aboutsummaryrefslogtreecommitdiff
path: root/src/lib
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/ChangeLog56
-rw-r--r--src/lib/Makefile.in2
-rw-r--r--src/lib/crypto/ChangeLog50
-rw-r--r--src/lib/crypto/Makefile.in247
-rw-r--r--src/lib/crypto/aes/ChangeLog15
-rw-r--r--src/lib/crypto/aes/Makefile.in5
-rw-r--r--src/lib/crypto/aes/aes_s2k.c40
-rw-r--r--src/lib/crypto/aes/uitypes.h2
-rw-r--r--src/lib/crypto/arcfour/Makefile.in11
-rw-r--r--src/lib/crypto/checksum_length.c2
-rw-r--r--src/lib/crypto/cksumtypes.c8
-rw-r--r--src/lib/crypto/combine_keys.c22
-rw-r--r--src/lib/crypto/crc32/Makefile.in5
-rw-r--r--src/lib/crypto/des/Makefile.in59
-rw-r--r--src/lib/crypto/dk/ChangeLog20
-rw-r--r--src/lib/crypto/dk/Makefile.in28
-rw-r--r--src/lib/crypto/dk/dk.h19
-rw-r--r--src/lib/crypto/dk/dk_decrypt.c51
-rw-r--r--src/lib/crypto/dk/dk_encrypt.c174
-rw-r--r--src/lib/crypto/enc_provider/ChangeLog11
-rw-r--r--src/lib/crypto/enc_provider/Makefile.in26
-rw-r--r--src/lib/crypto/enc_provider/aes.c78
-rw-r--r--src/lib/crypto/etypes.c58
-rw-r--r--src/lib/crypto/hash_provider/Makefile.in24
-rw-r--r--src/lib/crypto/keyhash_provider/Makefile.in28
-rw-r--r--src/lib/crypto/make_checksum.c7
-rw-r--r--src/lib/crypto/mandatory_sumtype.c41
-rw-r--r--src/lib/crypto/md4/Makefile.in5
-rw-r--r--src/lib/crypto/md5/Makefile.in5
-rw-r--r--src/lib/crypto/old/ChangeLog6
-rw-r--r--src/lib/crypto/old/Makefile.in19
-rw-r--r--src/lib/crypto/old/des_stringtokey.c17
-rw-r--r--src/lib/crypto/pbkdf2.c27
-rw-r--r--src/lib/crypto/raw/Makefile.in10
-rw-r--r--src/lib/crypto/sha1/Makefile.in6
-rw-r--r--src/lib/crypto/string_to_key.c15
-rw-r--r--src/lib/crypto/yarrow/Makefile.in15
-rw-r--r--src/lib/des425/ChangeLog5
-rw-r--r--src/lib/des425/Makefile.in109
-rw-r--r--src/lib/des425/quad_cksum.c4
-rw-r--r--src/lib/des425/t_pcbc.c2
-rw-r--r--src/lib/des425/t_quad.c2
-rw-r--r--src/lib/des425/verify.c2
-rw-r--r--src/lib/gssapi/ChangeLog5
-rw-r--r--src/lib/gssapi/Makefile.in1
-rw-r--r--src/lib/gssapi/generic/ChangeLog17
-rw-r--r--src/lib/gssapi/generic/Makefile.in36
-rw-r--r--src/lib/gssapi/generic/gssapiP_generic.h14
-rw-r--r--src/lib/gssapi/generic/util_ordering.c56
-rw-r--r--src/lib/gssapi/generic/util_token.c25
-rw-r--r--src/lib/gssapi/gss_libinit.c3
-rw-r--r--src/lib/gssapi/krb5/ChangeLog158
-rw-r--r--src/lib/gssapi/krb5/Makefile.in144
-rw-r--r--src/lib/gssapi/krb5/accept_sec_context.c176
-rw-r--r--src/lib/gssapi/krb5/acquire_cred.c10
-rw-r--r--src/lib/gssapi/krb5/delete_sec_context.c5
-rw-r--r--src/lib/gssapi/krb5/gssapiP_krb5.h61
-rw-r--r--src/lib/gssapi/krb5/gssapi_krb5.c137
-rw-r--r--src/lib/gssapi/krb5/gssapi_krb5.h3
-rw-r--r--src/lib/gssapi/krb5/init_sec_context.c1017
-rw-r--r--src/lib/gssapi/krb5/inq_cred.c25
-rw-r--r--src/lib/gssapi/krb5/k5seal.c75
-rw-r--r--src/lib/gssapi/krb5/k5sealv3.c476
-rw-r--r--src/lib/gssapi/krb5/k5unseal.c43
-rw-r--r--src/lib/gssapi/krb5/rel_cred.c6
-rw-r--r--src/lib/gssapi/krb5/ser_sctx.c46
-rw-r--r--src/lib/gssapi/krb5/set_ccache.c79
-rw-r--r--src/lib/gssapi/krb5/wrap_size_limit.c26
-rw-r--r--src/lib/gssapi32.def15
-rw-r--r--src/lib/kadm5/ChangeLog20
-rw-r--r--src/lib/kadm5/Makefile.in62
-rw-r--r--src/lib/kadm5/alt_prof.c27
-rw-r--r--src/lib/kadm5/clnt/Makefile.in65
-rw-r--r--src/lib/kadm5/srv/ChangeLog16
-rw-r--r--src/lib/kadm5/srv/Makefile.in188
-rw-r--r--src/lib/kadm5/srv/server_kdb.c16
-rw-r--r--src/lib/kadm5/srv/svr_principal.c138
-rw-r--r--src/lib/kadm5/unit-test/ChangeLog23
-rw-r--r--src/lib/kadm5/unit-test/api.0/init.exp4
-rw-r--r--src/lib/kadm5/unit-test/api.1/lock.exp64
-rw-r--r--src/lib/kadm5/unit-test/api.2/init-v2.exp4
-rw-r--r--src/lib/kadm5/unit-test/api.2/init.exp4
-rw-r--r--src/lib/kdb/ChangeLog28
-rw-r--r--src/lib/kdb/Makefile.in73
-rw-r--r--src/lib/kdb/keytab.c49
-rw-r--r--src/lib/krb4/ChangeLog129
-rw-r--r--src/lib/krb4/Makefile.in48
-rw-r--r--src/lib/krb4/RealmsConfig-glue.c263
-rw-r--r--src/lib/krb4/change_password.c3
-rw-r--r--src/lib/krb4/configure.in8
-rw-r--r--src/lib/krb4/err_txt.c13
-rw-r--r--src/lib/krb4/g_ad_tkt.c9
-rw-r--r--src/lib/krb4/g_cnffile.c12
-rw-r--r--src/lib/krb4/g_in_tkt.c4
-rw-r--r--src/lib/krb4/g_pw_in_tkt.c2
-rw-r--r--src/lib/krb4/kadm_stream.c10
-rw-r--r--src/lib/krb4/lifetime.c109
-rw-r--r--src/lib/krb4/mk_auth.c1
-rw-r--r--src/lib/krb4/mk_req.c7
-rw-r--r--src/lib/krb4/password_to_key.c4
-rw-r--r--src/lib/krb4_32.def30
-rw-r--r--src/lib/krb5/Makefile.in8
-rw-r--r--src/lib/krb5/asn.1/ChangeLog100
-rw-r--r--src/lib/krb5/asn.1/Makefile.in73
-rw-r--r--src/lib/krb5/asn.1/asn1_decode.c46
-rw-r--r--src/lib/krb5/asn.1/asn1_decode.h2
-rw-r--r--src/lib/krb5/asn.1/asn1_k_decode.c101
-rw-r--r--src/lib/krb5/asn.1/asn1_k_decode.h4
-rw-r--r--src/lib/krb5/asn.1/asn1_k_encode.c43
-rw-r--r--src/lib/krb5/asn.1/asn1_k_encode.h7
-rw-r--r--src/lib/krb5/asn.1/krb5_decode.c62
-rw-r--r--src/lib/krb5/asn.1/krb5_encode.c73
-rw-r--r--src/lib/krb5/ccache/ChangeLog94
-rw-r--r--src/lib/krb5/ccache/Makefile.in61
-rw-r--r--src/lib/krb5/ccache/cc_file.c16
-rw-r--r--src/lib/krb5/ccache/cc_memory.c16
-rw-r--r--src/lib/krb5/ccache/cc_mslsa.c1429
-rw-r--r--src/lib/krb5/ccache/cc_retr.c64
-rw-r--r--src/lib/krb5/ccache/ccbase.c16
-rw-r--r--src/lib/krb5/ccache/ccdefault.c28
-rw-r--r--src/lib/krb5/error_tables/.Sanitize1
-rw-r--r--src/lib/krb5/error_tables/ChangeLog27
-rw-r--r--src/lib/krb5/error_tables/Makefile.in22
-rw-r--r--src/lib/krb5/error_tables/init_ets.c14
-rw-r--r--src/lib/krb5/error_tables/krb524_err.et34
-rw-r--r--src/lib/krb5/error_tables/krb5_err.et4
-rw-r--r--src/lib/krb5/keytab/ChangeLog16
-rw-r--r--src/lib/krb5/keytab/Makefile.in54
-rw-r--r--src/lib/krb5/keytab/kt_file.c26
-rw-r--r--src/lib/krb5/keytab/ktbase.c7
-rw-r--r--src/lib/krb5/krb/.Sanitize4
-rw-r--r--src/lib/krb5/krb/ChangeLog308
-rw-r--r--src/lib/krb5/krb/Makefile.in521
-rw-r--r--src/lib/krb5/krb/auth_con.c220
-rw-r--r--src/lib/krb5/krb/auth_con.h10
-rw-r--r--src/lib/krb5/krb/chpw.c322
-rw-r--r--src/lib/krb5/krb/conv_creds.c277
-rw-r--r--src/lib/krb5/krb/copy_data.c22
-rw-r--r--src/lib/krb5/krb/fwd_tgt.c15
-rw-r--r--src/lib/krb5/krb/gc_frm_kdc.c41
-rw-r--r--src/lib/krb5/krb/gen_seqnum.c19
-rw-r--r--src/lib/krb5/krb/get_in_tkt.c35
-rw-r--r--src/lib/krb5/krb/gic_keytab.c81
-rw-r--r--src/lib/krb5/krb/gic_pwd.c115
-rw-r--r--src/lib/krb5/krb/in_tkt_ktb.c125
-rw-r--r--src/lib/krb5/krb/in_tkt_pwd.c123
-rw-r--r--src/lib/krb5/krb/init_ctx.c46
-rw-r--r--src/lib/krb5/krb/kfree.c21
-rw-r--r--src/lib/krb5/krb/mk_cred.c5
-rw-r--r--src/lib/krb5/krb/mk_priv.c5
-rw-r--r--src/lib/krb5/krb/mk_rep.c9
-rw-r--r--src/lib/krb5/krb/mk_req_ext.c58
-rw-r--r--src/lib/krb5/krb/mk_safe.c5
-rw-r--r--src/lib/krb5/krb/parse.c9
-rw-r--r--src/lib/krb5/krb/preauth2.c224
-rw-r--r--src/lib/krb5/krb/rd_cred.c11
-rw-r--r--src/lib/krb5/krb/rd_priv.c8
-rw-r--r--src/lib/krb5/krb/rd_rep.c18
-rw-r--r--src/lib/krb5/krb/rd_req.c4
-rw-r--r--src/lib/krb5/krb/rd_req_dec.c12
-rw-r--r--src/lib/krb5/krb/rd_safe.c26
-rw-r--r--src/lib/krb5/krb/ser_actx.c28
-rw-r--r--src/lib/krb5/krb/serialize.c35
-rw-r--r--src/lib/krb5/krb/srv_rcache.c13
-rw-r--r--src/lib/krb5/krb/unparse.c3
-rw-r--r--src/lib/krb5/krb/v4lifetime.c149
-rw-r--r--src/lib/krb5/os/.Sanitize1
-rw-r--r--src/lib/krb5/os/ChangeLog120
-rw-r--r--src/lib/krb5/os/Makefile.in255
-rw-r--r--src/lib/krb5/os/accessor.c26
-rw-r--r--src/lib/krb5/os/changepw.c117
-rw-r--r--src/lib/krb5/os/dnssrv.c273
-rw-r--r--src/lib/krb5/os/init_os_ctx.c12
-rw-r--r--src/lib/krb5/os/locate_kdc.c242
-rw-r--r--src/lib/krb5/os/read_pwd.c9
-rw-r--r--src/lib/krb5/os/send524.c111
-rw-r--r--src/lib/krb5/os/sendto_kdc.c2
-rw-r--r--src/lib/krb5/os/t_locate_kdc.c2
-rw-r--r--src/lib/krb5/os/toffset.c2
-rw-r--r--src/lib/krb5/rcache/Makefile.in38
-rw-r--r--src/lib/krb5_32.def15
-rw-r--r--src/lib/rpc/ChangeLog13
-rw-r--r--src/lib/rpc/bindresvport.c2
-rw-r--r--src/lib/rpc/clnt_tcp.c2
-rw-r--r--src/lib/rpc/svc.c3
-rw-r--r--src/lib/rpc/xdr_mem.c21
186 files changed, 9140 insertions, 2931 deletions
diff --git a/src/lib/ChangeLog b/src/lib/ChangeLog
index bfa7678..2d456bb 100644
--- a/src/lib/ChangeLog
+++ b/src/lib/ChangeLog
@@ -1,3 +1,59 @@
+2003-12-18 Jeffrey Altman <jaltman@mit.edu>
+
+ * krb5_32.def: Remove exports added on 2003-12-13. Moved
+ to krb5int_accessor
+
+2003-12-13 Jeffrey Altman <jaltman@mit.edu>
+
+ * krb4_32.def: Remove exports from KfM not yet compiled in KfW
+ krb_ad_tkt, krb_pw_tkt, kuserok, tkt_string, FSp_xxx
+
+ * krb5_32.def: Add exports of private functions necessary for
+ building new gssapi32.dll:
+ krb5int_c_mandatory_cksumtype ; PRIVATE GSSAPI k5-int.h
+ krb5_ser_pack_int64 ; PRIVATE GSSAPI k5-int.h
+ krb5_ser_unpack_int64 ; PRIVATE GSSAPI k5-int.h
+
+2003-12-11 Jeffrey Altman <jaltman@mit.edu>
+
+ * Makefile.in: Add secur32.lib to libraries necessary to build
+ krb5_32.dll. Necessary to support the new MSLSA ccache type.
+
+2003-12-08 Jeffrey Altman <jaltman@mit.edu>
+
+ * krb4_32.def: Add exports for functions exported by KfM
+
+2003-07-21 Alexandra Ellwood <lxs@mit.edu>
+
+ * krb5_32.def: Export krb5_principal2salt.
+
+2003-07-18 Jeffrey Altman <jaltman@mit.edu>
+
+ * gssapi32.def: Export GSS OID constants
+
+2003-07-09 Alexandra Ellwood <lxs@mit.edu>
+
+ * krb5_32.def: Export krb5_get_permitted_enctypes and
+ krb5_set_real_time for Samba.
+
+2003-05-27 Ken Raeburn <raeburn@mit.edu>
+
+ * krb5_32.def: Add krb5_524_convert_creds.
+
+2003-05-08 Sam Hartman <hartmans@mit.edu>
+
+ * krb5_32.def: Add krb5_c_string_to_key_with_params
+
+2003-05-09 Tom Yu <tlyu@mit.edu>
+
+ * krb5_32.def: Add krb5_auth_con_getrecvsubkey,
+ krb5_auth_con_getsendsubkey, krb5_auth_con_setrecvsubkey,
+ krb5_auth_con_setsendsubkey.
+
+2003-04-15 Sam Hartman <hartmans@mit.edu>
+
+ * krb5_32.def: Add krb5_set_password and krb5_set_password_using_ccache
+
2003-02-10 Tom Yu <tlyu@mit.edu>
* Makefile.in (K4LIBS): Revert previous.
diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in
index 01a4351..030beb7 100644
--- a/src/lib/Makefile.in
+++ b/src/lib/Makefile.in
@@ -52,7 +52,7 @@ KRB5RC = krb5.rc
VERSIONRC = $(BUILDTOP)\windows\version.rc
WINLIBS = kernel32.lib ws2_32.lib user32.lib shell32.lib oldnames.lib \
- version.lib advapi32.lib gdi32.lib
+ version.lib secur32.lib advapi32.lib gdi32.lib
WINDLLFLAGS = $(DLL_LINKOPTS) -base:0x1c000000
NO_GLUE=$(OUTPRE)no_glue.obj
diff --git a/src/lib/crypto/ChangeLog b/src/lib/crypto/ChangeLog
index 6f73ddf..68c2bc1 100644
--- a/src/lib/crypto/ChangeLog
+++ b/src/lib/crypto/ChangeLog
@@ -1,3 +1,53 @@
+2003-12-13 Ken Raeburn <raeburn@mit.edu>
+
+ * etypes.c (krb5_enctypes_list): Fill in required_ctype field.
+ * mandatory_sumtype.c: New file.
+ * Makefile.in (SRCS, OBJS, STLIBOBJS): Build it.
+
+2003-07-13 Kenneth Raeburn <raeburn@mit.edu>
+
+ * pbkdf2.c (foo): Never call com_err.
+
+2003-06-25 Ken Raeburn <raeburn@mit.edu>
+
+ * checksum_length.c (krb5_c_checksum_length): Handle trunc_size.
+
+2003-06-23 Ken Raeburn <raeburn@mit.edu>
+
+ * cksumtypes.c (krb5_cksumtypes_list): Add aes128/256 hmacs, with
+ new trunc_size field.
+
+ * make_checksum.c (krb5_c_make_checksum): If trunc_size is
+ specified, shrink the computed checksum down to the indicated
+ size.
+
+2003-06-05 Sam Hartman <hartmans@mit.edu>
+
+ * string_to_key.c (krb5_c_string_to_key_with_params): Only allow
+ AFS s2k for DES enctypes
+
+2003-05-15 Sam Hartman <hartmans@mit.edu>
+
+ * combine_keys.c (enctype_ok): new function to determine if we support combine_keys for a particular enctype
+
+2003-05-13 Ken Raeburn <raeburn@mit.edu>
+
+ * etypes.c (krb5_enctypes_list): Add names aes128-cts and
+ aes256-cts as aliases.
+
+2003-05-08 Sam Hartman <hartmans@mit.edu>
+
+ * string_to_key.c: Move krb5_c_string_to_key_with_params to krb5.h
+
+2003-04-13 Ken Raeburn <raeburn@mit.edu>
+
+ * pbkdf2.c (krb5int_pbkdf2): Provide a temporary buffer for the
+ output from F, if the remaining space in the output buffer isn't
+ big enough. Free the temporary buffers before returning.
+
+ * etypes.c (krb5_enctypes_list): Use krb5int_aes_encrypt_length,
+ and krb5int_aes_dk_encrypt, and krb5int_aes_dk_decrypt for AES.
+
2003-03-06 Alexandra Ellwood <lxs@mit.edu>
* prng.c: use Unix randomness sources on Mac OS X.
diff --git a/src/lib/crypto/Makefile.in b/src/lib/crypto/Makefile.in
index e571ef7..987945f 100644
--- a/src/lib/crypto/Makefile.in
+++ b/src/lib/crypto/Makefile.in
@@ -54,6 +54,7 @@ STLIBOBJS=\
keyed_checksum_types.o \
make_checksum.o \
make_random_key.o \
+ mandatory_sumtype.o \
nfold.o \
old_api_glue.o \
pbkdf2.o \
@@ -86,6 +87,7 @@ OBJS=\
$(OUTPRE)keyed_checksum_types.$(OBJEXT) \
$(OUTPRE)make_checksum.$(OBJEXT) \
$(OUTPRE)make_random_key.$(OBJEXT) \
+ $(OUTPRE)mandatory_sumtype.$(OBJEXT) \
$(OUTPRE)nfold.$(OBJEXT) \
$(OUTPRE)old_api_glue.$(OBJEXT) \
$(OUTPRE)pbkdf2.$(OBJEXT) \
@@ -118,6 +120,7 @@ SRCS=\
$(srcdir)/keyed_checksum_types.c\
$(srcdir)/make_checksum.c \
$(srcdir)/make_random_key.c \
+ $(srcdir)/mandatory_sumtype.c \
$(srcdir)/nfold.c \
$(srcdir)/old_api_glue.c \
$(srcdir)/pbkdf2.c \
@@ -348,206 +351,224 @@ check-windows::
#
block_size.so block_size.po $(OUTPRE)block_size.$(OBJEXT): block_size.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h etypes.h
+ etypes.h
checksum_length.so checksum_length.po $(OUTPRE)checksum_length.$(OBJEXT): checksum_length.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- cksumtypes.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h cksumtypes.h
cksumtype_to_string.so cksumtype_to_string.po $(OUTPRE)cksumtype_to_string.$(OBJEXT): cksumtype_to_string.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- cksumtypes.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h cksumtypes.h
cksumtypes.so cksumtypes.po $(OUTPRE)cksumtypes.$(OBJEXT): cksumtypes.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/hash_provider/hash_provider.h \
- $(srcdir)/keyhash_provider/keyhash_provider.h cksumtypes.h
+ $(srcdir)/hash_provider/hash_provider.h $(srcdir)/keyhash_provider/keyhash_provider.h \
+ cksumtypes.h
coll_proof_cksum.so coll_proof_cksum.po $(OUTPRE)coll_proof_cksum.$(OBJEXT): coll_proof_cksum.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- cksumtypes.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h cksumtypes.h
combine_keys.so combine_keys.po $(OUTPRE)combine_keys.$(OBJEXT): combine_keys.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h etypes.h $(srcdir)/dk/dk.h
+ etypes.h $(srcdir)/dk/dk.h
crypto_libinit.so crypto_libinit.po $(OUTPRE)crypto_libinit.$(OBJEXT): crypto_libinit.c \
crypto_libinit.h
default_state.so default_state.po $(OUTPRE)default_state.$(OBJEXT): default_state.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
decrypt.so decrypt.po $(OUTPRE)decrypt.$(OBJEXT): decrypt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h etypes.h
+ etypes.h
encrypt.so encrypt.po $(OUTPRE)encrypt.$(OBJEXT): encrypt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h etypes.h
+ etypes.h
encrypt_length.so encrypt_length.po $(OUTPRE)encrypt_length.$(OBJEXT): encrypt_length.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- etypes.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h etypes.h
enctype_compare.so enctype_compare.po $(OUTPRE)enctype_compare.$(OBJEXT): enctype_compare.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- etypes.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h etypes.h
enctype_to_string.so enctype_to_string.po $(OUTPRE)enctype_to_string.$(OBJEXT): enctype_to_string.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- etypes.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h etypes.h
etypes.so etypes.po $(OUTPRE)etypes.$(OBJEXT): etypes.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/enc_provider/enc_provider.h \
- $(srcdir)/hash_provider/hash_provider.h etypes.h $(srcdir)/old/old.h \
- $(srcdir)/raw/raw.h $(srcdir)/dk/dk.h $(srcdir)/arcfour/arcfour.h \
- $(srcdir)/aes/aes_s2k.h
+ $(srcdir)/enc_provider/enc_provider.h $(srcdir)/hash_provider/hash_provider.h \
+ etypes.h $(srcdir)/old/old.h $(srcdir)/raw/raw.h $(srcdir)/dk/dk.h \
+ $(srcdir)/arcfour/arcfour.h $(srcdir)/aes/aes_s2k.h
hmac.so hmac.po $(OUTPRE)hmac.$(OBJEXT): hmac.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
keyed_cksum.so keyed_cksum.po $(OUTPRE)keyed_cksum.$(OBJEXT): keyed_cksum.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h cksumtypes.h
+ cksumtypes.h
keyed_checksum_types.so keyed_checksum_types.po $(OUTPRE)keyed_checksum_types.$(OBJEXT): keyed_checksum_types.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- etypes.h cksumtypes.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h etypes.h cksumtypes.h
make_checksum.so make_checksum.po $(OUTPRE)make_checksum.$(OBJEXT): make_checksum.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h cksumtypes.h etypes.h \
- $(srcdir)/dk/dk.h
+ cksumtypes.h etypes.h $(srcdir)/dk/dk.h
make_random_key.so make_random_key.po $(OUTPRE)make_random_key.$(OBJEXT): make_random_key.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- etypes.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h etypes.h
+mandatory_sumtype.so mandatory_sumtype.po $(OUTPRE)mandatory_sumtype.$(OBJEXT): mandatory_sumtype.c \
+ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h etypes.h
nfold.so nfold.po $(OUTPRE)nfold.$(OBJEXT): nfold.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
old_api_glue.so old_api_glue.po $(OUTPRE)old_api_glue.$(OBJEXT): old_api_glue.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
pbkdf2.so pbkdf2.po $(OUTPRE)pbkdf2.$(OBJEXT): pbkdf2.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/hash_provider/hash_provider.h
+ $(srcdir)/hash_provider/hash_provider.h
prng.so prng.po $(OUTPRE)prng.$(OBJEXT): prng.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/enc_provider/enc_provider.h \
- $(srcdir)/yarrow/yarrow.h $(srcdir)/yarrow/ytypes.h \
- $(srcdir)/yarrow/yhash.h $(srcdir)/sha1/shs.h $(srcdir)/yarrow/ycipher.h
+ $(srcdir)/enc_provider/enc_provider.h $(srcdir)/yarrow/yarrow.h \
+ $(srcdir)/yarrow/ytypes.h $(srcdir)/yarrow/yhash.h \
+ $(srcdir)/sha1/shs.h $(srcdir)/yarrow/ycipher.h
state.so state.po $(OUTPRE)state.$(OBJEXT): state.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h etypes.h
+ etypes.h
string_to_cksumtype.so string_to_cksumtype.po $(OUTPRE)string_to_cksumtype.$(OBJEXT): string_to_cksumtype.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- cksumtypes.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h cksumtypes.h
string_to_enctype.so string_to_enctype.po $(OUTPRE)string_to_enctype.$(OBJEXT): string_to_enctype.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- etypes.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h etypes.h
string_to_key.so string_to_key.po $(OUTPRE)string_to_key.$(OBJEXT): string_to_key.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h etypes.h
+ etypes.h
valid_cksumtype.so valid_cksumtype.po $(OUTPRE)valid_cksumtype.$(OBJEXT): valid_cksumtype.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- cksumtypes.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h cksumtypes.h
valid_enctype.so valid_enctype.po $(OUTPRE)valid_enctype.$(OBJEXT): valid_enctype.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h etypes.h
+ etypes.h
verify_checksum.so verify_checksum.po $(OUTPRE)verify_checksum.$(OBJEXT): verify_checksum.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- cksumtypes.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h cksumtypes.h
t_nfold.so t_nfold.po $(OUTPRE)t_nfold.$(OBJEXT): t_nfold.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
t_encrypt.so t_encrypt.po $(OUTPRE)t_encrypt.$(OBJEXT): t_encrypt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h etypes.h
+ etypes.h
t_prng.so t_prng.po $(OUTPRE)t_prng.$(OBJEXT): t_prng.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
t_hmac.so t_hmac.po $(OUTPRE)t_hmac.$(OBJEXT): t_hmac.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(srcdir)/hash_provider/hash_provider.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
t_pkcs5.so t_pkcs5.po $(OUTPRE)t_pkcs5.$(OBJEXT): t_pkcs5.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
t_cts.so t_cts.po $(OUTPRE)t_cts.$(OBJEXT): t_cts.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(srcdir)/hash_provider/hash_provider.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
vectors.so vectors.po $(OUTPRE)vectors.$(OBJEXT): vectors.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(srcdir)/hash_provider/hash_provider.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
diff --git a/src/lib/crypto/aes/ChangeLog b/src/lib/crypto/aes/ChangeLog
index 443aabd..5852b3b 100644
--- a/src/lib/crypto/aes/ChangeLog
+++ b/src/lib/crypto/aes/ChangeLog
@@ -1,3 +1,18 @@
+2003-05-13 Ken Raeburn <raeburn@mit.edu>
+
+ * aes_s2k.c (DEFAULT_ITERATION_COUNT): New macro; define to 4096.
+ (MAX_ITERATION_COUNT): New macro.
+ (krb5int_aes_string_to_key): Use them.
+
+2003-04-29 Ken Raeburn <raeburn@mit.edu>
+
+ * uitypes.h: Use inttypes.h if HAVE_INTTYPES_H is defined.
+
+2003-04-13 Ken Raeburn <raeburn@mit.edu>
+
+ * aes_s2k.c (krb5int_aes_string_to_key): Return an error if the
+ supplied iteration count is really, really large.
+
2003-03-04 Ken Raeburn <raeburn@mit.edu>
* aes_s2k.c, aes_s2k.h: New files.
diff --git a/src/lib/crypto/aes/Makefile.in b/src/lib/crypto/aes/Makefile.in
index d14f0f9..4a1064a 100644
--- a/src/lib/crypto/aes/Makefile.in
+++ b/src/lib/crypto/aes/Makefile.in
@@ -83,7 +83,8 @@ aeskey.so aeskey.po $(OUTPRE)aeskey.$(OBJEXT): aeskey.c aesopt.h aes.h \
uitypes.h
aes_s2k.so aes_s2k.po $(OUTPRE)aes_s2k.$(OBJEXT): aes_s2k.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h aes_s2k.h
+ $(srcdir)/../dk/dk.h aes_s2k.h
diff --git a/src/lib/crypto/aes/aes_s2k.c b/src/lib/crypto/aes/aes_s2k.c
index f3670d7..9d48bd0 100644
--- a/src/lib/crypto/aes/aes_s2k.c
+++ b/src/lib/crypto/aes/aes_s2k.c
@@ -1,9 +1,39 @@
-/* Insert MIT copyright here. */
+/*
+ * lib/crypto/aes/aes_s2k.c
+ *
+ * Copyright 2003 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * krb5int_aes_string_to_key
+ */
#include "k5-int.h"
#include "dk.h"
#include "aes_s2k.h"
+#define DEFAULT_ITERATION_COUNT 4096 /* was 0xb000L in earlier drafts */
+#define MAX_ITERATION_COUNT 0x1000000L
+
krb5_error_code
krb5int_aes_string_to_key(const struct krb5_enc_provider *enc,
const krb5_data *string,
@@ -27,7 +57,13 @@ krb5int_aes_string_to_key(const struct krb5_enc_provider *enc,
return KRB5_ERR_BAD_S2K_PARAMS;
}
} else
- iter_count = 0xb000L;
+ iter_count = DEFAULT_ITERATION_COUNT;
+
+ /* This is not a protocol specification constraint; this is an
+ implementation limit, which should eventually be controlled by
+ a config file. */
+ if (iter_count >= MAX_ITERATION_COUNT)
+ return KRB5_ERR_BAD_S2K_PARAMS;
/*
* Dense key space, no parity bits or anything, so take a shortcut
diff --git a/src/lib/crypto/aes/uitypes.h b/src/lib/crypto/aes/uitypes.h
index 4e50ef7..02dd3b0 100644
--- a/src/lib/crypto/aes/uitypes.h
+++ b/src/lib/crypto/aes/uitypes.h
@@ -44,7 +44,7 @@
#endif
#endif
-#if defined HAS_INTTYPES_H
+#if defined HAS_INTTYPES_H || defined HAVE_INTTYPES_H
#include <inttypes.h>
#define s_u32 u
#define s_u64 ull
diff --git a/src/lib/crypto/arcfour/Makefile.in b/src/lib/crypto/arcfour/Makefile.in
index 8c33066..329feb4 100644
--- a/src/lib/crypto/arcfour/Makefile.in
+++ b/src/lib/crypto/arcfour/Makefile.in
@@ -45,13 +45,14 @@ clean-unix:: clean-libobjs
#
arcfour.so arcfour.po $(OUTPRE)arcfour.$(OBJEXT): arcfour.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h arcfour-int.h arcfour.h
+ arcfour-int.h arcfour.h
string_to_key.so string_to_key.po $(OUTPRE)string_to_key.$(OBJEXT): string_to_key.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/../md4/rsa-md4.h \
- arcfour-int.h arcfour.h
+ $(srcdir)/../md4/rsa-md4.h arcfour-int.h arcfour.h
diff --git a/src/lib/crypto/checksum_length.c b/src/lib/crypto/checksum_length.c
index 80040b2..f3886f4 100644
--- a/src/lib/crypto/checksum_length.c
+++ b/src/lib/crypto/checksum_length.c
@@ -45,6 +45,8 @@ krb5_c_checksum_length(context, cksumtype, length)
if (krb5_cksumtypes_list[i].keyhash)
(*(krb5_cksumtypes_list[i].keyhash->hash_size))(length);
+ else if (krb5_cksumtypes_list[i].trunc_size)
+ *length = krb5_cksumtypes_list[i].trunc_size;
else
(*(krb5_cksumtypes_list[i].hash->hash_size))(length);
diff --git a/src/lib/crypto/cksumtypes.c b/src/lib/crypto/cksumtypes.c
index 76882f8..ae7ed5f 100644
--- a/src/lib/crypto/cksumtypes.c
+++ b/src/lib/crypto/cksumtypes.c
@@ -84,6 +84,14 @@ const struct krb5_cksumtypes krb5_cksumtypes_list[] = {
ENCTYPE_ARCFOUR_HMAC, &krb5int_keyhash_hmac_md5,
NULL },
+ { CKSUMTYPE_HMAC_SHA1_96_AES128, KRB5_CKSUMFLAG_DERIVE,
+ "hmac-sha1-96-aes128", "HMAC-SHA1 AES128 key",
+ 0, NULL,
+ &krb5int_hash_sha1, 12 },
+ { CKSUMTYPE_HMAC_SHA1_96_AES256, KRB5_CKSUMFLAG_DERIVE,
+ "hmac-sha1-96-aes256", "HMAC-SHA1 AES256 key",
+ 0, NULL,
+ &krb5int_hash_sha1, 12 },
};
const int krb5_cksumtypes_length =
diff --git a/src/lib/crypto/combine_keys.c b/src/lib/crypto/combine_keys.c
index 6466a95..9aad8f5 100644
--- a/src/lib/crypto/combine_keys.c
+++ b/src/lib/crypto/combine_keys.c
@@ -50,6 +50,25 @@ static krb5_error_code dr
(const struct krb5_enc_provider *enc, const krb5_keyblock *inkey,
unsigned char *outdata, const krb5_data *in_constant);
+/*
+ * We only support this combine_keys algorithm for des and 3des keys.
+ * Everything else should use the PRF defined in the crypto framework.
+ * We don't implement that yet.
+ */
+
+static krb5_boolean enctype_ok (krb5_enctype e)
+{
+ switch (e) {
+ case ENCTYPE_DES_CBC_CRC:
+ case ENCTYPE_DES_CBC_MD4:
+ case ENCTYPE_DES_CBC_MD5:
+ case ENCTYPE_DES3_CBC_SHA1:
+ return 1;
+ default:
+ return 0;
+ }
+}
+
krb5_error_code krb5int_c_combine_keys
(krb5_context context, krb5_keyblock *key1, krb5_keyblock *key2, krb5_keyblock *outkey)
{
@@ -60,6 +79,9 @@ krb5_error_code krb5int_c_combine_keys
krb5_keyblock tkey;
krb5_error_code ret;
int i, myalloc = 0;
+ if (!(enctype_ok(key1->enctype)&&enctype_ok(key2->enctype)))
+ return (KRB5_CRYPTO_INTERNAL);
+
if (key1->length != key2->length || key1->enctype != key2->enctype)
return (KRB5_CRYPTO_INTERNAL);
diff --git a/src/lib/crypto/crc32/Makefile.in b/src/lib/crypto/crc32/Makefile.in
index 09d2404..29e0939 100644
--- a/src/lib/crypto/crc32/Makefile.in
+++ b/src/lib/crypto/crc32/Makefile.in
@@ -46,7 +46,8 @@ t_crc: t_crc.o crc32.o
#
crc32.so crc32.po $(OUTPRE)crc32.$(OBJEXT): crc32.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h crc-32.h
+ crc-32.h
diff --git a/src/lib/crypto/des/Makefile.in b/src/lib/crypto/des/Makefile.in
index f8065d7..607cc5f 100644
--- a/src/lib/crypto/des/Makefile.in
+++ b/src/lib/crypto/des/Makefile.in
@@ -100,61 +100,68 @@ clean-unix:: clean-libobjs
#
afsstring2key.so afsstring2key.po $(OUTPRE)afsstring2key.$(OBJEXT): afsstring2key.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h des_int.h $(SRCTOP)/include/kerberosIV/des.h
+ des_int.h $(SRCTOP)/include/kerberosIV/des.h
d3_cbc.so d3_cbc.po $(OUTPRE)d3_cbc.$(OBJEXT): d3_cbc.c des_int.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/des.h \
- f_tables.h
+ $(SRCTOP)/include/kerberosIV/des.h f_tables.h
d3_kysched.so d3_kysched.po $(OUTPRE)d3_kysched.$(OBJEXT): d3_kysched.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h des_int.h $(SRCTOP)/include/kerberosIV/des.h
+ des_int.h $(SRCTOP)/include/kerberosIV/des.h
f_cbc.so f_cbc.po $(OUTPRE)f_cbc.$(OBJEXT): f_cbc.c des_int.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/des.h \
- f_tables.h
+ $(SRCTOP)/include/kerberosIV/des.h f_tables.h
f_cksum.so f_cksum.po $(OUTPRE)f_cksum.$(OBJEXT): f_cksum.c des_int.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/des.h \
- f_tables.h
+ $(SRCTOP)/include/kerberosIV/des.h f_tables.h
f_parity.so f_parity.po $(OUTPRE)f_parity.$(OBJEXT): f_parity.c des_int.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/des.h
+ $(SRCTOP)/include/kerberosIV/des.h
f_sched.so f_sched.po $(OUTPRE)f_sched.$(OBJEXT): f_sched.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h des_int.h $(SRCTOP)/include/kerberosIV/des.h
+ des_int.h $(SRCTOP)/include/kerberosIV/des.h
f_tables.so f_tables.po $(OUTPRE)f_tables.$(OBJEXT): f_tables.c des_int.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/des.h \
- f_tables.h
+ $(SRCTOP)/include/kerberosIV/des.h f_tables.h
key_sched.so key_sched.po $(OUTPRE)key_sched.$(OBJEXT): key_sched.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h des_int.h $(SRCTOP)/include/kerberosIV/des.h
+ des_int.h $(SRCTOP)/include/kerberosIV/des.h
weak_key.so weak_key.po $(OUTPRE)weak_key.$(OBJEXT): weak_key.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h des_int.h $(SRCTOP)/include/kerberosIV/des.h
+ des_int.h $(SRCTOP)/include/kerberosIV/des.h
string2key.so string2key.po $(OUTPRE)string2key.$(OBJEXT): string2key.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h des_int.h $(SRCTOP)/include/kerberosIV/des.h
+ des_int.h $(SRCTOP)/include/kerberosIV/des.h
diff --git a/src/lib/crypto/dk/ChangeLog b/src/lib/crypto/dk/ChangeLog
index 9ed3a8d..e30e76e 100644
--- a/src/lib/crypto/dk/ChangeLog
+++ b/src/lib/crypto/dk/ChangeLog
@@ -1,3 +1,23 @@
+2003-04-17 Ken Raeburn <raeburn@mit.edu>
+
+ * dk_encrypt.c (krb5int_aes_dk_encrypt): Set output length
+ properly.
+
+2003-04-13 Ken Raeburn <raeburn@mit.edu>
+
+ * dk_decrypt.c (krb5_dk_decrypt_maybe_trunc_hmac): Renamed from
+ krb5_dk_decrypt, made static, added extra HMACSIZE argument to
+ indicate size of HMAC. Cast byte values to char to silence
+ compiler warning.
+ (krb5_dk_decrypt): Call it.
+ (krb5int_aes_dk_decrypt): New function.
+ * dk_encrypt.c (krb5_dk_encrypt): Cast byte values to char to
+ silence compiler warning.
+ (krb5int_aes_encrypt_length, trunc_hmac, krb5int_aes_dk_encrypt):
+ New functions.
+ * dk.h (krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt,
+ krb5int_aes_dk_decrypt): Declare.
+
2003-03-04 Ken Raeburn <raeburn@mit.edu>
* stringtokey.c (krb5int_dk_string_to_key): Renamed from
diff --git a/src/lib/crypto/dk/Makefile.in b/src/lib/crypto/dk/Makefile.in
index 3785ad6..cfd4821 100644
--- a/src/lib/crypto/dk/Makefile.in
+++ b/src/lib/crypto/dk/Makefile.in
@@ -54,28 +54,32 @@ clean-unix:: clean-libobjs
#
checksum.so checksum.po $(OUTPRE)checksum.$(OBJEXT): checksum.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/../etypes.h \
- dk.h
+ $(srcdir)/../etypes.h dk.h
dk_decrypt.so dk_decrypt.po $(OUTPRE)dk_decrypt.$(OBJEXT): dk_decrypt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h dk.h
+ dk.h
dk_encrypt.so dk_encrypt.po $(OUTPRE)dk_encrypt.$(OBJEXT): dk_encrypt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h dk.h
+ dk.h
derive.so derive.po $(OUTPRE)derive.$(OBJEXT): derive.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h dk.h $(srcdir)/../etypes.h
+ dk.h $(srcdir)/../etypes.h
stringtokey.so stringtokey.po $(OUTPRE)stringtokey.$(OBJEXT): stringtokey.c dk.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
diff --git a/src/lib/crypto/dk/dk.h b/src/lib/crypto/dk/dk.h
index 0171016..a224167 100644
--- a/src/lib/crypto/dk/dk.h
+++ b/src/lib/crypto/dk/dk.h
@@ -38,6 +38,18 @@ krb5_error_code krb5_dk_encrypt
const krb5_data *ivec,
const krb5_data *input, krb5_data *output);
+void krb5int_aes_encrypt_length
+(const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ size_t input, size_t *length);
+
+krb5_error_code krb5int_aes_dk_encrypt
+(const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key, krb5_keyusage usage,
+ const krb5_data *ivec,
+ const krb5_data *input, krb5_data *output);
+
krb5_error_code krb5_dk_decrypt
(const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
@@ -45,6 +57,13 @@ krb5_error_code krb5_dk_decrypt
const krb5_data *ivec, const krb5_data *input,
krb5_data *arg_output);
+krb5_error_code krb5int_aes_dk_decrypt
+(const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key, krb5_keyusage usage,
+ const krb5_data *ivec, const krb5_data *input,
+ krb5_data *arg_output);
+
krb5_error_code krb5int_dk_string_to_key
(const struct krb5_enc_provider *enc,
const krb5_data *string, const krb5_data *salt,
diff --git a/src/lib/crypto/dk/dk_decrypt.c b/src/lib/crypto/dk/dk_decrypt.c
index adc4d23..5f35fa6 100644
--- a/src/lib/crypto/dk/dk_decrypt.c
+++ b/src/lib/crypto/dk/dk_decrypt.c
@@ -29,6 +29,16 @@
#define K5CLENGTH 5 /* 32 bit net byte order integer + one byte seed */
+static krb5_error_code
+krb5_dk_decrypt_maybe_trunc_hmac(const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key,
+ krb5_keyusage usage,
+ const krb5_data *ivec,
+ const krb5_data *input,
+ krb5_data *output,
+ size_t hmacsize);
+
krb5_error_code
krb5_dk_decrypt(enc, hash, key, usage, ivec, input, output)
const struct krb5_enc_provider *enc;
@@ -39,6 +49,36 @@ krb5_dk_decrypt(enc, hash, key, usage, ivec, input, output)
const krb5_data *input;
krb5_data *output;
{
+ return krb5_dk_decrypt_maybe_trunc_hmac(enc, hash, key, usage,
+ ivec, input, output, 0);
+}
+
+krb5_error_code
+krb5int_aes_dk_decrypt(enc, hash, key, usage, ivec, input, output)
+ const struct krb5_enc_provider *enc;
+ const struct krb5_hash_provider *hash;
+ const krb5_keyblock *key;
+ krb5_keyusage usage;
+ const krb5_data *ivec;
+ const krb5_data *input;
+ krb5_data *output;
+{
+ return krb5_dk_decrypt_maybe_trunc_hmac(enc, hash, key, usage,
+ ivec, input, output, 96 / 8);
+}
+
+static krb5_error_code
+krb5_dk_decrypt_maybe_trunc_hmac(enc, hash, key, usage, ivec, input, output,
+ hmacsize)
+ const struct krb5_enc_provider *enc;
+ const struct krb5_hash_provider *hash;
+ const krb5_keyblock *key;
+ krb5_keyusage usage;
+ const krb5_data *ivec;
+ const krb5_data *input;
+ krb5_data *output;
+ size_t hmacsize;
+{
krb5_error_code ret;
size_t hashsize, blocksize, keybytes, keylength, enclen, plainlen;
unsigned char *plaindata, *kedata, *kidata, *cksum, *cn;
@@ -52,7 +92,12 @@ krb5_dk_decrypt(enc, hash, key, usage, ivec, input, output)
(*(enc->block_size))(&blocksize);
(*(enc->keysize))(&keybytes, &keylength);
- enclen = input->length - hashsize;
+ if (hmacsize == 0)
+ hmacsize = hashsize;
+ else if (hmacsize > hashsize)
+ return KRB5KRB_AP_ERR_BAD_INTEGRITY;
+
+ enclen = input->length - hmacsize;
if ((kedata = (unsigned char *) malloc(keylength)) == NULL)
return(ENOMEM);
@@ -87,7 +132,7 @@ krb5_dk_decrypt(enc, hash, key, usage, ivec, input, output)
d1.data[2] = (usage>>8)&0xff;
d1.data[3] = usage&0xff;
- d1.data[4] = 0xAA;
+ d1.data[4] = (char) 0xAA;
if ((ret = krb5_derive_key(enc, key, &ke, &d1)) != 0)
goto cleanup;
@@ -121,7 +166,7 @@ krb5_dk_decrypt(enc, hash, key, usage, ivec, input, output)
if ((ret = krb5_hmac(hash, &ki, 1, &d2, &d1)) != 0)
goto cleanup;
- if (memcmp(cksum, input->data+enclen, hashsize) != 0) {
+ if (memcmp(cksum, input->data+enclen, hmacsize) != 0) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
goto cleanup;
}
diff --git a/src/lib/crypto/dk/dk_encrypt.c b/src/lib/crypto/dk/dk_encrypt.c
index eb9fe5f..9de05fc 100644
--- a/src/lib/crypto/dk/dk_encrypt.c
+++ b/src/lib/crypto/dk/dk_encrypt.c
@@ -108,7 +108,7 @@ krb5_dk_encrypt(enc, hash, key, usage, ivec, input, output)
d1.data[2] = (usage>>8)&0xff;
d1.data[3] = usage&0xff;
- d1.data[4] = 0xAA;
+ d1.data[4] = (char) 0xAA;
if ((ret = krb5_derive_key(enc, key, &ke, &d1)))
goto cleanup;
@@ -177,6 +177,178 @@ cleanup:
return(ret);
}
+/* Not necessarily "AES", per se, but "a CBC+CTS mode block cipher
+ with a 96-bit truncated HMAC". */
+void
+krb5int_aes_encrypt_length(enc, hash, inputlen, length)
+ const struct krb5_enc_provider *enc;
+ const struct krb5_hash_provider *hash;
+ size_t inputlen;
+ size_t *length;
+{
+ size_t blocksize, hashsize;
+
+ (*(enc->block_size))(&blocksize);
+ hashsize = 96 / 8;
+
+ /* No roundup, since CTS requires no padding once we've hit the
+ block size. */
+ *length = blocksize+inputlen + hashsize;
+}
+
+static krb5_error_code
+trunc_hmac (const struct krb5_hash_provider *hash,
+ const krb5_keyblock *ki, int num,
+ const krb5_data *input, const krb5_data *output)
+{
+ size_t hashsize;
+ krb5_data tmp;
+ krb5_error_code ret;
+
+ (hash->hash_size)(&hashsize);
+ if (hashsize < output->length)
+ return KRB5_CRYPTO_INTERNAL;
+ tmp.length = hashsize;
+ tmp.data = malloc(hashsize);
+ if (tmp.data == NULL)
+ return errno;
+ ret = krb5_hmac(hash, ki, num, input, &tmp);
+ if (ret == 0)
+ memcpy(output->data, tmp.data, output->length);
+ memset(tmp.data, 0, hashsize);
+ free(tmp.data);
+ return ret;
+}
+
+krb5_error_code
+krb5int_aes_dk_encrypt(enc, hash, key, usage, ivec, input, output)
+ const struct krb5_enc_provider *enc;
+ const struct krb5_hash_provider *hash;
+ const krb5_keyblock *key;
+ krb5_keyusage usage;
+ const krb5_data *ivec;
+ const krb5_data *input;
+ krb5_data *output;
+{
+ size_t blocksize, keybytes, keylength, plainlen, enclen;
+ krb5_error_code ret;
+ unsigned char constantdata[K5CLENGTH];
+ krb5_data d1, d2;
+ unsigned char *plaintext, *kedata, *kidata, *cn;
+ krb5_keyblock ke, ki;
+
+ /* allocate and set up plaintext and to-be-derived keys */
+
+ (*(enc->block_size))(&blocksize);
+ (*(enc->keysize))(&keybytes, &keylength);
+ plainlen = blocksize+input->length;
+
+ krb5int_aes_encrypt_length(enc, hash, input->length, &enclen);
+
+ /* key->length, ivec will be tested in enc->encrypt */
+
+ if (output->length < enclen)
+ return(KRB5_BAD_MSIZE);
+
+ if ((kedata = (unsigned char *) malloc(keylength)) == NULL)
+ return(ENOMEM);
+ if ((kidata = (unsigned char *) malloc(keylength)) == NULL) {
+ free(kedata);
+ return(ENOMEM);
+ }
+ if ((plaintext = (unsigned char *) malloc(plainlen)) == NULL) {
+ free(kidata);
+ free(kedata);
+ return(ENOMEM);
+ }
+
+ ke.contents = kedata;
+ ke.length = keylength;
+ ki.contents = kidata;
+ ki.length = keylength;
+
+ /* derive the keys */
+
+ d1.data = constantdata;
+ d1.length = K5CLENGTH;
+
+ d1.data[0] = (usage>>24)&0xff;
+ d1.data[1] = (usage>>16)&0xff;
+ d1.data[2] = (usage>>8)&0xff;
+ d1.data[3] = usage&0xff;
+
+ d1.data[4] = (char) 0xAA;
+
+ if ((ret = krb5_derive_key(enc, key, &ke, &d1)))
+ goto cleanup;
+
+ d1.data[4] = 0x55;
+
+ if ((ret = krb5_derive_key(enc, key, &ki, &d1)))
+ goto cleanup;
+
+ /* put together the plaintext */
+
+ d1.length = blocksize;
+ d1.data = plaintext;
+
+ if ((ret = krb5_c_random_make_octets(/* XXX */ 0, &d1)))
+ goto cleanup;
+
+ memcpy(plaintext+blocksize, input->data, input->length);
+
+ /* Ciphertext stealing; there should be no more. */
+ if (plainlen != blocksize + input->length)
+ abort();
+
+ /* encrypt the plaintext */
+
+ d1.length = plainlen;
+ d1.data = plaintext;
+
+ d2.length = plainlen;
+ d2.data = output->data;
+
+ if ((ret = ((*(enc->encrypt))(&ke, ivec, &d1, &d2))))
+ goto cleanup;
+
+ if (ivec != NULL && ivec->length == blocksize)
+ cn = d2.data + d2.length - blocksize;
+ else
+ cn = NULL;
+
+ /* hash the plaintext */
+
+ d2.length = enclen - plainlen;
+ d2.data = output->data+plainlen;
+ if (d2.length != 96 / 8)
+ abort();
+
+ if ((ret = trunc_hmac(hash, &ki, 1, &d1, &d2))) {
+ memset(d2.data, 0, d2.length);
+ goto cleanup;
+ }
+
+ output->length = enclen;
+
+ /* update ivec */
+ if (cn != NULL)
+ memcpy(ivec->data, cn, blocksize);
+
+ /* ret is set correctly by the prior call */
+
+cleanup:
+ memset(kedata, 0, keylength);
+ memset(kidata, 0, keylength);
+ memset(plaintext, 0, plainlen);
+
+ free(plaintext);
+ free(kidata);
+ free(kedata);
+
+ return(ret);
+}
+
#ifdef ATHENA_DES3_KLUDGE
void
krb5_marc_dk_encrypt_length(enc, hash, inputlen, length)
diff --git a/src/lib/crypto/enc_provider/ChangeLog b/src/lib/crypto/enc_provider/ChangeLog
index 08a614e..f954f7f 100644
--- a/src/lib/crypto/enc_provider/ChangeLog
+++ b/src/lib/crypto/enc_provider/ChangeLog
@@ -1,3 +1,14 @@
+2003-04-13 Ken Raeburn <raeburn@mit.edu>
+
+ * aes.c (enc): Replaced function with a macro.
+ (dec): New macro.
+ (krb5int_aes_encrypt): Use enc and dec. Delete unused variable
+ OFFSET.
+ (krb5int_aes_decrypt): Renamed from k5_aes_dencrypt, implemented
+ decryption, made non-static.
+ (krb5int_enc_aes128, krb5int_enc_aes256): Use new name for
+ krb5int_aes_decrypt.
+
2003-03-04 Ken Raeburn <raeburn@mit.edu>
* aes.c (krb5int_aes_init_state): Implement.
diff --git a/src/lib/crypto/enc_provider/Makefile.in b/src/lib/crypto/enc_provider/Makefile.in
index dbc4f64..743f4ee 100644
--- a/src/lib/crypto/enc_provider/Makefile.in
+++ b/src/lib/crypto/enc_provider/Makefile.in
@@ -47,26 +47,28 @@ clean-unix:: clean-libobjs
#
des.so des.po $(OUTPRE)des.$(OBJEXT): des.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/../des/des_int.h \
- $(SRCTOP)/include/kerberosIV/des.h enc_provider.h
+ $(srcdir)/../des/des_int.h $(SRCTOP)/include/kerberosIV/des.h \
+ enc_provider.h
des3.so des3.po $(OUTPRE)des3.$(OBJEXT): des3.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/../des/des_int.h \
- $(SRCTOP)/include/kerberosIV/des.h
+ $(srcdir)/../des/des_int.h $(SRCTOP)/include/kerberosIV/des.h
aes.so aes.po $(OUTPRE)aes.$(OBJEXT): aes.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h enc_provider.h $(srcdir)/../aes/aes.h \
- $(srcdir)/../aes/uitypes.h
+ enc_provider.h $(srcdir)/../aes/aes.h $(srcdir)/../aes/uitypes.h
arcfour.so arcfour.po $(OUTPRE)arcfour.$(OBJEXT): arcfour.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/../arcfour/arcfour-int.h \
- $(srcdir)/../arcfour/arcfour.h enc_provider.h
+ $(srcdir)/../arcfour/arcfour-int.h $(srcdir)/../arcfour/arcfour.h \
+ enc_provider.h
diff --git a/src/lib/crypto/enc_provider/aes.c b/src/lib/crypto/enc_provider/aes.c
index d3dc2a5..013a688 100644
--- a/src/lib/crypto/enc_provider/aes.c
+++ b/src/lib/crypto/enc_provider/aes.c
@@ -52,23 +52,8 @@ static void printd (const char *descr, krb5_data *d) {
}
printf("\n");
}
-static void enc(char *out, const char *in, aes_ctx *ctx)
-{
- if (aes_enc_blk(in, out, ctx) != aes_good)
- abort();
-#if 0
- {
- krb5_data e_in, e_out;
- e_in.data = in;
- e_out.data = out;
- e_in.length = e_out.length = BLOCK_SIZE;
- printf("encrypting [[\n");
- printd("input block", &e_in);
- printd("output block", &e_out);
- printf("]]\n");
- }
-#endif
-}
+#define enc(OUT, IN, CTX) (aes_enc_blk((IN),(OUT),(CTX)) == aes_good ? (void) 0 : abort())
+#define dec(OUT, IN, CTX) (aes_dec_blk((IN),(OUT),(CTX)) == aes_good ? (void) 0 : abort())
static void xorblock(char *out, const char *in)
{
@@ -83,7 +68,6 @@ krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
{
aes_ctx ctx;
unsigned char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE];
- int offset;
int nblocks = 0, blockno;
/* CHECK_SIZES; */
@@ -100,8 +84,7 @@ krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
if (nblocks == 1) {
/* XXX Used for DK function. */
- if (aes_enc_blk(input->data, output->data, &ctx) != aes_good)
- abort();
+ enc(output->data, input->data, &ctx);
} else {
int nleft;
@@ -112,7 +95,6 @@ krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
/* Set up for next block. */
memcpy(tmp, tmp2, BLOCK_SIZE);
- offset += BLOCK_SIZE;
}
/* Do final CTS step for last two blocks (the second of which
may or may not be incomplete). */
@@ -132,18 +114,60 @@ krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
return 0;
}
-static krb5_error_code
-k5_aes_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
- const krb5_data *input, krb5_data *output)
+krb5_error_code
+krb5int_aes_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_data *input, krb5_data *output)
{
aes_ctx ctx;
+ unsigned char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE];
+ int nblocks = 0, blockno;
CHECK_SIZES;
if (aes_dec_key(key->contents, key->length, &ctx) != aes_good)
abort();
- abort();
+ if (ivec)
+ memcpy(tmp, ivec->data, BLOCK_SIZE);
+ else
+ memset(tmp, 0, BLOCK_SIZE);
+
+ nblocks = (input->length + BLOCK_SIZE - 1) / BLOCK_SIZE;
+
+ if (nblocks == 1) {
+ if (input->length < BLOCK_SIZE)
+ abort();
+ dec(output->data, input->data, &ctx);
+ } else {
+ int nleft;
+
+ for (blockno = 0; blockno < nblocks - 2; blockno++) {
+ dec(tmp2, input->data + blockno * BLOCK_SIZE, &ctx);
+ xorblock(tmp2, tmp);
+ memcpy(output->data + blockno * BLOCK_SIZE, tmp2, BLOCK_SIZE);
+ memcpy(tmp, input->data + blockno * BLOCK_SIZE, BLOCK_SIZE);
+ }
+ /* Do last two blocks, the second of which (next-to-last block
+ of plaintext) may be incomplete. */
+ dec(tmp2, input->data + (nblocks - 2) * BLOCK_SIZE, &ctx);
+ /* Set tmp3 to last ciphertext block, padded. */
+ memset(tmp3, 0, sizeof(tmp3));
+ memcpy(tmp3, input->data + (nblocks - 1) * BLOCK_SIZE,
+ input->length - (nblocks - 1) * BLOCK_SIZE);
+ /* Set tmp2 to last (possibly partial) plaintext block, and
+ save it. */
+ xorblock(tmp2, tmp3);
+ memcpy(output->data + (nblocks - 1) * BLOCK_SIZE, tmp2,
+ input->length - (nblocks - 1) * BLOCK_SIZE);
+ /* Maybe keep the trailing part, and copy in the last
+ ciphertext block. */
+ memcpy(tmp2, tmp3, input->length - (nblocks - 1) * BLOCK_SIZE);
+ /* Decrypt, to get next to last plaintext block xor previous
+ ciphertext. */
+ dec(tmp3, tmp2, &ctx);
+ xorblock(tmp3, tmp);
+ memcpy(output->data + (nblocks - 2) * BLOCK_SIZE, tmp3, BLOCK_SIZE);
+ }
return 0;
}
@@ -178,7 +202,7 @@ const struct krb5_enc_provider krb5int_enc_aes128 = {
aes_block_size,
aes128_keysize,
krb5int_aes_encrypt,
- k5_aes_decrypt,
+ krb5int_aes_decrypt,
k5_aes_make_key,
krb5int_aes_init_state,
krb5int_default_free_state
@@ -188,7 +212,7 @@ const struct krb5_enc_provider krb5int_enc_aes256 = {
aes_block_size,
aes256_keysize,
krb5int_aes_encrypt,
- k5_aes_decrypt,
+ krb5int_aes_decrypt,
k5_aes_make_key,
krb5int_aes_init_state,
krb5int_default_free_state
diff --git a/src/lib/crypto/etypes.c b/src/lib/crypto/etypes.c
index 1cc570c..6dcf026 100644
--- a/src/lib/crypto/etypes.c
+++ b/src/lib/crypto/etypes.c
@@ -45,93 +45,109 @@ const struct krb5_keytypes krb5_enctypes_list[] = {
"des-cbc-crc", "DES cbc mode with CRC-32",
&krb5int_enc_des, &krb5int_hash_crc32,
krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
- krb5int_des_string_to_key },
+ krb5int_des_string_to_key, CKSUMTYPE_RSA_MD5 },
{ ENCTYPE_DES_CBC_MD4,
"des-cbc-md4", "DES cbc mode with RSA-MD4",
&krb5int_enc_des, &krb5int_hash_md4,
krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
- krb5int_des_string_to_key },
+ krb5int_des_string_to_key, CKSUMTYPE_RSA_MD4 },
{ ENCTYPE_DES_CBC_MD5,
"des-cbc-md5", "DES cbc mode with RSA-MD5",
&krb5int_enc_des, &krb5int_hash_md5,
krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
- krb5int_des_string_to_key },
+ krb5int_des_string_to_key, CKSUMTYPE_RSA_MD5 },
{ ENCTYPE_DES_CBC_MD5,
"des", "DES cbc mode with RSA-MD5", /* alias */
&krb5int_enc_des, &krb5int_hash_md5,
krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
- krb5int_des_string_to_key },
+ krb5int_des_string_to_key, CKSUMTYPE_RSA_MD5 },
{ ENCTYPE_DES_CBC_RAW,
"des-cbc-raw", "DES cbc mode raw",
&krb5int_enc_des, NULL,
krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt,
- krb5int_des_string_to_key },
+ krb5int_des_string_to_key, 0 },
{ ENCTYPE_DES3_CBC_RAW,
"des3-cbc-raw", "Triple DES cbc mode raw",
&krb5int_enc_des3, NULL,
krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt,
- krb5int_dk_string_to_key },
+ krb5int_dk_string_to_key, 0 },
{ ENCTYPE_DES3_CBC_SHA1,
"des3-cbc-sha1", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
- krb5int_dk_string_to_key },
+ krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 },
{ ENCTYPE_DES3_CBC_SHA1, /* alias */
"des3-hmac-sha1", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
- krb5int_dk_string_to_key },
+ krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 },
{ ENCTYPE_DES3_CBC_SHA1, /* alias */
"des3-cbc-sha1-kd", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
- krb5int_dk_string_to_key },
+ krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 },
{ ENCTYPE_DES_HMAC_SHA1,
"des-hmac-sha1", "DES with HMAC/sha1",
&krb5int_enc_des, &krb5int_hash_sha1,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
- krb5int_dk_string_to_key },
+ krb5int_dk_string_to_key, 0 },
{ ENCTYPE_ARCFOUR_HMAC,
"arcfour-hmac","ArcFour with HMAC/md5", &krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+ CKSUMTYPE_HMAC_MD5_ARCFOUR },
{ ENCTYPE_ARCFOUR_HMAC, /* alias */
"rc4-hmac", "ArcFour with HMAC/md5", &krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+ CKSUMTYPE_HMAC_MD5_ARCFOUR },
{ ENCTYPE_ARCFOUR_HMAC, /* alias */
"arcfour-hmac-md5", "ArcFour with HMAC/md5", &krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+ CKSUMTYPE_HMAC_MD5_ARCFOUR },
{ ENCTYPE_ARCFOUR_HMAC_EXP,
"arcfour-hmac-exp", "Exportable ArcFour with HMAC/md5",
&krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+ CKSUMTYPE_HMAC_MD5_ARCFOUR },
{ ENCTYPE_ARCFOUR_HMAC_EXP, /* alias */
"rc4-hmac-exp", "Exportable ArcFour with HMAC/md5",
&krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+ CKSUMTYPE_HMAC_MD5_ARCFOUR },
{ ENCTYPE_ARCFOUR_HMAC_EXP, /* alias */
"arcfour-hmac-md5-exp", "Exportable ArcFour with HMAC/md5",
&krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+ CKSUMTYPE_HMAC_MD5_ARCFOUR },
{ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
"aes128-cts-hmac-sha1-96", "AES-128 CTS mode with 96-bit SHA-1 HMAC",
&krb5int_enc_aes128, &krb5int_hash_sha1,
- krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
- krb5int_aes_string_to_key },
+ krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
+ krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES128 },
+ { ENCTYPE_AES128_CTS_HMAC_SHA1_96, /* alias */
+ "aes128-cts", "AES-128 CTS mode with 96-bit SHA-1 HMAC",
+ &krb5int_enc_aes128, &krb5int_hash_sha1,
+ krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
+ krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES128 },
{ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
"aes256-cts-hmac-sha1-96", "AES-256 CTS mode with 96-bit SHA-1 HMAC",
&krb5int_enc_aes256, &krb5int_hash_sha1,
- krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
- krb5int_aes_string_to_key },
+ krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
+ krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES256 },
+ { ENCTYPE_AES256_CTS_HMAC_SHA1_96, /* alias */
+ "aes256-cts", "AES-256 CTS mode with 96-bit SHA-1 HMAC",
+ &krb5int_enc_aes256, &krb5int_hash_sha1,
+ krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
+ krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES256 },
#ifdef ATHENA_DES3_KLUDGE
/*
@@ -143,7 +159,7 @@ const struct krb5_keytypes krb5_enctypes_list[] = {
"Triple DES with HMAC/sha1 and 32-bit length code",
&krb5int_enc_des3, &krb5int_hash_sha1,
krb5_marc_dk_encrypt_length, krb5_marc_dk_encrypt, krb5_marc_dk_decrypt,
- krb5int_dk_string_to_key },
+ krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 },
#endif
};
diff --git a/src/lib/crypto/hash_provider/Makefile.in b/src/lib/crypto/hash_provider/Makefile.in
index 55aa892..b9e6ba7 100644
--- a/src/lib/crypto/hash_provider/Makefile.in
+++ b/src/lib/crypto/hash_provider/Makefile.in
@@ -42,26 +42,26 @@ clean-unix:: clean-libobjs
#
hash_crc32.so hash_crc32.po $(OUTPRE)hash_crc32.$(OBJEXT): hash_crc32.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/../crc32/crc-32.h \
- hash_provider.h
+ $(srcdir)/../crc32/crc-32.h hash_provider.h
hash_md4.so hash_md4.po $(OUTPRE)hash_md4.$(OBJEXT): hash_md4.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/../md4/rsa-md4.h \
- hash_provider.h
+ $(srcdir)/../md4/rsa-md4.h hash_provider.h
hash_md5.so hash_md5.po $(OUTPRE)hash_md5.$(OBJEXT): hash_md5.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/../md5/rsa-md5.h \
- hash_provider.h
+ $(srcdir)/../md5/rsa-md5.h hash_provider.h
hash_sha1.so hash_sha1.po $(OUTPRE)hash_sha1.$(OBJEXT): hash_sha1.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/../sha1/shs.h \
- hash_provider.h
+ $(srcdir)/../sha1/shs.h hash_provider.h
diff --git a/src/lib/crypto/keyhash_provider/Makefile.in b/src/lib/crypto/keyhash_provider/Makefile.in
index 27c3821..d134fd8 100644
--- a/src/lib/crypto/keyhash_provider/Makefile.in
+++ b/src/lib/crypto/keyhash_provider/Makefile.in
@@ -61,29 +61,31 @@ clean-unix:: clean-libobjs
#
descbc.so descbc.po $(OUTPRE)descbc.$(OBJEXT): descbc.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/../des/des_int.h \
- $(SRCTOP)/include/kerberosIV/des.h keyhash_provider.h
+ $(srcdir)/../des/des_int.h $(SRCTOP)/include/kerberosIV/des.h \
+ keyhash_provider.h
k5_md4des.so k5_md4des.po $(OUTPRE)k5_md4des.$(OBJEXT): k5_md4des.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/../des/des_int.h \
- $(SRCTOP)/include/kerberosIV/des.h $(srcdir)/../md4/rsa-md4.h \
- keyhash_provider.h
+ $(srcdir)/../des/des_int.h $(SRCTOP)/include/kerberosIV/des.h \
+ $(srcdir)/../md4/rsa-md4.h keyhash_provider.h
k5_md5des.so k5_md5des.po $(OUTPRE)k5_md5des.$(OBJEXT): k5_md5des.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/../des/des_int.h \
- $(SRCTOP)/include/kerberosIV/des.h $(srcdir)/../md5/rsa-md5.h \
- keyhash_provider.h
+ $(srcdir)/../des/des_int.h $(SRCTOP)/include/kerberosIV/des.h \
+ $(srcdir)/../md5/rsa-md5.h keyhash_provider.h
hmac_md5.so hmac_md5.po $(OUTPRE)hmac_md5.$(OBJEXT): hmac_md5.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h keyhash_provider.h $(srcdir)/../arcfour/arcfour-int.h \
+ keyhash_provider.h $(srcdir)/../arcfour/arcfour-int.h \
$(srcdir)/../arcfour/arcfour.h $(srcdir)/../md5/rsa-md5.h \
$(srcdir)/../hash_provider/hash_provider.h
diff --git a/src/lib/crypto/make_checksum.c b/src/lib/crypto/make_checksum.c
index 5d7be93..8a384e7 100644
--- a/src/lib/crypto/make_checksum.c
+++ b/src/lib/crypto/make_checksum.c
@@ -108,6 +108,13 @@ krb5_c_make_checksum(context, cksumtype, key, usage, input, cksum)
if (!ret) {
cksum->magic = KV5M_CHECKSUM;
cksum->checksum_type = cksumtype;
+ if (krb5_cksumtypes_list[i].trunc_size) {
+ krb5_octet *trunc;
+ cksum->length = krb5_cksumtypes_list[i].trunc_size;
+ trunc = (krb5_octet *) realloc(cksum->contents, cksum->length);
+ if (trunc)
+ cksum->contents = trunc;
+ }
}
cleanup:
diff --git a/src/lib/crypto/mandatory_sumtype.c b/src/lib/crypto/mandatory_sumtype.c
new file mode 100644
index 0000000..f9322ff
--- /dev/null
+++ b/src/lib/crypto/mandatory_sumtype.c
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2003 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include "k5-int.h"
+#include "etypes.h"
+
+krb5_error_code
+krb5int_c_mandatory_cksumtype (krb5_context ctx, krb5_enctype etype,
+ krb5_cksumtype *cksumtype)
+{
+ int i;
+
+ for (i = 0; i < krb5_enctypes_length; i++)
+ if (krb5_enctypes_list[i].etype == etype) {
+ *cksumtype = krb5_enctypes_list[i].required_ctype;
+ return 0;
+ }
+
+ return KRB5_BAD_ENCTYPE;
+}
diff --git a/src/lib/crypto/md4/Makefile.in b/src/lib/crypto/md4/Makefile.in
index af05935..57341c6 100644
--- a/src/lib/crypto/md4/Makefile.in
+++ b/src/lib/crypto/md4/Makefile.in
@@ -63,7 +63,8 @@ clean-unix:: clean-libobjs
#
md4.so md4.po $(OUTPRE)md4.$(OBJEXT): md4.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h rsa-md4.h
+ rsa-md4.h
diff --git a/src/lib/crypto/md5/Makefile.in b/src/lib/crypto/md5/Makefile.in
index b783893..d5e3a22 100644
--- a/src/lib/crypto/md5/Makefile.in
+++ b/src/lib/crypto/md5/Makefile.in
@@ -53,7 +53,8 @@ clean-unix:: clean-libobjs
#
md5.so md5.po $(OUTPRE)md5.$(OBJEXT): md5.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h rsa-md5.h
+ rsa-md5.h
diff --git a/src/lib/crypto/old/ChangeLog b/src/lib/crypto/old/ChangeLog
index c23b403..bab2704 100644
--- a/src/lib/crypto/old/ChangeLog
+++ b/src/lib/crypto/old/ChangeLog
@@ -1,3 +1,9 @@
+2003-05-23 Sam Hartman <hartmans@mit.edu>
+
+ * des_stringtokey.c (krb5int_des_string_to_key): If param has one
+ byte, treat it as a type. Type 0 is normal, type 1 is AFS
+ string2key.
+
2003-03-04 Ken Raeburn <raeburn@mit.edu>
* des_stringtokey.c (krb5int_des_string_to_key): Renamed from
diff --git a/src/lib/crypto/old/Makefile.in b/src/lib/crypto/old/Makefile.in
index 8fc8390..acc2cdd 100644
--- a/src/lib/crypto/old/Makefile.in
+++ b/src/lib/crypto/old/Makefile.in
@@ -40,18 +40,21 @@ clean-unix:: clean-libobjs
#
des_stringtokey.so des_stringtokey.po $(OUTPRE)des_stringtokey.$(OBJEXT): des_stringtokey.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- old.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h old.h $(srcdir)/../des/des_int.h \
+ $(SRCTOP)/include/kerberosIV/des.h
old_decrypt.so old_decrypt.po $(OUTPRE)old_decrypt.$(OBJEXT): old_decrypt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h old.h
+ old.h
old_encrypt.so old_encrypt.po $(OUTPRE)old_encrypt.$(OBJEXT): old_encrypt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h old.h
+ old.h
diff --git a/src/lib/crypto/old/des_stringtokey.c b/src/lib/crypto/old/des_stringtokey.c
index fd3440b..20f2f05 100644
--- a/src/lib/crypto/old/des_stringtokey.c
+++ b/src/lib/crypto/old/des_stringtokey.c
@@ -26,6 +26,7 @@
#include "k5-int.h"
#include "old.h"
+#include <des_int.h>
/* XXX */
extern krb5_error_code mit_des_string_to_key_int
@@ -41,7 +42,19 @@ krb5int_des_string_to_key(enc, string, salt, parm, key)
const krb5_data *parm;
krb5_keyblock *key;
{
- if (parm != NULL)
- return KRB5_ERR_BAD_S2K_PARAMS;
+ int type;
+ if (parm ) {
+ if (parm->length != 1)
+ return KRB5_ERR_BAD_S2K_PARAMS;
+ type = parm->data[0];
+ }
+ else type = 0;
+ switch(type) {
+ case 0:
return(mit_des_string_to_key_int(key, string, salt));
+ case 1:
+ return mit_afs_string_to_key(key, string, salt);
+ default:
+ return KRB5_ERR_BAD_S2K_PARAMS;
+ }
}
diff --git a/src/lib/crypto/pbkdf2.c b/src/lib/crypto/pbkdf2.c
index d8a3f8b..ce9f215 100644
--- a/src/lib/crypto/pbkdf2.c
+++ b/src/lib/crypto/pbkdf2.c
@@ -158,6 +158,7 @@ krb5int_pbkdf2 (krb5_error_code (*prf)(krb5_keyblock *, krb5_data *,
{
int l, r, i;
char *utmp1, *utmp2;
+ char utmp3[20]; /* XXX length shouldn't be hardcoded! */
if (output->length == 0 || hlen == 0)
abort();
@@ -169,7 +170,13 @@ krb5int_pbkdf2 (krb5_error_code (*prf)(krb5_keyblock *, krb5_data *,
r = output->length - (l - 1) * hlen;
utmp1 = /*output + dklen; */ malloc(hlen);
+ if (utmp1 == NULL)
+ return errno;
utmp2 = /*utmp1 + hlen; */ malloc(salt->length + 4 + hlen);
+ if (utmp2 == NULL) {
+ free(utmp1);
+ return errno;
+ }
/* Step 3. */
for (i = 1; i <= l; i++) {
@@ -177,11 +184,21 @@ krb5int_pbkdf2 (krb5_error_code (*prf)(krb5_keyblock *, krb5_data *,
int j;
#endif
krb5_error_code err;
+ char *out;
- err = F(output->data + (i-1) * hlen, utmp1, utmp2, prf, hlen,
- pass, salt, count, i);
- if (err)
+ if (i == l)
+ out = utmp3;
+ else
+ out = output->data + (i-1) * hlen;
+ err = F(out, utmp1, utmp2, prf, hlen, pass, salt, count, i);
+ if (err) {
+ free(utmp1);
+ free(utmp2);
return err;
+ }
+ if (i == l)
+ memcpy(output->data + (i-1) * hlen, utmp3,
+ output->length - (i-1) * hlen);
#if 0
printf("after F(%d), @%p:\n", i, output->data);
@@ -190,6 +207,8 @@ krb5int_pbkdf2 (krb5_error_code (*prf)(krb5_keyblock *, krb5_data *,
printf ("\n");
#endif
}
+ free(utmp1);
+ free(utmp2);
return 0;
}
@@ -235,8 +254,6 @@ foo(krb5_keyblock *pass, krb5_data *salt, krb5_data *out)
memset(out->data, 0, out->length);
err = hmac1 (&krb5int_hash_sha1, pass, salt, out);
- if (err)
- com_err("foo", err, "computing hmac");
return err;
}
diff --git a/src/lib/crypto/raw/Makefile.in b/src/lib/crypto/raw/Makefile.in
index d94112b..490d2c7 100644
--- a/src/lib/crypto/raw/Makefile.in
+++ b/src/lib/crypto/raw/Makefile.in
@@ -38,12 +38,14 @@ clean-unix:: clean-libobjs
#
raw_decrypt.so raw_decrypt.po $(OUTPRE)raw_decrypt.$(OBJEXT): raw_decrypt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h raw.h
+ raw.h
raw_encrypt.so raw_encrypt.po $(OUTPRE)raw_encrypt.$(OBJEXT): raw_encrypt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h raw.h
+ raw.h
diff --git a/src/lib/crypto/sha1/Makefile.in b/src/lib/crypto/sha1/Makefile.in
index da3e70f..f796eaa 100644
--- a/src/lib/crypto/sha1/Makefile.in
+++ b/src/lib/crypto/sha1/Makefile.in
@@ -58,7 +58,7 @@ t_shs3: t_shs3.o shs.o
#
shs.so shs.po $(OUTPRE)shs.$(OBJEXT): shs.c shs.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
diff --git a/src/lib/crypto/string_to_key.c b/src/lib/crypto/string_to_key.c
index c9434e0..4125831 100644
--- a/src/lib/crypto/string_to_key.c
+++ b/src/lib/crypto/string_to_key.c
@@ -27,7 +27,6 @@
#include "k5-int.h"
#include "etypes.h"
-/* Eventually this declaration should move to krb5.h. */
krb5_error_code KRB5_CALLCONV
krb5_c_string_to_key_with_params(krb5_context context,
krb5_enctype enctype,
@@ -72,7 +71,21 @@ krb5_c_string_to_key_with_params(context, enctype, string, salt, params, key)
return(KRB5_BAD_ENCTYPE);
enc = krb5_enctypes_list[i].enc;
+/* xxx AFS string2key function is indicated by a special length in
+ * the salt in much of the code. However only the DES enctypes can
+ * deal with this. Using s2kparams would be a much better solution.*/
+ if (salt && salt->length == SALT_TYPE_AFS_LENGTH) {
+ switch (enctype) {
+ case ENCTYPE_DES_CBC_CRC:
+ case ENCTYPE_DES_CBC_MD4:
+ case ENCTYPE_DES_CBC_MD5:
+ break;
+ default:
+ return (KRB5_CRYPTO_INTERNAL);
+ }
+ }
+
(*(enc->keysize))(&keybytes, &keylength);
if ((key->contents = (krb5_octet *) malloc(keylength)) == NULL)
diff --git a/src/lib/crypto/yarrow/Makefile.in b/src/lib/crypto/yarrow/Makefile.in
index efae363..5357272 100644
--- a/src/lib/crypto/yarrow/Makefile.in
+++ b/src/lib/crypto/yarrow/Makefile.in
@@ -44,15 +44,16 @@ clean-unix:: clean-libobjs
#
yarrow.so yarrow.po $(OUTPRE)yarrow.$(OBJEXT): yarrow.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h yarrow.h ytypes.h yhash.h \
- $(srcdir)/../sha1/shs.h ycipher.h ylock.h ystate.h \
- yexcep.h
+ yarrow.h ytypes.h yhash.h $(srcdir)/../sha1/shs.h ycipher.h \
+ ylock.h ystate.h yexcep.h
ycipher.so ycipher.po $(OUTPRE)ycipher.$(OBJEXT): ycipher.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h yarrow.h ytypes.h yhash.h \
- $(srcdir)/../sha1/shs.h ycipher.h $(srcdir)/../enc_provider/enc_provider.h
+ yarrow.h ytypes.h yhash.h $(srcdir)/../sha1/shs.h ycipher.h \
+ $(srcdir)/../enc_provider/enc_provider.h
diff --git a/src/lib/des425/ChangeLog b/src/lib/des425/ChangeLog
index acd4ea6..9ab878a 100644
--- a/src/lib/des425/ChangeLog
+++ b/src/lib/des425/ChangeLog
@@ -1,3 +1,8 @@
+2003-04-23 Ken Raeburn <raeburn@mit.edu>
+
+ * quad_cksum.c, t_pcbc.c, t_quad.c, verify.c: Don't declare errno
+ or errmsg.
+
2003-03-06 Alexandra Ellwood <lxs@mit.edu>
* mac_des_glue.c, des.c, enc_dec.c, key_sched.c, str_to_key.c:
diff --git a/src/lib/des425/Makefile.in b/src/lib/des425/Makefile.in
index dc486f3..54960fe 100644
--- a/src/lib/des425/Makefile.in
+++ b/src/lib/des425/Makefile.in
@@ -119,85 +119,86 @@ install-unix:: install-libs
#
cksum.so cksum.po $(OUTPRE)cksum.$(OBJEXT): cksum.c $(srcdir)/../crypto/des/des_int.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- $(SRCTOP)/include/kerberosIV/des.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h
des.so des.po $(OUTPRE)des.$(OBJEXT): des.c $(srcdir)/../crypto/des/des_int.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- $(SRCTOP)/include/kerberosIV/des.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h
enc_dec.so enc_dec.po $(OUTPRE)enc_dec.$(OBJEXT): enc_dec.c $(srcdir)/../crypto/des/des_int.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- $(SRCTOP)/include/kerberosIV/des.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h
key_parity.so key_parity.po $(OUTPRE)key_parity.$(OBJEXT): key_parity.c $(srcdir)/../crypto/des/des_int.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- $(SRCTOP)/include/kerberosIV/des.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h
key_sched.so key_sched.po $(OUTPRE)key_sched.$(OBJEXT): key_sched.c $(srcdir)/../crypto/des/des_int.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- $(SRCTOP)/include/kerberosIV/des.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h
new_rnd_key.so new_rnd_key.po $(OUTPRE)new_rnd_key.$(OBJEXT): new_rnd_key.c $(srcdir)/../crypto/des/des_int.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- $(SRCTOP)/include/kerberosIV/des.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h
pcbc_encrypt.so pcbc_encrypt.po $(OUTPRE)pcbc_encrypt.$(OBJEXT): pcbc_encrypt.c $(srcdir)/../crypto/des/des_int.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- $(SRCTOP)/include/kerberosIV/des.h $(srcdir)/../crypto/des/f_tables.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h \
+ $(srcdir)/../crypto/des/f_tables.h
quad_cksum.so quad_cksum.po $(OUTPRE)quad_cksum.$(OBJEXT): quad_cksum.c $(srcdir)/../crypto/des/des_int.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- $(SRCTOP)/include/kerberosIV/des.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h
random_key.so random_key.po $(OUTPRE)random_key.$(OBJEXT): random_key.c $(srcdir)/../crypto/des/des_int.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- $(SRCTOP)/include/kerberosIV/des.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h
read_passwd.so read_passwd.po $(OUTPRE)read_passwd.$(OBJEXT): read_passwd.c $(srcdir)/../crypto/des/des_int.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- $(SRCTOP)/include/kerberosIV/des.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h
str_to_key.so str_to_key.po $(OUTPRE)str_to_key.$(OBJEXT): str_to_key.c $(srcdir)/../crypto/des/des_int.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- $(SRCTOP)/include/kerberosIV/des.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h
unix_time.so unix_time.po $(OUTPRE)unix_time.$(OBJEXT): unix_time.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
util.so util.po $(OUTPRE)util.$(OBJEXT): util.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(srcdir)/../crypto/des/des_int.h \
- $(SRCTOP)/include/kerberosIV/des.h
+ $(srcdir)/../crypto/des/des_int.h $(SRCTOP)/include/kerberosIV/des.h
weak_key.so weak_key.po $(OUTPRE)weak_key.$(OBJEXT): weak_key.c $(srcdir)/../crypto/des/des_int.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- $(SRCTOP)/include/kerberosIV/des.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h
diff --git a/src/lib/des425/quad_cksum.c b/src/lib/des425/quad_cksum.c
index b9ef031..2a7b78c 100644
--- a/src/lib/des425/quad_cksum.c
+++ b/src/lib/des425/quad_cksum.c
@@ -119,10 +119,6 @@
#define vaxtohs(x) two_bytes_vax_to_nets(((const unsigned char *)(x)))
/* Externals */
-extern char *errmsg();
-#ifndef HAVE_ERRNO
-extern int errno;
-#endif
extern int des_debug;
/*** Routines ***************************************************** */
diff --git a/src/lib/des425/t_pcbc.c b/src/lib/des425/t_pcbc.c
index 8bd6a08..2932148 100644
--- a/src/lib/des425/t_pcbc.c
+++ b/src/lib/des425/t_pcbc.c
@@ -30,8 +30,6 @@
#include "des_int.h"
#include "des.h"
-extern char *errmsg();
-extern int errno;
char *progname;
int des_debug;
diff --git a/src/lib/des425/t_quad.c b/src/lib/des425/t_quad.c
index 421a555..b9299fd 100644
--- a/src/lib/des425/t_quad.c
+++ b/src/lib/des425/t_quad.c
@@ -30,8 +30,6 @@
#include "des_int.h"
#include "des.h"
-extern char *errmsg();
-extern int errno;
extern unsigned long quad_cksum();
char *progname;
int des_debug;
diff --git a/src/lib/des425/verify.c b/src/lib/des425/verify.c
index 91718e3..653730a 100644
--- a/src/lib/des425/verify.c
+++ b/src/lib/des425/verify.c
@@ -37,8 +37,6 @@
#include "des_int.h"
#include "des.h"
-extern char *errmsg();
-extern int errno;
char *progname;
int nflag = 2;
int vflag;
diff --git a/src/lib/gssapi/ChangeLog b/src/lib/gssapi/ChangeLog
index 2674710..27fc2d9 100644
--- a/src/lib/gssapi/ChangeLog
+++ b/src/lib/gssapi/ChangeLog
@@ -1,3 +1,8 @@
+2003-07-17 Tom Yu <tlyu@mit.edu>
+
+ * gss_libinit.c (gssint_initialize_library): Don't call
+ kg_release_defcred(); it doesn't exist any more.
+
2003-03-08 Ken Raeburn <raeburn@mit.edu>
* Makefile.in ($(BUILDTOP)/include/gssapi/gssapi.h,
diff --git a/src/lib/gssapi/Makefile.in b/src/lib/gssapi/Makefile.in
index baa776e..3df77c8 100644
--- a/src/lib/gssapi/Makefile.in
+++ b/src/lib/gssapi/Makefile.in
@@ -122,5 +122,6 @@ gss_libinit.so gss_libinit.po $(OUTPRE)gss_libinit.$(OBJEXT): gss_libinit.c gene
$(COM_ERR_DEPS) krb5/gssapi_err_krb5.h $(srcdir)/krb5/gssapiP_krb5.h \
$(BUILDTOP)/include/krb5.h $(srcdir)/generic/gssapiP_generic.h \
$(srcdir)/generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5/autoconf.h \
$(srcdir)/krb5/gssapi_krb5.h gss_libinit.h generic/gssapi.h
diff --git a/src/lib/gssapi/generic/ChangeLog b/src/lib/gssapi/generic/ChangeLog
index bd58e5a..4890149 100644
--- a/src/lib/gssapi/generic/ChangeLog
+++ b/src/lib/gssapi/generic/ChangeLog
@@ -1,3 +1,20 @@
+2003-12-13 Ken Raeburn <raeburn@mit.edu>
+
+ * gssapiP_generic.h: Include k5-platform.h.
+ (gssint_uint64): New typedef.
+ (g_order_init, g_order_check): Update decls.
+ * util_ordering.c (struct _queue): Change sequence number fields
+ to gssint_uint64. Add mask field.
+ (queue_insert): Change sequence number to gssint_uint64.
+ (g_order_init): Change sequence numbers to gssint_uint64. Add
+ "wide_nums" argument; initialize the queue mask field based on
+ it; all callers changed. Store a -1 as the first element.
+ (g_order_check): Store and check elements as offsets from
+ firstnum. Mask to 32 bits if desired.
+ * util_token.c (g_verify_token_header): Add new argument
+ indicating whether the pseudo-ASN.1 wrapper is required; all
+ callers changed.
+
2003-03-06 Alexandra Ellwood <lxs@mit.edu>
* disp_com_err_status.c, gssapi_generic.h:
diff --git a/src/lib/gssapi/generic/Makefile.in b/src/lib/gssapi/generic/Makefile.in
index 8ac282f..b55a6e2 100644
--- a/src/lib/gssapi/generic/Makefile.in
+++ b/src/lib/gssapi/generic/Makefile.in
@@ -147,40 +147,52 @@ depend:: $(ETSRCS)
#
disp_com_err_status.so disp_com_err_status.po $(OUTPRE)disp_com_err_status.$(OBJEXT): disp_com_err_status.c \
gssapiP_generic.h gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- gssapi_err_generic.h $(COM_ERR_DEPS)
+ gssapi_err_generic.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h
disp_major_status.so disp_major_status.po $(OUTPRE)disp_major_status.$(OBJEXT): disp_major_status.c \
gssapiP_generic.h gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- gssapi_err_generic.h $(COM_ERR_DEPS)
+ gssapi_err_generic.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h
gssapi_generic.so gssapi_generic.po $(OUTPRE)gssapi_generic.$(OBJEXT): gssapi_generic.c \
gssapiP_generic.h gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- gssapi_err_generic.h $(COM_ERR_DEPS)
+ gssapi_err_generic.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h
oid_ops.so oid_ops.po $(OUTPRE)oid_ops.$(OBJEXT): oid_ops.c gssapiP_generic.h \
gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- gssapi_err_generic.h $(COM_ERR_DEPS)
+ gssapi_err_generic.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h
rel_buffer.so rel_buffer.po $(OUTPRE)rel_buffer.$(OBJEXT): rel_buffer.c gssapiP_generic.h \
gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- gssapi_err_generic.h $(COM_ERR_DEPS)
+ gssapi_err_generic.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h
rel_oid_set.so rel_oid_set.po $(OUTPRE)rel_oid_set.$(OBJEXT): rel_oid_set.c gssapiP_generic.h \
gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- gssapi_err_generic.h $(COM_ERR_DEPS)
+ gssapi_err_generic.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h
util_buffer.so util_buffer.po $(OUTPRE)util_buffer.$(OBJEXT): util_buffer.c gssapiP_generic.h \
gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- gssapi_err_generic.h $(COM_ERR_DEPS)
+ gssapi_err_generic.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h
util_oid.so util_oid.po $(OUTPRE)util_oid.$(OBJEXT): util_oid.c gssapiP_generic.h \
gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- gssapi_err_generic.h $(COM_ERR_DEPS)
+ gssapi_err_generic.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h
util_ordering.so util_ordering.po $(OUTPRE)util_ordering.$(OBJEXT): util_ordering.c gssapiP_generic.h \
gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- gssapi_err_generic.h $(COM_ERR_DEPS)
+ gssapi_err_generic.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h
util_set.so util_set.po $(OUTPRE)util_set.$(OBJEXT): util_set.c gssapiP_generic.h \
gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- gssapi_err_generic.h $(COM_ERR_DEPS)
+ gssapi_err_generic.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h
util_token.so util_token.po $(OUTPRE)util_token.$(OBJEXT): util_token.c gssapiP_generic.h \
gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- gssapi_err_generic.h $(COM_ERR_DEPS)
+ gssapi_err_generic.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h
util_validate.so util_validate.po $(OUTPRE)util_validate.$(OBJEXT): util_validate.c gssapiP_generic.h \
gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- gssapi_err_generic.h $(COM_ERR_DEPS)
+ gssapi_err_generic.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h
gssapi_err_generic.so gssapi_err_generic.po $(OUTPRE)gssapi_err_generic.$(OBJEXT): gssapi_err_generic.c \
$(COM_ERR_DEPS)
diff --git a/src/lib/gssapi/generic/gssapiP_generic.h b/src/lib/gssapi/generic/gssapiP_generic.h
index 102ba69..24d51d0 100644
--- a/src/lib/gssapi/generic/gssapiP_generic.h
+++ b/src/lib/gssapi/generic/gssapiP_generic.h
@@ -40,6 +40,9 @@
#include "gssapi_err_generic.h"
#include <errno.h>
+#include "k5-platform.h"
+typedef UINT64_TYPE gssint_uint64;
+
/** helper macros **/
#define g_OID_equal(o1,o2) \
@@ -159,8 +162,9 @@ void g_make_token_header (gss_OID mech, unsigned int body_size,
unsigned char **buf, int tok_type);
gss_int32 g_verify_token_header (gss_OID mech, unsigned int *body_size,
- unsigned char **buf, int tok_type,
- unsigned int toksize_in);
+ unsigned char **buf, int tok_type,
+ unsigned int toksize_in,
+ int wrapper_required);
OM_uint32 g_display_major_status (OM_uint32 *minor_status,
OM_uint32 status_value,
@@ -171,10 +175,10 @@ OM_uint32 g_display_com_err_status (OM_uint32 *minor_status,
OM_uint32 status_value,
gss_buffer_t status_string);
-gss_int32 g_order_init (void **queue, OM_uint32 seqnum,
- int do_replay, int do_sequence);
+gss_int32 g_order_init (void **queue, gssint_uint64 seqnum,
+ int do_replay, int do_sequence, int wide);
-gss_int32 g_order_check (void **queue, OM_uint32 seqnum);
+gss_int32 g_order_check (void **queue, gssint_uint64 seqnum);
void g_order_free (void **queue);
diff --git a/src/lib/gssapi/generic/util_ordering.c b/src/lib/gssapi/generic/util_ordering.c
index 21a8b06..fe2eaaf 100644
--- a/src/lib/gssapi/generic/util_ordering.c
+++ b/src/lib/gssapi/generic/util_ordering.c
@@ -38,8 +38,14 @@ typedef struct _queue {
int do_sequence;
int start;
int length;
- unsigned int firstnum;
- unsigned int elem[QUEUE_LENGTH];
+ gssint_uint64 firstnum;
+ /* Stored as deltas from firstnum. This way, the high bit won't
+ overflow unless we've actually gone through 2**n messages, or
+ gotten something *way* out of sequence. */
+ gssint_uint64 elem[QUEUE_LENGTH];
+ /* All ones for 64-bit sequence numbers; 32 ones for 32-bit
+ sequence numbers. */
+ gssint_uint64 mask;
} queue;
/* rep invariant:
@@ -51,7 +57,7 @@ typedef struct _queue {
#define QELEM(q,i) ((q)->elem[(i)%QSIZE(q)])
static void
-queue_insert(queue *q, int after, unsigned int seqnum)
+queue_insert(queue *q, int after, gssint_uint64 seqnum)
{
/* insert. this is not the fastest way, but it's easy, and it's
optimized for insert at end, which is the common case */
@@ -80,10 +86,10 @@ queue_insert(queue *q, int after, unsigned int seqnum)
q->length++;
}
}
-
+
gss_int32
-g_order_init(void **vqueue, OM_uint32 seqnum,
- int do_replay, int do_sequence)
+g_order_init(void **vqueue, gssint_uint64 seqnum,
+ int do_replay, int do_sequence, int wide_nums)
{
queue *q;
@@ -92,38 +98,49 @@ g_order_init(void **vqueue, OM_uint32 seqnum,
q->do_replay = do_replay;
q->do_sequence = do_sequence;
+ q->mask = wide_nums ? ~(gssint_uint64)0 : 0xffffffffUL;
q->start = 0;
q->length = 1;
q->firstnum = seqnum;
- q->elem[q->start] = seqnum-1;
+ q->elem[q->start] = ((gssint_uint64)0 - 1) & q->mask;
*vqueue = (void *) q;
return(0);
}
gss_int32
-g_order_check(void **vqueue, OM_uint32 seqnum)
+g_order_check(void **vqueue, gssint_uint64 seqnum)
{
queue *q;
int i;
-
+ gssint_uint64 expected;
+
q = (queue *) (*vqueue);
if (!q->do_replay && !q->do_sequence)
return(GSS_S_COMPLETE);
+ /* All checks are done relative to the initial sequence number, to
+ avoid (or at least put off) the pain of wrapping. */
+ seqnum -= q->firstnum;
+ /* If we're only doing 32-bit values, adjust for that again.
+
+ Note that this will probably be the wrong thing to if we get
+ 2**32 messages sent with 32-bit sequence numbers. */
+ seqnum &= q->mask;
+
/* rule 1: expected sequence number */
- if (seqnum == QELEM(q,q->start+q->length-1)+1) {
+ expected = (QELEM(q,q->start+q->length-1)+1) & q->mask;
+ if (seqnum == expected) {
queue_insert(q, q->start+q->length-1, seqnum);
return(GSS_S_COMPLETE);
}
/* rule 2: > expected sequence number */
- if ((seqnum > QELEM(q,q->start+q->length-1)+1) ||
- (seqnum < q->firstnum)) {
+ if ((seqnum > expected)) {
queue_insert(q, q->start+q->length-1, seqnum);
if (q->do_replay && !q->do_sequence)
return(GSS_S_COMPLETE);
@@ -134,7 +151,20 @@ g_order_check(void **vqueue, OM_uint32 seqnum)
/* rule 3: seqnum < seqnum(first) */
if ((seqnum < QELEM(q,q->start)) &&
- (seqnum >= q->firstnum)) {
+ /* Is top bit of whatever width we're using set?
+
+ We used to check for greater than or equal to firstnum, but
+ (1) we've since switched to compute values relative to
+ firstnum, so the lowest we can have is 0, and (2) the effect
+ of the original scheme was highly dependent on whether
+ firstnum was close to either side of 0. (Consider
+ firstnum==0xFFFFFFFE and we miss three packets; the next
+ packet is *new* but would look old.)
+
+ This check should give us 2**31 or 2**63 messages "new", and
+ just as many "old". That's not quite right either. */
+ (seqnum & (1 + (q->mask >> 1)))
+ ) {
if (q->do_replay && !q->do_sequence)
return(GSS_S_OLD_TOKEN);
else
diff --git a/src/lib/gssapi/generic/util_token.c b/src/lib/gssapi/generic/util_token.c
index 30ae069..97a788c 100644
--- a/src/lib/gssapi/generic/util_token.c
+++ b/src/lib/gssapi/generic/util_token.c
@@ -168,12 +168,15 @@ void g_make_token_header(mech, body_size, buf, tok_type)
* mechanism in the token does not match the mech argument. buf and
* *body_size are left unmodified on error.
*/
-gss_int32 g_verify_token_header(mech, body_size, buf_in, tok_type, toksize_in)
+
+gss_int32 g_verify_token_header(mech, body_size, buf_in, tok_type, toksize_in,
+ wrapper_required)
gss_OID mech;
unsigned int *body_size;
unsigned char **buf_in;
int tok_type;
unsigned int toksize_in;
+ int wrapper_required;
{
unsigned char *buf = *buf_in;
int seqsize;
@@ -182,8 +185,13 @@ gss_int32 g_verify_token_header(mech, body_size, buf_in, tok_type, toksize_in)
if ((toksize-=1) < 0)
return(G_BAD_TOK_HEADER);
- if (*buf++ != 0x60)
- return(G_BAD_TOK_HEADER);
+ if (*buf++ != 0x60) {
+ if (wrapper_required)
+ return(G_BAD_TOK_HEADER);
+ buf--;
+ toksize++;
+ goto skip_wrapper;
+ }
if ((seqsize = der_read_length(&buf, &toksize)) < 0)
return(G_BAD_TOK_HEADER);
@@ -207,16 +215,17 @@ gss_int32 g_verify_token_header(mech, body_size, buf_in, tok_type, toksize_in)
if (! g_OID_equal(&toid, mech))
return G_WRONG_MECH;
+skip_wrapper:
if (tok_type != -1) {
if ((toksize-=2) < 0)
return(G_BAD_TOK_HEADER);
if ((*buf++ != ((tok_type>>8)&0xff)) ||
- (*buf++ != (tok_type&0xff)))
+ (*buf++ != (tok_type&0xff)))
return(G_WRONG_TOKID);
}
- *buf_in = buf;
- *body_size = toksize;
+ *buf_in = buf;
+ *body_size = toksize;
- return 0;
- }
+ return 0;
+}
diff --git a/src/lib/gssapi/gss_libinit.c b/src/lib/gssapi/gss_libinit.c
index 7906786..0568f29 100644
--- a/src/lib/gssapi/gss_libinit.c
+++ b/src/lib/gssapi/gss_libinit.c
@@ -33,12 +33,9 @@ OM_uint32 gssint_initialize_library (void)
void gssint_cleanup_library (void)
{
- OM_uint32 min_stat;
assert (initialized);
- (void) kg_release_defcred (&min_stat);
-
#if !USE_BUNDLE_ERROR_STRINGS
remove_error_table(&et_k5g_error_table);
remove_error_table(&et_ggss_error_table);
diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog
index 7424a25..f68dfbc 100644
--- a/src/lib/gssapi/krb5/ChangeLog
+++ b/src/lib/gssapi/krb5/ChangeLog
@@ -1,3 +1,161 @@
+2004-01-05 Ken Raeburn <raeburn@mit.edu>
+
+ * init_sec_context.c: Include auth_con.h if CFX_EXERCISE is
+ defined.
+ (make_gss_checksum) [CFX_EXERCISE]: If the key enctype is aes256,
+ insert some stuff after the delegation slot.
+ (new_connection) [CFX_EXERCISE]: Don't send messages with bogus
+ token ids.
+
+ * accept_sec_context.c (krb5_gss_accept_sec_context): Don't
+ discard the delegation flag; only look for a delegation if the
+ flag is set, and only look for delegation, not other options.
+ Ignore any other data there.
+
+2003-12-19 Tom Yu <tlyu@mit.edu>
+
+ * init_sec_context.c: Include k5-int.h for accessor.
+
+2003-12-18 Jeffrey Altman <jaltman@mit.edu>
+
+ * accept_sec_context.c, init_sec_context.c, ser_sctx.c:
+ Implement use of krb5int_accessor() for krb5int_c_mandatory_cksumtype,
+ krb5_ser_pack_int64, and krb5_ser_unpack_int64
+
+2003-12-13 Ken Raeburn <raeburn@mit.edu>
+ Sam Hartman <hartmans@avalanche-breakdown.mit.edu>
+
+ * k5sealv3.c: New file, implements Wrap and MIC tokens for CFX
+ extensions.
+ * gssapiP_krb5.h (struct _krb5_gss_ctx_id_rec): Added acceptor
+ subkey, 64-bit sequence numbers, checksum type, and hooks for
+ sending a bogus initial token for CFX testing. Changed some flags
+ into bitfields.
+ (gss_krb5int_make_seal_token_v3): Declare.
+ * Makefile.in (SRCS, OBJS, STLIBOBJS): Build it.
+ * accept_sec_context.c (krb5_gss_accept_sec_context): Add CFX
+ support. For G_WRONG_TOKID, send back an error token with
+ AP_ERR_MSG_TYPE code and return a CONTINUE_NEEDED indication.
+ Initialize new fields in context.
+ * delete_sec_context.c (krb5_gss_delete_sec_context): Free
+ acceptor subkey field.
+ * init_sec_context.c (get_credentials): Drop enctypes argument;
+ callers changed.
+ (get_requested_enctypes): Deleted.
+ (setup_enc): Combine some common sections. Do CFX initialization
+ for newer enctypes.
+ (new_connection) [CFX_EXERCISE]: If doing CFX, send a bogus
+ token. Delete the enctype list manipulation.
+ (mutual_auth): If CFX, save acceptor's subkey.
+ * k5seal.c (make_seal_token_v1): Sequence number is now 64 bits.
+ (kg_seal): Call out to _v3 code for CFX.
+ * k5unseal.c (kg_unseal): For CFX, adjust token id numbers and
+ call out to _v3 code.
+ * wrap_size_limit.c (krb5_gss_wrap_size_limit): Implement CFX
+ support.
+
+ * gssapiP_krb5.h (struct _krb5_gss_ctx_id_rec): Deleted fields
+ ctypes and nctypes.
+ * delete_sec_context.c, init_sec_context.c, ser_sctx.c: Removed
+ references.
+
+2003-12-11 Alexandra Ellwood <lxs@mit.edu>
+
+ * acquire_cred.c, gssapi_krb5.c, gssapiP_krb5.h, set_ccache.c:
+ Added kg_sync_ccache_name(), kg_get_ccache_name, and
+ kg_set_ccache_name() and rewrote gss_krb5_ccache_name() and
+ added a call to kg_sync_ccache_name() to acquire_init_cred()
+ to fix a bug where on systems with multiple ccaches that GSSAPI
+ gets stuck on the ccache that was default when it launched.
+
+2003-07-19 Ezra Peisach <epeisach@mit.edu>
+
+ * acquire_cred.c (krb5_gss_register_acceptor_identity): Allocate
+ enough memory to include the null at the end of the keytab char *.
+
+2003-07-17 Tom Yu <tlyu@mit.edu>
+
+ * gssapiP_krb5.h: Delete kg_release_defcred(); it's no longer
+ used.
+
+ * gssapi_krb5.c: Delete defcred; it's no longer cached.
+ (kg_get_defcred): Don't cache.
+ (kg_release_defcred): Delete; it's no longer used.
+
+ * init_sec_context.c (krb5_gss_init_sec_context): Break into more
+ manageable pieces. Clean up a few error condition memory leaks
+ previously obscured by the sheer size of this function.
+ (setup_enc): New function; used to be part of
+ krb5_gss_init_sec_context() responsible for setting up enctypes,
+ keyblocks, related nastiness.
+ (get_requested_enctypes): New function; used to be part of
+ krb5_gss_init_sec_context() responsible for pruning the krb5
+ library's default enctype list to the limited set of enctypes
+ usable with GSSAPI.
+ (new_connection): New function; used to be part of
+ krb5_gss_init_sec_context() responsible for initial gss_ctx setup
+ and creating the AP-REQ.
+ (mutual_auth): New function; used to be part of
+ krb5_gss_init_sec_context() responsible for reading the AP-REP if
+ mutual auth was requested.
+
+ * inq_cred.c (krb5_gss_inquire_cred): Rearrange due to removal of
+ kg_release_defcred(), particularly to explicitly release the
+ defcred once it's obtained.
+
+ * rel_cred.c (krb5_gss_release_cred): Remove call to
+ kg_release_defcred(), and always succeed in releasing the null
+ credential.
+
+ * set_ccache.c (gss_krb5_ccache_name): Remove call to
+ kg_release_defcred().
+
+2003-07-14 Tom Yu <tlyu@mit.edu>
+
+ * accept_sec_context.c (krb5_gss_accept_sec_context): Call
+ TREAD_STR with correct arguments. Patch from Emily Ratliff.
+
+2003-07-10 Tom Yu <tlyu@mit.edu>
+
+ * acquire_cred.c (acquire_init_cred): Close the ccache if
+ krb5_cc_set_flags() fails, as krb5int_cc_default succeeds even if
+ the file is not there, but krb5_cc_set_flags will fail in turning
+ off OPENCLOSE mode if the file can't be opened. Thanks to Kent Wu.
+
+2003-06-13 Tom Yu <tlyu@mit.edu>
+
+ * init_sec_context.c (make_ap_req_v1): Free checksum_data if
+ needed, to avoid leaking memory. Found by Kent Wu.
+ (krb5_gss_init_sec_context): Free default_enctypes to avoid
+ leaking returned value from krb5_get_tgs_ktypes.
+
+ * k5unseal.c (kg_unseal_v1): Explicitly set token.value to NULL if
+ token.length == 0, to avoid spurious uninitialized memory
+ references when calling memcpy() with a zero length.
+
+2003-05-13 Tom Yu <tlyu@mit.edu>
+
+ * gssapi_krb5.h: Remove check for GSS_RFC_COMPLIANT_OIDS.
+
+2003-05-09 Tom Yu <tlyu@mit.edu>
+
+ * accept_sec_context.c (krb5_gss_accept_sec_context): Rename
+ remote_subkey -> recv_subkey.
+
+ * init_sec_context.c (krb5_gss_init_sec_context): Rename
+ local_subkey -> send_subkey.
+
+2003-03-14 Sam Hartman <hartmans@mit.edu>
+
+ * accept_sec_context.c (krb5_gss_accept_sec_context): Set
+ prot_ready here
+
+ * init_sec_context.c (krb5_gss_init_sec_context): Set prot_ready
+ after context established
+
+ * gssapiP_krb5.h (KG_IMPLFLAGS): Don't claim prot_ready until the
+ context is established because we don't currently support it.
+
2003-03-06 Alexandra Ellwood <lxs@mit.edu>
* disp_status.c, gssapi_krb5.h, gssapiP_krb5.h:
diff --git a/src/lib/gssapi/krb5/Makefile.in b/src/lib/gssapi/krb5/Makefile.in
index c0d2660..0bdc117 100644
--- a/src/lib/gssapi/krb5/Makefile.in
+++ b/src/lib/gssapi/krb5/Makefile.in
@@ -43,6 +43,7 @@ SRCS = \
$(srcdir)/inq_cred.c \
$(srcdir)/inq_names.c \
$(srcdir)/k5seal.c \
+ $(srcdir)/k5sealv3.c \
$(srcdir)/k5unseal.c \
$(srcdir)/krb5_gss_glue.c \
$(srcdir)/process_context_token.c \
@@ -90,6 +91,7 @@ OBJS = \
$(OUTPRE)inq_cred.$(OBJEXT) \
$(OUTPRE)inq_names.$(OBJEXT) \
$(OUTPRE)k5seal.$(OBJEXT) \
+ $(OUTPRE)k5sealv3.$(OBJEXT) \
$(OUTPRE)k5unseal.$(OBJEXT) \
$(OUTPRE)krb5_gss_glue.$(OBJEXT) \
$(OUTPRE)process_context_token.$(OBJEXT) \
@@ -137,6 +139,7 @@ STLIBOBJS = \
inq_cred.o \
inq_names.o \
k5seal.o \
+ k5sealv3.o \
k5unseal.o \
krb5_gss_glue.o \
process_context_token.o \
@@ -215,195 +218,244 @@ install::
#
accept_sec_context.so accept_sec_context.po $(OUTPRE)accept_sec_context.$(OBJEXT): accept_sec_context.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
acquire_cred.so acquire_cred.po $(OUTPRE)acquire_cred.$(OBJEXT): acquire_cred.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \
+ gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
add_cred.so add_cred.po $(OUTPRE)add_cred.$(OBJEXT): add_cred.c gssapiP_krb5.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
+ ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h
canon_name.so canon_name.po $(OUTPRE)canon_name.$(OBJEXT): canon_name.c gssapiP_krb5.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
+ ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h
compare_name.so compare_name.po $(OUTPRE)compare_name.$(OBJEXT): compare_name.c gssapiP_krb5.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
+ ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h
context_time.so context_time.po $(OUTPRE)context_time.$(OBJEXT): context_time.c gssapiP_krb5.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
+ ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h
copy_ccache.so copy_ccache.po $(OUTPRE)copy_ccache.$(OBJEXT): copy_ccache.c gssapiP_krb5.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
+ ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h
delete_sec_context.so delete_sec_context.po $(OUTPRE)delete_sec_context.$(OBJEXT): delete_sec_context.c \
gssapiP_krb5.h $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) \
$(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
$(BUILDTOP)/include/gssapi/gssapi.h ../generic/gssapi_err_generic.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5/autoconf.h \
gssapi_krb5.h gssapi_err_krb5.h
disp_name.so disp_name.po $(OUTPRE)disp_name.$(OBJEXT): disp_name.c gssapiP_krb5.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
+ ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h
disp_status.so disp_status.po $(OUTPRE)disp_status.$(OBJEXT): disp_status.c gssapiP_krb5.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
+ ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h
duplicate_name.so duplicate_name.po $(OUTPRE)duplicate_name.$(OBJEXT): duplicate_name.c \
gssapiP_krb5.h $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) \
$(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
$(BUILDTOP)/include/gssapi/gssapi.h ../generic/gssapi_err_generic.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5/autoconf.h \
gssapi_krb5.h gssapi_err_krb5.h
export_name.so export_name.po $(OUTPRE)export_name.$(OBJEXT): export_name.c gssapiP_krb5.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
+ ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h
export_sec_context.so export_sec_context.po $(OUTPRE)export_sec_context.$(OBJEXT): export_sec_context.c \
gssapiP_krb5.h $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) \
$(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
$(BUILDTOP)/include/gssapi/gssapi.h ../generic/gssapi_err_generic.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5/autoconf.h \
gssapi_krb5.h gssapi_err_krb5.h
get_tkt_flags.so get_tkt_flags.po $(OUTPRE)get_tkt_flags.$(OBJEXT): get_tkt_flags.c gssapiP_krb5.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
+ ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h
gssapi_krb5.so gssapi_krb5.po $(OUTPRE)gssapi_krb5.$(OBJEXT): gssapi_krb5.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \
+ gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
import_name.so import_name.po $(OUTPRE)import_name.$(OBJEXT): import_name.c gssapiP_krb5.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
+ ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h
import_sec_context.so import_sec_context.po $(OUTPRE)import_sec_context.$(OBJEXT): import_sec_context.c \
gssapiP_krb5.h $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) \
$(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
$(BUILDTOP)/include/gssapi/gssapi.h ../generic/gssapi_err_generic.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5/autoconf.h \
gssapi_krb5.h gssapi_err_krb5.h
indicate_mechs.so indicate_mechs.po $(OUTPRE)indicate_mechs.$(OBJEXT): indicate_mechs.c \
gssapiP_krb5.h $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) \
$(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
$(BUILDTOP)/include/gssapi/gssapi.h ../generic/gssapi_err_generic.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5/autoconf.h \
gssapi_krb5.h gssapi_err_krb5.h
init_sec_context.so init_sec_context.po $(OUTPRE)init_sec_context.$(OBJEXT): init_sec_context.c \
- gssapiP_krb5.h $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) \
- $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
- $(BUILDTOP)/include/gssapi/gssapi.h ../generic/gssapi_err_generic.h \
- gssapi_krb5.h gssapi_err_krb5.h
+ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \
+ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
+ ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
inq_context.so inq_context.po $(OUTPRE)inq_context.$(OBJEXT): inq_context.c gssapiP_krb5.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
+ ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h
inq_cred.so inq_cred.po $(OUTPRE)inq_cred.$(OBJEXT): inq_cred.c gssapiP_krb5.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
+ ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h
inq_names.so inq_names.po $(OUTPRE)inq_names.$(OBJEXT): inq_names.c gssapiP_krb5.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
+ ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h
k5seal.so k5seal.po $(OUTPRE)k5seal.$(OBJEXT): k5seal.c gssapiP_krb5.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
+ ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h
+k5sealv3.so k5sealv3.po $(OUTPRE)k5sealv3.$(OBJEXT): k5sealv3.c $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-int.h \
+ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
+ gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \
+ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
k5unseal.so k5unseal.po $(OUTPRE)k5unseal.$(OBJEXT): k5unseal.c gssapiP_krb5.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
+ ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h
krb5_gss_glue.so krb5_gss_glue.po $(OUTPRE)krb5_gss_glue.$(OBJEXT): krb5_gss_glue.c gssapiP_krb5.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
+ ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h
process_context_token.so process_context_token.po $(OUTPRE)process_context_token.$(OBJEXT): process_context_token.c \
gssapiP_krb5.h $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) \
$(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
$(BUILDTOP)/include/gssapi/gssapi.h ../generic/gssapi_err_generic.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5/autoconf.h \
gssapi_krb5.h gssapi_err_krb5.h
rel_cred.so rel_cred.po $(OUTPRE)rel_cred.$(OBJEXT): rel_cred.c gssapiP_krb5.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
+ ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h
rel_oid.so rel_oid.po $(OUTPRE)rel_oid.$(OBJEXT): rel_oid.c gssapiP_krb5.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
+ ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h
rel_name.so rel_name.po $(OUTPRE)rel_name.$(OBJEXT): rel_name.c gssapiP_krb5.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
+ ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h
seal.so seal.po $(OUTPRE)seal.$(OBJEXT): seal.c gssapiP_krb5.h $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
+ ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h
ser_sctx.so ser_sctx.po $(OUTPRE)ser_sctx.$(OBJEXT): ser_sctx.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \
+ gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
set_ccache.so set_ccache.po $(OUTPRE)set_ccache.$(OBJEXT): set_ccache.c gssapiP_krb5.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
+ ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h
sign.so sign.po $(OUTPRE)sign.$(OBJEXT): sign.c gssapiP_krb5.h $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
+ ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h
unseal.so unseal.po $(OUTPRE)unseal.$(OBJEXT): unseal.c gssapiP_krb5.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
+ ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h
util_cksum.so util_cksum.po $(OUTPRE)util_cksum.$(OBJEXT): util_cksum.c gssapiP_krb5.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
+ ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h
util_crypt.so util_crypt.po $(OUTPRE)util_crypt.$(OBJEXT): util_crypt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \
+ gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
util_seed.so util_seed.po $(OUTPRE)util_seed.$(OBJEXT): util_seed.c gssapiP_krb5.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
+ ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h
util_seqnum.so util_seqnum.po $(OUTPRE)util_seqnum.$(OBJEXT): util_seqnum.c gssapiP_krb5.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h \
+ ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
val_cred.so val_cred.po $(OUTPRE)val_cred.$(OBJEXT): val_cred.c gssapiP_krb5.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
+ ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h
verify.so verify.po $(OUTPRE)verify.$(OBJEXT): verify.c gssapiP_krb5.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \
$(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
- ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h
+ ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h
wrap_size_limit.so wrap_size_limit.po $(OUTPRE)wrap_size_limit.$(OBJEXT): wrap_size_limit.c \
gssapiP_krb5.h $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) \
$(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \
$(BUILDTOP)/include/gssapi/gssapi.h ../generic/gssapi_err_generic.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5/autoconf.h \
gssapi_krb5.h gssapi_err_krb5.h
gssapi_err_krb5.so gssapi_err_krb5.po $(OUTPRE)gssapi_err_krb5.$(OBJEXT): gssapi_err_krb5.c \
$(COM_ERR_DEPS)
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 5ff6146..c27d823 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -77,6 +77,12 @@
#endif
#include <assert.h>
+#ifdef CFX_EXERCISE
+#define CFX_ACCEPTOR_SUBKEY (time(0) & 1)
+#else
+#define CFX_ACCEPTOR_SUBKEY 1
+#endif
+
/* Decode, decrypt and store the forwarded creds in the local ccache. */
static krb5_error_code
rd_and_store_for_creds(context, auth_context, inbuf, out_cred)
@@ -101,8 +107,8 @@ rd_and_store_for_creds(context, auth_context, inbuf, out_cred)
* By the time krb5_rd_cred is called here (after krb5_rd_req has been
* called in krb5_gss_accept_sec_context), the "keyblock" field of
* auth_context contains a pointer to the session key, and the
- * "remote_subkey" field might contain a session subkey. Either of
- * these (the "remote_subkey" if it isn't NULL, otherwise the
+ * "recv_subkey" field might contain a session subkey. Either of
+ * these (the "recv_subkey" if it isn't NULL, otherwise the
* "keyblock") might have been used to encrypt the encrypted part of
* the KRB_CRED message that contains the forwarded credentials. (The
* Java Crypto and Security Implementation from the DSTC in Australia
@@ -122,7 +128,8 @@ rd_and_store_for_creds(context, auth_context, inbuf, out_cred)
if ((retval = krb5_auth_con_init(context, &new_auth_ctx)))
goto cleanup;
krb5_auth_con_setflags(context, new_auth_ctx, 0);
- if ((retval = krb5_rd_cred(context, new_auth_ctx, inbuf, &creds, NULL)))
+ if ((retval = krb5_rd_cred(context, new_auth_ctx, inbuf,
+ &creds, NULL)))
goto cleanup;
}
@@ -241,7 +248,14 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
krb5_data scratch;
gss_cred_id_t cred_handle = NULL;
krb5_gss_cred_id_t deleg_cred = NULL;
+ krb5int_access kaccess;
+ code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
+ if (code) {
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
+
if (GSS_ERROR(kg_get_context(minor_status, &context)))
return(GSS_S_FAILURE);
@@ -312,13 +326,13 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
if (!(code = g_verify_token_header((gss_OID) gss_mech_krb5,
&(ap_req.length),
&ptr, KG_TOK_CTX_AP_REQ,
- input_token->length))) {
+ input_token->length, 1))) {
mech_used = gss_mech_krb5;
} else if ((code == G_WRONG_MECH) &&
!(code = g_verify_token_header((gss_OID) gss_mech_krb5_old,
&(ap_req.length),
&ptr, KG_TOK_CTX_AP_REQ,
- input_token->length))) {
+ input_token->length, 1))) {
/*
* Previous versions of this library used the old mech_id
* and some broken behavior (wrong IV on checksum
@@ -327,6 +341,11 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
* old behavior.
*/
mech_used = gss_mech_krb5_old;
+ } else if (code == G_WRONG_TOKID) {
+ major_status = GSS_S_CONTINUE_NEEDED;
+ code = KRB5KRB_AP_ERR_MSG_TYPE;
+ mech_used = gss_mech_krb5;
+ goto fail;
} else {
major_status = GSS_S_DEFECTIVE_TOKEN;
goto fail;
@@ -496,18 +515,20 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
reqcksum.contents = 0;
TREAD_INT(ptr, gss_flags, bigend);
+#if 0
gss_flags &= ~GSS_C_DELEG_FLAG; /* mask out the delegation flag; if
there's a delegation, we'll set
it below */
+#endif
decode_req_message = 0;
/* if the checksum length > 24, there are options to process */
- if(authdat->checksum->length > 24) {
+ if(authdat->checksum->length > 24 && (gss_flags & GSS_C_DELEG_FLAG)) {
i = authdat->checksum->length - 24;
- while (i >= 4) {
+ if (i >= 4) {
TREAD_INT16(ptr, option_id, bigend);
@@ -515,23 +536,24 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
i -= 4;
- /* have to use ptr2, since option.data is wrong type and
- macro uses ptr as both lvalue and rvalue */
-
if (i < option.length || option.length < 0) {
code = KG_BAD_LENGTH;
major_status = GSS_S_FAILURE;
goto fail;
}
- TREAD_STR(ptr, ptr2, bigend);
+ /* have to use ptr2, since option.data is wrong type and
+ macro uses ptr as both lvalue and rvalue */
+
+ TREAD_STR(ptr, ptr2, option.length);
option.data = (char *) ptr2;
i -= option.length;
- switch(option_id) {
-
- case KRB5_GSS_FOR_CREDS_OPTION:
+ if (option_id != KRB5_GSS_FOR_CREDS_OPTION) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
/* store the delegated credential */
@@ -543,15 +565,8 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
goto fail;
}
- gss_flags |= GSS_C_DELEG_FLAG; /* got a delegation */
-
- break;
-
- /* default: */
- /* unknown options aren't an error */
-
- } /* switch */
- } /* while */
+ } /* if i >= 4 */
+ /* ignore any additional trailing data, for now */
} /* if */
}
@@ -592,8 +607,8 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
goto fail;
}
- if ((code = krb5_auth_con_getremotesubkey(context, auth_context,
- &ctx->subkey))) {
+ if ((code = krb5_auth_con_getrecvsubkey(context, auth_context,
+ &ctx->subkey))) {
major_status = GSS_S_FAILURE;
goto fail;
}
@@ -616,6 +631,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
goto fail;
}
+ ctx->proto = 0;
switch(ctx->subkey->enctype) {
case ENCTYPE_DES_CBC_MD5:
case ENCTYPE_DES_CBC_CRC:
@@ -635,12 +651,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
/*SUPPRESS 113*/
ctx->enc->contents[i] ^= 0xf0;
- if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->seq))) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
-
- break;
+ goto copy_subkey_to_seq;
case ENCTYPE_DES3_CBC_SHA1:
ctx->subkey->enctype = ENCTYPE_DES3_CBC_RAW;
@@ -649,36 +660,38 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
ctx->sealalg = SEAL_ALG_DES3KD;
/* fill in the encryption descriptors */
-
+ copy_subkey:
if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc))) {
major_status = GSS_S_FAILURE;
goto fail;
}
-
+ copy_subkey_to_seq:
if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->seq))) {
major_status = GSS_S_FAILURE;
goto fail;
}
-
break;
- case ENCTYPE_ARCFOUR_HMAC:
- ctx->signalg = SGN_ALG_HMAC_MD5 ;
- ctx->cksum_size = 8;
- ctx->sealalg = SEAL_ALG_MICROSOFT_RC4 ;
-
- code = krb5_copy_keyblock (context, ctx->subkey, &ctx->enc);
- if (code)
- goto fail;
- code = krb5_copy_keyblock (context, ctx->subkey, &ctx->seq);
- if (code) {
- krb5_free_keyblock (context, ctx->enc);
- goto fail;
- }
- break;
+
+ case ENCTYPE_ARCFOUR_HMAC:
+ ctx->signalg = SGN_ALG_HMAC_MD5 ;
+ ctx->cksum_size = 8;
+ ctx->sealalg = SEAL_ALG_MICROSOFT_RC4 ;
+ goto copy_subkey;
default:
- code = KRB5_BAD_ENCTYPE;
- goto fail;
+ ctx->signalg = -1;
+ ctx->sealalg = -1;
+ ctx->proto = 1;
+ code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, ctx->subkey->enctype,
+ &ctx->cksumtype);
+ if (code)
+ goto fail;
+ code = krb5_c_checksum_length(context, ctx->cksumtype,
+ &ctx->cksum_size);
+ if (code)
+ goto fail;
+ ctx->have_acceptor_subkey = 0;
+ goto copy_subkey;
}
ctx->endtime = ticket->enc_part2->times.endtime;
@@ -686,7 +699,11 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
krb5_free_ticket(context, ticket); /* Done with ticket */
- krb5_auth_con_getremoteseqnumber(context, auth_context, &ctx->seq_recv);
+ {
+ krb5_ui_4 seq_temp;
+ krb5_auth_con_getremoteseqnumber(context, auth_context, &seq_temp);
+ ctx->seq_recv = seq_temp;
+ }
if ((code = krb5_timeofday(context, &now))) {
major_status = GSS_S_FAILURE;
@@ -701,7 +718,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
g_order_init(&(ctx->seqstate), ctx->seq_recv,
(ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0,
- (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0);
+ (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0, ctx->proto);
/* at this point, the entire context structure is filled in,
so it can be released. */
@@ -710,15 +727,56 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
if (ctx->gss_flags & GSS_C_MUTUAL_FLAG) {
unsigned char * ptr3;
+ krb5_ui_4 seq_temp;
+ int cfx_generate_subkey;
+
+ if (ctx->proto == 1)
+ cfx_generate_subkey = CFX_ACCEPTOR_SUBKEY;
+ else
+ cfx_generate_subkey = 0;
+
+ if (cfx_generate_subkey) {
+ krb5_int32 acflags;
+ code = krb5_auth_con_getflags(context, auth_context, &acflags);
+ if (code == 0) {
+ acflags |= KRB5_AUTH_CONTEXT_USE_SUBKEY;
+ code = krb5_auth_con_setflags(context, auth_context, acflags);
+ }
+ if (code) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ }
+
if ((code = krb5_mk_rep(context, auth_context, &ap_rep))) {
major_status = GSS_S_FAILURE;
goto fail;
}
- krb5_auth_con_getlocalseqnumber(context, auth_context,
- &ctx->seq_send);
+ krb5_auth_con_getlocalseqnumber(context, auth_context, &seq_temp);
+ ctx->seq_send = seq_temp & 0xffffffffL;
+
+ if (cfx_generate_subkey) {
+ /* Get the new acceptor subkey. With the code above, there
+ should always be one if we make it to this point. */
+ code = krb5_auth_con_getsendsubkey(context, auth_context,
+ &ctx->acceptor_subkey);
+ if (code != 0) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ code = (*kaccess.krb5int_c_mandatory_cksumtype)(context,
+ ctx->acceptor_subkey->enctype,
+ &ctx->acceptor_subkey_cksumtype);
+ if (code) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ ctx->have_acceptor_subkey = 1;
+ }
/* the reply token hasn't been sent yet, but that's ok. */
+ ctx->gss_flags |= GSS_C_PROT_READY_FLAG;
ctx->established = 1;
token.length = g_token_size((gss_OID) mech_used, ap_rep.length);
@@ -803,7 +861,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
if (ap_rep.data)
krb5_free_data_contents(context, &ap_rep);
- if (!GSS_ERROR(major_status))
+ if (!GSS_ERROR(major_status) && major_status != GSS_S_CONTINUE_NEEDED)
return(major_status);
/* from here on is the real "fail" code */
@@ -843,7 +901,9 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
krb5_free_ap_req(context, request);
}
- if (cred && (gss_flags & GSS_C_MUTUAL_FLAG)) {
+ if (cred
+ && ((gss_flags & GSS_C_MUTUAL_FLAG)
+ || (major_status == GSS_S_CONTINUE_NEEDED))) {
unsigned int tmsglen;
int toktype;
@@ -853,7 +913,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
*/
memset(&krb_error_data, 0, sizeof(krb_error_data));
- code -= ERROR_TABLE_BASE_krb5;
+ code -= ERROR_TABLE_BASE_krb5;
if (code < 0 || code > 128)
code = 60 /* KRB_ERR_GENERIC */;
@@ -861,7 +921,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
(void) krb5_us_timeofday(context, &krb_error_data.stime,
&krb_error_data.susec);
krb_error_data.server = cred->princ;
-
+
code = krb5_mk_error(context, &krb_error_data, &scratch);
if (code)
return (major_status);
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index 2c620b9..513abe5 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -92,7 +92,7 @@ krb5_gss_register_acceptor_identity(const char *keytab)
free(krb5_gss_keytab);
len = strlen(keytab);
- krb5_gss_keytab = malloc(len);
+ krb5_gss_keytab = malloc(len + 1);
if (krb5_gss_keytab == NULL)
return GSS_S_FAILURE;
@@ -190,8 +190,13 @@ acquire_init_cred(context, minor_status, desired_name, output_princ, cred)
cred->ccache = NULL;
- /* open the default credential cache */
+ /* load the GSS ccache name into the kg_context */
+
+ if (GSS_ERROR(kg_sync_ccache_name(minor_status)))
+ return(GSS_S_FAILURE);
+ /* open the default credential cache */
+
if ((code = krb5int_cc_default(context, &ccache))) {
*minor_status = code;
return(GSS_S_CRED_UNAVAIL);
@@ -201,6 +206,7 @@ acquire_init_cred(context, minor_status, desired_name, output_princ, cred)
flags = 0; /* turns off OPENCLOSE mode */
if ((code = krb5_cc_set_flags(context, ccache, flags))) {
+ (void)krb5_cc_close(context, ccache);
*minor_status = code;
return(GSS_S_CRED_UNAVAIL);
}
diff --git a/src/lib/gssapi/krb5/delete_sec_context.c b/src/lib/gssapi/krb5/delete_sec_context.c
index 28c2358..94702b8 100644
--- a/src/lib/gssapi/krb5/delete_sec_context.c
+++ b/src/lib/gssapi/krb5/delete_sec_context.c
@@ -92,6 +92,8 @@ krb5_gss_delete_sec_context(minor_status, context_handle, output_token)
krb5_free_principal(context, ctx->there);
if (ctx->subkey)
krb5_free_keyblock(context, ctx->subkey);
+ if (ctx->acceptor_subkey)
+ krb5_free_keyblock(context, ctx->acceptor_subkey);
if (ctx->auth_context) {
(void)krb5_auth_con_setrcache(context, ctx->auth_context, NULL);
@@ -101,9 +103,6 @@ krb5_gss_delete_sec_context(minor_status, context_handle, output_token)
if (ctx->mech_used)
gss_release_oid(minor_status, &ctx->mech_used);
- if (ctx->ctypes)
- xfree(ctx->ctypes);
-
/* Zero out context */
memset(ctx, 0, sizeof(*ctx));
xfree(ctx);
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index 3251086..cee702b 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -69,6 +69,9 @@
#include "gssapi_krb5.h"
#include "gssapi_err_krb5.h"
+/* for debugging */
+#undef CFX_EXERCISE
+
/** constants **/
#define CKSUMTYPE_KG_CB 0x8003
@@ -83,7 +86,7 @@
#define KG_TOK_DEL_CTX 0x0102
#define KG_IMPLFLAGS(x) (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG | \
- GSS_C_TRANS_FLAG | GSS_C_PROT_READY_FLAG | \
+ GSS_C_TRANS_FLAG | \
((x) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | \
GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)))
@@ -116,10 +119,17 @@ enum seal_alg {
SEAL_ALG_DES3KD = 0x0002
};
+/* for 3DES */
#define KG_USAGE_SEAL 22
#define KG_USAGE_SIGN 23
#define KG_USAGE_SEQ 24
+/* for draft-ietf-krb-wg-gssapi-cfx-01 */
+#define KG_USAGE_ACCEPTOR_SEAL 22
+#define KG_USAGE_ACCEPTOR_SIGN 23
+#define KG_USAGE_INITIATOR_SEAL 24
+#define KG_USAGE_INITIATOR_SIGN 25
+
enum qop {
GSS_KRB5_INTEG_C_QOP_MD5 = 0x0001, /* *partial* MD5 = "MD2.5" */
GSS_KRB5_INTEG_C_QOP_DES_MD5 = 0x0002,
@@ -152,15 +162,21 @@ typedef struct _krb5_gss_cred_id_rec {
} krb5_gss_cred_id_rec, *krb5_gss_cred_id_t;
typedef struct _krb5_gss_ctx_id_rec {
- int initiate; /* nonzero if initiating, zero if accepting */
+ unsigned int initiate : 1; /* nonzero if initiating, zero if accepting */
+ unsigned int established : 1;
+ unsigned int big_endian : 1;
+ unsigned int have_acceptor_subkey : 1;
+ unsigned int seed_init : 1; /* XXX tested but never actually set */
+#ifdef CFX_EXERCISE
+ unsigned int testing_unknown_tokid : 1; /* for testing only */
+#endif
OM_uint32 gss_flags;
- int seed_init;
unsigned char seed[16];
krb5_principal here;
krb5_principal there;
krb5_keyblock *subkey;
int signalg;
- int cksum_size;
+ size_t cksum_size;
int sealalg;
krb5_keyblock *enc;
krb5_keyblock *seq;
@@ -169,15 +185,22 @@ typedef struct _krb5_gss_ctx_id_rec {
/* XXX these used to be signed. the old spec is inspecific, and
the new spec specifies unsigned. I don't believe that the change
affects the wire encoding. */
- krb5_ui_4 seq_send;
- krb5_ui_4 seq_recv;
+ gssint_uint64 seq_send;
+ gssint_uint64 seq_recv;
void *seqstate;
- int established;
- int big_endian;
krb5_auth_context auth_context;
gss_OID_desc *mech_used;
- int nctypes;
- krb5_cksumtype *ctypes;
+ /* Protocol spec revision
+ 0 => RFC 1964 with 3DES and RC4 enhancements
+ 1 => draft-ietf-krb-wg-gssapi-cfx-01
+ No others defined so far. */
+ int proto;
+ krb5_cksumtype cksumtype; /* for "main" subkey */
+ krb5_keyblock *acceptor_subkey; /* CFX only */
+ krb5_cksumtype acceptor_subkey_cksumtype;
+#ifdef CFX_EXERCISE
+ gss_buffer_desc init_token;
+#endif
} krb5_gss_ctx_id_rec, *krb5_gss_ctx_id_t;
extern void *kg_vdb;
@@ -202,8 +225,6 @@ OM_uint32 kg_get_defcred
(OM_uint32 *minor_status,
gss_cred_id_t *cred);
-OM_uint32 kg_release_defcred (OM_uint32 *minor_status);
-
krb5_error_code kg_checksum_channel_bindings
(krb5_context context, gss_channel_bindings_t cb,
krb5_checksum *cksum,
@@ -290,7 +311,15 @@ krb5_error_code kg_ctx_internalize (krb5_context kcontext,
OM_uint32 kg_get_context (OM_uint32 *minor_status,
krb5_context *context);
-
+
+OM_uint32 kg_sync_ccache_name (OM_uint32 *minor_status);
+
+OM_uint32 kg_get_ccache_name (OM_uint32 *minor_status,
+ const char **out_name);
+
+OM_uint32 kg_set_ccache_name (OM_uint32 *minor_status,
+ const char *name);
+
/** declarations of internal name mechanism functions **/
OM_uint32 krb5_gss_acquire_cred
@@ -589,4 +618,10 @@ gss_OID krb5_gss_convert_static_mech_oid
(gss_OID oid
);
+krb5_error_code gss_krb5int_make_seal_token_v3(krb5_context,
+ krb5_gss_ctx_id_rec *,
+ const gss_buffer_desc *,
+ gss_buffer_t,
+ int, int);
+
#endif /* _GSSAPIP_KRB5_H_ */
diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
index db6eabd..be750a7 100644
--- a/src/lib/gssapi/krb5/gssapi_krb5.c
+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
@@ -125,13 +125,10 @@ const gss_OID_set_desc * const gss_mech_set_krb5_old = oidsets+1;
const gss_OID_set_desc * const gss_mech_set_krb5_both = oidsets+2;
void *kg_vdb = NULL;
+static char *kg_ccache_name = NULL;
/** default credential support */
-/* default credentials */
-
-static gss_cred_id_t defcred = GSS_C_NO_CREDENTIAL;
-
/*
* init_sec_context() will explicitly re-acquire default credentials,
* so handling the expiration/invalidation condition here isn't needed.
@@ -141,37 +138,19 @@ kg_get_defcred(minor_status, cred)
OM_uint32 *minor_status;
gss_cred_id_t *cred;
{
- if (defcred == GSS_C_NO_CREDENTIAL) {
- OM_uint32 major;
-
- if ((major = krb5_gss_acquire_cred(minor_status,
- (gss_name_t) NULL, GSS_C_INDEFINITE,
- GSS_C_NULL_OID_SET, GSS_C_INITIATE,
- &defcred, NULL, NULL)) &&
- GSS_ERROR(major)) {
- defcred = GSS_C_NO_CREDENTIAL;
- return(major);
- }
+ OM_uint32 major;
+
+ if ((major = krb5_gss_acquire_cred(minor_status,
+ (gss_name_t) NULL, GSS_C_INDEFINITE,
+ GSS_C_NULL_OID_SET, GSS_C_INITIATE,
+ cred, NULL, NULL)) && GSS_ERROR(major)) {
+ return(major);
}
-
- *cred = defcred;
*minor_status = 0;
return(GSS_S_COMPLETE);
}
OM_uint32
-kg_release_defcred(minor_status)
- OM_uint32 *minor_status;
-{
- if (defcred == GSS_C_NO_CREDENTIAL) {
- *minor_status = 0;
- return(GSS_S_COMPLETE);
- }
-
- return(krb5_gss_release_cred(minor_status, &defcred));
-}
-
-OM_uint32
kg_get_context(minor_status, context)
OM_uint32 *minor_status;
krb5_context *context;
@@ -203,3 +182,103 @@ fail:
*minor_status = (OM_uint32) code;
return GSS_S_FAILURE;
}
+
+OM_uint32
+kg_sync_ccache_name (OM_uint32 *minor_status)
+{
+ krb5_context context = NULL;
+ OM_uint32 err = 0;
+ OM_uint32 minor;
+
+ /*
+ * Sync up the kg_context ccache name with the GSSAPI ccache name.
+ * If kg_ccache_name is NULL -- normal unless someone has called
+ * gss_krb5_ccache_name() -- then the system default ccache will
+ * be picked up and used by resetting the context default ccache.
+ * This is needed for platforms which support multiple ccaches.
+ */
+
+ if (!err) {
+ if (GSS_ERROR(kg_get_context (&minor, &context))) {
+ err = minor;
+ }
+ }
+
+ if (!err) {
+ /* kg_ccache_name == NULL resets the context default ccache */
+ err = krb5_cc_set_default_name(context, kg_ccache_name);
+ }
+
+ *minor_status = err;
+ return (*minor_status == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE;
+}
+
+OM_uint32
+kg_get_ccache_name (OM_uint32 *minor_status, const char **out_name)
+{
+ krb5_context context = NULL;
+ const char *name = NULL;
+ OM_uint32 err = 0;
+ OM_uint32 minor;
+
+ if (!err) {
+ if (GSS_ERROR(kg_get_context (&minor, &context))) {
+ err = minor;
+ }
+ }
+
+ if (!err) {
+ if (kg_ccache_name != NULL) {
+ name = kg_ccache_name;
+ } else {
+ /* reset the context default ccache (see text above) */
+ err = krb5_cc_set_default_name (context, NULL);
+ if (!err) {
+ name = krb5_cc_default_name(context);
+ }
+ }
+ }
+
+ if (!err) {
+ if (out_name) {
+ *out_name = name;
+ }
+ }
+
+ *minor_status = err;
+ return (*minor_status == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE;
+}
+
+OM_uint32
+kg_set_ccache_name (OM_uint32 *minor_status, const char *name)
+{
+ char *new_name = NULL;
+ OM_uint32 err = 0;
+
+ if (!err) {
+ if (name) {
+ new_name = malloc(strlen(name) + 1);
+ if (new_name == NULL) {
+ err = ENOMEM;
+ } else {
+ strcpy(new_name, name);
+ }
+ }
+ }
+
+ if (!err) {
+ char *swap = NULL;
+
+ swap = kg_ccache_name;
+ kg_ccache_name = new_name;
+ new_name = swap;
+ }
+
+ if (new_name != NULL) {
+ free (new_name);
+ }
+
+ *minor_status = err;
+ return (*minor_status == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE;
+}
+
diff --git a/src/lib/gssapi/krb5/gssapi_krb5.h b/src/lib/gssapi/krb5/gssapi_krb5.h
index c142802..3007a0f 100644
--- a/src/lib/gssapi/krb5/gssapi_krb5.h
+++ b/src/lib/gssapi/krb5/gssapi_krb5.h
@@ -31,7 +31,6 @@
extern "C" {
#endif /* __cplusplus */
-#if GSS_RFC_COMPLIANT_OIDS
/* Reserved static storage for GSS_oids. See rfc 1964 for more details. */
/* 2.1.1. Kerberos Principal Name Form: */
@@ -71,8 +70,6 @@ GSS_DLLIMP extern const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME;
* generic(1) string_uid_name(3)}. The recommended symbolic name for
* this type is "GSS_KRB5_NT_STRING_UID_NAME". */
-#endif /* GSS_RFC_COMPLIANT_OIDS */
-
extern const gss_OID_desc * const gss_mech_krb5;
extern const gss_OID_desc * const gss_mech_krb5_old;
extern const gss_OID_set_desc * const gss_mech_set_krb5;
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index 8877052..20d416f 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -70,6 +70,7 @@
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
+#include "k5-int.h"
#include "gssapiP_krb5.h"
#ifdef HAVE_MEMORY_H
#include <memory.h>
@@ -90,13 +91,12 @@ int krb5_gss_dbg_client_expcreds = 0;
* ccache.
*/
static krb5_error_code get_credentials(context, cred, server, now,
- endtime, enctypes, out_creds)
+ endtime, out_creds)
krb5_context context;
krb5_gss_cred_id_t cred;
krb5_principal server;
krb5_timestamp now;
krb5_timestamp endtime;
- const krb5_enctype *enctypes;
krb5_creds **out_creds;
{
krb5_error_code code;
@@ -112,10 +112,7 @@ static krb5_error_code get_credentials(context, cred, server, now,
in_creds.keyblock.enctype = 0;
- code = krb5_set_default_tgs_enctypes (context, enctypes);
- if (code)
- goto cleanup;
- code = krb5_get_credentials(context, 0, cred->ccache,
+ code = krb5_get_credentials(context, 0, cred->ccache,
&in_creds, out_creds);
if (code)
goto cleanup;
@@ -145,6 +142,9 @@ struct gss_checksum_data {
krb5_data checksum_data;
};
+#ifdef CFX_EXERCISE
+#include "../../krb5/krb/auth_con.h"
+#endif
static krb5_error_code KRB5_CALLCONV
make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
void *cksum_data, krb5_data **out)
@@ -154,6 +154,8 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
unsigned char *ptr;
struct gss_checksum_data *data = cksum_data;
krb5_data credmsg;
+ int junk;
+
data->checksum_data.data = 0;
credmsg.data = 0;
/* build the checksum field */
@@ -191,6 +193,20 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
} else {
data->checksum_data.length = 24;
}
+#ifdef CFX_EXERCISE
+ if (data->ctx->auth_context->keyblock->enctype == 18) {
+ srand(time(0) ^ getpid());
+ /* Our ftp client code stupidly assumes a base64-encoded
+ version of the token will fit in 10K, so don't make this
+ too big. */
+ junk = rand() & 0xff;
+ } else
+ junk = 0;
+#else
+ junk = 0;
+#endif
+
+ data->checksum_data.length += junk;
/* now allocate a buffer to hold the checksum data and
(maybe) KRB_CRED msg */
@@ -219,6 +235,8 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
/* free credmsg data */
krb5_free_data_contents(context, &credmsg);
}
+ if (junk)
+ memset(ptr, 'i', junk);
*out = &data->checksum_data;
return 0;
}
@@ -316,12 +334,526 @@ make_ap_req_v1(context, ctx, cred, k_cred, chan_bindings, mech_type, token)
code = 0;
cleanup:
+ if (checksum_data && checksum_data->data)
+ krb5_free_data_contents(context, checksum_data);
if (ap_req.data)
krb5_free_data_contents(context, &ap_req);
return (code);
}
+/*
+ * setup_enc
+ *
+ * Fill in the encryption descriptors. Called after AP-REQ is made.
+ */
+static OM_uint32
+setup_enc(
+ OM_uint32 *minor_status,
+ krb5_gss_ctx_id_rec *ctx,
+ krb5_context context)
+{
+ krb5_error_code code;
+ int i;
+ krb5int_access kaccess;
+
+ code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
+ if (code)
+ goto fail;
+
+ ctx->have_acceptor_subkey = 0;
+ ctx->proto = 0;
+ ctx->cksumtype = 0;
+ switch(ctx->subkey->enctype) {
+ case ENCTYPE_DES_CBC_MD5:
+ case ENCTYPE_DES_CBC_MD4:
+ case ENCTYPE_DES_CBC_CRC:
+ ctx->subkey->enctype = ENCTYPE_DES_CBC_RAW;
+ ctx->signalg = SGN_ALG_DES_MAC_MD5;
+ ctx->cksum_size = 8;
+ ctx->sealalg = SEAL_ALG_DES;
+
+ /* The encryption key is the session key XOR
+ 0xf0f0f0f0f0f0f0f0. */
+ if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc)))
+ goto fail;
+
+ for (i=0; i<ctx->enc->length; i++)
+ ctx->enc->contents[i] ^= 0xf0;
+
+ goto copy_subkey_to_seq;
+
+ case ENCTYPE_DES3_CBC_SHA1:
+ /* MIT extension */
+ ctx->subkey->enctype = ENCTYPE_DES3_CBC_RAW;
+ ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD;
+ ctx->cksum_size = 20;
+ ctx->sealalg = SEAL_ALG_DES3KD;
+
+ copy_subkey:
+ code = krb5_copy_keyblock (context, ctx->subkey, &ctx->enc);
+ if (code)
+ goto fail;
+ copy_subkey_to_seq:
+ code = krb5_copy_keyblock (context, ctx->subkey, &ctx->seq);
+ if (code) {
+ krb5_free_keyblock (context, ctx->enc);
+ goto fail;
+ }
+ break;
+
+ case ENCTYPE_ARCFOUR_HMAC:
+ /* Microsoft extension */
+ ctx->signalg = SGN_ALG_HMAC_MD5 ;
+ ctx->cksum_size = 8;
+ ctx->sealalg = SEAL_ALG_MICROSOFT_RC4 ;
+
+ goto copy_subkey;
+
+ default:
+ /* Fill some fields we shouldn't be using on this path
+ with garbage. */
+ ctx->signalg = -10;
+ ctx->sealalg = -10;
+
+ ctx->proto = 1;
+ code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, ctx->subkey->enctype,
+ &ctx->cksumtype);
+ if (code)
+ goto fail;
+ code = krb5_c_checksum_length(context, ctx->cksumtype,
+ &ctx->cksum_size);
+ if (code)
+ goto fail;
+ goto copy_subkey;
+ }
+fail:
+ *minor_status = code;
+ return GSS_S_FAILURE;
+}
+
+/*
+ * new_connection
+ *
+ * Do the grunt work of setting up a new context.
+ */
+static OM_uint32
+new_connection(
+ OM_uint32 *minor_status,
+ krb5_gss_cred_id_t cred,
+ gss_ctx_id_t *context_handle,
+ gss_name_t target_name,
+ gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ gss_channel_bindings_t input_chan_bindings,
+ gss_buffer_t input_token,
+ gss_OID *actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 *ret_flags,
+ OM_uint32 *time_rec,
+ krb5_context context,
+ int default_mech)
+{
+ OM_uint32 major_status;
+ krb5_error_code code;
+ krb5_creds *k_cred;
+ krb5_gss_ctx_id_rec *ctx, *ctx_free;
+ krb5_timestamp now;
+ gss_buffer_desc token;
+
+ major_status = GSS_S_FAILURE;
+ token.length = 0;
+ token.value = NULL;
+
+ /* make sure the cred is usable for init */
+
+ if ((cred->usage != GSS_C_INITIATE) &&
+ (cred->usage != GSS_C_BOTH)) {
+ *minor_status = 0;
+ return(GSS_S_NO_CRED);
+ }
+
+ /* complain if the input token is non-null */
+
+ if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) {
+#ifdef CFX_EXERCISE
+ if (*context_handle != GSS_C_NO_CONTEXT
+ && ((krb5_gss_ctx_id_t)*context_handle)->testing_unknown_tokid) {
+ /* XXX Should check for a KRB_ERROR message that we can
+ parse, and which contains the expected error code. */
+ ctx = (krb5_gss_ctx_id_t)*context_handle;
+ goto resume_after_testing;
+ }
+#endif
+ *minor_status = 0;
+ return(GSS_S_DEFECTIVE_TOKEN);
+ }
+
+ /* create the ctx */
+
+ if ((ctx = (krb5_gss_ctx_id_rec *) xmalloc(sizeof(krb5_gss_ctx_id_rec)))
+ == NULL) {
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+
+ /* fill in the ctx */
+ memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec));
+ ctx_free = ctx;
+ if ((code = krb5_auth_con_init(context, &ctx->auth_context)))
+ goto fail;
+ krb5_auth_con_setflags(context, ctx->auth_context,
+ KRB5_AUTH_CONTEXT_DO_SEQUENCE);
+ ctx->initiate = 1;
+ ctx->gss_flags = KG_IMPLFLAGS(req_flags);
+ ctx->seed_init = 0;
+ ctx->big_endian = 0; /* all initiators do little-endian, as per spec */
+ ctx->seqstate = 0;
+
+ if ((code = krb5_timeofday(context, &now)))
+ goto fail;
+
+ if (time_req == 0 || time_req == GSS_C_INDEFINITE) {
+ ctx->endtime = 0;
+ } else {
+ ctx->endtime = now + time_req;
+ }
+
+ if ((code = krb5_copy_principal(context, cred->princ, &ctx->here)))
+ goto fail;
+
+ if ((code = krb5_copy_principal(context, (krb5_principal) target_name,
+ &ctx->there)))
+ goto fail;
+
+ code = get_credentials(context, cred, ctx->there, now,
+ ctx->endtime, &k_cred);
+ if (code)
+ goto fail;
+
+ if (default_mech) {
+ mech_type = (gss_OID) gss_mech_krb5;
+ }
+
+ if (generic_gss_copy_oid(minor_status, mech_type, &ctx->mech_used)
+ != GSS_S_COMPLETE) {
+ code = *minor_status;
+ goto fail;
+ }
+ /*
+ * Now try to make it static if at all possible....
+ */
+ ctx->mech_used = krb5_gss_convert_static_mech_oid(ctx->mech_used);
+
+ {
+ /* gsskrb5 v1 */
+ krb5_ui_4 seq_temp;
+ if ((code = make_ap_req_v1(context, ctx,
+ cred, k_cred, input_chan_bindings,
+ mech_type, &token))) {
+ if ((code == KRB5_FCC_NOFILE) || (code == KRB5_CC_NOTFOUND) ||
+ (code == KG_EMPTY_CCACHE))
+ major_status = GSS_S_NO_CRED;
+ if (code == KRB5KRB_AP_ERR_TKT_EXPIRED)
+ major_status = GSS_S_CREDENTIALS_EXPIRED;
+ goto fail;
+ }
+
+ krb5_auth_con_getlocalseqnumber(context, ctx->auth_context, &seq_temp);
+ ctx->seq_send = seq_temp;
+ krb5_auth_con_getsendsubkey(context, ctx->auth_context,
+ &ctx->subkey);
+ }
+
+ major_status = setup_enc(minor_status, ctx, context);
+
+ if (k_cred) {
+ krb5_free_creds(context, k_cred);
+ k_cred = 0;
+ }
+
+ /* at this point, the context is constructed and valid,
+ hence, releaseable */
+
+ /* intern the context handle */
+
+ if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) {
+ code = G_VALIDATE_FAILED;
+ goto fail;
+ }
+ *context_handle = (gss_ctx_id_t) ctx;
+ ctx_free = 0;
+
+#if 0 /* Sigh. We're changing the spec again. */
+#ifdef CFX_EXERCISE
+ if (ctx->proto == 1
+ /* I think the RPC code may be broken. Don't mess around
+ if we're authenticating to "kadmin/whatever". */
+ && ctx->there->data[0].data[0] != 'k'
+ /* I *know* the FTP server code is broken. */
+ && ctx->there->data[0].data[0] != 'f'
+ ) {
+ /* Create a bogus token and return it, with status
+ GSS_S_CONTINUE_NEEDED. Save enough data that we can resume
+ on the next call. */
+ static const unsigned char hack_token[20] = {
+ 0x60, 0x12, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
+ 0xf7, 0x12, 0x01, 0x02, 0x02, 0x12, 0x34, 0x68,
+ 0x65, 0x6c, 0x6c, 0x6f
+ };
+ ctx->testing_unknown_tokid = 1;
+ ctx->init_token = token;
+ token.value = malloc(20);
+ token.length = 20;
+ if (token.value == NULL) {
+ /* Skip testing. We'll probably die soon enough, but let's
+ not do it because we couldn't exercise this code
+ path. */
+ goto resume_after_testing;
+ }
+ memcpy(token.value, hack_token, sizeof(hack_token));
+ /* Can just fall through into the normal return path, because
+ it'll always return GSS_S_CONTINUE_NEEDED because we're
+ doing mutual authentication. */
+ }
+ if (0) {
+ resume_after_testing:
+ token = ctx->init_token;
+ ctx->init_token.value = 0;
+ ctx->init_token.length = 0;
+ ctx->testing_unknown_tokid = 0;
+ ctx_free = 0;
+ }
+#endif /* CFX_EXERCISE */
+#endif /* 0 */
+
+ /* compute time_rec */
+ if (time_rec) {
+ if ((code = krb5_timeofday(context, &now)))
+ goto fail;
+ *time_rec = ctx->endtime - now;
+ }
+
+ /* set the other returns */
+ *output_token = token;
+
+ if (ret_flags)
+ *ret_flags = ctx->gss_flags;
+
+ if (actual_mech_type)
+ *actual_mech_type = mech_type;
+
+ /* return successfully */
+
+ *minor_status = 0;
+ if (ctx->gss_flags & GSS_C_MUTUAL_FLAG) {
+ ctx->established = 0;
+ return(GSS_S_CONTINUE_NEEDED);
+ } else {
+ ctx->seq_recv = ctx->seq_send;
+ g_order_init(&(ctx->seqstate), ctx->seq_recv,
+ (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0,
+ (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0, ctx->proto);
+ ctx->gss_flags |= GSS_C_PROT_READY_FLAG;
+ ctx->established = 1;
+ return(GSS_S_COMPLETE);
+ }
+
+fail:
+ if (ctx_free) {
+ if (ctx_free->auth_context)
+ krb5_auth_con_free(context, ctx_free->auth_context);
+ if (ctx_free->here)
+ krb5_free_principal(context, ctx_free->here);
+ if (ctx_free->there)
+ krb5_free_principal(context, ctx_free->there);
+ if (ctx_free->subkey)
+ krb5_free_keyblock(context, ctx_free->subkey);
+ xfree(ctx_free);
+ } else
+ (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL);
+
+ *minor_status = code;
+ return (major_status);
+}
+
+/*
+ * mutual_auth
+ *
+ * Handle the reply from the acceptor, if we're doing mutual auth.
+ */
+static OM_uint32
+mutual_auth(
+ OM_uint32 *minor_status,
+ krb5_gss_cred_id_t cred,
+ gss_ctx_id_t *context_handle,
+ gss_name_t target_name,
+ gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ gss_channel_bindings_t input_chan_bindings,
+ gss_buffer_t input_token,
+ gss_OID *actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 *ret_flags,
+ OM_uint32 *time_rec,
+ krb5_context context)
+{
+ OM_uint32 major_status;
+ unsigned char *ptr;
+ char *sptr;
+ krb5_data ap_rep;
+ krb5_ap_rep_enc_part *ap_rep_data;
+ krb5_timestamp now;
+ krb5_gss_ctx_id_rec *ctx;
+ krb5_error *krb_error;
+ krb5_error_code code;
+ krb5int_access kaccess;
+
+ code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
+ if (code)
+ goto fail;
+
+ major_status = GSS_S_FAILURE;
+
+ /* validate the context handle */
+ /*SUPPRESS 29*/
+ if (! kg_validate_ctx_id(*context_handle)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_NO_CONTEXT);
+ }
+
+ ctx = (gss_ctx_id_t) *context_handle;
+
+ /* make sure the context is non-established, and that certain
+ arguments are unchanged */
+
+ if ((ctx->established) ||
+ ((ctx->gss_flags & GSS_C_MUTUAL_FLAG) == 0)) {
+ code = KG_CONTEXT_ESTABLISHED;
+ goto fail;
+ }
+
+ if (! krb5_principal_compare(context, ctx->there,
+ (krb5_principal) target_name)) {
+ (void)krb5_gss_delete_sec_context(minor_status,
+ context_handle, NULL);
+ code = 0;
+ major_status = GSS_S_BAD_NAME;
+ goto fail;
+ }
+
+ /* verify the token and leave the AP_REP message in ap_rep */
+
+ if (input_token == GSS_C_NO_BUFFER) {
+ (void)krb5_gss_delete_sec_context(minor_status,
+ context_handle, NULL);
+ code = 0;
+ major_status = GSS_S_DEFECTIVE_TOKEN;
+ goto fail;
+ }
+
+ ptr = (unsigned char *) input_token->value;
+
+ if (g_verify_token_header((gss_OID) ctx->mech_used,
+ &(ap_rep.length),
+ &ptr, KG_TOK_CTX_AP_REP,
+ input_token->length, 1)) {
+ if (g_verify_token_header((gss_OID) ctx->mech_used,
+ &(ap_rep.length),
+ &ptr, KG_TOK_CTX_ERROR,
+ input_token->length, 1) == 0) {
+
+ /* Handle a KRB_ERROR message from the server */
+
+ sptr = (char *) ptr; /* PC compiler bug */
+ TREAD_STR(sptr, ap_rep.data, ap_rep.length);
+
+ code = krb5_rd_error(context, &ap_rep, &krb_error);
+ if (code)
+ goto fail;
+ if (krb_error->error)
+ code = krb_error->error + ERROR_TABLE_BASE_krb5;
+ else
+ code = 0;
+ krb5_free_error(context, krb_error);
+ goto fail;
+ } else {
+ *minor_status = 0;
+ return(GSS_S_DEFECTIVE_TOKEN);
+ }
+ }
+
+ sptr = (char *) ptr; /* PC compiler bug */
+ TREAD_STR(sptr, ap_rep.data, ap_rep.length);
+
+ /* decode the ap_rep */
+ if ((code = krb5_rd_rep(context, ctx->auth_context, &ap_rep,
+ &ap_rep_data))) {
+ /*
+ * XXX A hack for backwards compatiblity.
+ * To be removed in 1999 -- proven
+ */
+ krb5_auth_con_setuseruserkey(context, ctx->auth_context,
+ ctx->subkey);
+ if ((krb5_rd_rep(context, ctx->auth_context, &ap_rep,
+ &ap_rep_data)))
+ goto fail;
+ }
+
+ /* store away the sequence number */
+ ctx->seq_recv = ap_rep_data->seq_number;
+ g_order_init(&(ctx->seqstate), ctx->seq_recv,
+ (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0,
+ (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) !=0, ctx->proto);
+
+ if (ctx->proto == 1 && ap_rep_data->subkey) {
+ /* Keep acceptor's subkey. */
+ ctx->have_acceptor_subkey = 1;
+ code = krb5_copy_keyblock(context, ap_rep_data->subkey,
+ &ctx->acceptor_subkey);
+ if (code)
+ goto fail;
+ code = (*kaccess.krb5int_c_mandatory_cksumtype)(context,
+ ctx->acceptor_subkey->enctype,
+ &ctx->acceptor_subkey_cksumtype);
+ if (code)
+ goto fail;
+ }
+
+ /* free the ap_rep_data */
+ krb5_free_ap_rep_enc_part(context, ap_rep_data);
+
+ /* set established */
+ ctx->established = 1;
+
+ /* set returns */
+
+ if (time_rec) {
+ if ((code = krb5_timeofday(context, &now)))
+ goto fail;
+ *time_rec = ctx->endtime - now;
+ }
+
+ if (ret_flags)
+ *ret_flags = ctx->gss_flags;
+
+ if (actual_mech_type)
+ *actual_mech_type = mech_type;
+
+ /* success */
+
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+
+fail:
+ (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL);
+
+ *minor_status = code;
+ return (major_status);
+}
+
OM_uint32
krb5_gss_init_sec_context(minor_status, claimant_cred_handle,
context_handle, target_name, mech_type,
@@ -344,25 +876,10 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle,
{
krb5_context context;
krb5_gss_cred_id_t cred;
- krb5_creds *k_cred = 0;
- static const krb5_enctype wanted_enctypes[] = {
-#if 1
- ENCTYPE_DES3_CBC_SHA1,
-#endif
- ENCTYPE_ARCFOUR_HMAC,
- ENCTYPE_DES_CBC_CRC,
- ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_MD4,
- };
-#define N_WANTED_ENCTYPES (sizeof(wanted_enctypes)/sizeof(wanted_enctypes[0]))
- krb5_enctype requested_enctypes[N_WANTED_ENCTYPES + 1];
- krb5_enctype *default_enctypes = 0;
- krb5_error_code code;
- krb5_gss_ctx_id_rec *ctx, *ctx_free;
- krb5_timestamp now;
- gss_buffer_desc token;
- int i, j, k, err;
+ int err;
int default_mech = 0;
OM_uint32 major_status;
+ OM_uint32 tmp_min_stat;
if (GSS_ERROR(kg_get_context(minor_status, &context)))
return(GSS_S_FAILURE);
@@ -374,35 +891,28 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle,
output_token->value = NULL;
if (actual_mech_type)
*actual_mech_type = NULL;
- token.value = 0;
- ctx_free = 0;
+
+ /* verify that the target_name is valid and usable */
+
+ if (! kg_validate_name(target_name)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
+ }
/* verify the credential, or use the default */
/*SUPPRESS 29*/
if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) {
- OM_uint32 major;
-
- /*
- * Release default cred prior to re-acquiring it, to notice when
- * the ccache has changed.
- */
- major = kg_release_defcred(minor_status);
- if (GSS_ERROR(major))
- return major;
- if ((major = kg_get_defcred(minor_status, &claimant_cred_handle)) &&
- GSS_ERROR(major)) {
- return(major);
+ major_status = kg_get_defcred(minor_status, &cred);
+ if (major_status && GSS_ERROR(major_status)) {
+ return(major_status);
}
} else {
- OM_uint32 major;
-
- major = krb5_gss_validate_cred(minor_status, claimant_cred_handle);
- if (GSS_ERROR(major))
- return(major);
+ major_status = krb5_gss_validate_cred(minor_status, claimant_cred_handle);
+ if (GSS_ERROR(major_status))
+ return(major_status);
+ cred = (krb5_gss_cred_id_t) claimant_cred_handle;
}
- cred = (krb5_gss_cred_id_t) claimant_cred_handle;
-
/* verify the mech_type */
err = 0;
@@ -426,414 +936,37 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle,
}
if (err) {
+ if (claimant_cred_handle == GSS_C_NO_CREDENTIAL)
+ krb5_gss_release_cred(minor_status, (gss_cred_id_t)cred);
*minor_status = 0;
return(GSS_S_BAD_MECH);
}
- /* verify that the target_name is valid and usable */
-
- if (! kg_validate_name(target_name)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
- }
-
/* is this a new connection or not? */
/*SUPPRESS 29*/
- if (*context_handle == GSS_C_NO_CONTEXT) {
- /* make sure the cred is usable for init */
-
- if ((cred->usage != GSS_C_INITIATE) &&
- (cred->usage != GSS_C_BOTH)) {
- *minor_status = 0;
- return(GSS_S_NO_CRED);
- }
-
- /* complain if the input token is non-null */
-
- if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) {
- *minor_status = 0;
- return(GSS_S_DEFECTIVE_TOKEN);
- }
-
- /* create the ctx */
-
- if ((ctx = (krb5_gss_ctx_id_rec *) xmalloc(sizeof(krb5_gss_ctx_id_rec)))
- == NULL) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
-
- /* fill in the ctx */
- memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec));
- ctx_free = ctx;
- if ((code = krb5_auth_con_init(context, &ctx->auth_context)))
- goto fail;
- krb5_auth_con_setflags(context, ctx->auth_context,
- KRB5_AUTH_CONTEXT_DO_SEQUENCE);
- ctx->initiate = 1;
- ctx->gss_flags = KG_IMPLFLAGS(req_flags);
- ctx->seed_init = 0;
- ctx->big_endian = 0; /* all initiators do little-endian, as per spec */
- ctx->seqstate = 0;
- ctx->nctypes = 0;
- ctx->ctypes = 0;
-
- if ((code = krb5_timeofday(context, &now)))
- goto fail;
-
- if (time_req == 0 || time_req == GSS_C_INDEFINITE) {
- ctx->endtime = 0;
- } else {
- ctx->endtime = now + time_req;
- }
-
- if ((code = krb5_copy_principal(context, cred->princ, &ctx->here)))
- goto fail;
-
- if ((code = krb5_copy_principal(context, (krb5_principal) target_name,
- &ctx->there)))
- goto fail;
-
- code = krb5_get_tgs_ktypes (context, 0, &default_enctypes);
- if (code)
- goto fail;
- /* "i" denotes *next* slot to fill. Don't forget to save room
- for a trailing zero. */
- i = 0;
- for (j = 0;
- (default_enctypes[j] != 0
- /* This part should be redundant, but let's be paranoid. */
- && i < N_WANTED_ENCTYPES);
- j++) {
-
- int is_duplicate_enctype;
- int is_wanted_enctype;
-
- krb5_enctype e = default_enctypes[j];
-
- /* Is this enctype one of the ones we want for GSSAPI? */
- is_wanted_enctype = 0;
- for (k = 0; k < N_WANTED_ENCTYPES; k++) {
- if (wanted_enctypes[k] == e) {
- is_wanted_enctype = 1;
- break;
- }
- }
- /* If unwanted, go to the next one. */
- if (!is_wanted_enctype)
- continue;
-
- /* Is this enctype already in the list of enctypes to
- request? (Is it a duplicate?) */
- is_duplicate_enctype = 0;
- for (k = 0; k < i; k++) {
- if (requested_enctypes[k] == e) {
- is_duplicate_enctype = 1;
- break;
- }
- }
- /* If it is not a duplicate, add it. */
- if (!is_duplicate_enctype)
- requested_enctypes[i++] = e;
- }
- requested_enctypes[i++] = 0;
-
- if ((code = get_credentials(context, cred, ctx->there, now,
- ctx->endtime, requested_enctypes, &k_cred)))
- goto fail;
-
- if (default_mech) {
- mech_type = (gss_OID) gss_mech_krb5;
- }
-
- if (generic_gss_copy_oid(minor_status, mech_type, &ctx->mech_used)
- != GSS_S_COMPLETE) {
- code = *minor_status;
- goto fail;
- }
- /*
- * Now try to make it static if at all possible....
- */
- ctx->mech_used = krb5_gss_convert_static_mech_oid(ctx->mech_used);
-
- {
- /* gsskrb5 v1 */
- if ((code = make_ap_req_v1(context, ctx,
- cred, k_cred, input_chan_bindings,
- mech_type, &token))) {
- if ((code == KRB5_FCC_NOFILE) || (code == KRB5_CC_NOTFOUND) ||
- (code == KG_EMPTY_CCACHE))
- major_status = GSS_S_NO_CRED;
- if (code == KRB5KRB_AP_ERR_TKT_EXPIRED)
- major_status = GSS_S_CREDENTIALS_EXPIRED;
- goto fail;
- }
-
- krb5_auth_con_getlocalseqnumber(context, ctx->auth_context,
- &ctx->seq_send);
- krb5_auth_con_getlocalsubkey(context, ctx->auth_context,
- &ctx->subkey);
-
- /* fill in the encryption descriptors */
-
- switch(ctx->subkey->enctype) {
- case ENCTYPE_DES_CBC_MD5:
- case ENCTYPE_DES_CBC_MD4:
- case ENCTYPE_DES_CBC_CRC:
- ctx->subkey->enctype = ENCTYPE_DES_CBC_RAW;
- ctx->signalg = SGN_ALG_DES_MAC_MD5;
- ctx->cksum_size = 8;
- ctx->sealalg = SEAL_ALG_DES;
-
- /* The encryption key is the session key XOR
- 0xf0f0f0f0f0f0f0f0. */
- if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc)))
- goto fail;
-
- for (i=0; i<ctx->enc->length; i++)
- /*SUPPRESS 113*/
- ctx->enc->contents[i] ^= 0xf0;
-
- if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->seq)))
- goto fail;
-
- break;
-
- case ENCTYPE_DES3_CBC_SHA1:
- ctx->subkey->enctype = ENCTYPE_DES3_CBC_RAW;
- ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD;
- ctx->cksum_size = 20;
- ctx->sealalg = SEAL_ALG_DES3KD;
-
- code = krb5_copy_keyblock (context, ctx->subkey, &ctx->enc);
- if (code)
- goto fail;
- code = krb5_copy_keyblock (context, ctx->subkey, &ctx->seq);
- if (code) {
- krb5_free_keyblock (context, ctx->enc);
- goto fail;
- }
- break;
- case ENCTYPE_ARCFOUR_HMAC:
- ctx->signalg = SGN_ALG_HMAC_MD5 ;
- ctx->cksum_size = 8;
- ctx->sealalg = SEAL_ALG_MICROSOFT_RC4 ;
-
- code = krb5_copy_keyblock (context, ctx->subkey, &ctx->enc);
- if (code)
- goto fail;
- code = krb5_copy_keyblock (context, ctx->subkey, &ctx->seq);
- if (code) {
- krb5_free_keyblock (context, ctx->enc);
- goto fail;
- }
- break;
-#if 0
- case ENCTYPE_DES3_CBC_MD5:
- enctype = ENCTYPE_DES3_CBC_RAW;
- ctx->signalg = 3;
- ctx->cksum_size = 16;
- ctx->sealalg = 1;
- break;
+ if (*context_handle == GSS_C_NO_CONTEXT
+#ifdef CFX_EXERCISE
+ || ((krb5_gss_ctx_id_t)*context_handle)->testing_unknown_tokid
#endif
- default:
- *minor_status = KRB5_BAD_ENCTYPE;
- return GSS_S_FAILURE;
- }
-
- }
-
- if (k_cred) {
- krb5_free_creds(context, k_cred);
- k_cred = 0;
- }
-
- /* at this point, the context is constructed and valid,
- hence, releaseable */
-
- /* intern the context handle */
-
- if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) {
- code = G_VALIDATE_FAILED;
- goto fail;
- }
- *context_handle = (gss_ctx_id_t) ctx;
- ctx_free = 0;
-
- /* compute time_rec */
- if (time_rec) {
- if ((code = krb5_timeofday(context, &now)))
- goto fail;
- *time_rec = ctx->endtime - now;
- }
-
- /* set the other returns */
- *output_token = token;
-
- if (ret_flags)
- *ret_flags = ctx->gss_flags;
-
- if (actual_mech_type)
- *actual_mech_type = mech_type;
-
- /* return successfully */
-
- *minor_status = 0;
- if (ctx->gss_flags & GSS_C_MUTUAL_FLAG) {
- ctx->established = 0;
- return(GSS_S_CONTINUE_NEEDED);
- } else {
- ctx->seq_recv = ctx->seq_send;
- g_order_init(&(ctx->seqstate), ctx->seq_recv,
- (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0,
- (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0);
- ctx->established = 1;
- /* fall through to GSS_S_COMPLETE */
- }
+ ) {
+ major_status = new_connection(minor_status, cred, context_handle,
+ target_name, mech_type, req_flags,
+ time_req, input_chan_bindings,
+ input_token, actual_mech_type,
+ output_token, ret_flags, time_rec,
+ context, default_mech);
} else {
- unsigned char *ptr;
- char *sptr;
- krb5_data ap_rep;
- krb5_ap_rep_enc_part *ap_rep_data;
- krb5_error *krb_error;
-
- /* validate the context handle */
- /*SUPPRESS 29*/
- if (! kg_validate_ctx_id(*context_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_NO_CONTEXT);
- }
-
- ctx = (gss_ctx_id_t) *context_handle;
-
- /* make sure the context is non-established, and that certain
- arguments are unchanged */
-
- if ((ctx->established) ||
- (((gss_cred_id_t) cred) != claimant_cred_handle) ||
- ((ctx->gss_flags & GSS_C_MUTUAL_FLAG) == 0)) {
- code = KG_CONTEXT_ESTABLISHED;
- goto fail;
- }
-
- if (! krb5_principal_compare(context, ctx->there,
- (krb5_principal) target_name)) {
- (void)krb5_gss_delete_sec_context(minor_status,
- context_handle, NULL);
- code = 0;
- major_status = GSS_S_BAD_NAME;
- goto fail;
- }
-
- /* verify the token and leave the AP_REP message in ap_rep */
-
- if (input_token == GSS_C_NO_BUFFER) {
- (void)krb5_gss_delete_sec_context(minor_status,
- context_handle, NULL);
- code = 0;
- major_status = GSS_S_DEFECTIVE_TOKEN;
- goto fail;
- }
-
- ptr = (unsigned char *) input_token->value;
-
- if ((err = g_verify_token_header((gss_OID) ctx->mech_used,
- &(ap_rep.length),
- &ptr, KG_TOK_CTX_AP_REP,
- input_token->length))) {
- if (g_verify_token_header((gss_OID) ctx->mech_used,
- &(ap_rep.length),
- &ptr, KG_TOK_CTX_ERROR,
- input_token->length) == 0) {
-
- /* Handle a KRB_ERROR message from the server */
-
- sptr = (char *) ptr; /* PC compiler bug */
- TREAD_STR(sptr, ap_rep.data, ap_rep.length);
-
- code = krb5_rd_error(context, &ap_rep, &krb_error);
- if (code)
- goto fail;
- if (krb_error->error)
- code = krb_error->error + ERROR_TABLE_BASE_krb5;
- else
- code = 0;
- krb5_free_error(context, krb_error);
- goto fail;
- } else {
- *minor_status = 0;
- return(GSS_S_DEFECTIVE_TOKEN);
- }
- }
-
- sptr = (char *) ptr; /* PC compiler bug */
- TREAD_STR(sptr, ap_rep.data, ap_rep.length);
-
- /* decode the ap_rep */
- if ((code = krb5_rd_rep(context, ctx->auth_context, &ap_rep,
- &ap_rep_data))) {
- /*
- * XXX A hack for backwards compatiblity.
- * To be removed in 1999 -- proven
- */
- krb5_auth_con_setuseruserkey(context, ctx->auth_context,
- ctx->subkey);
- if ((krb5_rd_rep(context, ctx->auth_context, &ap_rep,
- &ap_rep_data)))
- goto fail;
- }
-
- /* store away the sequence number */
- ctx->seq_recv = ap_rep_data->seq_number;
- g_order_init(&(ctx->seqstate), ctx->seq_recv,
- (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0,
- (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) !=0);
-
- /* free the ap_rep_data */
- krb5_free_ap_rep_enc_part(context, ap_rep_data);
-
- /* set established */
- ctx->established = 1;
-
- /* set returns */
-
- if (time_rec) {
- if ((code = krb5_timeofday(context, &now)))
- goto fail;
- *time_rec = ctx->endtime - now;
- }
-
- if (ret_flags)
- *ret_flags = ctx->gss_flags;
-
- if (actual_mech_type)
- *actual_mech_type = mech_type;
-
- /* success */
-
- *minor_status = 0;
- /* fall through to GSS_S_COMPLETE */
+ major_status = mutual_auth(minor_status, cred, context_handle,
+ target_name, mech_type, req_flags,
+ time_req, input_chan_bindings,
+ input_token, actual_mech_type,
+ output_token, ret_flags, time_rec,
+ context);
}
- return(GSS_S_COMPLETE);
+ if (claimant_cred_handle == GSS_C_NO_CREDENTIAL)
+ krb5_gss_release_cred(&tmp_min_stat, (gss_cred_id_t)cred);
-fail:
- if (ctx_free) {
- if (ctx_free->auth_context)
- krb5_auth_con_free(context, ctx_free->auth_context);
- if (ctx_free->here)
- krb5_free_principal(context, ctx_free->here);
- if (ctx_free->there)
- krb5_free_principal(context, ctx_free->there);
- if (ctx_free->subkey)
- krb5_free_keyblock(context, ctx_free->subkey);
- if (ctx_free->ctypes)
- krb5_free_cksumtypes(context, ctx_free->ctypes);
- xfree(ctx_free);
- } else
- (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL);
-
- *minor_status = code;
- return (major_status);
+ return(major_status);
}
diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c
index a79034d..8378216 100644
--- a/src/lib/gssapi/krb5/inq_cred.c
+++ b/src/lib/gssapi/krb5/inq_cred.c
@@ -91,6 +91,8 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
gss_OID_set mechs;
OM_uint32 ret;
+ ret = GSS_S_FAILURE;
+
if (GSS_ERROR(kg_get_context(minor_status, &context)))
return(GSS_S_FAILURE);
@@ -102,7 +104,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
if (cred_handle == GSS_C_NO_CREDENTIAL) {
OM_uint32 major;
- if ((major = kg_get_defcred(minor_status, &cred_handle)) &&
+ if ((major = kg_get_defcred(minor_status, (gss_cred_id_t)&cred)) &&
GSS_ERROR(major)) {
return(major);
}
@@ -112,13 +114,13 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
major = krb5_gss_validate_cred(minor_status, cred_handle);
if (GSS_ERROR(major))
return(major);
+ cred = (krb5_gss_cred_id_t) cred_handle;
}
- cred = (krb5_gss_cred_id_t) cred_handle;
-
if ((code = krb5_timeofday(context, &now))) {
*minor_status = code;
- return(GSS_S_FAILURE);
+ ret = GSS_S_FAILURE;
+ goto fail;
}
if (cred->tgt_expire > 0) {
@@ -132,7 +134,8 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
if (cred->princ &&
(code = krb5_copy_principal(context, cred->princ, &ret_name))) {
*minor_status = code;
- return(GSS_S_FAILURE);
+ ret = GSS_S_FAILURE;
+ goto fail;
}
}
@@ -149,7 +152,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
&mechs)))) {
krb5_free_principal(context, ret_name);
/* *minor_status set above */
- return(ret);
+ goto fail;
}
}
@@ -172,8 +175,18 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
if (mechanisms)
*mechanisms = mechs;
+ if (cred_handle == GSS_C_NO_CREDENTIAL)
+ krb5_gss_release_cred(minor_status, (gss_cred_id_t)cred);
+
*minor_status = 0;
return((lifetime == 0)?GSS_S_CREDENTIALS_EXPIRED:GSS_S_COMPLETE);
+fail:
+ if (cred_handle == GSS_C_NO_CREDENTIAL) {
+ OM_uint32 tmp_min_stat;
+
+ krb5_gss_release_cred(&tmp_min_stat, (gss_cred_id_t)cred);
+ }
+ return ret;
}
/* V2 interface */
diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c
index 3c8702a..7999a3e 100644
--- a/src/lib/gssapi/krb5/k5seal.c
+++ b/src/lib/gssapi/krb5/k5seal.c
@@ -54,7 +54,7 @@ static krb5_error_code
make_seal_token_v1 (krb5_context context,
krb5_keyblock *enc,
krb5_keyblock *seq,
- krb5_ui_4 *seqnum,
+ gssint_uint64 *seqnum,
int direction,
gss_buffer_t text,
gss_buffer_t token,
@@ -304,6 +304,7 @@ make_seal_token_v1 (krb5_context context,
/* that's it. return the token */
(*seqnum)++;
+ *seqnum &= 0xffffffffL;
token->length = tlen;
token->value = (void *) t;
@@ -334,50 +335,16 @@ kg_seal(context, minor_status, context_handle, conf_req_flag, qop_req,
output_message_buffer->length = 0;
output_message_buffer->value = NULL;
- /* only default qop or matching established cryptosystem is allowed */
-
-#if 0
- switch (qop_req & GSS_KRB5_CONF_C_QOP_MASK) {
- case GSS_C_QOP_DEFAULT:
- break;
- default:
- unknown_qop:
- *minor_status = (OM_uint32) G_UNKNOWN_QOP;
- return GSS_S_FAILURE;
- case GSS_KRB5_CONF_C_QOP_DES:
- if (ctx->sealalg != SEAL_ALG_DES) {
- bad_qop:
- *minor_status = (OM_uint32) G_BAD_QOP;
- return GSS_S_FAILURE;
- }
- break;
- case GSS_KRB5_CONF_C_QOP_DES3:
- if (ctx->sealalg != SEAL_ALG_DES3)
- goto bad_qop;
- break;
- }
- switch (qop_req & GSS_KRB5_INTEG_C_QOP_MASK) {
- case GSS_C_QOP_DEFAULT:
- break;
- default:
- goto unknown_qop;
- case GSS_KRB5_INTEG_C_QOP_MD5:
- case GSS_KRB5_INTEG_C_QOP_DES_MD5:
- case GSS_KRB5_INTEG_C_QOP_DES_MAC:
- if (ctx->sealalg != SEAL_ALG_DES)
- goto bad_qop;
- break;
- case GSS_KRB5_INTEG_C_QOP_HMAC_SHA1:
- if (ctx->sealalg != SEAL_ALG_DES3KD)
- goto bad_qop;
- break;
- }
-#else
+ /* Only default qop or matching established cryptosystem is allowed.
+
+ There are NO EXTENSIONS to this set for AES and friends! The
+ new spec says "just use 0". The old spec plus extensions would
+ actually allow for certain non-zero values. Fix this to handle
+ them later. */
if (qop_req != 0) {
*minor_status = (OM_uint32) G_UNKNOWN_QOP;
return GSS_S_FAILURE;
}
-#endif
/* validate the context handle */
if (! kg_validate_ctx_id(context_handle)) {
@@ -397,12 +364,26 @@ kg_seal(context, minor_status, context_handle, conf_req_flag, qop_req,
return(GSS_S_FAILURE);
}
- code = make_seal_token_v1(context, ctx->enc, ctx->seq,
- &ctx->seq_send, ctx->initiate,
- input_message_buffer, output_message_buffer,
- ctx->signalg, ctx->cksum_size, ctx->sealalg,
- conf_req_flag, toktype, ctx->big_endian,
- ctx->mech_used);
+ switch (ctx->proto)
+ {
+ case 0:
+ code = make_seal_token_v1(context, ctx->enc, ctx->seq,
+ &ctx->seq_send, ctx->initiate,
+ input_message_buffer, output_message_buffer,
+ ctx->signalg, ctx->cksum_size, ctx->sealalg,
+ conf_req_flag, toktype, ctx->big_endian,
+ ctx->mech_used);
+ break;
+ case 1:
+ code = gss_krb5int_make_seal_token_v3(context, ctx,
+ input_message_buffer,
+ output_message_buffer,
+ conf_req_flag, toktype);
+ break;
+ default:
+ code = G_UNKNOWN_QOP; /* XXX */
+ break;
+ }
if (code) {
*minor_status = code;
diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
new file mode 100644
index 0000000..73b993b
--- /dev/null
+++ b/src/lib/gssapi/krb5/k5sealv3.c
@@ -0,0 +1,476 @@
+/* Copyright 2003 MIT. All rights reserved. */
+/* draft-ietf-krb-wg-gssapi-cfx-02 plus discussed changes */
+
+#include <assert.h>
+#include "k5-platform.h" /* for 64-bit support */
+#include "k5-int.h" /* for zap() */
+#include "gssapiP_krb5.h"
+#include <stdarg.h>
+
+static int
+rotate_left (void *ptr, size_t bufsiz, size_t rc)
+{
+ /* Optimize for receiving. After some debugging is done, the MIT
+ implementation won't do any rotates on sending, and while
+ debugging, they'll be randomly chosen.
+
+ Return 1 for success, 0 for failure (ENOMEM). */
+ void *tbuf;
+
+ if (bufsiz == 0)
+ return 1;
+ rc = rc % bufsiz;
+ if (rc == 0)
+ return 1;
+
+ tbuf = malloc(rc);
+ if (tbuf == 0)
+ return 0;
+ memcpy(tbuf, ptr, rc);
+ memmove(ptr, (char *)ptr + rc, bufsiz - rc);
+ memcpy((char *)ptr + bufsiz - rc, tbuf, rc);
+ free(tbuf);
+ return 1;
+}
+
+static const gss_buffer_desc empty_message = { 0, 0 };
+
+#define FLAG_SENDER_IS_ACCEPTOR 0x01
+#define FLAG_WRAP_CONFIDENTIAL 0x02
+#define FLAG_ACCEPTOR_SUBKEY 0x04
+
+krb5_error_code
+gss_krb5int_make_seal_token_v3 (krb5_context context,
+ krb5_gss_ctx_id_rec *ctx,
+ const gss_buffer_desc * message,
+ gss_buffer_t token,
+ int conf_req_flag, int toktype)
+{
+ size_t bufsize = 16;
+ unsigned char *outbuf = 0;
+ krb5_error_code err;
+ int key_usage;
+ unsigned char acceptor_flag;
+ const gss_buffer_desc *message2 = message;
+ size_t rrc, ec;
+ unsigned short tok_id;
+ krb5_checksum sum;
+ krb5_keyblock *key;
+
+ assert(toktype != KG_TOK_SEAL_MSG || ctx->enc != 0);
+ assert(ctx->big_endian == 0);
+
+ acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR;
+ key_usage = (toktype == KG_TOK_WRAP_MSG
+ ? (ctx->initiate
+ ? KG_USAGE_INITIATOR_SEAL
+ : KG_USAGE_ACCEPTOR_SEAL)
+ : (ctx->initiate
+ ? KG_USAGE_INITIATOR_SIGN
+ : KG_USAGE_ACCEPTOR_SIGN));
+ if (ctx->have_acceptor_subkey) {
+ key = ctx->acceptor_subkey;
+ } else {
+ key = ctx->enc;
+ }
+
+#ifdef CFX_EXERCISE
+ {
+ static int initialized = 0;
+ if (!initialized) {
+ srand(time(0));
+ initialized = 1;
+ }
+ }
+#endif
+
+ if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) {
+ krb5_data plain;
+ krb5_enc_data cipher;
+ size_t ec_max;
+
+ /* 300: Adds some slop. */
+ if (SIZE_MAX - 300 < message->length)
+ return ENOMEM;
+ ec_max = SIZE_MAX - message->length - 300;
+ if (ec_max > 0xffff)
+ ec_max = 0xffff;
+#ifdef CFX_EXERCISE
+ /* For testing only. For performance, always set ec = 0. */
+ ec = ec_max & rand();
+#else
+ ec = 0;
+#endif
+ plain.length = message->length + 16 + ec;
+ plain.data = malloc(message->length + 16 + ec);
+ if (plain.data == NULL)
+ return ENOMEM;
+
+ /* Get size of ciphertext. */
+ bufsize = 16 + krb5_encrypt_size (plain.length, ctx->enc->enctype);
+ /* Allocate space for header plus encrypted data. */
+ outbuf = malloc(bufsize);
+ if (outbuf == NULL) {
+ free(plain.data);
+ return ENOMEM;
+ }
+
+ /* TOK_ID */
+ store_16_be(0x0504, outbuf);
+ /* flags */
+ outbuf[2] = (acceptor_flag
+ | (conf_req_flag ? FLAG_WRAP_CONFIDENTIAL : 0)
+ | (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0));
+ /* filler */
+ outbuf[3] = 0xff;
+ /* EC */
+ store_16_be(ec, outbuf+4);
+ /* RRC */
+ store_16_be(0, outbuf+6);
+ store_64_be(ctx->seq_send, outbuf+8);
+
+ memcpy(plain.data, message->value, message->length);
+ memset(plain.data + message->length, 'x', ec);
+ memcpy(plain.data + message->length + ec, outbuf, 16);
+
+ cipher.ciphertext.data = outbuf + 16;
+ cipher.ciphertext.length = bufsize - 16;
+ cipher.enctype = key->enctype;
+ err = krb5_c_encrypt(context, key, key_usage, 0, &plain, &cipher);
+ zap(plain.data, plain.length);
+ free(plain.data);
+ plain.data = 0;
+ if (err)
+ goto error;
+
+ /* Now that we know we're returning a valid token.... */
+ ctx->seq_send++;
+
+#ifdef CFX_EXERCISE
+ rrc = rand() & 0xffff;
+ if (rotate_left(outbuf+16, bufsize-16,
+ (bufsize-16) - (rrc % (bufsize - 16))))
+ store_16_be(rrc, outbuf+6);
+ /* If the rotate fails, don't worry about it. */
+#endif
+ } else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) {
+ krb5_data plain;
+
+ /* Here, message is the application-supplied data; message2 is
+ what goes into the output token. They may be the same, or
+ message2 may be empty (for MIC). */
+
+ tok_id = 0x0504;
+
+ wrap_with_checksum:
+ plain.length = message->length + 16;
+ plain.data = malloc(message->length + 16);
+ if (plain.data == NULL)
+ return ENOMEM;
+
+ if (ctx->cksum_size > 0xffff)
+ abort();
+
+ bufsize = 16 + message2->length + ctx->cksum_size;
+ outbuf = malloc(bufsize);
+ if (outbuf == NULL) {
+ free(plain.data);
+ plain.data = 0;
+ err = ENOMEM;
+ goto error;
+ }
+
+ /* TOK_ID */
+ store_16_be(tok_id, outbuf);
+ /* flags */
+ outbuf[2] = (acceptor_flag
+ | (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0));
+ /* filler */
+ outbuf[3] = 0xff;
+ if (toktype == KG_TOK_WRAP_MSG) {
+ /* Use 0 for checksum calculation, substitute
+ checksum length later. */
+ /* EC */
+ store_16_be(0, outbuf+4);
+ /* RRC */
+ store_16_be(0, outbuf+6);
+ } else {
+ /* MIC and DEL store 0xFF in EC and RRC. */
+ store_16_be(0xffff, outbuf+4);
+ store_16_be(0xffff, outbuf+6);
+ }
+ store_64_be(ctx->seq_send, outbuf+8);
+
+ memcpy(plain.data, message->value, message->length);
+ memcpy(plain.data + message->length, outbuf, 16);
+
+ /* Fill in the output token -- data contents, if any, and
+ space for the checksum. */
+ if (message2->length)
+ memcpy(outbuf + 16, message2->value, message2->length);
+
+ sum.contents = outbuf + 16 + message2->length;
+ sum.length = ctx->cksum_size;
+
+ err = krb5_c_make_checksum(context, ctx->cksumtype, key,
+ key_usage, &plain, &sum);
+ zap(plain.data, plain.length);
+ free(plain.data);
+ plain.data = 0;
+ if (err) {
+ zap(outbuf,bufsize);
+ free(outbuf);
+ goto error;
+ }
+ if (sum.length != ctx->cksum_size)
+ abort();
+ memcpy(outbuf + 16 + message2->length, sum.contents, ctx->cksum_size);
+ krb5_free_checksum_contents(context, &sum);
+ sum.contents = 0;
+ /* Now that we know we're actually generating the token... */
+ ctx->seq_send++;
+
+ if (toktype == KG_TOK_WRAP_MSG) {
+#ifdef CFX_EXERCISE
+ rrc = rand() & 0xffff;
+ /* If the rotate fails, don't worry about it. */
+ if (rotate_left(outbuf+16, bufsize-16,
+ (bufsize-16) - (rrc % (bufsize - 16))))
+ store_16_be(rrc, outbuf+6);
+#endif
+ /* Fix up EC field. */
+ store_16_be(ctx->cksum_size, outbuf+4);
+ } else {
+ store_16_be(0xffff, outbuf+6);
+ }
+ } else if (toktype == KG_TOK_MIC_MSG) {
+ tok_id = 0x0404;
+ message2 = &empty_message;
+ goto wrap_with_checksum;
+ } else if (toktype == KG_TOK_DEL_CTX) {
+ tok_id = 0x0405;
+ message = message2 = &empty_message;
+ goto wrap_with_checksum;
+ } else
+ abort();
+
+ token->value = outbuf;
+ token->length = bufsize;
+ return 0;
+
+error:
+ free(outbuf);
+ token->value = NULL;
+ token->length = 0;
+ return err;
+}
+
+/* message_buffer is an input if SIGN, output if SEAL, and ignored if DEL_CTX
+ conf_state is only valid if SEAL. */
+
+OM_uint32
+gss_krb5int_unseal_token_v3(krb5_context *contextptr,
+ OM_uint32 *minor_status,
+ krb5_gss_ctx_id_rec *ctx,
+ unsigned char *ptr, int bodysize,
+ gss_buffer_t message_buffer,
+ int *conf_state, int *qop_state, int toktype)
+{
+ krb5_context context = *contextptr;
+ krb5_data plain;
+ gssint_uint64 seqnum;
+ size_t ec, rrc;
+ int key_usage;
+ unsigned char acceptor_flag;
+ krb5_checksum sum;
+ krb5_error_code err;
+ krb5_boolean valid;
+ krb5_keyblock *key;
+
+ assert(toktype != KG_TOK_SEAL_MSG || ctx->enc != 0);
+ assert(ctx->big_endian == 0);
+ assert(ctx->proto == 1);
+
+ if (qop_state)
+ *qop_state = GSS_C_QOP_DEFAULT;
+
+ acceptor_flag = ctx->initiate ? FLAG_SENDER_IS_ACCEPTOR : 0;
+ key_usage = (toktype == KG_TOK_WRAP_MSG
+ ? (!ctx->initiate
+ ? KG_USAGE_INITIATOR_SEAL
+ : KG_USAGE_ACCEPTOR_SEAL)
+ : (!ctx->initiate
+ ? KG_USAGE_INITIATOR_SIGN
+ : KG_USAGE_ACCEPTOR_SIGN));
+
+ /* Oops. I wrote this code assuming ptr would be at the start of
+ the token header. */
+ ptr -= 2;
+ bodysize += 2;
+
+ if (bodysize < 16) {
+ defective:
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+ if ((ptr[2] & FLAG_SENDER_IS_ACCEPTOR) != acceptor_flag) {
+ *minor_status = G_BAD_DIRECTION;
+ return GSS_S_BAD_SIG;
+ }
+
+ /* Two things to note here.
+
+ First, we can't really enforce the use of the acceptor's subkey,
+ if we're the acceptor; the initiator may have sent messages
+ before getting the subkey. We could probably enforce it if
+ we're the initiator.
+
+ Second, if someone tweaks the code to not set the flag telling
+ the krb5 library to generate a new subkey in the AP-REP
+ message, the MIT library may include a subkey anyways --
+ namely, a copy of the AP-REQ subkey, if it was provided. So
+ the initiator may think we wanted a subkey, and set the flag,
+ even though we weren't trying to set the subkey. The "other"
+ key, the one not asserted by the acceptor, will have the same
+ value in that case, though, so we can just ignore the flag. */
+ if (ctx->have_acceptor_subkey && (ptr[2] & FLAG_ACCEPTOR_SUBKEY)) {
+ key = ctx->acceptor_subkey;
+ } else {
+ key = ctx->enc;
+ }
+
+ if (toktype == KG_TOK_WRAP_MSG) {
+ if (load_16_be(ptr) != 0x0504)
+ goto defective;
+ if (ptr[3] != 0xff)
+ goto defective;
+ ec = load_16_be(ptr+4);
+ rrc = load_16_be(ptr+6);
+ seqnum = load_64_be(ptr+8);
+ if (!rotate_left(ptr+16, bodysize-16, rrc)) {
+ no_mem:
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+ if (ptr[2] & FLAG_WRAP_CONFIDENTIAL) {
+ /* confidentiality */
+ krb5_enc_data cipher;
+ unsigned char *althdr;
+
+ if (conf_state)
+ *conf_state = 1;
+ /* Do we have no decrypt_size function?
+
+ For all current cryptosystems, the ciphertext size will
+ be larger than the plaintext size. */
+ cipher.enctype = key->enctype;
+ cipher.ciphertext.length = bodysize - 16;
+ cipher.ciphertext.data = ptr + 16;
+ plain.length = bodysize - 16;
+ plain.data = malloc(plain.length);
+ if (plain.data == NULL)
+ goto no_mem;
+ err = krb5_c_decrypt(context, key, key_usage, 0,
+ &cipher, &plain);
+ if (err) {
+ free(plain.data);
+ goto error;
+ }
+ /* Don't use bodysize here! Use the fact that
+ cipher.ciphertext.length has been adjusted to the
+ correct length. */
+ althdr = plain.data + plain.length - 16;
+ if (load_16_be(althdr) != 0x0504
+ || althdr[2] != ptr[2]
+ || althdr[3] != ptr[3]
+ || memcmp(althdr+8, ptr+8, 8))
+ goto defective;
+ message_buffer->value = plain.data;
+ message_buffer->length = plain.length - ec - 16;
+ } else {
+ /* no confidentiality */
+ if (conf_state)
+ *conf_state = 0;
+ if (ec + 16 < ec)
+ /* overflow check */
+ goto defective;
+ if (ec + 16 > bodysize)
+ goto defective;
+ /* We have: header | msg | cksum.
+ We need cksum(msg | header).
+ Rotate the first two. */
+ store_16_be(0, ptr+4);
+ store_16_be(0, ptr+6);
+ plain.length = bodysize-ec;
+ plain.data = ptr;
+ if (!rotate_left(ptr, bodysize-ec, 16))
+ goto no_mem;
+ sum.length = ec;
+ if (sum.length != ctx->cksum_size) {
+ *minor_status = 0;
+ return GSS_S_BAD_SIG;
+ }
+ sum.contents = ptr+bodysize-ec;
+ sum.checksum_type = ctx->cksumtype;
+ err = krb5_c_verify_checksum(context, key, key_usage,
+ &plain, &sum, &valid);
+ if (err)
+ goto error;
+ if (!valid) {
+ *minor_status = 0;
+ return GSS_S_BAD_SIG;
+ }
+ message_buffer->length = plain.length - 16;
+ message_buffer->value = malloc(message_buffer->length);
+ if (message_buffer->value == NULL)
+ goto no_mem;
+ memcpy(message_buffer->value, plain.data, message_buffer->length);
+ }
+ err = g_order_check(&ctx->seqstate, seqnum);
+ *minor_status = 0;
+ return err;
+ } else if (toktype == KG_TOK_MIC_MSG) {
+ /* wrap token, no confidentiality */
+ if (load_16_be(ptr) != 0x0404)
+ goto defective;
+ verify_mic_1:
+ if (ptr[3] != 0xff)
+ goto defective;
+ if (load_32_be(ptr+4) != 0xffffffffL)
+ goto defective;
+ seqnum = load_64_be(ptr+8);
+ plain.length = message_buffer->length + 16;
+ plain.data = malloc(plain.length);
+ if (plain.data == NULL)
+ goto no_mem;
+ if (message_buffer->length)
+ memcpy(plain.data, message_buffer->value, message_buffer->length);
+ memcpy(plain.data + message_buffer->length, ptr, 16);
+ sum.length = bodysize - 16;
+ sum.contents = ptr + 16;
+ sum.checksum_type = ctx->cksumtype;
+ err = krb5_c_verify_checksum(context, key, key_usage,
+ &plain, &sum, &valid);
+ if (err) {
+ error:
+ free(plain.data);
+ *minor_status = err;
+ return GSS_S_BAD_SIG; /* XXX */
+ }
+ if (!valid) {
+ free(plain.data);
+ *minor_status = 0;
+ return GSS_S_BAD_SIG;
+ }
+ err = g_order_check(&ctx->seqstate, seqnum);
+ *minor_status = 0;
+ return err;
+ } else if (toktype == KG_TOK_DEL_CTX) {
+ if (load_16_be(ptr) != 0x0405)
+ goto defective;
+ message_buffer = &empty_message;
+ goto verify_mic_1;
+ } else {
+ goto defective;
+ }
+}
diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c
index 347d6b8..6851352 100644
--- a/src/lib/gssapi/krb5/k5unseal.c
+++ b/src/lib/gssapi/krb5/k5unseal.c
@@ -224,6 +224,8 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
return(GSS_S_FAILURE);
}
memcpy(token.value, plain+conflen, token.length);
+ } else {
+ token.value = NULL;
}
} else if (toktype == KG_TOK_SIGN_MSG) {
token = *message_buffer;
@@ -488,6 +490,7 @@ kg_unseal(context, minor_status, context_handle, input_token_buffer,
unsigned char *ptr;
unsigned int bodysize;
int err;
+ int toktype2;
/* validate the context handle */
if (! kg_validate_ctx_id(context_handle)) {
@@ -508,14 +511,38 @@ kg_unseal(context, minor_status, context_handle, input_token_buffer,
ptr = (unsigned char *) input_token_buffer->value;
- if (!(err = g_verify_token_header((gss_OID) ctx->mech_used,
- &bodysize, &ptr, toktype,
- input_token_buffer->length))) {
- return(kg_unseal_v1(context, minor_status, ctx, ptr, bodysize,
- message_buffer, conf_state, qop_state,
- toktype));
+ if (ctx->proto)
+ switch (toktype) {
+ case KG_TOK_SIGN_MSG:
+ toktype2 = 0x0404;
+ break;
+ case KG_TOK_SEAL_MSG:
+ toktype2 = 0x0504;
+ break;
+ case KG_TOK_DEL_CTX:
+ toktype2 = 0x0405;
+ break;
+ default:
+ toktype2 = toktype;
+ break;
+ }
+ else
+ toktype2 = toktype;
+ err = g_verify_token_header((gss_OID) ctx->mech_used,
+ &bodysize, &ptr, toktype2,
+ input_token_buffer->length,
+ !ctx->proto);
+ if (err) {
+ *minor_status = err;
+ return GSS_S_DEFECTIVE_TOKEN;
}
- *minor_status = err;
- return(GSS_S_DEFECTIVE_TOKEN);
+ if (ctx->proto == 0)
+ return kg_unseal_v1(context, minor_status, ctx, ptr, bodysize,
+ message_buffer, conf_state, qop_state,
+ toktype);
+ else
+ return gss_krb5int_unseal_token_v3(context, minor_status, ctx,
+ ptr, bodysize, message_buffer,
+ conf_state, qop_state, toktype);
}
diff --git a/src/lib/gssapi/krb5/rel_cred.c b/src/lib/gssapi/krb5/rel_cred.c
index 0d81399..43d5ca1 100644
--- a/src/lib/gssapi/krb5/rel_cred.c
+++ b/src/lib/gssapi/krb5/rel_cred.c
@@ -34,8 +34,10 @@ krb5_gss_release_cred(minor_status, cred_handle)
if (GSS_ERROR(kg_get_context(minor_status, &context)))
return(GSS_S_FAILURE);
- if (*cred_handle == GSS_C_NO_CREDENTIAL)
- return(kg_release_defcred(minor_status));
+ if (*cred_handle == GSS_C_NO_CREDENTIAL) {
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
+ }
if (! kg_delete_cred_id(*cred_handle)) {
*minor_status = (OM_uint32) G_VALIDATE_FAILED;
diff --git a/src/lib/gssapi/krb5/ser_sctx.c b/src/lib/gssapi/krb5/ser_sctx.c
index 8ab9401..4c55646 100644
--- a/src/lib/gssapi/krb5/ser_sctx.c
+++ b/src/lib/gssapi/krb5/ser_sctx.c
@@ -237,7 +237,6 @@ kg_ctx_size(kcontext, arg, sizep)
if ((ctx = (krb5_gss_ctx_id_rec *) arg)) {
required = 16*sizeof(krb5_int32);
required += sizeof(ctx->seed);
- required += ctx->nctypes*sizeof(krb5_int32);
kret = 0;
if (!kret && ctx->here)
@@ -305,6 +304,11 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain)
krb5_octet *bp;
size_t remain;
int i;
+ krb5int_access kaccess;
+
+ kret = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
+ if (kret)
+ return(kret);
required = 0;
bp = *buffer;
@@ -337,16 +341,14 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain)
&bp, &remain);
(void) krb5_ser_pack_int32((krb5_int32) ctx->krb_flags,
&bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) ctx->seq_send,
+ (void) (*kaccess.krb5_ser_pack_int64)((krb5_int64) ctx->seq_send,
&bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) ctx->seq_recv,
+ (void) (*kaccess.krb5_ser_pack_int64)((krb5_int64) ctx->seq_recv,
&bp, &remain);
(void) krb5_ser_pack_int32((krb5_int32) ctx->established,
&bp, &remain);
(void) krb5_ser_pack_int32((krb5_int32) ctx->big_endian,
&bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) ctx->nctypes,
- &bp, &remain);
/* Now dynamic data */
kret = 0;
@@ -395,13 +397,6 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain)
(krb5_pointer) ctx->auth_context,
&bp, &remain);
- for (i=0; i<ctx->nctypes; i++) {
- if (!kret) {
- kret = krb5_ser_pack_int32((krb5_int32) ctx->ctypes[i],
- &bp, &remain);
- }
- }
-
if (!kret) {
(void) krb5_ser_pack_int32(KG_CONTEXT, &bp, &remain);
*buffer = bp;
@@ -428,6 +423,11 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain)
krb5_octet *bp;
size_t remain;
int i;
+ krb5int_access kaccess;
+
+ kret = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
+ if (kret)
+ return(kret);
bp = *buffer;
remain = *lenremain;
@@ -464,14 +464,12 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain)
ctx->endtime = (krb5_timestamp) ibuf;
(void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
ctx->krb_flags = (krb5_flags) ibuf;
- (void) krb5_ser_unpack_int32(&ctx->seq_send, &bp, &remain);
- (void) krb5_ser_unpack_int32(&ctx->seq_recv, &bp, &remain);
+ (void) (*kaccess.krb5_ser_unpack_int64)(&ctx->seq_send, &bp, &remain);
+ (void) (*kaccess.krb5_ser_unpack_int64)(&ctx->seq_recv, &bp, &remain);
(void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
ctx->established = (int) ibuf;
(void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
ctx->big_endian = (int) ibuf;
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->nctypes = (int) ibuf;
if ((kret = kg_oid_internalize(kcontext, &ctx->mech_used, &bp,
&remain))) {
@@ -531,22 +529,6 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain)
KV5M_AUTH_CONTEXT,
(krb5_pointer *) &ctx->auth_context,
&bp, &remain);
-
- if (!kret) {
- if (ctx->nctypes) {
- if ((ctx->ctypes = (krb5_cksumtype *)
- malloc(ctx->nctypes*sizeof(krb5_cksumtype))) == NULL){
- kret = ENOMEM;
- }
-
- for (i=0; i<ctx->nctypes; i++) {
- if (!kret) {
- kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->ctypes[i] = (krb5_cksumtype) ibuf;
- }
- }
- }
- }
/* Get trailer */
if (!kret &&
diff --git a/src/lib/gssapi/krb5/set_ccache.c b/src/lib/gssapi/krb5/set_ccache.c
index 9a61220..9a6cdda 100644
--- a/src/lib/gssapi/krb5/set_ccache.c
+++ b/src/lib/gssapi/krb5/set_ccache.c
@@ -36,36 +36,55 @@ gss_krb5_ccache_name(minor_status, name, out_name)
const char *name;
const char **out_name;
{
- krb5_context context;
- krb5_error_code retval;
- OM_uint32 foo_stat;
- static char *oldname = NULL;
- const char *tmpname = NULL;
+ static char *gss_out_name = NULL;
+
+ char *old_name = NULL;
+ OM_uint32 err = 0;
+ OM_uint32 minor = 0;
- if (GSS_ERROR(kg_get_context(minor_status, &context)))
- return (GSS_S_FAILURE);
+ if (out_name) {
+ const char *tmp_name = NULL;
- if (out_name) {
- if (oldname != NULL)
- free(oldname);
- /*
- * Save copy of previous default ccname, since
- * cc_set_default_name will free it and we don't want
- * to hang on to a pointer to freed memory.
- */
- tmpname = krb5_cc_default_name(context);
- oldname = malloc(strlen(tmpname) + 1);
- if (oldname == NULL)
- return GSS_S_FAILURE;
- strcpy(oldname, tmpname);
- *out_name = oldname;
- }
-
- retval = krb5_cc_set_default_name(context, name);
- if (retval) {
- *minor_status = retval;
- return GSS_S_FAILURE;
- }
- kg_release_defcred(&foo_stat);
- return GSS_S_COMPLETE;
+ if (!err) {
+ if (GSS_ERROR(kg_get_ccache_name (&minor, &tmp_name))) {
+ err = minor;
+ }
+ }
+
+ if (!err) {
+ old_name = malloc(strlen(tmp_name) + 1);
+ if (old_name == NULL) {
+ err = ENOMEM;
+ } else {
+ strcpy(old_name, tmp_name);
+ }
+ }
+
+ if (!err) {
+ char *swap = NULL;
+
+ swap = gss_out_name;
+ gss_out_name = old_name;
+ old_name = swap;
+ }
+ }
+
+ if (!err) {
+ if (GSS_ERROR(kg_set_ccache_name (&minor, name))) {
+ err = minor;
+ }
+ }
+
+ if (!err) {
+ if (out_name) {
+ *out_name = gss_out_name;
+ }
+ }
+
+ if (old_name != NULL) {
+ free (old_name);
+ }
+
+ *minor_status = err;
+ return (*minor_status == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE;
}
diff --git a/src/lib/gssapi/krb5/wrap_size_limit.c b/src/lib/gssapi/krb5/wrap_size_limit.c
index 43ccc64..59bf30e 100644
--- a/src/lib/gssapi/krb5/wrap_size_limit.c
+++ b/src/lib/gssapi/krb5/wrap_size_limit.c
@@ -110,6 +110,32 @@ krb5_gss_wrap_size_limit(minor_status, context_handle, conf_req_flag,
return(GSS_S_NO_CONTEXT);
}
+ if (ctx->proto == 1) {
+ /* No pseudo-ASN.1 wrapper overhead, so no sequence length and
+ OID. */
+ OM_uint32 sz = req_output_size;
+ /* Token header: 16 octets. */
+ if (conf_req_flag) {
+ while (sz > 0 && krb5_encrypt_size(sz, ctx->enc->enctype) + 16 > req_output_size)
+ sz--;
+ } else {
+ if (sz < 16 + ctx->cksum_size)
+ sz = 0;
+ else
+ sz -= (16 + ctx->cksum_size);
+ }
+
+ /* While testing only! */
+ if (sz < 65536)
+ sz = 0;
+ else
+ sz -= 65535;
+
+ *max_input_size = sz;
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+ }
+
/* Calculate the token size and subtract that from the output size */
overhead = 7 + ctx->mech_used->length;
data_size = req_output_size;
diff --git a/src/lib/gssapi32.def b/src/lib/gssapi32.def
index 3a43be2..e951cb9 100644
--- a/src/lib/gssapi32.def
+++ b/src/lib/gssapi32.def
@@ -72,7 +72,14 @@ EXPORTS
;
; GSS-API variables
;
- gss_nt_user_name DATA
- gss_nt_machine_uid_name DATA
- gss_nt_string_uid_name DATA
- gss_nt_service_name DATA
+ gss_nt_user_name DATA
+ gss_nt_machine_uid_name DATA
+ gss_nt_string_uid_name DATA
+ gss_nt_service_name DATA
+ GSS_C_NT_USER_NAME DATA
+ GSS_C_NT_MACHINE_UID_NAME DATA
+ GSS_C_NT_STRING_UID_NAME DATA
+ GSS_C_NT_HOSTBASED_SERVICE DATA
+ GSS_C_NT_HOSTBASED_SERVICE_X DATA
+ GSS_C_NT_ANONYMOUS DATA
+ GSS_C_NT_EXPORT_NAME DATA
diff --git a/src/lib/kadm5/ChangeLog b/src/lib/kadm5/ChangeLog
index d663d7f..75cf060 100644
--- a/src/lib/kadm5/ChangeLog
+++ b/src/lib/kadm5/ChangeLog
@@ -1,3 +1,23 @@
+2003-06-03 Tom Yu <tlyu@mit.edu>
+
+ * alt_prof.c (krb5_read_realm_params): Don't bother reading in
+ realm_keysalts or realm_num_keysalts, as they're no longer used.
+
+2003-05-30 Ken Raeburn <raeburn@mit.edu>
+
+ * alt_prof.c (kadm5_get_config_params): Change default max_life to
+ one day.
+
+2003-05-13 Ken Raeburn <raeburn@mit.edu>
+
+ * alt_prof.c (kadm5_get_config_params): Remove aes256 from the
+ default supported enctypes list for now.
+
+2003-04-18 Ken Raeburn <raeburn@mit.edu>
+
+ * alt_prof.c (kadm5_get_config_params): Add aes256 to the default
+ supported enctypes list.
+
2003-01-10 Ken Raeburn <raeburn@mit.edu>
* configure.in: Don't explicitly invoke AC_PROG_ARCHIVE,
diff --git a/src/lib/kadm5/Makefile.in b/src/lib/kadm5/Makefile.in
index 9546a6b..50bdfb6 100644
--- a/src/lib/kadm5/Makefile.in
+++ b/src/lib/kadm5/Makefile.in
@@ -122,10 +122,11 @@ ovsec_glue.so ovsec_glue.po $(OUTPRE)ovsec_glue.$(OBJEXT): ovsec_glue.c $(BUILDT
$(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \
$(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h
+ $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
+ $(BUILDTOP)/include/kadm5/chpass_util_strings.h
misc_free.so misc_free.po $(OUTPRE)misc_free.$(OBJEXT): misc_free.c $(BUILDTOP)/include/kadm5/admin.h \
$(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \
$(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \
@@ -133,11 +134,12 @@ misc_free.so misc_free.po $(OUTPRE)misc_free.$(OBJEXT): misc_free.c $(BUILDTOP)/
$(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \
$(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- server_internal.h admin_internal.h adb.h $(DB_DEPS)
+ $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
+ $(BUILDTOP)/include/kadm5/chpass_util_strings.h server_internal.h \
+ admin_internal.h adb.h $(DB_DEPS)
kadm_rpc_xdr.so kadm_rpc_xdr.po $(OUTPRE)kadm_rpc_xdr.$(OBJEXT): kadm_rpc_xdr.c $(BUILDTOP)/include/gssrpc/rpc.h \
$(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/gssrpc/xdr.h \
$(BUILDTOP)/include/gssrpc/auth.h $(BUILDTOP)/include/gssrpc/clnt.h \
@@ -145,11 +147,12 @@ kadm_rpc_xdr.so kadm_rpc_xdr.po $(OUTPRE)kadm_rpc_xdr.$(OBJEXT): kadm_rpc_xdr.c
$(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/profile.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_rpc.h $(BUILDTOP)/include/kadm5/admin_xdr.h
+ $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/admin.h \
+ $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
+ $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_rpc.h \
+ $(BUILDTOP)/include/kadm5/admin_xdr.h
chpass_util.so chpass_util.po $(OUTPRE)chpass_util.$(OBJEXT): chpass_util.c $(BUILDTOP)/include/kadm5/admin.h \
$(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \
$(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \
@@ -157,28 +160,29 @@ chpass_util.so chpass_util.po $(OUTPRE)chpass_util.$(OBJEXT): chpass_util.c $(BU
$(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \
$(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- admin_internal.h
+ $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
+ $(BUILDTOP)/include/kadm5/chpass_util_strings.h admin_internal.h
alt_prof.so alt_prof.po $(OUTPRE)alt_prof.$(OBJEXT): alt_prof.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \
- $(BUILDTOP)/include/gssrpc/clnt.h $(BUILDTOP)/include/gssrpc/rpc_msg.h \
- $(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \
- $(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(SRCTOP)/include/krb5/adm_proto.h
+ $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/gssrpc/rpc.h \
+ $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/gssrpc/xdr.h \
+ $(BUILDTOP)/include/gssrpc/auth.h $(BUILDTOP)/include/gssrpc/clnt.h \
+ $(BUILDTOP)/include/gssrpc/rpc_msg.h $(BUILDTOP)/include/gssrpc/auth_unix.h \
+ $(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \
+ $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
+ $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(SRCTOP)/include/krb5/adm_proto.h
str_conv.so str_conv.po $(OUTPRE)str_conv.$(OBJEXT): str_conv.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h admin_internal.h $(BUILDTOP)/include/kadm5/admin.h \
+ admin_internal.h $(BUILDTOP)/include/kadm5/admin.h \
$(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \
$(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \
$(BUILDTOP)/include/gssrpc/clnt.h $(BUILDTOP)/include/gssrpc/rpc_msg.h \
@@ -188,8 +192,8 @@ str_conv.so str_conv.po $(OUTPRE)str_conv.$(OBJEXT): str_conv.c $(SRCTOP)/includ
$(SRCTOP)/include/krb5/adm_proto.h
logger.so logger.po $(OUTPRE)logger.$(OBJEXT): logger.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/krb5/adm_proto.h \
- $(SRCTOP)/include/syslog.h
+ $(SRCTOP)/include/krb5/adm_proto.h $(SRCTOP)/include/syslog.h
diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c
index 758c885..659068b 100644
--- a/src/lib/kadm5/alt_prof.c
+++ b/src/lib/kadm5/alt_prof.c
@@ -605,7 +605,7 @@ krb5_error_code kadm5_get_config_params(context, kdcprofile, kdcenv,
params.max_life = dtvalue;
params.mask |= KADM5_CONFIG_MAX_LIFE;
} else {
- params.max_life = 36000; /* 10 hours */
+ params.max_life = 24 * 60 * 60; /* 1 day */
params.mask |= KADM5_CONFIG_MAX_LIFE;
}
@@ -702,7 +702,7 @@ krb5_error_code kadm5_get_config_params(context, kdcprofile, kdcenv,
if (aprofile)
krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue);
if (svalue == NULL)
- svalue = strdup("des3-hmac-sha1:normal des-cbc-crc:normal");
+ svalue = strdup("des3-hmac-sha1:normal des-cbc-crc:normal");
params.keysalts = NULL;
params.num_keysalts = 0;
@@ -936,27 +936,8 @@ krb5_read_realm_params(kcontext, realm, kdcprofile, kdcenv, rparamp)
krb5_xfree(svalue);
}
- /* Get the value for the supported enctype/salttype matrix */
- /* XXX This is so that the kdc will search a different
- enctype list than kadmind */
- if (!kret) {
- hierarchy[2] = "kdc_supported_enctypes";
- kret = krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue);
- if (kret) {
- hierarchy[2] = "supported_enctypes";
- kret = krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue);
- }
- if (!kret) {
- krb5_string_to_keysalts(svalue,
- ", \t", /* Tuple separators */
- ":.-", /* Key/salt separators */
- 0, /* No duplicates */
- &rparams->realm_keysalts,
- &rparams->realm_num_keysalts);
- krb5_xfree(svalue);
- }
- kret = 0;
- }
+ rparams->realm_keysalts = NULL;
+ rparams->realm_num_keysalts = 0;
cleanup:
if (aprofile)
diff --git a/src/lib/kadm5/clnt/Makefile.in b/src/lib/kadm5/clnt/Makefile.in
index daf317a..2f09492 100644
--- a/src/lib/kadm5/clnt/Makefile.in
+++ b/src/lib/kadm5/clnt/Makefile.in
@@ -84,12 +84,12 @@ clnt_policy.so clnt_policy.po $(OUTPRE)clnt_policy.$(OBJEXT): clnt_policy.c $(BU
$(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \
$(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_rpc.h client_internal.h \
- $(BUILDTOP)/include/kadm5/admin_internal.h
+ $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
+ $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_rpc.h \
+ client_internal.h $(BUILDTOP)/include/kadm5/admin_internal.h
client_rpc.so client_rpc.po $(OUTPRE)client_rpc.$(OBJEXT): client_rpc.c $(BUILDTOP)/include/gssrpc/rpc.h \
$(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/gssrpc/xdr.h \
$(BUILDTOP)/include/gssrpc/auth.h $(BUILDTOP)/include/gssrpc/clnt.h \
@@ -98,10 +98,10 @@ client_rpc.so client_rpc.po $(OUTPRE)client_rpc.$(OBJEXT): client_rpc.c $(BUILDT
$(BUILDTOP)/include/kadm5/kadm_rpc.h $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(BUILDTOP)/include/kadm5/admin.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/profile.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h
+ $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/kadm_err.h \
+ $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h
client_principal.so client_principal.po $(OUTPRE)client_principal.$(OBJEXT): client_principal.c \
$(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \
$(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \
@@ -110,26 +110,27 @@ client_principal.so client_principal.po $(OUTPRE)client_principal.$(OBJEXT): cli
$(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/kadm5/admin.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/profile.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_rpc.h \
- client_internal.h $(BUILDTOP)/include/kadm5/admin_internal.h
+ $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/kadm_err.h \
+ $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
+ $(BUILDTOP)/include/kadm5/kadm_rpc.h client_internal.h \
+ $(BUILDTOP)/include/kadm5/admin_internal.h
client_init.so client_init.po $(OUTPRE)client_init.$(OBJEXT): client_init.c $(COM_ERR_DEPS) \
$(BUILDTOP)/include/krb5.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/profile.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/gssrpc/rpc.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/gssrpc/xdr.h \
- $(BUILDTOP)/include/gssrpc/auth.h $(BUILDTOP)/include/gssrpc/clnt.h \
- $(BUILDTOP)/include/gssrpc/rpc_msg.h $(BUILDTOP)/include/gssrpc/auth_unix.h \
- $(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_rpc.h \
- client_internal.h $(BUILDTOP)/include/kadm5/admin_internal.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \
- $(BUILDTOP)/include/gssrpc/auth_gssapi.h
+ $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/admin.h \
+ $(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \
+ $(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \
+ $(BUILDTOP)/include/gssrpc/clnt.h $(BUILDTOP)/include/gssrpc/rpc_msg.h \
+ $(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \
+ $(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/kadm5/kadm_err.h \
+ $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
+ $(BUILDTOP)/include/kadm5/kadm_rpc.h client_internal.h \
+ $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/gssapi/gssapi.h \
+ $(BUILDTOP)/include/gssapi/gssapi_krb5.h $(BUILDTOP)/include/gssrpc/auth_gssapi.h
clnt_privs.so clnt_privs.po $(OUTPRE)clnt_privs.$(OBJEXT): clnt_privs.c $(BUILDTOP)/include/gssrpc/rpc.h \
$(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/gssrpc/xdr.h \
$(BUILDTOP)/include/gssrpc/auth.h $(BUILDTOP)/include/gssrpc/clnt.h \
@@ -137,12 +138,12 @@ clnt_privs.so clnt_privs.po $(OUTPRE)clnt_privs.$(OBJEXT): clnt_privs.c $(BUILDT
$(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \
$(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_rpc.h client_internal.h \
- $(BUILDTOP)/include/kadm5/admin_internal.h
+ $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
+ $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_rpc.h \
+ client_internal.h $(BUILDTOP)/include/kadm5/admin_internal.h
clnt_chpass_util.so clnt_chpass_util.po $(OUTPRE)clnt_chpass_util.$(OBJEXT): clnt_chpass_util.c \
$(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/gssrpc/rpc.h \
$(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/gssrpc/xdr.h \
@@ -151,9 +152,9 @@ clnt_chpass_util.so clnt_chpass_util.po $(OUTPRE)clnt_chpass_util.$(OBJEXT): cln
$(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/profile.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h client_internal.h \
- $(BUILDTOP)/include/kadm5/admin_internal.h
+ $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/kadm_err.h \
+ $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
+ client_internal.h $(BUILDTOP)/include/kadm5/admin_internal.h
diff --git a/src/lib/kadm5/srv/ChangeLog b/src/lib/kadm5/srv/ChangeLog
index 6d3e3de..eea6987 100644
--- a/src/lib/kadm5/srv/ChangeLog
+++ b/src/lib/kadm5/srv/ChangeLog
@@ -1,3 +1,19 @@
+2003-09-02 Alexandra Ellwood <lxs@mit.edu>
+
+ * svr_principal.c: Added Apple password server support.
+
+2003-06-13 Tom Yu <tlyu@mit.edu>
+
+ * server_kdb.c (kdb_init_hist): Force history principal's key to
+ be of the same enctype as the master key, as searches for it later
+ on explicitly specify the enctype.
+
+2003-04-01 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in: Remove $(SHLIB_DBLIB_DEPS) and related variables.
+ (SHLIB_EXPDEPS): Remove $(SHLIB_DBLIB_DEPS).
+ (SHLIB_EXPLIBS): Change $(DB_LIB) to $(KDB5_DB_LIB).
+
2003-01-12 Ezra Peisach <epeisach@bu.edu>
* svr_iters.c (kadm5_get_either): For POSIX_REGEXPS
diff --git a/src/lib/kadm5/srv/Makefile.in b/src/lib/kadm5/srv/Makefile.in
index db61a8c..d46216c 100644
--- a/src/lib/kadm5/srv/Makefile.in
+++ b/src/lib/kadm5/srv/Makefile.in
@@ -13,18 +13,14 @@ LIBMAJOR=5
LIBMINOR=1
STOBJLISTS=../OBJS.ST OBJS.ST
-SHLIB_DBLIB_DEPS = $(SHLIB_DBLIB-@DB_VERSION@)
-SHLIB_DBLIB-k5 = $(TOPLIBD)/libdb$(SHLIBEXT)
-SHLIB_DBLIB-sys =
-
SHLIB_EXPDEPS=\
$(TOPLIBD)/libgssrpc$(SHLIBEXT) \
$(TOPLIBD)/libgssapi_krb5$(SHLIBEXT) \
- $(TOPLIBD)/libkdb5$(SHLIBEXT) $(SHLIB_DBLIB_DEPS) \
+ $(TOPLIBD)/libkdb5$(SHLIBEXT) \
$(TOPLIBD)/libkrb5$(SHLIBEXT) \
$(TOPLIBD)/libk5crypto$(SHLIBEXT) \
$(COM_ERR_DEPLIB)
-SHLIB_EXPLIBS = -lgssrpc -lgssapi_krb5 -lkdb5 $(DB_LIB) \
+SHLIB_EXPLIBS = -lgssrpc -lgssapi_krb5 -lkdb5 $(KDB5_DB_LIB) \
-lkrb5 -lk5crypto -lcom_err @GEN_LIB@
SHLIB_DIRS=-L$(TOPLIBD)
SHLIB_RDIRS=$(KRB5_LIBDIR)
@@ -113,11 +109,12 @@ svr_policy.so svr_policy.po $(OUTPRE)svr_policy.$(OBJEXT): svr_policy.c $(BUILDT
$(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \
$(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/adb.h $(DB_DEPS) $(BUILDTOP)/include/kadm5/server_internal.h \
+ $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
+ $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/adb.h \
+ $(DB_DEPS) $(BUILDTOP)/include/kadm5/server_internal.h \
$(BUILDTOP)/include/kadm5/admin_internal.h
svr_principal.so svr_principal.po $(OUTPRE)svr_principal.$(OBJEXT): svr_principal.c $(BUILDTOP)/include/kadm5/admin.h \
$(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \
@@ -126,53 +123,56 @@ svr_principal.so svr_principal.po $(OUTPRE)svr_principal.$(OBJEXT): svr_principa
$(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \
$(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/adb.h $(DB_DEPS) $(BUILDTOP)/include/kadm5/server_internal.h \
+ $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
+ $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/adb.h \
+ $(DB_DEPS) $(BUILDTOP)/include/kadm5/server_internal.h \
$(BUILDTOP)/include/kadm5/admin_internal.h
server_acl.so server_acl.po $(OUTPRE)server_acl.$(OBJEXT): server_acl.c $(SRCTOP)/include/syslog.h \
$(BUILDTOP)/include/gssapi/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \
- $(BUILDTOP)/include/gssrpc/clnt.h $(BUILDTOP)/include/gssrpc/rpc_msg.h \
- $(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \
- $(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/adb.h \
- $(DB_DEPS) $(SRCTOP)/include/krb5/adm_proto.h server_acl.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/server_internal.h \
+ $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/gssrpc/rpc.h \
+ $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/gssrpc/xdr.h \
+ $(BUILDTOP)/include/gssrpc/auth.h $(BUILDTOP)/include/gssrpc/clnt.h \
+ $(BUILDTOP)/include/gssrpc/rpc_msg.h $(BUILDTOP)/include/gssrpc/auth_unix.h \
+ $(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \
+ $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
+ $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/admin_internal.h \
+ $(BUILDTOP)/include/kadm5/adb.h $(DB_DEPS) $(SRCTOP)/include/krb5/adm_proto.h \
+ server_acl.h
server_kdb.so server_kdb.po $(OUTPRE)server_kdb.$(OBJEXT): server_kdb.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \
- $(BUILDTOP)/include/gssrpc/clnt.h $(BUILDTOP)/include/gssrpc/rpc_msg.h \
- $(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \
- $(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/kadm5/admin_internal.h \
- $(BUILDTOP)/include/kadm5/adb.h $(DB_DEPS)
-server_misc.so server_misc.po $(OUTPRE)server_misc.$(OBJEXT): server_misc.c $(SRCTOP)/include/k5-int.h \
- $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/adb.h \
- $(BUILDTOP)/include/gssrpc/types.h $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/xdr.h \
+ $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/gssrpc/rpc.h \
+ $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/gssrpc/xdr.h \
$(BUILDTOP)/include/gssrpc/auth.h $(BUILDTOP)/include/gssrpc/clnt.h \
$(BUILDTOP)/include/gssrpc/rpc_msg.h $(BUILDTOP)/include/gssrpc/auth_unix.h \
$(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \
$(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
$(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/server_internal.h \
- $(BUILDTOP)/include/kadm5/admin_internal.h
+ $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/adb.h \
+ $(DB_DEPS)
+server_misc.so server_misc.po $(OUTPRE)server_misc.$(OBJEXT): server_misc.c $(SRCTOP)/include/k5-int.h \
+ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
+ $(BUILDTOP)/include/kadm5/adb.h $(BUILDTOP)/include/gssrpc/types.h \
+ $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/gssrpc/rpc.h \
+ $(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \
+ $(BUILDTOP)/include/gssrpc/clnt.h $(BUILDTOP)/include/gssrpc/rpc_msg.h \
+ $(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \
+ $(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/kadm5/kadm_err.h \
+ $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
+ $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/kadm5/admin_internal.h
server_init.so server_init.po $(OUTPRE)server_init.$(OBJEXT): server_init.c $(COM_ERR_DEPS) \
$(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/gssrpc/rpc.h \
$(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/gssrpc/xdr.h \
@@ -181,12 +181,12 @@ server_init.so server_init.po $(OUTPRE)server_init.$(OBJEXT): server_init.c $(CO
$(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \
$(BUILDTOP)/include/krb5.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/profile.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/server_internal.h \
- $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/adb.h \
- $(DB_DEPS)
+ $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/kadm_err.h \
+ $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
+ $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/kadm5/admin_internal.h \
+ $(BUILDTOP)/include/kadm5/adb.h $(DB_DEPS)
server_dict.so server_dict.po $(OUTPRE)server_dict.$(OBJEXT): server_dict.c $(BUILDTOP)/include/kadm5/admin.h \
$(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \
$(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \
@@ -194,13 +194,14 @@ server_dict.so server_dict.po $(OUTPRE)server_dict.$(OBJEXT): server_dict.c $(BU
$(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \
$(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(SRCTOP)/include/krb5/adm_proto.h $(SRCTOP)/include/syslog.h \
- $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/kadm5/admin_internal.h \
- $(BUILDTOP)/include/kadm5/adb.h $(DB_DEPS)
+ $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
+ $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(SRCTOP)/include/krb5/adm_proto.h \
+ $(SRCTOP)/include/syslog.h $(BUILDTOP)/include/kadm5/server_internal.h \
+ $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/adb.h \
+ $(DB_DEPS)
svr_iters.so svr_iters.po $(OUTPRE)svr_iters.$(OBJEXT): svr_iters.c $(BUILDTOP)/include/kadm5/admin.h \
$(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \
$(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \
@@ -208,11 +209,12 @@ svr_iters.so svr_iters.po $(OUTPRE)svr_iters.$(OBJEXT): svr_iters.c $(BUILDTOP)/
$(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \
$(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/adb.h $(DB_DEPS) $(BUILDTOP)/include/kadm5/server_internal.h \
+ $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
+ $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/adb.h \
+ $(DB_DEPS) $(BUILDTOP)/include/kadm5/server_internal.h \
$(BUILDTOP)/include/kadm5/admin_internal.h
svr_chpass_util.so svr_chpass_util.po $(OUTPRE)svr_chpass_util.$(OBJEXT): svr_chpass_util.c \
$(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/gssrpc/rpc.h \
@@ -222,12 +224,12 @@ svr_chpass_util.so svr_chpass_util.po $(OUTPRE)svr_chpass_util.$(OBJEXT): svr_ch
$(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/profile.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/server_internal.h \
- $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/adb.h \
- $(DB_DEPS)
+ $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/kadm_err.h \
+ $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
+ $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/kadm5/admin_internal.h \
+ $(BUILDTOP)/include/kadm5/adb.h $(DB_DEPS)
adb_xdr.so adb_xdr.po $(OUTPRE)adb_xdr.$(OBJEXT): adb_xdr.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \
$(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \
@@ -235,46 +237,46 @@ adb_xdr.so adb_xdr.po $(OUTPRE)adb_xdr.$(OBJEXT): adb_xdr.c $(BUILDTOP)/include/
$(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \
$(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/kadm5/adb.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/admin_xdr.h \
- $(BUILDTOP)/include/kadm5/kadm_rpc.h
+ $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/kadm_err.h \
+ $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
+ $(BUILDTOP)/include/kadm5/admin_xdr.h $(BUILDTOP)/include/kadm5/kadm_rpc.h
adb_policy.so adb_policy.po $(OUTPRE)adb_policy.$(OBJEXT): adb_policy.c $(BUILDTOP)/include/kadm5/adb.h \
$(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/xdr.h \
- $(BUILDTOP)/include/gssrpc/auth.h $(BUILDTOP)/include/gssrpc/clnt.h \
- $(BUILDTOP)/include/gssrpc/rpc_msg.h $(BUILDTOP)/include/gssrpc/auth_unix.h \
- $(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h
+ $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/gssrpc/rpc.h \
+ $(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \
+ $(BUILDTOP)/include/gssrpc/clnt.h $(BUILDTOP)/include/gssrpc/rpc_msg.h \
+ $(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \
+ $(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/kadm5/kadm_err.h \
+ $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h
adb_free.so adb_free.po $(OUTPRE)adb_free.$(OBJEXT): adb_free.c $(BUILDTOP)/include/kadm5/adb.h \
$(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/xdr.h \
- $(BUILDTOP)/include/gssrpc/auth.h $(BUILDTOP)/include/gssrpc/clnt.h \
- $(BUILDTOP)/include/gssrpc/rpc_msg.h $(BUILDTOP)/include/gssrpc/auth_unix.h \
- $(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h
+ $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/gssrpc/rpc.h \
+ $(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \
+ $(BUILDTOP)/include/gssrpc/clnt.h $(BUILDTOP)/include/gssrpc/rpc_msg.h \
+ $(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \
+ $(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/kadm5/kadm_err.h \
+ $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h
adb_openclose.so adb_openclose.po $(OUTPRE)adb_openclose.$(OBJEXT): adb_openclose.c $(BUILDTOP)/include/kadm5/adb.h \
$(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/xdr.h \
- $(BUILDTOP)/include/gssrpc/auth.h $(BUILDTOP)/include/gssrpc/clnt.h \
- $(BUILDTOP)/include/gssrpc/rpc_msg.h $(BUILDTOP)/include/gssrpc/auth_unix.h \
- $(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h
+ $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/gssrpc/rpc.h \
+ $(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \
+ $(BUILDTOP)/include/gssrpc/clnt.h $(BUILDTOP)/include/gssrpc/rpc_msg.h \
+ $(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \
+ $(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/kadm5/kadm_err.h \
+ $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h
diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c
index 231fcb3..97d38c7 100644
--- a/src/lib/kadm5/srv/server_kdb.c
+++ b/src/lib/kadm5/srv/server_kdb.c
@@ -107,6 +107,7 @@ krb5_error_code kdb_init_hist(kadm5_server_handle_t handle, char *r)
int ret = 0;
char *realm, *hist_name;
krb5_key_data *key_data;
+ krb5_key_salt_tuple ks[1];
if (r == NULL) {
if ((ret = krb5_get_default_realm(handle->context, &realm)))
@@ -144,11 +145,13 @@ krb5_error_code kdb_init_hist(kadm5_server_handle_t handle, char *r)
history principal, anyway. */
hist_kvno = 2;
-
- ret = kadm5_create_principal(handle, &ent,
- (KADM5_PRINCIPAL | KADM5_MAX_LIFE |
- KADM5_ATTRIBUTES),
- "to-be-random");
+ ks[0].ks_enctype = handle->params.enctype;
+ ks[0].ks_salttype = KRB5_KDB_SALTTYPE_NORMAL;
+ ret = kadm5_create_principal_3(handle, &ent,
+ (KADM5_PRINCIPAL | KADM5_MAX_LIFE |
+ KADM5_ATTRIBUTES),
+ 1, ks,
+ "to-be-random");
if (ret)
goto done;
@@ -156,7 +159,8 @@ krb5_error_code kdb_init_hist(kadm5_server_handle_t handle, char *r)
hist_princ = NULL;
- ret = kadm5_randkey_principal(handle, ent.principal, NULL, NULL);
+ ret = kadm5_randkey_principal_3(handle, ent.principal, 0, 1, ks,
+ NULL, NULL);
hist_princ = ent.principal;
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index c1b8bc5..c567f83 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -19,6 +19,9 @@ static char *rcsid = "$Header$";
#include "server_internal.h"
#include <stdarg.h>
#include <stdlib.h>
+#ifdef USE_PASSWORD_SERVER
+#include <sys/wait.h>
+#endif
extern krb5_principal master_princ;
extern krb5_principal hist_princ;
@@ -1065,6 +1068,105 @@ static kadm5_ret_t add_to_history(krb5_context context,
}
#undef KADM_MOD
+#ifdef USE_PASSWORD_SERVER
+
+/* FIXME: don't use global variable for this */
+krb5_boolean use_password_server = 0;
+
+static krb5_boolean
+kadm5_use_password_server (void)
+{
+ return use_password_server;
+}
+
+void
+kadm5_set_use_password_server (void)
+{
+ use_password_server = 1;
+}
+
+/*
+ * kadm5_launch_task () runs a program (task_path) to synchronize the
+ * Apple password server with the Kerberos database. Password server
+ * programs can receive arguments on the command line (task_argv)
+ * and a block of data via stdin (data_buffer).
+ *
+ * Because a failure to communicate with the tool results in the
+ * password server falling out of sync with the database,
+ * kadm5_launch_task() always fails if it can't talk to the tool.
+ */
+
+static kadm5_ret_t
+kadm5_launch_task (krb5_context context,
+ const char *task_path, char * const task_argv[],
+ const char *data_buffer)
+{
+ kadm5_ret_t ret = 0;
+ int data_pipe[2];
+
+ if (data_buffer != NULL) {
+ ret = pipe (data_pipe);
+ if (ret) { ret = errno; }
+ }
+
+ if (!ret) {
+ pid_t pid = fork ();
+ if (pid == -1) {
+ ret = errno;
+ } else if (pid == 0) {
+ /* The child: */
+
+ if (data_buffer != NULL) {
+ if (dup2 (data_pipe[0], STDIN_FILENO) == -1) {
+ _exit (1);
+ }
+ } else {
+ close (data_pipe[0]);
+ }
+
+ close (data_pipe[1]);
+
+ execv (task_path, task_argv);
+
+ _exit (1); /* Fail if execv fails */
+ } else {
+ /* The parent: */
+ int status;
+
+ if (data_buffer != NULL) {
+ /* Write out the buffer to the child */
+ if (krb5_net_write (context, data_pipe[1],
+ data_buffer, strlen (data_buffer)) < 0) {
+ /* kill the child to make sure waitpid() won't hang later */
+ ret = errno;
+ kill (pid, SIGKILL);
+ }
+ }
+
+ close (data_buffer[0]);
+ close (data_buffer[1]);
+
+ waitpid (pid, &status, 0);
+
+ if (!ret) {
+ if (WIFEXITED (status)) {
+ /* child read password and exited. Check the return value. */
+ if ((WEXITSTATUS (status) != 0) && (WEXITSTATUS (status) != 252)) {
+ ret = KRB5KDC_ERR_POLICY; /* password change rejected */
+ }
+ } else {
+ /* child read password but crashed or was killed */
+ ret = KRB5KRB_ERR_GENERIC; /* FIXME: better error */
+ }
+ }
+ }
+ }
+
+ return ret;
+}
+
+#endif
+
kadm5_ret_t
kadm5_chpass_principal(void *server_handle,
krb5_principal principal, char *password)
@@ -1193,6 +1295,42 @@ kadm5_chpass_principal_3(void *server_handle,
kdb.pw_expiration = 0;
}
+#ifdef USE_PASSWORD_SERVER
+ if (kadm5_use_password_server () &&
+ (krb5_princ_size (handle->context, principal) == 1)) {
+ krb5_data *princ = krb5_princ_component (handle->context, principal, 0);
+ const char *path = "/usr/sbin/mkpassdb";
+ char *argv[] = { "mkpassdb", "-setpassword", NULL, NULL };
+ char *pstring = NULL;
+ char pwbuf[256];
+ int pwlen = strlen (password);
+
+ if (pwlen > 254) pwlen = 254;
+ strncpy (pwbuf, password, pwlen);
+ pwbuf[pwlen] = '\n';
+ pwbuf[pwlen + 1] = '\0';
+
+ if (!ret) {
+ pstring = malloc ((princ->length + 1) * sizeof (char));
+ if (pstring == NULL) { ret = errno; }
+ }
+
+ if (!ret) {
+ memcpy (pstring, princ->data, princ->length);
+ pstring [princ->length] = '\0';
+ argv[2] = pstring;
+
+ ret = kadm5_launch_task (handle->context, path, argv, pwbuf);
+ }
+
+ if (pstring != NULL)
+ free (pstring);
+
+ if (ret)
+ goto done;
+ }
+#endif
+
ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now);
if (ret)
goto done;
diff --git a/src/lib/kadm5/unit-test/ChangeLog b/src/lib/kadm5/unit-test/ChangeLog
index f4da36d..d1cd620 100644
--- a/src/lib/kadm5/unit-test/ChangeLog
+++ b/src/lib/kadm5/unit-test/ChangeLog
@@ -1,3 +1,26 @@
+2003-10-16 Tom Yu <tlyu@mit.edu>
+
+ * api.1/lock.exp: Work around a race condition in the Solaris 9
+ pty implementation: output sent to a pty slave immediately before
+ last close/exit can get lost on the way to the master. This is
+ Sun bug #4927647. The workaround consists of changing the tests
+ to always make lock-test wait to read a character prior to
+ exiting, so any output prior to the "wait" directive will not get
+ lost.
+
+2003-06-02 Ken Raeburn <raeburn@mit.edu>
+
+ * api.2/init-v2.exp (test117): Update lifetime expected for new
+ defaults.
+
+2003-05-21 Tom Yu <tlyu@mit.edu>
+
+ * api.0/init.exp (test6, test7): Be slightly more lenient about
+ matching password prompt.
+
+ * api.2/init.exp (test6, test7): Be slightly more lenient about
+ matching password prompt.
+
2003-01-07 Ken Raeburn <raeburn@mit.edu>
* Makefile.ov: Deleted.
diff --git a/src/lib/kadm5/unit-test/api.0/init.exp b/src/lib/kadm5/unit-test/api.0/init.exp
index f232d23..d39ecce 100644
--- a/src/lib/kadm5/unit-test/api.0/init.exp
+++ b/src/lib/kadm5/unit-test/api.0/init.exp
@@ -77,7 +77,7 @@ proc test6 {} {
send "ovsec_kadm_init admin null \$OVSEC_KADM_ADMIN_SERVICE null \$OVSEC_KADM_STRUCT_VERSION \$OVSEC_KADM_API_VERSION_1 server_handle\n"
expect {
- {Enter password:} { }
+ -re "assword\[^\r\n\]*: *" { }
eof {
fail "$test: eof instead of password prompt"
api_exit
@@ -103,7 +103,7 @@ proc test7 {} {
send "ovsec_kadm_init admin \"\" \$OVSEC_KADM_ADMIN_SERVICE null \$OVSEC_KADM_STRUCT_VERSION \$OVSEC_KADM_API_VERSION_1 server_handle\n"
expect {
- {Enter password:} { }
+ -re "assword\[^\r\n\]*: *" { }
-re "\n\[^\n\]+key:\[^\n\]*$" { }
eof {
fail "$test: eof instead of password prompt"
diff --git a/src/lib/kadm5/unit-test/api.1/lock.exp b/src/lib/kadm5/unit-test/api.1/lock.exp
index e61a28f..6adef59 100644
--- a/src/lib/kadm5/unit-test/api.1/lock.exp
+++ b/src/lib/kadm5/unit-test/api.1/lock.exp
@@ -137,60 +137,78 @@ proc lock_test_continue {test my_spawn_id test_failed fail_output cont cmds} {
return {}
}
-lock_test 1 [list \
+set lock1 [lock_test_start 1 [list \
[list shared "shared"] \
[list release "released"] \
- [list eof 0]]
+ [list wait ""] \
+ [list eof 0]]]
+eval lock_test_continue $lock1
-lock_test 2 [list \
+set lock2 [lock_test_start 2 [list \
[list exclusive exclusive] \
[list release released] \
- [list eof 0]]
+ [list wait ""] \
+ [list eof 0]]]
+eval lock_test_continue $lock2
-lock_test 3 [list \
+set lock3 [lock_test_start 5 [list \
[list permanent permanent] \
[list release released] \
- [list eof 0]]
+ [list wait ""] \
+ [list eof 0]]]
+eval lock_test_continue $lock3
-lock_test 4 [list \
+set lock4 [lock_test_start 4 [list \
[list release "Database not locked"] \
- [list eof 0]]
+ [list wait ""] \
+ [list eof 0]]]
+eval lock_test_continue $lock4
set lock5 [lock_test_start 5 [list \
[list shared shared] \
[list wait ""] \
[list eof 0]]]
-lock_test 5.1 [list \
+set lock5_1 [lock_test_start 5.1 [list \
[list shared shared] \
- [list eof 0]]
+ [list wait ""] \
+ [list eof 0]]]
+eval lock_test_continue $lock5_1
eval lock_test_continue $lock5
set lock6 [lock_test_start 6 [list \
[list exclusive exclusive] \
[list wait ""] \
[list eof 0]]]
-lock_test 6.1 [list \
+set lock6_1 [lock_test_start 6.1 [list \
[list shared "Cannot lock database"] \
- [list eof 0]]
+ [list wait ""] \
+ [list eof 0]]]
+eval lock_test_continue $lock6_1
eval lock_test_continue $lock6
set lock7 [lock_test_start 7 [list \
[list shared shared] \
[list wait ""] \
[list eof 0]]]
-lock_test 7.1 [list \
+set lock7_1 [lock_test_start 7.1 [list \
[list exclusive "Cannot lock database"] \
- [list eof 0]]
+ [list wait ""] \
+ [list eof 0]]]
+eval lock_test_continue $lock7_1
eval lock_test_continue $lock7
set lock8 [lock_test_start 8 [list \
[list permanent permanent] \
[list wait ""] \
[list release "released" ] \
+ [list wait ""] \
[list eof 0]]]
-lock_test 8.1 [list \
+set lock8_1 [lock_test_start 8.1 [list \
[list "" "administration database lock file missing while opening database" ] \
- [list eof 1]]
+ [list wait ""] \
+ [list eof 1]]]
+eval lock_test_continue $lock8_1
+eval set lock8 \[lock_test_continue $lock8\]
eval lock_test_continue $lock8
set lock9 [lock_test_start 9 [list \
@@ -198,13 +216,17 @@ set lock9 [lock_test_start 9 [list \
[list release released] \
[list wait ""] \
[list exclusive "database lock file missing while getting exclusive"] \
+ [list wait ""] \
[list eof 0]]]
set lock9_1 [lock_test_start 9.1 [list \
[list permanent permanent] \
[list wait ""] \
[list release released] \
+ [list wait ""] \
[list eof 0]]]
+eval set lock9 \[lock_test_continue $lock9\]
eval lock_test_continue $lock9
+eval set lock9_1 \[lock_test_continue $lock9_1\]
eval lock_test_continue $lock9_1
if {! [file exists $lockfile]} {
@@ -214,10 +236,12 @@ set lock10 [lock_test_start 10 [list \
[list permanent permanent] \
[list wait ""] \
[list release released] \
+ [list wait ""] \
[list eof 0]]]
if {[file exists $lockfile]} {
fail "test 10: lock file exists"
}
+eval set lock10 \[lock_test_continue $lock10\]
eval lock_test_continue $lock10
if {[file exists $lockfile]} {
pass "test 11: lock file exists"
@@ -229,15 +253,18 @@ set lock12 [lock_test_start 12 [list \
[list shared shared] \
[list wait ""] \
[list eof 0]]]
-lock_test 12.1 [list \
+set lock12_1 [lock_test_start 12.1 [list \
[list "get test-pol" retrieved] \
- [list eof 0]]
+ [list wait ""] \
+ [list eof 0]]]
+eval lock_test_continue $lock12_1
eval lock_test_continue $lock12
set lock13 [lock_test_start 13 [list \
[list "get lock13" "Principal or policy does not exist"] \
[list wait ""] \
[list "get lock13" retrieved] \
+ [list wait ""] \
[list eof 0]]]
set test13_spawn_id $spawn_id
# create_policy could call api_exit immediately when it starts up.
@@ -248,6 +275,7 @@ api_start
create_policy lock13
set api_spawn_id $spawn_id
set spawn_id $test13_spawn_id
+eval set lock13 \[lock_test_continue $lock13\]
eval lock_test_continue $lock13
set spawn_id $api_spawn_id
delete_policy lock13
diff --git a/src/lib/kadm5/unit-test/api.2/init-v2.exp b/src/lib/kadm5/unit-test/api.2/init-v2.exp
index 58fe1a8..0893009 100644
--- a/src/lib/kadm5/unit-test/api.2/init-v2.exp
+++ b/src/lib/kadm5/unit-test/api.2/init-v2.exp
@@ -532,10 +532,10 @@ proc test117 {} {
}
}
- if {$max_life == 36000} {
+ if {$max_life == 86400} {
pass "$test"
} else {
- fail "$test: max_life $max_life should be 36000"
+ fail "$test: max_life $max_life should be 86400"
}
if {! [cmd {kadm5_destroy $server_handle}]} {
diff --git a/src/lib/kadm5/unit-test/api.2/init.exp b/src/lib/kadm5/unit-test/api.2/init.exp
index a1a2bc5..335f6e0 100644
--- a/src/lib/kadm5/unit-test/api.2/init.exp
+++ b/src/lib/kadm5/unit-test/api.2/init.exp
@@ -80,7 +80,7 @@ proc test6 {} {
send "kadm5_init admin null \$KADM5_ADMIN_SERVICE null \$KADM5_STRUCT_VERSION \$KADM5_API_VERSION_2 server_handle\n"
expect {
- {Enter password:} { }
+ -re "assword\[^\r\n\]*:" { }
eof {
fail "$test: eof instead of password prompt"
api_exit
@@ -106,7 +106,7 @@ proc test7 {} {
send "kadm5_init admin \"\" \$KADM5_ADMIN_SERVICE null \$KADM5_STRUCT_VERSION \$KADM5_API_VERSION_2 server_handle\n"
expect {
- {Enter password:} { }
+ -re "assword\[^\r\n\]*:" { }
-re "key:$" { }
eof {
fail "$test: eof instead of password prompt"
diff --git a/src/lib/kdb/ChangeLog b/src/lib/kdb/ChangeLog
index d685be6..87f60aa 100644
--- a/src/lib/kdb/ChangeLog
+++ b/src/lib/kdb/ChangeLog
@@ -1,3 +1,31 @@
+2003-05-22 Ezra Peisach <epeisach@mit.edu>
+
+ * keytab.c (is_xrealm_tgt): Use strncmp instead of strcmp - as
+ principal and realm name do not need to be null terminated.
+
+2003-04-01 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in: Remove $(SHLIB_DBLIB_DEPS) and related variables.
+ (SHLIB_EXPDEPS): Remove $(SHLIB_DBLIB_DEPS).
+ (SHLIB_EXPLIBS): Change $(DB_LIB) to $(KDB5_DB_LIB).
+ (DBOBJLISTS, STOBJLISTS): Pull in object lists of in-tree libdb so
+ we don't need to install libdb. Don't do this if building with
+ system libdb, though, since we need to explicitly link against the
+ system libdb in that case.
+
+2003-03-18 Tom Yu <tlyu@mit.edu>
+
+ * keytab.c (krb5_ktkdb_get_entry): Do not perform the enctype
+ comparison if the requested enctype is a wildcard.
+
+2003-03-16 Sam Hartman <hartmans@mit.edu>
+
+ * keytab.c (krb5_ktkdb_get_entry): Match only against the first
+ enctype for non-cross-realm tickets so we will only accept
+ tickets that the current configuration would have issued. For
+ cross-realm tickets be liberal and match against the specified
+ enctype.
+
2003-03-05 Tom Yu <tlyu@mit.edu>
* kdb_xdr.c (krb5_dbe_search_enctype): Check for ktype > 0 rather
diff --git a/src/lib/kdb/Makefile.in b/src/lib/kdb/Makefile.in
index ea80b76..4ca36b0 100644
--- a/src/lib/kdb/Makefile.in
+++ b/src/lib/kdb/Makefile.in
@@ -12,17 +12,20 @@ LIBMAJOR=4
LIBMINOR=0
RELDIR=kdb
# Depends on libk5crypto and libkrb5
-SHLIB_DBLIB_DEPS = $(SHLIB_DBLIB-@DB_VERSION@)
-SHLIB_DBLIB-k5 = $(TOPLIBD)/libdb$(SHLIBEXT)
-SHLIB_DBLIB-sys =
SHLIB_EXPDEPS = \
$(TOPLIBD)/libk5crypto$(SHLIBEXT) \
- $(TOPLIBD)/libkrb5$(SHLIBEXT) $(SHLIB_DBLIB_DEPS)
-SHLIB_EXPLIBS=-lkrb5 -lcom_err -lk5crypto $(DB_LIB) $(LIBS)
+ $(TOPLIBD)/libkrb5$(SHLIBEXT)
+SHLIB_EXPLIBS=-lkrb5 -lcom_err -lk5crypto $(KDB5_DB_LIB) $(LIBS)
SHLIB_DIRS=-L$(TOPLIBD)
SHLIB_RDIRS=$(KRB5_LIBDIR)
+DBDIR = $(BUILDTOP)/util/db2
+DBOBJLISTS = $(DBOBJLISTS-@DB_VERSION@)
+DBOBJLISTS-sys =
+DBOBJLISTS-k5 = $(DBDIR)/hash/OBJS.ST $(DBDIR)/btree/OBJS.ST \
+ $(DBDIR)/db/OBJS.ST $(DBDIR)/mpool/OBJS.ST $(DBDIR)/recno/OBJS.ST \
+ $(DBDIR)/clib/OBJS.ST
all::
@@ -38,7 +41,7 @@ SRCS= \
$(srcdir)/setup_mkey.c \
$(srcdir)/store_mkey.c
-STOBJLISTS=OBJS.ST
+STOBJLISTS=OBJS.ST $(DBOBJLISTS)
STLIBOBJS= \
keytab.o \
encrypt_key.o \
@@ -77,53 +80,55 @@ clean::
#
keytab.so keytab.po $(OUTPRE)keytab.$(OBJEXT): keytab.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/krb5/kdb_kt.h
+ $(SRCTOP)/include/krb5/kdb_kt.h
encrypt_key.so encrypt_key.po $(OUTPRE)encrypt_key.$(OBJEXT): encrypt_key.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
decrypt_key.so decrypt_key.po $(OUTPRE)decrypt_key.$(OBJEXT): decrypt_key.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
kdb_cpw.so kdb_cpw.po $(OUTPRE)kdb_cpw.$(OBJEXT): kdb_cpw.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/krb5/adm.h
+ $(SRCTOP)/include/krb5/adm.h
kdb_db2.so kdb_db2.po $(OUTPRE)kdb_db2.$(OBJEXT): kdb_db2.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(DB_DEPS) kdb_compat.h \
- kdb_db2.h
+ $(DB_DEPS) kdb_compat.h kdb_db2.h
kdb_xdr.so kdb_xdr.po $(OUTPRE)kdb_xdr.$(OBJEXT): kdb_xdr.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
verify_mky.so verify_mky.po $(OUTPRE)verify_mky.$(OBJEXT): verify_mky.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
fetch_mkey.so fetch_mkey.po $(OUTPRE)fetch_mkey.$(OBJEXT): fetch_mkey.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
setup_mkey.so setup_mkey.po $(OUTPRE)setup_mkey.$(OBJEXT): setup_mkey.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
store_mkey.so store_mkey.po $(OUTPRE)store_mkey.$(OBJEXT): store_mkey.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
diff --git a/src/lib/kdb/keytab.c b/src/lib/kdb/keytab.c
index 6ec375a..5db382c 100644
--- a/src/lib/kdb/keytab.c
+++ b/src/lib/kdb/keytab.c
@@ -24,10 +24,14 @@
* or implied warranty.
*
*/
+#include <string.h>
#include "k5-int.h"
#include "kdb_kt.h"
+static int
+is_xrealm_tgt(krb5_context, krb5_const_principal);
+
krb5_error_code krb5_ktkdb_close (krb5_context, krb5_keytab);
krb5_error_code krb5_ktkdb_get_entry (krb5_context, krb5_keytab, krb5_const_principal,
@@ -116,6 +120,8 @@ krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry)
krb5_db_entry db_entry;
krb5_boolean more = 0;
int n = 0;
+ int xrealm_tgt = is_xrealm_tgt(context, principal);
+ int similar;
if (ktkdb_ctx)
context = ktkdb_ctx;
@@ -150,16 +156,33 @@ krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry)
if (kerror)
goto error;
+ /* For cross realm tgts, we match whatever enctype is provided;
+ * for other principals, we only match the first enctype that is
+ * found. Since the TGS and AS code do the same thing, then we
+ * will only successfully decrypt tickets we have issued.*/
kerror = krb5_dbe_find_enctype(context, &db_entry,
- enctype, -1, kvno, &key_data);
+ xrealm_tgt?enctype:-1,
+ -1, kvno, &key_data);
if (kerror)
goto error;
+
kerror = krb5_dbekd_decrypt_key_data(context, master_key,
key_data, &entry->key, NULL);
if (kerror)
goto error;
+ if (enctype > 0) {
+ kerror = krb5_c_enctype_compare(context, enctype,
+ entry->key.enctype, &similar);
+ if (kerror)
+ goto error;
+
+ if (!similar) {
+ kerror = KRB5_KDB_NO_PERMITTED_KEY;
+ goto error;
+ }
+ }
/*
* Coerce the enctype of the output keyblock in case we got an
* inexact match on the enctype.
@@ -176,3 +199,27 @@ krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry)
krb5_db_close_database(context);
return(kerror);
}
+
+/*
+ * is_xrealm_tgt: Returns true if the principal is a cross-realm TGT
+ * principal-- a principal with first component krbtgt and second
+ * component not equal to realm.
+ */
+static int
+is_xrealm_tgt(krb5_context context, krb5_const_principal princ)
+{
+ krb5_data *dat;
+ if (krb5_princ_size(context, princ) != 2)
+ return 0;
+ dat = krb5_princ_component(context, princ, 0);
+ if (strncmp("krbtgt", dat->data, dat->length) != 0)
+ return 0;
+ dat = krb5_princ_component(context, princ, 1);
+ if (dat->length != princ->realm.length)
+ return 1;
+ if (strncmp(dat->data, princ->realm.data, dat->length) == 0)
+ return 0;
+ return 1;
+
+}
+
diff --git a/src/lib/krb4/ChangeLog b/src/lib/krb4/ChangeLog
index 9c53ca1..0842831 100644
--- a/src/lib/krb4/ChangeLog
+++ b/src/lib/krb4/ChangeLog
@@ -1,3 +1,132 @@
+2003-08-15 Alexandra Ellwood <lxs@mit.edu>
+
+ * mk_auth.c: krb_check_auth clears the return value for the
+ schedule parameter with a memset. This prevents callers
+ from using the key schedule, which breaks code.
+
+2003-08-06 Alexandra Ellwood <lxs@mit.edu>
+
+ * configure.in: Don't assume all darwin boxes are powerpc.
+ (eg: OpenDarwin/x86).
+
+2003-07-11 Alexandra Ellwood <lxs@mit.edu>
+
+ * RealmsConfig-glue.c: Check for NULL realm argument and n
+ not equal to 1. Fill in realm with an empty string on error
+ in case the caller doesn't check the return value.
+
+2003-07-11 Alexandra Ellwood <lxs@mit.edu>
+
+ * RealmsConfig-glue.c: Don't fail when krb5.conf is valid
+ and krb.conf isn't. Also, don't assert v4 realm is in profile
+ unless that realm is a valid v4 realm.
+
+2003-07-07 Alexandra Ellwood <lxs@mit.edu>
+
+ * RealmsConfig-glue.c: krb_prof_get_nth() no longer assumes that
+ its retlen argument is correct (call strcpy instead of strncpy)
+ because this argument is a guess for some callers
+ (eg: krb_get_admhst())
+
+2003-06-11 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in (KRB_ERR_C): New variable; Darwin needs err_txt.o to
+ have a dependency on krb_err.c so that krb_err.c will be generated
+ first.
+
+ * configure.in: Set KRB_ERR_C to krb_err.c on Darwin.
+
+2003-06-09 Ken Raeburn <raeburn@mit.edu>
+
+ * RealmsConfig-glue.c (krb_get_krbhst): Don't fall back to DNS if
+ entries were found in krb.conf, and just not enough to fill the
+ request.
+
+2003-06-06 Ken Raeburn <raeburn@mit.edu>
+
+ * RealmsConfig-glue.c: Include k5-int.h.
+ (dnscache): New variable.
+ (DNS_CACHE_TIMEOUT): New macro.
+ (krb_get_krbhst) [KRB5_DNS_LOOKUP]: If no krb.conf info is found,
+ try DNS SRV records for "kerberos-iv". Cache results in case
+ they're immediately requested again.
+
+2003-06-06 Tom Yu <tlyu@mit.edu>
+
+ * g_cnffile.c (krb__get_srvtabname): Make retname be a static
+ array rather than a static pointer, to avoid callers' possible
+ retention of free()d pointers. Yes, this may cause difficulty
+ with making this function thread-safe.
+
+2003-06-04 Tom Yu <tlyu@mit.edu>
+
+ * password_to_key.c (mit_passwd_to_key, afs_passwd_to_key): Delete
+ spurious space from prompt.
+
+2003-06-03 Ken Raeburn <raeburn@mit.edu>
+
+ * RealmsConfig-glue.c (get_krbhst_default): Deleted.
+ (krb_get_krbhst): Don't call it.
+
+2003-06-03 Sam Hartman <hartmans@mit.edu>
+
+ * g_pw_in_tkt.c (passwd_to_key): Fix password prompt
+
+ * password_to_key.c (mit_passwd_to_key): Fix password prompt
+ (afs_passwd_to_key): Fix password prompt
+
+ * g_in_tkt.c (krb_get_in_tkt_preauth_creds): Keep copy of
+ ciphertext while trying different keyprocs
+
+2003-06-02 Tom Yu <tlyu@mit.edu>
+
+ * change_password.c (krb_change_password): Explicitly zero the
+ session key. Zero the key derived from the new password.
+
+ * mk_req.c (krb_mk_req): Explicitly zero the session key.
+ (krb_mk_req_creds_prealm): Don't zero the session key, in case the
+ caller wants to make use of it.
+
+2003-05-24 Ken Raeburn <raeburn@mit.edu>
+
+ * lifetime.c (krb_life_to_time, krb_time_to_life): Rewrite to use
+ support functions in the krb5 library via krb5int_accessor. Moved
+ old implementation into krb5 library.
+
+2003-05-12 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in: Add setting of KRB_ERR on Windows.
+
+2003-05-11 Sam Hartman <hartmans@mit.edu>
+
+ * Makefile.in: Build krb_err.c when appropriate.
+
+ * configure.in: Set KRB_ERR to be the object file generated by
+ krb_err.c on non-Darwin
+
+ * err_txt.c : Don't include krb_err.c on non-Darwin UNIX. Doing
+ so may break with some compile_et implementations. Also not
+ included on Windows.
+
+2003-05-01 Alexandra Ellwood <lxs@mit.edu>
+ ÊÊ
+ * kadm_stream.c: Fixed vts_long() and vts_short() so they return a
+ pointer to the beginning of the memory they allocate and place
+ their data at the end of the buffer which was passed in.
+
+2003-04-15 Alexandra Ellwood <lxs@mit.edu>
+ ÊÊ
+ * g_ad_tkt.c: accidentally checked a non-space character into
+ the USE_LOGIN_LIBRARY part of get_ad_tkt so it doesn't build
+ on the Mac. Oops.
+
+2003-04-14 Alexandra Ellwood <lxs@mit.edu>
+ ÊÊ
+ * g_ad_tkt.c: Added support for login library to get_ad_tkt.
+ Support is copied from Mac Kerberos4 library and conditionalized
+ for USE_LOGIN_LIBRARY to avoid changing get_ad_tkt's behavior for
+ non-Kerberos Login Library builds.
+
2003-03-06 Alexandra Ellwood <lxs@mit.edu>
* CCache-glue.c: Added prototypes for deprecated functions.
diff --git a/src/lib/krb4/Makefile.in b/src/lib/krb4/Makefile.in
index 0a8ecff..572a3ad 100644
--- a/src/lib/krb4/Makefile.in
+++ b/src/lib/krb4/Makefile.in
@@ -29,6 +29,12 @@ SHLIB_DIRS=-L$(TOPLIBD)
SHLIB_RDIRS=$(KRB5_LIBDIR)
EHDRDIR=$(BUILDTOP)$(S)include$(S)kerberosIV
+KRB_ERR=@KRB_ERR@
+##DOS##KRB_ERR=$(OUTPRE)krb_err.$(OBJEXT)
+
+# Name of generated krb_err.c, needed for err_txt.* dependency on Darwin.
+KRB_ERR_C=@KRB_ERR_C@
+##DOS##KRB_ERR_C=
OBJS = \
$(OUTPRE)change_password.$(OBJEXT) \
@@ -72,7 +78,7 @@ OBJS = \
$(OUTPRE)rd_preauth.$(OBJEXT) \
$(OUTPRE)mk_preauth.$(OBJEXT) \
$(OSOBJS) $(CACHEOBJS) $(SETENVOBJS) $(STRCASEOBJS) $(SHMOBJS) \
- $(LIB_KRB_HOSTOBJS) $(SERVER_KRB_OBJS) $(NETIO_OBJS) $(REALMDBOBJS)
+ $(LIB_KRB_HOSTOBJS) $(SERVER_KRB_OBJS) $(NETIO_OBJS) $(REALMDBOBJS) $(KRB_ERR)
SRCS = \
change_password.c \
@@ -217,7 +223,7 @@ krb_err_txt.c: krb_err.et $(srcdir)$(S)et_errtxt.awk
# Will be empty on Darwin, krb_err_txt.c elsewhere.
KRB_ERR_TXT=@KRB_ERR_TXT@
##DOS##KRB_ERR_TXT=krb_err_txt.c
-err_txt.so err_txt.po $(OUTPRE)err_txt.$(OBJEXT): err_txt.c $(KRB_ERR_TXT)
+err_txt.so err_txt.po $(OUTPRE)err_txt.$(OBJEXT): err_txt.c $(KRB_ERR_C) $(KRB_ERR_TXT)
depend-dependencies: krb_err.h $(EHDRDIR)$(S)krb_err.h \
kadm_err.h $(EHDRDIR)$(S)kadm_err.h \
@@ -335,11 +341,14 @@ kname_parse.so kname_parse.po $(OUTPRE)kname_parse.$(OBJEXT): kname_parse.c $(SR
err_txt.so err_txt.po $(OUTPRE)err_txt.$(OBJEXT): err_txt.c $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
$(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h krb4int.h \
- $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \
- krb_err.c
+ $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h
lifetime.so lifetime.po $(OUTPRE)lifetime.$(OBJEXT): lifetime.c $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
- $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/k5-int.h \
+ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
g_in_tkt.so g_in_tkt.po $(OUTPRE)g_in_tkt.$(OBJEXT): g_in_tkt.c $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
$(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h krb4int.h \
@@ -409,9 +418,10 @@ send_to_kdc.so send_to_kdc.po $(OUTPRE)send_to_kdc.$(OBJEXT): send_to_kdc.c $(SR
$(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/krbports.h \
$(SRCTOP)/include/kerberosIV/prot.h $(BUILDTOP)/include/krb5/autoconf.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/fake-addrinfo.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-int.h \
- $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/kdb.h krb4int.h
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-platform.h \
+ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
+ $(BUILDTOP)/include/krb5.h $(SRCTOP)/include/krb5/kdb.h \
+ krb4int.h
stime.so stime.po $(OUTPRE)stime.$(OBJEXT): stime.c $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
$(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h krb4int.h \
@@ -434,9 +444,9 @@ tf_util.so tf_util.po $(OUTPRE)tf_util.$(OBJEXT): tf_util.c $(SRCTOP)/include/ke
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
$(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- krb4int.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h krb4int.h
dest_tkt.so dest_tkt.po $(OUTPRE)dest_tkt.$(OBJEXT): dest_tkt.c $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
$(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/k5-util.h \
@@ -489,9 +499,9 @@ rd_svc_key.so rd_svc_key.po $(OUTPRE)rd_svc_key.$(OBJEXT): rd_svc_key.c $(SRCTOP
$(KRB_ERR_H_DEP) $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
krb4int.h $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/krb54proto.h \
- $(SRCTOP)/include/kerberosIV/prot.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
+ $(SRCTOP)/include/krb54proto.h $(SRCTOP)/include/kerberosIV/prot.h
cr_err_repl.so cr_err_repl.po $(OUTPRE)cr_err_repl.$(OBJEXT): cr_err_repl.c $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
$(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h
@@ -538,12 +548,14 @@ g_cnffile.so g_cnffile.po $(OUTPRE)g_cnffile.$(OBJEXT): g_cnffile.c $(SRCTOP)/in
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
$(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- krb4int.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h krb4int.h
RealmsConfig-glue.so RealmsConfig-glue.po $(OUTPRE)RealmsConfig-glue.$(OBJEXT): RealmsConfig-glue.c \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
krb4int.h $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h
+ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
diff --git a/src/lib/krb4/RealmsConfig-glue.c b/src/lib/krb4/RealmsConfig-glue.c
index 52437ee..0635284 100644
--- a/src/lib/krb4/RealmsConfig-glue.c
+++ b/src/lib/krb4/RealmsConfig-glue.c
@@ -37,6 +37,7 @@
#include "profile.h"
#include "krb.h"
#include "krb4int.h"
+#include "k5-int.h" /* for accessor, addrlist stuff */
#include "port-sockets.h"
#define KRB5_PRIVATE 1
@@ -142,10 +143,11 @@ krb_prof_get_nth(
}
if (result == KSUCCESS) {
/* Return error rather than truncating. */
+ /* Don't strncpy because retlen is a guess for some callers */
if (strlen(value) >= retlen)
result = KFAILURE;
else
- strncpy(ret, value, retlen);
+ strcpy(ret, value);
}
cleanup:
if (name != NULL)
@@ -188,76 +190,112 @@ krb_get_lrealm(
char *realm,
int n)
{
- long profErr = 0;
- char *realmString = NULL;
- char *realmStringV4 = NULL;
- profile_t profile = NULL;
- int result;
- FILE *cnffile = NULL;
- char scratch[SCRATCHSZ];
-
- if (n != 1 || realm == NULL)
- return KFAILURE;
+ int result = KSUCCESS;
+ profile_t profile = NULL;
+ char *profileDefaultRealm = NULL;
+ char **profileV4Realms = NULL;
+ int profileHasDefaultRealm = 0;
+ int profileDefaultRealmIsV4RealmInProfile = 0;
+ char krbConfLocalRealm[REALM_SZ];
+ int krbConfHasLocalRealm = 0;
- result = KFAILURE; /* Start out with failure. */
-
- profErr = krb_get_profile(&profile);
- if (profErr)
- goto cleanup;
+ if ((realm == NULL) || (n != 1)) { result = KFAILURE; }
- profErr = profile_get_string(profile, REALMS_V4_PROF_LIBDEFAULTS_SECTION,
- REALMS_V4_DEFAULT_REALM, NULL, NULL,
- &realmString);
- if (profErr || realmString == NULL)
- goto cleanup;
+ if (result == KSUCCESS) {
+ /* Some callers don't check the return value so we initialize
+ * to an empty string in case it never gets filled in. */
+ realm [0] = '\0';
+ }
+
+ if (result == KSUCCESS) {
+ int profileErr = krb_get_profile (&profile);
+
+ if (!profileErr) {
+ /* Get the default realm from the profile */
+ profileErr = profile_get_string(profile, REALMS_V4_PROF_LIBDEFAULTS_SECTION,
+ REALMS_V4_DEFAULT_REALM, NULL, NULL,
+ &profileDefaultRealm);
+ if (profileDefaultRealm == NULL) { profileErr = KFAILURE; }
+ }
+
+ if (!profileErr) {
+ /* If there is an equivalent v4 realm to the default realm, use that instead */
+ char *profileV4EquivalentRealm = NULL;
+
+ if (profile_get_string (profile, "realms", profileDefaultRealm, "v4_realm", NULL,
+ &profileV4EquivalentRealm) == 0 &&
+ profileV4EquivalentRealm != NULL) {
+
+ profile_release_string (profileDefaultRealm);
+ profileDefaultRealm = profileV4EquivalentRealm;
+ }
+ }
+
+ if (!profileErr) {
+ if (strlen (profileDefaultRealm) < REALM_SZ) {
+ profileHasDefaultRealm = 1; /* a reasonable default realm */
+ } else {
+ profileErr = KFAILURE;
+ }
+ }
+
+ if (!profileErr) {
+ /* Walk through the v4 realms list looking for the default realm */
+ const char *profileV4RealmsList[] = { REALMS_V4_PROF_REALMS_SECTION, NULL };
+
+ if (profile_get_subsection_names (profile, profileV4RealmsList,
+ &profileV4Realms) == 0 &&
+ profileV4Realms != NULL) {
+
+ char **profileRealm;
+ for (profileRealm = profileV4Realms; *profileRealm != NULL; profileRealm++) {
+ if (strcmp (*profileRealm, profileDefaultRealm) == 0) {
+ /* default realm is a v4 realm */
+ profileDefaultRealmIsV4RealmInProfile = 1;
+ break;
+ }
+ }
+ }
+ }
+ }
+
+ if (result == KSUCCESS) {
+ /* Try to get old-style config file lookup for fallback. */
+ FILE *cnffile = NULL;
+ char scratch[SCRATCHSZ];
+
+ cnffile = krb__get_cnffile();
+ if (cnffile != NULL) {
+ if (fscanf(cnffile, SCNSCRATCH, scratch) == 1) {
+ if (strlen(scratch) < REALM_SZ) {
+ strncpy(krbConfLocalRealm, scratch, REALM_SZ);
+ krbConfHasLocalRealm = 1;
+ }
+ }
+ fclose(cnffile);
+ }
+ }
- if (strlen(realmString) >= REALM_SZ)
- goto cleanup;
- strncpy(realm, realmString, REALM_SZ);
- /*
- * Step 2: the default realm is actually v5 realm, so we have to
- * check for the case where v4 and v5 realms are different.
- */
- profErr = profile_get_string(profile, "realms", realm, "v4_realm",
- NULL, &realmStringV4);
- if (profErr || realmStringV4 == NULL)
- goto cleanup;
+ if (result == KSUCCESS) {
+ /*
+ * We want to favor the profile value over the krb.conf value
+ * but not stop suppporting its use with a v5-only profile.
+ * So we only use the krb.conf realm when the default profile
+ * realm doesn't exist in the v4 realm section of the profile.
+ */
+ if (krbConfHasLocalRealm && !profileDefaultRealmIsV4RealmInProfile) {
+ strncpy (realm, krbConfLocalRealm, REALM_SZ);
+ } else if (profileHasDefaultRealm) {
+ strncpy (realm, profileDefaultRealm, REALM_SZ);
+ } else {
+ result = KFAILURE; /* No default realm */
+ }
+ }
- if (strlen(realmStringV4) >= REALM_SZ)
- goto cleanup;
- strncpy(realm, realmStringV4, REALM_SZ);
- result = KSUCCESS;
-cleanup:
- if (realmString != NULL)
- profile_release_string(realmString);
- if (realmStringV4 != NULL)
- profile_release_string(realmStringV4);
- if (profile != NULL)
- profile_abandon(profile);
+ if (profileDefaultRealm != NULL) { profile_release_string (profileDefaultRealm); }
+ if (profileV4Realms != NULL) { profile_free_list (profileV4Realms); }
+ if (profile != NULL) { profile_abandon (profile); }
- if (result == KSUCCESS)
- return result;
- /*
- * Do old-style config file lookup.
- */
- do {
- cnffile = krb__get_cnffile();
- if (cnffile == NULL)
- break;
- if (fscanf(cnffile, SCNSCRATCH, scratch) == 1) {
- if (strlen(scratch) >= REALM_SZ)
- result = KFAILURE;
- else {
- strncpy(realm, scratch, REALM_SZ);
- result = KSUCCESS;
- }
- }
- fclose(cnffile);
- } while (0);
- if (result == KFAILURE && strlen(KRB_REALM) < REALM_SZ) {
- strncpy(realm, KRB_REALM, REALM_SZ);
- result = KSUCCESS;
- }
return result;
}
@@ -359,23 +397,6 @@ krb_get_kpasswdhst(
REALMS_V4_PROF_KPASSWD_KDC);
}
-static int
-get_krbhst_default(h, r, n)
- char *h;
- char *r;
- int n;
-{
- if (n != 1)
- return KFAILURE;
- if (strlen(KRB_HOST) + 1 + strlen(r) >= MAXHOSTNAMELEN)
- return KFAILURE;
- /* KRB_HOST.REALM (ie. kerberos.CYGNUS.COM) */
- strcpy(h, KRB_HOST);
- strcat(h, ".");
- strcat(h, r);
- return KSUCCESS;
-}
-
/*
* Realm, index -> KDC mapping
*
@@ -411,6 +432,15 @@ get_krbhst_default(h, r, n)
* kerberos. In the long run, this functionality will be provided by a
* nameserver.
*/
+#ifdef KRB5_DNS_LOOKUP
+static struct {
+ time_t when;
+ char realm[REALM_SZ+1];
+ struct srv_dns_entry *srv;
+} dnscache = { 0, { 0 }, 0 };
+#define DNS_CACHE_TIMEOUT 60 /* seconds */
+#endif
+
int KRB5_CALLCONV
krb_get_krbhst(
char *host,
@@ -423,10 +453,36 @@ krb_get_krbhst(
char linebuf[BUFSIZ];
char tr[SCRATCHSZ];
char scratch[SCRATCHSZ];
+#ifdef KRB5_DNS_LOOKUP
+ time_t now;
+#endif
if (n < 1 || host == NULL || realm == NULL)
return KFAILURE;
+#ifdef KRB5_DNS_LOOKUP
+ /* We'll only have this realm's info in the DNS cache if there is
+ no data in the local config files.
+
+ XXX The files could've been updated in the last few seconds.
+ Do we care? */
+ if (!strncmp(dnscache.realm, realm, REALM_SZ)
+ && (time(&now), abs(dnscache.when - now) < DNS_CACHE_TIMEOUT)) {
+ struct srv_dns_entry *entry;
+
+ get_from_dnscache:
+ /* n starts at 1, addrs indices run 0..naddrs */
+ for (i = 1, entry = dnscache.srv; i < n && entry; i++)
+ entry = entry->next;
+ if (entry == NULL)
+ return KFAILURE;
+ if (strlen(entry->host) + 6 >= MAXHOSTNAMELEN)
+ return KFAILURE;
+ sprintf(host, "%s:%d", entry->host, entry->port);
+ return KSUCCESS;
+ }
+#endif
+
result = krb_prof_get_nth(host, MAXHOSTNAMELEN, realm, n,
REALMS_V4_PROF_REALMS_SECTION,
REALMS_V4_PROF_KDC);
@@ -461,14 +517,43 @@ krb_get_krbhst(
i++;
}
fclose(cnffile);
- if (result == KSUCCESS && strlen(scratch) < MAXHOSTNAMELEN)
+ if (result == KSUCCESS && strlen(scratch) < MAXHOSTNAMELEN) {
strcpy(host, scratch);
- else
- result = KFAILURE;
+ return KSUCCESS;
+ }
+ if (i > 0)
+ /* Found some, but not as many as requested. */
+ return KFAILURE;
} while (0);
- if (result == KFAILURE)
- result = get_krbhst_default(host, realm, n);
- return result;
+#ifdef KRB5_DNS_LOOKUP
+ do {
+ krb5int_access k5;
+ krb5_error_code err;
+ krb5_data realmdat;
+ struct srv_dns_entry *srv;
+
+ err = krb5int_accessor(&k5, KRB5INT_ACCESS_VERSION);
+ if (err)
+ break;
+
+ realmdat.data = realm;
+ realmdat.length = strlen(realm);
+ err = k5.make_srv_query_realm(&realmdat, "_kerberos-iv", "_udp", &srv);
+ if (err)
+ break;
+
+ if (srv == 0)
+ break;
+
+ if (dnscache.srv)
+ k5.free_srv_dns_data(dnscache.srv);
+ dnscache.srv = srv;
+ strncpy(dnscache.realm, realm, REALM_SZ);
+ dnscache.when = now;
+ goto get_from_dnscache;
+ } while (0);
+#endif
+ return KFAILURE;
}
/*
diff --git a/src/lib/krb4/change_password.c b/src/lib/krb4/change_password.c
index a6e4d7b..7c3bcd0 100644
--- a/src/lib/krb4/change_password.c
+++ b/src/lib/krb4/change_password.c
@@ -100,6 +100,7 @@ krb_change_password(char *principal, char *instance, char *realm,
p = key;
KRB4_GET32BE(tempKey, p);
sendSize += vts_long(tempKey, &sendStream, (int)sendSize);
+ tempKey = 0;
if (newPassword) {
sendSize += vts_string(newPassword, &sendStream, (int)sendSize);
@@ -120,5 +121,7 @@ disconnect:
kadm_cli_disconn(&client_parm);
cleanup:
+ memset(&client_parm.creds.session, 0, sizeof(client_parm.creds.session));
+ memset(&key, 0, sizeof(key));
return err;
}
diff --git a/src/lib/krb4/configure.in b/src/lib/krb4/configure.in
index 87aeebc..d428656 100644
--- a/src/lib/krb4/configure.in
+++ b/src/lib/krb4/configure.in
@@ -3,14 +3,20 @@ CONFIG_RULES
AC_TYPE_MODE_T
AC_TYPE_UID_T
case $krb5_cv_host in
- powerpc-apple-darwin*)
+ *-apple-darwin*)
KRB_ERR_TXT=
+ KRB_ERR=
+ KRB_ERR_C=krb_err.c
;;
*)
+ KRB_ERR='$(OUTPRE)krb_err.$(OBJEXT)'
KRB_ERR_TXT=krb_err_txt.c
+ KRB_ERR_C=
;;
esac
AC_SUBST([KRB_ERR_TXT])
+AC_SUBST([KRB_ERR])
+AC_SUBST([KRB_ERR_C])
AC_PROG_AWK
KRB5_BUILD_LIBOBJS
KRB5_BUILD_LIBRARY_WITH_DEPS
diff --git a/src/lib/krb4/err_txt.c b/src/lib/krb4/err_txt.c
index 9d942a0..a7a290c 100644
--- a/src/lib/krb4/err_txt.c
+++ b/src/lib/krb4/err_txt.c
@@ -31,17 +31,14 @@
* This is gross. We want krb_err_txt to match the contents of the
* com_err error table, but the text is static in krb_err.c. We can't
* alias it by making a pointer to it, either, so we have to suck in
- * another copy of it that is named differently. Also, to avoid
- * multiple registrations of the error table, we want to override
- * initialize_krb_error_table() in case someone decides to call it.
- */
+ * another copy of it that is named differently. */
+#if TARGET_OS_MAC
#undef initialize_krb_error_table
#define initialize_krb_error_table krb4int_init_krb_err_tbl
void krb4int_init_krb_err_tbl(void);
#include "krb_err.c"
#undef initialize_krb_error_table
-#if TARGET_OS_MAC
/*
* Depends on the name of the static table generated by compile_et,
* but since this is only on Darwin, where we will always use a
@@ -69,12 +66,6 @@ krb4int_et_init(void)
}
void
-initialize_krb_error_table(void)
-{
- krb4int_et_init();
-}
-
-void
krb4int_et_fini(void)
{
if (inited)
diff --git a/src/lib/krb4/g_ad_tkt.c b/src/lib/krb4/g_ad_tkt.c
index daae751..353fdce 100644
--- a/src/lib/krb4/g_ad_tkt.c
+++ b/src/lib/krb4/g_ad_tkt.c
@@ -256,6 +256,15 @@ get_ad_tkt(service, sinstance, realm, lifetime)
size_t snamelen, sinstlen;
kerror = krb_get_tf_realm(TKT_FILE, lrealm);
+#if USE_LOGIN_LIBRARY
+ if (kerror == GC_NOTKT) {
+ /* No tickets... call krb_get_cred (KLL will prompt) and try again. */
+ if ((kerror = krb_get_cred ("krbtgt", realm, realm, &cr)) == KSUCCESS) {
+ /* Now get the realm again. */
+ kerror = krb_get_tf_realm (TKT_FILE, lrealm);
+ }
+ }
+#endif
if (kerror != KSUCCESS)
return kerror;
diff --git a/src/lib/krb4/g_cnffile.c b/src/lib/krb4/g_cnffile.c
index 8d61f50..dd5ed5c 100644
--- a/src/lib/krb4/g_cnffile.c
+++ b/src/lib/krb4/g_cnffile.c
@@ -56,7 +56,7 @@ krb__get_srvtabname(default_srvtabname)
const char* names[3];
char **full_name = 0, **cpp;
krb5_error_code retval;
- static char *retname;
+ static char retname[MAXPATHLEN];
if (!krb5__krb4_context)
krb5_init_context(&krb5__krb4_context);
@@ -67,18 +67,16 @@ krb__get_srvtabname(default_srvtabname)
retval = profile_get_values(krb5__krb4_context->profile, names,
&full_name);
if (retval == 0 && full_name && full_name[0]) {
- if (retname != NULL)
- free(retname);
- retname = strdup(full_name[0]);
+ retname[0] = '\0';
+ strncat(retname, full_name[0], sizeof(retname));
for (cpp = full_name; *cpp; cpp++)
krb5_xfree(*cpp);
krb5_xfree(full_name);
return retname;
}
}
- if (retname != NULL)
- free(retname);
- retname = strdup(default_srvtabname);
+ retname[0] = '\0';
+ strncat(retname, default_srvtabname, sizeof(retname));
return retname;
}
diff --git a/src/lib/krb4/g_in_tkt.c b/src/lib/krb4/g_in_tkt.c
index 4d5286a..58a91b0 100644
--- a/src/lib/krb4/g_in_tkt.c
+++ b/src/lib/krb4/g_in_tkt.c
@@ -424,6 +424,9 @@ krb_get_in_tkt_preauth_creds(user, instance, realm, service, sinstance, life,
/* Attempt to decrypt the reply. Loop trying password_to_key algorithms
until we succeed or we get an error other than "bad password" */
do {
+ KTEXT_ST cip_copy_st;
+ memcpy(&cip_copy_st, &cip_st, sizeof(cip_st));
+ cip = &cip_copy_st;
if (decrypt_proc == NULL) {
decrypt_tkt (user, instance, realm, arg, keyprocs[i], &cip);
} else {
@@ -432,6 +435,7 @@ krb_get_in_tkt_preauth_creds(user, instance, realm, service, sinstance, life,
kerror = krb_parse_in_tkt_creds(user, instance, realm,
service, sinstance, life, cip, byteorder, creds);
} while ((keyprocs [++i] != NULL) && (kerror == INTK_BADPW));
+ cip = &cip_st;
/* Fill in the local address if the caller wants it */
if (laddrp != NULL) {
diff --git a/src/lib/krb4/g_pw_in_tkt.c b/src/lib/krb4/g_pw_in_tkt.c
index 494a059..d687818 100644
--- a/src/lib/krb4/g_pw_in_tkt.c
+++ b/src/lib/krb4/g_pw_in_tkt.c
@@ -79,7 +79,7 @@ passwd_to_key(user,instance,realm,passwd,key)
if (passwd)
string_to_key(passwd, key);
else {
- des_read_password((des_cblock *)key, "Password: ", 0);
+ des_read_password((des_cblock *)key, "Password", 0);
}
#endif /* NOENCRYPTION */
#endif /* unix */
diff --git a/src/lib/krb4/kadm_stream.c b/src/lib/krb4/kadm_stream.c
index 3a9861e..dc9fef1 100644
--- a/src/lib/krb4/kadm_stream.c
+++ b/src/lib/krb4/kadm_stream.c
@@ -129,8 +129,11 @@ vts_short(KRB_UINT32 dat, u_char **st, int loc)
if (p == NULL)
return -1;
+ *st = p; /* KRB4_PUT32BE will modify p */
+
+ p += loc; /* place bytes at the end */
KRB4_PUT16BE(p, dat);
- *st = p;
+
return 2;
}
@@ -145,8 +148,11 @@ vts_long(KRB_UINT32 dat, u_char **st, int loc)
if (p == NULL)
return -1;
+ *st = p; /* KRB4_PUT32BE will modify p */
+
+ p += loc; /* place bytes at the end */
KRB4_PUT32BE(p, dat);
- *st = p;
+
return 4;
}
diff --git a/src/lib/krb4/lifetime.c b/src/lib/krb4/lifetime.c
index b43ed45..826e090 100644
--- a/src/lib/krb4/lifetime.c
+++ b/src/lib/krb4/lifetime.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2000, 2001 by the Massachusetts Institute of Technology.
+ * Copyright 2000, 2001, 2003 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -24,72 +24,7 @@
*/
#include "krb.h"
-
-/*
- * Only lifetime bytes values less than 128 are on a linear scale.
- * The following table contains an exponential scale that covers the
- * lifetime values 128 to 191 inclusive (a total of 64 values).
- * Values greater than 191 get interpreted the same as 191, but they
- * will never be generated by the functions in this file.
- *
- * The ratio is approximately 1.069144898 (actually exactly
- * exp(log(67.5)/63), where 67.5 = 2592000/38400, and 259200 = 30
- * days, and 38400 = 128*5 minutes. This allows a lifetime byte of
- * 191 to correspond to a ticket life of exactly 30 days and a
- * lifetime byte of 128 to correspond to exactly 128*5 minutes, with
- * the other values spread on an exponential curve fit in between
- * them. This table should correspond exactly to the set of extended
- * ticket lifetime values used by AFS and CMU.
- *
- * The following awk script is sufficient to reproduce the table:
- * BEGIN {
- * r = exp(log(2592000/38400)/63);
- * x = 38400;
- * for (i=0;i<64;i++) {
- * printf("%d\n",x+0.5);
- * x *= r;
- * }
- * }
- */
-#ifndef SHORT_LIFETIME
-#define NLIFETIMES 64
-static const KRB4_32 lifetimes[NLIFETIMES] = {
- 38400, 41055, /* 00:10:40:00, 00:11:24:15 */
- 43894, 46929, /* 00:12:11:34, 00:13:02:09 */
- 50174, 53643, /* 00:13:56:14, 00:14:54:03 */
- 57352, 61318, /* 00:15:55:52, 00:17:01:58 */
- 65558, 70091, /* 00:18:12:38, 00:19:28:11 */
- 74937, 80119, /* 00:20:48:57, 00:22:15:19 */
- 85658, 91581, /* 00:23:47:38, 01:01:26:21 */
- 97914, 104684, /* 01:03:11:54, 01:05:04:44 */
- 111922, 119661, /* 01:07:05:22, 01:09:14:21 */
- 127935, 136781, /* 01:11:32:15, 01:13:59:41 */
- 146239, 156350, /* 01:16:37:19, 01:19:25:50 */
- 167161, 178720, /* 01:22:26:01, 02:01:38:40 */
- 191077, 204289, /* 02:05:04:37, 02:08:44:49 */
- 218415, 233517, /* 02:12:40:15, 02:16:51:57 */
- 249664, 266926, /* 02:21:21:04, 03:02:08:46 */
- 285383, 305116, /* 03:07:16:23, 03:12:45:16 */
- 326213, 348769, /* 03:18:36:53, 04:00:52:49 */
- 372885, 398668, /* 04:07:34:45, 04:14:44:28 */
- 426234, 455705, /* 04:22:23:54, 05:06:35:05 */
- 487215, 520904, /* 05:15:20:15, 06:00:41:44 */
- 556921, 595430, /* 06:10:42:01, 06:21:23:50 */
- 636601, 680618, /* 07:08:50:01, 07:21:03:38 */
- 727680, 777995, /* 08:10:08:00, 09:00:06:35 */
- 831789, 889303, /* 09:15:03:09, 10:07:01:43 */
- 950794, 1016537, /* 11:00:06:34, 11:18:22:17 */
- 1086825, 1161973, /* 12:13:53:45, 13:10:46:13 */
- 1242318, 1328218, /* 14:09:05:18, 15:08:56:58 */
- 1420057, 1518247, /* 16:10:27:37, 17:13:44:07 */
- 1623226, 1735464, /* 18:18:53:46, 20:02:04:24 */
- 1855462, 1983758, /* 21:11:24:22, 22:23:02:38 */
- 2120925, 2267576, /* 24:13:08:45, 26:05:52:56 */
- 2424367, 2592000 /* 28:01:26:07, 30:00:00:00 */
-};
-#define MINFIXED 0x80
-#define MAXFIXED (MINFIXED + NLIFETIMES - 1)
-#endif /* !SHORT_LIFETIME */
+#include "k5-int.h"
/*
* krb_life_to_time
@@ -100,17 +35,12 @@ static const KRB4_32 lifetimes[NLIFETIMES] = {
KRB4_32 KRB5_CALLCONV
krb_life_to_time(KRB4_32 start, int life)
{
- if (life < 0 || life > 255) /* possibly sign botch in caller */
+ krb5int_access k5internals;
+
+ if (krb5int_accessor(&k5internals, KRB5INT_ACCESS_VERSION)
+ || k5internals.krb_life_to_time == NULL)
return start;
-#ifndef SHORT_LIFETIME
- if (life < MINFIXED)
- return start + life * 5 * 60;
- if (life > MAXFIXED)
- return start + lifetimes[NLIFETIMES - 1];
- return start + lifetimes[life - MINFIXED];
-#else /* SHORT_LIFETIME */
- return start + life * 5 * 60;
-#endif /* SHORT_LIFETIME */
+ return k5internals.krb_life_to_time(start, life);
}
/*
@@ -123,27 +53,10 @@ krb_life_to_time(KRB4_32 start, int life)
int KRB5_CALLCONV
krb_time_to_life(KRB4_32 start, KRB4_32 end)
{
- KRB4_32 dt;
-#ifndef SHORT_LIFETIME
- int i;
-#endif
+ krb5int_access k5internals;
- dt = end - start;
- if (dt <= 0)
+ if (krb5int_accessor(&k5internals, KRB5INT_ACCESS_VERSION)
+ || k5internals.krb_time_to_life == NULL)
return 0;
-#ifndef SHORT_LIFETIME
- if (dt < lifetimes[0])
- return (dt + 5 * 60 - 1) / (5 * 60);
- /* This depends on the array being ordered. */
- for (i = 0; i < NLIFETIMES; i++) {
- if (lifetimes[i] >= dt)
- return i + MINFIXED;
- }
- return MAXFIXED;
-#else /* SHORT_LIFETIME */
- if (dt > 5 * 60 * 255)
- return 255;
- else
- return (dt + 5 * 60 - 1) / (5 * 60);
-#endif /* SHORT_LIFETIME */
+ return k5internals.krb_time_to_life(start, end);
}
diff --git a/src/lib/krb4/mk_auth.c b/src/lib/krb4/mk_auth.c
index 9159ce1..cf85ea2 100644
--- a/src/lib/krb4/mk_auth.c
+++ b/src/lib/krb4/mk_auth.c
@@ -230,7 +230,6 @@ krb_check_auth (buf, checksum, msg_data, session, schedule, laddr, faddr)
return KFAILURE;
cc = krb_rd_priv(buf->dat, (unsigned KRB4_32)buf->length, schedule,
(C_Block *)session, faddr, laddr, msg_data);
- memset(schedule, 0, sizeof(schedule));
if (cc)
return cc;
diff --git a/src/lib/krb4/mk_req.c b/src/lib/krb4/mk_req.c
index 698d2c2..3066f43 100644
--- a/src/lib/krb4/mk_req.c
+++ b/src/lib/krb4/mk_req.c
@@ -114,7 +114,6 @@ krb_mk_req_creds_prealm(authent, creds, checksum, myrealm)
+ 1 + 1 + ticket->length)
|| ticket->length < 0 || ticket->length > 255) {
authent->length = 0;
- memset(creds->session, 0, sizeof(creds->session));
return KFAILURE;
}
@@ -150,7 +149,6 @@ krb_mk_req_creds_prealm(authent, creds, checksum, myrealm)
myrealmlen = strlen(myrealm) + 1;
if (sizeof(req_id->dat) / 8 < (pnamelen + pinstlen + myrealmlen
+ 4 + 1 + 4 + 7) / 8) {
- memset(creds->session, 0, sizeof(creds->session));
return KFAILURE;
}
@@ -185,7 +183,6 @@ krb_mk_req_creds_prealm(authent, creds, checksum, myrealm)
(long)req_id->length, key_s, &creds->session, 1);
/* clean up */
memset(key_s, 0, sizeof(key_s));
- memset(creds->session, 0, sizeof(creds->session));
#endif /* NOENCRYPTION */
/* Copy it into the authenticator */
@@ -252,7 +249,9 @@ krb_mk_req(authent, service, instance, realm, checksum)
if (retval != KSUCCESS)
return retval;
- return krb_mk_req_creds_prealm(authent, &creds, checksum, myrealm);
+ retval = krb_mk_req_creds_prealm(authent, &creds, checksum, myrealm);
+ memset(&creds.session, 0, sizeof(creds.session));
+ return retval;
}
int KRB5_CALLCONV
diff --git a/src/lib/krb4/password_to_key.c b/src/lib/krb4/password_to_key.c
index 56b5f8e..c6e60d9 100644
--- a/src/lib/krb4/password_to_key.c
+++ b/src/lib/krb4/password_to_key.c
@@ -90,7 +90,7 @@ mit_passwd_to_key(
des_string_to_key(passwd, key);
} else {
#if !(defined(_WIN32) || defined(USE_LOGIN_LIBRARY))
- des_read_password((des_cblock *)key, "Password: ", 0);
+ des_read_password((des_cblock *)key, "Password", 0);
#else
return (-1);
#endif
@@ -143,7 +143,7 @@ afs_passwd_to_key(
afs_string_to_key(passwd, realm, key);
} else {
#if !(defined(_WIN32) || defined(USE_LOGIN_LIBRARY))
- des_read_password((des_cblock *)key, "Password: ", 0);
+ des_read_password((des_cblock *)key, "Password", 0);
#else
return (-1);
#endif
diff --git a/src/lib/krb4_32.def b/src/lib/krb4_32.def
index d5a3c33..11814ce 100644
--- a/src/lib/krb4_32.def
+++ b/src/lib/krb4_32.def
@@ -54,3 +54,33 @@ EXPORTS
; kstream_destroy
; kstream_set_buffer_mode
krb_in_tkt
+
+; Added to match exports from KfM
+ krb_change_password
+ decomp_ticket
+ krb_err_txt
+ ;krb_ad_tkt
+ krb_get_in_tkt
+ krb_get_in_tkt_creds
+ krb_get_pw_in_tkt_creds
+ ;krb_pw_tkt
+ k_isrealm
+ k_isinst
+ k_isname
+ kname_unparse
+ ;kuserok
+ krb_set_lifetime
+ krb_rd_req_int
+ krb_sendauth
+ ;tkt_string
+ krb_set_tkt_string
+ krb_get_num_cred
+ krb_get_nth_cred
+ krb_delete_cred
+ dest_all_tkts
+ krb_get_profile
+ ;FSp_krb_get_svc_in_tkt
+ ;FSp_put_svc_key
+ ;FSp_read_service_key
+ krb_time_to_life
+ krb_life_to_time
diff --git a/src/lib/krb5/Makefile.in b/src/lib/krb5/Makefile.in
index dc5c7b9..96efb56 100644
--- a/src/lib/krb5/Makefile.in
+++ b/src/lib/krb5/Makefile.in
@@ -130,8 +130,8 @@ install-unix:: install-libs
# Makefile dependencies follow. This must be the last section in
# the Makefile.in file
#
-krb5_libinit.so krb5_libinit.po $(OUTPRE)krb5_libinit.$(OBJEXT): krb5_libinit.c $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(BUILDTOP)/include/krb5_err.h $(BUILDTOP)/include/kv5m_err.h \
- $(BUILDTOP)/include/asn1_err.h $(BUILDTOP)/include/kdb5_err.h \
- krb5_libinit.h
+krb5_libinit.so krb5_libinit.po $(OUTPRE)krb5_libinit.$(OBJEXT): krb5_libinit.c $(COM_ERR_DEPS) \
+ $(BUILDTOP)/include/krb5.h $(BUILDTOP)/include/krb5_err.h \
+ $(BUILDTOP)/include/kv5m_err.h $(BUILDTOP)/include/asn1_err.h \
+ $(BUILDTOP)/include/kdb5_err.h krb5_libinit.h
diff --git a/src/lib/krb5/asn.1/ChangeLog b/src/lib/krb5/asn.1/ChangeLog
index b1ff161..18e4c07 100644
--- a/src/lib/krb5/asn.1/ChangeLog
+++ b/src/lib/krb5/asn.1/ChangeLog
@@ -1,3 +1,103 @@
+2003-10-08 Tom Yu <tlyu@mit.edu>
+
+ * asn1_k_encode.c (asn1_encode_krb_saved_safe_body): New function;
+ kludge to insert a raw pre-encoded KRB-SAFE-BODY.
+
+ * asn1_k_encode.h (asn1_encode_krb_saved_safe_body): Add
+ prototype.
+
+ * krb5_decode.c (decode_krb5_safe_with_body): New function; saves
+ a copy of the encoding of the KRB-SAFE-BODY to avoid problems
+ caused by re-encoding it during verification.
+
+ * krb5_encode.c (encode_krb5_safe_with_body): New function;
+ re-encode a KRB-SAFE using a saved KRB-SAFE-BODY encoding, to
+ avoid trouble with re-encoding a KRB-SAFE-BODY.
+
+2003-07-22 Sam Hartman <hartmans@avalanche-breakdown.mit.edu>
+
+ * asn1_k_decode.c (asn1_decode_etype_info2_entry_1_3): Decoder for
+ the broken 1.3 ASN.1 behavior for etype_info2; see bug 1681.
+
+ * asn1_k_decode.h (asn1_decode_etype_info2): Add v1_3_behavior
+ flag for parsing the broken 1.3 behavior of using an octetString
+ instead of generalString
+
+ * asn1_k_decode.c (asn1_decode_etype_info2_entry): Expect etype_info2 as generalstring not octetstring
+
+2003-06-20 Sam Hartman <hartmans@mit.edu>
+
+ * asn1_k_decode.h (asn1_decode_etype_info2): Prototype. Also
+ deleted prototype for asn1_decode_etype_info_entry as that is not
+ used outside asn1_k_decode.c
+
+ * krb5_decode.c (decode_krb5_etype_info2): Call etype_info2 decoder
+
+ * asn1_k_decode.c (asn1_decode_etype_info_entry): Split out
+ etype_info2 and etype_info decoder so we ignore tag 2 in the
+ heimdal encoder
+ (asn1_decode_etype_info2): new function
+
+2003-05-23 Sam Hartman <hartmans@mit.edu>
+
+ * asn1_k_decode.c (asn1_decode_etype_info_entry): Fix logic error
+ that incorrectly set up s2kparams.data
+
+2003-05-20 Ezra Peisach <epeisach@bu.edu>
+
+ * asn1_k_encode.c (asn1_encode_krb_safe_body): Use
+ asn1_encode_unsigned_integer for sequence number.
+
+ * asn1_k_decode.c (asn1_decode_krb_safe_body): Use
+ asn1_decode_seqnum to decode sequence number.
+
+
+2003-05-18 Tom Yu <tlyu@mit.edu>
+
+ * asn1_decode.c (asn1_decode_maybe_unsigned): New function; decode
+ negative 32-bit numbers into positive unsigned numbers for the
+ sake of backwards compatibility with old code.
+
+ * asn1_decode.h: Add prototype for asn1_decode_maybe_unsigned.
+
+ * asn1_k_decode.c (asn1_decode_seqnum): New function; wrapper
+ around asn1_decode_maybe_unsigned.
+
+ * asn1_k_decode.h: Add prototype for asn1_decode_seqnum.
+
+ * krb5_decode.c (decode_krb5_authenticator)
+ (decode_krb5_ap_rep_enc_part, decode_krb5_enc_priv_part): Sequence
+ numbers are now unsigned. Use asn1_decode_seqnum to handle
+ backwards compat with negative sequence numbers.
+
+ * krb5_encode.c (encode_krb5_authenticator)
+ (encode_krb5_ap_rep_enc_part, encode_krb5_enc_priv_part): Sequence
+ numbers are now unsigned.
+
+2003-05-06 Sam Hartman <hartmans@mit.edu>
+
+ * krb5_decode.c (decode_krb5_etype_info2): New function; currently
+ the same code as decode_krb5_etype_info. This means that we can
+ manage to accept s2kparams in etype_info which is wrong but
+ probably harmless.
+
+ * asn1_k_decode.c (asn1_decode_etype_info_entry): Add etype_info2
+ support
+
+ * asn1_k_encode.c (asn1_encode_etype_info_entry): Add support for
+ etype-info2
+
+ * krb5_encode.c (encode_krb5_etype_info2): New function
+
+2003-04-15 Sam Hartman <hartmans@mit.edu>
+
+ * krb5_encode.c (encode_krb5_setpw_req): new function
+
+2003-04-13 Ezra Peisach <epeisach@mit.edu>
+
+ * asn1_k_decode.c (asn1_decode_kdc_req_body): Fix memory leak if
+ optional server field is lacking,
+
2003-03-11 Ken Raeburn <raeburn@mit.edu>
* asn1_get.c (asn1_get_tag): Deleted.
diff --git a/src/lib/krb5/asn.1/Makefile.in b/src/lib/krb5/asn.1/Makefile.in
index 6757046..8de97f0 100644
--- a/src/lib/krb5/asn.1/Makefile.in
+++ b/src/lib/krb5/asn.1/Makefile.in
@@ -61,61 +61,66 @@ clean-unix:: clean-libobjs
#
asn1_decode.so asn1_decode.po $(OUTPRE)asn1_decode.$(OBJEXT): asn1_decode.c asn1_decode.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- krbasn1.h asn1buf.h asn1_get.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h krbasn1.h asn1buf.h asn1_get.h
asn1_k_decode.so asn1_k_decode.po $(OUTPRE)asn1_k_decode.$(OBJEXT): asn1_k_decode.c asn1_k_decode.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- krbasn1.h asn1buf.h asn1_decode.h asn1_get.h asn1_misc.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h krbasn1.h asn1buf.h asn1_decode.h \
+ asn1_get.h asn1_misc.h
asn1_encode.so asn1_encode.po $(OUTPRE)asn1_encode.$(OBJEXT): asn1_encode.c asn1_encode.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- krbasn1.h asn1buf.h asn1_make.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h krbasn1.h asn1buf.h asn1_make.h
asn1_get.so asn1_get.po $(OUTPRE)asn1_get.$(OBJEXT): asn1_get.c asn1_get.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- krbasn1.h asn1buf.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h krbasn1.h asn1buf.h
asn1_make.so asn1_make.po $(OUTPRE)asn1_make.$(OBJEXT): asn1_make.c asn1_make.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- krbasn1.h asn1buf.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h krbasn1.h asn1buf.h
asn1buf.so asn1buf.po $(OUTPRE)asn1buf.$(OBJEXT): asn1buf.c asn1buf.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h krbasn1.h asn1_get.h
+ krbasn1.h asn1_get.h
krb5_decode.so krb5_decode.po $(OUTPRE)krb5_decode.$(OBJEXT): krb5_decode.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) krbasn1.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/profile.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- asn1_k_decode.h asn1buf.h asn1_decode.h asn1_get.h
+ $(SRCTOP)/include/krb5/kdb.h asn1_k_decode.h asn1buf.h \
+ asn1_decode.h asn1_get.h
krb5_encode.so krb5_encode.po $(OUTPRE)krb5_encode.$(OBJEXT): krb5_encode.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) asn1_k_encode.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/profile.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- asn1buf.h krbasn1.h asn1_encode.h asn1_make.h
+ $(SRCTOP)/include/krb5/kdb.h asn1buf.h krbasn1.h asn1_encode.h \
+ asn1_make.h
asn1_k_encode.so asn1_k_encode.po $(OUTPRE)asn1_k_encode.$(OBJEXT): asn1_k_encode.c asn1_k_encode.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- asn1buf.h krbasn1.h asn1_make.h asn1_encode.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h asn1buf.h krbasn1.h asn1_make.h \
+ asn1_encode.h
asn1_misc.so asn1_misc.po $(OUTPRE)asn1_misc.$(OBJEXT): asn1_misc.c asn1_misc.h \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- krbasn1.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h krbasn1.h
diff --git a/src/lib/krb5/asn.1/asn1_decode.c b/src/lib/krb5/asn.1/asn1_decode.c
index 56904c5..6586320 100644
--- a/src/lib/krb5/asn.1/asn1_decode.c
+++ b/src/lib/krb5/asn.1/asn1_decode.c
@@ -1,7 +1,7 @@
/*
* src/lib/krb5/asn.1/asn1_decode.c
*
- * Copyright 1994 by the Massachusetts Institute of Technology.
+ * Copyright 1994, 2003 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -106,6 +106,50 @@ asn1_error_code asn1_decode_unsigned_integer(asn1buf *buf, long unsigned int *va
cleanup();
}
+/*
+ * asn1_decode_maybe_unsigned
+ *
+ * This is needed because older releases of MIT krb5 have signed
+ * sequence numbers. We want to accept both signed and unsigned
+ * sequence numbers, in the range -2^31..2^32-1, mapping negative
+ * numbers into their positive equivalents in the same way that C's
+ * normal integer conversions do, i.e., would preserve bits on a
+ * two's-complement architecture.
+ */
+asn1_error_code asn1_decode_maybe_unsigned(asn1buf *buf, unsigned long *val)
+{
+ setup();
+ asn1_octet o;
+ unsigned long n, bitsremain;
+ unsigned int i;
+
+ tag(ASN1_INTEGER);
+ o = 0;
+ n = 0;
+ bitsremain = ~0UL;
+ for (i = 0; i < length; i++) {
+ /* Accounts for u_long width not being a multiple of 8. */
+ if (bitsremain < 0xff) return ASN1_OVERFLOW;
+ retval = asn1buf_remove_octet(buf, &o);
+ if (retval) return retval;
+ if (bitsremain == ~0UL) {
+ if (i == 0)
+ n = (o & 0x80) ? ~0UL : 0UL; /* grab sign bit */
+ /*
+ * Skip leading zero or 0xFF octets to humor non-compliant encoders.
+ */
+ if (n == 0 && o == 0)
+ continue;
+ if (n == ~0UL && o == 0xff)
+ continue;
+ }
+ n = (n << 8) | o;
+ bitsremain >>= 8;
+ }
+ *val = n;
+ cleanup();
+}
+
asn1_error_code asn1_decode_oid(asn1buf *buf, unsigned int *retlen, asn1_octet **val)
{
setup();
diff --git a/src/lib/krb5/asn.1/asn1_decode.h b/src/lib/krb5/asn.1/asn1_decode.h
index 449a589..cafbf3f 100644
--- a/src/lib/krb5/asn.1/asn1_decode.h
+++ b/src/lib/krb5/asn.1/asn1_decode.h
@@ -62,6 +62,8 @@ asn1_error_code asn1_decode_integer
(asn1buf *buf, long *val);
asn1_error_code asn1_decode_unsigned_integer
(asn1buf *buf, unsigned long *val);
+asn1_error_code asn1_decode_maybe_unsigned
+ (asn1buf *buf, unsigned long *val);
asn1_error_code asn1_decode_null
(asn1buf *buf);
diff --git a/src/lib/krb5/asn.1/asn1_k_decode.c b/src/lib/krb5/asn.1/asn1_k_decode.c
index c64ebb8..3ffb701 100644
--- a/src/lib/krb5/asn.1/asn1_k_decode.c
+++ b/src/lib/krb5/asn.1/asn1_k_decode.c
@@ -320,6 +320,17 @@ integer_convert(asn1_decode_authdatatype,krb5_authdatatype)
unsigned_integer_convert(asn1_decode_ui_2,krb5_ui_2)
unsigned_integer_convert(asn1_decode_ui_4,krb5_ui_4)
+asn1_error_code asn1_decode_seqnum(asn1buf *buf, krb5_ui_4 *val)
+{
+ asn1_error_code retval;
+ unsigned long n;
+
+ retval = asn1_decode_maybe_unsigned(buf, &n);
+ if (retval) return retval;
+ *val = (krb5_ui_4)n & 0xffffffff;
+ return 0;
+}
+
asn1_error_code asn1_decode_msgtype(asn1buf *buf, krb5_msgtype *val)
{
asn1_error_code retval;
@@ -541,7 +552,9 @@ asn1_error_code asn1_decode_kdc_req(asn1buf *buf, krb5_kdc_req *val)
asn1_error_code asn1_decode_kdc_req_body(asn1buf *buf, krb5_kdc_req *val)
{
setup();
- { begin_structure();
+ {
+ krb5_principal psave;
+ begin_structure();
get_field(val->kdc_options,0,asn1_decode_kdc_options);
if(tagnum == 1){ alloc_field(val->client,krb5_principal_data); }
opt_field(val->client,1,asn1_decode_principal_name,NULL);
@@ -550,7 +563,19 @@ asn1_error_code asn1_decode_kdc_req_body(asn1buf *buf, krb5_kdc_req *val)
if(val->client != NULL){
retval = asn1_krb5_realm_copy(val->client,val->server);
if(retval) return retval; }
+
+ /* If opt_field server is missing, memory reference to server is
+ lost and results in memory leak */
+ psave = val->server;
opt_field(val->server,3,asn1_decode_principal_name,NULL);
+ if(val->server == NULL){
+ if(psave->realm.data) {
+ free(psave->realm.data);
+ psave->realm.data = NULL;
+ psave->realm.length=0;
+ }
+ free(psave);
+ }
opt_field(val->from,4,asn1_decode_kerberos_time,0);
get_field(val->till,5,asn1_decode_kerberos_time);
opt_field(val->rtime,6,asn1_decode_kerberos_time,0);
@@ -580,7 +605,7 @@ asn1_error_code asn1_decode_krb_safe_body(asn1buf *buf, krb5_safe *val)
get_lenfield(val->user_data.length,val->user_data.data,0,asn1_decode_charstring);
opt_field(val->timestamp,1,asn1_decode_kerberos_time,0);
opt_field(val->usec,2,asn1_decode_int32,0);
- opt_field(val->seq_number,3,asn1_decode_int32,0);
+ opt_field(val->seq_number,3,asn1_decode_seqnum,0);
alloc_field(val->s_address,krb5_address);
get_field(*(val->s_address),4,asn1_decode_host_address);
if(tagnum == 5){
@@ -782,7 +807,33 @@ asn1_error_code asn1_decode_sequence_of_checksum(asn1buf *buf, krb5_checksum ***
decode_array_body(krb5_checksum, asn1_decode_checksum);
}
-asn1_error_code asn1_decode_etype_info_entry(asn1buf *buf, krb5_etype_info_entry *val)
+static asn1_error_code asn1_decode_etype_info2_entry(asn1buf *buf, krb5_etype_info_entry *val )
+{
+ setup();
+ { begin_structure();
+ get_field(val->etype,0,asn1_decode_enctype);
+ if (tagnum == 1) {
+ get_lenfield(val->length,val->salt,1,asn1_decode_generalstring);
+ } else {
+ val->length = KRB5_ETYPE_NO_SALT;
+ val->salt = 0;
+ }
+ if ( tagnum ==2) {
+ krb5_octet *params ;
+ get_lenfield( val->s2kparams.length, params,
+ 2, asn1_decode_octetstring);
+ val->s2kparams.data = ( char *) params;
+ } else {
+ val->s2kparams.data = NULL;
+ val->s2kparams.length = 0;
+ }
+ end_structure();
+ val->magic = KV5M_ETYPE_INFO_ENTRY;
+ }
+ cleanup();
+}
+
+static asn1_error_code asn1_decode_etype_info2_entry_1_3(asn1buf *buf, krb5_etype_info_entry *val )
{
setup();
{ begin_structure();
@@ -793,17 +844,59 @@ asn1_error_code asn1_decode_etype_info_entry(asn1buf *buf, krb5_etype_info_entry
val->length = KRB5_ETYPE_NO_SALT;
val->salt = 0;
}
+ if ( tagnum ==2) {
+ krb5_octet *params ;
+ get_lenfield( val->s2kparams.length, params,
+ 2, asn1_decode_octetstring);
+ val->s2kparams.data = ( char *) params;
+ } else {
+ val->s2kparams.data = NULL;
+ val->s2kparams.length = 0;
+ }
end_structure();
val->magic = KV5M_ETYPE_INFO_ENTRY;
}
cleanup();
}
-asn1_error_code asn1_decode_etype_info(asn1buf *buf, krb5_etype_info_entry ***val)
+
+static asn1_error_code asn1_decode_etype_info_entry(asn1buf *buf, krb5_etype_info_entry *val )
+{
+ setup();
+ { begin_structure();
+ get_field(val->etype,0,asn1_decode_enctype);
+ if (tagnum == 1) {
+ get_lenfield(val->length,val->salt,1,asn1_decode_octetstring);
+ } else {
+ val->length = KRB5_ETYPE_NO_SALT;
+ val->salt = 0;
+ }
+ val->s2kparams.data = NULL;
+ val->s2kparams.length = 0;
+
+ end_structure();
+ val->magic = KV5M_ETYPE_INFO_ENTRY;
+ }
+ cleanup();
+}
+
+asn1_error_code asn1_decode_etype_info(asn1buf *buf, krb5_etype_info_entry ***val )
{
decode_array_body(krb5_etype_info_entry,asn1_decode_etype_info_entry);
}
+asn1_error_code asn1_decode_etype_info2(asn1buf *buf, krb5_etype_info_entry ***val ,
+ krb5_boolean v1_3_behavior)
+{
+ if (v1_3_behavior) {
+ decode_array_body(krb5_etype_info_entry,
+ asn1_decode_etype_info2_entry_1_3);
+ } else {
+ decode_array_body(krb5_etype_info_entry,
+ asn1_decode_etype_info2_entry);
+ }
+}
+
asn1_error_code asn1_decode_passwdsequence(asn1buf *buf, passwd_phrase_element *val)
{
setup();
diff --git a/src/lib/krb5/asn.1/asn1_k_decode.h b/src/lib/krb5/asn.1/asn1_k_decode.h
index 8f8b0bc..1852e76 100644
--- a/src/lib/krb5/asn.1/asn1_k_decode.h
+++ b/src/lib/krb5/asn.1/asn1_k_decode.h
@@ -89,6 +89,8 @@ asn1_error_code asn1_decode_ui_2
(asn1buf *buf, krb5_ui_2 *val);
asn1_error_code asn1_decode_ui_4
(asn1buf *buf, krb5_ui_4 *val);
+asn1_error_code asn1_decode_seqnum
+ (asn1buf *buf, krb5_ui_4 *val);
asn1_error_code asn1_decode_kerberos_time
(asn1buf *buf, krb5_timestamp *val);
asn1_error_code asn1_decode_sam_flags
@@ -185,6 +187,8 @@ asn1_error_code asn1_decode_sequence_of_passwdsequence
asn1_error_code asn1_decode_etype_info
(asn1buf *buf, krb5_etype_info_entry ***val);
+asn1_error_code asn1_decode_etype_info2
+ (asn1buf *buf, krb5_etype_info_entry ***val, krb5_boolean v1_3_behavior);
#endif
diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
index 9226f7c..00cfab0 100644
--- a/src/lib/krb5/asn.1/asn1_k_encode.c
+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
@@ -27,6 +27,7 @@
#include "asn1_k_encode.h"
#include "asn1_make.h"
#include "asn1_encode.h"
+#include <assert.h>
/**** asn1 macros ****/
#if 0
@@ -643,7 +644,7 @@ asn1_error_code asn1_encode_krb_safe_body(asn1buf *buf, const krb5_safe *val, un
asn1_addfield(val->r_address,5,asn1_encode_host_address);
asn1_addfield(val->s_address,4,asn1_encode_host_address);
if(val->seq_number)
- asn1_addfield(val->seq_number,3,asn1_encode_integer);
+ asn1_addfield(val->seq_number,3,asn1_encode_unsigned_integer);
if(val->timestamp){
asn1_addfield(val->usec,2,asn1_encode_integer);
asn1_addfield(val->timestamp,1,asn1_encode_kerberos_time);
@@ -708,24 +709,33 @@ asn1_error_code asn1_encode_krb_cred_info(asn1buf *buf, const krb5_cred_info *va
asn1_cleanup();
}
-asn1_error_code asn1_encode_etype_info_entry(asn1buf *buf, const krb5_etype_info_entry *val, unsigned int *retlen)
+asn1_error_code asn1_encode_etype_info_entry(asn1buf *buf, const krb5_etype_info_entry *val,
+ unsigned int *retlen, int etype_info2)
{
asn1_setup();
+ assert(val->s2kparams.data == NULL || etype_info2);
if(val == NULL || (val->length > 0 && val->length != KRB5_ETYPE_NO_SALT &&
val->salt == NULL))
return ASN1_MISSING_FIELD;
-
- if (val->length >= 0 && val->length != KRB5_ETYPE_NO_SALT)
+ if(val->s2kparams.data != NULL)
+ asn1_addlenfield(val->s2kparams.length, val->s2kparams.data, 2,
+ asn1_encode_octetstring);
+ if (val->length >= 0 && val->length != KRB5_ETYPE_NO_SALT){
+ if (etype_info2)
asn1_addlenfield(val->length,val->salt,1,
- asn1_encode_octetstring);
- asn1_addfield(val->etype,0,asn1_encode_integer);
+ asn1_encode_generalstring)
+ else asn1_addlenfield(val->length,val->salt,1,
+ asn1_encode_octetstring);
+ }
+asn1_addfield(val->etype,0,asn1_encode_integer);
asn1_makeseq();
asn1_cleanup();
}
-asn1_error_code asn1_encode_etype_info(asn1buf *buf, const krb5_etype_info_entry **val, unsigned int *retlen)
+asn1_error_code asn1_encode_etype_info(asn1buf *buf, const krb5_etype_info_entry **val,
+ unsigned int *retlen, int etype_info2)
{
asn1_setup();
int i;
@@ -734,7 +744,7 @@ asn1_error_code asn1_encode_etype_info(asn1buf *buf, const krb5_etype_info_entry
for(i=0; val[i] != NULL; i++); /* get to the end of the array */
for(i--; i>=0; i--){
- retval = asn1_encode_etype_info_entry(buf,val[i],&length);
+ retval = asn1_encode_etype_info_entry(buf,val[i],&length, etype_info2);
if(retval) return retval;
sum += length;
}
@@ -932,3 +942,20 @@ asn1_error_code asn1_encode_predicted_sam_response(asn1buf *buf, const krb5_pred
asn1_cleanup();
}
+
+/*
+ * Do some ugliness to insert a raw pre-encoded KRB-SAFE-BODY.
+ */
+asn1_error_code asn1_encode_krb_saved_safe_body(asn1buf *buf, const krb5_data *body, unsigned int *retlen)
+{
+ asn1_error_code retval;
+
+ retval = asn1buf_insert_octetstring(buf, body->length,
+ (krb5_octet *)body->data);
+ if (retval){
+ asn1buf_destroy(&buf);
+ return retval;
+ }
+ *retlen = body->length;
+ return 0;
+}
diff --git a/src/lib/krb5/asn.1/asn1_k_encode.h b/src/lib/krb5/asn.1/asn1_k_encode.h
index 5914e09..caa46c5 100644
--- a/src/lib/krb5/asn.1/asn1_k_encode.h
+++ b/src/lib/krb5/asn.1/asn1_k_encode.h
@@ -219,11 +219,11 @@ asn1_error_code asn1_encode_alt_method
asn1_error_code asn1_encode_etype_info_entry
(asn1buf *buf, const krb5_etype_info_entry *val,
- unsigned int *retlen);
+ unsigned int *retlen, int etype_info2);
asn1_error_code asn1_encode_etype_info
(asn1buf *buf, const krb5_etype_info_entry **val,
- unsigned int *retlen);
+ unsigned int *retlen, int etype_info2);
asn1_error_code asn1_encode_passwdsequence
(asn1buf *buf, const passwd_phrase_element *val, unsigned int *retlen);
@@ -266,4 +266,7 @@ asn1_error_code asn1_encode_predicted_sam_response
(asn1buf *buf, const krb5_predicted_sam_response *val,
unsigned int *retlen);
+asn1_error_code asn1_encode_krb_saved_safe_body
+ (asn1buf *buf, const krb5_data *body, unsigned int *retlen);
+
#endif
diff --git a/src/lib/krb5/asn.1/krb5_decode.c b/src/lib/krb5/asn.1/krb5_decode.c
index 03a3029..596997f 100644
--- a/src/lib/krb5/asn.1/krb5_decode.c
+++ b/src/lib/krb5/asn.1/krb5_decode.c
@@ -90,6 +90,7 @@ if((var) == NULL) clean_return(ENOMEM)
construction = t2.construction; \
tagnum = t2.tagnum; \
indef = t2.indef; \
+ taglen = t2.length; \
}
#define get_eoc() \
@@ -107,6 +108,7 @@ if((var) == NULL) clean_return(ENOMEM)
/* decode sequence header and initialize tagnum with the first field */
#define begin_structure()\
+unsigned int taglen;\
asn1buf subbuf;\
int seqindef;\
int indef;\
@@ -219,7 +221,7 @@ krb5_error_code decode_krb5_authenticator(const krb5_data *code, krb5_authentica
get_field((*rep)->ctime,5,asn1_decode_kerberos_time);
if(tagnum == 6){ alloc_field((*rep)->subkey,krb5_keyblock); }
opt_field(*((*rep)->subkey),6,asn1_decode_encryption_key);
- opt_field((*rep)->seq_number,7,asn1_decode_int32);
+ opt_field((*rep)->seq_number,7,asn1_decode_seqnum);
opt_field((*rep)->authorization_data,8,asn1_decode_authorization_data);
(*rep)->magic = KV5M_AUTHENTICATOR;
end_structure();
@@ -440,7 +442,7 @@ krb5_error_code decode_krb5_ap_rep_enc_part(const krb5_data *code, krb5_ap_rep_e
get_field((*rep)->cusec,1,asn1_decode_int32);
if(tagnum == 2){ alloc_field((*rep)->subkey,krb5_keyblock); }
opt_field(*((*rep)->subkey),2,asn1_decode_encryption_key);
- opt_field((*rep)->seq_number,3,asn1_decode_int32);
+ opt_field((*rep)->seq_number,3,asn1_decode_seqnum);
end_structure();
(*rep)->magic = KV5M_AP_REP_ENC_PART;
}
@@ -494,8 +496,26 @@ krb5_error_code decode_krb5_kdc_req_body(const krb5_data *code, krb5_kdc_req **r
cleanup(free);
}
-krb5_error_code decode_krb5_safe(const krb5_data *code, krb5_safe **rep)
+/*
+ * decode_krb5_safe_with_body
+ *
+ * Like decode_krb5_safe(), but grabs the encoding of the
+ * KRB-SAFE-BODY as well, in case re-encoding would produce a
+ * different encoding. (Yes, we're using DER, but there's this
+ * annoying problem with pre-1.3.x code using signed sequence numbers,
+ * which we permissively decode and cram into unsigned 32-bit numbers.
+ * When they're re-encoded, they're no longer negative if they started
+ * out negative, so checksum verification fails.)
+ *
+ * This does *not* perform any copying; the returned pointer to the
+ * encoded KRB-SAFE-BODY points into the input buffer.
+ */
+krb5_error_code decode_krb5_safe_with_body(
+ const krb5_data *code,
+ krb5_safe **rep,
+ krb5_data *body)
{
+ krb5_data tmpbody;
setup();
alloc_field(*rep,krb5_safe);
clear_field(rep,checksum);
@@ -511,12 +531,26 @@ krb5_error_code decode_krb5_safe(const krb5_data *code, krb5_safe **rep)
if(msg_type != KRB5_SAFE) clean_return(KRB5_BADMSGTYPE);
#endif
}
+ /*
+ * Gross kludge to extract pointer to encoded safe-body. Relies
+ * on tag prefetch done by next_tag(). Don't handle indefinite
+ * encoding, as it's too much work.
+ */
+ if (!indef) {
+ tmpbody.length = taglen;
+ tmpbody.data = subbuf.next;
+ } else {
+ tmpbody.length = 0;
+ tmpbody.data = NULL;
+ }
get_field(**rep,2,asn1_decode_krb_safe_body);
alloc_field((*rep)->checksum,krb5_checksum);
get_field(*((*rep)->checksum),3,asn1_decode_checksum);
(*rep)->magic = KV5M_SAFE;
end_structure();
}
+ if (body != NULL)
+ *body = tmpbody;
cleanup_manual();
error_out:
if (rep && *rep) {
@@ -526,6 +560,11 @@ error_out:
return retval;
}
+krb5_error_code decode_krb5_safe(const krb5_data *code, krb5_safe **rep)
+{
+ return decode_krb5_safe_with_body(code, rep, NULL);
+}
+
krb5_error_code decode_krb5_priv(const krb5_data *code, krb5_priv **rep)
{
setup();
@@ -561,7 +600,7 @@ krb5_error_code decode_krb5_enc_priv_part(const krb5_data *code, krb5_priv_enc_p
get_lenfield((*rep)->user_data.length,(*rep)->user_data.data,0,asn1_decode_charstring);
opt_field((*rep)->timestamp,1,asn1_decode_kerberos_time);
opt_field((*rep)->usec,2,asn1_decode_int32);
- opt_field((*rep)->seq_number,3,asn1_decode_int32);
+ opt_field((*rep)->seq_number,3,asn1_decode_seqnum);
alloc_field((*rep)->s_address,krb5_address);
get_field(*((*rep)->s_address),4,asn1_decode_host_address);
if(tagnum == 5){ alloc_field((*rep)->r_address,krb5_address); }
@@ -744,6 +783,21 @@ krb5_error_code decode_krb5_etype_info(const krb5_data *code, krb5_etype_info_en
cleanup_none(); /* we're not allocating anything here */
}
+krb5_error_code decode_krb5_etype_info2(const krb5_data *code, krb5_etype_info_entry ***rep)
+{
+ setup_buf_only();
+ *rep = 0;
+ retval = asn1_decode_etype_info2(&buf,rep, 0);
+ if (retval == ASN1_BAD_ID) {
+ retval = asn1buf_wrap_data(&buf,code);
+ if(retval) clean_return(retval);
+ retval = asn1_decode_etype_info2(&buf, rep, 1);
+ }
+ if(retval) clean_return(retval);
+ cleanup_none(); /* we're not allocating anything here */
+}
+
+
krb5_error_code decode_krb5_enc_data(const krb5_data *code, krb5_enc_data **rep)
{
setup_buf_only();
diff --git a/src/lib/krb5/asn.1/krb5_encode.c b/src/lib/krb5/asn.1/krb5_encode.c
index 2a4f7bb..ecdfa18 100644
--- a/src/lib/krb5/asn.1/krb5_encode.c
+++ b/src/lib/krb5/asn.1/krb5_encode.c
@@ -166,7 +166,7 @@ krb5_error_code encode_krb5_authenticator(const krb5_authenticator *rep, krb5_da
/* seq-number[7] INTEGER OPTIONAL */
if(rep->seq_number != 0)
- krb5_addfield(rep->seq_number,7,asn1_encode_integer);
+ krb5_addfield(rep->seq_number,7,asn1_encode_unsigned_integer);
/* subkey[6] EncryptionKey OPTIONAL */
if(rep->subkey != NULL)
@@ -305,6 +305,7 @@ krb5_error_code encode_krb5_enc_kdc_rep_part(const krb5_enc_kdc_rep_part *rep, k
#ifdef KRB5_ENCKRB5KDCREPPART_COMPAT
krb5_apptag(26);
#else
+ /* XXX WRONG!!! Should use 25 || 26, not the outer KDC_REP tags! */
if (rep->msg_type == KRB5_AS_REP) { krb5_apptag(ASN1_KRB_AS_REP); }
else if (rep->msg_type == KRB5_TGS_REP) { krb5_apptag(ASN1_KRB_TGS_REP); }
else return KRB5_BADMSGTYPE;
@@ -395,7 +396,7 @@ krb5_error_code encode_krb5_ap_rep_enc_part(const krb5_ap_rep_enc_part *rep, krb
/* seq-number[3] INTEGER OPTIONAL */
if(rep->seq_number)
- krb5_addfield(rep->seq_number,3,asn1_encode_integer);
+ krb5_addfield(rep->seq_number,3,asn1_encode_unsigned_integer);
/* subkey[2] EncryptionKey OPTIONAL */
if(rep->subkey != NULL)
@@ -477,6 +478,43 @@ krb5_error_code encode_krb5_safe(const krb5_safe *rep, krb5_data **code)
krb5_cleanup();
}
+/*
+ * encode_krb5_safe_with_body
+ *
+ * Like encode_krb5_safe(), except takes a saved KRB-SAFE-BODY
+ * encoding to avoid problems with re-encoding.
+ */
+krb5_error_code encode_krb5_safe_with_body(
+ const krb5_safe *rep,
+ const krb5_data *body,
+ krb5_data **code)
+{
+ krb5_setup();
+
+ if (body == NULL) {
+ asn1buf_destroy(&buf);
+ return ASN1_MISSING_FIELD;
+ }
+
+ /* cksum[3] Checksum */
+ krb5_addfield(rep->checksum,3,asn1_encode_checksum);
+
+ /* safe-body[2] KRB-SAFE-BODY */
+ krb5_addfield(body,2,asn1_encode_krb_saved_safe_body);
+
+ /* msg-type[1] INTEGER */
+ krb5_addfield(ASN1_KRB_SAFE,1,asn1_encode_integer);
+
+ /* pvno[0] INTEGER */
+ krb5_addfield(KVNO,0,asn1_encode_integer);
+
+ /* KRB-SAFE ::= [APPLICATION 20] SEQUENCE */
+ krb5_makeseq();
+ krb5_apptag(20);
+
+ krb5_cleanup();
+}
+
krb5_error_code encode_krb5_priv(const krb5_priv *rep, krb5_data **code)
{
krb5_setup();
@@ -510,7 +548,7 @@ krb5_error_code encode_krb5_enc_priv_part(const krb5_priv_enc_part *rep, krb5_da
/* seq-number[3] INTEGER OPTIONAL */
if(rep->seq_number)
- krb5_addfield(rep->seq_number,3,asn1_encode_integer);
+ krb5_addfield(rep->seq_number,3,asn1_encode_unsigned_integer);
/* usec[2] INTEGER OPTIONAL */
if(rep->timestamp){
@@ -678,11 +716,21 @@ krb5_error_code encode_krb5_alt_method(const krb5_alt_method *rep, krb5_data **c
krb5_error_code encode_krb5_etype_info(const krb5_etype_info_entry **rep, krb5_data **code)
{
krb5_setup();
- retval = asn1_encode_etype_info(buf,rep,&length);
+ retval = asn1_encode_etype_info(buf,rep,&length, 0);
+ if(retval) return retval;
+ sum += length;
+ krb5_cleanup();
+}
+
+krb5_error_code encode_krb5_etype_info2(const krb5_etype_info_entry **rep, krb5_data **code)
+{
+ krb5_setup();
+ retval = asn1_encode_etype_info(buf,rep,&length, 1);
if(retval) return retval;
sum += length;
krb5_cleanup();
}
+
krb5_error_code encode_krb5_enc_data(const krb5_enc_data *rep, krb5_data **code)
{
@@ -822,3 +870,20 @@ krb5_error_code encode_krb5_predicted_sam_response(const krb5_predicted_sam_resp
sum += length;
krb5_cleanup();
}
+
+krb5_error_code encode_krb5_setpw_req(const krb5_principal target,
+ char *password, krb5_data **code)
+{
+ /* Macros really want us to have a variable called rep which we do not need*/
+ const char *rep = "dummy string";
+
+ krb5_setup();
+
+ krb5_addfield(target,2,asn1_encode_realm);
+ krb5_addfield(target,1,asn1_encode_principal_name);
+ krb5_addlenfield(strlen(password), password,0,asn1_encode_octetstring);
+ krb5_makeseq();
+
+
+ krb5_cleanup();
+}
diff --git a/src/lib/krb5/ccache/ChangeLog b/src/lib/krb5/ccache/ChangeLog
index 0b44b4d..673cd98 100644
--- a/src/lib/krb5/ccache/ChangeLog
+++ b/src/lib/krb5/ccache/ChangeLog
@@ -1,3 +1,97 @@
+2004-01-06 Jeffrey Altman <jaltman@mit.edu>
+
+ * cc_file.c, cc_memory.c:
+ Add stub implementations for unimplemented krb5_cc_remove_cred()
+ Returns KRB5_CC_NOSUPP
+
+ * cc_mslsa.c:
+ Add implementation for krb5_cc_remove_cred(). Returns KRB5_CC_READONLY.
+
+2003-12-18 Jeffrey Altman <jaltman@mit.edu>
+
+ * cc_retr.c: Extract the test to determine if a credential matches
+ a requested credential according to the specified fields into
+ a private function: krb5int_cc_creds_match_request()
+
+ * cc_mslsa.c: Extend the functionality of krb5_lcc_retrieve() to
+ perform a MS Kerberos LSA ticket request if there is no matching
+ credential in the cache. The MS Kerberos LSA places the following
+ restriction on what tickets it will place into the LSA cache:
+ tickets obtained by an application request for a specific
+ set of kerberos flags or enctype will not be cached.
+ Therefore, we first make a request with no flags or enctype in
+ the hope that we will be lucky and get the right ones anyway.
+ If not, we make the application's request and return that ticket
+ if it matches the other criteria.
+
+ Implemented a similar technique for krb5_lcc_store(). Since we
+ can not write to the cache, when a store request is made we
+ instead perform a ticket request through the lsa for a matching
+ credential. If we receive one, we return success. Otherwise,
+ we return the KRB5_CC_READONLY error.
+
+ With these changes I am now able to operate entirely with the MSLSA
+ ccache as the default cache provided the MS LSA credentials are
+ for the principal I wish to use. Obviously, one cannot change
+ principals while the MSLSA ccache is the default.
+
+2003-12-15 Jeffrey Altman <jaltman@mit.edu>
+
+ * cc_msla.c: Enable purging of the MS Kerberos LSA cache when the TGT
+ has expired. This will force the LSA to get a new TGT instead of
+ returning the expired version.
+
+2003-12-15 Jeffrey Altman <jaltman@mit.edu>
+
+ * cc_mslsa.c: Perform a GetMSTGT() call as part of krb5_lcc_start_seq_get
+ to ensure that the tgt is refreshed
+
+2003-12-13 Jeffrey Altman <jaltman@mit.edu>
+
+ * Makefile.in: Remove extranenous spaces in ##WIN32## constructs
+ defining MSLSA_SRC MSLSA_OBJ
+
+2003-12-12 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in: Move ##WIN32## constructs from inside
+ backslash-continued lists, as it was breaking them. Move explicit
+ dependency information from under automatic dependencies.
+
+2003-12-11 Jeffrey Altman <jaltman@mit.edu>
+
+ * Makefile.in, ccbase.c, cc_mslsa.c (new)
+
+ Remove all of the code which was duplicated between ms2mit.c
+ and the KfW Leash libraries (and who knows how many applications
+ shipped by third parties) and use it as the basis for a new
+ krb5_ccache type, "MSLSA:". The "MSLSA:" ccache type is a
+ read-only ccache which can be used either as a monitor of the
+ contents of the Microsoft LSA cache or as a source for copying
+ the contents to another ccache type. The purpose of migrating
+ this code to the krb5_32.dll is to avoid the need for applications
+ to be consistently updated each time Microsoft makes a change
+ to the behavior of the LSA cache. Changes have occurred with
+ the release of 2000, XP, and 2003 so far. Also, the code for
+ working with the MS LSA cache is not well documented and many
+ mistakes were made in the original versions of the ms2mit.c
+ code base. Unfortunately, the ms2mit.c code has been copied
+ into many other applications.
+
+ With access to this new ccache type, the ms2mit.c source file
+ is reduced from 890 lines to 80 lines including the copyright
+ banner.
+
+2003-11-26 Jeffrey Altman <jaltman@mit.edu>
+
+ * cc_default.c: Add support for Leash Kinit Dialog on Windows to
+ krb5int_c_default()
+
+2003-07-22 Sam Hartman <hartmans@mit.edu>
+
+ * ccbase.c: Always register the file credentials cache type. If
+ we do not, then when USE_CCAPI is defined, it will not be
+ available.
+
2003-03-06 Alexandra Ellwood <lxs@mit.edu>
* ccdefault.c: Remove Mac header goober and include
diff --git a/src/lib/krb5/ccache/Makefile.in b/src/lib/krb5/ccache/Makefile.in
index bbf61be..01e6544 100644
--- a/src/lib/krb5/ccache/Makefile.in
+++ b/src/lib/krb5/ccache/Makefile.in
@@ -17,6 +17,9 @@ LOCALINCLUDES = -I$(srcdir)$(S)ccapi $(WIN_INCLUDES)
##DOS##OBJFILE=..\$(OUTPRE)$(PREFIXDIR).lst
##WIN16##LIBNAME=..\krb5.lib
+##WIN32##MSLSA_OBJ = $(OUTPRE)cc_mslsa.$(OBJEXT)
+##WIN32##MSLSA_SRC = $(srcdir)/cc_mslsa.c
+
MAC_SUBDIRS = ccapi
STLIBOBJS= \
@@ -37,7 +40,7 @@ OBJS= $(OUTPRE)ccbase.$(OBJEXT) \
$(OUTPRE)cc_file.$(OBJEXT) \
$(OUTPRE)cc_memory.$(OBJEXT) \
$(OUTPRE)ccfns.$(OBJEXT) \
- $(OUTPRE)ser_cc.$(OBJEXT)
+ $(OUTPRE)ser_cc.$(OBJEXT) $(MSLSA_OBJ)
SRCS= $(srcdir)/ccbase.c \
$(srcdir)/cccopy.c \
@@ -47,7 +50,7 @@ SRCS= $(srcdir)/ccbase.c \
$(srcdir)/cc_file.c \
$(srcdir)/cc_memory.c \
$(srcdir)/ccfns.c \
- $(srcdir)/ser_cc.c
+ $(srcdir)/ser_cc.c $(MSLSA_SRC)
##DOS##OBJS=$(OBJS) $(OUTPRE)ccfns.$(OBJEXT)
@@ -97,7 +100,7 @@ check-unix:: t_cc
clean-unix::
$(RM) t_cc t_cc.o
-
+##WIN32## $(OUTPRE)cc_mslsa.$(OBJEXT): cc_mslsa.c $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS)
# @libobj_frag@
@@ -108,47 +111,49 @@ clean-unix::
#
ccbase.so ccbase.po $(OUTPRE)ccbase.$(OBJEXT): ccbase.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ fcc.h
cccopy.so cccopy.po $(OUTPRE)cccopy.$(OBJEXT): cccopy.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
ccdefault.so ccdefault.po $(OUTPRE)ccdefault.$(OBJEXT): ccdefault.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
ccdefops.so ccdefops.po $(OUTPRE)ccdefops.$(OBJEXT): ccdefops.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h fcc.h
+ fcc.h
cc_retr.so cc_retr.po $(OUTPRE)cc_retr.$(OBJEXT): cc_retr.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
cc_file.so cc_file.po $(OUTPRE)cc_file.$(OBJEXT): cc_file.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
cc_memory.so cc_memory.po $(OUTPRE)cc_memory.$(OBJEXT): cc_memory.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
ccfns.so ccfns.po $(OUTPRE)ccfns.$(OBJEXT): ccfns.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
ser_cc.so ser_cc.po $(OUTPRE)ser_cc.$(OBJEXT): ser_cc.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
diff --git a/src/lib/krb5/ccache/cc_file.c b/src/lib/krb5/ccache/cc_file.c
index eb051c1..dff3038 100644
--- a/src/lib/krb5/ccache/cc_file.c
+++ b/src/lib/krb5/ccache/cc_file.c
@@ -2305,6 +2305,18 @@ lose:
#undef TCHECK
}
+/*
+ * Non-functional stub implementation for krb5_fcc_remove
+ *
+ * Errors:
+ * KRB5_CC_NOSUPP - not implemented
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_fcc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags,
+ krb5_creds *creds)
+{
+ return KRB5_CC_NOSUPP;
+}
/*
* Requires:
@@ -2413,7 +2425,7 @@ const krb5_cc_ops krb5_fcc_ops = {
krb5_fcc_start_seq_get,
krb5_fcc_next_cred,
krb5_fcc_end_seq_get,
- NULL, /* XXX krb5_fcc_remove, */
+ krb5_fcc_remove_cred,
krb5_fcc_set_flags,
};
@@ -2473,6 +2485,6 @@ const krb5_cc_ops krb5_cc_file_ops = {
krb5_fcc_start_seq_get,
krb5_fcc_next_cred,
krb5_fcc_end_seq_get,
- NULL, /* XXX krb5_fcc_remove, */
+ krb5_fcc_remove_cred,
krb5_fcc_set_flags,
};
diff --git a/src/lib/krb5/ccache/cc_memory.c b/src/lib/krb5/ccache/cc_memory.c
index 97ec327..c3aeb1e 100644
--- a/src/lib/krb5/ccache/cc_memory.c
+++ b/src/lib/krb5/ccache/cc_memory.c
@@ -519,6 +519,20 @@ krb5_mcc_store(krb5_context context, krb5_ccache id, krb5_creds *creds)
return ret;
}
+/*
+ * Non-functional stub implementation for krb5_mcc_remove
+ *
+ * Errors:
+ * KRB5_CC_NOSUPP - not implemented
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_mcc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags,
+ krb5_creds *creds)
+{
+ return KRB5_CC_NOSUPP;
+}
+
+
/*
* Requires:
* id is a cred cache returned by krb5_mcc_resolve or
@@ -553,6 +567,6 @@ const krb5_cc_ops krb5_mcc_ops = {
krb5_mcc_start_seq_get,
krb5_mcc_next_cred,
krb5_mcc_end_seq_get,
- NULL, /* XXX krb5_mcc_remove, */
+ krb5_mcc_remove_cred,
krb5_mcc_set_flags,
};
diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c
new file mode 100644
index 0000000..acb6449
--- /dev/null
+++ b/src/lib/krb5/ccache/cc_mslsa.c
@@ -0,0 +1,1429 @@
+/*
+ * lib/krb5/ccache/cc_mslsa.c
+ *
+ * Copyright 2003 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * Copyright 2000 by Carnegie Mellon University
+ *
+ * All Rights Reserved
+ *
+ * Permission to use, copy, modify, and distribute this software and its
+ * documentation for any purpose and without fee is hereby granted,
+ * provided that the above copyright notice appear in all copies and that
+ * both that copyright notice and this permission notice appear in
+ * supporting documentation, and that the name of Carnegie Mellon
+ * University not be used in advertising or publicity pertaining to
+ * distribution of the software without specific, written prior
+ * permission.
+ *
+ * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO
+ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+ * FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR
+ * ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Implementation of read-only microsoft windows lsa credentials cache
+ */
+
+#ifdef _WIN32
+#define UNICODE
+#define _UNICODE
+
+#include "k5-int.h"
+#include "com_err.h"
+
+#include <stdio.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <conio.h>
+#include <time.h>
+#define SECURITY_WIN32
+#include <security.h>
+#include <ntsecapi.h>
+
+#define MAX_MSG_SIZE 256
+#define MAX_MSPRINC_SIZE 1024
+
+static VOID
+ShowWinError(LPSTR szAPI, DWORD dwError)
+{
+
+ // TODO - Write errors to event log so that scripts that don't
+ // check for errors will still get something in the event log
+
+ WCHAR szMsgBuf[MAX_MSG_SIZE];
+ DWORD dwRes;
+
+ printf("Error calling function %s: %lu\n", szAPI, dwError);
+
+ dwRes = FormatMessage (
+ FORMAT_MESSAGE_FROM_SYSTEM,
+ NULL,
+ dwError,
+ MAKELANGID (LANG_ENGLISH, SUBLANG_ENGLISH_US),
+ szMsgBuf,
+ MAX_MSG_SIZE,
+ NULL);
+ if (0 == dwRes) {
+ printf("FormatMessage failed with %d\n", GetLastError());
+ ExitProcess(EXIT_FAILURE);
+ }
+
+ printf("%S",szMsgBuf);
+}
+
+static VOID
+ShowLsaError(LPSTR szAPI, NTSTATUS Status)
+{
+ //
+ // Convert the NTSTATUS to Winerror. Then call ShowWinError().
+ //
+ ShowWinError(szAPI, LsaNtStatusToWinError(Status));
+}
+
+
+
+static BOOL
+WINAPI
+UnicodeToANSI(LPTSTR lpInputString, LPSTR lpszOutputString, int nOutStringLen)
+{
+ CPINFO CodePageInfo;
+
+ GetCPInfo(CP_ACP, &CodePageInfo);
+
+ if (CodePageInfo.MaxCharSize > 1)
+ // Only supporting non-Unicode strings
+ return FALSE;
+ else if (((LPBYTE) lpInputString)[1] == '\0')
+ {
+ // Looks like unicode, better translate it
+ WideCharToMultiByte(CP_ACP, 0, (LPCWSTR) lpInputString, -1,
+ lpszOutputString, nOutStringLen, NULL, NULL);
+ }
+ else
+ lstrcpyA(lpszOutputString, (LPSTR) lpInputString);
+ return TRUE;
+} // UnicodeToANSI
+
+static VOID
+WINAPI
+ANSIToUnicode(LPSTR lpInputString, LPTSTR lpszOutputString, int nOutStringLen)
+{
+
+ CPINFO CodePageInfo;
+
+ lstrcpy(lpszOutputString, (LPTSTR) lpInputString);
+
+ GetCPInfo(CP_ACP, &CodePageInfo);
+
+ if (CodePageInfo.MaxCharSize > 1)
+ // It must already be a Unicode string
+ return;
+ else if (((LPBYTE) lpInputString)[1] != '\0')
+ {
+ // Looks like ANSI, better translate it
+ MultiByteToWideChar(CP_ACP, 0, (LPCSTR) lpInputString, -1,
+ (LPWSTR) lpszOutputString, nOutStringLen);
+ }
+ else
+ lstrcpy(lpszOutputString, (LPTSTR) lpInputString);
+} // ANSIToUnicode
+
+
+static void
+MITPrincToMSPrinc(krb5_context context, krb5_principal principal, UNICODE_STRING * msprinc)
+{
+ char *aname = NULL;
+
+ if (!krb5_unparse_name(context, principal, &aname)) {
+ msprinc->Length = strlen(aname) * sizeof(WCHAR);
+ ANSIToUnicode(aname, msprinc->Buffer, msprinc->MaximumLength);
+ krb5_free_unparsed_name(context,aname);
+ }
+}
+
+static void
+MSPrincToMITPrinc(KERB_EXTERNAL_NAME *msprinc, WCHAR *realm, krb5_context context, krb5_principal *principal)
+{
+ WCHAR princbuf[512],tmpbuf[128];
+ char aname[512];
+ USHORT i;
+ princbuf[0]=0;
+ for (i=0;i<msprinc->NameCount;i++) {
+ wcsncpy(tmpbuf, msprinc->Names[i].Buffer,
+ msprinc->Names[i].Length/sizeof(WCHAR));
+ tmpbuf[msprinc->Names[i].Length/sizeof(WCHAR)]=0;
+ if (princbuf[0])
+ wcscat(princbuf, L"/");
+ wcscat(princbuf, tmpbuf);
+ }
+ wcscat(princbuf, L"@");
+ wcscat(princbuf, realm);
+ UnicodeToANSI(princbuf, aname, sizeof(aname));
+ krb5_parse_name(context, aname, principal);
+}
+
+
+static time_t
+FileTimeToUnixTime(LARGE_INTEGER *ltime)
+{
+ FILETIME filetime, localfiletime;
+ SYSTEMTIME systime;
+ struct tm utime;
+ filetime.dwLowDateTime=ltime->LowPart;
+ filetime.dwHighDateTime=ltime->HighPart;
+ FileTimeToLocalFileTime(&filetime, &localfiletime);
+ FileTimeToSystemTime(&localfiletime, &systime);
+ utime.tm_sec=systime.wSecond;
+ utime.tm_min=systime.wMinute;
+ utime.tm_hour=systime.wHour;
+ utime.tm_mday=systime.wDay;
+ utime.tm_mon=systime.wMonth-1;
+ utime.tm_year=systime.wYear-1900;
+ utime.tm_isdst=-1;
+ return(mktime(&utime));
+}
+
+static void
+MSSessionKeyToMITKeyblock(KERB_CRYPTO_KEY *mskey, krb5_context context, krb5_keyblock *keyblock)
+{
+ krb5_keyblock tmpblock;
+ tmpblock.magic=KV5M_KEYBLOCK;
+ tmpblock.enctype=mskey->KeyType;
+ tmpblock.length=mskey->Length;
+ tmpblock.contents=mskey->Value;
+ krb5_copy_keyblock_contents(context, &tmpblock, keyblock);
+}
+
+
+static void
+MSFlagsToMITFlags(ULONG msflags, ULONG *mitflags)
+{
+ *mitflags=msflags;
+}
+
+static void
+MSTicketToMITTicket(KERB_EXTERNAL_TICKET *msticket, krb5_context context, krb5_data *ticket)
+{
+ krb5_data tmpdata, *newdata;
+ tmpdata.magic=KV5M_DATA;
+ tmpdata.length=msticket->EncodedTicketSize;
+ tmpdata.data=msticket->EncodedTicket;
+ // todo: fix this up a little. this is ugly and will break krb_free_data()
+ krb5_copy_data(context, &tmpdata, &newdata);
+ memcpy(ticket, newdata, sizeof(krb5_data));
+}
+
+static void
+MSCredToMITCred(KERB_EXTERNAL_TICKET *msticket, krb5_context context, krb5_creds *creds)
+{
+ WCHAR wtmp[128];
+ ZeroMemory(creds, sizeof(krb5_creds));
+ creds->magic=KV5M_CREDS;
+ wcsncpy(wtmp, msticket->TargetDomainName.Buffer,
+ msticket->TargetDomainName.Length/sizeof(WCHAR));
+ wtmp[msticket->TargetDomainName.Length/sizeof(WCHAR)]=0;
+ MSPrincToMITPrinc(msticket->ClientName, wtmp, context, &creds->client);
+ wcsncpy(wtmp, msticket->DomainName.Buffer,
+ msticket->DomainName.Length/sizeof(WCHAR));
+ wtmp[msticket->DomainName.Length/sizeof(WCHAR)]=0;
+ MSPrincToMITPrinc(msticket->ServiceName, wtmp, context, &creds->server);
+ MSSessionKeyToMITKeyblock(&msticket->SessionKey, context,
+ &creds->keyblock);
+ MSFlagsToMITFlags(msticket->TicketFlags, &creds->ticket_flags);
+ creds->times.starttime=FileTimeToUnixTime(&msticket->StartTime);
+ creds->times.endtime=FileTimeToUnixTime(&msticket->EndTime);
+ creds->times.renew_till=FileTimeToUnixTime(&msticket->RenewUntil);
+
+ /* MS Tickets are addressless. MIT requires an empty address
+ * not a NULL list of addresses.
+ */
+ creds->addresses = (krb5_address **)malloc(sizeof(krb5_address *));
+ memset(creds->addresses, 0, sizeof(krb5_address *));
+
+ MSTicketToMITTicket(msticket, context, &creds->ticket);
+}
+
+static BOOL
+PackageConnectLookup(HANDLE *pLogonHandle, ULONG *pPackageId)
+{
+ LSA_STRING Name;
+ NTSTATUS Status;
+
+ Status = LsaConnectUntrusted(
+ pLogonHandle
+ );
+
+ if (FAILED(Status))
+ {
+ ShowLsaError("LsaConnectUntrusted", Status);
+ return FALSE;
+ }
+
+ Name.Buffer = MICROSOFT_KERBEROS_NAME_A;
+ Name.Length = strlen(Name.Buffer);
+ Name.MaximumLength = Name.Length + 1;
+
+ Status = LsaLookupAuthenticationPackage(
+ *pLogonHandle,
+ &Name,
+ pPackageId
+ );
+
+ if (FAILED(Status))
+ {
+ ShowLsaError("LsaLookupAuthenticationPackage", Status);
+ return FALSE;
+ }
+
+ return TRUE;
+
+}
+
+
+static DWORD
+ConcatenateUnicodeStrings(UNICODE_STRING *pTarget, UNICODE_STRING Source1, UNICODE_STRING Source2)
+{
+ //
+ // The buffers for Source1 and Source2 cannot overlap pTarget's
+ // buffer. Source1.Length + Source2.Length must be <= 0xFFFF,
+ // otherwise we overflow...
+ //
+
+ USHORT TotalSize = Source1.Length + Source2.Length;
+ PBYTE buffer = (PBYTE) pTarget->Buffer;
+
+ if (TotalSize > pTarget->MaximumLength)
+ return ERROR_INSUFFICIENT_BUFFER;
+
+ if ( pTarget->Buffer != Source1.Buffer )
+ memcpy(buffer, Source1.Buffer, Source1.Length);
+ memcpy(buffer + Source1.Length, Source2.Buffer, Source2.Length);
+
+ pTarget->Length = TotalSize;
+ return ERROR_SUCCESS;
+}
+
+static BOOL
+get_STRING_from_registry(HKEY hBaseKey, char * key, char * value, char * outbuf, DWORD outlen)
+{
+ HKEY hKey;
+ DWORD dwCount;
+ LONG rc;
+
+ if (!outbuf || outlen == 0)
+ return FALSE;
+
+ rc = RegOpenKeyExA(hBaseKey, key, 0, KEY_QUERY_VALUE, &hKey);
+ if (rc)
+ return FALSE;
+
+ dwCount = outlen;
+ rc = RegQueryValueExA(hKey, value, 0, 0, (LPBYTE) outbuf, &dwCount);
+ RegCloseKey(hKey);
+
+ return rc?FALSE:TRUE;
+}
+
+static BOOL
+GetSecurityLogonSessionData(PSECURITY_LOGON_SESSION_DATA * ppSessionData)
+{
+ NTSTATUS Status = 0;
+ HANDLE TokenHandle;
+ TOKEN_STATISTICS Stats;
+ DWORD ReqLen;
+ BOOL Success;
+
+ if (!ppSessionData)
+ return FALSE;
+ *ppSessionData = NULL;
+
+ Success = OpenProcessToken( GetCurrentProcess(), TOKEN_QUERY, &TokenHandle );
+ if ( !Success )
+ return FALSE;
+
+ Success = GetTokenInformation( TokenHandle, TokenStatistics, &Stats, sizeof(TOKEN_STATISTICS), &ReqLen );
+ CloseHandle( TokenHandle );
+ if ( !Success )
+ return FALSE;
+
+ Status = LsaGetLogonSessionData( &Stats.AuthenticationId, ppSessionData );
+ if ( FAILED(Status) || !ppSessionData )
+ return FALSE;
+
+ return TRUE;
+}
+
+//
+// IsKerberosLogon() does not validate whether or not there are valid tickets in the
+// cache. It validates whether or not it is reasonable to assume that if we
+// attempted to retrieve valid tickets we could do so. Microsoft does not
+// automatically renew expired tickets. Therefore, the cache could contain
+// expired or invalid tickets. Microsoft also caches the user's password
+// and will use it to retrieve new TGTs if the cache is empty and tickets
+// are requested.
+
+static BOOL
+IsKerberosLogon(VOID)
+{
+ PSECURITY_LOGON_SESSION_DATA pSessionData = NULL;
+ BOOL Success = FALSE;
+
+ if ( GetSecurityLogonSessionData(&pSessionData) ) {
+ if ( pSessionData->AuthenticationPackage.Buffer ) {
+ WCHAR buffer[256];
+ WCHAR *usBuffer;
+ int usLength;
+
+ Success = FALSE;
+ usBuffer = (pSessionData->AuthenticationPackage).Buffer;
+ usLength = (pSessionData->AuthenticationPackage).Length;
+ if (usLength < 256)
+ {
+ lstrcpyn (buffer, usBuffer, usLength);
+ lstrcat (buffer,L"");
+ if ( !lstrcmp(L"Kerberos",buffer) )
+ Success = TRUE;
+ }
+ }
+ LsaFreeReturnBuffer(pSessionData);
+ }
+ return Success;
+}
+
+static NTSTATUS
+ConstructTicketRequest(UNICODE_STRING DomainName, PKERB_RETRIEVE_TKT_REQUEST * outRequest, ULONG * outSize)
+{
+ NTSTATUS Status;
+ UNICODE_STRING TargetPrefix;
+ USHORT TargetSize;
+ ULONG RequestSize;
+ PKERB_RETRIEVE_TKT_REQUEST pTicketRequest = NULL;
+
+ *outRequest = NULL;
+ *outSize = 0;
+
+ //
+ // Set up the "krbtgt/" target prefix into a UNICODE_STRING so we
+ // can easily concatenate it later.
+ //
+
+ TargetPrefix.Buffer = L"krbtgt/";
+ TargetPrefix.Length = wcslen(TargetPrefix.Buffer) * sizeof(WCHAR);
+ TargetPrefix.MaximumLength = TargetPrefix.Length;
+
+ //
+ // We will need to concatenate the "krbtgt/" prefix and the
+ // Logon Session's DnsDomainName into our request's target name.
+ //
+ // Therefore, first compute the necessary buffer size for that.
+ //
+ // Note that we might theoretically have integer overflow.
+ //
+
+ TargetSize = TargetPrefix.Length + DomainName.Length;
+
+ //
+ // The ticket request buffer needs to be a single buffer. That buffer
+ // needs to include the buffer for the target name.
+ //
+
+ RequestSize = sizeof(*pTicketRequest) + TargetSize;
+
+ //
+ // Allocate the request buffer and make sure it's zero-filled.
+ //
+
+ pTicketRequest = (PKERB_RETRIEVE_TKT_REQUEST) LocalAlloc(LMEM_ZEROINIT, RequestSize);
+ if (!pTicketRequest)
+ return GetLastError();
+
+ //
+ // Concatenate the target prefix with the previous reponse's
+ // target domain.
+ //
+
+ pTicketRequest->TargetName.Length = 0;
+ pTicketRequest->TargetName.MaximumLength = TargetSize;
+ pTicketRequest->TargetName.Buffer = (PWSTR) (pTicketRequest + 1);
+ Status = ConcatenateUnicodeStrings(&(pTicketRequest->TargetName),
+ TargetPrefix,
+ DomainName);
+ *outRequest = pTicketRequest;
+ *outSize = RequestSize;
+ return Status;
+}
+
+static BOOL
+PurgeMSTGT(HANDLE LogonHandle, ULONG PackageId)
+{
+ NTSTATUS Status = 0;
+ NTSTATUS SubStatus = 0;
+ KERB_PURGE_TKT_CACHE_REQUEST PurgeRequest;
+
+ PurgeRequest.MessageType = KerbPurgeTicketCacheMessage;
+ PurgeRequest.LogonId.LowPart = 0;
+ PurgeRequest.LogonId.HighPart = 0;
+ PurgeRequest.ServerName.Buffer = L"";
+ PurgeRequest.ServerName.Length = 0;
+ PurgeRequest.ServerName.MaximumLength = 0;
+ PurgeRequest.RealmName.Buffer = L"";
+ PurgeRequest.RealmName.Length = 0;
+ PurgeRequest.RealmName.MaximumLength = 0;
+ Status = LsaCallAuthenticationPackage(LogonHandle,
+ PackageId,
+ &PurgeRequest,
+ sizeof(PurgeRequest),
+ NULL,
+ NULL,
+ &SubStatus
+ );
+ if (FAILED(Status) || FAILED(SubStatus))
+ return FALSE;
+ return TRUE;
+}
+
+#define ENABLE_PURGING 1
+// to allow the purging of expired tickets from LSA cache. This is necessary
+// to force the retrieval of new TGTs. Microsoft does not appear to retrieve
+// new tickets when they expire. Instead they continue to accept the expired
+// tickets. This is safe to do because the LSA purges its cache when it
+// retrieves a new TGT (ms calls this renew) but not when it renews the TGT
+// (ms calls this refresh).
+
+static BOOL
+GetMSTGT(HANDLE LogonHandle, ULONG PackageId,KERB_EXTERNAL_TICKET **ticket)
+{
+ //
+ // INVARIANTS:
+ //
+ // (FAILED(Status) || FAILED(SubStatus)) ==> error
+ // bIsLsaError ==> LsaCallAuthenticationPackage() error
+ //
+
+ BOOL bIsLsaError = FALSE;
+ NTSTATUS Status = 0;
+ NTSTATUS SubStatus = 0;
+
+ KERB_QUERY_TKT_CACHE_REQUEST CacheRequest;
+ PKERB_RETRIEVE_TKT_REQUEST pTicketRequest;
+ PKERB_RETRIEVE_TKT_RESPONSE pTicketResponse = NULL;
+ ULONG RequestSize;
+ ULONG ResponseSize;
+#ifdef ENABLE_PURGING
+ int purge_cache = 0;
+#endif /* ENABLE_PURGING */
+ int ignore_cache = 0;
+
+ CacheRequest.MessageType = KerbRetrieveTicketMessage;
+ CacheRequest.LogonId.LowPart = 0;
+ CacheRequest.LogonId.HighPart = 0;
+
+ Status = LsaCallAuthenticationPackage(
+ LogonHandle,
+ PackageId,
+ &CacheRequest,
+ sizeof(CacheRequest),
+ &pTicketResponse,
+ &ResponseSize,
+ &SubStatus
+ );
+
+ if (FAILED(Status))
+ {
+ // if the call to LsaCallAuthenticationPackage failed we cannot
+ // perform any queries most likely because the Kerberos package
+ // is not available or we do not have access
+ bIsLsaError = TRUE;
+ goto cleanup;
+ }
+
+ if (FAILED(SubStatus)) {
+ PSECURITY_LOGON_SESSION_DATA pSessionData = NULL;
+ BOOL Success = FALSE;
+ OSVERSIONINFOEX verinfo;
+ int supported = 0;
+
+ // SubStatus 0x8009030E is not documented. However, it appears
+ // to mean there is no TGT
+ if (SubStatus != 0x8009030E) {
+ bIsLsaError = TRUE;
+ goto cleanup;
+ }
+
+ verinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
+ GetVersionEx((OSVERSIONINFO *)&verinfo);
+ supported = (verinfo.dwMajorVersion > 5) ||
+ (verinfo.dwMajorVersion == 5 && verinfo.dwMinorVersion >= 1);
+
+ // If we could not get a TGT from the cache we won't know what the
+ // Kerberos Domain should have been. On Windows XP and 2003 Server
+ // we can extract it from the Security Logon Session Data. However,
+ // the required fields are not supported on Windows 2000. :(
+ if ( supported && GetSecurityLogonSessionData(&pSessionData) ) {
+ if ( pSessionData->DnsDomainName.Buffer ) {
+ Status = ConstructTicketRequest(pSessionData->DnsDomainName,
+ &pTicketRequest, &RequestSize);
+ if ( FAILED(Status) ) {
+ goto cleanup;
+ }
+ } else {
+ bIsLsaError = TRUE;
+ goto cleanup;
+ }
+ LsaFreeReturnBuffer(pSessionData);
+ } else {
+ CHAR UserDnsDomain[256];
+ WCHAR UnicodeUserDnsDomain[256];
+ UNICODE_STRING wrapper;
+ if ( !get_STRING_from_registry(HKEY_CURRENT_USER,
+ "Volatile Environment",
+ "USERDNSDOMAIN",
+ UserDnsDomain,
+ sizeof(UserDnsDomain)
+ ) )
+ {
+ goto cleanup;
+ }
+
+ ANSIToUnicode(UserDnsDomain,UnicodeUserDnsDomain,256);
+ wrapper.Buffer = UnicodeUserDnsDomain;
+ wrapper.Length = wcslen(UnicodeUserDnsDomain) * sizeof(WCHAR);
+ wrapper.MaximumLength = 256;
+
+ Status = ConstructTicketRequest(wrapper,
+ &pTicketRequest, &RequestSize);
+ if ( FAILED(Status) ) {
+ goto cleanup;
+ }
+ }
+ } else {
+#ifdef PURGE_ALL
+ purge_cache = 1;
+#else
+ switch (pTicketResponse->Ticket.SessionKey.KeyType) {
+ case KERB_ETYPE_DES_CBC_CRC:
+ case KERB_ETYPE_DES_CBC_MD4:
+ case KERB_ETYPE_DES_CBC_MD5:
+ case KERB_ETYPE_NULL:
+ case KERB_ETYPE_RC4_HMAC_NT: {
+ FILETIME Now, MinLife, EndTime, LocalEndTime;
+ __int64 temp;
+ // FILETIME is in units of 100 nano-seconds
+ // If obtained tickets are either expired or have a lifetime
+ // less than 20 minutes, retry ...
+ GetSystemTimeAsFileTime(&Now);
+ EndTime.dwLowDateTime=pTicketResponse->Ticket.EndTime.LowPart;
+ EndTime.dwHighDateTime=pTicketResponse->Ticket.EndTime.HighPart;
+ FileTimeToLocalFileTime(&EndTime, &LocalEndTime);
+ temp = Now.dwHighDateTime;
+ temp <<= 32;
+ temp = Now.dwLowDateTime;
+ temp += 1200 * 10000;
+ MinLife.dwHighDateTime = (DWORD)((temp >> 32) & 0xFFFFFFFF);
+ MinLife.dwLowDateTime = (DWORD)(temp & 0xFFFFFFFF);
+ if (CompareFileTime(&MinLife, &LocalEndTime) >= 0) {
+#ifdef ENABLE_PURGING
+ purge_cache = 1;
+#else
+ ignore_cache = 1;
+#endif /* ENABLE_PURGING */
+ break;
+ }
+ if (pTicketResponse->Ticket.TicketFlags & KERB_TICKET_FLAGS_invalid) {
+ ignore_cache = 1;
+ break; // invalid, need to attempt a TGT request
+ }
+ goto cleanup; // all done
+ }
+ case KERB_ETYPE_RC4_MD4:
+ default:
+ // not supported
+ ignore_cache = 1;
+ break;
+ }
+#endif /* PURGE_ALL */
+
+ Status = ConstructTicketRequest(pTicketResponse->Ticket.TargetDomainName,
+ &pTicketRequest, &RequestSize);
+ if ( FAILED(Status) ) {
+ goto cleanup;
+ }
+
+ //
+ // Free the previous response buffer so we can get the new response.
+ //
+
+ if ( pTicketResponse ) {
+ memset(pTicketResponse,0,sizeof(KERB_RETRIEVE_TKT_RESPONSE));
+ LsaFreeReturnBuffer(pTicketResponse);
+ pTicketResponse = NULL;
+ }
+
+#ifdef ENABLE_PURGING
+ if ( purge_cache ) {
+ //
+ // Purge the existing tickets which we cannot use so new ones can
+ // be requested. It is not possible to purge just the TGT. All
+ // service tickets must be purged.
+ //
+ PurgeMSTGT(LogonHandle, PackageId);
+ }
+#endif /* ENABLE_PURGING */
+ }
+
+ //
+ // Intialize the request of the request.
+ //
+
+ pTicketRequest->MessageType = KerbRetrieveEncodedTicketMessage;
+ pTicketRequest->LogonId.LowPart = 0;
+ pTicketRequest->LogonId.HighPart = 0;
+ // Note: pTicketRequest->TargetName set up above
+#ifdef ENABLE_PURGING
+ pTicketRequest->CacheOptions = ((ignore_cache || !purge_cache) ?
+ KERB_RETRIEVE_TICKET_DONT_USE_CACHE : 0L);
+#else
+ pTicketRequest->CacheOptions = (ignore_cache ? KERB_RETRIEVE_TICKET_DONT_USE_CACHE : 0L);
+#endif /* ENABLE_PURGING */
+ pTicketRequest->TicketFlags = 0L;
+ pTicketRequest->EncryptionType = 0L;
+
+ Status = LsaCallAuthenticationPackage(
+ LogonHandle,
+ PackageId,
+ pTicketRequest,
+ RequestSize,
+ &pTicketResponse,
+ &ResponseSize,
+ &SubStatus
+ );
+
+ if (FAILED(Status) || FAILED(SubStatus))
+ {
+ bIsLsaError = TRUE;
+ goto cleanup;
+ }
+
+ //
+ // Check to make sure the new tickets we received are of a type we support
+ //
+
+ switch (pTicketResponse->Ticket.SessionKey.KeyType) {
+ case KERB_ETYPE_DES_CBC_CRC:
+ case KERB_ETYPE_DES_CBC_MD4:
+ case KERB_ETYPE_DES_CBC_MD5:
+ case KERB_ETYPE_NULL:
+ case KERB_ETYPE_RC4_HMAC_NT:
+ goto cleanup; // all done
+ case KERB_ETYPE_RC4_MD4:
+ default:
+ // not supported
+ break;
+ }
+
+
+ //
+ // Try once more but this time specify the Encryption Type
+ // (This will not store the retrieved tickets in the LSA cache)
+ //
+ pTicketRequest->EncryptionType = ENCTYPE_DES_CBC_CRC;
+ pTicketRequest->CacheOptions = KERB_RETRIEVE_TICKET_DONT_USE_CACHE;
+
+ if ( pTicketResponse ) {
+ memset(pTicketResponse,0,sizeof(KERB_RETRIEVE_TKT_RESPONSE));
+ LsaFreeReturnBuffer(pTicketResponse);
+ pTicketResponse = NULL;
+ }
+
+ Status = LsaCallAuthenticationPackage(
+ LogonHandle,
+ PackageId,
+ pTicketRequest,
+ RequestSize,
+ &pTicketResponse,
+ &ResponseSize,
+ &SubStatus
+ );
+
+ if (FAILED(Status) || FAILED(SubStatus))
+ {
+ bIsLsaError = TRUE;
+ goto cleanup;
+ }
+
+ cleanup:
+ if ( pTicketRequest )
+ LsaFreeReturnBuffer(pTicketRequest);
+
+ if (FAILED(Status) || FAILED(SubStatus))
+ {
+ if (bIsLsaError)
+ {
+ // XXX - Will be fixed later
+ if (FAILED(Status))
+ ShowLsaError("LsaCallAuthenticationPackage", Status);
+ if (FAILED(SubStatus))
+ ShowLsaError("LsaCallAuthenticationPackage", SubStatus);
+ }
+ else
+ {
+ ShowWinError("GetMSTGT", Status);
+ }
+
+ if (pTicketResponse) {
+ memset(pTicketResponse,0,sizeof(KERB_RETRIEVE_TKT_RESPONSE));
+ LsaFreeReturnBuffer(pTicketResponse);
+ pTicketResponse = NULL;
+ }
+ return(FALSE);
+ }
+
+ *ticket = &(pTicketResponse->Ticket);
+ return(TRUE);
+}
+
+static BOOL
+GetQueryTktCacheResponse( HANDLE LogonHandle, ULONG PackageId,
+ PKERB_QUERY_TKT_CACHE_RESPONSE * ppResponse)
+{
+ NTSTATUS Status = 0;
+ NTSTATUS SubStatus = 0;
+
+ KERB_QUERY_TKT_CACHE_REQUEST CacheRequest;
+ PKERB_QUERY_TKT_CACHE_RESPONSE pQueryResponse = NULL;
+ ULONG ResponseSize;
+
+ CacheRequest.MessageType = KerbQueryTicketCacheMessage;
+ CacheRequest.LogonId.LowPart = 0;
+ CacheRequest.LogonId.HighPart = 0;
+
+ Status = LsaCallAuthenticationPackage(
+ LogonHandle,
+ PackageId,
+ &CacheRequest,
+ sizeof(CacheRequest),
+ &pQueryResponse,
+ &ResponseSize,
+ &SubStatus
+ );
+
+ if ( !(FAILED(Status) || FAILED(SubStatus)) ) {
+ *ppResponse = pQueryResponse;
+ return TRUE;
+ }
+
+ return FALSE;
+}
+
+static void
+FreeQueryResponse(PKERB_QUERY_TKT_CACHE_RESPONSE pResponse)
+{
+ LsaFreeReturnBuffer(pResponse);
+}
+
+
+static BOOL
+GetMSCacheTicketFromMITCred( HANDLE LogonHandle, ULONG PackageId,
+ krb5_context context, krb5_creds *creds, PKERB_EXTERNAL_TICKET *ticket)
+{
+ NTSTATUS Status = 0;
+ NTSTATUS SubStatus = 0;
+ ULONG RequestSize;
+ PKERB_RETRIEVE_TKT_REQUEST pTicketRequest = NULL;
+ PKERB_RETRIEVE_TKT_RESPONSE pTicketResponse = NULL;
+ ULONG ResponseSize;
+
+ RequestSize = sizeof(*pTicketRequest) + MAX_MSPRINC_SIZE;
+
+ pTicketRequest = (PKERB_RETRIEVE_TKT_REQUEST) LocalAlloc(LMEM_ZEROINIT, RequestSize);
+ if (!pTicketRequest)
+ return FALSE;
+
+ pTicketRequest->MessageType = KerbRetrieveEncodedTicketMessage;
+ pTicketRequest->LogonId.LowPart = 0;
+ pTicketRequest->LogonId.HighPart = 0;
+
+ pTicketRequest->TargetName.Length = 0;
+ pTicketRequest->TargetName.MaximumLength = MAX_MSPRINC_SIZE;
+ pTicketRequest->TargetName.Buffer = (PWSTR) (pTicketRequest + 1);
+ MITPrincToMSPrinc(context, creds->server, &pTicketRequest->TargetName);
+ pTicketRequest->CacheOptions = 0;
+ pTicketRequest->TicketFlags = creds->ticket_flags;
+ pTicketRequest->EncryptionType = creds->keyblock.enctype;
+
+ Status = LsaCallAuthenticationPackage(
+ LogonHandle,
+ PackageId,
+ pTicketRequest,
+ RequestSize,
+ &pTicketResponse,
+ &ResponseSize,
+ &SubStatus
+ );
+
+ LocalFree(pTicketRequest);
+
+ if (FAILED(Status) || FAILED(SubStatus))
+ return(FALSE);
+
+ /* otherwise return ticket */
+ *ticket = &(pTicketResponse->Ticket);
+ return(TRUE);
+
+}
+
+static BOOL
+GetMSCacheTicketFromCacheInfo( HANDLE LogonHandle, ULONG PackageId,
+ PKERB_TICKET_CACHE_INFO tktinfo, PKERB_EXTERNAL_TICKET *ticket)
+{
+ NTSTATUS Status = 0;
+ NTSTATUS SubStatus = 0;
+ ULONG RequestSize;
+ PKERB_RETRIEVE_TKT_REQUEST pTicketRequest = NULL;
+ PKERB_RETRIEVE_TKT_RESPONSE pTicketResponse = NULL;
+ ULONG ResponseSize;
+
+ RequestSize = sizeof(*pTicketRequest) + tktinfo->ServerName.Length;
+
+ pTicketRequest = (PKERB_RETRIEVE_TKT_REQUEST) LocalAlloc(LMEM_ZEROINIT, RequestSize);
+ if (!pTicketRequest)
+ return FALSE;
+
+ pTicketRequest->MessageType = KerbRetrieveEncodedTicketMessage;
+ pTicketRequest->LogonId.LowPart = 0;
+ pTicketRequest->LogonId.HighPart = 0;
+ pTicketRequest->TargetName.Length = tktinfo->ServerName.Length;
+ pTicketRequest->TargetName.MaximumLength = tktinfo->ServerName.Length;
+ pTicketRequest->TargetName.Buffer = (PWSTR) (pTicketRequest + 1);
+ memcpy(pTicketRequest->TargetName.Buffer,tktinfo->ServerName.Buffer, tktinfo->ServerName.Length);
+ pTicketRequest->CacheOptions = 0;
+ pTicketRequest->EncryptionType = tktinfo->EncryptionType;
+ pTicketRequest->TicketFlags = tktinfo->TicketFlags;
+
+ Status = LsaCallAuthenticationPackage(
+ LogonHandle,
+ PackageId,
+ pTicketRequest,
+ RequestSize,
+ &pTicketResponse,
+ &ResponseSize,
+ &SubStatus
+ );
+
+ LocalFree(pTicketRequest);
+
+ if (FAILED(Status) || FAILED(SubStatus))
+ return(FALSE);
+
+ /* otherwise return ticket */
+ *ticket = &(pTicketResponse->Ticket);
+ return(TRUE);
+
+}
+
+static krb5_error_code KRB5_CALLCONV krb5_lcc_close
+ (krb5_context, krb5_ccache id);
+
+static krb5_error_code KRB5_CALLCONV krb5_lcc_destroy
+ (krb5_context, krb5_ccache id);
+
+static krb5_error_code KRB5_CALLCONV krb5_lcc_end_seq_get
+ (krb5_context, krb5_ccache id, krb5_cc_cursor *cursor);
+
+static krb5_error_code KRB5_CALLCONV krb5_lcc_generate_new
+ (krb5_context, krb5_ccache *id);
+
+static const char * KRB5_CALLCONV krb5_lcc_get_name
+ (krb5_context, krb5_ccache id);
+
+static krb5_error_code KRB5_CALLCONV krb5_lcc_get_principal
+ (krb5_context, krb5_ccache id, krb5_principal *princ);
+
+static krb5_error_code KRB5_CALLCONV krb5_lcc_initialize
+ (krb5_context, krb5_ccache id, krb5_principal princ);
+
+static krb5_error_code KRB5_CALLCONV krb5_lcc_next_cred
+ (krb5_context, krb5_ccache id, krb5_cc_cursor *cursor,
+ krb5_creds *creds);
+
+static krb5_error_code KRB5_CALLCONV krb5_lcc_resolve
+ (krb5_context, krb5_ccache *id, const char *residual);
+
+static krb5_error_code KRB5_CALLCONV krb5_lcc_retrieve
+ (krb5_context, krb5_ccache id, krb5_flags whichfields,
+ krb5_creds *mcreds, krb5_creds *creds);
+
+static krb5_error_code KRB5_CALLCONV krb5_lcc_start_seq_get
+ (krb5_context, krb5_ccache id, krb5_cc_cursor *cursor);
+
+static krb5_error_code KRB5_CALLCONV krb5_lcc_store
+ (krb5_context, krb5_ccache id, krb5_creds *creds);
+
+static krb5_error_code KRB5_CALLCONV krb5_lcc_set_flags
+ (krb5_context, krb5_ccache id, krb5_flags flags);
+
+extern const krb5_cc_ops krb5_lcc_ops;
+
+krb5_error_code krb5_change_cache (void);
+
+krb5_boolean
+krb5int_cc_creds_match_request(krb5_context, krb5_flags whichfields, krb5_creds *mcreds, krb5_creds *creds);
+
+#define KRB5_OK 0
+
+typedef struct _krb5_lcc_data {
+ HANDLE LogonHandle;
+ ULONG PackageId;
+ char * cc_name;
+ krb5_principal princ;
+} krb5_lcc_data;
+
+typedef struct _krb5_lcc_cursor {
+ PKERB_QUERY_TKT_CACHE_RESPONSE response;
+ int index;
+} krb5_lcc_cursor;
+
+
+/*
+ * Requires:
+ * residual is ignored
+ *
+ * Modifies:
+ * id
+ *
+ * Effects:
+ * creates a file-based cred cache that will reside in the file
+ * residual. The cache is not opened, but the filename is reserved.
+ *
+ * Returns:
+ * A filled in krb5_ccache structure "id".
+ *
+ * Errors:
+ * KRB5_CC_NOMEM - there was insufficient memory to allocate the
+ *
+ * krb5_ccache. id is undefined.
+ * permission errors
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_lcc_resolve (krb5_context context, krb5_ccache *id, const char *residual)
+{
+ krb5_ccache lid;
+ krb5_lcc_data *data;
+ HANDLE LogonHandle;
+ ULONG PackageId;
+ KERB_EXTERNAL_TICKET *msticket;
+
+ if (!IsKerberosLogon())
+ return KRB5_FCC_NOFILE;
+
+ if(!PackageConnectLookup(&LogonHandle, &PackageId))
+ return KRB5_FCC_NOFILE;
+
+ lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache));
+ if (lid == NULL) {
+ CloseHandle(LogonHandle);
+ return KRB5_CC_NOMEM;
+ }
+
+ lid->ops = &krb5_lcc_ops;
+
+ lid->data = (krb5_pointer) malloc(sizeof(krb5_lcc_data));
+ if (lid->data == NULL) {
+ krb5_xfree(lid);
+ CloseHandle(LogonHandle);
+ return KRB5_CC_NOMEM;
+ }
+
+ lid->magic = KV5M_CCACHE;
+ data = (krb5_lcc_data *)lid->data;
+ data->LogonHandle = LogonHandle;
+ data->PackageId = PackageId;
+
+ data->cc_name = (char *)malloc(strlen(residual)+1);
+ if (data->cc_name == NULL) {
+ krb5_xfree(lid->data);
+ krb5_xfree(lid);
+ CloseHandle(LogonHandle);
+ return KRB5_CC_NOMEM;
+ }
+ strcpy(data->cc_name, residual);
+
+ /*
+ * we must obtain a tgt from the cache in order to determine the principal
+ */
+ if (GetMSTGT(data->LogonHandle, data->PackageId, &msticket)) {
+ /* convert the ticket */
+ krb5_creds creds;
+ MSCredToMITCred(msticket, context, &creds);
+ LsaFreeReturnBuffer(msticket);
+
+ krb5_copy_principal(context, creds.client, &data->princ);
+ krb5_free_cred_contents(context,&creds);
+ } else {
+ data->princ = 0;
+ }
+
+ /*
+ * other routines will get errors on open, and callers must expect them,
+ * if cache is non-existent/unusable
+ */
+ *id = lid;
+ return KRB5_OK;
+}
+
+/*
+ * not supported
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_lcc_initialize(krb5_context context, krb5_ccache id, krb5_principal princ)
+{
+ return KRB5_CC_READONLY;
+}
+
+
+/*
+ * Modifies:
+ * id
+ *
+ * Effects:
+ * Closes the microsoft lsa cache, invalidates the id, and frees any resources
+ * associated with the cache.
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_lcc_close(krb5_context context, krb5_ccache id)
+{
+ register int closeval = KRB5_OK;
+ register krb5_lcc_data *data = (krb5_lcc_data *) id->data;
+
+ CloseHandle(data->LogonHandle);
+
+ krb5_xfree(data);
+ krb5_xfree(id);
+
+ return closeval;
+}
+
+/*
+ * Effects:
+ * Destroys the contents of id.
+ *
+ * Errors:
+ * system errors
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_lcc_destroy(krb5_context context, krb5_ccache id)
+{
+ register krb5_lcc_data *data = (krb5_lcc_data *) id->data;
+
+ return PurgeMSTGT(data->LogonHandle, data->PackageId) ? KRB5_FCC_INTERNAL : KRB5_OK;
+}
+
+/*
+ * Effects:
+ * Prepares for a sequential search of the credentials cache.
+ * Returns a krb5_cc_cursor to be used with krb5_lcc_next_cred and
+ * krb5_lcc_end_seq_get.
+ *
+ * If the cache is modified between the time of this call and the time
+ * of the final krb5_lcc_end_seq_get, the results are undefined.
+ *
+ * Errors:
+ * KRB5_CC_NOMEM
+ * KRB5_FCC_INTERNAL - system errors
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_lcc_start_seq_get(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor)
+{
+ krb5_lcc_cursor *lcursor;
+ krb5_lcc_data *data = (krb5_lcc_data *)id->data;
+ KERB_EXTERNAL_TICKET *msticket;
+
+ /*
+ * obtain a tgt to refresh the ccache in case the ticket is expired
+ */
+ if (GetMSTGT(data->LogonHandle, data->PackageId, &msticket)) {
+ LsaFreeReturnBuffer(msticket);
+ }
+
+ lcursor = (krb5_lcc_cursor *) malloc(sizeof(krb5_lcc_cursor));
+ if (lcursor == NULL)
+ return KRB5_CC_NOMEM;
+
+ if ( !GetQueryTktCacheResponse(data->LogonHandle, data->PackageId, &lcursor->response) ) {
+ free(lcursor);
+ KRB5_FCC_INTERNAL;
+ }
+ lcursor->index = 0;
+ *cursor = (krb5_cc_cursor) lcursor;
+
+ return KRB5_OK;
+}
+
+
+/*
+ * Requires:
+ * cursor is a krb5_cc_cursor originally obtained from
+ * krb5_lcc_start_seq_get.
+ *
+ * Modifes:
+ * cursor
+ *
+ * Effects:
+ * Fills in creds with the TGT obtained from the MS LSA
+ *
+ * The cursor is updated to indicate TGT retrieval
+ *
+ * Errors:
+ * KRB5_CC_END
+ * KRB5_FCC_INTERNAL - system errors
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_lcc_next_cred(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor, krb5_creds *creds)
+{
+ krb5_lcc_cursor *lcursor = (krb5_lcc_cursor *) *cursor;
+ krb5_lcc_data *data = (krb5_lcc_data *)id->data;
+ KERB_EXTERNAL_TICKET *msticket;
+
+ if ( lcursor->index >= lcursor->response->CountOfTickets )
+ return KRB5_CC_END;
+
+ if (!GetMSCacheTicketFromCacheInfo(data->LogonHandle, data->PackageId,
+ &lcursor->response->Tickets[lcursor->index++],&msticket))
+ return KRB5_FCC_INTERNAL;
+
+ /* convert the ticket */
+ MSCredToMITCred(msticket, context, creds);
+
+ LsaFreeReturnBuffer(msticket);
+ return KRB5_OK;
+}
+
+/*
+ * Requires:
+ * cursor is a krb5_cc_cursor originally obtained from
+ * krb5_lcc_start_seq_get.
+ *
+ * Modifies:
+ * id, cursor
+ *
+ * Effects:
+ * Finishes sequential processing of the file credentials ccache id,
+ * and invalidates the cursor (it must never be used after this call).
+ */
+/* ARGSUSED */
+static krb5_error_code KRB5_CALLCONV
+krb5_lcc_end_seq_get(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor)
+{
+ krb5_lcc_cursor *lcursor = (krb5_lcc_cursor *) *cursor;
+
+ LsaFreeReturnBuffer(lcursor->response);
+ free(*cursor);
+ return KRB5_OK;
+}
+
+
+/*
+ * Errors:
+ * KRB5_CC_READONLY - not supported
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_lcc_generate_new (krb5_context context, krb5_ccache *id)
+{
+ return KRB5_CC_READONLY;
+}
+
+/*
+ * Requires:
+ * id is a ms lsa credential cache
+ *
+ * Returns:
+ * The ccname specified during the krb5_lcc_resolve call
+ */
+static const char * KRB5_CALLCONV
+krb5_lcc_get_name (krb5_context context, krb5_ccache id)
+{
+ return (char *) ((krb5_lcc_data *) id->data)->cc_name;
+}
+
+/*
+ * Modifies:
+ * id, princ
+ *
+ * Effects:
+ * Retrieves the primary principal from id, as set with
+ * krb5_lcc_initialize. The principal is returned is allocated
+ * storage that must be freed by the caller via krb5_free_principal.
+ *
+ * Errors:
+ * system errors
+ * KRB5_CC_NOT_KTYPE
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_lcc_get_principal(krb5_context context, krb5_ccache id, krb5_principal *princ)
+{
+ krb5_error_code kret = KRB5_OK;
+
+ /* obtain principal */
+ return krb5_copy_principal(context, ((krb5_lcc_data *) id->data)->princ, princ);
+}
+
+
+static krb5_error_code KRB5_CALLCONV
+krb5_lcc_retrieve(krb5_context context, krb5_ccache id, krb5_flags whichfields,
+ krb5_creds *mcreds, krb5_creds *creds)
+{
+ krb5_error_code kret = KRB5_OK;
+ krb5_lcc_data *data = (krb5_lcc_data *)id->data;
+ KERB_EXTERNAL_TICKET *msticket = 0;
+ krb5_creds * mcreds_noflags;
+ krb5_creds * fetchcreds;
+
+ /* first try to find out if we have an existing ticket which meets the requirements */
+ kret = krb5_cc_retrieve_cred_default (context, id, whichfields, mcreds, creds);
+ if ( !kret )
+ return KRB5_OK;
+
+ /* if not, we must try to get a ticket without specifying any flags or etypes */
+ krb5_copy_creds(context, mcreds, &mcreds_noflags);
+ mcreds_noflags->ticket_flags = 0;
+ mcreds_noflags->keyblock.enctype = 0;
+
+ if (!GetMSCacheTicketFromMITCred(data->LogonHandle, data->PackageId, context, mcreds_noflags, &msticket)) {
+ kret = KRB5_CC_NOTFOUND;
+ goto cleanup;
+ }
+
+ /* try again to find out if we have an existing ticket which meets the requirements */
+ kret = krb5_cc_retrieve_cred_default (context, id, whichfields, mcreds, creds);
+ if ( !kret )
+ goto cleanup;
+
+ /* if not, obtain a ticket using the request flags and enctype even though it will not
+ * be stored in the LSA cache for future use.
+ */
+ if ( msticket ) {
+ LsaFreeReturnBuffer(msticket);
+ msticket = 0;
+ }
+
+ if (!GetMSCacheTicketFromMITCred(data->LogonHandle, data->PackageId, context, mcreds, &msticket)) {
+ kret = KRB5_CC_NOTFOUND;
+ goto cleanup;
+ }
+
+ /* convert the ticket */
+ MSCredToMITCred(msticket, context, fetchcreds);
+
+ /* check to see if this ticket matches the request using logic from
+ * krb5_cc_retrieve_cred_default()
+ */
+ if ( krb5int_cc_creds_match_request(context, whichfields, mcreds, fetchcreds) ) {
+ creds = fetchcreds;
+ } else {
+ krb5_free_creds(context, fetchcreds);
+ kret = KRB5_CC_NOTFOUND;
+ }
+
+ cleanup:
+ if ( msticket )
+ LsaFreeReturnBuffer(msticket);
+ if ( mcreds_noflags )
+ krb5_free_creds(context, mcreds_noflags);
+ return kret;
+}
+
+
+/*
+ * We can't write to the MS LSA cache. So we request the cache to obtain a ticket for the same
+ * principal in the hope that next time the application requires a ticket for the service it
+ * is attempt to store, the retrieved ticket will be good enough.
+ *
+ * Errors:
+ * KRB5_CC_READONLY - not supported
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_lcc_store(krb5_context context, krb5_ccache id, krb5_creds *creds)
+{
+ krb5_error_code kret = KRB5_OK;
+ krb5_lcc_data *data = (krb5_lcc_data *)id->data;
+ KERB_EXTERNAL_TICKET *msticket = 0;
+ krb5_creds * creds_noflags;
+
+ /* if not, we must try to get a ticket without specifying any flags or etypes */
+ krb5_copy_creds(context, creds, &creds_noflags);
+ creds_noflags->ticket_flags = 0;
+ creds_noflags->keyblock.enctype = 0;
+
+ if (GetMSCacheTicketFromMITCred(data->LogonHandle, data->PackageId, context, creds_noflags, &msticket)) {
+ LsaFreeReturnBuffer(msticket);
+ return KRB5_OK;
+ }
+ return KRB5_CC_READONLY;
+}
+
+/*
+ * The ability to remove a credential from the MS LSA cache cannot be implemented.
+ *
+ * Errors:
+ * KRB5_CC_READONLY:
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_lcc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags,
+ krb5_creds *creds)
+{
+ return KRB5_CC_READONLY;
+}
+
+
+/*
+ * Effects:
+ * None - ignored
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_lcc_set_flags(krb5_context context, krb5_ccache id, krb5_flags flags)
+{
+ return KRB5_OK;
+}
+
+const krb5_cc_ops krb5_lcc_ops = {
+ 0,
+ "MSLSA",
+ krb5_lcc_get_name,
+ krb5_lcc_resolve,
+ krb5_lcc_generate_new,
+ krb5_lcc_initialize,
+ krb5_lcc_destroy,
+ krb5_lcc_close,
+ krb5_lcc_store,
+ krb5_lcc_retrieve,
+ krb5_lcc_get_principal,
+ krb5_lcc_start_seq_get,
+ krb5_lcc_next_cred,
+ krb5_lcc_end_seq_get,
+ krb5_lcc_remove_cred,
+ krb5_lcc_set_flags
+};
+#endif /* _WIN32 */ \ No newline at end of file
diff --git a/src/lib/krb5/ccache/cc_retr.c b/src/lib/krb5/ccache/cc_retr.c
index ebd6193..80d3164 100644
--- a/src/lib/krb5/ccache/cc_retr.c
+++ b/src/lib/krb5/ccache/cc_retr.c
@@ -157,6 +157,40 @@ pref (krb5_enctype my_ktype, int nktypes, krb5_enctype *ktypes)
* KRB5_CC_NOT_KTYPE
*/
+krb5_boolean
+krb5int_cc_creds_match_request(krb5_context context, krb5_flags whichfields, krb5_creds *mcreds, krb5_creds *creds)
+{
+ if (((set(KRB5_TC_MATCH_SRV_NAMEONLY) &&
+ srvname_match(context, mcreds, creds)) ||
+ standard_fields_match(context, mcreds, creds))
+ &&
+ (! set(KRB5_TC_MATCH_IS_SKEY) ||
+ mcreds->is_skey == creds->is_skey)
+ &&
+ (! set(KRB5_TC_MATCH_FLAGS_EXACT) ||
+ mcreds->ticket_flags == creds->ticket_flags)
+ &&
+ (! set(KRB5_TC_MATCH_FLAGS) ||
+ flags_match(mcreds->ticket_flags, creds->ticket_flags))
+ &&
+ (! set(KRB5_TC_MATCH_TIMES_EXACT) ||
+ times_match_exact(&mcreds->times, &creds->times))
+ &&
+ (! set(KRB5_TC_MATCH_TIMES) ||
+ times_match(&mcreds->times, &creds->times))
+ &&
+ ( ! set(KRB5_TC_MATCH_AUTHDATA) ||
+ authdata_match(mcreds->authdata, creds->authdata))
+ &&
+ (! set(KRB5_TC_MATCH_2ND_TKT) ||
+ data_match (&mcreds->second_ticket, &creds->second_ticket))
+ &&
+ ((! set(KRB5_TC_MATCH_KTYPE))||
+ (mcreds->keyblock.enctype == creds->keyblock.enctype)))
+ return TRUE;
+ return FALSE;
+}
+
static krb5_error_code
krb5_cc_retrieve_cred_seq (krb5_context context, krb5_ccache id, krb5_flags whichfields, krb5_creds *mcreds, krb5_creds *creds, int nktypes, krb5_enctype *ktypes)
{
@@ -178,34 +212,8 @@ krb5_cc_retrieve_cred_seq (krb5_context context, krb5_ccache id, krb5_flags whic
return kret;
while ((kret = krb5_cc_next_cred(context, id, &cursor, &fetchcreds)) == KRB5_OK) {
- if (((set(KRB5_TC_MATCH_SRV_NAMEONLY) &&
- srvname_match(context, mcreds, &fetchcreds)) ||
- standard_fields_match(context, mcreds, &fetchcreds))
- &&
- (! set(KRB5_TC_MATCH_IS_SKEY) ||
- mcreds->is_skey == fetchcreds.is_skey)
- &&
- (! set(KRB5_TC_MATCH_FLAGS_EXACT) ||
- mcreds->ticket_flags == fetchcreds.ticket_flags)
- &&
- (! set(KRB5_TC_MATCH_FLAGS) ||
- flags_match(mcreds->ticket_flags, fetchcreds.ticket_flags))
- &&
- (! set(KRB5_TC_MATCH_TIMES_EXACT) ||
- times_match_exact(&mcreds->times, &fetchcreds.times))
- &&
- (! set(KRB5_TC_MATCH_TIMES) ||
- times_match(&mcreds->times, &fetchcreds.times))
- &&
- ( ! set(KRB5_TC_MATCH_AUTHDATA) ||
- authdata_match(mcreds->authdata, fetchcreds.authdata))
- &&
- (! set(KRB5_TC_MATCH_2ND_TKT) ||
- data_match (&mcreds->second_ticket, &fetchcreds.second_ticket))
- &&
- ((! set(KRB5_TC_MATCH_KTYPE))||
- (mcreds->keyblock.enctype == fetchcreds.keyblock.enctype)))
- {
+ if (krb5int_cc_creds_match_request(context, whichfields, mcreds, &fetchcreds))
+ {
if (ktypes) {
fetched.pref = pref (fetchcreds.keyblock.enctype,
nktypes, ktypes);
diff --git a/src/lib/krb5/ccache/ccbase.c b/src/lib/krb5/ccache/ccbase.c
index ddd5e80..f178706 100644
--- a/src/lib/krb5/ccache/ccbase.c
+++ b/src/lib/krb5/ccache/ccbase.c
@@ -29,6 +29,8 @@
#include "k5-int.h"
+#include "fcc.h"
+
struct krb5_cc_typelist
{
krb5_cc_ops *ops;
@@ -36,9 +38,19 @@ struct krb5_cc_typelist
};
extern const krb5_cc_ops krb5_mcc_ops;
-static struct krb5_cc_typelist cc_entry = { &krb5_mcc_ops, NULL };
+#ifdef _WIN32
+extern const krb5_cc_ops krb5_lcc_ops;
+static struct krb5_cc_typelist cc_lcc_entry = { &krb5_lcc_ops, NULL };
+static struct krb5_cc_typelist cc_mcc_entry = { &krb5_mcc_ops, &cc_lcc_entry };
+#else
+static struct krb5_cc_typelist cc_mcc_entry = { &krb5_mcc_ops, NULL };
+#endif
+
+static struct krb5_cc_typelist cc_fcc_entry = { &krb5_cc_file_ops,
+ &cc_mcc_entry };
+
+static struct krb5_cc_typelist *cc_typehead = &cc_fcc_entry;
-static struct krb5_cc_typelist *cc_typehead = &cc_entry;
/*
* Register a new credentials cache type
diff --git a/src/lib/krb5/ccache/ccdefault.c b/src/lib/krb5/ccache/ccdefault.c
index 71e6f9c..3dfb1a3 100644
--- a/src/lib/krb5/ccache/ccdefault.c
+++ b/src/lib/krb5/ccache/ccdefault.c
@@ -31,6 +31,11 @@
#ifdef USE_LOGIN_LIBRARY
#include "KerberosLoginPrivate.h"
+#else
+#ifdef USE_LEASH
+static void (*pLeash_AcquireInitialTicketsIfNeeded)(krb5_context,krb5_principal) = NULL;
+static HANDLE hLeashDLL = INVALID_HANDLE_VALUE;
+#endif
#endif
@@ -111,6 +116,29 @@ krb5int_cc_default(krb5_context context, krb5_ccache *ccache)
if (desiredPrincipal != nil)
KLDisposePrincipal (desiredPrincipal);
}
+#else
+#ifdef USE_LEASH
+
+ if ( hLeashDLL == INVALID_HANDLE_VALUE ) {
+ hLeashDLL = LoadLibrary("leashw32.dll");
+ if ( hLeashDLL != INVALID_HANDLE_VALUE ) {
+ (FARPROC) pLeash_AcquireInitialTicketsIfNeeded =
+ GetProcAddress(hLeashDLL, "not_an_API_Leash_AcquireInitialTicketsIfNeeded");
+ }
+ }
+
+ if ( pLeash_AcquireInitialTicketsIfNeeded )
+ {
+ krb5_os_context os_ctx;
+
+ if (!context || context->magic != KV5M_CONTEXT)
+ return KV5M_CONTEXT;
+
+ os_ctx = context->os_context;
+
+ pLeash_AcquireInitialTicketsIfNeeded(context,os_ctx->default_ccprincipal);
+ }
+#endif
#endif
return krb5_cc_default (context, ccache);
diff --git a/src/lib/krb5/error_tables/.Sanitize b/src/lib/krb5/error_tables/.Sanitize
index b952162..ba18e42 100644
--- a/src/lib/krb5/error_tables/.Sanitize
+++ b/src/lib/krb5/error_tables/.Sanitize
@@ -34,6 +34,7 @@ configure.in
init_ets.c
kdb5_err.et
krb5_err.et
+krb524_err.et
kv5m_err.et
Things-to-lose:
diff --git a/src/lib/krb5/error_tables/ChangeLog b/src/lib/krb5/error_tables/ChangeLog
index 2de7f07..c51b6c7 100644
--- a/src/lib/krb5/error_tables/ChangeLog
+++ b/src/lib/krb5/error_tables/ChangeLog
@@ -1,3 +1,30 @@
+2004-01-06 Jeffrey Altman <jaltman@mit.edu>
+
+ * krb5_err.et (KRB5_CC_NOSUPP) new ccache error code
+
+2003-12-12 Jeffrey Altman <jaltman@mit.edu>
+
+ * krb5_err.et (KRB5_CC_READONLY) new ccache error code
+
+2003-07-19 Ezra Peisach <epeisach@mit.edu>
+
+ * init_ets.c (krb5_init_ets): Only initialize error tables once -
+ so that init_conext/free_context loops do not result in memory
+ leaks.
+
+2003-06-03 Ken Raeburn <raeburn@mit.edu>
+
+ * krb5_err.et (KRB5_ERR_NO_SERVICE): New error code.
+
+2003-05-24 Ken Raeburn <raeburn@mit.edu>
+
+ * krb524_err.et: New file, moved from ../../../krb524. Add new
+ error code KRB524_KRB4_DISABLED.
+ * Makefile.in (STLIBOBJS, HDRS, OBJS, ETSRCS, SRCS, awk-windows):
+ Add it.
+ ($(OUTPRE)krb524_err.$(OBJEXT)): List dependence on .c file.
+ * init_ets.c (krb5_init_ets): Call initialize_k524_error_table.
+
2003-03-04 Ken Raeburn <raeburn@mit.edu>
* krb5_err.et (KRB5_ERR_BAD_S2K_PARAMS): New error code.
diff --git a/src/lib/krb5/error_tables/Makefile.in b/src/lib/krb5/error_tables/Makefile.in
index da1f770..0192f79 100644
--- a/src/lib/krb5/error_tables/Makefile.in
+++ b/src/lib/krb5/error_tables/Makefile.in
@@ -12,13 +12,14 @@ THDRDIR=$(BUILDTOP)$(S)include
EHDRDIR=$(BUILDTOP)$(S)include$(S)krb5
STLIBOBJS= asn1_err.o kdb5_err.o krb5_err.o \
- kv5m_err.o init_ets.o
+ kv5m_err.o krb524_err.o init_ets.o
-HDRS= asn1_err.h kdb5_err.h krb5_err.h kv5m_err.h
+HDRS= asn1_err.h kdb5_err.h krb5_err.h kv5m_err.h krb524_err.h
OBJS= $(OUTPRE)asn1_err.$(OBJEXT) $(OUTPRE)kdb5_err.$(OBJEXT) $(OUTPRE)krb5_err.$(OBJEXT) \
- $(OUTPRE)kv5m_err.$(OBJEXT) $(OUTPRE)init_ets.$(OBJEXT)
-ETSRCS= asn1_err.c kdb5_err.c krb5_err.c kv5m_err.c
-SRCS= asn1_err.c kdb5_err.c krb5_err.c kv5m_err.c \
+ $(OUTPRE)kv5m_err.$(OBJEXT) $(OUTPRE)krb524_err.$(OBJEXT) \
+ $(OUTPRE)init_ets.$(OBJEXT)
+ETSRCS= asn1_err.c kdb5_err.c krb5_err.c kv5m_err.c krb524_err.c
+SRCS= asn1_err.c kdb5_err.c krb5_err.c kv5m_err.c krb524_err.c \
$(srcdir)/init_ets.c
##DOS##LIBOBJS = $(OBJS)
@@ -40,14 +41,17 @@ awk-windows:
$(AWK) -f $(SRCTOP)/util/et/et_h.awk outfile=kdb5_err.h kdb5_err.et
$(AWK) -f $(SRCTOP)/util/et/et_h.awk outfile=krb5_err.h krb5_err.et
$(AWK) -f $(SRCTOP)/util/et/et_h.awk outfile=kv5m_err.h kv5m_err.et
+ $(AWK) -f $(SRCTOP)/util/et/et_h.awk outfile=krb524_err.h krb524_err.et
$(AWK) -f $(SRCTOP)/util/et/et_c.awk outfile=asn1_err.c asn1_err.et
$(AWK) -f $(SRCTOP)/util/et/et_c.awk outfile=kdb5_err.c kdb5_err.et
$(AWK) -f $(SRCTOP)/util/et/et_c.awk outfile=krb5_err.c krb5_err.et
$(AWK) -f $(SRCTOP)/util/et/et_c.awk outfile=kv5m_err.c kv5m_err.et
+ $(AWK) -f $(SRCTOP)/util/et/et_c.awk outfile=krb524_err.c krb524_err.et
if exist asn1_err.h copy asn1_err.h "$(EHDRDIR)"
if exist kdb5_err.h copy kdb5_err.h "$(EHDRDIR)"
if exist krb5_err.h copy krb5_err.h "$(EHDRDIR)"
if exist kv5m_err.h copy kv5m_err.h "$(EHDRDIR)"
+ if exist krb524_err.h copy krb524_err.h "$(EHDRDIR)"
#
# dependencies for traditional makes
@@ -56,6 +60,7 @@ $(OUTPRE)asn1_err.$(OBJEXT): asn1_err.c
$(OUTPRE)kdb5_err.$(OBJEXT): kdb5_err.c
$(OUTPRE)krb5_err.$(OBJEXT): krb5_err.c
$(OUTPRE)kv5m_err.$(OBJEXT): kv5m_err.c
+$(OUTPRE)krb524_err.$(OBJEXT): krb524_err.c
clean-unix:: clean-libobjs
$(RM) $(HDRS) $(ETSRCS)
@@ -71,9 +76,10 @@ asn1_err.so asn1_err.po $(OUTPRE)asn1_err.$(OBJEXT): asn1_err.c $(COM_ERR_DEPS)
kdb5_err.so kdb5_err.po $(OUTPRE)kdb5_err.$(OBJEXT): kdb5_err.c $(COM_ERR_DEPS)
krb5_err.so krb5_err.po $(OUTPRE)krb5_err.$(OBJEXT): krb5_err.c $(COM_ERR_DEPS)
kv5m_err.so kv5m_err.po $(OUTPRE)kv5m_err.$(OBJEXT): kv5m_err.c $(COM_ERR_DEPS)
+krb524_err.so krb524_err.po $(OUTPRE)krb524_err.$(OBJEXT): krb524_err.c $(COM_ERR_DEPS)
init_ets.so init_ets.po $(OUTPRE)init_ets.$(OBJEXT): init_ets.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
diff --git a/src/lib/krb5/error_tables/init_ets.c b/src/lib/krb5/error_tables/init_ets.c
index 0ac810a..56a750e 100644
--- a/src/lib/krb5/error_tables/init_ets.c
+++ b/src/lib/krb5/error_tables/init_ets.c
@@ -32,10 +32,16 @@
void
krb5_init_ets (krb5_context context)
{
- initialize_krb5_error_table();
- initialize_kv5m_error_table();
- initialize_kdb5_error_table();
- initialize_asn1_error_table();
+ static int inited = 0;
+
+ if (inited == 0) {
+ initialize_krb5_error_table();
+ initialize_kv5m_error_table();
+ initialize_kdb5_error_table();
+ initialize_asn1_error_table();
+ initialize_k524_error_table();
+ inited++;
+ }
}
void
diff --git a/src/lib/krb5/error_tables/krb524_err.et b/src/lib/krb5/error_tables/krb524_err.et
new file mode 100644
index 0000000..5a4a004
--- /dev/null
+++ b/src/lib/krb5/error_tables/krb524_err.et
@@ -0,0 +1,34 @@
+# Copyright 1994 by OpenVision Technologies, Inc.
+#
+# Permission to use, copy, modify, distribute, and sell this software
+# and its documentation for any purpose is hereby granted without fee,
+# provided that the above copyright notice appears in all copies and
+# that both that copyright notice and this permission notice appear in
+# supporting documentation, and that the name of OpenVision not be used
+# in advertising or publicity pertaining to distribution of the software
+# without specific, written prior permission. OpenVision makes no
+# representations about the suitability of this software for any
+# purpose. It is provided "as is" without express or implied warranty.
+#
+# OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
+# INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
+# EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
+# CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
+# USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+# OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+#
+
+error_table k524
+
+error_code KRB524_BADKEY, "Cannot convert V5 keyblock"
+error_code KRB524_BADADDR, "Cannot convert V5 address information"
+error_code KRB524_BADPRINC, "Cannot convert V5 principal"
+error_code KRB524_BADREALM, "V5 realm name longer than V4 maximum"
+error_code KRB524_V4ERR, "Kerberos V4 error"
+error_code KRB524_ENCFULL, "Encoding too large"
+error_code KRB524_DECEMPTY, "Decoding out of data"
+error_code KRB524_NOTRESP, "Service not responding"
+error_code KRB524_KRB4_DISABLED, "Kerberos version 4 support is disabled"
+
+end
diff --git a/src/lib/krb5/error_tables/krb5_err.et b/src/lib/krb5/error_tables/krb5_err.et
index b401c92..b03d376 100644
--- a/src/lib/krb5/error_tables/krb5_err.et
+++ b/src/lib/krb5/error_tables/krb5_err.et
@@ -336,4 +336,8 @@ error_code KRB5_ERR_NUMERIC_REALM, "Cannot determine realm for numeric host addr
error_code KRB5_ERR_BAD_S2K_PARAMS, "Invalid key generation parameters from KDC"
+error_code KRB5_ERR_NO_SERVICE, "service not available"
+
+error_code KRB5_CC_READONLY, "Ccache function not supported: read-only ccache type"
+error_code KRB5_CC_NOSUPP, "Ccache function not supported: not implemented"
end
diff --git a/src/lib/krb5/keytab/ChangeLog b/src/lib/krb5/keytab/ChangeLog
index ef0e702..a3c4f8c 100644
--- a/src/lib/krb5/keytab/ChangeLog
+++ b/src/lib/krb5/keytab/ChangeLog
@@ -1,3 +1,19 @@
+2003-05-22 Tom Yu <tlyu@mit.edu>
+
+ * kt_file.c (krb5_ktfile_get_entry): Check principal name prior to
+ checking enctype. Suggested by Wyllys Ingersoll.
+
+2003-05-19 Sam Hartman <hartmans@mit.edu>
+
+ * ktbase.c: Register writable keytab by default
+
+2003-04-01 Nalin Dahyabhai <nalin@redhat.com>
+
+ * kt_file.c (krb5_ktfileint_internal_read_entry): Use
+ krb5_princ_size instead of direct field access.
+ (krb5_ktfileint_write_entry, krb5_ktfileint_size_entry):
+ Likewise.
+
2003-02-08 Tom Yu <tlyu@mit.edu>
* kt_file.c (krb5_ktfile_get_entry): Fix comment; not going to
diff --git a/src/lib/krb5/keytab/Makefile.in b/src/lib/krb5/keytab/Makefile.in
index 545cd27..731c34b 100644
--- a/src/lib/krb5/keytab/Makefile.in
+++ b/src/lib/krb5/keytab/Makefile.in
@@ -64,47 +64,47 @@ clean-windows::
#
ktadd.so ktadd.po $(OUTPRE)ktadd.$(OBJEXT): ktadd.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
ktbase.so ktbase.po $(OUTPRE)ktbase.$(OBJEXT): ktbase.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
ktdefault.so ktdefault.po $(OUTPRE)ktdefault.$(OBJEXT): ktdefault.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
ktfr_entry.so ktfr_entry.po $(OUTPRE)ktfr_entry.$(OBJEXT): ktfr_entry.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
ktremove.so ktremove.po $(OUTPRE)ktremove.$(OBJEXT): ktremove.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
ktfns.so ktfns.po $(OUTPRE)ktfns.$(OBJEXT): ktfns.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
kt_file.so kt_file.po $(OUTPRE)kt_file.$(OBJEXT): kt_file.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
kt_srvtab.so kt_srvtab.po $(OUTPRE)kt_srvtab.$(OBJEXT): kt_srvtab.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
read_servi.so read_servi.po $(OUTPRE)read_servi.$(OBJEXT): read_servi.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
index 9e4f15a..3175de7 100644
--- a/src/lib/krb5/keytab/kt_file.c
+++ b/src/lib/krb5/keytab/kt_file.c
@@ -258,6 +258,14 @@ krb5_ktfile_get_entry(krb5_context context, krb5_keytab id, krb5_const_principal
and copy new_entry there, or free new_entry. Otherwise, it
leaks. */
+ /* if the principal isn't the one requested, free new_entry
+ and continue to the next. */
+
+ if (!krb5_principal_compare(context, principal, new_entry.principal)) {
+ krb5_kt_free_entry(context, &new_entry);
+ continue;
+ }
+
/* if the enctype is not ignored and doesn't match, free new_entry
and continue to the next */
@@ -281,14 +289,6 @@ krb5_ktfile_get_entry(krb5_context context, krb5_keytab id, krb5_const_principal
}
- /* if the principal isn't the one requested, free new_entry
- and continue to the next. */
-
- if (!krb5_principal_compare(context, principal, new_entry.principal)) {
- krb5_kt_free_entry(context, &new_entry);
- continue;
- }
-
if (kvno == IGNORE_VNO) {
/* if this is the first match, or if the new vno is
bigger, free the current and keep the new. Otherwise,
@@ -1324,7 +1324,7 @@ krb5_ktfileint_internal_read_entry(krb5_context context, krb5_keytab id, krb5_ke
return 0;
fail:
- for (i = 0; i < ret_entry->principal->length; i++) {
+ for (i = 0; i < krb5_princ_size(context, ret_entry->principal); i++) {
princ = krb5_princ_component(context, ret_entry->principal, i);
if (princ->data)
free(princ->data);
@@ -1375,9 +1375,9 @@ krb5_ktfileint_write_entry(krb5_context context, krb5_keytab id, krb5_keytab_ent
}
if (KTVERSION(id) == KRB5_KT_VNO_1) {
- count = (krb5_int16) entry->principal->length + 1;
+ count = (krb5_int16) krb5_princ_size(context, entry->principal) + 1;
} else {
- count = htons((u_short) entry->principal->length);
+ count = htons((u_short) krb5_princ_size(context, entry->principal));
}
if (!xfwrite(&count, sizeof(count), 1, KTFILEP(id))) {
@@ -1396,7 +1396,7 @@ krb5_ktfileint_write_entry(krb5_context context, krb5_keytab id, krb5_keytab_ent
goto abend;
}
- count = (krb5_int16) entry->principal->length;
+ count = (krb5_int16) krb5_princ_size(context, entry->principal);
for (i = 0; i < count; i++) {
princ = krb5_princ_component(context, entry->principal, i);
size = princ->length;
@@ -1494,7 +1494,7 @@ krb5_ktfileint_size_entry(krb5_context context, krb5_keytab_entry *entry, krb5_i
krb5_int32 total_size, i;
krb5_error_code retval = 0;
- count = (krb5_int16) entry->principal->length;
+ count = (krb5_int16) krb5_princ_size(context, entry->principal);
total_size = sizeof(count);
total_size += krb5_princ_realm(context, entry->principal)->length + (sizeof(krb5_int16));
diff --git a/src/lib/krb5/keytab/ktbase.c b/src/lib/krb5/keytab/ktbase.c
index 41f473d..684c4e4 100644
--- a/src/lib/krb5/keytab/ktbase.c
+++ b/src/lib/krb5/keytab/ktbase.c
@@ -30,15 +30,20 @@
#include "k5-int.h"
extern const krb5_kt_ops krb5_ktf_ops;
+extern const krb5_kt_ops krb5_ktf_writable_ops;
extern const krb5_kt_ops krb5_kts_ops;
struct krb5_kt_typelist {
const krb5_kt_ops *ops;
struct krb5_kt_typelist *next;
};
+static struct krb5_kt_typelist krb5_kt_typelist_wrfile = {
+ &krb5_ktf_writable_ops,
+ 0
+};
static struct krb5_kt_typelist krb5_kt_typelist_file = {
&krb5_ktf_ops,
- 0
+ &krb5_kt_typelist_wrfile
};
static struct krb5_kt_typelist krb5_kt_typelist_srvtab = {
&krb5_kts_ops,
diff --git a/src/lib/krb5/krb/.Sanitize b/src/lib/krb5/krb/.Sanitize
index 7457c84..a2ab3a0 100644
--- a/src/lib/krb5/krb/.Sanitize
+++ b/src/lib/krb5/krb/.Sanitize
@@ -37,6 +37,7 @@ chk_trans.c
cleanup.h
configure
configure.in
+conv_creds.c
conv_princ.c
copy_addrs.c
copy_athctr.c
@@ -60,8 +61,6 @@ gen_seqnum.c
gen_subkey.c
get_creds.c
get_in_tkt.c
-in_tkt_ktb.c
-in_tkt_pwd.c
in_tkt_sky.c
init_ctx.c
int-proto.h
@@ -106,6 +105,7 @@ t_ref_kerb.out
t_ser.c
tgtname.c
unparse.c
+v4lifetime.c
valid_times.c
walk_rtree.c
diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index c936ca4..5942276 100644
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,3 +1,311 @@
+2003-12-13 Ken Raeburn <raeburn@mit.edu>
+
+ * mk_req_ext.c (krb5int_generate_and_save_subkey): New function,
+ split out from krb5_mk_req_extended.
+ (krb5_mk_req_extended): Call it.
+ * mk_rep.c (krb5_mk_rep): If KRB5_AUTH_CONTEXT_USE_SUBKEY flag is
+ set, call krb5int_generate_and_save_subkey to set up a new subkey
+ to send to the client.
+
+ * serialize.c (krb5_ser_pack_int64, krb5_ser_unpack_int64): New
+ functions.
+
+2003-10-30 Tom Yu <tlyu@mit.edu>
+
+ * gen_seqnum.c (krb5_generate_seq_number): Fix mask; was short by
+ 4 bits.
+
+2003-10-08 Tom Yu <tlyu@mit.edu>
+
+ * rd_safe.c (krb5_rd_safe_basic): Save the encoded KRB-SAFE-BODY
+ to avoid trouble caused by re-encoding. Also, handle correctly
+ implemented RFC 1510 KRB-SAFE, i.e., checksummed over
+ KRB-SAFE-BODY only.
+
+2003-09-02 Tom Yu <tlyu@mit.edu>
+
+ * conv_creds.c (krb524_convert_creds_plain): Apply patch from
+ Cesar Garcia to fix lifetime computation.
+
+2003-08-19 SamHartman <hartmans@avalanche-breakdown.mit.edu>
+
+ * rd_cred.c (decrypt_credencdata): Don't double free credentials.
+
+2003-08-08 Tom Yu <tlyu@mit.edu>
+
+ * gic_pwd.c (krb5_get_init_creds_password): If DNS SRV support is
+ turned off, the second call to get_init_creds() will fail with
+ KRB5_REALM_UNKNOWN under certain circumstances. If that happens,
+ return the error from the first call to get_init_creds(), which
+ will be more useful to the user.
+
+2003-07-22 Sam Hartman <hartmans@avalanche-breakdown.mit.edu>
+
+ * preauth2.c (krb5_do_preauth): Use the etype_info2 decoder for decoding etype_info2
+ (krb5_do_preauth): If an invalid encoding of etype_info or
+ etype_info2 is received, ignore it rather than failing the request
+
+2003-07-09 Alexandra Ellwood <lxs@mit.edu>
+
+ * init_ctx.c: Export krb5_get_permitted_enctypes for Samba.
+
+2003-06-27 Tom Yu <tlyu@mit.edu>
+
+ * gic_keytab.c (krb5_get_in_tkt_with_keytab): Pass (void*)keytab,
+ not &keytab, to get_init_creds. Thanks to Herb Lewis.
+
+2003-06-16 Sam Hartman <hartmans@mit.edu>
+
+ * fwd_tgt.c (krb5_fwd_tgt_creds): Set use_conf_ktypes to true while getting the TGT key
+
+2003-06-13 Tom Yu <tlyu@mit.edu>
+
+ * rd_rep.c (krb5_rd_rep): Free subkeys before replacing them, if
+ needed. This avoids a memory leak.
+
+2003-06-11 Tom Yu <tlyu@mit.edu>
+
+ * srv_rcache.c (krb5_get_server_rcache): Octal escapes begin with
+ hyphen now, since backslash is a pathname separator on DOS.
+
+2003-06-06 Sam Hartman <hartmans@mit.edu>
+
+ * get_in_tkt.c (krb5_get_init_creds): Mask out renewable_ok if the
+ request is for a renewable ticket with rtime greater than till
+
+2003-06-06 Ezra Peisach <epeisach@mit.edu>
+
+ * mk_req_ext.c (krb5_generate_authenticator): Sequence numbers are
+ unsigned now.
+
+2003-05-30 Ken Raeburn <raeburn@mit.edu>
+
+ * get_in_tkt.c (krb5_get_init_creds): Change hardcoded default
+ ticket lifetime from 10 hours to 24 hours.
+
+ * init_ctx.c (DEFAULT_KDC_TIMESYNC): Define as 1 always.
+ (DEFAULT_CCACHE_TYPE): Define as 4 always.
+
+2003-05-30 Alexandra Ellwood <lxs@mit.edu>
+
+ * get_in_tkt.c: (verify_as_reply) Only check the renewable lifetime
+ of tickets whose request options included KDC_OPT_RENEWABLE_OK
+ if those options did not also include KDC_OPT_RENEWABLE. Otherwise
+ verify_as_reply() will fail for all renewable tickets.
+
+2003-05-27 Ken Raeburn <raeburn@mit.edu>
+
+ * conv_creds.c: Enable support on Windows always.
+ (krb5_524_convert_creds): Renamed from krb524_convert_creds_kdc.
+ (krb524_convert_creds_kdc, krb524_init_ets) [!_WIN32]: Backwards
+ compatibility functions.
+
+2003-05-27 Sam Hartman <hartmans@mit.edu>
+
+ * gic_keytab.c (krb5_get_in_tkt_with_keytab): as below
+
+ * gic_pwd.c (krb5_get_in_tkt_with_password): Store client and
+ server principals to avoid memory leak
+
+2003-05-24 Ken Raeburn <raeburn@mit.edu>
+
+ * conv_creds.c: New file, moved from krb524/conv_creds.c and
+ krb524/encode.c. Rename exported encode routine, make other
+ encode and decode routines static. If KRB5_KRB4_COMPAT is not
+ defined, return an error.
+ * v4lifetime.c: New file, moved from lib/krb4/lifetime.c. Renamed
+ functions, changed interface to use krb5 types.
+ * Makefile.in (STLIBOBJS, OBJS, SRCS): Add them.
+
+2003-05-23 Sam Hartman <hartmans@mit.edu>
+
+ * get_in_tkt.c (krb5_get_init_creds): Initialize options based on
+ context.kdc_default_options
+
+2003-05-22 Tom Yu <tlyu@mit.edu>
+
+ * gen_seqnum.c (krb5_generate_seq_number): Fix think-o on sequence
+ number mask.
+
+ * auth_con.c (krb5int_auth_con_chkseqnum): New function; implement
+ heuristic for broken Heimdal sequence number encoding.
+ (chk_heimdal_seqnum): Auxiliary function for above.
+
+ * auth_con.h: Add flags for sequence number heuristic.
+
+ * rd_priv.c: Use krb5int_auth_con_chkseqnum.
+
+ * rd_safe.c: Use krb5int_auth_con_chkseqnum.
+
+2003-05-22 Sam Hartman <hartmans@mit.edu>
+
+ * gic_pwd.c (krb5int_populate_gic_opt): returns void
+
+2003-05-21 Tom Yu <tlyu@mit.edu>
+
+ * gic_pwd.c (krb5_get_in_tkt_with_password): Set pw0.length
+ correctly if a password is passed in.
+
+2003-05-20 Sam Hartman <hartmans@mit.edu>
+
+ * Makefile.in (SRCS): Remove in_ktb.c
+
+ * gic_keytab.c (krb5_get_in_tkt_with_keytab): Move from
+ in_tkt_keytab.c and rewrite to use krb5_get_init_creds
+
+ * gic_pwd.c (krb5_get_in_tkt_with_password): Moved here from
+ in_tkt_pwd.c so it can share code with
+ krb5_get_init_creds_password. Rewritten to call
+ krb5_get_in_tkt_password
+
+ * Makefile.in (SRCS): Delete in_tkt_pwd.c
+
+2003-05-18 Tom Yu <tlyu@mit.edu>
+
+ * auth_con.h: Sequence numbers are now unsigned.
+
+ * gen_seqnum.c (krb5_generate_seq_number): Constrain initial
+ sequence number space to facilitate backwards compatibility.
+
+2003-05-16 Ken Raeburn <raeburn@mit.edu>
+
+ * chpw.c (krb5int_rd_chpw_rep): Allow new kpasswd error codes up
+ through _INITIAL_FLAG_NEEDED.
+
+2003-05-13 Sam Hartman <hartmans@mit.edu>
+
+ * fwd_tgt.c (krb5_fwd_tgt_creds): Try with no specified enctype if
+ forwarding a specific enctype fails. l
+
+ * get_in_tkt.c (krb5_get_init_creds): Free s2kparams
+
+ * preauth2.c (krb5_do_preauth): Fix memory management
+ (pa_salt): Use copy_data_contents
+
+ * copy_data.c (krb5int_copy_data_contents): New function
+
+2003-05-09 Sam Hartman <hartmans@mit.edu>
+
+ * preauth2.c: Patch from Sun to reorganize code for handling
+ etype_info requests. More efficient and easier to implement etype_info2
+ (krb5_do_preauth): Support enctype_info2
+
+2003-05-08 Sam Hartman <hartmans@mit.edu>
+
+ * preauth2.c: Add s2kparams to the declaration of a preauth
+ function, to every instance of a preauth function and to every
+ call to gak_fct
+
+ * get_in_tkt.c (krb5_get_init_creds): Add s2kparams support
+
+ * gic_keytab.c (krb5_get_as_key_keytab): Add s2kparams
+
+ * gic_pwd.c (krb5_get_as_key_password): Add s2kparams support
+
+2003-05-09 Ken Raeburn <raeburn@mit.edu>
+
+ * init_ctx.c (init_common): Copy tgs_ktypes array to
+ conf_tgs_ktypes. Clear use_conf_ktypes.
+ (krb5_free_context): Free conf_tgs_ktypes.
+ (krb5_get_tgs_ktypes): Use use_conf_ktypes to choose between
+ tgs_ktypes and conf_tgs_ktypes.
+
+ * gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): Set use_conf_ktypes
+ in context to 1 for all operations except the acquisition of the
+ desired service ticket.
+
+2003-05-09 Tom Yu <tlyu@mit.edu>
+
+ * auth_con.c (krb5_auth_con_setsendsubkey)
+ (krb5_auth_con_setrecvsubkey, krb5_auth_con_getsendsubkey)
+ (krb5_auth_con_getrecvsubkey): New functions. Set or retrieve
+ subkeys from an auth_context.
+ (krb5_auth_con_getlocalsubkey, krb5_auth_con_getremotesubkey):
+ Reimplement in terms of the above.
+
+ * auth_con.h, ser_actx.c: Rename {local,remote}_subkey ->
+ {send,recv}_subkey.
+
+ * chpw.c (krb5int_rd_chpw_rep): Save send_subkey prior to rd_rep;
+ use saved send_subkey to smash recv_subkey obtained from rd_rep.
+
+ * mk_req_ext.c (krb5_mk_req_extended): Rename
+ {local,remote}_subkey -> {send,recv}_subkey. Set both subkeys if
+ subkey generation is requested.
+
+ * mk_cred.c, mk_priv.c, mk_safe.c: Rename {local,remote}_subkey ->
+ {send,recv}_subkey. Use either send_subkey or keyblock, in that
+ order.
+
+ * rd_cred.c, rd_priv.c, rd_safe.c: Rename {local,remote}_subkey ->
+ {send,recv}_subkey. Use either recv_subkey or keyblock, in that
+ order.
+
+ * rd_rep.c (krb5_rd_rep): Rename {local,remote}_subkey ->
+ {send,recv}_subkey. Set both subkeys if a subkey is present in
+ the AP-REP message.
+
+ * rd_req_dec.c (krb5_rd_req_decoded_opt): Rename
+ {local,remote}_subkey -> {send,recv}_subkey. Set both subkeys if
+ a subkey is present in the AP-REQ message.
+
+2003-05-06 Sam Hartman <hartmans@mit.edu>
+
+ * kfree.c (krb5_free_etype_info): Free s2kparams
+
+2003-04-27 Sam Hartman <hartmans@mit.edu>
+
+ * chpw.c (krb5int_setpw_result_code_string): Make internal
+
+2003-04-25 Sam Hartman <hartmans@mit.edu>
+
+ * chpw.c (krb5int_rd_setpw_rep): Fix error handling; allow
+ krberrors to be read correctly; fix memory alloctaion so that
+ allocated structures are freed.
+
+2003-04-24 Ezra Peisach <epeisach@mit.edu>
+
+ * kfree.c (krb5_free_pwd_sequences): Correction to previous
+ fix. Free contents of krb5_data - not just the pointer.
+
+2003-04-23 Ezra Peisach <epeisach@mit.edu>
+
+ * kfree.c (krb5_free_pwd_sequences): Actually free the entire
+ sequence of passwd_phase_elements and not just the first one.
+
+2003-04-16 Sam Hartman <hartmans@mit.edu>
+
+ * chpw.c (krb5int_mk_setpw_req): Use encode_krb5_setpw_req. Fix
+ memory handling to free data that is allocated
+
+2003-04-15 Sam Hartman <hartmans@mit.edu>
+
+ * chpw.c (krb5int_mk_setpw_req krb5int_rd_setpw_rep): New function
+
+2003-04-13 Ken Raeburn <raeburn@mit.edu>
+
+ * init_ctx.c (DEFAULT_ETYPE_LIST): Add AES with 256 bits at the
+ front of the list. No 128-bit support by defaut.
+
+2003-04-01 Nalin Dahyabhai <nalin@redhat.com>
+
+ * gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): Check principal name
+ length before examining components.
+
+ * parse.c (krb5_parse_name): Double-check principal name length
+ before filling in components.
+
+ * srv_rcache.c (krb5_get_server_rcache): Check for null pointer
+ supplied in place of name.
+
+ * unparse.c (krb5_unparse_name_ext): Don't move buffer pointer
+ backwards if nothing has been put into the buffer yet.
+
+2003-04-01 Sam Hartman <hartmans@mit.edu>
+
+ * rd_req.c (krb5_rd_req): If AUTH_CONTEXT_DO_TIME is cleared,
+ don't set up a replay cache.
+
2003-03-08 Ezra Peisach <epeisach@mit.edu>
* t_kerb.c: Only include krb.h if krb4 support compiled in,
diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in
index 18627b1..b703e56 100644
--- a/src/lib/krb5/krb/Makefile.in
+++ b/src/lib/krb5/krb/Makefile.in
@@ -23,6 +23,7 @@ STLIBOBJS= \
bld_princ.o \
chk_trans.o \
chpw.o \
+ conv_creds.o \
conv_princ.o \
copy_addrs.o \
copy_auth.o \
@@ -51,8 +52,6 @@ STLIBOBJS= \
gic_keytab.o \
gic_opt.o \
gic_pwd.o \
- in_tkt_ktb.o \
- in_tkt_pwd.o \
in_tkt_sky.o \
init_ctx.o \
init_keyblock.o \
@@ -95,6 +94,7 @@ STLIBOBJS= \
str_conv.o \
tgtname.o \
unparse.o \
+ v4lifetime.o \
valid_times.o \
vfy_increds.o \
vic_opt.o \
@@ -109,6 +109,7 @@ OBJS= $(OUTPRE)addr_comp.$(OBJEXT) \
$(OUTPRE)bld_princ.$(OBJEXT) \
$(OUTPRE)chk_trans.$(OBJEXT) \
$(OUTPRE)chpw.$(OBJEXT) \
+ $(OUTPRE)conv_creds.$(OBJEXT) \
$(OUTPRE)conv_princ.$(OBJEXT) \
$(OUTPRE)copy_addrs.$(OBJEXT) \
$(OUTPRE)copy_auth.$(OBJEXT) \
@@ -137,8 +138,6 @@ OBJS= $(OUTPRE)addr_comp.$(OBJEXT) \
$(OUTPRE)gic_keytab.$(OBJEXT) \
$(OUTPRE)gic_opt.$(OBJEXT) \
$(OUTPRE)gic_pwd.$(OBJEXT) \
- $(OUTPRE)in_tkt_ktb.$(OBJEXT) \
- $(OUTPRE)in_tkt_pwd.$(OBJEXT) \
$(OUTPRE)in_tkt_sky.$(OBJEXT) \
$(OUTPRE)init_ctx.$(OBJEXT) \
$(OUTPRE)init_keyblock.$(OBJEXT) \
@@ -181,6 +180,7 @@ OBJS= $(OUTPRE)addr_comp.$(OBJEXT) \
$(OUTPRE)str_conv.$(OBJEXT) \
$(OUTPRE)tgtname.$(OBJEXT) \
$(OUTPRE)unparse.$(OBJEXT) \
+ $(OUTPRE)v4lifetime.$(OBJEXT) \
$(OUTPRE)valid_times.$(OBJEXT) \
$(OUTPRE)vfy_increds.$(OBJEXT) \
$(OUTPRE)vic_opt.$(OBJEXT) \
@@ -196,6 +196,7 @@ SRCS= $(srcdir)/addr_comp.c \
$(srcdir)/brand.c \
$(srcdir)/chk_trans.c \
$(srcdir)/chpw.c \
+ $(srcdir)/conv_creds.c \
$(srcdir)/conv_princ.c \
$(srcdir)/copy_addrs.c \
$(srcdir)/copy_auth.c \
@@ -224,8 +225,6 @@ SRCS= $(srcdir)/addr_comp.c \
$(srcdir)/gic_keytab.c \
$(srcdir)/gic_opt.c \
$(srcdir)/gic_pwd.c \
- $(srcdir)/in_tkt_ktb.c \
- $(srcdir)/in_tkt_pwd.c \
$(srcdir)/in_tkt_sky.c \
$(srcdir)/init_ctx.c \
$(srcdir)/init_keyblock.c \
@@ -268,6 +267,7 @@ SRCS= $(srcdir)/addr_comp.c \
$(srcdir)/str_conv.c \
$(srcdir)/tgtname.c \
$(srcdir)/unparse.c \
+ $(srcdir)/v4lifetime.c \
$(srcdir)/valid_times.c \
$(srcdir)/vfy_increds.c \
$(srcdir)/vic_opt.c \
@@ -367,449 +367,482 @@ clean::
#
addr_comp.so addr_comp.po $(OUTPRE)addr_comp.$(OBJEXT): addr_comp.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
addr_order.so addr_order.po $(OUTPRE)addr_order.$(OBJEXT): addr_order.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
addr_srch.so addr_srch.po $(OUTPRE)addr_srch.$(OBJEXT): addr_srch.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
appdefault.so appdefault.po $(OUTPRE)appdefault.$(OBJEXT): appdefault.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
auth_con.so auth_con.po $(OUTPRE)auth_con.$(OBJEXT): auth_con.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ auth_con.h
bld_pr_ext.so bld_pr_ext.po $(OUTPRE)bld_pr_ext.$(OBJEXT): bld_pr_ext.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
bld_princ.so bld_princ.po $(OUTPRE)bld_princ.$(OBJEXT): bld_princ.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
brand.so brand.po $(OUTPRE)brand.$(OBJEXT): brand.c
chk_trans.so chk_trans.po $(OUTPRE)chk_trans.$(OBJEXT): chk_trans.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
chpw.so chpw.po $(OUTPRE)chpw.$(OBJEXT): chpw.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/krb5_err.h \
- auth_con.h
-conv_princ.so conv_princ.po $(OUTPRE)conv_princ.$(OBJEXT): conv_princ.c $(SRCTOP)/include/k5-int.h \
+ $(BUILDTOP)/include/krb5_err.h auth_con.h
+conv_creds.so conv_creds.po $(OUTPRE)conv_creds.$(OBJEXT): conv_creds.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \
+ $(KRB_ERR_H_DEP)
+conv_princ.so conv_princ.po $(OUTPRE)conv_princ.$(OBJEXT): conv_princ.c $(SRCTOP)/include/k5-int.h \
+ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
copy_addrs.so copy_addrs.po $(OUTPRE)copy_addrs.$(OBJEXT): copy_addrs.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
copy_auth.so copy_auth.po $(OUTPRE)copy_auth.$(OBJEXT): copy_auth.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
copy_athctr.so copy_athctr.po $(OUTPRE)copy_athctr.$(OBJEXT): copy_athctr.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
copy_cksum.so copy_cksum.po $(OUTPRE)copy_cksum.$(OBJEXT): copy_cksum.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
copy_creds.so copy_creds.po $(OUTPRE)copy_creds.$(OBJEXT): copy_creds.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
copy_data.so copy_data.po $(OUTPRE)copy_data.$(OBJEXT): copy_data.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
copy_key.so copy_key.po $(OUTPRE)copy_key.$(OBJEXT): copy_key.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
copy_princ.so copy_princ.po $(OUTPRE)copy_princ.$(OBJEXT): copy_princ.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
copy_tick.so copy_tick.po $(OUTPRE)copy_tick.$(OBJEXT): copy_tick.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
cp_key_cnt.so cp_key_cnt.po $(OUTPRE)cp_key_cnt.$(OBJEXT): cp_key_cnt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
decode_kdc.so decode_kdc.po $(OUTPRE)decode_kdc.$(OBJEXT): decode_kdc.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
decrypt_tk.so decrypt_tk.po $(OUTPRE)decrypt_tk.$(OBJEXT): decrypt_tk.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
deltat.so deltat.po $(OUTPRE)deltat.$(OBJEXT): deltat.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
enc_helper.so enc_helper.po $(OUTPRE)enc_helper.$(OBJEXT): enc_helper.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
encode_kdc.so encode_kdc.po $(OUTPRE)encode_kdc.$(OBJEXT): encode_kdc.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
encrypt_tk.so encrypt_tk.po $(OUTPRE)encrypt_tk.$(OBJEXT): encrypt_tk.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
free_rtree.so free_rtree.po $(OUTPRE)free_rtree.$(OBJEXT): free_rtree.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
fwd_tgt.so fwd_tgt.po $(OUTPRE)fwd_tgt.$(OBJEXT): fwd_tgt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
gc_frm_kdc.so gc_frm_kdc.po $(OUTPRE)gc_frm_kdc.$(OBJEXT): gc_frm_kdc.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ int-proto.h
gc_via_tkt.so gc_via_tkt.po $(OUTPRE)gc_via_tkt.$(OBJEXT): gc_via_tkt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ int-proto.h
gen_seqnum.so gen_seqnum.po $(OUTPRE)gen_seqnum.$(OBJEXT): gen_seqnum.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
gen_subkey.so gen_subkey.po $(OUTPRE)gen_subkey.$(OBJEXT): gen_subkey.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
get_creds.so get_creds.po $(OUTPRE)get_creds.$(OBJEXT): get_creds.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
get_in_tkt.so get_in_tkt.po $(OUTPRE)get_in_tkt.$(OBJEXT): get_in_tkt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h $(srcdir)/../os/os-proto.h
+ int-proto.h $(srcdir)/../os/os-proto.h
gic_keytab.so gic_keytab.po $(OUTPRE)gic_keytab.$(OBJEXT): gic_keytab.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
gic_opt.so gic_opt.po $(OUTPRE)gic_opt.$(OBJEXT): gic_opt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
gic_pwd.so gic_pwd.po $(OUTPRE)gic_pwd.$(OBJEXT): gic_pwd.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
-in_tkt_ktb.so in_tkt_ktb.po $(OUTPRE)in_tkt_ktb.$(OBJEXT): in_tkt_ktb.c $(SRCTOP)/include/k5-int.h \
- $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
-in_tkt_pwd.so in_tkt_pwd.po $(OUTPRE)in_tkt_pwd.$(OBJEXT): in_tkt_pwd.c $(SRCTOP)/include/k5-int.h \
- $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
in_tkt_sky.so in_tkt_sky.po $(OUTPRE)in_tkt_sky.$(OBJEXT): in_tkt_sky.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
init_ctx.so init_ctx.po $(OUTPRE)init_ctx.$(OBJEXT): init_ctx.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h brand.c $(srcdir)/../krb5_libinit.h
+ brand.c $(srcdir)/../krb5_libinit.h
init_keyblock.so init_keyblock.po $(OUTPRE)init_keyblock.$(OBJEXT): init_keyblock.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
kdc_rep_dc.so kdc_rep_dc.po $(OUTPRE)kdc_rep_dc.$(OBJEXT): kdc_rep_dc.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
kfree.so kfree.po $(OUTPRE)kfree.$(OBJEXT): kfree.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
mk_cred.so mk_cred.po $(OUTPRE)mk_cred.$(OBJEXT): mk_cred.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h cleanup.h auth_con.h
+ cleanup.h auth_con.h
mk_error.so mk_error.po $(OUTPRE)mk_error.$(OBJEXT): mk_error.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
mk_priv.so mk_priv.po $(OUTPRE)mk_priv.$(OBJEXT): mk_priv.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h cleanup.h auth_con.h
+ cleanup.h auth_con.h
mk_rep.so mk_rep.po $(OUTPRE)mk_rep.$(OBJEXT): mk_rep.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ auth_con.h
mk_req.so mk_req.po $(OUTPRE)mk_req.$(OBJEXT): mk_req.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ auth_con.h
mk_req_ext.so mk_req_ext.po $(OUTPRE)mk_req_ext.$(OBJEXT): mk_req_ext.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ auth_con.h
mk_safe.so mk_safe.po $(OUTPRE)mk_safe.$(OBJEXT): mk_safe.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h cleanup.h auth_con.h
+ cleanup.h auth_con.h
parse.so parse.po $(OUTPRE)parse.$(OBJEXT): parse.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
pr_to_salt.so pr_to_salt.po $(OUTPRE)pr_to_salt.$(OBJEXT): pr_to_salt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
preauth.so preauth.po $(OUTPRE)preauth.$(OBJEXT): preauth.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
preauth2.so preauth2.po $(OUTPRE)preauth2.$(OBJEXT): preauth2.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
princ_comp.so princ_comp.po $(OUTPRE)princ_comp.$(OBJEXT): princ_comp.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
rd_cred.so rd_cred.po $(OUTPRE)rd_cred.$(OBJEXT): rd_cred.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h cleanup.h auth_con.h
+ cleanup.h auth_con.h
rd_error.so rd_error.po $(OUTPRE)rd_error.$(OBJEXT): rd_error.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
rd_priv.so rd_priv.po $(OUTPRE)rd_priv.$(OBJEXT): rd_priv.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h cleanup.h auth_con.h
+ cleanup.h auth_con.h
rd_rep.so rd_rep.po $(OUTPRE)rd_rep.$(OBJEXT): rd_rep.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ auth_con.h
rd_req.so rd_req.po $(OUTPRE)rd_req.$(OBJEXT): rd_req.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ auth_con.h
rd_req_dec.so rd_req_dec.po $(OUTPRE)rd_req_dec.$(OBJEXT): rd_req_dec.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ auth_con.h
rd_safe.so rd_safe.po $(OUTPRE)rd_safe.$(OBJEXT): rd_safe.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h cleanup.h auth_con.h
+ cleanup.h auth_con.h
recvauth.so recvauth.po $(OUTPRE)recvauth.$(OBJEXT): recvauth.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ auth_con.h
sendauth.so sendauth.po $(OUTPRE)sendauth.$(OBJEXT): sendauth.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ auth_con.h
send_tgs.so send_tgs.po $(OUTPRE)send_tgs.$(OBJEXT): send_tgs.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
ser_actx.so ser_actx.po $(OUTPRE)ser_actx.$(OBJEXT): ser_actx.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h auth_con.h
+ int-proto.h auth_con.h
ser_adata.so ser_adata.po $(OUTPRE)ser_adata.$(OBJEXT): ser_adata.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ int-proto.h
ser_addr.so ser_addr.po $(OUTPRE)ser_addr.$(OBJEXT): ser_addr.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ int-proto.h
ser_auth.so ser_auth.po $(OUTPRE)ser_auth.$(OBJEXT): ser_auth.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ int-proto.h
ser_cksum.so ser_cksum.po $(OUTPRE)ser_cksum.$(OBJEXT): ser_cksum.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ int-proto.h
ser_ctx.so ser_ctx.po $(OUTPRE)ser_ctx.$(OBJEXT): ser_ctx.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
ser_eblk.so ser_eblk.po $(OUTPRE)ser_eblk.$(OBJEXT): ser_eblk.c
ser_key.so ser_key.po $(OUTPRE)ser_key.$(OBJEXT): ser_key.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ int-proto.h
ser_princ.so ser_princ.po $(OUTPRE)ser_princ.$(OBJEXT): ser_princ.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ int-proto.h
serialize.so serialize.po $(OUTPRE)serialize.$(OBJEXT): serialize.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
set_realm.so set_realm.po $(OUTPRE)set_realm.$(OBJEXT): set_realm.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
srv_rcache.so srv_rcache.po $(OUTPRE)srv_rcache.$(OBJEXT): srv_rcache.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
str_conv.so str_conv.po $(OUTPRE)str_conv.$(OBJEXT): str_conv.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
tgtname.so tgtname.po $(OUTPRE)tgtname.$(OBJEXT): tgtname.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ int-proto.h
unparse.so unparse.po $(OUTPRE)unparse.$(OBJEXT): unparse.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
+v4lifetime.so v4lifetime.po $(OUTPRE)v4lifetime.$(OBJEXT): v4lifetime.c $(SRCTOP)/include/k5-int.h \
+ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
valid_times.so valid_times.po $(OUTPRE)valid_times.$(OBJEXT): valid_times.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
vfy_increds.so vfy_increds.po $(OUTPRE)vfy_increds.$(OBJEXT): vfy_increds.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ int-proto.h
vic_opt.so vic_opt.po $(OUTPRE)vic_opt.$(OBJEXT): vic_opt.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
walk_rtree.so walk_rtree.po $(OUTPRE)walk_rtree.$(OBJEXT): walk_rtree.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h int-proto.h
+ int-proto.h
t_walk_rtree.so t_walk_rtree.po $(OUTPRE)t_walk_rtree.$(OBJEXT): t_walk_rtree.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
t_kerb.so t_kerb.po $(OUTPRE)t_kerb.$(OBJEXT): t_kerb.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/krb.h \
$(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \
$(BUILDTOP)/include/profile.h
t_ser.so t_ser.po $(OUTPRE)t_ser.$(OBJEXT): t_ser.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h auth_con.h
+ auth_con.h
t_deltat.so t_deltat.po $(OUTPRE)t_deltat.$(OBJEXT): t_deltat.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
t_expand.so t_expand.po $(OUTPRE)t_expand.$(OBJEXT): t_expand.c chk_trans.c \
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
- $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h
+ $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(SRCTOP)/include/krb5/kdb.h
diff --git a/src/lib/krb5/krb/auth_con.c b/src/lib/krb5/krb/auth_con.c
index 09ccf98..cd3acf1 100644
--- a/src/lib/krb5/krb/auth_con.c
+++ b/src/lib/krb5/krb/auth_con.c
@@ -1,6 +1,8 @@
#include "k5-int.h"
#include "auth_con.h"
+static krb5_boolean chk_heimdal_seqnum(krb5_ui_4, krb5_ui_4);
+
static krb5_error_code
actx_copy_addr(krb5_context context, const krb5_address *inad, krb5_address **outad)
{
@@ -59,10 +61,10 @@ krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context)
krb5_free_authenticator(context, auth_context->authentp);
if (auth_context->keyblock)
krb5_free_keyblock(context, auth_context->keyblock);
- if (auth_context->local_subkey)
- krb5_free_keyblock(context, auth_context->local_subkey);
- if (auth_context->remote_subkey)
- krb5_free_keyblock(context, auth_context->remote_subkey);
+ if (auth_context->send_subkey)
+ krb5_free_keyblock(context, auth_context->send_subkey);
+ if (auth_context->recv_subkey)
+ krb5_free_keyblock(context, auth_context->recv_subkey);
if (auth_context->rcache)
krb5_rc_close(context, auth_context->rcache);
if (auth_context->permitted_etypes)
@@ -176,17 +178,53 @@ krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context, krb5_
krb5_error_code KRB5_CALLCONV
krb5_auth_con_getlocalsubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock)
{
- if (auth_context->local_subkey)
- return krb5_copy_keyblock(context,auth_context->local_subkey,keyblock);
+ return krb5_auth_con_getsendsubkey(context, auth_context, keyblock);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock)
+{
+ return krb5_auth_con_getrecvsubkey(context, auth_context, keyblock);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_setsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock)
+{
+ if (ac->send_subkey != NULL)
+ krb5_free_keyblock(ctx, ac->send_subkey);
+ ac->send_subkey = NULL;
+ if (keyblock !=NULL)
+ return krb5_copy_keyblock(ctx, keyblock, &ac->send_subkey);
+ else
+ return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock)
+{
+ if (ac->recv_subkey != NULL)
+ krb5_free_keyblock(ctx, ac->recv_subkey);
+ ac->recv_subkey = NULL;
+ if (keyblock != NULL)
+ return krb5_copy_keyblock(ctx, keyblock, &ac->recv_subkey);
+ else
+ return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock)
+{
+ if (ac->send_subkey != NULL)
+ return krb5_copy_keyblock(ctx, ac->send_subkey, keyblock);
*keyblock = NULL;
return 0;
}
krb5_error_code KRB5_CALLCONV
-krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock)
+krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock)
{
- if (auth_context->remote_subkey)
- return krb5_copy_keyblock(context,auth_context->remote_subkey,keyblock);
+ if (ac->recv_subkey != NULL)
+ return krb5_copy_keyblock(ctx, ac->recv_subkey, keyblock);
*keyblock = NULL;
return 0;
}
@@ -359,3 +397,167 @@ krb5_auth_con_get_checksum_func( krb5_context context,
*data = auth_context->checksum_func_data;
return 0;
}
+
+/*
+ * krb5int_auth_con_chkseqnum
+ *
+ * We use a somewhat complex heuristic for validating received
+ * sequence numbers. We must accommodate both our older
+ * implementation, which sends negative sequence numbers, and the
+ * broken Heimdal implementation (at least as of 0.5.2), which
+ * violates X.690 BER for integer encodings. The requirement of
+ * handling negative sequence numbers removes one of easier means of
+ * detecting a Heimdal implementation, so we resort to this mess
+ * here.
+ *
+ * X.690 BER (and consequently DER, which are the required encoding
+ * rules in RFC1510) encode all integer types as signed integers.
+ * This means that the MSB being set on the first octet of the
+ * contents of the encoding indicates a negative value. Heimdal does
+ * not prepend the required zero octet to unsigned integer encodings
+ * which would otherwise have the MSB of the first octet of their
+ * encodings set.
+ *
+ * Our ASN.1 library implements a special decoder for sequence
+ * numbers, accepting both negative and positive 32-bit numbers but
+ * mapping them both into the space of positive unsigned 32-bit
+ * numbers in the obvious bit-pattern-preserving way. This maintains
+ * compatibility with our older implementations. This also means that
+ * encodings emitted by Heimdal are ambiguous.
+ *
+ * Heimdal counter value received uint32 value
+ *
+ * 0x00000080 0xFFFFFF80
+ * 0x000000FF 0xFFFFFFFF
+ * 0x00008000 0xFFFF8000
+ * 0x0000FFFF 0xFFFFFFFF
+ * 0x00800000 0xFF800000
+ * 0x00FFFFFF 0xFFFFFFFF
+ * 0xFF800000 0xFF800000
+ * 0xFFFFFFFF 0xFFFFFFFF
+ *
+ * We use two auth_context flags, SANE_SEQ and HEIMDAL_SEQ, which are
+ * only set after we can unambiguously determine the sanity of the
+ * sending implementation. Once one of these flags is set, we accept
+ * only the sequence numbers appropriate to the remote implementation
+ * type. We can make the determination in two different ways. The
+ * first is to note the receipt of a "negative" sequence number when a
+ * "positive" one was expected. The second is to note the receipt of
+ * a sequence number that wraps through "zero" in a weird way. The
+ * latter corresponds to the receipt of an initial sequence number in
+ * the ambiguous range.
+ *
+ * There are 2^7 + 2^15 + 2^23 + 2^23 = 16810112 total ambiguous
+ * initial Heimdal counter values, but we receive them as one of 2^23
+ * possible values. There is a ~1/256 chance of a Heimdal
+ * implementation sending an intial sequence number in the ambiguous
+ * range.
+ *
+ * We have to do special treatment when receiving sequence numbers
+ * between 0xFF800000..0xFFFFFFFF, or when wrapping through zero
+ * weirdly (due to ambiguous initial sequence number). If we are
+ * expecting a value corresponding to an ambiguous Heimdal counter
+ * value, and we receive an exact match, we can mark the remote end as
+ * sane.
+ */
+krb5_boolean
+krb5int_auth_con_chkseqnum(
+ krb5_context ctx,
+ krb5_auth_context ac,
+ krb5_ui_4 in_seq)
+{
+ krb5_ui_4 exp_seq;
+
+ exp_seq = ac->remote_seq_number;
+
+ /*
+ * If sender is known to be sane, accept _only_ exact matches.
+ */
+ if (ac->auth_context_flags & KRB5_AUTH_CONN_SANE_SEQ)
+ return in_seq == exp_seq;
+
+ /*
+ * If sender is not known to be sane, first check the ambiguous
+ * range of received values, 0xFF800000..0xFFFFFFFF.
+ */
+ if ((in_seq & 0xFF800000) == 0xFF800000) {
+ /*
+ * If expected sequence number is in the range
+ * 0xFF800000..0xFFFFFFFF, then we can't make any
+ * determinations about the sanity of the sending
+ * implementation.
+ */
+ if ((exp_seq & 0xFF800000) == 0xFF800000 && in_seq == exp_seq)
+ return 1;
+ /*
+ * If sender is not known for certain to be a broken Heimdal
+ * implementation, check for exact match.
+ */
+ if (!(ac->auth_context_flags & KRB5_AUTH_CONN_HEIMDAL_SEQ)
+ && in_seq == exp_seq)
+ return 1;
+ /*
+ * Now apply hairy algorithm for matching sequence numbers
+ * sent by broken Heimdal implementations. If it matches, we
+ * know for certain it's a broken Heimdal sender.
+ */
+ if (chk_heimdal_seqnum(exp_seq, in_seq)) {
+ ac->auth_context_flags |= KRB5_AUTH_CONN_HEIMDAL_SEQ;
+ return 1;
+ }
+ return 0;
+ }
+
+ /*
+ * Received value not in the ambiguous range? If the _expected_
+ * value is in the range of ambiguous Hemidal counter values, and
+ * it matches the received value, sender is known to be sane.
+ */
+ if (in_seq == exp_seq) {
+ if (( exp_seq & 0xFFFFFF80) == 0x00000080
+ || (exp_seq & 0xFFFF8000) == 0x00008000
+ || (exp_seq & 0xFF800000) == 0x00800000)
+ ac->auth_context_flags |= KRB5_AUTH_CONN_SANE_SEQ;
+ return 1;
+ }
+
+ /*
+ * Magic wraparound for the case where the intial sequence number
+ * is in the ambiguous range. This means that the sender's
+ * counter is at a different count than ours, so we correct ours,
+ * and mark the sender as being a broken Heimdal implementation.
+ */
+ if (exp_seq == 0
+ && !(ac->auth_context_flags & KRB5_AUTH_CONN_HEIMDAL_SEQ)) {
+ switch (in_seq) {
+ case 0x100:
+ case 0x10000:
+ case 0x1000000:
+ ac->auth_context_flags |= KRB5_AUTH_CONN_HEIMDAL_SEQ;
+ exp_seq = in_seq;
+ return 1;
+ default:
+ return 0;
+ }
+ }
+ return 0;
+}
+
+static krb5_boolean
+chk_heimdal_seqnum(krb5_ui_4 exp_seq, krb5_ui_4 in_seq)
+{
+ if (( exp_seq & 0xFF800000) == 0x00800000
+ && (in_seq & 0xFF800000) == 0xFF800000
+ && (in_seq & 0x00FFFFFF) == exp_seq)
+ return 1;
+ else if (( exp_seq & 0xFFFF8000) == 0x00008000
+ && (in_seq & 0xFFFF8000) == 0xFFFF8000
+ && (in_seq & 0x0000FFFF) == exp_seq)
+ return 1;
+ else if (( exp_seq & 0xFFFFFF80) == 0x00000080
+ && (in_seq & 0xFFFFFF80) == 0xFFFFFF80
+ && (in_seq & 0x000000FF) == exp_seq)
+ return 1;
+ else
+ return 0;
+}
diff --git a/src/lib/krb5/krb/auth_con.h b/src/lib/krb5/krb/auth_con.h
index d83d6b8..9543de3 100644
--- a/src/lib/krb5/krb/auth_con.h
+++ b/src/lib/krb5/krb/auth_con.h
@@ -9,12 +9,12 @@ struct _krb5_auth_context {
krb5_address * local_addr;
krb5_address * local_port;
krb5_keyblock * keyblock;
- krb5_keyblock * local_subkey;
- krb5_keyblock * remote_subkey;
+ krb5_keyblock * send_subkey;
+ krb5_keyblock * recv_subkey;
krb5_int32 auth_context_flags;
- krb5_int32 remote_seq_number;
- krb5_int32 local_seq_number;
+ krb5_ui_4 remote_seq_number;
+ krb5_ui_4 local_seq_number;
krb5_authenticator *authentp; /* mk_req, rd_req, mk_rep, ...*/
krb5_cksumtype req_cksumtype; /* mk_safe, ... */
krb5_cksumtype safe_cksumtype; /* mk_safe, ... */
@@ -30,5 +30,7 @@ struct _krb5_auth_context {
#define KRB5_AUTH_CONN_INITIALIZED 0x00010000
#define KRB5_AUTH_CONN_USED_W_MK_REQ 0x00020000
#define KRB5_AUTH_CONN_USED_W_RD_REQ 0x00040000
+#define KRB5_AUTH_CONN_SANE_SEQ 0x00080000
+#define KRB5_AUTH_CONN_HEIMDAL_SEQ 0x00100000
#endif
diff --git a/src/lib/krb5/krb/chpw.c b/src/lib/krb5/krb/chpw.c
index bb2cfe9..a455cc4 100644
--- a/src/lib/krb5/krb/chpw.c
+++ b/src/lib/krb5/krb/chpw.c
@@ -1,11 +1,15 @@
+/*
+** set password functions added by Paul W. Nelson, Thursby Software Systems, Inc.
+*/
#include <string.h>
#include "k5-int.h"
#include "krb5_err.h"
#include "auth_con.h"
-krb5_error_code KRB5_CALLCONV
-krb5_mk_chpw_req(krb5_context context, krb5_auth_context auth_context, krb5_data *ap_req, char *passwd, krb5_data *packet)
+
+krb5_error_code
+krb5int_mk_chpw_req(krb5_context context, krb5_auth_context auth_context, krb5_data *ap_req, char *passwd, krb5_data *packet)
{
krb5_error_code ret = 0;
krb5_data clearpw;
@@ -66,8 +70,8 @@ cleanup:
return(ret);
}
-krb5_error_code KRB5_CALLCONV
-krb5_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *packet, int *result_code, krb5_data *result_data)
+krb5_error_code
+krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *packet, int *result_code, krb5_data *result_data)
{
char *ptr;
int plen, vno;
@@ -116,8 +120,18 @@ krb5_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_data
ap_rep.data = ptr;
ptr += ap_rep.length;
- if ((ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc)))
+ /*
+ * Save send_subkey to later smash recv_subkey.
+ */
+ ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmp);
+ if (ret)
+ return ret;
+
+ ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc);
+ if (ret) {
+ krb5_free_keyblock(context, tmp);
return(ret);
+ }
krb5_free_ap_rep_enc_part(context, ap_rep_enc);
@@ -126,18 +140,17 @@ krb5_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_data
cipherresult.data = ptr;
cipherresult.length = (packet->data + packet->length) - ptr;
- /* XXX there's no api to do this right. The problem is that
- if there's a remote subkey, it will be used. This is
- not what the spec requires */
-
- tmp = auth_context->remote_subkey;
- auth_context->remote_subkey = NULL;
+ /*
+ * Smash recv_subkey to be send_subkey, per spec.
+ */
+ ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmp);
+ krb5_free_keyblock(context, tmp);
+ if (ret)
+ return ret;
ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
&replay);
- auth_context->remote_subkey = tmp;
-
if (ret)
return(ret);
} else {
@@ -161,7 +174,7 @@ krb5_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_data
*result_code = (*result_code<<8) | (*ptr++ & 0xff);
if ((*result_code < KRB5_KPASSWD_SUCCESS) ||
- (*result_code > KRB5_KPASSWD_SOFTERROR)) {
+ (*result_code > KRB5_KPASSWD_INITIAL_FLAG_NEEDED)) {
ret = KRB5KRB_AP_ERR_MODIFIED;
goto cleanup;
}
@@ -221,3 +234,284 @@ krb5_chpw_result_code_string(krb5_context context, int result_code, char **code_
return(0);
}
+
+krb5_error_code
+krb5int_mk_setpw_req(
+ krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_data *ap_req,
+ krb5_principal targprinc,
+ char *passwd,
+ krb5_data *packet )
+{
+ krb5_error_code ret;
+ krb5_data cipherpw;
+ krb5_data *encoded_setpw;
+
+ char *ptr;
+ int count = 2;
+
+ cipherpw.data = NULL;
+ cipherpw.length = 0;
+
+ if (ret = krb5_auth_con_setflags(context, auth_context,
+ KRB5_AUTH_CONTEXT_DO_SEQUENCE))
+ return(ret);
+
+ ret = encode_krb5_setpw_req(targprinc, passwd, &encoded_setpw);
+ if (ret) {
+ return ret;
+ }
+
+ if ( (ret = krb5_mk_priv(context, auth_context, encoded_setpw, &cipherpw, NULL)) != 0) {
+ krb5_free_data( context, encoded_setpw);
+ return(ret);
+ }
+ krb5_free_data( context, encoded_setpw);
+
+
+ packet->length = 6 + ap_req->length + cipherpw.length;
+ packet->data = (char *) malloc(packet->length);
+ if (packet->data == NULL) {
+ ret = ENOMEM;
+ goto cleanup;
+ }
+ ptr = packet->data;
+/*
+** build the packet -
+*/
+/* put in the length */
+ *ptr++ = (packet->length>>8) & 0xff;
+ *ptr++ = packet->length & 0xff;
+/* put in the version */
+ *ptr++ = (char)0xff;
+ *ptr++ = (char)0x80;
+/* the ap_req length is big endian */
+ *ptr++ = (ap_req->length>>8) & 0xff;
+ *ptr++ = ap_req->length & 0xff;
+/* put in the request data */
+ memcpy(ptr, ap_req->data, ap_req->length);
+ ptr += ap_req->length;
+/*
+** put in the "private" password data -
+*/
+ memcpy(ptr, cipherpw.data, cipherpw.length);
+ ret = 0;
+ cleanup:
+ if (cipherpw.data)
+ krb5_free_data_contents(context, &cipherpw);
+ if ((ret != 0) && packet->data) {
+ free( packet->data);
+ packet->data = NULL;
+ }
+ return ret;
+}
+
+krb5_error_code
+krb5int_rd_setpw_rep( krb5_context context, krb5_auth_context auth_context, krb5_data *packet,
+ int *result_code, krb5_data *result_data )
+{
+ char *ptr;
+ unsigned int message_length, version_number;
+ krb5_data ap_rep;
+ krb5_ap_rep_enc_part *ap_rep_enc;
+ krb5_error_code ret;
+ krb5_data cipherresult;
+ krb5_data clearresult;
+ krb5_replay_data replay;
+ krb5_keyblock *tmpkey;
+/*
+** validate the packet length -
+*/
+ if (packet->length < 4)
+ return(KRB5KRB_AP_ERR_MODIFIED);
+
+ ptr = packet->data;
+
+/*
+** see if it is an error
+*/
+ if (krb5_is_krb_error(packet)) {
+ krb5_error *krberror;
+ if (ret = krb5_rd_error(context, packet, &krberror))
+ return(ret);
+ if (krberror->e_data.data == NULL) {
+ ret = ERROR_TABLE_BASE_krb5 + krberror->error;
+ krb5_free_error(context, krberror);
+ return (ret);
+ }
+ clearresult = krberror->e_data;
+ krberror->e_data.data = NULL; /*So we can free it later*/
+ krberror->e_data.length = 0;
+ krb5_free_error(context, krberror);
+
+ } else { /* Not an error*/
+
+/*
+** validate the message length -
+** length is big endian
+*/
+ message_length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ ptr += 2;
+/*
+** make sure the message length and packet length agree -
+*/
+ if (message_length != packet->length)
+ return(KRB5KRB_AP_ERR_MODIFIED);
+/*
+** get the version number -
+*/
+ version_number = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ ptr += 2;
+/*
+** make sure we support the version returned -
+*/
+/*
+** set password version is 0xff80, change password version is 1
+*/
+ if (version_number != 0xff80 && version_number != 1)
+ return(KRB5KDC_ERR_BAD_PVNO);
+/*
+** now fill in ap_rep with the reply -
+*/
+/*
+** get the reply length -
+*/
+ ap_rep.length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ ptr += 2;
+/*
+** validate ap_rep length agrees with the packet length -
+*/
+ if (ptr + ap_rep.length >= packet->data + packet->length)
+ return(KRB5KRB_AP_ERR_MODIFIED);
+/*
+** if data was returned, set the ap_rep ptr -
+*/
+ if( ap_rep.length ) {
+ ap_rep.data = ptr;
+ ptr += ap_rep.length;
+
+ /*
+ * Save send_subkey to later smash recv_subkey.
+ */
+ ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmpkey);
+ if (ret)
+ return ret;
+
+ ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc);
+ if (ret) {
+ krb5_free_keyblock(context, tmpkey);
+ return(ret);
+ }
+
+ krb5_free_ap_rep_enc_part(context, ap_rep_enc);
+/*
+** now decrypt the result -
+*/
+ cipherresult.data = ptr;
+ cipherresult.length = (packet->data + packet->length) - ptr;
+
+ /*
+ * Smash recv_subkey to be send_subkey, per spec.
+ */
+ ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmpkey);
+ krb5_free_keyblock(context, tmpkey);
+ if (ret)
+ return ret;
+
+ ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
+ NULL);
+ if (ret)
+ return(ret);
+ } /*We got an ap_rep*/
+ else
+ return (KRB5KRB_AP_ERR_MODIFIED);
+ } /*Response instead of error*/
+
+/*
+** validate the cleartext length
+*/
+ if (clearresult.length < 2) {
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
+ }
+/*
+** now decode the result -
+*/
+ ptr = clearresult.data;
+
+ *result_code = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ ptr += 2;
+
+/*
+** result code 5 is access denied
+*/
+ if ((*result_code < KRB5_KPASSWD_SUCCESS) || (*result_code > 5))
+ {
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
+ }
+/*
+** all success replies should be authenticated/encrypted
+*/
+ if( (ap_rep.length == 0) && (*result_code == KRB5_KPASSWD_SUCCESS) )
+ {
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
+ }
+
+ if (result_data) {
+ result_data->length = (clearresult.data + clearresult.length) - ptr;
+
+ if (result_data->length)
+ {
+ result_data->data = (char *) malloc(result_data->length);
+ if (result_data->data)
+ memcpy(result_data->data, ptr, result_data->length);
+ }
+ else
+ result_data->data = NULL;
+ }
+ ret = 0;
+
+ cleanup:
+ krb5_free_data_contents(context, &clearresult);
+ return(ret);
+}
+
+krb5_error_code
+krb5int_setpw_result_code_string( krb5_context context, int result_code, const char **code_string )
+{
+ switch (result_code)
+ {
+ case KRB5_KPASSWD_MALFORMED:
+ *code_string = "Malformed request error";
+ break;
+ case KRB5_KPASSWD_HARDERROR:
+ *code_string = "Server error";
+ break;
+ case KRB5_KPASSWD_AUTHERROR:
+ *code_string = "Authentication error";
+ break;
+ case KRB5_KPASSWD_SOFTERROR:
+ *code_string = "Password change rejected";
+ break;
+ case 5: /* access denied */
+ *code_string = "Access denied";
+ break;
+ case 6: /* bad version */
+ *code_string = "Wrong protocol version";
+ break;
+ case 7: /* initial flag is needed */
+ *code_string = "Initial password required";
+ break;
+ case 0:
+ *code_string = "Success";
+ default:
+ *code_string = "Password change failed";
+ break;
+ }
+
+ return(0);
+}
+
diff --git a/src/lib/krb5/krb/conv_creds.c b/src/lib/krb5/krb/conv_creds.c
new file mode 100644
index 0000000..3a4e66d
--- /dev/null
+++ b/src/lib/krb5/krb/conv_creds.c
@@ -0,0 +1,277 @@
+/*
+ * Copyright 1994 by OpenVision Technologies, Inc.
+ *
+ * Permission to use, copy, modify, distribute, and sell this software
+ * and its documentation for any purpose is hereby granted without fee,
+ * provided that the above copyright notice appears in all copies and
+ * that both that copyright notice and this permission notice appear in
+ * supporting documentation, and that the name of OpenVision not be used
+ * in advertising or publicity pertaining to distribution of the software
+ * without specific, written prior permission. OpenVision makes no
+ * representations about the suitability of this software for any
+ * purpose. It is provided "as is" without express or implied warranty.
+ *
+ * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
+ * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
+ * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
+ * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "k5-int.h"
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+#include "port-sockets.h"
+#include "socket-utils.h"
+
+#if defined(KRB5_KRB4_COMPAT) || defined(_WIN32) /* yuck */
+#include "kerberosIV/krb.h"
+
+#ifdef USE_CCAPI
+#include <CredentialsCache.h>
+#endif
+
+#define krb524_debug krb5int_krb524_debug
+int krb524_debug = 0;
+
+static krb5_error_code krb524_convert_creds_plain
+(krb5_context context, krb5_creds *v5creds,
+ CREDENTIALS *v4creds);
+
+static int decode_v4tkt
+ (struct ktext *v4tkt, char *buf, unsigned int *encoded_len);
+
+krb5_error_code KRB5_CALLCONV
+krb5_524_convert_creds(krb5_context context, krb5_creds *v5creds,
+ CREDENTIALS *v4creds)
+{
+ krb5_error_code ret;
+ krb5_data reply;
+ char *p;
+ struct sockaddr_storage ss;
+ socklen_t slen = sizeof(ss);
+
+ ret = krb524_convert_creds_plain(context, v5creds, v4creds);
+ if (ret)
+ return ret;
+
+ reply.data = NULL;
+ ret = krb5int_524_sendto_kdc(context, &v5creds->ticket,
+ &v5creds->server->realm, &reply,
+ ss2sa(&ss), &slen);
+ if (ret)
+ return ret;
+
+#if TARGET_OS_MAC
+#ifdef USE_CCAPI
+ v4creds->stk_type = cc_v4_stk_des;
+#endif
+ if (slen == sizeof(struct sockaddr_in)
+ && ss2sa(&ss)->sa_family == AF_INET) {
+ v4creds->address = ss2sin(&ss)->sin_addr.s_addr;
+ }
+ /* Otherwise, leave it set to all-zero. */
+#endif
+
+ p = reply.data;
+ ret = ntohl(*((krb5_error_code *) p));
+ p += sizeof(krb5_int32);
+ reply.length -= sizeof(krb5_int32);
+ if (ret)
+ goto fail;
+
+ v4creds->kvno = ntohl(*((krb5_error_code *) p));
+ p += sizeof(krb5_int32);
+ reply.length -= sizeof(krb5_int32);
+ ret = decode_v4tkt(&v4creds->ticket_st, p, &reply.length);
+
+fail:
+ if (reply.data)
+ free(reply.data);
+ reply.data = NULL;
+ return ret;
+}
+
+static krb5_error_code
+krb524_convert_creds_plain(context, v5creds, v4creds)
+ krb5_context context;
+ krb5_creds *v5creds;
+ CREDENTIALS *v4creds;
+{
+ int ret;
+ krb5_timestamp endtime;
+ char dummy[REALM_SZ];
+ memset((char *) v4creds, 0, sizeof(CREDENTIALS));
+
+ if ((ret = krb5_524_conv_principal(context, v5creds->client,
+ v4creds->pname, v4creds->pinst,
+ dummy)))
+ return ret;
+ if ((ret = krb5_524_conv_principal(context, v5creds->server,
+ v4creds->service, v4creds->instance,
+ v4creds->realm)))
+ return ret;
+
+ /* Check enctype too */
+ if (v5creds->keyblock.length != sizeof(C_Block)) {
+ if (krb524_debug)
+ fprintf(stderr, "v5 session keyblock length %d != C_Block size %d\n",
+ v5creds->keyblock.length,
+ (int) sizeof(C_Block));
+ return KRB524_BADKEY;
+ } else
+ memcpy(v4creds->session, (char *) v5creds->keyblock.contents,
+ sizeof(C_Block));
+
+ /* V4 has no concept of authtime or renew_till, so ignore them */
+ v4creds->issue_date = v5creds->times.starttime;
+ v4creds->lifetime = krb5int_krb_time_to_life(v5creds->times.starttime,
+ v5creds->times.endtime);
+ endtime = krb5int_krb_life_to_time(v4creds->issue_date,
+ v4creds->lifetime);
+ /*
+ * Adjust start time backwards to deal with rounding up in
+ * krb_time_to_life(), to match code on server side.
+ */
+ if (endtime > v5creds->times.endtime)
+ v4creds->issue_date -= endtime - v5creds->times.endtime;
+
+ return 0;
+}
+
+/* this used to be krb524/encode.c, under same copyright as above */
+/*
+ * I'm sure that this is reinventing the wheel, but I don't know where
+ * the wheel is hidden.
+ */
+
+int encode_v4tkt (KTEXT_ST *, char *, unsigned int *);
+static int encode_bytes (char **, int *, char *, unsigned int),
+ encode_int32 (char **, int *, krb5_int32 *);
+
+static int decode_bytes (char **, int *, char *, unsigned int),
+ decode_int32 (char **, int *, krb5_int32 *);
+
+static int encode_bytes(out, outlen, in, len)
+ char **out;
+ int *outlen;
+ char *in;
+ unsigned int len;
+{
+ if (len > *outlen)
+ return KRB524_ENCFULL;
+ memcpy(*out, in, len);
+ *out += len;
+ *outlen -= len;
+ return 0;
+}
+
+static int encode_int32(out, outlen, v)
+ char **out;
+ int *outlen;
+ krb5_int32 *v;
+{
+ krb5_int32 nv; /* Must be 4 bytes */
+
+ nv = htonl(*v);
+ return encode_bytes(out, outlen, (char *) &nv, sizeof(nv));
+}
+
+int krb5int_encode_v4tkt(v4tkt, buf, encoded_len)
+ KTEXT_ST *v4tkt;
+ char *buf;
+ unsigned int *encoded_len;
+{
+ int buflen, ret;
+
+ buflen = *encoded_len;
+
+ if ((ret = encode_int32(&buf, &buflen, &v4tkt->length)))
+ return ret;
+ if ((ret = encode_bytes(&buf, &buflen, (char *)v4tkt->dat, MAX_KTXT_LEN)))
+ return ret;
+ if ((ret = encode_int32(&buf, &buflen, (krb5_int32 *) &v4tkt->mbz)))
+ return ret;
+
+ *encoded_len -= buflen;
+ return 0;
+}
+
+/* decode functions */
+
+static int decode_bytes(out, outlen, in, len)
+ char **out;
+ int *outlen;
+ char *in;
+ unsigned int len;
+{
+ if (len > *outlen)
+ return KRB524_DECEMPTY;
+ memcpy(in, *out, len);
+ *out += len;
+ *outlen -= len;
+ return 0;
+}
+
+static int decode_int32(out, outlen, v)
+ char **out;
+ int *outlen;
+ krb5_int32 *v;
+{
+ int ret;
+ krb5_int32 nv; /* Must be four bytes */
+
+ if ((ret = decode_bytes(out, outlen, (char *) &nv, sizeof(nv))))
+ return ret;
+ *v = ntohl(nv);
+ return 0;
+}
+
+static int decode_v4tkt(v4tkt, buf, encoded_len)
+ KTEXT_ST *v4tkt;
+ char *buf;
+ unsigned int *encoded_len;
+{
+ int buflen, ret;
+
+ buflen = *encoded_len;
+ if ((ret = decode_int32(&buf, &buflen, &v4tkt->length)))
+ return ret;
+ if ((ret = decode_bytes(&buf, &buflen, (char *)v4tkt->dat, MAX_KTXT_LEN)))
+ return ret;
+ if ((ret = decode_int32(&buf, &buflen, (krb5_int32 *) &v4tkt->mbz)))
+ return ret;
+ *encoded_len -= buflen;
+ return 0;
+}
+
+#else /* no krb4 compat */
+
+krb5_error_code KRB5_CALLCONV
+krb5_524_convert_creds(krb5_context context, krb5_creds *v5creds,
+ struct credentials *v4creds)
+{
+ return KRB524_KRB4_DISABLED;
+}
+
+#endif
+
+/* These may be needed for object-level backwards compatibility on Mac
+ OS and UNIX, but Windows should be okay. */
+#ifndef _WIN32
+#undef krb524_convert_creds_kdc
+krb5_error_code KRB5_CALLCONV
+krb524_convert_creds_kdc(krb5_context context, krb5_creds *v5creds,
+ struct credentials *v4creds)
+{
+ return krb5_524_convert_creds(context, v5creds, v4creds);
+}
+
+#undef krb524_init_ets
+void KRB5_CALLCONV krb524_init_ets ()
+{
+}
+#endif
diff --git a/src/lib/krb5/krb/copy_data.c b/src/lib/krb5/krb/copy_data.c
index 2899c5a..1be2a2d 100644
--- a/src/lib/krb5/krb/copy_data.c
+++ b/src/lib/krb5/krb/copy_data.c
@@ -58,3 +58,25 @@ krb5_copy_data(krb5_context context, const krb5_data *indata, krb5_data **outdat
*outdata = tempdata;
return 0;
}
+
+krb5_error_code
+krb5int_copy_data_contents(krb5_context context, const krb5_data *indata, krb5_data *outdata)
+{
+ if (!indata) {
+ return EINVAL;
+ }
+
+
+ outdata->length = indata->length;
+ if (outdata->length) {
+ if (!(outdata->data = malloc(outdata->length))) {
+ krb5_xfree(outdata);
+ return ENOMEM;
+ }
+ memcpy((char *)outdata->data, (char *)indata->data, outdata->length);
+ } else
+ outdata->data = 0;
+ outdata->magic = KV5M_DATA;
+
+ return 0;
+}
diff --git a/src/lib/krb5/krb/fwd_tgt.c b/src/lib/krb5/krb/fwd_tgt.c
index aa42f8c..4e2c8f0 100644
--- a/src/lib/krb5/krb/fwd_tgt.c
+++ b/src/lib/krb5/krb/fwd_tgt.c
@@ -56,6 +56,7 @@ krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, char *r
int free_rhost = 0;
krb5_enctype enctype = 0;
krb5_keyblock *session_key;
+ krb5_boolean old_use_conf_ktypes = context->use_conf_ktypes;
memset((char *)&creds, 0, sizeof(creds));
memset((char *)&tgt, 0, sizeof(creds));
@@ -109,8 +110,10 @@ krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, char *r
goto errout;
/* fetch tgt directly from cache */
+ context->use_conf_ktypes = 1;
retval = krb5_cc_retrieve_cred (context, cc, KRB5_TC_SUPPORTED_KTYPES,
&creds, &tgt);
+ context->use_conf_ktypes = old_use_conf_ktypes;
if (retval)
goto errout;
@@ -161,9 +164,15 @@ retval = KRB5_FWD_BAD_PRINCIPAL;
kdcoptions &= ~(KDC_OPT_FORWARDABLE);
if ((retval = krb5_get_cred_via_tkt(context, &tgt, kdcoptions,
- addrs, &creds, &pcreds)))
- goto errout;
-
+ addrs, &creds, &pcreds))) {
+ if (enctype) {
+ creds.keyblock.enctype = 0;
+ if ((retval = krb5_get_cred_via_tkt(context, &tgt, kdcoptions,
+ addrs, &creds, &pcreds)))
+ goto errout;
+ }
+ else goto errout;
+ }
retval = krb5_mk_1cred(context, auth_context, pcreds,
&scratch, &replaydata);
krb5_free_creds(context, pcreds);
diff --git a/src/lib/krb5/krb/gc_frm_kdc.c b/src/lib/krb5/krb/gc_frm_kdc.c
index fdf00e6..8ca62cc 100644
--- a/src/lib/krb5/krb/gc_frm_kdc.c
+++ b/src/lib/krb5/krb/gc_frm_kdc.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1994 by the Massachusetts Institute of Technology.
+ * Copyright (c) 1994,2003 by the Massachusetts Institute of Technology.
* Copyright (c) 1994 CyberSAFE Corporation
* Copyright (c) 1993 Open Computing Security Group
* Copyright (c) 1990,1991 by the Massachusetts Institute of Technology.
@@ -76,6 +76,7 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds
krb5_principal *top_server = NULL;
krb5_principal *next_server = NULL;
unsigned int nservers = 0;
+ krb5_boolean old_use_conf_ktypes = context->use_conf_ktypes;
/* in case we never get a TGT, zero the return */
@@ -114,6 +115,7 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds
goto cleanup;
}
+ context->use_conf_ktypes = 1;
if ((retval = krb5_cc_retrieve_cred(context, ccache,
KRB5_TC_MATCH_SRV_NAMEONLY | KRB5_TC_SUPPORTED_KTYPES,
&tgtq, &tgt))) {
@@ -231,21 +233,17 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds
krb5_free_cred_contents(context, &tgtq);
memset(&tgtq, 0, sizeof(tgtq));
-#ifdef HAVE_C_STRUCTURE_ASSIGNMENT
tgtq.times = tgt.times;
-#else
- memcpy(&tgtq.times, &tgt.times, sizeof(krb5_ticket_times));
-#endif
-
if ((retval = krb5_copy_principal(context, tgt.client, &tgtq.client)))
goto cleanup;
if ((retval = krb5_copy_principal(context, int_server, &tgtq.server)))
goto cleanup;
tgtq.is_skey = FALSE;
tgtq.ticket_flags = tgt.ticket_flags;
- if ((retval = krb5_get_cred_via_tkt(context, &tgt,
- FLAGS2OPTS(tgtq.ticket_flags),
- tgt.addresses, &tgtq, &tgtr))) {
+ retval = krb5_get_cred_via_tkt(context, &tgt,
+ FLAGS2OPTS(tgtq.ticket_flags),
+ tgt.addresses, &tgtq, &tgtr);
+ if (retval) {
/*
* couldn't get one so now loop backwards through the realms
@@ -301,12 +299,12 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds
goto cleanup;
tgtq.is_skey = FALSE;
tgtq.ticket_flags = tgt.ticket_flags;
- if ((retval = krb5_get_cred_via_tkt(context, &tgt,
- FLAGS2OPTS(tgtq.ticket_flags),
- tgt.addresses,
- &tgtq, &tgtr))) {
+ retval = krb5_get_cred_via_tkt(context, &tgt,
+ FLAGS2OPTS(tgtq.ticket_flags),
+ tgt.addresses,
+ &tgtq, &tgtr);
+ if (retval)
continue;
- }
/* save tgt in return array */
if ((retval = krb5_copy_creds(context, tgtr,
@@ -341,7 +339,9 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds
for (next_server = top_server; *next_server; next_server++) {
krb5_data *realm_1 = krb5_princ_component(context, next_server[0], 1);
krb5_data *realm_2 = krb5_princ_component(context, tgtr->server, 1);
- if (realm_1->length == realm_2->length &&
+ if (realm_1 != NULL &&
+ realm_2 != NULL &&
+ realm_1->length == realm_2->length &&
!memcmp(realm_1->data, realm_2->data, realm_1->length)) {
break;
}
@@ -374,10 +374,12 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds
goto cleanup;
}
- retval = krb5_get_cred_via_tkt(context, &tgt, FLAGS2OPTS(tgt.ticket_flags) |
- kdcopt |
- (in_cred->second_ticket.length ?
- KDC_OPT_ENC_TKT_IN_SKEY : 0),
+ context->use_conf_ktypes = old_use_conf_ktypes;
+ retval = krb5_get_cred_via_tkt(context, &tgt,
+ FLAGS2OPTS(tgt.ticket_flags) |
+ kdcopt |
+ (in_cred->second_ticket.length ?
+ KDC_OPT_ENC_TKT_IN_SKEY : 0),
tgt.addresses, in_cred, out_cred);
/* cleanup and return */
@@ -393,6 +395,7 @@ cleanup:
if (ret_tgts) free(ret_tgts);
krb5_free_cred_contents(context, &tgt);
}
+ context->use_conf_ktypes = old_use_conf_ktypes;
return(retval);
}
diff --git a/src/lib/krb5/krb/gen_seqnum.c b/src/lib/krb5/krb/gen_seqnum.c
index 196a437..3737640 100644
--- a/src/lib/krb5/krb/gen_seqnum.c
+++ b/src/lib/krb5/krb/gen_seqnum.c
@@ -36,7 +36,7 @@
#endif
krb5_error_code
-krb5_generate_seq_number(krb5_context context, const krb5_keyblock *key, krb5_int32 *seqno)
+krb5_generate_seq_number(krb5_context context, const krb5_keyblock *key, krb5_ui_4 *seqno)
{
krb5_data seed;
krb5_error_code retval;
@@ -48,5 +48,20 @@ krb5_generate_seq_number(krb5_context context, const krb5_keyblock *key, krb5_in
seed.length = sizeof(*seqno);
seed.data = (char *) seqno;
- return(krb5_c_random_make_octets(context, &seed));
+ retval = krb5_c_random_make_octets(context, &seed);
+ if (retval)
+ return retval;
+ /*
+ * Work around implementation incompatibilities by not generating
+ * initial sequence numbers greater than 2^30. Previous MIT
+ * implementations use signed sequence numbers, so initial
+ * sequence numbers 2^31 to 2^32-1 inclusive will be rejected.
+ * Letting the maximum initial sequence number be 2^30-1 allows
+ * for about 2^30 messages to be sent before wrapping into
+ * "negative" numbers.
+ */
+ *seqno &= 0x3fffffff;
+ if (*seqno == 0)
+ *seqno = 1;
+ return 0;
}
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index dc06c53..df5ebaf 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1,7 +1,7 @@
/*
* lib/krb5/krb/get_in_tkt.c
*
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991, 2003 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -262,6 +262,7 @@ verify_as_reply(krb5_context context,
(request->rtime != 0) &&
(as_reply->enc_part2->times.renew_till > request->rtime))
|| ((request->kdc_options & KDC_OPT_RENEWABLE_OK) &&
+ !(request->kdc_options & KDC_OPT_RENEWABLE) &&
(as_reply->enc_part2->flags & KDC_OPT_RENEWABLE) &&
(request->till != 0) &&
(as_reply->enc_part2->times.renew_till > request->till))
@@ -409,6 +410,15 @@ make_preauth_list(krb5_context context,
}
#define MAX_IN_TKT_LOOPS 16
+static krb5_enctype get_in_tkt_enctypes[] = {
+ ENCTYPE_DES3_CBC_SHA1,
+ ENCTYPE_ARCFOUR_HMAC,
+ ENCTYPE_DES_CBC_MD5,
+ ENCTYPE_DES_CBC_MD4,
+ ENCTYPE_DES_CBC_CRC,
+ 0
+};
+
krb5_error_code KRB5_CALLCONV
krb5_get_in_tkt(krb5_context context,
@@ -460,8 +470,13 @@ krb5_get_in_tkt(krb5_context context,
request.from = creds->times.starttime;
request.till = creds->times.endtime;
request.rtime = creds->times.renew_till;
- if ((retval = krb5_get_default_in_tkt_ktypes(context, &request.ktype)))
+
+ request.ktype = malloc (sizeof(get_in_tkt_enctypes));
+ if (request.ktype == NULL) {
+ retval = ENOMEM;
goto cleanup;
+ }
+ memcpy(request.ktype, get_in_tkt_enctypes, sizeof(get_in_tkt_enctypes));
for (request.nktypes = 0;request.ktype[request.nktypes];request.nktypes++);
if (ktypes) {
int i, req, next = 0;
@@ -734,6 +749,7 @@ krb5_get_init_creds(krb5_context context,
krb5_deltat renew_life;
int loopcount;
krb5_data salt;
+ krb5_data s2kparams;
krb5_keyblock as_key;
krb5_error *err_reply;
krb5_kdc_rep *local_as_reply;
@@ -742,6 +758,8 @@ krb5_get_init_creds(krb5_context context,
/* initialize everything which will be freed at cleanup */
+ s2kparams.data = NULL;
+ s2kparams.length = 0;
request.server = NULL;
request.ktype = NULL;
request.addresses = NULL;
@@ -761,7 +779,7 @@ krb5_get_init_creds(krb5_context context,
/* request.padata is filled in later */
- request.kdc_options = 0;
+ request.kdc_options = context->kdc_default_options;
/* forwardable */
@@ -854,11 +872,13 @@ krb5_get_init_creds(krb5_context context,
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE))
request.till += options->tkt_life;
else
- request.till += 10*60*60; /* this used to be hardcoded in kinit.c */
+ request.till += 24*60*60; /* this used to be hardcoded in kinit.c */
if (renew_life > 0) {
request.rtime = request.from;
request.rtime += renew_life;
+ if (request.rtime >= request.till)
+ request.kdc_options &= ~(KDC_OPT_RENEWABLE_OK);
} else {
request.rtime = 0;
}
@@ -927,7 +947,7 @@ krb5_get_init_creds(krb5_context context,
if ((ret = krb5_do_preauth(context, &request,
padata, &request.padata,
- &salt, &etype, &as_key, prompter,
+ &salt, &s2kparams, &etype, &as_key, prompter,
prompter_data, gak_fct, gak_data)))
goto cleanup;
@@ -973,7 +993,7 @@ krb5_get_init_creds(krb5_context context,
if ((ret = krb5_do_preauth(context, &request,
local_as_reply->padata, &padata,
- &salt, &etype, &as_key, prompter,
+ &salt, &s2kparams, &etype, &as_key, prompter,
prompter_data, gak_fct, gak_data)))
goto cleanup;
@@ -1005,7 +1025,7 @@ krb5_get_init_creds(krb5_context context,
if ((ret = ((*gak_fct)(context, request.client,
local_as_reply->enc_part.enctype,
- prompter, prompter_data, &salt,
+ prompter, prompter_data, &salt, &s2kparams,
&as_key, gak_data))))
goto cleanup;
@@ -1050,6 +1070,7 @@ cleanup:
if (salt.data &&
(!(options && (options->flags & KRB5_GET_INIT_CREDS_OPT_SALT))))
krb5_xfree(salt.data);
+ krb5_free_data_contents(context, &s2kparams);
if (as_reply)
*as_reply = local_as_reply;
else if (local_as_reply)
diff --git a/src/lib/krb5/krb/gic_keytab.c b/src/lib/krb5/krb/gic_keytab.c
index a7cb773..38a88ee 100644
--- a/src/lib/krb5/krb/gic_keytab.c
+++ b/src/lib/krb5/krb/gic_keytab.c
@@ -1,3 +1,29 @@
+/*
+ * lib/krb5/krb/gic_keytab.c
+ *
+ * Copyright (C) 2002, 2003 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
#include "k5-int.h"
static krb5_error_code
@@ -8,6 +34,7 @@ krb5_get_as_key_keytab(
krb5_prompter_fct prompter,
void *prompter_data,
krb5_data *salt,
+ krb5_data *params,
krb5_keyblock *as_key,
void *gak_data)
{
@@ -115,3 +142,57 @@ cleanup:
return(ret);
}
+krb5_error_code KRB5_CALLCONV
+krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options,
+ krb5_address *const *addrs, krb5_enctype *ktypes,
+ krb5_preauthtype *pre_auth_types,
+ krb5_keytab arg_keytab, krb5_ccache ccache,
+ krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
+{
+ krb5_error_code retval;
+ krb5_get_init_creds_opt opt;
+ char * server = NULL;
+ krb5_keytab keytab;
+ krb5_principal client_princ, server_princ;
+
+ krb5int_populate_gic_opt(context, &opt,
+ options, addrs, ktypes,
+ pre_auth_types);
+ if (arg_keytab == NULL) {
+ retval = krb5_kt_default(context, &keytab);
+ if (retval)
+ return retval;
+ }
+ else keytab = arg_keytab;
+
+ retval = krb5_unparse_name( context, creds->server, &server);
+ if (retval)
+ goto cleanup;
+ server_princ = creds->server;
+ client_princ = creds->client;
+ retval = krb5_get_init_creds (context,
+ creds, creds->client,
+ krb5_prompter_posix, NULL,
+ 0, server, &opt,
+ krb5_get_as_key_keytab, (void *)keytab,
+ 0, ret_as_reply);
+ krb5_free_unparsed_name( context, server);
+ if (retval) {
+ goto cleanup;
+ }
+ if (creds->server)
+ krb5_free_principal( context, creds->server);
+ if (creds->client)
+ krb5_free_principal( context, creds->client);
+ creds->client = client_princ;
+ creds->server = server_princ;
+
+ /* store it in the ccache! */
+ if (ccache)
+ if ((retval = krb5_cc_store_cred(context, ccache, creds)))
+ goto cleanup;
+ cleanup: if (arg_keytab == NULL)
+ krb5_kt_close(context, keytab);
+ return retval;
+}
+
diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c
index 7b5e0ba..fdd7c51 100644
--- a/src/lib/krb5/krb/gic_pwd.c
+++ b/src/lib/krb5/krb/gic_pwd.c
@@ -9,6 +9,7 @@ krb5_get_as_key_password(
krb5_prompter_fct prompter,
void *prompter_data,
krb5_data *salt,
+ krb5_data *params,
krb5_keyblock *as_key,
void *gak_data)
{
@@ -42,7 +43,7 @@ krb5_get_as_key_password(
return(EIO);
if ((ret = krb5_unparse_name(context, client, &clientstr)))
- return(ret);
+ return(ret);
strcpy(promptstr, "Password for ");
strncat(promptstr, clientstr, sizeof(promptstr)-strlen(promptstr)-1);
@@ -74,7 +75,8 @@ krb5_get_as_key_password(
defsalt.length = 0;
}
- ret = krb5_c_string_to_key(context, etype, password, salt, as_key);
+ ret = krb5_c_string_to_key_with_params(context, etype, password, salt,
+ params->data?params:NULL, as_key);
if (defsalt.length)
krb5_xfree(defsalt.data);
@@ -158,7 +160,8 @@ krb5_get_init_creds_password(krb5_context context, krb5_creds *creds, krb5_princ
slave we were able to contact */
if ((ret2 == KRB5_KDC_UNREACH) ||
- (ret2 == KRB5_REALM_CANT_RESOLVE))
+ (ret2 == KRB5_REALM_CANT_RESOLVE) ||
+ (ret2 == KRB5_REALM_UNKNOWN))
goto cleanup;
ret = ret2;
@@ -366,3 +369,109 @@ cleanup:
return(ret);
}
+void krb5int_populate_gic_opt (
+ krb5_context context, krb5_get_init_creds_opt *opt,
+ krb5_flags options, krb5_address * const *addrs, krb5_enctype *ktypes,
+ krb5_preauthtype *pre_auth_types)
+{
+ int i;
+ krb5_get_init_creds_opt_init(opt);
+ if (addrs)
+ krb5_get_init_creds_opt_set_address_list(opt, (krb5_address **) addrs);
+ if (ktypes) {
+ for (i=0; ktypes[i]; i++);
+ if (i)
+ krb5_get_init_creds_opt_set_etype_list(opt, ktypes, i);
+ }
+ if (pre_auth_types) {
+ for (i=0; pre_auth_types[i]; i++);
+ if (i)
+ krb5_get_init_creds_opt_set_preauth_list(opt, pre_auth_types, i);
+ }
+ if (options&KDC_OPT_FORWARDABLE)
+ krb5_get_init_creds_opt_set_forwardable(opt, 1);
+ else krb5_get_init_creds_opt_set_forwardable(opt, 0);
+ if (options&KDC_OPT_PROXIABLE)
+ krb5_get_init_creds_opt_set_proxiable(opt, 1);
+ else krb5_get_init_creds_opt_set_proxiable(opt, 0);
+
+
+}
+
+/*
+ Rewrites get_in_tkt in terms of newer get_init_creds API.
+ Attempts to get an initial ticket for creds->client to use server
+ creds->server, (realm is taken from creds->client), with options
+ options, and using creds->times.starttime, creds->times.endtime,
+ creds->times.renew_till as from, till, and rtime.
+ creds->times.renew_till is ignored unless the RENEWABLE option is requested.
+
+ If addrs is non-NULL, it is used for the addresses requested. If it is
+ null, the system standard addresses are used.
+
+ If password is non-NULL, it is converted using the cryptosystem entry
+ point for a string conversion routine, seeded with the client's name.
+ If password is passed as NULL, the password is read from the terminal,
+ and then converted into a key.
+
+ A succesful call will place the ticket in the credentials cache ccache.
+
+ returns system errors, encryption errors
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options,
+ krb5_address *const *addrs, krb5_enctype *ktypes,
+ krb5_preauthtype *pre_auth_types,
+ const char *password, krb5_ccache ccache,
+ krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
+{
+ krb5_error_code retval;
+ krb5_data pw0;
+ char pw0array[1024];
+ krb5_get_init_creds_opt opt;
+ char * server;
+ krb5_principal server_princ, client_princ;
+
+ pw0array[0] = '\0';
+ pw0.data = pw0array;
+ if (password) {
+ pw0.length = strlen(password);
+ if (pw0.length > sizeof(pw0array))
+ return EINVAL;
+ strncpy(pw0.data, password, sizeof(pw0array));
+ if (pw0.length == 0)
+ pw0.length = sizeof(pw0array);
+ } else {
+ pw0.length = sizeof(pw0array);
+ }
+ krb5int_populate_gic_opt(context, &opt,
+ options, addrs, ktypes,
+ pre_auth_types);
+ retval = krb5_unparse_name( context, creds->server, &server);
+ if (retval)
+ return (retval);
+ server_princ = creds->server;
+ client_princ = creds->client;
+ retval = krb5_get_init_creds (context,
+ creds, creds->client,
+ krb5_prompter_posix, NULL,
+ 0, server, &opt,
+ krb5_get_as_key_password, &pw0,
+ 0, ret_as_reply);
+ krb5_free_unparsed_name( context, server);
+ if (retval) {
+ return (retval);
+ }
+ if (creds->server)
+ krb5_free_principal( context, creds->server);
+ if (creds->client)
+ krb5_free_principal( context, creds->client);
+ creds->client = client_princ;
+ creds->server = server_princ;
+ /* store it in the ccache! */
+ if (ccache)
+ if ((retval = krb5_cc_store_cred(context, ccache, creds)))
+ return (retval);
+ return retval;
+ }
+
diff --git a/src/lib/krb5/krb/in_tkt_ktb.c b/src/lib/krb5/krb/in_tkt_ktb.c
deleted file mode 100644
index db4f3b4..0000000
--- a/src/lib/krb5/krb/in_tkt_ktb.c
+++ /dev/null
@@ -1,125 +0,0 @@
-/*
- * lib/krb5/krb/in_tkt_ktb.c
- *
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * krb5_get_in_tkt_with_keytab()
- *
- */
-
-#include "k5-int.h"
-
-struct keytab_keyproc_arg {
- krb5_keytab keytab;
- krb5_principal client;
-};
-
-/*
- * Key-generator for in_tkt_keytab, below.
- * "keyseed" is actually a krb5_keytab, or NULL if we should fetch
- * from system area.
- */
-static krb5_error_code keytab_keyproc
- (krb5_context,
- const krb5_enctype,
- krb5_data *,
- krb5_const_pointer,
- krb5_keyblock **);
-
-static krb5_error_code
-keytab_keyproc(krb5_context context, krb5_enctype type, krb5_data *salt,
- krb5_const_pointer keyseed, krb5_keyblock **key)
-{
- const struct keytab_keyproc_arg * arg =
- (const struct keytab_keyproc_arg *)keyseed;
- krb5_keyblock *realkey;
- krb5_error_code retval = 0;
- krb5_keytab kt_id;
- krb5_keytab_entry kt_ent;
-
- kt_id = arg->keytab;
-
- if (!krb5_c_valid_enctype(type))
- return KRB5_PROG_ETYPE_NOSUPP;
-
- if (kt_id == NULL)
- /* Fetch from default keytab location */
- if ((retval = krb5_kt_default(context, &kt_id)))
- return retval;
-
-
- if ((retval = krb5_kt_get_entry(context, kt_id, arg->client,
- 0, /* don't have vno available */
- type, &kt_ent)))
- goto cleanup;
-
- if ((retval = krb5_copy_keyblock(context, &kt_ent.key, &realkey))) {
- (void) krb5_kt_free_entry(context, &kt_ent);
- goto cleanup;
- }
-
- (void) krb5_kt_free_entry(context, &kt_ent);
- *key = realkey;
-
-cleanup:
- if (! arg->keytab)
- krb5_kt_close(context, kt_id);
- return retval;
-}
-
-/*
- Similar to krb5_get_in_tkt_with_skey.
-
- Attempts to get an initial ticket for creds->client to use server
- creds->server, (realm is taken from creds->client), with options
- options, and using creds->times.starttime, creds->times.endtime,
- creds->times.renew_till as from, till, and rtime.
- creds->times.renew_till is ignored unless the RENEWABLE option is requested.
-
- If addrs is non-NULL, it is used for the addresses requested. If it is
- null, the system standard addresses are used.
-
- A succesful call will place the ticket in the credentials cache ccache.
-
- returns system errors, encryption errors
-
- */
-krb5_error_code KRB5_CALLCONV
-krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options,
- krb5_address *const *addrs, krb5_enctype *ktypes,
- krb5_preauthtype *pre_auth_types,
- krb5_keytab keytab, krb5_ccache ccache,
- krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
-{
- struct keytab_keyproc_arg arg;
-
- arg.keytab = keytab;
- arg.client = creds->client;
-
- return(krb5_get_in_tkt(context, options, addrs, ktypes,
- pre_auth_types,
- keytab_keyproc, (krb5_pointer)&arg,
- krb5_kdc_rep_decrypt_proc, 0, creds,
- ccache, ret_as_reply));
-}
diff --git a/src/lib/krb5/krb/in_tkt_pwd.c b/src/lib/krb5/krb/in_tkt_pwd.c
deleted file mode 100644
index 1d9ad2e..0000000
--- a/src/lib/krb5/krb/in_tkt_pwd.c
+++ /dev/null
@@ -1,123 +0,0 @@
-/*
- * lib/krb5/krb/in_tkt_pwd.c
- *
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * krb5_get_in_tkt_with_password()
- */
-
-#include "k5-int.h"
-
-extern char *krb5_default_pwd_prompt1;
-
-/*
- * key-producing procedure for use by krb5_get_in_tkt_with_password.
- */
-static krb5_error_code pwd_keyproc
- (krb5_context,
- const krb5_enctype,
- krb5_data *,
- krb5_const_pointer,
- krb5_keyblock **);
-
-static krb5_error_code
-pwd_keyproc(krb5_context context, krb5_enctype type, krb5_data *salt,
- krb5_const_pointer keyseed, krb5_keyblock **key)
-{
- krb5_error_code retval;
- krb5_data * password;
- unsigned int pwsize;
-
- password = (krb5_data *)keyseed;
-
- if (!password->length) {
- pwsize = BUFSIZ;
- if ((password->data = malloc(pwsize)) == NULL)
- return ENOMEM;
-
- if ((retval = krb5_read_password(context, krb5_default_pwd_prompt1, 0,
- password->data, &pwsize))) {
- return retval;
- }
- password->length = pwsize;
- }
-
- if (!(*key = (krb5_keyblock *)malloc(sizeof(**key))))
- return ENOMEM;
-
- if ((retval = krb5_c_string_to_key(context, type, password, salt, *key)))
- krb5_xfree(*key);
-
- return(retval);
-}
-
-/*
- Attempts to get an initial ticket for creds->client to use server
- creds->server, (realm is taken from creds->client), with options
- options, and using creds->times.starttime, creds->times.endtime,
- creds->times.renew_till as from, till, and rtime.
- creds->times.renew_till is ignored unless the RENEWABLE option is requested.
-
- If addrs is non-NULL, it is used for the addresses requested. If it is
- null, the system standard addresses are used.
-
- If password is non-NULL, it is converted using the cryptosystem entry
- point for a string conversion routine, seeded with the client's name.
- If password is passed as NULL, the password is read from the terminal,
- and then converted into a key.
-
- A succesful call will place the ticket in the credentials cache ccache.
-
- returns system errors, encryption errors
- */
-krb5_error_code KRB5_CALLCONV
-krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options,
- krb5_address *const *addrs, krb5_enctype *ktypes,
- krb5_preauthtype *pre_auth_types,
- const char *password, krb5_ccache ccache,
- krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
-{
- krb5_error_code retval;
- krb5_data data;
-
-
- if ((data.data = (char *)password)) {
- data.length = strlen(password);
- } else {
- data.length = 0;
- }
-
- retval = krb5_get_in_tkt(context, options, addrs, ktypes, pre_auth_types,
- pwd_keyproc, (krb5_pointer) &data,
- krb5_kdc_rep_decrypt_proc, 0,
- creds, ccache, ret_as_reply);
-
- if ((password == NULL) && (data.data)) {
- memset(data.data, 0, strlen(data.data));
- free(data.data);
- }
-
- return retval;
-}
-
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index 59b6123..7ff983c 100644
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -1,7 +1,7 @@
/*
* lib/krb5/krb/init_ctx.c
*
- * Copyright 1994,1999,2000, 2002 by the Massachusetts Institute of Technology.
+ * Copyright 1994,1999,2000, 2002, 2003 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -65,9 +65,14 @@
them. This'll be fixed, but for better compatibility, let's prefer
des-crc for now. */
#define DEFAULT_ETYPE_LIST \
+ "aes256-cts-hmac-sha1-96 " \
"des3-cbc-sha1 arcfour-hmac-md5 " \
"des-cbc-crc des-cbc-md5 des-cbc-md4 "
+/* Not included:
+ "aes128-cts-hmac-sha1-96 " \
+ */
+
#if (defined(_WIN32))
extern krb5_error_code krb5_vercheck();
extern void krb5_win_ccdll_load(krb5_context context);
@@ -142,6 +147,13 @@ init_common (krb5_context *context, krb5_boolean secure)
if ((retval = krb5_set_default_tgs_ktypes(ctx, NULL)))
goto cleanup;
+ ctx->conf_tgs_ktypes = calloc(ctx->tgs_ktype_count, sizeof(krb5_enctype));
+ if (ctx->conf_tgs_ktypes == NULL && ctx->tgs_ktype_count != 0)
+ goto cleanup;
+ memcpy(ctx->conf_tgs_ktypes, ctx->tgs_ktypes,
+ sizeof(krb5_enctype) * ctx->tgs_ktype_count);
+ ctx->conf_tgs_ktypes_count = ctx->tgs_ktype_count;
+
if ((retval = krb5_os_init_context(ctx)))
goto cleanup;
@@ -189,11 +201,7 @@ init_common (krb5_context *context, krb5_boolean secure)
"kdc_default_options", 0,
KDC_OPT_RENEWABLE_OK, &tmp);
ctx->kdc_default_options = tmp;
-#if TARGET_OS_MAC
#define DEFAULT_KDC_TIMESYNC 1
-#else
-#define DEFAULT_KDC_TIMESYNC 0
-#endif
profile_get_integer(ctx->profile, "libdefaults",
"kdc_timesync", 0, DEFAULT_KDC_TIMESYNC,
&tmp);
@@ -207,16 +215,13 @@ init_common (krb5_context *context, krb5_boolean secure)
* Note: DCE 1.0.3a only supports a cache type of 1
* DCE 1.1 supports a cache type of 2.
*/
-#if TARGET_OS_MAC
#define DEFAULT_CCACHE_TYPE 4
-#else
-#define DEFAULT_CCACHE_TYPE 3
-#endif
profile_get_integer(ctx->profile, "libdefaults", "ccache_type",
0, DEFAULT_CCACHE_TYPE, &tmp);
ctx->fcc_default_format = tmp + 0x0500;
ctx->scc_default_format = tmp + 0x0500;
ctx->prompt_types = 0;
+ ctx->use_conf_ktypes = 0;
ctx->udp_pref_limit = -1;
*context = ctx;
@@ -243,6 +248,11 @@ krb5_free_context(krb5_context ctx)
ctx->tgs_ktypes = 0;
}
+ if (ctx->conf_tgs_ktypes) {
+ free(ctx->conf_tgs_ktypes);
+ ctx->conf_tgs_ktypes = 0;
+ }
+
if (ctx->default_realm) {
free(ctx->default_realm);
ctx->default_realm = 0;
@@ -291,7 +301,8 @@ krb5_set_default_in_tkt_ktypes(krb5_context context, const krb5_enctype *ktypes)
}
static krb5_error_code
-get_profile_etype_list(krb5_context context, krb5_enctype **ktypes, char *profstr, int ctx_count, krb5_enctype *ctx_list)
+get_profile_etype_list(krb5_context context, krb5_enctype **ktypes, char *profstr,
+ int ctx_count, krb5_enctype *ctx_list)
{
krb5_enctype *old_ktypes;
@@ -426,12 +437,19 @@ krb5_error_code
KRB5_CALLCONV
krb5_get_tgs_ktypes(krb5_context context, krb5_const_principal princ, krb5_enctype **ktypes)
{
- return(get_profile_etype_list(context, ktypes, "default_tgs_enctypes",
- context->tgs_ktype_count,
- context->tgs_ktypes));
+ if (context->use_conf_ktypes)
+ /* This one is set *only* by reading the config file; it's not
+ set by the application. */
+ return(get_profile_etype_list(context, ktypes, "default_tgs_enctypes",
+ context->conf_tgs_ktypes_count,
+ context->conf_tgs_ktypes));
+ else
+ return(get_profile_etype_list(context, ktypes, "default_tgs_enctypes",
+ context->tgs_ktype_count,
+ context->tgs_ktypes));
}
-krb5_error_code
+krb5_error_code KRB5_CALLCONV
krb5_get_permitted_enctypes(krb5_context context, krb5_enctype **ktypes)
{
return(get_profile_etype_list(context, ktypes, "permitted_enctypes",
diff --git a/src/lib/krb5/krb/kfree.c b/src/lib/krb5/krb/kfree.c
index 46d485d..4700439 100644
--- a/src/lib/krb5/krb/kfree.c
+++ b/src/lib/krb5/krb/kfree.c
@@ -246,6 +246,7 @@ void krb5_free_etype_info(krb5_context context, krb5_etype_info info)
for(i=0; info[i] != NULL; i++) {
if (info[i]->salt)
free(info[i]->salt);
+ krb5_free_data_contents( context, &info[i]->s2kparams);
free(info[i]);
}
free(info);
@@ -429,14 +430,20 @@ krb5_free_pwd_data(krb5_context context, krb5_pwd_data *val)
void KRB5_CALLCONV
krb5_free_pwd_sequences(krb5_context context, passwd_phrase_element **val)
{
- if ((*val)->passwd) {
- krb5_xfree((*val)->passwd);
- (*val)->passwd = 0;
- }
- if ((*val)->phrase) {
- krb5_xfree((*val)->phrase);
- (*val)->phrase = 0;
+ register passwd_phrase_element **temp;
+
+ for (temp = val; *temp; temp++) {
+ if ((*temp)->passwd) {
+ krb5_free_data(context, (*temp)->passwd);
+ (*temp)->passwd = 0;
+ }
+ if ((*temp)->phrase) {
+ krb5_free_data(context, (*temp)->phrase);
+ (*temp)->phrase = 0;
+ }
+ krb5_xfree(*temp);
}
+ krb5_xfree(val);
}
diff --git a/src/lib/krb5/krb/mk_cred.c b/src/lib/krb5/krb/mk_cred.c
index 6389298..04248c0 100644
--- a/src/lib/krb5/krb/mk_cred.c
+++ b/src/lib/krb5/krb/mk_cred.c
@@ -182,9 +182,8 @@ krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context, krb5_creds *
memset(pcred->tickets, 0, sizeof(krb5_ticket *) * (ncred +1));
/* Get keyblock */
- if ((keyblock = auth_context->local_subkey) == NULL)
- if ((keyblock = auth_context->remote_subkey) == NULL)
- keyblock = auth_context->keyblock;
+ if ((keyblock = auth_context->send_subkey) == NULL)
+ keyblock = auth_context->keyblock;
/* Get replay info */
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
diff --git a/src/lib/krb5/krb/mk_priv.c b/src/lib/krb5/krb/mk_priv.c
index 196b6ee..efe254a 100644
--- a/src/lib/krb5/krb/mk_priv.c
+++ b/src/lib/krb5/krb/mk_priv.c
@@ -119,9 +119,8 @@ krb5_mk_priv(krb5_context context, krb5_auth_context auth_context,
memset((char *) &replaydata, 0, sizeof(krb5_replay_data));
/* Get keyblock */
- if ((keyblock = auth_context->local_subkey) == NULL)
- if ((keyblock = auth_context->remote_subkey) == NULL)
- keyblock = auth_context->keyblock;
+ if ((keyblock = auth_context->send_subkey) == NULL)
+ keyblock = auth_context->keyblock;
/* Get replay info */
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
diff --git a/src/lib/krb5/krb/mk_rep.c b/src/lib/krb5/krb/mk_rep.c
index 31f3fe5..393f634 100644
--- a/src/lib/krb5/krb/mk_rep.c
+++ b/src/lib/krb5/krb/mk_rep.c
@@ -59,7 +59,14 @@ krb5_mk_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *out
repl.ctime = auth_context->authentp->ctime;
repl.cusec = auth_context->authentp->cusec;
- repl.subkey = auth_context->authentp->subkey;
+ if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_USE_SUBKEY) {
+ retval = krb5int_generate_and_save_subkey (context, auth_context,
+ auth_context->keyblock);
+ if (retval)
+ return retval;
+ repl.subkey = auth_context->send_subkey;
+ } else
+ repl.subkey = auth_context->authentp->subkey;
repl.seq_number = auth_context->local_seq_number;
/* encode it before encrypting */
diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c
index 1ed14a9..cdb8f69 100644
--- a/src/lib/krb5/krb/mk_req_ext.c
+++ b/src/lib/krb5/krb/mk_req_ext.c
@@ -68,7 +68,39 @@ static krb5_error_code
krb5_generate_authenticator (krb5_context,
krb5_authenticator *, krb5_principal,
krb5_checksum *, krb5_keyblock *,
- krb5_int32, krb5_authdata ** );
+ krb5_ui_4, krb5_authdata ** );
+
+krb5_error_code
+krb5int_generate_and_save_subkey (krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_keyblock *keyblock)
+{
+ /* Provide some more fodder for random number code.
+ This isn't strong cryptographically; the point here is not
+ to guarantee randomness, but to make it less likely that multiple
+ sessions could pick the same subkey. */
+ struct {
+ krb5_int32 sec, usec;
+ } rnd_data;
+ krb5_data d;
+ krb5_error_code retval;
+
+ krb5_crypto_us_timeofday (&rnd_data.sec, &rnd_data.usec);
+ d.length = sizeof (rnd_data);
+ d.data = (char *) &rnd_data;
+ (void) krb5_c_random_add_entropy (context, KRB5_C_RANDSOURCE_TIMING, &d);
+
+ if ((retval = krb5_generate_subkey(context, keyblock, &auth_context->send_subkey)))
+ return retval;
+ retval = krb5_copy_keyblock(context, auth_context->send_subkey,
+ &auth_context->recv_subkey);
+ if (retval) {
+ krb5_free_keyblock(context, auth_context->send_subkey);
+ auth_context->send_subkey = NULL;
+ return retval;
+ }
+ return 0;
+}
krb5_error_code KRB5_CALLCONV
krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
@@ -130,22 +162,10 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
goto cleanup;
}
- if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->local_subkey)) {
- /* Provide some more fodder for random number code.
- This isn't strong cryptographically; the point here is not
- to guarantee randomness, but to make it less likely that multiple
- sessions could pick the same subkey. */
- struct {
- krb5_int32 sec, usec;
- } rnd_data;
- krb5_data d;
- krb5_crypto_us_timeofday (&rnd_data.sec, &rnd_data.usec);
- d.length = sizeof (rnd_data);
- d.data = (char *) &rnd_data;
- (void) krb5_c_random_add_entropy (context, KRB5_C_RANDSOURCE_TIMING, &d);
-
- if ((retval = krb5_generate_subkey(context, &(in_creds)->keyblock,
- &(*auth_context)->local_subkey)))
+ if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->send_subkey)) {
+ retval = krb5int_generate_and_save_subkey (context, *auth_context,
+ &in_creds->keyblock);
+ if (retval)
goto cleanup;
}
@@ -178,7 +198,7 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
if ((retval = krb5_generate_authenticator(context,
(*auth_context)->authentp,
(in_creds)->client, checksump,
- (*auth_context)->local_subkey,
+ (*auth_context)->send_subkey,
(*auth_context)->local_seq_number,
(in_creds)->authdata)))
goto cleanup_cksum;
@@ -232,7 +252,7 @@ cleanup:
}
static krb5_error_code
-krb5_generate_authenticator(krb5_context context, krb5_authenticator *authent, krb5_principal client, krb5_checksum *cksum, krb5_keyblock *key, krb5_int32 seq_number, krb5_authdata **authorization)
+krb5_generate_authenticator(krb5_context context, krb5_authenticator *authent, krb5_principal client, krb5_checksum *cksum, krb5_keyblock *key, krb5_ui_4 seq_number, krb5_authdata **authorization)
{
krb5_error_code retval;
diff --git a/src/lib/krb5/krb/mk_safe.c b/src/lib/krb5/krb/mk_safe.c
index 992a456..eefcab7 100644
--- a/src/lib/krb5/krb/mk_safe.c
+++ b/src/lib/krb5/krb/mk_safe.c
@@ -120,9 +120,8 @@ krb5_mk_safe(krb5_context context, krb5_auth_context auth_context, const krb5_da
memset((char *) &replaydata, 0, sizeof(krb5_replay_data));
/* Get keyblock */
- if ((keyblock = auth_context->local_subkey) == NULL)
- if ((keyblock = auth_context->remote_subkey) == NULL)
- keyblock = auth_context->keyblock;
+ if ((keyblock = auth_context->send_subkey) == NULL)
+ keyblock = auth_context->keyblock;
/* Get replay info */
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
diff --git a/src/lib/krb5/krb/parse.c b/src/lib/krb5/krb/parse.c
index abbcfbe..3debb6a 100644
--- a/src/lib/krb5/krb/parse.c
+++ b/src/lib/krb5/krb/parse.c
@@ -170,11 +170,13 @@ krb5_parse_name(krb5_context context, const char *name, krb5_principal *nprincip
cp++;
size++;
} else if (c == COMPONENT_SEP) {
- krb5_princ_component(context, principal, i)->length = size;
+ if (krb5_princ_size(context, principal) > i)
+ krb5_princ_component(context, principal, i)->length = size;
size = 0;
i++;
} else if (c == REALM_SEP) {
- krb5_princ_component(context, principal, i)->length = size;
+ if (krb5_princ_size(context, principal) > i)
+ krb5_princ_component(context, principal, i)->length = size;
size = 0;
parsed_realm = cp+1;
} else
@@ -183,7 +185,8 @@ krb5_parse_name(krb5_context context, const char *name, krb5_principal *nprincip
if (parsed_realm)
krb5_princ_realm(context, principal)->length = size;
else
- krb5_princ_component(context, principal, i)->length = size;
+ if (krb5_princ_size(context, principal) > i)
+ krb5_princ_component(context, principal, i)->length = size;
if (i + 1 != components) {
#if !defined(_WIN32) && !defined(macintosh)
fprintf(stderr,
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index e50440e..6238a82 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -35,7 +35,7 @@ typedef krb5_error_code (*pa_function)(krb5_context,
krb5_kdc_req *request,
krb5_pa_data *in_padata,
krb5_pa_data **out_padata,
- krb5_data *salt,
+ krb5_data *salt, krb5_data *s2kparams,
krb5_enctype *etype,
krb5_keyblock *as_key,
krb5_prompter_fct prompter_fct,
@@ -57,7 +57,7 @@ krb5_error_code pa_salt(krb5_context context,
krb5_kdc_req *request,
krb5_pa_data *in_padata,
krb5_pa_data **out_padata,
- krb5_data *salt,
+ krb5_data *salt, krb5_data *s2kparams,
krb5_enctype *etype,
krb5_keyblock *as_key,
krb5_prompter_fct prompter, void *prompter_data,
@@ -65,22 +65,11 @@ krb5_error_code pa_salt(krb5_context context,
{
krb5_data tmp;
- /* screw the abstraction. If there was a *reasonable* copy_data,
- I'd use it. But I'm inside the library, which is the twilight
- zone of source code, so I can do anything. */
-
+ tmp.data = in_padata->contents;
tmp.length = in_padata->length;
- if (tmp.length) {
- if ((tmp.data = malloc(tmp.length)) == NULL)
- return ENOMEM;
- memcpy(tmp.data, in_padata->contents, tmp.length);
- } else {
- tmp.data = NULL;
- }
-
- *salt = tmp;
-
- /* assume that no other salt was allocated */
+ krb5_free_data_contents(context, salt);
+ krb5int_copy_data_contents(context, &tmp, salt);
+
if (in_padata->pa_type == KRB5_PADATA_AFS3_SALT)
salt->length = SALT_TYPE_AFS_LENGTH;
@@ -94,6 +83,7 @@ krb5_error_code pa_enc_timestamp(krb5_context context,
krb5_pa_data *in_padata,
krb5_pa_data **out_padata,
krb5_data *salt,
+ krb5_data *s2kparams,
krb5_enctype *etype,
krb5_keyblock *as_key,
krb5_prompter_fct prompter,
@@ -119,7 +109,7 @@ krb5_error_code pa_enc_timestamp(krb5_context context,
if ((ret = ((*gak_fct)(context, request->client,
*etype ? *etype : request->ktype[0],
prompter, prompter_data,
- salt, as_key, gak_data))))
+ salt, s2kparams, as_key, gak_data))))
return(ret);
}
@@ -233,6 +223,7 @@ krb5_error_code pa_sam(krb5_context context,
krb5_pa_data *in_padata,
krb5_pa_data **out_padata,
krb5_data *salt,
+ krb5_data *s2kparams,
krb5_enctype *etype,
krb5_keyblock *as_key,
krb5_prompter_fct prompter,
@@ -283,7 +274,7 @@ krb5_error_code pa_sam(krb5_context context,
*etype = ENCTYPE_DES_CBC_CRC;
if ((ret = (gak_fct)(context, request->client, *etype, prompter,
- prompter_data, salt, as_key, gak_data)))
+ prompter_data, salt, s2kparams, as_key, gak_data)))
return(ret);
}
sprintf(name, "%.*s",
@@ -472,6 +463,7 @@ krb5_error_code pa_sam_2(krb5_context context,
krb5_pa_data *in_padata,
krb5_pa_data **out_padata,
krb5_data *salt,
+ krb5_data *s2kparams,
krb5_enctype *etype,
krb5_keyblock *as_key,
krb5_prompter_fct prompter,
@@ -542,7 +534,7 @@ krb5_error_code pa_sam_2(krb5_context context,
retval = (gak_fct)(context, request->client,
sc2b->sam_etype, prompter,
- prompter_data, salt, as_key, gak_data);
+ prompter_data, salt, s2kparams, as_key, gak_data);
if (retval) {
krb5_free_sam_challenge_2(context, sc2);
krb5_free_sam_challenge_2_body(context, sc2b);
@@ -827,87 +819,19 @@ static const pa_types_t pa_types[] = {
},
};
-static void
-sort_etype_info(krb5_context context, krb5_kdc_req *request,
- krb5_etype_info_entry **etype_info)
-{
-/* Originally adapted from a proposed solution in ticket 1006. This
- * solution is not efficient, but implementing an efficient sort
- * with a comparison function based on order in the kdc request would
- * be difficult.*/
- krb5_etype_info_entry *tmp;
- int i, j, e;
- krb5_boolean similar;
-
- if (etype_info == NULL)
- return;
-
- /* First, move up etype_info_entries whose enctype exactly matches a
- * requested enctype.
- */
- e = 0;
- for ( i = 0 ; i < request->nktypes && etype_info[e] != NULL ; i++ )
- {
- if (request->ktype[i] == etype_info[e]->etype)
- {
- e++;
- continue;
- }
- for ( j = e+1 ; etype_info[j] ; j++ )
- if (request->ktype[i] == etype_info[j]->etype)
- break;
- if (etype_info[j] == NULL)
- continue;
-
- tmp = etype_info[j];
- etype_info[j] = etype_info[e];
- etype_info[e] = tmp;
- e++;
- }
-
- /* Then move up etype_info_entries whose enctype is similar to a
- * requested enctype.
- */
- for ( i = 0 ; i < request->nktypes && etype_info[e] != NULL ; i++ )
- {
- if (krb5_c_enctype_compare(context, request->ktype[i], etype_info[e]->etype, &similar) != 0)
- continue;
-
- if (similar)
- {
- e++;
- continue;
- }
- for ( j = e+1 ; etype_info[j] ; j++ )
- {
- if (krb5_c_enctype_compare(context, request->ktype[i], etype_info[j]->etype, &similar) != 0)
- continue;
-
- if (similar)
- break;
- }
- if (etype_info[j] == NULL)
- continue;
-
- tmp = etype_info[j];
- etype_info[j] = etype_info[e];
- etype_info[e] = tmp;
- e++;
- }
-}
-
-
krb5_error_code
krb5_do_preauth(krb5_context context,
krb5_kdc_req *request,
krb5_pa_data **in_padata, krb5_pa_data ***out_padata,
- krb5_data *salt, krb5_enctype *etype,
+ krb5_data *salt, krb5_data *s2kparams,
+ krb5_enctype *etype,
krb5_keyblock *as_key,
krb5_prompter_fct prompter, void *prompter_data,
krb5_gic_get_as_key_fct gak_fct, void *gak_data)
{
int h, i, j, out_pa_list_size;
- krb5_pa_data *out_pa, **out_pa_list;
+ int seen_etype_info2 = 0;
+ krb5_pa_data *out_pa = NULL, **out_pa_list = NULL;
krb5_data scratch;
krb5_etype_info etype_info = NULL;
krb5_error_code ret;
@@ -938,6 +862,7 @@ krb5_do_preauth(krb5_context context,
for (h=0; h<(sizeof(paorder)/sizeof(paorder[0])); h++) {
realdone = 0;
for (i=0; in_padata[i] && !realdone; i++) {
+ int k, l, etype_found, valid_etype_found;
/*
* This is really gross, but is necessary to prevent
* lossge when talking to a 1.0.x KDC, which returns an
@@ -946,27 +871,81 @@ krb5_do_preauth(krb5_context context,
*/
switch (in_padata[i]->pa_type) {
case KRB5_PADATA_ETYPE_INFO:
- if (etype_info)
- continue;
+ case KRB5_PADATA_ETYPE_INFO2:
+ {
+ krb5_preauthtype pa_type = in_padata[i]->pa_type;
+ if (etype_info) {
+ if (seen_etype_info2 || pa_type != KRB5_PADATA_ETYPE_INFO2)
+ continue;
+ if (pa_type == KRB5_PADATA_ETYPE_INFO2) {
+ krb5_free_etype_info( context, etype_info);
+ etype_info = NULL;
+ }
+ }
+
scratch.length = in_padata[i]->length;
scratch.data = (char *) in_padata[i]->contents;
- ret = decode_krb5_etype_info(&scratch, &etype_info);
+ if (pa_type == KRB5_PADATA_ETYPE_INFO2) {
+ seen_etype_info2++;
+ ret = decode_krb5_etype_info2(&scratch, &etype_info);
+ }
+ else ret = decode_krb5_etype_info(&scratch, &etype_info);
if (ret) {
- if (out_pa_list) {
- out_pa_list[out_pa_list_size++] = NULL;
- krb5_free_pa_data(context, out_pa_list);
- }
- return ret;
+ ret = 0; /*Ignore error and etype_info element*/
+ krb5_free_etype_info( context, etype_info);
+ etype_info = NULL;
+ continue;
}
if (etype_info[0] == NULL) {
krb5_free_etype_info(context, etype_info);
etype_info = NULL;
break;
}
- sort_etype_info(context, request, etype_info);
- salt->data = (char *) etype_info[0]->salt;
- salt->length = etype_info[0]->length;
- *etype = etype_info[0]->etype;
+ /*
+ * Select first etype in our request which is also in
+ * etype-info (preferring client request ktype order).
+ */
+ for (etype_found = 0, valid_etype_found = 0, k = 0;
+ !etype_found && k < request->nktypes; k++) {
+ for (l = 0; etype_info[l]; l++) {
+ if (etype_info[l]->etype == request->ktype[k]) {
+ etype_found++;
+ break;
+ }
+ /* check if program has support for this etype for more
+ * precise error reporting.
+ */
+ if (valid_enctype(etype_info[l]->etype))
+ valid_etype_found++;
+ }
+ }
+ if (!etype_found) {
+ if (valid_etype_found) {
+ /* supported enctype but not requested */
+ ret = KRB5_CONFIG_ETYPE_NOSUPP;
+ goto cleanup;
+ }
+ else {
+ /* unsupported enctype */
+ ret = KRB5_PROG_ETYPE_NOSUPP;
+ goto cleanup;
+ }
+
+ }
+ scratch.data = (char *) etype_info[l]->salt;
+ scratch.length = etype_info[l]->length;
+ krb5_free_data_contents(context, salt);
+ if (scratch.length == KRB5_ETYPE_NO_SALT)
+ salt->data = NULL;
+ else
+ if ((ret = krb5int_copy_data_contents( context, &scratch, salt)) != 0)
+ goto cleanup;
+ *etype = etype_info[l]->etype;
+ krb5_free_data_contents(context, s2kparams);
+ if ((ret = krb5int_copy_data_contents(context,
+ &etype_info[l]->s2kparams,
+ s2kparams)) != 0)
+ goto cleanup;
#ifdef DEBUG
for (j = 0; etype_info[j]; j++) {
krb5_etype_info_entry *e = etype_info[j];
@@ -978,6 +957,7 @@ krb5_do_preauth(krb5_context context,
}
#endif
break;
+ }
case KRB5_PADATA_PW_SALT:
case KRB5_PADATA_AFS3_SALT:
if (etype_info)
@@ -993,16 +973,10 @@ krb5_do_preauth(krb5_context context,
if ((ret = ((*pa_types[j].fct)(context, request,
in_padata[i], &out_pa,
- salt, etype, as_key,
+ salt, s2kparams, etype, as_key,
prompter, prompter_data,
gak_fct, gak_data)))) {
- if (out_pa_list) {
- out_pa_list[out_pa_list_size++] = NULL;
- krb5_free_pa_data(context, out_pa_list);
- }
- if (etype_info)
- krb5_free_etype_info(context, etype_info);
- return(ret);
+ goto cleanup;
}
if (out_pa) {
@@ -1010,18 +984,22 @@ krb5_do_preauth(krb5_context context,
if ((out_pa_list =
(krb5_pa_data **)
malloc(2*sizeof(krb5_pa_data *)))
- == NULL)
- return(ENOMEM);
+ == NULL) {
+ ret = ENOMEM;
+ goto cleanup;
+ }
} else {
if ((out_pa_list =
(krb5_pa_data **)
realloc(out_pa_list,
(out_pa_list_size+2)*
sizeof(krb5_pa_data *)))
- == NULL)
- /* XXX this will leak the pointers which
+ == NULL) {
+ /* XXX this will leak the pointers which
have already been allocated. oh well. */
- return(ENOMEM);
+ ret = ENOMEM;
+ goto cleanup;
+ }
}
out_pa_list[out_pa_list_size++] = out_pa;
@@ -1037,6 +1015,16 @@ krb5_do_preauth(krb5_context context,
out_pa_list[out_pa_list_size++] = NULL;
*out_padata = out_pa_list;
-
+ if (etype_info)
+ krb5_free_etype_info(context, etype_info);
+
return(0);
+ cleanup:
+ if (out_pa_list) {
+ out_pa_list[out_pa_list_size++] = NULL;
+ krb5_free_pa_data(context, out_pa_list);
+ }
+ if (etype_info)
+ krb5_free_etype_info(context, etype_info);
+ return (ret);
}
diff --git a/src/lib/krb5/krb/rd_cred.c b/src/lib/krb5/krb/rd_cred.c
index 228219f..11be47f 100644
--- a/src/lib/krb5/krb/rd_cred.c
+++ b/src/lib/krb5/krb/rd_cred.c
@@ -33,15 +33,11 @@ decrypt_credencdata(krb5_context context, krb5_cred *pcred, krb5_keyblock *pkeyb
/* now decode the decrypted stuff */
if ((retval = decode_krb5_enc_cred_part(&scratch, &ppart)))
- goto cleanup_encpart;
+ goto cleanup;
*pcredenc = *ppart;
retval = 0;
-cleanup_encpart:
- memset(ppart, 0, sizeof(*ppart));
- krb5_xfree(ppart);
-
cleanup:
memset(scratch.data, 0, scratch.length);
krb5_xfree(scratch.data);
@@ -169,9 +165,8 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context, krb5_data *pc
krb5_replay_data replaydata;
/* Get keyblock */
- if ((keyblock = auth_context->remote_subkey) == NULL)
- if ((keyblock = auth_context->local_subkey) == NULL)
- keyblock = auth_context->keyblock;
+ if ((keyblock = auth_context->recv_subkey) == NULL)
+ keyblock = auth_context->keyblock;
if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
(auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
diff --git a/src/lib/krb5/krb/rd_priv.c b/src/lib/krb5/krb/rd_priv.c
index 8132056..cf74807 100644
--- a/src/lib/krb5/krb/rd_priv.c
+++ b/src/lib/krb5/krb/rd_priv.c
@@ -156,9 +156,8 @@ krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, const krb5_da
krb5_replay_data replaydata;
/* Get keyblock */
- if ((keyblock = auth_context->remote_subkey) == NULL)
- if ((keyblock = auth_context->local_subkey) == NULL)
- keyblock = auth_context->keyblock;
+ if ((keyblock = auth_context->recv_subkey) == NULL)
+ keyblock = auth_context->keyblock;
if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
(auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
@@ -247,7 +246,8 @@ krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, const krb5_da
}
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
- if (auth_context->remote_seq_number != replaydata.seq) {
+ if (!krb5int_auth_con_chkseqnum(context, auth_context,
+ replaydata.seq)) {
retval = KRB5KRB_AP_ERR_BADORDER;
goto error;
}
diff --git a/src/lib/krb5/krb/rd_rep.c b/src/lib/krb5/krb/rd_rep.c
index e35e43f..8019229 100644
--- a/src/lib/krb5/krb/rd_rep.c
+++ b/src/lib/krb5/krb/rd_rep.c
@@ -81,8 +81,24 @@ krb5_rd_rep(krb5_context context, krb5_auth_context auth_context, const krb5_dat
/* Set auth subkey */
if ((*repl)->subkey) {
+ if (auth_context->recv_subkey) {
+ krb5_free_keyblock(context, auth_context->recv_subkey);
+ auth_context->recv_subkey = NULL;
+ }
retval = krb5_copy_keyblock(context, (*repl)->subkey,
- &auth_context->remote_subkey);
+ &auth_context->recv_subkey);
+ if (retval)
+ goto clean_scratch;
+ if (auth_context->send_subkey) {
+ krb5_free_keyblock(context, auth_context->send_subkey);
+ auth_context->send_subkey = NULL;
+ }
+ retval = krb5_copy_keyblock(context, (*repl)->subkey,
+ &auth_context->send_subkey);
+ if (retval) {
+ krb5_free_keyblock(context, auth_context->send_subkey);
+ auth_context->send_subkey = NULL;
+ }
}
/* Get remote sequence number */
diff --git a/src/lib/krb5/krb/rd_req.c b/src/lib/krb5/krb/rd_req.c
index f844e3c..9a2f458 100644
--- a/src/lib/krb5/krb/rd_req.c
+++ b/src/lib/krb5/krb/rd_req.c
@@ -83,7 +83,9 @@ krb5_rd_req(krb5_context context, krb5_auth_context *auth_context, const krb5_da
server = request->ticket->server;
}
/* Get an rcache if necessary. */
- if (((*auth_context)->rcache == NULL) && server) {
+ if (((*auth_context)->rcache == NULL)
+ && ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME)
+&& server) {
if ((retval = krb5_get_server_rcache(context,
krb5_princ_component(context,server,0), &(*auth_context)->rcache)))
goto cleanup_auth_context;
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
index fa126b4..3c398ae 100644
--- a/src/lib/krb5/krb/rd_req_dec.c
+++ b/src/lib/krb5/krb/rd_req_dec.c
@@ -290,10 +290,18 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, c
if ((*auth_context)->authentp->subkey) {
if ((retval = krb5_copy_keyblock(context,
(*auth_context)->authentp->subkey,
- &((*auth_context)->remote_subkey))))
+ &((*auth_context)->recv_subkey))))
goto cleanup;
+ retval = krb5_copy_keyblock(context, (*auth_context)->authentp->subkey,
+ &((*auth_context)->send_subkey));
+ if (retval) {
+ krb5_free_keyblock(context, (*auth_context)->recv_subkey);
+ (*auth_context)->recv_subkey = NULL;
+ goto cleanup;
+ }
} else {
- (*auth_context)->remote_subkey = 0;
+ (*auth_context)->recv_subkey = 0;
+ (*auth_context)->send_subkey = 0;
}
if ((retval = krb5_copy_keyblock(context, req->ticket->enc_part2->session,
diff --git a/src/lib/krb5/krb/rd_safe.c b/src/lib/krb5/krb/rd_safe.c
index 0f6cec2..15dc6dc 100644
--- a/src/lib/krb5/krb/rd_safe.c
+++ b/src/lib/krb5/krb/rd_safe.c
@@ -51,6 +51,7 @@ krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf, const krb5_keyb
{
krb5_error_code retval;
krb5_safe * message;
+ krb5_data safe_body;
krb5_checksum our_cksum, *his_cksum;
krb5_octet zero_octet = 0;
krb5_data *scratch;
@@ -59,7 +60,7 @@ krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf, const krb5_keyb
if (!krb5_is_krb_safe(inbuf))
return KRB5KRB_AP_ERR_MSG_TYPE;
- if ((retval = decode_krb5_safe(inbuf, &message)))
+ if ((retval = decode_krb5_safe_with_body(inbuf, &message, &safe_body)))
return retval;
if (!krb5_c_valid_cksumtype(message->checksum->checksum_type)) {
@@ -113,7 +114,7 @@ krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf, const krb5_keyb
message->checksum = &our_cksum;
- if ((retval = encode_krb5_safe(message, &scratch)))
+ if ((retval = encode_krb5_safe_with_body(message, &safe_body, &scratch)))
goto cleanup;
message->checksum = his_cksum;
@@ -126,8 +127,17 @@ krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf, const krb5_keyb
krb5_free_data(context, scratch);
if (!valid) {
- retval = KRB5KRB_AP_ERR_MODIFIED;
- goto cleanup;
+ /*
+ * Checksum over only the KRB-SAFE-BODY, like RFC 1510 says, in
+ * case someone actually implements it correctly.
+ */
+ retval = krb5_c_verify_checksum(context, keyblock,
+ KRB5_KEYUSAGE_KRB_SAFE_CKSUM,
+ &safe_body, his_cksum, &valid);
+ if (!valid) {
+ retval = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
+ }
}
replaydata->timestamp = message->timestamp;
@@ -161,9 +171,8 @@ krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, const krb5_da
return KRB5_RC_REQUIRED;
/* Get keyblock */
- if ((keyblock = auth_context->remote_subkey) == NULL)
- if ((keyblock = auth_context->local_subkey) == NULL)
- keyblock = auth_context->keyblock;
+ if ((keyblock = auth_context->recv_subkey) == NULL)
+ keyblock = auth_context->keyblock;
{
krb5_address * premote_fulladdr = NULL;
@@ -240,7 +249,8 @@ krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, const krb5_da
}
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
- if (auth_context->remote_seq_number != replaydata.seq) {
+ if (!krb5int_auth_con_chkseqnum(context, auth_context,
+ replaydata.seq)) {
retval = KRB5KRB_AP_ERR_BADORDER;
goto error;
}
diff --git a/src/lib/krb5/krb/ser_actx.c b/src/lib/krb5/krb/ser_actx.c
index a8ec90e..32519e1 100644
--- a/src/lib/krb5/krb/ser_actx.c
+++ b/src/lib/krb5/krb/ser_actx.c
@@ -151,21 +151,21 @@ krb5_auth_context_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
required += sizeof(krb5_int32);
}
- /* Calculate size required by local_subkey, if appropriate */
- if (!kret && auth_context->local_subkey) {
+ /* Calculate size required by send_subkey, if appropriate */
+ if (!kret && auth_context->send_subkey) {
kret = krb5_size_opaque(kcontext,
KV5M_KEYBLOCK,
- (krb5_pointer) auth_context->local_subkey,
+ (krb5_pointer) auth_context->send_subkey,
&required);
if (!kret)
required += sizeof(krb5_int32);
}
- /* Calculate size required by remote_subkey, if appropriate */
- if (!kret && auth_context->remote_subkey) {
+ /* Calculate size required by recv_subkey, if appropriate */
+ if (!kret && auth_context->recv_subkey) {
kret = krb5_size_opaque(kcontext,
KV5M_KEYBLOCK,
- (krb5_pointer) auth_context->remote_subkey,
+ (krb5_pointer) auth_context->recv_subkey,
&required);
if (!kret)
required += sizeof(krb5_int32);
@@ -300,23 +300,23 @@ krb5_auth_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octe
}
/* Now handle subkey, if appropriate */
- if (!kret && auth_context->local_subkey) {
+ if (!kret && auth_context->send_subkey) {
(void) krb5_ser_pack_int32(TOKEN_LSKBLOCK, &bp, &remain);
kret = krb5_externalize_opaque(kcontext,
KV5M_KEYBLOCK,
(krb5_pointer)
- auth_context->local_subkey,
+ auth_context->send_subkey,
&bp,
&remain);
}
/* Now handle subkey, if appropriate */
- if (!kret && auth_context->remote_subkey) {
+ if (!kret && auth_context->recv_subkey) {
(void) krb5_ser_pack_int32(TOKEN_RSKBLOCK, &bp, &remain);
kret = krb5_externalize_opaque(kcontext,
KV5M_KEYBLOCK,
(krb5_pointer)
- auth_context->remote_subkey,
+ auth_context->recv_subkey,
&bp,
&remain);
}
@@ -474,26 +474,26 @@ krb5_auth_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_oc
kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
}
- /* This is the local_subkey */
+ /* This is the send_subkey */
if (!kret && (tag == TOKEN_LSKBLOCK)) {
if (!(kret = krb5_internalize_opaque(kcontext,
KV5M_KEYBLOCK,
(krb5_pointer *)
&auth_context->
- local_subkey,
+ send_subkey,
&bp,
&remain)))
kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
}
- /* This is the remote_subkey */
+ /* This is the recv_subkey */
if (!kret) {
if (tag == TOKEN_RSKBLOCK) {
kret = krb5_internalize_opaque(kcontext,
KV5M_KEYBLOCK,
(krb5_pointer *)
&auth_context->
- remote_subkey,
+ recv_subkey,
&bp,
&remain);
}
diff --git a/src/lib/krb5/krb/serialize.c b/src/lib/krb5/krb/serialize.c
index 7c5f17a..9cbcef7 100644
--- a/src/lib/krb5/krb/serialize.c
+++ b/src/lib/krb5/krb/serialize.c
@@ -174,7 +174,7 @@ krb5_internalize_opaque(krb5_context kcontext, krb5_magic odtype, krb5_pointer *
}
/*
- * krb5_ser_pack_int32() - Pack a 4-byte integer if space is availble.
+ * krb5_ser_pack_int32() - Pack a 4-byte integer if space is available.
* Update buffer pointer and remaining space.
*/
krb5_error_code KRB5_CALLCONV
@@ -194,6 +194,23 @@ krb5_ser_pack_int32(krb5_int32 iarg, krb5_octet **bufp, size_t *remainp)
}
/*
+ * krb5_ser_pack_int64() - Pack an 8-byte integer if space is available.
+ * Update buffer pointer and remaining space.
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_ser_pack_int64(krb5_int64 iarg, krb5_octet **bufp, size_t *remainp)
+{
+ if (*remainp >= sizeof(krb5_int64)) {
+ store_64_be(iarg, (unsigned char *)*bufp);
+ *bufp += sizeof(krb5_int64);
+ *remainp -= sizeof(krb5_int64);
+ return(0);
+ }
+ else
+ return(ENOMEM);
+}
+
+/*
* krb5_ser_pack_bytes() - Pack a string of bytes.
*/
krb5_error_code KRB5_CALLCONV
@@ -229,6 +246,22 @@ krb5_ser_unpack_int32(krb5_int32 *intp, krb5_octet **bufp, size_t *remainp)
}
/*
+ * krb5_ser_unpack_int64() - Unpack an 8-byte integer if it's there.
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_ser_unpack_int64(krb5_int64 *intp, krb5_octet **bufp, size_t *remainp)
+{
+ if (*remainp >= sizeof(krb5_int64)) {
+ *intp = load_64_be((unsigned char *)*bufp);
+ *bufp += sizeof(krb5_int64);
+ *remainp -= sizeof(krb5_int64);
+ return(0);
+ }
+ else
+ return(ENOMEM);
+}
+
+/*
* krb5_ser_unpack_bytes() - Unpack a byte string if it's there.
*/
krb5_error_code KRB5_CALLCONV
diff --git a/src/lib/krb5/krb/srv_rcache.c b/src/lib/krb5/krb/srv_rcache.c
index aa41bc5..e66d2d3 100644
--- a/src/lib/krb5/krb/srv_rcache.c
+++ b/src/lib/krb5/krb/srv_rcache.c
@@ -48,6 +48,9 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece, krb5_rcache
unsigned long uid = geteuid();
#endif
+ if (piece == NULL)
+ return ENOMEM;
+
rcache = (krb5_rcache) malloc(sizeof(*rcache));
if (!rcache)
return ENOMEM;
@@ -58,7 +61,7 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece, krb5_rcache
len = piece->length + 3 + 1;
for (i = 0; i < piece->length; i++) {
- if (piece->data[i] == '\\')
+ if (piece->data[i] == '-')
len++;
else if (!isvalidrcname((int) piece->data[i]))
len += 3;
@@ -78,14 +81,14 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece, krb5_rcache
strcpy(cachename, "rc_");
p = 3;
for (i = 0; i < piece->length; i++) {
- if (piece->data[i] == '\\') {
- cachename[p++] = '\\';
- cachename[p++] = '\\';
+ if (piece->data[i] == '-') {
+ cachename[p++] = '-';
+ cachename[p++] = '-';
continue;
}
if (!isvalidrcname((int) piece->data[i])) {
sprintf(tmp, "%03o", piece->data[i]);
- cachename[p++] = '\\';
+ cachename[p++] = '-';
cachename[p++] = tmp[0];
cachename[p++] = tmp[1];
cachename[p++] = tmp[2];
diff --git a/src/lib/krb5/krb/unparse.c b/src/lib/krb5/krb/unparse.c
index f0e52dc..6f1a3c9 100644
--- a/src/lib/krb5/krb/unparse.c
+++ b/src/lib/krb5/krb/unparse.c
@@ -149,7 +149,8 @@ krb5_unparse_name_ext(krb5_context context, krb5_const_principal principal, regi
*q++ = COMPONENT_SEP;
}
- q--; /* Back up last component separator */
+ if (i > 0)
+ q--; /* Back up last component separator */
*q++ = REALM_SEP;
cp = krb5_princ_realm(context, principal)->data;
diff --git a/src/lib/krb5/krb/v4lifetime.c b/src/lib/krb5/krb/v4lifetime.c
new file mode 100644
index 0000000..94bf5f6
--- /dev/null
+++ b/src/lib/krb5/krb/v4lifetime.c
@@ -0,0 +1,149 @@
+/*
+ * Copyright 2000, 2001, 2003 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ */
+
+#include "k5-int.h"
+
+/*
+ * Only lifetime bytes values less than 128 are on a linear scale.
+ * The following table contains an exponential scale that covers the
+ * lifetime values 128 to 191 inclusive (a total of 64 values).
+ * Values greater than 191 get interpreted the same as 191, but they
+ * will never be generated by the functions in this file.
+ *
+ * The ratio is approximately 1.069144898 (actually exactly
+ * exp(log(67.5)/63), where 67.5 = 2592000/38400, and 259200 = 30
+ * days, and 38400 = 128*5 minutes. This allows a lifetime byte of
+ * 191 to correspond to a ticket life of exactly 30 days and a
+ * lifetime byte of 128 to correspond to exactly 128*5 minutes, with
+ * the other values spread on an exponential curve fit in between
+ * them. This table should correspond exactly to the set of extended
+ * ticket lifetime values used by AFS and CMU.
+ *
+ * The following awk script is sufficient to reproduce the table:
+ * BEGIN {
+ * r = exp(log(2592000/38400)/63);
+ * x = 38400;
+ * for (i=0;i<64;i++) {
+ * printf("%d\n",x+0.5);
+ * x *= r;
+ * }
+ * }
+ */
+#ifndef SHORT_LIFETIME
+#define NLIFETIMES 64
+static const krb5_int32 lifetimes[NLIFETIMES] = {
+ 38400, 41055, /* 00:10:40:00, 00:11:24:15 */
+ 43894, 46929, /* 00:12:11:34, 00:13:02:09 */
+ 50174, 53643, /* 00:13:56:14, 00:14:54:03 */
+ 57352, 61318, /* 00:15:55:52, 00:17:01:58 */
+ 65558, 70091, /* 00:18:12:38, 00:19:28:11 */
+ 74937, 80119, /* 00:20:48:57, 00:22:15:19 */
+ 85658, 91581, /* 00:23:47:38, 01:01:26:21 */
+ 97914, 104684, /* 01:03:11:54, 01:05:04:44 */
+ 111922, 119661, /* 01:07:05:22, 01:09:14:21 */
+ 127935, 136781, /* 01:11:32:15, 01:13:59:41 */
+ 146239, 156350, /* 01:16:37:19, 01:19:25:50 */
+ 167161, 178720, /* 01:22:26:01, 02:01:38:40 */
+ 191077, 204289, /* 02:05:04:37, 02:08:44:49 */
+ 218415, 233517, /* 02:12:40:15, 02:16:51:57 */
+ 249664, 266926, /* 02:21:21:04, 03:02:08:46 */
+ 285383, 305116, /* 03:07:16:23, 03:12:45:16 */
+ 326213, 348769, /* 03:18:36:53, 04:00:52:49 */
+ 372885, 398668, /* 04:07:34:45, 04:14:44:28 */
+ 426234, 455705, /* 04:22:23:54, 05:06:35:05 */
+ 487215, 520904, /* 05:15:20:15, 06:00:41:44 */
+ 556921, 595430, /* 06:10:42:01, 06:21:23:50 */
+ 636601, 680618, /* 07:08:50:01, 07:21:03:38 */
+ 727680, 777995, /* 08:10:08:00, 09:00:06:35 */
+ 831789, 889303, /* 09:15:03:09, 10:07:01:43 */
+ 950794, 1016537, /* 11:00:06:34, 11:18:22:17 */
+ 1086825, 1161973, /* 12:13:53:45, 13:10:46:13 */
+ 1242318, 1328218, /* 14:09:05:18, 15:08:56:58 */
+ 1420057, 1518247, /* 16:10:27:37, 17:13:44:07 */
+ 1623226, 1735464, /* 18:18:53:46, 20:02:04:24 */
+ 1855462, 1983758, /* 21:11:24:22, 22:23:02:38 */
+ 2120925, 2267576, /* 24:13:08:45, 26:05:52:56 */
+ 2424367, 2592000 /* 28:01:26:07, 30:00:00:00 */
+};
+#define MINFIXED 0x80
+#define MAXFIXED (MINFIXED + NLIFETIMES - 1)
+#endif /* !SHORT_LIFETIME */
+
+/*
+ * krb_life_to_time
+ *
+ * Given a start date and a lifetime byte, compute the expiration
+ * date.
+ */
+krb5_int32
+krb5int_krb_life_to_time(krb5_int32 start, int life)
+{
+ if (life < 0 || life > 255) /* possibly sign botch in caller */
+ return start;
+#ifndef SHORT_LIFETIME
+ if (life < MINFIXED)
+ return start + life * 5 * 60;
+ if (life > MAXFIXED)
+ return start + lifetimes[NLIFETIMES - 1];
+ return start + lifetimes[life - MINFIXED];
+#else /* SHORT_LIFETIME */
+ return start + life * 5 * 60;
+#endif /* SHORT_LIFETIME */
+}
+
+/*
+ * krb_time_to_life
+ *
+ * Given the start date and the end date, compute the lifetime byte.
+ * Round up, since we can adjust the start date backwards if we are
+ * issuing the ticket to cause it to expire at the correct time.
+ */
+int
+krb5int_krb_time_to_life(krb5_int32 start, krb5_int32 end)
+{
+ krb5_int32 dt;
+#ifndef SHORT_LIFETIME
+ int i;
+#endif
+
+ dt = end - start;
+ if (dt <= 0)
+ return 0;
+#ifndef SHORT_LIFETIME
+ if (dt < lifetimes[0])
+ return (dt + 5 * 60 - 1) / (5 * 60);
+ /* This depends on the array being ordered. */
+ for (i = 0; i < NLIFETIMES; i++) {
+ if (lifetimes[i] >= dt)
+ return i + MINFIXED;
+ }
+ return MAXFIXED;
+#else /* SHORT_LIFETIME */
+ if (dt > 5 * 60 * 255)
+ return 255;
+ else
+ return (dt + 5 * 60 - 1) / (5 * 60);
+#endif /* SHORT_LIFETIME */
+}
diff --git a/src/lib/krb5/os/.Sanitize b/src/lib/krb5/os/.Sanitize
index cf13ff1..e17c876 100644
--- a/src/lib/krb5/os/.Sanitize
+++ b/src/lib/krb5/os/.Sanitize
@@ -61,6 +61,7 @@ read_msg.c
read_pwd.c
realm_dom.c
ref_std_conf.out
+send524.c
sendto_kdc.c
sn2princ.c
timeofday.c
diff --git a/src/lib/krb5/os/ChangeLog b/src/lib/krb5/os/ChangeLog
index 51638d9..1814be2 100644
--- a/src/lib/krb5/os/ChangeLog
+++ b/src/lib/krb5/os/ChangeLog
@@ -1,3 +1,123 @@
+2003-12-22 Jeffrey Altman <jaltman@mit.edu>
+
+ * dnssrv.c: wrap within #ifdef KRB5_DNS_LOOKUP to prevent references
+ to resolver functions when DNS support is not being compiled
+
+2003-12-18 Jeffrey Altman <jaltman@mit.edu>
+
+ * accessor.c: Add new functions for use by gssapi
+
+2003-10-27 Jeffrey Altman <jaltman@mit.edu>
+
+ * sendto_kdc.c: sockets must be closed with closesocket() and
+ and not close() in order to ensure portability among different
+ operating systems.
+
+2003-08-21 Ken Raeburn <raeburn@mit.edu>
+
+ * dnssrv.c: New file; split out DNS SRV RR query support...
+ * locate_kdc.c: ...from here. Always compile in the calls.
+ * Makefile.in (STLIBOBJS, OBJS, SRCS): Add it.
+
+2003-07-25 Ken Raeburn <raeburn@mit.edu>
+
+ * locate_kdc.c (krb5_locate_kdc): Always pass 0 to locate_server
+ as the get_masters argument. Instead, if get_masters is set,
+ look up "master_kdc" in the config file instead of "kdc".
+
+2003-07-09 Alexandra Ellwood <lxs@mit.edu>
+
+ * toffset.c: Export and krb5_set_real_time for Samba.
+
+2003-06-06 Ken Raeburn <raeburn@mit.edu>
+
+ * locate_kdc.c (struct srv_dns_entry): Moved to k5-int.h.
+ (krb5int_make_srv_query_realm): Renamed from make_srv_query_realm.
+ (krb5int_free_srv_dns_data): New function.
+ (krb5_locate_srv_dns_1): Use it.
+
+ * accessor.c (krb5int_accessor): Fill in make_srv_query_realm and
+ free_srv_dns_data fields.
+
+2003-06-05 Ken Raeburn <raeburn@mit.edu>
+
+ * locate_kdc.c (make_srv_query_realm): Punt if strdup fails.
+ Always return what data we can, even if memory allocation or other
+ problems prevent us from returning more.
+ (krb5_locate_srv_dns_1): Always return what data we can. Fix
+ memory leak. Free up temporary storage as quickly as possible,
+ while building up address list to return.
+
+2003-06-03 Ken Raeburn <raeburn@mit.edu>
+
+ * accessor.c (krb5int_accessor): Initialize restored locate_server
+ field.
+
+ * locate_kdc.c (struct srv_dns_entry): Move to top level.
+ (make_srv_query_realm): Separate from krb5_locate_srv_dns_1; just
+ do query and return results.
+ (krb5_locate_srv_dns_1): Call it, and build addlist entries.
+ Check for one RR with a target of ".", and return an error.
+ (krb5_locate_srv_dns): Deleted.
+
+ * t_locate_kdc.c (main): Call krb5_locate_srv_dns_1.
+
+ * changepw.c (krb5_locate_kpasswd): Check specifically for certain
+ errors before using fallback heuristics.
+
+2003-06-03 Alexandra Ellwood <lxs@mit.edu>
+
+ * init_os_ctx.c: Included header to get __KLAllowHomeDirectoryAccess().
+
+2003-05-27 Ken Raeburn <raeburn@mit.edu>
+
+ * send524.c (krb5int_524_sendto_kdc): Enable support on Windows
+ always.
+
+2003-05-24 Ken Raeburn <raeburn@mit.edu>
+
+ * send524.c: New file, moved from krb524/sendmsg.c. Rename
+ function to have krb5int_ prefix. If KRB5_KRB4_COMPAT not
+ defined, return an error.
+ * accessor.c (krb5int_accessor): Update for deleted and added
+ fields. If KRB5_KRB4_COMPAT is not defined, just use null
+ pointers for the new fields.
+
+2003-05-06 Alexandra Ellwood <lxs@mit.edu>
+
+ * init_os_ctx.c: Added support for KLL's __KLAllowHomeDirectoryAccess()
+ function so that krb4, krb5 and gssapi will not access the user's homedir
+ if the application forbids it.
+
+2003-04-28 Sam Hartman <hartmans@mit.edu>
+
+ * changepw.c (krb5_change_set_password): Locate server in realm of
+ creds.server, not in realm of target principal because target
+ principal is null in the changepw case.
+
+2003-04-27 Sam Hartman <hartmans@mit.edu>
+
+ * changepw.c (krb5_change_set_password): Call
+ krb5_setpw_result_code_string not krb5_setpw_result_code_string
+
+2003-04-24 Sam Hartman <hartmans@mit.edu>
+
+ * changepw.c (krb5_change_set_password): return error from
+ auth_con_setaddrs not last socket errno if auth_con_setaddrs fails
+
+2003-04-15 Sam Hartman <hartmans@mit.edu>
+
+ * changepw.c (krb5_change_set_password): Patches from Paul Nelson
+ to implement Microsoft set password protocol
+ (krb5_set_password_using_ccache): Use kadmin/changepw in target realm, not local realm and use a two-component principal
+ (krb5_change_set_password): Find the kpasswd server for the realm
+ of the target principal not the client
+
+2003-04-13 Ken Raeburn <raeburn@mit.edu>
+
+ * read_pwd.c (krb5_read_password): Always free temporary storage
+ used for verification version of password.
+
2003-03-06 Alexandra Ellwood <lxs@mit.edu>
* c_ustime.c: Removed Mac OS 9 code.
diff --git a/src/lib/krb5/os/Makefile.in b/src/lib/krb5/os/Makefile.in
index acd37b2..27431a0 100644
--- a/src/lib/krb5/os/Makefile.in
+++ b/src/lib/krb5/os/Makefile.in
@@ -18,6 +18,7 @@ STLIBOBJS= \
def_realm.o \
ccdefname.o \
changepw.o \
+ dnssrv.o \
free_krbhs.o \
free_hstrl.o \
full_ipadr.o \
@@ -46,6 +47,7 @@ STLIBOBJS= \
read_pwd.o \
realm_dom.o \
realm_iter.o \
+ send524.o \
sendto_kdc.o \
sn2princ.o \
timeofday.o \
@@ -61,6 +63,7 @@ OBJS= \
$(OUTPRE)def_realm.$(OBJEXT) \
$(OUTPRE)ccdefname.$(OBJEXT) \
$(OUTPRE)changepw.$(OBJEXT) \
+ $(OUTPRE)dnssrv.$(OBJEXT) \
$(OUTPRE)free_krbhs.$(OBJEXT) \
$(OUTPRE)free_hstrl.$(OBJEXT) \
$(OUTPRE)full_ipadr.$(OBJEXT) \
@@ -89,6 +92,7 @@ OBJS= \
$(OUTPRE)read_pwd.$(OBJEXT) \
$(OUTPRE)realm_dom.$(OBJEXT) \
$(OUTPRE)realm_iter.$(OBJEXT) \
+ $(OUTPRE)send524.$(OBJEXT) \
$(OUTPRE)sendto_kdc.$(OBJEXT) \
$(OUTPRE)sn2princ.$(OBJEXT) \
$(OUTPRE)timeofday.$(OBJEXT) \
@@ -104,6 +108,7 @@ SRCS= \
$(srcdir)/def_realm.c \
$(srcdir)/ccdefname.c \
$(srcdir)/changepw.c \
+ $(srcdir)/dnssrv.c \
$(srcdir)/free_krbhs.c \
$(srcdir)/free_hstrl.c \
$(srcdir)/full_ipadr.c \
@@ -132,6 +137,7 @@ SRCS= \
$(srcdir)/realm_dom.c \
$(srcdir)/realm_iter.c \
$(srcdir)/port2ip.c \
+ $(srcdir)/send524.c \
$(srcdir)/sendto_kdc.c \
$(srcdir)/sn2princ.c \
$(srcdir)/timeofday.c \
@@ -235,210 +241,235 @@ clean::
#
accessor.so accessor.po $(OUTPRE)accessor.$(OBJEXT): accessor.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h
+ os-proto.h
an_to_ln.so an_to_ln.po $(OUTPRE)an_to_ln.$(OBJEXT): an_to_ln.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
c_ustime.so c_ustime.po $(OUTPRE)c_ustime.$(OBJEXT): c_ustime.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
def_realm.so def_realm.po $(OUTPRE)def_realm.$(OBJEXT): def_realm.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h
+ os-proto.h
ccdefname.so ccdefname.po $(OUTPRE)ccdefname.$(OBJEXT): ccdefname.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
changepw.so changepw.po $(OUTPRE)changepw.$(OBJEXT): changepw.c $(SRCTOP)/include/fake-addrinfo.h \
$(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-int.h \
- $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-platform.h \
+ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/krb5/kdb.h os-proto.h
+dnssrv.so dnssrv.po $(OUTPRE)dnssrv.$(OBJEXT): dnssrv.c $(SRCTOP)/include/k5-int.h \
+ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
os-proto.h
free_krbhs.so free_krbhs.po $(OUTPRE)free_krbhs.$(OBJEXT): free_krbhs.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
free_hstrl.so free_hstrl.po $(OUTPRE)free_hstrl.$(OBJEXT): free_hstrl.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
full_ipadr.so full_ipadr.po $(OUTPRE)full_ipadr.$(OBJEXT): full_ipadr.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h
+ os-proto.h
get_krbhst.so get_krbhst.po $(OUTPRE)get_krbhst.$(OBJEXT): get_krbhst.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
gen_port.so gen_port.po $(OUTPRE)gen_port.$(OBJEXT): gen_port.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h
+ os-proto.h
genaddrs.so genaddrs.po $(OUTPRE)genaddrs.$(OBJEXT): genaddrs.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h
+ os-proto.h
gen_rname.so gen_rname.po $(OUTPRE)gen_rname.$(OBJEXT): gen_rname.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h
+ os-proto.h
gmt_mktime.so gmt_mktime.po $(OUTPRE)gmt_mktime.$(OBJEXT): gmt_mktime.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
hostaddr.so hostaddr.po $(OUTPRE)hostaddr.$(OBJEXT): hostaddr.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/fake-addrinfo.h
+ $(SRCTOP)/include/fake-addrinfo.h
hst_realm.so hst_realm.po $(OUTPRE)hst_realm.$(OBJEXT): hst_realm.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h $(SRCTOP)/include/fake-addrinfo.h
+ os-proto.h $(SRCTOP)/include/fake-addrinfo.h
init_os_ctx.so init_os_ctx.po $(OUTPRE)init_os_ctx.$(OBJEXT): init_os_ctx.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h
+ os-proto.h
krbfileio.so krbfileio.po $(OUTPRE)krbfileio.$(OBJEXT): krbfileio.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
ktdefname.so ktdefname.po $(OUTPRE)ktdefname.$(OBJEXT): ktdefname.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
kuserok.so kuserok.po $(OUTPRE)kuserok.$(OBJEXT): kuserok.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
mk_faddr.so mk_faddr.po $(OUTPRE)mk_faddr.$(OBJEXT): mk_faddr.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h
+ os-proto.h
localaddr.so localaddr.po $(OUTPRE)localaddr.$(OBJEXT): localaddr.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/foreachaddr.c
+ $(SRCTOP)/include/foreachaddr.c
locate_kdc.so locate_kdc.po $(OUTPRE)locate_kdc.$(OBJEXT): locate_kdc.c $(SRCTOP)/include/fake-addrinfo.h \
$(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-int.h \
- $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- os-proto.h
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-platform.h \
+ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/krb5/kdb.h os-proto.h
lock_file.so lock_file.po $(OUTPRE)lock_file.$(OBJEXT): lock_file.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
net_read.so net_read.po $(OUTPRE)net_read.$(OBJEXT): net_read.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
net_write.so net_write.po $(OUTPRE)net_write.$(OBJEXT): net_write.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
osconfig.so osconfig.po $(OUTPRE)osconfig.$(OBJEXT): osconfig.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
prompter.so prompter.po $(OUTPRE)prompter.$(OBJEXT): prompter.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
promptusr.so promptusr.po $(OUTPRE)promptusr.$(OBJEXT): promptusr.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
read_msg.so read_msg.po $(OUTPRE)read_msg.$(OBJEXT): read_msg.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
read_pwd.so read_pwd.po $(OUTPRE)read_pwd.$(OBJEXT): read_pwd.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
realm_dom.so realm_dom.po $(OUTPRE)realm_dom.$(OBJEXT): realm_dom.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
realm_iter.so realm_iter.po $(OUTPRE)realm_iter.$(OBJEXT): realm_iter.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
port2ip.so port2ip.po $(OUTPRE)port2ip.$(OBJEXT): port2ip.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h os-proto.h
+ os-proto.h
+send524.so send524.po $(OUTPRE)send524.$(OBJEXT): send524.c $(SRCTOP)/include/fake-addrinfo.h \
+ $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-platform.h \
+ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/krb5/kdb.h os-proto.h
sendto_kdc.so sendto_kdc.po $(OUTPRE)sendto_kdc.$(OBJEXT): sendto_kdc.c $(SRCTOP)/include/fake-addrinfo.h \
$(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-int.h \
- $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- os-proto.h $(SRCTOP)/include/cm.h
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-platform.h \
+ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
+ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
+ $(SRCTOP)/include/krb5/kdb.h os-proto.h $(SRCTOP)/include/cm.h
sn2princ.so sn2princ.po $(OUTPRE)sn2princ.$(OBJEXT): sn2princ.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/fake-addrinfo.h
+ $(SRCTOP)/include/fake-addrinfo.h
timeofday.so timeofday.po $(OUTPRE)timeofday.$(OBJEXT): timeofday.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
toffset.so toffset.po $(OUTPRE)toffset.$(OBJEXT): toffset.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
unlck_file.so unlck_file.po $(OUTPRE)unlck_file.$(OBJEXT): unlck_file.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
ustime.so ustime.po $(OUTPRE)ustime.$(OBJEXT): ustime.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
write_msg.so write_msg.po $(OUTPRE)write_msg.$(OBJEXT): write_msg.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
diff --git a/src/lib/krb5/os/accessor.c b/src/lib/krb5/os/accessor.c
index 509d317..4e907b1 100644
--- a/src/lib/krb5/os/accessor.c
+++ b/src/lib/krb5/os/accessor.c
@@ -35,18 +35,32 @@ krb5int_accessor(krb5int_access *internals, krb5_int32 version)
if (version == KRB5INT_ACCESS_VERSION)
{
krb5int_access internals_temp;
- internals_temp.krb5_locate_server = krb5int_locate_server;
- internals_temp.krb5_locate_kdc = krb5_locate_kdc;
internals_temp.free_addrlist = krb5int_free_addrlist;
- internals_temp.krb5_max_skdc_timeout = krb5_max_skdc_timeout;
- internals_temp.krb5_skdc_timeout_shift = krb5_skdc_timeout_shift;
- internals_temp.krb5_skdc_timeout_1 = krb5_skdc_timeout_1;
- internals_temp.krb5_max_dgram_size = krb5_max_dgram_size;
internals_temp.krb5_hmac = krb5_hmac;
internals_temp.md5_hash_provider = &krb5int_hash_md5;
internals_temp.arcfour_enc_provider = &krb5int_enc_arcfour;
+ internals_temp.locate_server = &krb5int_locate_server;
internals_temp.sendto_udp = &krb5int_sendto;
internals_temp.add_host_to_list = krb5int_add_host_to_list;
+#ifdef KRB5_DNS_LOOKUP
+ internals_temp.make_srv_query_realm = krb5int_make_srv_query_realm;
+ internals_temp.free_srv_dns_data = krb5int_free_srv_dns_data;
+#else
+ internals_temp.make_srv_query_realm = 0;
+ internals_temp.free_srv_dns_data = 0;
+#endif
+#ifdef KRB5_KRB4_COMPAT
+ internals_temp.krb_life_to_time = krb5int_krb_life_to_time;
+ internals_temp.krb_time_to_life = krb5int_krb_time_to_life;
+ internals_temp.krb524_encode_v4tkt = krb5int_encode_v4tkt;
+#else
+ internals_temp.krb_life_to_time = 0;
+ internals_temp.krb_time_to_life = 0;
+ internals_temp.krb524_encode_v4tkt = 0;
+#endif
+ internals_temp.krb5int_c_mandatory_cksumtype = krb5int_c_mandatory_cksumtype;
+ internals_temp.krb5_ser_pack_int64 = krb5_ser_pack_int64;
+ internals_temp.krb5_ser_unpack_int64 = krb5_ser_unpack_int64;
*internals = internals_temp;
return 0;
}
diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c
index 60cb3a9..780f0c0 100644
--- a/src/lib/krb5/os/changepw.c
+++ b/src/lib/krb5/os/changepw.c
@@ -24,6 +24,10 @@
* or implied warranty.
*
*/
+/*
+ * krb5_set_password - Implements set password per RFC 3244
+ * Added by Paul W. Nelson, Thursby Software Systems, Inc.
+ */
#define NEED_SOCKETS
#include "fake-addrinfo.h"
@@ -50,7 +54,7 @@ krb5_locate_kpasswd(krb5_context context, const krb5_data *realm,
code = krb5int_locate_server (context, realm, addrlist, 0,
"kpasswd_server", "_kpasswd", 0,
DEFAULT_KPASSWD_PORT, 0, 0);
- if (code) {
+ if (code == KRB5_REALM_CANT_RESOLVE || code == KRB5_REALM_UNKNOWN) {
code = krb5int_locate_server (context, realm, addrlist, 0,
"admin_server", "_kerberos-adm", 1,
DEFAULT_KPASSWD_PORT, 0, 0);
@@ -69,8 +73,16 @@ krb5_locate_kpasswd(krb5_context context, const krb5_data *realm,
}
+/*
+** The logic for setting and changing a password is mostly the same
+** krb5_change_set_password handles both cases
+** if set_password_for is NULL, then a password change is performed,
+** otherwise, the password is set for the principal indicated in set_password_for
+*/
krb5_error_code KRB5_CALLCONV
-krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw, int *result_code, krb5_data *result_code_string, krb5_data *result_string)
+krb5_change_set_password(
+ krb5_context context, krb5_creds *creds, char *newpw, krb5_principal set_password_for,
+ int *result_code, krb5_data *result_code_string, krb5_data *result_string)
{
krb5_auth_context auth_context;
krb5_data ap_req, chpw_req, chpw_rep;
@@ -104,7 +116,7 @@ krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw, int *
goto cleanup;
if ((code = krb5_locate_kpasswd(context,
- krb5_princ_realm(context, creds->client),
+ krb5_princ_realm(context, creds->server),
&al)))
goto cleanup;
@@ -218,14 +230,15 @@ krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw, int *
if ((code = krb5_auth_con_setaddrs(context, auth_context,
&local_kaddr, NULL))) {
- code = SOCKET_ERRNO;
- goto cleanup;
+ goto cleanup;
}
- if ((code = krb5_mk_chpw_req(context, auth_context, &ap_req,
- newpw, &chpw_req)))
+ if( set_password_for )
+ code = krb5int_mk_setpw_req(context, auth_context, &ap_req, set_password_for, newpw, &chpw_req);
+ else
+ code = krb5int_mk_chpw_req(context, auth_context, &ap_req, newpw, &chpw_req);
+ if (code)
{
- code = SOCKET_ERRNO;
goto cleanup;
}
@@ -289,19 +302,23 @@ krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw, int *
NULL, &remote_kaddr)))
goto cleanup;
- if ((code = krb5_rd_chpw_rep(context, auth_context, &chpw_rep,
- &local_result_code,
- result_string)))
- goto cleanup;
+ if( set_password_for )
+ code = krb5int_rd_setpw_rep(context, auth_context, &chpw_rep, &local_result_code, result_string);
+ else
+ code = krb5int_rd_chpw_rep(context, auth_context, &chpw_rep, &local_result_code, result_string);
+ if (code)
+ goto cleanup;
if (result_code)
*result_code = local_result_code;
if (result_code_string) {
- if ((code = krb5_chpw_result_code_string(context,
- local_result_code,
- &code_string)))
- goto cleanup;
+ if( set_password_for )
+ code = krb5int_setpw_result_code_string(context, local_result_code, (const char **)&code_string);
+ else
+ code = krb5_chpw_result_code_string(context, local_result_code, &code_string);
+ if(code)
+ goto cleanup;
result_code_string->length = strlen(code_string);
result_code_string->data = malloc(result_code_string->length);
@@ -343,3 +360,71 @@ cleanup:
return(code);
}
+
+krb5_error_code KRB5_CALLCONV
+krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw, int *result_code, krb5_data *result_code_string, krb5_data *result_string)
+{
+ return krb5_change_set_password(
+ context, creds, newpw, NULL, result_code, result_code_string, result_string );
+}
+
+/*
+ * krb5_set_password - Implements set password per RFC 3244
+ *
+ */
+
+krb5_error_code KRB5_CALLCONV
+krb5_set_password(
+ krb5_context context,
+ krb5_creds *creds,
+ char *newpw,
+ krb5_principal change_password_for,
+ int *result_code, krb5_data *result_code_string, krb5_data *result_string
+ )
+{
+ return krb5_change_set_password(
+ context, creds, newpw, change_password_for, result_code, result_code_string, result_string );
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_set_password_using_ccache(
+ krb5_context context,
+ krb5_ccache ccache,
+ char *newpw,
+ krb5_principal change_password_for,
+ int *result_code, krb5_data *result_code_string, krb5_data *result_string
+ )
+{
+ krb5_creds creds;
+ krb5_creds *credsp;
+ krb5_error_code code;
+
+/*
+** get the proper creds for use with krb5_set_password -
+*/
+ memset( &creds, 0, sizeof(creds) );
+/*
+** first get the principal for the password service -
+*/
+ code = krb5_cc_get_principal( context, ccache, &creds.client );
+ if( !code )
+ {
+ code = krb5_build_principal( context, &creds.server,
+ krb5_princ_realm(context, change_password_for)->length,
+ krb5_princ_realm(context, change_password_for)->data,
+ "kadmin", "changepw", NULL );
+ if(!code)
+ {
+ code = krb5_get_credentials(context, 0, ccache, &creds, &credsp);
+ if( ! code )
+ {
+ code = krb5_set_password(context, credsp, newpw, change_password_for,
+ result_code, result_code_string,
+ result_string);
+ krb5_free_creds(context, credsp);
+ }
+ }
+ krb5_free_cred_contents(context, &creds);
+ }
+ return code;
+}
diff --git a/src/lib/krb5/os/dnssrv.c b/src/lib/krb5/os/dnssrv.c
new file mode 100644
index 0000000..90279fd
--- /dev/null
+++ b/src/lib/krb5/os/dnssrv.c
@@ -0,0 +1,273 @@
+/*
+ * lib/krb5/os/dnssrv.c
+ *
+ * Copyright 1990,2000,2001,2002,2003 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * do DNS SRV RR queries
+ */
+
+#ifdef KRB5_DNS_LOOKUP
+#define NEED_SOCKETS
+#include "k5-int.h"
+#include "os-proto.h"
+#include <stdio.h>
+#ifdef WSHELPER
+#include <wshelper.h>
+#else /* WSHELPER */
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+#include <netdb.h>
+#endif /* WSHELPER */
+#ifndef T_SRV
+#define T_SRV 33
+#endif /* T_SRV */
+
+/* for old Unixes and friends ... */
+#ifndef MAXHOSTNAMELEN
+#define MAXHOSTNAMELEN 64
+#endif
+
+#define MAX_DNS_NAMELEN (15*(MAXHOSTNAMELEN + 1)+1)
+
+/*
+ * Lookup a KDC via DNS SRV records
+ */
+
+void krb5int_free_srv_dns_data (struct srv_dns_entry *p)
+{
+ struct srv_dns_entry *next;
+ while (p) {
+ next = p->next;
+ free(p->host);
+ free(p);
+ p = next;
+ }
+}
+
+/* Do DNS SRV query, return results in *answers.
+
+ Make best effort to return all the data we can. On memory or
+ decoding errors, just return what we've got. Always return 0,
+ currently. */
+
+krb5_error_code
+krb5int_make_srv_query_realm(const krb5_data *realm,
+ const char *service,
+ const char *protocol,
+ struct srv_dns_entry **answers)
+{
+ union {
+ unsigned char bytes[2048];
+ HEADER hdr;
+ } answer;
+ unsigned char *p=NULL;
+ char host[MAX_DNS_NAMELEN], *h;
+ int type, rrclass;
+ int priority, weight, size, len, numanswers, numqueries, rdlen;
+ unsigned short port;
+ const int hdrsize = sizeof(HEADER);
+
+ struct srv_dns_entry *head = NULL;
+ struct srv_dns_entry *srv = NULL, *entry = NULL;
+
+ /*
+ * First off, build a query of the form:
+ *
+ * service.protocol.realm
+ *
+ * which will most likely be something like:
+ *
+ * _kerberos._udp.REALM
+ *
+ */
+
+ if (memchr(realm->data, 0, realm->length))
+ return 0;
+ if ( strlen(service) + strlen(protocol) + realm->length + 6
+ > MAX_DNS_NAMELEN )
+ return 0;
+ sprintf(host, "%s.%s.%.*s", service, protocol, (int) realm->length,
+ realm->data);
+
+ /* Realm names don't (normally) end with ".", but if the query
+ doesn't end with "." and doesn't get an answer as is, the
+ resolv code will try appending the local domain. Since the
+ realm names are absolutes, let's stop that.
+
+ But only if a name has been specified. If we are performing
+ a search on the prefix alone then the intention is to allow
+ the local domain or domain search lists to be expanded. */
+
+ h = host + strlen (host);
+ if ((h[-1] != '.') && ((h - host + 1) < sizeof(host)))
+ strcpy (h, ".");
+
+#ifdef TEST
+ fprintf (stderr, "sending DNS SRV query for %s\n", host);
+#endif
+
+ size = res_search(host, C_IN, T_SRV, answer.bytes, sizeof(answer.bytes));
+
+ if ((size < hdrsize) || (size > sizeof(answer.bytes)))
+ goto out;
+
+ /*
+ * We got an answer! First off, parse the header and figure out how
+ * many answers we got back.
+ */
+
+ p = answer.bytes;
+
+ numqueries = ntohs(answer.hdr.qdcount);
+ numanswers = ntohs(answer.hdr.ancount);
+
+ p += sizeof(HEADER);
+
+ /*
+ * We need to skip over all of the questions, so we have to iterate
+ * over every query record. dn_expand() is able to tell us the size
+ * of compress DNS names, so we use it.
+ */
+
+#define INCR_CHECK(x,y) x += y; if (x > size + answer.bytes) goto out
+#define CHECK(x,y) if (x + y > size + answer.bytes) goto out
+#define NTOHSP(x,y) x[0] << 8 | x[1]; x += y
+
+ while (numqueries--) {
+ len = dn_expand(answer.bytes, answer.bytes + size, p, host, sizeof(host));
+ if (len < 0)
+ goto out;
+ INCR_CHECK(p, len + 4);
+ }
+
+ /*
+ * We're now pointing at the answer records. Only process them if
+ * they're actually T_SRV records (they might be CNAME records,
+ * for instance).
+ *
+ * But in a DNS reply, if you get a CNAME you always get the associated
+ * "real" RR for that CNAME. RFC 1034, 3.6.2:
+ *
+ * CNAME RRs cause special action in DNS software. When a name server
+ * fails to find a desired RR in the resource set associated with the
+ * domain name, it checks to see if the resource set consists of a CNAME
+ * record with a matching class. If so, the name server includes the CNAME
+ * record in the response and restarts the query at the domain name
+ * specified in the data field of the CNAME record. The one exception to
+ * this rule is that queries which match the CNAME type are not restarted.
+ *
+ * In other words, CNAMEs do not need to be expanded by the client.
+ */
+
+ while (numanswers--) {
+
+ /* First is the name; use dn_expand to get the compressed size */
+ len = dn_expand(answer.bytes, answer.bytes + size, p, host, sizeof(host));
+ if (len < 0)
+ goto out;
+ INCR_CHECK(p, len);
+
+ /* Next is the query type */
+ CHECK(p, 2);
+ type = NTOHSP(p,2);
+
+ /* Next is the query class; also skip over 4 byte TTL */
+ CHECK(p, 6);
+ rrclass = NTOHSP(p,6);
+
+ /* Record data length */
+
+ CHECK(p,2);
+ rdlen = NTOHSP(p,2);
+
+ /*
+ * If this is an SRV record, process it. Record format is:
+ *
+ * Priority
+ * Weight
+ * Port
+ * Server name
+ */
+
+ if (rrclass == C_IN && type == T_SRV) {
+ CHECK(p,2);
+ priority = NTOHSP(p,2);
+ CHECK(p, 2);
+ weight = NTOHSP(p,2);
+ CHECK(p, 2);
+ port = NTOHSP(p,2);
+ len = dn_expand(answer.bytes, answer.bytes + size, p, host, sizeof(host));
+ if (len < 0)
+ goto out;
+ INCR_CHECK(p, len);
+
+ /*
+ * We got everything! Insert it into our list, but make sure
+ * it's in the right order. Right now we don't do anything
+ * with the weight field
+ */
+
+ srv = (struct srv_dns_entry *) malloc(sizeof(struct srv_dns_entry));
+ if (srv == NULL)
+ goto out;
+
+ srv->priority = priority;
+ srv->weight = weight;
+ srv->port = port;
+ srv->host = strdup(host);
+ if (srv->host == NULL) {
+ free(srv);
+ goto out;
+ }
+
+ if (head == NULL || head->priority > srv->priority) {
+ srv->next = head;
+ head = srv;
+ } else
+ /*
+ * This is confusing. Only insert an entry into this
+ * spot if:
+ * The next person has a higher priority (lower priorities
+ * are preferred).
+ * Or
+ * There is no next entry (we're at the end)
+ */
+ for (entry = head; entry != NULL; entry = entry->next)
+ if ((entry->next &&
+ entry->next->priority > srv->priority) ||
+ entry->next == NULL) {
+ srv->next = entry->next;
+ entry->next = srv;
+ break;
+ }
+ } else
+ INCR_CHECK(p, rdlen);
+ }
+
+ out:
+ *answers = head;
+ return 0;
+}
+#endif \ No newline at end of file
diff --git a/src/lib/krb5/os/init_os_ctx.c b/src/lib/krb5/os/init_os_ctx.c
index eb2321d..c43771d 100644
--- a/src/lib/krb5/os/init_os_ctx.c
+++ b/src/lib/krb5/os/init_os_ctx.c
@@ -31,6 +31,10 @@
#include "k5-int.h"
#include "os-proto.h"
+#ifdef USE_LOGIN_LIBRARY
+#include "KerberosLoginPrivate.h"
+#endif
+
#if defined(_WIN32)
static krb5_error_code
@@ -234,8 +238,14 @@ os_get_default_config_files(profile_filespec_t **pfiles, krb5_boolean secure)
unsigned int ent_len;
const char *s, *t;
+#ifdef USE_LOGIN_LIBRARY
+ /* If __KLAllowHomeDirectoryAccess() == FALSE, we are probably
+ trying to authenticate to a fileserver for the user's homedir. */
+ if (secure || !__KLAllowHomeDirectoryAccess ()) {
+#else
if (secure) {
- filepath = DEFAULT_SECURE_PROFILE_PATH;
+#endif
+ filepath = DEFAULT_SECURE_PROFILE_PATH;
} else {
filepath = getenv("KRB5_CONFIG");
if (!filepath) filepath = DEFAULT_PROFILE_PATH;
diff --git a/src/lib/krb5/os/locate_kdc.c b/src/lib/krb5/os/locate_kdc.c
index 9c9fed4..ce90127 100644
--- a/src/lib/krb5/os/locate_kdc.c
+++ b/src/lib/krb5/os/locate_kdc.c
@@ -502,12 +502,6 @@ krb5_locate_srv_conf(krb5_context context, const krb5_data *realm,
}
#endif
-#ifdef KRB5_DNS_LOOKUP
-
-/*
- * Lookup a KDC via DNS SRV records
- */
-
static krb5_error_code
krb5_locate_srv_dns_1 (const krb5_data *realm,
const char *service,
@@ -515,196 +509,14 @@ krb5_locate_srv_dns_1 (const krb5_data *realm,
struct addrlist *addrlist,
int family)
{
- union {
- unsigned char bytes[2048];
- HEADER hdr;
- } answer;
- unsigned char *p=NULL;
- char host[MAX_DNS_NAMELEN], *h;
- int type, rrclass;
- int priority, weight, size, len, numanswers, numqueries, rdlen;
- unsigned short port;
- const int hdrsize = sizeof(HEADER);
- struct srv_dns_entry {
- struct srv_dns_entry *next;
- int priority;
- int weight;
- unsigned short port;
- char *host;
- };
-
struct srv_dns_entry *head = NULL;
- struct srv_dns_entry *srv = NULL, *entry = NULL;
+ struct srv_dns_entry *entry = NULL, *next;
krb5_error_code code = 0;
- /*
- * First off, build a query of the form:
- *
- * service.protocol.realm
- *
- * which will most likely be something like:
- *
- * _kerberos._udp.REALM
- *
- */
-
- if ( strlen(service) + strlen(protocol) + realm->length + 6
- > MAX_DNS_NAMELEN )
- goto out;
- sprintf(host, "%s.%s.%.*s", service, protocol, (int) realm->length,
- realm->data);
-
- /* Realm names don't (normally) end with ".", but if the query
- doesn't end with "." and doesn't get an answer as is, the
- resolv code will try appending the local domain. Since the
- realm names are absolutes, let's stop that.
-
- But only if a name has been specified. If we are performing
- a search on the prefix alone then the intention is to allow
- the local domain or domain search lists to be expanded. */
-
- h = host + strlen (host);
- if ((h > host) && (h[-1] != '.') && ((h - host + 1) < sizeof(host)))
- strcpy (h, ".");
-
-#ifdef TEST
- fprintf (stderr, "sending DNS SRV query for %s\n", host);
-#endif
-
- size = res_search(host, C_IN, T_SRV, answer.bytes, sizeof(answer.bytes));
-
- if ((size < hdrsize) || (size > sizeof(answer.bytes)))
- goto out;
-
- /*
- * We got an answer! First off, parse the header and figure out how
- * many answers we got back.
- */
-
- p = answer.bytes;
-
- numqueries = ntohs(answer.hdr.qdcount);
- numanswers = ntohs(answer.hdr.ancount);
-
- p += sizeof(HEADER);
-
- /*
- * We need to skip over all of the questions, so we have to iterate
- * over every query record. dn_expand() is able to tell us the size
- * of compress DNS names, so we use it.
- */
-
-#define INCR_CHECK(x,y) x += y; if (x > size + answer.bytes) goto out
-#define CHECK(x,y) if (x + y > size + answer.bytes) goto out
-#define NTOHSP(x,y) x[0] << 8 | x[1]; x += y
-
- while (numqueries--) {
- len = dn_expand(answer.bytes, answer.bytes + size, p, host, sizeof(host));
- if (len < 0)
- goto out;
- INCR_CHECK(p, len + 4);
- }
-
- /*
- * We're now pointing at the answer records. Only process them if
- * they're actually T_SRV records (they might be CNAME records,
- * for instance).
- *
- * But in a DNS reply, if you get a CNAME you always get the associated
- * "real" RR for that CNAME. RFC 1034, 3.6.2:
- *
- * CNAME RRs cause special action in DNS software. When a name server
- * fails to find a desired RR in the resource set associated with the
- * domain name, it checks to see if the resource set consists of a CNAME
- * record with a matching class. If so, the name server includes the CNAME
- * record in the response and restarts the query at the domain name
- * specified in the data field of the CNAME record. The one exception to
- * this rule is that queries which match the CNAME type are not restarted.
- *
- * In other words, CNAMEs do not need to be expanded by the client.
- */
-
- while (numanswers--) {
-
- /* First is the name; use dn_expand to get the compressed size */
- len = dn_expand(answer.bytes, answer.bytes + size, p, host, sizeof(host));
- if (len < 0)
- goto out;
- INCR_CHECK(p, len);
-
- /* Next is the query type */
- CHECK(p, 2);
- type = NTOHSP(p,2);
-
- /* Next is the query class; also skip over 4 byte TTL */
- CHECK(p, 6);
- rrclass = NTOHSP(p,6);
-
- /* Record data length */
-
- CHECK(p,2);
- rdlen = NTOHSP(p,2);
-
- /*
- * If this is an SRV record, process it. Record format is:
- *
- * Priority
- * Weight
- * Port
- * Server name
- */
+ code = krb5int_make_srv_query_realm(realm, service, protocol, &head);
+ if (code)
+ return 0;
- if (rrclass == C_IN && type == T_SRV) {
- CHECK(p,2);
- priority = NTOHSP(p,2);
- CHECK(p, 2);
- weight = NTOHSP(p,2);
- CHECK(p, 2);
- port = NTOHSP(p,2);
- len = dn_expand(answer.bytes, answer.bytes + size, p, host, sizeof(host));
- if (len < 0)
- goto out;
- INCR_CHECK(p, len);
-
- /*
- * We got everything! Insert it into our list, but make sure
- * it's in the right order. Right now we don't do anything
- * with the weight field
- */
-
- srv = (struct srv_dns_entry *) malloc(sizeof(struct srv_dns_entry));
- if (srv == NULL)
- goto out;
-
- srv->priority = priority;
- srv->weight = weight;
- srv->port = port;
- srv->host = strdup(host);
-
- if (head == NULL || head->priority > srv->priority) {
- srv->next = head;
- head = srv;
- } else
- /*
- * This is confusing. Only insert an entry into this
- * spot if:
- * The next person has a higher priority (lower priorities
- * are preferred).
- * Or
- * There is no next entry (we're at the end)
- */
- for (entry = head; entry != NULL; entry = entry->next)
- if ((entry->next &&
- entry->next->priority > srv->priority) ||
- entry->next == NULL) {
- srv->next = entry->next;
- entry->next = srv;
- break;
- }
- } else
- INCR_CHECK(p, rdlen);
- }
-
/*
* Okay! Now we've got a linked list of entries sorted by
* priority. Start looking up A records and returning
@@ -712,53 +524,44 @@ krb5_locate_srv_dns_1 (const krb5_data *realm,
*/
if (head == NULL)
- goto out;
+ return 0;
+
+ /* Check for the "." case indicating no support. */
+ if (head->next == 0 && head->host[0] == 0) {
+ free(head->host);
+ free(head);
+ return KRB5_ERR_NO_SERVICE;
+ }
#ifdef TEST
fprintf (stderr, "walking answer list:\n");
#endif
- for (entry = head; entry != NULL; entry = entry->next) {
+ for (entry = head; entry != NULL; entry = next) {
#ifdef TEST
fprintf (stderr, "\tport=%d host=%s\n", entry->port, entry->host);
#endif
+ next = entry->next;
code = add_host_to_list (addrlist, entry->host, htons (entry->port), 0,
(strcmp("_tcp", protocol)
? SOCK_DGRAM
: SOCK_STREAM), family);
if (code)
break;
+ if (entry == head) {
+ free(entry->host);
+ free(entry);
+ head = next;
+ entry = 0;
+ }
}
#ifdef TEST
fprintf (stderr, "[end]\n");
#endif
- for (entry = head; entry != NULL; ) {
- free(entry->host);
- entry->host = NULL;
- srv = entry;
- entry = entry->next;
- free(srv);
- srv = NULL;
- }
-
- out:
- if (srv)
- free(srv);
-
+ krb5int_free_srv_dns_data(head);
return code;
}
-#ifdef TEST
-static krb5_error_code
-krb5_locate_srv_dns(const krb5_data *realm,
- const char *service, const char *protocol,
- struct addrlist *al)
-{
- return krb5_locate_srv_dns_1 (realm, service, protocol, al, 0);
-}
-#endif
-#endif /* KRB5_DNS_LOOKUP */
-
/*
* Wrapper function for the two backends
*/
@@ -852,7 +655,8 @@ krb5_locate_kdc(krb5_context context, const krb5_data *realm,
sec_udpport = 0;
}
- return krb5int_locate_server(context, realm, addrlist, get_masters, "kdc",
+ return krb5int_locate_server(context, realm, addrlist, 0,
+ get_masters ? "master_kdc" : "kdc",
(get_masters
? "_kerberos-master"
: "_kerberos"),
diff --git a/src/lib/krb5/os/read_pwd.c b/src/lib/krb5/os/read_pwd.c
index 9023b8e..1bb631c 100644
--- a/src/lib/krb5/os/read_pwd.c
+++ b/src/lib/krb5/os/read_pwd.c
@@ -64,15 +64,12 @@ krb5_read_password(krb5_context context, const char *prompt, const char *prompt2
return ENOMEM;
retval = krb5_prompter_posix(NULL,
NULL,NULL, NULL, 1, &k5prompt);
- if (retval) {
- free(verify_data.data);
- } else {
+ if (retval == 0) {
/* compare */
- if (strncmp(return_pwd, (char *)verify_data.data, *size_return)) {
+ if (strncmp(return_pwd, (char *)verify_data.data, *size_return))
retval = KRB5_LIBOS_BADPWDMATCH;
- free(verify_data.data);
- }
}
+ free(verify_data.data);
}
if (!retval)
*size_return = k5prompt.reply->length;
diff --git a/src/lib/krb5/os/send524.c b/src/lib/krb5/os/send524.c
new file mode 100644
index 0000000..0ca8e93
--- /dev/null
+++ b/src/lib/krb5/os/send524.c
@@ -0,0 +1,111 @@
+/*
+ * Copyright 1990,1991,1997 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * Send a packet to a service and await a reply, using an exponential
+ * backoff retry algorithm. This is based on krb5_sendto_kdc.
+ */
+
+/* Grab socket stuff. This might want to go away later. */
+#define NEED_SOCKETS
+#define NEED_LOWLEVEL_IO
+#include "fake-addrinfo.h" /* for custom addrinfo if needed */
+#include "k5-int.h"
+
+#ifndef _WIN32
+#include <unistd.h>
+#include <sys/time.h>
+#endif
+
+#include <stdlib.h>
+#include <string.h>
+
+#include "os-proto.h"
+
+/*
+ * krb524_sendto_kdc:
+ *
+ * A slightly modified version of krb5_sendto_kdc.
+ *
+ * send the formatted request 'message' to a KDC for realm 'realm' and
+ * return the response (if any) in 'reply'.
+ *
+ * If the message is sent and a response is received, 0 is returned,
+ * otherwise an error code is returned.
+ *
+ * The storage for 'reply' is allocated and should be freed by the caller
+ * when finished.
+ */
+
+krb5_error_code
+krb5int_524_sendto_kdc (context, message, realm, reply, addr, addrlen)
+ krb5_context context;
+ const krb5_data * message;
+ const krb5_data * realm;
+ krb5_data * reply;
+ struct sockaddr *addr;
+ socklen_t *addrlen;
+{
+#if defined(KRB5_KRB4_COMPAT) || defined(_WIN32) /* yuck! */
+ int i;
+ struct addrlist al = ADDRLIST_INIT;
+ struct servent *serv;
+ krb5_error_code retval;
+ int port;
+
+ /*
+ * find KDC location(s) for realm
+ */
+
+ serv = getservbyname(KRB524_SERVICE, "udp");
+ port = serv ? serv->s_port : htons (KRB524_PORT);
+
+ retval = krb5int_locate_server(context, realm, &al, 0,
+ "krb524_server", "_krb524",
+ SOCK_DGRAM, port,
+ 0, PF_INET);
+ if (retval == KRB5_REALM_CANT_RESOLVE || retval == KRB5_REALM_UNKNOWN) {
+ /* Fallback heuristic: Assume krb524 port on every KDC might
+ work. */
+ retval = krb5_locate_kdc(context, realm, &al, 0, SOCK_DGRAM, PF_INET);
+ /*
+ * Bash the ports numbers.
+ */
+ if (retval == 0)
+ for (i = 0; i < al.naddrs; i++) {
+ al.addrs[i]->ai_socktype = SOCK_DGRAM;
+ if (al.addrs[i]->ai_family == AF_INET)
+ sa2sin (al.addrs[i]->ai_addr)->sin_port = port;
+ }
+ }
+ if (retval)
+ return retval;
+ if (al.naddrs == 0)
+ return KRB5_REALM_UNKNOWN;
+
+ retval = krb5int_sendto (context, message, &al, reply, addr, addrlen);
+ krb5int_free_addrlist (&al);
+ return retval;
+#else
+ return KRB524_KRB4_DISABLED;
+#endif
+}
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
index 0f5b9f2..8e0f719 100644
--- a/src/lib/krb5/os/sendto_kdc.c
+++ b/src/lib/krb5/os/sendto_kdc.c
@@ -1073,7 +1073,7 @@ krb5int_sendto (krb5_context context, const krb5_data *message,
egress:
for (i = 0; i < n_conns; i++) {
if (conns[i].fd != INVALID_SOCKET)
- close(conns[i].fd);
+ closesocket(conns[i].fd);
if (conns[i].state == READING
&& conns[i].x.in.buf != 0
&& conns[i].x.in.buf != udpbuf)
diff --git a/src/lib/krb5/os/t_locate_kdc.c b/src/lib/krb5/os/t_locate_kdc.c
index a3d6828..03dac07 100644
--- a/src/lib/krb5/os/t_locate_kdc.c
+++ b/src/lib/krb5/os/t_locate_kdc.c
@@ -117,7 +117,7 @@ int main (int argc, char *argv[])
break;
case LOOKUP_DNS:
- err = krb5_locate_srv_dns (&realm, "_kerberos", "_udp", &al);
+ err = krb5_locate_srv_dns_1 (&realm, "_kerberos", "_udp", &al, 0);
break;
case LOOKUP_WHATEVER:
diff --git a/src/lib/krb5/os/toffset.c b/src/lib/krb5/os/toffset.c
index aad995a..4578f82 100644
--- a/src/lib/krb5/os/toffset.c
+++ b/src/lib/krb5/os/toffset.c
@@ -35,7 +35,7 @@
* between the system time and the "real time" as passed to this
* routine
*/
-krb5_error_code
+krb5_error_code KRB5_CALLCONV
krb5_set_real_time(krb5_context context, krb5_int32 seconds, krb5_int32 microseconds)
{
krb5_os_context os_ctx = context->os_context;
diff --git a/src/lib/krb5/rcache/Makefile.in b/src/lib/krb5/rcache/Makefile.in
index 79b6a28..d67b044 100644
--- a/src/lib/krb5/rcache/Makefile.in
+++ b/src/lib/krb5/rcache/Makefile.in
@@ -49,38 +49,40 @@ clean-unix:: clean-libobjs
#
rc_base.so rc_base.po $(OUTPRE)rc_base.$(OBJEXT): rc_base.c rc_base.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
rc_dfl.so rc_dfl.po $(OUTPRE)rc_dfl.$(OBJEXT): rc_dfl.c rc_base.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h rc_dfl.h rc_io.h
+ rc_dfl.h rc_io.h
rc_io.so rc_io.po $(OUTPRE)rc_io.$(OBJEXT): rc_io.c $(BUILDTOP)/include/krb5.h \
$(COM_ERR_DEPS) rc_base.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/profile.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \
- rc_dfl.h rc_io.h
+ $(SRCTOP)/include/krb5/kdb.h rc_dfl.h rc_io.h
rcdef.so rcdef.po $(OUTPRE)rcdef.$(OBJEXT): rcdef.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h rc_dfl.h
+ rc_dfl.h
rc_conv.so rc_conv.po $(OUTPRE)rc_conv.$(OBJEXT): rc_conv.c rc_base.h $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
ser_rc.so ser_rc.po $(OUTPRE)ser_rc.$(OBJEXT): ser_rc.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
rcfns.so rcfns.po $(OUTPRE)rcfns.$(OBJEXT): rcfns.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/profile.h
+ $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \
+ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h
diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def
index 53172a8..58b4390 100644
--- a/src/lib/krb5_32.def
+++ b/src/lib/krb5_32.def
@@ -36,8 +36,10 @@ EXPORTS
krb5_auth_con_getlocalseqnumber
krb5_auth_con_getlocalsubkey
krb5_auth_con_getrcache ; KRB5_CALLCONV_WRONG
+ krb5_auth_con_getrecvsubkey
krb5_auth_con_getremoteseqnumber
krb5_auth_con_getremotesubkey
+ krb5_auth_con_getsendsubkey
krb5_auth_con_init
krb5_auth_con_initivector ; DEPRECATED
krb5_auth_con_setaddrs ; KRB5_CALLCONV_WRONG
@@ -45,6 +47,8 @@ EXPORTS
krb5_auth_con_setflags
krb5_auth_con_setports
krb5_auth_con_setrcache
+ krb5_auth_con_setrecvsubkey
+ krb5_auth_con_setsendsubkey
krb5_auth_con_setuseruserkey
krb5_build_principal
krb5_build_principal_ext
@@ -63,6 +67,7 @@ EXPORTS
krb5_c_random_make_octets
krb5_c_random_seed
krb5_c_string_to_key
+krb5_c_string_to_key_with_params
krb5_c_valid_cksumtype
krb5_c_valid_enctype
krb5_c_verify_checksum
@@ -153,6 +158,7 @@ EXPORTS
krb5_get_init_creds_opt_set_salt
krb5_get_init_creds_opt_set_tkt_life
krb5_get_init_creds_password
+ krb5_get_permitted_enctypes
krb5_get_prompt_types
krb5_get_renewed_creds
krb5_get_server_rcache
@@ -187,6 +193,7 @@ EXPORTS
krb5_os_localaddr
krb5_parse_name
krb5_principal_compare
+ krb5_principal2salt
krb5_process_key
krb5_prompter_posix
krb5_random_key
@@ -204,7 +211,10 @@ EXPORTS
krb5_sendauth
krb5_set_default_realm
krb5_set_default_tgs_enctypes
+krb5_set_password
+krb5_set_password_using_ccache
krb5_set_principal_realm
+ krb5_set_real_time
krb5_sname_to_principal
krb5_string_to_cksumtype
krb5_string_to_deltat
@@ -224,6 +234,10 @@ EXPORTS
krb5_verify_init_creds_opt_init
krb5_verify_init_creds_opt_set_ap_req_nofail
+ krb5_524_convert_creds
+; Don't add krb524_convert_creds_kdc or krb524_init_ets here;
+; they've never been exported by this library, and are deprecated. -KR
+
krb5int_accessor ; INTERNAL (to end all internals)
; To Add (exported on Mac OS X):
@@ -265,3 +279,4 @@ EXPORTS
krb5_rc_close ; PRIVATE GSSAPI krb5.hin
krb5_free_enc_tkt_part ; PRIVATE GSSAPI krb5.hin
krb5_decrypt_tkt_part ; PRIVATE GSSAPI krb5.hin
+ \ No newline at end of file
diff --git a/src/lib/rpc/ChangeLog b/src/lib/rpc/ChangeLog
index 6534240..279ec8a 100644
--- a/src/lib/rpc/ChangeLog
+++ b/src/lib/rpc/ChangeLog
@@ -1,3 +1,16 @@
+2003-04-23 Ken Raeburn <raeburn@mit.edu>
+
+ * bindresvport.c: Include errno.h.
+ (gssrpc_bindresvport): Don't declare errno.
+ * clnt_tcp.c: Don't declare errno.
+ * svc.c: Don't declare errno. Include errno.h.
+
+2003-03-24 Tom Yu <tlyu@mit.edu>
+
+ * xdr_mem.c (xdrmem_create): Perform some additional size checks.
+ (xdrmem_getlong, xdrmem_putlong, xdrmem_getbytes): Check x_handy
+ prior to decrementing it.
+
2003-01-12 Ezra Peisach <epeisach@bu.edu>
* svc_auth_gssapi.c (_svcauth_gssapi_unset_names): If invoked more
diff --git a/src/lib/rpc/bindresvport.c b/src/lib/rpc/bindresvport.c
index 36b3ed5..28017d6 100644
--- a/src/lib/rpc/bindresvport.c
+++ b/src/lib/rpc/bindresvport.c
@@ -41,6 +41,7 @@ static char sccsid[] = "@(#)bindresvport.c 2.2 88/07/29 4.0 RPCSRC 1.8 88/02/08
#include <sys/socket.h>
#include <netinet/in.h>
#include <gssrpc/rpc.h>
+#include <errno.h>
/*
* Bind a socket to a privileged IP port
@@ -53,7 +54,6 @@ gssrpc_bindresvport(sd, sockin)
int res;
static short port;
struct sockaddr_in myaddr;
- extern int errno;
int i;
#define STARTPORT 600
diff --git a/src/lib/rpc/clnt_tcp.c b/src/lib/rpc/clnt_tcp.c
index abadf33..9906bca 100644
--- a/src/lib/rpc/clnt_tcp.c
+++ b/src/lib/rpc/clnt_tcp.c
@@ -60,8 +60,6 @@ static char sccsid[] = "@(#)clnt_tcp.c 1.37 87/10/05 Copyr 1984 Sun Micro";
#define MCALL_MSG_SIZE 24
-extern int errno;
-
static enum clnt_stat clnttcp_call(CLIENT *, rpc_u_int32, xdrproc_t, void *,
xdrproc_t, void *, struct timeval);
static void clnttcp_abort(CLIENT *);
diff --git a/src/lib/rpc/svc.c b/src/lib/rpc/svc.c
index 7429acd..9026815 100644
--- a/src/lib/rpc/svc.c
+++ b/src/lib/rpc/svc.c
@@ -46,8 +46,7 @@ static char sccsid[] = "@(#)svc.c 1.41 87/10/13 Copyr 1984 Sun Micro";
#include <gssrpc/pmap_clnt.h>
#include <stdio.h>
#include <string.h>
-
-extern int errno;
+#include <errno.h>
#ifdef FD_SETSIZE
static SVCXPRT **xports;
diff --git a/src/lib/rpc/xdr_mem.c b/src/lib/rpc/xdr_mem.c
index 18265da..58e2d82 100644
--- a/src/lib/rpc/xdr_mem.c
+++ b/src/lib/rpc/xdr_mem.c
@@ -48,6 +48,7 @@ static char sccsid[] = "@(#)xdr_mem.c 1.19 87/08/11 Copyr 1984 Sun Micro";
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
+#include <limits.h>
static bool_t xdrmem_getlong(XDR *, long *);
static bool_t xdrmem_putlong(XDR *, long *);
@@ -84,7 +85,7 @@ xdrmem_create(xdrs, addr, size, op)
xdrs->x_op = op;
xdrs->x_ops = &xdrmem_ops;
xdrs->x_private = xdrs->x_base = addr;
- xdrs->x_handy = size;
+ xdrs->x_handy = (size > INT_MAX) ? INT_MAX : size; /* XXX */
}
static void
@@ -99,8 +100,10 @@ xdrmem_getlong(xdrs, lp)
long *lp;
{
- if ((xdrs->x_handy -= sizeof(rpc_int32)) < 0)
+ if (xdrs->x_handy < sizeof(rpc_int32))
return (FALSE);
+ else
+ xdrs->x_handy -= sizeof(rpc_int32);
*lp = (long)ntohl(*((rpc_u_int32 *)(xdrs->x_private)));
xdrs->x_private = (char *)xdrs->x_private + sizeof(rpc_int32);
return (TRUE);
@@ -112,8 +115,10 @@ xdrmem_putlong(xdrs, lp)
long *lp;
{
- if ((xdrs->x_handy -= sizeof(rpc_int32)) < 0)
+ if (xdrs->x_handy < sizeof(rpc_int32))
return (FALSE);
+ else
+ xdrs->x_handy -= sizeof(rpc_int32);
*(rpc_int32 *)xdrs->x_private = (rpc_int32)htonl((rpc_u_int32)(*lp));
xdrs->x_private = (char *)xdrs->x_private + sizeof(rpc_int32);
return (TRUE);
@@ -126,8 +131,10 @@ xdrmem_getbytes(xdrs, addr, len)
register unsigned int len;
{
- if ((xdrs->x_handy -= len) < 0)
+ if (xdrs->x_handy < len)
return (FALSE);
+ else
+ xdrs->x_handy -= len;
memmove(addr, xdrs->x_private, len);
xdrs->x_private = (char *)xdrs->x_private + len;
return (TRUE);
@@ -140,8 +147,10 @@ xdrmem_putbytes(xdrs, addr, len)
register unsigned int len;
{
- if ((xdrs->x_handy -= len) < 0)
+ if (xdrs->x_handy < len)
return (FALSE);
+ else
+ xdrs->x_handy -= len;
memmove(xdrs->x_private, addr, len);
xdrs->x_private = (char *)xdrs->x_private + len;
return (TRUE);
@@ -180,7 +189,7 @@ xdrmem_inline(xdrs, len)
{
rpc_int32 *buf = 0;
- if (xdrs->x_handy >= len) {
+ if (len >= 0 && xdrs->x_handy >= len) {
xdrs->x_handy -= len;
buf = (rpc_int32 *) xdrs->x_private;
xdrs->x_private = (char *)xdrs->x_private + len;
generated by cgit v1.1 at 2024-09-08 17:05:40 +0000