diff options
Diffstat (limited to 'src/lib')
198 files changed, 10174 insertions, 3038 deletions
diff --git a/src/lib/ChangeLog b/src/lib/ChangeLog index bfa7678..860408b 100644 --- a/src/lib/ChangeLog +++ b/src/lib/ChangeLog @@ -1,3 +1,65 @@ +2004-03-31 Jeffrey Altman <jaltman@mit.edu> + + * Makefile.in: Delay Load the ADVAPI32.DLL and SECUR32.DLL libraries + to enable the KRB5_32.DLL to load on Windows 9x systems which do + not support the LSA Kerberos functionality. + +2003-12-18 Jeffrey Altman <jaltman@mit.edu> + + * krb5_32.def: Remove exports added on 2003-12-13. Moved + to krb5int_accessor + +2003-12-13 Jeffrey Altman <jaltman@mit.edu> + + * krb4_32.def: Remove exports from KfM not yet compiled in KfW + krb_ad_tkt, krb_pw_tkt, kuserok, tkt_string, FSp_xxx + + * krb5_32.def: Add exports of private functions necessary for + building new gssapi32.dll: + krb5int_c_mandatory_cksumtype ; PRIVATE GSSAPI k5-int.h + krb5_ser_pack_int64 ; PRIVATE GSSAPI k5-int.h + krb5_ser_unpack_int64 ; PRIVATE GSSAPI k5-int.h + +2003-12-11 Jeffrey Altman <jaltman@mit.edu> + + * Makefile.in: Add secur32.lib to libraries necessary to build + krb5_32.dll. Necessary to support the new MSLSA ccache type. + +2003-12-08 Jeffrey Altman <jaltman@mit.edu> + + * krb4_32.def: Add exports for functions exported by KfM + +2003-07-21 Alexandra Ellwood <lxs@mit.edu> + + * krb5_32.def: Export krb5_principal2salt. + +2003-07-18 Jeffrey Altman <jaltman@mit.edu> + + * gssapi32.def: Export GSS OID constants + +2003-07-09 Alexandra Ellwood <lxs@mit.edu> + + * krb5_32.def: Export krb5_get_permitted_enctypes and + krb5_set_real_time for Samba. + +2003-05-27 Ken Raeburn <raeburn@mit.edu> + + * krb5_32.def: Add krb5_524_convert_creds. + +2003-05-08 Sam Hartman <hartmans@mit.edu> + + * krb5_32.def: Add krb5_c_string_to_key_with_params + +2003-05-09 Tom Yu <tlyu@mit.edu> + + * krb5_32.def: Add krb5_auth_con_getrecvsubkey, + krb5_auth_con_getsendsubkey, krb5_auth_con_setrecvsubkey, + krb5_auth_con_setsendsubkey. + +2003-04-15 Sam Hartman <hartmans@mit.edu> + + * krb5_32.def: Add krb5_set_password and krb5_set_password_using_ccache + 2003-02-10 Tom Yu <tlyu@mit.edu> * Makefile.in (K4LIBS): Revert previous. diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in index 01a4351..88d2d29 100644 --- a/src/lib/Makefile.in +++ b/src/lib/Makefile.in @@ -52,8 +52,9 @@ KRB5RC = krb5.rc VERSIONRC = $(BUILDTOP)\windows\version.rc WINLIBS = kernel32.lib ws2_32.lib user32.lib shell32.lib oldnames.lib \ - version.lib advapi32.lib gdi32.lib -WINDLLFLAGS = $(DLL_LINKOPTS) -base:0x1c000000 + version.lib secur32.lib advapi32.lib gdi32.lib delayimp.lib +WINDLLFLAGS = $(DLL_LINKOPTS) -base:0x1c000000 /DELAYLOAD:secur32.dll \ + /DELAYLOAD:advapi32.dll /DELAY:UNLOAD /DELAY:NOBIND NO_GLUE=$(OUTPRE)no_glue.obj K5_GLUE=$(OUTPRE)k5_glue.obj diff --git a/src/lib/crypto/ChangeLog b/src/lib/crypto/ChangeLog index 6f73ddf..c69d4f2 100644 --- a/src/lib/crypto/ChangeLog +++ b/src/lib/crypto/ChangeLog @@ -1,3 +1,71 @@ +2004-03-22 Ken Raeburn <raeburn@mit.edu> + + * pbkdf2.c (hmac1): Make a local copy of the supplied keyblock + structure, in case we want to modify it. + +2004-02-13 Ken Raeburn <raeburn@mit.edu> + + * t_encrypt.c (compare_results): New function. + (main): Use it to check decryption results against the original + plaintext. When testing with cipher state, encrypt and then + decrypt (and verify) two messages. + * Makefile.in (t_encrypt$(EXEEXT)): Depend on CRYPTO_DEPLIB. + +2004-02-09 Ken Raeburn <raeburn@mit.edu> + + * t_cts.c (test_cts): Process encryption and decryption IVs + separately, make sure they match, and display the value. + +2003-12-13 Ken Raeburn <raeburn@mit.edu> + + * etypes.c (krb5_enctypes_list): Fill in required_ctype field. + * mandatory_sumtype.c: New file. + * Makefile.in (SRCS, OBJS, STLIBOBJS): Build it. + +2003-07-13 Kenneth Raeburn <raeburn@mit.edu> + + * pbkdf2.c (foo): Never call com_err. + +2003-06-25 Ken Raeburn <raeburn@mit.edu> + + * checksum_length.c (krb5_c_checksum_length): Handle trunc_size. + +2003-06-23 Ken Raeburn <raeburn@mit.edu> + + * cksumtypes.c (krb5_cksumtypes_list): Add aes128/256 hmacs, with + new trunc_size field. + + * make_checksum.c (krb5_c_make_checksum): If trunc_size is + specified, shrink the computed checksum down to the indicated + size. + +2003-06-05 Sam Hartman <hartmans@mit.edu> + + * string_to_key.c (krb5_c_string_to_key_with_params): Only allow + AFS s2k for DES enctypes + +2003-05-15 Sam Hartman <hartmans@mit.edu> + + * combine_keys.c (enctype_ok): new function to determine if we support combine_keys for a particular enctype + +2003-05-13 Ken Raeburn <raeburn@mit.edu> + + * etypes.c (krb5_enctypes_list): Add names aes128-cts and + aes256-cts as aliases. + +2003-05-08 Sam Hartman <hartmans@mit.edu> + + * string_to_key.c: Move krb5_c_string_to_key_with_params to krb5.h + +2003-04-13 Ken Raeburn <raeburn@mit.edu> + + * pbkdf2.c (krb5int_pbkdf2): Provide a temporary buffer for the + output from F, if the remaining space in the output buffer isn't + big enough. Free the temporary buffers before returning. + + * etypes.c (krb5_enctypes_list): Use krb5int_aes_encrypt_length, + and krb5int_aes_dk_encrypt, and krb5int_aes_dk_decrypt for AES. + 2003-03-06 Alexandra Ellwood <lxs@mit.edu> * prng.c: use Unix randomness sources on Mac OS X. diff --git a/src/lib/crypto/Makefile.in b/src/lib/crypto/Makefile.in index e571ef7..2169d13 100644 --- a/src/lib/crypto/Makefile.in +++ b/src/lib/crypto/Makefile.in @@ -54,6 +54,7 @@ STLIBOBJS=\ keyed_checksum_types.o \ make_checksum.o \ make_random_key.o \ + mandatory_sumtype.o \ nfold.o \ old_api_glue.o \ pbkdf2.o \ @@ -86,6 +87,7 @@ OBJS=\ $(OUTPRE)keyed_checksum_types.$(OBJEXT) \ $(OUTPRE)make_checksum.$(OBJEXT) \ $(OUTPRE)make_random_key.$(OBJEXT) \ + $(OUTPRE)mandatory_sumtype.$(OBJEXT) \ $(OUTPRE)nfold.$(OBJEXT) \ $(OUTPRE)old_api_glue.$(OBJEXT) \ $(OUTPRE)pbkdf2.$(OBJEXT) \ @@ -118,6 +120,7 @@ SRCS=\ $(srcdir)/keyed_checksum_types.c\ $(srcdir)/make_checksum.c \ $(srcdir)/make_random_key.c \ + $(srcdir)/mandatory_sumtype.c \ $(srcdir)/nfold.c \ $(srcdir)/old_api_glue.c \ $(srcdir)/pbkdf2.c \ @@ -177,7 +180,7 @@ check-unix:: t_nfold t_encrypt t_prng t_hmac t_pkcs5 t_nfold$(EXEEXT): t_nfold.$(OBJEXT) nfold.$(OBJEXT) $(CC_LINK) -o $@ t_nfold.$(OBJEXT) nfold.$(OBJEXT) -t_encrypt$(EXEEXT): t_encrypt.$(OBJEXT) nfold.$(OBJEXT) +t_encrypt$(EXEEXT): t_encrypt.$(OBJEXT) nfold.$(OBJEXT) $(CRYPTO_DEPLIB) $(CC_LINK) -o $@ t_encrypt.$(OBJEXT) -lkrb5 -lk5crypto -lcom_err t_prng$(EXEEXT): t_prng.$(OBJEXT) @@ -348,206 +351,224 @@ check-windows:: # block_size.so block_size.po $(OUTPRE)block_size.$(OBJEXT): block_size.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h etypes.h + etypes.h checksum_length.so checksum_length.po $(OUTPRE)checksum_length.$(OBJEXT): checksum_length.c \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - cksumtypes.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h cksumtypes.h cksumtype_to_string.so cksumtype_to_string.po $(OUTPRE)cksumtype_to_string.$(OBJEXT): cksumtype_to_string.c \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - cksumtypes.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h cksumtypes.h cksumtypes.so cksumtypes.po $(OUTPRE)cksumtypes.$(OBJEXT): cksumtypes.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(srcdir)/hash_provider/hash_provider.h \ - $(srcdir)/keyhash_provider/keyhash_provider.h cksumtypes.h + $(srcdir)/hash_provider/hash_provider.h $(srcdir)/keyhash_provider/keyhash_provider.h \ + cksumtypes.h coll_proof_cksum.so coll_proof_cksum.po $(OUTPRE)coll_proof_cksum.$(OBJEXT): coll_proof_cksum.c \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - cksumtypes.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h cksumtypes.h combine_keys.so combine_keys.po $(OUTPRE)combine_keys.$(OBJEXT): combine_keys.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h etypes.h $(srcdir)/dk/dk.h + etypes.h $(srcdir)/dk/dk.h crypto_libinit.so crypto_libinit.po $(OUTPRE)crypto_libinit.$(OBJEXT): crypto_libinit.c \ crypto_libinit.h default_state.so default_state.po $(OUTPRE)default_state.$(OBJEXT): default_state.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h decrypt.so decrypt.po $(OUTPRE)decrypt.$(OBJEXT): decrypt.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h etypes.h + etypes.h encrypt.so encrypt.po $(OUTPRE)encrypt.$(OBJEXT): encrypt.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h etypes.h + etypes.h encrypt_length.so encrypt_length.po $(OUTPRE)encrypt_length.$(OBJEXT): encrypt_length.c \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - etypes.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h etypes.h enctype_compare.so enctype_compare.po $(OUTPRE)enctype_compare.$(OBJEXT): enctype_compare.c \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - etypes.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h etypes.h enctype_to_string.so enctype_to_string.po $(OUTPRE)enctype_to_string.$(OBJEXT): enctype_to_string.c \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - etypes.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h etypes.h etypes.so etypes.po $(OUTPRE)etypes.$(OBJEXT): etypes.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(srcdir)/enc_provider/enc_provider.h \ - $(srcdir)/hash_provider/hash_provider.h etypes.h $(srcdir)/old/old.h \ - $(srcdir)/raw/raw.h $(srcdir)/dk/dk.h $(srcdir)/arcfour/arcfour.h \ - $(srcdir)/aes/aes_s2k.h + $(srcdir)/enc_provider/enc_provider.h $(srcdir)/hash_provider/hash_provider.h \ + etypes.h $(srcdir)/old/old.h $(srcdir)/raw/raw.h $(srcdir)/dk/dk.h \ + $(srcdir)/arcfour/arcfour.h $(srcdir)/aes/aes_s2k.h hmac.so hmac.po $(OUTPRE)hmac.$(OBJEXT): hmac.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h keyed_cksum.so keyed_cksum.po $(OUTPRE)keyed_cksum.$(OBJEXT): keyed_cksum.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h cksumtypes.h + cksumtypes.h keyed_checksum_types.so keyed_checksum_types.po $(OUTPRE)keyed_checksum_types.$(OBJEXT): keyed_checksum_types.c \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - etypes.h cksumtypes.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h etypes.h cksumtypes.h make_checksum.so make_checksum.po $(OUTPRE)make_checksum.$(OBJEXT): make_checksum.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h cksumtypes.h etypes.h \ - $(srcdir)/dk/dk.h + cksumtypes.h etypes.h $(srcdir)/dk/dk.h make_random_key.so make_random_key.po $(OUTPRE)make_random_key.$(OBJEXT): make_random_key.c \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - etypes.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h etypes.h +mandatory_sumtype.so mandatory_sumtype.po $(OUTPRE)mandatory_sumtype.$(OBJEXT): mandatory_sumtype.c \ + $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h etypes.h nfold.so nfold.po $(OUTPRE)nfold.$(OBJEXT): nfold.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h old_api_glue.so old_api_glue.po $(OUTPRE)old_api_glue.$(OBJEXT): old_api_glue.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h pbkdf2.so pbkdf2.po $(OUTPRE)pbkdf2.$(OBJEXT): pbkdf2.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(srcdir)/hash_provider/hash_provider.h + $(srcdir)/hash_provider/hash_provider.h prng.so prng.po $(OUTPRE)prng.$(OBJEXT): prng.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(srcdir)/enc_provider/enc_provider.h \ - $(srcdir)/yarrow/yarrow.h $(srcdir)/yarrow/ytypes.h \ - $(srcdir)/yarrow/yhash.h $(srcdir)/sha1/shs.h $(srcdir)/yarrow/ycipher.h + $(srcdir)/enc_provider/enc_provider.h $(srcdir)/yarrow/yarrow.h \ + $(srcdir)/yarrow/ytypes.h $(srcdir)/yarrow/yhash.h \ + $(srcdir)/sha1/shs.h $(srcdir)/yarrow/ycipher.h state.so state.po $(OUTPRE)state.$(OBJEXT): state.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h etypes.h + etypes.h string_to_cksumtype.so string_to_cksumtype.po $(OUTPRE)string_to_cksumtype.$(OBJEXT): string_to_cksumtype.c \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - cksumtypes.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h cksumtypes.h string_to_enctype.so string_to_enctype.po $(OUTPRE)string_to_enctype.$(OBJEXT): string_to_enctype.c \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - etypes.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h etypes.h string_to_key.so string_to_key.po $(OUTPRE)string_to_key.$(OBJEXT): string_to_key.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h etypes.h + etypes.h valid_cksumtype.so valid_cksumtype.po $(OUTPRE)valid_cksumtype.$(OBJEXT): valid_cksumtype.c \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - cksumtypes.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h cksumtypes.h valid_enctype.so valid_enctype.po $(OUTPRE)valid_enctype.$(OBJEXT): valid_enctype.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h etypes.h + etypes.h verify_checksum.so verify_checksum.po $(OUTPRE)verify_checksum.$(OBJEXT): verify_checksum.c \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - cksumtypes.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h cksumtypes.h t_nfold.so t_nfold.po $(OUTPRE)t_nfold.$(OBJEXT): t_nfold.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h t_encrypt.so t_encrypt.po $(OUTPRE)t_encrypt.$(OBJEXT): t_encrypt.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h etypes.h + etypes.h t_prng.so t_prng.po $(OUTPRE)t_prng.$(OBJEXT): t_prng.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h t_hmac.so t_hmac.po $(OUTPRE)t_hmac.$(OBJEXT): t_hmac.c $(BUILDTOP)/include/krb5.h \ $(COM_ERR_DEPS) $(srcdir)/hash_provider/hash_provider.h \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h t_pkcs5.so t_pkcs5.po $(OUTPRE)t_pkcs5.$(OBJEXT): t_pkcs5.c $(BUILDTOP)/include/krb5.h \ $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h t_cts.so t_cts.po $(OUTPRE)t_cts.$(OBJEXT): t_cts.c $(BUILDTOP)/include/krb5.h \ $(COM_ERR_DEPS) $(srcdir)/hash_provider/hash_provider.h \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h vectors.so vectors.po $(OUTPRE)vectors.$(OBJEXT): vectors.c $(BUILDTOP)/include/krb5.h \ $(COM_ERR_DEPS) $(srcdir)/hash_provider/hash_provider.h \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h diff --git a/src/lib/crypto/aes/ChangeLog b/src/lib/crypto/aes/ChangeLog index 443aabd..5852b3b 100644 --- a/src/lib/crypto/aes/ChangeLog +++ b/src/lib/crypto/aes/ChangeLog @@ -1,3 +1,18 @@ +2003-05-13 Ken Raeburn <raeburn@mit.edu> + + * aes_s2k.c (DEFAULT_ITERATION_COUNT): New macro; define to 4096. + (MAX_ITERATION_COUNT): New macro. + (krb5int_aes_string_to_key): Use them. + +2003-04-29 Ken Raeburn <raeburn@mit.edu> + + * uitypes.h: Use inttypes.h if HAVE_INTTYPES_H is defined. + +2003-04-13 Ken Raeburn <raeburn@mit.edu> + + * aes_s2k.c (krb5int_aes_string_to_key): Return an error if the + supplied iteration count is really, really large. + 2003-03-04 Ken Raeburn <raeburn@mit.edu> * aes_s2k.c, aes_s2k.h: New files. diff --git a/src/lib/crypto/aes/Makefile.in b/src/lib/crypto/aes/Makefile.in index d14f0f9..4a1064a 100644 --- a/src/lib/crypto/aes/Makefile.in +++ b/src/lib/crypto/aes/Makefile.in @@ -83,7 +83,8 @@ aeskey.so aeskey.po $(OUTPRE)aeskey.$(OBJEXT): aeskey.c aesopt.h aes.h \ uitypes.h aes_s2k.so aes_s2k.po $(OUTPRE)aes_s2k.$(OBJEXT): aes_s2k.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h aes_s2k.h + $(srcdir)/../dk/dk.h aes_s2k.h diff --git a/src/lib/crypto/aes/aes_s2k.c b/src/lib/crypto/aes/aes_s2k.c index f3670d7..9d48bd0 100644 --- a/src/lib/crypto/aes/aes_s2k.c +++ b/src/lib/crypto/aes/aes_s2k.c @@ -1,9 +1,39 @@ -/* Insert MIT copyright here. */ +/* + * lib/crypto/aes/aes_s2k.c + * + * Copyright 2003 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * krb5int_aes_string_to_key + */ #include "k5-int.h" #include "dk.h" #include "aes_s2k.h" +#define DEFAULT_ITERATION_COUNT 4096 /* was 0xb000L in earlier drafts */ +#define MAX_ITERATION_COUNT 0x1000000L + krb5_error_code krb5int_aes_string_to_key(const struct krb5_enc_provider *enc, const krb5_data *string, @@ -27,7 +57,13 @@ krb5int_aes_string_to_key(const struct krb5_enc_provider *enc, return KRB5_ERR_BAD_S2K_PARAMS; } } else - iter_count = 0xb000L; + iter_count = DEFAULT_ITERATION_COUNT; + + /* This is not a protocol specification constraint; this is an + implementation limit, which should eventually be controlled by + a config file. */ + if (iter_count >= MAX_ITERATION_COUNT) + return KRB5_ERR_BAD_S2K_PARAMS; /* * Dense key space, no parity bits or anything, so take a shortcut diff --git a/src/lib/crypto/aes/uitypes.h b/src/lib/crypto/aes/uitypes.h index 4e50ef7..02dd3b0 100644 --- a/src/lib/crypto/aes/uitypes.h +++ b/src/lib/crypto/aes/uitypes.h @@ -44,7 +44,7 @@ #endif #endif -#if defined HAS_INTTYPES_H +#if defined HAS_INTTYPES_H || defined HAVE_INTTYPES_H #include <inttypes.h> #define s_u32 u #define s_u64 ull diff --git a/src/lib/crypto/arcfour/Makefile.in b/src/lib/crypto/arcfour/Makefile.in index 8c33066..329feb4 100644 --- a/src/lib/crypto/arcfour/Makefile.in +++ b/src/lib/crypto/arcfour/Makefile.in @@ -45,13 +45,14 @@ clean-unix:: clean-libobjs # arcfour.so arcfour.po $(OUTPRE)arcfour.$(OBJEXT): arcfour.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h arcfour-int.h arcfour.h + arcfour-int.h arcfour.h string_to_key.so string_to_key.po $(OUTPRE)string_to_key.$(OBJEXT): string_to_key.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(srcdir)/../md4/rsa-md4.h \ - arcfour-int.h arcfour.h + $(srcdir)/../md4/rsa-md4.h arcfour-int.h arcfour.h diff --git a/src/lib/crypto/checksum_length.c b/src/lib/crypto/checksum_length.c index 80040b2..f3886f4 100644 --- a/src/lib/crypto/checksum_length.c +++ b/src/lib/crypto/checksum_length.c @@ -45,6 +45,8 @@ krb5_c_checksum_length(context, cksumtype, length) if (krb5_cksumtypes_list[i].keyhash) (*(krb5_cksumtypes_list[i].keyhash->hash_size))(length); + else if (krb5_cksumtypes_list[i].trunc_size) + *length = krb5_cksumtypes_list[i].trunc_size; else (*(krb5_cksumtypes_list[i].hash->hash_size))(length); diff --git a/src/lib/crypto/cksumtypes.c b/src/lib/crypto/cksumtypes.c index 76882f8..ae7ed5f 100644 --- a/src/lib/crypto/cksumtypes.c +++ b/src/lib/crypto/cksumtypes.c @@ -84,6 +84,14 @@ const struct krb5_cksumtypes krb5_cksumtypes_list[] = { ENCTYPE_ARCFOUR_HMAC, &krb5int_keyhash_hmac_md5, NULL }, + { CKSUMTYPE_HMAC_SHA1_96_AES128, KRB5_CKSUMFLAG_DERIVE, + "hmac-sha1-96-aes128", "HMAC-SHA1 AES128 key", + 0, NULL, + &krb5int_hash_sha1, 12 }, + { CKSUMTYPE_HMAC_SHA1_96_AES256, KRB5_CKSUMFLAG_DERIVE, + "hmac-sha1-96-aes256", "HMAC-SHA1 AES256 key", + 0, NULL, + &krb5int_hash_sha1, 12 }, }; const int krb5_cksumtypes_length = diff --git a/src/lib/crypto/combine_keys.c b/src/lib/crypto/combine_keys.c index 6466a95..9aad8f5 100644 --- a/src/lib/crypto/combine_keys.c +++ b/src/lib/crypto/combine_keys.c @@ -50,6 +50,25 @@ static krb5_error_code dr (const struct krb5_enc_provider *enc, const krb5_keyblock *inkey, unsigned char *outdata, const krb5_data *in_constant); +/* + * We only support this combine_keys algorithm for des and 3des keys. + * Everything else should use the PRF defined in the crypto framework. + * We don't implement that yet. + */ + +static krb5_boolean enctype_ok (krb5_enctype e) +{ + switch (e) { + case ENCTYPE_DES_CBC_CRC: + case ENCTYPE_DES_CBC_MD4: + case ENCTYPE_DES_CBC_MD5: + case ENCTYPE_DES3_CBC_SHA1: + return 1; + default: + return 0; + } +} + krb5_error_code krb5int_c_combine_keys (krb5_context context, krb5_keyblock *key1, krb5_keyblock *key2, krb5_keyblock *outkey) { @@ -60,6 +79,9 @@ krb5_error_code krb5int_c_combine_keys krb5_keyblock tkey; krb5_error_code ret; int i, myalloc = 0; + if (!(enctype_ok(key1->enctype)&&enctype_ok(key2->enctype))) + return (KRB5_CRYPTO_INTERNAL); + if (key1->length != key2->length || key1->enctype != key2->enctype) return (KRB5_CRYPTO_INTERNAL); diff --git a/src/lib/crypto/crc32/Makefile.in b/src/lib/crypto/crc32/Makefile.in index 09d2404..29e0939 100644 --- a/src/lib/crypto/crc32/Makefile.in +++ b/src/lib/crypto/crc32/Makefile.in @@ -46,7 +46,8 @@ t_crc: t_crc.o crc32.o # crc32.so crc32.po $(OUTPRE)crc32.$(OBJEXT): crc32.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h crc-32.h + crc-32.h diff --git a/src/lib/crypto/des/Makefile.in b/src/lib/crypto/des/Makefile.in index f8065d7..607cc5f 100644 --- a/src/lib/crypto/des/Makefile.in +++ b/src/lib/crypto/des/Makefile.in @@ -100,61 +100,68 @@ clean-unix:: clean-libobjs # afsstring2key.so afsstring2key.po $(OUTPRE)afsstring2key.$(OBJEXT): afsstring2key.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h des_int.h $(SRCTOP)/include/kerberosIV/des.h + des_int.h $(SRCTOP)/include/kerberosIV/des.h d3_cbc.so d3_cbc.po $(OUTPRE)d3_cbc.$(OBJEXT): d3_cbc.c des_int.h $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/des.h \ - f_tables.h + $(SRCTOP)/include/kerberosIV/des.h f_tables.h d3_kysched.so d3_kysched.po $(OUTPRE)d3_kysched.$(OBJEXT): d3_kysched.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h des_int.h $(SRCTOP)/include/kerberosIV/des.h + des_int.h $(SRCTOP)/include/kerberosIV/des.h f_cbc.so f_cbc.po $(OUTPRE)f_cbc.$(OBJEXT): f_cbc.c des_int.h $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/des.h \ - f_tables.h + $(SRCTOP)/include/kerberosIV/des.h f_tables.h f_cksum.so f_cksum.po $(OUTPRE)f_cksum.$(OBJEXT): f_cksum.c des_int.h $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/des.h \ - f_tables.h + $(SRCTOP)/include/kerberosIV/des.h f_tables.h f_parity.so f_parity.po $(OUTPRE)f_parity.$(OBJEXT): f_parity.c des_int.h $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/des.h + $(SRCTOP)/include/kerberosIV/des.h f_sched.so f_sched.po $(OUTPRE)f_sched.$(OBJEXT): f_sched.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h des_int.h $(SRCTOP)/include/kerberosIV/des.h + des_int.h $(SRCTOP)/include/kerberosIV/des.h f_tables.so f_tables.po $(OUTPRE)f_tables.$(OBJEXT): f_tables.c des_int.h $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/des.h \ - f_tables.h + $(SRCTOP)/include/kerberosIV/des.h f_tables.h key_sched.so key_sched.po $(OUTPRE)key_sched.$(OBJEXT): key_sched.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h des_int.h $(SRCTOP)/include/kerberosIV/des.h + des_int.h $(SRCTOP)/include/kerberosIV/des.h weak_key.so weak_key.po $(OUTPRE)weak_key.$(OBJEXT): weak_key.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h des_int.h $(SRCTOP)/include/kerberosIV/des.h + des_int.h $(SRCTOP)/include/kerberosIV/des.h string2key.so string2key.po $(OUTPRE)string2key.$(OBJEXT): string2key.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h des_int.h $(SRCTOP)/include/kerberosIV/des.h + des_int.h $(SRCTOP)/include/kerberosIV/des.h diff --git a/src/lib/crypto/dk/ChangeLog b/src/lib/crypto/dk/ChangeLog index 9ed3a8d..885dbf7 100644 --- a/src/lib/crypto/dk/ChangeLog +++ b/src/lib/crypto/dk/ChangeLog @@ -1,3 +1,32 @@ +2004-02-13 Ken Raeburn <raeburn@mit.edu> + + * dk_decrypt.c (krb5_dk_decrypt_maybe_trunc_hmac): New argument + IVEC_MODE. If clear, same old behavior. If set, copy out next + to last block for CTS. + (krb5_dk_decrypt, krb5int_aes_dk_decrypt): Pass extra argument. + * dk_encrypt.c (krb5int_aes_dk_encrypt): For IV, copy out next to + last block for CTS. + +2003-04-17 Ken Raeburn <raeburn@mit.edu> + + * dk_encrypt.c (krb5int_aes_dk_encrypt): Set output length + properly. + +2003-04-13 Ken Raeburn <raeburn@mit.edu> + + * dk_decrypt.c (krb5_dk_decrypt_maybe_trunc_hmac): Renamed from + krb5_dk_decrypt, made static, added extra HMACSIZE argument to + indicate size of HMAC. Cast byte values to char to silence + compiler warning. + (krb5_dk_decrypt): Call it. + (krb5int_aes_dk_decrypt): New function. + * dk_encrypt.c (krb5_dk_encrypt): Cast byte values to char to + silence compiler warning. + (krb5int_aes_encrypt_length, trunc_hmac, krb5int_aes_dk_encrypt): + New functions. + * dk.h (krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, + krb5int_aes_dk_decrypt): Declare. + 2003-03-04 Ken Raeburn <raeburn@mit.edu> * stringtokey.c (krb5int_dk_string_to_key): Renamed from diff --git a/src/lib/crypto/dk/Makefile.in b/src/lib/crypto/dk/Makefile.in index 3785ad6..cfd4821 100644 --- a/src/lib/crypto/dk/Makefile.in +++ b/src/lib/crypto/dk/Makefile.in @@ -54,28 +54,32 @@ clean-unix:: clean-libobjs # checksum.so checksum.po $(OUTPRE)checksum.$(OBJEXT): checksum.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(srcdir)/../etypes.h \ - dk.h + $(srcdir)/../etypes.h dk.h dk_decrypt.so dk_decrypt.po $(OUTPRE)dk_decrypt.$(OBJEXT): dk_decrypt.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h dk.h + dk.h dk_encrypt.so dk_encrypt.po $(OUTPRE)dk_encrypt.$(OBJEXT): dk_encrypt.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h dk.h + dk.h derive.so derive.po $(OUTPRE)derive.$(OBJEXT): derive.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h dk.h $(srcdir)/../etypes.h + dk.h $(srcdir)/../etypes.h stringtokey.so stringtokey.po $(OUTPRE)stringtokey.$(OBJEXT): stringtokey.c dk.h \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h diff --git a/src/lib/crypto/dk/dk.h b/src/lib/crypto/dk/dk.h index 0171016..a224167 100644 --- a/src/lib/crypto/dk/dk.h +++ b/src/lib/crypto/dk/dk.h @@ -38,6 +38,18 @@ krb5_error_code krb5_dk_encrypt const krb5_data *ivec, const krb5_data *input, krb5_data *output); +void krb5int_aes_encrypt_length +(const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + size_t input, size_t *length); + +krb5_error_code krb5int_aes_dk_encrypt +(const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, krb5_keyusage usage, + const krb5_data *ivec, + const krb5_data *input, krb5_data *output); + krb5_error_code krb5_dk_decrypt (const struct krb5_enc_provider *enc, const struct krb5_hash_provider *hash, @@ -45,6 +57,13 @@ krb5_error_code krb5_dk_decrypt const krb5_data *ivec, const krb5_data *input, krb5_data *arg_output); +krb5_error_code krb5int_aes_dk_decrypt +(const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, krb5_keyusage usage, + const krb5_data *ivec, const krb5_data *input, + krb5_data *arg_output); + krb5_error_code krb5int_dk_string_to_key (const struct krb5_enc_provider *enc, const krb5_data *string, const krb5_data *salt, diff --git a/src/lib/crypto/dk/dk_decrypt.c b/src/lib/crypto/dk/dk_decrypt.c index adc4d23..febb735 100644 --- a/src/lib/crypto/dk/dk_decrypt.c +++ b/src/lib/crypto/dk/dk_decrypt.c @@ -29,6 +29,17 @@ #define K5CLENGTH 5 /* 32 bit net byte order integer + one byte seed */ +static krb5_error_code +krb5_dk_decrypt_maybe_trunc_hmac(const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, + krb5_keyusage usage, + const krb5_data *ivec, + const krb5_data *input, + krb5_data *output, + size_t hmacsize, + int ivec_mode); + krb5_error_code krb5_dk_decrypt(enc, hash, key, usage, ivec, input, output) const struct krb5_enc_provider *enc; @@ -39,6 +50,37 @@ krb5_dk_decrypt(enc, hash, key, usage, ivec, input, output) const krb5_data *input; krb5_data *output; { + return krb5_dk_decrypt_maybe_trunc_hmac(enc, hash, key, usage, + ivec, input, output, 0, 0); +} + +krb5_error_code +krb5int_aes_dk_decrypt(enc, hash, key, usage, ivec, input, output) + const struct krb5_enc_provider *enc; + const struct krb5_hash_provider *hash; + const krb5_keyblock *key; + krb5_keyusage usage; + const krb5_data *ivec; + const krb5_data *input; + krb5_data *output; +{ + return krb5_dk_decrypt_maybe_trunc_hmac(enc, hash, key, usage, + ivec, input, output, 96 / 8, 1); +} + +static krb5_error_code +krb5_dk_decrypt_maybe_trunc_hmac(enc, hash, key, usage, ivec, input, output, + hmacsize, ivec_mode) + const struct krb5_enc_provider *enc; + const struct krb5_hash_provider *hash; + const krb5_keyblock *key; + krb5_keyusage usage; + const krb5_data *ivec; + const krb5_data *input; + krb5_data *output; + size_t hmacsize; + int ivec_mode; +{ krb5_error_code ret; size_t hashsize, blocksize, keybytes, keylength, enclen, plainlen; unsigned char *plaindata, *kedata, *kidata, *cksum, *cn; @@ -52,7 +94,12 @@ krb5_dk_decrypt(enc, hash, key, usage, ivec, input, output) (*(enc->block_size))(&blocksize); (*(enc->keysize))(&keybytes, &keylength); - enclen = input->length - hashsize; + if (hmacsize == 0) + hmacsize = hashsize; + else if (hmacsize > hashsize) + return KRB5KRB_AP_ERR_BAD_INTEGRITY; + + enclen = input->length - hmacsize; if ((kedata = (unsigned char *) malloc(keylength)) == NULL) return(ENOMEM); @@ -87,7 +134,7 @@ krb5_dk_decrypt(enc, hash, key, usage, ivec, input, output) d1.data[2] = (usage>>8)&0xff; d1.data[3] = usage&0xff; - d1.data[4] = 0xAA; + d1.data[4] = (char) 0xAA; if ((ret = krb5_derive_key(enc, key, &ke, &d1)) != 0) goto cleanup; @@ -108,9 +155,15 @@ krb5_dk_decrypt(enc, hash, key, usage, ivec, input, output) if ((ret = ((*(enc->decrypt))(&ke, ivec, &d1, &d2))) != 0) goto cleanup; - if (ivec != NULL && ivec->length == blocksize) - cn = (unsigned char *) d1.data + d1.length - blocksize; - else + if (ivec != NULL && ivec->length == blocksize) { + if (ivec_mode == 0) + cn = (unsigned char *) d1.data + d1.length - blocksize; + else if (ivec_mode == 1) { + int nblocks = (d1.length + blocksize - 1) / blocksize; + cn = d1.data + blocksize * (nblocks - 2); + } else + abort(); + } else cn = NULL; /* verify the hash */ @@ -121,7 +174,7 @@ krb5_dk_decrypt(enc, hash, key, usage, ivec, input, output) if ((ret = krb5_hmac(hash, &ki, 1, &d2, &d1)) != 0) goto cleanup; - if (memcmp(cksum, input->data+enclen, hashsize) != 0) { + if (memcmp(cksum, input->data+enclen, hmacsize) != 0) { ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; goto cleanup; } diff --git a/src/lib/crypto/dk/dk_encrypt.c b/src/lib/crypto/dk/dk_encrypt.c index eb9fe5f..6016b1d 100644 --- a/src/lib/crypto/dk/dk_encrypt.c +++ b/src/lib/crypto/dk/dk_encrypt.c @@ -108,7 +108,7 @@ krb5_dk_encrypt(enc, hash, key, usage, ivec, input, output) d1.data[2] = (usage>>8)&0xff; d1.data[3] = usage&0xff; - d1.data[4] = 0xAA; + d1.data[4] = (char) 0xAA; if ((ret = krb5_derive_key(enc, key, &ke, &d1))) goto cleanup; @@ -177,6 +177,198 @@ cleanup: return(ret); } +/* Not necessarily "AES", per se, but "a CBC+CTS mode block cipher + with a 96-bit truncated HMAC". */ +void +krb5int_aes_encrypt_length(enc, hash, inputlen, length) + const struct krb5_enc_provider *enc; + const struct krb5_hash_provider *hash; + size_t inputlen; + size_t *length; +{ + size_t blocksize, hashsize; + + (*(enc->block_size))(&blocksize); + hashsize = 96 / 8; + + /* No roundup, since CTS requires no padding once we've hit the + block size. */ + *length = blocksize+inputlen + hashsize; +} + +static krb5_error_code +trunc_hmac (const struct krb5_hash_provider *hash, + const krb5_keyblock *ki, int num, + const krb5_data *input, const krb5_data *output) +{ + size_t hashsize; + krb5_data tmp; + krb5_error_code ret; + + (hash->hash_size)(&hashsize); + if (hashsize < output->length) + return KRB5_CRYPTO_INTERNAL; + tmp.length = hashsize; + tmp.data = malloc(hashsize); + if (tmp.data == NULL) + return errno; + ret = krb5_hmac(hash, ki, num, input, &tmp); + if (ret == 0) + memcpy(output->data, tmp.data, output->length); + memset(tmp.data, 0, hashsize); + free(tmp.data); + return ret; +} + +krb5_error_code +krb5int_aes_dk_encrypt(enc, hash, key, usage, ivec, input, output) + const struct krb5_enc_provider *enc; + const struct krb5_hash_provider *hash; + const krb5_keyblock *key; + krb5_keyusage usage; + const krb5_data *ivec; + const krb5_data *input; + krb5_data *output; +{ + size_t blocksize, keybytes, keylength, plainlen, enclen; + krb5_error_code ret; + unsigned char constantdata[K5CLENGTH]; + krb5_data d1, d2; + unsigned char *plaintext, *kedata, *kidata, *cn; + krb5_keyblock ke, ki; + + /* allocate and set up plaintext and to-be-derived keys */ + + (*(enc->block_size))(&blocksize); + (*(enc->keysize))(&keybytes, &keylength); + plainlen = blocksize+input->length; + + krb5int_aes_encrypt_length(enc, hash, input->length, &enclen); + + /* key->length, ivec will be tested in enc->encrypt */ + + if (output->length < enclen) + return(KRB5_BAD_MSIZE); + + if ((kedata = (unsigned char *) malloc(keylength)) == NULL) + return(ENOMEM); + if ((kidata = (unsigned char *) malloc(keylength)) == NULL) { + free(kedata); + return(ENOMEM); + } + if ((plaintext = (unsigned char *) malloc(plainlen)) == NULL) { + free(kidata); + free(kedata); + return(ENOMEM); + } + + ke.contents = kedata; + ke.length = keylength; + ki.contents = kidata; + ki.length = keylength; + + /* derive the keys */ + + d1.data = constantdata; + d1.length = K5CLENGTH; + + d1.data[0] = (usage>>24)&0xff; + d1.data[1] = (usage>>16)&0xff; + d1.data[2] = (usage>>8)&0xff; + d1.data[3] = usage&0xff; + + d1.data[4] = (char) 0xAA; + + if ((ret = krb5_derive_key(enc, key, &ke, &d1))) + goto cleanup; + + d1.data[4] = 0x55; + + if ((ret = krb5_derive_key(enc, key, &ki, &d1))) + goto cleanup; + + /* put together the plaintext */ + + d1.length = blocksize; + d1.data = plaintext; + + if ((ret = krb5_c_random_make_octets(/* XXX */ 0, &d1))) + goto cleanup; + + memcpy(plaintext+blocksize, input->data, input->length); + + /* Ciphertext stealing; there should be no more. */ + if (plainlen != blocksize + input->length) + abort(); + + /* encrypt the plaintext */ + + d1.length = plainlen; + d1.data = plaintext; + + d2.length = plainlen; + d2.data = output->data; + + if ((ret = ((*(enc->encrypt))(&ke, ivec, &d1, &d2)))) + goto cleanup; + + if (ivec != NULL && ivec->length == blocksize) { + int nblocks = (d2.length + blocksize - 1) / blocksize; + cn = d2.data + blocksize * (nblocks - 2); + } else + cn = NULL; + + /* hash the plaintext */ + + d2.length = enclen - plainlen; + d2.data = output->data+plainlen; + if (d2.length != 96 / 8) + abort(); + + if ((ret = trunc_hmac(hash, &ki, 1, &d1, &d2))) { + memset(d2.data, 0, d2.length); + goto cleanup; + } + + output->length = enclen; + + /* update ivec */ + if (cn != NULL) { + memcpy(ivec->data, cn, blocksize); +#if 0 + { + int i; + printf("\n%s: output:", __func__); + for (i = 0; i < output->length; i++) { + if (i % 16 == 0) + printf("\n%s: ", __func__); + printf(" %02x", i[(unsigned char *)output->data]); + } + printf("\n%s: outputIV:", __func__); + for (i = 0; i < ivec->length; i++) { + if (i % 16 == 0) + printf("\n%s: ", __func__); + printf(" %02x", i[(unsigned char *)ivec->data]); + } + printf("\n"); fflush(stdout); + } +#endif + } + + /* ret is set correctly by the prior call */ + +cleanup: + memset(kedata, 0, keylength); + memset(kidata, 0, keylength); + memset(plaintext, 0, plainlen); + + free(plaintext); + free(kidata); + free(kedata); + + return(ret); +} + #ifdef ATHENA_DES3_KLUDGE void krb5_marc_dk_encrypt_length(enc, hash, inputlen, length) diff --git a/src/lib/crypto/enc_provider/ChangeLog b/src/lib/crypto/enc_provider/ChangeLog index 08a614e..c40be6a 100644 --- a/src/lib/crypto/enc_provider/ChangeLog +++ b/src/lib/crypto/enc_provider/ChangeLog @@ -1,3 +1,19 @@ +2004-02-09 Ken Raeburn <raeburn@mit.edu> + + * aes.c (krb5int_aes_encrypt, krb5int_aes_decrypt): Copy out value + for new IV. + +2003-04-13 Ken Raeburn <raeburn@mit.edu> + + * aes.c (enc): Replaced function with a macro. + (dec): New macro. + (krb5int_aes_encrypt): Use enc and dec. Delete unused variable + OFFSET. + (krb5int_aes_decrypt): Renamed from k5_aes_dencrypt, implemented + decryption, made non-static. + (krb5int_enc_aes128, krb5int_enc_aes256): Use new name for + krb5int_aes_decrypt. + 2003-03-04 Ken Raeburn <raeburn@mit.edu> * aes.c (krb5int_aes_init_state): Implement. diff --git a/src/lib/crypto/enc_provider/Makefile.in b/src/lib/crypto/enc_provider/Makefile.in index dbc4f64..743f4ee 100644 --- a/src/lib/crypto/enc_provider/Makefile.in +++ b/src/lib/crypto/enc_provider/Makefile.in @@ -47,26 +47,28 @@ clean-unix:: clean-libobjs # des.so des.po $(OUTPRE)des.$(OBJEXT): des.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(srcdir)/../des/des_int.h \ - $(SRCTOP)/include/kerberosIV/des.h enc_provider.h + $(srcdir)/../des/des_int.h $(SRCTOP)/include/kerberosIV/des.h \ + enc_provider.h des3.so des3.po $(OUTPRE)des3.$(OBJEXT): des3.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(srcdir)/../des/des_int.h \ - $(SRCTOP)/include/kerberosIV/des.h + $(srcdir)/../des/des_int.h $(SRCTOP)/include/kerberosIV/des.h aes.so aes.po $(OUTPRE)aes.$(OBJEXT): aes.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h enc_provider.h $(srcdir)/../aes/aes.h \ - $(srcdir)/../aes/uitypes.h + enc_provider.h $(srcdir)/../aes/aes.h $(srcdir)/../aes/uitypes.h arcfour.so arcfour.po $(OUTPRE)arcfour.$(OBJEXT): arcfour.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(srcdir)/../arcfour/arcfour-int.h \ - $(srcdir)/../arcfour/arcfour.h enc_provider.h + $(srcdir)/../arcfour/arcfour-int.h $(srcdir)/../arcfour/arcfour.h \ + enc_provider.h diff --git a/src/lib/crypto/enc_provider/aes.c b/src/lib/crypto/enc_provider/aes.c index d3dc2a5..1fc7abc 100644 --- a/src/lib/crypto/enc_provider/aes.c +++ b/src/lib/crypto/enc_provider/aes.c @@ -52,23 +52,8 @@ static void printd (const char *descr, krb5_data *d) { } printf("\n"); } -static void enc(char *out, const char *in, aes_ctx *ctx) -{ - if (aes_enc_blk(in, out, ctx) != aes_good) - abort(); -#if 0 - { - krb5_data e_in, e_out; - e_in.data = in; - e_out.data = out; - e_in.length = e_out.length = BLOCK_SIZE; - printf("encrypting [[\n"); - printd("input block", &e_in); - printd("output block", &e_out); - printf("]]\n"); - } -#endif -} +#define enc(OUT, IN, CTX) (aes_enc_blk((IN),(OUT),(CTX)) == aes_good ? (void) 0 : abort()) +#define dec(OUT, IN, CTX) (aes_dec_blk((IN),(OUT),(CTX)) == aes_good ? (void) 0 : abort()) static void xorblock(char *out, const char *in) { @@ -83,7 +68,6 @@ krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec, { aes_ctx ctx; unsigned char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE]; - int offset; int nblocks = 0, blockno; /* CHECK_SIZES; */ @@ -100,8 +84,7 @@ krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec, if (nblocks == 1) { /* XXX Used for DK function. */ - if (aes_enc_blk(input->data, output->data, &ctx) != aes_good) - abort(); + enc(output->data, input->data, &ctx); } else { int nleft; @@ -112,7 +95,6 @@ krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec, /* Set up for next block. */ memcpy(tmp, tmp2, BLOCK_SIZE); - offset += BLOCK_SIZE; } /* Do final CTS step for last two blocks (the second of which may or may not be incomplete). */ @@ -127,23 +109,70 @@ krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec, xorblock(tmp, tmp3); enc(tmp2, tmp, &ctx); memcpy(output->data + (nblocks - 2) * BLOCK_SIZE, tmp2, BLOCK_SIZE); + if (ivec) + memcpy(ivec->data, tmp2, BLOCK_SIZE); } return 0; } -static krb5_error_code -k5_aes_decrypt(const krb5_keyblock *key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output) +krb5_error_code +krb5int_aes_decrypt(const krb5_keyblock *key, const krb5_data *ivec, + const krb5_data *input, krb5_data *output) { aes_ctx ctx; + unsigned char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE]; + int nblocks = 0, blockno; CHECK_SIZES; if (aes_dec_key(key->contents, key->length, &ctx) != aes_good) abort(); - abort(); + if (ivec) + memcpy(tmp, ivec->data, BLOCK_SIZE); + else + memset(tmp, 0, BLOCK_SIZE); + + nblocks = (input->length + BLOCK_SIZE - 1) / BLOCK_SIZE; + + if (nblocks == 1) { + if (input->length < BLOCK_SIZE) + abort(); + dec(output->data, input->data, &ctx); + } else { + int nleft; + + for (blockno = 0; blockno < nblocks - 2; blockno++) { + dec(tmp2, input->data + blockno * BLOCK_SIZE, &ctx); + xorblock(tmp2, tmp); + memcpy(output->data + blockno * BLOCK_SIZE, tmp2, BLOCK_SIZE); + memcpy(tmp, input->data + blockno * BLOCK_SIZE, BLOCK_SIZE); + } + /* Do last two blocks, the second of which (next-to-last block + of plaintext) may be incomplete. */ + dec(tmp2, input->data + (nblocks - 2) * BLOCK_SIZE, &ctx); + /* Set tmp3 to last ciphertext block, padded. */ + memset(tmp3, 0, sizeof(tmp3)); + memcpy(tmp3, input->data + (nblocks - 1) * BLOCK_SIZE, + input->length - (nblocks - 1) * BLOCK_SIZE); + /* Set tmp2 to last (possibly partial) plaintext block, and + save it. */ + xorblock(tmp2, tmp3); + memcpy(output->data + (nblocks - 1) * BLOCK_SIZE, tmp2, + input->length - (nblocks - 1) * BLOCK_SIZE); + /* Maybe keep the trailing part, and copy in the last + ciphertext block. */ + memcpy(tmp2, tmp3, input->length - (nblocks - 1) * BLOCK_SIZE); + /* Decrypt, to get next to last plaintext block xor previous + ciphertext. */ + dec(tmp3, tmp2, &ctx); + xorblock(tmp3, tmp); + memcpy(output->data + (nblocks - 2) * BLOCK_SIZE, tmp3, BLOCK_SIZE); + if (ivec) + memcpy(ivec->data, input->data + (nblocks - 2) * BLOCK_SIZE, + BLOCK_SIZE); + } return 0; } @@ -178,7 +207,7 @@ const struct krb5_enc_provider krb5int_enc_aes128 = { aes_block_size, aes128_keysize, krb5int_aes_encrypt, - k5_aes_decrypt, + krb5int_aes_decrypt, k5_aes_make_key, krb5int_aes_init_state, krb5int_default_free_state @@ -188,7 +217,7 @@ const struct krb5_enc_provider krb5int_enc_aes256 = { aes_block_size, aes256_keysize, krb5int_aes_encrypt, - k5_aes_decrypt, + krb5int_aes_decrypt, k5_aes_make_key, krb5int_aes_init_state, krb5int_default_free_state diff --git a/src/lib/crypto/etypes.c b/src/lib/crypto/etypes.c index 1cc570c..6dcf026 100644 --- a/src/lib/crypto/etypes.c +++ b/src/lib/crypto/etypes.c @@ -45,93 +45,109 @@ const struct krb5_keytypes krb5_enctypes_list[] = { "des-cbc-crc", "DES cbc mode with CRC-32", &krb5int_enc_des, &krb5int_hash_crc32, krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt, - krb5int_des_string_to_key }, + krb5int_des_string_to_key, CKSUMTYPE_RSA_MD5 }, { ENCTYPE_DES_CBC_MD4, "des-cbc-md4", "DES cbc mode with RSA-MD4", &krb5int_enc_des, &krb5int_hash_md4, krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt, - krb5int_des_string_to_key }, + krb5int_des_string_to_key, CKSUMTYPE_RSA_MD4 }, { ENCTYPE_DES_CBC_MD5, "des-cbc-md5", "DES cbc mode with RSA-MD5", &krb5int_enc_des, &krb5int_hash_md5, krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt, - krb5int_des_string_to_key }, + krb5int_des_string_to_key, CKSUMTYPE_RSA_MD5 }, { ENCTYPE_DES_CBC_MD5, "des", "DES cbc mode with RSA-MD5", /* alias */ &krb5int_enc_des, &krb5int_hash_md5, krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt, - krb5int_des_string_to_key }, + krb5int_des_string_to_key, CKSUMTYPE_RSA_MD5 }, { ENCTYPE_DES_CBC_RAW, "des-cbc-raw", "DES cbc mode raw", &krb5int_enc_des, NULL, krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt, - krb5int_des_string_to_key }, + krb5int_des_string_to_key, 0 }, { ENCTYPE_DES3_CBC_RAW, "des3-cbc-raw", "Triple DES cbc mode raw", &krb5int_enc_des3, NULL, krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt, - krb5int_dk_string_to_key }, + krb5int_dk_string_to_key, 0 }, { ENCTYPE_DES3_CBC_SHA1, "des3-cbc-sha1", "Triple DES cbc mode with HMAC/sha1", &krb5int_enc_des3, &krb5int_hash_sha1, krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt, - krb5int_dk_string_to_key }, + krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 }, { ENCTYPE_DES3_CBC_SHA1, /* alias */ "des3-hmac-sha1", "Triple DES cbc mode with HMAC/sha1", &krb5int_enc_des3, &krb5int_hash_sha1, krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt, - krb5int_dk_string_to_key }, + krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 }, { ENCTYPE_DES3_CBC_SHA1, /* alias */ "des3-cbc-sha1-kd", "Triple DES cbc mode with HMAC/sha1", &krb5int_enc_des3, &krb5int_hash_sha1, krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt, - krb5int_dk_string_to_key }, + krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 }, { ENCTYPE_DES_HMAC_SHA1, "des-hmac-sha1", "DES with HMAC/sha1", &krb5int_enc_des, &krb5int_hash_sha1, krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt, - krb5int_dk_string_to_key }, + krb5int_dk_string_to_key, 0 }, { ENCTYPE_ARCFOUR_HMAC, "arcfour-hmac","ArcFour with HMAC/md5", &krb5int_enc_arcfour, &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, - krb5_arcfour_decrypt, krb5int_arcfour_string_to_key }, + krb5_arcfour_decrypt, krb5int_arcfour_string_to_key, + CKSUMTYPE_HMAC_MD5_ARCFOUR }, { ENCTYPE_ARCFOUR_HMAC, /* alias */ "rc4-hmac", "ArcFour with HMAC/md5", &krb5int_enc_arcfour, &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, - krb5_arcfour_decrypt, krb5int_arcfour_string_to_key }, + krb5_arcfour_decrypt, krb5int_arcfour_string_to_key, + CKSUMTYPE_HMAC_MD5_ARCFOUR }, { ENCTYPE_ARCFOUR_HMAC, /* alias */ "arcfour-hmac-md5", "ArcFour with HMAC/md5", &krb5int_enc_arcfour, &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, - krb5_arcfour_decrypt, krb5int_arcfour_string_to_key }, + krb5_arcfour_decrypt, krb5int_arcfour_string_to_key, + CKSUMTYPE_HMAC_MD5_ARCFOUR }, { ENCTYPE_ARCFOUR_HMAC_EXP, "arcfour-hmac-exp", "Exportable ArcFour with HMAC/md5", &krb5int_enc_arcfour, &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, - krb5_arcfour_decrypt, krb5int_arcfour_string_to_key }, + krb5_arcfour_decrypt, krb5int_arcfour_string_to_key, + CKSUMTYPE_HMAC_MD5_ARCFOUR }, { ENCTYPE_ARCFOUR_HMAC_EXP, /* alias */ "rc4-hmac-exp", "Exportable ArcFour with HMAC/md5", &krb5int_enc_arcfour, &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, - krb5_arcfour_decrypt, krb5int_arcfour_string_to_key }, + krb5_arcfour_decrypt, krb5int_arcfour_string_to_key, + CKSUMTYPE_HMAC_MD5_ARCFOUR }, { ENCTYPE_ARCFOUR_HMAC_EXP, /* alias */ "arcfour-hmac-md5-exp", "Exportable ArcFour with HMAC/md5", &krb5int_enc_arcfour, &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, - krb5_arcfour_decrypt, krb5int_arcfour_string_to_key }, + krb5_arcfour_decrypt, krb5int_arcfour_string_to_key, + CKSUMTYPE_HMAC_MD5_ARCFOUR }, { ENCTYPE_AES128_CTS_HMAC_SHA1_96, "aes128-cts-hmac-sha1-96", "AES-128 CTS mode with 96-bit SHA-1 HMAC", &krb5int_enc_aes128, &krb5int_hash_sha1, - krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt, - krb5int_aes_string_to_key }, + krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt, + krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES128 }, + { ENCTYPE_AES128_CTS_HMAC_SHA1_96, /* alias */ + "aes128-cts", "AES-128 CTS mode with 96-bit SHA-1 HMAC", + &krb5int_enc_aes128, &krb5int_hash_sha1, + krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt, + krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES128 }, { ENCTYPE_AES256_CTS_HMAC_SHA1_96, "aes256-cts-hmac-sha1-96", "AES-256 CTS mode with 96-bit SHA-1 HMAC", &krb5int_enc_aes256, &krb5int_hash_sha1, - krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt, - krb5int_aes_string_to_key }, + krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt, + krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES256 }, + { ENCTYPE_AES256_CTS_HMAC_SHA1_96, /* alias */ + "aes256-cts", "AES-256 CTS mode with 96-bit SHA-1 HMAC", + &krb5int_enc_aes256, &krb5int_hash_sha1, + krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt, + krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES256 }, #ifdef ATHENA_DES3_KLUDGE /* @@ -143,7 +159,7 @@ const struct krb5_keytypes krb5_enctypes_list[] = { "Triple DES with HMAC/sha1 and 32-bit length code", &krb5int_enc_des3, &krb5int_hash_sha1, krb5_marc_dk_encrypt_length, krb5_marc_dk_encrypt, krb5_marc_dk_decrypt, - krb5int_dk_string_to_key }, + krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 }, #endif }; diff --git a/src/lib/crypto/hash_provider/Makefile.in b/src/lib/crypto/hash_provider/Makefile.in index 55aa892..b9e6ba7 100644 --- a/src/lib/crypto/hash_provider/Makefile.in +++ b/src/lib/crypto/hash_provider/Makefile.in @@ -42,26 +42,26 @@ clean-unix:: clean-libobjs # hash_crc32.so hash_crc32.po $(OUTPRE)hash_crc32.$(OBJEXT): hash_crc32.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(srcdir)/../crc32/crc-32.h \ - hash_provider.h + $(srcdir)/../crc32/crc-32.h hash_provider.h hash_md4.so hash_md4.po $(OUTPRE)hash_md4.$(OBJEXT): hash_md4.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(srcdir)/../md4/rsa-md4.h \ - hash_provider.h + $(srcdir)/../md4/rsa-md4.h hash_provider.h hash_md5.so hash_md5.po $(OUTPRE)hash_md5.$(OBJEXT): hash_md5.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(srcdir)/../md5/rsa-md5.h \ - hash_provider.h + $(srcdir)/../md5/rsa-md5.h hash_provider.h hash_sha1.so hash_sha1.po $(OUTPRE)hash_sha1.$(OBJEXT): hash_sha1.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(srcdir)/../sha1/shs.h \ - hash_provider.h + $(srcdir)/../sha1/shs.h hash_provider.h diff --git a/src/lib/crypto/keyhash_provider/Makefile.in b/src/lib/crypto/keyhash_provider/Makefile.in index 27c3821..d134fd8 100644 --- a/src/lib/crypto/keyhash_provider/Makefile.in +++ b/src/lib/crypto/keyhash_provider/Makefile.in @@ -61,29 +61,31 @@ clean-unix:: clean-libobjs # descbc.so descbc.po $(OUTPRE)descbc.$(OBJEXT): descbc.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(srcdir)/../des/des_int.h \ - $(SRCTOP)/include/kerberosIV/des.h keyhash_provider.h + $(srcdir)/../des/des_int.h $(SRCTOP)/include/kerberosIV/des.h \ + keyhash_provider.h k5_md4des.so k5_md4des.po $(OUTPRE)k5_md4des.$(OBJEXT): k5_md4des.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(srcdir)/../des/des_int.h \ - $(SRCTOP)/include/kerberosIV/des.h $(srcdir)/../md4/rsa-md4.h \ - keyhash_provider.h + $(srcdir)/../des/des_int.h $(SRCTOP)/include/kerberosIV/des.h \ + $(srcdir)/../md4/rsa-md4.h keyhash_provider.h k5_md5des.so k5_md5des.po $(OUTPRE)k5_md5des.$(OBJEXT): k5_md5des.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(srcdir)/../des/des_int.h \ - $(SRCTOP)/include/kerberosIV/des.h $(srcdir)/../md5/rsa-md5.h \ - keyhash_provider.h + $(srcdir)/../des/des_int.h $(SRCTOP)/include/kerberosIV/des.h \ + $(srcdir)/../md5/rsa-md5.h keyhash_provider.h hmac_md5.so hmac_md5.po $(OUTPRE)hmac_md5.$(OBJEXT): hmac_md5.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h keyhash_provider.h $(srcdir)/../arcfour/arcfour-int.h \ + keyhash_provider.h $(srcdir)/../arcfour/arcfour-int.h \ $(srcdir)/../arcfour/arcfour.h $(srcdir)/../md5/rsa-md5.h \ $(srcdir)/../hash_provider/hash_provider.h diff --git a/src/lib/crypto/make_checksum.c b/src/lib/crypto/make_checksum.c index 5d7be93..8a384e7 100644 --- a/src/lib/crypto/make_checksum.c +++ b/src/lib/crypto/make_checksum.c @@ -108,6 +108,13 @@ krb5_c_make_checksum(context, cksumtype, key, usage, input, cksum) if (!ret) { cksum->magic = KV5M_CHECKSUM; cksum->checksum_type = cksumtype; + if (krb5_cksumtypes_list[i].trunc_size) { + krb5_octet *trunc; + cksum->length = krb5_cksumtypes_list[i].trunc_size; + trunc = (krb5_octet *) realloc(cksum->contents, cksum->length); + if (trunc) + cksum->contents = trunc; + } } cleanup: diff --git a/src/lib/crypto/mandatory_sumtype.c b/src/lib/crypto/mandatory_sumtype.c new file mode 100644 index 0000000..f9322ff --- /dev/null +++ b/src/lib/crypto/mandatory_sumtype.c @@ -0,0 +1,41 @@ +/* + * Copyright (C) 2003 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + +#include "k5-int.h" +#include "etypes.h" + +krb5_error_code +krb5int_c_mandatory_cksumtype (krb5_context ctx, krb5_enctype etype, + krb5_cksumtype *cksumtype) +{ + int i; + + for (i = 0; i < krb5_enctypes_length; i++) + if (krb5_enctypes_list[i].etype == etype) { + *cksumtype = krb5_enctypes_list[i].required_ctype; + return 0; + } + + return KRB5_BAD_ENCTYPE; +} diff --git a/src/lib/crypto/md4/Makefile.in b/src/lib/crypto/md4/Makefile.in index af05935..57341c6 100644 --- a/src/lib/crypto/md4/Makefile.in +++ b/src/lib/crypto/md4/Makefile.in @@ -63,7 +63,8 @@ clean-unix:: clean-libobjs # md4.so md4.po $(OUTPRE)md4.$(OBJEXT): md4.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h rsa-md4.h + rsa-md4.h diff --git a/src/lib/crypto/md5/Makefile.in b/src/lib/crypto/md5/Makefile.in index b783893..d5e3a22 100644 --- a/src/lib/crypto/md5/Makefile.in +++ b/src/lib/crypto/md5/Makefile.in @@ -53,7 +53,8 @@ clean-unix:: clean-libobjs # md5.so md5.po $(OUTPRE)md5.$(OBJEXT): md5.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h rsa-md5.h + rsa-md5.h diff --git a/src/lib/crypto/old/ChangeLog b/src/lib/crypto/old/ChangeLog index c23b403..bab2704 100644 --- a/src/lib/crypto/old/ChangeLog +++ b/src/lib/crypto/old/ChangeLog @@ -1,3 +1,9 @@ +2003-05-23 Sam Hartman <hartmans@mit.edu> + + * des_stringtokey.c (krb5int_des_string_to_key): If param has one + byte, treat it as a type. Type 0 is normal, type 1 is AFS + string2key. + 2003-03-04 Ken Raeburn <raeburn@mit.edu> * des_stringtokey.c (krb5int_des_string_to_key): Renamed from diff --git a/src/lib/crypto/old/Makefile.in b/src/lib/crypto/old/Makefile.in index 8fc8390..acc2cdd 100644 --- a/src/lib/crypto/old/Makefile.in +++ b/src/lib/crypto/old/Makefile.in @@ -40,18 +40,21 @@ clean-unix:: clean-libobjs # des_stringtokey.so des_stringtokey.po $(OUTPRE)des_stringtokey.$(OBJEXT): des_stringtokey.c \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - old.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h old.h $(srcdir)/../des/des_int.h \ + $(SRCTOP)/include/kerberosIV/des.h old_decrypt.so old_decrypt.po $(OUTPRE)old_decrypt.$(OBJEXT): old_decrypt.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h old.h + old.h old_encrypt.so old_encrypt.po $(OUTPRE)old_encrypt.$(OBJEXT): old_encrypt.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h old.h + old.h diff --git a/src/lib/crypto/old/des_stringtokey.c b/src/lib/crypto/old/des_stringtokey.c index fd3440b..20f2f05 100644 --- a/src/lib/crypto/old/des_stringtokey.c +++ b/src/lib/crypto/old/des_stringtokey.c @@ -26,6 +26,7 @@ #include "k5-int.h" #include "old.h" +#include <des_int.h> /* XXX */ extern krb5_error_code mit_des_string_to_key_int @@ -41,7 +42,19 @@ krb5int_des_string_to_key(enc, string, salt, parm, key) const krb5_data *parm; krb5_keyblock *key; { - if (parm != NULL) - return KRB5_ERR_BAD_S2K_PARAMS; + int type; + if (parm ) { + if (parm->length != 1) + return KRB5_ERR_BAD_S2K_PARAMS; + type = parm->data[0]; + } + else type = 0; + switch(type) { + case 0: return(mit_des_string_to_key_int(key, string, salt)); + case 1: + return mit_afs_string_to_key(key, string, salt); + default: + return KRB5_ERR_BAD_S2K_PARAMS; + } } diff --git a/src/lib/crypto/pbkdf2.c b/src/lib/crypto/pbkdf2.c index d8a3f8b..af39170 100644 --- a/src/lib/crypto/pbkdf2.c +++ b/src/lib/crypto/pbkdf2.c @@ -158,6 +158,7 @@ krb5int_pbkdf2 (krb5_error_code (*prf)(krb5_keyblock *, krb5_data *, { int l, r, i; char *utmp1, *utmp2; + char utmp3[20]; /* XXX length shouldn't be hardcoded! */ if (output->length == 0 || hlen == 0) abort(); @@ -169,7 +170,13 @@ krb5int_pbkdf2 (krb5_error_code (*prf)(krb5_keyblock *, krb5_data *, r = output->length - (l - 1) * hlen; utmp1 = /*output + dklen; */ malloc(hlen); + if (utmp1 == NULL) + return errno; utmp2 = /*utmp1 + hlen; */ malloc(salt->length + 4 + hlen); + if (utmp2 == NULL) { + free(utmp1); + return errno; + } /* Step 3. */ for (i = 1; i <= l; i++) { @@ -177,11 +184,21 @@ krb5int_pbkdf2 (krb5_error_code (*prf)(krb5_keyblock *, krb5_data *, int j; #endif krb5_error_code err; + char *out; - err = F(output->data + (i-1) * hlen, utmp1, utmp2, prf, hlen, - pass, salt, count, i); - if (err) + if (i == l) + out = utmp3; + else + out = output->data + (i-1) * hlen; + err = F(out, utmp1, utmp2, prf, hlen, pass, salt, count, i); + if (err) { + free(utmp1); + free(utmp2); return err; + } + if (i == l) + memcpy(output->data + (i-1) * hlen, utmp3, + output->length - (i-1) * hlen); #if 0 printf("after F(%d), @%p:\n", i, output->data); @@ -190,6 +207,8 @@ krb5int_pbkdf2 (krb5_error_code (*prf)(krb5_keyblock *, krb5_data *, printf ("\n"); #endif } + free(utmp1); + free(utmp2); return 0; } @@ -199,7 +218,10 @@ static krb5_error_code hmac1(const struct krb5_hash_provider *h, char tmp[40]; size_t blocksize, hashsize; krb5_error_code err; + krb5_keyblock k; + k = *key; + key = &k; if (debug_hmac) printk(" test key", key); h->block_size(&blocksize); @@ -235,8 +257,6 @@ foo(krb5_keyblock *pass, krb5_data *salt, krb5_data *out) memset(out->data, 0, out->length); err = hmac1 (&krb5int_hash_sha1, pass, salt, out); - if (err) - com_err("foo", err, "computing hmac"); return err; } diff --git a/src/lib/crypto/raw/Makefile.in b/src/lib/crypto/raw/Makefile.in index d94112b..490d2c7 100644 --- a/src/lib/crypto/raw/Makefile.in +++ b/src/lib/crypto/raw/Makefile.in @@ -38,12 +38,14 @@ clean-unix:: clean-libobjs # raw_decrypt.so raw_decrypt.po $(OUTPRE)raw_decrypt.$(OBJEXT): raw_decrypt.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h raw.h + raw.h raw_encrypt.so raw_encrypt.po $(OUTPRE)raw_encrypt.$(OBJEXT): raw_encrypt.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h raw.h + raw.h diff --git a/src/lib/crypto/sha1/Makefile.in b/src/lib/crypto/sha1/Makefile.in index da3e70f..f796eaa 100644 --- a/src/lib/crypto/sha1/Makefile.in +++ b/src/lib/crypto/sha1/Makefile.in @@ -58,7 +58,7 @@ t_shs3: t_shs3.o shs.o # shs.so shs.po $(OUTPRE)shs.$(OBJEXT): shs.c shs.h $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h diff --git a/src/lib/crypto/string_to_key.c b/src/lib/crypto/string_to_key.c index c9434e0..4125831 100644 --- a/src/lib/crypto/string_to_key.c +++ b/src/lib/crypto/string_to_key.c @@ -27,7 +27,6 @@ #include "k5-int.h" #include "etypes.h" -/* Eventually this declaration should move to krb5.h. */ krb5_error_code KRB5_CALLCONV krb5_c_string_to_key_with_params(krb5_context context, krb5_enctype enctype, @@ -72,7 +71,21 @@ krb5_c_string_to_key_with_params(context, enctype, string, salt, params, key) return(KRB5_BAD_ENCTYPE); enc = krb5_enctypes_list[i].enc; +/* xxx AFS string2key function is indicated by a special length in + * the salt in much of the code. However only the DES enctypes can + * deal with this. Using s2kparams would be a much better solution.*/ + if (salt && salt->length == SALT_TYPE_AFS_LENGTH) { + switch (enctype) { + case ENCTYPE_DES_CBC_CRC: + case ENCTYPE_DES_CBC_MD4: + case ENCTYPE_DES_CBC_MD5: + break; + default: + return (KRB5_CRYPTO_INTERNAL); + } + } + (*(enc->keysize))(&keybytes, &keylength); if ((key->contents = (krb5_octet *) malloc(keylength)) == NULL) diff --git a/src/lib/crypto/t_cts.c b/src/lib/crypto/t_cts.c index 5bf1ecb..b105bd2 100644 --- a/src/lib/crypto/t_cts.c +++ b/src/lib/crypto/t_cts.c @@ -120,27 +120,52 @@ static void test_cts() krb5_data *); int i; - char outbuf[64]; - krb5_data in, out; + char outbuf[64], encivbuf[16], decivbuf[16], outbuf2[64]; + krb5_data in, out, enciv, deciv, out2; krb5_keyblock key; krb5_error_code err; in.data = input; out.data = outbuf; + out2.data = outbuf2; + enciv.length = deciv.length = 16; + enciv.data = encivbuf; + deciv.data = decivbuf; key.contents = aeskey; key.length = 16; + memset(enciv.data, 0, 16); printk("AES 128-bit key", &key); for (i = 0; i < sizeof(lengths)/sizeof(lengths[0]); i++) { + memset(enciv.data, 0, 16); + memset(deciv.data, 0, 16); + printf("\n"); in.length = out.length = lengths[i]; - err = krb5int_aes_encrypt(&key, 0, &in, &out); + printd("IV", &enciv); + err = krb5int_aes_encrypt(&key, &enciv, &in, &out); if (err) { printf("error %ld from krb5int_aes_encrypt\n", (long)err); exit(1); } printd("Input", &in); printd("Output", &out); + printd("Next IV", &enciv); + out2.length = out.length; + err = krb5int_aes_decrypt(&key, &deciv, &out, &out2); + if (err) { + printf("error %ld from krb5int_aes_decrypt\n", (long)err); + exit(1); + } + if (out2.length != in.length + || memcmp(in.data, out2.data, in.length)) { + printd("Decryption result DOESN'T MATCH", &out2); + exit(1); + } + if (memcmp(enciv.data, deciv.data, 16)) { + printd("Decryption IV result DOESN'T MATCH", &deciv); + exit(1); + } } } diff --git a/src/lib/crypto/t_encrypt.c b/src/lib/crypto/t_encrypt.c index 2a6e09e..3bc62e5 100644 --- a/src/lib/crypto/t_encrypt.c +++ b/src/lib/crypto/t_encrypt.c @@ -53,25 +53,51 @@ if( retval) { \ abort(); \ } else printf ("OK\n"); +int compare_results(krb5_data *d1, krb5_data *d2) +{ + if (d1->length != d2->length) { + /* Decryption can leave a little trailing cruft. + For the current cryptosystems, this can be up to 7 bytes. */ + if (d1->length + 8 <= d2->length) + return EINVAL; + if (d1->length > d2->length) + return EINVAL; + } + if (memcmp(d1->data, d2->data, d1->length)) { + return EINVAL; + } + return 0; +} + int main () { krb5_context context = 0; - krb5_data in, out, check, state; + krb5_data in, in2, out, out2, check, check2, state; int i; size_t len; - krb5_enc_data enc_out; + krb5_enc_data enc_out, enc_out2; krb5_error_code retval; krb5_keyblock *key; + in.data = "This is a test.\n"; in.length = strlen (in.data); + in2.data = "This is another test.\n"; + in2.length = strlen (in2.data); test ("Seeding random number generator", krb5_c_random_seed (context, &in)); out.data = malloc(2048); + out2.data = malloc(2048); check.data = malloc(2048); + check2.data = malloc(2048); + if (out.data == NULL || out2.data == NULL + || check.data == NULL || check2.data == NULL) + abort(); out.length = 2048; + out2.length = 2048; check.length = 2048; + check2.length = 2048; for (i = 0; interesting_enctypes[i]; i++) { krb5_enctype enctype = interesting_enctypes [i]; printf ("Testing enctype %d\n", enctype); @@ -79,8 +105,8 @@ main () krb5_init_keyblock (context, enctype, 0, &key)); test ("Generating random key", krb5_c_make_random_key (context, enctype, key)); - enc_out.ciphertext.data = out.data; - enc_out.ciphertext.length = out.length; + enc_out.ciphertext = out; + enc_out2.ciphertext = out2; /* We use an intermediate `len' because size_t may be different size than `int' */ krb5_c_encrypt_length (context, key->enctype, in.length, &len); @@ -89,14 +115,29 @@ main () krb5_c_encrypt (context, key, 7, 0, &in, &enc_out)); test ("Decrypting", krb5_c_decrypt (context, key, 7, 0, &enc_out, &check)); + test ("Comparing", compare_results (&in, &check)); + enc_out.ciphertext.length = out.length; + check.length = 2048; test ("init_state", krb5_c_init_state (context, key, 7, &state)); - test ("Encrypting with state", + test ("Encrypting with state", krb5_c_encrypt (context, key, 7, &state, &in, &enc_out)); - test ("Decrypting", - krb5_c_decrypt (context, key, 7, 0, &enc_out, &check)); + test ("Encrypting again with state", + krb5_c_encrypt (context, key, 7, &state, &in2, &enc_out2)); + test ("free_state", + krb5_c_free_state (context, key, &state)); + test ("init_state", + krb5_c_init_state (context, key, 7, &state)); + test ("Decrypting with state", + krb5_c_decrypt (context, key, 7, &state, &enc_out, &check)); + test ("Decrypting again with state", + krb5_c_decrypt (context, key, 7, &state, &enc_out2, &check2)); test ("free_state", krb5_c_free_state (context, key, &state)); + test ("Comparing", + compare_results (&in, &check)); + test ("Comparing", + compare_results (&in2, &check2)); krb5_free_keyblock (context, key); } diff --git a/src/lib/crypto/yarrow/Makefile.in b/src/lib/crypto/yarrow/Makefile.in index efae363..5357272 100644 --- a/src/lib/crypto/yarrow/Makefile.in +++ b/src/lib/crypto/yarrow/Makefile.in @@ -44,15 +44,16 @@ clean-unix:: clean-libobjs # yarrow.so yarrow.po $(OUTPRE)yarrow.$(OBJEXT): yarrow.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h yarrow.h ytypes.h yhash.h \ - $(srcdir)/../sha1/shs.h ycipher.h ylock.h ystate.h \ - yexcep.h + yarrow.h ytypes.h yhash.h $(srcdir)/../sha1/shs.h ycipher.h \ + ylock.h ystate.h yexcep.h ycipher.so ycipher.po $(OUTPRE)ycipher.$(OBJEXT): ycipher.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h yarrow.h ytypes.h yhash.h \ - $(srcdir)/../sha1/shs.h ycipher.h $(srcdir)/../enc_provider/enc_provider.h + yarrow.h ytypes.h yhash.h $(srcdir)/../sha1/shs.h ycipher.h \ + $(srcdir)/../enc_provider/enc_provider.h diff --git a/src/lib/des425/ChangeLog b/src/lib/des425/ChangeLog index acd4ea6..9ab878a 100644 --- a/src/lib/des425/ChangeLog +++ b/src/lib/des425/ChangeLog @@ -1,3 +1,8 @@ +2003-04-23 Ken Raeburn <raeburn@mit.edu> + + * quad_cksum.c, t_pcbc.c, t_quad.c, verify.c: Don't declare errno + or errmsg. + 2003-03-06 Alexandra Ellwood <lxs@mit.edu> * mac_des_glue.c, des.c, enc_dec.c, key_sched.c, str_to_key.c: diff --git a/src/lib/des425/Makefile.in b/src/lib/des425/Makefile.in index dc486f3..54960fe 100644 --- a/src/lib/des425/Makefile.in +++ b/src/lib/des425/Makefile.in @@ -119,85 +119,86 @@ install-unix:: install-libs # cksum.so cksum.po $(OUTPRE)cksum.$(OBJEXT): cksum.c $(srcdir)/../crypto/des/des_int.h \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - $(SRCTOP)/include/kerberosIV/des.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h des.so des.po $(OUTPRE)des.$(OBJEXT): des.c $(srcdir)/../crypto/des/des_int.h \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - $(SRCTOP)/include/kerberosIV/des.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h enc_dec.so enc_dec.po $(OUTPRE)enc_dec.$(OBJEXT): enc_dec.c $(srcdir)/../crypto/des/des_int.h \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - $(SRCTOP)/include/kerberosIV/des.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h key_parity.so key_parity.po $(OUTPRE)key_parity.$(OBJEXT): key_parity.c $(srcdir)/../crypto/des/des_int.h \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - $(SRCTOP)/include/kerberosIV/des.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h key_sched.so key_sched.po $(OUTPRE)key_sched.$(OBJEXT): key_sched.c $(srcdir)/../crypto/des/des_int.h \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - $(SRCTOP)/include/kerberosIV/des.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h new_rnd_key.so new_rnd_key.po $(OUTPRE)new_rnd_key.$(OBJEXT): new_rnd_key.c $(srcdir)/../crypto/des/des_int.h \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - $(SRCTOP)/include/kerberosIV/des.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h pcbc_encrypt.so pcbc_encrypt.po $(OUTPRE)pcbc_encrypt.$(OBJEXT): pcbc_encrypt.c $(srcdir)/../crypto/des/des_int.h \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - $(SRCTOP)/include/kerberosIV/des.h $(srcdir)/../crypto/des/f_tables.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h \ + $(srcdir)/../crypto/des/f_tables.h quad_cksum.so quad_cksum.po $(OUTPRE)quad_cksum.$(OBJEXT): quad_cksum.c $(srcdir)/../crypto/des/des_int.h \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - $(SRCTOP)/include/kerberosIV/des.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h random_key.so random_key.po $(OUTPRE)random_key.$(OBJEXT): random_key.c $(srcdir)/../crypto/des/des_int.h \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - $(SRCTOP)/include/kerberosIV/des.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h read_passwd.so read_passwd.po $(OUTPRE)read_passwd.$(OBJEXT): read_passwd.c $(srcdir)/../crypto/des/des_int.h \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - $(SRCTOP)/include/kerberosIV/des.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h str_to_key.so str_to_key.po $(OUTPRE)str_to_key.$(OBJEXT): str_to_key.c $(srcdir)/../crypto/des/des_int.h \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - $(SRCTOP)/include/kerberosIV/des.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h unix_time.so unix_time.po $(OUTPRE)unix_time.$(OBJEXT): unix_time.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h util.so util.po $(OUTPRE)util.$(OBJEXT): util.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(srcdir)/../crypto/des/des_int.h \ - $(SRCTOP)/include/kerberosIV/des.h + $(srcdir)/../crypto/des/des_int.h $(SRCTOP)/include/kerberosIV/des.h weak_key.so weak_key.po $(OUTPRE)weak_key.$(OBJEXT): weak_key.c $(srcdir)/../crypto/des/des_int.h \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - $(SRCTOP)/include/kerberosIV/des.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/kerberosIV/des.h diff --git a/src/lib/des425/quad_cksum.c b/src/lib/des425/quad_cksum.c index b9ef031..2a7b78c 100644 --- a/src/lib/des425/quad_cksum.c +++ b/src/lib/des425/quad_cksum.c @@ -119,10 +119,6 @@ #define vaxtohs(x) two_bytes_vax_to_nets(((const unsigned char *)(x))) /* Externals */ -extern char *errmsg(); -#ifndef HAVE_ERRNO -extern int errno; -#endif extern int des_debug; /*** Routines ***************************************************** */ diff --git a/src/lib/des425/t_pcbc.c b/src/lib/des425/t_pcbc.c index 8bd6a08..2932148 100644 --- a/src/lib/des425/t_pcbc.c +++ b/src/lib/des425/t_pcbc.c @@ -30,8 +30,6 @@ #include "des_int.h" #include "des.h" -extern char *errmsg(); -extern int errno; char *progname; int des_debug; diff --git a/src/lib/des425/t_quad.c b/src/lib/des425/t_quad.c index 421a555..b9299fd 100644 --- a/src/lib/des425/t_quad.c +++ b/src/lib/des425/t_quad.c @@ -30,8 +30,6 @@ #include "des_int.h" #include "des.h" -extern char *errmsg(); -extern int errno; extern unsigned long quad_cksum(); char *progname; int des_debug; diff --git a/src/lib/des425/verify.c b/src/lib/des425/verify.c index 91718e3..653730a 100644 --- a/src/lib/des425/verify.c +++ b/src/lib/des425/verify.c @@ -37,8 +37,6 @@ #include "des_int.h" #include "des.h" -extern char *errmsg(); -extern int errno; char *progname; int nflag = 2; int vflag; diff --git a/src/lib/gssapi/ChangeLog b/src/lib/gssapi/ChangeLog index 2674710..27fc2d9 100644 --- a/src/lib/gssapi/ChangeLog +++ b/src/lib/gssapi/ChangeLog @@ -1,3 +1,8 @@ +2003-07-17 Tom Yu <tlyu@mit.edu> + + * gss_libinit.c (gssint_initialize_library): Don't call + kg_release_defcred(); it doesn't exist any more. + 2003-03-08 Ken Raeburn <raeburn@mit.edu> * Makefile.in ($(BUILDTOP)/include/gssapi/gssapi.h, diff --git a/src/lib/gssapi/Makefile.in b/src/lib/gssapi/Makefile.in index baa776e..3df77c8 100644 --- a/src/lib/gssapi/Makefile.in +++ b/src/lib/gssapi/Makefile.in @@ -122,5 +122,6 @@ gss_libinit.so gss_libinit.po $(OUTPRE)gss_libinit.$(OBJEXT): gss_libinit.c gene $(COM_ERR_DEPS) krb5/gssapi_err_krb5.h $(srcdir)/krb5/gssapiP_krb5.h \ $(BUILDTOP)/include/krb5.h $(srcdir)/generic/gssapiP_generic.h \ $(srcdir)/generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5/autoconf.h \ $(srcdir)/krb5/gssapi_krb5.h gss_libinit.h generic/gssapi.h diff --git a/src/lib/gssapi/generic/ChangeLog b/src/lib/gssapi/generic/ChangeLog index bd58e5a..531b309 100644 --- a/src/lib/gssapi/generic/ChangeLog +++ b/src/lib/gssapi/generic/ChangeLog @@ -1,3 +1,25 @@ +2004-02-08 Ken Raeburn <raeburn@mit.edu> + + * util_ordering.c (g_queue_externalize, g_queue_internalize): + Check for sufficient buffer space. + +2003-12-13 Ken Raeburn <raeburn@mit.edu> + + * gssapiP_generic.h: Include k5-platform.h. + (gssint_uint64): New typedef. + (g_order_init, g_order_check): Update decls. + * util_ordering.c (struct _queue): Change sequence number fields + to gssint_uint64. Add mask field. + (queue_insert): Change sequence number to gssint_uint64. + (g_order_init): Change sequence numbers to gssint_uint64. Add + "wide_nums" argument; initialize the queue mask field based on + it; all callers changed. Store a -1 as the first element. + (g_order_check): Store and check elements as offsets from + firstnum. Mask to 32 bits if desired. + * util_token.c (g_verify_token_header): Add new argument + indicating whether the pseudo-ASN.1 wrapper is required; all + callers changed. + 2003-03-06 Alexandra Ellwood <lxs@mit.edu> * disp_com_err_status.c, gssapi_generic.h: diff --git a/src/lib/gssapi/generic/Makefile.in b/src/lib/gssapi/generic/Makefile.in index 8ac282f..b55a6e2 100644 --- a/src/lib/gssapi/generic/Makefile.in +++ b/src/lib/gssapi/generic/Makefile.in @@ -147,40 +147,52 @@ depend:: $(ETSRCS) # disp_com_err_status.so disp_com_err_status.po $(OUTPRE)disp_com_err_status.$(OBJEXT): disp_com_err_status.c \ gssapiP_generic.h gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - gssapi_err_generic.h $(COM_ERR_DEPS) + gssapi_err_generic.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h disp_major_status.so disp_major_status.po $(OUTPRE)disp_major_status.$(OBJEXT): disp_major_status.c \ gssapiP_generic.h gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - gssapi_err_generic.h $(COM_ERR_DEPS) + gssapi_err_generic.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_generic.so gssapi_generic.po $(OUTPRE)gssapi_generic.$(OBJEXT): gssapi_generic.c \ gssapiP_generic.h gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - gssapi_err_generic.h $(COM_ERR_DEPS) + gssapi_err_generic.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h oid_ops.so oid_ops.po $(OUTPRE)oid_ops.$(OBJEXT): oid_ops.c gssapiP_generic.h \ gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - gssapi_err_generic.h $(COM_ERR_DEPS) + gssapi_err_generic.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h rel_buffer.so rel_buffer.po $(OUTPRE)rel_buffer.$(OBJEXT): rel_buffer.c gssapiP_generic.h \ gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - gssapi_err_generic.h $(COM_ERR_DEPS) + gssapi_err_generic.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h rel_oid_set.so rel_oid_set.po $(OUTPRE)rel_oid_set.$(OBJEXT): rel_oid_set.c gssapiP_generic.h \ gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - gssapi_err_generic.h $(COM_ERR_DEPS) + gssapi_err_generic.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h util_buffer.so util_buffer.po $(OUTPRE)util_buffer.$(OBJEXT): util_buffer.c gssapiP_generic.h \ gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - gssapi_err_generic.h $(COM_ERR_DEPS) + gssapi_err_generic.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h util_oid.so util_oid.po $(OUTPRE)util_oid.$(OBJEXT): util_oid.c gssapiP_generic.h \ gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - gssapi_err_generic.h $(COM_ERR_DEPS) + gssapi_err_generic.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h util_ordering.so util_ordering.po $(OUTPRE)util_ordering.$(OBJEXT): util_ordering.c gssapiP_generic.h \ gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - gssapi_err_generic.h $(COM_ERR_DEPS) + gssapi_err_generic.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h util_set.so util_set.po $(OUTPRE)util_set.$(OBJEXT): util_set.c gssapiP_generic.h \ gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - gssapi_err_generic.h $(COM_ERR_DEPS) + gssapi_err_generic.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h util_token.so util_token.po $(OUTPRE)util_token.$(OBJEXT): util_token.c gssapiP_generic.h \ gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - gssapi_err_generic.h $(COM_ERR_DEPS) + gssapi_err_generic.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h util_validate.so util_validate.po $(OUTPRE)util_validate.$(OBJEXT): util_validate.c gssapiP_generic.h \ gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - gssapi_err_generic.h $(COM_ERR_DEPS) + gssapi_err_generic.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_err_generic.so gssapi_err_generic.po $(OUTPRE)gssapi_err_generic.$(OBJEXT): gssapi_err_generic.c \ $(COM_ERR_DEPS) diff --git a/src/lib/gssapi/generic/gssapiP_generic.h b/src/lib/gssapi/generic/gssapiP_generic.h index 102ba69..24d51d0 100644 --- a/src/lib/gssapi/generic/gssapiP_generic.h +++ b/src/lib/gssapi/generic/gssapiP_generic.h @@ -40,6 +40,9 @@ #include "gssapi_err_generic.h" #include <errno.h> +#include "k5-platform.h" +typedef UINT64_TYPE gssint_uint64; + /** helper macros **/ #define g_OID_equal(o1,o2) \ @@ -159,8 +162,9 @@ void g_make_token_header (gss_OID mech, unsigned int body_size, unsigned char **buf, int tok_type); gss_int32 g_verify_token_header (gss_OID mech, unsigned int *body_size, - unsigned char **buf, int tok_type, - unsigned int toksize_in); + unsigned char **buf, int tok_type, + unsigned int toksize_in, + int wrapper_required); OM_uint32 g_display_major_status (OM_uint32 *minor_status, OM_uint32 status_value, @@ -171,10 +175,10 @@ OM_uint32 g_display_com_err_status (OM_uint32 *minor_status, OM_uint32 status_value, gss_buffer_t status_string); -gss_int32 g_order_init (void **queue, OM_uint32 seqnum, - int do_replay, int do_sequence); +gss_int32 g_order_init (void **queue, gssint_uint64 seqnum, + int do_replay, int do_sequence, int wide); -gss_int32 g_order_check (void **queue, OM_uint32 seqnum); +gss_int32 g_order_check (void **queue, gssint_uint64 seqnum); void g_order_free (void **queue); diff --git a/src/lib/gssapi/generic/util_ordering.c b/src/lib/gssapi/generic/util_ordering.c index 21a8b06..f7cf666 100644 --- a/src/lib/gssapi/generic/util_ordering.c +++ b/src/lib/gssapi/generic/util_ordering.c @@ -38,8 +38,14 @@ typedef struct _queue { int do_sequence; int start; int length; - unsigned int firstnum; - unsigned int elem[QUEUE_LENGTH]; + gssint_uint64 firstnum; + /* Stored as deltas from firstnum. This way, the high bit won't + overflow unless we've actually gone through 2**n messages, or + gotten something *way* out of sequence. */ + gssint_uint64 elem[QUEUE_LENGTH]; + /* All ones for 64-bit sequence numbers; 32 ones for 32-bit + sequence numbers. */ + gssint_uint64 mask; } queue; /* rep invariant: @@ -51,7 +57,7 @@ typedef struct _queue { #define QELEM(q,i) ((q)->elem[(i)%QSIZE(q)]) static void -queue_insert(queue *q, int after, unsigned int seqnum) +queue_insert(queue *q, int after, gssint_uint64 seqnum) { /* insert. this is not the fastest way, but it's easy, and it's optimized for insert at end, which is the common case */ @@ -80,10 +86,10 @@ queue_insert(queue *q, int after, unsigned int seqnum) q->length++; } } - + gss_int32 -g_order_init(void **vqueue, OM_uint32 seqnum, - int do_replay, int do_sequence) +g_order_init(void **vqueue, gssint_uint64 seqnum, + int do_replay, int do_sequence, int wide_nums) { queue *q; @@ -92,38 +98,49 @@ g_order_init(void **vqueue, OM_uint32 seqnum, q->do_replay = do_replay; q->do_sequence = do_sequence; + q->mask = wide_nums ? ~(gssint_uint64)0 : 0xffffffffUL; q->start = 0; q->length = 1; q->firstnum = seqnum; - q->elem[q->start] = seqnum-1; + q->elem[q->start] = ((gssint_uint64)0 - 1) & q->mask; *vqueue = (void *) q; return(0); } gss_int32 -g_order_check(void **vqueue, OM_uint32 seqnum) +g_order_check(void **vqueue, gssint_uint64 seqnum) { queue *q; int i; - + gssint_uint64 expected; + q = (queue *) (*vqueue); if (!q->do_replay && !q->do_sequence) return(GSS_S_COMPLETE); + /* All checks are done relative to the initial sequence number, to + avoid (or at least put off) the pain of wrapping. */ + seqnum -= q->firstnum; + /* If we're only doing 32-bit values, adjust for that again. + + Note that this will probably be the wrong thing to if we get + 2**32 messages sent with 32-bit sequence numbers. */ + seqnum &= q->mask; + /* rule 1: expected sequence number */ - if (seqnum == QELEM(q,q->start+q->length-1)+1) { + expected = (QELEM(q,q->start+q->length-1)+1) & q->mask; + if (seqnum == expected) { queue_insert(q, q->start+q->length-1, seqnum); return(GSS_S_COMPLETE); } /* rule 2: > expected sequence number */ - if ((seqnum > QELEM(q,q->start+q->length-1)+1) || - (seqnum < q->firstnum)) { + if ((seqnum > expected)) { queue_insert(q, q->start+q->length-1, seqnum); if (q->do_replay && !q->do_sequence) return(GSS_S_COMPLETE); @@ -134,7 +151,20 @@ g_order_check(void **vqueue, OM_uint32 seqnum) /* rule 3: seqnum < seqnum(first) */ if ((seqnum < QELEM(q,q->start)) && - (seqnum >= q->firstnum)) { + /* Is top bit of whatever width we're using set? + + We used to check for greater than or equal to firstnum, but + (1) we've since switched to compute values relative to + firstnum, so the lowest we can have is 0, and (2) the effect + of the original scheme was highly dependent on whether + firstnum was close to either side of 0. (Consider + firstnum==0xFFFFFFFE and we miss three packets; the next + packet is *new* but would look old.) + + This check should give us 2**31 or 2**63 messages "new", and + just as many "old". That's not quite right either. */ + (seqnum & (1 + (q->mask >> 1))) + ) { if (q->do_replay && !q->do_sequence) return(GSS_S_OLD_TOKEN); else @@ -189,6 +219,8 @@ g_queue_size(void *vqueue, size_t *sizep) gss_uint32 g_queue_externalize(void *vqueue, unsigned char **buf, size_t *lenremain) { + if (*lenremain < sizeof(queue)) + return ENOMEM; memcpy(*buf, vqueue, sizeof(queue)); *buf += sizeof(queue); *lenremain -= sizeof(queue); @@ -201,6 +233,8 @@ g_queue_internalize(void **vqueue, unsigned char **buf, size_t *lenremain) { void *q; + if (*lenremain < sizeof(queue)) + return EINVAL; if ((q = malloc(sizeof(queue))) == 0) return ENOMEM; memcpy(q, *buf, sizeof(queue)); diff --git a/src/lib/gssapi/generic/util_token.c b/src/lib/gssapi/generic/util_token.c index 30ae069..97a788c 100644 --- a/src/lib/gssapi/generic/util_token.c +++ b/src/lib/gssapi/generic/util_token.c @@ -168,12 +168,15 @@ void g_make_token_header(mech, body_size, buf, tok_type) * mechanism in the token does not match the mech argument. buf and * *body_size are left unmodified on error. */ -gss_int32 g_verify_token_header(mech, body_size, buf_in, tok_type, toksize_in) + +gss_int32 g_verify_token_header(mech, body_size, buf_in, tok_type, toksize_in, + wrapper_required) gss_OID mech; unsigned int *body_size; unsigned char **buf_in; int tok_type; unsigned int toksize_in; + int wrapper_required; { unsigned char *buf = *buf_in; int seqsize; @@ -182,8 +185,13 @@ gss_int32 g_verify_token_header(mech, body_size, buf_in, tok_type, toksize_in) if ((toksize-=1) < 0) return(G_BAD_TOK_HEADER); - if (*buf++ != 0x60) - return(G_BAD_TOK_HEADER); + if (*buf++ != 0x60) { + if (wrapper_required) + return(G_BAD_TOK_HEADER); + buf--; + toksize++; + goto skip_wrapper; + } if ((seqsize = der_read_length(&buf, &toksize)) < 0) return(G_BAD_TOK_HEADER); @@ -207,16 +215,17 @@ gss_int32 g_verify_token_header(mech, body_size, buf_in, tok_type, toksize_in) if (! g_OID_equal(&toid, mech)) return G_WRONG_MECH; +skip_wrapper: if (tok_type != -1) { if ((toksize-=2) < 0) return(G_BAD_TOK_HEADER); if ((*buf++ != ((tok_type>>8)&0xff)) || - (*buf++ != (tok_type&0xff))) + (*buf++ != (tok_type&0xff))) return(G_WRONG_TOKID); } - *buf_in = buf; - *body_size = toksize; + *buf_in = buf; + *body_size = toksize; - return 0; - } + return 0; +} diff --git a/src/lib/gssapi/gss_libinit.c b/src/lib/gssapi/gss_libinit.c index 7906786..0568f29 100644 --- a/src/lib/gssapi/gss_libinit.c +++ b/src/lib/gssapi/gss_libinit.c @@ -33,12 +33,9 @@ OM_uint32 gssint_initialize_library (void) void gssint_cleanup_library (void) { - OM_uint32 min_stat; assert (initialized); - (void) kg_release_defcred (&min_stat); - #if !USE_BUNDLE_ERROR_STRINGS remove_error_table(&et_k5g_error_table); remove_error_table(&et_ggss_error_table); diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog index 7424a25..911b305 100644 --- a/src/lib/gssapi/krb5/ChangeLog +++ b/src/lib/gssapi/krb5/ChangeLog @@ -1,3 +1,213 @@ +2004-02-26 Sam Hartman <hartmans@avalanche-breakdown.mit.edu> + + * accept_sec_context.c (krb5_gss_accept_sec_context): Don't clear + the DO_TIME flag until after rd_req is called so a replay cache is + set up even in the no_credential case. + +2004-02-23 Ken Raeburn <raeburn@mit.edu> + + * wrap_size_limit.c (krb5_gss_wrap_size_limit): Fix calculation + for confidential CFX tokens. + +2004-02-09 Ken Raeburn <raeburn@mit.edu> + + * ser_sctx.c (kg_oid_externalize): Check for errors. + (kg_oid_internalize): Check for errors. Free allocated storage on + error. + (kg_queue_externalize): Check for errorrs. + (kg_queue_internalize): Check for errors. Free allocated storage + on error. + (kg_ctx_size): Update for new context data. + (kg_ctx_externalize): Update for new context data. Check for + error storing trailer. + (kg_ctx_internalize): Update for new context data. Check for + errors in a few more cases. + +2004-02-05 Jeffrey Altman <jaltman@mit.edu> + + * gssapiP_krb5.h: remove KG_IMPLFLAGS macro + + * init_sec_context.c (init_sec_context): Expand KG_IMPLFLAGS + macro with previous macro definition + + * accept_sec_context.c (accept_sec_context): Replace KG_IMPLFLAGS + macro with new definition. As per 1964 the INTEG and CONF flags + are supposed to indicate the availability of the services in + the client. By applying the previous definition of KG_IMPLFLAGS + the INTEG and CONF flags are always on. This can be a problem + because some clients such as Microsoft's Kerberos SSPI allow + CONF and INTEG to be used independently. By forcing the flags + on, we would end up with inconsist state with the client. + +2004-01-27 Ken Raeburn <raeburn@mit.edu> + + * init_sec_context.c (make_gss_checksum) [CFX_EXERCISE]: Don't + crash on null pointer in debugging code. + (new_connection): Disable CFX_EXERCISE unknown-token-id case + detection. + + * accept_sec_context.c (krb5_gss_accept_sec_context) + [CFX_EXERCISE]: Log to /tmp/gsslog whether delegation or extra + option bytes were present. + +2004-01-05 Ken Raeburn <raeburn@mit.edu> + + * init_sec_context.c: Include auth_con.h if CFX_EXERCISE is + defined. + (make_gss_checksum) [CFX_EXERCISE]: If the key enctype is aes256, + insert some stuff after the delegation slot. + (new_connection) [CFX_EXERCISE]: Don't send messages with bogus + token ids. + + * accept_sec_context.c (krb5_gss_accept_sec_context): Don't + discard the delegation flag; only look for a delegation if the + flag is set, and only look for delegation, not other options. + Ignore any other data there. + +2003-12-19 Tom Yu <tlyu@mit.edu> + + * init_sec_context.c: Include k5-int.h for accessor. + +2003-12-18 Jeffrey Altman <jaltman@mit.edu> + + * accept_sec_context.c, init_sec_context.c, ser_sctx.c: + Implement use of krb5int_accessor() for krb5int_c_mandatory_cksumtype, + krb5_ser_pack_int64, and krb5_ser_unpack_int64 + +2003-12-13 Ken Raeburn <raeburn@mit.edu> + Sam Hartman <hartmans@avalanche-breakdown.mit.edu> + + * k5sealv3.c: New file, implements Wrap and MIC tokens for CFX + extensions. + * gssapiP_krb5.h (struct _krb5_gss_ctx_id_rec): Added acceptor + subkey, 64-bit sequence numbers, checksum type, and hooks for + sending a bogus initial token for CFX testing. Changed some flags + into bitfields. + (gss_krb5int_make_seal_token_v3): Declare. + * Makefile.in (SRCS, OBJS, STLIBOBJS): Build it. + * accept_sec_context.c (krb5_gss_accept_sec_context): Add CFX + support. For G_WRONG_TOKID, send back an error token with + AP_ERR_MSG_TYPE code and return a CONTINUE_NEEDED indication. + Initialize new fields in context. + * delete_sec_context.c (krb5_gss_delete_sec_context): Free + acceptor subkey field. + * init_sec_context.c (get_credentials): Drop enctypes argument; + callers changed. + (get_requested_enctypes): Deleted. + (setup_enc): Combine some common sections. Do CFX initialization + for newer enctypes. + (new_connection) [CFX_EXERCISE]: If doing CFX, send a bogus + token. Delete the enctype list manipulation. + (mutual_auth): If CFX, save acceptor's subkey. + * k5seal.c (make_seal_token_v1): Sequence number is now 64 bits. + (kg_seal): Call out to _v3 code for CFX. + * k5unseal.c (kg_unseal): For CFX, adjust token id numbers and + call out to _v3 code. + * wrap_size_limit.c (krb5_gss_wrap_size_limit): Implement CFX + support. + + * gssapiP_krb5.h (struct _krb5_gss_ctx_id_rec): Deleted fields + ctypes and nctypes. + * delete_sec_context.c, init_sec_context.c, ser_sctx.c: Removed + references. + +2003-12-11 Alexandra Ellwood <lxs@mit.edu> + + * acquire_cred.c, gssapi_krb5.c, gssapiP_krb5.h, set_ccache.c: + Added kg_sync_ccache_name(), kg_get_ccache_name, and + kg_set_ccache_name() and rewrote gss_krb5_ccache_name() and + added a call to kg_sync_ccache_name() to acquire_init_cred() + to fix a bug where on systems with multiple ccaches that GSSAPI + gets stuck on the ccache that was default when it launched. + +2003-07-19 Ezra Peisach <epeisach@mit.edu> + + * acquire_cred.c (krb5_gss_register_acceptor_identity): Allocate + enough memory to include the null at the end of the keytab char *. + +2003-07-17 Tom Yu <tlyu@mit.edu> + + * gssapiP_krb5.h: Delete kg_release_defcred(); it's no longer + used. + + * gssapi_krb5.c: Delete defcred; it's no longer cached. + (kg_get_defcred): Don't cache. + (kg_release_defcred): Delete; it's no longer used. + + * init_sec_context.c (krb5_gss_init_sec_context): Break into more + manageable pieces. Clean up a few error condition memory leaks + previously obscured by the sheer size of this function. + (setup_enc): New function; used to be part of + krb5_gss_init_sec_context() responsible for setting up enctypes, + keyblocks, related nastiness. + (get_requested_enctypes): New function; used to be part of + krb5_gss_init_sec_context() responsible for pruning the krb5 + library's default enctype list to the limited set of enctypes + usable with GSSAPI. + (new_connection): New function; used to be part of + krb5_gss_init_sec_context() responsible for initial gss_ctx setup + and creating the AP-REQ. + (mutual_auth): New function; used to be part of + krb5_gss_init_sec_context() responsible for reading the AP-REP if + mutual auth was requested. + + * inq_cred.c (krb5_gss_inquire_cred): Rearrange due to removal of + kg_release_defcred(), particularly to explicitly release the + defcred once it's obtained. + + * rel_cred.c (krb5_gss_release_cred): Remove call to + kg_release_defcred(), and always succeed in releasing the null + credential. + + * set_ccache.c (gss_krb5_ccache_name): Remove call to + kg_release_defcred(). + +2003-07-14 Tom Yu <tlyu@mit.edu> + + * accept_sec_context.c (krb5_gss_accept_sec_context): Call + TREAD_STR with correct arguments. Patch from Emily Ratliff. + +2003-07-10 Tom Yu <tlyu@mit.edu> + + * acquire_cred.c (acquire_init_cred): Close the ccache if + krb5_cc_set_flags() fails, as krb5int_cc_default succeeds even if + the file is not there, but krb5_cc_set_flags will fail in turning + off OPENCLOSE mode if the file can't be opened. Thanks to Kent Wu. + +2003-06-13 Tom Yu <tlyu@mit.edu> + + * init_sec_context.c (make_ap_req_v1): Free checksum_data if + needed, to avoid leaking memory. Found by Kent Wu. + (krb5_gss_init_sec_context): Free default_enctypes to avoid + leaking returned value from krb5_get_tgs_ktypes. + + * k5unseal.c (kg_unseal_v1): Explicitly set token.value to NULL if + token.length == 0, to avoid spurious uninitialized memory + references when calling memcpy() with a zero length. + +2003-05-13 Tom Yu <tlyu@mit.edu> + + * gssapi_krb5.h: Remove check for GSS_RFC_COMPLIANT_OIDS. + +2003-05-09 Tom Yu <tlyu@mit.edu> + + * accept_sec_context.c (krb5_gss_accept_sec_context): Rename + remote_subkey -> recv_subkey. + + * init_sec_context.c (krb5_gss_init_sec_context): Rename + local_subkey -> send_subkey. + +2003-03-14 Sam Hartman <hartmans@mit.edu> + + * accept_sec_context.c (krb5_gss_accept_sec_context): Set + prot_ready here + + * init_sec_context.c (krb5_gss_init_sec_context): Set prot_ready + after context established + + * gssapiP_krb5.h (KG_IMPLFLAGS): Don't claim prot_ready until the + context is established because we don't currently support it. + 2003-03-06 Alexandra Ellwood <lxs@mit.edu> * disp_status.c, gssapi_krb5.h, gssapiP_krb5.h: diff --git a/src/lib/gssapi/krb5/Makefile.in b/src/lib/gssapi/krb5/Makefile.in index c0d2660..0bdc117 100644 --- a/src/lib/gssapi/krb5/Makefile.in +++ b/src/lib/gssapi/krb5/Makefile.in @@ -43,6 +43,7 @@ SRCS = \ $(srcdir)/inq_cred.c \ $(srcdir)/inq_names.c \ $(srcdir)/k5seal.c \ + $(srcdir)/k5sealv3.c \ $(srcdir)/k5unseal.c \ $(srcdir)/krb5_gss_glue.c \ $(srcdir)/process_context_token.c \ @@ -90,6 +91,7 @@ OBJS = \ $(OUTPRE)inq_cred.$(OBJEXT) \ $(OUTPRE)inq_names.$(OBJEXT) \ $(OUTPRE)k5seal.$(OBJEXT) \ + $(OUTPRE)k5sealv3.$(OBJEXT) \ $(OUTPRE)k5unseal.$(OBJEXT) \ $(OUTPRE)krb5_gss_glue.$(OBJEXT) \ $(OUTPRE)process_context_token.$(OBJEXT) \ @@ -137,6 +139,7 @@ STLIBOBJS = \ inq_cred.o \ inq_names.o \ k5seal.o \ + k5sealv3.o \ k5unseal.o \ krb5_gss_glue.o \ process_context_token.o \ @@ -215,195 +218,244 @@ install:: # accept_sec_context.so accept_sec_context.po $(OUTPRE)accept_sec_context.$(OBJEXT): accept_sec_context.c \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \ + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h acquire_cred.so acquire_cred.po $(OUTPRE)acquire_cred.$(OBJEXT): acquire_cred.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \ + gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h add_cred.so add_cred.po $(OUTPRE)add_cred.$(OBJEXT): add_cred.c gssapiP_krb5.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h + ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h canon_name.so canon_name.po $(OUTPRE)canon_name.$(OBJEXT): canon_name.c gssapiP_krb5.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h + ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h compare_name.so compare_name.po $(OUTPRE)compare_name.$(OBJEXT): compare_name.c gssapiP_krb5.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h + ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h context_time.so context_time.po $(OUTPRE)context_time.$(OBJEXT): context_time.c gssapiP_krb5.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h + ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h copy_ccache.so copy_ccache.po $(OUTPRE)copy_ccache.$(OBJEXT): copy_ccache.c gssapiP_krb5.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h + ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h delete_sec_context.so delete_sec_context.po $(OUTPRE)delete_sec_context.$(OBJEXT): delete_sec_context.c \ gssapiP_krb5.h $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) \ $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \ $(BUILDTOP)/include/gssapi/gssapi.h ../generic/gssapi_err_generic.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5/autoconf.h \ gssapi_krb5.h gssapi_err_krb5.h disp_name.so disp_name.po $(OUTPRE)disp_name.$(OBJEXT): disp_name.c gssapiP_krb5.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h + ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h disp_status.so disp_status.po $(OUTPRE)disp_status.$(OBJEXT): disp_status.c gssapiP_krb5.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h + ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h duplicate_name.so duplicate_name.po $(OUTPRE)duplicate_name.$(OBJEXT): duplicate_name.c \ gssapiP_krb5.h $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) \ $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \ $(BUILDTOP)/include/gssapi/gssapi.h ../generic/gssapi_err_generic.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5/autoconf.h \ gssapi_krb5.h gssapi_err_krb5.h export_name.so export_name.po $(OUTPRE)export_name.$(OBJEXT): export_name.c gssapiP_krb5.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h + ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h export_sec_context.so export_sec_context.po $(OUTPRE)export_sec_context.$(OBJEXT): export_sec_context.c \ gssapiP_krb5.h $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) \ $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \ $(BUILDTOP)/include/gssapi/gssapi.h ../generic/gssapi_err_generic.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5/autoconf.h \ gssapi_krb5.h gssapi_err_krb5.h get_tkt_flags.so get_tkt_flags.po $(OUTPRE)get_tkt_flags.$(OBJEXT): get_tkt_flags.c gssapiP_krb5.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h + ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h gssapi_krb5.so gssapi_krb5.po $(OUTPRE)gssapi_krb5.$(OBJEXT): gssapi_krb5.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \ + gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h import_name.so import_name.po $(OUTPRE)import_name.$(OBJEXT): import_name.c gssapiP_krb5.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h + ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h import_sec_context.so import_sec_context.po $(OUTPRE)import_sec_context.$(OBJEXT): import_sec_context.c \ gssapiP_krb5.h $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) \ $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \ $(BUILDTOP)/include/gssapi/gssapi.h ../generic/gssapi_err_generic.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5/autoconf.h \ gssapi_krb5.h gssapi_err_krb5.h indicate_mechs.so indicate_mechs.po $(OUTPRE)indicate_mechs.$(OBJEXT): indicate_mechs.c \ gssapiP_krb5.h $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) \ $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \ $(BUILDTOP)/include/gssapi/gssapi.h ../generic/gssapi_err_generic.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5/autoconf.h \ gssapi_krb5.h gssapi_err_krb5.h init_sec_context.so init_sec_context.po $(OUTPRE)init_sec_context.$(OBJEXT): init_sec_context.c \ - gssapiP_krb5.h $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) \ - $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \ - $(BUILDTOP)/include/gssapi/gssapi.h ../generic/gssapi_err_generic.h \ - gssapi_krb5.h gssapi_err_krb5.h + $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \ + $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ + ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h inq_context.so inq_context.po $(OUTPRE)inq_context.$(OBJEXT): inq_context.c gssapiP_krb5.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h + ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h inq_cred.so inq_cred.po $(OUTPRE)inq_cred.$(OBJEXT): inq_cred.c gssapiP_krb5.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h + ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h inq_names.so inq_names.po $(OUTPRE)inq_names.$(OBJEXT): inq_names.c gssapiP_krb5.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h + ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h k5seal.so k5seal.po $(OUTPRE)k5seal.$(OBJEXT): k5seal.c gssapiP_krb5.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ + ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h +k5sealv3.so k5sealv3.po $(OUTPRE)k5sealv3.$(OBJEXT): k5sealv3.c $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-int.h \ + $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ + gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \ + $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h k5unseal.so k5unseal.po $(OUTPRE)k5unseal.$(OBJEXT): k5unseal.c gssapiP_krb5.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h + ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h krb5_gss_glue.so krb5_gss_glue.po $(OUTPRE)krb5_gss_glue.$(OBJEXT): krb5_gss_glue.c gssapiP_krb5.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h + ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h process_context_token.so process_context_token.po $(OUTPRE)process_context_token.$(OBJEXT): process_context_token.c \ gssapiP_krb5.h $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) \ $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \ $(BUILDTOP)/include/gssapi/gssapi.h ../generic/gssapi_err_generic.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5/autoconf.h \ gssapi_krb5.h gssapi_err_krb5.h rel_cred.so rel_cred.po $(OUTPRE)rel_cred.$(OBJEXT): rel_cred.c gssapiP_krb5.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h + ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h rel_oid.so rel_oid.po $(OUTPRE)rel_oid.$(OBJEXT): rel_oid.c gssapiP_krb5.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h + ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h rel_name.so rel_name.po $(OUTPRE)rel_name.$(OBJEXT): rel_name.c gssapiP_krb5.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h + ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h seal.so seal.po $(OUTPRE)seal.$(OBJEXT): seal.c gssapiP_krb5.h $(BUILDTOP)/include/krb5.h \ $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h + ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h ser_sctx.so ser_sctx.po $(OUTPRE)ser_sctx.$(OBJEXT): ser_sctx.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \ + gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h set_ccache.so set_ccache.po $(OUTPRE)set_ccache.$(OBJEXT): set_ccache.c gssapiP_krb5.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h + ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h sign.so sign.po $(OUTPRE)sign.$(OBJEXT): sign.c gssapiP_krb5.h $(BUILDTOP)/include/krb5.h \ $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h + ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h unseal.so unseal.po $(OUTPRE)unseal.$(OBJEXT): unseal.c gssapiP_krb5.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h + ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h util_cksum.so util_cksum.po $(OUTPRE)util_cksum.$(OBJEXT): util_cksum.c gssapiP_krb5.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h + ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h util_crypt.so util_crypt.po $(OUTPRE)util_crypt.$(OBJEXT): util_crypt.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \ + gssapiP_krb5.h $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h util_seed.so util_seed.po $(OUTPRE)util_seed.$(OBJEXT): util_seed.c gssapiP_krb5.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h + ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h util_seqnum.so util_seqnum.po $(OUTPRE)util_seqnum.$(OBJEXT): util_seqnum.c gssapiP_krb5.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h \ + ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h val_cred.so val_cred.po $(OUTPRE)val_cred.$(OBJEXT): val_cred.c gssapiP_krb5.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h + ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h verify.so verify.po $(OUTPRE)verify.$(OBJEXT): verify.c gssapiP_krb5.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ - ../generic/gssapi_err_generic.h gssapi_krb5.h gssapi_err_krb5.h + ../generic/gssapi_err_generic.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5/autoconf.h gssapi_krb5.h gssapi_err_krb5.h wrap_size_limit.so wrap_size_limit.po $(OUTPRE)wrap_size_limit.$(OBJEXT): wrap_size_limit.c \ gssapiP_krb5.h $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) \ $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_generic.h \ $(BUILDTOP)/include/gssapi/gssapi.h ../generic/gssapi_err_generic.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5/autoconf.h \ gssapi_krb5.h gssapi_err_krb5.h gssapi_err_krb5.so gssapi_err_krb5.po $(OUTPRE)gssapi_err_krb5.$(OBJEXT): gssapi_err_krb5.c \ $(COM_ERR_DEPS) diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c index 5ff6146..9db7e7e 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c @@ -77,6 +77,12 @@ #endif #include <assert.h> +#ifdef CFX_EXERCISE +#define CFX_ACCEPTOR_SUBKEY (time(0) & 1) +#else +#define CFX_ACCEPTOR_SUBKEY 1 +#endif + /* Decode, decrypt and store the forwarded creds in the local ccache. */ static krb5_error_code rd_and_store_for_creds(context, auth_context, inbuf, out_cred) @@ -101,8 +107,8 @@ rd_and_store_for_creds(context, auth_context, inbuf, out_cred) * By the time krb5_rd_cred is called here (after krb5_rd_req has been * called in krb5_gss_accept_sec_context), the "keyblock" field of * auth_context contains a pointer to the session key, and the - * "remote_subkey" field might contain a session subkey. Either of - * these (the "remote_subkey" if it isn't NULL, otherwise the + * "recv_subkey" field might contain a session subkey. Either of + * these (the "recv_subkey" if it isn't NULL, otherwise the * "keyblock") might have been used to encrypt the encrypted part of * the KRB_CRED message that contains the forwarded credentials. (The * Java Crypto and Security Implementation from the DSTC in Australia @@ -122,7 +128,8 @@ rd_and_store_for_creds(context, auth_context, inbuf, out_cred) if ((retval = krb5_auth_con_init(context, &new_auth_ctx))) goto cleanup; krb5_auth_con_setflags(context, new_auth_ctx, 0); - if ((retval = krb5_rd_cred(context, new_auth_ctx, inbuf, &creds, NULL))) + if ((retval = krb5_rd_cred(context, new_auth_ctx, inbuf, + &creds, NULL))) goto cleanup; } @@ -241,7 +248,14 @@ krb5_gss_accept_sec_context(minor_status, context_handle, krb5_data scratch; gss_cred_id_t cred_handle = NULL; krb5_gss_cred_id_t deleg_cred = NULL; + krb5int_access kaccess; + code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION); + if (code) { + *minor_status = code; + return(GSS_S_FAILURE); + } + if (GSS_ERROR(kg_get_context(minor_status, &context))) return(GSS_S_FAILURE); @@ -312,13 +326,13 @@ krb5_gss_accept_sec_context(minor_status, context_handle, if (!(code = g_verify_token_header((gss_OID) gss_mech_krb5, &(ap_req.length), &ptr, KG_TOK_CTX_AP_REQ, - input_token->length))) { + input_token->length, 1))) { mech_used = gss_mech_krb5; } else if ((code == G_WRONG_MECH) && !(code = g_verify_token_header((gss_OID) gss_mech_krb5_old, &(ap_req.length), &ptr, KG_TOK_CTX_AP_REQ, - input_token->length))) { + input_token->length, 1))) { /* * Previous versions of this library used the old mech_id * and some broken behavior (wrong IV on checksum @@ -327,6 +341,11 @@ krb5_gss_accept_sec_context(minor_status, context_handle, * old behavior. */ mech_used = gss_mech_krb5_old; + } else if (code == G_WRONG_TOKID) { + major_status = GSS_S_CONTINUE_NEEDED; + code = KRB5KRB_AP_ERR_MSG_TYPE; + mech_used = gss_mech_krb5; + goto fail; } else { major_status = GSS_S_DEFECTIVE_TOKEN; goto fail; @@ -358,8 +377,6 @@ krb5_gss_accept_sec_context(minor_status, context_handle, major_status = GSS_S_FAILURE; goto fail; } - krb5_auth_con_setflags(context, auth_context, - KRB5_AUTH_CONTEXT_DO_SEQUENCE); if (cred->rcache) { if ((code = krb5_auth_con_setrcache(context, auth_context, cred->rcache))) { major_status = GSS_S_FAILURE; @@ -376,6 +393,8 @@ krb5_gss_accept_sec_context(minor_status, context_handle, major_status = GSS_S_FAILURE; goto fail; } + krb5_auth_con_setflags(context, auth_context, + KRB5_AUTH_CONTEXT_DO_SEQUENCE); krb5_auth_con_getauthenticator(context, auth_context, &authdat); @@ -496,18 +515,20 @@ krb5_gss_accept_sec_context(minor_status, context_handle, reqcksum.contents = 0; TREAD_INT(ptr, gss_flags, bigend); +#if 0 gss_flags &= ~GSS_C_DELEG_FLAG; /* mask out the delegation flag; if there's a delegation, we'll set it below */ +#endif decode_req_message = 0; /* if the checksum length > 24, there are options to process */ - if(authdat->checksum->length > 24) { + if(authdat->checksum->length > 24 && (gss_flags & GSS_C_DELEG_FLAG)) { i = authdat->checksum->length - 24; - while (i >= 4) { + if (i >= 4) { TREAD_INT16(ptr, option_id, bigend); @@ -515,23 +536,24 @@ krb5_gss_accept_sec_context(minor_status, context_handle, i -= 4; - /* have to use ptr2, since option.data is wrong type and - macro uses ptr as both lvalue and rvalue */ - if (i < option.length || option.length < 0) { code = KG_BAD_LENGTH; major_status = GSS_S_FAILURE; goto fail; } - TREAD_STR(ptr, ptr2, bigend); + /* have to use ptr2, since option.data is wrong type and + macro uses ptr as both lvalue and rvalue */ + + TREAD_STR(ptr, ptr2, option.length); option.data = (char *) ptr2; i -= option.length; - switch(option_id) { - - case KRB5_GSS_FOR_CREDS_OPTION: + if (option_id != KRB5_GSS_FOR_CREDS_OPTION) { + major_status = GSS_S_FAILURE; + goto fail; + } /* store the delegated credential */ @@ -543,16 +565,37 @@ krb5_gss_accept_sec_context(minor_status, context_handle, goto fail; } - gss_flags |= GSS_C_DELEG_FLAG; /* got a delegation */ - - break; - - /* default: */ - /* unknown options aren't an error */ - - } /* switch */ - } /* while */ - } /* if */ + } /* if i >= 4 */ + /* ignore any additional trailing data, for now */ +#ifdef CFX_EXERCISE + { + FILE *f = fopen("/tmp/gsslog", "a"); + if (f) { + fprintf(f, + "initial context token with delegation, %d extra bytes\n", + i); + fclose(f); + } + } +#endif + } else { +#ifdef CFX_EXERCISE + { + FILE *f = fopen("/tmp/gsslog", "a"); + if (f) { + if (gss_flags & GSS_C_DELEG_FLAG) + fprintf(f, + "initial context token, delegation flag but too small\n"); + else + /* no deleg flag, length might still be too big */ + fprintf(f, + "initial context token, %d extra bytes\n", + authdat->checksum->length - 24); + fclose(f); + } + } +#endif + } } /* create the ctx struct and start filling it in */ @@ -568,7 +611,10 @@ krb5_gss_accept_sec_context(minor_status, context_handle, ctx->mech_used = (gss_OID) mech_used; ctx->auth_context = auth_context; ctx->initiate = 0; - ctx->gss_flags = KG_IMPLFLAGS(gss_flags); + ctx->gss_flags = (GSS_C_TRANS_FLAG | + ((gss_flags) & (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG | + GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | + GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG))); ctx->seed_init = 0; ctx->big_endian = bigend; @@ -592,8 +638,8 @@ krb5_gss_accept_sec_context(minor_status, context_handle, goto fail; } - if ((code = krb5_auth_con_getremotesubkey(context, auth_context, - &ctx->subkey))) { + if ((code = krb5_auth_con_getrecvsubkey(context, auth_context, + &ctx->subkey))) { major_status = GSS_S_FAILURE; goto fail; } @@ -616,6 +662,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle, goto fail; } + ctx->proto = 0; switch(ctx->subkey->enctype) { case ENCTYPE_DES_CBC_MD5: case ENCTYPE_DES_CBC_CRC: @@ -635,12 +682,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle, /*SUPPRESS 113*/ ctx->enc->contents[i] ^= 0xf0; - if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->seq))) { - major_status = GSS_S_FAILURE; - goto fail; - } - - break; + goto copy_subkey_to_seq; case ENCTYPE_DES3_CBC_SHA1: ctx->subkey->enctype = ENCTYPE_DES3_CBC_RAW; @@ -649,36 +691,38 @@ krb5_gss_accept_sec_context(minor_status, context_handle, ctx->sealalg = SEAL_ALG_DES3KD; /* fill in the encryption descriptors */ - + copy_subkey: if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc))) { major_status = GSS_S_FAILURE; goto fail; } - + copy_subkey_to_seq: if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->seq))) { major_status = GSS_S_FAILURE; goto fail; } - break; - case ENCTYPE_ARCFOUR_HMAC: - ctx->signalg = SGN_ALG_HMAC_MD5 ; - ctx->cksum_size = 8; - ctx->sealalg = SEAL_ALG_MICROSOFT_RC4 ; - - code = krb5_copy_keyblock (context, ctx->subkey, &ctx->enc); - if (code) - goto fail; - code = krb5_copy_keyblock (context, ctx->subkey, &ctx->seq); - if (code) { - krb5_free_keyblock (context, ctx->enc); - goto fail; - } - break; + + case ENCTYPE_ARCFOUR_HMAC: + ctx->signalg = SGN_ALG_HMAC_MD5 ; + ctx->cksum_size = 8; + ctx->sealalg = SEAL_ALG_MICROSOFT_RC4 ; + goto copy_subkey; default: - code = KRB5_BAD_ENCTYPE; - goto fail; + ctx->signalg = -1; + ctx->sealalg = -1; + ctx->proto = 1; + code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, ctx->subkey->enctype, + &ctx->cksumtype); + if (code) + goto fail; + code = krb5_c_checksum_length(context, ctx->cksumtype, + &ctx->cksum_size); + if (code) + goto fail; + ctx->have_acceptor_subkey = 0; + goto copy_subkey; } ctx->endtime = ticket->enc_part2->times.endtime; @@ -686,7 +730,11 @@ krb5_gss_accept_sec_context(minor_status, context_handle, krb5_free_ticket(context, ticket); /* Done with ticket */ - krb5_auth_con_getremoteseqnumber(context, auth_context, &ctx->seq_recv); + { + krb5_ui_4 seq_temp; + krb5_auth_con_getremoteseqnumber(context, auth_context, &seq_temp); + ctx->seq_recv = seq_temp; + } if ((code = krb5_timeofday(context, &now))) { major_status = GSS_S_FAILURE; @@ -701,7 +749,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle, g_order_init(&(ctx->seqstate), ctx->seq_recv, (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, - (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0); + (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0, ctx->proto); /* at this point, the entire context structure is filled in, so it can be released. */ @@ -710,15 +758,56 @@ krb5_gss_accept_sec_context(minor_status, context_handle, if (ctx->gss_flags & GSS_C_MUTUAL_FLAG) { unsigned char * ptr3; + krb5_ui_4 seq_temp; + int cfx_generate_subkey; + + if (ctx->proto == 1) + cfx_generate_subkey = CFX_ACCEPTOR_SUBKEY; + else + cfx_generate_subkey = 0; + + if (cfx_generate_subkey) { + krb5_int32 acflags; + code = krb5_auth_con_getflags(context, auth_context, &acflags); + if (code == 0) { + acflags |= KRB5_AUTH_CONTEXT_USE_SUBKEY; + code = krb5_auth_con_setflags(context, auth_context, acflags); + } + if (code) { + major_status = GSS_S_FAILURE; + goto fail; + } + } + if ((code = krb5_mk_rep(context, auth_context, &ap_rep))) { major_status = GSS_S_FAILURE; goto fail; } - krb5_auth_con_getlocalseqnumber(context, auth_context, - &ctx->seq_send); + krb5_auth_con_getlocalseqnumber(context, auth_context, &seq_temp); + ctx->seq_send = seq_temp & 0xffffffffL; + + if (cfx_generate_subkey) { + /* Get the new acceptor subkey. With the code above, there + should always be one if we make it to this point. */ + code = krb5_auth_con_getsendsubkey(context, auth_context, + &ctx->acceptor_subkey); + if (code != 0) { + major_status = GSS_S_FAILURE; + goto fail; + } + code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, + ctx->acceptor_subkey->enctype, + &ctx->acceptor_subkey_cksumtype); + if (code) { + major_status = GSS_S_FAILURE; + goto fail; + } + ctx->have_acceptor_subkey = 1; + } /* the reply token hasn't been sent yet, but that's ok. */ + ctx->gss_flags |= GSS_C_PROT_READY_FLAG; ctx->established = 1; token.length = g_token_size((gss_OID) mech_used, ap_rep.length); @@ -803,7 +892,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle, if (ap_rep.data) krb5_free_data_contents(context, &ap_rep); - if (!GSS_ERROR(major_status)) + if (!GSS_ERROR(major_status) && major_status != GSS_S_CONTINUE_NEEDED) return(major_status); /* from here on is the real "fail" code */ @@ -843,7 +932,9 @@ krb5_gss_accept_sec_context(minor_status, context_handle, krb5_free_ap_req(context, request); } - if (cred && (gss_flags & GSS_C_MUTUAL_FLAG)) { + if (cred + && ((gss_flags & GSS_C_MUTUAL_FLAG) + || (major_status == GSS_S_CONTINUE_NEEDED))) { unsigned int tmsglen; int toktype; @@ -853,7 +944,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle, */ memset(&krb_error_data, 0, sizeof(krb_error_data)); - code -= ERROR_TABLE_BASE_krb5; + code -= ERROR_TABLE_BASE_krb5; if (code < 0 || code > 128) code = 60 /* KRB_ERR_GENERIC */; @@ -861,7 +952,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle, (void) krb5_us_timeofday(context, &krb_error_data.stime, &krb_error_data.susec); krb_error_data.server = cred->princ; - + code = krb5_mk_error(context, &krb_error_data, &scratch); if (code) return (major_status); diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c index 2c620b9..513abe5 100644 --- a/src/lib/gssapi/krb5/acquire_cred.c +++ b/src/lib/gssapi/krb5/acquire_cred.c @@ -92,7 +92,7 @@ krb5_gss_register_acceptor_identity(const char *keytab) free(krb5_gss_keytab); len = strlen(keytab); - krb5_gss_keytab = malloc(len); + krb5_gss_keytab = malloc(len + 1); if (krb5_gss_keytab == NULL) return GSS_S_FAILURE; @@ -190,8 +190,13 @@ acquire_init_cred(context, minor_status, desired_name, output_princ, cred) cred->ccache = NULL; - /* open the default credential cache */ + /* load the GSS ccache name into the kg_context */ + + if (GSS_ERROR(kg_sync_ccache_name(minor_status))) + return(GSS_S_FAILURE); + /* open the default credential cache */ + if ((code = krb5int_cc_default(context, &ccache))) { *minor_status = code; return(GSS_S_CRED_UNAVAIL); @@ -201,6 +206,7 @@ acquire_init_cred(context, minor_status, desired_name, output_princ, cred) flags = 0; /* turns off OPENCLOSE mode */ if ((code = krb5_cc_set_flags(context, ccache, flags))) { + (void)krb5_cc_close(context, ccache); *minor_status = code; return(GSS_S_CRED_UNAVAIL); } diff --git a/src/lib/gssapi/krb5/delete_sec_context.c b/src/lib/gssapi/krb5/delete_sec_context.c index 28c2358..94702b8 100644 --- a/src/lib/gssapi/krb5/delete_sec_context.c +++ b/src/lib/gssapi/krb5/delete_sec_context.c @@ -92,6 +92,8 @@ krb5_gss_delete_sec_context(minor_status, context_handle, output_token) krb5_free_principal(context, ctx->there); if (ctx->subkey) krb5_free_keyblock(context, ctx->subkey); + if (ctx->acceptor_subkey) + krb5_free_keyblock(context, ctx->acceptor_subkey); if (ctx->auth_context) { (void)krb5_auth_con_setrcache(context, ctx->auth_context, NULL); @@ -101,9 +103,6 @@ krb5_gss_delete_sec_context(minor_status, context_handle, output_token) if (ctx->mech_used) gss_release_oid(minor_status, &ctx->mech_used); - if (ctx->ctypes) - xfree(ctx->ctypes); - /* Zero out context */ memset(ctx, 0, sizeof(*ctx)); xfree(ctx); diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h index 3251086..514c821 100644 --- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h @@ -69,6 +69,9 @@ #include "gssapi_krb5.h" #include "gssapi_err_krb5.h" +/* for debugging */ +#undef CFX_EXERCISE + /** constants **/ #define CKSUMTYPE_KG_CB 0x8003 @@ -82,11 +85,6 @@ #define KG_TOK_WRAP_MSG 0x0201 #define KG_TOK_DEL_CTX 0x0102 -#define KG_IMPLFLAGS(x) (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG | \ - GSS_C_TRANS_FLAG | GSS_C_PROT_READY_FLAG | \ - ((x) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | \ - GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG))) - #define KG2_TOK_INITIAL 0x0101 #define KG2_TOK_RESPONSE 0x0202 #define KG2_TOK_MIC 0x0303 @@ -116,10 +114,17 @@ enum seal_alg { SEAL_ALG_DES3KD = 0x0002 }; +/* for 3DES */ #define KG_USAGE_SEAL 22 #define KG_USAGE_SIGN 23 #define KG_USAGE_SEQ 24 +/* for draft-ietf-krb-wg-gssapi-cfx-01 */ +#define KG_USAGE_ACCEPTOR_SEAL 22 +#define KG_USAGE_ACCEPTOR_SIGN 23 +#define KG_USAGE_INITIATOR_SEAL 24 +#define KG_USAGE_INITIATOR_SIGN 25 + enum qop { GSS_KRB5_INTEG_C_QOP_MD5 = 0x0001, /* *partial* MD5 = "MD2.5" */ GSS_KRB5_INTEG_C_QOP_DES_MD5 = 0x0002, @@ -152,15 +157,21 @@ typedef struct _krb5_gss_cred_id_rec { } krb5_gss_cred_id_rec, *krb5_gss_cred_id_t; typedef struct _krb5_gss_ctx_id_rec { - int initiate; /* nonzero if initiating, zero if accepting */ + unsigned int initiate : 1; /* nonzero if initiating, zero if accepting */ + unsigned int established : 1; + unsigned int big_endian : 1; + unsigned int have_acceptor_subkey : 1; + unsigned int seed_init : 1; /* XXX tested but never actually set */ +#ifdef CFX_EXERCISE + unsigned int testing_unknown_tokid : 1; /* for testing only */ +#endif OM_uint32 gss_flags; - int seed_init; unsigned char seed[16]; krb5_principal here; krb5_principal there; krb5_keyblock *subkey; int signalg; - int cksum_size; + size_t cksum_size; int sealalg; krb5_keyblock *enc; krb5_keyblock *seq; @@ -169,15 +180,22 @@ typedef struct _krb5_gss_ctx_id_rec { /* XXX these used to be signed. the old spec is inspecific, and the new spec specifies unsigned. I don't believe that the change affects the wire encoding. */ - krb5_ui_4 seq_send; - krb5_ui_4 seq_recv; + gssint_uint64 seq_send; + gssint_uint64 seq_recv; void *seqstate; - int established; - int big_endian; krb5_auth_context auth_context; gss_OID_desc *mech_used; - int nctypes; - krb5_cksumtype *ctypes; + /* Protocol spec revision + 0 => RFC 1964 with 3DES and RC4 enhancements + 1 => draft-ietf-krb-wg-gssapi-cfx-01 + No others defined so far. */ + int proto; + krb5_cksumtype cksumtype; /* for "main" subkey */ + krb5_keyblock *acceptor_subkey; /* CFX only */ + krb5_cksumtype acceptor_subkey_cksumtype; +#ifdef CFX_EXERCISE + gss_buffer_desc init_token; +#endif } krb5_gss_ctx_id_rec, *krb5_gss_ctx_id_t; extern void *kg_vdb; @@ -202,8 +220,6 @@ OM_uint32 kg_get_defcred (OM_uint32 *minor_status, gss_cred_id_t *cred); -OM_uint32 kg_release_defcred (OM_uint32 *minor_status); - krb5_error_code kg_checksum_channel_bindings (krb5_context context, gss_channel_bindings_t cb, krb5_checksum *cksum, @@ -290,7 +306,15 @@ krb5_error_code kg_ctx_internalize (krb5_context kcontext, OM_uint32 kg_get_context (OM_uint32 *minor_status, krb5_context *context); - + +OM_uint32 kg_sync_ccache_name (OM_uint32 *minor_status); + +OM_uint32 kg_get_ccache_name (OM_uint32 *minor_status, + const char **out_name); + +OM_uint32 kg_set_ccache_name (OM_uint32 *minor_status, + const char *name); + /** declarations of internal name mechanism functions **/ OM_uint32 krb5_gss_acquire_cred @@ -589,4 +613,10 @@ gss_OID krb5_gss_convert_static_mech_oid (gss_OID oid ); +krb5_error_code gss_krb5int_make_seal_token_v3(krb5_context, + krb5_gss_ctx_id_rec *, + const gss_buffer_desc *, + gss_buffer_t, + int, int); + #endif /* _GSSAPIP_KRB5_H_ */ diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c index db6eabd..be750a7 100644 --- a/src/lib/gssapi/krb5/gssapi_krb5.c +++ b/src/lib/gssapi/krb5/gssapi_krb5.c @@ -125,13 +125,10 @@ const gss_OID_set_desc * const gss_mech_set_krb5_old = oidsets+1; const gss_OID_set_desc * const gss_mech_set_krb5_both = oidsets+2; void *kg_vdb = NULL; +static char *kg_ccache_name = NULL; /** default credential support */ -/* default credentials */ - -static gss_cred_id_t defcred = GSS_C_NO_CREDENTIAL; - /* * init_sec_context() will explicitly re-acquire default credentials, * so handling the expiration/invalidation condition here isn't needed. @@ -141,37 +138,19 @@ kg_get_defcred(minor_status, cred) OM_uint32 *minor_status; gss_cred_id_t *cred; { - if (defcred == GSS_C_NO_CREDENTIAL) { - OM_uint32 major; - - if ((major = krb5_gss_acquire_cred(minor_status, - (gss_name_t) NULL, GSS_C_INDEFINITE, - GSS_C_NULL_OID_SET, GSS_C_INITIATE, - &defcred, NULL, NULL)) && - GSS_ERROR(major)) { - defcred = GSS_C_NO_CREDENTIAL; - return(major); - } + OM_uint32 major; + + if ((major = krb5_gss_acquire_cred(minor_status, + (gss_name_t) NULL, GSS_C_INDEFINITE, + GSS_C_NULL_OID_SET, GSS_C_INITIATE, + cred, NULL, NULL)) && GSS_ERROR(major)) { + return(major); } - - *cred = defcred; *minor_status = 0; return(GSS_S_COMPLETE); } OM_uint32 -kg_release_defcred(minor_status) - OM_uint32 *minor_status; -{ - if (defcred == GSS_C_NO_CREDENTIAL) { - *minor_status = 0; - return(GSS_S_COMPLETE); - } - - return(krb5_gss_release_cred(minor_status, &defcred)); -} - -OM_uint32 kg_get_context(minor_status, context) OM_uint32 *minor_status; krb5_context *context; @@ -203,3 +182,103 @@ fail: *minor_status = (OM_uint32) code; return GSS_S_FAILURE; } + +OM_uint32 +kg_sync_ccache_name (OM_uint32 *minor_status) +{ + krb5_context context = NULL; + OM_uint32 err = 0; + OM_uint32 minor; + + /* + * Sync up the kg_context ccache name with the GSSAPI ccache name. + * If kg_ccache_name is NULL -- normal unless someone has called + * gss_krb5_ccache_name() -- then the system default ccache will + * be picked up and used by resetting the context default ccache. + * This is needed for platforms which support multiple ccaches. + */ + + if (!err) { + if (GSS_ERROR(kg_get_context (&minor, &context))) { + err = minor; + } + } + + if (!err) { + /* kg_ccache_name == NULL resets the context default ccache */ + err = krb5_cc_set_default_name(context, kg_ccache_name); + } + + *minor_status = err; + return (*minor_status == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE; +} + +OM_uint32 +kg_get_ccache_name (OM_uint32 *minor_status, const char **out_name) +{ + krb5_context context = NULL; + const char *name = NULL; + OM_uint32 err = 0; + OM_uint32 minor; + + if (!err) { + if (GSS_ERROR(kg_get_context (&minor, &context))) { + err = minor; + } + } + + if (!err) { + if (kg_ccache_name != NULL) { + name = kg_ccache_name; + } else { + /* reset the context default ccache (see text above) */ + err = krb5_cc_set_default_name (context, NULL); + if (!err) { + name = krb5_cc_default_name(context); + } + } + } + + if (!err) { + if (out_name) { + *out_name = name; + } + } + + *minor_status = err; + return (*minor_status == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE; +} + +OM_uint32 +kg_set_ccache_name (OM_uint32 *minor_status, const char *name) +{ + char *new_name = NULL; + OM_uint32 err = 0; + + if (!err) { + if (name) { + new_name = malloc(strlen(name) + 1); + if (new_name == NULL) { + err = ENOMEM; + } else { + strcpy(new_name, name); + } + } + } + + if (!err) { + char *swap = NULL; + + swap = kg_ccache_name; + kg_ccache_name = new_name; + new_name = swap; + } + + if (new_name != NULL) { + free (new_name); + } + + *minor_status = err; + return (*minor_status == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE; +} + diff --git a/src/lib/gssapi/krb5/gssapi_krb5.h b/src/lib/gssapi/krb5/gssapi_krb5.h index c142802..3007a0f 100644 --- a/src/lib/gssapi/krb5/gssapi_krb5.h +++ b/src/lib/gssapi/krb5/gssapi_krb5.h @@ -31,7 +31,6 @@ extern "C" { #endif /* __cplusplus */ -#if GSS_RFC_COMPLIANT_OIDS /* Reserved static storage for GSS_oids. See rfc 1964 for more details. */ /* 2.1.1. Kerberos Principal Name Form: */ @@ -71,8 +70,6 @@ GSS_DLLIMP extern const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME; * generic(1) string_uid_name(3)}. The recommended symbolic name for * this type is "GSS_KRB5_NT_STRING_UID_NAME". */ -#endif /* GSS_RFC_COMPLIANT_OIDS */ - extern const gss_OID_desc * const gss_mech_krb5; extern const gss_OID_desc * const gss_mech_krb5_old; extern const gss_OID_set_desc * const gss_mech_set_krb5; diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c index 8877052..544316e 100644 --- a/src/lib/gssapi/krb5/init_sec_context.c +++ b/src/lib/gssapi/krb5/init_sec_context.c @@ -70,6 +70,7 @@ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ +#include "k5-int.h" #include "gssapiP_krb5.h" #ifdef HAVE_MEMORY_H #include <memory.h> @@ -90,13 +91,12 @@ int krb5_gss_dbg_client_expcreds = 0; * ccache. */ static krb5_error_code get_credentials(context, cred, server, now, - endtime, enctypes, out_creds) + endtime, out_creds) krb5_context context; krb5_gss_cred_id_t cred; krb5_principal server; krb5_timestamp now; krb5_timestamp endtime; - const krb5_enctype *enctypes; krb5_creds **out_creds; { krb5_error_code code; @@ -112,10 +112,7 @@ static krb5_error_code get_credentials(context, cred, server, now, in_creds.keyblock.enctype = 0; - code = krb5_set_default_tgs_enctypes (context, enctypes); - if (code) - goto cleanup; - code = krb5_get_credentials(context, 0, cred->ccache, + code = krb5_get_credentials(context, 0, cred->ccache, &in_creds, out_creds); if (code) goto cleanup; @@ -145,6 +142,9 @@ struct gss_checksum_data { krb5_data checksum_data; }; +#ifdef CFX_EXERCISE +#include "../../krb5/krb/auth_con.h" +#endif static krb5_error_code KRB5_CALLCONV make_gss_checksum (krb5_context context, krb5_auth_context auth_context, void *cksum_data, krb5_data **out) @@ -154,6 +154,8 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context, unsigned char *ptr; struct gss_checksum_data *data = cksum_data; krb5_data credmsg; + int junk; + data->checksum_data.data = 0; credmsg.data = 0; /* build the checksum field */ @@ -191,6 +193,21 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context, } else { data->checksum_data.length = 24; } +#ifdef CFX_EXERCISE + if (data->ctx->auth_context->keyblock != NULL + && data->ctx->auth_context->keyblock->enctype == 18) { + srand(time(0) ^ getpid()); + /* Our ftp client code stupidly assumes a base64-encoded + version of the token will fit in 10K, so don't make this + too big. */ + junk = rand() & 0xff; + } else + junk = 0; +#else + junk = 0; +#endif + + data->checksum_data.length += junk; /* now allocate a buffer to hold the checksum data and (maybe) KRB_CRED msg */ @@ -219,6 +236,8 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context, /* free credmsg data */ krb5_free_data_contents(context, &credmsg); } + if (junk) + memset(ptr, 'i', junk); *out = &data->checksum_data; return 0; } @@ -316,12 +335,529 @@ make_ap_req_v1(context, ctx, cred, k_cred, chan_bindings, mech_type, token) code = 0; cleanup: + if (checksum_data && checksum_data->data) + krb5_free_data_contents(context, checksum_data); if (ap_req.data) krb5_free_data_contents(context, &ap_req); return (code); } +/* + * setup_enc + * + * Fill in the encryption descriptors. Called after AP-REQ is made. + */ +static OM_uint32 +setup_enc( + OM_uint32 *minor_status, + krb5_gss_ctx_id_rec *ctx, + krb5_context context) +{ + krb5_error_code code; + int i; + krb5int_access kaccess; + + code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION); + if (code) + goto fail; + + ctx->have_acceptor_subkey = 0; + ctx->proto = 0; + ctx->cksumtype = 0; + switch(ctx->subkey->enctype) { + case ENCTYPE_DES_CBC_MD5: + case ENCTYPE_DES_CBC_MD4: + case ENCTYPE_DES_CBC_CRC: + ctx->subkey->enctype = ENCTYPE_DES_CBC_RAW; + ctx->signalg = SGN_ALG_DES_MAC_MD5; + ctx->cksum_size = 8; + ctx->sealalg = SEAL_ALG_DES; + + /* The encryption key is the session key XOR + 0xf0f0f0f0f0f0f0f0. */ + if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc))) + goto fail; + + for (i=0; i<ctx->enc->length; i++) + ctx->enc->contents[i] ^= 0xf0; + + goto copy_subkey_to_seq; + + case ENCTYPE_DES3_CBC_SHA1: + /* MIT extension */ + ctx->subkey->enctype = ENCTYPE_DES3_CBC_RAW; + ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD; + ctx->cksum_size = 20; + ctx->sealalg = SEAL_ALG_DES3KD; + + copy_subkey: + code = krb5_copy_keyblock (context, ctx->subkey, &ctx->enc); + if (code) + goto fail; + copy_subkey_to_seq: + code = krb5_copy_keyblock (context, ctx->subkey, &ctx->seq); + if (code) { + krb5_free_keyblock (context, ctx->enc); + goto fail; + } + break; + + case ENCTYPE_ARCFOUR_HMAC: + /* Microsoft extension */ + ctx->signalg = SGN_ALG_HMAC_MD5 ; + ctx->cksum_size = 8; + ctx->sealalg = SEAL_ALG_MICROSOFT_RC4 ; + + goto copy_subkey; + + default: + /* Fill some fields we shouldn't be using on this path + with garbage. */ + ctx->signalg = -10; + ctx->sealalg = -10; + + ctx->proto = 1; + code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, ctx->subkey->enctype, + &ctx->cksumtype); + if (code) + goto fail; + code = krb5_c_checksum_length(context, ctx->cksumtype, + &ctx->cksum_size); + if (code) + goto fail; + goto copy_subkey; + } +fail: + *minor_status = code; + return GSS_S_FAILURE; +} + +/* + * new_connection + * + * Do the grunt work of setting up a new context. + */ +static OM_uint32 +new_connection( + OM_uint32 *minor_status, + krb5_gss_cred_id_t cred, + gss_ctx_id_t *context_handle, + gss_name_t target_name, + gss_OID mech_type, + OM_uint32 req_flags, + OM_uint32 time_req, + gss_channel_bindings_t input_chan_bindings, + gss_buffer_t input_token, + gss_OID *actual_mech_type, + gss_buffer_t output_token, + OM_uint32 *ret_flags, + OM_uint32 *time_rec, + krb5_context context, + int default_mech) +{ + OM_uint32 major_status; + krb5_error_code code; + krb5_creds *k_cred; + krb5_gss_ctx_id_rec *ctx, *ctx_free; + krb5_timestamp now; + gss_buffer_desc token; + + major_status = GSS_S_FAILURE; + token.length = 0; + token.value = NULL; + + /* make sure the cred is usable for init */ + + if ((cred->usage != GSS_C_INITIATE) && + (cred->usage != GSS_C_BOTH)) { + *minor_status = 0; + return(GSS_S_NO_CRED); + } + + /* complain if the input token is non-null */ + + if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) { +#if 0 /* def CFX_EXERCISE */ + if (*context_handle != GSS_C_NO_CONTEXT + && ((krb5_gss_ctx_id_t)*context_handle)->testing_unknown_tokid) { + /* XXX Should check for a KRB_ERROR message that we can + parse, and which contains the expected error code. */ + ctx = (krb5_gss_ctx_id_t)*context_handle; + goto resume_after_testing; + } +#endif + *minor_status = 0; + return(GSS_S_DEFECTIVE_TOKEN); + } + + /* create the ctx */ + + if ((ctx = (krb5_gss_ctx_id_rec *) xmalloc(sizeof(krb5_gss_ctx_id_rec))) + == NULL) { + *minor_status = ENOMEM; + return(GSS_S_FAILURE); + } + + /* fill in the ctx */ + memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec)); + ctx_free = ctx; + if ((code = krb5_auth_con_init(context, &ctx->auth_context))) + goto fail; + krb5_auth_con_setflags(context, ctx->auth_context, + KRB5_AUTH_CONTEXT_DO_SEQUENCE); + ctx->initiate = 1; + ctx->gss_flags = (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG | + GSS_C_TRANS_FLAG | + ((req_flags) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | + GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG))); + ctx->seed_init = 0; + ctx->big_endian = 0; /* all initiators do little-endian, as per spec */ + ctx->seqstate = 0; + + if ((code = krb5_timeofday(context, &now))) + goto fail; + + if (time_req == 0 || time_req == GSS_C_INDEFINITE) { + ctx->endtime = 0; + } else { + ctx->endtime = now + time_req; + } + + if ((code = krb5_copy_principal(context, cred->princ, &ctx->here))) + goto fail; + + if ((code = krb5_copy_principal(context, (krb5_principal) target_name, + &ctx->there))) + goto fail; + + code = get_credentials(context, cred, ctx->there, now, + ctx->endtime, &k_cred); + if (code) + goto fail; + + if (default_mech) { + mech_type = (gss_OID) gss_mech_krb5; + } + + if (generic_gss_copy_oid(minor_status, mech_type, &ctx->mech_used) + != GSS_S_COMPLETE) { + code = *minor_status; + goto fail; + } + /* + * Now try to make it static if at all possible.... + */ + ctx->mech_used = krb5_gss_convert_static_mech_oid(ctx->mech_used); + + { + /* gsskrb5 v1 */ + krb5_ui_4 seq_temp; + if ((code = make_ap_req_v1(context, ctx, + cred, k_cred, input_chan_bindings, + mech_type, &token))) { + if ((code == KRB5_FCC_NOFILE) || (code == KRB5_CC_NOTFOUND) || + (code == KG_EMPTY_CCACHE)) + major_status = GSS_S_NO_CRED; + if (code == KRB5KRB_AP_ERR_TKT_EXPIRED) + major_status = GSS_S_CREDENTIALS_EXPIRED; + goto fail; + } + + krb5_auth_con_getlocalseqnumber(context, ctx->auth_context, &seq_temp); + ctx->seq_send = seq_temp; + krb5_auth_con_getsendsubkey(context, ctx->auth_context, + &ctx->subkey); + } + + major_status = setup_enc(minor_status, ctx, context); + + if (k_cred) { + krb5_free_creds(context, k_cred); + k_cred = 0; + } + + /* at this point, the context is constructed and valid, + hence, releaseable */ + + /* intern the context handle */ + + if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) { + code = G_VALIDATE_FAILED; + goto fail; + } + *context_handle = (gss_ctx_id_t) ctx; + ctx_free = 0; + +#if 0 /* Sigh. We're changing the spec again. */ +#ifdef CFX_EXERCISE + if (ctx->proto == 1 + /* I think the RPC code may be broken. Don't mess around + if we're authenticating to "kadmin/whatever". */ + && ctx->there->data[0].data[0] != 'k' + /* I *know* the FTP server code is broken. */ + && ctx->there->data[0].data[0] != 'f' + ) { + /* Create a bogus token and return it, with status + GSS_S_CONTINUE_NEEDED. Save enough data that we can resume + on the next call. */ + static const unsigned char hack_token[20] = { + 0x60, 0x12, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x12, 0x01, 0x02, 0x02, 0x12, 0x34, 0x68, + 0x65, 0x6c, 0x6c, 0x6f + }; + ctx->testing_unknown_tokid = 1; + ctx->init_token = token; + token.value = malloc(20); + token.length = 20; + if (token.value == NULL) { + /* Skip testing. We'll probably die soon enough, but let's + not do it because we couldn't exercise this code + path. */ + goto resume_after_testing; + } + memcpy(token.value, hack_token, sizeof(hack_token)); + /* Can just fall through into the normal return path, because + it'll always return GSS_S_CONTINUE_NEEDED because we're + doing mutual authentication. */ + } + if (0) { + resume_after_testing: + token = ctx->init_token; + ctx->init_token.value = 0; + ctx->init_token.length = 0; + ctx->testing_unknown_tokid = 0; + ctx_free = 0; + } +#endif /* CFX_EXERCISE */ +#endif /* 0 */ + + /* compute time_rec */ + if (time_rec) { + if ((code = krb5_timeofday(context, &now))) + goto fail; + *time_rec = ctx->endtime - now; + } + + /* set the other returns */ + *output_token = token; + + if (ret_flags) + *ret_flags = ctx->gss_flags; + + if (actual_mech_type) + *actual_mech_type = mech_type; + + /* return successfully */ + + *minor_status = 0; + if (ctx->gss_flags & GSS_C_MUTUAL_FLAG) { + ctx->established = 0; + return(GSS_S_CONTINUE_NEEDED); + } else { + ctx->seq_recv = ctx->seq_send; + g_order_init(&(ctx->seqstate), ctx->seq_recv, + (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, + (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0, ctx->proto); + ctx->gss_flags |= GSS_C_PROT_READY_FLAG; + ctx->established = 1; + return(GSS_S_COMPLETE); + } + +fail: + if (ctx_free) { + if (ctx_free->auth_context) + krb5_auth_con_free(context, ctx_free->auth_context); + if (ctx_free->here) + krb5_free_principal(context, ctx_free->here); + if (ctx_free->there) + krb5_free_principal(context, ctx_free->there); + if (ctx_free->subkey) + krb5_free_keyblock(context, ctx_free->subkey); + xfree(ctx_free); + } else + (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL); + + *minor_status = code; + return (major_status); +} + +/* + * mutual_auth + * + * Handle the reply from the acceptor, if we're doing mutual auth. + */ +static OM_uint32 +mutual_auth( + OM_uint32 *minor_status, + krb5_gss_cred_id_t cred, + gss_ctx_id_t *context_handle, + gss_name_t target_name, + gss_OID mech_type, + OM_uint32 req_flags, + OM_uint32 time_req, + gss_channel_bindings_t input_chan_bindings, + gss_buffer_t input_token, + gss_OID *actual_mech_type, + gss_buffer_t output_token, + OM_uint32 *ret_flags, + OM_uint32 *time_rec, + krb5_context context) +{ + OM_uint32 major_status; + unsigned char *ptr; + char *sptr; + krb5_data ap_rep; + krb5_ap_rep_enc_part *ap_rep_data; + krb5_timestamp now; + krb5_gss_ctx_id_rec *ctx; + krb5_error *krb_error; + krb5_error_code code; + krb5int_access kaccess; + + code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION); + if (code) + goto fail; + + major_status = GSS_S_FAILURE; + + /* validate the context handle */ + /*SUPPRESS 29*/ + if (! kg_validate_ctx_id(*context_handle)) { + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + return(GSS_S_NO_CONTEXT); + } + + ctx = (gss_ctx_id_t) *context_handle; + + /* make sure the context is non-established, and that certain + arguments are unchanged */ + + if ((ctx->established) || + ((ctx->gss_flags & GSS_C_MUTUAL_FLAG) == 0)) { + code = KG_CONTEXT_ESTABLISHED; + goto fail; + } + + if (! krb5_principal_compare(context, ctx->there, + (krb5_principal) target_name)) { + (void)krb5_gss_delete_sec_context(minor_status, + context_handle, NULL); + code = 0; + major_status = GSS_S_BAD_NAME; + goto fail; + } + + /* verify the token and leave the AP_REP message in ap_rep */ + + if (input_token == GSS_C_NO_BUFFER) { + (void)krb5_gss_delete_sec_context(minor_status, + context_handle, NULL); + code = 0; + major_status = GSS_S_DEFECTIVE_TOKEN; + goto fail; + } + + ptr = (unsigned char *) input_token->value; + + if (g_verify_token_header((gss_OID) ctx->mech_used, + &(ap_rep.length), + &ptr, KG_TOK_CTX_AP_REP, + input_token->length, 1)) { + if (g_verify_token_header((gss_OID) ctx->mech_used, + &(ap_rep.length), + &ptr, KG_TOK_CTX_ERROR, + input_token->length, 1) == 0) { + + /* Handle a KRB_ERROR message from the server */ + + sptr = (char *) ptr; /* PC compiler bug */ + TREAD_STR(sptr, ap_rep.data, ap_rep.length); + + code = krb5_rd_error(context, &ap_rep, &krb_error); + if (code) + goto fail; + if (krb_error->error) + code = krb_error->error + ERROR_TABLE_BASE_krb5; + else + code = 0; + krb5_free_error(context, krb_error); + goto fail; + } else { + *minor_status = 0; + return(GSS_S_DEFECTIVE_TOKEN); + } + } + + sptr = (char *) ptr; /* PC compiler bug */ + TREAD_STR(sptr, ap_rep.data, ap_rep.length); + + /* decode the ap_rep */ + if ((code = krb5_rd_rep(context, ctx->auth_context, &ap_rep, + &ap_rep_data))) { + /* + * XXX A hack for backwards compatiblity. + * To be removed in 1999 -- proven + */ + krb5_auth_con_setuseruserkey(context, ctx->auth_context, + ctx->subkey); + if ((krb5_rd_rep(context, ctx->auth_context, &ap_rep, + &ap_rep_data))) + goto fail; + } + + /* store away the sequence number */ + ctx->seq_recv = ap_rep_data->seq_number; + g_order_init(&(ctx->seqstate), ctx->seq_recv, + (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, + (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) !=0, ctx->proto); + + if (ctx->proto == 1 && ap_rep_data->subkey) { + /* Keep acceptor's subkey. */ + ctx->have_acceptor_subkey = 1; + code = krb5_copy_keyblock(context, ap_rep_data->subkey, + &ctx->acceptor_subkey); + if (code) + goto fail; + code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, + ctx->acceptor_subkey->enctype, + &ctx->acceptor_subkey_cksumtype); + if (code) + goto fail; + } + + /* free the ap_rep_data */ + krb5_free_ap_rep_enc_part(context, ap_rep_data); + + /* set established */ + ctx->established = 1; + + /* set returns */ + + if (time_rec) { + if ((code = krb5_timeofday(context, &now))) + goto fail; + *time_rec = ctx->endtime - now; + } + + if (ret_flags) + *ret_flags = ctx->gss_flags; + + if (actual_mech_type) + *actual_mech_type = mech_type; + + /* success */ + + *minor_status = 0; + return GSS_S_COMPLETE; + +fail: + (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL); + + *minor_status = code; + return (major_status); +} + OM_uint32 krb5_gss_init_sec_context(minor_status, claimant_cred_handle, context_handle, target_name, mech_type, @@ -344,25 +880,10 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle, { krb5_context context; krb5_gss_cred_id_t cred; - krb5_creds *k_cred = 0; - static const krb5_enctype wanted_enctypes[] = { -#if 1 - ENCTYPE_DES3_CBC_SHA1, -#endif - ENCTYPE_ARCFOUR_HMAC, - ENCTYPE_DES_CBC_CRC, - ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_MD4, - }; -#define N_WANTED_ENCTYPES (sizeof(wanted_enctypes)/sizeof(wanted_enctypes[0])) - krb5_enctype requested_enctypes[N_WANTED_ENCTYPES + 1]; - krb5_enctype *default_enctypes = 0; - krb5_error_code code; - krb5_gss_ctx_id_rec *ctx, *ctx_free; - krb5_timestamp now; - gss_buffer_desc token; - int i, j, k, err; + int err; int default_mech = 0; OM_uint32 major_status; + OM_uint32 tmp_min_stat; if (GSS_ERROR(kg_get_context(minor_status, &context))) return(GSS_S_FAILURE); @@ -374,35 +895,28 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle, output_token->value = NULL; if (actual_mech_type) *actual_mech_type = NULL; - token.value = 0; - ctx_free = 0; + + /* verify that the target_name is valid and usable */ + + if (! kg_validate_name(target_name)) { + *minor_status = (OM_uint32) G_VALIDATE_FAILED; + return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); + } /* verify the credential, or use the default */ /*SUPPRESS 29*/ if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) { - OM_uint32 major; - - /* - * Release default cred prior to re-acquiring it, to notice when - * the ccache has changed. - */ - major = kg_release_defcred(minor_status); - if (GSS_ERROR(major)) - return major; - if ((major = kg_get_defcred(minor_status, &claimant_cred_handle)) && - GSS_ERROR(major)) { - return(major); + major_status = kg_get_defcred(minor_status, &cred); + if (major_status && GSS_ERROR(major_status)) { + return(major_status); } } else { - OM_uint32 major; - - major = krb5_gss_validate_cred(minor_status, claimant_cred_handle); - if (GSS_ERROR(major)) - return(major); + major_status = krb5_gss_validate_cred(minor_status, claimant_cred_handle); + if (GSS_ERROR(major_status)) + return(major_status); + cred = (krb5_gss_cred_id_t) claimant_cred_handle; } - cred = (krb5_gss_cred_id_t) claimant_cred_handle; - /* verify the mech_type */ err = 0; @@ -426,414 +940,37 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle, } if (err) { + if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) + krb5_gss_release_cred(minor_status, (gss_cred_id_t)cred); *minor_status = 0; return(GSS_S_BAD_MECH); } - /* verify that the target_name is valid and usable */ - - if (! kg_validate_name(target_name)) { - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME); - } - /* is this a new connection or not? */ /*SUPPRESS 29*/ - if (*context_handle == GSS_C_NO_CONTEXT) { - /* make sure the cred is usable for init */ - - if ((cred->usage != GSS_C_INITIATE) && - (cred->usage != GSS_C_BOTH)) { - *minor_status = 0; - return(GSS_S_NO_CRED); - } - - /* complain if the input token is non-null */ - - if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) { - *minor_status = 0; - return(GSS_S_DEFECTIVE_TOKEN); - } - - /* create the ctx */ - - if ((ctx = (krb5_gss_ctx_id_rec *) xmalloc(sizeof(krb5_gss_ctx_id_rec))) - == NULL) { - *minor_status = ENOMEM; - return(GSS_S_FAILURE); - } - - /* fill in the ctx */ - memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec)); - ctx_free = ctx; - if ((code = krb5_auth_con_init(context, &ctx->auth_context))) - goto fail; - krb5_auth_con_setflags(context, ctx->auth_context, - KRB5_AUTH_CONTEXT_DO_SEQUENCE); - ctx->initiate = 1; - ctx->gss_flags = KG_IMPLFLAGS(req_flags); - ctx->seed_init = 0; - ctx->big_endian = 0; /* all initiators do little-endian, as per spec */ - ctx->seqstate = 0; - ctx->nctypes = 0; - ctx->ctypes = 0; - - if ((code = krb5_timeofday(context, &now))) - goto fail; - - if (time_req == 0 || time_req == GSS_C_INDEFINITE) { - ctx->endtime = 0; - } else { - ctx->endtime = now + time_req; - } - - if ((code = krb5_copy_principal(context, cred->princ, &ctx->here))) - goto fail; - - if ((code = krb5_copy_principal(context, (krb5_principal) target_name, - &ctx->there))) - goto fail; - - code = krb5_get_tgs_ktypes (context, 0, &default_enctypes); - if (code) - goto fail; - /* "i" denotes *next* slot to fill. Don't forget to save room - for a trailing zero. */ - i = 0; - for (j = 0; - (default_enctypes[j] != 0 - /* This part should be redundant, but let's be paranoid. */ - && i < N_WANTED_ENCTYPES); - j++) { - - int is_duplicate_enctype; - int is_wanted_enctype; - - krb5_enctype e = default_enctypes[j]; - - /* Is this enctype one of the ones we want for GSSAPI? */ - is_wanted_enctype = 0; - for (k = 0; k < N_WANTED_ENCTYPES; k++) { - if (wanted_enctypes[k] == e) { - is_wanted_enctype = 1; - break; - } - } - /* If unwanted, go to the next one. */ - if (!is_wanted_enctype) - continue; - - /* Is this enctype already in the list of enctypes to - request? (Is it a duplicate?) */ - is_duplicate_enctype = 0; - for (k = 0; k < i; k++) { - if (requested_enctypes[k] == e) { - is_duplicate_enctype = 1; - break; - } - } - /* If it is not a duplicate, add it. */ - if (!is_duplicate_enctype) - requested_enctypes[i++] = e; - } - requested_enctypes[i++] = 0; - - if ((code = get_credentials(context, cred, ctx->there, now, - ctx->endtime, requested_enctypes, &k_cred))) - goto fail; - - if (default_mech) { - mech_type = (gss_OID) gss_mech_krb5; - } - - if (generic_gss_copy_oid(minor_status, mech_type, &ctx->mech_used) - != GSS_S_COMPLETE) { - code = *minor_status; - goto fail; - } - /* - * Now try to make it static if at all possible.... - */ - ctx->mech_used = krb5_gss_convert_static_mech_oid(ctx->mech_used); - - { - /* gsskrb5 v1 */ - if ((code = make_ap_req_v1(context, ctx, - cred, k_cred, input_chan_bindings, - mech_type, &token))) { - if ((code == KRB5_FCC_NOFILE) || (code == KRB5_CC_NOTFOUND) || - (code == KG_EMPTY_CCACHE)) - major_status = GSS_S_NO_CRED; - if (code == KRB5KRB_AP_ERR_TKT_EXPIRED) - major_status = GSS_S_CREDENTIALS_EXPIRED; - goto fail; - } - - krb5_auth_con_getlocalseqnumber(context, ctx->auth_context, - &ctx->seq_send); - krb5_auth_con_getlocalsubkey(context, ctx->auth_context, - &ctx->subkey); - - /* fill in the encryption descriptors */ - - switch(ctx->subkey->enctype) { - case ENCTYPE_DES_CBC_MD5: - case ENCTYPE_DES_CBC_MD4: - case ENCTYPE_DES_CBC_CRC: - ctx->subkey->enctype = ENCTYPE_DES_CBC_RAW; - ctx->signalg = SGN_ALG_DES_MAC_MD5; - ctx->cksum_size = 8; - ctx->sealalg = SEAL_ALG_DES; - - /* The encryption key is the session key XOR - 0xf0f0f0f0f0f0f0f0. */ - if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc))) - goto fail; - - for (i=0; i<ctx->enc->length; i++) - /*SUPPRESS 113*/ - ctx->enc->contents[i] ^= 0xf0; - - if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->seq))) - goto fail; - - break; - - case ENCTYPE_DES3_CBC_SHA1: - ctx->subkey->enctype = ENCTYPE_DES3_CBC_RAW; - ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD; - ctx->cksum_size = 20; - ctx->sealalg = SEAL_ALG_DES3KD; - - code = krb5_copy_keyblock (context, ctx->subkey, &ctx->enc); - if (code) - goto fail; - code = krb5_copy_keyblock (context, ctx->subkey, &ctx->seq); - if (code) { - krb5_free_keyblock (context, ctx->enc); - goto fail; - } - break; - case ENCTYPE_ARCFOUR_HMAC: - ctx->signalg = SGN_ALG_HMAC_MD5 ; - ctx->cksum_size = 8; - ctx->sealalg = SEAL_ALG_MICROSOFT_RC4 ; - - code = krb5_copy_keyblock (context, ctx->subkey, &ctx->enc); - if (code) - goto fail; - code = krb5_copy_keyblock (context, ctx->subkey, &ctx->seq); - if (code) { - krb5_free_keyblock (context, ctx->enc); - goto fail; - } - break; -#if 0 - case ENCTYPE_DES3_CBC_MD5: - enctype = ENCTYPE_DES3_CBC_RAW; - ctx->signalg = 3; - ctx->cksum_size = 16; - ctx->sealalg = 1; - break; + if (*context_handle == GSS_C_NO_CONTEXT +#ifdef CFX_EXERCISE + || ((krb5_gss_ctx_id_t)*context_handle)->testing_unknown_tokid #endif - default: - *minor_status = KRB5_BAD_ENCTYPE; - return GSS_S_FAILURE; - } - - } - - if (k_cred) { - krb5_free_creds(context, k_cred); - k_cred = 0; - } - - /* at this point, the context is constructed and valid, - hence, releaseable */ - - /* intern the context handle */ - - if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) { - code = G_VALIDATE_FAILED; - goto fail; - } - *context_handle = (gss_ctx_id_t) ctx; - ctx_free = 0; - - /* compute time_rec */ - if (time_rec) { - if ((code = krb5_timeofday(context, &now))) - goto fail; - *time_rec = ctx->endtime - now; - } - - /* set the other returns */ - *output_token = token; - - if (ret_flags) - *ret_flags = ctx->gss_flags; - - if (actual_mech_type) - *actual_mech_type = mech_type; - - /* return successfully */ - - *minor_status = 0; - if (ctx->gss_flags & GSS_C_MUTUAL_FLAG) { - ctx->established = 0; - return(GSS_S_CONTINUE_NEEDED); - } else { - ctx->seq_recv = ctx->seq_send; - g_order_init(&(ctx->seqstate), ctx->seq_recv, - (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, - (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0); - ctx->established = 1; - /* fall through to GSS_S_COMPLETE */ - } + ) { + major_status = new_connection(minor_status, cred, context_handle, + target_name, mech_type, req_flags, + time_req, input_chan_bindings, + input_token, actual_mech_type, + output_token, ret_flags, time_rec, + context, default_mech); } else { - unsigned char *ptr; - char *sptr; - krb5_data ap_rep; - krb5_ap_rep_enc_part *ap_rep_data; - krb5_error *krb_error; - - /* validate the context handle */ - /*SUPPRESS 29*/ - if (! kg_validate_ctx_id(*context_handle)) { - *minor_status = (OM_uint32) G_VALIDATE_FAILED; - return(GSS_S_NO_CONTEXT); - } - - ctx = (gss_ctx_id_t) *context_handle; - - /* make sure the context is non-established, and that certain - arguments are unchanged */ - - if ((ctx->established) || - (((gss_cred_id_t) cred) != claimant_cred_handle) || - ((ctx->gss_flags & GSS_C_MUTUAL_FLAG) == 0)) { - code = KG_CONTEXT_ESTABLISHED; - goto fail; - } - - if (! krb5_principal_compare(context, ctx->there, - (krb5_principal) target_name)) { - (void)krb5_gss_delete_sec_context(minor_status, - context_handle, NULL); - code = 0; - major_status = GSS_S_BAD_NAME; - goto fail; - } - - /* verify the token and leave the AP_REP message in ap_rep */ - - if (input_token == GSS_C_NO_BUFFER) { - (void)krb5_gss_delete_sec_context(minor_status, - context_handle, NULL); - code = 0; - major_status = GSS_S_DEFECTIVE_TOKEN; - goto fail; - } - - ptr = (unsigned char *) input_token->value; - - if ((err = g_verify_token_header((gss_OID) ctx->mech_used, - &(ap_rep.length), - &ptr, KG_TOK_CTX_AP_REP, - input_token->length))) { - if (g_verify_token_header((gss_OID) ctx->mech_used, - &(ap_rep.length), - &ptr, KG_TOK_CTX_ERROR, - input_token->length) == 0) { - - /* Handle a KRB_ERROR message from the server */ - - sptr = (char *) ptr; /* PC compiler bug */ - TREAD_STR(sptr, ap_rep.data, ap_rep.length); - - code = krb5_rd_error(context, &ap_rep, &krb_error); - if (code) - goto fail; - if (krb_error->error) - code = krb_error->error + ERROR_TABLE_BASE_krb5; - else - code = 0; - krb5_free_error(context, krb_error); - goto fail; - } else { - *minor_status = 0; - return(GSS_S_DEFECTIVE_TOKEN); - } - } - - sptr = (char *) ptr; /* PC compiler bug */ - TREAD_STR(sptr, ap_rep.data, ap_rep.length); - - /* decode the ap_rep */ - if ((code = krb5_rd_rep(context, ctx->auth_context, &ap_rep, - &ap_rep_data))) { - /* - * XXX A hack for backwards compatiblity. - * To be removed in 1999 -- proven - */ - krb5_auth_con_setuseruserkey(context, ctx->auth_context, - ctx->subkey); - if ((krb5_rd_rep(context, ctx->auth_context, &ap_rep, - &ap_rep_data))) - goto fail; - } - - /* store away the sequence number */ - ctx->seq_recv = ap_rep_data->seq_number; - g_order_init(&(ctx->seqstate), ctx->seq_recv, - (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, - (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) !=0); - - /* free the ap_rep_data */ - krb5_free_ap_rep_enc_part(context, ap_rep_data); - - /* set established */ - ctx->established = 1; - - /* set returns */ - - if (time_rec) { - if ((code = krb5_timeofday(context, &now))) - goto fail; - *time_rec = ctx->endtime - now; - } - - if (ret_flags) - *ret_flags = ctx->gss_flags; - - if (actual_mech_type) - *actual_mech_type = mech_type; - - /* success */ - - *minor_status = 0; - /* fall through to GSS_S_COMPLETE */ + major_status = mutual_auth(minor_status, cred, context_handle, + target_name, mech_type, req_flags, + time_req, input_chan_bindings, + input_token, actual_mech_type, + output_token, ret_flags, time_rec, + context); } - return(GSS_S_COMPLETE); + if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) + krb5_gss_release_cred(&tmp_min_stat, (gss_cred_id_t)cred); -fail: - if (ctx_free) { - if (ctx_free->auth_context) - krb5_auth_con_free(context, ctx_free->auth_context); - if (ctx_free->here) - krb5_free_principal(context, ctx_free->here); - if (ctx_free->there) - krb5_free_principal(context, ctx_free->there); - if (ctx_free->subkey) - krb5_free_keyblock(context, ctx_free->subkey); - if (ctx_free->ctypes) - krb5_free_cksumtypes(context, ctx_free->ctypes); - xfree(ctx_free); - } else - (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL); - - *minor_status = code; - return (major_status); + return(major_status); } diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c index a79034d..8378216 100644 --- a/src/lib/gssapi/krb5/inq_cred.c +++ b/src/lib/gssapi/krb5/inq_cred.c @@ -91,6 +91,8 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret, gss_OID_set mechs; OM_uint32 ret; + ret = GSS_S_FAILURE; + if (GSS_ERROR(kg_get_context(minor_status, &context))) return(GSS_S_FAILURE); @@ -102,7 +104,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret, if (cred_handle == GSS_C_NO_CREDENTIAL) { OM_uint32 major; - if ((major = kg_get_defcred(minor_status, &cred_handle)) && + if ((major = kg_get_defcred(minor_status, (gss_cred_id_t)&cred)) && GSS_ERROR(major)) { return(major); } @@ -112,13 +114,13 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret, major = krb5_gss_validate_cred(minor_status, cred_handle); if (GSS_ERROR(major)) return(major); + cred = (krb5_gss_cred_id_t) cred_handle; } - cred = (krb5_gss_cred_id_t) cred_handle; - if ((code = krb5_timeofday(context, &now))) { *minor_status = code; - return(GSS_S_FAILURE); + ret = GSS_S_FAILURE; + goto fail; } if (cred->tgt_expire > 0) { @@ -132,7 +134,8 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret, if (cred->princ && (code = krb5_copy_principal(context, cred->princ, &ret_name))) { *minor_status = code; - return(GSS_S_FAILURE); + ret = GSS_S_FAILURE; + goto fail; } } @@ -149,7 +152,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret, &mechs)))) { krb5_free_principal(context, ret_name); /* *minor_status set above */ - return(ret); + goto fail; } } @@ -172,8 +175,18 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret, if (mechanisms) *mechanisms = mechs; + if (cred_handle == GSS_C_NO_CREDENTIAL) + krb5_gss_release_cred(minor_status, (gss_cred_id_t)cred); + *minor_status = 0; return((lifetime == 0)?GSS_S_CREDENTIALS_EXPIRED:GSS_S_COMPLETE); +fail: + if (cred_handle == GSS_C_NO_CREDENTIAL) { + OM_uint32 tmp_min_stat; + + krb5_gss_release_cred(&tmp_min_stat, (gss_cred_id_t)cred); + } + return ret; } /* V2 interface */ diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c index 3c8702a..7999a3e 100644 --- a/src/lib/gssapi/krb5/k5seal.c +++ b/src/lib/gssapi/krb5/k5seal.c @@ -54,7 +54,7 @@ static krb5_error_code make_seal_token_v1 (krb5_context context, krb5_keyblock *enc, krb5_keyblock *seq, - krb5_ui_4 *seqnum, + gssint_uint64 *seqnum, int direction, gss_buffer_t text, gss_buffer_t token, @@ -304,6 +304,7 @@ make_seal_token_v1 (krb5_context context, /* that's it. return the token */ (*seqnum)++; + *seqnum &= 0xffffffffL; token->length = tlen; token->value = (void *) t; @@ -334,50 +335,16 @@ kg_seal(context, minor_status, context_handle, conf_req_flag, qop_req, output_message_buffer->length = 0; output_message_buffer->value = NULL; - /* only default qop or matching established cryptosystem is allowed */ - -#if 0 - switch (qop_req & GSS_KRB5_CONF_C_QOP_MASK) { - case GSS_C_QOP_DEFAULT: - break; - default: - unknown_qop: - *minor_status = (OM_uint32) G_UNKNOWN_QOP; - return GSS_S_FAILURE; - case GSS_KRB5_CONF_C_QOP_DES: - if (ctx->sealalg != SEAL_ALG_DES) { - bad_qop: - *minor_status = (OM_uint32) G_BAD_QOP; - return GSS_S_FAILURE; - } - break; - case GSS_KRB5_CONF_C_QOP_DES3: - if (ctx->sealalg != SEAL_ALG_DES3) - goto bad_qop; - break; - } - switch (qop_req & GSS_KRB5_INTEG_C_QOP_MASK) { - case GSS_C_QOP_DEFAULT: - break; - default: - goto unknown_qop; - case GSS_KRB5_INTEG_C_QOP_MD5: - case GSS_KRB5_INTEG_C_QOP_DES_MD5: - case GSS_KRB5_INTEG_C_QOP_DES_MAC: - if (ctx->sealalg != SEAL_ALG_DES) - goto bad_qop; - break; - case GSS_KRB5_INTEG_C_QOP_HMAC_SHA1: - if (ctx->sealalg != SEAL_ALG_DES3KD) - goto bad_qop; - break; - } -#else + /* Only default qop or matching established cryptosystem is allowed. + + There are NO EXTENSIONS to this set for AES and friends! The + new spec says "just use 0". The old spec plus extensions would + actually allow for certain non-zero values. Fix this to handle + them later. */ if (qop_req != 0) { *minor_status = (OM_uint32) G_UNKNOWN_QOP; return GSS_S_FAILURE; } -#endif /* validate the context handle */ if (! kg_validate_ctx_id(context_handle)) { @@ -397,12 +364,26 @@ kg_seal(context, minor_status, context_handle, conf_req_flag, qop_req, return(GSS_S_FAILURE); } - code = make_seal_token_v1(context, ctx->enc, ctx->seq, - &ctx->seq_send, ctx->initiate, - input_message_buffer, output_message_buffer, - ctx->signalg, ctx->cksum_size, ctx->sealalg, - conf_req_flag, toktype, ctx->big_endian, - ctx->mech_used); + switch (ctx->proto) + { + case 0: + code = make_seal_token_v1(context, ctx->enc, ctx->seq, + &ctx->seq_send, ctx->initiate, + input_message_buffer, output_message_buffer, + ctx->signalg, ctx->cksum_size, ctx->sealalg, + conf_req_flag, toktype, ctx->big_endian, + ctx->mech_used); + break; + case 1: + code = gss_krb5int_make_seal_token_v3(context, ctx, + input_message_buffer, + output_message_buffer, + conf_req_flag, toktype); + break; + default: + code = G_UNKNOWN_QOP; /* XXX */ + break; + } if (code) { *minor_status = code; diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c new file mode 100644 index 0000000..710c6f5 --- /dev/null +++ b/src/lib/gssapi/krb5/k5sealv3.c @@ -0,0 +1,502 @@ +/* + * lib/gssapi/krb5/k5sealv3.c + * + * Copyright 2003,2004 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + */ +/* draft-ietf-krb-wg-gssapi-cfx-05 */ + +#include <assert.h> +#include "k5-platform.h" /* for 64-bit support */ +#include "k5-int.h" /* for zap() */ +#include "gssapiP_krb5.h" +#include <stdarg.h> + +static int +rotate_left (void *ptr, size_t bufsiz, size_t rc) +{ + /* Optimize for receiving. After some debugging is done, the MIT + implementation won't do any rotates on sending, and while + debugging, they'll be randomly chosen. + + Return 1 for success, 0 for failure (ENOMEM). */ + void *tbuf; + + if (bufsiz == 0) + return 1; + rc = rc % bufsiz; + if (rc == 0) + return 1; + + tbuf = malloc(rc); + if (tbuf == 0) + return 0; + memcpy(tbuf, ptr, rc); + memmove(ptr, (char *)ptr + rc, bufsiz - rc); + memcpy((char *)ptr + bufsiz - rc, tbuf, rc); + free(tbuf); + return 1; +} + +static const gss_buffer_desc empty_message = { 0, 0 }; + +#define FLAG_SENDER_IS_ACCEPTOR 0x01 +#define FLAG_WRAP_CONFIDENTIAL 0x02 +#define FLAG_ACCEPTOR_SUBKEY 0x04 + +krb5_error_code +gss_krb5int_make_seal_token_v3 (krb5_context context, + krb5_gss_ctx_id_rec *ctx, + const gss_buffer_desc * message, + gss_buffer_t token, + int conf_req_flag, int toktype) +{ + size_t bufsize = 16; + unsigned char *outbuf = 0; + krb5_error_code err; + int key_usage; + unsigned char acceptor_flag; + const gss_buffer_desc *message2 = message; + size_t rrc, ec; + unsigned short tok_id; + krb5_checksum sum; + krb5_keyblock *key; + + assert(toktype != KG_TOK_SEAL_MSG || ctx->enc != 0); + assert(ctx->big_endian == 0); + + acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR; + key_usage = (toktype == KG_TOK_WRAP_MSG + ? (ctx->initiate + ? KG_USAGE_INITIATOR_SEAL + : KG_USAGE_ACCEPTOR_SEAL) + : (ctx->initiate + ? KG_USAGE_INITIATOR_SIGN + : KG_USAGE_ACCEPTOR_SIGN)); + if (ctx->have_acceptor_subkey) { + key = ctx->acceptor_subkey; + } else { + key = ctx->enc; + } + +#ifdef CFX_EXERCISE + { + static int initialized = 0; + if (!initialized) { + srand(time(0)); + initialized = 1; + } + } +#endif + + if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) { + krb5_data plain; + krb5_enc_data cipher; + size_t ec_max; + + /* 300: Adds some slop. */ + if (SIZE_MAX - 300 < message->length) + return ENOMEM; + ec_max = SIZE_MAX - message->length - 300; + if (ec_max > 0xffff) + ec_max = 0xffff; +#ifdef CFX_EXERCISE + /* For testing only. For performance, always set ec = 0. */ + ec = ec_max & rand(); +#else + ec = 0; +#endif + plain.length = message->length + 16 + ec; + plain.data = malloc(message->length + 16 + ec); + if (plain.data == NULL) + return ENOMEM; + + /* Get size of ciphertext. */ + bufsize = 16 + krb5_encrypt_size (plain.length, ctx->enc->enctype); + /* Allocate space for header plus encrypted data. */ + outbuf = malloc(bufsize); + if (outbuf == NULL) { + free(plain.data); + return ENOMEM; + } + + /* TOK_ID */ + store_16_be(0x0504, outbuf); + /* flags */ + outbuf[2] = (acceptor_flag + | (conf_req_flag ? FLAG_WRAP_CONFIDENTIAL : 0) + | (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0)); + /* filler */ + outbuf[3] = 0xff; + /* EC */ + store_16_be(ec, outbuf+4); + /* RRC */ + store_16_be(0, outbuf+6); + store_64_be(ctx->seq_send, outbuf+8); + + memcpy(plain.data, message->value, message->length); + memset(plain.data + message->length, 'x', ec); + memcpy(plain.data + message->length + ec, outbuf, 16); + + cipher.ciphertext.data = outbuf + 16; + cipher.ciphertext.length = bufsize - 16; + cipher.enctype = key->enctype; + err = krb5_c_encrypt(context, key, key_usage, 0, &plain, &cipher); + zap(plain.data, plain.length); + free(plain.data); + plain.data = 0; + if (err) + goto error; + + /* Now that we know we're returning a valid token.... */ + ctx->seq_send++; + +#ifdef CFX_EXERCISE + rrc = rand() & 0xffff; + if (rotate_left(outbuf+16, bufsize-16, + (bufsize-16) - (rrc % (bufsize - 16)))) + store_16_be(rrc, outbuf+6); + /* If the rotate fails, don't worry about it. */ +#endif + } else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) { + krb5_data plain; + + /* Here, message is the application-supplied data; message2 is + what goes into the output token. They may be the same, or + message2 may be empty (for MIC). */ + + tok_id = 0x0504; + + wrap_with_checksum: + plain.length = message->length + 16; + plain.data = malloc(message->length + 16); + if (plain.data == NULL) + return ENOMEM; + + if (ctx->cksum_size > 0xffff) + abort(); + + bufsize = 16 + message2->length + ctx->cksum_size; + outbuf = malloc(bufsize); + if (outbuf == NULL) { + free(plain.data); + plain.data = 0; + err = ENOMEM; + goto error; + } + + /* TOK_ID */ + store_16_be(tok_id, outbuf); + /* flags */ + outbuf[2] = (acceptor_flag + | (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0)); + /* filler */ + outbuf[3] = 0xff; + if (toktype == KG_TOK_WRAP_MSG) { + /* Use 0 for checksum calculation, substitute + checksum length later. */ + /* EC */ + store_16_be(0, outbuf+4); + /* RRC */ + store_16_be(0, outbuf+6); + } else { + /* MIC and DEL store 0xFF in EC and RRC. */ + store_16_be(0xffff, outbuf+4); + store_16_be(0xffff, outbuf+6); + } + store_64_be(ctx->seq_send, outbuf+8); + + memcpy(plain.data, message->value, message->length); + memcpy(plain.data + message->length, outbuf, 16); + + /* Fill in the output token -- data contents, if any, and + space for the checksum. */ + if (message2->length) + memcpy(outbuf + 16, message2->value, message2->length); + + sum.contents = outbuf + 16 + message2->length; + sum.length = ctx->cksum_size; + + err = krb5_c_make_checksum(context, ctx->cksumtype, key, + key_usage, &plain, &sum); + zap(plain.data, plain.length); + free(plain.data); + plain.data = 0; + if (err) { + zap(outbuf,bufsize); + free(outbuf); + goto error; + } + if (sum.length != ctx->cksum_size) + abort(); + memcpy(outbuf + 16 + message2->length, sum.contents, ctx->cksum_size); + krb5_free_checksum_contents(context, &sum); + sum.contents = 0; + /* Now that we know we're actually generating the token... */ + ctx->seq_send++; + + if (toktype == KG_TOK_WRAP_MSG) { +#ifdef CFX_EXERCISE + rrc = rand() & 0xffff; + /* If the rotate fails, don't worry about it. */ + if (rotate_left(outbuf+16, bufsize-16, + (bufsize-16) - (rrc % (bufsize - 16)))) + store_16_be(rrc, outbuf+6); +#endif + /* Fix up EC field. */ + store_16_be(ctx->cksum_size, outbuf+4); + } else { + store_16_be(0xffff, outbuf+6); + } + } else if (toktype == KG_TOK_MIC_MSG) { + tok_id = 0x0404; + message2 = &empty_message; + goto wrap_with_checksum; + } else if (toktype == KG_TOK_DEL_CTX) { + tok_id = 0x0405; + message = message2 = &empty_message; + goto wrap_with_checksum; + } else + abort(); + + token->value = outbuf; + token->length = bufsize; + return 0; + +error: + free(outbuf); + token->value = NULL; + token->length = 0; + return err; +} + +/* message_buffer is an input if SIGN, output if SEAL, and ignored if DEL_CTX + conf_state is only valid if SEAL. */ + +OM_uint32 +gss_krb5int_unseal_token_v3(krb5_context *contextptr, + OM_uint32 *minor_status, + krb5_gss_ctx_id_rec *ctx, + unsigned char *ptr, int bodysize, + gss_buffer_t message_buffer, + int *conf_state, int *qop_state, int toktype) +{ + krb5_context context = *contextptr; + krb5_data plain; + gssint_uint64 seqnum; + size_t ec, rrc; + int key_usage; + unsigned char acceptor_flag; + krb5_checksum sum; + krb5_error_code err; + krb5_boolean valid; + krb5_keyblock *key; + + assert(toktype != KG_TOK_SEAL_MSG || ctx->enc != 0); + assert(ctx->big_endian == 0); + assert(ctx->proto == 1); + + if (qop_state) + *qop_state = GSS_C_QOP_DEFAULT; + + acceptor_flag = ctx->initiate ? FLAG_SENDER_IS_ACCEPTOR : 0; + key_usage = (toktype == KG_TOK_WRAP_MSG + ? (!ctx->initiate + ? KG_USAGE_INITIATOR_SEAL + : KG_USAGE_ACCEPTOR_SEAL) + : (!ctx->initiate + ? KG_USAGE_INITIATOR_SIGN + : KG_USAGE_ACCEPTOR_SIGN)); + + /* Oops. I wrote this code assuming ptr would be at the start of + the token header. */ + ptr -= 2; + bodysize += 2; + + if (bodysize < 16) { + defective: + *minor_status = 0; + return GSS_S_DEFECTIVE_TOKEN; + } + if ((ptr[2] & FLAG_SENDER_IS_ACCEPTOR) != acceptor_flag) { + *minor_status = G_BAD_DIRECTION; + return GSS_S_BAD_SIG; + } + + /* Two things to note here. + + First, we can't really enforce the use of the acceptor's subkey, + if we're the acceptor; the initiator may have sent messages + before getting the subkey. We could probably enforce it if + we're the initiator. + + Second, if someone tweaks the code to not set the flag telling + the krb5 library to generate a new subkey in the AP-REP + message, the MIT library may include a subkey anyways -- + namely, a copy of the AP-REQ subkey, if it was provided. So + the initiator may think we wanted a subkey, and set the flag, + even though we weren't trying to set the subkey. The "other" + key, the one not asserted by the acceptor, will have the same + value in that case, though, so we can just ignore the flag. */ + if (ctx->have_acceptor_subkey && (ptr[2] & FLAG_ACCEPTOR_SUBKEY)) { + key = ctx->acceptor_subkey; + } else { + key = ctx->enc; + } + + if (toktype == KG_TOK_WRAP_MSG) { + if (load_16_be(ptr) != 0x0504) + goto defective; + if (ptr[3] != 0xff) + goto defective; + ec = load_16_be(ptr+4); + rrc = load_16_be(ptr+6); + seqnum = load_64_be(ptr+8); + if (!rotate_left(ptr+16, bodysize-16, rrc)) { + no_mem: + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + if (ptr[2] & FLAG_WRAP_CONFIDENTIAL) { + /* confidentiality */ + krb5_enc_data cipher; + unsigned char *althdr; + + if (conf_state) + *conf_state = 1; + /* Do we have no decrypt_size function? + + For all current cryptosystems, the ciphertext size will + be larger than the plaintext size. */ + cipher.enctype = key->enctype; + cipher.ciphertext.length = bodysize - 16; + cipher.ciphertext.data = ptr + 16; + plain.length = bodysize - 16; + plain.data = malloc(plain.length); + if (plain.data == NULL) + goto no_mem; + err = krb5_c_decrypt(context, key, key_usage, 0, + &cipher, &plain); + if (err) { + free(plain.data); + goto error; + } + /* Don't use bodysize here! Use the fact that + cipher.ciphertext.length has been adjusted to the + correct length. */ + althdr = plain.data + plain.length - 16; + if (load_16_be(althdr) != 0x0504 + || althdr[2] != ptr[2] + || althdr[3] != ptr[3] + || memcmp(althdr+8, ptr+8, 8)) + goto defective; + message_buffer->value = plain.data; + message_buffer->length = plain.length - ec - 16; + } else { + /* no confidentiality */ + if (conf_state) + *conf_state = 0; + if (ec + 16 < ec) + /* overflow check */ + goto defective; + if (ec + 16 > bodysize) + goto defective; + /* We have: header | msg | cksum. + We need cksum(msg | header). + Rotate the first two. */ + store_16_be(0, ptr+4); + store_16_be(0, ptr+6); + plain.length = bodysize-ec; + plain.data = ptr; + if (!rotate_left(ptr, bodysize-ec, 16)) + goto no_mem; + sum.length = ec; + if (sum.length != ctx->cksum_size) { + *minor_status = 0; + return GSS_S_BAD_SIG; + } + sum.contents = ptr+bodysize-ec; + sum.checksum_type = ctx->cksumtype; + err = krb5_c_verify_checksum(context, key, key_usage, + &plain, &sum, &valid); + if (err) + goto error; + if (!valid) { + *minor_status = 0; + return GSS_S_BAD_SIG; + } + message_buffer->length = plain.length - 16; + message_buffer->value = malloc(message_buffer->length); + if (message_buffer->value == NULL) + goto no_mem; + memcpy(message_buffer->value, plain.data, message_buffer->length); + } + err = g_order_check(&ctx->seqstate, seqnum); + *minor_status = 0; + return err; + } else if (toktype == KG_TOK_MIC_MSG) { + /* wrap token, no confidentiality */ + if (load_16_be(ptr) != 0x0404) + goto defective; + verify_mic_1: + if (ptr[3] != 0xff) + goto defective; + if (load_32_be(ptr+4) != 0xffffffffL) + goto defective; + seqnum = load_64_be(ptr+8); + plain.length = message_buffer->length + 16; + plain.data = malloc(plain.length); + if (plain.data == NULL) + goto no_mem; + if (message_buffer->length) + memcpy(plain.data, message_buffer->value, message_buffer->length); + memcpy(plain.data + message_buffer->length, ptr, 16); + sum.length = bodysize - 16; + sum.contents = ptr + 16; + sum.checksum_type = ctx->cksumtype; + err = krb5_c_verify_checksum(context, key, key_usage, + &plain, &sum, &valid); + if (err) { + error: + free(plain.data); + *minor_status = err; + return GSS_S_BAD_SIG; /* XXX */ + } + if (!valid) { + free(plain.data); + *minor_status = 0; + return GSS_S_BAD_SIG; + } + err = g_order_check(&ctx->seqstate, seqnum); + *minor_status = 0; + return err; + } else if (toktype == KG_TOK_DEL_CTX) { + if (load_16_be(ptr) != 0x0405) + goto defective; + message_buffer = &empty_message; + goto verify_mic_1; + } else { + goto defective; + } +} diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c index 347d6b8..6851352 100644 --- a/src/lib/gssapi/krb5/k5unseal.c +++ b/src/lib/gssapi/krb5/k5unseal.c @@ -224,6 +224,8 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, return(GSS_S_FAILURE); } memcpy(token.value, plain+conflen, token.length); + } else { + token.value = NULL; } } else if (toktype == KG_TOK_SIGN_MSG) { token = *message_buffer; @@ -488,6 +490,7 @@ kg_unseal(context, minor_status, context_handle, input_token_buffer, unsigned char *ptr; unsigned int bodysize; int err; + int toktype2; /* validate the context handle */ if (! kg_validate_ctx_id(context_handle)) { @@ -508,14 +511,38 @@ kg_unseal(context, minor_status, context_handle, input_token_buffer, ptr = (unsigned char *) input_token_buffer->value; - if (!(err = g_verify_token_header((gss_OID) ctx->mech_used, - &bodysize, &ptr, toktype, - input_token_buffer->length))) { - return(kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, - message_buffer, conf_state, qop_state, - toktype)); + if (ctx->proto) + switch (toktype) { + case KG_TOK_SIGN_MSG: + toktype2 = 0x0404; + break; + case KG_TOK_SEAL_MSG: + toktype2 = 0x0504; + break; + case KG_TOK_DEL_CTX: + toktype2 = 0x0405; + break; + default: + toktype2 = toktype; + break; + } + else + toktype2 = toktype; + err = g_verify_token_header((gss_OID) ctx->mech_used, + &bodysize, &ptr, toktype2, + input_token_buffer->length, + !ctx->proto); + if (err) { + *minor_status = err; + return GSS_S_DEFECTIVE_TOKEN; } - *minor_status = err; - return(GSS_S_DEFECTIVE_TOKEN); + if (ctx->proto == 0) + return kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, + message_buffer, conf_state, qop_state, + toktype); + else + return gss_krb5int_unseal_token_v3(context, minor_status, ctx, + ptr, bodysize, message_buffer, + conf_state, qop_state, toktype); } diff --git a/src/lib/gssapi/krb5/rel_cred.c b/src/lib/gssapi/krb5/rel_cred.c index 0d81399..43d5ca1 100644 --- a/src/lib/gssapi/krb5/rel_cred.c +++ b/src/lib/gssapi/krb5/rel_cred.c @@ -34,8 +34,10 @@ krb5_gss_release_cred(minor_status, cred_handle) if (GSS_ERROR(kg_get_context(minor_status, &context))) return(GSS_S_FAILURE); - if (*cred_handle == GSS_C_NO_CREDENTIAL) - return(kg_release_defcred(minor_status)); + if (*cred_handle == GSS_C_NO_CREDENTIAL) { + *minor_status = 0; + return(GSS_S_COMPLETE); + } if (! kg_delete_cred_id(*cred_handle)) { *minor_status = (OM_uint32) G_VALIDATE_FAILED; diff --git a/src/lib/gssapi/krb5/ser_sctx.c b/src/lib/gssapi/krb5/ser_sctx.c index 8ab9401..e0d0ee0 100644 --- a/src/lib/gssapi/krb5/ser_sctx.c +++ b/src/lib/gssapi/krb5/ser_sctx.c @@ -51,14 +51,21 @@ kg_oid_externalize(kcontext, arg, buffer, lenremain) size_t *lenremain; { gss_OID oid = (gss_OID) arg; + krb5_error_code err; - (void) krb5_ser_pack_int32(KV5M_GSS_OID, buffer, lenremain); - (void) krb5_ser_pack_int32((krb5_int32) oid->length, - buffer, lenremain); - (void) krb5_ser_pack_bytes((krb5_octet *) oid->elements, - oid->length, buffer, lenremain); - (void) krb5_ser_pack_int32(KV5M_GSS_OID, buffer, lenremain); - return 0; + err = krb5_ser_pack_int32(KV5M_GSS_OID, buffer, lenremain); + if (err) + return err; + err = krb5_ser_pack_int32((krb5_int32) oid->length, + buffer, lenremain); + if (err) + return err; + err = krb5_ser_pack_bytes((krb5_octet *) oid->elements, + oid->length, buffer, lenremain); + if (err) + return err; + err = krb5_ser_pack_int32(KV5M_GSS_OID, buffer, lenremain); + return err; } static krb5_error_code @@ -86,22 +93,35 @@ kg_oid_internalize(kcontext, argp, buffer, lenremain) oid = (gss_OID) malloc(sizeof(gss_OID_desc)); if (oid == NULL) return ENOMEM; - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) { + free(oid); + return EINVAL; + } oid->length = ibuf; oid->elements = malloc(ibuf); if (oid->elements == 0) { free(oid); return ENOMEM; } - (void) krb5_ser_unpack_bytes((krb5_octet *) oid->elements, - oid->length, &bp, &remain); + if (krb5_ser_unpack_bytes((krb5_octet *) oid->elements, + oid->length, &bp, &remain)) { + free(oid->elements); + free(oid); + return EINVAL; + } /* Read in and check our trailing magic number */ - if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) - return (EINVAL); + if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) { + free(oid->elements); + free(oid); + return (EINVAL); + } - if (ibuf != KV5M_GSS_OID) + if (ibuf != KV5M_GSS_OID) { + free(oid->elements); + free(oid); return (EINVAL); + } *buffer = bp; *lenremain = remain; @@ -140,10 +160,13 @@ kg_queue_externalize(kcontext, arg, buffer, lenremain) krb5_octet **buffer; size_t *lenremain; { - (void) krb5_ser_pack_int32(KV5M_GSS_QUEUE, buffer, lenremain); - g_queue_externalize(arg, buffer, lenremain); - (void) krb5_ser_pack_int32(KV5M_GSS_QUEUE, buffer, lenremain); - return 0; + krb5_error_code err; + err = krb5_ser_pack_int32(KV5M_GSS_QUEUE, buffer, lenremain); + if (err == 0) + err = g_queue_externalize(arg, buffer, lenremain); + if (err == 0) + err = krb5_ser_pack_int32(KV5M_GSS_QUEUE, buffer, lenremain); + return err; } static krb5_error_code @@ -156,6 +179,7 @@ kg_queue_internalize(kcontext, argp, buffer, lenremain) krb5_int32 ibuf; krb5_octet *bp; size_t remain; + krb5_error_code err; bp = *buffer; remain = *lenremain; @@ -167,14 +191,20 @@ kg_queue_internalize(kcontext, argp, buffer, lenremain) if (ibuf != KV5M_GSS_QUEUE) return (EINVAL); - g_queue_internalize(argp, &bp, &remain); + err = g_queue_internalize(argp, &bp, &remain); + if (err) + return err; /* Read in and check our trailing magic number */ - if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) - return (EINVAL); + if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) { + g_order_free(argp); + return (EINVAL); + } - if (ibuf != KV5M_GSS_QUEUE) + if (ibuf != KV5M_GSS_QUEUE) { + g_order_free(argp); return (EINVAL); + } *buffer = bp; *lenremain = remain; @@ -218,26 +248,38 @@ kg_ctx_size(kcontext, arg, sizep) * krb5_gss_ctx_id_rec requires: * krb5_int32 for KG_CONTEXT * krb5_int32 for initiate. - * krb5_int32 for mutual. + * krb5_int32 for established. + * krb5_int32 for big_endian. + * krb5_int32 for have_acceptor_subkey. * krb5_int32 for seed_init. + * krb5_int32 for gss_flags. * sizeof(seed) for seed + * ... for here + * ... for there + * ... for subkey * krb5_int32 for signalg. * krb5_int32 for cksum_size. * krb5_int32 for sealalg. + * ... for enc + * ... for seq * krb5_int32 for endtime. * krb5_int32 for flags. - * krb5_int32 for seq_send. - * krb5_int32 for seq_recv. - * krb5_int32 for established. - * krb5_int32 for big_endian. - * krb5_int32 for nctypes. + * krb5_int64 for seq_send. + * krb5_int64 for seq_recv. + * ... for seqstate + * ... for auth_context + * ... for mech_used + * krb5_int32 for proto + * krb5_int32 for cksumtype + * ... for acceptor_subkey + * krb5_int32 for acceptor_key_cksumtype * krb5_int32 for trailer. */ kret = EINVAL; if ((ctx = (krb5_gss_ctx_id_rec *) arg)) { required = 16*sizeof(krb5_int32); + required += 2*sizeof(krb5_int64); required += sizeof(ctx->seed); - required += ctx->nctypes*sizeof(krb5_int32); kret = 0; if (!kret && ctx->here) @@ -283,6 +325,11 @@ kg_ctx_size(kcontext, arg, sizep) KV5M_AUTH_CONTEXT, (krb5_pointer) ctx->auth_context, &required); + if (!kret && ctx->acceptor_subkey) + kret = krb5_size_opaque(kcontext, + KV5M_KEYBLOCK, + (krb5_pointer) ctx->acceptor_subkey, + &required); if (!kret) *sizep += required; } @@ -304,7 +351,11 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain) size_t required; krb5_octet *bp; size_t remain; - int i; + krb5int_access kaccess; + + kret = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION); + if (kret) + return(kret); required = 0; bp = *buffer; @@ -320,10 +371,16 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain) /* Now static data */ (void) krb5_ser_pack_int32((krb5_int32) ctx->initiate, &bp, &remain); - (void) krb5_ser_pack_int32((krb5_int32) ctx->gss_flags, + (void) krb5_ser_pack_int32((krb5_int32) ctx->established, + &bp, &remain); + (void) krb5_ser_pack_int32((krb5_int32) ctx->big_endian, + &bp, &remain); + (void) krb5_ser_pack_int32((krb5_int32) ctx->have_acceptor_subkey, &bp, &remain); (void) krb5_ser_pack_int32((krb5_int32) ctx->seed_init, &bp, &remain); + (void) krb5_ser_pack_int32((krb5_int32) ctx->gss_flags, + &bp, &remain); (void) krb5_ser_pack_bytes((krb5_octet *) ctx->seed, sizeof(ctx->seed), &bp, &remain); @@ -337,15 +394,9 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain) &bp, &remain); (void) krb5_ser_pack_int32((krb5_int32) ctx->krb_flags, &bp, &remain); - (void) krb5_ser_pack_int32((krb5_int32) ctx->seq_send, + (void) (*kaccess.krb5_ser_pack_int64)((krb5_int64) ctx->seq_send, &bp, &remain); - (void) krb5_ser_pack_int32((krb5_int32) ctx->seq_recv, - &bp, &remain); - (void) krb5_ser_pack_int32((krb5_int32) ctx->established, - &bp, &remain); - (void) krb5_ser_pack_int32((krb5_int32) ctx->big_endian, - &bp, &remain); - (void) krb5_ser_pack_int32((krb5_int32) ctx->nctypes, + (void) (*kaccess.krb5_ser_pack_int64)((krb5_int64) ctx->seq_recv, &bp, &remain); /* Now dynamic data */ @@ -395,15 +446,25 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain) (krb5_pointer) ctx->auth_context, &bp, &remain); - for (i=0; i<ctx->nctypes; i++) { - if (!kret) { - kret = krb5_ser_pack_int32((krb5_int32) ctx->ctypes[i], + if (!kret) + kret = krb5_ser_pack_int32((krb5_int32) ctx->proto, + &bp, &remain); + if (!kret) + kret = krb5_ser_pack_int32((krb5_int32) ctx->cksumtype, + &bp, &remain); + if (!kret && ctx->acceptor_subkey) + kret = krb5_externalize_opaque(kcontext, + KV5M_KEYBLOCK, + (krb5_pointer) ctx->acceptor_subkey, &bp, &remain); - } - } - + if (!kret) + kret = krb5_ser_pack_int32((krb5_int32) ctx->acceptor_subkey_cksumtype, + &bp, &remain); + + /* trailer */ + if (!kret) + kret = krb5_ser_pack_int32(KG_CONTEXT, &bp, &remain); if (!kret) { - (void) krb5_ser_pack_int32(KG_CONTEXT, &bp, &remain); *buffer = bp; *lenremain = remain; } @@ -427,7 +488,11 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain) krb5_int32 ibuf; krb5_octet *bp; size_t remain; - int i; + krb5int_access kaccess; + + kret = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION); + if (kret) + return(kret); bp = *buffer; remain = *lenremain; @@ -439,7 +504,9 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain) kret = ENOMEM; /* Get a context */ - if ((remain >= ((10*sizeof(krb5_int32))+sizeof(ctx->seed))) && + if ((remain >= (16*sizeof(krb5_int32) + + 2*sizeof(krb5_int64) + + sizeof(ctx->seed))) && (ctx = (krb5_gss_ctx_id_rec *) xmalloc(sizeof(krb5_gss_ctx_id_rec)))) { memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec)); @@ -448,9 +515,15 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain) (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); ctx->initiate = (int) ibuf; (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - ctx->gss_flags = (int) ibuf; + ctx->established = (int) ibuf; + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ctx->big_endian = (int) ibuf; + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ctx->have_acceptor_subkey = (int) ibuf; (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); ctx->seed_init = (int) ibuf; + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ctx->gss_flags = (int) ibuf; (void) krb5_ser_unpack_bytes((krb5_octet *) ctx->seed, sizeof(ctx->seed), &bp, &remain); @@ -464,14 +537,12 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain) ctx->endtime = (krb5_timestamp) ibuf; (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); ctx->krb_flags = (krb5_flags) ibuf; - (void) krb5_ser_unpack_int32(&ctx->seq_send, &bp, &remain); - (void) krb5_ser_unpack_int32(&ctx->seq_recv, &bp, &remain); - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - ctx->established = (int) ibuf; - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - ctx->big_endian = (int) ibuf; - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - ctx->nctypes = (int) ibuf; + (void) (*kaccess.krb5_ser_unpack_int64)(&ctx->seq_send, &bp, &remain); + kret = (*kaccess.krb5_ser_unpack_int64)(&ctx->seq_recv, &bp, &remain); + if (kret) { + free(ctx); + return kret; + } if ((kret = kg_oid_internalize(kcontext, &ctx->mech_used, &bp, &remain))) { @@ -531,34 +602,36 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain) KV5M_AUTH_CONTEXT, (krb5_pointer *) &ctx->auth_context, &bp, &remain); - - if (!kret) { - if (ctx->nctypes) { - if ((ctx->ctypes = (krb5_cksumtype *) - malloc(ctx->nctypes*sizeof(krb5_cksumtype))) == NULL){ - kret = ENOMEM; - } - - for (i=0; i<ctx->nctypes; i++) { - if (!kret) { - kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); - ctx->ctypes[i] = (krb5_cksumtype) ibuf; - } - } - } + + if (!kret) + kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ctx->proto = ibuf; + if (!kret) + kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ctx->cksumtype = ibuf; + if (!kret && + (kret = krb5_internalize_opaque(kcontext, + KV5M_KEYBLOCK, + (krb5_pointer *) &ctx->acceptor_subkey, + &bp, &remain))) { + if (kret == EINVAL) + kret = 0; } + if (!kret) + kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ctx->acceptor_subkey_cksumtype = ibuf; /* Get trailer */ - if (!kret && - !(kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)) && - (ibuf == KG_CONTEXT)) { + if (!kret) + kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); + if (!kret && ibuf != KG_CONTEXT) + kret = EINVAL; + + if (!kret) { *buffer = bp; *lenremain = remain; *argp = (krb5_pointer) ctx; - } - else { - if (!kret && (ibuf != KG_CONTEXT)) - kret = EINVAL; + } else { if (ctx->seq) krb5_free_keyblock(kcontext, ctx->seq); if (ctx->enc) diff --git a/src/lib/gssapi/krb5/set_ccache.c b/src/lib/gssapi/krb5/set_ccache.c index 9a61220..9a6cdda 100644 --- a/src/lib/gssapi/krb5/set_ccache.c +++ b/src/lib/gssapi/krb5/set_ccache.c @@ -36,36 +36,55 @@ gss_krb5_ccache_name(minor_status, name, out_name) const char *name; const char **out_name; { - krb5_context context; - krb5_error_code retval; - OM_uint32 foo_stat; - static char *oldname = NULL; - const char *tmpname = NULL; + static char *gss_out_name = NULL; + + char *old_name = NULL; + OM_uint32 err = 0; + OM_uint32 minor = 0; - if (GSS_ERROR(kg_get_context(minor_status, &context))) - return (GSS_S_FAILURE); + if (out_name) { + const char *tmp_name = NULL; - if (out_name) { - if (oldname != NULL) - free(oldname); - /* - * Save copy of previous default ccname, since - * cc_set_default_name will free it and we don't want - * to hang on to a pointer to freed memory. - */ - tmpname = krb5_cc_default_name(context); - oldname = malloc(strlen(tmpname) + 1); - if (oldname == NULL) - return GSS_S_FAILURE; - strcpy(oldname, tmpname); - *out_name = oldname; - } - - retval = krb5_cc_set_default_name(context, name); - if (retval) { - *minor_status = retval; - return GSS_S_FAILURE; - } - kg_release_defcred(&foo_stat); - return GSS_S_COMPLETE; + if (!err) { + if (GSS_ERROR(kg_get_ccache_name (&minor, &tmp_name))) { + err = minor; + } + } + + if (!err) { + old_name = malloc(strlen(tmp_name) + 1); + if (old_name == NULL) { + err = ENOMEM; + } else { + strcpy(old_name, tmp_name); + } + } + + if (!err) { + char *swap = NULL; + + swap = gss_out_name; + gss_out_name = old_name; + old_name = swap; + } + } + + if (!err) { + if (GSS_ERROR(kg_set_ccache_name (&minor, name))) { + err = minor; + } + } + + if (!err) { + if (out_name) { + *out_name = gss_out_name; + } + } + + if (old_name != NULL) { + free (old_name); + } + + *minor_status = err; + return (*minor_status == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE; } diff --git a/src/lib/gssapi/krb5/wrap_size_limit.c b/src/lib/gssapi/krb5/wrap_size_limit.c index 43ccc64..b91c7f7 100644 --- a/src/lib/gssapi/krb5/wrap_size_limit.c +++ b/src/lib/gssapi/krb5/wrap_size_limit.c @@ -110,6 +110,40 @@ krb5_gss_wrap_size_limit(minor_status, context_handle, conf_req_flag, return(GSS_S_NO_CONTEXT); } + if (ctx->proto == 1) { + /* No pseudo-ASN.1 wrapper overhead, so no sequence length and + OID. */ + OM_uint32 sz = req_output_size; + /* Token header: 16 octets. */ + if (conf_req_flag) { + while (sz > 0 && krb5_encrypt_size(sz, ctx->enc->enctype) + 16 > req_output_size) + sz--; + /* Allow for encrypted copy of header. */ + if (sz > 16) + sz -= 16; + else + sz = 0; +#ifdef CFX_EXERCISE + /* Allow for EC padding. In the MIT implementation, only + added while testing. */ + if (sz > 65535) + sz -= 65535; + else + sz = 0; +#endif + } else { + /* Allow for token header and checksum. */ + if (sz < 16 + ctx->cksum_size) + sz = 0; + else + sz -= (16 + ctx->cksum_size); + } + + *max_input_size = sz; + *minor_status = 0; + return GSS_S_COMPLETE; + } + /* Calculate the token size and subtract that from the output size */ overhead = 7 + ctx->mech_used->length; data_size = req_output_size; diff --git a/src/lib/gssapi32.def b/src/lib/gssapi32.def index 3a43be2..e951cb9 100644 --- a/src/lib/gssapi32.def +++ b/src/lib/gssapi32.def @@ -72,7 +72,14 @@ EXPORTS ; ; GSS-API variables ; - gss_nt_user_name DATA - gss_nt_machine_uid_name DATA - gss_nt_string_uid_name DATA - gss_nt_service_name DATA + gss_nt_user_name DATA + gss_nt_machine_uid_name DATA + gss_nt_string_uid_name DATA + gss_nt_service_name DATA + GSS_C_NT_USER_NAME DATA + GSS_C_NT_MACHINE_UID_NAME DATA + GSS_C_NT_STRING_UID_NAME DATA + GSS_C_NT_HOSTBASED_SERVICE DATA + GSS_C_NT_HOSTBASED_SERVICE_X DATA + GSS_C_NT_ANONYMOUS DATA + GSS_C_NT_EXPORT_NAME DATA diff --git a/src/lib/kadm5/ChangeLog b/src/lib/kadm5/ChangeLog index d663d7f..9411c2f 100644 --- a/src/lib/kadm5/ChangeLog +++ b/src/lib/kadm5/ChangeLog @@ -1,3 +1,27 @@ +2004-02-12 Tom Yu <tlyu@mit.edu> + + * configure.in: Invoke PRIOCNTL_HACK. + +2003-06-03 Tom Yu <tlyu@mit.edu> + + * alt_prof.c (krb5_read_realm_params): Don't bother reading in + realm_keysalts or realm_num_keysalts, as they're no longer used. + +2003-05-30 Ken Raeburn <raeburn@mit.edu> + + * alt_prof.c (kadm5_get_config_params): Change default max_life to + one day. + +2003-05-13 Ken Raeburn <raeburn@mit.edu> + + * alt_prof.c (kadm5_get_config_params): Remove aes256 from the + default supported enctypes list for now. + +2003-04-18 Ken Raeburn <raeburn@mit.edu> + + * alt_prof.c (kadm5_get_config_params): Add aes256 to the default + supported enctypes list. + 2003-01-10 Ken Raeburn <raeburn@mit.edu> * configure.in: Don't explicitly invoke AC_PROG_ARCHIVE, diff --git a/src/lib/kadm5/Makefile.in b/src/lib/kadm5/Makefile.in index 9546a6b..50bdfb6 100644 --- a/src/lib/kadm5/Makefile.in +++ b/src/lib/kadm5/Makefile.in @@ -122,10 +122,11 @@ ovsec_glue.so ovsec_glue.po $(OUTPRE)ovsec_glue.$(OBJEXT): ovsec_glue.c $(BUILDT $(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \ $(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/krb5.h \ $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \ - $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \ + $(BUILDTOP)/include/kadm5/chpass_util_strings.h misc_free.so misc_free.po $(OUTPRE)misc_free.$(OBJEXT): misc_free.c $(BUILDTOP)/include/kadm5/admin.h \ $(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \ $(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \ @@ -133,11 +134,12 @@ misc_free.so misc_free.po $(OUTPRE)misc_free.$(OBJEXT): misc_free.c $(BUILDTOP)/ $(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \ $(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/krb5.h \ $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \ - $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ - server_internal.h admin_internal.h adb.h $(DB_DEPS) + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \ + $(BUILDTOP)/include/kadm5/chpass_util_strings.h server_internal.h \ + admin_internal.h adb.h $(DB_DEPS) kadm_rpc_xdr.so kadm_rpc_xdr.po $(OUTPRE)kadm_rpc_xdr.$(OBJEXT): kadm_rpc_xdr.c $(BUILDTOP)/include/gssrpc/rpc.h \ $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/gssrpc/xdr.h \ $(BUILDTOP)/include/gssrpc/auth.h $(BUILDTOP)/include/gssrpc/clnt.h \ @@ -145,11 +147,12 @@ kadm_rpc_xdr.so kadm_rpc_xdr.po $(OUTPRE)kadm_rpc_xdr.$(OBJEXT): kadm_rpc_xdr.c $(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/profile.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/kadm_err.h \ - $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ - $(BUILDTOP)/include/kadm5/kadm_rpc.h $(BUILDTOP)/include/kadm5/admin_xdr.h + $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/admin.h \ + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \ + $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_rpc.h \ + $(BUILDTOP)/include/kadm5/admin_xdr.h chpass_util.so chpass_util.po $(OUTPRE)chpass_util.$(OBJEXT): chpass_util.c $(BUILDTOP)/include/kadm5/admin.h \ $(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \ $(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \ @@ -157,28 +160,29 @@ chpass_util.so chpass_util.po $(OUTPRE)chpass_util.$(OBJEXT): chpass_util.c $(BU $(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \ $(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/krb5.h \ $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \ - $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ - admin_internal.h + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \ + $(BUILDTOP)/include/kadm5/chpass_util_strings.h admin_internal.h alt_prof.so alt_prof.po $(OUTPRE)alt_prof.$(OBJEXT): alt_prof.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/admin.h \ - $(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \ - $(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \ - $(BUILDTOP)/include/gssrpc/clnt.h $(BUILDTOP)/include/gssrpc/rpc_msg.h \ - $(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \ - $(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/kadm5/kadm_err.h \ - $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ - $(SRCTOP)/include/krb5/adm_proto.h + $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/gssrpc/rpc.h \ + $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/gssrpc/xdr.h \ + $(BUILDTOP)/include/gssrpc/auth.h $(BUILDTOP)/include/gssrpc/clnt.h \ + $(BUILDTOP)/include/gssrpc/rpc_msg.h $(BUILDTOP)/include/gssrpc/auth_unix.h \ + $(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \ + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \ + $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(SRCTOP)/include/krb5/adm_proto.h str_conv.so str_conv.po $(OUTPRE)str_conv.$(OBJEXT): str_conv.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h admin_internal.h $(BUILDTOP)/include/kadm5/admin.h \ + admin_internal.h $(BUILDTOP)/include/kadm5/admin.h \ $(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \ $(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \ $(BUILDTOP)/include/gssrpc/clnt.h $(BUILDTOP)/include/gssrpc/rpc_msg.h \ @@ -188,8 +192,8 @@ str_conv.so str_conv.po $(OUTPRE)str_conv.$(OBJEXT): str_conv.c $(SRCTOP)/includ $(SRCTOP)/include/krb5/adm_proto.h logger.so logger.po $(OUTPRE)logger.$(OBJEXT): logger.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(SRCTOP)/include/krb5/adm_proto.h \ - $(SRCTOP)/include/syslog.h + $(SRCTOP)/include/krb5/adm_proto.h $(SRCTOP)/include/syslog.h diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c index 758c885..659068b 100644 --- a/src/lib/kadm5/alt_prof.c +++ b/src/lib/kadm5/alt_prof.c @@ -605,7 +605,7 @@ krb5_error_code kadm5_get_config_params(context, kdcprofile, kdcenv, params.max_life = dtvalue; params.mask |= KADM5_CONFIG_MAX_LIFE; } else { - params.max_life = 36000; /* 10 hours */ + params.max_life = 24 * 60 * 60; /* 1 day */ params.mask |= KADM5_CONFIG_MAX_LIFE; } @@ -702,7 +702,7 @@ krb5_error_code kadm5_get_config_params(context, kdcprofile, kdcenv, if (aprofile) krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue); if (svalue == NULL) - svalue = strdup("des3-hmac-sha1:normal des-cbc-crc:normal"); + svalue = strdup("des3-hmac-sha1:normal des-cbc-crc:normal"); params.keysalts = NULL; params.num_keysalts = 0; @@ -936,27 +936,8 @@ krb5_read_realm_params(kcontext, realm, kdcprofile, kdcenv, rparamp) krb5_xfree(svalue); } - /* Get the value for the supported enctype/salttype matrix */ - /* XXX This is so that the kdc will search a different - enctype list than kadmind */ - if (!kret) { - hierarchy[2] = "kdc_supported_enctypes"; - kret = krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue); - if (kret) { - hierarchy[2] = "supported_enctypes"; - kret = krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue); - } - if (!kret) { - krb5_string_to_keysalts(svalue, - ", \t", /* Tuple separators */ - ":.-", /* Key/salt separators */ - 0, /* No duplicates */ - &rparams->realm_keysalts, - &rparams->realm_num_keysalts); - krb5_xfree(svalue); - } - kret = 0; - } + rparams->realm_keysalts = NULL; + rparams->realm_num_keysalts = 0; cleanup: if (aprofile) diff --git a/src/lib/kadm5/clnt/Makefile.in b/src/lib/kadm5/clnt/Makefile.in index daf317a..2f09492 100644 --- a/src/lib/kadm5/clnt/Makefile.in +++ b/src/lib/kadm5/clnt/Makefile.in @@ -84,12 +84,12 @@ clnt_policy.so clnt_policy.po $(OUTPRE)clnt_policy.$(OBJEXT): clnt_policy.c $(BU $(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \ $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/krb5.h \ $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \ - $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ - $(BUILDTOP)/include/kadm5/kadm_rpc.h client_internal.h \ - $(BUILDTOP)/include/kadm5/admin_internal.h + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \ + $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_rpc.h \ + client_internal.h $(BUILDTOP)/include/kadm5/admin_internal.h client_rpc.so client_rpc.po $(OUTPRE)client_rpc.$(OBJEXT): client_rpc.c $(BUILDTOP)/include/gssrpc/rpc.h \ $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/gssrpc/xdr.h \ $(BUILDTOP)/include/gssrpc/auth.h $(BUILDTOP)/include/gssrpc/clnt.h \ @@ -98,10 +98,10 @@ client_rpc.so client_rpc.po $(OUTPRE)client_rpc.$(OBJEXT): client_rpc.c $(BUILDT $(BUILDTOP)/include/kadm5/kadm_rpc.h $(BUILDTOP)/include/krb5.h \ $(COM_ERR_DEPS) $(BUILDTOP)/include/kadm5/admin.h $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/profile.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \ - $(BUILDTOP)/include/kadm5/chpass_util_strings.h + $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/kadm_err.h \ + $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h client_principal.so client_principal.po $(OUTPRE)client_principal.$(OBJEXT): client_principal.c \ $(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \ $(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \ @@ -110,26 +110,27 @@ client_principal.so client_principal.po $(OUTPRE)client_principal.$(OBJEXT): cli $(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/kadm5/admin.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/profile.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \ - $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_rpc.h \ - client_internal.h $(BUILDTOP)/include/kadm5/admin_internal.h + $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/kadm_err.h \ + $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ + $(BUILDTOP)/include/kadm5/kadm_rpc.h client_internal.h \ + $(BUILDTOP)/include/kadm5/admin_internal.h client_init.so client_init.po $(OUTPRE)client_init.$(OBJEXT): client_init.c $(COM_ERR_DEPS) \ $(BUILDTOP)/include/krb5.h $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/profile.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/gssrpc/rpc.h \ - $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/gssrpc/xdr.h \ - $(BUILDTOP)/include/gssrpc/auth.h $(BUILDTOP)/include/gssrpc/clnt.h \ - $(BUILDTOP)/include/gssrpc/rpc_msg.h $(BUILDTOP)/include/gssrpc/auth_unix.h \ - $(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \ - $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \ - $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_rpc.h \ - client_internal.h $(BUILDTOP)/include/kadm5/admin_internal.h \ - $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ - $(BUILDTOP)/include/gssrpc/auth_gssapi.h + $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/admin.h \ + $(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \ + $(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \ + $(BUILDTOP)/include/gssrpc/clnt.h $(BUILDTOP)/include/gssrpc/rpc_msg.h \ + $(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \ + $(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/kadm5/kadm_err.h \ + $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ + $(BUILDTOP)/include/kadm5/kadm_rpc.h client_internal.h \ + $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/gssapi/gssapi.h \ + $(BUILDTOP)/include/gssapi/gssapi_krb5.h $(BUILDTOP)/include/gssrpc/auth_gssapi.h clnt_privs.so clnt_privs.po $(OUTPRE)clnt_privs.$(OBJEXT): clnt_privs.c $(BUILDTOP)/include/gssrpc/rpc.h \ $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/gssrpc/xdr.h \ $(BUILDTOP)/include/gssrpc/auth.h $(BUILDTOP)/include/gssrpc/clnt.h \ @@ -137,12 +138,12 @@ clnt_privs.so clnt_privs.po $(OUTPRE)clnt_privs.$(OBJEXT): clnt_privs.c $(BUILDT $(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \ $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/krb5.h \ $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \ - $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ - $(BUILDTOP)/include/kadm5/kadm_rpc.h client_internal.h \ - $(BUILDTOP)/include/kadm5/admin_internal.h + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \ + $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_rpc.h \ + client_internal.h $(BUILDTOP)/include/kadm5/admin_internal.h clnt_chpass_util.so clnt_chpass_util.po $(OUTPRE)clnt_chpass_util.$(OBJEXT): clnt_chpass_util.c \ $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/gssrpc/rpc.h \ $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/gssrpc/xdr.h \ @@ -151,9 +152,9 @@ clnt_chpass_util.so clnt_chpass_util.po $(OUTPRE)clnt_chpass_util.$(OBJEXT): cln $(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/profile.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \ - $(BUILDTOP)/include/kadm5/chpass_util_strings.h client_internal.h \ - $(BUILDTOP)/include/kadm5/admin_internal.h + $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/kadm_err.h \ + $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ + client_internal.h $(BUILDTOP)/include/kadm5/admin_internal.h diff --git a/src/lib/kadm5/configure.in b/src/lib/kadm5/configure.in index 8a00e26..915c950 100644 --- a/src/lib/kadm5/configure.in +++ b/src/lib/kadm5/configure.in @@ -19,5 +19,6 @@ dnl KRB5_BUILD_LIBOBJS KRB5_BUILD_LIBRARY_WITH_DEPS KRB5_BUILD_PROGRAM +KRB5_AC_PRIOCNTL_HACK dnl V5_AC_OUTPUT_MAKEFILE(. clnt srv unit-test) diff --git a/src/lib/kadm5/srv/ChangeLog b/src/lib/kadm5/srv/ChangeLog index 6d3e3de..eea6987 100644 --- a/src/lib/kadm5/srv/ChangeLog +++ b/src/lib/kadm5/srv/ChangeLog @@ -1,3 +1,19 @@ +2003-09-02 Alexandra Ellwood <lxs@mit.edu> + + * svr_principal.c: Added Apple password server support. + +2003-06-13 Tom Yu <tlyu@mit.edu> + + * server_kdb.c (kdb_init_hist): Force history principal's key to + be of the same enctype as the master key, as searches for it later + on explicitly specify the enctype. + +2003-04-01 Tom Yu <tlyu@mit.edu> + + * Makefile.in: Remove $(SHLIB_DBLIB_DEPS) and related variables. + (SHLIB_EXPDEPS): Remove $(SHLIB_DBLIB_DEPS). + (SHLIB_EXPLIBS): Change $(DB_LIB) to $(KDB5_DB_LIB). + 2003-01-12 Ezra Peisach <epeisach@bu.edu> * svr_iters.c (kadm5_get_either): For POSIX_REGEXPS diff --git a/src/lib/kadm5/srv/Makefile.in b/src/lib/kadm5/srv/Makefile.in index db61a8c..d46216c 100644 --- a/src/lib/kadm5/srv/Makefile.in +++ b/src/lib/kadm5/srv/Makefile.in @@ -13,18 +13,14 @@ LIBMAJOR=5 LIBMINOR=1 STOBJLISTS=../OBJS.ST OBJS.ST -SHLIB_DBLIB_DEPS = $(SHLIB_DBLIB-@DB_VERSION@) -SHLIB_DBLIB-k5 = $(TOPLIBD)/libdb$(SHLIBEXT) -SHLIB_DBLIB-sys = - SHLIB_EXPDEPS=\ $(TOPLIBD)/libgssrpc$(SHLIBEXT) \ $(TOPLIBD)/libgssapi_krb5$(SHLIBEXT) \ - $(TOPLIBD)/libkdb5$(SHLIBEXT) $(SHLIB_DBLIB_DEPS) \ + $(TOPLIBD)/libkdb5$(SHLIBEXT) \ $(TOPLIBD)/libkrb5$(SHLIBEXT) \ $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ $(COM_ERR_DEPLIB) -SHLIB_EXPLIBS = -lgssrpc -lgssapi_krb5 -lkdb5 $(DB_LIB) \ +SHLIB_EXPLIBS = -lgssrpc -lgssapi_krb5 -lkdb5 $(KDB5_DB_LIB) \ -lkrb5 -lk5crypto -lcom_err @GEN_LIB@ SHLIB_DIRS=-L$(TOPLIBD) SHLIB_RDIRS=$(KRB5_LIBDIR) @@ -113,11 +109,12 @@ svr_policy.so svr_policy.po $(OUTPRE)svr_policy.$(OBJEXT): svr_policy.c $(BUILDT $(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \ $(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/krb5.h \ $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \ - $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ - $(BUILDTOP)/include/kadm5/adb.h $(DB_DEPS) $(BUILDTOP)/include/kadm5/server_internal.h \ + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \ + $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/adb.h \ + $(DB_DEPS) $(BUILDTOP)/include/kadm5/server_internal.h \ $(BUILDTOP)/include/kadm5/admin_internal.h svr_principal.so svr_principal.po $(OUTPRE)svr_principal.$(OBJEXT): svr_principal.c $(BUILDTOP)/include/kadm5/admin.h \ $(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \ @@ -126,53 +123,56 @@ svr_principal.so svr_principal.po $(OUTPRE)svr_principal.$(OBJEXT): svr_principa $(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \ $(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/krb5.h \ $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \ - $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ - $(BUILDTOP)/include/kadm5/adb.h $(DB_DEPS) $(BUILDTOP)/include/kadm5/server_internal.h \ + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \ + $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/adb.h \ + $(DB_DEPS) $(BUILDTOP)/include/kadm5/server_internal.h \ $(BUILDTOP)/include/kadm5/admin_internal.h server_acl.so server_acl.po $(OUTPRE)server_acl.$(OBJEXT): server_acl.c $(SRCTOP)/include/syslog.h \ $(BUILDTOP)/include/gssapi/gssapi_generic.h $(BUILDTOP)/include/gssapi/gssapi.h \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/kadm5/admin.h \ - $(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \ - $(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \ - $(BUILDTOP)/include/gssrpc/clnt.h $(BUILDTOP)/include/gssrpc/rpc_msg.h \ - $(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \ - $(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/kadm5/kadm_err.h \ - $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ - $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/adb.h \ - $(DB_DEPS) $(SRCTOP)/include/krb5/adm_proto.h server_acl.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/server_internal.h \ + $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/gssrpc/rpc.h \ + $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/gssrpc/xdr.h \ + $(BUILDTOP)/include/gssrpc/auth.h $(BUILDTOP)/include/gssrpc/clnt.h \ + $(BUILDTOP)/include/gssrpc/rpc_msg.h $(BUILDTOP)/include/gssrpc/auth_unix.h \ + $(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \ + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \ + $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/admin_internal.h \ + $(BUILDTOP)/include/kadm5/adb.h $(DB_DEPS) $(SRCTOP)/include/krb5/adm_proto.h \ + server_acl.h server_kdb.so server_kdb.po $(OUTPRE)server_kdb.$(OBJEXT): server_kdb.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/admin.h \ - $(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \ - $(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \ - $(BUILDTOP)/include/gssrpc/clnt.h $(BUILDTOP)/include/gssrpc/rpc_msg.h \ - $(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \ - $(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/kadm5/kadm_err.h \ - $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ - $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/kadm5/admin_internal.h \ - $(BUILDTOP)/include/kadm5/adb.h $(DB_DEPS) -server_misc.so server_misc.po $(OUTPRE)server_misc.$(OBJEXT): server_misc.c $(SRCTOP)/include/k5-int.h \ - $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/adb.h \ - $(BUILDTOP)/include/gssrpc/types.h $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h \ - $(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/xdr.h \ + $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/gssrpc/rpc.h \ + $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/gssrpc/xdr.h \ $(BUILDTOP)/include/gssrpc/auth.h $(BUILDTOP)/include/gssrpc/clnt.h \ $(BUILDTOP)/include/gssrpc/rpc_msg.h $(BUILDTOP)/include/gssrpc/auth_unix.h \ $(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \ $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \ $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/server_internal.h \ - $(BUILDTOP)/include/kadm5/admin_internal.h + $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/adb.h \ + $(DB_DEPS) +server_misc.so server_misc.po $(OUTPRE)server_misc.$(OBJEXT): server_misc.c $(SRCTOP)/include/k5-int.h \ + $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ + $(BUILDTOP)/include/kadm5/adb.h $(BUILDTOP)/include/gssrpc/types.h \ + $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/gssrpc/rpc.h \ + $(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \ + $(BUILDTOP)/include/gssrpc/clnt.h $(BUILDTOP)/include/gssrpc/rpc_msg.h \ + $(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \ + $(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/kadm5/kadm_err.h \ + $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ + $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/kadm5/admin_internal.h server_init.so server_init.po $(OUTPRE)server_init.$(OBJEXT): server_init.c $(COM_ERR_DEPS) \ $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/gssrpc/rpc.h \ $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/gssrpc/xdr.h \ @@ -181,12 +181,12 @@ server_init.so server_init.po $(OUTPRE)server_init.$(OBJEXT): server_init.c $(CO $(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \ $(BUILDTOP)/include/krb5.h $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/profile.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \ - $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/server_internal.h \ - $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/adb.h \ - $(DB_DEPS) + $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/kadm_err.h \ + $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ + $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/kadm5/admin_internal.h \ + $(BUILDTOP)/include/kadm5/adb.h $(DB_DEPS) server_dict.so server_dict.po $(OUTPRE)server_dict.$(OBJEXT): server_dict.c $(BUILDTOP)/include/kadm5/admin.h \ $(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \ $(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \ @@ -194,13 +194,14 @@ server_dict.so server_dict.po $(OUTPRE)server_dict.$(OBJEXT): server_dict.c $(BU $(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \ $(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/krb5.h \ $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \ - $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ - $(SRCTOP)/include/krb5/adm_proto.h $(SRCTOP)/include/syslog.h \ - $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/kadm5/admin_internal.h \ - $(BUILDTOP)/include/kadm5/adb.h $(DB_DEPS) + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \ + $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(SRCTOP)/include/krb5/adm_proto.h \ + $(SRCTOP)/include/syslog.h $(BUILDTOP)/include/kadm5/server_internal.h \ + $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/adb.h \ + $(DB_DEPS) svr_iters.so svr_iters.po $(OUTPRE)svr_iters.$(OBJEXT): svr_iters.c $(BUILDTOP)/include/kadm5/admin.h \ $(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \ $(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \ @@ -208,11 +209,12 @@ svr_iters.so svr_iters.po $(OUTPRE)svr_iters.$(OBJEXT): svr_iters.c $(BUILDTOP)/ $(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \ $(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/krb5.h \ $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kadm5/kadm_err.h \ - $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ - $(BUILDTOP)/include/kadm5/adb.h $(DB_DEPS) $(BUILDTOP)/include/kadm5/server_internal.h \ + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \ + $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/adb.h \ + $(DB_DEPS) $(BUILDTOP)/include/kadm5/server_internal.h \ $(BUILDTOP)/include/kadm5/admin_internal.h svr_chpass_util.so svr_chpass_util.po $(OUTPRE)svr_chpass_util.$(OBJEXT): svr_chpass_util.c \ $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/gssrpc/rpc.h \ @@ -222,12 +224,12 @@ svr_chpass_util.so svr_chpass_util.po $(OUTPRE)svr_chpass_util.$(OBJEXT): svr_ch $(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/profile.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \ - $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/server_internal.h \ - $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/adb.h \ - $(DB_DEPS) + $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/kadm5/kadm_err.h \ + $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ + $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/kadm5/admin_internal.h \ + $(BUILDTOP)/include/kadm5/adb.h $(DB_DEPS) adb_xdr.so adb_xdr.po $(OUTPRE)adb_xdr.$(OBJEXT): adb_xdr.c $(BUILDTOP)/include/krb5.h \ $(COM_ERR_DEPS) $(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \ $(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \ @@ -235,46 +237,46 @@ adb_xdr.so adb_xdr.po $(OUTPRE)adb_xdr.$(OBJEXT): adb_xdr.c $(BUILDTOP)/include/ $(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \ $(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/kadm5/adb.h \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h \ - $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \ - $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/admin_xdr.h \ - $(BUILDTOP)/include/kadm5/kadm_rpc.h + $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/kadm_err.h \ + $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ + $(BUILDTOP)/include/kadm5/admin_xdr.h $(BUILDTOP)/include/kadm5/kadm_rpc.h adb_policy.so adb_policy.po $(OUTPRE)adb_policy.$(OBJEXT): adb_policy.c $(BUILDTOP)/include/kadm5/adb.h \ $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h \ - $(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/xdr.h \ - $(BUILDTOP)/include/gssrpc/auth.h $(BUILDTOP)/include/gssrpc/clnt.h \ - $(BUILDTOP)/include/gssrpc/rpc_msg.h $(BUILDTOP)/include/gssrpc/auth_unix.h \ - $(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \ - $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \ - $(BUILDTOP)/include/kadm5/chpass_util_strings.h + $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/gssrpc/rpc.h \ + $(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \ + $(BUILDTOP)/include/gssrpc/clnt.h $(BUILDTOP)/include/gssrpc/rpc_msg.h \ + $(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \ + $(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/kadm5/kadm_err.h \ + $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h adb_free.so adb_free.po $(OUTPRE)adb_free.$(OBJEXT): adb_free.c $(BUILDTOP)/include/kadm5/adb.h \ $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h \ - $(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/xdr.h \ - $(BUILDTOP)/include/gssrpc/auth.h $(BUILDTOP)/include/gssrpc/clnt.h \ - $(BUILDTOP)/include/gssrpc/rpc_msg.h $(BUILDTOP)/include/gssrpc/auth_unix.h \ - $(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \ - $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \ - $(BUILDTOP)/include/kadm5/chpass_util_strings.h + $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/gssrpc/rpc.h \ + $(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \ + $(BUILDTOP)/include/gssrpc/clnt.h $(BUILDTOP)/include/gssrpc/rpc_msg.h \ + $(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \ + $(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/kadm5/kadm_err.h \ + $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h adb_openclose.so adb_openclose.po $(OUTPRE)adb_openclose.$(OBJEXT): adb_openclose.c $(BUILDTOP)/include/kadm5/adb.h \ $(BUILDTOP)/include/gssrpc/types.h $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h \ - $(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/xdr.h \ - $(BUILDTOP)/include/gssrpc/auth.h $(BUILDTOP)/include/gssrpc/clnt.h \ - $(BUILDTOP)/include/gssrpc/rpc_msg.h $(BUILDTOP)/include/gssrpc/auth_unix.h \ - $(BUILDTOP)/include/gssrpc/svc_auth.h $(BUILDTOP)/include/gssrpc/svc.h \ - $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \ - $(BUILDTOP)/include/kadm5/chpass_util_strings.h + $(DB_DEPS) $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/gssrpc/rpc.h \ + $(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \ + $(BUILDTOP)/include/gssrpc/clnt.h $(BUILDTOP)/include/gssrpc/rpc_msg.h \ + $(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \ + $(BUILDTOP)/include/gssrpc/svc.h $(BUILDTOP)/include/kadm5/kadm_err.h \ + $(BUILDTOP)/include/kadm5/adb_err.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c index 231fcb3..97d38c7 100644 --- a/src/lib/kadm5/srv/server_kdb.c +++ b/src/lib/kadm5/srv/server_kdb.c @@ -107,6 +107,7 @@ krb5_error_code kdb_init_hist(kadm5_server_handle_t handle, char *r) int ret = 0; char *realm, *hist_name; krb5_key_data *key_data; + krb5_key_salt_tuple ks[1]; if (r == NULL) { if ((ret = krb5_get_default_realm(handle->context, &realm))) @@ -144,11 +145,13 @@ krb5_error_code kdb_init_hist(kadm5_server_handle_t handle, char *r) history principal, anyway. */ hist_kvno = 2; - - ret = kadm5_create_principal(handle, &ent, - (KADM5_PRINCIPAL | KADM5_MAX_LIFE | - KADM5_ATTRIBUTES), - "to-be-random"); + ks[0].ks_enctype = handle->params.enctype; + ks[0].ks_salttype = KRB5_KDB_SALTTYPE_NORMAL; + ret = kadm5_create_principal_3(handle, &ent, + (KADM5_PRINCIPAL | KADM5_MAX_LIFE | + KADM5_ATTRIBUTES), + 1, ks, + "to-be-random"); if (ret) goto done; @@ -156,7 +159,8 @@ krb5_error_code kdb_init_hist(kadm5_server_handle_t handle, char *r) hist_princ = NULL; - ret = kadm5_randkey_principal(handle, ent.principal, NULL, NULL); + ret = kadm5_randkey_principal_3(handle, ent.principal, 0, 1, ks, + NULL, NULL); hist_princ = ent.principal; diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c index c1b8bc5..c567f83 100644 --- a/src/lib/kadm5/srv/svr_principal.c +++ b/src/lib/kadm5/srv/svr_principal.c @@ -19,6 +19,9 @@ static char *rcsid = "$Header$"; #include "server_internal.h" #include <stdarg.h> #include <stdlib.h> +#ifdef USE_PASSWORD_SERVER +#include <sys/wait.h> +#endif extern krb5_principal master_princ; extern krb5_principal hist_princ; @@ -1065,6 +1068,105 @@ static kadm5_ret_t add_to_history(krb5_context context, } #undef KADM_MOD +#ifdef USE_PASSWORD_SERVER + +/* FIXME: don't use global variable for this */ +krb5_boolean use_password_server = 0; + +static krb5_boolean +kadm5_use_password_server (void) +{ + return use_password_server; +} + +void +kadm5_set_use_password_server (void) +{ + use_password_server = 1; +} + +/* + * kadm5_launch_task () runs a program (task_path) to synchronize the + * Apple password server with the Kerberos database. Password server + * programs can receive arguments on the command line (task_argv) + * and a block of data via stdin (data_buffer). + * + * Because a failure to communicate with the tool results in the + * password server falling out of sync with the database, + * kadm5_launch_task() always fails if it can't talk to the tool. + */ + +static kadm5_ret_t +kadm5_launch_task (krb5_context context, + const char *task_path, char * const task_argv[], + const char *data_buffer) +{ + kadm5_ret_t ret = 0; + int data_pipe[2]; + + if (data_buffer != NULL) { + ret = pipe (data_pipe); + if (ret) { ret = errno; } + } + + if (!ret) { + pid_t pid = fork (); + if (pid == -1) { + ret = errno; + } else if (pid == 0) { + /* The child: */ + + if (data_buffer != NULL) { + if (dup2 (data_pipe[0], STDIN_FILENO) == -1) { + _exit (1); + } + } else { + close (data_pipe[0]); + } + + close (data_pipe[1]); + + execv (task_path, task_argv); + + _exit (1); /* Fail if execv fails */ + } else { + /* The parent: */ + int status; + + if (data_buffer != NULL) { + /* Write out the buffer to the child */ + if (krb5_net_write (context, data_pipe[1], + data_buffer, strlen (data_buffer)) < 0) { + /* kill the child to make sure waitpid() won't hang later */ + ret = errno; + kill (pid, SIGKILL); + } + } + + close (data_buffer[0]); + close (data_buffer[1]); + + waitpid (pid, &status, 0); + + if (!ret) { + if (WIFEXITED (status)) { + /* child read password and exited. Check the return value. */ + if ((WEXITSTATUS (status) != 0) && (WEXITSTATUS (status) != 252)) { + ret = KRB5KDC_ERR_POLICY; /* password change rejected */ + } + } else { + /* child read password but crashed or was killed */ + ret = KRB5KRB_ERR_GENERIC; /* FIXME: better error */ + } + } + } + } + + return ret; +} + +#endif + kadm5_ret_t kadm5_chpass_principal(void *server_handle, krb5_principal principal, char *password) @@ -1193,6 +1295,42 @@ kadm5_chpass_principal_3(void *server_handle, kdb.pw_expiration = 0; } +#ifdef USE_PASSWORD_SERVER + if (kadm5_use_password_server () && + (krb5_princ_size (handle->context, principal) == 1)) { + krb5_data *princ = krb5_princ_component (handle->context, principal, 0); + const char *path = "/usr/sbin/mkpassdb"; + char *argv[] = { "mkpassdb", "-setpassword", NULL, NULL }; + char *pstring = NULL; + char pwbuf[256]; + int pwlen = strlen (password); + + if (pwlen > 254) pwlen = 254; + strncpy (pwbuf, password, pwlen); + pwbuf[pwlen] = '\n'; + pwbuf[pwlen + 1] = '\0'; + + if (!ret) { + pstring = malloc ((princ->length + 1) * sizeof (char)); + if (pstring == NULL) { ret = errno; } + } + + if (!ret) { + memcpy (pstring, princ->data, princ->length); + pstring [princ->length] = '\0'; + argv[2] = pstring; + + ret = kadm5_launch_task (handle->context, path, argv, pwbuf); + } + + if (pstring != NULL) + free (pstring); + + if (ret) + goto done; + } +#endif + ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now); if (ret) goto done; diff --git a/src/lib/kadm5/unit-test/ChangeLog b/src/lib/kadm5/unit-test/ChangeLog index f4da36d..85c048d 100644 --- a/src/lib/kadm5/unit-test/ChangeLog +++ b/src/lib/kadm5/unit-test/ChangeLog @@ -1,3 +1,39 @@ +2004-02-13 Tom Yu <tlyu@mit.edu> + + * config/unix.exp (PRIOCNTL_HACK): Use "==" instead of "eq", which + is not present in tcl-8.3. + +2004-02-12 Tom Yu <tlyu@mit.edu> + + * config/unix.exp (PRIOCNTL_HACK): Wrap "spawn" to do priocntl + things to work around Solaris 9 pty-close bug. + + * Makefile.in (unit-test-client-body, unit-test-server-body): Add + PRIOCNTL_HACK. + +2003-10-16 Tom Yu <tlyu@mit.edu> + + * api.1/lock.exp: Work around a race condition in the Solaris 9 + pty implementation: output sent to a pty slave immediately before + last close/exit can get lost on the way to the master. This is + Sun bug #4927647. The workaround consists of changing the tests + to always make lock-test wait to read a character prior to + exiting, so any output prior to the "wait" directive will not get + lost. + +2003-06-02 Ken Raeburn <raeburn@mit.edu> + + * api.2/init-v2.exp (test117): Update lifetime expected for new + defaults. + +2003-05-21 Tom Yu <tlyu@mit.edu> + + * api.0/init.exp (test6, test7): Be slightly more lenient about + matching password prompt. + + * api.2/init.exp (test6, test7): Be slightly more lenient about + matching password prompt. + 2003-01-07 Ken Raeburn <raeburn@mit.edu> * Makefile.ov: Deleted. diff --git a/src/lib/kadm5/unit-test/Makefile.in b/src/lib/kadm5/unit-test/Makefile.in index d38362b..382ac14 100644 --- a/src/lib/kadm5/unit-test/Makefile.in +++ b/src/lib/kadm5/unit-test/Makefile.in @@ -115,14 +115,16 @@ unit-test-client-body: site.exp test-noauth test-destroy test-handle-client $(ENV_SETUP) $(RUNTEST) --tool api RPC=1 API=$(CLNTTCL) \ KINIT=$(BUILDTOP)/clients/kinit/kinit \ KDESTROY=$(BUILDTOP)/clients/kdestroy/kdestroy \ - KADMIN_LOCAL=$(BUILDTOP)/kadmin/cli/kadmin.local $(RUNTESTFLAGS) + KADMIN_LOCAL=$(BUILDTOP)/kadmin/cli/kadmin.local \ + PRIOCNTL_HACK=@PRIOCNTL_HACK@ $(RUNTESTFLAGS) -mv api.log capi.log -mv api.sum capi.sum unit-test-server-body: site.exp test-handle-server lock-test $(ENV_SETUP) $(RUNTEST) --tool api RPC=0 API=$(SRVTCL) \ LOCKTEST=./lock-test \ - KADMIN_LOCAL=$(BUILDTOP)/kadmin/cli/kadmin.local $(RUNTESTFLAGS) + KADMIN_LOCAL=$(BUILDTOP)/kadmin/cli/kadmin.local \ + PRIOCNTL_HACK=@PRIOCNTL_HACK@ $(RUNTESTFLAGS) -mv api.log sapi.log -mv api.sum sapi.sum diff --git a/src/lib/kadm5/unit-test/api.0/init.exp b/src/lib/kadm5/unit-test/api.0/init.exp index f232d23..d39ecce 100644 --- a/src/lib/kadm5/unit-test/api.0/init.exp +++ b/src/lib/kadm5/unit-test/api.0/init.exp @@ -77,7 +77,7 @@ proc test6 {} { send "ovsec_kadm_init admin null \$OVSEC_KADM_ADMIN_SERVICE null \$OVSEC_KADM_STRUCT_VERSION \$OVSEC_KADM_API_VERSION_1 server_handle\n" expect { - {Enter password:} { } + -re "assword\[^\r\n\]*: *" { } eof { fail "$test: eof instead of password prompt" api_exit @@ -103,7 +103,7 @@ proc test7 {} { send "ovsec_kadm_init admin \"\" \$OVSEC_KADM_ADMIN_SERVICE null \$OVSEC_KADM_STRUCT_VERSION \$OVSEC_KADM_API_VERSION_1 server_handle\n" expect { - {Enter password:} { } + -re "assword\[^\r\n\]*: *" { } -re "\n\[^\n\]+key:\[^\n\]*$" { } eof { fail "$test: eof instead of password prompt" diff --git a/src/lib/kadm5/unit-test/api.1/lock.exp b/src/lib/kadm5/unit-test/api.1/lock.exp index e61a28f..6adef59 100644 --- a/src/lib/kadm5/unit-test/api.1/lock.exp +++ b/src/lib/kadm5/unit-test/api.1/lock.exp @@ -137,60 +137,78 @@ proc lock_test_continue {test my_spawn_id test_failed fail_output cont cmds} { return {} } -lock_test 1 [list \ +set lock1 [lock_test_start 1 [list \ [list shared "shared"] \ [list release "released"] \ - [list eof 0]] + [list wait ""] \ + [list eof 0]]] +eval lock_test_continue $lock1 -lock_test 2 [list \ +set lock2 [lock_test_start 2 [list \ [list exclusive exclusive] \ [list release released] \ - [list eof 0]] + [list wait ""] \ + [list eof 0]]] +eval lock_test_continue $lock2 -lock_test 3 [list \ +set lock3 [lock_test_start 5 [list \ [list permanent permanent] \ [list release released] \ - [list eof 0]] + [list wait ""] \ + [list eof 0]]] +eval lock_test_continue $lock3 -lock_test 4 [list \ +set lock4 [lock_test_start 4 [list \ [list release "Database not locked"] \ - [list eof 0]] + [list wait ""] \ + [list eof 0]]] +eval lock_test_continue $lock4 set lock5 [lock_test_start 5 [list \ [list shared shared] \ [list wait ""] \ [list eof 0]]] -lock_test 5.1 [list \ +set lock5_1 [lock_test_start 5.1 [list \ [list shared shared] \ - [list eof 0]] + [list wait ""] \ + [list eof 0]]] +eval lock_test_continue $lock5_1 eval lock_test_continue $lock5 set lock6 [lock_test_start 6 [list \ [list exclusive exclusive] \ [list wait ""] \ [list eof 0]]] -lock_test 6.1 [list \ +set lock6_1 [lock_test_start 6.1 [list \ [list shared "Cannot lock database"] \ - [list eof 0]] + [list wait ""] \ + [list eof 0]]] +eval lock_test_continue $lock6_1 eval lock_test_continue $lock6 set lock7 [lock_test_start 7 [list \ [list shared shared] \ [list wait ""] \ [list eof 0]]] -lock_test 7.1 [list \ +set lock7_1 [lock_test_start 7.1 [list \ [list exclusive "Cannot lock database"] \ - [list eof 0]] + [list wait ""] \ + [list eof 0]]] +eval lock_test_continue $lock7_1 eval lock_test_continue $lock7 set lock8 [lock_test_start 8 [list \ [list permanent permanent] \ [list wait ""] \ [list release "released" ] \ + [list wait ""] \ [list eof 0]]] -lock_test 8.1 [list \ +set lock8_1 [lock_test_start 8.1 [list \ [list "" "administration database lock file missing while opening database" ] \ - [list eof 1]] + [list wait ""] \ + [list eof 1]]] +eval lock_test_continue $lock8_1 +eval set lock8 \[lock_test_continue $lock8\] eval lock_test_continue $lock8 set lock9 [lock_test_start 9 [list \ @@ -198,13 +216,17 @@ set lock9 [lock_test_start 9 [list \ [list release released] \ [list wait ""] \ [list exclusive "database lock file missing while getting exclusive"] \ + [list wait ""] \ [list eof 0]]] set lock9_1 [lock_test_start 9.1 [list \ [list permanent permanent] \ [list wait ""] \ [list release released] \ + [list wait ""] \ [list eof 0]]] +eval set lock9 \[lock_test_continue $lock9\] eval lock_test_continue $lock9 +eval set lock9_1 \[lock_test_continue $lock9_1\] eval lock_test_continue $lock9_1 if {! [file exists $lockfile]} { @@ -214,10 +236,12 @@ set lock10 [lock_test_start 10 [list \ [list permanent permanent] \ [list wait ""] \ [list release released] \ + [list wait ""] \ [list eof 0]]] if {[file exists $lockfile]} { fail "test 10: lock file exists" } +eval set lock10 \[lock_test_continue $lock10\] eval lock_test_continue $lock10 if {[file exists $lockfile]} { pass "test 11: lock file exists" @@ -229,15 +253,18 @@ set lock12 [lock_test_start 12 [list \ [list shared shared] \ [list wait ""] \ [list eof 0]]] -lock_test 12.1 [list \ +set lock12_1 [lock_test_start 12.1 [list \ [list "get test-pol" retrieved] \ - [list eof 0]] + [list wait ""] \ + [list eof 0]]] +eval lock_test_continue $lock12_1 eval lock_test_continue $lock12 set lock13 [lock_test_start 13 [list \ [list "get lock13" "Principal or policy does not exist"] \ [list wait ""] \ [list "get lock13" retrieved] \ + [list wait ""] \ [list eof 0]]] set test13_spawn_id $spawn_id # create_policy could call api_exit immediately when it starts up. @@ -248,6 +275,7 @@ api_start create_policy lock13 set api_spawn_id $spawn_id set spawn_id $test13_spawn_id +eval set lock13 \[lock_test_continue $lock13\] eval lock_test_continue $lock13 set spawn_id $api_spawn_id delete_policy lock13 diff --git a/src/lib/kadm5/unit-test/api.2/init-v2.exp b/src/lib/kadm5/unit-test/api.2/init-v2.exp index 58fe1a8..0893009 100644 --- a/src/lib/kadm5/unit-test/api.2/init-v2.exp +++ b/src/lib/kadm5/unit-test/api.2/init-v2.exp @@ -532,10 +532,10 @@ proc test117 {} { } } - if {$max_life == 36000} { + if {$max_life == 86400} { pass "$test" } else { - fail "$test: max_life $max_life should be 36000" + fail "$test: max_life $max_life should be 86400" } if {! [cmd {kadm5_destroy $server_handle}]} { diff --git a/src/lib/kadm5/unit-test/api.2/init.exp b/src/lib/kadm5/unit-test/api.2/init.exp index a1a2bc5..335f6e0 100644 --- a/src/lib/kadm5/unit-test/api.2/init.exp +++ b/src/lib/kadm5/unit-test/api.2/init.exp @@ -80,7 +80,7 @@ proc test6 {} { send "kadm5_init admin null \$KADM5_ADMIN_SERVICE null \$KADM5_STRUCT_VERSION \$KADM5_API_VERSION_2 server_handle\n" expect { - {Enter password:} { } + -re "assword\[^\r\n\]*:" { } eof { fail "$test: eof instead of password prompt" api_exit @@ -106,7 +106,7 @@ proc test7 {} { send "kadm5_init admin \"\" \$KADM5_ADMIN_SERVICE null \$KADM5_STRUCT_VERSION \$KADM5_API_VERSION_2 server_handle\n" expect { - {Enter password:} { } + -re "assword\[^\r\n\]*:" { } -re "key:$" { } eof { fail "$test: eof instead of password prompt" diff --git a/src/lib/kadm5/unit-test/config/unix.exp b/src/lib/kadm5/unit-test/config/unix.exp index 0472789..a78515f 100644 --- a/src/lib/kadm5/unit-test/config/unix.exp +++ b/src/lib/kadm5/unit-test/config/unix.exp @@ -14,6 +14,44 @@ if {[info exists exp_version_4]} { set wait_status_index 3 } +# Hack around Solaris 9 kernel race condition that causes last output +# from a pty to get dropped. +if { $PRIOCNTL_HACK } { + catch {exec priocntl -s -c FX -m 30 -p 30 -i pid [getpid]} + rename spawn oldspawn + proc spawn { args } { + upvar 1 spawn_id spawn_id + set newargs {} + set inflags 1 + set eatnext 0 + foreach arg $args { + if { $arg == "-ignore" \ + || $arg == "-open" \ + || $arg == "-leaveopen" } { + lappend newargs $arg + set eatnext 1 + continue + } + if [string match "-*" $arg] { + lappend newargs $arg + continue + } + if { $eatnext } { + set eatnext 0 + lappend newargs $arg + continue + } + if { $inflags } { + set inflags 0 + set newargs [concat $newargs {priocntl -e -c FX -p 0}] + } + lappend newargs $arg + } + set pid [eval oldspawn $newargs] + return $pid + } +} + # Variables for keeping track of api process state set api_pid "0" diff --git a/src/lib/kdb/ChangeLog b/src/lib/kdb/ChangeLog index d685be6..87f60aa 100644 --- a/src/lib/kdb/ChangeLog +++ b/src/lib/kdb/ChangeLog @@ -1,3 +1,31 @@ +2003-05-22 Ezra Peisach <epeisach@mit.edu> + + * keytab.c (is_xrealm_tgt): Use strncmp instead of strcmp - as + principal and realm name do not need to be null terminated. + +2003-04-01 Tom Yu <tlyu@mit.edu> + + * Makefile.in: Remove $(SHLIB_DBLIB_DEPS) and related variables. + (SHLIB_EXPDEPS): Remove $(SHLIB_DBLIB_DEPS). + (SHLIB_EXPLIBS): Change $(DB_LIB) to $(KDB5_DB_LIB). + (DBOBJLISTS, STOBJLISTS): Pull in object lists of in-tree libdb so + we don't need to install libdb. Don't do this if building with + system libdb, though, since we need to explicitly link against the + system libdb in that case. + +2003-03-18 Tom Yu <tlyu@mit.edu> + + * keytab.c (krb5_ktkdb_get_entry): Do not perform the enctype + comparison if the requested enctype is a wildcard. + +2003-03-16 Sam Hartman <hartmans@mit.edu> + + * keytab.c (krb5_ktkdb_get_entry): Match only against the first + enctype for non-cross-realm tickets so we will only accept + tickets that the current configuration would have issued. For + cross-realm tickets be liberal and match against the specified + enctype. + 2003-03-05 Tom Yu <tlyu@mit.edu> * kdb_xdr.c (krb5_dbe_search_enctype): Check for ktype > 0 rather diff --git a/src/lib/kdb/Makefile.in b/src/lib/kdb/Makefile.in index ea80b76..4ca36b0 100644 --- a/src/lib/kdb/Makefile.in +++ b/src/lib/kdb/Makefile.in @@ -12,17 +12,20 @@ LIBMAJOR=4 LIBMINOR=0 RELDIR=kdb # Depends on libk5crypto and libkrb5 -SHLIB_DBLIB_DEPS = $(SHLIB_DBLIB-@DB_VERSION@) -SHLIB_DBLIB-k5 = $(TOPLIBD)/libdb$(SHLIBEXT) -SHLIB_DBLIB-sys = SHLIB_EXPDEPS = \ $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ - $(TOPLIBD)/libkrb5$(SHLIBEXT) $(SHLIB_DBLIB_DEPS) -SHLIB_EXPLIBS=-lkrb5 -lcom_err -lk5crypto $(DB_LIB) $(LIBS) + $(TOPLIBD)/libkrb5$(SHLIBEXT) +SHLIB_EXPLIBS=-lkrb5 -lcom_err -lk5crypto $(KDB5_DB_LIB) $(LIBS) SHLIB_DIRS=-L$(TOPLIBD) SHLIB_RDIRS=$(KRB5_LIBDIR) +DBDIR = $(BUILDTOP)/util/db2 +DBOBJLISTS = $(DBOBJLISTS-@DB_VERSION@) +DBOBJLISTS-sys = +DBOBJLISTS-k5 = $(DBDIR)/hash/OBJS.ST $(DBDIR)/btree/OBJS.ST \ + $(DBDIR)/db/OBJS.ST $(DBDIR)/mpool/OBJS.ST $(DBDIR)/recno/OBJS.ST \ + $(DBDIR)/clib/OBJS.ST all:: @@ -38,7 +41,7 @@ SRCS= \ $(srcdir)/setup_mkey.c \ $(srcdir)/store_mkey.c -STOBJLISTS=OBJS.ST +STOBJLISTS=OBJS.ST $(DBOBJLISTS) STLIBOBJS= \ keytab.o \ encrypt_key.o \ @@ -77,53 +80,55 @@ clean:: # keytab.so keytab.po $(OUTPRE)keytab.$(OBJEXT): keytab.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(SRCTOP)/include/krb5/kdb_kt.h + $(SRCTOP)/include/krb5/kdb_kt.h encrypt_key.so encrypt_key.po $(OUTPRE)encrypt_key.$(OBJEXT): encrypt_key.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h decrypt_key.so decrypt_key.po $(OUTPRE)decrypt_key.$(OBJEXT): decrypt_key.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h kdb_cpw.so kdb_cpw.po $(OUTPRE)kdb_cpw.$(OBJEXT): kdb_cpw.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(SRCTOP)/include/krb5/adm.h + $(SRCTOP)/include/krb5/adm.h kdb_db2.so kdb_db2.po $(OUTPRE)kdb_db2.$(OBJEXT): kdb_db2.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(DB_DEPS) kdb_compat.h \ - kdb_db2.h + $(DB_DEPS) kdb_compat.h kdb_db2.h kdb_xdr.so kdb_xdr.po $(OUTPRE)kdb_xdr.$(OBJEXT): kdb_xdr.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h verify_mky.so verify_mky.po $(OUTPRE)verify_mky.$(OBJEXT): verify_mky.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h fetch_mkey.so fetch_mkey.po $(OUTPRE)fetch_mkey.$(OBJEXT): fetch_mkey.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h setup_mkey.so setup_mkey.po $(OUTPRE)setup_mkey.$(OBJEXT): setup_mkey.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h store_mkey.so store_mkey.po $(OUTPRE)store_mkey.$(OBJEXT): store_mkey.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h diff --git a/src/lib/kdb/keytab.c b/src/lib/kdb/keytab.c index 6ec375a..5db382c 100644 --- a/src/lib/kdb/keytab.c +++ b/src/lib/kdb/keytab.c @@ -24,10 +24,14 @@ * or implied warranty. * */ +#include <string.h> #include "k5-int.h" #include "kdb_kt.h" +static int +is_xrealm_tgt(krb5_context, krb5_const_principal); + krb5_error_code krb5_ktkdb_close (krb5_context, krb5_keytab); krb5_error_code krb5_ktkdb_get_entry (krb5_context, krb5_keytab, krb5_const_principal, @@ -116,6 +120,8 @@ krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry) krb5_db_entry db_entry; krb5_boolean more = 0; int n = 0; + int xrealm_tgt = is_xrealm_tgt(context, principal); + int similar; if (ktkdb_ctx) context = ktkdb_ctx; @@ -150,16 +156,33 @@ krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry) if (kerror) goto error; + /* For cross realm tgts, we match whatever enctype is provided; + * for other principals, we only match the first enctype that is + * found. Since the TGS and AS code do the same thing, then we + * will only successfully decrypt tickets we have issued.*/ kerror = krb5_dbe_find_enctype(context, &db_entry, - enctype, -1, kvno, &key_data); + xrealm_tgt?enctype:-1, + -1, kvno, &key_data); if (kerror) goto error; + kerror = krb5_dbekd_decrypt_key_data(context, master_key, key_data, &entry->key, NULL); if (kerror) goto error; + if (enctype > 0) { + kerror = krb5_c_enctype_compare(context, enctype, + entry->key.enctype, &similar); + if (kerror) + goto error; + + if (!similar) { + kerror = KRB5_KDB_NO_PERMITTED_KEY; + goto error; + } + } /* * Coerce the enctype of the output keyblock in case we got an * inexact match on the enctype. @@ -176,3 +199,27 @@ krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry) krb5_db_close_database(context); return(kerror); } + +/* + * is_xrealm_tgt: Returns true if the principal is a cross-realm TGT + * principal-- a principal with first component krbtgt and second + * component not equal to realm. + */ +static int +is_xrealm_tgt(krb5_context context, krb5_const_principal princ) +{ + krb5_data *dat; + if (krb5_princ_size(context, princ) != 2) + return 0; + dat = krb5_princ_component(context, princ, 0); + if (strncmp("krbtgt", dat->data, dat->length) != 0) + return 0; + dat = krb5_princ_component(context, princ, 1); + if (dat->length != princ->realm.length) + return 1; + if (strncmp(dat->data, princ->realm.data, dat->length) == 0) + return 0; + return 1; + +} + diff --git a/src/lib/krb4/ChangeLog b/src/lib/krb4/ChangeLog index 9c53ca1..0842831 100644 --- a/src/lib/krb4/ChangeLog +++ b/src/lib/krb4/ChangeLog @@ -1,3 +1,132 @@ +2003-08-15 Alexandra Ellwood <lxs@mit.edu> + + * mk_auth.c: krb_check_auth clears the return value for the + schedule parameter with a memset. This prevents callers + from using the key schedule, which breaks code. + +2003-08-06 Alexandra Ellwood <lxs@mit.edu> + + * configure.in: Don't assume all darwin boxes are powerpc. + (eg: OpenDarwin/x86). + +2003-07-11 Alexandra Ellwood <lxs@mit.edu> + + * RealmsConfig-glue.c: Check for NULL realm argument and n + not equal to 1. Fill in realm with an empty string on error + in case the caller doesn't check the return value. + +2003-07-11 Alexandra Ellwood <lxs@mit.edu> + + * RealmsConfig-glue.c: Don't fail when krb5.conf is valid + and krb.conf isn't. Also, don't assert v4 realm is in profile + unless that realm is a valid v4 realm. + +2003-07-07 Alexandra Ellwood <lxs@mit.edu> + + * RealmsConfig-glue.c: krb_prof_get_nth() no longer assumes that + its retlen argument is correct (call strcpy instead of strncpy) + because this argument is a guess for some callers + (eg: krb_get_admhst()) + +2003-06-11 Tom Yu <tlyu@mit.edu> + + * Makefile.in (KRB_ERR_C): New variable; Darwin needs err_txt.o to + have a dependency on krb_err.c so that krb_err.c will be generated + first. + + * configure.in: Set KRB_ERR_C to krb_err.c on Darwin. + +2003-06-09 Ken Raeburn <raeburn@mit.edu> + + * RealmsConfig-glue.c (krb_get_krbhst): Don't fall back to DNS if + entries were found in krb.conf, and just not enough to fill the + request. + +2003-06-06 Ken Raeburn <raeburn@mit.edu> + + * RealmsConfig-glue.c: Include k5-int.h. + (dnscache): New variable. + (DNS_CACHE_TIMEOUT): New macro. + (krb_get_krbhst) [KRB5_DNS_LOOKUP]: If no krb.conf info is found, + try DNS SRV records for "kerberos-iv". Cache results in case + they're immediately requested again. + +2003-06-06 Tom Yu <tlyu@mit.edu> + + * g_cnffile.c (krb__get_srvtabname): Make retname be a static + array rather than a static pointer, to avoid callers' possible + retention of free()d pointers. Yes, this may cause difficulty + with making this function thread-safe. + +2003-06-04 Tom Yu <tlyu@mit.edu> + + * password_to_key.c (mit_passwd_to_key, afs_passwd_to_key): Delete + spurious space from prompt. + +2003-06-03 Ken Raeburn <raeburn@mit.edu> + + * RealmsConfig-glue.c (get_krbhst_default): Deleted. + (krb_get_krbhst): Don't call it. + +2003-06-03 Sam Hartman <hartmans@mit.edu> + + * g_pw_in_tkt.c (passwd_to_key): Fix password prompt + + * password_to_key.c (mit_passwd_to_key): Fix password prompt + (afs_passwd_to_key): Fix password prompt + + * g_in_tkt.c (krb_get_in_tkt_preauth_creds): Keep copy of + ciphertext while trying different keyprocs + +2003-06-02 Tom Yu <tlyu@mit.edu> + + * change_password.c (krb_change_password): Explicitly zero the + session key. Zero the key derived from the new password. + + * mk_req.c (krb_mk_req): Explicitly zero the session key. + (krb_mk_req_creds_prealm): Don't zero the session key, in case the + caller wants to make use of it. + +2003-05-24 Ken Raeburn <raeburn@mit.edu> + + * lifetime.c (krb_life_to_time, krb_time_to_life): Rewrite to use + support functions in the krb5 library via krb5int_accessor. Moved + old implementation into krb5 library. + +2003-05-12 Tom Yu <tlyu@mit.edu> + + * Makefile.in: Add setting of KRB_ERR on Windows. + +2003-05-11 Sam Hartman <hartmans@mit.edu> + + * Makefile.in: Build krb_err.c when appropriate. + + * configure.in: Set KRB_ERR to be the object file generated by + krb_err.c on non-Darwin + + * err_txt.c : Don't include krb_err.c on non-Darwin UNIX. Doing + so may break with some compile_et implementations. Also not + included on Windows. + +2003-05-01 Alexandra Ellwood <lxs@mit.edu> + ÊÊ + * kadm_stream.c: Fixed vts_long() and vts_short() so they return a + pointer to the beginning of the memory they allocate and place + their data at the end of the buffer which was passed in. + +2003-04-15 Alexandra Ellwood <lxs@mit.edu> + ÊÊ + * g_ad_tkt.c: accidentally checked a non-space character into + the USE_LOGIN_LIBRARY part of get_ad_tkt so it doesn't build + on the Mac. Oops. + +2003-04-14 Alexandra Ellwood <lxs@mit.edu> + ÊÊ + * g_ad_tkt.c: Added support for login library to get_ad_tkt. + Support is copied from Mac Kerberos4 library and conditionalized + for USE_LOGIN_LIBRARY to avoid changing get_ad_tkt's behavior for + non-Kerberos Login Library builds. + 2003-03-06 Alexandra Ellwood <lxs@mit.edu> * CCache-glue.c: Added prototypes for deprecated functions. diff --git a/src/lib/krb4/Makefile.in b/src/lib/krb4/Makefile.in index 0a8ecff..572a3ad 100644 --- a/src/lib/krb4/Makefile.in +++ b/src/lib/krb4/Makefile.in @@ -29,6 +29,12 @@ SHLIB_DIRS=-L$(TOPLIBD) SHLIB_RDIRS=$(KRB5_LIBDIR) EHDRDIR=$(BUILDTOP)$(S)include$(S)kerberosIV +KRB_ERR=@KRB_ERR@ +##DOS##KRB_ERR=$(OUTPRE)krb_err.$(OBJEXT) + +# Name of generated krb_err.c, needed for err_txt.* dependency on Darwin. +KRB_ERR_C=@KRB_ERR_C@ +##DOS##KRB_ERR_C= OBJS = \ $(OUTPRE)change_password.$(OBJEXT) \ @@ -72,7 +78,7 @@ OBJS = \ $(OUTPRE)rd_preauth.$(OBJEXT) \ $(OUTPRE)mk_preauth.$(OBJEXT) \ $(OSOBJS) $(CACHEOBJS) $(SETENVOBJS) $(STRCASEOBJS) $(SHMOBJS) \ - $(LIB_KRB_HOSTOBJS) $(SERVER_KRB_OBJS) $(NETIO_OBJS) $(REALMDBOBJS) + $(LIB_KRB_HOSTOBJS) $(SERVER_KRB_OBJS) $(NETIO_OBJS) $(REALMDBOBJS) $(KRB_ERR) SRCS = \ change_password.c \ @@ -217,7 +223,7 @@ krb_err_txt.c: krb_err.et $(srcdir)$(S)et_errtxt.awk # Will be empty on Darwin, krb_err_txt.c elsewhere. KRB_ERR_TXT=@KRB_ERR_TXT@ ##DOS##KRB_ERR_TXT=krb_err_txt.c -err_txt.so err_txt.po $(OUTPRE)err_txt.$(OBJEXT): err_txt.c $(KRB_ERR_TXT) +err_txt.so err_txt.po $(OUTPRE)err_txt.$(OBJEXT): err_txt.c $(KRB_ERR_C) $(KRB_ERR_TXT) depend-dependencies: krb_err.h $(EHDRDIR)$(S)krb_err.h \ kadm_err.h $(EHDRDIR)$(S)kadm_err.h \ @@ -335,11 +341,14 @@ kname_parse.so kname_parse.po $(OUTPRE)kname_parse.$(OBJEXT): kname_parse.c $(SR err_txt.so err_txt.po $(OUTPRE)err_txt.$(OBJEXT): err_txt.c $(SRCTOP)/include/kerberosIV/krb.h \ $(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h krb4int.h \ - $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \ - krb_err.c + $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h lifetime.so lifetime.po $(OUTPRE)lifetime.$(OBJEXT): lifetime.c $(SRCTOP)/include/kerberosIV/krb.h \ $(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \ - $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/k5-int.h \ + $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h g_in_tkt.so g_in_tkt.po $(OUTPRE)g_in_tkt.$(OBJEXT): g_in_tkt.c $(SRCTOP)/include/kerberosIV/krb.h \ $(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h krb4int.h \ @@ -409,9 +418,10 @@ send_to_kdc.so send_to_kdc.po $(OUTPRE)send_to_kdc.$(OBJEXT): send_to_kdc.c $(SR $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/krbports.h \ $(SRCTOP)/include/kerberosIV/prot.h $(BUILDTOP)/include/krb5/autoconf.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/fake-addrinfo.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-int.h \ - $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/kdb.h krb4int.h + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-platform.h \ + $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ + $(BUILDTOP)/include/krb5.h $(SRCTOP)/include/krb5/kdb.h \ + krb4int.h stime.so stime.po $(OUTPRE)stime.$(OBJEXT): stime.c $(SRCTOP)/include/kerberosIV/krb.h \ $(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h krb4int.h \ @@ -434,9 +444,9 @@ tf_util.so tf_util.po $(OUTPRE)tf_util.$(OBJEXT): tf_util.c $(SRCTOP)/include/ke $(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - krb4int.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h krb4int.h dest_tkt.so dest_tkt.po $(OUTPRE)dest_tkt.$(OBJEXT): dest_tkt.c $(SRCTOP)/include/kerberosIV/krb.h \ $(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/k5-util.h \ @@ -489,9 +499,9 @@ rd_svc_key.so rd_svc_key.po $(OUTPRE)rd_svc_key.$(OBJEXT): rd_svc_key.c $(SRCTOP $(KRB_ERR_H_DEP) $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ krb4int.h $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/krb54proto.h \ - $(SRCTOP)/include/kerberosIV/prot.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ + $(SRCTOP)/include/krb54proto.h $(SRCTOP)/include/kerberosIV/prot.h cr_err_repl.so cr_err_repl.po $(OUTPRE)cr_err_repl.$(OBJEXT): cr_err_repl.c $(SRCTOP)/include/kerberosIV/krb.h \ $(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h @@ -538,12 +548,14 @@ g_cnffile.so g_cnffile.po $(OUTPRE)g_cnffile.$(OBJEXT): g_cnffile.c $(SRCTOP)/in $(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \ $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - krb4int.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h krb4int.h RealmsConfig-glue.so RealmsConfig-glue.po $(OUTPRE)RealmsConfig-glue.$(OBJEXT): RealmsConfig-glue.c \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/krb.h \ $(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \ krb4int.h $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h + $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h diff --git a/src/lib/krb4/RealmsConfig-glue.c b/src/lib/krb4/RealmsConfig-glue.c index 52437ee..0635284 100644 --- a/src/lib/krb4/RealmsConfig-glue.c +++ b/src/lib/krb4/RealmsConfig-glue.c @@ -37,6 +37,7 @@ #include "profile.h" #include "krb.h" #include "krb4int.h" +#include "k5-int.h" /* for accessor, addrlist stuff */ #include "port-sockets.h" #define KRB5_PRIVATE 1 @@ -142,10 +143,11 @@ krb_prof_get_nth( } if (result == KSUCCESS) { /* Return error rather than truncating. */ + /* Don't strncpy because retlen is a guess for some callers */ if (strlen(value) >= retlen) result = KFAILURE; else - strncpy(ret, value, retlen); + strcpy(ret, value); } cleanup: if (name != NULL) @@ -188,76 +190,112 @@ krb_get_lrealm( char *realm, int n) { - long profErr = 0; - char *realmString = NULL; - char *realmStringV4 = NULL; - profile_t profile = NULL; - int result; - FILE *cnffile = NULL; - char scratch[SCRATCHSZ]; - - if (n != 1 || realm == NULL) - return KFAILURE; + int result = KSUCCESS; + profile_t profile = NULL; + char *profileDefaultRealm = NULL; + char **profileV4Realms = NULL; + int profileHasDefaultRealm = 0; + int profileDefaultRealmIsV4RealmInProfile = 0; + char krbConfLocalRealm[REALM_SZ]; + int krbConfHasLocalRealm = 0; - result = KFAILURE; /* Start out with failure. */ - - profErr = krb_get_profile(&profile); - if (profErr) - goto cleanup; + if ((realm == NULL) || (n != 1)) { result = KFAILURE; } - profErr = profile_get_string(profile, REALMS_V4_PROF_LIBDEFAULTS_SECTION, - REALMS_V4_DEFAULT_REALM, NULL, NULL, - &realmString); - if (profErr || realmString == NULL) - goto cleanup; + if (result == KSUCCESS) { + /* Some callers don't check the return value so we initialize + * to an empty string in case it never gets filled in. */ + realm [0] = '\0'; + } + + if (result == KSUCCESS) { + int profileErr = krb_get_profile (&profile); + + if (!profileErr) { + /* Get the default realm from the profile */ + profileErr = profile_get_string(profile, REALMS_V4_PROF_LIBDEFAULTS_SECTION, + REALMS_V4_DEFAULT_REALM, NULL, NULL, + &profileDefaultRealm); + if (profileDefaultRealm == NULL) { profileErr = KFAILURE; } + } + + if (!profileErr) { + /* If there is an equivalent v4 realm to the default realm, use that instead */ + char *profileV4EquivalentRealm = NULL; + + if (profile_get_string (profile, "realms", profileDefaultRealm, "v4_realm", NULL, + &profileV4EquivalentRealm) == 0 && + profileV4EquivalentRealm != NULL) { + + profile_release_string (profileDefaultRealm); + profileDefaultRealm = profileV4EquivalentRealm; + } + } + + if (!profileErr) { + if (strlen (profileDefaultRealm) < REALM_SZ) { + profileHasDefaultRealm = 1; /* a reasonable default realm */ + } else { + profileErr = KFAILURE; + } + } + + if (!profileErr) { + /* Walk through the v4 realms list looking for the default realm */ + const char *profileV4RealmsList[] = { REALMS_V4_PROF_REALMS_SECTION, NULL }; + + if (profile_get_subsection_names (profile, profileV4RealmsList, + &profileV4Realms) == 0 && + profileV4Realms != NULL) { + + char **profileRealm; + for (profileRealm = profileV4Realms; *profileRealm != NULL; profileRealm++) { + if (strcmp (*profileRealm, profileDefaultRealm) == 0) { + /* default realm is a v4 realm */ + profileDefaultRealmIsV4RealmInProfile = 1; + break; + } + } + } + } + } + + if (result == KSUCCESS) { + /* Try to get old-style config file lookup for fallback. */ + FILE *cnffile = NULL; + char scratch[SCRATCHSZ]; + + cnffile = krb__get_cnffile(); + if (cnffile != NULL) { + if (fscanf(cnffile, SCNSCRATCH, scratch) == 1) { + if (strlen(scratch) < REALM_SZ) { + strncpy(krbConfLocalRealm, scratch, REALM_SZ); + krbConfHasLocalRealm = 1; + } + } + fclose(cnffile); + } + } - if (strlen(realmString) >= REALM_SZ) - goto cleanup; - strncpy(realm, realmString, REALM_SZ); - /* - * Step 2: the default realm is actually v5 realm, so we have to - * check for the case where v4 and v5 realms are different. - */ - profErr = profile_get_string(profile, "realms", realm, "v4_realm", - NULL, &realmStringV4); - if (profErr || realmStringV4 == NULL) - goto cleanup; + if (result == KSUCCESS) { + /* + * We want to favor the profile value over the krb.conf value + * but not stop suppporting its use with a v5-only profile. + * So we only use the krb.conf realm when the default profile + * realm doesn't exist in the v4 realm section of the profile. + */ + if (krbConfHasLocalRealm && !profileDefaultRealmIsV4RealmInProfile) { + strncpy (realm, krbConfLocalRealm, REALM_SZ); + } else if (profileHasDefaultRealm) { + strncpy (realm, profileDefaultRealm, REALM_SZ); + } else { + result = KFAILURE; /* No default realm */ + } + } - if (strlen(realmStringV4) >= REALM_SZ) - goto cleanup; - strncpy(realm, realmStringV4, REALM_SZ); - result = KSUCCESS; -cleanup: - if (realmString != NULL) - profile_release_string(realmString); - if (realmStringV4 != NULL) - profile_release_string(realmStringV4); - if (profile != NULL) - profile_abandon(profile); + if (profileDefaultRealm != NULL) { profile_release_string (profileDefaultRealm); } + if (profileV4Realms != NULL) { profile_free_list (profileV4Realms); } + if (profile != NULL) { profile_abandon (profile); } - if (result == KSUCCESS) - return result; - /* - * Do old-style config file lookup. - */ - do { - cnffile = krb__get_cnffile(); - if (cnffile == NULL) - break; - if (fscanf(cnffile, SCNSCRATCH, scratch) == 1) { - if (strlen(scratch) >= REALM_SZ) - result = KFAILURE; - else { - strncpy(realm, scratch, REALM_SZ); - result = KSUCCESS; - } - } - fclose(cnffile); - } while (0); - if (result == KFAILURE && strlen(KRB_REALM) < REALM_SZ) { - strncpy(realm, KRB_REALM, REALM_SZ); - result = KSUCCESS; - } return result; } @@ -359,23 +397,6 @@ krb_get_kpasswdhst( REALMS_V4_PROF_KPASSWD_KDC); } -static int -get_krbhst_default(h, r, n) - char *h; - char *r; - int n; -{ - if (n != 1) - return KFAILURE; - if (strlen(KRB_HOST) + 1 + strlen(r) >= MAXHOSTNAMELEN) - return KFAILURE; - /* KRB_HOST.REALM (ie. kerberos.CYGNUS.COM) */ - strcpy(h, KRB_HOST); - strcat(h, "."); - strcat(h, r); - return KSUCCESS; -} - /* * Realm, index -> KDC mapping * @@ -411,6 +432,15 @@ get_krbhst_default(h, r, n) * kerberos. In the long run, this functionality will be provided by a * nameserver. */ +#ifdef KRB5_DNS_LOOKUP +static struct { + time_t when; + char realm[REALM_SZ+1]; + struct srv_dns_entry *srv; +} dnscache = { 0, { 0 }, 0 }; +#define DNS_CACHE_TIMEOUT 60 /* seconds */ +#endif + int KRB5_CALLCONV krb_get_krbhst( char *host, @@ -423,10 +453,36 @@ krb_get_krbhst( char linebuf[BUFSIZ]; char tr[SCRATCHSZ]; char scratch[SCRATCHSZ]; +#ifdef KRB5_DNS_LOOKUP + time_t now; +#endif if (n < 1 || host == NULL || realm == NULL) return KFAILURE; +#ifdef KRB5_DNS_LOOKUP + /* We'll only have this realm's info in the DNS cache if there is + no data in the local config files. + + XXX The files could've been updated in the last few seconds. + Do we care? */ + if (!strncmp(dnscache.realm, realm, REALM_SZ) + && (time(&now), abs(dnscache.when - now) < DNS_CACHE_TIMEOUT)) { + struct srv_dns_entry *entry; + + get_from_dnscache: + /* n starts at 1, addrs indices run 0..naddrs */ + for (i = 1, entry = dnscache.srv; i < n && entry; i++) + entry = entry->next; + if (entry == NULL) + return KFAILURE; + if (strlen(entry->host) + 6 >= MAXHOSTNAMELEN) + return KFAILURE; + sprintf(host, "%s:%d", entry->host, entry->port); + return KSUCCESS; + } +#endif + result = krb_prof_get_nth(host, MAXHOSTNAMELEN, realm, n, REALMS_V4_PROF_REALMS_SECTION, REALMS_V4_PROF_KDC); @@ -461,14 +517,43 @@ krb_get_krbhst( i++; } fclose(cnffile); - if (result == KSUCCESS && strlen(scratch) < MAXHOSTNAMELEN) + if (result == KSUCCESS && strlen(scratch) < MAXHOSTNAMELEN) { strcpy(host, scratch); - else - result = KFAILURE; + return KSUCCESS; + } + if (i > 0) + /* Found some, but not as many as requested. */ + return KFAILURE; } while (0); - if (result == KFAILURE) - result = get_krbhst_default(host, realm, n); - return result; +#ifdef KRB5_DNS_LOOKUP + do { + krb5int_access k5; + krb5_error_code err; + krb5_data realmdat; + struct srv_dns_entry *srv; + + err = krb5int_accessor(&k5, KRB5INT_ACCESS_VERSION); + if (err) + break; + + realmdat.data = realm; + realmdat.length = strlen(realm); + err = k5.make_srv_query_realm(&realmdat, "_kerberos-iv", "_udp", &srv); + if (err) + break; + + if (srv == 0) + break; + + if (dnscache.srv) + k5.free_srv_dns_data(dnscache.srv); + dnscache.srv = srv; + strncpy(dnscache.realm, realm, REALM_SZ); + dnscache.when = now; + goto get_from_dnscache; + } while (0); +#endif + return KFAILURE; } /* diff --git a/src/lib/krb4/change_password.c b/src/lib/krb4/change_password.c index a6e4d7b..7c3bcd0 100644 --- a/src/lib/krb4/change_password.c +++ b/src/lib/krb4/change_password.c @@ -100,6 +100,7 @@ krb_change_password(char *principal, char *instance, char *realm, p = key; KRB4_GET32BE(tempKey, p); sendSize += vts_long(tempKey, &sendStream, (int)sendSize); + tempKey = 0; if (newPassword) { sendSize += vts_string(newPassword, &sendStream, (int)sendSize); @@ -120,5 +121,7 @@ disconnect: kadm_cli_disconn(&client_parm); cleanup: + memset(&client_parm.creds.session, 0, sizeof(client_parm.creds.session)); + memset(&key, 0, sizeof(key)); return err; } diff --git a/src/lib/krb4/configure.in b/src/lib/krb4/configure.in index 87aeebc..d428656 100644 --- a/src/lib/krb4/configure.in +++ b/src/lib/krb4/configure.in @@ -3,14 +3,20 @@ CONFIG_RULES AC_TYPE_MODE_T AC_TYPE_UID_T case $krb5_cv_host in - powerpc-apple-darwin*) + *-apple-darwin*) KRB_ERR_TXT= + KRB_ERR= + KRB_ERR_C=krb_err.c ;; *) + KRB_ERR='$(OUTPRE)krb_err.$(OBJEXT)' KRB_ERR_TXT=krb_err_txt.c + KRB_ERR_C= ;; esac AC_SUBST([KRB_ERR_TXT]) +AC_SUBST([KRB_ERR]) +AC_SUBST([KRB_ERR_C]) AC_PROG_AWK KRB5_BUILD_LIBOBJS KRB5_BUILD_LIBRARY_WITH_DEPS diff --git a/src/lib/krb4/err_txt.c b/src/lib/krb4/err_txt.c index 9d942a0..a7a290c 100644 --- a/src/lib/krb4/err_txt.c +++ b/src/lib/krb4/err_txt.c @@ -31,17 +31,14 @@ * This is gross. We want krb_err_txt to match the contents of the * com_err error table, but the text is static in krb_err.c. We can't * alias it by making a pointer to it, either, so we have to suck in - * another copy of it that is named differently. Also, to avoid - * multiple registrations of the error table, we want to override - * initialize_krb_error_table() in case someone decides to call it. - */ + * another copy of it that is named differently. */ +#if TARGET_OS_MAC #undef initialize_krb_error_table #define initialize_krb_error_table krb4int_init_krb_err_tbl void krb4int_init_krb_err_tbl(void); #include "krb_err.c" #undef initialize_krb_error_table -#if TARGET_OS_MAC /* * Depends on the name of the static table generated by compile_et, * but since this is only on Darwin, where we will always use a @@ -69,12 +66,6 @@ krb4int_et_init(void) } void -initialize_krb_error_table(void) -{ - krb4int_et_init(); -} - -void krb4int_et_fini(void) { if (inited) diff --git a/src/lib/krb4/g_ad_tkt.c b/src/lib/krb4/g_ad_tkt.c index daae751..353fdce 100644 --- a/src/lib/krb4/g_ad_tkt.c +++ b/src/lib/krb4/g_ad_tkt.c @@ -256,6 +256,15 @@ get_ad_tkt(service, sinstance, realm, lifetime) size_t snamelen, sinstlen; kerror = krb_get_tf_realm(TKT_FILE, lrealm); +#if USE_LOGIN_LIBRARY + if (kerror == GC_NOTKT) { + /* No tickets... call krb_get_cred (KLL will prompt) and try again. */ + if ((kerror = krb_get_cred ("krbtgt", realm, realm, &cr)) == KSUCCESS) { + /* Now get the realm again. */ + kerror = krb_get_tf_realm (TKT_FILE, lrealm); + } + } +#endif if (kerror != KSUCCESS) return kerror; diff --git a/src/lib/krb4/g_cnffile.c b/src/lib/krb4/g_cnffile.c index 8d61f50..dd5ed5c 100644 --- a/src/lib/krb4/g_cnffile.c +++ b/src/lib/krb4/g_cnffile.c @@ -56,7 +56,7 @@ krb__get_srvtabname(default_srvtabname) const char* names[3]; char **full_name = 0, **cpp; krb5_error_code retval; - static char *retname; + static char retname[MAXPATHLEN]; if (!krb5__krb4_context) krb5_init_context(&krb5__krb4_context); @@ -67,18 +67,16 @@ krb__get_srvtabname(default_srvtabname) retval = profile_get_values(krb5__krb4_context->profile, names, &full_name); if (retval == 0 && full_name && full_name[0]) { - if (retname != NULL) - free(retname); - retname = strdup(full_name[0]); + retname[0] = '\0'; + strncat(retname, full_name[0], sizeof(retname)); for (cpp = full_name; *cpp; cpp++) krb5_xfree(*cpp); krb5_xfree(full_name); return retname; } } - if (retname != NULL) - free(retname); - retname = strdup(default_srvtabname); + retname[0] = '\0'; + strncat(retname, default_srvtabname, sizeof(retname)); return retname; } diff --git a/src/lib/krb4/g_in_tkt.c b/src/lib/krb4/g_in_tkt.c index 4d5286a..58a91b0 100644 --- a/src/lib/krb4/g_in_tkt.c +++ b/src/lib/krb4/g_in_tkt.c @@ -424,6 +424,9 @@ krb_get_in_tkt_preauth_creds(user, instance, realm, service, sinstance, life, /* Attempt to decrypt the reply. Loop trying password_to_key algorithms until we succeed or we get an error other than "bad password" */ do { + KTEXT_ST cip_copy_st; + memcpy(&cip_copy_st, &cip_st, sizeof(cip_st)); + cip = &cip_copy_st; if (decrypt_proc == NULL) { decrypt_tkt (user, instance, realm, arg, keyprocs[i], &cip); } else { @@ -432,6 +435,7 @@ krb_get_in_tkt_preauth_creds(user, instance, realm, service, sinstance, life, kerror = krb_parse_in_tkt_creds(user, instance, realm, service, sinstance, life, cip, byteorder, creds); } while ((keyprocs [++i] != NULL) && (kerror == INTK_BADPW)); + cip = &cip_st; /* Fill in the local address if the caller wants it */ if (laddrp != NULL) { diff --git a/src/lib/krb4/g_pw_in_tkt.c b/src/lib/krb4/g_pw_in_tkt.c index 494a059..d687818 100644 --- a/src/lib/krb4/g_pw_in_tkt.c +++ b/src/lib/krb4/g_pw_in_tkt.c @@ -79,7 +79,7 @@ passwd_to_key(user,instance,realm,passwd,key) if (passwd) string_to_key(passwd, key); else { - des_read_password((des_cblock *)key, "Password: ", 0); + des_read_password((des_cblock *)key, "Password", 0); } #endif /* NOENCRYPTION */ #endif /* unix */ diff --git a/src/lib/krb4/kadm_stream.c b/src/lib/krb4/kadm_stream.c index 3a9861e..dc9fef1 100644 --- a/src/lib/krb4/kadm_stream.c +++ b/src/lib/krb4/kadm_stream.c @@ -129,8 +129,11 @@ vts_short(KRB_UINT32 dat, u_char **st, int loc) if (p == NULL) return -1; + *st = p; /* KRB4_PUT32BE will modify p */ + + p += loc; /* place bytes at the end */ KRB4_PUT16BE(p, dat); - *st = p; + return 2; } @@ -145,8 +148,11 @@ vts_long(KRB_UINT32 dat, u_char **st, int loc) if (p == NULL) return -1; + *st = p; /* KRB4_PUT32BE will modify p */ + + p += loc; /* place bytes at the end */ KRB4_PUT32BE(p, dat); - *st = p; + return 4; } diff --git a/src/lib/krb4/lifetime.c b/src/lib/krb4/lifetime.c index b43ed45..826e090 100644 --- a/src/lib/krb4/lifetime.c +++ b/src/lib/krb4/lifetime.c @@ -1,5 +1,5 @@ /* - * Copyright 2000, 2001 by the Massachusetts Institute of Technology. + * Copyright 2000, 2001, 2003 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -24,72 +24,7 @@ */ #include "krb.h" - -/* - * Only lifetime bytes values less than 128 are on a linear scale. - * The following table contains an exponential scale that covers the - * lifetime values 128 to 191 inclusive (a total of 64 values). - * Values greater than 191 get interpreted the same as 191, but they - * will never be generated by the functions in this file. - * - * The ratio is approximately 1.069144898 (actually exactly - * exp(log(67.5)/63), where 67.5 = 2592000/38400, and 259200 = 30 - * days, and 38400 = 128*5 minutes. This allows a lifetime byte of - * 191 to correspond to a ticket life of exactly 30 days and a - * lifetime byte of 128 to correspond to exactly 128*5 minutes, with - * the other values spread on an exponential curve fit in between - * them. This table should correspond exactly to the set of extended - * ticket lifetime values used by AFS and CMU. - * - * The following awk script is sufficient to reproduce the table: - * BEGIN { - * r = exp(log(2592000/38400)/63); - * x = 38400; - * for (i=0;i<64;i++) { - * printf("%d\n",x+0.5); - * x *= r; - * } - * } - */ -#ifndef SHORT_LIFETIME -#define NLIFETIMES 64 -static const KRB4_32 lifetimes[NLIFETIMES] = { - 38400, 41055, /* 00:10:40:00, 00:11:24:15 */ - 43894, 46929, /* 00:12:11:34, 00:13:02:09 */ - 50174, 53643, /* 00:13:56:14, 00:14:54:03 */ - 57352, 61318, /* 00:15:55:52, 00:17:01:58 */ - 65558, 70091, /* 00:18:12:38, 00:19:28:11 */ - 74937, 80119, /* 00:20:48:57, 00:22:15:19 */ - 85658, 91581, /* 00:23:47:38, 01:01:26:21 */ - 97914, 104684, /* 01:03:11:54, 01:05:04:44 */ - 111922, 119661, /* 01:07:05:22, 01:09:14:21 */ - 127935, 136781, /* 01:11:32:15, 01:13:59:41 */ - 146239, 156350, /* 01:16:37:19, 01:19:25:50 */ - 167161, 178720, /* 01:22:26:01, 02:01:38:40 */ - 191077, 204289, /* 02:05:04:37, 02:08:44:49 */ - 218415, 233517, /* 02:12:40:15, 02:16:51:57 */ - 249664, 266926, /* 02:21:21:04, 03:02:08:46 */ - 285383, 305116, /* 03:07:16:23, 03:12:45:16 */ - 326213, 348769, /* 03:18:36:53, 04:00:52:49 */ - 372885, 398668, /* 04:07:34:45, 04:14:44:28 */ - 426234, 455705, /* 04:22:23:54, 05:06:35:05 */ - 487215, 520904, /* 05:15:20:15, 06:00:41:44 */ - 556921, 595430, /* 06:10:42:01, 06:21:23:50 */ - 636601, 680618, /* 07:08:50:01, 07:21:03:38 */ - 727680, 777995, /* 08:10:08:00, 09:00:06:35 */ - 831789, 889303, /* 09:15:03:09, 10:07:01:43 */ - 950794, 1016537, /* 11:00:06:34, 11:18:22:17 */ - 1086825, 1161973, /* 12:13:53:45, 13:10:46:13 */ - 1242318, 1328218, /* 14:09:05:18, 15:08:56:58 */ - 1420057, 1518247, /* 16:10:27:37, 17:13:44:07 */ - 1623226, 1735464, /* 18:18:53:46, 20:02:04:24 */ - 1855462, 1983758, /* 21:11:24:22, 22:23:02:38 */ - 2120925, 2267576, /* 24:13:08:45, 26:05:52:56 */ - 2424367, 2592000 /* 28:01:26:07, 30:00:00:00 */ -}; -#define MINFIXED 0x80 -#define MAXFIXED (MINFIXED + NLIFETIMES - 1) -#endif /* !SHORT_LIFETIME */ +#include "k5-int.h" /* * krb_life_to_time @@ -100,17 +35,12 @@ static const KRB4_32 lifetimes[NLIFETIMES] = { KRB4_32 KRB5_CALLCONV krb_life_to_time(KRB4_32 start, int life) { - if (life < 0 || life > 255) /* possibly sign botch in caller */ + krb5int_access k5internals; + + if (krb5int_accessor(&k5internals, KRB5INT_ACCESS_VERSION) + || k5internals.krb_life_to_time == NULL) return start; -#ifndef SHORT_LIFETIME - if (life < MINFIXED) - return start + life * 5 * 60; - if (life > MAXFIXED) - return start + lifetimes[NLIFETIMES - 1]; - return start + lifetimes[life - MINFIXED]; -#else /* SHORT_LIFETIME */ - return start + life * 5 * 60; -#endif /* SHORT_LIFETIME */ + return k5internals.krb_life_to_time(start, life); } /* @@ -123,27 +53,10 @@ krb_life_to_time(KRB4_32 start, int life) int KRB5_CALLCONV krb_time_to_life(KRB4_32 start, KRB4_32 end) { - KRB4_32 dt; -#ifndef SHORT_LIFETIME - int i; -#endif + krb5int_access k5internals; - dt = end - start; - if (dt <= 0) + if (krb5int_accessor(&k5internals, KRB5INT_ACCESS_VERSION) + || k5internals.krb_time_to_life == NULL) return 0; -#ifndef SHORT_LIFETIME - if (dt < lifetimes[0]) - return (dt + 5 * 60 - 1) / (5 * 60); - /* This depends on the array being ordered. */ - for (i = 0; i < NLIFETIMES; i++) { - if (lifetimes[i] >= dt) - return i + MINFIXED; - } - return MAXFIXED; -#else /* SHORT_LIFETIME */ - if (dt > 5 * 60 * 255) - return 255; - else - return (dt + 5 * 60 - 1) / (5 * 60); -#endif /* SHORT_LIFETIME */ + return k5internals.krb_time_to_life(start, end); } diff --git a/src/lib/krb4/mk_auth.c b/src/lib/krb4/mk_auth.c index 9159ce1..cf85ea2 100644 --- a/src/lib/krb4/mk_auth.c +++ b/src/lib/krb4/mk_auth.c @@ -230,7 +230,6 @@ krb_check_auth (buf, checksum, msg_data, session, schedule, laddr, faddr) return KFAILURE; cc = krb_rd_priv(buf->dat, (unsigned KRB4_32)buf->length, schedule, (C_Block *)session, faddr, laddr, msg_data); - memset(schedule, 0, sizeof(schedule)); if (cc) return cc; diff --git a/src/lib/krb4/mk_req.c b/src/lib/krb4/mk_req.c index 698d2c2..3066f43 100644 --- a/src/lib/krb4/mk_req.c +++ b/src/lib/krb4/mk_req.c @@ -114,7 +114,6 @@ krb_mk_req_creds_prealm(authent, creds, checksum, myrealm) + 1 + 1 + ticket->length) || ticket->length < 0 || ticket->length > 255) { authent->length = 0; - memset(creds->session, 0, sizeof(creds->session)); return KFAILURE; } @@ -150,7 +149,6 @@ krb_mk_req_creds_prealm(authent, creds, checksum, myrealm) myrealmlen = strlen(myrealm) + 1; if (sizeof(req_id->dat) / 8 < (pnamelen + pinstlen + myrealmlen + 4 + 1 + 4 + 7) / 8) { - memset(creds->session, 0, sizeof(creds->session)); return KFAILURE; } @@ -185,7 +183,6 @@ krb_mk_req_creds_prealm(authent, creds, checksum, myrealm) (long)req_id->length, key_s, &creds->session, 1); /* clean up */ memset(key_s, 0, sizeof(key_s)); - memset(creds->session, 0, sizeof(creds->session)); #endif /* NOENCRYPTION */ /* Copy it into the authenticator */ @@ -252,7 +249,9 @@ krb_mk_req(authent, service, instance, realm, checksum) if (retval != KSUCCESS) return retval; - return krb_mk_req_creds_prealm(authent, &creds, checksum, myrealm); + retval = krb_mk_req_creds_prealm(authent, &creds, checksum, myrealm); + memset(&creds.session, 0, sizeof(creds.session)); + return retval; } int KRB5_CALLCONV diff --git a/src/lib/krb4/password_to_key.c b/src/lib/krb4/password_to_key.c index 56b5f8e..c6e60d9 100644 --- a/src/lib/krb4/password_to_key.c +++ b/src/lib/krb4/password_to_key.c @@ -90,7 +90,7 @@ mit_passwd_to_key( des_string_to_key(passwd, key); } else { #if !(defined(_WIN32) || defined(USE_LOGIN_LIBRARY)) - des_read_password((des_cblock *)key, "Password: ", 0); + des_read_password((des_cblock *)key, "Password", 0); #else return (-1); #endif @@ -143,7 +143,7 @@ afs_passwd_to_key( afs_string_to_key(passwd, realm, key); } else { #if !(defined(_WIN32) || defined(USE_LOGIN_LIBRARY)) - des_read_password((des_cblock *)key, "Password: ", 0); + des_read_password((des_cblock *)key, "Password", 0); #else return (-1); #endif diff --git a/src/lib/krb4_32.def b/src/lib/krb4_32.def index d5a3c33..11814ce 100644 --- a/src/lib/krb4_32.def +++ b/src/lib/krb4_32.def @@ -54,3 +54,33 @@ EXPORTS ; kstream_destroy ; kstream_set_buffer_mode krb_in_tkt + +; Added to match exports from KfM + krb_change_password + decomp_ticket + krb_err_txt + ;krb_ad_tkt + krb_get_in_tkt + krb_get_in_tkt_creds + krb_get_pw_in_tkt_creds + ;krb_pw_tkt + k_isrealm + k_isinst + k_isname + kname_unparse + ;kuserok + krb_set_lifetime + krb_rd_req_int + krb_sendauth + ;tkt_string + krb_set_tkt_string + krb_get_num_cred + krb_get_nth_cred + krb_delete_cred + dest_all_tkts + krb_get_profile + ;FSp_krb_get_svc_in_tkt + ;FSp_put_svc_key + ;FSp_read_service_key + krb_time_to_life + krb_life_to_time diff --git a/src/lib/krb5/Makefile.in b/src/lib/krb5/Makefile.in index dc5c7b9..96efb56 100644 --- a/src/lib/krb5/Makefile.in +++ b/src/lib/krb5/Makefile.in @@ -130,8 +130,8 @@ install-unix:: install-libs # Makefile dependencies follow. This must be the last section in # the Makefile.in file # -krb5_libinit.so krb5_libinit.po $(OUTPRE)krb5_libinit.$(OBJEXT): krb5_libinit.c $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(BUILDTOP)/include/krb5_err.h $(BUILDTOP)/include/kv5m_err.h \ - $(BUILDTOP)/include/asn1_err.h $(BUILDTOP)/include/kdb5_err.h \ - krb5_libinit.h +krb5_libinit.so krb5_libinit.po $(OUTPRE)krb5_libinit.$(OBJEXT): krb5_libinit.c $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/krb5.h $(BUILDTOP)/include/krb5_err.h \ + $(BUILDTOP)/include/kv5m_err.h $(BUILDTOP)/include/asn1_err.h \ + $(BUILDTOP)/include/kdb5_err.h krb5_libinit.h diff --git a/src/lib/krb5/asn.1/ChangeLog b/src/lib/krb5/asn.1/ChangeLog index b1ff161..18e4c07 100644 --- a/src/lib/krb5/asn.1/ChangeLog +++ b/src/lib/krb5/asn.1/ChangeLog @@ -1,3 +1,103 @@ +2003-10-08 Tom Yu <tlyu@mit.edu> + + * asn1_k_encode.c (asn1_encode_krb_saved_safe_body): New function; + kludge to insert a raw pre-encoded KRB-SAFE-BODY. + + * asn1_k_encode.h (asn1_encode_krb_saved_safe_body): Add + prototype. + + * krb5_decode.c (decode_krb5_safe_with_body): New function; saves + a copy of the encoding of the KRB-SAFE-BODY to avoid problems + caused by re-encoding it during verification. + + * krb5_encode.c (encode_krb5_safe_with_body): New function; + re-encode a KRB-SAFE using a saved KRB-SAFE-BODY encoding, to + avoid trouble with re-encoding a KRB-SAFE-BODY. + +2003-07-22 Sam Hartman <hartmans@avalanche-breakdown.mit.edu> + + * asn1_k_decode.c (asn1_decode_etype_info2_entry_1_3): Decoder for + the broken 1.3 ASN.1 behavior for etype_info2; see bug 1681. + + * asn1_k_decode.h (asn1_decode_etype_info2): Add v1_3_behavior + flag for parsing the broken 1.3 behavior of using an octetString + instead of generalString + + * asn1_k_decode.c (asn1_decode_etype_info2_entry): Expect etype_info2 as generalstring not octetstring + +2003-06-20 Sam Hartman <hartmans@mit.edu> + + * asn1_k_decode.h (asn1_decode_etype_info2): Prototype. Also + deleted prototype for asn1_decode_etype_info_entry as that is not + used outside asn1_k_decode.c + + * krb5_decode.c (decode_krb5_etype_info2): Call etype_info2 decoder + + * asn1_k_decode.c (asn1_decode_etype_info_entry): Split out + etype_info2 and etype_info decoder so we ignore tag 2 in the + heimdal encoder + (asn1_decode_etype_info2): new function + +2003-05-23 Sam Hartman <hartmans@mit.edu> + + * asn1_k_decode.c (asn1_decode_etype_info_entry): Fix logic error + that incorrectly set up s2kparams.data + +2003-05-20 Ezra Peisach <epeisach@bu.edu> + + * asn1_k_encode.c (asn1_encode_krb_safe_body): Use + asn1_encode_unsigned_integer for sequence number. + + * asn1_k_decode.c (asn1_decode_krb_safe_body): Use + asn1_decode_seqnum to decode sequence number. + + +2003-05-18 Tom Yu <tlyu@mit.edu> + + * asn1_decode.c (asn1_decode_maybe_unsigned): New function; decode + negative 32-bit numbers into positive unsigned numbers for the + sake of backwards compatibility with old code. + + * asn1_decode.h: Add prototype for asn1_decode_maybe_unsigned. + + * asn1_k_decode.c (asn1_decode_seqnum): New function; wrapper + around asn1_decode_maybe_unsigned. + + * asn1_k_decode.h: Add prototype for asn1_decode_seqnum. + + * krb5_decode.c (decode_krb5_authenticator) + (decode_krb5_ap_rep_enc_part, decode_krb5_enc_priv_part): Sequence + numbers are now unsigned. Use asn1_decode_seqnum to handle + backwards compat with negative sequence numbers. + + * krb5_encode.c (encode_krb5_authenticator) + (encode_krb5_ap_rep_enc_part, encode_krb5_enc_priv_part): Sequence + numbers are now unsigned. + +2003-05-06 Sam Hartman <hartmans@mit.edu> + + * krb5_decode.c (decode_krb5_etype_info2): New function; currently + the same code as decode_krb5_etype_info. This means that we can + manage to accept s2kparams in etype_info which is wrong but + probably harmless. + + * asn1_k_decode.c (asn1_decode_etype_info_entry): Add etype_info2 + support + + * asn1_k_encode.c (asn1_encode_etype_info_entry): Add support for + etype-info2 + + * krb5_encode.c (encode_krb5_etype_info2): New function + +2003-04-15 Sam Hartman <hartmans@mit.edu> + + * krb5_encode.c (encode_krb5_setpw_req): new function + +2003-04-13 Ezra Peisach <epeisach@mit.edu> + + * asn1_k_decode.c (asn1_decode_kdc_req_body): Fix memory leak if + optional server field is lacking, + 2003-03-11 Ken Raeburn <raeburn@mit.edu> * asn1_get.c (asn1_get_tag): Deleted. diff --git a/src/lib/krb5/asn.1/Makefile.in b/src/lib/krb5/asn.1/Makefile.in index 6757046..8de97f0 100644 --- a/src/lib/krb5/asn.1/Makefile.in +++ b/src/lib/krb5/asn.1/Makefile.in @@ -61,61 +61,66 @@ clean-unix:: clean-libobjs # asn1_decode.so asn1_decode.po $(OUTPRE)asn1_decode.$(OBJEXT): asn1_decode.c asn1_decode.h \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - krbasn1.h asn1buf.h asn1_get.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h krbasn1.h asn1buf.h asn1_get.h asn1_k_decode.so asn1_k_decode.po $(OUTPRE)asn1_k_decode.$(OBJEXT): asn1_k_decode.c asn1_k_decode.h \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - krbasn1.h asn1buf.h asn1_decode.h asn1_get.h asn1_misc.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h krbasn1.h asn1buf.h asn1_decode.h \ + asn1_get.h asn1_misc.h asn1_encode.so asn1_encode.po $(OUTPRE)asn1_encode.$(OBJEXT): asn1_encode.c asn1_encode.h \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - krbasn1.h asn1buf.h asn1_make.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h krbasn1.h asn1buf.h asn1_make.h asn1_get.so asn1_get.po $(OUTPRE)asn1_get.$(OBJEXT): asn1_get.c asn1_get.h \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - krbasn1.h asn1buf.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h krbasn1.h asn1buf.h asn1_make.so asn1_make.po $(OUTPRE)asn1_make.$(OBJEXT): asn1_make.c asn1_make.h \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - krbasn1.h asn1buf.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h krbasn1.h asn1buf.h asn1buf.so asn1buf.po $(OUTPRE)asn1buf.$(OBJEXT): asn1buf.c asn1buf.h $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h krbasn1.h asn1_get.h + krbasn1.h asn1_get.h krb5_decode.so krb5_decode.po $(OUTPRE)krb5_decode.$(OBJEXT): krb5_decode.c $(BUILDTOP)/include/krb5.h \ $(COM_ERR_DEPS) krbasn1.h $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/profile.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - asn1_k_decode.h asn1buf.h asn1_decode.h asn1_get.h + $(SRCTOP)/include/krb5/kdb.h asn1_k_decode.h asn1buf.h \ + asn1_decode.h asn1_get.h krb5_encode.so krb5_encode.po $(OUTPRE)krb5_encode.$(OBJEXT): krb5_encode.c $(BUILDTOP)/include/krb5.h \ $(COM_ERR_DEPS) asn1_k_encode.h $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/profile.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - asn1buf.h krbasn1.h asn1_encode.h asn1_make.h + $(SRCTOP)/include/krb5/kdb.h asn1buf.h krbasn1.h asn1_encode.h \ + asn1_make.h asn1_k_encode.so asn1_k_encode.po $(OUTPRE)asn1_k_encode.$(OBJEXT): asn1_k_encode.c asn1_k_encode.h \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - asn1buf.h krbasn1.h asn1_make.h asn1_encode.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h asn1buf.h krbasn1.h asn1_make.h \ + asn1_encode.h asn1_misc.so asn1_misc.po $(OUTPRE)asn1_misc.$(OBJEXT): asn1_misc.c asn1_misc.h \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - krbasn1.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h krbasn1.h diff --git a/src/lib/krb5/asn.1/asn1_decode.c b/src/lib/krb5/asn.1/asn1_decode.c index 56904c5..6586320 100644 --- a/src/lib/krb5/asn.1/asn1_decode.c +++ b/src/lib/krb5/asn.1/asn1_decode.c @@ -1,7 +1,7 @@ /* * src/lib/krb5/asn.1/asn1_decode.c * - * Copyright 1994 by the Massachusetts Institute of Technology. + * Copyright 1994, 2003 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -106,6 +106,50 @@ asn1_error_code asn1_decode_unsigned_integer(asn1buf *buf, long unsigned int *va cleanup(); } +/* + * asn1_decode_maybe_unsigned + * + * This is needed because older releases of MIT krb5 have signed + * sequence numbers. We want to accept both signed and unsigned + * sequence numbers, in the range -2^31..2^32-1, mapping negative + * numbers into their positive equivalents in the same way that C's + * normal integer conversions do, i.e., would preserve bits on a + * two's-complement architecture. + */ +asn1_error_code asn1_decode_maybe_unsigned(asn1buf *buf, unsigned long *val) +{ + setup(); + asn1_octet o; + unsigned long n, bitsremain; + unsigned int i; + + tag(ASN1_INTEGER); + o = 0; + n = 0; + bitsremain = ~0UL; + for (i = 0; i < length; i++) { + /* Accounts for u_long width not being a multiple of 8. */ + if (bitsremain < 0xff) return ASN1_OVERFLOW; + retval = asn1buf_remove_octet(buf, &o); + if (retval) return retval; + if (bitsremain == ~0UL) { + if (i == 0) + n = (o & 0x80) ? ~0UL : 0UL; /* grab sign bit */ + /* + * Skip leading zero or 0xFF octets to humor non-compliant encoders. + */ + if (n == 0 && o == 0) + continue; + if (n == ~0UL && o == 0xff) + continue; + } + n = (n << 8) | o; + bitsremain >>= 8; + } + *val = n; + cleanup(); +} + asn1_error_code asn1_decode_oid(asn1buf *buf, unsigned int *retlen, asn1_octet **val) { setup(); diff --git a/src/lib/krb5/asn.1/asn1_decode.h b/src/lib/krb5/asn.1/asn1_decode.h index 449a589..cafbf3f 100644 --- a/src/lib/krb5/asn.1/asn1_decode.h +++ b/src/lib/krb5/asn.1/asn1_decode.h @@ -62,6 +62,8 @@ asn1_error_code asn1_decode_integer (asn1buf *buf, long *val); asn1_error_code asn1_decode_unsigned_integer (asn1buf *buf, unsigned long *val); +asn1_error_code asn1_decode_maybe_unsigned + (asn1buf *buf, unsigned long *val); asn1_error_code asn1_decode_null (asn1buf *buf); diff --git a/src/lib/krb5/asn.1/asn1_k_decode.c b/src/lib/krb5/asn.1/asn1_k_decode.c index c64ebb8..3ffb701 100644 --- a/src/lib/krb5/asn.1/asn1_k_decode.c +++ b/src/lib/krb5/asn.1/asn1_k_decode.c @@ -320,6 +320,17 @@ integer_convert(asn1_decode_authdatatype,krb5_authdatatype) unsigned_integer_convert(asn1_decode_ui_2,krb5_ui_2) unsigned_integer_convert(asn1_decode_ui_4,krb5_ui_4) +asn1_error_code asn1_decode_seqnum(asn1buf *buf, krb5_ui_4 *val) +{ + asn1_error_code retval; + unsigned long n; + + retval = asn1_decode_maybe_unsigned(buf, &n); + if (retval) return retval; + *val = (krb5_ui_4)n & 0xffffffff; + return 0; +} + asn1_error_code asn1_decode_msgtype(asn1buf *buf, krb5_msgtype *val) { asn1_error_code retval; @@ -541,7 +552,9 @@ asn1_error_code asn1_decode_kdc_req(asn1buf *buf, krb5_kdc_req *val) asn1_error_code asn1_decode_kdc_req_body(asn1buf *buf, krb5_kdc_req *val) { setup(); - { begin_structure(); + { + krb5_principal psave; + begin_structure(); get_field(val->kdc_options,0,asn1_decode_kdc_options); if(tagnum == 1){ alloc_field(val->client,krb5_principal_data); } opt_field(val->client,1,asn1_decode_principal_name,NULL); @@ -550,7 +563,19 @@ asn1_error_code asn1_decode_kdc_req_body(asn1buf *buf, krb5_kdc_req *val) if(val->client != NULL){ retval = asn1_krb5_realm_copy(val->client,val->server); if(retval) return retval; } + + /* If opt_field server is missing, memory reference to server is + lost and results in memory leak */ + psave = val->server; opt_field(val->server,3,asn1_decode_principal_name,NULL); + if(val->server == NULL){ + if(psave->realm.data) { + free(psave->realm.data); + psave->realm.data = NULL; + psave->realm.length=0; + } + free(psave); + } opt_field(val->from,4,asn1_decode_kerberos_time,0); get_field(val->till,5,asn1_decode_kerberos_time); opt_field(val->rtime,6,asn1_decode_kerberos_time,0); @@ -580,7 +605,7 @@ asn1_error_code asn1_decode_krb_safe_body(asn1buf *buf, krb5_safe *val) get_lenfield(val->user_data.length,val->user_data.data,0,asn1_decode_charstring); opt_field(val->timestamp,1,asn1_decode_kerberos_time,0); opt_field(val->usec,2,asn1_decode_int32,0); - opt_field(val->seq_number,3,asn1_decode_int32,0); + opt_field(val->seq_number,3,asn1_decode_seqnum,0); alloc_field(val->s_address,krb5_address); get_field(*(val->s_address),4,asn1_decode_host_address); if(tagnum == 5){ @@ -782,7 +807,33 @@ asn1_error_code asn1_decode_sequence_of_checksum(asn1buf *buf, krb5_checksum *** decode_array_body(krb5_checksum, asn1_decode_checksum); } -asn1_error_code asn1_decode_etype_info_entry(asn1buf *buf, krb5_etype_info_entry *val) +static asn1_error_code asn1_decode_etype_info2_entry(asn1buf *buf, krb5_etype_info_entry *val ) +{ + setup(); + { begin_structure(); + get_field(val->etype,0,asn1_decode_enctype); + if (tagnum == 1) { + get_lenfield(val->length,val->salt,1,asn1_decode_generalstring); + } else { + val->length = KRB5_ETYPE_NO_SALT; + val->salt = 0; + } + if ( tagnum ==2) { + krb5_octet *params ; + get_lenfield( val->s2kparams.length, params, + 2, asn1_decode_octetstring); + val->s2kparams.data = ( char *) params; + } else { + val->s2kparams.data = NULL; + val->s2kparams.length = 0; + } + end_structure(); + val->magic = KV5M_ETYPE_INFO_ENTRY; + } + cleanup(); +} + +static asn1_error_code asn1_decode_etype_info2_entry_1_3(asn1buf *buf, krb5_etype_info_entry *val ) { setup(); { begin_structure(); @@ -793,17 +844,59 @@ asn1_error_code asn1_decode_etype_info_entry(asn1buf *buf, krb5_etype_info_entry val->length = KRB5_ETYPE_NO_SALT; val->salt = 0; } + if ( tagnum ==2) { + krb5_octet *params ; + get_lenfield( val->s2kparams.length, params, + 2, asn1_decode_octetstring); + val->s2kparams.data = ( char *) params; + } else { + val->s2kparams.data = NULL; + val->s2kparams.length = 0; + } end_structure(); val->magic = KV5M_ETYPE_INFO_ENTRY; } cleanup(); } -asn1_error_code asn1_decode_etype_info(asn1buf *buf, krb5_etype_info_entry ***val) + +static asn1_error_code asn1_decode_etype_info_entry(asn1buf *buf, krb5_etype_info_entry *val ) +{ + setup(); + { begin_structure(); + get_field(val->etype,0,asn1_decode_enctype); + if (tagnum == 1) { + get_lenfield(val->length,val->salt,1,asn1_decode_octetstring); + } else { + val->length = KRB5_ETYPE_NO_SALT; + val->salt = 0; + } + val->s2kparams.data = NULL; + val->s2kparams.length = 0; + + end_structure(); + val->magic = KV5M_ETYPE_INFO_ENTRY; + } + cleanup(); +} + +asn1_error_code asn1_decode_etype_info(asn1buf *buf, krb5_etype_info_entry ***val ) { decode_array_body(krb5_etype_info_entry,asn1_decode_etype_info_entry); } +asn1_error_code asn1_decode_etype_info2(asn1buf *buf, krb5_etype_info_entry ***val , + krb5_boolean v1_3_behavior) +{ + if (v1_3_behavior) { + decode_array_body(krb5_etype_info_entry, + asn1_decode_etype_info2_entry_1_3); + } else { + decode_array_body(krb5_etype_info_entry, + asn1_decode_etype_info2_entry); + } +} + asn1_error_code asn1_decode_passwdsequence(asn1buf *buf, passwd_phrase_element *val) { setup(); diff --git a/src/lib/krb5/asn.1/asn1_k_decode.h b/src/lib/krb5/asn.1/asn1_k_decode.h index 8f8b0bc..1852e76 100644 --- a/src/lib/krb5/asn.1/asn1_k_decode.h +++ b/src/lib/krb5/asn.1/asn1_k_decode.h @@ -89,6 +89,8 @@ asn1_error_code asn1_decode_ui_2 (asn1buf *buf, krb5_ui_2 *val); asn1_error_code asn1_decode_ui_4 (asn1buf *buf, krb5_ui_4 *val); +asn1_error_code asn1_decode_seqnum + (asn1buf *buf, krb5_ui_4 *val); asn1_error_code asn1_decode_kerberos_time (asn1buf *buf, krb5_timestamp *val); asn1_error_code asn1_decode_sam_flags @@ -185,6 +187,8 @@ asn1_error_code asn1_decode_sequence_of_passwdsequence asn1_error_code asn1_decode_etype_info (asn1buf *buf, krb5_etype_info_entry ***val); +asn1_error_code asn1_decode_etype_info2 + (asn1buf *buf, krb5_etype_info_entry ***val, krb5_boolean v1_3_behavior); #endif diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c index 9226f7c..00cfab0 100644 --- a/src/lib/krb5/asn.1/asn1_k_encode.c +++ b/src/lib/krb5/asn.1/asn1_k_encode.c @@ -27,6 +27,7 @@ #include "asn1_k_encode.h" #include "asn1_make.h" #include "asn1_encode.h" +#include <assert.h> /**** asn1 macros ****/ #if 0 @@ -643,7 +644,7 @@ asn1_error_code asn1_encode_krb_safe_body(asn1buf *buf, const krb5_safe *val, un asn1_addfield(val->r_address,5,asn1_encode_host_address); asn1_addfield(val->s_address,4,asn1_encode_host_address); if(val->seq_number) - asn1_addfield(val->seq_number,3,asn1_encode_integer); + asn1_addfield(val->seq_number,3,asn1_encode_unsigned_integer); if(val->timestamp){ asn1_addfield(val->usec,2,asn1_encode_integer); asn1_addfield(val->timestamp,1,asn1_encode_kerberos_time); @@ -708,24 +709,33 @@ asn1_error_code asn1_encode_krb_cred_info(asn1buf *buf, const krb5_cred_info *va asn1_cleanup(); } -asn1_error_code asn1_encode_etype_info_entry(asn1buf *buf, const krb5_etype_info_entry *val, unsigned int *retlen) +asn1_error_code asn1_encode_etype_info_entry(asn1buf *buf, const krb5_etype_info_entry *val, + unsigned int *retlen, int etype_info2) { asn1_setup(); + assert(val->s2kparams.data == NULL || etype_info2); if(val == NULL || (val->length > 0 && val->length != KRB5_ETYPE_NO_SALT && val->salt == NULL)) return ASN1_MISSING_FIELD; - - if (val->length >= 0 && val->length != KRB5_ETYPE_NO_SALT) + if(val->s2kparams.data != NULL) + asn1_addlenfield(val->s2kparams.length, val->s2kparams.data, 2, + asn1_encode_octetstring); + if (val->length >= 0 && val->length != KRB5_ETYPE_NO_SALT){ + if (etype_info2) asn1_addlenfield(val->length,val->salt,1, - asn1_encode_octetstring); - asn1_addfield(val->etype,0,asn1_encode_integer); + asn1_encode_generalstring) + else asn1_addlenfield(val->length,val->salt,1, + asn1_encode_octetstring); + } +asn1_addfield(val->etype,0,asn1_encode_integer); asn1_makeseq(); asn1_cleanup(); } -asn1_error_code asn1_encode_etype_info(asn1buf *buf, const krb5_etype_info_entry **val, unsigned int *retlen) +asn1_error_code asn1_encode_etype_info(asn1buf *buf, const krb5_etype_info_entry **val, + unsigned int *retlen, int etype_info2) { asn1_setup(); int i; @@ -734,7 +744,7 @@ asn1_error_code asn1_encode_etype_info(asn1buf *buf, const krb5_etype_info_entry for(i=0; val[i] != NULL; i++); /* get to the end of the array */ for(i--; i>=0; i--){ - retval = asn1_encode_etype_info_entry(buf,val[i],&length); + retval = asn1_encode_etype_info_entry(buf,val[i],&length, etype_info2); if(retval) return retval; sum += length; } @@ -932,3 +942,20 @@ asn1_error_code asn1_encode_predicted_sam_response(asn1buf *buf, const krb5_pred asn1_cleanup(); } + +/* + * Do some ugliness to insert a raw pre-encoded KRB-SAFE-BODY. + */ +asn1_error_code asn1_encode_krb_saved_safe_body(asn1buf *buf, const krb5_data *body, unsigned int *retlen) +{ + asn1_error_code retval; + + retval = asn1buf_insert_octetstring(buf, body->length, + (krb5_octet *)body->data); + if (retval){ + asn1buf_destroy(&buf); + return retval; + } + *retlen = body->length; + return 0; +} diff --git a/src/lib/krb5/asn.1/asn1_k_encode.h b/src/lib/krb5/asn.1/asn1_k_encode.h index 5914e09..caa46c5 100644 --- a/src/lib/krb5/asn.1/asn1_k_encode.h +++ b/src/lib/krb5/asn.1/asn1_k_encode.h @@ -219,11 +219,11 @@ asn1_error_code asn1_encode_alt_method asn1_error_code asn1_encode_etype_info_entry (asn1buf *buf, const krb5_etype_info_entry *val, - unsigned int *retlen); + unsigned int *retlen, int etype_info2); asn1_error_code asn1_encode_etype_info (asn1buf *buf, const krb5_etype_info_entry **val, - unsigned int *retlen); + unsigned int *retlen, int etype_info2); asn1_error_code asn1_encode_passwdsequence (asn1buf *buf, const passwd_phrase_element *val, unsigned int *retlen); @@ -266,4 +266,7 @@ asn1_error_code asn1_encode_predicted_sam_response (asn1buf *buf, const krb5_predicted_sam_response *val, unsigned int *retlen); +asn1_error_code asn1_encode_krb_saved_safe_body + (asn1buf *buf, const krb5_data *body, unsigned int *retlen); + #endif diff --git a/src/lib/krb5/asn.1/krb5_decode.c b/src/lib/krb5/asn.1/krb5_decode.c index 03a3029..596997f 100644 --- a/src/lib/krb5/asn.1/krb5_decode.c +++ b/src/lib/krb5/asn.1/krb5_decode.c @@ -90,6 +90,7 @@ if((var) == NULL) clean_return(ENOMEM) construction = t2.construction; \ tagnum = t2.tagnum; \ indef = t2.indef; \ + taglen = t2.length; \ } #define get_eoc() \ @@ -107,6 +108,7 @@ if((var) == NULL) clean_return(ENOMEM) /* decode sequence header and initialize tagnum with the first field */ #define begin_structure()\ +unsigned int taglen;\ asn1buf subbuf;\ int seqindef;\ int indef;\ @@ -219,7 +221,7 @@ krb5_error_code decode_krb5_authenticator(const krb5_data *code, krb5_authentica get_field((*rep)->ctime,5,asn1_decode_kerberos_time); if(tagnum == 6){ alloc_field((*rep)->subkey,krb5_keyblock); } opt_field(*((*rep)->subkey),6,asn1_decode_encryption_key); - opt_field((*rep)->seq_number,7,asn1_decode_int32); + opt_field((*rep)->seq_number,7,asn1_decode_seqnum); opt_field((*rep)->authorization_data,8,asn1_decode_authorization_data); (*rep)->magic = KV5M_AUTHENTICATOR; end_structure(); @@ -440,7 +442,7 @@ krb5_error_code decode_krb5_ap_rep_enc_part(const krb5_data *code, krb5_ap_rep_e get_field((*rep)->cusec,1,asn1_decode_int32); if(tagnum == 2){ alloc_field((*rep)->subkey,krb5_keyblock); } opt_field(*((*rep)->subkey),2,asn1_decode_encryption_key); - opt_field((*rep)->seq_number,3,asn1_decode_int32); + opt_field((*rep)->seq_number,3,asn1_decode_seqnum); end_structure(); (*rep)->magic = KV5M_AP_REP_ENC_PART; } @@ -494,8 +496,26 @@ krb5_error_code decode_krb5_kdc_req_body(const krb5_data *code, krb5_kdc_req **r cleanup(free); } -krb5_error_code decode_krb5_safe(const krb5_data *code, krb5_safe **rep) +/* + * decode_krb5_safe_with_body + * + * Like decode_krb5_safe(), but grabs the encoding of the + * KRB-SAFE-BODY as well, in case re-encoding would produce a + * different encoding. (Yes, we're using DER, but there's this + * annoying problem with pre-1.3.x code using signed sequence numbers, + * which we permissively decode and cram into unsigned 32-bit numbers. + * When they're re-encoded, they're no longer negative if they started + * out negative, so checksum verification fails.) + * + * This does *not* perform any copying; the returned pointer to the + * encoded KRB-SAFE-BODY points into the input buffer. + */ +krb5_error_code decode_krb5_safe_with_body( + const krb5_data *code, + krb5_safe **rep, + krb5_data *body) { + krb5_data tmpbody; setup(); alloc_field(*rep,krb5_safe); clear_field(rep,checksum); @@ -511,12 +531,26 @@ krb5_error_code decode_krb5_safe(const krb5_data *code, krb5_safe **rep) if(msg_type != KRB5_SAFE) clean_return(KRB5_BADMSGTYPE); #endif } + /* + * Gross kludge to extract pointer to encoded safe-body. Relies + * on tag prefetch done by next_tag(). Don't handle indefinite + * encoding, as it's too much work. + */ + if (!indef) { + tmpbody.length = taglen; + tmpbody.data = subbuf.next; + } else { + tmpbody.length = 0; + tmpbody.data = NULL; + } get_field(**rep,2,asn1_decode_krb_safe_body); alloc_field((*rep)->checksum,krb5_checksum); get_field(*((*rep)->checksum),3,asn1_decode_checksum); (*rep)->magic = KV5M_SAFE; end_structure(); } + if (body != NULL) + *body = tmpbody; cleanup_manual(); error_out: if (rep && *rep) { @@ -526,6 +560,11 @@ error_out: return retval; } +krb5_error_code decode_krb5_safe(const krb5_data *code, krb5_safe **rep) +{ + return decode_krb5_safe_with_body(code, rep, NULL); +} + krb5_error_code decode_krb5_priv(const krb5_data *code, krb5_priv **rep) { setup(); @@ -561,7 +600,7 @@ krb5_error_code decode_krb5_enc_priv_part(const krb5_data *code, krb5_priv_enc_p get_lenfield((*rep)->user_data.length,(*rep)->user_data.data,0,asn1_decode_charstring); opt_field((*rep)->timestamp,1,asn1_decode_kerberos_time); opt_field((*rep)->usec,2,asn1_decode_int32); - opt_field((*rep)->seq_number,3,asn1_decode_int32); + opt_field((*rep)->seq_number,3,asn1_decode_seqnum); alloc_field((*rep)->s_address,krb5_address); get_field(*((*rep)->s_address),4,asn1_decode_host_address); if(tagnum == 5){ alloc_field((*rep)->r_address,krb5_address); } @@ -744,6 +783,21 @@ krb5_error_code decode_krb5_etype_info(const krb5_data *code, krb5_etype_info_en cleanup_none(); /* we're not allocating anything here */ } +krb5_error_code decode_krb5_etype_info2(const krb5_data *code, krb5_etype_info_entry ***rep) +{ + setup_buf_only(); + *rep = 0; + retval = asn1_decode_etype_info2(&buf,rep, 0); + if (retval == ASN1_BAD_ID) { + retval = asn1buf_wrap_data(&buf,code); + if(retval) clean_return(retval); + retval = asn1_decode_etype_info2(&buf, rep, 1); + } + if(retval) clean_return(retval); + cleanup_none(); /* we're not allocating anything here */ +} + + krb5_error_code decode_krb5_enc_data(const krb5_data *code, krb5_enc_data **rep) { setup_buf_only(); diff --git a/src/lib/krb5/asn.1/krb5_encode.c b/src/lib/krb5/asn.1/krb5_encode.c index 2a4f7bb..ecdfa18 100644 --- a/src/lib/krb5/asn.1/krb5_encode.c +++ b/src/lib/krb5/asn.1/krb5_encode.c @@ -166,7 +166,7 @@ krb5_error_code encode_krb5_authenticator(const krb5_authenticator *rep, krb5_da /* seq-number[7] INTEGER OPTIONAL */ if(rep->seq_number != 0) - krb5_addfield(rep->seq_number,7,asn1_encode_integer); + krb5_addfield(rep->seq_number,7,asn1_encode_unsigned_integer); /* subkey[6] EncryptionKey OPTIONAL */ if(rep->subkey != NULL) @@ -305,6 +305,7 @@ krb5_error_code encode_krb5_enc_kdc_rep_part(const krb5_enc_kdc_rep_part *rep, k #ifdef KRB5_ENCKRB5KDCREPPART_COMPAT krb5_apptag(26); #else + /* XXX WRONG!!! Should use 25 || 26, not the outer KDC_REP tags! */ if (rep->msg_type == KRB5_AS_REP) { krb5_apptag(ASN1_KRB_AS_REP); } else if (rep->msg_type == KRB5_TGS_REP) { krb5_apptag(ASN1_KRB_TGS_REP); } else return KRB5_BADMSGTYPE; @@ -395,7 +396,7 @@ krb5_error_code encode_krb5_ap_rep_enc_part(const krb5_ap_rep_enc_part *rep, krb /* seq-number[3] INTEGER OPTIONAL */ if(rep->seq_number) - krb5_addfield(rep->seq_number,3,asn1_encode_integer); + krb5_addfield(rep->seq_number,3,asn1_encode_unsigned_integer); /* subkey[2] EncryptionKey OPTIONAL */ if(rep->subkey != NULL) @@ -477,6 +478,43 @@ krb5_error_code encode_krb5_safe(const krb5_safe *rep, krb5_data **code) krb5_cleanup(); } +/* + * encode_krb5_safe_with_body + * + * Like encode_krb5_safe(), except takes a saved KRB-SAFE-BODY + * encoding to avoid problems with re-encoding. + */ +krb5_error_code encode_krb5_safe_with_body( + const krb5_safe *rep, + const krb5_data *body, + krb5_data **code) +{ + krb5_setup(); + + if (body == NULL) { + asn1buf_destroy(&buf); + return ASN1_MISSING_FIELD; + } + + /* cksum[3] Checksum */ + krb5_addfield(rep->checksum,3,asn1_encode_checksum); + + /* safe-body[2] KRB-SAFE-BODY */ + krb5_addfield(body,2,asn1_encode_krb_saved_safe_body); + + /* msg-type[1] INTEGER */ + krb5_addfield(ASN1_KRB_SAFE,1,asn1_encode_integer); + + /* pvno[0] INTEGER */ + krb5_addfield(KVNO,0,asn1_encode_integer); + + /* KRB-SAFE ::= [APPLICATION 20] SEQUENCE */ + krb5_makeseq(); + krb5_apptag(20); + + krb5_cleanup(); +} + krb5_error_code encode_krb5_priv(const krb5_priv *rep, krb5_data **code) { krb5_setup(); @@ -510,7 +548,7 @@ krb5_error_code encode_krb5_enc_priv_part(const krb5_priv_enc_part *rep, krb5_da /* seq-number[3] INTEGER OPTIONAL */ if(rep->seq_number) - krb5_addfield(rep->seq_number,3,asn1_encode_integer); + krb5_addfield(rep->seq_number,3,asn1_encode_unsigned_integer); /* usec[2] INTEGER OPTIONAL */ if(rep->timestamp){ @@ -678,11 +716,21 @@ krb5_error_code encode_krb5_alt_method(const krb5_alt_method *rep, krb5_data **c krb5_error_code encode_krb5_etype_info(const krb5_etype_info_entry **rep, krb5_data **code) { krb5_setup(); - retval = asn1_encode_etype_info(buf,rep,&length); + retval = asn1_encode_etype_info(buf,rep,&length, 0); + if(retval) return retval; + sum += length; + krb5_cleanup(); +} + +krb5_error_code encode_krb5_etype_info2(const krb5_etype_info_entry **rep, krb5_data **code) +{ + krb5_setup(); + retval = asn1_encode_etype_info(buf,rep,&length, 1); if(retval) return retval; sum += length; krb5_cleanup(); } + krb5_error_code encode_krb5_enc_data(const krb5_enc_data *rep, krb5_data **code) { @@ -822,3 +870,20 @@ krb5_error_code encode_krb5_predicted_sam_response(const krb5_predicted_sam_resp sum += length; krb5_cleanup(); } + +krb5_error_code encode_krb5_setpw_req(const krb5_principal target, + char *password, krb5_data **code) +{ + /* Macros really want us to have a variable called rep which we do not need*/ + const char *rep = "dummy string"; + + krb5_setup(); + + krb5_addfield(target,2,asn1_encode_realm); + krb5_addfield(target,1,asn1_encode_principal_name); + krb5_addlenfield(strlen(password), password,0,asn1_encode_octetstring); + krb5_makeseq(); + + + krb5_cleanup(); +} diff --git a/src/lib/krb5/ccache/ChangeLog b/src/lib/krb5/ccache/ChangeLog index 0b44b4d..18e15ab 100644 --- a/src/lib/krb5/ccache/ChangeLog +++ b/src/lib/krb5/ccache/ChangeLog @@ -1,3 +1,212 @@ +2004-05-15 Jeffrey Altman <jaltman@mit.edu> + + * cc_mslsa.c: The FAILED() macro only considered an error + to be a failure if the value is negative. ConstructTicketRequest() + returns positive errors. Do not use FAILED() to test the result. + Fix a potential leak of LSA allocated memory. Fix a leak of + LocalAlloc memory. + +2004-04-13 Jeffrey Altman <jaltman@mit.edu> + + * ccbase.c: + Since we have to reserve all the single letter + prefixes make them apply to all platforms + +2004-04-13 Jeffrey Altman <jaltman@mit.edu> + + * ccbase.c: + On Windows, if there is a ccache name provided without + a prefix but which appears to start with a drive letter, + treat it as a FILE: ccache instead of failing with a + ccache type unknown error. + +2004-04-06 Jeffrey Altman <jaltman@mit.edu> + + * cc_mslsa.c: + In at least one case on Win2003 it appears that it is possible + for the logon session to be authenticated via NTLM and yet for + there to be Kerberos credentials obtained by the LSA on behalf + of the logged in user. Therefore, we are removing the test + for IsKerberosLogon() within krb5_lcc_resolve() + which was meant to avoid the need to perform GetMSTGT() when + there was no possibility of credentials being found. + +2004-03-31 Jeffrey Altman <jaltman@mit.edu> + + * cc_mslsa.c: Add IsWindows2000() function and use it to return + errors whenever the MSLSA: ccache type is used on platforms + older than Windows 2000. This is needed to prevent calls to + the functions loaded from ADVAPI32.DLL and SECUR32.DLL which + do not exist on the Windows 9x platforms. + +2004-03-18 Jeffrey Altman <jaltman@mit.edu> + + * cc_mslsa.c: + Add missing return statements in krb5_lcc_start_seq_get() + + Return error if principal name cannot be determined during + krb5_lcc_resolve() + + * cc-int.h: + New file - Add prototypes for cc internal functions + + * cc_retr.c - include cc-int.h + +2004-02-04 Jeffrey Altman <jaltman@mit.edu> + + * cc_mslsa.c: + Remove reference to <ntstatus.h> as it is not present in the August 2001 + Platform SDK used by Pismere. Instead copy the error value. + +2004-02-02 Jeffrey Altman <jaltman@mit.edu> + + * cc_msla.c: + GetMSCacheTicketFromCacheInfo() uses the tktinfo->TicketFlags as the + value to assign to TicketRequest->TicketFlags. This field is blindly + inserted into the kdc-options[0] field of the TGS_REQ. If there are + bits such as TRANSIT_POLICY_CHECKED in the TicketFlags, this will result + in an unknown TGS_OPTION being processed by the KDC. + + This has been fixed by mapping the Ticket Flags to KDC options. + We only map Forwardable, Forwarded, Proxiable, and Renewable. The others + should not be used. + +2004-02-02 Jeffrey Altman <jaltman@mit.edu> + + * cc_mslsa.c: the MSLSA code was crashing on Pismere machines when + logging on with cross realm credentials. On these machines there are + 8 tickets within the LSA cache from two different realms. One of the + krbtgt/CLIENT-REALM@CLIENT-REALM tickets (not the Initial ticket but + a Forwarded ticket) is inaccessible to the ms2mit.exe and leash32.exe + processes. The attempt to access the ticket returns a SubStatus code + of STATUS_LOGON_FAILURE (0xC000006DL) which is supposed to mean that + the logon attempt was invalid due to bad authentication information. + kerbtray has no problem listing this ticket. The other seven tickets + in the cache including the Initial Ticket are accessible. Modified + krb5_lcc_next_cred() to skip to the next ticket if an attempt to read + a single ticket fails. + +2004-01-31 Jeffrey Altman <jaltman@mit.edu> + + * cc_mslsa.c: Optimize the get next logic by storing a handle to + the MS TGT in the lcc_cursor data structure + +2004-01-31 Jeffrey Altman <jaltman@mit.edu> + + * cc_mslsa.c: Do not return tickets to the caller if they contain + NULL session keys. This is to prevent useless TGTs from being + placed into the MIT credential cache. + +2004-01-30 Jeffrey Altman <jaltman@mit.edu> + + * cc_mslsa.c: As per extensive conversations with Doug Engert we have + concluded that MS is not specifying a complete set of domain information + when it comes to service tickets other than the initial TGT. What happens + is the client principal domain cannot be derived from the fields they + export. Code has now been added to obtain the domain from the initial + TGT and use that when constructing the client principals for all tickets. + + This behavior can be turned off by setting a registry either on a per-user + or a system-wide basis: + + {HKCU,HKLM}\Software\MIT\Kerberos5 + PreserveInitialTicketIdentity = 0x0 (DWORD) + + +2004-01-06 Jeffrey Altman <jaltman@mit.edu> + + * cc_file.c, cc_memory.c: + Add stub implementations for unimplemented krb5_cc_remove_cred() + Returns KRB5_CC_NOSUPP + + * cc_mslsa.c: + Add implementation for krb5_cc_remove_cred(). Returns KRB5_CC_READONLY. + +2003-12-18 Jeffrey Altman <jaltman@mit.edu> + + * cc_retr.c: Extract the test to determine if a credential matches + a requested credential according to the specified fields into + a private function: krb5int_cc_creds_match_request() + + * cc_mslsa.c: Extend the functionality of krb5_lcc_retrieve() to + perform a MS Kerberos LSA ticket request if there is no matching + credential in the cache. The MS Kerberos LSA places the following + restriction on what tickets it will place into the LSA cache: + tickets obtained by an application request for a specific + set of kerberos flags or enctype will not be cached. + Therefore, we first make a request with no flags or enctype in + the hope that we will be lucky and get the right ones anyway. + If not, we make the application's request and return that ticket + if it matches the other criteria. + + Implemented a similar technique for krb5_lcc_store(). Since we + can not write to the cache, when a store request is made we + instead perform a ticket request through the lsa for a matching + credential. If we receive one, we return success. Otherwise, + we return the KRB5_CC_READONLY error. + + With these changes I am now able to operate entirely with the MSLSA + ccache as the default cache provided the MS LSA credentials are + for the principal I wish to use. Obviously, one cannot change + principals while the MSLSA ccache is the default. + +2003-12-15 Jeffrey Altman <jaltman@mit.edu> + + * cc_msla.c: Enable purging of the MS Kerberos LSA cache when the TGT + has expired. This will force the LSA to get a new TGT instead of + returning the expired version. + +2003-12-15 Jeffrey Altman <jaltman@mit.edu> + + * cc_mslsa.c: Perform a GetMSTGT() call as part of krb5_lcc_start_seq_get + to ensure that the tgt is refreshed + +2003-12-13 Jeffrey Altman <jaltman@mit.edu> + + * Makefile.in: Remove extranenous spaces in ##WIN32## constructs + defining MSLSA_SRC MSLSA_OBJ + +2003-12-12 Tom Yu <tlyu@mit.edu> + + * Makefile.in: Move ##WIN32## constructs from inside + backslash-continued lists, as it was breaking them. Move explicit + dependency information from under automatic dependencies. + +2003-12-11 Jeffrey Altman <jaltman@mit.edu> + + * Makefile.in, ccbase.c, cc_mslsa.c (new) + + Remove all of the code which was duplicated between ms2mit.c + and the KfW Leash libraries (and who knows how many applications + shipped by third parties) and use it as the basis for a new + krb5_ccache type, "MSLSA:". The "MSLSA:" ccache type is a + read-only ccache which can be used either as a monitor of the + contents of the Microsoft LSA cache or as a source for copying + the contents to another ccache type. The purpose of migrating + this code to the krb5_32.dll is to avoid the need for applications + to be consistently updated each time Microsoft makes a change + to the behavior of the LSA cache. Changes have occurred with + the release of 2000, XP, and 2003 so far. Also, the code for + working with the MS LSA cache is not well documented and many + mistakes were made in the original versions of the ms2mit.c + code base. Unfortunately, the ms2mit.c code has been copied + into many other applications. + + With access to this new ccache type, the ms2mit.c source file + is reduced from 890 lines to 80 lines including the copyright + banner. + +2003-11-26 Jeffrey Altman <jaltman@mit.edu> + + * cc_default.c: Add support for Leash Kinit Dialog on Windows to + krb5int_c_default() + +2003-07-22 Sam Hartman <hartmans@mit.edu> + + * ccbase.c: Always register the file credentials cache type. If + we do not, then when USE_CCAPI is defined, it will not be + available. + 2003-03-06 Alexandra Ellwood <lxs@mit.edu> * ccdefault.c: Remove Mac header goober and include diff --git a/src/lib/krb5/ccache/Makefile.in b/src/lib/krb5/ccache/Makefile.in index bbf61be..01e6544 100644 --- a/src/lib/krb5/ccache/Makefile.in +++ b/src/lib/krb5/ccache/Makefile.in @@ -17,6 +17,9 @@ LOCALINCLUDES = -I$(srcdir)$(S)ccapi $(WIN_INCLUDES) ##DOS##OBJFILE=..\$(OUTPRE)$(PREFIXDIR).lst ##WIN16##LIBNAME=..\krb5.lib +##WIN32##MSLSA_OBJ = $(OUTPRE)cc_mslsa.$(OBJEXT) +##WIN32##MSLSA_SRC = $(srcdir)/cc_mslsa.c + MAC_SUBDIRS = ccapi STLIBOBJS= \ @@ -37,7 +40,7 @@ OBJS= $(OUTPRE)ccbase.$(OBJEXT) \ $(OUTPRE)cc_file.$(OBJEXT) \ $(OUTPRE)cc_memory.$(OBJEXT) \ $(OUTPRE)ccfns.$(OBJEXT) \ - $(OUTPRE)ser_cc.$(OBJEXT) + $(OUTPRE)ser_cc.$(OBJEXT) $(MSLSA_OBJ) SRCS= $(srcdir)/ccbase.c \ $(srcdir)/cccopy.c \ @@ -47,7 +50,7 @@ SRCS= $(srcdir)/ccbase.c \ $(srcdir)/cc_file.c \ $(srcdir)/cc_memory.c \ $(srcdir)/ccfns.c \ - $(srcdir)/ser_cc.c + $(srcdir)/ser_cc.c $(MSLSA_SRC) ##DOS##OBJS=$(OBJS) $(OUTPRE)ccfns.$(OBJEXT) @@ -97,7 +100,7 @@ check-unix:: t_cc clean-unix:: $(RM) t_cc t_cc.o - +##WIN32## $(OUTPRE)cc_mslsa.$(OBJEXT): cc_mslsa.c $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) # @libobj_frag@ @@ -108,47 +111,49 @@ clean-unix:: # ccbase.so ccbase.po $(OUTPRE)ccbase.$(OBJEXT): ccbase.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + fcc.h cccopy.so cccopy.po $(OUTPRE)cccopy.$(OBJEXT): cccopy.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h ccdefault.so ccdefault.po $(OUTPRE)ccdefault.$(OBJEXT): ccdefault.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h ccdefops.so ccdefops.po $(OUTPRE)ccdefops.$(OBJEXT): ccdefops.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h fcc.h + fcc.h cc_retr.so cc_retr.po $(OUTPRE)cc_retr.$(OBJEXT): cc_retr.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h cc_file.so cc_file.po $(OUTPRE)cc_file.$(OBJEXT): cc_file.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h cc_memory.so cc_memory.po $(OUTPRE)cc_memory.$(OBJEXT): cc_memory.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h ccfns.so ccfns.po $(OUTPRE)ccfns.$(OBJEXT): ccfns.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h ser_cc.so ser_cc.po $(OUTPRE)ser_cc.$(OBJEXT): ser_cc.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h diff --git a/src/lib/krb5/ccache/cc-int.h b/src/lib/krb5/ccache/cc-int.h new file mode 100644 index 0000000..48ee4fb --- /dev/null +++ b/src/lib/krb5/ccache/cc-int.h @@ -0,0 +1,39 @@ +/* + * lib/krb5/ccache/file/cc-int.h + * + * Copyright 1990,1991 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * This file contains constant and function declarations used in the + * file-based credential cache routines. + */ + +#ifndef __KRB5_CCACHE_H__ +#define __KRB5_CCACHE_H__ + +#include "k5-int.h" + +krb5_boolean +krb5int_cc_creds_match_request(krb5_context, krb5_flags whichfields, krb5_creds *mcreds, krb5_creds *creds); + +#endif /* __KRB5_CCACHE_H__ */ diff --git a/src/lib/krb5/ccache/cc_file.c b/src/lib/krb5/ccache/cc_file.c index eb051c1..dff3038 100644 --- a/src/lib/krb5/ccache/cc_file.c +++ b/src/lib/krb5/ccache/cc_file.c @@ -2305,6 +2305,18 @@ lose: #undef TCHECK } +/* + * Non-functional stub implementation for krb5_fcc_remove + * + * Errors: + * KRB5_CC_NOSUPP - not implemented + */ +static krb5_error_code KRB5_CALLCONV +krb5_fcc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags, + krb5_creds *creds) +{ + return KRB5_CC_NOSUPP; +} /* * Requires: @@ -2413,7 +2425,7 @@ const krb5_cc_ops krb5_fcc_ops = { krb5_fcc_start_seq_get, krb5_fcc_next_cred, krb5_fcc_end_seq_get, - NULL, /* XXX krb5_fcc_remove, */ + krb5_fcc_remove_cred, krb5_fcc_set_flags, }; @@ -2473,6 +2485,6 @@ const krb5_cc_ops krb5_cc_file_ops = { krb5_fcc_start_seq_get, krb5_fcc_next_cred, krb5_fcc_end_seq_get, - NULL, /* XXX krb5_fcc_remove, */ + krb5_fcc_remove_cred, krb5_fcc_set_flags, }; diff --git a/src/lib/krb5/ccache/cc_memory.c b/src/lib/krb5/ccache/cc_memory.c index 97ec327..c3aeb1e 100644 --- a/src/lib/krb5/ccache/cc_memory.c +++ b/src/lib/krb5/ccache/cc_memory.c @@ -519,6 +519,20 @@ krb5_mcc_store(krb5_context context, krb5_ccache id, krb5_creds *creds) return ret; } +/* + * Non-functional stub implementation for krb5_mcc_remove + * + * Errors: + * KRB5_CC_NOSUPP - not implemented + */ +static krb5_error_code KRB5_CALLCONV +krb5_mcc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags, + krb5_creds *creds) +{ + return KRB5_CC_NOSUPP; +} + + /* * Requires: * id is a cred cache returned by krb5_mcc_resolve or @@ -553,6 +567,6 @@ const krb5_cc_ops krb5_mcc_ops = { krb5_mcc_start_seq_get, krb5_mcc_next_cred, krb5_mcc_end_seq_get, - NULL, /* XXX krb5_mcc_remove, */ + krb5_mcc_remove_cred, krb5_mcc_set_flags, }; diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c new file mode 100644 index 0000000..93a938d --- /dev/null +++ b/src/lib/krb5/ccache/cc_mslsa.c @@ -0,0 +1,1621 @@ +/* + * lib/krb5/ccache/cc_mslsa.c + * + * Copyright 2003 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * Copyright 2000 by Carnegie Mellon University + * + * All Rights Reserved + * + * Permission to use, copy, modify, and distribute this software and its + * documentation for any purpose and without fee is hereby granted, + * provided that the above copyright notice appear in all copies and that + * both that copyright notice and this permission notice appear in + * supporting documentation, and that the name of Carnegie Mellon + * University not be used in advertising or publicity pertaining to + * distribution of the software without specific, written prior + * permission. + * + * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO + * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND + * FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR + * ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT + * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * + * Implementation of read-only microsoft windows lsa credentials cache + */ + +#ifdef _WIN32 +#define UNICODE +#define _UNICODE + +#include "k5-int.h" +#include "com_err.h" +#include "cc-int.h" + +#include <stdio.h> +#include <errno.h> +#include <stdlib.h> +#include <conio.h> +#include <time.h> +#define SECURITY_WIN32 +#include <security.h> +#include <ntsecapi.h> + +#define MAX_MSG_SIZE 256 +#define MAX_MSPRINC_SIZE 1024 + +static BOOL IsWindows2000 (void) +{ + static BOOL fChecked = FALSE; + static BOOL fIsWin2K = FALSE; + + if (!fChecked) + { + OSVERSIONINFO Version; + fChecked = TRUE; + + memset (&Version, 0x00, sizeof(Version)); + Version.dwOSVersionInfoSize = sizeof(Version); + + if (GetVersionEx (&Version)) + { + if (Version.dwPlatformId == VER_PLATFORM_WIN32_NT && + Version.dwMajorVersion >= 5) + fIsWin2K = TRUE; + } + } + + return fIsWin2K; +} + +static VOID +ShowWinError(LPSTR szAPI, DWORD dwError) +{ + + // TODO - Write errors to event log so that scripts that don't + // check for errors will still get something in the event log + + WCHAR szMsgBuf[MAX_MSG_SIZE]; + DWORD dwRes; + + printf("Error calling function %s: %lu\n", szAPI, dwError); + + dwRes = FormatMessage ( + FORMAT_MESSAGE_FROM_SYSTEM, + NULL, + dwError, + MAKELANGID (LANG_ENGLISH, SUBLANG_ENGLISH_US), + szMsgBuf, + MAX_MSG_SIZE, + NULL); + if (0 == dwRes) { + printf("FormatMessage failed with %d\n", GetLastError()); + ExitProcess(EXIT_FAILURE); + } + + printf("%S",szMsgBuf); +} + +static VOID +ShowLsaError(LPSTR szAPI, NTSTATUS Status) +{ + // + // Convert the NTSTATUS to Winerror. Then call ShowWinError(). + // + ShowWinError(szAPI, LsaNtStatusToWinError(Status)); +} + + + +static BOOL +WINAPI +UnicodeToANSI(LPTSTR lpInputString, LPSTR lpszOutputString, int nOutStringLen) +{ + CPINFO CodePageInfo; + + GetCPInfo(CP_ACP, &CodePageInfo); + + if (CodePageInfo.MaxCharSize > 1) + // Only supporting non-Unicode strings + return FALSE; + else if (((LPBYTE) lpInputString)[1] == '\0') + { + // Looks like unicode, better translate it + WideCharToMultiByte(CP_ACP, 0, (LPCWSTR) lpInputString, -1, + lpszOutputString, nOutStringLen, NULL, NULL); + } + else + lstrcpyA(lpszOutputString, (LPSTR) lpInputString); + return TRUE; +} // UnicodeToANSI + +static VOID +WINAPI +ANSIToUnicode(LPSTR lpInputString, LPTSTR lpszOutputString, int nOutStringLen) +{ + + CPINFO CodePageInfo; + + lstrcpy(lpszOutputString, (LPTSTR) lpInputString); + + GetCPInfo(CP_ACP, &CodePageInfo); + + if (CodePageInfo.MaxCharSize > 1) + // It must already be a Unicode string + return; + else if (((LPBYTE) lpInputString)[1] != '\0') + { + // Looks like ANSI, better translate it + MultiByteToWideChar(CP_ACP, 0, (LPCSTR) lpInputString, -1, + (LPWSTR) lpszOutputString, nOutStringLen); + } + else + lstrcpy(lpszOutputString, (LPTSTR) lpInputString); +} // ANSIToUnicode + + +static void +MITPrincToMSPrinc(krb5_context context, krb5_principal principal, UNICODE_STRING * msprinc) +{ + char *aname = NULL; + + if (!krb5_unparse_name(context, principal, &aname)) { + msprinc->Length = strlen(aname) * sizeof(WCHAR); + ANSIToUnicode(aname, msprinc->Buffer, msprinc->MaximumLength); + krb5_free_unparsed_name(context,aname); + } +} + +static void +MSPrincToMITPrinc(KERB_EXTERNAL_NAME *msprinc, WCHAR *realm, krb5_context context, krb5_principal *principal) +{ + WCHAR princbuf[512],tmpbuf[128]; + char aname[512]; + USHORT i; + princbuf[0]=0; + for (i=0;i<msprinc->NameCount;i++) { + wcsncpy(tmpbuf, msprinc->Names[i].Buffer, + msprinc->Names[i].Length/sizeof(WCHAR)); + tmpbuf[msprinc->Names[i].Length/sizeof(WCHAR)]=0; + if (princbuf[0]) + wcscat(princbuf, L"/"); + wcscat(princbuf, tmpbuf); + } + wcscat(princbuf, L"@"); + wcscat(princbuf, realm); + UnicodeToANSI(princbuf, aname, sizeof(aname)); + krb5_parse_name(context, aname, principal); +} + + +static time_t +FileTimeToUnixTime(LARGE_INTEGER *ltime) +{ + FILETIME filetime, localfiletime; + SYSTEMTIME systime; + struct tm utime; + filetime.dwLowDateTime=ltime->LowPart; + filetime.dwHighDateTime=ltime->HighPart; + FileTimeToLocalFileTime(&filetime, &localfiletime); + FileTimeToSystemTime(&localfiletime, &systime); + utime.tm_sec=systime.wSecond; + utime.tm_min=systime.wMinute; + utime.tm_hour=systime.wHour; + utime.tm_mday=systime.wDay; + utime.tm_mon=systime.wMonth-1; + utime.tm_year=systime.wYear-1900; + utime.tm_isdst=-1; + return(mktime(&utime)); +} + +static void +MSSessionKeyToMITKeyblock(KERB_CRYPTO_KEY *mskey, krb5_context context, krb5_keyblock *keyblock) +{ + krb5_keyblock tmpblock; + tmpblock.magic=KV5M_KEYBLOCK; + tmpblock.enctype=mskey->KeyType; + tmpblock.length=mskey->Length; + tmpblock.contents=mskey->Value; + krb5_copy_keyblock_contents(context, &tmpblock, keyblock); +} + + +static void +MSFlagsToMITFlags(ULONG msflags, ULONG *mitflags) +{ + *mitflags=msflags; +} + +static void +MSTicketToMITTicket(KERB_EXTERNAL_TICKET *msticket, krb5_context context, krb5_data *ticket) +{ + krb5_data tmpdata, *newdata; + tmpdata.magic=KV5M_DATA; + tmpdata.length=msticket->EncodedTicketSize; + tmpdata.data=msticket->EncodedTicket; + + // TODO: fix this up a little. this is ugly and will break krb5_free_data() + krb5_copy_data(context, &tmpdata, &newdata); + memcpy(ticket, newdata, sizeof(krb5_data)); +} + +/* + * PreserveInitialTicketIdentity() + * + * This will find the "PreserveInitialTicketIdentity" key in the registry. + * Returns 1 to preserve and 0 to not. + */ + +static DWORD +PreserveInitialTicketIdentity(void) +{ + HKEY hKey; + DWORD size = sizeof(DWORD); + DWORD type = REG_DWORD; + const char *key_path = "Software\\MIT\\Kerberos5"; + const char *value_name = "PreserveInitialTicketIdentity"; + DWORD retval = 1; /* default to Preserve */ + + if (RegOpenKeyExA(HKEY_CURRENT_USER, key_path, 0, KEY_QUERY_VALUE, &hKey) != ERROR_SUCCESS) + goto syskey; + if (RegQueryValueExA(hKey, value_name, 0, &type, (LPBYTE)&retval, &size) != ERROR_SUCCESS) + { + RegCloseKey(hKey); + goto syskey; + } + RegCloseKey(hKey); + goto done; + + syskey: + if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, key_path, 0, KEY_QUERY_VALUE, &hKey) != ERROR_SUCCESS) + goto done; + if (RegQueryValueExA(hKey, value_name, 0, &type, (LPBYTE)&retval, &size) != ERROR_SUCCESS) + { + RegCloseKey(hKey); + goto done; + } + RegCloseKey(hKey); + + done: + return retval; +} + + +static void +MSCredToMITCred(KERB_EXTERNAL_TICKET *msticket, UNICODE_STRING InitialTicketDomain, + krb5_context context, krb5_creds *creds) +{ + WCHAR wrealm[128]; + ZeroMemory(creds, sizeof(krb5_creds)); + creds->magic=KV5M_CREDS; + + // construct Client Principal + if ( PreserveInitialTicketIdentity() ) { + wcsncpy(wrealm, InitialTicketDomain.Buffer, InitialTicketDomain.Length/sizeof(WCHAR)); + wrealm[InitialTicketDomain.Length/sizeof(WCHAR)]=0; + } else { + wcsncpy(wrealm, msticket->DomainName.Buffer, msticket->DomainName.Length/sizeof(WCHAR)); + wrealm[msticket->DomainName.Length/sizeof(WCHAR)]=0; + } + MSPrincToMITPrinc(msticket->ClientName, wrealm, context, &creds->client); + + // construct Service Principal + wcsncpy(wrealm, msticket->DomainName.Buffer, + msticket->DomainName.Length/sizeof(WCHAR)); + wrealm[msticket->DomainName.Length/sizeof(WCHAR)]=0; + MSPrincToMITPrinc(msticket->ServiceName, wrealm, context, &creds->server); + + MSSessionKeyToMITKeyblock(&msticket->SessionKey, context, + &creds->keyblock); + MSFlagsToMITFlags(msticket->TicketFlags, &creds->ticket_flags); + creds->times.starttime=FileTimeToUnixTime(&msticket->StartTime); + creds->times.endtime=FileTimeToUnixTime(&msticket->EndTime); + creds->times.renew_till=FileTimeToUnixTime(&msticket->RenewUntil); + + /* MS Tickets are addressless. MIT requires an empty address + * not a NULL list of addresses. + */ + creds->addresses = (krb5_address **)malloc(sizeof(krb5_address *)); + memset(creds->addresses, 0, sizeof(krb5_address *)); + + MSTicketToMITTicket(msticket, context, &creds->ticket); +} + +static BOOL +PackageConnectLookup(HANDLE *pLogonHandle, ULONG *pPackageId) +{ + LSA_STRING Name; + NTSTATUS Status; + + Status = LsaConnectUntrusted( + pLogonHandle + ); + + if (FAILED(Status)) + { + ShowLsaError("LsaConnectUntrusted", Status); + return FALSE; + } + + Name.Buffer = MICROSOFT_KERBEROS_NAME_A; + Name.Length = strlen(Name.Buffer); + Name.MaximumLength = Name.Length + 1; + + Status = LsaLookupAuthenticationPackage( + *pLogonHandle, + &Name, + pPackageId + ); + + if (FAILED(Status)) + { + ShowLsaError("LsaLookupAuthenticationPackage", Status); + return FALSE; + } + + return TRUE; + +} + + +static DWORD +ConcatenateUnicodeStrings(UNICODE_STRING *pTarget, UNICODE_STRING Source1, UNICODE_STRING Source2) +{ + // + // The buffers for Source1 and Source2 cannot overlap pTarget's + // buffer. Source1.Length + Source2.Length must be <= 0xFFFF, + // otherwise we overflow... + // + + USHORT TotalSize = Source1.Length + Source2.Length; + PBYTE buffer = (PBYTE) pTarget->Buffer; + + if (TotalSize > pTarget->MaximumLength) + return ERROR_INSUFFICIENT_BUFFER; + + if ( pTarget->Buffer != Source1.Buffer ) + memcpy(buffer, Source1.Buffer, Source1.Length); + memcpy(buffer + Source1.Length, Source2.Buffer, Source2.Length); + + pTarget->Length = TotalSize; + return ERROR_SUCCESS; +} + +static BOOL +get_STRING_from_registry(HKEY hBaseKey, char * key, char * value, char * outbuf, DWORD outlen) +{ + HKEY hKey; + DWORD dwCount; + LONG rc; + + if (!outbuf || outlen == 0) + return FALSE; + + rc = RegOpenKeyExA(hBaseKey, key, 0, KEY_QUERY_VALUE, &hKey); + if (rc) + return FALSE; + + dwCount = outlen; + rc = RegQueryValueExA(hKey, value, 0, 0, (LPBYTE) outbuf, &dwCount); + RegCloseKey(hKey); + + return rc?FALSE:TRUE; +} + +static BOOL +GetSecurityLogonSessionData(PSECURITY_LOGON_SESSION_DATA * ppSessionData) +{ + NTSTATUS Status = 0; + HANDLE TokenHandle; + TOKEN_STATISTICS Stats; + DWORD ReqLen; + BOOL Success; + + if (!ppSessionData) + return FALSE; + *ppSessionData = NULL; + + Success = OpenProcessToken( GetCurrentProcess(), TOKEN_QUERY, &TokenHandle ); + if ( !Success ) + return FALSE; + + Success = GetTokenInformation( TokenHandle, TokenStatistics, &Stats, sizeof(TOKEN_STATISTICS), &ReqLen ); + CloseHandle( TokenHandle ); + if ( !Success ) + return FALSE; + + Status = LsaGetLogonSessionData( &Stats.AuthenticationId, ppSessionData ); + if ( FAILED(Status) || !ppSessionData ) + return FALSE; + + return TRUE; +} + +// +// IsKerberosLogon() does not validate whether or not there are valid tickets in the +// cache. It validates whether or not it is reasonable to assume that if we +// attempted to retrieve valid tickets we could do so. Microsoft does not +// automatically renew expired tickets. Therefore, the cache could contain +// expired or invalid tickets. Microsoft also caches the user's password +// and will use it to retrieve new TGTs if the cache is empty and tickets +// are requested. + +static BOOL +IsKerberosLogon(VOID) +{ + PSECURITY_LOGON_SESSION_DATA pSessionData = NULL; + BOOL Success = FALSE; + + if ( GetSecurityLogonSessionData(&pSessionData) ) { + if ( pSessionData->AuthenticationPackage.Buffer ) { + WCHAR buffer[256]; + WCHAR *usBuffer; + int usLength; + + Success = FALSE; + usBuffer = (pSessionData->AuthenticationPackage).Buffer; + usLength = (pSessionData->AuthenticationPackage).Length; + if (usLength < 256) + { + lstrcpyn (buffer, usBuffer, usLength); + lstrcat (buffer,L""); + if ( !lstrcmp(L"Kerberos",buffer) ) + Success = TRUE; + } + } + LsaFreeReturnBuffer(pSessionData); + } + return Success; +} + +static DWORD +ConstructTicketRequest(UNICODE_STRING DomainName, PKERB_RETRIEVE_TKT_REQUEST * outRequest, ULONG * outSize) +{ + DWORD Error; + UNICODE_STRING TargetPrefix; + USHORT TargetSize; + ULONG RequestSize; + PKERB_RETRIEVE_TKT_REQUEST pTicketRequest = NULL; + + *outRequest = NULL; + *outSize = 0; + + // + // Set up the "krbtgt/" target prefix into a UNICODE_STRING so we + // can easily concatenate it later. + // + + TargetPrefix.Buffer = L"krbtgt/"; + TargetPrefix.Length = wcslen(TargetPrefix.Buffer) * sizeof(WCHAR); + TargetPrefix.MaximumLength = TargetPrefix.Length; + + // + // We will need to concatenate the "krbtgt/" prefix and the + // Logon Session's DnsDomainName into our request's target name. + // + // Therefore, first compute the necessary buffer size for that. + // + // Note that we might theoretically have integer overflow. + // + + TargetSize = TargetPrefix.Length + DomainName.Length; + + // + // The ticket request buffer needs to be a single buffer. That buffer + // needs to include the buffer for the target name. + // + + RequestSize = sizeof(*pTicketRequest) + TargetSize; + + // + // Allocate the request buffer and make sure it's zero-filled. + // + + pTicketRequest = (PKERB_RETRIEVE_TKT_REQUEST) LocalAlloc(LMEM_ZEROINIT, RequestSize); + if (!pTicketRequest) + return GetLastError(); + + // + // Concatenate the target prefix with the previous reponse's + // target domain. + // + + pTicketRequest->TargetName.Length = 0; + pTicketRequest->TargetName.MaximumLength = TargetSize; + pTicketRequest->TargetName.Buffer = (PWSTR) (pTicketRequest + 1); + Error = ConcatenateUnicodeStrings(&(pTicketRequest->TargetName), + TargetPrefix, + DomainName); + *outRequest = pTicketRequest; + *outSize = RequestSize; + return Error; +} + +static BOOL +PurgeMSTGT(HANDLE LogonHandle, ULONG PackageId) +{ + NTSTATUS Status = 0; + NTSTATUS SubStatus = 0; + KERB_PURGE_TKT_CACHE_REQUEST PurgeRequest; + + PurgeRequest.MessageType = KerbPurgeTicketCacheMessage; + PurgeRequest.LogonId.LowPart = 0; + PurgeRequest.LogonId.HighPart = 0; + PurgeRequest.ServerName.Buffer = L""; + PurgeRequest.ServerName.Length = 0; + PurgeRequest.ServerName.MaximumLength = 0; + PurgeRequest.RealmName.Buffer = L""; + PurgeRequest.RealmName.Length = 0; + PurgeRequest.RealmName.MaximumLength = 0; + Status = LsaCallAuthenticationPackage(LogonHandle, + PackageId, + &PurgeRequest, + sizeof(PurgeRequest), + NULL, + NULL, + &SubStatus + ); + if (FAILED(Status) || FAILED(SubStatus)) + return FALSE; + return TRUE; +} + +#define ENABLE_PURGING 1 +// to allow the purging of expired tickets from LSA cache. This is necessary +// to force the retrieval of new TGTs. Microsoft does not appear to retrieve +// new tickets when they expire. Instead they continue to accept the expired +// tickets. This is safe to do because the LSA purges its cache when it +// retrieves a new TGT (ms calls this renew) but not when it renews the TGT +// (ms calls this refresh). + +static BOOL +GetMSTGT(HANDLE LogonHandle, ULONG PackageId,KERB_EXTERNAL_TICKET **ticket) +{ + // + // INVARIANTS: + // + // (FAILED(Status) || FAILED(SubStatus)) ==> error + // bIsLsaError ==> LsaCallAuthenticationPackage() error + // + + BOOL bIsLsaError = FALSE; + NTSTATUS Status = 0; + NTSTATUS SubStatus = 0; + DWORD Error; + + KERB_QUERY_TKT_CACHE_REQUEST CacheRequest; + PKERB_RETRIEVE_TKT_REQUEST pTicketRequest; + PKERB_RETRIEVE_TKT_RESPONSE pTicketResponse = NULL; + ULONG RequestSize; + ULONG ResponseSize; +#ifdef ENABLE_PURGING + int purge_cache = 0; +#endif /* ENABLE_PURGING */ + int ignore_cache = 0; + + CacheRequest.MessageType = KerbRetrieveTicketMessage; + CacheRequest.LogonId.LowPart = 0; + CacheRequest.LogonId.HighPart = 0; + + Status = LsaCallAuthenticationPackage( + LogonHandle, + PackageId, + &CacheRequest, + sizeof(CacheRequest), + &pTicketResponse, + &ResponseSize, + &SubStatus + ); + + if (FAILED(Status)) + { + // if the call to LsaCallAuthenticationPackage failed we cannot + // perform any queries most likely because the Kerberos package + // is not available or we do not have access + bIsLsaError = TRUE; + goto cleanup; + } + + if (FAILED(SubStatus)) { + PSECURITY_LOGON_SESSION_DATA pSessionData = NULL; + BOOL Success = FALSE; + OSVERSIONINFOEX verinfo; + int supported = 0; + + // SubStatus 0x8009030E is not documented. However, it appears + // to mean there is no TGT + if (SubStatus != 0x8009030E) { + bIsLsaError = TRUE; + goto cleanup; + } + + verinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX); + GetVersionEx((OSVERSIONINFO *)&verinfo); + supported = (verinfo.dwMajorVersion > 5) || + (verinfo.dwMajorVersion == 5 && verinfo.dwMinorVersion >= 1); + + // If we could not get a TGT from the cache we won't know what the + // Kerberos Domain should have been. On Windows XP and 2003 Server + // we can extract it from the Security Logon Session Data. However, + // the required fields are not supported on Windows 2000. :( + if ( supported && GetSecurityLogonSessionData(&pSessionData) ) { + if ( pSessionData->DnsDomainName.Buffer ) { + Error = ConstructTicketRequest(pSessionData->DnsDomainName, + &pTicketRequest, &RequestSize); + LsaFreeReturnBuffer(pSessionData); + if ( Error ) + goto cleanup; + } else { + LsaFreeReturnBuffer(pSessionData); + bIsLsaError = TRUE; + goto cleanup; + } + } else { + CHAR UserDnsDomain[256]; + WCHAR UnicodeUserDnsDomain[256]; + UNICODE_STRING wrapper; + if ( !get_STRING_from_registry(HKEY_CURRENT_USER, + "Volatile Environment", + "USERDNSDOMAIN", + UserDnsDomain, + sizeof(UserDnsDomain) + ) ) + { + goto cleanup; + } + + ANSIToUnicode(UserDnsDomain,UnicodeUserDnsDomain,256); + wrapper.Buffer = UnicodeUserDnsDomain; + wrapper.Length = wcslen(UnicodeUserDnsDomain) * sizeof(WCHAR); + wrapper.MaximumLength = 256; + + Error = ConstructTicketRequest(wrapper, + &pTicketRequest, &RequestSize); + if ( Error ) + goto cleanup; + } + } else { +#ifdef PURGE_ALL + purge_cache = 1; +#else + switch (pTicketResponse->Ticket.SessionKey.KeyType) { + case KERB_ETYPE_DES_CBC_CRC: + case KERB_ETYPE_DES_CBC_MD4: + case KERB_ETYPE_DES_CBC_MD5: + case KERB_ETYPE_NULL: + case KERB_ETYPE_RC4_HMAC_NT: { + FILETIME Now, MinLife, EndTime, LocalEndTime; + __int64 temp; + // FILETIME is in units of 100 nano-seconds + // If obtained tickets are either expired or have a lifetime + // less than 20 minutes, retry ... + GetSystemTimeAsFileTime(&Now); + EndTime.dwLowDateTime=pTicketResponse->Ticket.EndTime.LowPart; + EndTime.dwHighDateTime=pTicketResponse->Ticket.EndTime.HighPart; + FileTimeToLocalFileTime(&EndTime, &LocalEndTime); + temp = Now.dwHighDateTime; + temp <<= 32; + temp = Now.dwLowDateTime; + temp += 1200 * 10000; + MinLife.dwHighDateTime = (DWORD)((temp >> 32) & 0xFFFFFFFF); + MinLife.dwLowDateTime = (DWORD)(temp & 0xFFFFFFFF); + if (CompareFileTime(&MinLife, &LocalEndTime) >= 0) { +#ifdef ENABLE_PURGING + purge_cache = 1; +#else + ignore_cache = 1; +#endif /* ENABLE_PURGING */ + break; + } + if (pTicketResponse->Ticket.TicketFlags & KERB_TICKET_FLAGS_invalid) { + ignore_cache = 1; + break; // invalid, need to attempt a TGT request + } + goto cleanup; // all done + } + case KERB_ETYPE_RC4_MD4: + default: + // not supported + ignore_cache = 1; + break; + } +#endif /* PURGE_ALL */ + + Error = ConstructTicketRequest(pTicketResponse->Ticket.TargetDomainName, + &pTicketRequest, &RequestSize); + if ( Error ) { + goto cleanup; + } + + // + // Free the previous response buffer so we can get the new response. + // + + if ( pTicketResponse ) { + memset(pTicketResponse,0,sizeof(KERB_RETRIEVE_TKT_RESPONSE)); + LsaFreeReturnBuffer(pTicketResponse); + pTicketResponse = NULL; + } + +#ifdef ENABLE_PURGING + if ( purge_cache ) { + // + // Purge the existing tickets which we cannot use so new ones can + // be requested. It is not possible to purge just the TGT. All + // service tickets must be purged. + // + PurgeMSTGT(LogonHandle, PackageId); + } +#endif /* ENABLE_PURGING */ + } + + // + // Intialize the request of the request. + // + + pTicketRequest->MessageType = KerbRetrieveEncodedTicketMessage; + pTicketRequest->LogonId.LowPart = 0; + pTicketRequest->LogonId.HighPart = 0; + // Note: pTicketRequest->TargetName set up above +#ifdef ENABLE_PURGING + pTicketRequest->CacheOptions = ((ignore_cache || !purge_cache) ? + KERB_RETRIEVE_TICKET_DONT_USE_CACHE : 0L); +#else + pTicketRequest->CacheOptions = (ignore_cache ? KERB_RETRIEVE_TICKET_DONT_USE_CACHE : 0L); +#endif /* ENABLE_PURGING */ + pTicketRequest->TicketFlags = 0L; + pTicketRequest->EncryptionType = 0L; + + Status = LsaCallAuthenticationPackage( + LogonHandle, + PackageId, + pTicketRequest, + RequestSize, + &pTicketResponse, + &ResponseSize, + &SubStatus + ); + + if (FAILED(Status) || FAILED(SubStatus)) + { + bIsLsaError = TRUE; + goto cleanup; + } + + // + // Check to make sure the new tickets we received are of a type we support + // + + switch (pTicketResponse->Ticket.SessionKey.KeyType) { + case KERB_ETYPE_DES_CBC_CRC: + case KERB_ETYPE_DES_CBC_MD4: + case KERB_ETYPE_DES_CBC_MD5: + case KERB_ETYPE_NULL: + case KERB_ETYPE_RC4_HMAC_NT: + goto cleanup; // all done + case KERB_ETYPE_RC4_MD4: + default: + // not supported + break; + } + + + // + // Try once more but this time specify the Encryption Type + // (This will not store the retrieved tickets in the LSA cache) + // + pTicketRequest->EncryptionType = ENCTYPE_DES_CBC_CRC; + pTicketRequest->CacheOptions = KERB_RETRIEVE_TICKET_DONT_USE_CACHE; + + if ( pTicketResponse ) { + memset(pTicketResponse,0,sizeof(KERB_RETRIEVE_TKT_RESPONSE)); + LsaFreeReturnBuffer(pTicketResponse); + pTicketResponse = NULL; + } + + Status = LsaCallAuthenticationPackage( + LogonHandle, + PackageId, + pTicketRequest, + RequestSize, + &pTicketResponse, + &ResponseSize, + &SubStatus + ); + + if (FAILED(Status) || FAILED(SubStatus)) + { + bIsLsaError = TRUE; + goto cleanup; + } + + cleanup: + if ( pTicketRequest ) + LocalFree(pTicketRequest); + + if (FAILED(Status) || FAILED(SubStatus)) + { + if (bIsLsaError) + { + // XXX - Will be fixed later + if (FAILED(Status)) + ShowLsaError("LsaCallAuthenticationPackage", Status); + if (FAILED(SubStatus)) + ShowLsaError("LsaCallAuthenticationPackage", SubStatus); + } + else + { + ShowWinError("GetMSTGT", Status); + } + + if (pTicketResponse) { + memset(pTicketResponse,0,sizeof(KERB_RETRIEVE_TKT_RESPONSE)); + LsaFreeReturnBuffer(pTicketResponse); + pTicketResponse = NULL; + } + return(FALSE); + } + + *ticket = &(pTicketResponse->Ticket); + return(TRUE); +} + +static BOOL +GetQueryTktCacheResponse( HANDLE LogonHandle, ULONG PackageId, + PKERB_QUERY_TKT_CACHE_RESPONSE * ppResponse) +{ + NTSTATUS Status = 0; + NTSTATUS SubStatus = 0; + + KERB_QUERY_TKT_CACHE_REQUEST CacheRequest; + PKERB_QUERY_TKT_CACHE_RESPONSE pQueryResponse = NULL; + ULONG ResponseSize; + + CacheRequest.MessageType = KerbQueryTicketCacheMessage; + CacheRequest.LogonId.LowPart = 0; + CacheRequest.LogonId.HighPart = 0; + + Status = LsaCallAuthenticationPackage( + LogonHandle, + PackageId, + &CacheRequest, + sizeof(CacheRequest), + &pQueryResponse, + &ResponseSize, + &SubStatus + ); + + if ( !(FAILED(Status) || FAILED(SubStatus)) ) { + *ppResponse = pQueryResponse; + return TRUE; + } + + return FALSE; +} + +static void +FreeQueryResponse(PKERB_QUERY_TKT_CACHE_RESPONSE pResponse) +{ + LsaFreeReturnBuffer(pResponse); +} + + +static BOOL +GetMSCacheTicketFromMITCred( HANDLE LogonHandle, ULONG PackageId, + krb5_context context, krb5_creds *creds, PKERB_EXTERNAL_TICKET *ticket) +{ + NTSTATUS Status = 0; + NTSTATUS SubStatus = 0; + ULONG RequestSize; + PKERB_RETRIEVE_TKT_REQUEST pTicketRequest = NULL; + PKERB_RETRIEVE_TKT_RESPONSE pTicketResponse = NULL; + ULONG ResponseSize; + + RequestSize = sizeof(*pTicketRequest) + MAX_MSPRINC_SIZE; + + pTicketRequest = (PKERB_RETRIEVE_TKT_REQUEST) LocalAlloc(LMEM_ZEROINIT, RequestSize); + if (!pTicketRequest) + return FALSE; + + pTicketRequest->MessageType = KerbRetrieveEncodedTicketMessage; + pTicketRequest->LogonId.LowPart = 0; + pTicketRequest->LogonId.HighPart = 0; + + pTicketRequest->TargetName.Length = 0; + pTicketRequest->TargetName.MaximumLength = MAX_MSPRINC_SIZE; + pTicketRequest->TargetName.Buffer = (PWSTR) (pTicketRequest + 1); + MITPrincToMSPrinc(context, creds->server, &pTicketRequest->TargetName); + pTicketRequest->CacheOptions = 0; + pTicketRequest->TicketFlags = creds->ticket_flags; + pTicketRequest->EncryptionType = creds->keyblock.enctype; + + Status = LsaCallAuthenticationPackage( + LogonHandle, + PackageId, + pTicketRequest, + RequestSize, + &pTicketResponse, + &ResponseSize, + &SubStatus + ); + + LocalFree(pTicketRequest); + + if (FAILED(Status) || FAILED(SubStatus)) + return(FALSE); + + /* otherwise return ticket */ + *ticket = &(pTicketResponse->Ticket); + return(TRUE); + +} + +static BOOL +GetMSCacheTicketFromCacheInfo( HANDLE LogonHandle, ULONG PackageId, + PKERB_TICKET_CACHE_INFO tktinfo, PKERB_EXTERNAL_TICKET *ticket) +{ + NTSTATUS Status = 0; + NTSTATUS SubStatus = 0; + ULONG RequestSize; + PKERB_RETRIEVE_TKT_REQUEST pTicketRequest = NULL; + PKERB_RETRIEVE_TKT_RESPONSE pTicketResponse = NULL; + ULONG ResponseSize; + + RequestSize = sizeof(*pTicketRequest) + tktinfo->ServerName.Length; + + pTicketRequest = (PKERB_RETRIEVE_TKT_REQUEST) LocalAlloc(LMEM_ZEROINIT, RequestSize); + if (!pTicketRequest) + return FALSE; + + pTicketRequest->MessageType = KerbRetrieveEncodedTicketMessage; + pTicketRequest->LogonId.LowPart = 0; + pTicketRequest->LogonId.HighPart = 0; + pTicketRequest->TargetName.Length = tktinfo->ServerName.Length; + pTicketRequest->TargetName.MaximumLength = tktinfo->ServerName.Length; + pTicketRequest->TargetName.Buffer = (PWSTR) (pTicketRequest + 1); + memcpy(pTicketRequest->TargetName.Buffer,tktinfo->ServerName.Buffer, tktinfo->ServerName.Length); + pTicketRequest->CacheOptions = 0; + pTicketRequest->EncryptionType = tktinfo->EncryptionType; + pTicketRequest->TicketFlags = 0; + if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_forwardable ) + pTicketRequest->TicketFlags |= KDC_OPT_FORWARDABLE; + if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_forwarded ) + pTicketRequest->TicketFlags |= KDC_OPT_FORWARDED; + if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_proxiable ) + pTicketRequest->TicketFlags |= KDC_OPT_PROXIABLE; + if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_renewable ) + pTicketRequest->TicketFlags |= KDC_OPT_RENEWABLE; + + Status = LsaCallAuthenticationPackage( + LogonHandle, + PackageId, + pTicketRequest, + RequestSize, + &pTicketResponse, + &ResponseSize, + &SubStatus + ); + + LocalFree(pTicketRequest); + + if (FAILED(Status) || FAILED(SubStatus)) + return(FALSE); + + /* otherwise return ticket */ + *ticket = &(pTicketResponse->Ticket); + return(TRUE); + +} + +static krb5_error_code KRB5_CALLCONV krb5_lcc_close + (krb5_context, krb5_ccache id); + +static krb5_error_code KRB5_CALLCONV krb5_lcc_destroy + (krb5_context, krb5_ccache id); + +static krb5_error_code KRB5_CALLCONV krb5_lcc_end_seq_get + (krb5_context, krb5_ccache id, krb5_cc_cursor *cursor); + +static krb5_error_code KRB5_CALLCONV krb5_lcc_generate_new + (krb5_context, krb5_ccache *id); + +static const char * KRB5_CALLCONV krb5_lcc_get_name + (krb5_context, krb5_ccache id); + +static krb5_error_code KRB5_CALLCONV krb5_lcc_get_principal + (krb5_context, krb5_ccache id, krb5_principal *princ); + +static krb5_error_code KRB5_CALLCONV krb5_lcc_initialize + (krb5_context, krb5_ccache id, krb5_principal princ); + +static krb5_error_code KRB5_CALLCONV krb5_lcc_next_cred + (krb5_context, krb5_ccache id, krb5_cc_cursor *cursor, + krb5_creds *creds); + +static krb5_error_code KRB5_CALLCONV krb5_lcc_resolve + (krb5_context, krb5_ccache *id, const char *residual); + +static krb5_error_code KRB5_CALLCONV krb5_lcc_retrieve + (krb5_context, krb5_ccache id, krb5_flags whichfields, + krb5_creds *mcreds, krb5_creds *creds); + +static krb5_error_code KRB5_CALLCONV krb5_lcc_start_seq_get + (krb5_context, krb5_ccache id, krb5_cc_cursor *cursor); + +static krb5_error_code KRB5_CALLCONV krb5_lcc_store + (krb5_context, krb5_ccache id, krb5_creds *creds); + +static krb5_error_code KRB5_CALLCONV krb5_lcc_set_flags + (krb5_context, krb5_ccache id, krb5_flags flags); + +extern const krb5_cc_ops krb5_lcc_ops; + +krb5_error_code krb5_change_cache (void); + +krb5_boolean +krb5int_cc_creds_match_request(krb5_context, krb5_flags whichfields, krb5_creds *mcreds, krb5_creds *creds); + +#define KRB5_OK 0 + +typedef struct _krb5_lcc_data { + HANDLE LogonHandle; + ULONG PackageId; + char * cc_name; + krb5_principal princ; +} krb5_lcc_data; + +typedef struct _krb5_lcc_cursor { + PKERB_QUERY_TKT_CACHE_RESPONSE response; + int index; + PKERB_EXTERNAL_TICKET mstgt; +} krb5_lcc_cursor; + + +/* + * Requires: + * residual is ignored + * + * Modifies: + * id + * + * Effects: + * Acccess the MS Kerberos LSA cache in the current logon session + * Ignore the residual. + * + * Returns: + * A filled in krb5_ccache structure "id". + * + * Errors: + * KRB5_CC_NOMEM - there was insufficient memory to allocate the + * + * krb5_ccache. id is undefined. + * permission errors + */ +static krb5_error_code KRB5_CALLCONV +krb5_lcc_resolve (krb5_context context, krb5_ccache *id, const char *residual) +{ + krb5_ccache lid; + krb5_lcc_data *data; + HANDLE LogonHandle; + ULONG PackageId; + KERB_EXTERNAL_TICKET *msticket; + + if (!IsWindows2000()) + return KRB5_FCC_NOFILE; + +#ifdef COMMENT + /* In at least one case on Win2003 it appears that it is possible + * for the logon session to be authenticated via NTLM and yet for + * there to be Kerberos credentials obtained by the LSA on behalf + * of the logged in user. Therefore, we are removing this test + * which was meant to avoid the need to perform GetMSTGT() when + * there was no possibility of credentials being found. + */ + if (!IsKerberosLogon()) + return KRB5_FCC_NOFILE; +#endif + + if(!PackageConnectLookup(&LogonHandle, &PackageId)) + return KRB5_FCC_NOFILE; + + lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache)); + if (lid == NULL) { + CloseHandle(LogonHandle); + return KRB5_CC_NOMEM; + } + + lid->ops = &krb5_lcc_ops; + + lid->data = (krb5_pointer) malloc(sizeof(krb5_lcc_data)); + if (lid->data == NULL) { + krb5_xfree(lid); + CloseHandle(LogonHandle); + return KRB5_CC_NOMEM; + } + + lid->magic = KV5M_CCACHE; + data = (krb5_lcc_data *)lid->data; + data->LogonHandle = LogonHandle; + data->PackageId = PackageId; + + data->cc_name = (char *)malloc(strlen(residual)+1); + if (data->cc_name == NULL) { + krb5_xfree(lid->data); + krb5_xfree(lid); + CloseHandle(LogonHandle); + return KRB5_CC_NOMEM; + } + strcpy(data->cc_name, residual); + + /* + * we must obtain a tgt from the cache in order to determine the principal + */ + if (GetMSTGT(data->LogonHandle, data->PackageId, &msticket)) { + /* convert the ticket */ + krb5_creds creds; + MSCredToMITCred(msticket, msticket->DomainName, context, &creds); + LsaFreeReturnBuffer(msticket); + + krb5_copy_principal(context, creds.client, &data->princ); + krb5_free_cred_contents(context,&creds); + } else { + data->princ = 0; + krb5_xfree(data->cc_name); + krb5_xfree(lid->data); + krb5_xfree(lid); + CloseHandle(LogonHandle); + return KRB5_FCC_NOFILE; + } + + /* + * other routines will get errors on open, and callers must expect them, + * if cache is non-existent/unusable + */ + *id = lid; + return KRB5_OK; +} + +/* + * not supported + */ +static krb5_error_code KRB5_CALLCONV +krb5_lcc_initialize(krb5_context context, krb5_ccache id, krb5_principal princ) +{ + if (!IsWindows2000()) + return KRB5_FCC_NOFILE; + + return KRB5_CC_READONLY; +} + + +/* + * Modifies: + * id + * + * Effects: + * Closes the microsoft lsa cache, invalidates the id, and frees any resources + * associated with the cache. + */ +static krb5_error_code KRB5_CALLCONV +krb5_lcc_close(krb5_context context, krb5_ccache id) +{ + register int closeval = KRB5_OK; + register krb5_lcc_data *data; + + if (!IsWindows2000()) + return KRB5_FCC_NOFILE; + + if (id) { + data = (krb5_lcc_data *) id->data; + + if (data) { + CloseHandle(data->LogonHandle); + krb5_xfree(data); + } + krb5_xfree(id); + } + return closeval; +} + +/* + * Effects: + * Destroys the contents of id. + * + * Errors: + * system errors + */ +static krb5_error_code KRB5_CALLCONV +krb5_lcc_destroy(krb5_context context, krb5_ccache id) +{ + register krb5_lcc_data *data; + + if (!IsWindows2000()) + return KRB5_FCC_NOFILE; + + if (id) { + data = (krb5_lcc_data *) id->data; + + return PurgeMSTGT(data->LogonHandle, data->PackageId) ? KRB5_FCC_INTERNAL : KRB5_OK; + } + return KRB5_FCC_INTERNAL; +} + +/* + * Effects: + * Prepares for a sequential search of the credentials cache. + * Returns a krb5_cc_cursor to be used with krb5_lcc_next_cred and + * krb5_lcc_end_seq_get. + * + * If the cache is modified between the time of this call and the time + * of the final krb5_lcc_end_seq_get, the results are undefined. + * + * Errors: + * KRB5_CC_NOMEM + * KRB5_FCC_INTERNAL - system errors + */ +static krb5_error_code KRB5_CALLCONV +krb5_lcc_start_seq_get(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor) +{ + krb5_lcc_cursor *lcursor; + krb5_lcc_data *data = (krb5_lcc_data *)id->data; + KERB_EXTERNAL_TICKET *msticket; + + if (!IsWindows2000()) + return KRB5_FCC_NOFILE; + + lcursor = (krb5_lcc_cursor *) malloc(sizeof(krb5_lcc_cursor)); + if (lcursor == NULL) { + *cursor = 0; + return KRB5_CC_NOMEM; + } + + /* + * obtain a tgt to refresh the ccache in case the ticket is expired + */ + if (!GetMSTGT(data->LogonHandle, data->PackageId, &lcursor->mstgt)) { + free(lcursor); + *cursor = 0; + return KRB5_FCC_INTERNAL; + } + + if ( !GetQueryTktCacheResponse(data->LogonHandle, data->PackageId, &lcursor->response) ) { + LsaFreeReturnBuffer(lcursor->mstgt); + free(lcursor); + *cursor = 0; + return KRB5_FCC_INTERNAL; + } + lcursor->index = 0; + *cursor = (krb5_cc_cursor) lcursor; + return KRB5_OK; +} + + +/* + * Requires: + * cursor is a krb5_cc_cursor originally obtained from + * krb5_lcc_start_seq_get. + * + * Modifes: + * cursor + * + * Effects: + * Fills in creds with the TGT obtained from the MS LSA + * + * The cursor is updated to indicate TGT retrieval + * + * Errors: + * KRB5_CC_END + * KRB5_FCC_INTERNAL - system errors + */ +static krb5_error_code KRB5_CALLCONV +krb5_lcc_next_cred(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor, krb5_creds *creds) +{ + krb5_lcc_cursor *lcursor = (krb5_lcc_cursor *) *cursor; + krb5_lcc_data *data; + KERB_EXTERNAL_TICKET *msticket; + krb5_error_code retval = KRB5_OK; + + if (!IsWindows2000()) + return KRB5_FCC_NOFILE; + + data = (krb5_lcc_data *)id->data; + + next_cred: + if ( lcursor->index >= lcursor->response->CountOfTickets ) { + if (retval == KRB5_OK) + return KRB5_CC_END; + else { + LsaFreeReturnBuffer(lcursor->mstgt); + LsaFreeReturnBuffer(lcursor->response); + free(*cursor); + *cursor = 0; + return retval; + } + } + + if (!GetMSCacheTicketFromCacheInfo(data->LogonHandle, data->PackageId, + &lcursor->response->Tickets[lcursor->index++],&msticket)) { + retval = KRB5_FCC_INTERNAL; + goto next_cred; + } + + /* Don't return tickets with NULL Session Keys */ + if ( msticket->SessionKey.KeyType == KERB_ETYPE_NULL) { + LsaFreeReturnBuffer(msticket); + goto next_cred; + } + + /* convert the ticket */ + MSCredToMITCred(msticket, lcursor->mstgt->DomainName, context, creds); + LsaFreeReturnBuffer(msticket); + return KRB5_OK; +} + +/* + * Requires: + * cursor is a krb5_cc_cursor originally obtained from + * krb5_lcc_start_seq_get. + * + * Modifies: + * id, cursor + * + * Effects: + * Finishes sequential processing of the file credentials ccache id, + * and invalidates the cursor (it must never be used after this call). + */ +/* ARGSUSED */ +static krb5_error_code KRB5_CALLCONV +krb5_lcc_end_seq_get(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor) +{ + krb5_lcc_cursor *lcursor = (krb5_lcc_cursor *) *cursor; + + if (!IsWindows2000()) + return KRB5_FCC_NOFILE; + + if ( lcursor ) { + LsaFreeReturnBuffer(lcursor->mstgt); + LsaFreeReturnBuffer(lcursor->response); + free(*cursor); + } + *cursor = 0; + + return KRB5_OK; +} + + +/* + * Errors: + * KRB5_CC_READONLY - not supported + */ +static krb5_error_code KRB5_CALLCONV +krb5_lcc_generate_new (krb5_context context, krb5_ccache *id) +{ + if (!IsWindows2000()) + return KRB5_FCC_NOFILE; + + return KRB5_CC_READONLY; +} + +/* + * Requires: + * id is a ms lsa credential cache + * + * Returns: + * The ccname specified during the krb5_lcc_resolve call + */ +static const char * KRB5_CALLCONV +krb5_lcc_get_name (krb5_context context, krb5_ccache id) +{ + + if (!IsWindows2000()) + return KRB5_FCC_NOFILE; + + if ( !id ) + return ""; + + return (char *) ((krb5_lcc_data *) id->data)->cc_name; +} + +/* + * Modifies: + * id, princ + * + * Effects: + * Retrieves the primary principal from id, as set with + * krb5_lcc_initialize. The principal is returned is allocated + * storage that must be freed by the caller via krb5_free_principal. + * + * Errors: + * system errors + * KRB5_CC_NOT_KTYPE + */ +static krb5_error_code KRB5_CALLCONV +krb5_lcc_get_principal(krb5_context context, krb5_ccache id, krb5_principal *princ) +{ + krb5_error_code kret = KRB5_OK; + + if (!IsWindows2000()) + return KRB5_FCC_NOFILE; + + /* obtain principal */ + return krb5_copy_principal(context, ((krb5_lcc_data *) id->data)->princ, princ); +} + + +static krb5_error_code KRB5_CALLCONV +krb5_lcc_retrieve(krb5_context context, krb5_ccache id, krb5_flags whichfields, + krb5_creds *mcreds, krb5_creds *creds) +{ + krb5_error_code kret = KRB5_OK; + krb5_lcc_data *data = (krb5_lcc_data *)id->data; + KERB_EXTERNAL_TICKET *msticket = 0, *mstgt = 0; + krb5_creds * mcreds_noflags; + krb5_creds fetchcreds; + + if (!IsWindows2000()) + return KRB5_FCC_NOFILE; + + memset(&fetchcreds, 0, sizeof(krb5_creds)); + + /* first try to find out if we have an existing ticket which meets the requirements */ + kret = krb5_cc_retrieve_cred_default (context, id, whichfields, mcreds, creds); + if ( !kret ) + return KRB5_OK; + + /* if not, we must try to get a ticket without specifying any flags or etypes */ + krb5_copy_creds(context, mcreds, &mcreds_noflags); + mcreds_noflags->ticket_flags = 0; + mcreds_noflags->keyblock.enctype = 0; + + if (!GetMSCacheTicketFromMITCred(data->LogonHandle, data->PackageId, context, mcreds_noflags, &msticket)) { + kret = KRB5_CC_NOTFOUND; + goto cleanup; + } + + /* try again to find out if we have an existing ticket which meets the requirements */ + kret = krb5_cc_retrieve_cred_default (context, id, whichfields, mcreds, creds); + if ( !kret ) + goto cleanup; + + /* if not, obtain a ticket using the request flags and enctype even though it will not + * be stored in the LSA cache for future use. + */ + if ( msticket ) { + LsaFreeReturnBuffer(msticket); + msticket = 0; + } + + if (!GetMSCacheTicketFromMITCred(data->LogonHandle, data->PackageId, context, mcreds, &msticket)) { + kret = KRB5_CC_NOTFOUND; + goto cleanup; + } + + /* convert the ticket */ + GetMSTGT(data->LogonHandle, data->PackageId, &mstgt); + + MSCredToMITCred(msticket, mstgt ? mstgt->DomainName : msticket->DomainName, context, &fetchcreds); + + /* check to see if this ticket matches the request using logic from + * krb5_cc_retrieve_cred_default() + */ + if ( krb5int_cc_creds_match_request(context, whichfields, mcreds, &fetchcreds) ) { + *creds = fetchcreds; + } else { + krb5_free_cred_contents(context, &fetchcreds); + kret = KRB5_CC_NOTFOUND; + } + + cleanup: + if ( mstgt ) + LsaFreeReturnBuffer(mstgt); + if ( msticket ) + LsaFreeReturnBuffer(msticket); + if ( mcreds_noflags ) + krb5_free_creds(context, mcreds_noflags); + return kret; +} + + +/* + * We can't write to the MS LSA cache. So we request the cache to obtain a ticket for the same + * principal in the hope that next time the application requires a ticket for the service it + * is attempt to store, the retrieved ticket will be good enough. + * + * Errors: + * KRB5_CC_READONLY - not supported + */ +static krb5_error_code KRB5_CALLCONV +krb5_lcc_store(krb5_context context, krb5_ccache id, krb5_creds *creds) +{ + krb5_error_code kret = KRB5_OK; + krb5_lcc_data *data = (krb5_lcc_data *)id->data; + KERB_EXTERNAL_TICKET *msticket = 0; + krb5_creds * creds_noflags; + + if (!IsWindows2000()) + return KRB5_FCC_NOFILE; + + /* if not, we must try to get a ticket without specifying any flags or etypes */ + krb5_copy_creds(context, creds, &creds_noflags); + creds_noflags->ticket_flags = 0; + creds_noflags->keyblock.enctype = 0; + + if (GetMSCacheTicketFromMITCred(data->LogonHandle, data->PackageId, context, creds_noflags, &msticket)) { + LsaFreeReturnBuffer(msticket); + return KRB5_OK; + } + return KRB5_CC_READONLY; +} + +/* + * The ability to remove a credential from the MS LSA cache cannot be implemented. + * + * Errors: + * KRB5_CC_READONLY: + */ +static krb5_error_code KRB5_CALLCONV +krb5_lcc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags, + krb5_creds *creds) +{ + if (!IsWindows2000()) + return KRB5_FCC_NOFILE; + + return KRB5_CC_READONLY; +} + + +/* + * Effects: + * None - ignored + */ +static krb5_error_code KRB5_CALLCONV +krb5_lcc_set_flags(krb5_context context, krb5_ccache id, krb5_flags flags) +{ + if (!IsWindows2000()) + return KRB5_FCC_NOFILE; + + return KRB5_OK; +} + +const krb5_cc_ops krb5_lcc_ops = { + 0, + "MSLSA", + krb5_lcc_get_name, + krb5_lcc_resolve, + krb5_lcc_generate_new, + krb5_lcc_initialize, + krb5_lcc_destroy, + krb5_lcc_close, + krb5_lcc_store, + krb5_lcc_retrieve, + krb5_lcc_get_principal, + krb5_lcc_start_seq_get, + krb5_lcc_next_cred, + krb5_lcc_end_seq_get, + krb5_lcc_remove_cred, + krb5_lcc_set_flags +}; +#endif /* _WIN32 */
\ No newline at end of file diff --git a/src/lib/krb5/ccache/cc_retr.c b/src/lib/krb5/ccache/cc_retr.c index ebd6193..5ddb2cc 100644 --- a/src/lib/krb5/ccache/cc_retr.c +++ b/src/lib/krb5/ccache/cc_retr.c @@ -27,6 +27,7 @@ */ #include "k5-int.h" +#include "cc-int.h" #define KRB5_OK 0 @@ -157,6 +158,40 @@ pref (krb5_enctype my_ktype, int nktypes, krb5_enctype *ktypes) * KRB5_CC_NOT_KTYPE */ +krb5_boolean +krb5int_cc_creds_match_request(krb5_context context, krb5_flags whichfields, krb5_creds *mcreds, krb5_creds *creds) +{ + if (((set(KRB5_TC_MATCH_SRV_NAMEONLY) && + srvname_match(context, mcreds, creds)) || + standard_fields_match(context, mcreds, creds)) + && + (! set(KRB5_TC_MATCH_IS_SKEY) || + mcreds->is_skey == creds->is_skey) + && + (! set(KRB5_TC_MATCH_FLAGS_EXACT) || + mcreds->ticket_flags == creds->ticket_flags) + && + (! set(KRB5_TC_MATCH_FLAGS) || + flags_match(mcreds->ticket_flags, creds->ticket_flags)) + && + (! set(KRB5_TC_MATCH_TIMES_EXACT) || + times_match_exact(&mcreds->times, &creds->times)) + && + (! set(KRB5_TC_MATCH_TIMES) || + times_match(&mcreds->times, &creds->times)) + && + ( ! set(KRB5_TC_MATCH_AUTHDATA) || + authdata_match(mcreds->authdata, creds->authdata)) + && + (! set(KRB5_TC_MATCH_2ND_TKT) || + data_match (&mcreds->second_ticket, &creds->second_ticket)) + && + ((! set(KRB5_TC_MATCH_KTYPE))|| + (mcreds->keyblock.enctype == creds->keyblock.enctype))) + return TRUE; + return FALSE; +} + static krb5_error_code krb5_cc_retrieve_cred_seq (krb5_context context, krb5_ccache id, krb5_flags whichfields, krb5_creds *mcreds, krb5_creds *creds, int nktypes, krb5_enctype *ktypes) { @@ -178,34 +213,8 @@ krb5_cc_retrieve_cred_seq (krb5_context context, krb5_ccache id, krb5_flags whic return kret; while ((kret = krb5_cc_next_cred(context, id, &cursor, &fetchcreds)) == KRB5_OK) { - if (((set(KRB5_TC_MATCH_SRV_NAMEONLY) && - srvname_match(context, mcreds, &fetchcreds)) || - standard_fields_match(context, mcreds, &fetchcreds)) - && - (! set(KRB5_TC_MATCH_IS_SKEY) || - mcreds->is_skey == fetchcreds.is_skey) - && - (! set(KRB5_TC_MATCH_FLAGS_EXACT) || - mcreds->ticket_flags == fetchcreds.ticket_flags) - && - (! set(KRB5_TC_MATCH_FLAGS) || - flags_match(mcreds->ticket_flags, fetchcreds.ticket_flags)) - && - (! set(KRB5_TC_MATCH_TIMES_EXACT) || - times_match_exact(&mcreds->times, &fetchcreds.times)) - && - (! set(KRB5_TC_MATCH_TIMES) || - times_match(&mcreds->times, &fetchcreds.times)) - && - ( ! set(KRB5_TC_MATCH_AUTHDATA) || - authdata_match(mcreds->authdata, fetchcreds.authdata)) - && - (! set(KRB5_TC_MATCH_2ND_TKT) || - data_match (&mcreds->second_ticket, &fetchcreds.second_ticket)) - && - ((! set(KRB5_TC_MATCH_KTYPE))|| - (mcreds->keyblock.enctype == fetchcreds.keyblock.enctype))) - { + if (krb5int_cc_creds_match_request(context, whichfields, mcreds, &fetchcreds)) + { if (ktypes) { fetched.pref = pref (fetchcreds.keyblock.enctype, nktypes, ktypes); diff --git a/src/lib/krb5/ccache/ccbase.c b/src/lib/krb5/ccache/ccbase.c index ddd5e80..8bb178e 100644 --- a/src/lib/krb5/ccache/ccbase.c +++ b/src/lib/krb5/ccache/ccbase.c @@ -29,6 +29,8 @@ #include "k5-int.h" +#include "fcc.h" + struct krb5_cc_typelist { krb5_cc_ops *ops; @@ -36,9 +38,19 @@ struct krb5_cc_typelist }; extern const krb5_cc_ops krb5_mcc_ops; -static struct krb5_cc_typelist cc_entry = { &krb5_mcc_ops, NULL }; +#ifdef _WIN32 +extern const krb5_cc_ops krb5_lcc_ops; +static struct krb5_cc_typelist cc_lcc_entry = { &krb5_lcc_ops, NULL }; +static struct krb5_cc_typelist cc_mcc_entry = { &krb5_mcc_ops, &cc_lcc_entry }; +#else +static struct krb5_cc_typelist cc_mcc_entry = { &krb5_mcc_ops, NULL }; +#endif + +static struct krb5_cc_typelist cc_fcc_entry = { &krb5_cc_file_ops, + &cc_mcc_entry }; + +static struct krb5_cc_typelist *cc_typehead = &cc_fcc_entry; -static struct krb5_cc_typelist *cc_typehead = &cc_entry; /* * Register a new credentials cache type @@ -99,8 +111,22 @@ krb5_cc_resolve (krb5_context context, const char *name, krb5_ccache *cache) if (!pfx) return ENOMEM; - memcpy (pfx, name, pfxlen); - pfx[pfxlen] = '\0'; + if ( pfxlen == 1 && isalpha(name[0]) ) { + /* We found a drive letter not a prefix - use FILE: */ + pfx = strdup("FILE:"); + if (!pfx) + return ENOMEM; + + resid = name; + } else { + resid = name + pfxlen + 1; + + pfx = malloc (pfxlen+1); + if (!pfx) + return ENOMEM; + memcpy (pfx, name, pfxlen); + pfx[pfxlen] = '\0'; + } *cache = (krb5_ccache) 0; diff --git a/src/lib/krb5/ccache/ccdefault.c b/src/lib/krb5/ccache/ccdefault.c index 71e6f9c..3dfb1a3 100644 --- a/src/lib/krb5/ccache/ccdefault.c +++ b/src/lib/krb5/ccache/ccdefault.c @@ -31,6 +31,11 @@ #ifdef USE_LOGIN_LIBRARY #include "KerberosLoginPrivate.h" +#else +#ifdef USE_LEASH +static void (*pLeash_AcquireInitialTicketsIfNeeded)(krb5_context,krb5_principal) = NULL; +static HANDLE hLeashDLL = INVALID_HANDLE_VALUE; +#endif #endif @@ -111,6 +116,29 @@ krb5int_cc_default(krb5_context context, krb5_ccache *ccache) if (desiredPrincipal != nil) KLDisposePrincipal (desiredPrincipal); } +#else +#ifdef USE_LEASH + + if ( hLeashDLL == INVALID_HANDLE_VALUE ) { + hLeashDLL = LoadLibrary("leashw32.dll"); + if ( hLeashDLL != INVALID_HANDLE_VALUE ) { + (FARPROC) pLeash_AcquireInitialTicketsIfNeeded = + GetProcAddress(hLeashDLL, "not_an_API_Leash_AcquireInitialTicketsIfNeeded"); + } + } + + if ( pLeash_AcquireInitialTicketsIfNeeded ) + { + krb5_os_context os_ctx; + + if (!context || context->magic != KV5M_CONTEXT) + return KV5M_CONTEXT; + + os_ctx = context->os_context; + + pLeash_AcquireInitialTicketsIfNeeded(context,os_ctx->default_ccprincipal); + } +#endif #endif return krb5_cc_default (context, ccache); diff --git a/src/lib/krb5/error_tables/.Sanitize b/src/lib/krb5/error_tables/.Sanitize index b952162..ba18e42 100644 --- a/src/lib/krb5/error_tables/.Sanitize +++ b/src/lib/krb5/error_tables/.Sanitize @@ -34,6 +34,7 @@ configure.in init_ets.c kdb5_err.et krb5_err.et +krb524_err.et kv5m_err.et Things-to-lose: diff --git a/src/lib/krb5/error_tables/ChangeLog b/src/lib/krb5/error_tables/ChangeLog index 2de7f07..c51b6c7 100644 --- a/src/lib/krb5/error_tables/ChangeLog +++ b/src/lib/krb5/error_tables/ChangeLog @@ -1,3 +1,30 @@ +2004-01-06 Jeffrey Altman <jaltman@mit.edu> + + * krb5_err.et (KRB5_CC_NOSUPP) new ccache error code + +2003-12-12 Jeffrey Altman <jaltman@mit.edu> + + * krb5_err.et (KRB5_CC_READONLY) new ccache error code + +2003-07-19 Ezra Peisach <epeisach@mit.edu> + + * init_ets.c (krb5_init_ets): Only initialize error tables once - + so that init_conext/free_context loops do not result in memory + leaks. + +2003-06-03 Ken Raeburn <raeburn@mit.edu> + + * krb5_err.et (KRB5_ERR_NO_SERVICE): New error code. + +2003-05-24 Ken Raeburn <raeburn@mit.edu> + + * krb524_err.et: New file, moved from ../../../krb524. Add new + error code KRB524_KRB4_DISABLED. + * Makefile.in (STLIBOBJS, HDRS, OBJS, ETSRCS, SRCS, awk-windows): + Add it. + ($(OUTPRE)krb524_err.$(OBJEXT)): List dependence on .c file. + * init_ets.c (krb5_init_ets): Call initialize_k524_error_table. + 2003-03-04 Ken Raeburn <raeburn@mit.edu> * krb5_err.et (KRB5_ERR_BAD_S2K_PARAMS): New error code. diff --git a/src/lib/krb5/error_tables/Makefile.in b/src/lib/krb5/error_tables/Makefile.in index da1f770..0192f79 100644 --- a/src/lib/krb5/error_tables/Makefile.in +++ b/src/lib/krb5/error_tables/Makefile.in @@ -12,13 +12,14 @@ THDRDIR=$(BUILDTOP)$(S)include EHDRDIR=$(BUILDTOP)$(S)include$(S)krb5 STLIBOBJS= asn1_err.o kdb5_err.o krb5_err.o \ - kv5m_err.o init_ets.o + kv5m_err.o krb524_err.o init_ets.o -HDRS= asn1_err.h kdb5_err.h krb5_err.h kv5m_err.h +HDRS= asn1_err.h kdb5_err.h krb5_err.h kv5m_err.h krb524_err.h OBJS= $(OUTPRE)asn1_err.$(OBJEXT) $(OUTPRE)kdb5_err.$(OBJEXT) $(OUTPRE)krb5_err.$(OBJEXT) \ - $(OUTPRE)kv5m_err.$(OBJEXT) $(OUTPRE)init_ets.$(OBJEXT) -ETSRCS= asn1_err.c kdb5_err.c krb5_err.c kv5m_err.c -SRCS= asn1_err.c kdb5_err.c krb5_err.c kv5m_err.c \ + $(OUTPRE)kv5m_err.$(OBJEXT) $(OUTPRE)krb524_err.$(OBJEXT) \ + $(OUTPRE)init_ets.$(OBJEXT) +ETSRCS= asn1_err.c kdb5_err.c krb5_err.c kv5m_err.c krb524_err.c +SRCS= asn1_err.c kdb5_err.c krb5_err.c kv5m_err.c krb524_err.c \ $(srcdir)/init_ets.c ##DOS##LIBOBJS = $(OBJS) @@ -40,14 +41,17 @@ awk-windows: $(AWK) -f $(SRCTOP)/util/et/et_h.awk outfile=kdb5_err.h kdb5_err.et $(AWK) -f $(SRCTOP)/util/et/et_h.awk outfile=krb5_err.h krb5_err.et $(AWK) -f $(SRCTOP)/util/et/et_h.awk outfile=kv5m_err.h kv5m_err.et + $(AWK) -f $(SRCTOP)/util/et/et_h.awk outfile=krb524_err.h krb524_err.et $(AWK) -f $(SRCTOP)/util/et/et_c.awk outfile=asn1_err.c asn1_err.et $(AWK) -f $(SRCTOP)/util/et/et_c.awk outfile=kdb5_err.c kdb5_err.et $(AWK) -f $(SRCTOP)/util/et/et_c.awk outfile=krb5_err.c krb5_err.et $(AWK) -f $(SRCTOP)/util/et/et_c.awk outfile=kv5m_err.c kv5m_err.et + $(AWK) -f $(SRCTOP)/util/et/et_c.awk outfile=krb524_err.c krb524_err.et if exist asn1_err.h copy asn1_err.h "$(EHDRDIR)" if exist kdb5_err.h copy kdb5_err.h "$(EHDRDIR)" if exist krb5_err.h copy krb5_err.h "$(EHDRDIR)" if exist kv5m_err.h copy kv5m_err.h "$(EHDRDIR)" + if exist krb524_err.h copy krb524_err.h "$(EHDRDIR)" # # dependencies for traditional makes @@ -56,6 +60,7 @@ $(OUTPRE)asn1_err.$(OBJEXT): asn1_err.c $(OUTPRE)kdb5_err.$(OBJEXT): kdb5_err.c $(OUTPRE)krb5_err.$(OBJEXT): krb5_err.c $(OUTPRE)kv5m_err.$(OBJEXT): kv5m_err.c +$(OUTPRE)krb524_err.$(OBJEXT): krb524_err.c clean-unix:: clean-libobjs $(RM) $(HDRS) $(ETSRCS) @@ -71,9 +76,10 @@ asn1_err.so asn1_err.po $(OUTPRE)asn1_err.$(OBJEXT): asn1_err.c $(COM_ERR_DEPS) kdb5_err.so kdb5_err.po $(OUTPRE)kdb5_err.$(OBJEXT): kdb5_err.c $(COM_ERR_DEPS) krb5_err.so krb5_err.po $(OUTPRE)krb5_err.$(OBJEXT): krb5_err.c $(COM_ERR_DEPS) kv5m_err.so kv5m_err.po $(OUTPRE)kv5m_err.$(OBJEXT): kv5m_err.c $(COM_ERR_DEPS) +krb524_err.so krb524_err.po $(OUTPRE)krb524_err.$(OBJEXT): krb524_err.c $(COM_ERR_DEPS) init_ets.so init_ets.po $(OUTPRE)init_ets.$(OBJEXT): init_ets.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h diff --git a/src/lib/krb5/error_tables/init_ets.c b/src/lib/krb5/error_tables/init_ets.c index 0ac810a..56a750e 100644 --- a/src/lib/krb5/error_tables/init_ets.c +++ b/src/lib/krb5/error_tables/init_ets.c @@ -32,10 +32,16 @@ void krb5_init_ets (krb5_context context) { - initialize_krb5_error_table(); - initialize_kv5m_error_table(); - initialize_kdb5_error_table(); - initialize_asn1_error_table(); + static int inited = 0; + + if (inited == 0) { + initialize_krb5_error_table(); + initialize_kv5m_error_table(); + initialize_kdb5_error_table(); + initialize_asn1_error_table(); + initialize_k524_error_table(); + inited++; + } } void diff --git a/src/lib/krb5/error_tables/krb524_err.et b/src/lib/krb5/error_tables/krb524_err.et new file mode 100644 index 0000000..5a4a004 --- /dev/null +++ b/src/lib/krb5/error_tables/krb524_err.et @@ -0,0 +1,34 @@ +# Copyright 1994 by OpenVision Technologies, Inc. +# +# Permission to use, copy, modify, distribute, and sell this software +# and its documentation for any purpose is hereby granted without fee, +# provided that the above copyright notice appears in all copies and +# that both that copyright notice and this permission notice appear in +# supporting documentation, and that the name of OpenVision not be used +# in advertising or publicity pertaining to distribution of the software +# without specific, written prior permission. OpenVision makes no +# representations about the suitability of this software for any +# purpose. It is provided "as is" without express or implied warranty. +# +# OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, +# INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO +# EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR +# CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF +# USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR +# OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. +# + +error_table k524 + +error_code KRB524_BADKEY, "Cannot convert V5 keyblock" +error_code KRB524_BADADDR, "Cannot convert V5 address information" +error_code KRB524_BADPRINC, "Cannot convert V5 principal" +error_code KRB524_BADREALM, "V5 realm name longer than V4 maximum" +error_code KRB524_V4ERR, "Kerberos V4 error" +error_code KRB524_ENCFULL, "Encoding too large" +error_code KRB524_DECEMPTY, "Decoding out of data" +error_code KRB524_NOTRESP, "Service not responding" +error_code KRB524_KRB4_DISABLED, "Kerberos version 4 support is disabled" + +end diff --git a/src/lib/krb5/error_tables/krb5_err.et b/src/lib/krb5/error_tables/krb5_err.et index b401c92..b03d376 100644 --- a/src/lib/krb5/error_tables/krb5_err.et +++ b/src/lib/krb5/error_tables/krb5_err.et @@ -336,4 +336,8 @@ error_code KRB5_ERR_NUMERIC_REALM, "Cannot determine realm for numeric host addr error_code KRB5_ERR_BAD_S2K_PARAMS, "Invalid key generation parameters from KDC" +error_code KRB5_ERR_NO_SERVICE, "service not available" + +error_code KRB5_CC_READONLY, "Ccache function not supported: read-only ccache type" +error_code KRB5_CC_NOSUPP, "Ccache function not supported: not implemented" end diff --git a/src/lib/krb5/keytab/ChangeLog b/src/lib/krb5/keytab/ChangeLog index ef0e702..ab8200d 100644 --- a/src/lib/krb5/keytab/ChangeLog +++ b/src/lib/krb5/keytab/ChangeLog @@ -1,3 +1,42 @@ +2004-04-13 Jeffrey Altman <jaltman@mit.edu> + + * ktbase.c: + Since we have to reserve all the single letter + prefixes make them apply to all platforms + +2004-04-13 Jeffrey Altman <jaltman@mit.edu> + + * ktbase.c: On Windows, improve the treat drive letter + prefix string as a FILE: keytab change to work if the + default keytab type was changed to not be of type FILE: + +2004-04-08 Jeffrey Altman <jaltman@mit.edu> + + * ktbase.c: Restore the thread safety fixes + +2004-04-08 Jeffrey Altman <jaltman@mit.edu> + + * ktbase.c: On Windows, if we see a colon do not assume it means + we found a prefix string unless the length of the prefix is + not equal to one. If it is one, it means we found a drive letter + and not a prefix. + +2003-05-22 Tom Yu <tlyu@mit.edu> + + * kt_file.c (krb5_ktfile_get_entry): Check principal name prior to + checking enctype. Suggested by Wyllys Ingersoll. + +2003-05-19 Sam Hartman <hartmans@mit.edu> + + * ktbase.c: Register writable keytab by default + +2003-04-01 Nalin Dahyabhai <nalin@redhat.com> + + * kt_file.c (krb5_ktfileint_internal_read_entry): Use + krb5_princ_size instead of direct field access. + (krb5_ktfileint_write_entry, krb5_ktfileint_size_entry): + Likewise. + 2003-02-08 Tom Yu <tlyu@mit.edu> * kt_file.c (krb5_ktfile_get_entry): Fix comment; not going to diff --git a/src/lib/krb5/keytab/Makefile.in b/src/lib/krb5/keytab/Makefile.in index 545cd27..731c34b 100644 --- a/src/lib/krb5/keytab/Makefile.in +++ b/src/lib/krb5/keytab/Makefile.in @@ -64,47 +64,47 @@ clean-windows:: # ktadd.so ktadd.po $(OUTPRE)ktadd.$(OBJEXT): ktadd.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h ktbase.so ktbase.po $(OUTPRE)ktbase.$(OBJEXT): ktbase.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h ktdefault.so ktdefault.po $(OUTPRE)ktdefault.$(OBJEXT): ktdefault.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h ktfr_entry.so ktfr_entry.po $(OUTPRE)ktfr_entry.$(OBJEXT): ktfr_entry.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h ktremove.so ktremove.po $(OUTPRE)ktremove.$(OBJEXT): ktremove.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h ktfns.so ktfns.po $(OUTPRE)ktfns.$(OBJEXT): ktfns.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h kt_file.so kt_file.po $(OUTPRE)kt_file.$(OBJEXT): kt_file.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h kt_srvtab.so kt_srvtab.po $(OUTPRE)kt_srvtab.$(OBJEXT): kt_srvtab.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h read_servi.so read_servi.po $(OUTPRE)read_servi.$(OBJEXT): read_servi.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c index 9e4f15a..3175de7 100644 --- a/src/lib/krb5/keytab/kt_file.c +++ b/src/lib/krb5/keytab/kt_file.c @@ -258,6 +258,14 @@ krb5_ktfile_get_entry(krb5_context context, krb5_keytab id, krb5_const_principal and copy new_entry there, or free new_entry. Otherwise, it leaks. */ + /* if the principal isn't the one requested, free new_entry + and continue to the next. */ + + if (!krb5_principal_compare(context, principal, new_entry.principal)) { + krb5_kt_free_entry(context, &new_entry); + continue; + } + /* if the enctype is not ignored and doesn't match, free new_entry and continue to the next */ @@ -281,14 +289,6 @@ krb5_ktfile_get_entry(krb5_context context, krb5_keytab id, krb5_const_principal } - /* if the principal isn't the one requested, free new_entry - and continue to the next. */ - - if (!krb5_principal_compare(context, principal, new_entry.principal)) { - krb5_kt_free_entry(context, &new_entry); - continue; - } - if (kvno == IGNORE_VNO) { /* if this is the first match, or if the new vno is bigger, free the current and keep the new. Otherwise, @@ -1324,7 +1324,7 @@ krb5_ktfileint_internal_read_entry(krb5_context context, krb5_keytab id, krb5_ke return 0; fail: - for (i = 0; i < ret_entry->principal->length; i++) { + for (i = 0; i < krb5_princ_size(context, ret_entry->principal); i++) { princ = krb5_princ_component(context, ret_entry->principal, i); if (princ->data) free(princ->data); @@ -1375,9 +1375,9 @@ krb5_ktfileint_write_entry(krb5_context context, krb5_keytab id, krb5_keytab_ent } if (KTVERSION(id) == KRB5_KT_VNO_1) { - count = (krb5_int16) entry->principal->length + 1; + count = (krb5_int16) krb5_princ_size(context, entry->principal) + 1; } else { - count = htons((u_short) entry->principal->length); + count = htons((u_short) krb5_princ_size(context, entry->principal)); } if (!xfwrite(&count, sizeof(count), 1, KTFILEP(id))) { @@ -1396,7 +1396,7 @@ krb5_ktfileint_write_entry(krb5_context context, krb5_keytab id, krb5_keytab_ent goto abend; } - count = (krb5_int16) entry->principal->length; + count = (krb5_int16) krb5_princ_size(context, entry->principal); for (i = 0; i < count; i++) { princ = krb5_princ_component(context, entry->principal, i); size = princ->length; @@ -1494,7 +1494,7 @@ krb5_ktfileint_size_entry(krb5_context context, krb5_keytab_entry *entry, krb5_i krb5_int32 total_size, i; krb5_error_code retval = 0; - count = (krb5_int16) entry->principal->length; + count = (krb5_int16) krb5_princ_size(context, entry->principal); total_size = sizeof(count); total_size += krb5_princ_realm(context, entry->principal)->length + (sizeof(krb5_int16)); diff --git a/src/lib/krb5/keytab/ktbase.c b/src/lib/krb5/keytab/ktbase.c index 41f473d..a03379d 100644 --- a/src/lib/krb5/keytab/ktbase.c +++ b/src/lib/krb5/keytab/ktbase.c @@ -30,15 +30,20 @@ #include "k5-int.h" extern const krb5_kt_ops krb5_ktf_ops; +extern const krb5_kt_ops krb5_ktf_writable_ops; extern const krb5_kt_ops krb5_kts_ops; struct krb5_kt_typelist { const krb5_kt_ops *ops; struct krb5_kt_typelist *next; }; +static struct krb5_kt_typelist krb5_kt_typelist_wrfile = { + &krb5_ktf_writable_ops, + 0 +}; static struct krb5_kt_typelist krb5_kt_typelist_file = { &krb5_ktf_ops, - 0 + &krb5_kt_typelist_wrfile }; static struct krb5_kt_typelist krb5_kt_typelist_srvtab = { &krb5_kts_ops, @@ -93,14 +98,31 @@ krb5_kt_resolve (krb5_context context, const char *name, krb5_keytab *ktid) } pfxlen = cp - name; - resid = name + pfxlen + 1; + +#if defined(_WIN32) + if ( pfxlen == 1 ) { + /* We found a drive letter not a prefix */ + return (*krb5_kt_dfl_ops.resolve)(context, name, ktid); + } +#endif + + if ( pfxlen == 1 && isalpha(name[0]) ) { + /* We found a drive letter not a prefix - use FILE: */ + pfx = strdup("FILE:"); + if (!pfx) + return ENOMEM; + + resid = name; + } else { + resid = name + pfxlen + 1; - pfx = malloc (pfxlen+1); - if (!pfx) - return ENOMEM; + pfx = malloc (pfxlen+1); + if (!pfx) + return ENOMEM; - memcpy (pfx, name, pfxlen); - pfx[pfxlen] = '\0'; + memcpy (pfx, name, pfxlen); + pfx[pfxlen] = '\0'; + } *ktid = (krb5_keytab) 0; diff --git a/src/lib/krb5/krb/.Sanitize b/src/lib/krb5/krb/.Sanitize index 7457c84..a2ab3a0 100644 --- a/src/lib/krb5/krb/.Sanitize +++ b/src/lib/krb5/krb/.Sanitize @@ -37,6 +37,7 @@ chk_trans.c cleanup.h configure configure.in +conv_creds.c conv_princ.c copy_addrs.c copy_athctr.c @@ -60,8 +61,6 @@ gen_seqnum.c gen_subkey.c get_creds.c get_in_tkt.c -in_tkt_ktb.c -in_tkt_pwd.c in_tkt_sky.c init_ctx.c int-proto.h @@ -106,6 +105,7 @@ t_ref_kerb.out t_ser.c tgtname.c unparse.c +v4lifetime.c valid_times.c walk_rtree.c diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog index c936ca4..274245a 100644 --- a/src/lib/krb5/krb/ChangeLog +++ b/src/lib/krb5/krb/ChangeLog @@ -1,3 +1,328 @@ +2004-05-12 Jeffrey Altman <jaltman@mit.edu> + + * send_tgs.c: krb5_send_tgs() was broken in the case of a KRB_ERROR + message. The krb5_response message_type field was never set + resulting in stack garbage being used instead. This would + break code which used transitive cross-realm to obtain service + tickets. + +2004-04-15 Sam Hartman <hartmans@mit.edu> + + * gic_pwd.c (krb5_get_init_creds_password): Free the as reply in + the !use_master case (Thanks to Lijian Liu) + +2004-02-06 Sam Hartman <hartmans@avalanche-breakdown.mit.edu> + + * init_ctx.c (DEFAULT_ETYPE_LIST): Include aes128-cts + +2003-12-13 Ken Raeburn <raeburn@mit.edu> + + * mk_req_ext.c (krb5int_generate_and_save_subkey): New function, + split out from krb5_mk_req_extended. + (krb5_mk_req_extended): Call it. + * mk_rep.c (krb5_mk_rep): If KRB5_AUTH_CONTEXT_USE_SUBKEY flag is + set, call krb5int_generate_and_save_subkey to set up a new subkey + to send to the client. + + * serialize.c (krb5_ser_pack_int64, krb5_ser_unpack_int64): New + functions. + +2003-10-30 Tom Yu <tlyu@mit.edu> + + * gen_seqnum.c (krb5_generate_seq_number): Fix mask; was short by + 4 bits. + +2003-10-08 Tom Yu <tlyu@mit.edu> + + * rd_safe.c (krb5_rd_safe_basic): Save the encoded KRB-SAFE-BODY + to avoid trouble caused by re-encoding. Also, handle correctly + implemented RFC 1510 KRB-SAFE, i.e., checksummed over + KRB-SAFE-BODY only. + +2003-09-02 Tom Yu <tlyu@mit.edu> + + * conv_creds.c (krb524_convert_creds_plain): Apply patch from + Cesar Garcia to fix lifetime computation. + +2003-08-19 SamHartman <hartmans@avalanche-breakdown.mit.edu> + + * rd_cred.c (decrypt_credencdata): Don't double free credentials. + +2003-08-08 Tom Yu <tlyu@mit.edu> + + * gic_pwd.c (krb5_get_init_creds_password): If DNS SRV support is + turned off, the second call to get_init_creds() will fail with + KRB5_REALM_UNKNOWN under certain circumstances. If that happens, + return the error from the first call to get_init_creds(), which + will be more useful to the user. + +2003-07-22 Sam Hartman <hartmans@avalanche-breakdown.mit.edu> + + * preauth2.c (krb5_do_preauth): Use the etype_info2 decoder for decoding etype_info2 + (krb5_do_preauth): If an invalid encoding of etype_info or + etype_info2 is received, ignore it rather than failing the request + +2003-07-09 Alexandra Ellwood <lxs@mit.edu> + + * init_ctx.c: Export krb5_get_permitted_enctypes for Samba. + +2003-06-27 Tom Yu <tlyu@mit.edu> + + * gic_keytab.c (krb5_get_in_tkt_with_keytab): Pass (void*)keytab, + not &keytab, to get_init_creds. Thanks to Herb Lewis. + +2003-06-16 Sam Hartman <hartmans@mit.edu> + + * fwd_tgt.c (krb5_fwd_tgt_creds): Set use_conf_ktypes to true while getting the TGT key + +2003-06-13 Tom Yu <tlyu@mit.edu> + + * rd_rep.c (krb5_rd_rep): Free subkeys before replacing them, if + needed. This avoids a memory leak. + +2003-06-11 Tom Yu <tlyu@mit.edu> + + * srv_rcache.c (krb5_get_server_rcache): Octal escapes begin with + hyphen now, since backslash is a pathname separator on DOS. + +2003-06-06 Sam Hartman <hartmans@mit.edu> + + * get_in_tkt.c (krb5_get_init_creds): Mask out renewable_ok if the + request is for a renewable ticket with rtime greater than till + +2003-06-06 Ezra Peisach <epeisach@mit.edu> + + * mk_req_ext.c (krb5_generate_authenticator): Sequence numbers are + unsigned now. + +2003-05-30 Ken Raeburn <raeburn@mit.edu> + + * get_in_tkt.c (krb5_get_init_creds): Change hardcoded default + ticket lifetime from 10 hours to 24 hours. + + * init_ctx.c (DEFAULT_KDC_TIMESYNC): Define as 1 always. + (DEFAULT_CCACHE_TYPE): Define as 4 always. + +2003-05-30 Alexandra Ellwood <lxs@mit.edu> + + * get_in_tkt.c: (verify_as_reply) Only check the renewable lifetime + of tickets whose request options included KDC_OPT_RENEWABLE_OK + if those options did not also include KDC_OPT_RENEWABLE. Otherwise + verify_as_reply() will fail for all renewable tickets. + +2003-05-27 Ken Raeburn <raeburn@mit.edu> + + * conv_creds.c: Enable support on Windows always. + (krb5_524_convert_creds): Renamed from krb524_convert_creds_kdc. + (krb524_convert_creds_kdc, krb524_init_ets) [!_WIN32]: Backwards + compatibility functions. + +2003-05-27 Sam Hartman <hartmans@mit.edu> + + * gic_keytab.c (krb5_get_in_tkt_with_keytab): as below + + * gic_pwd.c (krb5_get_in_tkt_with_password): Store client and + server principals to avoid memory leak + +2003-05-24 Ken Raeburn <raeburn@mit.edu> + + * conv_creds.c: New file, moved from krb524/conv_creds.c and + krb524/encode.c. Rename exported encode routine, make other + encode and decode routines static. If KRB5_KRB4_COMPAT is not + defined, return an error. + * v4lifetime.c: New file, moved from lib/krb4/lifetime.c. Renamed + functions, changed interface to use krb5 types. + * Makefile.in (STLIBOBJS, OBJS, SRCS): Add them. + +2003-05-23 Sam Hartman <hartmans@mit.edu> + + * get_in_tkt.c (krb5_get_init_creds): Initialize options based on + context.kdc_default_options + +2003-05-22 Tom Yu <tlyu@mit.edu> + + * gen_seqnum.c (krb5_generate_seq_number): Fix think-o on sequence + number mask. + + * auth_con.c (krb5int_auth_con_chkseqnum): New function; implement + heuristic for broken Heimdal sequence number encoding. + (chk_heimdal_seqnum): Auxiliary function for above. + + * auth_con.h: Add flags for sequence number heuristic. + + * rd_priv.c: Use krb5int_auth_con_chkseqnum. + + * rd_safe.c: Use krb5int_auth_con_chkseqnum. + +2003-05-22 Sam Hartman <hartmans@mit.edu> + + * gic_pwd.c (krb5int_populate_gic_opt): returns void + +2003-05-21 Tom Yu <tlyu@mit.edu> + + * gic_pwd.c (krb5_get_in_tkt_with_password): Set pw0.length + correctly if a password is passed in. + +2003-05-20 Sam Hartman <hartmans@mit.edu> + + * Makefile.in (SRCS): Remove in_ktb.c + + * gic_keytab.c (krb5_get_in_tkt_with_keytab): Move from + in_tkt_keytab.c and rewrite to use krb5_get_init_creds + + * gic_pwd.c (krb5_get_in_tkt_with_password): Moved here from + in_tkt_pwd.c so it can share code with + krb5_get_init_creds_password. Rewritten to call + krb5_get_in_tkt_password + + * Makefile.in (SRCS): Delete in_tkt_pwd.c + +2003-05-18 Tom Yu <tlyu@mit.edu> + + * auth_con.h: Sequence numbers are now unsigned. + + * gen_seqnum.c (krb5_generate_seq_number): Constrain initial + sequence number space to facilitate backwards compatibility. + +2003-05-16 Ken Raeburn <raeburn@mit.edu> + + * chpw.c (krb5int_rd_chpw_rep): Allow new kpasswd error codes up + through _INITIAL_FLAG_NEEDED. + +2003-05-13 Sam Hartman <hartmans@mit.edu> + + * fwd_tgt.c (krb5_fwd_tgt_creds): Try with no specified enctype if + forwarding a specific enctype fails. l + + * get_in_tkt.c (krb5_get_init_creds): Free s2kparams + + * preauth2.c (krb5_do_preauth): Fix memory management + (pa_salt): Use copy_data_contents + + * copy_data.c (krb5int_copy_data_contents): New function + +2003-05-09 Sam Hartman <hartmans@mit.edu> + + * preauth2.c: Patch from Sun to reorganize code for handling + etype_info requests. More efficient and easier to implement etype_info2 + (krb5_do_preauth): Support enctype_info2 + +2003-05-08 Sam Hartman <hartmans@mit.edu> + + * preauth2.c: Add s2kparams to the declaration of a preauth + function, to every instance of a preauth function and to every + call to gak_fct + + * get_in_tkt.c (krb5_get_init_creds): Add s2kparams support + + * gic_keytab.c (krb5_get_as_key_keytab): Add s2kparams + + * gic_pwd.c (krb5_get_as_key_password): Add s2kparams support + +2003-05-09 Ken Raeburn <raeburn@mit.edu> + + * init_ctx.c (init_common): Copy tgs_ktypes array to + conf_tgs_ktypes. Clear use_conf_ktypes. + (krb5_free_context): Free conf_tgs_ktypes. + (krb5_get_tgs_ktypes): Use use_conf_ktypes to choose between + tgs_ktypes and conf_tgs_ktypes. + + * gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): Set use_conf_ktypes + in context to 1 for all operations except the acquisition of the + desired service ticket. + +2003-05-09 Tom Yu <tlyu@mit.edu> + + * auth_con.c (krb5_auth_con_setsendsubkey) + (krb5_auth_con_setrecvsubkey, krb5_auth_con_getsendsubkey) + (krb5_auth_con_getrecvsubkey): New functions. Set or retrieve + subkeys from an auth_context. + (krb5_auth_con_getlocalsubkey, krb5_auth_con_getremotesubkey): + Reimplement in terms of the above. + + * auth_con.h, ser_actx.c: Rename {local,remote}_subkey -> + {send,recv}_subkey. + + * chpw.c (krb5int_rd_chpw_rep): Save send_subkey prior to rd_rep; + use saved send_subkey to smash recv_subkey obtained from rd_rep. + + * mk_req_ext.c (krb5_mk_req_extended): Rename + {local,remote}_subkey -> {send,recv}_subkey. Set both subkeys if + subkey generation is requested. + + * mk_cred.c, mk_priv.c, mk_safe.c: Rename {local,remote}_subkey -> + {send,recv}_subkey. Use either send_subkey or keyblock, in that + order. + + * rd_cred.c, rd_priv.c, rd_safe.c: Rename {local,remote}_subkey -> + {send,recv}_subkey. Use either recv_subkey or keyblock, in that + order. + + * rd_rep.c (krb5_rd_rep): Rename {local,remote}_subkey -> + {send,recv}_subkey. Set both subkeys if a subkey is present in + the AP-REP message. + + * rd_req_dec.c (krb5_rd_req_decoded_opt): Rename + {local,remote}_subkey -> {send,recv}_subkey. Set both subkeys if + a subkey is present in the AP-REQ message. + +2003-05-06 Sam Hartman <hartmans@mit.edu> + + * kfree.c (krb5_free_etype_info): Free s2kparams + +2003-04-27 Sam Hartman <hartmans@mit.edu> + + * chpw.c (krb5int_setpw_result_code_string): Make internal + +2003-04-25 Sam Hartman <hartmans@mit.edu> + + * chpw.c (krb5int_rd_setpw_rep): Fix error handling; allow + krberrors to be read correctly; fix memory alloctaion so that + allocated structures are freed. + +2003-04-24 Ezra Peisach <epeisach@mit.edu> + + * kfree.c (krb5_free_pwd_sequences): Correction to previous + fix. Free contents of krb5_data - not just the pointer. + +2003-04-23 Ezra Peisach <epeisach@mit.edu> + + * kfree.c (krb5_free_pwd_sequences): Actually free the entire + sequence of passwd_phase_elements and not just the first one. + +2003-04-16 Sam Hartman <hartmans@mit.edu> + + * chpw.c (krb5int_mk_setpw_req): Use encode_krb5_setpw_req. Fix + memory handling to free data that is allocated + +2003-04-15 Sam Hartman <hartmans@mit.edu> + + * chpw.c (krb5int_mk_setpw_req krb5int_rd_setpw_rep): New function + +2003-04-13 Ken Raeburn <raeburn@mit.edu> + + * init_ctx.c (DEFAULT_ETYPE_LIST): Add AES with 256 bits at the + front of the list. No 128-bit support by defaut. + +2003-04-01 Nalin Dahyabhai <nalin@redhat.com> + + * gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): Check principal name + length before examining components. + + * parse.c (krb5_parse_name): Double-check principal name length + before filling in components. + + * srv_rcache.c (krb5_get_server_rcache): Check for null pointer + supplied in place of name. + + * unparse.c (krb5_unparse_name_ext): Don't move buffer pointer + backwards if nothing has been put into the buffer yet. + +2003-04-01 Sam Hartman <hartmans@mit.edu> + + * rd_req.c (krb5_rd_req): If AUTH_CONTEXT_DO_TIME is cleared, + don't set up a replay cache. + 2003-03-08 Ezra Peisach <epeisach@mit.edu> * t_kerb.c: Only include krb.h if krb4 support compiled in, diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in index 18627b1..b703e56 100644 --- a/src/lib/krb5/krb/Makefile.in +++ b/src/lib/krb5/krb/Makefile.in @@ -23,6 +23,7 @@ STLIBOBJS= \ bld_princ.o \ chk_trans.o \ chpw.o \ + conv_creds.o \ conv_princ.o \ copy_addrs.o \ copy_auth.o \ @@ -51,8 +52,6 @@ STLIBOBJS= \ gic_keytab.o \ gic_opt.o \ gic_pwd.o \ - in_tkt_ktb.o \ - in_tkt_pwd.o \ in_tkt_sky.o \ init_ctx.o \ init_keyblock.o \ @@ -95,6 +94,7 @@ STLIBOBJS= \ str_conv.o \ tgtname.o \ unparse.o \ + v4lifetime.o \ valid_times.o \ vfy_increds.o \ vic_opt.o \ @@ -109,6 +109,7 @@ OBJS= $(OUTPRE)addr_comp.$(OBJEXT) \ $(OUTPRE)bld_princ.$(OBJEXT) \ $(OUTPRE)chk_trans.$(OBJEXT) \ $(OUTPRE)chpw.$(OBJEXT) \ + $(OUTPRE)conv_creds.$(OBJEXT) \ $(OUTPRE)conv_princ.$(OBJEXT) \ $(OUTPRE)copy_addrs.$(OBJEXT) \ $(OUTPRE)copy_auth.$(OBJEXT) \ @@ -137,8 +138,6 @@ OBJS= $(OUTPRE)addr_comp.$(OBJEXT) \ $(OUTPRE)gic_keytab.$(OBJEXT) \ $(OUTPRE)gic_opt.$(OBJEXT) \ $(OUTPRE)gic_pwd.$(OBJEXT) \ - $(OUTPRE)in_tkt_ktb.$(OBJEXT) \ - $(OUTPRE)in_tkt_pwd.$(OBJEXT) \ $(OUTPRE)in_tkt_sky.$(OBJEXT) \ $(OUTPRE)init_ctx.$(OBJEXT) \ $(OUTPRE)init_keyblock.$(OBJEXT) \ @@ -181,6 +180,7 @@ OBJS= $(OUTPRE)addr_comp.$(OBJEXT) \ $(OUTPRE)str_conv.$(OBJEXT) \ $(OUTPRE)tgtname.$(OBJEXT) \ $(OUTPRE)unparse.$(OBJEXT) \ + $(OUTPRE)v4lifetime.$(OBJEXT) \ $(OUTPRE)valid_times.$(OBJEXT) \ $(OUTPRE)vfy_increds.$(OBJEXT) \ $(OUTPRE)vic_opt.$(OBJEXT) \ @@ -196,6 +196,7 @@ SRCS= $(srcdir)/addr_comp.c \ $(srcdir)/brand.c \ $(srcdir)/chk_trans.c \ $(srcdir)/chpw.c \ + $(srcdir)/conv_creds.c \ $(srcdir)/conv_princ.c \ $(srcdir)/copy_addrs.c \ $(srcdir)/copy_auth.c \ @@ -224,8 +225,6 @@ SRCS= $(srcdir)/addr_comp.c \ $(srcdir)/gic_keytab.c \ $(srcdir)/gic_opt.c \ $(srcdir)/gic_pwd.c \ - $(srcdir)/in_tkt_ktb.c \ - $(srcdir)/in_tkt_pwd.c \ $(srcdir)/in_tkt_sky.c \ $(srcdir)/init_ctx.c \ $(srcdir)/init_keyblock.c \ @@ -268,6 +267,7 @@ SRCS= $(srcdir)/addr_comp.c \ $(srcdir)/str_conv.c \ $(srcdir)/tgtname.c \ $(srcdir)/unparse.c \ + $(srcdir)/v4lifetime.c \ $(srcdir)/valid_times.c \ $(srcdir)/vfy_increds.c \ $(srcdir)/vic_opt.c \ @@ -367,449 +367,482 @@ clean:: # addr_comp.so addr_comp.po $(OUTPRE)addr_comp.$(OBJEXT): addr_comp.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h addr_order.so addr_order.po $(OUTPRE)addr_order.$(OBJEXT): addr_order.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h addr_srch.so addr_srch.po $(OUTPRE)addr_srch.$(OBJEXT): addr_srch.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h appdefault.so appdefault.po $(OUTPRE)appdefault.$(OBJEXT): appdefault.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h auth_con.so auth_con.po $(OUTPRE)auth_con.$(OBJEXT): auth_con.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h auth_con.h + auth_con.h bld_pr_ext.so bld_pr_ext.po $(OUTPRE)bld_pr_ext.$(OBJEXT): bld_pr_ext.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h bld_princ.so bld_princ.po $(OUTPRE)bld_princ.$(OBJEXT): bld_princ.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h brand.so brand.po $(OUTPRE)brand.$(OBJEXT): brand.c chk_trans.so chk_trans.po $(OUTPRE)chk_trans.$(OBJEXT): chk_trans.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h chpw.so chpw.po $(OUTPRE)chpw.$(OBJEXT): chpw.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/krb5_err.h \ - auth_con.h -conv_princ.so conv_princ.po $(OUTPRE)conv_princ.$(OBJEXT): conv_princ.c $(SRCTOP)/include/k5-int.h \ + $(BUILDTOP)/include/krb5_err.h auth_con.h +conv_creds.so conv_creds.po $(OUTPRE)conv_creds.$(OBJEXT): conv_creds.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ + $(KRB_ERR_H_DEP) +conv_princ.so conv_princ.po $(OUTPRE)conv_princ.$(OBJEXT): conv_princ.c $(SRCTOP)/include/k5-int.h \ + $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h copy_addrs.so copy_addrs.po $(OUTPRE)copy_addrs.$(OBJEXT): copy_addrs.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h copy_auth.so copy_auth.po $(OUTPRE)copy_auth.$(OBJEXT): copy_auth.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h copy_athctr.so copy_athctr.po $(OUTPRE)copy_athctr.$(OBJEXT): copy_athctr.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h copy_cksum.so copy_cksum.po $(OUTPRE)copy_cksum.$(OBJEXT): copy_cksum.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h copy_creds.so copy_creds.po $(OUTPRE)copy_creds.$(OBJEXT): copy_creds.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h copy_data.so copy_data.po $(OUTPRE)copy_data.$(OBJEXT): copy_data.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h copy_key.so copy_key.po $(OUTPRE)copy_key.$(OBJEXT): copy_key.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h copy_princ.so copy_princ.po $(OUTPRE)copy_princ.$(OBJEXT): copy_princ.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h copy_tick.so copy_tick.po $(OUTPRE)copy_tick.$(OBJEXT): copy_tick.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h cp_key_cnt.so cp_key_cnt.po $(OUTPRE)cp_key_cnt.$(OBJEXT): cp_key_cnt.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h decode_kdc.so decode_kdc.po $(OUTPRE)decode_kdc.$(OBJEXT): decode_kdc.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h decrypt_tk.so decrypt_tk.po $(OUTPRE)decrypt_tk.$(OBJEXT): decrypt_tk.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h deltat.so deltat.po $(OUTPRE)deltat.$(OBJEXT): deltat.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h enc_helper.so enc_helper.po $(OUTPRE)enc_helper.$(OBJEXT): enc_helper.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h encode_kdc.so encode_kdc.po $(OUTPRE)encode_kdc.$(OBJEXT): encode_kdc.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h encrypt_tk.so encrypt_tk.po $(OUTPRE)encrypt_tk.$(OBJEXT): encrypt_tk.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h free_rtree.so free_rtree.po $(OUTPRE)free_rtree.$(OBJEXT): free_rtree.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h fwd_tgt.so fwd_tgt.po $(OUTPRE)fwd_tgt.$(OBJEXT): fwd_tgt.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h gc_frm_kdc.so gc_frm_kdc.po $(OUTPRE)gc_frm_kdc.$(OBJEXT): gc_frm_kdc.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h int-proto.h + int-proto.h gc_via_tkt.so gc_via_tkt.po $(OUTPRE)gc_via_tkt.$(OBJEXT): gc_via_tkt.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h int-proto.h + int-proto.h gen_seqnum.so gen_seqnum.po $(OUTPRE)gen_seqnum.$(OBJEXT): gen_seqnum.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h gen_subkey.so gen_subkey.po $(OUTPRE)gen_subkey.$(OBJEXT): gen_subkey.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h get_creds.so get_creds.po $(OUTPRE)get_creds.$(OBJEXT): get_creds.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h get_in_tkt.so get_in_tkt.po $(OUTPRE)get_in_tkt.$(OBJEXT): get_in_tkt.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h int-proto.h $(srcdir)/../os/os-proto.h + int-proto.h $(srcdir)/../os/os-proto.h gic_keytab.so gic_keytab.po $(OUTPRE)gic_keytab.$(OBJEXT): gic_keytab.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h gic_opt.so gic_opt.po $(OUTPRE)gic_opt.$(OBJEXT): gic_opt.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h gic_pwd.so gic_pwd.po $(OUTPRE)gic_pwd.$(OBJEXT): gic_pwd.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h -in_tkt_ktb.so in_tkt_ktb.po $(OUTPRE)in_tkt_ktb.$(OBJEXT): in_tkt_ktb.c $(SRCTOP)/include/k5-int.h \ - $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h -in_tkt_pwd.so in_tkt_pwd.po $(OUTPRE)in_tkt_pwd.$(OBJEXT): in_tkt_pwd.c $(SRCTOP)/include/k5-int.h \ - $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h in_tkt_sky.so in_tkt_sky.po $(OUTPRE)in_tkt_sky.$(OBJEXT): in_tkt_sky.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h init_ctx.so init_ctx.po $(OUTPRE)init_ctx.$(OBJEXT): init_ctx.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h brand.c $(srcdir)/../krb5_libinit.h + brand.c $(srcdir)/../krb5_libinit.h init_keyblock.so init_keyblock.po $(OUTPRE)init_keyblock.$(OBJEXT): init_keyblock.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h kdc_rep_dc.so kdc_rep_dc.po $(OUTPRE)kdc_rep_dc.$(OBJEXT): kdc_rep_dc.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h kfree.so kfree.po $(OUTPRE)kfree.$(OBJEXT): kfree.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h mk_cred.so mk_cred.po $(OUTPRE)mk_cred.$(OBJEXT): mk_cred.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h cleanup.h auth_con.h + cleanup.h auth_con.h mk_error.so mk_error.po $(OUTPRE)mk_error.$(OBJEXT): mk_error.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h mk_priv.so mk_priv.po $(OUTPRE)mk_priv.$(OBJEXT): mk_priv.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h cleanup.h auth_con.h + cleanup.h auth_con.h mk_rep.so mk_rep.po $(OUTPRE)mk_rep.$(OBJEXT): mk_rep.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h auth_con.h + auth_con.h mk_req.so mk_req.po $(OUTPRE)mk_req.$(OBJEXT): mk_req.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h auth_con.h + auth_con.h mk_req_ext.so mk_req_ext.po $(OUTPRE)mk_req_ext.$(OBJEXT): mk_req_ext.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h auth_con.h + auth_con.h mk_safe.so mk_safe.po $(OUTPRE)mk_safe.$(OBJEXT): mk_safe.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h cleanup.h auth_con.h + cleanup.h auth_con.h parse.so parse.po $(OUTPRE)parse.$(OBJEXT): parse.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h pr_to_salt.so pr_to_salt.po $(OUTPRE)pr_to_salt.$(OBJEXT): pr_to_salt.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h preauth.so preauth.po $(OUTPRE)preauth.$(OBJEXT): preauth.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h preauth2.so preauth2.po $(OUTPRE)preauth2.$(OBJEXT): preauth2.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h princ_comp.so princ_comp.po $(OUTPRE)princ_comp.$(OBJEXT): princ_comp.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h rd_cred.so rd_cred.po $(OUTPRE)rd_cred.$(OBJEXT): rd_cred.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h cleanup.h auth_con.h + cleanup.h auth_con.h rd_error.so rd_error.po $(OUTPRE)rd_error.$(OBJEXT): rd_error.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h rd_priv.so rd_priv.po $(OUTPRE)rd_priv.$(OBJEXT): rd_priv.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h cleanup.h auth_con.h + cleanup.h auth_con.h rd_rep.so rd_rep.po $(OUTPRE)rd_rep.$(OBJEXT): rd_rep.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h auth_con.h + auth_con.h rd_req.so rd_req.po $(OUTPRE)rd_req.$(OBJEXT): rd_req.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h auth_con.h + auth_con.h rd_req_dec.so rd_req_dec.po $(OUTPRE)rd_req_dec.$(OBJEXT): rd_req_dec.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h auth_con.h + auth_con.h rd_safe.so rd_safe.po $(OUTPRE)rd_safe.$(OBJEXT): rd_safe.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h cleanup.h auth_con.h + cleanup.h auth_con.h recvauth.so recvauth.po $(OUTPRE)recvauth.$(OBJEXT): recvauth.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h auth_con.h + auth_con.h sendauth.so sendauth.po $(OUTPRE)sendauth.$(OBJEXT): sendauth.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h auth_con.h + auth_con.h send_tgs.so send_tgs.po $(OUTPRE)send_tgs.$(OBJEXT): send_tgs.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h ser_actx.so ser_actx.po $(OUTPRE)ser_actx.$(OBJEXT): ser_actx.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h int-proto.h auth_con.h + int-proto.h auth_con.h ser_adata.so ser_adata.po $(OUTPRE)ser_adata.$(OBJEXT): ser_adata.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h int-proto.h + int-proto.h ser_addr.so ser_addr.po $(OUTPRE)ser_addr.$(OBJEXT): ser_addr.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h int-proto.h + int-proto.h ser_auth.so ser_auth.po $(OUTPRE)ser_auth.$(OBJEXT): ser_auth.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h int-proto.h + int-proto.h ser_cksum.so ser_cksum.po $(OUTPRE)ser_cksum.$(OBJEXT): ser_cksum.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h int-proto.h + int-proto.h ser_ctx.so ser_ctx.po $(OUTPRE)ser_ctx.$(OBJEXT): ser_ctx.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h ser_eblk.so ser_eblk.po $(OUTPRE)ser_eblk.$(OBJEXT): ser_eblk.c ser_key.so ser_key.po $(OUTPRE)ser_key.$(OBJEXT): ser_key.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h int-proto.h + int-proto.h ser_princ.so ser_princ.po $(OUTPRE)ser_princ.$(OBJEXT): ser_princ.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h int-proto.h + int-proto.h serialize.so serialize.po $(OUTPRE)serialize.$(OBJEXT): serialize.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h set_realm.so set_realm.po $(OUTPRE)set_realm.$(OBJEXT): set_realm.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h srv_rcache.so srv_rcache.po $(OUTPRE)srv_rcache.$(OBJEXT): srv_rcache.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h str_conv.so str_conv.po $(OUTPRE)str_conv.$(OBJEXT): str_conv.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h tgtname.so tgtname.po $(OUTPRE)tgtname.$(OBJEXT): tgtname.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h int-proto.h + int-proto.h unparse.so unparse.po $(OUTPRE)unparse.$(OBJEXT): unparse.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h +v4lifetime.so v4lifetime.po $(OUTPRE)v4lifetime.$(OBJEXT): v4lifetime.c $(SRCTOP)/include/k5-int.h \ + $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h valid_times.so valid_times.po $(OUTPRE)valid_times.$(OBJEXT): valid_times.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h vfy_increds.so vfy_increds.po $(OUTPRE)vfy_increds.$(OBJEXT): vfy_increds.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h int-proto.h + int-proto.h vic_opt.so vic_opt.po $(OUTPRE)vic_opt.$(OBJEXT): vic_opt.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h walk_rtree.so walk_rtree.po $(OUTPRE)walk_rtree.$(OBJEXT): walk_rtree.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h int-proto.h + int-proto.h t_walk_rtree.so t_walk_rtree.po $(OUTPRE)t_walk_rtree.$(OBJEXT): t_walk_rtree.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h t_kerb.so t_kerb.po $(OUTPRE)t_kerb.$(OBJEXT): t_kerb.c $(BUILDTOP)/include/krb5.h \ $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/krb.h \ $(SRCTOP)/include/kerberosIV/des.h $(KRB_ERR_H_DEP) \ $(BUILDTOP)/include/profile.h t_ser.so t_ser.po $(OUTPRE)t_ser.$(OBJEXT): t_ser.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h auth_con.h + auth_con.h t_deltat.so t_deltat.po $(OUTPRE)t_deltat.$(OBJEXT): t_deltat.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h t_expand.so t_expand.po $(OUTPRE)t_expand.$(OBJEXT): t_expand.c chk_trans.c \ $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/k5-platform.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(SRCTOP)/include/krb5/kdb.h diff --git a/src/lib/krb5/krb/auth_con.c b/src/lib/krb5/krb/auth_con.c index 09ccf98..cd3acf1 100644 --- a/src/lib/krb5/krb/auth_con.c +++ b/src/lib/krb5/krb/auth_con.c @@ -1,6 +1,8 @@ #include "k5-int.h" #include "auth_con.h" +static krb5_boolean chk_heimdal_seqnum(krb5_ui_4, krb5_ui_4); + static krb5_error_code actx_copy_addr(krb5_context context, const krb5_address *inad, krb5_address **outad) { @@ -59,10 +61,10 @@ krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context) krb5_free_authenticator(context, auth_context->authentp); if (auth_context->keyblock) krb5_free_keyblock(context, auth_context->keyblock); - if (auth_context->local_subkey) - krb5_free_keyblock(context, auth_context->local_subkey); - if (auth_context->remote_subkey) - krb5_free_keyblock(context, auth_context->remote_subkey); + if (auth_context->send_subkey) + krb5_free_keyblock(context, auth_context->send_subkey); + if (auth_context->recv_subkey) + krb5_free_keyblock(context, auth_context->recv_subkey); if (auth_context->rcache) krb5_rc_close(context, auth_context->rcache); if (auth_context->permitted_etypes) @@ -176,17 +178,53 @@ krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context, krb5_ krb5_error_code KRB5_CALLCONV krb5_auth_con_getlocalsubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock) { - if (auth_context->local_subkey) - return krb5_copy_keyblock(context,auth_context->local_subkey,keyblock); + return krb5_auth_con_getsendsubkey(context, auth_context, keyblock); +} + +krb5_error_code KRB5_CALLCONV +krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock) +{ + return krb5_auth_con_getrecvsubkey(context, auth_context, keyblock); +} + +krb5_error_code KRB5_CALLCONV +krb5_auth_con_setsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock) +{ + if (ac->send_subkey != NULL) + krb5_free_keyblock(ctx, ac->send_subkey); + ac->send_subkey = NULL; + if (keyblock !=NULL) + return krb5_copy_keyblock(ctx, keyblock, &ac->send_subkey); + else + return 0; +} + +krb5_error_code KRB5_CALLCONV +krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock) +{ + if (ac->recv_subkey != NULL) + krb5_free_keyblock(ctx, ac->recv_subkey); + ac->recv_subkey = NULL; + if (keyblock != NULL) + return krb5_copy_keyblock(ctx, keyblock, &ac->recv_subkey); + else + return 0; +} + +krb5_error_code KRB5_CALLCONV +krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock) +{ + if (ac->send_subkey != NULL) + return krb5_copy_keyblock(ctx, ac->send_subkey, keyblock); *keyblock = NULL; return 0; } krb5_error_code KRB5_CALLCONV -krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock) +krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock) { - if (auth_context->remote_subkey) - return krb5_copy_keyblock(context,auth_context->remote_subkey,keyblock); + if (ac->recv_subkey != NULL) + return krb5_copy_keyblock(ctx, ac->recv_subkey, keyblock); *keyblock = NULL; return 0; } @@ -359,3 +397,167 @@ krb5_auth_con_get_checksum_func( krb5_context context, *data = auth_context->checksum_func_data; return 0; } + +/* + * krb5int_auth_con_chkseqnum + * + * We use a somewhat complex heuristic for validating received + * sequence numbers. We must accommodate both our older + * implementation, which sends negative sequence numbers, and the + * broken Heimdal implementation (at least as of 0.5.2), which + * violates X.690 BER for integer encodings. The requirement of + * handling negative sequence numbers removes one of easier means of + * detecting a Heimdal implementation, so we resort to this mess + * here. + * + * X.690 BER (and consequently DER, which are the required encoding + * rules in RFC1510) encode all integer types as signed integers. + * This means that the MSB being set on the first octet of the + * contents of the encoding indicates a negative value. Heimdal does + * not prepend the required zero octet to unsigned integer encodings + * which would otherwise have the MSB of the first octet of their + * encodings set. + * + * Our ASN.1 library implements a special decoder for sequence + * numbers, accepting both negative and positive 32-bit numbers but + * mapping them both into the space of positive unsigned 32-bit + * numbers in the obvious bit-pattern-preserving way. This maintains + * compatibility with our older implementations. This also means that + * encodings emitted by Heimdal are ambiguous. + * + * Heimdal counter value received uint32 value + * + * 0x00000080 0xFFFFFF80 + * 0x000000FF 0xFFFFFFFF + * 0x00008000 0xFFFF8000 + * 0x0000FFFF 0xFFFFFFFF + * 0x00800000 0xFF800000 + * 0x00FFFFFF 0xFFFFFFFF + * 0xFF800000 0xFF800000 + * 0xFFFFFFFF 0xFFFFFFFF + * + * We use two auth_context flags, SANE_SEQ and HEIMDAL_SEQ, which are + * only set after we can unambiguously determine the sanity of the + * sending implementation. Once one of these flags is set, we accept + * only the sequence numbers appropriate to the remote implementation + * type. We can make the determination in two different ways. The + * first is to note the receipt of a "negative" sequence number when a + * "positive" one was expected. The second is to note the receipt of + * a sequence number that wraps through "zero" in a weird way. The + * latter corresponds to the receipt of an initial sequence number in + * the ambiguous range. + * + * There are 2^7 + 2^15 + 2^23 + 2^23 = 16810112 total ambiguous + * initial Heimdal counter values, but we receive them as one of 2^23 + * possible values. There is a ~1/256 chance of a Heimdal + * implementation sending an intial sequence number in the ambiguous + * range. + * + * We have to do special treatment when receiving sequence numbers + * between 0xFF800000..0xFFFFFFFF, or when wrapping through zero + * weirdly (due to ambiguous initial sequence number). If we are + * expecting a value corresponding to an ambiguous Heimdal counter + * value, and we receive an exact match, we can mark the remote end as + * sane. + */ +krb5_boolean +krb5int_auth_con_chkseqnum( + krb5_context ctx, + krb5_auth_context ac, + krb5_ui_4 in_seq) +{ + krb5_ui_4 exp_seq; + + exp_seq = ac->remote_seq_number; + + /* + * If sender is known to be sane, accept _only_ exact matches. + */ + if (ac->auth_context_flags & KRB5_AUTH_CONN_SANE_SEQ) + return in_seq == exp_seq; + + /* + * If sender is not known to be sane, first check the ambiguous + * range of received values, 0xFF800000..0xFFFFFFFF. + */ + if ((in_seq & 0xFF800000) == 0xFF800000) { + /* + * If expected sequence number is in the range + * 0xFF800000..0xFFFFFFFF, then we can't make any + * determinations about the sanity of the sending + * implementation. + */ + if ((exp_seq & 0xFF800000) == 0xFF800000 && in_seq == exp_seq) + return 1; + /* + * If sender is not known for certain to be a broken Heimdal + * implementation, check for exact match. + */ + if (!(ac->auth_context_flags & KRB5_AUTH_CONN_HEIMDAL_SEQ) + && in_seq == exp_seq) + return 1; + /* + * Now apply hairy algorithm for matching sequence numbers + * sent by broken Heimdal implementations. If it matches, we + * know for certain it's a broken Heimdal sender. + */ + if (chk_heimdal_seqnum(exp_seq, in_seq)) { + ac->auth_context_flags |= KRB5_AUTH_CONN_HEIMDAL_SEQ; + return 1; + } + return 0; + } + + /* + * Received value not in the ambiguous range? If the _expected_ + * value is in the range of ambiguous Hemidal counter values, and + * it matches the received value, sender is known to be sane. + */ + if (in_seq == exp_seq) { + if (( exp_seq & 0xFFFFFF80) == 0x00000080 + || (exp_seq & 0xFFFF8000) == 0x00008000 + || (exp_seq & 0xFF800000) == 0x00800000) + ac->auth_context_flags |= KRB5_AUTH_CONN_SANE_SEQ; + return 1; + } + + /* + * Magic wraparound for the case where the intial sequence number + * is in the ambiguous range. This means that the sender's + * counter is at a different count than ours, so we correct ours, + * and mark the sender as being a broken Heimdal implementation. + */ + if (exp_seq == 0 + && !(ac->auth_context_flags & KRB5_AUTH_CONN_HEIMDAL_SEQ)) { + switch (in_seq) { + case 0x100: + case 0x10000: + case 0x1000000: + ac->auth_context_flags |= KRB5_AUTH_CONN_HEIMDAL_SEQ; + exp_seq = in_seq; + return 1; + default: + return 0; + } + } + return 0; +} + +static krb5_boolean +chk_heimdal_seqnum(krb5_ui_4 exp_seq, krb5_ui_4 in_seq) +{ + if (( exp_seq & 0xFF800000) == 0x00800000 + && (in_seq & 0xFF800000) == 0xFF800000 + && (in_seq & 0x00FFFFFF) == exp_seq) + return 1; + else if (( exp_seq & 0xFFFF8000) == 0x00008000 + && (in_seq & 0xFFFF8000) == 0xFFFF8000 + && (in_seq & 0x0000FFFF) == exp_seq) + return 1; + else if (( exp_seq & 0xFFFFFF80) == 0x00000080 + && (in_seq & 0xFFFFFF80) == 0xFFFFFF80 + && (in_seq & 0x000000FF) == exp_seq) + return 1; + else + return 0; +} diff --git a/src/lib/krb5/krb/auth_con.h b/src/lib/krb5/krb/auth_con.h index d83d6b8..9543de3 100644 --- a/src/lib/krb5/krb/auth_con.h +++ b/src/lib/krb5/krb/auth_con.h @@ -9,12 +9,12 @@ struct _krb5_auth_context { krb5_address * local_addr; krb5_address * local_port; krb5_keyblock * keyblock; - krb5_keyblock * local_subkey; - krb5_keyblock * remote_subkey; + krb5_keyblock * send_subkey; + krb5_keyblock * recv_subkey; krb5_int32 auth_context_flags; - krb5_int32 remote_seq_number; - krb5_int32 local_seq_number; + krb5_ui_4 remote_seq_number; + krb5_ui_4 local_seq_number; krb5_authenticator *authentp; /* mk_req, rd_req, mk_rep, ...*/ krb5_cksumtype req_cksumtype; /* mk_safe, ... */ krb5_cksumtype safe_cksumtype; /* mk_safe, ... */ @@ -30,5 +30,7 @@ struct _krb5_auth_context { #define KRB5_AUTH_CONN_INITIALIZED 0x00010000 #define KRB5_AUTH_CONN_USED_W_MK_REQ 0x00020000 #define KRB5_AUTH_CONN_USED_W_RD_REQ 0x00040000 +#define KRB5_AUTH_CONN_SANE_SEQ 0x00080000 +#define KRB5_AUTH_CONN_HEIMDAL_SEQ 0x00100000 #endif diff --git a/src/lib/krb5/krb/chpw.c b/src/lib/krb5/krb/chpw.c index bb2cfe9..a455cc4 100644 --- a/src/lib/krb5/krb/chpw.c +++ b/src/lib/krb5/krb/chpw.c @@ -1,11 +1,15 @@ +/* +** set password functions added by Paul W. Nelson, Thursby Software Systems, Inc. +*/ #include <string.h> #include "k5-int.h" #include "krb5_err.h" #include "auth_con.h" -krb5_error_code KRB5_CALLCONV -krb5_mk_chpw_req(krb5_context context, krb5_auth_context auth_context, krb5_data *ap_req, char *passwd, krb5_data *packet) + +krb5_error_code +krb5int_mk_chpw_req(krb5_context context, krb5_auth_context auth_context, krb5_data *ap_req, char *passwd, krb5_data *packet) { krb5_error_code ret = 0; krb5_data clearpw; @@ -66,8 +70,8 @@ cleanup: return(ret); } -krb5_error_code KRB5_CALLCONV -krb5_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *packet, int *result_code, krb5_data *result_data) +krb5_error_code +krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *packet, int *result_code, krb5_data *result_data) { char *ptr; int plen, vno; @@ -116,8 +120,18 @@ krb5_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_data ap_rep.data = ptr; ptr += ap_rep.length; - if ((ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc))) + /* + * Save send_subkey to later smash recv_subkey. + */ + ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmp); + if (ret) + return ret; + + ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc); + if (ret) { + krb5_free_keyblock(context, tmp); return(ret); + } krb5_free_ap_rep_enc_part(context, ap_rep_enc); @@ -126,18 +140,17 @@ krb5_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_data cipherresult.data = ptr; cipherresult.length = (packet->data + packet->length) - ptr; - /* XXX there's no api to do this right. The problem is that - if there's a remote subkey, it will be used. This is - not what the spec requires */ - - tmp = auth_context->remote_subkey; - auth_context->remote_subkey = NULL; + /* + * Smash recv_subkey to be send_subkey, per spec. + */ + ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmp); + krb5_free_keyblock(context, tmp); + if (ret) + return ret; ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult, &replay); - auth_context->remote_subkey = tmp; - if (ret) return(ret); } else { @@ -161,7 +174,7 @@ krb5_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *result_code = (*result_code<<8) | (*ptr++ & 0xff); if ((*result_code < KRB5_KPASSWD_SUCCESS) || - (*result_code > KRB5_KPASSWD_SOFTERROR)) { + (*result_code > KRB5_KPASSWD_INITIAL_FLAG_NEEDED)) { ret = KRB5KRB_AP_ERR_MODIFIED; goto cleanup; } @@ -221,3 +234,284 @@ krb5_chpw_result_code_string(krb5_context context, int result_code, char **code_ return(0); } + +krb5_error_code +krb5int_mk_setpw_req( + krb5_context context, + krb5_auth_context auth_context, + krb5_data *ap_req, + krb5_principal targprinc, + char *passwd, + krb5_data *packet ) +{ + krb5_error_code ret; + krb5_data cipherpw; + krb5_data *encoded_setpw; + + char *ptr; + int count = 2; + + cipherpw.data = NULL; + cipherpw.length = 0; + + if (ret = krb5_auth_con_setflags(context, auth_context, + KRB5_AUTH_CONTEXT_DO_SEQUENCE)) + return(ret); + + ret = encode_krb5_setpw_req(targprinc, passwd, &encoded_setpw); + if (ret) { + return ret; + } + + if ( (ret = krb5_mk_priv(context, auth_context, encoded_setpw, &cipherpw, NULL)) != 0) { + krb5_free_data( context, encoded_setpw); + return(ret); + } + krb5_free_data( context, encoded_setpw); + + + packet->length = 6 + ap_req->length + cipherpw.length; + packet->data = (char *) malloc(packet->length); + if (packet->data == NULL) { + ret = ENOMEM; + goto cleanup; + } + ptr = packet->data; +/* +** build the packet - +*/ +/* put in the length */ + *ptr++ = (packet->length>>8) & 0xff; + *ptr++ = packet->length & 0xff; +/* put in the version */ + *ptr++ = (char)0xff; + *ptr++ = (char)0x80; +/* the ap_req length is big endian */ + *ptr++ = (ap_req->length>>8) & 0xff; + *ptr++ = ap_req->length & 0xff; +/* put in the request data */ + memcpy(ptr, ap_req->data, ap_req->length); + ptr += ap_req->length; +/* +** put in the "private" password data - +*/ + memcpy(ptr, cipherpw.data, cipherpw.length); + ret = 0; + cleanup: + if (cipherpw.data) + krb5_free_data_contents(context, &cipherpw); + if ((ret != 0) && packet->data) { + free( packet->data); + packet->data = NULL; + } + return ret; +} + +krb5_error_code +krb5int_rd_setpw_rep( krb5_context context, krb5_auth_context auth_context, krb5_data *packet, + int *result_code, krb5_data *result_data ) +{ + char *ptr; + unsigned int message_length, version_number; + krb5_data ap_rep; + krb5_ap_rep_enc_part *ap_rep_enc; + krb5_error_code ret; + krb5_data cipherresult; + krb5_data clearresult; + krb5_replay_data replay; + krb5_keyblock *tmpkey; +/* +** validate the packet length - +*/ + if (packet->length < 4) + return(KRB5KRB_AP_ERR_MODIFIED); + + ptr = packet->data; + +/* +** see if it is an error +*/ + if (krb5_is_krb_error(packet)) { + krb5_error *krberror; + if (ret = krb5_rd_error(context, packet, &krberror)) + return(ret); + if (krberror->e_data.data == NULL) { + ret = ERROR_TABLE_BASE_krb5 + krberror->error; + krb5_free_error(context, krberror); + return (ret); + } + clearresult = krberror->e_data; + krberror->e_data.data = NULL; /*So we can free it later*/ + krberror->e_data.length = 0; + krb5_free_error(context, krberror); + + } else { /* Not an error*/ + +/* +** validate the message length - +** length is big endian +*/ + message_length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff)); + ptr += 2; +/* +** make sure the message length and packet length agree - +*/ + if (message_length != packet->length) + return(KRB5KRB_AP_ERR_MODIFIED); +/* +** get the version number - +*/ + version_number = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff)); + ptr += 2; +/* +** make sure we support the version returned - +*/ +/* +** set password version is 0xff80, change password version is 1 +*/ + if (version_number != 0xff80 && version_number != 1) + return(KRB5KDC_ERR_BAD_PVNO); +/* +** now fill in ap_rep with the reply - +*/ +/* +** get the reply length - +*/ + ap_rep.length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff)); + ptr += 2; +/* +** validate ap_rep length agrees with the packet length - +*/ + if (ptr + ap_rep.length >= packet->data + packet->length) + return(KRB5KRB_AP_ERR_MODIFIED); +/* +** if data was returned, set the ap_rep ptr - +*/ + if( ap_rep.length ) { + ap_rep.data = ptr; + ptr += ap_rep.length; + + /* + * Save send_subkey to later smash recv_subkey. + */ + ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmpkey); + if (ret) + return ret; + + ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc); + if (ret) { + krb5_free_keyblock(context, tmpkey); + return(ret); + } + + krb5_free_ap_rep_enc_part(context, ap_rep_enc); +/* +** now decrypt the result - +*/ + cipherresult.data = ptr; + cipherresult.length = (packet->data + packet->length) - ptr; + + /* + * Smash recv_subkey to be send_subkey, per spec. + */ + ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmpkey); + krb5_free_keyblock(context, tmpkey); + if (ret) + return ret; + + ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult, + NULL); + if (ret) + return(ret); + } /*We got an ap_rep*/ + else + return (KRB5KRB_AP_ERR_MODIFIED); + } /*Response instead of error*/ + +/* +** validate the cleartext length +*/ + if (clearresult.length < 2) { + ret = KRB5KRB_AP_ERR_MODIFIED; + goto cleanup; + } +/* +** now decode the result - +*/ + ptr = clearresult.data; + + *result_code = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff)); + ptr += 2; + +/* +** result code 5 is access denied +*/ + if ((*result_code < KRB5_KPASSWD_SUCCESS) || (*result_code > 5)) + { + ret = KRB5KRB_AP_ERR_MODIFIED; + goto cleanup; + } +/* +** all success replies should be authenticated/encrypted +*/ + if( (ap_rep.length == 0) && (*result_code == KRB5_KPASSWD_SUCCESS) ) + { + ret = KRB5KRB_AP_ERR_MODIFIED; + goto cleanup; + } + + if (result_data) { + result_data->length = (clearresult.data + clearresult.length) - ptr; + + if (result_data->length) + { + result_data->data = (char *) malloc(result_data->length); + if (result_data->data) + memcpy(result_data->data, ptr, result_data->length); + } + else + result_data->data = NULL; + } + ret = 0; + + cleanup: + krb5_free_data_contents(context, &clearresult); + return(ret); +} + +krb5_error_code +krb5int_setpw_result_code_string( krb5_context context, int result_code, const char **code_string ) +{ + switch (result_code) + { + case KRB5_KPASSWD_MALFORMED: + *code_string = "Malformed request error"; + break; + case KRB5_KPASSWD_HARDERROR: + *code_string = "Server error"; + break; + case KRB5_KPASSWD_AUTHERROR: + *code_string = "Authentication error"; + break; + case KRB5_KPASSWD_SOFTERROR: + *code_string = "Password change rejected"; + break; + case 5: /* access denied */ + *code_string = "Access denied"; + break; + case 6: /* bad version */ + *code_string = "Wrong protocol version"; + break; + case 7: /* initial flag is needed */ + *code_string = "Initial password required"; + break; + case 0: + *code_string = "Success"; + default: + *code_string = "Password change failed"; + break; + } + + return(0); +} + diff --git a/src/lib/krb5/krb/conv_creds.c b/src/lib/krb5/krb/conv_creds.c new file mode 100644 index 0000000..3a4e66d --- /dev/null +++ b/src/lib/krb5/krb/conv_creds.c @@ -0,0 +1,277 @@ +/* + * Copyright 1994 by OpenVision Technologies, Inc. + * + * Permission to use, copy, modify, distribute, and sell this software + * and its documentation for any purpose is hereby granted without fee, + * provided that the above copyright notice appears in all copies and + * that both that copyright notice and this permission notice appear in + * supporting documentation, and that the name of OpenVision not be used + * in advertising or publicity pertaining to distribution of the software + * without specific, written prior permission. OpenVision makes no + * representations about the suitability of this software for any + * purpose. It is provided "as is" without express or implied warranty. + * + * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, + * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO + * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR + * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF + * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR + * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +#include "k5-int.h" +#include <stdio.h> +#include <string.h> +#include <sys/types.h> +#include "port-sockets.h" +#include "socket-utils.h" + +#if defined(KRB5_KRB4_COMPAT) || defined(_WIN32) /* yuck */ +#include "kerberosIV/krb.h" + +#ifdef USE_CCAPI +#include <CredentialsCache.h> +#endif + +#define krb524_debug krb5int_krb524_debug +int krb524_debug = 0; + +static krb5_error_code krb524_convert_creds_plain +(krb5_context context, krb5_creds *v5creds, + CREDENTIALS *v4creds); + +static int decode_v4tkt + (struct ktext *v4tkt, char *buf, unsigned int *encoded_len); + +krb5_error_code KRB5_CALLCONV +krb5_524_convert_creds(krb5_context context, krb5_creds *v5creds, + CREDENTIALS *v4creds) +{ + krb5_error_code ret; + krb5_data reply; + char *p; + struct sockaddr_storage ss; + socklen_t slen = sizeof(ss); + + ret = krb524_convert_creds_plain(context, v5creds, v4creds); + if (ret) + return ret; + + reply.data = NULL; + ret = krb5int_524_sendto_kdc(context, &v5creds->ticket, + &v5creds->server->realm, &reply, + ss2sa(&ss), &slen); + if (ret) + return ret; + +#if TARGET_OS_MAC +#ifdef USE_CCAPI + v4creds->stk_type = cc_v4_stk_des; +#endif + if (slen == sizeof(struct sockaddr_in) + && ss2sa(&ss)->sa_family == AF_INET) { + v4creds->address = ss2sin(&ss)->sin_addr.s_addr; + } + /* Otherwise, leave it set to all-zero. */ +#endif + + p = reply.data; + ret = ntohl(*((krb5_error_code *) p)); + p += sizeof(krb5_int32); + reply.length -= sizeof(krb5_int32); + if (ret) + goto fail; + + v4creds->kvno = ntohl(*((krb5_error_code *) p)); + p += sizeof(krb5_int32); + reply.length -= sizeof(krb5_int32); + ret = decode_v4tkt(&v4creds->ticket_st, p, &reply.length); + +fail: + if (reply.data) + free(reply.data); + reply.data = NULL; + return ret; +} + +static krb5_error_code +krb524_convert_creds_plain(context, v5creds, v4creds) + krb5_context context; + krb5_creds *v5creds; + CREDENTIALS *v4creds; +{ + int ret; + krb5_timestamp endtime; + char dummy[REALM_SZ]; + memset((char *) v4creds, 0, sizeof(CREDENTIALS)); + + if ((ret = krb5_524_conv_principal(context, v5creds->client, + v4creds->pname, v4creds->pinst, + dummy))) + return ret; + if ((ret = krb5_524_conv_principal(context, v5creds->server, + v4creds->service, v4creds->instance, + v4creds->realm))) + return ret; + + /* Check enctype too */ + if (v5creds->keyblock.length != sizeof(C_Block)) { + if (krb524_debug) + fprintf(stderr, "v5 session keyblock length %d != C_Block size %d\n", + v5creds->keyblock.length, + (int) sizeof(C_Block)); + return KRB524_BADKEY; + } else + memcpy(v4creds->session, (char *) v5creds->keyblock.contents, + sizeof(C_Block)); + + /* V4 has no concept of authtime or renew_till, so ignore them */ + v4creds->issue_date = v5creds->times.starttime; + v4creds->lifetime = krb5int_krb_time_to_life(v5creds->times.starttime, + v5creds->times.endtime); + endtime = krb5int_krb_life_to_time(v4creds->issue_date, + v4creds->lifetime); + /* + * Adjust start time backwards to deal with rounding up in + * krb_time_to_life(), to match code on server side. + */ + if (endtime > v5creds->times.endtime) + v4creds->issue_date -= endtime - v5creds->times.endtime; + + return 0; +} + +/* this used to be krb524/encode.c, under same copyright as above */ +/* + * I'm sure that this is reinventing the wheel, but I don't know where + * the wheel is hidden. + */ + +int encode_v4tkt (KTEXT_ST *, char *, unsigned int *); +static int encode_bytes (char **, int *, char *, unsigned int), + encode_int32 (char **, int *, krb5_int32 *); + +static int decode_bytes (char **, int *, char *, unsigned int), + decode_int32 (char **, int *, krb5_int32 *); + +static int encode_bytes(out, outlen, in, len) + char **out; + int *outlen; + char *in; + unsigned int len; +{ + if (len > *outlen) + return KRB524_ENCFULL; + memcpy(*out, in, len); + *out += len; + *outlen -= len; + return 0; +} + +static int encode_int32(out, outlen, v) + char **out; + int *outlen; + krb5_int32 *v; +{ + krb5_int32 nv; /* Must be 4 bytes */ + + nv = htonl(*v); + return encode_bytes(out, outlen, (char *) &nv, sizeof(nv)); +} + +int krb5int_encode_v4tkt(v4tkt, buf, encoded_len) + KTEXT_ST *v4tkt; + char *buf; + unsigned int *encoded_len; +{ + int buflen, ret; + + buflen = *encoded_len; + + if ((ret = encode_int32(&buf, &buflen, &v4tkt->length))) + return ret; + if ((ret = encode_bytes(&buf, &buflen, (char *)v4tkt->dat, MAX_KTXT_LEN))) + return ret; + if ((ret = encode_int32(&buf, &buflen, (krb5_int32 *) &v4tkt->mbz))) + return ret; + + *encoded_len -= buflen; + return 0; +} + +/* decode functions */ + +static int decode_bytes(out, outlen, in, len) + char **out; + int *outlen; + char *in; + unsigned int len; +{ + if (len > *outlen) + return KRB524_DECEMPTY; + memcpy(in, *out, len); + *out += len; + *outlen -= len; + return 0; +} + +static int decode_int32(out, outlen, v) + char **out; + int *outlen; + krb5_int32 *v; +{ + int ret; + krb5_int32 nv; /* Must be four bytes */ + + if ((ret = decode_bytes(out, outlen, (char *) &nv, sizeof(nv)))) + return ret; + *v = ntohl(nv); + return 0; +} + +static int decode_v4tkt(v4tkt, buf, encoded_len) + KTEXT_ST *v4tkt; + char *buf; + unsigned int *encoded_len; +{ + int buflen, ret; + + buflen = *encoded_len; + if ((ret = decode_int32(&buf, &buflen, &v4tkt->length))) + return ret; + if ((ret = decode_bytes(&buf, &buflen, (char *)v4tkt->dat, MAX_KTXT_LEN))) + return ret; + if ((ret = decode_int32(&buf, &buflen, (krb5_int32 *) &v4tkt->mbz))) + return ret; + *encoded_len -= buflen; + return 0; +} + +#else /* no krb4 compat */ + +krb5_error_code KRB5_CALLCONV +krb5_524_convert_creds(krb5_context context, krb5_creds *v5creds, + struct credentials *v4creds) +{ + return KRB524_KRB4_DISABLED; +} + +#endif + +/* These may be needed for object-level backwards compatibility on Mac + OS and UNIX, but Windows should be okay. */ +#ifndef _WIN32 +#undef krb524_convert_creds_kdc +krb5_error_code KRB5_CALLCONV +krb524_convert_creds_kdc(krb5_context context, krb5_creds *v5creds, + struct credentials *v4creds) +{ + return krb5_524_convert_creds(context, v5creds, v4creds); +} + +#undef krb524_init_ets +void KRB5_CALLCONV krb524_init_ets () +{ +} +#endif diff --git a/src/lib/krb5/krb/copy_data.c b/src/lib/krb5/krb/copy_data.c index 2899c5a..1be2a2d 100644 --- a/src/lib/krb5/krb/copy_data.c +++ b/src/lib/krb5/krb/copy_data.c @@ -58,3 +58,25 @@ krb5_copy_data(krb5_context context, const krb5_data *indata, krb5_data **outdat *outdata = tempdata; return 0; } + +krb5_error_code +krb5int_copy_data_contents(krb5_context context, const krb5_data *indata, krb5_data *outdata) +{ + if (!indata) { + return EINVAL; + } + + + outdata->length = indata->length; + if (outdata->length) { + if (!(outdata->data = malloc(outdata->length))) { + krb5_xfree(outdata); + return ENOMEM; + } + memcpy((char *)outdata->data, (char *)indata->data, outdata->length); + } else + outdata->data = 0; + outdata->magic = KV5M_DATA; + + return 0; +} diff --git a/src/lib/krb5/krb/fwd_tgt.c b/src/lib/krb5/krb/fwd_tgt.c index aa42f8c..4e2c8f0 100644 --- a/src/lib/krb5/krb/fwd_tgt.c +++ b/src/lib/krb5/krb/fwd_tgt.c @@ -56,6 +56,7 @@ krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, char *r int free_rhost = 0; krb5_enctype enctype = 0; krb5_keyblock *session_key; + krb5_boolean old_use_conf_ktypes = context->use_conf_ktypes; memset((char *)&creds, 0, sizeof(creds)); memset((char *)&tgt, 0, sizeof(creds)); @@ -109,8 +110,10 @@ krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, char *r goto errout; /* fetch tgt directly from cache */ + context->use_conf_ktypes = 1; retval = krb5_cc_retrieve_cred (context, cc, KRB5_TC_SUPPORTED_KTYPES, &creds, &tgt); + context->use_conf_ktypes = old_use_conf_ktypes; if (retval) goto errout; @@ -161,9 +164,15 @@ retval = KRB5_FWD_BAD_PRINCIPAL; kdcoptions &= ~(KDC_OPT_FORWARDABLE); if ((retval = krb5_get_cred_via_tkt(context, &tgt, kdcoptions, - addrs, &creds, &pcreds))) - goto errout; - + addrs, &creds, &pcreds))) { + if (enctype) { + creds.keyblock.enctype = 0; + if ((retval = krb5_get_cred_via_tkt(context, &tgt, kdcoptions, + addrs, &creds, &pcreds))) + goto errout; + } + else goto errout; + } retval = krb5_mk_1cred(context, auth_context, pcreds, &scratch, &replaydata); krb5_free_creds(context, pcreds); diff --git a/src/lib/krb5/krb/gc_frm_kdc.c b/src/lib/krb5/krb/gc_frm_kdc.c index fdf00e6..8ca62cc 100644 --- a/src/lib/krb5/krb/gc_frm_kdc.c +++ b/src/lib/krb5/krb/gc_frm_kdc.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1994 by the Massachusetts Institute of Technology. + * Copyright (c) 1994,2003 by the Massachusetts Institute of Technology. * Copyright (c) 1994 CyberSAFE Corporation * Copyright (c) 1993 Open Computing Security Group * Copyright (c) 1990,1991 by the Massachusetts Institute of Technology. @@ -76,6 +76,7 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds krb5_principal *top_server = NULL; krb5_principal *next_server = NULL; unsigned int nservers = 0; + krb5_boolean old_use_conf_ktypes = context->use_conf_ktypes; /* in case we never get a TGT, zero the return */ @@ -114,6 +115,7 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds goto cleanup; } + context->use_conf_ktypes = 1; if ((retval = krb5_cc_retrieve_cred(context, ccache, KRB5_TC_MATCH_SRV_NAMEONLY | KRB5_TC_SUPPORTED_KTYPES, &tgtq, &tgt))) { @@ -231,21 +233,17 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds krb5_free_cred_contents(context, &tgtq); memset(&tgtq, 0, sizeof(tgtq)); -#ifdef HAVE_C_STRUCTURE_ASSIGNMENT tgtq.times = tgt.times; -#else - memcpy(&tgtq.times, &tgt.times, sizeof(krb5_ticket_times)); -#endif - if ((retval = krb5_copy_principal(context, tgt.client, &tgtq.client))) goto cleanup; if ((retval = krb5_copy_principal(context, int_server, &tgtq.server))) goto cleanup; tgtq.is_skey = FALSE; tgtq.ticket_flags = tgt.ticket_flags; - if ((retval = krb5_get_cred_via_tkt(context, &tgt, - FLAGS2OPTS(tgtq.ticket_flags), - tgt.addresses, &tgtq, &tgtr))) { + retval = krb5_get_cred_via_tkt(context, &tgt, + FLAGS2OPTS(tgtq.ticket_flags), + tgt.addresses, &tgtq, &tgtr); + if (retval) { /* * couldn't get one so now loop backwards through the realms @@ -301,12 +299,12 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds goto cleanup; tgtq.is_skey = FALSE; tgtq.ticket_flags = tgt.ticket_flags; - if ((retval = krb5_get_cred_via_tkt(context, &tgt, - FLAGS2OPTS(tgtq.ticket_flags), - tgt.addresses, - &tgtq, &tgtr))) { + retval = krb5_get_cred_via_tkt(context, &tgt, + FLAGS2OPTS(tgtq.ticket_flags), + tgt.addresses, + &tgtq, &tgtr); + if (retval) continue; - } /* save tgt in return array */ if ((retval = krb5_copy_creds(context, tgtr, @@ -341,7 +339,9 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds for (next_server = top_server; *next_server; next_server++) { krb5_data *realm_1 = krb5_princ_component(context, next_server[0], 1); krb5_data *realm_2 = krb5_princ_component(context, tgtr->server, 1); - if (realm_1->length == realm_2->length && + if (realm_1 != NULL && + realm_2 != NULL && + realm_1->length == realm_2->length && !memcmp(realm_1->data, realm_2->data, realm_1->length)) { break; } @@ -374,10 +374,12 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds goto cleanup; } - retval = krb5_get_cred_via_tkt(context, &tgt, FLAGS2OPTS(tgt.ticket_flags) | - kdcopt | - (in_cred->second_ticket.length ? - KDC_OPT_ENC_TKT_IN_SKEY : 0), + context->use_conf_ktypes = old_use_conf_ktypes; + retval = krb5_get_cred_via_tkt(context, &tgt, + FLAGS2OPTS(tgt.ticket_flags) | + kdcopt | + (in_cred->second_ticket.length ? + KDC_OPT_ENC_TKT_IN_SKEY : 0), tgt.addresses, in_cred, out_cred); /* cleanup and return */ @@ -393,6 +395,7 @@ cleanup: if (ret_tgts) free(ret_tgts); krb5_free_cred_contents(context, &tgt); } + context->use_conf_ktypes = old_use_conf_ktypes; return(retval); } diff --git a/src/lib/krb5/krb/gen_seqnum.c b/src/lib/krb5/krb/gen_seqnum.c index 196a437..3737640 100644 --- a/src/lib/krb5/krb/gen_seqnum.c +++ b/src/lib/krb5/krb/gen_seqnum.c @@ -36,7 +36,7 @@ #endif krb5_error_code -krb5_generate_seq_number(krb5_context context, const krb5_keyblock *key, krb5_int32 *seqno) +krb5_generate_seq_number(krb5_context context, const krb5_keyblock *key, krb5_ui_4 *seqno) { krb5_data seed; krb5_error_code retval; @@ -48,5 +48,20 @@ krb5_generate_seq_number(krb5_context context, const krb5_keyblock *key, krb5_in seed.length = sizeof(*seqno); seed.data = (char *) seqno; - return(krb5_c_random_make_octets(context, &seed)); + retval = krb5_c_random_make_octets(context, &seed); + if (retval) + return retval; + /* + * Work around implementation incompatibilities by not generating + * initial sequence numbers greater than 2^30. Previous MIT + * implementations use signed sequence numbers, so initial + * sequence numbers 2^31 to 2^32-1 inclusive will be rejected. + * Letting the maximum initial sequence number be 2^30-1 allows + * for about 2^30 messages to be sent before wrapping into + * "negative" numbers. + */ + *seqno &= 0x3fffffff; + if (*seqno == 0) + *seqno = 1; + return 0; } diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index dc06c53..df5ebaf 100644 --- a/src/lib/krb5/krb/get_in_tkt.c +++ b/src/lib/krb5/krb/get_in_tkt.c @@ -1,7 +1,7 @@ /* * lib/krb5/krb/get_in_tkt.c * - * Copyright 1990,1991 by the Massachusetts Institute of Technology. + * Copyright 1990,1991, 2003 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -262,6 +262,7 @@ verify_as_reply(krb5_context context, (request->rtime != 0) && (as_reply->enc_part2->times.renew_till > request->rtime)) || ((request->kdc_options & KDC_OPT_RENEWABLE_OK) && + !(request->kdc_options & KDC_OPT_RENEWABLE) && (as_reply->enc_part2->flags & KDC_OPT_RENEWABLE) && (request->till != 0) && (as_reply->enc_part2->times.renew_till > request->till)) @@ -409,6 +410,15 @@ make_preauth_list(krb5_context context, } #define MAX_IN_TKT_LOOPS 16 +static krb5_enctype get_in_tkt_enctypes[] = { + ENCTYPE_DES3_CBC_SHA1, + ENCTYPE_ARCFOUR_HMAC, + ENCTYPE_DES_CBC_MD5, + ENCTYPE_DES_CBC_MD4, + ENCTYPE_DES_CBC_CRC, + 0 +}; + krb5_error_code KRB5_CALLCONV krb5_get_in_tkt(krb5_context context, @@ -460,8 +470,13 @@ krb5_get_in_tkt(krb5_context context, request.from = creds->times.starttime; request.till = creds->times.endtime; request.rtime = creds->times.renew_till; - if ((retval = krb5_get_default_in_tkt_ktypes(context, &request.ktype))) + + request.ktype = malloc (sizeof(get_in_tkt_enctypes)); + if (request.ktype == NULL) { + retval = ENOMEM; goto cleanup; + } + memcpy(request.ktype, get_in_tkt_enctypes, sizeof(get_in_tkt_enctypes)); for (request.nktypes = 0;request.ktype[request.nktypes];request.nktypes++); if (ktypes) { int i, req, next = 0; @@ -734,6 +749,7 @@ krb5_get_init_creds(krb5_context context, krb5_deltat renew_life; int loopcount; krb5_data salt; + krb5_data s2kparams; krb5_keyblock as_key; krb5_error *err_reply; krb5_kdc_rep *local_as_reply; @@ -742,6 +758,8 @@ krb5_get_init_creds(krb5_context context, /* initialize everything which will be freed at cleanup */ + s2kparams.data = NULL; + s2kparams.length = 0; request.server = NULL; request.ktype = NULL; request.addresses = NULL; @@ -761,7 +779,7 @@ krb5_get_init_creds(krb5_context context, /* request.padata is filled in later */ - request.kdc_options = 0; + request.kdc_options = context->kdc_default_options; /* forwardable */ @@ -854,11 +872,13 @@ krb5_get_init_creds(krb5_context context, if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE)) request.till += options->tkt_life; else - request.till += 10*60*60; /* this used to be hardcoded in kinit.c */ + request.till += 24*60*60; /* this used to be hardcoded in kinit.c */ if (renew_life > 0) { request.rtime = request.from; request.rtime += renew_life; + if (request.rtime >= request.till) + request.kdc_options &= ~(KDC_OPT_RENEWABLE_OK); } else { request.rtime = 0; } @@ -927,7 +947,7 @@ krb5_get_init_creds(krb5_context context, if ((ret = krb5_do_preauth(context, &request, padata, &request.padata, - &salt, &etype, &as_key, prompter, + &salt, &s2kparams, &etype, &as_key, prompter, prompter_data, gak_fct, gak_data))) goto cleanup; @@ -973,7 +993,7 @@ krb5_get_init_creds(krb5_context context, if ((ret = krb5_do_preauth(context, &request, local_as_reply->padata, &padata, - &salt, &etype, &as_key, prompter, + &salt, &s2kparams, &etype, &as_key, prompter, prompter_data, gak_fct, gak_data))) goto cleanup; @@ -1005,7 +1025,7 @@ krb5_get_init_creds(krb5_context context, if ((ret = ((*gak_fct)(context, request.client, local_as_reply->enc_part.enctype, - prompter, prompter_data, &salt, + prompter, prompter_data, &salt, &s2kparams, &as_key, gak_data)))) goto cleanup; @@ -1050,6 +1070,7 @@ cleanup: if (salt.data && (!(options && (options->flags & KRB5_GET_INIT_CREDS_OPT_SALT)))) krb5_xfree(salt.data); + krb5_free_data_contents(context, &s2kparams); if (as_reply) *as_reply = local_as_reply; else if (local_as_reply) diff --git a/src/lib/krb5/krb/gic_keytab.c b/src/lib/krb5/krb/gic_keytab.c index a7cb773..38a88ee 100644 --- a/src/lib/krb5/krb/gic_keytab.c +++ b/src/lib/krb5/krb/gic_keytab.c @@ -1,3 +1,29 @@ +/* + * lib/krb5/krb/gic_keytab.c + * + * Copyright (C) 2002, 2003 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + #include "k5-int.h" static krb5_error_code @@ -8,6 +34,7 @@ krb5_get_as_key_keytab( krb5_prompter_fct prompter, void *prompter_data, krb5_data *salt, + krb5_data *params, krb5_keyblock *as_key, void *gak_data) { @@ -115,3 +142,57 @@ cleanup: return(ret); } +krb5_error_code KRB5_CALLCONV +krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options, + krb5_address *const *addrs, krb5_enctype *ktypes, + krb5_preauthtype *pre_auth_types, + krb5_keytab arg_keytab, krb5_ccache ccache, + krb5_creds *creds, krb5_kdc_rep **ret_as_reply) +{ + krb5_error_code retval; + krb5_get_init_creds_opt opt; + char * server = NULL; + krb5_keytab keytab; + krb5_principal client_princ, server_princ; + + krb5int_populate_gic_opt(context, &opt, + options, addrs, ktypes, + pre_auth_types); + if (arg_keytab == NULL) { + retval = krb5_kt_default(context, &keytab); + if (retval) + return retval; + } + else keytab = arg_keytab; + + retval = krb5_unparse_name( context, creds->server, &server); + if (retval) + goto cleanup; + server_princ = creds->server; + client_princ = creds->client; + retval = krb5_get_init_creds (context, + creds, creds->client, + krb5_prompter_posix, NULL, + 0, server, &opt, + krb5_get_as_key_keytab, (void *)keytab, + 0, ret_as_reply); + krb5_free_unparsed_name( context, server); + if (retval) { + goto cleanup; + } + if (creds->server) + krb5_free_principal( context, creds->server); + if (creds->client) + krb5_free_principal( context, creds->client); + creds->client = client_princ; + creds->server = server_princ; + + /* store it in the ccache! */ + if (ccache) + if ((retval = krb5_cc_store_cred(context, ccache, creds))) + goto cleanup; + cleanup: if (arg_keytab == NULL) + krb5_kt_close(context, keytab); + return retval; +} + diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c index 7b5e0ba..af95b97 100644 --- a/src/lib/krb5/krb/gic_pwd.c +++ b/src/lib/krb5/krb/gic_pwd.c @@ -9,6 +9,7 @@ krb5_get_as_key_password( krb5_prompter_fct prompter, void *prompter_data, krb5_data *salt, + krb5_data *params, krb5_keyblock *as_key, void *gak_data) { @@ -42,7 +43,7 @@ krb5_get_as_key_password( return(EIO); if ((ret = krb5_unparse_name(context, client, &clientstr))) - return(ret); + return(ret); strcpy(promptstr, "Password for "); strncat(promptstr, clientstr, sizeof(promptstr)-strlen(promptstr)-1); @@ -74,7 +75,8 @@ krb5_get_as_key_password( defsalt.length = 0; } - ret = krb5_c_string_to_key(context, etype, password, salt, as_key); + ret = krb5_c_string_to_key_with_params(context, etype, password, salt, + params->data?params:NULL, as_key); if (defsalt.length) krb5_xfree(defsalt.data); @@ -144,6 +146,10 @@ krb5_get_init_creds_password(krb5_context context, krb5_creds *creds, krb5_princ if (!use_master) { use_master = 1; + if (as_reply) { + krb5_free_kdc_rep( context, as_reply); + as_reply = NULL; + } ret2 = krb5_get_init_creds(context, creds, client, prompter, data, start_time, in_tkt_service, options, krb5_get_as_key_password, (void *) &pw0, @@ -158,7 +164,8 @@ krb5_get_init_creds_password(krb5_context context, krb5_creds *creds, krb5_princ slave we were able to contact */ if ((ret2 == KRB5_KDC_UNREACH) || - (ret2 == KRB5_REALM_CANT_RESOLVE)) + (ret2 == KRB5_REALM_CANT_RESOLVE) || + (ret2 == KRB5_REALM_UNKNOWN)) goto cleanup; ret = ret2; @@ -366,3 +373,109 @@ cleanup: return(ret); } +void krb5int_populate_gic_opt ( + krb5_context context, krb5_get_init_creds_opt *opt, + krb5_flags options, krb5_address * const *addrs, krb5_enctype *ktypes, + krb5_preauthtype *pre_auth_types) +{ + int i; + krb5_get_init_creds_opt_init(opt); + if (addrs) + krb5_get_init_creds_opt_set_address_list(opt, (krb5_address **) addrs); + if (ktypes) { + for (i=0; ktypes[i]; i++); + if (i) + krb5_get_init_creds_opt_set_etype_list(opt, ktypes, i); + } + if (pre_auth_types) { + for (i=0; pre_auth_types[i]; i++); + if (i) + krb5_get_init_creds_opt_set_preauth_list(opt, pre_auth_types, i); + } + if (options&KDC_OPT_FORWARDABLE) + krb5_get_init_creds_opt_set_forwardable(opt, 1); + else krb5_get_init_creds_opt_set_forwardable(opt, 0); + if (options&KDC_OPT_PROXIABLE) + krb5_get_init_creds_opt_set_proxiable(opt, 1); + else krb5_get_init_creds_opt_set_proxiable(opt, 0); + + +} + +/* + Rewrites get_in_tkt in terms of newer get_init_creds API. + Attempts to get an initial ticket for creds->client to use server + creds->server, (realm is taken from creds->client), with options + options, and using creds->times.starttime, creds->times.endtime, + creds->times.renew_till as from, till, and rtime. + creds->times.renew_till is ignored unless the RENEWABLE option is requested. + + If addrs is non-NULL, it is used for the addresses requested. If it is + null, the system standard addresses are used. + + If password is non-NULL, it is converted using the cryptosystem entry + point for a string conversion routine, seeded with the client's name. + If password is passed as NULL, the password is read from the terminal, + and then converted into a key. + + A succesful call will place the ticket in the credentials cache ccache. + + returns system errors, encryption errors + */ +krb5_error_code KRB5_CALLCONV +krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options, + krb5_address *const *addrs, krb5_enctype *ktypes, + krb5_preauthtype *pre_auth_types, + const char *password, krb5_ccache ccache, + krb5_creds *creds, krb5_kdc_rep **ret_as_reply) +{ + krb5_error_code retval; + krb5_data pw0; + char pw0array[1024]; + krb5_get_init_creds_opt opt; + char * server; + krb5_principal server_princ, client_princ; + + pw0array[0] = '\0'; + pw0.data = pw0array; + if (password) { + pw0.length = strlen(password); + if (pw0.length > sizeof(pw0array)) + return EINVAL; + strncpy(pw0.data, password, sizeof(pw0array)); + if (pw0.length == 0) + pw0.length = sizeof(pw0array); + } else { + pw0.length = sizeof(pw0array); + } + krb5int_populate_gic_opt(context, &opt, + options, addrs, ktypes, + pre_auth_types); + retval = krb5_unparse_name( context, creds->server, &server); + if (retval) + return (retval); + server_princ = creds->server; + client_princ = creds->client; + retval = krb5_get_init_creds (context, + creds, creds->client, + krb5_prompter_posix, NULL, + 0, server, &opt, + krb5_get_as_key_password, &pw0, + 0, ret_as_reply); + krb5_free_unparsed_name( context, server); + if (retval) { + return (retval); + } + if (creds->server) + krb5_free_principal( context, creds->server); + if (creds->client) + krb5_free_principal( context, creds->client); + creds->client = client_princ; + creds->server = server_princ; + /* store it in the ccache! */ + if (ccache) + if ((retval = krb5_cc_store_cred(context, ccache, creds))) + return (retval); + return retval; + } + diff --git a/src/lib/krb5/krb/in_tkt_ktb.c b/src/lib/krb5/krb/in_tkt_ktb.c deleted file mode 100644 index db4f3b4..0000000 --- a/src/lib/krb5/krb/in_tkt_ktb.c +++ /dev/null @@ -1,125 +0,0 @@ -/* - * lib/krb5/krb/in_tkt_ktb.c - * - * Copyright 1990,1991 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * - * krb5_get_in_tkt_with_keytab() - * - */ - -#include "k5-int.h" - -struct keytab_keyproc_arg { - krb5_keytab keytab; - krb5_principal client; -}; - -/* - * Key-generator for in_tkt_keytab, below. - * "keyseed" is actually a krb5_keytab, or NULL if we should fetch - * from system area. - */ -static krb5_error_code keytab_keyproc - (krb5_context, - const krb5_enctype, - krb5_data *, - krb5_const_pointer, - krb5_keyblock **); - -static krb5_error_code -keytab_keyproc(krb5_context context, krb5_enctype type, krb5_data *salt, - krb5_const_pointer keyseed, krb5_keyblock **key) -{ - const struct keytab_keyproc_arg * arg = - (const struct keytab_keyproc_arg *)keyseed; - krb5_keyblock *realkey; - krb5_error_code retval = 0; - krb5_keytab kt_id; - krb5_keytab_entry kt_ent; - - kt_id = arg->keytab; - - if (!krb5_c_valid_enctype(type)) - return KRB5_PROG_ETYPE_NOSUPP; - - if (kt_id == NULL) - /* Fetch from default keytab location */ - if ((retval = krb5_kt_default(context, &kt_id))) - return retval; - - - if ((retval = krb5_kt_get_entry(context, kt_id, arg->client, - 0, /* don't have vno available */ - type, &kt_ent))) - goto cleanup; - - if ((retval = krb5_copy_keyblock(context, &kt_ent.key, &realkey))) { - (void) krb5_kt_free_entry(context, &kt_ent); - goto cleanup; - } - - (void) krb5_kt_free_entry(context, &kt_ent); - *key = realkey; - -cleanup: - if (! arg->keytab) - krb5_kt_close(context, kt_id); - return retval; -} - -/* - Similar to krb5_get_in_tkt_with_skey. - - Attempts to get an initial ticket for creds->client to use server - creds->server, (realm is taken from creds->client), with options - options, and using creds->times.starttime, creds->times.endtime, - creds->times.renew_till as from, till, and rtime. - creds->times.renew_till is ignored unless the RENEWABLE option is requested. - - If addrs is non-NULL, it is used for the addresses requested. If it is - null, the system standard addresses are used. - - A succesful call will place the ticket in the credentials cache ccache. - - returns system errors, encryption errors - - */ -krb5_error_code KRB5_CALLCONV -krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options, - krb5_address *const *addrs, krb5_enctype *ktypes, - krb5_preauthtype *pre_auth_types, - krb5_keytab keytab, krb5_ccache ccache, - krb5_creds *creds, krb5_kdc_rep **ret_as_reply) -{ - struct keytab_keyproc_arg arg; - - arg.keytab = keytab; - arg.client = creds->client; - - return(krb5_get_in_tkt(context, options, addrs, ktypes, - pre_auth_types, - keytab_keyproc, (krb5_pointer)&arg, - krb5_kdc_rep_decrypt_proc, 0, creds, - ccache, ret_as_reply)); -} diff --git a/src/lib/krb5/krb/in_tkt_pwd.c b/src/lib/krb5/krb/in_tkt_pwd.c deleted file mode 100644 index 1d9ad2e..0000000 --- a/src/lib/krb5/krb/in_tkt_pwd.c +++ /dev/null @@ -1,123 +0,0 @@ -/* - * lib/krb5/krb/in_tkt_pwd.c - * - * Copyright 1990,1991 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * - * krb5_get_in_tkt_with_password() - */ - -#include "k5-int.h" - -extern char *krb5_default_pwd_prompt1; - -/* - * key-producing procedure for use by krb5_get_in_tkt_with_password. - */ -static krb5_error_code pwd_keyproc - (krb5_context, - const krb5_enctype, - krb5_data *, - krb5_const_pointer, - krb5_keyblock **); - -static krb5_error_code -pwd_keyproc(krb5_context context, krb5_enctype type, krb5_data *salt, - krb5_const_pointer keyseed, krb5_keyblock **key) -{ - krb5_error_code retval; - krb5_data * password; - unsigned int pwsize; - - password = (krb5_data *)keyseed; - - if (!password->length) { - pwsize = BUFSIZ; - if ((password->data = malloc(pwsize)) == NULL) - return ENOMEM; - - if ((retval = krb5_read_password(context, krb5_default_pwd_prompt1, 0, - password->data, &pwsize))) { - return retval; - } - password->length = pwsize; - } - - if (!(*key = (krb5_keyblock *)malloc(sizeof(**key)))) - return ENOMEM; - - if ((retval = krb5_c_string_to_key(context, type, password, salt, *key))) - krb5_xfree(*key); - - return(retval); -} - -/* - Attempts to get an initial ticket for creds->client to use server - creds->server, (realm is taken from creds->client), with options - options, and using creds->times.starttime, creds->times.endtime, - creds->times.renew_till as from, till, and rtime. - creds->times.renew_till is ignored unless the RENEWABLE option is requested. - - If addrs is non-NULL, it is used for the addresses requested. If it is - null, the system standard addresses are used. - - If password is non-NULL, it is converted using the cryptosystem entry - point for a string conversion routine, seeded with the client's name. - If password is passed as NULL, the password is read from the terminal, - and then converted into a key. - - A succesful call will place the ticket in the credentials cache ccache. - - returns system errors, encryption errors - */ -krb5_error_code KRB5_CALLCONV -krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options, - krb5_address *const *addrs, krb5_enctype *ktypes, - krb5_preauthtype *pre_auth_types, - const char *password, krb5_ccache ccache, - krb5_creds *creds, krb5_kdc_rep **ret_as_reply) -{ - krb5_error_code retval; - krb5_data data; - - - if ((data.data = (char *)password)) { - data.length = strlen(password); - } else { - data.length = 0; - } - - retval = krb5_get_in_tkt(context, options, addrs, ktypes, pre_auth_types, - pwd_keyproc, (krb5_pointer) &data, - krb5_kdc_rep_decrypt_proc, 0, - creds, ccache, ret_as_reply); - - if ((password == NULL) && (data.data)) { - memset(data.data, 0, strlen(data.data)); - free(data.data); - } - - return retval; -} - diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c index 59b6123..2740d83 100644 --- a/src/lib/krb5/krb/init_ctx.c +++ b/src/lib/krb5/krb/init_ctx.c @@ -1,7 +1,7 @@ /* * lib/krb5/krb/init_ctx.c * - * Copyright 1994,1999,2000, 2002 by the Massachusetts Institute of Technology. + * Copyright 1994,1999,2000, 2002, 2003 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -65,9 +65,15 @@ them. This'll be fixed, but for better compatibility, let's prefer des-crc for now. */ #define DEFAULT_ETYPE_LIST \ + "aes256-cts-hmac-sha1-96 " \ + "aes128-cts-hmac-sha1-96 " \ "des3-cbc-sha1 arcfour-hmac-md5 " \ "des-cbc-crc des-cbc-md5 des-cbc-md4 " +/* Not included: + "aes128-cts-hmac-sha1-96 " \ + */ + #if (defined(_WIN32)) extern krb5_error_code krb5_vercheck(); extern void krb5_win_ccdll_load(krb5_context context); @@ -142,6 +148,13 @@ init_common (krb5_context *context, krb5_boolean secure) if ((retval = krb5_set_default_tgs_ktypes(ctx, NULL))) goto cleanup; + ctx->conf_tgs_ktypes = calloc(ctx->tgs_ktype_count, sizeof(krb5_enctype)); + if (ctx->conf_tgs_ktypes == NULL && ctx->tgs_ktype_count != 0) + goto cleanup; + memcpy(ctx->conf_tgs_ktypes, ctx->tgs_ktypes, + sizeof(krb5_enctype) * ctx->tgs_ktype_count); + ctx->conf_tgs_ktypes_count = ctx->tgs_ktype_count; + if ((retval = krb5_os_init_context(ctx))) goto cleanup; @@ -189,11 +202,7 @@ init_common (krb5_context *context, krb5_boolean secure) "kdc_default_options", 0, KDC_OPT_RENEWABLE_OK, &tmp); ctx->kdc_default_options = tmp; -#if TARGET_OS_MAC #define DEFAULT_KDC_TIMESYNC 1 -#else -#define DEFAULT_KDC_TIMESYNC 0 -#endif profile_get_integer(ctx->profile, "libdefaults", "kdc_timesync", 0, DEFAULT_KDC_TIMESYNC, &tmp); @@ -207,16 +216,13 @@ init_common (krb5_context *context, krb5_boolean secure) * Note: DCE 1.0.3a only supports a cache type of 1 * DCE 1.1 supports a cache type of 2. */ -#if TARGET_OS_MAC #define DEFAULT_CCACHE_TYPE 4 -#else -#define DEFAULT_CCACHE_TYPE 3 -#endif profile_get_integer(ctx->profile, "libdefaults", "ccache_type", 0, DEFAULT_CCACHE_TYPE, &tmp); ctx->fcc_default_format = tmp + 0x0500; ctx->scc_default_format = tmp + 0x0500; ctx->prompt_types = 0; + ctx->use_conf_ktypes = 0; ctx->udp_pref_limit = -1; *context = ctx; @@ -243,6 +249,11 @@ krb5_free_context(krb5_context ctx) ctx->tgs_ktypes = 0; } + if (ctx->conf_tgs_ktypes) { + free(ctx->conf_tgs_ktypes); + ctx->conf_tgs_ktypes = 0; + } + if (ctx->default_realm) { free(ctx->default_realm); ctx->default_realm = 0; @@ -291,7 +302,8 @@ krb5_set_default_in_tkt_ktypes(krb5_context context, const krb5_enctype *ktypes) } static krb5_error_code -get_profile_etype_list(krb5_context context, krb5_enctype **ktypes, char *profstr, int ctx_count, krb5_enctype *ctx_list) +get_profile_etype_list(krb5_context context, krb5_enctype **ktypes, char *profstr, + int ctx_count, krb5_enctype *ctx_list) { krb5_enctype *old_ktypes; @@ -426,12 +438,19 @@ krb5_error_code KRB5_CALLCONV krb5_get_tgs_ktypes(krb5_context context, krb5_const_principal princ, krb5_enctype **ktypes) { - return(get_profile_etype_list(context, ktypes, "default_tgs_enctypes", - context->tgs_ktype_count, - context->tgs_ktypes)); + if (context->use_conf_ktypes) + /* This one is set *only* by reading the config file; it's not + set by the application. */ + return(get_profile_etype_list(context, ktypes, "default_tgs_enctypes", + context->conf_tgs_ktypes_count, + context->conf_tgs_ktypes)); + else + return(get_profile_etype_list(context, ktypes, "default_tgs_enctypes", + context->tgs_ktype_count, + context->tgs_ktypes)); } -krb5_error_code +krb5_error_code KRB5_CALLCONV krb5_get_permitted_enctypes(krb5_context context, krb5_enctype **ktypes) { return(get_profile_etype_list(context, ktypes, "permitted_enctypes", diff --git a/src/lib/krb5/krb/kfree.c b/src/lib/krb5/krb/kfree.c index 46d485d..4700439 100644 --- a/src/lib/krb5/krb/kfree.c +++ b/src/lib/krb5/krb/kfree.c @@ -246,6 +246,7 @@ void krb5_free_etype_info(krb5_context context, krb5_etype_info info) for(i=0; info[i] != NULL; i++) { if (info[i]->salt) free(info[i]->salt); + krb5_free_data_contents( context, &info[i]->s2kparams); free(info[i]); } free(info); @@ -429,14 +430,20 @@ krb5_free_pwd_data(krb5_context context, krb5_pwd_data *val) void KRB5_CALLCONV krb5_free_pwd_sequences(krb5_context context, passwd_phrase_element **val) { - if ((*val)->passwd) { - krb5_xfree((*val)->passwd); - (*val)->passwd = 0; - } - if ((*val)->phrase) { - krb5_xfree((*val)->phrase); - (*val)->phrase = 0; + register passwd_phrase_element **temp; + + for (temp = val; *temp; temp++) { + if ((*temp)->passwd) { + krb5_free_data(context, (*temp)->passwd); + (*temp)->passwd = 0; + } + if ((*temp)->phrase) { + krb5_free_data(context, (*temp)->phrase); + (*temp)->phrase = 0; + } + krb5_xfree(*temp); } + krb5_xfree(val); } diff --git a/src/lib/krb5/krb/mk_cred.c b/src/lib/krb5/krb/mk_cred.c index 6389298..04248c0 100644 --- a/src/lib/krb5/krb/mk_cred.c +++ b/src/lib/krb5/krb/mk_cred.c @@ -182,9 +182,8 @@ krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context, krb5_creds * memset(pcred->tickets, 0, sizeof(krb5_ticket *) * (ncred +1)); /* Get keyblock */ - if ((keyblock = auth_context->local_subkey) == NULL) - if ((keyblock = auth_context->remote_subkey) == NULL) - keyblock = auth_context->keyblock; + if ((keyblock = auth_context->send_subkey) == NULL) + keyblock = auth_context->keyblock; /* Get replay info */ if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) && diff --git a/src/lib/krb5/krb/mk_priv.c b/src/lib/krb5/krb/mk_priv.c index 196b6ee..efe254a 100644 --- a/src/lib/krb5/krb/mk_priv.c +++ b/src/lib/krb5/krb/mk_priv.c @@ -119,9 +119,8 @@ krb5_mk_priv(krb5_context context, krb5_auth_context auth_context, memset((char *) &replaydata, 0, sizeof(krb5_replay_data)); /* Get keyblock */ - if ((keyblock = auth_context->local_subkey) == NULL) - if ((keyblock = auth_context->remote_subkey) == NULL) - keyblock = auth_context->keyblock; + if ((keyblock = auth_context->send_subkey) == NULL) + keyblock = auth_context->keyblock; /* Get replay info */ if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) && diff --git a/src/lib/krb5/krb/mk_rep.c b/src/lib/krb5/krb/mk_rep.c index 31f3fe5..393f634 100644 --- a/src/lib/krb5/krb/mk_rep.c +++ b/src/lib/krb5/krb/mk_rep.c @@ -59,7 +59,14 @@ krb5_mk_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *out repl.ctime = auth_context->authentp->ctime; repl.cusec = auth_context->authentp->cusec; - repl.subkey = auth_context->authentp->subkey; + if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_USE_SUBKEY) { + retval = krb5int_generate_and_save_subkey (context, auth_context, + auth_context->keyblock); + if (retval) + return retval; + repl.subkey = auth_context->send_subkey; + } else + repl.subkey = auth_context->authentp->subkey; repl.seq_number = auth_context->local_seq_number; /* encode it before encrypting */ diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c index 1ed14a9..cdb8f69 100644 --- a/src/lib/krb5/krb/mk_req_ext.c +++ b/src/lib/krb5/krb/mk_req_ext.c @@ -68,7 +68,39 @@ static krb5_error_code krb5_generate_authenticator (krb5_context, krb5_authenticator *, krb5_principal, krb5_checksum *, krb5_keyblock *, - krb5_int32, krb5_authdata ** ); + krb5_ui_4, krb5_authdata ** ); + +krb5_error_code +krb5int_generate_and_save_subkey (krb5_context context, + krb5_auth_context auth_context, + krb5_keyblock *keyblock) +{ + /* Provide some more fodder for random number code. + This isn't strong cryptographically; the point here is not + to guarantee randomness, but to make it less likely that multiple + sessions could pick the same subkey. */ + struct { + krb5_int32 sec, usec; + } rnd_data; + krb5_data d; + krb5_error_code retval; + + krb5_crypto_us_timeofday (&rnd_data.sec, &rnd_data.usec); + d.length = sizeof (rnd_data); + d.data = (char *) &rnd_data; + (void) krb5_c_random_add_entropy (context, KRB5_C_RANDSOURCE_TIMING, &d); + + if ((retval = krb5_generate_subkey(context, keyblock, &auth_context->send_subkey))) + return retval; + retval = krb5_copy_keyblock(context, auth_context->send_subkey, + &auth_context->recv_subkey); + if (retval) { + krb5_free_keyblock(context, auth_context->send_subkey); + auth_context->send_subkey = NULL; + return retval; + } + return 0; +} krb5_error_code KRB5_CALLCONV krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, @@ -130,22 +162,10 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, goto cleanup; } - if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->local_subkey)) { - /* Provide some more fodder for random number code. - This isn't strong cryptographically; the point here is not - to guarantee randomness, but to make it less likely that multiple - sessions could pick the same subkey. */ - struct { - krb5_int32 sec, usec; - } rnd_data; - krb5_data d; - krb5_crypto_us_timeofday (&rnd_data.sec, &rnd_data.usec); - d.length = sizeof (rnd_data); - d.data = (char *) &rnd_data; - (void) krb5_c_random_add_entropy (context, KRB5_C_RANDSOURCE_TIMING, &d); - - if ((retval = krb5_generate_subkey(context, &(in_creds)->keyblock, - &(*auth_context)->local_subkey))) + if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->send_subkey)) { + retval = krb5int_generate_and_save_subkey (context, *auth_context, + &in_creds->keyblock); + if (retval) goto cleanup; } @@ -178,7 +198,7 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, if ((retval = krb5_generate_authenticator(context, (*auth_context)->authentp, (in_creds)->client, checksump, - (*auth_context)->local_subkey, + (*auth_context)->send_subkey, (*auth_context)->local_seq_number, (in_creds)->authdata))) goto cleanup_cksum; @@ -232,7 +252,7 @@ cleanup: } static krb5_error_code -krb5_generate_authenticator(krb5_context context, krb5_authenticator *authent, krb5_principal client, krb5_checksum *cksum, krb5_keyblock *key, krb5_int32 seq_number, krb5_authdata **authorization) +krb5_generate_authenticator(krb5_context context, krb5_authenticator *authent, krb5_principal client, krb5_checksum *cksum, krb5_keyblock *key, krb5_ui_4 seq_number, krb5_authdata **authorization) { krb5_error_code retval; diff --git a/src/lib/krb5/krb/mk_safe.c b/src/lib/krb5/krb/mk_safe.c index 992a456..eefcab7 100644 --- a/src/lib/krb5/krb/mk_safe.c +++ b/src/lib/krb5/krb/mk_safe.c @@ -120,9 +120,8 @@ krb5_mk_safe(krb5_context context, krb5_auth_context auth_context, const krb5_da memset((char *) &replaydata, 0, sizeof(krb5_replay_data)); /* Get keyblock */ - if ((keyblock = auth_context->local_subkey) == NULL) - if ((keyblock = auth_context->remote_subkey) == NULL) - keyblock = auth_context->keyblock; + if ((keyblock = auth_context->send_subkey) == NULL) + keyblock = auth_context->keyblock; /* Get replay info */ if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) && diff --git a/src/lib/krb5/krb/parse.c b/src/lib/krb5/krb/parse.c index abbcfbe..3debb6a 100644 --- a/src/lib/krb5/krb/parse.c +++ b/src/lib/krb5/krb/parse.c @@ -170,11 +170,13 @@ krb5_parse_name(krb5_context context, const char *name, krb5_principal *nprincip cp++; size++; } else if (c == COMPONENT_SEP) { - krb5_princ_component(context, principal, i)->length = size; + if (krb5_princ_size(context, principal) > i) + krb5_princ_component(context, principal, i)->length = size; size = 0; i++; } else if (c == REALM_SEP) { - krb5_princ_component(context, principal, i)->length = size; + if (krb5_princ_size(context, principal) > i) + krb5_princ_component(context, principal, i)->length = size; size = 0; parsed_realm = cp+1; } else @@ -183,7 +185,8 @@ krb5_parse_name(krb5_context context, const char *name, krb5_principal *nprincip if (parsed_realm) krb5_princ_realm(context, principal)->length = size; else - krb5_princ_component(context, principal, i)->length = size; + if (krb5_princ_size(context, principal) > i) + krb5_princ_component(context, principal, i)->length = size; if (i + 1 != components) { #if !defined(_WIN32) && !defined(macintosh) fprintf(stderr, diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c index e50440e..6238a82 100644 --- a/src/lib/krb5/krb/preauth2.c +++ b/src/lib/krb5/krb/preauth2.c @@ -35,7 +35,7 @@ typedef krb5_error_code (*pa_function)(krb5_context, krb5_kdc_req *request, krb5_pa_data *in_padata, krb5_pa_data **out_padata, - krb5_data *salt, + krb5_data *salt, krb5_data *s2kparams, krb5_enctype *etype, krb5_keyblock *as_key, krb5_prompter_fct prompter_fct, @@ -57,7 +57,7 @@ krb5_error_code pa_salt(krb5_context context, krb5_kdc_req *request, krb5_pa_data *in_padata, krb5_pa_data **out_padata, - krb5_data *salt, + krb5_data *salt, krb5_data *s2kparams, krb5_enctype *etype, krb5_keyblock *as_key, krb5_prompter_fct prompter, void *prompter_data, @@ -65,22 +65,11 @@ krb5_error_code pa_salt(krb5_context context, { krb5_data tmp; - /* screw the abstraction. If there was a *reasonable* copy_data, - I'd use it. But I'm inside the library, which is the twilight - zone of source code, so I can do anything. */ - + tmp.data = in_padata->contents; tmp.length = in_padata->length; - if (tmp.length) { - if ((tmp.data = malloc(tmp.length)) == NULL) - return ENOMEM; - memcpy(tmp.data, in_padata->contents, tmp.length); - } else { - tmp.data = NULL; - } - - *salt = tmp; - - /* assume that no other salt was allocated */ + krb5_free_data_contents(context, salt); + krb5int_copy_data_contents(context, &tmp, salt); + if (in_padata->pa_type == KRB5_PADATA_AFS3_SALT) salt->length = SALT_TYPE_AFS_LENGTH; @@ -94,6 +83,7 @@ krb5_error_code pa_enc_timestamp(krb5_context context, krb5_pa_data *in_padata, krb5_pa_data **out_padata, krb5_data *salt, + krb5_data *s2kparams, krb5_enctype *etype, krb5_keyblock *as_key, krb5_prompter_fct prompter, @@ -119,7 +109,7 @@ krb5_error_code pa_enc_timestamp(krb5_context context, if ((ret = ((*gak_fct)(context, request->client, *etype ? *etype : request->ktype[0], prompter, prompter_data, - salt, as_key, gak_data)))) + salt, s2kparams, as_key, gak_data)))) return(ret); } @@ -233,6 +223,7 @@ krb5_error_code pa_sam(krb5_context context, krb5_pa_data *in_padata, krb5_pa_data **out_padata, krb5_data *salt, + krb5_data *s2kparams, krb5_enctype *etype, krb5_keyblock *as_key, krb5_prompter_fct prompter, @@ -283,7 +274,7 @@ krb5_error_code pa_sam(krb5_context context, *etype = ENCTYPE_DES_CBC_CRC; if ((ret = (gak_fct)(context, request->client, *etype, prompter, - prompter_data, salt, as_key, gak_data))) + prompter_data, salt, s2kparams, as_key, gak_data))) return(ret); } sprintf(name, "%.*s", @@ -472,6 +463,7 @@ krb5_error_code pa_sam_2(krb5_context context, krb5_pa_data *in_padata, krb5_pa_data **out_padata, krb5_data *salt, + krb5_data *s2kparams, krb5_enctype *etype, krb5_keyblock *as_key, krb5_prompter_fct prompter, @@ -542,7 +534,7 @@ krb5_error_code pa_sam_2(krb5_context context, retval = (gak_fct)(context, request->client, sc2b->sam_etype, prompter, - prompter_data, salt, as_key, gak_data); + prompter_data, salt, s2kparams, as_key, gak_data); if (retval) { krb5_free_sam_challenge_2(context, sc2); krb5_free_sam_challenge_2_body(context, sc2b); @@ -827,87 +819,19 @@ static const pa_types_t pa_types[] = { }, }; -static void -sort_etype_info(krb5_context context, krb5_kdc_req *request, - krb5_etype_info_entry **etype_info) -{ -/* Originally adapted from a proposed solution in ticket 1006. This - * solution is not efficient, but implementing an efficient sort - * with a comparison function based on order in the kdc request would - * be difficult.*/ - krb5_etype_info_entry *tmp; - int i, j, e; - krb5_boolean similar; - - if (etype_info == NULL) - return; - - /* First, move up etype_info_entries whose enctype exactly matches a - * requested enctype. - */ - e = 0; - for ( i = 0 ; i < request->nktypes && etype_info[e] != NULL ; i++ ) - { - if (request->ktype[i] == etype_info[e]->etype) - { - e++; - continue; - } - for ( j = e+1 ; etype_info[j] ; j++ ) - if (request->ktype[i] == etype_info[j]->etype) - break; - if (etype_info[j] == NULL) - continue; - - tmp = etype_info[j]; - etype_info[j] = etype_info[e]; - etype_info[e] = tmp; - e++; - } - - /* Then move up etype_info_entries whose enctype is similar to a - * requested enctype. - */ - for ( i = 0 ; i < request->nktypes && etype_info[e] != NULL ; i++ ) - { - if (krb5_c_enctype_compare(context, request->ktype[i], etype_info[e]->etype, &similar) != 0) - continue; - - if (similar) - { - e++; - continue; - } - for ( j = e+1 ; etype_info[j] ; j++ ) - { - if (krb5_c_enctype_compare(context, request->ktype[i], etype_info[j]->etype, &similar) != 0) - continue; - - if (similar) - break; - } - if (etype_info[j] == NULL) - continue; - - tmp = etype_info[j]; - etype_info[j] = etype_info[e]; - etype_info[e] = tmp; - e++; - } -} - - krb5_error_code krb5_do_preauth(krb5_context context, krb5_kdc_req *request, krb5_pa_data **in_padata, krb5_pa_data ***out_padata, - krb5_data *salt, krb5_enctype *etype, + krb5_data *salt, krb5_data *s2kparams, + krb5_enctype *etype, krb5_keyblock *as_key, krb5_prompter_fct prompter, void *prompter_data, krb5_gic_get_as_key_fct gak_fct, void *gak_data) { int h, i, j, out_pa_list_size; - krb5_pa_data *out_pa, **out_pa_list; + int seen_etype_info2 = 0; + krb5_pa_data *out_pa = NULL, **out_pa_list = NULL; krb5_data scratch; krb5_etype_info etype_info = NULL; krb5_error_code ret; @@ -938,6 +862,7 @@ krb5_do_preauth(krb5_context context, for (h=0; h<(sizeof(paorder)/sizeof(paorder[0])); h++) { realdone = 0; for (i=0; in_padata[i] && !realdone; i++) { + int k, l, etype_found, valid_etype_found; /* * This is really gross, but is necessary to prevent * lossge when talking to a 1.0.x KDC, which returns an @@ -946,27 +871,81 @@ krb5_do_preauth(krb5_context context, */ switch (in_padata[i]->pa_type) { case KRB5_PADATA_ETYPE_INFO: - if (etype_info) - continue; + case KRB5_PADATA_ETYPE_INFO2: + { + krb5_preauthtype pa_type = in_padata[i]->pa_type; + if (etype_info) { + if (seen_etype_info2 || pa_type != KRB5_PADATA_ETYPE_INFO2) + continue; + if (pa_type == KRB5_PADATA_ETYPE_INFO2) { + krb5_free_etype_info( context, etype_info); + etype_info = NULL; + } + } + scratch.length = in_padata[i]->length; scratch.data = (char *) in_padata[i]->contents; - ret = decode_krb5_etype_info(&scratch, &etype_info); + if (pa_type == KRB5_PADATA_ETYPE_INFO2) { + seen_etype_info2++; + ret = decode_krb5_etype_info2(&scratch, &etype_info); + } + else ret = decode_krb5_etype_info(&scratch, &etype_info); if (ret) { - if (out_pa_list) { - out_pa_list[out_pa_list_size++] = NULL; - krb5_free_pa_data(context, out_pa_list); - } - return ret; + ret = 0; /*Ignore error and etype_info element*/ + krb5_free_etype_info( context, etype_info); + etype_info = NULL; + continue; } if (etype_info[0] == NULL) { krb5_free_etype_info(context, etype_info); etype_info = NULL; break; } - sort_etype_info(context, request, etype_info); - salt->data = (char *) etype_info[0]->salt; - salt->length = etype_info[0]->length; - *etype = etype_info[0]->etype; + /* + * Select first etype in our request which is also in + * etype-info (preferring client request ktype order). + */ + for (etype_found = 0, valid_etype_found = 0, k = 0; + !etype_found && k < request->nktypes; k++) { + for (l = 0; etype_info[l]; l++) { + if (etype_info[l]->etype == request->ktype[k]) { + etype_found++; + break; + } + /* check if program has support for this etype for more + * precise error reporting. + */ + if (valid_enctype(etype_info[l]->etype)) + valid_etype_found++; + } + } + if (!etype_found) { + if (valid_etype_found) { + /* supported enctype but not requested */ + ret = KRB5_CONFIG_ETYPE_NOSUPP; + goto cleanup; + } + else { + /* unsupported enctype */ + ret = KRB5_PROG_ETYPE_NOSUPP; + goto cleanup; + } + + } + scratch.data = (char *) etype_info[l]->salt; + scratch.length = etype_info[l]->length; + krb5_free_data_contents(context, salt); + if (scratch.length == KRB5_ETYPE_NO_SALT) + salt->data = NULL; + else + if ((ret = krb5int_copy_data_contents( context, &scratch, salt)) != 0) + goto cleanup; + *etype = etype_info[l]->etype; + krb5_free_data_contents(context, s2kparams); + if ((ret = krb5int_copy_data_contents(context, + &etype_info[l]->s2kparams, + s2kparams)) != 0) + goto cleanup; #ifdef DEBUG for (j = 0; etype_info[j]; j++) { krb5_etype_info_entry *e = etype_info[j]; @@ -978,6 +957,7 @@ krb5_do_preauth(krb5_context context, } #endif break; + } case KRB5_PADATA_PW_SALT: case KRB5_PADATA_AFS3_SALT: if (etype_info) @@ -993,16 +973,10 @@ krb5_do_preauth(krb5_context context, if ((ret = ((*pa_types[j].fct)(context, request, in_padata[i], &out_pa, - salt, etype, as_key, + salt, s2kparams, etype, as_key, prompter, prompter_data, gak_fct, gak_data)))) { - if (out_pa_list) { - out_pa_list[out_pa_list_size++] = NULL; - krb5_free_pa_data(context, out_pa_list); - } - if (etype_info) - krb5_free_etype_info(context, etype_info); - return(ret); + goto cleanup; } if (out_pa) { @@ -1010,18 +984,22 @@ krb5_do_preauth(krb5_context context, if ((out_pa_list = (krb5_pa_data **) malloc(2*sizeof(krb5_pa_data *))) - == NULL) - return(ENOMEM); + == NULL) { + ret = ENOMEM; + goto cleanup; + } } else { if ((out_pa_list = (krb5_pa_data **) realloc(out_pa_list, (out_pa_list_size+2)* sizeof(krb5_pa_data *))) - == NULL) - /* XXX this will leak the pointers which + == NULL) { + /* XXX this will leak the pointers which have already been allocated. oh well. */ - return(ENOMEM); + ret = ENOMEM; + goto cleanup; + } } out_pa_list[out_pa_list_size++] = out_pa; @@ -1037,6 +1015,16 @@ krb5_do_preauth(krb5_context context, out_pa_list[out_pa_list_size++] = NULL; *out_padata = out_pa_list; - + if (etype_info) + krb5_free_etype_info(context, etype_info); + return(0); + cleanup: + if (out_pa_list) { + out_pa_list[out_pa_list_size++] = NULL; + krb5_free_pa_data(context, out_pa_list); + } + if (etype_info) + krb5_free_etype_info(context, etype_info); + return (ret); } diff --git a/src/lib/krb5/krb/rd_cred.c b/src/lib/krb5/krb/rd_cred.c index 228219f..11be47f 100644 --- a/src/lib/krb5/krb/rd_cred.c +++ b/src/lib/krb5/krb/rd_cred.c @@ -33,15 +33,11 @@ decrypt_credencdata(krb5_context context, krb5_cred *pcred, krb5_keyblock *pkeyb /* now decode the decrypted stuff */ if ((retval = decode_krb5_enc_cred_part(&scratch, &ppart))) - goto cleanup_encpart; + goto cleanup; *pcredenc = *ppart; retval = 0; -cleanup_encpart: - memset(ppart, 0, sizeof(*ppart)); - krb5_xfree(ppart); - cleanup: memset(scratch.data, 0, scratch.length); krb5_xfree(scratch.data); @@ -169,9 +165,8 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context, krb5_data *pc krb5_replay_data replaydata; /* Get keyblock */ - if ((keyblock = auth_context->remote_subkey) == NULL) - if ((keyblock = auth_context->local_subkey) == NULL) - keyblock = auth_context->keyblock; + if ((keyblock = auth_context->recv_subkey) == NULL) + keyblock = auth_context->keyblock; if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && diff --git a/src/lib/krb5/krb/rd_priv.c b/src/lib/krb5/krb/rd_priv.c index 8132056..cf74807 100644 --- a/src/lib/krb5/krb/rd_priv.c +++ b/src/lib/krb5/krb/rd_priv.c @@ -156,9 +156,8 @@ krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, const krb5_da krb5_replay_data replaydata; /* Get keyblock */ - if ((keyblock = auth_context->remote_subkey) == NULL) - if ((keyblock = auth_context->local_subkey) == NULL) - keyblock = auth_context->keyblock; + if ((keyblock = auth_context->recv_subkey) == NULL) + keyblock = auth_context->keyblock; if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && @@ -247,7 +246,8 @@ krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, const krb5_da } if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { - if (auth_context->remote_seq_number != replaydata.seq) { + if (!krb5int_auth_con_chkseqnum(context, auth_context, + replaydata.seq)) { retval = KRB5KRB_AP_ERR_BADORDER; goto error; } diff --git a/src/lib/krb5/krb/rd_rep.c b/src/lib/krb5/krb/rd_rep.c index e35e43f..8019229 100644 --- a/src/lib/krb5/krb/rd_rep.c +++ b/src/lib/krb5/krb/rd_rep.c @@ -81,8 +81,24 @@ krb5_rd_rep(krb5_context context, krb5_auth_context auth_context, const krb5_dat /* Set auth subkey */ if ((*repl)->subkey) { + if (auth_context->recv_subkey) { + krb5_free_keyblock(context, auth_context->recv_subkey); + auth_context->recv_subkey = NULL; + } retval = krb5_copy_keyblock(context, (*repl)->subkey, - &auth_context->remote_subkey); + &auth_context->recv_subkey); + if (retval) + goto clean_scratch; + if (auth_context->send_subkey) { + krb5_free_keyblock(context, auth_context->send_subkey); + auth_context->send_subkey = NULL; + } + retval = krb5_copy_keyblock(context, (*repl)->subkey, + &auth_context->send_subkey); + if (retval) { + krb5_free_keyblock(context, auth_context->send_subkey); + auth_context->send_subkey = NULL; + } } /* Get remote sequence number */ diff --git a/src/lib/krb5/krb/rd_req.c b/src/lib/krb5/krb/rd_req.c index f844e3c..9a2f458 100644 --- a/src/lib/krb5/krb/rd_req.c +++ b/src/lib/krb5/krb/rd_req.c @@ -83,7 +83,9 @@ krb5_rd_req(krb5_context context, krb5_auth_context *auth_context, const krb5_da server = request->ticket->server; } /* Get an rcache if necessary. */ - if (((*auth_context)->rcache == NULL) && server) { + if (((*auth_context)->rcache == NULL) + && ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) +&& server) { if ((retval = krb5_get_server_rcache(context, krb5_princ_component(context,server,0), &(*auth_context)->rcache))) goto cleanup_auth_context; diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c index fa126b4..3c398ae 100644 --- a/src/lib/krb5/krb/rd_req_dec.c +++ b/src/lib/krb5/krb/rd_req_dec.c @@ -290,10 +290,18 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, c if ((*auth_context)->authentp->subkey) { if ((retval = krb5_copy_keyblock(context, (*auth_context)->authentp->subkey, - &((*auth_context)->remote_subkey)))) + &((*auth_context)->recv_subkey)))) goto cleanup; + retval = krb5_copy_keyblock(context, (*auth_context)->authentp->subkey, + &((*auth_context)->send_subkey)); + if (retval) { + krb5_free_keyblock(context, (*auth_context)->recv_subkey); + (*auth_context)->recv_subkey = NULL; + goto cleanup; + } } else { - (*auth_context)->remote_subkey = 0; + (*auth_context)->recv_subkey = 0; + (*auth_context)->send_subkey = 0; } if ((retval = krb5_copy_keyblock(context, req->ticket->enc_part2->session, diff --git a/src/lib/krb5/krb/rd_safe.c b/src/lib/krb5/krb/rd_safe.c index 0f6cec2..15dc6dc 100644 --- a/src/lib/krb5/krb/rd_safe.c +++ b/src/lib/krb5/krb/rd_safe.c @@ -51,6 +51,7 @@ krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf, const krb5_keyb { krb5_error_code retval; krb5_safe * message; + krb5_data safe_body; krb5_checksum our_cksum, *his_cksum; krb5_octet zero_octet = 0; krb5_data *scratch; @@ -59,7 +60,7 @@ krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf, const krb5_keyb if (!krb5_is_krb_safe(inbuf)) return KRB5KRB_AP_ERR_MSG_TYPE; - if ((retval = decode_krb5_safe(inbuf, &message))) + if ((retval = decode_krb5_safe_with_body(inbuf, &message, &safe_body))) return retval; if (!krb5_c_valid_cksumtype(message->checksum->checksum_type)) { @@ -113,7 +114,7 @@ krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf, const krb5_keyb message->checksum = &our_cksum; - if ((retval = encode_krb5_safe(message, &scratch))) + if ((retval = encode_krb5_safe_with_body(message, &safe_body, &scratch))) goto cleanup; message->checksum = his_cksum; @@ -126,8 +127,17 @@ krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf, const krb5_keyb krb5_free_data(context, scratch); if (!valid) { - retval = KRB5KRB_AP_ERR_MODIFIED; - goto cleanup; + /* + * Checksum over only the KRB-SAFE-BODY, like RFC 1510 says, in + * case someone actually implements it correctly. + */ + retval = krb5_c_verify_checksum(context, keyblock, + KRB5_KEYUSAGE_KRB_SAFE_CKSUM, + &safe_body, his_cksum, &valid); + if (!valid) { + retval = KRB5KRB_AP_ERR_MODIFIED; + goto cleanup; + } } replaydata->timestamp = message->timestamp; @@ -161,9 +171,8 @@ krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, const krb5_da return KRB5_RC_REQUIRED; /* Get keyblock */ - if ((keyblock = auth_context->remote_subkey) == NULL) - if ((keyblock = auth_context->local_subkey) == NULL) - keyblock = auth_context->keyblock; + if ((keyblock = auth_context->recv_subkey) == NULL) + keyblock = auth_context->keyblock; { krb5_address * premote_fulladdr = NULL; @@ -240,7 +249,8 @@ krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, const krb5_da } if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { - if (auth_context->remote_seq_number != replaydata.seq) { + if (!krb5int_auth_con_chkseqnum(context, auth_context, + replaydata.seq)) { retval = KRB5KRB_AP_ERR_BADORDER; goto error; } diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c index 244d18e..34a98c0 100644 --- a/src/lib/krb5/krb/send_tgs.c +++ b/src/lib/krb5/krb/send_tgs.c @@ -278,6 +278,7 @@ send_again: } krb5_free_error(context, err_reply); } + rep->message_type = KRB5_ERROR; } else if (krb5_is_tgs_rep(&rep->response)) rep->message_type = KRB5_TGS_REP; else /* XXX: assume it's an error */ diff --git a/src/lib/krb5/krb/ser_actx.c b/src/lib/krb5/krb/ser_actx.c index a8ec90e..32519e1 100644 --- a/src/lib/krb5/krb/ser_actx.c +++ b/src/lib/krb5/krb/ser_actx.c @@ -151,21 +151,21 @@ krb5_auth_context_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) required += sizeof(krb5_int32); } - /* Calculate size required by local_subkey, if appropriate */ - if (!kret && auth_context->local_subkey) { + /* Calculate size required by send_subkey, if appropriate */ + if (!kret && auth_context->send_subkey) { kret = krb5_size_opaque(kcontext, KV5M_KEYBLOCK, - (krb5_pointer) auth_context->local_subkey, + (krb5_pointer) auth_context->send_subkey, &required); if (!kret) required += sizeof(krb5_int32); } - /* Calculate size required by remote_subkey, if appropriate */ - if (!kret && auth_context->remote_subkey) { + /* Calculate size required by recv_subkey, if appropriate */ + if (!kret && auth_context->recv_subkey) { kret = krb5_size_opaque(kcontext, KV5M_KEYBLOCK, - (krb5_pointer) auth_context->remote_subkey, + (krb5_pointer) auth_context->recv_subkey, &required); if (!kret) required += sizeof(krb5_int32); @@ -300,23 +300,23 @@ krb5_auth_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octe } /* Now handle subkey, if appropriate */ - if (!kret && auth_context->local_subkey) { + if (!kret && auth_context->send_subkey) { (void) krb5_ser_pack_int32(TOKEN_LSKBLOCK, &bp, &remain); kret = krb5_externalize_opaque(kcontext, KV5M_KEYBLOCK, (krb5_pointer) - auth_context->local_subkey, + auth_context->send_subkey, &bp, &remain); } /* Now handle subkey, if appropriate */ - if (!kret && auth_context->remote_subkey) { + if (!kret && auth_context->recv_subkey) { (void) krb5_ser_pack_int32(TOKEN_RSKBLOCK, &bp, &remain); kret = krb5_externalize_opaque(kcontext, KV5M_KEYBLOCK, (krb5_pointer) - auth_context->remote_subkey, + auth_context->recv_subkey, &bp, &remain); } @@ -474,26 +474,26 @@ krb5_auth_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_oc kret = krb5_ser_unpack_int32(&tag, &bp, &remain); } - /* This is the local_subkey */ + /* This is the send_subkey */ if (!kret && (tag == TOKEN_LSKBLOCK)) { if (!(kret = krb5_internalize_opaque(kcontext, KV5M_KEYBLOCK, (krb5_pointer *) &auth_context-> - local_subkey, + send_subkey, &bp, &remain))) kret = krb5_ser_unpack_int32(&tag, &bp, &remain); } - /* This is the remote_subkey */ + /* This is the recv_subkey */ if (!kret) { if (tag == TOKEN_RSKBLOCK) { kret = krb5_internalize_opaque(kcontext, KV5M_KEYBLOCK, (krb5_pointer *) &auth_context-> - remote_subkey, + recv_subkey, &bp, &remain); } diff --git a/src/lib/krb5/krb/serialize.c b/src/lib/krb5/krb/serialize.c index 7c5f17a..9cbcef7 100644 --- a/src/lib/krb5/krb/serialize.c +++ b/src/lib/krb5/krb/serialize.c @@ -174,7 +174,7 @@ krb5_internalize_opaque(krb5_context kcontext, krb5_magic odtype, krb5_pointer * } /* - * krb5_ser_pack_int32() - Pack a 4-byte integer if space is availble. + * krb5_ser_pack_int32() - Pack a 4-byte integer if space is available. * Update buffer pointer and remaining space. */ krb5_error_code KRB5_CALLCONV @@ -194,6 +194,23 @@ krb5_ser_pack_int32(krb5_int32 iarg, krb5_octet **bufp, size_t *remainp) } /* + * krb5_ser_pack_int64() - Pack an 8-byte integer if space is available. + * Update buffer pointer and remaining space. + */ +krb5_error_code KRB5_CALLCONV +krb5_ser_pack_int64(krb5_int64 iarg, krb5_octet **bufp, size_t *remainp) +{ + if (*remainp >= sizeof(krb5_int64)) { + store_64_be(iarg, (unsigned char *)*bufp); + *bufp += sizeof(krb5_int64); + *remainp -= sizeof(krb5_int64); + return(0); + } + else + return(ENOMEM); +} + +/* * krb5_ser_pack_bytes() - Pack a string of bytes. */ krb5_error_code KRB5_CALLCONV @@ -229,6 +246,22 @@ krb5_ser_unpack_int32(krb5_int32 *intp, krb5_octet **bufp, size_t *remainp) } /* + * krb5_ser_unpack_int64() - Unpack an 8-byte integer if it's there. + */ +krb5_error_code KRB5_CALLCONV +krb5_ser_unpack_int64(krb5_int64 *intp, krb5_octet **bufp, size_t *remainp) +{ + if (*remainp >= sizeof(krb5_int64)) { + *intp = load_64_be((unsigned char *)*bufp); + *bufp += sizeof(krb5_int64); + *remainp -= sizeof(krb5_int64); + return(0); + } + else + return(ENOMEM); +} + +/* * krb5_ser_unpack_bytes() - Unpack a byte string if it's there. */ krb5_error_code KRB5_CALLCONV diff --git a/src/lib/krb5/krb/srv_rcache.c b/src/lib/krb5/krb/srv_rcache.c index aa41bc5..e66d2d3 100644 --- a/src/lib/krb5/krb/srv_rcache.c +++ b/src/lib/krb5/krb/srv_rcache.c @@ -48,6 +48,9 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece, krb5_rcache unsigned long uid = geteuid(); #endif + if (piece == NULL) + return ENOMEM; + rcache = (krb5_rcache) malloc(sizeof(*rcache)); if (!rcache) return ENOMEM; @@ -58,7 +61,7 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece, krb5_rcache len = piece->length + 3 + 1; for (i = 0; i < piece->length; i++) { - if (piece->data[i] == '\\') + if (piece->data[i] == '-') len++; else if (!isvalidrcname((int) piece->data[i])) len += 3; @@ -78,14 +81,14 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece, krb5_rcache strcpy(cachename, "rc_"); p = 3; for (i = 0; i < piece->length; i++) { - if (piece->data[i] == '\\') { - cachename[p++] = '\\'; - cachename[p++] = '\\'; + if (piece->data[i] == '-') { + cachename[p++] = '-'; + cachename[p++] = '-'; continue; } if (!isvalidrcname((int) piece->data[i])) { sprintf(tmp, "%03o", piece->data[i]); - cachename[p++] = '\\'; + cachename[p++] = '-'; cachename[p++] = tmp[0]; cachename[p++] = tmp[1]; cachename[p++] = tmp[2]; diff --git a/src/lib/krb5/krb/unparse.c b/src/lib/krb5/krb/unparse.c index f0e52dc..6f1a3c9 100644 --- a/src/lib/krb5/krb/unparse.c +++ b/src/lib/krb5/krb/unparse.c @@ -149,7 +149,8 @@ krb5_unparse_name_ext(krb5_context context, krb5_const_principal principal, regi *q++ = COMPONENT_SEP; } - q--; /* Back up last component separator */ + if (i > 0) + q--; /* Back up last component separator */ *q++ = REALM_SEP; cp = krb5_princ_realm(context, principal)->data; diff --git a/src/lib/krb5/krb/v4lifetime.c b/src/lib/krb5/krb/v4lifetime.c new file mode 100644 index 0000000..94bf5f6 --- /dev/null +++ b/src/lib/krb5/krb/v4lifetime.c @@ -0,0 +1,149 @@ +/* + * Copyright 2000, 2001, 2003 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + */ + +#include "k5-int.h" + +/* + * Only lifetime bytes values less than 128 are on a linear scale. + * The following table contains an exponential scale that covers the + * lifetime values 128 to 191 inclusive (a total of 64 values). + * Values greater than 191 get interpreted the same as 191, but they + * will never be generated by the functions in this file. + * + * The ratio is approximately 1.069144898 (actually exactly + * exp(log(67.5)/63), where 67.5 = 2592000/38400, and 259200 = 30 + * days, and 38400 = 128*5 minutes. This allows a lifetime byte of + * 191 to correspond to a ticket life of exactly 30 days and a + * lifetime byte of 128 to correspond to exactly 128*5 minutes, with + * the other values spread on an exponential curve fit in between + * them. This table should correspond exactly to the set of extended + * ticket lifetime values used by AFS and CMU. + * + * The following awk script is sufficient to reproduce the table: + * BEGIN { + * r = exp(log(2592000/38400)/63); + * x = 38400; + * for (i=0;i<64;i++) { + * printf("%d\n",x+0.5); + * x *= r; + * } + * } + */ +#ifndef SHORT_LIFETIME +#define NLIFETIMES 64 +static const krb5_int32 lifetimes[NLIFETIMES] = { + 38400, 41055, /* 00:10:40:00, 00:11:24:15 */ + 43894, 46929, /* 00:12:11:34, 00:13:02:09 */ + 50174, 53643, /* 00:13:56:14, 00:14:54:03 */ + 57352, 61318, /* 00:15:55:52, 00:17:01:58 */ + 65558, 70091, /* 00:18:12:38, 00:19:28:11 */ + 74937, 80119, /* 00:20:48:57, 00:22:15:19 */ + 85658, 91581, /* 00:23:47:38, 01:01:26:21 */ + 97914, 104684, /* 01:03:11:54, 01:05:04:44 */ + 111922, 119661, /* 01:07:05:22, 01:09:14:21 */ + 127935, 136781, /* 01:11:32:15, 01:13:59:41 */ + 146239, 156350, /* 01:16:37:19, 01:19:25:50 */ + 167161, 178720, /* 01:22:26:01, 02:01:38:40 */ + 191077, 204289, /* 02:05:04:37, 02:08:44:49 */ + 218415, 233517, /* 02:12:40:15, 02:16:51:57 */ + 249664, 266926, /* 02:21:21:04, 03:02:08:46 */ + 285383, 305116, /* 03:07:16:23, 03:12:45:16 */ + 326213, 348769, /* 03:18:36:53, 04:00:52:49 */ + 372885, 398668, /* 04:07:34:45, 04:14:44:28 */ + 426234, 455705, /* 04:22:23:54, 05:06:35:05 */ + 487215, 520904, /* 05:15:20:15, 06:00:41:44 */ + 556921, 595430, /* 06:10:42:01, 06:21:23:50 */ + 636601, 680618, /* 07:08:50:01, 07:21:03:38 */ + 727680, 777995, /* 08:10:08:00, 09:00:06:35 */ + 831789, 889303, /* 09:15:03:09, 10:07:01:43 */ + 950794, 1016537, /* 11:00:06:34, 11:18:22:17 */ + 1086825, 1161973, /* 12:13:53:45, 13:10:46:13 */ + 1242318, 1328218, /* 14:09:05:18, 15:08:56:58 */ + 1420057, 1518247, /* 16:10:27:37, 17:13:44:07 */ + 1623226, 1735464, /* 18:18:53:46, 20:02:04:24 */ + 1855462, 1983758, /* 21:11:24:22, 22:23:02:38 */ + 2120925, 2267576, /* 24:13:08:45, 26:05:52:56 */ + 2424367, 2592000 /* 28:01:26:07, 30:00:00:00 */ +}; +#define MINFIXED 0x80 +#define MAXFIXED (MINFIXED + NLIFETIMES - 1) +#endif /* !SHORT_LIFETIME */ + +/* + * krb_life_to_time + * + * Given a start date and a lifetime byte, compute the expiration + * date. + */ +krb5_int32 +krb5int_krb_life_to_time(krb5_int32 start, int life) +{ + if (life < 0 || life > 255) /* possibly sign botch in caller */ + return start; +#ifndef SHORT_LIFETIME + if (life < MINFIXED) + return start + life * 5 * 60; + if (life > MAXFIXED) + return start + lifetimes[NLIFETIMES - 1]; + return start + lifetimes[life - MINFIXED]; +#else /* SHORT_LIFETIME */ + return start + life * 5 * 60; +#endif /* SHORT_LIFETIME */ +} + +/* + * krb_time_to_life + * + * Given the start date and the end date, compute the lifetime byte. + * Round up, since we can adjust the start date backwards if we are + * issuing the ticket to cause it to expire at the correct time. + */ +int +krb5int_krb_time_to_life(krb5_int32 start, krb5_int32 end) +{ + krb5_int32 dt; +#ifndef SHORT_LIFETIME + int i; +#endif + + dt = end - start; + if (dt <= 0) + return 0; +#ifndef SHORT_LIFETIME + if (dt < lifetimes[0]) + return (dt + 5 * 60 - 1) / (5 * 60); + /* This depends on the array being ordered. */ + for (i = 0; i < NLIFETIMES; i++) { + if (lifetimes[i] >= dt) + return i + MINFIXED; + } + return MAXFIXED; +#else /* SHORT_LIFETIME */ + if (dt > 5 * 60 * 255) + return 255; + else + return (dt + 5 * 60 - 1) / (5 * 60); +#endif /* SHORT_LIFETIME */ +} diff --git a/src/lib/krb5/os/.Sanitize b/src/lib/krb5/os/.Sanitize index cf13ff1..e17c876 100644 --- a/src/lib/krb5/os/.Sanitize +++ b/src/lib/krb5/os/.Sanitize @@ -61,6 +61,7 @@ read_msg.c read_pwd.c realm_dom.c ref_std_conf.out +send524.c sendto_kdc.c sn2princ.c timeofday.c diff --git a/src/lib/krb5/os/ChangeLog b/src/lib/krb5/os/ChangeLog index 51638d9..a5a0dc8 100644 --- a/src/lib/krb5/os/ChangeLog +++ b/src/lib/krb5/os/ChangeLog @@ -1,3 +1,142 @@ +2004-03-22 Ken Raeburn <raeburn@mit.edu> + + * sendto_kdc.c (get_so_error): New function. + (service_tcp_fd): Call it for write fds as well as exception fds. + +2004-02-25 Ken Raeburn <raeburn@mit.edu> + + * sendto_kdc.c (start_connection): Close socket if connect() call + fails for an unexpected reason. + +2004-02-09 Sam Hartman <hartmans@mit.edu> + + * changepw.c (krb5_locate_kpasswd): Run htons on the default port + +2003-12-22 Jeffrey Altman <jaltman@mit.edu> + + * dnssrv.c: wrap within #ifdef KRB5_DNS_LOOKUP to prevent references + to resolver functions when DNS support is not being compiled + +2003-12-18 Jeffrey Altman <jaltman@mit.edu> + + * accessor.c: Add new functions for use by gssapi + +2003-12-12 Tom Yu <tlyu@mit.edu> + + * an_to_ln.c (krb5_aname_to_localname): Don't write one byte past + the end of a string. Found by Christopher Nebergall. + +2003-10-27 Jeffrey Altman <jaltman@mit.edu> + + * sendto_kdc.c: sockets must be closed with closesocket() and + and not close() in order to ensure portability among different + operating systems. + +2003-08-21 Ken Raeburn <raeburn@mit.edu> + + * dnssrv.c: New file; split out DNS SRV RR query support... + * locate_kdc.c: ...from here. Always compile in the calls. + * Makefile.in (STLIBOBJS, OBJS, SRCS): Add it. + +2003-07-25 Ken Raeburn <raeburn@mit.edu> + + * locate_kdc.c (krb5_locate_kdc): Always pass 0 to locate_server + as the get_masters argument. Instead, if get_masters is set, + look up "master_kdc" in the config file instead of "kdc". + +2003-07-09 Alexandra Ellwood <lxs@mit.edu> + + * toffset.c: Export and krb5_set_real_time for Samba. + +2003-06-06 Ken Raeburn <raeburn@mit.edu> + + * locate_kdc.c (struct srv_dns_entry): Moved to k5-int.h. + (krb5int_make_srv_query_realm): Renamed from make_srv_query_realm. + (krb5int_free_srv_dns_data): New function. + (krb5_locate_srv_dns_1): Use it. + + * accessor.c (krb5int_accessor): Fill in make_srv_query_realm and + free_srv_dns_data fields. + +2003-06-05 Ken Raeburn <raeburn@mit.edu> + + * locate_kdc.c (make_srv_query_realm): Punt if strdup fails. + Always return what data we can, even if memory allocation or other + problems prevent us from returning more. + (krb5_locate_srv_dns_1): Always return what data we can. Fix + memory leak. Free up temporary storage as quickly as possible, + while building up address list to return. + +2003-06-03 Ken Raeburn <raeburn@mit.edu> + + * accessor.c (krb5int_accessor): Initialize restored locate_server + field. + + * locate_kdc.c (struct srv_dns_entry): Move to top level. + (make_srv_query_realm): Separate from krb5_locate_srv_dns_1; just + do query and return results. + (krb5_locate_srv_dns_1): Call it, and build addlist entries. + Check for one RR with a target of ".", and return an error. + (krb5_locate_srv_dns): Deleted. + + * t_locate_kdc.c (main): Call krb5_locate_srv_dns_1. + + * changepw.c (krb5_locate_kpasswd): Check specifically for certain + errors before using fallback heuristics. + +2003-06-03 Alexandra Ellwood <lxs@mit.edu> + + * init_os_ctx.c: Included header to get __KLAllowHomeDirectoryAccess(). + +2003-05-27 Ken Raeburn <raeburn@mit.edu> + + * send524.c (krb5int_524_sendto_kdc): Enable support on Windows + always. + +2003-05-24 Ken Raeburn <raeburn@mit.edu> + + * send524.c: New file, moved from krb524/sendmsg.c. Rename + function to have krb5int_ prefix. If KRB5_KRB4_COMPAT not + defined, return an error. + * accessor.c (krb5int_accessor): Update for deleted and added + fields. If KRB5_KRB4_COMPAT is not defined, just use null + pointers for the new fields. + +2003-05-06 Alexandra Ellwood <lxs@mit.edu> + + * init_os_ctx.c: Added support for KLL's __KLAllowHomeDirectoryAccess() + function so that krb4, krb5 and gssapi will not access the user's homedir + if the application forbids it. + +2003-04-28 Sam Hartman <hartmans@mit.edu> + + * changepw.c (krb5_change_set_password): Locate server in realm of + creds.server, not in realm of target principal because target + principal is null in the changepw case. + +2003-04-27 Sam Hartman <hartmans@mit.edu> + + * changepw.c (krb5_change_set_password): Call + krb5_setpw_result_code_string not krb5_setpw_result_code_string + +2003-04-24 Sam Hartman <hartmans@mit.edu> + + * changepw.c (krb5_change_set_password): return error from + auth_con_setaddrs not last socket errno if auth_con_setaddrs fails + +2003-04-15 Sam Hartman <hartmans@mit.edu> + + * changepw.c (krb5_change_set_password): Patches from Paul Nelson + to implement Microsoft set password protocol + (krb5_set_password_using_ccache): Use kadmin/changepw in target realm, not local realm and use a two-component principal + (krb5_change_set_password): Find the kpasswd server for the realm + of the target principal not the client + +2003-04-13 Ken Raeburn <raeburn@mit.edu> + + * read_pwd.c (krb5_read_password): Always free temporary storage + used for verification version of password. + 2003-03-06 Alexandra Ellwood <lxs@mit.edu> * c_ustime.c: Removed Mac OS 9 code. diff --git a/src/lib/krb5/os/Makefile.in b/src/lib/krb5/os/Makefile.in index acd37b2..27431a0 100644 --- a/src/lib/krb5/os/Makefile.in +++ b/src/lib/krb5/os/Makefile.in @@ -18,6 +18,7 @@ STLIBOBJS= \ def_realm.o \ ccdefname.o \ changepw.o \ + dnssrv.o \ free_krbhs.o \ free_hstrl.o \ full_ipadr.o \ @@ -46,6 +47,7 @@ STLIBOBJS= \ read_pwd.o \ realm_dom.o \ realm_iter.o \ + send524.o \ sendto_kdc.o \ sn2princ.o \ timeofday.o \ @@ -61,6 +63,7 @@ OBJS= \ $(OUTPRE)def_realm.$(OBJEXT) \ $(OUTPRE)ccdefname.$(OBJEXT) \ $(OUTPRE)changepw.$(OBJEXT) \ + $(OUTPRE)dnssrv.$(OBJEXT) \ $(OUTPRE)free_krbhs.$(OBJEXT) \ $(OUTPRE)free_hstrl.$(OBJEXT) \ $(OUTPRE)full_ipadr.$(OBJEXT) \ @@ -89,6 +92,7 @@ OBJS= \ $(OUTPRE)read_pwd.$(OBJEXT) \ $(OUTPRE)realm_dom.$(OBJEXT) \ $(OUTPRE)realm_iter.$(OBJEXT) \ + $(OUTPRE)send524.$(OBJEXT) \ $(OUTPRE)sendto_kdc.$(OBJEXT) \ $(OUTPRE)sn2princ.$(OBJEXT) \ $(OUTPRE)timeofday.$(OBJEXT) \ @@ -104,6 +108,7 @@ SRCS= \ $(srcdir)/def_realm.c \ $(srcdir)/ccdefname.c \ $(srcdir)/changepw.c \ + $(srcdir)/dnssrv.c \ $(srcdir)/free_krbhs.c \ $(srcdir)/free_hstrl.c \ $(srcdir)/full_ipadr.c \ @@ -132,6 +137,7 @@ SRCS= \ $(srcdir)/realm_dom.c \ $(srcdir)/realm_iter.c \ $(srcdir)/port2ip.c \ + $(srcdir)/send524.c \ $(srcdir)/sendto_kdc.c \ $(srcdir)/sn2princ.c \ $(srcdir)/timeofday.c \ @@ -235,210 +241,235 @@ clean:: # accessor.so accessor.po $(OUTPRE)accessor.$(OBJEXT): accessor.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h os-proto.h + os-proto.h an_to_ln.so an_to_ln.po $(OUTPRE)an_to_ln.$(OBJEXT): an_to_ln.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h c_ustime.so c_ustime.po $(OUTPRE)c_ustime.$(OBJEXT): c_ustime.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h def_realm.so def_realm.po $(OUTPRE)def_realm.$(OBJEXT): def_realm.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h os-proto.h + os-proto.h ccdefname.so ccdefname.po $(OUTPRE)ccdefname.$(OBJEXT): ccdefname.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h changepw.so changepw.po $(OUTPRE)changepw.$(OBJEXT): changepw.c $(SRCTOP)/include/fake-addrinfo.h \ $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-int.h \ - $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-platform.h \ + $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/krb5/kdb.h os-proto.h +dnssrv.so dnssrv.po $(OUTPRE)dnssrv.$(OBJEXT): dnssrv.c $(SRCTOP)/include/k5-int.h \ + $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ os-proto.h free_krbhs.so free_krbhs.po $(OUTPRE)free_krbhs.$(OBJEXT): free_krbhs.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h free_hstrl.so free_hstrl.po $(OUTPRE)free_hstrl.$(OBJEXT): free_hstrl.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h full_ipadr.so full_ipadr.po $(OUTPRE)full_ipadr.$(OBJEXT): full_ipadr.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h os-proto.h + os-proto.h get_krbhst.so get_krbhst.po $(OUTPRE)get_krbhst.$(OBJEXT): get_krbhst.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h gen_port.so gen_port.po $(OUTPRE)gen_port.$(OBJEXT): gen_port.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h os-proto.h + os-proto.h genaddrs.so genaddrs.po $(OUTPRE)genaddrs.$(OBJEXT): genaddrs.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h os-proto.h + os-proto.h gen_rname.so gen_rname.po $(OUTPRE)gen_rname.$(OBJEXT): gen_rname.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h os-proto.h + os-proto.h gmt_mktime.so gmt_mktime.po $(OUTPRE)gmt_mktime.$(OBJEXT): gmt_mktime.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h hostaddr.so hostaddr.po $(OUTPRE)hostaddr.$(OBJEXT): hostaddr.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(SRCTOP)/include/fake-addrinfo.h + $(SRCTOP)/include/fake-addrinfo.h hst_realm.so hst_realm.po $(OUTPRE)hst_realm.$(OBJEXT): hst_realm.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h os-proto.h $(SRCTOP)/include/fake-addrinfo.h + os-proto.h $(SRCTOP)/include/fake-addrinfo.h init_os_ctx.so init_os_ctx.po $(OUTPRE)init_os_ctx.$(OBJEXT): init_os_ctx.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h os-proto.h + os-proto.h krbfileio.so krbfileio.po $(OUTPRE)krbfileio.$(OBJEXT): krbfileio.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h ktdefname.so ktdefname.po $(OUTPRE)ktdefname.$(OBJEXT): ktdefname.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h kuserok.so kuserok.po $(OUTPRE)kuserok.$(OBJEXT): kuserok.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h mk_faddr.so mk_faddr.po $(OUTPRE)mk_faddr.$(OBJEXT): mk_faddr.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h os-proto.h + os-proto.h localaddr.so localaddr.po $(OUTPRE)localaddr.$(OBJEXT): localaddr.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(SRCTOP)/include/foreachaddr.c + $(SRCTOP)/include/foreachaddr.c locate_kdc.so locate_kdc.po $(OUTPRE)locate_kdc.$(OBJEXT): locate_kdc.c $(SRCTOP)/include/fake-addrinfo.h \ $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-int.h \ - $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - os-proto.h + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-platform.h \ + $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/krb5/kdb.h os-proto.h lock_file.so lock_file.po $(OUTPRE)lock_file.$(OBJEXT): lock_file.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h net_read.so net_read.po $(OUTPRE)net_read.$(OBJEXT): net_read.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h net_write.so net_write.po $(OUTPRE)net_write.$(OBJEXT): net_write.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h osconfig.so osconfig.po $(OUTPRE)osconfig.$(OBJEXT): osconfig.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h prompter.so prompter.po $(OUTPRE)prompter.$(OBJEXT): prompter.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h promptusr.so promptusr.po $(OUTPRE)promptusr.$(OBJEXT): promptusr.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h read_msg.so read_msg.po $(OUTPRE)read_msg.$(OBJEXT): read_msg.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h read_pwd.so read_pwd.po $(OUTPRE)read_pwd.$(OBJEXT): read_pwd.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h realm_dom.so realm_dom.po $(OUTPRE)realm_dom.$(OBJEXT): realm_dom.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h realm_iter.so realm_iter.po $(OUTPRE)realm_iter.$(OBJEXT): realm_iter.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h port2ip.so port2ip.po $(OUTPRE)port2ip.$(OBJEXT): port2ip.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h os-proto.h + os-proto.h +send524.so send524.po $(OUTPRE)send524.$(OBJEXT): send524.c $(SRCTOP)/include/fake-addrinfo.h \ + $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-platform.h \ + $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/krb5/kdb.h os-proto.h sendto_kdc.so sendto_kdc.po $(OUTPRE)sendto_kdc.$(OBJEXT): sendto_kdc.c $(SRCTOP)/include/fake-addrinfo.h \ $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-int.h \ - $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - os-proto.h $(SRCTOP)/include/cm.h + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/k5-platform.h \ + $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ + $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ + $(SRCTOP)/include/krb5/kdb.h os-proto.h $(SRCTOP)/include/cm.h sn2princ.so sn2princ.po $(OUTPRE)sn2princ.$(OBJEXT): sn2princ.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h $(SRCTOP)/include/fake-addrinfo.h + $(SRCTOP)/include/fake-addrinfo.h timeofday.so timeofday.po $(OUTPRE)timeofday.$(OBJEXT): timeofday.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h toffset.so toffset.po $(OUTPRE)toffset.$(OBJEXT): toffset.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h unlck_file.so unlck_file.po $(OUTPRE)unlck_file.$(OBJEXT): unlck_file.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h ustime.so ustime.po $(OUTPRE)ustime.$(OBJEXT): ustime.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h write_msg.so write_msg.po $(OUTPRE)write_msg.$(OBJEXT): write_msg.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h diff --git a/src/lib/krb5/os/accessor.c b/src/lib/krb5/os/accessor.c index 509d317..4e907b1 100644 --- a/src/lib/krb5/os/accessor.c +++ b/src/lib/krb5/os/accessor.c @@ -35,18 +35,32 @@ krb5int_accessor(krb5int_access *internals, krb5_int32 version) if (version == KRB5INT_ACCESS_VERSION) { krb5int_access internals_temp; - internals_temp.krb5_locate_server = krb5int_locate_server; - internals_temp.krb5_locate_kdc = krb5_locate_kdc; internals_temp.free_addrlist = krb5int_free_addrlist; - internals_temp.krb5_max_skdc_timeout = krb5_max_skdc_timeout; - internals_temp.krb5_skdc_timeout_shift = krb5_skdc_timeout_shift; - internals_temp.krb5_skdc_timeout_1 = krb5_skdc_timeout_1; - internals_temp.krb5_max_dgram_size = krb5_max_dgram_size; internals_temp.krb5_hmac = krb5_hmac; internals_temp.md5_hash_provider = &krb5int_hash_md5; internals_temp.arcfour_enc_provider = &krb5int_enc_arcfour; + internals_temp.locate_server = &krb5int_locate_server; internals_temp.sendto_udp = &krb5int_sendto; internals_temp.add_host_to_list = krb5int_add_host_to_list; +#ifdef KRB5_DNS_LOOKUP + internals_temp.make_srv_query_realm = krb5int_make_srv_query_realm; + internals_temp.free_srv_dns_data = krb5int_free_srv_dns_data; +#else + internals_temp.make_srv_query_realm = 0; + internals_temp.free_srv_dns_data = 0; +#endif +#ifdef KRB5_KRB4_COMPAT + internals_temp.krb_life_to_time = krb5int_krb_life_to_time; + internals_temp.krb_time_to_life = krb5int_krb_time_to_life; + internals_temp.krb524_encode_v4tkt = krb5int_encode_v4tkt; +#else + internals_temp.krb_life_to_time = 0; + internals_temp.krb_time_to_life = 0; + internals_temp.krb524_encode_v4tkt = 0; +#endif + internals_temp.krb5int_c_mandatory_cksumtype = krb5int_c_mandatory_cksumtype; + internals_temp.krb5_ser_pack_int64 = krb5_ser_pack_int64; + internals_temp.krb5_ser_unpack_int64 = krb5_ser_unpack_int64; *internals = internals_temp; return 0; } diff --git a/src/lib/krb5/os/an_to_ln.c b/src/lib/krb5/os/an_to_ln.c index 426399e..c42b821 100644 --- a/src/lib/krb5/os/an_to_ln.c +++ b/src/lib/krb5/os/an_to_ln.c @@ -643,7 +643,7 @@ krb5_aname_to_localname(krb5_context context, krb5_const_principal aname, const const char *hierarchy[5]; char **mapping_values; int i, nvalid; - char *cp; + char *cp, *s; char *typep, *argp; unsigned int lnsize; @@ -677,11 +677,14 @@ krb5_aname_to_localname(krb5_context context, krb5_const_principal aname, const /* Just use the last one. */ /* Trim the value. */ - cp = &mapping_values[nvalid-1] - [strlen(mapping_values[nvalid-1])]; - while (isspace((int) (*cp))) cp--; - cp++; - *cp = '\0'; + s = mapping_values[nvalid-1]; + cp = s + strlen(s); + while (cp > s) { + cp--; + if (!isspace((int)(*cp))) + break; + *cp = '\0'; + } /* Copy out the value if there's enough room */ if (strlen(mapping_values[nvalid-1])+1 <= (size_t) lnsize) diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c index 60cb3a9..df558b6 100644 --- a/src/lib/krb5/os/changepw.c +++ b/src/lib/krb5/os/changepw.c @@ -24,6 +24,10 @@ * or implied warranty. * */ +/* + * krb5_set_password - Implements set password per RFC 3244 + * Added by Paul W. Nelson, Thursby Software Systems, Inc. + */ #define NEED_SOCKETS #include "fake-addrinfo.h" @@ -49,8 +53,8 @@ krb5_locate_kpasswd(krb5_context context, const krb5_data *realm, code = krb5int_locate_server (context, realm, addrlist, 0, "kpasswd_server", "_kpasswd", 0, - DEFAULT_KPASSWD_PORT, 0, 0); - if (code) { + htons(DEFAULT_KPASSWD_PORT), 0, 0); + if (code == KRB5_REALM_CANT_RESOLVE || code == KRB5_REALM_UNKNOWN) { code = krb5int_locate_server (context, realm, addrlist, 0, "admin_server", "_kerberos-adm", 1, DEFAULT_KPASSWD_PORT, 0, 0); @@ -69,8 +73,16 @@ krb5_locate_kpasswd(krb5_context context, const krb5_data *realm, } +/* +** The logic for setting and changing a password is mostly the same +** krb5_change_set_password handles both cases +** if set_password_for is NULL, then a password change is performed, +** otherwise, the password is set for the principal indicated in set_password_for +*/ krb5_error_code KRB5_CALLCONV -krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw, int *result_code, krb5_data *result_code_string, krb5_data *result_string) +krb5_change_set_password( + krb5_context context, krb5_creds *creds, char *newpw, krb5_principal set_password_for, + int *result_code, krb5_data *result_code_string, krb5_data *result_string) { krb5_auth_context auth_context; krb5_data ap_req, chpw_req, chpw_rep; @@ -104,7 +116,7 @@ krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw, int * goto cleanup; if ((code = krb5_locate_kpasswd(context, - krb5_princ_realm(context, creds->client), + krb5_princ_realm(context, creds->server), &al))) goto cleanup; @@ -218,14 +230,15 @@ krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw, int * if ((code = krb5_auth_con_setaddrs(context, auth_context, &local_kaddr, NULL))) { - code = SOCKET_ERRNO; - goto cleanup; + goto cleanup; } - if ((code = krb5_mk_chpw_req(context, auth_context, &ap_req, - newpw, &chpw_req))) + if( set_password_for ) + code = krb5int_mk_setpw_req(context, auth_context, &ap_req, set_password_for, newpw, &chpw_req); + else + code = krb5int_mk_chpw_req(context, auth_context, &ap_req, newpw, &chpw_req); + if (code) { - code = SOCKET_ERRNO; goto cleanup; } @@ -289,19 +302,23 @@ krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw, int * NULL, &remote_kaddr))) goto cleanup; - if ((code = krb5_rd_chpw_rep(context, auth_context, &chpw_rep, - &local_result_code, - result_string))) - goto cleanup; + if( set_password_for ) + code = krb5int_rd_setpw_rep(context, auth_context, &chpw_rep, &local_result_code, result_string); + else + code = krb5int_rd_chpw_rep(context, auth_context, &chpw_rep, &local_result_code, result_string); + if (code) + goto cleanup; if (result_code) *result_code = local_result_code; if (result_code_string) { - if ((code = krb5_chpw_result_code_string(context, - local_result_code, - &code_string))) - goto cleanup; + if( set_password_for ) + code = krb5int_setpw_result_code_string(context, local_result_code, (const char **)&code_string); + else + code = krb5_chpw_result_code_string(context, local_result_code, &code_string); + if(code) + goto cleanup; result_code_string->length = strlen(code_string); result_code_string->data = malloc(result_code_string->length); @@ -343,3 +360,71 @@ cleanup: return(code); } + +krb5_error_code KRB5_CALLCONV +krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw, int *result_code, krb5_data *result_code_string, krb5_data *result_string) +{ + return krb5_change_set_password( + context, creds, newpw, NULL, result_code, result_code_string, result_string ); +} + +/* + * krb5_set_password - Implements set password per RFC 3244 + * + */ + +krb5_error_code KRB5_CALLCONV +krb5_set_password( + krb5_context context, + krb5_creds *creds, + char *newpw, + krb5_principal change_password_for, + int *result_code, krb5_data *result_code_string, krb5_data *result_string + ) +{ + return krb5_change_set_password( + context, creds, newpw, change_password_for, result_code, result_code_string, result_string ); +} + +krb5_error_code KRB5_CALLCONV +krb5_set_password_using_ccache( + krb5_context context, + krb5_ccache ccache, + char *newpw, + krb5_principal change_password_for, + int *result_code, krb5_data *result_code_string, krb5_data *result_string + ) +{ + krb5_creds creds; + krb5_creds *credsp; + krb5_error_code code; + +/* +** get the proper creds for use with krb5_set_password - +*/ + memset( &creds, 0, sizeof(creds) ); +/* +** first get the principal for the password service - +*/ + code = krb5_cc_get_principal( context, ccache, &creds.client ); + if( !code ) + { + code = krb5_build_principal( context, &creds.server, + krb5_princ_realm(context, change_password_for)->length, + krb5_princ_realm(context, change_password_for)->data, + "kadmin", "changepw", NULL ); + if(!code) + { + code = krb5_get_credentials(context, 0, ccache, &creds, &credsp); + if( ! code ) + { + code = krb5_set_password(context, credsp, newpw, change_password_for, + result_code, result_code_string, + result_string); + krb5_free_creds(context, credsp); + } + } + krb5_free_cred_contents(context, &creds); + } + return code; +} diff --git a/src/lib/krb5/os/dnssrv.c b/src/lib/krb5/os/dnssrv.c new file mode 100644 index 0000000..1c1586a --- /dev/null +++ b/src/lib/krb5/os/dnssrv.c @@ -0,0 +1,273 @@ +/* + * lib/krb5/os/dnssrv.c + * + * Copyright 1990,2000,2001,2002,2003 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * do DNS SRV RR queries + */ + +#ifdef KRB5_DNS_LOOKUP +#define NEED_SOCKETS +#include "k5-int.h" +#include "os-proto.h" +#include <stdio.h> +#ifdef WSHELPER +#include <wshelper.h> +#else /* WSHELPER */ +#include <arpa/inet.h> +#include <arpa/nameser.h> +#include <resolv.h> +#include <netdb.h> +#endif /* WSHELPER */ +#ifndef T_SRV +#define T_SRV 33 +#endif /* T_SRV */ + +/* for old Unixes and friends ... */ +#ifndef MAXHOSTNAMELEN +#define MAXHOSTNAMELEN 64 +#endif + +#define MAX_DNS_NAMELEN (15*(MAXHOSTNAMELEN + 1)+1) + +/* + * Lookup a KDC via DNS SRV records + */ + +void krb5int_free_srv_dns_data (struct srv_dns_entry *p) +{ + struct srv_dns_entry *next; + while (p) { + next = p->next; + free(p->host); + free(p); + p = next; + } +} + +/* Do DNS SRV query, return results in *answers. + + Make best effort to return all the data we can. On memory or + decoding errors, just return what we've got. Always return 0, + currently. */ + +krb5_error_code +krb5int_make_srv_query_realm(const krb5_data *realm, + const char *service, + const char *protocol, + struct srv_dns_entry **answers) +{ + union { + unsigned char bytes[2048]; + HEADER hdr; + } answer; + unsigned char *p=NULL; + char host[MAX_DNS_NAMELEN], *h; + int type, rrclass; + int priority, weight, size, len, numanswers, numqueries, rdlen; + unsigned short port; + const int hdrsize = sizeof(HEADER); + + struct srv_dns_entry *head = NULL; + struct srv_dns_entry *srv = NULL, *entry = NULL; + + /* + * First off, build a query of the form: + * + * service.protocol.realm + * + * which will most likely be something like: + * + * _kerberos._udp.REALM + * + */ + + if (memchr(realm->data, 0, realm->length)) + return 0; + if ( strlen(service) + strlen(protocol) + realm->length + 6 + > MAX_DNS_NAMELEN ) + return 0; + sprintf(host, "%s.%s.%.*s", service, protocol, (int) realm->length, + realm->data); + + /* Realm names don't (normally) end with ".", but if the query + doesn't end with "." and doesn't get an answer as is, the + resolv code will try appending the local domain. Since the + realm names are absolutes, let's stop that. + + But only if a name has been specified. If we are performing + a search on the prefix alone then the intention is to allow + the local domain or domain search lists to be expanded. */ + + h = host + strlen (host); + if ((h[-1] != '.') && ((h - host + 1) < sizeof(host))) + strcpy (h, "."); + +#ifdef TEST + fprintf (stderr, "sending DNS SRV query for %s\n", host); +#endif + + size = res_search(host, C_IN, T_SRV, answer.bytes, sizeof(answer.bytes)); + + if ((size < hdrsize) || (size > sizeof(answer.bytes))) + goto out; + + /* + * We got an answer! First off, parse the header and figure out how + * many answers we got back. + */ + + p = answer.bytes; + + numqueries = ntohs(answer.hdr.qdcount); + numanswers = ntohs(answer.hdr.ancount); + + p += sizeof(HEADER); + + /* + * We need to skip over all of the questions, so we have to iterate + * over every query record. dn_expand() is able to tell us the size + * of compress DNS names, so we use it. + */ + +#define INCR_CHECK(x,y) x += y; if (x > size + answer.bytes) goto out +#define CHECK(x,y) if (x + y > size + answer.bytes) goto out +#define NTOHSP(x,y) x[0] << 8 | x[1]; x += y + + while (numqueries--) { + len = dn_expand(answer.bytes, answer.bytes + size, p, host, sizeof(host)); + if (len < 0) + goto out; + INCR_CHECK(p, len + 4); + } + + /* + * We're now pointing at the answer records. Only process them if + * they're actually T_SRV records (they might be CNAME records, + * for instance). + * + * But in a DNS reply, if you get a CNAME you always get the associated + * "real" RR for that CNAME. RFC 1034, 3.6.2: + * + * CNAME RRs cause special action in DNS software. When a name server + * fails to find a desired RR in the resource set associated with the + * domain name, it checks to see if the resource set consists of a CNAME + * record with a matching class. If so, the name server includes the CNAME + * record in the response and restarts the query at the domain name + * specified in the data field of the CNAME record. The one exception to + * this rule is that queries which match the CNAME type are not restarted. + * + * In other words, CNAMEs do not need to be expanded by the client. + */ + + while (numanswers--) { + + /* First is the name; use dn_expand to get the compressed size */ + len = dn_expand(answer.bytes, answer.bytes + size, p, host, sizeof(host)); + if (len < 0) + goto out; + INCR_CHECK(p, len); + + /* Next is the query type */ + CHECK(p, 2); + type = NTOHSP(p,2); + + /* Next is the query class; also skip over 4 byte TTL */ + CHECK(p, 6); + rrclass = NTOHSP(p,6); + + /* Record data length */ + + CHECK(p,2); + rdlen = NTOHSP(p,2); + + /* + * If this is an SRV record, process it. Record format is: + * + * Priority + * Weight + * Port + * Server name + */ + + if (rrclass == C_IN && type == T_SRV) { + CHECK(p,2); + priority = NTOHSP(p,2); + CHECK(p, 2); + weight = NTOHSP(p,2); + CHECK(p, 2); + port = NTOHSP(p,2); + len = dn_expand(answer.bytes, answer.bytes + size, p, host, sizeof(host)); + if (len < 0) + goto out; + INCR_CHECK(p, len); + + /* + * We got everything! Insert it into our list, but make sure + * it's in the right order. Right now we don't do anything + * with the weight field + */ + + srv = (struct srv_dns_entry *) malloc(sizeof(struct srv_dns_entry)); + if (srv == NULL) + goto out; + + srv->priority = priority; + srv->weight = weight; + srv->port = port; + srv->host = strdup(host); + if (srv->host == NULL) { + free(srv); + goto out; + } + + if (head == NULL || head->priority > srv->priority) { + srv->next = head; + head = srv; + } else + /* + * This is confusing. Only insert an entry into this + * spot if: + * The next person has a higher priority (lower priorities + * are preferred). + * Or + * There is no next entry (we're at the end) + */ + for (entry = head; entry != NULL; entry = entry->next) + if ((entry->next && + entry->next->priority > srv->priority) || + entry->next == NULL) { + srv->next = entry->next; + entry->next = srv; + break; + } + } else + INCR_CHECK(p, rdlen); + } + + out: + *answers = head; + return 0; +} +#endif diff --git a/src/lib/krb5/os/init_os_ctx.c b/src/lib/krb5/os/init_os_ctx.c index eb2321d..c43771d 100644 --- a/src/lib/krb5/os/init_os_ctx.c +++ b/src/lib/krb5/os/init_os_ctx.c @@ -31,6 +31,10 @@ #include "k5-int.h" #include "os-proto.h" +#ifdef USE_LOGIN_LIBRARY +#include "KerberosLoginPrivate.h" +#endif + #if defined(_WIN32) static krb5_error_code @@ -234,8 +238,14 @@ os_get_default_config_files(profile_filespec_t **pfiles, krb5_boolean secure) unsigned int ent_len; const char *s, *t; +#ifdef USE_LOGIN_LIBRARY + /* If __KLAllowHomeDirectoryAccess() == FALSE, we are probably + trying to authenticate to a fileserver for the user's homedir. */ + if (secure || !__KLAllowHomeDirectoryAccess ()) { +#else if (secure) { - filepath = DEFAULT_SECURE_PROFILE_PATH; +#endif + filepath = DEFAULT_SECURE_PROFILE_PATH; } else { filepath = getenv("KRB5_CONFIG"); if (!filepath) filepath = DEFAULT_PROFILE_PATH; diff --git a/src/lib/krb5/os/locate_kdc.c b/src/lib/krb5/os/locate_kdc.c index 9c9fed4..ce90127 100644 --- a/src/lib/krb5/os/locate_kdc.c +++ b/src/lib/krb5/os/locate_kdc.c @@ -502,12 +502,6 @@ krb5_locate_srv_conf(krb5_context context, const krb5_data *realm, } #endif -#ifdef KRB5_DNS_LOOKUP - -/* - * Lookup a KDC via DNS SRV records - */ - static krb5_error_code krb5_locate_srv_dns_1 (const krb5_data *realm, const char *service, @@ -515,196 +509,14 @@ krb5_locate_srv_dns_1 (const krb5_data *realm, struct addrlist *addrlist, int family) { - union { - unsigned char bytes[2048]; - HEADER hdr; - } answer; - unsigned char *p=NULL; - char host[MAX_DNS_NAMELEN], *h; - int type, rrclass; - int priority, weight, size, len, numanswers, numqueries, rdlen; - unsigned short port; - const int hdrsize = sizeof(HEADER); - struct srv_dns_entry { - struct srv_dns_entry *next; - int priority; - int weight; - unsigned short port; - char *host; - }; - struct srv_dns_entry *head = NULL; - struct srv_dns_entry *srv = NULL, *entry = NULL; + struct srv_dns_entry *entry = NULL, *next; krb5_error_code code = 0; - /* - * First off, build a query of the form: - * - * service.protocol.realm - * - * which will most likely be something like: - * - * _kerberos._udp.REALM - * - */ - - if ( strlen(service) + strlen(protocol) + realm->length + 6 - > MAX_DNS_NAMELEN ) - goto out; - sprintf(host, "%s.%s.%.*s", service, protocol, (int) realm->length, - realm->data); - - /* Realm names don't (normally) end with ".", but if the query - doesn't end with "." and doesn't get an answer as is, the - resolv code will try appending the local domain. Since the - realm names are absolutes, let's stop that. - - But only if a name has been specified. If we are performing - a search on the prefix alone then the intention is to allow - the local domain or domain search lists to be expanded. */ - - h = host + strlen (host); - if ((h > host) && (h[-1] != '.') && ((h - host + 1) < sizeof(host))) - strcpy (h, "."); - -#ifdef TEST - fprintf (stderr, "sending DNS SRV query for %s\n", host); -#endif - - size = res_search(host, C_IN, T_SRV, answer.bytes, sizeof(answer.bytes)); - - if ((size < hdrsize) || (size > sizeof(answer.bytes))) - goto out; - - /* - * We got an answer! First off, parse the header and figure out how - * many answers we got back. - */ - - p = answer.bytes; - - numqueries = ntohs(answer.hdr.qdcount); - numanswers = ntohs(answer.hdr.ancount); - - p += sizeof(HEADER); - - /* - * We need to skip over all of the questions, so we have to iterate - * over every query record. dn_expand() is able to tell us the size - * of compress DNS names, so we use it. - */ - -#define INCR_CHECK(x,y) x += y; if (x > size + answer.bytes) goto out -#define CHECK(x,y) if (x + y > size + answer.bytes) goto out -#define NTOHSP(x,y) x[0] << 8 | x[1]; x += y - - while (numqueries--) { - len = dn_expand(answer.bytes, answer.bytes + size, p, host, sizeof(host)); - if (len < 0) - goto out; - INCR_CHECK(p, len + 4); - } - - /* - * We're now pointing at the answer records. Only process them if - * they're actually T_SRV records (they might be CNAME records, - * for instance). - * - * But in a DNS reply, if you get a CNAME you always get the associated - * "real" RR for that CNAME. RFC 1034, 3.6.2: - * - * CNAME RRs cause special action in DNS software. When a name server - * fails to find a desired RR in the resource set associated with the - * domain name, it checks to see if the resource set consists of a CNAME - * record with a matching class. If so, the name server includes the CNAME - * record in the response and restarts the query at the domain name - * specified in the data field of the CNAME record. The one exception to - * this rule is that queries which match the CNAME type are not restarted. - * - * In other words, CNAMEs do not need to be expanded by the client. - */ - - while (numanswers--) { - - /* First is the name; use dn_expand to get the compressed size */ - len = dn_expand(answer.bytes, answer.bytes + size, p, host, sizeof(host)); - if (len < 0) - goto out; - INCR_CHECK(p, len); - - /* Next is the query type */ - CHECK(p, 2); - type = NTOHSP(p,2); - - /* Next is the query class; also skip over 4 byte TTL */ - CHECK(p, 6); - rrclass = NTOHSP(p,6); - - /* Record data length */ - - CHECK(p,2); - rdlen = NTOHSP(p,2); - - /* - * If this is an SRV record, process it. Record format is: - * - * Priority - * Weight - * Port - * Server name - */ + code = krb5int_make_srv_query_realm(realm, service, protocol, &head); + if (code) + return 0; - if (rrclass == C_IN && type == T_SRV) { - CHECK(p,2); - priority = NTOHSP(p,2); - CHECK(p, 2); - weight = NTOHSP(p,2); - CHECK(p, 2); - port = NTOHSP(p,2); - len = dn_expand(answer.bytes, answer.bytes + size, p, host, sizeof(host)); - if (len < 0) - goto out; - INCR_CHECK(p, len); - - /* - * We got everything! Insert it into our list, but make sure - * it's in the right order. Right now we don't do anything - * with the weight field - */ - - srv = (struct srv_dns_entry *) malloc(sizeof(struct srv_dns_entry)); - if (srv == NULL) - goto out; - - srv->priority = priority; - srv->weight = weight; - srv->port = port; - srv->host = strdup(host); - - if (head == NULL || head->priority > srv->priority) { - srv->next = head; - head = srv; - } else - /* - * This is confusing. Only insert an entry into this - * spot if: - * The next person has a higher priority (lower priorities - * are preferred). - * Or - * There is no next entry (we're at the end) - */ - for (entry = head; entry != NULL; entry = entry->next) - if ((entry->next && - entry->next->priority > srv->priority) || - entry->next == NULL) { - srv->next = entry->next; - entry->next = srv; - break; - } - } else - INCR_CHECK(p, rdlen); - } - /* * Okay! Now we've got a linked list of entries sorted by * priority. Start looking up A records and returning @@ -712,53 +524,44 @@ krb5_locate_srv_dns_1 (const krb5_data *realm, */ if (head == NULL) - goto out; + return 0; + + /* Check for the "." case indicating no support. */ + if (head->next == 0 && head->host[0] == 0) { + free(head->host); + free(head); + return KRB5_ERR_NO_SERVICE; + } #ifdef TEST fprintf (stderr, "walking answer list:\n"); #endif - for (entry = head; entry != NULL; entry = entry->next) { + for (entry = head; entry != NULL; entry = next) { #ifdef TEST fprintf (stderr, "\tport=%d host=%s\n", entry->port, entry->host); #endif + next = entry->next; code = add_host_to_list (addrlist, entry->host, htons (entry->port), 0, (strcmp("_tcp", protocol) ? SOCK_DGRAM : SOCK_STREAM), family); if (code) break; + if (entry == head) { + free(entry->host); + free(entry); + head = next; + entry = 0; + } } #ifdef TEST fprintf (stderr, "[end]\n"); #endif - for (entry = head; entry != NULL; ) { - free(entry->host); - entry->host = NULL; - srv = entry; - entry = entry->next; - free(srv); - srv = NULL; - } - - out: - if (srv) - free(srv); - + krb5int_free_srv_dns_data(head); return code; } -#ifdef TEST -static krb5_error_code -krb5_locate_srv_dns(const krb5_data *realm, - const char *service, const char *protocol, - struct addrlist *al) -{ - return krb5_locate_srv_dns_1 (realm, service, protocol, al, 0); -} -#endif -#endif /* KRB5_DNS_LOOKUP */ - /* * Wrapper function for the two backends */ @@ -852,7 +655,8 @@ krb5_locate_kdc(krb5_context context, const krb5_data *realm, sec_udpport = 0; } - return krb5int_locate_server(context, realm, addrlist, get_masters, "kdc", + return krb5int_locate_server(context, realm, addrlist, 0, + get_masters ? "master_kdc" : "kdc", (get_masters ? "_kerberos-master" : "_kerberos"), diff --git a/src/lib/krb5/os/read_pwd.c b/src/lib/krb5/os/read_pwd.c index 9023b8e..1bb631c 100644 --- a/src/lib/krb5/os/read_pwd.c +++ b/src/lib/krb5/os/read_pwd.c @@ -64,15 +64,12 @@ krb5_read_password(krb5_context context, const char *prompt, const char *prompt2 return ENOMEM; retval = krb5_prompter_posix(NULL, NULL,NULL, NULL, 1, &k5prompt); - if (retval) { - free(verify_data.data); - } else { + if (retval == 0) { /* compare */ - if (strncmp(return_pwd, (char *)verify_data.data, *size_return)) { + if (strncmp(return_pwd, (char *)verify_data.data, *size_return)) retval = KRB5_LIBOS_BADPWDMATCH; - free(verify_data.data); - } } + free(verify_data.data); } if (!retval) *size_return = k5prompt.reply->length; diff --git a/src/lib/krb5/os/send524.c b/src/lib/krb5/os/send524.c new file mode 100644 index 0000000..0ca8e93 --- /dev/null +++ b/src/lib/krb5/os/send524.c @@ -0,0 +1,111 @@ +/* + * Copyright 1990,1991,1997 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * Send a packet to a service and await a reply, using an exponential + * backoff retry algorithm. This is based on krb5_sendto_kdc. + */ + +/* Grab socket stuff. This might want to go away later. */ +#define NEED_SOCKETS +#define NEED_LOWLEVEL_IO +#include "fake-addrinfo.h" /* for custom addrinfo if needed */ +#include "k5-int.h" + +#ifndef _WIN32 +#include <unistd.h> +#include <sys/time.h> +#endif + +#include <stdlib.h> +#include <string.h> + +#include "os-proto.h" + +/* + * krb524_sendto_kdc: + * + * A slightly modified version of krb5_sendto_kdc. + * + * send the formatted request 'message' to a KDC for realm 'realm' and + * return the response (if any) in 'reply'. + * + * If the message is sent and a response is received, 0 is returned, + * otherwise an error code is returned. + * + * The storage for 'reply' is allocated and should be freed by the caller + * when finished. + */ + +krb5_error_code +krb5int_524_sendto_kdc (context, message, realm, reply, addr, addrlen) + krb5_context context; + const krb5_data * message; + const krb5_data * realm; + krb5_data * reply; + struct sockaddr *addr; + socklen_t *addrlen; +{ +#if defined(KRB5_KRB4_COMPAT) || defined(_WIN32) /* yuck! */ + int i; + struct addrlist al = ADDRLIST_INIT; + struct servent *serv; + krb5_error_code retval; + int port; + + /* + * find KDC location(s) for realm + */ + + serv = getservbyname(KRB524_SERVICE, "udp"); + port = serv ? serv->s_port : htons (KRB524_PORT); + + retval = krb5int_locate_server(context, realm, &al, 0, + "krb524_server", "_krb524", + SOCK_DGRAM, port, + 0, PF_INET); + if (retval == KRB5_REALM_CANT_RESOLVE || retval == KRB5_REALM_UNKNOWN) { + /* Fallback heuristic: Assume krb524 port on every KDC might + work. */ + retval = krb5_locate_kdc(context, realm, &al, 0, SOCK_DGRAM, PF_INET); + /* + * Bash the ports numbers. + */ + if (retval == 0) + for (i = 0; i < al.naddrs; i++) { + al.addrs[i]->ai_socktype = SOCK_DGRAM; + if (al.addrs[i]->ai_family == AF_INET) + sa2sin (al.addrs[i]->ai_addr)->sin_port = port; + } + } + if (retval) + return retval; + if (al.naddrs == 0) + return KRB5_REALM_UNKNOWN; + + retval = krb5int_sendto (context, message, &al, reply, addr, addrlen); + krb5int_free_addrlist (&al); + return retval; +#else + return KRB524_KRB4_DISABLED; +#endif +} diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c index 0f5b9f2..1b336a6 100644 --- a/src/lib/krb5/os/sendto_kdc.c +++ b/src/lib/krb5/os/sendto_kdc.c @@ -562,6 +562,7 @@ start_connection (struct conn_state *state, struct select_state *selstate) state->state = CONNECTING; } else { dprint("connect failed: %m\n", SOCKET_ERRNO); + (void) closesocket(fd); state->err = SOCKET_ERRNO; state->state = FAILED; return -2; @@ -677,6 +678,25 @@ kill_conn(struct conn_state *conn, struct select_state *selstate, int err) selstate->nfds--; } +/* Check socket for error. */ +static int +get_so_error(int fd) +{ + int e, sockerr; + socklen_t sockerrlen; + + sockerr = 0; + sockerrlen = sizeof(sockerr); + e = getsockopt(fd, SOL_SOCKET, SO_ERROR, &sockerr, &sockerrlen); + if (e != 0) { + /* What to do now? */ + e = SOCKET_ERRNO; + dprint("getsockopt(SO_ERROR) on fd failed: %m\n", e); + return e; + } + return sockerr; +} + /* Return nonzero only if we're finished and the caller should exit its loop. This happens in two cases: We have a complete message, or the socket has closed and no others are open. */ @@ -706,35 +726,29 @@ service_tcp_fd (struct conn_state *conn, struct select_state *selstate, return e == 0; } if (ssflags & SSF_EXCEPTION) { -#ifdef DEBUG - int sockerr; - socklen_t sockerrlen; -#endif handle_exception: -#ifdef DEBUG - sockerrlen = sizeof(sockerr); - e = getsockopt(conn->fd, SOL_SOCKET, SO_ERROR, - &sockerr, &sockerrlen); - if (e != 0) { - /* What to do now? */ - e = SOCKET_ERRNO; - dprint("getsockopt(SO_ERROR) on exception fd failed: %m\n", e); - goto kill_conn; - } - /* Okay, got the error back. Either way, kill the - connection. */ - e = sockerr; -#else - e = 1; /* need only be non-zero */ -#endif + e = get_so_error(conn->fd); + if (e) + dprint("socket error on exception fd: %m", e); + else + dprint("no socket error info available on exception fd"); goto kill_conn; } /* * Connect finished -- but did it succeed or fail? * UNIX sets can_write if failed. - * Try writing, I guess, and find out. + * Call getsockopt to see if error pending. + * + * (For most UNIX systems it works to just try writing the + * first time and detect an error. But Bill Dodd at IBM + * reports that some version of AIX, SIGPIPE can result.) */ + e = get_so_error(conn->fd); + if (e) { + dprint("socket error on write fd: %m", e); + goto kill_conn; + } conn->state = WRITING; goto try_writing; @@ -1073,7 +1087,7 @@ krb5int_sendto (krb5_context context, const krb5_data *message, egress: for (i = 0; i < n_conns; i++) { if (conns[i].fd != INVALID_SOCKET) - close(conns[i].fd); + closesocket(conns[i].fd); if (conns[i].state == READING && conns[i].x.in.buf != 0 && conns[i].x.in.buf != udpbuf) diff --git a/src/lib/krb5/os/t_locate_kdc.c b/src/lib/krb5/os/t_locate_kdc.c index a3d6828..03dac07 100644 --- a/src/lib/krb5/os/t_locate_kdc.c +++ b/src/lib/krb5/os/t_locate_kdc.c @@ -117,7 +117,7 @@ int main (int argc, char *argv[]) break; case LOOKUP_DNS: - err = krb5_locate_srv_dns (&realm, "_kerberos", "_udp", &al); + err = krb5_locate_srv_dns_1 (&realm, "_kerberos", "_udp", &al, 0); break; case LOOKUP_WHATEVER: diff --git a/src/lib/krb5/os/toffset.c b/src/lib/krb5/os/toffset.c index aad995a..4578f82 100644 --- a/src/lib/krb5/os/toffset.c +++ b/src/lib/krb5/os/toffset.c @@ -35,7 +35,7 @@ * between the system time and the "real time" as passed to this * routine */ -krb5_error_code +krb5_error_code KRB5_CALLCONV krb5_set_real_time(krb5_context context, krb5_int32 seconds, krb5_int32 microseconds) { krb5_os_context os_ctx = context->os_context; diff --git a/src/lib/krb5/rcache/Makefile.in b/src/lib/krb5/rcache/Makefile.in index 79b6a28..d67b044 100644 --- a/src/lib/krb5/rcache/Makefile.in +++ b/src/lib/krb5/rcache/Makefile.in @@ -49,38 +49,40 @@ clean-unix:: clean-libobjs # rc_base.so rc_base.po $(OUTPRE)rc_base.$(OBJEXT): rc_base.c rc_base.h $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h rc_dfl.so rc_dfl.po $(OUTPRE)rc_dfl.$(OBJEXT): rc_dfl.c rc_base.h $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h rc_dfl.h rc_io.h + rc_dfl.h rc_io.h rc_io.so rc_io.po $(OUTPRE)rc_io.$(OBJEXT): rc_io.c $(BUILDTOP)/include/krb5.h \ $(COM_ERR_DEPS) rc_base.h $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/profile.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - rc_dfl.h rc_io.h + $(SRCTOP)/include/krb5/kdb.h rc_dfl.h rc_io.h rcdef.so rcdef.po $(OUTPRE)rcdef.$(OBJEXT): rcdef.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h rc_dfl.h + rc_dfl.h rc_conv.so rc_conv.po $(OUTPRE)rc_conv.$(OBJEXT): rc_conv.c rc_base.h $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h ser_rc.so ser_rc.po $(OUTPRE)ser_rc.$(OBJEXT): ser_rc.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h rcfns.so rcfns.po $(OUTPRE)rcfns.$(OBJEXT): rcfns.c $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h + $(SRCTOP)/include/k5-platform.h $(BUILDTOP)/include/krb5.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def index 53172a8..58b4390 100644 --- a/src/lib/krb5_32.def +++ b/src/lib/krb5_32.def @@ -36,8 +36,10 @@ EXPORTS krb5_auth_con_getlocalseqnumber krb5_auth_con_getlocalsubkey krb5_auth_con_getrcache ; KRB5_CALLCONV_WRONG + krb5_auth_con_getrecvsubkey krb5_auth_con_getremoteseqnumber krb5_auth_con_getremotesubkey + krb5_auth_con_getsendsubkey krb5_auth_con_init krb5_auth_con_initivector ; DEPRECATED krb5_auth_con_setaddrs ; KRB5_CALLCONV_WRONG @@ -45,6 +47,8 @@ EXPORTS krb5_auth_con_setflags krb5_auth_con_setports krb5_auth_con_setrcache + krb5_auth_con_setrecvsubkey + krb5_auth_con_setsendsubkey krb5_auth_con_setuseruserkey krb5_build_principal krb5_build_principal_ext @@ -63,6 +67,7 @@ EXPORTS krb5_c_random_make_octets krb5_c_random_seed krb5_c_string_to_key +krb5_c_string_to_key_with_params krb5_c_valid_cksumtype krb5_c_valid_enctype krb5_c_verify_checksum @@ -153,6 +158,7 @@ EXPORTS krb5_get_init_creds_opt_set_salt krb5_get_init_creds_opt_set_tkt_life krb5_get_init_creds_password + krb5_get_permitted_enctypes krb5_get_prompt_types krb5_get_renewed_creds krb5_get_server_rcache @@ -187,6 +193,7 @@ EXPORTS krb5_os_localaddr krb5_parse_name krb5_principal_compare + krb5_principal2salt krb5_process_key krb5_prompter_posix krb5_random_key @@ -204,7 +211,10 @@ EXPORTS krb5_sendauth krb5_set_default_realm krb5_set_default_tgs_enctypes +krb5_set_password +krb5_set_password_using_ccache krb5_set_principal_realm + krb5_set_real_time krb5_sname_to_principal krb5_string_to_cksumtype krb5_string_to_deltat @@ -224,6 +234,10 @@ EXPORTS krb5_verify_init_creds_opt_init krb5_verify_init_creds_opt_set_ap_req_nofail + krb5_524_convert_creds +; Don't add krb524_convert_creds_kdc or krb524_init_ets here; +; they've never been exported by this library, and are deprecated. -KR + krb5int_accessor ; INTERNAL (to end all internals) ; To Add (exported on Mac OS X): @@ -265,3 +279,4 @@ EXPORTS krb5_rc_close ; PRIVATE GSSAPI krb5.hin krb5_free_enc_tkt_part ; PRIVATE GSSAPI krb5.hin krb5_decrypt_tkt_part ; PRIVATE GSSAPI krb5.hin +
\ No newline at end of file diff --git a/src/lib/rpc/ChangeLog b/src/lib/rpc/ChangeLog index 6534240..279ec8a 100644 --- a/src/lib/rpc/ChangeLog +++ b/src/lib/rpc/ChangeLog @@ -1,3 +1,16 @@ +2003-04-23 Ken Raeburn <raeburn@mit.edu> + + * bindresvport.c: Include errno.h. + (gssrpc_bindresvport): Don't declare errno. + * clnt_tcp.c: Don't declare errno. + * svc.c: Don't declare errno. Include errno.h. + +2003-03-24 Tom Yu <tlyu@mit.edu> + + * xdr_mem.c (xdrmem_create): Perform some additional size checks. + (xdrmem_getlong, xdrmem_putlong, xdrmem_getbytes): Check x_handy + prior to decrementing it. + 2003-01-12 Ezra Peisach <epeisach@bu.edu> * svc_auth_gssapi.c (_svcauth_gssapi_unset_names): If invoked more diff --git a/src/lib/rpc/bindresvport.c b/src/lib/rpc/bindresvport.c index 36b3ed5..28017d6 100644 --- a/src/lib/rpc/bindresvport.c +++ b/src/lib/rpc/bindresvport.c @@ -41,6 +41,7 @@ static char sccsid[] = "@(#)bindresvport.c 2.2 88/07/29 4.0 RPCSRC 1.8 88/02/08 #include <sys/socket.h> #include <netinet/in.h> #include <gssrpc/rpc.h> +#include <errno.h> /* * Bind a socket to a privileged IP port @@ -53,7 +54,6 @@ gssrpc_bindresvport(sd, sockin) int res; static short port; struct sockaddr_in myaddr; - extern int errno; int i; #define STARTPORT 600 diff --git a/src/lib/rpc/clnt_tcp.c b/src/lib/rpc/clnt_tcp.c index abadf33..9906bca 100644 --- a/src/lib/rpc/clnt_tcp.c +++ b/src/lib/rpc/clnt_tcp.c @@ -60,8 +60,6 @@ static char sccsid[] = "@(#)clnt_tcp.c 1.37 87/10/05 Copyr 1984 Sun Micro"; #define MCALL_MSG_SIZE 24 -extern int errno; - static enum clnt_stat clnttcp_call(CLIENT *, rpc_u_int32, xdrproc_t, void *, xdrproc_t, void *, struct timeval); static void clnttcp_abort(CLIENT *); diff --git a/src/lib/rpc/svc.c b/src/lib/rpc/svc.c index 7429acd..9026815 100644 --- a/src/lib/rpc/svc.c +++ b/src/lib/rpc/svc.c @@ -46,8 +46,7 @@ static char sccsid[] = "@(#)svc.c 1.41 87/10/13 Copyr 1984 Sun Micro"; #include <gssrpc/pmap_clnt.h> #include <stdio.h> #include <string.h> - -extern int errno; +#include <errno.h> #ifdef FD_SETSIZE static SVCXPRT **xports; diff --git a/src/lib/rpc/unit-test/ChangeLog b/src/lib/rpc/unit-test/ChangeLog index e565321..63ecf44 100644 --- a/src/lib/rpc/unit-test/ChangeLog +++ b/src/lib/rpc/unit-test/ChangeLog @@ -1,3 +1,15 @@ +2004-02-13 Tom Yu <tlyu@mit.edu> + + * config/unix.exp (PRIOCNTL_HACK): Use "==" instead of "eq", which + is not present in tcl-8.3. + +2004-02-12 Tom Yu <tlyu@mit.edu> + + * configure.in: Invoke KRB5_AC_PRIOCNTL_HACK. + + * config/unix.exp (PRIOCNTL_HACK): Wrap "spawn" to do priocntl + things to work around Solaris 9 pty-close bug. + 2003-01-07 Ken Raeburn <raeburn@mit.edu> * Makefile.ov: Deleted. diff --git a/src/lib/rpc/unit-test/Makefile.in b/src/lib/rpc/unit-test/Makefile.in index a9ed5c3..a4c2fc5 100644 --- a/src/lib/rpc/unit-test/Makefile.in +++ b/src/lib/rpc/unit-test/Makefile.in @@ -54,6 +54,7 @@ unit-test-body: $(RUNTEST) SERVER=./server CLIENT=./client \ KINIT=$(BUILDTOP)/clients/kinit/kinit \ KDESTROY=$(BUILDTOP)/clients/kdestroy/kdestroy \ + PRIOCNTL_HACK=@PRIOCNTL_HACK@ \ PASS="$(PASS)" --tool rpc_test $(RUNTESTFLAGS) ; \ then \ echo Cleaning up... ; \ diff --git a/src/lib/rpc/unit-test/config/unix.exp b/src/lib/rpc/unit-test/config/unix.exp index 49ae4d1..495472e 100644 --- a/src/lib/rpc/unit-test/config/unix.exp +++ b/src/lib/rpc/unit-test/config/unix.exp @@ -9,6 +9,44 @@ set kdestroy $KDESTROY set hostname [exec hostname] +# Hack around Solaris 9 kernel race condition that causes last output +# from a pty to get dropped. +if { $PRIOCNTL_HACK } { + catch {exec priocntl -s -c FX -m 30 -p 30 -i pid [getpid]} + rename spawn oldspawn + proc spawn { args } { + upvar 1 spawn_id spawn_id + set newargs {} + set inflags 1 + set eatnext 0 + foreach arg $args { + if { $arg == "-ignore" \ + || $arg == "-open" \ + || $arg == "-leaveopen" } { + lappend newargs $arg + set eatnext 1 + continue + } + if [string match "-*" $arg] { + lappend newargs $arg + continue + } + if { $eatnext } { + set eatnext 0 + lappend newargs $arg + continue + } + if { $inflags } { + set inflags 0 + set newargs [concat $newargs {priocntl -e -c FX -p 0}] + } + lappend newargs $arg + } + set pid [eval oldspawn $newargs] + return $pid + } +} + # this will initialize the database and keytab load_lib "helpers.exp" diff --git a/src/lib/rpc/unit-test/configure.in b/src/lib/rpc/unit-test/configure.in index 68ac8d1..d06cb6f 100644 --- a/src/lib/rpc/unit-test/configure.in +++ b/src/lib/rpc/unit-test/configure.in @@ -25,4 +25,5 @@ changequote([, ]) AC_SUBST(PASS) dnl CHECK_SIGNALS +KRB5_AC_PRIOCNTL_HACK V5_AC_OUTPUT_MAKEFILE diff --git a/src/lib/rpc/xdr_mem.c b/src/lib/rpc/xdr_mem.c index 18265da..58e2d82 100644 --- a/src/lib/rpc/xdr_mem.c +++ b/src/lib/rpc/xdr_mem.c @@ -48,6 +48,7 @@ static char sccsid[] = "@(#)xdr_mem.c 1.19 87/08/11 Copyr 1984 Sun Micro"; #include <netinet/in.h> #include <stdio.h> #include <string.h> +#include <limits.h> static bool_t xdrmem_getlong(XDR *, long *); static bool_t xdrmem_putlong(XDR *, long *); @@ -84,7 +85,7 @@ xdrmem_create(xdrs, addr, size, op) xdrs->x_op = op; xdrs->x_ops = &xdrmem_ops; xdrs->x_private = xdrs->x_base = addr; - xdrs->x_handy = size; + xdrs->x_handy = (size > INT_MAX) ? INT_MAX : size; /* XXX */ } static void @@ -99,8 +100,10 @@ xdrmem_getlong(xdrs, lp) long *lp; { - if ((xdrs->x_handy -= sizeof(rpc_int32)) < 0) + if (xdrs->x_handy < sizeof(rpc_int32)) return (FALSE); + else + xdrs->x_handy -= sizeof(rpc_int32); *lp = (long)ntohl(*((rpc_u_int32 *)(xdrs->x_private))); xdrs->x_private = (char *)xdrs->x_private + sizeof(rpc_int32); return (TRUE); @@ -112,8 +115,10 @@ xdrmem_putlong(xdrs, lp) long *lp; { - if ((xdrs->x_handy -= sizeof(rpc_int32)) < 0) + if (xdrs->x_handy < sizeof(rpc_int32)) return (FALSE); + else + xdrs->x_handy -= sizeof(rpc_int32); *(rpc_int32 *)xdrs->x_private = (rpc_int32)htonl((rpc_u_int32)(*lp)); xdrs->x_private = (char *)xdrs->x_private + sizeof(rpc_int32); return (TRUE); @@ -126,8 +131,10 @@ xdrmem_getbytes(xdrs, addr, len) register unsigned int len; { - if ((xdrs->x_handy -= len) < 0) + if (xdrs->x_handy < len) return (FALSE); + else + xdrs->x_handy -= len; memmove(addr, xdrs->x_private, len); xdrs->x_private = (char *)xdrs->x_private + len; return (TRUE); @@ -140,8 +147,10 @@ xdrmem_putbytes(xdrs, addr, len) register unsigned int len; { - if ((xdrs->x_handy -= len) < 0) + if (xdrs->x_handy < len) return (FALSE); + else + xdrs->x_handy -= len; memmove(xdrs->x_private, addr, len); xdrs->x_private = (char *)xdrs->x_private + len; return (TRUE); @@ -180,7 +189,7 @@ xdrmem_inline(xdrs, len) { rpc_int32 *buf = 0; - if (xdrs->x_handy >= len) { + if (len >= 0 && xdrs->x_handy >= len) { xdrs->x_handy -= len; buf = (rpc_int32 *) xdrs->x_private; xdrs->x_private = (char *)xdrs->x_private + len; |