aboutsummaryrefslogtreecommitdiff
path: root/src/lib/krb5
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/krb5')
-rw-r--r--src/lib/krb5/ChangeLog38
-rw-r--r--src/lib/krb5/Makefile.in6
-rw-r--r--src/lib/krb5/asn.1/ChangeLog91
-rw-r--r--src/lib/krb5/asn.1/asn1_encode.c12
-rw-r--r--src/lib/krb5/asn.1/asn1_get.c9
-rw-r--r--src/lib/krb5/asn.1/asn1_k_decode.c97
-rw-r--r--src/lib/krb5/asn.1/asn1buf.c71
-rw-r--r--src/lib/krb5/asn.1/asn1buf.h15
-rw-r--r--src/lib/krb5/asn.1/krb5_decode.c30
-rw-r--r--src/lib/krb5/ccache/ChangeLog61
-rw-r--r--src/lib/krb5/ccache/Makefile.in3
-rw-r--r--src/lib/krb5/ccache/ccapi/ChangeLog90
-rw-r--r--src/lib/krb5/ccache/ccapi/stdcc.c8
-rw-r--r--src/lib/krb5/ccache/ccapi/stdcc.h6
-rw-r--r--src/lib/krb5/ccache/ccapi/stdcc_util.c717
-rw-r--r--src/lib/krb5/ccache/ccapi/stdcc_util.h13
-rw-r--r--src/lib/krb5/ccache/ccapi/winccld.c3
-rw-r--r--src/lib/krb5/ccache/ccapi/winccld.h54
-rw-r--r--src/lib/krb5/ccache/ccdefault.c84
-rw-r--r--src/lib/krb5/ccache/ccdefops.c2
-rw-r--r--src/lib/krb5/ccache/ccfns.c131
-rw-r--r--src/lib/krb5/ccache/file/ChangeLog3
-rw-r--r--src/lib/krb5/ccache/file/fcc_gprin.c1
-rw-r--r--src/lib/krb5/ccache/stdio/ChangeLog3
-rw-r--r--src/lib/krb5/ccache/stdio/scc_skip.c1
-rw-r--r--src/lib/krb5/error_tables/ChangeLog16
-rw-r--r--src/lib/krb5/error_tables/asn1_err.et2
-rw-r--r--src/lib/krb5/error_tables/kdb5_err.et2
-rw-r--r--src/lib/krb5/error_tables/krb5_err.et8
-rw-r--r--src/lib/krb5/keytab/ChangeLog24
-rw-r--r--src/lib/krb5/keytab/Makefile.in2
-rw-r--r--src/lib/krb5/keytab/file/ChangeLog13
-rw-r--r--src/lib/krb5/keytab/file/ktf_g_ent.c34
-rw-r--r--src/lib/krb5/keytab/ktfns.c80
-rw-r--r--src/lib/krb5/keytab/ktfr_entry.c10
-rw-r--r--src/lib/krb5/keytab/srvtab/ChangeLog10
-rw-r--r--src/lib/krb5/keytab/srvtab/kts_g_ent.c1
-rw-r--r--src/lib/krb5/keytab/srvtab/kts_util.c2
-rw-r--r--src/lib/krb5/krb/ChangeLog298
-rw-r--r--src/lib/krb5/krb/Makefile.in8
-rw-r--r--src/lib/krb5/krb/addr_comp.c2
-rw-r--r--src/lib/krb5/krb/addr_order.c2
-rw-r--r--src/lib/krb5/krb/appdefault.c183
-rw-r--r--src/lib/krb5/krb/auth_con.c6
-rw-r--r--src/lib/krb5/krb/bld_princ.c1
-rw-r--r--src/lib/krb5/krb/chk_trans.c497
-rw-r--r--src/lib/krb5/krb/conv_princ.c126
-rw-r--r--src/lib/krb5/krb/fwd_tgt.c38
-rw-r--r--src/lib/krb5/krb/gc_frm_kdc.c4
-rw-r--r--src/lib/krb5/krb/get_creds.c23
-rw-r--r--src/lib/krb5/krb/get_in_tkt.c69
-rw-r--r--src/lib/krb5/krb/gic_keytab.c16
-rw-r--r--src/lib/krb5/krb/gic_pwd.c28
-rw-r--r--src/lib/krb5/krb/init_ctx.c45
-rw-r--r--src/lib/krb5/krb/init_keyblock.c61
-rw-r--r--src/lib/krb5/krb/kfree.c129
-rw-r--r--src/lib/krb5/krb/mk_cred.c2
-rw-r--r--src/lib/krb5/krb/mk_priv.c8
-rw-r--r--src/lib/krb5/krb/mk_req_ext.c16
-rw-r--r--src/lib/krb5/krb/mk_safe.c29
-rw-r--r--src/lib/krb5/krb/parse.c11
-rw-r--r--src/lib/krb5/krb/preauth.c5
-rw-r--r--src/lib/krb5/krb/preauth2.c8
-rw-r--r--src/lib/krb5/krb/princ_comp.c2
-rw-r--r--src/lib/krb5/krb/rd_cred.c89
-rw-r--r--src/lib/krb5/krb/rd_priv.c9
-rw-r--r--src/lib/krb5/krb/rd_req_dec.c4
-rw-r--r--src/lib/krb5/krb/rd_safe.c2
-rw-r--r--src/lib/krb5/krb/recvauth.c69
-rw-r--r--src/lib/krb5/krb/send_tgs.c1
-rw-r--r--src/lib/krb5/krb/sendauth.c32
-rw-r--r--src/lib/krb5/krb/ser_actx.c10
-rw-r--r--src/lib/krb5/krb/srv_rcache.c3
-rw-r--r--src/lib/krb5/krb/t_kerb.c32
-rw-r--r--src/lib/krb5/krb/t_krb5.conf6
-rw-r--r--src/lib/krb5/krb/t_ref_kerb.out2
-rw-r--r--src/lib/krb5/krb/unparse.c6
-rw-r--r--src/lib/krb5/krb/vfy_increds.c2
-rw-r--r--src/lib/krb5/krb/walk_rtree.c25
-rw-r--r--src/lib/krb5/krb5_libinit.c10
-rw-r--r--src/lib/krb5/os/ChangeLog209
-rw-r--r--src/lib/krb5/os/an_to_ln.c22
-rw-r--r--src/lib/krb5/os/c_ustime.c141
-rw-r--r--src/lib/krb5/os/ccdefname.c15
-rw-r--r--src/lib/krb5/os/changepw.c61
-rw-r--r--src/lib/krb5/os/def_realm.c13
-rw-r--r--src/lib/krb5/os/gmt_mktime.c2
-rw-r--r--src/lib/krb5/os/hst_realm.c19
-rw-r--r--src/lib/krb5/os/init_os_ctx.c80
-rw-r--r--src/lib/krb5/os/kuserok.c5
-rw-r--r--src/lib/krb5/os/localaddr.c233
-rw-r--r--src/lib/krb5/os/locate_kdc.c148
-rw-r--r--src/lib/krb5/os/os-proto.h3
-rw-r--r--src/lib/krb5/os/prompter.c14
-rw-r--r--src/lib/krb5/os/promptusr.c2
-rw-r--r--src/lib/krb5/os/sendto_kdc.c26
-rw-r--r--src/lib/krb5/os/t_std_conf.c4
-rw-r--r--src/lib/krb5/os/timeofday.c6
-rw-r--r--src/lib/krb5/os/toffset.c2
-rw-r--r--src/lib/krb5/posix/ChangeLog11
-rw-r--r--src/lib/krb5/posix/setenv.c2
-rw-r--r--src/lib/krb5/posix/syslog.c10
-rw-r--r--src/lib/krb5/rcache/ChangeLog22
-rw-r--r--src/lib/krb5/rcache/rc_dfl.c2
-rw-r--r--src/lib/krb5/rcache/rc_io.c27
105 files changed, 3530 insertions, 1221 deletions
diff --git a/src/lib/krb5/ChangeLog b/src/lib/krb5/ChangeLog
index a2ab81a..13007dd 100644
--- a/src/lib/krb5/ChangeLog
+++ b/src/lib/krb5/ChangeLog
@@ -1,3 +1,41 @@
+2002-05-22 Alexandra Ellwood <lxs@mit.edu>
+ * krb5_libinit.c: Conditionalized error table loading for
+ Mac OS X. Error tables should always be loaded on other
+ platforms.
+
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * krb5_libinit.c: Added an include for com_err.h since
+ it is not included by error table headers on Mac OS X. Also
+ fixed busted check for Mac OS
+
+2001-12-03 Miro Jurisic <meeroh@mit.edu>
+
+ * krb5_libinit.c: punted the Mac OS 9 sleep notification code
+
+2001-11-05 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in (LIBMINOR): Bump due to changes in error tables.
+
+2000-11-29 Miro Jurisic <meeroh@mit.edu>
+
+ * krb5_libinit.c: Install a callback in the Mac OS sleep
+ queue to get notification of the machine coming out
+ of sleep, in order to refresh the cached uptime to
+ real time offset
+
+2000-10-02 Alexandra Ellwood <lxs@mit.edu
+
+ * krb5_libinit.c: added #define for Mac OS X so
+ that krb5int_cleanup_library calls krb5_stdcc_shutdown.
+
+2000-06-03 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in (LIBMAJOR, LIBMINOR): Bump version.
+
+2000-04-18 Ken Raeburn <raeburn@mit.edu>
+
+ * Makefile.in (SHLIB_EXPLIBS): Add @RESOLV_LIB@.
+
2000-03-14 Ken Raeburn <raeburn@mit.edu>
* configure.in: Check for gethostbyname2.
diff --git a/src/lib/krb5/Makefile.in b/src/lib/krb5/Makefile.in
index 0dab1f3..3b42585 100644
--- a/src/lib/krb5/Makefile.in
+++ b/src/lib/krb5/Makefile.in
@@ -32,8 +32,8 @@ LIBDONE= error_tables/DONE asn.1/DONE ccache/DONE ccache/stdio/DONE \
STLIBOBJS=krb5_libinit.o
LIB=krb5
-LIBMAJOR=2
-LIBMINOR=2
+LIBMAJOR=3
+LIBMINOR=1
STOBJLISTS= \
OBJS.ST \
@@ -58,7 +58,7 @@ RELDIR=krb5
SHLIB_EXPDEPS = \
$(TOPLIBD)/libk5crypto$(SHLIBEXT) \
$(TOPLIBD)/libcom_err$(SHLIBEXT)
-SHLIB_EXPLIBS=-lk5crypto -lcom_err @GEN_LIB@
+SHLIB_EXPLIBS=-lk5crypto -lcom_err @GEN_LIB@ @RESOLV_LIB@
SHLIB_DIRS=-L$(TOPLIBD)
SHLIB_RDIRS=$(KRB5_LIBDIR)
diff --git a/src/lib/krb5/asn.1/ChangeLog b/src/lib/krb5/asn.1/ChangeLog
index 96f7098..bc8b40a 100644
--- a/src/lib/krb5/asn.1/ChangeLog
+++ b/src/lib/krb5/asn.1/ChangeLog
@@ -1,3 +1,94 @@
+2002-04-08 Tom Yu <tlyu@mit.edu>
+
+ * asn1_get.c (asn1_get_length): Check for negative length.
+
+2002-03-06 Alexandra Ellwood <lxs@mit.edu>
+ * asn1_encode.c: Removed unused Mac OS 9 code
+
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * asn1_get.c: removed unused variable to reduce warnings
+
+2001-10-29 Miro Jurisic <meeroh@mit.edu>
+ * pullup from krb5-1-2 branch after krb5-1-2-2-bp
+ * asn1_encode.c: Updated Utilities.h #include
+
+2001-01-31 Tom Yu <tlyu@mit.edu>
+
+ * asn1buf.c (asn1buf_sync): Add new arguments to include the full
+ complement of data about a prefetched tag, as well as to indicate
+ whether the prefetched tag or the surrounding sequence is of an
+ indefinite length.
+ (asn1buf_skiptail): Add new arguments to indicate whether the
+ prefetched tag is indefinite, as well as its length. This
+ facilitates proper skipping of trailing garbage.
+ (asn1buf_remains): Add new argument to indicate whether the
+ surrounding encoding is indefinite. Don't advance buf->next if an
+ EOC encoding is detected; the caller will do that.
+ [pullup from trunk]
+
+ * asn1buf.h: Update prototypes. [pullup from trunk]
+
+ * asn1_get.c (asn1_get_tag_indef): Don't treat EOC encoding as
+ special anymore, since previous behavior was overloading the
+ tag number in a bad way. Also, report a MISMATCH_INDEF error if
+ the tag encoding is for the forbidden primitive constructed
+ encoding. [pullup from trunk]
+
+ * asn1_k_decode.c (next_tag): Call get_tag_indef() in order to get
+ information about whether the length is indefinite. Don't check
+ the tag class and construction explicitly.
+ (get_eoc): New macro to get a tag and check if it is an EOC
+ encoding.
+ (get_field, opt_field): Move the check for the tag class and
+ construction to here.
+ (get_field_body, get_lenfield_body): Call get_eoc() instead of
+ next_tag() if we are decoding a constructed indefinite encoding.
+ (begin_structure): Use a different variable to indicate whether
+ the sequence is indefinite as opposed to whether an individual
+ field is indefinite.
+ (end_structure): Update to new calling convention of
+ asn1buf_sync().
+ (sequence_of): Rewrite significantly.
+ (sequence_of_common): Move the bulk of previous sequence_of()
+ macro to here. Does not declare some variables that sequence_of()
+ declares.
+ (sequence_of_no_tagvars): Similar to sequence_of() macro but
+ declares different variables for the purpose of prefetching the
+ final tag.
+ (end_sequence_of_no_tagvars): Similar to end_sequence_of() macro
+ but uses variables declared by the sequence_of_no_tagvars() macro
+ to prefetch the final tag.
+ (asn1_decode_principal_name): Update for new asn1buf_remains()
+ calling convention. Call sequence_of_no_tagvars(), etc. instead
+ of sequence_of(), etc. in order to not declare shadowing
+ block-local variables.
+ (decode_array_body): Update for new asn1buf_remains() calling
+ convention.
+ (asn1_decode_sequence_of_enctype): Update for new
+ asn1buf_remains() calling convention.
+ [pullup from trunk]
+
+ * krb5_decode.c (next_tag): Call get_tag_indef() in order to get
+ information about whether the length is indefinite. Don't check
+ the tag class and construction explicitly.
+ (get_eoc): New macro to get a tag and check if it is an EOC
+ encoding.
+ (get_field, opt_field): Move the check for the tag class and
+ construction to here.
+ (get_field_body, get_lenfield_body): Call get_eoc() instead of
+ next_tag() if we are decoding a constructed indefinite encoding.
+ (begin_structure): Use a different variable to indicate whether
+ the sequence is indefinite as opposed to whether an individual
+ field is indefinite.
+ (end_structure): Update to new calling convention of
+ asn1buf_sync().
+ [pullup from trunk]
+
+2000-09-28 Miro Jurisic <meeroh@mit.edu>
+
+ * asn1_encode.c (asn1_encode_generaltime): Fixed the Mac code to
+ use the correct epoch.
+
2000-02-06 Ken Raeburn <raeburn@mit.edu>
Patches from Frank Cusack for helping in preauth replay
diff --git a/src/lib/krb5/asn.1/asn1_encode.c b/src/lib/krb5/asn.1/asn1_encode.c
index 7ef89c8..7cc8042 100644
--- a/src/lib/krb5/asn.1/asn1_encode.c
+++ b/src/lib/krb5/asn.1/asn1_encode.c
@@ -186,12 +186,6 @@ asn1_error_code asn1_encode_ia5string(buf, len, val, retlen)
return 0;
}
-#ifdef macintosh
-#define EPOCH ((70 * 365 * 24 * 60 * 60) + (17 * 24 * 60 * 60) + (getTimeZoneOffset() * 60 * 60))
-#else
-#define EPOCH (0)
-#endif
-
asn1_error_code asn1_encode_generaltime(buf, val, retlen)
asn1buf * buf;
const time_t val;
@@ -201,9 +195,11 @@ asn1_error_code asn1_encode_generaltime(buf, val, retlen)
struct tm *gtime;
char s[16];
int length, sum=0;
- time_t gmt_time;
+ time_t gmt_time = val;
- gmt_time = val + EPOCH;
+#ifdef macintosh
+ unix_time_to_msl_time (&gmt_time);
+#endif
gtime = gmtime(&gmt_time);
/*
diff --git a/src/lib/krb5/asn.1/asn1_get.c b/src/lib/krb5/asn.1/asn1_get.c
index 20334a2..90f5dd9 100644
--- a/src/lib/krb5/asn.1/asn1_get.c
+++ b/src/lib/krb5/asn.1/asn1_get.c
@@ -42,12 +42,6 @@ asn1_get_tag_indef(buf, class, construction, tagnum, retlen, indef)
*tagnum = ASN1_TAGNUM_CEILING;
return 0;
}
- /* Allow for the indefinite encoding */
- if ( !*(buf->next) && !*(buf->next + 1)) {
- buf->next += 2;
- *tagnum = ASN1_TAGNUM_CEILING;
- return 0;
- }
retval = asn1_get_id(buf,class,construction,tagnum);
if(retval) return retval;
retval = asn1_get_length(buf,retlen,indef);
@@ -63,7 +57,6 @@ asn1_get_tag(buf, class, construction, tagnum, retlen)
asn1_tagnum *tagnum;
int *retlen;
{
- asn1_error_code retval;
int indef;
return asn1_get_tag_indef(buf, class, construction, tagnum, retlen, &indef);
@@ -149,6 +142,8 @@ asn1_error_code asn1_get_length(buf, retlen, indef)
if(retval) return retval;
len = (len<<8) + (int)o;
}
+ if (len < 0)
+ return ASN1_OVERRUN;
if (indef != NULL && !len)
*indef = 1;
if(retlen != NULL) *retlen = len;
diff --git a/src/lib/krb5/asn.1/asn1_k_decode.c b/src/lib/krb5/asn.1/asn1_k_decode.c
index 6f72d8e..a855527 100644
--- a/src/lib/krb5/asn.1/asn1_k_decode.c
+++ b/src/lib/krb5/asn.1/asn1_k_decode.c
@@ -39,10 +39,16 @@ int length,taglen
#define unused_var(x) if(0) x=0
#define next_tag()\
-retval = asn1_get_tag(&subbuf,&class,&construction,&tagnum,&taglen);\
-if(retval) return retval;\
-if(class != CONTEXT_SPECIFIC || construction != CONSTRUCTED)\
- return ASN1_BAD_ID
+retval = asn1_get_tag_indef(&subbuf,&class,&construction,\
+ &tagnum,&taglen,&indef);\
+if(retval) return retval;
+
+#define get_eoc() \
+retval = asn1_get_tag_indef(&subbuf,&class,&construction, \
+ &tagnum,&taglen,&indef); \
+if(retval) return retval; \
+if(class != UNIVERSAL || tagnum || indef) \
+ return ASN1_MISSING_EOC
#define alloc_field(var,type)\
var = (type*)calloc(1,sizeof(type));\
@@ -59,15 +65,21 @@ if(class != APPLICATION || construction != CONSTRUCTED ||\
#define get_field_body(var,decoder)\
retval = decoder(&subbuf,&(var));\
if(retval) return retval;\
-if(!taglen) { next_tag(); }\
+if(!taglen && indef) { get_eoc(); }\
next_tag()
#define get_field(var,tagexpect,decoder)\
if(tagnum > (tagexpect)) return ASN1_MISSING_FIELD;\
if(tagnum < (tagexpect)) return ASN1_MISPLACED_FIELD;\
+if((class != CONTEXT_SPECIFIC || construction != CONSTRUCTED) \
+ && (tagnum || taglen || class != UNIVERSAL)) \
+ return ASN1_BAD_ID;\
get_field_body(var,decoder)
#define opt_field(var,tagexpect,decoder,optvalue)\
+if((class != CONTEXT_SPECIFIC || construction != CONSTRUCTED) \
+ && (tagnum || taglen || class != UNIVERSAL)) \
+ return ASN1_BAD_ID;\
if(tagnum == (tagexpect)){\
get_field_body(var,decoder); }\
else var = optvalue
@@ -76,12 +88,15 @@ else var = optvalue
#define get_lenfield_body(len,var,decoder)\
retval = decoder(&subbuf,&(len),&(var));\
if(retval) return retval;\
-if(!taglen) { next_tag(); }\
+if(!taglen && indef) { get_eoc(); }\
next_tag()
#define get_lenfield(len,var,tagexpect,decoder)\
if(tagnum > (tagexpect)) return ASN1_MISSING_FIELD;\
if(tagnum < (tagexpect)) return ASN1_MISPLACED_FIELD;\
+if((class != CONTEXT_SPECIFIC || construction != CONSTRUCTED) \
+ && (tagnum || taglen || class != UNIVERSAL)) \
+ return ASN1_BAD_ID;\
get_lenfield_body(len,var,decoder)
#define opt_lenfield(len,var,tagexpect,decoder)\
@@ -92,30 +107,58 @@ else { len = 0; var = 0; }
#define begin_structure()\
asn1buf subbuf;\
+int seqindef;\
int indef;\
-retval = asn1_get_sequence(buf,&length,&indef);\
+retval = asn1_get_sequence(buf,&length,&seqindef);\
if(retval) return retval;\
-retval = asn1buf_imbed(&subbuf,buf,length,indef);\
+retval = asn1buf_imbed(&subbuf,buf,length,seqindef);\
if(retval) return retval;\
next_tag()
#define end_structure()\
-retval = asn1buf_sync(buf,&subbuf,tagnum,length);\
+retval = asn1buf_sync(buf,&subbuf,class,tagnum,length,indef,seqindef);\
if(retval) return retval
-#define sequence_of(buf)\
-int size=0;\
-asn1buf seqbuf;\
-int length;\
-int indef;\
-retval = asn1_get_sequence(buf,&length,&indef);\
-if(retval) return retval;\
-retval = asn1buf_imbed(&seqbuf,buf,length,indef);\
+#define sequence_of(buf) \
+unsigned int length, taglen; \
+asn1_class class; \
+asn1_construction construction; \
+asn1_tagnum tagnum; \
+int indef; \
+sequence_of_common(buf)
+
+#define sequence_of_common(buf) \
+int size=0; \
+asn1buf seqbuf; \
+int seqofindef; \
+retval = asn1_get_sequence(buf,&length,&seqofindef); \
+if(retval) return retval; \
+retval = asn1buf_imbed(&seqbuf,buf,length,seqofindef); \
if(retval) return retval
-#define end_sequence_of(buf)\
-retval = asn1buf_sync(buf,&seqbuf,ASN1_TAGNUM_CEILING,length);\
-if(retval) return retval
+#define sequence_of_no_tagvars(buf) \
+asn1_class eseqclass; \
+asn1_construction eseqconstr; \
+asn1_tagnum eseqnum; \
+unsigned int eseqlen; \
+int eseqindef; \
+sequence_of_common(buf)
+
+#define end_sequence_of_no_tagvars(buf) \
+retval = asn1_get_tag_indef(&seqbuf,&eseqclass,&eseqconstr, \
+ &eseqnum,&eseqlen,&eseqindef); \
+if(retval) return retval; \
+retval = asn1buf_sync(buf,&seqbuf,eseqclass,eseqnum, \
+ eseqlen,eseqindef,seqofindef); \
+if(retval) return retval;
+
+#define end_sequence_of(buf) \
+retval = asn1_get_tag_indef(&seqbuf,&class,&construction, \
+ &tagnum,&taglen,&indef); \
+if(retval) return retval; \
+retval = asn1buf_sync(buf,&seqbuf,class,tagnum, \
+ length,indef,seqofindef); \
+if(retval) return retval;
#define cleanup()\
return 0
@@ -206,8 +249,8 @@ asn1_error_code asn1_decode_principal_name(buf, val)
{ begin_structure();
get_field((*val)->type,0,asn1_decode_int32);
- { sequence_of(&subbuf);
- while(asn1buf_remains(&seqbuf)){
+ { sequence_of_no_tagvars(&subbuf);
+ while(asn1buf_remains(&seqbuf,seqofindef) > 0){
size++;
if ((*val)->data == NULL)
(*val)->data = (krb5_data*)malloc(size*sizeof(krb5_data));
@@ -221,8 +264,12 @@ asn1_error_code asn1_decode_principal_name(buf, val)
if(retval) return retval;
}
(*val)->length = size;
- end_sequence_of(&subbuf);
+ end_sequence_of_no_tagvars(&subbuf);
+ }
+ if (indef) {
+ get_eoc();
}
+ next_tag();
end_structure();
(*val)->magic = KV5M_PRINCIPAL;
}
@@ -528,7 +575,7 @@ if(*(array) == NULL) return ENOMEM;\
type *elt;\
\
{ sequence_of(buf);\
- while(asn1buf_remains(&seqbuf) > 0){\
+ while(asn1buf_remains(&seqbuf,seqofindef) > 0){\
alloc_field(elt,type);\
get_element(elt,decoder);\
array_append(val,size,elt,type);\
@@ -660,7 +707,7 @@ asn1_error_code asn1_decode_sequence_of_enctype(buf, num, val)
{
asn1_error_code retval;
{ sequence_of(buf);
- while(asn1buf_remains(&seqbuf) > 0){
+ while(asn1buf_remains(&seqbuf,seqofindef) > 0){
size++;
if (*val == NULL)
*val = (krb5_enctype*)malloc(size*sizeof(krb5_enctype));
diff --git a/src/lib/krb5/asn.1/asn1buf.c b/src/lib/krb5/asn.1/asn1buf.c
index 9c63927..4be82fb 100644
--- a/src/lib/krb5/asn.1/asn1buf.c
+++ b/src/lib/krb5/asn.1/asn1buf.c
@@ -54,6 +54,9 @@
#include <stdio.h>
#include "asn1_get.h"
+#define asn1_is_eoc(class, num, indef) \
+((class) == UNIVERSAL && !(num) && !(indef))
+
asn1_error_code asn1buf_create(buf)
asn1buf ** buf;
{
@@ -91,34 +94,35 @@ asn1_error_code asn1buf_imbed(subbuf, buf, length, indef)
return 0;
}
-asn1_error_code asn1buf_sync(buf, subbuf, lasttag, length)
+asn1_error_code asn1buf_sync(buf, subbuf, class, lasttag, length, indef, seqindef)
asn1buf * buf;
asn1buf * subbuf;
+ const asn1_class class;
const asn1_tagnum lasttag;
const int length;
+ const int indef;
+ const int seqindef;
{
asn1_error_code retval;
- if (length) {
+ if (!seqindef) {
+ /* sequence was encoded as definite length */
buf->next = subbuf->bound + 1;
+ } else if (!asn1_is_eoc(class, lasttag, indef)) {
+ retval = asn1buf_skiptail(subbuf, length, indef);
+ if (retval)
+ return retval;
} else {
- /*
- * indefinite length:
- *
- * Note that asn1_get_tag() returns ASN1_TAGNUM_CEILING
- * for an EOC encoding.
- */
- if (lasttag != ASN1_TAGNUM_CEILING) {
- retval = asn1buf_skiptail(subbuf);
- if (retval) return retval;
- }
+ /* We have just read the EOC octets. */
buf->next = subbuf->next;
}
return 0;
}
-asn1_error_code asn1buf_skiptail(buf)
+asn1_error_code asn1buf_skiptail(buf, length, indef)
asn1buf *buf;
+ const int length;
+ const int indef;
{
asn1_error_code retval;
asn1_class class;
@@ -126,15 +130,29 @@ asn1_error_code asn1buf_skiptail(buf)
asn1_tagnum tagnum;
int taglen;
int nestlevel;
+ int tagindef;
- nestlevel = 1;
+ nestlevel = 1 + indef;
+ if (!indef) {
+ if (length <= buf->bound - buf->next + 1)
+ buf->next += length;
+ else
+ return ASN1_OVERRUN;
+ }
while (nestlevel > 0) {
- retval = asn1_get_tag(buf, &class, &construction, &tagnum, &taglen);
+ retval = asn1_get_tag_indef(buf, &class, &construction, &tagnum,
+ &taglen, &tagindef);
if (retval) return retval;
- if (construction == CONSTRUCTED && taglen == 0)
+ if (!tagindef) {
+ if (taglen <= buf->bound - buf->next + 1)
+ buf->next += taglen;
+ else
+ return ASN1_OVERRUN;
+ }
+ if (tagindef)
nestlevel++;
- if (tagnum == ASN1_TAGNUM_CEILING)
- nestlevel--;
+ if (asn1_is_eoc(class, tagnum, tagindef))
+ nestlevel--; /* got an EOC encoding */
}
return 0;
}
@@ -247,8 +265,9 @@ asn1_error_code asn1buf_remove_charstring(buf, len, s)
return 0;
}
-int asn1buf_remains(buf)
+int asn1buf_remains(buf, indef)
asn1buf *buf;
+ int indef;
{
int remain;
if(buf == NULL || buf->base == NULL) return 0;
@@ -256,15 +275,9 @@ int asn1buf_remains(buf)
if (remain <= 0) return remain;
/*
* Two 0 octets means the end of an indefinite encoding.
- *
- * XXX Do we need to test to make sure we'er actually doing an
- * indefinite encoding here?
*/
- if ( !*(buf->next) && !*(buf->next + 1)) {
- /* buf->bound = buf->next + 1; */
- buf->next += 2;
+ if (indef && remain >= 2 && !*(buf->next) && !*(buf->next + 1))
return 0;
- }
else return remain;
}
@@ -379,9 +392,9 @@ asn1_error_code asn1buf_ensure_space(buf, amount)
asn1buf * buf;
const int amount;
{
- int free = asn1buf_free(buf);
- if(free < amount){
- asn1_error_code retval = asn1buf_expand(buf, amount-free);
+ int avail = asn1buf_free(buf);
+ if(avail < amount){
+ asn1_error_code retval = asn1buf_expand(buf, amount-avail);
if(retval) return retval;
}
return 0;
diff --git a/src/lib/krb5/asn.1/asn1buf.h b/src/lib/krb5/asn.1/asn1buf.h
index 52fc0d6..3f4a6ac 100644
--- a/src/lib/krb5/asn.1/asn1buf.h
+++ b/src/lib/krb5/asn.1/asn1buf.h
@@ -121,14 +121,17 @@ asn1_error_code asn1buf_imbed
position starts at the beginning of *subbuf. */
asn1_error_code asn1buf_sync
- PROTOTYPE((asn1buf *buf, asn1buf *subbuf, const asn1_tagnum lasttag,
- const int length));
+ PROTOTYPE((asn1buf *buf, asn1buf *subbuf, const asn1_class class,
+ const asn1_tagnum lasttag,
+ const int length, const int indef,
+ const int seqindef));
/* requires *subbuf is a sub-buffer of *buf, as created by asn1buf_imbed.
- lasttag is a pointer to the last tagnumber read.
+ lasttag is the last tagnumber read.
effects Synchronizes *buf's current position to match that of *subbuf. */
asn1_error_code asn1buf_skiptail
- PROTOTYPE((asn1buf *buf));
+ PROTOTYPE((asn1buf *buf, const int length,
+ const int indef));
/* requires *buf is a subbuffer used in a decoding of a
constructed indefinite sequence.
effects skips trailing fields. */
@@ -143,7 +146,7 @@ asn1_error_code asn1buf_insert_octet
effects Inserts o into the buffer *buf, expanding the buffer if
necessary. Returns ENOMEM memory is exhausted. */
#if ((__GNUC__ >= 2) && !defined(ASN1BUF_OMIT_INLINE_FUNCS))
-extern inline asn1_error_code asn1buf_insert_octet(buf, o)
+extern __inline__ asn1_error_code asn1buf_insert_octet(buf, o)
asn1buf * buf;
const int o;
{
@@ -221,7 +224,7 @@ asn1_error_code asn12krb5_buf
int asn1buf_remains
- PROTOTYPE((asn1buf *buf));
+ PROTOTYPE((asn1buf *buf, int indef));
/* requires *buf is a buffer containing an asn.1 structure or array
modifies *buf
effects Returns the number of unprocessed octets remaining in *buf. */
diff --git a/src/lib/krb5/asn.1/krb5_decode.c b/src/lib/krb5/asn.1/krb5_decode.c
index 69028b9..ff935c6 100644
--- a/src/lib/krb5/asn.1/krb5_decode.c
+++ b/src/lib/krb5/asn.1/krb5_decode.c
@@ -77,23 +77,29 @@ if(tagnum != (tagexpect)) clean_return(KRB5_BADMSGTYPE)
/* decode an explicit tag and place the number in tagnum */
#define next_tag()\
-retval = asn1_get_tag(&subbuf,&class,&construction,&tagnum,NULL);\
-if(retval) clean_return(retval);\
-if(class != CONTEXT_SPECIFIC || construction != CONSTRUCTED)\
- clean_return(ASN1_BAD_ID)
+retval = asn1_get_tag_indef(&subbuf,&class,&construction,&tagnum,NULL,&indef);\
+if(retval) clean_return(retval)
+
+#define get_eoc() \
+retval = asn1_get_tag_indef(&subbuf,&class,&construction, \
+ &tagnum,NULL,&indef); \
+if(retval) return retval; \
+if(class != UNIVERSAL || tagnum || indef) \
+ return ASN1_MISSING_EOC
/* decode sequence header and initialize tagnum with the first field */
#define begin_structure()\
asn1buf subbuf;\
+int seqindef;\
int indef;\
-retval = asn1_get_sequence(&buf,&length,&indef);\
+retval = asn1_get_sequence(&buf,&length,&seqindef);\
if(retval) clean_return(retval);\
-retval = asn1buf_imbed(&subbuf,&buf,length,indef);\
+retval = asn1buf_imbed(&subbuf,&buf,length,seqindef);\
if(retval) clean_return(retval);\
next_tag()
#define end_structure()\
-retval = asn1buf_sync(&buf,&subbuf,tagnum,length);\
+retval = asn1buf_sync(&buf,&subbuf,class,tagnum,length,indef,seqindef);\
if (retval) clean_return(retval)
/* process fields *******************************************/
@@ -101,6 +107,7 @@ if (retval) clean_return(retval)
#define get_field_body(var,decoder)\
retval = decoder(&subbuf,&(var));\
if(retval) clean_return(retval);\
+if (indef) { get_eoc(); }\
next_tag()
/* decode a field (<[UNIVERSAL id]> <length> <contents>)
@@ -110,26 +117,35 @@ next_tag()
#define get_field(var,tagexpect,decoder)\
if(tagnum > (tagexpect)) clean_return(ASN1_MISSING_FIELD);\
if(tagnum < (tagexpect)) clean_return(ASN1_MISPLACED_FIELD);\
+if(class != CONTEXT_SPECIFIC || construction != CONSTRUCTED)\
+ clean_return(ASN1_BAD_ID);\
get_field_body(var,decoder)
/* decode (or skip, if not present) an optional field */
#define opt_field(var,tagexpect,decoder)\
+if(class != CONTEXT_SPECIFIC || construction != CONSTRUCTED)\
+ clean_return(ASN1_BAD_ID);\
if(tagnum == (tagexpect)){ get_field_body(var,decoder); }
/* field w/ accompanying length *********/
#define get_lenfield_body(len,var,decoder)\
retval = decoder(&subbuf,&(len),&(var));\
if(retval) clean_return(retval);\
+if (indef) { get_eoc(); }\
next_tag()
/* decode a field w/ its length (for string types) */
#define get_lenfield(len,var,tagexpect,decoder)\
if(tagnum > (tagexpect)) clean_return(ASN1_MISSING_FIELD);\
if(tagnum < (tagexpect)) clean_return(ASN1_MISPLACED_FIELD);\
+if(class != CONTEXT_SPECIFIC || construction != CONSTRUCTED)\
+ clean_return(ASN1_BAD_ID);\
get_lenfield_body(len,var,decoder)
/* decode an optional field w/ length */
#define opt_lenfield(len,var,tagexpect,decoder)\
+if(class != CONTEXT_SPECIFIC || construction != CONSTRUCTED)\
+ clean_return(ASN1_BAD_ID);\
if(tagnum == (tagexpect)){\
get_lenfield_body(len,var,decoder);\
}
diff --git a/src/lib/krb5/ccache/ChangeLog b/src/lib/krb5/ccache/ChangeLog
index 2f74235..b9f1516 100644
--- a/src/lib/krb5/ccache/ChangeLog
+++ b/src/lib/krb5/ccache/ChangeLog
@@ -1,3 +1,64 @@
+2002-04-05 Danilo Almeida <dalmeida@mit.edu>
+
+ * Makefile.in: Build cc accessor functions on Windows.
+
+2002-04-2 Alexandra Ellwood <lxs@mit.edu>
+ * ccdefault.c: updated to new KLL function name
+
+2002-03-03 Alexandra Ellwood <lxs@mit.edu>
+ * ccdefault.c: swapped include of KerberosLoginPrivate with k5-int.h
+ to avoid problems with including CoreServices.h after profile.h and krb.h
+
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * ccdefault.c: Updated Mac OS X headers to new framework layout
+
+2002-01-29 Tom Yu <tlyu@mit.edu>
+
+ * ccdefault.c: Add terminal newline. Fixes [krb5-build/1041].
+
+2001-11-16 Miro Jurisic <meeroh@mit.edu>
+ * pullup from krb5-1-2 branch: LoginLib #include changes
+
+2001-10-29 Miro Jurisic <meeroh@mit.edu>
+ * pullup from krb5-1-2 branch after krb5-1-2-2-bp
+ * Makefile.in: Added ccfns.c
+ * ccdefault.h: Updated Mac OS #defines and #includes for new header layout
+ and Mac OS X frameworks
+
+2000-09-12 Alexandra Ellwood <lxs@mit.edu>
+
+ * ccdefops.c: created #define for USE_CCAPI now that both Mac OS 9 and
+ Mac OS 10 use ccapi.
+
+2000-5-31 Alexandra Ellwood <lxs@mit.edu>
+
+ * ccdefault.c: Changed kerberosPrincipal_V5 to kerberosVersion_V5 to reflect
+ the new constant name.
+
+2000-5-19 Alexandra Ellwood <lxs@mit.edu>
+
+ * ccdefault.c: Added krb5int_cc_default. This function
+ supports the Kerberos Login Library and pops up a dialog if the cache does
+ not contain valid tickets. This is used to automatically get a tgt before
+ obtaining service tickets. Note that this should be an internal function
+ because callers don't expect krb5_cc_default to pop up a dialog!
+ (We found this out the hard way :-)
+
+2000-4-26 Alexandra Ellwood <lxs@mit.edu>
+
+ * ccdefault.c: Added version number to internal Kerberos Login Library
+ routine.
+
+2000-4-13 Alexandra Ellwood <lxs@mit.edu>
+
+ * ccdefault.c: Added Kerberos Login library support (with ifdefs to control
+ whether or not it is on. Also added support to store a krb5_principal in the
+ os_context along with the default ccache name (if known, this principal is
+ the same as the last time we looked at the ccache.
+ * ccdefname.c: Added support to store a krb5_principal in the os_context
+ along with the default ccache name (if known, this principal is the same
+ as the last time we looked at the ccache.
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/lib/krb5/ccache/Makefile.in b/src/lib/krb5/ccache/Makefile.in
index 37abee4..ae09347 100644
--- a/src/lib/krb5/ccache/Makefile.in
+++ b/src/lib/krb5/ccache/Makefile.in
@@ -35,9 +35,12 @@ SRCS= $(srcdir)/ccbase.c \
$(srcdir)/cccopy.c \
$(srcdir)/ccdefault.c \
$(srcdir)/ccdefops.c \
+ $(srcdir)/ccfns.c \
$(srcdir)/cc_retr.c \
$(srcdir)/ser_cc.c
+##DOS##OBJS=$(OBJS) $(OUTPRE)ccfns.$(OBJEXT)
+
all-unix:: all-libobjs
all-windows:: subdirs $(OBJFILE)
diff --git a/src/lib/krb5/ccache/ccapi/ChangeLog b/src/lib/krb5/ccache/ccapi/ChangeLog
index e4dac98..9b07b33 100644
--- a/src/lib/krb5/ccache/ccapi/ChangeLog
+++ b/src/lib/krb5/ccache/ccapi/ChangeLog
@@ -1,3 +1,93 @@
+2002-04-05 Danilo Almeida <dalmeida@mit.edu>
+
+ * winccld.c: Include k5-int.h to get hidden ops struct.
+
+2002-04-03 Danilo Almeida <dalmeida@mit.edu>
+
+ * stdcc.h: Remove KRB5_DLLIMP, KRB5_CALLCONV from
+ krb5_stdcc_shutdown() prototype (to fix Windows build).
+
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * stdcc.h: Added prototype for krb5_stdcc_shutdown.
+
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * stdcc.h, stdcc_util.h, stdcc_util.c: Updated Mac OS X headers to new
+ framework layout
+ * stdcc.c: Removed unused variables and fixed macros to reduce warnings
+
+2001-10-29 Miro Jurisic <meeroh@mit.edu>
+ * pullup from krb5-1-2 branch after krb5-1-2-2-bp
+ * stdcc.c: Replaced cc_* macros with functions
+ * stdcc.h, stdcc_util.h: Updated Mac OS #defines and #includes for new
+ header layout and Mac OS X frameworks
+
+2000-10-02 Alexandra Ellwood <lxs@mit.edu>
+
+ * stdcc_util.c: now Mac OS X uses get_time_offsets to store offset time
+ like Mac OS 9.
+
+2000-09-12 Alexandra Ellwood <lxs@mit.edu>
+
+ * stdcc.h, stdcc_util.h: created #define for USE_CCAPI now that
+ both Mac OS 9 and Mac OS 10 use ccapi.
+
+2000-06-08 Alexandra Ellwood <lxs@mit.edu>
+
+ * stdcc_util.c (dupCCtoK5, dupK5toCC):
+ Fixed code that stores times in localtime, not in kdc time.
+
+2000-05-18 Danilo Almeida <dalmeida@mit.edu>
+
+ * stdcc_util.c (dupK5toCC): Remove unused variables.
+
+ * stdcc_util.c: Reindent to krb5 coding style. Remove whitespace
+ at end of lines. Replace C++ comments with C comments.
+
+ * stdcc_util.h: Replace C++ comments with C comments.
+
+ * winccld.h: Define CC_API_VER2 for all Windows code using ccapi.
+ Update dynamic loading declarations to use CC_API_VER2.
+
+ * winccld.h: Do not define or try to load cc_lock_request, which is
+ not actually used anywhere in the code.
+
+ * stdcc.c: Define CC_API_VER2 if not defined rather than just if
+ not Windows.
+
+ * winccld.c (LoadFuncs): Get error on DLL load failure even though
+ we do not use it in case we are doing source-level debugging.
+
+2000-05-04 Miro Jurisic <meeroh@mit.edu>
+
+ * stdcc_util.c (dupCCtoK5, dupK5toCC):
+ Conditionalized local/KDC time conversions for Mac-only
+ until we figure out what to do about that
+
+2000-04-07 Jeffrey Altman <jaltman@columbia.edu>
+
+ * stdcc_util.c (copyCCDataArrayToK5, copyCCDataArrayToK5):
+ * stdcc_util.c (dupCCtoK5, dupK5toCC):
+
+ memory was being allocated as (sizeof(foo) * count + 1)
+ instead of (sizeof(foo) * (count + 1))
+
+2000-04-03 Jeffrey Altman <jaltman@columbia.edu>
+
+ * stdcc_util.c (copyCCDataArrayToK5, copyCCDataArrayToK5):
+ * stdcc_util.c (dupCCtoK5, dupK5toCC):
+
+ Changed all references to the type UInt32 to unsigned int
+ since UInt32 is not a standard type on Unix or Win32
+
+2000-03-24 Alexandra Ellwood <lxs@mit.edu>
+
+ * stdcc_util.c (copyCCDataArrayToK5, copyCCDataArrayToK5):
+ Modified to copy authdata as well... this code may have
+ bugs since I couldn't get a good case where authdata != NULL
+
+ * stdcc_util.c (dupCCtoK5, dupK5toCC):
+ Added code to store times in localtime, not in kdc time.
+
2000-03-15 Danilo Almeida <dalmeida@mit.edu>
* stdcc.c (krb5_stdcc_destroy): Do not mask KRB5_FCC_NOFILE error
diff --git a/src/lib/krb5/ccache/ccapi/stdcc.c b/src/lib/krb5/ccache/ccapi/stdcc.c
index a17cd02..b885885 100644
--- a/src/lib/krb5/ccache/ccapi/stdcc.c
+++ b/src/lib/krb5/ccache/ccapi/stdcc.c
@@ -32,6 +32,7 @@
#include "stdcc.h"
#include "stdcc_util.h"
#include "string.h"
+#include "k5-int.h"
#include <stdio.h>
apiCB *gCntrlBlock = NULL;
@@ -40,7 +41,7 @@ apiCB *gCntrlBlock = NULL;
#include "winccld.h"
#endif
-#if !defined(_MSDOS) && !defined(_WIN32)
+#ifndef CC_API_VER2
#define CC_API_VER2
#endif
@@ -264,7 +265,7 @@ krb5_error_code KRB5_CALLCONV krb5_stdcc_resolve
stdccCacheDataPtr ccapi_data = NULL;
int err;
krb5_error_code retval;
- char *cName;
+ char *cName = NULL;
if ((retval = stdcc_setup(context, NULL)))
return retval;
@@ -548,7 +549,9 @@ krb5_error_code KRB5_CALLCONV krb5_stdcc_end_seq_get
krb5_error_code retval;
stdccCacheDataPtr ccapi_data = NULL;
int err;
+#ifndef CC_API_VER2
cred_union *credU = NULL;
+#endif
ccapi_data = id->data;
@@ -656,7 +659,6 @@ krb5_stdcc_destroy (krb5_context context, krb5_ccache id)
char * KRB5_CALLCONV krb5_stdcc_get_name
(krb5_context context, krb5_ccache id )
{
- char *name = NULL;
stdccCacheDataPtr ccapi_data = id->data;
if (!ccapi_data)
diff --git a/src/lib/krb5/ccache/ccapi/stdcc.h b/src/lib/krb5/ccache/ccapi/stdcc.h
index 109c4fc..a9825b7 100644
--- a/src/lib/krb5/ccache/ccapi/stdcc.h
+++ b/src/lib/krb5/ccache/ccapi/stdcc.h
@@ -1,7 +1,7 @@
#include "krb5.h"
-#if defined(macintosh)
-#include "CCache2.h"
+#if TARGET_OS_MAC
+#include <Kerberos/CredentialsCache2.h>
#endif
#if defined(_MSDOS) || defined(_WIN32)
@@ -24,6 +24,8 @@ typedef struct _stdccCacheData {
/* function protoypes */
+void krb5_stdcc_shutdown(void);
+
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_stdcc_close
KRB5_PROTOTYPE((krb5_context, krb5_ccache id ));
diff --git a/src/lib/krb5/ccache/ccapi/stdcc_util.c b/src/lib/krb5/ccache/ccapi/stdcc_util.c
index 4262eed..cf2054e 100644
--- a/src/lib/krb5/ccache/ccapi/stdcc_util.c
+++ b/src/lib/krb5/ccache/ccapi/stdcc_util.c
@@ -23,112 +23,170 @@
* - copy and translate the null terminated arrays of data records
* used in k5 tickets
*/
-int copyCCDataArrayToK5(cc_creds *cc, krb5_creds *kc, char whichArray) {
-
- cc_data *ccAdr, **cbase;
- krb5_address *kAdr, **kbase, **constKBase;
- int numRecords = 0;
-
-
- if (whichArray == kAddressArray) {
- /* check pointer */
- if (cc->addresses == NULL) {
- kc->addresses = NULL;
- return 0;
- }
- } else if (whichArray == kAuthDataArray) {
- /* check pointer */
- if (cc->authdata == NULL) {
- kc->authdata = NULL;
- return 0;
- }
- } else
- return -1;
-
-
- cbase = (whichArray == kAddressArray) ? cc->addresses : cc->authdata;
- /* calc number of records */
- while (*cbase++ != NULL) numRecords++;
- /* allocate new array */
- constKBase = kbase = (krb5_address **)malloc((numRecords+1)*sizeof(char *));
- //reset base
- cbase = (whichArray == kAddressArray) ? cc->addresses : cc->authdata;
-
-
- //copy records
- while (*cbase != NULL) {
- *kbase = (krb5_address *)malloc(sizeof(krb5_address));
- kAdr = *kbase;
- ccAdr = *cbase;
- kAdr->magic = (whichArray == kAddressArray) ? KV5M_ADDRESS : KV5M_AUTHDATA;
- kAdr->addrtype = ccAdr->type;
- kAdr->length = ccAdr->length;
- kAdr->contents = (krb5_octet *)malloc(kAdr->length);
- memcpy(kAdr->contents, ccAdr->data, kAdr->length);
- //next element please
- kbase++; cbase++;
+int copyCCDataArrayToK5(cc_creds *ccCreds, krb5_creds *v5Creds, char whichArray) {
+
+ if (whichArray == kAddressArray) {
+ if (ccCreds->addresses == NULL) {
+ v5Creds->addresses = NULL;
+ } else {
+
+ krb5_address **addrPtr, *addr;
+ cc_data **dataPtr, *data;
+ unsigned int numRecords = 0;
+
+ /* Allocate the array of pointers: */
+ for (dataPtr = ccCreds->addresses; *dataPtr != NULL; numRecords++, dataPtr++) {}
+
+ v5Creds->addresses = (krb5_address **) malloc (sizeof(krb5_address *) * (numRecords + 1));
+ if (v5Creds->addresses == NULL)
+ return ENOMEM;
+
+ /* Fill in the array, allocating the address structures: */
+ for (dataPtr = ccCreds->addresses, addrPtr = v5Creds->addresses; *dataPtr != NULL; addrPtr++, dataPtr++) {
+
+ *addrPtr = (krb5_address *) malloc (sizeof(krb5_address));
+ if (*addrPtr == NULL)
+ return ENOMEM;
+ data = *dataPtr;
+ addr = *addrPtr;
+
+ addr->addrtype = data->type;
+ addr->magic = KV5M_ADDRESS;
+ addr->length = data->length;
+ addr->contents = (krb5_octet *) malloc (sizeof(krb5_octet) * addr->length);
+ if (addr->contents == NULL)
+ return ENOMEM;
+ memmove(addr->contents, data->data, addr->length); /* copy contents */
+ }
+
+ /* Write terminator: */
+ *addrPtr = NULL;
+ }
+ }
+
+ if (whichArray == kAuthDataArray) {
+ if (ccCreds->authdata == NULL) {
+ v5Creds->authdata = NULL;
+ } else {
+ krb5_authdata **authPtr, *auth;
+ cc_data **dataPtr, *data;
+ unsigned int numRecords = 0;
+
+ /* Allocate the array of pointers: */
+ for (dataPtr = ccCreds->authdata; *dataPtr != NULL; numRecords++, dataPtr++) {}
+
+ v5Creds->authdata = (krb5_authdata **) malloc (sizeof(krb5_authdata *) * (numRecords + 1));
+ if (v5Creds->authdata == NULL)
+ return ENOMEM;
+
+ /* Fill in the array, allocating the address structures: */
+ for (dataPtr = ccCreds->authdata, authPtr = v5Creds->authdata; *dataPtr != NULL; authPtr++, dataPtr++) {
+
+ *authPtr = (krb5_authdata *) malloc (sizeof(krb5_authdata));
+ if (*authPtr == NULL)
+ return ENOMEM;
+ data = *dataPtr;
+ auth = *authPtr;
+
+ auth->ad_type = data->type;
+ auth->magic = KV5M_AUTHDATA;
+ auth->length = data->length;
+ auth->contents = (krb5_octet *) malloc (sizeof(krb5_octet) * auth->length);
+ if (auth->contents == NULL)
+ return ENOMEM;
+ memmove(auth->contents, data->data, auth->length); /* copy contents */
+ }
+
+ /* Write terminator: */
+ *authPtr = NULL;
}
-
- //write terminator
- *kbase = NULL;
- if (whichArray == kAddressArray) kc->addresses = constKBase;
- else kc->authdata = (krb5_authdata **)constKBase;
+ }
- return 0;
+ return 0;
}
/*
* copyK5DataArrayToCC
* - analagous to above, but in the other direction
*/
-int copyK5DataArrayToCC(krb5_creds *kc, cc_creds *cc, char whichArray) {
-
- cc_data *ccAdr, **cbase, **constCBase;
- krb5_address *kAdr, **kbase;
- int numRecords = 0;
-
-
- if (whichArray == kAddressArray) {
- //check pointer
- if (kc->addresses == NULL) {
- cc->addresses = NULL;
- return 0; }
- } else if (whichArray == kAuthDataArray) {
- //check pointer
- if (kc->authdata == NULL) {
- cc->authdata = NULL;
- return 0; }
- } else return -1;
-
-
- kbase = (whichArray == kAddressArray) ? kc->addresses : (krb5_address **)kc->authdata;
- //calc number of records
- while (*kbase++ != NULL) numRecords++;
- //allocate new array
- constCBase = cbase = (cc_data **)malloc((numRecords+1)*sizeof(char *));
- //reset base
- kbase = (whichArray == kAddressArray) ? kc->addresses : (krb5_address **)kc->authdata;
-
-
- //copy records
- while (*kbase != NULL) {
- *cbase = (cc_data *)malloc(sizeof(krb5_address));
- kAdr = *kbase;
- ccAdr = *cbase;
- ccAdr->type = kAdr->addrtype;
- ccAdr->length = kAdr->length;
- ccAdr->data = (unsigned char *)malloc(ccAdr->length);
- memcpy(ccAdr->data, kAdr->contents, kAdr->length);
- //next element please
- kbase++; cbase++;
+int copyK5DataArrayToCC(krb5_creds *v5Creds, cc_creds *ccCreds, char whichArray)
+{
+ if (whichArray == kAddressArray) {
+ if (v5Creds->addresses == NULL) {
+ ccCreds->addresses = NULL;
+ } else {
+
+ krb5_address **addrPtr, *addr;
+ cc_data **dataPtr, *data;
+ unsigned int numRecords = 0;
+
+ /* Allocate the array of pointers: */
+ for (addrPtr = v5Creds->addresses; *addrPtr != NULL; numRecords++, addrPtr++) {}
+
+ ccCreds->addresses = (cc_data **) malloc (sizeof(cc_data *) * (numRecords + 1));
+ if (ccCreds->addresses == NULL)
+ return ENOMEM;
+
+ /* Fill in the array, allocating the address structures: */
+ for (dataPtr = ccCreds->addresses, addrPtr = v5Creds->addresses; *addrPtr != NULL; addrPtr++, dataPtr++) {
+
+ *dataPtr = (cc_data *) malloc (sizeof(cc_data));
+ if (*dataPtr == NULL)
+ return ENOMEM;
+ data = *dataPtr;
+ addr = *addrPtr;
+
+ data->type = addr->addrtype;
+ data->length = addr->length;
+ data->data = malloc (sizeof(char) * data->length);
+ if (data->data == NULL)
+ return ENOMEM;
+ memmove(data->data, addr->contents, data->length); /* copy contents */
+ }
+
+ /* Write terminator: */
+ *dataPtr = NULL;
+ }
+ }
+
+ if (whichArray == kAuthDataArray) {
+ if (v5Creds->authdata == NULL) {
+ ccCreds->authdata = NULL;
+ } else {
+ krb5_authdata **authPtr, *auth;
+ cc_data **dataPtr, *data;
+ unsigned int numRecords = 0;
+
+ /* Allocate the array of pointers: */
+ for (authPtr = v5Creds->authdata; *authPtr != NULL; numRecords++, authPtr++) {}
+
+ ccCreds->authdata = (cc_data **) malloc (sizeof(cc_data *) * (numRecords + 1));
+ if (ccCreds->authdata == NULL)
+ return ENOMEM;
+
+ /* Fill in the array, allocating the address structures: */
+ for (dataPtr = ccCreds->authdata, authPtr = v5Creds->authdata; *authPtr != NULL; authPtr++, dataPtr++) {
+
+ *dataPtr = (cc_data *) malloc (sizeof(cc_data));
+ if (*dataPtr == NULL)
+ return ENOMEM;
+ data = *dataPtr;
+ auth = *authPtr;
+
+ data->type = auth->ad_type;
+ data->length = auth->length;
+ data->data = malloc (sizeof(char) * data->length);
+ if (data->data == NULL)
+ return ENOMEM;
+ memmove(data->data, auth->contents, data->length); /* copy contents */
+ }
+
+ /* Write terminator: */
+ *dataPtr = NULL;
}
-
- //write terminator
- *cbase = NULL;
- if (whichArray == kAddressArray) cc->addresses = (cc_data **)constCBase;
- else cc->authdata = (cc_data **)constCBase;
+ }
- return 0;
+ return 0;
}
/*
@@ -136,52 +194,56 @@ int copyK5DataArrayToCC(krb5_creds *kc, cc_creds *cc, char whichArray) {
* - allocate an empty k5 style ticket and copy info from the cc_creds ticket
*/
-void dupCCtoK5(krb5_context context, cc_creds *src, krb5_creds *dest) {
-
- int err;
-
- /*
- * allocate and copy
- * copy all of those damn fields back
- */
- err = krb5_parse_name(context, src->client, &(dest->client));
- err = krb5_parse_name(context, src->server, &(dest->server));
- if (err) return; //parsename fails w/o krb5.ini for example
-
- /* copy keyblock */
- dest->keyblock.enctype = src->keyblock.type;
- dest->keyblock.length = src->keyblock.length;
- dest->keyblock.contents = (krb5_octet *)malloc(dest->keyblock.length);
- memcpy(dest->keyblock.contents, src->keyblock.data, dest->keyblock.length);
-
- /* copy times */
- dest->times.authtime = src->authtime;
- dest->times.starttime = src->starttime;
- dest->times.endtime = src->endtime;
- dest->times.renew_till = src->renew_till;
- dest->is_skey = src->is_skey;
- dest->ticket_flags = src->ticket_flags;
-
- /* more branching fields */
- copyCCDataArrayToK5(src, dest, kAddressArray);
- dest->ticket.length = src->ticket.length;
- dest->ticket.data = (char *)malloc(src->ticket.length);
- memcpy(dest->ticket.data, src->ticket.data, src->ticket.length);
- dest->second_ticket.length = src->second_ticket.length;
- (dest->second_ticket).data = ( char *)malloc(src->second_ticket.length);
- memcpy(dest->second_ticket.data, src->second_ticket.data, src->second_ticket.length);
-
- /* zero out magic number */
- dest->magic = 0;
- /*
- * later
- * copyCCDataArrayToK5(src, dest, kAuthDataArray);
- * krb5 docs say that authdata can be nulled out if we
- * only want default behavior
- */
- dest->authdata = NULL;
-
- return;
+void dupCCtoK5(krb5_context context, cc_creds *src, krb5_creds *dest)
+{
+ krb5_int32 offset_seconds = 0, offset_microseconds = 0;
+ int err;
+
+ /*
+ * allocate and copy
+ * copy all of those damn fields back
+ */
+ err = krb5_parse_name(context, src->client, &(dest->client));
+ err = krb5_parse_name(context, src->server, &(dest->server));
+ if (err) return; /* parsename fails w/o krb5.ini for example */
+
+ /* copy keyblock */
+ dest->keyblock.enctype = src->keyblock.type;
+ dest->keyblock.length = src->keyblock.length;
+ dest->keyblock.contents = (krb5_octet *)malloc(dest->keyblock.length);
+ memcpy(dest->keyblock.contents, src->keyblock.data, dest->keyblock.length);
+
+ /* copy times */
+#if TARGET_OS_MAC
+ err = krb5_get_time_offsets(context, &offset_seconds, &offset_microseconds);
+ if (err) return;
+#endif
+ dest->times.authtime = src->authtime + offset_seconds;
+ dest->times.starttime = src->starttime + offset_seconds;
+ dest->times.endtime = src->endtime + offset_seconds;
+ dest->times.renew_till = src->renew_till + offset_seconds;
+ dest->is_skey = src->is_skey;
+ dest->ticket_flags = src->ticket_flags;
+
+ /* more branching fields */
+ err = copyCCDataArrayToK5(src, dest, kAddressArray);
+ if (err) return;
+
+ dest->ticket.length = src->ticket.length;
+ dest->ticket.data = (char *)malloc(src->ticket.length);
+ memcpy(dest->ticket.data, src->ticket.data, src->ticket.length);
+ dest->second_ticket.length = src->second_ticket.length;
+ (dest->second_ticket).data = ( char *)malloc(src->second_ticket.length);
+ memcpy(dest->second_ticket.data, src->second_ticket.data, src->second_ticket.length);
+
+ /* zero out magic number */
+ dest->magic = 0;
+
+ /* authdata */
+ err = copyCCDataArrayToK5(src, dest, kAuthDataArray);
+ if (err) return;
+
+ return;
}
/*
@@ -190,90 +252,97 @@ void dupCCtoK5(krb5_context context, cc_creds *src, krb5_creds *dest) {
*/
void dupK5toCC(krb5_context context, krb5_creds *creds, cred_union **cu)
{
- cc_creds *c;
- int err;
+ cc_creds *c;
+ int err;
+ krb5_int32 offset_seconds = 0, offset_microseconds = 0;
#ifdef macintosh
- char *tempname = NULL;
+ char *tempname = NULL;
#endif
-
- if (cu == NULL) return;
-
- /* allocate the cred_union */
- *cu = (cred_union *)malloc(sizeof(cred_union));
- if ((*cu) == NULL)
- return;
-
- (*cu)->cred_type = CC_CRED_V5;
-
- /* allocate creds structure (and install) */
- c = (cc_creds *)malloc(sizeof(cc_creds));
- if (c == NULL) return;
- (*cu)->cred.pV5Cred = c;
-
- /* convert krb5 principals to flat principals */
+
+ if (cu == NULL) return;
+
+ /* allocate the cred_union */
+ *cu = (cred_union *)malloc(sizeof(cred_union));
+ if ((*cu) == NULL)
+ return;
+
+ (*cu)->cred_type = CC_CRED_V5;
+
+ /* allocate creds structure (and install) */
+ c = (cc_creds *)malloc(sizeof(cc_creds));
+ if (c == NULL) return;
+ (*cu)->cred.pV5Cred = c;
+
+ /* convert krb5 principals to flat principals */
#ifdef macintosh
- /*
- * and make sure the memory for c->client and c->server is on
- * the system heap with NewPtr for the Mac (krb5_unparse_name
- * puts it in appl heap with malloc)
- */
- err = krb5_unparse_name(context, creds->client, &tempname);
- c->client = malloc(strlen(tempname)+1);
- if (c->client != NULL)
- strcpy(c->client,tempname);
- free(tempname);
- tempname = NULL;
-
- err = krb5_unparse_name(context, creds->server, &tempname);
- c->server = malloc(strlen(tempname)+1);
- if (c->server != NULL)
- strcpy(c->server,tempname);
- free(tempname);
+ /*
+ * and make sure the memory for c->client and c->server is on
+ * the system heap with NewPtr for the Mac (krb5_unparse_name
+ * puts it in appl heap with malloc)
+ */
+ err = krb5_unparse_name(context, creds->client, &tempname);
+ c->client = malloc(strlen(tempname)+1);
+ if (c->client != NULL)
+ strcpy(c->client,tempname);
+ free(tempname);
+ tempname = NULL;
+
+ err = krb5_unparse_name(context, creds->server, &tempname);
+ c->server = malloc(strlen(tempname)+1);
+ if (c->server != NULL)
+ strcpy(c->server,tempname);
+ free(tempname);
#else
- err = krb5_unparse_name(context, creds->client, &(c->client));
- err = krb5_unparse_name(context, creds->server, &(c->server));
+ err = krb5_unparse_name(context, creds->client, &(c->client));
+ err = krb5_unparse_name(context, creds->server, &(c->server));
#endif
- if (err) return;
-
- /* copy more fields */
- c->keyblock.type = creds->keyblock.enctype;
- c->keyblock.length = creds->keyblock.length;
-
- if (creds->keyblock.contents != NULL) {
- c->keyblock.data = (unsigned char *)malloc(creds->keyblock.length);
- memcpy(c->keyblock.data, creds->keyblock.contents, creds->keyblock.length);
- } else {
- c->keyblock.data = NULL;
- }
-
- c->authtime = creds->times.authtime;
- c->starttime = creds->times.starttime;
- c->endtime = creds->times.endtime;
- c->renew_till = creds->times.renew_till;
- c->is_skey = creds->is_skey;
- c->ticket_flags = creds->ticket_flags;
-
- copyK5DataArrayToCC(creds, c, kAddressArray);
-
- c->ticket.length = creds->ticket.length;
- if (creds->ticket.data != NULL) {
- c->ticket.data = (unsigned char *)malloc(creds->ticket.length);
- memcpy(c->ticket.data, creds->ticket.data, creds->ticket.length);
- } else {
- c->ticket.data = NULL;
- }
-
- c->second_ticket.length = creds->second_ticket.length;
- if (creds->second_ticket.data != NULL) {
- c->second_ticket.data = (unsigned char *)malloc(creds->second_ticket.length);
- memcpy(c->second_ticket.data, creds->second_ticket.data, creds->second_ticket.length);
- } else {
- c->second_ticket.data = NULL;
- }
-
- c->authdata = NULL;
-
- return;
+ if (err) return;
+
+ /* copy more fields */
+ c->keyblock.type = creds->keyblock.enctype;
+ c->keyblock.length = creds->keyblock.length;
+
+ if (creds->keyblock.contents != NULL) {
+ c->keyblock.data = (unsigned char *)malloc(creds->keyblock.length);
+ memcpy(c->keyblock.data, creds->keyblock.contents, creds->keyblock.length);
+ } else {
+ c->keyblock.data = NULL;
+ }
+
+#if TARGET_OS_MAC
+ err = krb5_get_time_offsets(context, &offset_seconds, &offset_microseconds);
+ if (err) return;
+#endif
+ c->authtime = creds->times.authtime - offset_seconds;
+ c->starttime = creds->times.starttime - offset_seconds;
+ c->endtime = creds->times.endtime - offset_seconds;
+ c->renew_till = creds->times.renew_till - offset_seconds;
+ c->is_skey = creds->is_skey;
+ c->ticket_flags = creds->ticket_flags;
+
+ err = copyK5DataArrayToCC(creds, c, kAddressArray);
+ if (err) return;
+
+ c->ticket.length = creds->ticket.length;
+ if (creds->ticket.data != NULL) {
+ c->ticket.data = (unsigned char *)malloc(creds->ticket.length);
+ memcpy(c->ticket.data, creds->ticket.data, creds->ticket.length);
+ } else {
+ c->ticket.data = NULL;
+ }
+
+ c->second_ticket.length = creds->second_ticket.length;
+ if (creds->second_ticket.data != NULL) {
+ c->second_ticket.data = (unsigned char *)malloc(creds->second_ticket.length);
+ memcpy(c->second_ticket.data, creds->second_ticket.data, creds->second_ticket.length);
+ } else {
+ c->second_ticket.data = NULL;
+ }
+
+ err = copyK5DataArrayToCC(creds, c, kAuthDataArray);
+ if (err) return;
+
+ return;
}
/*
@@ -281,7 +350,7 @@ void dupK5toCC(krb5_context context, krb5_creds *creds, cred_union **cu)
*/
static krb5_boolean
times_match(t1, t2)
-register const krb5_ticket_times *t1;
+ register const krb5_ticket_times *t1;
register const krb5_ticket_times *t2;
{
if (t1->renew_till) {
@@ -308,7 +377,7 @@ times_match_exact (t1, t2)
static krb5_boolean
standard_fields_match(context, mcreds, creds)
- krb5_context context;
+ krb5_context context;
register const krb5_creds *mcreds, *creds;
{
return (krb5_principal_compare(context, mcreds->client,creds->client) &&
@@ -319,12 +388,12 @@ register const krb5_creds *mcreds, *creds;
static krb5_boolean
srvname_match(context, mcreds, creds)
- krb5_context context;
+ krb5_context context;
register const krb5_creds *mcreds, *creds;
{
krb5_boolean retval;
krb5_principal_data p1, p2;
-
+
retval = krb5_principal_compare(context, mcreds->client,creds->client);
if (retval != TRUE)
return retval;
@@ -368,7 +437,7 @@ authdata_match(mdata, data)
static krb5_boolean
data_match(data1, data2)
-register const krb5_data *data1, *data2;
+ register const krb5_data *data1, *data2;
{
if (!data1) {
if (!data2)
@@ -396,117 +465,113 @@ register const krb5_data *data1, *data2;
int stdccCredsMatch(krb5_context context, krb5_creds *base,
krb5_creds *match, int whichfields)
{
- krb5_ticket_times b, m;
- krb5_authdata **bp, **mp;
- krb5_boolean retval;
-
- if (((MATCH_SET(KRB5_TC_MATCH_SRV_NAMEONLY) &&
- srvname_match(context, match, base)) ||
- standard_fields_match(context, match, base))
- &&
- (! MATCH_SET(KRB5_TC_MATCH_IS_SKEY) ||
- match->is_skey == base->is_skey)
- &&
- (! MATCH_SET(KRB5_TC_MATCH_FLAGS_EXACT) ||
- match->ticket_flags == base->ticket_flags)
- &&
- (! MATCH_SET(KRB5_TC_MATCH_FLAGS) ||
- flags_match(match->ticket_flags, base->ticket_flags))
- &&
- (! MATCH_SET(KRB5_TC_MATCH_TIMES_EXACT) ||
- times_match_exact(&match->times, &base->times))
- &&
- (! MATCH_SET(KRB5_TC_MATCH_TIMES) ||
- times_match(&match->times, &base->times))
- &&
- (! MATCH_SET(KRB5_TC_MATCH_AUTHDATA) ||
- authdata_match (match->authdata, base->authdata))
- &&
- (! MATCH_SET(KRB5_TC_MATCH_2ND_TKT) ||
- data_match (&match->second_ticket, &base->second_ticket))
- &&
- ((! MATCH_SET(KRB5_TC_MATCH_KTYPE))||
- (match->keyblock.enctype == base->keyblock.enctype))
- )
- return TRUE;
- return FALSE;
-
+ if (((MATCH_SET(KRB5_TC_MATCH_SRV_NAMEONLY) &&
+ srvname_match(context, match, base)) ||
+ standard_fields_match(context, match, base))
+ &&
+ (! MATCH_SET(KRB5_TC_MATCH_IS_SKEY) ||
+ match->is_skey == base->is_skey)
+ &&
+ (! MATCH_SET(KRB5_TC_MATCH_FLAGS_EXACT) ||
+ match->ticket_flags == base->ticket_flags)
+ &&
+ (! MATCH_SET(KRB5_TC_MATCH_FLAGS) ||
+ flags_match(match->ticket_flags, base->ticket_flags))
+ &&
+ (! MATCH_SET(KRB5_TC_MATCH_TIMES_EXACT) ||
+ times_match_exact(&match->times, &base->times))
+ &&
+ (! MATCH_SET(KRB5_TC_MATCH_TIMES) ||
+ times_match(&match->times, &base->times))
+ &&
+ (! MATCH_SET(KRB5_TC_MATCH_AUTHDATA) ||
+ authdata_match (match->authdata, base->authdata))
+ &&
+ (! MATCH_SET(KRB5_TC_MATCH_2ND_TKT) ||
+ data_match (&match->second_ticket, &base->second_ticket))
+ &&
+ ((! MATCH_SET(KRB5_TC_MATCH_KTYPE))||
+ (match->keyblock.enctype == base->keyblock.enctype))
+ )
+ return TRUE;
+ return FALSE;
}
-// ----- free_cc_cred_union, etc --------------
+/* ----- free_cc_cred_union, etc -------------- */
/*
- Since the Kerberos5 library allocates a credentials cache structure
- (in dupK5toCC() above) with its own memory allocation routines - which
- may be different than how the CCache allocates memory - the Kerb5 library
- must have its own version of cc_free_creds() to deallocate it. These
- functions do that. The top-level function to substitue for cc_free_creds()
- is krb5_free_cc_cred_union().
-
- If the CCache library wants to use a cred_union structure created by
- the Kerb5 library, it should make a deep copy of it to "translate" to its
- own memory allocation space.
+ Since the Kerberos5 library allocates a credentials cache structure
+ (in dupK5toCC() above) with its own memory allocation routines - which
+ may be different than how the CCache allocates memory - the Kerb5 library
+ must have its own version of cc_free_creds() to deallocate it. These
+ functions do that. The top-level function to substitue for cc_free_creds()
+ is krb5_free_cc_cred_union().
+
+ If the CCache library wants to use a cred_union structure created by
+ the Kerb5 library, it should make a deep copy of it to "translate" to its
+ own memory allocation space.
*/
-static void deep_free_cc_data (cc_data data) {
-
- if (data.data != NULL)
- free (data.data);
+static void deep_free_cc_data (cc_data data)
+{
+ if (data.data != NULL)
+ free (data.data);
}
static void deep_free_cc_data_array (cc_data** data) {
-
- unsigned int index;
-
- if (data == NULL)
- return;
-
- for (index = 0; data [index] != NULL; index++) {
- deep_free_cc_data (*(data [index]));
- free (data [index]);
- }
-
- free (data);
+
+ unsigned int index;
+
+ if (data == NULL)
+ return;
+
+ for (index = 0; data [index] != NULL; index++) {
+ deep_free_cc_data (*(data [index]));
+ free (data [index]);
+ }
+
+ free (data);
}
-static void deep_free_cc_v5_creds (cc_creds* creds) {
-
- if (creds == NULL)
- return;
-
- if (creds -> client != NULL)
- free (creds -> client);
- if (creds -> server != NULL)
- free (creds -> server);
-
- deep_free_cc_data (creds -> keyblock);
- deep_free_cc_data (creds -> ticket);
- deep_free_cc_data (creds -> second_ticket);
-
- deep_free_cc_data_array (creds -> addresses);
- deep_free_cc_data_array (creds -> authdata);
-
- free(creds);
+static void deep_free_cc_v5_creds (cc_creds* creds)
+{
+ if (creds == NULL)
+ return;
+
+ if (creds -> client != NULL)
+ free (creds -> client);
+ if (creds -> server != NULL)
+ free (creds -> server);
+
+ deep_free_cc_data (creds -> keyblock);
+ deep_free_cc_data (creds -> ticket);
+ deep_free_cc_data (creds -> second_ticket);
+
+ deep_free_cc_data_array (creds -> addresses);
+ deep_free_cc_data_array (creds -> authdata);
+
+ free(creds);
}
-static void deep_free_cc_creds (cred_union creds) {
-
- if (creds.cred_type == CC_CRED_V4) { // we shouldn't get this, of course
- free (creds.cred.pV4Cred);
- } else if (creds.cred_type == CC_CRED_V5) {
- deep_free_cc_v5_creds (creds.cred.pV5Cred);
- }
+static void deep_free_cc_creds (cred_union creds)
+{
+ if (creds.cred_type == CC_CRED_V4) {
+ /* we shouldn't get this, of course */
+ free (creds.cred.pV4Cred);
+ } else if (creds.cred_type == CC_CRED_V5) {
+ deep_free_cc_v5_creds (creds.cred.pV5Cred);
+ }
}
-// top-level exported function
-cc_int32 krb5_free_cc_cred_union (cred_union** creds) {
-
- if (creds == NULL)
- return CC_BAD_PARM;
-
- if (*creds != NULL) {
- deep_free_cc_creds (**creds);
- free (*creds);
- *creds = NULL;
- }
-
- return CC_NOERROR;
+/* top-level exported function */
+cc_int32 krb5_free_cc_cred_union (cred_union** creds)
+{
+ if (creds == NULL)
+ return CC_BAD_PARM;
+
+ if (*creds != NULL) {
+ deep_free_cc_creds (**creds);
+ free (*creds);
+ *creds = NULL;
+ }
+
+ return CC_NOERROR;
}
diff --git a/src/lib/krb5/ccache/ccapi/stdcc_util.h b/src/lib/krb5/ccache/ccapi/stdcc_util.h
index 93538bf..e8426d4 100644
--- a/src/lib/krb5/ccache/ccapi/stdcc_util.h
+++ b/src/lib/krb5/ccache/ccapi/stdcc_util.h
@@ -1,9 +1,10 @@
-//stdcc_util.h
-//
-// Frank Dabek, July 1998
+/* stdcc_util.h
+ *
+ * Frank Dabek, July 1998
+ */
-#if defined(macintosh)
-#include "CCache2.h"
+#if TARGET_OS_MAC
+#include <Kerberos/CredentialsCache2.h>
#endif
#if defined(_MSDOS) || defined(_WIN32)
@@ -12,7 +13,7 @@
#include "krb5.h"
-//protoypes for private functions declared in stdcc_util.c
+/* protoypes for private functions declared in stdcc_util.c */
int copyCCDataArrayToK5(cc_creds *cc, krb5_creds *kc, char whichArray);
int copyK5DataArrayToCC(krb5_creds *kc, cc_creds *cc, char whichArray);
void dupCCtoK5(krb5_context context, cc_creds *src, krb5_creds *dest);
diff --git a/src/lib/krb5/ccache/ccapi/winccld.c b/src/lib/krb5/ccache/ccapi/winccld.c
index 2792cee..e6e4d58 100644
--- a/src/lib/krb5/ccache/ccapi/winccld.c
+++ b/src/lib/krb5/ccache/ccapi/winccld.c
@@ -7,6 +7,7 @@
#include <windows.h>
#include <stdio.h>
#include "stdcc.h"
+#include "k5-int.h"
/* from fcc-proto.h */
KRB5_DLLIMP extern krb5_cc_ops krb5_fcc_ops;
@@ -45,6 +46,8 @@ static int LoadFuncs(const char* dll_name, FUNC_INFO fi[],
}
if (!(h = LoadLibrary(dll_name))) {
+ /* Get error for source debugging purposes. */
+ error = (int)GetLastError();
return LF_NODLL;
}
diff --git a/src/lib/krb5/ccache/ccapi/winccld.h b/src/lib/krb5/ccache/ccapi/winccld.h
index 09a7ef5..e285d1f 100644
--- a/src/lib/krb5/ccache/ccapi/winccld.h
+++ b/src/lib/krb5/ccache/ccapi/winccld.h
@@ -6,6 +6,10 @@
#ifndef KRB5_WINCCLD_H_
#define KRB5_WINCCLD_H_
+#ifndef CC_API_VER2
+#define CC_API_VER2
+#endif
+
#include "cacheapi.h"
typedef cc_int32 (*FP_cc_initialize)(apiCB**, const cc_int32,
@@ -19,6 +23,9 @@ typedef cc_int32 (*FP_cc_open)(apiCB*, const char*, const enum cc_cred_vers,
typedef cc_int32 (*FP_cc_close)(apiCB*, ccache_p**);
typedef cc_int32 (*FP_cc_destroy)(apiCB*, ccache_p**);
typedef cc_int32 (*FP_cc_seq_fetch_NCs)(apiCB*, ccache_p**, ccache_cit**);
+typedef cc_int32 (*FP_cc_seq_fetch_NCs_begin)(apiCB*, ccache_cit**);
+typedef cc_int32 (*FP_cc_seq_fetch_NCs_next)(apiCB*, ccache_p**, ccache_cit*);
+typedef cc_int32 (*FP_cc_seq_fetch_NCs_end)(apiCB*, ccache_cit**);
typedef cc_int32 (*FP_cc_get_NC_info)(apiCB*, struct _infoNC***);
typedef cc_int32 (*FP_cc_free_NC_info)(apiCB*, struct _infoNC***);
typedef cc_int32 (*FP_cc_get_name)(apiCB*, const ccache_p*, char**);
@@ -34,6 +41,11 @@ typedef cc_int32 (*FP_cc_remove_cred)(apiCB*, const ccache_p*,
const cred_union);
typedef cc_int32 (*FP_cc_seq_fetch_creds)(apiCB*, const ccache_p*,
cred_union**, ccache_cit**);
+typedef cc_int32 (*FP_cc_seq_fetch_creds_begin)(apiCB*, const ccache_p*,
+ ccache_cit**);
+typedef cc_int32 (*FP_cc_seq_fetch_creds_next)(apiCB*, cred_union**,
+ ccache_cit*);
+typedef cc_int32 (*FP_cc_seq_fetch_creds_end)(apiCB*, ccache_cit**);
typedef cc_int32 (*FP_cc_free_principal)(apiCB*, char**);
typedef cc_int32 (*FP_cc_free_name)(apiCB*, char** name);
typedef cc_int32 (*FP_cc_free_creds)(apiCB*, cred_union** pCred);
@@ -58,17 +70,33 @@ DECL_FUNC_PTR(cc_create);
DECL_FUNC_PTR(cc_open);
DECL_FUNC_PTR(cc_close);
DECL_FUNC_PTR(cc_destroy);
+#if 0 /* Not used */
+#ifdef CC_API_VER2
+DECL_FUNC_PTR(cc_seq_fetch_NCs_begin);
+DECL_FUNC_PTR(cc_seq_fetch_NCs_next);
+DECL_FUNC_PTR(cc_seq_fetch_NCs_end);
+#else
DECL_FUNC_PTR(cc_seq_fetch_NCs);
+#endif
DECL_FUNC_PTR(cc_get_NC_info);
DECL_FUNC_PTR(cc_free_NC_info);
+#endif
DECL_FUNC_PTR(cc_get_name);
DECL_FUNC_PTR(cc_set_principal);
DECL_FUNC_PTR(cc_get_principal);
DECL_FUNC_PTR(cc_get_cred_version);
+#if 0 /* Not used */
DECL_FUNC_PTR(cc_lock_request);
+#endif
DECL_FUNC_PTR(cc_store);
DECL_FUNC_PTR(cc_remove_cred);
+#ifdef CC_API_VER2
+DECL_FUNC_PTR(cc_seq_fetch_creds_begin);
+DECL_FUNC_PTR(cc_seq_fetch_creds_next);
+DECL_FUNC_PTR(cc_seq_fetch_creds_end);
+#else
DECL_FUNC_PTR(cc_seq_fetch_creds);
+#endif
DECL_FUNC_PTR(cc_free_principal);
DECL_FUNC_PTR(cc_free_name);
DECL_FUNC_PTR(cc_free_creds);
@@ -82,17 +110,27 @@ FUNC_INFO krbcc_fi[] = {
MAKE_FUNC_INFO(cc_open),
MAKE_FUNC_INFO(cc_close),
MAKE_FUNC_INFO(cc_destroy),
+#if 0 /* Not used */
MAKE_FUNC_INFO(cc_seq_fetch_NCs),
MAKE_FUNC_INFO(cc_get_NC_info),
MAKE_FUNC_INFO(cc_free_NC_info),
+#endif
MAKE_FUNC_INFO(cc_get_name),
MAKE_FUNC_INFO(cc_set_principal),
MAKE_FUNC_INFO(cc_get_principal),
MAKE_FUNC_INFO(cc_get_cred_version),
+#if 0 /* Not used */
MAKE_FUNC_INFO(cc_lock_request),
+#endif
MAKE_FUNC_INFO(cc_store),
MAKE_FUNC_INFO(cc_remove_cred),
+#ifdef CC_API_VER2
+ MAKE_FUNC_INFO(cc_seq_fetch_creds_begin),
+ MAKE_FUNC_INFO(cc_seq_fetch_creds_next),
+ MAKE_FUNC_INFO(cc_seq_fetch_creds_end),
+#else
MAKE_FUNC_INFO(cc_seq_fetch_creds),
+#endif
MAKE_FUNC_INFO(cc_free_principal),
MAKE_FUNC_INFO(cc_free_name),
MAKE_FUNC_INFO(cc_free_creds),
@@ -109,17 +147,33 @@ FUNC_INFO krbcc_fi[] = {
#define cc_open pcc_open
#define cc_close pcc_close
#define cc_destroy pcc_destroy
+#if 0 /* Not used */
+#ifdef CC_API_VER2
+#define cc_seq_fetch_NCs_begin pcc_seq_fetch_NCs_begin
+#define cc_seq_fetch_NCs_next pcc_seq_fetch_NCs_next
+#define cc_seq_fetch_NCs_end pcc_seq_fetch_NCs_end
+#else
#define cc_seq_fetch_NCs pcc_seq_fetch_NCs
+#endif
#define cc_get_NC_info pcc_get_NC_info
#define cc_free_NC_info pcc_free_NC_info
+#endif /* End of Not used */
#define cc_get_name pcc_get_name
#define cc_set_principal pcc_set_principal
#define cc_get_principal pcc_get_principal
#define cc_get_cred_version pcc_get_cred_version
+#if 0 /* Not used */
#define cc_lock_request pcc_lock_request
+#endif
#define cc_store pcc_store
#define cc_remove_cred pcc_remove_cred
+#ifdef CC_API_VER2
+#define cc_seq_fetch_creds_begin pcc_seq_fetch_creds_begin
+#define cc_seq_fetch_creds_next pcc_seq_fetch_creds_next
+#define cc_seq_fetch_creds_end pcc_seq_fetch_creds_end
+#else
#define cc_seq_fetch_creds pcc_seq_fetch_creds
+#endif
#define cc_free_principal pcc_free_principal
#define cc_free_name pcc_free_name
#define cc_free_creds pcc_free_creds
diff --git a/src/lib/krb5/ccache/ccdefault.c b/src/lib/krb5/ccache/ccdefault.c
index 3e2699c..fc3e0ad 100644
--- a/src/lib/krb5/ccache/ccdefault.c
+++ b/src/lib/krb5/ccache/ccdefault.c
@@ -27,6 +27,10 @@
* Find default credential cache
*/
+#ifdef USE_LOGIN_LIBRARY
+#include <Kerberos/KerberosLoginPrivate.h>
+#endif
+
#include "k5-int.h"
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
@@ -34,5 +38,83 @@ krb5_cc_default(context, ccache)
krb5_context context;
krb5_ccache FAR *ccache;
{
- return krb5_cc_resolve(context, krb5_cc_default_name(context), ccache);
+ krb5_error_code retval;
+ krb5_os_context os_ctx;
+
+ if (!context || context->magic != KV5M_CONTEXT)
+ return KV5M_CONTEXT;
+
+ os_ctx = context->os_context;
+
+ retval = krb5_cc_resolve(context, krb5_cc_default_name(context), ccache);
+ if (!retval && ccache && !os_ctx->default_ccprincipal) {
+ /* We got a ccache... remember what principal is associated with it */
+ if (krb5_cc_get_principal (context, *ccache, &os_ctx->default_ccprincipal) != 0)
+ os_ctx->default_ccprincipal = 0;
+ }
+ return retval;
+}
+
+/* This is the internal function which opens the default ccache. On platforms supporting
+ the login library's automatic popup dialog to get tickets, this function also updated the
+ library's internal view of the current principal associated with this cache.
+
+ All krb5 and GSS functions which need to open a cache to get a tgt to obtain service tickets
+ should call this function, not krb5_cc_default() */
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+krb5int_cc_default(context, ccache)
+ krb5_context context;
+ krb5_ccache FAR *ccache;
+{
+#ifdef USE_LOGIN_LIBRARY
+ {
+ /* make sure the default cache has tix before you open it */
+ char *outCacheName;
+ KLPrincipal desiredPrincipal = nil;
+ krb5_principal desiredKrb5Principal;
+ krb5_error_code err;
+ krb5_os_context os_ctx;
+
+ if (!context || context->magic != KV5M_CONTEXT)
+ return KV5M_CONTEXT;
+
+ os_ctx = context->os_context;
+
+ desiredKrb5Principal = os_ctx->default_ccprincipal;
+
+ /* do we want a specific client principal? */
+ if (desiredKrb5Principal != NULL) {
+ char *desiredName;
+
+ err = krb5_unparse_name (context, desiredKrb5Principal, &desiredName);
+ if (!err) {
+ err = KLCreatePrincipalFromString (desiredName,
+ kerberosVersion_V5, &desiredPrincipal);
+ krb5_free_unparsed_name (context, desiredName);
+ if (err != klNoErr)
+ desiredPrincipal = nil;
+ }
+ }
+
+ /* Try to make sure a krb5 tgt is in the cache */
+ err = __KLInternalAcquireInitialTicketsForCache (desiredPrincipal, NULL,
+ krb5_cc_default_name (context),
+ kerberosVersion_V5, nil, &outCacheName);
+ if (err == klNoErr) {
+ /* This function tries to get tickets and put them in the specified
+ cache, however, if the cache does not exist, it may choose to put
+ them elsewhere (ie: the system default) so we set that here */
+ if (strcmp (krb5_cc_default_name (context), outCacheName) != 0) {
+ krb5_cc_set_default_name (context, outCacheName);
+ }
+ KLDisposeString (outCacheName);
+ }
+
+ if (desiredPrincipal != nil)
+ KLDisposePrincipal (desiredPrincipal);
+ }
+#endif
+
+ return krb5_cc_default (context, ccache);
}
diff --git a/src/lib/krb5/ccache/ccdefops.c b/src/lib/krb5/ccache/ccdefops.c
index 2651273..092503e 100644
--- a/src/lib/krb5/ccache/ccdefops.c
+++ b/src/lib/krb5/ccache/ccdefops.c
@@ -30,7 +30,7 @@
#include "k5-int.h"
-#if defined(macintosh)
+#if defined(USE_CCAPI)
/*
* Macs use the shared, memory based credentials cache
diff --git a/src/lib/krb5/ccache/ccfns.c b/src/lib/krb5/ccache/ccfns.c
new file mode 100644
index 0000000..b12c93e
--- /dev/null
+++ b/src/lib/krb5/ccache/ccfns.c
@@ -0,0 +1,131 @@
+/*
+ * lib/krb5/ccache/ccfns.c
+ *
+ * Copyright 2000 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/*
+ * Dispatch methods for credentials cache code.
+ */
+
+#include "k5-int.h"
+#include "krb5.h"
+
+#if KRB5_CCACHE_ACCESSOR_FUNCTIONS
+
+const char FAR * KRB5_CALLCONV
+krb5_cc_get_name (krb5_context context, krb5_ccache cache)
+{
+ return cache->ops->get_name(context, cache);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_gen_new (krb5_context context, krb5_ccache FAR *cache)
+{
+ return (*cache)->ops->gen_new(context, cache);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_initialize(krb5_context context, krb5_ccache cache,
+ krb5_principal principal)
+{
+ return cache->ops->init(context, cache, principal);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_destroy (krb5_context context, krb5_ccache cache)
+{
+ return cache->ops->destroy(context, cache);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_close (krb5_context context, krb5_ccache cache)
+{
+ return cache->ops->close(context, cache);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_store_cred (krb5_context context, krb5_ccache cache,
+ krb5_creds FAR *creds)
+{
+ return cache->ops->store(context, cache, creds);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_retrieve_cred (krb5_context context, krb5_ccache cache,
+ krb5_flags flags, krb5_creds FAR *mcreds,
+ krb5_creds FAR *creds)
+{
+ return cache->ops->retrieve(context, cache, flags, mcreds, creds);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_get_principal (krb5_context context, krb5_ccache cache,
+ krb5_principal FAR *principal)
+{
+ return cache->ops->get_princ(context, cache, principal);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_start_seq_get (krb5_context context, krb5_ccache cache,
+ krb5_cc_cursor FAR *cursor)
+{
+ return cache->ops->get_first(context, cache, cursor);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_next_cred (krb5_context context, krb5_ccache cache,
+ krb5_cc_cursor FAR *cursor, krb5_creds FAR *creds)
+{
+ return cache->ops->get_next(context, cache, cursor, creds);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_end_seq_get (krb5_context context, krb5_ccache cache,
+ krb5_cc_cursor FAR *cursor)
+{
+ return cache->ops->end_get(context, cache, cursor);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_remove_cred (krb5_context context, krb5_ccache cache, krb5_flags flags,
+ krb5_creds FAR *creds)
+{
+ return cache->ops->remove_cred(context, cache, flags, creds);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_set_flags (krb5_context context, krb5_ccache cache, krb5_flags flags)
+{
+ return cache->ops->set_flags(context, cache, flags);
+}
+
+const char FAR * KRB5_CALLCONV
+krb5_cc_get_type (krb5_context context, krb5_ccache cache)
+{
+ return cache->ops->prefix;
+}
+#else
+/* Dummy variable for compilers which don't like empty files */
+static krb5_int dummy = 0;
+#endif /* KRB5_CCACHE_ACCESSOR_FUNCTIONS */ \ No newline at end of file
diff --git a/src/lib/krb5/ccache/file/ChangeLog b/src/lib/krb5/ccache/file/ChangeLog
index 298360b..cda7184 100644
--- a/src/lib/krb5/ccache/file/ChangeLog
+++ b/src/lib/krb5/ccache/file/ChangeLog
@@ -1,3 +1,6 @@
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * fcc_gprinc.c: removed unused data variable to reduce warnings
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/lib/krb5/ccache/file/fcc_gprin.c b/src/lib/krb5/ccache/file/fcc_gprin.c
index b8a2595..bbac185 100644
--- a/src/lib/krb5/ccache/file/fcc_gprin.c
+++ b/src/lib/krb5/ccache/file/fcc_gprin.c
@@ -50,7 +50,6 @@ krb5_fcc_get_principal(context, id, princ)
krb5_principal *princ;
{
krb5_error_code kret = KRB5_OK;
- krb5_fcc_data *data = (krb5_fcc_data *)id->data;
MAYBE_OPEN(context, id, FCC_OPEN_RDONLY);
diff --git a/src/lib/krb5/ccache/stdio/ChangeLog b/src/lib/krb5/ccache/stdio/ChangeLog
index c520ca3..1379190 100644
--- a/src/lib/krb5/ccache/stdio/ChangeLog
+++ b/src/lib/krb5/ccache/stdio/ChangeLog
@@ -1,3 +1,6 @@
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * scc_skip.c: removed unused princ variable to reduce warnings
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/lib/krb5/ccache/stdio/scc_skip.c b/src/lib/krb5/ccache/stdio/scc_skip.c
index c203c71..9c86cb7 100644
--- a/src/lib/krb5/ccache/stdio/scc_skip.c
+++ b/src/lib/krb5/ccache/stdio/scc_skip.c
@@ -37,7 +37,6 @@ krb5_scc_skip_header(context, id)
krb5_ccache id;
{
krb5_error_code kret;
- krb5_principal princ;
krb5_scc_data *data = (krb5_scc_data *) id->data;
krb5_ui_2 scc_flen;
diff --git a/src/lib/krb5/error_tables/ChangeLog b/src/lib/krb5/error_tables/ChangeLog
index d93bf5e..710d7a4 100644
--- a/src/lib/krb5/error_tables/ChangeLog
+++ b/src/lib/krb5/error_tables/ChangeLog
@@ -1,3 +1,19 @@
+2001-10-29 Miro Jurisic <meeroh@mit.edu>
+ * pullup from krb5-1-2 branch after krb5-1-2-2-bp
+ * krb5_err.et: Changed Credentials Cache file to Credentials Cache
+ because on Mac and Windows, the credentials cache is in memory.
+
+2001-10-24 Tom Yu <tlyu@mit.edu>
+
+ * kdb5_err.et: Add KRB5_KDB_NO_PERMITTED_KEY,
+ KRB5_KDB_NO_MATCHING_KEY for libkdb so we can return something
+ other than ENOENT (which was Just Wrong).
+
+2001-01-31 Tom Yu <tlyu@mit.edu>
+
+ * asn1_err.et: Add error codes MISMATCH_INDEF and MISSING_EOC.
+ [pullup from trunk]
+
1999-12-01 Ken Raeburn <raeburn@mit.edu>
* krb5_err.et (KRB5_OBSOLETE_FN): New error code.
diff --git a/src/lib/krb5/error_tables/asn1_err.et b/src/lib/krb5/error_tables/asn1_err.et
index f0136cf..06078ff 100644
--- a/src/lib/krb5/error_tables/asn1_err.et
+++ b/src/lib/krb5/error_tables/asn1_err.et
@@ -10,4 +10,6 @@ error_code ASN1_BAD_LENGTH, "ASN.1 length doesn't match expected value"
error_code ASN1_BAD_FORMAT, "ASN.1 badly-formatted encoding"
error_code ASN1_PARSE_ERROR, "ASN.1 parse error"
error_code ASN1_BAD_GMTIME, "ASN.1 bad return from gmtime"
+error_code ASN1_MISMATCH_INDEF, "ASN.1 non-constructed indefinite encoding"
+error_code ASN1_MISSING_EOC, "ASN.1 missing expected EOC"
end
diff --git a/src/lib/krb5/error_tables/kdb5_err.et b/src/lib/krb5/error_tables/kdb5_err.et
index 982a9c1..aee3c4a 100644
--- a/src/lib/krb5/error_tables/kdb5_err.et
+++ b/src/lib/krb5/error_tables/kdb5_err.et
@@ -66,4 +66,6 @@ ec KRB5_KDB_BAD_VERSION, "Unsupported version in database entry"
ec KRB5_KDB_BAD_SALTTYPE, "Unsupported salt type"
ec KRB5_KDB_BAD_ENCTYPE, "Unsupported encryption type"
ec KRB5_KDB_BAD_CREATEFLAGS, "Bad database creation flags"
+ec KRB5_KDB_NO_PERMITTED_KEY, "No matching key in entry having a permitted enctype"
+ec KRB5_KDB_NO_MATCHING_KEY, "No matching key in entry"
end
diff --git a/src/lib/krb5/error_tables/krb5_err.et b/src/lib/krb5/error_tables/krb5_err.et
index 6135a9d..8ff5ff3 100644
--- a/src/lib/krb5/error_tables/krb5_err.et
+++ b/src/lib/krb5/error_tables/krb5_err.et
@@ -259,10 +259,10 @@ error_code KRB5_CC_TYPE_EXISTS, "Credentials cache type is already registered."
error_code KRB5_KT_TYPE_EXISTS, "Key table type is already registered."
error_code KRB5_CC_IO, "Credentials cache I/O operation failed XXX"
-error_code KRB5_FCC_PERM, "Credentials cache file permissions incorrect"
-error_code KRB5_FCC_NOFILE, "No credentials cache file found"
-error_code KRB5_FCC_INTERNAL, "Internal file credentials cache error"
-error_code KRB5_CC_WRITE, "Error writing to credentials cache file"
+error_code KRB5_FCC_PERM, "Credentials cache permissions incorrect"
+error_code KRB5_FCC_NOFILE, "No credentials cache found"
+error_code KRB5_FCC_INTERNAL, "Internal credentials cache error"
+error_code KRB5_CC_WRITE, "Error writing to credentials cache"
error_code KRB5_CC_NOMEM, "No more memory to allocate (in credentials cache code)"
error_code KRB5_CC_FORMAT, "Bad format in credentials cache"
error_code KRB5_CC_NOT_KTYPE, "No credentials found with supported encryption types"
diff --git a/src/lib/krb5/keytab/ChangeLog b/src/lib/krb5/keytab/ChangeLog
index fa1e715..ab4e5e4 100644
--- a/src/lib/krb5/keytab/ChangeLog
+++ b/src/lib/krb5/keytab/ChangeLog
@@ -1,3 +1,27 @@
+2003-04-01 Nalin Dahyabhai <nalin@redhat.com>
+
+ * kt_file.c (krb5_ktfileint_internal_read_entry): Use
+ krb5_princ_size instead of direct field access.
+ (krb5_ktfileint_write_entry, krb5_ktfileint_size_entry):
+ Likewise.
+
+2002-04-05 Danilo Almeida <dalmeida@mit.edu>
+
+ * Makefile.in: Build kt accessor functions on Windows.
+
+ * ktfr_entry.c: Rename krb5_kt_free_entry_contents as
+ krb5_free_keytab_entry_contents to make it consistent with rest of
+ API.
+
+2002-04-02 Ken Raeburn <raeburn@mit.edu>
+
+ * ktfr_entry.c (krb5_kt_free_entry_contents): Rename from
+ krb5_kt_free_entry, keep old name as wrapper.
+
+2000-04-01 Miro Jurisic <meeroh@mit.edu>
+
+ * ktfns.c: Merged from trunk
+
2000-03-12 Ezra Peisach <epeisach@mit.edu>
* ktbase.c (krb5_kt_resolve): Change prototype from const to
diff --git a/src/lib/krb5/keytab/Makefile.in b/src/lib/krb5/keytab/Makefile.in
index 66677a1..7d2b023 100644
--- a/src/lib/krb5/keytab/Makefile.in
+++ b/src/lib/krb5/keytab/Makefile.in
@@ -35,6 +35,8 @@ SRCS= \
$(srcdir)/ktremove.c \
$(srcdir)/read_servi.c
+##DOS##OBJS=$(OBJS) $(OUTPRE)ktfns.$(OBJEXT)
+
all-windows:: subdirs $(OBJFILE)
##DOSsubdirs:: file\$(OUTPRE)file.lst srvtab\$(OUTPRE)srvtab.lst
diff --git a/src/lib/krb5/keytab/file/ChangeLog b/src/lib/krb5/keytab/file/ChangeLog
index 4be401b..d0ececa 100644
--- a/src/lib/krb5/keytab/file/ChangeLog
+++ b/src/lib/krb5/keytab/file/ChangeLog
@@ -1,3 +1,16 @@
+2002-01-30 Ken Raeburn <raeburn@mit.edu>
+
+ * ktf_g_ent.c (krb5_ktfile_get_entry): For non-zero kvno, match
+ only low 8 bits. For zero kvno, if any kvno in the keytab is over
+ 240, assume we're dealing with numbers 128 through (127+256)
+ instead. This allows for wrapping at 256 while retaining a small
+ set of consecutively numbered prior keys in the keytab.
+
+2001-11-19 Tom Yu <tlyu@mit.edu>
+
+ * ktf_g_ent.c (krb5_ktfile_get_entry): Coerce enctype for now to
+ restore 1.0.x enctype similarity behavior.
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/lib/krb5/keytab/file/ktf_g_ent.c b/src/lib/krb5/keytab/file/ktf_g_ent.c
index b45ab6f..905ff6c 100644
--- a/src/lib/krb5/keytab/file/ktf_g_ent.c
+++ b/src/lib/krb5/keytab/file/ktf_g_ent.c
@@ -45,6 +45,7 @@ krb5_ktfile_get_entry(context, id, principal, kvno, enctype, entry)
krb5_error_code kerror = 0;
int found_wrong_kvno = 0;
krb5_boolean similar;
+ int kvno_offset = 0;
/* Open the keyfile for reading */
if ((kerror = krb5_ktfileint_openr(context, id)))
@@ -81,6 +82,14 @@ krb5_ktfile_get_entry(context, id, principal, kvno, enctype, entry)
krb5_kt_free_entry(context, &new_entry);
continue;
}
+ /*
+ * Coerce the enctype of the output keyblock in case we
+ * got an inexact match on the enctype; this behavior will
+ * go away when the key storage architecture gets
+ * redesigned for 1.3.
+ */
+ new_entry.key.enctype = enctype;
+
}
/* if the principal isn't the one requested, free new_entry
@@ -95,9 +104,24 @@ krb5_ktfile_get_entry(context, id, principal, kvno, enctype, entry)
/* if this is the first match, or if the new vno is
bigger, free the current and keep the new. Otherwise,
free the new. */
-
+ /* A 1.2.x keytab contains only the low 8 bits of the key
+ version number. Since it can be much bigger, and thus
+ the 8-bit value can wrap, we need some heuristics to
+ figure out the "highest" numbered key if some numbers
+ close to 255 and some near 0 are used.
+
+ The heuristic here:
+
+ If we have any keys with versions over 240, then assume
+ that all version numbers 0-127 refer to 256+N instead.
+ Not perfect, but maybe good enough? */
+
+#define M(VNO) (((VNO) - kvno_offset + 256) % 256)
+
+ if (new_entry.vno > 240)
+ kvno_offset = 128;
if (! cur_entry.principal ||
- (new_entry.vno > cur_entry.vno)) {
+ M(new_entry.vno) > M(cur_entry.vno)) {
krb5_kt_free_entry(context, &cur_entry);
cur_entry = new_entry;
} else {
@@ -108,8 +132,12 @@ krb5_ktfile_get_entry(context, id, principal, kvno, enctype, entry)
be one?), keep the new, and break out. Otherwise, remember
that we were here so we can return the right error, and
free the new */
+ /* Yuck. The krb5-1.2.x keytab format only stores one byte
+ for the kvno, so we're toast if the kvno requested is
+ higher than that. Short-term workaround: only compare
+ the low 8 bits. */
- if (new_entry.vno == kvno) {
+ if (new_entry.vno == (kvno & 0xff)) {
krb5_kt_free_entry(context, &cur_entry);
cur_entry = new_entry;
break;
diff --git a/src/lib/krb5/keytab/ktfns.c b/src/lib/krb5/keytab/ktfns.c
new file mode 100644
index 0000000..5bd6b40
--- /dev/null
+++ b/src/lib/krb5/keytab/ktfns.c
@@ -0,0 +1,80 @@
+/*
+ * lib/krb5/keytab/ktfns.c
+ *
+ * Copyright 2001 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/*
+ * Dispatch methods for keytab code.
+ */
+
+#include "krb5.h"
+#include "k5-int.h"
+
+char * KRB5_CALLCONV
+krb5_kt_get_type (krb5_context context, krb5_keytab keytab)
+{
+ return keytab->ops->prefix;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_kt_get_name(krb5_context context, krb5_keytab keytab, char *name,
+ unsigned int namelen)
+{
+ return krb5_x((keytab)->ops->get_name,(context, keytab,name,namelen));
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_kt_close(krb5_context context, krb5_keytab keytab)
+{
+ return krb5_x((keytab)->ops->close,(context, keytab));
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_kt_get_entry(krb5_context context, krb5_keytab keytab,
+ krb5_const_principal principal, krb5_kvno vno,
+ krb5_enctype enctype, krb5_keytab_entry *entry)
+{
+ return krb5_x((keytab)->ops->get,(context, keytab, principal, vno, enctype, entry));
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_kt_start_seq_get(krb5_context context, krb5_keytab keytab,
+ krb5_kt_cursor *cursor)
+{
+ return krb5_x((keytab)->ops->start_seq_get,(context, keytab, cursor));
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_kt_next_entry(krb5_context context, krb5_keytab keytab,
+ krb5_keytab_entry *entry, krb5_kt_cursor *cursor)
+{
+ return krb5_x((keytab)->ops->get_next,(context, keytab, entry, cursor));
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_kt_end_seq_get(krb5_context context, krb5_keytab keytab,
+ krb5_kt_cursor *cursor)
+{
+ return krb5_x((keytab)->ops->end_get,(context, keytab, cursor));
+}
diff --git a/src/lib/krb5/keytab/ktfr_entry.c b/src/lib/krb5/keytab/ktfr_entry.c
index ddccb17..abd5d4d 100644
--- a/src/lib/krb5/keytab/ktfr_entry.c
+++ b/src/lib/krb5/keytab/ktfr_entry.c
@@ -30,7 +30,7 @@
#include "k5-int.h"
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
-krb5_kt_free_entry (context, entry)
+krb5_free_keytab_entry_contents (context, entry)
krb5_context context;
krb5_keytab_entry FAR *entry;
{
@@ -44,3 +44,11 @@ krb5_kt_free_entry (context, entry)
}
return 0;
}
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+krb5_kt_free_entry (context, entry)
+ krb5_context context;
+ krb5_keytab_entry FAR *entry;
+{
+ return krb5_free_keytab_entry_contents (context, entry);
+}
diff --git a/src/lib/krb5/keytab/srvtab/ChangeLog b/src/lib/krb5/keytab/srvtab/ChangeLog
index a4157a0..8724b71 100644
--- a/src/lib/krb5/keytab/srvtab/ChangeLog
+++ b/src/lib/krb5/keytab/srvtab/ChangeLog
@@ -1,9 +1,17 @@
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * kts_util.c: removed unused variable n
+
+2002-02-05 Ken Raeburn <raeburn@mit.edu>
+
+ * kts_g_ent.c (krb5_ktsrvtab_get_entry): If a specific DES enctype
+ was requested, set the key's enctype to it, instead of always
+ returning des-cbc-crc.
+
Fri Jan 28 19:53:44 2000 Ezra Peisach <epeisach@mit.edu>
* kts_g_ent.c, ktsrvtab.h (krb5_ktsrvtab_get_entry): Change the
third argument to krb5_const_principal (from krb5_principal) to
agree with krb5_kts_ops entries.
-
1999-10-26 Tom Yu <tlyu@mit.edu>
diff --git a/src/lib/krb5/keytab/srvtab/kts_g_ent.c b/src/lib/krb5/keytab/srvtab/kts_g_ent.c
index e422c38..0237241 100644
--- a/src/lib/krb5/keytab/srvtab/kts_g_ent.c
+++ b/src/lib/krb5/keytab/srvtab/kts_g_ent.c
@@ -65,6 +65,7 @@ krb5_ktsrvtab_get_entry(context, id, principal, kvno, enctype, entry)
best_entry.vno = 0;
best_entry.key.contents = 0;
while ((kerror = krb5_ktsrvint_read_entry(context, id, &ent)) == 0) {
+ ent.key.enctype = enctype;
if (krb5_principal_compare(context, principal, ent.principal)) {
if (kvno == IGNORE_VNO) {
if (!best_entry.principal || (best_entry.vno < ent.vno)) {
diff --git a/src/lib/krb5/keytab/srvtab/kts_util.c b/src/lib/krb5/keytab/srvtab/kts_util.c
index d95aceb..35f4a16 100644
--- a/src/lib/krb5/keytab/srvtab/kts_util.c
+++ b/src/lib/krb5/keytab/srvtab/kts_util.c
@@ -62,7 +62,7 @@ read_field(fp, s, len)
char *s;
int len;
{
- int c, n = 0;
+ int c = 0;
while ((c = getc(fp)) != 0) {
if (c == EOF || len <= 1)
diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index 59d8765..1cc8d59 100644
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,3 +1,301 @@
+2003-04-01 Nalin Dahyabhai <nalin@redhat.com>
+
+ * gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): Check principal name
+ length before examining components.
+
+ * parse.c (krb5_parse_name): Double-check principal name length
+ before filling in components.
+
+ * srv_rcache.c (krb5_get_server_rcache): Check for null pointer
+ supplied in place of name.
+
+ * unparse.c (krb5_unparse_name_ext): Don't move buffer pointer
+ backwards if nothing has been put into the buffer yet.
+
+2002-10-30 Tom Yu <tlyu@mit.edu>
+
+ * chk_trans.c (krb5_check_transited_list): Style nit: check
+ character against '\0' not NULL.
+ [pullup from trunk]
+
+2002-10-30 Sam Hartman <hartmans@mit.edu>
+
+ * chk_trans.c: Ignore trailing null in transited encoding; older
+ versions of MIT code included this.
+ [pullup from trunk]
+
+2002-08-12 Tom Yu <tlyu@mit.edu>
+
+ * unparse.c (krb5_unparse_name_ext): Error out if passed a NULL
+ pointer. Patch from Mark Levinson; fixes [krb5-admin/1140].
+ [pullup from trunk]
+
+2002-04-05 Danilo Almeida <dalmeida@mit.edu>
+
+ * princ_comp.c (krb5_realm_compare), auth_con.c
+ (krb5_auth_con_setports, krb5_auth_con_getaddrs,
+ krb5_auth_con_initivector), addr_order.c (krb5_address_order),
+ addr_comp.c (krb5_address_compare): Make KRB5_CALLCONV.
+
+2002-04-03 Danilo Almeida <dalmeida@mit.edu>
+
+ * bld_princ.c (krb5_build_principal_va): Make
+ krb5_build_principal_va() KRB5_CALLCONV.
+
+2002-04-02 Sam Hartman <hartmans@mit.edu>
+
+ * init_keyblock.c: Merge from mainline
+
+2002-03-15 Sam Hartman <hartmans@mit.edu>
+
+ * walk_rtree.c (krb5_walk_realm_tree): Fix handling of null realms
+
+2002-03-14 Alexandra Ellwood <lxs@mit.edu>
+ * appdefault.c, get_in_tkt.c: made conf_yes and conf_no const to
+ improve load time on Mach-O
+
+2002-03-13 Sam Hartman <hartmans@mit.edu>
+
+ * rd_cred.c (krb5_rd_cred): Don't check IP addresses; improves
+ Heimdal compatibility.
+
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * conv_princ.c: removed unused variable cpp to reduce warnings
+ * get_creds.c: removed unused variables fields and mcreds to
+ reduce warnings
+ * get_in_tkt.c: removed unused variables cpp and preauth_to_use
+ to reduce warnings
+ * init_ctx: fixed Mac OS macros
+ * parse.c: added type in to avoid "defaults to int" warning
+ * send_tgs.c: removed unused variable enclen
+
+2001-12-20 Ken Raeburn <raeburn@mit.edu>
+
+ * ser_actx.c (krb5_auth_context_externalize): Pass address of a
+ size_t, not a krb5_int32, to krb5_c_block_size.
+
+2001-11-29 Ken Raeburn <raeburn@mit.edu>
+
+ * fwd_tgt.c (krb5_fwd_tgt_creds): If no session key has been set,
+ try getting credentials and use the session key type as a hint
+ for the enctype to use for the forwarded credentials.
+
+ 2001-11-24 Sam Hartman <hartmans@mit.edu>
+
+ * fwd_tgt.c (krb5_fwd_tgt_creds): Get a session key for the
+ forwarded tgt that is the same as the session key for the
+ auth_context. This is an enctype we know the remote side
+ supports.
+
+2001-10-29 Miro Jurisic <meeroh@mit.edu>
+ * pullup from krb5-1-2 branch after krb5-1-2-2-bp
+ * rd_safe.c, rd_priv.c, rd_cred.c, preauth.c, mk_safe.c,
+ mk_cred.c, appdefault.c: use "" includes for krb5.h, k5-int.h and
+ syslog.h
+ * gic_pwd.c, sendauth.c, recvauth.c: com_err.h is already included by
+ k5-int.h. Removed #include because it was confusing the Mac OS X builds
+
+2001-09-25 Ken Raeburn <raeburn@mit.edu>
+
+ * chk_trans.c: Reimplemented from scratch.
+
+2001-01-30 Tom Yu <tlyu@mit.edu>
+
+ * preauth.c (krb5_obtain_padata): Don't dereference a NULL pointer
+ if we receive an empty ETYPE_INFO preauth. [krb5-libs/903 from
+ craziboy77@hotmail.com]
+
+ * preauth2.c (krb5_do_preauth): Don't dereference a NULL pointer
+ if we receive an empty ETYPE_INFO preauth. [krb5-libs/903 from
+ craziboy77@hotmail.com]
+
+2001-01-30 Ezra Peisach <epeisach@mit.edu>
+
+ * rd_req_dec.c (krb5_rd_req_decrypt_tkt_part): Free
+ krb5_keytab_entry if call to krb5_decrypt_tkt_part()
+ fails. [krb5-libs/855 reported by guy@packeteer.com]
+
+2001-01-30 Ken Raeburn <raeburn@mit.edu>
+
+ * mk_safe.c (krb5_mk_safe): Only use safe_cksumtype from the
+ auth_context (derived from the config file or hardcoded default)
+ if it's suitable for the enctype of the key we're going to use.
+
+2001-01-29 Alexandra Ellwood <lxs@mit.edu>
+
+ * conv_princ.c (krb5_524_conv_principal): Fixed strncmp bug where principals
+ which are left substrings of "changepw" were being remapped into "changepw".
+ Added length check to if() statement.
+
+2001-01-29 Ken Raeburn <raeburn@mit.edu>
+
+ * preauth2.c (pa_sam): Check for a null prompter function pointer,
+ and return an error for that case rather than crashing.
+
+2000-10-02 Alexandra Ellwood <lxs@mit.edu>
+
+ * init_ctx.c: Added #defines for Mac OS X (__MACH__)
+
+2000-06-29 Tom Yu <tlyu@mit.edu>
+
+ * conv_princ.c (krb5_425_conv_principal): NULL, not nil.
+
+2000-06-28 Miro Jurisic <meeroh@mit.edu>
+
+ * conv_princ.c (krb5_425_conv_principal): Fixed a memory leak
+
+2000-06-17 Miro Jurisic <meeroh@mit.edu>
+
+ * conv_princ.c (krb5_425_conv_principal): Fixed v4->v5 realm
+ name conversion
+
+2000-06-17 Miro Jurisic <meeroh@mit.edu>
+
+ * conv_princ.c (krb5_425_conv_principal): Honor v4/v5 realm name
+ differences when convertion from v4 principals to v5.
+
+2000-06-07 Tom Yu <tlyu@mit.edu>
+
+ * get_creds.c (krb5_get_credentials): Translate KRB5_CC_NOTFOUND
+ returned from krb5_get_cred_from_kdc() if a prior call to
+ krb5_cc_retrieve_cred() returned KRB5_CC_NOT_KTYPE.
+
+2000-06-03 Tom Yu <tlyu@mit.edu>
+
+ * rd_priv.c (krb5_rd_priv_basic): Delete code that was incorrectly
+ doing explicit ivec chaining; c_decrypt() does it now.
+
+ * mk_priv.c (krb5_mk_priv_basic): Delete code that was incorrectly
+ doing explicit ivec chaining; c_encrypt() does it now.
+
+2000-06-03 Ken Raeburn <raeburn@mit.edu>
+
+ * get_in_tkt.c (krb5_get_in_tkt): If enctypes are specified, send
+ the server the intersection of that list and the supported types,
+ in the order requested.
+
+2000-06-02 Danilo Almeida <dalmeida@mit.edu>
+
+ * init_ctx.c (krb5_get_tgs_ktypes, krb5_free_ktypes): Fix linkage to
+ be KRB5_CALLCONV.
+
+2000-05-31 Ken Raeburn <raeburn@mit.edu>
+
+ * recvauth.c (krb5_recvauth_version): New routine, takes a
+ krb5_data in which to store the client's application version
+ string.
+ (recvauth_common): Renamed from krb5_recvauth, added above
+ functionality depending on extra argument values.
+ (krb5_recvauth): New stub, calls above routine with extra dummy
+ values.
+
+2000-5-19 Alexandra Ellwood <lxs@mit.edu>
+
+ * sendauth.c, fwd_tgt.c: Changed to use krb5int_cc_default. This function
+ supports the Kerberos Login Library and pops up a dialog if the cache does
+ not contain valid tickets. This is used to automatically get a tgt before
+ obtaining service tickets. Note that this should be an internal function
+ because callers don't expect krb5_cc_default to pop up a dialog!
+ (We found this out the hard way :-)
+
+2000-05-16 Ken Raeburn <raeburn@mit.edu>
+ Nalin Dahyabhai <nalin@redhat.com>
+
+ * conv_princ.c (krb5_524_conv_principal): Return an error if name
+ is too long. Use memcpy for character data since we already know
+ the length.
+
+2000-05-16 Ken Raeburn <raeburn@mit.edu>
+
+ * kfree.c: Remove unneeded "return" statements at the end of many
+ functions.
+ (krb5_free_*_content, krb5_free_*_contents,
+ krb5_free_cred_enc_part, krb5_free_pwd_sequences): Set freed
+ pointer members to null when containing structure isn't being
+ freed.
+
+2000-05-16 Tom Yu <tlyu@mit.edu>
+
+ * conv_princ.c (krb5_524_conv_principal): Make a copy of the krb5
+ realm that is nul-terminated to avoid falling off the end of the
+ krb5 realm, which is not necessarily nul-terminated.
+
+2000-05-16 Nalin Dahyabhai <nalin@redhat.com>
+
+ * kfree.c (krb5_free_keyblock_contents): Set contents pointer to
+ null after freeing.
+
+2000-05-15 Jeffrey Altman <jaltman@columbia.edu>
+
+ * Added new source file appdefault.c
+ Implements new public functions
+
+ krb5_appdefault_string
+ krb5_appdefault_boolean
+
+2000-05-12 Ken Raeburn <raeburn@mit.edu>
+
+ * t_kerb.c (test_524_conv_principal): New test code, to exercise
+ yesterday's code addition.
+ (main, usage): Updated.
+ * t_krb5.conf: Added stanford.edu->IR.STANFORD.EDU mapping, and a
+ test case for improperly long v4 realm names.
+ * Makefile.in (check-unix): Run 524 conversion test for some test
+ Athena and Stanford names.
+ * t_ref_kerb.out: Updated.
+
+ * init_ctx.c (init_common): Feed current-microsecond time and
+ process-id into PRNG, instead of just current-second time.
+ * mk_req_ext.c (krb5_mk_req_extended): Feed current time into
+ PRNG if a subkey will be generated.
+ * sendauth.c (krb5_sendauth): Feed local and remote addresses of
+ socket, if they can be determined, into the PRNG if a subkey will
+ be used.
+
+2000-05-11 Ken Raeburn <raeburn@mit.edu>
+ Booker C. Bense <bbense@networking.stanford.edu>
+
+ * conv_princ.c (krb5_524_conv_principal): Look up v4_realm in
+ config file, in case site's krb4 realm name isn't the same as the
+ krb5 realm name.
+
+2000-04-28 Nalin Dahyabhai <nalin@redhat.com>
+
+ * chk_trans.c (krb5_check_transited_list): Don't overflow buffers
+ "prev" and "next".
+ * conv_princ.c (krb5_425_conv_principal): Don't overflow buffer
+ "buf".
+
+2000-04-28 Alexandra Ellwood <lxs@mit.edu>
+
+ * gic_pwd.c (krb5_init_creds_password) added code to return to
+ login library if the password is expired (login library handles
+ this error appropriately).
+
+2000-04-18 Ken Raeburn <raeburn@mit.edu>
+
+ * init_ctx.c (krb5_free_ktypes): New routine, to free values
+ returned by krb5_get_tgs_ktypes, krb5_get_permitted_enctypes, and
+ krb5_get_default_in_tkt_ktypes.
+ (krb5_set_default_tgs_ktypes, krb5_is_permitted_enctype): Use it.
+ (get_profile_etype_list): Use passed-in enctype list if the
+ passed-in count is non-zero, instead of checking the
+ in_tkt_ktype_count value in the context.
+
+2000-04-08 Tom Yu <tlyu@mit.edu>
+
+ * vfy_increds.c (krb5_verify_init_creds): appdefault_boolean ->
+ libdefault_boolean; it somehow got missed earlier.
+
+2000-04-07 Jeffrey Altman <jaltman@columbia.edu>
+
+ * gic_pwd.c (krb5_get_init_creds_keytab), gic_pwd.c
+ (krb5_get_init_creds_password) when determining whether or not to
+ retry with a "master kdc" do not retry if the return value from
+ the first attempt was KRB5_REALM_CANT_RESOLV. Also, do not
+ overwrite the return code if the return value from the access to
+ the "master kdc" was KRB5_REALM_CANT_RESOLV.
+
2000-03-15 Danilo Almeida <dalmeida@mit.edu>
* init_ctx.c (init_common), gic_pwd.c (krb5_get_as_key_password,
diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in
index ba76662..484cd39 100644
--- a/src/lib/krb5/krb/Makefile.in
+++ b/src/lib/krb5/krb/Makefile.in
@@ -15,6 +15,7 @@ STLIBOBJS= \
addr_comp.o \
addr_order.o \
addr_srch.o \
+ appdefault.o \
auth_con.o \
bld_pr_ext.o \
bld_princ.o \
@@ -52,6 +53,7 @@ STLIBOBJS= \
in_tkt_pwd.o \
in_tkt_sky.o \
init_ctx.o \
+ init_keyblock.o \
kdc_rep_dc.o \
kfree.o \
mk_cred.o \
@@ -99,6 +101,7 @@ STLIBOBJS= \
OBJS= $(OUTPRE)addr_comp.$(OBJEXT) \
$(OUTPRE)addr_order.$(OBJEXT) \
$(OUTPRE)addr_srch.$(OBJEXT) \
+ $(OUTPRE)appdefault.$(OBJEXT) \
$(OUTPRE)auth_con.$(OBJEXT) \
$(OUTPRE)bld_pr_ext.$(OBJEXT) \
$(OUTPRE)bld_princ.$(OBJEXT) \
@@ -136,6 +139,7 @@ OBJS= $(OUTPRE)addr_comp.$(OBJEXT) \
$(OUTPRE)in_tkt_pwd.$(OBJEXT) \
$(OUTPRE)in_tkt_sky.$(OBJEXT) \
$(OUTPRE)init_ctx.$(OBJEXT) \
+ $(OUTPRE)init_keyblock.$(OBJEXT) \
$(OUTPRE)kdc_rep_dc.$(OBJEXT) \
$(OUTPRE)kfree.$(OBJEXT) \
$(OUTPRE)mk_cred.$(OBJEXT) \
@@ -183,6 +187,7 @@ OBJS= $(OUTPRE)addr_comp.$(OBJEXT) \
SRCS= $(srcdir)/addr_comp.c \
$(srcdir)/addr_order.c \
$(srcdir)/addr_srch.c \
+ $(srcdir)/appdefault.c \
$(srcdir)/auth_con.c \
$(srcdir)/bld_pr_ext.c \
$(srcdir)/bld_princ.c \
@@ -221,6 +226,7 @@ SRCS= $(srcdir)/addr_comp.c \
$(srcdir)/in_tkt_pwd.c \
$(srcdir)/in_tkt_sky.c \
$(srcdir)/init_ctx.c \
+ $(srcdir)/init_keyblock.c \
$(srcdir)/kdc_rep_dc.c \
$(srcdir)/kfree.c \
$(srcdir)/mk_cred.c \
@@ -324,6 +330,8 @@ check-unix:: $(TEST_PROGS)
425_conv_principal rcmd uunet UU.NET \
425_conv_principal zephyr zephyr ATHENA.MIT.EDU \
425_conv_principal kadmin ATHENA.MIT.EDU ATHENA.MIT.EDU \
+ 524_conv_principal host/e40-po.mit.edu@ATHENA.MIT.EDU \
+ 524_conv_principal host/foobar.stanford.edu@stanford.edu \
set_realm marc@MIT.EDU CYGNUS.COM \
> test.out
cmp test.out $(srcdir)/t_ref_kerb.out
diff --git a/src/lib/krb5/krb/addr_comp.c b/src/lib/krb5/krb/addr_comp.c
index 587bd5f..f9e10bb 100644
--- a/src/lib/krb5/krb/addr_comp.c
+++ b/src/lib/krb5/krb/addr_comp.c
@@ -32,7 +32,7 @@
/*
* If the two addresses are the same, return TRUE, else return FALSE
*/
-krb5_boolean
+krb5_boolean KRB5_CALLCONV
krb5_address_compare(context, addr1, addr2)
krb5_context context;
krb5_const krb5_address *addr1;
diff --git a/src/lib/krb5/krb/addr_order.c b/src/lib/krb5/krb/addr_order.c
index 800fa2b..2598205 100644
--- a/src/lib/krb5/krb/addr_order.c
+++ b/src/lib/krb5/krb/addr_order.c
@@ -37,7 +37,7 @@
* Return an ordering on two addresses: 0 if the same,
* < 0 if first is less than 2nd, > 0 if first is greater than 2nd.
*/
-int
+int KRB5_CALLCONV
krb5_address_order(context, addr1, addr2)
krb5_context context;
register krb5_const krb5_address *addr1;
diff --git a/src/lib/krb5/krb/appdefault.c b/src/lib/krb5/krb/appdefault.c
new file mode 100644
index 0000000..65a9459
--- /dev/null
+++ b/src/lib/krb5/krb/appdefault.c
@@ -0,0 +1,183 @@
+/*
+ * appdefault - routines designed to be called from applications to
+ * handle the [appdefaults] profile section
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include "k5-int.h"
+
+
+
+ /*xxx Duplicating this is annoying; try to work on a better way.*/
+static const char *conf_yes[] = {
+ "y", "yes", "true", "t", "1", "on",
+ 0,
+};
+
+static const char *conf_no[] = {
+ "n", "no", "false", "nil", "0", "off",
+ 0,
+};
+
+static int conf_boolean(s)
+ char *s;
+{
+ char **p;
+ for(p=conf_yes; *p; p++) {
+ if (!strcasecmp(*p,s))
+ return 1;
+ }
+ for(p=conf_no; *p; p++) {
+ if (!strcasecmp(*p,s))
+ return 0;
+ }
+ /* Default to "no" */
+ return 0;
+}
+
+static krb5_error_code appdefault_get(context, appname, realm, option,
+ ret_value)
+ krb5_context context;
+ const char *appname, *option;
+ const krb5_data *realm;
+ char **ret_value;
+{
+ profile_t profile;
+ const char *names[5];
+ char **nameval = NULL;
+ krb5_error_code retval;
+ const char * realmstr = realm?realm->data:NULL;
+
+ if (!context || (context->magic != KV5M_CONTEXT))
+ return KV5M_CONTEXT;
+
+ profile = context->profile;
+
+ /*
+ * Try number one:
+ *
+ * [appdefaults]
+ * app = {
+ * SOME.REALM = {
+ * option = <boolean>
+ * }
+ * }
+ */
+
+ names[0] = "appdefaults";
+ names[1] = appname;
+
+ if (realmstr) {
+ names[2] = realmstr;
+ names[3] = option;
+ names[4] = 0;
+ retval = profile_get_values(profile, names, &nameval);
+ if (retval == 0 && nameval && nameval[0]) {
+ *ret_value = strdup(nameval[0]);
+ goto goodbye;
+ }
+ }
+
+ /*
+ * Try number two:
+ *
+ * [appdefaults]
+ * app = {
+ * option = <boolean>
+ * }
+ */
+
+ names[2] = option;
+ names[3] = 0;
+ retval = profile_get_values(profile, names, &nameval);
+ if (retval == 0 && nameval && nameval[0]) {
+ *ret_value = strdup(nameval[0]);
+ goto goodbye;
+ }
+
+ /*
+ * Try number three:
+ *
+ * [appdefaults]
+ * realm = {
+ * option = <boolean>
+ */
+
+ if (realmstr) {
+ names[1] = realmstr;
+ names[2] = option;
+ names[3] = 0;
+ retval = profile_get_values(profile, names, &nameval);
+ if (retval == 0 && nameval && nameval[0]) {
+ *ret_value = strdup(nameval[0]);
+ goto goodbye;
+ }
+ }
+
+ /*
+ * Try number four:
+ *
+ * [appdefaults]
+ * option = <boolean>
+ */
+
+ names[1] = option;
+ names[2] = 0;
+ retval = profile_get_values(profile, names, &nameval);
+ if (retval == 0 && nameval && nameval[0]) {
+ *ret_value = strdup(nameval[0]);
+ } else {
+ return retval;
+ }
+
+goodbye:
+ if (nameval) {
+ char **cpp;
+ for (cpp = nameval; *cpp; cpp++)
+ free(*cpp);
+ free(nameval);
+ }
+ return 0;
+}
+
+KRB5_DLLIMP void KRB5_CALLCONV
+krb5_appdefault_boolean(context, appname, realm, option,
+ default_value, ret_value)
+ krb5_context context;
+ const char *appname, *option;
+ const krb5_data *realm;
+ int default_value;
+ int *ret_value;
+{
+ char *string = NULL;
+ krb5_error_code retval;
+
+ retval = appdefault_get(context, appname, realm, option, &string);
+
+ if (! retval && string) {
+ *ret_value = conf_boolean(string);
+ free(string);
+ } else
+ *ret_value = default_value;
+}
+
+KRB5_DLLIMP void KRB5_CALLCONV
+krb5_appdefault_string(context, appname, realm, option, default_value,
+ ret_value)
+ krb5_context context;
+ const char *appname, *option, *default_value;
+ char **ret_value;
+ const krb5_data *realm;
+ {
+ krb5_error_code retval;
+ char *string;
+
+ retval = appdefault_get(context, appname, realm, option, &string);
+
+ if (! retval && string) {
+ *ret_value = string;
+ } else {
+ *ret_value = strdup(default_value);
+ }
+}
diff --git a/src/lib/krb5/krb/auth_con.c b/src/lib/krb5/krb/auth_con.c
index 335f7ae..f80a167 100644
--- a/src/lib/krb5/krb/auth_con.c
+++ b/src/lib/krb5/krb/auth_con.c
@@ -109,7 +109,7 @@ krb5_auth_con_setaddrs(context, auth_context, local_addr, remote_addr)
return retval;
}
-krb5_error_code
+krb5_error_code KRB5_CALLCONV
krb5_auth_con_getaddrs(context, auth_context, local_addr, remote_addr)
krb5_context context;
krb5_auth_context auth_context;
@@ -132,7 +132,7 @@ krb5_auth_con_getaddrs(context, auth_context, local_addr, remote_addr)
return retval;
}
-krb5_error_code
+krb5_error_code KRB5_CALLCONV
krb5_auth_con_setports(context, auth_context, local_port, remote_port)
krb5_context context;
krb5_auth_context auth_context;
@@ -270,7 +270,7 @@ krb5_auth_con_getremoteseqnumber(context, auth_context, seqnumber)
return 0;
}
-krb5_error_code
+krb5_error_code KRB5_CALLCONV
krb5_auth_con_initivector(context, auth_context)
krb5_context context;
krb5_auth_context auth_context;
diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c
index bf49105..34b50c0 100644
--- a/src/lib/krb5/krb/bld_princ.c
+++ b/src/lib/krb5/krb/bld_princ.c
@@ -37,6 +37,7 @@
#endif
krb5_error_code
+KRB5_CALLCONV
krb5_build_principal_va(context, princ, rlen, realm, ap)
krb5_context context;
krb5_principal princ;
diff --git a/src/lib/krb5/krb/chk_trans.c b/src/lib/krb5/krb/chk_trans.c
index c2ac716..9fe73c8 100644
--- a/src/lib/krb5/krb/chk_trans.c
+++ b/src/lib/krb5/krb/chk_trans.c
@@ -1,12 +1,14 @@
/*
- * Copyright (c) 1994 CyberSAFE Corporation.
- * All rights reserved.
+ * lib/krb5/krb/chk_trans.c
+ *
+ * Copyright 2001 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -14,97 +16,426 @@
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
- * permission. Neither M.I.T., the Open Computing Security Group, nor
- * CyberSAFE Corporation make any representations about the suitability of
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
+ *
+ *
+ * krb5_check_transited_list()
*/
-
#include "k5-int.h"
-#include <stdio.h>
+#include <stdarg.h>
-#define MAX_REALM_LN 500
+#if defined (TEST) || defined (TEST2)
+# undef DEBUG
+# define DEBUG
+#endif
-krb5_error_code
-krb5_check_transited_list(context, trans, realm1, realm2)
- krb5_context context;
-krb5_data *trans;
-krb5_data *realm1;
-krb5_data *realm2;
+#ifdef DEBUG
+#define verbose krb5int_chk_trans_verbose
+static int verbose = 0;
+# define Tprintf(ARGS) if (verbose) printf ARGS
+#else
+# define Tprintf(ARGS) (void)(0)
+#endif
+
+#define MAXLEN 512
+
+static krb5_error_code
+process_intermediates (krb5_error_code (*fn)(krb5_data *, void *), void *data,
+ const krb5_data *n1, const krb5_data *n2) {
+ unsigned int len1, len2, i;
+ char *p1, *p2;
+
+ Tprintf (("process_intermediates(%.*s,%.*s)\n",
+ (int) n1->length, n1->data, (int) n2->length, n2->data));
+
+ len1 = n1->length;
+ len2 = n2->length;
+
+ Tprintf (("(walking intermediates now)\n"));
+ /* Simplify... */
+ if (len1 > len2) {
+ const krb5_data *p;
+ int tmp = len1;
+ len1 = len2;
+ len2 = tmp;
+ p = n1;
+ n1 = n2;
+ n2 = p;
+ }
+ /* Okay, now len1 is always shorter or equal. */
+ if (len1 == len2) {
+ if (memcmp (n1->data, n2->data, len1)) {
+ Tprintf (("equal length but different strings in path: '%.*s' '%.*s'\n",
+ (int) n1->length, n1->data, (int) n2->length, n2->data));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ Tprintf (("(end intermediates)\n"));
+ return 0;
+ }
+ /* Now len1 is always shorter. */
+ if (len1 == 0)
+ /* Shouldn't be possible. Internal error? */
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ p1 = n1->data;
+ p2 = n2->data;
+ if (p1[0] == '/') {
+ /* X.500 style names, with common prefix. */
+ if (p2[0] != '/') {
+ Tprintf (("mixed name formats in path: x500='%.*s' domain='%.*s'\n",
+ (int) len1, p1, (int) len2, p2));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ if (memcmp (p1, p2, len1)) {
+ Tprintf (("x500 names with different prefixes '%.*s' '%.*s'\n",
+ (int) len1, p1, (int) len2, p2));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ for (i = len1 + 1; i < len2; i++)
+ if (p2[i] == '/') {
+ krb5_data d;
+ krb5_error_code r;
+
+ d.data = p2;
+ d.length = i;
+ r = (*fn) (&d, data);
+ if (r)
+ return r;
+ }
+ } else {
+ /* Domain style names, with common suffix. */
+ if (p2[0] == '/') {
+ Tprintf (("mixed name formats in path: domain='%.*s' x500='%.*s'\n",
+ (int) len1, p1, (int) len2, p2));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ if (memcmp (p1, p2 + (len2 - len1), len1)) {
+ Tprintf (("domain names with different suffixes '%.*s' '%.*s'\n",
+ (int) len1, p1, (int) len2, p2));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ for (i = len2 - len1 - 1; i > 0; i--) {
+ Tprintf (("looking at '%.*s'\n", (int) (len2 - i), p2+i));
+ if (p2[i-1] == '.') {
+ krb5_data d;
+ krb5_error_code r;
+
+ d.data = p2+i;
+ d.length = len2 - i;
+ r = (*fn) (&d, data);
+ if (r)
+ return r;
+ }
+ }
+ }
+ Tprintf (("(end intermediates)\n"));
+ return 0;
+}
+
+static krb5_error_code
+maybe_join (krb5_data *last, krb5_data *buf, int bufsiz)
+{
+ if (buf->length == 0)
+ return 0;
+ if (buf->data[0] == '/') {
+ if (last->length + buf->length > bufsiz) {
+ Tprintf (("too big: last=%d cur=%d max=%d\n", last->length, buf->length, bufsiz));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ memmove (buf->data+last->length, buf->data, buf->length);
+ memcpy (buf->data, last->data, last->length);
+ buf->length += last->length;
+ } else if (buf->data[buf->length-1] == '.') {
+ /* We can ignore the case where the previous component was
+ empty; the strcat will be a no-op. It should probably
+ be an error case, but let's be flexible. */
+ if (last->length+buf->length > bufsiz) {
+ Tprintf (("too big\n"));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ memcpy (buf->data + buf->length, last->data, last->length);
+ buf->length += last->length;
+ }
+ /* Otherwise, do nothing. */
+ return 0;
+}
+
+/* The input strings cannot contain any \0 bytes, according to the
+ spec, but our API is such that they may not be \0 terminated
+ either. Thus we keep on treating them as krb5_data objects instead
+ of C strings. */
+static krb5_error_code
+foreach_realm (krb5_error_code (*fn)(krb5_data *comp,void *data), void *data,
+ const krb5_data *crealm, const krb5_data *srealm,
+ const krb5_data *transit)
+{
+ char buf[MAXLEN], last[MAXLEN];
+ char *p, *bufp;
+ int next_lit, intermediates, l;
+ krb5_data this_component;
+ krb5_error_code r;
+ krb5_data last_component;
+
+ /* Invariants:
+ - last_component points to last[]
+ - this_component points to buf[]
+ - last_component has length of last
+ - this_component has length of buf when calling out
+ Keep these consistent, and we should be okay. */
+
+ next_lit = 0;
+ intermediates = 0;
+ memset (buf, 0, sizeof (buf));
+
+ this_component.data = buf;
+ last_component.data = last;
+ last_component.length = 0;
+
+#define print_data(fmt,d) Tprintf((fmt,(int)(d)->length,(d)->data))
+ print_data ("client realm: %.*s\n", crealm);
+ print_data ("server realm: %.*s\n", srealm);
+ print_data ("transit enc.: %.*s\n", transit);
+
+ if (transit->length == 0) {
+ Tprintf (("no other realms transited\n"));
+ return 0;
+ }
+
+ bufp = buf;
+ for (p = transit->data, l = transit->length; l; p++, l--) {
+ if (next_lit) {
+ *bufp++ = *p;
+ if (bufp == buf+sizeof(buf))
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ next_lit = 0;
+ } else if (*p == '\\') {
+ next_lit = 1;
+ } else if (*p == ',') {
+ if (bufp != buf) {
+ this_component.length = bufp - buf;
+ r = maybe_join (&last_component, &this_component, sizeof(buf));
+ if (r)
+ return r;
+ r = (*fn) (&this_component, data);
+ if (r)
+ return r;
+ if (intermediates) {
+ if (p == transit->data)
+ r = process_intermediates (fn, data,
+ &this_component, crealm);
+ else {
+ r = process_intermediates (fn, data, &this_component,
+ &last_component);
+ }
+ if (r)
+ return r;
+ }
+ intermediates = 0;
+ memcpy (last, buf, sizeof (buf));
+ last_component.length = this_component.length;
+ memset (buf, 0, sizeof (buf));
+ bufp = buf;
+ } else {
+ intermediates = 1;
+ if (p == transit->data) {
+ if (crealm->length >= MAXLEN)
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ memcpy (last, crealm->data, crealm->length);
+ last[crealm->length] = '\0';
+ last_component.length = crealm->length;
+ }
+ }
+ } else if (*p == ' ' && bufp == buf) {
+ /* This next component stands alone, even if it has a
+ trailing dot or leading slash. */
+ memset (last, 0, sizeof (last));
+ last_component.length = 0;
+ } else {
+ /* Not a special character; literal. */
+ *bufp++ = *p;
+ if (bufp == buf+sizeof(buf))
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ }
+ /* At end. Must be normal state. */
+ if (next_lit)
+ Tprintf (("ending in next-char-literal state\n"));
+ /* Process trailing element or comma. */
+ if (bufp == buf) {
+ /* Trailing comma. */
+ r = process_intermediates (fn, data, &last_component, srealm);
+ } else {
+ /* Trailing component. */
+ this_component.length = bufp - buf;
+ r = maybe_join (&last_component, &this_component, sizeof(buf));
+ if (r)
+ return r;
+ r = (*fn) (&this_component, data);
+ if (r)
+ return r;
+ if (intermediates)
+ r = process_intermediates (fn, data, &this_component,
+ &last_component);
+ }
+ if (r != 0)
+ return r;
+ return 0;
+}
+
+
+struct check_data {
+ krb5_context ctx;
+ krb5_principal *tgs;
+};
+
+static int
+same_data (krb5_data *d1, krb5_data *d2)
{
- char prev[MAX_REALM_LN+1];
- char next[MAX_REALM_LN+1];
- char *nextp;
- int i, j;
- int trans_length;
- krb5_error_code retval = 0;
- krb5_principal *tgs_list;
-
- if (trans == NULL || trans->data == NULL || trans->length == 0)
- return(0);
- trans_length = trans->data[trans->length-1] ?
- trans->length : trans->length - 1;
-
- for (i = 0; i < trans_length; i++)
- if (trans->data[i] == '\0') {
- /* Realms may not contain ASCII NUL character. */
- return(KRB5KRB_AP_ERR_ILL_CR_TKT);
+ return (d1->length == d2->length
+ && !memcmp (d1->data, d2->data, d1->length));
+}
+
+static krb5_error_code
+check_realm_in_list (krb5_data *realm, void *data)
+{
+ struct check_data *cdata = data;
+ int i;
+
+ Tprintf ((".. checking '%.*s'\n", (int) realm->length, realm->data));
+ for (i = 0; cdata->tgs[i]; i++) {
+ if (same_data (krb5_princ_realm (cdata->ctx, cdata->tgs[i]), realm))
+ return 0;
}
+ Tprintf (("BAD!\n"));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+}
+
+krb5_error_code
+krb5_check_transited_list (krb5_context ctx, const krb5_data *trans_in,
+ const krb5_data *crealm, const krb5_data *srealm)
+{
+ krb5_data trans;
+ struct check_data cdata;
+ krb5_error_code r;
- if ((retval = krb5_walk_realm_tree(context, realm1, realm2, &tgs_list,
- KRB5_REALM_BRANCH_CHAR))) {
- return(retval);
- }
-
- memset(prev, 0, MAX_REALM_LN + 1);
- memset(next, 0, MAX_REALM_LN + 1), nextp = next;
- for (i = 0; i < trans_length; i++) {
- if (i < trans_length-1 && trans->data[i] == '\\') {
- i++;
- *nextp++ = trans->data[i];
- if (nextp - next > MAX_REALM_LN) {
- retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
- goto finish;
- }
- continue;
+ trans.length = trans_in->length;
+ trans.data = (char *) trans_in->data;
+ if (trans.length && (trans.data[trans.length-1] == '\0'))
+ trans.length--;
+
+ Tprintf (("krb5_check_transited_list(trans=\"%.*s\", crealm=\"%.*s\", srealm=\"%.*s\")\n",
+ (int) trans.length, trans.data,
+ (int) crealm->length, crealm->data,
+ (int) srealm->length, srealm->data));
+ if (trans.length == 0)
+ return 0;
+ r = krb5_walk_realm_tree (ctx, crealm, srealm, &cdata.tgs,
+ KRB5_REALM_BRANCH_CHAR);
+ if (r) {
+ Tprintf (("error %ld\n", (long) r));
+ return r;
+ }
+#ifdef DEBUG /* avoid compiler warning about 'd' unused */
+ {
+ int i;
+ Tprintf (("tgs list = {\n"));
+ for (i = 0; cdata.tgs[i]; i++) {
+ char *name;
+ r = krb5_unparse_name (ctx, cdata.tgs[i], &name);
+ Tprintf (("\t'%s'\n", name));
+ free (name);
+ }
+ Tprintf (("}\n"));
}
- if (i < trans_length && trans->data[i] != ',') {
- *nextp++ = trans->data[i];
- if (nextp - next > MAX_REALM_LN) {
- retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
- goto finish;
- }
- continue;
+#endif
+ cdata.ctx = ctx;
+ r = foreach_realm (check_realm_in_list, &cdata, crealm, srealm, &trans);
+ krb5_free_realm_tree (ctx, cdata.tgs);
+ return r;
+}
+
+#ifdef TEST
+
+static krb5_error_code
+print_a_realm (krb5_data *realm, void *data)
+{
+ printf ("%.*s\n", (int) realm->length, realm->data);
+ return 0;
+}
+
+int main (int argc, char *argv[]) {
+ const char *me;
+ krb5_data crealm, srealm, transit;
+ krb5_error_code r;
+ int expand_only = 0;
+
+ me = strrchr (argv[0], '/');
+ me = me ? me+1 : argv[0];
+
+ while (argc > 3 && argv[1][0] == '-') {
+ if (!strcmp ("-v", argv[1]))
+ verbose++, argc--, argv++;
+ else if (!strcmp ("-x", argv[1]))
+ expand_only++, argc--, argv++;
+ else
+ goto usage;
}
- if (strlen(next) > 0) {
- if (next[0] != '/') {
- if (*(nextp-1) == '.' && strlen(next) + strlen(prev) <= MAX_REALM_LN)
- strcat(next, prev);
- retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
- for (j = 0; tgs_list[j]; j++) {
- if (strlen(next) == (size_t) krb5_princ_realm(context, tgs_list[j])->length &&
- !memcmp(next, krb5_princ_realm(context, tgs_list[j])->data,
- strlen(next))) {
- retval = 0;
- break;
- }
- }
- if (retval) goto finish;
- }
- if (i+1 < trans_length && trans->data[i+1] == ' ') {
- i++;
- memset(next, 0, MAX_REALM_LN + 1), nextp = next;
- continue;
- }
- if (i+1 < trans_length && trans->data[i+1] != '/') {
- strcpy(prev, next);
- memset(next, 0, MAX_REALM_LN + 1), nextp = next;
- continue;
- }
+
+ if (argc != 4) {
+ usage:
+ printf ("usage: %s [-v] [-x] clientRealm serverRealm transitEncoding\n",
+ me);
+ return 1;
}
- }
-finish:
- krb5_free_realm_tree(context, tgs_list);
- return(retval);
+ crealm.data = argv[1];
+ crealm.length = strlen(argv[1]);
+ srealm.data = argv[2];
+ srealm.length = strlen(argv[2]);
+ transit.data = argv[3];
+ transit.length = strlen(argv[3]);
+
+ if (expand_only) {
+
+ printf ("client realm: %s\n", argv[1]);
+ printf ("server realm: %s\n", argv[2]);
+ printf ("transit enc.: %s\n", argv[3]);
+
+ if (argv[3][0] == 0) {
+ printf ("no other realms transited\n");
+ return 0;
+ }
+
+ r = foreach_realm (print_a_realm, NULL, &crealm, &srealm, &transit);
+ if (r)
+ printf ("--> returned error %ld\n", (long) r);
+ return r != 0;
+
+ } else {
+
+ /* Actually check the values against the supplied krb5.conf file. */
+ krb5_context ctx;
+ r = krb5_init_context (&ctx);
+ if (r) {
+ com_err (me, r, "initializing krb5 context");
+ return 1;
+ }
+ r = krb5_check_transited_list (ctx, &transit, &crealm, &srealm);
+ if (r == KRB5KRB_AP_ERR_ILL_CR_TKT) {
+ printf ("NO\n");
+ } else if (r == 0) {
+ printf ("YES\n");
+ } else {
+ printf ("kablooey!\n");
+ com_err (me, r, "checking transited-realm list");
+ return 1;
+ }
+ return 0;
+ }
}
+
+#endif /* TEST */
diff --git a/src/lib/krb5/krb/conv_princ.c b/src/lib/krb5/krb/conv_princ.c
index b90289a..e7aab77 100644
--- a/src/lib/krb5/krb/conv_princ.c
+++ b/src/lib/krb5/krb/conv_princ.c
@@ -137,7 +137,8 @@ krb5_524_conv_principal(context, princ, name, inst, realm)
{
const struct krb_convert *p;
krb5_data *compo;
- char *c;
+ char *c, *tmp_realm, *tmp_prealm;
+ int tmp_realm_len, retval;
*name = *inst = '\0';
switch (krb5_princ_size(context, princ)) {
@@ -146,19 +147,24 @@ krb5_524_conv_principal(context, princ, name, inst, realm)
compo = krb5_princ_component(context, princ, 0);
p = sconv_list;
while (p->v4_str) {
- if (strncmp(p->v5_str, compo->data, compo->length) == 0) {
- /* It is, so set the new name now, and chop off */
- /* instance's domain name if requested */
- strcpy(name, p->v4_str);
- if (p->flags & DO_REALM_CONVERSION) {
- compo = krb5_princ_component(context, princ, 1);
- c = strnchr(compo->data, '.', compo->length);
- if (!c || (c - compo->data) > INST_SZ - 1)
- return KRB5_INVALID_PRINCIPAL;
- strncpy(inst, compo->data, c - compo->data);
- inst[c - compo->data] = '\0';
- }
- break;
+ if (strncmp(p->v5_str, compo->data, compo->length) == 0 &&
+ strlen(p->v5_str) == compo->length) {
+ /*
+ * It is, so set the new name now, and chop off
+ * instance's domain name if requested.
+ */
+ if (strlen (p->v4_str) > ANAME_SZ - 1)
+ return KRB5_INVALID_PRINCIPAL;
+ strcpy(name, p->v4_str);
+ if (p->flags & DO_REALM_CONVERSION) {
+ compo = krb5_princ_component(context, princ, 1);
+ c = strnchr(compo->data, '.', compo->length);
+ if (!c || (c - compo->data) >= INST_SZ - 1)
+ return KRB5_INVALID_PRINCIPAL;
+ memcpy(inst, compo->data, c - compo->data);
+ inst[c - compo->data] = '\0';
+ }
+ break;
}
p++;
}
@@ -168,7 +174,7 @@ krb5_524_conv_principal(context, princ, name, inst, realm)
compo = krb5_princ_component(context, princ, 1);
if (compo->length >= INST_SZ - 1)
return KRB5_INVALID_PRINCIPAL;
- strncpy(inst, compo->data, compo->length);
+ memcpy(inst, compo->data, compo->length);
inst[compo->length] = '\0';
}
/* fall through */
@@ -178,7 +184,7 @@ krb5_524_conv_principal(context, princ, name, inst, realm)
compo = krb5_princ_component(context, princ, 0);
if (compo->length >= ANAME_SZ)
return KRB5_INVALID_PRINCIPAL;
- strncpy(name, compo->data, compo->length);
+ memcpy(name, compo->data, compo->length);
name[compo->length] = '\0';
}
break;
@@ -187,11 +193,39 @@ krb5_524_conv_principal(context, princ, name, inst, realm)
}
compo = krb5_princ_realm(context, princ);
- if (compo->length > REALM_SZ - 1)
- return KRB5_INVALID_PRINCIPAL;
- strncpy(realm, compo->data, compo->length);
- realm[compo->length] = '\0';
+ tmp_prealm = malloc(compo->length + 1);
+ if (tmp_prealm == NULL)
+ return ENOMEM;
+ strncpy(tmp_prealm, compo->data, compo->length);
+ tmp_prealm[compo->length] = '\0';
+
+ /* Ask for v4_realm corresponding to
+ krb5 principal realm from krb5.conf realms stanza */
+
+ if (context->profile == 0)
+ return KRB5_CONFIG_CANTOPEN;
+ retval = profile_get_string(context->profile, "realms",
+ tmp_prealm, "v4_realm", 0,
+ &tmp_realm);
+ free(tmp_prealm);
+ if (retval) {
+ return retval;
+ } else {
+ if (tmp_realm == 0) {
+ if (compo->length > REALM_SZ - 1)
+ return KRB5_INVALID_PRINCIPAL;
+ strncpy(realm, compo->data, compo->length);
+ realm[compo->length] = '\0';
+ } else {
+ tmp_realm_len = strlen(tmp_realm);
+ if (tmp_realm_len > REALM_SZ - 1)
+ return KRB5_INVALID_PRINCIPAL;
+ strncpy(realm, tmp_realm, tmp_realm_len);
+ realm[tmp_realm_len] = '\0';
+ profile_release_string(tmp_realm);
+ }
+ }
return 0;
}
@@ -207,8 +241,47 @@ krb5_425_conv_principal(context, name, instance, realm, princ)
char buf[256]; /* V4 instances are limited to 40 characters */
krb5_error_code retval;
char *domain, *cp;
- char **full_name = 0, **cpp;
+ char **full_name = 0;
const char *names[5];
+ void* iterator = NULL;
+ char** v4realms = NULL;
+ char* realm_name = NULL;
+ char* dummy_value = NULL;
+
+ /* First, convert the realm, since the v4 realm is not necessarily the same as the v5 realm
+ To do that, iterate over all the realms in the config file, looking for a matching
+ v4_realm line */
+ names [0] = "realms";
+ names [1] = NULL;
+ retval = profile_iterator_create (context -> profile, names, PROFILE_ITER_LIST_SECTION | PROFILE_ITER_SECTIONS_ONLY, &iterator);
+ while (retval == 0) {
+ retval = profile_iterator (&iterator, &realm_name, &dummy_value);
+ if ((retval == 0) && (realm_name != NULL)) {
+ names [0] = "realms";
+ names [1] = realm_name;
+ names [2] = "v4_realm";
+ names [3] = NULL;
+
+ retval = profile_get_values (context -> profile, names, &v4realms);
+ if ((retval == 0) && (v4realms != NULL) && (v4realms [0] != NULL) && (strcmp (v4realms [0], realm) == 0)) {
+ realm = realm_name;
+ break;
+ } else if (retval == PROF_NO_RELATION) {
+ /* If it's not found, just keep going */
+ retval = 0;
+ }
+ } else if ((retval == 0) && (realm_name == NULL)) {
+ break;
+ }
+ if (realm_name != NULL) {
+ profile_release_string (realm_name);
+ realm_name = NULL;
+ }
+ if (dummy_value != NULL) {
+ profile_release_string (dummy_value);
+ dummy_value = NULL;
+ }
+ }
if (instance) {
if (instance[0] == '\0') {
@@ -234,7 +307,8 @@ krb5_425_conv_principal(context, name, instance, realm, princ)
if (retval == 0 && full_name && full_name[0]) {
instance = full_name[0];
} else {
- strcpy(buf, instance);
+ strncpy(buf, instance, sizeof(buf));
+ buf[sizeof(buf) - 1] = '\0';
retval = krb5_get_realm_domain(context, realm, &domain);
if (retval)
return retval;
@@ -242,8 +316,8 @@ krb5_425_conv_principal(context, name, instance, realm, princ)
for (cp = domain; *cp; cp++)
if (isupper(*cp))
*cp = tolower(*cp);
- strcat(buf, ".");
- strcat(buf, domain);
+ strncat(buf, ".", sizeof(buf) - 1 - strlen(buf));
+ strncat(buf, domain, sizeof(buf) - 1 - strlen(buf));
krb5_xfree(domain);
}
instance = buf;
@@ -254,6 +328,10 @@ krb5_425_conv_principal(context, name, instance, realm, princ)
not_service:
retval = krb5_build_principal(context, princ, strlen(realm), realm, name,
instance, 0);
+ profile_iterator_free (&iterator);
profile_free_list(full_name);
+ profile_free_list(v4realms);
+ profile_release_string (realm_name);
+ profile_release_string (dummy_value);
return retval;
}
diff --git a/src/lib/krb5/krb/fwd_tgt.c b/src/lib/krb5/krb/fwd_tgt.c
index 814195a..2e2c5db 100644
--- a/src/lib/krb5/krb/fwd_tgt.c
+++ b/src/lib/krb5/krb/fwd_tgt.c
@@ -53,6 +53,8 @@ krb5_fwd_tgt_creds(context, auth_context, rhost, client, server, cc,
krb5_flags kdcoptions;
int close_cc = 0;
int free_rhost = 0;
+ krb5_enctype enctype = 0;
+ krb5_keyblock *session_key;
memset((char *)&creds, 0, sizeof(creds));
memset((char *)&tgt, 0, sizeof(creds));
@@ -71,7 +73,36 @@ krb5_fwd_tgt_creds(context, auth_context, rhost, client, server, cc,
memcpy(rhost, server->data[1].data, server->data[1].length);
rhost[server->data[1].length] = '\0';
}
-
+ retval = krb5_auth_con_getkey (context, auth_context, &session_key);
+ if (retval)
+ goto errout;
+ if (session_key) {
+ enctype = session_key->enctype;
+ krb5_free_keyblock (context, session_key);
+ session_key = NULL;
+ } else if (server) { /* must server be non-NULL when rhost is given? */
+ /* Try getting credentials to see what the remote side supports.
+ Not bulletproof, just a heuristic. */
+ krb5_creds in, *out = 0;
+ memset (&in, 0, sizeof(in));
+
+ retval = krb5_copy_principal (context, server, &in.server);
+ if (retval)
+ goto punt;
+ retval = krb5_copy_principal (context, client, &in.client);
+ if (retval)
+ goto punt;
+ retval = krb5_get_credentials (context, 0, cc, &in, &out);
+ if (retval)
+ goto punt;
+ /* Got the credentials. Okay, now record the enctype and
+ throw them away. */
+ enctype = out->keyblock.enctype;
+ krb5_free_creds (context, out);
+ punt:
+ krb5_free_cred_contents (context, &in);
+ }
+
retval = krb5_os_hostaddr(context, rhost, &addrs);
if (retval)
goto errout;
@@ -90,7 +121,7 @@ krb5_fwd_tgt_creds(context, auth_context, rhost, client, server, cc,
goto errout;
if (cc == 0) {
- if ((retval = krb5_cc_default(context, &cc)))
+ if ((retval = krb5int_cc_default(context, &cc)))
goto errout;
close_cc = 1;
}
@@ -111,7 +142,8 @@ krb5_fwd_tgt_creds(context, auth_context, rhost, client, server, cc,
retval = KRB5_NO_TKT_SUPPLIED;
goto errout;
}
-
+
+ creds.keyblock.enctype = enctype;
creds.times = tgt.times;
creds.times.starttime = 0;
kdcoptions = flags2options(tgt.ticket_flags)|KDC_OPT_FORWARDED;
diff --git a/src/lib/krb5/krb/gc_frm_kdc.c b/src/lib/krb5/krb/gc_frm_kdc.c
index 1e315fe..fd36385 100644
--- a/src/lib/krb5/krb/gc_frm_kdc.c
+++ b/src/lib/krb5/krb/gc_frm_kdc.c
@@ -347,7 +347,9 @@ krb5_get_cred_from_kdc_opt(context, ccache, in_cred, out_cred, tgts, kdcopt)
for (next_server = top_server; *next_server; next_server++) {
krb5_data *realm_1 = krb5_princ_component(context, next_server[0], 1);
krb5_data *realm_2 = krb5_princ_component(context, tgtr->server, 1);
- if (realm_1->length == realm_2->length &&
+ if (realm_1 != NULL &&
+ realm_2 != NULL &&
+ realm_1->length == realm_2->length &&
!memcmp(realm_1->data, realm_2->data, realm_1->length)) {
break;
}
diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c
index 3bcaa0b..de8d29f 100644
--- a/src/lib/krb5/krb/get_creds.c
+++ b/src/lib/krb5/krb/get_creds.c
@@ -102,6 +102,7 @@ krb5_get_credentials(context, options, ccache, in_creds, out_creds)
krb5_creds *ncreds;
krb5_creds **tgts;
krb5_flags fields;
+ int not_ktype;
retval = krb5_get_credentials_core(context, options, ccache,
in_creds, out_creds,
@@ -128,6 +129,11 @@ krb5_get_credentials(context, options, ccache, in_creds, out_creds)
|| options & KRB5_GC_CACHED)
return retval;
+ if (retval == KRB5_CC_NOT_KTYPE)
+ not_ktype = 1;
+ else
+ not_ktype = 0;
+
retval = krb5_get_cred_from_kdc(context, ccache, ncreds, out_creds, &tgts);
if (tgts) {
register int i = 0;
@@ -141,6 +147,21 @@ krb5_get_credentials(context, options, ccache, in_creds, out_creds)
}
krb5_free_tgt_creds(context, tgts);
}
+ /*
+ * Translate KRB5_CC_NOTFOUND if we previously got
+ * KRB5_CC_NOT_KTYPE from krb5_cc_retrieve_cred(), in order to
+ * handle the case where there is no TGT in the ccache and the
+ * input enctype didn't match. This handling is necessary because
+ * some callers, such as GSSAPI, iterate through enctypes and
+ * KRB5_CC_NOTFOUND passed through from the
+ * krb5_get_cred_from_kdc() is semantically incorrect, since the
+ * actual failure was the non-existence of a ticket of the correct
+ * enctype rather than the missing TGT.
+ */
+ if ((retval == KRB5_CC_NOTFOUND || retval == KRB5_CC_NOT_KTYPE)
+ && not_ktype)
+ retval = KRB5_CC_NOT_KTYPE;
+
if (!retval)
retval = krb5_cc_store_cred(context, ccache, *out_creds);
return retval;
@@ -160,10 +181,8 @@ krb5_get_credentials_val_renew_core(context, options, ccache,
int which;
{
krb5_error_code retval;
- krb5_creds mcreds;
krb5_principal tmp;
krb5_creds **tgts = 0;
- krb5_flags fields;
switch(which) {
case INT_GC_VALIDATE:
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index c1c6df1..57d0313 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -84,13 +84,13 @@ static krb5_error_code make_preauth_list PROTOTYPE((krb5_context,
*/
static krb5_error_code
send_as_request(context, request, time_now, ret_err_reply, ret_as_reply,
- master)
+ use_master)
krb5_context context;
krb5_kdc_req *request;
krb5_timestamp *time_now;
krb5_error ** ret_err_reply;
krb5_kdc_rep ** ret_as_reply;
- int * master;
+ int use_master;
{
krb5_kdc_rep *as_reply = 0;
krb5_error_code retval;
@@ -116,7 +116,7 @@ send_as_request(context, request, time_now, ret_err_reply, ret_as_reply,
k4_version = packet->data[0];
retval = krb5_sendto_kdc(context, packet,
krb5_princ_realm(context, request->client),
- &reply, master);
+ &reply, use_master);
krb5_free_data(context, packet);
if (retval)
goto cleanup;
@@ -367,7 +367,6 @@ make_preauth_list(context, ptypes, nptypes, ret_list)
{
krb5_preauthtype * ptypep;
krb5_pa_data ** preauthp;
- krb5_pa_data ** preauth_to_use;
int i;
if (nptypes < 0) {
@@ -457,12 +456,35 @@ krb5_get_in_tkt(context, options, addrs, ktypes, ptypes, key_proc, keyseed,
request.from = creds->times.starttime;
request.till = creds->times.endtime;
request.rtime = creds->times.renew_till;
- if (ktypes)
- request.ktype = ktypes;
- else
- if ((retval = krb5_get_default_in_tkt_ktypes(context, &request.ktype)))
- goto cleanup;
+ if ((retval = krb5_get_default_in_tkt_ktypes(context, &request.ktype)))
+ goto cleanup;
for (request.nktypes = 0;request.ktype[request.nktypes];request.nktypes++);
+ if (ktypes) {
+ int i, req, next = 0;
+ for (req = 0; ktypes[req]; req++) {
+ if (ktypes[req] == request.ktype[next]) {
+ next++;
+ continue;
+ }
+ for (i = next + 1; i < request.nktypes; i++)
+ if (ktypes[req] == request.ktype[i]) {
+ /* Found the enctype we want, but not in the
+ position we want. Move it, but keep the old
+ one from the desired slot around in case it's
+ later in our requested-ktypes list. */
+ krb5_enctype t;
+ t = request.ktype[next];
+ request.ktype[next] = request.ktype[i];
+ request.ktype[i] = t;
+ next++;
+ break;
+ }
+ /* If we didn't find it, don't do anything special, just
+ drop it. */
+ }
+ request.ktype[next] = 0;
+ request.nktypes = next;
+ }
request.authorization_data.ciphertext.length = 0;
request.authorization_data.ciphertext.data = 0;
request.unenc_authdata = 0;
@@ -538,7 +560,7 @@ krb5_get_in_tkt(context, options, addrs, ktypes, ptypes, key_proc, keyseed,
goto cleanup;
cleanup:
- if (!ktypes && request.ktype)
+ if (request.ktype)
free(request.ktype);
if (!addrs && request.addresses)
krb5_free_addresses(context, request.addresses);
@@ -559,17 +581,17 @@ cleanup:
return (retval);
}
-/* begin appdefaults parsing code. This should almost certainly move
+/* begin libdefaults parsing code. This should almost certainly move
somewhere else, but I don't know where the correct somewhere else
is yet. */
/* XXX Duplicating this is annoying; try to work on a better way.*/
-static char *conf_yes[] = {
+static const char *conf_yes[] = {
"y", "yes", "true", "t", "1", "on",
0,
};
-static char *conf_no[] = {
+static const char *conf_no[] = {
"n", "no", "false", "nil", "0", "off",
0,
};
@@ -595,7 +617,7 @@ _krb5_conf_boolean(s)
}
static krb5_error_code
-krb5_appdefault_string(context, realm, option, ret_value)
+krb5_libdefault_string(context, realm, option, ret_value)
krb5_context context;
const krb5_data *realm;
const char *option;
@@ -606,7 +628,6 @@ krb5_appdefault_string(context, realm, option, ret_value)
char **nameval = NULL;
krb5_error_code retval;
char realmstr[1024];
- char **cpp;
if (realm->length > sizeof(realmstr)-1)
return(EINVAL);
@@ -673,7 +694,7 @@ goodbye:
/* as well as the DNS code */
krb5_error_code
-krb5_appdefault_boolean(context, realm, option, ret_value)
+krb5_libdefault_boolean(context, realm, option, ret_value)
krb5_context context;
const char *option;
const krb5_data *realm;
@@ -682,7 +703,7 @@ krb5_appdefault_boolean(context, realm, option, ret_value)
char *string = NULL;
krb5_error_code retval;
- retval = krb5_appdefault_string(context, realm, option, &string);
+ retval = krb5_libdefault_string(context, realm, option, &string);
if (retval)
return(retval);
@@ -696,7 +717,7 @@ krb5_appdefault_boolean(context, realm, option, ret_value)
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
krb5_get_init_creds(context, creds, client, prompter, prompter_data,
start_time, in_tkt_service, options, gak_fct, gak_data,
- master, as_reply)
+ use_master, as_reply)
krb5_context context;
krb5_creds *creds;
krb5_principal client;
@@ -707,7 +728,7 @@ krb5_get_init_creds(context, creds, client, prompter, prompter_data,
krb5_get_init_creds_opt *options;
krb5_gic_get_as_key_fct gak_fct;
void *gak_data;
- int *master;
+ int use_master;
krb5_kdc_rep **as_reply;
{
krb5_error_code ret;
@@ -751,7 +772,7 @@ krb5_get_init_creds(context, creds, client, prompter, prompter_data,
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_FORWARDABLE))
tempint = options->forwardable;
- else if ((ret = krb5_appdefault_boolean(context, &client->realm,
+ else if ((ret = krb5_libdefault_boolean(context, &client->realm,
"forwardable", &tempint)) == 0)
;
else
@@ -763,7 +784,7 @@ krb5_get_init_creds(context, creds, client, prompter, prompter_data,
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_PROXIABLE))
tempint = options->proxiable;
- else if ((ret = krb5_appdefault_boolean(context, &client->realm,
+ else if ((ret = krb5_libdefault_boolean(context, &client->realm,
"proxiable", &tempint)) == 0)
;
else
@@ -775,7 +796,7 @@ krb5_get_init_creds(context, creds, client, prompter, prompter_data,
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE)) {
renew_life = options->renew_life;
- } else if ((ret = krb5_appdefault_string(context, &client->realm,
+ } else if ((ret = krb5_libdefault_string(context, &client->realm,
"renew_lifetime", &tempstr))
== 0) {
if (ret = krb5_string_to_deltat(tempstr, &renew_life)) {
@@ -868,7 +889,7 @@ krb5_get_init_creds(context, creds, client, prompter, prompter_data,
}
/* it would be nice if this parsed out an address list, but
that would be work. */
- else if (((ret = krb5_appdefault_boolean(context, &client->realm,
+ else if (((ret = krb5_libdefault_boolean(context, &client->realm,
"noaddresses", &tempint)) == 0)
&& tempint) {
;
@@ -923,7 +944,7 @@ krb5_get_init_creds(context, creds, client, prompter, prompter_data,
err_reply = 0;
local_as_reply = 0;
if ((ret = send_as_request(context, &request, &time_now, &err_reply,
- &local_as_reply, master)))
+ &local_as_reply, use_master)))
goto cleanup;
if (err_reply) {
diff --git a/src/lib/krb5/krb/gic_keytab.c b/src/lib/krb5/krb/gic_keytab.c
index 8b6f231..98bbbd0 100644
--- a/src/lib/krb5/krb/gic_keytab.c
+++ b/src/lib/krb5/krb/gic_keytab.c
@@ -61,7 +61,7 @@ krb5_get_init_creds_keytab(context, creds, client, arg_keytab,
krb5_get_init_creds_opt *options;
{
krb5_error_code ret, ret2;
- int master;
+ int use_master;
krb5_keytab keytab;
if (arg_keytab == NULL) {
@@ -71,14 +71,14 @@ krb5_get_init_creds_keytab(context, creds, client, arg_keytab,
keytab = arg_keytab;
}
- master = 0;
+ use_master = 0;
/* first try: get the requested tkt from any kdc */
ret = krb5_get_init_creds(context, creds, client, NULL, NULL,
start_time, in_tkt_service, options,
krb5_get_as_key_keytab, (void *) keytab,
- &master, NULL);
+ use_master,NULL);
/* check for success */
@@ -87,19 +87,19 @@ krb5_get_init_creds_keytab(context, creds, client, arg_keytab,
/* If all the kdc's are unavailable fail */
- if (ret == KRB5_KDC_UNREACH)
+ if ((ret == KRB5_KDC_UNREACH) || (ret == KRB5_REALM_CANT_RESOLVE))
goto cleanup;
/* if the reply did not come from the master kdc, try again with
the master kdc */
- if (!master) {
- master = 1;
+ if (!use_master) {
+ use_master = 1;
ret2 = krb5_get_init_creds(context, creds, client, NULL, NULL,
start_time, in_tkt_service, options,
krb5_get_as_key_keytab, (void *) keytab,
- &master, NULL);
+ use_master, NULL);
if (ret2 == 0) {
ret = 0;
@@ -109,7 +109,7 @@ krb5_get_init_creds_keytab(context, creds, client, arg_keytab,
/* if the master is unreachable, return the error from the
slave we were able to contact */
- if (ret2 == KRB5_KDC_UNREACH)
+ if ((ret2 == KRB5_KDC_UNREACH) || (ret == KRB5_REALM_CANT_RESOLVE))
goto cleanup;
ret = ret2;
diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c
index 7ca4343..f867989 100644
--- a/src/lib/krb5/krb/gic_pwd.c
+++ b/src/lib/krb5/krb/gic_pwd.c
@@ -1,5 +1,4 @@
#include "k5-int.h"
-#include "com_err.h"
static krb5_error_code
krb5_get_as_key_password(context, client, etype, prompter, prompter_data,
@@ -97,7 +96,7 @@ krb5_get_init_creds_password(context, creds, client, password, prompter, data,
krb5_get_init_creds_opt *options;
{
krb5_error_code ret, ret2;
- int master;
+ int use_master;
krb5_kdc_rep *as_reply;
int tries;
krb5_creds chpw_creds;
@@ -107,7 +106,7 @@ krb5_get_init_creds_password(context, creds, client, password, prompter, data,
krb5_prompt prompt[2];
krb5_prompt_type prompt_types[sizeof(prompt)/sizeof(prompt[0])];
- master = 0;
+ use_master = 0;
as_reply = NULL;
memset(&chpw_creds, 0, sizeof(chpw_creds));
@@ -133,7 +132,7 @@ krb5_get_init_creds_password(context, creds, client, password, prompter, data,
ret = krb5_get_init_creds(context, creds, client, prompter, data,
start_time, in_tkt_service, options,
krb5_get_as_key_password, (void *) &pw0,
- &master, &as_reply);
+ use_master, &as_reply);
/* check for success */
@@ -144,19 +143,20 @@ krb5_get_init_creds_password(context, creds, client, password, prompter, data,
user interrupt, fail */
if ((ret == KRB5_KDC_UNREACH) ||
- (ret == KRB5_LIBOS_PWDINTR))
+ (ret == KRB5_LIBOS_PWDINTR) ||
+ (ret == KRB5_REALM_CANT_RESOLVE))
goto cleanup;
/* if the reply did not come from the master kdc, try again with
the master kdc */
- if (!master) {
- master = 1;
+ if (!use_master) {
+ use_master = 1;
ret2 = krb5_get_init_creds(context, creds, client, prompter, data,
start_time, in_tkt_service, options,
krb5_get_as_key_password, (void *) &pw0,
- &master, &as_reply);
+ use_master, &as_reply);
if (ret2 == 0) {
ret = 0;
@@ -166,12 +166,18 @@ krb5_get_init_creds_password(context, creds, client, password, prompter, data,
/* if the master is unreachable, return the error from the
slave we were able to contact */
- if (ret2 == KRB5_KDC_UNREACH)
+ if ((ret2 == KRB5_KDC_UNREACH) ||
+ (ret2 == KRB5_REALM_CANT_RESOLVE))
goto cleanup;
ret = ret2;
}
+#ifdef USE_LOGIN_LIBRARY
+ if (ret == KRB5KDC_ERR_KEY_EXP)
+ goto cleanup; /* Login library will deal appropriately with this error */
+#endif
+
/* at this point, we have an error from the master. if the error
is not password expired, or if it is but there's no prompter,
return this error */
@@ -195,7 +201,7 @@ krb5_get_init_creds_password(context, creds, client, password, prompter, data,
prompter, data,
start_time, "kadmin/changepw", &chpw_opts,
krb5_get_as_key_password, (void *) &pw0,
- &master, NULL)))
+ use_master, NULL)))
goto cleanup;
prompt[0].prompt = "Enter new password";
@@ -282,7 +288,7 @@ krb5_get_init_creds_password(context, creds, client, password, prompter, data,
ret = krb5_get_init_creds(context, creds, client, prompter, data,
start_time, in_tkt_service, options,
krb5_get_as_key_password, (void *) &pw0,
- &master, &as_reply);
+ use_master, &as_reply);
cleanup:
krb5int_set_prompt_types(context, 0);
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index e2eccc4..abcb573 100644
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -1,7 +1,7 @@
/*
* lib/krb5/krb/init_ctx.c
*
- * Copyright 1994 by the Massachusetts Institute of Technology.
+ * Copyright 1994,1999,2000 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -84,7 +84,10 @@ init_common (context, secure)
{
krb5_context ctx = 0;
krb5_error_code retval;
- krb5_timestamp now;
+ struct {
+ krb5_int32 now, now_usec;
+ long pid;
+ } seed_data;
krb5_data seed;
int tmp;
@@ -129,10 +132,11 @@ init_common (context, secure)
goto cleanup;
/* initialize the prng (not well, but passable) */
- if ((retval = krb5_timeofday(ctx, &now)))
+ if ((retval = krb5_crypto_us_timeofday(&seed_data.now, &seed_data.now_usec)))
goto cleanup;
- seed.length = sizeof(now);
- seed.data = (char *) &now;
+ seed_data.pid = getpid ();
+ seed.length = sizeof(seed_data);
+ seed.data = (char *) &seed_data;
if ((retval = krb5_c_random_seed(ctx, &seed)))
goto cleanup;
@@ -169,7 +173,7 @@ init_common (context, secure)
"kdc_default_options", 0,
KDC_OPT_RENEWABLE_OK, &tmp);
ctx->kdc_default_options = KDC_OPT_RENEWABLE_OK;
-#ifdef macintosh
+#if TARGET_OS_MAC
#define DEFAULT_KDC_TIMESYNC 1
#else
#define DEFAULT_KDC_TIMESYNC 0
@@ -187,7 +191,7 @@ init_common (context, secure)
* Note: DCE 1.0.3a only supports a cache type of 1
* DCE 1.1 supports a cache type of 2.
*/
-#ifdef macintosh
+#if TARGET_OS_MAC
#define DEFAULT_CCACHE_TYPE 4
#else
#define DEFAULT_CCACHE_TYPE 3
@@ -281,7 +285,7 @@ get_profile_etype_list(context, ktypes, profstr, ctx_count, ctx_list)
{
krb5_enctype *old_ktypes;
- if (context->in_tkt_ktype_count) {
+ if (ctx_count) {
/* application-set defaults */
if ((old_ktypes =
(krb5_enctype *)malloc(sizeof(krb5_enctype) *
@@ -370,8 +374,8 @@ krb5_get_default_in_tkt_ktypes(context, ktypes)
context->in_tkt_ktypes));
}
-krb5_error_code
-krb5_set_default_tgs_ktypes(context, ktypes)
+krb5_error_code KRB5_CALLCONV
+krb5_set_default_tgs_enctypes (context, ktypes)
krb5_context context;
const krb5_enctype *ktypes;
{
@@ -396,13 +400,30 @@ krb5_set_default_tgs_ktypes(context, ktypes)
}
if (context->tgs_ktypes)
- free(context->tgs_ktypes);
+ krb5_free_ktypes(context, context->tgs_ktypes);
context->tgs_ktypes = new_ktypes;
context->tgs_ktype_count = i;
return 0;
}
+krb5_error_code krb5_set_default_tgs_ktypes
+(krb5_context context, const krb5_enctype *etypes)
+{
+ return (krb5_set_default_tgs_enctypes (context, etypes));
+}
+
+
+void
+KRB5_CALLCONV
+krb5_free_ktypes (context, val)
+ krb5_context context;
+ krb5_enctype FAR *val;
+{
+ free (val);
+}
+
krb5_error_code
+KRB5_CALLCONV
krb5_get_tgs_ktypes(context, princ, ktypes)
krb5_context context;
krb5_const_principal princ;
@@ -441,7 +462,7 @@ krb5_is_permitted_enctype(context, etype)
if (*ptr == etype)
ret = 1;
- krb5_xfree(list);
+ krb5_free_ktypes (context, list);
return(ret);
}
diff --git a/src/lib/krb5/krb/init_keyblock.c b/src/lib/krb5/krb/init_keyblock.c
new file mode 100644
index 0000000..eb60b06
--- /dev/null
+++ b/src/lib/krb5/krb/init_keyblock.c
@@ -0,0 +1,61 @@
+/*
+ * lib/krb5/krb/init_keyblock.c
+ *
+ * Copyright (C) 2002 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ *
+ * krb5_init_keyblock- a function to set up
+ * an empty keyblock
+ */
+
+
+#include "k5-int.h"
+#include <assert.h>
+
+krb5_error_code KRB5_CALLCONV
+krb5_init_keyblock(krb5_context context, krb5_enctype enctype,
+ size_t length, krb5_keyblock **out)
+{
+ krb5_keyblock *kb;
+ kb = malloc (sizeof(krb5_keyblock));
+ assert (out);
+ *out = NULL;
+ if (!kb) {
+ return ENOMEM;
+ }
+ kb->magic = KV5M_KEYBLOCK;
+ kb->enctype = enctype;
+ kb->length = length;
+ if(length) {
+ kb->contents = malloc (length);
+ if(!kb->contents) {
+ free (kb);
+ return ENOMEM;
+ }
+ } else {
+ kb->contents = NULL;
+ }
+ *out = kb;
+ return 0;
+}
diff --git a/src/lib/krb5/krb/kfree.c b/src/lib/krb5/krb/kfree.c
index 24d8aaf..8e57f83 100644
--- a/src/lib/krb5/krb/kfree.c
+++ b/src/lib/krb5/krb/kfree.c
@@ -36,7 +36,6 @@ krb5_free_address(context, val)
if (val->contents)
krb5_xfree(val->contents);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -52,7 +51,6 @@ krb5_free_addresses(context, val)
krb5_xfree(*temp);
}
krb5_xfree(val);
- return;
}
@@ -64,7 +62,6 @@ krb5_free_ap_rep(context, val)
if (val->enc_part.ciphertext.data)
krb5_xfree(val->enc_part.ciphertext.data);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -77,7 +74,6 @@ krb5_free_ap_req(context, val)
if (val->authenticator.ciphertext.data)
krb5_xfree(val->authenticator.ciphertext.data);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -88,7 +84,6 @@ krb5_free_ap_rep_enc_part(context, val)
if (val->subkey)
krb5_free_keyblock(context, val->subkey);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -96,15 +91,22 @@ krb5_free_authenticator_contents(context, val)
krb5_context context;
krb5_authenticator FAR *val;
{
- if (val->checksum)
+ if (val->checksum) {
krb5_free_checksum(context, val->checksum);
- if (val->client)
+ val->checksum = 0;
+ }
+ if (val->client) {
krb5_free_principal(context, val->client);
- if (val->subkey)
+ val->client = 0;
+ }
+ if (val->subkey) {
krb5_free_keyblock(context, val->subkey);
- if (val->authorization_data)
- krb5_free_authdata(context, val->authorization_data);
- return;
+ val->subkey = 0;
+ }
+ if (val->authorization_data) {
+ krb5_free_authdata(context, val->authorization_data);
+ val->authorization_data = 0;
+ }
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -120,7 +122,6 @@ krb5_free_authdata(context, val)
krb5_xfree(*temp);
}
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -128,16 +129,8 @@ krb5_free_authenticator(context, val)
krb5_context context;
krb5_authenticator FAR *val;
{
- if (val->checksum)
- krb5_free_checksum(context, val->checksum);
- if (val->client)
- krb5_free_principal(context, val->client);
- if (val->subkey)
- krb5_free_keyblock(context, val->subkey);
- if (val->authorization_data)
- krb5_free_authdata(context, val->authorization_data);
+ krb5_free_authenticator_contents(context, val);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -145,10 +138,8 @@ krb5_free_checksum(context, val)
krb5_context context;
register krb5_checksum *val;
{
- if (val->contents)
- krb5_xfree(val->contents);
+ krb5_free_checksum_contents(context, val);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -156,9 +147,10 @@ krb5_free_checksum_contents(context, val)
krb5_context context;
register krb5_checksum *val;
{
- if (val->contents)
+ if (val->contents) {
krb5_xfree(val->contents);
- return;
+ val->contents = 0;
+ }
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -171,7 +163,6 @@ krb5_free_cred(context, val)
if (val->enc_part.ciphertext.data)
krb5_xfree(val->enc_part.ciphertext.data);
krb5_xfree(val);
- return;
}
/*
@@ -184,23 +175,35 @@ krb5_free_cred_contents(context, val)
krb5_context context;
krb5_creds FAR *val;
{
- if (val->client)
+ if (val->client) {
krb5_free_principal(context, val->client);
- if (val->server)
+ val->client = 0;
+ }
+ if (val->server) {
krb5_free_principal(context, val->server);
+ val->server = 0;
+ }
if (val->keyblock.contents) {
memset((char *)val->keyblock.contents, 0, val->keyblock.length);
krb5_xfree(val->keyblock.contents);
+ val->keyblock.contents = 0;
}
- if (val->ticket.data)
+ if (val->ticket.data) {
krb5_xfree(val->ticket.data);
- if (val->second_ticket.data)
+ val->ticket.data = 0;
+ }
+ if (val->second_ticket.data) {
krb5_xfree(val->second_ticket.data);
- if (val->addresses)
+ val->second_ticket.data = 0;
+ }
+ if (val->addresses) {
krb5_free_addresses(context, val->addresses);
- if (val->authdata)
+ val->addresses = 0;
+ }
+ if (val->authdata) {
krb5_free_authdata(context, val->authdata);
- return;
+ val->authdata = 0;
+ }
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -210,10 +213,14 @@ krb5_free_cred_enc_part(context, val)
{
register krb5_cred_info **temp;
- if (val->r_address)
- krb5_free_address(context, val->r_address);
- if (val->s_address)
- krb5_free_address(context, val->s_address);
+ if (val->r_address) {
+ krb5_free_address(context, val->r_address);
+ val->r_address = 0;
+ }
+ if (val->s_address) {
+ krb5_free_address(context, val->s_address);
+ val->s_address = 0;
+ }
if (val->ticket_info) {
for (temp = val->ticket_info; *temp; temp++) {
@@ -228,8 +235,8 @@ krb5_free_cred_enc_part(context, val)
krb5_xfree((*temp));
}
krb5_xfree(val->ticket_info);
+ val->ticket_info = 0;
}
- return;
}
@@ -240,7 +247,6 @@ krb5_free_creds(context, val)
{
krb5_free_cred_contents(context, val);
krb5_xfree(val);
- return;
}
@@ -252,7 +258,6 @@ krb5_free_data(context, val)
if (val->data)
krb5_xfree(val->data);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -260,9 +265,10 @@ krb5_free_data_contents(context, val)
krb5_context context;
krb5_data FAR * val;
{
- if (val->data)
+ if (val->data) {
krb5_xfree(val->data);
- return;
+ val->data = 0;
+ }
}
void krb5_free_etype_info(context, info)
@@ -294,7 +300,6 @@ krb5_free_enc_kdc_rep_part(context, val)
if (val->caddrs)
krb5_free_addresses(context, val->caddrs);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -313,7 +318,6 @@ krb5_free_enc_tkt_part(context, val)
if (val->authorization_data)
krb5_free_authdata(context, val->authorization_data);
krb5_xfree(val);
- return;
}
@@ -331,7 +335,6 @@ krb5_free_error(context, val)
if (val->e_data.data)
krb5_xfree(val->e_data.data);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -350,7 +353,6 @@ krb5_free_kdc_rep(context, val)
if (val->enc_part2)
krb5_free_enc_kdc_rep_part(context, val->enc_part2);
krb5_xfree(val);
- return;
}
@@ -376,7 +378,6 @@ krb5_free_kdc_req(context, val)
if (val->second_ticket)
krb5_free_tickets(context, val->second_ticket);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -387,8 +388,8 @@ krb5_free_keyblock_contents(context, key)
if (key->contents) {
memset(key->contents, 0, key->length);
krb5_xfree(key->contents);
+ key->contents = 0;
}
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -398,7 +399,6 @@ krb5_free_keyblock(context, val)
{
krb5_free_keyblock_contents(context, val);
krb5_xfree(val);
- return;
}
@@ -413,7 +413,6 @@ krb5_free_last_req(context, val)
for (temp = val; *temp; temp++)
krb5_xfree(*temp);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -429,7 +428,6 @@ krb5_free_pa_data(context, val)
krb5_xfree(*temp);
}
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -451,7 +449,6 @@ krb5_free_principal(context, val)
if (val->realm.data)
krb5_xfree(val->realm.data);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -462,7 +459,6 @@ krb5_free_priv(context, val)
if (val->enc_part.ciphertext.data)
krb5_xfree(val->enc_part.ciphertext.data);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -477,7 +473,6 @@ krb5_free_priv_enc_part(context, val)
if (val->s_address)
krb5_free_address(context, val->s_address);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -488,7 +483,6 @@ krb5_free_pwd_data(context, val)
if (val->element)
krb5_free_pwd_sequences(context, val->element);
krb5_xfree(val);
- return;
}
@@ -497,11 +491,14 @@ krb5_free_pwd_sequences(context, val)
krb5_context context;
passwd_phrase_element FAR * FAR *val;
{
- if ((*val)->passwd)
+ if ((*val)->passwd) {
krb5_xfree((*val)->passwd);
- if ((*val)->phrase)
+ (*val)->passwd = 0;
+ }
+ if ((*val)->phrase) {
krb5_xfree((*val)->phrase);
- return;
+ (*val)->phrase = 0;
+ }
}
@@ -519,7 +516,6 @@ krb5_free_safe(context, val)
if (val->checksum)
krb5_free_checksum(context, val->checksum);
krb5_xfree(val);
- return;
}
@@ -535,7 +531,6 @@ krb5_free_ticket(context, val)
if (val->enc_part2)
krb5_free_enc_tkt_part(context, val->enc_part2);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -548,7 +543,6 @@ krb5_free_tickets(context, val)
for (temp = val; *temp; temp++)
krb5_free_ticket(context, *temp);
krb5_xfree(val);
- return;
}
@@ -573,7 +567,6 @@ krb5_free_tkt_authent(context, val)
if (val->authenticator)
krb5_free_authenticator(context, val->authenticator);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -583,7 +576,6 @@ krb5_free_unparsed_name(context, val)
{
if (val)
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -612,8 +604,10 @@ krb5_free_sam_challenge_contents(krb5_context ctx, krb5_sam_challenge FAR *sc)
krb5_free_data_contents(ctx, &sc->sam_response_prompt);
if (sc->sam_pk_for_sad.data)
krb5_free_data_contents(ctx, &sc->sam_pk_for_sad);
- if (sc->sam_cksum.contents)
+ if (sc->sam_cksum.contents) {
krb5_xfree(sc->sam_cksum.contents);
+ sc->sam_cksum.contents = 0;
+ }
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -656,8 +650,10 @@ krb5_free_predicted_sam_response_contents(krb5_context ctx,
return;
if (psr->sam_key.contents)
krb5_free_keyblock_contents(ctx, &psr->sam_key);
- if (psr->client)
+ if (psr->client) {
krb5_free_principal(ctx, psr->client);
+ psr->client = 0;
+ }
if (psr->msd.data)
krb5_free_data_contents(ctx, &psr->msd);
}
@@ -689,4 +685,3 @@ krb5_free_pa_enc_ts(krb5_context ctx, krb5_pa_enc_ts FAR *pa_enc_ts)
return;
krb5_xfree(pa_enc_ts);
}
-
diff --git a/src/lib/krb5/krb/mk_cred.c b/src/lib/krb5/krb/mk_cred.c
index cdda80d..9bcfe84 100644
--- a/src/lib/krb5/krb/mk_cred.c
+++ b/src/lib/krb5/krb/mk_cred.c
@@ -7,7 +7,7 @@
* structures.
*
*/
-#include <k5-int.h>
+#include "k5-int.h"
#include "cleanup.h"
#include "auth_con.h"
diff --git a/src/lib/krb5/krb/mk_priv.c b/src/lib/krb5/krb/mk_priv.c
index 7685817..d72f6b2 100644
--- a/src/lib/krb5/krb/mk_priv.c
+++ b/src/lib/krb5/krb/mk_priv.c
@@ -93,14 +93,6 @@ krb5_mk_priv_basic(context, userdata, keyblock, replaydata, local_addr,
scratch1, &privmsg.enc_part)))
goto clean_encpart;
- /* put last block into the i_vector */
-
- if (i_vector)
- memcpy(i_vector,
- privmsg.enc_part.ciphertext.data +
- (privmsg.enc_part.ciphertext.length - blocksize),
- blocksize);
-
if ((retval = encode_krb5_priv(&privmsg, &scratch2)))
goto clean_encpart;
diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c
index a8b20eb..88daab5 100644
--- a/src/lib/krb5/krb/mk_req_ext.c
+++ b/src/lib/krb5/krb/mk_req_ext.c
@@ -126,10 +126,24 @@ krb5_mk_req_extended(context, auth_context, ap_req_options, in_data, in_creds,
/* generate subkey if needed */
- if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->local_subkey))
+ if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->local_subkey)) {
+ /* Provide some more fodder for random number code.
+ This isn't strong cryptographically; the point here is not
+ to guarantee randomness, but to make it less likely that multiple
+ sessions could pick the same subkey. */
+ struct {
+ krb5_int32 sec, usec;
+ } rnd_data;
+ krb5_data d;
+ krb5_crypto_us_timeofday (&rnd_data.sec, &rnd_data.usec);
+ d.length = sizeof (rnd_data);
+ d.data = (char *) &rnd_data;
+ (void) krb5_c_random_seed (context, &d);
+
if ((retval = krb5_generate_subkey(context, &(in_creds)->keyblock,
&(*auth_context)->local_subkey)))
goto cleanup;
+ }
if (in_data) {
if ((*auth_context)->req_cksumtype == 0x8003) {
diff --git a/src/lib/krb5/krb/mk_safe.c b/src/lib/krb5/krb/mk_safe.c
index 781e256..dd7d1ef 100644
--- a/src/lib/krb5/krb/mk_safe.c
+++ b/src/lib/krb5/krb/mk_safe.c
@@ -27,7 +27,7 @@
* krb5_mk_safe()
*/
-#include <k5-int.h>
+#include "k5-int.h"
#include "cleanup.h"
#include "auth_con.h"
@@ -169,6 +169,7 @@ krb5_mk_safe(context, auth_context, userdata, outbuf, outdata)
krb5_address * plocal_fulladdr = NULL;
krb5_address remote_fulladdr;
krb5_address local_fulladdr;
+ krb5_cksumtype sumtype;
CLEANUP_INIT(2);
@@ -204,9 +205,33 @@ krb5_mk_safe(context, auth_context, userdata, outbuf, outdata)
}
}
+ {
+ unsigned int nsumtypes;
+ unsigned int i;
+ krb5_cksumtype *sumtypes;
+ retval = krb5_c_keyed_checksum_types (context, keyblock->enctype,
+ &nsumtypes, &sumtypes);
+ if (retval) {
+ CLEANUP_DONE ();
+ goto error;
+ }
+ if (nsumtypes == 0) {
+ retval = KRB5_BAD_ENCTYPE;
+ krb5_free_cksumtypes (context, sumtypes);
+ CLEANUP_DONE ();
+ goto error;
+ }
+ for (i = 0; i < nsumtypes; i++)
+ if (auth_context->safe_cksumtype == sumtypes[i])
+ break;
+ if (i == nsumtypes)
+ i = 0;
+ sumtype = sumtypes[i];
+ krb5_free_cksumtypes (context, sumtypes);
+ }
if ((retval = krb5_mk_safe_basic(context, userdata, keyblock, &replaydata,
plocal_fulladdr, premote_fulladdr,
- auth_context->safe_cksumtype, outbuf))) {
+ sumtype, outbuf))) {
CLEANUP_DONE();
goto error;
}
diff --git a/src/lib/krb5/krb/parse.c b/src/lib/krb5/krb/parse.c
index b628a0d..43faf32 100644
--- a/src/lib/krb5/krb/parse.c
+++ b/src/lib/krb5/krb/parse.c
@@ -71,7 +71,7 @@ krb5_parse_name(context, name, nprincipal)
{
register const char *cp;
register char *q;
- register i,c,size;
+ register int i,c,size;
int components = 0;
const char *parsed_realm = NULL;
int fcompsize[FCOMPNUM];
@@ -173,11 +173,13 @@ krb5_parse_name(context, name, nprincipal)
cp++;
size++;
} else if (c == COMPONENT_SEP) {
- krb5_princ_component(context, principal, i)->length = size;
+ if (krb5_princ_size(context, principal) > i)
+ krb5_princ_component(context, principal, i)->length = size;
size = 0;
i++;
} else if (c == REALM_SEP) {
- krb5_princ_component(context, principal, i)->length = size;
+ if (krb5_princ_size(context, principal) > i)
+ krb5_princ_component(context, principal, i)->length = size;
size = 0;
parsed_realm = cp+1;
} else
@@ -186,7 +188,8 @@ krb5_parse_name(context, name, nprincipal)
if (parsed_realm)
krb5_princ_realm(context, principal)->length = size;
else
- krb5_princ_component(context, principal, i)->length = size;
+ if (krb5_princ_size(context, principal) > i)
+ krb5_princ_component(context, principal, i)->length = size;
if (i + 1 != components) {
#if !defined(_MSDOS) && !defined(_WIN32) && !defined(macintosh)
fprintf(stderr,
diff --git a/src/lib/krb5/krb/preauth.c b/src/lib/krb5/krb/preauth.c
index 9f301da..173170a 100644
--- a/src/lib/krb5/krb/preauth.c
+++ b/src/lib/krb5/krb/preauth.c
@@ -32,7 +32,6 @@
#include "k5-int.h"
#include <stdio.h>
#include <time.h>
-#include <syslog.h>
#ifdef _MSDOS
#define getpid _getpid
#include <process.h>
@@ -172,6 +171,10 @@ krb5_error_code krb5_obtain_padata(context, preauth_to_use, key_proc,
retval = decode_krb5_etype_info(&scratch, &etype_info);
if (retval)
return retval;
+ if (etype_info[0] == NULL) {
+ krb5_free_etype_info(context, etype_info);
+ etype_info = NULL;
+ }
}
}
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index 5ea61c9..78afab9 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -256,6 +256,9 @@ krb5_error_code pa_sam(krb5_context context,
krb5_data * scratch;
krb5_pa_data * pa;
+ if (prompter == NULL)
+ return KRB5_LIBOS_CANTREADPWD;
+
tmpsam.length = in_padata->length;
tmpsam.data = (char *) in_padata->contents;
if (ret = decode_krb5_sam_challenge(&tmpsam, &sam_challenge))
@@ -530,6 +533,11 @@ krb5_do_preauth(krb5_context context,
}
return ret;
}
+ if (etype_info[0] == NULL) {
+ krb5_free_etype_info(context, etype_info);
+ etype_info = NULL;
+ break;
+ }
salt->data = (char *) etype_info[0]->salt;
salt->length = etype_info[0]->length;
*etype = etype_info[0]->etype;
diff --git a/src/lib/krb5/krb/princ_comp.c b/src/lib/krb5/krb/princ_comp.c
index cba26a6..dbcd29d 100644
--- a/src/lib/krb5/krb/princ_comp.c
+++ b/src/lib/krb5/krb/princ_comp.c
@@ -30,7 +30,7 @@
#include "k5-int.h"
-krb5_boolean
+krb5_boolean KRB5_CALLCONV
krb5_realm_compare(context, princ1, princ2)
krb5_context context;
krb5_const_principal princ1;
diff --git a/src/lib/krb5/krb/rd_cred.c b/src/lib/krb5/krb/rd_cred.c
index 86c5ccf..593eb42 100644
--- a/src/lib/krb5/krb/rd_cred.c
+++ b/src/lib/krb5/krb/rd_cred.c
@@ -1,4 +1,4 @@
-#include <k5-int.h>
+#include "k5-int.h"
#include "cleanup.h"
#include "auth_con.h"
@@ -55,24 +55,22 @@ cleanup:
/*----------------------- krb5_rd_cred_basic -----------------------*/
static krb5_error_code
-krb5_rd_cred_basic(context, pcreddata, pkeyblock, local_addr, remote_addr,
+krb5_rd_cred_basic(context, pcreddata, pkeyblock,
replaydata, pppcreds)
krb5_context context;
krb5_data * pcreddata;
krb5_keyblock * pkeyblock;
- krb5_address * local_addr;
- krb5_address * remote_addr;
krb5_replay_data * replaydata;
krb5_creds *** pppcreds;
{
- krb5_error_code retval;
- krb5_cred * pcred;
+ krb5_error_code retval;
+ krb5_cred * pcred;
krb5_int32 ncreds;
krb5_int32 i = 0;
krb5_cred_enc_part encpart;
/* decode cred message */
- if ((retval = decode_krb5_cred(pcreddata, &pcred)))
+ if ((retval = decode_krb5_cred(pcreddata, &pcred)))
return retval;
memset(&encpart, 0, sizeof(encpart));
@@ -80,38 +78,6 @@ krb5_rd_cred_basic(context, pcreddata, pkeyblock, local_addr, remote_addr,
if ((retval = decrypt_credencdata(context, pcred, pkeyblock, &encpart)))
goto cleanup_cred;
- /*
- * Only check the remote address if the KRB_CRED message was
- * protected by encryption. If it came in the checksum field of
- * an init_sec_context message, skip over this check.
- */
- if (remote_addr && encpart.s_address && pkeyblock != NULL) {
- if (!krb5_address_compare(context, remote_addr, encpart.s_address)) {
- retval = KRB5KRB_AP_ERR_BADADDR;
- goto cleanup_cred;
- }
- }
-
- if (encpart.r_address) {
- if (local_addr) {
- if (!krb5_address_compare(context, local_addr, encpart.r_address)) {
- retval = KRB5KRB_AP_ERR_BADADDR;
- goto cleanup_cred;
- }
- } else {
- krb5_address **our_addrs;
-
- if ((retval = krb5_os_localaddr(context, &our_addrs))) {
- goto cleanup_cred;
- }
- if (!krb5_address_search(context, encpart.r_address, our_addrs)) {
- krb5_free_addresses(context, our_addrs);
- retval = KRB5KRB_AP_ERR_BADADDR;
- goto cleanup_cred;
- }
- krb5_free_addresses(context, our_addrs);
- }
- }
replaydata->timestamp = encpart.timestamp;
replaydata->usec = encpart.usec;
@@ -232,54 +198,12 @@ krb5_rd_cred(context, auth_context, pcreddata, pppcreds, outdata)
(auth_context->rcache == NULL))
return KRB5_RC_REQUIRED;
-{
- krb5_address * premote_fulladdr = NULL;
- krb5_address * plocal_fulladdr = NULL;
- krb5_address remote_fulladdr;
- krb5_address local_fulladdr;
- CLEANUP_INIT(2);
-
- if (auth_context->local_addr) {
- if (auth_context->local_port) {
- if (!(retval = krb5_make_fulladdr(context,auth_context->local_addr,
- auth_context->local_port,
- &local_fulladdr))){
- CLEANUP_PUSH(local_fulladdr.contents, free);
- plocal_fulladdr = &local_fulladdr;
- } else {
- return retval;
- }
- } else {
- plocal_fulladdr = auth_context->local_addr;
- }
- }
-
- if (auth_context->remote_addr) {
- if (auth_context->remote_port) {
- if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr,
- auth_context->remote_port,
- &remote_fulladdr))){
- CLEANUP_PUSH(remote_fulladdr.contents, free);
- premote_fulladdr = &remote_fulladdr;
- } else {
- return retval;
- }
- } else {
- premote_fulladdr = auth_context->remote_addr;
- }
- }
if ((retval = krb5_rd_cred_basic(context, pcreddata, keyblock,
- plocal_fulladdr, premote_fulladdr,
&replaydata, pppcreds))) {
- CLEANUP_DONE();
- return retval;
+ return retval;
}
- CLEANUP_DONE();
-}
-
-
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) {
krb5_donot_replay replay;
krb5_timestamp currenttime;
@@ -327,4 +251,3 @@ error:;
return retval;
}
-
diff --git a/src/lib/krb5/krb/rd_priv.c b/src/lib/krb5/krb/rd_priv.c
index 9629b0c..bf33ad2 100644
--- a/src/lib/krb5/krb/rd_priv.c
+++ b/src/lib/krb5/krb/rd_priv.c
@@ -27,7 +27,7 @@
* krb5_rd_priv()
*/
-#include <k5-int.h>
+#include "k5-int.h"
#include "cleanup.h"
#include "auth_con.h"
@@ -101,13 +101,6 @@ krb5_rd_priv_basic(context, inbuf, keyblock, local_addr, remote_addr,
&privmsg->enc_part, &scratch)))
goto cleanup_scratch;
- /* if i_vector is set, put last block into the i_vector */
- if (i_vector)
- memcpy(i_vector,
- privmsg->enc_part.ciphertext.data +
- (privmsg->enc_part.ciphertext.length - blocksize),
- blocksize);
-
/* now decode the decrypted stuff */
if ((retval = decode_krb5_enc_priv_part(&scratch, &privmsg_enc_part)))
goto cleanup_scratch;
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
index 442e78b..4e9f44e 100644
--- a/src/lib/krb5/krb/rd_req_dec.c
+++ b/src/lib/krb5/krb/rd_req_dec.c
@@ -83,8 +83,8 @@ krb5_rd_req_decrypt_tkt_part(context, req, keytab)
enctype, &ktent)))
return retval;
- if ((retval = krb5_decrypt_tkt_part(context, &ktent.key, req->ticket)))
- return retval;
+ retval = krb5_decrypt_tkt_part(context, &ktent.key, req->ticket);
+ /* Upon error, Free keytab entry first, then return */
(void) krb5_kt_free_entry(context, &ktent);
return retval;
diff --git a/src/lib/krb5/krb/rd_safe.c b/src/lib/krb5/krb/rd_safe.c
index 19c541f..3909f16 100644
--- a/src/lib/krb5/krb/rd_safe.c
+++ b/src/lib/krb5/krb/rd_safe.c
@@ -27,7 +27,7 @@
* krb5_rd_safe()
*/
-#include <k5-int.h>
+#include "k5-int.h"
#include "cleanup.h"
#include "auth_con.h"
diff --git a/src/lib/krb5/krb/recvauth.c b/src/lib/krb5/krb/recvauth.c
index 3d5bce4..7458cb9 100644
--- a/src/lib/krb5/krb/recvauth.c
+++ b/src/lib/krb5/krb/recvauth.c
@@ -30,27 +30,24 @@
#define NEED_SOCKETS
#include "k5-int.h"
#include "auth_con.h"
-#include "com_err.h"
#include <errno.h>
#include <stdio.h>
#include <string.h>
static char *sendauth_version = "KRB5_SENDAUTH_V1.0";
-KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
-krb5_recvauth(context, auth_context,
- /* IN */
- fd, appl_version, server, flags, keytab,
- /* OUT */
- ticket)
- krb5_context context;
- krb5_auth_context FAR * auth_context;
- krb5_pointer fd;
- char FAR * appl_version;
- krb5_principal server;
- krb5_int32 flags;
- krb5_keytab keytab;
- krb5_ticket FAR * FAR * ticket;
+krb5_error_code
+recvauth_common(krb5_context context,
+ krb5_auth_context FAR * auth_context,
+ /* IN */
+ krb5_pointer fd,
+ char FAR *appl_version,
+ krb5_principal server,
+ krb5_int32 flags,
+ krb5_keytab keytab,
+ /* OUT */
+ krb5_ticket FAR * FAR * ticket,
+ krb5_data FAR *version)
{
krb5_auth_context new_auth_context;
krb5_flags ap_option;
@@ -91,12 +88,15 @@ krb5_recvauth(context, auth_context,
*/
if ((retval = krb5_read_message(context, fd, &inbuf)))
return(retval);
- if (strcmp(inbuf.data, appl_version)) {
+ if (appl_version && strcmp(inbuf.data, appl_version)) {
krb5_xfree(inbuf.data);
if (!problem)
problem = KRB5_SENDAUTH_BADAPPLVERS;
}
- krb5_xfree(inbuf.data);
+ if (version && !problem)
+ *version = inbuf;
+ else
+ krb5_xfree(inbuf.data);
/*
* OK, now check the problem variable. If it's zero, we're
* fine and we can continue. Otherwise, we have to signal an
@@ -243,3 +243,38 @@ cleanup:;
}
return retval;
}
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+krb5_recvauth(context, auth_context,
+ /* IN */
+ fd, appl_version, server, flags, keytab,
+ /* OUT */
+ ticket)
+ krb5_context context;
+ krb5_auth_context FAR * auth_context;
+ krb5_pointer fd;
+ char FAR * appl_version;
+ krb5_principal server;
+ krb5_int32 flags;
+ krb5_keytab keytab;
+ krb5_ticket FAR * FAR * ticket;
+{
+ return recvauth_common (context, auth_context, fd, appl_version,
+ server, flags, keytab, ticket, 0);
+}
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+krb5_recvauth_version(krb5_context context,
+ krb5_auth_context FAR *auth_context,
+ /* IN */
+ krb5_pointer fd,
+ krb5_principal server,
+ krb5_int32 flags,
+ krb5_keytab keytab,
+ /* OUT */
+ krb5_ticket FAR * FAR *ticket,
+ krb5_data FAR *version)
+{
+ return recvauth_common (context, auth_context, fd, 0,
+ server, flags, keytab, ticket, version);
+}
diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c
index 520c0e2..49bc1c9 100644
--- a/src/lib/krb5/krb/send_tgs.c
+++ b/src/lib/krb5/krb/send_tgs.c
@@ -150,7 +150,6 @@ krb5_send_tgs(context, kdcoptions, timestruct, ktypes, sname, addrs,
krb5_timestamp time_now;
krb5_pa_data **combined_padata;
krb5_pa_data ap_req_padata;
- size_t enclen;
/*
* in_creds MUST be a valid credential NOT just a partially filled in
diff --git a/src/lib/krb5/krb/sendauth.c b/src/lib/krb5/krb/sendauth.c
index 4e7c3a7..24d8a8e 100644
--- a/src/lib/krb5/krb/sendauth.c
+++ b/src/lib/krb5/krb/sendauth.c
@@ -30,7 +30,6 @@
#define NEED_SOCKETS
#include "k5-int.h"
-#include "com_err.h"
#include "auth_con.h"
#include <errno.h>
#include <stdio.h>
@@ -119,7 +118,7 @@ krb5_sendauth(context, auth_context,
if (!in_creds || !in_creds->ticket.length) {
if (ccache)
use_ccache = ccache;
- else if ((retval = krb5_cc_default(context, &use_ccache)))
+ else if ((retval = krb5int_cc_default(context, &use_ccache)))
goto error_return;
}
if (!in_creds) {
@@ -152,9 +151,32 @@ krb5_sendauth(context, auth_context,
credsp = in_creds;
}
- if ((retval = krb5_mk_req_extended(context, auth_context, ap_req_options,
- in_data, credsp, &outbuf)))
- goto error_return;
+ if (ap_req_options & AP_OPTS_USE_SUBKEY) {
+ /* Provide some more fodder for random number code.
+ This isn't strong cryptographically; the point here is
+ not to guarantee randomness, but to make it less likely
+ that multiple sessions could pick the same subkey. */
+ char rnd_data[1024];
+ size_t len;
+ krb5_data d;
+ d.length = sizeof (rnd_data);
+ d.data = rnd_data;
+ len = sizeof (rnd_data);
+ if (getpeername (*(int*)fd, (struct sockaddr *) rnd_data, &len) == 0) {
+ d.length = len;
+ (void) krb5_c_random_seed (context, &d);
+ }
+ len = sizeof (rnd_data);
+ if (getsockname (*(int*)fd, (struct sockaddr *) rnd_data, &len) == 0) {
+ d.length = len;
+ (void) krb5_c_random_seed (context, &d);
+ }
+ }
+
+ if ((retval = krb5_mk_req_extended(context, auth_context,
+ ap_req_options, in_data, credsp,
+ &outbuf)))
+ goto error_return;
/*
* First write the length of the AP_REQ message, then write
diff --git a/src/lib/krb5/krb/ser_actx.c b/src/lib/krb5/krb/ser_actx.c
index bac90e3..fdebbe3 100644
--- a/src/lib/krb5/krb/ser_actx.c
+++ b/src/lib/krb5/krb/ser_actx.c
@@ -208,6 +208,7 @@ krb5_auth_context_externalize(kcontext, arg, buffer, lenremain)
krb5_octet *bp;
size_t remain;
krb5_int32 obuf;
+ size_t vecsize;
required = 0;
bp = *buffer;
@@ -237,11 +238,14 @@ krb5_auth_context_externalize(kcontext, arg, buffer, lenremain)
if (auth_context->i_vector) {
kret = krb5_c_block_size(kcontext,
auth_context->keyblock->enctype,
- &obuf);
+ &vecsize);
} else {
- obuf = 0;
+ vecsize = 0;
}
-
+ obuf = vecsize;
+ if (obuf != vecsize)
+ kret = EINVAL;
+
if (!kret)
(void) krb5_ser_pack_int32(obuf, &bp, &remain);
diff --git a/src/lib/krb5/krb/srv_rcache.c b/src/lib/krb5/krb/srv_rcache.c
index c94201b..04e9707 100644
--- a/src/lib/krb5/krb/srv_rcache.c
+++ b/src/lib/krb5/krb/srv_rcache.c
@@ -48,6 +48,9 @@ krb5_get_server_rcache(context, piece, rcptr)
unsigned long uid = geteuid();
#endif
+ if (piece == NULL)
+ return ENOMEM;
+
rcache = (krb5_rcache) malloc(sizeof(*rcache));
if (!rcache)
return ENOMEM;
diff --git a/src/lib/krb5/krb/t_kerb.c b/src/lib/krb5/krb/t_kerb.c
index 2feef39..458015d 100644
--- a/src/lib/krb5/krb/t_kerb.c
+++ b/src/lib/krb5/krb/t_kerb.c
@@ -4,6 +4,7 @@
*/
#include "krb5.h"
+#include "kerberosIV/krb.h"
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
@@ -56,6 +57,32 @@ void test_425_conv_principal(ctx, name, inst, realm)
krb5_free_principal(ctx, princ);
}
+void test_524_conv_principal(ctx, name)
+ krb5_context ctx;
+ char *name;
+{
+ krb5_principal princ = 0;
+ krb5_error_code retval;
+ char aname[ANAME_SZ+1], inst[INST_SZ+1], realm[REALM_SZ+1];
+
+ aname[ANAME_SZ] = inst[INST_SZ] = realm[REALM_SZ] = 0;
+ retval = krb5_parse_name(ctx, name, &princ);
+ if (retval) {
+ com_err("krb5_parse_name", retval, 0);
+ goto fail;
+ }
+ retval = krb5_524_conv_principal(ctx, princ, aname, inst, realm);
+ if (retval) {
+ com_err("krb5_524_conv_principal", retval, 0);
+ goto fail;
+ }
+ printf("524_converted_principal(%s): '%s' '%s' '%s'\n",
+ name, aname, inst, realm);
+ fail:
+ if (princ)
+ krb5_free_principal (ctx, princ);
+}
+
void test_parse_name(ctx, name)
krb5_context ctx;
const char *name;
@@ -131,6 +158,7 @@ void usage(progname)
{
fprintf(stderr, "%s: Usage: %s 425_conv_principal <name> <inst> <realm\n",
progname, progname);
+ fprintf(stderr, "\t%s 524_conv_principal <name>\n", progname);
fprintf(stderr, "\t%s parse_name <name>\n", progname);
fprintf(stderr, "\t%s set_realm <name> <realm>\n", progname);
fprintf(stderr, "\t%s string_to_timestamp <time>\n", progname);
@@ -186,6 +214,10 @@ main(argc, argv)
argc--; argv++;
if (!argc) usage(progname);
test_string_to_timestamp(ctx, *argv);
+ } else if (strcmp(*argv, "524_conv_principal") == 0) {
+ argc--; argv++;
+ if (!argc) usage(progname);
+ test_524_conv_principal(ctx, *argv);
}
else
usage(progname);
diff --git a/src/lib/krb5/krb/t_krb5.conf b/src/lib/krb5/krb/t_krb5.conf
index 5882d97..8d7a4d9 100644
--- a/src/lib/krb5/krb/t_krb5.conf
+++ b/src/lib/krb5/krb/t_krb5.conf
@@ -19,6 +19,12 @@
kdc = KERBEROS.CYGNUS.COM
admin_server = KERBEROS.MIT.EDU
}
+ stanford.edu = {
+ v4_realm = IR.STANFORD.EDU
+ }
+ LONGNAMES.COM = {
+ v4_realm = SOME-REALLY-LONG-REALM-NAME-V4-CANNOT-HANDLE.COM
+ }
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
diff --git a/src/lib/krb5/krb/t_ref_kerb.out b/src/lib/krb5/krb/t_ref_kerb.out
index 9423944..08a5334 100644
--- a/src/lib/krb5/krb/t_ref_kerb.out
+++ b/src/lib/krb5/krb/t_ref_kerb.out
@@ -14,4 +14,6 @@ parsed (and unparsed) principal(\/slash/\@atsign/octa\/thorpe@\/slash\@at\/sign)
425_converted principal(rcmd, uunet, UU.NET): 'host/uunet.uu.net@UU.NET'
425_converted principal(zephyr, zephyr, ATHENA.MIT.EDU): 'zephyr/zephyr@ATHENA.MIT.EDU'
425_converted principal(kadmin, ATHENA.MIT.EDU, ATHENA.MIT.EDU): 'kadmin/ATHENA.MIT.EDU@ATHENA.MIT.EDU'
+524_converted_principal(host/e40-po.mit.edu@ATHENA.MIT.EDU): 'rcmd' 'e40-po' 'ATHENA.MIT.EDU'
+524_converted_principal(host/foobar.stanford.edu@stanford.edu): 'rcmd' 'foobar' 'IR.STANFORD.EDU'
old principal: marc@MIT.EDU, modified principal: marc@CYGNUS.COM
diff --git a/src/lib/krb5/krb/unparse.c b/src/lib/krb5/krb/unparse.c
index f7df6ab..d0dfadc 100644
--- a/src/lib/krb5/krb/unparse.c
+++ b/src/lib/krb5/krb/unparse.c
@@ -70,6 +70,9 @@ krb5_unparse_name_ext(context, principal, name, size)
krb5_int32 nelem;
register int totalsize = 0;
+ if (!principal)
+ return KRB5_PARSE_MALFORMED;
+
cp = krb5_princ_realm(context, principal)->data;
length = krb5_princ_realm(context, principal)->length;
totalsize += length;
@@ -150,7 +153,8 @@ krb5_unparse_name_ext(context, principal, name, size)
*q++ = COMPONENT_SEP;
}
- q--; /* Back up last component separator */
+ if (i > 0)
+ q--; /* Back up last component separator */
*q++ = REALM_SEP;
cp = krb5_princ_realm(context, principal)->data;
diff --git a/src/lib/krb5/krb/vfy_increds.c b/src/lib/krb5/krb/vfy_increds.c
index 85a8465..f046ab5 100644
--- a/src/lib/krb5/krb/vfy_increds.c
+++ b/src/lib/krb5/krb/vfy_increds.c
@@ -109,7 +109,7 @@ krb5_verify_init_creds(krb5_context context,
(options->flags & KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL)) {
if (options->ap_req_nofail)
goto cleanup;
- } else if ((ret2 = krb5_appdefault_boolean(context,
+ } else if ((ret2 = krb5_libdefault_boolean(context,
&creds->client->realm,
"verify_ap_req_nofail",
&nofail))
diff --git a/src/lib/krb5/krb/walk_rtree.c b/src/lib/krb5/krb/walk_rtree.c
index 833ec61..163b7bb 100644
--- a/src/lib/krb5/krb/walk_rtree.c
+++ b/src/lib/krb5/krb/walk_rtree.c
@@ -93,6 +93,27 @@
#define max(x,y) ((x) > (y) ? (x) : (y))
#endif
+/*
+ * xxx The following function is very confusing to read and probably
+ * is buggy. It should be documented better. Here is what I've
+ * learned about it doing a quick bug fixing walk through. The
+ * function takes a client and server realm name and returns the set
+ * of realms (in a field called tree) that you need to get tickets in
+ * in order to get from the source realm to the destination realm. It
+ * takes a realm separater character (normally ., but presumably there
+ * for all those X.500 realms) . There are two modes it runs in: the
+ * ANL krb5.confmode and the hierarchy mode. The ANL mode is
+ * fairly obvious. The hierarchy mode looks for common components in
+ * both the client and server realms. In general, the pointer scp and
+ * ccp are used to walk through the client and server realms. The
+ * com_sdot and com_cdot pointers point to (I think) the beginning of
+ * the common part of the realm names. I.E. strcmp(com_cdot,
+ * com_sdot) ==0 is roughly an invarient. However, there are cases
+ * where com_sdot and com_cdot are set to point before the start of
+ * the client or server strings. I think this only happens when there
+ * are no common components. --hartmans 2002/03/14
+ */
+
krb5_error_code
krb5_walk_realm_tree(context, client, server, tree, realm_branch_char)
krb5_context context;
@@ -115,6 +136,10 @@ krb5_walk_realm_tree(context, client, server, tree, realm_branch_char)
char *cap_client, *cap_server;
char **cap_nodes;
krb5_error_code cap_code;
+#endif
+ if (!(client->data &&server->data))
+ return KRB5_NO_TKT_IN_RLM;
+#ifdef CONFIGURABLE_AUTHENTICATION_PATH
if ((cap_client = (char *)malloc(client->length + 1)) == NULL)
return ENOMEM;
strncpy(cap_client, client->data, client->length);
diff --git a/src/lib/krb5/krb5_libinit.c b/src/lib/krb5/krb5_libinit.c
index beeb06d..547be4d 100644
--- a/src/lib/krb5/krb5_libinit.c
+++ b/src/lib/krb5/krb5_libinit.c
@@ -1,5 +1,9 @@
#include <assert.h>
+#if TARGET_OS_MAC
+ #include <Kerberos/com_err.h>
+#endif
+
#include "krb5.h"
#include "krb5_err.h"
#include "kv5m_err.h"
@@ -16,10 +20,12 @@ krb5_error_code krb5int_initialize_library (void)
{
if (!initialized) {
+#if !TARGET_OS_MAC || USE_HARDCODED_FALLBACK_ERROR_TABLES
add_error_table(&et_krb5_error_table);
add_error_table(&et_kv5m_error_table);
add_error_table(&et_kdb5_error_table);
add_error_table(&et_asn1_error_table);
+#endif
initialized = 1;
}
@@ -35,14 +41,16 @@ void krb5int_cleanup_library (void)
{
assert (initialized);
-#if defined(_MSDOS) || defined(_WIN32) || defined(macintosh)
+#if defined(_MSDOS) || defined(_WIN32) || TARGET_OS_MAC
krb5_stdcc_shutdown();
#endif
+#if !TARGET_OS_MAC || USE_HARDCODED_FALLBACK_ERROR_TABLES
remove_error_table(&et_krb5_error_table);
remove_error_table(&et_kv5m_error_table);
remove_error_table(&et_kdb5_error_table);
remove_error_table(&et_asn1_error_table);
+#endif
initialized = 0;
}
diff --git a/src/lib/krb5/os/ChangeLog b/src/lib/krb5/os/ChangeLog
index 8f8c018..ee721ce 100644
--- a/src/lib/krb5/os/ChangeLog
+++ b/src/lib/krb5/os/ChangeLog
@@ -1,3 +1,212 @@
+2002-10-31 Tom Yu <tlyu@mit.edu>
+
+ * hst_realm.c (krb5_try_realm_txt_rr): Apply patch from Nalin
+ Dahyabhai to bounds-check return value from res_search().
+
+ * locate_kdc.c (krb5_locate_srv_dns_1): Apply patch from Nalin
+ Dahyabhai to bounds-check return value from res_search().
+
+ [pullups from trunk]
+
+2002-05-24 Alexandra Ellwood <lxs@mit.edu>
+ * init_os_ctx.c: krb4 needs to get the os config files so it can use
+ the profile too. Define these functions on Mac OS X now.
+
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * init_os_ctx.c: Removed use of FSSpecs because these cause serious
+ performance problems on Mac OS X. We now search paths the same way
+ the rest of the Unix platforms do.
+
+2002-04-05 Danilo Almeida <dalmeida@mit.edu>
+
+ * toffset.c (krb5_get_time_offsets), an_to_ln.c
+ (krb5_aname_to_localname): Make KRB5_CALLCONV.
+
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * init_os_ctx.c: Add CoreServices.h before k5-int.h so we don't get
+ multiple definitions for FSSpec. Also removed an unused variable in
+ Mac OS X code and added casts for Mac OS X code so FSSpecs are cast
+ to profile file types (code deals properly on the other side)
+ * timeofday.c: Added casts to remove warnings
+
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * ccdefname.c, init_os_ctx.c, timeofday.c: Updated Mac OS X headers to new
+ framework layout and updated Mac OS macros
+ * changepw.c: removed unused variable
+ * gmt_mktime.c: added int to removed warning about type defaulting to int
+
+2002-01-29 Tom Yu <tlyu@mit.edu>
+
+ * def_realm.c: Add terminal newline. Fixes [krb5-build/1041].
+
+2001-12-03 Miro Jurisic <meeroh@mit.edu>
+
+ * c_ustime.c: punted the accurate microseconds timing code because it
+ wasn't so accurate after all.
+
+2000-11-27 Alexandra Ellwood <lxs@mit.edu>
+
+ * read_pwd.c: Removed #defines for Mac OS X (__MACH__) because we
+ now export krb5_read_password on Mac OS X
+
+2001-10-29 Miro Jurisic <meeroh@mit.edu>
+ * pullup from krb5-1-2 branch after krb5-1-2-2-bp
+ * localaddr.c: Fixed typo.
+ * localaddr.c: Added a special krb5_os_localaddr for Mac OS 9
+ which looks up the addresses without querying DNS synchronously
+ * prompter.c, promptusr.c, read_pwd.c: We now export
+ krb5_prompter_posix and krb5_read_password on Mac OS X
+ * c_us_time.c: Updated Utilities.h #include
+ * c_us_time.c: Fix the sleep queue notification code to
+ only run on machines with power management
+ * ccdefname.c, init_os_ctx.c: Updated Mac OS #defines and #includes
+ for new header layout and Mac OS X frameworks
+
+2001-02-05 Tom Yu <tlyu@mit.edu>
+
+ * prompter.c (krb5_prompter_posix): Fix up terminal modes if we're
+ interrupted. [reported by Booker Bense] [pullup from trunk]
+
+2001-02-02 Ken Raeburn <raeburn@mit.edu>
+
+ * localaddr.c (foreach_localaddr): Increase buffer space initially
+ allocated. Add more slop space at the end that must remain unused
+ before we stop growing the buffer. Impose a maximum size on the
+ buffer. Handle possibility of returned ifc_len being larger than
+ the supplied buffer.
+
+2001-01-30 Ken Raeburn <raeburn@mit.edu>
+
+ * changepw.c (fixup_ports): New function, uses correct level of
+ indirection for elements of socket address array.
+ (krb5_locate_kpasswd): Call fixup_ports.
+
+2001-01-24 Miro Jurisic <meeroh@mit.edu>
+
+ * c_us_time.c: Fix the sleep queue notification code to
+ avoid denying sleep requests
+
+2000-12-19 Miro Jurisic <meeroh@mit.edu>
+
+ * c_us_time.c: Fix the sleep queue notification code to
+ build with Universal Headers 3.3
+
+2000-11-29 Miro Jurisic <meeroh@mit.edu>
+
+ * c_us_time.c: Install a callback in the Mac OS sleep
+ queue to get notification of the machine coming out
+ of sleep, in order to refresh the cached uptime to
+ real time offset
+
+2000-10-28 Miro Jurisic <meeroh@mit.edu>
+
+ * c_ustime.c: Fixed epoch calculation under Mac OS 9 Carbon and Mac OS X
+
+2000-10-16 Miro Jurisic <meeroh@mit.edu>
+
+ * init_os_ctx.c: Use PreferencesLib to discover config files on Mac OS X
+
+2000-10-02 Alexandra Ellwood <lxs@mit.edu>
+
+ * ccdefname.c, init_os_ctx.c, prompter.c, prompterusr.c. read_pwd.c
+ timeofday.c: Added #defines for Mac OS X (__MACH__) to mimic macintosh
+ behavior
+
+2000-09-28 Miro Jurisic <meeroh@mit.edu>
+
+ * c_us_time.c: Fixed Mac code to use the correct epoch
+
+2000-09-23 Miro Jurisic <meeroh@mit.edu>
+
+ * c_us_time.c: Added modifications to Mac OS Microseconds timing
+ to work properly under Carbon.
+
+2000-06-19 Ken Raeburn <raeburn@mit.edu>
+
+ * localaddr.c (foreach_localaddr): Use SIOCGSIZIFCONF ioctl if
+ available to get the buffer size needed for SIOCGIFCONF, and skip
+ the silly heuristics if it returns a reasonable value.
+
+2000-06-14 Miro Jurisic <meeroh@mit.edu>
+
+ * init_os_ctx.c (os_get_default_config_files):
+ Return ENOENT when file is not found on MacOS (not ENFILE)
+
+2000-06-09 Miro Jurisic <meeroh@mit.edu>
+
+ * init_os_ctx.c (os_get_default_config_files):
+ Eliminated some dead code
+
+2000-06-09 Miro Jurisic <meeroh@mit.edu>
+
+ * init_os_ctx.c (os_get_default_config_files): Use Kerberos
+ Preferences library to locate the config files on Mac OS
+
+2000-05-17 Nalin Dahyabhai <nalin@redhat.com>
+
+ * an_to_ln.c (do_replacement): Don't overflow buffers "in" or "out".
+ * hst_realm.c (krb5_try_realm_txt_rr): Don't overfill "host" when
+ malformed DNS responses are received.
+
+2000-05-15 Jeffrey Altman <jaltman@columbia.edu>
+
+ * hst_realm.c (krb5_get_host_realm)
+ remove the searchlist and defaultrealm _kerberos queries
+
+2000-05-09 Alexandra Ellwood <lxs@mit.edu>
+
+ *localaddr.c: Fixed the local_addr_fallback_kludge so that it actually does something.
+ Before that the error code it was handling was blowing it away in cleanup.
+
+2000-04-28 Nalin Dahyabhai <nalin@redhat.com>
+
+ * ccdefname.c (get_from_os): Don't overflow buffer "name_buf".
+ * kuserok.c (krb5_kuserok): Don't overflow buffer "pbuf".
+
+2000-04-22 Ken Raeburn <raeburn@mit.edu>
+
+ * localaddr.c: Include stddef.h.
+ (foreach_localaddr): Check each address against previously used
+ addresses, and skip duplicates, in case multiple interfaces have
+ the same address. If called functions fail, drop out of loop and
+ return nonzero.
+ (krb5_os_localaddr): Increment count of addresses to include null
+ pointer terminator. Delete check for zero count.
+
+2000-04-18 Danilo Almeida <dalmeida@mit.edu>
+
+ * prompter.c (krb5int_set_prompt_types): Set to actual value
+ intead of 0.
+
+2000-4-13 Alexandra Ellwood <lxs@mit.edu>
+
+ * init_os_ctx.c: Added support to store a krb5_principal in the os_context
+ along with the default ccache name (if known, this principal is the same
+ as the last time we looked at the ccache.
+ * ccdefname.c: Added support to store a krb5_principal in the os_context
+ along with the default ccache name (if known, this principal is the same
+ as the last time we looked at the ccache.
+
+2000-04-04 Ken Raeburn <raeburn@mit.edu>
+
+ * locate_kdc.c (maybe_use_dns): Renamed from _krb5_use_dns. Now
+ takes an arg to indicate a key to look up in krb5.conf, falling
+ back to "dns_fallback", and an arg indicating the default value if
+ no config file entries match.
+ (_krb5_use_dns_realm): New routine; use "dns_lookup_realm" and
+ KRB5_DNS_LOOKUP_REALM setting.
+ (_krb5_use_dns_kdc): New routine; use "dns_lookup_kdc" and
+ KRB5_DNS_LOOKUP_KDC.
+ (krb5_locate_kdc): Call _krb5_use_dns_kdc.
+ * changepw.c (krb5_locate_kpasswd): Call _krb5_use_dns_kdc.
+ * def_realm.c (krb5_get_default_realm): Call _krb5_use_dns_realm.
+ * hst_realm.c (krb5_get_host_realm): Call _krb5_use_dns_realm.
+
+2000-03-20 Miro Jurisic <meeroh@mit.edu>
+
+ * def_realm.c (krb5_free_default_realm): Added, use to free
+ result of krb5_get_default_realm
+
2000-03-15 Danilo Almeida <dalmeida@mit.edu>
* prompter.c: Add krb5int_set_prompt_types() and
diff --git a/src/lib/krb5/os/an_to_ln.c b/src/lib/krb5/os/an_to_ln.c
index 3c721fb..df4b5d5 100644
--- a/src/lib/krb5/os/an_to_ln.c
+++ b/src/lib/krb5/os/an_to_ln.c
@@ -298,15 +298,15 @@ do_replacement(regexp, repl, doall, in, out)
strncpy(op, cp, match_match.rm_so);
op += match_match.rm_so;
}
- strcpy(op, repl);
- op += strlen(repl);
+ strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out));
+ op += strlen(op);
cp += match_match.rm_eo;
if (!doall)
- strcpy(op, cp);
+ strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
matched = 1;
}
else {
- strcpy(op, cp);
+ strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
matched = 0;
}
} while (doall && matched);
@@ -333,20 +333,20 @@ do_replacement(regexp, repl, doall, in, out)
strncpy(op, cp, sdispl);
op += sdispl;
}
- strcpy(op, repl);
+ strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out));
op += strlen(repl);
cp += edispl;
if (!doall)
- strcpy(op, cp);
+ strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
matched = 1;
}
else {
- strcpy(op, cp);
+ strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
matched = 0;
}
} while (doall && matched);
#else /* HAVE_REGEXP_H */
- strcpy(out, in);
+ memcpy(out, in, MAX_FORMAT_BUFFER);
#endif /* HAVE_REGCOMP */
}
@@ -379,7 +379,8 @@ aname_replacer(string, contextp, result)
* Prime the buffers. Copy input string to "out" to simulate it
* being the result of an initial iteration.
*/
- strcpy(out, string);
+ strncpy(out, string, MAX_FORMAT_BUFFER - 1);
+ out[MAX_FORMAT_BUFFER - 1] = '\0';
in[0] = '\0';
kret = 0;
/*
@@ -421,6 +422,7 @@ aname_replacer(string, contextp, result)
out = ep;
/* Do the replacemenbt */
+ memset(out, '\0', MAX_FORMAT_BUFFER);
do_replacement(rule, repl, doglobal, in, out);
free(rule);
free(repl);
@@ -651,7 +653,7 @@ default_an_to_ln(context, aname, lnsize, lname)
returns system errors, NOT_ENOUGH_SPACE
*/
-krb5_error_code
+krb5_error_code KRB5_CALLCONV
krb5_aname_to_localname(context, aname, lnsize, lname)
krb5_context context;
krb5_const_principal aname;
diff --git a/src/lib/krb5/os/c_ustime.c b/src/lib/krb5/os/c_ustime.c
index 5f73587..d294e01 100644
--- a/src/lib/krb5/os/c_ustime.c
+++ b/src/lib/krb5/os/c_ustime.c
@@ -51,12 +51,17 @@
#include <DriverServices.h> /* Nanosecond timing */
#include <CodeFragments.h> /* Check for presence of UpTime */
#include <Math64.h> /* 64-bit integer math */
+#include <KerberosSupport/Utilities.h> /* Mac time -> UNIX time conversion */
+#include <Power.h> /* Sleep queue */
/* Mac Cincludes */
#include <string.h>
#include <stddef.h>
static krb5_int32 last_sec = 0, last_usec = 0;
+static int gResetCachedDifference = 0;
+static SleepQRec gSleepQRecord;
+static SleepQUPP gSleepQUPP;
/* Check for availability of microseconds or better timer */
Boolean HaveAccurateTime ();
@@ -68,6 +73,21 @@ void AbsoluteToSecsNanosecs (
UInt32 *residualNanoseconds /* Fractional second */
);
+/* Convert Microseconds to date and time */
+void MicrosecondsToSecsMicrosecs (
+ UnsignedWide eventTime, /* Value to convert */
+ UInt32 *eventSeconds, /* Result goes here */
+ UInt32 *residualMicroseconds /* Fractional second */
+ );
+
+/* Sleep notification callback in needed to reset cached
+difference when the machine goes to sleep */
+void InstallSleepNotification ();
+void RemoveSleepNotification ();
+pascal long SleepNotification (
+ SInt32 message,
+ SleepQRecPtr qRecPtr);
+
/*
* The Unix epoch is 1/1/70, the Mac epoch is 1/1/04.
*
@@ -101,14 +121,6 @@ getTimeZoneOffset()
/* Returns the GMT in seconds (and fake microseconds) using the Unix epoch */
-/*
- * Note that unix timers are guaranteed that consecutive calls to timing functions will
- * always return monotonically increasing values for time; even if called within one microsecond,
- * they must increase from one call to another. We must preserve this property in this code,
- * even though Mac UpTime does not make such guarantees... (actually it does, but it measures in
- * units that can be finer than 1 microsecond, so conversion can cause repeat microsecond values
- */
-
krb5_error_code
krb5_crypto_us_timeofday(seconds, microseconds)
krb5_int32 *seconds, *microseconds;
@@ -116,34 +128,13 @@ krb5_crypto_us_timeofday(seconds, microseconds)
krb5_int32 sec, usec;
time_t the_time;
- GetDateTime (&the_time);
-
- sec = the_time -
- ((66 * 365 * 24 * 60 * 60) + (17 * 24 * 60 * 60) +
- (getTimeZoneOffset() * 60 * 60));
-
-#if TARGET_CPU_PPC /* Only PPC has accurate time */
- if (HaveAccurateTime ()) { /* Does hardware support accurate time? */
-
- AbsoluteTime absoluteTime;
- UInt32 nanoseconds;
-
- absoluteTime = UpTime ();
- AbsoluteToSecsNanosecs (absoluteTime, &sec, &nanoseconds);
-
- usec = nanoseconds / 1000;
- } else
-#endif /* TARGET_CPU_PPC */
- {
- GetDateTime (&sec);
- usec = 0;
- }
+ GetDateTime (&sec);
+ usec = 0;
/* Fix secs to UNIX epoch */
- sec -= ((66 * 365 * 24 * 60 * 60) + (17 * 24 * 60 * 60) +
- (getTimeZoneOffset() * 60 * 60));
-
+ mac_time_to_unix_time (&sec);
+
/* Make sure that we are _not_ repeating */
if (sec < last_sec) { /* Seconds should be at least equal to last seconds */
@@ -170,90 +161,6 @@ krb5_crypto_us_timeofday(seconds, microseconds)
return 0;
}
-/* Check if we have microsecond or better timer */
-
-Boolean HaveAccurateTime ()
-{
- static Boolean alreadyChecked = false;
- static haveAccurateTime = false;
-
- if (!alreadyChecked) {
- alreadyChecked = true;
- haveAccurateTime = false;
-#if TARGET_CPU_PPC
- if ((Ptr) UpTime != (Ptr) kUnresolvedCFragSymbolAddress) {
- UInt32 minAbsoluteTimeDelta;
- UInt32 theAbsoluteTimeToNanosecondNumerator;
- UInt32 theAbsoluteTimeToNanosecondDenominator;
- UInt32 theProcessorToAbsoluteTimeNumerator;
- UInt32 theProcessorToAbsoluteTimeDenominator;
-
- GetTimeBaseInfo (
- &minAbsoluteTimeDelta,
- &theAbsoluteTimeToNanosecondNumerator,
- &theAbsoluteTimeToNanosecondDenominator,
- &theProcessorToAbsoluteTimeNumerator,
- &theProcessorToAbsoluteTimeDenominator);
-
- /* minAbsoluteTimeDelta is the period in which Uptime is updated, in absolute time */
- /* We convert it to nanoseconds and compare it with .5 microsecond */
-
- if (minAbsoluteTimeDelta * theAbsoluteTimeToNanosecondNumerator <
- 500 * theAbsoluteTimeToNanosecondDenominator) {
- haveAccurateTime = true;
- }
- }
-#endif /* TARGET_CPU_PPC */
- }
-
- return haveAccurateTime;
-}
-
-/* Convert nanoseconds to date and time */
-
-void AbsoluteToSecsNanosecs (
- AbsoluteTime eventTime, /* Value to convert */
- UInt32 *eventSeconds, /* Result goes here */
- UInt32 *residualNanoseconds /* Fractional second */
- )
-{
- UInt64 eventNanoseconds;
- UInt64 eventSeconds64;
- static const UInt64 kTenE9 = U64SetU (1000000000);
- static UInt64 gNanosecondsAtStart = U64SetU (0);
-
- /*
- * If this is the first call, compute the offset between
- * GetDateTime and UpTime.
- */
- if (U64Compare (gNanosecondsAtStart, U64SetU (0)) == 0) {
- UInt32 secondsAtStart;
- AbsoluteTime absoluteTimeAtStart;
- UInt64 upTimeAtStart;
- UInt64 nanosecondsAtStart;
-
- GetDateTime (&secondsAtStart);
- upTimeAtStart = UnsignedWideToUInt64 (AbsoluteToNanoseconds (UpTime()));
- nanosecondsAtStart = U64SetU (secondsAtStart);
- nanosecondsAtStart = U64Multiply (nanosecondsAtStart, kTenE9);
- gNanosecondsAtStart = U64Subtract (nanosecondsAtStart, upTimeAtStart);
- }
- /*
- * Convert the event time (UpTime value) to nanoseconds and add
- * the local time epoch.
- */
- eventNanoseconds = UnsignedWideToUInt64 (AbsoluteToNanoseconds (eventTime));
- eventNanoseconds = U64Add (gNanosecondsAtStart, eventNanoseconds);
- /*
- * eventSeconds = eventNanoseconds /= 10e9;
- * residualNanoseconds = eventNanoseconds % 10e9;
- * Finally, compute the local time (seconds) and fraction.
- */
- eventSeconds64 = U64Div (eventNanoseconds, kTenE9);
- eventNanoseconds = U64Subtract (eventNanoseconds, U64Multiply (eventSeconds64, kTenE9));
- *eventSeconds = (UInt64ToUnsignedWide (eventSeconds64)).lo;
- *residualNanoseconds = (UInt64ToUnsignedWide (eventNanoseconds)).lo;
-}
#elif defined(_WIN32)
/* Microsoft Windows NT and 95 (32bit) */
diff --git a/src/lib/krb5/os/ccdefname.c b/src/lib/krb5/os/ccdefname.c
index 53e7888..76c7528 100644
--- a/src/lib/krb5/os/ccdefname.c
+++ b/src/lib/krb5/os/ccdefname.c
@@ -31,8 +31,8 @@
#include "k5-int.h"
#include <stdio.h>
-#ifdef macintosh
-#include "CCache.h"
+#if TARGET_OS_MAC
+#include <Kerberos/CredentialsCache.h>
#endif
#if defined(_WIN32)
@@ -160,7 +160,7 @@ static krb5_error_code get_from_os(char *name_buf, int name_size)
if (get_from_registry_indirect(name_buf, name_size) != 0)
return 0;
- strncpy(name_buf, prefix, name_size);
+ strncpy(name_buf, prefix, name_size - 1);
name_buf[name_size - 1] = 0;
size = name_size - strlen(prefix);
if (size > 0)
@@ -186,7 +186,7 @@ static krb5_error_code get_from_os(char *name_buf, int name_size)
}
#endif
-#if defined (macintosh)
+#if TARGET_OS_MAC
static krb5_error_code get_from_os(char *name_buf, int name_size)
{
@@ -261,6 +261,13 @@ krb5_cc_set_default_name(context, name)
return ENOMEM;
strcpy(new_name, name_buf);
+ if (!os_ctx->default_ccname || (strcmp(os_ctx->default_ccname, new_name) != 0)) {
+ /* the ccache changed... forget the old principal */
+ if (os_ctx->default_ccprincipal)
+ krb5_free_principal (context, os_ctx->default_ccprincipal);
+ os_ctx->default_ccprincipal = 0; /* we don't care until we use it */
+ }
+
if (os_ctx->default_ccname)
free(os_ctx->default_ccname);
diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c
index 6ed95bc..44161d6 100644
--- a/src/lib/krb5/os/changepw.c
+++ b/src/lib/krb5/os/changepw.c
@@ -52,45 +52,50 @@
* Wrapper function for the two backends
*/
+static void
+fixup_ports (struct sockaddr *addr_p, int naddrs, int port)
+{
+ /* Ick: In this version of krb5_locate_foo, we have a pointer to a
+ pointer to an array of sockaddr_in structures -- NOT an array
+ of pointers like we should have. */
+ int i;
+ port = htons (port);
+ if (addr_p->sa_family != AF_INET)
+ abort ();
+ for (i = 0; i < naddrs; i++) {
+ struct sockaddr_in *sinp = (struct sockaddr_in *) &addr_p[i];
+ sinp->sin_port = port;
+ }
+}
+
static krb5_error_code
-krb5_locate_kpasswd(context, realm, addr_pp, naddrs, master_index, nmasters)
+krb5_locate_kpasswd(context, realm, addr_pp, naddrs)
krb5_context context;
const krb5_data *realm;
struct sockaddr **addr_pp;
int *naddrs;
- int *master_index;
- int *nmasters;
{
krb5_error_code code;
- int i;
-#ifdef KRB5_DNS_LOOKUP
- struct sockaddr *admin_addr_p, *kdc_addr_p;
- int nadmin_addrs, nkdc_addrs;
- int j;
-#endif /* KRB5_DNS_LOOKUP */
/*
* We always try the local file first
*/
- code = krb5_locate_srv_conf(context, realm, "kpasswd_server", addr_pp, naddrs,
- master_index, nmasters);
+ code = krb5_locate_srv_conf(context, realm, "kpasswd_server",
+ addr_pp, naddrs, 0);
if (code) {
- code = krb5_locate_srv_conf(context, realm, "admin_server", addr_pp, naddrs,
- master_index, nmasters);
+ code = krb5_locate_srv_conf(context, realm, "admin_server",
+ addr_pp, naddrs, 0);
if ( !code ) {
- /* success with admin_server but now we need to change the port */
- /* number to use DEFAULT_KPASSWD_PORT. */
- for ( i=0;i<*naddrs;i++ ) {
- struct sockaddr_in *sin = (struct sockaddr_in *) addr_pp[i];
- sin->sin_port = htons(DEFAULT_KPASSWD_PORT);
- }
+ /* Success with admin_server but now we need to change the
+ port number to use DEFAULT_KPASSWD_PORT. */
+ fixup_ports (*addr_pp, *naddrs, DEFAULT_KPASSWD_PORT);
}
}
#ifdef KRB5_DNS_LOOKUP
if (code) {
- int use_dns = _krb5_use_dns(context);
+ int use_dns = _krb5_use_dns_kdc(context);
if ( use_dns ) {
code = krb5_locate_srv_dns(realm, "_kpasswd", "_udp",
addr_pp, naddrs);
@@ -100,18 +105,12 @@ krb5_locate_kpasswd(context, realm, addr_pp, naddrs, master_index, nmasters)
"_tcp",
addr_pp, naddrs);
if ( !code ) {
- /* success with admin_server but now we need to change the port */
- /* number to use DEFAULT_KPASSWD_PORT. */
- for ( i=0;i<*naddrs;i++ ) {
- struct sockaddr_in *sin = (struct sockaddr_in *) addr_pp[i];
- sin->sin_port = htons(DEFAULT_KPASSWD_PORT);
- }
+ /* Success with admin_server but now we need to
+ change the port number to use
+ DEFAULT_KPASSWD_PORT. */
+ fixup_ports (*addr_pp, *naddrs, DEFAULT_KPASSWD_PORT);
}
}
- if ( !code && master_index && nmasters ) {
- *master_index = 1;
- *nmasters = *naddrs;
- }
}
}
#endif /* KRB5_DNS_LOOKUP */
@@ -158,7 +157,7 @@ krb5_change_password(context, creds, newpw, result_code,
if (code = krb5_locate_kpasswd(context,
krb5_princ_realm(context, creds->client),
- &addr_p, &naddr_p,NULL,NULL))
+ &addr_p, &naddr_p))
goto cleanup;
/* this is really obscure. s1 is used for all communications. it
diff --git a/src/lib/krb5/os/def_realm.c b/src/lib/krb5/os/def_realm.c
index 8647f89..b2a9e1d 100644
--- a/src/lib/krb5/os/def_realm.c
+++ b/src/lib/krb5/os/def_realm.c
@@ -24,7 +24,8 @@
* or implied warranty.
*
*
- * krb5_get_default_realm() function.
+ * krb5_get_default_realm(), krb5_set_default_realm(),
+ * krb5_free_default_realm() functions.
*/
#include "k5-int.h"
@@ -103,7 +104,7 @@ krb5_get_default_realm(context, lrealm)
#ifdef KRB5_DNS_LOOKUP
if (context->default_realm == 0) {
- int use_dns = _krb5_use_dns(context);
+ int use_dns = _krb5_use_dns_realm(context);
if ( use_dns ) {
/*
* Since this didn't appear in our config file, try looking
@@ -202,3 +203,11 @@ krb5_set_default_realm(context, lrealm)
return(0);
}
+
+KRB5_DLLIMP void KRB5_CALLCONV
+krb5_free_default_realm(context, lrealm)
+ krb5_context context;
+ char FAR* lrealm;
+{
+ free (lrealm);
+}
diff --git a/src/lib/krb5/os/gmt_mktime.c b/src/lib/krb5/os/gmt_mktime.c
index b231790..1e3eebd 100644
--- a/src/lib/krb5/os/gmt_mktime.c
+++ b/src/lib/krb5/os/gmt_mktime.c
@@ -19,7 +19,7 @@
/* like mktime, this ignores tm_wday and tm_yday. */
/* unlike mktime, this does not set them... it only passes a return value. */
-static const days_in_month[12] = {
+static const int days_in_month[12] = {
0, /* jan 31 */
31, /* feb 28 */
59, /* mar 31 */
diff --git a/src/lib/krb5/os/hst_realm.c b/src/lib/krb5/os/hst_realm.c
index 3c0005c..6aa3083 100644
--- a/src/lib/krb5/os/hst_realm.c
+++ b/src/lib/krb5/os/hst_realm.c
@@ -117,6 +117,8 @@ krb5_try_realm_txt_rr(prefix, name, realm)
*/
if (name == NULL || name[0] == '\0') {
+ if (strlen (prefix) >= sizeof(host)-1)
+ return KRB5_ERR_HOST_REALM_UNKNOWN;
strcpy(host,prefix);
} else {
if ( strlen(prefix) + strlen(name) + 3 > MAX_DNS_NAMELEN )
@@ -134,12 +136,12 @@ krb5_try_realm_txt_rr(prefix, name, realm)
*/
h = host + strlen (host);
- if (h > host && h[-1] != '.')
+ if ((h > host) && (h[-1] != '.') && ((h - host + 1) < sizeof(host)))
strcpy (h, ".");
}
size = res_search(host, C_IN, T_TXT, answer.bytes, sizeof(answer.bytes));
- if (size < 0)
+ if ((size < sizeof(HEADER)) || (size > sizeof(answer.bytes)))
return KRB5_ERR_HOST_REALM_UNKNOWN;
p = answer.bytes;
@@ -312,7 +314,7 @@ krb5_get_host_realm(context, host, realmsp)
#ifdef KRB5_DNS_LOOKUP
if (realm == (char *)NULL) {
- int use_dns = _krb5_use_dns(context);
+ int use_dns = _krb5_use_dns_realm(context);
if ( use_dns ) {
/*
* Since this didn't appear in our config file, try looking
@@ -330,17 +332,6 @@ krb5_get_host_realm(context, host, realmsp)
if (cp)
cp++;
} while (retval && cp && cp[0]);
- if (retval)
- retval = krb5_try_realm_txt_rr("_kerberos", "", &realm);
- if (retval && default_realm) {
- cp = default_realm;
- do {
- retval = krb5_try_realm_txt_rr("_kerberos", cp, &realm);
- cp = strchr(cp,'.');
- if (cp)
- cp++;
- } while (retval && cp && cp[0]);
- }
}
}
#endif /* KRB5_DNS_LOOKUP */
diff --git a/src/lib/krb5/os/init_os_ctx.c b/src/lib/krb5/os/init_os_ctx.c
index 48d8bc2..7cc456c 100644
--- a/src/lib/krb5/os/init_os_ctx.c
+++ b/src/lib/krb5/os/init_os_ctx.c
@@ -27,26 +27,8 @@
*/
#define NEED_WINDOWS
-#include "k5-int.h"
-
-#ifdef macintosh
-OSErr
-GetMacProfileFileSpec (FSSpec* outFileSpec, StringPtr inName, UInt32 whichFolder)
-{
- OSErr err;
-
-
-
- err = FindFolder (kOnSystemDisk, whichFolder, kCreateFolder,
- &(outFileSpec -> vRefNum) , &(outFileSpec -> parID));
-
- if (err == noErr) {
- BlockMoveData (inName, &(outFileSpec -> name), strlen (inName) + 1);
- }
- return err;
-}
-#endif /* macintosh */
+#include "k5-int.h"
#if defined(_MSDOS) || defined(_WIN32)
@@ -185,7 +167,7 @@ static void
free_filespecs(files)
profile_filespec_t *files;
{
-#ifndef macintosh
+#if !TARGET_OS_MAC
char **cp;
if (files == 0)
@@ -203,44 +185,6 @@ os_get_default_config_files(pfiles, secure)
krb5_boolean secure;
{
profile_filespec_t* files;
-#ifdef macintosh
- files = malloc(7 * sizeof(FSSpec));
-
- if (files != 0) {
- OSErr err = GetMacProfileFileSpec(&(files [3]), "\pKerberos Preferences", kApplicationSupportFolderType);
- if (err == noErr) {
- err = GetMacProfileFileSpec( &(files [4]), "\pkrb5.ini", kApplicationSupportFolderType);
- }
- if (err == noErr) {
- err = GetMacProfileFileSpec( &(files [5]), "\pKerberos5 Configuration", kApplicationSupportFolderType);
- }
-
- if (err == noErr) {
- files[6].vRefNum = 0;
- files[6].parID = 0;
- files[6].name[0] = '\0';
- } else {
- files[3].vRefNum = 0;
- files[3].parID = 0;
- files[3].name[0] = '\0';
- }
-
- err = GetMacProfileFileSpec(&(files [0]), "\pKerberos Preferences", kPreferencesFolderType);
- if (err == noErr) {
- err = GetMacProfileFileSpec( &(files [1]), "\pkrb5.ini", kPreferencesFolderType);
- }
- if (err == noErr) {
- err = GetMacProfileFileSpec( &(files [2]), "\pKerberos5 Configuration", kPreferencesFolderType);
- }
-
- if (err != noErr) {
- free (files);
- return ENFILE;
- }
- } else {
- return ENOMEM;
- }
-#else /* !macintosh */
#if defined(_MSDOS) || defined(_WIN32)
krb5_error_code retval = 0;
char *name = 0;
@@ -327,8 +271,7 @@ os_get_default_config_files(pfiles, secure)
/* cap the array */
files[i] = 0;
#endif /* !_MSDOS && !_WIN32 */
-#endif /* !macintosh */
- *pfiles = files;
+ *pfiles = (profile_filespec_t *)files;
return 0;
}
@@ -349,10 +292,11 @@ os_init_paths(ctx)
#endif /* KRB5_DNS_LOOKUP */
retval = os_get_default_config_files(&files, secure);
-
+
if (!retval) {
retval = profile_init((const_profile_filespec_t *) files,
&ctx->profile);
+
#ifdef KRB5_DNS_LOOKUP
/* if none of the filenames can be opened use an empty profile */
if (retval == ENOENT) {
@@ -404,6 +348,7 @@ krb5_os_init_context(ctx)
os_ctx->usec_offset = 0;
os_ctx->os_flags = 0;
os_ctx->default_ccname = 0;
+ os_ctx->default_ccprincipal = 0;
krb5_cc_set_default_name(ctx, NULL);
@@ -427,8 +372,10 @@ krb5_get_profile (ctx, profile)
retval = os_get_default_config_files(&files, ctx->profile_secure);
- if (!retval)
- retval = profile_init((const_profile_filespec_t *) files, profile);
+ if (!retval) {
+ retval = profile_init((const_profile_filespec_t *) files,
+ profile);
+ }
if (files)
free_filespecs(files);
@@ -446,7 +393,6 @@ krb5_get_profile (ctx, profile)
return retval;
}
-#ifndef macintosh
krb5_error_code
krb5_set_config_files(ctx, filenames)
@@ -483,7 +429,6 @@ krb5_free_config_files(filenames)
free_filespecs(filenames);
}
-#endif /* macintosh */
krb5_error_code
krb5_secure_config_files(ctx)
@@ -524,6 +469,11 @@ krb5_os_free_context(ctx)
os_ctx->default_ccname = 0;
}
+ if (os_ctx->default_ccprincipal) {
+ krb5_free_principal (ctx, os_ctx->default_ccprincipal);
+ os_ctx->default_ccprincipal = 0;
+ }
+
os_ctx->magic = 0;
free(os_ctx);
ctx->os_context = 0;
diff --git a/src/lib/krb5/os/kuserok.c b/src/lib/krb5/os/kuserok.c
index ef08037..6d2adb1 100644
--- a/src/lib/krb5/os/kuserok.c
+++ b/src/lib/krb5/os/kuserok.c
@@ -80,8 +80,9 @@ krb5_kuserok(context, principal, luser)
if ((pwd = getpwnam(luser)) == NULL) {
return(FALSE);
}
- (void) strcpy(pbuf, pwd->pw_dir);
- (void) strcat(pbuf, "/.k5login");
+ (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);
+ pbuf[sizeof(pbuf) - 1] = '\0';
+ (void) strncat(pbuf, "/.k5login", sizeof(pbuf) - 1 - strlen(pbuf));
if (access(pbuf, F_OK)) { /* not accessible */
/*
diff --git a/src/lib/krb5/os/localaddr.c b/src/lib/krb5/os/localaddr.c
index 9079500..aaeade6 100644
--- a/src/lib/krb5/os/localaddr.c
+++ b/src/lib/krb5/os/localaddr.c
@@ -1,7 +1,7 @@
/*
* lib/krb5/os/localaddr.c
*
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2000 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -39,6 +39,7 @@
#include <sys/ioctl.h>
#include <sys/time.h>
#include <errno.h>
+#include <stddef.h>
/*
* The SIOCGIF* ioctls require a socket.
@@ -248,6 +249,45 @@ add_addr (void *P_data, struct sockaddr *a)
#define ifreq_size(i) sizeof(struct ifreq)
#endif /* HAVE_SA_LEN*/
+/* SIOCGIFCONF:
+
+ The behavior of this ioctl varies across systems.
+
+ NetBSD 1.5-alpha: The returned ifc_len is the desired amount of
+ space, always. The returned list may be truncated if there isn't
+ enough room; no overrun.
+
+ Solaris 2.7: Return EINVAL if the buffer space is too small,
+ including ifc_len==0. (Not sure if this is "too small for a single
+ entry" or "too small for the entire list"; my Sun has only one
+ interface.) Solaris is the only system I've found so far that
+ actually returns an error.
+
+ AIX 4.3.3: Sometimes the returned ifc_len is bigger than the
+ supplied one, but it may not be big enough for *all* the
+ interfaces. Sometimes it's smaller than the supplied value, even
+ if the returned list is truncated. The list is filled in with as
+ many entries as will fit; no overrun.
+
+ Linux 2.2.12 (RH 6.1 dist, x86): The buffer is filled in with as
+ many entries as will fit, and the size used is returned in ifc_len.
+ The list is truncated if needed, with no indication.
+
+ IRIX 6.5: The buffer is filled in with as many entries as will fit
+ in N-1 bytes, and the size used is returned in ifc_len. Providing
+ exactly the desired number of bytes is inadequate; the buffer must
+ be *bigger* than needed. (E.g., 32->0, 33->32.) The returned
+ ifc_len is always less than the supplied one.
+
+ Digital UNIX 4.0F: If input ifc_len is zero, return an ifc_len
+ that's big enough to include all entries. (Actually, on our
+ system, it appears to be larger than that by 32.) If input ifc_len
+ is nonzero, fill in as many entries as will fit, and set ifc_len
+ accordingly.
+
+ Using this ioctl is going to be messy. Let's just hope that
+ getifaddrs() catches on quickly.... */
+
static int
foreach_localaddr (data, pass1fn, betweenfn, pass2fn)
void *data;
@@ -255,13 +295,17 @@ foreach_localaddr (data, pass1fn, betweenfn, pass2fn)
int (*betweenfn) (void *);
int (*pass2fn) (void *, struct sockaddr *);
{
- struct ifreq *ifr, ifreq;
+ struct ifreq *ifr, ifreq, *ifr2;
struct ifconf ifc;
- int s, code, n, i;
+ int s, code, n, i, j;
int est_if_count = 8, est_ifreq_size;
char *buf = 0;
size_t current_buf_size = 0;
-
+ int fail = 0;
+#ifdef SIOCGSIZIFCONF
+ int ifconfsize = -1;
+#endif
+
s = socket (USE_AF, USE_TYPE, USE_PROTO);
if (s < 0)
return SOCKET_ERRNO;
@@ -269,8 +313,17 @@ foreach_localaddr (data, pass1fn, betweenfn, pass2fn)
/* At least on NetBSD, an ifreq can hold an IPv4 address, but
isn't big enough for an IPv6 or ethernet address. So add a
little more space. */
- est_ifreq_size = sizeof (struct ifreq) + 8;
- current_buf_size = est_ifreq_size * est_if_count;
+ est_ifreq_size = sizeof (struct ifreq) + 16;
+#ifdef SIOCGSIZIFCONF
+ code = ioctl (s, SIOCGSIZIFCONF, &ifconfsize);
+ if (!code) {
+ current_buf_size = ifconfsize;
+ est_if_count = ifconfsize / est_ifreq_size;
+ }
+#endif
+ if (current_buf_size == 0) {
+ current_buf_size = est_ifreq_size * est_if_count;
+ }
buf = malloc (current_buf_size);
ask_again:
@@ -284,12 +337,35 @@ foreach_localaddr (data, pass1fn, betweenfn, pass2fn)
closesocket (s);
return retval;
}
- /* Test that the buffer was big enough that another ifreq could've
+ /* BSD 4.4 and similar systems truncate the address list if the
+ supplied buffer isn't big enough.
+
+ Test that the buffer was big enough that another ifreq could've
fit easily, if the OS wanted to provide one. That seems to be
the only indication we get, complicated by the fact that the
associated address may make the required storage a little
bigger than the size of an ifreq. */
- if (current_buf_size - ifc.ifc_len < sizeof (struct ifreq) + 40) {
+#define SLOP (sizeof (struct ifreq) + 128)
+ if ((current_buf_size - ifc.ifc_len < sizeof (struct ifreq) + SLOP
+ /* On AIX 4.3.3, ifc.ifc_len may be set to a larger size than
+ provided under some circumstances. On my test system, a
+ supplied value of 32..112 gets me 112, but with no data
+ filled in even at 112. But larger input ifc_len values get
+ me larger output values, so it's not necessarily the full
+ desired output buffer size. And as near as I can tell, the
+ ifc_len output has little to do with the offset of the last
+ byte in the buffer actually modified, except that both
+ input and output ifc_len values are higher (i.e., no buffer
+ overrun takes place in my testing). */
+ || current_buf_size < ifc.ifc_len)
+ /* But let's let SIOCGSIZIFCONF dominate, unless we discover
+ it's broken somewhere. */
+#ifdef SIOCGSIZIFCONF
+ && ifconfsize <= 0
+#endif
+ /* And we need *some* sort of bounds. */
+ && current_buf_size <= 100000
+ ) {
int new_size;
char *newbuf;
@@ -307,31 +383,62 @@ foreach_localaddr (data, pass1fn, betweenfn, pass2fn)
}
n = ifc.ifc_len;
-
+ if (n > current_buf_size)
+ n = current_buf_size;
+
+ /* Note: Apparently some systems put the size (used or wanted?)
+ into the start of the buffer, just none that I'm actually
+ using. Fix this when there's such a test system available.
+ The Samba mailing list archives mention that NTP looks for the
+ size on these systems: *-fujitsu-uxp* *-ncr-sysv4*
+ *-univel-sysv*. [raeburn:20010201T2226-05] */
for (i = 0; i < n; i+= ifreq_size(*ifr) ) {
ifr = (struct ifreq *)((caddr_t) ifc.ifc_buf+i);
strncpy(ifreq.ifr_name, ifr->ifr_name, sizeof (ifreq.ifr_name));
- if (ioctl (s, SIOCGIFFLAGS, (char *)&ifreq) < 0
-#ifdef IFF_LOOPBACK
- /* None of the current callers want loopback addresses. */
- || (ifreq.ifr_flags & IFF_LOOPBACK)
-#endif
- /* Ignore interfaces that are down. */
- || !(ifreq.ifr_flags & IFF_UP)) {
+ if (ioctl (s, SIOCGIFFLAGS, (char *)&ifreq) < 0) {
+ skip:
/* mark for next pass */
ifr->ifr_name[0] = 0;
continue;
}
+#ifdef IFF_LOOPBACK
+ /* None of the current callers want loopback addresses. */
+ if (ifreq.ifr_flags & IFF_LOOPBACK)
+ goto skip;
+#endif
+ /* Ignore interfaces that are down. */
+ if (!(ifreq.ifr_flags & IFF_UP))
+ goto skip;
+
+ /* Make sure we didn't process this address already. */
+ for (j = 0; j < i; j += ifreq_size(*ifr2)) {
+ ifr2 = (struct ifreq *)((caddr_t) ifc.ifc_buf+j);
+ if (ifr2->ifr_name[0] == 0)
+ continue;
+ if (ifr2->ifr_addr.sa_family == ifr->ifr_addr.sa_family
+ && ifreq_size (*ifr) == ifreq_size (*ifr2)
+ /* Compare address info. If this isn't good enough --
+ i.e., if random padding bytes turn out to differ
+ when the addresses are the same -- then we'll have
+ to do it on a per address family basis. */
+ && !memcmp (&ifr2->ifr_addr.sa_data, &ifr->ifr_addr.sa_data,
+ (ifreq_size (*ifr)
+ - offsetof (struct ifreq, ifr_addr.sa_data))))
+ goto skip;
+ }
+
if ((*pass1fn) (data, &ifr->ifr_addr)) {
- abort ();
+ fail = 1;
+ goto punt;
}
}
if (betweenfn && (*betweenfn)(data)) {
- abort ();
+ fail = 1;
+ goto punt;
}
if (pass2fn)
@@ -343,13 +450,15 @@ foreach_localaddr (data, pass1fn, betweenfn, pass2fn)
continue;
if ((*pass2fn) (data, &ifr->ifr_addr)) {
- abort ();
+ fail = 1;
+ goto punt;
}
}
+ punt:
closesocket(s);
free (buf);
- return 0;
+ return fail;
}
@@ -376,10 +485,9 @@ krb5_os_localaddr(context, addr)
return r;
}
+ data.cur_idx++; /* null termination */
if (data.mem_err)
return ENOMEM;
- else if (data.cur_idx == 0)
- abort ();
else if (data.cur_idx == data.count)
*addr = data.addr_temp;
else {
@@ -396,14 +504,13 @@ krb5_os_localaddr(context, addr)
return 0;
}
-#else /* Windows/Mac version */
+#elif defined(_MSDOS) || defined(_WIN32) /* Windows version */
/*
* Hold on to your lunch! Backup kludge method of obtaining your
* local IP address, courtesy of Windows Socket Network Programming,
* by Robert Quinn
*/
-#if defined(_MSDOS) || defined(_WIN32)
static struct hostent *local_addr_fallback_kludge()
{
static struct hostent host;
@@ -442,7 +549,6 @@ static struct hostent *local_addr_fallback_kludge()
return &host;
}
-#endif
/* No ioctls in winsock so we just assume there is only one networking
* card per machine, so gethostent is good enough.
@@ -473,6 +579,8 @@ krb5_os_localaddr (krb5_context context, krb5_address ***addr) {
hostrec = local_addr_fallback_kludge();
if (!hostrec)
return err;
+ else
+ err = 0; /* otherwise we will die at cleanup */
}
for (count = 0; hostrec->h_addr_list[count]; count++);
@@ -526,4 +634,79 @@ krb5_os_localaddr (krb5_context context, krb5_address ***addr) {
return(err);
}
+
+#else
+
+/* Mac OS 9 version */
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+krb5_os_localaddr (krb5_context context, krb5_address ***addr)
+{
+ // First, build the new list
+ krb5_address ** addresses = NULL;
+ SInt32 interfaceCount;
+ SInt32 interfaceIndex;
+ InetInterfaceInfo info;
+ krb5_error_code err = 0;
+
+ // Loop over the addressed once so we know how many there are
+ for (interfaceCount = 0; err == noErr; interfaceCount++) {
+ err = OTInetGetInterfaceInfo (&info, interfaceCount);
+ }
+
+ // Allocate storage for the address list
+ addresses = (krb5_address **) malloc( sizeof (krb5_address *) * (interfaceCount + 1));
+ if (addresses == NULL) {
+ err = ENOMEM;
+ goto cleanup;
+ }
+
+ // Set the pointers to NULL so we will have a termination pointer
+ memset (addresses, 0, sizeof (krb5_address *) * (interfaceCount + 1));
+
+ // Look up the addresses and store them in the list
+ for (interfaceIndex = 0; interfaceIndex < interfaceCount; interfaceIndex++) {
+ err = OTInetGetInterfaceInfo (&info, interfaceIndex);
+ if (err != noErr) {
+ err = 0;
+ break;
+ }
+
+ addresses[interfaceIndex] = (krb5_address *) malloc (sizeof (krb5_address));
+ if (addresses[interfaceIndex] == NULL) {
+ err = ENOMEM;
+ goto cleanup;
+ }
+
+ addresses[interfaceIndex]->magic = KV5M_ADDRESS;
+ addresses[interfaceIndex]->addrtype = AF_INET;
+ addresses[interfaceIndex]->length = INADDRSZ;
+ addresses[interfaceIndex]->contents = (unsigned char *) malloc (addresses[interfaceIndex]->length);
+ if (addresses[interfaceIndex]->contents == NULL) {
+ err = ENOMEM;
+ goto cleanup;
+ }
+
+ memcpy(addresses[interfaceIndex]->contents, &info.fAddress, addresses[interfaceIndex]->length);
+ }
+
+cleanup:
+ if (err) {
+ if (addresses != NULL) {
+ for (interfaceIndex = 0; interfaceIndex < interfaceCount; interfaceIndex++) {
+ if (addresses[interfaceIndex] != NULL) {
+ if (addresses[interfaceIndex]->contents != NULL) {
+ free (addresses[interfaceIndex]->contents);
+ }
+ free (addresses[interfaceIndex]);
+ }
+ }
+ free(addresses);
+ }
+ } else {
+ *addr = addresses;
+ }
+
+ return(err);
+
+}
#endif
diff --git a/src/lib/krb5/os/locate_kdc.c b/src/lib/krb5/os/locate_kdc.c
index fcdfa03..6668bbf 100644
--- a/src/lib/krb5/os/locate_kdc.c
+++ b/src/lib/krb5/os/locate_kdc.c
@@ -53,29 +53,57 @@
#define KPASSWD_PORTNAME "kpasswd"
#endif
-int
-_krb5_use_dns(context)
- krb5_context context;
+#if KRB5_DNS_LOOKUP_KDC
+#define DEFAULT_LOOKUP_KDC 1
+#else
+#define DEFAULT_LOOKUP_KDC 0
+#endif
+#if KRB5_DNS_LOOKUP_REALM
+#define DEFAULT_LOOKUP_REALM 1
+#else
+#define DEFAULT_LOOKUP_REALM 0
+#endif
+
+static int
+maybe_use_dns (context, name, defalt)
+ krb5_context context;
+ const char *name;
+ int defalt;
{
krb5_error_code code;
char * value = NULL;
int use_dns = 0;
code = profile_get_string(context->profile, "libdefaults",
- "dns_fallback", 0,
- context->profile_in_memory?"1":"0",
- &value);
+ name, 0, 0, &value);
+ if (value == 0 && code == 0)
+ code = profile_get_string(context->profile, "libdefaults",
+ "dns_fallback", 0, 0, &value);
if (code)
- return(code);
+ return defalt;
- if (value) {
- use_dns = _krb5_conf_boolean(value);
- profile_release_string(value);
- }
+ if (value == 0)
+ return defalt;
+ use_dns = _krb5_conf_boolean(value);
+ profile_release_string(value);
return use_dns;
}
+int
+_krb5_use_dns_kdc(context)
+ krb5_context context;
+{
+ return maybe_use_dns (context, "dns_lookup_kdc", DEFAULT_LOOKUP_KDC);
+}
+
+int
+_krb5_use_dns_realm(context)
+ krb5_context context;
+{
+ return maybe_use_dns (context, "dns_lookup_realm", DEFAULT_LOOKUP_REALM);
+}
+
#endif /* KRB5_DNS_LOOKUP */
/*
@@ -85,14 +113,13 @@ _krb5_use_dns(context)
*/
krb5_error_code
-krb5_locate_srv_conf(context, realm, name, addr_pp, naddrs, master_index, nmasters)
+krb5_locate_srv_conf(context, realm, name, addr_pp, naddrs, get_masters)
krb5_context context;
const krb5_data *realm;
const char * name;
struct sockaddr **addr_pp;
int *naddrs;
- int *master_index;
- int *nmasters;
+ int get_masters;
{
const char *realm_srv_names[4];
char **masterlist, **hostlist, *host, *port, *cp;
@@ -162,10 +189,7 @@ krb5_locate_srv_conf(context, realm, name, addr_pp, naddrs, master_index, nmaste
return 0;
}
- if (master_index) {
- *master_index = 0;
- *nmasters = 0;
-
+ if (get_masters) {
realm_srv_names[0] = "realms";
realm_srv_names[1] = host;
realm_srv_names[2] = "admin_server";
@@ -209,8 +233,10 @@ krb5_locate_srv_conf(context, realm, name, addr_pp, naddrs, master_index, nmaste
addr_p = (struct sockaddr *)malloc (sizeof (struct sockaddr) * count);
if (addr_p == NULL) {
- profile_free_list(hostlist);
- profile_free_list(masterlist);
+ if (hostlist)
+ profile_free_list(hostlist);
+ if (masterlist)
+ profile_free_list(masterlist);
return ENOMEM;
}
@@ -239,12 +265,12 @@ krb5_locate_srv_conf(context, realm, name, addr_pp, naddrs, master_index, nmaste
if (masterlist) {
for (j=0; masterlist[j]; j++) {
if (strcasecmp(hostlist[i], masterlist[j]) == 0) {
- *master_index = out;
ismaster = 1;
}
}
}
+ if ( !get_masters || ismaster ) {
switch (hp->h_addrtype) {
#ifdef HAVE_NETINET_IN_H
@@ -263,8 +289,10 @@ krb5_locate_srv_conf(context, realm, name, addr_pp, naddrs, master_index, nmaste
realloc ((char *)addr_p,
sizeof(struct sockaddr) * count);
if (addr_p == NULL) {
- profile_free_list(hostlist);
- profile_free_list(masterlist);
+ if (hostlist)
+ profile_free_list(hostlist);
+ if (masterlist)
+ profile_free_list(masterlist);
return ENOMEM;
}
}
@@ -279,12 +307,13 @@ krb5_locate_srv_conf(context, realm, name, addr_pp, naddrs, master_index, nmaste
default:
break;
}
- if (ismaster)
- *nmasters = out - *master_index;
+ }
}
- profile_free_list(hostlist);
- profile_free_list(masterlist);
+ if (hostlist)
+ profile_free_list(hostlist);
+ if (masterlist)
+ profile_free_list(masterlist);
if (out == 0) { /* Couldn't resolve any KDC names */
free (addr_p);
@@ -362,7 +391,7 @@ krb5_locate_srv_dns(realm, service, protocol, addr_pp, naddrs)
size = res_search(host, C_IN, T_SRV, answer.bytes, sizeof(answer.bytes));
- if (size < hdrsize)
+ if ((size < hdrsize) || (size > sizeof(answer.bytes)))
goto out;
/*
@@ -564,78 +593,29 @@ krb5_locate_srv_dns(realm, service, protocol, addr_pp, naddrs)
*/
krb5_error_code
-krb5_locate_kdc(context, realm, addr_pp, naddrs, master_index, nmasters)
+krb5_locate_kdc(context, realm, addr_pp, naddrs, get_masters)
krb5_context context;
const krb5_data *realm;
struct sockaddr **addr_pp;
int *naddrs;
- int *master_index;
- int *nmasters;
+ int get_masters;
{
krb5_error_code code;
-#ifdef KRB5_DNS_LOOKUP
- struct sockaddr *admin_addr_p, *kdc_addr_p;
- int nadmin_addrs, nkdc_addrs;
- int i,j;
-#endif /* KRB5_DNS_LOOKUP */
/*
* We always try the local file first
*/
code = krb5_locate_srv_conf(context, realm, "kdc", addr_pp, naddrs,
- master_index, nmasters);
+ get_masters);
#ifdef KRB5_DNS_LOOKUP
if (code) {
- int use_dns = _krb5_use_dns(context);
+ int use_dns = _krb5_use_dns_kdc(context);
if ( use_dns ) {
- code = krb5_locate_srv_dns(realm, "_kerberos", "_udp",
- addr_pp, naddrs);
- if ( master_index && nmasters ) {
-
- code = krb5_locate_srv_dns(realm, "_kerberos-adm", "_tcp",
- &admin_addr_p, &nadmin_addrs);
- if ( code ) {
- free(*addr_pp);
- *addr_pp = NULL;
- *naddrs = 0;
- return(code);
- }
-
- kdc_addr_p = *addr_pp;
- nkdc_addrs = *naddrs;
-
- *naddrs = 0;
- *addr_pp = (struct sockaddr *) malloc(sizeof(*kdc_addr_p));
- if ( *addr_pp == NULL ) {
- free(kdc_addr_p);
- free(admin_addr_p);
- return ENOMEM;
- }
-
- for ( i=0; i<nkdc_addrs; i++ ) {
- for ( j=0 ; j<nadmin_addrs; j++) {
- if ( !memcmp(&kdc_addr_p[i].sa_data[2],&admin_addr_p[j].sa_data[2],4) ) {
- memcpy(&(*addr_pp)[(*naddrs)],&kdc_addr_p[i],
- sizeof(struct sockaddr));
- (*naddrs)++;
- break;
- }
- }
- }
-
- free(kdc_addr_p);
- free(admin_addr_p);
-
- if ( *naddrs == 0 ) {
- free(*addr_pp);
- *addr_pp = NULL;
- return KRB5_REALM_CANT_RESOLVE;
- }
- *master_index = 1;
- *nmasters = *naddrs;
- }
+ code = krb5_locate_srv_dns(realm,
+ get_masters ? "_kerberos-master" : "_kerberos",
+ "_udp", addr_pp, naddrs);
}
}
#endif /* KRB5_DNS_LOOKUP */
diff --git a/src/lib/krb5/os/os-proto.h b/src/lib/krb5/os/os-proto.h
index fed7a81..a6b67f1 100644
--- a/src/lib/krb5/os/os-proto.h
+++ b/src/lib/krb5/os/os-proto.h
@@ -36,8 +36,7 @@ krb5_error_code krb5_locate_kdc
const krb5_data *,
struct sockaddr **,
int *,
- int *,
- int *));
+ int));
#endif
#ifdef HAVE_NETINET_IN_H
diff --git a/src/lib/krb5/os/prompter.c b/src/lib/krb5/os/prompter.c
index 933ff2c..8dc985c 100644
--- a/src/lib/krb5/os/prompter.c
+++ b/src/lib/krb5/os/prompter.c
@@ -117,6 +117,18 @@ krb5_prompter_posix(krb5_context context,
cleanup:
(void) signal(SIGINT, ointrfunc);
+#ifndef ECHO_PASSWORD
+ if (i < num_prompts) {
+ if (prompts[i].hidden) {
+ (void)putchar('\n');
+ if (isatty(fd) == 1) {
+ if ((tcsetattr(fd, TCSANOW, &save_control) == -1
+ && errcode == 0))
+ return errno;
+ }
+ }
+ }
+#endif
return(errcode);
}
#else /* MSDOS */
@@ -235,7 +247,7 @@ krb5int_set_prompt_types(context, types)
krb5_context context;
krb5_prompt_type *types;
{
- context->prompt_types = 0;
+ context->prompt_types = types;
}
KRB5_DLLIMP
diff --git a/src/lib/krb5/os/promptusr.c b/src/lib/krb5/os/promptusr.c
index 3ac3d4f..a3a185b 100644
--- a/src/lib/krb5/os/promptusr.c
+++ b/src/lib/krb5/os/promptusr.c
@@ -162,4 +162,4 @@ main(int argc, char **argv)
#endif
-#endif /* !_MSODS || _!MACINTOSH */
+#endif /* !_MSDOS || _!MACINTOSH */
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
index 01b797e..47f2408 100644
--- a/src/lib/krb5/os/sendto_kdc.c
+++ b/src/lib/krb5/os/sendto_kdc.c
@@ -60,16 +60,16 @@ extern int krb5_skdc_timeout_shift;
extern int krb5_skdc_timeout_1;
krb5_error_code
-krb5_sendto_kdc (context, message, realm, reply, master)
+krb5_sendto_kdc (context, message, realm, reply, use_master)
krb5_context context;
const krb5_data * message;
const krb5_data * realm;
krb5_data * reply;
- int *master;
+ int use_master;
{
register int timeout, host, i;
struct sockaddr *addr;
- int naddr, master_index, nmasters;
+ int naddr;
int sent, nready;
krb5_error_code retval;
SOCKET *socklist;
@@ -81,14 +81,10 @@ krb5_sendto_kdc (context, message, realm, reply, master)
* find KDC location(s) for realm
*/
- if (retval = krb5_locate_kdc (context, realm, &addr, &naddr,
- master?&master_index:NULL,
- master?&nmasters:NULL))
+ if (retval = krb5_locate_kdc (context, realm, &addr, &naddr, use_master))
return retval;
if (naddr == 0)
- return KRB5_REALM_UNKNOWN;
- if (master && (*master == 1) && (nmasters == 0))
- return KRB5_KDC_UNREACH;
+ return (use_master ? KRB5_KDC_UNREACH : KRB5_REALM_UNKNOWN);
socklist = (SOCKET *)malloc(naddr * sizeof(SOCKET));
if (socklist == NULL) {
@@ -128,12 +124,6 @@ krb5_sendto_kdc (context, message, realm, reply, master)
timeout <<= krb5_skdc_timeout_shift) {
sent = 0;
for (host = 0; host < naddr; host++) {
- /* if a master kdc is required, skip the non-master kdc's */
-
- if (master && (*master == 1) &&
- ((host < master_index) || (host >= (master_index+nmasters))))
- continue;
-
/* send to the host, wait timeout seconds for a response,
then move on. */
/* cache some sockets for each host */
@@ -211,12 +201,6 @@ krb5_sendto_kdc (context, message, realm, reply, master)
reply->length = cc;
retval = 0;
- /* if the caller asked to be informed if it
- got a master kdc, tell it */
- if (master)
- *master = ((host >= master_index) &&
- (host < (master_index+nmasters)));
-
goto out;
} else if (nready == 0) {
/* timeout */
diff --git a/src/lib/krb5/os/t_std_conf.c b/src/lib/krb5/os/t_std_conf.c
index 0846b1c..a95c67a 100644
--- a/src/lib/krb5/os/t_std_conf.c
+++ b/src/lib/krb5/os/t_std_conf.c
@@ -110,14 +110,14 @@ void test_locate_kdc(ctx, realm)
struct sockaddr *addrs;
struct sockaddr_in *sin;
int i, naddrs;
- int master_index, nmasters;
+ int get_masters=0;
krb5_data rlm;
krb5_error_code retval;
rlm.data = realm;
rlm.length = strlen(realm);
retval = krb5_locate_kdc(ctx, &rlm, &addrs, &naddrs,
- &master_index, &nmasters);
+ get_masters);
if (retval) {
com_err("krb5_get_krbhst", retval, 0);
return;
diff --git a/src/lib/krb5/os/timeofday.c b/src/lib/krb5/os/timeofday.c
index 11dffd7..9ae528e 100644
--- a/src/lib/krb5/os/timeofday.c
+++ b/src/lib/krb5/os/timeofday.c
@@ -48,12 +48,12 @@ krb5_timeofday(context, timeret)
*timeret = os_ctx->time_offset;
return 0;
}
-#ifdef macintosh
+#if TARGET_OS_MAC
{
- long usecs;
+ krb5_int32 usecs;
krb5_error_code kret;
- if (kret = krb5_crypto_us_timeofday(&tval, &usecs))
+ if (kret = krb5_crypto_us_timeofday((krb5_int32 *)&tval, &usecs))
return kret;
}
#else
diff --git a/src/lib/krb5/os/toffset.c b/src/lib/krb5/os/toffset.c
index 72d301d..59c7252 100644
--- a/src/lib/krb5/os/toffset.c
+++ b/src/lib/krb5/os/toffset.c
@@ -91,7 +91,7 @@ krb5_use_natural_time(context)
/*
* This routine returns the current time offsets in use.
*/
-krb5_error_code
+krb5_error_code KRB5_CALLCONV
krb5_get_time_offsets(context, seconds, microseconds)
krb5_context context;
krb5_int32 *seconds, *microseconds;
diff --git a/src/lib/krb5/posix/ChangeLog b/src/lib/krb5/posix/ChangeLog
index e90e47b..c2527aa 100644
--- a/src/lib/krb5/posix/ChangeLog
+++ b/src/lib/krb5/posix/ChangeLog
@@ -1,3 +1,14 @@
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * setenv.c: Updated macros to removed warning about prototype
+ with no function definition
+
+2000-04-28 Ken Raeburn <raeburn@mit.edu>
+ Nalin Dahyabhai <nalin@redhat.com>
+
+ * syslog.c (vsyslog): Use strncpy and strncat instead of strcpy
+ and strcat when adding to buffer "tbuf". If calling vsprintf,
+ abort if it appears to have overrun the buffer.
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/lib/krb5/posix/setenv.c b/src/lib/krb5/posix/setenv.c
index 7072d7e..422c962 100644
--- a/src/lib/krb5/posix/setenv.c
+++ b/src/lib/krb5/posix/setenv.c
@@ -45,7 +45,9 @@
#ifndef __P
#define __P(x) ()
#endif
+#if (!HAVE_GETENV || !HAVE_SETENV || !HAVE_UNSETENV)
static char *__findenv __P((const char *, int *));
+#endif
/*
* setenv --
diff --git a/src/lib/krb5/posix/syslog.c b/src/lib/krb5/posix/syslog.c
index 31e7874..f7ddbff 100644
--- a/src/lib/krb5/posix/syslog.c
+++ b/src/lib/krb5/posix/syslog.c
@@ -115,7 +115,7 @@ vsyslog(pri, fmt, ap)
(void)sprintf(tbuf, "<%d>%.15s ", pri, ctime(&now) + 4);
for (p = tbuf; *p; ++p);
if (LogTag) {
- (void)strcpy(p, LogTag);
+ (void)strncpy(p, LogTag, sizeof(tbuf) - 1 - (p - tbuf));
for (; *p; ++p);
}
if (LogStat & LOG_PID) {
@@ -146,6 +146,11 @@ vsyslog(pri, fmt, ap)
}
(void)vsprintf(p, fmt_cpy, ap);
+ /* Bounds checking?? If a system doesn't have syslog, we
+ probably can't rely on it having vsnprintf either. Try not
+ to let a buffer overrun be exploited. */
+ if (strlen (tbuf) >= sizeof (tbuf))
+ abort ();
/* output the message to the local logger */
if (send(LogFile, tbuf, cnt = strlen(tbuf), 0) >= 0 ||
@@ -169,7 +174,8 @@ vsyslog(pri, fmt, ap)
if ((fd = open(CONSOLE, O_WRONLY, 0)) < 0)
return;
(void)alarm((u_int)0);
- (void)strcat(tbuf, "\r");
+ tbuf[sizeof(tbuf) - 1] = '\0';
+ (void)strncat(tbuf, "\r", sizeof(tbuf) - 1 - strlen(tbuf));
p = strchr(tbuf, '>') + 1;
(void)write(fd, p, cnt + 1 - (p - tbuf));
(void)close(fd);
diff --git a/src/lib/krb5/rcache/ChangeLog b/src/lib/krb5/rcache/ChangeLog
index a3b8b4f..9683a88 100644
--- a/src/lib/krb5/rcache/ChangeLog
+++ b/src/lib/krb5/rcache/ChangeLog
@@ -1,3 +1,25 @@
+2001-10-29 Miro Jurisic <meeroh@mit.edu>
+ * pullup from krb5-1-2 branch after krb5-1-2-2-bp
+ * rc_io.c, rc_dfl.c: use "" includes for krb5.h and k5-int.h
+
+2001-01-23 Tom Yu <tlyu@mit.edu>
+
+ * rc_io.c (getdir, krb5_rc_io_creat): Undo prior fudge; dirlen
+ will now not include trailing NUL character.
+
+2001-01-17 Tom Yu <tlyu@mit.edu>
+
+ * rc_io.c (krb5_rc_io_creat): Fudge for dirlen including trailing
+ NUL character.
+ (krb5_rc_io_move): When renaming OLD to NEW, don't copy the
+ filename. This was causing temporary files to get leaked.
+ (krb5_rc_io_close): Don't FREE if d->fn is NULL.
+
+2000-04-28 Nalin Dahyabhai <nalin@redhat.com>
+
+ * rc_io.c (getdir): Don't check dirlen again, the call sites
+ always do. Fix dirlen calculation.
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c
index a86f42e..4760e59 100644
--- a/src/lib/krb5/rcache/rc_dfl.c
+++ b/src/lib/krb5/rcache/rc_dfl.c
@@ -14,7 +14,7 @@
#include "rc_base.h"
#include "rc_dfl.h"
#include "rc_io.h"
-#include <k5-int.h>
+#include "k5-int.h"
/*
If NOIOSTUFF is defined at compile time, dfl rcaches will be per-process.
diff --git a/src/lib/krb5/rcache/rc_io.c b/src/lib/krb5/rcache/rc_io.c
index d45c7a1..f29c161 100644
--- a/src/lib/krb5/rcache/rc_io.c
+++ b/src/lib/krb5/rcache/rc_io.c
@@ -21,7 +21,7 @@
#define NEED_SOCKETS
#define NEED_LOWLEVEL_IO
-#include <krb5.h>
+#include "krb5.h"
#include <stdio.h> /* for P_tmpdir */
#include "rc_base.h"
#include "rc_dfl.h"
@@ -57,13 +57,11 @@ static char *dir;
static void getdir()
{
- if (!dirlen)
- {
if (!(dir = getenv("KRB5RCACHEDIR")))
#if defined(_MSDOS) || defined(_WIN32)
if (!(dir = getenv("TEMP")))
if (!(dir = getenv("TMP")))
- dir = "C:\\";
+ dir = "C:";
#else
if (!(dir = getenv("TMPDIR")))
#ifdef RCTMPDIR
@@ -72,8 +70,7 @@ static void getdir()
dir = "/tmp";
#endif
#endif
- dirlen = strlen(dir) + 1;
- }
+ dirlen = strlen(dir) + sizeof(PATH_SEPARATOR) - 1;
}
krb5_error_code krb5_rc_io_creat (context, d, fn)
@@ -245,33 +242,32 @@ krb5_error_code krb5_rc_io_move (context, new, old)
krb5_rc_iostuff *new;
krb5_rc_iostuff *old;
{
+ char *fn = NULL;
+
#if defined(_MSDOS) || defined(_WIN32)
/*
* Work around provided by Tom Sanfilippo to work around poor
* Windows emulation of POSIX functions. Rename and dup has
* different semantics!
*/
- char *fn = NULL;
GETDIR;
close(new->fd);
unlink(new->fn);
close(old->fd);
if (rename(old->fn,new->fn) == -1) /* MUST be atomic! */
return KRB5_RC_IO_UNKNOWN;
- if (!(fn = malloc(strlen(new->fn) - dirlen + 1)))
- return KRB5_RC_IO_MALLOC;
- strcpy(fn, new->fn + dirlen);
+ fn = new->fn;
+ new->fn = NULL; /* avoid clobbering */
krb5_rc_io_close(context, new);
krb5_rc_io_open(context, new, fn);
free(fn);
#else
if (rename(old->fn,new->fn) == -1) /* MUST be atomic! */
return KRB5_RC_IO_UNKNOWN;
+ fn = new->fn;
+ new->fn = NULL; /* avoid clobbering */
(void) krb5_rc_io_close(context, new);
- new->fn = malloc(strlen(old->fn)+1);
- if (new->fn == 0)
- return ENOMEM;
- strcpy(new->fn, old->fn);
+ new->fn = fn;
#ifdef macintosh
new->fd = fcntl(old->fd, F_DUPFD);
#else
@@ -342,7 +338,8 @@ krb5_error_code krb5_rc_io_close (context, d)
krb5_context context;
krb5_rc_iostuff *d;
{
- FREE(d->fn);
+ if (d->fn != NULL)
+ FREE(d->fn);
d->fn = NULL;
if (close(d->fd) == -1) /* can't happen */
return KRB5_RC_IO_UNKNOWN;
generated by cgit v1.1 at 2024-08-01 15:58:05 +0000