-rw-r--r-- | src/include/kdb.h | 4 | ||||
-rw-r--r-- | src/include/krb5/krb5.hin | 199 | ||||
-rw-r--r-- | src/kdc/do_as_req.c | 145 | ||||
-rw-r--r-- | src/kdc/do_tgs_req.c | 11 | ||||
-rw-r--r-- | src/kdc/fast_util.c | 20 | ||||
-rw-r--r-- | src/kdc/kdc_util.h | 3 | ||||
-rw-r--r-- | src/kdc/main.c | 9 | ||||
-rw-r--r-- | src/lib/crypto/builtin/des/deps | 61 | ||||
-rw-r--r-- | src/lib/krb5/ccache/ccfns.c | 44 | ||||
-rw-r--r-- | src/util/support/plugins.c | 2 |
10 files changed, 264 insertions, 234 deletions
diff --git a/src/include/kdb.h b/src/include/kdb.h
index 20ca78a..81e14e9 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -756,8 +756,8 @@ krb5_dbe_free_tl_data(krb5_context, krb5_tl_data *);
 
 /*
  * A krb5_context can hold one database object. Modules should use
- * context->dal_handle->db_context to store state associated with the database
- * object.
+ * krb5_db_set_context and krb5_db_get_context to store state associated with
+ * the database object.
  *
  * Some module functions are mandatory for KDC operation; others are optional
  * or apply only to administrative operations. If a function is optional, a
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 308e50f..b722f2d 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -1,6 +1,7 @@
 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* General definitions for Kerberos version 5. */
 /*
- * Copyright 1989,1990,1995,2001, 2003, 2007, 2011 by the Massachusetts
+ * Copyright 1989, 1990, 1995, 2001, 2003, 2007, 2011 by the Massachusetts
  * Institute of Technology. All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -3500,33 +3501,37 @@ krb5_error_code KRB5_CALLCONV krb5_get_server_rcache(krb5_context context, const krb5_data *piece, krb5_rcache *rcptr); -/** - * @brief Build a principal name using length-counted strings. +/** Build a principal name using length-counted strings. * - * @param context Context structure [input, output] - * @param princ Principal name [input] - * @param rlen Realm name length [input] - * @param realm Realm name [input] - * @param ... List of arguments specifying length and content for each argument + * @param context Context structure [input, output] + * @param princ Principal name [input] + * @param rlen Realm name length [input] + * @param realm Realm name [input] + * @param ... List of arguments specifying length and content for each argument * * Make sure to free the allocated memory when it is no longer needed. * * @note krb5_build_principal() and krb5_build_principal_va() perform the same task. - * krb5_build_principal() takes variadic arguments. krb5_build_principal_va() takes a pre-computed - * @a varargs pointer. + * krb5_build_principal() takes variadic arguments. + * krb5_build_principal_va() takes a pre-computed @a varargs pointer. + * + * @code + * Example of how to build principal WELLKNOWN/ANONYMOUS@R + * krb5_build_principal_ext(context, &principal, strlen("R"), "R", + * strlen(KRB5_WELLKNOWN_NAMESTR), KRB5_WELLKNOWN_NAMESTR, + * strlen(KRB5_ANONYMOUS_PRINCSTR), KRB5_ANONYMOUS_PRINCSTR, 0); + * @endcode * * @retval * 0 Success * @return * Kerberos error codes - * */ krb5_error_code KRB5_CALLCONV_C krb5_build_principal_ext(krb5_context context, krb5_principal * princ, unsigned int rlen, const char * realm, ...); -/** - * @brief Build a principal name using null-terminated strings. +/** Build a principal name using null-terminated strings. * * @param context Context structure [input, output] * @param princ Principal name [output] 
@@ -3537,8 +3542,14 @@ krb5_build_principal_ext(krb5_context context, krb5_principal * princ, * Make sure to free the allocated memory when it is no longer needed. * * @note krb5_build_principal() and krb5_build_principal_va() perform the same task. - * krb5_build_principal() takes variadic arguments. krb5_build_principal_va() takes a pre-computed - * @a varargs pointer. + * krb5_build_principal() takes variadic arguments. + * krb5_build_principal_va() takes a pre-computed @a varargs pointer. + * + * @code + * Example of how to build principal H/S@R + * krb5_build_principal(context, &principal, + * strlen("R"), "R", "H", "S", (char*)NULL); + * @endcode * * @retval * 0 Success @@ -3555,8 +3566,7 @@ krb5_build_principal(krb5_context context, #endif ; #if KRB5_DEPRECATED -/** - * @brief Build a principal name, using a precomputed @c va_list. +/** Build a principal name, using a precomputed @c va_list. * * @param context Context structure [input, output] * @param princ Principal structure [output] @@ -3565,8 +3575,8 @@ krb5_build_principal(krb5_context context, * @param ... @c va_list of arguments [input] * * @note krb5_build_principal() and krb5_build_principal_va() perform the same task. - * krb5_build_principal() takes variadic arguments. krb5_build_principal_va() takes a pre-computed - * @a varargs pointer. + * krb5_build_principal() takes variadic arguments. + * krb5_build_principal_va() takes a pre-computed @a varargs pointer. * * Make sure to free the allocated memory when it is no longer needed. * @@ -3574,7 +3584,6 @@ krb5_build_principal(krb5_context context, * 0 Success * @return * Kerberos error codes - * */ KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV krb5_build_principal_va(krb5_context context, 
@@ -3584,8 +3593,32 @@ krb5_build_principal_va(krb5_context context, va_list ap); #endif -/** - * @brief Version of krb5_build_principal_va which allocates krb5_principal_data +/** Build a principal name, using a precomputed variable argument list + * + * @param context Context structure [input, output] + * @param princ Principal structure. Locally allocated. [output] + * @param rlen Realm name length [input] + * @param realm Realm name [input] + * @param ap @c va_list of arguments [input] + * + * Similar to krb5_build_principal() this function builds a principal name, + * but its name components are specified as va_list. + * + * Make sure to call krb5_free_principal() to deallocate the principal + * when it is no longer needed. + * + * @code + * Function usage example: + * va_list ap; + * va_start(ap, realm); + * krb5_build_principal_alloc_va(context, princ, rlen, realm, ap); + * va_end(ap); + * @endcode + * + * @retval + * 0 Success + * @return + * Kerberos error codes */ krb5_error_code KRB5_CALLCONV krb5_build_principal_alloc_va(krb5_context context, @@ -3607,7 +3640,6 @@ krb5_build_principal_alloc_va(krb5_context context, * 0 Success * @return * Kerberos error codes - * */ krb5_error_code KRB5_CALLCONV krb5_425_conv_principal(krb5_context context, const char *name, 
@@ -3906,48 +3938,96 @@ krb5_cc_default(krb5_context context, krb5_ccache *ccache); krb5_error_code KRB5_CALLCONV krb5_cc_copy_creds(krb5_context context, krb5_ccache incc, krb5_ccache outcc); +/** Get some configuration for the credential cache in the cache. + * + * @param context a Keberos context [input] + * @param id the credential cache to store the data for [input] + * @param principal configuration for a specific principal, if NULL, global for the whole cache.[input] + * @param key name under which the configuraion is stored [input] + * @param data data to be fetched; free with krb5_free_data_contents() [input,output] + * + * @code + * Example: + * krb5_data config_data; + * config_data.data = NULL; + * krb5_cc_get_config(context, ccache, target_principal, key, &config_data); + * ... + * krb5_free_data_contents(context, &config_data); + * @endcode + * + * @retval + * 0 Success + * @return + * Kerberos error codes + */ krb5_error_code KRB5_CALLCONV krb5_cc_get_config(krb5_context context, krb5_ccache id, krb5_const_principal principal, const char *key, krb5_data *data); +/** Store some configuration for the credential cache in the cache. + * + * @param context a Keberos context [input,output] + * @param id the credential cache to store the data for. [input] + * @param principal configuration for a specific principal; if NULL, global for the whole cache.[input] + * @param key name under which the configuraion is stored.[input] + * @param data data to store. [input] + * + * @note Existing configuration under the same key is over-written. 
+ * + * @code + * Example: + * config_data.data = "yes"; + * config_data.length = strlen(config_data.data); + * krb5_cc_set_config(context, id, principal,key, &config_data); + * @endcode + * + * @retval + * 0 Success + * @return + * Kerberos error codes + */ krb5_error_code KRB5_CALLCONV krb5_cc_set_config(krb5_context context, krb5_ccache id, krb5_const_principal principal, const char *key, krb5_data *data); +/** Test whether a principal is a configuration principal. + * + * @param context a Keberos context [input] + * @param principal principal to check if it a configuration principal [input] + * + * @return Return TRUE (non zero) if the principal is a configuration + * principal (generated part of krb5_cc_set_config()). Returns + * FALSE (zero) if not a configuration principal. + */ krb5_boolean KRB5_CALLCONV krb5_is_config_principal(krb5_context context, krb5_const_principal principal); /* krb5_free.c */ -/** - * @brief Free a principal structure. +/** Free a principal structure. * * @param context Context structure [input, output] - * @param val Pointer to data structure to be freed [input, output] + * @param val Pointer to data structure to be freed [input,output] * * @return * None - * */ void KRB5_CALLCONV krb5_free_principal(krb5_context context, krb5_principal val); -/** - * @brief Free an authenticator structure, including its pointer. +/** Free an authenticator structure, including its pointer. * * @param context Context structure [input, output] * @param val Pointer to data structure to be freed [input, output] * * @return * None - * */ void KRB5_CALLCONV krb5_free_authenticator(krb5_context context, krb5_authenticator *val); -/** - * @brief Free an array of addresses and its pointer. +/** Free an array of addresses and its pointer. * * @param context Context structure [input, output] * @param val Pointer to data structure to be freed [input,output] 
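Review bot: The new Doxygen blocks for krb5_cc_get_config and krb5_cc_set_config carry over two typos from the ccfns.c comments they replace, `a Keberos context` and `the configuraion is stored`; since krb5.hin is the published API reference, change them to `a Kerberos context` and `the configuration is stored` before they propagate. The krb5_cc_get_config example also sets only `config_data.data = NULL;` and leaves `length` indeterminate; initialising the whole struct, `krb5_data config_data = { 0 };`, shows callers the state the function and the documented krb5_free_data_contents() cleanup expect. The example's unchecked return value is fine for a snippet, but a trailing `/* check the return value */` would keep it from being copied verbatim.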
@@ -3958,8 +4038,7 @@ krb5_free_authenticator(krb5_context context, krb5_authenticator *val); void KRB5_CALLCONV krb5_free_addresses(krb5_context context, krb5_address **val); -/** - * @brief Free an @c _krb5_auth_data structure. +/** Free an @c _krb5_auth_data structure. * * @param context Context structure [input, output] * @param val Pointer to data structure to be freed [input, output] @@ -3970,8 +4049,7 @@ krb5_free_addresses(krb5_context context, krb5_address **val); void KRB5_CALLCONV krb5_free_authdata(krb5_context context, krb5_authdata **val); -/** - * @brief Free a ticket. +/** Free a ticket. * * @param context Context structure [input, output] * @param val Pointer to the data structure to be freed [input, output] 
@@ -3982,60 +4060,53 @@ krb5_free_authdata(krb5_context context, krb5_authdata **val); void KRB5_CALLCONV krb5_free_ticket(krb5_context context, krb5_ticket *val); -/** - * @brief Free an error allocated by either krb5_read_error() or krb5_sendauth(). +/** Free an error allocated by either krb5_read_error() or krb5_sendauth(). * * @param context Context structure [input, output] * @param val Pointer to data structure to be freed [input, output] * * @return * None - * */ void KRB5_CALLCONV krb5_free_error(krb5_context context, register krb5_error *val); -/** - * @brief Free a credentials structure and invalidate its pointer. +/** Free a credentials structure and invalidate its pointer. * * @param context Context structure [input, output] * @param val Pointer to data structure to be freed [input, output] * * @return * None - * */ void KRB5_CALLCONV krb5_free_creds(krb5_context context, krb5_creds *val); -/** - * @brief Zero out the session key and free the credentials structure. +/** Zero out the session key and free the credentials structure. * * @param context Context structure [input, output] * @param val Pointer to the data structure to be freed [input, output] * * @note The pointer val is not freed. + * * @return * None */ void KRB5_CALLCONV krb5_free_cred_contents(krb5_context context, krb5_creds *val); -/** - * @brief Free a @a checksum structure and its pointer. +/** Free a @a checksum structure and its pointer. * * @param context Context structure [input, output] * @param val Pointer to data structure to be freed [input, output] * * @return * None - * */ void KRB5_CALLCONV krb5_free_checksum(krb5_context context, register krb5_checksum *val); -/** - * @brief Free the contents of a @a checksum structure. +/** Free the contents of a @a checksum structure. * * @param context Context structure [input, output] * @param val Pointer to data structure to be freed [input, output] 
@@ -4048,8 +4119,7 @@ krb5_free_checksum(krb5_context context, register krb5_checksum *val); void KRB5_CALLCONV krb5_free_checksum_contents(krb5_context context, register krb5_checksum *val); -/** - * @brief Free the pointer @a val and zero the contents of the keyblock. +/** Free the pointer @a val and zero the contents of the keyblock. * * @param context Context structure [input, output] * @param val Pointer to data structure to be freed [input, output] @@ -4060,8 +4130,7 @@ krb5_free_checksum_contents(krb5_context context, register krb5_checksum *val); void KRB5_CALLCONV krb5_free_keyblock(krb5_context context, register krb5_keyblock *val); -/** - * @brief Free the contents of a keyblock. +/** Free the contents of a keyblock. * * @param context Context structure [input, output] * @param key Pointer to data structure to be freed [input, output] @@ -4074,8 +4143,7 @@ krb5_free_keyblock(krb5_context context, register krb5_keyblock *val); void KRB5_CALLCONV krb5_free_keyblock_contents(krb5_context context, register krb5_keyblock *key); -/** - * @brief Free the subkey keyblock (if set)and its pointer. +/** Free the subkey keyblock (if set)and its pointer. * * @param context Context structure [input, output] * @param val Pointer to data structure to be freed [input, output] @@ -4086,8 +4154,7 @@ krb5_free_keyblock_contents(krb5_context context, register krb5_keyblock *key); void KRB5_CALLCONV krb5_free_ap_rep_enc_part(krb5_context context, krb5_ap_rep_enc_part *val); -/** - * @brief Free storage associated with a @c krb5_data structure and its pointer. +/** Free storage associated with a @c krb5_data structure and its pointer. * * @param context Context structure [input, output] * @param val Pointer to data structure to be freed [input, output] 
@@ -4098,8 +4165,7 @@ krb5_free_ap_rep_enc_part(krb5_context context, krb5_ap_rep_enc_part *val); void KRB5_CALLCONV krb5_free_data(krb5_context context, krb5_data *val); -/** - * @brief Free the contents of a @c _krb5_data structure and zero the data field. +/** Free the contents of a @c _krb5_data structure and zero the data field. * * @param context Context structure [input, output] * @param val Pointer to data structure to be freed [input, output] @@ -4108,13 +4174,11 @@ krb5_free_data(krb5_context context, krb5_data *val); * * @return * None - * */ void KRB5_CALLCONV krb5_free_data_contents(krb5_context context, krb5_data *val); -/** - * @brief Free a simple character name string returned by krb5_unparse_name(). +/** Free a simple character name string returned by krb5_unparse_name(). * * @param context Context structure [input, output] * @param val Pointer to name string to be freed [input, output] @@ -4122,13 +4186,11 @@ krb5_free_data_contents(krb5_context context, krb5_data *val); * @note The pointer is not freed. * @return * None - * */ void KRB5_CALLCONV krb5_free_unparsed_name(krb5_context context, char *val); -/** - * @brief Free an array of checksum types. +/** Free an array of checksum types. * * @param context Context structure [input, output] * @param val Pointer to checksum type to be freed [input, output] @@ -4148,12 +4210,10 @@ krb5_free_cksumtypes(krb5_context context, krb5_cksumtype *val); * @param seconds System timeofday, seconds portion [output] * @param microseconds System timeofday, microseconds portion [output] * - * * @retval * 0 Success * @return * Kerberos error codes - * */ krb5_error_code KRB5_CALLCONV krb5_us_timeofday(krb5_context context, krb5_timestamp *seconds, krb5_int32 *microseconds); 
@@ -4164,14 +4224,12 @@ krb5_us_timeofday(krb5_context context, krb5_timestamp *seconds, krb5_int32 *mic
  * @param context Context structure [input, output]
  * @param timeret Pointer to @a timeofday field in timestamp
  *
- *
  * Make sure to free the allocated memory when it is no longer needed.
  *
  * @retval
  * 0 Success
  * @return
  * Kerberos error codes
- *
  */
 krb5_error_code KRB5_CALLCONV
 krb5_timeofday(krb5_context context, register krb5_timestamp *timeret);
@@ -4192,8 +4250,7 @@ krb5_timeofday(krb5_context context, register krb5_timestamp *timeret);
  * 0 Success
  * @return
  * Kerberos error codes
- *
-*/
+ */
 krb5_error_code KRB5_CALLCONV
 krb5_os_localaddr(krb5_context context, krb5_address ***addr);
 
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 0cc21ce..6c0921c 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -115,7 +115,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     krb5_key_data *server_key, *client_key;
     krb5_keyblock server_keyblock, client_keyblock;
     krb5_enctype useenctype;
-    krb5_data e_data;
+    krb5_data e_data = empty_data();
     register int i;
     krb5_timestamp rtime;
     char *cname = 0, *sname = 0;
@@ -135,7 +135,6 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 #endif /* APPLE_PKINIT */
 
     ticket_reply.enc_part.ciphertext.data = 0;
-    e_data.data = 0;
     server_keyblock.contents = NULL;
     client_keyblock.contents = NULL;
     reply.padata = 0;
@@ -680,6 +679,61 @@ discard:
     if (emsg)
         return errcode;
 }
 
+/*
+ * If e_data contains a padata or typed data sequence, produce a padata
+ * sequence for FAST in *pa_out. If e_data contains neither, set *pa_out to
+ * NULL and return successfully.
+ */
+static krb5_error_code
+get_error_padata(const krb5_data *e_data, krb5_pa_data ***pa_out)
+{
+    krb5_error_code retval;
+    krb5_pa_data **pa = NULL, *pad;
+    krb5_typed_data **td = NULL;
+    size_t size, i;
+
+    *pa_out = NULL;
+
+    /* Try decoding e_data as padata. */
+    retval = decode_krb5_padata_sequence(e_data, &pa);
+    if (retval == 0) {
+        *pa_out = pa;
+        return 0;
+    }
+
+    /* Try decoding e_data as typed data. If it doesn't decode, assume there
+     * is no error padata. */
+    retval = decode_krb5_typed_data(e_data, &td);
+    if (retval == ENOMEM)
+        return retval;
+    else if (retval != 0)
+        return 0;
+
+    /* Convert the typed data to padata. */
+    for (size = 0; td[size]; size++);
+    pa = k5alloc((size + 1) * sizeof(*pa), &retval);
+    if (pa == NULL)
+        goto cleanup;
+    for (i = 0; i < size; i++) {
+        pad = k5alloc(sizeof(*pad), &retval);
+        if (pad == NULL)
+            goto cleanup;
+        pad->pa_type = td[i]->type;
+        pad->contents = td[i]->data;
+        pad->length = td[i]->length;
+        pa[i] = pad;
+        td[i]->data = NULL;
+    }
+
+    *pa_out = pa;
+    pa = NULL;
+
+cleanup:
+    krb5_free_typed_data(kdc_context, td);
+    krb5_free_pa_data(kdc_context, pa);
+    return retval;
+}
+
 static krb5_error_code
 prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
                   int error, krb5_data *e_data,
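Review bot: get_error_padata treats every failure of decode_krb5_padata_sequence as "not padata" and falls through to the typed-data decoder, while the typed-data path propagates ENOMEM; an allocation failure in the first decoder is therefore reported to the caller as success with *pa_out NULL, and the FAST error goes out without its inner padata. Mirror the second path directly after `retval = decode_krb5_padata_sequence(e_data, &pa);` with `if (retval == ENOMEM) return retval;`. The header comment should also say where e_data originates: it is decoded with no length or type sanity check, which is only acceptable if it is always the KDC's own preauth output and never client-supplied bytes, and nothing in this hunk shows which.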
@@ -688,75 +742,44 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
 {
     krb5_error errpkt;
     krb5_error_code retval;
-    krb5_data *scratch;
+    krb5_data *scratch, *fast_edata = NULL;
     krb5_pa_data **pa = NULL;
-    krb5_typed_data **td = NULL;
-    size_t size;
 
     errpkt.ctime = request->nonce;
     errpkt.cusec = 0;
-    if ((retval = krb5_us_timeofday(kdc_context, &errpkt.stime,
-                                    &errpkt.susec)))
-        return(retval);
+    retval = krb5_us_timeofday(kdc_context, &errpkt.stime, &errpkt.susec);
+    if (retval)
+        return retval;
     errpkt.error = error;
     errpkt.server = request->server;
+    errpkt.client = (error == KRB5KDC_ERR_WRONG_REALM) ? canon_client :
+        request->client;
+    errpkt.e_data = *e_data;
+    errpkt.text = string2data((char *)status);
 
-    if (error == KRB5KDC_ERR_WRONG_REALM)
-        errpkt.client = canon_client;
-    else
-        errpkt.client = request->client;
-    errpkt.text.length = strlen(status);
-    if (!(errpkt.text.data = strdup(status)))
-        return ENOMEM;
+    retval = get_error_padata(e_data, &pa);
+    if (retval)
+        goto cleanup;
+    retval = kdc_fast_handle_error(kdc_context, rstate, request, pa, &errpkt,
+                                   &fast_edata);
+    if (retval)
+        goto cleanup;
+    if (fast_edata != NULL)
+        errpkt.e_data = *fast_edata;
+    scratch = k5alloc(sizeof(*scratch), &retval);
+    if (scratch == NULL)
+        goto cleanup;
+    retval = krb5_mk_error(kdc_context, &errpkt, scratch);
+    if (retval)
+        goto cleanup;
 
-    if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) {
-        free(errpkt.text.data);
-        return ENOMEM;
-    }
-    if (e_data != NULL&& e_data->data != NULL) {
-        errpkt.e_data = *e_data;
-    } else {
-        errpkt.e_data.length = 0;
-        errpkt.e_data.data = NULL;
-    }
-    /*We need to try and produce a padata sequence for FAST*/
-    retval = decode_krb5_padata_sequence(e_data, &pa);
-    if (retval != 0) {
-        retval = decode_krb5_typed_data(e_data, &td);
-        if (retval == 0) {
-            for (size =0; td[size]; size++);
-            pa = calloc(size+1, sizeof(*pa));
-            if (pa == NULL)
-                retval = ENOMEM;
-            else
-                for (size = 0; td[size]; size++) {
krb5_pa_data *pad = malloc(sizeof(krb5_pa_data ));
-                    if (pad == NULL) {
-                        retval = ENOMEM;
-                        break;
-                    }
-                    pad->pa_type = td[size]->type;
-                    pad->contents = td[size]->data;
-                    pad->length = td[size]->length;
-                    pa[size] = pad;
-                    td[size]->data = NULL;
-                    td[size]->length = 0;
-                }
-            krb5_free_typed_data(kdc_context, td);
-        }
-    }
-    retval = kdc_fast_handle_error(kdc_context, rstate,
-                                   request, pa, &errpkt);
-    if (retval == 0)
-        retval = krb5_mk_error(kdc_context, &errpkt, scratch);
+    *response = scratch;
+    scratch = NULL;
 
-    free(errpkt.text.data);
-    if (retval)
-        free(scratch);
-    else
-        *response = scratch;
+cleanup:
     krb5_free_pa_data(kdc_context, pa);
-
+    krb5_free_data(kdc_context, fast_edata);
+    free(scratch);
     return retval;
 }
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 087fc48..f09ae47 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -987,7 +987,7 @@ prepare_error_tgs (struct kdc_request_state *state,
 {
     krb5_error errpkt;
     krb5_error_code retval = 0;
-    krb5_data *scratch;
+    krb5_data *scratch, *fast_edata = NULL;
 
     errpkt.ctime = request->nonce;
     errpkt.cusec = 0;
@@ -1010,15 +1010,20 @@ prepare_error_tgs (struct kdc_request_state *state,
         return ENOMEM;
     }
     errpkt.e_data = *e_data;
-    if (state)
-        retval = kdc_fast_handle_error(kdc_context, state, request, NULL, &errpkt);
+    if (state) {
+        retval = kdc_fast_handle_error(kdc_context, state, request, NULL,
+                                       &errpkt, &fast_edata);
+    }
     if (retval) {
         free(scratch);
         free(errpkt.text.data);
         return retval;
     }
+    if (fast_edata)
+        errpkt.e_data = *fast_edata;
     retval = krb5_mk_error(kdc_context, &errpkt, scratch);
     free(errpkt.text.data);
+    krb5_free_data(kdc_context, fast_edata);
     if (retval)
         free(scratch);
     else
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
index 860dfcb..65e4600 100644
--- a/src/kdc/fast_util.c
+++ b/src/kdc/fast_util.c
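Review bot: `scratch` is left uninitialised in `krb5_data *scratch, *fast_edata = NULL;`, yet every `goto cleanup` ends in `free(scratch)`, and the first two jumps (get_error_padata or kdc_fast_handle_error failing) are taken before `scratch = k5alloc(sizeof(*scratch), &retval);` runs, so those error paths free an indeterminate pointer. Initialise it at the declaration: `krb5_data *scratch = NULL, *fast_edata = NULL;`. The rewrite also drops the old `e_data != NULL` guard and dereferences unconditionally at `errpkt.e_data = *e_data;`; the one caller visible in this diff, process_as_req, passes the address of a local initialised with empty_data(), but if any other caller can pass NULL this is a null dereference, so either keep the guard or record the non-NULL requirement in a comment on the parameter.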
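Review bot: In prepare_error_tgs the early-return branch after a failed kdc_fast_handle_error frees scratch and errpkt.text.data but never fast_edata, whereas the success branch does `krb5_free_data(kdc_context, fast_edata);`; whether the encoder can leave *fast_edata_out allocated on failure is not visible here, so the safe shape is the cleanup-label structure this same commit gives prepare_error_as, with a single `krb5_free_data(kdc_context, fast_edata)` on every path. The `if (state)` wrapper is also redundant now: kdc_fast_handle_error sets `*fast_edata_out = NULL` and returns 0 itself when `!state || !state->armor_key` (visible in the fast_util.c hunk), so the call can be made unconditionally. prepare_error_tgs begins and ends outside this hunk.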
@@ -338,6 +338,7 @@ kdc_fast_response_handle_padata(struct kdc_request_state *state,
         pa[0].length = encrypted_reply->length;
         pa[0].contents = (unsigned char *) encrypted_reply->data;
         pa_array[0] = &pa[0];
+        krb5_free_pa_data(kdc_context, rep->padata);
         rep->padata = pa_array;
         pa_array = NULL;
         free(encrypted_reply);
@@ -363,14 +364,15 @@ kdc_fast_response_handle_padata(struct kdc_request_state *state,
 /*
  * We assume the caller is responsible for passing us an in_padata
  * sufficient to include in a FAST error. In the FAST case we will
- * throw away the e_data in the error (if any); in the non-FAST case
- * we will not use the in_padata.
+ * set *fast_edata_out to the edata to be included in the error; in
+ * the non-FAST case we will set it to NULL.
  */
 krb5_error_code
 kdc_fast_handle_error(krb5_context context,
                       struct kdc_request_state *state,
                       krb5_kdc_req *request,
-                      krb5_pa_data **in_padata, krb5_error *err)
+                      krb5_pa_data **in_padata, krb5_error *err,
+                      krb5_data **fast_edata_out)
 {
     krb5_error_code retval = 0;
     krb5_fast_response resp;
@@ -380,8 +382,8 @@ kdc_fast_handle_error(krb5_context context,
     krb5_pa_data *outer_pa[3], *cookie = NULL;
     krb5_pa_data **inner_pa = NULL;
     size_t size = 0;
-    krb5_data *encoded_e_data = NULL;
 
+    *fast_edata_out = NULL;
     memset(outer_pa, 0, sizeof(outer_pa));
     if (!state || !state->armor_key)
         return 0;
@@ -429,15 +431,7 @@ kdc_fast_handle_error(krb5_context context,
         pa[0].contents = (unsigned char *) encrypted_reply->data;
         outer_pa[0] = &pa[0];
     }
-    retval = encode_krb5_padata_sequence(outer_pa, &encoded_e_data);
-    if (retval == 0) {
-        /*process_as holds onto a pointer to the original e_data and frees it*/
-        err->e_data = *encoded_e_data;
-        free(encoded_e_data); /*contents belong to err*/
-        encoded_e_data = NULL;
-    }
-    if (encoded_e_data)
-        krb5_free_data(kdc_context, encoded_e_data);
+    retval = encode_krb5_padata_sequence(outer_pa, fast_edata_out);
     if (encrypted_reply)
         krb5_free_data(kdc_context, encrypted_reply);
     if (encoded_fx_error)
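Review bot: The rewritten header comment on kdc_fast_handle_error says *fast_edata_out is set but not who owns the result; both callers touched by this commit release it with krb5_free_data, so state the contract: `* On success *fast_edata_out is NULL in the non-FAST case, otherwise a newly allocated krb5_data the caller must free with krb5_free_data().` It should also say whether in_padata may be NULL, because prepare_error_tgs passes NULL while the first sentence still assumes the caller supplies one. Since the hunk at -429 now hands the encoder's output pointer straight to the caller, a sentence noting what *fast_edata_out holds when encode_krb5_padata_sequence fails would let callers drop defensive frees; the function body continues past the end of this hunk.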
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index 9eba0fc..2f85b02 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -354,7 +354,8 @@ krb5_error_code
 kdc_fast_handle_error (krb5_context context,
                        struct kdc_request_state *state,
                        krb5_kdc_req *request,
-                       krb5_pa_data **in_padata, krb5_error *err);
+                       krb5_pa_data **in_padata, krb5_error *err,
+                       krb5_data **fast_edata_out);
 
 krb5_error_code kdc_fast_handle_reply_key(struct kdc_request_state *state,
                                           krb5_keyblock *existing_key,
diff --git a/src/kdc/main.c b/src/kdc/main.c
index 7979031..d58298d 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -162,6 +162,8 @@ setup_server_realm(krb5_principal sprinc)
 static void
 finish_realm(kdc_realm_t *rdp)
 {
+    if (rdp->realm_name)
+        free(rdp->realm_name);
     if (rdp->realm_mpname)
         free(rdp->realm_mpname);
     if (rdp->realm_stash)
@@ -290,7 +292,11 @@ init_realm(kdc_realm_t *rdp, char *realm, char *def_mpname,
         goto whoops;
     }
 
-    rdp->realm_name = realm;
+    rdp->realm_name = strdup(realm);
+    if (rdp->realm_name == NULL) {
+        kret = ENOMEM;
+        goto whoops;
+    }
     kret = krb5int_init_context_kdc(&rdp->realm_context);
     if (kret) {
         kdc_err(NULL, kret, "while getting context for realm %s", realm);
@@ -863,6 +869,7 @@ initialize_realms(krb5_context kcontext, int argc, char **argv)
             kdc_realmlist[0] = rdatap;
             kdc_numrealms++;
         }
+        krb5_free_default_realm(kcontext, lrealm);
     }
 
     /* Ensure that this is set for our first request. */
diff --git a/src/lib/crypto/builtin/des/deps b/src/lib/crypto/builtin/des/deps
index f920a65..582ad9e 100644
--- a/src/lib/crypto/builtin/des/deps
+++ b/src/lib/crypto/builtin/des/deps
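Review bot: init_realm now takes ownership of a heap copy at `rdp->realm_name = strdup(realm);`, and its ENOMEM path jumps to `whoops`, which lies outside the hunk; the copy is reclaimed only if that label (or the caller) runs finish_realm(rdp), and any later failure inside init_realm leaks it otherwise, so confirm the whoops path before merging. The `if (rdp->realm_name)` guard added to finish_realm is redundant because free(NULL) is a no-op, though it matches the neighbouring checks. In initialize_realms the new `krb5_free_default_realm(kcontext, lrealm);` covers the path the hunk shows; check that the error exits of that block, which are not visible here, release lrealm as well.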
@@ -1,20 +1,6 @@ # # Generated makefile dependencies follow. # -afsstring2key.so afsstring2key.po $(OUTPRE)afsstring2key.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(srcdir)/../aes/aes.h \ - $(srcdir)/../aes/uitypes.h $(srcdir)/../crypto_mod.h \ - $(srcdir)/../sha2/sha2.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - afsstring2key.c des_int.h d3_aead.so d3_aead.po $(OUTPRE)d3_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \ 
@@ -39,6 +25,20 @@ d3_kysched.so d3_kysched.po $(OUTPRE)d3_kysched.$(OBJEXT): \ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ $(top_srcdir)/include/socket-utils.h d3_kysched.c des_int.h +des_keys.so des_keys.po $(OUTPRE)des_keys.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(srcdir)/../aes/aes.h \ + $(srcdir)/../aes/uitypes.h $(srcdir)/../crypto_mod.h \ + $(srcdir)/../sha2/sha2.h $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + des_int.h des_keys.c f_aead.so f_aead.po $(OUTPRE)f_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \ 
@@ -66,17 +66,14 @@ f_cksum.so f_cksum.po $(OUTPRE)f_cksum.$(OBJEXT): $(BUILDTOP)/include/autoconf.h f_parity.so f_parity.po $(OUTPRE)f_parity.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(srcdir)/../aes/aes.h \ - $(srcdir)/../aes/uitypes.h $(srcdir)/../crypto_mod.h \ - $(srcdir)/../sha2/sha2.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - des_int.h f_parity.c + $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h des_int.h f_parity.c f_sched.so f_sched.po $(OUTPRE)f_sched.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ 
@@ -122,20 +119,6 @@ weak_key.so weak_key.po $(OUTPRE)weak_key.$(OBJEXT): \
   $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
   $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
   $(top_srcdir)/include/socket-utils.h des_int.h weak_key.c
-string2key.so string2key.po $(OUTPRE)string2key.$(OBJEXT): \
-  $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
-  $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
-  $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(srcdir)/../aes/aes.h \
-  $(srcdir)/../aes/uitypes.h $(srcdir)/../crypto_mod.h \
-  $(srcdir)/../sha2/sha2.h $(top_srcdir)/include/k5-buf.h \
-  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
-  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
-  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
-  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
-  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
-  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
-  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
-  des_int.h string2key.c
 destest.so destest.po $(OUTPRE)destest.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \
diff --git a/src/lib/krb5/ccache/ccfns.c b/src/lib/krb5/ccache/ccfns.c
index 0a23738..7d294e1 100644
--- a/src/lib/krb5/ccache/ccfns.c
+++ b/src/lib/krb5/ccache/ccfns.c
@@ -1,5 +1,5 @@
 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/krb5/ccache/ccfns.c */
+/* lib/krb5/ccache/ccfns.c - Dispatch methods for credentials cache code.*/
 /*
  * Copyright 2000, 2007, 2008 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
@@ -24,10 +24,6 @@
  * or implied warranty.
  */
 
-/*
- * Dispatch methods for credentials cache code.
- */
-
 #include "k5-int.h"
 
 const char * KRB5_CALLCONV
@@ -226,7 +222,7 @@ build_conf_principals (krb5_context context, krb5_ccache id,
     ret = krb5_build_principal(context, &cred->server,
                                sizeof(conf_realm) - 1, conf_realm,
                                conf_name, name, pname, (char *)NULL);
-    free(pname);
+    krb5_free_unparsed_name(context, pname);
     if (ret) {
         krb5_free_principal(context, client);
         return ret;
@@ -236,16 +232,6 @@ build_conf_principals (krb5_context context, krb5_ccache id,
     return ret;
 }
 
-/*!
- * \param context a Keberos context
- * \param principal principal to check if it a configuration principal
- *
- * \brief Return TRUE (non zero) if the principal is a configuration
- * principal (generated part of krb5_cc_set_config()). Returns
- * FALSE (zero) if not a configuration principal.
- *
- */
-
 krb5_boolean KRB5_CALLCONV
 krb5_is_config_principal (krb5_context context,
                           krb5_const_principal principal)
@@ -266,20 +252,6 @@ krb5_is_config_principal (krb5_context context,
     return TRUE;
 }
 
-/*!
- * \param context a Keberos context
- * \param id the credential cache to store the data for
- * \param principal configuration for a specific principal, if
- * NULL, global for the whole cache.
- * \param key name under which the configuraion is stored.
- * \param data data to store
- *
- * \brief Store some configuration for the credential cache in the
- * cache. Existing configuration under the same key is
- * over-written.
- *
- */
-
 krb5_error_code KRB5_CALLCONV
 krb5_cc_set_config (krb5_context context, krb5_ccache id,
                     krb5_const_principal principal,
@@ -310,18 +282,6 @@ out:
     return ret;
 }
 
-/*!
- * \param context a Keberos context
- * \param id the credential cache to store the data for
- * \param principal configuration for a specific principal, if
- * NULL, global for the whole cache.
- * \param key name under which the configuraion is stored.
- * \param data data to fetched, free with krb5_data_free()
- *
- * \brief Get some configuration for the credential cache in the cache.
- */
-
-
 krb5_error_code KRB5_CALLCONV
 krb5_cc_get_config (krb5_context context, krb5_ccache id,
                     krb5_const_principal principal,
diff --git a/src/util/support/plugins.c b/src/util/support/plugins.c
index f457f35..ce65e1b 100644
--- a/src/util/support/plugins.c
+++ b/src/util/support/plugins.c
@@ -263,7 +263,7 @@ krb5int_open_plugin (const char *filepath, struct plugin_file_handle **h, struct
 #define PLUGIN_DLOPEN_FLAGS (RTLD_NOW | RTLD_LOCAL)
 #endif
     if (!err) {
-        handle = dlopen(filepath, PLUGIN_DLOPEN_FLAGS);
+        handle = dlopen(filepath, PLUGIN_DLOPEN_FLAGS | RTLD_NODELETE);
         if (handle == NULL) {
             const char *e = dlerror();
             if (e == NULL) |
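Review bot: `RTLD_NODELETE` is ORed into the dlopen flags unconditionally, but it is a GNU/BSD extension rather than POSIX, so a platform whose <dlfcn.h> lacks the macro stops compiling here; the natural fix is to fold it into the existing PLUGIN_DLOPEN_FLAGS definition under an `#ifdef RTLD_NODELETE` guard that keeps the old `(RTLD_NOW | RTLD_LOCAL)` as the fallback (the head of that conditional block is outside the hunk). The change also carries no comment saying why plugin modules must now stay mapped after dlclose; a one-liner with the real motivation, e.g. `/* RTLD_NODELETE: keep the module mapped after dlclose because ... */`, is worth adding, since the visible consequence is that a loaded plugin can never be unmapped or replaced for the life of the process and a reader should not need git blame to learn that this is intentional.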