Diffstat (limited to 'src/lib/krb4')
-rw-r--r--src/lib/krb4/ChangeLog129
-rw-r--r--src/lib/krb4/Makefile.in48
-rw-r--r--src/lib/krb4/RealmsConfig-glue.c263
-rw-r--r--src/lib/krb4/change_password.c3
-rw-r--r--src/lib/krb4/configure.in8
-rw-r--r--src/lib/krb4/err_txt.c13
-rw-r--r--src/lib/krb4/g_ad_tkt.c9
-rw-r--r--src/lib/krb4/g_cnffile.c12
-rw-r--r--src/lib/krb4/g_in_tkt.c4
-rw-r--r--src/lib/krb4/g_pw_in_tkt.c2
-rw-r--r--src/lib/krb4/kadm_stream.c10
-rw-r--r--src/lib/krb4/lifetime.c109
-rw-r--r--src/lib/krb4/mk_auth.c1
-rw-r--r--src/lib/krb4/mk_req.c7
-rw-r--r--src/lib/krb4/password_to_key.c4
15 files changed, 388 insertions, 234 deletions
diff --git a/src/lib/krb4/ChangeLog b/src/lib/krb4/ChangeLog
index 9c53ca1..0842831 100644
--- a/src/lib/krb4/ChangeLog
+++ b/src/lib/krb4/ChangeLog
@@ -1,3 +1,132 @@
+2003-08-15 Alexandra Ellwood <lxs@mit.edu>
+
+ * mk_auth.c: krb_check_auth clears the return value for the
+ schedule parameter with a memset. This prevents callers
+ from using the key schedule, which breaks code.
+
+2003-08-06 Alexandra Ellwood <lxs@mit.edu>
+
+ * configure.in: Don't assume all darwin boxes are powerpc.
+ (eg: OpenDarwin/x86).
+
+2003-07-11 Alexandra Ellwood <lxs@mit.edu>
+
+ * RealmsConfig-glue.c: Check for NULL realm argument and n
+ not equal to 1. Fill in realm with an empty string on error
+ in case the caller doesn't check the return value.
+
+2003-07-11 Alexandra Ellwood <lxs@mit.edu>
+
+ * RealmsConfig-glue.c: Don't fail when krb5.conf is valid
+ and krb.conf isn't. Also, don't assert v4 realm is in profile
+ unless that realm is a valid v4 realm.
+
+2003-07-07 Alexandra Ellwood <lxs@mit.edu>
+
+ * RealmsConfig-glue.c: krb_prof_get_nth() no longer assumes that
+ its retlen argument is correct (call strcpy instead of strncpy)
+ because this argument is a guess for some callers
+ (eg: krb_get_admhst())
+
+2003-06-11 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in (KRB_ERR_C): New variable; Darwin needs err_txt.o to
+ have a dependency on krb_err.c so that krb_err.c will be generated
+ first.
+
+ * configure.in: Set KRB_ERR_C to krb_err.c on Darwin.
+
+2003-06-09 Ken Raeburn <raeburn@mit.edu>
+
+ * RealmsConfig-glue.c (krb_get_krbhst): Don't fall back to DNS if
+ entries were found in krb.conf, and just not enough to fill the
+ request.
+
+2003-06-06 Ken Raeburn <raeburn@mit.edu>
+
+ * RealmsConfig-glue.c: Include k5-int.h.
+ (dnscache): New variable.
+ (DNS_CACHE_TIMEOUT): New macro.
+ (krb_get_krbhst) [KRB5_DNS_LOOKUP]: If no krb.conf info is found,
+ try DNS SRV records for "kerberos-iv". Cache results in case
+ they're immediately requested again.
+
+2003-06-06 Tom Yu <tlyu@mit.edu>
+
+ * g_cnffile.c (krb__get_srvtabname): Make retname be a static
+ array rather than a static pointer, to avoid callers' possible
+ retention of free()d pointers. Yes, this may cause difficulty
+ with making this function thread-safe.
+
+2003-06-04 Tom Yu <tlyu@mit.edu>
+
+ * password_to_key.c (mit_passwd_to_key, afs_passwd_to_key): Delete
+ spurious space from prompt.
+
+2003-06-03 Ken Raeburn <raeburn@mit.edu>
+
+ * RealmsConfig-glue.c (get_krbhst_default): Deleted.
+ (krb_get_krbhst): Don't call it.
+
+2003-06-03 Sam Hartman <hartmans@mit.edu>
+
+ * g_pw_in_tkt.c (passwd_to_key): Fix password prompt
+
+ * password_to_key.c (mit_passwd_to_key): Fix password prompt
+ (afs_passwd_to_key): Fix password prompt
+
+ * g_in_tkt.c (krb_get_in_tkt_preauth_creds): Keep copy of
+ ciphertext while trying different keyprocs
+
+2003-06-02 Tom Yu <tlyu@mit.edu>
+
+ * change_password.c (krb_change_password): Explicitly zero the
+ session key. Zero the key derived from the new password.
+
+ * mk_req.c (krb_mk_req): Explicitly zero the session key.
+ (krb_mk_req_creds_prealm): Don't zero the session key, in case the
+ caller wants to make use of it.
+
+2003-05-24 Ken Raeburn <raeburn@mit.edu>
+
+ * lifetime.c (krb_life_to_time, krb_time_to_life): Rewrite to use
+ support functions in the krb5 library via krb5int_accessor. Moved
+ old implementation into krb5 library.
+
+2003-05-12 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in: Add setting of KRB_ERR on Windows.
+
+2003-05-11 Sam Hartman <hartmans@mit.edu>
+
+ * Makefile.in: Build krb_err.c when appropriate.
+
+ * configure.in: Set KRB_ERR to be the object file generated by
+ krb_err.c on non-Darwin
+
+ * err_txt.c : Don't include krb_err.c on non-Darwin UNIX. Doing
+ so may break with some compile_et implementations. Also not
+ included on Windows.
+
+2003-05-01 Alexandra Ellwood <lxs@mit.edu>
+ ΚΚ
+ * kadm_stream.c: Fixed vts_long() and vts_short() so they return a
+ pointer to the beginning of the memory they allocate and place
+ their data at the end of the buffer which was passed in.
+
+2003-04-15 Alexandra Ellwood <lxs@mit.edu>
+ ΚΚ
+ * g_ad_tkt.c: accidentally checked a non-space character into
+ the USE_LOGIN_LIBRARY part of get_ad_tkt so it doesn't build
+ on the Mac. Oops.
+
+2003-04-14 Alexandra Ellwood <lxs@mit.edu>
+ ΚΚ
+ * g_ad_tkt.c: Added support for login library to get_ad_tkt.
+ Support is copied from Mac Kerberos4 library and conditionalized
+ for USE_LOGIN_LIBRARY to avoid changing get_ad_tkt's behavior for
+ non-Kerberos Login Library builds.
+
2003-03-06 Alexandra Ellwood <lxs@mit.edu>
* CCache-glue.c: Added prototypes for deprecated functions.
diff --git a/src/lib/krb4/Makefile.in b/src/lib/krb4/Makefile.in
index 0a8ecff..572a3ad 100644
--- a/src/lib/krb4/Makefile.in
+++ b/src/lib/krb4/Makefile.in
@@ -29,6 +29,12 @@ SHLIB_DIRS=-L$(TOPLIBD)
SHLIB_RDIRS=$(KRB5_LIBDIR)
EHDRDIR=$(BUILDTOP)$(S)include$(S)kerberosIV
+KRB_ERR=@KRB_ERR@
+##DOS##KRB_ERR=$(OUTPRE)krb_err.$(OBJEXT)
+
+# Name of generated krb_err.c, needed for err_txt.* dependency on Darwin.
+KRB_ERR_C=@KRB_ERR_C@
+##DOS##KRB_ERR_C=
OBJS = \
$(OUTPRE)change_password.$(OBJEXT) \
@@ -72,7 +78,7 @@ OBJS = \
$(OUTPRE)rd_preauth.$(OBJEXT) \
$(OUTPRE)mk_preauth.$(OBJEXT) \
$(OSOBJS) $(CACHEOBJS) $(SETENVOBJS) $(STRCASEOBJS) $(SHMOBJS) \
- $(LIB_KRB_HOSTOBJS) $(SERVER_KRB_OBJS) $(NETIO_OBJS) $(REALMDBOBJS)
+ $(LIB_KRB_HOSTOBJS) $(SERVER_KRB_OBJS) $(NETIO_OBJS) $(REALMDBOBJS) $(KRB_ERR)
SRCS = \
change_password.c \
@@ -217,7 +223,7 @@ krb_err_txt.c: krb_err.et $(srcdir)$(S)et_errtxt.awk
# Will be empty on Darwin, krb_err_txt.c elsewhere.
KRB_ERR_TXT=@KRB_ERR_TXT@
##DOS##KRB_ERR_TXT=krb_err_txt.c
-err_txt.so err_txt.po $(OUTPRE)err_txt.$(OBJEXT): err_txt.c $(KRB_ERR_TXT)
+err_txt.so err_txt.po $(OUTPRE)err_txt.$(OBJEXT): err_txt.c $(KRB_ERR_C) $(KRB_ERR_TXT)
depend-dependencies: krb_err.h $(EHDRDIR)$(S)krb_err.h \
kadm_err.h $(EHDRDIR)$(S)kadm_err.h \
@@ -335,11 +341,14 @@ kname_parse.so kname_parse.po $(OUTPRE)kname_parse.$(OBJEXT): kname_parse.c $(SR
err_txt.so err_txt.po $(OUTPRE)err_txt.$(OBJEXT): err_txt.c $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
$(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h krb4int.h \
- $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \
- krb_err.c
+ $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h
lifetime.so lifetime.po $(OUTPRE)lifetime.$(OBJEXT): lifetime.c $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
- $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/k5-int.h \
+ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
g_in_tkt.so g_in_tkt.po $(OUTPRE)g_in_tkt.$(OBJEXT): g_in_tkt.c $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
$(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h krb4int.h \
@@ -409,9 +418,10 @@ send_to_kdc.so send_to_kdc.po $(OUTPRE)send_to_kdc.$(OBJEXT): send_to_kdc.c $(SR
$(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/krbports.h \
$(SRCTOP)/include/kerberosIV/prot.h $(BUILDTOP)/include/krb5/autoconf.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/fake-addrinfo.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-int.h \
- $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/kdb.h krb4int.h
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-platform.h \
+ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
+ $(BUILDTOP)/include/krb5.h $(SRCTOP)/include/krb5/kdb.h \
+ krb4int.h
stime.so stime.po $(OUTPRE)stime.$(OBJEXT): stime.c $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
$(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h krb4int.h \
@@ -434,9 +444,9 @@ tf_util.so tf_util.po $(OUTPRE)tf_util.$(OBJEXT): tf_util.c $(SRCTOP)/include/ke
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
$(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- krb4int.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h krb4int.h
dest_tkt.so dest_tkt.po $(OUTPRE)dest_tkt.$(OBJEXT): dest_tkt.c $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
$(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/k5-util.h \
@@ -489,9 +499,9 @@ rd_svc_key.so rd_svc_key.po $(OUTPRE)rd_svc_key.$(OBJEXT): rd_svc_key.c $(SRCTOP
$(KRB_ERR_H_DEP) $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
krb4int.h $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/krb54proto.h \
- $(SRCTOP)/include/kerberosIV/prot.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
+ $(SRCTOP)/include/krb54proto.h $(SRCTOP)/include/kerberosIV/prot.h
cr_err_repl.so cr_err_repl.po $(OUTPRE)cr_err_repl.$(OBJEXT): cr_err_repl.c $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
$(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h
@@ -538,12 +548,14 @@ g_cnffile.so g_cnffile.po $(OUTPRE)g_cnffile.$(OBJEXT): g_cnffile.c $(SRCTOP)/in
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
$(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- krb4int.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h krb4int.h
RealmsConfig-glue.so RealmsConfig-glue.po $(OUTPRE)RealmsConfig-glue.$(OBJEXT): RealmsConfig-glue.c \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
krb4int.h $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h
+ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
diff --git a/src/lib/krb4/RealmsConfig-glue.c b/src/lib/krb4/RealmsConfig-glue.c
index 52437ee..0635284 100644
--- a/src/lib/krb4/RealmsConfig-glue.c
+++ b/src/lib/krb4/RealmsConfig-glue.c
@@ -37,6 +37,7 @@
#include "profile.h"
#include "krb.h"
#include "krb4int.h"
+#include "k5-int.h" /* for accessor, addrlist stuff */
#include "port-sockets.h"
#define KRB5_PRIVATE 1
@@ -142,10 +143,11 @@ krb_prof_get_nth(
}
if (result == KSUCCESS) {
/* Return error rather than truncating. */
+ /* Don't strncpy because retlen is a guess for some callers */
if (strlen(value) >= retlen)
result = KFAILURE;
else
- strncpy(ret, value, retlen);
+ strcpy(ret, value);
}
cleanup:
if (name != NULL)
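Review bot: The new comment explains the strncpy→strcpy switch only as "retlen is a guess", which hides the actual hazard: strncpy zero-pads the full retlen bytes, so an over-estimated retlen overran the caller's buffer even for short values, whereas strcpy writes only strlen(value)+1 bytes. The `strlen(value) >= retlen` check on the line above still trusts retlen, so a caller passing an overstated retlen (the ChangeLog names krb_get_admhst) can still be overrun by a long value, and that residual risk belongs in the comment. Suggest `/* Don't strncpy: it zero-pads all retlen bytes, and retlen is only a guess for some callers (e.g. krb_get_admhst). strcpy writes strlen(value)+1 bytes; the bound check above still trusts retlen. */`. krb_prof_get_nth begins before this hunk.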
@@ -188,76 +190,112 @@ krb_get_lrealm(
char *realm,
int n)
{
- long profErr = 0;
- char *realmString = NULL;
- char *realmStringV4 = NULL;
- profile_t profile = NULL;
- int result;
- FILE *cnffile = NULL;
- char scratch[SCRATCHSZ];
-
- if (n != 1 || realm == NULL)
- return KFAILURE;
+ int result = KSUCCESS;
+ profile_t profile = NULL;
+ char *profileDefaultRealm = NULL;
+ char **profileV4Realms = NULL;
+ int profileHasDefaultRealm = 0;
+ int profileDefaultRealmIsV4RealmInProfile = 0;
+ char krbConfLocalRealm[REALM_SZ];
+ int krbConfHasLocalRealm = 0;
- result = KFAILURE; /* Start out with failure. */
-
- profErr = krb_get_profile(&profile);
- if (profErr)
- goto cleanup;
+ if ((realm == NULL) || (n != 1)) { result = KFAILURE; }
- profErr = profile_get_string(profile, REALMS_V4_PROF_LIBDEFAULTS_SECTION,
- REALMS_V4_DEFAULT_REALM, NULL, NULL,
- &realmString);
- if (profErr || realmString == NULL)
- goto cleanup;
+ if (result == KSUCCESS) {
+ /* Some callers don't check the return value so we initialize
+ * to an empty string in case it never gets filled in. */
+ realm [0] = '\0';
+ }
+
+ if (result == KSUCCESS) {
+ int profileErr = krb_get_profile (&profile);
+
+ if (!profileErr) {
+ /* Get the default realm from the profile */
+ profileErr = profile_get_string(profile, REALMS_V4_PROF_LIBDEFAULTS_SECTION,
+ REALMS_V4_DEFAULT_REALM, NULL, NULL,
+ &profileDefaultRealm);
+ if (profileDefaultRealm == NULL) { profileErr = KFAILURE; }
+ }
+
+ if (!profileErr) {
+ /* If there is an equivalent v4 realm to the default realm, use that instead */
+ char *profileV4EquivalentRealm = NULL;
+
+ if (profile_get_string (profile, "realms", profileDefaultRealm, "v4_realm", NULL,
+ &profileV4EquivalentRealm) == 0 &&
+ profileV4EquivalentRealm != NULL) {
+
+ profile_release_string (profileDefaultRealm);
+ profileDefaultRealm = profileV4EquivalentRealm;
+ }
+ }
+
+ if (!profileErr) {
+ if (strlen (profileDefaultRealm) < REALM_SZ) {
+ profileHasDefaultRealm = 1; /* a reasonable default realm */
+ } else {
+ profileErr = KFAILURE;
+ }
+ }
+
+ if (!profileErr) {
+ /* Walk through the v4 realms list looking for the default realm */
+ const char *profileV4RealmsList[] = { REALMS_V4_PROF_REALMS_SECTION, NULL };
+
+ if (profile_get_subsection_names (profile, profileV4RealmsList,
+ &profileV4Realms) == 0 &&
+ profileV4Realms != NULL) {
+
+ char **profileRealm;
+ for (profileRealm = profileV4Realms; *profileRealm != NULL; profileRealm++) {
+ if (strcmp (*profileRealm, profileDefaultRealm) == 0) {
+ /* default realm is a v4 realm */
+ profileDefaultRealmIsV4RealmInProfile = 1;
+ break;
+ }
+ }
+ }
+ }
+ }
+
+ if (result == KSUCCESS) {
+ /* Try to get old-style config file lookup for fallback. */
+ FILE *cnffile = NULL;
+ char scratch[SCRATCHSZ];
+
+ cnffile = krb__get_cnffile();
+ if (cnffile != NULL) {
+ if (fscanf(cnffile, SCNSCRATCH, scratch) == 1) {
+ if (strlen(scratch) < REALM_SZ) {
+ strncpy(krbConfLocalRealm, scratch, REALM_SZ);
+ krbConfHasLocalRealm = 1;
+ }
+ }
+ fclose(cnffile);
+ }
+ }
- if (strlen(realmString) >= REALM_SZ)
- goto cleanup;
- strncpy(realm, realmString, REALM_SZ);
- /*
- * Step 2: the default realm is actually v5 realm, so we have to
- * check for the case where v4 and v5 realms are different.
- */
- profErr = profile_get_string(profile, "realms", realm, "v4_realm",
- NULL, &realmStringV4);
- if (profErr || realmStringV4 == NULL)
- goto cleanup;
+ if (result == KSUCCESS) {
+ /*
+ * We want to favor the profile value over the krb.conf value
+ * but not stop suppporting its use with a v5-only profile.
+ * So we only use the krb.conf realm when the default profile
+ * realm doesn't exist in the v4 realm section of the profile.
+ */
+ if (krbConfHasLocalRealm && !profileDefaultRealmIsV4RealmInProfile) {
+ strncpy (realm, krbConfLocalRealm, REALM_SZ);
+ } else if (profileHasDefaultRealm) {
+ strncpy (realm, profileDefaultRealm, REALM_SZ);
+ } else {
+ result = KFAILURE; /* No default realm */
+ }
+ }
- if (strlen(realmStringV4) >= REALM_SZ)
- goto cleanup;
- strncpy(realm, realmStringV4, REALM_SZ);
- result = KSUCCESS;
-cleanup:
- if (realmString != NULL)
- profile_release_string(realmString);
- if (realmStringV4 != NULL)
- profile_release_string(realmStringV4);
- if (profile != NULL)
- profile_abandon(profile);
+ if (profileDefaultRealm != NULL) { profile_release_string (profileDefaultRealm); }
+ if (profileV4Realms != NULL) { profile_free_list (profileV4Realms); }
+ if (profile != NULL) { profile_abandon (profile); }
- if (result == KSUCCESS)
- return result;
- /*
- * Do old-style config file lookup.
- */
- do {
- cnffile = krb__get_cnffile();
- if (cnffile == NULL)
- break;
- if (fscanf(cnffile, SCNSCRATCH, scratch) == 1) {
- if (strlen(scratch) >= REALM_SZ)
- result = KFAILURE;
- else {
- strncpy(realm, scratch, REALM_SZ);
- result = KSUCCESS;
- }
- }
- fclose(cnffile);
- } while (0);
- if (result == KFAILURE && strlen(KRB_REALM) < REALM_SZ) {
- strncpy(realm, KRB_REALM, REALM_SZ);
- result = KSUCCESS;
- }
return result;
}
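Review bot: The rewritten krb_get_lrealm silently drops the compiled-in KRB_REALM fallback that the removed tail (`if (result == KFAILURE && strlen(KRB_REALM) < REALM_SZ)`) provided, so a host with neither a usable profile default realm nor a krb.conf now gets KFAILURE where it used to get KRB_REALM; none of the ChangeLog entries for this file record that. If it is intentional, say so at the final branch, e.g. `result = KFAILURE; /* No profile or krb.conf realm; the KRB_REALM compile-time fallback is intentionally gone. */`. Separately, the early `(realm == NULL) || (n != 1)` test sets KFAILURE before the block that clears `realm[0]`, so a non-NULL realm with n != 1 is left untouched, contrary to the stated goal of filling realm with an empty string on error; clearing it in that branch when realm is non-NULL would make the behaviour uniform.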
@@ -359,23 +397,6 @@ krb_get_kpasswdhst(
REALMS_V4_PROF_KPASSWD_KDC);
}
-static int
-get_krbhst_default(h, r, n)
- char *h;
- char *r;
- int n;
-{
- if (n != 1)
- return KFAILURE;
- if (strlen(KRB_HOST) + 1 + strlen(r) >= MAXHOSTNAMELEN)
- return KFAILURE;
- /* KRB_HOST.REALM (ie. kerberos.CYGNUS.COM) */
- strcpy(h, KRB_HOST);
- strcat(h, ".");
- strcat(h, r);
- return KSUCCESS;
-}
-
/*
* Realm, index -> KDC mapping
*
@@ -411,6 +432,15 @@ get_krbhst_default(h, r, n)
* kerberos. In the long run, this functionality will be provided by a
* nameserver.
*/
+#ifdef KRB5_DNS_LOOKUP
+static struct {
+ time_t when;
+ char realm[REALM_SZ+1];
+ struct srv_dns_entry *srv;
+} dnscache = { 0, { 0 }, 0 };
+#define DNS_CACHE_TIMEOUT 60 /* seconds */
+#endif
+
int KRB5_CALLCONV
krb_get_krbhst(
char *host,
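Review bot: `dnscache` is file-scope mutable state that krb_get_krbhst both walks (`dnscache.srv`) and replaces (freeing the previous list first) with no synchronization, so two threads resolving different realms can race and one may walk a list the other has just freed; if this library is meant to be usable from threaded programs the cache needs a lock, and otherwise the limitation should be stated where the cache is declared. Suggest `/* Single-entry cache, unlocked: concurrent krb_get_krbhst calls are not safe. */` above the struct. A note on `DNS_CACHE_TIMEOUT` that it bounds the age of a successful lookup only (failed queries are never stored, since the cache is updated only when `srv` is non-null) would also help the next reader.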
@@ -423,10 +453,36 @@ krb_get_krbhst(
char linebuf[BUFSIZ];
char tr[SCRATCHSZ];
char scratch[SCRATCHSZ];
+#ifdef KRB5_DNS_LOOKUP
+ time_t now;
+#endif
if (n < 1 || host == NULL || realm == NULL)
return KFAILURE;
+#ifdef KRB5_DNS_LOOKUP
+ /* We'll only have this realm's info in the DNS cache if there is
+ no data in the local config files.
+
+ XXX The files could've been updated in the last few seconds.
+ Do we care? */
+ if (!strncmp(dnscache.realm, realm, REALM_SZ)
+ && (time(&now), abs(dnscache.when - now) < DNS_CACHE_TIMEOUT)) {
+ struct srv_dns_entry *entry;
+
+ get_from_dnscache:
+ /* n starts at 1, addrs indices run 0..naddrs */
+ for (i = 1, entry = dnscache.srv; i < n && entry; i++)
+ entry = entry->next;
+ if (entry == NULL)
+ return KFAILURE;
+ if (strlen(entry->host) + 6 >= MAXHOSTNAMELEN)
+ return KFAILURE;
+ sprintf(host, "%s:%d", entry->host, entry->port);
+ return KSUCCESS;
+ }
+#endif
+
result = krb_prof_get_nth(host, MAXHOSTNAMELEN, realm, n,
REALMS_V4_PROF_REALMS_SECTION,
REALMS_V4_PROF_KDC);
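Review bot: `now` is assigned only inside the short-circuited cache-hit test (`time(&now)` runs only when the realm already matches `dnscache.realm`), so on the first lookup of a realm — exactly the case that reaches the DNS branch in the next hunk and stores `dnscache.when = now` — `now` is read uninitialized, which is undefined behaviour and in practice gives the first cached entry a garbage timestamp. Move the call out of the condition: `time_t now = 0;` at the declaration, `time(&now);` before the `if`, and the test becomes `if (!strncmp(dnscache.realm, realm, REALM_SZ) && abs(dnscache.when - now) < DNS_CACHE_TIMEOUT)`. While there, `abs()` takes an int but `dnscache.when - now` is a time_t difference, so a comparison written on time_t values avoids the narrowing. The `sprintf` bound `strlen(entry->host) + 6 >= MAXHOSTNAMELEN` is exact only if `entry->port` always prints as at most five digits; `snprintf(host, MAXHOSTNAMELEN, ...)` with a result check would not depend on that. krb_get_krbhst continues outside this hunk.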
@@ -461,14 +517,43 @@ krb_get_krbhst(
i++;
}
fclose(cnffile);
- if (result == KSUCCESS && strlen(scratch) < MAXHOSTNAMELEN)
+ if (result == KSUCCESS && strlen(scratch) < MAXHOSTNAMELEN) {
strcpy(host, scratch);
- else
- result = KFAILURE;
+ return KSUCCESS;
+ }
+ if (i > 0)
+ /* Found some, but not as many as requested. */
+ return KFAILURE;
} while (0);
- if (result == KFAILURE)
- result = get_krbhst_default(host, realm, n);
- return result;
+#ifdef KRB5_DNS_LOOKUP
+ do {
+ krb5int_access k5;
+ krb5_error_code err;
+ krb5_data realmdat;
+ struct srv_dns_entry *srv;
+
+ err = krb5int_accessor(&k5, KRB5INT_ACCESS_VERSION);
+ if (err)
+ break;
+
+ realmdat.data = realm;
+ realmdat.length = strlen(realm);
+ err = k5.make_srv_query_realm(&realmdat, "_kerberos-iv", "_udp", &srv);
+ if (err)
+ break;
+
+ if (srv == 0)
+ break;
+
+ if (dnscache.srv)
+ k5.free_srv_dns_data(dnscache.srv);
+ dnscache.srv = srv;
+ strncpy(dnscache.realm, realm, REALM_SZ);
+ dnscache.when = now;
+ goto get_from_dnscache;
+ } while (0);
+#endif
+ return KFAILURE;
}
/*
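Review bot: `srv` is declared without an initializer and the `if (srv == 0)` test after `make_srv_query_realm` assumes the accessor sets it to NULL when nothing is found, so an implementation that returns 0 on an empty result without touching the out-pointer would leave a garbage pointer to be stored in `dnscache.srv` and later freed; `struct srv_dns_entry *srv = NULL;` makes the test hold regardless of that contract. The `strncpy(dnscache.realm, realm, REALM_SZ)` into the REALM_SZ+1 array is terminated only because the last byte is zero-initialized and never written, which is worth a short comment at the copy. krb_get_krbhst begins before this hunk.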
diff --git a/src/lib/krb4/change_password.c b/src/lib/krb4/change_password.c
index a6e4d7b..7c3bcd0 100644
--- a/src/lib/krb4/change_password.c
+++ b/src/lib/krb4/change_password.c
@@ -100,6 +100,7 @@ krb_change_password(char *principal, char *instance, char *realm,
p = key;
KRB4_GET32BE(tempKey, p);
sendSize += vts_long(tempKey, &sendStream, (int)sendSize);
+ tempKey = 0;
if (newPassword) {
sendSize += vts_string(newPassword, &sendStream, (int)sendSize);
@@ -120,5 +121,7 @@ disconnect:
kadm_cli_disconn(&client_parm);
cleanup:
+ memset(&client_parm.creds.session, 0, sizeof(client_parm.creds.session));
+ memset(&key, 0, sizeof(key));
return err;
}
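Review bot: The clearing store `tempKey = 0` (previous hunk) and the two `memset` calls before `return err` act on locals that are never read again, so an optimizing compiler is free to drop them as dead stores and the session key and password-derived key may remain on the stack; if the tree has a secure-clear helper use it here, otherwise route the clears through a `volatile` pointer or a non-inlined wrapper so they survive optimization. The same concern applies to the `memset(&creds.session, 0, sizeof(creds.session))` added to krb_mk_req in mk_req.c. krb_change_password begins above this hunk.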
diff --git a/src/lib/krb4/configure.in b/src/lib/krb4/configure.in
index 87aeebc..d428656 100644
--- a/src/lib/krb4/configure.in
+++ b/src/lib/krb4/configure.in
@@ -3,14 +3,20 @@ CONFIG_RULES
AC_TYPE_MODE_T
AC_TYPE_UID_T
case $krb5_cv_host in
- powerpc-apple-darwin*)
+ *-apple-darwin*)
KRB_ERR_TXT=
+ KRB_ERR=
+ KRB_ERR_C=krb_err.c
;;
*)
+ KRB_ERR='$(OUTPRE)krb_err.$(OBJEXT)'
KRB_ERR_TXT=krb_err_txt.c
+ KRB_ERR_C=
;;
esac
AC_SUBST([KRB_ERR_TXT])
+AC_SUBST([KRB_ERR])
+AC_SUBST([KRB_ERR_C])
AC_PROG_AWK
KRB5_BUILD_LIBOBJS
KRB5_BUILD_LIBRARY_WITH_DEPS
diff --git a/src/lib/krb4/err_txt.c b/src/lib/krb4/err_txt.c
index 9d942a0..a7a290c 100644
--- a/src/lib/krb4/err_txt.c
+++ b/src/lib/krb4/err_txt.c
@@ -31,17 +31,14 @@
* This is gross. We want krb_err_txt to match the contents of the
* com_err error table, but the text is static in krb_err.c. We can't
* alias it by making a pointer to it, either, so we have to suck in
- * another copy of it that is named differently. Also, to avoid
- * multiple registrations of the error table, we want to override
- * initialize_krb_error_table() in case someone decides to call it.
- */
+ * another copy of it that is named differently. */
+#if TARGET_OS_MAC
#undef initialize_krb_error_table
#define initialize_krb_error_table krb4int_init_krb_err_tbl
void krb4int_init_krb_err_tbl(void);
#include "krb_err.c"
#undef initialize_krb_error_table
-#if TARGET_OS_MAC
/*
* Depends on the name of the static table generated by compile_et,
* but since this is only on Darwin, where we will always use a
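Review bot: Moving `#if TARGET_OS_MAC` above `#include "krb_err.c"` changes which platforms get the second copy of the error table, but the surviving comment still reads as if it applied everywhere, and the sentence about overriding `initialize_krb_error_table` was dropped even though the `#define` that performs the rename is still there. Suggest ending the comment with `* Darwin only: elsewhere krb_err.c is compiled as its own object (KRB_ERR in Makefile.in). The #define below renames the generated initializer so this copy is not registered a second time. */`. The enclosing `#if` is closed outside this hunk.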
@@ -69,12 +66,6 @@ krb4int_et_init(void)
}
void
-initialize_krb_error_table(void)
-{
- krb4int_et_init();
-}
-
-void
krb4int_et_fini(void)
{
if (inited)
diff --git a/src/lib/krb4/g_ad_tkt.c b/src/lib/krb4/g_ad_tkt.c
index daae751..353fdce 100644
--- a/src/lib/krb4/g_ad_tkt.c
+++ b/src/lib/krb4/g_ad_tkt.c
@@ -256,6 +256,15 @@ get_ad_tkt(service, sinstance, realm, lifetime)
size_t snamelen, sinstlen;
kerror = krb_get_tf_realm(TKT_FILE, lrealm);
+#if USE_LOGIN_LIBRARY
+ if (kerror == GC_NOTKT) {
+ /* No tickets... call krb_get_cred (KLL will prompt) and try again. */
+ if ((kerror = krb_get_cred ("krbtgt", realm, realm, &cr)) == KSUCCESS) {
+ /* Now get the realm again. */
+ kerror = krb_get_tf_realm (TKT_FILE, lrealm);
+ }
+ }
+#endif
if (kerror != KSUCCESS)
return kerror;
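Review bot: The new USE_LOGIN_LIBRARY path fills `cr` via `krb_get_cred("krbtgt", realm, realm, &cr)`, and a credentials record of that kind carries the session key (compare `creds.session` in mk_req.c); nothing in the hunk clears `cr` after the realm is re-read, so unless get_ad_tkt already scrubs it on every exit path (the rest of the function is outside this hunk) the key lingers on the stack. If it is not otherwise cleared, add `memset(&cr, 0, sizeof(cr));` right after the inner `krb_get_tf_realm` call, since only `lrealm` is needed from here on. Also worth a word in the comment: when `krb_get_cred` fails its error code replaces `GC_NOTKT`, which is presumably intended.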
diff --git a/src/lib/krb4/g_cnffile.c b/src/lib/krb4/g_cnffile.c
index 8d61f50..dd5ed5c 100644
--- a/src/lib/krb4/g_cnffile.c
+++ b/src/lib/krb4/g_cnffile.c
@@ -56,7 +56,7 @@ krb__get_srvtabname(default_srvtabname)
const char* names[3];
char **full_name = 0, **cpp;
krb5_error_code retval;
- static char *retname;
+ static char retname[MAXPATHLEN];
if (!krb5__krb4_context)
krb5_init_context(&krb5__krb4_context);
@@ -67,18 +67,16 @@ krb__get_srvtabname(default_srvtabname)
retval = profile_get_values(krb5__krb4_context->profile, names,
&full_name);
if (retval == 0 && full_name && full_name[0]) {
- if (retname != NULL)
- free(retname);
- retname = strdup(full_name[0]);
+ retname[0] = '\0';
+ strncat(retname, full_name[0], sizeof(retname));
for (cpp = full_name; *cpp; cpp++)
krb5_xfree(*cpp);
krb5_xfree(full_name);
return retname;
}
}
- if (retname != NULL)
- free(retname);
- retname = strdup(default_srvtabname);
+ retname[0] = '\0';
+ strncat(retname, default_srvtabname, sizeof(retname));
return retname;
}
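Review bot: Both `strncat(retname, ..., sizeof(retname))` calls are off by one: strncat copies up to n bytes and then always writes a terminating NUL, so a source of MAXPATHLEN or more bytes writes MAXPATHLEN+1 bytes into the MAXPATHLEN-byte array. The bound must leave room for the terminator: `strncat(retname, full_name[0], sizeof(retname) - 1);` and `strncat(retname, default_srvtabname, sizeof(retname) - 1);`. An over-long path is then silently truncated to a different filename rather than rejected; either a comment saying truncation is accepted, or a length check that falls back to the default name, would make the policy explicit. krb__get_srvtabname begins in the previous hunk.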
diff --git a/src/lib/krb4/g_in_tkt.c b/src/lib/krb4/g_in_tkt.c
index 4d5286a..58a91b0 100644
--- a/src/lib/krb4/g_in_tkt.c
+++ b/src/lib/krb4/g_in_tkt.c
@@ -424,6 +424,9 @@ krb_get_in_tkt_preauth_creds(user, instance, realm, service, sinstance, life,
/* Attempt to decrypt the reply. Loop trying password_to_key algorithms
until we succeed or we get an error other than "bad password" */
do {
+ KTEXT_ST cip_copy_st;
+ memcpy(&cip_copy_st, &cip_st, sizeof(cip_st));
+ cip = &cip_copy_st;
if (decrypt_proc == NULL) {
decrypt_tkt (user, instance, realm, arg, keyprocs[i], &cip);
} else {
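Review bot: `cip_copy_st` receives the reply and is evidently decrypted in place by `decrypt_tkt`/`decrypt_proc` (which is why a fresh copy per attempt is needed), so after the `krb_parse_in_tkt_creds` call in the next hunk it holds the plaintext reply including the session key, and it simply goes out of scope at the end of each iteration with nothing clearing it. Add `memset(&cip_copy_st, 0, sizeof(cip_copy_st));` after the `krb_parse_in_tkt_creds` call inside the loop so neither a failed nor a successful attempt leaves the decrypted reply on the stack. The restore `cip = &cip_st;` after the loop is needed because `cip_copy_st` is scoped to the loop body and `cip` would otherwise dangle; a one-line comment saying so would help. krb_get_in_tkt_preauth_creds starts and ends outside these hunks.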
@@ -432,6 +435,7 @@ krb_get_in_tkt_preauth_creds(user, instance, realm, service, sinstance, life,
kerror = krb_parse_in_tkt_creds(user, instance, realm,
service, sinstance, life, cip, byteorder, creds);
} while ((keyprocs [++i] != NULL) && (kerror == INTK_BADPW));
+ cip = &cip_st;
/* Fill in the local address if the caller wants it */
if (laddrp != NULL) {
diff --git a/src/lib/krb4/g_pw_in_tkt.c b/src/lib/krb4/g_pw_in_tkt.c
index 494a059..d687818 100644
--- a/src/lib/krb4/g_pw_in_tkt.c
+++ b/src/lib/krb4/g_pw_in_tkt.c
@@ -79,7 +79,7 @@ passwd_to_key(user,instance,realm,passwd,key)
if (passwd)
string_to_key(passwd, key);
else {
- des_read_password((des_cblock *)key, "Password: ", 0);
+ des_read_password((des_cblock *)key, "Password", 0);
}
#endif /* NOENCRYPTION */
#endif /* unix */
diff --git a/src/lib/krb4/kadm_stream.c b/src/lib/krb4/kadm_stream.c
index 3a9861e..dc9fef1 100644
--- a/src/lib/krb4/kadm_stream.c
+++ b/src/lib/krb4/kadm_stream.c
@@ -129,8 +129,11 @@ vts_short(KRB_UINT32 dat, u_char **st, int loc)
if (p == NULL)
return -1;
+ *st = p; /* KRB4_PUT32BE will modify p */
+
+ p += loc; /* place bytes at the end */
KRB4_PUT16BE(p, dat);
- *st = p;
+
return 2;
}
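Review bot: The new comment in vts_short says `KRB4_PUT32BE will modify p`, but the macro used two lines below is `KRB4_PUT16BE`; the comment was copied from vts_long. Change it to `*st = p; /* KRB4_PUT16BE will modify p */`. Storing `*st` before advancing `p` is the actual fix (the caller now receives the buffer start rather than the write position), and a one-line comment at the function head saying that `*st` points to the allocation start while the data lands at offset `loc` would spare the next reader the ChangeLog lookup. vts_short begins above the hunk.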
@@ -145,8 +148,11 @@ vts_long(KRB_UINT32 dat, u_char **st, int loc)
if (p == NULL)
return -1;
+ *st = p; /* KRB4_PUT32BE will modify p */
+
+ p += loc; /* place bytes at the end */
KRB4_PUT32BE(p, dat);
- *st = p;
+
return 4;
}
diff --git a/src/lib/krb4/lifetime.c b/src/lib/krb4/lifetime.c
index b43ed45..826e090 100644
--- a/src/lib/krb4/lifetime.c
+++ b/src/lib/krb4/lifetime.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2000, 2001 by the Massachusetts Institute of Technology.
+ * Copyright 2000, 2001, 2003 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -24,72 +24,7 @@
*/
#include "krb.h"
-
-/*
- * Only lifetime bytes values less than 128 are on a linear scale.
- * The following table contains an exponential scale that covers the
- * lifetime values 128 to 191 inclusive (a total of 64 values).
- * Values greater than 191 get interpreted the same as 191, but they
- * will never be generated by the functions in this file.
- *
- * The ratio is approximately 1.069144898 (actually exactly
- * exp(log(67.5)/63), where 67.5 = 2592000/38400, and 259200 = 30
- * days, and 38400 = 128*5 minutes. This allows a lifetime byte of
- * 191 to correspond to a ticket life of exactly 30 days and a
- * lifetime byte of 128 to correspond to exactly 128*5 minutes, with
- * the other values spread on an exponential curve fit in between
- * them. This table should correspond exactly to the set of extended
- * ticket lifetime values used by AFS and CMU.
- *
- * The following awk script is sufficient to reproduce the table:
- * BEGIN {
- * r = exp(log(2592000/38400)/63);
- * x = 38400;
- * for (i=0;i<64;i++) {
- * printf("%d\n",x+0.5);
- * x *= r;
- * }
- * }
- */
-#ifndef SHORT_LIFETIME
-#define NLIFETIMES 64
-static const KRB4_32 lifetimes[NLIFETIMES] = {
- 38400, 41055, /* 00:10:40:00, 00:11:24:15 */
- 43894, 46929, /* 00:12:11:34, 00:13:02:09 */
- 50174, 53643, /* 00:13:56:14, 00:14:54:03 */
- 57352, 61318, /* 00:15:55:52, 00:17:01:58 */
- 65558, 70091, /* 00:18:12:38, 00:19:28:11 */
- 74937, 80119, /* 00:20:48:57, 00:22:15:19 */
- 85658, 91581, /* 00:23:47:38, 01:01:26:21 */
- 97914, 104684, /* 01:03:11:54, 01:05:04:44 */
- 111922, 119661, /* 01:07:05:22, 01:09:14:21 */
- 127935, 136781, /* 01:11:32:15, 01:13:59:41 */
- 146239, 156350, /* 01:16:37:19, 01:19:25:50 */
- 167161, 178720, /* 01:22:26:01, 02:01:38:40 */
- 191077, 204289, /* 02:05:04:37, 02:08:44:49 */
- 218415, 233517, /* 02:12:40:15, 02:16:51:57 */
- 249664, 266926, /* 02:21:21:04, 03:02:08:46 */
- 285383, 305116, /* 03:07:16:23, 03:12:45:16 */
- 326213, 348769, /* 03:18:36:53, 04:00:52:49 */
- 372885, 398668, /* 04:07:34:45, 04:14:44:28 */
- 426234, 455705, /* 04:22:23:54, 05:06:35:05 */
- 487215, 520904, /* 05:15:20:15, 06:00:41:44 */
- 556921, 595430, /* 06:10:42:01, 06:21:23:50 */
- 636601, 680618, /* 07:08:50:01, 07:21:03:38 */
- 727680, 777995, /* 08:10:08:00, 09:00:06:35 */
- 831789, 889303, /* 09:15:03:09, 10:07:01:43 */
- 950794, 1016537, /* 11:00:06:34, 11:18:22:17 */
- 1086825, 1161973, /* 12:13:53:45, 13:10:46:13 */
- 1242318, 1328218, /* 14:09:05:18, 15:08:56:58 */
- 1420057, 1518247, /* 16:10:27:37, 17:13:44:07 */
- 1623226, 1735464, /* 18:18:53:46, 20:02:04:24 */
- 1855462, 1983758, /* 21:11:24:22, 22:23:02:38 */
- 2120925, 2267576, /* 24:13:08:45, 26:05:52:56 */
- 2424367, 2592000 /* 28:01:26:07, 30:00:00:00 */
-};
-#define MINFIXED 0x80
-#define MAXFIXED (MINFIXED + NLIFETIMES - 1)
-#endif /* !SHORT_LIFETIME */
+#include "k5-int.h"
/*
* krb_life_to_time
@@ -100,17 +35,12 @@ static const KRB4_32 lifetimes[NLIFETIMES] = {
KRB4_32 KRB5_CALLCONV
krb_life_to_time(KRB4_32 start, int life)
{
- if (life < 0 || life > 255) /* possibly sign botch in caller */
+ krb5int_access k5internals;
+
+ if (krb5int_accessor(&k5internals, KRB5INT_ACCESS_VERSION)
+ || k5internals.krb_life_to_time == NULL)
return start;
-#ifndef SHORT_LIFETIME
- if (life < MINFIXED)
- return start + life * 5 * 60;
- if (life > MAXFIXED)
- return start + lifetimes[NLIFETIMES - 1];
- return start + lifetimes[life - MINFIXED];
-#else /* SHORT_LIFETIME */
- return start + life * 5 * 60;
-#endif /* SHORT_LIFETIME */
+ return k5internals.krb_life_to_time(start, life);
}
/*
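Review bot: The explicit `life < 0 || life > 255` guard is gone from krb_life_to_time and the value now goes straight to `k5internals.krb_life_to_time`; the ChangeLog says the implementation moved into libkrb5, so presumably the range check moved with it, but nothing in this file shows that any more. If the moved code does not re-check, keep the guard here, `if (life < 0 || life > 255) return start;`, since the removed comment documents that callers have sign-botched `life`. Returning `start` when the accessor is unavailable yields an already-expired ticket, which is the safe direction but deserves a comment: `/* No krb5 internals available: fail closed by returning an expired end time. */`.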
@@ -123,27 +53,10 @@ krb_life_to_time(KRB4_32 start, int life)
int KRB5_CALLCONV
krb_time_to_life(KRB4_32 start, KRB4_32 end)
{
- KRB4_32 dt;
-#ifndef SHORT_LIFETIME
- int i;
-#endif
+ krb5int_access k5internals;
- dt = end - start;
- if (dt <= 0)
+ if (krb5int_accessor(&k5internals, KRB5INT_ACCESS_VERSION)
+ || k5internals.krb_time_to_life == NULL)
return 0;
-#ifndef SHORT_LIFETIME
- if (dt < lifetimes[0])
- return (dt + 5 * 60 - 1) / (5 * 60);
- /* This depends on the array being ordered. */
- for (i = 0; i < NLIFETIMES; i++) {
- if (lifetimes[i] >= dt)
- return i + MINFIXED;
- }
- return MAXFIXED;
-#else /* SHORT_LIFETIME */
- if (dt > 5 * 60 * 255)
- return 255;
- else
- return (dt + 5 * 60 - 1) / (5 * 60);
-#endif /* SHORT_LIFETIME */
+ return k5internals.krb_time_to_life(start, end);
}
diff --git a/src/lib/krb4/mk_auth.c b/src/lib/krb4/mk_auth.c
index 9159ce1..cf85ea2 100644
--- a/src/lib/krb4/mk_auth.c
+++ b/src/lib/krb4/mk_auth.c
@@ -230,7 +230,6 @@ krb_check_auth (buf, checksum, msg_data, session, schedule, laddr, faddr)
return KFAILURE;
cc = krb_rd_priv(buf->dat, (unsigned KRB4_32)buf->length, schedule,
(C_Block *)session, faddr, laddr, msg_data);
- memset(schedule, 0, sizeof(schedule));
if (cc)
return cc;
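Review bot: Removing `memset(schedule, 0, sizeof(schedule))` is right for the reason the ChangeLog gives, but note the line never cleared a key schedule in the first place: `schedule` is a function parameter and therefore a pointer, so `sizeof(schedule)` is the pointer size and only the first few bytes were zeroed. With the store gone the caller owns the schedule's lifetime and clearing; the header comment of krb_check_auth should state that `schedule` is left intact for reuse and that the caller zeroes it when done. krb_check_auth continues outside the hunk.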
diff --git a/src/lib/krb4/mk_req.c b/src/lib/krb4/mk_req.c
index 698d2c2..3066f43 100644
--- a/src/lib/krb4/mk_req.c
+++ b/src/lib/krb4/mk_req.c
@@ -114,7 +114,6 @@ krb_mk_req_creds_prealm(authent, creds, checksum, myrealm)
+ 1 + 1 + ticket->length)
|| ticket->length < 0 || ticket->length > 255) {
authent->length = 0;
- memset(creds->session, 0, sizeof(creds->session));
return KFAILURE;
}
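Review bot: With the three `memset(creds->session, 0, ...)` calls removed (this hunk and the two that follow), krb_mk_req_creds_prealm no longer destroys the caller's session key on either the failure or the success path, so clearing `creds->session` becomes the caller's job; that contract change is in the ChangeLog but not at the function, and a header comment such as `/* creds->session is left intact; callers that do not need it afterwards must zero it (see krb_mk_req). */` would keep new callers from missing it. The function begins above this hunk.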
@@ -150,7 +149,6 @@ krb_mk_req_creds_prealm(authent, creds, checksum, myrealm)
myrealmlen = strlen(myrealm) + 1;
if (sizeof(req_id->dat) / 8 < (pnamelen + pinstlen + myrealmlen
+ 4 + 1 + 4 + 7) / 8) {
- memset(creds->session, 0, sizeof(creds->session));
return KFAILURE;
}
@@ -185,7 +183,6 @@ krb_mk_req_creds_prealm(authent, creds, checksum, myrealm)
(long)req_id->length, key_s, &creds->session, 1);
/* clean up */
memset(key_s, 0, sizeof(key_s));
- memset(creds->session, 0, sizeof(creds->session));
#endif /* NOENCRYPTION */
/* Copy it into the authenticator */
@@ -252,7 +249,9 @@ krb_mk_req(authent, service, instance, realm, checksum)
if (retval != KSUCCESS)
return retval;
- return krb_mk_req_creds_prealm(authent, &creds, checksum, myrealm);
+ retval = krb_mk_req_creds_prealm(authent, &creds, checksum, myrealm);
+ memset(&creds.session, 0, sizeof(creds.session));
+ return retval;
}
int KRB5_CALLCONV
diff --git a/src/lib/krb4/password_to_key.c b/src/lib/krb4/password_to_key.c
index 56b5f8e..c6e60d9 100644
--- a/src/lib/krb4/password_to_key.c
+++ b/src/lib/krb4/password_to_key.c
@@ -90,7 +90,7 @@ mit_passwd_to_key(
des_string_to_key(passwd, key);
} else {
#if !(defined(_WIN32) || defined(USE_LOGIN_LIBRARY))
- des_read_password((des_cblock *)key, "Password: ", 0);
+ des_read_password((des_cblock *)key, "Password", 0);
#else
return (-1);
#endif
@@ -143,7 +143,7 @@ afs_passwd_to_key(
afs_string_to_key(passwd, realm, key);
} else {
#if !(defined(_WIN32) || defined(USE_LOGIN_LIBRARY))
- des_read_password((des_cblock *)key, "Password: ", 0);
+ des_read_password((des_cblock *)key, "Password", 0);
#else
return (-1);
#endif