diff options
Diffstat (limited to 'src/lib')
59 files changed, 756 insertions, 509 deletions
diff --git a/src/lib/crypto/crc32/crc.c b/src/lib/crypto/crc32/crc.c index be63e00..d553019 100644 --- a/src/lib/crypto/crc32/crc.c +++ b/src/lib/crypto/crc32/crc.c @@ -149,13 +149,6 @@ krb5_checksum *outcksum; register int idx; int i; - data = (u_char *)seed; - for (i=0; i<seed_length;i++) { - idx = (data[i] ^ c); - idx &= 0xff; - c >>= 8; - c ^= crc_table[idx]; - } data = (u_char *)in; for (i=0; i<in_length;i++) { idx = (data[i] ^ c); @@ -177,4 +170,6 @@ krb5_checksum *outcksum; krb5_checksum_entry crc32_cksumtable_entry = { crc32_sum_func, CRC32_CKSUM_LENGTH, /* CRC-32 is 4 octets */ + 0, /* not collision proof */ + 0, /* doesn't use key */ }; diff --git a/src/lib/crypto/des/des_int.h b/src/lib/crypto/des/des_int.h index 09fb53a..911ca29 100644 --- a/src/lib/crypto/des/des_int.h +++ b/src/lib/crypto/des/des_int.h @@ -160,7 +160,7 @@ extern krb5_error_code mit_des_random_key /* string2key.c */ extern krb5_error_code mit_des_string_to_key PROTOTYPE((const krb5_keytype, krb5_keyblock *, const krb5_data *, - krb5_const_principal )); + const krb5_data *)); /* weak_key.c */ extern int mit_des_is_weak_key PROTOTYPE((mit_des_cblock )); diff --git a/src/lib/crypto/des/new_rn_key.c b/src/lib/crypto/des/new_rn_key.c index 3e72740..e0fd7b9 100644 --- a/src/lib/crypto/des/new_rn_key.c +++ b/src/lib/crypto/des/new_rn_key.c @@ -78,7 +78,6 @@ void mit_des_init_random_number_generator(key,p_seed) krb5_int32 seconds; krb5_int32 microseconds; } timenow; - krb5_ui_2 msec; mit_des_cblock new_key; krb5_address **addrs; @@ -120,8 +119,8 @@ void mit_des_init_random_number_generator(key,p_seed) * use a time stamp to ensure that a server started later does not reuse * an old stream: */ - (void) krb5_ms_timeofday(&timenow.seconds, &msec); /* XXX return value */ - timenow.microseconds = msec * 1000; + (void) krb5_us_timeofday(&timenow.seconds, + &timenow.microseconds); /* XXX return value */ mit_des_set_sequence_number((unsigned char *)&timenow, p_seed); /* diff --git a/src/lib/crypto/des/string2key.c b/src/lib/crypto/des/string2key.c index d505aed..d21443a 100644 --- a/src/lib/crypto/des/string2key.c +++ b/src/lib/crypto/des/string2key.c @@ -34,7 +34,7 @@ extern int des_debug; It is the responsibility of the caller to release this storage when the generated key no longer needed. - The routine may use "princ" to seed or alter the conversion + The routine may use "salt" to seed or alter the conversion algorithm. If the particular function called does not know how to make a @@ -46,11 +46,11 @@ extern int des_debug; krb5_error_code mit_des_string_to_key (DECLARG(const krb5_keytype, keytype), DECLARG(krb5_keyblock *,keyblock), DECLARG(const krb5_data *,data), - DECLARG(krb5_const_principal, princ)) + DECLARG(const krb5_data *, salt)) OLDDECLARG(const krb5_keytype, keytype) OLDDECLARG(krb5_keyblock *,keyblock) OLDDECLARG(const krb5_data *,data) -OLDDECLARG(krb5_const_principal, princ) +OLDDECLARG(const krb5_data *, salt) { char copystr[512]; @@ -81,15 +81,13 @@ OLDDECLARG(krb5_const_principal, princ) keyblock->length = sizeof(mit_des_cblock); key = keyblock->contents; + /* XXX todo: make it work in face of embedded NUL's */ memset(copystr, 0, sizeof(copystr)); j = min(data->length, 511); (void) strncpy(copystr, data->data, j); - if ( princ != 0 ) - for (i=0; princ[i] != 0 && j < 511; i++) { - (void) strncpy(copystr+j, princ[i]->data, - min(princ[i]->length, 511-j)); - j += min(princ[i]->length, 511-j); - } + if (salt) { + strncpy (copystr + j, salt->data, min(salt->length, 511-j)); + } /* convert copystr to des key */ forward = 1; diff --git a/src/lib/crypto/md4/md4glue.c b/src/lib/crypto/md4/md4glue.c index 5104d50..51f2a29 100644 --- a/src/lib/crypto/md4/md4glue.c +++ b/src/lib/crypto/md4/md4glue.c @@ -58,4 +58,6 @@ krb5_checksum *outcksum; krb5_checksum_entry crc32_cksumtable_entry = { md4_sum_func, RSA_MD4_CKSUM_LENGTH, /* CRC-32 is 4 octets */ + 1, /* is collision proof */ + 0, /* doesn't use key */ }; diff --git a/src/lib/kdb/fetch_mkey.c b/src/lib/kdb/fetch_mkey.c index fa14564..ec0bb27 100644 --- a/src/lib/kdb/fetch_mkey.c +++ b/src/lib/kdb/fetch_mkey.c @@ -67,6 +67,8 @@ OLDDECLARG(krb5_keyblock *,key) if (fromkeyboard) { + krb5_data scratch; + if (retval = krb5_read_password(krb5_mkey_pwd_prompt1, twice ? krb5_mkey_pwd_prompt2 : 0, password, @@ -75,7 +77,10 @@ OLDDECLARG(krb5_keyblock *,key) pwd.data = password; pwd.length = size; - retval = krb5_string_to_key(eblock, key->keytype, key, &pwd, mname); + if (retval = krb5_principal2salt(mname, &scratch)) + return retval; + retval = krb5_string_to_key(eblock, key->keytype, key, &pwd, &scratch); + xfree(scratch.data); memset(password, 0, sizeof(password)); /* erase it */ return retval; diff --git a/src/lib/krb425/get_cred.c b/src/lib/krb425/get_cred.c index 03fef28..a97209e 100644 --- a/src/lib/krb425/get_cred.c +++ b/src/lib/krb425/get_cred.c @@ -86,12 +86,13 @@ CREDENTIALS *c; set_string(c->instance, REALM_SZ, creds.server[2]); c->ticket_st.length = creds.ticket.length; - memcpy(c->ticket_st.dat, - creds.ticket.data, + memcpy((char *)c->ticket_st.dat, + (char *)creds.ticket.data, min(c->ticket_st.length, MAX_KTXT_LEN)); c->ticket_st.mbz = 0; - memcpy((char*)c->session, creds.keyblock.contents, sizeof(C_Block)); + memcpy((char*)c->session, (char *)creds.keyblock.contents, + sizeof(C_Block)); c->issue_date = creds.times.starttime; c->lifetime = creds.times.endtime; diff --git a/src/lib/krb425/mk_priv.c b/src/lib/krb425/mk_priv.c index 84372c8..d360056 100644 --- a/src/lib/krb425/mk_priv.c +++ b/src/lib/krb425/mk_priv.c @@ -31,8 +31,6 @@ struct sockaddr_in *receiver; krb5_data inbuf; krb5_data out5; krb5_keyblock keyb; - krb5_fulladdr sfaddr; - krb5_fulladdr rfaddr; krb5_address saddr; krb5_address raddr; krb5_error_code r; @@ -53,19 +51,15 @@ struct sockaddr_in *receiver; memcpy(sa, (char *)&sender->sin_addr, 4); memcpy(ra, (char *)&receiver->sin_addr, 4); - sfaddr.address = &saddr; - sfaddr.port = sender->sin_port; - - rfaddr.address = &raddr; - rfaddr.port = receiver->sin_port; - inbuf.data = (char *)in; inbuf.length = in_length; if (r = krb5_mk_priv(&inbuf, KEYTYPE_DES, &keyb, - &sfaddr, &rfaddr, + &saddr, &raddr, + 0, /* no sequence number */ + 0, /* default flags (none) */ 0, &out5)) { #ifdef EBUG ERROR(r); @@ -73,7 +67,7 @@ struct sockaddr_in *receiver; return(-1); } - memcpy(out, out5.data, out5.length); + memcpy((char *)out, out5.data, out5.length); free(out5.data); return(out5.length); } diff --git a/src/lib/krb425/mk_safe.c b/src/lib/krb425/mk_safe.c index 77eeca7..28d6407 100644 --- a/src/lib/krb425/mk_safe.c +++ b/src/lib/krb425/mk_safe.c @@ -30,8 +30,6 @@ struct sockaddr_in *receiver; krb5_data inbuf; krb5_data out5; krb5_keyblock keyb; - krb5_fulladdr sfaddr; - krb5_fulladdr rfaddr; krb5_address saddr; krb5_address raddr; krb5_error_code r; @@ -52,19 +50,15 @@ struct sockaddr_in *receiver; memcpy(sa, (char *)&sender->sin_addr, 4); memcpy(ra, (char *)&receiver->sin_addr, 4); - sfaddr.address = &saddr; - sfaddr.port = sender->sin_port; - - rfaddr.address = &raddr; - rfaddr.port = receiver->sin_port; - inbuf.data = (char *)in; inbuf.length = in_length; if (r = krb5_mk_safe(&inbuf, CKSUMTYPE_CRC32, &keyb, - &sfaddr, &rfaddr, + &saddr, &raddr, + 0, /* no sequence number */ + 0, /* default flags (none) */ &out5)) { #ifdef EBUG ERROR(r); @@ -72,7 +66,7 @@ struct sockaddr_in *receiver; return(-1); } - memcpy(out, out5.data, out5.length); + memcpy((char *)out, out5.data, out5.length); free(out5.data); return(out5.length); } diff --git a/src/lib/krb425/rd_priv.c b/src/lib/krb425/rd_priv.c index 0b4af57..7aef5f6 100644 --- a/src/lib/krb425/rd_priv.c +++ b/src/lib/krb425/rd_priv.c @@ -31,8 +31,6 @@ MSG_DAT *msg; krb5_data inbuf; krb5_data out; krb5_keyblock keyb; - krb5_fulladdr sfaddr; - krb5_fulladdr rfaddr; krb5_address saddr; krb5_address raddr; krb5_error_code r; @@ -53,16 +51,10 @@ MSG_DAT *msg; memcpy(sa, (char *)&sender->sin_addr, 4); memcpy(ra, (char *)&receiver->sin_addr, 4); - sfaddr.address = &saddr; - sfaddr.port = sender->sin_port; - - rfaddr.address = &raddr; - rfaddr.port = receiver->sin_port; - inbuf.data = (char *)in; inbuf.length = in_length; - if (r = krb5_rd_priv(&inbuf, &keyb, &sfaddr, &rfaddr, 0, &out)) { + if (r = krb5_rd_priv(&inbuf, &keyb, &saddr, &raddr, 0, 0, 0, &out)) { #ifdef EBUG ERROR(r) #endif diff --git a/src/lib/krb425/rd_req.c b/src/lib/krb425/rd_req.c index 05b949d..f34156b 100644 --- a/src/lib/krb425/rd_req.c +++ b/src/lib/krb425/rd_req.c @@ -144,7 +144,7 @@ char *fn; goto out; } else memcpy((char*)ad->session, - authd.ticket->enc_part2->session->contents, + (char*)authd.ticket->enc_part2->session->contents, sizeof(C_Block)); ad->life = authd.ticket->enc_part2->times.endtime; @@ -155,14 +155,14 @@ char *fn; r = KFAILURE; goto out; } else - memcpy((char *)&ad->address + sizeof(ad->address) - 4, - authd.ticket->enc_part2->caddrs[0]->contents, 4); + memcpy((char*)&ad->address + sizeof(ad->address) - 4, + (char*)authd.ticket->enc_part2->caddrs[0]->contents, 4); if (authd.ticket->enc_part2->authorization_data && authd.ticket->enc_part2->authorization_data[0]) { ad->reply.length = authd.ticket->enc_part2->authorization_data[0]->length; - memcpy(ad->reply.dat, - authd.ticket->enc_part2->authorization_data[0]->contents, + memcpy((char*)ad->reply.dat, + (char*)authd.ticket->enc_part2->authorization_data[0]->contents, min(ad->reply.length, MAX_KTXT_LEN)); ad->reply.mbz = 0; } diff --git a/src/lib/krb425/rd_safe.c b/src/lib/krb425/rd_safe.c index 9b50aab..394a11b 100644 --- a/src/lib/krb425/rd_safe.c +++ b/src/lib/krb425/rd_safe.c @@ -30,8 +30,6 @@ MSG_DAT *msg; krb5_data inbuf; krb5_data out; krb5_keyblock keyb; - krb5_fulladdr sfaddr; - krb5_fulladdr rfaddr; krb5_address saddr; krb5_address raddr; krb5_error_code r; @@ -52,16 +50,10 @@ MSG_DAT *msg; memcpy(sa, (char *)&sender->sin_addr, 4); memcpy(ra, (char *)&receiver->sin_addr, 4); - sfaddr.address = &saddr; - sfaddr.port = sender->sin_port; - - rfaddr.address = &raddr; - rfaddr.port = receiver->sin_port; - inbuf.data = (char *)in; inbuf.length = in_length; - if (r = krb5_rd_safe(&inbuf, &keyb, &sfaddr, &rfaddr, &out)) { + if (r = krb5_rd_safe(&inbuf, &keyb, &saddr, &raddr, 0, 0, &out)) { #ifdef EBUG ERROR(r) #endif diff --git a/src/lib/krb425/set_key.c b/src/lib/krb425/set_key.c index 4589f7b..a25d1a0 100644 --- a/src/lib/krb425/set_key.c +++ b/src/lib/krb425/set_key.c @@ -36,7 +36,7 @@ int cvt; } keyblock.length = 8; keyblock.keytype = KEYTYPE_DES; - memcpy(keyblock.contents, key, 8); + memcpy((char *)keyblock.contents, (char *)key, 8); } return(KSUCCESS); } diff --git a/src/lib/krb5/asn.1/Imakefile b/src/lib/krb5/asn.1/Imakefile index 4c60c28..8e6df21 100644 --- a/src/lib/krb5/asn.1/Imakefile +++ b/src/lib/krb5/asn.1/Imakefile @@ -54,19 +54,23 @@ SRCS= \ kkdcr2kdcr.c \ kkey2enck.c \ klsrq2lsrq.c \ + kpadt2padt.c \ kprep2prep.c \ kprin2prin.c \ kpriv2priv.c \ ksafe2safe.c \ + ktran2tran.c \ ktgrq2tgrq.c \ ktgsr2kdcr.c \ ktkt2tkt.c \ lsrq2klsrq.c \ + padt2kpadt.c \ prep2kprep.c \ prin2kprin.c \ priv2kpriv.c \ qbuf2data.c \ safe2ksafe.c \ + tran2ktran.c \ tgrq2ktgrq.c \ tkt2ktkt.c \ u2gen.c @@ -113,19 +117,23 @@ OBJS= \ kkdcr2kdcr.o \ kkey2enck.o \ klsrq2lsrq.o \ + kpadt2padt.o \ kprep2prep.o \ kprin2prin.o \ kpriv2priv.o \ ksafe2safe.o \ + ktran2tran.o \ ktgrq2tgrq.o \ ktgsr2kdcr.o \ ktkt2tkt.o \ lsrq2klsrq.o \ + padt2kpadt.o \ prep2kprep.o \ prin2kprin.o \ priv2kpriv.o \ qbuf2data.o \ safe2ksafe.o \ + tran2ktran.o \ tgrq2ktgrq.o \ tkt2ktkt.o \ u2gen.o diff --git a/src/lib/krb5/asn.1/KRB5-asn.py b/src/lib/krb5/asn.1/KRB5-asn.py index 93ebaa7..c0fc1a4 100644 --- a/src/lib/krb5/asn.1/KRB5-asn.py +++ b/src/lib/krb5/asn.1/KRB5-asn.py @@ -18,52 +18,19 @@ BEGIN Realm ::= GeneralString PrincipalName ::= SEQUENCE OF GeneralString --- Message types from protocol spec - --- Some predefined integer values for certain types of fields -MessageType ::= INTEGER { - ticket(1), -- XXX RFC draft 3 uses illegal leading capitals - authenticator(2), - asReq(10), - asRep(11), - tgsReq(12), - tgsRep(13), - apReq(14), - apRep(15), - safe(20), - priv(21), - error(30) -} - -AddressType ::= INTEGER { - internet(2), - chaosnet(5), - iso(7), - xns(6), - appletalk-ddp(16) -} - --- XXX missing from RFC Draft 3 HostAddress ::= SEQUENCE { - addr-type[0] INTEGER, -- AddressType + addr-type[0] INTEGER, address[1] OCTET STRING } HostAddresses ::= SEQUENCE OF SEQUENCE { - addr-type[0] INTEGER, -- AddressType + addr-type[0] INTEGER, address[1] OCTET STRING } -AdType ::= BIT STRING -- { - - AuthorizationData Type --- reserved(0), --- external(1), --- registered(2), --- field-type(3-15) - - XXX ---} - AuthorizationData ::= SEQUENCE OF SEQUENCE { - ad-type[0] INTEGER, -- XXX RFC says AdType, should be a 16-bit integer - ad-data[1] GeneralString + ad-type[0] INTEGER, + ad-data[1] OCTET STRING } KDCOptions ::= BIT STRING { @@ -77,22 +44,15 @@ KDCOptions ::= BIT STRING { unused7(7), renewable(8), unused9(9), - duplicate-skey(10), renewable-ok(27), enc-tkt-in-skey(28), - reuse-skey(29), renew(30), validate(31) } -LastReqType ::= BIT STRING --{ --- this-server-only(0), --- interpretation(1-7) - - XXX ---} - LastReq ::= SEQUENCE OF SEQUENCE { - lr-type[0] INTEGER, -- LastReqType - lr-value[1] KerberosTime -- XXX RFC draft 3 has trailing , + lr-type[0] INTEGER, + lr-value[1] KerberosTime } KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z) @@ -104,16 +64,20 @@ Ticket ::= [APPLICATION 1] SEQUENCE { enc-part[3] EncryptedData -- EncTicketPart } +TransitedEncoding ::= SEQUENCE { + tr-type[0] INTEGER, -- Only supported value is 1 == DOMAIN-COMPRESS + contents[1] OCTET STRING +} + -- Encrypted part of ticket --- XXX needs an [APPLICATION x] -EncTicketPart ::= SEQUENCE { +EncTicketPart ::= [APPLICATION 3] SEQUENCE { flags[0] TicketFlags, key[1] EncryptionKey, crealm[2] Realm, cname[3] PrincipalName, - transited[4] GeneralString, + transited[4] TransitedEncoding, authtime[5] KerberosTime, - starttime[6] KerberosTime, + starttime[6] KerberosTime OPTIONAL, endtime[7] KerberosTime, renew-till[8] KerberosTime OPTIONAL, caddr[9] HostAddresses, @@ -122,17 +86,16 @@ EncTicketPart ::= SEQUENCE { -- Unencrypted authenticator Authenticator ::= [APPLICATION 2] SEQUENCE { - authenticator-vno[0] AuthenticatorVersion, + authenticator-vno[0] INTEGER, crealm[1] Realm, cname[2] PrincipalName, - cksum[3] Checksum, - cmsec[4] INTEGER, - ctime[5] KerberosTime + cksum[3] Checksum OPTIONAL, + cusec[4] INTEGER, + ctime[5] KerberosTime, + subkey[6] EncryptionKey OPTIONAL, + seq-number[7] INTEGER OPTIONAL } -AuthenticatorVersion ::= INTEGER {krb5(5)} - --- XXX missing from RFC Draft 3 TicketFlags ::= BIT STRING { reserved(0), forwardable(1), @@ -143,31 +106,31 @@ TicketFlags ::= BIT STRING { postdated(6), invalid(7), renewable(8), - initial(9), - duplicate-skey(10) + initial(9) } --- XXX RFC Draft 3 needs "ClientName" changed to "PrincipalName" -- the following two sequences MUST be the same except for the -- APPLICATION identifier AS-REQ ::= [APPLICATION 10] SEQUENCE { pvno[1] INTEGER, msg-type[2] INTEGER, - padata-type[3] INTEGER, - padata[4] OCTET STRING OPTIONAL, -- encoded AP-REQ XXX optional - req-body[5] KDC-REQ-BODY + padata[3] PA-DATA OPTIONAL, + req-body[4] KDC-REQ-BODY } TGS-REQ ::= [APPLICATION 12] SEQUENCE { pvno[1] INTEGER, msg-type[2] INTEGER, - padata-type[3] INTEGER, - padata[4] OCTET STRING, -- encoded AP-REQ - req-body[5] KDC-REQ-BODY + padata[3] PA-DATA OPTIONAL, -- encoded AP-REQ, not optional + req-body[4] KDC-REQ-BODY } -- the preceding two sequences MUST be the same except for the -- APPLICATION identifier --- XXX this needs to feed back into the draft. +PA-DATA ::= SEQUENCE OF SEQUENCE { + padata-type[1] INTEGER, + pa-data[2] OCTET STRING -- might be encoded AP-REQ +} + KDC-REQ-BODY ::= SEQUENCE { kdc-options[0] KDCOptions, cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ @@ -176,31 +139,32 @@ KDC-REQ-BODY ::= SEQUENCE { from[4] KerberosTime OPTIONAL, till[5] KerberosTime, rtime[6] KerberosTime OPTIONAL, - ctime[7] KerberosTime, - nonce[8] INTEGER, - etype[9] INTEGER, -- EncryptionType - addresses[10] HostAddresses OPTIONAL, - authorization-data[11] AuthorizationData OPTIONAL, - additional-tickets[12] SEQUENCE OF Ticket OPTIONAL + nonce[7] INTEGER, + etype[8] SEQUENCE OF INTEGER, -- EncryptionType, in preference order + addresses[9] HostAddresses OPTIONAL, + authorization-data[10] EncryptedData OPTIONAL, -- AuthorizationData + additional-tickets[11] SEQUENCE OF Ticket OPTIONAL } -- the following two sequences MUST be the same except for the -- APPLICATION identifier AS-REP ::= [APPLICATION 11] SEQUENCE { pvno[0] INTEGER, - msg-type[1] INTEGER, -- MessageType - crealm[2] Realm, - cname[3] PrincipalName, - ticket[4] Ticket, -- Ticket - enc-part[5] EncryptedData -- EncKDCRepPart + msg-type[1] INTEGER, + padata[2] PA-DATA OPTIONAL, + crealm[3] Realm, + cname[4] PrincipalName, + ticket[5] Ticket, -- Ticket + enc-part[6] EncryptedData -- EncKDCRepPart } TGS-REP ::= [APPLICATION 13] SEQUENCE { pvno[0] INTEGER, - msg-type[1] INTEGER, -- MessageType - crealm[2] Realm, - cname[3] PrincipalName, - ticket[4] Ticket, -- Ticket - enc-part[5] EncryptedData -- EncKDCRepPart + msg-type[1] INTEGER, + padata[2] PA-DATA OPTIONAL, + crealm[3] Realm, + cname[4] PrincipalName, + ticket[5] Ticket, -- Ticket + enc-part[6] EncryptedData -- EncKDCRepPart } -- the preceding two sequences MUST be the same except for the -- APPLICATION identifier @@ -217,9 +181,9 @@ EncASRepPart ::= [APPLICATION 25] SEQUENCE { starttime[6] KerberosTime OPTIONAL, endtime[7] KerberosTime, renew-till[8] KerberosTime OPTIONAL, - realm[9] Realm, -- XXX should be srealm + srealm[9] Realm, sname[10] PrincipalName, - caddr[11] HostAddresses + caddr[11] HostAddresses OPTIONAL } EncTGSRepPart ::= [APPLICATION 26] SEQUENCE { key[0] EncryptionKey, @@ -231,9 +195,9 @@ EncTGSRepPart ::= [APPLICATION 26] SEQUENCE { starttime[6] KerberosTime OPTIONAL, endtime[7] KerberosTime, renew-till[8] KerberosTime OPTIONAL, - realm[9] Realm, -- XXX should be srealm + srealm[9] Realm, sname[10] PrincipalName, - caddr[11] HostAddresses + caddr[11] HostAddresses OPTIONAL } -- the preceding two sequences MUST be the same except for the -- APPLICATION identifier @@ -246,7 +210,6 @@ AP-REQ ::= [APPLICATION 14] SEQUENCE { authenticator[4] EncryptedData -- Authenticator } --- XXX These appear twice in the draft 3 RFC APOptions ::= BIT STRING { reserved(0), use-session-key(1), @@ -261,18 +224,25 @@ AP-REP ::= [APPLICATION 15] SEQUENCE { EncAPRepPart ::= [APPLICATION 27] SEQUENCE { ctime[0] KerberosTime, - cmsec[1] INTEGER + cusec[1] INTEGER, + subkey[2] EncryptionKey OPTIONAL, + seq-number[3] INTEGER OPTIONAL } KRB-SAFE ::= [APPLICATION 20] SEQUENCE { pvno[0] INTEGER, msg-type[1] INTEGER, - user-data[2] OCTET STRING, - timestamp[3] KerberosTime, - msec[4] INTEGER, - s-address[5] HostAddress, -- sender's addr - r-address[6] HostAddress, -- recip's addr - cksum[7] Checksum + safe-body[2] KRB-SAFE-BODY, + cksum[3] Checksum +} + +KRB-SAFE-BODY ::= SEQUENCE { + user-data[0] OCTET STRING, + timestamp[1] KerberosTime OPTIONAL, + usec[2] INTEGER OPTIONAL, + seq-number[3] INTEGER OPTIONAL, + s-address[4] HostAddress, -- sender's addr + r-address[5] HostAddress OPTIONAL -- recip's addr } KRB-PRIV ::= [APPLICATION 21] SEQUENCE { @@ -283,25 +253,26 @@ KRB-PRIV ::= [APPLICATION 21] SEQUENCE { EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE { user-data[0] OCTET STRING, - timestamp[1] KerberosTime, - msec[2] INTEGER, - s-address[3] HostAddress, -- sender's addr - r-address[4] HostAddress -- recip's addr + timestamp[1] KerberosTime OPTIONAL, + usec[2] INTEGER OPTIONAL, + seq-number[3] INTEGER OPTIONAL, + s-address[4] HostAddress, -- sender's addr + r-address[5] HostAddress OPTIONAL -- recip's addr } KRB-ERROR ::= [APPLICATION 30] SEQUENCE { pvno[0] INTEGER, msg-type[1] INTEGER, ctime[2] KerberosTime OPTIONAL, - cmsec[3] INTEGER OPTIONAL, + cusec[3] INTEGER OPTIONAL, stime[4] KerberosTime, - smsec[5] INTEGER, + susec[5] INTEGER, error-code[6] INTEGER, crealm[7] Realm OPTIONAL, cname[8] PrincipalName OPTIONAL, realm[9] Realm, -- Correct realm sname[10] PrincipalName, -- Correct name - e-text[11] GeneralString OPTIONAL, -- XXX should be optional + e-text[11] GeneralString OPTIONAL, e-data[12] OCTET STRING OPTIONAL } @@ -311,34 +282,18 @@ EncryptedData ::= SEQUENCE { cipher[2] OCTET STRING -- CipherText } -EncryptionType ::= INTEGER { - null(0), - des-cbc-crc(1), - lucifer-cbc-crc(2) -} - EncryptionKey ::= SEQUENCE { - keytype[0] INTEGER, -- KeyType + keytype[0] INTEGER, keyvalue[1] OCTET STRING } -KeyType ::= INTEGER { - null(0), - des(1), - lucifer(2) -} - Checksum ::= SEQUENCE { - cksumtype[0] INTEGER, -- ChecksumType + cksumtype[0] INTEGER, checksum[1] OCTET STRING } -ChecksumType ::= INTEGER { - crc32(1), - rsa-md4(2), - rsa-md4-des(3), - snefru(4), - des-mac(5) +METHOD-DATA ::= SEQUENCE { + method-type[0] INTEGER, + method-data[1] OCTET STRING OPTIONAL } - END diff --git a/src/lib/krb5/asn.1/arep2karep.c b/src/lib/krb5/asn.1/arep2karep.c index e37e0e6..6f659a4 100644 --- a/src/lib/krb5/asn.1/arep2karep.c +++ b/src/lib/krb5/asn.1/arep2karep.c @@ -39,15 +39,25 @@ register int *error; *error = ENOMEM; return(0); } - /* xbzero not needed, since structure is simple */ - /* xbzero(retval, sizeof(*retval)); */ + xbzero(retval, sizeof(*retval)); retval->ctime = gentime2unix(val->ctime, error); if (*error) { xfree(retval); return(0); } - retval->cmsec = val->cmsec; + retval->cusec = val->cusec; + + if (val->subkey) { + retval->subkey = KRB5_EncryptionKey2krb5_keyblock(val->subkey, + error); + if (!retval->subkey) { + krb5_free_ap_rep_enc_part(retval); + return 0; + } + } + if (val->optionals & opt_KRB5_EncAPRepPart_seq__number) + retval->seq_number = val->seq__number; return(retval); } diff --git a/src/lib/krb5/asn.1/auth2kauth.c b/src/lib/krb5/asn.1/auth2kauth.c index 56a8b63..40a3421 100644 --- a/src/lib/krb5/asn.1/auth2kauth.c +++ b/src/lib/krb5/asn.1/auth2kauth.c @@ -49,17 +49,21 @@ register int *error; xfree(retval); return(0); } - - retval->checksum = KRB5_Checksum2krb5_checksum(val->cksum, error); - if (!retval->checksum) { - krb5_free_authenticator(retval); - return(0); + if (val->cksum) { + retval->checksum = KRB5_Checksum2krb5_checksum(val->cksum, error); + if (!retval->checksum) { + krb5_free_authenticator(retval); + return(0); + } } - retval->cmsec = val->cmsec; + retval->cusec = val->cusec; retval->ctime = gentime2unix(val->ctime, error); if (*error) { krb5_free_authenticator(retval); return(0); } + if (val->optionals & opt_KRB5_Authenticator_seq__number) { + retval->seq_number = val->seq__number; + } return(retval); } diff --git a/src/lib/krb5/asn.1/ekrp2kekrp.c b/src/lib/krb5/asn.1/ekrp2kekrp.c index 0e41b7c..7c1f054 100644 --- a/src/lib/krb5/asn.1/ekrp2kekrp.c +++ b/src/lib/krb5/asn.1/ekrp2kekrp.c @@ -84,14 +84,16 @@ register int *error; } } retval->server = KRB5_PrincipalName2krb5_principal(val->sname, - val->realm, + val->srealm, error); if (!retval->server) { goto errout; } - retval->caddrs = KRB5_HostAddresses2krb5_address(val->caddr, error); - if (!retval->caddrs) { - goto errout; + if (val->caddr) { + retval->caddrs = KRB5_HostAddresses2krb5_address(val->caddr, error); + if (!retval->caddrs) { + goto errout; + } } return(retval); } diff --git a/src/lib/krb5/asn.1/err2kerr.c b/src/lib/krb5/asn.1/err2kerr.c index f25f65e..f8fc942 100644 --- a/src/lib/krb5/asn.1/err2kerr.c +++ b/src/lib/krb5/asn.1/err2kerr.c @@ -51,16 +51,16 @@ register int *error; return(0); } } - if (val->optionals & opt_KRB5_KRB__ERROR_cmsec) - retval->cmsec = val->cmsec; + if (val->optionals & opt_KRB5_KRB__ERROR_cusec) + retval->cusec = val->cusec; else - retval->cmsec = 0; + retval->cusec = 0; retval->stime = gentime2unix(val->stime, error); if (*error) { goto errout; } - retval->smsec = val->smsec; + retval->susec = val->susec; retval->error = val->error__code; if (val->crealm && val->cname) { retval->client = KRB5_PrincipalName2krb5_principal(val->cname, diff --git a/src/lib/krb5/asn.1/etpt2ketpt.c b/src/lib/krb5/asn.1/etpt2ketpt.c index 3b23cdb..6a9ca03 100644 --- a/src/lib/krb5/asn.1/etpt2ketpt.c +++ b/src/lib/krb5/asn.1/etpt2ketpt.c @@ -33,7 +33,7 @@ const register struct type_KRB5_EncTicketPart *val; register int *error; { register krb5_enc_tkt_part *retval; - krb5_data *temp; + krb5_transited *temp; retval = (krb5_enc_tkt_part *)xmalloc(sizeof(*retval)); if (!retval) { @@ -61,7 +61,8 @@ register int *error; if (!retval->client) { goto errout; } - temp = qbuf2krb5_data(val->transited, error); + + temp = KRB5_TransitedEncoding2krb5_transited(val->transited, error); if (temp) { retval->transited = *temp; xfree(temp); @@ -73,10 +74,12 @@ register int *error; if (*error) { goto errout; } - retval->times.starttime = gentime2unix(val->starttime, error); - if (*error) { - goto errout; - } + if (val->starttime) { + retval->times.starttime = gentime2unix(val->starttime, error); + if (*error) { + goto errout; + } + } retval->times.endtime = gentime2unix(val->endtime, error); if (*error) { goto errout; diff --git a/src/lib/krb5/asn.1/karep2arep.c b/src/lib/krb5/asn.1/karep2arep.c index 2d29c35..d5b8f7e 100644 --- a/src/lib/krb5/asn.1/karep2arep.c +++ b/src/lib/krb5/asn.1/karep2arep.c @@ -47,6 +47,17 @@ register int *error; return(0); } - retval->cmsec = val->cmsec; + retval->cusec = val->cusec; + if (val->subkey) { + retval->subkey = krb5_keyblock2KRB5_EncryptionKey(val->subkey, error); + if (!retval->subkey) { + free_KRB5_EncAPRepPart(retval); + return 0; + } + } + if (val->seq_number) { + retval->seq__number = val->seq_number; + retval->optionals |= opt_KRB5_EncAPRepPart_seq__number; + } return(retval); } diff --git a/src/lib/krb5/asn.1/kauth2auth.c b/src/lib/krb5/asn.1/kauth2auth.c index 7bd499a..56e1ba6 100644 --- a/src/lib/krb5/asn.1/kauth2auth.c +++ b/src/lib/krb5/asn.1/kauth2auth.c @@ -41,32 +41,32 @@ register int *error; } xbzero(retval, sizeof(*retval)); - retval->authenticator__vno = (struct type_KRB5_AuthenticatorVersion *) - xmalloc(sizeof(*retval->authenticator__vno)); - if (!retval->authenticator__vno) { + retval->authenticator__vno = KRB5_PVNO; + retval->crealm = krb5_data2qbuf(val->client[0]); + if (!retval->crealm) { *error = ENOMEM; errout: free_KRB5_Authenticator(retval); return(0); } - retval->authenticator__vno->parm = KRB5_PVNO; - retval->crealm = krb5_data2qbuf(val->client[0]); - if (!retval->crealm) { - *error = ENOMEM; - goto errout; - } retval->cname = krb5_principal2KRB5_PrincipalName(val->client, error); if (!retval->cname) { goto errout; } - retval->cksum = krb5_checksum2KRB5_Checksum(val->checksum, error); - if (!retval->cksum) { - goto errout; + if (val->checksum) { + retval->cksum = krb5_checksum2KRB5_Checksum(val->checksum, error); + if (!retval->cksum) { + goto errout; + } } - retval->cmsec = val->cmsec; + retval->cusec = val->cusec; retval->ctime = unix2gentime(val->ctime, error); if (!retval->ctime) { goto errout; } + if (val->seq_number) { + retval->seq__number = val->seq_number; + retval->optionals |= opt_KRB5_Authenticator_seq__number; + } return(retval); } diff --git a/src/lib/krb5/asn.1/kdcr2kkdcr.c b/src/lib/krb5/asn.1/kdcr2kkdcr.c index 79d9876..cb36e08 100644 --- a/src/lib/krb5/asn.1/kdcr2kkdcr.c +++ b/src/lib/krb5/asn.1/kdcr2kkdcr.c @@ -28,9 +28,8 @@ static char rcsid_kdcr2kkdcr_c[] = /* ISODE defines max(a,b) */ krb5_kdc_rep * -KRB5_KDC__REP2krb5_kdc_rep(val, type, error) +KRB5_KDC__REP2krb5_kdc_rep(val, error) const register struct type_KRB5_TGS__REP *val; -krb5_msgtype *type; register int *error; { register krb5_kdc_rep *retval; @@ -43,8 +42,16 @@ register int *error; } xbzero(retval, sizeof(*retval)); - *type = val->msg__type; + retval->msg_type = val->msg__type; + if (val->padata) { + retval->padata = KRB5_PA__DATA2krb5_pa_data(val->padata, error); + if (*error) { + xfree(retval); + return 0; + + } + } retval->client = KRB5_PrincipalName2krb5_principal(val->cname, val->crealm, error); diff --git a/src/lib/krb5/asn.1/kdcr2ktgsr.c b/src/lib/krb5/asn.1/kdcr2ktgsr.c index 7d3a241..bf62e00 100644 --- a/src/lib/krb5/asn.1/kdcr2ktgsr.c +++ b/src/lib/krb5/asn.1/kdcr2ktgsr.c @@ -32,14 +32,5 @@ KRB5_KDC__REP2krb5_tgs_rep(val, error) const register struct type_KRB5_TGS__REP *val; register int *error; { - krb5_msgtype type; - register krb5_kdc_rep *retval; - - retval = KRB5_KDC__REP2krb5_kdc_rep(val, &type, error); - if (retval && (type != KRB5_TGS_REP)) { - krb5_free_kdc_rep(retval); - *error = ISODE_50_LOCAL_ERR_BADMSGTYPE; - return 0; - } - return retval; + return KRB5_KDC__REP2krb5_kdc_rep(val, error); } diff --git a/src/lib/krb5/asn.1/kekrp2ekrp.c b/src/lib/krb5/asn.1/kekrp2ekrp.c index 23152c3..2824a97 100644 --- a/src/lib/krb5/asn.1/kekrp2ekrp.c +++ b/src/lib/krb5/asn.1/kekrp2ekrp.c @@ -83,8 +83,8 @@ register int *error; goto errout; } } - retval->realm = krb5_data2qbuf(val->server[0]); - if (!retval->realm) { + retval->srealm = krb5_data2qbuf(val->server[0]); + if (!retval->srealm) { *error = ENOMEM; goto errout; } @@ -92,9 +92,11 @@ register int *error; if (!retval->sname) { goto errout; } - retval->caddr = krb5_address2KRB5_HostAddresses(val->caddrs, error); - if (!retval->caddr) { - goto errout; + if (val->caddrs) { + retval->caddr = krb5_address2KRB5_HostAddresses(val->caddrs, error); + if (!retval->caddr) { + goto errout; + } } return(retval); } diff --git a/src/lib/krb5/asn.1/kerr2err.c b/src/lib/krb5/asn.1/kerr2err.c index 61acab2..4d0e455 100644 --- a/src/lib/krb5/asn.1/kerr2err.c +++ b/src/lib/krb5/asn.1/kerr2err.c @@ -51,9 +51,9 @@ register int *error; return(0); } } - if (val->cmsec) { - retval->cmsec = val->cmsec; - retval->optionals = opt_KRB5_KRB__ERROR_cmsec; + if (val->cusec) { + retval->cusec = val->cusec; + retval->optionals = opt_KRB5_KRB__ERROR_cusec; } retval->stime = unix2gentime(val->stime, error); @@ -62,7 +62,7 @@ register int *error; free_KRB5_KRB__ERROR(retval); return(0); } - retval->smsec = val->smsec; + retval->susec = val->susec; retval->error__code = val->error; if (val->client) { diff --git a/src/lib/krb5/asn.1/ketpt2etpt.c b/src/lib/krb5/asn.1/ketpt2etpt.c index bfcd1e8..bbf4875 100644 --- a/src/lib/krb5/asn.1/ketpt2etpt.c +++ b/src/lib/krb5/asn.1/ketpt2etpt.c @@ -62,18 +62,20 @@ register int *error; if (!retval->cname) { goto errout; } - retval->transited = krb5_data2qbuf(&(val->transited)); + retval->transited = + krb5_transited2KRB5_TransitedEncoding(&(val->transited), error); if (!retval->transited) { - *error = ENOMEM; goto errout; } retval->authtime = unix2gentime(val->times.authtime, error); if (!retval->authtime) { goto errout; } - retval->starttime = unix2gentime(val->times.starttime, error); - if (!retval->starttime) { - goto errout; + if (val->times.starttime) { + retval->starttime = unix2gentime(val->times.starttime, error); + if (!retval->starttime) { + goto errout; + } } retval->endtime = unix2gentime(val->times.endtime, error); if (!retval->endtime) { diff --git a/src/lib/krb5/asn.1/kkdcr2kdcr.c b/src/lib/krb5/asn.1/kkdcr2kdcr.c index 2ce84e4..9a5c66b 100644 --- a/src/lib/krb5/asn.1/kkdcr2kdcr.c +++ b/src/lib/krb5/asn.1/kkdcr2kdcr.c @@ -28,10 +28,8 @@ static char rcsid_kkdcr2kdcr_c[] = struct type_KRB5_TGS__REP * krb5_kdc_rep2KRB5_KDC__REP(DECLARG(const register krb5_kdc_rep *,val), - DECLARG(const krb5_msgtype, type), DECLARG(register int *,error)) OLDDECLARG(const register krb5_kdc_rep *,val) -OLDDECLARG(const krb5_msgtype, type) OLDDECLARG(register int *,error) { register struct type_KRB5_TGS__REP *retval; @@ -44,7 +42,14 @@ OLDDECLARG(register int *,error) xbzero(retval, sizeof(*retval)); retval->pvno = KRB5_PVNO; - retval->msg__type = type; + retval->msg__type = val->msg_type; + + if (val->padata) { + retval->padata = krb5_pa_data2KRB5_PA__DATA(val->padata, error); + if (*error) { + goto errout; + } + } retval->crealm = krb5_data2qbuf(val->client[0]); if (!retval->crealm) { diff --git a/src/lib/krb5/asn.1/kprep2prep.c b/src/lib/krb5/asn.1/kprep2prep.c index c7894e8..d43c913 100644 --- a/src/lib/krb5/asn.1/kprep2prep.c +++ b/src/lib/krb5/asn.1/kprep2prep.c @@ -47,20 +47,29 @@ register int *error; *error = ENOMEM; return(0); } - retval->timestamp = unix2gentime(val->timestamp, error); - if (!retval->timestamp) { - errout: - free_KRB5_EncKrbPrivPart(retval); - return(0); + if (val->timestamp) { + retval->timestamp = unix2gentime(val->timestamp, error); + if (!retval->timestamp) { + errout: + free_KRB5_EncKrbPrivPart(retval); + return(0); + } + retval->usec = val->usec; + retval->optionals |= opt_KRB5_EncKrbPrivPart_usec; } - retval->msec = val->msec; retval->s__address = krb5_addr2KRB5_HostAddress(val->s_address, error); if (!retval->s__address) { goto errout; } - retval->r__address = krb5_addr2KRB5_HostAddress(val->r_address, error); - if (!retval->r__address) { - goto errout; + if (val->r_address) { + retval->r__address = krb5_addr2KRB5_HostAddress(val->r_address, error); + if (!retval->r__address) { + goto errout; + } + } + if (val->seq_number) { + retval->seq__number = val->seq_number; + retval->optionals |= opt_KRB5_EncKrbPrivPart_seq__number; } return(retval); } diff --git a/src/lib/krb5/asn.1/ksafe2safe.c b/src/lib/krb5/asn.1/ksafe2safe.c index 8412847..4fe6b8a 100644 --- a/src/lib/krb5/asn.1/ksafe2safe.c +++ b/src/lib/krb5/asn.1/ksafe2safe.c @@ -33,7 +33,8 @@ const register krb5_safe *val; register int *error; { register struct type_KRB5_KRB__SAFE *retval; - + register struct type_KRB5_KRB__SAFE__BODY *rv2; + retval = (struct type_KRB5_KRB__SAFE *)xmalloc(sizeof(*retval)); if (!retval) { *error = ENOMEM; @@ -41,33 +42,50 @@ register int *error; } xbzero(retval, sizeof(*retval)); + rv2 = (struct type_KRB5_KRB__SAFE__BODY *)xmalloc(sizeof(*rv2)); + if (!rv2) { + xfree(retval); + *error = ENOMEM; + return(0); + } + retval->pvno = KRB5_PVNO; retval->msg__type = KRB5_SAFE; + retval->safe__body = rv2; - retval->user__data = krb5_data2qbuf(&(val->user_data)); - if (!retval->user__data) { + rv2->user__data = krb5_data2qbuf(&(val->user_data)); + if (!rv2->user__data) { xfree(retval); *error = ENOMEM; return(0); } - retval->timestamp = unix2gentime(val->timestamp, error); - if (!retval->timestamp) { - errout: - free_KRB5_KRB__SAFE(retval); - return(0); + if (val->timestamp) { + rv2->timestamp = unix2gentime(val->timestamp, error); + if (!rv2->timestamp) { + errout: + free_KRB5_KRB__SAFE(retval); + return(0); + } + rv2->usec = val->usec; + rv2->optionals |= opt_KRB5_KRB__SAFE__BODY_usec; } - retval->msec = val->msec; - retval->s__address = krb5_addr2KRB5_HostAddress(val->s_address, error); - if (!retval->s__address) { + rv2->s__address = krb5_addr2KRB5_HostAddress(val->s_address, error); + if (!rv2->s__address) { goto errout; } - retval->r__address = krb5_addr2KRB5_HostAddress(val->r_address, error); - if (!retval->r__address) { - goto errout; + if (val->r_address) { + rv2->r__address = krb5_addr2KRB5_HostAddress(val->r_address, error); + if (!rv2->r__address) { + goto errout; + } } retval->cksum = krb5_checksum2KRB5_Checksum(val->checksum, error); if (!retval->cksum) { goto errout; } + if (val->seq_number) { + rv2->seq__number = val->seq_number; + rv2->optionals |= opt_KRB5_KRB__SAFE__BODY_seq__number; + } return(retval); } diff --git a/src/lib/krb5/asn.1/ktgrq2tgrq.c b/src/lib/krb5/asn.1/ktgrq2tgrq.c index c971c78..348074b 100644 --- a/src/lib/krb5/asn.1/ktgrq2tgrq.c +++ b/src/lib/krb5/asn.1/ktgrq2tgrq.c @@ -33,7 +33,7 @@ const register krb5_kdc_req *val; register int *error; { register struct type_KRB5_KDC__REQ__BODY *retval; - + retval = (struct type_KRB5_KDC__REQ__BODY *)xmalloc(sizeof(*retval)); if (!retval) { *error = ENOMEM; @@ -80,12 +80,22 @@ register int *error; goto errout; } } - retval->ctime = unix2gentime(val->ctime, error); - if (!retval->ctime) { + retval->nonce = val->nonce; + retval->etype = (struct element_KRB5_8 *)malloc(sizeof(*retval->etype)+ + max(0,val->netypes-1)*sizeof(integer)); + if (!retval->etype) goto errout; + +#if 0 + for (i = 0; i < val->netypes; i++) { + retval->etype->element_KRB5_9[i] = val->etype[i]; } - retval->nonce = val->nonce; - retval->etype = val->etype; + retval->etype->nelem = val->netypes; +#else + /* XXX !@#*)@# busted ASN.1 compiler */ + retval->etype->element_KRB5_9 = val->etype[0]; + retval->etype->nelem = 1; +#endif if (val->addresses) { retval->addresses = @@ -94,22 +104,22 @@ register int *error; goto errout; } } - if (val->authorization_data) { + if (val->authorization_data.ciphertext.data) { retval->authorization__data = - krb5_authdata2KRB5_AuthorizationData(val->authorization_data, + krb5_enc_data2KRB5_EncryptedData(&(val->authorization_data), error); if (!retval->authorization__data) goto errout; } if (val->second_ticket) { - struct element_KRB5_6 *adtk; + struct element_KRB5_10 *adtk; krb5_ticket * const *temp; register int i; /* count elements */ for (i = 0, temp = val->second_ticket; *temp; temp++,i++); - adtk = (struct element_KRB5_6 *)xmalloc(sizeof(*adtk) + + adtk = (struct element_KRB5_10 *)xmalloc(sizeof(*adtk) + max(0,i-1)*sizeof(adtk->Ticket)); if (!adtk) { *error = ENOMEM; @@ -131,8 +141,8 @@ register int *error; } retval->additional__tickets = adtk; } else { - struct element_KRB5_6 *adtk; - adtk = (struct element_KRB5_6 *)xmalloc(sizeof(*adtk)); + struct element_KRB5_10 *adtk; + adtk = (struct element_KRB5_10 *)xmalloc(sizeof(*adtk)); if (!adtk) { *error = ENOMEM; goto errout; @@ -160,16 +170,16 @@ register int *error; xbzero(retval, sizeof(*retval)); retval->pvno = KRB5_PVNO; retval->msg__type = val->msg_type; - retval->padata__type = val->padata_type; - retval->padata = krb5_data2qbuf(&(val->padata)); - if (!retval->padata) { - xfree(retval); - *error = ENOMEM; - return(0); + if (val->padata) { + retval->padata = krb5_pa_data2KRB5_PA__DATA(val->padata, error); + if (*error) { + xfree(retval); + return 0; + } } retval->req__body = krb5_kdc_req2KRB5_KDC__REQ__BODY(val, error); if (!retval->req__body) { - xfree(retval); + free_KRB5_TGS__REQ(retval); return(0); } return(retval); diff --git a/src/lib/krb5/asn.1/ktgsr2kdcr.c b/src/lib/krb5/asn.1/ktgsr2kdcr.c index 1365fb8..8f60549 100644 --- a/src/lib/krb5/asn.1/ktgsr2kdcr.c +++ b/src/lib/krb5/asn.1/ktgsr2kdcr.c @@ -33,5 +33,5 @@ const register krb5_kdc_rep *val; register int *error; { return (struct type_KRB5_TGS__REP *) - krb5_kdc_rep2KRB5_KDC__REP(val, KRB5_TGS_REP, error); + krb5_kdc_rep2KRB5_KDC__REP(val, error); } diff --git a/src/lib/krb5/asn.1/prep2kprep.c b/src/lib/krb5/asn.1/prep2kprep.c index d3c0333..8360b70 100644 --- a/src/lib/krb5/asn.1/prep2kprep.c +++ b/src/lib/krb5/asn.1/prep2kprep.c @@ -50,20 +50,33 @@ register int *error; xfree(retval); return(0); } - retval->timestamp = gentime2unix(val->timestamp, error); - if (*error) { - errout: - krb5_free_priv_enc_part(retval); - return(0); + if (val->timestamp) { + if (!(val->optionals & opt_KRB5_EncKrbPrivPart_usec)) { + /* must have usec if we have timestamp */ + *error = ISODE_50_LOCAL_ERR_BADCOMBO; + goto errout; + } + + retval->timestamp = gentime2unix(val->timestamp, error); + if (*error) { + errout: + krb5_free_priv_enc_part(retval); + return(0); + } + retval->usec = val->usec; } - retval->msec = val->msec; retval->s_address = KRB5_HostAddress2krb5_addr(val->s__address, error); if (!retval->s_address) { goto errout; } - retval->r_address = KRB5_HostAddress2krb5_addr(val->r__address, error); - if (!retval->r_address) { - goto errout; + if (val->r__address) { + retval->r_address = KRB5_HostAddress2krb5_addr(val->r__address, error); + if (!retval->r_address) { + goto errout; + } + } + if (val->optionals & opt_KRB5_EncKrbPrivPart_seq__number) { + retval->seq_number = val->seq__number; } return(retval); } diff --git a/src/lib/krb5/asn.1/safe2ksafe.c b/src/lib/krb5/asn.1/safe2ksafe.c index 1066852..05919e4 100644 --- a/src/lib/krb5/asn.1/safe2ksafe.c +++ b/src/lib/krb5/asn.1/safe2ksafe.c @@ -42,7 +42,7 @@ register int *error; } xbzero(retval, sizeof(*retval)); - temp = qbuf2krb5_data(val->user__data, error); + temp = qbuf2krb5_data(val->safe__body->user__data, error); if (temp) { retval->user_data = *temp; xfree(temp); @@ -50,24 +50,39 @@ register int *error; xfree(retval); return(0); } - retval->timestamp = gentime2unix(val->timestamp, error); - if (*error) { - errout: - krb5_free_safe(retval); - return(0); + if (val->safe__body->timestamp) { + if (!(val->safe__body->optionals & opt_KRB5_KRB__SAFE__BODY_usec)) { + /* must have usec if we have timestamp */ + *error = ISODE_50_LOCAL_ERR_BADCOMBO; + goto errout; + } + retval->timestamp = gentime2unix(val->safe__body->timestamp, error); + if (*error) { + errout: + krb5_free_safe(retval); + return(0); + } + retval->usec = val->safe__body->usec; } - retval->msec = val->msec; - retval->s_address = KRB5_HostAddress2krb5_addr(val->s__address, error); + retval->s_address = KRB5_HostAddress2krb5_addr(val->safe__body->s__address, + error); if (!retval->s_address) { goto errout; } - retval->r_address = KRB5_HostAddress2krb5_addr(val->r__address, error); - if (!retval->r_address) { - goto errout; + if (val->safe__body->r__address) { + retval->r_address = + KRB5_HostAddress2krb5_addr(val->safe__body->r__address, error); + if (!retval->r_address) { + goto errout; + } } - retval->checksum = KRB5_Checksum2krb5_checksum(val->cksum, error); + retval->checksum = KRB5_Checksum2krb5_checksum(val->cksum, + error); if (!retval->checksum) { goto errout; } + if (val->safe__body->optionals & opt_KRB5_KRB__SAFE__BODY_seq__number) { + retval->seq_number = val->safe__body->seq__number; + } return(retval); } diff --git a/src/lib/krb5/asn.1/tgrq2ktgrq.c b/src/lib/krb5/asn.1/tgrq2ktgrq.c index 8721145..e6fcb10 100644 --- a/src/lib/krb5/asn.1/tgrq2ktgrq.c +++ b/src/lib/krb5/asn.1/tgrq2ktgrq.c @@ -26,6 +26,9 @@ static char rcsid_tgrq2ktgrq_c[] = #include <krb5/ext-proto.h> /* ISODE defines max(a,b) */ +#ifndef min +#define min(a,b) ((a) < (b) ? (a) : (b)) +#endif krb5_kdc_req * KRB5_KDC__REQ__BODY2krb5_kdc_req(val, error) @@ -33,6 +36,7 @@ const register struct type_KRB5_KDC__REQ__BODY *val; register int *error; { register krb5_kdc_req *retval; + krb5_enc_data *temp; retval = (krb5_kdc_req *)xmalloc(sizeof(*retval)); if (!retval) { @@ -74,14 +78,21 @@ register int *error; goto errout; } } - retval->ctime = gentime2unix(val->ctime, error); - if (*error) { - goto errout; - } retval->nonce = val->nonce; - retval->etype = val->etype; - + retval->etype = (krb5_enctype *) xmalloc(sizeof(*(retval->etype))*min(1,val->etype->nelem)); + if (!retval->etype) + goto errout; +#if 0 + for (i = 0; i < val->etype->nelem; i++) { + retval->etype[i] = val->etype->element_KRB5_9[i]; + } + val->netypes = val->etype->nelem; +#else + /* XXX @#$#@ broken ASN.1 compiler */ + retval->etype[0] = val->etype->element_KRB5_9; + retval->netypes = 1; +#endif if (val->addresses) { retval->addresses = @@ -91,16 +102,17 @@ register int *error; } } if (val->authorization__data) { - retval->authorization_data = - KRB5_AuthorizationData2krb5_authdata(val-> - authorization__data, - error); - if (*error) + temp = KRB5_EncryptedData2krb5_enc_data(val->authorization__data, + error); + if (temp) { + retval->authorization_data = *temp; + xfree(temp); + } else goto errout; } if (val->additional__tickets) { register krb5_ticket **aticks; - register struct element_KRB5_6 *tptr; + register struct element_KRB5_10 *tptr; register int i; tptr = val->additional__tickets; @@ -128,19 +140,14 @@ const register struct type_KRB5_TGS__REQ *val; register int *error; { register krb5_kdc_req *retval; - krb5_data *temp; if (!(retval = KRB5_KDC__REQ__BODY2krb5_kdc_req(val->req__body, error))) return retval; retval->msg_type = val->msg__type; - retval->padata_type = val->padata__type; if (val->padata) { - temp = qbuf2krb5_data(val->padata, error); - if (temp) { - retval->padata = *temp; - xfree(temp); - } else { + retval->padata = KRB5_PA__DATA2krb5_pa_data(val->padata, error); + if (!retval->padata) { krb5_free_kdc_req(retval); return(0); } diff --git a/src/lib/krb5/free/Imakefile b/src/lib/krb5/free/Imakefile index 7780d7f..d0ecd37 100644 --- a/src/lib/krb5/free/Imakefile +++ b/src/lib/krb5/free/Imakefile @@ -14,6 +14,7 @@ OBJS= \ f_address.o \ f_ap_rep.o \ f_ap_req.o \ + f_arep_enc.o \ f_authdata.o \ f_authent.o \ f_cksum.o \ @@ -26,6 +27,7 @@ OBJS= \ f_kdc_req.o \ f_keyblock.o \ f_last_req.o \ + f_padata.o \ f_princ.o \ f_priv.o \ f_priv_enc.o \ @@ -37,6 +39,7 @@ OBJS= \ SRCS= \ f_addr.c \ f_address.c \ + f_arep_enc.c \ f_ap_rep.c \ f_ap_req.c \ f_authdata.c \ @@ -51,6 +54,7 @@ SRCS= \ f_kdc_req.c \ f_keyblock.c \ f_last_req.c \ + f_padata.c \ f_princ.c \ f_priv.c \ f_priv_enc.c \ diff --git a/src/lib/krb5/free/f_authdata.c b/src/lib/krb5/free/f_authdata.c index c5d26d0..59d90f0 100644 --- a/src/lib/krb5/free/f_authdata.c +++ b/src/lib/krb5/free/f_authdata.c @@ -25,8 +25,11 @@ krb5_authdata **val; { register krb5_authdata **temp; - for (temp = val; *temp; temp++) + for (temp = val; *temp; temp++) { + if ((*temp)->contents) + xfree((*temp)->contents); xfree(*temp); + } xfree(val); return; } diff --git a/src/lib/krb5/free/f_authent.c b/src/lib/krb5/free/f_authent.c index 029c1b7..19b2158 100644 --- a/src/lib/krb5/free/f_authent.c +++ b/src/lib/krb5/free/f_authent.c @@ -27,6 +27,8 @@ krb5_authenticator *val; xfree(val->checksum); if (val->client) krb5_free_principal(val->client); + if (val->subkey) + krb5_free_keyblock(val->subkey); xfree(val); return; } diff --git a/src/lib/krb5/free/f_enc_tkt.c b/src/lib/krb5/free/f_enc_tkt.c index 66a1dfd..2b042b6 100644 --- a/src/lib/krb5/free/f_enc_tkt.c +++ b/src/lib/krb5/free/f_enc_tkt.c @@ -27,8 +27,8 @@ krb5_enc_tkt_part *val; krb5_free_keyblock(val->session); if (val->client) krb5_free_principal(val->client); - if (val->transited.data) - xfree(val->transited.data); + if (val->transited.tr_contents.data) + xfree(val->transited.tr_contents.data); if (val->caddrs) krb5_free_address(val->caddrs); if (val->authorization_data) diff --git a/src/lib/krb5/free/f_kdc_rep.c b/src/lib/krb5/free/f_kdc_rep.c index 398d31e..f22b29b 100644 --- a/src/lib/krb5/free/f_kdc_rep.c +++ b/src/lib/krb5/free/f_kdc_rep.c @@ -23,6 +23,8 @@ void krb5_free_kdc_rep(val) krb5_kdc_rep *val; { + if (val->padata) + krb5_free_pa_data(val->padata); if (val->client) krb5_free_principal(val->client); if (val->ticket) diff --git a/src/lib/krb5/free/f_kdc_req.c b/src/lib/krb5/free/f_kdc_req.c index 62f43ea..69a8aff 100644 --- a/src/lib/krb5/free/f_kdc_req.c +++ b/src/lib/krb5/free/f_kdc_req.c @@ -23,16 +23,18 @@ void krb5_free_kdc_req(val) krb5_kdc_req *val; { - if (val->padata.data) - xfree(val->padata.data); + if (val->padata) + krb5_free_pa_data(val->padata); if (val->client) krb5_free_principal(val->client); if (val->server) krb5_free_principal(val->server); if (val->addresses) krb5_free_address(val->addresses); - if (val->authorization_data) - krb5_free_authdata(val->authorization_data); + if (val->authorization_data.ciphertext.data) + xfree(val->authorization_data.ciphertext.data); + if (val->unenc_authdata) + krb5_free_authdata(val->unenc_authdata); if (val->second_ticket) krb5_free_tickets(val->second_ticket); xfree(val); diff --git a/src/lib/krb5/krb/Imakefile b/src/lib/krb5/krb/Imakefile index f2f8555..885bead 100644 --- a/src/lib/krb5/krb/Imakefile +++ b/src/lib/krb5/krb/Imakefile @@ -40,6 +40,7 @@ OBJS= addr_comp.o \ mk_req_ext.o \ mk_safe.o \ parse.o \ + pr_to_salt.o \ princ_comp.o \ rd_error.o \ rd_priv.o \ @@ -84,6 +85,7 @@ SRCS= addr_comp.c \ mk_req_ext.c \ mk_safe.c \ parse.c \ + pr_to_salt.c \ princ_comp.c \ rd_error.c \ rd_priv.c \ @@ -98,3 +100,4 @@ SRCS= addr_comp.c \ walk_rtree.c OtherdirLibraryTarget($(TOP)/lib,krb5,$(OBJS)) +INCLUDES=-I../../include diff --git a/src/lib/krb5/krb/copy_tick.c b/src/lib/krb5/krb/copy_tick.c index c66d082..ec6a9d4 100644 --- a/src/lib/krb5/krb/copy_tick.c +++ b/src/lib/krb5/krb/copy_tick.c @@ -27,7 +27,6 @@ krb5_enc_tkt_part **partto; { krb5_error_code retval; krb5_enc_tkt_part *tempto; - krb5_data *scratch; if (!(tempto = (krb5_enc_tkt_part *)malloc(sizeof(*tempto)))) return ENOMEM; @@ -48,16 +47,20 @@ krb5_enc_tkt_part **partto; xfree(tempto); return retval; } - if (retval = krb5_copy_data(&partfrom->transited, &scratch)) { + tempto->transited = partfrom->transited; + tempto->transited.tr_contents.data = + malloc(sizeof(partfrom->transited.tr_contents.length)); + if (!tempto->transited.tr_contents.data) { krb5_free_principal(tempto->client); krb5_free_keyblock(tempto->session); xfree(tempto); return retval; } - tempto->transited = *scratch; - xfree(scratch); + memcpy((char *)tempto->transited.tr_contents.data, + (char *)partfrom->transited.tr_contents.data, + partfrom->transited.tr_contents.length); if (retval = krb5_copy_addresses(partfrom->caddrs, &tempto->caddrs)) { - xfree(tempto->transited.data); + xfree(tempto->transited.tr_contents.data); krb5_free_principal(tempto->client); krb5_free_keyblock(tempto->session); xfree(tempto); @@ -67,7 +70,7 @@ krb5_enc_tkt_part **partto; if (retval = krb5_copy_authdata(partfrom->authorization_data, &tempto->authorization_data)) { krb5_free_address(tempto->caddrs); - xfree(tempto->transited.data); + xfree(tempto->transited.tr_contents.data); krb5_free_principal(tempto->client); krb5_free_keyblock(tempto->session); xfree(tempto); diff --git a/src/lib/krb5/krb/gc_via_tgt.c b/src/lib/krb5/krb/gc_via_tgt.c index b05c6fd..99efd79 100644 --- a/src/lib/krb5/krb/gc_via_tgt.c +++ b/src/lib/krb5/krb/gc_via_tgt.c @@ -66,6 +66,7 @@ OLDDECLARG(krb5_creds *, cred) cred->server, tgt->addresses, cred->authdata, + 0, /* no padata */ 0, /* no second ticket */ tgt, &tgsrep)) return retval; @@ -116,6 +117,12 @@ OLDDECLARG(krb5_creds *, cred) dec_rep->enc_part2->session->length);\ krb5_free_kdc_rep(dec_rep); } + if (dec_rep->msg_type != KRB5_TGS_REP) { + retval = KRB5KRB_AP_ERR_MSG_TYPE; + cleanup(); + return retval; + } + /* now it's decrypted and ready for prime time */ if (!krb5_principal_compare(dec_rep->client, tgt->client)) { diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index e690f36..4571f66 100644 --- a/src/lib/krb5/krb/get_in_tkt.c +++ b/src/lib/krb5/krb/get_in_tkt.c @@ -52,7 +52,7 @@ static char rcsid_get_in_tkt_c[] = extern krb5_deltat krb5_clockskew; -#define in_clock_skew(date) (abs((date)-request.ctime) < krb5_clockskew) +#define in_clock_skew(date) (abs((date)-request.nonce) < krb5_clockskew) /* some typedef's for the function args to make things look a bit cleaner */ @@ -60,7 +60,8 @@ extern krb5_deltat krb5_clockskew; #include <krb5/widen.h> typedef krb5_error_code (*git_key_proc) PROTOTYPE((const krb5_keytype, krb5_keyblock **, - krb5_const_pointer )); + krb5_const_pointer, + krb5_pa_data **)); #include <krb5/narrow.h> typedef krb5_error_code (*git_decrypt_proc) PROTOTYPE((const krb5_keyblock *, @@ -95,13 +96,13 @@ OLDDECLARG(krb5_ccache, ccache) krb5_data *packet; krb5_data reply; krb5_keyblock *decrypt_key; + krb5_enctype etypes[1]; + krb5_timestamp time_now; request.msg_type = KRB5_AS_REQ; /* AS_REQ has no pre-authentication. */ - request.padata_type = 0; - request.padata.data = 0; - request.padata.length = 0; + request.padata = 0; request.kdc_options = options; request.client = creds->client; @@ -110,14 +111,20 @@ OLDDECLARG(krb5_ccache, ccache) request.from = creds->times.starttime; request.till = creds->times.endtime; request.rtime = creds->times.renew_till; - if (retval = krb5_timeofday(&request.ctime)) + if (retval = krb5_timeofday(&time_now)) return(retval); + /* XXX we know they are the same size... */ - request.nonce = (krb5_int32) request.ctime; - request.etype = etype; + request.nonce = (krb5_int32) time_now; + + etypes[0] = etype; + request.etype = etypes; + request.netypes = 1; request.addresses = (krb5_address **) addrs; request.second_ticket = 0; - request.authorization_data = 0; + request.authorization_data.ciphertext.length = 0; + request.authorization_data.ciphertext.data = 0; + request.unenc_authdata = 0; /* encode & send to KDC */ if (retval = encode_krb5_as_req(&request, &packet)) @@ -129,14 +136,12 @@ OLDDECLARG(krb5_ccache, ccache) /* now decode the reply...could be error or as_rep */ - if (!krb5_is_as_rep(&reply) && !krb5_is_krb_error(&reply)) - return KRB5KRB_AP_ERR_MSG_TYPE; - if (retval = decode_krb5_as_rep(&reply, &as_reply)) { - if (decode_krb5_error(&reply, &err_reply)) - return retval; /* some other reply--??? */ + if (krb5_is_krb_error(&reply)) { + if (retval = decode_krb5_error(&reply, &err_reply)) + return retval; /* some other reply--??? */ /* it was an error */ - if ((err_reply->ctime != request.ctime) || + if ((err_reply->ctime != request.nonce) || !krb5_principal_compare(err_reply->server, request.server) || !krb5_principal_compare(err_reply->client, request.client)) retval = KRB5_KDCREP_MODIFIED; @@ -149,10 +154,19 @@ OLDDECLARG(krb5_ccache, ccache) return retval; } + if (!krb5_is_as_rep(&reply)) + return KRB5KRB_AP_ERR_MSG_TYPE; + if (retval = decode_krb5_as_rep(&reply, &as_reply)) + return retval; /* some other reply--??? */ + + if (as_reply->msg_type != KRB5_AS_REP) + return KRB5KRB_AP_ERR_MSG_TYPE; + /* it was a kdc_rep--decrypt & check */ /* generate the key */ - if (retval = (*key_proc)(keytype, &decrypt_key, keyseed)) { + if (retval = (*key_proc)(keytype, &decrypt_key, keyseed, + as_reply->padata)) { krb5_free_kdc_rep(as_reply); return retval; } @@ -166,6 +180,9 @@ OLDDECLARG(krb5_ccache, ccache) } /* check the contents for sanity: */ + if (!as_reply->enc_part2->times.starttime) + as_reply->enc_part2->times.starttime = + as_reply->enc_part2->times.authtime; if (!krb5_principal_compare(as_reply->client, request.client) || !krb5_principal_compare(as_reply->enc_part2->server, request.server) || !krb5_principal_compare(as_reply->ticket->server, request.server) diff --git a/src/lib/krb5/krb/in_tkt_pwd.c b/src/lib/krb5/krb/in_tkt_pwd.c index 8c610e9..78b9ed6 100644 --- a/src/lib/krb5/krb/in_tkt_pwd.c +++ b/src/lib/krb5/krb/in_tkt_pwd.c @@ -34,42 +34,74 @@ extern char *krb5_default_pwd_prompt1; static krb5_error_code pwd_keyproc(DECLARG(const krb5_keytype, type), DECLARG(krb5_keyblock **, key), - DECLARG(krb5_const_pointer, keyseed)) + DECLARG(krb5_const_pointer, keyseed), + DECLARG(krb5_pa_data **,padata)) OLDDECLARG(const krb5_keytype, type) OLDDECLARG(krb5_keyblock **, key) OLDDECLARG(krb5_const_pointer, keyseed) +OLDDECLARG(krb5_pa_data **,padata) { + krb5_data salt; krb5_error_code retval; - struct pwd_keyproc_arg *arg, arg2; + const struct pwd_keyproc_arg *arg; + struct pwd_keyproc_arg arg2; char pwdbuf[BUFSIZ]; int pwsize = sizeof(pwdbuf); + char f_salt = 0, use_salt = 0; if (!valid_keytype(type)) return KRB5_PROG_KEYTYPE_NOSUPP; - arg = (struct pwd_keyproc_arg *)keyseed; + if (padata) { + krb5_pa_data **ptr; + + for (ptr = padata; *ptr; ptr++) + { + if ((*ptr)->pa_type == KRB5_PADATA_PW_SALT) + { + /* use KDC-supplied salt, instead of default */ + salt.length = (*ptr)->length; + salt.data = (char *)(*ptr)->contents; + use_salt = 1; + break; + } + } + } + arg = (const struct pwd_keyproc_arg *)keyseed; + if (!use_salt) { + /* need to use flattened principal */ + if (retval = krb5_principal2salt(arg->who, &salt)) + return(retval); + f_salt = 1; + } + if (!arg->password.length) { if (retval = krb5_read_password(krb5_default_pwd_prompt1, 0, - pwdbuf, &pwsize)) + pwdbuf, &pwsize)) { + if (f_salt) xfree(salt.data); return retval; + } arg2 = *arg; + arg2.password.length = pwsize; + arg2.password.data = pwdbuf; arg = &arg2; - arg->password.length = pwsize; - arg->password.data = pwdbuf; } *key = (krb5_keyblock *)malloc(sizeof(**key)); - if (!*key) + if (!*key) { + if (f_salt) xfree(salt.data); return ENOMEM; - + } if (retval = (*krb5_keytype_array[type]->system-> string_to_key)(type, *key, &arg->password, - arg->who)) { + &salt)) { free((char *) *key); + if (f_salt) xfree(salt.data); return(retval); } + if (f_salt) xfree(salt.data); return 0; } diff --git a/src/lib/krb5/krb/in_tkt_sky.c b/src/lib/krb5/krb/in_tkt_sky.c index 136188d..904ef62 100644 --- a/src/lib/krb5/krb/in_tkt_sky.c +++ b/src/lib/krb5/krb/in_tkt_sky.c @@ -22,7 +22,7 @@ static char rcsid_in_tkt_skey_c [] = #include <krb5/ext-proto.h> struct skey_keyproc_arg { - krb5_keyblock *key; + const krb5_keyblock *key; krb5_principal server; /* it's a pointer, really! */ }; @@ -34,10 +34,12 @@ struct skey_keyproc_arg { static krb5_error_code skey_keyproc(DECLARG(const krb5_keytype, type), DECLARG(krb5_keyblock **, key), - DECLARG(krb5_const_pointer, keyseed)) + DECLARG(krb5_const_pointer, keyseed), + DECLARG(krb5_pa_data **, padata)) OLDDECLARG(const krb5_keytype, type) OLDDECLARG(krb5_keyblock **, key) OLDDECLARG(krb5_const_pointer, keyseed) +OLDDECLARG(krb5_pa_data **,padata) { krb5_keyblock *realkey; const struct skey_keyproc_arg *arg; @@ -129,7 +131,7 @@ OLDDECLARG(krb5_creds *, creds) krb5_keytype keytype; if (key) { - arg.key = (krb5_keyblock *)key; + arg.key = key; arg.server = 0; keytype = key->keytype; } else { diff --git a/src/lib/krb5/krb/mk_priv.c b/src/lib/krb5/krb/mk_priv.c index 5a89400..483b100 100644 --- a/src/lib/krb5/krb/mk_priv.c +++ b/src/lib/krb5/krb/mk_priv.c @@ -42,15 +42,19 @@ krb5_error_code krb5_mk_priv(DECLARG(const krb5_data *, userdata), DECLARG(const krb5_enctype, etype), DECLARG(const krb5_keyblock *, key), - DECLARG(const krb5_fulladdr *, sender_addr), - DECLARG(const krb5_fulladdr *, recv_addr), + DECLARG(const krb5_address *, sender_addr), + DECLARG(const krb5_address *, recv_addr), + DECLARG(krb5_int32, seq_number), + DECLARG(krb5_int32, priv_flags), DECLARG(krb5_pointer, i_vector), DECLARG(krb5_data *, outbuf)) OLDDECLARG(const krb5_data *, userdata) OLDDECLARG(const krb5_enctype, etype) OLDDECLARG(const krb5_keyblock *, key) -OLDDECLARG(const krb5_fulladdr *, sender_addr) -OLDDECLARG(const krb5_fulladdr *, recv_addr) +OLDDECLARG(const krb5_address *, sender_addr) +OLDDECLARG(const krb5_address *, recv_addr) +OLDDECLARG(krb5_int32, seq_number) +OLDDECLARG(krb5_int32, priv_flags) OLDDECLARG(krb5_pointer, i_vector) OLDDECLARG(krb5_data *, outbuf) { @@ -66,19 +70,21 @@ OLDDECLARG(krb5_data *, outbuf) privmsg.enc_part.kvno = 0; /* XXX allow user-set? */ privmsg_enc_part.user_data = *userdata; - privmsg_enc_part.s_address = sender_addr->address; - privmsg_enc_part.r_address = recv_addr->address; - - if (retval = krb5_ms_timeofday(&privmsg_enc_part.timestamp, - &privmsg_enc_part.msec)) - return retval; - - if (krb5_fulladdr_order(sender_addr, recv_addr) > 0) - privmsg_enc_part.msec = - (privmsg_enc_part.msec & MSEC_VAL_MASK) | MSEC_DIRBIT; + privmsg_enc_part.s_address = (krb5_address *)sender_addr; + if (recv_addr) + privmsg_enc_part.r_address = (krb5_address *)recv_addr; else - /* this should be a no-op, but just to be sure... */ - privmsg_enc_part.msec = privmsg_enc_part.msec & MSEC_VAL_MASK; + privmsg_enc_part.r_address = 0; + + if (!(priv_flags & KRB5_PRIV_NOTIME)) { + if (retval = krb5_us_timeofday(&privmsg_enc_part.timestamp, + &privmsg_enc_part.usec)) + return retval; + } + if (priv_flags & KRB5_PRIV_DOSEQUENCE) { + privmsg_enc_part.seq_number = seq_number; + } else + privmsg_enc_part.seq_number = 0; /* start by encoding to-be-encrypted part of the message */ diff --git a/src/lib/krb5/krb/mk_req.c b/src/lib/krb5/krb/mk_req.c index c539d64..24e5bc7 100644 --- a/src/lib/krb5/krb/mk_req.c +++ b/src/lib/krb5/krb/mk_req.c @@ -73,6 +73,8 @@ krb5_data *outbuf; checksum, &creds.times, krb5_kdc_default_options, + 0, /* no sequence number */ + 0, /* no sub-key */ ccache, &creds, 0, /* We don't need the authenticator */ diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c index 1041fdc..6a5ce9c 100644 --- a/src/lib/krb5/krb/mk_req_ext.c +++ b/src/lib/krb5/krb/mk_req_ext.c @@ -58,15 +58,19 @@ static char rcsid_mk_req_ext_c[] = */ static krb5_error_code generate_authenticator PROTOTYPE((krb5_authenticator *, const krb5_creds *, - const krb5_checksum *)); + const krb5_checksum *, + krb5_keyblock *, + krb5_int32 )); krb5_error_code -krb5_mk_req_extended(ap_req_options, checksum, times, kdc_options, ccache, - creds, authentp, outbuf) +krb5_mk_req_extended(ap_req_options, checksum, times, kdc_options, + sequence, newkey, ccache, creds, authentp, outbuf) const krb5_flags ap_req_options; const krb5_checksum *checksum; const krb5_ticket_times *times; const krb5_flags kdc_options; +krb5_int32 sequence; +krb5_keyblock *newkey; krb5_ccache ccache; krb5_creds *creds; krb5_authenticator *authentp; @@ -107,7 +111,8 @@ krb5_data *outbuf; return(retval); #define cleanup_ticket() krb5_free_ticket(request.ticket) - if (retval = generate_authenticator(&authent, creds, checksum)) { + if (retval = generate_authenticator(&authent, creds, checksum, newkey, + sequence)) { cleanup_ticket(); return retval; } @@ -203,13 +208,17 @@ request.authenticator.ciphertext.data = 0;} } static krb5_error_code -generate_authenticator(authent, creds, cksum) +generate_authenticator(authent, creds, cksum, key, seq_number) krb5_authenticator *authent; const krb5_creds *creds; const krb5_checksum *cksum; +krb5_keyblock *key; +krb5_int32 seq_number; { authent->client = creds->client; authent->checksum = (krb5_checksum *)cksum; + authent->subkey = key; + authent->seq_number = seq_number; - return(krb5_ms_timeofday(&authent->ctime, &authent->cmsec)); + return(krb5_us_timeofday(&authent->ctime, &authent->cusec)); } diff --git a/src/lib/krb5/krb/mk_safe.c b/src/lib/krb5/krb/mk_safe.c index 975d0cb..12fb963 100644 --- a/src/lib/krb5/krb/mk_safe.c +++ b/src/lib/krb5/krb/mk_safe.c @@ -41,14 +41,18 @@ krb5_error_code krb5_mk_safe(DECLARG(const krb5_data *, userdata), DECLARG(const krb5_cksumtype, sumtype), DECLARG(const krb5_keyblock *, key), - DECLARG(const krb5_fulladdr *, sender_addr), - DECLARG(const krb5_fulladdr *, recv_addr), + DECLARG(const krb5_address *, sender_addr), + DECLARG(const krb5_address *, recv_addr), + DECLARG(krb5_int32, seq_number), + DECLARG(krb5_int32, safe_flags), DECLARG(krb5_data *, outbuf)) OLDDECLARG(const krb5_data *, userdata) OLDDECLARG(const krb5_cksumtype, sumtype) OLDDECLARG(const krb5_keyblock *, key) -OLDDECLARG(const krb5_fulladdr *, sender_addr) -OLDDECLARG(const krb5_fulladdr *, recv_addr) +OLDDECLARG(const krb5_address *, sender_addr) +OLDDECLARG(const krb5_address *, recv_addr) +OLDDECLARG(krb5_int32, seq_number) +OLDDECLARG(krb5_int32, safe_flags) OLDDECLARG(krb5_data *, outbuf) { krb5_error_code retval; @@ -59,20 +63,25 @@ OLDDECLARG(krb5_data *, outbuf) if (!valid_cksumtype(sumtype)) return KRB5_PROG_SUMTYPE_NOSUPP; + if (!is_coll_proof_cksum(sumtype) || !is_keyed_cksum(sumtype)) + return KRB5KRB_AP_ERR_INAPP_CKSUM; safemsg.user_data = *userdata; - safemsg.s_address = sender_addr->address; - safemsg.r_address = recv_addr->address; - - if (retval = krb5_ms_timeofday(&safemsg.timestamp, &safemsg.msec)) - return retval; - - if (krb5_fulladdr_order(sender_addr, recv_addr) > 0) - safemsg.msec = (safemsg.msec & MSEC_VAL_MASK) | MSEC_DIRBIT; + safemsg.s_address = (krb5_address *)sender_addr; + if (recv_addr) + safemsg.r_address = (krb5_address *)recv_addr; else - /* this should be a no-op, but just to be sure... */ - safemsg.msec = safemsg.msec & MSEC_VAL_MASK; + safemsg.r_address = 0; + if (!(safe_flags & KRB5_SAFE_NOTIME)) { + if (retval = krb5_us_timeofday(&safemsg.timestamp, &safemsg.usec)) + return retval; + } + if (safe_flags & KRB5_SAFE_DOSEQUENCE) { + safemsg.seq_number = seq_number; + } else + safemsg.seq_number = 0; + /* to do the checksum stuff, we need to encode the message with a zero-length zero-type checksum, then checksum the encoding, then re-encode with the diff --git a/src/lib/krb5/krb/pr_to_salt.c b/src/lib/krb5/krb/pr_to_salt.c index 4060202..74013fb 100644 --- a/src/lib/krb5/krb/pr_to_salt.c +++ b/src/lib/krb5/krb/pr_to_salt.c @@ -30,7 +30,7 @@ krb5_const_principal pr; krb5_data *ret; { int size, offset; - krb5_data **prp; + krb5_data * const * prp; if (pr == 0) { diff --git a/src/lib/krb5/krb/rd_priv.c b/src/lib/krb5/krb/rd_priv.c index 8cc22df..78607bf 100644 --- a/src/lib/krb5/krb/rd_priv.c +++ b/src/lib/krb5/krb/rd_priv.c @@ -49,14 +49,18 @@ Returns system errors, integrity errors. krb5_error_code krb5_rd_priv(DECLARG(const krb5_data *, inbuf), DECLARG(const krb5_keyblock *, key), - DECLARG(const krb5_fulladdr *, sender_addr), - DECLARG(const krb5_fulladdr *, recv_addr), + DECLARG(const krb5_address *, sender_addr), + DECLARG(const krb5_address *, recv_addr), + DECLARG(krb5_int32, seq_number), + DECLARG(krb5_int32, priv_flags), DECLARG(krb5_pointer, i_vector), DECLARG(krb5_data *, outbuf)) OLDDECLARG(const krb5_data *, inbuf) OLDDECLARG(const krb5_keyblock *, key) -OLDDECLARG(const krb5_fulladdr *, sender_addr) -OLDDECLARG(const krb5_fulladdr *, recv_addr) +OLDDECLARG(const krb5_address *, sender_addr) +OLDDECLARG(const krb5_address *, recv_addr) +OLDDECLARG(krb5_int32, seq_number) +OLDDECLARG(krb5_int32, priv_flags) OLDDECLARG(krb5_pointer, i_vector) OLDDECLARG(krb5_data *, outbuf) { @@ -66,7 +70,6 @@ OLDDECLARG(krb5_data *, outbuf) krb5_priv_enc_part *privmsg_enc_part; krb5_data scratch; krb5_timestamp currenttime; - krb5_ui_2 computed_direction; if (!krb5_is_krb_priv(inbuf)) return KRB5KRB_AP_ERR_MSG_TYPE; @@ -142,25 +145,28 @@ OLDDECLARG(krb5_data *, outbuf) #define cleanup_data() {(void)memset(privmsg_enc_part->user_data.data,0,privmsg_enc_part->user_data.length); (void)xfree(privmsg_enc_part->user_data.data);} #define cleanup_mesg() {(void)xfree(privmsg_enc_part);} - if (retval = krb5_timeofday(¤ttime)) { - cleanup_data(); - cleanup_mesg(); - return retval; - } - if (!in_clock_skew(privmsg_enc_part->timestamp)) { - cleanup_data(); - cleanup_mesg(); - return KRB5KRB_AP_ERR_SKEW; + if (!(priv_flags & KRB5_PRIV_NOTIME)) { + if (retval = krb5_timeofday(¤ttime)) { + cleanup_data(); + cleanup_mesg(); + return retval; + } + if (!in_clock_skew(privmsg_enc_part->timestamp)) { + cleanup_data(); + cleanup_mesg(); + return KRB5KRB_AP_ERR_SKEW; + } + /* replay detection goes here... XXX */ } - /* - * check with the replay cache should be inserted here !!!! - */ - + if (priv_flags & KRB5_PRIV_DOSEQUENCE) + if (privmsg_enc_part->seq_number != seq_number) { + cleanup_data(); + cleanup_mesg(); + return KRB5KRB_AP_ERR_BADSEQ; + } - if (sender_addr) { - krb5_fulladdr temp_sender; - krb5_fulladdr temp_recip; + if (privmsg_enc_part->r_address) { krb5_address **our_addrs; if (retval = krb5_os_localaddr(&our_addrs)) { @@ -175,21 +181,8 @@ OLDDECLARG(krb5_data *, outbuf) return KRB5KRB_AP_ERR_BADADDR; } krb5_free_address(our_addrs); - - temp_recip = *recv_addr; - temp_recip.address = privmsg_enc_part->r_address; - - temp_sender = *sender_addr; - temp_sender.address = privmsg_enc_part->s_address; - - computed_direction = ((krb5_fulladdr_order(&temp_sender, &temp_recip) > - 0) ? MSEC_DIRBIT : 0); - if (computed_direction != (privmsg_enc_part->msec & MSEC_DIRBIT)) { - cleanup_data(); - cleanup_mesg(); - return KRB5KRB_AP_ERR_BADDIRECTION; - } } + /* XXX check sender's address */ /* everything is ok - return data to the user */ diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c index cce02cb..0028ca7 100644 --- a/src/lib/krb5/krb/rd_req_dec.c +++ b/src/lib/krb5/krb/rd_req_dec.c @@ -81,11 +81,10 @@ krb5_tkt_authent *tktauthent; krb5_error_code retval; krb5_keyblock *tkt_key; krb5_keyblock tkt_key_real; - krb5_timestamp currenttime; + krb5_timestamp currenttime, starttime; - if ((server != NULL) && - (!krb5_principal_compare(server, req->ticket->server))) + if (server && !krb5_principal_compare(server, req->ticket->server)) return KRB5KRB_AP_WRONG_PRINC; /* if (req->ap_options & AP_OPTS_USE_SESSION_KEY) @@ -162,7 +161,14 @@ krb5_tkt_authent *tktauthent; return retval; } tktauthent->ticket = 0; - if (req->ticket->enc_part2->times.starttime - currenttime > krb5_clockskew) { + + /* if starttime is not in ticket, then treat it as authtime */ + if (req->ticket->enc_part2->times.starttime != 0) + starttime = req->ticket->enc_part2->times.starttime; + else + starttime = req->ticket->enc_part2->times.authtime; + + if (starttime - currenttime > krb5_clockskew) { clean_authenticator(); return KRB5KRB_AP_ERR_TKT_NYV; /* ticket not yet valid */ } diff --git a/src/lib/krb5/krb/rd_safe.c b/src/lib/krb5/krb/rd_safe.c index cd194e5..b6ab7dd 100644 --- a/src/lib/krb5/krb/rd_safe.c +++ b/src/lib/krb5/krb/rd_safe.c @@ -38,16 +38,17 @@ extern krb5_deltat krb5_clockskew; returns system errors, integrity errors */ krb5_error_code -krb5_rd_safe(inbuf, key, sender_addr, recv_addr, outbuf) +krb5_rd_safe(inbuf, key, sender_addr, recv_addr, seq_number, safe_flags, outbuf) const krb5_data *inbuf; const krb5_keyblock *key; -const krb5_fulladdr *sender_addr; -const krb5_fulladdr *recv_addr; +const krb5_address *sender_addr; +const krb5_address *recv_addr; +krb5_int32 seq_number; +krb5_int32 safe_flags; krb5_data *outbuf; { krb5_error_code retval; krb5_safe *message; - krb5_ui_2 computed_direction; krb5_checksum our_cksum, *his_cksum; krb5_octet zero_octet = 0; krb5_data *scratch; @@ -63,22 +64,30 @@ krb5_data *outbuf; if (!valid_cksumtype(message->checksum->checksum_type)) return KRB5_PROG_SUMTYPE_NOSUPP; + if (!is_coll_proof_cksum(message->checksum->checksum_type) || + !is_keyed_cksum(message->checksum->checksum_type)) + return KRB5KRB_AP_ERR_INAPP_CKSUM; if (retval = krb5_timeofday(¤ttime)) { cleanup(); return retval; } - /* in_clock_skew #defined above */ - if (!in_clock_skew(message->timestamp)) { - cleanup(); - return KRB5KRB_AP_ERR_SKEW; + if (!(safe_flags & KRB5_SAFE_NOTIME)) { + /* in_clock_skew #defined above */ + if (!in_clock_skew(message->timestamp)) { + cleanup(); + return KRB5KRB_AP_ERR_SKEW; + } + /* replay detection goes here... XXX */ } - /* replay detection goes here... XXX */ + if (safe_flags & KRB5_SAFE_DOSEQUENCE) + if (message->seq_number != seq_number) { + cleanup(); + return KRB5KRB_AP_ERR_BADSEQ; + } - if (sender_addr) { - krb5_fulladdr temp_sender; - krb5_fulladdr temp_recip; + if (message->r_address) { krb5_address **our_addrs; if (retval = krb5_os_localaddr(&our_addrs)) { @@ -91,21 +100,10 @@ krb5_data *outbuf; return KRB5KRB_AP_ERR_BADADDR; } krb5_free_address(our_addrs); - - temp_recip = *recv_addr; - temp_recip.address = message->r_address; - - temp_sender = *sender_addr; - temp_sender.address = message->s_address; - - computed_direction = ((krb5_fulladdr_order(&temp_sender, &temp_recip) > - 0) ? MSEC_DIRBIT : 0); - if (computed_direction != (message->msec & MSEC_DIRBIT)) { - cleanup(); - return KRB5KRB_AP_ERR_BADDIRECTION; - } } + /* XXX check sender's address */ + /* verify the checksum */ /* to do the checksum stuff, we need to re-encode the message with a zero-length zero-type checksum, then checksum the encoding, and verify. diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c index 9e8d159..164c677 100644 --- a/src/lib/krb5/krb/send_tgs.c +++ b/src/lib/krb5/krb/send_tgs.c @@ -24,7 +24,7 @@ static char rcsid_send_tgs_c[] = Sends a request to the TGS and waits for a response. options is used for the options in the KRB_TGS_REQ. timestruct values are used for from, till, rtime " " " - etype is used for etype " " " + etype is used for etype " " ", and to encrypt the authorization data, if present sumtype is used for the checksum in the AP_REQ in the KRB_TGS_REQ sname is used for sname " " " addrs, if non-NULL, is used for addresses " " " @@ -47,6 +47,7 @@ krb5_send_tgs(DECLARG(const krb5_flags, kdcoptions), DECLARG(krb5_const_principal, sname), DECLARG(krb5_address * const *, addrs), DECLARG(krb5_authdata * const *,authorization_data), + DECLARG(krb5_pa_data * const *, padata), DECLARG(const krb5_data *,second_ticket), DECLARG(krb5_creds *,usecred), DECLARG(krb5_response *,rep)) @@ -57,6 +58,7 @@ OLDDECLARG(const krb5_cksumtype, sumtype) OLDDECLARG(krb5_const_principal, sname) OLDDECLARG(krb5_address * const *, addrs) OLDDECLARG(krb5_authdata * const *,authorization_data) +OLDDECLARG(krb5_pa_data * const *, padata) OLDDECLARG(const krb5_data *,second_ticket) OLDDECLARG(krb5_creds *,usecred) OLDDECLARG(krb5_response *,rep) @@ -64,9 +66,16 @@ OLDDECLARG(krb5_response *,rep) krb5_error_code retval; krb5_kdc_req tgsreq; krb5_checksum ap_checksum; - krb5_data *scratch; + krb5_data *scratch, scratch2; krb5_ticket *sec_ticket = 0; krb5_ticket *sec_ticket_arr[2]; + krb5_enctype etypes[1]; + krb5_timestamp time_now; + krb5_pa_data **combined_padata; + krb5_pa_data ap_req_padata; + + if (!valid_etype(etype)) + return KRB5_PROG_ETYPE_NOSUPP; memset((char *)&tgsreq, 0, sizeof(tgsreq)); @@ -76,17 +85,73 @@ OLDDECLARG(krb5_response *,rep) tgsreq.from = timestruct->starttime; tgsreq.till = timestruct->endtime; tgsreq.rtime = timestruct->renew_till; - if (retval = krb5_timeofday(&tgsreq.ctime)) + if (retval = krb5_timeofday(&time_now)) return(retval); /* XXX we know they are the same size... */ - tgsreq.nonce = (krb5_int32) tgsreq.ctime; + tgsreq.nonce = (krb5_int32) time_now; + + etypes[0] = etype; + tgsreq.etype = etypes; + tgsreq.netypes = 1; - tgsreq.etype = etype; tgsreq.addresses = (krb5_address **) addrs; - tgsreq.authorization_data = (krb5_authdata **)authorization_data; + + if (authorization_data) { + /* need to encrypt it in the request */ + + krb5_encrypt_block eblock; + + if (retval = encode_krb5_authdata(authorization_data, &scratch)) + return(retval); + krb5_use_cstype(&eblock, etype); + tgsreq.authorization_data.ciphertext.length = + krb5_encrypt_size(scratch->length, + eblock.crypto_entry); + /* add padding area, and zero it */ + if (!(scratch->data = realloc(scratch->data, + tgsreq.authorization_data.ciphertext.length))) { + /* may destroy scratch->data */ + xfree(scratch); + return ENOMEM; + } + memset(scratch->data + scratch->length, 0, + tgsreq.authorization_data.ciphertext.length - scratch->length); + if (!(tgsreq.authorization_data.ciphertext.data = + malloc(tgsreq.authorization_data.ciphertext.length))) { + krb5_free_data(scratch); + return ENOMEM; + } + if (retval = krb5_process_key(&eblock, &usecred->keyblock)) { + krb5_free_data(scratch); + return retval; + } + /* call the encryption routine */ + if (retval = krb5_encrypt((krb5_pointer) scratch->data, + (krb5_pointer) tgsreq.authorization_data.ciphertext.data, + scratch->length, &eblock, 0)) { + (void) krb5_finish_key(&eblock); + xfree(tgsreq.authorization_data.ciphertext.data); + krb5_free_data(scratch); + return retval; + } + krb5_free_data(scratch); + if (retval = krb5_finish_key(&eblock)) { + xfree(tgsreq.authorization_data.ciphertext.data); + return retval; + } + } +#define cleanup_authdata() { if (tgsreq.authorization_data.ciphertext.data) {\ + (void) memset(tgsreq.authorization_data.ciphertext.data, 0,\ + tgsreq.authorization_data.ciphertext.length); \ + xfree(tgsreq.authorization_data.ciphertext.data);}} + + + if (second_ticket) { - if (retval = decode_krb5_ticket(second_ticket, &sec_ticket)) + if (retval = decode_krb5_ticket(second_ticket, &sec_ticket)) { + cleanup_authdata(); return retval; + } sec_ticket_arr[0] = sec_ticket; sec_ticket_arr[1] = 0; tgsreq.second_ticket = sec_ticket_arr; @@ -100,6 +165,7 @@ OLDDECLARG(krb5_response *,rep) if (retval) { if (sec_ticket) krb5_free_ticket(sec_ticket); + cleanup_authdata(); return(retval); } @@ -108,6 +174,7 @@ OLDDECLARG(krb5_response *,rep) if (sec_ticket) krb5_free_ticket(sec_ticket); krb5_free_data(scratch); + cleanup_authdata(); return ENOMEM; } @@ -121,6 +188,7 @@ OLDDECLARG(krb5_response *,rep) krb5_free_ticket(sec_ticket); xfree(ap_checksum.contents); krb5_free_data(scratch); + cleanup_authdata(); return retval; } /* done with body */ @@ -130,8 +198,6 @@ OLDDECLARG(krb5_response *,rep) if (sec_ticket) krb5_free_ticket(sec_ticket);} /* attach ap_req to the tgsreq */ - tgsreq.padata_type = KRB5_PADATA_AP_REQ; - /* * Get an ap_req. */ @@ -139,25 +205,62 @@ OLDDECLARG(krb5_response *,rep) &ap_checksum, 0, /* don't need times */ 0L, /* don't need kdc_options for this */ + 0, /* no initial sequence */ + 0, /* no new key */ 0, /* no ccache--already have creds */ usecred, 0, /* don't need authenticator */ - &tgsreq.padata)) { + &scratch2)) { cleanup(); + cleanup_authdata(); return retval; } + ap_req_padata.pa_type = KRB5_PADATA_AP_REQ; + ap_req_padata.length = scratch2.length; + ap_req_padata.contents = (krb5_octet *)scratch2.data; + + /* combine in any other supplied padata */ + if (padata) { + krb5_pa_data * const * counter; + register int i = 0; + for (counter = padata; *counter; counter++, i++); + combined_padata = (krb5_pa_data **)malloc(i+2); + if (!combined_padata) { + cleanup(); + cleanup_authdata(); + return ENOMEM; + } + combined_padata[0] = &ap_req_padata; + for (i = 1, counter = padata; *counter; counter++, i++) + combined_padata[i] = (krb5_pa_data *) *counter; + combined_padata[i] = 0; + } else { + combined_padata = (krb5_pa_data **)malloc(2*sizeof(*combined_padata)); + if (!combined_padata) { + cleanup(); + cleanup_authdata(); + return ENOMEM; + } + combined_padata[0] = &ap_req_padata; + combined_padata[1] = 0; + } + tgsreq.padata = combined_padata; /* the TGS_REQ is assembled in tgsreq, so encode it */ if (retval = encode_krb5_tgs_req(&tgsreq, &scratch)) { cleanup(); + cleanup_authdata(); + xfree(combined_padata); return(retval); } if (sec_ticket) krb5_free_ticket(sec_ticket); + cleanup_authdata(); + xfree(combined_padata); +#undef cleanup_authdata #undef cleanup -#define cleanup() {(void) free(tgsreq.padata.data); \ - xfree(ap_checksum.contents);} +#define cleanup() {xfree(ap_checksum.contents);} /* now send request & get response from KDC */ retval = krb5_sendto_kdc(scratch, krb5_princ_realm(sname), diff --git a/src/lib/krb5/os/Imakefile b/src/lib/krb5/os/Imakefile index 17d11d0..00ec030 100644 --- a/src/lib/krb5/os/Imakefile +++ b/src/lib/krb5/os/Imakefile @@ -22,7 +22,6 @@ OBJS= \ localaddr.o \ locate_kdc.o \ lock_file.o \ - mstime.o \ net_read.o \ net_write.o \ osconfig.o \ @@ -30,7 +29,8 @@ OBJS= \ read_pwd.o \ sendto_kdc.o \ timeofday.o \ - unlck_file.o + unlck_file.o \ + ustime.o SRCS= \ an_to_ln.c \ @@ -45,7 +45,6 @@ SRCS= \ localaddr.c \ locate_kdc.c \ lock_file.c \ - mstime.c \ net_read.c \ net_write.c \ osconfig.c \ @@ -53,6 +52,8 @@ SRCS= \ rnd_confoun.c \ sendto_kdc.c \ timeofday.c \ - unlck_file.c + unlck_file.c \ + ustime.c + NormalLibraryTarget(os,${OBJS}) diff --git a/src/lib/krb5/os/ustime.c b/src/lib/krb5/os/ustime.c index 7d48d4a..974e942 100644 --- a/src/lib/krb5/os/ustime.c +++ b/src/lib/krb5/os/ustime.c @@ -25,9 +25,8 @@ static char rcsid_mstime_c[] = extern int errno; krb5_error_code -krb5_ms_timeofday(seconds, milliseconds) -register krb5_int32 *seconds; -register krb5_ui_2 *milliseconds; +krb5_us_timeofday(seconds, microseconds) +register krb5_int32 *seconds, *microseconds; { struct timeval tv; @@ -36,6 +35,6 @@ register krb5_ui_2 *milliseconds; return (krb5_error_code) errno; } *seconds = tv.tv_sec; - *milliseconds = tv.tv_usec / 1000; + *microseconds = tv.tv_usec; return 0; } diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c index d418892..e4022a6 100644 --- a/src/lib/krb5/rcache/rc_dfl.c +++ b/src/lib/krb5/rcache/rc_dfl.c @@ -73,7 +73,7 @@ struct auth_replay { char *server; /* null-terminated */ char *client; /* null-terminated */ - krb5_ui_2 cmsec; + krb5_int32 cusec; krb5_timestamp ctime; } ; @@ -82,7 +82,7 @@ static int hash(rep, hsize) struct auth_replay *rep; int hsize; { - return (((rep->cmsec + rep->ctime + *rep->server + *rep->client) + return (((rep->cusec + rep->ctime + *rep->server + *rep->client) % hsize) + hsize) % hsize; /* We take this opportunity to once again complain about C's idiotic %. */ } @@ -92,7 +92,7 @@ krb5_tkt_authent *auth; struct auth_replay *rep; { krb5_error_code retval; - rep->cmsec = auth->authenticator->cmsec; + rep->cusec = auth->authenticator->cusec; rep->ctime = auth->authenticator->ctime; if (retval = krb5_unparse_name(auth->ticket->server,&rep->server)) return retval; /* shouldn't happen */ @@ -114,7 +114,7 @@ struct auth_replay *old; struct auth_replay *new; krb5_deltat t; { - if ((old->cmsec == new->cmsec) && /* most likely to distinguish */ + if ((old->cusec == new->cusec) && /* most likely to distinguish */ (old->ctime == new->ctime) && (strcmp(old->client,new->client) == 0) && (strcmp(old->server,new->server) == 0)) /* always true */ @@ -332,7 +332,7 @@ krb5_rcache id; case KRB5_RC_IO_EOF: FREE3; goto end_loop; case 0: break; default: FREE3; return KRB5_RC_IO; break; } - switch(krb5_rc_io_read(&t->d,(krb5_pointer) &rep->cmsec,sizeof(rep->cmsec))) + switch(krb5_rc_io_read(&t->d,(krb5_pointer) &rep->cusec,sizeof(rep->cusec))) { case KRB5_RC_IO_EOF: FREE3; goto end_loop; case 0: break; default: FREE3; return KRB5_RC_IO; break; @@ -386,7 +386,7 @@ krb5_tkt_authent *auth; return KRB5_RC_IO; if (krb5_rc_io_write(&t->d,(krb5_pointer) rep->server,i)) return KRB5_RC_IO; - if (krb5_rc_io_write(&t->d,(krb5_pointer) &rep->cmsec,sizeof(rep->cmsec))) + if (krb5_rc_io_write(&t->d,(krb5_pointer) &rep->cusec,sizeof(rep->cusec))) return KRB5_RC_IO; if (krb5_rc_io_write(&t->d,(krb5_pointer) &rep->ctime,sizeof(rep->ctime))) return KRB5_RC_IO; @@ -461,7 +461,7 @@ krb5_rcache id; return KRB5_RC_IO; if (krb5_rc_io_write(&tmp,(krb5_pointer) q->rep.server,i)) return KRB5_RC_IO; - if (krb5_rc_io_write(&tmp,(krb5_pointer) &q->rep.cmsec,sizeof(q->rep.cmsec))) + if (krb5_rc_io_write(&tmp,(krb5_pointer) &q->rep.cusec,sizeof(q->rep.cusec))) return KRB5_RC_IO; if (krb5_rc_io_write(&tmp,(krb5_pointer) &q->rep.ctime,sizeof(q->rep.ctime))) return KRB5_RC_IO; |