT): t_ser.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ auth_con.h
t_deltat.so t_deltat.po $(OUTPRE)t_deltat.$(OBJEXT): t_deltat.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
t_expand.so t_expand.po $(OUTPRE)t_expand.$(OBJEXT): t_expand.c chk_trans.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
diff --git a/src/lib/krb5/krb/auth_con.c b/src/lib/krb5/krb/auth_con.c
index 09ccf98..cd3acf1 100644
--- a/src/lib/krb5/krb/auth_con.c
+++ b/src/lib/krb5/krb/auth_con.c
@@ -1,6 +1,8 @@
#include "k5-int.h"
#include "auth_con.h"
+static krb5_boolean chk_heimdal_seqnum(krb5_ui_4, krb5_ui_4);
+
static krb5_error_code
actx_copy_addr(krb5_context context, const krb5_address *inad, krb5_address **outad)
{
@@ -59,10 +61,10 @@ krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context)
krb5_free_authenticator(context, auth_context->authentp);
if (auth_context->keyblock)
krb5_free_keyblock(context, auth_context->keyblock);
- if (auth_context->local_subkey)
- krb5_free_keyblock(context, auth_context->local_subkey);
- if (auth_context->remote_subkey)
- krb5_free_keyblock(context, auth_context->remote_subkey);
+ if (auth_context->send_subkey)
+ krb5_free_keyblock(context, auth_context->send_subkey);
+ if (auth_context->recv_subkey)
+ krb5_free_keyblock(context, auth_context->recv_subkey);
if (auth_context->rcache)
krb5_rc_close(context, auth_context->rcache);
if (auth_context->permitted_etypes)
@@ -176,17 +178,53 @@ krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context, krb5_
krb5_error_code KRB5_CALLCONV
krb5_auth_con_getlocalsubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock)
{
- if (auth_context->local_subkey)
- return krb5_copy_keyblock(context,auth_context->local_subkey,keyblock);
+ return krb5_auth_con_getsendsubkey(context, auth_context, keyblock);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock)
+{
+ return krb5_auth_con_getrecvsubkey(context, auth_context, keyblock);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_setsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock)
+{
+ if (ac->send_subkey != NULL)
+ krb5_free_keyblock(ctx, ac->send_subkey);
+ ac->send_subkey = NULL;
+ if (keyblock !=NULL)
+ return krb5_copy_keyblock(ctx, keyblock, &ac->send_subkey);
+ else
+ return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock)
+{
+ if (ac->recv_subkey != NULL)
+ krb5_free_keyblock(ctx, ac->recv_subkey);
+ ac->recv_subkey = NULL;
+ if (keyblock != NULL)
+ return krb5_copy_keyblock(ctx, keyblock, &ac->recv_subkey);
+ else
+ return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock)
+{
+ if (ac->send_subkey != NULL)
+ return krb5_copy_keyblock(ctx, ac->send_subkey, keyblock);
*keyblock = NULL;
return 0;
}
krb5_error_code KRB5_CALLCONV
-krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock)
+krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock)
{
- if (auth_context->remote_subkey)
- return krb5_copy_keyblock(context,auth_context->remote_subkey,keyblock);
+ if (ac->recv_subkey != NULL)
+ return krb5_copy_keyblock(ctx, ac->recv_subkey, keyblock);
*keyblock = NULL;
return 0;
}
@@ -359,3 +397,167 @@ krb5_auth_con_get_checksum_func( krb5_context context,
*data = auth_context->checksum_func_data;
return 0;
}
+
+/*
+ * krb5int_auth_con_chkseqnum
+ *
+ * We use a somewhat complex heuristic for validating received
+ * sequence numbers. We must accommodate both our older
+ * implementation, which sends negative sequence numbers, and the
+ * broken Heimdal implementation (at least as of 0.5.2), which
+ * violates X.690 BER for integer encodings. The requirement of
+ * handling negative sequence numbers removes one of easier means of
+ * detecting a Heimdal implementation, so we resort to this mess
+ * here.
+ *
+ * X.690 BER (and consequently DER, which are the required encoding
+ * rules in RFC1510) encode all integer types as signed integers.
+ * This means that the MSB being set on the first octet of the
+ * contents of the encoding indicates a negative value. Heimdal does
+ * not prepend the required zero octet to unsigned integer encodings
+ * which would otherwise have the MSB of the first octet of their
+ * encodings set.
+ *
+ * Our ASN.1 library implements a special decoder for sequence
+ * numbers, accepting both negative and positive 32-bit numbers but
+ * mapping them both into the space of positive unsigned 32-bit
+ * numbers in the obvious bit-pattern-preserving way. This maintains
+ * compatibility with our older implementations. This also means that
+ * encodings emitted by Heimdal are ambiguous.
+ *
+ * Heimdal counter value received uint32 value
+ *
+ * 0x00000080 0xFFFFFF80
+ * 0x000000FF 0xFFFFFFFF
+ * 0x00008000 0xFFFF8000
+ * 0x0000FFFF 0xFFFFFFFF
+ * 0x00800000 0xFF800000
+ * 0x00FFFFFF 0xFFFFFFFF
+ * 0xFF800000 0xFF800000
+ * 0xFFFFFFFF 0xFFFFFFFF
+ *
+ * We use two auth_context flags, SANE_SEQ and HEIMDAL_SEQ, which are
+ * only set after we can unambiguously determine the sanity of the
+ * sending implementation. Once one of these flags is set, we accept
+ * only the sequence numbers appropriate to the remote implementation
+ * type. We can make the determination in two different ways. The
+ * first is to note the receipt of a "negative" sequence number when a
+ * "positive" one was expected. The second is to note the receipt of
+ * a sequence number that wraps through "zero" in a weird way. The
+ * latter corresponds to the receipt of an initial sequence number in
+ * the ambiguous range.
+ *
+ * There are 2^7 + 2^15 + 2^23 + 2^23 = 16810112 total ambiguous
+ * initial Heimdal counter values, but we receive them as one of 2^23
+ * possible values. There is a ~1/256 chance of a Heimdal
+ * implementation sending an intial sequence number in the ambiguous
+ * range.
+ *
+ * We have to do special treatment when receiving sequence numbers
+ * between 0xFF800000..0xFFFFFFFF, or when wrapping through zero
+ * weirdly (due to ambiguous initial sequence number). If we are
+ * expecting a value corresponding to an ambiguous Heimdal counter
+ * value, and we receive an exact match, we can mark the remote end as
+ * sane.
+ */
+krb5_boolean
+krb5int_auth_con_chkseqnum(
+ krb5_context ctx,
+ krb5_auth_context ac,
+ krb5_ui_4 in_seq)
+{
+ krb5_ui_4 exp_seq;
+
+ exp_seq = ac->remote_seq_number;
+
+ /*
+ * If sender is known to be sane, accept _only_ exact matches.
+ */
+ if (ac->auth_context_flags & KRB5_AUTH_CONN_SANE_SEQ)
+ return in_seq == exp_seq;
+
+ /*
+ * If sender is not known to be sane, first check the ambiguous
+ * range of received values, 0xFF800000..0xFFFFFFFF.
+ */
+ if ((in_seq & 0xFF800000) == 0xFF800000) {
+ /*
+ * If expected sequence number is in the range
+ * 0xFF800000..0xFFFFFFFF, then we can't make any
+ * determinations about the sanity of the sending
+ * implementation.
+ */
+ if ((exp_seq & 0xFF800000) == 0xFF800000 && in_seq == exp_seq)
+ return 1;
+ /*
+ * If sender is not known for certain to be a broken Heimdal
+ * implementation, check for exact match.
+ */
+ if (!(ac->auth_context_flags & KRB5_AUTH_CONN_HEIMDAL_SEQ)
+ && in_seq == exp_seq)
+ return 1;
+ /*
+ * Now apply hairy algorithm for matching sequence numbers
+ * sent by broken Heimdal implementations. If it matches, we
+ * know for certain it's a broken Heimdal sender.
+ */
+ if (chk_heimdal_seqnum(exp_seq, in_seq)) {
+ ac->auth_context_flags |= KRB5_AUTH_CONN_HEIMDAL_SEQ;
+ return 1;
+ }
+ return 0;
+ }
+
+ /*
+ * Received value not in the ambiguous range? If the _expected_
+ * value is in the range of ambiguous Hemidal counter values, and
+ * it matches the received value, sender is known to be sane.
+ */
+ if (in_seq == exp_seq) {
+ if (( exp_seq & 0xFFFFFF80) == 0x00000080
+ || (exp_seq & 0xFFFF8000) == 0x00008000
+ || (exp_seq & 0xFF800000) == 0x00800000)
+ ac->auth_context_flags |= KRB5_AUTH_CONN_SANE_SEQ;
+ return 1;
+ }
+
+ /*
+ * Magic wraparound for the case where the intial sequence number
+ * is in the ambiguous range. This means that the sender's
+ * counter is at a different count than ours, so we correct ours,
+ * and mark the sender as being a broken Heimdal implementation.
+ */
+ if (exp_seq == 0
+ && !(ac->auth_context_flags & KRB5_AUTH_CONN_HEIMDAL_SEQ)) {
+ switch (in_seq) {
+ case 0x100:
+ case 0x10000:
+ case 0x1000000:
+ ac->auth_context_flags |= KRB5_AUTH_CONN_HEIMDAL_SEQ;
+ exp_seq = in_seq;
+ return 1;
+ default:
+ return 0;
+ }
+ }
+ return 0;
+}
+
+static krb5_boolean
+chk_heimdal_seqnum(krb5_ui_4 exp_seq, krb5_ui_4 in_seq)
+{
+ if (( exp_seq & 0xFF800000) == 0x00800000
+ && (in_seq & 0xFF800000) == 0xFF800000
+ && (in_seq & 0x00FFFFFF) == exp_seq)
+ return 1;
+ else if (( exp_seq & 0xFFFF8000) == 0x00008000
+ && (in_seq & 0xFFFF8000) == 0xFFFF8000
+ && (in_seq & 0x0000FFFF) == exp_seq)
+ return 1;
+ else if (( exp_seq & 0xFFFFFF80) == 0x00000080
+ && (in_seq & 0xFFFFFF80) == 0xFFFFFF80
+ && (in_seq & 0x000000FF) == exp_seq)
+ return 1;
+ else
+ return 0;
+}
diff --git a/src/lib/krb5/krb/auth_con.h b/src/lib/krb5/krb/auth_con.h
index d83d6b8..9543de3 100644
--- a/src/lib/krb5/krb/auth_con.h
+++ b/src/lib/krb5/krb/auth_con.h
@@ -9,12 +9,12 @@ struct _krb5_auth_context {
krb5_address * local_addr;
krb5_address * local_port;
krb5_keyblock * keyblock;
- krb5_keyblock * local_subkey;
- krb5_keyblock * remote_subkey;
+ krb5_keyblock * send_subkey;
+ krb5_keyblock * recv_subkey;
krb5_int32 auth_context_flags;
- krb5_int32 remote_seq_number;
- krb5_int32 local_seq_number;
+ krb5_ui_4 remote_seq_number;
+ krb5_ui_4 local_seq_number;
krb5_authenticator *authentp; /* mk_req, rd_req, mk_rep, ...*/
krb5_cksumtype req_cksumtype; /* mk_safe, ... */
krb5_cksumtype safe_cksumtype; /* mk_safe, ... */
@@ -30,5 +30,7 @@ struct _krb5_auth_context {
#define KRB5_AUTH_CONN_INITIALIZED 0x00010000
#define KRB5_AUTH_CONN_USED_W_MK_REQ 0x00020000
#define KRB5_AUTH_CONN_USED_W_RD_REQ 0x00040000
+#define KRB5_AUTH_CONN_SANE_SEQ 0x00080000
+#define KRB5_AUTH_CONN_HEIMDAL_SEQ 0x00100000
#endif
diff --git a/src/lib/krb5/krb/chpw.c b/src/lib/krb5/krb/chpw.c
index bb2cfe9..a455cc4 100644
--- a/src/lib/krb5/krb/chpw.c
+++ b/src/lib/krb5/krb/chpw.c
@@ -1,11 +1,15 @@
+/*
+** set password functions added by Paul W. Nelson, Thursby Software Systems, Inc.
+*/
#include <string.h>
#include "k5-int.h"
#include "krb5_err.h"
#include "auth_con.h"
-krb5_error_code KRB5_CALLCONV
-krb5_mk_chpw_req(krb5_context context, krb5_auth_context auth_context, krb5_data *ap_req, char *passwd, krb5_data *packet)
+
+krb5_error_code
+krb5int_mk_chpw_req(krb5_context context, krb5_auth_context auth_context, krb5_data *ap_req, char *passwd, krb5_data *packet)
{
krb5_error_code ret = 0;
krb5_data clearpw;
@@ -66,8 +70,8 @@ cleanup:
return(ret);
}
-krb5_error_code KRB5_CALLCONV
-krb5_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *packet, int *result_code, krb5_data *result_data)
+krb5_error_code
+krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *packet, int *result_code, krb5_data *result_data)
{
char *ptr;
int plen, vno;
@@ -116,8 +120,18 @@ krb5_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_data
ap_rep.data = ptr;
ptr += ap_rep.length;
- if ((ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc)))
+ /*
+ * Save send_subkey to later smash recv_subkey.
+ */
+ ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmp);
+ if (ret)
+ return ret;
+
+ ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc);
+ if (ret) {
+ krb5_free_keyblock(context, tmp);
return(ret);
+ }
krb5_free_ap_rep_enc_part(context, ap_rep_enc);
@@ -126,18 +140,17 @@ krb5_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_data
cipherresult.data = ptr;
cipherresult.length = (packet->data + packet->length) - ptr;
- /* XXX there's no api to do this right. The problem is that
- if there's a remote subkey, it will be used. This is
- not what the spec requires */
-
- tmp = auth_context->remote_subkey;
- auth_context->remote_subkey = NULL;
+ /*
+ * Smash recv_subkey to be send_subkey, per spec.
+ */
+ ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmp);
+ krb5_free_keyblock(context, tmp);
+ if (ret)
+ return ret;
ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
&replay);
- auth_context->remote_subkey = tmp;
-
if (ret)
return(ret);
} else {
@@ -161,7 +174,7 @@ krb5_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_data
*result_code = (*result_code<<8) | (*ptr++ & 0xff);
if ((*result_code < KRB5_KPASSWD_SUCCESS) ||
- (*result_code > KRB5_KPASSWD_SOFTERROR)) {
+ (*result_code > KRB5_KPASSWD_INITIAL_FLAG_NEEDED)) {
ret = KRB5KRB_AP_ERR_MODIFIED;
goto cleanup;
}
@@ -221,3 +234,284 @@ krb5_chpw_result_code_string(krb5_context context, int result_code, char **code_
return(0);
}
+
+krb5_error_code
+krb5int_mk_setpw_req(
+ krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_data *ap_req,
+ krb5_principal targprinc,
+ char *passwd,
+ krb5_data *packet )
+{
+ krb5_error_code ret;
+ krb5_data cipherpw;
+ krb5_data *encoded_setpw;
+
+ char *ptr;
+ int count = 2;
+
+ cipherpw.data = NULL;
+ cipherpw.length = 0;
+
+ if (ret = krb5_auth_con_setflags(context, auth_context,
+ KRB5_AUTH_CONTEXT_DO_SEQUENCE))
+ return(ret);
+
+ ret = encode_krb5_setpw_req(targprinc, passwd, &encoded_setpw);
+ if (ret) {
+ return ret;
+ }
+
+ if ( (ret = krb5_mk_priv(context, auth_context, encoded_setpw, &cipherpw, NULL)) != 0) {
+ krb5_free_data( context, encoded_setpw);
+ return(ret);
+ }
+ krb5_free_data( context, encoded_setpw);
+
+
+ packet->length = 6 + ap_req->length + cipherpw.length;
+ packet->data = (char *) malloc(packet->length);
+ if (packet->data == NULL) {
+ ret = ENOMEM;
+ goto cleanup;
+ }
+ ptr = packet->data;
+/*
+** build the packet -
+*/
+/* put in the length */
+ *ptr++ = (packet->length>>8) & 0xff;
+ *ptr++ = packet->length & 0xff;
+/* put in the version */
+ *ptr++ = (char)0xff;
+ *ptr++ = (char)0x80;
+/* the ap_req length is big endian */
+ *ptr++ = (ap_req->length>>8) & 0xff;
+ *ptr++ = ap_req->length & 0xff;
+/* put in the request data */
+ memcpy(ptr, ap_req->data, ap_req->length);
+ ptr += ap_req->length;
+/*
+** put in the "private" password data -
+*/
+ memcpy(ptr, cipherpw.data, cipherpw.length);
+ ret = 0;
+ cleanup:
+ if (cipherpw.data)
+ krb5_free_data_contents(context, &cipherpw);
+ if ((ret != 0) && packet->data) {
+ free( packet->data);
+ packet->data = NULL;
+ }
+ return ret;
+}
+
+krb5_error_code
+krb5int_rd_setpw_rep( krb5_context context, krb5_auth_context auth_context, krb5_data *packet,
+ int *result_code, krb5_data *result_data )
+{
+ char *ptr;
+ unsigned int message_length, version_number;
+ krb5_data ap_rep;
+ krb5_ap_rep_enc_part *ap_rep_enc;
+ krb5_error_code ret;
+ krb5_data cipherresult;
+ krb5_data clearresult;
+ krb5_replay_data replay;
+ krb5_keyblock *tmpkey;
+/*
+** validate the packet length -
+*/
+ if (packet->length < 4)
+ return(KRB5KRB_AP_ERR_MODIFIED);
+
+ ptr = packet->data;
+
+/*
+** see if it is an error
+*/
+ if (krb5_is_krb_error(packet)) {
+ krb5_error *krberror;
+ if (ret = krb5_rd_error(context, packet, &krberror))
+ return(ret);
+ if (krberror->e_data.data == NULL) {
+ ret = ERROR_TABLE_BASE_krb5 + krberror->error;
+ krb5_free_error(context, krberror);
+ return (ret);
+ }
+ clearresult = krberror->e_data;
+ krberror->e_data.data = NULL; /*So we can free it later*/
+ krberror->e_data.length = 0;
+ krb5_free_error(context, krberror);
+
+ } else { /* Not an error*/
+
+/*
+** validate the message length -
+** length is big endian
+*/
+ message_length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ ptr += 2;
+/*
+** make sure the message length and packet length agree -
+*/
+ if (message_length != packet->length)
+ return(KRB5KRB_AP_ERR_MODIFIED);
+/*
+** get the version number -
+*/
+ version_number = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ ptr += 2;
+/*
+** make sure we support the version returned -
+*/
+/*
+** set password version is 0xff80, change password version is 1
+*/
+ if (version_number != 0xff80 && version_number != 1)
+ return(KRB5KDC_ERR_BAD_PVNO);
+/*
+** now fill in ap_rep with the reply -
+*/
+/*
+** get the reply length -
+*/
+ ap_rep.length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ ptr += 2;
+/*
+** validate ap_rep length agrees with the packet length -
+*/
+ if (ptr + ap_rep.length >= packet->data + packet->length)
+ return(KRB5KRB_AP_ERR_MODIFIED);
+/*
+** if data was returned, set the ap_rep ptr -
+*/
+ if( ap_rep.length ) {
+ ap_rep.data = ptr;
+ ptr += ap_rep.length;
+
+ /*
+ * Save send_subkey to later smash recv_subkey.
+ */
+ ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmpkey);
+ if (ret)
+ return ret;
+
+ ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc);
+ if (ret) {
+ krb5_free_keyblock(context, tmpkey);
+ return(ret);
+ }
+
+ krb5_free_ap_rep_enc_part(context, ap_rep_enc);
+/*
+** now decrypt the result -
+*/
+ cipherresult.data = ptr;
+ cipherresult.length = (packet->data + packet->length) - ptr;
+
+ /*
+ * Smash recv_subkey to be send_subkey, per spec.
+ */
+ ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmpkey);
+ krb5_free_keyblock(context, tmpkey);
+ if (ret)
+ return ret;
+
+ ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
+ NULL);
+ if (ret)
+ return(ret);
+ } /*We got an ap_rep*/
+ else
+ return (KRB5KRB_AP_ERR_MODIFIED);
+ } /*Response instead of error*/
+
+/*
+** validate the cleartext length
+*/
+ if (clearresult.length < 2) {
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
+ }
+/*
+** now decode the result -
+*/
+ ptr = clearresult.data;
+
+ *result_code = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ ptr += 2;
+
+/*
+** result code 5 is access denied
+*/
+ if ((*result_code < KRB5_KPASSWD_SUCCESS) || (*result_code > 5))
+ {
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
+ }
+/*
+** all success replies should be authenticated/encrypted
+*/
+ if( (ap_rep.length == 0) && (*result_code == KRB5_KPASSWD_SUCCESS) )
+ {
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
+ }
+
+ if (result_data) {
+ result_data->length = (clearresult.data + clearresult.length) - ptr;
+
+ if (result_data->length)
+ {
+ result_data->data = (char *) malloc(result_data->length);
+ if (result_data->data)
+ memcpy(result_data->data, ptr, result_data->length);
+ }
+ else
+ result_data->data = NULL;
+ }
+ ret = 0;
+
+ cleanup:
+ krb5_free_data_contents(context, &clearresult);
+ return(ret);
+}
+
+krb5_error_code
+krb5int_setpw_result_code_string( krb5_context context, int result_code, const char **code_string )
+{
+ switch (result_code)
+ {
+ case KRB5_KPASSWD_MALFORMED:
+ *code_string = "Malformed request error";
+ break;
+ case KRB5_KPASSWD_HARDERROR:
+ *code_string = "Server error";
+ break;
+ case KRB5_KPASSWD_AUTHERROR:
+ *code_string = "Authentication error";
+ break;
+ case KRB5_KPASSWD_SOFTERROR:
+ *code_string = "Password change rejected";
+ break;
+ case 5: /* access denied */
+ *code_string = "Access denied";
+ break;
+ case 6: /* bad version */
+ *code_string = "Wrong protocol version";
+ break;
+ case 7: /* initial flag is needed */
+ *code_string = "Initial password required";
+ break;
+ case 0:
+ *code_string = "Success";
+ default:
+ *code_string = "Password change failed";
+ break;
+ }
+
+ return(0);
+}
+
diff --git a/src/lib/krb5/krb/conv_creds.c b/src/lib/krb5/krb/conv_creds.c
new file mode 100644
index 0000000..3a4e66d
--- /dev/null
+++ b/src/lib/krb5/krb/conv_creds.c
@@ -0,0 +1,277 @@
+/*
+ * Copyright 1994 by OpenVision Technologies, Inc.
+ *
+ * Permission to use, copy, modify, distribute, and sell this software
+ * and its documentation for any purpose is hereby granted without fee,
+ * provided that the above copyright notice appears in all copies and
+ * that both that copyright notice and this permission notice appear in
+ * supporting documentation, and that the name of OpenVision not be used
+ * in advertising or publicity pertaining to distribution of the software
+ * without specific, written prior permission. OpenVision makes no
+ * representations about the suitability of this software for any
+ * purpose. It is provided "as is" without express or implied warranty.
+ *
+ * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
+ * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
+ * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
+ * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "k5-int.h"
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+#include "port-sockets.h"
+#include "socket-utils.h"
+
+#if defined(KRB5_KRB4_COMPAT) || defined(_WIN32) /* yuck */
+#include "kerberosIV/krb.h"
+
+#ifdef USE_CCAPI
+#include <CredentialsCache.h>
+#endif
+
+#define krb524_debug krb5int_krb524_debug
+int krb524_debug = 0;
+
+static krb5_error_code krb524_convert_creds_plain
+(krb5_context context, krb5_creds *v5creds,
+ CREDENTIALS *v4creds);
+
+static int decode_v4tkt
+ (struct ktext *v4tkt, char *buf, unsigned int *encoded_len);
+
+krb5_error_code KRB5_CALLCONV
+krb5_524_convert_creds(krb5_context context, krb5_creds *v5creds,
+ CREDENTIALS *v4creds)
+{
+ krb5_error_code ret;
+ krb5_data reply;
+ char *p;
+ struct sockaddr_storage ss;
+ socklen_t slen = sizeof(ss);
+
+ ret = krb524_convert_creds_plain(context, v5creds, v4creds);
+ if (ret)
+ return ret;
+
+ reply.data = NULL;
+ ret = krb5int_524_sendto_kdc(context, &v5creds->ticket,
+ &v5creds->server->realm, &reply,
+ ss2sa(&ss), &slen);
+ if (ret)
+ return ret;
+
+#if TARGET_OS_MAC
+#ifdef USE_CCAPI
+ v4creds->stk_type = cc_v4_stk_des;
+#endif
+ if (slen == sizeof(struct sockaddr_in)
+ && ss2sa(&ss)->sa_family == AF_INET) {
+ v4creds->address = ss2sin(&ss)->sin_addr.s_addr;
+ }
+ /* Otherwise, leave it set to all-zero. */
+#endif
+
+ p = reply.data;
+ ret = ntohl(*((krb5_error_code *) p));
+ p += sizeof(krb5_int32);
+ reply.length -= sizeof(krb5_int32);
+ if (ret)
+ goto fail;
+
+ v4creds->kvno = ntohl(*((krb5_error_code *) p));
+ p += sizeof(krb5_int32);
+ reply.length -= sizeof(krb5_int32);
+ ret = decode_v4tkt(&v4creds->ticket_st, p, &reply.length);
+
+fail:
+ if (reply.data)
+ free(reply.data);
+ reply.data = NULL;
+ return ret;
+}
+
+static krb5_error_code
+krb524_convert_creds_plain(context, v5creds, v4creds)
+ krb5_context context;
+ krb5_creds *v5creds;
+ CREDENTIALS *v4creds;
+{
+ int ret;
+ krb5_timestamp endtime;
+ char dummy[REALM_SZ];
+ memset((char *) v4creds, 0, sizeof(CREDENTIALS));
+
+ if ((ret = krb5_524_conv_principal(context, v5creds->client,
+ v4creds->pname, v4creds->pinst,
+ dummy)))
+ return ret;
+ if ((ret = krb5_524_conv_principal(context, v5creds->server,
+ v4creds->service, v4creds->instance,
+ v4creds->realm)))
+ return ret;
+
+ /* Check enctype too */
+ if (v5creds->keyblock.length != sizeof(C_Block)) {
+ if (krb524_debug)
+ fprintf(stderr, "v5 session keyblock length %d != C_Block size %d\n",
+ v5creds->keyblock.length,
+ (int) sizeof(C_Block));
+ return KRB524_BADKEY;
+ } else
+ memcpy(v4creds->session, (char *) v5creds->keyblock.contents,
+ sizeof(C_Block));
+
+ /* V4 has no concept of authtime or renew_till, so ignore them */
+ v4creds->issue_date = v5creds->times.starttime;
+ v4creds->lifetime = krb5int_krb_time_to_life(v5creds->times.starttime,
+ v5creds->times.endtime);
+ endtime = krb5int_krb_life_to_time(v4creds->issue_date,
+ v4creds->lifetime);
+ /*
+ * Adjust start time backwards to deal with rounding up in
+ * krb_time_to_life(), to match code on server side.
+ */
+ if (endtime > v5creds->times.endtime)
+ v4creds->issue_date -= endtime - v5creds->times.endtime;
+
+ return 0;
+}
+
+/* this used to be krb524/encode.c, under same copyright as above */
+/*
+ * I'm sure that this is reinventing the wheel, but I don't know where
+ * the wheel is hidden.
+ */
+
+int encode_v4tkt (KTEXT_ST *, char *, unsigned int *);
+static int encode_bytes (char **, int *, char *, unsigned int),
+ encode_int32 (char **, int *, krb5_int32 *);
+
+static int decode_bytes (char **, int *, char *, unsigned int),
+ decode_int32 (char **, int *, krb5_int32 *);
+
+static int encode_bytes(out, outlen, in, len)
+ char **out;
+ int *outlen;
+ char *in;
+ unsigned int len;
+{
+ if (len > *outlen)
+ return KRB524_ENCFULL;
+ memcpy(*out, in, len);
+ *out += len;
+ *outlen -= len;
+ return 0;
+}
+
+static int encode_int32(out, outlen, v)
+ char **out;
+ int *outlen;
+ krb5_int32 *v;
+{
+ krb5_int32 nv; /* Must be 4 bytes */
+
+ nv = htonl(*v);
+ return encode_bytes(out, outlen, (char *) &nv, sizeof(nv));
+}
+
+int krb5int_encode_v4tkt(v4tkt, buf, encoded_len)
+ KTEXT_ST *v4tkt;
+ char *buf;
+ unsigned int *encoded_len;
+{
+ int buflen, ret;
+
+ buflen = *encoded_len;
+
+ if ((ret = encode_int32(&buf, &buflen, &v4tkt->length)))
+ return ret;
+ if ((ret = encode_bytes(&buf, &buflen, (char *)v4tkt->dat, MAX_KTXT_LEN)))
+ return ret;
+ if ((ret = encode_int32(&buf, &buflen, (krb5_int32 *) &v4tkt->mbz)))
+ return ret;
+
+ *encoded_len -= buflen;
+ return 0;
+}
+
+/* decode functions */
+
+static int decode_bytes(out, outlen, in, len)
+ char **out;
+ int *outlen;
+ char *in;
+ unsigned int len;
+{
+ if (len > *outlen)
+ return KRB524_DECEMPTY;
+ memcpy(in, *out, len);
+ *out += len;
+ *outlen -= len;
+ return 0;
+}
+
+static int decode_int32(out, outlen, v)
+ char **out;
+ int *outlen;
+ krb5_int32 *v;
+{
+ int ret;
+ krb5_int32 nv; /* Must be four bytes */
+
+ if ((ret = decode_bytes(out, outlen, (char *) &nv, sizeof(nv))))
+ return ret;
+ *v = ntohl(nv);
+ return 0;
+}
+
+static int decode_v4tkt(v4tkt, buf, encoded_len)
+ KTEXT_ST *v4tkt;
+ char *buf;
+ unsigned int *encoded_len;
+{
+ int buflen, ret;
+
+ buflen = *encoded_len;
+ if ((ret = decode_int32(&buf, &buflen, &v4tkt->length)))
+ return ret;
+ if ((ret = decode_bytes(&buf, &buflen, (char *)v4tkt->dat, MAX_KTXT_LEN)))
+ return ret;
+ if ((ret = decode_int32(&buf, &buflen, (krb5_int32 *) &v4tkt->mbz)))
+ return ret;
+ *encoded_len -= buflen;
+ return 0;
+}
+
+#else /* no krb4 compat */
+
+krb5_error_code KRB5_CALLCONV
+krb5_524_convert_creds(krb5_context context, krb5_creds *v5creds,
+ struct credentials *v4creds)
+{
+ return KRB524_KRB4_DISABLED;
+}
+
+#endif
+
+/* These may be needed for object-level backwards compatibility on Mac
+ OS and UNIX, but Windows should be okay. */
+#ifndef _WIN32
+#undef krb524_convert_creds_kdc
+krb5_error_code KRB5_CALLCONV
+krb524_convert_creds_kdc(krb5_context context, krb5_creds *v5creds,
+ struct credentials *v4creds)
+{
+ return krb5_524_convert_creds(context, v5creds, v4creds);
+}
+
+#undef krb524_init_ets
+void KRB5_CALLCONV krb524_init_ets ()
+{
+}
+#endif
diff --git a/src/lib/krb5/krb/copy_data.c b/src/lib/krb5/krb/copy_data.c
index 2899c5a..1be2a2d 100644
--- a/src/lib/krb5/krb/copy_data.c
+++ b/src/lib/krb5/krb/copy_data.c
@@ -58,3 +58,25 @@ krb5_copy_data(krb5_context context, const krb5_data *indata, krb5_data **outdat
*outdata = tempdata;
return 0;
}
+
+krb5_error_code
+krb5int_copy_data_contents(krb5_context context, const krb5_data *indata, krb5_data *outdata)
+{
+ if (!indata) {
+ return EINVAL;
+ }
+
+
+ outdata->length = indata->length;
+ if (outdata->length) {
+ if (!(outdata->data = malloc(outdata->length))) {
+ krb5_xfree(outdata);
+ return ENOMEM;
+ }
+ memcpy((char *)outdata->data, (char *)indata->data, outdata->length);
+ } else
+ outdata->data = 0;
+ outdata->magic = KV5M_DATA;
+
+ return 0;
+}
diff --git a/src/lib/krb5/krb/fwd_tgt.c b/src/lib/krb5/krb/fwd_tgt.c
index aa42f8c..4e2c8f0 100644
--- a/src/lib/krb5/krb/fwd_tgt.c
+++ b/src/lib/krb5/krb/fwd_tgt.c
@@ -56,6 +56,7 @@ krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, char *r
int free_rhost = 0;
krb5_enctype enctype = 0;
krb5_keyblock *session_key;
+ krb5_boolean old_use_conf_ktypes = context->use_conf_ktypes;
memset((char *)&creds, 0, sizeof(creds));
memset((char *)&tgt, 0, sizeof(creds));
@@ -109,8 +110,10 @@ krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, char *r
goto errout;
/* fetch tgt directly from cache */
+ context->use_conf_ktypes = 1;
retval = krb5_cc_retrieve_cred (context, cc, KRB5_TC_SUPPORTED_KTYPES,
&creds, &tgt);
+ context->use_conf_ktypes = old_use_conf_ktypes;
if (retval)
goto errout;
@@ -161,9 +164,15 @@ retval = KRB5_FWD_BAD_PRINCIPAL;
kdcoptions &= ~(KDC_OPT_FORWARDABLE);
if ((retval = krb5_get_cred_via_tkt(context, &tgt, kdcoptions,
- addrs, &creds, &pcreds)))
- goto errout;
-
+ addrs, &creds, &pcreds))) {
+ if (enctype) {
+ creds.keyblock.enctype = 0;
+ if ((retval = krb5_get_cred_via_tkt(context, &tgt, kdcoptions,
+ addrs, &creds, &pcreds)))
+ goto errout;
+ }
+ else goto errout;
+ }
retval = krb5_mk_1cred(context, auth_context, pcreds,
&scratch, &replaydata);
krb5_free_creds(context, pcreds);
diff --git a/src/lib/krb5/krb/gc_frm_kdc.c b/src/lib/krb5/krb/gc_frm_kdc.c
index fdf00e6..8ca62cc 100644
--- a/src/lib/krb5/krb/gc_frm_kdc.c
+++ b/src/lib/krb5/krb/gc_frm_kdc.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1994 by the Massachusetts Institute of Technology.
+ * Copyright (c) 1994,2003 by the Massachusetts Institute of Technology.
* Copyright (c) 1994 CyberSAFE Corporation
* Copyright (c) 1993 Open Computing Security Group
* Copyright (c) 1990,1991 by the Massachusetts Institute of Technology.
@@ -76,6 +76,7 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds
krb5_principal *top_server = NULL;
krb5_principal *next_server = NULL;
unsigned int nservers = 0;
+ krb5_boolean old_use_conf_ktypes = context->use_conf_ktypes;
/* in case we never get a TGT, zero the return */
@@ -114,6 +115,7 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds
goto cleanup;
}
+ context->use_conf_ktypes = 1;
if ((retval = krb5_cc_retrieve_cred(context, ccache,
KRB5_TC_MATCH_SRV_NAMEONLY | KRB5_TC_SUPPORTED_KTYPES,
&tgtq, &tgt))) {
@@ -231,21 +233,17 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds
krb5_free_cred_contents(context, &tgtq);
memset(&tgtq, 0, sizeof(tgtq));
-#ifdef HAVE_C_STRUCTURE_ASSIGNMENT
tgtq.times = tgt.times;
-#else
- memcpy(&tgtq.times, &tgt.times, sizeof(krb5_ticket_times));
-#endif
-
if ((retval = krb5_copy_principal(context, tgt.client, &tgtq.client)))
goto cleanup;
if ((retval = krb5_copy_principal(context, int_server, &tgtq.server)))
goto cleanup;
tgtq.is_skey = FALSE;
tgtq.ticket_flags = tgt.ticket_flags;
- if ((retval = krb5_get_cred_via_tkt(context, &tgt,
- FLAGS2OPTS(tgtq.ticket_flags),
- tgt.addresses, &tgtq, &tgtr))) {
+ retval = krb5_get_cred_via_tkt(context, &tgt,
+ FLAGS2OPTS(tgtq.ticket_flags),
+ tgt.addresses, &tgtq, &tgtr);
+ if (retval) {
/*
* couldn't get one so now loop backwards through the realms
@@ -301,12 +299,12 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds
goto cleanup;
tgtq.is_skey = FALSE;
tgtq.ticket_flags = tgt.ticket_flags;
- if ((retval = krb5_get_cred_via_tkt(context, &tgt,
- FLAGS2OPTS(tgtq.ticket_flags),
- tgt.addresses,
- &tgtq, &tgtr))) {
+ retval = krb5_get_cred_via_tkt(context, &tgt,
+ FLAGS2OPTS(tgtq.ticket_flags),
+ tgt.addresses,
+ &tgtq, &tgtr);
+ if (retval)
continue;
- }
/* save tgt in return array */
if ((retval = krb5_copy_creds(context, tgtr,
@@ -341,7 +339,9 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds
for (next_server = top_server; *next_server; next_server++) {
krb5_data *realm_1 = krb5_princ_component(context, next_server[0], 1);
krb5_data *realm_2 = krb5_princ_component(context, tgtr->server, 1);
- if (realm_1->length == realm_2->length &&
+ if (realm_1 != NULL &&
+ realm_2 != NULL &&
+ realm_1->length == realm_2->length &&
!memcmp(realm_1->data, realm_2->data, realm_1->length)) {
break;
}
@@ -374,10 +374,12 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds
goto cleanup;
}
- retval = krb5_get_cred_via_tkt(context, &tgt, FLAGS2OPTS(tgt.ticket_flags) |
- kdcopt |
- (in_cred->second_ticket.length ?
- KDC_OPT_ENC_TKT_IN_SKEY : 0),
+ context->use_conf_ktypes = old_use_conf_ktypes;
+ retval = krb5_get_cred_via_tkt(context, &tgt,
+ FLAGS2OPTS(tgt.ticket_flags) |
+ kdcopt |
+ (in_cred->second_ticket.length ?
+ KDC_OPT_ENC_TKT_IN_SKEY : 0),
tgt.addresses, in_cred, out_cred);
/* cleanup and return */
@@ -393,6 +395,7 @@ cleanup:
if (ret_tgts) free(ret_tgts);
krb5_free_cred_contents(context, &tgt);
}
+ context->use_conf_ktypes = old_use_conf_ktypes;
return(retval);
}
diff --git a/src/lib/krb5/krb/gen_seqnum.c b/src/lib/krb5/krb/gen_seqnum.c
index 196a437..3737640 100644
--- a/src/lib/krb5/krb/gen_seqnum.c
+++ b/src/lib/krb5/krb/gen_seqnum.c
@@ -36,7 +36,7 @@
#endif
krb5_error_code
-krb5_generate_seq_number(krb5_context context, const krb5_keyblock *key, krb5_int32 *seqno)
+krb5_generate_seq_number(krb5_context context, const krb5_keyblock *key, krb5_ui_4 *seqno)
{
krb5_data seed;
krb5_error_code retval;
@@ -48,5 +48,20 @@ krb5_generate_seq_number(krb5_context context, const krb5_keyblock *key, krb5_in
seed.length = sizeof(*seqno);
seed.data = (char *) seqno;
- return(krb5_c_random_make_octets(context, &seed));
+ retval = krb5_c_random_make_octets(context, &seed);
+ if (retval)
+ return retval;
+ /*
+ * Work around implementation incompatibilities by not generating
+ * initial sequence numbers greater than 2^30. Previous MIT
+ * implementations use signed sequence numbers, so initial
+ * sequence numbers 2^31 to 2^32-1 inclusive will be rejected.
+ * Letting the maximum initial sequence number be 2^30-1 allows
+ * for about 2^30 messages to be sent before wrapping into
+ * "negative" numbers.
+ */
+ *seqno &= 0x3fffffff;
+ if (*seqno == 0)
+ *seqno = 1;
+ return 0;
}
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index dc06c53..df5ebaf 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1,7 +1,7 @@
/*
* lib/krb5/krb/get_in_tkt.c
*
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991, 2003 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -262,6 +262,7 @@ verify_as_reply(krb5_context context,
(request->rtime != 0) &&
(as_reply->enc_part2->times.renew_till > request->rtime))
|| ((request->kdc_options & KDC_OPT_RENEWABLE_OK) &&
+ !(request->kdc_options & KDC_OPT_RENEWABLE) &&
(as_reply->enc_part2->flags & KDC_OPT_RENEWABLE) &&
(request->till != 0) &&
(as_reply->enc_part2->times.renew_till > request->till))
@@ -409,6 +410,15 @@ make_preauth_list(krb5_context context,
}
#define MAX_IN_TKT_LOOPS 16
+static krb5_enctype get_in_tkt_enctypes[] = {
+ ENCTYPE_DES3_CBC_SHA1,
+ ENCTYPE_ARCFOUR_HMAC,
+ ENCTYPE_DES_CBC_MD5,
+ ENCTYPE_DES_CBC_MD4,
+ ENCTYPE_DES_CBC_CRC,
+ 0
+};
+
krb5_error_code KRB5_CALLCONV
krb5_get_in_tkt(krb5_context context,
@@ -460,8 +470,13 @@ krb5_get_in_tkt(krb5_context context,
request.from = creds->times.starttime;
request.till = creds->times.endtime;
request.rtime = creds->times.renew_till;
- if ((retval = krb5_get_default_in_tkt_ktypes(context, &request.ktype)))
+
+ request.ktype = malloc (sizeof(get_in_tkt_enctypes));
+ if (request.ktype == NULL) {
+ retval = ENOMEM;
goto cleanup;
+ }
+ memcpy(request.ktype, get_in_tkt_enctypes, sizeof(get_in_tkt_enctypes));
for (request.nktypes = 0;request.ktype[request.nktypes];request.nktypes++);
if (ktypes) {
int i, req, next = 0;
@@ -734,6 +749,7 @@ krb5_get_init_creds(krb5_context context,
krb5_deltat renew_life;
int loopcount;
krb5_data salt;
+ krb5_data s2kparams;
krb5_keyblock as_key;
krb5_error *err_reply;
krb5_kdc_rep *local_as_reply;
@@ -742,6 +758,8 @@ krb5_get_init_creds(krb5_context context,
/* initialize everything which will be freed at cleanup */
+ s2kparams.data = NULL;
+ s2kparams.length = 0;
request.server = NULL;
request.ktype = NULL;
request.addresses = NULL;
@@ -761,7 +779,7 @@ krb5_get_init_creds(krb5_context context,
/* request.padata is filled in later */
- request.kdc_options = 0;
+ request.kdc_options = context->kdc_default_options;
/* forwardable */
@@ -854,11 +872,13 @@ krb5_get_init_creds(krb5_context context,
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE))
request.till += options->tkt_life;
else
- request.till += 10*60*60; /* this used to be hardcoded in kinit.c */
+ request.till += 24*60*60; /* this used to be hardcoded in kinit.c */
if (renew_life > 0) {
request.rtime = request.from;
request.rtime += renew_life;
+ if (request.rtime >= request.till)
+ request.kdc_options &= ~(KDC_OPT_RENEWABLE_OK);
} else {
request.rtime = 0;
}
@@ -927,7 +947,7 @@ krb5_get_init_creds(krb5_context context,
if ((ret = krb5_do_preauth(context, &request,
padata, &request.padata,
- &salt, &etype, &as_key, prompter,
+ &salt, &s2kparams, &etype, &as_key, prompter,
prompter_data, gak_fct, gak_data)))
goto cleanup;
@@ -973,7 +993,7 @@ krb5_get_init_creds(krb5_context context,
if ((ret = krb5_do_preauth(context, &request,
local_as_reply->padata, &padata,
- &salt, &etype, &as_key, prompter,
+ &salt, &s2kparams, &etype, &as_key, prompter,
prompter_data, gak_fct, gak_data)))
goto cleanup;
@@ -1005,7 +1025,7 @@ krb5_get_init_creds(krb5_context context,
if ((ret = ((*gak_fct)(context, request.client,
local_as_reply->enc_part.enctype,
- prompter, prompter_data, &salt,
+ prompter, prompter_data, &salt, &s2kparams,
&as_key, gak_data))))
goto cleanup;
@@ -1050,6 +1070,7 @@ cleanup:
if (salt.data &&
(!(options && (options->flags & KRB5_GET_INIT_CREDS_OPT_SALT))))
krb5_xfree(salt.data);
+ krb5_free_data_contents(context, &s2kparams);
if (as_reply)
*as_reply = local_as_reply;
else if (local_as_reply)
diff --git a/src/lib/krb5/krb/gic_keytab.c b/src/lib/krb5/krb/gic_keytab.c
index a7cb773..38a88ee 100644
--- a/src/lib/krb5/krb/gic_keytab.c
+++ b/src/lib/krb5/krb/gic_keytab.c
@@ -1,3 +1,29 @@
+/*
+ * lib/krb5/krb/gic_keytab.c
+ *
+ * Copyright (C) 2002, 2003 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
#include "k5-int.h"
static krb5_error_code
@@ -8,6 +34,7 @@ krb5_get_as_key_keytab(
krb5_prompter_fct prompter,
void *prompter_data,
krb5_data *salt,
+ krb5_data *params,
krb5_keyblock *as_key,
void *gak_data)
{
@@ -115,3 +142,57 @@ cleanup:
return(ret);
}
+krb5_error_code KRB5_CALLCONV
+krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options,
+ krb5_address *const *addrs, krb5_enctype *ktypes,
+ krb5_preauthtype *pre_auth_types,
+ krb5_keytab arg_keytab, krb5_ccache ccache,
+ krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
+{
+ krb5_error_code retval;
+ krb5_get_init_creds_opt opt;
+ char * server = NULL;
+ krb5_keytab keytab;
+ krb5_principal client_princ, server_princ;
+
+ krb5int_populate_gic_opt(context, &opt,
+ options, addrs, ktypes,
+ pre_auth_types);
+ if (arg_keytab == NULL) {
+ retval = krb5_kt_default(context, &keytab);
+ if (retval)
+ return retval;
+ }
+ else keytab = arg_keytab;
+
+ retval = krb5_unparse_name( context, creds->server, &server);
+ if (retval)
+ goto cleanup;
+ server_princ = creds->server;
+ client_princ = creds->client;
+ retval = krb5_get_init_creds (context,
+ creds, creds->client,
+ krb5_prompter_posix, NULL,
+ 0, server, &opt,
+ krb5_get_as_key_keytab, (void *)keytab,
+ 0, ret_as_reply);
+ krb5_free_unparsed_name( context, server);
+ if (retval) {
+ goto cleanup;
+ }
+ if (creds->server)
+ krb5_free_principal( context, creds->server);
+ if (creds->client)
+ krb5_free_principal( context, creds->client);
+ creds->client = client_princ;
+ creds->server = server_princ;
+
+ /* store it in the ccache! */
+ if (ccache)
+ if ((retval = krb5_cc_store_cred(context, ccache, creds)))
+ goto cleanup;
+ cleanup: if (arg_keytab == NULL)
+ krb5_kt_close(context, keytab);
+ return retval;
+}
+
diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c
index 7b5e0ba..af95b97 100644
--- a/src/lib/krb5/krb/gic_pwd.c
+++ b/src/lib/krb5/krb/gic_pwd.c
@@ -9,6 +9,7 @@ krb5_get_as_key_password(
krb5_prompter_fct prompter,
void *prompter_data,
krb5_data *salt,
+ krb5_data *params,
krb5_keyblock *as_key,
void *gak_data)
{
@@ -42,7 +43,7 @@ krb5_get_as_key_password(
return(EIO);
if ((ret = krb5_unparse_name(context, client, &clientstr)))
- return(ret);
+ return(ret);
strcpy(promptstr, "Password for ");
strncat(promptstr, clientstr, sizeof(promptstr)-strlen(promptstr)-1);
@@ -74,7 +75,8 @@ krb5_get_as_key_password(
defsalt.length = 0;
}
- ret = krb5_c_string_to_key(context, etype, password, salt, as_key);
+ ret = krb5_c_string_to_key_with_params(context, etype, password, salt,
+ params->data?params:NULL, as_key);
if (defsalt.length)
krb5_xfree(defsalt.data);
@@ -144,6 +146,10 @@ krb5_get_init_creds_password(krb5_context context, krb5_creds *creds, krb5_princ
if (!use_master) {
use_master = 1;
+ if (as_reply) {
+ krb5_free_kdc_rep( context, as_reply);
+ as_reply = NULL;
+ }
ret2 = krb5_get_init_creds(context, creds, client, prompter, data,
start_time, in_tkt_service, options,
krb5_get_as_key_password, (void *) &pw0,
@@ -158,7 +164,8 @@ krb5_get_init_creds_password(krb5_context context, krb5_creds *creds, krb5_princ
slave we were able to contact */
if ((ret2 == KRB5_KDC_UNREACH) ||
- (ret2 == KRB5_REALM_CANT_RESOLVE))
+ (ret2 == KRB5_REALM_CANT_RESOLVE) ||
+ (ret2 == KRB5_REALM_UNKNOWN))
goto cleanup;
ret = ret2;
@@ -366,3 +373,109 @@ cleanup:
return(ret);
}
+void krb5int_populate_gic_opt (
+ krb5_context context, krb5_get_init_creds_opt *opt,
+ krb5_flags options, krb5_address * const *addrs, krb5_enctype *ktypes,
+ krb5_preauthtype *pre_auth_types)
+{
+ int i;
+ krb5_get_init_creds_opt_init(opt);
+ if (addrs)
+ krb5_get_init_creds_opt_set_address_list(opt, (krb5_address **) addrs);
+ if (ktypes) {
+ for (i=0; ktypes[i]; i++);
+ if (i)
+ krb5_get_init_creds_opt_set_etype_list(opt, ktypes, i);
+ }
+ if (pre_auth_types) {
+ for (i=0; pre_auth_types[i]; i++);
+ if (i)
+ krb5_get_init_creds_opt_set_preauth_list(opt, pre_auth_types, i);
+ }
+ if (options&KDC_OPT_FORWARDABLE)
+ krb5_get_init_creds_opt_set_forwardable(opt, 1);
+ else krb5_get_init_creds_opt_set_forwardable(opt, 0);
+ if (options&KDC_OPT_PROXIABLE)
+ krb5_get_init_creds_opt_set_proxiable(opt, 1);
+ else krb5_get_init_creds_opt_set_proxiable(opt, 0);
+
+
+}
+
+/*
+ Rewrites get_in_tkt in terms of newer get_init_creds API.
+ Attempts to get an initial ticket for creds->client to use server
+ creds->server, (realm is taken from creds->client), with options
+ options, and using creds->times.starttime, creds->times.endtime,
+ creds->times.renew_till as from, till, and rtime.
+ creds->times.renew_till is ignored unless the RENEWABLE option is requested.
+
+ If addrs is non-NULL, it is used for the addresses requested. If it is
+ null, the system standard addresses are used.
+
+ If password is non-NULL, it is converted using the cryptosystem entry
+ point for a string conversion routine, seeded with the client's name.
+ If password is passed as NULL, the password is read from the terminal,
+ and then converted into a key.
+
+ A succesful call will place the ticket in the credentials cache ccache.
+
+ returns system errors, encryption errors
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options,
+ krb5_address *const *addrs, krb5_enctype *ktypes,
+ krb5_preauthtype *pre_auth_types,
+ const char *password, krb5_ccache ccache,
+ krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
+{
+ krb5_error_code retval;
+ krb5_data pw0;
+ char pw0array[1024];
+ krb5_get_init_creds_opt opt;
+ char * server;
+ krb5_principal server_princ, client_princ;
+
+ pw0array[0] = '\0';
+ pw0.data = pw0array;
+ if (password) {
+ pw0.length = strlen(password);
+ if (pw0.length > sizeof(pw0array))
+ return EINVAL;
+ strncpy(pw0.data, password, sizeof(pw0array));
+ if (pw0.length == 0)
+ pw0.length = sizeof(pw0array);
+ } else {
+ pw0.length = sizeof(pw0array);
+ }
+ krb5int_populate_gic_opt(context, &opt,
+ options, addrs, ktypes,
+ pre_auth_types);
+ retval = krb5_unparse_name( context, creds->server, &server);
+ if (retval)
+ return (retval);
+ server_princ = creds->server;
+ client_princ = creds->client;
+ retval = krb5_get_init_creds (context,
+ creds, creds->client,
+ krb5_prompter_posix, NULL,
+ 0, server, &opt,
+ krb5_get_as_key_password, &pw0,
+ 0, ret_as_reply);
+ krb5_free_unparsed_name( context, server);
+ if (retval) {
+ return (retval);
+ }
+ if (creds->server)
+ krb5_free_principal( context, creds->server);
+ if (creds->client)
+ krb5_free_principal( context, creds->client);
+ creds->client = client_princ;
+ creds->server = server_princ;
+ /* store it in the ccache! */
+ if (ccache)
+ if ((retval = krb5_cc_store_cred(context, ccache, creds)))
+ return (retval);
+ return retval;
+ }
+
diff --git a/src/lib/krb5/krb/in_tkt_ktb.c b/src/lib/krb5/krb/in_tkt_ktb.c
deleted file mode 100644
index db4f3b4..0000000
--- a/src/lib/krb5/krb/in_tkt_ktb.c
+++ /dev/null
@@ -1,125 +0,0 @@
-/*
- * lib/krb5/krb/in_tkt_ktb.c
- *
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * krb5_get_in_tkt_with_keytab()
- *
- */
-
-#include "k5-int.h"
-
-struct keytab_keyproc_arg {
- krb5_keytab keytab;
- krb5_principal client;
-};
-
-/*
- * Key-generator for in_tkt_keytab, below.
- * "keyseed" is actually a krb5_keytab, or NULL if we should fetch
- * from system area.
- */
-static krb5_error_code keytab_keyproc
- (krb5_context,
- const krb5_enctype,
- krb5_data *,
- krb5_const_pointer,
- krb5_keyblock **);
-
-static krb5_error_code
-keytab_keyproc(krb5_context context, krb5_enctype type, krb5_data *salt,
- krb5_const_pointer keyseed, krb5_keyblock **key)
-{
- const struct keytab_keyproc_arg * arg =
- (const struct keytab_keyproc_arg *)keyseed;
- krb5_keyblock *realkey;
- krb5_error_code retval = 0;
- krb5_keytab kt_id;
- krb5_keytab_entry kt_ent;
-
- kt_id = arg->keytab;
-
- if (!krb5_c_valid_enctype(type))
- return KRB5_PROG_ETYPE_NOSUPP;
-
- if (kt_id == NULL)
- /* Fetch from default keytab location */
- if ((retval = krb5_kt_default(context, &kt_id)))
- return retval;
-
-
- if ((retval = krb5_kt_get_entry(context, kt_id, arg->client,
- 0, /* don't have vno available */
- type, &kt_ent)))
- goto cleanup;
-
- if ((retval = krb5_copy_keyblock(context, &kt_ent.key, &realkey))) {
- (void) krb5_kt_free_entry(context, &kt_ent);
- goto cleanup;
- }
-
- (void) krb5_kt_free_entry(context, &kt_ent);
- *key = realkey;
-
-cleanup:
- if (! arg->keytab)
- krb5_kt_close(context, kt_id);
- return retval;
-}
-
-/*
- Similar to krb5_get_in_tkt_with_skey.
-
- Attempts to get an initial ticket for creds->client to use server
- creds->server, (realm is taken from creds->client), with options
- options, and using creds->times.starttime, creds->times.endtime,
- creds->times.renew_till as from, till, and rtime.
- creds->times.renew_till is ignored unless the RENEWABLE option is requested.
-
- If addrs is non-NULL, it is used for the addresses requested. If it is
- null, the system standard addresses are used.
-
- A succesful call will place the ticket in the credentials cache ccache.
-
- returns system errors, encryption errors
-
- */
-krb5_error_code KRB5_CALLCONV
-krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options,
- krb5_address *const *addrs, krb5_enctype *ktypes,
- krb5_preauthtype *pre_auth_types,
- krb5_keytab keytab, krb5_ccache ccache,
- krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
-{
- struct keytab_keyproc_arg arg;
-
- arg.keytab = keytab;
- arg.client = creds->client;
-
- return(krb5_get_in_tkt(context, options, addrs, ktypes,
- pre_auth_types,
- keytab_keyproc, (krb5_pointer)&arg,
- krb5_kdc_rep_decrypt_proc, 0, creds,
- ccache, ret_as_reply));
-}
diff --git a/src/lib/krb5/krb/in_tkt_pwd.c b/src/lib/krb5/krb/in_tkt_pwd.c
deleted file mode 100644
index 1d9ad2e..0000000
--- a/src/lib/krb5/krb/in_tkt_pwd.c
+++ /dev/null
@@ -1,123 +0,0 @@
-/*
- * lib/krb5/krb/in_tkt_pwd.c
- *
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * krb5_get_in_tkt_with_password()
- */
-
-#include "k5-int.h"
-
-extern char *krb5_default_pwd_prompt1;
-
-/*
- * key-producing procedure for use by krb5_get_in_tkt_with_password.
- */
-static krb5_error_code pwd_keyproc
- (krb5_context,
- const krb5_enctype,
- krb5_data *,
- krb5_const_pointer,
- krb5_keyblock **);
-
-static krb5_error_code
-pwd_keyproc(krb5_context context, krb5_enctype type, krb5_data *salt,
- krb5_const_pointer keyseed, krb5_keyblock **key)
-{
- krb5_error_code retval;
- krb5_data * password;
- unsigned int pwsize;
-
- password = (krb5_data *)keyseed;
-
- if (!password->length) {
- pwsize = BUFSIZ;
- if ((password->data = malloc(pwsize)) == NULL)
- return ENOMEM;
-
- if ((retval = krb5_read_password(context, krb5_default_pwd_prompt1, 0,
- password->data, &pwsize))) {
- return retval;
- }
- password->length = pwsize;
- }
-
- if (!(*key = (krb5_keyblock *)malloc(sizeof(**key))))
- return ENOMEM;
-
- if ((retval = krb5_c_string_to_key(context, type, password, salt, *key)))
- krb5_xfree(*key);
-
- return(retval);
-}
-
-/*
- Attempts to get an initial ticket for creds->client to use server
- creds->server, (realm is taken from creds->client), with options
- options, and using creds->times.starttime, creds->times.endtime,
- creds->times.renew_till as from, till, and rtime.
- creds->times.renew_till is ignored unless the RENEWABLE option is requested.
-
- If addrs is non-NULL, it is used for the addresses requested. If it is
- null, the system standard addresses are used.
-
- If password is non-NULL, it is converted using the cryptosystem entry
- point for a string conversion routine, seeded with the client's name.
- If password is passed as NULL, the password is read from the terminal,
- and then converted into a key.
-
- A succesful call will place the ticket in the credentials cache ccache.
-
- returns system errors, encryption errors
- */
-krb5_error_code KRB5_CALLCONV
-krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options,
- krb5_address *const *addrs, krb5_enctype *ktypes,
- krb5_preauthtype *pre_auth_types,
- const char *password, krb5_ccache ccache,
- krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
-{
- krb5_error_code retval;
- krb5_data data;
-
-
- if ((data.data = (char *)password)) {
- data.length = strlen(password);
- } else {
- data.length = 0;
- }
-
- retval = krb5_get_in_tkt(context, options, addrs, ktypes, pre_auth_types,
- pwd_keyproc, (krb5_pointer) &data,
- krb5_kdc_rep_decrypt_proc, 0,
- creds, ccache, ret_as_reply);
-
- if ((password == NULL) && (data.data)) {
- memset(data.data, 0, strlen(data.data));
- free(data.data);
- }
-
- return retval;
-}
-
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index 59b6123..2740d83 100644
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -1,7 +1,7 @@
/*
* lib/krb5/krb/init_ctx.c
*
- * Copyright 1994,1999,2000, 2002 by the Massachusetts Institute of Technology.
+ * Copyright 1994,1999,2000, 2002, 2003 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -65,9 +65,15 @@
them. This'll be fixed, but for better compatibility, let's prefer
des-crc for now. */
#define DEFAULT_ETYPE_LIST \
+ "aes256-cts-hmac-sha1-96 " \
+ "aes128-cts-hmac-sha1-96 " \
"des3-cbc-sha1 arcfour-hmac-md5 " \
"des-cbc-crc des-cbc-md5 des-cbc-md4 "
+/* Not included:
+ "aes128-cts-hmac-sha1-96 " \
+ */
+
#if (defined(_WIN32))
extern krb5_error_code krb5_vercheck();
extern void krb5_win_ccdll_load(krb5_context context);
@@ -142,6 +148,13 @@ init_common (krb5_context *context, krb5_boolean secure)
if ((retval = krb5_set_default_tgs_ktypes(ctx, NULL)))
goto cleanup;
+ ctx->conf_tgs_ktypes = calloc(ctx->tgs_ktype_count, sizeof(krb5_enctype));
+ if (ctx->conf_tgs_ktypes == NULL && ctx->tgs_ktype_count != 0)
+ goto cleanup;
+ memcpy(ctx->conf_tgs_ktypes, ctx->tgs_ktypes,
+ sizeof(krb5_enctype) * ctx->tgs_ktype_count);
+ ctx->conf_tgs_ktypes_count = ctx->tgs_ktype_count;
+
if ((retval = krb5_os_init_context(ctx)))
goto cleanup;
@@ -189,11 +202,7 @@ init_common (krb5_context *context, krb5_boolean secure)
"kdc_default_options", 0,
KDC_OPT_RENEWABLE_OK, &tmp);
ctx->kdc_default_options = tmp;
-#if TARGET_OS_MAC
#define DEFAULT_KDC_TIMESYNC 1
-#else
-#define DEFAULT_KDC_TIMESYNC 0
-#endif
profile_get_integer(ctx->profile, "libdefaults",
"kdc_timesync", 0, DEFAULT_KDC_TIMESYNC,
&tmp);
@@ -207,16 +216,13 @@ init_common (krb5_context *context, krb5_boolean secure)
* Note: DCE 1.0.3a only supports a cache type of 1
* DCE 1.1 supports a cache type of 2.
*/
-#if TARGET_OS_MAC
#define DEFAULT_CCACHE_TYPE 4
-#else
-#define DEFAULT_CCACHE_TYPE 3
-#endif
profile_get_integer(ctx->profile, "libdefaults", "ccache_type",
0, DEFAULT_CCACHE_TYPE, &tmp);
ctx->fcc_default_format = tmp + 0x0500;
ctx->scc_default_format = tmp + 0x0500;
ctx->prompt_types = 0;
+ ctx->use_conf_ktypes = 0;
ctx->udp_pref_limit = -1;
*context = ctx;
@@ -243,6 +249,11 @@ krb5_free_context(krb5_context ctx)
ctx->tgs_ktypes = 0;
}
+ if (ctx->conf_tgs_ktypes) {
+ free(ctx->conf_tgs_ktypes);
+ ctx->conf_tgs_ktypes = 0;
+ }
+
if (ctx->default_realm) {
free(ctx->default_realm);
ctx->default_realm = 0;
@@ -291,7 +302,8 @@ krb5_set_default_in_tkt_ktypes(krb5_context context, const krb5_enctype *ktypes)
}
static krb5_error_code
-get_profile_etype_list(krb5_context context, krb5_enctype **ktypes, char *profstr, int ctx_count, krb5_enctype *ctx_list)
+get_profile_etype_list(krb5_context context, krb5_enctype **ktypes, char *profstr,
+ int ctx_count, krb5_enctype *ctx_list)
{
krb5_enctype *old_ktypes;
@@ -426,12 +438,19 @@ krb5_error_code
KRB5_CALLCONV
krb5_get_tgs_ktypes(krb5_context context, krb5_const_principal princ, krb5_enctype **ktypes)
{
- return(get_profile_etype_list(context, ktypes, "default_tgs_enctypes",
- context->tgs_ktype_count,
- context->tgs_ktypes));
+ if (context->use_conf_ktypes)
+ /* This one is set *only* by reading the config file; it's not
+ set by the application. */
+ return(get_profile_etype_list(context, ktypes, "default_tgs_enctypes",
+ context->conf_tgs_ktypes_count,
+ context->conf_tgs_ktypes));
+ else
+ return(get_profile_etype_list(context, ktypes, "default_tgs_enctypes",
+ context->tgs_ktype_count,
+ context->tgs_ktypes));
}
-krb5_error_code
+krb5_error_code KRB5_CALLCONV
krb5_get_permitted_enctypes(krb5_context context, krb5_enctype **ktypes)
{
return(get_profile_etype_list(context, ktypes, "permitted_enctypes",
diff --git a/src/lib/krb5/krb/kfree.c b/src/lib/krb5/krb/kfree.c
index 46d485d..4700439 100644
--- a/src/lib/krb5/krb/kfree.c
+++ b/src/lib/krb5/krb/kfree.c
@@ -246,6 +246,7 @@ void krb5_free_etype_info(krb5_context context, krb5_etype_info info)
for(i=0; info[i] != NULL; i++) {
if (info[i]->salt)
free(info[i]->salt);
+ krb5_free_data_contents( context, &info[i]->s2kparams);
free(info[i]);
}
free(info);
@@ -429,14 +430,20 @@ krb5_free_pwd_data(krb5_context context, krb5_pwd_data *val)
void KRB5_CALLCONV
krb5_free_pwd_sequences(krb5_context context, passwd_phrase_element **val)
{
- if ((*val)->passwd) {
- krb5_xfree((*val)->passwd);
- (*val)->passwd = 0;
- }
- if ((*val)->phrase) {
- krb5_xfree((*val)->phrase);
- (*val)->phrase = 0;
+ register passwd_phrase_element **temp;
+
+ for (temp = val; *temp; temp++) {
+ if ((*temp)->passwd) {
+ krb5_free_data(context, (*temp)->passwd);
+ (*temp)->passwd = 0;
+ }
+ if ((*temp)->phrase) {
+ krb5_free_data(context, (*temp)->phrase);
+ (*temp)->phrase = 0;
+ }
+ krb5_xfree(*temp);
}
+ krb5_xfree(val);
}
diff --git a/src/lib/krb5/krb/mk_cred.c b/src/lib/krb5/krb/mk_cred.c
index 6389298..04248c0 100644
--- a/src/lib/krb5/krb/mk_cred.c
+++ b/src/lib/krb5/krb/mk_cred.c
@@ -182,9 +182,8 @@ krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context, krb5_creds *
memset(pcred->tickets, 0, sizeof(krb5_ticket *) * (ncred +1));
/* Get keyblock */
- if ((keyblock = auth_context->local_subkey) == NULL)
- if ((keyblock = auth_context->remote_subkey) == NULL)
- keyblock = auth_context->keyblock;
+ if ((keyblock = auth_context->send_subkey) == NULL)
+ keyblock = auth_context->keyblock;
/* Get replay info */
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
diff --git a/src/lib/krb5/krb/mk_priv.c b/src/lib/krb5/krb/mk_priv.c
index 196b6ee..efe254a 100644
--- a/src/lib/krb5/krb/mk_priv.c
+++ b/src/lib/krb5/krb/mk_priv.c
@@ -119,9 +119,8 @@ krb5_mk_priv(krb5_context context, krb5_auth_context auth_context,
memset((char *) &replaydata, 0, sizeof(krb5_replay_data));
/* Get keyblock */
- if ((keyblock = auth_context->local_subkey) == NULL)
- if ((keyblock = auth_context->remote_subkey) == NULL)
- keyblock = auth_context->keyblock;
+ if ((keyblock = auth_context->send_subkey) == NULL)
+ keyblock = auth_context->keyblock;
/* Get replay info */
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
diff --git a/src/lib/krb5/krb/mk_rep.c b/src/lib/krb5/krb/mk_rep.c
index 31f3fe5..393f634 100644
--- a/src/lib/krb5/krb/mk_rep.c
+++ b/src/lib/krb5/krb/mk_rep.c
@@ -59,7 +59,14 @@ krb5_mk_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *out
repl.ctime = auth_context->authentp->ctime;
repl.cusec = auth_context->authentp->cusec;
- repl.subkey = auth_context->authentp->subkey;
+ if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_USE_SUBKEY) {
+ retval = krb5int_generate_and_save_subkey (context, auth_context,
+ auth_context->keyblock);
+ if (retval)
+ return retval;
+ repl.subkey = auth_context->send_subkey;
+ } else
+ repl.subkey = auth_context->authentp->subkey;
repl.seq_number = auth_context->local_seq_number;
/* encode it before encrypting */
diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c
index 1ed14a9..cdb8f69 100644
--- a/src/lib/krb5/krb/mk_req_ext.c
+++ b/src/lib/krb5/krb/mk_req_ext.c
@@ -68,7 +68,39 @@ static krb5_error_code
krb5_generate_authenticator (krb5_context,
krb5_authenticator *, krb5_principal,
krb5_checksum *, krb5_keyblock *,
- krb5_int32, krb5_authdata ** );
+ krb5_ui_4, krb5_authdata ** );
+
+krb5_error_code
+krb5int_generate_and_save_subkey (krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_keyblock *keyblock)
+{
+ /* Provide some more fodder for random number code.
+ This isn't strong cryptographically; the point here is not
+ to guarantee randomness, but to make it less likely that multiple
+ sessions could pick the same subkey. */
+ struct {
+ krb5_int32 sec, usec;
+ } rnd_data;
+ krb5_data d;
+ krb5_error_code retval;
+
+ krb5_crypto_us_timeofday (&rnd_data.sec, &rnd_data.usec);
+ d.length = sizeof (rnd_data);
+ d.data = (char *) &rnd_data;
+ (void) krb5_c_random_add_entropy (context, KRB5_C_RANDSOURCE_TIMING, &d);
+
+ if ((retval = krb5_generate_subkey(context, keyblock, &auth_context->send_subkey)))
+ return retval;
+ retval = krb5_copy_keyblock(context, auth_context->send_subkey,
+ &auth_context->recv_subkey);
+ if (retval) {
+ krb5_free_keyblock(context, auth_context->send_subkey);
+ auth_context->send_subkey = NULL;
+ return retval;
+ }
+ return 0;
+}
krb5_error_code KRB5_CALLCONV
krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
@@ -130,22 +162,10 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
goto cleanup;
}
- if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->local_subkey)) {
- /* Provide some more fodder for random number code.
- This isn't strong cryptographically; the point here is not
- to guarantee randomness, but to make it less likely that multiple
- sessions could pick the same subkey. */
- struct {
- krb5_int32 sec, usec;
- } rnd_data;
- krb5_data d;
- krb5_crypto_us_timeofday (&rnd_data.sec, &rnd_data.usec);
- d.length = sizeof (rnd_data);
- d.data = (char *) &rnd_data;
- (void) krb5_c_random_add_entropy (context, KRB5_C_RANDSOURCE_TIMING, &d);
-
- if ((retval = krb5_generate_subkey(context, &(in_creds)->keyblock,
- &(*auth_context)->local_subkey)))
+ if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->send_subkey)) {
+ retval = krb5int_generate_and_save_subkey (context, *auth_context,
+ &in_creds->keyblock);
+ if (retval)
goto cleanup;
}
@@ -178,7 +198,7 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
if ((retval = krb5_generate_authenticator(context,
(*auth_context)->authentp,
(in_creds)->client, checksump,
- (*auth_context)->local_subkey,
+ (*auth_context)->send_subkey,
(*auth_context)->local_seq_number,
(in_creds)->authdata)))
goto cleanup_cksum;
@@ -232,7 +252,7 @@ cleanup:
}
static krb5_error_code
-krb5_generate_authenticator(krb5_context context, krb5_authenticator *authent, krb5_principal client, krb5_checksum *cksum, krb5_keyblock *key, krb5_int32 seq_number, krb5_authdata **authorization)
+krb5_generate_authenticator(krb5_context context, krb5_authenticator *authent, krb5_principal client, krb5_checksum *cksum, krb5_keyblock *key, krb5_ui_4 seq_number, krb5_authdata **authorization)
{
krb5_error_code retval;
diff --git a/src/lib/krb5/krb/mk_safe.c b/src/lib/krb5/krb/mk_safe.c
index 992a456..eefcab7 100644
--- a/src/lib/krb5/krb/mk_safe.c
+++ b/src/lib/krb5/krb/mk_safe.c
@@ -120,9 +120,8 @@ krb5_mk_safe(krb5_context context, krb5_auth_context auth_context, const krb5_da
memset((char *) &replaydata, 0, sizeof(krb5_replay_data));
/* Get keyblock */
- if ((keyblock = auth_context->local_subkey) == NULL)
- if ((keyblock = auth_context->remote_subkey) == NULL)
- keyblock = auth_context->keyblock;
+ if ((keyblock = auth_context->send_subkey) == NULL)
+ keyblock = auth_context->keyblock;
/* Get replay info */
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
diff --git a/src/lib/krb5/krb/parse.c b/src/lib/krb5/krb/parse.c
index abbcfbe..3debb6a 100644
--- a/src/lib/krb5/krb/parse.c
+++ b/src/lib/krb5/krb/parse.c
@@ -170,11 +170,13 @@ krb5_parse_name(krb5_context context, const char *name, krb5_principal *nprincip
cp++;
size++;
} else if (c == COMPONENT_SEP) {
- krb5_princ_component(context, principal, i)->length = size;
+ if (krb5_princ_size(context, principal) > i)
+ krb5_princ_component(context, principal, i)->length = size;
size = 0;
i++;
} else if (c == REALM_SEP) {
- krb5_princ_component(context, principal, i)->length = size;
+ if (krb5_princ_size(context, principal) > i)
+ krb5_princ_component(context, principal, i)->length = size;
size = 0;
parsed_realm = cp+1;
} else
@@ -183,7 +185,8 @@ krb5_parse_name(krb5_context context, const char *name, krb5_principal *nprincip
if (parsed_realm)
krb5_princ_realm(context, principal)->length = size;
else
- krb5_princ_component(context, principal, i)->length = size;
+ if (krb5_princ_size(context, principal) > i)
+ krb5_princ_component(context, principal, i)->length = size;
if (i + 1 != components) {
#if !defined(_WIN32) && !defined(macintosh)
fprintf(stderr,
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index e50440e..6238a82 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -35,7 +35,7 @@ typedef krb5_error_code (*pa_function)(krb5_context,
krb5_kdc_req *request,
krb5_pa_data *in_padata,
krb5_pa_data **out_padata,
- krb5_data *salt,
+ krb5_data *salt, krb5_data *s2kparams,
krb5_enctype *etype,
krb5_keyblock *as_key,
krb5_prompter_fct prompter_fct,
@@ -57,7 +57,7 @@ krb5_error_code pa_salt(krb5_context context,
krb5_kdc_req *request,
krb5_pa_data *in_padata,
krb5_pa_data **out_padata,
- krb5_data *salt,
+ krb5_data *salt, krb5_data *s2kparams,
krb5_enctype *etype,
krb5_keyblock *as_key,
krb5_prompter_fct prompter, void *prompter_data,
@@ -65,22 +65,11 @@ krb5_error_code pa_salt(krb5_context context,
{
krb5_data tmp;
- /* screw the abstraction. If there was a *reasonable* copy_data,
- I'd use it. But I'm inside the library, which is the twilight
- zone of source code, so I can do anything. */
-
+ tmp.data = in_padata->contents;
tmp.length = in_padata->length;
- if (tmp.length) {
- if ((tmp.data = malloc(tmp.length)) == NULL)
- return ENOMEM;
- memcpy(tmp.data, in_padata->contents, tmp.length);
- } else {
- tmp.data = NULL;
- }
-
- *salt = tmp;
-
- /* assume that no other salt was allocated */
+ krb5_free_data_contents(context, salt);
+ krb5int_copy_data_contents(context, &tmp, salt);
+
if (in_padata->pa_type == KRB5_PADATA_AFS3_SALT)
salt->length = SALT_TYPE_AFS_LENGTH;
@@ -94,6 +83,7 @@ krb5_error_code pa_enc_timestamp(krb5_context context,
krb5_pa_data *in_padata,
krb5_pa_data **out_padata,
krb5_data *salt,
+ krb5_data *s2kparams,
krb5_enctype *etype,
krb5_keyblock *as_key,
krb5_prompter_fct prompter,
@@ -119,7 +109,7 @@ krb5_error_code pa_enc_timestamp(krb5_context context,
if ((ret = ((*gak_fct)(context, request->client,
*etype ? *etype : request->ktype[0],
prompter, prompter_data,
- salt, as_key, gak_data))))
+ salt, s2kparams, as_key, gak_data))))
return(ret);
}
@@ -233,6 +223,7 @@ krb5_error_code pa_sam(krb5_context context,
krb5_pa_data *in_padata,
krb5_pa_data **out_padata,
krb5_data *salt,
+ krb5_data *s2kparams,
krb5_enctype *etype,
krb5_keyblock *as_key,
krb5_prompter_fct prompter,
@@ -283,7 +274,7 @@ krb5_error_code pa_sam(krb5_context context,
*etype = ENCTYPE_DES_CBC_CRC;
if ((ret = (gak_fct)(context, request->client, *etype, prompter,
- prompter_data, salt, as_key, gak_data)))
+ prompter_data, salt, s2kparams, as_key, gak_data)))
return(ret);
}
sprintf(name, "%.*s",
@@ -472,6 +463,7 @@ krb5_error_code pa_sam_2(krb5_context context,
krb5_pa_data *in_padata,
krb5_pa_data **out_padata,
krb5_data *salt,
+ krb5_data *s2kparams,
krb5_enctype *etype,
krb5_keyblock *as_key,
krb5_prompter_fct prompter,
@@ -542,7 +534,7 @@ krb5_error_code pa_sam_2(krb5_context context,
retval = (gak_fct)(context, request->client,
sc2b->sam_etype, prompter,
- prompter_data, salt, as_key, gak_data);
+ prompter_data, salt, s2kparams, as_key, gak_data);
if (retval) {
krb5_free_sam_challenge_2(context, sc2);
krb5_free_sam_challenge_2_body(context, sc2b);
@@ -827,87 +819,19 @@ static const pa_types_t pa_types[] = {
},
};
-static void
-sort_etype_info(krb5_context context, krb5_kdc_req *request,
- krb5_etype_info_entry **etype_info)
-{
-/* Originally adapted from a proposed solution in ticket 1006. This
- * solution is not efficient, but implementing an efficient sort
- * with a comparison function based on order in the kdc request would
- * be difficult.*/
- krb5_etype_info_entry *tmp;
- int i, j, e;
- krb5_boolean similar;
-
- if (etype_info == NULL)
- return;
-
- /* First, move up etype_info_entries whose enctype exactly matches a
- * requested enctype.
- */
- e = 0;
- for ( i = 0 ; i < request->nktypes && etype_info[e] != NULL ; i++ )
- {
- if (request->ktype[i] == etype_info[e]->etype)
- {
- e++;
- continue;
- }
- for ( j = e+1 ; etype_info[j] ; j++ )
- if (request->ktype[i] == etype_info[j]->etype)
- break;
- if (etype_info[j] == NULL)
- continue;
-
- tmp = etype_info[j];
- etype_info[j] = etype_info[e];
- etype_info[e] = tmp;
- e++;
- }
-
- /* Then move up etype_info_entries whose enctype is similar to a
- * requested enctype.
- */
- for ( i = 0 ; i < request->nktypes && etype_info[e] != NULL ; i++ )
- {
- if (krb5_c_enctype_compare(context, request->ktype[i], etype_info[e]->etype, &similar) != 0)
- continue;
-
- if (similar)
- {
- e++;
- continue;
- }
- for ( j = e+1 ; etype_info[j] ; j++ )
- {
- if (krb5_c_enctype_compare(context, request->ktype[i], etype_info[j]->etype, &similar) != 0)
- continue;
-
- if (similar)
- break;
- }
- if (etype_info[j] == NULL)
- continue;
-
- tmp = etype_info[j];
- etype_info[j] = etype_info[e];
- etype_info[e] = tmp;
- e++;
- }
-}
-
-
krb5_error_code
krb5_do_preauth(krb5_context context,
krb5_kdc_req *request,
krb5_pa_data **in_padata, krb5_pa_data ***out_padata,
- krb5_data *salt, krb5_enctype *etype,
+ krb5_data *salt, krb5_data *s2kparams,
+ krb5_enctype *etype,
krb5_keyblock *as_key,
krb5_prompter_fct prompter, void *prompter_data,
krb5_gic_get_as_key_fct gak_fct, void *gak_data)
{
int h, i, j, out_pa_list_size;
- krb5_pa_data *out_pa, **out_pa_list;
+ int seen_etype_info2 = 0;
+ krb5_pa_data *out_pa = NULL, **out_pa_list = NULL;
krb5_data scratch;
krb5_etype_info etype_info = NULL;
krb5_error_code ret;
@@ -938,6 +862,7 @@ krb5_do_preauth(krb5_context context,
for (h=0; h<(sizeof(paorder)/sizeof(paorder[0])); h++) {
realdone = 0;
for (i=0; in_padata[i] && !realdone; i++) {
+ int k, l, etype_found, valid_etype_found;
/*
* This is really gross, but is necessary to prevent
* lossge when talking to a 1.0.x KDC, which returns an
@@ -946,27 +871,81 @@ krb5_do_preauth(krb5_context context,
*/
switch (in_padata[i]->pa_type) {
case KRB5_PADATA_ETYPE_INFO:
- if (etype_info)
- continue;
+ case KRB5_PADATA_ETYPE_INFO2:
+ {
+ krb5_preauthtype pa_type = in_padata[i]->pa_type;
+ if (etype_info) {
+ if (seen_etype_info2 || pa_type != KRB5_PADATA_ETYPE_INFO2)
+ continue;
+ if (pa_type == KRB5_PADATA_ETYPE_INFO2) {
+ krb5_free_etype_info( context, etype_info);
+ etype_info = NULL;
+ }
+ }
+
scratch.length = in_padata[i]->length;
scratch.data = (char *) in_padata[i]->contents;
- ret = decode_krb5_etype_info(&scratch, &etype_info);
+ if (pa_type == KRB5_PADATA_ETYPE_INFO2) {
+ seen_etype_info2++;
+ ret = decode_krb5_etype_info2(&scratch, &etype_info);
+ }
+ else ret = decode_krb5_etype_info(&scratch, &etype_info);
if (ret) {
- if (out_pa_list) {
- out_pa_list[out_pa_list_size++] = NULL;
- krb5_free_pa_data(context, out_pa_list);
- }
- return ret;
+ ret = 0; /*Ignore error and etype_info element*/
+ krb5_free_etype_info( context, etype_info);
+ etype_info = NULL;
+ continue;
}
if (etype_info[0] == NULL) {
krb5_free_etype_info(context, etype_info);
etype_info = NULL;
break;
}
- sort_etype_info(context, request, etype_info);
- salt->data = (char *) etype_info[0]->salt;
- salt->length = etype_info[0]->length;
- *etype = etype_info[0]->etype;
+ /*
+ * Select first etype in our request which is also in
+ * etype-info (preferring client request ktype order).
+ */
+ for (etype_found = 0, valid_etype_found = 0, k = 0;
+ !etype_found && k < request->nktypes; k++) {
+ for (l = 0; etype_info[l]; l++) {
+ if (etype_info[l]->etype == request->ktype[k]) {
+ etype_found++;
+ break;
+ }
+ /* check if program has support for this etype for more
+ * precise error reporting.
+ */
+ if (valid_enctype(etype_info[l]->etype))
+ valid_etype_found++;
+ }
+ }
+ if (!etype_found) {
+ if (valid_etype_found) {
+ /* supported enctype but not requested */
+ ret = KRB5_CONFIG_ETYPE_NOSUPP;
+ goto cleanup;
+ }
+ else {
+ /* unsupported enctype */
+ ret = KRB5_PROG_ETYPE_NOSUPP;
+ goto cleanup;
+ }
+
+ }
+ scratch.data = (char *) etype_info[l]->salt;
+ scratch.length = etype_info[l]->length;
+ krb5_free_data_contents(context, salt);
+ if (scratch.length == KRB5_ETYPE_NO_SALT)
+ salt->data = NULL;
+ else
+ if ((ret = krb5int_copy_data_contents( context, &scratch, salt)) != 0)
+ goto cleanup;
+ *etype = etype_info[l]->etype;
+ krb5_free_data_contents(context, s2kparams);
+ if ((ret = krb5int_copy_data_contents(context,
+ &etype_info[l]->s2kparams,
+ s2kparams)) != 0)
+ goto cleanup;
#ifdef DEBUG
for (j = 0; etype_info[j]; j++) {
krb5_etype_info_entry *e = etype_info[j];
@@ -978,6 +957,7 @@ krb5_do_preauth(krb5_context context,
}
#endif
break;
+ }
case KRB5_PADATA_PW_SALT:
case KRB5_PADATA_AFS3_SALT:
if (etype_info)
@@ -993,16 +973,10 @@ krb5_do_preauth(krb5_context context,
if ((ret = ((*pa_types[j].fct)(context, request,
in_padata[i], &out_pa,
- salt, etype, as_key,
+ salt, s2kparams, etype, as_key,
prompter, prompter_data,
gak_fct, gak_data)))) {
- if (out_pa_list) {
- out_pa_list[out_pa_list_size++] = NULL;
- krb5_free_pa_data(context, out_pa_list);
- }
- if (etype_info)
- krb5_free_etype_info(context, etype_info);
- return(ret);
+ goto cleanup;
}
if (out_pa) {
@@ -1010,18 +984,22 @@ krb5_do_preauth(krb5_context context,
if ((out_pa_list =
(krb5_pa_data **)
malloc(2*sizeof(krb5_pa_data *)))
- == NULL)
- return(ENOMEM);
+ == NULL) {
+ ret = ENOMEM;
+ goto cleanup;
+ }
} else {
if ((out_pa_list =
(krb5_pa_data **)
realloc(out_pa_list,
(out_pa_list_size+2)*
sizeof(krb5_pa_data *)))
- == NULL)
- /* XXX this will leak the pointers which
+ == NULL) {
+ /* XXX this will leak the pointers which
have already been allocated. oh well. */
- return(ENOMEM);
+ ret = ENOMEM;
+ goto cleanup;
+ }
}
out_pa_list[out_pa_list_size++] = out_pa;
@@ -1037,6 +1015,16 @@ krb5_do_preauth(krb5_context context,
out_pa_list[out_pa_list_size++] = NULL;
*out_padata = out_pa_list;
-
+ if (etype_info)
+ krb5_free_etype_info(context, etype_info);
+
return(0);
+ cleanup:
+ if (out_pa_list) {
+ out_pa_list[out_pa_list_size++] = NULL;
+ krb5_free_pa_data(context, out_pa_list);
+ }
+ if (etype_info)
+ krb5_free_etype_info(context, etype_info);
+ return (ret);
}
diff --git a/src/lib/krb5/krb/rd_cred.c b/src/lib/krb5/krb/rd_cred.c
index 228219f..11be47f 100644
--- a/src/lib/krb5/krb/rd_cred.c
+++ b/src/lib/krb5/krb/rd_cred.c
@@ -33,15 +33,11 @@ decrypt_credencdata(krb5_context context, krb5_cred *pcred, krb5_keyblock *pkeyb
/* now decode the decrypted stuff */
if ((retval = decode_krb5_enc_cred_part(&scratch, &ppart)))
- goto cleanup_encpart;
+ goto cleanup;
*pcredenc = *ppart;
retval = 0;
-cleanup_encpart:
- memset(ppart, 0, sizeof(*ppart));
- krb5_xfree(ppart);
-
cleanup:
memset(scratch.data, 0, scratch.length);
krb5_xfree(scratch.data);
@@ -169,9 +165,8 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context, krb5_data *pc
krb5_replay_data replaydata;
/* Get keyblock */
- if ((keyblock = auth_context->remote_subkey) == NULL)
- if ((keyblock = auth_context->local_subkey) == NULL)
- keyblock = auth_context->keyblock;
+ if ((keyblock = auth_context->recv_subkey) == NULL)
+ keyblock = auth_context->keyblock;
if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
(auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
diff --git a/src/lib/krb5/krb/rd_priv.c b/src/lib/krb5/krb/rd_priv.c
index 8132056..cf74807 100644
--- a/src/lib/krb5/krb/rd_priv.c
+++ b/src/lib/krb5/krb/rd_priv.c
@@ -156,9 +156,8 @@ krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, const krb5_da
krb5_replay_data replaydata;
/* Get keyblock */
- if ((keyblock = auth_context->remote_subkey) == NULL)
- if ((keyblock = auth_context->local_subkey) == NULL)
- keyblock = auth_context->keyblock;
+ if ((keyblock = auth_context->recv_subkey) == NULL)
+ keyblock = auth_context->keyblock;
if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
(auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
@@ -247,7 +246,8 @@ krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, const krb5_da
}
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
- if (auth_context->remote_seq_number != replaydata.seq) {
+ if (!krb5int_auth_con_chkseqnum(context, auth_context,
+ replaydata.seq)) {
retval = KRB5KRB_AP_ERR_BADORDER;
goto error;
}
diff --git a/src/lib/krb5/krb/rd_rep.c b/src/lib/krb5/krb/rd_rep.c
index e35e43f..8019229 100644
--- a/src/lib/krb5/krb/rd_rep.c
+++ b/src/lib/krb5/krb/rd_rep.c
@@ -81,8 +81,24 @@ krb5_rd_rep(krb5_context context, krb5_auth_context auth_context, const krb5_dat
/* Set auth subkey */
if ((*repl)->subkey) {
+ if (auth_context->recv_subkey) {
+ krb5_free_keyblock(context, auth_context->recv_subkey);
+ auth_context->recv_subkey = NULL;
+ }
retval = krb5_copy_keyblock(context, (*repl)->subkey,
- &auth_context->remote_subkey);
+ &auth_context->recv_subkey);
+ if (retval)
+ goto clean_scratch;
+ if (auth_context->send_subkey) {
+ krb5_free_keyblock(context, auth_context->send_subkey);
+ auth_context->send_subkey = NULL;
+ }
+ retval = krb5_copy_keyblock(context, (*repl)->subkey,
+ &auth_context->send_subkey);
+ if (retval) {
+ krb5_free_keyblock(context, auth_context->send_subkey);
+ auth_context->send_subkey = NULL;
+ }
}
/* Get remote sequence number */
diff --git a/src/lib/krb5/krb/rd_req.c b/src/lib/krb5/krb/rd_req.c
index f844e3c..9a2f458 100644
--- a/src/lib/krb5/krb/rd_req.c
+++ b/src/lib/krb5/krb/rd_req.c
@@ -83,7 +83,9 @@ krb5_rd_req(krb5_context context, krb5_auth_context *auth_context, const krb5_da
server = request->ticket->server;
}
/* Get an rcache if necessary. */
- if (((*auth_context)->rcache == NULL) && server) {
+ if (((*auth_context)->rcache == NULL)
+ && ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME)
+&& server) {
if ((retval = krb5_get_server_rcache(context,
krb5_princ_component(context,server,0), &(*auth_context)->rcache)))
goto cleanup_auth_context;
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
index fa126b4..3c398ae 100644
--- a/src/lib/krb5/krb/rd_req_dec.c
+++ b/src/lib/krb5/krb/rd_req_dec.c
@@ -290,10 +290,18 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, c
if ((*auth_context)->authentp->subkey) {
if ((retval = krb5_copy_keyblock(context,
(*auth_context)->authentp->subkey,
- &((*auth_context)->remote_subkey))))
+ &((*auth_context)->recv_subkey))))
goto cleanup;
+ retval = krb5_copy_keyblock(context, (*auth_context)->authentp->subkey,
+ &((*auth_context)->send_subkey));
+ if (retval) {
+ krb5_free_keyblock(context, (*auth_context)->recv_subkey);
+ (*auth_context)->recv_subkey = NULL;
+ goto cleanup;
+ }
} else {
- (*auth_context)->remote_subkey = 0;
+ (*auth_context)->recv_subkey = 0;
+ (*auth_context)->send_subkey = 0;
}
if ((retval = krb5_copy_keyblock(context, req->ticket->enc_part2->session,
diff --git a/src/lib/krb5/krb/rd_safe.c b/src/lib/krb5/krb/rd_safe.c
index 0f6cec2..15dc6dc 100644
--- a/src/lib/krb5/krb/rd_safe.c
+++ b/src/lib/krb5/krb/rd_safe.c
@@ -51,6 +51,7 @@ krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf, const krb5_keyb
{
krb5_error_code retval;
krb5_safe * message;
+ krb5_data safe_body;
krb5_checksum our_cksum, *his_cksum;
krb5_octet zero_octet = 0;
krb5_data *scratch;
@@ -59,7 +60,7 @@ krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf, const krb5_keyb
if (!krb5_is_krb_safe(inbuf))
return KRB5KRB_AP_ERR_MSG_TYPE;
- if ((retval = decode_krb5_safe(inbuf, &message)))
+ if ((retval = decode_krb5_safe_with_body(inbuf, &message, &safe_body)))
return retval;
if (!krb5_c_valid_cksumtype(message->checksum->checksum_type)) {
@@ -113,7 +114,7 @@ krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf, const krb5_keyb
message->checksum = &our_cksum;
- if ((retval = encode_krb5_safe(message, &scratch)))
+ if ((retval = encode_krb5_safe_with_body(message, &safe_body, &scratch)))
goto cleanup;
message->checksum = his_cksum;
@@ -126,8 +127,17 @@ krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf, const krb5_keyb
krb5_free_data(context, scratch);
if (!valid) {
- retval = KRB5KRB_AP_ERR_MODIFIED;
- goto cleanup;
+ /*
+ * Checksum over only the KRB-SAFE-BODY, like RFC 1510 says, in
+ * case someone actually implements it correctly.
+ */
+ retval = krb5_c_verify_checksum(context, keyblock,
+ KRB5_KEYUSAGE_KRB_SAFE_CKSUM,
+ &safe_body, his_cksum, &valid);
+ if (!valid) {
+ retval = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
+ }
}
replaydata->timestamp = message->timestamp;
@@ -161,9 +171,8 @@ krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, const krb5_da
return KRB5_RC_REQUIRED;
/* Get keyblock */
- if ((keyblock = auth_context->remote_subkey) == NULL)
- if ((keyblock = auth_context->local_subkey) == NULL)
- keyblock = auth_context->keyblock;
+ if ((keyblock = auth_context->recv_subkey) == NULL)
+ keyblock = auth_context->keyblock;
{
krb5_address * premote_fulladdr = NULL;
@@ -240,7 +249,8 @@ krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, const krb5_da
}
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
- if (auth_context->remote_seq_number != replaydata.seq) {
+ if (!krb5int_auth_con_chkseqnum(context, auth_context,
+ replaydata.seq)) {
retval = KRB5KRB_AP_ERR_BADORDER;
goto error;
}
diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c
index 244d18e..34a98c0 100644
--- a/src/lib/krb5/krb/send_tgs.c
+++ b/src/lib/krb5/krb/send_tgs.c
@@ -278,6 +278,7 @@ send_again:
}
krb5_free_error(context, err_reply);
}
+ rep->message_type = KRB5_ERROR;
} else if (krb5_is_tgs_rep(&rep->response))
rep->message_type = KRB5_TGS_REP;
else /* XXX: assume it's an error */
diff --git a/src/lib/krb5/krb/ser_actx.c b/src/lib/krb5/krb/ser_actx.c
index a8ec90e..32519e1 100644
--- a/src/lib/krb5/krb/ser_actx.c
+++ b/src/lib/krb5/krb/ser_actx.c
@@ -151,21 +151,21 @@ krb5_auth_context_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
required += sizeof(krb5_int32);
}
- /* Calculate size required by local_subkey, if appropriate */
- if (!kret && auth_context->local_subkey) {
+ /* Calculate size required by send_subkey, if appropriate */
+ if (!kret && auth_context->send_subkey) {
kret = krb5_size_opaque(kcontext,
KV5M_KEYBLOCK,
- (krb5_pointer) auth_context->local_subkey,
+ (krb5_pointer) auth_context->send_subkey,
&required);
if (!kret)
required += sizeof(krb5_int32);
}
- /* Calculate size required by remote_subkey, if appropriate */
- if (!kret && auth_context->remote_subkey) {
+ /* Calculate size required by recv_subkey, if appropriate */
+ if (!kret && auth_context->recv_subkey) {
kret = krb5_size_opaque(kcontext,
KV5M_KEYBLOCK,
- (krb5_pointer) auth_context->remote_subkey,
+ (krb5_pointer) auth_context->recv_subkey,
&required);
if (!kret)
required += sizeof(krb5_int32);
@@ -300,23 +300,23 @@ krb5_auth_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octe
}
/* Now handle subkey, if appropriate */
- if (!kret && auth_context->local_subkey) {
+ if (!kret && auth_context->send_subkey) {
(void) krb5_ser_pack_int32(TOKEN_LSKBLOCK, &bp, &remain);
kret = krb5_externalize_opaque(kcontext,
KV5M_KEYBLOCK,
(krb5_pointer)
- auth_context->local_subkey,
+ auth_context->send_subkey,
&bp,
&remain);
}
/* Now handle subkey, if appropriate */
- if (!kret && auth_context->remote_subkey) {
+ if (!kret && auth_context->recv_subkey) {
(void) krb5_ser_pack_int32(TOKEN_RSKBLOCK, &bp, &remain);
kret = krb5_externalize_opaque(kcontext,
KV5M_KEYBLOCK,
(krb5_pointer)
- auth_context->remote_subkey,
+ auth_context->recv_subkey,
&bp,
&remain);
}
@@ -474,26 +474,26 @@ krb5_auth_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_oc
kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
}
- /* This is the local_subkey */
+ /* This is the send_subkey */
if (!kret && (tag == TOKEN_LSKBLOCK)) {
if (!(kret = krb5_internalize_opaque(kcontext,
KV5M_KEYBLOCK,
(krb5_pointer *)
&auth_context->
- local_subkey,
+ send_subkey,
&bp,
&remain)))
kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
}
- /* This is the remote_subkey */
+ /* This is the recv_subkey */
if (!kret) {
if (tag == TOKEN_RSKBLOCK) {
kret = krb5_internalize_opaque(kcontext,
KV5M_KEYBLOCK,
(krb5_pointer *)
&auth_context->
- remote_subkey,
+ recv_subkey,
&bp,
&remain);
}
diff --git a/src/lib/krb5/krb/serialize.c b/src/lib/krb5/krb/serialize.c
index 7c5f17a..9cbcef7 100644
--- a/src/lib/krb5/krb/serialize.c
+++ b/src/lib/krb5/krb/serialize.c
@@ -174,7 +174,7 @@ krb5_internalize_opaque(krb5_context kcontext, krb5_magic odtype, krb5_pointer *
}
/*
- * krb5_ser_pack_int32() - Pack a 4-byte integer if space is availble.
+ * krb5_ser_pack_int32() - Pack a 4-byte integer if space is available.
* Update buffer pointer and remaining space.
*/
krb5_error_code KRB5_CALLCONV
@@ -194,6 +194,23 @@ krb5_ser_pack_int32(krb5_int32 iarg, krb5_octet **bufp, size_t *remainp)
}
/*
+ * krb5_ser_pack_int64() - Pack an 8-byte integer if space is available.
+ * Update buffer pointer and remaining space.
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_ser_pack_int64(krb5_int64 iarg, krb5_octet **bufp, size_t *remainp)
+{
+ if (*remainp >= sizeof(krb5_int64)) {
+ store_64_be(iarg, (unsigned char *)*bufp);
+ *bufp += sizeof(krb5_int64);
+ *remainp -= sizeof(krb5_int64);
+ return(0);
+ }
+ else
+ return(ENOMEM);
+}
+
+/*
* krb5_ser_pack_bytes() - Pack a string of bytes.
*/
krb5_error_code KRB5_CALLCONV
@@ -229,6 +246,22 @@ krb5_ser_unpack_int32(krb5_int32 *intp, krb5_octet **bufp, size_t *remainp)
}
/*
+ * krb5_ser_unpack_int64() - Unpack an 8-byte integer if it's there.
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_ser_unpack_int64(krb5_int64 *intp, krb5_octet **bufp, size_t *remainp)
+{
+ if (*remainp >= sizeof(krb5_int64)) {
+ *intp = load_64_be((unsigned char *)*bufp);
+ *bufp += sizeof(krb5_int64);
+ *remainp -= sizeof(krb5_int64);
+ return(0);
+ }
+ else
+ return(ENOMEM);
+}
+
+/*
* krb5_ser_unpack_bytes() - Unpack a byte string if it's there.
*/
krb5_error_code KRB5_CALLCONV
diff --git a/src/lib/krb5/krb/srv_rcache.c b/src/lib/krb5/krb/srv_rcache.c
index aa41bc5..e66d2d3 100644
--- a/src/lib/krb5/krb/srv_rcache.c
+++ b/src/lib/krb5/krb/srv_rcache.c
@@ -48,6 +48,9 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece, krb5_rcache
unsigned long uid = geteuid();
#endif
+ if (piece == NULL)
+ return ENOMEM;
+
rcache = (krb5_rcache) malloc(sizeof(*rcache));
if (!rcache)
return ENOMEM;
@@ -58,7 +61,7 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece, krb5_rcache
len = piece->length + 3 + 1;
for (i = 0; i < piece->length; i++) {
- if (piece->data[i] == '\\')
+ if (piece->data[i] == '-')
len++;
else if (!isvalidrcname((int) piece->data[i]))
len += 3;
@@ -78,14 +81,14 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece, krb5_rcache
strcpy(cachename, "rc_");
p = 3;
for (i = 0; i < piece->length; i++) {
- if (piece->data[i] == '\\') {
- cachename[p++] = '\\';
- cachename[p++] = '\\';
+ if (piece->data[i] == '-') {
+ cachename[p++] = '-';
+ cachename[p++] = '-';
continue;
}
if (!isvalidrcname((int) piece->data[i])) {
sprintf(tmp, "%03o", piece->data[i]);
- cachename[p++] = '\\';
+ cachename[p++] = '-';
cachename[p++] = tmp[0];
cachename[p++] = tmp[1];
cachename[p++] = tmp[2];
diff --git a/src/lib/krb5/krb/unparse.c b/src/lib/krb5/krb/unparse.c
index f0e52dc..6f1a3c9 100644
--- a/src/lib/krb5/krb/unparse.c
+++ b/src/lib/krb5/krb/unparse.c
@@ -149,7 +149,8 @@ krb5_unparse_name_ext(krb5_context context, krb5_const_principal principal, regi
*q++ = COMPONENT_SEP;
}
- q--; /* Back up last component separator */
+ if (i > 0)
+ q--; /* Back up last component separator */
*q++ = REALM_SEP;
cp = krb5_princ_realm(context, principal)->data;
diff --git a/src/lib/krb5/krb/v4lifetime.c b/src/lib/krb5/krb/v4lifetime.c
new file mode 100644
index 0000000..94bf5f6
--- /dev/null
+++ b/src/lib/krb5/krb/v4lifetime.c
@@ -0,0 +1,149 @@
+/*
+ * Copyright 2000, 2001, 2003 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ */
+
+#include "k5-int.h"
+
+/*
+ * Only lifetime bytes values less than 128 are on a linear scale.
+ * The following table contains an exponential scale that covers the
+ * lifetime values 128 to 191 inclusive (a total of 64 values).
+ * Values greater than 191 get interpreted the same as 191, but they
+ * will never be generated by the functions in this file.
+ *
+ * The ratio is approximately 1.069144898 (actually exactly
+ * exp(log(67.5)/63), where 67.5 = 2592000/38400, and 259200 = 30
+ * days, and 38400 = 128*5 minutes. This allows a lifetime byte of
+ * 191 to correspond to a ticket life of exactly 30 days and a
+ * lifetime byte of 128 to correspond to exactly 128*5 minutes, with
+ * the other values spread on an exponential curve fit in between
+ * them. This table should correspond exactly to the set of extended
+ * ticket lifetime values used by AFS and CMU.
+ *
+ * The following awk script is sufficient to reproduce the table:
+ * BEGIN {
+ * r = exp(log(2592000/38400)/63);
+ * x = 38400;
+ * for (i=0;i<64;i++) {
+ * printf("%d\n",x+0.5);
+ * x *= r;
+ * }
+ * }
+ */
+#ifndef SHORT_LIFETIME
+#define NLIFETIMES 64
+static const krb5_int32 lifetimes[NLIFETIMES] = {
+ 38400, 41055, /* 00:10:40:00, 00:11:24:15 */
+ 43894, 46929, /* 00:12:11:34, 00:13:02:09 */
+ 50174, 53643, /* 00:13:56:14, 00:14:54:03 */
+ 57352, 61318, /* 00:15:55:52, 00:17:01:58 */
+ 65558, 70091, /* 00:18:12:38, 00:19:28:11 */
+ 74937, 80119, /* 00:20:48:57, 00:22:15:19 */
+ 85658, 91581, /* 00:23:47:38, 01:01:26:21 */
+ 97914, 104684, /* 01:03:11:54, 01:05:04:44 */
+ 111922, 119661, /* 01:07:05:22, 01:09:14:21 */
+ 127935, 136781, /* 01:11:32:15, 01:13:59:41 */
+ 146239, 156350, /* 01:16:37:19, 01:19:25:50 */
+ 167161, 178720, /* 01:22:26:01, 02:01:38:40 */
+ 191077, 204289, /* 02:05:04:37, 02:08:44:49 */
+ 218415, 233517, /* 02:12:40:15, 02:16:51:57 */
+ 249664, 266926, /* 02:21:21:04, 03:02:08:46 */
+ 285383, 305116, /* 03:07:16:23, 03:12:45:16 */
+ 326213, 348769, /* 03:18:36:53, 04:00:52:49 */
+ 372885, 398668, /* 04:07:34:45, 04:14:44:28 */
+ 426234, 455705, /* 04:22:23:54, 05:06:35:05 */
+ 487215, 520904, /* 05:15:20:15, 06:00:41:44 */
+ 556921, 595430, /* 06:10:42:01, 06:21:23:50 */
+ 636601, 680618, /* 07:08:50:01, 07:21:03:38 */
+ 727680, 777995, /* 08:10:08:00, 09:00:06:35 */
+ 831789, 889303, /* 09:15:03:09, 10:07:01:43 */
+ 950794, 1016537, /* 11:00:06:34, 11:18:22:17 */
+ 1086825, 1161973, /* 12:13:53:45, 13:10:46:13 */
+ 1242318, 1328218, /* 14:09:05:18, 15:08:56:58 */
+ 1420057, 1518247, /* 16:10:27:37, 17:13:44:07 */
+ 1623226, 1735464, /* 18:18:53:46, 20:02:04:24 */
+ 1855462, 1983758, /* 21:11:24:22, 22:23:02:38 */
+ 2120925, 2267576, /* 24:13:08:45, 26:05:52:56 */
+ 2424367, 2592000 /* 28:01:26:07, 30:00:00:00 */
+};
+#define MINFIXED 0x80
+#define MAXFIXED (MINFIXED + NLIFETIMES - 1)
+#endif /* !SHORT_LIFETIME */
+
+/*
+ * krb_life_to_time
+ *
+ * Given a start date and a lifetime byte, compute the expiration
+ * date.
+ */
+krb5_int32
+krb5int_krb_life_to_time(krb5_int32 start, int life)
+{
+ if (life < 0 || life > 255) /* possibly sign botch in caller */
+ return start;
+#ifndef SHORT_LIFETIME
+ if (life < MINFIXED)
+ return start + life * 5 * 60;
+ if (life > MAXFIXED)
+ return start + lifetimes[NLIFETIMES - 1];
+ return start + lifetimes[life - MINFIXED];
+#else /* SHORT_LIFETIME */
+ return start + life * 5 * 60;
+#endif /* SHORT_LIFETIME */
+}
+
+/*
+ * krb_time_to_life
+ *
+ * Given the start date and the end date, compute the lifetime byte.
+ * Round up, since we can adjust the start date backwards if we are
+ * issuing the ticket to cause it to expire at the correct time.
+ */
+int
+krb5int_krb_time_to_life(krb5_int32 start, krb5_int32 end)
+{
+ krb5_int32 dt;
+#ifndef SHORT_LIFETIME
+ int i;
+#endif
+
+ dt = end - start;
+ if (dt <= 0)
+ return 0;
+#ifndef SHORT_LIFETIME
+ if (dt < lifetimes[0])
+ return (dt + 5 * 60 - 1) / (5 * 60);
+ /* This depends on the array being ordered. */
+ for (i = 0; i < NLIFETIMES; i++) {
+ if (lifetimes[i] >= dt)
+ return i + MINFIXED;
+ }
+ return MAXFIXED;
+#else /* SHORT_LIFETIME */
+ if (dt > 5 * 60 * 255)
+ return 255;
+ else
+ return (dt + 5 * 60 - 1) / (5 * 60);
+#endif /* SHORT_LIFETIME */
+}
diff --git a/src/lib/krb5/os/.Sanitize b/src/lib/krb5/os/.Sanitize
index cf13ff1..e17c876 100644
--- a/src/lib/krb5/os/.Sanitize
+++ b/src/lib/krb5/os/.Sanitize
@@ -61,6 +61,7 @@ read_msg.c
read_pwd.c
realm_dom.c
ref_std_conf.out
+send524.c
sendto_kdc.c
sn2princ.c
timeofday.c
diff --git a/src/lib/krb5/os/ChangeLog b/src/lib/krb5/os/ChangeLog
index 51638d9..a5a0dc8 100644
--- a/src/lib/krb5/os/ChangeLog
+++ b/src/lib/krb5/os/ChangeLog
@@ -1,3 +1,142 @@
+2004-03-22 Ken Raeburn <raeburn@mit.edu>
+
+ * sendto_kdc.c (get_so_error): New function.
+ (service_tcp_fd): Call it for write fds as well as exception fds.
+
+2004-02-25 Ken Raeburn <raeburn@mit.edu>
+
+ * sendto_kdc.c (start_connection): Close socket if connect() call
+ fails for an unexpected reason.
+
+2004-02-09 Sam Hartman <hartmans@mit.edu>
+
+ * changepw.c (krb5_locate_kpasswd): Run htons on the default port
+
+2003-12-22 Jeffrey Altman <jaltman@mit.edu>
+
+ * dnssrv.c: wrap within #ifdef KRB5_DNS_LOOKUP to prevent references
+ to resolver functions when DNS support is not being compiled
+
+2003-12-18 Jeffrey Altman <jaltman@mit.edu>
+
+ * accessor.c: Add new functions for use by gssapi
+
+2003-12-12 Tom Yu <tlyu@mit.edu>
+
+ * an_to_ln.c (krb5_aname_to_localname): Don't write one byte past
+ the end of a string. Found by Christopher Nebergall.
+
+2003-10-27 Jeffrey Altman <jaltman@mit.edu>
+
+ * sendto_kdc.c: sockets must be closed with closesocket() and
+ and not close() in order to ensure portability among different
+ operating systems.
+
+2003-08-21 Ken Raeburn <raeburn@mit.edu>
+
+ * dnssrv.c: New file; split out DNS SRV RR query support...
+ * locate_kdc.c: ...from here. Always compile in the calls.
+ * Makefile.in (STLIBOBJS, OBJS, SRCS): Add it.
+
+2003-07-25 Ken Raeburn <raeburn@mit.edu>
+
+ * locate_kdc.c (krb5_locate_kdc): Always pass 0 to locate_server
+ as the get_masters argument. Instead, if get_masters is set,
+ look up "master_kdc" in the config file instead of "kdc".
+
+2003-07-09 Alexandra Ellwood <lxs@mit.edu>
+
+ * toffset.c: Export and krb5_set_real_time for Samba.
+
+2003-06-06 Ken Raeburn <raeburn@mit.edu>
+
+ * locate_kdc.c (struct srv_dns_entry): Moved to k5-int.h.
+ (krb5int_make_srv_query_realm): Renamed from make_srv_query_realm.
+ (krb5int_free_srv_dns_data): New function.
+ (krb5_locate_srv_dns_1): Use it.
+
+ * accessor.c (krb5int_accessor): Fill in make_srv_query_realm and
+ free_srv_dns_data fields.
+
+2003-06-05 Ken Raeburn <raeburn@mit.edu>
+
+ * locate_kdc.c (make_srv_query_realm): Punt if strdup fails.
+ Always return what data we can, even if memory allocation or other
+ problems prevent us from returning more.
+ (krb5_locate_srv_dns_1): Always return what data we can. Fix
+ memory leak. Free up temporary storage as quickly as possible,
+ while building up address list to return.
+
+2003-06-03 Ken Raeburn <raeburn@mit.edu>
+
+ * accessor.c (krb5int_accessor): Initialize restored locate_server
+ field.
+
+ * locate_kdc.c (struct srv_dns_entry): Move to top level.
+ (make_srv_query_realm): Separate from krb5_locate_srv_dns_1; just
+ do query and return results.
+ (krb5_locate_srv_dns_1): Call it, and build addlist entries.
+ Check for one RR with a target of ".", and return an error.
+ (krb5_locate_srv_dns): Deleted.
+
+ * t_locate_kdc.c (main): Call krb5_locate_srv_dns_1.
+
+ * changepw.c (krb5_locate_kpasswd): Check specifically for certain
+ errors before using fallback heuristics.
+
+2003-06-03 Alexandra Ellwood <lxs@mit.edu>
+
+ * init_os_ctx.c: Included header to get __KLAllowHomeDirectoryAccess().
+
+2003-05-27 Ken Raeburn <raeburn@mit.edu>
+
+ * send524.c (krb5int_524_sendto_kdc): Enable support on Windows
+ always.
+
+2003-05-24 Ken Raeburn <raeburn@mit.edu>
+
+ * send524.c: New file, moved from krb524/sendmsg.c. Rename
+ function to have krb5int_ prefix. If KRB5_KRB4_COMPAT not
+ defined, return an error.
+ * accessor.c (krb5int_accessor): Update for deleted and added
+ fields. If KRB5_KRB4_COMPAT is not defined, just use null
+ pointers for the new fields.
+
+2003-05-06 Alexandra Ellwood <lxs@mit.edu>
+
+ * init_os_ctx.c: Added support for KLL's __KLAllowHomeDirectoryAccess()
+ function so that krb4, krb5 and gssapi will not access the user's homedir
+ if the application forbids it.
+
+2003-04-28 Sam Hartman <hartmans@mit.edu>
+
+ * changepw.c (krb5_change_set_password): Locate server in realm of
+ creds.server, not in realm of target principal because target
+ principal is null in the changepw case.
+
+2003-04-27 Sam Hartman <hartmans@mit.edu>
+
+ * changepw.c (krb5_change_set_password): Call
+ krb5_setpw_result_code_string not krb5_setpw_result_code_string
+
+2003-04-24 Sam Hartman <hartmans@mit.edu>
+
+ * changepw.c (krb5_change_set_password): return error from
+ auth_con_setaddrs not last socket errno if auth_con_setaddrs fails
+
+2003-04-15 Sam Hartman <hartmans@mit.edu>
+
+ * changepw.c (krb5_change_set_password): Patches from Paul Nelson
+ to implement Microsoft set password protocol
+ (krb5_set_password_using_ccache): Use kadmin/changepw in target realm, not local realm and use a two-component principal
+ (krb5_change_set_password): Find the kpasswd server for the realm
+ of the target principal not the client
+
+2003-04-13 Ken Raeburn <raeburn@mit.edu>
+
+ * read_pwd.c (krb5_read_password): Always free temporary storage
+ used for verification version of password.
+
2003-03-06 Alexandra Ellwood <lxs@mit.edu>
* c_ustime.c: Removed Mac OS 9 code.
diff --git a/src/lib/krb5/os/Makefile.in b/src/lib/krb5/os/Makefile.in
index acd37b2..27431a0 100644
--- a/src/lib/krb5/os/Makefile.in
+++ b/src/lib/krb5/os/Makefile.in
@@ -18,6 +18,7 @@ STLIBOBJS= \
def_realm.o \
ccdefname.o \
changepw.o \
+ dnssrv.o \
free_krbhs.o \
free_hstrl.o \
full_ipadr.o \
@@ -46,6 +47,7 @@ STLIBOBJS= \
read_pwd.o \
realm_dom.o \
realm_iter.o \
+ send524.o \
sendto_kdc.o \
sn2princ.o \
timeofday.o \
@@ -61,6 +63,7 @@ OBJS= \
$(OUTPRE)def_realm.$(OBJEXT) \
$(OUTPRE)ccdefname.$(OBJEXT) \
$(OUTPRE)changepw.$(OBJEXT) \
+ $(OUTPRE)dnssrv.$(OBJEXT) \
$(OUTPRE)free_krbhs.$(OBJEXT) \
$(OUTPRE)free_hstrl.$(OBJEXT) \
$(OUTPRE)full_ipadr.$(OBJEXT) \
@@ -89,6 +92,7 @@ OBJS= \
$(OUTPRE)read_pwd.$(OBJEXT) \
$(OUTPRE)realm_dom.$(OBJEXT) \
$(OUTPRE)realm_iter.$(OBJEXT) \
+ $(OUTPRE)send524.$(OBJEXT) \
$(OUTPRE)sendto_kdc.$(OBJEXT) \
$(OUTPRE)sn2princ.$(OBJEXT) \
$(OUTPRE)timeofday.$(OBJEXT) \
@@ -104,6 +108,7 @@ SRCS= \
$(srcdir)/def_realm.c \
$(srcdir)/ccdefname.c \
$(srcdir)/changepw.c \
+ $(srcdir)/dnssrv.c \
$(srcdir)/free_krbhs.c \
$(srcdir)/free_hstrl.c \
$(srcdir)/full_ipadr.c \
@@ -132,6 +137,7 @@ SRCS= \
$(srcdir)/realm_dom.c \
$(srcdir)/realm_iter.c \
$(srcdir)/port2ip.c \
+ $(srcdir)/send524.c \
$(srcdir)/sendto_kdc.c \
$(srcdir)/sn2princ.c \
$(srcdir)/timeofday.c \
@@ -235,210 +241,235 @@ clean::
#
accessor.so accessor.po $(OUTPRE)accessor.$(OBJEXT): accessor.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h
+ os-proto.h
an_to_ln.so an_to_ln.po $(OUTPRE)an_to_ln.$(OBJEXT): an_to_ln.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
c_ustime.so c_ustime.po $(OUTPRE)c_ustime.$(OBJEXT): c_ustime.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
def_realm.so def_realm.po $(OUTPRE)def_realm.$(OBJEXT): def_realm.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h
+ os-proto.h
ccdefname.so ccdefname.po $(OUTPRE)ccdefname.$(OBJEXT): ccdefname.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
changepw.so changepw.po $(OUTPRE)changepw.$(OBJEXT): changepw.c $(SRCTOP)/include/fake-addrinfo.h \
$(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-int.h \
- $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-platform.h \
+ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/krb5/kdb.h os-proto.h
+dnssrv.so dnssrv.po $(OUTPRE)dnssrv.$(OBJEXT): dnssrv.c $(SRCTOP)/include/k5-int.h \
+ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
os-proto.h
free_krbhs.so free_krbhs.po $(OUTPRE)free_krbhs.$(OBJEXT): free_krbhs.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
free_hstrl.so free_hstrl.po $(OUTPRE)free_hstrl.$(OBJEXT): free_hstrl.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
full_ipadr.so full_ipadr.po $(OUTPRE)full_ipadr.$(OBJEXT): full_ipadr.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h
+ os-proto.h
get_krbhst.so get_krbhst.po $(OUTPRE)get_krbhst.$(OBJEXT): get_krbhst.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
gen_port.so gen_port.po $(OUTPRE)gen_port.$(OBJEXT): gen_port.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h
+ os-proto.h
genaddrs.so genaddrs.po $(OUTPRE)genaddrs.$(OBJEXT): genaddrs.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h
+ os-proto.h
gen_rname.so gen_rname.po $(OUTPRE)gen_rname.$(OBJEXT): gen_rname.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h
+ os-proto.h
gmt_mktime.so gmt_mktime.po $(OUTPRE)gmt_mktime.$(OBJEXT): gmt_mktime.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
hostaddr.so hostaddr.po $(OUTPRE)hostaddr.$(OBJEXT): hostaddr.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/fake-addrinfo.h
+ $(SRCTOP)/include/fake-addrinfo.h
hst_realm.so hst_realm.po $(OUTPRE)hst_realm.$(OBJEXT): hst_realm.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h $(SRCTOP)/include/fake-addrinfo.h
+ os-proto.h $(SRCTOP)/include/fake-addrinfo.h
init_os_ctx.so init_os_ctx.po $(OUTPRE)init_os_ctx.$(OBJEXT): init_os_ctx.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h
+ os-proto.h
krbfileio.so krbfileio.po $(OUTPRE)krbfileio.$(OBJEXT): krbfileio.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
ktdefname.so ktdefname.po $(OUTPRE)ktdefname.$(OBJEXT): ktdefname.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
kuserok.so kuserok.po $(OUTPRE)kuserok.$(OBJEXT): kuserok.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
mk_faddr.so mk_faddr.po $(OUTPRE)mk_faddr.$(OBJEXT): mk_faddr.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h
+ os-proto.h
localaddr.so localaddr.po $(OUTPRE)localaddr.$(OBJEXT): localaddr.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/foreachaddr.c
+ $(SRCTOP)/include/foreachaddr.c
locate_kdc.so locate_kdc.po $(OUTPRE)locate_kdc.$(OBJEXT): locate_kdc.c $(SRCTOP)/include/fake-addrinfo.h \
$(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-int.h \
- $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- os-proto.h
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-platform.h \
+ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/krb5/kdb.h os-proto.h
lock_file.so lock_file.po $(OUTPRE)lock_file.$(OBJEXT): lock_file.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
net_read.so net_read.po $(OUTPRE)net_read.$(OBJEXT): net_read.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
net_write.so net_write.po $(OUTPRE)net_write.$(OBJEXT): net_write.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
osconfig.so osconfig.po $(OUTPRE)osconfig.$(OBJEXT): osconfig.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
prompter.so prompter.po $(OUTPRE)prompter.$(OBJEXT): prompter.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
promptusr.so promptusr.po $(OUTPRE)promptusr.$(OBJEXT): promptusr.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
read_msg.so read_msg.po $(OUTPRE)read_msg.$(OBJEXT): read_msg.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
read_pwd.so read_pwd.po $(OUTPRE)read_pwd.$(OBJEXT): read_pwd.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
realm_dom.so realm_dom.po $(OUTPRE)realm_dom.$(OBJEXT): realm_dom.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
realm_iter.so realm_iter.po $(OUTPRE)realm_iter.$(OBJEXT): realm_iter.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
port2ip.so port2ip.po $(OUTPRE)port2ip.$(OBJEXT): port2ip.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h
+ os-proto.h
+send524.so send524.po $(OUTPRE)send524.$(OBJEXT): send524.c $(SRCTOP)/include/fake-addrinfo.h \
+ $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-platform.h \
+ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/krb5/kdb.h os-proto.h
sendto_kdc.so sendto_kdc.po $(OUTPRE)sendto_kdc.$(OBJEXT): sendto_kdc.c $(SRCTOP)/include/fake-addrinfo.h \
$(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-int.h \
- $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- os-proto.h $(SRCTOP)/include/cm.h
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-platform.h \
+ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/krb5/kdb.h os-proto.h $(SRCTOP)/include/cm.h
sn2princ.so sn2princ.po $(OUTPRE)sn2princ.$(OBJEXT): sn2princ.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/fake-addrinfo.h
+ $(SRCTOP)/include/fake-addrinfo.h
timeofday.so timeofday.po $(OUTPRE)timeofday.$(OBJEXT): timeofday.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
toffset.so toffset.po $(OUTPRE)toffset.$(OBJEXT): toffset.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
unlck_file.so unlck_file.po $(OUTPRE)unlck_file.$(OBJEXT): unlck_file.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
ustime.so ustime.po $(OUTPRE)ustime.$(OBJEXT): ustime.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
write_msg.so write_msg.po $(OUTPRE)write_msg.$(OBJEXT): write_msg.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
diff --git a/src/lib/krb5/os/accessor.c b/src/lib/krb5/os/accessor.c
index 509d317..4e907b1 100644
--- a/src/lib/krb5/os/accessor.c
+++ b/src/lib/krb5/os/accessor.c
@@ -35,18 +35,32 @@ krb5int_accessor(krb5int_access *internals, krb5_int32 version)
if (version == KRB5INT_ACCESS_VERSION)
{
krb5int_access internals_temp;
- internals_temp.krb5_locate_server = krb5int_locate_server;
- internals_temp.krb5_locate_kdc = krb5_locate_kdc;
internals_temp.free_addrlist = krb5int_free_addrlist;
- internals_temp.krb5_max_skdc_timeout = krb5_max_skdc_timeout;
- internals_temp.krb5_skdc_timeout_shift = krb5_skdc_timeout_shift;
- internals_temp.krb5_skdc_timeout_1 = krb5_skdc_timeout_1;
- internals_temp.krb5_max_dgram_size = krb5_max_dgram_size;
internals_temp.krb5_hmac = krb5_hmac;
internals_temp.md5_hash_provider = &krb5int_hash_md5;
internals_temp.arcfour_enc_provider = &krb5int_enc_arcfour;
+ internals_temp.locate_server = &krb5int_locate_server;
internals_temp.sendto_udp = &krb5int_sendto;
internals_temp.add_host_to_list = krb5int_add_host_to_list;
+#ifdef KRB5_DNS_LOOKUP
+ internals_temp.make_srv_query_realm = krb5int_make_srv_query_realm;
+ internals_temp.free_srv_dns_data = krb5int_free_srv_dns_data;
+#else
+ internals_temp.make_srv_query_realm = 0;
+ internals_temp.free_srv_dns_data = 0;
+#endif
+#ifdef KRB5_KRB4_COMPAT
+ internals_temp.krb_life_to_time = krb5int_krb_life_to_time;
+ internals_temp.krb_time_to_life = krb5int_krb_time_to_life;
+ internals_temp.krb524_encode_v4tkt = krb5int_encode_v4tkt;
+#else
+ internals_temp.krb_life_to_time = 0;
+ internals_temp.krb_time_to_life = 0;
+ internals_temp.krb524_encode_v4tkt = 0;
+#endif
+ internals_temp.krb5int_c_mandatory_cksumtype = krb5int_c_mandatory_cksumtype;
+ internals_temp.krb5_ser_pack_int64 = krb5_ser_pack_int64;
+ internals_temp.krb5_ser_unpack_int64 = krb5_ser_unpack_int64;
*internals = internals_temp;
return 0;
}
diff --git a/src/lib/krb5/os/an_to_ln.c b/src/lib/krb5/os/an_to_ln.c
index 426399e..c42b821 100644
--- a/src/lib/krb5/os/an_to_ln.c
+++ b/src/lib/krb5/os/an_to_ln.c
@@ -643,7 +643,7 @@ krb5_aname_to_localname(krb5_context context, krb5_const_principal aname, const
const char *hierarchy[5];
char **mapping_values;
int i, nvalid;
- char *cp;
+ char *cp, *s;
char *typep, *argp;
unsigned int lnsize;
@@ -677,11 +677,14 @@ krb5_aname_to_localname(krb5_context context, krb5_const_principal aname, const
/* Just use the last one. */
/* Trim the value. */
- cp = &mapping_values[nvalid-1]
- [strlen(mapping_values[nvalid-1])];
- while (isspace((int) (*cp))) cp--;
- cp++;
- *cp = '\0';
+ s = mapping_values[nvalid-1];
+ cp = s + strlen(s);
+ while (cp > s) {
+ cp--;
+ if (!isspace((int)(*cp)))
+ break;
+ *cp = '\0';
+ }
/* Copy out the value if there's enough room */
if (strlen(mapping_values[nvalid-1])+1 <= (size_t) lnsize)
diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c
index 60cb3a9..df558b6 100644
--- a/src/lib/krb5/os/changepw.c
+++ b/src/lib/krb5/os/changepw.c
@@ -24,6 +24,10 @@
* or implied warranty.
*
*/
+/*
+ * krb5_set_password - Implements set password per RFC 3244
+ * Added by Paul W. Nelson, Thursby Software Systems, Inc.
+ */
#define NEED_SOCKETS
#include "fake-addrinfo.h"
@@ -49,8 +53,8 @@ krb5_locate_kpasswd(krb5_context context, const krb5_data *realm,
code = krb5int_locate_server (context, realm, addrlist, 0,
"kpasswd_server", "_kpasswd", 0,
- DEFAULT_KPASSWD_PORT, 0, 0);
- if (code) {
+ htons(DEFAULT_KPASSWD_PORT), 0, 0);
+ if (code == KRB5_REALM_CANT_RESOLVE || code == KRB5_REALM_UNKNOWN) {
code = krb5int_locate_server (context, realm, addrlist, 0,
"admin_server", "_kerberos-adm", 1,
DEFAULT_KPASSWD_PORT, 0, 0);
@@ -69,8 +73,16 @@ krb5_locate_kpasswd(krb5_context context, const krb5_data *realm,
}
+/*
+** The logic for setting and changing a password is mostly the same
+** krb5_change_set_password handles both cases
+** if set_password_for is NULL, then a password change is performed,
+** otherwise, the password is set for the principal indicated in set_password_for
+*/
krb5_error_code KRB5_CALLCONV
-krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw, int *result_code, krb5_data *result_code_string, krb5_data *result_string)
+krb5_change_set_password(
+ krb5_context context, krb5_creds *creds, char *newpw, krb5_principal set_password_for,
+ int *result_code, krb5_data *result_code_string, krb5_data *result_string)
{
krb5_auth_context auth_context;
krb5_data ap_req, chpw_req, chpw_rep;
@@ -104,7 +116,7 @@ krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw, int *
goto cleanup;
if ((code = krb5_locate_kpasswd(context,
- krb5_princ_realm(context, creds->client),
+ krb5_princ_realm(context, creds->server),
&al)))
goto cleanup;
@@ -218,14 +230,15 @@ krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw, int *
if ((code = krb5_auth_con_setaddrs(context, auth_context,
&local_kaddr, NULL))) {
- code = SOCKET_ERRNO;
- goto cleanup;
+ goto cleanup;
}
- if ((code = krb5_mk_chpw_req(context, auth_context, &ap_req,
- newpw, &chpw_req)))
+ if( set_password_for )
+ code = krb5int_mk_setpw_req(context, auth_context, &ap_req, set_password_for, newpw, &chpw_req);
+ else
+ code = krb5int_mk_chpw_req(context, auth_context, &ap_req, newpw, &chpw_req);
+ if (code)
{
- code = SOCKET_ERRNO;
goto cleanup;
}
@@ -289,19 +302,23 @@ krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw, int *
NULL, &remote_kaddr)))
goto cleanup;
- if ((code = krb5_rd_chpw_rep(context, auth_context, &chpw_rep,
- &local_result_code,
- result_string)))
- goto cleanup;
+ if( set_password_for )
+ code = krb5int_rd_setpw_rep(context, auth_context, &chpw_rep, &local_result_code, result_string);
+ else
+ code = krb5int_rd_chpw_rep(context, auth_context, &chpw_rep, &local_result_code, result_string);
+ if (code)
+ goto cleanup;
if (result_code)
*result_code = local_result_code;
if (result_code_string) {
- if ((code = krb5_chpw_result_code_string(context,
- local_result_code,
- &code_string)))
- goto cleanup;
+ if( set_password_for )
+ code = krb5int_setpw_result_code_string(context, local_result_code, (const char **)&code_string);
+ else
+ code = krb5_chpw_result_code_string(context, local_result_code, &code_string);
+ if(code)
+ goto cleanup;
result_code_string->length = strlen(code_string);
result_code_string->data = malloc(result_code_string->length);
@@ -343,3 +360,71 @@ cleanup:
return(code);
}
+
+krb5_error_code KRB5_CALLCONV
+krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw, int *result_code, krb5_data *result_code_string, krb5_data *result_string)
+{
+ return krb5_change_set_password(
+ context, creds, newpw, NULL, result_code, result_code_string, result_string );
+}
+
+/*
+ * krb5_set_password - Implements set password per RFC 3244
+ *
+ */
+
+krb5_error_code KRB5_CALLCONV
+krb5_set_password(
+ krb5_context context,
+ krb5_creds *creds,
+ char *newpw,
+ krb5_principal change_password_for,
+ int *result_code, krb5_data *result_code_string, krb5_data *result_string
+ )
+{
+ return krb5_change_set_password(
+ context, creds, newpw, change_password_for, result_code, result_code_string, result_string );
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_set_password_using_ccache(
+ krb5_context context,
+ krb5_ccache ccache,
+ char *newpw,
+ krb5_principal change_password_for,
+ int *result_code, krb5_data *result_code_string, krb5_data *result_string
+ )
+{
+ krb5_creds creds;
+ krb5_creds *credsp;
+ krb5_error_code code;
+
+/*
+** get the proper creds for use with krb5_set_password -
+*/
+ memset( &creds, 0, sizeof(creds) );
+/*
+** first get the principal for the password service -
+*/
+ code = krb5_cc_get_principal( context, ccache, &creds.client );
+ if( !code )
+ {
+ code = krb5_build_principal( context, &creds.server,
+ krb5_princ_realm(context, change_password_for)->length,
+ krb5_princ_realm(context, change_password_for)->data,
+ "kadmin", "changepw", NULL );
+ if(!code)
+ {
+ code = krb5_get_credentials(context, 0, ccache, &creds, &credsp);
+ if( ! code )
+ {
+ code = krb5_set_password(context, credsp, newpw, change_password_for,
+ result_code, result_code_string,
+ result_string);
+ krb5_free_creds(context, credsp);
+ }
+ }
+ krb5_free_cred_contents(context, &creds);
+ }
+ return code;
+}
diff --git a/src/lib/krb5/os/dnssrv.c b/src/lib/krb5/os/dnssrv.c
new file mode 100644
index 0000000..1c1586a
--- /dev/null
+++ b/src/lib/krb5/os/dnssrv.c
@@ -0,0 +1,273 @@
+/*
+ * lib/krb5/os/dnssrv.c
+ *
+ * Copyright 1990,2000,2001,2002,2003 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * do DNS SRV RR queries
+ */
+
+#ifdef KRB5_DNS_LOOKUP
+#define NEED_SOCKETS
+#include "k5-int.h"
+#include "os-proto.h"
+#include <stdio.h>
+#ifdef WSHELPER
+#include <wshelper.h>
+#else /* WSHELPER */
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+#include <netdb.h>
+#endif /* WSHELPER */
+#ifndef T_SRV
+#define T_SRV 33
+#endif /* T_SRV */
+
+/* for old Unixes and friends ... */
+#ifndef MAXHOSTNAMELEN
+#define MAXHOSTNAMELEN 64
+#endif
+
+#define MAX_DNS_NAMELEN (15*(MAXHOSTNAMELEN + 1)+1)
+
+/*
+ * Lookup a KDC via DNS SRV records
+ */
+
+void krb5int_free_srv_dns_data (struct srv_dns_entry *p)
+{
+ struct srv_dns_entry *next;
+ while (p) {
+ next = p->next;
+ free(p->host);
+ free(p);
+ p = next;
+ }
+}
+
+/* Do DNS SRV query, return results in *answers.
+
+ Make best effort to return all the data we can. On memory or
+ decoding errors, just return what we've got. Always return 0,
+ currently. */
+
+krb5_error_code
+krb5int_make_srv_query_realm(const krb5_data *realm,
+ const char *service,
+ const char *protocol,
+ struct srv_dns_entry **answers)
+{
+ union {
+ unsigned char bytes[2048];
+ HEADER hdr;
+ } answer;
+ unsigned char *p=NULL;
+ char host[MAX_DNS_NAMELEN], *h;
+ int type, rrclass;
+ int priority, weight, size, len, numanswers, numqueries, rdlen;
+ unsigned short port;
+ const int hdrsize = sizeof(HEADER);
+
+ struct srv_dns_entry *head = NULL;
+ struct srv_dns_entry *srv = NULL, *entry = NULL;
+
+ /*
+ * First off, build a query of the form:
+ *
+ * service.protocol.realm
+ *
+ * which will most likely be something like:
+ *
+ * _kerberos._udp.REALM
+ *
+ */
+
+ if (memchr(realm->data, 0, realm->length))
+ return 0;
+ if ( strlen(service) + strlen(protocol) + realm->length + 6
+ > MAX_DNS_NAMELEN )
+ return 0;
+ sprintf(host, "%s.%s.%.*s", service, protocol, (int) realm->length,
+ realm->data);
+
+ /* Realm names don't (normally) end with ".", but if the query
+ doesn't end with "." and doesn't get an answer as is, the
+ resolv code will try appending the local domain. Since the
+ realm names are absolutes, let's stop that.
+
+ But only if a name has been specified. If we are performing
+ a search on the prefix alone then the intention is to allow
+ the local domain or domain search lists to be expanded. */
+
+ h = host + strlen (host);
+ if ((h[-1] != '.') && ((h - host + 1) < sizeof(host)))
+ strcpy (h, ".");
+
+#ifdef TEST
+ fprintf (stderr, "sending DNS SRV query for %s\n", host);
+#endif
+
+ size = res_search(host, C_IN, T_SRV, answer.bytes, sizeof(answer.bytes));
+
+ if ((size < hdrsize) || (size > sizeof(answer.bytes)))
+ goto out;
+
+ /*
+ * We got an answer! First off, parse the header and figure out how
+ * many answers we got back.
+ */
+
+ p = answer.bytes;
+
+ numqueries = ntohs(answer.hdr.qdcount);
+ numanswers = ntohs(answer.hdr.ancount);
+
+ p += sizeof(HEADER);
+
+ /*
+ * We need to skip over all of the questions, so we have to iterate
+ * over every query record. dn_expand() is able to tell us the size
+ * of compress DNS names, so we use it.
+ */
+
+#define INCR_CHECK(x,y) x += y; if (x > size + answer.bytes) goto out
+#define CHECK(x,y) if (x + y > size + answer.bytes) goto out
+#define NTOHSP(x,y) x[0] << 8 | x[1]; x += y
+
+ while (numqueries--) {
+ len = dn_expand(answer.bytes, answer.bytes + size, p, host, sizeof(host));
+ if (len < 0)
+ goto out;
+ INCR_CHECK(p, len + 4);
+ }
+
+ /*
+ * We're now pointing at the answer records. Only process them if
+ * they're actually T_SRV records (they might be CNAME records,
+ * for instance).
+ *
+ * But in a DNS reply, if you get a CNAME you always get the associated
+ * "real" RR for that CNAME. RFC 1034, 3.6.2:
+ *
+ * CNAME RRs cause special action in DNS software. When a name server
+ * fails to find a desired RR in the resource set associated with the
+ * domain name, it checks to see if the resource set consists of a CNAME
+ * record with a matching class. If so, the name server includes the CNAME
+ * record in the response and restarts the query at the domain name
+ * specified in the data field of the CNAME record. The one exception to
+ * this rule is that queries which match the CNAME type are not restarted.
+ *
+ * In other words, CNAMEs do not need to be expanded by the client.
+ */
+
+ while (numanswers--) {
+
+ /* First is the name; use dn_expand to get the compressed size */
+ len = dn_expand(answer.bytes, answer.bytes + size, p, host, sizeof(host));
+ if (len < 0)
+ goto out;
+ INCR_CHECK(p, len);
+
+ /* Next is the query type */
+ CHECK(p, 2);
+ type = NTOHSP(p,2);
+
+ /* Next is the query class; also skip over 4 byte TTL */
+ CHECK(p, 6);
+ rrclass = NTOHSP(p,6);
+
+ /* Record data length */
+
+ CHECK(p,2);
+ rdlen = NTOHSP(p,2);
+
+ /*
+ * If this is an SRV record, process it. Record format is:
+ *
+ * Priority
+ * Weight
+ * Port
+ * Server name
+ */
+
+ if (rrclass == C_IN && type == T_SRV) {
+ CHECK(p,2);
+ priority = NTOHSP(p,2);
+ CHECK(p, 2);
+ weight = NTOHSP(p,2);
+ CHECK(p, 2);
+ port = NTOHSP(p,2);
+ len = dn_expand(answer.bytes, answer.bytes + size, p, host, sizeof(host));
+ if (len < 0)
+ goto out;
+ INCR_CHECK(p, len);
+
+ /*
+ * We got everything! Insert it into our list, but make sure
+ * it's in the right order. Right now we don't do anything
+ * with the weight field
+ */
+
+ srv = (struct srv_dns_entry *) malloc(sizeof(struct srv_dns_entry));
+ if (srv == NULL)
+ goto out;
+
+ srv->priority = priority;
+ srv->weight = weight;
+ srv->port = port;
+ srv->host = strdup(host);
+ if (srv->host == NULL) {
+ free(srv);
+ goto out;
+ }
+
+ if (head == NULL || head->priority > srv->priority) {
+ srv->next = head;
+ head = srv;
+ } else
+ /*
+ * This is confusing. Only insert an entry into this
+ * spot if:
+ * The next person has a higher priority (lower priorities
+ * are preferred).
+ * Or
+ * There is no next entry (we're at the end)
+ */
+ for (entry = head; entry != NULL; entry = entry->next)
+ if ((entry->next &&
+ entry->next->priority > srv->priority) ||
+ entry->next == NULL) {
+ srv->next = entry->next;
+ entry->next = srv;
+ break;
+ }
+ } else
+ INCR_CHECK(p, rdlen);
+ }
+
+ out:
+ *answers = head;
+ return 0;
+}
+#endif
diff --git a/src/lib/krb5/os/init_os_ctx.c b/src/lib/krb5/os/init_os_ctx.c
index eb2321d..c43771d 100644
--- a/src/lib/krb5/os/init_os_ctx.c
+++ b/src/lib/krb5/os/init_os_ctx.c
@@ -31,6 +31,10 @@
#include "k5-int.h"
#include "os-proto.h"
+#ifdef USE_LOGIN_LIBRARY
+#include "KerberosLoginPrivate.h"
+#endif
+
#if defined(_WIN32)
static krb5_error_code
@@ -234,8 +238,14 @@ os_get_default_config_files(profile_filespec_t **pfiles, krb5_boolean secure)
unsigned int ent_len;
const char *s, *t;
+#ifdef USE_LOGIN_LIBRARY
+ /* If __KLAllowHomeDirectoryAccess() == FALSE, we are probably
+ trying to authenticate to a fileserver for the user's homedir. */
+ if (secure || !__KLAllowHomeDirectoryAccess ()) {
+#else
if (secure) {
- filepath = DEFAULT_SECURE_PROFILE_PATH;
+#endif
+ filepath = DEFAULT_SECURE_PROFILE_PATH;
} else {
filepath = getenv("KRB5_CONFIG");
if (!filepath) filepath = DEFAULT_PROFILE_PATH;
diff --git a/src/lib/krb5/os/locate_kdc.c b/src/lib/krb5/os/locate_kdc.c
index 9c9fed4..ce90127 100644
--- a/src/lib/krb5/os/locate_kdc.c
+++ b/src/lib/krb5/os/locate_kdc.c
@@ -502,12 +502,6 @@ krb5_locate_srv_conf(krb5_context context, const krb5_data *realm,
}
#endif
-#ifdef KRB5_DNS_LOOKUP
-
-/*
- * Lookup a KDC via DNS SRV records
- */
-
static krb5_error_code
krb5_locate_srv_dns_1 (const krb5_data *realm,
const char *service,
@@ -515,196 +509,14 @@ krb5_locate_srv_dns_1 (const krb5_data *realm,
struct addrlist *addrlist,
int family)
{
- union {
- unsigned char bytes[2048];
- HEADER hdr;
- } answer;
- unsigned char *p=NULL;
- char host[MAX_DNS_NAMELEN], *h;
- int type, rrclass;
- int priority, weight, size, len, numanswers, numqueries, rdlen;
- unsigned short port;
- const int hdrsize = sizeof(HEADER);
- struct srv_dns_entry {
- struct srv_dns_entry *next;
- int priority;
- int weight;
- unsigned short port;
- char *host;
- };
-
struct srv_dns_entry *head = NULL;
- struct srv_dns_entry *srv = NULL, *entry = NULL;
+ struct srv_dns_entry *entry = NULL, *next;
krb5_error_code code = 0;
- /*
- * First off, build a query of the form:
- *
- * service.protocol.realm
- *
- * which will most likely be something like:
- *
- * _kerberos._udp.REALM
- *
- */
-
- if ( strlen(service) + strlen(protocol) + realm->length + 6
- > MAX_DNS_NAMELEN )
- goto out;
- sprintf(host, "%s.%s.%.*s", service, protocol, (int) realm->length,
- realm->data);
-
- /* Realm names don't (normally) end with ".", but if the query
- doesn't end with "." and doesn't get an answer as is, the
- resolv code will try appending the local domain. Since the
- realm names are absolutes, let's stop that.
-
- But only if a name has been specified. If we are performing
- a search on the prefix alone then the intention is to allow
- the local domain or domain search lists to be expanded. */
-
- h = host + strlen (host);
- if ((h > host) && (h[-1] != '.') && ((h - host + 1) < sizeof(host)))
- strcpy (h, ".");
-
-#ifdef TEST
- fprintf (stderr, "sending DNS SRV query for %s\n", host);
-#endif
-
- size = res_search(host, C_IN, T_SRV, answer.bytes, sizeof(answer.bytes));
-
- if ((size < hdrsize) || (size > sizeof(answer.bytes)))
- goto out;
-
- /*
- * We got an answer! First off, parse the header and figure out how
- * many answers we got back.
- */
-
- p = answer.bytes;
-
- numqueries = ntohs(answer.hdr.qdcount);
- numanswers = ntohs(answer.hdr.ancount);
-
- p += sizeof(HEADER);
-
- /*
- * We need to skip over all of the questions, so we have to iterate
- * over every query record. dn_expand() is able to tell us the size
- * of compress DNS names, so we use it.
- */
-
-#define INCR_CHECK(x,y) x += y; if (x > size + answer.bytes) goto out
-#define CHECK(x,y) if (x + y > size + answer.bytes) goto out
-#define NTOHSP(x,y) x[0] << 8 | x[1]; x += y
-
- while (numqueries--) {
- len = dn_expand(answer.bytes, answer.bytes + size, p, host, sizeof(host));
- if (len < 0)
- goto out;
- INCR_CHECK(p, len + 4);
- }
-
- /*
- * We're now pointing at the answer records. Only process them if
- * they're actually T_SRV records (they might be CNAME records,
- * for instance).
- *
- * But in a DNS reply, if you get a CNAME you always get the associated
- * "real" RR for that CNAME. RFC 1034, 3.6.2:
- *
- * CNAME RRs cause special action in DNS software. When a name server
- * fails to find a desired RR in the resource set associated with the
- * domain name, it checks to see if the resource set consists of a CNAME
- * record with a matching class. If so, the name server includes the CNAME
- * record in the response and restarts the query at the domain name
- * specified in the data field of the CNAME record. The one exception to
- * this rule is that queries which match the CNAME type are not restarted.
- *
- * In other words, CNAMEs do not need to be expanded by the client.
- */
-
- while (numanswers--) {
-
- /* First is the name; use dn_expand to get the compressed size */
- len = dn_expand(answer.bytes, answer.bytes + size, p, host, sizeof(host));
- if (len < 0)
- goto out;
- INCR_CHECK(p, len);
-
- /* Next is the query type */
- CHECK(p, 2);
- type = NTOHSP(p,2);
-
- /* Next is the query class; also skip over 4 byte TTL */
- CHECK(p, 6);
- rrclass = NTOHSP(p,6);
-
- /* Record data length */
-
- CHECK(p,2);
- rdlen = NTOHSP(p,2);
-
- /*
- * If this is an SRV record, process it. Record format is:
- *
- * Priority
- * Weight
- * Port
- * Server name
- */
+ code = krb5int_make_srv_query_realm(realm, service, protocol, &head);
+ if (code)
+ return 0;
- if (rrclass == C_IN && type == T_SRV) {
- CHECK(p,2);
- priority = NTOHSP(p,2);
- CHECK(p, 2);
- weight = NTOHSP(p,2);
- CHECK(p, 2);
- port = NTOHSP(p,2);
- len = dn_expand(answer.bytes, answer.bytes + size, p, host, sizeof(host));
- if (len < 0)
- goto out;
- INCR_CHECK(p, len);
-
- /*
- * We got everything! Insert it into our list, but make sure
- * it's in the right order. Right now we don't do anything
- * with the weight field
- */
-
- srv = (struct srv_dns_entry *) malloc(sizeof(struct srv_dns_entry));
- if (srv == NULL)
- goto out;
-
- srv->priority = priority;
- srv->weight = weight;
- srv->port = port;
- srv->host = strdup(host);
-
- if (head == NULL || head->priority > srv->priority) {
- srv->next = head;
- head = srv;
- } else
- /*
- * This is confusing. Only insert an entry into this
- * spot if:
- * The next person has a higher priority (lower priorities
- * are preferred).
- * Or
- * There is no next entry (we're at the end)
- */
- for (entry = head; entry != NULL; entry = entry->next)
- if ((entry->next &&
- entry->next->priority > srv->priority) ||
- entry->next == NULL) {
- srv->next = entry->next;
- entry->next = srv;
- break;
- }
- } else
- INCR_CHECK(p, rdlen);
- }
-
/*
* Okay! Now we've got a linked list of entries sorted by
* priority. Start looking up A records and returning
@@ -712,53 +524,44 @@ krb5_locate_srv_dns_1 (const krb5_data *realm,
*/
if (head == NULL)
- goto out;
+ return 0;
+
+ /* Check for the "." case indicating no support. */
+ if (head->next == 0 && head->host[0] == 0) {
+ free(head->host);
+ free(head);
+ return KRB5_ERR_NO_SERVICE;
+ }
#ifdef TEST
fprintf (stderr, "walking answer list:\n");
#endif
- for (entry = head; entry != NULL; entry = entry->next) {
+ for (entry = head; entry != NULL; entry = next) {
#ifdef TEST
fprintf (stderr, "\tport=%d host=%s\n", entry->port, entry->host);
#endif
+ next = entry->next;
code = add_host_to_list (addrlist, entry->host, htons (entry->port), 0,
(strcmp("_tcp", protocol)
? SOCK_DGRAM
: SOCK_STREAM), family);
if (code)
break;
+ if (entry == head) {
+ free(entry->host);
+ free(entry);
+ head = next;
+ entry = 0;
+ }
}
#ifdef TEST
fprintf (stderr, "[end]\n");
#endif
- for (entry = head; entry != NULL; ) {
- free(entry->host);
- entry->host = NULL;
- srv = entry;
- entry = entry->next;
- free(srv);
- srv = NULL;
- }
-
- out:
- if (srv)
- free(srv);
-
+ krb5int_free_srv_dns_data(head);
return code;
}
-#ifdef TEST
-static krb5_error_code
-krb5_locate_srv_dns(const krb5_data *realm,
- const char *service, const char *protocol,
- struct addrlist *al)
-{
- return krb5_locate_srv_dns_1 (realm, service, protocol, al, 0);
-}
-#endif
-#endif /* KRB5_DNS_LOOKUP */
-
/*
* Wrapper function for the two backends
*/
@@ -852,7 +655,8 @@ krb5_locate_kdc(krb5_context context, const krb5_data *realm,
sec_udpport = 0;
}
- return krb5int_locate_server(context, realm, addrlist, get_masters, "kdc",
+ return krb5int_locate_server(context, realm, addrlist, 0,
+ get_masters ? "master_kdc" : "kdc",
(get_masters
? "_kerberos-master"
: "_kerberos"),
diff --git a/src/lib/krb5/os/read_pwd.c b/src/lib/krb5/os/read_pwd.c
index 9023b8e..1bb631c 100644
--- a/src/lib/krb5/os/read_pwd.c
+++ b/src/lib/krb5/os/read_pwd.c
@@ -64,15 +64,12 @@ krb5_read_password(krb5_context context, const char *prompt, const char *prompt2
return ENOMEM;
retval = krb5_prompter_posix(NULL,
NULL,NULL, NULL, 1, &k5prompt);
- if (retval) {
- free(verify_data.data);
- } else {
+ if (retval == 0) {
/* compare */
- if (strncmp(return_pwd, (char *)verify_data.data, *size_return)) {
+ if (strncmp(return_pwd, (char *)verify_data.data, *size_return))
retval = KRB5_LIBOS_BADPWDMATCH;
- free(verify_data.data);
- }
}
+ free(verify_data.data);
}
if (!retval)
*size_return = k5prompt.reply->length;
diff --git a/src/lib/krb5/os/send524.c b/src/lib/krb5/os/send524.c
new file mode 100644
index 0000000..0ca8e93
--- /dev/null
+++ b/src/lib/krb5/os/send524.c
@@ -0,0 +1,111 @@
+/*
+ * Copyright 1990,1991,1997 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * Send a packet to a service and await a reply, using an exponential
+ * backoff retry algorithm. This is based on krb5_sendto_kdc.
+ */
+
+/* Grab socket stuff. This might want to go away later. */
+#define NEED_SOCKETS
+#define NEED_LOWLEVEL_IO
+#include "fake-addrinfo.h" /* for custom addrinfo if needed */
+#include "k5-int.h"
+
+#ifndef _WIN32
+#include <unistd.h>
+#include <sys/time.h>
+#endif
+
+#include <stdlib.h>
+#include <string.h>
+
+#include "os-proto.h"
+
+/*
+ * krb524_sendto_kdc:
+ *
+ * A slightly modified version of krb5_sendto_kdc.
+ *
+ * send the formatted request 'message' to a KDC for realm 'realm' and
+ * return the response (if any) in 'reply'.
+ *
+ * If the message is sent and a response is received, 0 is returned,
+ * otherwise an error code is returned.
+ *
+ * The storage for 'reply' is allocated and should be freed by the caller
+ * when finished.
+ */
+
+krb5_error_code
+krb5int_524_sendto_kdc (context, message, realm, reply, addr, addrlen)
+ krb5_context context;
+ const krb5_data * message;
+ const krb5_data * realm;
+ krb5_data * reply;
+ struct sockaddr *addr;
+ socklen_t *addrlen;
+{
+#if defined(KRB5_KRB4_COMPAT) || defined(_WIN32) /* yuck! */
+ int i;
+ struct addrlist al = ADDRLIST_INIT;
+ struct servent *serv;
+ krb5_error_code retval;
+ int port;
+
+ /*
+ * find KDC location(s) for realm
+ */
+
+ serv = getservbyname(KRB524_SERVICE, "udp");
+ port = serv ? serv->s_port : htons (KRB524_PORT);
+
+ retval = krb5int_locate_server(context, realm, &al, 0,
+ "krb524_server", "_krb524",
+ SOCK_DGRAM, port,
+ 0, PF_INET);
+ if (retval == KRB5_REALM_CANT_RESOLVE || retval == KRB5_REALM_UNKNOWN) {
+ /* Fallback heuristic: Assume krb524 port on every KDC might
+ work. */
+ retval = krb5_locate_kdc(context, realm, &al, 0, SOCK_DGRAM, PF_INET);
+ /*
+ * Bash the ports numbers.
+ */
+ if (retval == 0)
+ for (i = 0; i < al.naddrs; i++) {
+ al.addrs[i]->ai_socktype = SOCK_DGRAM;
+ if (al.addrs[i]->ai_family == AF_INET)
+ sa2sin (al.addrs[i]->ai_addr)->sin_port = port;
+ }
+ }
+ if (retval)
+ return retval;
+ if (al.naddrs == 0)
+ return KRB5_REALM_UNKNOWN;
+
+ retval = krb5int_sendto (context, message, &al, reply, addr, addrlen);
+ krb5int_free_addrlist (&al);
+ return retval;
+#else
+ return KRB524_KRB4_DISABLED;
+#endif
+}
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
index 0f5b9f2..1b336a6 100644
--- a/src/lib/krb5/os/sendto_kdc.c
+++ b/src/lib/krb5/os/sendto_kdc.c
@@ -562,6 +562,7 @@ start_connection (struct conn_state *state, struct select_state *selstate)
state->state = CONNECTING;
} else {
dprint("connect failed: %m\n", SOCKET_ERRNO);
+ (void) closesocket(fd);
state->err = SOCKET_ERRNO;
state->state = FAILED;
return -2;
@@ -677,6 +678,25 @@ kill_conn(struct conn_state *conn, struct select_state *selstate, int err)
selstate->nfds--;
}
+/* Check socket for error. */
+static int
+get_so_error(int fd)
+{
+ int e, sockerr;
+ socklen_t sockerrlen;
+
+ sockerr = 0;
+ sockerrlen = sizeof(sockerr);
+ e = getsockopt(fd, SOL_SOCKET, SO_ERROR, &sockerr, &sockerrlen);
+ if (e != 0) {
+ /* What to do now? */
+ e = SOCKET_ERRNO;
+ dprint("getsockopt(SO_ERROR) on fd failed: %m\n", e);
+ return e;
+ }
+ return sockerr;
+}
+
/* Return nonzero only if we're finished and the caller should exit
its loop. This happens in two cases: We have a complete message,
or the socket has closed and no others are open. */
@@ -706,35 +726,29 @@ service_tcp_fd (struct conn_state *conn, struct select_state *selstate,
return e == 0;
}
if (ssflags & SSF_EXCEPTION) {
-#ifdef DEBUG
- int sockerr;
- socklen_t sockerrlen;
-#endif
handle_exception:
-#ifdef DEBUG
- sockerrlen = sizeof(sockerr);
- e = getsockopt(conn->fd, SOL_SOCKET, SO_ERROR,
- &sockerr, &sockerrlen);
- if (e != 0) {
- /* What to do now? */
- e = SOCKET_ERRNO;
- dprint("getsockopt(SO_ERROR) on exception fd failed: %m\n", e);
- goto kill_conn;
- }
- /* Okay, got the error back. Either way, kill the
- connection. */
- e = sockerr;
-#else
- e = 1; /* need only be non-zero */
-#endif
+ e = get_so_error(conn->fd);
+ if (e)
+ dprint("socket error on exception fd: %m", e);
+ else
+ dprint("no socket error info available on exception fd");
goto kill_conn;
}
/*
* Connect finished -- but did it succeed or fail?
* UNIX sets can_write if failed.
- * Try writing, I guess, and find out.
+ * Call getsockopt to see if error pending.
+ *
+ * (For most UNIX systems it works to just try writing the
+ * first time and detect an error. But Bill Dodd at IBM
+ * reports that some version of AIX, SIGPIPE can result.)
*/
+ e = get_so_error(conn->fd);
+ if (e) {
+ dprint("socket error on write fd: %m", e);
+ goto kill_conn;
+ }
conn->state = WRITING;
goto try_writing;
@@ -1073,7 +1087,7 @@ krb5int_sendto (krb5_context context, const krb5_data *message,
egress:
for (i = 0; i < n_conns; i++) {
if (conns[i].fd != INVALID_SOCKET)
- close(conns[i].fd);
+ closesocket(conns[i].fd);
if (conns[i].state == READING
&& conns[i].x.in.buf != 0
&& conns[i].x.in.buf != udpbuf)
diff --git a/src/lib/krb5/os/t_locate_kdc.c b/src/lib/krb5/os/t_locate_kdc.c
index a3d6828..03dac07 100644
--- a/src/lib/krb5/os/t_locate_kdc.c
+++ b/src/lib/krb5/os/t_locate_kdc.c
@@ -117,7 +117,7 @@ int main (int argc, char *argv[])
break;
case LOOKUP_DNS:
- err = krb5_locate_srv_dns (&realm, "_kerberos", "_udp", &al);
+ err = krb5_locate_srv_dns_1 (&realm, "_kerberos", "_udp", &al, 0);
break;
case LOOKUP_WHATEVER:
diff --git a/src/lib/krb5/os/toffset.c b/src/lib/krb5/os/toffset.c
index aad995a..4578f82 100644
--- a/src/lib/krb5/os/toffset.c
+++ b/src/lib/krb5/os/toffset.c
@@ -35,7 +35,7 @@
* between the system time and the "real time" as passed to this
* routine
*/
-krb5_error_code
+krb5_error_code KRB5_CALLCONV
krb5_set_real_time(krb5_context context, krb5_int32 seconds, krb5_int32 microseconds)
{
krb5_os_context os_ctx = context->os_context;
diff --git a/src/lib/krb5/rcache/Makefile.in b/src/lib/krb5/rcache/Makefile.in
index 79b6a28..d67b044 100644
--- a/src/lib/krb5/rcache/Makefile.in
+++ b/src/lib/krb5/rcache/Makefile.in
@@ -49,38 +49,40 @@ clean-unix:: clean-libobjs
#
rc_base.so rc_base.po $(OUTPRE)rc_base.$(OBJEXT): rc_base.c rc_base.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
rc_dfl.so rc_dfl.po $(OUTPRE)rc_dfl.$(OBJEXT): rc_dfl.c rc_base.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h rc_dfl.h rc_io.h
+ rc_dfl.h rc_io.h
rc_io.so rc_io.po $(OUTPRE)rc_io.$(OBJEXT): rc_io.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) rc_base.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/profile.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- rc_dfl.h rc_io.h
+ $(SRCTOP)/include/krb5/kdb.h rc_dfl.h rc_io.h
rcdef.so rcdef.po $(OUTPRE)rcdef.$(OBJEXT): rcdef.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h rc_dfl.h
+ rc_dfl.h
rc_conv.so rc_conv.po $(OUTPRE)rc_conv.$(OBJEXT): rc_conv.c rc_base.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
ser_rc.so ser_rc.po $(OUTPRE)ser_rc.$(OBJEXT): ser_rc.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
rcfns.so rcfns.po $(OUTPRE)rcfns.$(OBJEXT): rcfns.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
generated by cgit v1.1 at 2024-08-01 17:49:00 +0000