diff options
| author | Doug Rabson <dfr@FreeBSD.org> | 2008-05-07 13:39:42 +0000 |
|---|---|---|
| committer | Doug Rabson <dfr@FreeBSD.org> | 2008-05-07 13:39:42 +0000 |
| commit | c19800e8cd5640693f36f2040db4ab5e8d738146 (patch) | |
| tree | 4dbb862199a916e3ffe75f1cb08703ec0e662ffc /crypto/heimdal/lib/krb5 | |
| parent | 8d4ba808a53020900c275b6f1cf21fc6e9f3bf36 (diff) | |
| download | src-c19800e8cd5640693f36f2040db4ab5e8d738146.tar.gz src-c19800e8cd5640693f36f2040db4ab5e8d738146.zip | |
Vendor import of Heimdal 1.1
Notes
Notes:
svn path=/vendor-crypto/heimdal/dist/; revision=178825
Diffstat (limited to 'crypto/heimdal/lib/krb5')
208 files changed, 34810 insertions, 5467 deletions
diff --git a/crypto/heimdal/lib/krb5/Makefile.am b/crypto/heimdal/lib/krb5/Makefile.am index 7ca638bcbde0..ced9616e162c 100644 --- a/crypto/heimdal/lib/krb5/Makefile.am +++ b/crypto/heimdal/lib/krb5/Makefile.am @@ -1,41 +1,71 @@ -# $Id: Makefile.am,v 1.156.2.4 2004/06/21 10:52:01 lha Exp $ +# $Id: Makefile.am 22501 2008-01-21 15:43:21Z lha $ include $(top_srcdir)/Makefile.am.common -INCLUDES += $(INCLUDE_krb4) $(INCLUDE_des) -I../com_err -I$(srcdir)/../com_err +AM_CPPFLAGS += $(INCLUDE_krb4) $(INCLUDE_hcrypto) -I../com_err -I$(srcdir)/../com_err bin_PROGRAMS = verify_krb5_conf -noinst_PROGRAMS = dump_config test_get_addrs krbhst-test test_alname +noinst_PROGRAMS = \ + krbhst-test \ + test_alname \ + test_crypto \ + test_get_addrs \ + test_kuserok \ + test_renew \ + test_forward TESTS = \ aes-test \ - n-fold-test \ - string-to-key-test \ derived-key-test \ - store-test \ + n-fold-test \ + name-45-test \ parse-name-test \ + store-test \ + string-to-key-test \ + test_acl \ + test_addr \ test_cc \ - name-45-test + test_config \ + test_prf \ + test_store \ + test_crypto_wrapping \ + test_keytab \ + test_mem \ + test_pac \ + test_plugin \ + test_princ \ + test_pkinit_dh2key \ + test_time -check_PROGRAMS = $(TESTS) +check_PROGRAMS = $(TESTS) test_hostname LDADD = libkrb5.la \ - $(LIB_des) \ + $(LIB_hcrypto) \ $(top_builddir)/lib/asn1/libasn1.la \ $(LIB_roken) +if PKINIT +LIB_pkinit = ../hx509/libhx509.la +endif + libkrb5_la_LIBADD = \ - ../com_err/error.lo ../com_err/com_err.lo \ - $(LIB_des) \ + $(LIB_pkinit) \ + $(LIB_com_err) \ + $(LIB_hcrypto) \ $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) + $(LIBADD_roken) \ + $(LIB_door_create) \ + $(LIB_dlopen) lib_LTLIBRARIES = libkrb5.la -ERR_FILES = krb5_err.c heim_err.c k524_err.c +ERR_FILES = krb5_err.c krb_err.c heim_err.c k524_err.c -libkrb5_la_SOURCES = \ +libkrb5_la_CPPFLAGS = -DBUILD_KRB5_LIB $(AM_CPPFLAGS) + +dist_libkrb5_la_SOURCES = \ + acache.c \ acl.c \ add_et_list.c \ addr_families.c \ @@ -57,7 +87,9 @@ libkrb5_la_SOURCES = \ crc.c \ creds.c \ crypto.c \ + doxygen.c \ data.c \ + digest.c \ eai_to_heim_errno.c \ error_string.c \ expand_hostname.c \ @@ -77,15 +109,20 @@ libkrb5_la_SOURCES = \ get_in_tkt_with_keytab.c \ get_in_tkt_with_skey.c \ get_port.c \ + heim_threads.h \ init_creds.c \ init_creds_pw.c \ + kcm.c \ + kcm.h \ keyblock.c \ keytab.c \ keytab_any.c \ keytab_file.c \ - keytab_memory.c \ keytab_keyfile.c \ keytab_krb4.c \ + keytab_memory.c \ + krb5_locl.h \ + krb5-v4compat.h \ krbhst.c \ kuserok.c \ log.c \ @@ -97,10 +134,13 @@ libkrb5_la_SOURCES = \ mk_req.c \ mk_req_ext.c \ mk_safe.c \ + mit_glue.c \ net_read.c \ net_write.c \ n-fold.c \ + pac.c \ padata.c \ + pkinit.c \ principal.c \ prog_setup.c \ prompter_posix.c \ @@ -122,75 +162,137 @@ libkrb5_la_SOURCES = \ store_emem.c \ store_fd.c \ store_mem.c \ + plugin.c \ ticket.c \ time.c \ transited.c \ + v4_glue.c \ verify_init.c \ verify_user.c \ version.c \ warn.c \ - write_message.c \ + write_message.c + +nodist_libkrb5_la_SOURCES = \ $(ERR_FILES) -libkrb5_la_LDFLAGS = -version-info 20:0:3 +libkrb5_la_LDFLAGS = -version-info 24:0:0 + +if versionscript +libkrb5_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map +endif -$(libkrb5_la_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h +$(libkrb5_la_OBJECTS) $(verify_krb5_conf_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h $(srcdir)/krb5-protos.h: - cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -o krb5-protos.h $(libkrb5_la_SOURCES) || rm -f krb5-protos.h + cd $(srcdir) && perl ../../cf/make-proto.pl -E KRB5_LIB_FUNCTION -q -P comment -o krb5-protos.h $(dist_libkrb5_la_SOURCES) || rm -f krb5-protos.h $(srcdir)/krb5-private.h: - cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p krb5-private.h $(libkrb5_la_SOURCES) || rm -f krb5-private.h - -#libkrb5_la_LIBADD = ../com_err/error.lo ../com_err/com_err.lo + cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p krb5-private.h $(dist_libkrb5_la_SOURCES) || rm -f krb5-private.h man_MANS = \ kerberos.8 \ krb5.3 \ krb5.conf.5 \ + krb524_convert_creds_kdc.3 \ krb5_425_conv_principal.3 \ + krb5_acl_match_file.3 \ krb5_address.3 \ krb5_aname_to_localname.3 \ krb5_appdefault.3 \ krb5_auth_context.3 \ - krb5_build_principal.3 \ + krb5_c_make_checksum.3 \ krb5_ccache.3 \ + krb5_check_transited.3 \ + krb5_compare_creds.3 \ krb5_config.3 \ krb5_context.3 \ krb5_create_checksum.3 \ + krb5_creds.3 \ krb5_crypto_init.3 \ krb5_data.3 \ + krb5_digest.3 \ + krb5_eai_to_heim_errno.3 \ krb5_encrypt.3 \ - krb5_free_addresses.3 \ - krb5_free_principal.3 \ + krb5_expand_hostname.3 \ + krb5_find_padata.3 \ + krb5_generate_random_block.3 \ krb5_get_all_client_addrs.3 \ + krb5_get_credentials.3 \ + krb5_get_creds.3 \ + krb5_get_forwarded_creds.3 \ + krb5_get_in_cred.3 \ + krb5_get_init_creds.3 \ krb5_get_krbhst.3 \ + krb5_getportbyname.3 \ krb5_init_context.3 \ + krb5_is_thread_safe.3 \ + krb5_keyblock.3 \ krb5_keytab.3 \ krb5_krbhst_init.3 \ krb5_kuserok.3 \ + krb5_mk_req.3 \ + krb5_mk_safe.3 \ krb5_openlog.3 \ krb5_parse_name.3 \ - krb5_principal_get_realm.3 \ + krb5_principal.3 \ + krb5_rcache.3 \ + krb5_rd_error.3 \ + krb5_rd_safe.3 \ krb5_set_default_realm.3 \ krb5_set_password.3 \ - krb5_sname_to_principal.3 \ + krb5_storage.3 \ + krb5_string_to_key.3 \ + krb5_ticket.3 \ krb5_timeofday.3 \ krb5_unparse_name.3 \ + krb5_verify_init_creds.3 \ krb5_verify_user.3 \ krb5_warn.3 \ verify_krb5_conf.8 -include_HEADERS = krb5.h krb5-protos.h krb5-private.h krb5_err.h heim_err.h k524_err.h +dist_include_HEADERS = \ + krb5.h \ + krb5-protos.h \ + krb5-private.h \ + krb5_ccapi.h + +nodist_include_HEADERS = krb5_err.h heim_err.h k524_err.h -CLEANFILES = krb5_err.c krb5_err.h heim_err.c heim_err.h k524_err.c k524_err.h +# XXX use nobase_include_HEADERS = krb5/locate_plugin.h +krb5dir = $(includedir)/krb5 +krb5_HEADERS = locate_plugin.h -$(libkrb5_la_OBJECTS): krb5_err.h heim_err.h k524_err.h +build_HEADERZ = \ + heim_threads.h \ + $(krb5_HEADERS) \ + krb_err.h + +CLEANFILES = \ + krb5_err.c krb5_err.h \ + krb_err.c krb_err.h \ + heim_err.c heim_err.h \ + k524_err.c k524_err.h + +$(libkrb5_la_OBJECTS): krb5_err.h krb_err.h heim_err.h k524_err.h + +EXTRA_DIST = \ + krb5_err.et \ + krb_err.et \ + heim_err.et \ + k524_err.et \ + $(man_MANS) \ + version-script.map \ + krb5.moduli + +#sysconf_DATA = krb5.moduli # to help stupid solaris make krb5_err.h: krb5_err.et +krb_err.h: krb_err.et + heim_err.h: heim_err.et k524_err.h: k524_err.et diff --git a/crypto/heimdal/lib/krb5/Makefile.in b/crypto/heimdal/lib/krb5/Makefile.in index 78017a784cbc..60e09251227f 100644 --- a/crypto/heimdal/lib/krb5/Makefile.in +++ b/crypto/heimdal/lib/krb5/Makefile.in @@ -1,8 +1,8 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. +# Makefile.in generated by automake 1.10 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -14,25 +14,19 @@ @SET_MAKE@ -# $Id: Makefile.am,v 1.156.2.4 2004/06/21 10:52:01 lha Exp $ +# $Id: Makefile.am 22501 2008-01-21 15:43:21Z lha $ -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ +# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $ -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ +# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $ -SOURCES = $(libkrb5_la_SOURCES) aes-test.c derived-key-test.c dump_config.c krbhst-test.c n-fold-test.c name-45-test.c parse-name-test.c store-test.c string-to-key-test.c test_alname.c test_cc.c test_get_addrs.c verify_krb5_conf.c - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c @@ -44,27 +38,40 @@ POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : +build_triplet = @build@ host_triplet = @host@ -DIST_COMMON = $(include_HEADERS) $(srcdir)/Makefile.am \ - $(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \ +DIST_COMMON = $(dist_include_HEADERS) $(krb5_HEADERS) \ + $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ + $(top_srcdir)/Makefile.am.common \ $(top_srcdir)/cf/Makefile.am.common bin_PROGRAMS = verify_krb5_conf$(EXEEXT) -noinst_PROGRAMS = dump_config$(EXEEXT) test_get_addrs$(EXEEXT) \ - krbhst-test$(EXEEXT) test_alname$(EXEEXT) -check_PROGRAMS = $(am__EXEEXT_1) +noinst_PROGRAMS = krbhst-test$(EXEEXT) test_alname$(EXEEXT) \ + test_crypto$(EXEEXT) test_get_addrs$(EXEEXT) \ + test_kuserok$(EXEEXT) test_renew$(EXEEXT) \ + test_forward$(EXEEXT) +TESTS = aes-test$(EXEEXT) derived-key-test$(EXEEXT) \ + n-fold-test$(EXEEXT) name-45-test$(EXEEXT) \ + parse-name-test$(EXEEXT) store-test$(EXEEXT) \ + string-to-key-test$(EXEEXT) test_acl$(EXEEXT) \ + test_addr$(EXEEXT) test_cc$(EXEEXT) test_config$(EXEEXT) \ + test_prf$(EXEEXT) test_store$(EXEEXT) \ + test_crypto_wrapping$(EXEEXT) test_keytab$(EXEEXT) \ + test_mem$(EXEEXT) test_pac$(EXEEXT) test_plugin$(EXEEXT) \ + test_princ$(EXEEXT) test_pkinit_dh2key$(EXEEXT) \ + test_time$(EXEEXT) +check_PROGRAMS = $(am__EXEEXT_1) test_hostname$(EXEEXT) +@versionscript_TRUE@am__append_1 = $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map subdir = lib/krb5 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ + $(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \ $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ $(top_srcdir)/cf/broken-glob.m4 \ $(top_srcdir)/cf/broken-realloc.m4 \ $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ $(top_srcdir)/cf/capabilities.m4 \ $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ $(top_srcdir)/cf/check-man.m4 \ $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ @@ -77,6 +84,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ $(top_srcdir)/cf/find-func-no-libs2.m4 \ $(top_srcdir)/cf/find-func.m4 \ $(top_srcdir)/cf/find-if-not-broken.m4 \ + $(top_srcdir)/cf/framework-security.m4 \ $(top_srcdir)/cf/have-struct-field.m4 \ $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ $(top_srcdir)/cf/krb-bigendian.m4 \ @@ -85,56 +93,108 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ $(top_srcdir)/cf/krb-readline.m4 \ $(top_srcdir)/cf/krb-struct-spwd.m4 \ $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in + $(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \ + $(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \ + $(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \ + $(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \ + $(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \ + $(top_srcdir)/cf/roken-frag.m4 \ + $(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \ + $(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \ + $(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \ + $(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \ + $(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/include/config.h CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(includedir)" +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" \ + "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" \ + "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(includedir)" \ + "$(DESTDIR)$(krb5dir)" "$(DESTDIR)$(includedir)" libLTLIBRARIES_INSTALL = $(INSTALL) LTLIBRARIES = $(lib_LTLIBRARIES) am__DEPENDENCIES_1 = -libkrb5_la_DEPENDENCIES = ../com_err/error.lo ../com_err/com_err.lo \ +libkrb5_la_DEPENDENCIES = $(LIB_pkinit) $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) $(top_builddir)/lib/asn1/libasn1.la \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) -am__objects_1 = krb5_err.lo heim_err.lo k524_err.lo -am_libkrb5_la_OBJECTS = acl.lo add_et_list.lo addr_families.lo \ - aname_to_localname.lo appdefault.lo asn1_glue.lo \ - auth_context.lo build_ap_req.lo build_auth.lo cache.lo \ - changepw.lo codec.lo config_file.lo config_file_netinfo.lo \ - convert_creds.lo constants.lo context.lo copy_host_realm.lo \ - crc.lo creds.lo crypto.lo data.lo eai_to_heim_errno.lo \ - error_string.lo expand_hostname.lo fcache.lo free.lo \ - free_host_realm.lo generate_seq_number.lo generate_subkey.lo \ - get_addrs.lo get_cred.lo get_default_principal.lo \ - get_default_realm.lo get_for_creds.lo get_host_realm.lo \ - get_in_tkt.lo get_in_tkt_pw.lo get_in_tkt_with_keytab.lo \ - get_in_tkt_with_skey.lo get_port.lo init_creds.lo \ - init_creds_pw.lo keyblock.lo keytab.lo keytab_any.lo \ - keytab_file.lo keytab_memory.lo keytab_keyfile.lo \ - keytab_krb4.lo krbhst.lo kuserok.lo log.lo mcache.lo misc.lo \ - mk_error.lo mk_priv.lo mk_rep.lo mk_req.lo mk_req_ext.lo \ - mk_safe.lo net_read.lo net_write.lo n-fold.lo padata.lo \ - principal.lo prog_setup.lo prompter_posix.lo rd_cred.lo \ - rd_error.lo rd_priv.lo rd_rep.lo rd_req.lo rd_safe.lo \ - read_message.lo recvauth.lo replay.lo send_to_kdc.lo \ - sendauth.lo set_default_realm.lo sock_principal.lo store.lo \ - store_emem.lo store_fd.lo store_mem.lo ticket.lo time.lo \ - transited.lo verify_init.lo verify_user.lo version.lo warn.lo \ - write_message.lo $(am__objects_1) -libkrb5_la_OBJECTS = $(am_libkrb5_la_OBJECTS) +dist_libkrb5_la_OBJECTS = libkrb5_la-acache.lo libkrb5_la-acl.lo \ + libkrb5_la-add_et_list.lo libkrb5_la-addr_families.lo \ + libkrb5_la-aname_to_localname.lo libkrb5_la-appdefault.lo \ + libkrb5_la-asn1_glue.lo libkrb5_la-auth_context.lo \ + libkrb5_la-build_ap_req.lo libkrb5_la-build_auth.lo \ + libkrb5_la-cache.lo libkrb5_la-changepw.lo libkrb5_la-codec.lo \ + libkrb5_la-config_file.lo libkrb5_la-config_file_netinfo.lo \ + libkrb5_la-convert_creds.lo libkrb5_la-constants.lo \ + libkrb5_la-context.lo libkrb5_la-copy_host_realm.lo \ + libkrb5_la-crc.lo libkrb5_la-creds.lo libkrb5_la-crypto.lo \ + libkrb5_la-doxygen.lo libkrb5_la-data.lo libkrb5_la-digest.lo \ + libkrb5_la-eai_to_heim_errno.lo libkrb5_la-error_string.lo \ + libkrb5_la-expand_hostname.lo libkrb5_la-fcache.lo \ + libkrb5_la-free.lo libkrb5_la-free_host_realm.lo \ + libkrb5_la-generate_seq_number.lo \ + libkrb5_la-generate_subkey.lo libkrb5_la-get_addrs.lo \ + libkrb5_la-get_cred.lo libkrb5_la-get_default_principal.lo \ + libkrb5_la-get_default_realm.lo libkrb5_la-get_for_creds.lo \ + libkrb5_la-get_host_realm.lo libkrb5_la-get_in_tkt.lo \ + libkrb5_la-get_in_tkt_pw.lo \ + libkrb5_la-get_in_tkt_with_keytab.lo \ + libkrb5_la-get_in_tkt_with_skey.lo libkrb5_la-get_port.lo \ + libkrb5_la-init_creds.lo libkrb5_la-init_creds_pw.lo \ + libkrb5_la-kcm.lo libkrb5_la-keyblock.lo libkrb5_la-keytab.lo \ + libkrb5_la-keytab_any.lo libkrb5_la-keytab_file.lo \ + libkrb5_la-keytab_keyfile.lo libkrb5_la-keytab_krb4.lo \ + libkrb5_la-keytab_memory.lo libkrb5_la-krbhst.lo \ + libkrb5_la-kuserok.lo libkrb5_la-log.lo libkrb5_la-mcache.lo \ + libkrb5_la-misc.lo libkrb5_la-mk_error.lo \ + libkrb5_la-mk_priv.lo libkrb5_la-mk_rep.lo \ + libkrb5_la-mk_req.lo libkrb5_la-mk_req_ext.lo \ + libkrb5_la-mk_safe.lo libkrb5_la-mit_glue.lo \ + libkrb5_la-net_read.lo libkrb5_la-net_write.lo \ + libkrb5_la-n-fold.lo libkrb5_la-pac.lo libkrb5_la-padata.lo \ + libkrb5_la-pkinit.lo libkrb5_la-principal.lo \ + libkrb5_la-prog_setup.lo libkrb5_la-prompter_posix.lo \ + libkrb5_la-rd_cred.lo libkrb5_la-rd_error.lo \ + libkrb5_la-rd_priv.lo libkrb5_la-rd_rep.lo \ + libkrb5_la-rd_req.lo libkrb5_la-rd_safe.lo \ + libkrb5_la-read_message.lo libkrb5_la-recvauth.lo \ + libkrb5_la-replay.lo libkrb5_la-send_to_kdc.lo \ + libkrb5_la-sendauth.lo libkrb5_la-set_default_realm.lo \ + libkrb5_la-sock_principal.lo libkrb5_la-store.lo \ + libkrb5_la-store_emem.lo libkrb5_la-store_fd.lo \ + libkrb5_la-store_mem.lo libkrb5_la-plugin.lo \ + libkrb5_la-ticket.lo libkrb5_la-time.lo \ + libkrb5_la-transited.lo libkrb5_la-v4_glue.lo \ + libkrb5_la-verify_init.lo libkrb5_la-verify_user.lo \ + libkrb5_la-version.lo libkrb5_la-warn.lo \ + libkrb5_la-write_message.lo +am__objects_1 = libkrb5_la-krb5_err.lo libkrb5_la-krb_err.lo \ + libkrb5_la-heim_err.lo libkrb5_la-k524_err.lo +nodist_libkrb5_la_OBJECTS = $(am__objects_1) +libkrb5_la_OBJECTS = $(dist_libkrb5_la_OBJECTS) \ + $(nodist_libkrb5_la_OBJECTS) +libkrb5_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libkrb5_la_LDFLAGS) $(LDFLAGS) -o $@ binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -am__EXEEXT_1 = aes-test$(EXEEXT) n-fold-test$(EXEEXT) \ - string-to-key-test$(EXEEXT) derived-key-test$(EXEEXT) \ - store-test$(EXEEXT) parse-name-test$(EXEEXT) test_cc$(EXEEXT) \ - name-45-test$(EXEEXT) +am__EXEEXT_1 = aes-test$(EXEEXT) derived-key-test$(EXEEXT) \ + n-fold-test$(EXEEXT) name-45-test$(EXEEXT) \ + parse-name-test$(EXEEXT) store-test$(EXEEXT) \ + string-to-key-test$(EXEEXT) test_acl$(EXEEXT) \ + test_addr$(EXEEXT) test_cc$(EXEEXT) test_config$(EXEEXT) \ + test_prf$(EXEEXT) test_store$(EXEEXT) \ + test_crypto_wrapping$(EXEEXT) test_keytab$(EXEEXT) \ + test_mem$(EXEEXT) test_pac$(EXEEXT) test_plugin$(EXEEXT) \ + test_princ$(EXEEXT) test_pkinit_dh2key$(EXEEXT) \ + test_time$(EXEEXT) PROGRAMS = $(bin_PROGRAMS) $(noinst_PROGRAMS) aes_test_SOURCES = aes-test.c aes_test_OBJECTS = aes-test.$(OBJEXT) @@ -146,11 +206,6 @@ derived_key_test_OBJECTS = derived-key-test.$(OBJEXT) derived_key_test_LDADD = $(LDADD) derived_key_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) -dump_config_SOURCES = dump_config.c -dump_config_OBJECTS = dump_config.$(OBJEXT) -dump_config_LDADD = $(LDADD) -dump_config_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ - $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) krbhst_test_SOURCES = krbhst-test.c krbhst_test_OBJECTS = krbhst-test.$(OBJEXT) krbhst_test_LDADD = $(LDADD) @@ -181,6 +236,16 @@ string_to_key_test_OBJECTS = string-to-key-test.$(OBJEXT) string_to_key_test_LDADD = $(LDADD) string_to_key_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) +test_acl_SOURCES = test_acl.c +test_acl_OBJECTS = test_acl.$(OBJEXT) +test_acl_LDADD = $(LDADD) +test_acl_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ + $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) +test_addr_SOURCES = test_addr.c +test_addr_OBJECTS = test_addr.$(OBJEXT) +test_addr_LDADD = $(LDADD) +test_addr_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ + $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) test_alname_SOURCES = test_alname.c test_alname_OBJECTS = test_alname.$(OBJEXT) test_alname_LDADD = $(LDADD) @@ -191,52 +256,140 @@ test_cc_OBJECTS = test_cc.$(OBJEXT) test_cc_LDADD = $(LDADD) test_cc_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) +test_config_SOURCES = test_config.c +test_config_OBJECTS = test_config.$(OBJEXT) +test_config_LDADD = $(LDADD) +test_config_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ + $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) +test_crypto_SOURCES = test_crypto.c +test_crypto_OBJECTS = test_crypto.$(OBJEXT) +test_crypto_LDADD = $(LDADD) +test_crypto_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ + $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) +test_crypto_wrapping_SOURCES = test_crypto_wrapping.c +test_crypto_wrapping_OBJECTS = test_crypto_wrapping.$(OBJEXT) +test_crypto_wrapping_LDADD = $(LDADD) +test_crypto_wrapping_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ + $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) +test_forward_SOURCES = test_forward.c +test_forward_OBJECTS = test_forward.$(OBJEXT) +test_forward_LDADD = $(LDADD) +test_forward_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ + $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) test_get_addrs_SOURCES = test_get_addrs.c test_get_addrs_OBJECTS = test_get_addrs.$(OBJEXT) test_get_addrs_LDADD = $(LDADD) test_get_addrs_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) +test_hostname_SOURCES = test_hostname.c +test_hostname_OBJECTS = test_hostname.$(OBJEXT) +test_hostname_LDADD = $(LDADD) +test_hostname_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ + $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) +test_keytab_SOURCES = test_keytab.c +test_keytab_OBJECTS = test_keytab.$(OBJEXT) +test_keytab_LDADD = $(LDADD) +test_keytab_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ + $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) +test_kuserok_SOURCES = test_kuserok.c +test_kuserok_OBJECTS = test_kuserok.$(OBJEXT) +test_kuserok_LDADD = $(LDADD) +test_kuserok_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ + $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) +test_mem_SOURCES = test_mem.c +test_mem_OBJECTS = test_mem.$(OBJEXT) +test_mem_LDADD = $(LDADD) +test_mem_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ + $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) +test_pac_SOURCES = test_pac.c +test_pac_OBJECTS = test_pac.$(OBJEXT) +test_pac_LDADD = $(LDADD) +test_pac_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ + $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) +test_pkinit_dh2key_SOURCES = test_pkinit_dh2key.c +test_pkinit_dh2key_OBJECTS = test_pkinit_dh2key.$(OBJEXT) +test_pkinit_dh2key_LDADD = $(LDADD) +test_pkinit_dh2key_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ + $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) +test_plugin_SOURCES = test_plugin.c +test_plugin_OBJECTS = test_plugin.$(OBJEXT) +test_plugin_LDADD = $(LDADD) +test_plugin_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ + $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) +test_prf_SOURCES = test_prf.c +test_prf_OBJECTS = test_prf.$(OBJEXT) +test_prf_LDADD = $(LDADD) +test_prf_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ + $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) +test_princ_SOURCES = test_princ.c +test_princ_OBJECTS = test_princ.$(OBJEXT) +test_princ_LDADD = $(LDADD) +test_princ_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ + $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) +test_renew_SOURCES = test_renew.c +test_renew_OBJECTS = test_renew.$(OBJEXT) +test_renew_LDADD = $(LDADD) +test_renew_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ + $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) +test_store_SOURCES = test_store.c +test_store_OBJECTS = test_store.$(OBJEXT) +test_store_LDADD = $(LDADD) +test_store_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ + $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) +test_time_SOURCES = test_time.c +test_time_OBJECTS = test_time.$(OBJEXT) +test_time_LDADD = $(LDADD) +test_time_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ + $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) verify_krb5_conf_SOURCES = verify_krb5_conf.c verify_krb5_conf_OBJECTS = verify_krb5_conf.$(OBJEXT) verify_krb5_conf_LDADD = $(LDADD) verify_krb5_conf_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \ $(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include +DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@ depcomp = am__depfiles_maybe = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(libkrb5_la_SOURCES) aes-test.c derived-key-test.c \ - dump_config.c krbhst-test.c n-fold-test.c name-45-test.c \ - parse-name-test.c store-test.c string-to-key-test.c \ - test_alname.c test_cc.c test_get_addrs.c verify_krb5_conf.c -DIST_SOURCES = $(libkrb5_la_SOURCES) aes-test.c derived-key-test.c \ - dump_config.c krbhst-test.c n-fold-test.c name-45-test.c \ - parse-name-test.c store-test.c string-to-key-test.c \ - test_alname.c test_cc.c test_get_addrs.c verify_krb5_conf.c +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(dist_libkrb5_la_SOURCES) $(nodist_libkrb5_la_SOURCES) \ + aes-test.c derived-key-test.c krbhst-test.c n-fold-test.c \ + name-45-test.c parse-name-test.c store-test.c \ + string-to-key-test.c test_acl.c test_addr.c test_alname.c \ + test_cc.c test_config.c test_crypto.c test_crypto_wrapping.c \ + test_forward.c test_get_addrs.c test_hostname.c test_keytab.c \ + test_kuserok.c test_mem.c test_pac.c test_pkinit_dh2key.c \ + test_plugin.c test_prf.c test_princ.c test_renew.c \ + test_store.c test_time.c verify_krb5_conf.c +DIST_SOURCES = $(dist_libkrb5_la_SOURCES) aes-test.c \ + derived-key-test.c krbhst-test.c n-fold-test.c name-45-test.c \ + parse-name-test.c store-test.c string-to-key-test.c test_acl.c \ + test_addr.c test_alname.c test_cc.c test_config.c \ + test_crypto.c test_crypto_wrapping.c test_forward.c \ + test_get_addrs.c test_hostname.c test_keytab.c test_kuserok.c \ + test_mem.c test_pac.c test_pkinit_dh2key.c test_plugin.c \ + test_prf.c test_princ.c test_renew.c test_store.c test_time.c \ + verify_krb5_conf.c man3dir = $(mandir)/man3 man5dir = $(mandir)/man5 man8dir = $(mandir)/man8 MANS = $(man_MANS) -includeHEADERS_INSTALL = $(INSTALL_HEADER) -HEADERS = $(include_HEADERS) +dist_includeHEADERS_INSTALL = $(INSTALL_HEADER) +krb5HEADERS_INSTALL = $(INSTALL_HEADER) +nodist_includeHEADERS_INSTALL = $(INSTALL_HEADER) +HEADERS = $(dist_include_HEADERS) $(krb5_HEADERS) \ + $(nodist_include_HEADERS) ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = @AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ @@ -246,8 +399,6 @@ AWK = @AWK@ CANONICAL_HOST = @CANONICAL_HOST@ CATMAN = @CATMAN@ CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ CC = @CC@ CFLAGS = @CFLAGS@ COMPILE_ET = @COMPILE_ET@ @@ -258,11 +409,10 @@ CXXCPP = @CXXCPP@ CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ DEFS = @DEFS@ DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ +DIR_hcrypto = @DIR_hcrypto@ +DIR_hdbdir = @DIR_hdbdir@ DIR_roken = @DIR_roken@ ECHO = @ECHO@ ECHO_C = @ECHO_C@ @@ -270,42 +420,27 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ F77 = @F77@ FFLAGS = @FFLAGS@ +GREP = @GREP@ GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ +INCLUDE_hcrypto = @INCLUDE_hcrypto@ INCLUDE_hesiod = @INCLUDE_hesiod@ INCLUDE_krb4 = @INCLUDE_krb4@ INCLUDE_openldap = @INCLUDE_openldap@ INCLUDE_readline = @INCLUDE_readline@ +INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ LDFLAGS = @LDFLAGS@ +LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBADD_roken = @LIBADD_roken@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ @@ -323,12 +458,9 @@ LIB_crypt = @LIB_crypt@ LIB_db_create = @LIB_db_create@ LIB_dbm_firstkey = @LIB_dbm_firstkey@ LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ LIB_dlopen = @LIB_dlopen@ LIB_dn_expand = @LIB_dn_expand@ +LIB_door_create = @LIB_door_create@ LIB_el_init = @LIB_el_init@ LIB_freeaddrinfo = @LIB_freeaddrinfo@ LIB_gai_strerror = @LIB_gai_strerror@ @@ -338,15 +470,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@ LIB_getnameinfo = @LIB_getnameinfo@ LIB_getpwnam_r = @LIB_getpwnam_r@ LIB_getsockopt = @LIB_getsockopt@ +LIB_hcrypto = @LIB_hcrypto@ +LIB_hcrypto_a = @LIB_hcrypto_a@ +LIB_hcrypto_appl = @LIB_hcrypto_appl@ +LIB_hcrypto_so = @LIB_hcrypto_so@ LIB_hesiod = @LIB_hesiod@ LIB_hstrerror = @LIB_hstrerror@ LIB_kdb = @LIB_kdb@ LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ LIB_loadquery = @LIB_loadquery@ LIB_logout = @LIB_logout@ LIB_logwtmp = @LIB_logwtmp@ @@ -355,6 +486,7 @@ LIB_openpty = @LIB_openpty@ LIB_otp = @LIB_otp@ LIB_pidfile = @LIB_pidfile@ LIB_readline = @LIB_readline@ +LIB_res_ndestroy = @LIB_res_ndestroy@ LIB_res_nsearch = @LIB_res_nsearch@ LIB_res_search = @LIB_res_search@ LIB_roken = @LIB_roken@ @@ -366,15 +498,10 @@ LIB_tgetent = @LIB_tgetent@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ +MKDIR_P = @MKDIR_P@ NROFF = @NROFF@ OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ @@ -382,74 +509,81 @@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PTHREADS_CFLAGS = @PTHREADS_CFLAGS@ +PTHREADS_LIBS = @PTHREADS_LIBS@ RANLIB = @RANLIB@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +VERSIONING = @VERSIONING@ VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ WFLAGS = @WFLAGS@ WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ +XMKMF = @XMKMF@ X_CFLAGS = @X_CFLAGS@ X_EXTRA_LIBS = @X_EXTRA_LIBS@ X_LIBS = @X_LIBS@ X_PRE_LIBS = @X_PRE_LIBS@ YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ ac_ct_CXX = @ac_ct_CXX@ ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ am__leading_dot = @am__leading_dot@ +am__tar = @am__tar@ +am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ +builddir = @builddir@ datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ +datarootdir = @datarootdir@ +docdir = @docdir@ dpagaix_cflags = @dpagaix_cflags@ dpagaix_ldadd = @dpagaix_ldadd@ dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ +dvidir = @dvidir@ exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ +htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ +localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ +psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(INCLUDE_des) -I../com_err -I$(srcdir)/../com_err +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 +AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \ + $(INCLUDE_krb4) $(INCLUDE_hcrypto) -I../com_err \ + -I$(srcdir)/../com_err @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME AM_CFLAGS = $(WFLAGS) CP = cp @@ -466,31 +600,28 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) @KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la +@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la -TESTS = \ - aes-test \ - n-fold-test \ - string-to-key-test \ - derived-key-test \ - store-test \ - parse-name-test \ - test_cc \ - name-45-test - LDADD = libkrb5.la \ - $(LIB_des) \ + $(LIB_hcrypto) \ $(top_builddir)/lib/asn1/libasn1.la \ $(LIB_roken) +@PKINIT_TRUE@LIB_pkinit = ../hx509/libhx509.la libkrb5_la_LIBADD = \ - ../com_err/error.lo ../com_err/com_err.lo \ - $(LIB_des) \ + $(LIB_pkinit) \ + $(LIB_com_err) \ + $(LIB_hcrypto) \ $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) + $(LIBADD_roken) \ + $(LIB_door_create) \ + $(LIB_dlopen) lib_LTLIBRARIES = libkrb5.la -ERR_FILES = krb5_err.c heim_err.c k524_err.c -libkrb5_la_SOURCES = \ +ERR_FILES = krb5_err.c krb_err.c heim_err.c k524_err.c +libkrb5_la_CPPFLAGS = -DBUILD_KRB5_LIB $(AM_CPPFLAGS) +dist_libkrb5_la_SOURCES = \ + acache.c \ acl.c \ add_et_list.c \ addr_families.c \ @@ -512,7 +643,9 @@ libkrb5_la_SOURCES = \ crc.c \ creds.c \ crypto.c \ + doxygen.c \ data.c \ + digest.c \ eai_to_heim_errno.c \ error_string.c \ expand_hostname.c \ @@ -532,15 +665,20 @@ libkrb5_la_SOURCES = \ get_in_tkt_with_keytab.c \ get_in_tkt_with_skey.c \ get_port.c \ + heim_threads.h \ init_creds.c \ init_creds_pw.c \ + kcm.c \ + kcm.h \ keyblock.c \ keytab.c \ keytab_any.c \ keytab_file.c \ - keytab_memory.c \ keytab_keyfile.c \ keytab_krb4.c \ + keytab_memory.c \ + krb5_locl.h \ + krb5-v4compat.h \ krbhst.c \ kuserok.c \ log.c \ @@ -552,10 +690,13 @@ libkrb5_la_SOURCES = \ mk_req.c \ mk_req_ext.c \ mk_safe.c \ + mit_glue.c \ net_read.c \ net_write.c \ n-fold.c \ + pac.c \ padata.c \ + pkinit.c \ principal.c \ prog_setup.c \ prompter_posix.c \ @@ -577,62 +718,117 @@ libkrb5_la_SOURCES = \ store_emem.c \ store_fd.c \ store_mem.c \ + plugin.c \ ticket.c \ time.c \ transited.c \ + v4_glue.c \ verify_init.c \ verify_user.c \ version.c \ warn.c \ - write_message.c \ - $(ERR_FILES) + write_message.c -libkrb5_la_LDFLAGS = -version-info 20:0:3 +nodist_libkrb5_la_SOURCES = \ + $(ERR_FILES) -#libkrb5_la_LIBADD = ../com_err/error.lo ../com_err/com_err.lo +libkrb5_la_LDFLAGS = -version-info 24:0:0 $(am__append_1) man_MANS = \ kerberos.8 \ krb5.3 \ krb5.conf.5 \ + krb524_convert_creds_kdc.3 \ krb5_425_conv_principal.3 \ + krb5_acl_match_file.3 \ krb5_address.3 \ krb5_aname_to_localname.3 \ krb5_appdefault.3 \ krb5_auth_context.3 \ - krb5_build_principal.3 \ + krb5_c_make_checksum.3 \ krb5_ccache.3 \ + krb5_check_transited.3 \ + krb5_compare_creds.3 \ krb5_config.3 \ krb5_context.3 \ krb5_create_checksum.3 \ + krb5_creds.3 \ krb5_crypto_init.3 \ krb5_data.3 \ + krb5_digest.3 \ + krb5_eai_to_heim_errno.3 \ krb5_encrypt.3 \ - krb5_free_addresses.3 \ - krb5_free_principal.3 \ + krb5_expand_hostname.3 \ + krb5_find_padata.3 \ + krb5_generate_random_block.3 \ krb5_get_all_client_addrs.3 \ + krb5_get_credentials.3 \ + krb5_get_creds.3 \ + krb5_get_forwarded_creds.3 \ + krb5_get_in_cred.3 \ + krb5_get_init_creds.3 \ krb5_get_krbhst.3 \ + krb5_getportbyname.3 \ krb5_init_context.3 \ + krb5_is_thread_safe.3 \ + krb5_keyblock.3 \ krb5_keytab.3 \ krb5_krbhst_init.3 \ krb5_kuserok.3 \ + krb5_mk_req.3 \ + krb5_mk_safe.3 \ krb5_openlog.3 \ krb5_parse_name.3 \ - krb5_principal_get_realm.3 \ + krb5_principal.3 \ + krb5_rcache.3 \ + krb5_rd_error.3 \ + krb5_rd_safe.3 \ krb5_set_default_realm.3 \ krb5_set_password.3 \ - krb5_sname_to_principal.3 \ + krb5_storage.3 \ + krb5_string_to_key.3 \ + krb5_ticket.3 \ krb5_timeofday.3 \ krb5_unparse_name.3 \ + krb5_verify_init_creds.3 \ krb5_verify_user.3 \ krb5_warn.3 \ verify_krb5_conf.8 -include_HEADERS = krb5.h krb5-protos.h krb5-private.h krb5_err.h heim_err.h k524_err.h -CLEANFILES = krb5_err.c krb5_err.h heim_err.c heim_err.h k524_err.c k524_err.h +dist_include_HEADERS = \ + krb5.h \ + krb5-protos.h \ + krb5-private.h \ + krb5_ccapi.h + +nodist_include_HEADERS = krb5_err.h heim_err.h k524_err.h + +# XXX use nobase_include_HEADERS = krb5/locate_plugin.h +krb5dir = $(includedir)/krb5 +krb5_HEADERS = locate_plugin.h +build_HEADERZ = \ + heim_threads.h \ + $(krb5_HEADERS) \ + krb_err.h + +CLEANFILES = \ + krb5_err.c krb5_err.h \ + krb_err.c krb_err.h \ + heim_err.c heim_err.h \ + k524_err.c k524_err.h + +EXTRA_DIST = \ + krb5_err.et \ + krb_err.et \ + heim_err.et \ + k524_err.et \ + $(man_MANS) \ + version-script.map \ + krb5.moduli + all: all-am .SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj +.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ @@ -664,10 +860,10 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh install-libLTLIBRARIES: $(lib_LTLIBRARIES) @$(NORMAL_INSTALL) - test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)" + test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ if test -f $$p; then \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ + f=$(am__strip_dir) \ echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \ $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \ else :; fi; \ @@ -676,7 +872,7 @@ install-libLTLIBRARIES: $(lib_LTLIBRARIES) uninstall-libLTLIBRARIES: @$(NORMAL_UNINSTALL) @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p="`echo $$p | sed -e 's|^.*/||'`"; \ + p=$(am__strip_dir) \ echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \ $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \ done @@ -685,15 +881,15 @@ clean-libLTLIBRARIES: -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test "$$dir" = "$$p" && dir=.; \ + test "$$dir" != "$$p" || dir=.; \ echo "rm -f \"$${dir}/so_locations\""; \ rm -f "$${dir}/so_locations"; \ done libkrb5.la: $(libkrb5_la_OBJECTS) $(libkrb5_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libkrb5_la_LDFLAGS) $(libkrb5_la_OBJECTS) $(libkrb5_la_LIBADD) $(LIBS) + $(libkrb5_la_LINK) -rpath $(libdir) $(libkrb5_la_OBJECTS) $(libkrb5_la_LIBADD) $(LIBS) install-binPROGRAMS: $(bin_PROGRAMS) @$(NORMAL_INSTALL) - test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)" + test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)" @list='$(bin_PROGRAMS)'; for p in $$list; do \ p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ if test -f $$p \ @@ -735,43 +931,94 @@ clean-noinstPROGRAMS: done aes-test$(EXEEXT): $(aes_test_OBJECTS) $(aes_test_DEPENDENCIES) @rm -f aes-test$(EXEEXT) - $(LINK) $(aes_test_LDFLAGS) $(aes_test_OBJECTS) $(aes_test_LDADD) $(LIBS) + $(LINK) $(aes_test_OBJECTS) $(aes_test_LDADD) $(LIBS) derived-key-test$(EXEEXT): $(derived_key_test_OBJECTS) $(derived_key_test_DEPENDENCIES) @rm -f derived-key-test$(EXEEXT) - $(LINK) $(derived_key_test_LDFLAGS) $(derived_key_test_OBJECTS) $(derived_key_test_LDADD) $(LIBS) -dump_config$(EXEEXT): $(dump_config_OBJECTS) $(dump_config_DEPENDENCIES) - @rm -f dump_config$(EXEEXT) - $(LINK) $(dump_config_LDFLAGS) $(dump_config_OBJECTS) $(dump_config_LDADD) $(LIBS) + $(LINK) $(derived_key_test_OBJECTS) $(derived_key_test_LDADD) $(LIBS) krbhst-test$(EXEEXT): $(krbhst_test_OBJECTS) $(krbhst_test_DEPENDENCIES) @rm -f krbhst-test$(EXEEXT) - $(LINK) $(krbhst_test_LDFLAGS) $(krbhst_test_OBJECTS) $(krbhst_test_LDADD) $(LIBS) + $(LINK) $(krbhst_test_OBJECTS) $(krbhst_test_LDADD) $(LIBS) n-fold-test$(EXEEXT): $(n_fold_test_OBJECTS) $(n_fold_test_DEPENDENCIES) @rm -f n-fold-test$(EXEEXT) - $(LINK) $(n_fold_test_LDFLAGS) $(n_fold_test_OBJECTS) $(n_fold_test_LDADD) $(LIBS) + $(LINK) $(n_fold_test_OBJECTS) $(n_fold_test_LDADD) $(LIBS) name-45-test$(EXEEXT): $(name_45_test_OBJECTS) $(name_45_test_DEPENDENCIES) @rm -f name-45-test$(EXEEXT) - $(LINK) $(name_45_test_LDFLAGS) $(name_45_test_OBJECTS) $(name_45_test_LDADD) $(LIBS) + $(LINK) $(name_45_test_OBJECTS) $(name_45_test_LDADD) $(LIBS) parse-name-test$(EXEEXT): $(parse_name_test_OBJECTS) $(parse_name_test_DEPENDENCIES) @rm -f parse-name-test$(EXEEXT) - $(LINK) $(parse_name_test_LDFLAGS) $(parse_name_test_OBJECTS) $(parse_name_test_LDADD) $(LIBS) + $(LINK) $(parse_name_test_OBJECTS) $(parse_name_test_LDADD) $(LIBS) store-test$(EXEEXT): $(store_test_OBJECTS) $(store_test_DEPENDENCIES) @rm -f store-test$(EXEEXT) - $(LINK) $(store_test_LDFLAGS) $(store_test_OBJECTS) $(store_test_LDADD) $(LIBS) + $(LINK) $(store_test_OBJECTS) $(store_test_LDADD) $(LIBS) string-to-key-test$(EXEEXT): $(string_to_key_test_OBJECTS) $(string_to_key_test_DEPENDENCIES) @rm -f string-to-key-test$(EXEEXT) - $(LINK) $(string_to_key_test_LDFLAGS) $(string_to_key_test_OBJECTS) $(string_to_key_test_LDADD) $(LIBS) + $(LINK) $(string_to_key_test_OBJECTS) $(string_to_key_test_LDADD) $(LIBS) +test_acl$(EXEEXT): $(test_acl_OBJECTS) $(test_acl_DEPENDENCIES) + @rm -f test_acl$(EXEEXT) + $(LINK) $(test_acl_OBJECTS) $(test_acl_LDADD) $(LIBS) +test_addr$(EXEEXT): $(test_addr_OBJECTS) $(test_addr_DEPENDENCIES) + @rm -f test_addr$(EXEEXT) + $(LINK) $(test_addr_OBJECTS) $(test_addr_LDADD) $(LIBS) test_alname$(EXEEXT): $(test_alname_OBJECTS) $(test_alname_DEPENDENCIES) @rm -f test_alname$(EXEEXT) - $(LINK) $(test_alname_LDFLAGS) $(test_alname_OBJECTS) $(test_alname_LDADD) $(LIBS) + $(LINK) $(test_alname_OBJECTS) $(test_alname_LDADD) $(LIBS) test_cc$(EXEEXT): $(test_cc_OBJECTS) $(test_cc_DEPENDENCIES) @rm -f test_cc$(EXEEXT) - $(LINK) $(test_cc_LDFLAGS) $(test_cc_OBJECTS) $(test_cc_LDADD) $(LIBS) + $(LINK) $(test_cc_OBJECTS) $(test_cc_LDADD) $(LIBS) +test_config$(EXEEXT): $(test_config_OBJECTS) $(test_config_DEPENDENCIES) + @rm -f test_config$(EXEEXT) + $(LINK) $(test_config_OBJECTS) $(test_config_LDADD) $(LIBS) +test_crypto$(EXEEXT): $(test_crypto_OBJECTS) $(test_crypto_DEPENDENCIES) + @rm -f test_crypto$(EXEEXT) + $(LINK) $(test_crypto_OBJECTS) $(test_crypto_LDADD) $(LIBS) +test_crypto_wrapping$(EXEEXT): $(test_crypto_wrapping_OBJECTS) $(test_crypto_wrapping_DEPENDENCIES) + @rm -f test_crypto_wrapping$(EXEEXT) + $(LINK) $(test_crypto_wrapping_OBJECTS) $(test_crypto_wrapping_LDADD) $(LIBS) +test_forward$(EXEEXT): $(test_forward_OBJECTS) $(test_forward_DEPENDENCIES) + @rm -f test_forward$(EXEEXT) + $(LINK) $(test_forward_OBJECTS) $(test_forward_LDADD) $(LIBS) test_get_addrs$(EXEEXT): $(test_get_addrs_OBJECTS) $(test_get_addrs_DEPENDENCIES) @rm -f test_get_addrs$(EXEEXT) - $(LINK) $(test_get_addrs_LDFLAGS) $(test_get_addrs_OBJECTS) $(test_get_addrs_LDADD) $(LIBS) + $(LINK) $(test_get_addrs_OBJECTS) $(test_get_addrs_LDADD) $(LIBS) +test_hostname$(EXEEXT): $(test_hostname_OBJECTS) $(test_hostname_DEPENDENCIES) + @rm -f test_hostname$(EXEEXT) + $(LINK) $(test_hostname_OBJECTS) $(test_hostname_LDADD) $(LIBS) +test_keytab$(EXEEXT): $(test_keytab_OBJECTS) $(test_keytab_DEPENDENCIES) + @rm -f test_keytab$(EXEEXT) + $(LINK) $(test_keytab_OBJECTS) $(test_keytab_LDADD) $(LIBS) +test_kuserok$(EXEEXT): $(test_kuserok_OBJECTS) $(test_kuserok_DEPENDENCIES) + @rm -f test_kuserok$(EXEEXT) + $(LINK) $(test_kuserok_OBJECTS) $(test_kuserok_LDADD) $(LIBS) +test_mem$(EXEEXT): $(test_mem_OBJECTS) $(test_mem_DEPENDENCIES) + @rm -f test_mem$(EXEEXT) + $(LINK) $(test_mem_OBJECTS) $(test_mem_LDADD) $(LIBS) +test_pac$(EXEEXT): $(test_pac_OBJECTS) $(test_pac_DEPENDENCIES) + @rm -f test_pac$(EXEEXT) + $(LINK) $(test_pac_OBJECTS) $(test_pac_LDADD) $(LIBS) +test_pkinit_dh2key$(EXEEXT): $(test_pkinit_dh2key_OBJECTS) $(test_pkinit_dh2key_DEPENDENCIES) + @rm -f test_pkinit_dh2key$(EXEEXT) + $(LINK) $(test_pkinit_dh2key_OBJECTS) $(test_pkinit_dh2key_LDADD) $(LIBS) +test_plugin$(EXEEXT): $(test_plugin_OBJECTS) $(test_plugin_DEPENDENCIES) + @rm -f test_plugin$(EXEEXT) + $(LINK) $(test_plugin_OBJECTS) $(test_plugin_LDADD) $(LIBS) +test_prf$(EXEEXT): $(test_prf_OBJECTS) $(test_prf_DEPENDENCIES) + @rm -f test_prf$(EXEEXT) + $(LINK) $(test_prf_OBJECTS) $(test_prf_LDADD) $(LIBS) +test_princ$(EXEEXT): $(test_princ_OBJECTS) $(test_princ_DEPENDENCIES) + @rm -f test_princ$(EXEEXT) + $(LINK) $(test_princ_OBJECTS) $(test_princ_LDADD) $(LIBS) +test_renew$(EXEEXT): $(test_renew_OBJECTS) $(test_renew_DEPENDENCIES) + @rm -f test_renew$(EXEEXT) + $(LINK) $(test_renew_OBJECTS) $(test_renew_LDADD) $(LIBS) +test_store$(EXEEXT): $(test_store_OBJECTS) $(test_store_DEPENDENCIES) + @rm -f test_store$(EXEEXT) + $(LINK) $(test_store_OBJECTS) $(test_store_LDADD) $(LIBS) +test_time$(EXEEXT): $(test_time_OBJECTS) $(test_time_DEPENDENCIES) + @rm -f test_time$(EXEEXT) + $(LINK) $(test_time_OBJECTS) $(test_time_LDADD) $(LIBS) verify_krb5_conf$(EXEEXT): $(verify_krb5_conf_OBJECTS) $(verify_krb5_conf_DEPENDENCIES) @rm -f verify_krb5_conf$(EXEEXT) - $(LINK) $(verify_krb5_conf_LDFLAGS) $(verify_krb5_conf_OBJECTS) $(verify_krb5_conf_LDADD) $(LIBS) + $(LINK) $(verify_krb5_conf_OBJECTS) $(verify_krb5_conf_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -788,18 +1035,332 @@ distclean-compile: .c.lo: $(LTCOMPILE) -c -o $@ $< +libkrb5_la-acache.lo: acache.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-acache.lo `test -f 'acache.c' || echo '$(srcdir)/'`acache.c + +libkrb5_la-acl.lo: acl.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-acl.lo `test -f 'acl.c' || echo '$(srcdir)/'`acl.c + +libkrb5_la-add_et_list.lo: add_et_list.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-add_et_list.lo `test -f 'add_et_list.c' || echo '$(srcdir)/'`add_et_list.c + +libkrb5_la-addr_families.lo: addr_families.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-addr_families.lo `test -f 'addr_families.c' || echo '$(srcdir)/'`addr_families.c + +libkrb5_la-aname_to_localname.lo: aname_to_localname.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-aname_to_localname.lo `test -f 'aname_to_localname.c' || echo '$(srcdir)/'`aname_to_localname.c + +libkrb5_la-appdefault.lo: appdefault.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-appdefault.lo `test -f 'appdefault.c' || echo '$(srcdir)/'`appdefault.c + +libkrb5_la-asn1_glue.lo: asn1_glue.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-asn1_glue.lo `test -f 'asn1_glue.c' || echo '$(srcdir)/'`asn1_glue.c + +libkrb5_la-auth_context.lo: auth_context.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-auth_context.lo `test -f 'auth_context.c' || echo '$(srcdir)/'`auth_context.c + +libkrb5_la-build_ap_req.lo: build_ap_req.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-build_ap_req.lo `test -f 'build_ap_req.c' || echo '$(srcdir)/'`build_ap_req.c + +libkrb5_la-build_auth.lo: build_auth.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-build_auth.lo `test -f 'build_auth.c' || echo '$(srcdir)/'`build_auth.c + +libkrb5_la-cache.lo: cache.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-cache.lo `test -f 'cache.c' || echo '$(srcdir)/'`cache.c + +libkrb5_la-changepw.lo: changepw.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-changepw.lo `test -f 'changepw.c' || echo '$(srcdir)/'`changepw.c + +libkrb5_la-codec.lo: codec.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-codec.lo `test -f 'codec.c' || echo '$(srcdir)/'`codec.c + +libkrb5_la-config_file.lo: config_file.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-config_file.lo `test -f 'config_file.c' || echo '$(srcdir)/'`config_file.c + +libkrb5_la-config_file_netinfo.lo: config_file_netinfo.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-config_file_netinfo.lo `test -f 'config_file_netinfo.c' || echo '$(srcdir)/'`config_file_netinfo.c + +libkrb5_la-convert_creds.lo: convert_creds.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-convert_creds.lo `test -f 'convert_creds.c' || echo '$(srcdir)/'`convert_creds.c + +libkrb5_la-constants.lo: constants.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-constants.lo `test -f 'constants.c' || echo '$(srcdir)/'`constants.c + +libkrb5_la-context.lo: context.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-context.lo `test -f 'context.c' || echo '$(srcdir)/'`context.c + +libkrb5_la-copy_host_realm.lo: copy_host_realm.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-copy_host_realm.lo `test -f 'copy_host_realm.c' || echo '$(srcdir)/'`copy_host_realm.c + +libkrb5_la-crc.lo: crc.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crc.lo `test -f 'crc.c' || echo '$(srcdir)/'`crc.c + +libkrb5_la-creds.lo: creds.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-creds.lo `test -f 'creds.c' || echo '$(srcdir)/'`creds.c + +libkrb5_la-crypto.lo: crypto.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto.lo `test -f 'crypto.c' || echo '$(srcdir)/'`crypto.c + +libkrb5_la-doxygen.lo: doxygen.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-doxygen.lo `test -f 'doxygen.c' || echo '$(srcdir)/'`doxygen.c + +libkrb5_la-data.lo: data.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-data.lo `test -f 'data.c' || echo '$(srcdir)/'`data.c + +libkrb5_la-digest.lo: digest.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-digest.lo `test -f 'digest.c' || echo '$(srcdir)/'`digest.c + +libkrb5_la-eai_to_heim_errno.lo: eai_to_heim_errno.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-eai_to_heim_errno.lo `test -f 'eai_to_heim_errno.c' || echo '$(srcdir)/'`eai_to_heim_errno.c + +libkrb5_la-error_string.lo: error_string.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-error_string.lo `test -f 'error_string.c' || echo '$(srcdir)/'`error_string.c + +libkrb5_la-expand_hostname.lo: expand_hostname.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-expand_hostname.lo `test -f 'expand_hostname.c' || echo '$(srcdir)/'`expand_hostname.c + +libkrb5_la-fcache.lo: fcache.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-fcache.lo `test -f 'fcache.c' || echo '$(srcdir)/'`fcache.c + +libkrb5_la-free.lo: free.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-free.lo `test -f 'free.c' || echo '$(srcdir)/'`free.c + +libkrb5_la-free_host_realm.lo: free_host_realm.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-free_host_realm.lo `test -f 'free_host_realm.c' || echo '$(srcdir)/'`free_host_realm.c + +libkrb5_la-generate_seq_number.lo: generate_seq_number.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-generate_seq_number.lo `test -f 'generate_seq_number.c' || echo '$(srcdir)/'`generate_seq_number.c + +libkrb5_la-generate_subkey.lo: generate_subkey.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-generate_subkey.lo `test -f 'generate_subkey.c' || echo '$(srcdir)/'`generate_subkey.c + +libkrb5_la-get_addrs.lo: get_addrs.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_addrs.lo `test -f 'get_addrs.c' || echo '$(srcdir)/'`get_addrs.c + +libkrb5_la-get_cred.lo: get_cred.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_cred.lo `test -f 'get_cred.c' || echo '$(srcdir)/'`get_cred.c + +libkrb5_la-get_default_principal.lo: get_default_principal.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_default_principal.lo `test -f 'get_default_principal.c' || echo '$(srcdir)/'`get_default_principal.c + +libkrb5_la-get_default_realm.lo: get_default_realm.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_default_realm.lo `test -f 'get_default_realm.c' || echo '$(srcdir)/'`get_default_realm.c + +libkrb5_la-get_for_creds.lo: get_for_creds.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_for_creds.lo `test -f 'get_for_creds.c' || echo '$(srcdir)/'`get_for_creds.c + +libkrb5_la-get_host_realm.lo: get_host_realm.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_host_realm.lo `test -f 'get_host_realm.c' || echo '$(srcdir)/'`get_host_realm.c + +libkrb5_la-get_in_tkt.lo: get_in_tkt.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_in_tkt.lo `test -f 'get_in_tkt.c' || echo '$(srcdir)/'`get_in_tkt.c + +libkrb5_la-get_in_tkt_pw.lo: get_in_tkt_pw.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_in_tkt_pw.lo `test -f 'get_in_tkt_pw.c' || echo '$(srcdir)/'`get_in_tkt_pw.c + +libkrb5_la-get_in_tkt_with_keytab.lo: get_in_tkt_with_keytab.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_in_tkt_with_keytab.lo `test -f 'get_in_tkt_with_keytab.c' || echo '$(srcdir)/'`get_in_tkt_with_keytab.c + +libkrb5_la-get_in_tkt_with_skey.lo: get_in_tkt_with_skey.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_in_tkt_with_skey.lo `test -f 'get_in_tkt_with_skey.c' || echo '$(srcdir)/'`get_in_tkt_with_skey.c + +libkrb5_la-get_port.lo: get_port.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_port.lo `test -f 'get_port.c' || echo '$(srcdir)/'`get_port.c + +libkrb5_la-init_creds.lo: init_creds.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-init_creds.lo `test -f 'init_creds.c' || echo '$(srcdir)/'`init_creds.c + +libkrb5_la-init_creds_pw.lo: init_creds_pw.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-init_creds_pw.lo `test -f 'init_creds_pw.c' || echo '$(srcdir)/'`init_creds_pw.c + +libkrb5_la-kcm.lo: kcm.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-kcm.lo `test -f 'kcm.c' || echo '$(srcdir)/'`kcm.c + +libkrb5_la-keyblock.lo: keyblock.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keyblock.lo `test -f 'keyblock.c' || echo '$(srcdir)/'`keyblock.c + +libkrb5_la-keytab.lo: keytab.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab.lo `test -f 'keytab.c' || echo '$(srcdir)/'`keytab.c + +libkrb5_la-keytab_any.lo: keytab_any.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab_any.lo `test -f 'keytab_any.c' || echo '$(srcdir)/'`keytab_any.c + +libkrb5_la-keytab_file.lo: keytab_file.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab_file.lo `test -f 'keytab_file.c' || echo '$(srcdir)/'`keytab_file.c + +libkrb5_la-keytab_keyfile.lo: keytab_keyfile.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab_keyfile.lo `test -f 'keytab_keyfile.c' || echo '$(srcdir)/'`keytab_keyfile.c + +libkrb5_la-keytab_krb4.lo: keytab_krb4.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab_krb4.lo `test -f 'keytab_krb4.c' || echo '$(srcdir)/'`keytab_krb4.c + +libkrb5_la-keytab_memory.lo: keytab_memory.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab_memory.lo `test -f 'keytab_memory.c' || echo '$(srcdir)/'`keytab_memory.c + +libkrb5_la-krbhst.lo: krbhst.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-krbhst.lo `test -f 'krbhst.c' || echo '$(srcdir)/'`krbhst.c + +libkrb5_la-kuserok.lo: kuserok.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-kuserok.lo `test -f 'kuserok.c' || echo '$(srcdir)/'`kuserok.c + +libkrb5_la-log.lo: log.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-log.lo `test -f 'log.c' || echo '$(srcdir)/'`log.c + +libkrb5_la-mcache.lo: mcache.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mcache.lo `test -f 'mcache.c' || echo '$(srcdir)/'`mcache.c + +libkrb5_la-misc.lo: misc.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-misc.lo `test -f 'misc.c' || echo '$(srcdir)/'`misc.c + +libkrb5_la-mk_error.lo: mk_error.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_error.lo `test -f 'mk_error.c' || echo '$(srcdir)/'`mk_error.c + +libkrb5_la-mk_priv.lo: mk_priv.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_priv.lo `test -f 'mk_priv.c' || echo '$(srcdir)/'`mk_priv.c + +libkrb5_la-mk_rep.lo: mk_rep.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_rep.lo `test -f 'mk_rep.c' || echo '$(srcdir)/'`mk_rep.c + +libkrb5_la-mk_req.lo: mk_req.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_req.lo `test -f 'mk_req.c' || echo '$(srcdir)/'`mk_req.c + +libkrb5_la-mk_req_ext.lo: mk_req_ext.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_req_ext.lo `test -f 'mk_req_ext.c' || echo '$(srcdir)/'`mk_req_ext.c + +libkrb5_la-mk_safe.lo: mk_safe.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_safe.lo `test -f 'mk_safe.c' || echo '$(srcdir)/'`mk_safe.c + +libkrb5_la-mit_glue.lo: mit_glue.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mit_glue.lo `test -f 'mit_glue.c' || echo '$(srcdir)/'`mit_glue.c + +libkrb5_la-net_read.lo: net_read.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-net_read.lo `test -f 'net_read.c' || echo '$(srcdir)/'`net_read.c + +libkrb5_la-net_write.lo: net_write.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-net_write.lo `test -f 'net_write.c' || echo '$(srcdir)/'`net_write.c + +libkrb5_la-n-fold.lo: n-fold.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-n-fold.lo `test -f 'n-fold.c' || echo '$(srcdir)/'`n-fold.c + +libkrb5_la-pac.lo: pac.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-pac.lo `test -f 'pac.c' || echo '$(srcdir)/'`pac.c + +libkrb5_la-padata.lo: padata.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-padata.lo `test -f 'padata.c' || echo '$(srcdir)/'`padata.c + +libkrb5_la-pkinit.lo: pkinit.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-pkinit.lo `test -f 'pkinit.c' || echo '$(srcdir)/'`pkinit.c + +libkrb5_la-principal.lo: principal.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-principal.lo `test -f 'principal.c' || echo '$(srcdir)/'`principal.c + +libkrb5_la-prog_setup.lo: prog_setup.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-prog_setup.lo `test -f 'prog_setup.c' || echo '$(srcdir)/'`prog_setup.c + +libkrb5_la-prompter_posix.lo: prompter_posix.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-prompter_posix.lo `test -f 'prompter_posix.c' || echo '$(srcdir)/'`prompter_posix.c + +libkrb5_la-rd_cred.lo: rd_cred.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_cred.lo `test -f 'rd_cred.c' || echo '$(srcdir)/'`rd_cred.c + +libkrb5_la-rd_error.lo: rd_error.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_error.lo `test -f 'rd_error.c' || echo '$(srcdir)/'`rd_error.c + +libkrb5_la-rd_priv.lo: rd_priv.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_priv.lo `test -f 'rd_priv.c' || echo '$(srcdir)/'`rd_priv.c + +libkrb5_la-rd_rep.lo: rd_rep.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_rep.lo `test -f 'rd_rep.c' || echo '$(srcdir)/'`rd_rep.c + +libkrb5_la-rd_req.lo: rd_req.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_req.lo `test -f 'rd_req.c' || echo '$(srcdir)/'`rd_req.c + +libkrb5_la-rd_safe.lo: rd_safe.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_safe.lo `test -f 'rd_safe.c' || echo '$(srcdir)/'`rd_safe.c + +libkrb5_la-read_message.lo: read_message.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-read_message.lo `test -f 'read_message.c' || echo '$(srcdir)/'`read_message.c + +libkrb5_la-recvauth.lo: recvauth.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-recvauth.lo `test -f 'recvauth.c' || echo '$(srcdir)/'`recvauth.c + +libkrb5_la-replay.lo: replay.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-replay.lo `test -f 'replay.c' || echo '$(srcdir)/'`replay.c + +libkrb5_la-send_to_kdc.lo: send_to_kdc.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-send_to_kdc.lo `test -f 'send_to_kdc.c' || echo '$(srcdir)/'`send_to_kdc.c + +libkrb5_la-sendauth.lo: sendauth.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-sendauth.lo `test -f 'sendauth.c' || echo '$(srcdir)/'`sendauth.c + +libkrb5_la-set_default_realm.lo: set_default_realm.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-set_default_realm.lo `test -f 'set_default_realm.c' || echo '$(srcdir)/'`set_default_realm.c + +libkrb5_la-sock_principal.lo: sock_principal.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-sock_principal.lo `test -f 'sock_principal.c' || echo '$(srcdir)/'`sock_principal.c + +libkrb5_la-store.lo: store.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store.lo `test -f 'store.c' || echo '$(srcdir)/'`store.c + +libkrb5_la-store_emem.lo: store_emem.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store_emem.lo `test -f 'store_emem.c' || echo '$(srcdir)/'`store_emem.c + +libkrb5_la-store_fd.lo: store_fd.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store_fd.lo `test -f 'store_fd.c' || echo '$(srcdir)/'`store_fd.c + +libkrb5_la-store_mem.lo: store_mem.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store_mem.lo `test -f 'store_mem.c' || echo '$(srcdir)/'`store_mem.c + +libkrb5_la-plugin.lo: plugin.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-plugin.lo `test -f 'plugin.c' || echo '$(srcdir)/'`plugin.c + +libkrb5_la-ticket.lo: ticket.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-ticket.lo `test -f 'ticket.c' || echo '$(srcdir)/'`ticket.c + +libkrb5_la-time.lo: time.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-time.lo `test -f 'time.c' || echo '$(srcdir)/'`time.c + +libkrb5_la-transited.lo: transited.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-transited.lo `test -f 'transited.c' || echo '$(srcdir)/'`transited.c + +libkrb5_la-v4_glue.lo: v4_glue.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-v4_glue.lo `test -f 'v4_glue.c' || echo '$(srcdir)/'`v4_glue.c + +libkrb5_la-verify_init.lo: verify_init.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-verify_init.lo `test -f 'verify_init.c' || echo '$(srcdir)/'`verify_init.c + +libkrb5_la-verify_user.lo: verify_user.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-verify_user.lo `test -f 'verify_user.c' || echo '$(srcdir)/'`verify_user.c + +libkrb5_la-version.lo: version.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-version.lo `test -f 'version.c' || echo '$(srcdir)/'`version.c + +libkrb5_la-warn.lo: warn.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-warn.lo `test -f 'warn.c' || echo '$(srcdir)/'`warn.c + +libkrb5_la-write_message.lo: write_message.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-write_message.lo `test -f 'write_message.c' || echo '$(srcdir)/'`write_message.c + +libkrb5_la-krb5_err.lo: krb5_err.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-krb5_err.lo `test -f 'krb5_err.c' || echo '$(srcdir)/'`krb5_err.c + +libkrb5_la-krb_err.lo: krb_err.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-krb_err.lo `test -f 'krb_err.c' || echo '$(srcdir)/'`krb_err.c + +libkrb5_la-heim_err.lo: heim_err.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-heim_err.lo `test -f 'heim_err.c' || echo '$(srcdir)/'`heim_err.c + +libkrb5_la-k524_err.lo: k524_err.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-k524_err.lo `test -f 'k524_err.c' || echo '$(srcdir)/'`k524_err.c + mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: install-man3: $(man3_MANS) $(man_MANS) @$(NORMAL_INSTALL) - test -z "$(man3dir)" || $(mkdir_p) "$(DESTDIR)$(man3dir)" + test -z "$(man3dir)" || $(MKDIR_P) "$(DESTDIR)$(man3dir)" @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ for i in $$l2; do \ @@ -844,7 +1405,7 @@ uninstall-man3: done install-man5: $(man5_MANS) $(man_MANS) @$(NORMAL_INSTALL) - test -z "$(man5dir)" || $(mkdir_p) "$(DESTDIR)$(man5dir)" + test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)" @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ for i in $$l2; do \ @@ -889,7 +1450,7 @@ uninstall-man5: done install-man8: $(man8_MANS) $(man_MANS) @$(NORMAL_INSTALL) - test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)" + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ for i in $$l2; do \ @@ -932,20 +1493,54 @@ uninstall-man8: echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ done -install-includeHEADERS: $(include_HEADERS) +install-dist_includeHEADERS: $(dist_include_HEADERS) + @$(NORMAL_INSTALL) + test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)" + @list='$(dist_include_HEADERS)'; for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + f=$(am__strip_dir) \ + echo " $(dist_includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \ + $(dist_includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \ + done + +uninstall-dist_includeHEADERS: + @$(NORMAL_UNINSTALL) + @list='$(dist_include_HEADERS)'; for p in $$list; do \ + f=$(am__strip_dir) \ + echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \ + rm -f "$(DESTDIR)$(includedir)/$$f"; \ + done +install-krb5HEADERS: $(krb5_HEADERS) @$(NORMAL_INSTALL) - test -z "$(includedir)" || $(mkdir_p) "$(DESTDIR)$(includedir)" - @list='$(include_HEADERS)'; for p in $$list; do \ + test -z "$(krb5dir)" || $(MKDIR_P) "$(DESTDIR)$(krb5dir)" + @list='$(krb5_HEADERS)'; for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ - echo " $(includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \ - $(includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \ + f=$(am__strip_dir) \ + echo " $(krb5HEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(krb5dir)/$$f'"; \ + $(krb5HEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(krb5dir)/$$f"; \ done -uninstall-includeHEADERS: +uninstall-krb5HEADERS: @$(NORMAL_UNINSTALL) - @list='$(include_HEADERS)'; for p in $$list; do \ - f="`echo $$p | sed -e 's|^.*/||'`"; \ + @list='$(krb5_HEADERS)'; for p in $$list; do \ + f=$(am__strip_dir) \ + echo " rm -f '$(DESTDIR)$(krb5dir)/$$f'"; \ + rm -f "$(DESTDIR)$(krb5dir)/$$f"; \ + done +install-nodist_includeHEADERS: $(nodist_include_HEADERS) + @$(NORMAL_INSTALL) + test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)" + @list='$(nodist_include_HEADERS)'; for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + f=$(am__strip_dir) \ + echo " $(nodist_includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \ + $(nodist_includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \ + done + +uninstall-nodist_includeHEADERS: + @$(NORMAL_UNINSTALL) + @list='$(nodist_include_HEADERS)'; for p in $$list; do \ + f=$(am__strip_dir) \ echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \ rm -f "$(DESTDIR)$(includedir)/$$f"; \ done @@ -970,9 +1565,11 @@ TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ done | \ $(AWK) ' { files[$$0] = 1; } \ END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi ctags: CTAGS CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) @@ -997,9 +1594,9 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags check-TESTS: $(TESTS) - @failed=0; all=0; xfail=0; xpass=0; skip=0; \ + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ srcdir=$(srcdir); export srcdir; \ - list='$(TESTS)'; \ + list=' $(TESTS) '; \ if test -n "$$list"; then \ for tst in $$list; do \ if test -f ./$$tst; then dir=./; \ @@ -1008,7 +1605,7 @@ check-TESTS: $(TESTS) if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ all=`expr $$all + 1`; \ case " $(XFAIL_TESTS) " in \ - *" $$tst "*) \ + *$$ws$$tst$$ws*) \ xpass=`expr $$xpass + 1`; \ failed=`expr $$failed + 1`; \ echo "XPASS: $$tst"; \ @@ -1020,7 +1617,7 @@ check-TESTS: $(TESTS) elif test $$? -ne 77; then \ all=`expr $$all + 1`; \ case " $(XFAIL_TESTS) " in \ - *" $$tst "*) \ + *$$ws$$tst$$ws*) \ xfail=`expr $$xfail + 1`; \ echo "XFAIL: $$tst"; \ ;; \ @@ -1051,42 +1648,40 @@ check-TESTS: $(TESTS) skipped=""; \ if test "$$skip" -ne 0; then \ skipped="($$skip tests were not run)"; \ - test `echo "$$skipped" | wc -c` -gt `echo "$$banner" | wc -c` && \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ dashes="$$skipped"; \ fi; \ report=""; \ if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ report="Please report to $(PACKAGE_BUGREPORT)"; \ - test `echo "$$report" | wc -c` -gt `echo "$$banner" | wc -c` && \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ dashes="$$report"; \ fi; \ dashes=`echo "$$dashes" | sed s/./=/g`; \ echo "$$dashes"; \ echo "$$banner"; \ - test -n "$$skipped" && echo "$$skipped"; \ - test -n "$$report" && echo "$$report"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ echo "$$dashes"; \ test "$$failed" -eq 0; \ else :; fi distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/../.. $(distdir)/../../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ fi; \ @@ -1109,8 +1704,8 @@ all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(HEADERS) \ install-binPROGRAMS: install-libLTLIBRARIES installdirs: - for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(includedir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ + for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(includedir)" "$(DESTDIR)$(krb5dir)" "$(DESTDIR)$(includedir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am install-exec: install-exec-am @@ -1132,7 +1727,7 @@ clean-generic: -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -1146,7 +1741,7 @@ clean-am: clean-binPROGRAMS clean-checkPROGRAMS clean-generic \ distclean: distclean-am -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags + distclean-tags dvi: dvi-am @@ -1158,18 +1753,27 @@ info: info-am info-am: -install-data-am: install-includeHEADERS install-man +install-data-am: install-dist_includeHEADERS install-krb5HEADERS \ + install-man install-nodist_includeHEADERS @$(NORMAL_INSTALL) $(MAKE) $(AM_MAKEFLAGS) install-data-hook +install-dvi: install-dvi-am + install-exec-am: install-binPROGRAMS install-libLTLIBRARIES @$(NORMAL_INSTALL) $(MAKE) $(AM_MAKEFLAGS) install-exec-hook +install-html: install-html-am + install-info: install-info-am install-man: install-man3 install-man5 install-man8 +install-pdf: install-pdf-am + +install-ps: install-ps-am + installcheck-am: maintainer-clean: maintainer-clean-am @@ -1189,28 +1793,39 @@ ps: ps-am ps-am: -uninstall-am: uninstall-binPROGRAMS uninstall-includeHEADERS \ - uninstall-info-am uninstall-libLTLIBRARIES uninstall-man +uninstall-am: uninstall-binPROGRAMS uninstall-dist_includeHEADERS \ + uninstall-krb5HEADERS uninstall-libLTLIBRARIES uninstall-man \ + uninstall-nodist_includeHEADERS + @$(NORMAL_INSTALL) + $(MAKE) $(AM_MAKEFLAGS) uninstall-hook uninstall-man: uninstall-man3 uninstall-man5 uninstall-man8 +.MAKE: install-am install-data-am install-exec-am install-strip \ + uninstall-am + .PHONY: CTAGS GTAGS all all-am all-local check check-TESTS check-am \ check-local clean clean-binPROGRAMS clean-checkPROGRAMS \ clean-generic clean-libLTLIBRARIES clean-libtool \ - clean-noinstPROGRAMS ctags distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-binPROGRAMS install-data install-data-am install-exec \ - install-exec-am install-includeHEADERS install-info \ - install-info-am install-libLTLIBRARIES install-man \ - install-man3 install-man5 install-man8 install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ + clean-noinstPROGRAMS ctags dist-hook distclean \ + distclean-compile distclean-generic distclean-libtool \ + distclean-tags distdir dvi dvi-am html html-am info info-am \ + install install-am install-binPROGRAMS install-data \ + install-data-am install-data-hook install-dist_includeHEADERS \ + install-dvi install-dvi-am install-exec install-exec-am \ + install-exec-hook install-html install-html-am install-info \ + install-info-am install-krb5HEADERS install-libLTLIBRARIES \ + install-man install-man3 install-man5 install-man8 \ + install-nodist_includeHEADERS install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags uninstall uninstall-am uninstall-binPROGRAMS \ - uninstall-includeHEADERS uninstall-info-am \ - uninstall-libLTLIBRARIES uninstall-man uninstall-man3 \ - uninstall-man5 uninstall-man8 + uninstall-dist_includeHEADERS uninstall-hook \ + uninstall-krb5HEADERS uninstall-libLTLIBRARIES uninstall-man \ + uninstall-man3 uninstall-man5 uninstall-man8 \ + uninstall-nodist_includeHEADERS install-suid-programs: @@ -1225,8 +1840,8 @@ install-suid-programs: install-exec-hook: install-suid-programs -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ +install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS) + @foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ for f in $$foo; do \ f=`basename $$f`; \ if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ @@ -1236,19 +1851,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ) echo " $(CP) $$file $(buildinclude)/$$f"; \ $(CP) $$file $(buildinclude)/$$f; \ fi ; \ + done ; \ + foo='$(nobase_include_HEADERS)'; \ + for f in $$foo; do \ + if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ + else file="$$f"; fi; \ + $(mkdir_p) $(buildinclude)/`dirname $$f` ; \ + if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ + : ; else \ + echo " $(CP) $$file $(buildinclude)/$$f"; \ + $(CP) $$file $(buildinclude)/$$f; \ + fi ; \ done all-local: install-build-headers check-local:: - @if test '$(CHECK_LOCAL)'; then \ + @if test '$(CHECK_LOCAL)' = "no-check-local"; then \ + foo=''; elif test '$(CHECK_LOCAL)'; then \ foo='$(CHECK_LOCAL)'; else \ foo='$(PROGRAMS)'; fi; \ if test "$$foo"; then \ failed=0; all=0; \ for i in $$foo; do \ all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ + if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \ echo "PASS: $$i"; \ else \ echo "FAIL: $$i"; \ @@ -1264,7 +1891,7 @@ check-local:: echo "$$dashes"; \ echo "$$banner"; \ echo "$$dashes"; \ - test "$$failed" -eq 0; \ + test "$$failed" -eq 0 || exit 1; \ fi .x.c: @@ -1334,29 +1961,58 @@ dist-cat8-mans: dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) + $(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) + +uninstall-cat-mans: + $(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) install-data-hook: install-cat-mans +uninstall-hook: uninstall-cat-mans .et.h: $(COMPILE_ET) $< .et.c: $(COMPILE_ET) $< -$(libkrb5_la_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h +# +# Useful target for debugging +# + +check-valgrind: + tobjdir=`cd $(top_builddir) && pwd` ; \ + tsrcdir=`cd $(top_srcdir) && pwd` ; \ + env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check + +# +# Target to please samba build farm, builds distfiles in-tree. +# Will break when automake changes... +# + +distdir-in-tree: $(DISTFILES) $(INFO_DEPS) + list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" != .; then \ + (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \ + fi ; \ + done + +$(libkrb5_la_OBJECTS) $(verify_krb5_conf_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h $(srcdir)/krb5-protos.h: - cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -o krb5-protos.h $(libkrb5_la_SOURCES) || rm -f krb5-protos.h + cd $(srcdir) && perl ../../cf/make-proto.pl -E KRB5_LIB_FUNCTION -q -P comment -o krb5-protos.h $(dist_libkrb5_la_SOURCES) || rm -f krb5-protos.h $(srcdir)/krb5-private.h: - cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p krb5-private.h $(libkrb5_la_SOURCES) || rm -f krb5-private.h + cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p krb5-private.h $(dist_libkrb5_la_SOURCES) || rm -f krb5-private.h -$(libkrb5_la_OBJECTS): krb5_err.h heim_err.h k524_err.h +$(libkrb5_la_OBJECTS): krb5_err.h krb_err.h heim_err.h k524_err.h + +#sysconf_DATA = krb5.moduli # to help stupid solaris make krb5_err.h: krb5_err.et +krb_err.h: krb_err.et + heim_err.h: heim_err.et k524_err.h: k524_err.et diff --git a/crypto/heimdal/lib/krb5/acache.c b/crypto/heimdal/lib/krb5/acache.c new file mode 100644 index 000000000000..30a6d90c3451 --- /dev/null +++ b/crypto/heimdal/lib/krb5/acache.c @@ -0,0 +1,961 @@ +/* + * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5_locl.h" +#include <krb5_ccapi.h> +#ifdef HAVE_DLFCN_H +#include <dlfcn.h> +#endif + +RCSID("$Id: acache.c 22099 2007-12-03 17:14:34Z lha $"); + +/* XXX should we fetch these for each open ? */ +static HEIMDAL_MUTEX acc_mutex = HEIMDAL_MUTEX_INITIALIZER; +static cc_initialize_func init_func; + +#ifdef HAVE_DLOPEN +static void *cc_handle; +#endif + +typedef struct krb5_acc { + char *cache_name; + cc_context_t context; + cc_ccache_t ccache; +} krb5_acc; + +static krb5_error_code acc_close(krb5_context, krb5_ccache); + +#define ACACHE(X) ((krb5_acc *)(X)->data.data) + +static const struct { + cc_int32 error; + krb5_error_code ret; +} cc_errors[] = { + { ccErrBadName, KRB5_CC_BADNAME }, + { ccErrCredentialsNotFound, KRB5_CC_NOTFOUND }, + { ccErrCCacheNotFound, KRB5_FCC_NOFILE }, + { ccErrContextNotFound, KRB5_CC_NOTFOUND }, + { ccIteratorEnd, KRB5_CC_END }, + { ccErrNoMem, KRB5_CC_NOMEM }, + { ccErrServerUnavailable, KRB5_CC_NOSUPP }, + { ccNoError, 0 } +}; + +static krb5_error_code +translate_cc_error(krb5_context context, cc_int32 error) +{ + int i; + krb5_clear_error_string(context); + for(i = 0; i < sizeof(cc_errors)/sizeof(cc_errors[0]); i++) + if (cc_errors[i].error == error) + return cc_errors[i].ret; + return KRB5_FCC_INTERNAL; +} + +static krb5_error_code +init_ccapi(krb5_context context) +{ + const char *lib; + + HEIMDAL_MUTEX_lock(&acc_mutex); + if (init_func) { + HEIMDAL_MUTEX_unlock(&acc_mutex); + krb5_clear_error_string(context); + return 0; + } + + lib = krb5_config_get_string(context, NULL, + "libdefaults", "ccapi_library", + NULL); + if (lib == NULL) { +#ifdef __APPLE__ + lib = "/System/Library/Frameworks/Kerberos.framework/Kerberos"; +#else + lib = "/usr/lib/libkrb5_cc.so"; +#endif + } + +#ifdef HAVE_DLOPEN + +#ifndef RTLD_LAZY +#define RTLD_LAZY 0 +#endif + + cc_handle = dlopen(lib, RTLD_LAZY); + if (cc_handle == NULL) { + HEIMDAL_MUTEX_unlock(&acc_mutex); + krb5_set_error_string(context, "Failed to load %s", lib); + return KRB5_CC_NOSUPP; + } + + init_func = (cc_initialize_func)dlsym(cc_handle, "cc_initialize"); + HEIMDAL_MUTEX_unlock(&acc_mutex); + if (init_func == NULL) { + krb5_set_error_string(context, "Failed to find cc_initialize" + "in %s: %s", lib, dlerror()); + dlclose(cc_handle); + return KRB5_CC_NOSUPP; + } + + return 0; +#else + HEIMDAL_MUTEX_unlock(&acc_mutex); + krb5_set_error_string(context, "no support for shared object"); + return KRB5_CC_NOSUPP; +#endif +} + +static krb5_error_code +make_cred_from_ccred(krb5_context context, + const cc_credentials_v5_t *incred, + krb5_creds *cred) +{ + krb5_error_code ret; + int i; + + memset(cred, 0, sizeof(*cred)); + + ret = krb5_parse_name(context, incred->client, &cred->client); + if (ret) + goto fail; + + ret = krb5_parse_name(context, incred->server, &cred->server); + if (ret) + goto fail; + + cred->session.keytype = incred->keyblock.type; + cred->session.keyvalue.length = incred->keyblock.length; + cred->session.keyvalue.data = malloc(incred->keyblock.length); + if (cred->session.keyvalue.data == NULL) + goto nomem; + memcpy(cred->session.keyvalue.data, incred->keyblock.data, + incred->keyblock.length); + + cred->times.authtime = incred->authtime; + cred->times.starttime = incred->starttime; + cred->times.endtime = incred->endtime; + cred->times.renew_till = incred->renew_till; + + ret = krb5_data_copy(&cred->ticket, + incred->ticket.data, + incred->ticket.length); + if (ret) + goto nomem; + + ret = krb5_data_copy(&cred->second_ticket, + incred->second_ticket.data, + incred->second_ticket.length); + if (ret) + goto nomem; + + cred->authdata.val = NULL; + cred->authdata.len = 0; + + cred->addresses.val = NULL; + cred->addresses.len = 0; + + for (i = 0; incred->authdata && incred->authdata[i]; i++) + ; + + if (i) { + cred->authdata.val = calloc(i, sizeof(cred->authdata.val[0])); + if (cred->authdata.val == NULL) + goto nomem; + cred->authdata.len = i; + for (i = 0; i < cred->authdata.len; i++) { + cred->authdata.val[i].ad_type = incred->authdata[i]->type; + ret = krb5_data_copy(&cred->authdata.val[i].ad_data, + incred->authdata[i]->data, + incred->authdata[i]->length); + if (ret) + goto nomem; + } + } + + for (i = 0; incred->addresses && incred->addresses[i]; i++) + ; + + if (i) { + cred->addresses.val = calloc(i, sizeof(cred->addresses.val[0])); + if (cred->addresses.val == NULL) + goto nomem; + cred->addresses.len = i; + + for (i = 0; i < cred->addresses.len; i++) { + cred->addresses.val[i].addr_type = incred->addresses[i]->type; + ret = krb5_data_copy(&cred->addresses.val[i].address, + incred->addresses[i]->data, + incred->addresses[i]->length); + if (ret) + goto nomem; + } + } + + cred->flags.i = 0; + if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_FORWARDABLE) + cred->flags.b.forwardable = 1; + if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_FORWARDED) + cred->flags.b.forwarded = 1; + if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PROXIABLE) + cred->flags.b.proxiable = 1; + if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PROXY) + cred->flags.b.proxy = 1; + if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_MAY_POSTDATE) + cred->flags.b.may_postdate = 1; + if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_POSTDATED) + cred->flags.b.postdated = 1; + if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_INVALID) + cred->flags.b.invalid = 1; + if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_RENEWABLE) + cred->flags.b.renewable = 1; + if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_INITIAL) + cred->flags.b.initial = 1; + if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PRE_AUTH) + cred->flags.b.pre_authent = 1; + if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_HW_AUTH) + cred->flags.b.hw_authent = 1; + if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_TRANSIT_POLICY_CHECKED) + cred->flags.b.transited_policy_checked = 1; + if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_OK_AS_DELEGATE) + cred->flags.b.ok_as_delegate = 1; + if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_ANONYMOUS) + cred->flags.b.anonymous = 1; + + return 0; + +nomem: + ret = ENOMEM; + krb5_set_error_string(context, "malloc - out of memory"); + +fail: + krb5_free_cred_contents(context, cred); + return ret; +} + +static void +free_ccred(cc_credentials_v5_t *cred) +{ + int i; + + if (cred->addresses) { + for (i = 0; cred->addresses[i] != 0; i++) { + if (cred->addresses[i]->data) + free(cred->addresses[i]->data); + free(cred->addresses[i]); + } + free(cred->addresses); + } + if (cred->server) + free(cred->server); + if (cred->client) + free(cred->client); + memset(cred, 0, sizeof(*cred)); +} + +static krb5_error_code +make_ccred_from_cred(krb5_context context, + const krb5_creds *incred, + cc_credentials_v5_t *cred) +{ + krb5_error_code ret; + int i; + + memset(cred, 0, sizeof(*cred)); + + ret = krb5_unparse_name(context, incred->client, &cred->client); + if (ret) + goto fail; + + ret = krb5_unparse_name(context, incred->server, &cred->server); + if (ret) + goto fail; + + cred->keyblock.type = incred->session.keytype; + cred->keyblock.length = incred->session.keyvalue.length; + cred->keyblock.data = incred->session.keyvalue.data; + + cred->authtime = incred->times.authtime; + cred->starttime = incred->times.starttime; + cred->endtime = incred->times.endtime; + cred->renew_till = incred->times.renew_till; + + cred->ticket.length = incred->ticket.length; + cred->ticket.data = incred->ticket.data; + + cred->second_ticket.length = incred->second_ticket.length; + cred->second_ticket.data = incred->second_ticket.data; + + /* XXX this one should also be filled in */ + cred->authdata = NULL; + + cred->addresses = calloc(incred->addresses.len + 1, + sizeof(cred->addresses[0])); + if (cred->addresses == NULL) { + + ret = ENOMEM; + goto fail; + } + + for (i = 0; i < incred->addresses.len; i++) { + cc_data *addr; + addr = malloc(sizeof(*addr)); + if (addr == NULL) { + ret = ENOMEM; + goto fail; + } + addr->type = incred->addresses.val[i].addr_type; + addr->length = incred->addresses.val[i].address.length; + addr->data = malloc(addr->length); + if (addr->data == NULL) { + ret = ENOMEM; + goto fail; + } + memcpy(addr->data, incred->addresses.val[i].address.data, + addr->length); + cred->addresses[i] = addr; + } + cred->addresses[i] = NULL; + + cred->ticket_flags = 0; + if (incred->flags.b.forwardable) + cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_FORWARDABLE; + if (incred->flags.b.forwarded) + cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_FORWARDED; + if (incred->flags.b.proxiable) + cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_PROXIABLE; + if (incred->flags.b.proxy) + cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_PROXY; + if (incred->flags.b.may_postdate) + cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_MAY_POSTDATE; + if (incred->flags.b.postdated) + cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_POSTDATED; + if (incred->flags.b.invalid) + cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_INVALID; + if (incred->flags.b.renewable) + cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_RENEWABLE; + if (incred->flags.b.initial) + cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_INITIAL; + if (incred->flags.b.pre_authent) + cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_PRE_AUTH; + if (incred->flags.b.hw_authent) + cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_HW_AUTH; + if (incred->flags.b.transited_policy_checked) + cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_TRANSIT_POLICY_CHECKED; + if (incred->flags.b.ok_as_delegate) + cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_OK_AS_DELEGATE; + if (incred->flags.b.anonymous) + cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_ANONYMOUS; + + return 0; + +fail: + free_ccred(cred); + + krb5_clear_error_string(context); + return ret; +} + +static char * +get_cc_name(cc_ccache_t cache) +{ + cc_string_t name; + cc_int32 error; + char *str; + + error = (*cache->func->get_name)(cache, &name); + if (error) + return NULL; + + str = strdup(name->data); + (*name->func->release)(name); + return str; +} + + +static const char* +acc_get_name(krb5_context context, + krb5_ccache id) +{ + krb5_acc *a = ACACHE(id); + static char n[255]; + char *name; + + name = get_cc_name(a->ccache); + if (name == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return NULL; + } + strlcpy(n, name, sizeof(n)); + free(name); + return n; +} + +static krb5_error_code +acc_alloc(krb5_context context, krb5_ccache *id) +{ + krb5_error_code ret; + cc_int32 error; + krb5_acc *a; + + ret = init_ccapi(context); + if (ret) + return ret; + + ret = krb5_data_alloc(&(*id)->data, sizeof(*a)); + if (ret) { + krb5_clear_error_string(context); + return ret; + } + + a = ACACHE(*id); + + error = (*init_func)(&a->context, ccapi_version_3, NULL, NULL); + if (error) { + krb5_data_free(&(*id)->data); + return translate_cc_error(context, error); + } + + a->cache_name = NULL; + + return 0; +} + +static krb5_error_code +acc_resolve(krb5_context context, krb5_ccache *id, const char *res) +{ + krb5_error_code ret; + cc_int32 error; + krb5_acc *a; + + ret = acc_alloc(context, id); + if (ret) + return ret; + + a = ACACHE(*id); + + error = (*a->context->func->open_ccache)(a->context, res, + &a->ccache); + if (error == 0) { + a->cache_name = get_cc_name(a->ccache); + if (a->cache_name == NULL) { + acc_close(context, *id); + *id = NULL; + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + } else if (error == ccErrCCacheNotFound) { + a->ccache = NULL; + a->cache_name = NULL; + error = 0; + } else { + *id = NULL; + return translate_cc_error(context, error); + } + + return 0; +} + +static krb5_error_code +acc_gen_new(krb5_context context, krb5_ccache *id) +{ + krb5_error_code ret; + krb5_acc *a; + + ret = acc_alloc(context, id); + if (ret) + return ret; + + a = ACACHE(*id); + + a->ccache = NULL; + a->cache_name = NULL; + + return 0; +} + +static krb5_error_code +acc_initialize(krb5_context context, + krb5_ccache id, + krb5_principal primary_principal) +{ + krb5_acc *a = ACACHE(id); + krb5_error_code ret; + int32_t error; + char *name; + + ret = krb5_unparse_name(context, primary_principal, &name); + if (ret) + return ret; + + error = (*a->context->func->create_new_ccache)(a->context, + cc_credentials_v5, + name, + &a->ccache); + free(name); + + return translate_cc_error(context, error); +} + +static krb5_error_code +acc_close(krb5_context context, + krb5_ccache id) +{ + krb5_acc *a = ACACHE(id); + + if (a->ccache) { + (*a->ccache->func->release)(a->ccache); + a->ccache = NULL; + } + if (a->cache_name) { + free(a->cache_name); + a->cache_name = NULL; + } + (*a->context->func->release)(a->context); + a->context = NULL; + krb5_data_free(&id->data); + return 0; +} + +static krb5_error_code +acc_destroy(krb5_context context, + krb5_ccache id) +{ + krb5_acc *a = ACACHE(id); + cc_int32 error = 0; + + if (a->ccache) { + error = (*a->ccache->func->destroy)(a->ccache); + a->ccache = NULL; + } + if (a->context) { + error = (a->context->func->release)(a->context); + a->context = NULL; + } + return translate_cc_error(context, error); +} + +static krb5_error_code +acc_store_cred(krb5_context context, + krb5_ccache id, + krb5_creds *creds) +{ + krb5_acc *a = ACACHE(id); + cc_credentials_union cred; + cc_credentials_v5_t v5cred; + krb5_error_code ret; + cc_int32 error; + + if (a->ccache == NULL) { + krb5_set_error_string(context, "No API credential found"); + return KRB5_CC_NOTFOUND; + } + + cred.version = cc_credentials_v5; + cred.credentials.credentials_v5 = &v5cred; + + ret = make_ccred_from_cred(context, + creds, + &v5cred); + if (ret) + return ret; + + error = (*a->ccache->func->store_credentials)(a->ccache, &cred); + if (error) + ret = translate_cc_error(context, error); + + free_ccred(&v5cred); + + return ret; +} + +static krb5_error_code +acc_get_principal(krb5_context context, + krb5_ccache id, + krb5_principal *principal) +{ + krb5_acc *a = ACACHE(id); + krb5_error_code ret; + int32_t error; + cc_string_t name; + + if (a->ccache == NULL) { + krb5_set_error_string(context, "No API credential found"); + return KRB5_CC_NOTFOUND; + } + + error = (*a->ccache->func->get_principal)(a->ccache, + cc_credentials_v5, + &name); + if (error) + return translate_cc_error(context, error); + + ret = krb5_parse_name(context, name->data, principal); + + (*name->func->release)(name); + return ret; +} + +static krb5_error_code +acc_get_first (krb5_context context, + krb5_ccache id, + krb5_cc_cursor *cursor) +{ + cc_credentials_iterator_t iter; + krb5_acc *a = ACACHE(id); + int32_t error; + + if (a->ccache == NULL) { + krb5_set_error_string(context, "No API credential found"); + return KRB5_CC_NOTFOUND; + } + + error = (*a->ccache->func->new_credentials_iterator)(a->ccache, &iter); + if (error) { + krb5_clear_error_string(context); + return ENOENT; + } + *cursor = iter; + return 0; +} + + +static krb5_error_code +acc_get_next (krb5_context context, + krb5_ccache id, + krb5_cc_cursor *cursor, + krb5_creds *creds) +{ + cc_credentials_iterator_t iter = *cursor; + cc_credentials_t cred; + krb5_error_code ret; + int32_t error; + + while (1) { + error = (*iter->func->next)(iter, &cred); + if (error) + return translate_cc_error(context, error); + if (cred->data->version == cc_credentials_v5) + break; + (*cred->func->release)(cred); + } + + ret = make_cred_from_ccred(context, + cred->data->credentials.credentials_v5, + creds); + (*cred->func->release)(cred); + return ret; +} + +static krb5_error_code +acc_end_get (krb5_context context, + krb5_ccache id, + krb5_cc_cursor *cursor) +{ + cc_credentials_iterator_t iter = *cursor; + (*iter->func->release)(iter); + return 0; +} + +static krb5_error_code +acc_remove_cred(krb5_context context, + krb5_ccache id, + krb5_flags which, + krb5_creds *cred) +{ + cc_credentials_iterator_t iter; + krb5_acc *a = ACACHE(id); + cc_credentials_t ccred; + krb5_error_code ret; + cc_int32 error; + char *client, *server; + + if (a->ccache == NULL) { + krb5_set_error_string(context, "No API credential found"); + return KRB5_CC_NOTFOUND; + } + + if (cred->client) { + ret = krb5_unparse_name(context, cred->client, &client); + if (ret) + return ret; + } else + client = NULL; + + ret = krb5_unparse_name(context, cred->server, &server); + if (ret) { + free(client); + return ret; + } + + error = (*a->ccache->func->new_credentials_iterator)(a->ccache, &iter); + if (error) { + free(server); + free(client); + return translate_cc_error(context, error); + } + + ret = KRB5_CC_NOTFOUND; + while (1) { + cc_credentials_v5_t *v5cred; + + error = (*iter->func->next)(iter, &ccred); + if (error) + break; + + if (ccred->data->version != cc_credentials_v5) + goto next; + + v5cred = ccred->data->credentials.credentials_v5; + + if (client && strcmp(v5cred->client, client) != 0) + goto next; + + if (strcmp(v5cred->server, server) != 0) + goto next; + + (*a->ccache->func->remove_credentials)(a->ccache, ccred); + ret = 0; + next: + (*ccred->func->release)(ccred); + } + + (*iter->func->release)(iter); + + if (ret) + krb5_set_error_string(context, "Can't find credential %s in cache", + server); + free(server); + free(client); + + return ret; +} + +static krb5_error_code +acc_set_flags(krb5_context context, + krb5_ccache id, + krb5_flags flags) +{ + return 0; +} + +static krb5_error_code +acc_get_version(krb5_context context, + krb5_ccache id) +{ + return 0; +} + +struct cache_iter { + cc_context_t context; + cc_ccache_iterator_t iter; +}; + +static krb5_error_code +acc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor) +{ + struct cache_iter *iter; + krb5_error_code ret; + cc_int32 error; + + ret = init_ccapi(context); + if (ret) + return ret; + + iter = calloc(1, sizeof(*iter)); + if (iter == NULL) { + krb5_set_error_string(context, "malloc - out of memory"); + return ENOMEM; + } + + error = (*init_func)(&iter->context, ccapi_version_3, NULL, NULL); + if (error) { + free(iter); + return translate_cc_error(context, error); + } + + error = (*iter->context->func->new_ccache_iterator)(iter->context, + &iter->iter); + if (error) { + free(iter); + krb5_clear_error_string(context); + return ENOENT; + } + *cursor = iter; + return 0; +} + +static krb5_error_code +acc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id) +{ + struct cache_iter *iter = cursor; + cc_ccache_t cache; + krb5_acc *a; + krb5_error_code ret; + int32_t error; + + error = (*iter->iter->func->next)(iter->iter, &cache); + if (error) + return translate_cc_error(context, error); + + ret = _krb5_cc_allocate(context, &krb5_acc_ops, id); + if (ret) { + (*cache->func->release)(cache); + return ret; + } + + ret = acc_alloc(context, id); + if (ret) { + (*cache->func->release)(cache); + free(*id); + return ret; + } + + a = ACACHE(*id); + a->ccache = cache; + + a->cache_name = get_cc_name(a->ccache); + if (a->cache_name == NULL) { + acc_close(context, *id); + *id = NULL; + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + return 0; +} + +static krb5_error_code +acc_end_cache_get(krb5_context context, krb5_cc_cursor cursor) +{ + struct cache_iter *iter = cursor; + + (*iter->iter->func->release)(iter->iter); + iter->iter = NULL; + (*iter->context->func->release)(iter->context); + iter->context = NULL; + free(iter); + return 0; +} + +static krb5_error_code +acc_move(krb5_context context, krb5_ccache from, krb5_ccache to) +{ + krb5_acc *afrom = ACACHE(from); + krb5_acc *ato = ACACHE(to); + int32_t error; + + if (ato->ccache == NULL) { + cc_string_t name; + + error = (*afrom->ccache->func->get_principal)(afrom->ccache, + cc_credentials_v5, + &name); + if (error) + return translate_cc_error(context, error); + + error = (*ato->context->func->create_new_ccache)(ato->context, + cc_credentials_v5, + name->data, + &ato->ccache); + (*name->func->release)(name); + if (error) + return translate_cc_error(context, error); + } + + + error = (*ato->ccache->func->move)(afrom->ccache, ato->ccache); + return translate_cc_error(context, error); +} + +static krb5_error_code +acc_default_name(krb5_context context, char **str) +{ + krb5_error_code ret; + cc_context_t cc; + cc_string_t name; + int32_t error; + + ret = init_ccapi(context); + if (ret) + return ret; + + error = (*init_func)(&cc, ccapi_version_3, NULL, NULL); + if (error) + return translate_cc_error(context, error); + + error = (*cc->func->get_default_ccache_name)(cc, &name); + if (error) { + (*cc->func->release)(cc); + return translate_cc_error(context, error); + } + + asprintf(str, "API:%s", name->data); + (*name->func->release)(name); + (*cc->func->release)(cc); + + if (*str == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + return 0; +} + + +/** + * Variable containing the API based credential cache implemention. + * + * @ingroup krb5_ccache + */ + +const krb5_cc_ops krb5_acc_ops = { + "API", + acc_get_name, + acc_resolve, + acc_gen_new, + acc_initialize, + acc_destroy, + acc_close, + acc_store_cred, + NULL, /* acc_retrieve */ + acc_get_principal, + acc_get_first, + acc_get_next, + acc_end_get, + acc_remove_cred, + acc_set_flags, + acc_get_version, + acc_get_cache_first, + acc_get_cache_next, + acc_end_cache_get, + acc_move, + acc_default_name +}; diff --git a/crypto/heimdal/lib/krb5/acl.c b/crypto/heimdal/lib/krb5/acl.c index c3568699c2a0..cab68367f80a 100644 --- a/crypto/heimdal/lib/krb5/acl.c +++ b/crypto/heimdal/lib/krb5/acl.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 2000 - 2002, 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -34,7 +34,7 @@ #include "krb5_locl.h" #include <fnmatch.h> -RCSID("$Id: acl.c,v 1.3 2002/04/18 16:16:24 joda Exp $"); +RCSID("$Id: acl.c 22119 2007-12-03 22:02:48Z lha $"); struct acl_field { enum { acl_string, acl_fnmatch, acl_retval } type; @@ -46,9 +46,24 @@ struct acl_field { }; static void -acl_free_list(struct acl_field *acl) +free_retv(struct acl_field *acl) +{ + while(acl != NULL) { + if (acl->type == acl_retval) { + if (*acl->u.retv) + free(*acl->u.retv); + *acl->u.retv = NULL; + } + acl = acl->next; + } +} + +static void +acl_free_list(struct acl_field *acl, int retv) { struct acl_field *next; + if (retv) + free_retv(acl); while(acl != NULL) { next = acl->next; free(acl); @@ -69,7 +84,7 @@ acl_parse_format(krb5_context context, tmp = malloc(sizeof(*tmp)); if(tmp == NULL) { krb5_set_error_string(context, "malloc: out of memory"); - acl_free_list(acl); + acl_free_list(acl, 0); return ENOMEM; } if(*p == 's') { @@ -81,6 +96,13 @@ acl_parse_format(krb5_context context, } else if(*p == 'r') { tmp->type = acl_retval; tmp->u.retv = va_arg(ap, char **); + *tmp->u.retv = NULL; + } else { + krb5_set_error_string(context, "acl_parse_format: " + "unknown format specifier %c", *p); + acl_free_list(acl, 0); + free(tmp); + return EINVAL; } tmp->next = NULL; if(acl == NULL) @@ -99,9 +121,9 @@ acl_match_field(krb5_context context, struct acl_field *field) { if(field->type == acl_string) { - return !strcmp(string, field->u.cstr); + return !strcmp(field->u.cstr, string); } else if(field->type == acl_fnmatch) { - return !fnmatch(string, field->u.cstr, 0); + return !fnmatch(field->u.cstr, string, 0); } else if(field->type == acl_retval) { *field->u.retv = strdup(string); return TRUE; @@ -115,19 +137,68 @@ acl_match_acl(krb5_context context, const char *string) { char buf[256]; - for(;strsep_copy(&string, " \t", buf, sizeof(buf)) != -1; - acl = acl->next) { + while(strsep_copy(&string, " \t", buf, sizeof(buf)) != -1) { if(buf[0] == '\0') continue; /* skip ws */ + if (acl == NULL) + return FALSE; if(!acl_match_field(context, buf, acl)) { return FALSE; } + acl = acl->next; } + if (acl) + return FALSE; return TRUE; } +/** + * krb5_acl_match_string matches ACL format against a string. + * + * The ACL format has three format specifiers: s, f, and r. Each + * specifier will retrieve one argument from the variable arguments + * for either matching or storing data. The input string is split up + * using " " (space) and "\t" (tab) as a delimiter; multiple and "\t" + * in a row are considered to be the same. + * + * List of format specifiers: + * - s Matches a string using strcmp(3) (case sensitive). + * - f Matches the string with fnmatch(3). Theflags + * argument (the last argument) passed to the fnmatch function is 0. + * - r Returns a copy of the string in the char ** passed in; the copy + * must be freed with free(3). There is no need to free(3) the + * string on error: the function will clean up and set the pointer + * to NULL. + * + * @param context Kerberos 5 context + * @param string string to match with + * @param format format to match + * @param ... parameter to format string + * + * @return Return an error code or 0. + * + * + * @code + * char *s; + * + * ret = krb5_acl_match_string(context, "foo", "s", "foo"); + * if (ret) + * krb5_errx(context, 1, "acl didn't match"); + * ret = krb5_acl_match_string(context, "foo foo baz/kaka", + * "ss", "foo", &s, "foo/\\*"); + * if (ret) { + * // no need to free(s) on error + * assert(s == NULL); + * krb5_errx(context, 1, "acl didn't match"); + * } + * free(s); + * @endcode + * + * @sa krb5_acl_match_file + * @ingroup krb5_support + */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_acl_match_string(krb5_context context, const char *string, const char *format, @@ -145,7 +216,7 @@ krb5_acl_match_string(krb5_context context, return ret; found = acl_match_acl(context, acl, string); - acl_free_list(acl); + acl_free_list(acl, !found); if (found) { return 0; } else { @@ -154,7 +225,23 @@ krb5_acl_match_string(krb5_context context, } } -krb5_error_code +/** + * krb5_acl_match_file matches ACL format against each line in a file + * using krb5_acl_match_string(). Lines starting with # are treated + * like comments and ignored. + * + * @param context Kerberos 5 context. + * @param file file with acl listed in the file. + * @param format format to match. + * @param ... parameter to format string. + * + * @return Return an error code or 0. + * + * @sa krb5_acl_match_string + * @ingroup krb5_support + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_acl_match_file(krb5_context context, const char *file, const char *format, @@ -192,10 +279,11 @@ krb5_acl_match_file(krb5_context context, found = TRUE; break; } + free_retv(acl); } fclose(f); - acl_free_list(acl); + acl_free_list(acl, !found); if (found) { return 0; } else { diff --git a/crypto/heimdal/lib/krb5/add_et_list.c b/crypto/heimdal/lib/krb5/add_et_list.c index cfc42f493ca9..a6005c685903 100644 --- a/crypto/heimdal/lib/krb5/add_et_list.c +++ b/crypto/heimdal/lib/krb5/add_et_list.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: add_et_list.c,v 1.2 1999/12/02 17:05:07 joda Exp $"); +RCSID("$Id: add_et_list.c 13713 2004-04-13 14:33:45Z lha $"); /* * Add a specified list of error messages to the et list in context. @@ -41,7 +41,7 @@ RCSID("$Id: add_et_list.c,v 1.2 1999/12/02 17:05:07 joda Exp $"); * the current et_list. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_add_et_list (krb5_context context, void (*func)(struct et_list **)) { diff --git a/crypto/heimdal/lib/krb5/addr_families.c b/crypto/heimdal/lib/krb5/addr_families.c index be32458eaa3b..f364f5974d47 100644 --- a/crypto/heimdal/lib/krb5/addr_families.c +++ b/crypto/heimdal/lib/krb5/addr_families.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: addr_families.c,v 1.38 2003/03/25 12:37:02 joda Exp $"); +RCSID("$Id: addr_families.c 22039 2007-11-10 11:47:35Z lha $"); struct addr_operations { int af; @@ -52,6 +52,8 @@ struct addr_operations { int (*order_addr)(krb5_context, const krb5_address*, const krb5_address*); int (*free_addr)(krb5_context, krb5_address*); int (*copy_addr)(krb5_context, const krb5_address*, krb5_address*); + int (*mask_boundary)(krb5_context, const krb5_address*, unsigned long, + krb5_address*, krb5_address*); }; /* @@ -61,20 +63,20 @@ struct addr_operations { static krb5_error_code ipv4_sockaddr2addr (const struct sockaddr *sa, krb5_address *a) { - const struct sockaddr_in *sin = (const struct sockaddr_in *)sa; + const struct sockaddr_in *sin4 = (const struct sockaddr_in *)sa; unsigned char buf[4]; a->addr_type = KRB5_ADDRESS_INET; - memcpy (buf, &sin->sin_addr, 4); + memcpy (buf, &sin4->sin_addr, 4); return krb5_data_copy(&a->address, buf, 4); } static krb5_error_code ipv4_sockaddr2port (const struct sockaddr *sa, int16_t *port) { - const struct sockaddr_in *sin = (const struct sockaddr_in *)sa; + const struct sockaddr_in *sin4 = (const struct sockaddr_in *)sa; - *port = sin->sin_port; + *port = sin4->sin_port; return 0; } @@ -128,9 +130,9 @@ ipv4_h_addr2addr (const char *addr, static krb5_boolean ipv4_uninteresting (const struct sockaddr *sa) { - const struct sockaddr_in *sin = (const struct sockaddr_in *)sa; + const struct sockaddr_in *sin4 = (const struct sockaddr_in *)sa; - if (sin->sin_addr.s_addr == INADDR_ANY) + if (sin4->sin_addr.s_addr == INADDR_ANY) return TRUE; return FALSE; @@ -192,6 +194,40 @@ ipv4_parse_addr (krb5_context context, const char *address, krb5_address *addr) return 0; } +static int +ipv4_mask_boundary(krb5_context context, const krb5_address *inaddr, + unsigned long len, krb5_address *low, krb5_address *high) +{ + unsigned long ia; + uint32_t l, h, m = 0xffffffff; + + if (len > 32) { + krb5_set_error_string(context, "IPv4 prefix too large (%ld)", len); + return KRB5_PROG_ATYPE_NOSUPP; + } + m = m << (32 - len); + + _krb5_get_int(inaddr->address.data, &ia, inaddr->address.length); + + l = ia & m; + h = l | ~m; + + low->addr_type = KRB5_ADDRESS_INET; + if(krb5_data_alloc(&low->address, 4) != 0) + return -1; + _krb5_put_int(low->address.data, l, low->address.length); + + high->addr_type = KRB5_ADDRESS_INET; + if(krb5_data_alloc(&high->address, 4) != 0) { + krb5_free_address(context, low); + return -1; + } + _krb5_put_int(high->address.data, h, high->address.length); + + return 0; +} + + /* * AF_INET6 - aka IPv6 implementation */ @@ -350,6 +386,55 @@ ipv6_parse_addr (krb5_context context, const char *address, krb5_address *addr) return -1; } +static int +ipv6_mask_boundary(krb5_context context, const krb5_address *inaddr, + unsigned long len, krb5_address *low, krb5_address *high) +{ + struct in6_addr addr, laddr, haddr; + uint32_t m; + int i, sub_len; + + if (len > 128) { + krb5_set_error_string(context, "IPv6 prefix too large (%ld)", len); + return KRB5_PROG_ATYPE_NOSUPP; + } + + if (inaddr->address.length != sizeof(addr)) { + krb5_set_error_string(context, "IPv6 addr bad length"); + return KRB5_PROG_ATYPE_NOSUPP; + } + + memcpy(&addr, inaddr->address.data, inaddr->address.length); + + for (i = 0; i < 16; i++) { + sub_len = min(8, len); + + m = 0xff << (8 - sub_len); + + laddr.s6_addr[i] = addr.s6_addr[i] & m; + haddr.s6_addr[i] = (addr.s6_addr[i] & m) | ~m; + + if (len > 8) + len -= 8; + else + len = 0; + } + + low->addr_type = KRB5_ADDRESS_INET6; + if (krb5_data_alloc(&low->address, sizeof(laddr.s6_addr)) != 0) + return -1; + memcpy(low->address.data, laddr.s6_addr, sizeof(laddr.s6_addr)); + + high->addr_type = KRB5_ADDRESS_INET6; + if (krb5_data_alloc(&high->address, sizeof(haddr.s6_addr)) != 0) { + krb5_free_address(context, low); + return -1; + } + memcpy(high->address.data, haddr.s6_addr, sizeof(haddr.s6_addr)); + + return 0; +} + #endif /* IPv6 */ /* @@ -367,8 +452,8 @@ static int arange_parse_addr (krb5_context context, const char *address, krb5_address *addr) { - char buf[1024]; - krb5_addresses low, high; + char buf[1024], *p; + krb5_address low0, high0; struct arange *a; krb5_error_code ret; @@ -377,39 +462,84 @@ arange_parse_addr (krb5_context context, address += 6; - /* should handle netmasks */ - strsep_copy(&address, "-", buf, sizeof(buf)); - ret = krb5_parse_address(context, buf, &low); - if(ret) - return ret; - if(low.len != 1) { - krb5_free_addresses(context, &low); - return -1; - } + p = strrchr(address, '/'); + if (p) { + krb5_addresses addrmask; + char *q; + long num; - strsep_copy(&address, "-", buf, sizeof(buf)); - ret = krb5_parse_address(context, buf, &high); - if(ret) { - krb5_free_addresses(context, &low); - return ret; - } + if (strlcpy(buf, address, sizeof(buf)) > sizeof(buf)) + return -1; + buf[p - address] = '\0'; + ret = krb5_parse_address(context, buf, &addrmask); + if (ret) + return ret; + if(addrmask.len != 1) { + krb5_free_addresses(context, &addrmask); + return -1; + } + + address += p - address + 1; + + num = strtol(address, &q, 10); + if (q == address || *q != '\0' || num < 0) { + krb5_free_addresses(context, &addrmask); + return -1; + } + + ret = krb5_address_prefixlen_boundary(context, &addrmask.val[0], num, + &low0, &high0); + krb5_free_addresses(context, &addrmask); + if (ret) + return ret; - if(high.len != 1 || high.val[0].addr_type != low.val[0].addr_type) { + } else { + krb5_addresses low, high; + + strsep_copy(&address, "-", buf, sizeof(buf)); + ret = krb5_parse_address(context, buf, &low); + if(ret) + return ret; + if(low.len != 1) { + krb5_free_addresses(context, &low); + return -1; + } + + strsep_copy(&address, "-", buf, sizeof(buf)); + ret = krb5_parse_address(context, buf, &high); + if(ret) { + krb5_free_addresses(context, &low); + return ret; + } + + if(high.len != 1 && high.val[0].addr_type != low.val[0].addr_type) { + krb5_free_addresses(context, &low); + krb5_free_addresses(context, &high); + return -1; + } + + ret = krb5_copy_address(context, &high.val[0], &high0); + if (ret == 0) { + ret = krb5_copy_address(context, &low.val[0], &low0); + if (ret) + krb5_free_address(context, &high0); + } krb5_free_addresses(context, &low); krb5_free_addresses(context, &high); - return -1; + if (ret) + return ret; } krb5_data_alloc(&addr->address, sizeof(*a)); addr->addr_type = KRB5_ADDRESS_ARANGE; a = addr->address.data; - if(krb5_address_order(context, &low.val[0], &high.val[0]) < 0) { - a->low = low.val[0]; - a->high = high.val[0]; + if(krb5_address_order(context, &low0, &high0) < 0) { + a->low = low0; + a->high = high0; } else { - a->low = high.val[0]; - a->high = low.val[0]; + a->low = high0; + a->high = low0; } return 0; } @@ -421,6 +551,7 @@ arange_free (krb5_context context, krb5_address *addr) a = addr->address.data; krb5_free_address(context, &a->low); krb5_free_address(context, &a->high); + krb5_data_free(&addr->address); return 0; } @@ -457,20 +588,35 @@ arange_print_addr (const krb5_address *addr, char *str, size_t len) { struct arange *a; krb5_error_code ret; - size_t l, ret_len = 0; + size_t l, size, ret_len; a = addr->address.data; l = strlcpy(str, "RANGE:", len); + ret_len = l; + if (l > len) + l = len; + size = l; + + ret = krb5_print_address (&a->low, str + size, len - size, &l); + if (ret) + return ret; ret_len += l; + if (len - size > l) + size += l; + else + size = len; - ret = krb5_print_address (&a->low, str + ret_len, len - ret_len, &l); - ret_len += l; - - l = strlcat(str, "-", len); + l = strlcat(str + size, "-", len - size); ret_len += l; + if (len - size > l) + size += l; + else + size = len; - ret = krb5_print_address (&a->high, str + ret_len, len - ret_len, &l); + ret = krb5_print_address (&a->high, str + size, len - size, &l); + if (ret) + return ret; ret_len += l; return ret_len; @@ -518,10 +664,13 @@ arange_order_addr(krb5_context context, static int addrport_print_addr (const krb5_address *addr, char *str, size_t len) { + krb5_error_code ret; krb5_address addr1, addr2; uint16_t port = 0; - size_t ret_len = 0, l; - krb5_storage *sp = krb5_storage_from_data((krb5_data*)&addr->address); + size_t ret_len = 0, l, size = 0; + krb5_storage *sp; + + sp = krb5_storage_from_data((krb5_data*)rk_UNCONST(&addr->address)); /* for totally obscure reasons, these are not in network byteorder */ krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_LE); @@ -538,10 +687,24 @@ addrport_print_addr (const krb5_address *addr, char *str, size_t len) } l = strlcpy(str, "ADDRPORT:", len); ret_len += l; - krb5_print_address(&addr1, str + ret_len, len - ret_len, &l); - ret_len += l; - l = snprintf(str + ret_len, len - ret_len, ",PORT=%u", port); + if (len > l) + size += l; + else + size = len; + + ret = krb5_print_address(&addr1, str + size, len - size, &l); + if (ret) + return ret; ret_len += l; + if (len - size > l) + size += l; + else + size = len; + + ret = snprintf(str + size, len - size, ",PORT=%u", port); + if (ret < 0) + return EINVAL; + ret_len += ret; return ret_len; } @@ -552,7 +715,8 @@ static struct addr_operations at[] = { ipv4_addr2sockaddr, ipv4_h_addr2sockaddr, ipv4_h_addr2addr, - ipv4_uninteresting, ipv4_anyaddr, ipv4_print_addr, ipv4_parse_addr}, + ipv4_uninteresting, ipv4_anyaddr, ipv4_print_addr, ipv4_parse_addr, + NULL, NULL, NULL, ipv4_mask_boundary }, #ifdef HAVE_IPV6 {AF_INET6, KRB5_ADDRESS_INET6, sizeof(struct sockaddr_in6), ipv6_sockaddr2addr, @@ -560,7 +724,8 @@ static struct addr_operations at[] = { ipv6_addr2sockaddr, ipv6_h_addr2sockaddr, ipv6_h_addr2addr, - ipv6_uninteresting, ipv6_anyaddr, ipv6_print_addr, ipv6_parse_addr} , + ipv6_uninteresting, ipv6_anyaddr, ipv6_print_addr, ipv6_parse_addr, + NULL, NULL, NULL, ipv6_mask_boundary } , #endif {KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_ADDRPORT, 0, NULL, NULL, NULL, NULL, NULL, @@ -602,7 +767,20 @@ find_atype(int atype) return NULL; } -krb5_error_code +/** + * krb5_sockaddr2address stores a address a "struct sockaddr" sa in + * the krb5_address addr. + * + * @param context a Keberos context + * @param sa a struct sockaddr to extract the address from + * @param addr an Kerberos 5 address to store the address in. + * + * @return Return an error code or 0. + * + * @ingroup krb5_address + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_sockaddr2address (krb5_context context, const struct sockaddr *sa, krb5_address *addr) { @@ -615,7 +793,21 @@ krb5_sockaddr2address (krb5_context context, return (*a->sockaddr2addr)(sa, addr); } -krb5_error_code +/** + * krb5_sockaddr2port extracts a port (if possible) from a "struct + * sockaddr. + * + * @param context a Keberos context + * @param sa a struct sockaddr to extract the port from + * @param port a pointer to an int16_t store the port in. + * + * @return Return an error code or 0. Will return + * KRB5_PROG_ATYPE_NOSUPP in case address type is not supported. + * + * @ingroup krb5_address + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_sockaddr2port (krb5_context context, const struct sockaddr *sa, int16_t *port) { @@ -628,7 +820,28 @@ krb5_sockaddr2port (krb5_context context, return (*a->sockaddr2port)(sa, port); } -krb5_error_code +/** + * krb5_addr2sockaddr sets the "struct sockaddr sockaddr" from addr + * and port. The argument sa_size should initially contain the size of + * the sa and after the call, it will contain the actual length of the + * address. In case of the sa is too small to fit the whole address, + * the up to *sa_size will be stored, and then *sa_size will be set to + * the required length. + * + * @param context a Keberos context + * @param addr the address to copy the from + * @param sa the struct sockaddr that will be filled in + * @param sa_size pointer to length of sa, and after the call, it will + * contain the actual length of the address. + * @param port set port in sa. + * + * @return Return an error code or 0. Will return + * KRB5_PROG_ATYPE_NOSUPP in case address type is not supported. + * + * @ingroup krb5_address + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_addr2sockaddr (krb5_context context, const krb5_address *addr, struct sockaddr *sa, @@ -643,7 +856,8 @@ krb5_addr2sockaddr (krb5_context context, return KRB5_PROG_ATYPE_NOSUPP; } if (a->addr2sockaddr == NULL) { - krb5_set_error_string (context, "Can't convert address type %d to sockaddr", + krb5_set_error_string (context, + "Can't convert address type %d to sockaddr", addr->addr_type); return KRB5_PROG_ATYPE_NOSUPP; } @@ -651,7 +865,16 @@ krb5_addr2sockaddr (krb5_context context, return 0; } -size_t +/** + * krb5_max_sockaddr_size returns the max size of the .Li struct + * sockaddr that the Kerberos library will return. + * + * @return Return an size_t of the maximum struct sockaddr. + * + * @ingroup krb5_address + */ + +size_t KRB5_LIB_FUNCTION krb5_max_sockaddr_size (void) { if (max_sockaddr_size == 0) { @@ -663,7 +886,19 @@ krb5_max_sockaddr_size (void) return max_sockaddr_size; } -krb5_boolean +/** + * krb5_sockaddr_uninteresting returns TRUE for all .Fa sa that the + * kerberos library thinks are uninteresting. One example are link + * local addresses. + * + * @param sa pointer to struct sockaddr that might be interesting. + * + * @return Return a non zero for uninteresting addresses. + * + * @ingroup krb5_address + */ + +krb5_boolean KRB5_LIB_FUNCTION krb5_sockaddr_uninteresting(const struct sockaddr *sa) { struct addr_operations *a = find_af(sa->sa_family); @@ -672,7 +907,26 @@ krb5_sockaddr_uninteresting(const struct sockaddr *sa) return (*a->uninteresting)(sa); } -krb5_error_code +/** + * krb5_h_addr2sockaddr initializes a "struct sockaddr sa" from af and + * the "struct hostent" (see gethostbyname(3) ) h_addr_list + * component. The argument sa_size should initially contain the size + * of the sa, and after the call, it will contain the actual length of + * the address. + * + * @param context a Keberos context + * @param af addresses + * @param addr address + * @param sa returned struct sockaddr + * @param sa_size size of sa + * @param port port to set in sa. + * + * @return Return an error code or 0. + * + * @ingroup krb5_address + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_h_addr2sockaddr (krb5_context context, int af, const char *addr, struct sockaddr *sa, @@ -688,7 +942,21 @@ krb5_h_addr2sockaddr (krb5_context context, return 0; } -krb5_error_code +/** + * krb5_h_addr2addr works like krb5_h_addr2sockaddr with the exception + * that it operates on a krb5_address instead of a struct sockaddr. + * + * @param context a Keberos context + * @param af address family + * @param haddr host address from struct hostent. + * @param addr returned krb5_address. + * + * @return Return an error code or 0. + * + * @ingroup krb5_address + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_h_addr2addr (krb5_context context, int af, const char *haddr, krb5_address *addr) @@ -701,7 +969,24 @@ krb5_h_addr2addr (krb5_context context, return (*a->h_addr2addr)(haddr, addr); } -krb5_error_code +/** + * krb5_anyaddr fills in a "struct sockaddr sa" that can be used to + * bind(2) to. The argument sa_size should initially contain the size + * of the sa, and after the call, it will contain the actual length + * of the address. + * + * @param context a Keberos context + * @param af address family + * @param sa sockaddr + * @param sa_size lenght of sa. + * @param port for to fill into sa. + * + * @return Return an error code or 0. + * + * @ingroup krb5_address + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_anyaddr (krb5_context context, int af, struct sockaddr *sa, @@ -719,12 +1004,28 @@ krb5_anyaddr (krb5_context context, return 0; } -krb5_error_code +/** + * krb5_print_address prints the address in addr to the string string + * that have the length len. If ret_len is not NULL, it will be filled + * with the length of the string if size were unlimited (not including + * the final NUL) . + * + * @param addr address to be printed + * @param str pointer string to print the address into + * @param len length that will fit into area pointed to by "str". + * @param ret_len return length the str. + * + * @return Return an error code or 0. + * + * @ingroup krb5_address + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_print_address (const krb5_address *addr, char *str, size_t len, size_t *ret_len) { - size_t ret; struct addr_operations *a = find_atype(addr->addr_type); + int ret; if (a == NULL || a->print_addr == NULL) { char *s; @@ -733,13 +1034,13 @@ krb5_print_address (const krb5_address *addr, s = str; l = snprintf(s, len, "TYPE_%d:", addr->addr_type); - if (l < 0) + if (l < 0 || l >= len) return EINVAL; s += l; len -= l; for(i = 0; i < addr->address.length; i++) { l = snprintf(s, len, "%02x", ((char*)addr->address.data)[i]); - if (l < 0) + if (l < 0 || l >= len) return EINVAL; len -= l; s += l; @@ -749,12 +1050,27 @@ krb5_print_address (const krb5_address *addr, return 0; } ret = (*a->print_addr)(addr, str, len); + if (ret < 0) + return EINVAL; if(ret_len != NULL) *ret_len = ret; return 0; } -krb5_error_code +/** + * krb5_parse_address returns the resolved hostname in string to the + * krb5_addresses addresses . + * + * @param context a Keberos context + * @param string + * @param addresses + * + * @return Return an error code or 0. + * + * @ingroup krb5_address + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_parse_address(krb5_context context, const char *string, krb5_addresses *addresses) @@ -764,11 +1080,18 @@ krb5_parse_address(krb5_context context, int error; int save_errno; + addresses->len = 0; + addresses->val = NULL; + for(i = 0; i < num_addrs; i++) { if(at[i].parse_addr) { krb5_address addr; if((*at[i].parse_addr)(context, string, &addr) == 0) { ALLOC_SEQ(addresses, 1); + if (addresses->val == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } addresses->val[0] = addr; return 0; } @@ -787,17 +1110,41 @@ krb5_parse_address(krb5_context context, ++n; ALLOC_SEQ(addresses, n); + if (addresses->val == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + freeaddrinfo(ai); + return ENOMEM; + } + addresses->len = 0; for (a = ai, i = 0; a != NULL; a = a->ai_next) { - if(krb5_sockaddr2address (context, ai->ai_addr, - &addresses->val[i]) == 0) - i++; + if (krb5_sockaddr2address (context, ai->ai_addr, &addresses->val[i])) + continue; + if(krb5_address_search(context, &addresses->val[i], addresses)) + continue; + addresses->len = i; + i++; } freeaddrinfo (ai); return 0; } -int +/** + * krb5_address_order compares the addresses addr1 and addr2 so that + * it can be used for sorting addresses. If the addresses are the same + * address krb5_address_order will return 0. Behavies like memcmp(2). + * + * @param context a Keberos context + * @param addr1 krb5_address to compare + * @param addr2 krb5_address to compare + * + * @return < 0 if address addr1 in "less" then addr2. 0 if addr1 and + * addr2 is the same address, > 0 if addr2 is "less" then addr1. + * + * @ingroup krb5_address + */ + +int KRB5_LIB_FUNCTION krb5_address_order(krb5_context context, const krb5_address *addr1, const krb5_address *addr2) @@ -831,7 +1178,20 @@ krb5_address_order(krb5_context context, addr1->address.length); } -krb5_boolean +/** + * krb5_address_compare compares the addresses addr1 and addr2. + * Returns TRUE if the two addresses are the same. + * + * @param context a Keberos context + * @param addr1 address to compare + * @param addr2 address to compare + * + * @return Return an TRUE is the address are the same FALSE if not + * + * @ingroup krb5_address + */ + +krb5_boolean KRB5_LIB_FUNCTION krb5_address_compare(krb5_context context, const krb5_address *addr1, const krb5_address *addr2) @@ -839,7 +1199,20 @@ krb5_address_compare(krb5_context context, return krb5_address_order (context, addr1, addr2) == 0; } -krb5_boolean +/** + * krb5_address_search checks if the address addr is a member of the + * address set list addrlist . + * + * @param context a Keberos context. + * @param addr address to search for. + * @param addrlist list of addresses to look in for addr. + * + * @return Return an error code or 0. + * + * @ingroup krb5_address + */ + +krb5_boolean KRB5_LIB_FUNCTION krb5_address_search(krb5_context context, const krb5_address *addr, const krb5_addresses *addrlist) @@ -852,18 +1225,43 @@ krb5_address_search(krb5_context context, return FALSE; } -krb5_error_code +/** + * krb5_free_address frees the data stored in the address that is + * alloced with any of the krb5_address functions. + * + * @param context a Keberos context + * @param address addresss to be freed. + * + * @return Return an error code or 0. + * + * @ingroup krb5_address + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_free_address(krb5_context context, krb5_address *address) { - struct addr_operations *a = find_af (address->addr_type); + struct addr_operations *a = find_atype (address->addr_type); if(a != NULL && a->free_addr != NULL) return (*a->free_addr)(context, address); krb5_data_free (&address->address); + memset(address, 0, sizeof(*address)); return 0; } -krb5_error_code +/** + * krb5_free_addresses frees the data stored in the address that is + * alloced with any of the krb5_address functions. + * + * @param context a Keberos context + * @param addresses addressses to be freed. + * + * @return Return an error code or 0. + * + * @ingroup krb5_address + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_free_addresses(krb5_context context, krb5_addresses *addresses) { @@ -871,10 +1269,25 @@ krb5_free_addresses(krb5_context context, for(i = 0; i < addresses->len; i++) krb5_free_address(context, &addresses->val[i]); free(addresses->val); + addresses->len = 0; + addresses->val = NULL; return 0; } -krb5_error_code +/** + * krb5_copy_address copies the content of address + * inaddr to outaddr. + * + * @param context a Keberos context + * @param inaddr pointer to source address + * @param outaddr pointer to destination address + * + * @return Return an error code or 0. + * + * @ingroup krb5_address + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_address(krb5_context context, const krb5_address *inaddr, krb5_address *outaddr) @@ -885,7 +1298,20 @@ krb5_copy_address(krb5_context context, return copy_HostAddress(inaddr, outaddr); } -krb5_error_code +/** + * krb5_copy_addresses copies the content of addresses + * inaddr to outaddr. + * + * @param context a Keberos context + * @param inaddr pointer to source addresses + * @param outaddr pointer to destination addresses + * + * @return Return an error code or 0. + * + * @ingroup krb5_address + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_addresses(krb5_context context, const krb5_addresses *inaddr, krb5_addresses *outaddr) @@ -899,7 +1325,20 @@ krb5_copy_addresses(krb5_context context, return 0; } -krb5_error_code +/** + * krb5_append_addresses adds the set of addresses in source to + * dest. While copying the addresses, duplicates are also sorted out. + * + * @param context a Keberos context + * @param dest destination of copy operation + * @param source adresses that are going to be added to dest + * + * @return Return an error code or 0. + * + * @ingroup krb5_address + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_append_addresses(krb5_context context, krb5_addresses *dest, const krb5_addresses *source) @@ -929,11 +1368,20 @@ krb5_append_addresses(krb5_context context, return 0; } -/* +/** * Create an address of type KRB5_ADDRESS_ADDRPORT from (addr, port) + * + * @param context a Keberos context + * @param res built address from addr/port + * @param addr address to use + * @param port port to use + * + * @return Return an error code or 0. + * + * @ingroup krb5_address */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_make_addrport (krb5_context context, krb5_address **res, const krb5_address *addr, int16_t port) { @@ -951,6 +1399,7 @@ krb5_make_addrport (krb5_context context, if (ret) { krb5_set_error_string(context, "malloc: out of memory"); free (*res); + *res = NULL; return ret; } p = (*res)->address.data; @@ -982,3 +1431,33 @@ krb5_make_addrport (krb5_context context, return 0; } + +/** + * Calculate the boundary addresses of `inaddr'/`prefixlen' and store + * them in `low' and `high'. + * + * @param context a Keberos context + * @param inaddr address in prefixlen that the bondery searched + * @param prefixlen width of boundery + * @param low lowest address + * @param high highest address + * + * @return Return an error code or 0. + * + * @ingroup krb5_address + */ + +krb5_error_code KRB5_LIB_FUNCTION +krb5_address_prefixlen_boundary(krb5_context context, + const krb5_address *inaddr, + unsigned long prefixlen, + krb5_address *low, + krb5_address *high) +{ + struct addr_operations *a = find_atype (inaddr->addr_type); + if(a != NULL && a->mask_boundary != NULL) + return (*a->mask_boundary)(context, inaddr, prefixlen, low, high); + krb5_set_error_string(context, "Address family %d doesn't support " + "address mask operation", inaddr->addr_type); + return KRB5_PROG_ATYPE_NOSUPP; +} diff --git a/crypto/heimdal/lib/krb5/aes-test.c b/crypto/heimdal/lib/krb5/aes-test.c index cfee8e25a738..82b3431add54 100644 --- a/crypto/heimdal/lib/krb5/aes-test.c +++ b/crypto/heimdal/lib/krb5/aes-test.c @@ -31,30 +31,25 @@ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "krb5_locl.h" +#include <hex.h> +#include <err.h> #ifdef HAVE_OPENSSL #include <openssl/evp.h> #endif -RCSID("$Id: aes-test.c,v 1.3 2003/03/25 11:30:41 lha Exp $"); +RCSID("$Id: aes-test.c 18301 2006-10-07 13:50:34Z lha $"); static int verbose = 0; static void -hex_dump_data(krb5_data *data) +hex_dump_data(const void *data, size_t length) { - unsigned char *p = data->data; - int i, j; - - for (i = j = 0; i < data->length; i++, j++) { - printf("%02x ", p[i]); - if (j > 15) { - printf("\n"); - j = 0; - } - } - if (j != 0) - printf("\n"); + char *p; + + hex_encode(data, length, &p); + printf("%s\n", p); + free(p); } struct { @@ -63,11 +58,10 @@ struct { int saltlen; int iterations; krb5_enctype enctype; - int keylen; + size_t keylen; char *pbkdf2; char *key; } keys[] = { -#ifdef ENABLE_AES { "password", "ATHENA.MIT.EDUraeburn", -1, 1, @@ -185,7 +179,6 @@ struct { "\x4b\x6d\x98\x39\xf8\x44\x06\xdf\x1f\x09\xcc\x16\x6d\xb4\xb8\x3c" "\x57\x18\x48\xb7\x84\xa3\xd6\xbd\xc3\x46\x58\x9a\x3e\x39\x3f\x9e" }, -#endif { "foo", "", -1, 0, @@ -207,11 +200,9 @@ string_to_key_test(krb5_context context) { krb5_data password, opaque; krb5_error_code ret; - krb5_keyblock key; krb5_salt salt; int i, val = 0; char iter[4]; - char keyout[32]; for (i = 0; i < sizeof(keys)/sizeof(keys[0]); i++) { @@ -229,119 +220,100 @@ string_to_key_test(krb5_context context) opaque.length = sizeof(iter); _krb5_put_int(iter, keys[i].iterations, 4); - if (verbose) - printf("%d: password: %s salt: %s\n", - i, keys[i].password, keys[i].salt); - - if (keys[i].keylen > sizeof(keyout)) - abort(); - -#ifdef ENABLE_AES if (keys[i].pbkdf2) { + unsigned char keyout[32]; + + if (keys[i].keylen > sizeof(keyout)) + abort(); -#ifdef HAVE_OPENSSL PKCS5_PBKDF2_HMAC_SHA1(password.data, password.length, salt.saltvalue.data, salt.saltvalue.length, keys[i].iterations, keys[i].keylen, keyout); if (memcmp(keyout, keys[i].pbkdf2, keys[i].keylen) != 0) { - krb5_warnx(context, "%d: openssl key pbkdf2", i); + krb5_warnx(context, "%d: pbkdf2", i); val = 1; continue; } -#endif - ret = krb5_PKCS5_PBKDF2(context, CKSUMTYPE_SHA1, password, salt, - keys[i].iterations - 1, - keys[i].enctype, - &key); + if (verbose) { + printf("PBKDF2:\n"); + hex_dump_data(keyout, keys[i].keylen); + } + } + + { + krb5_keyblock key; + + ret = krb5_string_to_key_data_salt_opaque (context, + keys[i].enctype, + password, + salt, + opaque, + &key); if (ret) { - krb5_warn(context, ret, "%d: krb5_PKCS5_PBKDF2", i); + krb5_warn(context, ret, "%d: string_to_key_data_salt_opaque", + i); val = 1; continue; } if (key.keyvalue.length != keys[i].keylen) { - krb5_warnx(context, "%d: size key pbkdf2", i); + krb5_warnx(context, "%d: key wrong length (%lu/%lu)", + i, (unsigned long)key.keyvalue.length, + (unsigned long)keys[i].keylen); val = 1; continue; } - - if (memcmp(key.keyvalue.data, keys[i].pbkdf2, keys[i].keylen) != 0) { - krb5_warnx(context, "%d: key pbkdf2 pl %d", - i, password.length); + + if (memcmp(key.keyvalue.data, keys[i].key, keys[i].keylen) != 0) { + krb5_warnx(context, "%d: key wrong", i); val = 1; continue; } - + if (verbose) { - printf("PBKDF2:\n"); - hex_dump_data(&key.keyvalue); + printf("key:\n"); + hex_dump_data(key.keyvalue.data, key.keyvalue.length); } - krb5_free_keyblock_contents(context, &key); } -#endif - - ret = krb5_string_to_key_data_salt_opaque (context, keys[i].enctype, - password, salt, opaque, - &key); - if (ret) { - krb5_warn(context, ret, "%d: string_to_key_data_salt_opaque", i); - val = 1; - continue; - } - - if (key.keyvalue.length != keys[i].keylen) { - krb5_warnx(context, "%d: key wrong length (%d/%d)", - i, key.keyvalue.length, keys[i].keylen); - val = 1; - continue; - } - - if (memcmp(key.keyvalue.data, keys[i].key, keys[i].keylen) != 0) { - krb5_warnx(context, "%d: key wrong", i); - val = 1; - continue; - } - - if (verbose) { - printf("key:\n"); - hex_dump_data(&key.keyvalue); - } - krb5_free_keyblock_contents(context, &key); } return val; } -#ifdef ENABLE_AES - -struct { +struct enc_test { size_t len; char *input; char *output; -} encs[] = { + char *nextiv; +}; + +struct enc_test encs1[] = { { 17, "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65" "\x20", "\xc6\x35\x35\x68\xf2\xbf\x8c\xb4\xd8\xa5\x80\x36\x2d\xa7\xff\x7f" - "\x97" + "\x97", + "\xc6\x35\x35\x68\xf2\xbf\x8c\xb4\xd8\xa5\x80\x36\x2d\xa7\xff\x7f" }, { 31, "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65" "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20", "\xfc\x00\x78\x3e\x0e\xfd\xb2\xc1\xd4\x45\xd4\xc8\xef\xf7\xed\x22" - "\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5" + "\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5", + "\xfc\x00\x78\x3e\x0e\xfd\xb2\xc1\xd4\x45\xd4\xc8\xef\xf7\xed\x22" }, { 32, "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65" "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43", "\x39\x31\x25\x23\xa7\x86\x62\xd5\xbe\x7f\xcb\xcc\x98\xeb\xf5\xa8" - "\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5\x84" + "\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5\x84", + "\x39\x31\x25\x23\xa7\x86\x62\xd5\xbe\x7f\xcb\xcc\x98\xeb\xf5\xa8" }, { 47, @@ -350,7 +322,18 @@ struct { "\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c", "\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5\x84" "\xb3\xff\xfd\x94\x0c\x16\xa1\x8c\x1b\x55\x49\xd2\xf8\x38\x02\x9e" - "\x39\x31\x25\x23\xa7\x86\x62\xd5\xbe\x7f\xcb\xcc\x98\xeb\xf5" + "\x39\x31\x25\x23\xa7\x86\x62\xd5\xbe\x7f\xcb\xcc\x98\xeb\xf5", + "\xb3\xff\xfd\x94\x0c\x16\xa1\x8c\x1b\x55\x49\xd2\xf8\x38\x02\x9e" + }, + { + 48, + "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65" + "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43" + "\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c\x20", + "\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5\x84" + "\x9d\xad\x8b\xbb\x96\xc4\xcd\xc0\x3b\xc1\x03\xe1\xa1\x94\xbb\xd8" + "\x39\x31\x25\x23\xa7\x86\x62\xd5\xbe\x7f\xcb\xcc\x98\xeb\xf5\xa8", + "\x9d\xad\x8b\xbb\x96\xc4\xcd\xc0\x3b\xc1\x03\xe1\xa1\x94\xbb\xd8" }, { 64, @@ -361,16 +344,137 @@ struct { "\x97\x68\x72\x68\xd6\xec\xcc\xc0\xc0\x7b\x25\xe2\x5e\xcf\xe5\x84" "\x39\x31\x25\x23\xa7\x86\x62\xd5\xbe\x7f\xcb\xcc\x98\xeb\xf5\xa8" "\x48\x07\xef\xe8\x36\xee\x89\xa5\x26\x73\x0d\xbc\x2f\x7b\xc8\x40" - "\x9d\xad\x8b\xbb\x96\xc4\xcd\xc0\x3b\xc1\x03\xe1\xa1\x94\xbb\xd8" + "\x9d\xad\x8b\xbb\x96\xc4\xcd\xc0\x3b\xc1\x03\xe1\xa1\x94\xbb\xd8", + "\x48\x07\xef\xe8\x36\xee\x89\xa5\x26\x73\x0d\xbc\x2f\x7b\xc8\x40" } }; -char *enc_key = + +struct enc_test encs2[] = { + { + 17, + "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65" + "\x20", + "\x5c\x13\x26\x27\xc4\xcb\xca\x04\x14\x43\x8a\xb5\x97\x97\x7c\x10" + "\x16" + }, + { + 31, + "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65" + "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20", + "\x16\xb3\xd8\xe5\xcd\x93\xe6\x2c\x28\x70\xa0\x36\x6e\x9a\xb9\x74" + "\x16\xc1\xee\xdf\x39\xc8\x3f\xfb\xc5\xf6\x72\xe9\xc1\x6e\x53" + }, + { + 32, + "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65" + "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43", + "\x69\xde\xce\x59\x83\x6a\x82\xe1\xcd\x21\x93\xd0\x9e\x2a\xff\xc8" + "\x16\xc1\xee\xdf\x39\xc8\x3f\xfb\xc5\xf6\x72\xe9\xc1\x6e\x53\x0c" + }, + { + 47, + "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65" + "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43" + "\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c", + "\x16\xc1\xee\xdf\x39\xc8\x3f\xfb\xc5\xf6\x72\xe9\xc1\x6e\x53\x0c" + "\xe5\x56\xb4\x88\x41\xb9\xde\x27\xf0\x07\xa1\x6e\x89\x94\x47\xf1" + "\x69\xde\xce\x59\x83\x6a\x82\xe1\xcd\x21\x93\xd0\x9e\x2a\xff" + }, + { + 48, + "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65" + "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43" + "\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c\x20", + "\x16\xc1\xee\xdf\x39\xc8\x3f\xfb\xc5\xf6\x72\xe9\xc1\x6e\x53\x0c" + "\xfd\x68\xd1\x56\x32\x23\x7b\xfa\xb0\x09\x86\x3b\x17\x53\xfa\x30" + "\x69\xde\xce\x59\x83\x6a\x82\xe1\xcd\x21\x93\xd0\x9e\x2a\xff\xc8" + }, + { + 64, + "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65" + "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43" + "\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c\x20" + "\x61\x6e\x64\x20\x77\x6f\x6e\x74\x6f\x6e\x20\x73\x6f\x75\x70\x2e", + "\x16\xc1\xee\xdf\x39\xc8\x3f\xfb\xc5\xf6\x72\xe9\xc1\x6e\x53\x0c" + "\x69\xde\xce\x59\x83\x6a\x82\xe1\xcd\x21\x93\xd0\x9e\x2a\xff\xc8" + "\x70\x29\xf2\x6f\x7c\x79\xc1\x77\x91\xad\x94\xb0\x78\x62\x27\x67" + "\xfd\x68\xd1\x56\x32\x23\x7b\xfa\xb0\x09\x86\x3b\x17\x53\xfa\x30" + }, + { + 78, + "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65" + "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43" + "\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c\x20" + "\x61\x6e\x64\x20\x77\x6f\x6e\x74\x6f\x6e\x20\x73\x6f\x75\x70\x2e" + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41", + "\x16\xc1\xee\xdf\x39\xc8\x3f\xfb\xc5\xf6\x72\xe9\xc1\x6e\x53\x0c" + "\x69\xde\xce\x59\x83\x6a\x82\xe1\xcd\x21\x93\xd0\x9e\x2a\xff\xc8" + "\xfd\x68\xd1\x56\x32\x23\x7b\xfa\xb0\x09\x86\x3b\x17\x53\xfa\x30" + "\x73\xfb\x2c\x36\x76\xaf\xcf\x31\xff\xe3\x8a\x89\x0c\x7e\x99\x3f" + "\x70\x29\xf2\x6f\x7c\x79\xc1\x77\x91\xad\x94\xb0\x78\x62" + }, + { + 83, + "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65" + "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43" + "\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c\x20" + "\x61\x6e\x64\x20\x77\x6f\x6e\x74\x6f\x6e\x20\x73\x6f\x75\x70\x2e" + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" + "\x41\x41\x41", + "\x16\xc1\xee\xdf\x39\xc8\x3f\xfb\xc5\xf6\x72\xe9\xc1\x6e\x53\x0c" + "\x69\xde\xce\x59\x83\x6a\x82\xe1\xcd\x21\x93\xd0\x9e\x2a\xff\xc8" + "\xfd\x68\xd1\x56\x32\x23\x7b\xfa\xb0\x09\x86\x3b\x17\x53\xfa\x30" + "\x70\x29\xf2\x6f\x7c\x79\xc1\x77\x91\xad\x94\xb0\x78\x62\x27\x67" + "\x65\x39\x3a\xdb\x92\x05\x4d\x4f\x08\xa1\xfa\x59\xda\x56\x58\x0e" + "\x3b\xac\x12" + }, + { + 92, + "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65" + "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43" + "\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c\x20" + "\x61\x6e\x64\x20\x77\x6f\x6e\x74\x6f\x6e\x20\x73\x6f\x75\x70\x2e" + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41", + "\x16\xc1\xee\xdf\x39\xc8\x3f\xfb\xc5\xf6\x72\xe9\xc1\x6e\x53\x0c" + "\x69\xde\xce\x59\x83\x6a\x82\xe1\xcd\x21\x93\xd0\x9e\x2a\xff\xc8" + "\xfd\x68\xd1\x56\x32\x23\x7b\xfa\xb0\x09\x86\x3b\x17\x53\xfa\x30" + "\x70\x29\xf2\x6f\x7c\x79\xc1\x77\x91\xad\x94\xb0\x78\x62\x27\x67" + "\x0c\xff\xd7\x63\x50\xf8\x4e\xf9\xec\x56\x1c\x79\xc5\xc8\xfe\x50" + "\x3b\xac\x12\x6e\xd3\x2d\x02\xc4\xe5\x06\x43\x5f" + }, + { + 96, + "\x49\x20\x77\x6f\x75\x6c\x64\x20\x6c\x69\x6b\x65\x20\x74\x68\x65" + "\x20\x47\x65\x6e\x65\x72\x61\x6c\x20\x47\x61\x75\x27\x73\x20\x43" + "\x68\x69\x63\x6b\x65\x6e\x2c\x20\x70\x6c\x65\x61\x73\x65\x2c\x20" + "\x61\x6e\x64\x20\x77\x6f\x6e\x74\x6f\x6e\x20\x73\x6f\x75\x70\x2e" + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41", + "\x16\xc1\xee\xdf\x39\xc8\x3f\xfb\xc5\xf6\x72\xe9\xc1\x6e\x53\x0c" + "\x69\xde\xce\x59\x83\x6a\x82\xe1\xcd\x21\x93\xd0\x9e\x2a\xff\xc8" + "\xfd\x68\xd1\x56\x32\x23\x7b\xfa\xb0\x09\x86\x3b\x17\x53\xfa\x30" + "\x70\x29\xf2\x6f\x7c\x79\xc1\x77\x91\xad\x94\xb0\x78\x62\x27\x67" + "\x08\x28\x49\xad\xfc\x2d\x8e\x86\xae\x69\xa5\xa8\xd9\x29\x9e\xe4" + "\x3b\xac\x12\x6e\xd3\x2d\x02\xc4\xe5\x06\x43\x5f\x4c\x41\xd1\xb8" + } +}; + + + +char *aes_key1 = "\x63\x68\x69\x63\x6b\x65\x6e\x20\x74\x65\x72\x69\x79\x61\x6b\x69"; +char *aes_key2 = + "\x63\x68\x69\x63\x6b\x65\x6e\x20\x74\x65\x72\x69\x79\x61\x6b\x69" + "\x2c\x20\x79\x75\x6d\x6d\x79\x20\x79\x75\x6d\x6d\x79\x21\x21\x21"; + + static int -samep(int testn, char *type, const char *p1, const char *p2, size_t len) +samep(int testn, char *type, const void *pp1, const void *pp2, size_t len) { + const unsigned char *p1 = pp1, *p2 = pp2; size_t i; int val = 1; @@ -390,59 +494,258 @@ samep(int testn, char *type, const char *p1, const char *p2, size_t len) } static int -encryption_test(krb5_context context) +encryption_test(krb5_context context, const void *key, size_t keylen, + struct enc_test *enc, int numenc) { - char iv[AES_BLOCK_SIZE]; - int i, val = 0; + unsigned char iv[AES_BLOCK_SIZE]; + int i, val, failed = 0; AES_KEY ekey, dkey; - char *p; + unsigned char *p; + + AES_set_encrypt_key(key, keylen, &ekey); + AES_set_decrypt_key(key, keylen, &dkey); - AES_set_encrypt_key(enc_key, 128, &ekey); - AES_set_decrypt_key(enc_key, 128, &dkey); + for (i = 0; i < numenc; i++) { + val = 0; - for (i = 0; i < sizeof(encs)/sizeof(encs[0]); i++) { if (verbose) printf("test: %d\n", i); memset(iv, 0, sizeof(iv)); - p = malloc(encs[i].len + 1); + p = malloc(enc[i].len + 1); if (p == NULL) krb5_errx(context, 1, "malloc"); - p[encs[i].len] = '\0'; + p[enc[i].len] = '\0'; - memcpy(p, encs[i].input, encs[i].len); + memcpy(p, enc[i].input, enc[i].len); - _krb5_aes_cts_encrypt(p, p, encs[i].len, + _krb5_aes_cts_encrypt(p, p, enc[i].len, &ekey, iv, AES_ENCRYPT); - if (p[encs[i].len] != '\0') { + if (p[enc[i].len] != '\0') { krb5_warnx(context, "%d: encrypt modified off end", i); val = 1; } - if (!samep(i, "cipher", p, encs[i].output, encs[i].len)) + if (!samep(i, "cipher", p, enc[i].output, enc[i].len)) { + krb5_warnx(context, "%d: cipher", i); val = 1; + } + + if (enc[i].nextiv && !samep(i, "iv", iv, enc[i].nextiv, 16)){ /*XXX*/ + krb5_warnx(context, "%d: iv", i); + val = 1; + } memset(iv, 0, sizeof(iv)); - _krb5_aes_cts_encrypt(p, p, encs[i].len, + _krb5_aes_cts_encrypt(p, p, enc[i].len, &dkey, iv, AES_DECRYPT); - if (p[encs[i].len] != '\0') { + if (p[enc[i].len] != '\0') { krb5_warnx(context, "%d: decrypt modified off end", i); val = 1; } - if (!samep(i, "clear", p, encs[i].input, encs[i].len)) + if (!samep(i, "clear", p, enc[i].input, enc[i].len)) val = 1; + if (enc[i].nextiv && !samep(i, "iv", iv, enc[i].nextiv, 16)){ /*XXX*/ + krb5_warnx(context, "%d: iv", i); + val = 1; + } + free(p); + + if (val) { + printf("test %d failed\n", i); + failed = 1; + } + val = 0; } - return val; + return failed; +} + +static int +krb_enc(krb5_context context, + krb5_crypto crypto, + unsigned usage, + krb5_data *cipher, + krb5_data *clear) +{ + krb5_data decrypt; + krb5_error_code ret; + + krb5_data_zero(&decrypt); + + ret = krb5_decrypt(context, + crypto, + usage, + cipher->data, + cipher->length, + &decrypt); + + if (ret) { + krb5_warn(context, ret, "krb5_decrypt"); + return ret; + } + + if (decrypt.length != clear->length || + memcmp(decrypt.data, clear->data, decrypt.length) != 0) { + krb5_warnx(context, "clear text not same"); + return EINVAL; + } + + krb5_data_free(&decrypt); + + return 0; +} + +static int +krb_enc_mit(krb5_context context, + krb5_enctype enctype, + krb5_keyblock *key, + unsigned usage, + krb5_data *cipher, + krb5_data *clear) +{ + krb5_error_code ret; + krb5_enc_data e; + krb5_data decrypt; + size_t len; + + e.kvno = 0; + e.enctype = enctype; + e.ciphertext = *cipher; + + ret = krb5_c_decrypt(context, *key, usage, NULL, &e, &decrypt); + if (ret) + return ret; + + if (decrypt.length != clear->length || + memcmp(decrypt.data, clear->data, decrypt.length) != 0) { + krb5_warnx(context, "clear text not same"); + return EINVAL; + } + + krb5_data_free(&decrypt); + + ret = krb5_c_encrypt_length(context, enctype, clear->length, &len); + if (ret) + return ret; + + if (len != cipher->length) { + krb5_warnx(context, "c_encrypt_length wrong %lu != %lu", + (unsigned long)len, (unsigned long)cipher->length); + return EINVAL; + } + + return 0; +} + + +struct { + krb5_enctype enctype; + unsigned usage; + size_t keylen; + void *key; + size_t elen; + void* edata; + size_t plen; + void *pdata; +} krbencs[] = { + { + ETYPE_AES256_CTS_HMAC_SHA1_96, + 7, + 32, + "\x47\x75\x69\x64\x65\x6c\x69\x6e\x65\x73\x20\x74\x6f\x20\x41\x75" + "\x74\x68\x6f\x72\x73\x20\x6f\x66\x20\x49\x6e\x74\x65\x72\x6e\x65", + 44, + "\xcf\x79\x8f\x0d\x76\xf3\xe0\xbe\x8e\x66\x94\x70\xfa\xcc\x9e\x91" + "\xa9\xec\x1c\x5c\x21\xfb\x6e\xef\x1a\x7a\xc8\xc1\xcc\x5a\x95\x24" + "\x6f\x9f\xf4\xd5\xbe\x5d\x59\x97\x44\xd8\x47\xcd", + 16, + "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x2e\x0a" + } +}; + + +static int +krb_enc_test(krb5_context context) +{ + krb5_error_code ret; + krb5_crypto crypto; + krb5_keyblock kb; + krb5_data cipher, plain; + int i, failed = 0; + + for (i = 0; i < sizeof(krbencs)/sizeof(krbencs[0]); i++) { + + kb.keytype = krbencs[i].enctype; + kb.keyvalue.length = krbencs[i].keylen; + kb.keyvalue.data = krbencs[i].key; + + ret = krb5_crypto_init(context, &kb, krbencs[i].enctype, &crypto); + + cipher.length = krbencs[i].elen; + cipher.data = krbencs[i].edata; + plain.length = krbencs[i].plen; + plain.data = krbencs[i].pdata; + + ret = krb_enc(context, crypto, krbencs[i].usage, &cipher, &plain); + + if (ret) { + failed = 1; + printf("krb_enc failed with %d\n", ret); + } + krb5_crypto_destroy(context, crypto); + + ret = krb_enc_mit(context, krbencs[i].enctype, &kb, + krbencs[i].usage, &cipher, &plain); + if (ret) { + failed = 1; + printf("krb_enc_mit failed with %d\n", ret); + } + + } + + return failed; +} + + +static int +random_to_key(krb5_context context) +{ + krb5_error_code ret; + krb5_keyblock key; + + ret = krb5_random_to_key(context, + ETYPE_DES3_CBC_SHA1, + "\x21\x39\x04\x58\x6A\xBD\x7F" + "\x21\x39\x04\x58\x6A\xBD\x7F" + "\x21\x39\x04\x58\x6A\xBD\x7F", + 21, + &key); + if (ret){ + krb5_warn(context, ret, "random_to_key"); + return 1; + } + if (key.keyvalue.length != 24) + return 1; + + if (memcmp(key.keyvalue.data, + "\x20\x38\x04\x58\x6b\xbc\x7f\xc7" + "\x20\x38\x04\x58\x6b\xbc\x7f\xc7" + "\x20\x38\x04\x58\x6b\xbc\x7f\xc7", + 24) != 0) + return 1; + + krb5_free_keyblock_contents(context, &key); + + return 0; } -#endif /* ENABLE_AES */ int main(int argc, char **argv) @@ -457,9 +760,12 @@ main(int argc, char **argv) val |= string_to_key_test(context); -#ifdef ENABLE_AES - val |= encryption_test(context); -#endif + val |= encryption_test(context, aes_key1, 128, + encs1, sizeof(encs1)/sizeof(encs1[0])); + val |= encryption_test(context, aes_key2, 256, + encs2, sizeof(encs2)/sizeof(encs2[0])); + val |= krb_enc_test(context); + val |= random_to_key(context); if (verbose && val == 0) printf("all ok\n"); diff --git a/crypto/heimdal/lib/krb5/aname_to_localname.c b/crypto/heimdal/lib/krb5/aname_to_localname.c index d5b5f87a6c6c..5800404d9819 100644 --- a/crypto/heimdal/lib/krb5/aname_to_localname.c +++ b/crypto/heimdal/lib/krb5/aname_to_localname.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 1999, 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 1999, 2002 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,9 +33,9 @@ #include <krb5_locl.h> -RCSID("$Id: aname_to_localname.c,v 1.6 2003/04/16 16:01:06 lha Exp $"); +RCSID("$Id: aname_to_localname.c 13863 2004-05-25 21:46:46Z lha $"); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_aname_to_localname (krb5_context context, krb5_const_principal aname, size_t lnsize, diff --git a/crypto/heimdal/lib/krb5/appdefault.c b/crypto/heimdal/lib/krb5/appdefault.c index 831b6036bfed..b0bb171f4a14 100644 --- a/crypto/heimdal/lib/krb5/appdefault.c +++ b/crypto/heimdal/lib/krb5/appdefault.c @@ -33,9 +33,9 @@ #include "krb5_locl.h" -RCSID("$Id: appdefault.c,v 1.7 2001/09/16 04:48:55 assar Exp $"); +RCSID("$Id: appdefault.c 14465 2005-01-05 05:40:59Z lukeh $"); -void +void KRB5_LIB_FUNCTION krb5_appdefault_boolean(krb5_context context, const char *appname, krb5_const_realm realm, const char *option, krb5_boolean def_val, krb5_boolean *ret_val) @@ -77,7 +77,7 @@ krb5_appdefault_boolean(krb5_context context, const char *appname, *ret_val = def_val; } -void +void KRB5_LIB_FUNCTION krb5_appdefault_string(krb5_context context, const char *appname, krb5_const_realm realm, const char *option, const char *def_val, char **ret_val) @@ -121,17 +121,22 @@ krb5_appdefault_string(krb5_context context, const char *appname, *ret_val = NULL; } -void +void KRB5_LIB_FUNCTION krb5_appdefault_time(krb5_context context, const char *appname, krb5_const_realm realm, const char *option, time_t def_val, time_t *ret_val) { - time_t t; - char tstr[32]; + krb5_deltat t; char *val; - snprintf(tstr, sizeof(tstr), "%ld", (long)def_val); - krb5_appdefault_string(context, appname, realm, option, tstr, &val); - t = parse_time (val, NULL); + + krb5_appdefault_string(context, appname, realm, option, NULL, &val); + if (val == NULL) { + *ret_val = def_val; + return; + } + if (krb5_string_to_deltat(val, &t)) + *ret_val = def_val; + else + *ret_val = t; free(val); - *ret_val = t; } diff --git a/crypto/heimdal/lib/krb5/asn1_glue.c b/crypto/heimdal/lib/krb5/asn1_glue.c index ac83ff78bdce..b3f775b4bea3 100644 --- a/crypto/heimdal/lib/krb5/asn1_glue.c +++ b/crypto/heimdal/lib/krb5/asn1_glue.c @@ -37,23 +37,28 @@ #include "krb5_locl.h" -RCSID("$Id: asn1_glue.c,v 1.7 1999/12/02 17:05:07 joda Exp $"); +RCSID("$Id: asn1_glue.c 21745 2007-07-31 16:11:25Z lha $"); -krb5_error_code -krb5_principal2principalname (PrincipalName *p, - const krb5_principal from) +krb5_error_code KRB5_LIB_FUNCTION +_krb5_principal2principalname (PrincipalName *p, + const krb5_principal from) { return copy_PrincipalName(&from->name, p); } -krb5_error_code -principalname2krb5_principal (krb5_principal *principal, - const PrincipalName from, - const Realm realm) +krb5_error_code KRB5_LIB_FUNCTION +_krb5_principalname2krb5_principal (krb5_context context, + krb5_principal *principal, + const PrincipalName from, + const Realm realm) { krb5_principal p = malloc(sizeof(*p)); + if (p == NULL) + return ENOMEM; copy_PrincipalName(&from, &p->name); p->realm = strdup(realm); + if (p->realm == NULL) + return ENOMEM; *principal = p; return 0; } diff --git a/crypto/heimdal/lib/krb5/auth_context.c b/crypto/heimdal/lib/krb5/auth_context.c index 2e7a8f49cbb9..323f17a24534 100644 --- a/crypto/heimdal/lib/krb5/auth_context.c +++ b/crypto/heimdal/lib/krb5/auth_context.c @@ -33,9 +33,9 @@ #include "krb5_locl.h" -RCSID("$Id: auth_context.c,v 1.59 2002/09/02 17:11:02 joda Exp $"); +RCSID("$Id: auth_context.c 21745 2007-07-31 16:11:25Z lha $"); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_init(krb5_context context, krb5_auth_context *auth_context) { @@ -66,7 +66,7 @@ krb5_auth_con_init(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context) { @@ -88,7 +88,7 @@ krb5_auth_con_free(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setflags(krb5_context context, krb5_auth_context auth_context, int32_t flags) @@ -98,7 +98,7 @@ krb5_auth_con_setflags(krb5_context context, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getflags(krb5_context context, krb5_auth_context auth_context, int32_t *flags) @@ -107,8 +107,31 @@ krb5_auth_con_getflags(krb5_context context, return 0; } +krb5_error_code KRB5_LIB_FUNCTION +krb5_auth_con_addflags(krb5_context context, + krb5_auth_context auth_context, + int32_t addflags, + int32_t *flags) +{ + if (flags) + *flags = auth_context->flags; + auth_context->flags |= addflags; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_auth_con_removeflags(krb5_context context, + krb5_auth_context auth_context, + int32_t removeflags, + int32_t *flags) +{ + if (flags) + *flags = auth_context->flags; + auth_context->flags &= ~removeflags; + return 0; +} -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setaddrs(krb5_context context, krb5_auth_context auth_context, krb5_address *local_addr, @@ -118,20 +141,22 @@ krb5_auth_con_setaddrs(krb5_context context, if (auth_context->local_address) krb5_free_address (context, auth_context->local_address); else - auth_context->local_address = malloc(sizeof(krb5_address)); + if ((auth_context->local_address = malloc(sizeof(krb5_address))) == NULL) + return ENOMEM; krb5_copy_address(context, local_addr, auth_context->local_address); } if (remote_addr) { if (auth_context->remote_address) krb5_free_address (context, auth_context->remote_address); else - auth_context->remote_address = malloc(sizeof(krb5_address)); + if ((auth_context->remote_address = malloc(sizeof(krb5_address))) == NULL) + return ENOMEM; krb5_copy_address(context, remote_addr, auth_context->remote_address); } return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_genaddrs(krb5_context context, krb5_auth_context auth_context, int fd, int flags) @@ -190,7 +215,7 @@ krb5_auth_con_genaddrs(krb5_context context, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setaddrs_from_fd (krb5_context context, krb5_auth_context auth_context, void *p_fd) @@ -204,7 +229,7 @@ krb5_auth_con_setaddrs_from_fd (krb5_context context, return krb5_auth_con_genaddrs(context, auth_context, fd, flags); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getaddrs(krb5_context context, krb5_auth_context auth_context, krb5_address **local_addr, @@ -247,7 +272,7 @@ copy_key(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock) @@ -255,7 +280,7 @@ krb5_auth_con_getkey(krb5_context context, return copy_key(context, auth_context->keyblock, keyblock); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getlocalsubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock) @@ -263,7 +288,7 @@ krb5_auth_con_getlocalsubkey(krb5_context context, return copy_key(context, auth_context->local_subkey, keyblock); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock) @@ -271,7 +296,7 @@ krb5_auth_con_getremotesubkey(krb5_context context, return copy_key(context, auth_context->remote_subkey, keyblock); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock) @@ -281,7 +306,7 @@ krb5_auth_con_setkey(krb5_context context, return copy_key(context, keyblock, &auth_context->keyblock); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setlocalsubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock) @@ -291,7 +316,7 @@ krb5_auth_con_setlocalsubkey(krb5_context context, return copy_key(context, keyblock, &auth_context->local_subkey); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_generatelocalsubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *key) @@ -299,7 +324,9 @@ krb5_auth_con_generatelocalsubkey(krb5_context context, krb5_error_code ret; krb5_keyblock *subkey; - ret = krb5_generate_subkey (context, key, &subkey); + ret = krb5_generate_subkey_extended (context, key, + auth_context->keytype, + &subkey); if(ret) return ret; if(auth_context->local_subkey) @@ -309,7 +336,7 @@ krb5_auth_con_generatelocalsubkey(krb5_context context, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setremotesubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock) @@ -319,7 +346,7 @@ krb5_auth_con_setremotesubkey(krb5_context context, return copy_key(context, keyblock, &auth_context->remote_subkey); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setcksumtype(krb5_context context, krb5_auth_context auth_context, krb5_cksumtype cksumtype) @@ -328,7 +355,7 @@ krb5_auth_con_setcksumtype(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getcksumtype(krb5_context context, krb5_auth_context auth_context, krb5_cksumtype *cksumtype) @@ -337,7 +364,7 @@ krb5_auth_con_getcksumtype(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setkeytype (krb5_context context, krb5_auth_context auth_context, krb5_keytype keytype) @@ -346,7 +373,7 @@ krb5_auth_con_setkeytype (krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getkeytype (krb5_context context, krb5_auth_context auth_context, krb5_keytype *keytype) @@ -356,7 +383,7 @@ krb5_auth_con_getkeytype (krb5_context context, } #if 0 -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setenctype(krb5_context context, krb5_auth_context auth_context, krb5_enctype etype) @@ -370,7 +397,7 @@ krb5_auth_con_setenctype(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getenctype(krb5_context context, krb5_auth_context auth_context, krb5_enctype *etype) @@ -379,7 +406,7 @@ krb5_auth_con_getenctype(krb5_context context, } #endif -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getlocalseqnumber(krb5_context context, krb5_auth_context auth_context, int32_t *seqnumber) @@ -388,7 +415,7 @@ krb5_auth_con_getlocalseqnumber(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setlocalseqnumber (krb5_context context, krb5_auth_context auth_context, int32_t seqnumber) @@ -397,7 +424,7 @@ krb5_auth_con_setlocalseqnumber (krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_getremoteseqnumber(krb5_context context, krb5_auth_context auth_context, int32_t *seqnumber) @@ -406,7 +433,7 @@ krb5_auth_getremoteseqnumber(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setremoteseqnumber (krb5_context context, krb5_auth_context auth_context, int32_t seqnumber) @@ -416,7 +443,7 @@ krb5_auth_con_setremoteseqnumber (krb5_context context, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getauthenticator(krb5_context context, krb5_auth_context auth_context, krb5_authenticator *authenticator) @@ -433,7 +460,7 @@ krb5_auth_con_getauthenticator(krb5_context context, } -void +void KRB5_LIB_FUNCTION krb5_free_authenticator(krb5_context context, krb5_authenticator *authenticator) { @@ -443,7 +470,7 @@ krb5_free_authenticator(krb5_context context, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setuserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock) @@ -453,7 +480,7 @@ krb5_auth_con_setuserkey(krb5_context context, return krb5_copy_keyblock(context, keyblock, &auth_context->keyblock); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getrcache(krb5_context context, krb5_auth_context auth_context, krb5_rcache *rcache) @@ -462,7 +489,7 @@ krb5_auth_con_getrcache(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setrcache(krb5_context context, krb5_auth_context auth_context, krb5_rcache rcache) @@ -473,7 +500,7 @@ krb5_auth_con_setrcache(krb5_context context, #if 0 /* not implemented */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_initivector(krb5_context context, krb5_auth_context auth_context) { @@ -481,7 +508,7 @@ krb5_auth_con_initivector(krb5_context context, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setivector(krb5_context context, krb5_auth_context auth_context, krb5_pointer ivector) diff --git a/crypto/heimdal/lib/krb5/build_ap_req.c b/crypto/heimdal/lib/krb5/build_ap_req.c index cab5e6fd2df6..b1968fe817b7 100644 --- a/crypto/heimdal/lib/krb5/build_ap_req.c +++ b/crypto/heimdal/lib/krb5/build_ap_req.c @@ -33,9 +33,9 @@ #include <krb5_locl.h> -RCSID("$Id: build_ap_req.c,v 1.18 2002/09/04 16:26:04 joda Exp $"); +RCSID("$Id: build_ap_req.c 13863 2004-05-25 21:46:46Z lha $"); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_build_ap_req (krb5_context context, krb5_enctype enctype, krb5_creds *cred, @@ -68,7 +68,8 @@ krb5_build_ap_req (krb5_context context, ASN1_MALLOC_ENCODE(AP_REQ, retdata->data, retdata->length, &ap, &len, ret); - + if(ret == 0 && retdata->length != len) + krb5_abortx(context, "internal error in ASN.1 encoder"); free_AP_REQ(&ap); return ret; diff --git a/crypto/heimdal/lib/krb5/build_auth.c b/crypto/heimdal/lib/krb5/build_auth.c index 9a2ca3e28ebf..f8739c044d16 100644 --- a/crypto/heimdal/lib/krb5/build_auth.c +++ b/crypto/heimdal/lib/krb5/build_auth.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,9 +33,73 @@ #include <krb5_locl.h> -RCSID("$Id: build_auth.c,v 1.38 2002/09/04 16:26:04 joda Exp $"); +RCSID("$Id: build_auth.c 17033 2006-04-10 08:53:21Z lha $"); -krb5_error_code +static krb5_error_code +make_etypelist(krb5_context context, + krb5_authdata **auth_data) +{ + EtypeList etypes; + krb5_error_code ret; + krb5_authdata ad; + u_char *buf; + size_t len; + size_t buf_size; + + ret = krb5_init_etype(context, &etypes.len, &etypes.val, NULL); + if (ret) + return ret; + + ASN1_MALLOC_ENCODE(EtypeList, buf, buf_size, &etypes, &len, ret); + if (ret) { + free_EtypeList(&etypes); + return ret; + } + if(buf_size != len) + krb5_abortx(context, "internal error in ASN.1 encoder"); + free_EtypeList(&etypes); + + ALLOC_SEQ(&ad, 1); + if (ad.val == NULL) { + free(buf); + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + + ad.val[0].ad_type = KRB5_AUTHDATA_GSS_API_ETYPE_NEGOTIATION; + ad.val[0].ad_data.length = len; + ad.val[0].ad_data.data = buf; + + ASN1_MALLOC_ENCODE(AD_IF_RELEVANT, buf, buf_size, &ad, &len, ret); + if (ret) { + free_AuthorizationData(&ad); + return ret; + } + if(buf_size != len) + krb5_abortx(context, "internal error in ASN.1 encoder"); + free_AuthorizationData(&ad); + + ALLOC(*auth_data, 1); + if (*auth_data == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + + ALLOC_SEQ(*auth_data, 1); + if ((*auth_data)->val == NULL) { + free(buf); + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + + (*auth_data)->val[0].ad_type = KRB5_AUTHDATA_IF_RELEVANT; + (*auth_data)->val[0].ad_data.length = len; + (*auth_data)->val[0].ad_data.data = buf; + + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_build_authenticator (krb5_context context, krb5_auth_context auth_context, krb5_enctype enctype, @@ -45,86 +109,94 @@ krb5_build_authenticator (krb5_context context, krb5_data *result, krb5_key_usage usage) { - Authenticator *auth; - u_char *buf = NULL; - size_t buf_size; - size_t len; - krb5_error_code ret; - krb5_crypto crypto; - - auth = malloc(sizeof(*auth)); - if (auth == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - - memset (auth, 0, sizeof(*auth)); - auth->authenticator_vno = 5; - copy_Realm(&cred->client->realm, &auth->crealm); - copy_PrincipalName(&cred->client->name, &auth->cname); - - { - int32_t sec, usec; - - krb5_us_timeofday (context, &sec, &usec); - auth->ctime = sec; - auth->cusec = usec; - } - ret = krb5_auth_con_getlocalsubkey(context, auth_context, &auth->subkey); - if(ret) - goto fail; - - if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { - krb5_generate_seq_number (context, - &cred->session, - &auth_context->local_seqnumber); - ALLOC(auth->seq_number, 1); - *auth->seq_number = auth_context->local_seqnumber; - } else - auth->seq_number = NULL; - auth->authorization_data = NULL; - auth->cksum = cksum; - - /* XXX - Copy more to auth_context? */ - - if (auth_context) { + Authenticator *auth; + u_char *buf = NULL; + size_t buf_size; + size_t len; + krb5_error_code ret; + krb5_crypto crypto; + + auth = calloc(1, sizeof(*auth)); + if (auth == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + + auth->authenticator_vno = 5; + copy_Realm(&cred->client->realm, &auth->crealm); + copy_PrincipalName(&cred->client->name, &auth->cname); + + krb5_us_timeofday (context, &auth->ctime, &auth->cusec); + + ret = krb5_auth_con_getlocalsubkey(context, auth_context, &auth->subkey); + if(ret) + goto fail; + + if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { + if(auth_context->local_seqnumber == 0) + krb5_generate_seq_number (context, + &cred->session, + &auth_context->local_seqnumber); + ALLOC(auth->seq_number, 1); + if(auth->seq_number == NULL) { + ret = ENOMEM; + goto fail; + } + *auth->seq_number = auth_context->local_seqnumber; + } else + auth->seq_number = NULL; + auth->authorization_data = NULL; + auth->cksum = cksum; + + if (cksum != NULL && cksum->cksumtype == CKSUMTYPE_GSSAPI) { + /* + * This is not GSS-API specific, we only enable it for + * GSS for now + */ + ret = make_etypelist(context, &auth->authorization_data); + if (ret) + goto fail; + } + + /* XXX - Copy more to auth_context? */ + auth_context->authenticator->ctime = auth->ctime; auth_context->authenticator->cusec = auth->cusec; - } - - ASN1_MALLOC_ENCODE(Authenticator, buf, buf_size, auth, &len, ret); - - if (ret) - goto fail; - - ret = krb5_crypto_init(context, &cred->session, enctype, &crypto); - if (ret) - goto fail; - ret = krb5_encrypt (context, - crypto, - usage /* KRB5_KU_AP_REQ_AUTH */, - buf + buf_size - len, - len, - result); - krb5_crypto_destroy(context, crypto); - - if (ret) - goto fail; - - free (buf); - - if (auth_result) - *auth_result = auth; - else { - /* Don't free the `cksum', it's allocated by the caller */ - auth->cksum = NULL; + + ASN1_MALLOC_ENCODE(Authenticator, buf, buf_size, auth, &len, ret); + if (ret) + goto fail; + if(buf_size != len) + krb5_abortx(context, "internal error in ASN.1 encoder"); + + ret = krb5_crypto_init(context, &cred->session, enctype, &crypto); + if (ret) + goto fail; + ret = krb5_encrypt (context, + crypto, + usage /* KRB5_KU_AP_REQ_AUTH */, + buf + buf_size - len, + len, + result); + krb5_crypto_destroy(context, crypto); + + if (ret) + goto fail; + + free (buf); + + if (auth_result) + *auth_result = auth; + else { + /* Don't free the `cksum', it's allocated by the caller */ + auth->cksum = NULL; + free_Authenticator (auth); + free (auth); + } + return ret; + fail: free_Authenticator (auth); free (auth); - } - return ret; -fail: - free_Authenticator (auth); - free (auth); - free (buf); - return ret; + free (buf); + return ret; } diff --git a/crypto/heimdal/lib/krb5/cache.c b/crypto/heimdal/lib/krb5/cache.c index 26cda9a62604..5db6d2b2cf8a 100644 --- a/crypto/heimdal/lib/krb5/cache.c +++ b/crypto/heimdal/lib/krb5/cache.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,15 +33,23 @@ #include "krb5_locl.h" -RCSID("$Id: cache.c,v 1.52 2003/03/16 18:23:59 lha Exp $"); +RCSID("$Id: cache.c 22127 2007-12-04 00:54:37Z lha $"); -/* +/** * Add a new ccache type with operations `ops', overwriting any * existing one if `override'. - * Return an error code or 0. + * + * @param context a Keberos context + * @param ops type of plugin symbol + * @param override flag to select if the registration is to overide + * an existing ops with the same name. + * + * @return Return an error code or 0. + * + * @ingroup krb5_ccache */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_register(krb5_context context, const krb5_cc_ops *ops, krb5_boolean override) @@ -77,46 +85,74 @@ krb5_cc_register(krb5_context context, } /* - * Allocate memory for a new ccache in `id' with operations `ops' - * and name `residual'. - * Return 0 or an error code. + * Allocate the memory for a `id' and the that function table to + * `ops'. Returns 0 or and error code. */ -static krb5_error_code -allocate_ccache (krb5_context context, - const krb5_cc_ops *ops, - const char *residual, - krb5_ccache *id) +krb5_error_code +_krb5_cc_allocate(krb5_context context, + const krb5_cc_ops *ops, + krb5_ccache *id) { - krb5_error_code ret; krb5_ccache p; - p = malloc(sizeof(*p)); + p = malloc (sizeof(*p)); if(p == NULL) { krb5_set_error_string(context, "malloc: out of memory"); return KRB5_CC_NOMEM; } p->ops = ops; *id = p; - ret = p->ops->resolve(context, id, residual); + + return 0; +} + +/* + * Allocate memory for a new ccache in `id' with operations `ops' + * and name `residual'. Return 0 or an error code. + */ + +static krb5_error_code +allocate_ccache (krb5_context context, + const krb5_cc_ops *ops, + const char *residual, + krb5_ccache *id) +{ + krb5_error_code ret; + + ret = _krb5_cc_allocate(context, ops, id); + if (ret) + return ret; + ret = (*id)->ops->resolve(context, id, residual); if(ret) - free(p); + free(*id); return ret; } -/* +/** * Find and allocate a ccache in `id' from the specification in `residual'. * If the ccache name doesn't contain any colon, interpret it as a file name. - * Return 0 or an error code. + * + * @param context a Keberos context. + * @param name string name of a credential cache. + * @param id return pointer to a found credential cache. + * + * @return Return 0 or an error code. In case of an error, id is set + * to NULL. + * + * @ingroup krb5_ccache */ -krb5_error_code + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_resolve(krb5_context context, const char *name, krb5_ccache *id) { int i; + *id = NULL; + for(i = 0; i < context->num_cc_ops && context->cc_ops[i].prefix; i++) { size_t prefix_len = strlen(context->cc_ops[i].prefix); @@ -135,54 +171,130 @@ krb5_cc_resolve(krb5_context context, } } -/* +/** * Generate a new ccache of type `ops' in `id'. - * Return 0 or an error code. + * + * @return Return 0 or an error code. + * + * @ingroup krb5_ccache */ -krb5_error_code + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_gen_new(krb5_context context, const krb5_cc_ops *ops, krb5_ccache *id) { - krb5_ccache p; + return krb5_cc_new_unique(context, ops->prefix, NULL, id); +} - p = malloc (sizeof(*p)); - if (p == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return KRB5_CC_NOMEM; +/** + * Generates a new unique ccache of `type` in `id'. If `type' is NULL, + * the library chooses the default credential cache type. The supplied + * `hint' (that can be NULL) is a string that the credential cache + * type can use to base the name of the credential on, this is to make + * it easier for the user to differentiate the credentials. + * + * @return Returns 0 or an error code. + * + * @ingroup krb5_ccache + */ + +krb5_error_code KRB5_LIB_FUNCTION +krb5_cc_new_unique(krb5_context context, const char *type, + const char *hint, krb5_ccache *id) +{ + const krb5_cc_ops *ops = KRB5_DEFAULT_CCTYPE; + krb5_error_code ret; + + if (type) { + ops = krb5_cc_get_prefix_ops(context, type); + if (ops == NULL) { + krb5_set_error_string(context, + "Credential cache type %s is unknown", type); + return KRB5_CC_UNKNOWN_TYPE; + } } - p->ops = ops; - *id = p; - return p->ops->gen_new(context, id); + + ret = _krb5_cc_allocate(context, ops, id); + if (ret) + return ret; + return (*id)->ops->gen_new(context, id); } -/* +/** * Return the name of the ccache `id' + * + * @ingroup krb5_ccache */ -const char* + +const char* KRB5_LIB_FUNCTION krb5_cc_get_name(krb5_context context, krb5_ccache id) { return id->ops->get_name(context, id); } -/* +/** * Return the type of the ccache `id'. + * + * @ingroup krb5_ccache */ -const char* + +const char* KRB5_LIB_FUNCTION krb5_cc_get_type(krb5_context context, krb5_ccache id) { return id->ops->prefix; } -/* +/** + * Return the complete resolvable name the ccache `id' in `str´. + * `str` should be freed with free(3). + * Returns 0 or an error (and then *str is set to NULL). + * + * @ingroup krb5_ccache + */ + + +krb5_error_code KRB5_LIB_FUNCTION +krb5_cc_get_full_name(krb5_context context, + krb5_ccache id, + char **str) +{ + const char *type, *name; + + *str = NULL; + + type = krb5_cc_get_type(context, id); + if (type == NULL) { + krb5_set_error_string(context, "cache have no name of type"); + return KRB5_CC_UNKNOWN_TYPE; + } + + name = krb5_cc_get_name(context, id); + if (name == NULL) { + krb5_set_error_string(context, "cache of type %s have no name", type); + return KRB5_CC_BADNAME; + } + + if (asprintf(str, "%s:%s", type, name) == -1) { + krb5_set_error_string(context, "malloc - out of memory"); + *str = NULL; + return ENOMEM; + } + return 0; +} + +/** * Return krb5_cc_ops of a the ccache `id'. + * + * @ingroup krb5_ccache */ + const krb5_cc_ops * krb5_cc_get_ops(krb5_context context, krb5_ccache id) { @@ -190,27 +302,159 @@ krb5_cc_get_ops(krb5_context context, krb5_ccache id) } /* - * Set the default cc name for `context' to `name'. + * Expand variables in `str' into `res' */ krb5_error_code +_krb5_expand_default_cc_name(krb5_context context, const char *str, char **res) +{ + size_t tlen, len = 0; + char *tmp, *tmp2, *append; + + *res = NULL; + + while (str && *str) { + tmp = strstr(str, "%{"); + if (tmp && tmp != str) { + append = malloc((tmp - str) + 1); + if (append) { + memcpy(append, str, tmp - str); + append[tmp - str] = '\0'; + } + str = tmp; + } else if (tmp) { + tmp2 = strchr(tmp, '}'); + if (tmp2 == NULL) { + free(*res); + *res = NULL; + krb5_set_error_string(context, "variable missing }"); + return KRB5_CONFIG_BADFORMAT; + } + if (strncasecmp(tmp, "%{uid}", 6) == 0) + asprintf(&append, "%u", (unsigned)getuid()); + else if (strncasecmp(tmp, "%{null}", 7) == 0) + append = strdup(""); + else { + free(*res); + *res = NULL; + krb5_set_error_string(context, + "expand default cache unknown " + "variable \"%.*s\"", + (int)(tmp2 - tmp) - 2, tmp + 2); + return KRB5_CONFIG_BADFORMAT; + } + str = tmp2 + 1; + } else { + append = strdup(str); + str = NULL; + } + if (append == NULL) { + free(*res); + *res = NULL; + krb5_set_error_string(context, "malloc - out of memory"); + return ENOMEM; + } + + tlen = strlen(append); + tmp = realloc(*res, len + tlen + 1); + if (tmp == NULL) { + free(append); + free(*res); + *res = NULL; + krb5_set_error_string(context, "malloc - out of memory"); + return ENOMEM; + } + *res = tmp; + memcpy(*res + len, append, tlen + 1); + len = len + tlen; + free(append); + } + return 0; +} + +/* + * Return non-zero if envirnoment that will determine default krb5cc + * name has changed. + */ + +static int +environment_changed(krb5_context context) +{ + const char *e; + + /* if the cc name was set, don't change it */ + if (context->default_cc_name_set) + return 0; + + if(issuid()) + return 0; + + e = getenv("KRB5CCNAME"); + if (e == NULL) { + if (context->default_cc_name_env) { + free(context->default_cc_name_env); + context->default_cc_name_env = NULL; + return 1; + } + } else { + if (context->default_cc_name_env == NULL) + return 1; + if (strcmp(e, context->default_cc_name_env) != 0) + return 1; + } + return 0; +} + +/** + * Set the default cc name for `context' to `name'. + * + * @ingroup krb5_ccache + */ + + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_set_default_name(krb5_context context, const char *name) { krb5_error_code ret = 0; char *p; if (name == NULL) { - char *e; - e = getenv("KRB5CCNAME"); - if (e) - p = strdup(e); - else - asprintf(&p,"FILE:/tmp/krb5cc_%u", (unsigned)getuid()); - } else + const char *e = NULL; + + if(!issuid()) { + e = getenv("KRB5CCNAME"); + if (e) { + p = strdup(e); + if (context->default_cc_name_env) + free(context->default_cc_name_env); + context->default_cc_name_env = strdup(e); + } + } + if (e == NULL) { + e = krb5_config_get_string(context, NULL, "libdefaults", + "default_cc_name", NULL); + if (e) { + ret = _krb5_expand_default_cc_name(context, e, &p); + if (ret) + return ret; + } + if (e == NULL) { + const krb5_cc_ops *ops = KRB5_DEFAULT_CCTYPE; + ret = (*ops->default_name)(context, &p); + if (ret) + return ret; + } + } + context->default_cc_name_set = 0; + } else { p = strdup(name); + context->default_cc_name_set = 1; + } - if (p == NULL) + if (p == NULL) { + krb5_set_error_string(context, "malloc - out of memory"); return ENOMEM; + } if (context->default_cc_name) free(context->default_cc_name); @@ -220,100 +464,133 @@ krb5_cc_set_default_name(krb5_context context, const char *name) return ret; } -/* - * Return a pointer to a context static string containing the default ccache name. +/** + * Return a pointer to a context static string containing the default + * ccache name. + * + * @return String to the default credential cache name. + * + * @ingroup krb5_ccache */ -const char* + +const char* KRB5_LIB_FUNCTION krb5_cc_default_name(krb5_context context) { - if (context->default_cc_name == NULL) + if (context->default_cc_name == NULL || environment_changed(context)) krb5_cc_set_default_name(context, NULL); return context->default_cc_name; } -/* +/** * Open the default ccache in `id'. - * Return 0 or an error code. + * + * @return Return 0 or an error code. + * + * @ingroup krb5_ccache */ -krb5_error_code + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_default(krb5_context context, krb5_ccache *id) { const char *p = krb5_cc_default_name(context); - if (p == NULL) + if (p == NULL) { + krb5_set_error_string(context, "malloc - out of memory"); return ENOMEM; + } return krb5_cc_resolve(context, p, id); } -/* +/** * Create a new ccache in `id' for `primary_principal'. - * Return 0 or an error code. + * + * @return Return 0 or an error code. + * + * @ingroup krb5_ccache */ -krb5_error_code + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_initialize(krb5_context context, krb5_ccache id, krb5_principal primary_principal) { - return id->ops->init(context, id, primary_principal); + return (*id->ops->init)(context, id, primary_principal); } -/* +/** * Remove the ccache `id'. - * Return 0 or an error code. + * + * @return Return 0 or an error code. + * + * @ingroup krb5_ccache */ -krb5_error_code + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_destroy(krb5_context context, krb5_ccache id) { krb5_error_code ret; - ret = id->ops->destroy(context, id); + ret = (*id->ops->destroy)(context, id); krb5_cc_close (context, id); return ret; } -/* +/** * Stop using the ccache `id' and free the related resources. - * Return 0 or an error code. + * + * @return Return 0 or an error code. + * + * @ingroup krb5_ccache */ -krb5_error_code + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_close(krb5_context context, krb5_ccache id) { krb5_error_code ret; - ret = id->ops->close(context, id); + ret = (*id->ops->close)(context, id); free(id); return ret; } -/* +/** * Store `creds' in the ccache `id'. - * Return 0 or an error code. + * + * @return Return 0 or an error code. + * + * @ingroup krb5_ccache */ -krb5_error_code + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_store_cred(krb5_context context, krb5_ccache id, krb5_creds *creds) { - return id->ops->store(context, id, creds); + return (*id->ops->store)(context, id, creds); } -/* +/** * Retrieve the credential identified by `mcreds' (and `whichfields') - * from `id' in `creds'. - * Return 0 or an error code. + * from `id' in `creds'. 'creds' must be free by the caller using + * krb5_free_cred_contents. + * + * @return Return 0 or an error code. + * + * @ingroup krb5_ccache */ -krb5_error_code + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_retrieve_cred(krb5_context context, krb5_ccache id, krb5_flags whichfields, @@ -322,77 +599,129 @@ krb5_cc_retrieve_cred(krb5_context context, { krb5_error_code ret; krb5_cc_cursor cursor; - krb5_cc_start_seq_get(context, id, &cursor); + + if (id->ops->retrieve != NULL) { + return (*id->ops->retrieve)(context, id, whichfields, + mcreds, creds); + } + + ret = krb5_cc_start_seq_get(context, id, &cursor); + if (ret) + return ret; while((ret = krb5_cc_next_cred(context, id, &cursor, creds)) == 0){ if(krb5_compare_creds(context, whichfields, mcreds, creds)){ ret = 0; break; } - krb5_free_creds_contents (context, creds); + krb5_free_cred_contents (context, creds); } krb5_cc_end_seq_get(context, id, &cursor); return ret; } -/* +/** * Return the principal of `id' in `principal'. - * Return 0 or an error code. + * + * @return Return 0 or an error code. + * + * @ingroup krb5_ccache */ -krb5_error_code + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_get_principal(krb5_context context, krb5_ccache id, krb5_principal *principal) { - return id->ops->get_princ(context, id, principal); + return (*id->ops->get_princ)(context, id, principal); } -/* +/** * Start iterating over `id', `cursor' is initialized to the * beginning. - * Return 0 or an error code. + * + * @return Return 0 or an error code. + * + * @ingroup krb5_ccache */ -krb5_error_code + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_start_seq_get (krb5_context context, const krb5_ccache id, krb5_cc_cursor *cursor) { - return id->ops->get_first(context, id, cursor); + return (*id->ops->get_first)(context, id, cursor); } -/* +/** * Retrieve the next cred pointed to by (`id', `cursor') in `creds' * and advance `cursor'. - * Return 0 or an error code. + * + * @return Return 0 or an error code. + * + * @ingroup krb5_ccache */ -krb5_error_code + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_next_cred (krb5_context context, const krb5_ccache id, krb5_cc_cursor *cursor, krb5_creds *creds) { - return id->ops->get_next(context, id, cursor, creds); + return (*id->ops->get_next)(context, id, cursor, creds); } -/* +/** + * Like krb5_cc_next_cred, but allow for selective retrieval + * + * @ingroup krb5_ccache + */ + + +krb5_error_code KRB5_LIB_FUNCTION +krb5_cc_next_cred_match(krb5_context context, + const krb5_ccache id, + krb5_cc_cursor * cursor, + krb5_creds * creds, + krb5_flags whichfields, + const krb5_creds * mcreds) +{ + krb5_error_code ret; + while (1) { + ret = krb5_cc_next_cred(context, id, cursor, creds); + if (ret) + return ret; + if (mcreds == NULL || krb5_compare_creds(context, whichfields, mcreds, creds)) + return 0; + krb5_free_cred_contents(context, creds); + } +} + +/** * Destroy the cursor `cursor'. + * + * @ingroup krb5_ccache */ -krb5_error_code + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_end_seq_get (krb5_context context, const krb5_ccache id, krb5_cc_cursor *cursor) { - return id->ops->end_get(context, id, cursor); + return (*id->ops->end_get)(context, id, cursor); } -/* +/** * Remove the credential identified by `cred', `which' from `id'. + * + * @ingroup krb5_ccache */ -krb5_error_code + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_remove_cred(krb5_context context, krb5_ccache id, krb5_flags which, @@ -407,26 +736,35 @@ krb5_cc_remove_cred(krb5_context context, return (*id->ops->remove_cred)(context, id, which, cred); } -/* +/** * Set the flags of `id' to `flags'. + * + * @ingroup krb5_ccache */ -krb5_error_code + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_set_flags(krb5_context context, krb5_ccache id, krb5_flags flags) { - return id->ops->set_flags(context, id, flags); + return (*id->ops->set_flags)(context, id, flags); } -/* +/** * Copy the contents of `from' to `to'. + * + * @ingroup krb5_ccache */ -krb5_error_code -krb5_cc_copy_cache(krb5_context context, - const krb5_ccache from, - krb5_ccache to) + +krb5_error_code KRB5_LIB_FUNCTION +krb5_cc_copy_cache_match(krb5_context context, + const krb5_ccache from, + krb5_ccache to, + krb5_flags whichfields, + const krb5_creds * mcreds, + unsigned int *matched) { krb5_error_code ret; krb5_cc_cursor cursor; @@ -434,37 +772,302 @@ krb5_cc_copy_cache(krb5_context context, krb5_principal princ; ret = krb5_cc_get_principal(context, from, &princ); - if(ret) + if (ret) return ret; ret = krb5_cc_initialize(context, to, princ); - if(ret){ + if (ret) { krb5_free_principal(context, princ); return ret; } ret = krb5_cc_start_seq_get(context, from, &cursor); - if(ret){ + if (ret) { krb5_free_principal(context, princ); return ret; } - while(ret == 0 && krb5_cc_next_cred(context, from, &cursor, &cred) == 0){ + if (matched) + *matched = 0; + while (ret == 0 && + krb5_cc_next_cred_match(context, from, &cursor, &cred, + whichfields, mcreds) == 0) { + if (matched) + (*matched)++; ret = krb5_cc_store_cred(context, to, &cred); - krb5_free_creds_contents (context, &cred); + krb5_free_cred_contents(context, &cred); } krb5_cc_end_seq_get(context, from, &cursor); krb5_free_principal(context, princ); return ret; } -/* +/** + * Just like krb5_cc_copy_cache_match, but copy everything. + * + * @ingroup krb5_ccache + */ + + +krb5_error_code KRB5_LIB_FUNCTION +krb5_cc_copy_cache(krb5_context context, + const krb5_ccache from, + krb5_ccache to) +{ + return krb5_cc_copy_cache_match(context, from, to, 0, NULL, NULL); +} + +/** * Return the version of `id'. + * + * @ingroup krb5_ccache */ -krb5_error_code + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_get_version(krb5_context context, const krb5_ccache id) { if(id->ops->get_version) - return id->ops->get_version(context, id); + return (*id->ops->get_version)(context, id); else return 0; } + +/** + * Clear `mcreds' so it can be used with krb5_cc_retrieve_cred + * + * @ingroup krb5_ccache + */ + + +void KRB5_LIB_FUNCTION +krb5_cc_clear_mcred(krb5_creds *mcred) +{ + memset(mcred, 0, sizeof(*mcred)); +} + +/** + * Get the cc ops that is registered in `context' to handle the + * `prefix'. `prefix' can be a complete credential cache name or a + * prefix, the function will only use part up to the first colon (:) + * if there is one. + * Returns NULL if ops not found. + * + * @ingroup krb5_ccache + */ + + +const krb5_cc_ops * +krb5_cc_get_prefix_ops(krb5_context context, const char *prefix) +{ + char *p, *p1; + int i; + + if (prefix[0] == '/') + return &krb5_fcc_ops; + + p = strdup(prefix); + if (p == NULL) { + krb5_set_error_string(context, "malloc - out of memory"); + return NULL; + } + p1 = strchr(p, ':'); + if (p1) + *p1 = '\0'; + + for(i = 0; i < context->num_cc_ops && context->cc_ops[i].prefix; i++) { + if(strcmp(context->cc_ops[i].prefix, p) == 0) { + free(p); + return &context->cc_ops[i]; + } + } + free(p); + return NULL; +} + +struct krb5_cc_cache_cursor_data { + const krb5_cc_ops *ops; + krb5_cc_cursor cursor; +}; + +/** + * Start iterating over all caches of `type'. If `type' is NULL, the + * default type is * used. `cursor' is initialized to the beginning. + * + * @return Return 0 or an error code. + * + * @ingroup krb5_ccache + */ + + +krb5_error_code KRB5_LIB_FUNCTION +krb5_cc_cache_get_first (krb5_context context, + const char *type, + krb5_cc_cache_cursor *cursor) +{ + const krb5_cc_ops *ops; + krb5_error_code ret; + + if (type == NULL) + type = krb5_cc_default_name(context); + + ops = krb5_cc_get_prefix_ops(context, type); + if (ops == NULL) { + krb5_set_error_string(context, "Unknown type \"%s\" when iterating " + "trying to iterate the credential caches", type); + return KRB5_CC_UNKNOWN_TYPE; + } + + if (ops->get_cache_first == NULL) { + krb5_set_error_string(context, "Credential cache type %s doesn't support " + "iterations over caches", ops->prefix); + return KRB5_CC_NOSUPP; + } + + *cursor = calloc(1, sizeof(**cursor)); + if (*cursor == NULL) { + krb5_set_error_string(context, "malloc - out of memory"); + return ENOMEM; + } + + (*cursor)->ops = ops; + + ret = ops->get_cache_first(context, &(*cursor)->cursor); + if (ret) { + free(*cursor); + *cursor = NULL; + } + return ret; +} + +/** + * Retrieve the next cache pointed to by (`cursor') in `id' + * and advance `cursor'. + * + * @return Return 0 or an error code. + * + * @ingroup krb5_ccache + */ + + +krb5_error_code KRB5_LIB_FUNCTION +krb5_cc_cache_next (krb5_context context, + krb5_cc_cache_cursor cursor, + krb5_ccache *id) +{ + return cursor->ops->get_cache_next(context, cursor->cursor, id); +} + +/** + * Destroy the cursor `cursor'. + * + * @return Return 0 or an error code. + * + * @ingroup krb5_ccache + */ + + +krb5_error_code KRB5_LIB_FUNCTION +krb5_cc_cache_end_seq_get (krb5_context context, + krb5_cc_cache_cursor cursor) +{ + krb5_error_code ret; + ret = cursor->ops->end_cache_get(context, cursor->cursor); + cursor->ops = NULL; + free(cursor); + return ret; +} + +/** + * Search for a matching credential cache of type `type' that have the + * `principal' as the default principal. If NULL is used for `type', + * the default type is used. On success, `id' needs to be freed with + * krb5_cc_close or krb5_cc_destroy. + * + * @return On failure, error code is returned and `id' is set to NULL. + * + * @ingroup krb5_ccache + */ + + +krb5_error_code KRB5_LIB_FUNCTION +krb5_cc_cache_match (krb5_context context, + krb5_principal client, + const char *type, + krb5_ccache *id) +{ + krb5_cc_cache_cursor cursor; + krb5_error_code ret; + krb5_ccache cache = NULL; + + *id = NULL; + + ret = krb5_cc_cache_get_first (context, type, &cursor); + if (ret) + return ret; + + while ((ret = krb5_cc_cache_next (context, cursor, &cache)) == 0) { + krb5_principal principal; + + ret = krb5_cc_get_principal(context, cache, &principal); + if (ret == 0) { + krb5_boolean match; + + match = krb5_principal_compare(context, principal, client); + krb5_free_principal(context, principal); + if (match) + break; + } + + krb5_cc_close(context, cache); + cache = NULL; + } + + krb5_cc_cache_end_seq_get(context, cursor); + + if (cache == NULL) { + char *str; + + krb5_unparse_name(context, client, &str); + + krb5_set_error_string(context, "Principal %s not found in a " + "credential cache", str ? str : "<out of memory>"); + if (str) + free(str); + return KRB5_CC_NOTFOUND; + } + *id = cache; + + return 0; +} + +/** + * Move the content from one credential cache to another. The + * operation is an atomic switch. + * + * @param context a Keberos context + * @param from the credential cache to move the content from + * @param to the credential cache to move the content to + + * @return On sucess, from is freed. On failure, error code is + * returned and from and to are both still allocated. + * + * @ingroup krb5_ccache + */ + +krb5_error_code +krb5_cc_move(krb5_context context, krb5_ccache from, krb5_ccache to) +{ + krb5_error_code ret; + + if (strcmp(from->ops->prefix, to->ops->prefix) != 0) { + krb5_set_error_string(context, "Moving credentials between diffrent " + "types not yet supported"); + return KRB5_CC_NOSUPP; + } + + ret = (*to->ops->move)(context, from, to); + if (ret == 0) { + memset(from, 0, sizeof(*from)); + free(from); + } + return ret; +} diff --git a/crypto/heimdal/lib/krb5/changepw.c b/crypto/heimdal/lib/krb5/changepw.c index 1c4013b50049..703cf43eb6fb 100644 --- a/crypto/heimdal/lib/krb5/changepw.c +++ b/crypto/heimdal/lib/krb5/changepw.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$Id: changepw.c,v 1.38.2.1 2004/06/21 08:38:10 lha Exp $"); +RCSID("$Id: changepw.c 21505 2007-07-12 12:28:38Z lha $"); static void str2data (krb5_data *d, @@ -46,10 +46,12 @@ str2data (krb5_data *d, ...) { va_list args; + char *str; va_start(args, fmt); - d->length = vasprintf ((char **)&d->data, fmt, args); + d->length = vasprintf (&str, fmt, args); va_end(args); + d->data = str; } /* @@ -67,7 +69,7 @@ chgpw_send_request (krb5_context context, krb5_principal targprinc, int is_stream, int sock, - char *passwd, + const char *passwd, const char *host) { krb5_error_code ret; @@ -98,7 +100,7 @@ chgpw_send_request (krb5_context context, if (ret) return ret; - passwd_data.data = passwd; + passwd_data.data = rk_UNCONST(passwd); passwd_data.length = strlen(passwd); krb5_data_zero (&krb_priv_data); @@ -160,7 +162,7 @@ setpw_send_request (krb5_context context, krb5_principal targprinc, int is_stream, int sock, - char *passwd, + const char *passwd, const char *host) { krb5_error_code ret; @@ -186,7 +188,7 @@ setpw_send_request (krb5_context context, return ret; chpw.newpasswd.length = strlen(passwd); - chpw.newpasswd.data = passwd; + chpw.newpasswd.data = rk_UNCONST(passwd); if (targprinc) { chpw.targname = &targprinc->name; chpw.targrealm = &targprinc->realm; @@ -271,7 +273,7 @@ process_reply (krb5_context context, krb5_error_code ret; u_char reply[1024 * 3]; ssize_t len; - u_int16_t pkt_len, pkt_ver; + uint16_t pkt_len, pkt_ver; krb5_data ap_rep_data; int save_errno; @@ -319,7 +321,7 @@ process_reply (krb5_context context, if (len < 6) { str2data (result_string, "server %s sent to too short message " - "(%d bytes)", host, len); + "(%ld bytes)", host, (long)len); *result_code = KRB5_KPASSWD_MALFORMED; return 0; } @@ -456,7 +458,7 @@ typedef krb5_error_code (*kpwd_send_request) (krb5_context, krb5_principal, int, int, - char *, + const char *, const char *); typedef krb5_error_code (*kpwd_process_reply) (krb5_context, krb5_auth_context, @@ -467,7 +469,7 @@ typedef krb5_error_code (*kpwd_process_reply) (krb5_context, krb5_data *, const char *); -struct kpwd_proc { +static struct kpwd_proc { const char *name; int flags; #define SUPPORT_TCP 1 @@ -509,7 +511,7 @@ static krb5_error_code change_password_loop (krb5_context context, krb5_creds *creds, krb5_principal targprinc, - char *newpw, + const char *newpw, int *result_code, krb5_data *result_code_string, krb5_data *result_string, @@ -522,7 +524,12 @@ change_password_loop (krb5_context context, int sock; int i; int done = 0; - krb5_realm realm = creds->client->realm; + krb5_realm realm; + + if (targprinc) + realm = targprinc->realm; + else + realm = creds->client->realm; ret = krb5_auth_con_init (context, &auth_context); if (ret) @@ -643,10 +650,12 @@ change_password_loop (krb5_context context, if (done) return 0; else { - if (ret == KRB5_KDC_UNREACH) + if (ret == KRB5_KDC_UNREACH) { krb5_set_error_string(context, "unable to reach any changepw server " " in realm %s", realm); + *result_code = KRB5_KPASSWD_HARDERROR; + } return ret; } } @@ -658,10 +667,10 @@ change_password_loop (krb5_context context, * the operation in `result_*' and an error code or 0. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_change_password (krb5_context context, krb5_creds *creds, - char *newpw, + const char *newpw, int *result_code, krb5_data *result_code_string, krb5_data *result_string) @@ -684,10 +693,10 @@ krb5_change_password (krb5_context context, * */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_password(krb5_context context, krb5_creds *creds, - char *newpw, + const char *newpw, krb5_principal targprinc, int *result_code, krb5_data *result_code_string, @@ -710,7 +719,7 @@ krb5_set_password(krb5_context context, for (i = 0; procs[i].name != NULL; i++) { *result_code = 0; - ret = change_password_loop(context, creds, targprinc, newpw, + ret = change_password_loop(context, creds, principal, newpw, result_code, result_code_string, result_string, &procs[i]); @@ -727,10 +736,10 @@ krb5_set_password(krb5_context context, * */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_password_using_ccache(krb5_context context, krb5_ccache ccache, - char *newpw, + const char *newpw, krb5_principal targprinc, int *result_code, krb5_data *result_code_string, @@ -792,7 +801,7 @@ krb5_set_password_using_ccache(krb5_context context, * */ -const char* +const char* KRB5_LIB_FUNCTION krb5_passwd_result_to_string (krb5_context context, int result) { diff --git a/crypto/heimdal/lib/krb5/codec.c b/crypto/heimdal/lib/krb5/codec.c index 6a49e68ec9ab..0d36b4b44268 100644 --- a/crypto/heimdal/lib/krb5/codec.c +++ b/crypto/heimdal/lib/krb5/codec.c @@ -33,9 +33,9 @@ #include "krb5_locl.h" -RCSID("$Id: codec.c,v 1.7 2001/05/16 22:08:08 assar Exp $"); +RCSID("$Id: codec.c 13863 2004-05-25 21:46:46Z lha $"); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_EncTicketPart (krb5_context context, const void *data, size_t length, @@ -45,7 +45,7 @@ krb5_decode_EncTicketPart (krb5_context context, return decode_EncTicketPart(data, length, t, len); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encode_EncTicketPart (krb5_context context, void *data, size_t length, @@ -55,7 +55,7 @@ krb5_encode_EncTicketPart (krb5_context context, return encode_EncTicketPart(data, length, t, len); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_EncASRepPart (krb5_context context, const void *data, size_t length, @@ -65,7 +65,7 @@ krb5_decode_EncASRepPart (krb5_context context, return decode_EncASRepPart(data, length, t, len); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encode_EncASRepPart (krb5_context context, void *data, size_t length, @@ -75,7 +75,7 @@ krb5_encode_EncASRepPart (krb5_context context, return encode_EncASRepPart(data, length, t, len); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_EncTGSRepPart (krb5_context context, const void *data, size_t length, @@ -85,7 +85,7 @@ krb5_decode_EncTGSRepPart (krb5_context context, return decode_EncTGSRepPart(data, length, t, len); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encode_EncTGSRepPart (krb5_context context, void *data, size_t length, @@ -95,7 +95,7 @@ krb5_encode_EncTGSRepPart (krb5_context context, return encode_EncTGSRepPart(data, length, t, len); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_EncAPRepPart (krb5_context context, const void *data, size_t length, @@ -105,7 +105,7 @@ krb5_decode_EncAPRepPart (krb5_context context, return decode_EncAPRepPart(data, length, t, len); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encode_EncAPRepPart (krb5_context context, void *data, size_t length, @@ -115,7 +115,7 @@ krb5_encode_EncAPRepPart (krb5_context context, return encode_EncAPRepPart(data, length, t, len); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_Authenticator (krb5_context context, const void *data, size_t length, @@ -125,7 +125,7 @@ krb5_decode_Authenticator (krb5_context context, return decode_Authenticator(data, length, t, len); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encode_Authenticator (krb5_context context, void *data, size_t length, @@ -135,7 +135,7 @@ krb5_encode_Authenticator (krb5_context context, return encode_Authenticator(data, length, t, len); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_EncKrbCredPart (krb5_context context, const void *data, size_t length, @@ -145,7 +145,7 @@ krb5_decode_EncKrbCredPart (krb5_context context, return decode_EncKrbCredPart(data, length, t, len); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encode_EncKrbCredPart (krb5_context context, void *data, size_t length, @@ -155,7 +155,7 @@ krb5_encode_EncKrbCredPart (krb5_context context, return encode_EncKrbCredPart (data, length, t, len); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_ETYPE_INFO (krb5_context context, const void *data, size_t length, @@ -165,7 +165,7 @@ krb5_decode_ETYPE_INFO (krb5_context context, return decode_ETYPE_INFO(data, length, t, len); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encode_ETYPE_INFO (krb5_context context, void *data, size_t length, @@ -174,3 +174,23 @@ krb5_encode_ETYPE_INFO (krb5_context context, { return encode_ETYPE_INFO (data, length, t, len); } + +krb5_error_code KRB5_LIB_FUNCTION +krb5_decode_ETYPE_INFO2 (krb5_context context, + const void *data, + size_t length, + ETYPE_INFO2 *t, + size_t *len) +{ + return decode_ETYPE_INFO2(data, length, t, len); +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_encode_ETYPE_INFO2 (krb5_context context, + void *data, + size_t length, + ETYPE_INFO2 *t, + size_t *len) +{ + return encode_ETYPE_INFO2 (data, length, t, len); +} diff --git a/crypto/heimdal/lib/krb5/config_file.c b/crypto/heimdal/lib/krb5/config_file.c index 47c1a945cb1d..ac5eba39dcff 100644 --- a/crypto/heimdal/lib/krb5/config_file.c +++ b/crypto/heimdal/lib/krb5/config_file.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,18 +32,50 @@ */ #include "krb5_locl.h" -RCSID("$Id: config_file.c,v 1.46.4.2 2003/10/13 13:46:10 lha Exp $"); +RCSID("$Id: config_file.c 19213 2006-12-04 23:36:36Z lha $"); #ifndef HAVE_NETINFO +/* Gaah! I want a portable funopen */ +struct fileptr { + const char *s; + FILE *f; +}; + +static char * +config_fgets(char *str, size_t len, struct fileptr *ptr) +{ + /* XXX this is not correct, in that they don't do the same if the + line is longer than len */ + if(ptr->f != NULL) + return fgets(str, len, ptr->f); + else { + /* this is almost strsep_copy */ + const char *p; + ssize_t l; + if(*ptr->s == '\0') + return NULL; + p = ptr->s + strcspn(ptr->s, "\n"); + if(*p == '\n') + p++; + l = min(len, p - ptr->s); + if(len > 0) { + memcpy(str, ptr->s, l); + str[l] = '\0'; + } + ptr->s = p; + return str; + } +} + static krb5_error_code parse_section(char *p, krb5_config_section **s, krb5_config_section **res, const char **error_message); -static krb5_error_code parse_binding(FILE *f, unsigned *lineno, char *p, +static krb5_error_code parse_binding(struct fileptr *f, unsigned *lineno, char *p, krb5_config_binding **b, krb5_config_binding **parent, const char **error_message); -static krb5_error_code parse_list(FILE *f, unsigned *lineno, +static krb5_error_code parse_list(struct fileptr *f, unsigned *lineno, krb5_config_binding **parent, const char **error_message); @@ -114,7 +146,7 @@ parse_section(char *p, krb5_config_section **s, krb5_config_section **parent, */ static krb5_error_code -parse_list(FILE *f, unsigned *lineno, krb5_config_binding **parent, +parse_list(struct fileptr *f, unsigned *lineno, krb5_config_binding **parent, const char **error_message) { char buf[BUFSIZ]; @@ -122,12 +154,11 @@ parse_list(FILE *f, unsigned *lineno, krb5_config_binding **parent, krb5_config_binding *b = NULL; unsigned beg_lineno = *lineno; - while(fgets(buf, sizeof(buf), f) != NULL) { + while(config_fgets(buf, sizeof(buf), f) != NULL) { char *p; ++*lineno; - if (buf[strlen(buf) - 1] == '\n') - buf[strlen(buf) - 1] = '\0'; + buf[strcspn(buf, "\r\n")] = '\0'; p = buf; while(isspace((unsigned char)*p)) ++p; @@ -153,7 +184,7 @@ parse_list(FILE *f, unsigned *lineno, krb5_config_binding **parent, */ static krb5_error_code -parse_binding(FILE *f, unsigned *lineno, char *p, +parse_binding(struct fileptr *f, unsigned *lineno, char *p, krb5_config_binding **b, krb5_config_binding **parent, const char **error_message) { @@ -209,31 +240,21 @@ parse_binding(FILE *f, unsigned *lineno, char *p, */ static krb5_error_code -krb5_config_parse_file_debug (const char *fname, - krb5_config_section **res, - unsigned *lineno, - const char **error_message) +krb5_config_parse_debug (struct fileptr *f, + krb5_config_section **res, + unsigned *lineno, + const char **error_message) { - FILE *f; - krb5_config_section *s; - krb5_config_binding *b; + krb5_config_section *s = NULL; + krb5_config_binding *b = NULL; char buf[BUFSIZ]; - krb5_error_code ret = 0; + krb5_error_code ret; - s = NULL; - b = NULL; - *lineno = 0; - f = fopen (fname, "r"); - if (f == NULL) { - *error_message = "cannot open file"; - return ENOENT; - } - while (fgets(buf, sizeof(buf), f) != NULL) { + while (config_fgets(buf, sizeof(buf), f) != NULL) { char *p; ++*lineno; - if(buf[strlen(buf) - 1] == '\n') - buf[strlen(buf) - 1] = '\0'; + buf[strcspn(buf, "\r\n")] = '\0'; p = buf; while(isspace((unsigned char)*p)) ++p; @@ -241,40 +262,64 @@ krb5_config_parse_file_debug (const char *fname, continue; if (*p == '[') { ret = parse_section(p, &s, res, error_message); - if (ret) { - goto out; - } + if (ret) + return ret; b = NULL; } else if (*p == '}') { *error_message = "unmatched }"; - ret = EINVAL; /* XXX */ - goto out; + return EINVAL; /* XXX */ } else if(*p != '\0') { if (s == NULL) { *error_message = "binding before section"; - ret = EINVAL; - goto out; + return EINVAL; } ret = parse_binding(f, lineno, p, &b, &s->u.list, error_message); if (ret) - goto out; + return ret; } } -out: - fclose (f); - return ret; + return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_config_parse_string_multi(krb5_context context, + const char *string, + krb5_config_section **res) +{ + const char *str; + unsigned lineno = 0; + krb5_error_code ret; + struct fileptr f; + f.f = NULL; + f.s = string; + + ret = krb5_config_parse_debug (&f, res, &lineno, &str); + if (ret) { + krb5_set_error_string (context, "%s:%u: %s", "<constant>", lineno, str); + return ret; + } + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_config_parse_file_multi (krb5_context context, const char *fname, krb5_config_section **res) { const char *str; - unsigned lineno; + unsigned lineno = 0; krb5_error_code ret; + struct fileptr f; + f.f = fopen(fname, "r"); + f.s = NULL; + if(f.f == NULL) { + ret = errno; + krb5_set_error_string (context, "open %s: %s", fname, strerror(ret)); + return ret; + } - ret = krb5_config_parse_file_debug (fname, res, &lineno, &str); + ret = krb5_config_parse_debug (&f, res, &lineno, &str); + fclose(f.f); if (ret) { krb5_set_error_string (context, "%s:%u: %s", fname, lineno, str); return ret; @@ -282,7 +327,7 @@ krb5_config_parse_file_multi (krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_config_parse_file (krb5_context context, const char *fname, krb5_config_section **res) @@ -313,7 +358,7 @@ free_binding (krb5_context context, krb5_config_binding *b) } } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_config_file_free (krb5_context context, krb5_config_section *s) { free_binding (context, s); @@ -443,7 +488,7 @@ krb5_config_vget_list (krb5_context context, return krb5_config_vget (context, c, krb5_config_list, args); } -const char * +const char* KRB5_LIB_FUNCTION krb5_config_get_string (krb5_context context, const krb5_config_section *c, ...) @@ -457,7 +502,7 @@ krb5_config_get_string (krb5_context context, return ret; } -const char * +const char* KRB5_LIB_FUNCTION krb5_config_vget_string (krb5_context context, const krb5_config_section *c, va_list args) @@ -465,7 +510,7 @@ krb5_config_vget_string (krb5_context context, return krb5_config_vget (context, c, krb5_config_string, args); } -const char * +const char* KRB5_LIB_FUNCTION krb5_config_vget_string_default (krb5_context context, const krb5_config_section *c, const char *def_value, @@ -479,7 +524,7 @@ krb5_config_vget_string_default (krb5_context context, return ret; } -const char * +const char* KRB5_LIB_FUNCTION krb5_config_get_string_default (krb5_context context, const krb5_config_section *c, const char *def_value, @@ -494,7 +539,7 @@ krb5_config_get_string_default (krb5_context context, return ret; } -char ** +char ** KRB5_LIB_FUNCTION krb5_config_vget_strings(krb5_context context, const krb5_config_section *c, va_list args) @@ -513,10 +558,10 @@ krb5_config_vget_strings(krb5_context context, goto cleanup; s = strtok_r(tmp, " \t", &pos); while(s){ - char **tmp = realloc(strings, (nstr + 1) * sizeof(*strings)); - if(tmp == NULL) + char **tmp2 = realloc(strings, (nstr + 1) * sizeof(*strings)); + if(tmp2 == NULL) goto cleanup; - strings = tmp; + strings = tmp2; strings[nstr] = strdup(s); nstr++; if(strings[nstr-1] == NULL) @@ -527,7 +572,7 @@ krb5_config_vget_strings(krb5_context context, } if(nstr){ char **tmp = realloc(strings, (nstr + 1) * sizeof(*strings)); - if(strings == NULL) + if(tmp == NULL) goto cleanup; strings = tmp; strings[nstr] = NULL; @@ -554,7 +599,7 @@ krb5_config_get_strings(krb5_context context, return ret; } -void +void KRB5_LIB_FUNCTION krb5_config_free_strings(char **strings) { char **s = strings; @@ -565,7 +610,7 @@ krb5_config_free_strings(char **strings) free(strings); } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_config_vget_bool_default (krb5_context context, const krb5_config_section *c, krb5_boolean def_value, @@ -581,7 +626,7 @@ krb5_config_vget_bool_default (krb5_context context, return FALSE; } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_config_vget_bool (krb5_context context, const krb5_config_section *c, va_list args) @@ -589,7 +634,7 @@ krb5_config_vget_bool (krb5_context context, return krb5_config_vget_bool_default (context, c, FALSE, args); } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_config_get_bool_default (krb5_context context, const krb5_config_section *c, krb5_boolean def_value, @@ -603,7 +648,7 @@ krb5_config_get_bool_default (krb5_context context, return ret; } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_config_get_bool (krb5_context context, const krb5_config_section *c, ...) @@ -616,20 +661,24 @@ krb5_config_get_bool (krb5_context context, return ret; } -int +int KRB5_LIB_FUNCTION krb5_config_vget_time_default (krb5_context context, const krb5_config_section *c, int def_value, va_list args) { const char *str; + krb5_deltat t; + str = krb5_config_vget_string (context, c, args); if(str == NULL) return def_value; - return parse_time (str, NULL); + if (krb5_string_to_deltat(str, &t)) + return def_value; + return t; } -int +int KRB5_LIB_FUNCTION krb5_config_vget_time (krb5_context context, const krb5_config_section *c, va_list args) @@ -637,7 +686,7 @@ krb5_config_vget_time (krb5_context context, return krb5_config_vget_time_default (context, c, -1, args); } -int +int KRB5_LIB_FUNCTION krb5_config_get_time_default (krb5_context context, const krb5_config_section *c, int def_value, @@ -651,7 +700,7 @@ krb5_config_get_time_default (krb5_context context, return ret; } -int +int KRB5_LIB_FUNCTION krb5_config_get_time (krb5_context context, const krb5_config_section *c, ...) @@ -665,7 +714,7 @@ krb5_config_get_time (krb5_context context, } -int +int KRB5_LIB_FUNCTION krb5_config_vget_int_default (krb5_context context, const krb5_config_section *c, int def_value, @@ -686,7 +735,7 @@ krb5_config_vget_int_default (krb5_context context, } } -int +int KRB5_LIB_FUNCTION krb5_config_vget_int (krb5_context context, const krb5_config_section *c, va_list args) @@ -694,7 +743,7 @@ krb5_config_vget_int (krb5_context context, return krb5_config_vget_int_default (context, c, -1, args); } -int +int KRB5_LIB_FUNCTION krb5_config_get_int_default (krb5_context context, const krb5_config_section *c, int def_value, @@ -708,7 +757,7 @@ krb5_config_get_int_default (krb5_context context, return ret; } -int +int KRB5_LIB_FUNCTION krb5_config_get_int (krb5_context context, const krb5_config_section *c, ...) diff --git a/crypto/heimdal/lib/krb5/config_file_netinfo.c b/crypto/heimdal/lib/krb5/config_file_netinfo.c index a035e887b921..1e01e7c5ffbc 100644 --- a/crypto/heimdal/lib/krb5/config_file_netinfo.c +++ b/crypto/heimdal/lib/krb5/config_file_netinfo.c @@ -32,7 +32,7 @@ */ #include "krb5_locl.h" -RCSID("$Id: config_file_netinfo.c,v 1.3 2001/05/14 06:14:45 assar Exp $"); +RCSID("$Id: config_file_netinfo.c 13863 2004-05-25 21:46:46Z lha $"); /* * Netinfo implementation from Luke Howard <lukeh@xedoc.com.au> @@ -130,7 +130,7 @@ ni_idlist2binding(void *ni, ni_idlist *idlist, krb5_config_section **ret) return NI_OK; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_config_parse_file (krb5_context context, const char *fname, krb5_config_section **res) diff --git a/crypto/heimdal/lib/krb5/constants.c b/crypto/heimdal/lib/krb5/constants.c index 280bf620af6f..5188a1d3a864 100644 --- a/crypto/heimdal/lib/krb5/constants.c +++ b/crypto/heimdal/lib/krb5/constants.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,11 @@ #include "krb5_locl.h" -RCSID("$Id: constants.c,v 1.7 2002/08/16 20:52:15 joda Exp $"); +RCSID("$Id: constants.c 14253 2004-09-23 07:57:37Z joda $"); -const char *krb5_config_file = SYSCONFDIR "/krb5.conf:/etc/krb5.conf"; +const char *krb5_config_file = +#ifdef __APPLE__ +"/Library/Preferences/edu.mit.Kerberos:" +#endif +SYSCONFDIR "/krb5.conf:/etc/krb5.conf"; const char *krb5_defkeyname = KEYTAB_DEFAULT; diff --git a/crypto/heimdal/lib/krb5/context.c b/crypto/heimdal/lib/krb5/context.c index d3982e8e9a8f..256783310e93 100644 --- a/crypto/heimdal/lib/krb5/context.c +++ b/crypto/heimdal/lib/krb5/context.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -34,12 +34,19 @@ #include "krb5_locl.h" #include <com_err.h> -RCSID("$Id: context.c,v 1.83.2.1 2004/08/20 15:30:24 lha Exp $"); +RCSID("$Id: context.c 22293 2007-12-14 05:25:59Z lha $"); #define INIT_FIELD(C, T, E, D, F) \ (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \ "libdefaults", F, NULL) +#define INIT_FLAG(C, O, V, D, F) \ + do { \ + if (krb5_config_get_bool_default((C), NULL, (D),"libdefaults", F, NULL)) { \ + (C)->O |= V; \ + } \ + } while(0) + /* * Set the list of etypes `ret_etypes' from the configuration variable * `name' @@ -65,8 +72,12 @@ set_etypes (krb5_context context, return ENOMEM; } for(j = 0, k = 0; j < i; j++) { - if(krb5_string_to_enctype(context, etypes_str[j], &etypes[k]) == 0) - k++; + krb5_enctype e; + if(krb5_string_to_enctype(context, etypes_str[j], &e) != 0) + continue; + if (krb5_enctype_valid(context, e) != 0) + continue; + etypes[k++] = e; } etypes[k] = ETYPE_NULL; krb5_config_free_strings(etypes_str); @@ -176,21 +187,49 @@ init_context_from_config_file(krb5_context context) /* prefer dns_lookup_kdc over srv_lookup. */ INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup"); INIT_FIELD(context, bool, srv_lookup, context->srv_lookup, "dns_lookup_kdc"); + INIT_FIELD(context, int, large_msg_size, 1400, "large_message_size"); + INIT_FLAG(context, flags, KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME, TRUE, "dns_canonicalize_hostname"); + INIT_FLAG(context, flags, KRB5_CTX_F_CHECK_PAC, TRUE, "check_pac"); context->default_cc_name = NULL; + context->default_cc_name_set = 0; return 0; } -krb5_error_code +/** + * Initializes the context structure and reads the configuration file + * /etc/krb5.conf. The structure should be freed by calling + * krb5_free_context() when it is no longer being used. + * + * @param context pointer to returned context + * + * @return Returns 0 to indicate success. Otherwise an errno code is + * returned. Failure means either that something bad happened during + * initialization (typically ENOMEM) or that Kerberos should not be + * used ENXIO. + * + * @ingroup krb5 + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_init_context(krb5_context *context) { krb5_context p; krb5_error_code ret; char **files; + *context = NULL; + p = calloc(1, sizeof(*p)); if(!p) return ENOMEM; + p->mutex = malloc(sizeof(HEIMDAL_MUTEX)); + if (p->mutex == NULL) { + free(p); + return ENOMEM; + } + HEIMDAL_MUTEX_init(p->mutex); + ret = krb5_get_default_config_files(&files); if(ret) goto out; @@ -204,12 +243,18 @@ krb5_init_context(krb5_context *context) p->cc_ops = NULL; p->num_cc_ops = 0; + krb5_cc_register(p, &krb5_acc_ops, TRUE); krb5_cc_register(p, &krb5_fcc_ops, TRUE); krb5_cc_register(p, &krb5_mcc_ops, TRUE); +#ifdef HAVE_KCM + krb5_cc_register(p, &krb5_kcm_ops, TRUE); +#endif p->num_kt_types = 0; p->kt_types = NULL; krb5_kt_register (p, &krb5_fkt_ops); + krb5_kt_register (p, &krb5_wrfkt_ops); + krb5_kt_register (p, &krb5_javakt_ops); krb5_kt_register (p, &krb5_mkt_ops); krb5_kt_register (p, &krb5_akf_ops); krb5_kt_register (p, &krb4_fkt_ops); @@ -225,11 +270,21 @@ out: return ret; } -void +/** + * Frees the krb5_context allocated by krb5_init_context(). + * + * @param context context to be freed. + * + * @ingroup krb5 +*/ + +void KRB5_LIB_FUNCTION krb5_free_context(krb5_context context) { if (context->default_cc_name) free(context->default_cc_name); + if (context->default_cc_name_env) + free(context->default_cc_name_env); free(context->etypes); free(context->etypes_des); krb5_free_host_realm (context, context->default_realms); @@ -242,17 +297,35 @@ krb5_free_context(krb5_context context) krb5_closelog(context, context->warn_dest); krb5_set_extra_addresses(context, NULL); krb5_set_ignore_addresses(context, NULL); + krb5_set_send_to_kdc_func(context, NULL, NULL); + if (context->mutex != NULL) { + HEIMDAL_MUTEX_destroy(context->mutex); + free(context->mutex); + } + memset(context, 0, sizeof(*context)); free(context); } -krb5_error_code +/** + * Reinit the context from a new set of filenames. + * + * @param context context to add configuration too. + * @param filenames array of filenames, end of list is indicated with a NULL filename. + * + * @return Returns 0 to indicate success. Otherwise an kerberos et + * error code is returned, see krb5_get_error_message(). + * + * @ingroup krb5 + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_set_config_files(krb5_context context, char **filenames) { krb5_error_code ret; krb5_config_binding *tmp = NULL; while(filenames != NULL && *filenames != NULL && **filenames != '\0') { ret = krb5_config_parse_file_multi(context, *filenames, &tmp); - if(ret != 0 && ret != ENOENT) { + if(ret != 0 && ret != ENOENT && ret != EACCES) { krb5_config_file_free(context, tmp); return ret; } @@ -270,54 +343,158 @@ krb5_set_config_files(krb5_context context, char **filenames) return ret; } -krb5_error_code -krb5_get_default_config_files(char ***pfilenames) +static krb5_error_code +add_file(char ***pfilenames, int *len, char *file) { - const char *p, *q; - char **pp; - int n, i; + char **pp = *pfilenames; + int i; - const char *files = NULL; - if (pfilenames == NULL) - return EINVAL; - if(!issuid()) - files = getenv("KRB5_CONFIG"); - if (files == NULL) - files = krb5_config_file; + for(i = 0; i < *len; i++) { + if(strcmp(pp[i], file) == 0) { + free(file); + return 0; + } + } - for(n = 0, p = files; strsep_copy(&p, ":", NULL, 0) != -1; n++); - pp = malloc((n + 1) * sizeof(*pp)); - if(pp == NULL) + pp = realloc(*pfilenames, (*len + 2) * sizeof(*pp)); + if (pp == NULL) { + free(file); return ENOMEM; + } + + pp[*len] = file; + pp[*len + 1] = NULL; + *pfilenames = pp; + *len += 1; + return 0; +} + +/* + * `pq' isn't free, it's up the the caller + */ + +krb5_error_code KRB5_LIB_FUNCTION +krb5_prepend_config_files(const char *filelist, char **pq, char ***ret_pp) +{ + krb5_error_code ret; + const char *p, *q; + char **pp; + int len; + char *fn; - n = 0; - p = files; + pp = NULL; + + len = 0; + p = filelist; while(1) { ssize_t l; q = p; l = strsep_copy(&q, ":", NULL, 0); if(l == -1) break; - pp[n] = malloc(l + 1); - if(pp[n] == NULL) { + fn = malloc(l + 1); + if(fn == NULL) { krb5_free_config_files(pp); return ENOMEM; } - l = strsep_copy(&p, ":", pp[n], l + 1); - for(i = 0; i < n; i++) - if(strcmp(pp[i], pp[n]) == 0) { - free(pp[n]); - goto skip; + l = strsep_copy(&p, ":", fn, l + 1); + ret = add_file(&pp, &len, fn); + if (ret) { + krb5_free_config_files(pp); + return ret; + } + } + + if (pq != NULL) { + int i; + + for (i = 0; pq[i] != NULL; i++) { + fn = strdup(pq[i]); + if (fn == NULL) { + krb5_free_config_files(pp); + return ENOMEM; } - n++; - skip:; + ret = add_file(&pp, &len, fn); + if (ret) { + krb5_free_config_files(pp); + return ret; + } + } } - pp[n] = NULL; + + *ret_pp = pp; + return 0; +} + +/** + * Prepend the filename to the global configuration list. + * + * @param filelist a filename to add to the default list of filename + * @param pfilenames return array of filenames, should be freed with krb5_free_config_files(). + * + * @return Returns 0 to indicate success. Otherwise an kerberos et + * error code is returned, see krb5_get_error_message(). + * + * @ingroup krb5 + */ + +krb5_error_code KRB5_LIB_FUNCTION +krb5_prepend_config_files_default(const char *filelist, char ***pfilenames) +{ + krb5_error_code ret; + char **defpp, **pp = NULL; + + ret = krb5_get_default_config_files(&defpp); + if (ret) + return ret; + + ret = krb5_prepend_config_files(filelist, defpp, &pp); + krb5_free_config_files(defpp); + if (ret) { + return ret; + } *pfilenames = pp; return 0; } -void +/** + * Get the global configuration list. + * + * @param pfilenames return array of filenames, should be freed with krb5_free_config_files(). + * + * @return Returns 0 to indicate success. Otherwise an kerberos et + * error code is returned, see krb5_get_error_message(). + * + * @ingroup krb5 + */ + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_default_config_files(char ***pfilenames) +{ + const char *files = NULL; + + if (pfilenames == NULL) + return EINVAL; + if(!issuid()) + files = getenv("KRB5_CONFIG"); + if (files == NULL) + files = krb5_config_file; + + return krb5_prepend_config_files(files, NULL, pfilenames); +} + +/** + * Free a list of configuration files. + * + * @param filenames list to be freed. + * + * @return Returns 0 to indicate success. Otherwise an kerberos et + * error code is returned, see krb5_get_error_message(). + * + * @ingroup krb5 + */ + +void KRB5_LIB_FUNCTION krb5_free_config_files(char **filenames) { char **p; @@ -326,14 +503,25 @@ krb5_free_config_files(char **filenames) free(filenames); } -/* - * set `etype' to a malloced list of the default enctypes +/** + * Returns the list of Kerberos encryption types sorted in order of + * most preferred to least preferred encryption type. Note that some + * encryption types might be disabled, so you need to check with + * krb5_enctype_valid() before using the encryption type. + * + * @return list of enctypes, terminated with ETYPE_NULL. Its a static + * array completed into the Kerberos library so the content doesn't + * need to be freed. + * + * @ingroup krb5 */ -static krb5_error_code -default_etypes(krb5_context context, krb5_enctype **etype) +const krb5_enctype * KRB5_LIB_FUNCTION +krb5_kerberos_enctypes(krb5_context context) { - krb5_enctype p[] = { + static const krb5_enctype p[] = { + ETYPE_AES256_CTS_HMAC_SHA1_96, + ETYPE_AES128_CTS_HMAC_SHA1_96, ETYPE_DES3_CBC_SHA1, ETYPE_DES3_CBC_MD5, ETYPE_ARCFOUR_HMAC_MD5, @@ -342,30 +530,67 @@ default_etypes(krb5_context context, krb5_enctype **etype) ETYPE_DES_CBC_CRC, ETYPE_NULL }; + return p; +} - *etype = malloc(sizeof(p)); - if(*etype == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; +/* + * set `etype' to a malloced list of the default enctypes + */ + +static krb5_error_code +default_etypes(krb5_context context, krb5_enctype **etype) +{ + const krb5_enctype *p; + krb5_enctype *e = NULL, *ep; + int i, n = 0; + + p = krb5_kerberos_enctypes(context); + + for (i = 0; p[i] != ETYPE_NULL; i++) { + if (krb5_enctype_valid(context, p[i]) != 0) + continue; + ep = realloc(e, (n + 2) * sizeof(*e)); + if (ep == NULL) { + free(e); + krb5_set_error_string (context, "malloc: out of memory"); + return ENOMEM; + } + e = ep; + e[n] = p[i]; + e[n + 1] = ETYPE_NULL; + n++; } - memcpy(*etype, p, sizeof(p)); + *etype = e; return 0; } -krb5_error_code +/** + * Set the default encryption types that will be use in communcation + * with the KDC, clients and servers. + * + * @param context Kerberos 5 context. + * @param etypes Encryption types, array terminated with ETYPE_NULL (0). + * + * @return Returns 0 to indicate success. Otherwise an kerberos et + * error code is returned, see krb5_get_error_message(). + * + * @ingroup krb5 + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_set_default_in_tkt_etypes(krb5_context context, const krb5_enctype *etypes) { - int i; krb5_enctype *p = NULL; + int i; if(etypes) { - for (i = 0; etypes[i]; ++i) - if(!krb5_enctype_valid(context, etypes[i])) { - krb5_set_error_string(context, "enctype %d not supported", - etypes[i]); - return KRB5_PROG_ETYPE_NOSUPP; - } + for (i = 0; etypes[i]; ++i) { + krb5_error_code ret; + ret = krb5_enctype_valid(context, etypes[i]); + if (ret) + return ret; + } ++i; ALLOC(p, i); if(!p) { @@ -380,8 +605,21 @@ krb5_set_default_in_tkt_etypes(krb5_context context, return 0; } +/** + * Get the default encryption types that will be use in communcation + * with the KDC, clients and servers. + * + * @param context Kerberos 5 context. + * @param etypes Encryption types, array terminated with + * ETYPE_NULL(0), caller should free array with krb5_xfree(): + * + * @return Returns 0 to indicate success. Otherwise an kerberos et + * error code is returned, see krb5_get_error_message(). + * + * @ingroup krb5 + */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_default_in_tkt_etypes(krb5_context context, krb5_enctype **etypes) { @@ -407,7 +645,19 @@ krb5_get_default_in_tkt_etypes(krb5_context context, return 0; } -const char * +/** + * Return the error string for the error code. The caller must not + * free the string. + * + * @param context Kerberos 5 context. + * @param code Kerberos error code. + * + * @return the error message matching code + * + * @ingroup krb5 + */ + +const char* KRB5_LIB_FUNCTION krb5_get_err_text(krb5_context context, krb5_error_code code) { const char *p = NULL; @@ -420,7 +670,15 @@ krb5_get_err_text(krb5_context context, krb5_error_code code) return p; } -void +/** + * Init the built-in ets in the Kerberos library. + * + * @param context kerberos context to add the ets too + * + * @ingroup krb5 + */ + +void KRB5_LIB_FUNCTION krb5_init_ets(krb5_context context) { if(context->et_list == NULL){ @@ -428,22 +686,57 @@ krb5_init_ets(krb5_context context) krb5_add_et_list(context, initialize_asn1_error_table_r); krb5_add_et_list(context, initialize_heim_error_table_r); krb5_add_et_list(context, initialize_k524_error_table_r); +#ifdef PKINIT + krb5_add_et_list(context, initialize_hx_error_table_r); +#endif } } -void +/** + * Make the kerberos library default to the admin KDC. + * + * @param context Kerberos 5 context. + * @param flag boolean flag to select if the use the admin KDC or not. + * + * @ingroup krb5 + */ + +void KRB5_LIB_FUNCTION krb5_set_use_admin_kdc (krb5_context context, krb5_boolean flag) { context->use_admin_kdc = flag; } -krb5_boolean +/** + * Make the kerberos library default to the admin KDC. + * + * @param context Kerberos 5 context. + * + * @return boolean flag to telling the context will use admin KDC as the default KDC. + * + * @ingroup krb5 + */ + +krb5_boolean KRB5_LIB_FUNCTION krb5_get_use_admin_kdc (krb5_context context) { return context->use_admin_kdc; } -krb5_error_code +/** + * Add extra address to the address list that the library will add to + * the client's address list when communicating with the KDC. + * + * @param context Kerberos 5 context. + * @param addresses addreses to add + * + * @return Returns 0 to indicate success. Otherwise an kerberos et + * error code is returned, see krb5_get_error_message(). + * + * @ingroup krb5 + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses) { @@ -454,7 +747,20 @@ krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses) return krb5_set_extra_addresses(context, addresses); } -krb5_error_code +/** + * Set extra address to the address list that the library will add to + * the client's address list when communicating with the KDC. + * + * @param context Kerberos 5 context. + * @param addresses addreses to set + * + * @return Returns 0 to indicate success. Otherwise an kerberos et + * error code is returned, see krb5_get_error_message(). + * + * @ingroup krb5 + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses) { if(context->extra_addresses) @@ -477,7 +783,20 @@ krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses) return krb5_copy_addresses(context, addresses, context->extra_addresses); } -krb5_error_code +/** + * Get extra address to the address list that the library will add to + * the client's address list when communicating with the KDC. + * + * @param context Kerberos 5 context. + * @param addresses addreses to set + * + * @return Returns 0 to indicate success. Otherwise an kerberos et + * error code is returned, see krb5_get_error_message(). + * + * @ingroup krb5 + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses) { if(context->extra_addresses == NULL) { @@ -487,7 +806,20 @@ krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses) return krb5_copy_addresses(context,context->extra_addresses, addresses); } -krb5_error_code +/** + * Add extra addresses to ignore when fetching addresses from the + * underlaying operating system. + * + * @param context Kerberos 5 context. + * @param addresses addreses to ignore + * + * @return Returns 0 to indicate success. Otherwise an kerberos et + * error code is returned, see krb5_get_error_message(). + * + * @ingroup krb5 + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses) { @@ -498,7 +830,20 @@ krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses) return krb5_set_ignore_addresses(context, addresses); } -krb5_error_code +/** + * Set extra addresses to ignore when fetching addresses from the + * underlaying operating system. + * + * @param context Kerberos 5 context. + * @param addresses addreses to ignore + * + * @return Returns 0 to indicate success. Otherwise an kerberos et + * error code is returned, see krb5_get_error_message(). + * + * @ingroup krb5 + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses) { if(context->ignore_addresses) @@ -520,7 +865,20 @@ krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses) return krb5_copy_addresses(context, addresses, context->ignore_addresses); } -krb5_error_code +/** + * Get extra addresses to ignore when fetching addresses from the + * underlaying operating system. + * + * @param context Kerberos 5 context. + * @param addresses list addreses ignored + * + * @return Returns 0 to indicate success. Otherwise an kerberos et + * error code is returned, see krb5_get_error_message(). + * + * @ingroup krb5 + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses) { if(context->ignore_addresses == NULL) { @@ -530,16 +888,146 @@ krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses) return krb5_copy_addresses(context, context->ignore_addresses, addresses); } -krb5_error_code +/** + * Set version of fcache that the library should use. + * + * @param context Kerberos 5 context. + * @param version version number. + * + * @return Returns 0 to indicate success. Otherwise an kerberos et + * error code is returned, see krb5_get_error_message(). + * + * @ingroup krb5 + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_set_fcache_version(krb5_context context, int version) { context->fcache_vno = version; return 0; } -krb5_error_code +/** + * Get version of fcache that the library should use. + * + * @param context Kerberos 5 context. + * @param version version number. + * + * @return Returns 0 to indicate success. Otherwise an kerberos et + * error code is returned, see krb5_get_error_message(). + * + * @ingroup krb5 + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_get_fcache_version(krb5_context context, int *version) { *version = context->fcache_vno; return 0; } + +/** + * Runtime check if the Kerberos library was complied with thread support. + * + * @return TRUE if the library was compiled with thread support, FALSE if not. + * + * @ingroup krb5 + */ + + +krb5_boolean KRB5_LIB_FUNCTION +krb5_is_thread_safe(void) +{ +#ifdef ENABLE_PTHREAD_SUPPORT + return TRUE; +#else + return FALSE; +#endif +} + +/** + * Set if the library should use DNS to canonicalize hostnames. + * + * @param context Kerberos 5 context. + * @param flag if its dns canonicalizion is used or not. + * + * @ingroup krb5 + */ + +void KRB5_LIB_FUNCTION +krb5_set_dns_canonicalize_hostname (krb5_context context, krb5_boolean flag) +{ + if (flag) + context->flags |= KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME; + else + context->flags &= ~KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME; +} + +/** + * Get if the library uses DNS to canonicalize hostnames. + * + * @param context Kerberos 5 context. + * + * @return return non zero if the library uses DNS to canonicalize hostnames. + * + * @ingroup krb5 + */ + +krb5_boolean KRB5_LIB_FUNCTION +krb5_get_dns_canonicalize_hostname (krb5_context context) +{ + return (context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) ? 1 : 0; +} + +/** + * Get current offset in time to the KDC. + * + * @param context Kerberos 5 context. + * @param sec seconds part of offset. + * @param usec micro seconds part of offset. + * + * @return return non zero if the library uses DNS to canonicalize hostnames. + * + * @ingroup krb5 + */ + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_kdc_sec_offset (krb5_context context, int32_t *sec, int32_t *usec) +{ + if (sec) + *sec = context->kdc_sec_offset; + if (usec) + *usec = context->kdc_usec_offset; + return 0; +} + +/** + * Get max time skew allowed. + * + * @param context Kerberos 5 context. + * + * @return timeskew in seconds. + * + * @ingroup krb5 + */ + +time_t KRB5_LIB_FUNCTION +krb5_get_max_time_skew (krb5_context context) +{ + return context->max_skew; +} + +/** + * Set max time skew allowed. + * + * @param context Kerberos 5 context. + * @param t timeskew in seconds. + * + * @ingroup krb5 + */ + +void KRB5_LIB_FUNCTION +krb5_set_max_time_skew (krb5_context context, time_t t) +{ + context->max_skew = t; +} diff --git a/crypto/heimdal/lib/krb5/convert_creds.c b/crypto/heimdal/lib/krb5/convert_creds.c index 0c119e742b08..b2af0187eac3 100644 --- a/crypto/heimdal/lib/krb5/convert_creds.c +++ b/crypto/heimdal/lib/krb5/convert_creds.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,7 +32,7 @@ */ #include "krb5_locl.h" -RCSID("$Id: convert_creds.c,v 1.26 2003/03/18 03:11:16 lha Exp $"); +RCSID("$Id: convert_creds.c 22050 2007-11-11 11:20:46Z lha $"); #include "krb5-v4compat.h" @@ -42,70 +42,23 @@ check_ticket_flags(TicketFlags f) return 0; /* maybe add some more tests here? */ } -/* include this here, to avoid dependencies on libkrb */ - -static const int _tkt_lifetimes[TKTLIFENUMFIXED] = { - 38400, 41055, 43894, 46929, 50174, 53643, 57352, 61318, - 65558, 70091, 74937, 80119, 85658, 91581, 97914, 104684, - 111922, 119661, 127935, 136781, 146239, 156350, 167161, 178720, - 191077, 204289, 218415, 233517, 249664, 266926, 285383, 305116, - 326213, 348769, 372885, 398668, 426234, 455705, 487215, 520904, - 556921, 595430, 636601, 680618, 727680, 777995, 831789, 889303, - 950794, 1016537, 1086825, 1161973, 1242318, 1328218, 1420057, 1518247, - 1623226, 1735464, 1855462, 1983758, 2120925, 2267576, 2424367, 2592000 -}; - -int -_krb5_krb_time_to_life(time_t start, time_t end) -{ - int i; - time_t life = end - start; - - if (life > MAXTKTLIFETIME || life <= 0) - return 0; -#if 0 - if (krb_no_long_lifetimes) - return (life + 5*60 - 1)/(5*60); -#endif - - if (end >= NEVERDATE) - return TKTLIFENOEXPIRE; - if (life < _tkt_lifetimes[0]) - return (life + 5*60 - 1)/(5*60); - for (i=0; i<TKTLIFENUMFIXED; i++) - if (life <= _tkt_lifetimes[i]) - return i + TKTLIFEMINFIXED; - return 0; - -} - -time_t -_krb5_krb_life_to_time(int start, int life_) -{ - unsigned char life = (unsigned char) life_; - -#if 0 - if (krb_no_long_lifetimes) - return start + life*5*60; -#endif - - if (life == TKTLIFENOEXPIRE) - return NEVERDATE; - if (life < TKTLIFEMINFIXED) - return start + life*5*60; - if (life > TKTLIFEMAXFIXED) - return start + MAXTKTLIFETIME; - return start + _tkt_lifetimes[life - TKTLIFEMINFIXED]; -} - - -/* Convert the v5 credentials in `in_cred' to v4-dito in `v4creds'. - * This is done by sending them to the 524 function in the KDC. If +/** + * Convert the v5 credentials in in_cred to v4-dito in v4creds. This + * is done by sending them to the 524 function in the KDC. If * `in_cred' doesn't contain a DES session key, then a new one is * gotten from the KDC and stored in the cred cache `ccache'. + * + * @param context Kerberos 5 context. + * @param in_cred the credential to convert + * @param v4creds the converted credential + * + * @return Returns 0 to indicate success. Otherwise an kerberos et + * error code is returned, see krb5_get_error_message(). + * + * @ingroup krb5_v4compat */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb524_convert_creds_kdc(krb5_context context, krb5_creds *in_cred, struct credentials *v4creds) @@ -126,8 +79,8 @@ krb524_convert_creds_kdc(krb5_context context, krb5_krbhst_handle handle; ret = krb5_krbhst_init(context, - *krb5_princ_realm(context, - v5_creds->server), + krb5_principal_get_realm(context, + v5_creds->server), KRB5_KRBHST_KRB524, &handle); if (ret) @@ -191,7 +144,22 @@ out2: return ret; } -krb5_error_code +/** + * Convert the v5 credentials in in_cred to v4-dito in v4creds, + * check the credential cache ccache before checking with the KDC. + * + * @param context Kerberos 5 context. + * @param ccache credential cache used to check for des-ticket. + * @param in_cred the credential to convert + * @param v4creds the converted credential + * + * @return Returns 0 to indicate success. Otherwise an kerberos et + * error code is returned, see krb5_get_error_message(). + * + * @ingroup krb5_v4compat + */ + +krb5_error_code KRB5_LIB_FUNCTION krb524_convert_creds_kdc_ccache(krb5_context context, krb5_ccache ccache, krb5_creds *in_cred, @@ -212,18 +180,18 @@ krb524_convert_creds_kdc_ccache(krb5_context context, template.session.keytype = ENCTYPE_DES_CBC_CRC; ret = krb5_copy_principal (context, in_cred->client, &template.client); if (ret) { - krb5_free_creds_contents (context, &template); + krb5_free_cred_contents (context, &template); return ret; } ret = krb5_copy_principal (context, in_cred->server, &template.server); if (ret) { - krb5_free_creds_contents (context, &template); + krb5_free_cred_contents (context, &template); return ret; } ret = krb5_get_credentials (context, 0, ccache, &template, &v5_creds); - krb5_free_creds_contents (context, &template); + krb5_free_cred_contents (context, &template); if (ret) return ret; } diff --git a/crypto/heimdal/lib/krb5/copy_host_realm.c b/crypto/heimdal/lib/krb5/copy_host_realm.c index 38fdfa894d2d..8c4f39b4ac4c 100644 --- a/crypto/heimdal/lib/krb5/copy_host_realm.c +++ b/crypto/heimdal/lib/krb5/copy_host_realm.c @@ -33,13 +33,22 @@ #include "krb5_locl.h" -RCSID("$Id: copy_host_realm.c,v 1.4 2001/05/14 06:14:45 assar Exp $"); +RCSID("$Id: copy_host_realm.c 22057 2007-11-11 15:13:13Z lha $"); -/* +/** * Copy the list of realms from `from' to `to'. + * + * @param context Kerberos 5 context. + * @param from list of realms to copy from. + * @param to list of realms to copy to, free list of krb5_free_host_realm(). + * + * @return Returns 0 to indicate success. Otherwise an kerberos et + * error code is returned, see krb5_get_error_message(). + * + * @ingroup krb5 */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_host_realm(krb5_context context, const krb5_realm *from, krb5_realm **to) diff --git a/crypto/heimdal/lib/krb5/crc.c b/crypto/heimdal/lib/krb5/crc.c index c7cedd8c9efa..072c29d68974 100644 --- a/crypto/heimdal/lib/krb5/crc.c +++ b/crypto/heimdal/lib/krb5/crc.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: crc.c,v 1.9 2000/08/03 01:45:14 assar Exp $"); +RCSID("$Id: crc.c 17442 2006-05-05 09:31:15Z lha $"); static u_long table[256]; @@ -62,8 +62,8 @@ _krb5_crc_init_table(void) flag = 1; } -u_int32_t -_krb5_crc_update (const char *p, size_t len, u_int32_t res) +uint32_t +_krb5_crc_update (const char *p, size_t len, uint32_t res) { while (len--) res = table[(res ^ *p++) & 0xFF] ^ (res >> 8); diff --git a/crypto/heimdal/lib/krb5/creds.c b/crypto/heimdal/lib/krb5/creds.c index 01c1c30a1cb9..17ef46dfa3b6 100644 --- a/crypto/heimdal/lib/krb5/creds.c +++ b/crypto/heimdal/lib/krb5/creds.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,16 +33,32 @@ #include "krb5_locl.h" -RCSID("$Id: creds.c,v 1.15 2001/05/14 06:14:45 assar Exp $"); +RCSID("$Id: creds.c 22062 2007-11-11 15:41:50Z lha $"); -krb5_error_code -krb5_free_cred_contents (krb5_context context, krb5_creds *c) +#undef __attribute__ +#define __attribute__(X) + +/* keep this for compatibility with older code */ +krb5_error_code KRB5_LIB_FUNCTION __attribute__((deprecated)) +krb5_free_creds_contents (krb5_context context, krb5_creds *c) { - return krb5_free_creds_contents (context, c); + return krb5_free_cred_contents (context, c); } -krb5_error_code -krb5_free_creds_contents (krb5_context context, krb5_creds *c) +/** + * Free content of krb5_creds. + * + * @param context Kerberos 5 context. + * @param c krb5_creds to free. + * + * @return Returns 0 to indicate success. Otherwise an kerberos et + * error code is returned, see krb5_get_error_message(). + * + * @ingroup krb5 + */ + +krb5_error_code KRB5_LIB_FUNCTION +krb5_free_cred_contents (krb5_context context, krb5_creds *c) { krb5_free_principal (context, c->client); c->client = NULL; @@ -53,10 +69,24 @@ krb5_free_creds_contents (krb5_context context, krb5_creds *c) krb5_data_free (&c->second_ticket); free_AuthorizationData (&c->authdata); krb5_free_addresses (context, &c->addresses); + memset(c, 0, sizeof(*c)); return 0; } -krb5_error_code +/** + * Copy content of krb5_creds. + * + * @param context Kerberos 5 context. + * @param incred source credential + * @param c destination credential, free with krb5_free_cred_contents(). + * + * @return Returns 0 to indicate success. Otherwise an kerberos et + * error code is returned, see krb5_get_error_message(). + * + * @ingroup krb5 + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_creds_contents (krb5_context context, const krb5_creds *incred, krb5_creds *c) @@ -96,11 +126,24 @@ krb5_copy_creds_contents (krb5_context context, return 0; fail: - krb5_free_creds_contents (context, c); + krb5_free_cred_contents (context, c); return ret; } -krb5_error_code +/** + * Copy krb5_creds. + * + * @param context Kerberos 5 context. + * @param incred source credential + * @param outcred destination credential, free with krb5_free_creds(). + * + * @return Returns 0 to indicate success. Otherwise an kerberos et + * error code is returned, see krb5_get_error_message(). + * + * @ingroup krb5 + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_creds (krb5_context context, const krb5_creds *incred, krb5_creds **outcred) @@ -117,35 +160,110 @@ krb5_copy_creds (krb5_context context, return krb5_copy_creds_contents (context, incred, c); } -krb5_error_code +/** + * Free krb5_creds. + * + * @param context Kerberos 5 context. + * @param c krb5_creds to free. + * + * @return Returns 0 to indicate success. Otherwise an kerberos et + * error code is returned, see krb5_get_error_message(). + * + * @ingroup krb5 + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_free_creds (krb5_context context, krb5_creds *c) { - krb5_free_creds_contents (context, c); + krb5_free_cred_contents (context, c); free (c); return 0; } -/* +/* XXX this do not belong here */ +static krb5_boolean +krb5_times_equal(const krb5_times *a, const krb5_times *b) +{ + return a->starttime == b->starttime && + a->authtime == b->authtime && + a->endtime == b->endtime && + a->renew_till == b->renew_till; +} + +/** * Return TRUE if `mcreds' and `creds' are equal (`whichfields' * determines what equal means). + * + * @param context Kerberos 5 context. + * @param whichfields which fields to compare. + * @param mcreds cred to compare with. + * @param creds cred to compare with. + * + * @return return TRUE if mcred and creds are equal, FALSE if not. + * + * @ingroup krb5 */ -krb5_boolean -krb5_compare_creds(krb5_context context, krb5_flags whichfields, - const krb5_creds *mcreds, const krb5_creds *creds) +krb5_boolean KRB5_LIB_FUNCTION +krb5_compare_creds(krb5_context context, krb5_flags whichfields, + const krb5_creds * mcreds, const krb5_creds * creds) { - krb5_boolean match; - - if(whichfields & KRB5_TC_DONT_MATCH_REALM) - match = krb5_principal_compare_any_realm(context, - mcreds->server, - creds->server); - else - match = krb5_principal_compare(context, mcreds->server, creds->server); - if(match && (whichfields & KRB5_TC_MATCH_KEYTYPE) && - !krb5_enctypes_compatible_keys (context, - mcreds->session.keytype, - creds->session.keytype)) - match = FALSE; + krb5_boolean match = TRUE; + + if (match && mcreds->server) { + if (whichfields & (KRB5_TC_DONT_MATCH_REALM | KRB5_TC_MATCH_SRV_NAMEONLY)) + match = krb5_principal_compare_any_realm (context, mcreds->server, + creds->server); + else + match = krb5_principal_compare (context, mcreds->server, + creds->server); + } + + if (match && mcreds->client) { + if(whichfields & KRB5_TC_DONT_MATCH_REALM) + match = krb5_principal_compare_any_realm (context, mcreds->client, + creds->client); + else + match = krb5_principal_compare (context, mcreds->client, + creds->client); + } + + if (match && (whichfields & KRB5_TC_MATCH_KEYTYPE)) + match = krb5_enctypes_compatible_keys(context, + mcreds->session.keytype, + creds->session.keytype); + + if (match && (whichfields & KRB5_TC_MATCH_FLAGS_EXACT)) + match = mcreds->flags.i == creds->flags.i; + + if (match && (whichfields & KRB5_TC_MATCH_FLAGS)) + match = (creds->flags.i & mcreds->flags.i) == mcreds->flags.i; + + if (match && (whichfields & KRB5_TC_MATCH_TIMES_EXACT)) + match = krb5_times_equal(&mcreds->times, &creds->times); + + if (match && (whichfields & KRB5_TC_MATCH_TIMES)) + /* compare only expiration times */ + match = (mcreds->times.renew_till <= creds->times.renew_till) && + (mcreds->times.endtime <= creds->times.endtime); + + if (match && (whichfields & KRB5_TC_MATCH_AUTHDATA)) { + unsigned int i; + if(mcreds->authdata.len != creds->authdata.len) + match = FALSE; + else + for(i = 0; match && i < mcreds->authdata.len; i++) + match = (mcreds->authdata.val[i].ad_type == + creds->authdata.val[i].ad_type) && + (krb5_data_cmp(&mcreds->authdata.val[i].ad_data, + &creds->authdata.val[i].ad_data) == 0); + } + if (match && (whichfields & KRB5_TC_MATCH_2ND_TKT)) + match = (krb5_data_cmp(&mcreds->second_ticket, &creds->second_ticket) == 0); + + if (match && (whichfields & KRB5_TC_MATCH_IS_SKEY)) + match = ((mcreds->second_ticket.length == 0) == + (creds->second_ticket.length == 0)); + return match; } diff --git a/crypto/heimdal/lib/krb5/crypto.c b/crypto/heimdal/lib/krb5/crypto.c index 3da8d303e312..2e6349094683 100644 --- a/crypto/heimdal/lib/krb5/crypto.c +++ b/crypto/heimdal/lib/krb5/crypto.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,7 +32,7 @@ */ #include "krb5_locl.h" -RCSID("$Id: crypto.c,v 1.73.2.4 2004/03/06 16:38:00 lha Exp $"); +RCSID("$Id: crypto.c 22200 2007-12-07 13:48:01Z lha $"); #undef CRYPTO_DEBUG #ifdef CRYPTO_DEBUG @@ -66,6 +66,7 @@ struct krb5_crypto_data { #define F_VARIANT 8 /* uses `variant' keys (6.4.3) */ #define F_PSEUDO 16 /* not a real protocol type */ #define F_SPECIAL 32 /* backwards */ +#define F_DISABLED 64 /* enctype/checksum disabled */ struct salt_type { krb5_salttype type; @@ -86,6 +87,7 @@ struct key_type { void (*random_key)(krb5_context, krb5_keyblock*); void (*schedule)(krb5_context, struct key_data *); struct salt_type *string_to_key; + void (*random_to_key)(krb5_context, krb5_keyblock*, const void*, size_t); }; struct checksum_type { @@ -109,6 +111,7 @@ struct checksum_type { struct encryption_type { krb5_enctype type; const char *name; + heim_oid *oid; size_t blocksize; size_t padsize; size_t confoundersize; @@ -119,9 +122,12 @@ struct encryption_type { krb5_error_code (*encrypt)(krb5_context context, struct key_data *key, void *data, size_t len, - krb5_boolean encrypt, + krb5_boolean encryptp, int usage, void *ivec); + size_t prf_length; + krb5_error_code (*prf)(krb5_context, + krb5_crypto, const krb5_data *, krb5_data *); }; #define ENCRYPTION_USAGE(U) (((U) << 8) | 0xAA) @@ -147,92 +153,38 @@ static krb5_error_code hmac(krb5_context context, struct key_data *keyblock, Checksum *result); static void free_key_data(krb5_context context, struct key_data *key); -static krb5_error_code usage2arcfour (krb5_context, int *); +static krb5_error_code usage2arcfour (krb5_context, unsigned *); +static void xor (DES_cblock *, const unsigned char *); /************************************************************ * * ************************************************************/ +static HEIMDAL_MUTEX crypto_mutex = HEIMDAL_MUTEX_INITIALIZER; + + static void krb5_DES_random_key(krb5_context context, krb5_keyblock *key) { - des_cblock *k = key->keyvalue.data; + DES_cblock *k = key->keyvalue.data; do { - krb5_generate_random_block(k, sizeof(des_cblock)); - des_set_odd_parity(k); - } while(des_is_weak_key(k)); + krb5_generate_random_block(k, sizeof(DES_cblock)); + DES_set_odd_parity(k); + } while(DES_is_weak_key(k)); } static void krb5_DES_schedule(krb5_context context, - struct key_data *key) -{ - des_set_key(key->key->keyvalue.data, key->schedule->data); -} - -static void -DES_string_to_key_int(unsigned char *data, size_t length, des_cblock *key) + struct key_data *key) { - des_key_schedule schedule; - int i; - int reverse = 0; - unsigned char *p; - - unsigned char swap[] = { 0x0, 0x8, 0x4, 0xc, 0x2, 0xa, 0x6, 0xe, - 0x1, 0x9, 0x5, 0xd, 0x3, 0xb, 0x7, 0xf }; - memset(key, 0, 8); - - p = (unsigned char*)key; - for (i = 0; i < length; i++) { - unsigned char tmp = data[i]; - if (!reverse) - *p++ ^= (tmp << 1); - else - *--p ^= (swap[tmp & 0xf] << 4) | swap[(tmp & 0xf0) >> 4]; - if((i % 8) == 7) - reverse = !reverse; - } - des_set_odd_parity(key); - if(des_is_weak_key(key)) - (*key)[7] ^= 0xF0; - des_set_key(key, schedule); - des_cbc_cksum((void*)data, key, length, schedule, key); - memset(schedule, 0, sizeof(schedule)); - des_set_odd_parity(key); + DES_set_key(key->key->keyvalue.data, key->schedule->data); } -static krb5_error_code -krb5_DES_string_to_key(krb5_context context, - krb5_enctype enctype, - krb5_data password, - krb5_salt salt, - krb5_data opaque, - krb5_keyblock *key) -{ - unsigned char *s; - size_t len; - des_cblock tmp; - - len = password.length + salt.saltvalue.length; - s = malloc(len); - if(len > 0 && s == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - memcpy(s, password.data, password.length); - memcpy(s + password.length, salt.saltvalue.data, salt.saltvalue.length); - DES_string_to_key_int(s, len, &tmp); - key->keytype = enctype; - krb5_data_copy(&key->keyvalue, tmp, sizeof(tmp)); - memset(&tmp, 0, sizeof(tmp)); - memset(s, 0, len); - free(s); - return 0; -} +#ifdef ENABLE_AFS_STRING_TO_KEY /* This defines the Andrew string_to_key function. It accepts a password - * string as input and converts its via a one-way encryption algorithm to a DES + * string as input and converts it via a one-way encryption algorithm to a DES * encryption key. It is compatible with the original Andrew authentication * service password database. */ @@ -243,7 +195,7 @@ krb5_DES_string_to_key(krb5_context context, static void krb5_DES_AFS3_CMU_string_to_key (krb5_data pw, krb5_data cell, - des_cblock *key) + DES_cblock *key) { char password[8+1]; /* crypt is limited to 8 chars anyway */ int i; @@ -256,14 +208,14 @@ krb5_DES_AFS3_CMU_string_to_key (krb5_data pw, } password[8] = '\0'; - memcpy(key, crypt(password, "p1") + 2, sizeof(des_cblock)); + memcpy(key, crypt(password, "p1") + 2, sizeof(DES_cblock)); /* parity is inserted into the LSB so left shift each byte up one bit. This allows ascii characters with a zero MSB to retain as much significance as possible. */ - for (i = 0; i < sizeof(des_cblock); i++) + for (i = 0; i < sizeof(DES_cblock); i++) ((unsigned char*)key)[i] <<= 1; - des_set_odd_parity (key); + DES_set_odd_parity (key); } /* @@ -272,11 +224,11 @@ krb5_DES_AFS3_CMU_string_to_key (krb5_data pw, static void krb5_DES_AFS3_Transarc_string_to_key (krb5_data pw, krb5_data cell, - des_cblock *key) + DES_cblock *key) { - des_key_schedule schedule; - des_cblock temp_key; - des_cblock ivec; + DES_key_schedule schedule; + DES_cblock temp_key; + DES_cblock ivec; char password[512]; size_t passlen; @@ -292,20 +244,20 @@ krb5_DES_AFS3_Transarc_string_to_key (krb5_data pw, passlen = min(sizeof(password), pw.length + cell.length); memcpy(&ivec, "kerberos", 8); memcpy(&temp_key, "kerberos", 8); - des_set_odd_parity (&temp_key); - des_set_key (&temp_key, schedule); - des_cbc_cksum (password, &ivec, passlen, schedule, &ivec); + DES_set_odd_parity (&temp_key); + DES_set_key (&temp_key, &schedule); + DES_cbc_cksum ((void*)password, &ivec, passlen, &schedule, &ivec); memcpy(&temp_key, &ivec, 8); - des_set_odd_parity (&temp_key); - des_set_key (&temp_key, schedule); - des_cbc_cksum (password, key, passlen, schedule, &ivec); + DES_set_odd_parity (&temp_key); + DES_set_key (&temp_key, &schedule); + DES_cbc_cksum ((void*)password, key, passlen, &schedule, &ivec); memset(&schedule, 0, sizeof(schedule)); memset(&temp_key, 0, sizeof(temp_key)); memset(&ivec, 0, sizeof(ivec)); memset(password, 0, sizeof(password)); - des_set_odd_parity (key); + DES_set_odd_parity (key); } static krb5_error_code @@ -316,7 +268,7 @@ DES_AFS3_string_to_key(krb5_context context, krb5_data opaque, krb5_keyblock *key) { - des_cblock tmp; + DES_cblock tmp; if(password.length > 8) krb5_DES_AFS3_Transarc_string_to_key(password, salt.saltvalue, &tmp); else @@ -326,31 +278,121 @@ DES_AFS3_string_to_key(krb5_context context, memset(&key, 0, sizeof(key)); return 0; } +#endif /* ENABLE_AFS_STRING_TO_KEY */ + +static void +DES_string_to_key_int(unsigned char *data, size_t length, DES_cblock *key) +{ + DES_key_schedule schedule; + int i; + int reverse = 0; + unsigned char *p; + + unsigned char swap[] = { 0x0, 0x8, 0x4, 0xc, 0x2, 0xa, 0x6, 0xe, + 0x1, 0x9, 0x5, 0xd, 0x3, 0xb, 0x7, 0xf }; + memset(key, 0, 8); + + p = (unsigned char*)key; + for (i = 0; i < length; i++) { + unsigned char tmp = data[i]; + if (!reverse) + *p++ ^= (tmp << 1); + else + *--p ^= (swap[tmp & 0xf] << 4) | swap[(tmp & 0xf0) >> 4]; + if((i % 8) == 7) + reverse = !reverse; + } + DES_set_odd_parity(key); + if(DES_is_weak_key(key)) + (*key)[7] ^= 0xF0; + DES_set_key(key, &schedule); + DES_cbc_cksum((void*)data, key, length, &schedule, key); + memset(&schedule, 0, sizeof(schedule)); + DES_set_odd_parity(key); + if(DES_is_weak_key(key)) + (*key)[7] ^= 0xF0; +} + +static krb5_error_code +krb5_DES_string_to_key(krb5_context context, + krb5_enctype enctype, + krb5_data password, + krb5_salt salt, + krb5_data opaque, + krb5_keyblock *key) +{ + unsigned char *s; + size_t len; + DES_cblock tmp; + +#ifdef ENABLE_AFS_STRING_TO_KEY + if (opaque.length == 1) { + unsigned long v; + _krb5_get_int(opaque.data, &v, 1); + if (v == 1) + return DES_AFS3_string_to_key(context, enctype, password, + salt, opaque, key); + } +#endif + + len = password.length + salt.saltvalue.length; + s = malloc(len); + if(len > 0 && s == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + memcpy(s, password.data, password.length); + memcpy(s + password.length, salt.saltvalue.data, salt.saltvalue.length); + DES_string_to_key_int(s, len, &tmp); + key->keytype = enctype; + krb5_data_copy(&key->keyvalue, tmp, sizeof(tmp)); + memset(&tmp, 0, sizeof(tmp)); + memset(s, 0, len); + free(s); + return 0; +} + +static void +krb5_DES_random_to_key(krb5_context context, + krb5_keyblock *key, + const void *data, + size_t size) +{ + DES_cblock *k = key->keyvalue.data; + memcpy(k, data, key->keyvalue.length); + DES_set_odd_parity(k); + if(DES_is_weak_key(k)) + xor(k, (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); +} + +/* + * + */ static void DES3_random_key(krb5_context context, krb5_keyblock *key) { - des_cblock *k = key->keyvalue.data; + DES_cblock *k = key->keyvalue.data; do { - krb5_generate_random_block(k, 3 * sizeof(des_cblock)); - des_set_odd_parity(&k[0]); - des_set_odd_parity(&k[1]); - des_set_odd_parity(&k[2]); - } while(des_is_weak_key(&k[0]) || - des_is_weak_key(&k[1]) || - des_is_weak_key(&k[2])); + krb5_generate_random_block(k, 3 * sizeof(DES_cblock)); + DES_set_odd_parity(&k[0]); + DES_set_odd_parity(&k[1]); + DES_set_odd_parity(&k[2]); + } while(DES_is_weak_key(&k[0]) || + DES_is_weak_key(&k[1]) || + DES_is_weak_key(&k[2])); } static void DES3_schedule(krb5_context context, struct key_data *key) { - des_cblock *k = key->key->keyvalue.data; - des_key_schedule *s = key->schedule->data; - des_set_key(&k[0], s[0]); - des_set_key(&k[1], s[1]); - des_set_key(&k[2], s[2]); + DES_cblock *k = key->key->keyvalue.data; + DES_key_schedule *s = key->schedule->data; + DES_set_key(&k[0], &s[0]); + DES_set_key(&k[1], &s[1]); + DES_set_key(&k[2], &s[2]); } /* @@ -358,7 +400,7 @@ DES3_schedule(krb5_context context, */ static void -xor (des_cblock *key, const unsigned char *b) +xor (DES_cblock *key, const unsigned char *b) { unsigned char *a = (unsigned char*)key; a[0] ^= b[0]; @@ -382,7 +424,8 @@ DES3_string_to_key(krb5_context context, char *str; size_t len; unsigned char tmp[24]; - des_cblock keys[3]; + DES_cblock keys[3]; + krb5_error_code ret; len = password.length + salt.saltvalue.length; str = malloc(len); @@ -393,29 +436,35 @@ DES3_string_to_key(krb5_context context, memcpy(str, password.data, password.length); memcpy(str + password.length, salt.saltvalue.data, salt.saltvalue.length); { - des_cblock ivec; - des_key_schedule s[3]; + DES_cblock ivec; + DES_key_schedule s[3]; int i; - _krb5_n_fold(str, len, tmp, 24); + ret = _krb5_n_fold(str, len, tmp, 24); + if (ret) { + memset(str, 0, len); + free(str); + krb5_set_error_string(context, "out of memory"); + return ret; + } for(i = 0; i < 3; i++){ memcpy(keys + i, tmp + i * 8, sizeof(keys[i])); - des_set_odd_parity(keys + i); - if(des_is_weak_key(keys + i)) + DES_set_odd_parity(keys + i); + if(DES_is_weak_key(keys + i)) xor(keys + i, (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); - des_set_key(keys + i, s[i]); + DES_set_key(keys + i, &s[i]); } memset(&ivec, 0, sizeof(ivec)); - des_ede3_cbc_encrypt(tmp, + DES_ede3_cbc_encrypt(tmp, tmp, sizeof(tmp), - s[0], s[1], s[2], &ivec, DES_ENCRYPT); + &s[0], &s[1], &s[2], &ivec, DES_ENCRYPT); memset(s, 0, sizeof(s)); memset(&ivec, 0, sizeof(ivec)); for(i = 0; i < 3; i++){ memcpy(keys + i, tmp + i * 8, sizeof(keys[i])); - des_set_odd_parity(keys + i); - if(des_is_weak_key(keys + i)) + DES_set_odd_parity(keys + i); + if(DES_is_weak_key(keys + i)) xor(keys + i, (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); } memset(tmp, 0, sizeof(tmp)); @@ -457,19 +506,47 @@ DES3_string_to_key_derived(krb5_context context, return ret; } -/* - * ARCFOUR - */ - static void -ARCFOUR_random_key(krb5_context context, krb5_keyblock *key) +DES3_random_to_key(krb5_context context, + krb5_keyblock *key, + const void *data, + size_t size) { - krb5_generate_random_block (key->keyvalue.data, - key->keyvalue.length); + unsigned char *x = key->keyvalue.data; + const u_char *q = data; + DES_cblock *k; + int i, j; + + memset(x, 0, sizeof(x)); + for (i = 0; i < 3; ++i) { + unsigned char foo; + for (j = 0; j < 7; ++j) { + unsigned char b = q[7 * i + j]; + + x[8 * i + j] = b; + } + foo = 0; + for (j = 6; j >= 0; --j) { + foo |= q[7 * i + j] & 1; + foo <<= 1; + } + x[8 * i + 7] = foo; + } + k = key->keyvalue.data; + for (i = 0; i < 3; i++) { + DES_set_odd_parity(&k[i]); + if(DES_is_weak_key(&k[i])) + xor(&k[i], (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); + } } +/* + * ARCFOUR + */ + static void -ARCFOUR_schedule(krb5_context context, struct key_data *kd) +ARCFOUR_schedule(krb5_context context, + struct key_data *kd) { RC4_set_key (kd->schedule->data, kd->key->keyvalue.length, kd->key->keyvalue.data); @@ -487,12 +564,14 @@ ARCFOUR_string_to_key(krb5_context context, size_t len; int i; MD4_CTX m; + krb5_error_code ret; len = 2 * password.length; s = malloc (len); if (len != 0 && s == NULL) { krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; + ret = ENOMEM; + goto out; } for (p = s, i = 0; i < password.length; ++i) { *p++ = ((char *)password.data)[i]; @@ -501,125 +580,24 @@ ARCFOUR_string_to_key(krb5_context context, MD4_Init (&m); MD4_Update (&m, s, len); key->keytype = enctype; - krb5_data_alloc (&key->keyvalue, 16); + ret = krb5_data_alloc (&key->keyvalue, 16); + if (ret) { + krb5_set_error_string(context, "malloc: out of memory"); + goto out; + } MD4_Final (key->keyvalue.data, &m); memset (s, 0, len); + ret = 0; +out: free (s); - return 0; + return ret; } -#ifdef ENABLE_AES /* * AES */ -/* iter is really 1 based, so iter == 0 will be 1 iteration */ - -krb5_error_code -krb5_PKCS5_PBKDF2(krb5_context context, krb5_cksumtype cktype, - krb5_data password, krb5_salt salt, u_int32_t iter, - krb5_keytype type, krb5_keyblock *key) -{ - struct checksum_type *c = _find_checksum(cktype); - struct key_type *kt; - size_t datalen, leftofkey; - krb5_error_code ret; - u_int32_t keypart; - struct key_data ksign; - krb5_keyblock kb; - Checksum result; - char *data, *tmpcksum; - int i, j; - char *p; - - if (c == NULL) { - krb5_set_error_string(context, "checksum %d not supported", cktype); - return KRB5_PROG_KEYTYPE_NOSUPP; - } - - kt = _find_keytype(type); - if (kt == NULL) { - krb5_set_error_string(context, "key type %d not supported", type); - return KRB5_PROG_KEYTYPE_NOSUPP; - } - - key->keytype = type; - ret = krb5_data_alloc (&key->keyvalue, kt->bits / 8); - if (ret) { - krb5_set_error_string(context, "malloc: out of memory"); - return ret; - } - - ret = krb5_data_alloc (&result.checksum, c->checksumsize); - if (ret) { - krb5_set_error_string(context, "malloc: out of memory"); - krb5_data_free (&key->keyvalue); - return ret; - } - - tmpcksum = malloc(c->checksumsize); - if (tmpcksum == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - krb5_data_free (&key->keyvalue); - krb5_data_free (&result.checksum); - return ENOMEM; - } - - datalen = salt.saltvalue.length + 4; - data = malloc(datalen); - if (data == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - free(tmpcksum); - krb5_data_free (&key->keyvalue); - krb5_data_free (&result.checksum); - return ENOMEM; - } - - kb.keyvalue = password; - ksign.key = &kb; - - memcpy(data, salt.saltvalue.data, salt.saltvalue.length); - - keypart = 1; - leftofkey = key->keyvalue.length; - p = key->keyvalue.data; - - while (leftofkey) { - int len; - - if (leftofkey > c->checksumsize) - len = c->checksumsize; - else - len = leftofkey; - - _krb5_put_int(data + datalen - 4, keypart, 4); - - ret = hmac(context, c, data, datalen, 0, &ksign, &result); - if (ret) - krb5_abortx(context, "hmac failed"); - memcpy(p, result.checksum.data, len); - memcpy(tmpcksum, result.checksum.data, result.checksum.length); - for (i = 0; i < iter; i++) { - ret = hmac(context, c, tmpcksum, result.checksum.length, - 0, &ksign, &result); - if (ret) - krb5_abortx(context, "hmac failed"); - memcpy(tmpcksum, result.checksum.data, result.checksum.length); - for (j = 0; j < len; j++) - p[j] ^= tmpcksum[j]; - } - - p += len; - leftofkey -= len; - keypart++; - } - - free(data); - free(tmpcksum); - krb5_data_free (&result.checksum); - - return 0; -} +int _krb5_AES_string_to_default_iterator = 4096; static krb5_error_code AES_string_to_key(krb5_context context, @@ -630,66 +608,132 @@ AES_string_to_key(krb5_context context, krb5_keyblock *key) { krb5_error_code ret; - u_int32_t iter; + uint32_t iter; struct encryption_type *et; struct key_data kd; if (opaque.length == 0) - iter = 45056 - 1; + iter = _krb5_AES_string_to_default_iterator; else if (opaque.length == 4) { unsigned long v; _krb5_get_int(opaque.data, &v, 4); - iter = ((u_int32_t)v) - 1; + iter = ((uint32_t)v); } else return KRB5_PROG_KEYTYPE_NOSUPP; /* XXX */ - et = _find_enctype(enctype); if (et == NULL) return KRB5_PROG_KEYTYPE_NOSUPP; - ret = krb5_PKCS5_PBKDF2(context, CKSUMTYPE_SHA1, password, salt, - iter, enctype, key); - if (ret) + kd.schedule = NULL; + ALLOC(kd.key, 1); + if(kd.key == NULL) { + krb5_set_error_string (context, "malloc: out of memory"); + return ENOMEM; + } + kd.key->keytype = enctype; + ret = krb5_data_alloc(&kd.key->keyvalue, et->keytype->size); + if (ret) { + krb5_set_error_string(context, "Failed to allocate pkcs5 key"); return ret; + } - ret = krb5_copy_keyblock(context, key, &kd.key); - kd.schedule = NULL; + ret = PKCS5_PBKDF2_HMAC_SHA1(password.data, password.length, + salt.saltvalue.data, salt.saltvalue.length, + iter, + et->keytype->size, kd.key->keyvalue.data); + if (ret != 1) { + free_key_data(context, &kd); + krb5_set_error_string(context, "Error calculating s2k"); + return KRB5_PROG_KEYTYPE_NOSUPP; + } ret = derive_key(context, et, &kd, "kerberos", strlen("kerberos")); - - if (ret) { - krb5_data_free(&key->keyvalue); - } else { + if (ret == 0) ret = krb5_copy_keyblock_contents(context, kd.key, key); - free_key_data(context, &kd); - } + free_key_data(context, &kd); return ret; } +struct krb5_aes_schedule { + AES_KEY ekey; + AES_KEY dkey; +}; + static void -AES_schedule(krb5_context context, struct key_data *kd) +AES_schedule(krb5_context context, + struct key_data *kd) { - AES_KEY *key = kd->schedule->data; + struct krb5_aes_schedule *key = kd->schedule->data; int bits = kd->key->keyvalue.length * 8; - - AES_set_encrypt_key(kd->key->keyvalue.data, bits, &key[0]); - AES_set_decrypt_key(kd->key->keyvalue.data, bits, &key[1]); + + memset(key, 0, sizeof(*key)); + AES_set_encrypt_key(kd->key->keyvalue.data, bits, &key->ekey); + AES_set_decrypt_key(kd->key->keyvalue.data, bits, &key->dkey); } /* * */ -extern struct salt_type AES_salt[]; +static struct salt_type des_salt[] = { + { + KRB5_PW_SALT, + "pw-salt", + krb5_DES_string_to_key + }, +#ifdef ENABLE_AFS_STRING_TO_KEY + { + KRB5_AFS3_SALT, + "afs3-salt", + DES_AFS3_string_to_key + }, +#endif + { 0 } +}; -#endif /* ENABLE_AES */ +static struct salt_type des3_salt[] = { + { + KRB5_PW_SALT, + "pw-salt", + DES3_string_to_key + }, + { 0 } +}; -extern struct salt_type des_salt[], - des3_salt[], des3_salt_derived[], arcfour_salt[]; +static struct salt_type des3_salt_derived[] = { + { + KRB5_PW_SALT, + "pw-salt", + DES3_string_to_key_derived + }, + { 0 } +}; -struct key_type keytype_null = { +static struct salt_type AES_salt[] = { + { + KRB5_PW_SALT, + "pw-salt", + AES_string_to_key + }, + { 0 } +}; + +static struct salt_type arcfour_salt[] = { + { + KRB5_PW_SALT, + "pw-salt", + ARCFOUR_string_to_key + }, + { 0 } +}; + +/* + * + */ + +static struct key_type keytype_null = { KEYTYPE_NULL, "null", 0, @@ -700,83 +744,82 @@ struct key_type keytype_null = { NULL }; -struct key_type keytype_des = { +static struct key_type keytype_des = { KEYTYPE_DES, "des", 56, - sizeof(des_cblock), - sizeof(des_key_schedule), + sizeof(DES_cblock), + sizeof(DES_key_schedule), krb5_DES_random_key, krb5_DES_schedule, - des_salt + des_salt, + krb5_DES_random_to_key }; -struct key_type keytype_des3 = { +static struct key_type keytype_des3 = { KEYTYPE_DES3, "des3", 168, - 3 * sizeof(des_cblock), - 3 * sizeof(des_key_schedule), + 3 * sizeof(DES_cblock), + 3 * sizeof(DES_key_schedule), DES3_random_key, DES3_schedule, - des3_salt + des3_salt, + DES3_random_to_key }; -struct key_type keytype_des3_derived = { +static struct key_type keytype_des3_derived = { KEYTYPE_DES3, "des3", 168, - 3 * sizeof(des_cblock), - 3 * sizeof(des_key_schedule), + 3 * sizeof(DES_cblock), + 3 * sizeof(DES_key_schedule), DES3_random_key, DES3_schedule, - des3_salt_derived + des3_salt_derived, + DES3_random_to_key }; -#ifdef ENABLE_AES -struct key_type keytype_aes128 = { +static struct key_type keytype_aes128 = { KEYTYPE_AES128, "aes-128", 128, 16, - sizeof(AES_KEY) * 2, + sizeof(struct krb5_aes_schedule), NULL, AES_schedule, AES_salt }; -struct key_type keytype_aes256 = { +static struct key_type keytype_aes256 = { KEYTYPE_AES256, "aes-256", 256, - 16, - sizeof(AES_KEY) * 2, + 32, + sizeof(struct krb5_aes_schedule), NULL, AES_schedule, AES_salt }; -#endif /* ENABLE_AES */ -struct key_type keytype_arcfour = { +static struct key_type keytype_arcfour = { KEYTYPE_ARCFOUR, "arcfour", 128, 16, sizeof(RC4_KEY), - ARCFOUR_random_key, + NULL, ARCFOUR_schedule, arcfour_salt }; -struct key_type *keytypes[] = { +static struct key_type *keytypes[] = { &keytype_null, &keytype_des, &keytype_des3_derived, &keytype_des3, -#ifdef ENABLE_AES &keytype_aes128, &keytype_aes256, -#endif /* ENABLE_AES */ &keytype_arcfour }; @@ -793,59 +836,7 @@ _find_keytype(krb5_keytype type) } -struct salt_type des_salt[] = { - { - KRB5_PW_SALT, - "pw-salt", - krb5_DES_string_to_key - }, - { - KRB5_AFS3_SALT, - "afs3-salt", - DES_AFS3_string_to_key - }, - { 0 } -}; - -struct salt_type des3_salt[] = { - { - KRB5_PW_SALT, - "pw-salt", - DES3_string_to_key - }, - { 0 } -}; - -struct salt_type des3_salt_derived[] = { - { - KRB5_PW_SALT, - "pw-salt", - DES3_string_to_key_derived - }, - { 0 } -}; - -#ifdef ENABLE_AES -struct salt_type AES_salt[] = { - { - KRB5_PW_SALT, - "pw-salt", - AES_string_to_key - }, - { 0 } -}; -#endif /* ENABLE_AES */ - -struct salt_type arcfour_salt[] = { - { - KRB5_PW_SALT, - "pw-salt", - ARCFOUR_string_to_key - }, - { 0 } -}; - -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_salttype_to_string (krb5_context context, krb5_enctype etype, krb5_salttype stype, @@ -874,7 +865,7 @@ krb5_salttype_to_string (krb5_context context, return HEIM_ERR_SALTTYPE_NOSUPP; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_salttype (krb5_context context, krb5_enctype etype, const char *string, @@ -899,7 +890,7 @@ krb5_string_to_salttype (krb5_context context, return HEIM_ERR_SALTTYPE_NOSUPP; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_pw_salt(krb5_context context, krb5_const_principal principal, krb5_salt *salt) @@ -928,7 +919,7 @@ krb5_get_pw_salt(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_salt(krb5_context context, krb5_salt salt) { @@ -936,7 +927,7 @@ krb5_free_salt(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_data (krb5_context context, krb5_enctype enctype, krb5_data password, @@ -954,7 +945,7 @@ krb5_string_to_key_data (krb5_context context, return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key (krb5_context context, krb5_enctype enctype, const char *password, @@ -962,12 +953,12 @@ krb5_string_to_key (krb5_context context, krb5_keyblock *key) { krb5_data pw; - pw.data = (void*)password; + pw.data = rk_UNCONST(password); pw.length = strlen(password); return krb5_string_to_key_data(context, enctype, pw, principal, key); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_data_salt (krb5_context context, krb5_enctype enctype, krb5_data password, @@ -986,7 +977,7 @@ krb5_string_to_key_data_salt (krb5_context context, * `opaque'), returning the resulting key in `key' */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_data_salt_opaque (krb5_context context, krb5_enctype enctype, krb5_data password, @@ -1016,7 +1007,7 @@ krb5_string_to_key_data_salt_opaque (krb5_context context, * in `key' */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_salt (krb5_context context, krb5_enctype enctype, const char *password, @@ -1024,12 +1015,27 @@ krb5_string_to_key_salt (krb5_context context, krb5_keyblock *key) { krb5_data pw; - pw.data = (void*)password; + pw.data = rk_UNCONST(password); pw.length = strlen(password); return krb5_string_to_key_data_salt(context, enctype, pw, salt, key); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_string_to_key_salt_opaque (krb5_context context, + krb5_enctype enctype, + const char *password, + krb5_salt salt, + krb5_data opaque, + krb5_keyblock *key) +{ + krb5_data pw; + pw.data = rk_UNCONST(password); + pw.length = strlen(password); + return krb5_string_to_key_data_salt_opaque(context, enctype, + pw, salt, opaque, key); +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_keytype_to_string(krb5_context context, krb5_keytype keytype, char **string) @@ -1047,7 +1053,7 @@ krb5_keytype_to_string(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_keytype(krb5_context context, const char *string, krb5_keytype *keytype) @@ -1062,7 +1068,7 @@ krb5_string_to_keytype(krb5_context context, return KRB5_PROG_KEYTYPE_NOSUPP; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_keysize(krb5_context context, krb5_enctype type, size_t *keysize) @@ -1077,7 +1083,22 @@ krb5_enctype_keysize(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_enctype_keybits(krb5_context context, + krb5_enctype type, + size_t *keybits) +{ + struct encryption_type *et = _find_enctype(type); + if(et == NULL) { + krb5_set_error_string(context, "encryption type %d not supported", + type); + return KRB5_PROG_ETYPE_NOSUPP; + } + *keybits = et->keytype->bits; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_generate_random_keyblock(krb5_context context, krb5_enctype type, krb5_keyblock *key) @@ -1150,7 +1171,7 @@ CRC32_checksum(krb5_context context, unsigned usage, Checksum *C) { - u_int32_t crc; + uint32_t crc; unsigned char *r = C->checksum.data; _krb5_crc_init_table (); crc = _krb5_crc_update (data, len, 0); @@ -1184,7 +1205,7 @@ RSA_MD4_DES_checksum(krb5_context context, Checksum *cksum) { MD4_CTX md4; - des_cblock ivec; + DES_cblock ivec; unsigned char *p = cksum->checksum.data; krb5_generate_random_block(p, 8); @@ -1193,7 +1214,7 @@ RSA_MD4_DES_checksum(krb5_context context, MD4_Update (&md4, data, len); MD4_Final (p + 8, &md4); memset (&ivec, 0, sizeof(ivec)); - des_cbc_encrypt(p, + DES_cbc_encrypt(p, p, 24, key->schedule->data, @@ -1212,11 +1233,11 @@ RSA_MD4_DES_verify(krb5_context context, MD4_CTX md4; unsigned char tmp[24]; unsigned char res[16]; - des_cblock ivec; + DES_cblock ivec; krb5_error_code ret = 0; memset(&ivec, 0, sizeof(ivec)); - des_cbc_encrypt(C->checksum.data, + DES_cbc_encrypt(C->checksum.data, (void*)tmp, C->checksum.length, key->schedule->data, @@ -1259,7 +1280,7 @@ RSA_MD5_DES_checksum(krb5_context context, Checksum *C) { MD5_CTX md5; - des_cblock ivec; + DES_cblock ivec; unsigned char *p = C->checksum.data; krb5_generate_random_block(p, 8); @@ -1268,7 +1289,7 @@ RSA_MD5_DES_checksum(krb5_context context, MD5_Update (&md5, data, len); MD5_Final (p + 8, &md5); memset (&ivec, 0, sizeof(ivec)); - des_cbc_encrypt(p, + DES_cbc_encrypt(p, p, 24, key->schedule->data, @@ -1287,15 +1308,15 @@ RSA_MD5_DES_verify(krb5_context context, MD5_CTX md5; unsigned char tmp[24]; unsigned char res[16]; - des_cblock ivec; - des_key_schedule *sched = key->schedule->data; + DES_cblock ivec; + DES_key_schedule *sched = key->schedule->data; krb5_error_code ret = 0; memset(&ivec, 0, sizeof(ivec)); - des_cbc_encrypt(C->checksum.data, + DES_cbc_encrypt(C->checksum.data, (void*)tmp, C->checksum.length, - sched[0], + &sched[0], &ivec, DES_DECRYPT); MD5_Init (&md5); @@ -1320,9 +1341,9 @@ RSA_MD5_DES3_checksum(krb5_context context, Checksum *C) { MD5_CTX md5; - des_cblock ivec; + DES_cblock ivec; unsigned char *p = C->checksum.data; - des_key_schedule *sched = key->schedule->data; + DES_key_schedule *sched = key->schedule->data; krb5_generate_random_block(p, 8); MD5_Init (&md5); @@ -1330,10 +1351,10 @@ RSA_MD5_DES3_checksum(krb5_context context, MD5_Update (&md5, data, len); MD5_Final (p + 8, &md5); memset (&ivec, 0, sizeof(ivec)); - des_ede3_cbc_encrypt(p, + DES_ede3_cbc_encrypt(p, p, 24, - sched[0], sched[1], sched[2], + &sched[0], &sched[1], &sched[2], &ivec, DES_ENCRYPT); } @@ -1349,15 +1370,15 @@ RSA_MD5_DES3_verify(krb5_context context, MD5_CTX md5; unsigned char tmp[24]; unsigned char res[16]; - des_cblock ivec; - des_key_schedule *sched = key->schedule->data; + DES_cblock ivec; + DES_key_schedule *sched = key->schedule->data; krb5_error_code ret = 0; memset(&ivec, 0, sizeof(ivec)); - des_ede3_cbc_encrypt(C->checksum.data, + DES_ede3_cbc_encrypt(C->checksum.data, (void*)tmp, C->checksum.length, - sched[0], sched[1], sched[2], + &sched[0], &sched[1], &sched[2], &ivec, DES_DECRYPT); MD5_Init (&md5); @@ -1446,7 +1467,7 @@ hmac(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_hmac(krb5_context context, krb5_cksumtype cktype, const void *data, @@ -1578,16 +1599,16 @@ HMAC_MD5_checksum_enc(krb5_context context, krb5_abortx(context, "hmac failed"); } -struct checksum_type checksum_none = { +static struct checksum_type checksum_none = { CKSUMTYPE_NONE, "none", 1, 0, - 0, + 0, NONE_checksum, NULL }; -struct checksum_type checksum_crc32 = { +static struct checksum_type checksum_crc32 = { CKSUMTYPE_CRC32, "crc32", 1, @@ -1596,7 +1617,7 @@ struct checksum_type checksum_crc32 = { CRC32_checksum, NULL }; -struct checksum_type checksum_rsa_md4 = { +static struct checksum_type checksum_rsa_md4 = { CKSUMTYPE_RSA_MD4, "rsa-md4", 64, @@ -1605,7 +1626,7 @@ struct checksum_type checksum_rsa_md4 = { RSA_MD4_checksum, NULL }; -struct checksum_type checksum_rsa_md4_des = { +static struct checksum_type checksum_rsa_md4_des = { CKSUMTYPE_RSA_MD4_DES, "rsa-md4-des", 64, @@ -1615,7 +1636,7 @@ struct checksum_type checksum_rsa_md4_des = { RSA_MD4_DES_verify }; #if 0 -struct checksum_type checksum_des_mac = { +static struct checksum_type checksum_des_mac = { CKSUMTYPE_DES_MAC, "des-mac", 0, @@ -1623,7 +1644,7 @@ struct checksum_type checksum_des_mac = { 0, DES_MAC_checksum }; -struct checksum_type checksum_des_mac_k = { +static struct checksum_type checksum_des_mac_k = { CKSUMTYPE_DES_MAC_K, "des-mac-k", 0, @@ -1631,7 +1652,7 @@ struct checksum_type checksum_des_mac_k = { 0, DES_MAC_K_checksum }; -struct checksum_type checksum_rsa_md4_des_k = { +static struct checksum_type checksum_rsa_md4_des_k = { CKSUMTYPE_RSA_MD4_DES_K, "rsa-md4-des-k", 0, @@ -1641,7 +1662,7 @@ struct checksum_type checksum_rsa_md4_des_k = { RSA_MD4_DES_K_verify }; #endif -struct checksum_type checksum_rsa_md5 = { +static struct checksum_type checksum_rsa_md5 = { CKSUMTYPE_RSA_MD5, "rsa-md5", 64, @@ -1650,7 +1671,7 @@ struct checksum_type checksum_rsa_md5 = { RSA_MD5_checksum, NULL }; -struct checksum_type checksum_rsa_md5_des = { +static struct checksum_type checksum_rsa_md5_des = { CKSUMTYPE_RSA_MD5_DES, "rsa-md5-des", 64, @@ -1659,7 +1680,7 @@ struct checksum_type checksum_rsa_md5_des = { RSA_MD5_DES_checksum, RSA_MD5_DES_verify }; -struct checksum_type checksum_rsa_md5_des3 = { +static struct checksum_type checksum_rsa_md5_des3 = { CKSUMTYPE_RSA_MD5_DES3, "rsa-md5-des3", 64, @@ -1668,7 +1689,7 @@ struct checksum_type checksum_rsa_md5_des3 = { RSA_MD5_DES3_checksum, RSA_MD5_DES3_verify }; -struct checksum_type checksum_sha1 = { +static struct checksum_type checksum_sha1 = { CKSUMTYPE_SHA1, "sha1", 64, @@ -1677,7 +1698,7 @@ struct checksum_type checksum_sha1 = { SHA1_checksum, NULL }; -struct checksum_type checksum_hmac_sha1_des3 = { +static struct checksum_type checksum_hmac_sha1_des3 = { CKSUMTYPE_HMAC_SHA1_DES3, "hmac-sha1-des3", 64, @@ -1687,8 +1708,7 @@ struct checksum_type checksum_hmac_sha1_des3 = { NULL }; -#ifdef ENABLE_AES -struct checksum_type checksum_hmac_sha1_aes128 = { +static struct checksum_type checksum_hmac_sha1_aes128 = { CKSUMTYPE_HMAC_SHA1_96_AES_128, "hmac-sha1-96-aes128", 64, @@ -1698,7 +1718,7 @@ struct checksum_type checksum_hmac_sha1_aes128 = { NULL }; -struct checksum_type checksum_hmac_sha1_aes256 = { +static struct checksum_type checksum_hmac_sha1_aes256 = { CKSUMTYPE_HMAC_SHA1_96_AES_256, "hmac-sha1-96-aes256", 64, @@ -1707,9 +1727,8 @@ struct checksum_type checksum_hmac_sha1_aes256 = { SP_HMAC_SHA1_checksum, NULL }; -#endif /* ENABLE_AES */ -struct checksum_type checksum_hmac_md5 = { +static struct checksum_type checksum_hmac_md5 = { CKSUMTYPE_HMAC_MD5, "hmac-md5", 64, @@ -1719,7 +1738,7 @@ struct checksum_type checksum_hmac_md5 = { NULL }; -struct checksum_type checksum_hmac_md5_enc = { +static struct checksum_type checksum_hmac_md5_enc = { CKSUMTYPE_HMAC_MD5_ENC, "hmac-md5-enc", 64, @@ -1729,7 +1748,7 @@ struct checksum_type checksum_hmac_md5_enc = { NULL }; -struct checksum_type *checksum_types[] = { +static struct checksum_type *checksum_types[] = { &checksum_none, &checksum_crc32, &checksum_rsa_md4, @@ -1744,10 +1763,8 @@ struct checksum_type *checksum_types[] = { &checksum_rsa_md5_des3, &checksum_sha1, &checksum_hmac_sha1_des3, -#ifdef ENABLE_AES &checksum_hmac_sha1_aes128, &checksum_hmac_sha1_aes256, -#endif &checksum_hmac_md5, &checksum_hmac_md5_enc }; @@ -1809,9 +1826,15 @@ create_checksum (krb5_context context, struct key_data *dkey; int keyed_checksum; + if (ct->flags & F_DISABLED) { + krb5_clear_error_string (context); + return KRB5_PROG_SUMTYPE_NOSUPP; + } keyed_checksum = (ct->flags & F_KEYED) != 0; if(keyed_checksum && crypto == NULL) { - krb5_clear_error_string (context); + krb5_set_error_string (context, "Checksum type %s is keyed " + "but no crypto context (key) was passed in", + ct->name); return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */ } if(keyed_checksum) { @@ -1821,7 +1844,9 @@ create_checksum (krb5_context context, } else dkey = NULL; result->cksumtype = ct->type; - krb5_data_alloc(&result->checksum, ct->checksumsize); + ret = krb5_data_alloc(&result->checksum, ct->checksumsize); + if (ret) + return (ret); (*ct->checksum)(context, dkey, data, len, usage, result); return 0; } @@ -1833,7 +1858,7 @@ arcfour_checksum_p(struct checksum_type *ct, krb5_crypto crypto) (crypto->key.key->keytype == KEYTYPE_ARCFOUR); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_create_checksum(krb5_context context, krb5_crypto crypto, krb5_key_usage usage, @@ -1885,7 +1910,7 @@ verify_checksum(krb5_context context, struct checksum_type *ct; ct = _find_checksum(cksum->cksumtype); - if (ct == NULL) { + if (ct == NULL || (ct->flags & F_DISABLED)) { krb5_set_error_string (context, "checksum type %d not supported", cksum->cksumtype); return KRB5_PROG_SUMTYPE_NOSUPP; @@ -1896,7 +1921,9 @@ verify_checksum(krb5_context context, } keyed_checksum = (ct->flags & F_KEYED) != 0; if(keyed_checksum && crypto == NULL) { - krb5_clear_error_string (context); + krb5_set_error_string (context, "Checksum type %s is keyed " + "but no crypto context (key) was passed in", + ct->name); return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */ } if(keyed_checksum) @@ -1923,7 +1950,7 @@ verify_checksum(krb5_context context, return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_checksum(krb5_context context, krb5_crypto crypto, krb5_key_usage usage, @@ -1951,7 +1978,31 @@ krb5_verify_checksum(krb5_context context, data, len, cksum); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_get_checksum_type(krb5_context context, + krb5_crypto crypto, + krb5_cksumtype *type) +{ + struct checksum_type *ct = NULL; + + if (crypto != NULL) { + ct = crypto->et->keyed_checksum; + if (ct == NULL) + ct = crypto->et->checksum; + } + + if (ct == NULL) { + krb5_set_error_string (context, "checksum type not found"); + return KRB5_PROG_SUMTYPE_NOSUPP; + } + + *type = ct->type; + + return 0; +} + + +krb5_error_code KRB5_LIB_FUNCTION krb5_checksumsize(krb5_context context, krb5_cksumtype type, size_t *size) @@ -1966,32 +2017,49 @@ krb5_checksumsize(krb5_context context, return 0; } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_checksum_is_keyed(krb5_context context, krb5_cksumtype type) { struct checksum_type *ct = _find_checksum(type); if(ct == NULL) { - krb5_set_error_string (context, "checksum type %d not supported", - type); + if (context) + krb5_set_error_string (context, "checksum type %d not supported", + type); return KRB5_PROG_SUMTYPE_NOSUPP; } return ct->flags & F_KEYED; } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_checksum_is_collision_proof(krb5_context context, krb5_cksumtype type) { struct checksum_type *ct = _find_checksum(type); if(ct == NULL) { - krb5_set_error_string (context, "checksum type %d not supported", - type); + if (context) + krb5_set_error_string (context, "checksum type %d not supported", + type); return KRB5_PROG_SUMTYPE_NOSUPP; } return ct->flags & F_CPROOF; } +krb5_error_code KRB5_LIB_FUNCTION +krb5_checksum_disable(krb5_context context, + krb5_cksumtype type) +{ + struct checksum_type *ct = _find_checksum(type); + if(ct == NULL) { + if (context) + krb5_set_error_string (context, "checksum type %d not supported", + type); + return KRB5_PROG_SUMTYPE_NOSUPP; + } + ct->flags |= F_DISABLED; + return 0; +} + /************************************************************ * * ************************************************************/ @@ -2001,7 +2069,7 @@ NULL_encrypt(krb5_context context, struct key_data *key, void *data, size_t len, - krb5_boolean encrypt, + krb5_boolean encryptp, int usage, void *ivec) { @@ -2013,14 +2081,14 @@ DES_CBC_encrypt_null_ivec(krb5_context context, struct key_data *key, void *data, size_t len, - krb5_boolean encrypt, + krb5_boolean encryptp, int usage, void *ignore_ivec) { - des_cblock ivec; - des_key_schedule *s = key->schedule->data; + DES_cblock ivec; + DES_key_schedule *s = key->schedule->data; memset(&ivec, 0, sizeof(ivec)); - des_cbc_encrypt(data, data, len, *s, &ivec, encrypt); + DES_cbc_encrypt(data, data, len, s, &ivec, encryptp); return 0; } @@ -2029,14 +2097,14 @@ DES_CBC_encrypt_key_ivec(krb5_context context, struct key_data *key, void *data, size_t len, - krb5_boolean encrypt, + krb5_boolean encryptp, int usage, void *ignore_ivec) { - des_cblock ivec; - des_key_schedule *s = key->schedule->data; + DES_cblock ivec; + DES_key_schedule *s = key->schedule->data; memcpy(&ivec, key->key->keyvalue.data, sizeof(ivec)); - des_cbc_encrypt(data, data, len, *s, &ivec, encrypt); + DES_cbc_encrypt(data, data, len, s, &ivec, encryptp); return 0; } @@ -2045,17 +2113,17 @@ DES3_CBC_encrypt(krb5_context context, struct key_data *key, void *data, size_t len, - krb5_boolean encrypt, + krb5_boolean encryptp, int usage, void *ivec) { - des_cblock local_ivec; - des_key_schedule *s = key->schedule->data; + DES_cblock local_ivec; + DES_key_schedule *s = key->schedule->data; if(ivec == NULL) { ivec = &local_ivec; memset(local_ivec, 0, sizeof(local_ivec)); } - des_ede3_cbc_encrypt(data, data, len, s[0], s[1], s[2], ivec, encrypt); + DES_ede3_cbc_encrypt(data, data, len, &s[0], &s[1], &s[2], ivec, encryptp); return 0; } @@ -2064,16 +2132,16 @@ DES_CFB64_encrypt_null_ivec(krb5_context context, struct key_data *key, void *data, size_t len, - krb5_boolean encrypt, + krb5_boolean encryptp, int usage, void *ignore_ivec) { - des_cblock ivec; + DES_cblock ivec; int num = 0; - des_key_schedule *s = key->schedule->data; + DES_key_schedule *s = key->schedule->data; memset(&ivec, 0, sizeof(ivec)); - des_cfb64_encrypt(data, data, len, *s, &ivec, &num, encrypt); + DES_cfb64_encrypt(data, data, len, s, &ivec, &num, encryptp); return 0; } @@ -2082,31 +2150,28 @@ DES_PCBC_encrypt_key_ivec(krb5_context context, struct key_data *key, void *data, size_t len, - krb5_boolean encrypt, + krb5_boolean encryptp, int usage, void *ignore_ivec) { - des_cblock ivec; - des_key_schedule *s = key->schedule->data; + DES_cblock ivec; + DES_key_schedule *s = key->schedule->data; memcpy(&ivec, key->key->keyvalue.data, sizeof(ivec)); - des_pcbc_encrypt(data, data, len, *s, &ivec, encrypt); + DES_pcbc_encrypt(data, data, len, s, &ivec, encryptp); return 0; } -#ifdef ENABLE_AES - /* * AES draft-raeburn-krb-rijndael-krb-02 */ -void +void KRB5_LIB_FUNCTION _krb5_aes_cts_encrypt(const unsigned char *in, unsigned char *out, - size_t len, const void *aes_key, - unsigned char *ivec, const int enc) + size_t len, const AES_KEY *key, + unsigned char *ivec, const int encryptp) { unsigned char tmp[AES_BLOCK_SIZE]; - const AES_KEY *key = aes_key; /* XXX remove this when we always have AES */ int i; /* @@ -2114,7 +2179,7 @@ _krb5_aes_cts_encrypt(const unsigned char *in, unsigned char *out, * then at least one blocksize. */ - if (enc == AES_ENCRYPT) { + if (encryptp) { while(len > AES_BLOCK_SIZE) { for (i = 0; i < AES_BLOCK_SIZE; i++) @@ -2134,10 +2199,11 @@ _krb5_aes_cts_encrypt(const unsigned char *in, unsigned char *out, AES_encrypt(tmp, out - AES_BLOCK_SIZE, key); memcpy(out, ivec, len); + memcpy(ivec, out - AES_BLOCK_SIZE, AES_BLOCK_SIZE); } else { - char tmp2[AES_BLOCK_SIZE]; - char tmp3[AES_BLOCK_SIZE]; + unsigned char tmp2[AES_BLOCK_SIZE]; + unsigned char tmp3[AES_BLOCK_SIZE]; while(len > AES_BLOCK_SIZE * 2) { memcpy(tmp, in, AES_BLOCK_SIZE); @@ -2152,6 +2218,7 @@ _krb5_aes_cts_encrypt(const unsigned char *in, unsigned char *out, len -= AES_BLOCK_SIZE; + memcpy(tmp, in, AES_BLOCK_SIZE); /* save last iv */ AES_decrypt(in, tmp2, key); memcpy(tmp3, in + AES_BLOCK_SIZE, len); @@ -2163,6 +2230,7 @@ _krb5_aes_cts_encrypt(const unsigned char *in, unsigned char *out, AES_decrypt(tmp3, out, key); for (i = 0; i < AES_BLOCK_SIZE; i++) out[i] ^= ivec[i]; + memcpy(ivec, tmp, AES_BLOCK_SIZE); } } @@ -2171,22 +2239,23 @@ AES_CTS_encrypt(krb5_context context, struct key_data *key, void *data, size_t len, - krb5_boolean encrypt, + krb5_boolean encryptp, int usage, void *ivec) { - AES_KEY *k = key->schedule->data; + struct krb5_aes_schedule *aeskey = key->schedule->data; char local_ivec[AES_BLOCK_SIZE]; + AES_KEY *k; - if (encrypt) - k = &k[0]; + if (encryptp) + k = &aeskey->ekey; else - k = &k[1]; + k = &aeskey->dkey; if (len < AES_BLOCK_SIZE) krb5_abortx(context, "invalid use of AES_CTS_encrypt"); if (len == AES_BLOCK_SIZE) { - if (encrypt) + if (encryptp) AES_encrypt(data, data, k); else AES_decrypt(data, data, k); @@ -2195,12 +2264,11 @@ AES_CTS_encrypt(krb5_context context, memset(local_ivec, 0, sizeof(local_ivec)); ivec = local_ivec; } - _krb5_aes_cts_encrypt(data, data, len, k, ivec, encrypt); + _krb5_aes_cts_encrypt(data, data, len, k, ivec, encryptp); } return 0; } -#endif /* ENABLE_AES */ /* * section 6 of draft-brezak-win2k-krb-rc4-hmac-03 @@ -2213,7 +2281,7 @@ ARCFOUR_subencrypt(krb5_context context, struct key_data *key, void *data, size_t len, - int usage, + unsigned usage, void *ivec) { struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5); @@ -2276,7 +2344,7 @@ ARCFOUR_subdecrypt(krb5_context context, struct key_data *key, void *data, size_t len, - int usage, + unsigned usage, void *ivec) { struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5); @@ -2349,7 +2417,7 @@ ARCFOUR_subdecrypt(krb5_context context, */ static krb5_error_code -usage2arcfour (krb5_context context, int *usage) +usage2arcfour (krb5_context context, unsigned *usage) { switch (*usage) { case KRB5_KU_AS_REP_ENC_PART : /* 3 */ @@ -2375,40 +2443,98 @@ ARCFOUR_encrypt(krb5_context context, struct key_data *key, void *data, size_t len, - krb5_boolean encrypt, + krb5_boolean encryptp, int usage, void *ivec) { krb5_error_code ret; - if((ret = usage2arcfour (context, &usage)) != 0) + unsigned keyusage = usage; + + if((ret = usage2arcfour (context, &keyusage)) != 0) return ret; - if (encrypt) - return ARCFOUR_subencrypt (context, key, data, len, usage, ivec); + if (encryptp) + return ARCFOUR_subencrypt (context, key, data, len, keyusage, ivec); else - return ARCFOUR_subdecrypt (context, key, data, len, usage, ivec); + return ARCFOUR_subdecrypt (context, key, data, len, keyusage, ivec); } /* + * + */ + +static krb5_error_code +AES_PRF(krb5_context context, + krb5_crypto crypto, + const krb5_data *in, + krb5_data *out) +{ + struct checksum_type *ct = crypto->et->checksum; + krb5_error_code ret; + Checksum result; + krb5_keyblock *derived; + + result.cksumtype = ct->type; + ret = krb5_data_alloc(&result.checksum, ct->checksumsize); + if (ret) { + krb5_set_error_string(context, "out memory"); + return ret; + } + + (*ct->checksum)(context, NULL, in->data, in->length, 0, &result); + + if (result.checksum.length < crypto->et->blocksize) + krb5_abortx(context, "internal prf error"); + + derived = NULL; + ret = krb5_derive_key(context, crypto->key.key, + crypto->et->type, "prf", 3, &derived); + if (ret) + krb5_abortx(context, "krb5_derive_key"); + + ret = krb5_data_alloc(out, crypto->et->blocksize); + if (ret) + krb5_abortx(context, "malloc failed"); + + { + AES_KEY key; + + AES_set_encrypt_key(derived->keyvalue.data, + crypto->et->keytype->bits, &key); + AES_encrypt(result.checksum.data, out->data, &key); + memset(&key, 0, sizeof(key)); + } + + krb5_data_free(&result.checksum); + krb5_free_keyblock(context, derived); + + return ret; +} + +/* * these should currently be in reverse preference order. * (only relevant for !F_PSEUDO) */ static struct encryption_type enctype_null = { ETYPE_NULL, "null", + NULL, 1, 1, 0, &keytype_null, &checksum_none, NULL, - 0, + F_DISABLED, NULL_encrypt, + 0, + NULL }; static struct encryption_type enctype_des_cbc_crc = { ETYPE_DES_CBC_CRC, "des-cbc-crc", + NULL, 8, 8, 8, @@ -2417,10 +2543,13 @@ static struct encryption_type enctype_des_cbc_crc = { NULL, 0, DES_CBC_encrypt_key_ivec, + 0, + NULL }; static struct encryption_type enctype_des_cbc_md4 = { ETYPE_DES_CBC_MD4, "des-cbc-md4", + NULL, 8, 8, 8, @@ -2429,10 +2558,13 @@ static struct encryption_type enctype_des_cbc_md4 = { &checksum_rsa_md4_des, 0, DES_CBC_encrypt_null_ivec, + 0, + NULL }; static struct encryption_type enctype_des_cbc_md5 = { ETYPE_DES_CBC_MD5, "des-cbc-md5", + NULL, 8, 8, 8, @@ -2441,22 +2573,28 @@ static struct encryption_type enctype_des_cbc_md5 = { &checksum_rsa_md5_des, 0, DES_CBC_encrypt_null_ivec, + 0, + NULL }; static struct encryption_type enctype_arcfour_hmac_md5 = { ETYPE_ARCFOUR_HMAC_MD5, "arcfour-hmac-md5", + NULL, 1, 1, 8, &keytype_arcfour, &checksum_hmac_md5, - /* &checksum_hmac_md5_enc */ NULL, + NULL, F_SPECIAL, - ARCFOUR_encrypt + ARCFOUR_encrypt, + 0, + NULL }; static struct encryption_type enctype_des3_cbc_md5 = { ETYPE_DES3_CBC_MD5, "des3-cbc-md5", + NULL, 8, 8, 8, @@ -2465,10 +2603,13 @@ static struct encryption_type enctype_des3_cbc_md5 = { &checksum_rsa_md5_des3, 0, DES3_CBC_encrypt, + 0, + NULL }; static struct encryption_type enctype_des3_cbc_sha1 = { ETYPE_DES3_CBC_SHA1, "des3-cbc-sha1", + NULL, 8, 8, 8, @@ -2477,10 +2618,13 @@ static struct encryption_type enctype_des3_cbc_sha1 = { &checksum_hmac_sha1_des3, F_DERIVED, DES3_CBC_encrypt, + 0, + NULL }; static struct encryption_type enctype_old_des3_cbc_sha1 = { ETYPE_OLD_DES3_CBC_SHA1, "old-des3-cbc-sha1", + NULL, 8, 8, 8, @@ -2489,36 +2633,43 @@ static struct encryption_type enctype_old_des3_cbc_sha1 = { &checksum_hmac_sha1_des3, 0, DES3_CBC_encrypt, + 0, + NULL }; -#ifdef ENABLE_AES static struct encryption_type enctype_aes128_cts_hmac_sha1 = { ETYPE_AES128_CTS_HMAC_SHA1_96, "aes128-cts-hmac-sha1-96", + NULL, 16, 1, 16, &keytype_aes128, &checksum_sha1, &checksum_hmac_sha1_aes128, - 0, + F_DERIVED, AES_CTS_encrypt, + 16, + AES_PRF }; static struct encryption_type enctype_aes256_cts_hmac_sha1 = { ETYPE_AES256_CTS_HMAC_SHA1_96, "aes256-cts-hmac-sha1-96", + NULL, 16, 1, 16, &keytype_aes256, &checksum_sha1, &checksum_hmac_sha1_aes256, - 0, + F_DERIVED, AES_CTS_encrypt, + 16, + AES_PRF }; -#endif /* ENABLE_AES */ static struct encryption_type enctype_des_cbc_none = { ETYPE_DES_CBC_NONE, "des-cbc-none", + NULL, 8, 8, 0, @@ -2527,10 +2678,13 @@ static struct encryption_type enctype_des_cbc_none = { NULL, F_PSEUDO, DES_CBC_encrypt_null_ivec, + 0, + NULL }; static struct encryption_type enctype_des_cfb64_none = { ETYPE_DES_CFB64_NONE, "des-cfb64-none", + NULL, 1, 1, 0, @@ -2539,10 +2693,13 @@ static struct encryption_type enctype_des_cfb64_none = { NULL, F_PSEUDO, DES_CFB64_encrypt_null_ivec, + 0, + NULL }; static struct encryption_type enctype_des_pcbc_none = { ETYPE_DES_PCBC_NONE, "des-pcbc-none", + NULL, 8, 8, 0, @@ -2551,10 +2708,13 @@ static struct encryption_type enctype_des_pcbc_none = { NULL, F_PSEUDO, DES_PCBC_encrypt_key_ivec, + 0, + NULL }; static struct encryption_type enctype_des3_cbc_none = { ETYPE_DES3_CBC_NONE, "des3-cbc-none", + NULL, 8, 8, 0, @@ -2563,6 +2723,8 @@ static struct encryption_type enctype_des3_cbc_none = { NULL, F_PSEUDO, DES3_CBC_encrypt, + 0, + NULL }; static struct encryption_type *etypes[] = { @@ -2574,10 +2736,8 @@ static struct encryption_type *etypes[] = { &enctype_des3_cbc_md5, &enctype_des3_cbc_sha1, &enctype_old_des3_cbc_sha1, -#ifdef ENABLE_AES &enctype_aes128_cts_hmac_sha1, &enctype_aes256_cts_hmac_sha1, -#endif &enctype_des_cbc_none, &enctype_des_cfb64_none, &enctype_des_pcbc_none, @@ -2598,7 +2758,7 @@ _find_enctype(krb5_enctype type) } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_to_string(krb5_context context, krb5_enctype etype, char **string) @@ -2608,6 +2768,7 @@ krb5_enctype_to_string(krb5_context context, if(e == NULL) { krb5_set_error_string (context, "encryption type %d not supported", etype); + *string = NULL; return KRB5_PROG_ETYPE_NOSUPP; } *string = strdup(e->name); @@ -2618,7 +2779,7 @@ krb5_enctype_to_string(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_enctype(krb5_context context, const char *string, krb5_enctype *etype) @@ -2634,7 +2795,42 @@ krb5_string_to_enctype(krb5_context context, return KRB5_PROG_ETYPE_NOSUPP; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +_krb5_enctype_to_oid(krb5_context context, + krb5_enctype etype, + heim_oid *oid) +{ + struct encryption_type *et = _find_enctype(etype); + if(et == NULL) { + krb5_set_error_string (context, "encryption type %d not supported", + etype); + return KRB5_PROG_ETYPE_NOSUPP; + } + if(et->oid == NULL) { + krb5_set_error_string (context, "%s have not oid", et->name); + return KRB5_PROG_ETYPE_NOSUPP; + } + krb5_clear_error_string(context); + return der_copy_oid(et->oid, oid); +} + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_oid_to_enctype(krb5_context context, + const heim_oid *oid, + krb5_enctype *etype) +{ + int i; + for(i = 0; i < num_etypes; i++) { + if(etypes[i]->oid && der_heim_oid_cmp(etypes[i]->oid, oid) == 0) { + *etype = etypes[i]->type; + return 0; + } + } + krb5_set_error_string(context, "enctype for oid not supported"); + return KRB5_PROG_ETYPE_NOSUPP; +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_to_keytype(krb5_context context, krb5_enctype etype, krb5_keytype *keytype) @@ -2650,7 +2846,7 @@ krb5_enctype_to_keytype(krb5_context context, } #if 0 -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_keytype_to_enctype(krb5_context context, krb5_keytype keytype, krb5_enctype *etype) @@ -2664,7 +2860,7 @@ krb5_keytype_to_enctype(krb5_context context, } #endif -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_keytype_to_enctypes (krb5_context context, krb5_keytype keytype, unsigned *len, @@ -2700,7 +2896,7 @@ krb5_keytype_to_enctypes (krb5_context context, * else, do `krb5_keytype_to_enctypes'. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_keytype_to_enctypes_default (krb5_context context, krb5_keytype keytype, unsigned *len, @@ -2726,15 +2922,45 @@ krb5_keytype_to_enctypes_default (krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_valid(krb5_context context, krb5_enctype etype) { - return _find_enctype(etype) != NULL; + struct encryption_type *e = _find_enctype(etype); + if(e == NULL) { + krb5_set_error_string (context, "encryption type %d not supported", + etype); + return KRB5_PROG_ETYPE_NOSUPP; + } + if (e->flags & F_DISABLED) { + krb5_set_error_string (context, "encryption type %s is disabled", + e->name); + return KRB5_PROG_ETYPE_NOSUPP; + } + return 0; } +krb5_error_code KRB5_LIB_FUNCTION +krb5_cksumtype_valid(krb5_context context, + krb5_cksumtype ctype) +{ + struct checksum_type *c = _find_checksum(ctype); + if (c == NULL) { + krb5_set_error_string (context, "checksum type %d not supported", + ctype); + return KRB5_PROG_SUMTYPE_NOSUPP; + } + if (c->flags & F_DISABLED) { + krb5_set_error_string (context, "checksum type %s is disabled", + c->name); + return KRB5_PROG_SUMTYPE_NOSUPP; + } + return 0; +} + + /* if two enctypes have compatible keys */ -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_enctypes_compatible_keys(krb5_context context, krb5_enctype etype1, krb5_enctype etype2) @@ -2765,7 +2991,7 @@ static krb5_error_code encrypt_internal_derived(krb5_context context, krb5_crypto crypto, unsigned usage, - void *data, + const void *data, size_t len, krb5_data *result, void *ivec) @@ -2834,7 +3060,7 @@ encrypt_internal_derived(krb5_context context, static krb5_error_code encrypt_internal(krb5_context context, krb5_crypto crypto, - void *data, + const void *data, size_t len, krb5_data *result, void *ivec) @@ -2903,7 +3129,7 @@ static krb5_error_code encrypt_internal_special(krb5_context context, krb5_crypto crypto, int usage, - void *data, + const void *data, size_t len, krb5_data *result, void *ivec) @@ -2954,9 +3180,10 @@ decrypt_internal_derived(krb5_context context, unsigned long l; checksum_sz = CHECKSUMSIZE(et->keyed_checksum); - if (len < checksum_sz) { - krb5_clear_error_string (context); - return EINVAL; /* XXX - better error code? */ + if (len < checksum_sz + et->confoundersize) { + krb5_set_error_string(context, "Encrypted data shorter then " + "checksum + confunder"); + return KRB5_BAD_MSIZE; } if (((len - checksum_sz) % et->padsize) != 0) { @@ -3009,7 +3236,7 @@ decrypt_internal_derived(krb5_context context, l = len - et->confoundersize; memmove(p, p + et->confoundersize, l); result->data = realloc(p, l); - if(result->data == NULL) { + if(result->data == NULL && l != 0) { free(p); krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; @@ -3074,7 +3301,7 @@ decrypt_internal(krb5_context context, l = len - et->confoundersize - checksum_sz; memmove(p, p + et->confoundersize + checksum_sz, l); result->data = realloc(p, l); - if(result->data == NULL) { + if(result->data == NULL && l != 0) { free(p); krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; @@ -3118,7 +3345,7 @@ decrypt_internal_special(krb5_context context, memmove (p, p + cksum_sz + et->confoundersize, sz); result->data = realloc(p, sz); - if(result->data == NULL) { + if(result->data == NULL && sz != 0) { free(p); krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; @@ -3128,11 +3355,11 @@ decrypt_internal_special(krb5_context context, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encrypt_ivec(krb5_context context, krb5_crypto crypto, unsigned usage, - void *data, + const void *data, size_t len, krb5_data *result, void *ivec) @@ -3147,18 +3374,18 @@ krb5_encrypt_ivec(krb5_context context, return encrypt_internal(context, crypto, data, len, result, ivec); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encrypt(krb5_context context, krb5_crypto crypto, unsigned usage, - void *data, + const void *data, size_t len, krb5_data *result) { return krb5_encrypt_ivec(context, crypto, usage, data, len, result, NULL); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encrypt_EncryptedData(krb5_context context, krb5_crypto crypto, unsigned usage, @@ -3176,7 +3403,7 @@ krb5_encrypt_EncryptedData(krb5_context context, return krb5_encrypt(context, crypto, usage, data, len, &result->cipher); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decrypt_ivec(krb5_context context, krb5_crypto crypto, unsigned usage, @@ -3195,7 +3422,7 @@ krb5_decrypt_ivec(krb5_context context, return decrypt_internal(context, crypto, data, len, result, ivec); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decrypt(krb5_context context, krb5_crypto crypto, unsigned usage, @@ -3207,7 +3434,7 @@ krb5_decrypt(krb5_context context, NULL); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decrypt_EncryptedData(krb5_context context, krb5_crypto crypto, unsigned usage, @@ -3222,25 +3449,24 @@ krb5_decrypt_EncryptedData(krb5_context context, * * ************************************************************/ -#ifdef HAVE_OPENSSL -#include <openssl/rand.h> +#define ENTROPY_NEEDED 128 -/* From openssl/crypto/rand/rand_lcl.h */ -#define ENTROPY_NEEDED 20 static int seed_something(void) { - int fd = -1; char buf[1024], seedfile[256]; /* If there is a seed file, load it. But such a file cannot be trusted, so use 0 for the entropy estimate */ if (RAND_file_name(seedfile, sizeof(seedfile))) { + int fd; fd = open(seedfile, O_RDONLY); if (fd >= 0) { - read(fd, buf, sizeof(buf)); - /* Use the full buffer anyway */ - RAND_add(buf, sizeof(buf), 0.0); + ssize_t ret; + ret = read(fd, buf, sizeof(buf)); + if (ret > 0) + RAND_add(buf, ret, 0.0); + close(fd); } else seedfile[0] = '\0'; } else @@ -3272,82 +3498,34 @@ seed_something(void) return -1; } -void +void KRB5_LIB_FUNCTION krb5_generate_random_block(void *buf, size_t len) { static int rng_initialized = 0; + HEIMDAL_MUTEX_lock(&crypto_mutex); if (!rng_initialized) { if (seed_something()) - krb5_abortx(NULL, "Fatal: could not seed the random number generator"); + krb5_abortx(NULL, "Fatal: could not seed the " + "random number generator"); rng_initialized = 1; } - RAND_bytes(buf, len); -} - -#else - -void -krb5_generate_random_block(void *buf, size_t len) -{ - des_cblock key, out; - static des_cblock counter; - static des_key_schedule schedule; - int i; - static int initialized = 0; - - if(!initialized) { - des_new_random_key(&key); - des_set_key(&key, schedule); - memset(&key, 0, sizeof(key)); - des_new_random_key(&counter); - } - while(len > 0) { - des_ecb_encrypt(&counter, &out, schedule, DES_ENCRYPT); - for(i = 7; i >=0; i--) - if(counter[i]++) - break; - memcpy(buf, out, min(len, sizeof(out))); - len -= min(len, sizeof(out)); - buf = (char*)buf + sizeof(out); - } + HEIMDAL_MUTEX_unlock(&crypto_mutex); + if (RAND_bytes(buf, len) != 1) + krb5_abortx(NULL, "Failed to generate random block"); } -#endif static void DES3_postproc(krb5_context context, unsigned char *k, size_t len, struct key_data *key) { - unsigned char x[24]; - int i, j; + DES3_random_to_key(context, key->key, k, len); - memset(x, 0, sizeof(x)); - for (i = 0; i < 3; ++i) { - unsigned char foo; - - for (j = 0; j < 7; ++j) { - unsigned char b = k[7 * i + j]; - - x[8 * i + j] = b; - } - foo = 0; - for (j = 6; j >= 0; --j) { - foo |= k[7 * i + j] & 1; - foo <<= 1; - } - x[8 * i + 7] = foo; - } - k = key->key->keyvalue.data; - memcpy(k, x, 24); - memset(x, 0, sizeof(x)); if (key->schedule) { krb5_free_data(context, key->schedule); key->schedule = NULL; } - des_set_odd_parity((des_cblock*)k); - des_set_odd_parity((des_cblock*)(k + 8)); - des_set_odd_parity((des_cblock*)(k + 16)); } static krb5_error_code @@ -3360,20 +3538,24 @@ derive_key(krb5_context context, unsigned char *k; unsigned int nblocks = 0, i; krb5_error_code ret = 0; - struct key_type *kt = et->keytype; + ret = _key_schedule(context, key); if(ret) return ret; - if(et->blocksize * 8 < kt->bits || - len != et->blocksize) { + if(et->blocksize * 8 < kt->bits || len != et->blocksize) { nblocks = (kt->bits + et->blocksize * 8 - 1) / (et->blocksize * 8); k = malloc(nblocks * et->blocksize); if(k == NULL) { krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; } - _krb5_n_fold(constant, len, k, et->blocksize); + ret = _krb5_n_fold(constant, len, k, et->blocksize); + if (ret) { + free(k); + krb5_set_error_string(context, "out of memory"); + return ret; + } for(i = 0; i < nblocks; i++) { if(i > 0) memcpy(k + i * et->blocksize, @@ -3399,7 +3581,12 @@ derive_key(krb5_context context, krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; } - _krb5_n_fold(c, len, k, res_len); + ret = _krb5_n_fold(c, len, k, res_len); + if (ret) { + free(k); + krb5_set_error_string(context, "out of memory"); + return ret; + } free(c); } @@ -3408,12 +3595,10 @@ derive_key(krb5_context context, case KEYTYPE_DES3: DES3_postproc(context, k, nblocks * et->blocksize, key); break; -#ifdef ENABLE_AES case KEYTYPE_AES128: case KEYTYPE_AES256: memcpy(key->key->keyvalue.data, k, key->key->keyvalue.length); break; -#endif /* ENABLE_AES */ default: krb5_set_error_string(context, "derive_key() called with unknown keytype (%u)", @@ -3421,6 +3606,10 @@ derive_key(krb5_context context, ret = KRB5_CRYPTO_INTERNAL; break; } + if (key->schedule) { + krb5_free_data(context, key->schedule); + key->schedule = NULL; + } memset(k, 0, nblocks * et->blocksize); free(k); return ret; @@ -3440,7 +3629,7 @@ _new_derived_key(krb5_crypto crypto, unsigned usage) return &d->key; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_derive_key(krb5_context context, const krb5_keyblock *key, krb5_enctype etype, @@ -3452,6 +3641,8 @@ krb5_derive_key(krb5_context context, struct encryption_type *et; struct key_data d; + *derived_key = NULL; + et = _find_enctype (etype); if (et == NULL) { krb5_set_error_string(context, "encryption type %d not supported", @@ -3459,16 +3650,15 @@ krb5_derive_key(krb5_context context, return KRB5_PROG_ETYPE_NOSUPP; } - ret = krb5_copy_keyblock(context, key, derived_key); + ret = krb5_copy_keyblock(context, key, &d.key); if (ret) return ret; - d.key = *derived_key; d.schedule = NULL; ret = derive_key(context, et, &d, constant, constant_len); - if (ret) - return ret; - ret = krb5_copy_keyblock(context, d.key, derived_key); + if (ret == 0) + ret = krb5_copy_keyblock(context, d.key, derived_key); + free_key_data(context, &d); return ret; } @@ -3500,7 +3690,7 @@ _get_derived_key(krb5_context context, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_crypto_init(krb5_context context, const krb5_keyblock *key, krb5_enctype etype, @@ -3515,20 +3705,23 @@ krb5_crypto_init(krb5_context context, if(etype == ETYPE_NULL) etype = key->keytype; (*crypto)->et = _find_enctype(etype); - if((*crypto)->et == NULL) { + if((*crypto)->et == NULL || ((*crypto)->et->flags & F_DISABLED)) { free(*crypto); + *crypto = NULL; krb5_set_error_string (context, "encryption type %d not supported", etype); return KRB5_PROG_ETYPE_NOSUPP; } if((*crypto)->et->keytype->size != key->keyvalue.length) { free(*crypto); + *crypto = NULL; krb5_set_error_string (context, "encryption key has bad length"); return KRB5_BAD_KEYSIZE; } ret = krb5_copy_keyblock(context, key, &(*crypto)->key.key); if(ret) { free(*crypto); + *crypto = NULL; return ret; } (*crypto)->key.schedule = NULL; @@ -3553,7 +3746,7 @@ free_key_usage(krb5_context context, struct key_usage *ku) free_key_data(context, &ku->key); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_crypto_destroy(krb5_context context, krb5_crypto crypto) { @@ -3567,7 +3760,7 @@ krb5_crypto_destroy(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_crypto_getblocksize(krb5_context context, krb5_crypto crypto, size_t *blocksize) @@ -3576,7 +3769,49 @@ krb5_crypto_getblocksize(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_getenctype(krb5_context context, + krb5_crypto crypto, + krb5_enctype *enctype) +{ + *enctype = crypto->et->type; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_getpadsize(krb5_context context, + krb5_crypto crypto, + size_t *padsize) +{ + *padsize = crypto->et->padsize; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_getconfoundersize(krb5_context context, + krb5_crypto crypto, + size_t *confoundersize) +{ + *confoundersize = crypto->et->confoundersize; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_enctype_disable(krb5_context context, + krb5_enctype enctype) +{ + struct encryption_type *et = _find_enctype(enctype); + if(et == NULL) { + if (context) + krb5_set_error_string (context, "encryption type %d not supported", + enctype); + return KRB5_PROG_ETYPE_NOSUPP; + } + et->flags |= F_DISABLED; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_derived(krb5_context context, const void *str, size_t len, @@ -3586,7 +3821,7 @@ krb5_string_to_key_derived(krb5_context context, struct encryption_type *et = _find_enctype(etype); krb5_error_code ret; struct key_data kd; - size_t keylen = et->keytype->bits / 8; + size_t keylen; u_char *tmp; if(et == NULL) { @@ -3594,6 +3829,8 @@ krb5_string_to_key_derived(krb5_context context, etype); return KRB5_PROG_ETYPE_NOSUPP; } + keylen = et->keytype->bits / 8; + ALLOC(kd.key, 1); if(kd.key == NULL) { krb5_set_error_string (context, "malloc: out of memory"); @@ -3611,7 +3848,12 @@ krb5_string_to_key_derived(krb5_context context, krb5_set_error_string (context, "malloc: out of memory"); return ENOMEM; } - _krb5_n_fold(str, len, tmp, keylen); + ret = _krb5_n_fold(str, len, tmp, keylen); + if (ret) { + free(tmp); + krb5_set_error_string(context, "out of memory"); + return ret; + } kd.schedule = NULL; DES3_postproc (context, tmp, keylen, &kd); /* XXX */ memset(tmp, 0, keylen); @@ -3633,9 +3875,10 @@ wrapped_length (krb5_context context, { struct encryption_type *et = crypto->et; size_t padsize = et->padsize; + size_t checksumsize = CHECKSUMSIZE(et->checksum); size_t res; - res = et->confoundersize + et->checksum->checksumsize + data_len; + res = et->confoundersize + checksumsize + data_len; res = (res + padsize - 1) / padsize * padsize; return res; } @@ -3651,7 +3894,10 @@ wrapped_length_dervied (krb5_context context, res = et->confoundersize + data_len; res = (res + padsize - 1) / padsize * padsize; - res += et->checksum->checksumsize; + if (et->keyed_checksum) + res += et->keyed_checksum->checksumsize; + else + res += et->checksum->checksumsize; return res; } @@ -3670,12 +3916,185 @@ krb5_get_wrapped_length (krb5_context context, return wrapped_length (context, crypto, data_len); } +/* + * Return the size of an encrypted packet of length `data_len' + */ + +static size_t +crypto_overhead (krb5_context context, + krb5_crypto crypto) +{ + struct encryption_type *et = crypto->et; + size_t res; + + res = CHECKSUMSIZE(et->checksum); + res += et->confoundersize; + if (et->padsize > 1) + res += et->padsize; + return res; +} + +static size_t +crypto_overhead_dervied (krb5_context context, + krb5_crypto crypto) +{ + struct encryption_type *et = crypto->et; + size_t res; + + if (et->keyed_checksum) + res = CHECKSUMSIZE(et->keyed_checksum); + else + res = CHECKSUMSIZE(et->checksum); + res += et->confoundersize; + if (et->padsize > 1) + res += et->padsize; + return res; +} + +size_t +krb5_crypto_overhead (krb5_context context, krb5_crypto crypto) +{ + if (derived_crypto (context, crypto)) + return crypto_overhead_dervied (context, crypto); + else + return crypto_overhead (context, crypto); +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_random_to_key(krb5_context context, + krb5_enctype type, + const void *data, + size_t size, + krb5_keyblock *key) +{ + krb5_error_code ret; + struct encryption_type *et = _find_enctype(type); + if(et == NULL) { + krb5_set_error_string(context, "encryption type %d not supported", + type); + return KRB5_PROG_ETYPE_NOSUPP; + } + if ((et->keytype->bits + 7) / 8 > size) { + krb5_set_error_string(context, "encryption key %s needs %d bytes " + "of random to make an encryption key out of it", + et->name, (int)et->keytype->size); + return KRB5_PROG_ETYPE_NOSUPP; + } + ret = krb5_data_alloc(&key->keyvalue, et->keytype->size); + if(ret) + return ret; + key->keytype = type; + if (et->keytype->random_to_key) + (*et->keytype->random_to_key)(context, key, data, size); + else + memcpy(key->keyvalue.data, data, et->keytype->size); + + return 0; +} + +krb5_error_code +_krb5_pk_octetstring2key(krb5_context context, + krb5_enctype type, + const void *dhdata, + size_t dhsize, + const heim_octet_string *c_n, + const heim_octet_string *k_n, + krb5_keyblock *key) +{ + struct encryption_type *et = _find_enctype(type); + krb5_error_code ret; + size_t keylen, offset; + void *keydata; + unsigned char counter; + unsigned char shaoutput[20]; + + if(et == NULL) { + krb5_set_error_string(context, "encryption type %d not supported", + type); + return KRB5_PROG_ETYPE_NOSUPP; + } + keylen = (et->keytype->bits + 7) / 8; + + keydata = malloc(keylen); + if (keydata == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + + counter = 0; + offset = 0; + do { + SHA_CTX m; + + SHA1_Init(&m); + SHA1_Update(&m, &counter, 1); + SHA1_Update(&m, dhdata, dhsize); + if (c_n) + SHA1_Update(&m, c_n->data, c_n->length); + if (k_n) + SHA1_Update(&m, k_n->data, k_n->length); + SHA1_Final(shaoutput, &m); + + memcpy((unsigned char *)keydata + offset, + shaoutput, + min(keylen - offset, sizeof(shaoutput))); + + offset += sizeof(shaoutput); + counter++; + } while(offset < keylen); + memset(shaoutput, 0, sizeof(shaoutput)); + + ret = krb5_random_to_key(context, type, keydata, keylen, key); + memset(keydata, 0, sizeof(keylen)); + free(keydata); + return ret; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_prf_length(krb5_context context, + krb5_enctype type, + size_t *length) +{ + struct encryption_type *et = _find_enctype(type); + + if(et == NULL || et->prf_length == 0) { + krb5_set_error_string(context, "encryption type %d not supported", + type); + return KRB5_PROG_ETYPE_NOSUPP; + } + + *length = et->prf_length; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_prf(krb5_context context, + const krb5_crypto crypto, + const krb5_data *input, + krb5_data *output) +{ + struct encryption_type *et = crypto->et; + + krb5_data_zero(output); + + if(et->prf == NULL) { + krb5_set_error_string(context, "kerberos prf for %s not supported", + et->name); + return KRB5_PROG_ETYPE_NOSUPP; + } + + return (*et->prf)(context, crypto, input, output); +} + + + + #ifdef CRYPTO_DEBUG static krb5_error_code krb5_get_keyid(krb5_context context, krb5_keyblock *key, - u_int32_t *keyid) + uint32_t *keyid) { MD5_CTX md5; unsigned char tmp[16]; @@ -3689,16 +4108,16 @@ krb5_get_keyid(krb5_context context, static void krb5_crypto_debug(krb5_context context, - int encrypt, + int encryptp, size_t len, krb5_keyblock *key) { - u_int32_t keyid; + uint32_t keyid; char *kt; krb5_get_keyid(context, key, &keyid); krb5_enctype_to_string(context, key->keytype, &kt); krb5_warnx(context, "%s %lu bytes with key-id %#x (%s)", - encrypt ? "encrypting" : "decrypting", + encryptp ? "encrypting" : "decrypting", (unsigned long)len, keyid, kt); @@ -3735,7 +4154,7 @@ main() d = _new_derived_key(crypto, usage); if(d == NULL) - return ENOMEM; + krb5_errx(context, 1, "_new_derived_key failed"); krb5_copy_keyblock(context, crypto->key.key, &d->key); _krb5_put_int(constant, usage, 4); derive_key(context, crypto->et, d, constant, sizeof(constant)); @@ -3761,11 +4180,10 @@ main() "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"; */ key.keyvalue.length = 4; - d = calloc(1, sizeof(*d)); - + d = ecalloc(1, sizeof(*d)); d->key = &key; res.checksum.length = 20; - res.checksum.data = malloc(res.checksum.length); + res.checksum.data = emalloc(res.checksum.length); SP_HMAC_SHA1_checksum(context, d, data, 28, &res); return 0; diff --git a/crypto/heimdal/lib/krb5/data.c b/crypto/heimdal/lib/krb5/data.c index d2bfeb2090db..eda1a8b2598b 100644 --- a/crypto/heimdal/lib/krb5/data.c +++ b/crypto/heimdal/lib/krb5/data.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,30 +33,65 @@ #include "krb5_locl.h" -RCSID("$Id: data.c,v 1.17 2003/03/25 22:07:17 lha Exp $"); +RCSID("$Id: data.c 22064 2007-11-11 16:28:14Z lha $"); -void +/** + * Reset the (potentially uninitalized) krb5_data structure. + * + * @param p krb5_data to reset. + * + * @ingroup krb5 + */ + +void KRB5_LIB_FUNCTION krb5_data_zero(krb5_data *p) { p->length = 0; p->data = NULL; } -void +/** + * Free the content of krb5_data structure, its ok to free a zeroed + * structure. When done, the structure will be zeroed. + * + * @param p krb5_data to free. + * + * @ingroup krb5 + */ + +void KRB5_LIB_FUNCTION krb5_data_free(krb5_data *p) { if(p->data != NULL) free(p->data); - p->length = 0; + krb5_data_zero(p); } -void +/** + * Same as krb5_data_free(). + * + * @param context Kerberos 5 context. + * @param data krb5_data to free. + * + * @ingroup krb5 + */ + +void KRB5_LIB_FUNCTION krb5_free_data_contents(krb5_context context, krb5_data *data) { krb5_data_free(data); } -void +/** + * Free krb5_data (and its content). + * + * @param context Kerberos 5 context. + * @param p krb5_data to free. + * + * @ingroup krb5 + */ + +void KRB5_LIB_FUNCTION krb5_free_data(krb5_context context, krb5_data *p) { @@ -64,7 +99,19 @@ krb5_free_data(krb5_context context, free(p); } -krb5_error_code +/** + * Allocate data of and krb5_data. + * + * @param p krb5_data to free. + * @param len size to allocate. + * + * @return Returns 0 to indicate success. Otherwise an kerberos et + * error code is returned. + * + * @ingroup krb5 + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_data_alloc(krb5_data *p, int len) { p->data = malloc(len); @@ -74,7 +121,19 @@ krb5_data_alloc(krb5_data *p, int len) return 0; } -krb5_error_code +/** + * Grow (or shrink) the content of krb5_data to a new size. + * + * @param p krb5_data to free. + * @param len new size. + * + * @return Returns 0 to indicate success. Otherwise an kerberos et + * error code is returned. + * + * @ingroup krb5 + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_data_realloc(krb5_data *p, int len) { void *tmp; @@ -86,7 +145,20 @@ krb5_data_realloc(krb5_data *p, int len) return 0; } -krb5_error_code +/** + * Copy the data of len into the krb5_data. + * + * @param p krb5_data to copy into. + * @param data data to copy.. + * @param len new size. + * + * @return Returns 0 to indicate success. Otherwise an kerberos et + * error code is returned. + * + * @ingroup krb5 + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_data_copy(krb5_data *p, const void *data, size_t len) { if (len) { @@ -99,7 +171,20 @@ krb5_data_copy(krb5_data *p, const void *data, size_t len) return 0; } -krb5_error_code +/** + * Copy the data into a newly allocated krb5_data. + * + * @param context Kerberos 5 context. + * @param indata the krb5_data data to copy + * @param outdata new krb5_date to copy too. Free with krb5_free_data(). + * + * @return Returns 0 to indicate success. Otherwise an kerberos et + * error code is returned. + * + * @ingroup krb5 + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_data(krb5_context context, const krb5_data *indata, krb5_data **outdata) @@ -110,10 +195,30 @@ krb5_copy_data(krb5_context context, krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; } - ret = copy_octet_string(indata, *outdata); + ret = der_copy_octet_string(indata, *outdata); if(ret) { krb5_clear_error_string (context); free(*outdata); + *outdata = NULL; } return ret; } + +/** + * Compare to data. + * + * @param data1 krb5_data to compare + * @param data2 krb5_data to compare + * + * @return return the same way as memcmp(), useful when sorting. + * + * @ingroup krb5 + */ + +int KRB5_LIB_FUNCTION +krb5_data_cmp(const krb5_data *data1, const krb5_data *data2) +{ + if (data1->length != data2->length) + return data1->length - data2->length; + return memcmp(data1->data, data2->data, data1->length); +} diff --git a/crypto/heimdal/lib/krb5/derived-key-test.c b/crypto/heimdal/lib/krb5/derived-key-test.c index 0a47dd3f2576..debadb8bb956 100644 --- a/crypto/heimdal/lib/krb5/derived-key-test.c +++ b/crypto/heimdal/lib/krb5/derived-key-test.c @@ -31,8 +31,9 @@ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "krb5_locl.h" +#include <err.h> -RCSID("$Id: derived-key-test.c,v 1.1 2001/03/12 07:44:52 assar Exp $"); +RCSID("$Id: derived-key-test.c 16342 2005-12-02 14:14:43Z lha $"); enum { MAXSIZE = 24 }; @@ -76,7 +77,7 @@ static struct testcase { {0} }; -int +int KRB5_LIB_FUNCTION main(int argc, char **argv) { struct testcase *t; @@ -114,6 +115,9 @@ main(int argc, char **argv) printf ("\n"); val = 1; } + krb5_free_keyblock(context, dkey); } + krb5_free_context(context); + return val; } diff --git a/crypto/heimdal/lib/krb5/digest.c b/crypto/heimdal/lib/krb5/digest.c new file mode 100644 index 000000000000..6e612ed6bbb0 --- /dev/null +++ b/crypto/heimdal/lib/krb5/digest.c @@ -0,0 +1,1199 @@ +/* + * Copyright (c) 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5_locl.h" +RCSID("$Id: digest.c 22156 2007-12-04 20:02:49Z lha $"); +#include "digest_asn1.h" + +struct krb5_digest_data { + char *cbtype; + char *cbbinding; + + DigestInit init; + DigestInitReply initReply; + DigestRequest request; + DigestResponse response; +}; + +krb5_error_code +krb5_digest_alloc(krb5_context context, krb5_digest *digest) +{ + krb5_digest d; + + d = calloc(1, sizeof(*d)); + if (d == NULL) { + *digest = NULL; + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + *digest = d; + + return 0; +} + +void +krb5_digest_free(krb5_digest digest) +{ + if (digest == NULL) + return; + free_DigestInit(&digest->init); + free_DigestInitReply(&digest->initReply); + free_DigestRequest(&digest->request); + free_DigestResponse(&digest->response); + memset(digest, 0, sizeof(*digest)); + free(digest); + return; +} + +krb5_error_code +krb5_digest_set_server_cb(krb5_context context, + krb5_digest digest, + const char *type, + const char *binding) +{ + if (digest->init.channel) { + krb5_set_error_string(context, "server channel binding already set"); + return EINVAL; + } + digest->init.channel = calloc(1, sizeof(*digest->init.channel)); + if (digest->init.channel == NULL) + goto error; + + digest->init.channel->cb_type = strdup(type); + if (digest->init.channel->cb_type == NULL) + goto error; + + digest->init.channel->cb_binding = strdup(binding); + if (digest->init.channel->cb_binding == NULL) + goto error; + return 0; +error: + if (digest->init.channel) { + free(digest->init.channel->cb_type); + free(digest->init.channel->cb_binding); + free(digest->init.channel); + digest->init.channel = NULL; + } + krb5_set_error_string(context, "out of memory"); + return ENOMEM; +} + +krb5_error_code +krb5_digest_set_type(krb5_context context, + krb5_digest digest, + const char *type) +{ + if (digest->init.type) { + krb5_set_error_string(context, "client type already set"); + return EINVAL; + } + digest->init.type = strdup(type); + if (digest->init.type == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + return 0; +} + +krb5_error_code +krb5_digest_set_hostname(krb5_context context, + krb5_digest digest, + const char *hostname) +{ + if (digest->init.hostname) { + krb5_set_error_string(context, "server hostname already set"); + return EINVAL; + } + digest->init.hostname = malloc(sizeof(*digest->init.hostname)); + if (digest->init.hostname == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + *digest->init.hostname = strdup(hostname); + if (*digest->init.hostname == NULL) { + krb5_set_error_string(context, "out of memory"); + free(digest->init.hostname); + digest->init.hostname = NULL; + return ENOMEM; + } + return 0; +} + +const char * +krb5_digest_get_server_nonce(krb5_context context, + krb5_digest digest) +{ + return digest->initReply.nonce; +} + +krb5_error_code +krb5_digest_set_server_nonce(krb5_context context, + krb5_digest digest, + const char *nonce) +{ + if (digest->request.serverNonce) { + krb5_set_error_string(context, "nonce already set"); + return EINVAL; + } + digest->request.serverNonce = strdup(nonce); + if (digest->request.serverNonce == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + return 0; +} + +const char * +krb5_digest_get_opaque(krb5_context context, + krb5_digest digest) +{ + return digest->initReply.opaque; +} + +krb5_error_code +krb5_digest_set_opaque(krb5_context context, + krb5_digest digest, + const char *opaque) +{ + if (digest->request.opaque) { + krb5_set_error_string(context, "opaque already set"); + return EINVAL; + } + digest->request.opaque = strdup(opaque); + if (digest->request.opaque == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + return 0; +} + +const char * +krb5_digest_get_identifier(krb5_context context, + krb5_digest digest) +{ + if (digest->initReply.identifier == NULL) + return NULL; + return *digest->initReply.identifier; +} + +krb5_error_code +krb5_digest_set_identifier(krb5_context context, + krb5_digest digest, + const char *id) +{ + if (digest->request.identifier) { + krb5_set_error_string(context, "identifier already set"); + return EINVAL; + } + digest->request.identifier = calloc(1, sizeof(*digest->request.identifier)); + if (digest->request.identifier == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + *digest->request.identifier = strdup(id); + if (*digest->request.identifier == NULL) { + krb5_set_error_string(context, "out of memory"); + free(digest->request.identifier); + digest->request.identifier = NULL; + return ENOMEM; + } + return 0; +} + +static krb5_error_code +digest_request(krb5_context context, + krb5_realm realm, + krb5_ccache ccache, + krb5_key_usage usage, + const DigestReqInner *ireq, + DigestRepInner *irep) +{ + DigestREQ req; + DigestREP rep; + krb5_error_code ret; + krb5_data data, data2; + size_t size; + krb5_crypto crypto = NULL; + krb5_auth_context ac = NULL; + krb5_principal principal = NULL; + krb5_ccache id = NULL; + krb5_realm r = NULL; + + krb5_data_zero(&data); + krb5_data_zero(&data2); + memset(&req, 0, sizeof(req)); + memset(&rep, 0, sizeof(rep)); + + if (ccache == NULL) { + ret = krb5_cc_default(context, &id); + if (ret) + goto out; + } else + id = ccache; + + if (realm == NULL) { + ret = krb5_get_default_realm(context, &r); + if (ret) + goto out; + } else + r = realm; + + /* + * + */ + + ret = krb5_make_principal(context, &principal, + r, KRB5_DIGEST_NAME, r, NULL); + if (ret) + goto out; + + ASN1_MALLOC_ENCODE(DigestReqInner, data.data, data.length, + ireq, &size, ret); + if (ret) { + krb5_set_error_string(context, + "Failed to encode digest inner request"); + goto out; + } + if (size != data.length) + krb5_abortx(context, "ASN.1 internal encoder error"); + + ret = krb5_mk_req_exact(context, &ac, + AP_OPTS_USE_SUBKEY|AP_OPTS_MUTUAL_REQUIRED, + principal, NULL, id, &req.apReq); + if (ret) + goto out; + + { + krb5_keyblock *key; + + ret = krb5_auth_con_getlocalsubkey(context, ac, &key); + if (ret) + goto out; + if (key == NULL) { + krb5_set_error_string(context, "Digest failed to get local subkey"); + ret = EINVAL; + goto out; + } + + ret = krb5_crypto_init(context, key, 0, &crypto); + krb5_free_keyblock (context, key); + if (ret) + goto out; + } + + ret = krb5_encrypt_EncryptedData(context, crypto, usage, + data.data, data.length, 0, + &req.innerReq); + if (ret) + goto out; + + krb5_data_free(&data); + + ASN1_MALLOC_ENCODE(DigestREQ, data.data, data.length, + &req, &size, ret); + if (ret) { + krb5_set_error_string(context, "Failed to encode DigestREQest"); + goto out; + } + if (size != data.length) + krb5_abortx(context, "ASN.1 internal encoder error"); + + ret = krb5_sendto_kdc(context, &data, &r, &data2); + if (ret) + goto out; + + ret = decode_DigestREP(data2.data, data2.length, &rep, NULL); + if (ret) { + krb5_set_error_string(context, "Failed to parse digest response"); + goto out; + } + + { + krb5_ap_rep_enc_part *repl; + + ret = krb5_rd_rep(context, ac, &rep.apRep, &repl); + if (ret) + goto out; + + krb5_free_ap_rep_enc_part(context, repl); + } + { + krb5_keyblock *key; + + ret = krb5_auth_con_getremotesubkey(context, ac, &key); + if (ret) + goto out; + if (key == NULL) { + ret = EINVAL; + krb5_set_error_string(context, + "Digest reply have no remote subkey"); + goto out; + } + + krb5_crypto_destroy(context, crypto); + ret = krb5_crypto_init(context, key, 0, &crypto); + krb5_free_keyblock (context, key); + if (ret) + goto out; + } + + krb5_data_free(&data); + ret = krb5_decrypt_EncryptedData(context, crypto, usage, + &rep.innerRep, &data); + if (ret) + goto out; + + ret = decode_DigestRepInner(data.data, data.length, irep, NULL); + if (ret) { + krb5_set_error_string(context, "Failed to decode digest inner reply"); + goto out; + } + +out: + if (ccache == NULL && id) + krb5_cc_close(context, id); + if (realm == NULL && r) + free(r); + if (crypto) + krb5_crypto_destroy(context, crypto); + if (ac) + krb5_auth_con_free(context, ac); + if (principal) + krb5_free_principal(context, principal); + + krb5_data_free(&data); + krb5_data_free(&data2); + + free_DigestREQ(&req); + free_DigestREP(&rep); + + return ret; +} + +krb5_error_code +krb5_digest_init_request(krb5_context context, + krb5_digest digest, + krb5_realm realm, + krb5_ccache ccache) +{ + DigestReqInner ireq; + DigestRepInner irep; + krb5_error_code ret; + + memset(&ireq, 0, sizeof(ireq)); + memset(&irep, 0, sizeof(irep)); + + if (digest->init.type == NULL) { + krb5_set_error_string(context, "Type missing from init req"); + return EINVAL; + } + + ireq.element = choice_DigestReqInner_init; + ireq.u.init = digest->init; + + ret = digest_request(context, realm, ccache, + KRB5_KU_DIGEST_ENCRYPT, &ireq, &irep); + if (ret) + goto out; + + if (irep.element == choice_DigestRepInner_error) { + krb5_set_error_string(context, "Digest init error: %s", + irep.u.error.reason); + ret = irep.u.error.code; + goto out; + } + + if (irep.element != choice_DigestRepInner_initReply) { + krb5_set_error_string(context, "digest reply not an initReply"); + ret = EINVAL; + goto out; + } + + ret = copy_DigestInitReply(&irep.u.initReply, &digest->initReply); + if (ret) { + krb5_set_error_string(context, "Failed to copy initReply"); + goto out; + } + +out: + free_DigestRepInner(&irep); + + return ret; +} + + +krb5_error_code +krb5_digest_set_client_nonce(krb5_context context, + krb5_digest digest, + const char *nonce) +{ + if (digest->request.clientNonce) { + krb5_set_error_string(context, "clientNonce already set"); + return EINVAL; + } + digest->request.clientNonce = + calloc(1, sizeof(*digest->request.clientNonce)); + if (digest->request.clientNonce == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + *digest->request.clientNonce = strdup(nonce); + if (*digest->request.clientNonce == NULL) { + krb5_set_error_string(context, "out of memory"); + free(digest->request.clientNonce); + digest->request.clientNonce = NULL; + return ENOMEM; + } + return 0; +} + +krb5_error_code +krb5_digest_set_digest(krb5_context context, + krb5_digest digest, + const char *dgst) +{ + if (digest->request.digest) { + krb5_set_error_string(context, "digest already set"); + return EINVAL; + } + digest->request.digest = strdup(dgst); + if (digest->request.digest == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + return 0; +} + +krb5_error_code +krb5_digest_set_username(krb5_context context, + krb5_digest digest, + const char *username) +{ + if (digest->request.username) { + krb5_set_error_string(context, "username already set"); + return EINVAL; + } + digest->request.username = strdup(username); + if (digest->request.username == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + return 0; +} + +krb5_error_code +krb5_digest_set_authid(krb5_context context, + krb5_digest digest, + const char *authid) +{ + if (digest->request.authid) { + krb5_set_error_string(context, "authid already set"); + return EINVAL; + } + digest->request.authid = malloc(sizeof(*digest->request.authid)); + if (digest->request.authid == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + *digest->request.authid = strdup(authid); + if (*digest->request.authid == NULL) { + krb5_set_error_string(context, "out of memory"); + free(digest->request.authid); + digest->request.authid = NULL; + return ENOMEM; + } + return 0; +} + +krb5_error_code +krb5_digest_set_authentication_user(krb5_context context, + krb5_digest digest, + krb5_principal authentication_user) +{ + krb5_error_code ret; + + if (digest->request.authentication_user) { + krb5_set_error_string(context, "authentication_user already set"); + return EINVAL; + } + ret = krb5_copy_principal(context, + authentication_user, + &digest->request.authentication_user); + if (digest->request.authentication_user == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + return 0; +} + +krb5_error_code +krb5_digest_set_realm(krb5_context context, + krb5_digest digest, + const char *realm) +{ + if (digest->request.realm) { + krb5_set_error_string(context, "realm already set"); + return EINVAL; + } + digest->request.realm = malloc(sizeof(*digest->request.realm)); + if (digest->request.realm == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + *digest->request.realm = strdup(realm); + if (*digest->request.realm == NULL) { + krb5_set_error_string(context, "out of memory"); + free(digest->request.realm); + digest->request.realm = NULL; + return ENOMEM; + } + return 0; +} + +krb5_error_code +krb5_digest_set_method(krb5_context context, + krb5_digest digest, + const char *method) +{ + if (digest->request.method) { + krb5_set_error_string(context, "method already set"); + return EINVAL; + } + digest->request.method = malloc(sizeof(*digest->request.method)); + if (digest->request.method == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + *digest->request.method = strdup(method); + if (*digest->request.method == NULL) { + krb5_set_error_string(context, "out of memory"); + free(digest->request.method); + digest->request.method = NULL; + return ENOMEM; + } + return 0; +} + +krb5_error_code +krb5_digest_set_uri(krb5_context context, + krb5_digest digest, + const char *uri) +{ + if (digest->request.uri) { + krb5_set_error_string(context, "uri already set"); + return EINVAL; + } + digest->request.uri = malloc(sizeof(*digest->request.uri)); + if (digest->request.uri == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + *digest->request.uri = strdup(uri); + if (*digest->request.uri == NULL) { + krb5_set_error_string(context, "out of memory"); + free(digest->request.uri); + digest->request.uri = NULL; + return ENOMEM; + } + return 0; +} + +krb5_error_code +krb5_digest_set_nonceCount(krb5_context context, + krb5_digest digest, + const char *nonce_count) +{ + if (digest->request.nonceCount) { + krb5_set_error_string(context, "nonceCount already set"); + return EINVAL; + } + digest->request.nonceCount = + malloc(sizeof(*digest->request.nonceCount)); + if (digest->request.nonceCount == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + *digest->request.nonceCount = strdup(nonce_count); + if (*digest->request.nonceCount == NULL) { + krb5_set_error_string(context, "out of memory"); + free(digest->request.nonceCount); + digest->request.nonceCount = NULL; + return ENOMEM; + } + return 0; +} + +krb5_error_code +krb5_digest_set_qop(krb5_context context, + krb5_digest digest, + const char *qop) +{ + if (digest->request.qop) { + krb5_set_error_string(context, "qop already set"); + return EINVAL; + } + digest->request.qop = malloc(sizeof(*digest->request.qop)); + if (digest->request.qop == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + *digest->request.qop = strdup(qop); + if (*digest->request.qop == NULL) { + krb5_set_error_string(context, "out of memory"); + free(digest->request.qop); + digest->request.qop = NULL; + return ENOMEM; + } + return 0; +} + +int +krb5_digest_set_responseData(krb5_context context, + krb5_digest digest, + const char *response) +{ + digest->request.responseData = strdup(response); + if (digest->request.responseData == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + return 0; +} + +krb5_error_code +krb5_digest_request(krb5_context context, + krb5_digest digest, + krb5_realm realm, + krb5_ccache ccache) +{ + DigestReqInner ireq; + DigestRepInner irep; + krb5_error_code ret; + + memset(&ireq, 0, sizeof(ireq)); + memset(&irep, 0, sizeof(irep)); + + ireq.element = choice_DigestReqInner_digestRequest; + ireq.u.digestRequest = digest->request; + + if (digest->request.type == NULL) { + if (digest->init.type == NULL) { + krb5_set_error_string(context, "Type missing from req"); + return EINVAL; + } + ireq.u.digestRequest.type = digest->init.type; + } + + if (ireq.u.digestRequest.digest == NULL) + ireq.u.digestRequest.digest = "md5"; + + ret = digest_request(context, realm, ccache, + KRB5_KU_DIGEST_ENCRYPT, &ireq, &irep); + if (ret) + return ret; + + if (irep.element == choice_DigestRepInner_error) { + krb5_set_error_string(context, "Digest response error: %s", + irep.u.error.reason); + ret = irep.u.error.code; + goto out; + } + + if (irep.element != choice_DigestRepInner_response) { + krb5_set_error_string(context, "digest reply not an DigestResponse"); + ret = EINVAL; + goto out; + } + + ret = copy_DigestResponse(&irep.u.response, &digest->response); + if (ret) { + krb5_set_error_string(context, "Failed to copy initReply"); + goto out; + } + +out: + free_DigestRepInner(&irep); + + return ret; +} + +krb5_boolean +krb5_digest_rep_get_status(krb5_context context, + krb5_digest digest) +{ + return digest->response.success ? TRUE : FALSE; +} + +const char * +krb5_digest_get_rsp(krb5_context context, + krb5_digest digest) +{ + if (digest->response.rsp == NULL) + return NULL; + return *digest->response.rsp; +} + +krb5_error_code +krb5_digest_get_tickets(krb5_context context, + krb5_digest digest, + Ticket **tickets) +{ + *tickets = NULL; + return 0; +} + + +krb5_error_code +krb5_digest_get_client_binding(krb5_context context, + krb5_digest digest, + char **type, + char **binding) +{ + if (digest->response.channel) { + *type = strdup(digest->response.channel->cb_type); + *binding = strdup(digest->response.channel->cb_binding); + if (*type == NULL || *binding == NULL) { + free(*type); + free(*binding); + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + } else { + *type = NULL; + *binding = NULL; + } + return 0; +} + +krb5_error_code +krb5_digest_get_session_key(krb5_context context, + krb5_digest digest, + krb5_data *data) +{ + krb5_error_code ret; + + krb5_data_zero(data); + if (digest->response.session_key == NULL) + return 0; + ret = der_copy_octet_string(digest->response.session_key, data); + if (ret) + krb5_clear_error_string(context); + + return ret; +} + +struct krb5_ntlm_data { + NTLMInit init; + NTLMInitReply initReply; + NTLMRequest request; + NTLMResponse response; +}; + +krb5_error_code +krb5_ntlm_alloc(krb5_context context, + krb5_ntlm *ntlm) +{ + *ntlm = calloc(1, sizeof(**ntlm)); + if (*ntlm == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + return 0; +} + +krb5_error_code +krb5_ntlm_free(krb5_context context, krb5_ntlm ntlm) +{ + free_NTLMInit(&ntlm->init); + free_NTLMInitReply(&ntlm->initReply); + free_NTLMRequest(&ntlm->request); + free_NTLMResponse(&ntlm->response); + memset(ntlm, 0, sizeof(*ntlm)); + free(ntlm); + return 0; +} + + +krb5_error_code +krb5_ntlm_init_request(krb5_context context, + krb5_ntlm ntlm, + krb5_realm realm, + krb5_ccache ccache, + uint32_t flags, + const char *hostname, + const char *domainname) +{ + DigestReqInner ireq; + DigestRepInner irep; + krb5_error_code ret; + + memset(&ireq, 0, sizeof(ireq)); + memset(&irep, 0, sizeof(irep)); + + ntlm->init.flags = flags; + if (hostname) { + ALLOC(ntlm->init.hostname, 1); + *ntlm->init.hostname = strdup(hostname); + } + if (domainname) { + ALLOC(ntlm->init.domain, 1); + *ntlm->init.domain = strdup(domainname); + } + + ireq.element = choice_DigestReqInner_ntlmInit; + ireq.u.ntlmInit = ntlm->init; + + ret = digest_request(context, realm, ccache, + KRB5_KU_DIGEST_ENCRYPT, &ireq, &irep); + if (ret) + goto out; + + if (irep.element == choice_DigestRepInner_error) { + krb5_set_error_string(context, "Digest init error: %s", + irep.u.error.reason); + ret = irep.u.error.code; + goto out; + } + + if (irep.element != choice_DigestRepInner_ntlmInitReply) { + krb5_set_error_string(context, "ntlm reply not an initReply"); + ret = EINVAL; + goto out; + } + + ret = copy_NTLMInitReply(&irep.u.ntlmInitReply, &ntlm->initReply); + if (ret) { + krb5_set_error_string(context, "Failed to copy initReply"); + goto out; + } + +out: + free_DigestRepInner(&irep); + + return ret; +} + +krb5_error_code +krb5_ntlm_init_get_flags(krb5_context context, + krb5_ntlm ntlm, + uint32_t *flags) +{ + *flags = ntlm->initReply.flags; + return 0; +} + +krb5_error_code +krb5_ntlm_init_get_challange(krb5_context context, + krb5_ntlm ntlm, + krb5_data *challange) +{ + krb5_error_code ret; + + ret = der_copy_octet_string(&ntlm->initReply.challange, challange); + if (ret) + krb5_clear_error_string(context); + + return ret; +} + +krb5_error_code +krb5_ntlm_init_get_opaque(krb5_context context, + krb5_ntlm ntlm, + krb5_data *opaque) +{ + krb5_error_code ret; + + ret = der_copy_octet_string(&ntlm->initReply.opaque, opaque); + if (ret) + krb5_clear_error_string(context); + + return ret; +} + +krb5_error_code +krb5_ntlm_init_get_targetname(krb5_context context, + krb5_ntlm ntlm, + char **name) +{ + *name = strdup(ntlm->initReply.targetname); + if (*name == NULL) { + krb5_clear_error_string(context); + return ENOMEM; + } + return 0; +} + +krb5_error_code +krb5_ntlm_init_get_targetinfo(krb5_context context, + krb5_ntlm ntlm, + krb5_data *data) +{ + krb5_error_code ret; + + if (ntlm->initReply.targetinfo == NULL) { + krb5_data_zero(data); + return 0; + } + + ret = krb5_data_copy(data, + ntlm->initReply.targetinfo->data, + ntlm->initReply.targetinfo->length); + if (ret) { + krb5_clear_error_string(context); + return ret; + } + return 0; +} + + +krb5_error_code +krb5_ntlm_request(krb5_context context, + krb5_ntlm ntlm, + krb5_realm realm, + krb5_ccache ccache) +{ + DigestReqInner ireq; + DigestRepInner irep; + krb5_error_code ret; + + memset(&ireq, 0, sizeof(ireq)); + memset(&irep, 0, sizeof(irep)); + + ireq.element = choice_DigestReqInner_ntlmRequest; + ireq.u.ntlmRequest = ntlm->request; + + ret = digest_request(context, realm, ccache, + KRB5_KU_DIGEST_ENCRYPT, &ireq, &irep); + if (ret) + return ret; + + if (irep.element == choice_DigestRepInner_error) { + krb5_set_error_string(context, "NTLM response error: %s", + irep.u.error.reason); + ret = irep.u.error.code; + goto out; + } + + if (irep.element != choice_DigestRepInner_ntlmResponse) { + krb5_set_error_string(context, "NTLM reply not an NTLMResponse"); + ret = EINVAL; + goto out; + } + + ret = copy_NTLMResponse(&irep.u.ntlmResponse, &ntlm->response); + if (ret) { + krb5_set_error_string(context, "Failed to copy NTLMResponse"); + goto out; + } + +out: + free_DigestRepInner(&irep); + + return ret; +} + +krb5_error_code +krb5_ntlm_req_set_flags(krb5_context context, + krb5_ntlm ntlm, + uint32_t flags) +{ + ntlm->request.flags = flags; + return 0; +} + +krb5_error_code +krb5_ntlm_req_set_username(krb5_context context, + krb5_ntlm ntlm, + const char *username) +{ + ntlm->request.username = strdup(username); + if (ntlm->request.username == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + return 0; +} + +krb5_error_code +krb5_ntlm_req_set_targetname(krb5_context context, + krb5_ntlm ntlm, + const char *targetname) +{ + ntlm->request.targetname = strdup(targetname); + if (ntlm->request.targetname == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + return 0; +} + +krb5_error_code +krb5_ntlm_req_set_lm(krb5_context context, + krb5_ntlm ntlm, + void *hash, size_t len) +{ + ntlm->request.lm.data = malloc(len); + if (ntlm->request.lm.data == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + ntlm->request.lm.length = len; + memcpy(ntlm->request.lm.data, hash, len); + return 0; +} + +krb5_error_code +krb5_ntlm_req_set_ntlm(krb5_context context, + krb5_ntlm ntlm, + void *hash, size_t len) +{ + ntlm->request.ntlm.data = malloc(len); + if (ntlm->request.ntlm.data == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + ntlm->request.ntlm.length = len; + memcpy(ntlm->request.ntlm.data, hash, len); + return 0; +} + +krb5_error_code +krb5_ntlm_req_set_opaque(krb5_context context, + krb5_ntlm ntlm, + krb5_data *opaque) +{ + ntlm->request.opaque.data = malloc(opaque->length); + if (ntlm->request.opaque.data == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + ntlm->request.opaque.length = opaque->length; + memcpy(ntlm->request.opaque.data, opaque->data, opaque->length); + return 0; +} + +krb5_error_code +krb5_ntlm_req_set_session(krb5_context context, + krb5_ntlm ntlm, + void *sessionkey, size_t length) +{ + ntlm->request.sessionkey = calloc(1, sizeof(*ntlm->request.sessionkey)); + if (ntlm->request.sessionkey == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + ntlm->request.sessionkey->data = malloc(length); + if (ntlm->request.sessionkey->data == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + memcpy(ntlm->request.sessionkey->data, sessionkey, length); + ntlm->request.sessionkey->length = length; + return 0; +} + +krb5_boolean +krb5_ntlm_rep_get_status(krb5_context context, + krb5_ntlm ntlm) +{ + return ntlm->response.success ? TRUE : FALSE; +} + +krb5_error_code +krb5_ntlm_rep_get_sessionkey(krb5_context context, + krb5_ntlm ntlm, + krb5_data *data) +{ + if (ntlm->response.sessionkey == NULL) { + krb5_set_error_string(context, "no ntlm session key"); + return EINVAL; + } + krb5_clear_error_string(context); + return krb5_data_copy(data, + ntlm->response.sessionkey->data, + ntlm->response.sessionkey->length); +} + +/** + * Get the supported/allowed mechanism for this principal. + * + * @param context A Keberos context. + * @param realm The realm of the KDC. + * @param ccache The credential cache to use when talking to the KDC. + * @param flags The supported mechanism. + * + * @return Return an error code or 0. + * + * @ingroup krb5_digest + */ + +krb5_error_code +krb5_digest_probe(krb5_context context, + krb5_realm realm, + krb5_ccache ccache, + unsigned *flags) +{ + DigestReqInner ireq; + DigestRepInner irep; + krb5_error_code ret; + + memset(&ireq, 0, sizeof(ireq)); + memset(&irep, 0, sizeof(irep)); + + ireq.element = choice_DigestReqInner_supportedMechs; + + ret = digest_request(context, realm, ccache, + KRB5_KU_DIGEST_ENCRYPT, &ireq, &irep); + if (ret) + goto out; + + if (irep.element == choice_DigestRepInner_error) { + krb5_set_error_string(context, "Digest probe error: %s", + irep.u.error.reason); + ret = irep.u.error.code; + goto out; + } + + if (irep.element != choice_DigestRepInner_supportedMechs) { + krb5_set_error_string(context, "Digest reply not an probe"); + ret = EINVAL; + goto out; + } + + *flags = DigestTypes2int(irep.u.supportedMechs); + +out: + free_DigestRepInner(&irep); + + return ret; +} diff --git a/crypto/heimdal/lib/krb5/doxygen.c b/crypto/heimdal/lib/krb5/doxygen.c new file mode 100644 index 000000000000..b7c6f8fcfdd0 --- /dev/null +++ b/crypto/heimdal/lib/krb5/doxygen.c @@ -0,0 +1,67 @@ +/* + * Copyright (c) 2007 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5_locl.h" +RCSID("$Id$"); + +/** + * + */ + +/*! \mainpage Heimdal Kerberos 5 library + * + * \section intro Introduction + * + * Heimdal libkrb5 library is a implementation of the Kerberos + * protocol. + * + * Kerberos is a system for authenticating users and services on a + * network. It is built upon the assumption that the network is + * ``unsafe''. For example, data sent over the network can be + * eavesdropped and altered, and addresses can also be faked. + * Therefore they cannot be used for authentication purposes. + * + * The project web page:\n + * http://www.h5l.org/ + * + */ + +/** @defgroup krb5 Heimdal Kerberos 5 library */ +/** @defgroup krb5_address Heimdal Kerberos 5 address functions */ +/** @defgroup krb5_ccache Heimdal Kerberos 5 credential cache functions */ +/** @defgroup krb5_credential Heimdal Kerberos 5 credential handing functions */ +/** @defgroup krb5_deprecated Heimdal Kerberos 5 deprecated functions */ +/** @defgroup krb5_digest Heimdal Kerberos 5 digest service */ +/** @defgroup krb5_error Heimdal Kerberos 5 error reporting functions */ +/** @defgroup krb5_v4compat Heimdal Kerberos 4 compatiblity functions */ +/** @defgroup krb5_support Heimdal Kerberos 5 support functions */ diff --git a/crypto/heimdal/lib/krb5/eai_to_heim_errno.c b/crypto/heimdal/lib/krb5/eai_to_heim_errno.c index b30640f72dbc..19315cea8678 100644 --- a/crypto/heimdal/lib/krb5/eai_to_heim_errno.c +++ b/crypto/heimdal/lib/krb5/eai_to_heim_errno.c @@ -33,15 +33,20 @@ #include <krb5_locl.h> -RCSID("$Id: eai_to_heim_errno.c,v 1.3.8.1 2004/02/13 16:15:16 lha Exp $"); +RCSID("$Id: eai_to_heim_errno.c 22065 2007-11-11 16:41:06Z lha $"); -/* - * convert the getaddrinfo error code in `eai_errno' into a - * krb5_error_code. `system_error' should have the value of the errno - * after the failed call. +/** + * Convert the getaddrinfo() error code to a Kerberos et error code. + * + * @param eai_errno contains the error code from getaddrinfo(). + * @param system_error should have the value of errno after the failed getaddrinfo(). + * + * @return Kerberos error code representing the EAI errors. + * + * @ingroup krb5_error */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_eai_to_heim_errno(int eai_errno, int system_error) { switch(eai_errno) { @@ -78,7 +83,18 @@ krb5_eai_to_heim_errno(int eai_errno, int system_error) } } -krb5_error_code +/** + * Convert the gethostname() error code (h_error) to a Kerberos et + * error code. + * + * @param eai_errno contains the error code from gethostname(). + * + * @return Kerberos error code representing the gethostname errors. + * + * @ingroup krb5_error + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_h_errno_to_heim_errno(int eai_errno) { switch(eai_errno) { diff --git a/crypto/heimdal/lib/krb5/error_string.c b/crypto/heimdal/lib/krb5/error_string.c index bf734481c176..ff6e98a3dcaf 100644 --- a/crypto/heimdal/lib/krb5/error_string.c +++ b/crypto/heimdal/lib/krb5/error_string.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2001 Kungliga Tekniska Högskolan + * Copyright (c) 2001, 2003, 2005 - 2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,28 +33,32 @@ #include "krb5_locl.h" -RCSID("$Id: error_string.c,v 1.1 2001/05/06 23:07:22 assar Exp $"); +RCSID("$Id: error_string.c 22142 2007-12-04 16:56:02Z lha $"); #undef __attribute__ #define __attribute__(X) -void +void KRB5_LIB_FUNCTION krb5_free_error_string(krb5_context context, char *str) { + HEIMDAL_MUTEX_lock(context->mutex); if (str != context->error_buf) free(str); + HEIMDAL_MUTEX_unlock(context->mutex); } -void +void KRB5_LIB_FUNCTION krb5_clear_error_string(krb5_context context) { + HEIMDAL_MUTEX_lock(context->mutex); if (context->error_string != NULL && context->error_string != context->error_buf) free(context->error_string); context->error_string = NULL; + HEIMDAL_MUTEX_unlock(context->mutex); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_error_string(krb5_context context, const char *fmt, ...) __attribute__((format (printf, 2, 3))) { @@ -67,29 +71,85 @@ krb5_set_error_string(krb5_context context, const char *fmt, ...) return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vset_error_string(krb5_context context, const char *fmt, va_list args) __attribute__ ((format (printf, 2, 0))) { krb5_clear_error_string(context); + HEIMDAL_MUTEX_lock(context->mutex); vasprintf(&context->error_string, fmt, args); if(context->error_string == NULL) { vsnprintf (context->error_buf, sizeof(context->error_buf), fmt, args); context->error_string = context->error_buf; } + HEIMDAL_MUTEX_unlock(context->mutex); return 0; } -char* +/** + * Return the error message in context. On error or no error string, + * the function returns NULL. + * + * @param context Kerberos 5 context + * + * @return an error string, needs to be freed with + * krb5_free_error_string(). The functions return NULL on error. + * + * @ingroup krb5_error + */ + +char * KRB5_LIB_FUNCTION krb5_get_error_string(krb5_context context) { - char *ret = context->error_string; - context->error_string = NULL; + char *ret = NULL; + + HEIMDAL_MUTEX_lock(context->mutex); + if (context->error_string) + ret = strdup(context->error_string); + HEIMDAL_MUTEX_unlock(context->mutex); return ret; } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_have_error_string(krb5_context context) { - return context->error_string != NULL; + char *str; + HEIMDAL_MUTEX_lock(context->mutex); + str = context->error_string; + HEIMDAL_MUTEX_unlock(context->mutex); + return str != NULL; +} + +/** + * Return the error message for `code' in context. On error the + * function returns NULL. + * + * @param context Kerberos 5 context + * @param code Error code related to the error + * + * @return an error string, needs to be freed with + * krb5_free_error_string(). The functions return NULL on error. + * + * @ingroup krb5_error + */ + +char * KRB5_LIB_FUNCTION +krb5_get_error_message(krb5_context context, krb5_error_code code) +{ + const char *cstr; + char *str; + + str = krb5_get_error_string(context); + if (str) + return str; + + cstr = krb5_get_err_text(context, code); + if (cstr) + return strdup(cstr); + + if (asprintf(&str, "<unknown error: %d>", code) == -1) + return NULL; + + return str; } + diff --git a/crypto/heimdal/lib/krb5/expand_hostname.c b/crypto/heimdal/lib/krb5/expand_hostname.c index 7ed2dd53f159..28e39afb42f7 100644 --- a/crypto/heimdal/lib/krb5/expand_hostname.c +++ b/crypto/heimdal/lib/krb5/expand_hostname.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: expand_hostname.c,v 1.11 2001/09/18 09:35:47 joda Exp $"); +RCSID("$Id: expand_hostname.c 22229 2007-12-08 21:40:59Z lha $"); static krb5_error_code copy_hostname(krb5_context context, @@ -54,7 +54,7 @@ copy_hostname(krb5_context context, * allocated space returned in `new_hostname'. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_expand_hostname (krb5_context context, const char *orig_hostname, char **new_hostname) @@ -62,6 +62,9 @@ krb5_expand_hostname (krb5_context context, struct addrinfo *ai, *a, hints; int error; + if ((context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) == 0) + return copy_hostname (context, orig_hostname, new_hostname); + memset (&hints, 0, sizeof(hints)); hints.ai_flags = AI_CANONNAME; @@ -114,7 +117,7 @@ vanilla_hostname (krb5_context context, * allocated space in `host' and return realms in `realms'. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_expand_hostname_realms (krb5_context context, const char *orig_hostname, char **new_hostname, @@ -124,6 +127,10 @@ krb5_expand_hostname_realms (krb5_context context, int error; krb5_error_code ret = 0; + if ((context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) == 0) + return vanilla_hostname (context, orig_hostname, new_hostname, + realms); + memset (&hints, 0, sizeof(hints)); hints.ai_flags = AI_CANONNAME; diff --git a/crypto/heimdal/lib/krb5/fcache.c b/crypto/heimdal/lib/krb5/fcache.c index 38006c3e3a17..3857b58bf675 100644 --- a/crypto/heimdal/lib/krb5/fcache.c +++ b/crypto/heimdal/lib/krb5/fcache.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: fcache.c,v 1.34.6.6 2004/03/10 13:30:59 lha Exp $"); +RCSID("$Id: fcache.c 22522 2008-01-24 11:56:25Z lha $"); typedef struct krb5_fcache{ char *filename; @@ -105,18 +105,33 @@ _krb5_xlock(krb5_context context, int fd, krb5_boolean exclusive, } int -_krb5_xunlock(int fd) +_krb5_xunlock(krb5_context context, int fd) { -#ifdef HAVE_FCNTL_LOCK + int ret; +#ifdef HAVE_FCNTL struct flock l; l.l_start = 0; l.l_len = 0; l.l_type = F_UNLCK; l.l_whence = SEEK_SET; - return fcntl(fd, F_SETLKW, &l); + ret = fcntl(fd, F_SETLKW, &l); #else - return flock(fd, LOCK_UN); + ret = flock(fd, LOCK_UN); #endif + if (ret < 0) + ret = errno; + switch (ret) { + case 0: + break; + case EINVAL: /* filesystem doesn't support locking, let the user have it */ + ret = 0; + break; + default: + krb5_set_error_string(context, + "Failed to unlock file: %s", strerror(ret)); + break; + } + return ret; } static krb5_error_code @@ -129,7 +144,7 @@ fcc_lock(krb5_context context, krb5_ccache id, static krb5_error_code fcc_unlock(krb5_context context, int fd) { - return _krb5_xunlock(fd); + return _krb5_xunlock(context, fd); } static krb5_error_code @@ -254,10 +269,11 @@ fcc_gen_new(krb5_context context, krb5_ccache *id) } fd = mkstemp(file); if(fd < 0) { + int ret = errno; + krb5_set_error_string(context, "mkstemp %s", file); free(f); free(file); - krb5_set_error_string(context, "mkstemp %s", file); - return errno; + return ret; } close(fd); f->filename = file; @@ -405,13 +421,12 @@ fcc_store_cred(krb5_context context, sp = krb5_storage_from_fd(fd); krb5_storage_set_eof_code(sp, KRB5_CC_END); storage_set_flags(context, sp, FCACHE(id)->version); - if (krb5_config_get_bool_default(context, NULL, FALSE, - "libdefaults", - "fcc-mit-ticketflags", - NULL)) - ret = _krb5_store_creds_heimdal_0_7(sp, creds); - else - ret = _krb5_store_creds_heimdal_pre_0_7(sp, creds); + if (!krb5_config_get_bool_default(context, NULL, TRUE, + "libdefaults", + "fcc-mit-ticketflags", + NULL)) + krb5_storage_set_flags(sp, KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER); + ret = krb5_store_creds(sp, creds); krb5_storage_free(sp); } fcc_unlock(context, fd); @@ -436,28 +451,37 @@ init_fcc (krb5_context context, krb5_error_code ret; ret = fcc_open(context, id, &fd, O_RDONLY | O_BINARY, 0); - if(ret) return ret; sp = krb5_storage_from_fd(fd); if(sp == NULL) { + krb5_clear_error_string(context); ret = ENOMEM; goto out; } krb5_storage_set_eof_code(sp, KRB5_CC_END); ret = krb5_ret_int8(sp, &pvno); if(ret != 0) { - if(ret == KRB5_CC_END) - ret = ENOENT; /* empty file */ + if(ret == KRB5_CC_END) { + krb5_set_error_string(context, "Empty credential cache file: %s", + FILENAME(id)); + ret = ENOENT; + } else + krb5_set_error_string(context, "Error reading pvno in " + "cache file: %s", FILENAME(id)); goto out; } if(pvno != 5) { + krb5_set_error_string(context, "Bad version number in credential " + "cache file: %s", FILENAME(id)); ret = KRB5_CCACHE_BADVNO; goto out; } ret = krb5_ret_int8(sp, &tag); /* should not be host byte order */ if(ret != 0) { + krb5_set_error_string(context, "Error reading tag in " + "cache file: %s", FILENAME(id)); ret = KRB5_CC_FORMAT; goto out; } @@ -470,32 +494,42 @@ init_fcc (krb5_context context, ret = krb5_ret_int16 (sp, &length); if(ret) { ret = KRB5_CC_FORMAT; + krb5_set_error_string(context, "Error reading tag length in " + "cache file: %s", FILENAME(id)); goto out; } while(length > 0) { - int16_t tag, data_len; + int16_t dtag, data_len; int i; int8_t dummy; - ret = krb5_ret_int16 (sp, &tag); + ret = krb5_ret_int16 (sp, &dtag); if(ret) { + krb5_set_error_string(context, "Error reading dtag in " + "cache file: %s", FILENAME(id)); ret = KRB5_CC_FORMAT; goto out; } ret = krb5_ret_int16 (sp, &data_len); if(ret) { + krb5_set_error_string(context, "Error reading dlength in " + "cache file: %s", FILENAME(id)); ret = KRB5_CC_FORMAT; goto out; } - switch (tag) { + switch (dtag) { case FCC_TAG_DELTATIME : ret = krb5_ret_int32 (sp, &context->kdc_sec_offset); if(ret) { + krb5_set_error_string(context, "Error reading kdc_sec in " + "cache file: %s", FILENAME(id)); ret = KRB5_CC_FORMAT; goto out; } ret = krb5_ret_int32 (sp, &context->kdc_usec_offset); if(ret) { + krb5_set_error_string(context, "Error reading kdc_usec in " + "cache file: %s", FILENAME(id)); ret = KRB5_CC_FORMAT; goto out; } @@ -504,6 +538,9 @@ init_fcc (krb5_context context, for (i = 0; i < data_len; ++i) { ret = krb5_ret_int8 (sp, &dummy); if(ret) { + krb5_set_error_string(context, "Error reading unknown " + "tag in cache file: %s", + FILENAME(id)); ret = KRB5_CC_FORMAT; goto out; } @@ -520,6 +557,9 @@ init_fcc (krb5_context context, break; default : ret = KRB5_CCACHE_BADVNO; + krb5_set_error_string(context, "Unknown version number (%d) in " + "credential cache file: %s", + (int)tag, FILENAME(id)); goto out; } *ret_sp = sp; @@ -547,6 +587,8 @@ fcc_get_principal(krb5_context context, if (ret) return ret; ret = krb5_ret_principal(sp, principal); + if (ret) + krb5_clear_error_string(context); krb5_storage_free(sp); fcc_unlock(context, fd); close(fd); @@ -567,15 +609,22 @@ fcc_get_first (krb5_context context, krb5_principal principal; *cursor = malloc(sizeof(struct fcc_cursor)); + if (*cursor == NULL) { + krb5_set_error_string (context, "malloc: out of memory"); + return ENOMEM; + } + memset(*cursor, 0, sizeof(struct fcc_cursor)); ret = init_fcc (context, id, &FCC_CURSOR(*cursor)->sp, &FCC_CURSOR(*cursor)->fd); if (ret) { free(*cursor); + *cursor = NULL; return ret; } ret = krb5_ret_principal (FCC_CURSOR(*cursor)->sp, &principal); if(ret) { + krb5_clear_error_string(context); fcc_end_get(context, id, cursor); return ret; } @@ -595,6 +644,8 @@ fcc_get_next (krb5_context context, return ret; ret = krb5_ret_creds(FCC_CURSOR(*cursor)->sp, creds); + if (ret) + krb5_clear_error_string(context); fcc_unlock(context, FCC_CURSOR(*cursor)->fd); return ret; @@ -618,7 +669,31 @@ fcc_remove_cred(krb5_context context, krb5_flags which, krb5_creds *cred) { - return 0; /* XXX */ + krb5_error_code ret; + krb5_ccache copy; + + ret = krb5_cc_gen_new(context, &krb5_mcc_ops, ©); + if (ret) + return ret; + + ret = krb5_cc_copy_cache(context, id, copy); + if (ret) { + krb5_cc_destroy(context, copy); + return ret; + } + + ret = krb5_cc_remove_cred(context, copy, which, cred); + if (ret) { + krb5_cc_destroy(context, copy); + return ret; + } + + fcc_destroy(context, id); + + ret = krb5_cc_copy_cache(context, copy, id); + krb5_cc_destroy(context, copy); + + return ret; } static krb5_error_code @@ -636,6 +711,151 @@ fcc_get_version(krb5_context context, return FCACHE(id)->version; } +struct fcache_iter { + int first; +}; + +static krb5_error_code +fcc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor) +{ + struct fcache_iter *iter; + + iter = calloc(1, sizeof(*iter)); + if (iter == NULL) { + krb5_set_error_string(context, "malloc - out of memory"); + return ENOMEM; + } + iter->first = 1; + *cursor = iter; + return 0; +} + +static krb5_error_code +fcc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id) +{ + struct fcache_iter *iter = cursor; + krb5_error_code ret; + const char *fn; + char *expandedfn = NULL; + + if (!iter->first) { + krb5_clear_error_string(context); + return KRB5_CC_END; + } + iter->first = 0; + + fn = krb5_cc_default_name(context); + if (strncasecmp(fn, "FILE:", 5) != 0) { + ret = _krb5_expand_default_cc_name(context, + KRB5_DEFAULT_CCNAME_FILE, + &expandedfn); + if (ret) + return ret; + } + ret = krb5_cc_resolve(context, fn, id); + if (expandedfn) + free(expandedfn); + + return ret; +} + +static krb5_error_code +fcc_end_cache_get(krb5_context context, krb5_cc_cursor cursor) +{ + struct fcache_iter *iter = cursor; + free(iter); + return 0; +} + +static krb5_error_code +fcc_move(krb5_context context, krb5_ccache from, krb5_ccache to) +{ + krb5_error_code ret = 0; + + ret = rename(FILENAME(from), FILENAME(to)); + if (ret && errno != EXDEV) { + ret = errno; + krb5_set_error_string(context, + "Rename of file from %s to %s failed: %s", + FILENAME(from), FILENAME(to), + strerror(ret)); + return ret; + } else if (ret && errno == EXDEV) { + /* make a copy and delete the orignal */ + krb5_ssize_t sz1, sz2; + int fd1, fd2; + char buf[BUFSIZ]; + + ret = fcc_open(context, from, &fd1, O_RDONLY | O_BINARY, 0); + if(ret) + return ret; + + unlink(FILENAME(to)); + + ret = fcc_open(context, to, &fd2, + O_WRONLY | O_CREAT | O_EXCL | O_BINARY, 0600); + if(ret) + goto out1; + + while((sz1 = read(fd1, buf, sizeof(buf))) > 0) { + sz2 = write(fd2, buf, sz1); + if (sz1 != sz2) { + ret = EIO; + krb5_set_error_string(context, + "Failed to write data from one file " + "credential cache to the other"); + goto out2; + } + } + if (sz1 < 0) { + ret = EIO; + krb5_set_error_string(context, + "Failed to read data from one file " + "credential cache to the other"); + goto out2; + } + erase_file(FILENAME(from)); + + out2: + fcc_unlock(context, fd2); + close(fd2); + + out1: + fcc_unlock(context, fd1); + close(fd1); + + if (ret) { + erase_file(FILENAME(to)); + return ret; + } + } + + /* make sure ->version is uptodate */ + { + krb5_storage *sp; + int fd; + ret = init_fcc (context, to, &sp, &fd); + krb5_storage_free(sp); + fcc_unlock(context, fd); + close(fd); + } + return ret; +} + +static krb5_error_code +fcc_default_name(krb5_context context, char **str) +{ + return _krb5_expand_default_cc_name(context, + KRB5_DEFAULT_CCNAME_FILE, + str); +} + +/** + * Variable containing the FILE based credential cache implemention. + * + * @ingroup krb5_ccache + */ + const krb5_cc_ops krb5_fcc_ops = { "FILE", fcc_get_name, @@ -652,5 +872,10 @@ const krb5_cc_ops krb5_fcc_ops = { fcc_end_get, fcc_remove_cred, fcc_set_flags, - fcc_get_version + fcc_get_version, + fcc_get_cache_first, + fcc_get_cache_next, + fcc_end_cache_get, + fcc_move, + fcc_default_name }; diff --git a/crypto/heimdal/lib/krb5/free.c b/crypto/heimdal/lib/krb5/free.c index 251ec320106d..1b0bd05412f2 100644 --- a/crypto/heimdal/lib/krb5/free.c +++ b/crypto/heimdal/lib/krb5/free.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 1999, 2004 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,18 +33,19 @@ #include "krb5_locl.h" -RCSID("$Id: free.c,v 1.5 1999/12/02 17:05:09 joda Exp $"); +RCSID("$Id: free.c 15175 2005-05-18 10:06:16Z lha $"); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_kdc_rep(krb5_context context, krb5_kdc_rep *rep) { free_KDC_REP(&rep->kdc_rep); free_EncTGSRepPart(&rep->enc_part); free_KRB_ERROR(&rep->error); + memset(rep, 0, sizeof(*rep)); return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_xfree (void *ptr) { free (ptr); diff --git a/crypto/heimdal/lib/krb5/free_host_realm.c b/crypto/heimdal/lib/krb5/free_host_realm.c index a69f29b988ff..6b13ce7d0e04 100644 --- a/crypto/heimdal/lib/krb5/free_host_realm.c +++ b/crypto/heimdal/lib/krb5/free_host_realm.c @@ -33,13 +33,13 @@ #include "krb5_locl.h" -RCSID("$Id: free_host_realm.c,v 1.4 1999/12/02 17:05:09 joda Exp $"); +RCSID("$Id: free_host_realm.c 13863 2004-05-25 21:46:46Z lha $"); /* * Free all memory allocated by `realmlist' */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_host_realm(krb5_context context, krb5_realm *realmlist) { diff --git a/crypto/heimdal/lib/krb5/generate_seq_number.c b/crypto/heimdal/lib/krb5/generate_seq_number.c index 795c3f3ff68a..8a04f048c8c8 100644 --- a/crypto/heimdal/lib/krb5/generate_seq_number.c +++ b/crypto/heimdal/lib/krb5/generate_seq_number.c @@ -33,16 +33,16 @@ #include <krb5_locl.h> -RCSID("$Id: generate_seq_number.c,v 1.8 2001/05/08 14:05:37 assar Exp $"); +RCSID("$Id: generate_seq_number.c 17442 2006-05-05 09:31:15Z lha $"); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_generate_seq_number(krb5_context context, const krb5_keyblock *key, - u_int32_t *seqno) + uint32_t *seqno) { krb5_error_code ret; krb5_keyblock *subkey; - u_int32_t q; + uint32_t q; u_char *p; int i; diff --git a/crypto/heimdal/lib/krb5/generate_subkey.c b/crypto/heimdal/lib/krb5/generate_subkey.c index 3fb22f970e0b..fb99cbbf3f74 100644 --- a/crypto/heimdal/lib/krb5/generate_subkey.c +++ b/crypto/heimdal/lib/krb5/generate_subkey.c @@ -33,13 +33,22 @@ #include <krb5_locl.h> -RCSID("$Id: generate_subkey.c,v 1.8 2001/05/14 06:14:46 assar Exp $"); +RCSID("$Id: generate_subkey.c 14455 2005-01-05 02:39:21Z lukeh $"); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_generate_subkey(krb5_context context, const krb5_keyblock *key, krb5_keyblock **subkey) { + return krb5_generate_subkey_extended(context, key, key->keytype, subkey); +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_generate_subkey_extended(krb5_context context, + const krb5_keyblock *key, + krb5_enctype etype, + krb5_keyblock **subkey) +{ krb5_error_code ret; ALLOC(*subkey, 1); @@ -47,8 +56,17 @@ krb5_generate_subkey(krb5_context context, krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; } - ret = krb5_generate_random_keyblock(context, key->keytype, *subkey); - if(ret) + + if (etype == ETYPE_NULL) + etype = key->keytype; /* use session key etype */ + + /* XXX should we use the session key as input to the RF? */ + ret = krb5_generate_random_keyblock(context, etype, *subkey); + if (ret != 0) { free(*subkey); + *subkey = NULL; + } + return ret; } + diff --git a/crypto/heimdal/lib/krb5/get_addrs.c b/crypto/heimdal/lib/krb5/get_addrs.c index 94a0350e8bc1..a7fd2ea84b1b 100644 --- a/crypto/heimdal/lib/krb5/get_addrs.c +++ b/crypto/heimdal/lib/krb5/get_addrs.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: get_addrs.c,v 1.45 2003/01/25 15:19:49 lha Exp $"); +RCSID("$Id: get_addrs.c 13863 2004-05-25 21:46:46Z lha $"); #ifdef __osf__ /* hate */ @@ -268,7 +268,7 @@ get_addrs_int (krb5_context context, krb5_addresses *res, int flags) * Only include loopback address if there are no other. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_all_client_addrs (krb5_context context, krb5_addresses *res) { int flags = LOOP_IF_NONE | EXTRA_ADDRESSES; @@ -284,7 +284,7 @@ krb5_get_all_client_addrs (krb5_context context, krb5_addresses *res) * If that fails, we return the address corresponding to `hostname'. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_all_server_addrs (krb5_context context, krb5_addresses *res) { return get_addrs_int (context, res, LOOP | SCAN_INTERFACES); diff --git a/crypto/heimdal/lib/krb5/get_cred.c b/crypto/heimdal/lib/krb5/get_cred.c index cae47f5763d7..ce0ec6d29283 100644 --- a/crypto/heimdal/lib/krb5/get_cred.c +++ b/crypto/heimdal/lib/krb5/get_cred.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$Id: get_cred.c,v 1.91.4.3 2004/01/09 00:47:17 lha Exp $"); +RCSID("$Id: get_cred.c 21668 2007-07-22 11:28:05Z lha $"); /* * Take the `body' and encode it into `padata' using the credentials @@ -62,12 +62,12 @@ make_pa_tgs_req(krb5_context context, in_data.length = len; in_data.data = buf; - ret = krb5_mk_req_internal(context, &ac, 0, &in_data, creds, - &padata->padata_value, - KRB5_KU_TGS_REQ_AUTH_CKSUM, - usage - /* KRB5_KU_TGS_REQ_AUTH */); -out: + ret = _krb5_mk_req_internal(context, &ac, 0, &in_data, creds, + &padata->padata_value, + KRB5_KU_TGS_REQ_AUTH_CKSUM, + usage + /* KRB5_KU_TGS_REQ_AUTH */); + out: free (buf); if(ret) return ret; @@ -86,14 +86,17 @@ set_auth_data (krb5_context context, krb5_keyblock *key) { if(authdata->len) { - size_t len; + size_t len, buf_size; unsigned char *buf; krb5_crypto crypto; krb5_error_code ret; - ASN1_MALLOC_ENCODE(AuthorizationData, buf, len, authdata, &len, ret); + ASN1_MALLOC_ENCODE(AuthorizationData, buf, buf_size, authdata, + &len, ret); if (ret) return ret; + if (buf_size != len) + krb5_abortx(context, "internal error in ASN.1 encoder"); ALLOC(req_body->enc_authorization_data, 1); if (req_body->enc_authorization_data == NULL) { @@ -105,6 +108,7 @@ set_auth_data (krb5_context context, if (ret) { free (buf); free (req_body->enc_authorization_data); + req_body->enc_authorization_data = NULL; return ret; } krb5_encrypt_EncryptedData(context, @@ -138,6 +142,7 @@ init_tgs_req (krb5_context context, krb5_creds *in_creds, krb5_creds *krbtgt, unsigned nonce, + const METHOD_DATA *padata, krb5_keyblock **subkey, TGS_REQ *t, krb5_key_usage usage) @@ -216,12 +221,22 @@ init_tgs_req (krb5_context context, krb5_set_error_string(context, "malloc: out of memory"); goto fail; } - ALLOC_SEQ(t->padata, 1); + ALLOC_SEQ(t->padata, 1 + padata->len); if (t->padata->val == NULL) { ret = ENOMEM; krb5_set_error_string(context, "malloc: out of memory"); goto fail; } + { + int i; + for (i = 0; i < padata->len; i++) { + ret = copy_PA_DATA(&padata->val[i], &t->padata->val[i + 1]); + if (ret) { + krb5_set_error_string(context, "malloc: out of memory"); + goto fail; + } + } + } { krb5_auth_context ac; @@ -252,7 +267,8 @@ init_tgs_req (krb5_context context, } } - ret = set_auth_data (context, &t->req_body, &in_creds->authdata, key); + ret = set_auth_data (context, &t->req_body, &in_creds->authdata, + key ? key : &krbtgt->session); if (ret) { if (key) krb5_free_keyblock (context, key); @@ -263,7 +279,7 @@ init_tgs_req (krb5_context context, ret = make_pa_tgs_req(context, ac, &t->req_body, - t->padata->val, + &t->padata->val[0], krbtgt, usage); if(ret) { @@ -345,7 +361,7 @@ decrypt_tkt_with_subkey (krb5_context context, krb5_crypto_destroy(context, crypto); if(ret && subkey){ /* DCE compat -- try to decrypt with subkey */ - ret = krb5_crypto_init(context, (krb5_keyblock*)subkey, 0, &crypto); + ret = krb5_crypto_init(context, subkey, 0, &crypto); if (ret) return ret; ret = krb5_decrypt_EncryptedData (context, @@ -378,8 +394,10 @@ get_cred_kdc_usage(krb5_context context, krb5_ccache id, krb5_kdc_flags flags, krb5_addresses *addresses, - krb5_creds *in_creds, + krb5_creds *in_creds, krb5_creds *krbtgt, + krb5_principal impersonate_principal, + Ticket *second_ticket, krb5_creds *out_creds, krb5_key_usage usage) { @@ -391,58 +409,119 @@ get_cred_kdc_usage(krb5_context context, krb5_error_code ret; unsigned nonce; krb5_keyblock *subkey = NULL; - u_char *buf = NULL; - size_t buf_size; size_t len; - Ticket second_ticket; + Ticket second_ticket_data; + METHOD_DATA padata; + krb5_data_zero(&resp); + krb5_data_zero(&enc); + padata.val = NULL; + padata.len = 0; + krb5_generate_random_block(&nonce, sizeof(nonce)); nonce &= 0xffffffff; - if(flags.b.enc_tkt_in_skey){ + if(flags.b.enc_tkt_in_skey && second_ticket == NULL){ ret = decode_Ticket(in_creds->second_ticket.data, in_creds->second_ticket.length, - &second_ticket, &len); + &second_ticket_data, &len); if(ret) return ret; + second_ticket = &second_ticket_data; + } + + + if (impersonate_principal) { + krb5_crypto crypto; + PA_S4U2Self self; + krb5_data data; + void *buf; + size_t size; + + self.name = impersonate_principal->name; + self.realm = impersonate_principal->realm; + self.auth = estrdup("Kerberos"); + + ret = _krb5_s4u2self_to_checksumdata(context, &self, &data); + if (ret) { + free(self.auth); + goto out; + } + + ret = krb5_crypto_init(context, &krbtgt->session, 0, &crypto); + if (ret) { + free(self.auth); + krb5_data_free(&data); + goto out; + } + + ret = krb5_create_checksum(context, + crypto, + KRB5_KU_OTHER_CKSUM, + 0, + data.data, + data.length, + &self.cksum); + krb5_crypto_destroy(context, crypto); + krb5_data_free(&data); + if (ret) { + free(self.auth); + goto out; + } + + ASN1_MALLOC_ENCODE(PA_S4U2Self, buf, len, &self, &size, ret); + free(self.auth); + free_Checksum(&self.cksum); + if (ret) + goto out; + if (len != size) + krb5_abortx(context, "internal asn1 error"); + + ret = krb5_padata_add(context, &padata, KRB5_PADATA_S4U2SELF, buf, len); + if (ret) + goto out; } ret = init_tgs_req (context, id, addresses, flags, - flags.b.enc_tkt_in_skey ? &second_ticket : NULL, + second_ticket, in_creds, krbtgt, nonce, + &padata, &subkey, &req, usage); - if(flags.b.enc_tkt_in_skey) - free_Ticket(&second_ticket); if (ret) goto out; - ASN1_MALLOC_ENCODE(TGS_REQ, buf, buf_size, &req, &enc.length, ret); + ASN1_MALLOC_ENCODE(TGS_REQ, enc.data, enc.length, &req, &len, ret); if (ret) goto out; - if(enc.length != buf_size) + if(enc.length != len) krb5_abortx(context, "internal error in ASN.1 encoder"); /* don't free addresses */ req.req_body.addresses = NULL; free_TGS_REQ(&req); - enc.data = buf + buf_size - enc.length; - if (ret) - goto out; - /* * Send and receive */ + { + krb5_sendto_ctx stctx; + ret = krb5_sendto_ctx_alloc(context, &stctx); + if (ret) + return ret; + krb5_sendto_ctx_set_func(stctx, _krb5_kdc_retry, NULL); - ret = krb5_sendto_kdc (context, &enc, - &krbtgt->server->name.name_string.val[1], &resp); + ret = krb5_sendto_context (context, stctx, &enc, + krbtgt->server->name.name_string.val[1], + &resp); + krb5_sendto_ctx_free(context, stctx); + } if(ret) goto out; @@ -469,13 +548,11 @@ get_cred_kdc_usage(krb5_context context, KRB5_KU_TGS_REP_ENC_PART_SESSION, &krbtgt->addresses, nonce, - TRUE, - flags.b.request_anonymous, + EXTRACT_TICKET_ALLOW_CNAME_MISMATCH| + EXTRACT_TICKET_ALLOW_SERVER_MISMATCH, decrypt_tkt_with_subkey, subkey); krb5_free_kdc_rep(context, &rep); - if (ret) - goto out; } else if(krb5_rd_error(context, &resp, &error) == 0) { ret = krb5_error_from_rd_error(context, &error, in_creds); krb5_free_error_contents(context, &error); @@ -486,14 +563,17 @@ get_cred_kdc_usage(krb5_context context, ret = KRB5KRB_AP_ERR_MSG_TYPE; krb5_clear_error_string(context); } + +out: + if (second_ticket == &second_ticket_data) + free_Ticket(&second_ticket_data); + free_METHOD_DATA(&padata); krb5_data_free(&resp); - out: + krb5_data_free(&enc); if(subkey){ krb5_free_keyblock_contents(context, subkey); free(subkey); } - if (buf) - free (buf); return ret; } @@ -505,16 +585,20 @@ get_cred_kdc(krb5_context context, krb5_addresses *addresses, krb5_creds *in_creds, krb5_creds *krbtgt, + krb5_principal impersonate_principal, + Ticket *second_ticket, krb5_creds *out_creds) { krb5_error_code ret; ret = get_cred_kdc_usage(context, id, flags, addresses, in_creds, - krbtgt, out_creds, KRB5_KU_TGS_REQ_AUTH); + krbtgt, impersonate_principal, second_ticket, + out_creds, KRB5_KU_TGS_REQ_AUTH); if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) { krb5_clear_error_string (context); ret = get_cred_kdc_usage(context, id, flags, addresses, in_creds, - krbtgt, out_creds, KRB5_KU_AP_REQ_AUTH); + krbtgt, impersonate_principal, second_ticket, + out_creds, KRB5_KU_AP_REQ_AUTH); } return ret; } @@ -524,6 +608,7 @@ get_cred_kdc(krb5_context context, static krb5_error_code get_cred_kdc_la(krb5_context context, krb5_ccache id, krb5_kdc_flags flags, krb5_creds *in_creds, krb5_creds *krbtgt, + krb5_principal impersonate_principal, Ticket *second_ticket, krb5_creds *out_creds) { krb5_error_code ret; @@ -534,12 +619,13 @@ get_cred_kdc_la(krb5_context context, krb5_ccache id, krb5_kdc_flags flags, if(addresses.len == 0) addrs = NULL; ret = get_cred_kdc(context, id, flags, addrs, - in_creds, krbtgt, out_creds); + in_creds, krbtgt, impersonate_principal, second_ticket, + out_creds); krb5_free_addresses(context, &addresses); return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_kdc_cred(krb5_context context, krb5_ccache id, krb5_kdc_flags flags, @@ -566,13 +652,27 @@ krb5_get_kdc_cred(krb5_context context, return ret; } ret = get_cred_kdc(context, id, flags, addresses, - in_creds, krbtgt, *out_creds); + in_creds, krbtgt, NULL, NULL, *out_creds); krb5_free_creds (context, krbtgt); if(ret) free(*out_creds); return ret; } +static void +not_found(krb5_context context, krb5_const_principal p) +{ + krb5_error_code ret; + char *str; + + ret = krb5_unparse_name(context, p, &str); + if(ret) { + krb5_clear_error_string(context); + return; + } + krb5_set_error_string(context, "Matching credential (%s) not found", str); + free(str); +} static krb5_error_code find_cred(krb5_context context, @@ -583,6 +683,8 @@ find_cred(krb5_context context, { krb5_error_code ret; krb5_creds mcreds; + + krb5_cc_clear_mcred(&mcreds); mcreds.server = server; ret = krb5_cc_retrieve_cred(context, id, KRB5_TC_DONT_MATCH_REALM, &mcreds, out_creds); @@ -596,7 +698,7 @@ find_cred(krb5_context context, } tgts++; } - krb5_clear_error_string(context); + not_found(context, server); return KRB5_CC_NOTFOUND; } @@ -639,6 +741,8 @@ get_cred_from_kdc_flags(krb5_context context, krb5_kdc_flags flags, krb5_ccache ccache, krb5_creds *in_creds, + krb5_principal impersonate_principal, + Ticket *second_ticket, krb5_creds **out_creds, krb5_creds ***ret_tgts) { @@ -648,8 +752,8 @@ get_cred_from_kdc_flags(krb5_context context, *out_creds = NULL; - client_realm = *krb5_princ_realm(context, in_creds->client); - server_realm = *krb5_princ_realm(context, in_creds->server); + client_realm = krb5_principal_get_realm(context, in_creds->client); + server_realm = krb5_principal_get_realm(context, in_creds->server); memset(&tmp_creds, 0, sizeof(tmp_creds)); ret = krb5_copy_principal(context, in_creds->client, &tmp_creds.client); if(ret) @@ -696,31 +800,37 @@ get_cred_from_kdc_flags(krb5_context context, if (noaddr) ret = get_cred_kdc(context, ccache, flags, NULL, - in_creds, &tgts, *out_creds); + in_creds, &tgts, + impersonate_principal, + second_ticket, + *out_creds); else ret = get_cred_kdc_la(context, ccache, flags, - in_creds, &tgts, *out_creds); + in_creds, &tgts, + impersonate_principal, + second_ticket, + *out_creds); if (ret) { free (*out_creds); *out_creds = NULL; } } - krb5_free_creds_contents(context, &tgts); + krb5_free_cred_contents(context, &tgts); krb5_free_principal(context, tmp_creds.server); krb5_free_principal(context, tmp_creds.client); return ret; } } if(krb5_realm_compare(context, in_creds->client, in_creds->server)) { - krb5_clear_error_string (context); + not_found(context, in_creds->server); return KRB5_CC_NOTFOUND; } /* XXX this can loop forever */ while(1){ - general_string tgt_inst; + heim_general_string tgt_inst; ret = get_cred_from_kdc_flags(context, flags, ccache, &tmp_creds, - &tgt, ret_tgts); + NULL, NULL, &tgt, ret_tgts); if(ret) { krb5_free_principal(context, tmp_creds.server); krb5_free_principal(context, tmp_creds.client); @@ -761,13 +871,16 @@ get_cred_from_kdc_flags(krb5_context context, krb5_boolean noaddr; krb5_appdefault_boolean(context, NULL, tgt->server->realm, - "no-addresses", FALSE, &noaddr); + "no-addresses", KRB5_ADDRESSLESS_DEFAULT, + &noaddr); if (noaddr) ret = get_cred_kdc (context, ccache, flags, NULL, - in_creds, tgt, *out_creds); + in_creds, tgt, NULL, NULL, + *out_creds); else ret = get_cred_kdc_la(context, ccache, flags, - in_creds, tgt, *out_creds); + in_creds, tgt, NULL, NULL, + *out_creds); if (ret) { free (*out_creds); *out_creds = NULL; @@ -777,7 +890,7 @@ get_cred_from_kdc_flags(krb5_context context, return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds *in_creds, @@ -788,10 +901,11 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_kdc_flags f; f.i = flags; return get_cred_from_kdc_flags(context, f, ccache, - in_creds, out_creds, ret_tgts); + in_creds, NULL, NULL, + out_creds, ret_tgts); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_cred_from_kdc(krb5_context context, krb5_ccache ccache, krb5_creds *in_creds, @@ -803,7 +917,7 @@ krb5_get_cred_from_kdc(krb5_context context, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_credentials_with_flags(krb5_context context, krb5_flags options, krb5_kdc_flags flags, @@ -823,38 +937,67 @@ krb5_get_credentials_with_flags(krb5_context context, return ENOMEM; } + if (in_creds->session.keytype) + options |= KRB5_TC_MATCH_KEYTYPE; + + /* + * If we got a credential, check if credential is expired before + * returning it. + */ ret = krb5_cc_retrieve_cred(context, - ccache, - in_creds->session.keytype ? - KRB5_TC_MATCH_KEYTYPE : 0, - in_creds, res_creds); - if(ret == 0) { - *out_creds = res_creds; - return 0; + ccache, + in_creds->session.keytype ? + KRB5_TC_MATCH_KEYTYPE : 0, + in_creds, res_creds); + /* + * If we got a credential, check if credential is expired before + * returning it, but only if KRB5_GC_EXPIRED_OK is not set. + */ + if (ret == 0) { + krb5_timestamp timeret; + + /* If expired ok, don't bother checking */ + if(options & KRB5_GC_EXPIRED_OK) { + *out_creds = res_creds; + return 0; + } + + krb5_timeofday(context, &timeret); + if(res_creds->times.endtime > timeret) { + *out_creds = res_creds; + return 0; + } + if(options & KRB5_GC_CACHED) + krb5_cc_remove_cred(context, ccache, 0, res_creds); + + } else if(ret != KRB5_CC_END) { + free(res_creds); + return ret; } free(res_creds); - if(ret != KRB5_CC_END) - return ret; if(options & KRB5_GC_CACHED) { - krb5_clear_error_string (context); - return KRB5_CC_NOTFOUND; + not_found(context, in_creds->server); + return KRB5_CC_NOTFOUND; } if(options & KRB5_GC_USER_USER) flags.b.enc_tkt_in_skey = 1; + if (flags.b.enc_tkt_in_skey) + options |= KRB5_GC_NO_STORE; + tgts = NULL; ret = get_cred_from_kdc_flags(context, flags, ccache, - in_creds, out_creds, &tgts); + in_creds, NULL, NULL, out_creds, &tgts); for(i = 0; tgts && tgts[i]; i++) { krb5_cc_store_cred(context, ccache, tgts[i]); krb5_free_creds(context, tgts[i]); } free(tgts); - if(ret == 0 && flags.b.enc_tkt_in_skey == 0) + if(ret == 0 && (options & KRB5_GC_NO_STORE) == 0) krb5_cc_store_cred(context, ccache, *out_creds); return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_credentials(krb5_context context, krb5_flags options, krb5_ccache ccache, @@ -866,3 +1009,269 @@ krb5_get_credentials(krb5_context context, return krb5_get_credentials_with_flags(context, options, flags, ccache, in_creds, out_creds); } + +struct krb5_get_creds_opt_data { + krb5_principal self; + krb5_flags options; + krb5_enctype enctype; + Ticket *ticket; +}; + + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_creds_opt_alloc(krb5_context context, krb5_get_creds_opt *opt) +{ + *opt = calloc(1, sizeof(**opt)); + if (*opt == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + return 0; +} + +void KRB5_LIB_FUNCTION +krb5_get_creds_opt_free(krb5_context context, krb5_get_creds_opt opt) +{ + if (opt->self) + krb5_free_principal(context, opt->self); + memset(opt, 0, sizeof(*opt)); + free(opt); +} + +void KRB5_LIB_FUNCTION +krb5_get_creds_opt_set_options(krb5_context context, + krb5_get_creds_opt opt, + krb5_flags options) +{ + opt->options = options; +} + +void KRB5_LIB_FUNCTION +krb5_get_creds_opt_add_options(krb5_context context, + krb5_get_creds_opt opt, + krb5_flags options) +{ + opt->options |= options; +} + +void KRB5_LIB_FUNCTION +krb5_get_creds_opt_set_enctype(krb5_context context, + krb5_get_creds_opt opt, + krb5_enctype enctype) +{ + opt->enctype = enctype; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_creds_opt_set_impersonate(krb5_context context, + krb5_get_creds_opt opt, + krb5_const_principal self) +{ + if (opt->self) + krb5_free_principal(context, opt->self); + return krb5_copy_principal(context, self, &opt->self); +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_creds_opt_set_ticket(krb5_context context, + krb5_get_creds_opt opt, + const Ticket *ticket) +{ + if (opt->ticket) { + free_Ticket(opt->ticket); + free(opt->ticket); + opt->ticket = NULL; + } + if (ticket) { + krb5_error_code ret; + + opt->ticket = malloc(sizeof(*ticket)); + if (opt->ticket == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + ret = copy_Ticket(ticket, opt->ticket); + if (ret) { + free(opt->ticket); + opt->ticket = NULL; + krb5_set_error_string(context, "malloc: out of memory"); + return ret; + } + } + return 0; +} + + + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_creds(krb5_context context, + krb5_get_creds_opt opt, + krb5_ccache ccache, + krb5_const_principal inprinc, + krb5_creds **out_creds) +{ + krb5_kdc_flags flags; + krb5_flags options; + krb5_creds in_creds; + krb5_error_code ret; + krb5_creds **tgts; + krb5_creds *res_creds; + int i; + + memset(&in_creds, 0, sizeof(in_creds)); + in_creds.server = rk_UNCONST(inprinc); + + ret = krb5_cc_get_principal(context, ccache, &in_creds.client); + if (ret) + return ret; + + options = opt->options; + flags.i = 0; + + *out_creds = NULL; + res_creds = calloc(1, sizeof(*res_creds)); + if (res_creds == NULL) { + krb5_free_principal(context, in_creds.client); + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + + if (opt->enctype) { + in_creds.session.keytype = opt->enctype; + options |= KRB5_TC_MATCH_KEYTYPE; + } + + /* + * If we got a credential, check if credential is expired before + * returning it. + */ + ret = krb5_cc_retrieve_cred(context, + ccache, + opt->enctype ? KRB5_TC_MATCH_KEYTYPE : 0, + &in_creds, res_creds); + /* + * If we got a credential, check if credential is expired before + * returning it, but only if KRB5_GC_EXPIRED_OK is not set. + */ + if (ret == 0) { + krb5_timestamp timeret; + + /* If expired ok, don't bother checking */ + if(options & KRB5_GC_EXPIRED_OK) { + *out_creds = res_creds; + krb5_free_principal(context, in_creds.client); + return 0; + } + + krb5_timeofday(context, &timeret); + if(res_creds->times.endtime > timeret) { + *out_creds = res_creds; + krb5_free_principal(context, in_creds.client); + return 0; + } + if(options & KRB5_GC_CACHED) + krb5_cc_remove_cred(context, ccache, 0, res_creds); + + } else if(ret != KRB5_CC_END) { + free(res_creds); + krb5_free_principal(context, in_creds.client); + return ret; + } + free(res_creds); + if(options & KRB5_GC_CACHED) { + not_found(context, in_creds.server); + krb5_free_principal(context, in_creds.client); + return KRB5_CC_NOTFOUND; + } + if(options & KRB5_GC_USER_USER) { + flags.b.enc_tkt_in_skey = 1; + options |= KRB5_GC_NO_STORE; + } + if (options & KRB5_GC_FORWARDABLE) + flags.b.forwardable = 1; + if (options & KRB5_GC_NO_TRANSIT_CHECK) + flags.b.disable_transited_check = 1; + if (options & KRB5_GC_CONSTRAINED_DELEGATION) { + flags.b.request_anonymous = 1; /* XXX ARGH confusion */ + flags.b.constrained_delegation = 1; + } + + tgts = NULL; + ret = get_cred_from_kdc_flags(context, flags, ccache, + &in_creds, opt->self, opt->ticket, + out_creds, &tgts); + krb5_free_principal(context, in_creds.client); + for(i = 0; tgts && tgts[i]; i++) { + krb5_cc_store_cred(context, ccache, tgts[i]); + krb5_free_creds(context, tgts[i]); + } + free(tgts); + if(ret == 0 && (options & KRB5_GC_NO_STORE) == 0) + krb5_cc_store_cred(context, ccache, *out_creds); + return ret; +} + +/* + * + */ + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_renewed_creds(krb5_context context, + krb5_creds *creds, + krb5_const_principal client, + krb5_ccache ccache, + const char *in_tkt_service) +{ + krb5_error_code ret; + krb5_kdc_flags flags; + krb5_creds in, *template, *out = NULL; + + memset(&in, 0, sizeof(in)); + memset(creds, 0, sizeof(*creds)); + + ret = krb5_copy_principal(context, client, &in.client); + if (ret) + return ret; + + if (in_tkt_service) { + ret = krb5_parse_name(context, in_tkt_service, &in.server); + if (ret) { + krb5_free_principal(context, in.client); + return ret; + } + } else { + const char *realm = krb5_principal_get_realm(context, client); + + ret = krb5_make_principal(context, &in.server, realm, KRB5_TGS_NAME, + realm, NULL); + if (ret) { + krb5_free_principal(context, in.client); + return ret; + } + } + + flags.i = 0; + flags.b.renewable = flags.b.renew = 1; + + /* + * Get template from old credential cache for the same entry, if + * this failes, no worries. + */ + ret = krb5_get_credentials(context, KRB5_GC_CACHED, ccache, &in, &template); + if (ret == 0) { + flags.b.forwardable = template->flags.b.forwardable; + flags.b.proxiable = template->flags.b.proxiable; + krb5_free_creds (context, template); + } + + ret = krb5_get_kdc_cred(context, ccache, flags, NULL, NULL, &in, &out); + krb5_free_principal(context, in.client); + krb5_free_principal(context, in.server); + if (ret) + return ret; + + ret = krb5_copy_creds_contents(context, out, creds); + krb5_free_creds(context, out); + + return ret; +} diff --git a/crypto/heimdal/lib/krb5/get_default_principal.c b/crypto/heimdal/lib/krb5/get_default_principal.c index f8ed48f9583f..83fb2b0fa984 100644 --- a/crypto/heimdal/lib/krb5/get_default_principal.c +++ b/crypto/heimdal/lib/krb5/get_default_principal.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: get_default_principal.c,v 1.7 2001/05/14 06:14:46 assar Exp $"); +RCSID("$Id: get_default_principal.c 14870 2005-04-20 20:53:29Z lha $"); /* * Try to find out what's a reasonable default principal. @@ -50,23 +50,21 @@ get_env_user(void) return user; } +/* + * Will only use operating-system dependant operation to get the + * default principal, for use of functions that in ccache layer to + * avoid recursive calls. + */ + krb5_error_code -krb5_get_default_principal (krb5_context context, - krb5_principal *princ) +_krb5_get_default_principal_local (krb5_context context, + krb5_principal *princ) { krb5_error_code ret; - krb5_ccache id; const char *user; uid_t uid; - ret = krb5_cc_default (context, &id); - if (ret == 0) { - ret = krb5_cc_get_principal (context, id, princ); - krb5_cc_close (context, id); - if (ret == 0) - return 0; - } - + *princ = NULL; uid = getuid(); if(uid == 0) { @@ -93,6 +91,25 @@ krb5_get_default_principal (krb5_context context, } ret = krb5_make_principal(context, princ, NULL, user, NULL); } - return ret; } + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_default_principal (krb5_context context, + krb5_principal *princ) +{ + krb5_error_code ret; + krb5_ccache id; + + *princ = NULL; + + ret = krb5_cc_default (context, &id); + if (ret == 0) { + ret = krb5_cc_get_principal (context, id, princ); + krb5_cc_close (context, id); + if (ret == 0) + return 0; + } + + return _krb5_get_default_principal_local(context, princ); +} diff --git a/crypto/heimdal/lib/krb5/get_default_realm.c b/crypto/heimdal/lib/krb5/get_default_realm.c index 74a880d144e5..09c8577b2601 100644 --- a/crypto/heimdal/lib/krb5/get_default_realm.c +++ b/crypto/heimdal/lib/krb5/get_default_realm.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001, 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,14 +33,14 @@ #include "krb5_locl.h" -RCSID("$Id: get_default_realm.c,v 1.10 2001/07/19 16:55:27 assar Exp $"); +RCSID("$Id: get_default_realm.c 13863 2004-05-25 21:46:46Z lha $"); /* * Return a NULL-terminated list of default realms in `realms'. * Free this memory with krb5_free_host_realm. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_default_realms (krb5_context context, krb5_realm **realms) { @@ -56,22 +56,22 @@ krb5_get_default_realms (krb5_context context, } /* - * Return the first default realm. For compatability. + * Return the first default realm. For compatibility. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_default_realm(krb5_context context, krb5_realm *realm) { + krb5_error_code ret; char *res; if (context->default_realms == NULL || context->default_realms[0] == NULL) { - krb5_error_code ret = krb5_set_default_realm (context, NULL); - if (ret) { - krb5_set_error_string(context, "no default realm configured"); - return KRB5_CONFIG_NODEFREALM; - } + krb5_clear_error_string(context); + ret = krb5_set_default_realm (context, NULL); + if (ret) + return ret; } res = strdup (context->default_realms[0]); diff --git a/crypto/heimdal/lib/krb5/get_for_creds.c b/crypto/heimdal/lib/krb5/get_for_creds.c index 6bdffe5500ee..cb8b7c8641a6 100644 --- a/crypto/heimdal/lib/krb5/get_for_creds.c +++ b/crypto/heimdal/lib/krb5/get_for_creds.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$Id: get_for_creds.c,v 1.34.4.1 2004/01/09 00:51:55 lha Exp $"); +RCSID("$Id: get_for_creds.c 22504 2008-01-21 15:49:58Z lha $"); static krb5_error_code add_addrs(krb5_context context, @@ -50,7 +50,7 @@ add_addrs(krb5_context context, ++n; tmp = realloc(addr->val, (addr->len + n) * sizeof(*addr->val)); - if (tmp == NULL) { + if (tmp == NULL && (addr->len + n) != 0) { krb5_set_error_string(context, "malloc: out of memory"); ret = ENOMEM; goto fail; @@ -83,14 +83,26 @@ fail: return ret; } -/* - * Forward credentials for `client' to host `hostname`, - * making them forwardable if `forwardable', and returning the - * blob of data to sent in `out_data'. - * If hostname == NULL, pick it from `server' +/** + * Forward credentials for client to host hostname , making them + * forwardable if forwardable, and returning the blob of data to sent + * in out_data. If hostname == NULL, pick it from server. + * + * @param context A kerberos 5 context. + * @param auth_context the auth context with the key to encrypt the out_data. + * @param hostname the host to forward the tickets too. + * @param client the client to delegate from. + * @param server the server to delegate the credential too. + * @param ccache credential cache to use. + * @param forwardable make the forwarded ticket forwabledable. + * @param out_data the resulting credential. + * + * @return Return an error code or 0. + * + * @ingroup krb5_credential */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_fwd_tgt_creds (krb5_context context, krb5_auth_context auth_context, const char *hostname, @@ -147,11 +159,34 @@ krb5_fwd_tgt_creds (krb5_context context, return ret; } -/* +/** + * Gets tickets forwarded to hostname. If the tickets that are + * forwarded are address-less, the forwarded tickets will also be + * address-less. + * + * If the ticket have any address, hostname will be used for figure + * out the address to forward the ticket too. This since this might + * use DNS, its insecure and also doesn't represent configured all + * addresses of the host. For example, the host might have two + * adresses, one IPv4 and one IPv6 address where the later is not + * published in DNS. This IPv6 address might be used communications + * and thus the resulting ticket useless. + * + * @param context A kerberos 5 context. + * @param auth_context the auth context with the key to encrypt the out_data. + * @param ccache credential cache to use + * @param flags the flags to control the resulting ticket flags + * @param hostname the host to forward the tickets too. + * @param in_creds the in client and server ticket names. The client + * and server components forwarded to the remote host. + * @param out_data the resulting credential. * + * @return Return an error code or 0. + * + * @ingroup krb5_credential */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_forwarded_creds (krb5_context context, krb5_auth_context auth_context, krb5_ccache ccache, @@ -173,33 +208,32 @@ krb5_get_forwarded_creds (krb5_context context, krb5_crypto crypto; struct addrinfo *ai; int save_errno; - krb5_keyblock *key; krb5_creds *ticket; - char *realm; - - if (in_creds->client && in_creds->client->realm) - realm = in_creds->client->realm; - else - realm = in_creds->server->realm; + paddrs = NULL; addrs.len = 0; addrs.val = NULL; - paddrs = &addrs; - - /* - * If tickets are address-less, forward address-less tickets. - */ - ret = _krb5_get_krbtgt (context, - ccache, - realm, - &ticket); + ret = krb5_get_credentials(context, 0, ccache, in_creds, &ticket); if(ret == 0) { - if (ticket->addresses.len == 0) - paddrs = NULL; + if (ticket->addresses.len) + paddrs = &addrs; krb5_free_creds (context, ticket); + } else { + krb5_boolean noaddr; + krb5_appdefault_boolean(context, NULL, + krb5_principal_get_realm(context, + in_creds->client), + "no-addresses", KRB5_ADDRESSLESS_DEFAULT, + &noaddr); + if (!noaddr) + paddrs = &addrs; } - + + /* + * If tickets have addresses, get the address of the remote host. + */ + if (paddrs != NULL) { ret = getaddrinfo (hostname, NULL, NULL, &ai); @@ -216,7 +250,7 @@ krb5_get_forwarded_creds (krb5_context context, return ret; } - kdc_flags.i = flags; + kdc_flags.b = int2KDCOptions(flags); ret = krb5_get_kdc_cred (context, ccache, @@ -226,9 +260,8 @@ krb5_get_forwarded_creds (krb5_context context, in_creds, &out_creds); krb5_free_addresses (context, &addrs); - if (ret) { + if (ret) return ret; - } memset (&cred, 0, sizeof(cred)); cred.pvno = 5; @@ -254,7 +287,8 @@ krb5_get_forwarded_creds (krb5_context context, } if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) { - int32_t sec, usec; + krb5_timestamp sec; + int32_t usec; krb5_us_timeofday (context, &sec, &usec); @@ -277,30 +311,28 @@ krb5_get_forwarded_creds (krb5_context context, enc_krb_cred_part.usec = NULL; } - if (auth_context->local_address && auth_context->local_port) { - krb5_boolean noaddr; - krb5_const_realm realm; + if (auth_context->local_address && auth_context->local_port && paddrs) { - realm = krb5_principal_get_realm(context, out_creds->server); - krb5_appdefault_boolean(context, NULL, realm, "no-addresses", FALSE, - &noaddr); - if (!noaddr) { - ret = krb5_make_addrport (context, - &enc_krb_cred_part.s_address, - auth_context->local_address, - auth_context->local_port); - if (ret) - goto out4; - } + ret = krb5_make_addrport (context, + &enc_krb_cred_part.s_address, + auth_context->local_address, + auth_context->local_port); + if (ret) + goto out4; } if (auth_context->remote_address) { if (auth_context->remote_port) { krb5_boolean noaddr; - krb5_const_realm realm; - - realm = krb5_principal_get_realm(context, out_creds->server); - krb5_appdefault_boolean(context, NULL, realm, "no-addresses", + krb5_const_realm srealm; + + srealm = krb5_principal_get_realm(context, out_creds->server); + /* Is this correct, and should we use the paddrs == NULL + trick here as well? Having an address-less ticket may + indicate that we don't know our own global address, but + it does not necessary mean that we don't know the + server's. */ + krb5_appdefault_boolean(context, NULL, srealm, "no-addresses", FALSE, &noaddr); if (!noaddr) { ret = krb5_make_addrport (context, @@ -367,31 +399,46 @@ krb5_get_forwarded_creds (krb5_context context, if(buf_size != len) krb5_abortx(context, "internal error in ASN.1 encoder"); - if (auth_context->local_subkey) - key = auth_context->local_subkey; - else if (auth_context->remote_subkey) - key = auth_context->remote_subkey; - else - key = auth_context->keyblock; + /** + * Some older of the MIT gssapi library used clear-text tickets + * (warped inside AP-REQ encryption), use the krb5_auth_context + * flag KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED to support those + * tickets. The session key is used otherwise to encrypt the + * forwarded ticket. + */ - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret) { + if (auth_context->flags & KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED) { + cred.enc_part.etype = ENCTYPE_NULL; + cred.enc_part.kvno = NULL; + cred.enc_part.cipher.data = buf; + cred.enc_part.cipher.length = buf_size; + } else { + /* + * Here older versions then 0.7.2 of Heimdal used the local or + * remote subkey. That is wrong, the session key should be + * used. Heimdal 0.7.2 and newer have code to try both in the + * receiving end. + */ + + ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto); + if (ret) { + free(buf); + free_KRB_CRED(&cred); + return ret; + } + ret = krb5_encrypt_EncryptedData (context, + crypto, + KRB5_KU_KRB_CRED, + buf, + len, + 0, + &cred.enc_part); free(buf); - free_KRB_CRED(&cred); - return ret; - } - ret = krb5_encrypt_EncryptedData (context, - crypto, - KRB5_KU_KRB_CRED, - buf, - len, - 0, - &cred.enc_part); - free(buf); - krb5_crypto_destroy(context, crypto); - if (ret) { - free_KRB_CRED(&cred); - return ret; + krb5_crypto_destroy(context, crypto); + if (ret) { + free_KRB_CRED(&cred); + return ret; + } } ASN1_MALLOC_ENCODE(KRB_CRED, buf, buf_size, &cred, &len, ret); diff --git a/crypto/heimdal/lib/krb5/get_host_realm.c b/crypto/heimdal/lib/krb5/get_host_realm.c index f2b4280f8b8f..d709e4b38d17 100644 --- a/crypto/heimdal/lib/krb5/get_host_realm.c +++ b/crypto/heimdal/lib/krb5/get_host_realm.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -34,7 +34,7 @@ #include "krb5_locl.h" #include <resolve.h> -RCSID("$Id: get_host_realm.c,v 1.29 2002/08/28 13:36:57 nectar Exp $"); +RCSID("$Id: get_host_realm.c 18541 2006-10-17 19:28:36Z lha $"); /* To automagically find the correct realm of a host (without * [domain_realm] in krb5.conf) add a text record for your domain with @@ -94,30 +94,41 @@ dns_find_realm(krb5_context context, const char *domain, krb5_realm **realms) { - static char *default_labels[] = { "_kerberos", NULL }; + static const char *default_labels[] = { "_kerberos", NULL }; char dom[MAXHOSTNAMELEN]; struct dns_reply *r; - char **labels; + const char **labels; + char **config_labels; int i, ret; - labels = krb5_config_get_strings(context, NULL, "libdefaults", - "dns_lookup_realm_labels", NULL); - if(labels == NULL) + config_labels = krb5_config_get_strings(context, NULL, "libdefaults", + "dns_lookup_realm_labels", NULL); + if(config_labels != NULL) + labels = (const char **)config_labels; + else labels = default_labels; if(*domain == '.') domain++; for (i = 0; labels[i] != NULL; i++) { - if(snprintf(dom, sizeof(dom), "%s.%s.", labels[i], domain) >= - sizeof(dom)) + ret = snprintf(dom, sizeof(dom), "%s.%s.", labels[i], domain); + if(ret < 0 || ret >= sizeof(dom)) { + if (config_labels) + krb5_config_free_strings(config_labels); return -1; + } r = dns_lookup(dom, "TXT"); if(r != NULL) { ret = copy_txt_to_realms (r->head, realms); dns_free_data(r); - if(ret == 0) + if(ret == 0) { + if (config_labels) + krb5_config_free_strings(config_labels); return 0; + } } } + if (config_labels) + krb5_config_free_strings(config_labels); return -1; } @@ -149,11 +160,11 @@ config_find_realm(krb5_context context, * fall back to guessing */ -krb5_error_code -krb5_get_host_realm_int (krb5_context context, - const char *host, - krb5_boolean use_dns, - krb5_realm **realms) +krb5_error_code KRB5_LIB_FUNCTION +_krb5_get_host_realm_int (krb5_context context, + const char *host, + krb5_boolean use_dns, + krb5_realm **realms) { const char *p, *q; krb5_boolean dns_locate_enable; @@ -200,21 +211,47 @@ krb5_get_host_realm_int (krb5_context context, } /* - * Return the realm(s) of `host' as a NULL-terminated list in `realms'. + * Return the realm(s) of `host' as a NULL-terminated list in + * `realms'. Free `realms' with krb5_free_host_realm(). */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_host_realm(krb5_context context, - const char *host, + const char *targethost, krb5_realm **realms) { + const char *host = targethost; char hostname[MAXHOSTNAMELEN]; + krb5_error_code ret; + int use_dns; if (host == NULL) { - if (gethostname (hostname, sizeof(hostname))) + if (gethostname (hostname, sizeof(hostname))) { + *realms = NULL; return errno; + } host = hostname; } - return krb5_get_host_realm_int (context, host, 1, realms); + /* + * If our local hostname is without components, don't even try to dns. + */ + + use_dns = (strchr(host, '.') != NULL); + + ret = _krb5_get_host_realm_int (context, host, use_dns, realms); + if (ret && targethost != NULL) { + /* + * If there was no realm mapping for the host (and we wasn't + * looking for ourself), guess at the local realm, maybe our + * KDC knows better then we do and we get a referral back. + */ + ret = krb5_get_default_realms(context, realms); + if (ret) { + krb5_set_error_string(context, "Unable to find realm of host %s", + host); + return KRB5_ERR_HOST_REALM_UNKNOWN; + } + } + return ret; } diff --git a/crypto/heimdal/lib/krb5/get_in_tkt.c b/crypto/heimdal/lib/krb5/get_in_tkt.c index 88943e7e0fc9..ffd4ca2b04e4 100644 --- a/crypto/heimdal/lib/krb5/get_in_tkt.c +++ b/crypto/heimdal/lib/krb5/get_in_tkt.c @@ -33,9 +33,9 @@ #include "krb5_locl.h" -RCSID("$Id: get_in_tkt.c,v 1.107.2.1 2003/09/18 21:00:09 lha Exp $"); +RCSID("$Id: get_in_tkt.c 20226 2007-02-16 03:31:50Z lha $"); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_init_etype (krb5_context context, unsigned *len, krb5_enctype **val, @@ -125,26 +125,27 @@ _krb5_extract_ticket(krb5_context context, krb5_key_usage key_usage, krb5_addresses *addrs, unsigned nonce, - krb5_boolean allow_server_mismatch, - krb5_boolean ignore_cname, + unsigned flags, krb5_decrypt_proc decrypt_proc, krb5_const_pointer decryptarg) { krb5_error_code ret; krb5_principal tmp_principal; int tmp; + size_t len; time_t tmp_time; krb5_timestamp sec_now; - ret = principalname2krb5_principal (&tmp_principal, - rep->kdc_rep.cname, - rep->kdc_rep.crealm); + ret = _krb5_principalname2krb5_principal (context, + &tmp_principal, + rep->kdc_rep.cname, + rep->kdc_rep.crealm); if (ret) goto out; /* compare client */ - if (!ignore_cname) { + if((flags & EXTRACT_TICKET_ALLOW_CNAME_MISMATCH) == 0){ tmp = krb5_principal_compare (context, tmp_principal, creds->client); if (!tmp) { krb5_free_principal (context, tmp_principal); @@ -159,25 +160,29 @@ _krb5_extract_ticket(krb5_context context, /* extract ticket */ ASN1_MALLOC_ENCODE(Ticket, creds->ticket.data, creds->ticket.length, - &rep->kdc_rep.ticket, &creds->ticket.length, ret); + &rep->kdc_rep.ticket, &len, ret); if(ret) goto out; + if (creds->ticket.length != len) + krb5_abortx(context, "internal error in ASN.1 encoder"); creds->second_ticket.length = 0; creds->second_ticket.data = NULL; /* compare server */ - ret = principalname2krb5_principal (&tmp_principal, - rep->kdc_rep.ticket.sname, - rep->kdc_rep.ticket.realm); + ret = _krb5_principalname2krb5_principal (context, + &tmp_principal, + rep->kdc_rep.ticket.sname, + rep->kdc_rep.ticket.realm); if (ret) goto out; - if(allow_server_mismatch){ + if(flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH){ krb5_free_principal(context, creds->server); creds->server = tmp_principal; tmp_principal = NULL; - }else{ - tmp = krb5_principal_compare (context, tmp_principal, creds->server); + } else { + tmp = krb5_principal_compare (context, tmp_principal, + creds->server); krb5_free_principal (context, tmp_principal); if (!tmp) { ret = KRB5KRB_AP_ERR_MODIFIED; @@ -195,12 +200,19 @@ _krb5_extract_ticket(krb5_context context, if (ret) goto out; -#if 0 - /* XXX should this decode be here, or in the decrypt_proc? */ - ret = krb5_decode_keyblock(context, &rep->enc_part.key, 1); - if(ret) - goto out; -#endif + /* verify names */ + if(flags & EXTRACT_TICKET_MATCH_REALM){ + const char *srealm = krb5_principal_get_realm(context, creds->server); + const char *crealm = krb5_principal_get_realm(context, creds->client); + + if (strcmp(rep->enc_part.srealm, srealm) != 0 || + strcmp(rep->enc_part.srealm, crealm) != 0) + { + ret = KRB5KRB_AP_ERR_MODIFIED; + krb5_clear_error_string(context); + goto out; + } + } /* compare nonces */ @@ -310,12 +322,11 @@ make_pa_enc_timestamp(krb5_context context, PA_DATA *pa, size_t len; EncryptedData encdata; krb5_error_code ret; - int32_t sec, usec; + int32_t usec; int usec2; krb5_crypto crypto; - krb5_us_timeofday (context, &sec, &usec); - p.patimestamp = sec; + krb5_us_timeofday (context, &p.patimestamp, &usec); usec2 = usec; p.pausec = &usec2; @@ -407,7 +418,7 @@ add_padata(krb5_context context, static krb5_error_code init_as_req (krb5_context context, - krb5_kdc_flags opts, + KDCOptions opts, krb5_creds *creds, const krb5_addresses *addrs, const krb5_enctype *etypes, @@ -425,7 +436,7 @@ init_as_req (krb5_context context, a->pvno = 5; a->msg_type = krb_as_req; - a->req_body.kdc_options = opts.b; + a->req_body.kdc_options = opts; a->req_body.cname = malloc(sizeof(*a->req_body.cname)); if (a->req_body.cname == NULL) { ret = ENOMEM; @@ -438,10 +449,10 @@ init_as_req (krb5_context context, krb5_set_error_string(context, "malloc: out of memory"); goto fail; } - ret = krb5_principal2principalname (a->req_body.cname, creds->client); + ret = _krb5_principal2principalname (a->req_body.cname, creds->client); if (ret) goto fail; - ret = krb5_principal2principalname (a->req_body.sname, creds->server); + ret = _krb5_principal2principalname (a->req_body.sname, creds->server); if (ret) goto fail; ret = copy_Realm(&creds->client->realm, &a->req_body.realm); @@ -516,19 +527,12 @@ init_as_req (krb5_context context, krb5_set_error_string(context, "malloc: out of memory"); goto fail; } + a->padata->val = NULL; + a->padata->len = 0; for(i = 0; i < preauth->len; i++) { if(preauth->val[i].type == KRB5_PADATA_ENC_TIMESTAMP){ int j; - PA_DATA *tmp = realloc(a->padata->val, - (a->padata->len + - preauth->val[i].info.len) * - sizeof(*a->padata->val)); - if(tmp == NULL) { - ret = ENOMEM; - krb5_set_error_string(context, "malloc: out of memory"); - goto fail; - } - a->padata->val = tmp; + for(j = 0; j < preauth->val[i].info.len; j++) { krb5_salt *sp = &salt; if(preauth->val[i].info.val[j].salttype) @@ -591,7 +595,7 @@ fail: static int set_ptypes(krb5_context context, KRB_ERROR *error, - krb5_preauthtype **ptypes, + const krb5_preauthtype **ptypes, krb5_preauthdata **preauth) { static krb5_preauthdata preauth2; @@ -630,7 +634,7 @@ set_ptypes(krb5_context context, return(1); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_in_cred(krb5_context context, krb5_flags options, const krb5_addresses *addrs, @@ -652,14 +656,14 @@ krb5_get_in_cred(krb5_context context, krb5_salt salt; krb5_keyblock *key; size_t size; - krb5_kdc_flags opts; + KDCOptions opts; PA_DATA *pa; krb5_enctype etype; krb5_preauthdata *my_preauth = NULL; unsigned nonce; int done; - opts.i = options; + opts = int2KDCOptions(options); krb5_generate_random_block (&nonce, sizeof(nonce)); nonce &= 0xffffffff; @@ -680,6 +684,7 @@ krb5_get_in_cred(krb5_context context, if (my_preauth) { free_ETYPE_INFO(&my_preauth->val[0].info); free (my_preauth->val); + my_preauth = NULL; } if (ret) return ret; @@ -737,14 +742,14 @@ krb5_get_in_cred(krb5_context context, pa = NULL; etype = rep.kdc_rep.enc_part.etype; if(rep.kdc_rep.padata){ - int index = 0; + int i = 0; pa = krb5_find_padata(rep.kdc_rep.padata->val, rep.kdc_rep.padata->len, - KRB5_PADATA_PW_SALT, &index); + KRB5_PADATA_PW_SALT, &i); if(pa == NULL) { - index = 0; + i = 0; pa = krb5_find_padata(rep.kdc_rep.padata->val, rep.kdc_rep.padata->len, - KRB5_PADATA_AFS3_SALT, &index); + KRB5_PADATA_AFS3_SALT, &i); } } if(pa) { @@ -764,18 +769,23 @@ krb5_get_in_cred(krb5_context context, if (ret) goto out; - ret = _krb5_extract_ticket(context, - &rep, - creds, - key, - keyseed, - KRB5_KU_AS_REP_ENC_PART, - NULL, - nonce, - FALSE, - opts.b.request_anonymous, - decrypt_proc, - decryptarg); + { + unsigned flags = 0; + if (opts.request_anonymous) + flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH; + + ret = _krb5_extract_ticket(context, + &rep, + creds, + key, + keyseed, + KRB5_KU_AS_REP_ENC_PART, + NULL, + nonce, + flags, + decrypt_proc, + decryptarg); + } memset (key->keyvalue.data, 0, key->keyvalue.length); krb5_free_keyblock_contents (context, key); free (key); @@ -788,7 +798,7 @@ out: return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_in_tkt(krb5_context context, krb5_flags options, const krb5_addresses *addrs, @@ -803,12 +813,9 @@ krb5_get_in_tkt(krb5_context context, krb5_kdc_rep *ret_as_reply) { krb5_error_code ret; - krb5_kdc_flags opts; - opts.i = 0; - opts.b = int2KDCOptions(options); ret = krb5_get_in_cred (context, - opts.i, + options, addrs, etypes, ptypes, diff --git a/crypto/heimdal/lib/krb5/get_in_tkt_pw.c b/crypto/heimdal/lib/krb5/get_in_tkt_pw.c index a4f5c80134e5..21b27c61b47e 100644 --- a/crypto/heimdal/lib/krb5/get_in_tkt_pw.c +++ b/crypto/heimdal/lib/krb5/get_in_tkt_pw.c @@ -33,9 +33,9 @@ #include "krb5_locl.h" -RCSID("$Id: get_in_tkt_pw.c,v 1.16 2001/05/14 06:14:48 assar Exp $"); +RCSID("$Id: get_in_tkt_pw.c 13863 2004-05-25 21:46:46Z lha $"); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_password_key_proc (krb5_context context, krb5_enctype type, krb5_salt salt, @@ -52,7 +52,7 @@ krb5_password_key_proc (krb5_context context, return ENOMEM; } if (password == NULL) { - if(des_read_pw_string (buf, sizeof(buf), "Password: ", 0)) { + if(UI_UTIL_read_pw_string (buf, sizeof(buf), "Password: ", 0)) { free (*key); krb5_clear_error_string(context); return KRB5_LIBOS_PWDINTR; @@ -64,7 +64,7 @@ krb5_password_key_proc (krb5_context context, return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_in_tkt_with_password (krb5_context context, krb5_flags options, krb5_addresses *addrs, diff --git a/crypto/heimdal/lib/krb5/get_in_tkt_with_keytab.c b/crypto/heimdal/lib/krb5/get_in_tkt_with_keytab.c index c5feee4581ef..52f95c4bc45e 100644 --- a/crypto/heimdal/lib/krb5/get_in_tkt_with_keytab.c +++ b/crypto/heimdal/lib/krb5/get_in_tkt_with_keytab.c @@ -33,16 +33,16 @@ #include "krb5_locl.h" -RCSID("$Id: get_in_tkt_with_keytab.c,v 1.6 2001/05/14 06:14:48 assar Exp $"); +RCSID("$Id: get_in_tkt_with_keytab.c 15477 2005-06-17 04:56:44Z lha $"); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_keytab_key_proc (krb5_context context, krb5_enctype enctype, krb5_salt salt, krb5_const_pointer keyseed, krb5_keyblock **key) { - krb5_keytab_key_proc_args *args = (krb5_keytab_key_proc_args *)keyseed; + krb5_keytab_key_proc_args *args = rk_UNCONST(keyseed); krb5_keytab keytab = args->keytab; krb5_principal principal = args->principal; krb5_error_code ret; @@ -68,7 +68,7 @@ krb5_keytab_key_proc (krb5_context context, return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_in_tkt_with_keytab (krb5_context context, krb5_flags options, krb5_addresses *addrs, @@ -79,16 +79,10 @@ krb5_get_in_tkt_with_keytab (krb5_context context, krb5_creds *creds, krb5_kdc_rep *ret_as_reply) { - krb5_keytab_key_proc_args *a; + krb5_keytab_key_proc_args a; - a = malloc(sizeof(*a)); - if (a == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; - } - - a->principal = creds->client; - a->keytab = keytab; + a.principal = creds->client; + a.keytab = keytab; return krb5_get_in_tkt (context, options, @@ -96,7 +90,7 @@ krb5_get_in_tkt_with_keytab (krb5_context context, etypes, pre_auth_types, krb5_keytab_key_proc, - a, + &a, NULL, NULL, creds, diff --git a/crypto/heimdal/lib/krb5/get_in_tkt_with_skey.c b/crypto/heimdal/lib/krb5/get_in_tkt_with_skey.c index 773d36175812..1936fa166458 100644 --- a/crypto/heimdal/lib/krb5/get_in_tkt_with_skey.c +++ b/crypto/heimdal/lib/krb5/get_in_tkt_with_skey.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: get_in_tkt_with_skey.c,v 1.3 1999/12/02 17:05:10 joda Exp $"); +RCSID("$Id: get_in_tkt_with_skey.c 13863 2004-05-25 21:46:46Z lha $"); static krb5_error_code krb5_skey_key_proc (krb5_context context, @@ -45,7 +45,7 @@ krb5_skey_key_proc (krb5_context context, return krb5_copy_keyblock (context, keyseed, key); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_in_tkt_with_skey (krb5_context context, krb5_flags options, krb5_addresses *addrs, diff --git a/crypto/heimdal/lib/krb5/get_port.c b/crypto/heimdal/lib/krb5/get_port.c index 6c517414bc0d..85587ea76620 100644 --- a/crypto/heimdal/lib/krb5/get_port.c +++ b/crypto/heimdal/lib/krb5/get_port.c @@ -33,9 +33,9 @@ #include <krb5_locl.h> -RCSID("$Id: get_port.c,v 1.8 2001/01/27 19:24:34 joda Exp $"); +RCSID("$Id: get_port.c 13863 2004-05-25 21:46:46Z lha $"); -int +int KRB5_LIB_FUNCTION krb5_getportbyname (krb5_context context, const char *service, const char *proto, diff --git a/crypto/heimdal/lib/krb5/heim_err.et b/crypto/heimdal/lib/krb5/heim_err.et index 67642a53db55..1b8ab49bc11e 100644 --- a/crypto/heimdal/lib/krb5/heim_err.et +++ b/crypto/heimdal/lib/krb5/heim_err.et @@ -3,7 +3,7 @@ # # This might look like a com_err file, but is not # -id "$Id: heim_err.et,v 1.12 2001/06/21 03:51:36 assar Exp $" +id "$Id: heim_err.et 13352 2004-02-13 16:23:40Z lha $" error_table heim @@ -18,6 +18,14 @@ error_code EOF, "End of file" error_code BAD_MKEY, "Failed to get the master key" error_code SERVICE_NOMATCH, "Unacceptable service used" +index 64 +prefix HEIM_PKINIT +error_code NO_CERTIFICATE, "Certificate missing" +error_code NO_PRIVATE_KEY, "Private key missing" +error_code NO_VALID_CA, "No valid certificate authority" +error_code CERTIFICATE_INVALID, "Certificate invalid" +error_code PRIVATE_KEY_INVALID, "Private key invalid" + index 128 prefix HEIM_EAI #error_code NOERROR, "no error" diff --git a/crypto/heimdal/lib/krb5/heim_threads.h b/crypto/heimdal/lib/krb5/heim_threads.h new file mode 100644 index 000000000000..3c27d13d81b9 --- /dev/null +++ b/crypto/heimdal/lib/krb5/heim_threads.h @@ -0,0 +1,175 @@ +/* + * Copyright (c) 2003 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* $Id: heim_threads.h 14409 2004-12-18 16:03:38Z lha $ */ + +/* + * Provide wrapper macros for thread synchronization primitives so we + * can use native thread functions for those operating system that + * supports it. + * + * This is so libkrb5.so (or more importantly, libgssapi.so) can have + * thread support while the program that that dlopen(3)s the library + * don't need to be linked to libpthread. + */ + +#ifndef HEIM_THREADS_H +#define HEIM_THREADS_H 1 + +/* assume headers already included */ + +#if defined(__NetBSD__) && __NetBSD_Version__ >= 106120000 && __NetBSD_Version__< 299001200 && defined(ENABLE_PTHREAD_SUPPORT) + +/* + * NetBSD have a thread lib that we can use that part of libc that + * works regardless if application are linked to pthreads or not. + * NetBSD newer then 2.99.11 just use pthread.h, and the same thing + * will happen. + */ +#include <threadlib.h> + +#define HEIMDAL_MUTEX mutex_t +#define HEIMDAL_MUTEX_INITIALIZER MUTEX_INITIALIZER +#define HEIMDAL_MUTEX_init(m) mutex_init(m, NULL) +#define HEIMDAL_MUTEX_lock(m) mutex_lock(m) +#define HEIMDAL_MUTEX_unlock(m) mutex_unlock(m) +#define HEIMDAL_MUTEX_destroy(m) mutex_destroy(m) + +#define HEIMDAL_RWLOCK rwlock_t +#define HEIMDAL_RWLOCK_INITIALIZER RWLOCK_INITIALIZER +#define HEIMDAL_RWLOCK_init(l) rwlock_init(l, NULL) +#define HEIMDAL_RWLOCK_rdlock(l) rwlock_rdlock(l) +#define HEIMDAL_RWLOCK_wrlock(l) rwlock_wrlock(l) +#define HEIMDAL_RWLOCK_tryrdlock(l) rwlock_tryrdlock(l) +#define HEIMDAL_RWLOCK_trywrlock(l) rwlock_trywrlock(l) +#define HEIMDAL_RWLOCK_unlock(l) rwlock_unlock(l) +#define HEIMDAL_RWLOCK_destroy(l) rwlock_destroy(l) + +#define HEIMDAL_thread_key thread_key_t +#define HEIMDAL_key_create(k,d,r) do { r = thr_keycreate(k,d); } while(0) +#define HEIMDAL_setspecific(k,s,r) do { r = thr_setspecific(k,s); } while(0) +#define HEIMDAL_getspecific(k) thr_getspecific(k) +#define HEIMDAL_key_delete(k) thr_keydelete(k) + +#elif defined(ENABLE_PTHREAD_SUPPORT) && (!defined(__NetBSD__) || __NetBSD_Version__ >= 299001200) + +#include <pthread.h> + +#define HEIMDAL_MUTEX pthread_mutex_t +#define HEIMDAL_MUTEX_INITIALIZER PTHREAD_MUTEX_INITIALIZER +#define HEIMDAL_MUTEX_init(m) pthread_mutex_init(m, NULL) +#define HEIMDAL_MUTEX_lock(m) pthread_mutex_lock(m) +#define HEIMDAL_MUTEX_unlock(m) pthread_mutex_unlock(m) +#define HEIMDAL_MUTEX_destroy(m) pthread_mutex_destroy(m) + +#define HEIMDAL_RWLOCK rwlock_t +#define HEIMDAL_RWLOCK_INITIALIZER RWLOCK_INITIALIZER +#define HEIMDAL_RWLOCK_init(l) pthread_rwlock_init(l, NULL) +#define HEIMDAL_RWLOCK_rdlock(l) pthread_rwlock_rdlock(l) +#define HEIMDAL_RWLOCK_wrlock(l) pthread_rwlock_wrlock(l) +#define HEIMDAL_RWLOCK_tryrdlock(l) pthread_rwlock_tryrdlock(l) +#define HEIMDAL_RWLOCK_trywrlock(l) pthread_rwlock_trywrlock(l) +#define HEIMDAL_RWLOCK_unlock(l) pthread_rwlock_unlock(l) +#define HEIMDAL_RWLOCK_destroy(l) pthread_rwlock_destroy(l) + +#define HEIMDAL_thread_key pthread_key_t +#define HEIMDAL_key_create(k,d,r) do { r = pthread_key_create(k,d); } while(0) +#define HEIMDAL_setspecific(k,s,r) do { r = pthread_setspecific(k,s); } while(0) +#define HEIMDAL_getspecific(k) pthread_getspecific(k) +#define HEIMDAL_key_delete(k) pthread_key_delete(k) + +#elif defined(HEIMDAL_DEBUG_THREADS) + +/* no threads support, just do consistency checks */ +#include <stdlib.h> + +#define HEIMDAL_MUTEX int +#define HEIMDAL_MUTEX_INITIALIZER 0 +#define HEIMDAL_MUTEX_init(m) do { (*(m)) = 0; } while(0) +#define HEIMDAL_MUTEX_lock(m) do { if ((*(m))++ != 0) abort(); } while(0) +#define HEIMDAL_MUTEX_unlock(m) do { if ((*(m))-- != 1) abort(); } while(0) +#define HEIMDAL_MUTEX_destroy(m) do {if ((*(m)) != 0) abort(); } while(0) + +#define HEIMDAL_RWLOCK rwlock_t int +#define HEIMDAL_RWLOCK_INITIALIZER 0 +#define HEIMDAL_RWLOCK_init(l) do { } while(0) +#define HEIMDAL_RWLOCK_rdlock(l) do { } while(0) +#define HEIMDAL_RWLOCK_wrlock(l) do { } while(0) +#define HEIMDAL_RWLOCK_tryrdlock(l) do { } while(0) +#define HEIMDAL_RWLOCK_trywrlock(l) do { } while(0) +#define HEIMDAL_RWLOCK_unlock(l) do { } while(0) +#define HEIMDAL_RWLOCK_destroy(l) do { } while(0) + +#define HEIMDAL_internal_thread_key 1 + +#else /* no thread support, no debug case */ + +#define HEIMDAL_MUTEX int +#define HEIMDAL_MUTEX_INITIALIZER 0 +#define HEIMDAL_MUTEX_init(m) do { (void)(m); } while(0) +#define HEIMDAL_MUTEX_lock(m) do { (void)(m); } while(0) +#define HEIMDAL_MUTEX_unlock(m) do { (void)(m); } while(0) +#define HEIMDAL_MUTEX_destroy(m) do { (void)(m); } while(0) + +#define HEIMDAL_RWLOCK rwlock_t int +#define HEIMDAL_RWLOCK_INITIALIZER 0 +#define HEIMDAL_RWLOCK_init(l) do { } while(0) +#define HEIMDAL_RWLOCK_rdlock(l) do { } while(0) +#define HEIMDAL_RWLOCK_wrlock(l) do { } while(0) +#define HEIMDAL_RWLOCK_tryrdlock(l) do { } while(0) +#define HEIMDAL_RWLOCK_trywrlock(l) do { } while(0) +#define HEIMDAL_RWLOCK_unlock(l) do { } while(0) +#define HEIMDAL_RWLOCK_destroy(l) do { } while(0) + +#define HEIMDAL_internal_thread_key 1 + +#endif /* no thread support */ + +#ifdef HEIMDAL_internal_thread_key + +typedef struct heim_thread_key { + void *value; + void (*destructor)(void *); +} heim_thread_key; + +#define HEIMDAL_thread_key heim_thread_key +#define HEIMDAL_key_create(k,d,r) \ + do { (k)->value = NULL; (k)->destructor = (d); r = 0; } while(0) +#define HEIMDAL_setspecific(k,s,r) do { (k).value = s ; r = 0; } while(0) +#define HEIMDAL_getspecific(k) ((k).value) +#define HEIMDAL_key_delete(k) do { (*(k).destructor)((k).value); } while(0) + +#undef HEIMDAL_internal_thread_key +#endif /* HEIMDAL_internal_thread_key */ + +#endif /* HEIM_THREADS_H */ diff --git a/crypto/heimdal/lib/krb5/init_creds.c b/crypto/heimdal/lib/krb5/init_creds.c index 6f9300596ec2..a59c903bd9e1 100644 --- a/crypto/heimdal/lib/krb5/init_creds.c +++ b/crypto/heimdal/lib/krb5/init_creds.c @@ -1,45 +1,149 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ #include "krb5_locl.h" -RCSID("$Id: init_creds.c,v 1.9 2001/07/03 18:42:07 assar Exp $"); +RCSID("$Id: init_creds.c 21711 2007-07-27 14:22:02Z lha $"); -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt) { memset (opt, 0, sizeof(*opt)); opt->flags = 0; + opt->opt_private = NULL; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_alloc(krb5_context context, + krb5_get_init_creds_opt **opt) +{ + krb5_get_init_creds_opt *o; + + *opt = NULL; + o = calloc(1, sizeof(*o)); + if (o == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + krb5_get_init_creds_opt_init(o); + o->opt_private = calloc(1, sizeof(*o->opt_private)); + if (o->opt_private == NULL) { + krb5_set_error_string(context, "out of memory"); + free(o); + return ENOMEM; + } + o->opt_private->refcount = 1; + *opt = o; + return 0; +} + +krb5_error_code +_krb5_get_init_creds_opt_copy(krb5_context context, + const krb5_get_init_creds_opt *in, + krb5_get_init_creds_opt **out) +{ + krb5_get_init_creds_opt *opt; + + *out = NULL; + opt = calloc(1, sizeof(*opt)); + if (opt == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + if (in) + *opt = *in; + if(opt->opt_private == NULL) { + opt->opt_private = calloc(1, sizeof(*opt->opt_private)); + if (opt->opt_private == NULL) { + krb5_set_error_string(context, "out of memory"); + free(opt); + return ENOMEM; + } + opt->opt_private->refcount = 1; + } else + opt->opt_private->refcount++; + *out = opt; + return 0; +} + +void KRB5_LIB_FUNCTION +_krb5_get_init_creds_opt_free_krb5_error(krb5_get_init_creds_opt *opt) +{ + if (opt->opt_private == NULL || opt->opt_private->error == NULL) + return; + free_KRB_ERROR(opt->opt_private->error); + free(opt->opt_private->error); + opt->opt_private->error = NULL; +} + +void KRB5_LIB_FUNCTION +_krb5_get_init_creds_opt_set_krb5_error(krb5_context context, + krb5_get_init_creds_opt *opt, + const KRB_ERROR *error) +{ + krb5_error_code ret; + + if (opt->opt_private == NULL) + return; + + _krb5_get_init_creds_opt_free_krb5_error(opt); + + opt->opt_private->error = malloc(sizeof(*opt->opt_private->error)); + if (opt->opt_private->error == NULL) + return; + ret = copy_KRB_ERROR(error, opt->opt_private->error); + if (ret) { + free(opt->opt_private->error); + opt->opt_private->error = NULL; + } +} + + +void KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_free(krb5_context context, + krb5_get_init_creds_opt *opt) +{ + if (opt == NULL || opt->opt_private == NULL) + return; + if (opt->opt_private->refcount < 1) /* abort ? */ + return; + if (--opt->opt_private->refcount == 0) { + _krb5_get_init_creds_opt_free_krb5_error(opt); + _krb5_get_init_creds_opt_free_pkinit(opt); + free(opt->opt_private); + } + memset(opt, 0, sizeof(*opt)); + free(opt); } static int @@ -91,11 +195,9 @@ get_config_bool (krb5_context context, * [realms] or [libdefaults] for some of the values. */ -static krb5_addresses no_addrs = {0, NULL}; - -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_default_flags(krb5_context context, - const char *appname, + const char *appname, krb5_const_realm realm, krb5_get_init_creds_opt *opt) { @@ -115,22 +217,22 @@ krb5_get_init_creds_opt_set_default_flags(krb5_context context, t = get_config_time (context, realm, "ticket_lifetime", 0); if(t != 0) krb5_get_init_creds_opt_set_tkt_life(opt, t); - + krb5_appdefault_time(context, appname, realm, "renew_lifetime", 0, &t); if (t == 0) t = get_config_time (context, realm, "renew_lifetime", 0); if(t != 0) krb5_get_init_creds_opt_set_renew_life(opt, t); - krb5_appdefault_boolean(context, appname, realm, "no-addresses", FALSE, &b); - if (b) - krb5_get_init_creds_opt_set_address_list (opt, &no_addrs); + krb5_appdefault_boolean(context, appname, realm, "no-addresses", + KRB5_ADDRESSLESS_DEFAULT, &b); + krb5_get_init_creds_opt_set_addressless (context, opt, b); #if 0 krb5_appdefault_boolean(context, appname, realm, "anonymous", FALSE, &b); krb5_get_init_creds_opt_set_anonymous (opt, b); - krb5_get_init_creds_opt_set_etype_list(opt, enctype, + krb5_get_init_creds_opt_set_etype_list(opt, enctype, etype_str.num_strings); krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt, @@ -143,7 +245,7 @@ krb5_get_init_creds_opt_set_default_flags(krb5_context context, } -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt, krb5_deltat tkt_life) { @@ -151,7 +253,7 @@ krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt, opt->tkt_life = tkt_life; } -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt, krb5_deltat renew_life) { @@ -159,7 +261,7 @@ krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt, opt->renew_life = renew_life; } -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt, int forwardable) { @@ -167,7 +269,7 @@ krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt, opt->forwardable = forwardable; } -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt, int proxiable) { @@ -175,7 +277,7 @@ krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt, opt->proxiable = proxiable; } -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt, krb5_enctype *etype_list, int etype_list_length) @@ -185,7 +287,7 @@ krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt, opt->etype_list_length = etype_list_length; } -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt, krb5_addresses *addresses) { @@ -193,7 +295,7 @@ krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt, opt->address_list = addresses; } -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt, krb5_preauthtype *preauth_list, int preauth_list_length) @@ -203,7 +305,7 @@ krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt, opt->preauth_list = preauth_list; } -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt, krb5_data *salt) { @@ -211,10 +313,130 @@ krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt, opt->salt = salt; } -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_anonymous(krb5_get_init_creds_opt *opt, int anonymous) { opt->flags |= KRB5_GET_INIT_CREDS_OPT_ANONYMOUS; opt->anonymous = anonymous; } + +static krb5_error_code +require_ext_opt(krb5_context context, + krb5_get_init_creds_opt *opt, + const char *type) +{ + if (opt->opt_private == NULL) { + krb5_set_error_string(context, "%s on non extendable opt", type); + return EINVAL; + } + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_set_pa_password(krb5_context context, + krb5_get_init_creds_opt *opt, + const char *password, + krb5_s2k_proc key_proc) +{ + krb5_error_code ret; + ret = require_ext_opt(context, opt, "init_creds_opt_set_pa_password"); + if (ret) + return ret; + opt->opt_private->password = password; + opt->opt_private->key_proc = key_proc; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_set_pac_request(krb5_context context, + krb5_get_init_creds_opt *opt, + krb5_boolean req_pac) +{ + krb5_error_code ret; + ret = require_ext_opt(context, opt, "init_creds_opt_set_pac_req"); + if (ret) + return ret; + opt->opt_private->req_pac = req_pac ? + KRB5_INIT_CREDS_TRISTATE_TRUE : + KRB5_INIT_CREDS_TRISTATE_FALSE; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_get_error(krb5_context context, + krb5_get_init_creds_opt *opt, + KRB_ERROR **error) +{ + krb5_error_code ret; + + *error = NULL; + + ret = require_ext_opt(context, opt, "init_creds_opt_get_error"); + if (ret) + return ret; + + if (opt->opt_private->error == NULL) + return 0; + + *error = malloc(sizeof(**error)); + if (*error == NULL) { + krb5_set_error_string(context, "malloc - out memory"); + return ENOMEM; + } + + ret = copy_KRB_ERROR(opt->opt_private->error, *error); + if (ret) + krb5_clear_error_string(context); + + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_set_addressless(krb5_context context, + krb5_get_init_creds_opt *opt, + krb5_boolean addressless) +{ + krb5_error_code ret; + ret = require_ext_opt(context, opt, "init_creds_opt_set_pac_req"); + if (ret) + return ret; + if (addressless) + opt->opt_private->addressless = KRB5_INIT_CREDS_TRISTATE_TRUE; + else + opt->opt_private->addressless = KRB5_INIT_CREDS_TRISTATE_FALSE; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_set_canonicalize(krb5_context context, + krb5_get_init_creds_opt *opt, + krb5_boolean req) +{ + krb5_error_code ret; + ret = require_ext_opt(context, opt, "init_creds_opt_set_canonicalize"); + if (ret) + return ret; + if (req) + opt->opt_private->flags |= KRB5_INIT_CREDS_CANONICALIZE; + else + opt->opt_private->flags &= ~KRB5_INIT_CREDS_CANONICALIZE; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_set_win2k(krb5_context context, + krb5_get_init_creds_opt *opt, + krb5_boolean req) +{ + krb5_error_code ret; + ret = require_ext_opt(context, opt, "init_creds_opt_set_win2k"); + if (ret) + return ret; + if (req) + opt->opt_private->flags |= KRB5_INIT_CREDS_NO_C_CANON_CHECK; + else + opt->opt_private->flags &= ~KRB5_INIT_CREDS_NO_C_CANON_CHECK; + return 0; +} + diff --git a/crypto/heimdal/lib/krb5/init_creds_pw.c b/crypto/heimdal/lib/krb5/init_creds_pw.c index e54e7c4f2df8..441adff8fdf9 100644 --- a/crypto/heimdal/lib/krb5/init_creds_pw.c +++ b/crypto/heimdal/lib/krb5/init_creds_pw.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,70 @@ #include "krb5_locl.h" -RCSID("$Id: init_creds_pw.c,v 1.55.2.1 2004/08/30 23:21:07 lha Exp $"); +RCSID("$Id: init_creds_pw.c 21931 2007-08-27 14:11:55Z lha $"); + +typedef struct krb5_get_init_creds_ctx { + KDCOptions flags; + krb5_creds cred; + krb5_addresses *addrs; + krb5_enctype *etypes; + krb5_preauthtype *pre_auth_types; + const char *in_tkt_service; + unsigned nonce; + unsigned pk_nonce; + + krb5_data req_buffer; + AS_REQ as_req; + int pa_counter; + + const char *password; + krb5_s2k_proc key_proc; + + krb5_get_init_creds_tristate req_pac; + + krb5_pk_init_ctx pk_init_ctx; + int ic_flags; +} krb5_get_init_creds_ctx; + +static krb5_error_code +default_s2k_func(krb5_context context, krb5_enctype type, + krb5_const_pointer keyseed, + krb5_salt salt, krb5_data *s2kparms, + krb5_keyblock **key) +{ + krb5_error_code ret; + krb5_data password; + krb5_data opaque; + + password.data = rk_UNCONST(keyseed); + password.length = strlen(keyseed); + if (s2kparms) + opaque = *s2kparms; + else + krb5_data_zero(&opaque); + + *key = malloc(sizeof(**key)); + if (*key == NULL) + return ENOMEM; + ret = krb5_string_to_key_data_salt_opaque(context, type, password, + salt, opaque, *key); + if (ret) { + free(*key); + *key = NULL; + } + return ret; +} + +static void +free_init_creds_ctx(krb5_context context, krb5_get_init_creds_ctx *ctx) +{ + if (ctx->etypes) + free(ctx->etypes); + if (ctx->pre_auth_types) + free (ctx->pre_auth_types); + free_AS_REQ(&ctx->as_req); + memset(&ctx->as_req, 0, sizeof(ctx->as_req)); +} static int get_config_time (krb5_context context, @@ -68,7 +131,7 @@ init_cred (krb5_context context, krb5_get_init_creds_opt *options) { krb5_error_code ret; - krb5_realm *client_realm; + krb5_const_realm client_realm; int tmp; krb5_timestamp now; @@ -85,7 +148,7 @@ init_cred (krb5_context context, goto out; } - client_realm = krb5_princ_realm (context, cred->client); + client_realm = krb5_principal_get_realm (context, cred->client); if (start_time) cred->times.starttime = now + start_time; @@ -107,12 +170,12 @@ init_cred (krb5_context context, ret = krb5_parse_name (context, in_tkt_service, &cred->server); if (ret) goto out; - server_realm = strdup (*client_realm); + server_realm = strdup (client_realm); free (*krb5_princ_realm(context, cred->server)); krb5_princ_set_realm (context, cred->server, &server_realm); } else { ret = krb5_make_principal(context, &cred->server, - *client_realm, KRB5_TGS_NAME, *client_realm, + client_realm, KRB5_TGS_NAME, client_realm, NULL); if (ret) goto out; @@ -120,7 +183,7 @@ init_cred (krb5_context context, return 0; out: - krb5_free_creds_contents (context, cred); + krb5_free_cred_contents (context, cred); return ret; } @@ -133,11 +196,11 @@ report_expiration (krb5_context context, krb5_prompter_fct prompter, krb5_data *data, const char *str, - time_t time) + time_t now) { char *p; - asprintf (&p, "%s%s", str, ctime(&time)); + asprintf (&p, "%s%s", str, ctime(&now)); (*prompter) (context, data, NULL, p, 0, NULL); free (p); } @@ -148,7 +211,7 @@ report_expiration (krb5_context context, static void print_expire (krb5_context context, - krb5_realm *realm, + krb5_const_realm realm, krb5_kdc_rep *rep, krb5_prompter_fct prompter, krb5_data *data) @@ -162,7 +225,7 @@ print_expire (krb5_context context, krb5_timeofday (context, &sec); t = sec + get_config_time (context, - *realm, + realm, "warn_pwexpire", 7 * 24 * 60 * 60); @@ -194,75 +257,113 @@ print_expire (krb5_context context, } } +static krb5_addresses no_addrs = { 0, NULL }; + static krb5_error_code get_init_creds_common(krb5_context context, - krb5_creds *creds, krb5_principal client, krb5_deltat start_time, const char *in_tkt_service, krb5_get_init_creds_opt *options, - krb5_addresses **addrs, - krb5_enctype **etypes, - krb5_creds *cred, - krb5_preauthtype **pre_auth_types, - krb5_kdc_flags *flags) + krb5_get_init_creds_ctx *ctx) { - krb5_error_code ret; - krb5_realm *client_realm; krb5_get_init_creds_opt default_opt; + krb5_error_code ret; + krb5_enctype *etypes; + krb5_preauthtype *pre_auth_types; + + memset(ctx, 0, sizeof(*ctx)); if (options == NULL) { krb5_get_init_creds_opt_init (&default_opt); options = &default_opt; + } else { + _krb5_get_init_creds_opt_free_krb5_error(options); } - ret = init_cred (context, cred, client, start_time, + if (options->opt_private) { + ctx->password = options->opt_private->password; + ctx->key_proc = options->opt_private->key_proc; + ctx->req_pac = options->opt_private->req_pac; + ctx->pk_init_ctx = options->opt_private->pk_init_ctx; + ctx->ic_flags = options->opt_private->flags; + } else + ctx->req_pac = KRB5_INIT_CREDS_TRISTATE_UNSET; + + if (ctx->key_proc == NULL) + ctx->key_proc = default_s2k_func; + + if (ctx->ic_flags & KRB5_INIT_CREDS_CANONICALIZE) + ctx->flags.canonicalize = 1; + + ctx->pre_auth_types = NULL; + ctx->addrs = NULL; + ctx->etypes = NULL; + ctx->pre_auth_types = NULL; + ctx->in_tkt_service = in_tkt_service; + + ret = init_cred (context, &ctx->cred, client, start_time, in_tkt_service, options); if (ret) return ret; - client_realm = krb5_princ_realm (context, cred->client); - - flags->i = 0; - if (options->flags & KRB5_GET_INIT_CREDS_OPT_FORWARDABLE) - flags->b.forwardable = options->forwardable; + ctx->flags.forwardable = options->forwardable; if (options->flags & KRB5_GET_INIT_CREDS_OPT_PROXIABLE) - flags->b.proxiable = options->proxiable; + ctx->flags.proxiable = options->proxiable; if (start_time) - flags->b.postdated = 1; - if (cred->times.renew_till) - flags->b.renewable = 1; - if (options->flags & KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST) - *addrs = options->address_list; + ctx->flags.postdated = 1; + if (ctx->cred.times.renew_till) + ctx->flags.renewable = 1; + if (options->flags & KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST) { + ctx->addrs = options->address_list; + } else if (options->opt_private) { + switch (options->opt_private->addressless) { + case KRB5_INIT_CREDS_TRISTATE_UNSET: +#if KRB5_ADDRESSLESS_DEFAULT == TRUE + ctx->addrs = &no_addrs; +#else + ctx->addrs = NULL; +#endif + break; + case KRB5_INIT_CREDS_TRISTATE_FALSE: + ctx->addrs = NULL; + break; + case KRB5_INIT_CREDS_TRISTATE_TRUE: + ctx->addrs = &no_addrs; + break; + } + } if (options->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST) { - *etypes = malloc((options->etype_list_length + 1) + etypes = malloc((options->etype_list_length + 1) * sizeof(krb5_enctype)); - if (*etypes == NULL) { + if (etypes == NULL) { krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; } - memcpy (*etypes, options->etype_list, + memcpy (etypes, options->etype_list, options->etype_list_length * sizeof(krb5_enctype)); - (*etypes)[options->etype_list_length] = ETYPE_NULL; + etypes[options->etype_list_length] = ETYPE_NULL; + ctx->etypes = etypes; } if (options->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST) { - *pre_auth_types = malloc((options->preauth_list_length + 1) - * sizeof(krb5_preauthtype)); - if (*pre_auth_types == NULL) { + pre_auth_types = malloc((options->preauth_list_length + 1) + * sizeof(krb5_preauthtype)); + if (pre_auth_types == NULL) { krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; } - memcpy (*pre_auth_types, options->preauth_list, + memcpy (pre_auth_types, options->preauth_list, options->preauth_list_length * sizeof(krb5_preauthtype)); - (*pre_auth_types)[options->preauth_list_length] = KRB5_PADATA_NONE; + pre_auth_types[options->preauth_list_length] = KRB5_PADATA_NONE; + ctx->pre_auth_types = pre_auth_types; } if (options->flags & KRB5_GET_INIT_CREDS_OPT_SALT) ; /* XXX */ if (options->flags & KRB5_GET_INIT_CREDS_OPT_ANONYMOUS) - flags->b.request_anonymous = options->anonymous; + ctx->flags.request_anonymous = options->anonymous; return 0; } @@ -293,7 +394,7 @@ change_password (krb5_context context, krb5_get_init_creds_opt_set_tkt_life (&options, 60); krb5_get_init_creds_opt_set_forwardable (&options, FALSE); krb5_get_init_creds_opt_set_proxiable (&options, FALSE); - if (old_options->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST) + if (old_options && old_options->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST) krb5_get_init_creds_opt_set_preauth_list (&options, old_options->preauth_list, old_options->preauth_list_length); @@ -355,7 +456,7 @@ change_password (krb5_context context, asprintf (&p, "%s: %.*s\n", result_code ? "Error" : "Success", (int)result_string.length, - (char*)result_string.data); + result_string.length > 0 ? (char*)result_string.data : ""); ret = (*prompter) (context, data, NULL, p, 0, NULL); free (p); @@ -372,81 +473,1012 @@ out: memset (buf2, 0, sizeof(buf2)); krb5_data_free (&result_string); krb5_data_free (&result_code_string); - krb5_free_creds_contents (context, &cpw_cred); + krb5_free_cred_contents (context, &cpw_cred); return ret; } -krb5_error_code -krb5_get_init_creds_password(krb5_context context, - krb5_creds *creds, - krb5_principal client, - const char *password, - krb5_prompter_fct prompter, - void *data, - krb5_deltat start_time, - const char *in_tkt_service, - krb5_get_init_creds_opt *options) +krb5_error_code KRB5_LIB_FUNCTION +krb5_keyblock_key_proc (krb5_context context, + krb5_keytype type, + krb5_data *salt, + krb5_const_pointer keyseed, + krb5_keyblock **key) { + return krb5_copy_keyblock (context, keyseed, key); +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_keytab(krb5_context context, + krb5_creds *creds, + krb5_principal client, + krb5_keytab keytab, + krb5_deltat start_time, + const char *in_tkt_service, + krb5_get_init_creds_opt *options) +{ + krb5_get_init_creds_ctx ctx; krb5_error_code ret; - krb5_kdc_flags flags; - krb5_addresses *addrs = NULL; - krb5_enctype *etypes = NULL; - krb5_preauthtype *pre_auth_types = NULL; - krb5_creds this_cred; - krb5_kdc_rep kdc_reply; - char buf[BUFSIZ]; - krb5_data password_data; - int done; + krb5_keytab_key_proc_args *a; + + ret = get_init_creds_common(context, client, start_time, + in_tkt_service, options, &ctx); + if (ret) + goto out; - memset(&kdc_reply, 0, sizeof(kdc_reply)); + a = malloc (sizeof(*a)); + if (a == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + ret = ENOMEM; + goto out; + } + a->principal = ctx.cred.client; + a->keytab = keytab; + + ret = krb5_get_in_cred (context, + KDCOptions2int(ctx.flags), + ctx.addrs, + ctx.etypes, + ctx.pre_auth_types, + NULL, + krb5_keytab_key_proc, + a, + NULL, + NULL, + &ctx.cred, + NULL); + free (a); + + if (ret == 0 && creds) + *creds = ctx.cred; + else + krb5_free_cred_contents (context, &ctx.cred); + + out: + free_init_creds_ctx(context, &ctx); + return ret; +} + +/* + * + */ + +static krb5_error_code +init_creds_init_as_req (krb5_context context, + KDCOptions opts, + const krb5_creds *creds, + const krb5_addresses *addrs, + const krb5_enctype *etypes, + AS_REQ *a) +{ + krb5_error_code ret; + + memset(a, 0, sizeof(*a)); + + a->pvno = 5; + a->msg_type = krb_as_req; + a->req_body.kdc_options = opts; + a->req_body.cname = malloc(sizeof(*a->req_body.cname)); + if (a->req_body.cname == NULL) { + ret = ENOMEM; + krb5_set_error_string(context, "malloc: out of memory"); + goto fail; + } + a->req_body.sname = malloc(sizeof(*a->req_body.sname)); + if (a->req_body.sname == NULL) { + ret = ENOMEM; + krb5_set_error_string(context, "malloc: out of memory"); + goto fail; + } + + ret = _krb5_principal2principalname (a->req_body.cname, creds->client); + if (ret) + goto fail; + ret = copy_Realm(&creds->client->realm, &a->req_body.realm); + if (ret) + goto fail; + + ret = _krb5_principal2principalname (a->req_body.sname, creds->server); + if (ret) + goto fail; + + if(creds->times.starttime) { + a->req_body.from = malloc(sizeof(*a->req_body.from)); + if (a->req_body.from == NULL) { + ret = ENOMEM; + krb5_set_error_string(context, "malloc: out of memory"); + goto fail; + } + *a->req_body.from = creds->times.starttime; + } + if(creds->times.endtime){ + ALLOC(a->req_body.till, 1); + *a->req_body.till = creds->times.endtime; + } + if(creds->times.renew_till){ + a->req_body.rtime = malloc(sizeof(*a->req_body.rtime)); + if (a->req_body.rtime == NULL) { + ret = ENOMEM; + krb5_set_error_string(context, "malloc: out of memory"); + goto fail; + } + *a->req_body.rtime = creds->times.renew_till; + } + a->req_body.nonce = 0; + ret = krb5_init_etype (context, + &a->req_body.etype.len, + &a->req_body.etype.val, + etypes); + if (ret) + goto fail; - ret = get_init_creds_common(context, creds, client, start_time, - in_tkt_service, options, - &addrs, &etypes, &this_cred, &pre_auth_types, - &flags); - if(ret) + /* + * This means no addresses + */ + + if (addrs && addrs->len == 0) { + a->req_body.addresses = NULL; + } else { + a->req_body.addresses = malloc(sizeof(*a->req_body.addresses)); + if (a->req_body.addresses == NULL) { + ret = ENOMEM; + krb5_set_error_string(context, "malloc: out of memory"); + goto fail; + } + + if (addrs) + ret = krb5_copy_addresses(context, addrs, a->req_body.addresses); + else { + ret = krb5_get_all_client_addrs (context, a->req_body.addresses); + if(ret == 0 && a->req_body.addresses->len == 0) { + free(a->req_body.addresses); + a->req_body.addresses = NULL; + } + } + if (ret) + goto fail; + } + + a->req_body.enc_authorization_data = NULL; + a->req_body.additional_tickets = NULL; + + a->padata = NULL; + + return 0; + fail: + free_AS_REQ(a); + memset(a, 0, sizeof(*a)); + return ret; +} + +struct pa_info_data { + krb5_enctype etype; + krb5_salt salt; + krb5_data *s2kparams; +}; + +static void +free_paid(krb5_context context, struct pa_info_data *ppaid) +{ + krb5_free_salt(context, ppaid->salt); + if (ppaid->s2kparams) + krb5_free_data(context, ppaid->s2kparams); +} + + +static krb5_error_code +set_paid(struct pa_info_data *paid, krb5_context context, + krb5_enctype etype, + krb5_salttype salttype, void *salt_string, size_t salt_len, + krb5_data *s2kparams) +{ + paid->etype = etype; + paid->salt.salttype = salttype; + paid->salt.saltvalue.data = malloc(salt_len + 1); + if (paid->salt.saltvalue.data == NULL) { + krb5_clear_error_string(context); + return ENOMEM; + } + memcpy(paid->salt.saltvalue.data, salt_string, salt_len); + ((char *)paid->salt.saltvalue.data)[salt_len] = '\0'; + paid->salt.saltvalue.length = salt_len; + if (s2kparams) { + krb5_error_code ret; + + ret = krb5_copy_data(context, s2kparams, &paid->s2kparams); + if (ret) { + krb5_clear_error_string(context); + krb5_free_salt(context, paid->salt); + return ret; + } + } else + paid->s2kparams = NULL; + + return 0; +} + +static struct pa_info_data * +pa_etype_info2(krb5_context context, + const krb5_principal client, + const AS_REQ *asreq, + struct pa_info_data *paid, + heim_octet_string *data) +{ + krb5_error_code ret; + ETYPE_INFO2 e; + size_t sz; + int i, j; + + memset(&e, 0, sizeof(e)); + ret = decode_ETYPE_INFO2(data->data, data->length, &e, &sz); + if (ret) goto out; + if (e.len == 0) + goto out; + for (j = 0; j < asreq->req_body.etype.len; j++) { + for (i = 0; i < e.len; i++) { + if (asreq->req_body.etype.val[j] == e.val[i].etype) { + krb5_salt salt; + if (e.val[i].salt == NULL) + ret = krb5_get_pw_salt(context, client, &salt); + else { + salt.saltvalue.data = *e.val[i].salt; + salt.saltvalue.length = strlen(*e.val[i].salt); + ret = 0; + } + if (ret == 0) + ret = set_paid(paid, context, e.val[i].etype, + KRB5_PW_SALT, + salt.saltvalue.data, + salt.saltvalue.length, + e.val[i].s2kparams); + if (e.val[i].salt == NULL) + krb5_free_salt(context, salt); + if (ret == 0) { + free_ETYPE_INFO2(&e); + return paid; + } + } + } + } + out: + free_ETYPE_INFO2(&e); + return NULL; +} - if (password == NULL) { - krb5_prompt prompt; - char *p, *q; +static struct pa_info_data * +pa_etype_info(krb5_context context, + const krb5_principal client, + const AS_REQ *asreq, + struct pa_info_data *paid, + heim_octet_string *data) +{ + krb5_error_code ret; + ETYPE_INFO e; + size_t sz; + int i, j; - krb5_unparse_name (context, this_cred.client, &p); - asprintf (&q, "%s's Password: ", p); - free (p); - prompt.prompt = q; - password_data.data = buf; - password_data.length = sizeof(buf); - prompt.hidden = 1; - prompt.reply = &password_data; - prompt.type = KRB5_PROMPT_TYPE_PASSWORD; + memset(&e, 0, sizeof(e)); + ret = decode_ETYPE_INFO(data->data, data->length, &e, &sz); + if (ret) + goto out; + if (e.len == 0) + goto out; + for (j = 0; j < asreq->req_body.etype.len; j++) { + for (i = 0; i < e.len; i++) { + if (asreq->req_body.etype.val[j] == e.val[i].etype) { + krb5_salt salt; + salt.salttype = KRB5_PW_SALT; + if (e.val[i].salt == NULL) + ret = krb5_get_pw_salt(context, client, &salt); + else { + salt.saltvalue = *e.val[i].salt; + ret = 0; + } + if (e.val[i].salttype) + salt.salttype = *e.val[i].salttype; + if (ret == 0) { + ret = set_paid(paid, context, e.val[i].etype, + salt.salttype, + salt.saltvalue.data, + salt.saltvalue.length, + NULL); + if (e.val[i].salt == NULL) + krb5_free_salt(context, salt); + } + if (ret == 0) { + free_ETYPE_INFO(&e); + return paid; + } + } + } + } + out: + free_ETYPE_INFO(&e); + return NULL; +} - ret = (*prompter) (context, data, NULL, NULL, 1, &prompt); - free (q); +static struct pa_info_data * +pa_pw_or_afs3_salt(krb5_context context, + const krb5_principal client, + const AS_REQ *asreq, + struct pa_info_data *paid, + heim_octet_string *data) +{ + krb5_error_code ret; + if (paid->etype == ENCTYPE_NULL) + return NULL; + ret = set_paid(paid, context, + paid->etype, + paid->salt.salttype, + data->data, + data->length, + NULL); + if (ret) + return NULL; + return paid; +} + + +struct pa_info { + krb5_preauthtype type; + struct pa_info_data *(*salt_info)(krb5_context, + const krb5_principal, + const AS_REQ *, + struct pa_info_data *, + heim_octet_string *); +}; + +static struct pa_info pa_prefs[] = { + { KRB5_PADATA_ETYPE_INFO2, pa_etype_info2 }, + { KRB5_PADATA_ETYPE_INFO, pa_etype_info }, + { KRB5_PADATA_PW_SALT, pa_pw_or_afs3_salt }, + { KRB5_PADATA_AFS3_SALT, pa_pw_or_afs3_salt } +}; + +static PA_DATA * +find_pa_data(const METHOD_DATA *md, int type) +{ + int i; + if (md == NULL) + return NULL; + for (i = 0; i < md->len; i++) + if (md->val[i].padata_type == type) + return &md->val[i]; + return NULL; +} + +static struct pa_info_data * +process_pa_info(krb5_context context, + const krb5_principal client, + const AS_REQ *asreq, + struct pa_info_data *paid, + METHOD_DATA *md) +{ + struct pa_info_data *p = NULL; + int i; + + for (i = 0; p == NULL && i < sizeof(pa_prefs)/sizeof(pa_prefs[0]); i++) { + PA_DATA *pa = find_pa_data(md, pa_prefs[i].type); + if (pa == NULL) + continue; + paid->salt.salttype = pa_prefs[i].type; + p = (*pa_prefs[i].salt_info)(context, client, asreq, + paid, &pa->padata_value); + } + return p; +} + +static krb5_error_code +make_pa_enc_timestamp(krb5_context context, METHOD_DATA *md, + krb5_enctype etype, krb5_keyblock *key) +{ + PA_ENC_TS_ENC p; + unsigned char *buf; + size_t buf_size; + size_t len; + EncryptedData encdata; + krb5_error_code ret; + int32_t usec; + int usec2; + krb5_crypto crypto; + + krb5_us_timeofday (context, &p.patimestamp, &usec); + usec2 = usec; + p.pausec = &usec2; + + ASN1_MALLOC_ENCODE(PA_ENC_TS_ENC, buf, buf_size, &p, &len, ret); + if (ret) + return ret; + if(buf_size != len) + krb5_abortx(context, "internal error in ASN.1 encoder"); + + ret = krb5_crypto_init(context, key, 0, &crypto); + if (ret) { + free(buf); + return ret; + } + ret = krb5_encrypt_EncryptedData(context, + crypto, + KRB5_KU_PA_ENC_TIMESTAMP, + buf, + len, + 0, + &encdata); + free(buf); + krb5_crypto_destroy(context, crypto); + if (ret) + return ret; + + ASN1_MALLOC_ENCODE(EncryptedData, buf, buf_size, &encdata, &len, ret); + free_EncryptedData(&encdata); + if (ret) + return ret; + if(buf_size != len) + krb5_abortx(context, "internal error in ASN.1 encoder"); + + ret = krb5_padata_add(context, md, KRB5_PADATA_ENC_TIMESTAMP, buf, len); + if (ret) + free(buf); + return ret; +} + +static krb5_error_code +add_enc_ts_padata(krb5_context context, + METHOD_DATA *md, + krb5_principal client, + krb5_s2k_proc key_proc, + krb5_const_pointer keyseed, + krb5_enctype *enctypes, + unsigned netypes, + krb5_salt *salt, + krb5_data *s2kparams) +{ + krb5_error_code ret; + krb5_salt salt2; + krb5_enctype *ep; + int i; + + if(salt == NULL) { + /* default to standard salt */ + ret = krb5_get_pw_salt (context, client, &salt2); + salt = &salt2; + } + if (!enctypes) { + enctypes = context->etypes; + netypes = 0; + for (ep = enctypes; *ep != ETYPE_NULL; ep++) + netypes++; + } + + for (i = 0; i < netypes; ++i) { + krb5_keyblock *key; + + ret = (*key_proc)(context, enctypes[i], keyseed, + *salt, s2kparams, &key); + if (ret) + continue; + ret = make_pa_enc_timestamp (context, md, enctypes[i], key); + krb5_free_keyblock (context, key); + if (ret) + return ret; + } + if(salt == &salt2) + krb5_free_salt(context, salt2); + return 0; +} + +static krb5_error_code +pa_data_to_md_ts_enc(krb5_context context, + const AS_REQ *a, + const krb5_principal client, + krb5_get_init_creds_ctx *ctx, + struct pa_info_data *ppaid, + METHOD_DATA *md) +{ + if (ctx->key_proc == NULL || ctx->password == NULL) + return 0; + + if (ppaid) { + add_enc_ts_padata(context, md, client, + ctx->key_proc, ctx->password, + &ppaid->etype, 1, + &ppaid->salt, ppaid->s2kparams); + } else { + krb5_salt salt; + + /* make a v5 salted pa-data */ + add_enc_ts_padata(context, md, client, + ctx->key_proc, ctx->password, + a->req_body.etype.val, a->req_body.etype.len, + NULL, NULL); + + /* make a v4 salted pa-data */ + salt.salttype = KRB5_PW_SALT; + krb5_data_zero(&salt.saltvalue); + add_enc_ts_padata(context, md, client, + ctx->key_proc, ctx->password, + a->req_body.etype.val, a->req_body.etype.len, + &salt, NULL); + } + return 0; +} + +static krb5_error_code +pa_data_to_key_plain(krb5_context context, + const krb5_principal client, + krb5_get_init_creds_ctx *ctx, + krb5_salt salt, + krb5_data *s2kparams, + krb5_enctype etype, + krb5_keyblock **key) +{ + krb5_error_code ret; + + ret = (*ctx->key_proc)(context, etype, ctx->password, + salt, s2kparams, key); + return ret; +} + + +static krb5_error_code +pa_data_to_md_pkinit(krb5_context context, + const AS_REQ *a, + const krb5_principal client, + krb5_get_init_creds_ctx *ctx, + METHOD_DATA *md) +{ + if (ctx->pk_init_ctx == NULL) + return 0; +#ifdef PKINIT + return _krb5_pk_mk_padata(context, + ctx->pk_init_ctx, + &a->req_body, + ctx->pk_nonce, + md); +#else + krb5_set_error_string(context, "no support for PKINIT compiled in"); + return EINVAL; +#endif +} + +static krb5_error_code +pa_data_add_pac_request(krb5_context context, + krb5_get_init_creds_ctx *ctx, + METHOD_DATA *md) +{ + size_t len, length; + krb5_error_code ret; + PA_PAC_REQUEST req; + void *buf; + + switch (ctx->req_pac) { + case KRB5_INIT_CREDS_TRISTATE_UNSET: + return 0; /* don't bother */ + case KRB5_INIT_CREDS_TRISTATE_TRUE: + req.include_pac = 1; + break; + case KRB5_INIT_CREDS_TRISTATE_FALSE: + req.include_pac = 0; + } + + ASN1_MALLOC_ENCODE(PA_PAC_REQUEST, buf, length, + &req, &len, ret); + if (ret) + return ret; + if(len != length) + krb5_abortx(context, "internal error in ASN.1 encoder"); + + ret = krb5_padata_add(context, md, KRB5_PADATA_PA_PAC_REQUEST, buf, len); + if (ret) + free(buf); + + return 0; +} + +/* + * Assumes caller always will free `out_md', even on error. + */ + +static krb5_error_code +process_pa_data_to_md(krb5_context context, + const krb5_creds *creds, + const AS_REQ *a, + krb5_get_init_creds_ctx *ctx, + METHOD_DATA *in_md, + METHOD_DATA **out_md, + krb5_prompter_fct prompter, + void *prompter_data) +{ + krb5_error_code ret; + + ALLOC(*out_md, 1); + if (*out_md == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + (*out_md)->len = 0; + (*out_md)->val = NULL; + + /* + * Make sure we don't sent both ENC-TS and PK-INIT pa data, no + * need to expose our password protecting our PKCS12 key. + */ + + if (ctx->pk_init_ctx) { + + ret = pa_data_to_md_pkinit(context, a, creds->client, ctx, *out_md); + if (ret) + return ret; + + } else if (in_md->len != 0) { + struct pa_info_data paid, *ppaid; + + memset(&paid, 0, sizeof(paid)); + + paid.etype = ENCTYPE_NULL; + ppaid = process_pa_info(context, creds->client, a, &paid, in_md); + + pa_data_to_md_ts_enc(context, a, creds->client, ctx, ppaid, *out_md); + if (ppaid) + free_paid(context, ppaid); + } + + pa_data_add_pac_request(context, ctx, *out_md); + + if ((*out_md)->len == 0) { + free(*out_md); + *out_md = NULL; + } + + return 0; +} + +static krb5_error_code +process_pa_data_to_key(krb5_context context, + krb5_get_init_creds_ctx *ctx, + krb5_creds *creds, + AS_REQ *a, + krb5_kdc_rep *rep, + const krb5_krbhst_info *hi, + krb5_keyblock **key) +{ + struct pa_info_data paid, *ppaid = NULL; + krb5_error_code ret; + krb5_enctype etype; + PA_DATA *pa; + + memset(&paid, 0, sizeof(paid)); + + etype = rep->kdc_rep.enc_part.etype; + + if (rep->kdc_rep.padata) { + paid.etype = etype; + ppaid = process_pa_info(context, creds->client, a, &paid, + rep->kdc_rep.padata); + } + if (ppaid == NULL) { + ret = krb5_get_pw_salt (context, creds->client, &paid.salt); + if (ret) + return ret; + paid.etype = etype; + paid.s2kparams = NULL; + } + + pa = NULL; + if (rep->kdc_rep.padata) { + int idx = 0; + pa = krb5_find_padata(rep->kdc_rep.padata->val, + rep->kdc_rep.padata->len, + KRB5_PADATA_PK_AS_REP, + &idx); + if (pa == NULL) { + idx = 0; + pa = krb5_find_padata(rep->kdc_rep.padata->val, + rep->kdc_rep.padata->len, + KRB5_PADATA_PK_AS_REP_19, + &idx); + } + } + if (pa && ctx->pk_init_ctx) { +#ifdef PKINIT + ret = _krb5_pk_rd_pa_reply(context, + a->req_body.realm, + ctx->pk_init_ctx, + etype, + hi, + ctx->pk_nonce, + &ctx->req_buffer, + pa, + key); +#else + krb5_set_error_string(context, "no support for PKINIT compiled in"); + ret = EINVAL; +#endif + } else if (ctx->password) + ret = pa_data_to_key_plain(context, creds->client, ctx, + paid.salt, paid.s2kparams, etype, key); + else { + krb5_set_error_string(context, "No usable pa data type"); + ret = EINVAL; + } + + free_paid(context, &paid); + return ret; +} + +static krb5_error_code +init_cred_loop(krb5_context context, + krb5_get_init_creds_opt *init_cred_opts, + const krb5_prompter_fct prompter, + void *prompter_data, + krb5_get_init_creds_ctx *ctx, + krb5_creds *creds, + krb5_kdc_rep *ret_as_reply) +{ + krb5_error_code ret; + krb5_kdc_rep rep; + METHOD_DATA md; + krb5_data resp; + size_t len; + size_t size; + krb5_krbhst_info *hi = NULL; + krb5_sendto_ctx stctx = NULL; + + + memset(&md, 0, sizeof(md)); + memset(&rep, 0, sizeof(rep)); + + _krb5_get_init_creds_opt_free_krb5_error(init_cred_opts); + + if (ret_as_reply) + memset(ret_as_reply, 0, sizeof(*ret_as_reply)); + + ret = init_creds_init_as_req(context, ctx->flags, creds, + ctx->addrs, ctx->etypes, &ctx->as_req); + if (ret) + return ret; + + ret = krb5_sendto_ctx_alloc(context, &stctx); + if (ret) + goto out; + krb5_sendto_ctx_set_func(stctx, _krb5_kdc_retry, NULL); + + /* Set a new nonce. */ + krb5_generate_random_block (&ctx->nonce, sizeof(ctx->nonce)); + ctx->nonce &= 0xffffffff; + /* XXX these just needs to be the same when using Windows PK-INIT */ + ctx->pk_nonce = ctx->nonce; + + /* + * Increase counter when we want other pre-auth types then + * KRB5_PA_ENC_TIMESTAMP. + */ +#define MAX_PA_COUNTER 3 + + ctx->pa_counter = 0; + while (ctx->pa_counter < MAX_PA_COUNTER) { + + ctx->pa_counter++; + + if (ctx->as_req.padata) { + free_METHOD_DATA(ctx->as_req.padata); + free(ctx->as_req.padata); + ctx->as_req.padata = NULL; + } + + /* Set a new nonce. */ + ctx->as_req.req_body.nonce = ctx->nonce; + + /* fill_in_md_data */ + ret = process_pa_data_to_md(context, creds, &ctx->as_req, ctx, + &md, &ctx->as_req.padata, + prompter, prompter_data); + if (ret) + goto out; + + krb5_data_free(&ctx->req_buffer); + + ASN1_MALLOC_ENCODE(AS_REQ, + ctx->req_buffer.data, ctx->req_buffer.length, + &ctx->as_req, &len, ret); + if (ret) + goto out; + if(len != ctx->req_buffer.length) + krb5_abortx(context, "internal error in ASN.1 encoder"); + + ret = krb5_sendto_context (context, stctx, &ctx->req_buffer, + creds->client->realm, &resp); + if (ret) + goto out; + + memset (&rep, 0, sizeof(rep)); + ret = decode_AS_REP(resp.data, resp.length, &rep.kdc_rep, &size); + if (ret == 0) { + krb5_data_free(&resp); + krb5_clear_error_string(context); + break; + } else { + /* let's try to parse it as a KRB-ERROR */ + KRB_ERROR error; + + ret = krb5_rd_error(context, &resp, &error); + if(ret && resp.data && ((char*)resp.data)[0] == 4) + ret = KRB5KRB_AP_ERR_V4_REPLY; + krb5_data_free(&resp); + if (ret) + goto out; + + ret = krb5_error_from_rd_error(context, &error, creds); + + /* + * If no preauth was set and KDC requires it, give it one + * more try. + */ + + if (ret == KRB5KDC_ERR_PREAUTH_REQUIRED) { + free_METHOD_DATA(&md); + memset(&md, 0, sizeof(md)); + + if (error.e_data) { + ret = decode_METHOD_DATA(error.e_data->data, + error.e_data->length, + &md, + NULL); + if (ret) + krb5_set_error_string(context, + "failed to decode METHOD DATA"); + } else { + /* XXX guess what the server want here add add md */ + } + krb5_free_error_contents(context, &error); + if (ret) + goto out; + } else { + _krb5_get_init_creds_opt_set_krb5_error(context, + init_cred_opts, + &error); + if (ret_as_reply) + rep.error = error; + else + krb5_free_error_contents(context, &error); + goto out; + } + } + } + + { + krb5_keyblock *key = NULL; + unsigned flags = 0; + + if (ctx->flags.request_anonymous) + flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH; + if (ctx->flags.canonicalize) { + flags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH; + flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH; + flags |= EXTRACT_TICKET_MATCH_REALM; + } + + ret = process_pa_data_to_key(context, ctx, creds, + &ctx->as_req, &rep, hi, &key); + if (ret) + goto out; + + ret = _krb5_extract_ticket(context, + &rep, + creds, + key, + NULL, + KRB5_KU_AS_REP_ENC_PART, + NULL, + ctx->nonce, + flags, + NULL, + NULL); + krb5_free_keyblock(context, key); + } + /* + * Verify referral data + */ + if ((ctx->ic_flags & KRB5_INIT_CREDS_CANONICALIZE) && + (ctx->ic_flags & KRB5_INIT_CREDS_NO_C_CANON_CHECK) == 0) + { + PA_ClientCanonicalized canon; + krb5_crypto crypto; + krb5_data data; + PA_DATA *pa; + size_t len; + + pa = find_pa_data(rep.kdc_rep.padata, KRB5_PADATA_CLIENT_CANONICALIZED); + if (pa == NULL) { + ret = EINVAL; + krb5_set_error_string(context, "Client canonicalizion not signed"); + goto out; + } + + ret = decode_PA_ClientCanonicalized(pa->padata_value.data, + pa->padata_value.length, + &canon, &len); if (ret) { - memset (buf, 0, sizeof(buf)); - ret = KRB5_LIBOS_PWDINTR; - krb5_clear_error_string (context); + krb5_set_error_string(context, "Failed to decode " + "PA_ClientCanonicalized"); + goto out; + } + + ASN1_MALLOC_ENCODE(PA_ClientCanonicalizedNames, data.data, data.length, + &canon.names, &len, ret); + if (ret) + goto out; + if (data.length != len) + krb5_abortx(context, "internal asn.1 error"); + + ret = krb5_crypto_init(context, &creds->session, 0, &crypto); + if (ret) { + free(data.data); + free_PA_ClientCanonicalized(&canon); + goto out; + } + + ret = krb5_verify_checksum(context, crypto, KRB5_KU_CANONICALIZED_NAMES, + data.data, data.length, + &canon.canon_checksum); + krb5_crypto_destroy(context, crypto); + free(data.data); + free_PA_ClientCanonicalized(&canon); + if (ret) { + krb5_set_error_string(context, "Failed to verify " + "client canonicalized data"); goto out; } - password = password_data.data; } +out: + if (stctx) + krb5_sendto_ctx_free(context, stctx); + krb5_data_free(&ctx->req_buffer); + free_METHOD_DATA(&md); + memset(&md, 0, sizeof(md)); + + if (ret == 0 && ret_as_reply) + *ret_as_reply = rep; + else + krb5_free_kdc_rep (context, &rep); + return ret; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds(krb5_context context, + krb5_creds *creds, + krb5_principal client, + krb5_prompter_fct prompter, + void *data, + krb5_deltat start_time, + const char *in_tkt_service, + krb5_get_init_creds_opt *options) +{ + krb5_get_init_creds_ctx ctx; + krb5_kdc_rep kdc_reply; + krb5_error_code ret; + char buf[BUFSIZ]; + int done; + + memset(&kdc_reply, 0, sizeof(kdc_reply)); + + ret = get_init_creds_common(context, client, start_time, + in_tkt_service, options, &ctx); + if (ret) + goto out; done = 0; while(!done) { memset(&kdc_reply, 0, sizeof(kdc_reply)); - ret = krb5_get_in_cred (context, - flags.i, - addrs, - etypes, - pre_auth_types, - NULL, - krb5_password_key_proc, - password, - NULL, - NULL, - &this_cred, - &kdc_reply); + + ret = init_cred_loop(context, + options, + prompter, + data, + &ctx, + &ctx.cred, + &kdc_reply); + switch (ret) { case 0 : done = 1; @@ -454,18 +1486,19 @@ krb5_get_init_creds_password(krb5_context context, case KRB5KDC_ERR_KEY_EXPIRED : /* try to avoid recursion */ - if (prompter == NULL) + /* don't try to change password where then where none */ + if (prompter == NULL || ctx.password == NULL) goto out; krb5_clear_error_string (context); - if (in_tkt_service != NULL - && strcmp (in_tkt_service, "kadmin/changepw") == 0) + if (ctx.in_tkt_service != NULL + && strcmp (ctx.in_tkt_service, "kadmin/changepw") == 0) goto out; ret = change_password (context, client, - password, + ctx.password, buf, sizeof(buf), prompter, @@ -473,7 +1506,7 @@ krb5_get_init_creds_password(krb5_context context, options); if (ret) goto out; - password = buf; + ctx.password = buf; break; default: goto out; @@ -482,94 +1515,144 @@ krb5_get_init_creds_password(krb5_context context, if (prompter) print_expire (context, - krb5_princ_realm (context, this_cred.client), + krb5_principal_get_realm (context, ctx.cred.client), &kdc_reply, prompter, data); -out: - memset (buf, 0, sizeof(buf)); + out: + memset (buf, 0, sizeof(buf)); + free_init_creds_ctx(context, &ctx); krb5_free_kdc_rep (context, &kdc_reply); - - free (pre_auth_types); - free (etypes); - if (ret == 0 && creds) - *creds = this_cred; + if (ret == 0) + *creds = ctx.cred; else - krb5_free_creds_contents (context, &this_cred); + krb5_free_cred_contents (context, &ctx.cred); + return ret; } -krb5_error_code -krb5_keyblock_key_proc (krb5_context context, - krb5_keytype type, - krb5_data *salt, - krb5_const_pointer keyseed, - krb5_keyblock **key) +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_password(krb5_context context, + krb5_creds *creds, + krb5_principal client, + const char *password, + krb5_prompter_fct prompter, + void *data, + krb5_deltat start_time, + const char *in_tkt_service, + krb5_get_init_creds_opt *in_options) +{ + krb5_get_init_creds_opt *options; + char buf[BUFSIZ]; + krb5_error_code ret; + + if (in_options == NULL) { + const char *realm = krb5_principal_get_realm(context, client); + ret = krb5_get_init_creds_opt_alloc(context, &options); + if (ret == 0) + krb5_get_init_creds_opt_set_default_flags(context, + NULL, + realm, + options); + } else + ret = _krb5_get_init_creds_opt_copy(context, in_options, &options); + if (ret) + return ret; + + if (password == NULL && + options->opt_private->password == NULL && + options->opt_private->pk_init_ctx == NULL) + { + krb5_prompt prompt; + krb5_data password_data; + char *p, *q; + + krb5_unparse_name (context, client, &p); + asprintf (&q, "%s's Password: ", p); + free (p); + prompt.prompt = q; + password_data.data = buf; + password_data.length = sizeof(buf); + prompt.hidden = 1; + prompt.reply = &password_data; + prompt.type = KRB5_PROMPT_TYPE_PASSWORD; + + ret = (*prompter) (context, data, NULL, NULL, 1, &prompt); + free (q); + if (ret) { + memset (buf, 0, sizeof(buf)); + krb5_get_init_creds_opt_free(context, options); + ret = KRB5_LIBOS_PWDINTR; + krb5_clear_error_string (context); + return ret; + } + password = password_data.data; + } + + if (options->opt_private->password == NULL) { + ret = krb5_get_init_creds_opt_set_pa_password(context, options, + password, NULL); + if (ret) { + krb5_get_init_creds_opt_free(context, options); + memset(buf, 0, sizeof(buf)); + return ret; + } + } + + ret = krb5_get_init_creds(context, creds, client, prompter, + data, start_time, in_tkt_service, options); + krb5_get_init_creds_opt_free(context, options); + memset(buf, 0, sizeof(buf)); + return ret; +} + +static krb5_error_code +init_creds_keyblock_key_proc (krb5_context context, + krb5_enctype type, + krb5_salt salt, + krb5_const_pointer keyseed, + krb5_keyblock **key) { return krb5_copy_keyblock (context, keyseed, key); } -krb5_error_code -krb5_get_init_creds_keytab(krb5_context context, - krb5_creds *creds, - krb5_principal client, - krb5_keytab keytab, - krb5_deltat start_time, - const char *in_tkt_service, - krb5_get_init_creds_opt *options) +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_keyblock(krb5_context context, + krb5_creds *creds, + krb5_principal client, + krb5_keyblock *keyblock, + krb5_deltat start_time, + const char *in_tkt_service, + krb5_get_init_creds_opt *options) { + struct krb5_get_init_creds_ctx ctx; krb5_error_code ret; - krb5_kdc_flags flags; - krb5_addresses *addrs = NULL; - krb5_enctype *etypes = NULL; - krb5_preauthtype *pre_auth_types = NULL; - krb5_creds this_cred; - krb5_keytab_key_proc_args *a; - ret = get_init_creds_common(context, creds, client, start_time, - in_tkt_service, options, - &addrs, &etypes, &this_cred, &pre_auth_types, - &flags); - if(ret) - goto out; - - a = malloc (sizeof(*a)); - if (a == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - ret = ENOMEM; + ret = get_init_creds_common(context, client, start_time, + in_tkt_service, options, &ctx); + if (ret) goto out; - } - a->principal = this_cred.client; - a->keytab = keytab; ret = krb5_get_in_cred (context, - flags.i, - addrs, - etypes, - pre_auth_types, + KDCOptions2int(ctx.flags), + ctx.addrs, + ctx.etypes, + ctx.pre_auth_types, NULL, - krb5_keytab_key_proc, - a, + init_creds_keyblock_key_proc, + keyblock, NULL, NULL, - &this_cred, + &ctx.cred, NULL); - free (a); - if (ret) - goto out; - free (pre_auth_types); - free (etypes); - if (creds) - *creds = this_cred; + if (ret == 0 && creds) + *creds = ctx.cred; else - krb5_free_creds_contents (context, &this_cred); - return 0; + krb5_free_cred_contents (context, &ctx.cred); -out: - free (pre_auth_types); - free (etypes); - krb5_free_creds_contents (context, &this_cred); + out: + free_init_creds_ctx(context, &ctx); return ret; } diff --git a/crypto/heimdal/lib/krb5/k524_err.et b/crypto/heimdal/lib/krb5/k524_err.et index 2dc60f46ae2b..0ca25f74d474 100644 --- a/crypto/heimdal/lib/krb5/k524_err.et +++ b/crypto/heimdal/lib/krb5/k524_err.et @@ -3,7 +3,7 @@ # # This might look like a com_err file, but is not # -id "$Id: k524_err.et,v 1.1 2001/06/20 02:44:11 joda Exp $" +id "$Id: k524_err.et 10141 2001-06-20 02:45:58Z joda $" error_table k524 diff --git a/crypto/heimdal/lib/krb5/kcm.c b/crypto/heimdal/lib/krb5/kcm.c new file mode 100644 index 000000000000..8afaa6ea80a1 --- /dev/null +++ b/crypto/heimdal/lib/krb5/kcm.c @@ -0,0 +1,1122 @@ +/* + * Copyright (c) 2005, PADL Software Pty Ltd. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of PADL Software nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5_locl.h" + +#ifdef HAVE_KCM +/* + * Client library for Kerberos Credentials Manager (KCM) daemon + */ + +#ifdef HAVE_SYS_UN_H +#include <sys/un.h> +#endif + +#include "kcm.h" + +RCSID("$Id: kcm.c 22108 2007-12-03 17:23:53Z lha $"); + +typedef struct krb5_kcmcache { + char *name; + struct sockaddr_un path; + char *door_path; +} krb5_kcmcache; + +#define KCMCACHE(X) ((krb5_kcmcache *)(X)->data.data) +#define CACHENAME(X) (KCMCACHE(X)->name) +#define KCMCURSOR(C) (*(uint32_t *)(C)) + +static krb5_error_code +try_door(krb5_context context, const krb5_kcmcache *k, + krb5_data *request_data, + krb5_data *response_data) +{ +#ifdef HAVE_DOOR_CREATE + door_arg_t arg; + int fd; + int ret; + + memset(&arg, 0, sizeof(arg)); + + fd = open(k->door_path, O_RDWR); + if (fd < 0) + return KRB5_CC_IO; + + arg.data_ptr = request_data->data; + arg.data_size = request_data->length; + arg.desc_ptr = NULL; + arg.desc_num = 0; + arg.rbuf = NULL; + arg.rsize = 0; + + ret = door_call(fd, &arg); + close(fd); + if (ret != 0) + return KRB5_CC_IO; + + ret = krb5_data_copy(response_data, arg.rbuf, arg.rsize); + munmap(arg.rbuf, arg.rsize); + if (ret) + return ret; + + return 0; +#else + return KRB5_CC_IO; +#endif +} + +static krb5_error_code +try_unix_socket(krb5_context context, const krb5_kcmcache *k, + krb5_data *request_data, + krb5_data *response_data) +{ + krb5_error_code ret; + int fd; + + fd = socket(AF_UNIX, SOCK_STREAM, 0); + if (fd < 0) + return KRB5_CC_IO; + + if (connect(fd, rk_UNCONST(&k->path), sizeof(k->path)) != 0) { + close(fd); + return KRB5_CC_IO; + } + + ret = _krb5_send_and_recv_tcp(fd, context->kdc_timeout, + request_data, response_data); + close(fd); + return ret; +} + +static krb5_error_code +kcm_send_request(krb5_context context, + krb5_kcmcache *k, + krb5_storage *request, + krb5_data *response_data) +{ + krb5_error_code ret; + krb5_data request_data; + int i; + + response_data->data = NULL; + response_data->length = 0; + + ret = krb5_storage_to_data(request, &request_data); + if (ret) { + krb5_clear_error_string(context); + return KRB5_CC_NOMEM; + } + + ret = KRB5_CC_IO; + + for (i = 0; i < context->max_retries; i++) { + ret = try_door(context, k, &request_data, response_data); + if (ret == 0 && response_data->length != 0) + break; + ret = try_unix_socket(context, k, &request_data, response_data); + if (ret == 0 && response_data->length != 0) + break; + } + + krb5_data_free(&request_data); + + if (ret) { + krb5_clear_error_string(context); + ret = KRB5_CC_IO; + } + + return ret; +} + +static krb5_error_code +kcm_storage_request(krb5_context context, + kcm_operation opcode, + krb5_storage **storage_p) +{ + krb5_storage *sp; + krb5_error_code ret; + + *storage_p = NULL; + + sp = krb5_storage_emem(); + if (sp == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return KRB5_CC_NOMEM; + } + + /* Send MAJOR | VERSION | OPCODE */ + ret = krb5_store_int8(sp, KCM_PROTOCOL_VERSION_MAJOR); + if (ret) + goto fail; + ret = krb5_store_int8(sp, KCM_PROTOCOL_VERSION_MINOR); + if (ret) + goto fail; + ret = krb5_store_int16(sp, opcode); + if (ret) + goto fail; + + *storage_p = sp; + fail: + if (ret) { + krb5_set_error_string(context, "Failed to encode request"); + krb5_storage_free(sp); + } + + return ret; +} + +static krb5_error_code +kcm_alloc(krb5_context context, const char *name, krb5_ccache *id) +{ + krb5_kcmcache *k; + const char *path; + + k = malloc(sizeof(*k)); + if (k == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return KRB5_CC_NOMEM; + } + + if (name != NULL) { + k->name = strdup(name); + if (k->name == NULL) { + free(k); + krb5_set_error_string(context, "malloc: out of memory"); + return KRB5_CC_NOMEM; + } + } else + k->name = NULL; + + path = krb5_config_get_string_default(context, NULL, + _PATH_KCM_SOCKET, + "libdefaults", + "kcm_socket", + NULL); + + k->path.sun_family = AF_UNIX; + strlcpy(k->path.sun_path, path, sizeof(k->path.sun_path)); + + path = krb5_config_get_string_default(context, NULL, + _PATH_KCM_DOOR, + "libdefaults", + "kcm_door", + NULL); + k->door_path = strdup(path); + + (*id)->data.data = k; + (*id)->data.length = sizeof(*k); + + return 0; +} + +static krb5_error_code +kcm_call(krb5_context context, + krb5_kcmcache *k, + krb5_storage *request, + krb5_storage **response_p, + krb5_data *response_data_p) +{ + krb5_data response_data; + krb5_error_code ret; + int32_t status; + krb5_storage *response; + + if (response_p != NULL) + *response_p = NULL; + + ret = kcm_send_request(context, k, request, &response_data); + if (ret) { + return ret; + } + + response = krb5_storage_from_data(&response_data); + if (response == NULL) { + krb5_data_free(&response_data); + return KRB5_CC_IO; + } + + ret = krb5_ret_int32(response, &status); + if (ret) { + krb5_storage_free(response); + krb5_data_free(&response_data); + return KRB5_CC_FORMAT; + } + + if (status) { + krb5_storage_free(response); + krb5_data_free(&response_data); + return status; + } + + if (response_p != NULL) { + *response_data_p = response_data; + *response_p = response; + + return 0; + } + + krb5_storage_free(response); + krb5_data_free(&response_data); + + return 0; +} + +static void +kcm_free(krb5_context context, krb5_ccache *id) +{ + krb5_kcmcache *k = KCMCACHE(*id); + + if (k != NULL) { + if (k->name != NULL) + free(k->name); + if (k->door_path) + free(k->door_path); + memset(k, 0, sizeof(*k)); + krb5_data_free(&(*id)->data); + } + + *id = NULL; +} + +static const char * +kcm_get_name(krb5_context context, + krb5_ccache id) +{ + return CACHENAME(id); +} + +static krb5_error_code +kcm_resolve(krb5_context context, krb5_ccache *id, const char *res) +{ + return kcm_alloc(context, res, id); +} + +/* + * Request: + * + * Response: + * NameZ + */ +static krb5_error_code +kcm_gen_new(krb5_context context, krb5_ccache *id) +{ + krb5_kcmcache *k; + krb5_error_code ret; + krb5_storage *request, *response; + krb5_data response_data; + + ret = kcm_alloc(context, NULL, id); + if (ret) + return ret; + + k = KCMCACHE(*id); + + ret = kcm_storage_request(context, KCM_OP_GEN_NEW, &request); + if (ret) { + kcm_free(context, id); + return ret; + } + + ret = kcm_call(context, k, request, &response, &response_data); + if (ret) { + krb5_storage_free(request); + kcm_free(context, id); + return ret; + } + + ret = krb5_ret_stringz(response, &k->name); + if (ret) + ret = KRB5_CC_IO; + + krb5_storage_free(request); + krb5_storage_free(response); + krb5_data_free(&response_data); + + if (ret) + kcm_free(context, id); + + return ret; +} + +/* + * Request: + * NameZ + * Principal + * + * Response: + * + */ +static krb5_error_code +kcm_initialize(krb5_context context, + krb5_ccache id, + krb5_principal primary_principal) +{ + krb5_error_code ret; + krb5_kcmcache *k = KCMCACHE(id); + krb5_storage *request; + + ret = kcm_storage_request(context, KCM_OP_INITIALIZE, &request); + if (ret) + return ret; + + ret = krb5_store_stringz(request, k->name); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = krb5_store_principal(request, primary_principal); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = kcm_call(context, k, request, NULL, NULL); + + krb5_storage_free(request); + return ret; +} + +static krb5_error_code +kcm_close(krb5_context context, + krb5_ccache id) +{ + kcm_free(context, &id); + return 0; +} + +/* + * Request: + * NameZ + * + * Response: + * + */ +static krb5_error_code +kcm_destroy(krb5_context context, + krb5_ccache id) +{ + krb5_error_code ret; + krb5_kcmcache *k = KCMCACHE(id); + krb5_storage *request; + + ret = kcm_storage_request(context, KCM_OP_DESTROY, &request); + if (ret) + return ret; + + ret = krb5_store_stringz(request, k->name); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = kcm_call(context, k, request, NULL, NULL); + + krb5_storage_free(request); + return ret; +} + +/* + * Request: + * NameZ + * Creds + * + * Response: + * + */ +static krb5_error_code +kcm_store_cred(krb5_context context, + krb5_ccache id, + krb5_creds *creds) +{ + krb5_error_code ret; + krb5_kcmcache *k = KCMCACHE(id); + krb5_storage *request; + + ret = kcm_storage_request(context, KCM_OP_STORE, &request); + if (ret) + return ret; + + ret = krb5_store_stringz(request, k->name); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = krb5_store_creds(request, creds); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = kcm_call(context, k, request, NULL, NULL); + + krb5_storage_free(request); + return ret; +} + +/* + * Request: + * NameZ + * WhichFields + * MatchCreds + * + * Response: + * Creds + * + */ +static krb5_error_code +kcm_retrieve(krb5_context context, + krb5_ccache id, + krb5_flags which, + const krb5_creds *mcred, + krb5_creds *creds) +{ + krb5_error_code ret; + krb5_kcmcache *k = KCMCACHE(id); + krb5_storage *request, *response; + krb5_data response_data; + + ret = kcm_storage_request(context, KCM_OP_RETRIEVE, &request); + if (ret) + return ret; + + ret = krb5_store_stringz(request, k->name); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = krb5_store_int32(request, which); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = krb5_store_creds_tag(request, rk_UNCONST(mcred)); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = kcm_call(context, k, request, &response, &response_data); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = krb5_ret_creds(response, creds); + if (ret) + ret = KRB5_CC_IO; + + krb5_storage_free(request); + krb5_storage_free(response); + krb5_data_free(&response_data); + + return ret; +} + +/* + * Request: + * NameZ + * + * Response: + * Principal + */ +static krb5_error_code +kcm_get_principal(krb5_context context, + krb5_ccache id, + krb5_principal *principal) +{ + krb5_error_code ret; + krb5_kcmcache *k = KCMCACHE(id); + krb5_storage *request, *response; + krb5_data response_data; + + ret = kcm_storage_request(context, KCM_OP_GET_PRINCIPAL, &request); + if (ret) + return ret; + + ret = krb5_store_stringz(request, k->name); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = kcm_call(context, k, request, &response, &response_data); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = krb5_ret_principal(response, principal); + if (ret) + ret = KRB5_CC_IO; + + krb5_storage_free(request); + krb5_storage_free(response); + krb5_data_free(&response_data); + + return ret; +} + +/* + * Request: + * NameZ + * + * Response: + * Cursor + * + */ +static krb5_error_code +kcm_get_first (krb5_context context, + krb5_ccache id, + krb5_cc_cursor *cursor) +{ + krb5_error_code ret; + krb5_kcmcache *k = KCMCACHE(id); + krb5_storage *request, *response; + krb5_data response_data; + int32_t tmp; + + ret = kcm_storage_request(context, KCM_OP_GET_FIRST, &request); + if (ret) + return ret; + + ret = krb5_store_stringz(request, k->name); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = kcm_call(context, k, request, &response, &response_data); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = krb5_ret_int32(response, &tmp); + if (ret || tmp < 0) + ret = KRB5_CC_IO; + + krb5_storage_free(request); + krb5_storage_free(response); + krb5_data_free(&response_data); + + if (ret) + return ret; + + *cursor = malloc(sizeof(tmp)); + if (*cursor == NULL) + return KRB5_CC_NOMEM; + + KCMCURSOR(*cursor) = tmp; + + return 0; +} + +/* + * Request: + * NameZ + * Cursor + * + * Response: + * Creds + */ +static krb5_error_code +kcm_get_next (krb5_context context, + krb5_ccache id, + krb5_cc_cursor *cursor, + krb5_creds *creds) +{ + krb5_error_code ret; + krb5_kcmcache *k = KCMCACHE(id); + krb5_storage *request, *response; + krb5_data response_data; + + ret = kcm_storage_request(context, KCM_OP_GET_NEXT, &request); + if (ret) + return ret; + + ret = krb5_store_stringz(request, k->name); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = krb5_store_int32(request, KCMCURSOR(*cursor)); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = kcm_call(context, k, request, &response, &response_data); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = krb5_ret_creds(response, creds); + if (ret) + ret = KRB5_CC_IO; + + krb5_storage_free(request); + krb5_storage_free(response); + krb5_data_free(&response_data); + + return ret; +} + +/* + * Request: + * NameZ + * Cursor + * + * Response: + * + */ +static krb5_error_code +kcm_end_get (krb5_context context, + krb5_ccache id, + krb5_cc_cursor *cursor) +{ + krb5_error_code ret; + krb5_kcmcache *k = KCMCACHE(id); + krb5_storage *request; + + ret = kcm_storage_request(context, KCM_OP_END_GET, &request); + if (ret) + return ret; + + ret = krb5_store_stringz(request, k->name); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = krb5_store_int32(request, KCMCURSOR(*cursor)); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = kcm_call(context, k, request, NULL, NULL); + if (ret) { + krb5_storage_free(request); + return ret; + } + + krb5_storage_free(request); + + KCMCURSOR(*cursor) = 0; + free(*cursor); + *cursor = NULL; + + return ret; +} + +/* + * Request: + * NameZ + * WhichFields + * MatchCreds + * + * Response: + * + */ +static krb5_error_code +kcm_remove_cred(krb5_context context, + krb5_ccache id, + krb5_flags which, + krb5_creds *cred) +{ + krb5_error_code ret; + krb5_kcmcache *k = KCMCACHE(id); + krb5_storage *request; + + ret = kcm_storage_request(context, KCM_OP_REMOVE_CRED, &request); + if (ret) + return ret; + + ret = krb5_store_stringz(request, k->name); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = krb5_store_int32(request, which); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = krb5_store_creds_tag(request, cred); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = kcm_call(context, k, request, NULL, NULL); + + krb5_storage_free(request); + return ret; +} + +static krb5_error_code +kcm_set_flags(krb5_context context, + krb5_ccache id, + krb5_flags flags) +{ + krb5_error_code ret; + krb5_kcmcache *k = KCMCACHE(id); + krb5_storage *request; + + ret = kcm_storage_request(context, KCM_OP_SET_FLAGS, &request); + if (ret) + return ret; + + ret = krb5_store_stringz(request, k->name); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = krb5_store_int32(request, flags); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = kcm_call(context, k, request, NULL, NULL); + + krb5_storage_free(request); + return ret; +} + +static krb5_error_code +kcm_get_version(krb5_context context, + krb5_ccache id) +{ + return 0; +} + +static krb5_error_code +kcm_move(krb5_context context, krb5_ccache from, krb5_ccache to) +{ + krb5_set_error_string(context, "kcm_move not implemented"); + return EINVAL; +} + +static krb5_error_code +kcm_default_name(krb5_context context, char **str) +{ + return _krb5_expand_default_cc_name(context, + KRB5_DEFAULT_CCNAME_KCM, + str); +} + +/** + * Variable containing the KCM based credential cache implemention. + * + * @ingroup krb5_ccache + */ + +const krb5_cc_ops krb5_kcm_ops = { + "KCM", + kcm_get_name, + kcm_resolve, + kcm_gen_new, + kcm_initialize, + kcm_destroy, + kcm_close, + kcm_store_cred, + kcm_retrieve, + kcm_get_principal, + kcm_get_first, + kcm_get_next, + kcm_end_get, + kcm_remove_cred, + kcm_set_flags, + kcm_get_version, + NULL, + NULL, + NULL, + kcm_move, + kcm_default_name +}; + +krb5_boolean +_krb5_kcm_is_running(krb5_context context) +{ + krb5_error_code ret; + krb5_ccache_data ccdata; + krb5_ccache id = &ccdata; + krb5_boolean running; + + ret = kcm_alloc(context, NULL, &id); + if (ret) + return 0; + + running = (_krb5_kcm_noop(context, id) == 0); + + kcm_free(context, &id); + + return running; +} + +/* + * Request: + * + * Response: + * + */ +krb5_error_code +_krb5_kcm_noop(krb5_context context, + krb5_ccache id) +{ + krb5_error_code ret; + krb5_kcmcache *k = KCMCACHE(id); + krb5_storage *request; + + ret = kcm_storage_request(context, KCM_OP_NOOP, &request); + if (ret) + return ret; + + ret = kcm_call(context, k, request, NULL, NULL); + + krb5_storage_free(request); + return ret; +} + + +/* + * Request: + * NameZ + * Mode + * + * Response: + * + */ +krb5_error_code +_krb5_kcm_chmod(krb5_context context, + krb5_ccache id, + uint16_t mode) +{ + krb5_error_code ret; + krb5_kcmcache *k = KCMCACHE(id); + krb5_storage *request; + + ret = kcm_storage_request(context, KCM_OP_CHMOD, &request); + if (ret) + return ret; + + ret = krb5_store_stringz(request, k->name); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = krb5_store_int16(request, mode); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = kcm_call(context, k, request, NULL, NULL); + + krb5_storage_free(request); + return ret; +} + + +/* + * Request: + * NameZ + * UID + * GID + * + * Response: + * + */ +krb5_error_code +_krb5_kcm_chown(krb5_context context, + krb5_ccache id, + uint32_t uid, + uint32_t gid) +{ + krb5_error_code ret; + krb5_kcmcache *k = KCMCACHE(id); + krb5_storage *request; + + ret = kcm_storage_request(context, KCM_OP_CHOWN, &request); + if (ret) + return ret; + + ret = krb5_store_stringz(request, k->name); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = krb5_store_int32(request, uid); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = krb5_store_int32(request, gid); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = kcm_call(context, k, request, NULL, NULL); + + krb5_storage_free(request); + return ret; +} + + +/* + * Request: + * NameZ + * ServerPrincipalPresent + * ServerPrincipal OPTIONAL + * Key + * + * Repsonse: + * + */ +krb5_error_code +_krb5_kcm_get_initial_ticket(krb5_context context, + krb5_ccache id, + krb5_principal server, + krb5_keyblock *key) +{ + krb5_error_code ret; + krb5_kcmcache *k = KCMCACHE(id); + krb5_storage *request; + + ret = kcm_storage_request(context, KCM_OP_GET_INITIAL_TICKET, &request); + if (ret) + return ret; + + ret = krb5_store_stringz(request, k->name); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = krb5_store_int8(request, (server == NULL) ? 0 : 1); + if (ret) { + krb5_storage_free(request); + return ret; + } + + if (server != NULL) { + ret = krb5_store_principal(request, server); + if (ret) { + krb5_storage_free(request); + return ret; + } + } + + ret = krb5_store_keyblock(request, *key); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = kcm_call(context, k, request, NULL, NULL); + + krb5_storage_free(request); + return ret; +} + + +/* + * Request: + * NameZ + * KDCFlags + * EncryptionType + * ServerPrincipal + * + * Repsonse: + * + */ +krb5_error_code +_krb5_kcm_get_ticket(krb5_context context, + krb5_ccache id, + krb5_kdc_flags flags, + krb5_enctype enctype, + krb5_principal server) +{ + krb5_error_code ret; + krb5_kcmcache *k = KCMCACHE(id); + krb5_storage *request; + + ret = kcm_storage_request(context, KCM_OP_GET_TICKET, &request); + if (ret) + return ret; + + ret = krb5_store_stringz(request, k->name); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = krb5_store_int32(request, flags.i); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = krb5_store_int32(request, enctype); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = krb5_store_principal(request, server); + if (ret) { + krb5_storage_free(request); + return ret; + } + + ret = kcm_call(context, k, request, NULL, NULL); + + krb5_storage_free(request); + return ret; +} + + +#endif /* HAVE_KCM */ diff --git a/crypto/heimdal/lib/krb5/kcm.h b/crypto/heimdal/lib/krb5/kcm.h new file mode 100644 index 000000000000..10dfa440f1d7 --- /dev/null +++ b/crypto/heimdal/lib/krb5/kcm.h @@ -0,0 +1,69 @@ +/* + * Copyright (c) 2005, PADL Software Pty Ltd. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of PADL Software nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#ifndef __KCM_H__ +#define __KCM_H__ + +/* + * KCM protocol definitions + */ + +#define KCM_PROTOCOL_VERSION_MAJOR 1 +#define KCM_PROTOCOL_VERSION_MINOR 0 + +typedef enum kcm_operation { + KCM_OP_NOOP, + KCM_OP_GET_NAME, + KCM_OP_RESOLVE, + KCM_OP_GEN_NEW, + KCM_OP_INITIALIZE, + KCM_OP_DESTROY, + KCM_OP_STORE, + KCM_OP_RETRIEVE, + KCM_OP_GET_PRINCIPAL, + KCM_OP_GET_FIRST, + KCM_OP_GET_NEXT, + KCM_OP_END_GET, + KCM_OP_REMOVE_CRED, + KCM_OP_SET_FLAGS, + KCM_OP_CHOWN, + KCM_OP_CHMOD, + KCM_OP_GET_INITIAL_TICKET, + KCM_OP_GET_TICKET, + KCM_OP_MAX +} kcm_operation; + +#define _PATH_KCM_SOCKET "/var/run/.kcm_socket" +#define _PATH_KCM_DOOR "/var/run/.kcm_door" + +#endif /* __KCM_H__ */ + diff --git a/crypto/heimdal/lib/krb5/kerberos.8 b/crypto/heimdal/lib/krb5/kerberos.8 index b0b4980778bd..e45c947d10c8 100644 --- a/crypto/heimdal/lib/krb5/kerberos.8 +++ b/crypto/heimdal/lib/krb5/kerberos.8 @@ -1,35 +1,35 @@ .\" Copyright (c) 2000 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $Id: kerberos.8,v 1.6 2003/03/10 02:19:23 lha Exp $ +.\" $Id: kerberos.8 16121 2005-10-03 14:24:36Z lha $ .\" .Dd September 1, 2000 .Dt KERBEROS 8 @@ -94,11 +94,14 @@ filesystem. The problems with version 4 are that it has many limitations, the code was not too well written (since it had been developed over a long time), and it has a number of known security problems. To resolve many -of these issues work on version five started, and resulted in IETF -RFC1510 in 1993. Since then much work has been put into the further -development, and a new RFC will hopefully appear soon. +of these issues work on version five started, and resulted in IETF RFC +1510 in 1993. IETF RFC 1510 was obsoleted in 2005 with IETF RFC 4120, +also known as Kerberos clarifications. With the arrival of IETF RFC +4120, the work on adding extensibility and internationalization have +started (Kerberos extensions), and a new RFC will hopefully appear +soon. .Pp -This manual manual page is part of the +This manual page is part of the .Nm Heimdal Kerberos 5 distribution, which has been in development at the Royal Institute of Technology in Stockholm, Sweden, since about 1997. diff --git a/crypto/heimdal/lib/krb5/keyblock.c b/crypto/heimdal/lib/krb5/keyblock.c index 7eb7067aabe4..ff4f972e57d7 100644 --- a/crypto/heimdal/lib/krb5/keyblock.c +++ b/crypto/heimdal/lib/krb5/keyblock.c @@ -33,9 +33,16 @@ #include "krb5_locl.h" -RCSID("$Id: keyblock.c,v 1.12 2001/05/14 06:14:48 assar Exp $"); +RCSID("$Id: keyblock.c 15167 2005-05-18 04:21:57Z lha $"); -void +void KRB5_LIB_FUNCTION +krb5_keyblock_zero(krb5_keyblock *keyblock) +{ + keyblock->keytype = 0; + krb5_data_zero(&keyblock->keyvalue); +} + +void KRB5_LIB_FUNCTION krb5_free_keyblock_contents(krb5_context context, krb5_keyblock *keyblock) { @@ -43,10 +50,11 @@ krb5_free_keyblock_contents(krb5_context context, if (keyblock->keyvalue.data != NULL) memset(keyblock->keyvalue.data, 0, keyblock->keyvalue.length); krb5_data_free (&keyblock->keyvalue); + keyblock->keytype = ENCTYPE_NULL; } } -void +void KRB5_LIB_FUNCTION krb5_free_keyblock(krb5_context context, krb5_keyblock *keyblock) { @@ -56,7 +64,7 @@ krb5_free_keyblock(krb5_context context, } } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_keyblock_contents (krb5_context context, const krb5_keyblock *inblock, krb5_keyblock *to) @@ -64,7 +72,7 @@ krb5_copy_keyblock_contents (krb5_context context, return copy_EncryptionKey(inblock, to); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_keyblock (krb5_context context, const krb5_keyblock *inblock, krb5_keyblock **to) @@ -79,3 +87,47 @@ krb5_copy_keyblock (krb5_context context, *to = k; return krb5_copy_keyblock_contents (context, inblock, k); } + +krb5_enctype +krb5_keyblock_get_enctype(const krb5_keyblock *block) +{ + return block->keytype; +} + +/* + * Fill in `key' with key data of type `enctype' from `data' of length + * `size'. Key should be freed using krb5_free_keyblock_contents. + */ + +krb5_error_code KRB5_LIB_FUNCTION +krb5_keyblock_init(krb5_context context, + krb5_enctype type, + const void *data, + size_t size, + krb5_keyblock *key) +{ + krb5_error_code ret; + size_t len; + + memset(key, 0, sizeof(*key)); + + ret = krb5_enctype_keysize(context, type, &len); + if (ret) + return ret; + + if (len != size) { + krb5_set_error_string(context, "Encryption key %d is %lu bytes " + "long, %lu was passed in", + type, (unsigned long)len, (unsigned long)size); + return KRB5_PROG_ETYPE_NOSUPP; + } + ret = krb5_data_copy(&key->keyvalue, data, len); + if(ret) { + krb5_set_error_string(context, "malloc failed: %lu", + (unsigned long)len); + return ret; + } + key->keytype = type; + + return 0; +} diff --git a/crypto/heimdal/lib/krb5/keytab.c b/crypto/heimdal/lib/krb5/keytab.c index 9adf99bc0803..f6c7858c12ec 100644 --- a/crypto/heimdal/lib/krb5/keytab.c +++ b/crypto/heimdal/lib/krb5/keytab.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,14 +33,14 @@ #include "krb5_locl.h" -RCSID("$Id: keytab.c,v 1.55 2003/03/27 03:45:01 lha Exp $"); +RCSID("$Id: keytab.c 20211 2007-02-09 07:11:03Z lha $"); /* * Register a new keytab in `ops' * Return 0 or an error. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_register(krb5_context context, const krb5_kt_ops *ops) { @@ -48,7 +48,7 @@ krb5_kt_register(krb5_context context, if (strlen(ops->prefix) > KRB5_KT_PREFIX_MAX_LEN - 1) { krb5_set_error_string(context, "krb5_kt_register; prefix too long"); - return KRB5_KT_NAME_TOOLONG; + return KRB5_KT_BADNAME; } tmp = realloc(context->kt_types, @@ -70,7 +70,7 @@ krb5_kt_register(krb5_context context, * Return 0 or an error */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_resolve(krb5_context context, const char *name, krb5_keytab *id) @@ -123,7 +123,7 @@ krb5_kt_resolve(krb5_context context, * Return 0 or KRB5_CONFIG_NOTENUFSPACE if `namesize' is too short. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_default_name(krb5_context context, char *name, size_t namesize) { if (strlcpy (name, context->default_keytab, namesize) >= namesize) { @@ -138,7 +138,7 @@ krb5_kt_default_name(krb5_context context, char *name, size_t namesize) * Return 0 or KRB5_CONFIG_NOTENUFSPACE if `namesize' is too short. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_default_modify_name(krb5_context context, char *name, size_t namesize) { const char *kt = NULL; @@ -169,7 +169,7 @@ krb5_kt_default_modify_name(krb5_context context, char *name, size_t namesize) * Return 0 or an error. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_default(krb5_context context, krb5_keytab *id) { return krb5_kt_resolve (context, context->default_keytab, id); @@ -181,7 +181,7 @@ krb5_kt_default(krb5_context context, krb5_keytab *id) * Return 0 or an error. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_read_service_key(krb5_context context, krb5_pointer keyprocarg, krb5_principal principal, @@ -215,7 +215,7 @@ krb5_kt_read_service_key(krb5_context context, * `prefixsize'. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_get_type(krb5_context context, krb5_keytab keytab, char *prefix, @@ -230,7 +230,7 @@ krb5_kt_get_type(krb5_context context, * Return 0 or an error. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_get_name(krb5_context context, krb5_keytab keytab, char *name, @@ -240,19 +240,53 @@ krb5_kt_get_name(krb5_context context, } /* - * Finish using the keytab in `id'. All resources will be released. - * Return 0 or an error. + * Retrieve the full name of the keytab `keytab' and store the name in + * `str'. `str' needs to be freed by the caller using free(3). + * Returns 0 or an error. On error, *str is set to NULL. + */ + +krb5_error_code KRB5_LIB_FUNCTION +krb5_kt_get_full_name(krb5_context context, + krb5_keytab keytab, + char **str) +{ + char type[KRB5_KT_PREFIX_MAX_LEN]; + char name[MAXPATHLEN]; + krb5_error_code ret; + + *str = NULL; + + ret = krb5_kt_get_type(context, keytab, type, sizeof(type)); + if (ret) + return ret; + + ret = krb5_kt_get_name(context, keytab, name, sizeof(name)); + if (ret) + return ret; + + if (asprintf(str, "%s:%s", type, name) == -1) { + krb5_set_error_string(context, "malloc - out of memory"); + *str = NULL; + return ENOMEM; + } + + return 0; +} + +/* + * Finish using the keytab in `id'. All resources will be released, + * even on errors. Return 0 or an error. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_close(krb5_context context, krb5_keytab id) { krb5_error_code ret; ret = (*id->close)(context, id); - if(ret == 0) - free(id); + memset(id, 0, sizeof(*id)); + free(id); return ret; } @@ -262,7 +296,7 @@ krb5_kt_close(krb5_context context, * Return TRUE if they compare the same, FALSE otherwise. */ -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_kt_compare(krb5_context context, krb5_keytab_entry *entry, krb5_const_principal principal, @@ -286,7 +320,7 @@ krb5_kt_compare(krb5_context context, * Return 0 or an error. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_get_entry(krb5_context context, krb5_keytab id, krb5_const_principal principal, @@ -302,8 +336,10 @@ krb5_kt_get_entry(krb5_context context, return (*id->get)(context, id, principal, kvno, enctype, entry); ret = krb5_kt_start_seq_get (context, id, &cursor); - if (ret) + if (ret) { + krb5_clear_error_string(context); return KRB5_KT_NOTFOUND; /* XXX i.e. file not found */ + } entry->vno = 0; while (krb5_kt_next_entry(context, id, &tmp, &cursor) == 0) { @@ -328,10 +364,12 @@ krb5_kt_get_entry(krb5_context context, if (entry->vno) { return 0; } else { - char princ[256], kt_name[256], kvno_str[25]; + char princ[256], kvno_str[25], *kt_name; + char *enctype_str = NULL; krb5_unparse_name_fixed (context, principal, princ, sizeof(princ)); - krb5_kt_get_name (context, id, kt_name, sizeof(kt_name)); + krb5_kt_get_full_name (context, id, &kt_name); + krb5_enctype_to_string(context, enctype, &enctype_str); if (kvno) snprintf(kvno_str, sizeof(kvno_str), "(kvno %d)", kvno); @@ -339,10 +377,13 @@ krb5_kt_get_entry(krb5_context context, kvno_str[0] = '\0'; krb5_set_error_string (context, - "failed to find %s%s in keytab %s", + "Failed to find %s%s in keytab %s (%s)", princ, kvno_str, - kt_name); + kt_name ? kt_name : "unknown keytab", + enctype_str ? enctype_str : "unknown enctype"); + free(kt_name); + free(enctype_str); return KRB5_KT_NOTFOUND; } } @@ -351,7 +392,7 @@ krb5_kt_get_entry(krb5_context context, * Copy the contents of `in' into `out'. * Return 0 or an error. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_copy_entry_contents(krb5_context context, const krb5_keytab_entry *in, krb5_keytab_entry *out) @@ -380,40 +421,22 @@ fail: * Free the contents of `entry'. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *entry) { - krb5_free_principal (context, entry->principal); - krb5_free_keyblock_contents (context, &entry->keyblock); - return 0; -} - -#if 0 -static int -xxxlock(int fd, int write) -{ - if(flock(fd, (write ? LOCK_EX : LOCK_SH) | LOCK_NB) < 0) { - sleep(1); - if(flock(fd, (write ? LOCK_EX : LOCK_SH) | LOCK_NB) < 0) - return -1; - } + krb5_free_principal (context, entry->principal); + krb5_free_keyblock_contents (context, &entry->keyblock); + memset(entry, 0, sizeof(*entry)); return 0; } -static void -xxxunlock(int fd) -{ - flock(fd, LOCK_UN); -} -#endif - /* * Set `cursor' to point at the beginning of `id'. * Return 0 or an error. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_start_seq_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *cursor) @@ -433,7 +456,7 @@ krb5_kt_start_seq_get(krb5_context context, * Return 0 or an error. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_next_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry, @@ -452,7 +475,7 @@ krb5_kt_next_entry(krb5_context context, * Release all resources associated with `cursor'. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_end_seq_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *cursor) @@ -471,7 +494,7 @@ krb5_kt_end_seq_get(krb5_context context, * Return 0 or an error. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_add_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry) @@ -490,7 +513,7 @@ krb5_kt_add_entry(krb5_context context, * Return 0 or an error. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_remove_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry) diff --git a/crypto/heimdal/lib/krb5/keytab_any.c b/crypto/heimdal/lib/krb5/keytab_any.c index 667788c69d4d..54272d48453f 100644 --- a/crypto/heimdal/lib/krb5/keytab_any.c +++ b/crypto/heimdal/lib/krb5/keytab_any.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: keytab_any.c,v 1.7 2002/10/21 13:36:59 joda Exp $"); +RCSID("$Id: keytab_any.c 17035 2006-04-10 09:20:13Z lha $"); struct any_data { krb5_keytab kt; @@ -162,23 +162,22 @@ any_next_entry (krb5_context context, ret = krb5_kt_next_entry(context, ed->a->kt, entry, &ed->cursor); if (ret == 0) return 0; - else if (ret == KRB5_KT_END) { - ret2 = krb5_kt_end_seq_get (context, ed->a->kt, &ed->cursor); - if (ret2) - return ret2; - while ((ed->a = ed->a->next) != NULL) { - ret2 = krb5_kt_start_seq_get(context, ed->a->kt, &ed->cursor); - if (ret2 == 0) - break; - } - if (ed->a == NULL) { - krb5_clear_error_string (context); - return KRB5_KT_END; - } - } else + else if (ret != KRB5_KT_END) return ret; - } while (ret == KRB5_KT_END); - return ret; + + ret2 = krb5_kt_end_seq_get (context, ed->a->kt, &ed->cursor); + if (ret2) + return ret2; + while ((ed->a = ed->a->next) != NULL) { + ret2 = krb5_kt_start_seq_get(context, ed->a->kt, &ed->cursor); + if (ret2 == 0) + break; + } + if (ed->a == NULL) { + krb5_clear_error_string (context); + return KRB5_KT_END; + } + } while (1); } static krb5_error_code diff --git a/crypto/heimdal/lib/krb5/keytab_file.c b/crypto/heimdal/lib/krb5/keytab_file.c index f2ff53867cc8..4ada3a463ea8 100644 --- a/crypto/heimdal/lib/krb5/keytab_file.c +++ b/crypto/heimdal/lib/krb5/keytab_file.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,16 +33,20 @@ #include "krb5_locl.h" -RCSID("$Id: keytab_file.c,v 1.12 2002/09/24 16:43:30 joda Exp $"); +RCSID("$Id: keytab_file.c 17457 2006-05-05 12:36:57Z lha $"); #define KRB5_KT_VNO_1 1 #define KRB5_KT_VNO_2 2 #define KRB5_KT_VNO KRB5_KT_VNO_2 +#define KRB5_KT_FL_JAVA 1 + + /* file operations -------------------------------------------- */ struct fkt_data { char *filename; + int flags; }; static krb5_error_code @@ -70,7 +74,7 @@ krb5_kt_ret_data(krb5_context context, static krb5_error_code krb5_kt_ret_string(krb5_context context, krb5_storage *sp, - general_string *data) + heim_general_string *data) { int ret; int16_t size; @@ -109,7 +113,7 @@ krb5_kt_store_data(krb5_context context, static krb5_error_code krb5_kt_store_string(krb5_storage *sp, - general_string data) + heim_general_string data) { int ret; size_t len = strlen(data); @@ -160,7 +164,7 @@ krb5_kt_ret_principal(krb5_context context, int i; int ret; krb5_principal p; - int16_t tmp; + int16_t len; ALLOC(p, 1); if(p == NULL) { @@ -168,25 +172,34 @@ krb5_kt_ret_principal(krb5_context context, return ENOMEM; } - ret = krb5_ret_int16(sp, &tmp); - if(ret) - return ret; + ret = krb5_ret_int16(sp, &len); + if(ret) { + krb5_set_error_string(context, + "Failed decoding length of keytab principal"); + goto out; + } if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS)) - tmp--; - p->name.name_string.len = tmp; + len--; + if (len < 0) { + krb5_set_error_string(context, + "Keytab principal contains invalid length"); + ret = KRB5_KT_END; + goto out; + } ret = krb5_kt_ret_string(context, sp, &p->realm); if(ret) - return ret; - p->name.name_string.val = calloc(p->name.name_string.len, - sizeof(*p->name.name_string.val)); + goto out; + p->name.name_string.val = calloc(len, sizeof(*p->name.name_string.val)); if(p->name.name_string.val == NULL) { krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; + ret = ENOMEM; + goto out; } + p->name.name_string.len = len; for(i = 0; i < p->name.name_string.len; i++){ ret = krb5_kt_ret_string(context, sp, p->name.name_string.val + i); if(ret) - return ret; + goto out; } if (krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE)) p->name.name_type = KRB5_NT_UNKNOWN; @@ -195,10 +208,13 @@ krb5_kt_ret_principal(krb5_context context, ret = krb5_ret_int32(sp, &tmp32); p->name.name_type = tmp32; if (ret) - return ret; + goto out; } *princ = p; return 0; +out: + krb5_free_principal(context, p); + return ret; } static krb5_error_code @@ -246,11 +262,25 @@ fkt_resolve(krb5_context context, const char *name, krb5_keytab id) krb5_set_error_string (context, "malloc: out of memory"); return ENOMEM; } + d->flags = 0; id->data = d; return 0; } static krb5_error_code +fkt_resolve_java14(krb5_context context, const char *name, krb5_keytab id) +{ + krb5_error_code ret; + + ret = fkt_resolve(context, name, id); + if (ret == 0) { + struct fkt_data *d = id->data; + d->flags |= KRB5_KT_FL_JAVA; + } + return ret; +} + +static krb5_error_code fkt_close(krb5_context context, krb5_keytab id) { struct fkt_data *d = id->data; @@ -294,6 +324,7 @@ static krb5_error_code fkt_start_seq_get_int(krb5_context context, krb5_keytab id, int flags, + int exclusive, krb5_kt_cursor *c) { int8_t pvno, tag; @@ -307,16 +338,30 @@ fkt_start_seq_get_int(krb5_context context, strerror(ret)); return ret; } + ret = _krb5_xlock(context, c->fd, exclusive, d->filename); + if (ret) { + close(c->fd); + return ret; + } c->sp = krb5_storage_from_fd(c->fd); + if (c->sp == NULL) { + _krb5_xunlock(context, c->fd); + close(c->fd); + krb5_set_error_string (context, "malloc: out of memory"); + return ENOMEM; + } krb5_storage_set_eof_code(c->sp, KRB5_KT_END); ret = krb5_ret_int8(c->sp, &pvno); if(ret) { krb5_storage_free(c->sp); + _krb5_xunlock(context, c->fd); close(c->fd); + krb5_clear_error_string(context); return ret; } if(pvno != 5) { krb5_storage_free(c->sp); + _krb5_xunlock(context, c->fd); close(c->fd); krb5_clear_error_string (context); return KRB5_KEYTAB_BADVNO; @@ -324,7 +369,9 @@ fkt_start_seq_get_int(krb5_context context, ret = krb5_ret_int8(c->sp, &tag); if (ret) { krb5_storage_free(c->sp); + _krb5_xunlock(context, c->fd); close(c->fd); + krb5_clear_error_string(context); return ret; } id->version = tag; @@ -337,7 +384,7 @@ fkt_start_seq_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *c) { - return fkt_start_seq_get_int(context, id, O_RDONLY | O_BINARY, c); + return fkt_start_seq_get_int(context, id, O_RDONLY | O_BINARY, 0, c); } static krb5_error_code @@ -381,14 +428,14 @@ loop: * if it's zero, assume that the 8bit one was right, * otherwise trust the new value */ curpos = krb5_storage_seek(cursor->sp, 0, SEEK_CUR); - if(len + 4 + pos - curpos == 4) { + if(len + 4 + pos - curpos >= 4) { ret = krb5_ret_int32(cursor->sp, &tmp32); if (ret == 0 && tmp32 != 0) { entry->vno = tmp32; } } if(start) *start = pos; - if(end) *end = *start + 4 + len; + if(end) *end = pos + 4 + len; out: krb5_storage_seek(cursor->sp, pos + 4 + len, SEEK_SET); return ret; @@ -409,6 +456,7 @@ fkt_end_seq_get(krb5_context context, krb5_kt_cursor *cursor) { krb5_storage_free(cursor->sp); + _krb5_xunlock(context, cursor->fd); close(cursor->fd); return 0; } @@ -448,17 +496,25 @@ fkt_add_entry(krb5_context context, strerror(ret)); return ret; } + ret = _krb5_xlock(context, fd, 1, d->filename); + if (ret) { + close(fd); + return ret; + } sp = krb5_storage_from_fd(fd); krb5_storage_set_eof_code(sp, KRB5_KT_END); ret = fkt_setup_keytab(context, id, sp); if(ret) { - krb5_storage_free(sp); - close(fd); - return ret; + goto out; } storage_set_flags(context, sp, id->version); } else { int8_t pvno, tag; + ret = _krb5_xlock(context, fd, 1, d->filename); + if (ret) { + close(fd); + return ret; + } sp = krb5_storage_from_fd(fd); krb5_storage_set_eof_code(sp, KRB5_KT_END); ret = krb5_ret_int8(sp, &pvno); @@ -469,28 +525,21 @@ fkt_add_entry(krb5_context context, if(ret) { krb5_set_error_string(context, "%s: keytab is corrupted: %s", d->filename, strerror(ret)); - krb5_storage_free(sp); - close(fd); - return ret; + goto out; } storage_set_flags(context, sp, id->version); } else { if(pvno != 5) { - krb5_storage_free(sp); - close(fd); - krb5_clear_error_string (context); ret = KRB5_KEYTAB_BADVNO; krb5_set_error_string(context, "%s: %s", d->filename, strerror(ret)); - return ret; + goto out; } ret = krb5_ret_int8 (sp, &tag); if (ret) { krb5_set_error_string(context, "%s: reading tag: %s", d->filename, strerror(ret)); - krb5_storage_free(sp); - close(fd); - return ret; + goto out; } id->version = tag; storage_set_flags(context, sp, id->version); @@ -525,10 +574,12 @@ fkt_add_entry(krb5_context context, krb5_storage_free(emem); goto out; } - ret = krb5_store_int32 (emem, entry->vno); - if (ret) { - krb5_storage_free(emem); - goto out; + if ((d->flags & KRB5_KT_FL_JAVA) == 0) { + ret = krb5_store_int32 (emem, entry->vno); + if (ret) { + krb5_storage_free(emem); + goto out; + } } ret = krb5_storage_to_data(emem, &keytab); @@ -559,6 +610,7 @@ fkt_add_entry(krb5_context context, krb5_data_free(&keytab); out: krb5_storage_free(sp); + _krb5_xunlock(context, fd); close(fd); return ret; } @@ -574,7 +626,7 @@ fkt_remove_entry(krb5_context context, int found = 0; krb5_error_code ret; - ret = fkt_start_seq_get_int(context, id, O_RDWR | O_BINARY, &cursor); + ret = fkt_start_seq_get_int(context, id, O_RDWR | O_BINARY, 1, &cursor); if(ret != 0) goto out; /* return other error here? */ while(fkt_next_entry_int(context, id, &e, &cursor, @@ -593,6 +645,7 @@ fkt_remove_entry(krb5_context context, len -= min(len, sizeof(buf)); } } + krb5_kt_free_entry(context, &e); } krb5_kt_end_seq_get(context, id, &cursor); out: @@ -615,3 +668,29 @@ const krb5_kt_ops krb5_fkt_ops = { fkt_add_entry, fkt_remove_entry }; + +const krb5_kt_ops krb5_wrfkt_ops = { + "WRFILE", + fkt_resolve, + fkt_get_name, + fkt_close, + NULL, /* get */ + fkt_start_seq_get, + fkt_next_entry, + fkt_end_seq_get, + fkt_add_entry, + fkt_remove_entry +}; + +const krb5_kt_ops krb5_javakt_ops = { + "JAVA14", + fkt_resolve_java14, + fkt_get_name, + fkt_close, + NULL, /* get */ + fkt_start_seq_get, + fkt_next_entry, + fkt_end_seq_get, + fkt_add_entry, + fkt_remove_entry +}; diff --git a/crypto/heimdal/lib/krb5/keytab_keyfile.c b/crypto/heimdal/lib/krb5/keytab_keyfile.c index aca930fa5595..77455ba5f7c2 100644 --- a/crypto/heimdal/lib/krb5/keytab_keyfile.c +++ b/crypto/heimdal/lib/krb5/keytab_keyfile.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: keytab_keyfile.c,v 1.15 2002/10/21 15:42:06 joda Exp $"); +RCSID("$Id: keytab_keyfile.c 20695 2007-05-30 14:09:09Z lha $"); /* afs keyfile operations --------------------------------------- */ @@ -63,8 +63,7 @@ struct akf_data { */ static int -get_cell_and_realm (krb5_context context, - struct akf_data *d) +get_cell_and_realm (krb5_context context, struct akf_data *d) { FILE *f; char buf[BUFSIZ], *cp; @@ -94,6 +93,8 @@ get_cell_and_realm (krb5_context context, f = fopen (AFS_SERVERMAGICKRBCONF, "r"); if (f != NULL) { if (fgets (buf, sizeof(buf), f) == NULL) { + free (d->cell); + d->cell = NULL; fclose (f); krb5_set_error_string (context, "no realm in %s", AFS_SERVERMAGICKRBCONF); @@ -104,11 +105,12 @@ get_cell_and_realm (krb5_context context, } /* uppercase */ for (cp = buf; *cp != '\0'; cp++) - *cp = toupper(*cp); + *cp = toupper((unsigned char)*cp); d->realm = strdup (buf); if (d->realm == NULL) { free (d->cell); + d->cell = NULL; krb5_set_error_string (context, "malloc: out of memory"); return ENOMEM; } @@ -288,9 +290,16 @@ akf_add_entry(krb5_context context, krb5_storage *sp; - if (entry->keyblock.keyvalue.length != 8 - || entry->keyblock.keytype != ETYPE_DES_CBC_MD5) + if (entry->keyblock.keyvalue.length != 8) return 0; + switch(entry->keyblock.keytype) { + case ETYPE_DES_CBC_CRC: + case ETYPE_DES_CBC_MD4: + case ETYPE_DES_CBC_MD5: + break; + default: + return 0; + } fd = open (d->filename, O_RDWR | O_BINARY); if (fd < 0) { @@ -329,50 +338,72 @@ akf_add_entry(krb5_context context, return ret; } } + + /* + * Make sure we don't add the entry twice, assumes the DES + * encryption types are all the same key. + */ + if (len > 0) { + int32_t kvno; + int i; + + for (i = 0; i < len; i++) { + ret = krb5_ret_int32(sp, &kvno); + if (ret) { + krb5_set_error_string (context, "Failed to get kvno "); + goto out; + } + if(krb5_storage_seek(sp, 8, SEEK_CUR) < 0) { + krb5_set_error_string (context, "seek: %s", strerror(ret)); + goto out; + } + if (kvno == entry->vno) { + ret = 0; + goto out; + } + } + } + len++; if(krb5_storage_seek(sp, 0, SEEK_SET) < 0) { ret = errno; - krb5_storage_free(sp); - close(fd); krb5_set_error_string (context, "seek: %s", strerror(ret)); - return ret; + goto out; } ret = krb5_store_int32(sp, len); if(ret) { - krb5_storage_free(sp); - close(fd); + krb5_set_error_string(context, "keytab keyfile failed new length"); return ret; } - if(krb5_storage_seek(sp, (len - 1) * (8 + 4), SEEK_CUR) < 0) { ret = errno; - krb5_storage_free(sp); - close(fd); - krb5_set_error_string (context, "seek: %s", strerror(ret)); - return ret; + krb5_set_error_string (context, "seek to end: %s", strerror(ret)); + goto out; } ret = krb5_store_int32(sp, entry->vno); if(ret) { - krb5_storage_free(sp); - close(fd); - return ret; + krb5_set_error_string(context, "keytab keyfile failed store kvno"); + goto out; } ret = krb5_storage_write(sp, entry->keyblock.keyvalue.data, entry->keyblock.keyvalue.length); if(ret != entry->keyblock.keyvalue.length) { - krb5_storage_free(sp); - close(fd); - if(ret < 0) - return errno; - return ENOTTY; + if (ret < 0) + ret = errno; + else + ret = ENOTTY; + krb5_set_error_string(context, "keytab keyfile failed to add key"); + goto out; } + ret = 0; +out: krb5_storage_free(sp); close (fd); - return 0; + return ret; } const krb5_kt_ops krb5_akf_ops = { diff --git a/crypto/heimdal/lib/krb5/keytab_krb4.c b/crypto/heimdal/lib/krb5/keytab_krb4.c index 2405f8256ae7..907836c144f7 100644 --- a/crypto/heimdal/lib/krb5/keytab_krb4.c +++ b/crypto/heimdal/lib/krb5/keytab_krb4.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: keytab_krb4.c,v 1.10 2002/04/18 14:04:46 joda Exp $"); +RCSID("$Id: keytab_krb4.c 17046 2006-04-10 17:10:53Z lha $"); struct krb4_kt_data { char *filename; @@ -139,6 +139,11 @@ krb4_kt_start_seq_get_int (krb5_context context, return ret; } c->sp = krb5_storage_from_fd(c->fd); + if(c->sp == NULL) { + close(c->fd); + free(ed); + return ENOMEM; + } krb5_storage_set_eof_code(c->sp, KRB5_KT_END); return 0; } @@ -157,10 +162,10 @@ read_v4_entry (krb5_context context, krb5_kt_cursor *c, struct krb4_cursor_extra_data *ed) { + unsigned char des_key[8]; krb5_error_code ret; char *service, *instance, *realm; int8_t kvno; - des_cblock key; ret = krb5_ret_stringz(c->sp, &service); if (ret) @@ -188,7 +193,7 @@ read_v4_entry (krb5_context context, krb5_free_principal (context, ed->entry.principal); return ret; } - ret = krb5_storage_read(c->sp, key, 8); + ret = krb5_storage_read(c->sp, des_key, sizeof(des_key)); if (ret < 0) { krb5_free_principal(context, ed->entry.principal); return ret; @@ -199,7 +204,7 @@ read_v4_entry (krb5_context context, } ed->entry.vno = kvno; ret = krb5_data_copy (&ed->entry.keyblock.keyvalue, - key, 8); + des_key, sizeof(des_key)); if (ret) return ret; ed->entry.timestamp = time(NULL); @@ -302,11 +307,11 @@ krb4_kt_add_entry (krb5_context context, } } sp = krb5_storage_from_fd(fd); - krb5_storage_set_eof_code(sp, KRB5_KT_END); if(sp == NULL) { close(fd); return ENOMEM; } + krb5_storage_set_eof_code(sp, KRB5_KT_END); ret = krb4_store_keytab_entry(context, entry, sp); krb5_storage_free(sp); if(close (fd) < 0) @@ -316,8 +321,8 @@ krb4_kt_add_entry (krb5_context context, static krb5_error_code krb4_kt_remove_entry(krb5_context context, - krb5_keytab id, - krb5_keytab_entry *entry) + krb5_keytab id, + krb5_keytab_entry *entry) { struct krb4_kt_data *d = id->data; krb5_error_code ret; @@ -327,17 +332,27 @@ krb4_kt_remove_entry(krb5_context context, int remove_flag = 0; sp = krb5_storage_emem(); + if (sp == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } ret = krb5_kt_start_seq_get(context, id, &cursor); + if (ret) { + krb5_storage_free(sp); + return ret; + } while(krb5_kt_next_entry(context, id, &e, &cursor) == 0) { if(!krb5_kt_compare(context, &e, entry->principal, entry->vno, entry->keyblock.keytype)) { ret = krb4_store_keytab_entry(context, &e, sp); if(ret) { + krb5_kt_free_entry(context, &e); krb5_storage_free(sp); return ret; } } else remove_flag = 1; + krb5_kt_free_entry(context, &e); } krb5_kt_end_seq_get(context, id, &cursor); if(remove_flag) { @@ -361,12 +376,14 @@ krb4_kt_remove_entry(krb5_context context, if(write(fd, data.data, data.length) != data.length) { memset(data.data, 0, data.length); + krb5_data_free(&data); close(fd); krb5_set_error_string(context, "failed writing to \"%s\"", d->filename); return errno; } memset(data.data, 0, data.length); if(fstat(fd, &st) < 0) { + krb5_data_free(&data); close(fd); krb5_set_error_string(context, "failed getting size of \"%s\"", d->filename); return errno; @@ -377,6 +394,7 @@ krb4_kt_remove_entry(krb5_context context, n = min(st.st_size, sizeof(buf)); n = write(fd, buf, n); if(n <= 0) { + krb5_data_free(&data); close(fd); krb5_set_error_string(context, "failed writing to \"%s\"", d->filename); return errno; @@ -385,6 +403,7 @@ krb4_kt_remove_entry(krb5_context context, st.st_size -= n; } if(ftruncate(fd, data.length) < 0) { + krb5_data_free(&data); close(fd); krb5_set_error_string(context, "failed truncating \"%s\"", d->filename); return errno; @@ -395,8 +414,10 @@ krb4_kt_remove_entry(krb5_context context, return errno; } return 0; - } else + } else { + krb5_storage_free(sp); return KRB5_KT_NOTFOUND; + } } diff --git a/crypto/heimdal/lib/krb5/keytab_memory.c b/crypto/heimdal/lib/krb5/keytab_memory.c index cde894335f60..0ad8720c3fb8 100644 --- a/crypto/heimdal/lib/krb5/keytab_memory.c +++ b/crypto/heimdal/lib/krb5/keytab_memory.c @@ -33,26 +33,64 @@ #include "krb5_locl.h" -RCSID("$Id: keytab_memory.c,v 1.5 2001/05/14 06:14:49 assar Exp $"); +RCSID("$Id: keytab_memory.c 16352 2005-12-05 18:39:46Z lha $"); /* memory operations -------------------------------------------- */ struct mkt_data { krb5_keytab_entry *entries; int num_entries; + char *name; + int refcount; + struct mkt_data *next; }; +/* this mutex protects mkt_head, ->refcount, and ->next + * content is not protected (name is static and need no protection) + */ +static HEIMDAL_MUTEX mkt_mutex = HEIMDAL_MUTEX_INITIALIZER; +static struct mkt_data *mkt_head; + + static krb5_error_code mkt_resolve(krb5_context context, const char *name, krb5_keytab id) { struct mkt_data *d; - d = malloc(sizeof(*d)); + + HEIMDAL_MUTEX_lock(&mkt_mutex); + + for (d = mkt_head; d != NULL; d = d->next) + if (strcmp(d->name, name) == 0) + break; + if (d) { + if (d->refcount < 1) + krb5_abortx(context, "Double close on memory keytab, " + "refcount < 1 %d", d->refcount); + d->refcount++; + id->data = d; + HEIMDAL_MUTEX_unlock(&mkt_mutex); + return 0; + } + + d = calloc(1, sizeof(*d)); if(d == NULL) { + HEIMDAL_MUTEX_unlock(&mkt_mutex); + krb5_set_error_string (context, "malloc: out of memory"); + return ENOMEM; + } + d->name = strdup(name); + if (d->name == NULL) { + HEIMDAL_MUTEX_unlock(&mkt_mutex); + free(d); krb5_set_error_string (context, "malloc: out of memory"); return ENOMEM; } d->entries = NULL; d->num_entries = 0; + d->refcount = 1; + d->next = mkt_head; + mkt_head = d; + HEIMDAL_MUTEX_unlock(&mkt_mutex); id->data = d; return 0; } @@ -60,8 +98,27 @@ mkt_resolve(krb5_context context, const char *name, krb5_keytab id) static krb5_error_code mkt_close(krb5_context context, krb5_keytab id) { - struct mkt_data *d = id->data; + struct mkt_data *d = id->data, **dp; int i; + + HEIMDAL_MUTEX_lock(&mkt_mutex); + if (d->refcount < 1) + krb5_abortx(context, + "krb5 internal error, memory keytab refcount < 1 on close"); + + if (--d->refcount > 0) { + HEIMDAL_MUTEX_unlock(&mkt_mutex); + return 0; + } + for (dp = &mkt_head; *dp != NULL; dp = &(*dp)->next) { + if (*dp == d) { + *dp = d->next; + break; + } + } + HEIMDAL_MUTEX_unlock(&mkt_mutex); + + free(d->name); for(i = 0; i < d->num_entries; i++) krb5_kt_free_entry(context, &d->entries[i]); free(d->entries); @@ -75,7 +132,8 @@ mkt_get_name(krb5_context context, char *name, size_t namesize) { - strlcpy(name, "", namesize); + struct mkt_data *d = id->data; + strlcpy(name, d->name, namesize); return 0; } @@ -133,7 +191,13 @@ mkt_remove_entry(krb5_context context, { struct mkt_data *d = id->data; krb5_keytab_entry *e, *end; + int found = 0; + if (d->num_entries == 0) { + krb5_clear_error_string(context); + return KRB5_KT_NOTFOUND; + } + /* do this backwards to minimize copying */ for(end = d->entries + d->num_entries, e = end - 1; e >= d->entries; e--) { if(krb5_kt_compare(context, e, entry->principal, @@ -143,10 +207,15 @@ mkt_remove_entry(krb5_context context, memset(end - 1, 0, sizeof(*end)); d->num_entries--; end--; + found = 1; } } + if (!found) { + krb5_clear_error_string (context); + return KRB5_KT_NOTFOUND; + } e = realloc(d->entries, d->num_entries * sizeof(*d->entries)); - if(e != NULL) + if(e != NULL || d->num_entries == 0) d->entries = e; return 0; } diff --git a/crypto/heimdal/lib/krb5/krb5-private.h b/crypto/heimdal/lib/krb5/krb5-private.h index 669e9547c5a0..7e04446fe07c 100644 --- a/crypto/heimdal/lib/krb5/krb5-private.h +++ b/crypto/heimdal/lib/krb5/krb5-private.h @@ -4,23 +4,51 @@ #include <stdarg.h> -void +void KRB5_LIB_FUNCTION _krb5_aes_cts_encrypt ( const unsigned char */*in*/, unsigned char */*out*/, size_t /*len*/, - const void */*aes_key*/, + const AES_KEY */*key*/, unsigned char */*ivec*/, - const int /*enc*/); + const int /*encryptp*/); + +krb5_error_code +_krb5_cc_allocate ( + krb5_context /*context*/, + const krb5_cc_ops */*ops*/, + krb5_ccache */*id*/); void _krb5_crc_init_table (void); -u_int32_t +uint32_t _krb5_crc_update ( const char */*p*/, size_t /*len*/, - u_int32_t /*res*/); + uint32_t /*res*/); + +krb5_error_code +_krb5_dh_group_ok ( + krb5_context /*context*/, + unsigned long /*bits*/, + heim_integer */*p*/, + heim_integer */*g*/, + heim_integer */*q*/, + struct krb5_dh_moduli **/*moduli*/, + char **/*name*/); + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_enctype_to_oid ( + krb5_context /*context*/, + krb5_enctype /*etype*/, + heim_oid */*oid*/); + +krb5_error_code +_krb5_expand_default_cc_name ( + krb5_context /*context*/, + const char */*str*/, + char **/*res*/); int _krb5_extract_ticket ( @@ -32,12 +60,47 @@ _krb5_extract_ticket ( krb5_key_usage /*key_usage*/, krb5_addresses */*addrs*/, unsigned /*nonce*/, - krb5_boolean /*allow_server_mismatch*/, - krb5_boolean /*ignore_cname*/, + unsigned /*flags*/, krb5_decrypt_proc /*decrypt_proc*/, krb5_const_pointer /*decryptarg*/); -krb5_ssize_t +void +_krb5_free_krbhst_info (krb5_krbhst_info */*hi*/); + +void +_krb5_free_moduli (struct krb5_dh_moduli **/*moduli*/); + +krb5_error_code +_krb5_get_default_principal_local ( + krb5_context /*context*/, + krb5_principal */*princ*/); + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_get_host_realm_int ( + krb5_context /*context*/, + const char */*host*/, + krb5_boolean /*use_dns*/, + krb5_realm **/*realms*/); + +krb5_error_code +_krb5_get_init_creds_opt_copy ( + krb5_context /*context*/, + const krb5_get_init_creds_opt */*in*/, + krb5_get_init_creds_opt **/*out*/); + +void KRB5_LIB_FUNCTION +_krb5_get_init_creds_opt_free_krb5_error (krb5_get_init_creds_opt */*opt*/); + +void KRB5_LIB_FUNCTION +_krb5_get_init_creds_opt_free_pkinit (krb5_get_init_creds_opt */*opt*/); + +void KRB5_LIB_FUNCTION +_krb5_get_init_creds_opt_set_krb5_error ( + krb5_context /*context*/, + krb5_get_init_creds_opt */*opt*/, + const KRB_ERROR */*error*/); + +krb5_ssize_t KRB5_LIB_FUNCTION _krb5_get_int ( void */*buffer*/, unsigned long */*value*/, @@ -50,44 +113,324 @@ _krb5_get_krbtgt ( krb5_realm /*realm*/, krb5_creds **/*cred*/); -time_t +krb5_error_code +_krb5_kcm_chmod ( + krb5_context /*context*/, + krb5_ccache /*id*/, + uint16_t /*mode*/); + +krb5_error_code +_krb5_kcm_chown ( + krb5_context /*context*/, + krb5_ccache /*id*/, + uint32_t /*uid*/, + uint32_t /*gid*/); + +krb5_error_code +_krb5_kcm_get_initial_ticket ( + krb5_context /*context*/, + krb5_ccache /*id*/, + krb5_principal /*server*/, + krb5_keyblock */*key*/); + +krb5_error_code +_krb5_kcm_get_ticket ( + krb5_context /*context*/, + krb5_ccache /*id*/, + krb5_kdc_flags /*flags*/, + krb5_enctype /*enctype*/, + krb5_principal /*server*/); + +krb5_boolean +_krb5_kcm_is_running (krb5_context /*context*/); + +krb5_error_code +_krb5_kcm_noop ( + krb5_context /*context*/, + krb5_ccache /*id*/); + +krb5_error_code +_krb5_kdc_retry ( + krb5_context /*context*/, + krb5_sendto_ctx /*ctx*/, + void */*data*/, + const krb5_data */*reply*/, + int */*action*/); + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_krb_cr_err_reply ( + krb5_context /*context*/, + const char */*name*/, + const char */*inst*/, + const char */*realm*/, + uint32_t /*time_ws*/, + uint32_t /*e*/, + const char */*e_string*/, + krb5_data */*data*/); + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_krb_create_auth_reply ( + krb5_context /*context*/, + const char */*pname*/, + const char */*pinst*/, + const char */*prealm*/, + int32_t /*time_ws*/, + int /*n*/, + uint32_t /*x_date*/, + unsigned char /*kvno*/, + const krb5_data */*cipher*/, + krb5_data */*data*/); + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_krb_create_ciph ( + krb5_context /*context*/, + const krb5_keyblock */*session*/, + const char */*service*/, + const char */*instance*/, + const char */*realm*/, + uint32_t /*life*/, + unsigned char /*kvno*/, + const krb5_data */*ticket*/, + uint32_t /*kdc_time*/, + const krb5_keyblock */*key*/, + krb5_data */*enc_data*/); + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_krb_create_ticket ( + krb5_context /*context*/, + unsigned char /*flags*/, + const char */*pname*/, + const char */*pinstance*/, + const char */*prealm*/, + int32_t /*paddress*/, + const krb5_keyblock */*session*/, + int16_t /*life*/, + int32_t /*life_sec*/, + const char */*sname*/, + const char */*sinstance*/, + const krb5_keyblock */*key*/, + krb5_data */*enc_data*/); + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_krb_decomp_ticket ( + krb5_context /*context*/, + const krb5_data */*enc_ticket*/, + const krb5_keyblock */*key*/, + const char */*local_realm*/, + char **/*sname*/, + char **/*sinstance*/, + struct _krb5_krb_auth_data */*ad*/); + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_krb_dest_tkt ( + krb5_context /*context*/, + const char */*tkfile*/); + +void KRB5_LIB_FUNCTION +_krb5_krb_free_auth_data ( + krb5_context /*context*/, + struct _krb5_krb_auth_data */*ad*/); + +time_t KRB5_LIB_FUNCTION _krb5_krb_life_to_time ( int /*start*/, int /*life_*/); -int +krb5_error_code KRB5_LIB_FUNCTION +_krb5_krb_rd_req ( + krb5_context /*context*/, + krb5_data */*authent*/, + const char */*service*/, + const char */*instance*/, + const char */*local_realm*/, + int32_t /*from_addr*/, + const krb5_keyblock */*key*/, + struct _krb5_krb_auth_data */*ad*/); + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_krb_tf_setup ( + krb5_context /*context*/, + struct credentials */*v4creds*/, + const char */*tkfile*/, + int /*append*/); + +int KRB5_LIB_FUNCTION _krb5_krb_time_to_life ( time_t /*start*/, time_t /*end*/); -void +krb5_error_code +_krb5_krbhost_info_move ( + krb5_context /*context*/, + krb5_krbhst_info */*from*/, + krb5_krbhst_info **/*to*/); + +krb5_error_code +_krb5_mk_req_internal ( + krb5_context /*context*/, + krb5_auth_context */*auth_context*/, + const krb5_flags /*ap_req_options*/, + krb5_data */*in_data*/, + krb5_creds */*in_creds*/, + krb5_data */*outbuf*/, + krb5_key_usage /*checksum_usage*/, + krb5_key_usage /*encrypt_usage*/); + +krb5_error_code KRB5_LIB_FUNCTION _krb5_n_fold ( const void */*str*/, size_t /*len*/, void */*key*/, size_t /*size*/); -krb5_ssize_t +krb5_error_code KRB5_LIB_FUNCTION +_krb5_oid_to_enctype ( + krb5_context /*context*/, + const heim_oid */*oid*/, + krb5_enctype */*etype*/); + +krb5_error_code +_krb5_pac_sign ( + krb5_context /*context*/, + krb5_pac /*p*/, + time_t /*authtime*/, + krb5_principal /*principal*/, + const krb5_keyblock */*server_key*/, + const krb5_keyblock */*priv_key*/, + krb5_data */*data*/); + +krb5_error_code +_krb5_parse_moduli ( + krb5_context /*context*/, + const char */*file*/, + struct krb5_dh_moduli ***/*moduli*/); + +krb5_error_code +_krb5_parse_moduli_line ( + krb5_context /*context*/, + const char */*file*/, + int /*lineno*/, + char */*p*/, + struct krb5_dh_moduli **/*m*/); + +void KRB5_LIB_FUNCTION +_krb5_pk_allow_proxy_certificate ( + struct krb5_pk_identity */*id*/, + int /*boolean*/); + +void KRB5_LIB_FUNCTION +_krb5_pk_cert_free (struct krb5_pk_cert */*cert*/); + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_pk_load_id ( + krb5_context /*context*/, + struct krb5_pk_identity **/*ret_id*/, + const char */*user_id*/, + const char */*anchor_id*/, + char * const */*chain_list*/, + char * const */*revoke_list*/, + krb5_prompter_fct /*prompter*/, + void */*prompter_data*/, + char */*password*/); + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_pk_mk_ContentInfo ( + krb5_context /*context*/, + const krb5_data */*buf*/, + const heim_oid */*oid*/, + struct ContentInfo */*content_info*/); + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_pk_mk_padata ( + krb5_context /*context*/, + void */*c*/, + const KDC_REQ_BODY */*req_body*/, + unsigned /*nonce*/, + METHOD_DATA */*md*/); + +krb5_error_code +_krb5_pk_octetstring2key ( + krb5_context /*context*/, + krb5_enctype /*type*/, + const void */*dhdata*/, + size_t /*dhsize*/, + const heim_octet_string */*c_n*/, + const heim_octet_string */*k_n*/, + krb5_keyblock */*key*/); + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_pk_rd_pa_reply ( + krb5_context /*context*/, + const char */*realm*/, + void */*c*/, + krb5_enctype /*etype*/, + const krb5_krbhst_info */*hi*/, + unsigned /*nonce*/, + const krb5_data */*req_buffer*/, + PA_DATA */*pa*/, + krb5_keyblock **/*key*/); + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_pk_verify_sign ( + krb5_context /*context*/, + const void */*data*/, + size_t /*length*/, + struct krb5_pk_identity */*id*/, + heim_oid */*contentType*/, + krb5_data */*content*/, + struct krb5_pk_cert **/*signer*/); + +krb5_error_code +_krb5_plugin_find ( + krb5_context /*context*/, + enum krb5_plugin_type /*type*/, + const char */*name*/, + struct krb5_plugin **/*list*/); + +void +_krb5_plugin_free (struct krb5_plugin */*list*/); + +struct krb5_plugin * +_krb5_plugin_get_next (struct krb5_plugin */*p*/); + +void * +_krb5_plugin_get_symbol (struct krb5_plugin */*p*/); + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_principal2principalname ( + PrincipalName */*p*/, + const krb5_principal /*from*/); + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_principalname2krb5_principal ( + krb5_context /*context*/, + krb5_principal */*principal*/, + const PrincipalName /*from*/, + const Realm /*realm*/); + +krb5_ssize_t KRB5_LIB_FUNCTION _krb5_put_int ( void */*buffer*/, unsigned long /*value*/, size_t /*size*/); -krb5_error_code -_krb5_store_creds_heimdal_0_7 ( - krb5_storage */*sp*/, - krb5_creds */*creds*/); +krb5_error_code KRB5_LIB_FUNCTION +_krb5_rd_req_out_ctx_alloc ( + krb5_context /*context*/, + krb5_rd_req_out_ctx */*ctx*/); -krb5_error_code -_krb5_store_creds_heimdal_pre_0_7 ( - krb5_storage */*sp*/, - krb5_creds */*creds*/); +krb5_error_code KRB5_LIB_FUNCTION +_krb5_s4u2self_to_checksumdata ( + krb5_context /*context*/, + const PA_S4U2Self */*self*/, + krb5_data */*data*/); -krb5_error_code -_krb5_store_creds_internal ( - krb5_storage */*sp*/, - krb5_creds */*creds*/, - int /*v0_6*/); +int +_krb5_send_and_recv_tcp ( + int /*fd*/, + time_t /*tmout*/, + const krb5_data */*req*/, + krb5_data */*rep*/); int _krb5_xlock ( @@ -97,6 +440,8 @@ _krb5_xlock ( const char */*filename*/); int -_krb5_xunlock (int /*fd*/); +_krb5_xunlock ( + krb5_context /*context*/, + int /*fd*/); #endif /* __krb5_private_h__ */ diff --git a/crypto/heimdal/lib/krb5/krb5-protos.h b/crypto/heimdal/lib/krb5/krb5-protos.h index 58788aebab53..647d8886b7cc 100644 --- a/crypto/heimdal/lib/krb5/krb5-protos.h +++ b/crypto/heimdal/lib/krb5/krb5-protos.h @@ -8,20 +8,32 @@ #define __attribute__(x) #endif -krb5_error_code +#ifdef __cplusplus +extern "C" { +#endif + +#ifndef KRB5_LIB_FUNCTION +#if defined(_WIN32) +#define KRB5_LIB_FUNCTION _stdcall +#else +#define KRB5_LIB_FUNCTION +#endif +#endif + +krb5_error_code KRB5_LIB_FUNCTION krb524_convert_creds_kdc ( krb5_context /*context*/, krb5_creds */*in_cred*/, struct credentials */*v4creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb524_convert_creds_kdc_ccache ( krb5_context /*context*/, krb5_ccache /*ccache*/, krb5_creds */*in_cred*/, struct credentials */*v4creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_425_conv_principal ( krb5_context /*context*/, const char */*name*/, @@ -29,7 +41,7 @@ krb5_425_conv_principal ( const char */*realm*/, krb5_principal */*princ*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_425_conv_principal_ext ( krb5_context /*context*/, const char */*name*/, @@ -37,9 +49,20 @@ krb5_425_conv_principal_ext ( const char */*realm*/, krb5_boolean (*/*func*/)(krb5_context, krb5_principal), krb5_boolean /*resolve*/, + krb5_principal */*principal*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_425_conv_principal_ext2 ( + krb5_context /*context*/, + const char */*name*/, + const char */*instance*/, + const char */*realm*/, + krb5_boolean (*/*func*/)(krb5_context, void *, krb5_principal), + void */*funcctx*/, + krb5_boolean /*resolve*/, krb5_principal */*princ*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_524_conv_principal ( krb5_context /*context*/, const krb5_principal /*principal*/, @@ -47,17 +70,7 @@ krb5_524_conv_principal ( char */*instance*/, char */*realm*/); -krb5_error_code -krb5_PKCS5_PBKDF2 ( - krb5_context /*context*/, - krb5_cksumtype /*cktype*/, - krb5_data /*password*/, - krb5_salt /*salt*/, - u_int32_t /*iter*/, - krb5_keytype /*type*/, - krb5_keyblock */*key*/); - -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_abort ( krb5_context /*context*/, krb5_error_code /*code*/, @@ -65,59 +78,59 @@ krb5_abort ( ...) __attribute__ ((noreturn, format (printf, 3, 4))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_abortx ( krb5_context /*context*/, const char */*fmt*/, ...) __attribute__ ((noreturn, format (printf, 2, 3))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_acl_match_file ( krb5_context /*context*/, const char */*file*/, const char */*format*/, ...); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_acl_match_string ( krb5_context /*context*/, const char */*string*/, const char */*format*/, ...); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_add_et_list ( krb5_context /*context*/, void (*/*func*/)(struct et_list **)); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_add_extra_addresses ( krb5_context /*context*/, krb5_addresses */*addresses*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_add_ignore_addresses ( krb5_context /*context*/, krb5_addresses */*addresses*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_addlog_dest ( krb5_context /*context*/, krb5_log_facility */*f*/, const char */*orig*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_addlog_func ( krb5_context /*context*/, krb5_log_facility */*fac*/, int /*min*/, int /*max*/, - krb5_log_log_func_t /*log*/, - krb5_log_close_func_t /*close*/, + krb5_log_log_func_t /*log_func*/, + krb5_log_close_func_t /*close_func*/, void */*data*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_addr2sockaddr ( krb5_context /*context*/, const krb5_address */*addr*/, @@ -125,32 +138,40 @@ krb5_addr2sockaddr ( krb5_socklen_t */*sa_size*/, int /*port*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_address_compare ( krb5_context /*context*/, const krb5_address */*addr1*/, const krb5_address */*addr2*/); -int +int KRB5_LIB_FUNCTION krb5_address_order ( krb5_context /*context*/, const krb5_address */*addr1*/, const krb5_address */*addr2*/); -krb5_boolean +krb5_error_code KRB5_LIB_FUNCTION +krb5_address_prefixlen_boundary ( + krb5_context /*context*/, + const krb5_address */*inaddr*/, + unsigned long /*prefixlen*/, + krb5_address */*low*/, + krb5_address */*high*/); + +krb5_boolean KRB5_LIB_FUNCTION krb5_address_search ( krb5_context /*context*/, const krb5_address */*addr*/, const krb5_addresses */*addrlist*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_aname_to_localname ( krb5_context /*context*/, krb5_const_principal /*aname*/, size_t /*lnsize*/, char */*lname*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_anyaddr ( krb5_context /*context*/, int /*af*/, @@ -158,7 +179,7 @@ krb5_anyaddr ( krb5_socklen_t */*sa_size*/, int /*port*/); -void +void KRB5_LIB_FUNCTION krb5_appdefault_boolean ( krb5_context /*context*/, const char */*appname*/, @@ -167,7 +188,7 @@ krb5_appdefault_boolean ( krb5_boolean /*def_val*/, krb5_boolean */*ret_val*/); -void +void KRB5_LIB_FUNCTION krb5_appdefault_string ( krb5_context /*context*/, const char */*appname*/, @@ -176,7 +197,7 @@ krb5_appdefault_string ( const char */*def_val*/, char **/*ret_val*/); -void +void KRB5_LIB_FUNCTION krb5_appdefault_time ( krb5_context /*context*/, const char */*appname*/, @@ -185,176 +206,190 @@ krb5_appdefault_time ( time_t /*def_val*/, time_t */*ret_val*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_append_addresses ( krb5_context /*context*/, krb5_addresses */*dest*/, const krb5_addresses */*source*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_auth_con_addflags ( + krb5_context /*context*/, + krb5_auth_context /*auth_context*/, + int32_t /*addflags*/, + int32_t */*flags*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_free ( krb5_context /*context*/, krb5_auth_context /*auth_context*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_genaddrs ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, int /*fd*/, int /*flags*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_generatelocalsubkey ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_keyblock */*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getaddrs ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_address **/*local_addr*/, krb5_address **/*remote_addr*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getauthenticator ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_authenticator */*authenticator*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getcksumtype ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_cksumtype */*cksumtype*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getflags ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, int32_t */*flags*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getkey ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_keyblock **/*keyblock*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getkeytype ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_keytype */*keytype*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getlocalseqnumber ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, int32_t */*seqnumber*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getlocalsubkey ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_keyblock **/*keyblock*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getrcache ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_rcache */*rcache*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getremotesubkey ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_keyblock **/*keyblock*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_init ( krb5_context /*context*/, krb5_auth_context */*auth_context*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_auth_con_removeflags ( + krb5_context /*context*/, + krb5_auth_context /*auth_context*/, + int32_t /*removeflags*/, + int32_t */*flags*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setaddrs ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_address */*local_addr*/, krb5_address */*remote_addr*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setaddrs_from_fd ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, void */*p_fd*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setcksumtype ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_cksumtype /*cksumtype*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setflags ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, int32_t /*flags*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setkey ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_keyblock */*keyblock*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setkeytype ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_keytype /*keytype*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setlocalseqnumber ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, int32_t /*seqnumber*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setlocalsubkey ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_keyblock */*keyblock*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setrcache ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_rcache /*rcache*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setremoteseqnumber ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, int32_t /*seqnumber*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setremotesubkey ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_keyblock */*keyblock*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setuserkey ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_keyblock */*keyblock*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_getremoteseqnumber ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, int32_t */*seqnumber*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_build_ap_req ( krb5_context /*context*/, krb5_enctype /*enctype*/, @@ -363,7 +398,7 @@ krb5_build_ap_req ( krb5_data /*authenticator*/, krb5_data */*retdata*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_build_authenticator ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, @@ -374,7 +409,7 @@ krb5_build_authenticator ( krb5_data */*result*/, krb5_key_usage /*usage*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_build_principal ( krb5_context /*context*/, krb5_principal */*principal*/, @@ -382,7 +417,7 @@ krb5_build_principal ( krb5_const_realm /*realm*/, ...); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_build_principal_ext ( krb5_context /*context*/, krb5_principal */*principal*/, @@ -390,7 +425,7 @@ krb5_build_principal_ext ( krb5_const_realm /*realm*/, ...); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_build_principal_va ( krb5_context /*context*/, krb5_principal */*principal*/, @@ -398,7 +433,7 @@ krb5_build_principal_va ( krb5_const_realm /*realm*/, va_list /*ap*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_build_principal_va_ext ( krb5_context /*context*/, krb5_principal */*principal*/, @@ -406,43 +441,199 @@ krb5_build_principal_va_ext ( krb5_const_realm /*realm*/, va_list /*ap*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_block_size ( + krb5_context /*context*/, + krb5_enctype /*enctype*/, + size_t */*blocksize*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_checksum_length ( + krb5_context /*context*/, + krb5_cksumtype /*cksumtype*/, + size_t */*length*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_decrypt ( + krb5_context /*context*/, + const krb5_keyblock /*key*/, + krb5_keyusage /*usage*/, + const krb5_data */*ivec*/, + krb5_enc_data */*input*/, + krb5_data */*output*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_encrypt ( + krb5_context /*context*/, + const krb5_keyblock */*key*/, + krb5_keyusage /*usage*/, + const krb5_data */*ivec*/, + const krb5_data */*input*/, + krb5_enc_data */*output*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_encrypt_length ( + krb5_context /*context*/, + krb5_enctype /*enctype*/, + size_t /*inputlen*/, + size_t */*length*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_enctype_compare ( + krb5_context /*context*/, + krb5_enctype /*e1*/, + krb5_enctype /*e2*/, + krb5_boolean */*similar*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_get_checksum ( + krb5_context /*context*/, + const krb5_checksum */*cksum*/, + krb5_cksumtype */*type*/, + krb5_data **/*data*/); + +krb5_boolean KRB5_LIB_FUNCTION +krb5_c_is_coll_proof_cksum (krb5_cksumtype /*ctype*/); + +krb5_boolean KRB5_LIB_FUNCTION +krb5_c_is_keyed_cksum (krb5_cksumtype /*ctype*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_keylengths ( + krb5_context /*context*/, + krb5_enctype /*enctype*/, + size_t */*ilen*/, + size_t */*keylen*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_make_checksum ( + krb5_context /*context*/, + krb5_cksumtype /*cksumtype*/, + const krb5_keyblock */*key*/, + krb5_keyusage /*usage*/, + const krb5_data */*input*/, + krb5_checksum */*cksum*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_make_random_key ( + krb5_context /*context*/, + krb5_enctype /*enctype*/, + krb5_keyblock */*random_key*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_prf ( + krb5_context /*context*/, + const krb5_keyblock */*key*/, + const krb5_data */*input*/, + krb5_data */*output*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_prf_length ( + krb5_context /*context*/, + krb5_enctype /*type*/, + size_t */*length*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_set_checksum ( + krb5_context /*context*/, + krb5_checksum */*cksum*/, + krb5_cksumtype /*type*/, + const krb5_data */*data*/); + +krb5_boolean KRB5_LIB_FUNCTION +krb5_c_valid_cksumtype (krb5_cksumtype /*ctype*/); + +krb5_boolean KRB5_LIB_FUNCTION +krb5_c_valid_enctype (krb5_enctype /*etype*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_verify_checksum ( + krb5_context /*context*/, + const krb5_keyblock */*key*/, + krb5_keyusage /*usage*/, + const krb5_data */*data*/, + const krb5_checksum */*cksum*/, + krb5_boolean */*valid*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_cc_cache_end_seq_get ( + krb5_context /*context*/, + krb5_cc_cache_cursor /*cursor*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_cc_cache_get_first ( + krb5_context /*context*/, + const char */*type*/, + krb5_cc_cache_cursor */*cursor*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_cc_cache_match ( + krb5_context /*context*/, + krb5_principal /*client*/, + const char */*type*/, + krb5_ccache */*id*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_cc_cache_next ( + krb5_context /*context*/, + krb5_cc_cache_cursor /*cursor*/, + krb5_ccache */*id*/); + +void KRB5_LIB_FUNCTION +krb5_cc_clear_mcred (krb5_creds */*mcred*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_close ( krb5_context /*context*/, krb5_ccache /*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_copy_cache ( krb5_context /*context*/, const krb5_ccache /*from*/, krb5_ccache /*to*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_cc_copy_cache_match ( + krb5_context /*context*/, + const krb5_ccache /*from*/, + krb5_ccache /*to*/, + krb5_flags /*whichfields*/, + const krb5_creds * /*mcreds*/, + unsigned int */*matched*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_default ( krb5_context /*context*/, krb5_ccache */*id*/); -const char* +const char* KRB5_LIB_FUNCTION krb5_cc_default_name (krb5_context /*context*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_destroy ( krb5_context /*context*/, krb5_ccache /*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_end_seq_get ( krb5_context /*context*/, const krb5_ccache /*id*/, krb5_cc_cursor */*cursor*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_gen_new ( krb5_context /*context*/, const krb5_cc_ops */*ops*/, krb5_ccache */*id*/); -const char* +krb5_error_code KRB5_LIB_FUNCTION +krb5_cc_get_full_name ( + krb5_context /*context*/, + krb5_ccache /*id*/, + char **/*str*/); + +const char* KRB5_LIB_FUNCTION krb5_cc_get_name ( krb5_context /*context*/, krb5_ccache /*id*/); @@ -452,55 +643,82 @@ krb5_cc_get_ops ( krb5_context /*context*/, krb5_ccache /*id*/); -krb5_error_code +const krb5_cc_ops * +krb5_cc_get_prefix_ops ( + krb5_context /*context*/, + const char */*prefix*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_get_principal ( krb5_context /*context*/, krb5_ccache /*id*/, krb5_principal */*principal*/); -const char* +const char* KRB5_LIB_FUNCTION krb5_cc_get_type ( krb5_context /*context*/, krb5_ccache /*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_get_version ( krb5_context /*context*/, const krb5_ccache /*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_initialize ( krb5_context /*context*/, krb5_ccache /*id*/, krb5_principal /*primary_principal*/); krb5_error_code +krb5_cc_move ( + krb5_context /*context*/, + krb5_ccache /*from*/, + krb5_ccache /*to*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_cc_new_unique ( + krb5_context /*context*/, + const char */*type*/, + const char */*hint*/, + krb5_ccache */*id*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_next_cred ( krb5_context /*context*/, const krb5_ccache /*id*/, krb5_cc_cursor */*cursor*/, krb5_creds */*creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_cc_next_cred_match ( + krb5_context /*context*/, + const krb5_ccache /*id*/, + krb5_cc_cursor * /*cursor*/, + krb5_creds * /*creds*/, + krb5_flags /*whichfields*/, + const krb5_creds * /*mcreds*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_register ( krb5_context /*context*/, const krb5_cc_ops */*ops*/, krb5_boolean /*override*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_remove_cred ( krb5_context /*context*/, krb5_ccache /*id*/, krb5_flags /*which*/, krb5_creds */*cred*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_resolve ( krb5_context /*context*/, const char */*name*/, krb5_ccache */*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_retrieve_cred ( krb5_context /*context*/, krb5_ccache /*id*/, @@ -508,39 +726,39 @@ krb5_cc_retrieve_cred ( const krb5_creds */*mcreds*/, krb5_creds */*creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_set_default_name ( krb5_context /*context*/, const char */*name*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_set_flags ( krb5_context /*context*/, krb5_ccache /*id*/, krb5_flags /*flags*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_start_seq_get ( krb5_context /*context*/, const krb5_ccache /*id*/, krb5_cc_cursor */*cursor*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_store_cred ( krb5_context /*context*/, krb5_ccache /*id*/, krb5_creds */*creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_change_password ( krb5_context /*context*/, krb5_creds */*creds*/, - char */*newpw*/, + const char */*newpw*/, int */*result_code*/, krb5_data */*result_code_string*/, krb5_data */*result_string*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_check_transited ( krb5_context /*context*/, krb5_const_realm /*client_realm*/, @@ -549,50 +767,65 @@ krb5_check_transited ( int /*num_realms*/, int */*bad_realm*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_check_transited_realms ( krb5_context /*context*/, const char *const */*realms*/, int /*num_realms*/, int */*bad_realm*/); -krb5_boolean +krb5_error_code KRB5_LIB_FUNCTION +krb5_checksum_disable ( + krb5_context /*context*/, + krb5_cksumtype /*type*/); + +void KRB5_LIB_FUNCTION +krb5_checksum_free ( + krb5_context /*context*/, + krb5_checksum */*cksum*/); + +krb5_boolean KRB5_LIB_FUNCTION krb5_checksum_is_collision_proof ( krb5_context /*context*/, krb5_cksumtype /*type*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_checksum_is_keyed ( krb5_context /*context*/, krb5_cksumtype /*type*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_checksumsize ( krb5_context /*context*/, krb5_cksumtype /*type*/, size_t */*size*/); -void +krb5_error_code KRB5_LIB_FUNCTION +krb5_cksumtype_valid ( + krb5_context /*context*/, + krb5_cksumtype /*ctype*/); + +void KRB5_LIB_FUNCTION krb5_clear_error_string (krb5_context /*context*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_closelog ( krb5_context /*context*/, krb5_log_facility */*fac*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_compare_creds ( krb5_context /*context*/, krb5_flags /*whichfields*/, - const krb5_creds */*mcreds*/, - const krb5_creds */*creds*/); + const krb5_creds * /*mcreds*/, + const krb5_creds * /*creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_config_file_free ( krb5_context /*context*/, krb5_config_section */*s*/); -void +void KRB5_LIB_FUNCTION krb5_config_free_strings (char **/*strings*/); const void * @@ -602,26 +835,26 @@ krb5_config_get ( int /*type*/, ...); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_config_get_bool ( krb5_context /*context*/, const krb5_config_section */*c*/, ...); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_config_get_bool_default ( krb5_context /*context*/, const krb5_config_section */*c*/, krb5_boolean /*def_value*/, ...); -int +int KRB5_LIB_FUNCTION krb5_config_get_int ( krb5_context /*context*/, const krb5_config_section */*c*/, ...); -int +int KRB5_LIB_FUNCTION krb5_config_get_int_default ( krb5_context /*context*/, const krb5_config_section */*c*/, @@ -642,13 +875,13 @@ krb5_config_get_next ( int /*type*/, ...); -const char * +const char* KRB5_LIB_FUNCTION krb5_config_get_string ( krb5_context /*context*/, const krb5_config_section */*c*/, ...); -const char * +const char* KRB5_LIB_FUNCTION krb5_config_get_string_default ( krb5_context /*context*/, const krb5_config_section */*c*/, @@ -661,31 +894,37 @@ krb5_config_get_strings ( const krb5_config_section */*c*/, ...); -int +int KRB5_LIB_FUNCTION krb5_config_get_time ( krb5_context /*context*/, const krb5_config_section */*c*/, ...); -int +int KRB5_LIB_FUNCTION krb5_config_get_time_default ( krb5_context /*context*/, const krb5_config_section */*c*/, int /*def_value*/, ...); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_config_parse_file ( krb5_context /*context*/, const char */*fname*/, krb5_config_section **/*res*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_config_parse_file_multi ( krb5_context /*context*/, const char */*fname*/, krb5_config_section **/*res*/); +krb5_error_code KRB5_LIB_FUNCTION +krb5_config_parse_string_multi ( + krb5_context /*context*/, + const char */*string*/, + krb5_config_section **/*res*/); + const void * krb5_config_vget ( krb5_context /*context*/, @@ -693,26 +932,26 @@ krb5_config_vget ( int /*type*/, va_list /*args*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_config_vget_bool ( krb5_context /*context*/, const krb5_config_section */*c*/, va_list /*args*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_config_vget_bool_default ( krb5_context /*context*/, const krb5_config_section */*c*/, krb5_boolean /*def_value*/, va_list /*args*/); -int +int KRB5_LIB_FUNCTION krb5_config_vget_int ( krb5_context /*context*/, const krb5_config_section */*c*/, va_list /*args*/); -int +int KRB5_LIB_FUNCTION krb5_config_vget_int_default ( krb5_context /*context*/, const krb5_config_section */*c*/, @@ -733,99 +972,105 @@ krb5_config_vget_next ( int /*type*/, va_list /*args*/); -const char * +const char* KRB5_LIB_FUNCTION krb5_config_vget_string ( krb5_context /*context*/, const krb5_config_section */*c*/, va_list /*args*/); -const char * +const char* KRB5_LIB_FUNCTION krb5_config_vget_string_default ( krb5_context /*context*/, const krb5_config_section */*c*/, const char */*def_value*/, va_list /*args*/); -char ** +char ** KRB5_LIB_FUNCTION krb5_config_vget_strings ( krb5_context /*context*/, const krb5_config_section */*c*/, va_list /*args*/); -int +int KRB5_LIB_FUNCTION krb5_config_vget_time ( krb5_context /*context*/, const krb5_config_section */*c*/, va_list /*args*/); -int +int KRB5_LIB_FUNCTION krb5_config_vget_time_default ( krb5_context /*context*/, const krb5_config_section */*c*/, int /*def_value*/, va_list /*args*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_address ( krb5_context /*context*/, const krb5_address */*inaddr*/, krb5_address */*outaddr*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_addresses ( krb5_context /*context*/, const krb5_addresses */*inaddr*/, krb5_addresses */*outaddr*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_copy_checksum ( + krb5_context /*context*/, + const krb5_checksum */*old*/, + krb5_checksum **/*new*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_creds ( krb5_context /*context*/, const krb5_creds */*incred*/, krb5_creds **/*outcred*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_creds_contents ( krb5_context /*context*/, const krb5_creds */*incred*/, krb5_creds */*c*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_data ( krb5_context /*context*/, const krb5_data */*indata*/, krb5_data **/*outdata*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_host_realm ( krb5_context /*context*/, const krb5_realm */*from*/, krb5_realm **/*to*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_keyblock ( krb5_context /*context*/, const krb5_keyblock */*inblock*/, krb5_keyblock **/*to*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_keyblock_contents ( krb5_context /*context*/, const krb5_keyblock */*inblock*/, krb5_keyblock */*to*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_principal ( krb5_context /*context*/, krb5_const_principal /*inprinc*/, krb5_principal */*outprinc*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_ticket ( krb5_context /*context*/, const krb5_ticket */*from*/, krb5_ticket **/*to*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_create_checksum ( krb5_context /*context*/, krb5_crypto /*crypto*/, @@ -835,47 +1080,94 @@ krb5_create_checksum ( size_t /*len*/, Checksum */*result*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_crypto_destroy ( krb5_context /*context*/, krb5_crypto /*crypto*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_get_checksum_type ( + krb5_context /*context*/, + krb5_crypto /*crypto*/, + krb5_cksumtype */*type*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_crypto_getblocksize ( krb5_context /*context*/, krb5_crypto /*crypto*/, size_t */*blocksize*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_getconfoundersize ( + krb5_context /*context*/, + krb5_crypto /*crypto*/, + size_t */*confoundersize*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_getenctype ( + krb5_context /*context*/, + krb5_crypto /*crypto*/, + krb5_enctype */*enctype*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_getpadsize ( + krb5_context /*context*/, + krb5_crypto /*crypto*/, + size_t */*padsize*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_crypto_init ( krb5_context /*context*/, const krb5_keyblock */*key*/, krb5_enctype /*etype*/, krb5_crypto */*crypto*/); -krb5_error_code +size_t +krb5_crypto_overhead ( + krb5_context /*context*/, + krb5_crypto /*crypto*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_prf ( + krb5_context /*context*/, + const krb5_crypto /*crypto*/, + const krb5_data */*input*/, + krb5_data */*output*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_prf_length ( + krb5_context /*context*/, + krb5_enctype /*type*/, + size_t */*length*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_data_alloc ( krb5_data */*p*/, int /*len*/); -krb5_error_code +int KRB5_LIB_FUNCTION +krb5_data_cmp ( + const krb5_data */*data1*/, + const krb5_data */*data2*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_data_copy ( krb5_data */*p*/, const void */*data*/, size_t /*len*/); -void +void KRB5_LIB_FUNCTION krb5_data_free (krb5_data */*p*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_data_realloc ( krb5_data */*p*/, int /*len*/); -void +void KRB5_LIB_FUNCTION krb5_data_zero (krb5_data */*p*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_Authenticator ( krb5_context /*context*/, const void */*data*/, @@ -883,7 +1175,7 @@ krb5_decode_Authenticator ( Authenticator */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_ETYPE_INFO ( krb5_context /*context*/, const void */*data*/, @@ -891,7 +1183,15 @@ krb5_decode_ETYPE_INFO ( ETYPE_INFO */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_decode_ETYPE_INFO2 ( + krb5_context /*context*/, + const void */*data*/, + size_t /*length*/, + ETYPE_INFO2 */*t*/, + size_t */*len*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_EncAPRepPart ( krb5_context /*context*/, const void */*data*/, @@ -899,7 +1199,7 @@ krb5_decode_EncAPRepPart ( EncAPRepPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_EncASRepPart ( krb5_context /*context*/, const void */*data*/, @@ -907,7 +1207,7 @@ krb5_decode_EncASRepPart ( EncASRepPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_EncKrbCredPart ( krb5_context /*context*/, const void */*data*/, @@ -915,7 +1215,7 @@ krb5_decode_EncKrbCredPart ( EncKrbCredPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_EncTGSRepPart ( krb5_context /*context*/, const void */*data*/, @@ -923,7 +1223,7 @@ krb5_decode_EncTGSRepPart ( EncTGSRepPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_EncTicketPart ( krb5_context /*context*/, const void */*data*/, @@ -931,13 +1231,13 @@ krb5_decode_EncTicketPart ( EncTicketPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_ap_req ( krb5_context /*context*/, const krb5_data */*inbuf*/, krb5_ap_req */*ap_req*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decrypt ( krb5_context /*context*/, krb5_crypto /*crypto*/, @@ -946,7 +1246,7 @@ krb5_decrypt ( size_t /*len*/, krb5_data */*result*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decrypt_EncryptedData ( krb5_context /*context*/, krb5_crypto /*crypto*/, @@ -954,7 +1254,7 @@ krb5_decrypt_EncryptedData ( const EncryptedData */*e*/, krb5_data */*result*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decrypt_ivec ( krb5_context /*context*/, krb5_crypto /*crypto*/, @@ -964,7 +1264,7 @@ krb5_decrypt_ivec ( krb5_data */*result*/, void */*ivec*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decrypt_ticket ( krb5_context /*context*/, Ticket */*ticket*/, @@ -972,7 +1272,7 @@ krb5_decrypt_ticket ( EncTicketPart */*out*/, krb5_flags /*flags*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_derive_key ( krb5_context /*context*/, const krb5_keyblock */*key*/, @@ -982,6 +1282,182 @@ krb5_derive_key ( krb5_keyblock **/*derived_key*/); krb5_error_code +krb5_digest_alloc ( + krb5_context /*context*/, + krb5_digest */*digest*/); + +void +krb5_digest_free (krb5_digest /*digest*/); + +krb5_error_code +krb5_digest_get_client_binding ( + krb5_context /*context*/, + krb5_digest /*digest*/, + char **/*type*/, + char **/*binding*/); + +const char * +krb5_digest_get_identifier ( + krb5_context /*context*/, + krb5_digest /*digest*/); + +const char * +krb5_digest_get_opaque ( + krb5_context /*context*/, + krb5_digest /*digest*/); + +const char * +krb5_digest_get_rsp ( + krb5_context /*context*/, + krb5_digest /*digest*/); + +const char * +krb5_digest_get_server_nonce ( + krb5_context /*context*/, + krb5_digest /*digest*/); + +krb5_error_code +krb5_digest_get_session_key ( + krb5_context /*context*/, + krb5_digest /*digest*/, + krb5_data */*data*/); + +krb5_error_code +krb5_digest_get_tickets ( + krb5_context /*context*/, + krb5_digest /*digest*/, + Ticket **/*tickets*/); + +krb5_error_code +krb5_digest_init_request ( + krb5_context /*context*/, + krb5_digest /*digest*/, + krb5_realm /*realm*/, + krb5_ccache /*ccache*/); + +krb5_error_code +krb5_digest_probe ( + krb5_context /*context*/, + krb5_realm /*realm*/, + krb5_ccache /*ccache*/, + unsigned */*flags*/); + +krb5_boolean +krb5_digest_rep_get_status ( + krb5_context /*context*/, + krb5_digest /*digest*/); + +krb5_error_code +krb5_digest_request ( + krb5_context /*context*/, + krb5_digest /*digest*/, + krb5_realm /*realm*/, + krb5_ccache /*ccache*/); + +krb5_error_code +krb5_digest_set_authentication_user ( + krb5_context /*context*/, + krb5_digest /*digest*/, + krb5_principal /*authentication_user*/); + +krb5_error_code +krb5_digest_set_authid ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*authid*/); + +krb5_error_code +krb5_digest_set_client_nonce ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*nonce*/); + +krb5_error_code +krb5_digest_set_digest ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*dgst*/); + +krb5_error_code +krb5_digest_set_hostname ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*hostname*/); + +krb5_error_code +krb5_digest_set_identifier ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*id*/); + +krb5_error_code +krb5_digest_set_method ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*method*/); + +krb5_error_code +krb5_digest_set_nonceCount ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*nonce_count*/); + +krb5_error_code +krb5_digest_set_opaque ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*opaque*/); + +krb5_error_code +krb5_digest_set_qop ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*qop*/); + +krb5_error_code +krb5_digest_set_realm ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*realm*/); + +int +krb5_digest_set_responseData ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*response*/); + +krb5_error_code +krb5_digest_set_server_cb ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*type*/, + const char */*binding*/); + +krb5_error_code +krb5_digest_set_server_nonce ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*nonce*/); + +krb5_error_code +krb5_digest_set_type ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*type*/); + +krb5_error_code +krb5_digest_set_uri ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*uri*/); + +krb5_error_code +krb5_digest_set_username ( + krb5_context /*context*/, + krb5_digest /*digest*/, + const char */*username*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_domain_x500_decode ( krb5_context /*context*/, krb5_data /*tr*/, @@ -990,18 +1466,18 @@ krb5_domain_x500_decode ( const char */*client_realm*/, const char */*server_realm*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_domain_x500_encode ( char **/*realms*/, int /*num_realms*/, krb5_data */*encoding*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_eai_to_heim_errno ( int /*eai_errno*/, int /*system_error*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encode_Authenticator ( krb5_context /*context*/, void */*data*/, @@ -1009,7 +1485,7 @@ krb5_encode_Authenticator ( Authenticator */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encode_ETYPE_INFO ( krb5_context /*context*/, void */*data*/, @@ -1017,7 +1493,15 @@ krb5_encode_ETYPE_INFO ( ETYPE_INFO */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_encode_ETYPE_INFO2 ( + krb5_context /*context*/, + void */*data*/, + size_t /*length*/, + ETYPE_INFO2 */*t*/, + size_t */*len*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_encode_EncAPRepPart ( krb5_context /*context*/, void */*data*/, @@ -1025,7 +1509,7 @@ krb5_encode_EncAPRepPart ( EncAPRepPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encode_EncASRepPart ( krb5_context /*context*/, void */*data*/, @@ -1033,7 +1517,7 @@ krb5_encode_EncASRepPart ( EncASRepPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encode_EncKrbCredPart ( krb5_context /*context*/, void */*data*/, @@ -1041,7 +1525,7 @@ krb5_encode_EncKrbCredPart ( EncKrbCredPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encode_EncTGSRepPart ( krb5_context /*context*/, void */*data*/, @@ -1049,7 +1533,7 @@ krb5_encode_EncTGSRepPart ( EncTGSRepPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encode_EncTicketPart ( krb5_context /*context*/, void */*data*/, @@ -1057,16 +1541,16 @@ krb5_encode_EncTicketPart ( EncTicketPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encrypt ( krb5_context /*context*/, krb5_crypto /*crypto*/, unsigned /*usage*/, - void */*data*/, + const void */*data*/, size_t /*len*/, krb5_data */*result*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encrypt_EncryptedData ( krb5_context /*context*/, krb5_crypto /*crypto*/, @@ -1076,46 +1560,57 @@ krb5_encrypt_EncryptedData ( int /*kvno*/, EncryptedData */*result*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encrypt_ivec ( krb5_context /*context*/, krb5_crypto /*crypto*/, unsigned /*usage*/, - void */*data*/, + const void */*data*/, size_t /*len*/, krb5_data */*result*/, void */*ivec*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_enctype_disable ( + krb5_context /*context*/, + krb5_enctype /*enctype*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_enctype_keybits ( + krb5_context /*context*/, + krb5_enctype /*type*/, + size_t */*keybits*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_keysize ( krb5_context /*context*/, krb5_enctype /*type*/, size_t */*keysize*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_to_keytype ( krb5_context /*context*/, krb5_enctype /*etype*/, krb5_keytype */*keytype*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_to_string ( krb5_context /*context*/, krb5_enctype /*etype*/, char **/*string*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_valid ( krb5_context /*context*/, krb5_enctype /*etype*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_enctypes_compatible_keys ( krb5_context /*context*/, krb5_enctype /*etype1*/, krb5_enctype /*etype2*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_err ( krb5_context /*context*/, int /*eval*/, @@ -1124,13 +1619,16 @@ krb5_err ( ...) __attribute__ ((noreturn, format (printf, 4, 5))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION + __attribute__((deprecated)) krb5_free_creds_contents (krb5_context context, krb5_creds *c); + +krb5_error_code KRB5_LIB_FUNCTION krb5_error_from_rd_error ( krb5_context /*context*/, const krb5_error */*error*/, const krb5_creds */*creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_errx ( krb5_context /*context*/, int /*eval*/, @@ -1138,13 +1636,13 @@ krb5_errx ( ...) __attribute__ ((noreturn, format (printf, 3, 4))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_expand_hostname ( krb5_context /*context*/, const char */*orig_hostname*/, char **/*new_hostname*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_expand_hostname_realms ( krb5_context /*context*/, const char */*orig_hostname*/, @@ -1156,9 +1654,9 @@ krb5_find_padata ( PA_DATA */*val*/, unsigned /*len*/, int /*type*/, - int */*index*/); + int */*idx*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_format_time ( krb5_context /*context*/, time_t /*t*/, @@ -1166,113 +1664,118 @@ krb5_format_time ( size_t /*len*/, krb5_boolean /*include_time*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_address ( krb5_context /*context*/, krb5_address */*address*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_addresses ( krb5_context /*context*/, krb5_addresses */*addresses*/); -void +void KRB5_LIB_FUNCTION krb5_free_ap_rep_enc_part ( krb5_context /*context*/, krb5_ap_rep_enc_part */*val*/); -void +void KRB5_LIB_FUNCTION krb5_free_authenticator ( krb5_context /*context*/, krb5_authenticator */*authenticator*/); -void +void KRB5_LIB_FUNCTION +krb5_free_checksum ( + krb5_context /*context*/, + krb5_checksum */*cksum*/); + +void KRB5_LIB_FUNCTION +krb5_free_checksum_contents ( + krb5_context /*context*/, + krb5_checksum */*cksum*/); + +void KRB5_LIB_FUNCTION krb5_free_config_files (char **/*filenames*/); -void +void KRB5_LIB_FUNCTION krb5_free_context (krb5_context /*context*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_cred_contents ( krb5_context /*context*/, krb5_creds */*c*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_creds ( krb5_context /*context*/, krb5_creds */*c*/); -krb5_error_code -krb5_free_creds_contents ( - krb5_context /*context*/, - krb5_creds */*c*/); - -void +void KRB5_LIB_FUNCTION krb5_free_data ( krb5_context /*context*/, krb5_data */*p*/); -void +void KRB5_LIB_FUNCTION krb5_free_data_contents ( krb5_context /*context*/, krb5_data */*data*/); -void +void KRB5_LIB_FUNCTION krb5_free_error ( krb5_context /*context*/, krb5_error */*error*/); -void +void KRB5_LIB_FUNCTION krb5_free_error_contents ( krb5_context /*context*/, krb5_error */*error*/); -void +void KRB5_LIB_FUNCTION krb5_free_error_string ( krb5_context /*context*/, char */*str*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_host_realm ( krb5_context /*context*/, krb5_realm */*realmlist*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_kdc_rep ( krb5_context /*context*/, krb5_kdc_rep */*rep*/); -void +void KRB5_LIB_FUNCTION krb5_free_keyblock ( krb5_context /*context*/, krb5_keyblock */*keyblock*/); -void +void KRB5_LIB_FUNCTION krb5_free_keyblock_contents ( krb5_context /*context*/, krb5_keyblock */*keyblock*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_krbhst ( krb5_context /*context*/, char **/*hostlist*/); -void +void KRB5_LIB_FUNCTION krb5_free_principal ( krb5_context /*context*/, krb5_principal /*p*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_salt ( krb5_context /*context*/, krb5_salt /*salt*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_ticket ( krb5_context /*context*/, krb5_ticket */*ticket*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_fwd_tgt_creds ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, @@ -1283,40 +1786,47 @@ krb5_fwd_tgt_creds ( int /*forwardable*/, krb5_data */*out_data*/); -void +void KRB5_LIB_FUNCTION krb5_generate_random_block ( void */*buf*/, size_t /*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_generate_random_keyblock ( krb5_context /*context*/, krb5_enctype /*type*/, krb5_keyblock */*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_generate_seq_number ( krb5_context /*context*/, const krb5_keyblock */*key*/, - u_int32_t */*seqno*/); + uint32_t */*seqno*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_generate_subkey ( krb5_context /*context*/, const krb5_keyblock */*key*/, krb5_keyblock **/*subkey*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_generate_subkey_extended ( + krb5_context /*context*/, + const krb5_keyblock */*key*/, + krb5_enctype /*etype*/, + krb5_keyblock **/*subkey*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_get_all_client_addrs ( krb5_context /*context*/, krb5_addresses */*res*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_all_server_addrs ( krb5_context /*context*/, krb5_addresses */*res*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_cred_from_kdc ( krb5_context /*context*/, krb5_ccache /*ccache*/, @@ -1324,7 +1834,7 @@ krb5_get_cred_from_kdc ( krb5_creds **/*out_creds*/, krb5_creds ***/*ret_tgts*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_cred_from_kdc_opt ( krb5_context /*context*/, krb5_ccache /*ccache*/, @@ -1333,7 +1843,7 @@ krb5_get_cred_from_kdc_opt ( krb5_creds ***/*ret_tgts*/, krb5_flags /*flags*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_credentials ( krb5_context /*context*/, krb5_flags /*options*/, @@ -1341,7 +1851,7 @@ krb5_get_credentials ( krb5_creds */*in_creds*/, krb5_creds **/*out_creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_credentials_with_flags ( krb5_context /*context*/, krb5_flags /*options*/, @@ -1350,48 +1860,104 @@ krb5_get_credentials_with_flags ( krb5_creds */*in_creds*/, krb5_creds **/*out_creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_creds ( + krb5_context /*context*/, + krb5_get_creds_opt /*opt*/, + krb5_ccache /*ccache*/, + krb5_const_principal /*inprinc*/, + krb5_creds **/*out_creds*/); + +void KRB5_LIB_FUNCTION +krb5_get_creds_opt_add_options ( + krb5_context /*context*/, + krb5_get_creds_opt /*opt*/, + krb5_flags /*options*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_creds_opt_alloc ( + krb5_context /*context*/, + krb5_get_creds_opt */*opt*/); + +void KRB5_LIB_FUNCTION +krb5_get_creds_opt_free ( + krb5_context /*context*/, + krb5_get_creds_opt /*opt*/); + +void KRB5_LIB_FUNCTION +krb5_get_creds_opt_set_enctype ( + krb5_context /*context*/, + krb5_get_creds_opt /*opt*/, + krb5_enctype /*enctype*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_creds_opt_set_impersonate ( + krb5_context /*context*/, + krb5_get_creds_opt /*opt*/, + krb5_const_principal /*self*/); + +void KRB5_LIB_FUNCTION +krb5_get_creds_opt_set_options ( + krb5_context /*context*/, + krb5_get_creds_opt /*opt*/, + krb5_flags /*options*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_creds_opt_set_ticket ( + krb5_context /*context*/, + krb5_get_creds_opt /*opt*/, + const Ticket */*ticket*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_get_default_config_files (char ***/*pfilenames*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_default_in_tkt_etypes ( krb5_context /*context*/, krb5_enctype **/*etypes*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_default_principal ( krb5_context /*context*/, krb5_principal */*princ*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_default_realm ( krb5_context /*context*/, krb5_realm */*realm*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_default_realms ( krb5_context /*context*/, krb5_realm **/*realms*/); -const char * +krb5_boolean KRB5_LIB_FUNCTION +krb5_get_dns_canonicalize_hostname (krb5_context /*context*/); + +const char* KRB5_LIB_FUNCTION krb5_get_err_text ( krb5_context /*context*/, krb5_error_code /*code*/); -char* +char * KRB5_LIB_FUNCTION +krb5_get_error_message ( + krb5_context /*context*/, + krb5_error_code /*code*/); + +char * KRB5_LIB_FUNCTION krb5_get_error_string (krb5_context /*context*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_extra_addresses ( krb5_context /*context*/, krb5_addresses */*addresses*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_fcache_version ( krb5_context /*context*/, int */*version*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_forwarded_creds ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, @@ -1401,25 +1967,18 @@ krb5_get_forwarded_creds ( krb5_creds */*in_creds*/, krb5_data */*out_data*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_host_realm ( krb5_context /*context*/, - const char */*host*/, + const char */*targethost*/, krb5_realm **/*realms*/); -krb5_error_code -krb5_get_host_realm_int ( - krb5_context /*context*/, - const char */*host*/, - krb5_boolean /*use_dns*/, - krb5_realm **/*realms*/); - -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_ignore_addresses ( krb5_context /*context*/, krb5_addresses */*addresses*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_in_cred ( krb5_context /*context*/, krb5_flags /*options*/, @@ -1434,7 +1993,7 @@ krb5_get_in_cred ( krb5_creds */*creds*/, krb5_kdc_rep */*ret_as_reply*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_in_tkt ( krb5_context /*context*/, krb5_flags /*options*/, @@ -1449,7 +2008,7 @@ krb5_get_in_tkt ( krb5_ccache /*ccache*/, krb5_kdc_rep */*ret_as_reply*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_in_tkt_with_keytab ( krb5_context /*context*/, krb5_flags /*options*/, @@ -1461,7 +2020,7 @@ krb5_get_in_tkt_with_keytab ( krb5_creds */*creds*/, krb5_kdc_rep */*ret_as_reply*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_in_tkt_with_password ( krb5_context /*context*/, krb5_flags /*options*/, @@ -1473,7 +2032,7 @@ krb5_get_in_tkt_with_password ( krb5_creds */*creds*/, krb5_kdc_rep */*ret_as_reply*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_in_tkt_with_skey ( krb5_context /*context*/, krb5_flags /*options*/, @@ -1485,7 +2044,28 @@ krb5_get_in_tkt_with_skey ( krb5_creds */*creds*/, krb5_kdc_rep */*ret_as_reply*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds ( + krb5_context /*context*/, + krb5_creds */*creds*/, + krb5_principal /*client*/, + krb5_prompter_fct /*prompter*/, + void */*data*/, + krb5_deltat /*start_time*/, + const char */*in_tkt_service*/, + krb5_get_init_creds_opt */*options*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_keyblock ( + krb5_context /*context*/, + krb5_creds */*creds*/, + krb5_principal /*client*/, + krb5_keyblock */*keyblock*/, + krb5_deltat /*start_time*/, + const char */*in_tkt_service*/, + krb5_get_init_creds_opt */*options*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_get_init_creds_keytab ( krb5_context /*context*/, krb5_creds */*creds*/, @@ -1495,64 +2075,125 @@ krb5_get_init_creds_keytab ( const char */*in_tkt_service*/, krb5_get_init_creds_opt */*options*/); -void +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_alloc ( + krb5_context /*context*/, + krb5_get_init_creds_opt **/*opt*/); + +void KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_free ( + krb5_context /*context*/, + krb5_get_init_creds_opt */*opt*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_get_error ( + krb5_context /*context*/, + krb5_get_init_creds_opt */*opt*/, + KRB_ERROR **/*error*/); + +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_init (krb5_get_init_creds_opt */*opt*/); -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_address_list ( krb5_get_init_creds_opt */*opt*/, krb5_addresses */*addresses*/); -void +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_set_addressless ( + krb5_context /*context*/, + krb5_get_init_creds_opt */*opt*/, + krb5_boolean /*addressless*/); + +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_anonymous ( krb5_get_init_creds_opt */*opt*/, int /*anonymous*/); -void +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_set_canonicalize ( + krb5_context /*context*/, + krb5_get_init_creds_opt */*opt*/, + krb5_boolean /*req*/); + +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_default_flags ( krb5_context /*context*/, const char */*appname*/, krb5_const_realm /*realm*/, krb5_get_init_creds_opt */*opt*/); -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_etype_list ( krb5_get_init_creds_opt */*opt*/, krb5_enctype */*etype_list*/, int /*etype_list_length*/); -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_forwardable ( krb5_get_init_creds_opt */*opt*/, int /*forwardable*/); -void +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_set_pa_password ( + krb5_context /*context*/, + krb5_get_init_creds_opt */*opt*/, + const char */*password*/, + krb5_s2k_proc /*key_proc*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_set_pac_request ( + krb5_context /*context*/, + krb5_get_init_creds_opt */*opt*/, + krb5_boolean /*req_pac*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_set_pkinit ( + krb5_context /*context*/, + krb5_get_init_creds_opt */*opt*/, + krb5_principal /*principal*/, + const char */*user_id*/, + const char */*x509_anchors*/, + char * const * /*pool*/, + char * const * /*pki_revoke*/, + int /*flags*/, + krb5_prompter_fct /*prompter*/, + void */*prompter_data*/, + char */*password*/); + +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_preauth_list ( krb5_get_init_creds_opt */*opt*/, krb5_preauthtype */*preauth_list*/, int /*preauth_list_length*/); -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_proxiable ( krb5_get_init_creds_opt */*opt*/, int /*proxiable*/); -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_renew_life ( krb5_get_init_creds_opt */*opt*/, krb5_deltat /*renew_life*/); -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_salt ( krb5_get_init_creds_opt */*opt*/, krb5_data */*salt*/); -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_tkt_life ( krb5_get_init_creds_opt */*opt*/, krb5_deltat /*tkt_life*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_set_win2k ( + krb5_context /*context*/, + krb5_get_init_creds_opt */*opt*/, + krb5_boolean /*req*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_get_init_creds_password ( krb5_context /*context*/, krb5_creds */*creds*/, @@ -1562,9 +2203,9 @@ krb5_get_init_creds_password ( void */*data*/, krb5_deltat /*start_time*/, const char */*in_tkt_service*/, - krb5_get_init_creds_opt */*options*/); + krb5_get_init_creds_opt */*in_options*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_kdc_cred ( krb5_context /*context*/, krb5_ccache /*id*/, @@ -1574,66 +2215,86 @@ krb5_get_kdc_cred ( krb5_creds */*in_creds*/, krb5_creds **out_creds ); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_kdc_sec_offset ( + krb5_context /*context*/, + int32_t */*sec*/, + int32_t */*usec*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_get_krb524hst ( krb5_context /*context*/, const krb5_realm */*realm*/, char ***/*hostlist*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_krb_admin_hst ( krb5_context /*context*/, const krb5_realm */*realm*/, char ***/*hostlist*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_krb_changepw_hst ( krb5_context /*context*/, const krb5_realm */*realm*/, char ***/*hostlist*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_krbhst ( krb5_context /*context*/, const krb5_realm */*realm*/, char ***/*hostlist*/); -krb5_error_code +time_t KRB5_LIB_FUNCTION +krb5_get_max_time_skew (krb5_context /*context*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_get_pw_salt ( krb5_context /*context*/, krb5_const_principal /*principal*/, krb5_salt */*salt*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_renewed_creds ( + krb5_context /*context*/, + krb5_creds */*creds*/, + krb5_const_principal /*client*/, + krb5_ccache /*ccache*/, + const char */*in_tkt_service*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_get_server_rcache ( krb5_context /*context*/, const krb5_data */*piece*/, krb5_rcache */*id*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_get_use_admin_kdc (krb5_context /*context*/); +krb5_log_facility * KRB5_LIB_FUNCTION +krb5_get_warn_dest (krb5_context /*context*/); + size_t krb5_get_wrapped_length ( krb5_context /*context*/, krb5_crypto /*crypto*/, size_t /*data_len*/); -int +int KRB5_LIB_FUNCTION krb5_getportbyname ( krb5_context /*context*/, const char */*service*/, const char */*proto*/, int /*default_port*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_h_addr2addr ( krb5_context /*context*/, int /*af*/, const char */*haddr*/, krb5_address */*addr*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_h_addr2sockaddr ( krb5_context /*context*/, int /*af*/, @@ -1642,13 +2303,13 @@ krb5_h_addr2sockaddr ( krb5_socklen_t */*sa_size*/, int /*port*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_h_errno_to_heim_errno (int /*eai_errno*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_have_error_string (krb5_context /*context*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_hmac ( krb5_context /*context*/, krb5_cksumtype /*cktype*/, @@ -1658,26 +2319,43 @@ krb5_hmac ( krb5_keyblock */*key*/, Checksum */*result*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_init_context (krb5_context */*context*/); -void +void KRB5_LIB_FUNCTION krb5_init_ets (krb5_context /*context*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_init_etype ( krb5_context /*context*/, unsigned */*len*/, krb5_enctype **/*val*/, const krb5_enctype */*etypes*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_initlog ( krb5_context /*context*/, const char */*program*/, krb5_log_facility **/*fac*/); -krb5_error_code +krb5_boolean KRB5_LIB_FUNCTION +krb5_is_thread_safe (void); + +const krb5_enctype * KRB5_LIB_FUNCTION +krb5_kerberos_enctypes (krb5_context /*context*/); + +krb5_enctype +krb5_keyblock_get_enctype (const krb5_keyblock */*block*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_keyblock_init ( + krb5_context /*context*/, + krb5_enctype /*type*/, + const void */*data*/, + size_t /*size*/, + krb5_keyblock */*key*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_keyblock_key_proc ( krb5_context /*context*/, krb5_keytype /*type*/, @@ -1685,7 +2363,10 @@ krb5_keyblock_key_proc ( krb5_const_pointer /*keyseed*/, krb5_keyblock **/*key*/); -krb5_error_code +void KRB5_LIB_FUNCTION +krb5_keyblock_zero (krb5_keyblock */*keyblock*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_keytab_key_proc ( krb5_context /*context*/, krb5_enctype /*enctype*/, @@ -1693,81 +2374,89 @@ krb5_keytab_key_proc ( krb5_const_pointer /*keyseed*/, krb5_keyblock **/*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_keytype_to_enctypes ( krb5_context /*context*/, krb5_keytype /*keytype*/, unsigned */*len*/, krb5_enctype **/*val*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_keytype_to_enctypes_default ( krb5_context /*context*/, krb5_keytype /*keytype*/, unsigned */*len*/, krb5_enctype **/*val*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_keytype_to_string ( krb5_context /*context*/, krb5_keytype /*keytype*/, char **/*string*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_krbhst_format_string ( krb5_context /*context*/, const krb5_krbhst_info */*host*/, char */*hostname*/, size_t /*hostlen*/); -void +void KRB5_LIB_FUNCTION krb5_krbhst_free ( krb5_context /*context*/, krb5_krbhst_handle /*handle*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_krbhst_get_addrinfo ( krb5_context /*context*/, krb5_krbhst_info */*host*/, struct addrinfo **/*ai*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_krbhst_init ( krb5_context /*context*/, const char */*realm*/, unsigned int /*type*/, krb5_krbhst_handle */*handle*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_krbhst_init_flags ( + krb5_context /*context*/, + const char */*realm*/, + unsigned int /*type*/, + int /*flags*/, + krb5_krbhst_handle */*handle*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_krbhst_next ( krb5_context /*context*/, krb5_krbhst_handle /*handle*/, krb5_krbhst_info **/*host*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_krbhst_next_as_string ( krb5_context /*context*/, krb5_krbhst_handle /*handle*/, char */*hostname*/, size_t /*hostlen*/); -void +void KRB5_LIB_FUNCTION krb5_krbhst_reset ( krb5_context /*context*/, krb5_krbhst_handle /*handle*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_add_entry ( krb5_context /*context*/, krb5_keytab /*id*/, krb5_keytab_entry */*entry*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_close ( krb5_context /*context*/, krb5_keytab /*id*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_kt_compare ( krb5_context /*context*/, krb5_keytab_entry */*entry*/, @@ -1775,41 +2464,41 @@ krb5_kt_compare ( krb5_kvno /*vno*/, krb5_enctype /*enctype*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_copy_entry_contents ( krb5_context /*context*/, const krb5_keytab_entry */*in*/, krb5_keytab_entry */*out*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_default ( krb5_context /*context*/, krb5_keytab */*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_default_modify_name ( krb5_context /*context*/, char */*name*/, size_t /*namesize*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_default_name ( krb5_context /*context*/, char */*name*/, size_t /*namesize*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_end_seq_get ( krb5_context /*context*/, krb5_keytab /*id*/, krb5_kt_cursor */*cursor*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_free_entry ( krb5_context /*context*/, krb5_keytab_entry */*entry*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_get_entry ( krb5_context /*context*/, krb5_keytab /*id*/, @@ -1818,28 +2507,34 @@ krb5_kt_get_entry ( krb5_enctype /*enctype*/, krb5_keytab_entry */*entry*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_kt_get_full_name ( + krb5_context /*context*/, + krb5_keytab /*keytab*/, + char **/*str*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_get_name ( krb5_context /*context*/, krb5_keytab /*keytab*/, char */*name*/, size_t /*namesize*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_get_type ( krb5_context /*context*/, krb5_keytab /*keytab*/, char */*prefix*/, size_t /*prefixsize*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_next_entry ( krb5_context /*context*/, krb5_keytab /*id*/, krb5_keytab_entry */*entry*/, krb5_kt_cursor */*cursor*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_read_service_key ( krb5_context /*context*/, krb5_pointer /*keyprocarg*/, @@ -1848,36 +2543,36 @@ krb5_kt_read_service_key ( krb5_enctype /*enctype*/, krb5_keyblock **/*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_register ( krb5_context /*context*/, const krb5_kt_ops */*ops*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_remove_entry ( krb5_context /*context*/, krb5_keytab /*id*/, krb5_keytab_entry */*entry*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_resolve ( krb5_context /*context*/, const char */*name*/, krb5_keytab */*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_start_seq_get ( krb5_context /*context*/, krb5_keytab /*id*/, krb5_kt_cursor */*cursor*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_kuserok ( krb5_context /*context*/, krb5_principal /*principal*/, const char */*luser*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_log ( krb5_context /*context*/, krb5_log_facility */*fac*/, @@ -1886,7 +2581,7 @@ krb5_log ( ...) __attribute__((format (printf, 4, 5))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_log_msg ( krb5_context /*context*/, krb5_log_facility */*fac*/, @@ -1896,24 +2591,24 @@ krb5_log_msg ( ...) __attribute__((format (printf, 5, 6))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_make_addrport ( krb5_context /*context*/, krb5_address **/*res*/, const krb5_address */*addr*/, int16_t /*port*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_make_principal ( krb5_context /*context*/, krb5_principal */*principal*/, krb5_const_realm /*realm*/, ...); -size_t +size_t KRB5_LIB_FUNCTION krb5_max_sockaddr_size (void); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_mk_error ( krb5_context /*context*/, krb5_error_code /*error_code*/, @@ -1925,21 +2620,21 @@ krb5_mk_error ( int */*client_usec*/, krb5_data */*reply*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_mk_priv ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, const krb5_data */*userdata*/, krb5_data */*outbuf*/, - void */*outdata*/); + krb5_replay_data */*outdata*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_mk_rep ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_data */*outbuf*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_mk_req ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, @@ -1950,7 +2645,7 @@ krb5_mk_req ( krb5_ccache /*ccache*/, krb5_data */*outbuf*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_mk_req_exact ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, @@ -1960,7 +2655,7 @@ krb5_mk_req_exact ( krb5_ccache /*ccache*/, krb5_data */*outbuf*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_mk_req_extended ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, @@ -1969,63 +2664,241 @@ krb5_mk_req_extended ( krb5_creds */*in_creds*/, krb5_data */*outbuf*/); -krb5_error_code -krb5_mk_req_internal ( - krb5_context /*context*/, - krb5_auth_context */*auth_context*/, - const krb5_flags /*ap_req_options*/, - krb5_data */*in_data*/, - krb5_creds */*in_creds*/, - krb5_data */*outbuf*/, - krb5_key_usage /*checksum_usage*/, - krb5_key_usage /*encrypt_usage*/); - -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_mk_safe ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, const krb5_data */*userdata*/, krb5_data */*outbuf*/, - void */*outdata*/); + krb5_replay_data */*outdata*/); -krb5_ssize_t +krb5_ssize_t KRB5_LIB_FUNCTION krb5_net_read ( krb5_context /*context*/, void */*p_fd*/, void */*buf*/, size_t /*len*/); -krb5_ssize_t +krb5_ssize_t KRB5_LIB_FUNCTION krb5_net_write ( krb5_context /*context*/, void */*p_fd*/, const void */*buf*/, size_t /*len*/); +krb5_ssize_t KRB5_LIB_FUNCTION +krb5_net_write_block ( + krb5_context /*context*/, + void */*p_fd*/, + const void */*buf*/, + size_t /*len*/, + time_t /*timeout*/); + krb5_error_code +krb5_ntlm_alloc ( + krb5_context /*context*/, + krb5_ntlm */*ntlm*/); + +krb5_error_code +krb5_ntlm_free ( + krb5_context /*context*/, + krb5_ntlm /*ntlm*/); + +krb5_error_code +krb5_ntlm_init_get_challange ( + krb5_context /*context*/, + krb5_ntlm /*ntlm*/, + krb5_data */*challange*/); + +krb5_error_code +krb5_ntlm_init_get_flags ( + krb5_context /*context*/, + krb5_ntlm /*ntlm*/, + uint32_t */*flags*/); + +krb5_error_code +krb5_ntlm_init_get_opaque ( + krb5_context /*context*/, + krb5_ntlm /*ntlm*/, + krb5_data */*opaque*/); + +krb5_error_code +krb5_ntlm_init_get_targetinfo ( + krb5_context /*context*/, + krb5_ntlm /*ntlm*/, + krb5_data */*data*/); + +krb5_error_code +krb5_ntlm_init_get_targetname ( + krb5_context /*context*/, + krb5_ntlm /*ntlm*/, + char **/*name*/); + +krb5_error_code +krb5_ntlm_init_request ( + krb5_context /*context*/, + krb5_ntlm /*ntlm*/, + krb5_realm /*realm*/, + krb5_ccache /*ccache*/, + uint32_t /*flags*/, + const char */*hostname*/, + const char */*domainname*/); + +krb5_error_code +krb5_ntlm_rep_get_sessionkey ( + krb5_context /*context*/, + krb5_ntlm /*ntlm*/, + krb5_data */*data*/); + +krb5_boolean +krb5_ntlm_rep_get_status ( + krb5_context /*context*/, + krb5_ntlm /*ntlm*/); + +krb5_error_code +krb5_ntlm_req_set_flags ( + krb5_context /*context*/, + krb5_ntlm /*ntlm*/, + uint32_t /*flags*/); + +krb5_error_code +krb5_ntlm_req_set_lm ( + krb5_context /*context*/, + krb5_ntlm /*ntlm*/, + void */*hash*/, + size_t /*len*/); + +krb5_error_code +krb5_ntlm_req_set_ntlm ( + krb5_context /*context*/, + krb5_ntlm /*ntlm*/, + void */*hash*/, + size_t /*len*/); + +krb5_error_code +krb5_ntlm_req_set_opaque ( + krb5_context /*context*/, + krb5_ntlm /*ntlm*/, + krb5_data */*opaque*/); + +krb5_error_code +krb5_ntlm_req_set_session ( + krb5_context /*context*/, + krb5_ntlm /*ntlm*/, + void */*sessionkey*/, + size_t /*length*/); + +krb5_error_code +krb5_ntlm_req_set_targetname ( + krb5_context /*context*/, + krb5_ntlm /*ntlm*/, + const char */*targetname*/); + +krb5_error_code +krb5_ntlm_req_set_username ( + krb5_context /*context*/, + krb5_ntlm /*ntlm*/, + const char */*username*/); + +krb5_error_code +krb5_ntlm_request ( + krb5_context /*context*/, + krb5_ntlm /*ntlm*/, + krb5_realm /*realm*/, + krb5_ccache /*ccache*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_openlog ( krb5_context /*context*/, const char */*program*/, krb5_log_facility **/*fac*/); krb5_error_code +krb5_pac_add_buffer ( + krb5_context /*context*/, + krb5_pac /*p*/, + uint32_t /*type*/, + const krb5_data */*data*/); + +void +krb5_pac_free ( + krb5_context /*context*/, + krb5_pac /*pac*/); + +krb5_error_code +krb5_pac_get_buffer ( + krb5_context /*context*/, + krb5_pac /*p*/, + uint32_t /*type*/, + krb5_data */*data*/); + +krb5_error_code +krb5_pac_get_types ( + krb5_context /*context*/, + krb5_pac /*p*/, + size_t */*len*/, + uint32_t **/*types*/); + +krb5_error_code +krb5_pac_init ( + krb5_context /*context*/, + krb5_pac */*pac*/); + +krb5_error_code +krb5_pac_parse ( + krb5_context /*context*/, + const void */*ptr*/, + size_t /*len*/, + krb5_pac */*pac*/); + +krb5_error_code +krb5_pac_verify ( + krb5_context /*context*/, + const krb5_pac /*pac*/, + time_t /*authtime*/, + krb5_const_principal /*principal*/, + const krb5_keyblock */*server*/, + const krb5_keyblock */*privsvr*/); + +int KRB5_LIB_FUNCTION +krb5_padata_add ( + krb5_context /*context*/, + METHOD_DATA */*md*/, + int /*type*/, + void */*buf*/, + size_t /*len*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_parse_address ( krb5_context /*context*/, const char */*string*/, krb5_addresses */*addresses*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_parse_name ( krb5_context /*context*/, const char */*name*/, krb5_principal */*principal*/); -const char* +krb5_error_code KRB5_LIB_FUNCTION +krb5_parse_name_flags ( + krb5_context /*context*/, + const char */*name*/, + int /*flags*/, + krb5_principal */*principal*/); + +krb5_error_code +krb5_parse_nametype ( + krb5_context /*context*/, + const char */*str*/, + int32_t */*nametype*/); + +const char* KRB5_LIB_FUNCTION krb5_passwd_result_to_string ( krb5_context /*context*/, int /*result*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_password_key_proc ( krb5_context /*context*/, krb5_enctype /*type*/, @@ -2033,64 +2906,83 @@ krb5_password_key_proc ( krb5_const_pointer /*keyseed*/, krb5_keyblock **/*key*/); -krb5_realm* +krb5_error_code +krb5_plugin_register ( + krb5_context /*context*/, + enum krb5_plugin_type /*type*/, + const char */*name*/, + void */*symbol*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_prepend_config_files ( + const char */*filelist*/, + char **/*pq*/, + char ***/*ret_pp*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_prepend_config_files_default ( + const char */*filelist*/, + char ***/*pfilenames*/); + +krb5_realm * KRB5_LIB_FUNCTION krb5_princ_realm ( krb5_context /*context*/, krb5_principal /*principal*/); -void +void KRB5_LIB_FUNCTION krb5_princ_set_realm ( krb5_context /*context*/, krb5_principal /*principal*/, krb5_realm */*realm*/); -krb5_error_code -krb5_principal2principalname ( - PrincipalName */*p*/, - const krb5_principal /*from*/); - -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_principal_compare ( krb5_context /*context*/, krb5_const_principal /*princ1*/, krb5_const_principal /*princ2*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_principal_compare_any_realm ( krb5_context /*context*/, krb5_const_principal /*princ1*/, krb5_const_principal /*princ2*/); -const char * +const char* KRB5_LIB_FUNCTION krb5_principal_get_comp_string ( krb5_context /*context*/, - krb5_principal /*principal*/, + krb5_const_principal /*principal*/, unsigned int /*component*/); -const char * +const char* KRB5_LIB_FUNCTION krb5_principal_get_realm ( krb5_context /*context*/, - krb5_principal /*principal*/); + krb5_const_principal /*principal*/); -int +int KRB5_LIB_FUNCTION krb5_principal_get_type ( krb5_context /*context*/, - krb5_principal /*principal*/); + krb5_const_principal /*principal*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_principal_match ( krb5_context /*context*/, krb5_const_principal /*princ*/, krb5_const_principal /*pattern*/); -krb5_error_code +void KRB5_LIB_FUNCTION +krb5_principal_set_type ( + krb5_context /*context*/, + krb5_principal /*principal*/, + int /*type*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_print_address ( const krb5_address */*addr*/, char */*str*/, size_t /*len*/, size_t */*ret_len*/); -int +int KRB5_LIB_FUNCTION krb5_program_setup ( krb5_context */*context*/, int /*argc*/, @@ -2099,7 +2991,7 @@ krb5_program_setup ( int /*num_args*/, void (*/*usage*/)(int, struct getargs*, int)); -int +int KRB5_LIB_FUNCTION krb5_prompter_posix ( krb5_context /*context*/, void */*data*/, @@ -2108,120 +3000,128 @@ krb5_prompter_posix ( int /*num_prompts*/, krb5_prompt prompts[]); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_random_to_key ( + krb5_context /*context*/, + krb5_enctype /*type*/, + const void */*data*/, + size_t /*size*/, + krb5_keyblock */*key*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_close ( krb5_context /*context*/, krb5_rcache /*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_default ( krb5_context /*context*/, krb5_rcache */*id*/); -const char * +const char* KRB5_LIB_FUNCTION krb5_rc_default_name (krb5_context /*context*/); -const char * +const char* KRB5_LIB_FUNCTION krb5_rc_default_type (krb5_context /*context*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_destroy ( krb5_context /*context*/, krb5_rcache /*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_expunge ( krb5_context /*context*/, krb5_rcache /*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_get_lifespan ( krb5_context /*context*/, krb5_rcache /*id*/, krb5_deltat */*auth_lifespan*/); -const char* +const char* KRB5_LIB_FUNCTION krb5_rc_get_name ( krb5_context /*context*/, krb5_rcache /*id*/); -const char* +const char* KRB5_LIB_FUNCTION krb5_rc_get_type ( krb5_context /*context*/, krb5_rcache /*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_initialize ( krb5_context /*context*/, krb5_rcache /*id*/, krb5_deltat /*auth_lifespan*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_recover ( krb5_context /*context*/, krb5_rcache /*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_resolve ( krb5_context /*context*/, krb5_rcache /*id*/, const char */*name*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_resolve_full ( krb5_context /*context*/, krb5_rcache */*id*/, const char */*string_name*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_resolve_type ( krb5_context /*context*/, krb5_rcache */*id*/, const char */*type*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_store ( krb5_context /*context*/, krb5_rcache /*id*/, krb5_donot_replay */*rep*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_cred ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_data */*in_data*/, krb5_creds ***/*ret_creds*/, - krb5_replay_data */*out_data*/); + krb5_replay_data */*outdata*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_cred2 ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_ccache /*ccache*/, krb5_data */*in_data*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_error ( krb5_context /*context*/, - krb5_data */*msg*/, + const krb5_data */*msg*/, KRB_ERROR */*result*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_priv ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, const krb5_data */*inbuf*/, krb5_data */*outbuf*/, - void */*outdata*/); + krb5_replay_data */*outdata*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_rep ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, const krb5_data */*inbuf*/, krb5_ap_rep_enc_part **/*repl*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_req ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, @@ -2231,7 +3131,67 @@ krb5_rd_req ( krb5_flags */*ap_req_options*/, krb5_ticket **/*ticket*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req_ctx ( + krb5_context /*context*/, + krb5_auth_context */*auth_context*/, + const krb5_data */*inbuf*/, + krb5_const_principal /*server*/, + krb5_rd_req_in_ctx /*inctx*/, + krb5_rd_req_out_ctx */*outctx*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req_in_ctx_alloc ( + krb5_context /*context*/, + krb5_rd_req_in_ctx */*ctx*/); + +void KRB5_LIB_FUNCTION +krb5_rd_req_in_ctx_free ( + krb5_context /*context*/, + krb5_rd_req_in_ctx /*ctx*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req_in_set_keyblock ( + krb5_context /*context*/, + krb5_rd_req_in_ctx /*in*/, + krb5_keyblock */*keyblock*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req_in_set_keytab ( + krb5_context /*context*/, + krb5_rd_req_in_ctx /*in*/, + krb5_keytab /*keytab*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req_in_set_pac_check ( + krb5_context /*context*/, + krb5_rd_req_in_ctx /*in*/, + krb5_boolean /*flag*/); + +void KRB5_LIB_FUNCTION +krb5_rd_req_out_ctx_free ( + krb5_context /*context*/, + krb5_rd_req_out_ctx /*ctx*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req_out_get_ap_req_options ( + krb5_context /*context*/, + krb5_rd_req_out_ctx /*out*/, + krb5_flags */*ap_req_options*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req_out_get_keyblock ( + krb5_context /*context*/, + krb5_rd_req_out_ctx /*out*/, + krb5_keyblock **/*keyblock*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req_out_get_ticket ( + krb5_context /*context*/, + krb5_rd_req_out_ctx /*out*/, + krb5_ticket **/*ticket*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_req_with_keyblock ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, @@ -2241,41 +3201,41 @@ krb5_rd_req_with_keyblock ( krb5_flags */*ap_req_options*/, krb5_ticket **/*ticket*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_safe ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, const krb5_data */*inbuf*/, krb5_data */*outbuf*/, - void */*outdata*/); + krb5_replay_data */*outdata*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_read_message ( krb5_context /*context*/, krb5_pointer /*p_fd*/, krb5_data */*data*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_read_priv_message ( krb5_context /*context*/, krb5_auth_context /*ac*/, krb5_pointer /*p_fd*/, krb5_data */*data*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_read_safe_message ( krb5_context /*context*/, krb5_auth_context /*ac*/, krb5_pointer /*p_fd*/, krb5_data */*data*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_realm_compare ( krb5_context /*context*/, krb5_const_principal /*princ1*/, krb5_const_principal /*princ2*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_recvauth ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, @@ -2286,7 +3246,7 @@ krb5_recvauth ( krb5_keytab /*keytab*/, krb5_ticket **/*ticket*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_recvauth_match_version ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, @@ -2298,79 +3258,104 @@ krb5_recvauth_match_version ( krb5_keytab /*keytab*/, krb5_ticket **/*ticket*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_address ( krb5_storage */*sp*/, krb5_address */*adr*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_addrs ( krb5_storage */*sp*/, krb5_addresses */*adr*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_authdata ( krb5_storage */*sp*/, krb5_authdata */*auth*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_creds ( krb5_storage */*sp*/, krb5_creds */*creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_ret_creds_tag ( + krb5_storage */*sp*/, + krb5_creds */*creds*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_data ( krb5_storage */*sp*/, krb5_data */*data*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_int16 ( krb5_storage */*sp*/, int16_t */*value*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_int32 ( krb5_storage */*sp*/, int32_t */*value*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_int8 ( krb5_storage */*sp*/, int8_t */*value*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_keyblock ( krb5_storage */*sp*/, krb5_keyblock */*p*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_principal ( krb5_storage */*sp*/, krb5_principal */*princ*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_string ( krb5_storage */*sp*/, char **/*string*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_ret_stringnl ( + krb5_storage */*sp*/, + char **/*string*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_stringz ( krb5_storage */*sp*/, char **/*string*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_times ( krb5_storage */*sp*/, krb5_times */*times*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_ret_uint16 ( + krb5_storage */*sp*/, + uint16_t */*value*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_ret_uint32 ( + krb5_storage */*sp*/, + uint32_t */*value*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_ret_uint8 ( + krb5_storage */*sp*/, + uint8_t */*value*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_salttype_to_string ( krb5_context /*context*/, krb5_enctype /*etype*/, krb5_salttype /*stype*/, char **/*string*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_sendauth ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, @@ -2386,96 +3371,155 @@ krb5_sendauth ( krb5_ap_rep_enc_part **/*rep_result*/, krb5_creds **/*out_creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_sendto ( krb5_context /*context*/, const krb5_data */*send_data*/, krb5_krbhst_handle /*handle*/, krb5_data */*receive*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_sendto_context ( + krb5_context /*context*/, + krb5_sendto_ctx /*ctx*/, + const krb5_data */*send_data*/, + const krb5_realm /*realm*/, + krb5_data */*receive*/); + +void KRB5_LIB_FUNCTION +krb5_sendto_ctx_add_flags ( + krb5_sendto_ctx /*ctx*/, + int /*flags*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_sendto_ctx_alloc ( + krb5_context /*context*/, + krb5_sendto_ctx */*ctx*/); + +void KRB5_LIB_FUNCTION +krb5_sendto_ctx_free ( + krb5_context /*context*/, + krb5_sendto_ctx /*ctx*/); + +int KRB5_LIB_FUNCTION +krb5_sendto_ctx_get_flags (krb5_sendto_ctx /*ctx*/); + +void KRB5_LIB_FUNCTION +krb5_sendto_ctx_set_func ( + krb5_sendto_ctx /*ctx*/, + krb5_sendto_ctx_func /*func*/, + void */*data*/); + +void KRB5_LIB_FUNCTION +krb5_sendto_ctx_set_type ( + krb5_sendto_ctx /*ctx*/, + int /*type*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_sendto_kdc ( krb5_context /*context*/, const krb5_data */*send_data*/, const krb5_realm */*realm*/, krb5_data */*receive*/); -krb5_error_code -krb5_sendto_kdc2 ( +krb5_error_code KRB5_LIB_FUNCTION +krb5_sendto_kdc_flags ( krb5_context /*context*/, const krb5_data */*send_data*/, const krb5_realm */*realm*/, krb5_data */*receive*/, - krb5_boolean /*master*/); + int /*flags*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_config_files ( krb5_context /*context*/, char **/*filenames*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_default_in_tkt_etypes ( krb5_context /*context*/, const krb5_enctype */*etypes*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_default_realm ( krb5_context /*context*/, const char */*realm*/); -krb5_error_code +void KRB5_LIB_FUNCTION +krb5_set_dns_canonicalize_hostname ( + krb5_context /*context*/, + krb5_boolean /*flag*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_set_error_string ( krb5_context /*context*/, const char */*fmt*/, ...) __attribute__((format (printf, 2, 3))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_extra_addresses ( krb5_context /*context*/, const krb5_addresses */*addresses*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_fcache_version ( krb5_context /*context*/, int /*version*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_ignore_addresses ( krb5_context /*context*/, const krb5_addresses */*addresses*/); -krb5_error_code +void KRB5_LIB_FUNCTION +krb5_set_max_time_skew ( + krb5_context /*context*/, + time_t /*t*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_set_password ( krb5_context /*context*/, krb5_creds */*creds*/, - char */*newpw*/, + const char */*newpw*/, krb5_principal /*targprinc*/, int */*result_code*/, krb5_data */*result_code_string*/, krb5_data */*result_string*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_password_using_ccache ( krb5_context /*context*/, krb5_ccache /*ccache*/, - char */*newpw*/, + const char */*newpw*/, krb5_principal /*targprinc*/, int */*result_code*/, krb5_data */*result_code_string*/, krb5_data */*result_string*/); -void +krb5_error_code KRB5_LIB_FUNCTION +krb5_set_real_time ( + krb5_context /*context*/, + krb5_timestamp /*sec*/, + int32_t /*usec*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_set_send_to_kdc_func ( + krb5_context /*context*/, + krb5_send_to_kdc_func /*func*/, + void */*data*/); + +void KRB5_LIB_FUNCTION krb5_set_use_admin_kdc ( krb5_context /*context*/, krb5_boolean /*flag*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_warn_dest ( krb5_context /*context*/, krb5_log_facility */*fac*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_sname_to_principal ( krb5_context /*context*/, const char */*hostname*/, @@ -2483,7 +3527,7 @@ krb5_sname_to_principal ( int32_t /*type*/, krb5_principal */*ret_princ*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_sock_to_principal ( krb5_context /*context*/, int /*sock*/, @@ -2491,174 +3535,204 @@ krb5_sock_to_principal ( int32_t /*type*/, krb5_principal */*ret_princ*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_sockaddr2address ( krb5_context /*context*/, const struct sockaddr */*sa*/, krb5_address */*addr*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_sockaddr2port ( krb5_context /*context*/, const struct sockaddr */*sa*/, int16_t */*port*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_sockaddr_uninteresting (const struct sockaddr */*sa*/); -void +void KRB5_LIB_FUNCTION krb5_std_usage ( int /*code*/, struct getargs */*args*/, int /*num_args*/); -void +void KRB5_LIB_FUNCTION krb5_storage_clear_flags ( krb5_storage */*sp*/, krb5_flags /*flags*/); -krb5_storage * +krb5_storage * KRB5_LIB_FUNCTION krb5_storage_emem (void); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_storage_free (krb5_storage */*sp*/); -krb5_storage * +krb5_storage * KRB5_LIB_FUNCTION krb5_storage_from_data (krb5_data */*data*/); -krb5_storage * +krb5_storage * KRB5_LIB_FUNCTION krb5_storage_from_fd (int /*fd*/); -krb5_storage * +krb5_storage * KRB5_LIB_FUNCTION krb5_storage_from_mem ( void */*buf*/, size_t /*len*/); -krb5_flags +krb5_storage * KRB5_LIB_FUNCTION +krb5_storage_from_readonly_mem ( + const void */*buf*/, + size_t /*len*/); + +krb5_flags KRB5_LIB_FUNCTION krb5_storage_get_byteorder ( krb5_storage */*sp*/, krb5_flags /*byteorder*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_storage_is_flags ( krb5_storage */*sp*/, krb5_flags /*flags*/); -krb5_ssize_t +krb5_ssize_t KRB5_LIB_FUNCTION krb5_storage_read ( krb5_storage */*sp*/, void */*buf*/, size_t /*len*/); -off_t +off_t KRB5_LIB_FUNCTION krb5_storage_seek ( krb5_storage */*sp*/, off_t /*offset*/, int /*whence*/); -void +void KRB5_LIB_FUNCTION krb5_storage_set_byteorder ( krb5_storage */*sp*/, krb5_flags /*byteorder*/); -void +void KRB5_LIB_FUNCTION krb5_storage_set_eof_code ( krb5_storage */*sp*/, int /*code*/); -void +void KRB5_LIB_FUNCTION krb5_storage_set_flags ( krb5_storage */*sp*/, krb5_flags /*flags*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_storage_to_data ( krb5_storage */*sp*/, krb5_data */*data*/); -krb5_ssize_t +krb5_ssize_t KRB5_LIB_FUNCTION krb5_storage_write ( krb5_storage */*sp*/, const void */*buf*/, size_t /*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_address ( krb5_storage */*sp*/, krb5_address /*p*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_addrs ( krb5_storage */*sp*/, krb5_addresses /*p*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_authdata ( krb5_storage */*sp*/, krb5_authdata /*auth*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_creds ( krb5_storage */*sp*/, krb5_creds */*creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_store_creds_tag ( + krb5_storage */*sp*/, + krb5_creds */*creds*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_store_data ( krb5_storage */*sp*/, krb5_data /*data*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_int16 ( krb5_storage */*sp*/, int16_t /*value*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_int32 ( krb5_storage */*sp*/, int32_t /*value*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_int8 ( krb5_storage */*sp*/, int8_t /*value*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_keyblock ( krb5_storage */*sp*/, krb5_keyblock /*p*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_principal ( krb5_storage */*sp*/, - krb5_principal /*p*/); + krb5_const_principal /*p*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_string ( krb5_storage */*sp*/, const char */*s*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_store_stringnl ( + krb5_storage */*sp*/, + const char */*s*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_store_stringz ( krb5_storage */*sp*/, const char */*s*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_times ( krb5_storage */*sp*/, krb5_times /*times*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_store_uint16 ( + krb5_storage */*sp*/, + uint16_t /*value*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_store_uint32 ( + krb5_storage */*sp*/, + uint32_t /*value*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_store_uint8 ( + krb5_storage */*sp*/, + uint8_t /*value*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_deltat ( const char */*string*/, krb5_deltat */*deltat*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_enctype ( krb5_context /*context*/, const char */*string*/, krb5_enctype */*etype*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key ( krb5_context /*context*/, krb5_enctype /*enctype*/, @@ -2666,7 +3740,7 @@ krb5_string_to_key ( krb5_principal /*principal*/, krb5_keyblock */*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_data ( krb5_context /*context*/, krb5_enctype /*enctype*/, @@ -2674,7 +3748,7 @@ krb5_string_to_key_data ( krb5_principal /*principal*/, krb5_keyblock */*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_data_salt ( krb5_context /*context*/, krb5_enctype /*enctype*/, @@ -2682,7 +3756,7 @@ krb5_string_to_key_data_salt ( krb5_salt /*salt*/, krb5_keyblock */*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_data_salt_opaque ( krb5_context /*context*/, krb5_enctype /*enctype*/, @@ -2691,7 +3765,7 @@ krb5_string_to_key_data_salt_opaque ( krb5_data /*opaque*/, krb5_keyblock */*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_derived ( krb5_context /*context*/, const void */*str*/, @@ -2699,7 +3773,7 @@ krb5_string_to_key_derived ( krb5_enctype /*etype*/, krb5_keyblock */*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_salt ( krb5_context /*context*/, krb5_enctype /*enctype*/, @@ -2707,57 +3781,105 @@ krb5_string_to_key_salt ( krb5_salt /*salt*/, krb5_keyblock */*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_string_to_key_salt_opaque ( + krb5_context /*context*/, + krb5_enctype /*enctype*/, + const char */*password*/, + krb5_salt /*salt*/, + krb5_data /*opaque*/, + krb5_keyblock */*key*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_keytype ( krb5_context /*context*/, const char */*string*/, krb5_keytype */*keytype*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_salttype ( krb5_context /*context*/, krb5_enctype /*etype*/, const char */*string*/, krb5_salttype */*salttype*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_ticket_get_authorization_data_type ( + krb5_context /*context*/, + krb5_ticket */*ticket*/, + int /*type*/, + krb5_data */*data*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_ticket_get_client ( + krb5_context /*context*/, + const krb5_ticket */*ticket*/, + krb5_principal */*client*/); + +time_t KRB5_LIB_FUNCTION +krb5_ticket_get_endtime ( + krb5_context /*context*/, + const krb5_ticket */*ticket*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_ticket_get_server ( + krb5_context /*context*/, + const krb5_ticket */*ticket*/, + krb5_principal */*server*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_timeofday ( krb5_context /*context*/, krb5_timestamp */*timeret*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_unparse_name ( krb5_context /*context*/, krb5_const_principal /*principal*/, char **/*name*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_unparse_name_fixed ( krb5_context /*context*/, krb5_const_principal /*principal*/, char */*name*/, size_t /*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_unparse_name_fixed_flags ( + krb5_context /*context*/, + krb5_const_principal /*principal*/, + int /*flags*/, + char */*name*/, + size_t /*len*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_unparse_name_fixed_short ( krb5_context /*context*/, krb5_const_principal /*principal*/, char */*name*/, size_t /*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_unparse_name_flags ( + krb5_context /*context*/, + krb5_const_principal /*principal*/, + int /*flags*/, + char **/*name*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_unparse_name_short ( krb5_context /*context*/, krb5_const_principal /*principal*/, char **/*name*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_us_timeofday ( krb5_context /*context*/, - int32_t */*sec*/, + krb5_timestamp */*sec*/, int32_t */*usec*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vabort ( krb5_context /*context*/, krb5_error_code /*code*/, @@ -2765,14 +3887,14 @@ krb5_vabort ( va_list /*ap*/) __attribute__ ((noreturn, format (printf, 3, 0))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vabortx ( krb5_context /*context*/, const char */*fmt*/, va_list /*ap*/) __attribute__ ((noreturn, format (printf, 2, 0))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_ap_req ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, @@ -2783,7 +3905,7 @@ krb5_verify_ap_req ( krb5_flags */*ap_req_options*/, krb5_ticket **/*ticket*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_ap_req2 ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, @@ -2795,14 +3917,14 @@ krb5_verify_ap_req2 ( krb5_ticket **/*ticket*/, krb5_key_usage /*usage*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_authenticator_checksum ( krb5_context /*context*/, krb5_auth_context /*ac*/, void */*data*/, size_t /*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_checksum ( krb5_context /*context*/, krb5_crypto /*crypto*/, @@ -2811,7 +3933,7 @@ krb5_verify_checksum ( size_t /*len*/, Checksum */*cksum*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_init_creds ( krb5_context /*context*/, krb5_creds */*creds*/, @@ -2820,43 +3942,51 @@ krb5_verify_init_creds ( krb5_ccache */*ccache*/, krb5_verify_init_creds_opt */*options*/); -void +void KRB5_LIB_FUNCTION krb5_verify_init_creds_opt_init (krb5_verify_init_creds_opt */*options*/); -void +void KRB5_LIB_FUNCTION krb5_verify_init_creds_opt_set_ap_req_nofail ( krb5_verify_init_creds_opt */*options*/, int /*ap_req_nofail*/); -void +int KRB5_LIB_FUNCTION +krb5_verify_opt_alloc ( + krb5_context /*context*/, + krb5_verify_opt **/*opt*/); + +void KRB5_LIB_FUNCTION +krb5_verify_opt_free (krb5_verify_opt */*opt*/); + +void KRB5_LIB_FUNCTION krb5_verify_opt_init (krb5_verify_opt */*opt*/); -void +void KRB5_LIB_FUNCTION krb5_verify_opt_set_ccache ( krb5_verify_opt */*opt*/, krb5_ccache /*ccache*/); -void +void KRB5_LIB_FUNCTION krb5_verify_opt_set_flags ( krb5_verify_opt */*opt*/, unsigned int /*flags*/); -void +void KRB5_LIB_FUNCTION krb5_verify_opt_set_keytab ( krb5_verify_opt */*opt*/, krb5_keytab /*keytab*/); -void +void KRB5_LIB_FUNCTION krb5_verify_opt_set_secure ( krb5_verify_opt */*opt*/, krb5_boolean /*secure*/); -void +void KRB5_LIB_FUNCTION krb5_verify_opt_set_service ( krb5_verify_opt */*opt*/, const char */*service*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_user ( krb5_context /*context*/, krb5_principal /*principal*/, @@ -2865,7 +3995,7 @@ krb5_verify_user ( krb5_boolean /*secure*/, const char */*service*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_user_lrealm ( krb5_context /*context*/, krb5_principal /*principal*/, @@ -2874,14 +4004,14 @@ krb5_verify_user_lrealm ( krb5_boolean /*secure*/, const char */*service*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_user_opt ( krb5_context /*context*/, krb5_principal /*principal*/, const char */*password*/, krb5_verify_opt */*opt*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verr ( krb5_context /*context*/, int /*eval*/, @@ -2890,7 +4020,7 @@ krb5_verr ( va_list /*ap*/) __attribute__ ((noreturn, format (printf, 4, 0))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verrx ( krb5_context /*context*/, int /*eval*/, @@ -2898,7 +4028,7 @@ krb5_verrx ( va_list /*ap*/) __attribute__ ((noreturn, format (printf, 3, 0))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vlog ( krb5_context /*context*/, krb5_log_facility */*fac*/, @@ -2907,7 +4037,7 @@ krb5_vlog ( va_list /*ap*/) __attribute__((format (printf, 4, 0))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vlog_msg ( krb5_context /*context*/, krb5_log_facility */*fac*/, @@ -2917,14 +4047,14 @@ krb5_vlog_msg ( va_list /*ap*/) __attribute__((format (printf, 5, 0))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vset_error_string ( krb5_context /*context*/, const char */*fmt*/, va_list /*args*/) __attribute__ ((format (printf, 2, 0))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vwarn ( krb5_context /*context*/, krb5_error_code /*code*/, @@ -2932,14 +4062,14 @@ krb5_vwarn ( va_list /*ap*/) __attribute__ ((format (printf, 3, 0))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vwarnx ( krb5_context /*context*/, const char */*fmt*/, va_list /*ap*/) __attribute__ ((format (printf, 2, 0))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_warn ( krb5_context /*context*/, krb5_error_code /*code*/, @@ -2947,40 +4077,38 @@ krb5_warn ( ...) __attribute__ ((format (printf, 3, 4))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_warnx ( krb5_context /*context*/, const char */*fmt*/, ...) __attribute__ ((format (printf, 2, 3))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_write_message ( krb5_context /*context*/, krb5_pointer /*p_fd*/, krb5_data */*data*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_write_priv_message ( krb5_context /*context*/, krb5_auth_context /*ac*/, krb5_pointer /*p_fd*/, krb5_data */*data*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_write_safe_message ( krb5_context /*context*/, krb5_auth_context /*ac*/, krb5_pointer /*p_fd*/, krb5_data */*data*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_xfree (void */*ptr*/); -krb5_error_code -principalname2krb5_principal ( - krb5_principal */*principal*/, - const PrincipalName /*from*/, - const Realm /*realm*/); +#ifdef __cplusplus +} +#endif #endif /* __krb5_protos_h__ */ diff --git a/crypto/heimdal/lib/krb5/krb5-v4compat.h b/crypto/heimdal/lib/krb5/krb5-v4compat.h index 2f89281ed20d..dfd7e944607f 100644 --- a/crypto/heimdal/lib/krb5/krb5-v4compat.h +++ b/crypto/heimdal/lib/krb5/krb5-v4compat.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -31,11 +31,13 @@ * SUCH DAMAGE. */ -/* $Id: krb5-v4compat.h,v 1.2 2003/03/18 03:08:20 lha Exp $ */ +/* $Id: krb5-v4compat.h 21575 2007-07-16 07:44:54Z lha $ */ #ifndef __KRB5_V4COMPAT_H__ #define __KRB5_V4COMPAT_H__ +#include "krb_err.h" + /* * This file must only be included with v4 compat glue stuff in * heimdal sources. @@ -43,6 +45,26 @@ * It MUST NOT be installed. */ +#define KRB_PROT_VERSION 4 + +#define AUTH_MSG_KDC_REQUEST (1<<1) +#define AUTH_MSG_KDC_REPLY (2<<1) +#define AUTH_MSG_APPL_REQUEST (3<<1) +#define AUTH_MSG_APPL_REQUEST_MUTUAL (4<<1) +#define AUTH_MSG_ERR_REPLY (5<<1) +#define AUTH_MSG_PRIVATE (6<<1) +#define AUTH_MSG_SAFE (7<<1) +#define AUTH_MSG_APPL_ERR (8<<1) +#define AUTH_MSG_KDC_FORWARD (9<<1) +#define AUTH_MSG_KDC_RENEW (10<<1) +#define AUTH_MSG_DIE (63<<1) + +/* General definitions */ +#define KSUCCESS 0 +#define KFAILURE 255 + +/* */ + #define MAX_KTXT_LEN 1250 #define ANAME_SZ 40 @@ -53,14 +75,14 @@ struct ktext { unsigned int length; /* Length of the text */ unsigned char dat[MAX_KTXT_LEN]; /* The data itself */ - u_int32_t mbz; /* zero to catch runaway strings */ + uint32_t mbz; /* zero to catch runaway strings */ }; struct credentials { char service[ANAME_SZ]; /* Service name */ char instance[INST_SZ]; /* Instance */ char realm[REALM_SZ]; /* Auth domain */ - des_cblock session; /* Session key */ + char session[8]; /* Session key */ int lifetime; /* Lifetime */ int kvno; /* Key version number */ struct ktext ticket_st; /* The ticket itself */ @@ -69,7 +91,6 @@ struct credentials { char pinst[INST_SZ]; /* Principal's instance */ }; - #define TKTLIFENUMFIXED 64 #define TKTLIFEMINFIXED 0x80 #define TKTLIFEMAXFIXED 0xBF @@ -81,11 +102,29 @@ struct credentials { #define KERB_ERR_NULL_KEY 10 -int -_krb5_krb_time_to_life(time_t start, time_t end); +#define CLOCK_SKEW 5*60 + +#ifndef TKT_ROOT +#define TKT_ROOT "/tmp/tkt" +#endif + +struct _krb5_krb_auth_data { + int8_t k_flags; /* Flags from ticket */ + char *pname; /* Principal's name */ + char *pinst; /* His Instance */ + char *prealm; /* His Realm */ + uint32_t checksum; /* Data checksum (opt) */ + krb5_keyblock session; /* Session Key */ + unsigned char life; /* Life of ticket */ + uint32_t time_sec; /* Time ticket issued */ + uint32_t address; /* Address in ticket */ +}; -time_t -_krb5_krb_life_to_time(int start, int life_); +time_t _krb5_krb_life_to_time (int, int); +int _krb5_krb_time_to_life (time_t, time_t); +krb5_error_code _krb5_krb_tf_setup (krb5_context, struct credentials *, + const char *, int); +krb5_error_code _krb5_krb_dest_tkt(krb5_context, const char *); #define krb_time_to_life _krb5_krb_time_to_life #define krb_life_to_time _krb5_krb_life_to_time diff --git a/crypto/heimdal/lib/krb5/krb5.3 b/crypto/heimdal/lib/krb5/krb5.3 index 8e169a0ca67f..3ce8c1fe9c11 100644 --- a/crypto/heimdal/lib/krb5/krb5.3 +++ b/crypto/heimdal/lib/krb5/krb5.3 @@ -1,57 +1,68 @@ -.\" Copyright (c) 2001, 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 2001, 2003 - 2006 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.Dd March 20, 2003 +.\" $Id: krb5.3 18212 2006-10-03 10:39:35Z lha $ +.\" +.Dd May 1, 2006 .Dt KRB5 3 .Os .Sh NAME .Nm krb5 -.Nd kerberos 5 library +.Nd Kerberos 5 library .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h .Sh DESCRIPTION These functions constitute the Kerberos 5 library, .Em libkrb5 . -Declarations for these functions may be obtained from the include file -.Pa krb5.h . .Sh LIST OF FUNCTIONS .sp 2 .nf -.ta \w'krb5_checksum_is_collision_proof.3'u+2n +\w'Description goes here'u +.ta \w'krb5_ticket_get_authorization_data_type.3'u+2n +\w'Description goes here'u \fIName/Page\fP \fIDescription\fP -.ta \w'krb5_checksum_is_collision_proof.3'u+2n +\w'Description goes here'u+6nC +.ta \w'krb5_ticket_get_authorization_data_type.3'u+2n +\w'Description goes here'u+6nC .sp 5p +krb524_convert_creds_kdc.3 +krb524_convert_creds_kdc_cache.3 krb5_425_conv_principal.3 krb5_425_conv_principal_ext.3 krb5_524_conv_principal.3 +krb5_abort.3 +krb5_abortx.3 +krb5_acl_match_file.3 +krb5_acl_match_string.3 +krb5_add_et_list.3 +krb5_add_extra_addresses.3 +krb5_add_ignore_addresses.3 krb5_addlog_dest.3 krb5_addlog_func.3 krb5_addr2sockaddr.3 @@ -60,45 +71,68 @@ krb5_address_compare.3 krb5_address_order.3 krb5_address_search.3 krb5_addresses.3 +krb5_aname_to_localname.3 krb5_anyaddr.3 krb5_appdefault_boolean.3 krb5_appdefault_string.3 krb5_appdefault_time.3 krb5_append_addresses.3 +krb5_auth_con_addflags.3 krb5_auth_con_free.3 krb5_auth_con_genaddrs.3 +krb5_auth_con_generatelocalsubkey.3 krb5_auth_con_getaddrs.3 +krb5_auth_con_getauthenticator.3 +krb5_auth_con_getcksumtype.3 krb5_auth_con_getflags.3 krb5_auth_con_getkey.3 +krb5_auth_con_getkeytype.3 +krb5_auth_con_getlocalseqnumber.3 krb5_auth_con_getlocalsubkey.3 krb5_auth_con_getrcache.3 krb5_auth_con_getremotesubkey.3 krb5_auth_con_getuserkey.3 krb5_auth_con_init.3 krb5_auth_con_initivector.3 +krb5_auth_con_removeflags.3 krb5_auth_con_setaddrs.3 krb5_auth_con_setaddrs_from_fd.3 +krb5_auth_con_setcksumtype.3 krb5_auth_con_setflags.3 krb5_auth_con_setivector.3 krb5_auth_con_setkey.3 +krb5_auth_con_setkeytype.3 +krb5_auth_con_setlocalseqnumber.3 krb5_auth_con_setlocalsubkey.3 krb5_auth_con_setrcache.3 +krb5_auth_con_setremoteseqnumber.3 krb5_auth_con_setremotesubkey.3 krb5_auth_con_setuserkey.3 krb5_auth_context.3 -krb5_auth_getauthenticator.3 -krb5_auth_getcksumtype.3 -krb5_auth_getkeytype.3 -krb5_auth_getlocalseqnumber.3 krb5_auth_getremoteseqnumber.3 -krb5_auth_setcksumtype.3 -krb5_auth_setkeytype.3 -krb5_auth_setlocalseqnumber.3 -krb5_auth_setremoteseqnumber.3 krb5_build_principal.3 krb5_build_principal_ext.3 krb5_build_principal_va.3 krb5_build_principal_va_ext.3 +krb5_c_block_size.3 +krb5_c_checksum_length.3 +krb5_c_decrypt.3 +krb5_c_encrypt.3 +krb5_c_encrypt_length.3 +krb5_c_enctype_compare.3 +krb5_c_get_checksum.3 +krb5_c_is_coll_proof_cksum.3 +krb5_c_is_keyed_cksum.3 +krb5_c_make_checksum.3 +krb5_c_make_random_key.3 +krb5_c_set_checksum.3 +krb5_c_valid_cksumtype.3 +krb5_c_valid_enctype.3 +krb5_c_verify_checksum.3 +krb5_cc_cache_end_seq_get.3 +krb5_cc_cache_get_first.3 +krb5_cc_cache_match.3 +krb5_cc_cache_next.3 krb5_cc_close.3 krb5_cc_copy_cache.3 krb5_cc_default.3 @@ -106,11 +140,14 @@ krb5_cc_default_name.3 krb5_cc_destroy.3 krb5_cc_end_seq_get.3 krb5_cc_gen_new.3 +krb5_cc_get_full_name.3 krb5_cc_get_name.3 +krb5_cc_get_ops.3 krb5_cc_get_principal.3 krb5_cc_get_type.3 krb5_cc_get_version.3 krb5_cc_initialize.3 +krb5_cc_new_unique.3 krb5_cc_next_cred.3 krb5_cc_register.3 krb5_cc_remove_cred.3 @@ -119,20 +156,62 @@ krb5_cc_retrieve_cred.3 krb5_cc_set_default_name.3 krb5_cc_set_flags.3 krb5_cc_store_cred.3 +krb5_change_password.3 +krb5_check_transited.3 +krb5_check_transited_realms.3 +krb5_checksum_disable.3 +krb5_checksum_free.3 krb5_checksum_is_collision_proof.3 krb5_checksum_is_keyed.3 krb5_checksumsize.3 +krb5_clear_error_string.3 krb5_closelog.3 +krb5_config_file_free.3 +krb5_config_free_strings.3 +krb5_config_get.3 +krb5_config_get_bool.3 krb5_config_get_bool_default.3 +krb5_config_get_int.3 krb5_config_get_int_default.3 +krb5_config_get_list.3 +krb5_config_get_next.3 +krb5_config_get_string.3 krb5_config_get_string_default.3 +krb5_config_get_strings.3 +krb5_config_get_time.3 krb5_config_get_time_default.3 +krb5_config_parse_file.3 +krb5_config_parse_file_multi.3 +krb5_config_vget.3 +krb5_config_vget_bool.3 +krb5_config_vget_bool_default.3 +krb5_config_vget_int.3 +krb5_config_vget_int_default.3 +krb5_config_vget_list.3 +krb5_config_vget_next.3 +krb5_config_vget_string.3 +krb5_config_vget_string_default.3 +krb5_config_vget_strings.3 +krb5_config_vget_time.3 +krb5_config_vget_time_default.3 krb5_context.3 krb5_copy_address.3 krb5_copy_addresses.3 +krb5_copy_checksum.3 krb5_copy_data.3 +krb5_copy_host_realm.3 +krb5_copy_keyblock.3 +krb5_copy_keyblock_contents.3 +krb5_copy_principal.3 +krb5_copy_ticket.3 krb5_create_checksum.3 +krb5_creds.3 krb5_crypto_destroy.3 +krb5_crypto_get_checksum_type.3 +krb5_crypto_getblocksize.3 +krb5_crypto_getconfoundersize.3 +krb5_crypto_getenctype.3 +krb5_crypto_getpadsize.3 krb5_crypto_init.3 krb5_data_alloc.3 krb5_data_copy.3 @@ -141,36 +220,140 @@ krb5_data_realloc.3 krb5_data_zero.3 krb5_decrypt.3 krb5_decrypt_EncryptedData.3 +krb5_digest.3 +krb5_digest_alloc.3 +krb5_digest_free.3 +krb5_digest_get_a1_hash.3 +krb5_digest_get_client_binding.3 +krb5_digest_get_identifier.3 +krb5_digest_get_opaque.3 +krb5_digest_get_responseData.3 +krb5_digest_get_rsp.3 +krb5_digest_get_server_nonce.3 +krb5_digest_get_tickets.3 +krb5_digest_init_request.3 +krb5_digest_request.3 +krb5_digest_set_authentication_user.3 +krb5_digest_set_authid.3 +krb5_digest_set_client_nonce.3 +krb5_digest_set_digest.3 +krb5_digest_set_hostname.3 +krb5_digest_set_identifier.3 +krb5_digest_set_method.3 +krb5_digest_set_nonceCount.3 +krb5_digest_set_opaque.3 +krb5_digest_set_qop.3 +krb5_digest_set_realm.3 +krb5_digest_set_server_cb.3 +krb5_digest_set_server_nonce.3 +krb5_digest_set_type.3 +krb5_digest_set_uri.3 +krb5_digest_set_username.3 +krb5_domain_x500_decode.3 +krb5_domain_x500_encode.3 +krb5_eai_to_heim_errno.3 krb5_encrypt.3 krb5_encrypt_EncryptedData.3 +krb5_enctype_disable.3 +krb5_enctype_to_string.3 +krb5_enctype_valid.3 krb5_err.3 krb5_errx.3 +krb5_expand_hostname.3 +krb5_expand_hostname_realms.3 +krb5_find_padata.3 +krb5_format_time.3 krb5_free_address.3 krb5_free_addresses.3 +krb5_free_authenticator.3 +krb5_free_checksum.3 +krb5_free_checksum_contents.3 +krb5_free_config_files.3 krb5_free_context.3 krb5_free_data.3 krb5_free_data_contents.3 +krb5_free_error_string.3 krb5_free_host_realm.3 +krb5_free_kdc_rep.3 +krb5_free_keyblock.3 +krb5_free_keyblock_contents.3 krb5_free_krbhst.3 krb5_free_principal.3 +krb5_free_salt.3 +krb5_free_ticket.3 +krb5_fwd_tgt_creds.3 +krb5_generate_random_block.3 +krb5_generate_random_keyblock.3 +krb5_generate_subkey.3 krb5_get_all_client_addrs.3 krb5_get_all_server_addrs.3 +krb5_get_cred_from_kdc.3 +krb5_get_cred_from_kdc_opt.3 +krb5_get_credentials.3 +krb5_get_credentials_with_flags.3 +krb5_get_default_config_files.3 +krb5_get_default_principal.3 krb5_get_default_realm.3 krb5_get_default_realms.3 +krb5_get_err_text.3 +krb5_get_error_message.3 +krb5_get_error_string.3 +krb5_get_extra_addresses.3 +krb5_get_fcache_version.3 +krb5_get_forwarded_creds.3 krb5_get_host_realm.3 +krb5_get_ignore_addresses.3 +krb5_get_in_cred.3 +krb5_get_in_tkt.3 +krb5_get_in_tkt_with_keytab.3 +krb5_get_in_tkt_with_password.3 +krb5_get_in_tkt_with_skey.3 +krb5_get_init_creds.3 +krb5_get_init_creds_keytab.3 +krb5_get_init_creds_opt_alloc.3 +krb5_get_init_creds_opt_free.3 +krb5_get_init_creds_opt_free_pkinit.3 +krb5_get_init_creds_opt_init.3 +krb5_get_init_creds_opt_set_address_list.3 +krb5_get_init_creds_opt_set_anonymous.3 +krb5_get_init_creds_opt_set_default_flags.3 +krb5_get_init_creds_opt_set_etype_list.3 +krb5_get_init_creds_opt_set_forwardable.3 +krb5_get_init_creds_opt_set_pa_password.3 +krb5_get_init_creds_opt_set_paq_request.3 +krb5_get_init_creds_opt_set_pkinit.3 +krb5_get_init_creds_opt_set_preauth_list.3 +krb5_get_init_creds_opt_set_proxiable.3 +krb5_get_init_creds_opt_set_renew_life.3 +krb5_get_init_creds_opt_set_salt.3 +krb5_get_init_creds_opt_set_tkt_life.3 +krb5_get_init_creds_password.3 +krb5_get_kdc_cred.3 krb5_get_krb524hst.3 krb5_get_krb_admin_hst.3 krb5_get_krb_changepw_hst.3 krb5_get_krbhst.3 +krb5_get_pw_salt.3 +krb5_get_server_rcache.3 +krb5_get_use_admin_kdc.3 +krb5_get_wrapped_length.3 +krb5_getportbyname.3 krb5_h_addr2addr.3 krb5_h_addr2sockaddr.3 +krb5_h_errno_to_heim_errno.3 +krb5_have_error_string.3 +krb5_hmac.3 krb5_init_context.3 +krb5_init_ets.3 krb5_initlog.3 +krb5_keyblock_get_enctype.3 +krb5_keyblock_zero.3 krb5_keytab_entry.3 krb5_krbhst_format_string.3 krb5_krbhst_free.3 krb5_krbhst_get_addrinfo.3 krb5_krbhst_init.3 +krb5_krbhst_init_flags.3 krb5_krbhst_next.3 krb5_krbhst_next_as_string.3 krb5_krbhst_reset.3 @@ -179,13 +362,14 @@ krb5_kt_close.3 krb5_kt_compare.3 krb5_kt_copy_entry_contents.3 krb5_kt_cursor.3 -krb5_kt_cursor.3 krb5_kt_default.3 +krb5_kt_default_modify_name.3 krb5_kt_default_name.3 krb5_kt_end_seq_get.3 krb5_kt_free_entry.3 krb5_kt_get_entry.3 krb5_kt_get_name.3 +krb5_kt_get_type.3 krb5_kt_next_entry.3 krb5_kt_ops.3 krb5_kt_read_service_key.3 @@ -193,30 +377,132 @@ krb5_kt_register.3 krb5_kt_remove_entry.3 krb5_kt_resolve.3.3 krb5_kt_start_seq_get +krb5_kuserok.3 krb5_log.3 krb5_log_msg.3 krb5_make_addrport.3 krb5_make_principal.3 krb5_max_sockaddr_size.3 krb5_openlog.3 +krb5_padata_add.3 krb5_parse_address.3 krb5_parse_name.3 +krb5_passwd_result_to_string.3 +krb5_password_key_proc.3 +krb5_prepend_config_files.3 +krb5_prepend_config_files_default.3 +krb5_princ_realm.3 +krb5_princ_set_realm.3 krb5_principal.3 +krb5_principal_compare.3 +krb5_principal_compare_any_realm.3 krb5_principal_get_comp_string.3 krb5_principal_get_realm.3 +krb5_principal_get_type.3 +krb5_principal_match.3 +krb5_principal_set_type.3 krb5_print_address.3 +krb5_rc_close.3 +krb5_rc_default.3 +krb5_rc_default_name.3 +krb5_rc_default_type.3 +krb5_rc_destroy.3 +krb5_rc_expunge.3 +krb5_rc_get_lifespan.3 +krb5_rc_get_name.3 +krb5_rc_get_type.3 +krb5_rc_initialize.3 +krb5_rc_recover.3 +krb5_rc_resolve.3 +krb5_rc_resolve_full.3 +krb5_rc_resolve_type.3 +krb5_rc_store.3 +krb5_rcache.3 +krb5_realm_compare.3 +krb5_ret_address.3 +krb5_ret_addrs.3 +krb5_ret_authdata.3 +krb5_ret_creds.3 +krb5_ret_data.3 +krb5_ret_int16.3 +krb5_ret_int32.3 +krb5_ret_int8.3 +krb5_ret_keyblock.3 +krb5_ret_principal.3 +krb5_ret_string.3 +krb5_ret_stringz.3 +krb5_ret_times.3 +krb5_set_config_files.3 krb5_set_default_realm.3 +krb5_set_error_string.3 +krb5_set_extra_addresses.3 +krb5_set_fcache_version.3 +krb5_set_ignore_addresses.3 +krb5_set_password.3 +krb5_set_password_using_ccache.3 +krb5_set_real_time.3 +krb5_set_use_admin_kdc.3 krb5_set_warn_dest.3 krb5_sname_to_principal.3 krb5_sock_to_principal.3 krb5_sockaddr2address.3 krb5_sockaddr2port.3 krb5_sockaddr_uninteresting.3 +krb5_storage.3 +krb5_storage_clear_flags.3 +krb5_storage_emem.3 +krb5_storage_free.3 +krb5_storage_from_data.3 +krb5_storage_from_fd.3 +krb5_storage_from_mem.3 +krb5_storage_get_byteorder.3 +krb5_storage_is_flags.3 +krb5_storage_read.3 +krb5_storage_seek.3 +krb5_storage_set_byteorder.3 +krb5_storage_set_eof_code.3 +krb5_storage_set_flags.3 +krb5_storage_to_data.3 +krb5_storage_write.3 +krb5_store_address.3 +krb5_store_addrs.3 +krb5_store_authdata.3 +krb5_store_creds.3 +krb5_store_data.3 +krb5_store_int16.3 +krb5_store_int32.3 +krb5_store_int8.3 +krb5_store_keyblock.3 +krb5_store_principal.3 +krb5_store_string.3 +krb5_store_stringz.3 +krb5_store_times.3 +krb5_string_to_deltat.3 +krb5_string_to_enctype.3 +krb5_string_to_key.3 +krb5_string_to_key_data.3 +krb5_string_to_key_data_salt.3 +krb5_string_to_key_data_salt_opaque.3 +krb5_string_to_key_salt.3 +krb5_string_to_key_salt_opaque.3 +krb5_ticket.3 +krb5_ticket_get_authorization_data_type.3 +krb5_ticket_get_client.3 +krb5_ticket_get_server.3 krb5_timeofday.3 krb5_unparse_name.3 +krb5_unparse_name_fixed.3 +krb5_unparse_name_fixed_short.3 +krb5_unparse_name_short.3 krb5_us_timeofday.3 +krb5_vabort.3 +krb5_vabortx.3 krb5_verify_checksum.3 +krb5_verify_init_creds.3 +krb5_verify_init_creds_opt_init.3 +krb5_verify_init_creds_opt_set_ap_req_nofail.3 krb5_verify_opt_init.3 +krb5_verify_opt_set_ccache.3 krb5_verify_opt_set_flags.3 krb5_verify_opt_set_keytab.3 krb5_verify_opt_set_secure.3 @@ -228,11 +514,11 @@ krb5_verr.3 krb5_verrx.3 krb5_vlog.3 krb5_vlog_msg.3 +krb5_vset_error_string.3 krb5_vwarn.3 krb5_vwarnx.3 krb5_warn.3 krb5_warnx.3 -krn5_kuserok.3 .ta .Fi .Sh SEE ALSO diff --git a/crypto/heimdal/lib/krb5/krb5.conf.5 b/crypto/heimdal/lib/krb5/krb5.conf.5 index c9f8771c8a9d..ceb16a401aa6 100644 --- a/crypto/heimdal/lib/krb5/krb5.conf.5 +++ b/crypto/heimdal/lib/krb5/krb5.conf.5 @@ -1,4 +1,4 @@ -.\" Copyright (c) 1999 - 2004 Kungliga Tekniska Högskolan +.\" Copyright (c) 1999 - 2005 Kungliga Tekniska Högskolan .\" (Royal Institute of Technology, Stockholm, Sweden). .\" All rights reserved. .\" @@ -29,9 +29,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $Id: krb5.conf.5,v 1.35.2.2 2004/03/09 19:52:07 lha Exp $ +.\" $Id: krb5.conf.5 15514 2005-06-23 18:43:34Z lha $ .\" -.Dd March 9, 2004 +.Dd May 4, 2005 .Dt KRB5.CONF 5 .Os HEIMDAL .Sh NAME @@ -88,6 +88,7 @@ values can be either yes/true or no/false. .It time values can be a list of year, month, day, hour, min, second. Example: 1 month 2 days 30 min. +If no unit is given, seconds is assumed. .It etypes valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc-md5, des3-cbc-sha1, arcfour-hmac-md5, aes128-cts-hmac-sha1-96, and @@ -148,8 +149,8 @@ times. Default is 300 seconds (five minutes). .It Li kdc_timeout = Va time Maximum time to wait for a reply from the kdc, default is 3 seconds. -.It v4_name_convert -.It v4_instance_resolve +.It Li v4_name_convert +.It Li v4_instance_resolve These are described in the .Xr krb5_425_conv_principal 3 manual page. @@ -162,6 +163,12 @@ manual page. This is deprecated, see the .Li capaths section below. +.It Li default_cc_name = Va ccname +the default credentials cache name. +The string can contain variables that are expanded on runtime. +Only support variable now is +.Li %{uid} +that expands to the current user id. .It Li default_etypes = Va etypes ... A list of default encryption types to use. .It Li default_etypes_des = Va etypes ... @@ -178,6 +185,9 @@ Try to keep track of the time differential between the local machine and the KDC, and then compensate for that when issuing requests. .It Li max_retries = Va number The max number of times to try to contact each KDC. +.It Li large_msg_size = Va number +The threshold where protocols with tiny maximum message sizes are not +considered usable to send messages to the KDC. .It Li ticket_lifetime = Va time Default ticket lifetime. .It Li renew_lifetime = Va time @@ -241,6 +251,13 @@ Each binding in this section looks like: The domain can be either a full name of a host or a trailing component, in the latter case the domain-string should start with a period. +The trailing component only matches hosts that are in the same domain, ie +.Dq .example.com +matches +.Dq foo.example.com , +but not +.Dq foo.test.example.com . +.Pp The realm may be the token `dns_locate', in which case the actual realm will be determined using DNS (independently of the setting of the `dns_lookup_realm' option). @@ -330,72 +347,94 @@ manual page for a list of defined destinations. .El .It Li [kdc] .Bl -tag -width "xxx" -offset indent -.It database Li = { +.It Li database Li = { .Bl -tag -width "xxx" -offset indent -.It dbname Li = Va DATABASENAME +.It Li dbname Li = Va DATABASENAME Use this database for this realm. -.It realm Li = Va REALM +See the info documetation how to configure diffrent database backends. +.It Li realm Li = Va REALM Specifies the realm that will be stored in this database. -.It mkey_file Li = Pa FILENAME +It realm isn't set, it will used as the default database, there can +only be one entry that doesn't have a +.Li realm +stanza. +.It Li mkey_file Li = Pa FILENAME Use this keytab file for the master key of this database. If not specified .Va DATABASENAME Ns .mkey will be used. -.It acl_file Li = PA FILENAME +.It Li acl_file Li = PA FILENAME Use this file for the ACL list of this database. -.It log_file Li = Pa FILENAME +.It Li log_file Li = Pa FILENAME Use this file as the log of changes performed to the database. This file is used by .Nm ipropd-master for propagating changes to slaves. .El .It Li } -.It max-request = Va SIZE +.It Li max-request = Va SIZE Maximum size of a kdc request. -.It require-preauth = Va BOOL +.It Li require-preauth = Va BOOL If set pre-authentication is required. Since krb4 requests are not pre-authenticated they will be rejected. -.It ports = Va "list of ports" +.It Li ports = Va "list of ports" List of ports the kdc should listen to. -.It addresses = Va "list of interfaces" +.It Li addresses = Va "list of interfaces" List of addresses the kdc should bind to. -.It enable-kerberos4 = Va BOOL +.It Li enable-kerberos4 = Va BOOL Turn on Kerberos 4 support. -.It v4-realm = Va REALM +.It Li v4-realm = Va REALM To what realm v4 requests should be mapped. -.It enable-524 = Va BOOL +.It Li enable-524 = Va BOOL Should the Kerberos 524 converting facility be turned on. -Default is same as +Default is the same as .Va enable-kerberos4 . -.It enable-http = Va BOOL +.It Li enable-http = Va BOOL Should the kdc answer kdc-requests over http. -.It enable-kaserver = Va BOOL +.It Li enable-kaserver = Va BOOL If this kdc should emulate the AFS kaserver. -.It check-ticket-addresses = Va BOOL -verify the addresses in the tickets used in tgs requests. +.It Li check-ticket-addresses = Va BOOL +Verify the addresses in the tickets used in tgs requests. .\" XXX -.It allow-null-ticket-addresses = Va BOOL -Allow addresses-less tickets. +.It Li allow-null-ticket-addresses = Va BOOL +Allow address-less tickets. .\" XXX -.It allow-anonymous = Va BOOL +.It Li allow-anonymous = Va BOOL If the kdc is allowed to hand out anonymous tickets. -.It encode_as_rep_as_tgs_rep = Va BOOL +.It Li encode_as_rep_as_tgs_rep = Va BOOL Encode as-rep as tgs-rep tobe compatible with mistakes older DCE secd did. .\" XXX -.It kdc_warn_pwexpire = Va TIME +.It Li kdc_warn_pwexpire = Va TIME The time before expiration that the user should be warned that her password is about to expire. -.It logging = Va Logging +.It Li logging = Va Logging What type of logging the kdc should use, see also [logging]/kdc. -.It use_2b = Va principal list -List of principals to use AFS 2b tokens for. +.It Li use_2b = { +.Bl -tag -width "xxx" -offset indent +.It Va principal Li = Va BOOL +boolean value if the 524 daemon should return AFS 2b tokens for +.Fa principal . +.It ... +.El +.It Li } +.It Li hdb-ldap-structural-object Va structural object +If the LDAP backend is used for storing principals, this is the +structural object that will be used when creating and when reading +objects. +The default value is account . +.It Li hdb-ldap-create-base Va creation dn +is the dn that will be appended to the principal when creating entries. +Default value is the search dn. .El .It Li [kadmin] .Bl -tag -width "xxx" -offset indent -.It require-preauth = Va BOOL +.It Li require-preauth = Va BOOL If pre-authentication is required to talk to the kadmin server. -.It default_keys = Va keytypes... -for each entry in +.It Li password_lifetime = Va time +If a principal already have its password set for expiration, this is +the time it will be valid for after a change. +.It Li default_keys = Va keytypes... +For each entry in .Va default_keys try to parse it as a sequence of .Va etype:salttype:salt @@ -409,20 +448,34 @@ is omitted it means everything, and if string is omitted it means the default salt string (for that principal and encryption type). Additional special values of keytypes are: .Bl -tag -width "xxx" -offset indent -.It v5 +.It Li v5 The Kerberos 5 salt .Va pw-salt -.It v4 +.It Li v4 The Kerberos 4 salt .Va des:pw-salt: .El -.It use_v4_salt = Va BOOL +.It Li use_v4_salt = Va BOOL When true, this is the same as .Pp .Va default_keys = Va des3:pw-salt Va v4 .Pp and is only left for backwards compatibility. .El +.It Li [password-quality] +Check the Password quality assurance in the info documentation for +more information. +.Bl -tag -width "xxx" -offset indent +.It Li check_library = Va library-name +Library name that contains the password check_function +.It Li check_function = Va function-name +Function name for checking passwords in check_library +.It Li policy_libraries = Va library1 ... libraryN +List of libraries that can do password policy checks +.It Li policies = Va policy1 ... policyN +List of policy names to apply to the password. Builtin policies are +among other minimum-length, character-class, external-check. +.El .El .Sh ENVIRONMENT .Ev KRB5_CONFIG diff --git a/crypto/heimdal/lib/krb5/krb5.h b/crypto/heimdal/lib/krb5/krb5.h index 9a327f104c9d..571eb6192ae0 100644 --- a/crypto/heimdal/lib/krb5/krb5.h +++ b/crypto/heimdal/lib/krb5/krb5.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: krb5.h,v 1.209.2.2 2004/06/21 08:32:00 lha Exp $ */ +/* $Id: krb5.h 22100 2007-12-03 17:15:00Z lha $ */ #ifndef __KRB5_H__ #define __KRB5_H__ @@ -64,22 +64,48 @@ typedef int32_t krb5_error_code; typedef int krb5_kvno; -typedef u_int32_t krb5_flags; +typedef uint32_t krb5_flags; typedef void *krb5_pointer; typedef const void *krb5_const_pointer; -typedef octet_string krb5_data; - struct krb5_crypto_data; typedef struct krb5_crypto_data *krb5_crypto; +struct krb5_get_creds_opt_data; +typedef struct krb5_get_creds_opt_data *krb5_get_creds_opt; + +struct krb5_digest_data; +typedef struct krb5_digest_data *krb5_digest; +struct krb5_ntlm_data; +typedef struct krb5_ntlm_data *krb5_ntlm; + +struct krb5_pac_data; +typedef struct krb5_pac_data *krb5_pac; + +typedef struct krb5_rd_req_in_ctx_data *krb5_rd_req_in_ctx; +typedef struct krb5_rd_req_out_ctx_data *krb5_rd_req_out_ctx; + typedef CKSUMTYPE krb5_cksumtype; typedef Checksum krb5_checksum; typedef ENCTYPE krb5_enctype; +typedef heim_octet_string krb5_data; + +/* PKINIT related forward declarations */ +struct ContentInfo; +struct krb5_pk_identity; +struct krb5_pk_cert; + +/* krb5_enc_data is a mit compat structure */ +typedef struct krb5_enc_data { + krb5_enctype enctype; + krb5_kvno kvno; + krb5_data ciphertext; +} krb5_enc_data; + /* alternative names */ enum { ENCTYPE_NULL = ETYPE_NULL, @@ -92,6 +118,9 @@ enum { ENCTYPE_ENCRYPT_RSA_PRIV = ETYPE_ENCRYPT_RSA_PRIV, ENCTYPE_ENCRYPT_RSA_PUB = ETYPE_ENCRYPT_RSA_PUB, ENCTYPE_DES3_CBC_SHA1 = ETYPE_DES3_CBC_SHA1, + ENCTYPE_AES128_CTS_HMAC_SHA1_96 = ETYPE_AES128_CTS_HMAC_SHA1_96, + ENCTYPE_AES256_CTS_HMAC_SHA1_96 = ETYPE_AES256_CTS_HMAC_SHA1_96, + ENCTYPE_ARCFOUR_HMAC = ETYPE_ARCFOUR_HMAC_MD5, ENCTYPE_ARCFOUR_HMAC_MD5 = ETYPE_ARCFOUR_HMAC_MD5, ENCTYPE_ARCFOUR_HMAC_MD5_56 = ETYPE_ARCFOUR_HMAC_MD5_56, ENCTYPE_ENCTYPE_PK_CROSS = ETYPE_ENCTYPE_PK_CROSS, @@ -170,8 +199,34 @@ typedef enum krb5_key_usage { /* seal in GSSAPI krb5 mechanism */ KRB5_KU_USAGE_SIGN = 23, /* sign in GSSAPI krb5 mechanism */ - KRB5_KU_USAGE_SEQ = 24 + KRB5_KU_USAGE_SEQ = 24, /* SEQ in GSSAPI krb5 mechanism */ + KRB5_KU_USAGE_ACCEPTOR_SEAL = 22, + /* acceptor sign in GSSAPI CFX krb5 mechanism */ + KRB5_KU_USAGE_ACCEPTOR_SIGN = 23, + /* acceptor seal in GSSAPI CFX krb5 mechanism */ + KRB5_KU_USAGE_INITIATOR_SEAL = 24, + /* initiator sign in GSSAPI CFX krb5 mechanism */ + KRB5_KU_USAGE_INITIATOR_SIGN = 25, + /* initiator seal in GSSAPI CFX krb5 mechanism */ + KRB5_KU_PA_SERVER_REFERRAL_DATA = 22, + /* encrypted server referral data */ + KRB5_KU_SAM_CHECKSUM = 25, + /* Checksum for the SAM-CHECKSUM field */ + KRB5_KU_SAM_ENC_TRACK_ID = 26, + /* Encryption of the SAM-TRACK-ID field */ + KRB5_KU_PA_SERVER_REFERRAL = 26, + /* Keyusage for the server referral in a TGS req */ + KRB5_KU_SAM_ENC_NONCE_SAD = 27, + /* Encryption of the SAM-NONCE-OR-SAD field */ + KRB5_KU_DIGEST_ENCRYPT = -18, + /* Encryption key usage used in the digest encryption field */ + KRB5_KU_DIGEST_OPAQUE = -19, + /* Checksum key usage used in the digest opaque field */ + KRB5_KU_KRB5SIGNEDPATH = -21, + /* Checksum key usage on KRB5SignedPath */ + KRB5_KU_CANONICALIZED_NAMES = -23 + /* Checksum key usage on PA-CANONICALIZED */ } krb5_key_usage; typedef krb5_key_usage krb5_keyusage; @@ -200,6 +255,7 @@ typedef struct krb5_preauthdata { typedef enum krb5_address_type { KRB5_ADDRESS_INET = 2, + KRB5_ADDRESS_NETBIOS = 20, KRB5_ADDRESS_INET6 = 24, KRB5_ADDRESS_ADDRPORT = 256, KRB5_ADDRESS_IPPORT = 257 @@ -302,10 +358,24 @@ typedef union { #define KRB5_GC_CACHED (1U << 0) #define KRB5_GC_USER_USER (1U << 1) +#define KRB5_GC_EXPIRED_OK (1U << 2) +#define KRB5_GC_NO_STORE (1U << 3) +#define KRB5_GC_FORWARDABLE (1U << 4) +#define KRB5_GC_NO_TRANSIT_CHECK (1U << 5) +#define KRB5_GC_CONSTRAINED_DELEGATION (1U << 6) /* constants for compare_creds (and cc_retrieve_cred) */ #define KRB5_TC_DONT_MATCH_REALM (1U << 31) #define KRB5_TC_MATCH_KEYTYPE (1U << 30) +#define KRB5_TC_MATCH_KTYPE KRB5_TC_MATCH_KEYTYPE /* MIT name */ +#define KRB5_TC_MATCH_SRV_NAMEONLY (1 << 29) +#define KRB5_TC_MATCH_FLAGS_EXACT (1 << 28) +#define KRB5_TC_MATCH_FLAGS (1 << 27) +#define KRB5_TC_MATCH_TIMES_EXACT (1 << 26) +#define KRB5_TC_MATCH_TIMES (1 << 25) +#define KRB5_TC_MATCH_AUTHDATA (1 << 24) +#define KRB5_TC_MATCH_2ND_TKT (1 << 23) +#define KRB5_TC_MATCH_IS_SKEY (1 << 22) typedef AuthorizationData krb5_authdata; @@ -323,6 +393,8 @@ typedef struct krb5_creds { krb5_ticket_flags flags; } krb5_creds; +typedef struct krb5_cc_cache_cursor_data *krb5_cc_cache_cursor; + typedef struct krb5_cc_ops { const char *prefix; const char* (*get_name)(krb5_context, krb5_ccache); @@ -333,7 +405,7 @@ typedef struct krb5_cc_ops { krb5_error_code (*close)(krb5_context, krb5_ccache); krb5_error_code (*store)(krb5_context, krb5_ccache, krb5_creds*); krb5_error_code (*retrieve)(krb5_context, krb5_ccache, - krb5_flags, krb5_creds*, krb5_creds); + krb5_flags, const krb5_creds*, krb5_creds *); krb5_error_code (*get_princ)(krb5_context, krb5_ccache, krb5_principal*); krb5_error_code (*get_first)(krb5_context, krb5_ccache, krb5_cc_cursor *); krb5_error_code (*get_next)(krb5_context, krb5_ccache, @@ -343,6 +415,11 @@ typedef struct krb5_cc_ops { krb5_flags, krb5_creds*); krb5_error_code (*set_flags)(krb5_context, krb5_ccache, krb5_flags); int (*get_version)(krb5_context, krb5_ccache); + krb5_error_code (*get_cache_first)(krb5_context, krb5_cc_cursor *); + krb5_error_code (*get_cache_next)(krb5_context, krb5_cc_cursor, krb5_ccache *); + krb5_error_code (*end_cache_get)(krb5_context, krb5_cc_cursor); + krb5_error_code (*move)(krb5_context, krb5_ccache, krb5_ccache); + krb5_error_code (*default_name)(krb5_context, char **); } krb5_cc_ops; struct krb5_log_facility; @@ -362,41 +439,6 @@ typedef struct krb5_config_binding krb5_config_binding; typedef krb5_config_binding krb5_config_section; -typedef struct krb5_context_data { - krb5_enctype *etypes; - krb5_enctype *etypes_des; - char **default_realms; - time_t max_skew; - time_t kdc_timeout; - unsigned max_retries; - int32_t kdc_sec_offset; - int32_t kdc_usec_offset; - krb5_config_section *cf; - struct et_list *et_list; - struct krb5_log_facility *warn_dest; - krb5_cc_ops *cc_ops; - int num_cc_ops; - const char *http_proxy; - const char *time_fmt; - krb5_boolean log_utc; - const char *default_keytab; - const char *default_keytab_modify; - krb5_boolean use_admin_kdc; - krb5_addresses *extra_addresses; - krb5_boolean scan_interfaces; /* `ifconfig -a' */ - krb5_boolean srv_lookup; /* do SRV lookups */ - krb5_boolean srv_try_txt; /* try TXT records also */ - int32_t fcache_vno; /* create cache files w/ this - version */ - int num_kt_types; /* # of registered keytab types */ - struct krb5_keytab_data *kt_types; /* registered keytab types */ - const char *date_fmt; - char *error_string; - char error_buf[256]; - krb5_addresses *ignore_addresses; - char *default_cc_name; -} krb5_context_data; - typedef struct krb5_ticket { EncTicketPart ticket; krb5_principal client; @@ -419,6 +461,7 @@ typedef Authenticator krb5_donot_replay; #define KRB5_STORAGE_BYTEORDER_BE 0x00 /* default */ #define KRB5_STORAGE_BYTEORDER_LE 0x20 #define KRB5_STORAGE_BYTEORDER_HOST 0x40 +#define KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER 0x80 struct krb5_storage_data; typedef struct krb5_storage_data krb5_storage; @@ -427,7 +470,7 @@ typedef struct krb5_keytab_entry { krb5_principal principal; krb5_kvno vno; krb5_keyblock keyblock; - u_int32_t timestamp; + uint32_t timestamp; } krb5_keytab_entry; typedef struct krb5_kt_cursor { @@ -470,17 +513,19 @@ typedef struct krb5_keytab_key_proc_args krb5_keytab_key_proc_args; typedef struct krb5_replay_data { krb5_timestamp timestamp; - u_int32_t usec; - u_int32_t seq; + int32_t usec; + uint32_t seq; } krb5_replay_data; /* flags for krb5_auth_con_setflags */ enum { - KRB5_AUTH_CONTEXT_DO_TIME = 1, - KRB5_AUTH_CONTEXT_RET_TIME = 2, - KRB5_AUTH_CONTEXT_DO_SEQUENCE = 4, - KRB5_AUTH_CONTEXT_RET_SEQUENCE = 8, - KRB5_AUTH_CONTEXT_PERMIT_ALL = 16 + KRB5_AUTH_CONTEXT_DO_TIME = 1, + KRB5_AUTH_CONTEXT_RET_TIME = 2, + KRB5_AUTH_CONTEXT_DO_SEQUENCE = 4, + KRB5_AUTH_CONTEXT_RET_SEQUENCE = 8, + KRB5_AUTH_CONTEXT_PERMIT_ALL = 16, + KRB5_AUTH_CONTEXT_USE_SUBKEY = 32, + KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED = 64 }; /* flags for krb5_auth_con_genaddrs */ @@ -502,8 +547,8 @@ typedef struct krb5_auth_context_data { krb5_keyblock *local_subkey; krb5_keyblock *remote_subkey; - u_int32_t local_seqnumber; - u_int32_t remote_seqnumber; + uint32_t local_seqnumber; + uint32_t remote_seqnumber; krb5_authenticator authenticator; @@ -528,7 +573,7 @@ typedef void (*krb5_log_log_func_t)(const char*, const char*, void*); typedef void (*krb5_log_close_func_t)(void*); typedef struct krb5_log_facility { - const char *program; + char *program; int len; struct facility *val; } krb5_log_facility; @@ -542,6 +587,8 @@ typedef EncAPRepPart krb5_ap_rep_enc_part; #define KRB5_TGS_NAME_SIZE (6) #define KRB5_TGS_NAME ("krbtgt") +#define KRB5_DIGEST_NAME ("digest") + /* variables */ extern const char *krb5_config_file; @@ -551,7 +598,8 @@ typedef enum { KRB5_PROMPT_TYPE_PASSWORD = 0x1, KRB5_PROMPT_TYPE_NEW_PASSWORD = 0x2, KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN = 0x3, - KRB5_PROMPT_TYPE_PREAUTH = 0x4 + KRB5_PROMPT_TYPE_PREAUTH = 0x4, + KRB5_PROMPT_TYPE_INFO = 0x5 } krb5_prompt_type; typedef struct _krb5_prompt { @@ -561,24 +609,30 @@ typedef struct _krb5_prompt { krb5_prompt_type type; } krb5_prompt; -typedef int (*krb5_prompter_fct)(krb5_context context, - void *data, - const char *name, - const char *banner, - int num_prompts, - krb5_prompt prompts[]); - -typedef krb5_error_code (*krb5_key_proc)(krb5_context context, - krb5_enctype type, - krb5_salt salt, - krb5_const_pointer keyseed, - krb5_keyblock **key); -typedef krb5_error_code (*krb5_decrypt_proc)(krb5_context context, - krb5_keyblock *key, - krb5_key_usage usage, - krb5_const_pointer decrypt_arg, - krb5_kdc_rep *dec_rep); - +typedef int (*krb5_prompter_fct)(krb5_context /*context*/, + void * /*data*/, + const char * /*name*/, + const char * /*banner*/, + int /*num_prompts*/, + krb5_prompt /*prompts*/[]); +typedef krb5_error_code (*krb5_key_proc)(krb5_context /*context*/, + krb5_enctype /*type*/, + krb5_salt /*salt*/, + krb5_const_pointer /*keyseed*/, + krb5_keyblock ** /*key*/); +typedef krb5_error_code (*krb5_decrypt_proc)(krb5_context /*context*/, + krb5_keyblock * /*key*/, + krb5_key_usage /*usage*/, + krb5_const_pointer /*decrypt_arg*/, + krb5_kdc_rep * /*dec_rep*/); +typedef krb5_error_code (*krb5_s2k_proc)(krb5_context /*context*/, + krb5_enctype /*type*/, + krb5_const_pointer /*keyseed*/, + krb5_salt /*salt*/, + krb5_data * /*s2kparms*/, + krb5_keyblock ** /*key*/); + +struct _krb5_get_init_creds_opt_private; typedef struct _krb5_get_init_creds_opt { krb5_flags flags; @@ -590,14 +644,12 @@ typedef struct _krb5_get_init_creds_opt { krb5_enctype *etype_list; int etype_list_length; krb5_addresses *address_list; -#if 0 /* this is the MIT-way */ - krb5_address **address_list; -#endif /* XXX the next three should not be used, as they may be removed later */ krb5_preauthtype *preauth_list; int preauth_list_length; krb5_data *salt; + struct _krb5_get_init_creds_opt_private *opt_private; } krb5_get_init_creds_opt; #define KRB5_GET_INIT_CREDS_OPT_TKT_LIFE 0x0001 @@ -609,6 +661,7 @@ typedef struct _krb5_get_init_creds_opt { #define KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST 0x0040 #define KRB5_GET_INIT_CREDS_OPT_SALT 0x0080 #define KRB5_GET_INIT_CREDS_OPT_ANONYMOUS 0x0100 +#define KRB5_GET_INIT_CREDS_OPT_DISABLE_TRANSITED_CHECK 0x0200 typedef struct _krb5_verify_init_creds_opt { krb5_flags flags; @@ -628,10 +681,14 @@ typedef struct krb5_verify_opt { #define KRB5_VERIFY_LREALMS 1 #define KRB5_VERIFY_NO_ADDRESSES 2 +extern const krb5_cc_ops krb5_acc_ops; extern const krb5_cc_ops krb5_fcc_ops; extern const krb5_cc_ops krb5_mcc_ops; +extern const krb5_cc_ops krb5_kcm_ops; extern const krb5_kt_ops krb5_fkt_ops; +extern const krb5_kt_ops krb5_wrfkt_ops; +extern const krb5_kt_ops krb5_javakt_ops; extern const krb5_kt_ops krb5_mkt_ops; extern const krb5_kt_ops krb5_akf_ops; extern const krb5_kt_ops krb4_fkt_ops; @@ -660,6 +717,7 @@ typedef struct krb5_krbhst_data *krb5_krbhst_handle; #define KRB5_KRBHST_ADMIN 2 #define KRB5_KRBHST_CHANGEPW 3 #define KRB5_KRBHST_KRB524 4 +#define KRB5_KRBHST_KCA 5 typedef struct krb5_krbhst_info { enum { KRB5_KRBHST_UDP, @@ -672,6 +730,45 @@ typedef struct krb5_krbhst_info { char hostname[1]; /* has to come last */ } krb5_krbhst_info; +/* flags for krb5_krbhst_init_flags (and krb5_send_to_kdc_flags) */ +enum { + KRB5_KRBHST_FLAGS_MASTER = 1, + KRB5_KRBHST_FLAGS_LARGE_MSG = 2 +}; + +typedef krb5_error_code (*krb5_send_to_kdc_func)(krb5_context, + void *, + krb5_krbhst_info *, + const krb5_data *, + krb5_data *); + +/* flags for krb5_parse_name_flags */ +enum { + KRB5_PRINCIPAL_PARSE_NO_REALM = 1, + KRB5_PRINCIPAL_PARSE_MUST_REALM = 2, + KRB5_PRINCIPAL_PARSE_ENTERPRISE = 4 +}; + +/* flags for krb5_unparse_name_flags */ +enum { + KRB5_PRINCIPAL_UNPARSE_SHORT = 1, + KRB5_PRINCIPAL_UNPARSE_NO_REALM = 2, + KRB5_PRINCIPAL_UNPARSE_DISPLAY = 4 +}; + +typedef struct krb5_sendto_ctx_data *krb5_sendto_ctx; + +#define KRB5_SENDTO_DONE 0 +#define KRB5_SENDTO_RESTART 1 +#define KRB5_SENDTO_CONTINUE 2 + +typedef krb5_error_code (*krb5_sendto_ctx_func)(krb5_context, krb5_sendto_ctx, void *, const krb5_data *, int *); + +struct krb5_plugin; +enum krb5_plugin_type { + PLUGIN_TYPE_DATA = 1, + PLUGIN_TYPE_FUNC +}; struct credentials; /* this is to keep the compiler happy */ struct getargs; diff --git a/crypto/heimdal/lib/krb5/krb5.moduli b/crypto/heimdal/lib/krb5/krb5.moduli new file mode 100644 index 000000000000..f67d2b29be86 --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5.moduli @@ -0,0 +1,3 @@ +# $Id: krb5.moduli 16154 2005-10-08 15:39:42Z lha $ +# comment security-bits-decimal secure-prime(p)-hex generator(g)-hex (q)-hex +rfc3526-MODP-group14 1760 FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF 02 7FFFFFFFFFFFFFFFE487ED5110B4611A62633145C06E0E68948127044533E63A0105DF531D89CD9128A5043CC71A026EF7CA8CD9E69D218D98158536F92F8A1BA7F09AB6B6A8E122F242DABB312F3F637A262174D31BF6B585FFAE5B7A035BF6F71C35FDAD44CFD2D74F9208BE258FF324943328F6722D9EE1003E5C50B1DF82CC6D241B0E2AE9CD348B1FD47E9267AFC1B2AE91EE51D6CB0E3179AB1042A95DCF6A9483B84B4B36B3861AA7255E4C0278BA3604650C10BE19482F23171B671DF1CF3B960C074301CD93C1D17603D147DAE2AEF837A62964EF15E5FB4AAC0B8C1CCAA4BE754AB5728AE9130C4C7D02880AB9472D455655347FFFFFFFFFFFFFFF diff --git a/crypto/heimdal/lib/krb5/krb524_convert_creds_kdc.3 b/crypto/heimdal/lib/krb5/krb524_convert_creds_kdc.3 new file mode 100644 index 000000000000..1f4b9bf8a9ec --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb524_convert_creds_kdc.3 @@ -0,0 +1,86 @@ +.\" Copyright (c) 2004 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb524_convert_creds_kdc.3 15239 2005-05-25 13:19:16Z lha $ +.\" +.Dd March 20, 2004 +.Dt KRB524_CONVERT_CREDS_KDC 3 +.Os HEIMDAL +.Sh NAME +.Nm krb524_convert_creds_kdc , +.Nm krb524_convert_creds_kdc_ccache +.Nd converts Kerberos 5 credentials to Kerberos 4 credentials +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Ft krb5_error_code +.Fo krb524_convert_creds_kdc +.Fa "krb5_context context" +.Fa "krb5_creds *in_cred" +.Fa "struct credentials *v4creds" +.Fc +.Ft krb5_error_code +.Fo krb524_convert_creds_kdc_ccache +.Fa "krb5_context context" +.Fa "krb5_ccache ccache" +.Fa "krb5_creds *in_cred" +.Fa "struct credentials *v4creds" +.Fc +.Sh DESCRIPTION +Convert the Kerberos 5 credential to Kerberos 4 credential. +This is done by sending them to the 524 service in the KDC. +.Pp +.Fn krb524_convert_creds_kdc +converts the Kerberos 5 credential in +.Fa in_cred +to Kerberos 4 credential that is stored in +.Fa credentials . +.Pp +.Fn krb524_convert_creds_kdc_ccache +is diffrent from +.Fn krb524_convert_creds_kdc +in that way that if +.Fa in_cred +doesn't contain a DES session key, then a new one is fetched from the +KDC and stored in the cred cache +.Fa ccache , +and then the KDC is queried to convert the credential. +.Pp +This interfaces are used to make the migration to Kerberos 5 from +Kerberos 4 easier. +There are few services that still need Kerberos 4, and this is mainly +for compatibility for those services. +Some services, like AFS, really have Kerberos 5 supports, but still +uses the 524 interface to make the migration easier. +.Sh SEE ALSO +.Xr krb5 3 , +.Xr krb5.conf 5 diff --git a/crypto/heimdal/lib/krb5/krb5_425_conv_principal.3 b/crypto/heimdal/lib/krb5/krb5_425_conv_principal.3 index 78bb62cb40b5..16c118f8ace7 100644 --- a/crypto/heimdal/lib/krb5/krb5_425_conv_principal.3 +++ b/crypto/heimdal/lib/krb5/krb5_425_conv_principal.3 @@ -1,37 +1,37 @@ -.\" Copyright (c) 1997-2002 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 1997-2003 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $Id: krb5_425_conv_principal.3,v 1.10 2003/04/16 13:58:13 lha Exp $ +.\" $Id: krb5_425_conv_principal.3 12734 2003-09-03 00:13:07Z lha $ .\" -.Dd April 11, 1999 +.Dd September 3, 2003 .Dt KRB5_425_CONV_PRINCIPAL 3 .Os HEIMDAL .Sh NAME @@ -193,11 +193,11 @@ b-host.bar.com .Ed the following conversions will be made: .Bd -literal -offset indent -rcmd.a-host \(-> host/a-host.foo.com -ftp.b-host \(-> ftp/b-host.bar.com -pop.foo \(-> pop/foo.com -ftp.other \(-> ftp/other.foo.com -other.a-host \(-> other/a-host +rcmd.a-host -\*(Gt host/a-host.foo.com +ftp.b-host -\*(Gt ftp/b-host.bar.com +pop.foo -\*(Gt pop/foo.com +ftp.other -\*(Gt ftp/other.foo.com +other.a-host -\*(Gt other/a-host .Ed .Pp The first three are what you expect. If you remove the diff --git a/crypto/heimdal/lib/krb5/krb5_acl_match_file.3 b/crypto/heimdal/lib/krb5/krb5_acl_match_file.3 new file mode 100644 index 000000000000..342645edd2d2 --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_acl_match_file.3 @@ -0,0 +1,111 @@ +.\" Copyright (c) 2004, 2006 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_acl_match_file.3 17534 2006-05-11 22:43:44Z lha $ +.\" +.Dd May 12, 2006 +.Dt KRB5_ACL_MATCH_FILE 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_acl_match_file , +.Nm krb5_acl_match_string +.Nd ACL matching functions +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.Ft krb5_error_code +.Fo krb5_acl_match_file +.Fa "krb5_context context" +.Fa "const char *file" +.Fa "const char *format" +.Fa "..." +.Fc +.Ft krb5_error_code +.Fo krb5_acl_match_string +.Fa "krb5_context context" +.Fa "const char *string" +.Fa "const char *format" +.Fa "..." +.Fc +.Sh DESCRIPTION +.Nm krb5_acl_match_file +matches ACL format against each line in a file. +Lines starting with # are treated like comments and ignored. +.Pp +.Nm krb5_acl_match_string +matches ACL format against a string. +.Pp +The ACL format has three format specifiers: s, f, and r. +Each specifier will retrieve one argument from the variable arguments +for either matching or storing data. +The input string is split up using " " and "\et" as a delimiter; multiple +" " and "\et" in a row are considered to be the same. +.Pp +.Bl -tag -width "fXX" -offset indent +.It s +Matches a string using +.Xr strcmp 3 +(case sensitive). +.It f +Matches the string with +.Xr fnmatch 3 . +The +.Fa flags +argument (the last argument) passed to the fnmatch function is 0. +.It r +Returns a copy of the string in the char ** passed in; the copy must be +freed with +.Xr free 3 . +There is no need to +.Xr free 3 +the string on error: the function will clean up and set the pointer to +.Dv NULL . +.El +.Pp +All unknown format specifiers cause an error. +.Sh EXAMPLES +.Bd -literal -offset indent +char *s; + +ret = krb5_acl_match_string(context, "foo", "s", "foo"); +if (ret) + krb5_errx(context, 1, "acl didn't match"); +ret = krb5_acl_match_string(context, "foo foo baz/kaka", + "ss", "foo", &s, "foo/*"); +if (ret) { + /* no need to free(s) on error */ + assert(s == NULL); + krb5_errx(context, 1, "acl didn't match"); +} +free(s); +.Ed +.Sh SEE ALSO +.Xr krb5 3 diff --git a/crypto/heimdal/lib/krb5/krb5_address.3 b/crypto/heimdal/lib/krb5/krb5_address.3 index dc780add575d..06f7fa5cd02c 100644 --- a/crypto/heimdal/lib/krb5/krb5_address.3 +++ b/crypto/heimdal/lib/krb5/krb5_address.3 @@ -1,37 +1,37 @@ -.\" Copyright (c) 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 2003, 2005 - 2006 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $Id: krb5_address.3,v 1.4 2003/04/16 13:58:12 lha Exp $ -.\" -.Dd March 11, 2002 +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_address.3 17461 2006-05-05 13:13:18Z lha $ +.\" +.Dd May 1, 2006 .Dt KRB5_ADDRESS 3 .Os HEIMDAL .Sh NAME @@ -56,7 +56,7 @@ .Nm krb5_copy_addresses , .Nm krb5_append_addresses , .Nm krb5_make_addrport -.Nd mange addresses in Kerberos. +.Nd mange addresses in Kerberos .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) .Sh SYNOPSIS @@ -192,7 +192,7 @@ The structure holds a set of krb5_address:es. .Pp .Fn krb5_sockaddr2address -stores a address a +stores a address a .Li "struct sockaddr" .Fa sa in the krb5_address @@ -213,8 +213,9 @@ from .Fa addr and .Fa port . -.Fa Sa_size -should be initially contain the size of the +The argument +.Fa sa_size +should initially contain the size of the .Fa sa , and after the call, it will contain the actual length of the address. .Pp @@ -228,7 +229,7 @@ returns .Dv TRUE for all .Fa sa -that for that the kerberos library thinks are uninteresting. +that the kerberos library thinks are uninteresting. One example are link local addresses. .Pp .Fn krb5_h_addr2sockaddr @@ -241,14 +242,13 @@ and the .Li "struct hostent" (see .Xr gethostbyname 3 ) -.Fa h_addr_list +.Fa h_addr_list component. -.Fa Sa_size -should be initially contain the size of the +The argument +.Fa sa_size +should initially contain the size of the .Fa sa , and after the call, it will contain the actual length of the address. -.Fa sa -argument. .Pp .Fn krb5_h_addr2addr works like @@ -256,55 +256,59 @@ works like with the exception that it operates on a .Li krb5_address instead of a -.Li struct sockaddr +.Li struct sockaddr . .Pp .Fn krb5_anyaddr fills in a .Li "struct sockaddr" .Fa sa that can be used to -.Xf bind 3 +.Xr bind 2 to. -.Fa Sa_size -should be initially contain the size of the +The argument +.Fa sa_size +should initially contain the size of the .Fa sa , and after the call, it will contain the actual length of the address. .Pp .Fn krb5_print_address prints the address in .Fa addr -to the a string +to the string .Fa string that have the length .Fa len . If .Fa ret_len -if not +is not .Dv NULL , -it will be filled in length of the string. +it will be filled with the length of the string if size were unlimited (not +including the final +.Ql \e0 ) . .Pp .Fn krb5_parse_address -Returns the resolving a hostname in +Returns the resolved hostname in .Fa string to the .Li krb5_addresses .Fa addresses . .Pp .Fn krb5_address_order -compares to addresses +compares the addresses .Fa addr1 and .Fa addr2 so that it can be used for sorting addresses. If the addresses are the same address -.Fa krb5_address_order will be return 0. +.Fa krb5_address_order +will return 0. .Pp .Fn krb5_address_compare compares the addresses .Fa addr1 and .Fa addr2 . -returns +Returns .Dv TRUE if the two addresses are the same. .Pp @@ -344,7 +348,7 @@ to While copying the addresses, duplicates are also sorted out. .Pp .Fn krb5_make_addrport -allocates and creates an +allocates and creates an krb5_address in .Fa res of type KRB5_ADDRESS_ADDRPORT from diff --git a/crypto/heimdal/lib/krb5/krb5_aname_to_localname.3 b/crypto/heimdal/lib/krb5/krb5_aname_to_localname.3 index 900e1d948393..a0c3e4b41507 100644 --- a/crypto/heimdal/lib/krb5/krb5_aname_to_localname.3 +++ b/crypto/heimdal/lib/krb5/krb5_aname_to_localname.3 @@ -1,42 +1,42 @@ -.\" Copyright (c) 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $Id: krb5_aname_to_localname.3,v 1.2 2003/04/16 13:58:13 lha Exp $ +.\" $Id: krb5_aname_to_localname.3 22071 2007-11-14 20:04:50Z lha $ .\" -.Dd March 17, 2003 +.Dd February 18, 2006 .Dt KRB5_ANAME_TO_LOCALNAME 3 .Os HEIMDAL .Sh NAME .Nm krb5_aname_to_localname -.Nd converts a principal to a system local name. +.Nd converts a principal to a system local name .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) .Sh SYNOPSIS @@ -51,28 +51,28 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Sh DESCRIPTION This function takes a principal .Fa name , -verifies its in the local realm (using +verifies that it is in the local realm (using .Fn krb5_get_default_realms ) and then returns the local name of the principal. .Pp If .Fa name -isn't in one of the local realms and error is returned. +isn't in one of the local realms an error is returned. .Pp -If size +If the size .Fa ( lnsize ) of the local name .Fa ( lname ) -is to small, an error is returned. +is too small, an error is returned. .Pp .Fn krb5_aname_to_localname -should only be use by application that implements protocols that -doesn't transport the login name and thus needs to convert a principal +should only be use by an application that implements protocols that +don't transport the login name and thus needs to convert a principal to a local name. .Pp -Protocols should be designed so that the it autheticates using -Kerberos, send over the login name and then verifies in the principal -that authenticated is allowed to login and the login name. +Protocols should be designed so that they authenticate using +Kerberos, send over the login name and then verify the principal +that is authenticated is allowed to login and the login name. A way to check if a user is allowed to login is using the function .Fn krb5_kuserok . .Sh SEE ALSO diff --git a/crypto/heimdal/lib/krb5/krb5_appdefault.3 b/crypto/heimdal/lib/krb5/krb5_appdefault.3 index f913fdc33cb3..f5b532937db4 100644 --- a/crypto/heimdal/lib/krb5/krb5_appdefault.3 +++ b/crypto/heimdal/lib/krb5/krb5_appdefault.3 @@ -1,35 +1,35 @@ .\" Copyright (c) 2000 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $Id: krb5_appdefault.3,v 1.10 2003/04/16 13:58:10 lha Exp $ +.\" $Id: krb5_appdefault.3 12329 2003-05-26 14:09:04Z lha $ .\" .Dd July 25, 2000 .Dt KRB5_APPDEFAULT 3 diff --git a/crypto/heimdal/lib/krb5/krb5_auth_context.3 b/crypto/heimdal/lib/krb5/krb5_auth_context.3 index 69db32486bbd..66d150ef8589 100644 --- a/crypto/heimdal/lib/krb5/krb5_auth_context.3 +++ b/crypto/heimdal/lib/krb5/krb5_auth_context.3 @@ -1,70 +1,74 @@ -.\" Copyright (c) 2001 - 2002 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 2001 - 2005 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $Id: krb5_auth_context.3,v 1.8 2003/04/16 13:58:13 lha Exp $ +.\" $Id: krb5_auth_context.3 15240 2005-05-25 13:47:58Z lha $ .\" -.Dd January 21, 2001 +.Dd May 17, 2005 .Dt KRB5_AUTH_CONTEXT 3 .Os HEIMDAL .Sh NAME -.Nm krb5_auth_context , -.Nm krb5_auth_con_init , +.Nm krb5_auth_con_addflags , .Nm krb5_auth_con_free , -.Nm krb5_auth_con_setflags , +.Nm krb5_auth_con_genaddrs , +.Nm krb5_auth_con_generatelocalsubkey , +.Nm krb5_auth_con_getaddrs , +.Nm krb5_auth_con_getauthenticator , .Nm krb5_auth_con_getflags , +.Nm krb5_auth_con_getkey , +.Nm krb5_auth_con_getlocalsubkey , +.Nm krb5_auth_con_getrcache , +.Nm krb5_auth_con_getremotesubkey , +.Nm krb5_auth_con_getuserkey , +.Nm krb5_auth_con_init , +.Nm krb5_auth_con_initivector , +.Nm krb5_auth_con_removeflags , .Nm krb5_auth_con_setaddrs , .Nm krb5_auth_con_setaddrs_from_fd , -.Nm krb5_auth_con_getaddrs , -.Nm krb5_auth_con_genaddrs , -.Nm krb5_auth_con_getkey , +.Nm krb5_auth_con_setflags , +.Nm krb5_auth_con_setivector , .Nm krb5_auth_con_setkey , -.Nm krb5_auth_con_getuserkey , -.Nm krb5_auth_con_setuserkey , -.Nm krb5_auth_con_getlocalsubkey , .Nm krb5_auth_con_setlocalsubkey , -.Nm krb5_auth_con_getremotesubkey , +.Nm krb5_auth_con_setrcache , .Nm krb5_auth_con_setremotesubkey , -.Nm krb5_auth_setcksumtype , +.Nm krb5_auth_con_setuserkey , +.Nm krb5_auth_context , .Nm krb5_auth_getcksumtype , -.Nm krb5_auth_setkeytype , .Nm krb5_auth_getkeytype , .Nm krb5_auth_getlocalseqnumber , -.Nm krb5_auth_setlocalseqnumber , .Nm krb5_auth_getremoteseqnumber , +.Nm krb5_auth_setcksumtype , +.Nm krb5_auth_setkeytype , +.Nm krb5_auth_setlocalseqnumber , .Nm krb5_auth_setremoteseqnumber , -.Nm krb5_auth_getauthenticator , -.Nm krb5_auth_con_getrcache , -.Nm krb5_auth_con_setrcache , -.Nm krb5_auth_con_initivector , -.Nm krb5_auth_con_setivector +.Nm krb5_free_authenticator .Nd manage authentication on connection level .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) @@ -93,6 +97,20 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Fa "int32_t *flags" .Fc .Ft krb5_error_code +.Fo krb5_auth_con_addflags +.Fa "krb5_context context" +.Fa "krb5_auth_context auth_context" +.Fa "int32_t addflags" +.Fa "int32_t *flags" +.Fc +.Ft krb5_error_code +.Fo krb5_auth_con_removeflags +.Fa "krb5_context context" +.Fa "krb5_auth_context auth_context" +.Fa "int32_t removelags" +.Fa "int32_t *flags" +.Fc +.Ft krb5_error_code .Fo krb5_auth_con_setaddrs .Fa "krb5_context context" .Fa "krb5_auth_context auth_context" @@ -138,6 +156,12 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Fa "krb5_keyblock **keyblock" .Fc .Ft krb5_error_code +.Fo krb5_auth_con_generatelocalsubkey +.Fa "krb5_context context" +.Fa "krb5_auth_context auth_context" +.Fa krb5_keyblock *key" +.Fc +.Ft krb5_error_code .Fo krb5_auth_con_initivector .Fa "krb5_context context" .Fa "krb5_auth_context auth_context" @@ -148,6 +172,11 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Fa "krb5_auth_context *auth_context" .Fa "krb5_pointer ivector" .Fc +.Ft void +.Fo krb5_free_authenticator +.Fa "krb5_context context" +.Fa "krb5_authenticator *authenticator" +.Fc .Sh DESCRIPTION The .Nm krb5_auth_context @@ -174,19 +203,56 @@ The structure must be freed by .Fn krb5_auth_con_free . .Pp -.Fn krb5_auth_con_getflags +.Fn krb5_auth_con_getflags , +.Fn krb5_auth_con_setflags , +.Fn krb5_auth_con_addflags and -.Fn krb5_auth_con_setflags +.Fn krb5_auth_con_removeflags gets and modifies the flags for a .Nm krb5_auth_context structure. Possible flags to set are: .Bl -tag -width Ds -.It Dv KRB5_AUTH_CONTEXT_DO_TIME -check timestamp on incoming packets. -.\".It Dv KRB5_AUTH_CONTEXT_RET_TIME .It Dv KRB5_AUTH_CONTEXT_DO_SEQUENCE Generate and check sequence-number on each packet. -.\".It Dv KRB5_AUTH_CONTEXT_RET_SEQUENCE +.It Dv KRB5_AUTH_CONTEXT_DO_TIME +Check timestamp on incoming packets. +.It Dv KRB5_AUTH_CONTEXT_RET_SEQUENCE , Dv KRB5_AUTH_CONTEXT_RET_TIME +Return sequence numbers and time stamps in the outdata parameters. +.It Dv KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED +will force +.Fn krb5_get_forwarded_creds +and +.Fn krb5_fwd_tgt_creds +to create unencrypted ) +.Dv ENCTYPE_NULL ) +credentials. +This is for use with old MIT server and JAVA based servers as +they can't handle encrypted +.Dv KRB-CRED . +Note that sending such +.Dv KRB-CRED +is clear exposes crypto keys and tickets and is insecure, +make sure the packet is encrypted in the protocol. +.Xr krb5_rd_cred 3 , +.Xr krb5_rd_priv 3 , +.Xr krb5_rd_safe 3 , +.Xr krb5_mk_priv 3 +and +.Xr krb5_mk_safe 3 . +Setting this flag requires that parameter to be passed to these +functions. +.Pp +The flags +.Dv KRB5_AUTH_CONTEXT_DO_TIME +also modifies the behavior the function +.Fn krb5_get_forwarded_creds +by removing the timestamp in the forward credential message, this have +backward compatibility problems since not all versions of the heimdal +supports timeless credentional messages. +Is very useful since it always the sender of the message to cache +forward message and thus avoiding a round trip to the KDC for each +time a credential is forwarded. +The same functionality can be obtained by using address-less tickets. .\".It Dv KRB5_AUTH_CONTEXT_PERMIT_ALL .El .Pp @@ -263,7 +329,8 @@ is equivalent to .Fn krb5_auth_con_getremotesubkey and .Fn krb5_auth_con_setremotesubkey -gets and sets the keyblock for the local and remote subkey. The keyblock returned by +gets and sets the keyblock for the local and remote subkey. +The keyblock returned by .Fn krb5_auth_con_getlocalsubkey and .Fn krb5_auth_con_getremotesubkey @@ -276,6 +343,10 @@ and sets and gets the checksum type that should be used for this connection. .Pp +.Fn krb5_auth_con_generatelocalsubkey +generates a local subkey that have the same encryption type as +.Fa key . +.Pp .Fn krb5_auth_getremoteseqnumber .Fn krb5_auth_setremoteseqnumber , .Fn krb5_auth_getlocalseqnumber @@ -290,7 +361,7 @@ and gets and gets the keytype of the keyblock in .Nm krb5_auth_context . .Pp -.Fn krb5_auth_getauthenticator +.Fn krb5_auth_con_getauthenticator Retrieves the authenticator that was used during mutual authentication. The .Dv authenticator @@ -312,6 +383,13 @@ sets the i_vector portion of .Fa auth_context to .Fa ivector . +.Pp +.Fn krb5_free_authenticator +free the content of +.Fa authenticator +and +.Fa authenticator +itself. .Sh SEE ALSO .Xr krb5_context 3 , .Xr kerberos 8 diff --git a/crypto/heimdal/lib/krb5/krb5_c_make_checksum.3 b/crypto/heimdal/lib/krb5/krb5_c_make_checksum.3 new file mode 100644 index 000000000000..a323ccee1d32 --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_c_make_checksum.3 @@ -0,0 +1,297 @@ +.\" Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_c_make_checksum.3 19066 2006-11-17 22:09:25Z lha $ +.\" +.Dd Nov 17, 2006 +.Dt KRB5_C_MAKE_CHECKSUM 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_c_block_size , +.Nm krb5_c_decrypt , +.Nm krb5_c_encrypt , +.Nm krb5_c_encrypt_length , +.Nm krb5_c_enctype_compare , +.Nm krb5_c_get_checksum , +.Nm krb5_c_is_coll_proof_cksum , +.Nm krb5_c_is_keyed_cksum , +.Nm krb5_c_keylength , +.Nm krb5_c_make_checksum , +.Nm krb5_c_make_random_key , +.Nm krb5_c_set_checksum , +.Nm krb5_c_valid_cksumtype , +.Nm krb5_c_valid_enctype , +.Nm krb5_c_verify_checksum , +.Nm krb5_c_checksum_length +.Nd Kerberos 5 crypto API +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Pp +.Ft krb5_error_code +.Fo krb5_c_block_size +.Fa "krb5_context context" +.Fa "krb5_enctype enctype" +.Fa "size_t *blocksize" +.Fc +.Ft krb5_error_code +.Fo krb5_c_decrypt +.Fa "krb5_context context" +.Fa "const krb5_keyblock key" +.Fa "krb5_keyusage usage" +.Fa "const krb5_data *ivec" +.Fa "krb5_enc_data *input" +.Fa "krb5_data *output" +.Fc +.Ft krb5_error_code +.Fo krb5_c_encrypt +.Fa "krb5_context context" +.Fa "const krb5_keyblock *key" +.Fa "krb5_keyusage usage" +.Fa "const krb5_data *ivec" +.Fa "const krb5_data *input" +.Fa "krb5_enc_data *output" +.Fc +.Ft krb5_error_code +.Fo krb5_c_encrypt_length +.Fa "krb5_context context" +.Fa "krb5_enctype enctype" +.Fa "size_t inputlen" +.Fa "size_t *length" +.Fc +.Ft krb5_error_code +.Fo krb5_c_enctype_compare +.Fa "krb5_context context" +.Fa "krb5_enctype e1" +.Fa "krb5_enctype e2" +.Fa "krb5_boolean *similar" +.Fc +.Ft krb5_error_code +.Fo krb5_c_make_random_key +.Fa "krb5_context context" +.Fa "krb5_enctype enctype" +.Fa "krb5_keyblock *random_key" +.Fc +.Ft krb5_error_code +.Fo krb5_c_make_checksum +.Fa "krb5_context context" +.Fa "krb5_cksumtype cksumtype" +.Fa "const krb5_keyblock *key" +.Fa "krb5_keyusage usage" +.Fa "const krb5_data *input" +.Fa "krb5_checksum *cksum" +.Fc +.Ft krb5_error_code +.Fo krb5_c_verify_checksum +.Fa "krb5_context context +.Fa "const krb5_keyblock *key" +.Fa "krb5_keyusage usage" +.Fa "const krb5_data *data" +.Fa "const krb5_checksum *cksum" +.Fa "krb5_boolean *valid" +.Fc +.Ft krb5_error_code +.Fo krb5_c_checksum_length +.Fa "krb5_context context" +.Fa "krb5_cksumtype cksumtype" +.Fa "size_t *length" +.Fc +.Ft krb5_error_code +.Fo krb5_c_get_checksum +.Fa "krb5_context context" +.Fa "const krb5_checksum *cksum" +.Fa "krb5_cksumtype *type" +.Fa "krb5_data **data" +.Fc +.Ft krb5_error_code +.Fo krb5_c_set_checksum +.Fa "krb5_context context" +.Fa "krb5_checksum *cksum" +.Fa "krb5_cksumtype type" +.Fa "const krb5_data *data" +.Fc +.Ft krb5_boolean +.Fo krb5_c_valid_enctype +.Fa krb5_enctype etype" +.Fc +.Ft krb5_boolean +.Fo krb5_c_valid_cksumtype +.Fa "krb5_cksumtype ctype" +.Fc +.Ft krb5_boolean +.Fo krb5_c_is_coll_proof_cksum +.Fa "krb5_cksumtype ctype" +.Fc +.Ft krb5_boolean +.Fo krb5_c_is_keyed_cksum +.Fa "krb5_cksumtype ctype" +.Fc +.Ft krb5_error_code +.Fo krb5_c_keylengths +.Fa "krb5_context context" +.Fa "krb5_enctype enctype" +.Fa "size_t *inlength" +.Fa "size_t *keylength" +.Fc +.Sh DESCRIPTION +The functions starting with krb5_c are compat functions with MIT kerberos. +.Pp +The +.Li krb5_enc_data +structure holds and encrypted data. +There are two public accessable members of +.Li krb5_enc_data . +.Li enctype +that holds the encryption type of the data encrypted and +.Li ciphertext +that is a +.Ft krb5_data +that might contain the encrypted data. +.Pp +.Fn krb5_c_block_size +returns the blocksize of the encryption type. +.Pp +.Fn krb5_c_decrypt +decrypts +.Fa input +and store the data in +.Fa output. +If +.Fa ivec +is +.Dv NULL +the default initialization vector for that encryption type will be used. +.Pp +.Fn krb5_c_encrypt +encrypts the plaintext in +.Fa input +and store the ciphertext in +.Fa output . +.Pp +.Fn krb5_c_encrypt_length +returns the length the encrypted data given the plaintext length. +.Pp +.Fn krb5_c_enctype_compare +compares to encryption types and returns if they use compatible +encryption key types. +.Pp +.Fn krb5_c_make_checksum +creates a checksum +.Fa cksum +with the checksum type +.Fa cksumtype +of the data in +.Fa data . +.Fa key +and +.Fa usage +are used if the checksum is a keyed checksum type. +Returns 0 or an error code. +.Pp +.Fn krb5_c_verify_checksum +verifies the checksum +of +.Fa data +in +.Fa cksum +that was created with +.Fa key +using the key usage +.Fa usage . +.Fa verify +is set to non-zero if the checksum verifies correctly and zero if not. +Returns 0 or an error code. +.Pp +.Fn krb5_c_checksum_length +returns the length of the checksum. +.Pp +.Fn krb5_c_set_checksum +sets the +.Li krb5_checksum +structure given +.Fa type +and +.Fa data . +The content of +.Fa cksum +should be freeed with +.Fn krb5_c_free_checksum_contents . +.Pp +.Fn krb5_c_get_checksum +retrieves the components of the +.Li krb5_checksum . +structure. +.Fa data +should be free with +.Fn krb5_free_data . +If some either of +.Fa data +or +.Fa checksum +is not needed for the application, +.Dv NULL +can be passed in. +.Pp +.Fn krb5_c_valid_enctype +returns true if +.Fa etype +is a valid encryption type. +.Pp +.Fn krb5_c_valid_cksumtype +returns true if +.Fa ctype +is a valid checksum type. +.Pp +.Fn krb5_c_is_keyed_cksum +return true if +.Fa ctype +is a keyed checksum type. +.Pp +.Fn krb5_c_is_coll_proof_cksum +returns true if +.Fa ctype +is a collition proof checksum type. +.Pp +.Fn krb5_c_keylengths +return the minimum length ( +.Fa inlength ) +bytes needed to create a key and the +length ( +.Fa keylength ) +of the resulting key +for the +.Fa enctype . +.Sh SEE ALSO +.Xr krb5 3 , +.Xr krb5_create_checksum 3 , +.Xr krb5_free_data 3 , +.Xr kerberos 8 diff --git a/crypto/heimdal/lib/krb5/krb5_ccache.3 b/crypto/heimdal/lib/krb5/krb5_ccache.3 index ec48c5f37a50..3fca5956e7dd 100644 --- a/crypto/heimdal/lib/krb5/krb5_ccache.3 +++ b/crypto/heimdal/lib/krb5/krb5_ccache.3 @@ -1,37 +1,37 @@ -.\" Copyright (c) 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $Id: krb5_ccache.3,v 1.7 2003/04/16 13:58:12 lha Exp $ -.\" -.Dd March 16, 2003 +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_ccache.3 22071 2007-11-14 20:04:50Z lha $ +.\" +.Dd October 19, 2005 .Dt KRB5_CCACHE 3 .Os HEIMDAL .Sh NAME @@ -40,6 +40,7 @@ .Nm krb5_cc_ops , .Nm krb5_fcc_ops , .Nm krb5_mcc_ops , +.Nm krb5_cc_clear_mcred , .Nm krb5_cc_close , .Nm krb5_cc_copy_cache , .Nm krb5_cc_default , @@ -47,21 +48,26 @@ .Nm krb5_cc_destroy , .Nm krb5_cc_end_seq_get , .Nm krb5_cc_gen_new , +.Nm krb5_cc_get_full_name , .Nm krb5_cc_get_name , +.Nm krb5_cc_get_ops , +.Nm krb5_cc_get_prefix_ops , .Nm krb5_cc_get_principal , .Nm krb5_cc_get_type , -.Nm krb5_cc_get_ops , .Nm krb5_cc_get_version , .Nm krb5_cc_initialize , +.Nm krb5_cc_next_cred , +.Nm krb5_cc_next_cred_match , +.Nm krb5_cc_new_unique , .Nm krb5_cc_register , +.Nm krb5_cc_remove_cred , .Nm krb5_cc_resolve , .Nm krb5_cc_retrieve_cred , -.Nm krb5_cc_remove_cred , .Nm krb5_cc_set_default_name , -.Nm krb5_cc_store_cred , .Nm krb5_cc_set_flags , -.Nm krb5_cc_next_cred -.Nd mange credential cache. +.Nm krb5_cc_start_seq_get , +.Nm krb5_cc_store_cred +.Nd mange credential cache .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) .Sh SYNOPSIS @@ -77,90 +83,105 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Pp .Li "struct krb5_cc_ops *krb5_mcc_ops;" .Pp +.Ft void +.Fo krb5_cc_clear_mcred +.Fa "krb5_creds *mcred" +.Fc .Ft krb5_error_code .Fo krb5_cc_close -.Fa "krb5_context *context" +.Fa "krb5_context context" .Fa "krb5_ccache id" .Fc .Ft krb5_error_code .Fo krb5_cc_copy_cache -.Fa "krb5_context *context" +.Fa "krb5_context context" .Fa "const krb5_ccache from" .Fa "krb5_ccache to" .Fc .Ft krb5_error_code .Fo krb5_cc_default -.Fa "krb5_context *context" +.Fa "krb5_context context" .Fa "krb5_ccache *id" .Fc .Ft "const char *" .Fo krb5_cc_default_name -.Fa "krb5_context *context" +.Fa "krb5_context context" .Fc .Ft krb5_error_code .Fo krb5_cc_destroy -.Fa "krb5_context *context" +.Fa "krb5_context context" .Fa "krb5_ccache id" .Fc .Ft krb5_error_code .Fo krb5_cc_end_seq_get -.Fa "krb5_context *context" +.Fa "krb5_context context" .Fa "const krb5_ccache id" .Fa "krb5_cc_cursor *cursor" .Fc .Ft krb5_error_code .Fo krb5_cc_gen_new -.Fa "krb5_context *context" +.Fa "krb5_context context" .Fa "const krb5_cc_ops *ops" .Fa "krb5_ccache *id" .Fc +.Ft krb5_error_code +.Fo krb5_cc_get_full_name +.Fa "krb5_context context" +.Fa "krb5_ccache id" +.Fa "char **str" +.Fc .Ft "const char *" .Fo krb5_cc_get_name -.Fa "krb5_context *context" +.Fa "krb5_context context" .Fa "krb5_ccache id" .Fc .Ft krb5_error_code .Fo krb5_cc_get_principal -.Fa "krb5_context *context" +.Fa "krb5_context context" .Fa "krb5_ccache id" .Fa "krb5_principal *principal" .Fc .Ft "const char *" .Fo krb5_cc_get_type -.Fa "krb5_context *context" +.Fa "krb5_context context" .Fa "krb5_ccache id" .Fc .Ft "const krb5_cc_ops *" .Fo krb5_cc_get_ops -.Fa "krb5_context *context" +.Fa "krb5_context context" .Fa "krb5_ccache id" .Fc +.Ft "const krb5_cc_ops *" +.Fo krb5_cc_get_prefix_ops +.Fa "krb5_context context" +.Fa "const char *prefix" +.Fc .Ft krb5_error_code .Fo krb5_cc_get_version -.Fa "krb5_context *context" +.Fa "krb5_context context" .Fa "const krb5_ccache id" .Fc .Ft krb5_error_code .Fo krb5_cc_initialize -.Fa "krb5_context *context" +.Fa "krb5_context context" .Fa "krb5_ccache id" .Fa "krb5_principal primary_principal" .Fc .Ft krb5_error_code .Fo krb5_cc_register -.Fa "krb5_context *context" +.Fa "krb5_context context" .Fa "const krb5_cc_ops *ops" .Fa "krb5_boolean override" .Fc .Ft krb5_error_code .Fo krb5_cc_resolve -.Fa "krb5_context *context" +.Fa "krb5_context context" .Fa "const char *name" .Fa "krb5_ccache *id" .Fc .Ft krb5_error_code .Fo krb5_cc_retrieve_cred -.Fa "krb5_context *context" +.Fa "krb5_context context" .Fa "krb5_ccache id" .Fa "krb5_flags whichfields" .Fa "const krb5_creds *mcreds" @@ -168,34 +189,56 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Fc .Ft krb5_error_code .Fo krb5_cc_remove_cred -.Fa "krb5_context *context" +.Fa "krb5_context context" .Fa "krb5_ccache id" .Fa "krb5_flags which" .Fa "krb5_creds *cred" .Fc .Ft krb5_error_code .Fo krb5_cc_set_default_name -.Fa "krb5_context *context" +.Fa "krb5_context context" .Fa "const char *name" .Fc .Ft krb5_error_code +.Fo krb5_cc_start_seq_get +.Fa "krb5_context context" +.Fa "const krb5_ccache id" +.Fa "krb5_cc_cursor *cursor" +.Fc +.Ft krb5_error_code .Fo krb5_cc_store_cred -.Fa "krb5_context *context" +.Fa "krb5_context context" .Fa "krb5_ccache id" .Fa "krb5_creds *creds" .Fc .Ft krb5_error_code .Fo krb5_cc_set_flags -.Fa "krb5_context *context" +.Fa "krb5_context context" .Fa "krb5_cc_set_flags id" .Fa "krb5_flags flags" .Fc .Ft krb5_error_code .Fo krb5_cc_next_cred -.Fa "krb5_context *context" +.Fa "krb5_context context" +.Fa "const krb5_ccache id" +.Fa "krb5_cc_cursor *cursor" +.Fa "krb5_creds *creds" +.Fc +.Ft krb5_error_code +.Fo krb5_cc_next_cred_match +.Fa "krb5_context context" .Fa "const krb5_ccache id" .Fa "krb5_cc_cursor *cursor" .Fa "krb5_creds *creds" +.Fa "krb5_flags whichfields" +.Fa "const krb5_creds *mcreds" +.Fc +.Ft krb5_error_code +.Fo krb5_cc_new_unique +.Fa "krb5_context context" +.Fa "const char *type" +.Fa "const char *hint" +.Fa "krb5_ccache *id" .Fc .Sh DESCRIPTION The @@ -231,68 +274,108 @@ gets and sets the default name for the .Fa context . .Pp .Fn krb5_cc_default -opens the default ccache in +opens the default credential cache in .Fa id . Return 0 or an error code. .Pp .Fn krb5_cc_gen_new -generates a new ccache of type +generates a new credential cache of type .Fa ops in .Fa id . Return 0 or an error code. +The Heimdal version of this function also runs +.Fn krb5_cc_initialize +on the credential cache, but since the MIT version doesn't, portable +code must call krb5_cc_initialize. +.Pp +.Fn krb5_cc_new_unique +generates a new unique credential cache of +.Fa type +in +.Fa id . +If type is +.Dv NULL , +the library chooses the default credential cache type. +The supplied +.Fa hint +(that can be +.Dv NULL ) +is a string that the credential cache type can use to base the name of +the credential on, this is to make it easier for the user to +differentiate the credentials. +The returned credential cache +.Fa id +should be freed using +.Fn krb5_cc_close +or +.Fn krb5_cc_destroy . +Returns 0 or an error code. .Pp .Fn krb5_cc_resolve -finds and allocates a ccache in +finds and allocates a credential cache in .Fa id -from the specification in +from the specification in .Fa residual . -If the ccache name doesn't contain any colon (:), interpret it as a +If the credential cache name doesn't contain any colon (:), interpret it as a file name. Return 0 or an error code. .Pp .Fn krb5_cc_initialize -creates a new ccache in +creates a new credential cache in .Fa id for .Fa primary_principal . Return 0 or an error code. .Pp .Fn krb5_cc_close -stops using the ccache +stops using the credential cache .Fa id and frees the related resources. Return 0 or an error code. .Fn krb5_cc_destroy -removes the ccache +removes the credential cache and closes (by calling .Fn krb5_cc_close ) .Fa id . Return 0 or an error code. .Pp .Fn krb5_cc_copy_cache -copys the contents of +copys the contents of .Fa from -to +to .Fa to . .Pp +.Fn krb5_cc_get_full_name +returns the complete resolvable name of the credential cache +.Fa id +in +.Fa str . +.Fa str +should be freed with +.Xr free 3 . +Returns 0 or an error, on error +.Fa *str +is set to +.Dv NULL . +.Pp .Fn krb5_cc_get_name -returns the name of the ccache +returns the name of the credential cache .Fa id . .Pp .Fn krb5_cc_get_principal -returns the principal of +returns the principal of .Fa id in .Fa principal . Return 0 or an error code. .Pp .Fn krb5_cc_get_type -returns the type of the ccache +returns the type of the credential cache .Fa id . .Pp .Fn krb5_cc_get_ops -returns the ops of the ccache +returns the ops of the credential cache .Fa id . .Pp .Fn krb5_cc_get_version @@ -300,23 +383,32 @@ returns the version of .Fa id . .Pp .Fn krb5_cc_register -Adds a new ccache type with operations +Adds a new credential cache type with operations .Fa ops , overwriting any existing one if .Fa override . Return an error code or 0. .Pp +.Fn krb5_cc_get_prefix_ops +Get the cc ops that is registered in +.Fa context +to handle the +.Fa prefix . +Returns +.Dv NULL +if ops not found. +.Pp .Fn krb5_cc_remove_cred removes the credential identified by .Fa ( cred , .Fa which ) -from +from .Fa id . .Pp .Fn krb5_cc_store_cred stores .Fa creds -in the ccache +in the credential cache .Fa id . Return 0 or an error code. .Pp @@ -326,8 +418,14 @@ sets the flags of to .Fa flags . .Pp +.Fn krb5_cc_clear_mcred +clears the +.Fa mcreds +argument so it is reset and can be used with +.Fa krb5_cc_retrieve_cred . +.Pp .Fn krb5_cc_retrieve_cred , -retrieves the credential identified by +retrieves the credential identified by .Fa mcreds (and .Fa whichfields ) @@ -335,8 +433,16 @@ from .Fa id in .Fa creds . +.Fa creds +should be freed using +.Fn krb5_free_cred_contents . Return 0 or an error code. .Pp +.Fn krb5_cc_start_seq_get +initiates the +.Li krb5_cc_cursor +structure to be used for iteration over the credential cache. +.Pp .Fn krb5_cc_next_cred retrieves the next cred pointed to by .Fa ( id , @@ -347,9 +453,64 @@ and advance .Fa cursor . Return 0 or an error code. .Pp +.Fn krb5_cc_next_cred_match +is similar to +.Fn krb5_cc_next_cred +except that it will only return creds matching +.Fa whichfields +and +.Fa mcreds +(as interpreted by +.Xr krb5_compare_creds 3 . ) +.Pp .Fn krb5_cc_end_seq_get Destroys the cursor .Fa cursor . +.Sh EXAMPLE +This is a minimalistic version of +.Nm klist . +.Pp +.Bd -literal +#include <krb5.h> + +int +main (int argc, char **argv) +{ + krb5_context context; + krb5_cc_cursor cursor; + krb5_error_code ret; + krb5_ccache id; + krb5_creds creds; + + if (krb5_init_context (&context) != 0) + errx(1, "krb5_context"); + + ret = krb5_cc_default (context, &id); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_default"); + + ret = krb5_cc_start_seq_get(context, id, &cursor); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_start_seq_get"); + + while((ret = krb5_cc_next_cred(context, id, &cursor, &creds)) == 0){ + char *principal; + + krb5_unparse_name_short(context, creds.server, &principal); + printf("principal: %s\\n", principal); + free(principal); + krb5_free_cred_contents (context, &creds); + } + ret = krb5_cc_end_seq_get(context, id, &cursor); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_end_seq_get"); + + krb5_cc_close(context, id); + + krb5_free_context(context); + return 0; +} +.Ed .Sh SEE ALSO .Xr krb5 3 , .Xr krb5.conf 5 , diff --git a/crypto/heimdal/lib/krb5/krb5_ccapi.h b/crypto/heimdal/lib/krb5/krb5_ccapi.h new file mode 100644 index 000000000000..59a38425c252 --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_ccapi.h @@ -0,0 +1,230 @@ +/* + * Copyright (c) 2004 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* $Id: krb5_ccapi.h 22090 2007-12-02 23:23:43Z lha $ */ + +#ifndef KRB5_CCAPI_H +#define KRB5_CCAPI_H 1 + +#include <krb5-types.h> + +enum { + cc_credentials_v5 = 2 +}; + +enum { + ccapi_version_3 = 3, + ccapi_version_4 = 4 +}; + +enum { + ccNoError = 0, + + ccIteratorEnd = 201, + ccErrBadParam, + ccErrNoMem, + ccErrInvalidContext, + ccErrInvalidCCache, + + ccErrInvalidString, /* 206 */ + ccErrInvalidCredentials, + ccErrInvalidCCacheIterator, + ccErrInvalidCredentialsIterator, + ccErrInvalidLock, + + ccErrBadName, /* 211 */ + ccErrBadCredentialsVersion, + ccErrBadAPIVersion, + ccErrContextLocked, + ccErrContextUnlocked, + + ccErrCCacheLocked, /* 216 */ + ccErrCCacheUnlocked, + ccErrBadLockType, + ccErrNeverDefault, + ccErrCredentialsNotFound, + + ccErrCCacheNotFound, /* 221 */ + ccErrContextNotFound, + ccErrServerUnavailable, + ccErrServerInsecure, + ccErrServerCantBecomeUID, + + ccErrTimeOffsetNotSet /* 226 */ +}; + +typedef int32_t cc_int32; +typedef uint32_t cc_uint32; +typedef struct cc_context_t *cc_context_t; +typedef struct cc_ccache_t *cc_ccache_t; +typedef struct cc_ccache_iterator_t *cc_ccache_iterator_t; +typedef struct cc_credentials_v5_t cc_credentials_v5_t; +typedef struct cc_credentials_t *cc_credentials_t; +typedef struct cc_credentials_iterator_t *cc_credentials_iterator_t; +typedef struct cc_string_t *cc_string_t; +typedef time_t cc_time_t; + +typedef struct cc_data { + cc_uint32 type; + cc_uint32 length; + void *data; +} cc_data; + +struct cc_credentials_v5_t { + char *client; + char *server; + cc_data keyblock; + cc_time_t authtime; + cc_time_t starttime; + cc_time_t endtime; + cc_time_t renew_till; + cc_uint32 is_skey; + cc_uint32 ticket_flags; +#define KRB5_CCAPI_TKT_FLG_FORWARDABLE 0x40000000 +#define KRB5_CCAPI_TKT_FLG_FORWARDED 0x20000000 +#define KRB5_CCAPI_TKT_FLG_PROXIABLE 0x10000000 +#define KRB5_CCAPI_TKT_FLG_PROXY 0x08000000 +#define KRB5_CCAPI_TKT_FLG_MAY_POSTDATE 0x04000000 +#define KRB5_CCAPI_TKT_FLG_POSTDATED 0x02000000 +#define KRB5_CCAPI_TKT_FLG_INVALID 0x01000000 +#define KRB5_CCAPI_TKT_FLG_RENEWABLE 0x00800000 +#define KRB5_CCAPI_TKT_FLG_INITIAL 0x00400000 +#define KRB5_CCAPI_TKT_FLG_PRE_AUTH 0x00200000 +#define KRB5_CCAPI_TKT_FLG_HW_AUTH 0x00100000 +#define KRB5_CCAPI_TKT_FLG_TRANSIT_POLICY_CHECKED 0x00080000 +#define KRB5_CCAPI_TKT_FLG_OK_AS_DELEGATE 0x00040000 +#define KRB5_CCAPI_TKT_FLG_ANONYMOUS 0x00020000 + cc_data **addresses; + cc_data ticket; + cc_data second_ticket; + cc_data **authdata; +}; + + +typedef struct cc_string_functions { + cc_int32 (*release)(cc_string_t); +} cc_string_functions; + +struct cc_string_t { + const char *data; + const cc_string_functions *func; +}; + +typedef struct cc_credentials_union { + cc_int32 version; + union { + cc_credentials_v5_t* credentials_v5; + } credentials; +} cc_credentials_union; + +struct cc_credentials_functions { + cc_int32 (*release)(cc_credentials_t); + cc_int32 (*compare)(cc_credentials_t, cc_credentials_t, cc_uint32*); +}; + +struct cc_credentials_t { + const cc_credentials_union* data; + const struct cc_credentials_functions* func; +}; + +struct cc_credentials_iterator_functions { + cc_int32 (*release)(cc_credentials_iterator_t); + cc_int32 (*next)(cc_credentials_iterator_t, cc_credentials_t*); +}; + +struct cc_credentials_iterator_t { + const struct cc_credentials_iterator_functions *func; +}; + +struct cc_ccache_iterator_functions { + cc_int32 (*release) (cc_ccache_iterator_t); + cc_int32 (*next)(cc_ccache_iterator_t, cc_ccache_t*); +}; + +struct cc_ccache_iterator_t { + const struct cc_ccache_iterator_functions* func; +}; + +typedef struct cc_ccache_functions { + cc_int32 (*release)(cc_ccache_t); + cc_int32 (*destroy)(cc_ccache_t); + cc_int32 (*set_default)(cc_ccache_t); + cc_int32 (*get_credentials_version)(cc_ccache_t, cc_uint32*); + cc_int32 (*get_name)(cc_ccache_t, cc_string_t*); + cc_int32 (*get_principal)(cc_ccache_t, cc_uint32, cc_string_t*); + cc_int32 (*set_principal)(cc_ccache_t, cc_uint32, const char*); + cc_int32 (*store_credentials)(cc_ccache_t, const cc_credentials_union*); + cc_int32 (*remove_credentials)(cc_ccache_t, cc_credentials_t); + cc_int32 (*new_credentials_iterator)(cc_ccache_t, + cc_credentials_iterator_t*); + cc_int32 (*move)(cc_ccache_t, cc_ccache_t); + cc_int32 (*lock)(cc_ccache_t, cc_uint32, cc_uint32); + cc_int32 (*unlock)(cc_ccache_t); + cc_int32 (*get_last_default_time)(cc_ccache_t, cc_time_t*); + cc_int32 (*get_change_time)(cc_ccache_t, cc_time_t*); + cc_int32 (*compare)(cc_ccache_t, cc_ccache_t, cc_uint32*); + cc_int32 (*get_kdc_time_offset)(cc_ccache_t, cc_int32, cc_time_t *); + cc_int32 (*set_kdc_time_offset)(cc_ccache_t, cc_int32, cc_time_t); + cc_int32 (*clear_kdc_time_offset)(cc_ccache_t, cc_int32); +} cc_ccache_functions; + +struct cc_ccache_t { + const cc_ccache_functions *func; +}; + +struct cc_context_functions { + cc_int32 (*release)(cc_context_t); + cc_int32 (*get_change_time)(cc_context_t, cc_time_t *); + cc_int32 (*get_default_ccache_name)(cc_context_t, cc_string_t*); + cc_int32 (*open_ccache)(cc_context_t, const char*, cc_ccache_t *); + cc_int32 (*open_default_ccache)(cc_context_t, cc_ccache_t*); + cc_int32 (*create_ccache)(cc_context_t,const char*, cc_uint32, + const char*, cc_ccache_t*); + cc_int32 (*create_default_ccache)(cc_context_t, cc_uint32, + const char*, cc_ccache_t*); + cc_int32 (*create_new_ccache)(cc_context_t, cc_uint32, + const char*, cc_ccache_t*); + cc_int32 (*new_ccache_iterator)(cc_context_t, cc_ccache_iterator_t*); + cc_int32 (*lock)(cc_context_t, cc_uint32, cc_uint32); + cc_int32 (*unlock)(cc_context_t); + cc_int32 (*compare)(cc_context_t, cc_context_t, cc_uint32*); +}; + +struct cc_context_t { + const struct cc_context_functions* func; +}; + +typedef cc_int32 +(*cc_initialize_func)(cc_context_t*, cc_int32, cc_int32 *, char const **); + +#endif /* KRB5_CCAPI_H */ diff --git a/crypto/heimdal/lib/krb5/krb5_check_transited.3 b/crypto/heimdal/lib/krb5/krb5_check_transited.3 new file mode 100644 index 000000000000..65ce0774225f --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_check_transited.3 @@ -0,0 +1,106 @@ +.\" Copyright (c) 2004, 2006 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_check_transited.3 17382 2006-05-01 07:09:16Z lha $ +.\" +.Dd May 1, 2006 +.Dt KRB5_CHECK_TRANSITED 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_check_transited , +.Nm krb5_check_transited_realms , +.Nm krb5_domain_x500_decode , +.Nm krb5_domain_x500_encode +.Nd realm transit verification and encoding/decoding functions +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Ft krb5_error_code +.Fo krb5_check_transited +.Fa "krb5_context context" +.Fa "krb5_const_realm client_realm" +.Fa "krb5_const_realm server_realm" +.Fa "krb5_realm *realms" +.Fa "int num_realms" +.Fa "int *bad_realm" +.Fc +.Ft krb5_error_code +.Fo krb5_check_transited_realms +.Fa "krb5_context context" +.Fa "const char *const *realms" +.Fa "int num_realms" +.Fa "int *bad_realm" +.Fc +.Ft krb5_error_code +.Fo krb5_domain_x500_decode +.Fa "krb5_context context" +.Fa "krb5_data tr" +.Fa "char ***realms" +.Fa "int *num_realms" +.Fa "const char *client_realm" +.Fa "const char *server_realm" +.Fc +.Ft krb5_error_code +.Fo krb5_domain_x500_encode +.Fa "char **realms" +.Fa "int num_realms" +.Fa "krb5_data *encoding" +.Fc +.Sh DESCRIPTION +.Fn krb5_check_transited +checks the path from +.Fa client_realm +to +.Fa server_realm +where +.Fa realms +and +.Fa num_realms +is the realms between them. +If the function returns an error value, +.Fa bad_realm +will be set to the realm in the list causing the error. +.Fn krb5_check_transited +is used internally by the KDC and libkrb5 and should not be called by +client applications. +.Pp +.Fn krb5_check_transited_realms +is deprecated. +.Pp +.Fn krb5_domain_x500_encode +and +.Fn krb5_domain_x500_decode +encodes and decodes the realm names in the X500 format that Kerberos +uses to describe the transited realms in krbtgts. +.Sh SEE ALSO +.Xr krb5 3 , +.Xr krb5.conf 5 diff --git a/crypto/heimdal/lib/krb5/krb5_compare_creds.3 b/crypto/heimdal/lib/krb5/krb5_compare_creds.3 new file mode 100644 index 000000000000..9fd2bbbbb684 --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_compare_creds.3 @@ -0,0 +1,104 @@ +.\" Copyright (c) 2004-2005 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_compare_creds.3 15110 2005-05-10 09:21:06Z lha $ +.\" +.Dd May 10, 2005 +.Dt KRB5_COMPARE_CREDS 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_compare_creds +.Nd compare Kerberos 5 credentials +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Ft krb5_boolean +.Fo krb5_compare_creds +.Fa "krb5_context context" +.Fa "krb5_flags whichfields" +.Fa "const krb5_creds *mcreds" +.Fa "const krb5_creds *creds" +.Fc +.Sh DESCRIPTION +.Fn krb5_compare_creds +compares +.Fa mcreds +(usually filled in by the application) +to +.Fa creds +(most often from a credentials cache) +and return +.Dv TRUE +if they are equal. +Unless +.Va mcreds-\*[Gt]server +is +.Dv NULL , +the service of the credentials are always compared. If the client +name in +.Fa mcreds +is present, the client names are also compared. This function is +normally only called indirectly via +.Xr krb5_cc_retrieve_cred 3 . +.Pp +The following flags, set in +.Fa whichfields , +affects the comparison: +.Bl -tag -width KRB5_TC_MATCH_SRV_NAMEONLY -compact -offset indent +.It KRB5_TC_MATCH_SRV_NAMEONLY +Consider all realms equal when comparing the service principal. +.It KRB5_TC_MATCH_KEYTYPE +Compare enctypes. +.It KRB5_TC_MATCH_FLAGS_EXACT +Make sure that the ticket flags are identical. +.It KRB5_TC_MATCH_FLAGS +Make sure that all ticket flags set in +.Fa mcreds +are also present in +.Fa creds . +.It KRB5_TC_MATCH_TIMES_EXACT +Compares the ticket times exactly. +.It KRB5_TC_MATCH_TIMES +Compares only the expiration times of the creds. +.It KRB5_TC_MATCH_AUTHDATA +Compares the authdata fields. +.It KRB5_TC_MATCH_2ND_TKT +Compares the second tickets (used by user-to-user authentication). +.It KRB5_TC_MATCH_IS_SKEY +Compares the existance of the second ticket. +.El +.Sh SEE ALSO +.Xr krb5 3 , +.Xr krb5_cc_retrieve_cred 3 , +.Xr krb5_creds 3 , +.Xr krb5_get_init_creds 3 , +.Xr kerberos 8 diff --git a/crypto/heimdal/lib/krb5/krb5_config.3 b/crypto/heimdal/lib/krb5/krb5_config.3 index 471389e54aca..9c302ae2f3a3 100644 --- a/crypto/heimdal/lib/krb5/krb5_config.3 +++ b/crypto/heimdal/lib/krb5/krb5_config.3 @@ -1,26 +1,239 @@ -.\" Copyright (c) 2000 Kungliga Tekniska Högskolan -.\" $Id: krb5_config.3,v 1.5 2003/04/16 13:58:14 lha Exp $ -.Dd July 25, 2000 -.Dt KRB5_CONFIG 3 +.\" Copyright (c) 2000 - 2007 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" +.\" $Id: krb5_config.3 21905 2007-08-10 10:16:45Z lha $ +.\" +.Dd August 10, 2007 +.Dt KRB5_CONFIG_GET 3 .Os HEIMDAL .Sh NAME +.Nm krb5_config_file_free , +.Nm krb5_config_free_strings , +.Nm krb5_config_get , +.Nm krb5_config_get_bool , .Nm krb5_config_get_bool_default , +.Nm krb5_config_get_int , .Nm krb5_config_get_int_default , +.Nm krb5_config_get_list , +.Nm krb5_config_get_next , +.Nm krb5_config_get_string , .Nm krb5_config_get_string_default , -.Nm krb5_config_get_time_default +.Nm krb5_config_get_strings , +.Nm krb5_config_get_time , +.Nm krb5_config_get_time_default , +.Nm krb5_config_parse_file , +.Nm krb5_config_parse_file_multi , +.Nm krb5_config_vget , +.Nm krb5_config_vget_bool , +.Nm krb5_config_vget_bool_default , +.Nm krb5_config_vget_int , +.Nm krb5_config_vget_int_default , +.Nm krb5_config_vget_list , +.Nm krb5_config_vget_next , +.Nm krb5_config_vget_string , +.Nm krb5_config_vget_string_default , +.Nm krb5_config_vget_strings , +.Nm krb5_config_vget_time , +.Nm krb5_config_vget_time_default .Nd get configuration value .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) .Sh SYNOPSIS .In krb5.h +.Ft krb5_error_code +.Fo krb5_config_file_free +.Fa "krb5_context context" +.Fa "krb5_config_section *s" +.Fc +.Ft void +.Fo krb5_config_free_strings +.Fa "char **strings" +.Fc +.Ft "const void *" +.Fo krb5_config_get +.Fa "krb5_context context" +.Fa "const krb5_config_section *c" +.Fa "int type" +.Fa "..." +.Fc .Ft krb5_boolean -.Fn krb5_config_get_bool_default "krb5_context context" "krb5_config_section *c" "krb5_boolean def_value" "..." +.Fo krb5_config_get_bool +.Fa "krb5_context context" +.Fa "krb5_config_section *c" +.Fa "..." +.Fc +.Ft krb5_boolean +.Fo krb5_config_get_bool_default +.Fa "krb5_context context" +.Fa "krb5_config_section *c" +.Fa "krb5_boolean def_value" +.Fa "..." +.Fc +.Ft int +.Fo krb5_config_get_int +.Fa "krb5_context context" +.Fa "krb5_config_section *c" +.Fa "..." +.Fc .Ft int -.Fn krb5_config_get_int_default "krb5_context context" "krb5_config_section *c" "int def_value" "..." +.Fo krb5_config_get_int_default +.Fa "krb5_context context" +.Fa "krb5_config_section *c" +.Fa "int def_value" +.Fa "..." +.Fc .Ft const char* -.Fn krb5_config_get_string_default "krb5_context context" "krb5_config_section *c" "const char *def_value" "..." +.Fo krb5_config_get_string +.Fa "krb5_context context" +.Fa "krb5_config_section *c" +.Fa "..." +.Fc +.Ft const char* +.Fo krb5_config_get_string_default +.Fa "krb5_context context" +.Fa "krb5_config_section *c" +.Fa "const char *def_value" +.Fa "..." +.Fc +.Ft "char**" +.Fo krb5_config_get_strings +.Fa "krb5_context context" +.Fa "const krb5_config_section *c" +.Fa "..." +.Fc +.Ft int +.Fo krb5_config_get_time +.Fa "krb5_context context" +.Fa "krb5_config_section *c" +.Fa "..." +.Fc +.Ft int +.Fo krb5_config_get_time_default +.Fa "krb5_context context" +.Fa "krb5_config_section *c" +.Fa "int def_value" +.Fa "..." +.Fc +.Ft krb5_error_code +.Fo krb5_config_parse_file +.Fa "krb5_context context" +.Fa "const char *fname" +.Fa "krb5_config_section **res" +.Fc +.Ft krb5_error_code +.Fo krb5_config_parse_file_multi +.Fa "krb5_context context" +.Fa "const char *fname" +.Fa "krb5_config_section **res" +.Fc +.Ft "const void *" +.Fo krb5_config_vget +.Fa "krb5_context context" +.Fa "const krb5_config_section *c" +.Fa "int type" +.Fa "va_list args" +.Fc +.Ft krb5_boolean +.Fo krb5_config_vget_bool +.Fa "krb5_context context" +.Fa "const krb5_config_section *c" +.Fa "va_list args" +.Fc +.Ft krb5_boolean +.Fo krb5_config_vget_bool_default +.Fa "krb5_context context" +.Fa "const krb5_config_section *c" +.Fa "krb5_boolean def_value" +.Fa "va_list args" +.Fc +.Ft int +.Fo krb5_config_vget_int +.Fa "krb5_context context" +.Fa "const krb5_config_section *c" +.Fa "va_list args" +.Fc .Ft int -.Fn krb5_config_get_time_default "krb5_context context" "krb5_config_section *c" "int def_value" "..." +.Fo krb5_config_vget_int_default +.Fa "krb5_context context" +.Fa "const krb5_config_section *c" +.Fa "int def_value" +.Fa "va_list args" +.Fc +.Ft "const krb5_config_binding *" +.Fo krb5_config_vget_list +.Fa "krb5_context context" +.Fa "const krb5_config_section *c" +.Fa "va_list args" +.Fc +.Ft "const void *" +.Fo krb5_config_vget_next +.Fa "krb5_context context" +.Fa "const krb5_config_section *c" +.Fa "const krb5_config_binding **pointer" +.Fa "int type" +.Fa "va_list args" +.Fc +.Ft "const char *" +.Fo krb5_config_vget_string +.Fa "krb5_context context" +.Fa "const krb5_config_section *c" +.Fa "va_list args" +.Fc +.Ft "const char *" +.Fo krb5_config_vget_string_default +.Fa "krb5_context context" +.Fa "const krb5_config_section *c" +.Fa "const char *def_value" +.Fa "va_list args" +.Fc +.Ft char ** +.Fo krb5_config_vget_strings +.Fa "krb5_context context" +.Fa "const krb5_config_section *c" +.Fa "va_list args" +.Fc +.Ft int +.Fo krb5_config_vget_time +.Fa "krb5_context context" +.Fa "const krb5_config_section *c" +.Fa "va_list args" +.Fc +.Ft int +.Fo krb5_config_vget_time_default +.Fa "krb5_context context" +.Fa "const krb5_config_section *c" +.Fa "int def_value" +.Fa "va_list args" +.Fc .Sh DESCRIPTION These functions get values from the .Xr krb5.conf 5 @@ -31,7 +244,8 @@ parameter. The variable arguments should be a list of strings naming each subsection to look for. For example: .Bd -literal -offset indent -krb5_config_get_bool_default(context, NULL, FALSE, "libdefaults", "log_utc", NULL) +krb5_config_get_bool_default(context, NULL, FALSE, + "libdefaults", "log_utc", NULL); .Ed .Pp gets the boolean value for the @@ -57,9 +271,37 @@ seconds, so the string .Sq 2 weeks will be converted to 1209600 (2 * 7 * 24 * 60 * 60). -.Sh BUGS -Other than for the string case, there's no way to tell whether there -was a value specified or not. +.Pp +.Fn krb5_config_get_string +returns a +.Ft "const char *" +to a string in the configuration database. The string not be valid +after reload of the configuration database +.\" or a call to .Fn krb5_config_set_string , +so a caller should make a local copy if its need to keep the database. +.Pp +.Fn krb5_config_free_strings +free +.Fa strings +as returned by +.Fn krb5_config_get_strings +and +.Fn krb5_config_vget_strings . +If the argument +.Fa strings +is a +.Dv NULL +pointer, no action occurs. +.Pp +.Fn krb5_config_file_free +free the result of +.Fn krb5_config_parse_file +and +.Fn krb5_config_parse_file_multi . .Sh SEE ALSO .Xr krb5_appdefault 3 , +.Xr krb5_init_context 3 , .Xr krb5.conf 5 +.Sh BUGS +For the default functions, other than for the string case, there's no +way to tell whether there was a value specified or not. diff --git a/crypto/heimdal/lib/krb5/krb5_context.3 b/crypto/heimdal/lib/krb5/krb5_context.3 index 95d11207d49a..5bfcc26c7103 100644 --- a/crypto/heimdal/lib/krb5/krb5_context.3 +++ b/crypto/heimdal/lib/krb5/krb5_context.3 @@ -1,35 +1,35 @@ -.\" Copyright (c) 2001 - 200 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 2001 - 2003 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $Id: krb5_context.3,v 1.5 2003/03/10 02:19:28 lha Exp $ +.\" $Id: krb5_context.3 12329 2003-05-26 14:09:04Z lha $ .\" .Dd January 21, 2001 .Dt KRB5_CONTEXT 3 @@ -37,6 +37,10 @@ .Sh NAME .Nm krb5_context .Nd krb5 state structure +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h .Sh DESCRIPTION The .Nm diff --git a/crypto/heimdal/lib/krb5/krb5_create_checksum.3 b/crypto/heimdal/lib/krb5/krb5_create_checksum.3 index 6704113bd7e5..43d5b4e5d32c 100644 --- a/crypto/heimdal/lib/krb5/krb5_create_checksum.3 +++ b/crypto/heimdal/lib/krb5/krb5_create_checksum.3 @@ -1,60 +1,146 @@ -.\" Copyright (c) 1999 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 1999-2005 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $Id: krb5_create_checksum.3,v 1.6 2003/04/16 13:58:14 lha Exp $ +.\" $Id: krb5_create_checksum.3 15921 2005-08-12 09:01:22Z lha $ .\" -.Dd April 7, 1999 +.Dd August 12, 2005 .Dt NAME 3 .Os HEIMDAL .Sh NAME +.Nm krb5_checksum , +.Nm krb5_checksum_disable , .Nm krb5_checksum_is_collision_proof , .Nm krb5_checksum_is_keyed , .Nm krb5_checksumsize , +.Nm krb5_cksumtype_valid , +.Nm krb5_copy_checksum , .Nm krb5_create_checksum , +.Nm krb5_crypto_get_checksum_type +.Nm krb5_free_checksum , +.Nm krb5_free_checksum_contents , +.Nm krb5_hmac , .Nm krb5_verify_checksum -.Nd creates and verifies checksums +.Nd creates, handles and verifies checksums .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) .Sh SYNOPSIS .In krb5.h -.Ft krb5_error_code -.Fn krb5_create_checksum "krb5_context context" "krb5_crypto crypto" "unsigned usage_or_type" "void *data" "size_t len" "Checksum *result" -.Ft krb5_error_code -.Fn krb5_verify_checksum "krb5_context context" "krb5_crypto crypto" "krb5_key_usage usage" "void *data" "size_t len" "Checksum *cksum" +.Pp +.Li "typedef Checksum krb5_checksum;" +.Ft void +.Fo krb5_checksum_disable +.Fa "krb5_context context" +.Fa "krb5_cksumtype type" +.Fc .Ft krb5_boolean -.Fn krb5_checksum_is_collision_proof "krb5_context context" "krb5_cksumtype type" +.Fo krb5_checksum_is_collision_proof +.Fa "krb5_context context" +.Fa "krb5_cksumtype type" +.Fc .Ft krb5_boolean -.Fn krb5_checksum_is_keyed "krb5_context context" "krb5_cksumtype type" +.Fo krb5_checksum_is_keyed +.Fa "krb5_context context" +.Fa "krb5_cksumtype type" +.Fc +.Ft krb5_error_code +.Fo krb5_cksumtype_valid +.Fa "krb5_context context" +.Fa "krb5_cksumtype ctype" +.Fc +.Ft krb5_error_code +.Fo krb5_checksumsize +.Fa "krb5_context context" +.Fa "krb5_cksumtype type" +.Fa "size_t *size" +.Fc +.Ft krb5_error_code +.Fo krb5_create_checksum +.Fa "krb5_context context" +.Fa "krb5_crypto crypto" +.Fa "krb5_key_usage usage" +.Fa "int type" +.Fa "void *data" +.Fa "size_t len" +.Fa "Checksum *result" +.Fc +.Ft krb5_error_code +.Fo krb5_verify_checksum +.Fa "krb5_context context" +.Fa "krb5_crypto crypto" +.Fa "krb5_key_usage usage" +.Fa "void *data" +.Fa "size_t len" +.Fa "Checksum *cksum" +.Fc +.Ft krb5_error_code +.Fo krb5_crypto_get_checksum_type +.Fa "krb5_context context" +.Fa "krb5_crypto crypto" +.Fa "krb5_cksumtype *type" +.Fc +.Ft void +.Fo krb5_free_checksum +.Fa "krb5_context context" +.Fa "krb5_checksum *cksum" +.Fc +.Ft void +.Fo krb5_free_checksum_contents +.Fa "krb5_context context" +.Fa "krb5_checksum *cksum" +.Fc +.Ft krb5_error_code +.Fo krb5_hmac +.Fa "krb5_context context" +.Fa "krb5_cksumtype cktype" +.Fa "const void *data" +.Fa "size_t len" +.Fa "unsigned usage" +.Fa "krb5_keyblock *key" +.Fa "Checksum *result" +.Fc +.Ft krb5_error_code +.Fo krb5_copy_checksum +.Fa "krb5_context context" +.Fa "const krb5_checksum *old" +.Fa "krb5_checksum **new" +.Fc .Sh DESCRIPTION -These functions are used to create and verify checksums. +The +.Li krb5_checksum +structure holds a Kerberos checksum. +There is no component inside +.Li krb5_checksum +that is directly referable. +.Pp +The functions are used to create and verify checksums. .Fn krb5_create_checksum creates a checksum of the specified data, and puts it in .Fa result . @@ -73,7 +159,7 @@ specifies a key-usage. .Pp .Fn krb5_verify_checksum verifies the -.Fa checksum , +.Fa checksum against the provided data. .Pp .Fn krb5_checksum_is_collision_proof @@ -88,8 +174,53 @@ value is a function of both the data, and a separate key). Examples of keyed hash algorithms are HMAC-SHA1-DES3, and RSA-MD5-DES. The .Dq plain hash functions MD5, and SHA1 are not keyed. +.Pp +.Fn krb5_crypto_get_checksum_type +returns the checksum type that will be used when creating a checksum for the given +.Fa crypto +context. +This function is useful in combination with +.Fn krb5_checksumsize +when you want to know the size a checksum will +use when you create it. +.Pp +.Fn krb5_cksumtype_valid +returns 0 or an error if the checksumtype is implemented and not +currently disabled in this kerberos library. +.Pp +.Fn krb5_checksumsize +returns the size of the outdata of checksum function. +.Pp +.Fn krb5_copy_checksum +returns a copy of the checksum +.Fn krb5_free_checksum +should use used to free the +.Fa new +checksum. +.Pp +.Fn krb5_free_checksum +free the checksum and the content of the checksum. +.Pp +.Fn krb5_free_checksum_contents +frees the content of checksum in +.Fa cksum . +.Pp +.Fn krb5_hmac +calculates the HMAC over +.Fa data +(with length +.Fa len ) +using the keyusage +.Fa usage +and keyblock +.Fa key . +Note that keyusage is not always used in checksums. +.Pp +.Nm krb5_checksum_disable +globally disables the checksum type. .\" .Sh EXAMPLE .\" .Sh BUGS .Sh SEE ALSO .Xr krb5_crypto_init 3 , +.Xr krb5_c_encrypt 3 , .Xr krb5_encrypt 3 diff --git a/crypto/heimdal/lib/krb5/krb5_creds.3 b/crypto/heimdal/lib/krb5/krb5_creds.3 new file mode 100644 index 000000000000..9eb9a2be9492 --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_creds.3 @@ -0,0 +1,119 @@ +.\" Copyright (c) 2004, 2006 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_creds.3 17383 2006-05-01 07:13:03Z lha $ +.\" +.Dd May 1, 2006 +.Dt KRB5_CREDS 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_creds , +.Nm krb5_copy_creds , +.Nm krb5_copy_creds_contents , +.Nm krb5_free_creds , +.Nm krb5_free_cred_contents +.Nd Kerberos 5 credential handling functions +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Ft krb5_error_code +.Fo krb5_copy_creds +.Fa "krb5_context context" +.Fa "const krb5_creds *incred" +.Fa "krb5_creds **outcred" +.Fc +.Ft krb5_error_code +.Fo krb5_copy_creds_contents +.Fa "krb5_context context" +.Fa "const krb5_creds *incred" +.Fa "krb5_creds *outcred" +.Fc +.Ft krb5_error_code +.Fo krb5_free_creds +.Fa "krb5_context context" +.Fa "krb5_creds *outcred" +.Fc +.Ft krb5_error_code +.Fo krb5_free_cred_contents +.Fa "krb5_context context" +.Fa "krb5_creds *cred" +.Fc +.Sh DESCRIPTION +.Vt krb5_creds +holds Kerberos credentials: +.Bd -literal -offset +typedef struct krb5_creds { + krb5_principal client; + krb5_principal server; + krb5_keyblock session; + krb5_times times; + krb5_data ticket; + krb5_data second_ticket; + krb5_authdata authdata; + krb5_addresses addresses; + krb5_ticket_flags flags; +} krb5_creds; +.Ed +.Pp +.Fn krb5_copy_creds +makes a copy of +.Fa incred +to +.Fa outcred . +.Fa outcred +should be freed with +.Fn krb5_free_creds +by the caller. +.Pp +.Fn krb5_copy_creds_contents +makes a copy of the content of +.Fa incred +to +.Fa outcreds . +.Fa outcreds +should be freed by the called with +.Fn krb5_free_creds_contents . +.Pp +.Fn krb5_free_creds +frees the content of the +.Fa cred +structure and the structure itself. +.Pp +.Fn krb5_free_cred_contents +frees the content of the +.Fa cred +structure. +.Sh SEE ALSO +.Xr krb5 3 , +.Xr krb5_compare_creds 3 , +.Xr krb5_get_init_creds 3 , +.Xr kerberos 8 diff --git a/crypto/heimdal/lib/krb5/krb5_crypto_init.3 b/crypto/heimdal/lib/krb5/krb5_crypto_init.3 index 4b0284cbfe2d..822006e08f4c 100644 --- a/crypto/heimdal/lib/krb5/krb5_crypto_init.3 +++ b/crypto/heimdal/lib/krb5/krb5_crypto_init.3 @@ -1,43 +1,43 @@ .\" Copyright (c) 1999 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $Id: krb5_crypto_init.3,v 1.6 2003/04/16 13:58:15 lha Exp $ +.\" $Id: krb5_crypto_init.3 13563 2004-03-20 12:00:01Z lha $ .\" .Dd April 7, 1999 .Dt NAME 3 .Os HEIMDAL .Sh NAME -.Nm krb5_crypto_init , -.Nm krb5_crypto_destroy -.Nd initialize encryption context +.Nm krb5_crypto_destroy , +.Nm krb5_crypto_init +.Nd encryption support in krb5 .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) .Sh SYNOPSIS @@ -47,22 +47,19 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Ft krb5_error_code .Fn krb5_crypto_destroy "krb5_context context" "krb5_crypto crypto" .Sh DESCRIPTION -These functions are used to initialize an encryption context that can -be used to encrypt or checksum data. +Heimdal exports parts of the Kerberos crypto interface for applications. .Pp -The -.Fn krb5_crypt_init -initializes the encrytion context -.Fa crypto . -The -.Fa key -parameter is the key to use for encryption, and checksums. The -encryption type to use is taken from the key, but can be overridden +Each kerberos encrytion/checksum function takes a crypto context. +.Pp +To setup and destroy crypto contextes there are two functions +.Fn krb5_crypto_init +and +.Fn krb5_crypto_destroy . +The encryption type to use is taken from the key, but can be overridden with the .Fa enctype parameter . -.Pp -.Fn krb5_crypto_destroy -frees a previously allocated encrypion context. +This can be useful for encryptions types which is compatiable (DES for +example). .\" .Sh EXAMPLE .\" .Sh BUGS .Sh SEE ALSO diff --git a/crypto/heimdal/lib/krb5/krb5_data.3 b/crypto/heimdal/lib/krb5/krb5_data.3 index 355d934149c2..2ccff19251da 100644 --- a/crypto/heimdal/lib/krb5/krb5_data.3 +++ b/crypto/heimdal/lib/krb5/krb5_data.3 @@ -1,50 +1,51 @@ -.\" Copyright (c) 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 2003 - 2005, 2007 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $Id: krb5_data.3,v 1.4 2003/04/16 13:58:13 lha Exp $ -.\" -.Dd March 20, 2003 +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_data.3 20040 2007-01-23 20:35:12Z lha $ +.\" +.Dd Jan 23, 2007 .Dt KRB5_DATA 3 .Os HEIMDAL .Sh NAME -.Nm krb5_data -.Nm krb5_data_zero -.Nm krb5_data_free -.Nm krb5_free_data_contents -.Nm krb5_free_data -.Nm krb5_data_alloc -.Nm krb5_data_realloc -.Nm krb5_data_copy -.Nm krb5_copy_data -.Nd operates on the Kerberos datatype krb5_data. +.Nm krb5_data , +.Nm krb5_data_zero , +.Nm krb5_data_free , +.Nm krb5_free_data_contents , +.Nm krb5_free_data , +.Nm krb5_data_alloc , +.Nm krb5_data_realloc , +.Nm krb5_data_copy , +.Nm krb5_copy_data , +.Nm krb5_data_cmp +.Nd operates on the Kerberos datatype krb5_data .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) .Sh SYNOPSIS @@ -67,6 +68,8 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Fn krb5_data_copy "krb5_data *p" "const void *data" "size_t len" .Ft krb5_error_code .Fn krb5_copy_data "krb5_context context" "const krb5_data *indata" "krb5_data **outdata" +.Ft krb5_error_code +.Fn krb5_data_cmp "const krb5_data *data1" "const krb5_data *data2" .Sh DESCRIPTION The .Li krb5_data @@ -86,7 +89,9 @@ resets the content of .Pp .Fn krb5_data_free free the data in -.Fa p . +.Fa p +and reset the content of the structure with +.Fn krb5_data_zero . .Pp .Fn krb5_free_data_contents works the same way as @@ -99,13 +104,13 @@ frees the data in .Fa p and .Fa p -itself . +itself. .Pp .Fn krb5_data_alloc allocates .Fa len bytes in -.Fa p +.Fa p . Returns 0 or an error. .Pp .Fn krb5_data_realloc @@ -143,6 +148,11 @@ doesn't contain anything needs to be freed. should be freed using .Fn krb5_free_data . Returns 0 or an error. +.Pp +.Fn krb5_data_cmp +will compare two data object and check if they are the same in a +simular way as memcmp does it. The return value can be used for +sorting. .Sh SEE ALSO .Xr krb5 3 , .Xr krb5_storage 3 , diff --git a/crypto/heimdal/lib/krb5/krb5_digest.3 b/crypto/heimdal/lib/krb5/krb5_digest.3 new file mode 100644 index 000000000000..f9d7571b072d --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_digest.3 @@ -0,0 +1,260 @@ +.\" Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_digest.3 20259 2007-02-17 23:49:54Z lha $ +.\" +.Dd February 18, 2007 +.Dt KRB5_DIGEST 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_digest , +.Nm krb5_digest_alloc , +.Nm krb5_digest_free , +.Nm krb5_digest_set_server_cb , +.Nm krb5_digest_set_type , +.Nm krb5_digest_set_hostname , +.Nm krb5_digest_get_server_nonce , +.Nm krb5_digest_set_server_nonce , +.Nm krb5_digest_get_opaque , +.Nm krb5_digest_set_opaque , +.Nm krb5_digest_get_identifier , +.Nm krb5_digest_set_identifier , +.Nm krb5_digest_init_request , +.Nm krb5_digest_set_client_nonce , +.Nm krb5_digest_set_digest , +.Nm krb5_digest_set_username , +.Nm krb5_digest_set_authid , +.Nm krb5_digest_set_authentication_user , +.Nm krb5_digest_set_realm , +.Nm krb5_digest_set_method , +.Nm krb5_digest_set_uri , +.Nm krb5_digest_set_nonceCount , +.Nm krb5_digest_set_qop , +.Nm krb5_digest_request , +.Nm krb5_digest_get_responseData , +.Nm krb5_digest_get_rsp , +.Nm krb5_digest_get_tickets , +.Nm krb5_digest_get_client_binding , +.Nm krb5_digest_get_a1_hash +.Nd remote digest (HTTP-DIGEST, SASL, CHAP) suppport +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Pp +.Li "typedef struct krb5_digest *krb5_digest;" +.Pp +.Ft krb5_error_code +.Fo krb5_digest_alloc +.Fa "krb5_context context" +.Fa "krb5_digest *digest" +.Fc +.Ft void +.Fo krb5_digest_free +.Fa "krb5_digest digest" +.Fc +.Ft krb5_error_code +.Fo krb5_digest_set_type +.Fa "krb5_context context" +.Fa "krb5_digest digest" +.Fa "const char *type" +.Fc +.Ft krb5_error_code +.Fo krb5_digest_set_server_cb +.Fa "krb5_context context" +.Fa "krb5_digest digest" +.Fa "const char *type" +.Fa "const char *binding" +.Fc +.Ft krb5_error_code +.Fo krb5_digest_set_hostname +.Fa "krb5_context context" +.Fa "krb5_digest digest" +.Fa "const char *hostname" +.Fc +.Ft "const char *" +.Fo krb5_digest_get_server_nonce +.Fa "krb5_context context" +.Fa "krb5_digest digest" +.Fc +.Ft krb5_error_code +.Fo krb5_digest_set_server_nonce +.Fa "krb5_context context" +.Fa "krb5_digest digest" +.Fa "const char *nonce" +.Fc +.Ft "const char *" +.Fo krb5_digest_get_opaque +.Fa "krb5_context context" +.Fa "krb5_digest digest" +.Fc +.Ft krb5_error_code +.Fo krb5_digest_set_opaque +.Fa "krb5_context context" +.Fa "krb5_digest digest" +.Fa "const char *opaque" +.Fc +.Ft "const char *" +.Fo krb5_digest_get_identifier +.Fa "krb5_context context" +.Fa "krb5_digest digest" +.Fc +.Ft krb5_error_code +.Fo krb5_digest_set_identifier +.Fa "krb5_context context" +.Fa "krb5_digest digest" +.Fa "const char *id" +.Fc +.Ft krb5_error_code +.Fo krb5_digest_init_request +.Fa "krb5_context context" +.Fa "krb5_digest digest" +.Fa "krb5_realm realm" +.Fa "krb5_ccache ccache" +.Fc +.Ft krb5_error_code +.Fo krb5_digest_set_client_nonce +.Fa "krb5_context context" +.Fa "krb5_digest digest" +.Fa "const char *nonce" +.Fc +.Ft krb5_error_code +.Fo krb5_digest_set_digest +.Fa "krb5_context context" +.Fa "krb5_digest digest" +.Fa "const char *dgst" +.Fc +.Ft krb5_error_code +.Fo krb5_digest_set_username +.Fa "krb5_context context" +.Fa "krb5_digest digest" +.Fa "const char *username" +.Fc +.Ft krb5_error_code +.Fo krb5_digest_set_authid +.Fa "krb5_context context" +.Fa "krb5_digest digest" +.Fa "const char *authid" +.Fc +.Ft krb5_error_code +.Fo krb5_digest_set_authentication_user +.Fa "krb5_context context" +.Fa "krb5_digest digest" +.Fa "krb5_principal authentication_user" +.Fc +.Ft krb5_error_code +.Fo krb5_digest_set_realm +.Fa "krb5_context context" +.Fa "krb5_digest digest" +.Fa "const char *realm" +.Fc +.Ft krb5_error_code +.Fo krb5_digest_set_method +.Fa "krb5_context context" +.Fa "krb5_digest digest" +.Fa "const char *method" +.Fc +.Ft krb5_error_code +.Fo krb5_digest_set_uri +.Fa "krb5_context context" +.Fa "krb5_digest digest" +.Fa "const char *uri" +.Fc +.Ft krb5_error_code +.Fo krb5_digest_set_nonceCount +.Fa "krb5_context context" +.Fa "krb5_digest digest" +.Fa "const char *nonce_count" +.Fc +.Ft krb5_error_code +.Fo krb5_digest_set_qop +.Fa "krb5_context context" +.Fa "krb5_digest digest" +.Fa "const char *qop" +.Fc +.Ft krb5_error_code +.Fo krb5_digest_request +.Fa "krb5_context context" +.Fa "krb5_digest digest" +.Fa "krb5_realm realm" +.Fa "krb5_ccache ccache" +.Fc +.Ft "const char *" +.Fo krb5_digest_get_responseData +.Fa "krb5_context context" +.Fa "krb5_digest digest" +.Fc +.Ft "const char *" +.Fo krb5_digest_get_rsp +.Fa "krb5_context context" +.Fa "krb5_digest digest" +.Fc +.Ft krb5_error_code +.Fo krb5_digest_get_tickets +.Fa "krb5_context context" +.Fa "krb5_digest digest" +.Fa "Ticket **tickets" +.Fc +.Ft krb5_error_code +.Fo krb5_digest_get_client_binding +.Fa "krb5_context context" +.Fa "krb5_digest digest" +.Fa "char **type" +.Fa "char **binding" +.Fc +.Ft krb5_error_code +.Fo krb5_digest_get_a1_hash +.Fa "krb5_context context" +.Fa "krb5_digest digest" +.Fa "krb5_data *data" +.Fc +.Sh DESCRIPTION +The +.Fn krb5_digest_alloc +function allocatates the +.Fa digest +structure. The structure should be freed with +.Fn krb5_digest_free +when it is no longer being used. +.Pp +.Fn krb5_digest_alloc +returns 0 to indicate success. +Otherwise an kerberos code is returned and the pointer that +.Fa digest +points to is set to +.Dv NULL . +.Pp +.Fn krb5_digest_free +free the structure +.Fa digest . +.Sh SEE ALSO +.Xr krb5 3 , +.Xr kerberos 8 diff --git a/crypto/heimdal/lib/krb5/krb5_eai_to_heim_errno.3 b/crypto/heimdal/lib/krb5/krb5_eai_to_heim_errno.3 new file mode 100644 index 000000000000..fcada92bc94b --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_eai_to_heim_errno.3 @@ -0,0 +1,68 @@ +.\" Copyright (c) 2004 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_eai_to_heim_errno.3 14086 2004-08-03 11:13:46Z lha $ +.\" +.Dd April 13, 2004 +.Dt KRB5_EAI_TO_HEIM_ERRNO 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_eai_to_heim_errno , +.Nm krb5_h_errno_to_heim_errno +.Nd convert resolver error code to com_err error codes +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Ft krb5_error_code +.Fo krb5_eai_to_heim_errno +.Fa "int eai_errno" +.Fa "int system_error" +.Fc +.Ft krb5_error_code +.Fo krb5_h_errno_to_heim_errno +.Fa "int eai_errno" +.Fc +.Sh DESCRIPTION +.Fn krb5_eai_to_heim_errno +and +.Fn krb5_h_errno_to_heim_errno +convert +.Xr getaddrinfo 3 , +.Xr getnameinfo 3 , +and +.Xr h_errno 3 +to com_err error code that are used by Heimdal, this is useful for for +function returning kerberos errors and needs to communicate failures +from resolver function. +.Sh SEE ALSO +.Xr krb5 3 , +.Xr kerberos 8 diff --git a/crypto/heimdal/lib/krb5/krb5_encrypt.3 b/crypto/heimdal/lib/krb5/krb5_encrypt.3 index 84140bffc0ce..76cb4c700c1c 100644 --- a/crypto/heimdal/lib/krb5/krb5_encrypt.3 +++ b/crypto/heimdal/lib/krb5/krb5_encrypt.3 @@ -1,61 +1,192 @@ -.\" Copyright (c) 1999 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 1999 - 2004 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $Id: krb5_encrypt.3,v 1.7 2003/04/16 13:58:15 lha Exp $ +.\" $Id: krb5_encrypt.3 22071 2007-11-14 20:04:50Z lha $ .\" -.Dd April 7, 1999 +.Dd March 20, 2004 .Dt KRB5_ENCRYPT 3 .Os HEIMDAL .Sh NAME +.Nm krb5_crypto_getblocksize , +.Nm krb5_crypto_getconfoundersize +.Nm krb5_crypto_getenctype , +.Nm krb5_crypto_getpadsize , +.Nm krb5_crypto_overhead , .Nm krb5_decrypt , .Nm krb5_decrypt_EncryptedData , +.Nm krb5_decrypt_ivec , +.Nm krb5_decrypt_ticket , .Nm krb5_encrypt , -.Nm krb5_encrypt_EncryptedData -.Nd encrypt and decrypt data +.Nm krb5_encrypt_EncryptedData , +.Nm krb5_encrypt_ivec , +.Nm krb5_enctype_disable , +.Nm krb5_enctype_keysize , +.Nm krb5_enctype_to_string , +.Nm krb5_enctype_valid , +.Nm krb5_get_wrapped_length , +.Nm krb5_string_to_enctype +.Nd "encrypt and decrypt data, set and get encryption type parameters" .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) .Sh SYNOPSIS .In krb5.h .Ft krb5_error_code -.Fn krb5_encrypt "krb5_context context" "krb5_crypto crypto" "unsigned usage" "void *data" "size_t len" "krb5_data *result" +.Fo krb5_encrypt +.Fa "krb5_context context" +.Fa "krb5_crypto crypto" +.Fa "unsigned usage" +.Fa "void *data" +.Fa "size_t len" +.Fa "krb5_data *result" +.Fc .Ft krb5_error_code -.Fn krb5_encrypt_EncryptedData "krb5_context context" "krb5_crypto crypto" "unsigned usage" "void *data" "size_t len" "int kvno" "EncryptedData *result" +.Fo krb5_encrypt_EncryptedData +.Fa "krb5_context context" +.Fa "krb5_crypto crypto" +.Fa "unsigned usage" +.Fa "void *data" +.Fa "size_t len" +.Fa "int kvno" +.Fa "EncryptedData *result" +.Fc .Ft krb5_error_code -.Fn krb5_decrypt "krb5_context context" "krb5_crypto crypto" "unsigned usage" "void *data" "size_t len" "krb5_data *result" +.Fo krb5_encrypt_ivec +.Fa "krb5_context context" +.Fa "krb5_crypto crypto" +.Fa "unsigned usage" +.Fa "void *data" +.Fa "size_t len" +.Fa "krb5_data *result" +.Fa "void *ivec" +.Fc .Ft krb5_error_code -.Fn krb5_decrypt_EncryptedData "krb5_context context" "krb5_crypto crypto" "unsigned usage" "EncryptedData *e" "krb5_data *result" +.Fo krb5_decrypt +.Fa "krb5_context context" +.Fa "krb5_crypto crypto" +.Fa "unsigned usage" +.Fa "void *data" +.Fa "size_t len" +.Fa "krb5_data *result" +.Fc +.Ft krb5_error_code +.Fo krb5_decrypt_EncryptedData +.Fa "krb5_context context" +.Fa "krb5_crypto crypto" +.Fa "unsigned usage" +.Fa "EncryptedData *e" +.Fa "krb5_data *result" +.Fc +.Ft krb5_error_code +.Fo krb5_decrypt_ivec +.Fa "krb5_context context" +.Fa "krb5_crypto crypto" +.Fa "unsigned usage" +.Fa "void *data" +.Fa "size_t len" +.Fa "krb5_data *result" +.Fa "void *ivec" +.Fc +.Ft krb5_error_code +.Fo krb5_decrypt_ticket +.Fa "krb5_context context" +.Fa "Ticket *ticket" +.Fa "krb5_keyblock *key" +.Fa "EncTicketPart *out" +.Fa "krb5_flags flags" +.Fc +.Ft krb5_error_code +.Fo krb5_crypto_getblocksize +.Fa "krb5_context context" +.Fa "size_t *blocksize" +.Fc +.Ft krb5_error_code +.Fo krb5_crypto_getenctype +.Fa "krb5_context context" +.Fa "krb5_crypto crypto" +.Fa "krb5_enctype *enctype" +.Fc +.Ft krb5_error_code +.Fo krb5_crypto_getpadsize +.Fa "krb5_context context" +.Fa size_t *padsize" +.Fc +.Ft krb5_error_code +.Fo krb5_crypto_getconfoundersize +.Fa "krb5_context context" +.Fa "krb5_crypto crypto +.Fa size_t *confoundersize" +.Fc +.Ft krb5_error_code +.Fo krb5_enctype_keysize +.Fa "krb5_context context" +.Fa "krb5_enctype type" +.Fa "size_t *keysize" +.Fc +.Ft krb5_error_code +.Fo krb5_crypto_overhead +.Fa "krb5_context context" +.Fa size_t *padsize" +.Fc +.Ft krb5_error_code +.Fo krb5_string_to_enctype +.Fa "krb5_context context" +.Fa "const char *string" +.Fa "krb5_enctype *etype" +.Fc +.Ft krb5_error_code +.Fo krb5_enctype_to_string +.Fa "krb5_context context" +.Fa "krb5_enctype etype" +.Fa "char **string" +.Fc +.Ft krb5_error_code +.Fo krb5_enctype_valid +.Fa "krb5_context context" +.Fa "krb5_enctype etype" +.Fc +.Ft void +.Fo krb5_enctype_disable +.Fa "krb5_context context" +.Fa "krb5_enctype etype" +.Fc +.Ft size_t +.Fo krb5_get_wrapped_length +.Fa "krb5_context context" +.Fa "krb5_crypto crypto" +.Fa "size_t data_len" +.Fc .Sh DESCRIPTION These functions are used to encrypt and decrypt data. .Pp -.Fn krb5_encrypt +.Fn krb5_encrypt_ivec puts the encrypted version of .Fa data (of size @@ -65,6 +196,20 @@ in If the encryption type supports using derived keys, .Fa usage should be the appropriate key-usage. +.Fa ivec +is a pointer to a initial IV, it is modified to the end IV at the end of +the round. +Ivec should be the size of +If +.Dv NULL +is passed in, the default IV is used. +.Fn krb5_encrypt +does the same as +.Fn krb5_encrypt_ivec +but with +.Fa ivec +being +.Dv NULL . .Fn krb5_encrypt_EncryptedData does the same as .Fn krb5_encrypt , @@ -72,14 +217,60 @@ but it puts the encrypted data in a .Fa EncryptedData structure instead. If .Fa kvno -is not zero, it will be put in the -.Fa kvno field in the +is not zero, it will be put in the (optional) +.Fa kvno +field in the .Fa EncryptedData . .Pp +.Fn krb5_decrypt_ivec , .Fn krb5_decrypt , and .Fn krb5_decrypt_EncryptedData works similarly. +.Pp +.Fn krb5_decrypt_ticket +decrypts the encrypted part of +.Fa ticket +with +.Fa key . +.Fn krb5_decrypt_ticket +also verifies the timestamp in the ticket, invalid flag and if the KDC +haven't verified the transited path, the transit path. +.Pp +.Fn krb5_enctype_keysize , +.Fn krb5_crypto_getconfoundersize , +.Fn krb5_crypto_getblocksize , +.Fn krb5_crypto_getenctype , +.Fn krb5_crypto_getpadsize , +.Fn krb5_crypto_overhead +all returns various (sometimes) useful information from a crypto context. +.Fn krb5_crypto_overhead +is the combination of krb5_crypto_getconfoundersize, +krb5_crypto_getblocksize and krb5_crypto_getpadsize and return the +maximum overhead size. +.Pp +.Fn krb5_enctype_to_string +converts a encryption type number to a string that can be printable +and stored. The strings returned should be freed with +.Xr free 3 . +.Pp +.Fn krb5_string_to_enctype +converts a encryption type strings to a encryption type number that +can use used for other Kerberos crypto functions. +.Pp +.Fn krb5_enctype_valid +returns 0 if the encrypt is supported and not disabled, otherwise and +error code is returned. +.Pp +.Fn krb5_enctype_disable +(globally, for all contextes) disables the +.Fa enctype . +.Pp +.Fn krb5_get_wrapped_length +returns the size of an encrypted packet by +.Fa crypto +of length +.Fa data_len . .\" .Sh EXAMPLE .\" .Sh BUGS .Sh SEE ALSO diff --git a/crypto/heimdal/lib/krb5/krb5_err.et b/crypto/heimdal/lib/krb5/krb5_err.et index 34279239eaed..6714401e4503 100644 --- a/crypto/heimdal/lib/krb5/krb5_err.et +++ b/crypto/heimdal/lib/krb5/krb5_err.et @@ -3,7 +3,7 @@ # # This might look like a com_err file, but is not # -id "$Id: krb5_err.et,v 1.9 2000/04/06 00:41:37 assar Exp $" +id "$Id: krb5_err.et 21050 2007-06-12 02:00:40Z lha $" error_table krb5 @@ -35,8 +35,10 @@ error_code KEY_EXPIRED, "Password has expired" error_code PREAUTH_FAILED, "Preauthentication failed" error_code PREAUTH_REQUIRED, "Additional pre-authentication required" error_code SERVER_NOMATCH, "Requested server and ticket don't match" +error_code KDC_ERR_MUST_USE_USER2USER, "Server principal valid for user2user only" +error_code PATH_NOT_ACCEPTED, "KDC Policy rejects transited path" +error_code SVC_UNAVAILABLE, "A service is not available" -# 27-30 are reserved index 31 prefix KRB5KRB_AP error_code ERR_BAD_INTEGRITY, "Decrypt integrity check failed" @@ -70,28 +72,45 @@ error_code FIELD_TOOLONG, "Field is too long for this implementation" # pkinit index 62 -prefix KDC_ERROR +prefix KRB5_KDC_ERR error_code CLIENT_NOT_TRUSTED, "Client not trusted" error_code KDC_NOT_TRUSTED, "KDC not trusted" error_code INVALID_SIG, "Invalid signature" -error_code KEY_TOO_WEAK, "Key too weak" -error_code CERTIFICATE_MISMATCH, "Certificate mismatch" +error_code DH_KEY_PARAMETERS_NOT_ACCEPTED, "DH parameters not accepted" + +index 68 +prefix KRB5_KDC_ERR +error_code WRONG_REALM, "Wrong realm" + +index 69 prefix KRB5_AP_ERR error_code USER_TO_USER_REQUIRED, "User to user required" -prefix KDC_ERROR -error_code CANT_VERIFY_CERTIFICATE, "Cannot verify certificate" -error_code INVALID_CERTIFICATE, "Invalid certificate" -error_code REVOKED_CERTIFICATE, "Revoked certificate" -error_code REVOCATION_STATUS_UNKNOWN, "Revocation status unknown" -error_code REVOCATION_STATUS_UNAVAILABLE,"Revocation status unavailable" -error_code CLIENT_NAME_MISMATCH, "Client name mismatch" -error_code KDC_NAME_MISMATCH, "KDC name mismatch" -# 77-127 are reserved +index 70 +prefix KRB5_KDC_ERR +error_code CANT_VERIFY_CERTIFICATE, "Cannot verify certificate" +error_code INVALID_CERTIFICATE, "Certificate invalid" +error_code REVOKED_CERTIFICATE, "Certificate revoked" +error_code REVOCATION_STATUS_UNKNOWN, "Revocation status unknown" +error_code REVOCATION_STATUS_UNAVAILABLE, "Revocation status unavaible" +error_code CLIENT_NAME_MISMATCH, "Client name mismatch in certificate" +error_code INCONSISTENT_KEY_PURPOSE, "Inconsistent key purpose" +error_code DIGEST_IN_CERT_NOT_ACCEPTED, "Digest in certificate not accepted" +error_code PA_CHECKSUM_MUST_BE_INCLUDED, "paChecksum must be included" +error_code DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED, "Digest in signedData not accepted" +error_code PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED, "Public key encryption not supported" + +## these are never used +#index 80 +#prefix KRB5_IAKERB +#error_code ERR_KDC_NOT_FOUND, "IAKERB proxy could not find a KDC" +#error_code ERR_KDC_NO_RESPONSE, "IAKERB proxy never reeived a response from a KDC" + +# 82-127 are reserved index 128 prefix -error_code KRB5_ERR_RCSID, "$Id: krb5_err.et,v 1.9 2000/04/06 00:41:37 assar Exp $" +error_code KRB5_ERR_RCSID, "$Id: krb5_err.et 21050 2007-06-12 02:00:40Z lha $" error_code KRB5_LIBOS_BADLOCKFLAG, "Invalid flag for file lock mode" error_code KRB5_LIBOS_CANTREADPWD, "Cannot read password" @@ -186,6 +205,7 @@ error_code KRB5_FCC_INTERNAL, "Internal file credentials cache error" error_code KRB5_CC_WRITE, "Error writing to credentials cache file" error_code KRB5_CC_NOMEM, "No more memory to allocate (in credentials cache code)" error_code KRB5_CC_FORMAT, "Bad format in credentials cache" +error_code KRB5_CC_NOT_KTYPE, "No credentials found with supported encryption types" # errors for dual tgt library calls error_code KRB5_INVALID_FLAGS, "Invalid KDC option combination (library internal error)" @@ -230,6 +250,17 @@ error_code KRB5_GET_IN_TKT_LOOP, "Looping detected inside krb5_get_in_tkt" error_code KRB5_CONFIG_NODEFREALM, "Configuration file does not specify default realm" error_code KRB5_SAM_UNSUPPORTED, "Bad SAM flags in obtain_sam_padata" -error_code KRB5_KT_NAME_TOOLONG, "Keytab name too long" +error_code KRB5_SAM_INVALID_ETYPE, "Invalid encryption type in SAM challenge" +error_code KRB5_SAM_NO_CHECKSUM, "Missing checksum in SAM challenge" +error_code KRB5_SAM_BAD_CHECKSUM, "Bad checksum in SAM challenge" + +index 238 +error_code KRB5_OBSOLETE_FN, "Program called an obsolete, deleted function" + +index 245 +error_code KRB5_ERR_BAD_S2K_PARAMS, "Invalid key generation parameters from KDC" +error_code KRB5_ERR_NO_SERVICE, "Service not available" +error_code KRB5_CC_NOSUPP, "Credential cache function not supported" +error_code KRB5_DELTAT_BADFORMAT, "Invalid format of Kerberos lifetime or clock skew string" end diff --git a/crypto/heimdal/lib/krb5/krb5_expand_hostname.3 b/crypto/heimdal/lib/krb5/krb5_expand_hostname.3 new file mode 100644 index 000000000000..ffd98dad1688 --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_expand_hostname.3 @@ -0,0 +1,93 @@ +.\" Copyright (c) 2004 - 2006 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_expand_hostname.3 17461 2006-05-05 13:13:18Z lha $ +.\" +.Dd May 5, 2006 +.Dt KRB5_EXPAND_HOSTNAME 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_expand_hostname , +.Nm krb5_expand_hostname_realms +.Nd Kerberos 5 host name canonicalization functions +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Pp +.Ft krb5_error_code +.Fo krb5_expand_hostname +.Fa "krb5_context context" +.Fa "const char *orig_hostname" +.Fa "char **new_hostname" +.Fc +.Ft krb5_error_code +.Fo krb5_expand_hostname_realms +.Fa "krb5_context context" +.Fa "const char *orig_hostname" +.Fa "char **new_hostname" +.Fa "char ***realms" +.Fc +.Sh DESCRIPTION +.Fn krb5_expand_hostname +tries to make +.Fa orig_hostname +into a more canonical one in the newly allocated space returned in +.Fa new_hostname . +Caller must free the hostname with +.Xr free 3 . +.Pp +.Fn krb5_expand_hostname_realms +expands +.Fa orig_hostname +to a name we believe to be a hostname in newly +allocated space in +.Fa new_hostname +and return the realms +.Fa new_hostname +is belive to belong to in +.Fa realms . +.Fa Realms +is a array terminated with +.Dv NULL . +Caller must free the +.Fa realms +with +.Fn krb5_free_host_realm +and +.Fa new_hostname +with +.Xr free 3 . +.Sh SEE ALSO +.Xr krb5 3 , +.Xr krb5_free_host_realm 3 , +.Xr krb5_get_host_realm 3 , +.Xr kerberos 8 diff --git a/crypto/heimdal/lib/krb5/krb5_find_padata.3 b/crypto/heimdal/lib/krb5/krb5_find_padata.3 new file mode 100644 index 000000000000..b72678493152 --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_find_padata.3 @@ -0,0 +1,87 @@ +.\" Copyright (c) 2004 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_find_padata.3 13595 2004-03-21 13:17:41Z lha $ +.\" +.Dd March 21, 2004 +.Dt KRB5_FIND_PADATA 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_find_padata , +.Nm krb5_padata_add +.Nd Kerberos 5 pre-authentication data handling functions +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Pp +.Ft "PA_DATA *" +.Fo krb5_find_padata +.Fa "PA_DATA *val" +.Fa "unsigned len" +.Fa "int type" +.Fa "int *index" +.Fc +.Ft int +.Fo krb5_padata_add +.Fa "krb5_context context" +.Fa "METHOD_DATA *md" +.Fa "int type" +.Fa "void *buf" +.Fa "size_t len" +.Fc +.Sh DESCRIPTION +.Fn krb5_find_padata +tries to find the pre-authentication data entry of type +.Fa type +in the array +.Fa val +of length +.Fa len . +The search is started at entry pointed out by +.Fa *index +(zero based indexing). +If the type isn't found, +.Dv NULL +is returned. +.Pp +.Fn krb5_padata_add +adds a pre-authentication data entry of type +.Fa type +pointed out by +.Fa buf +and +.Fa len +to +.Fa md . +.Sh SEE ALSO +.Xr krb5 3 , +.Xr kerberos 8 diff --git a/crypto/heimdal/lib/krb5/krb5_generate_random_block.3 b/crypto/heimdal/lib/krb5/krb5_generate_random_block.3 new file mode 100644 index 000000000000..4b46954fa90a --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_generate_random_block.3 @@ -0,0 +1,57 @@ +.\" Copyright (c) 2004 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_generate_random_block.3 17385 2006-05-01 08:48:55Z lha $ +.\" +.Dd March 21, 2004 +.Dt KRB5_GENERATE_RANDOM_BLOCK 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_generate_random_block +.Nd Kerberos 5 random functions +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Ft void +.Fo krb5_generate_random_block +.Fa "void *buf" +.Fa "size_t len" +.Fc +.Sh DESCRIPTION +.Fn krb5_generate_random_block +generates a cryptographically strong pseudo-random block into the buffer +.Fa buf +of length +.Fa len . +.Sh SEE ALSO +.Xr krb5 3 , +.Xr krb5.conf 5 diff --git a/crypto/heimdal/lib/krb5/krb5_get_all_client_addrs.3 b/crypto/heimdal/lib/krb5/krb5_get_all_client_addrs.3 index 0aef63e3186b..f6f4c85c97aa 100644 --- a/crypto/heimdal/lib/krb5/krb5_get_all_client_addrs.3 +++ b/crypto/heimdal/lib/krb5/krb5_get_all_client_addrs.3 @@ -1,38 +1,39 @@ .\" Copyright (c) 2001 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $Id: krb5_get_all_client_addrs.3,v 1.6 2003/04/16 13:58:16 lha Exp $ +.\" $Id: krb5_get_all_client_addrs.3 12329 2003-05-26 14:09:04Z lha $ .\" .Dd July 1, 2001 .Dt KRB5_GET_ADDRS 3 +.Os HEIMDAL .Sh NAME .Nm krb5_get_all_client_addrs , .Nm krb5_get_all_server_addrs diff --git a/crypto/heimdal/lib/krb5/krb5_get_credentials.3 b/crypto/heimdal/lib/krb5/krb5_get_credentials.3 new file mode 100644 index 000000000000..32e0ffe1eef3 --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_get_credentials.3 @@ -0,0 +1,208 @@ +.\" Copyright (c) 2004 - 2005 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_get_credentials.3 22071 2007-11-14 20:04:50Z lha $ +.\" +.Dd July 26, 2004 +.Dt KRB5_GET_CREDENTIALS 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_get_credentials , +.Nm krb5_get_credentials_with_flags , +.Nm krb5_get_cred_from_kdc , +.Nm krb5_get_cred_from_kdc_opt , +.Nm krb5_get_kdc_cred , +.Nm krb5_get_renewed_creds +.Nd get credentials from the KDC using krbtgt +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Ft krb5_error_code +.Fo krb5_get_credentials +.Fa "krb5_context context" +.Fa "krb5_flags options" +.Fa "krb5_ccache ccache" +.Fa "krb5_creds *in_creds" +.Fa "krb5_creds **out_creds" +.Fc +.Ft krb5_error_code +.Fo krb5_get_credentials_with_flags +.Fa "krb5_context context" +.Fa "krb5_flags options" +.Fa "krb5_kdc_flags flags" +.Fa "krb5_ccache ccache" +.Fa "krb5_creds *in_creds" +.Fa "krb5_creds **out_creds" +.Fc +.Ft krb5_error_code +.Fo krb5_get_cred_from_kdc +.Fa "krb5_context context" +.Fa "krb5_ccache ccache" +.Fa "krb5_creds *in_creds" +.Fa "krb5_creds **out_creds" +.Fa "krb5_creds ***ret_tgts" +.Fc +.Ft krb5_error_code +.Fo krb5_get_cred_from_kdc_opt +.Fa "krb5_context context" +.Fa "krb5_ccache ccache" +.Fa "krb5_creds *in_creds" +.Fa "krb5_creds **out_creds" +.Fa "krb5_creds ***ret_tgts" +.Fa "krb5_flags flags" +.Fc +.Ft krb5_error_code +.Fo krb5_get_kdc_cred +.Fa "krb5_context context" +.Fa "krb5_ccache id" +.Fa "krb5_kdc_flags flags" +.Fa "krb5_addresses *addresses" +.Fa "Ticket *second_ticket" +.Fa "krb5_creds *in_creds" +.Fa "krb5_creds **out_creds" +.Fc +.Ft krb5_error_code +.Fo krb5_get_renewed_creds +.Fa "krb5_context context" +.Fa "krb5_creds *creds" +.Fa "krb5_const_principal client" +.Fa "krb5_ccache ccache" +.Fa "const char *in_tkt_service" +.Fc +.Sh DESCRIPTION +.Fn krb5_get_credentials_with_flags +get credentials specified by +.Fa in_creds->server +and +.Fa in_creds->client +(the rest of the +.Fa in_creds +structure is ignored) +by first looking in the +.Fa ccache +and if doesn't exists or is expired, fetch the credential from the KDC +using the krbtgt in +.Fa ccache . +The credential is returned in +.Fa out_creds +and should be freed using the function +.Fn krb5_free_creds . +.Pp +Valid flags to pass into +.Fa options +argument are: +.Pp +.Bl -tag -width "KRB5_GC_USER_USER" -compact +.It KRB5_GC_CACHED +Only check the +.Fa ccache , +don't got out on network to fetch credential. +.It KRB5_GC_USER_USER +Request a user to user ticket. +This option doesn't store the resulting user to user credential in +the +.Fa ccache . +.It KRB5_GC_EXPIRED_OK +returns the credential even if it is expired, default behavior is trying +to refetch the credential from the KDC. +.El +.Pp +.Fa Flags +are KDCOptions, note the caller must fill in the bit-field and not +use the integer associated structure. +.Pp +.Fn krb5_get_credentials +works the same way as +.Fn krb5_get_credentials_with_flags +except that the +.Fa flags +field is missing. +.Pp +.Fn krb5_get_cred_from_kdc +and +.Fn krb5_get_cred_from_kdc_opt +fetches the credential from the KDC very much like +.Fn krb5_get_credentials, but doesn't look in the +.Fa ccache +if the credential exists there first. +.Pp +.Fn krb5_get_kdc_cred +does the same as the functions above, but the caller must fill in all +the information andits closer to the wire protocol. +.Pp +.Fn krb5_get_renewed_creds +renews a credential given by +.Fa in_tkt_service +(if +.Dv NULL +the default +.Li krbtgt ) +using the credential cache +.Fa ccache . +The result is stored in +.Fa creds +and should be freed using +.Fa krb5_free_creds . +.Sh EXAMPLES +Here is a example function that get a credential from a credential cache +.Fa id +or the KDC and returns it to the caller. +.Bd -literal +#include <krb5.h> + +int +getcred(krb5_context context, krb5_ccache id, krb5_creds **creds) +{ + krb5_error_code ret; + krb5_creds in; + + ret = krb5_parse_name(context, "client@EXAMPLE.COM", + &in.client); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + + ret = krb5_parse_name(context, "host/server.example.com@EXAMPLE.COM", + &in.server); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + + ret = krb5_get_credentials(context, 0, id, &in, creds); + if (ret) + krb5_err(context, 1, ret, "krb5_get_credentials"); + + return 0; +} +.Ed +.Sh SEE ALSO +.Xr krb5 3 , +.Xr krb5_get_forwarded_creds 3 , +.Xr krb5.conf 5 diff --git a/crypto/heimdal/lib/krb5/krb5_get_creds.3 b/crypto/heimdal/lib/krb5/krb5_get_creds.3 new file mode 100644 index 000000000000..189c93f408da --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_get_creds.3 @@ -0,0 +1,173 @@ +.\" Copyright (c) 2006 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_get_creds.3 22071 2007-11-14 20:04:50Z lha $ +.\" +.Dd June 15, 2006 +.Dt KRB5_GET_CREDS 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_get_creds , +.Nm krb5_get_creds_opt_add_options , +.Nm krb5_get_creds_opt_alloc , +.Nm krb5_get_creds_opt_free , +.Nm krb5_get_creds_opt_set_enctype , +.Nm krb5_get_creds_opt_set_impersonate , +.Nm krb5_get_creds_opt_set_options , +.Nm krb5_get_creds_opt_set_ticket +.Nd get credentials from the KDC +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Ft krb5_error_code +.Fo krb5_get_creds +.Fa "krb5_context context" +.Fa "krb5_get_creds_opt opt" +.Fa "krb5_ccache ccache" +.Fa "krb5_const_principal inprinc" +.Fa "krb5_creds **out_creds" +.Fc +.Ft void +.Fo krb5_get_creds_opt_add_options +.Fa "krb5_context context" +.Fa "krb5_get_creds_opt opt" +.Fa "krb5_flags options" +.Fc +.Ft krb5_error_code +.Fo krb5_get_creds_opt_alloc +.Fa "krb5_context context" +.Fa "krb5_get_creds_opt *opt" +.Fc +.Ft void +.Fo krb5_get_creds_opt_free +.Fa "krb5_context context" +.Fa "krb5_get_creds_opt opt" +.Fc +.Ft void +.Fo krb5_get_creds_opt_set_enctype +.Fa "krb5_context context" +.Fa "krb5_get_creds_opt opt" +.Fa "krb5_enctype enctype" +.Fc +.Ft krb5_error_code +.Fo krb5_get_creds_opt_set_impersonate +.Fa "krb5_context context" +.Fa "krb5_get_creds_opt opt" +.Fa "krb5_const_principal self" +.Fc +.Ft void +.Fo krb5_get_creds_opt_set_options +.Fa "krb5_context context" +.Fa "krb5_get_creds_opt opt" +.Fa "krb5_flags options" +.Fc +.Ft krb5_error_code +.Fo krb5_get_creds_opt_set_ticket +.Fa "krb5_context context" +.Fa "krb5_get_creds_opt opt" +.Fa "const Ticket *ticket" +.Fc +.Sh DESCRIPTION +.Fn krb5_get_creds +fetches credentials specified by +.Fa opt +by first looking in the +.Fa ccache , +and then it doesn't exists, fetch the credential from the KDC +using the krbtgts in +.Fa ccache . +The credential is returned in +.Fa out_creds +and should be freed using the function +.Fn krb5_free_creds . +.Pp +The structure +.Li krb5_get_creds_opt +controls the behavior of +.Fn krb5_get_creds . +The structure is opaque to consumers that can set the content of the +structure with accessors functions. All accessor functions make copies +of the data that is passed into accessor functions, so external +consumers free the memory before calling +.Fn krb5_get_creds . +.Pp +The structure +.Li krb5_get_creds_opt +is allocated with +.Fn krb5_get_creds_opt_alloc +and freed with +.Fn krb5_get_creds_opt_free . +The free function also frees the content of the structure set by the +accessor functions. +.Pp +.Fn krb5_get_creds_opt_add_options +and +.Fn krb5_get_creds_opt_set_options +adds and sets options to the +.Fi krb5_get_creds_opt +structure . +The possible options to set are +.Bl -tag -width "KRB5_GC_USER_USER" -compact +.It KRB5_GC_CACHED +Only check the +.Fa ccache , +don't got out on network to fetch credential. +.It KRB5_GC_USER_USER +request a user to user ticket. +This options doesn't store the resulting user to user credential in +the +.Fa ccache . +.It KRB5_GC_EXPIRED_OK +returns the credential even if it is expired, default behavior is trying +to refetch the credential from the KDC. +.It KRB5_GC_NO_STORE +Do not store the resulting credentials in the +.Fa ccache . +.El +.Pp +.Fn krb5_get_creds_opt_set_enctype +sets the preferred encryption type of the application. Don't set this +unless you have to since if there is no match in the KDC, the function +call will fail. +.Pp +.Fn krb5_get_creds_opt_set_impersonate +sets the principal to impersonate., Returns a ticket that have the +impersonation principal as a client and the requestor as the +service. Note that the requested principal have to be the same as the +client principal in the krbtgt. +.Pp +.Fn krb5_get_creds_opt_set_ticket +sets the extra ticket used in user-to-user or contrained delegation use case. +.Sh SEE ALSO +.Xr krb5 3 , +.Xr krb5_get_credentials 3 , +.Xr krb5.conf 5 diff --git a/crypto/heimdal/lib/krb5/krb5_get_forwarded_creds.3 b/crypto/heimdal/lib/krb5/krb5_get_forwarded_creds.3 new file mode 100644 index 000000000000..bbe46ec44784 --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_get_forwarded_creds.3 @@ -0,0 +1,79 @@ +.\" Copyright (c) 2004 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_get_forwarded_creds.3 14068 2004-07-26 13:34:33Z lha $ +.\" +.Dd July 26, 2004 +.Dt KRB5_GET_FORWARDED_CREDS 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_get_forwarded_creds , +.Nm krb5_fwd_tgt_creds +.Nd get forwarded credentials from the KDC +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Ft krb5_error_code +.Fo krb5_get_forwarded_creds +.Fa "krb5_context context" +.Fa "krb5_auth_context auth_context" +.Fa "krb5_ccache ccache" +.Fa "krb5_flags flags" +.Fa "const char *hostname" +.Fa "krb5_creds *in_creds" +.Fa "krb5_data *out_data" +.Fc +.Ft krb5_error_code +.Fo krb5_fwd_tgt_creds +.Fa "krb5_context context" +.Fa "krb5_auth_context auth_context" +.Fa "const char *hostname" +.Fa "krb5_principal client" +.Fa "krb5_principal server" +.Fa "krb5_ccache ccache" +.Fa "int forwardable" +.Fa "krb5_data *out_data" +.Fc +.Sh DESCRIPTION +.Fn krb5_get_forwarded_creds +and +.Fn krb5_fwd_tgt_creds +get tickets forwarded to +.Fa hostname. +If the tickets that are forwarded are address-less, the forwarded +tickets will also be address-less, otherwise +.Fa hostname +will be used for figure out the address to forward the ticket too. +.Sh SEE ALSO +.Xr krb5 3 , +.Xr krb5_get_credentials 3 , +.Xr krb5.conf 5 diff --git a/crypto/heimdal/lib/krb5/krb5_get_in_cred.3 b/crypto/heimdal/lib/krb5/krb5_get_in_cred.3 new file mode 100644 index 000000000000..290e3c5c694d --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_get_in_cred.3 @@ -0,0 +1,274 @@ +.\" Copyright (c) 2003 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_get_in_cred.3 17593 2006-05-29 14:55:18Z lha $ +.\" +.Dd May 31, 2003 +.Dt KRB5_GET_IN_TKT 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_get_in_tkt , +.Nm krb5_get_in_cred , +.Nm krb5_get_in_tkt_with_password , +.Nm krb5_get_in_tkt_with_keytab , +.Nm krb5_get_in_tkt_with_skey , +.Nm krb5_free_kdc_rep , +.Nm krb5_password_key_proc +.Nd deprecated initial authentication functions +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Pp +.Ft krb5_error_code +.Fo krb5_get_in_tkt +.Fa "krb5_context context" +.Fa "krb5_flags options" +.Fa "const krb5_addresses *addrs" +.Fa "const krb5_enctype *etypes" +.Fa "const krb5_preauthtype *ptypes" +.Fa "krb5_key_proc key_proc" +.Fa "krb5_const_pointer keyseed" +.Fa "krb5_decrypt_proc decrypt_proc" +.Fa "krb5_const_pointer decryptarg" +.Fa "krb5_creds *creds" +.Fa "krb5_ccache ccache" +.Fa "krb5_kdc_rep *ret_as_reply" +.Fc +.Ft krb5_error_code +.Fo krb5_get_in_cred +.Fa "krb5_context context" +.Fa "krb5_flags options" +.Fa "const krb5_addresses *addrs" +.Fa "const krb5_enctype *etypes" +.Fa "const krb5_preauthtype *ptypes" +.Fa "const krb5_preauthdata *preauth" +.Fa "krb5_key_proc key_proc" +.Fa "krb5_const_pointer keyseed" +.Fa "krb5_decrypt_proc decrypt_proc" +.Fa "krb5_const_pointer decryptarg" +.Fa "krb5_creds *creds" +.Fa "krb5_kdc_rep *ret_as_reply" +.Fc +.Ft krb5_error_code +.Fo krb5_get_in_tkt_with_password +.Fa "krb5_context context" +.Fa "krb5_flags options" +.Fa "krb5_addresses *addrs" +.Fa "const krb5_enctype *etypes" +.Fa "const krb5_preauthtype *pre_auth_types" +.Fa "const char *password" +.Fa "krb5_ccache ccache" +.Fa "krb5_creds *creds" +.Fa "krb5_kdc_rep *ret_as_reply" +.Fc +.Ft krb5_error_code +.Fo krb5_get_in_tkt_with_keytab +.Fa "krb5_context context" +.Fa "krb5_flags options" +.Fa "krb5_addresses *addrs" +.Fa "const krb5_enctype *etypes" +.Fa "const krb5_preauthtype *pre_auth_types" +.Fa "krb5_keytab keytab" +.Fa "krb5_ccache ccache" +.Fa "krb5_creds *creds" +.Fa "krb5_kdc_rep *ret_as_reply" +.Fc +.Ft krb5_error_code +.Fo krb5_get_in_tkt_with_skey +.Fa "krb5_context context" +.Fa "krb5_flags options" +.Fa "krb5_addresses *addrs" +.Fa "const krb5_enctype *etypes" +.Fa "const krb5_preauthtype *pre_auth_types" +.Fa "const krb5_keyblock *key" +.Fa "krb5_ccache ccache" +.Fa "krb5_creds *creds" +.Fa "krb5_kdc_rep *ret_as_reply" +.Fc +.Ft krb5_error_code +.Fo krb5_free_kdc_rep +.Fa "krb5_context context" +.Fa "krb5_kdc_rep *rep" +.Fc +.Ft krb5_error_code +.Fo krb5_password_key_proc +.Fa "krb5_context context" +.Fa "krb5_enctype type" +.Fa "krb5_salt salt" +.Fa "krb5_const_pointer keyseed" +.Fa "krb5_keyblock **key" +.Fc +.Sh DESCRIPTION +.Bf Em +All the functions in this manual page are deprecated in the MIT +implementation, and will soon be deprecated in Heimdal too, don't use them. +.Ef +.Pp +Getting initial credential ticket for a principal. +.Nm krb5_get_in_cred +is the function all other krb5_get_in function uses to fetch tickets. +The other krb5_get_in function are more specialized and therefor +somewhat easier to use. +.Pp +If your need is only to verify a user and password, consider using +.Xr krb5_verify_user 3 +instead, it have a much simpler interface. +.Pp +.Nm krb5_get_in_tkt +and +.Nm krb5_get_in_cred +fetches initial credential, queries after key using the +.Fa key_proc +argument. +The differences between the two function is that +.Nm krb5_get_in_tkt +stores the credential in a +.Li krb5_creds +while +.Nm krb5_get_in_cred +stores the credential in a +.Li krb5_ccache . +.Pp +.Nm krb5_get_in_tkt_with_password , +.Nm krb5_get_in_tkt_with_keytab , +and +.Nm krb5_get_in_tkt_with_skey +does the same work as +.Nm krb5_get_in_cred +but are more specialized. +.Pp +.Nm krb5_get_in_tkt_with_password +uses the clients password to authenticate. +If the password argument is +.DV NULL +the user user queried with the default password query function. +.Pp +.Nm krb5_get_in_tkt_with_keytab +searches the given keytab for a service entry for the client principal. +If the keytab is +.Dv NULL +the default keytab is used. +.Pp +.Nm krb5_get_in_tkt_with_skey +uses a key to get the initial credential. +.Pp +There are some common arguments to the krb5_get_in functions, these are: +.Pp +.Fa options +are the +.Dv KDC_OPT +flags. +.Pp +.Fa etypes +is a +.Dv NULL +terminated array of encryption types that the client approves. +.Pp +.Fa addrs +a list of the addresses that the initial ticket. +If it is +.Dv NULL +the list will be generated by the library. +.Pp +.Fa pre_auth_types +a +.Dv NULL +terminated array of pre-authentication types. +If +.Fa pre_auth_types +is +.Dv NULL +the function will try without pre-authentication and return those +pre-authentication that the KDC returned. +.Pp +.Fa ret_as_reply +will (if not +.Dv NULL ) +be filled in with the response of the KDC and should be free with +.Fn krb5_free_kdc_rep . +.Pp +.Fa key_proc +is a pointer to a function that should return a key salted appropriately. +Using +.Dv NULL +will use the default password query function. +.Pp +.Fa decrypt_proc +Using +.Dv NULL +will use the default decryption function. +.Pp +.Fa decryptarg +will be passed to the decryption function +.Fa decrypt_proc . +.Pp +.Fa creds +creds should be filled in with the template for a credential that +should be requested. +The client and server elements of the creds structure must be filled in. +Upon return of the function it will be contain the content of the +requested credential +.Fa ( krb5_get_in_cred ) , +or it will be freed with +.Xr krb5_free_creds 3 +(all the other krb5_get_in functions). +.Pp +.Fa ccache +will store the credential in the credential cache +.Fa ccache . +The credential cache will not be initialized, thats up the the caller. +.Pp +.Nm krb5_password_key_proc +is a library function that is suitable using as the +.Fa krb5_key_proc +argument to +.Nm krb5_get_in_cred +or +.Nm krb5_get_in_tkt . +.Fa keyseed +should be a pointer to a +.Dv NUL +terminated string or +.Dv NULL . +.Nm krb5_password_key_proc +will query the user for the pass on the console if the password isn't +given as the argument +.Fa keyseed . +.Pp +.Fn krb5_free_kdc_rep +frees the content of +.Fa rep . +.Sh SEE ALSO +.Xr krb5 3 , +.Xr krb5_verify_user 3 , +.Xr krb5.conf 5 , +.Xr kerberos 8 diff --git a/crypto/heimdal/lib/krb5/krb5_get_init_creds.3 b/crypto/heimdal/lib/krb5/krb5_get_init_creds.3 new file mode 100644 index 000000000000..3838c1449a57 --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_get_init_creds.3 @@ -0,0 +1,398 @@ +.\" Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_get_init_creds.3 20266 2007-02-18 10:41:10Z lha $ +.\" +.Dd Sep 16, 2006 +.Dt KRB5_GET_INIT_CREDS 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_get_init_creds , +.Nm krb5_get_init_creds_keytab , +.Nm krb5_get_init_creds_opt , +.Nm krb5_get_init_creds_opt_alloc , +.Nm krb5_get_init_creds_opt_free , +.Nm krb5_get_init_creds_opt_init , +.Nm krb5_get_init_creds_opt_set_address_list , +.Nm krb5_get_init_creds_opt_set_addressless , +.Nm krb5_get_init_creds_opt_set_anonymous , +.Nm krb5_get_init_creds_opt_set_default_flags , +.Nm krb5_get_init_creds_opt_set_etype_list , +.Nm krb5_get_init_creds_opt_set_forwardable , +.Nm krb5_get_init_creds_opt_set_pa_password , +.Nm krb5_get_init_creds_opt_set_paq_request , +.Nm krb5_get_init_creds_opt_set_preauth_list , +.Nm krb5_get_init_creds_opt_set_proxiable , +.Nm krb5_get_init_creds_opt_set_renew_life , +.Nm krb5_get_init_creds_opt_set_salt , +.Nm krb5_get_init_creds_opt_set_tkt_life , +.Nm krb5_get_init_creds_opt_set_canonicalize , +.Nm krb5_get_init_creds_opt_set_win2k , +.Nm krb5_get_init_creds_password , +.Nm krb5_prompt , +.Nm krb5_prompter_posix +.Nd Kerberos 5 initial authentication functions +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Pp +.Ft krb5_get_init_creds_opt; +.Pp +.Ft krb5_error_code +.Fo krb5_get_init_creds_opt_alloc +.Fa "krb5_context context" +.Fa "krb5_get_init_creds_opt **opt" +.Fc +.Ft void +.Fo krb5_get_init_creds_opt_free +.Fa "krb5_context context" +.Fa "krb5_get_init_creds_opt *opt" +.Fc +.Ft void +.Fo krb5_get_init_creds_opt_init +.Fa "krb5_get_init_creds_opt *opt" +.Fc +.Ft void +.Fo krb5_get_init_creds_opt_set_address_list +.Fa "krb5_get_init_creds_opt *opt" +.Fa "krb5_addresses *addresses" +.Fc +.Ft void +.Fo krb5_get_init_creds_opt_set_addressless +.Fa "krb5_get_init_creds_opt *opt" +.Fa "krb5_boolean addressless" +.Fc +.Ft void +.Fo krb5_get_init_creds_opt_set_anonymous +.Fa "krb5_get_init_creds_opt *opt" +.Fa "int anonymous" +.Fc +.Ft void +.Fo krb5_get_init_creds_opt_set_default_flags +.Fa "krb5_context context" +.Fa "const char *appname" +.Fa "krb5_const_realm realm" +.Fa "krb5_get_init_creds_opt *opt" +.Fc +.Ft void +.Fo krb5_get_init_creds_opt_set_etype_list +.Fa "krb5_get_init_creds_opt *opt" +.Fa "krb5_enctype *etype_list" +.Fa "int etype_list_length" +.Fc +.Ft void +.Fo krb5_get_init_creds_opt_set_forwardable +.Fa "krb5_get_init_creds_opt *opt" +.Fa "int forwardable" +.Fc +.Ft krb5_error_code +.Fo krb5_get_init_creds_opt_set_pa_password +.Fa "krb5_context context" +.Fa "krb5_get_init_creds_opt *opt" +.Fa "const char *password" +.Fa "krb5_s2k_proc key_proc" +.Fc +.Ft krb5_error_code +.Fo krb5_get_init_creds_opt_set_paq_request +.Fa "krb5_context context" +.Fa "krb5_get_init_creds_opt *opt" +.Fa "krb5_boolean req_pac" +.Fc +.Ft krb5_error_code +.Fo krb5_get_init_creds_opt_set_pkinit +.Fa "krb5_context context" +.Fa "krb5_get_init_creds_opt *opt" +.Fa "const char *cert_file" +.Fa "const char *key_file" +.Fa "const char *x509_anchors" +.Fa "int flags" +.Fa "char *password" +.Fc +.Ft void +.Fo krb5_get_init_creds_opt_set_preauth_list +.Fa "krb5_get_init_creds_opt *opt" +.Fa "krb5_preauthtype *preauth_list" +.Fa "int preauth_list_length" +.Fc +.Ft void +.Fo krb5_get_init_creds_opt_set_proxiable +.Fa "krb5_get_init_creds_opt *opt" +.Fa "int proxiable" +.Fc +.Ft void +.Fo krb5_get_init_creds_opt_set_renew_life +.Fa "krb5_get_init_creds_opt *opt" +.Fa "krb5_deltat renew_life" +.Fc +.Ft void +.Fo krb5_get_init_creds_opt_set_salt +.Fa "krb5_get_init_creds_opt *opt" +.Fa "krb5_data *salt" +.Fc +.Ft void +.Fo krb5_get_init_creds_opt_set_tkt_life +.Fa "krb5_get_init_creds_opt *opt" +.Fa "krb5_deltat tkt_life" +.Fc +.Ft krb5_error_code +.Fo krb5_get_init_creds_opt_set_canonicalize +.Fa "krb5_context context" +.Fa "krb5_get_init_creds_opt *opt" +.Fa "krb5_boolean req" +.Fc +.Ft krb5_error_code +.Fo krb5_get_init_creds_opt_set_win2k +.Fa "krb5_context context" +.Fa "krb5_get_init_creds_opt *opt" +.Fa "krb5_boolean req" +.Fc +.Ft krb5_error_code +.Fo krb5_get_init_creds +.Fa "krb5_context context" +.Fa "krb5_creds *creds" +.Fa "krb5_principal client" +.Fa "krb5_prompter_fct prompter" +.Fa "void *prompter_data" +.Fa "krb5_deltat start_time" +.Fa "const char *in_tkt_service" +.Fa "krb5_get_init_creds_opt *options" +.Fc +.Ft krb5_error_code +.Fo krb5_get_init_creds_password +.Fa "krb5_context context" +.Fa "krb5_creds *creds" +.Fa "krb5_principal client" +.Fa "const char *password" +.Fa "krb5_prompter_fct prompter" +.Fa "void *prompter_data" +.Fa "krb5_deltat start_time" +.Fa "const char *in_tkt_service" +.Fa "krb5_get_init_creds_opt *in_options" +.Fc +.Ft krb5_error_code +.Fo krb5_get_init_creds_keytab +.Fa "krb5_context context" +.Fa "krb5_creds *creds" +.Fa "krb5_principal client" +.Fa "krb5_keytab keytab" +.Fa "krb5_deltat start_time" +.Fa "const char *in_tkt_service" +.Fa "krb5_get_init_creds_opt *options" +.Fc +.Ft int +.Fo krb5_prompter_posix +.Fa "krb5_context context" +.Fa "void *data" +.Fa "const char *name" +.Fa "const char *banner" +.Fa "int num_prompts" +.Fa "krb5_prompt prompts[]" +.Fc +.Sh DESCRIPTION +Getting initial credential ticket for a principal. +That may include changing an expired password, and doing preauthentication. +This interface that replaces the deprecated +.Fa krb5_in_tkt +and +.Fa krb5_in_cred +functions. +.Pp +If you only want to verify a username and password, consider using +.Xr krb5_verify_user 3 +instead, since it also verifies that initial credentials with using a +keytab to make sure the response was from the KDC. +.Pp +First a +.Li krb5_get_init_creds_opt +structure is initialized +with +.Fn krb5_get_init_creds_opt_alloc +or +.Fn krb5_get_init_creds_opt_init . +.Fn krb5_get_init_creds_opt_alloc +allocates a extendible structures that needs to be freed with +.Fn krb5_get_init_creds_opt_free . +The structure may be modified by any of the +.Fn krb5_get_init_creds_opt_set +functions to change request parameters and authentication information. +.Pp +If the caller want to use the default options, +.Dv NULL +can be passed instead. +.Pp +The the actual request to the KDC is done by any of the +.Fn krb5_get_init_creds , +.Fn krb5_get_init_creds_password , +or +.Fn krb5_get_init_creds_keytab +functions. +.Fn krb5_get_init_creds +is the least specialized function and can, with the right in data, +behave like the latter two. +The latter two are there for compatibility with older releases and +they are slightly easier to use. +.Pp +.Li krb5_prompt +is a structure containing the following elements: +.Bd -literal +typedef struct { + const char *prompt; + int hidden; + krb5_data *reply; + krb5_prompt_type type +} krb5_prompt; +.Ed +.Pp +.Fa prompt +is the prompt that should shown to the user +If +.Fa hidden +is set, the prompter function shouldn't echo the output to the display +device. +.Fa reply +must be preallocated; it will not be allocated by the prompter +function. +Possible values for the +.Fa type +element are: +.Pp +.Bl -tag -width Ds -compact -offset indent +.It KRB5_PROMPT_TYPE_PASSWORD +.It KRB5_PROMPT_TYPE_NEW_PASSWORD +.It KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN +.It KRB5_PROMPT_TYPE_PREAUTH +.It KRB5_PROMPT_TYPE_INFO +.El +.Pp +.Fn krb5_prompter_posix +is the default prompter function in a POSIX environment. +It matches the +.Fa krb5_prompter_fct +and can be used in the +.Fa krb5_get_init_creds +functions. +.Fn krb5_prompter_posix +doesn't require +.Fa prompter_data. +.Pp +If the +.Fa start_time +is zero, then the requested ticket will be valid +beginning immediately. +Otherwise, the +.Fa start_time +indicates how far in the future the ticket should be postdated. +.Pp +If the +.Fa in_tkt_service +name is +.Dv non-NULL , +that principal name will be +used as the server name for the initial ticket request. +The realm of the name specified will be ignored and will be set to the +realm of the client name. +If no in_tkt_service name is specified, +krbtgt/CLIENT-REALM@CLIENT-REALM will be used. +.Pp +For the rest of arguments, a configuration or library default will be +used if no value is specified in the options structure. +.Pp +.Fn krb5_get_init_creds_opt_set_address_list +sets the list of +.Fa addresses +that is should be stored in the ticket. +.Pp +.Fn krb5_get_init_creds_opt_set_addressless +controls if the ticket is requested with addresses or not, +.Fn krb5_get_init_creds_opt_set_address_list +overrides this option. +.Pp +.Fn krb5_get_init_creds_opt_set_anonymous +make the request anonymous if the +.Fa anonymous +parameter is non-zero. +.Pp +.Fn krb5_get_init_creds_opt_set_default_flags +sets the default flags using the configuration file. +.Pp +.Fn krb5_get_init_creds_opt_set_etype_list +set a list of enctypes that the client is willing to support in the +request. +.Pp +.Fn krb5_get_init_creds_opt_set_forwardable +request a forwardable ticket. +.Pp +.Fn krb5_get_init_creds_opt_set_pa_password +set the +.Fa password +and +.Fa key_proc +that is going to be used to get a new ticket. +.Fa password +or +.Fa key_proc +can be +.Dv NULL +if the caller wants to use the default values. +If the +.Fa password +is unset and needed, the user will be prompted for it. +.Pp +.Fn krb5_get_init_creds_opt_set_paq_request +sets the password that is going to be used to get a new ticket. +.Pp +.Fn krb5_get_init_creds_opt_set_preauth_list +sets the list of client-supported preauth types. +.Pp +.Fn krb5_get_init_creds_opt_set_proxiable +makes the request proxiable. +.Pp +.Fn krb5_get_init_creds_opt_set_renew_life +sets the requested renewable lifetime. +.Pp +.Fn krb5_get_init_creds_opt_set_salt +sets the salt that is going to be used in the request. +.Pp +.Fn krb5_get_init_creds_opt_set_tkt_life +sets requested ticket lifetime. +.Pp +.Fn krb5_get_init_creds_opt_set_canonicalize +requests that the KDC canonicalize the client pricipal if possible. +.Pp +.Fn krb5_get_init_creds_opt_set_win2k +turns on compatibility with Windows 2000. +.Sh SEE ALSO +.Xr krb5 3 , +.Xr krb5_creds 3 , +.Xr krb5_verify_user 3 , +.Xr krb5.conf 5 , +.Xr kerberos 8 diff --git a/crypto/heimdal/lib/krb5/krb5_get_krbhst.3 b/crypto/heimdal/lib/krb5/krb5_get_krbhst.3 index 76ad20bc6efe..d613a0d6df11 100644 --- a/crypto/heimdal/lib/krb5/krb5_get_krbhst.3 +++ b/crypto/heimdal/lib/krb5/krb5_get_krbhst.3 @@ -1,44 +1,44 @@ .\" Copyright (c) 2001 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $Id: krb5_get_krbhst.3,v 1.6 2003/04/16 13:58:16 lha Exp $ +.\" $Id: krb5_get_krbhst.3 14905 2005-04-24 07:46:59Z lha $ .\" -.Dd June 17, 2001 +.Dd April 24, 2005 .Dt KRB5_GET_KRBHST 3 .Os HEIMDAL .Sh NAME -.Nm krb5_get_krbhst -.Nm krb5_get_krb_admin_hst -.Nm krb5_get_krb_changepw_hst -.Nm krb5_get_krb524hst +.Nm krb5_get_krbhst , +.Nm krb5_get_krb_admin_hst , +.Nm krb5_get_krb_changepw_hst , +.Nm krb5_get_krb524hst , .Nm krb5_free_krbhst .Nd lookup Kerberos KDC hosts .Sh LIBRARY @@ -71,7 +71,7 @@ is a terminated list of strings, pointing to the requested Kerberos hosts. These should be freed with .Fn krb5_free_krbhst when done with. -.Sh EXAMPLE +.Sh EXAMPLES The following code will print the KDCs of the realm .Dq MY.REALM . .Bd -literal -offset indent diff --git a/crypto/heimdal/lib/krb5/krb5_getportbyname.3 b/crypto/heimdal/lib/krb5/krb5_getportbyname.3 new file mode 100644 index 000000000000..143606090031 --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_getportbyname.3 @@ -0,0 +1,67 @@ +.\" Copyright (c) 2004 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_getportbyname.3 22071 2007-11-14 20:04:50Z lha $ +.\" +.Dd August 15, 2004 +.Dt NAME 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_getportbyname +.Nd get port number by name +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Ft int +.Fo krb5_getportbyname +.Fa "krb5_context context" +.Fa "const char *service" +.Fa "const char *proto" +.Fa "int default_port" +.Fc +.Sh DESCRIPTION +.Fn krb5_getportbyname +gets the port number for +.Fa service / +.Fa proto +pair from the global service table for and returns it in network order. +If it isn't found in the global table, the +.Fa default_port +(given in host order) +is returned. +.Sh EXAMPLE +.Bd -literal +int port = krb5_getportbyname(context, "kerberos", "tcp", 88); +.Ed +.\" .Sh BUGS +.Sh SEE ALSO +.Xr krb5 3 diff --git a/crypto/heimdal/lib/krb5/krb5_init_context.3 b/crypto/heimdal/lib/krb5/krb5_init_context.3 index 76213fb13eb2..cf9d69698501 100644 --- a/crypto/heimdal/lib/krb5/krb5_init_context.3 +++ b/crypto/heimdal/lib/krb5/krb5_init_context.3 @@ -1,51 +1,187 @@ -.\" Copyright (c) 2001 - 2002 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 2001 - 2004 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $Id: krb5_init_context.3,v 1.9 2003/04/16 13:58:11 lha Exp $ -.\" -.Dd January 21, 2001 +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_init_context.3 19980 2007-01-17 18:06:33Z lha $ +.\" +.Dd December 8, 2004 .Dt KRB5_CONTEXT 3 .Os HEIMDAL .Sh NAME +.Nm krb5_add_et_list , +.Nm krb5_add_extra_addresses , +.Nm krb5_add_ignore_addresses , +.Nm krb5_context , +.Nm krb5_free_config_files , +.Nm krb5_free_context , +.Nm krb5_get_default_config_files , +.Nm krb5_get_dns_canonize_hostname , +.Nm krb5_get_extra_addresses , +.Nm krb5_get_fcache_version , +.Nm krb5_get_ignore_addresses , +.Nm krb5_get_kdc_sec_offset , +.Nm krb5_get_max_time_skew , +.Nm krb5_get_use_admin_kdc .Nm krb5_init_context , -.Nm krb5_free_context -.Nd create and delete krb5_context structures +.Nm krb5_init_ets , +.Nm krb5_prepend_config_files , +.Nm krb5_prepend_config_files_default , +.Nm krb5_set_config_files , +.Nm krb5_set_dns_canonize_hostname , +.Nm krb5_set_extra_addresses , +.Nm krb5_set_fcache_version , +.Nm krb5_set_ignore_addresses , +.Nm krb5_set_max_time_skew , +.Nm krb5_set_use_admin_kdc , +.Nd create, modify and delete krb5_context structures .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) .Sh SYNOPSIS .In krb5.h +.Pp +.Li "struct krb5_context;" +.Pp +.Ft krb5_error_code +.Fo krb5_init_context +.Fa "krb5_context *context" +.Fc +.Ft void +.Fo krb5_free_context +.Fa "krb5_context context" +.Fc +.Ft void +.Fo krb5_init_ets +.Fa "krb5_context context" +.Fc +.Ft krb5_error_code +.Fo krb5_add_et_list +.Fa "krb5_context context" +.Fa "void (*func)(struct et_list **)" +.Fc +.Ft krb5_error_code +.Fo krb5_add_extra_addresses +.Fa "krb5_context context" +.Fa "krb5_addresses *addresses" +.Fc +.Ft krb5_error_code +.Fo krb5_set_extra_addresses +.Fa "krb5_context context" +.Fa "const krb5_addresses *addresses" +.Fc +.Ft krb5_error_code +.Fo krb5_get_extra_addresses +.Fa "krb5_context context" +.Fa "krb5_addresses *addresses" +.Fc .Ft krb5_error_code -.Fn krb5_init_context "krb5_context *context" +.Fo krb5_add_ignore_addresses +.Fa "krb5_context context" +.Fa "krb5_addresses *addresses" +.Fc +.Ft krb5_error_code +.Fo krb5_set_ignore_addresses +.Fa "krb5_context context" +.Fa "const krb5_addresses *addresses" +.Fc +.Ft krb5_error_code +.Fo krb5_get_ignore_addresses +.Fa "krb5_context context" +.Fa "krb5_addresses *addresses" +.Fc +.Ft krb5_error_code +.Fo krb5_set_fcache_version +.Fa "krb5_context context" +.Fa "int version" +.Fc +.Ft krb5_error_code +.Fo krb5_get_fcache_version +.Fa "krb5_context context" +.Fa "int *version" +.Fc .Ft void -.Fn krb5_free_context "krb5_context context" +.Fo krb5_set_dns_canonize_hostname +.Fa "krb5_context context" +.Fa "krb5_boolean flag" +.Fc +.Ft krb5_boolean +.Fo krb5_get_dns_canonize_hostname +.Fa "krb5_context context" +.Fc +.Ft krb5_error_code +.Fo krb5_get_kdc_sec_offset +.Fa "krb5_context context" +.Fa "int32_t *sec" +.Fa "int32_t *usec" +.Fc +.Ft krb5_error_code +.Fo krb5_set_config_files +.Fa "krb5_context context" +.Fa "char **filenames" +.Fc +.Ft krb5_error_code +.Fo krb5_prepend_config_files +.Fa "const char *filelist" +.Fa "char **pq" +.Fa "char ***ret_pp" +.Fc +.Ft krb5_error_code +.Fo krb5_prepend_config_files_default +.Fa "const char *filelist" +.Fa "char ***pfilenames" +.Fc +.Ft krb5_error_code +.Fo krb5_get_default_config_files +.Fa "char ***pfilenames" +.Fc +.Ft void +.Fo krb5_free_config_files +.Fa "char **filenames" +.Fc +.Ft void +.Fo krb5_set_use_admin_kdc +.Fa "krb5_context context" +.Fa "krb5_boolean flag" +.Fc +.Ft krb5_boolean +.Fo krb5_get_use_admin_kdc +.Fa "krb5_context context" +.Fc +.Ft time_t +.Fo krb5_get_max_time_skew +.Fa "krb5_context context" +.Fc +.Ft krb5_error_code +.Fo krb5_set_max_time_skew +.Fa "krb5_context context" +.Fa "time_t time" +.Fc .Sh DESCRIPTION The .Fn krb5_init_context @@ -57,7 +193,7 @@ structure and reads the configuration file The structure should be freed by calling .Fn krb5_free_context when it is no longer being used. -.Sh RETURN VALUES +.Pp .Fn krb5_init_context returns 0 to indicate success. Otherwise an errno code is returned. @@ -66,7 +202,107 @@ Failure means either that something bad happened during initialization .Bq ENOMEM ) or that Kerberos should not be used .Bq ENXIO . +.Pp +.Fn krb5_init_ets +adds all +.Xr com_err 3 +libs to +.Fa context . +This is done by +.Fn krb5_init_context . +.Pp +.Fn krb5_add_et_list +adds a +.Xr com_err 3 +error-code handler +.Fa func +to the specified +.Fa context . +The error handler must generated by the the re-rentrant version of the +.Xr compile_et 3 +program. +.Fn krb5_add_extra_addresses +add a list of addresses that should be added when requesting tickets. +.Pp +.Fn krb5_add_ignore_addresses +add a list of addresses that should be ignored when requesting tickets. +.Pp +.Fn krb5_get_extra_addresses +get the list of addresses that should be added when requesting tickets. +.Pp +.Fn krb5_get_ignore_addresses +get the list of addresses that should be ignored when requesting tickets. +.Pp +.Fn krb5_set_ignore_addresses +set the list of addresses that should be ignored when requesting tickets. +.Pp +.Fn krb5_set_extra_addresses +set the list of addresses that should be added when requesting tickets. +.Pp +.Fn krb5_set_fcache_version +sets the version of file credentials caches that should be used. +.Pp +.Fn krb5_get_fcache_version +gets the version of file credentials caches that should be used. +.Pp +.Fn krb5_set_dns_canonize_hostname +sets if the context is configured to canonicalize hostnames using DNS. +.Pp +.Fn krb5_get_dns_canonize_hostname +returns if the context is configured to canonicalize hostnames using DNS. +.Pp +.Fn krb5_get_kdc_sec_offset +returns the offset between the localtime and the KDC's time. +.Fa sec +and +.Fa usec +are both optional argument and +.Dv NULL +can be passed in. +.Pp +.Fn krb5_set_config_files +set the list of configuration files to use and re-initialize the +configuration from the files. +.Pp +.Fn krb5_prepend_config_files +parse the +.Fa filelist +and prepend the result to the already existing list +.Fa pq +The result is returned in +.Fa ret_pp +and should be freed with +.Fn krb5_free_config_files . +.Pp +.Fn krb5_prepend_config_files_default +parse the +.Fa filelist +and append that to the default +list of configuration files. +.Pp +.Fn krb5_get_default_config_files +get a list of default configuration files. +.Pp +.Fn krb5_free_config_files +free a list of configuration files returned by +.Fn krb5_get_default_config_files , +.Fn krb5_prepend_config_files_default , +or +.Fn krb5_prepend_config_files . +.Pp +.Fn krb5_set_use_admin_kdc +sets if all KDC requests should go admin KDC. +.Pp +.Fn krb5_get_use_admin_kdc +gets if all KDC requests should go admin KDC. +.Pp +.Fn krb5_get_max_time_skew +and +.Fn krb5_set_max_time_skew +get and sets the maximum allowed time skew between client and server. .Sh SEE ALSO .Xr errno 2 , +.Xr krb5 3 , +.Xr krb5_config 3 , .Xr krb5_context 3 , .Xr kerberos 8 diff --git a/crypto/heimdal/lib/krb5/krb5_is_thread_safe.3 b/crypto/heimdal/lib/krb5/krb5_is_thread_safe.3 new file mode 100644 index 000000000000..9f0a919d3571 --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_is_thread_safe.3 @@ -0,0 +1,58 @@ +.\" Copyright (c) 2005 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_is_thread_safe.3 17462 2006-05-05 13:18:39Z lha $ +.\" +.Dd May 5, 2006 +.Dt KRB5_IS_THREAD_SAFE 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_is_thread_safe +.Nd "is the Kerberos library compiled with multithread support" +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Ft krb5_boolean +.Fn krb5_is_thread_safe "void" +.Sh DESCRIPTION +.Nm +returns +.Dv TRUE +if the library was compiled with with multithread support. +If the library isn't compiled, the consumer have to use a global lock +to make sure Kerboros functions are not called at the same time by +diffrent threads. +.\" .Sh EXAMPLE +.\" .Sh BUGS +.Sh SEE ALSO +.Xr krb5_create_checksum 3 , +.Xr krb5_encrypt 3 diff --git a/crypto/heimdal/lib/krb5/krb5_keyblock.3 b/crypto/heimdal/lib/krb5/krb5_keyblock.3 new file mode 100644 index 000000000000..9fabd32a0d01 --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_keyblock.3 @@ -0,0 +1,218 @@ +.\" Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_keyblock.3 17385 2006-05-01 08:48:55Z lha $ +.\" +.Dd May 1, 2006 +.Dt KRB5_KEYBLOCK 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_keyblock , +.Nm krb5_keyblock_get_enctype , +.Nm krb5_copy_keyblock , +.Nm krb5_copy_keyblock_contents , +.Nm krb5_free_keyblock , +.Nm krb5_free_keyblock_contents , +.Nm krb5_generate_random_keyblock , +.Nm krb5_generate_subkey , +.Nm krb5_generate_subkey_extended , +.Nm krb5_keyblock_init , +.Nm krb5_keyblock_zero , +.Nm krb5_random_to_key +.Nd Kerberos 5 key handling functions +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Pp +.Li krb5_keyblock ; +.Ft krb5_enctype +.Fo krb5_keyblock_get_enctype +.Fa "const krb5_keyblock *block" +.Fc +.Ft krb5_error_code +.Fo krb5_copy_keyblock +.Fa "krb5_context context" +.Fa "krb5_keyblock **to" +.Fc +.Ft krb5_error_code +.Fo krb5_copy_keyblock_contents +.Fa "krb5_context context" +.Fa "const krb5_keyblock *inblock" +.Fa "krb5_keyblock *to" +.Fc +.Ft void +.Fo krb5_free_keyblock +.Fa "krb5_context context" +.Fa "krb5_keyblock *keyblock" +.Fc +.Ft void +.Fo krb5_free_keyblock_contents +.Fa "krb5_context context" +.Fa "krb5_keyblock *keyblock" +.Fc +.Ft krb5_error_code +.Fo krb5_generate_random_keyblock +.Fa "krb5_context context" +.Fa "krb5_enctype type" +.Fa "krb5_keyblock *key" +.Fc +.Ft krb5_error_code +.Fo krb5_generate_subkey +.Fa "krb5_context context" +.Fa "const krb5_keyblock *key" +.Fa "krb5_keyblock **subkey" +.Fc +.Ft krb5_error_code +.Fo krb5_generate_subkey_extended +.Fa "krb5_context context" +.Fa "const krb5_keyblock *key" +.Fa "krb5_enctype enctype" +.Fa "krb5_keyblock **subkey" +.Fc +.Ft krb5_error_code +.Fo krb5_keyblock_init +.Fa "krb5_context context" +.Fa "krb5_enctype type" +.Fa "const void *data" +.Fa "size_t size" +.Fa "krb5_keyblock *key" +.Fc +.Ft void +.Fo krb5_keyblock_zero +.Fa "krb5_keyblock *keyblock" +.Fc +.Ft krb5_error_code +.Fo krb5_random_to_key +.Fa "krb5_context context" +.Fa "krb5_enctype type" +.Fa "const void *data" +.Fa "size_t size" +.Fa "krb5_keyblock *key" +.Fc +.Sh DESCRIPTION +.Li krb5_keyblock +holds the encryption key for a specific encryption type. +There is no component inside +.Li krb5_keyblock +that is directly referable. +.Pp +.Fn krb5_keyblock_get_enctype +returns the encryption type of the keyblock. +.Pp +.Fn krb5_copy_keyblock +makes a copy the keyblock +.Fa inblock +to the +output +.Fa out . +.Fa out +should be freed by the caller with +.Fa krb5_free_keyblock . +.Pp +.Fn krb5_copy_keyblock_contents +copies the contents of +.Fa inblock +to the +.Fa to +keyblock. +The destination keyblock is overritten. +.Pp +.Fn krb5_free_keyblock +zeros out and frees the content and the keyblock itself. +.Pp +.Fn krb5_free_keyblock_contents +zeros out and frees the content of the keyblock. +.Pp +.Fn krb5_generate_random_keyblock +creates a new content of the keyblock +.Fa key +of type encrytion type +.Fa type . +The content of +.Fa key +is overwritten and not freed, so the caller should be sure it is +freed before calling the function. +.Pp +.Fn krb5_generate_subkey +generates a +.Fa subkey +of the same type as +.Fa key . +The caller must free the subkey with +.Fa krb5_free_keyblock . +.Pp +.Fn krb5_generate_subkey_extended +generates a +.Fa subkey +of the specified encryption type +.Fa type . +If +.Fa type +is +.Dv ETYPE_NULL , +of the same type as +.Fa key . +The caller must free the subkey with +.Fa krb5_free_keyblock . +.Pp +.Fn krb5_keyblock_init +Fill in +.Fa key +with key data of type +.Fa enctype +from +.Fa data +of length +.Fa size . +Key should be freed using +.Fn krb5_free_keyblock_contents . +.Pp +.Fn krb5_keyblock_zero +zeros out the keyblock to to make sure no keymaterial is in +memory. +Note that +.Fn krb5_free_keyblock_contents +also zeros out the memory. +.Pp +.Fn krb5_random_to_key +converts the random bytestring to a protocol key according to Kerberos +crypto frame work. +It the resulting key will be of type +.Fa enctype . +It may be assumed that all the bits of the input string are equally +random, even though the entropy present in the random source may be +limited +.\" .Sh EXAMPLES +.Sh SEE ALSO +.Xr krb5_crypto_init 3 , +.Xr krb5 3 , +.Xr krb5.conf 5 diff --git a/crypto/heimdal/lib/krb5/krb5_keytab.3 b/crypto/heimdal/lib/krb5/krb5_keytab.3 index 164eb49992a0..b6cb1a26cc00 100644 --- a/crypto/heimdal/lib/krb5/krb5_keytab.3 +++ b/crypto/heimdal/lib/krb5/krb5_keytab.3 @@ -1,37 +1,37 @@ -.\" Copyright (c) 2001 - 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 2001 - 2005 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $Id: krb5_keytab.3,v 1.9 2003/04/16 13:58:16 lha Exp $ +.\" $Id: krb5_keytab.3 22071 2007-11-14 20:04:50Z lha $ .\" -.Dd February 5, 2001 +.Dd August 12, 2005 .Dt KRB5_KEYTAB 3 .Os HEIMDAL .Sh NAME @@ -43,6 +43,7 @@ .Nm krb5_kt_compare , .Nm krb5_kt_copy_entry_contents , .Nm krb5_kt_default , +.Nm krb5_kt_default_modify_name , .Nm krb5_kt_default_name , .Nm krb5_kt_end_seq_get , .Nm krb5_kt_free_entry , @@ -92,6 +93,12 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Fa "krb5_keytab *id" .Fc .Ft krb5_error_code +.Fo krb5_kt_default_modify_name +.Fa "krb5_context context" +.Fa "char *name" +.Fa "size_t namesize" +.Fc +.Ft krb5_error_code .Fo krb5_kt_default_name .Fa "krb5_context context" .Fa "char *name" @@ -191,8 +198,20 @@ are: .Bl -tag -width Ds .It Nm file store the keytab in a file, the type's name is -.Li KEYFILE . +.Li FILE . The residual part is a filename. +For compatibility with other Kerberos implemtation +.Li WRFILE +and +.LI JAVA14 +is also accepted. +.Li WRFILE +has the same format as +.Li FILE . +.Li JAVA14 +have a format that is compatible with older versions of MIT kerberos +and SUN's Java based installation. They store a truncted kvno, so +when the knvo excess 255, they are truncted in this format. .It Nm keyfile store the keytab in a .Li AFS @@ -211,10 +230,11 @@ The residual part is a filename. The keytab is stored in a memory segment. This allows sensitive and/or temporary data not to be stored on disk. The type's name is .Li MEMORY . -There are no residual part, the only pointer back to the keytab is the -.Fa id -returned by -.Fn krb5_kt_resolve . +Each +.Li MEMORY +keytab is referenced counted by and opened by the residual name, so two +handles can point to the same memory area. +When the last user closes the entry, it disappears. .El .Pp .Nm krb5_keytab_entry @@ -244,8 +264,10 @@ Returns 0 or an error. The opposite of .Fn krb5_kt_resolve is .Fn krb5_kt_close . +.Pp .Fn krb5_kt_close -frees all resources allocated to the keytab. +frees all resources allocated to the keytab, even on failure. +Returns 0 or an error. .Pp .Fn krb5_kt_default sets the argument @@ -253,15 +275,22 @@ sets the argument to the default keytab. Returns 0 or an error. .Pp +.Fn krb5_kt_default_modify_name +copies the name of the default modify keytab into +.Fa name . +Return 0 or KRB5_CONFIG_NOTENUFSPACE if +.Fa namesize +is too short. +.Pp .Fn krb5_kt_default_name -copy the name of the default keytab into +copies the name of the default keytab into .Fa name . Return 0 or KRB5_CONFIG_NOTENUFSPACE if .Fa namesize is too short. .Pp .Fn krb5_kt_add_entry -Add a new +adds a new .Fa entry to the keytab .Fa id . @@ -306,7 +335,7 @@ and store the prefix/name for type of the keytab into .Fa prefix , .Fa prefixsize . The prefix will have the maximum length of -.Dv KRB5_KT_PREFIX_MAX_LEN +.Dv KRB5_KT_PREFIX_MAX_LEN (including terminating .Dv NUL ) . Returns 0 or an error. @@ -329,6 +358,8 @@ pointed to by .Fa cursor and advance the .Fa cursor . +On success the returne entry must be freed with +.Fn krb5_kt_free_entry . Returns 0 or an error. .Pp .Fn krb5_kt_end_seq_get @@ -338,23 +369,45 @@ releases all resources associated with .Fn krb5_kt_get_entry retrieves the keytab entry for .Fa principal , -.Fa kvno, +.Fa kvno , .Fa enctype into .Fa entry from the keytab .Fa id . +When comparing an entry in the keytab to determine a match, the +function +.Fn krb5_kt_compare +is used, so the wildcard rules applies to the argument of +.F krb5_kt_get_entry +too. +On success the returne entry must be freed with +.Fn krb5_kt_free_entry . Returns 0 or an error. .Pp .Fn krb5_kt_read_service_key reads the key identified by -.Ns ( Fa principal , +.Fa ( principal , .Fa vno , .Fa enctype ) from the keytab in .Fa keyprocarg -(the default if == NULL) into +(the system default keytab if +.Dv NULL +is used) into .Fa *key . +.Fa keyprocarg +is the same argument as to +.Fa name +argument to +.Fn krb5_kt_resolve . +Internal +.Fn krb5_kt_compare +will be used, so the same wildcard rules applies +to +.Fn krb5_kt_read_service_key . +On success the returned key must be freed with +.Fa krb5_free_keyblock . Returns 0 or an error. .Pp .Fn krb5_kt_remove_entry @@ -362,13 +415,20 @@ removes the entry .Fa entry from the keytab .Fa id . -Returns 0 or an error. +When comparing an entry in the keytab to determine a match, the +function +.Fn krb5_kt_compare +is use, so the wildcard rules applies to the argument of +.Fn krb5_kt_remove_entry . +Returns 0, +.Dv KRB5_KT_NOTFOUND +if not entry matched or another error. .Pp .Fn krb5_kt_register registers a new keytab type .Fa ops . Returns 0 or an error. -.Sh EXAMPLE +.Sh EXAMPLES This is a minimalistic version of .Nm ktutil . .Pp @@ -402,10 +462,21 @@ main (int argc, char **argv) ret = krb5_kt_end_seq_get(context, keytab, &cursor); if (ret) krb5_err(context, 1, ret, "krb5_kt_end_seq_get"); + ret = krb5_kt_close(context, keytab); + if (ret) + krb5_err(context, 1, ret, "krb5_kt_close"); krb5_free_context(context); return 0; } .Ed +.Sh COMPATIBILITY +Heimdal stored the ticket flags in machine bit-field order before +Heimdal 0.7. The behavior is possible to change in with the option +.Li [libdefaults]fcc-mit-ticketflags . +Heimdal 0.7 also code to detech that ticket flags was in the wrong +order and correct them. This matters when doing delegation in GSS-API +because the client code looks at the flag to determin if it is possible +to do delegation if the user requested it. .Sh SEE ALSO .Xr krb5.conf 5 , .Xr kerberos 8 diff --git a/crypto/heimdal/lib/krb5/krb5_krbhst_init.3 b/crypto/heimdal/lib/krb5/krb5_krbhst_init.3 index 87ea3f9b0aba..1d906bfafc0b 100644 --- a/crypto/heimdal/lib/krb5/krb5_krbhst_init.3 +++ b/crypto/heimdal/lib/krb5/krb5_krbhst_init.3 @@ -1,41 +1,42 @@ -.\" Copyright (c) 2001 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 2001-2005 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $Id: krb5_krbhst_init.3,v 1.7 2003/04/16 13:58:16 lha Exp $ +.\" $Id: krb5_krbhst_init.3 15110 2005-05-10 09:21:06Z lha $ .\" -.Dd June 17, 2001 +.Dd May 10, 2005 .Dt KRB5_KRBHST_INIT 3 .Os HEIMDAL .Sh NAME .Nm krb5_krbhst_init , +.Nm krb5_krbhst_init_flags , .Nm krb5_krbhst_next , .Nm krb5_krbhst_next_as_string , .Nm krb5_krbhst_reset , @@ -50,6 +51,8 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Ft krb5_error_code .Fn krb5_krbhst_init "krb5_context context" "const char *realm" "unsigned int type" "krb5_krbhst_handle *handle" .Ft krb5_error_code +.Fn krb5_krbhst_init_flags "krb5_context context" "const char *realm" "unsigned int type" "int flags" "krb5_krbhst_handle *handle" +.Ft krb5_error_code .Fn "krb5_krbhst_next" "krb5_context context" "krb5_krbhst_handle handle" "krb5_krbhst_info **host" .Ft krb5_error_code .Fn krb5_krbhst_next_as_string "krb5_context context" "krb5_krbhst_handle handle" "char *hostname" "size_t hostlen" @@ -69,13 +72,15 @@ for Kerberos 4 ticket conversion. .Pp First a handle to a particular service is obtained by calling .Fn krb5_krbhst_init +(or +.Fn krb5_krbhst_init_flags ) with the .Fa realm of interest and the type of service to lookup. The .Fa type can be one of: .Pp -.Bl -hang -compact -offset indent +.Bl -tag -width Ds -compact -offset indent .It KRB5_KRBHST_KDC .It KRB5_KRBHST_ADMIN .It KRB5_KRBHST_CHANGEPW @@ -87,9 +92,25 @@ The is returned to the caller, and should be passed to the other functions. .Pp +The +.Fa flag +argument to +.Nm krb5_krbhst_init_flags +is the same flags as +.Fn krb5_send_to_kdc_flags +uses. +Possible values are: +.Pp +.Bl -tag -width KRB5_KRBHST_FLAGS_LARGE_MSG -compact -offset indent +.It KRB5_KRBHST_FLAGS_MASTER +only talk to master (readwrite) KDC +.It KRB5_KRBHST_FLAGS_LARGE_MSG +this is a large message, so use transport that can handle that. +.El +.Pp For each call to .Fn krb5_krbhst_next -information a new host is returned. The former function returns in +information on a new host is returned. The former function returns in .Fa host a pointer to a structure containing information about the host, such as protocol, hostname, and port: @@ -107,7 +128,7 @@ typedef struct krb5_krbhst_info { .Pp The related function, .Fn krb5_krbhst_next_as_string , -return the same information as a url-like string. +return the same information as a URL-like string. .Pp When there are no more hosts, these functions return .Dv KRB5_KDC_UNREACH . @@ -132,9 +153,9 @@ and that will return a .Va struct addrinfo that can then be used for communicating with the server mentioned. -.Sh EXAMPLE +.Sh EXAMPLES The following code will print the KDCs of the realm -.Dq MY.REALM . +.Dq MY.REALM : .Bd -literal -offset indent krb5_krbhst_handle handle; char host[MAXHOSTNAMELEN]; @@ -145,8 +166,9 @@ while(krb5_krbhst_next_as_string(context, handle, krb5_krbhst_free(context, handle); .Ed .\" .Sh BUGS -.Sh HISTORY -These functions first appeared in Heimdal 0.3g. .Sh SEE ALSO .Xr getaddrinfo 3 , -.Xr krb5_get_krbhst 3 +.Xr krb5_get_krbhst 3 , +.Xr krb5_send_to_kdc_flags 3 +.Sh HISTORY +These functions first appeared in Heimdal 0.3g. diff --git a/crypto/heimdal/lib/krb5/krb5_kuserok.3 b/crypto/heimdal/lib/krb5/krb5_kuserok.3 index 15392023dac4..e5e5c9937de3 100644 --- a/crypto/heimdal/lib/krb5/krb5_kuserok.3 +++ b/crypto/heimdal/lib/krb5/krb5_kuserok.3 @@ -1,94 +1,103 @@ -.\" Copyright (c) 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 2003-2005 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $Id: krb5_kuserok.3,v 1.5 2003/04/16 13:58:10 lha Exp $ +.\" $Id: krb5_kuserok.3 15083 2005-05-04 12:11:22Z joda $ .\" -.Dd Oct 17, 2002 +.Dd May 4, 2005 .Dt KRB5_KUSEROK 3 .Os HEIMDAL .Sh NAME .Nm krb5_kuserok -.Nd verifies if a principal can log in as a user +.Nd "checks if a principal is permitted to login as a user" .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) .Sh SYNOPSIS .In krb5.h .Ft krb5_boolean -.Fo krb5_kuserok +.Fo krb5_kuserok .Fa "krb5_context context" .Fa "krb5_principal principal" -.Fa "const char *name" +.Fa "const char *user" .Fc .Sh DESCRIPTION -This function takes a local user -.Fa name -and verifies if +This function takes the name of a local +.Fa user +and checks if .Fa principal is allowed to log in as that user. .Pp -First -.Nm -check if there is a local account name -.Fa username. -If there isn't, -.Nm -returns -.Dv FALSE . +The +.Fa user +may have a +.Pa ~/.k5login +file listing principals that are allowed to login as that user. If +that file does not exist, all principals with a first component +identical to the username, and a realm considered local, are allowed +access. .Pp -Then -.Nm -checks if principal is the same as user@realm in any of the default -realms. If that is the case, +The +.Pa .k5login +file must contain one principal per line, be owned by +.Fa user , +and not be writable by group or other (but must be readable by +anyone). +.Pp +Note that if the file exists, no implicit access rights are given to +.Fa user Ns @ Ns Aq localrealm . +.Pp +Optionally, a set of files may be put in +.Pa ~/.k5login.d ( Ns +a directory), in which case they will all be checked in the same +manner as +.Pa .k5login . +The files may be called anything, but files starting with a hash +.Dq ( # ) , +or ending with a tilde +.Dq ( ~ ) +are ignored. Subdirectories are not traversed. Note that this +directory may not be checked by other implementations. +.Sh RETURN VALUES .Nm returns -.Dv TRUE . -.Pp -After that it reads the file -.Pa .k5login -(if it exists) in the users home directory and checks if -.Fa principal -is in the file. -If it does exists, .Dv TRUE -is returned. -If neither of the above turns out to be true, -.DV FALSE -is returned. -.Pp +if access should be granted, +.Dv FALSE +otherwise. +.Sh HISTORY The -.Pa .k5login -should contain one principal per line. +.Pa ~/.k5login.d +feature appeared in Heimdal 0.7. .Sh SEE ALSO .Xr krb5_get_default_realms 3 , .Xr krb5_verify_user 3 , .Xr krb5_verify_user_lrealm 3 , -.Xr krb5_verify_user_opt 3, +.Xr krb5_verify_user_opt 3 , .Xr krb5.conf 5 diff --git a/crypto/heimdal/lib/krb5/krb5_locl.h b/crypto/heimdal/lib/krb5/krb5_locl.h index b3d6a92f8f50..8b7c41cc80d9 100644 --- a/crypto/heimdal/lib/krb5/krb5_locl.h +++ b/crypto/heimdal/lib/krb5/krb5_locl.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: krb5_locl.h,v 1.71 2002/09/10 20:10:45 joda Exp $ */ +/* $Id: krb5_locl.h 22226 2007-12-08 21:31:53Z lha $ */ #ifndef __KRB5_LOCL_H__ #define __KRB5_LOCL_H__ @@ -50,6 +50,9 @@ #ifdef HAVE_SYS_TYPES_H #include <sys/types.h> #endif +#ifdef HAVE_SYS_MMAN_H +#include <sys/mman.h> +#endif #ifdef HAVE_UNISTD_H #include <unistd.h> #endif @@ -61,6 +64,9 @@ #include <sys/ioctl.h> #endif #ifdef HAVE_PWD_H +#undef _POSIX_PTHREAD_SEMANTICS +/* This gets us the 5-arg getpwnam_r on Solaris 9. */ +#define _POSIX_PTHREAD_SEMANTICS #include <pwd.h> #endif @@ -109,20 +115,51 @@ struct sockaddr_dl; #ifdef HAVE_SYS_FILE_H #include <sys/file.h> #endif + +#ifdef HAVE_CRYPT_H +#undef des_encrypt +#define des_encrypt wingless_pigs_mostly_fail_to_fly +#include <crypt.h> +#undef des_encrypt +#endif + +#ifdef HAVE_DOOR_CREATE +#include <door.h> +#endif + #include <roken.h> #include <parse_time.h> #include <base64.h> #include "crypto-headers.h" + #include <krb5_asn1.h> + +struct send_to_kdc; + +/* XXX glue for pkinit */ +struct krb5_pk_identity; +struct krb5_pk_cert; +struct ContentInfo; +typedef struct krb5_pk_init_ctx_data *krb5_pk_init_ctx; +struct krb5_dh_moduli; + +/* v4 glue */ +struct _krb5_krb_auth_data; + #include <der.h> #include <krb5.h> #include <krb5_err.h> #include <asn1_err.h> +#ifdef PKINIT +#include <hx509_err.h> +#endif #include <krb5-private.h> +#include "heim_threads.h" + #define ALLOC(X, N) (X) = calloc((N), sizeof(*(X))) #define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0) @@ -130,8 +167,101 @@ struct sockaddr_dl; #define KEYTAB_DEFAULT "ANY:FILE:" SYSCONFDIR "/krb5.keytab,krb4:" SYSCONFDIR "/srvtab" #define KEYTAB_DEFAULT_MODIFY "FILE:" SYSCONFDIR "/krb5.keytab" +#define MODULI_FILE SYSCONFDIR "/krb5.moduli" + #ifndef O_BINARY #define O_BINARY 0 #endif +#define KRB5_BUFSIZ 1024 + +typedef enum { + KRB5_INIT_CREDS_TRISTATE_UNSET = 0, + KRB5_INIT_CREDS_TRISTATE_TRUE, + KRB5_INIT_CREDS_TRISTATE_FALSE +} krb5_get_init_creds_tristate; + +struct _krb5_get_init_creds_opt_private { + int refcount; + /* ENC_TIMESTAMP */ + const char *password; + krb5_s2k_proc key_proc; + /* PA_PAC_REQUEST */ + krb5_get_init_creds_tristate req_pac; + /* PKINIT */ + krb5_pk_init_ctx pk_init_ctx; + KRB_ERROR *error; + krb5_get_init_creds_tristate addressless; + int flags; +#define KRB5_INIT_CREDS_CANONICALIZE 1 +#define KRB5_INIT_CREDS_NO_C_CANON_CHECK 2 +}; + +typedef struct krb5_context_data { + krb5_enctype *etypes; + krb5_enctype *etypes_des; + char **default_realms; + time_t max_skew; + time_t kdc_timeout; + unsigned max_retries; + int32_t kdc_sec_offset; + int32_t kdc_usec_offset; + krb5_config_section *cf; + struct et_list *et_list; + struct krb5_log_facility *warn_dest; + krb5_cc_ops *cc_ops; + int num_cc_ops; + const char *http_proxy; + const char *time_fmt; + krb5_boolean log_utc; + const char *default_keytab; + const char *default_keytab_modify; + krb5_boolean use_admin_kdc; + krb5_addresses *extra_addresses; + krb5_boolean scan_interfaces; /* `ifconfig -a' */ + krb5_boolean srv_lookup; /* do SRV lookups */ + krb5_boolean srv_try_txt; /* try TXT records also */ + int32_t fcache_vno; /* create cache files w/ this + version */ + int num_kt_types; /* # of registered keytab types */ + struct krb5_keytab_data *kt_types; /* registered keytab types */ + const char *date_fmt; + char *error_string; + char error_buf[256]; + krb5_addresses *ignore_addresses; + char *default_cc_name; + char *default_cc_name_env; + int default_cc_name_set; + void *mutex; /* protects error_string/error_buf */ + int large_msg_size; + int flags; +#define KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME 1 +#define KRB5_CTX_F_CHECK_PAC 2 + struct send_to_kdc *send_to_kdc; +} krb5_context_data; + +#define KRB5_DEFAULT_CCNAME_FILE "FILE:/tmp/krb5cc_%{uid}" +#define KRB5_DEFAULT_CCNAME_API "API:" +#define KRB5_DEFAULT_CCNAME_KCM "KCM:%{uid}" + +#define EXTRACT_TICKET_ALLOW_CNAME_MISMATCH 1 +#define EXTRACT_TICKET_ALLOW_SERVER_MISMATCH 2 +#define EXTRACT_TICKET_MATCH_REALM 4 + +/* + * Configurable options + */ + +#ifndef KRB5_DEFAULT_CCTYPE +#ifdef __APPLE__ +#define KRB5_DEFAULT_CCTYPE (&krb5_acc_ops) +#else +#define KRB5_DEFAULT_CCTYPE (&krb5_fcc_ops) +#endif +#endif + +#ifndef KRB5_ADDRESSLESS_DEFAULT +#define KRB5_ADDRESSLESS_DEFAULT TRUE +#endif + #endif /* __KRB5_LOCL_H__ */ diff --git a/crypto/heimdal/lib/krb5/krb5_mk_req.3 b/crypto/heimdal/lib/krb5/krb5_mk_req.3 new file mode 100644 index 000000000000..e37d8e7e975f --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_mk_req.3 @@ -0,0 +1,187 @@ +.\" Copyright (c) 2005 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_mk_req.3 16100 2005-09-26 05:38:55Z lha $ +.\" +.Dd August 27, 2005 +.Dt KRB5_MK_REQ 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_mk_req , +.Nm krb5_mk_req_exact , +.Nm krb5_mk_req_extended , +.Nm krb5_rd_req , +.Nm krb5_rd_req_with_keyblock , +.Nm krb5_mk_rep , +.Nm krb5_mk_rep_exact , +.Nm krb5_mk_rep_extended , +.Nm krb5_rd_rep , +.Nm krb5_build_ap_req , +.Nm krb5_verify_ap_req +.Nd create and read application authentication request +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Ft krb5_error_code +.Fo krb5_mk_req +.Fa "krb5_context context" +.Fa "krb5_auth_context *auth_context" +.Fa "const krb5_flags ap_req_options" +.Fa "const char *service" +.Fa "const char *hostname" +.Fa "krb5_data *in_data" +.Fa "krb5_ccache ccache" +.Fa "krb5_data *outbuf" +.Fc +.Ft krb5_error_code +.Fo krb5_mk_req_extended +.Fa "krb5_context context" +.Fa "krb5_auth_context *auth_context" +.Fa "const krb5_flags ap_req_options" +.Fa "krb5_data *in_data" +.Fa "krb5_creds *in_creds" +.Fa "krb5_data *outbuf" +.Fc +.Ft krb5_error_code +.Fo krb5_rd_req +.Fa "krb5_context context" +.Fa "krb5_auth_context *auth_context" +.Fa "const krb5_data *inbuf" +.Fa "krb5_const_principal server" +.Fa "krb5_keytab keytab" +.Fa "krb5_flags *ap_req_options" +.Fa "krb5_ticket **ticket" +.Fc +.Ft krb5_error_code +.Fo krb5_build_ap_req +.Fa "krb5_context context" +.Fa "krb5_enctype enctype" +.Fa "krb5_creds *cred" +.Fa "krb5_flags ap_options" +.Fa "krb5_data authenticator" +.Fa "krb5_data *retdata" +.Fc +.Ft krb5_error_code +.Fo krb5_verify_ap_req +.Fa "krb5_context context" +.Fa "krb5_auth_context *auth_context" +.Fa "krb5_ap_req *ap_req" +.Fa "krb5_const_principal server" +.Fa "krb5_keyblock *keyblock" +.Fa "krb5_flags flags" +.Fa "krb5_flags *ap_req_options" +.Fa "krb5_ticket **ticket" +.Fc +.Sh DESCRIPTION +The functions documented in this manual page document the functions +that facilitates the exchange between a Kerberos client and server. +They are the core functions used in the authentication exchange +between the client and the server. +.Pp +The +.Nm krb5_mk_req +and +.Nm krb5_mk_req_extended +creates the Kerberos message +.Dv KRB_AP_REQ +that is sent from the client to the server as the first packet in a client/server exchange. The result that should be sent to server is stored in +.Fa outbuf . +.Pp +.Fa auth_context +should be allocated with +.Fn krb5_auth_con_init +or +.Dv NULL +passed in, in that case, it will be allocated and freed internally. +.Pp +The input data +.Fa in_data +will have a checksum calculated over it and checksum will be +transported in the message to the server. +.Pp +.Fa ap_req_options +can be set to one or more of the following flags: +.Pp +.Bl -tag -width indent +.It Dv AP_OPTS_USE_SESSION_KEY +Use the session key when creating the request, used for user to user +authentication. +.It Dv AP_OPTS_MUTUAL_REQUIRED +Mark the request as mutual authenticate required so that the receiver +returns a mutual authentication packet. +.El +.Pp +The +.Nm krb5_rd_req +read the AP_REQ in +.Fa inbuf +and verify and extract the content. +If +.Fa server +is specified, that server will be fetched from the +.Fa keytab +and used unconditionally. +If +.Fa server +is +.Dv NULL , +the +.Fa keytab +will be search for a matching principal. +.Pp +The +.Fa keytab +argument specifies what keytab to search for receiving principals. +The arguments +.Fa ap_req_options +and +.Fa ticket +returns the content. +.Pp +When the AS-REQ is a user to user request, neither of +.Fa keytab +or +.Fa principal +are used, instead +.Fn krb5_rd_req +expects the session key to be set in +.Fa auth_context . +.Pp +The +.Nm krb5_verify_ap_req +and +.Nm krb5_build_ap_req +both constructs and verify the AP_REQ message, should not be used by +external code. +.Sh SEE ALSO +.Xr krb5 3 , +.Xr krb5.conf 5 diff --git a/crypto/heimdal/lib/krb5/krb5_mk_safe.3 b/crypto/heimdal/lib/krb5/krb5_mk_safe.3 new file mode 100644 index 000000000000..25b65411f80b --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_mk_safe.3 @@ -0,0 +1,82 @@ +.\" Copyright (c) 2003 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_mk_safe.3 17385 2006-05-01 08:48:55Z lha $ +.\" +.Dd May 1, 2006 +.Dt KRB5_MK_SAFE 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_mk_safe , +.Nm krb5_mk_priv +.Nd generates integrity protected and/or encrypted messages +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Pp +.Ft krb5_error_code +.Fn krb5_mk_priv "krb5_context context" "krb5_auth_context auth_context" "const krb5_data *userdata" "krb5_data *outbuf" "krb5_replay_data *outdata" +.Ft krb5_error_code +.Fn krb5_mk_safe "krb5_context context" "krb5_auth_context auth_context" "const krb5_data *userdata" "krb5_data *outbuf" "krb5_replay_data *outdata" +.Sh DESCRIPTION +.Fn krb5_mk_safe +and +.Fn krb5_mk_priv +formats +.Li KRB-SAFE +(integrity protected) +and +.Li KRB-PRIV +(also encrypted) +messages into +.Fa outbuf . +The actual message data is taken from +.Fa userdata . +If the +.Dv KRB5_AUTH_CONTEXT_DO_SEQUENCE +or +.Dv KRB5_AUTH_CONTEXT_DO_TIME +flags are set in the +.Fa auth_context , +sequence numbers and time stamps are generated. +If the +.Dv KRB5_AUTH_CONTEXT_RET_SEQUENCE +or +.Dv KRB5_AUTH_CONTEXT_RET_TIME +flags are set +they are also returned in the +.Fa outdata +parameter. +.Sh SEE ALSO +.Xr krb5_auth_con_init 3 , +.Xr krb5_rd_priv 3 , +.Xr krb5_rd_safe 3 diff --git a/crypto/heimdal/lib/krb5/krb5_openlog.3 b/crypto/heimdal/lib/krb5/krb5_openlog.3 index cb1ccc9ee930..4acad4175ae8 100644 --- a/crypto/heimdal/lib/krb5/krb5_openlog.3 +++ b/crypto/heimdal/lib/krb5/krb5_openlog.3 @@ -1,35 +1,35 @@ .\" Copyright (c) 1997, 1999, 2001 - 2002 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $Id: krb5_openlog.3,v 1.9 2003/04/16 13:58:12 lha Exp $ +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_openlog.3 12329 2003-05-26 14:09:04Z lha $ .Dd August 6, 1997 .Dt KRB5_OPENLOG 3 .Os HEIMDAL @@ -206,7 +206,7 @@ destination, otherwise not. Either of the min and max valued may be omitted, in this case min is assumed to be zero, and max is assumed to be infinity. If you don't include a dash, both min and max gets set to the specified value. If no range is specified, all messages gets logged. -.Sh EXAMPLE +.Sh EXAMPLES .Bd -literal -offset indent [logging] kdc = 0/FILE:/var/log/kdc.log @@ -223,6 +223,9 @@ other messages will be logged to syslog with priority and facility .Li LOG_USER . All other programs will log all messages to their stderr. +.Sh SEE ALSO +.Xr syslog 3 , +.Xr krb5.conf 5 .Sh BUGS These functions use .Fn asprintf @@ -237,6 +240,3 @@ thread-safe, depending on the implementation of .Fn openlog , and .Fn syslog . -.Sh SEE ALSO -.Xr syslog 3 , -.Xr krb5.conf 5 diff --git a/crypto/heimdal/lib/krb5/krb5_parse_name.3 b/crypto/heimdal/lib/krb5/krb5_parse_name.3 index b936c63d3f7d..e876ee3cb0b3 100644 --- a/crypto/heimdal/lib/krb5/krb5_parse_name.3 +++ b/crypto/heimdal/lib/krb5/krb5_parse_name.3 @@ -1,37 +1,37 @@ .\" Copyright (c) 1997 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $Id: krb5_parse_name.3,v 1.8 2003/04/16 13:58:17 lha Exp $ +.\" $Id: krb5_parse_name.3 17385 2006-05-01 08:48:55Z lha $ .\" -.Dd August 8, 1997 +.Dd May 1, 2006 .Dt KRB5_PARSE_NAME 3 .Os HEIMDAL .Sh NAME @@ -57,8 +57,8 @@ The string should consist of one or more name components separated with slashes optionally followed with an .Dq @ and a realm name. A slash or @ may be contained in a name component by -quoting it with a back-slash -.Pq Dq \ . +quoting it with a backslash +.Pq Dq \e . A realm should not contain slashes or colons. .Sh SEE ALSO .Xr krb5_425_conv_principal 3 , diff --git a/crypto/heimdal/lib/krb5/krb5_principal.3 b/crypto/heimdal/lib/krb5/krb5_principal.3 new file mode 100644 index 000000000000..1b0c2da32a97 --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_principal.3 @@ -0,0 +1,384 @@ +.\" Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_principal.3 21255 2007-06-21 04:36:31Z lha $ +.\" +.Dd May 1, 2006 +.Dt KRB5_PRINCIPAL 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_get_default_principal , +.Nm krb5_principal , +.Nm krb5_build_principal , +.Nm krb5_build_principal_ext , +.Nm krb5_build_principal_va , +.Nm krb5_build_principal_va_ext , +.Nm krb5_copy_principal , +.Nm krb5_free_principal , +.Nm krb5_make_principal , +.Nm krb5_parse_name , +.Nm krb5_parse_name_flags , +.Nm krb5_parse_nametype , +.Nm krb5_princ_realm , +.Nm krb5_princ_set_realm , +.Nm krb5_principal_compare , +.Nm krb5_principal_compare_any_realm , +.Nm krb5_principal_get_comp_string , +.Nm krb5_principal_get_realm , +.Nm krb5_principal_get_type , +.Nm krb5_principal_match , +.Nm krb5_principal_set_type , +.Nm krb5_realm_compare , +.Nm krb5_sname_to_principal , +.Nm krb5_sock_to_principal , +.Nm krb5_unparse_name , +.Nm krb5_unparse_name_flags , +.Nm krb5_unparse_name_fixed , +.Nm krb5_unparse_name_fixed_flags , +.Nm krb5_unparse_name_fixed_short , +.Nm krb5_unparse_name_short +.Nd Kerberos 5 principal handling functions +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Pp +.Li krb5_principal ; +.Ft void +.Fn krb5_free_principal "krb5_context context" "krb5_principal principal" +.Ft krb5_error_code +.Fn krb5_parse_name "krb5_context context" "const char *name" "krb5_principal *principal" +.Ft krb5_error_code +.Fn krb5_parse_name_flags "krb5_context context" "const char *name" "int flags" "krb5_principal *principal" +.Ft krb5_error_code +.Fn "krb5_unparse_name" "krb5_context context" "krb5_const_principal principal" "char **name" +.Ft krb5_error_code +.Fn "krb5_unparse_name_flags" "krb5_context context" "krb5_const_principal principal" "int flags" "char **name" +.Ft krb5_error_code +.Fn krb5_unparse_name_fixed "krb5_context context" "krb5_const_principal principal" "char *name" "size_t len" +.Ft krb5_error_code +.Fn krb5_unparse_name_fixed_flags "krb5_context context" "krb5_const_principal principal" "int flags" "char *name" "size_t len" +.Ft krb5_error_code +.Fn "krb5_unparse_name_short" "krb5_context context" "krb5_const_principal principal" "char **name" +.Ft krb5_error_code +.Fn krb5_unparse_name_fixed_short "krb5_context context" "krb5_const_principal principal" "char *name" "size_t len" +.Ft krb5_realm * +.Fn krb5_princ_realm "krb5_context context" "krb5_principal principal" +.Ft void +.Fn krb5_princ_set_realm "krb5_context context" "krb5_principal principal" "krb5_realm *realm" +.Ft krb5_error_code +.Fn krb5_build_principal "krb5_context context" "krb5_principal *principal" "int rlen" "krb5_const_realm realm" "..." +.Ft krb5_error_code +.Fn krb5_build_principal_va "krb5_context context" "krb5_principal *principal" "int rlen" "krb5_const_realm realm" "va_list ap" +.Ft krb5_error_code +.Fn "krb5_build_principal_ext" "krb5_context context" "krb5_principal *principal" "int rlen" "krb5_const_realm realm" "..." +.Ft krb5_error_code +.Fn krb5_build_principal_va_ext "krb5_context context" "krb5_principal *principal" "int rlen" "krb5_const_realm realm" "va_list ap" +.Ft krb5_error_code +.Fn krb5_make_principal "krb5_context context" "krb5_principal *principal" "krb5_const_realm realm" "..." +.Ft krb5_error_code +.Fn krb5_copy_principal "krb5_context context" "krb5_const_principal inprinc" "krb5_principal *outprinc" +.Ft krb5_boolean +.Fn krb5_principal_compare "krb5_context context" "krb5_const_principal princ1" "krb5_const_principal princ2" +.Ft krb5_boolean +.Fn krb5_principal_compare_any_realm "krb5_context context" "krb5_const_principal princ1" "krb5_const_principal princ2" +.Ft "const char *" +.Fn krb5_principal_get_comp_string "krb5_context context" "krb5_const_principal principal" "unsigned int component" +.Ft "const char *" +.Fn krb5_principal_get_realm "krb5_context context" "krb5_const_principal principal" +.Ft int +.Fn krb5_principal_get_type "krb5_context context" "krb5_const_principal principal" +.Ft krb5_boolean +.Fn krb5_principal_match "krb5_context context" "krb5_const_principal principal" "krb5_const_principal pattern" +.Ft void +.Fn krb5_principal_set_type "krb5_context context" "krb5_principal principal" "int type" +.Ft krb5_boolean +.Fn krb5_realm_compare "krb5_context context" "krb5_const_principal princ1" "krb5_const_principal princ2" +.Ft krb5_error_code +.Fn krb5_sname_to_principal "krb5_context context" "const char *hostname" "const char *sname" "int32_t type" "krb5_principal *ret_princ" +.Ft krb5_error_code +.Fn krb5_sock_to_principal "krb5_context context" "int socket" "const char *sname" "int32_t type" "krb5_principal *principal" +.Ft krb5_error_code +.Fn krb5_get_default_principal "krb5_context context" "krb5_principal *princ" +.Ft krb5_error_code +.Fn krb5_parse_nametype "krb5_context context" "const char *str" "int32_t *type" +.Sh DESCRIPTION +.Li krb5_principal +holds the name of a user or service in Kerberos. +.Pp +A principal has two parts, a +.Li PrincipalName +and a +.Li realm . +The PrincipalName consists of one or more components. In printed form, +the components are separated by /. +The PrincipalName also has a name-type. +.Pp +Examples of a principal are +.Li nisse/root@EXAMPLE.COM +and +.Li host/datan.kth.se@KTH.SE . +.Fn krb5_parse_name +and +.Fn krb5_parse_name_flags +passes a principal name in +.Fa name +to the kerberos principal structure. +.Fn krb5_parse_name_flags +takes an extra +.Fa flags +argument the following flags can be passed in +.Bl -tag -width Ds +.It Dv KRB5_PRINCIPAL_PARSE_NO_REALM +requries the input string to be without a realm, and no realm is +stored in the +.Fa principal +return argument. +.It Dv KRB5_PRINCIPAL_PARSE_MUST_REALM +requries the input string to with a realm. +.El +.Pp +.Fn krb5_unparse_name +and +.Fn krb5_unparse_name_flags +prints the principal +.Fa princ +to the string +.Fa name . +.Fa name +should be freed with +.Xr free 3 . +To the +.Fa flags +argument the following flags can be passed in +.Bl -tag -width Ds +.It Dv KRB5_PRINCIPAL_UNPARSE_SHORT +no realm if the realm is one of the local realms. +.It Dv KRB5_PRINCIPAL_UNPARSE_NO_REALM +never include any realm in the principal name. +.It Dv KRB5_PRINCIPAL_UNPARSE_DISPLAY +don't quote +.El +On failure +.Fa name +is set to +.Dv NULL . +.Fn krb5_unparse_name_fixed +and +.Fn krb5_unparse_name_fixed_flags +behaves just like +.Fn krb5_unparse , +but instead unparses the principal into a fixed size buffer. +.Pp +.Fn krb5_unparse_name_short +just returns the principal without the realm if the principal is +in the default realm. If the principal isn't, the full name is +returned. +.Fn krb5_unparse_name_fixed_short +works just like +.Fn krb5_unparse_name_short +but on a fixed size buffer. +.Pp +.Fn krb5_build_principal +builds a principal from the realm +.Fa realm +that has the length +.Fa rlen . +The following arguments form the components of the principal. +The list of components is terminated with +.Dv NULL . +.Pp +.Fn krb5_build_principal_va +works like +.Fn krb5_build_principal +using vargs. +.Pp +.Fn krb5_build_principal_ext +and +.Fn krb5_build_principal_va_ext +take a list of length-value pairs, the list is terminated with a zero +length. +.Pp +.Fn krb5_make_principal +works the same way as +.Fn krb5_build_principal , +except it figures out the length of the realm itself. +.Pp +.Fn krb5_copy_principal +makes a copy of a principal. +The copy needs to be freed with +.Fn krb5_free_principal . +.Pp +.Fn krb5_principal_compare +compares the two principals, including realm of the principals and returns +.Dv TRUE +if they are the same and +.Dv FALSE +if not. +.Pp +.Fn krb5_principal_compare_any_realm +works the same way as +.Fn krb5_principal_compare +but doesn't compare the realm component of the principal. +.Pp +.Fn krb5_realm_compare +compares the realms of the two principals and returns +.Dv TRUE +is they are the same, and +.Dv FALSE +if not. +.Pp +.Fn krb5_principal_match +matches a +.Fa principal +against a +.Fa pattern . +The pattern is a globbing expression, where each component (separated +by /) is matched against the corresponding component of the principal. +.Pp +The +.Fn krb5_principal_get_realm +and +.Fn krb5_principal_get_comp_string +functions return parts of the +.Fa principal , +either the realm or a specific component. +Both functions return string pointers to data inside the principal, so +they are valid only as long as the principal exists. +.Pp +The +.Fa component +argument to +.Fn krb5_principal_get_comp_string +is the index of the component to return, from zero to the total number of +components minus one. If the index is out of range +.Dv NULL +is returned. +.Pp +.Fn krb5_principal_get_realm +and +.Fn krb5_principal_get_comp_string +are replacements for +.Fn krb5_princ_realm , +.Fn krb5_princ_component +and related macros, described as internal in the MIT API +specification. +Unlike the macros, these functions return strings, not +.Dv krb5_data . +A reason to return +.Dv krb5_data +was that it was believed that principal components could contain +binary data, but this belief was unfounded, and it has been decided +that principal components are infact UTF8, so it's safe to use zero +terminated strings. +.Pp +It's generally not necessary to look at the components of a principal. +.Pp +.Fn krb5_principal_get_type +and +.Fn krb5_principal_set_type +get and sets the name type for a principal. +Name type handling is tricky and not often needed, +don't use this unless you know what you do. +.Pp +.Fn krb5_princ_realm +returns the realm component of the principal. +The caller must not free realm unless +.Fn krb5_princ_set_realm +is called to set a new realm after freeing the realm. +.Fn krb5_princ_set_realm +sets the realm component of a principal. The old realm is not freed. +.Pp +.Fn krb5_sname_to_principal +and +.Fn krb5_sock_to_principal +are for easy creation of +.Dq service +principals that can, for instance, be used to lookup a key in a keytab. +For both functions the +.Fa sname +parameter will be used for the first component of the created principal. +If +.Fa sname +is +.Dv NULL , +.Dq host +will be used instead. +.Pp +.Fn krb5_sname_to_principal +will use the passed +.Fa hostname +for the second component. +If +.Fa type +is +.Dv KRB5_NT_SRV_HST +this name will be looked up with +.Fn gethostbyname . +If +.Fa hostname +is +.Dv NULL , +the local hostname will be used. +.Pp +.Fn krb5_sock_to_principal +will use the +.Dq sockname +of the passed +.Fa socket , +which should be a bound +.Dv AF_INET +or +.Dv AF_INET6 +socket. +There must be a mapping between the address and +.Dq sockname . +The function may try to resolve the name in DNS. +.Pp +.Fn krb5_get_default_principal +tries to find out what's a reasonable default principal by looking at +the environment it is running in. +.Pp +.Fn krb5_parse_nametype +parses and returns the name type integer value in +.Fa type . +On failure the function returns an error code and set the error +string. +.\" .Sh EXAMPLES +.Sh SEE ALSO +.Xr krb5_425_conv_principal 3 , +.Xr krb5_config 3 , +.Xr krb5.conf 5 +.Sh BUGS +You can not have a NUL in a component in some of the variable argument +functions above. +Until someone can give a good example of where it would be a good idea +to have NUL's in a component, this will not be fixed. diff --git a/crypto/heimdal/lib/krb5/krb5_rcache.3 b/crypto/heimdal/lib/krb5/krb5_rcache.3 new file mode 100644 index 000000000000..0b7e83aa0717 --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_rcache.3 @@ -0,0 +1,163 @@ +.\" Copyright (c) 2004 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_rcache.3 17462 2006-05-05 13:18:39Z lha $ +.\" +.Dd May 1, 2006 +.Dt KRB5_RCACHE 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_rcache , +.Nm krb5_rc_close , +.Nm krb5_rc_default , +.Nm krb5_rc_default_name , +.Nm krb5_rc_default_type , +.Nm krb5_rc_destroy , +.Nm krb5_rc_expunge , +.Nm krb5_rc_get_lifespan , +.Nm krb5_rc_get_name , +.Nm krb5_rc_get_type , +.Nm krb5_rc_initialize , +.Nm krb5_rc_recover , +.Nm krb5_rc_resolve , +.Nm krb5_rc_resolve_full , +.Nm krb5_rc_resolve_type , +.Nm krb5_rc_store , +.Nm krb5_get_server_rcache +.Nd Kerberos 5 replay cache +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Pp +.Li "struct krb5_rcache;" +.Pp +.Ft krb5_error_code +.Fo krb5_rc_close +.Fa "krb5_context context" +.Fa "krb5_rcache id" +.Fc +.Ft krb5_error_code +.Fo krb5_rc_default +.Fa "krb5_context context" +.Fa "krb5_rcache *id" +.Fc +.Ft "const char *" +.Fo krb5_rc_default_name +.Fa "krb5_context context" +.Fc +.Ft "const char *" +.Fo krb5_rc_default_type +.Fa "krb5_context context" +.Fc +.Ft krb5_error_code +.Fo krb5_rc_destroy +.Fa "krb5_context context" +.Fa "krb5_rcache id" +.Fc +.Ft krb5_error_code +.Fo krb5_rc_expunge +.Fa "krb5_context context" +.Fa "krb5_rcache id" +.Fc +.Ft krb5_error_code +.Fo krb5_rc_get_lifespan +.Fa "krb5_context context" +.Fa "krb5_rcache id" +.Fa "krb5_deltat *auth_lifespan" +.Fc +.Ft "const char*" +.Fo krb5_rc_get_name +.Fa "krb5_context context" +.Fa "krb5_rcache id" +.Fc +.Ft "const char*" +.Fo "krb5_rc_get_type" +.Fa "krb5_context context" +.Fa "krb5_rcache id" +.Fc +.Ft krb5_error_code +.Fo krb5_rc_initialize +.Fa "krb5_context context" +.Fa "krb5_rcache id" +.Fa "krb5_deltat auth_lifespan" +.Fc +.Ft krb5_error_code +.Fo krb5_rc_recover +.Fa "krb5_context context" +.Fa "krb5_rcache id" +.Fc +.Ft krb5_error_code +.Fo krb5_rc_resolve +.Fa "krb5_context context" +.Fa "krb5_rcache id" +.Fa "const char *name" +.Fc +.Ft krb5_error_code +.Fo krb5_rc_resolve_full +.Fa "krb5_context context" +.Fa "krb5_rcache *id" +.Fa "const char *string_name" +.Fc +.Ft krb5_error_code +.Fo krb5_rc_resolve_type +.Fa "krb5_context context" +.Fa "krb5_rcache *id" +.Fa "const char *type" +.Fc +.Ft krb5_error_code +.Fo krb5_rc_store +.Fa "krb5_context context" +.Fa "krb5_rcache id" +.Fa "krb5_donot_replay *rep" +.Fc +.Ft krb5_error_code +.Fo krb5_get_server_rcache +.Fa "krb5_context context" +.Fa "const krb5_data *piece" +.Fa "krb5_rcache *id" +.Fc +.Sh DESCRIPTION +The +.Li krb5_rcache +structure holds a storage element that is used for data manipulation. +The structure contains no public accessible elements. +.Pp +.Fn krb5_rc_initialize +Creates the reply cache +.Fa id +and sets it lifespan to +.Fa auth_lifespan . +If the cache already exists, the content is destroyed. +.Sh SEE ALSO +.Xr krb5 3 , +.Xr krb5_data 3 , +.Xr kerberos 8 diff --git a/crypto/heimdal/lib/krb5/krb5_rd_error.3 b/crypto/heimdal/lib/krb5/krb5_rd_error.3 new file mode 100644 index 000000000000..00203cdae240 --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_rd_error.3 @@ -0,0 +1,98 @@ +.\" Copyright (c) 2004 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_rd_error.3 21059 2007-06-12 17:52:46Z lha $ +.\" +.Dd July 26, 2004 +.Dt KRB5_RD_ERROR 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_rd_error , +.Nm krb5_free_error , +.Nm krb5_free_error_contents , +.Nm krb5_error_from_rd_error +.Nd parse, free and read error from KRB-ERROR message +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Ft krb5_error_code +.Fo krb5_rd_error +.Fa "krb5_context context" +.Fa "const krb5_data *msg" +.Fa "KRB_ERROR *result" +.Fc +.Ft void +.Fo krb5_free_error +.Fa "krb5_context context" +.Fa "krb5_error *error" +.Fc +.Ft void +.Fo krb5_free_error_contents +.Fa "krb5_context context" +.Fa "krb5_error *error" +.Fc +.Ft krb5_error_code +.Fo krb5_error_from_rd_error +.Fa "krb5_context context" +.Fa "const krb5_error *error" +.Fa "const krb5_creds *creds" +.Fc +.Sh DESCRIPTION +Usually applications never needs to parse and understand Kerberos +error messages since higher level functions will parse and push up the +error in the krb5_context. +These functions are described for completeness. +.Pp +.Fn krb5_rd_error +parses and returns the kerboeros error message, the structure should be freed with +.Fn krb5_free_error_contents +when the caller is done with the structure. +.Pp +.Fn krb5_free_error +frees the content and the memory region holding the structure iself. +.Pp +.Fn krb5_free_error_contents +free the content of the KRB-ERROR message. +.Pp +.Fn krb5_error_from_rd_error +will parse the error message and set the error buffer in krb5_context +to the error string passed back or the matching error code in the +KRB-ERROR message. +Caller should pick up the message with +.Fn krb5_get_error_string 3 +(don't forget to free the returned string with +.Fn krb5_free_error_string ) . +.Sh SEE ALSO +.Xr krb5 3 , +.Xr krb5_set_error_string 3 , +.Xr krb5_get_error_string 3 , +.Xr krb5.conf 5 diff --git a/crypto/heimdal/lib/krb5/krb5_rd_safe.3 b/crypto/heimdal/lib/krb5/krb5_rd_safe.3 new file mode 100644 index 000000000000..d024ae48e206 --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_rd_safe.3 @@ -0,0 +1,81 @@ +.\" Copyright (c) 2003 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_rd_safe.3 17385 2006-05-01 08:48:55Z lha $ +.\" +.Dd May 1, 2006 +.Dt KRB5_RD_SAFE 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_rd_safe , +.Nm krb5_rd_priv +.Nd verifies authenticity of messages +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Pp +.Ft krb5_error_code +.Fn krb5_rd_priv "krb5_context context" "krb5_auth_context auth_context" "const krb5_data *inbuf" "krb5_data *outbuf" "krb5_replay_data *outdata" +.Ft krb5_error_code +.Fn krb5_rd_safe "krb5_context context" "krb5_auth_context auth_context" "const krb5_data *inbuf" "krb5_data *outbuf" "krb5_replay_data *outdata" +.Sh DESCRIPTION +.Fn krb5_rd_safe +and +.Fn krb5_rd_priv +parses +.Li KRB-SAFE +and +.Li KRB-PRIV +messages (as generated by +.Xr krb5_mk_safe 3 +and +.Xr krb5_mk_priv 3 ) +from +.Fa inbuf +and verifies its integrity. The user data part of the message in put +in +.Fa outbuf . +The encryption state, including keyblocks and addresses, is taken from +.Fa auth_context . +If the +.Dv KRB5_AUTH_CONTEXT_RET_SEQUENCE +or +.Dv KRB5_AUTH_CONTEXT_RET_TIME +flags are set in the +.Fa auth_context +the sequence number and time are returned in the +.Fa outdata +parameter. +.Sh SEE ALSO +.Xr krb5_auth_con_init 3 , +.Xr krb5_mk_priv 3 , +.Xr krb5_mk_safe 3 diff --git a/crypto/heimdal/lib/krb5/krb5_set_default_realm.3 b/crypto/heimdal/lib/krb5/krb5_set_default_realm.3 index e4b9a36c7cde..27467d816b3b 100644 --- a/crypto/heimdal/lib/krb5/krb5_set_default_realm.3 +++ b/crypto/heimdal/lib/krb5/krb5_set_default_realm.3 @@ -1,44 +1,45 @@ -.\" Copyright (c) 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $Id: krb5_set_default_realm.3,v 1.2 2003/04/16 13:58:11 lha Exp $ +.\" $Id: krb5_set_default_realm.3 17462 2006-05-05 13:18:39Z lha $ .\" -.Dd Mar 16, 2003 +.Dd April 24, 2005 .Dt KRB5_SET_DEFAULT_REALM 3 .Os HEIMDAL .Sh NAME -.Nm krb5_free_host_realm -.Nm krb5_get_default_realm -.Nm krb5_get_default_realms -.Nm krb5_get_host_realm +.Nm krb5_copy_host_realm , +.Nm krb5_free_host_realm , +.Nm krb5_get_default_realm , +.Nm krb5_get_default_realms , +.Nm krb5_get_host_realm , .Nm krb5_set_default_realm .Nd default and host realm read and manipulation routines .Sh LIBRARY @@ -46,6 +47,12 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Sh SYNOPSIS .In krb5.h .Ft krb5_error_code +.Fo krb5_copy_host_realm +.Fa "krb5_context context" +.Fa "const krb5_realm *from" +.Fa "krb5_realm **to" +.Fc +.Ft krb5_error_code .Fo krb5_free_host_realm .Fa "krb5_context context" .Fa "krb5_realm *realmlist" @@ -72,13 +79,22 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Fa "const char *realm" .Fc .Sh DESCRIPTION +.Fn krb5_copy_host_realm +copies the list of realms from +.Fa from +to +.Fa to . +.Fa to +should be freed by the caller using +.Fa krb5_free_host_realm . +.Pp .Fn krb5_free_host_realm frees all memory allocated by .Fa realmlist . .Pp .Fn krb5_get_default_realm returns the first default realm for this host. -The realm returned should be free with +The realm returned should be freed with .Fn free . .Pp .Fn krb5_get_default_realms @@ -87,7 +103,7 @@ returns a terminated list of default realms for this context. Realms returned by .Fn krb5_get_default_realms -should be free with +should be freed with .Fn krb5_free_host_realm . .Pp .Fn krb5_get_host_realm @@ -109,11 +125,11 @@ DNS is used to lookup the realm. .Pp When using .Li DNS -to a resolve the domain for the host a.b.c, +to a resolve the domain for the host a.b.c, .Fn krb5_get_host_realm looks for a .Dv TXT -resource record named +resource record named .Li _kerberos.a.b.c , and if not found, it strips off the first component and tries a again (_kerberos.b.c) until it reaches the root. @@ -123,6 +139,10 @@ If there is no configuration or DNS information found, assumes it can use the domain part of the .Fa host to form a realm. +Caller must free +.Fa realmlist +with +.Fn krb5_free_host_realm . .Pp .Fn krb5_set_default_realm sets the default realm for the @@ -140,5 +160,5 @@ If there is no such stanza in the configuration file, the .Fn krb5_get_host_realm function is used to form a default realm. .Sh SEE ALSO -.Xr krb5.conf 5 , -.Xr free 3 +.Xr free 3 , +.Xr krb5.conf 5 diff --git a/crypto/heimdal/lib/krb5/krb5_set_password.3 b/crypto/heimdal/lib/krb5/krb5_set_password.3 index e2e3086314f1..45ed41d477f6 100644 --- a/crypto/heimdal/lib/krb5/krb5_set_password.3 +++ b/crypto/heimdal/lib/krb5/krb5_set_password.3 @@ -1,4 +1,4 @@ -.\" Copyright (c) 2003 Kungliga Tekniska Högskolan +.\" Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan .\" (Royal Institute of Technology, Stockholm, Sweden). .\" All rights reserved. .\" @@ -29,15 +29,16 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $Id: krb5_set_password.3,v 1.3.2.1 2004/06/21 10:51:20 lha Exp $ +.\" $Id: krb5_set_password.3 14052 2004-07-15 14:39:06Z lha $ .\" -.Dd June 2, 2004 +.Dd July 15, 2004 .Dt KRB5_SET_PASSWORD 3 .Os HEIMDAL .Sh NAME .Nm krb5_change_password , .Nm krb5_set_password , -.Nm krb5_set_password_using_ccache +.Nm krb5_set_password_using_ccache , +.Nm krb5_passwd_result_to_string .Nd change password functions .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) @@ -57,7 +58,7 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Fa "krb5_context context" .Fa "krb5_creds *creds" .Fa "char *newpw" -.Fa "krb5_principal targprinc", +.Fa "krb5_principal targprinc" .Fa "int *result_code" .Fa "krb5_data *result_code_string" .Fa "krb5_data *result_string" @@ -72,17 +73,23 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Fa "krb5_data *result_code_string" .Fa "krb5_data *result_string" .Fc +.Ft "const char *" +.Fo krb5_passwd_result_to_string +.Fa "krb5_context context" +.Fa "int result" +.Fc .Sh DESCRIPTION These functions change the password for a given principal. .Pp .Fn krb5_set_password and -.Fa krb5_set_password_using_ccache -is the newer two of the three functions and uses a newer version of the -protocol (and falls back to the older when the newer doesn't work). +.Fn krb5_set_password_using_ccache +are the newer of the three functions, and use a newer version of the +protocol (and also fall back to the older set-password protocol if the +newer protocol doesn't work). .Pp .Fn krb5_change_password -set the password +sets the password .Fa newpasswd for the client principal in .Fa creds . @@ -90,20 +97,47 @@ The server principal of creds must be .Li kadmin/changepw . .Pp .Fn krb5_set_password -changes the password for the principal -.Fa targprinc , -if +and +.Fn krb5_set_password_using_ccache +change the password for the principal +.Fa targprinc . +.Pp +.Fn krb5_set_password +requires that the credential for +.Li kadmin/changepw@REALM +is in +.Fa creds . +If the user caller isn't an administrator, this credential +needs to be an initial credential, see +.Xr krb5_get_init_creds 3 +how to get such credentials. +.Pp +.Fn krb5_set_password_using_ccache +will get the credential from +.Fa ccache . +.Pp +If .Fa targprinc is -.Dv NULL -the default principal in +.Dv NULL , +.Fn krb5_set_password_using_ccache +uses the the default principal in .Fa ccache -is used. +and +.Fn krb5_set_password +uses the global the default principal. .Pp -Both functions returns and error in +All three functions return an error in .Fa result_code -and maybe an error strings to print in +and maybe an error string to print in .Fa result_string . +.Pp +.Fn krb5_passwd_result_to_string +returns an human readable string describing the error code in +.Fa result_code +from the +.Fn krb5_set_password +functions. .Sh SEE ALSO .Xr krb5_ccache 3 , .Xr krb5_init_context 3 diff --git a/crypto/heimdal/lib/krb5/krb5_storage.3 b/crypto/heimdal/lib/krb5/krb5_storage.3 new file mode 100644 index 000000000000..cc03c5b5e24a --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_storage.3 @@ -0,0 +1,427 @@ +.\" Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_storage.3 17884 2006-08-18 08:41:09Z lha $ +.\" +.Dd Aug 18, 2006 +.Dt KRB5_STORAGE 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_storage , +.Nm krb5_storage_emem , +.Nm krb5_storage_from_data , +.Nm krb5_storage_from_fd , +.Nm krb5_storage_from_mem , +.Nm krb5_storage_set_flags , +.Nm krb5_storage_clear_flags , +.Nm krb5_storage_is_flags , +.Nm krb5_storage_set_byteorder , +.Nm krb5_storage_get_byteorder , +.Nm krb5_storage_set_eof_code , +.Nm krb5_storage_seek , +.Nm krb5_storage_read , +.Nm krb5_storage_write , +.Nm krb5_storage_free , +.Nm krb5_storage_to_data , +.Nm krb5_store_int32 , +.Nm krb5_ret_int32 , +.Nm krb5_store_uint32 , +.Nm krb5_ret_uint32 , +.Nm krb5_store_int16 , +.Nm krb5_ret_int16 , +.Nm krb5_store_uint16 , +.Nm krb5_ret_uint16 , +.Nm krb5_store_int8 , +.Nm krb5_ret_int8 , +.Nm krb5_store_uint8 , +.Nm krb5_ret_uint8 , +.Nm krb5_store_data , +.Nm krb5_ret_data , +.Nm krb5_store_string , +.Nm krb5_ret_string , +.Nm krb5_store_stringnl , +.Nm krb5_ret_stringnl , +.Nm krb5_store_stringz , +.Nm krb5_ret_stringz , +.Nm krb5_store_principal , +.Nm krb5_ret_principal , +.Nm krb5_store_keyblock , +.Nm krb5_ret_keyblock , +.Nm krb5_store_times , +.Nm krb5_ret_times , +.Nm krb5_store_address , +.Nm krb5_ret_address , +.Nm krb5_store_addrs , +.Nm krb5_ret_addrs , +.Nm krb5_store_authdata , +.Nm krb5_ret_authdata , +.Nm krb5_store_creds , +.Nm krb5_ret_creds +.Nd operates on the Kerberos datatype krb5_storage +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Pp +.Li "struct krb5_storage;" +.Pp +.Ft "krb5_storage *" +.Fn krb5_storage_from_fd "int fd" +.Ft "krb5_storage *" +.Fn krb5_storage_emem "void" +.Ft "krb5_storage *" +.Fn krb5_storage_from_mem "void *buf" "size_t len" +.Ft "krb5_storage *" +.Fn krb5_storage_from_data "krb5_data *data" +.Ft void +.Fn krb5_storage_set_flags "krb5_storage *sp" "krb5_flags flags" +.Ft void +.Fn krb5_storage_clear_flags "krb5_storage *sp" "krb5_flags flags" +.Ft krb5_boolean +.Fn krb5_storage_is_flags "krb5_storage *sp" "krb5_flags flags" +.Ft void +.Fn krb5_storage_set_byteorder "krb5_storage *sp" "krb5_flags byteorder" +.Ft krb5_flags +.Fn krb5_storage_get_byteorder "krb5_storage *sp" "krb5_flags byteorder" +.Ft void +.Fn krb5_storage_set_eof_code "krb5_storage *sp" "int code" +.Ft off_t +.Fn krb5_storage_seek "krb5_storage *sp" "off_t offset" "int whence" +.Ft krb5_ssize_t +.Fn krb5_storage_read "krb5_storage *sp" "void *buf" "size_t len" +.Ft krb5_ssize_t +.Fn krb5_storage_write "krb5_storage *sp" "const void *buf" "size_t len" +.Ft krb5_error_code +.Fn krb5_storage_free "krb5_storage *sp" +.Ft krb5_error_code +.Fn krb5_storage_to_data "krb5_storage *sp" "krb5_data *data" +.Ft krb5_error_code +.Fn krb5_store_int32 "krb5_storage *sp" "int32_t value" +.Ft krb5_error_code +.Fn krb5_ret_int32 "krb5_storage *sp" "int32_t *value" +.Ft krb5_error_code +.Fn krb5_ret_uint32 "krb5_storage *sp" "uint32_t *value" +.Ft krb5_error_code +.Fn krb5_store_uint32 "krb5_storage *sp" "uint32_t value" +.Ft krb5_error_code +.Fn krb5_store_int16 "krb5_storage *sp" "int16_t value" +.Ft krb5_error_code +.Fn krb5_ret_int16 "krb5_storage *sp" "int16_t *value" +.Ft krb5_error_code +.Fn krb5_store_uint16 "krb5_storage *sp" "uint16_t value" +.Ft krb5_error_code +.Fn krb5_ret_uint16 "krb5_storage *sp" "u_int16_t *value" +.Ft krb5_error_code +.Fn krb5_store_int8 "krb5_storage *sp" "int8_t value" +.Ft krb5_error_code +.Fn krb5_ret_int8 "krb5_storage *sp" "int8_t *value" +.Ft krb5_error_code +.Fn krb5_store_uint8 "krb5_storage *sp" "u_int8_t value" +.Ft krb5_error_code +.Fn krb5_ret_uint8 "krb5_storage *sp" "u_int8_t *value" +.Ft krb5_error_code +.Fn krb5_store_data "krb5_storage *sp" "krb5_data data" +.Ft krb5_error_code +.Fn krb5_ret_data "krb5_storage *sp" "krb5_data *data" +.Ft krb5_error_code +.Fn krb5_store_string "krb5_storage *sp" "const char *s" +.Ft krb5_error_code +.Fn krb5_ret_string "krb5_storage *sp" "char **string" +.Ft krb5_error_code +.Fn krb5_store_stringnl "krb5_storage *sp" "const char *s" +.Ft krb5_error_code +.Fn krb5_ret_stringnl "krb5_storage *sp" "char **string" +.Ft krb5_error_code +.Fn krb5_store_stringz "krb5_storage *sp" "const char *s" +.Ft krb5_error_code +.Fn krb5_ret_stringz "krb5_storage *sp" "char **string" +.Ft krb5_error_code +.Fn krb5_store_principal "krb5_storage *sp" "krb5_const_principal p" +.Ft krb5_error_code +.Fn krb5_ret_principal "krb5_storage *sp" "krb5_principal *princ" +.Ft krb5_error_code +.Fn krb5_store_keyblock "krb5_storage *sp" "krb5_keyblock p" +.Ft krb5_error_code +.Fn krb5_ret_keyblock "krb5_storage *sp" "krb5_keyblock *p" +.Ft krb5_error_code +.Fn krb5_store_times "krb5_storage *sp" "krb5_times times" +.Ft krb5_error_code +.Fn krb5_ret_times "krb5_storage *sp" "krb5_times *times" +.Ft krb5_error_code +.Fn krb5_store_address "krb5_storage *sp" "krb5_address p" +.Ft krb5_error_code +.Fn krb5_ret_address "krb5_storage *sp" "krb5_address *adr" +.Ft krb5_error_code +.Fn krb5_store_addrs "krb5_storage *sp" "krb5_addresses p" +.Ft krb5_error_code +.Fn krb5_ret_addrs "krb5_storage *sp" "krb5_addresses *adr" +.Ft krb5_error_code +.Fn krb5_store_authdata "krb5_storage *sp" "krb5_authdata auth" +.Ft krb5_error_code +.Fn krb5_ret_authdata "krb5_storage *sp" "krb5_authdata *auth" +.Ft krb5_error_code +.Fn krb5_store_creds "krb5_storage *sp" "krb5_creds *creds" +.Ft krb5_error_code +.Fn krb5_ret_creds "krb5_storage *sp" "krb5_creds *creds" +.Sh DESCRIPTION +The +.Li krb5_storage +structure holds a storage element that is used for data manipulation. +The structure contains no public accessible elements. +.Pp +.Fn krb5_storage_emem +create a memory based krb5 storage unit that dynamicly resized to the +ammount of data stored in. +The storage never returns errors, on memory allocation errors +.Xr exit 3 +will be called. +.Pp +.Fn krb5_storage_from_data +create a krb5 storage unit that will read is data from a +.Li krb5_data . +There is no copy made of the +.Fa data , +so the caller must not free +.Fa data +until the storage is freed. +.Pp +.Fn krb5_storage_from_fd +create a krb5 storage unit that will read is data from a +file descriptor. +The descriptor must be seekable if +.Fn krb5_storage_seek +is used. +Caller must not free the file descriptor before the storage is freed. +.Pp +.Fn krb5_storage_from_mem +create a krb5 storage unit that will read is data from a +memory region. +There is no copy made of the +.Fa data , +so the caller must not free +.Fa data +until the storage is freed. +.Pp +.Fn krb5_storage_set_flags +and +.Fn krb5_storage_clear_flags +modifies the behavior of the storage functions. +.Fn krb5_storage_is_flags +tests if the +.Fa flags +are set on the +.Li krb5_storage . +Valid flags to set, is and clear is are: +.Pp +.Bl -tag -width "Fan vet..." -compact -offset indent +.It KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS +Stores the number of principal componets one too many when storing +principal namees, used for compatibility with version 1 of file +keytabs and version 1 of file credential caches. +.It KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE +Doesn't store the name type in when storing a principal name, used for +compatibility with version 1 of file keytabs and version 1 of file +credential caches. +.It KRB5_STORAGE_KEYBLOCK_KEYTYPE_TWICE +Stores the keyblock type twice storing a keyblock, used for +compatibility version 3 of file credential caches. +.It KRB5_STORAGE_BYTEORDER_MASK +bitmask that can be used to and out what type of byte order order is used. +.It KRB5_STORAGE_BYTEORDER_BE +Store integers in in big endian byte order, this is the default mode. +.It KRB5_STORAGE_BYTEORDER_LE +Store integers in in little endian byte order. +.It KRB5_STORAGE_BYTEORDER_HOST +Stores the integers in host byte order, used for compatibility with +version 1 of file keytabs and version 1 and 2 of file credential +caches. +.It KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER +Store the credential flags in a krb5_creds in the reverse bit order. +.El +.Pp +.Fn krb5_storage_set_byteorder +and +.Fn krb5_storage_get_byteorder +modifies the byte order used in the storage for integers. +The flags used is same as above. +The valid flags are +.Dv KRB5_STORAGE_BYTEORDER_BE , +.Dv KRB5_STORAGE_BYTEORDER_LE +and +.Dv KRB5_STORAGE_BYTEORDER_HOST . +.Pp +.Fn krb5_storage_set_eof_code +sets the error code that will be returned on end of file condition to +.Fa code . +.Pp +.Fn krb5_storage_seek +seeks +.Fa offset +bytes in the storage +.Fa sp . +The +.Fa whence +argument is one of +.Bl -tag -width SEEK_SET -compact -offset indent +.It SEEK_SET +offset is from begining of storage. +.It SEEK_CUR +offset is relative from current offset. +.It SEEK_END +offset is from end of storage. +.El +.Pp +.Fn krb5_storage_read +reads +.Fa len +(or less bytes in case of end of file) into +.Fa buf +from the current offset in the storage +.Fa sp . +.Pp +.Fn krb5_storage_write +writes +.Fa len +or (less bytes in case of end of file) from +.Fa buf +from the current offset in the storage +.Fa sp . +.Pp +.Fn krb5_storage_free +frees the storage +.Fa sp . +.Pp +.Fn krb5_storage_to_data +converts the data in storage +.Fa sp +into a +.Li krb5_data +structure. +.Fa data +must be freed with +.Fn krb5_data_free +by the caller when done with the +.Fa data . +.Pp +All +.Li krb5_store +and +.Li krb5_ret +functions move the current offset forward when the functions returns. +.Pp +.Fn krb5_store_int32 , +.Fn krb5_ret_int32 , +.Fn krb5_store_uint32 , +.Fn krb5_ret_uint32 , +.Fn krb5_store_int16 , +.Fn krb5_ret_int16 , +.Fn krb5_store_uint16 , +.Fn krb5_ret_uint16 , +.Fn krb5_store_int8 , +.Fn krb5_ret_int8 +.Fn krb5_store_uint8 , +and +.Fn krb5_ret_uint8 +stores and reads an integer from +.Fa sp +in the byte order specified by the flags set on the +.Fa sp . +.Pp +.Fn krb5_store_data +and +.Fn krb5_ret_data +store and reads a krb5_data. +The length of the data is stored with +.Fn krb5_store_int32 . +.Pp +.Fn krb5_store_string +and +.Fn krb5_ret_string +store and reads a string by storing the length of the string with +.Fn krb5_store_int32 +followed by the string itself. +.Pp +.Fn krb5_store_stringnl +and +.Fn krb5_ret_stringnl +store and reads a string by storing string followed by a +.Dv '\n' . +.Pp +.Fn krb5_store_stringz +and +.Fn krb5_ret_stringz +store and reads a string by storing string followed by a +.Dv NUL . +.Pp +.Fn krb5_store_principal +and +.Fn krb5_ret_principal +store and reads a principal. +.Pp +.Fn krb5_store_keyblock +and +.Fn krb5_ret_keyblock +store and reads a +.Li krb5_keyblock . +.Pp +.Fn krb5_store_times +.Fn krb5_ret_times +store and reads +.Li krb5_times +structure . +.Pp +.Fn krb5_store_address +and +.Fn krb5_ret_address +store and reads a +.Li krb5_address . +.Pp +.Fn krb5_store_addrs +and +.Fn krb5_ret_addrs +store and reads a +.Li krb5_addresses . +.Pp +.Fn krb5_store_authdata +and +.Fn krb5_ret_authdata +store and reads a +.Li krb5_authdata . +.Pp +.Fn krb5_store_creds +and +.Fn krb5_ret_creds +store and reads a +.Li krb5_creds . +.Sh SEE ALSO +.Xr krb5 3 , +.Xr krb5_data 3 , +.Xr kerberos 8 diff --git a/crypto/heimdal/lib/krb5/krb5_string_to_key.3 b/crypto/heimdal/lib/krb5/krb5_string_to_key.3 new file mode 100644 index 000000000000..cf96f4e013bf --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_string_to_key.3 @@ -0,0 +1,156 @@ +.\" Copyright (c) 2004 - 2006 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_string_to_key.3 17820 2006-07-10 14:28:01Z lha $ +.\" +.Dd July 10, 2006 +.Dt KRB5_STRING_TO_KEY 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_string_to_key , +.Nm krb5_string_to_key_data , +.Nm krb5_string_to_key_data_salt , +.Nm krb5_string_to_key_data_salt_opaque , +.Nm krb5_string_to_key_salt , +.Nm krb5_string_to_key_salt_opaque , +.Nm krb5_get_pw_salt , +.Nm krb5_free_salt +.Nd turns a string to a Kerberos key +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Ft krb5_error_code +.Fo krb5_string_to_key +.Fa "krb5_context context" +.Fa "krb5_enctype enctype" +.Fa "const char *password" +.Fa "krb5_principal principal" +.Fa "krb5_keyblock *key" +.Fc +.Ft krb5_error_code +.Fo krb5_string_to_key_data +.Fa "krb5_context context" +.Fa "krb5_enctype enctype" +.Fa "krb5_data password" +.Fa "krb5_principal principal" +.Fa "krb5_keyblock *key" +.Fc +.Ft krb5_error_code +.Fo krb5_string_to_key_data_salt +.Fa "krb5_context context" +.Fa "krb5_enctype enctype" +.Fa "krb5_data password" +.Fa "krb5_salt salt" +.Fa "krb5_keyblock *key" +.Fc +.Ft krb5_error_code +.Fo krb5_string_to_key_data_salt_opaque +.Fa "krb5_context context" +.Fa "krb5_enctype enctype" +.Fa "krb5_data password" +.Fa "krb5_salt salt" +.Fa "krb5_data opaque" +.Fa "krb5_keyblock *key" +.Fc +.Ft krb5_error_code +.Fo krb5_string_to_key_salt +.Fa "krb5_context context" +.Fa "krb5_enctype enctype" +.Fa "const char *password" +.Fa "krb5_salt salt" +.Fa "krb5_keyblock *key" +.Fc +.Ft krb5_error_code +.Fo krb5_string_to_key_salt_opaque +.Fa "krb5_context context" +.Fa "krb5_enctype enctype" +.Fa "const char *password" +.Fa "krb5_salt salt" +.Fa "krb5_data opaque" +.Fa "krb5_keyblock *key" +.Fc +.Ft krb5_error_code +.Fo krb5_get_pw_salt +.Fa "krb5_context context" +.Fa "krb5_const_principal principal" +.Fa "krb5_salt *salt" +.Fc +.Ft krb5_error_code +.Fo krb5_free_salt +.Fa "krb5_context context" +.Fa "krb5_salt salt" +.Fc +.Sh DESCRIPTION +The string to key functions convert a string to a kerberos key. +.Pp +.Fn krb5_string_to_key_data_salt_opaque +is the function that does all the work, the rest of the functions are +just wrapers around +.Fn krb5_string_to_key_data_salt_opaque +that calls it with default values. +.Pp +.Fn krb5_string_to_key_data_salt_opaque +transforms the +.Fa password +with the given salt-string +.Fa salt +and the opaque, encryption type specific parameter +.Fa opaque +to a encryption key +.Fa key +according to the string to key function associated with +.Fa enctype . +.Pp +The +.Fa key +should be freed with +.Fn krb5_free_keyblock_contents . +.Pp +If one of the functions that doesn't take a +.Li krb5_salt +as it argument +.Fn krb5_get_pw_salt +is used to get the salt value. +.Pp +.Fn krb5_get_pw_salt +get the default password salt for a principal, use +.Fn krb5_free_salt +to free the salt when done. +.Pp +.Fn krb5_free_salt +frees the content of +.Fa salt . +.Sh SEE ALSO +.Xr krb5 3 , +.Xr krb5_data 3 , +.Xr krb5_keyblock 3 , +.Xr kerberos 8 diff --git a/crypto/heimdal/lib/krb5/krb5_ticket.3 b/crypto/heimdal/lib/krb5/krb5_ticket.3 new file mode 100644 index 000000000000..4f6d45ba5765 --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_ticket.3 @@ -0,0 +1,137 @@ +.\" Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_ticket.3 19543 2006-12-28 20:48:50Z lha $ +.\" +.Dd May 1, 2006 +.Dt KRB5_TICKET 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_ticket , +.Nm krb5_free_ticket , +.Nm krb5_copy_ticket , +.Nm krb5_ticket_get_authorization_data_type , +.Nm krb5_ticket_get_client , +.Nm krb5_ticket_get_server , +.Nm krb5_ticket_get_endtime +.Nd Kerberos 5 ticket access and handling functions +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Pp +.Li krb5_ticket ; +.Pp +.Ft krb5_error_code +.Fo krb5_free_ticket +.Fa "krb5_context context" +.Fa "krb5_ticket *ticket" +.Fc +.Ft krb5_error_code +.Fo krb5_copy_ticket +.Fa "krb5_context context" +.Fa "const krb5_ticket *from" +.Fa "krb5_ticket **to" +.Fc +.Ft krb5_error_code +.Fo krb5_ticket_get_authorization_data_type +.Fa "krb5_context context" +.Fa "krb5_ticket *ticket" +.Fa "int type" +.Fa "krb5_data *data" +.Fc +.Ft krb5_error_code +.Fo krb5_ticket_get_client +.Fa "krb5_context context" +.Fa "const krb5_ticket *ticket" +.Fa "krb5_principal *client" +.Fc +.Ft krb5_error_code +.Fo krb5_ticket_get_server +.Fa "krb5_context context" +.Fa "const krb5_ticket *ticket" +.Fa "krb5_principal *server" +.Fc +.Ft time_t +.Fo krb5_ticket_get_endtime +.Fa "krb5_context context" +.Fa "const krb5_ticket *ticket" +.Fc +.Sh DESCRIPTION +.Li krb5_ticket +holds a kerberos ticket. +The internals of the structure should never be accessed directly, +functions exist for extracting information. +.Pp +.Fn krb5_free_ticket +frees the +.Fa ticket +and its content. +Used to free the result of +.Fn krb5_copy_ticket +and +.Fn krb5_recvauth . +.Pp +.Fn krb5_copy_ticket +copies the content of the ticket +.Fa from +to the ticket +.Fa to . +The result +.Fa to +should be freed with +.Fn krb5_free_ticket . +.Pp +.Fn krb5_ticket_get_authorization_data_type +fetches the authorization data of the type +.Fa type +from the +.Fa ticket . +If there isn't any authorization data of type +.Fa type , +.Dv ENOENT +is returned. +.Fa data +needs to be freed with +.Fn krb5_data_free +on success. +.Pp +.Fn krb5_ticket_get_client +and +.Fn krb5_ticket_get_server +returns a copy of the client/server principal from the ticket. +The principal returned should be free using +.Xr krb5_free_principal 3 . +.Pp +.Fn krb5_ticket_get_endtime +return the end time of the ticket. +.Sh SEE ALSO +.Xr krb5 3 diff --git a/crypto/heimdal/lib/krb5/krb5_timeofday.3 b/crypto/heimdal/lib/krb5/krb5_timeofday.3 index 6d5dbb3ddf56..4163cc1b7165 100644 --- a/crypto/heimdal/lib/krb5/krb5_timeofday.3 +++ b/crypto/heimdal/lib/krb5/krb5_timeofday.3 @@ -1,57 +1,118 @@ -.\" Copyright (c) 2001 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $Id: krb5_timeofday.3,v 1.5 2003/04/16 13:58:18 lha Exp $ -.\" -.Dd July 1, 2001 +.\" $Id: krb5_timeofday.3 18093 2006-09-16 09:27:28Z lha $ +.\" +.\" Copyright (c) 2001, 2003, 2006 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_timeofday.3 18093 2006-09-16 09:27:28Z lha $ +.\" +.Dd Sepember 16, 2006 .Dt KRB5_TIMEOFDAY 3 +.Os HEIMDAL .Sh NAME .Nm krb5_timeofday , -.Nm krb5_us_timeofday -.Nd whatever these functions do +.Nm krb5_set_real_time , +.Nm krb5_us_timeofday , +.Nm krb5_format_time , +.Nm krb5_string_to_deltat +.Nd Kerberos 5 time handling functions .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) .Sh SYNOPSIS .In krb5.h -.Ft "krb5_error_code" -.Fn krb5_timeofday "krb5_context context" "krb5_timestamp *timeret" -.Ft "krb5_error_code" -.Fn krb5_us_timeofday "krb5_context context" "int32_t *sec" "int32_t *usec" +.Pp +.Li krb5_timestamp ; +.Pp +.Li krb5_deltat ; +.Ft krb5_error_code +.Fo krb5_set_real_time +.Fa "krb5_context context" +.Fa "krb5_timestamp sec" +.Fa "int32_t usec" +.Fc +.Ft krb5_error_code +.Fo krb5_timeofday +.Fa "krb5_context context" +.Fa "krb5_timestamp *timeret" +.Fc +.Ft krb5_error_code +.Fo krb5_us_timeofday +.Fa "krb5_context context" +.Fa "krb5_timestamp *sec" +.Fa "int32_t *usec" +.Fc +.Ft krb5_error_code +.Fo krb5_format_time +.Fa "krb5_context context" +.Fa "time_t t" +.Fa "char *s" +.Fa "size_t len" +.Fa "krb5_boolean include_time" +.Fc +.Ft krb5_error_code +.Fo krb5_string_to_deltat +.Fa "const char *string" +.Fa "krb5_deltat *deltat" +.Fc .Sh DESCRIPTION +.Nm krb5_set_real_time +sets the absolute time that the caller knows the KDC has. +With this the Kerberos library can calculate the relative +difference between the KDC time and the local system time and store it +in the +.Fa context . +With this information the Kerberos library can adjust all time stamps +in Kerberos packages. +.Pp .Fn krb5_timeofday returns the current time, but adjusted with the time difference between the local host and the KDC. .Fn krb5_us_timeofday also returns microseconds. .Pp -.\".Sh EXAMPLE +.Nm krb5_format_time +formats the time +.Fa t +into the string +.Fa s +of length +.Fa len . +If +.Fa include_time +is set, the time is set include_time. +.Pp +.Nm krb5_string_to_deltat +parses delta time +.Fa string +into +.Fa deltat . .Sh SEE ALSO -.Xr gettimeofday 2 +.Xr gettimeofday 2 , +.Xr krb5 3 diff --git a/crypto/heimdal/lib/krb5/krb5_unparse_name.3 b/crypto/heimdal/lib/krb5/krb5_unparse_name.3 index ed96c5d34fe8..274d638d6694 100644 --- a/crypto/heimdal/lib/krb5/krb5_unparse_name.3 +++ b/crypto/heimdal/lib/krb5/krb5_unparse_name.3 @@ -1,35 +1,35 @@ .\" Copyright (c) 1997 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $Id: krb5_unparse_name.3,v 1.8 2003/04/16 13:58:18 lha Exp $ +.\" $Id: krb5_unparse_name.3 12329 2003-05-26 14:09:04Z lha $ .\" .Dd August 8, 1997 .Dt KRB5_UNPARSE_NAME 3 diff --git a/crypto/heimdal/lib/krb5/krb5_verify_init_creds.3 b/crypto/heimdal/lib/krb5/krb5_verify_init_creds.3 new file mode 100644 index 000000000000..9a34648981b4 --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb5_verify_init_creds.3 @@ -0,0 +1,103 @@ +.\" Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_verify_init_creds.3 22071 2007-11-14 20:04:50Z lha $ +.\" +.Dd May 1, 2006 +.Dt KRB5_VERIFY_INIT_CREDS 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_verify_init_creds_opt_init , +.Nm krb5_verify_init_creds_opt_set_ap_req_nofail , +.Nm krb5_verify_init_creds +.Nd "verifies a credential cache is correct by using a local keytab" +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Pp +.Li "struct krb5_verify_init_creds_opt;" +.Ft void +.Fo krb5_verify_init_creds_opt_init +.Fa "krb5_verify_init_creds_opt *options" +.Fc +.Ft void +.Fo krb5_verify_init_creds_opt_set_ap_req_nofail +.Fa "krb5_verify_init_creds_opt *options" +.Fa "int ap_req_nofail" +.Fc +.Ft krb5_error_code +.Fo krb5_verify_init_creds +.Fa "krb5_context context" +.Fa "krb5_creds *creds" +.Fa "krb5_principal ap_req_server" +.Fa "krb5_ccache *ccache" +.Fa "krb5_verify_init_creds_opt *options" +.Fc +.Sh DESCRIPTION +The +.Nm krb5_verify_init_creds +function verifies the initial tickets with the local keytab to make +sure the response of the KDC was spoof-ed. +.Pp +.Nm krb5_verify_init_creds +will use principal +.Fa ap_req_server +from the local keytab, if +.Dv NULL +is passed in, the code will guess the local hostname and use that to +form host/hostname/GUESSED-REALM-FOR-HOSTNAME. +.Fa creds +is the credential that +.Nm krb5_verify_init_creds +should verify. +If +.Fa ccache +is given +.Fn krb5_verify_init_creds +stores all credentials it fetched from the KDC there, otherwise it +will use a memory credential cache that is destroyed when done. +.Pp +.Fn krb5_verify_init_creds_opt_init +cleans the the structure, must be used before trying to pass it in to +.Fn krb5_verify_init_creds . +.Pp +.Fn krb5_verify_init_creds_opt_set_ap_req_nofail +controls controls the behavior if +.Fa ap_req_server +doesn't exists in the local keytab or in the KDC's database, if it's +true, the error will be ignored. Note that this use is possible +insecure. +.Sh SEE ALSO +.Xr krb5 3 , +.Xr krb5_get_init_creds 3 , +.Xr krb5_verify_user 3 , +.Xr krb5.conf 5 diff --git a/crypto/heimdal/lib/krb5/krb5_verify_user.3 b/crypto/heimdal/lib/krb5/krb5_verify_user.3 index 1357ef186ebe..8086bc04baf4 100644 --- a/crypto/heimdal/lib/krb5/krb5_verify_user.3 +++ b/crypto/heimdal/lib/krb5/krb5_verify_user.3 @@ -1,49 +1,52 @@ -.\" Copyright (c) 2001 - 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 2001 - 2006 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $Id: krb5_verify_user.3,v 1.10 2003/04/16 13:58:11 lha Exp $ -.\" -.Dd March 25, 2003 +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_verify_user.3 22071 2007-11-14 20:04:50Z lha $ +.\" +.Dd May 1, 2006 .Dt KRB5_VERIFY_USER 3 .Os HEIMDAL .Sh NAME .Nm krb5_verify_user , .Nm krb5_verify_user_lrealm , .Nm krb5_verify_user_opt , -.Nm krb5_verify_opt_init +.Nm krb5_verify_opt_init , +.Nm krb5_verify_opt_alloc , +.Nm krb5_verify_opt_free , +.Nm krb5_verify_opt_set_ccache , .Nm krb5_verify_opt_set_flags , .Nm krb5_verify_opt_set_service , .Nm krb5_verify_opt_set_secure , .Nm krb5_verify_opt_set_keytab -.Nd Heimdal password verifying functions. +.Nd Heimdal password verifying functions .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) .Sh SYNOPSIS @@ -55,6 +58,10 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Ft void .Fn krb5_verify_opt_init "krb5_verify_opt *opt" .Ft void +.Fn krb5_verify_opt_alloc "krb5_verify_opt **opt" +.Ft void +.Fn krb5_verify_opt_free "krb5_verify_opt *opt" +.Ft void .Fn krb5_verify_opt_set_ccache "krb5_verify_opt *opt" "krb5_ccache ccache" .Ft void .Fn krb5_verify_opt_set_keytab "krb5_verify_opt *opt" "krb5_keytab keytab" @@ -79,7 +86,7 @@ The principal whose password will be verified is specified in .Fa principal . New tickets will be obtained as a side-effect and stored in .Fa ccache -(if +(if .Dv NULL , the default ccache is used). .Fn krb5_verify_user @@ -109,7 +116,7 @@ if given as ). .Pp The -.Nm krb5_verify_user_lrealm +.Fn krb5_verify_user_lrealm function does the same, except that it ignores the realm in .Fa principal and tries all the local realms (see @@ -119,11 +126,20 @@ realm. If the call fails, the principal will not be meaningful, and should only be freed with .Xr krb5_free_principal 3 . .Pp +.Fn krb5_verify_opt_alloc +and +.Fn krb5_verify_opt_free +allocates and frees a +.Li krb5_verify_opt . +You should use the the alloc and free function instead of allocation +the structure yourself, this is because in a future release the +structure wont be exported. +.Pp .Fn krb5_verify_opt_init resets all opt to default values. .Pp None of the krb5_verify_opt_set function makes a copy of the data -structure that they are called with. Its up the caller to free them +structure that they are called with. It's up the caller to free them after the .Fn krb5_verify_user_opt is called. @@ -180,7 +196,7 @@ The principal whose password will be verified is specified in .Fa principal . Options the to the verification process is pass in in .Fa opt . -.Sh EXAMPLE +.Sh EXAMPLES Here is a example program that verifies a password. it uses the .Ql host/`hostname` service principal in @@ -215,10 +231,10 @@ main(int argc, char **argv) } .Ed .Sh SEE ALSO -.Xr krb5_err 3 , .Xr krb5_cc_gen_new 3 , -.Xr krb5_cc_resolve 3 , .Xr krb5_cc_initialize 3 , +.Xr krb5_cc_resolve 3 , +.Xr krb5_err 3 , .Xr krb5_free_principal 3 , .Xr krb5_init_context 3 , .Xr krb5_kt_default 3 , diff --git a/crypto/heimdal/lib/krb5/krb5_warn.3 b/crypto/heimdal/lib/krb5/krb5_warn.3 index 7ed4b31fbc1d..5610cd8dc42e 100644 --- a/crypto/heimdal/lib/krb5/krb5_warn.3 +++ b/crypto/heimdal/lib/krb5/krb5_warn.3 @@ -1,32 +1,86 @@ -.\" Copyright (c) 1997 Kungliga Tekniska Högskolan -.\" $Id: krb5_warn.3,v 1.7 2003/04/16 19:31:49 lha Exp $ -.Dd August 8, 1997 +.\" Copyright (c) 1997, 2001 - 2006 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: krb5_warn.3 19085 2006-11-21 07:55:20Z lha $ +.\" +.Dd May 1, 2006 .Dt KRB5_WARN 3 .Os HEIMDAL .Sh NAME -.Nm krb5_warn , -.Nm krb5_warnx , -.Nm krb5_vwarn , -.Nm krb5_vwarnx , +.Nm krb5_abort , +.Nm krb5_abortx , +.Nm krb5_clear_error_string , .Nm krb5_err , .Nm krb5_errx , +.Nm krb5_free_error_string , +.Nm krb5_get_err_text , +.Nm krb5_get_error_message , +.Nm krb5_get_error_string , +.Nm krb5_have_error_string , +.Nm krb5_set_error_string , +.Nm krb5_set_warn_dest , +.Nm krb5_get_warn_dest , +.Nm krb5_vabort , +.Nm krb5_vabortx , .Nm krb5_verr , .Nm krb5_verrx , -.Nm krb5_set_warn_dest +.Nm krb5_vset_error_string , +.Nm krb5_vwarn , +.Nm krb5_vwarnx , +.Nm krb5_warn , +.Nm krb5_warnx .Nd Heimdal warning and error functions .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) .Sh SYNOPSIS .In krb5.h .Ft krb5_error_code +.Fn krb5_abort "krb5_context context" "krb5_error_code code" "const char *fmt" "..." +.Ft krb5_error_code +.Fn krb5_abortx "krb5_context context" "krb5_error_code code" "const char *fmt" "..." +.Ft void +.Fn krb5_clear_error_string "krb5_context context" +.Ft krb5_error_code .Fn krb5_err "krb5_context context" "int eval" "krb5_error_code code" "const char *format" "..." .Ft krb5_error_code .Fn krb5_errx "krb5_context context" "int eval" "const char *format" "..." +.Ft void +.Fn krb5_free_error_string "krb5_context context" "char *str" .Ft krb5_error_code .Fn krb5_verr "krb5_context context" "int eval" "krb5_error_code code" "const char *format" "va_list ap" .Ft krb5_error_code .Fn krb5_verrx "krb5_context context" "int eval" "const char *format" "va_list ap" .Ft krb5_error_code +.Fn krb5_vset_error_string "krb5_context context" "const char *fmt" "va_list args" +.Ft krb5_error_code .Fn krb5_vwarn "krb5_context context" "krb5_error_code code" "const char *format" "va_list ap" .Ft krb5_error_code .Fn krb5_vwarnx "krb5_context context" "const char *format" "va_list ap" @@ -35,23 +89,43 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Ft krb5_error_code .Fn krb5_warnx "krb5_context context" "const char *format" "..." .Ft krb5_error_code +.Fn krb5_set_error_string "krb5_context context" "const char *fmt" "..." +.Ft krb5_error_code .Fn krb5_set_warn_dest "krb5_context context" "krb5_log_facility *facility" .Ft "char *" +.Ft krb5_log_facility * +.Fo krb5_get_warn_dest +.Fa "krb5_context context" +.Fc .Fn krb5_get_err_text "krb5_context context" "krb5_error_code code" +.Ft char* +.Fn krb5_get_error_string "krb5_context context" +.Ft char* +.Fn krb5_get_error_message "krb5_context context, krb5_error_code code" +.Ft krb5_boolean +.Fn krb5_have_error_string "krb5_context context" +.Ft krb5_error_code +.Fn krb5_vabortx "krb5_context context" "const char *fmt" "va_list ap" +.Ft krb5_error_code +.Fn krb5_vabort "krb5_context context" "const char *fmt" "va_list ap" .Sh DESCRIPTION -These functions prints a warning message to some destination. +These functions print a warning message to some destination. .Fa format is a printf style format specifying the message to print. The forms not ending in an .Dq x -prints the error string associated with +print the error string associated with .Fa code along with the message. The .Dq err -functions exits with exit status +functions exit with exit status .Fa eval after printing the message. .Pp +Applications that want to get the error message to report it to a user +or store it in a log want to use +.Fn krb5_get_error_message . +.Pp The .Fn krb5_set_warn_func function sets the destination for warning messages to the specified @@ -60,9 +134,100 @@ Messages logged with the .Dq warn functions have a log level of 1, while the .Dq err -functions logs with level 0. +functions log with level 0. .Pp .Fn krb5_get_err_text fetches the human readable strings describing the error-code. +.Pp +.Fn krb5_abort +and +.Nm krb5_abortx +behaves like +.Nm krb5_err +and +.Nm krb5_errx +but instead of exiting using the +.Xr exit 3 +call, +.Xr abort 3 +is used. +.Pp +.Fn krb5_free_error_string +frees the error string +.Fa str +returned by +.Fn krb5_get_error_string . +.Pp +.Fn krb5_clear_error_string +clears the error string from the +.Fa context . +.Pp +.Fn krb5_set_error_string +and +.Fn krb5_vset_error_string +sets an verbose error string in +.Fa context . +.Pp +.Fn krb5_get_error_string +fetches the error string from +.Fa context . +The error message in the context is consumed and must be freed using +.Fn krb5_free_error_string +by the caller. +See also +.Fn krb5_get_error_message , +what is usually less verbose to use. +.Pp +.Fn krb5_have_error_string +returns +.Dv TRUE +if there is a verbose error message in the +.Fa context . +.Pp +.Fn krb5_get_error_message +fetches the error string from the context, or if there +is no customized error string in +.Fa context , +uses +.Fa code +to return a error string. +In either case, the error message in the context is consumed and must +be freed using +.Fn krb5_free_error_string +by the caller. +.Pp +.Fn krb5_set_warn_dest +and +.Fn krb5_get_warn_dest +sets and get the log context that is used by +.Fn krb5_warn +and friends. By using this the application can control where the +output should go. For example, this is imperative to inetd servers +where logging status and error message will end up on the output +stream to the client. +.Sh EXAMPLES +Below is a simple example how to report error messages from the +Kerberos library in an application. +.Bd -literal +#include <krb5.h> + +krb5_error_code +function (krb5_context context) +{ + krb5_error_code ret; + + ret = krb5_function (context, arg1, arg2); + if (ret) { + char *s = krb5_get_error_message(context, ret); + if (s == NULL) + errx(1, "kerberos error: %d (and out of memory)", ret); + application_logger("krb5_function failed: %s", s); + krb5_free_error_string(context, s); + return ret; + } + return 0; +} +.Ed .Sh SEE ALSO +.Xr krb5 3 , .Xr krb5_openlog 3 diff --git a/crypto/heimdal/lib/krb5/krb_err.et b/crypto/heimdal/lib/krb5/krb_err.et new file mode 100644 index 000000000000..f7dbb6ce7a66 --- /dev/null +++ b/crypto/heimdal/lib/krb5/krb_err.et @@ -0,0 +1,63 @@ +# +# Error messages for the krb4 library +# +# This might look like a com_err file, but is not +# +id "$Id: krb_err.et,v 1.7 1998/03/29 14:19:52 bg Exp $" + +error_table krb + +prefix KRB4ET +ec KSUCCESS, "Kerberos 4 successful" +ec KDC_NAME_EXP, "Kerberos 4 principal expired" +ec KDC_SERVICE_EXP, "Kerberos 4 service expired" +ec KDC_AUTH_EXP, "Kerberos 4 auth expired" +ec KDC_PKT_VER, "Incorrect Kerberos 4 master key version" +ec KDC_P_MKEY_VER, "Incorrect Kerberos 4 master key version" +ec KDC_S_MKEY_VER, "Incorrect Kerberos 4 master key version" +ec KDC_BYTE_ORDER, "Kerberos 4 byte order unknown" +ec KDC_PR_UNKNOWN, "Kerberos 4 principal unknown" +ec KDC_PR_N_UNIQUE, "Kerberos 4 principal not unique" +ec KDC_NULL_KEY, "Kerberos 4 principal has null key" +index 20 +ec KDC_GEN_ERR, "Generic error from KDC (Kerberos 4)" +ec GC_TKFIL, "Can't read Kerberos 4 ticket file" +ec GC_NOTKT, "Can't find Kerberos 4 ticket or TGT" +index 26 +ec MK_AP_TGTEXP, "Kerberos 4 TGT Expired" +index 31 +ec RD_AP_UNDEC, "Kerberos 4: Can't decode authenticator" +ec RD_AP_EXP, "Kerberos 4 ticket expired" +ec RD_AP_NYV, "Kerberos 4 ticket not yet valid" +ec RD_AP_REPEAT, "Kerberos 4: Repeated request" +ec RD_AP_NOT_US, "The Kerberos 4 ticket isn't for us" +ec RD_AP_INCON, "Kerberos 4 request inconsistent" +ec RD_AP_TIME, "Kerberos 4: delta_t too big" +ec RD_AP_BADD, "Kerberos 4: incorrect net address" +ec RD_AP_VERSION, "Kerberos protocol not version 4" +ec RD_AP_MSG_TYPE, "Kerberos 4: invalid msg type" +ec RD_AP_MODIFIED, "Kerberos 4: message stream modified" +ec RD_AP_ORDER, "Kerberos 4: message out of order" +ec RD_AP_UNAUTHOR, "Kerberos 4: unauthorized request" +index 51 +ec GT_PW_NULL, "Kerberos 4: current PW is null" +ec GT_PW_BADPW, "Kerberos 4: Incorrect current password" +ec GT_PW_PROT, "Kerberos 4 protocol error" +ec GT_PW_KDCERR, "Error returned by KDC (Kerberos 4)" +ec GT_PW_NULLTKT, "Null Kerberos 4 ticket returned by KDC" +ec SKDC_RETRY, "Kerberos 4: Retry count exceeded" +ec SKDC_CANT, "Kerberos 4: Can't send request" +index 61 +ec INTK_W_NOTALL, "Kerberos 4: not all tickets returned" +ec INTK_BADPW, "Kerberos 4: incorrect password" +ec INTK_PROT, "Kerberos 4: Protocol Error" +index 70 +ec INTK_ERR, "Other error in Kerberos 4" +ec AD_NOTGT, "Don't have Kerberos 4 ticket-granting ticket" +index 76 +ec NO_TKT_FIL, "No Kerberos 4 ticket file found" +ec TKT_FIL_ACC, "Couldn't access Kerberos 4 ticket file" +ec TKT_FIL_LCK, "Couldn't lock Kerberos 4 ticket file" +ec TKT_FIL_FMT, "Bad Kerberos 4 ticket file format" +ec TKT_FIL_INI, "Kerberos 4: tf_init not called first" +ec KNAME_FMT, "Bad Kerberos 4 name format" diff --git a/crypto/heimdal/lib/krb5/krbhst-test.c b/crypto/heimdal/lib/krb5/krbhst-test.c index bf981047062c..38b0b6a36c30 100644 --- a/crypto/heimdal/lib/krb5/krbhst-test.c +++ b/crypto/heimdal/lib/krb5/krbhst-test.c @@ -36,7 +36,7 @@ #include <err.h> #include <getarg.h> -RCSID("$Id: krbhst-test.c,v 1.3 2002/08/23 03:43:18 assar Exp $"); +RCSID("$Id: krbhst-test.c 15466 2005-06-17 04:21:47Z lha $"); static int version_flag = 0; static int help_flag = 0; @@ -66,11 +66,11 @@ main(int argc, char **argv) int types[] = {KRB5_KRBHST_KDC, KRB5_KRBHST_ADMIN, KRB5_KRBHST_CHANGEPW, KRB5_KRBHST_KRB524}; const char *type_str[] = {"kdc", "admin", "changepw", "krb524"}; - int optind = 0; + int optidx = 0; setprogname (argv[0]); - if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) + if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx)) usage(1); if (help_flag) @@ -81,8 +81,8 @@ main(int argc, char **argv) exit(0); } - argc -= optind; - argv += optind; + argc -= optidx; + argv += optidx; krb5_init_context (&context); for(i = 0; i < argc; i++) { diff --git a/crypto/heimdal/lib/krb5/krbhst.c b/crypto/heimdal/lib/krb5/krbhst.c index e0cc9f47f217..094fd4f9c64d 100644 --- a/crypto/heimdal/lib/krb5/krbhst.c +++ b/crypto/heimdal/lib/krb5/krbhst.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2001 Kungliga Tekniska Högskolan + * Copyright (c) 2001 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,8 +33,9 @@ #include "krb5_locl.h" #include <resolve.h> +#include "locate_plugin.h" -RCSID("$Id: krbhst.c,v 1.43.2.1 2003/04/22 15:00:38 lha Exp $"); +RCSID("$Id: krbhst.c 21457 2007-07-10 12:53:25Z lha $"); static int string_to_proto(const char *string) @@ -66,6 +67,9 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count, int proto_num; int def_port; + *res = NULL; + *count = 0; + proto_num = string_to_proto(proto); if(proto_num < 0) { krb5_set_error_string(context, "unknown protocol `%s'", proto); @@ -82,11 +86,8 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count, snprintf(domain, sizeof(domain), "_%s._%s.%s.", service, proto, realm); r = dns_lookup(domain, dns_type); - if(r == NULL) { - *res = NULL; - *count = 0; + if(r == NULL) return KRB5_KDC_UNREACH; - } for(num_srv = 0, rr = r->head; rr; rr = rr->next) if(rr->type == T_SRV) @@ -112,6 +113,7 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count, while(--num_srv >= 0) free((*res)[num_srv]); free(*res); + *res = NULL; return ENOMEM; } (*res)[num_srv++] = hi; @@ -139,13 +141,14 @@ struct krb5_krbhst_data { unsigned int flags; int def_port; int port; /* hardwired port number if != 0 */ -#define KD_CONFIG 1 -#define KD_SRV_UDP 2 -#define KD_SRV_TCP 4 -#define KD_SRV_HTTP 8 -#define KD_FALLBACK 16 -#define KD_CONFIG_EXISTS 32 - +#define KD_CONFIG 1 +#define KD_SRV_UDP 2 +#define KD_SRV_TCP 4 +#define KD_SRV_HTTP 8 +#define KD_FALLBACK 16 +#define KD_CONFIG_EXISTS 32 +#define KD_LARGE_MSG 64 +#define KD_PLUGIN 128 krb5_error_code (*get_next)(krb5_context, struct krb5_krbhst_data *, krb5_krbhst_info**); @@ -161,12 +164,26 @@ krbhst_empty(const struct krb5_krbhst_data *kd) } /* + * Return the default protocol for the `kd' (either TCP or UDP) + */ + +static int +krbhst_get_default_proto(struct krb5_krbhst_data *kd) +{ + if (kd->flags & KD_LARGE_MSG) + return KRB5_KRBHST_TCP; + return KRB5_KRBHST_UDP; +} + + +/* * parse `spec' into a krb5_krbhst_info, defaulting the port to `def_port' * and forcing it to `port' if port != 0 */ static struct krb5_krbhst_info* -parse_hostspec(krb5_context context, const char *spec, int def_port, int port) +parse_hostspec(krb5_context context, struct krb5_krbhst_data *kd, + const char *spec, int def_port, int port) { const char *p = spec; struct krb5_krbhst_info *hi; @@ -175,7 +192,7 @@ parse_hostspec(krb5_context context, const char *spec, int def_port, int port) if(hi == NULL) return NULL; - hi->proto = KRB5_KRBHST_UDP; + hi->proto = krbhst_get_default_proto(kd); if(strncmp(p, "http://", 7) == 0){ hi->proto = KRB5_KRBHST_HTTP; @@ -213,14 +230,38 @@ parse_hostspec(krb5_context context, const char *spec, int def_port, int port) return hi; } -static void -free_krbhst_info(krb5_krbhst_info *hi) +void +_krb5_free_krbhst_info(krb5_krbhst_info *hi) { if (hi->ai != NULL) freeaddrinfo(hi->ai); free(hi); } +krb5_error_code +_krb5_krbhost_info_move(krb5_context context, + krb5_krbhst_info *from, + krb5_krbhst_info **to) +{ + size_t hostnamelen = strlen(from->hostname); + /* trailing NUL is included in structure */ + *to = calloc(1, sizeof(**to) + hostnamelen); + if(*to == NULL) { + krb5_set_error_string(context, "malloc - out of memory"); + return ENOMEM; + } + + (*to)->proto = from->proto; + (*to)->port = from->port; + (*to)->def_port = from->def_port; + (*to)->ai = from->ai; + from->ai = NULL; + (*to)->next = NULL; + memcpy((*to)->hostname, from->hostname, hostnamelen + 1); + return 0; +} + + static void append_host_hostinfo(struct krb5_krbhst_data *kd, struct krb5_krbhst_info *host) { @@ -230,7 +271,7 @@ append_host_hostinfo(struct krb5_krbhst_data *kd, struct krb5_krbhst_info *host) if(h->proto == host->proto && h->port == host->port && strcmp(h->hostname, host->hostname) == 0) { - free_krbhst_info(host); + _krb5_free_krbhst_info(host); return; } *kd->end = host; @@ -243,7 +284,7 @@ append_host_string(krb5_context context, struct krb5_krbhst_data *kd, { struct krb5_krbhst_info *hi; - hi = parse_hostspec(context, host, def_port, port); + hi = parse_hostspec(context, kd, host, def_port, port); if(hi == NULL) return ENOMEM; @@ -255,7 +296,7 @@ append_host_string(krb5_context context, struct krb5_krbhst_data *kd, * return a readable representation of `host' in `hostname, hostlen' */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_krbhst_format_string(krb5_context context, const krb5_krbhst_info *host, char *hostname, size_t hostlen) { @@ -296,7 +337,7 @@ make_hints(struct addrinfo *hints, int proto) * in `host'. free:ing is handled by krb5_krbhst_free. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_krbhst_get_addrinfo(krb5_context context, krb5_krbhst_info *host, struct addrinfo **ai) { @@ -329,13 +370,14 @@ get_next(struct krb5_krbhst_data *kd, krb5_krbhst_info **host) static void srv_get_hosts(krb5_context context, struct krb5_krbhst_data *kd, - const char *proto, const char *service) + const char *proto, const char *service) { krb5_krbhst_info **res; int count, i; - srv_find_realm(context, &res, &count, kd->realm, "SRV", proto, service, - kd->port); + if (srv_find_realm(context, &res, &count, kd->realm, "SRV", proto, service, + kd->port)) + return; for(i = 0; i < count; i++) append_host_hostinfo(kd, res[i]); free(res); @@ -382,6 +424,15 @@ fallback_get_hosts(krb5_context context, struct krb5_krbhst_data *kd, struct addrinfo hints; char portstr[NI_MAXSERV]; + /* + * Don't try forever in case the DNS server keep returning us + * entries (like wildcard entries or the .nu TLD) + */ + if(kd->fallback_count >= 5) { + kd->flags |= KD_FALLBACK; + return 0; + } + if(kd->fallback_count == 0) asprintf(&host, "%s.%s.", serv_string, kd->realm); else @@ -411,8 +462,8 @@ fallback_get_hosts(krb5_context context, struct krb5_krbhst_data *kd, hi->proto = proto; hi->port = hi->def_port = port; hi->ai = ai; - memmove(hi->hostname, host, hostlen - 1); - hi->hostname[hostlen - 1] = '\0'; + memmove(hi->hostname, host, hostlen); + hi->hostname[hostlen] = '\0'; free(host); append_host_hostinfo(kd, hi); kd->fallback_count++; @@ -420,6 +471,86 @@ fallback_get_hosts(krb5_context context, struct krb5_krbhst_data *kd, return 0; } +/* + * Fetch hosts from plugin + */ + +static krb5_error_code +add_locate(void *ctx, int type, struct sockaddr *addr) +{ + struct krb5_krbhst_info *hi; + struct krb5_krbhst_data *kd = ctx; + char host[NI_MAXHOST], port[NI_MAXSERV]; + struct addrinfo hints, *ai; + socklen_t socklen; + size_t hostlen; + int ret; + + socklen = socket_sockaddr_size(addr); + + ret = getnameinfo(addr, socklen, host, sizeof(host), port, sizeof(port), + NI_NUMERICHOST|NI_NUMERICSERV); + if (ret != 0) + return 0; + + make_hints(&hints, krbhst_get_default_proto(kd)); + ret = getaddrinfo(host, port, &hints, &ai); + if (ret) + return 0; + + hostlen = strlen(host); + + hi = calloc(1, sizeof(*hi) + hostlen); + if(hi == NULL) + return ENOMEM; + + hi->proto = krbhst_get_default_proto(kd); + hi->port = hi->def_port = socket_get_port(addr); + hi->ai = ai; + memmove(hi->hostname, host, hostlen); + hi->hostname[hostlen] = '\0'; + append_host_hostinfo(kd, hi); + + return 0; +} + +static void +plugin_get_hosts(krb5_context context, + struct krb5_krbhst_data *kd, + enum locate_service_type type) +{ + struct krb5_plugin *list = NULL, *e; + krb5_error_code ret; + + ret = _krb5_plugin_find(context, PLUGIN_TYPE_DATA, "resolve", &list); + if(ret != 0 || list == NULL) + return; + + kd->flags |= KD_CONFIG_EXISTS; + + for (e = list; e != NULL; e = _krb5_plugin_get_next(e)) { + krb5plugin_service_locate_ftable *service; + void *ctx; + + service = _krb5_plugin_get_symbol(e); + if (service->minor_version != 0) + continue; + + (*service->init)(context, &ctx); + ret = (*service->lookup)(ctx, type, kd->realm, 0, 0, add_locate, kd); + (*service->fini)(ctx); + if (ret) { + krb5_set_error_string(context, "Plugin failed to lookup"); + break; + } + } + _krb5_plugin_free(list); +} + +/* + * + */ + static krb5_error_code kdc_get_next(krb5_context context, struct krb5_krbhst_data *kd, @@ -427,6 +558,13 @@ kdc_get_next(krb5_context context, { krb5_error_code ret; + if ((kd->flags & KD_PLUGIN) == 0) { + plugin_get_hosts(context, kd, locate_service_kdc); + kd->flags |= KD_PLUGIN; + if(get_next(kd, host)) + return 0; + } + if((kd->flags & KD_CONFIG) == 0) { config_get_hosts(context, kd, "kdc"); kd->flags |= KD_CONFIG; @@ -438,7 +576,7 @@ kdc_get_next(krb5_context context, return KRB5_KDC_UNREACH; /* XXX */ if(context->srv_lookup) { - if((kd->flags & KD_SRV_UDP) == 0) { + if((kd->flags & KD_SRV_UDP) == 0 && (kd->flags & KD_LARGE_MSG) == 0) { srv_get_hosts(context, kd, "udp", "kerberos"); kd->flags |= KD_SRV_UDP; if(get_next(kd, host)) @@ -461,7 +599,8 @@ kdc_get_next(krb5_context context, while((kd->flags & KD_FALLBACK) == 0) { ret = fallback_get_hosts(context, kd, "kerberos", - kd->def_port, KRB5_KRBHST_UDP); + kd->def_port, + krbhst_get_default_proto(kd)); if(ret) return ret; if(get_next(kd, host)) @@ -478,6 +617,13 @@ admin_get_next(krb5_context context, { krb5_error_code ret; + if ((kd->flags & KD_PLUGIN) == 0) { + plugin_get_hosts(context, kd, locate_service_kadmin); + kd->flags |= KD_PLUGIN; + if(get_next(kd, host)) + return 0; + } + if((kd->flags & KD_CONFIG) == 0) { config_get_hosts(context, kd, "admin_server"); kd->flags |= KD_CONFIG; @@ -500,7 +646,8 @@ admin_get_next(krb5_context context, if (krbhst_empty(kd) && (kd->flags & KD_FALLBACK) == 0) { ret = fallback_get_hosts(context, kd, "kerberos", - kd->def_port, KRB5_KRBHST_UDP); + kd->def_port, + krbhst_get_default_proto(kd)); if(ret) return ret; kd->flags |= KD_FALLBACK; @@ -518,8 +665,16 @@ kpasswd_get_next(krb5_context context, { krb5_error_code ret; + if ((kd->flags & KD_PLUGIN) == 0) { + plugin_get_hosts(context, kd, locate_service_kpasswd); + kd->flags |= KD_PLUGIN; + if(get_next(kd, host)) + return 0; + } + if((kd->flags & KD_CONFIG) == 0) { config_get_hosts(context, kd, "kpasswd_server"); + kd->flags |= KD_CONFIG; if(get_next(kd, host)) return 0; } @@ -534,6 +689,12 @@ kpasswd_get_next(krb5_context context, if(get_next(kd, host)) return 0; } + if((kd->flags & KD_SRV_TCP) == 0) { + srv_get_hosts(context, kd, "tcp", "kpasswd"); + kd->flags |= KD_SRV_TCP; + if(get_next(kd, host)) + return 0; + } } /* no matches -> try admin */ @@ -544,7 +705,7 @@ kpasswd_get_next(krb5_context context, kd->get_next = admin_get_next; ret = (*kd->get_next)(context, kd, host); if (ret == 0) - (*host)->proto = KRB5_KRBHST_UDP; + (*host)->proto = krbhst_get_default_proto(kd); return ret; } @@ -556,6 +717,13 @@ krb524_get_next(krb5_context context, struct krb5_krbhst_data *kd, krb5_krbhst_info **host) { + if ((kd->flags & KD_PLUGIN) == 0) { + plugin_get_hosts(context, kd, locate_service_krb524); + kd->flags |= KD_PLUGIN; + if(get_next(kd, host)) + return 0; + } + if((kd->flags & KD_CONFIG) == 0) { config_get_hosts(context, kd, "krb524_server"); if(get_next(kd, host)) @@ -596,7 +764,8 @@ krb524_get_next(krb5_context context, static struct krb5_krbhst_data* common_init(krb5_context context, - const char *realm) + const char *realm, + int flags) { struct krb5_krbhst_data *kd; @@ -608,6 +777,12 @@ common_init(krb5_context context, return NULL; } + /* For 'realms' without a . do not even think of going to DNS */ + if (!strchr(realm, '.')) + kd->flags |= KD_CONFIG_EXISTS; + + if (flags & KRB5_KRBHST_FLAGS_LARGE_MSG) + kd->flags |= KD_LARGE_MSG; kd->end = kd->index = &kd->hosts; return kd; } @@ -616,43 +791,53 @@ common_init(krb5_context context, * initialize `handle' to look for hosts of type `type' in realm `realm' */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_krbhst_init(krb5_context context, const char *realm, unsigned int type, krb5_krbhst_handle *handle) { + return krb5_krbhst_init_flags(context, realm, type, 0, handle); +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_krbhst_init_flags(krb5_context context, + const char *realm, + unsigned int type, + int flags, + krb5_krbhst_handle *handle) +{ struct krb5_krbhst_data *kd; - krb5_error_code (*get_next)(krb5_context, struct krb5_krbhst_data *, - krb5_krbhst_info **); + krb5_error_code (*next)(krb5_context, struct krb5_krbhst_data *, + krb5_krbhst_info **); int def_port; switch(type) { case KRB5_KRBHST_KDC: - get_next = kdc_get_next; + next = kdc_get_next; def_port = ntohs(krb5_getportbyname (context, "kerberos", "udp", 88)); break; case KRB5_KRBHST_ADMIN: - get_next = admin_get_next; + next = admin_get_next; def_port = ntohs(krb5_getportbyname (context, "kerberos-adm", "tcp", 749)); break; case KRB5_KRBHST_CHANGEPW: - get_next = kpasswd_get_next; + next = kpasswd_get_next; def_port = ntohs(krb5_getportbyname (context, "kpasswd", "udp", KPASSWD_PORT)); break; case KRB5_KRBHST_KRB524: - get_next = krb524_get_next; + next = krb524_get_next; def_port = ntohs(krb5_getportbyname (context, "krb524", "udp", 4444)); break; default: krb5_set_error_string(context, "unknown krbhst type (%u)", type); return ENOTTY; } - if((kd = common_init(context, realm)) == NULL) + if((kd = common_init(context, realm, flags)) == NULL) return ENOMEM; - kd->get_next = get_next; + kd->get_next = next; kd->def_port = def_port; *handle = kd; return 0; @@ -662,7 +847,7 @@ krb5_krbhst_init(krb5_context context, * return the next host information from `handle' in `host' */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_krbhst_next(krb5_context context, krb5_krbhst_handle handle, krb5_krbhst_info **host) @@ -678,7 +863,7 @@ krb5_krbhst_next(krb5_context context, * in `hostname' (or length `hostlen) */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_krbhst_next_as_string(krb5_context context, krb5_krbhst_handle handle, char *hostname, @@ -693,13 +878,13 @@ krb5_krbhst_next_as_string(krb5_context context, } -void +void KRB5_LIB_FUNCTION krb5_krbhst_reset(krb5_context context, krb5_krbhst_handle handle) { handle->index = &handle->hosts; } -void +void KRB5_LIB_FUNCTION krb5_krbhst_free(krb5_context context, krb5_krbhst_handle handle) { krb5_krbhst_info *h, *next; @@ -709,7 +894,7 @@ krb5_krbhst_free(krb5_context context, krb5_krbhst_handle handle) for (h = handle->hosts; h != NULL; h = next) { next = h->next; - free_krbhst_info(h); + _krb5_free_krbhst_info(h); } free(handle->realm); @@ -734,8 +919,10 @@ gethostlist(krb5_context context, const char *realm, while(krb5_krbhst_next(context, handle, &hostinfo) == 0) nhost++; - if(nhost == 0) + if(nhost == 0) { + krb5_set_error_string(context, "No KDC found for realm %s", realm); return KRB5_KDC_UNREACH; + } *hostlist = calloc(nhost + 1, sizeof(**hostlist)); if(*hostlist == NULL) { krb5_krbhst_free(context, handle); @@ -761,7 +948,7 @@ gethostlist(krb5_context context, const char *realm, * return an malloced list of kadmin-hosts for `realm' in `hostlist' */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_krb_admin_hst (krb5_context context, const krb5_realm *realm, char ***hostlist) @@ -773,7 +960,7 @@ krb5_get_krb_admin_hst (krb5_context context, * return an malloced list of changepw-hosts for `realm' in `hostlist' */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_krb_changepw_hst (krb5_context context, const krb5_realm *realm, char ***hostlist) @@ -785,7 +972,7 @@ krb5_get_krb_changepw_hst (krb5_context context, * return an malloced list of 524-hosts for `realm' in `hostlist' */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_krb524hst (krb5_context context, const krb5_realm *realm, char ***hostlist) @@ -798,7 +985,7 @@ krb5_get_krb524hst (krb5_context context, * return an malloced list of KDC's for `realm' in `hostlist' */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_krbhst (krb5_context context, const krb5_realm *realm, char ***hostlist) @@ -810,7 +997,7 @@ krb5_get_krbhst (krb5_context context, * free all the memory allocated in `hostlist' */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_krbhst (krb5_context context, char **hostlist) { diff --git a/crypto/heimdal/lib/krb5/kuserok.c b/crypto/heimdal/lib/krb5/kuserok.c index a79532e21b66..8f0ff996960d 100644 --- a/crypto/heimdal/lib/krb5/kuserok.c +++ b/crypto/heimdal/lib/krb5/kuserok.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,76 +32,231 @@ */ #include "krb5_locl.h" +#include <dirent.h> -RCSID("$Id: kuserok.c,v 1.7 2003/03/13 19:53:43 lha Exp $"); +RCSID("$Id: kuserok.c 16048 2005-09-09 10:33:33Z lha $"); -/* - * Return TRUE iff `principal' is allowed to login as `luser'. - */ +/* see if principal is mentioned in the filename access file, return + TRUE (in result) if so, FALSE otherwise */ -krb5_boolean -krb5_kuserok (krb5_context context, - krb5_principal principal, - const char *luser) +static krb5_error_code +check_one_file(krb5_context context, + const char *filename, + struct passwd *pwd, + krb5_principal principal, + krb5_boolean *result) { - char buf[BUFSIZ]; - struct passwd *pwd; FILE *f; - krb5_realm *realms, *r; + char buf[BUFSIZ]; krb5_error_code ret; - krb5_boolean b; + struct stat st; + + *result = FALSE; - pwd = getpwnam (luser); /* XXX - Should use k_getpwnam? */ - if (pwd == NULL) + f = fopen (filename, "r"); + if (f == NULL) + return errno; + + /* check type and mode of file */ + if (fstat(fileno(f), &st) != 0) { + fclose (f); + return errno; + } + if (S_ISDIR(st.st_mode)) { + fclose (f); + return EISDIR; + } + if (st.st_uid != pwd->pw_uid && st.st_uid != 0) { + fclose (f); + return EACCES; + } + if ((st.st_mode & (S_IWGRP | S_IWOTH)) != 0) { + fclose (f); + return EACCES; + } + + while (fgets (buf, sizeof(buf), f) != NULL) { + krb5_principal tmp; + char *newline = buf + strcspn(buf, "\n"); + + if(*newline != '\n') { + int c; + c = fgetc(f); + if(c != EOF) { + while(c != EOF && c != '\n') + c = fgetc(f); + /* line was too long, so ignore it */ + continue; + } + } + *newline = '\0'; + ret = krb5_parse_name (context, buf, &tmp); + if (ret) + continue; + *result = krb5_principal_compare (context, principal, tmp); + krb5_free_principal (context, tmp); + if (*result) { + fclose (f); + return 0; + } + } + fclose (f); + return 0; +} + +static krb5_error_code +check_directory(krb5_context context, + const char *dirname, + struct passwd *pwd, + krb5_principal principal, + krb5_boolean *result) +{ + DIR *d; + struct dirent *dent; + char filename[MAXPATHLEN]; + krb5_error_code ret = 0; + struct stat st; + + *result = FALSE; + + if(lstat(dirname, &st) < 0) + return errno; + + if (!S_ISDIR(st.st_mode)) + return ENOTDIR; + + if (st.st_uid != pwd->pw_uid && st.st_uid != 0) + return EACCES; + if ((st.st_mode & (S_IWGRP | S_IWOTH)) != 0) + return EACCES; + + if((d = opendir(dirname)) == NULL) + return errno; + +#ifdef HAVE_DIRFD + { + int fd; + struct stat st2; + + fd = dirfd(d); + if(fstat(fd, &st2) < 0) { + closedir(d); + return errno; + } + if(st.st_dev != st2.st_dev || st.st_ino != st2.st_ino) { + closedir(d); + return EACCES; + } + } +#endif + + while((dent = readdir(d)) != NULL) { + if(strcmp(dent->d_name, ".") == 0 || + strcmp(dent->d_name, "..") == 0 || + dent->d_name[0] == '#' || /* emacs autosave */ + dent->d_name[strlen(dent->d_name) - 1] == '~') /* emacs backup */ + continue; + snprintf(filename, sizeof(filename), "%s/%s", dirname, dent->d_name); + ret = check_one_file(context, filename, pwd, principal, result); + if(ret == 0 && *result == TRUE) + break; + ret = 0; /* don't propagate errors upstream */ + } + closedir(d); + return ret; +} + +static krb5_boolean +match_local_principals(krb5_context context, + krb5_principal principal, + const char *luser) +{ + krb5_error_code ret; + krb5_realm *realms, *r; + krb5_boolean result = FALSE; + + /* multi-component principals can never match */ + if(krb5_principal_get_comp_string(context, principal, 1) != NULL) return FALSE; ret = krb5_get_default_realms (context, &realms); if (ret) return FALSE; - + for (r = realms; *r != NULL; ++r) { - krb5_principal local_principal; - - ret = krb5_build_principal (context, - &local_principal, - strlen(*r), - *r, - luser, - NULL); - if (ret) { - krb5_free_host_realm (context, realms); - return FALSE; - } - - b = krb5_principal_compare (context, principal, local_principal); - krb5_free_principal (context, local_principal); - if (b) { - krb5_free_host_realm (context, realms); - return TRUE; + if(strcmp(krb5_principal_get_realm(context, principal), + *r) != 0) + continue; + if(strcmp(krb5_principal_get_comp_string(context, principal, 0), + luser) == 0) { + result = TRUE; + break; } } krb5_free_host_realm (context, realms); + return result; +} - snprintf (buf, sizeof(buf), "%s/.k5login", pwd->pw_dir); - f = fopen (buf, "r"); - if (f == NULL) +/** + * Return TRUE iff `principal' is allowed to login as `luser'. + */ + +krb5_boolean KRB5_LIB_FUNCTION +krb5_kuserok (krb5_context context, + krb5_principal principal, + const char *luser) +{ + char *buf; + size_t buflen; + struct passwd *pwd; + krb5_error_code ret; + krb5_boolean result = FALSE; + + krb5_boolean found_file = FALSE; + +#ifdef POSIX_GETPWNAM_R + char pwbuf[2048]; + struct passwd pw; + + if(getpwnam_r(luser, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0) + return FALSE; +#else + pwd = getpwnam (luser); +#endif + if (pwd == NULL) return FALSE; - while (fgets (buf, sizeof(buf), f) != NULL) { - krb5_principal tmp; - buf[strcspn(buf, "\n")] = '\0'; - ret = krb5_parse_name (context, buf, &tmp); - if (ret) { - fclose (f); - return FALSE; - } - b = krb5_principal_compare (context, principal, tmp); - krb5_free_principal (context, tmp); - if (b) { - fclose (f); - return TRUE; - } +#define KLOGIN "/.k5login" + buflen = strlen(pwd->pw_dir) + sizeof(KLOGIN) + 2; /* 2 for .d */ + buf = malloc(buflen); + if(buf == NULL) + return FALSE; + /* check user's ~/.k5login */ + strlcpy(buf, pwd->pw_dir, buflen); + strlcat(buf, KLOGIN, buflen); + ret = check_one_file(context, buf, pwd, principal, &result); + + if(ret == 0 && result == TRUE) { + free(buf); + return TRUE; } - fclose (f); + + if(ret != ENOENT) + found_file = TRUE; + + strlcat(buf, ".d", buflen); + ret = check_directory(context, buf, pwd, principal, &result); + free(buf); + if(ret == 0 && result == TRUE) + return TRUE; + + if(ret != ENOENT && ret != ENOTDIR) + found_file = TRUE; + + /* finally if no files exist, allow all principals matching + <localuser>@<LOCALREALM> */ + if(found_file == FALSE) + return match_local_principals(context, principal, luser); + return FALSE; } diff --git a/crypto/heimdal/lib/krb5/locate_plugin.h b/crypto/heimdal/lib/krb5/locate_plugin.h new file mode 100644 index 000000000000..251712c8940d --- /dev/null +++ b/crypto/heimdal/lib/krb5/locate_plugin.h @@ -0,0 +1,64 @@ +/* + * Copyright (c) 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* $Id: locate_plugin.h 18998 2006-11-12 19:00:03Z lha $ */ + +#ifndef HEIMDAL_KRB5_LOCATE_PLUGIN_H +#define HEIMDAL_KRB5_LOCATE_PLUGIN_H 1 + +#include <krb5.h> + +enum locate_service_type { + locate_service_kdc = 1, + locate_service_master_kdc, + locate_service_kadmin, + locate_service_krb524, + locate_service_kpasswd +}; + +typedef krb5_error_code +(*krb5plugin_service_locate_lookup) (void *, enum locate_service_type, + const char *, int, int, + int (*)(void *,int,struct sockaddr *), + void *); + + +typedef struct krb5plugin_service_locate_ftable { + int minor_version; + krb5_error_code (*init)(krb5_context, void **); + void (*fini)(void *); + krb5plugin_service_locate_lookup lookup; +} krb5plugin_service_locate_ftable; + +#endif /* HEIMDAL_KRB5_LOCATE_PLUGIN_H */ + diff --git a/crypto/heimdal/lib/krb5/log.c b/crypto/heimdal/lib/krb5/log.c index bd7451b4bcb7..c04f50fd9aa8 100644 --- a/crypto/heimdal/lib/krb5/log.c +++ b/crypto/heimdal/lib/krb5/log.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,13 +33,13 @@ #include "krb5_locl.h" -RCSID("$Id: log.c,v 1.31 2002/09/05 14:59:14 joda Exp $"); +RCSID("$Id: log.c 19088 2006-11-21 08:08:46Z lha $"); struct facility { int min; int max; - krb5_log_log_func_t log; - krb5_log_close_func_t close; + krb5_log_log_func_t log_func; + krb5_log_close_func_t close_func; void *data; }; @@ -47,10 +47,10 @@ static struct facility* log_realloc(krb5_log_facility *f) { struct facility *fp; - f->len++; - fp = realloc(f->val, f->len * sizeof(*f->val)); + fp = realloc(f->val, (f->len + 1) * sizeof(*f->val)); if(fp == NULL) return NULL; + f->len++; f->val = fp; fp += f->len - 1; return fp; @@ -114,7 +114,7 @@ find_value(const char *s, struct s2i *table) return table->val; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_initlog(krb5_context context, const char *program, krb5_log_facility **fac) @@ -134,13 +134,13 @@ krb5_initlog(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_addlog_func(krb5_context context, krb5_log_facility *fac, int min, int max, - krb5_log_log_func_t log, - krb5_log_close_func_t close, + krb5_log_log_func_t log_func, + krb5_log_close_func_t close_func, void *data) { struct facility *fp = log_realloc(fac); @@ -150,8 +150,8 @@ krb5_addlog_func(krb5_context context, } fp->min = min; fp->max = max; - fp->log = log; - fp->close = close; + fp->log_func = log_func; + fp->close_func = close_func; fp->data = data; return 0; } @@ -162,7 +162,7 @@ struct _heimdal_syslog_data{ }; static void -log_syslog(const char *time, +log_syslog(const char *timestr, const char *msg, void *data) @@ -211,7 +211,7 @@ struct file_data{ }; static void -log_file(const char *time, +log_file(const char *timestr, const char *msg, void *data) { @@ -220,9 +220,11 @@ log_file(const char *time, f->fd = fopen(f->filename, f->mode); if(f->fd == NULL) return; - fprintf(f->fd, "%s %s\n", time, msg); - if(f->keep_open == 0) + fprintf(f->fd, "%s %s\n", timestr, msg); + if(f->keep_open == 0) { fclose(f->fd); + f->fd = NULL; + } } static void @@ -253,7 +255,7 @@ open_file(krb5_context context, krb5_log_facility *fac, int min, int max, -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_addlog_dest(krb5_context context, krb5_log_facility *f, const char *orig) { krb5_error_code ret = 0; @@ -284,7 +286,7 @@ krb5_addlog_dest(krb5_context context, krb5_log_facility *f, const char *orig) ret = open_file(context, f, min, max, NULL, NULL, stderr, 1); }else if(strcmp(p, "CONSOLE") == 0){ ret = open_file(context, f, min, max, "/dev/console", "w", NULL, 0); - }else if(strncmp(p, "FILE:", 4) == 0 && (p[4] == ':' || p[4] == '=')){ + }else if(strncmp(p, "FILE", 4) == 0 && (p[4] == ':' || p[4] == '=')){ char *fn; FILE *file = NULL; int keep_open = 0; @@ -300,6 +302,7 @@ krb5_addlog_dest(krb5_context context, krb5_log_facility *f, const char *orig) ret = errno; krb5_set_error_string (context, "open(%s): %s", fn, strerror(ret)); + free(fn); return ret; } file = fdopen(i, "a"); @@ -308,12 +311,13 @@ krb5_addlog_dest(krb5_context context, krb5_log_facility *f, const char *orig) close(i); krb5_set_error_string (context, "fdopen(%s): %s", fn, strerror(ret)); + free(fn); return ret; } keep_open = 1; } ret = open_file(context, f, min, max, fn, "a", file, keep_open); - }else if(strncmp(p, "DEVICE=", 6) == 0){ + }else if(strncmp(p, "DEVICE", 6) == 0 && (p[6] == ':' || p[6] == '=')){ ret = open_file(context, f, min, max, strdup(p + 7), "w", NULL, 0); }else if(strncmp(p, "SYSLOG", 6) == 0 && (p[6] == '\0' || p[6] == ':')){ char severity[128] = ""; @@ -336,7 +340,7 @@ krb5_addlog_dest(krb5_context context, krb5_log_facility *f, const char *orig) } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_openlog(krb5_context context, const char *program, krb5_log_facility **fac) @@ -360,20 +364,26 @@ krb5_openlog(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_closelog(krb5_context context, krb5_log_facility *fac) { int i; for(i = 0; i < fac->len; i++) - (*fac->val[i].close)(fac->val[i].data); + (*fac->val[i].close_func)(fac->val[i].data); + free(fac->val); + free(fac->program); + fac->val = NULL; + fac->len = 0; + fac->program = NULL; + free(fac); return 0; } #undef __attribute__ #define __attribute__(X) -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vlog_msg(krb5_context context, krb5_log_facility *fac, char **reply, @@ -403,7 +413,7 @@ krb5_vlog_msg(krb5_context context, else actual = msg; } - (*fac->val[i].log)(buf, actual, fac->val[i].data); + (*fac->val[i].log_func)(buf, actual, fac->val[i].data); } if(reply == NULL) free(msg); @@ -412,7 +422,7 @@ krb5_vlog_msg(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vlog(krb5_context context, krb5_log_facility *fac, int level, @@ -423,7 +433,7 @@ krb5_vlog(krb5_context context, return krb5_vlog_msg(context, fac, NULL, level, fmt, ap); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_log_msg(krb5_context context, krb5_log_facility *fac, int level, @@ -442,7 +452,7 @@ krb5_log_msg(krb5_context context, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_log(krb5_context context, krb5_log_facility *fac, int level, diff --git a/crypto/heimdal/lib/krb5/mcache.c b/crypto/heimdal/lib/krb5/mcache.c index 115760406bae..01bcb09d3bea 100644 --- a/crypto/heimdal/lib/krb5/mcache.c +++ b/crypto/heimdal/lib/krb5/mcache.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: mcache.c,v 1.15.6.1 2004/03/06 16:57:16 lha Exp $"); +RCSID("$Id: mcache.c 22107 2007-12-03 17:22:51Z lha $"); typedef struct krb5_mcache { char *name; @@ -47,14 +47,13 @@ typedef struct krb5_mcache { struct krb5_mcache *next; } krb5_mcache; +static HEIMDAL_MUTEX mcc_mutex = HEIMDAL_MUTEX_INITIALIZER; static struct krb5_mcache *mcc_head; #define MCACHE(X) ((krb5_mcache *)(X)->data.data) #define MISDEAD(X) ((X)->dead) -#define MCC_CURSOR(C) ((struct link*)(C)) - static const char* mcc_get_name(krb5_context context, krb5_ccache id) @@ -65,7 +64,7 @@ mcc_get_name(krb5_context context, static krb5_mcache * mcc_alloc(const char *name) { - krb5_mcache *m; + krb5_mcache *m, *m_c; ALLOC(m, 1); if(m == NULL) @@ -78,12 +77,25 @@ mcc_alloc(const char *name) free(m); return NULL; } + /* check for dups first */ + HEIMDAL_MUTEX_lock(&mcc_mutex); + for (m_c = mcc_head; m_c != NULL; m_c = m_c->next) + if (strcmp(m->name, m_c->name) == 0) + break; + if (m_c) { + free(m->name); + free(m); + HEIMDAL_MUTEX_unlock(&mcc_mutex); + return NULL; + } + m->dead = 0; m->refcnt = 1; m->primary_principal = NULL; m->creds = NULL; m->next = mcc_head; mcc_head = m; + HEIMDAL_MUTEX_unlock(&mcc_mutex); return m; } @@ -92,9 +104,11 @@ mcc_resolve(krb5_context context, krb5_ccache *id, const char *res) { krb5_mcache *m; + HEIMDAL_MUTEX_lock(&mcc_mutex); for (m = mcc_head; m != NULL; m = m->next) if (strcmp(m->name, res) == 0) break; + HEIMDAL_MUTEX_unlock(&mcc_mutex); if (m != NULL) { m->refcnt++; @@ -146,20 +160,25 @@ mcc_initialize(krb5_context context, &m->primary_principal); } -static krb5_error_code -mcc_close(krb5_context context, - krb5_ccache id) +static int +mcc_close_internal(krb5_mcache *m) { - krb5_mcache *m = MCACHE(id); - if (--m->refcnt != 0) return 0; if (MISDEAD(m)) { free (m->name); - krb5_data_free(&id->data); + return 1; } + return 0; +} +static krb5_error_code +mcc_close(krb5_context context, + krb5_ccache id) +{ + if (mcc_close_internal(MCACHE(id))) + krb5_data_free(&id->data); return 0; } @@ -176,12 +195,14 @@ mcc_destroy(krb5_context context, if (!MISDEAD(m)) { /* if this is an active mcache, remove it from the linked list, and free all data */ + HEIMDAL_MUTEX_lock(&mcc_mutex); for(n = &mcc_head; n && *n; n = &(*n)->next) { if(m == *n) { *n = m->next; break; } } + HEIMDAL_MUTEX_unlock(&mcc_mutex); if (m->primary_principal != NULL) { krb5_free_principal (context, m->primary_principal); m->primary_principal = NULL; @@ -192,7 +213,7 @@ mcc_destroy(krb5_context context, while (l != NULL) { struct link *old; - krb5_free_creds_contents (context, &l->cred); + krb5_free_cred_contents (context, &l->cred); old = l; l = l->next; free (old); @@ -300,7 +321,7 @@ mcc_remove_cred(krb5_context context, for(q = &m->creds, p = *q; p; p = *q) { if(krb5_compare_creds(context, which, mcreds, &p->cred)) { *q = p->next; - krb5_free_creds_contents(context, &p->cred); + krb5_free_cred_contents(context, &p->cred); free(p); } else q = &p->next; @@ -316,6 +337,121 @@ mcc_set_flags(krb5_context context, return 0; /* XXX */ } +struct mcache_iter { + krb5_mcache *cache; +}; + +static krb5_error_code +mcc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor) +{ + struct mcache_iter *iter; + + iter = calloc(1, sizeof(*iter)); + if (iter == NULL) { + krb5_set_error_string(context, "malloc - out of memory"); + return ENOMEM; + } + + HEIMDAL_MUTEX_lock(&mcc_mutex); + iter->cache = mcc_head; + if (iter->cache) + iter->cache->refcnt++; + HEIMDAL_MUTEX_unlock(&mcc_mutex); + + *cursor = iter; + return 0; +} + +static krb5_error_code +mcc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id) +{ + struct mcache_iter *iter = cursor; + krb5_error_code ret; + krb5_mcache *m; + + if (iter->cache == NULL) + return KRB5_CC_END; + + HEIMDAL_MUTEX_lock(&mcc_mutex); + m = iter->cache; + if (m->next) + m->next->refcnt++; + iter->cache = m->next; + HEIMDAL_MUTEX_unlock(&mcc_mutex); + + ret = _krb5_cc_allocate(context, &krb5_mcc_ops, id); + if (ret) + return ret; + + (*id)->data.data = m; + (*id)->data.length = sizeof(*m); + + return 0; +} + +static krb5_error_code +mcc_end_cache_get(krb5_context context, krb5_cc_cursor cursor) +{ + struct mcache_iter *iter = cursor; + + if (iter->cache) + mcc_close_internal(iter->cache); + iter->cache = NULL; + free(iter); + return 0; +} + +static krb5_error_code +mcc_move(krb5_context context, krb5_ccache from, krb5_ccache to) +{ + krb5_mcache *mfrom = MCACHE(from), *mto = MCACHE(to); + struct link *creds; + krb5_principal principal; + krb5_mcache **n; + + HEIMDAL_MUTEX_lock(&mcc_mutex); + + /* drop the from cache from the linked list to avoid lookups */ + for(n = &mcc_head; n && *n; n = &(*n)->next) { + if(mfrom == *n) { + *n = mfrom->next; + break; + } + } + + /* swap creds */ + creds = mto->creds; + mto->creds = mfrom->creds; + mfrom->creds = creds; + /* swap principal */ + principal = mto->primary_principal; + mto->primary_principal = mfrom->primary_principal; + mfrom->primary_principal = principal; + + HEIMDAL_MUTEX_unlock(&mcc_mutex); + mcc_destroy(context, from); + + return 0; +} + +static krb5_error_code +mcc_default_name(krb5_context context, char **str) +{ + *str = strdup("MEMORY:"); + if (*str == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + return 0; +} + + +/** + * Variable containing the MEMORY based credential cache implemention. + * + * @ingroup krb5_ccache + */ + const krb5_cc_ops krb5_mcc_ops = { "MEMORY", mcc_get_name, @@ -331,5 +467,11 @@ const krb5_cc_ops krb5_mcc_ops = { mcc_get_next, mcc_end_get, mcc_remove_cred, - mcc_set_flags + mcc_set_flags, + NULL, + mcc_get_cache_first, + mcc_get_cache_next, + mcc_end_cache_get, + mcc_move, + mcc_default_name }; diff --git a/crypto/heimdal/lib/krb5/misc.c b/crypto/heimdal/lib/krb5/misc.c index baf63f6d525d..8050bdb9b467 100644 --- a/crypto/heimdal/lib/krb5/misc.c +++ b/crypto/heimdal/lib/krb5/misc.c @@ -33,4 +33,54 @@ #include "krb5_locl.h" -RCSID("$Id: misc.c,v 1.5 1999/12/02 17:05:11 joda Exp $"); +RCSID("$Id: misc.c 21174 2007-06-19 10:10:58Z lha $"); + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_s4u2self_to_checksumdata(krb5_context context, + const PA_S4U2Self *self, + krb5_data *data) +{ + krb5_error_code ret; + krb5_ssize_t ssize; + krb5_storage *sp; + size_t size; + int i; + + sp = krb5_storage_emem(); + if (sp == NULL) { + krb5_clear_error_string(context); + return ENOMEM; + } + krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE); + ret = krb5_store_int32(sp, self->name.name_type); + if (ret) + goto out; + for (i = 0; i < self->name.name_string.len; i++) { + size = strlen(self->name.name_string.val[i]); + ssize = krb5_storage_write(sp, self->name.name_string.val[i], size); + if (ssize != size) { + ret = ENOMEM; + goto out; + } + } + size = strlen(self->realm); + ssize = krb5_storage_write(sp, self->realm, size); + if (ssize != size) { + ret = ENOMEM; + goto out; + } + size = strlen(self->auth); + ssize = krb5_storage_write(sp, self->auth, size); + if (ssize != size) { + ret = ENOMEM; + goto out; + } + + ret = krb5_storage_to_data(sp, data); + krb5_storage_free(sp); + return ret; + +out: + krb5_clear_error_string(context); + return ret; +} diff --git a/crypto/heimdal/lib/krb5/mit_glue.c b/crypto/heimdal/lib/krb5/mit_glue.c new file mode 100644 index 000000000000..7440d5476279 --- /dev/null +++ b/crypto/heimdal/lib/krb5/mit_glue.c @@ -0,0 +1,369 @@ +/* + * Copyright (c) 2003 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5_locl.h" +RCSID("$Id: mit_glue.c 20042 2007-01-23 20:37:43Z lha $"); + +/* + * Glue for MIT API + */ + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_make_checksum(krb5_context context, + krb5_cksumtype cksumtype, + const krb5_keyblock *key, + krb5_keyusage usage, + const krb5_data *input, + krb5_checksum *cksum) +{ + krb5_error_code ret; + krb5_crypto crypto; + + ret = krb5_crypto_init(context, key, 0, &crypto); + if (ret) + return ret; + + ret = krb5_create_checksum(context, crypto, usage, cksumtype, + input->data, input->length, cksum); + krb5_crypto_destroy(context, crypto); + + return ret ; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_verify_checksum(krb5_context context, const krb5_keyblock *key, + krb5_keyusage usage, const krb5_data *data, + const krb5_checksum *cksum, krb5_boolean *valid) +{ + krb5_error_code ret; + krb5_checksum data_cksum; + + *valid = 0; + + ret = krb5_c_make_checksum(context, cksum->cksumtype, + key, usage, data, &data_cksum); + if (ret) + return ret; + + if (data_cksum.cksumtype == cksum->cksumtype + && data_cksum.checksum.length == cksum->checksum.length + && memcmp(data_cksum.checksum.data, cksum->checksum.data, cksum->checksum.length) == 0) + *valid = 1; + + krb5_free_checksum_contents(context, &data_cksum); + + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_get_checksum(krb5_context context, const krb5_checksum *cksum, + krb5_cksumtype *type, krb5_data **data) +{ + krb5_error_code ret; + + if (type) + *type = cksum->cksumtype; + if (data) { + *data = malloc(sizeof(**data)); + if (*data == NULL) + return ENOMEM; + + ret = der_copy_octet_string(&cksum->checksum, *data); + if (ret) { + free(*data); + *data = NULL; + return ret; + } + } + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_set_checksum(krb5_context context, krb5_checksum *cksum, + krb5_cksumtype type, const krb5_data *data) +{ + cksum->cksumtype = type; + return der_copy_octet_string(data, &cksum->checksum); +} + +void KRB5_LIB_FUNCTION +krb5_free_checksum (krb5_context context, krb5_checksum *cksum) +{ + krb5_checksum_free(context, cksum); + free(cksum); +} + +void KRB5_LIB_FUNCTION +krb5_free_checksum_contents(krb5_context context, krb5_checksum *cksum) +{ + krb5_checksum_free(context, cksum); + memset(cksum, 0, sizeof(*cksum)); +} + +void KRB5_LIB_FUNCTION +krb5_checksum_free(krb5_context context, krb5_checksum *cksum) +{ + free_Checksum(cksum); +} + +krb5_boolean KRB5_LIB_FUNCTION +krb5_c_valid_enctype (krb5_enctype etype) +{ + return krb5_enctype_valid(NULL, etype); +} + +krb5_boolean KRB5_LIB_FUNCTION +krb5_c_valid_cksumtype(krb5_cksumtype ctype) +{ + return krb5_cksumtype_valid(NULL, ctype); +} + +krb5_boolean KRB5_LIB_FUNCTION +krb5_c_is_coll_proof_cksum(krb5_cksumtype ctype) +{ + return krb5_checksum_is_collision_proof(NULL, ctype); +} + +krb5_boolean KRB5_LIB_FUNCTION +krb5_c_is_keyed_cksum(krb5_cksumtype ctype) +{ + return krb5_checksum_is_keyed(NULL, ctype); +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_copy_checksum (krb5_context context, + const krb5_checksum *old, + krb5_checksum **new) +{ + *new = malloc(sizeof(**new)); + if (*new == NULL) + return ENOMEM; + return copy_Checksum(old, *new); +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_checksum_length (krb5_context context, krb5_cksumtype cksumtype, + size_t *length) +{ + return krb5_checksumsize(context, cksumtype, length); +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_block_size(krb5_context context, + krb5_enctype enctype, + size_t *blocksize) +{ + krb5_error_code ret; + krb5_crypto crypto; + krb5_keyblock key; + + ret = krb5_generate_random_keyblock(context, enctype, &key); + if (ret) + return ret; + + ret = krb5_crypto_init(context, &key, 0, &crypto); + krb5_free_keyblock_contents(context, &key); + if (ret) + return ret; + ret = krb5_crypto_getblocksize(context, crypto, blocksize); + krb5_crypto_destroy(context, crypto); + + return ret; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_decrypt(krb5_context context, + const krb5_keyblock key, + krb5_keyusage usage, + const krb5_data *ivec, + krb5_enc_data *input, + krb5_data *output) +{ + krb5_error_code ret; + krb5_crypto crypto; + + ret = krb5_crypto_init(context, &key, input->enctype, &crypto); + if (ret) + return ret; + + if (ivec) { + size_t blocksize; + + ret = krb5_crypto_getblocksize(context, crypto, &blocksize); + if (ret) { + krb5_crypto_destroy(context, crypto); + return ret; + } + + if (blocksize > ivec->length) { + krb5_crypto_destroy(context, crypto); + return KRB5_BAD_MSIZE; + } + } + + ret = krb5_decrypt_ivec(context, crypto, usage, + input->ciphertext.data, input->ciphertext.length, + output, + ivec ? ivec->data : NULL); + + krb5_crypto_destroy(context, crypto); + + return ret ; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_encrypt(krb5_context context, + const krb5_keyblock *key, + krb5_keyusage usage, + const krb5_data *ivec, + const krb5_data *input, + krb5_enc_data *output) +{ + krb5_error_code ret; + krb5_crypto crypto; + + ret = krb5_crypto_init(context, key, 0, &crypto); + if (ret) + return ret; + + if (ivec) { + size_t blocksize; + + ret = krb5_crypto_getblocksize(context, crypto, &blocksize); + if (ret) { + krb5_crypto_destroy(context, crypto); + return ret; + } + + if (blocksize > ivec->length) { + krb5_crypto_destroy(context, crypto); + return KRB5_BAD_MSIZE; + } + } + + ret = krb5_encrypt_ivec(context, crypto, usage, + input->data, input->length, + &output->ciphertext, + ivec ? ivec->data : NULL); + output->kvno = 0; + krb5_crypto_getenctype(context, crypto, &output->enctype); + + krb5_crypto_destroy(context, crypto); + + return ret ; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_encrypt_length(krb5_context context, + krb5_enctype enctype, + size_t inputlen, + size_t *length) +{ + krb5_error_code ret; + krb5_crypto crypto; + krb5_keyblock key; + + ret = krb5_generate_random_keyblock(context, enctype, &key); + if (ret) + return ret; + + ret = krb5_crypto_init(context, &key, 0, &crypto); + krb5_free_keyblock_contents(context, &key); + if (ret) + return ret; + + *length = krb5_get_wrapped_length(context, crypto, inputlen); + krb5_crypto_destroy(context, crypto); + + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_enctype_compare(krb5_context context, + krb5_enctype e1, + krb5_enctype e2, + krb5_boolean *similar) +{ + *similar = krb5_enctypes_compatible_keys(context, e1, e2); + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_make_random_key(krb5_context context, + krb5_enctype enctype, + krb5_keyblock *random_key) +{ + return krb5_generate_random_keyblock(context, enctype, random_key); +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_keylengths(krb5_context context, + krb5_enctype enctype, + size_t *ilen, + size_t *keylen) +{ + krb5_error_code ret; + + ret = krb5_enctype_keybits(context, enctype, ilen); + if (ret) + return ret; + *ilen = (*ilen + 7) / 8; + return krb5_enctype_keysize(context, enctype, keylen); +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_prf_length(krb5_context context, + krb5_enctype type, + size_t *length) +{ + return krb5_crypto_prf_length(context, type, length); +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_prf(krb5_context context, + const krb5_keyblock *key, + const krb5_data *input, + krb5_data *output) +{ + krb5_crypto crypto; + krb5_error_code ret; + + ret = krb5_crypto_init(context, key, 0, &crypto); + if (ret) + return ret; + + ret = krb5_crypto_prf(context, crypto, input, output); + krb5_crypto_destroy(context, crypto); + + return ret; +} diff --git a/crypto/heimdal/lib/krb5/mk_error.c b/crypto/heimdal/lib/krb5/mk_error.c index ae9e10a5efbb..704664993435 100644 --- a/crypto/heimdal/lib/krb5/mk_error.c +++ b/crypto/heimdal/lib/krb5/mk_error.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,9 +33,9 @@ #include "krb5_locl.h" -RCSID("$Id: mk_error.c,v 1.18 2002/09/04 16:26:04 joda Exp $"); +RCSID("$Id: mk_error.c 15457 2005-06-16 21:16:40Z lha $"); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_mk_error(krb5_context context, krb5_error_code error_code, const char *e_text, @@ -47,7 +47,8 @@ krb5_mk_error(krb5_context context, krb5_data *reply) { KRB_ERROR msg; - int32_t sec, usec; + krb5_timestamp sec; + int32_t usec; size_t len; krb5_error_code ret = 0; @@ -68,9 +69,9 @@ krb5_mk_error(krb5_context context, } msg.error_code = error_code - KRB5KDC_ERR_NONE; if (e_text) - msg.e_text = (general_string*)&e_text; + msg.e_text = rk_UNCONST(&e_text); if (e_data) - msg.e_data = (octet_string*)e_data; + msg.e_data = rk_UNCONST(e_data); if(server){ msg.realm = server->realm; msg.sname = server->name; diff --git a/crypto/heimdal/lib/krb5/mk_priv.c b/crypto/heimdal/lib/krb5/mk_priv.c index b89f7e97218d..87e429af8cba 100644 --- a/crypto/heimdal/lib/krb5/mk_priv.c +++ b/crypto/heimdal/lib/krb5/mk_priv.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,103 +33,123 @@ #include <krb5_locl.h> -RCSID("$Id: mk_priv.c,v 1.31 2002/09/04 16:26:04 joda Exp $"); +RCSID("$Id: mk_priv.c 16680 2006-02-01 12:39:26Z lha $"); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_mk_priv(krb5_context context, krb5_auth_context auth_context, const krb5_data *userdata, krb5_data *outbuf, - /*krb5_replay_data*/ void *outdata) + krb5_replay_data *outdata) { - krb5_error_code ret; - KRB_PRIV s; - EncKrbPrivPart part; - u_char *buf; - size_t buf_size; - size_t len; - u_int32_t tmp_seq; - krb5_keyblock *key; - int32_t sec, usec; - KerberosTime sec2; - int usec2; - krb5_crypto crypto; - - if (auth_context->local_subkey) - key = auth_context->local_subkey; - else if (auth_context->remote_subkey) - key = auth_context->remote_subkey; - else - key = auth_context->keyblock; - - krb5_us_timeofday (context, &sec, &usec); - - part.user_data = *userdata; - sec2 = sec; - part.timestamp = &sec2; - usec2 = usec; - part.usec = &usec2; - if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { - tmp_seq = auth_context->local_seqnumber; - part.seq_number = &tmp_seq; - } else { - part.seq_number = NULL; - } - - part.s_address = auth_context->local_address; - part.r_address = auth_context->remote_address; - - krb5_data_zero (&s.enc_part.cipher); - - ASN1_MALLOC_ENCODE(EncKrbPrivPart, buf, buf_size, &part, &len, ret); - if (ret) - goto fail; - - s.pvno = 5; - s.msg_type = krb_priv; - s.enc_part.etype = key->keytype; - s.enc_part.kvno = NULL; - - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret) { - free (buf); - return ret; - } - ret = krb5_encrypt (context, - crypto, - KRB5_KU_KRB_PRIV, - buf + buf_size - len, - len, - &s.enc_part.cipher); - krb5_crypto_destroy(context, crypto); - if (ret) { - free(buf); - return ret; - } - free(buf); - - - ASN1_MALLOC_ENCODE(KRB_PRIV, buf, buf_size, &s, &len, ret); - - if(ret) - goto fail; - krb5_data_free (&s.enc_part.cipher); - - ret = krb5_data_copy(outbuf, buf + buf_size - len, len); - if (ret) { - krb5_set_error_string (context, "malloc: out of memory"); - free(buf); - return ENOMEM; - } - free (buf); - if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) - auth_context->local_seqnumber = - (auth_context->local_seqnumber + 1) & 0xFFFFFFFF; - return 0; - -fail: - free (buf); - krb5_data_free (&s.enc_part.cipher); - return ret; + krb5_error_code ret; + KRB_PRIV s; + EncKrbPrivPart part; + u_char *buf = NULL; + size_t buf_size; + size_t len; + krb5_crypto crypto; + krb5_keyblock *key; + krb5_replay_data rdata; + + if ((auth_context->flags & + (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && + outdata == NULL) + return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */ + + if (auth_context->local_subkey) + key = auth_context->local_subkey; + else if (auth_context->remote_subkey) + key = auth_context->remote_subkey; + else + key = auth_context->keyblock; + + memset(&rdata, 0, sizeof(rdata)); + + part.user_data = *userdata; + + krb5_us_timeofday (context, &rdata.timestamp, &rdata.usec); + + if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) { + part.timestamp = &rdata.timestamp; + part.usec = &rdata.usec; + } else { + part.timestamp = NULL; + part.usec = NULL; + } + + if (auth_context->flags & KRB5_AUTH_CONTEXT_RET_TIME) { + outdata->timestamp = rdata.timestamp; + outdata->usec = rdata.usec; + } + + if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { + rdata.seq = auth_context->local_seqnumber; + part.seq_number = &rdata.seq; + } else + part.seq_number = NULL; + + if (auth_context->flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE) + outdata->seq = auth_context->local_seqnumber; + + part.s_address = auth_context->local_address; + part.r_address = auth_context->remote_address; + + krb5_data_zero (&s.enc_part.cipher); + + ASN1_MALLOC_ENCODE(EncKrbPrivPart, buf, buf_size, &part, &len, ret); + if (ret) + goto fail; + if (buf_size != len) + krb5_abortx(context, "internal error in ASN.1 encoder"); + + s.pvno = 5; + s.msg_type = krb_priv; + s.enc_part.etype = key->keytype; + s.enc_part.kvno = NULL; + + ret = krb5_crypto_init(context, key, 0, &crypto); + if (ret) { + free (buf); + return ret; + } + ret = krb5_encrypt (context, + crypto, + KRB5_KU_KRB_PRIV, + buf + buf_size - len, + len, + &s.enc_part.cipher); + krb5_crypto_destroy(context, crypto); + if (ret) { + free(buf); + return ret; + } + free(buf); + + + ASN1_MALLOC_ENCODE(KRB_PRIV, buf, buf_size, &s, &len, ret); + if (ret) + goto fail; + if (buf_size != len) + krb5_abortx(context, "internal error in ASN.1 encoder"); + + krb5_data_free (&s.enc_part.cipher); + + ret = krb5_data_copy(outbuf, buf + buf_size - len, len); + if (ret) { + krb5_set_error_string (context, "malloc: out of memory"); + free(buf); + return ENOMEM; + } + free (buf); + if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) + auth_context->local_seqnumber = + (auth_context->local_seqnumber + 1) & 0xFFFFFFFF; + return 0; + + fail: + free (buf); + krb5_data_free (&s.enc_part.cipher); + return ret; } diff --git a/crypto/heimdal/lib/krb5/mk_rep.c b/crypto/heimdal/lib/krb5/mk_rep.c index 1026df0f3328..570a83720132 100644 --- a/crypto/heimdal/lib/krb5/mk_rep.c +++ b/crypto/heimdal/lib/krb5/mk_rep.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,9 +33,9 @@ #include <krb5_locl.h> -RCSID("$Id: mk_rep.c,v 1.21 2002/12/19 13:30:36 joda Exp $"); +RCSID("$Id: mk_rep.c 13863 2004-05-25 21:46:46Z lha $"); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_mk_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *outbuf) @@ -55,14 +55,37 @@ krb5_mk_rep(krb5_context context, body.ctime = auth_context->authenticator->ctime; body.cusec = auth_context->authenticator->cusec; - body.subkey = NULL; + if (auth_context->flags & KRB5_AUTH_CONTEXT_USE_SUBKEY) { + if (auth_context->local_subkey == NULL) { + ret = krb5_auth_con_generatelocalsubkey(context, + auth_context, + auth_context->keyblock); + if(ret) { + krb5_set_error_string (context, + "krb5_mk_rep: generating subkey"); + free_EncAPRepPart(&body); + return ret; + } + } + ret = krb5_copy_keyblock(context, auth_context->local_subkey, + &body.subkey); + if (ret) { + krb5_set_error_string (context, + "krb5_copy_keyblock: out of memory"); + free_EncAPRepPart(&body); + return ENOMEM; + } + } else + body.subkey = NULL; if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { - krb5_generate_seq_number (context, - auth_context->keyblock, - &auth_context->local_seqnumber); - body.seq_number = malloc (sizeof(*body.seq_number)); + if(auth_context->local_seqnumber == 0) + krb5_generate_seq_number (context, + auth_context->keyblock, + &auth_context->local_seqnumber); + ALLOC(body.seq_number, 1); if (body.seq_number == NULL) { krb5_set_error_string (context, "malloc: out of memory"); + free_EncAPRepPart(&body); return ENOMEM; } *(body.seq_number) = auth_context->local_seqnumber; @@ -76,6 +99,8 @@ krb5_mk_rep(krb5_context context, free_EncAPRepPart (&body); if(ret) return ret; + if (buf_size != len) + krb5_abortx(context, "internal error in ASN.1 encoder"); ret = krb5_crypto_init(context, auth_context->keyblock, 0 /* ap.enc_part.etype */, &crypto); if (ret) { @@ -94,6 +119,8 @@ krb5_mk_rep(krb5_context context, return ret; ASN1_MALLOC_ENCODE(AP_REP, outbuf->data, outbuf->length, &ap, &len, ret); + if (ret == 0 && outbuf->length != len) + krb5_abortx(context, "internal error in ASN.1 encoder"); free_AP_REP (&ap); return ret; } diff --git a/crypto/heimdal/lib/krb5/mk_req.c b/crypto/heimdal/lib/krb5/mk_req.c index a554123b0081..5f64f01e9560 100644 --- a/crypto/heimdal/lib/krb5/mk_req.c +++ b/crypto/heimdal/lib/krb5/mk_req.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,9 +33,9 @@ #include <krb5_locl.h> -RCSID("$Id: mk_req.c,v 1.24 2001/06/18 20:05:52 joda Exp $"); +RCSID("$Id: mk_req.c 13863 2004-05-25 21:46:46Z lha $"); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_mk_req_exact(krb5_context context, krb5_auth_context *auth_context, const krb5_flags ap_req_options, @@ -56,7 +56,7 @@ krb5_mk_req_exact(krb5_context context, ret = krb5_copy_principal (context, server, &this_cred.server); if (ret) { - krb5_free_creds_contents (context, &this_cred); + krb5_free_cred_contents (context, &this_cred); return ret; } @@ -65,7 +65,7 @@ krb5_mk_req_exact(krb5_context context, this_cred.session.keytype = (*auth_context)->keytype; ret = krb5_get_credentials (context, 0, ccache, &this_cred, &cred); - krb5_free_creds_contents(context, &this_cred); + krb5_free_cred_contents(context, &this_cred); if (ret) return ret; @@ -79,7 +79,7 @@ krb5_mk_req_exact(krb5_context context, return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_mk_req(krb5_context context, krb5_auth_context *auth_context, const krb5_flags ap_req_options, diff --git a/crypto/heimdal/lib/krb5/mk_req_ext.c b/crypto/heimdal/lib/krb5/mk_req_ext.c index 922be9e0b4da..b6d55c8815ac 100644 --- a/crypto/heimdal/lib/krb5/mk_req_ext.c +++ b/crypto/heimdal/lib/krb5/mk_req_ext.c @@ -33,134 +33,120 @@ #include <krb5_locl.h> -RCSID("$Id: mk_req_ext.c,v 1.26.4.1 2003/09/18 20:34:30 lha Exp $"); +RCSID("$Id: mk_req_ext.c 19511 2006-12-27 12:07:22Z lha $"); krb5_error_code -krb5_mk_req_internal(krb5_context context, - krb5_auth_context *auth_context, - const krb5_flags ap_req_options, - krb5_data *in_data, - krb5_creds *in_creds, - krb5_data *outbuf, - krb5_key_usage checksum_usage, - krb5_key_usage encrypt_usage) +_krb5_mk_req_internal(krb5_context context, + krb5_auth_context *auth_context, + const krb5_flags ap_req_options, + krb5_data *in_data, + krb5_creds *in_creds, + krb5_data *outbuf, + krb5_key_usage checksum_usage, + krb5_key_usage encrypt_usage) { - krb5_error_code ret; - krb5_data authenticator; - Checksum c; - Checksum *c_opt; - krb5_auth_context ac; + krb5_error_code ret; + krb5_data authenticator; + Checksum c; + Checksum *c_opt; + krb5_auth_context ac; - if(auth_context) { - if(*auth_context == NULL) - ret = krb5_auth_con_init(context, auth_context); - else - ret = 0; - ac = *auth_context; - } else - ret = krb5_auth_con_init(context, &ac); - if(ret) - return ret; + if(auth_context) { + if(*auth_context == NULL) + ret = krb5_auth_con_init(context, auth_context); + else + ret = 0; + ac = *auth_context; + } else + ret = krb5_auth_con_init(context, &ac); + if(ret) + return ret; - if(ac->local_subkey == NULL && (ap_req_options & AP_OPTS_USE_SUBKEY)) { - ret = krb5_auth_con_generatelocalsubkey(context, ac, &in_creds->session); - if(ret) - return ret; - } + if(ac->local_subkey == NULL && (ap_req_options & AP_OPTS_USE_SUBKEY)) { + ret = krb5_auth_con_generatelocalsubkey(context, + ac, + &in_creds->session); + if(ret) + goto out; + } -#if 0 - { - /* This is somewhat bogus since we're possibly overwriting a - value specified by the user, but it's the easiest way to make - the code use a compatible enctype */ - Ticket ticket; - krb5_keytype ticket_keytype; + krb5_free_keyblock(context, ac->keyblock); + ret = krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock); + if (ret) + goto out; + + /* it's unclear what type of checksum we can use. try the best one, except: + * a) if it's configured differently for the current realm, or + * b) if the session key is des-cbc-crc + */ - ret = decode_Ticket(in_creds->ticket.data, - in_creds->ticket.length, - &ticket, - NULL); - krb5_enctype_to_keytype (context, - ticket.enc_part.etype, - &ticket_keytype); + if (in_data) { + if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) { + /* this is to make DCE secd (and older MIT kdcs?) happy */ + ret = krb5_create_checksum(context, + NULL, + 0, + CKSUMTYPE_RSA_MD4, + in_data->data, + in_data->length, + &c); + } else if(ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5 || + ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5_56 || + ac->keyblock->keytype == ETYPE_DES_CBC_MD4 || + ac->keyblock->keytype == ETYPE_DES_CBC_MD5) { + /* this is to make MS kdc happy */ + ret = krb5_create_checksum(context, + NULL, + 0, + CKSUMTYPE_RSA_MD5, + in_data->data, + in_data->length, + &c); + } else { + krb5_crypto crypto; - if (ticket_keytype == in_creds->session.keytype) - krb5_auth_setenctype(context, - ac, - ticket.enc_part.etype); - free_Ticket(&ticket); - } -#endif + ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto); + if (ret) + goto out; + ret = krb5_create_checksum(context, + crypto, + checksum_usage, + 0, + in_data->data, + in_data->length, + &c); + krb5_crypto_destroy(context, crypto); + } + c_opt = &c; + } else { + c_opt = NULL; + } - krb5_free_keyblock(context, ac->keyblock); - krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock); + if (ret) + goto out; - /* it's unclear what type of checksum we can use. try the best one, except: - * a) if it's configured differently for the current realm, or - * b) if the session key is des-cbc-crc - */ + ret = krb5_build_authenticator (context, + ac, + ac->keyblock->keytype, + in_creds, + c_opt, + NULL, + &authenticator, + encrypt_usage); + if (c_opt) + free_Checksum (c_opt); + if (ret) + goto out; - if (in_data) { - if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) { - /* this is to make DCE secd (and older MIT kdcs?) happy */ - ret = krb5_create_checksum(context, - NULL, - 0, - CKSUMTYPE_RSA_MD4, - in_data->data, - in_data->length, - &c); - } else if(ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5) { - /* this is to make MS kdc happy */ - ret = krb5_create_checksum(context, - NULL, - 0, - CKSUMTYPE_RSA_MD5, - in_data->data, - in_data->length, - &c); - } else { - krb5_crypto crypto; - - ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto); - if (ret) - return ret; - ret = krb5_create_checksum(context, - crypto, - checksum_usage, - 0, - in_data->data, - in_data->length, - &c); - - krb5_crypto_destroy(context, crypto); - } - c_opt = &c; - } else { - c_opt = NULL; - } - - ret = krb5_build_authenticator (context, - ac, - ac->keyblock->keytype, - in_creds, - c_opt, - NULL, - &authenticator, - encrypt_usage); - if (c_opt) - free_Checksum (c_opt); - if (ret) + ret = krb5_build_ap_req (context, ac->keyblock->keytype, + in_creds, ap_req_options, authenticator, outbuf); +out: + if(auth_context == NULL) + krb5_auth_con_free(context, ac); return ret; - - ret = krb5_build_ap_req (context, ac->keyblock->keytype, - in_creds, ap_req_options, authenticator, outbuf); - if(auth_context == NULL) - krb5_auth_con_free(context, ac); - return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, const krb5_flags ap_req_options, @@ -168,7 +154,7 @@ krb5_mk_req_extended(krb5_context context, krb5_creds *in_creds, krb5_data *outbuf) { - return krb5_mk_req_internal (context, + return _krb5_mk_req_internal (context, auth_context, ap_req_options, in_data, diff --git a/crypto/heimdal/lib/krb5/mk_safe.c b/crypto/heimdal/lib/krb5/mk_safe.c index 8bfa06675997..0b75759a5f65 100644 --- a/crypto/heimdal/lib/krb5/mk_safe.c +++ b/crypto/heimdal/lib/krb5/mk_safe.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,92 +33,109 @@ #include <krb5_locl.h> -RCSID("$Id: mk_safe.c,v 1.28.4.1 2004/03/07 12:46:43 lha Exp $"); +RCSID("$Id: mk_safe.c 13863 2004-05-25 21:46:46Z lha $"); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_mk_safe(krb5_context context, krb5_auth_context auth_context, const krb5_data *userdata, krb5_data *outbuf, - /*krb5_replay_data*/ void *outdata) + krb5_replay_data *outdata) { - krb5_error_code ret; - KRB_SAFE s; - int32_t sec, usec; - KerberosTime sec2; - int usec2; - u_char *buf = NULL; - size_t buf_size; - size_t len; - u_int32_t tmp_seq; - krb5_crypto crypto; - krb5_keyblock *key; - - if (auth_context->local_subkey) - key = auth_context->local_subkey; - else if (auth_context->remote_subkey) - key = auth_context->remote_subkey; - else - key = auth_context->keyblock; - - s.pvno = 5; - s.msg_type = krb_safe; - - s.safe_body.user_data = *userdata; - krb5_us_timeofday (context, &sec, &usec); - - sec2 = sec; - s.safe_body.timestamp = &sec2; - usec2 = usec; - s.safe_body.usec = &usec2; - if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { - tmp_seq = auth_context->local_seqnumber; - s.safe_body.seq_number = &tmp_seq; - } else - s.safe_body.seq_number = NULL; - - s.safe_body.s_address = auth_context->local_address; - s.safe_body.r_address = auth_context->remote_address; - - s.cksum.cksumtype = 0; - s.cksum.checksum.data = NULL; - s.cksum.checksum.length = 0; - - ASN1_MALLOC_ENCODE(KRB_SAFE, buf, buf_size, &s, &len, ret); - if (ret) - return ret; - if(buf_size != len) - krb5_abortx(context, "internal error in ASN.1 encoder"); - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret) { - free (buf); - return ret; - } - ret = krb5_create_checksum(context, - crypto, - KRB5_KU_KRB_SAFE_CKSUM, - 0, - buf, - len, - &s.cksum); - krb5_crypto_destroy(context, crypto); - if (ret) { - free (buf); - return ret; - } - - free(buf); - ASN1_MALLOC_ENCODE(KRB_SAFE, buf, buf_size, &s, &len, ret); - free_Checksum (&s.cksum); - if(ret) - return ret; - if(buf_size != len) - krb5_abortx(context, "internal error in ASN.1 encoder"); - - outbuf->length = len; - outbuf->data = buf; - if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) - auth_context->local_seqnumber = - (auth_context->local_seqnumber + 1) & 0xFFFFFFFF; - return 0; + krb5_error_code ret; + KRB_SAFE s; + u_char *buf = NULL; + size_t buf_size; + size_t len; + krb5_crypto crypto; + krb5_keyblock *key; + krb5_replay_data rdata; + + if ((auth_context->flags & + (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && + outdata == NULL) + return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */ + + if (auth_context->local_subkey) + key = auth_context->local_subkey; + else if (auth_context->remote_subkey) + key = auth_context->remote_subkey; + else + key = auth_context->keyblock; + + s.pvno = 5; + s.msg_type = krb_safe; + + memset(&rdata, 0, sizeof(rdata)); + + s.safe_body.user_data = *userdata; + + krb5_us_timeofday (context, &rdata.timestamp, &rdata.usec); + + if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) { + s.safe_body.timestamp = &rdata.timestamp; + s.safe_body.usec = &rdata.usec; + } else { + s.safe_body.timestamp = NULL; + s.safe_body.usec = NULL; + } + + if (auth_context->flags & KRB5_AUTH_CONTEXT_RET_TIME) { + outdata->timestamp = rdata.timestamp; + outdata->usec = rdata.usec; + } + + if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { + rdata.seq = auth_context->local_seqnumber; + s.safe_body.seq_number = &rdata.seq; + } else + s.safe_body.seq_number = NULL; + + if (auth_context->flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE) + outdata->seq = auth_context->local_seqnumber; + + s.safe_body.s_address = auth_context->local_address; + s.safe_body.r_address = auth_context->remote_address; + + s.cksum.cksumtype = 0; + s.cksum.checksum.data = NULL; + s.cksum.checksum.length = 0; + + ASN1_MALLOC_ENCODE(KRB_SAFE, buf, buf_size, &s, &len, ret); + if (ret) + return ret; + if(buf_size != len) + krb5_abortx(context, "internal error in ASN.1 encoder"); + ret = krb5_crypto_init(context, key, 0, &crypto); + if (ret) { + free (buf); + return ret; + } + ret = krb5_create_checksum(context, + crypto, + KRB5_KU_KRB_SAFE_CKSUM, + 0, + buf, + len, + &s.cksum); + krb5_crypto_destroy(context, crypto); + if (ret) { + free (buf); + return ret; + } + + free(buf); + ASN1_MALLOC_ENCODE(KRB_SAFE, buf, buf_size, &s, &len, ret); + free_Checksum (&s.cksum); + if(ret) + return ret; + if(buf_size != len) + krb5_abortx(context, "internal error in ASN.1 encoder"); + + outbuf->length = len; + outbuf->data = buf; + if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) + auth_context->local_seqnumber = + (auth_context->local_seqnumber + 1) & 0xFFFFFFFF; + return 0; } diff --git a/crypto/heimdal/lib/krb5/n-fold-test.c b/crypto/heimdal/lib/krb5/n-fold-test.c index 7cf49051435e..248e232c0569 100644 --- a/crypto/heimdal/lib/krb5/n-fold-test.c +++ b/crypto/heimdal/lib/krb5/n-fold-test.c @@ -32,7 +32,7 @@ #include "krb5_locl.h" -RCSID("$Id: n-fold-test.c,v 1.4 2001/03/12 07:42:30 assar Exp $"); +RCSID("$Id: n-fold-test.c 21745 2007-07-31 16:11:25Z lha $"); enum { MAXSIZE = 24 }; @@ -102,7 +102,9 @@ main(int argc, char **argv) for (t = tests; t->str; ++t) { int i; - _krb5_n_fold (t->str, strlen(t->str), data, t->n); + ret = _krb5_n_fold (t->str, strlen(t->str), data, t->n); + if (ret) + errx(1, "out of memory"); if (memcmp (data, t->res, t->n) != 0) { printf ("n-fold(\"%s\", %d) failed\n", t->str, t->n); printf ("should be: "); diff --git a/crypto/heimdal/lib/krb5/n-fold.c b/crypto/heimdal/lib/krb5/n-fold.c index d0db5e81cbaa..53528cfd1f78 100644 --- a/crypto/heimdal/lib/krb5/n-fold.c +++ b/crypto/heimdal/lib/krb5/n-fold.c @@ -32,21 +32,23 @@ #include "krb5_locl.h" -RCSID("$Id: n-fold.c,v 1.6 1999/08/27 09:03:41 joda Exp $"); +RCSID("$Id: n-fold.c 22190 2007-12-06 16:24:22Z lha $"); -static void +static krb5_error_code rr13(unsigned char *buf, size_t len) { unsigned char *tmp; int bytes = (len + 7) / 8; int i; if(len == 0) - return; + return 0; { const int bits = 13 % len; const int lbit = len % 8; tmp = malloc(bytes); + if (tmp == NULL) + return ENOMEM; memcpy(tmp, buf, bytes); if(lbit) { /* pad final byte with inital bits */ @@ -75,9 +77,10 @@ rr13(unsigned char *buf, size_t len) } free(tmp); } + return 0; } -/* Add `b' to `a', both beeing one's complement numbers. */ +/* Add `b' to `a', both being one's complement numbers. */ static void add1(unsigned char *a, unsigned char *b, size_t len) { @@ -95,22 +98,28 @@ add1(unsigned char *a, unsigned char *b, size_t len) } } -void +krb5_error_code KRB5_LIB_FUNCTION _krb5_n_fold(const void *str, size_t len, void *key, size_t size) { /* if len < size we need at most N * len bytes, ie < 2 * size; if len > size we need at most 2 * len */ + krb5_error_code ret = 0; size_t maxlen = 2 * max(size, len); size_t l = 0; unsigned char *tmp = malloc(maxlen); unsigned char *buf = malloc(len); + if (tmp == NULL || buf == NULL) + return ENOMEM; + memcpy(buf, str, len); memset(key, 0, size); do { memcpy(tmp + l, buf, len); l += len; - rr13(buf, len * 8); + ret = rr13(buf, len * 8); + if (ret) + goto out; while(l >= size) { add1(key, tmp, size); l -= size; @@ -119,8 +128,10 @@ _krb5_n_fold(const void *str, size_t len, void *key, size_t size) memmove(tmp, tmp + size, l); } } while(l != 0); +out: memset(buf, 0, len); free(buf); memset(tmp, 0, maxlen); free(tmp); + return ret; } diff --git a/crypto/heimdal/lib/krb5/name-45-test.c b/crypto/heimdal/lib/krb5/name-45-test.c index f1455cddd2a7..0bb05f5531a5 100644 --- a/crypto/heimdal/lib/krb5/name-45-test.c +++ b/crypto/heimdal/lib/krb5/name-45-test.c @@ -31,8 +31,9 @@ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "krb5_locl.h" +#include <err.h> -RCSID("$Id: name-45-test.c,v 1.3.2.1 2003/05/06 16:49:14 joda Exp $"); +RCSID("$Id: name-45-test.c 19763 2007-01-08 13:35:49Z lha $"); enum { MAX_COMPONENTS = 3 }; @@ -58,10 +59,10 @@ static struct testcase { {"krbtgt", "FOO.SE", "FOO.SE", "FOO.SE", 2, {"krbtgt", "FOO.SE"}, NULL, 0, 0}, - {"foo", "bar", "BAZ", "BAZ", 2, - {"foo", "bar"}, NULL, 0, 0}, - {"foo", "bar", "BAZ", "BAZ", 2, - {"foo", "bar"}, + {"foo", "bar2", "BAZ", "BAZ", 2, + {"foo", "bar2"}, NULL, 0, 0}, + {"foo", "bar2", "BAZ", "BAZ", 2, + {"foo", "bar2"}, "[libdefaults]\n" " v4_name_convert = {\n" " host = {\n" @@ -69,8 +70,8 @@ static struct testcase { " }\n" "}\n", HEIM_ERR_V4_PRINC_NO_CONV, 0}, - {"foo", "bar", "BAZ", "BAZ", 2, - {"foo5", "bar.baz"}, + {"foo", "bar2", "BAZ", "BAZ", 2, + {"foo5", "bar2.baz"}, "[realms]\n" " BAZ = {\n" " v4_name_convert = {\n" @@ -79,7 +80,7 @@ static struct testcase { " }\n" " }\n" " v4_instance_convert = {\n" - " bar = bar.baz\n" + " bar2 = bar2.baz\n" " }\n" " }\n", 0, 0}, @@ -152,8 +153,15 @@ main(int argc, char **argv) struct testcase *t; krb5_context context; krb5_error_code ret; + char hostname[1024]; int val = 0; + setprogname(argv[0]); + + gethostname(hostname, sizeof(hostname)); + if (!(strstr(hostname, "kth.se") != NULL || strstr(hostname, "su.se") != NULL)) + return 0; + for (t = tests; t->v4_name; ++t) { krb5_principal princ; int i; @@ -207,12 +215,15 @@ main(int argc, char **argv) t->v4_name, t->v4_inst, t->v4_realm, s); free(s); val = 1; + krb5_free_context(context); continue; } } - if (ret) + if (ret) { + krb5_free_context(context); continue; + } if (strcmp (t->v5_realm, princ->realm) != 0) { printf ("wrong realm (\"%s\" should be \"%s\")" @@ -266,15 +277,18 @@ main(int argc, char **argv) "krb5_524_conv_principal %s " "passed unexpected", printable_princ); val = 1; + krb5_free_context(context); continue; } } if (ret) { krb5_free_principal (context, princ); + krb5_free_context(context); continue; } krb5_free_principal (context, princ); + krb5_free_context(context); } return val; } diff --git a/crypto/heimdal/lib/krb5/net_read.c b/crypto/heimdal/lib/krb5/net_read.c index 38ff0ea639a3..f0fa2ce7a0e9 100644 --- a/crypto/heimdal/lib/krb5/net_read.c +++ b/crypto/heimdal/lib/krb5/net_read.c @@ -33,9 +33,9 @@ #include "krb5_locl.h" -RCSID("$Id: net_read.c,v 1.6 2002/08/21 09:08:06 joda Exp $"); +RCSID("$Id: net_read.c 13863 2004-05-25 21:46:46Z lha $"); -krb5_ssize_t +krb5_ssize_t KRB5_LIB_FUNCTION krb5_net_read (krb5_context context, void *p_fd, void *buf, diff --git a/crypto/heimdal/lib/krb5/net_write.c b/crypto/heimdal/lib/krb5/net_write.c index 5d87b9754761..868015fa9214 100644 --- a/crypto/heimdal/lib/krb5/net_write.c +++ b/crypto/heimdal/lib/krb5/net_write.c @@ -33,9 +33,9 @@ #include "krb5_locl.h" -RCSID("$Id: net_write.c,v 1.7 2002/08/21 09:08:07 joda Exp $"); +RCSID("$Id: net_write.c 13863 2004-05-25 21:46:46Z lha $"); -krb5_ssize_t +krb5_ssize_t KRB5_LIB_FUNCTION krb5_net_write (krb5_context context, void *p_fd, const void *buf, @@ -45,3 +45,61 @@ krb5_net_write (krb5_context context, return net_write (fd, buf, len); } + +krb5_ssize_t KRB5_LIB_FUNCTION +krb5_net_write_block(krb5_context context, + void *p_fd, + const void *buf, + size_t len, + time_t timeout) +{ + int fd = *((int *)p_fd); + int ret; + struct timeval tv, *tvp; + const char *cbuf = (const char *)buf; + size_t rem = len; + ssize_t count; + fd_set wfds; + + do { + FD_ZERO(&wfds); + FD_SET(fd, &wfds); + + if (timeout != 0) { + tv.tv_sec = timeout; + tv.tv_usec = 0; + tvp = &tv; + } else + tvp = NULL; + + ret = select(fd + 1, NULL, &wfds, NULL, tvp); + if (ret < 0) { + if (errno == EINTR) + continue; + return -1; + } else if (ret == 0) + return 0; + + if (!FD_ISSET(fd, &wfds)) { + errno = ETIMEDOUT; + return -1; + } + +#ifdef WIN32 + count = send (fd, cbuf, rem, 0); +#else + count = write (fd, cbuf, rem); +#endif + if (count < 0) { + if (errno == EINTR) + continue; + else + return count; + } + cbuf += count; + rem -= count; + + } while (rem > 0); + + return len; +} diff --git a/crypto/heimdal/lib/krb5/pac.c b/crypto/heimdal/lib/krb5/pac.c new file mode 100644 index 000000000000..1b21750e5d4d --- /dev/null +++ b/crypto/heimdal/lib/krb5/pac.c @@ -0,0 +1,1041 @@ +/* + * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5_locl.h" + +RCSID("$Id: pac.c 21934 2007-08-27 14:21:04Z lha $"); + +struct PAC_INFO_BUFFER { + uint32_t type; + uint32_t buffersize; + uint32_t offset_hi; + uint32_t offset_lo; +}; + +struct PACTYPE { + uint32_t numbuffers; + uint32_t version; + struct PAC_INFO_BUFFER buffers[1]; +}; + +struct krb5_pac_data { + struct PACTYPE *pac; + krb5_data data; + struct PAC_INFO_BUFFER *server_checksum; + struct PAC_INFO_BUFFER *privsvr_checksum; + struct PAC_INFO_BUFFER *logon_name; +}; + +#define PAC_ALIGNMENT 8 + +#define PACTYPE_SIZE 8 +#define PAC_INFO_BUFFER_SIZE 16 + +#define PAC_SERVER_CHECKSUM 6 +#define PAC_PRIVSVR_CHECKSUM 7 +#define PAC_LOGON_NAME 10 +#define PAC_CONSTRAINED_DELEGATION 11 + +#define CHECK(r,f,l) \ + do { \ + if (((r) = f ) != 0) { \ + krb5_clear_error_string(context); \ + goto l; \ + } \ + } while(0) + +static const char zeros[PAC_ALIGNMENT] = { 0 }; + +/* + * + */ + +krb5_error_code +krb5_pac_parse(krb5_context context, const void *ptr, size_t len, + krb5_pac *pac) +{ + krb5_error_code ret; + krb5_pac p; + krb5_storage *sp = NULL; + uint32_t i, tmp, tmp2, header_end; + + p = calloc(1, sizeof(*p)); + if (p == NULL) { + ret = ENOMEM; + krb5_set_error_string(context, "out of memory"); + goto out; + } + + sp = krb5_storage_from_readonly_mem(ptr, len); + if (sp == NULL) { + ret = ENOMEM; + krb5_set_error_string(context, "out of memory"); + goto out; + } + krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE); + + CHECK(ret, krb5_ret_uint32(sp, &tmp), out); + CHECK(ret, krb5_ret_uint32(sp, &tmp2), out); + if (tmp < 1) { + krb5_set_error_string(context, "PAC have too few buffer"); + ret = EINVAL; /* Too few buffers */ + goto out; + } + if (tmp2 != 0) { + krb5_set_error_string(context, "PAC have wrong version"); + ret = EINVAL; /* Wrong version */ + goto out; + } + + p->pac = calloc(1, + sizeof(*p->pac) + (sizeof(p->pac->buffers[0]) * (tmp - 1))); + if (p->pac == NULL) { + krb5_set_error_string(context, "out of memory"); + ret = ENOMEM; + goto out; + } + + p->pac->numbuffers = tmp; + p->pac->version = tmp2; + + header_end = PACTYPE_SIZE + (PAC_INFO_BUFFER_SIZE * p->pac->numbuffers); + if (header_end > len) { + ret = EINVAL; + goto out; + } + + for (i = 0; i < p->pac->numbuffers; i++) { + CHECK(ret, krb5_ret_uint32(sp, &p->pac->buffers[i].type), out); + CHECK(ret, krb5_ret_uint32(sp, &p->pac->buffers[i].buffersize), out); + CHECK(ret, krb5_ret_uint32(sp, &p->pac->buffers[i].offset_lo), out); + CHECK(ret, krb5_ret_uint32(sp, &p->pac->buffers[i].offset_hi), out); + + /* consistency checks */ + if (p->pac->buffers[i].offset_lo & (PAC_ALIGNMENT - 1)) { + krb5_set_error_string(context, "PAC out of allignment"); + ret = EINVAL; + goto out; + } + if (p->pac->buffers[i].offset_hi) { + krb5_set_error_string(context, "PAC high offset set"); + ret = EINVAL; + goto out; + } + if (p->pac->buffers[i].offset_lo > len) { + krb5_set_error_string(context, "PAC offset off end"); + ret = EINVAL; + goto out; + } + if (p->pac->buffers[i].offset_lo < header_end) { + krb5_set_error_string(context, "PAC offset inside header: %d %d", + p->pac->buffers[i].offset_lo, header_end); + ret = EINVAL; + goto out; + } + if (p->pac->buffers[i].buffersize > len - p->pac->buffers[i].offset_lo){ + krb5_set_error_string(context, "PAC length off end"); + ret = EINVAL; + goto out; + } + + /* let save pointer to data we need later */ + if (p->pac->buffers[i].type == PAC_SERVER_CHECKSUM) { + if (p->server_checksum) { + krb5_set_error_string(context, "PAC have two server checksums"); + ret = EINVAL; + goto out; + } + p->server_checksum = &p->pac->buffers[i]; + } else if (p->pac->buffers[i].type == PAC_PRIVSVR_CHECKSUM) { + if (p->privsvr_checksum) { + krb5_set_error_string(context, "PAC have two KDC checksums"); + ret = EINVAL; + goto out; + } + p->privsvr_checksum = &p->pac->buffers[i]; + } else if (p->pac->buffers[i].type == PAC_LOGON_NAME) { + if (p->logon_name) { + krb5_set_error_string(context, "PAC have two logon names"); + ret = EINVAL; + goto out; + } + p->logon_name = &p->pac->buffers[i]; + } + } + + ret = krb5_data_copy(&p->data, ptr, len); + if (ret) + goto out; + + krb5_storage_free(sp); + + *pac = p; + return 0; + +out: + if (sp) + krb5_storage_free(sp); + if (p) { + if (p->pac) + free(p->pac); + free(p); + } + *pac = NULL; + + return ret; +} + +krb5_error_code +krb5_pac_init(krb5_context context, krb5_pac *pac) +{ + krb5_error_code ret; + krb5_pac p; + + p = calloc(1, sizeof(*p)); + if (p == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + + p->pac = calloc(1, sizeof(*p->pac)); + if (p->pac == NULL) { + free(p); + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + + ret = krb5_data_alloc(&p->data, PACTYPE_SIZE); + if (ret) { + free (p->pac); + free(p); + krb5_set_error_string(context, "out of memory"); + return ret; + } + + + *pac = p; + return 0; +} + +krb5_error_code +krb5_pac_add_buffer(krb5_context context, krb5_pac p, + uint32_t type, const krb5_data *data) +{ + krb5_error_code ret; + void *ptr; + size_t len, offset, header_end, old_end; + uint32_t i; + + len = p->pac->numbuffers; + + ptr = realloc(p->pac, + sizeof(*p->pac) + (sizeof(p->pac->buffers[0]) * len)); + if (ptr == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + p->pac = ptr; + + for (i = 0; i < len; i++) + p->pac->buffers[i].offset_lo += PAC_INFO_BUFFER_SIZE; + + offset = p->data.length + PAC_INFO_BUFFER_SIZE; + + p->pac->buffers[len].type = type; + p->pac->buffers[len].buffersize = data->length; + p->pac->buffers[len].offset_lo = offset; + p->pac->buffers[len].offset_hi = 0; + + old_end = p->data.length; + len = p->data.length + data->length + PAC_INFO_BUFFER_SIZE; + if (len < p->data.length) { + krb5_set_error_string(context, "integer overrun"); + return EINVAL; + } + + /* align to PAC_ALIGNMENT */ + len = ((len + PAC_ALIGNMENT - 1) / PAC_ALIGNMENT) * PAC_ALIGNMENT; + + ret = krb5_data_realloc(&p->data, len); + if (ret) { + krb5_set_error_string(context, "out of memory"); + return ret; + } + + /* + * make place for new PAC INFO BUFFER header + */ + header_end = PACTYPE_SIZE + (PAC_INFO_BUFFER_SIZE * p->pac->numbuffers); + memmove((unsigned char *)p->data.data + header_end + PAC_INFO_BUFFER_SIZE, + (unsigned char *)p->data.data + header_end , + old_end - header_end); + memset((unsigned char *)p->data.data + header_end, 0, PAC_INFO_BUFFER_SIZE); + + /* + * copy in new data part + */ + + memcpy((unsigned char *)p->data.data + offset, + data->data, data->length); + memset((unsigned char *)p->data.data + offset + data->length, + 0, p->data.length - offset - data->length); + + p->pac->numbuffers += 1; + + return 0; +} + +krb5_error_code +krb5_pac_get_buffer(krb5_context context, krb5_pac p, + uint32_t type, krb5_data *data) +{ + krb5_error_code ret; + uint32_t i; + + /* + * Hide the checksums from external consumers + */ + + if (type == PAC_PRIVSVR_CHECKSUM || type == PAC_SERVER_CHECKSUM) { + ret = krb5_data_alloc(data, 16); + if (ret) { + krb5_set_error_string(context, "out of memory"); + return ret; + } + memset(data->data, 0, data->length); + return 0; + } + + for (i = 0; i < p->pac->numbuffers; i++) { + size_t len = p->pac->buffers[i].buffersize; + size_t offset = p->pac->buffers[i].offset_lo; + + if (p->pac->buffers[i].type != type) + continue; + + ret = krb5_data_copy(data, (unsigned char *)p->data.data + offset, len); + if (ret) { + krb5_set_error_string(context, "Out of memory"); + return ret; + } + return 0; + } + krb5_set_error_string(context, "No PAC buffer of type %lu was found", + (unsigned long)type); + return ENOENT; +} + +/* + * + */ + +krb5_error_code +krb5_pac_get_types(krb5_context context, + krb5_pac p, + size_t *len, + uint32_t **types) +{ + size_t i; + + *types = calloc(p->pac->numbuffers, sizeof(*types)); + if (*types == NULL) { + *len = 0; + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + for (i = 0; i < p->pac->numbuffers; i++) + (*types)[i] = p->pac->buffers[i].type; + *len = p->pac->numbuffers; + + return 0; +} + +/* + * + */ + +void +krb5_pac_free(krb5_context context, krb5_pac pac) +{ + krb5_data_free(&pac->data); + free(pac->pac); + free(pac); +} + +/* + * + */ + +static krb5_error_code +verify_checksum(krb5_context context, + const struct PAC_INFO_BUFFER *sig, + const krb5_data *data, + void *ptr, size_t len, + const krb5_keyblock *key) +{ + krb5_crypto crypto = NULL; + krb5_storage *sp = NULL; + uint32_t type; + krb5_error_code ret; + Checksum cksum; + + memset(&cksum, 0, sizeof(cksum)); + + sp = krb5_storage_from_mem((char *)data->data + sig->offset_lo, + sig->buffersize); + if (sp == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE); + + CHECK(ret, krb5_ret_uint32(sp, &type), out); + cksum.cksumtype = type; + cksum.checksum.length = + sig->buffersize - krb5_storage_seek(sp, 0, SEEK_CUR); + cksum.checksum.data = malloc(cksum.checksum.length); + if (cksum.checksum.data == NULL) { + krb5_set_error_string(context, "out of memory"); + ret = ENOMEM; + goto out; + } + ret = krb5_storage_read(sp, cksum.checksum.data, cksum.checksum.length); + if (ret != cksum.checksum.length) { + krb5_set_error_string(context, "PAC checksum missing checksum"); + ret = EINVAL; + goto out; + } + + if (!krb5_checksum_is_keyed(context, cksum.cksumtype)) { + krb5_set_error_string (context, "Checksum type %d not keyed", + cksum.cksumtype); + ret = EINVAL; + goto out; + } + + ret = krb5_crypto_init(context, key, 0, &crypto); + if (ret) + goto out; + + ret = krb5_verify_checksum(context, crypto, KRB5_KU_OTHER_CKSUM, + ptr, len, &cksum); + free(cksum.checksum.data); + krb5_crypto_destroy(context, crypto); + krb5_storage_free(sp); + + return ret; + +out: + if (cksum.checksum.data) + free(cksum.checksum.data); + if (sp) + krb5_storage_free(sp); + if (crypto) + krb5_crypto_destroy(context, crypto); + return ret; +} + +static krb5_error_code +create_checksum(krb5_context context, + const krb5_keyblock *key, + void *data, size_t datalen, + void *sig, size_t siglen) +{ + krb5_crypto crypto = NULL; + krb5_error_code ret; + Checksum cksum; + + ret = krb5_crypto_init(context, key, 0, &crypto); + if (ret) + return ret; + + ret = krb5_create_checksum(context, crypto, KRB5_KU_OTHER_CKSUM, 0, + data, datalen, &cksum); + krb5_crypto_destroy(context, crypto); + if (ret) + return ret; + + if (cksum.checksum.length != siglen) { + krb5_set_error_string(context, "pac checksum wrong length"); + free_Checksum(&cksum); + return EINVAL; + } + + memcpy(sig, cksum.checksum.data, siglen); + free_Checksum(&cksum); + + return 0; +} + + +/* + * + */ + +#define NTTIME_EPOCH 0x019DB1DED53E8000LL + +static uint64_t +unix2nttime(time_t unix_time) +{ + long long wt; + wt = unix_time * (uint64_t)10000000 + (uint64_t)NTTIME_EPOCH; + return wt; +} + +static krb5_error_code +verify_logonname(krb5_context context, + const struct PAC_INFO_BUFFER *logon_name, + const krb5_data *data, + time_t authtime, + krb5_const_principal principal) +{ + krb5_error_code ret; + krb5_principal p2; + uint32_t time1, time2; + krb5_storage *sp; + uint16_t len; + char *s; + + sp = krb5_storage_from_readonly_mem((const char *)data->data + logon_name->offset_lo, + logon_name->buffersize); + if (sp == NULL) { + krb5_set_error_string(context, "Out of memory"); + return ENOMEM; + } + + krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE); + + CHECK(ret, krb5_ret_uint32(sp, &time1), out); + CHECK(ret, krb5_ret_uint32(sp, &time2), out); + + { + uint64_t t1, t2; + t1 = unix2nttime(authtime); + t2 = ((uint64_t)time2 << 32) | time1; + if (t1 != t2) { + krb5_storage_free(sp); + krb5_set_error_string(context, "PAC timestamp mismatch"); + return EINVAL; + } + } + CHECK(ret, krb5_ret_uint16(sp, &len), out); + if (len == 0) { + krb5_storage_free(sp); + krb5_set_error_string(context, "PAC logon name length missing"); + return EINVAL; + } + + s = malloc(len); + if (s == NULL) { + krb5_storage_free(sp); + krb5_set_error_string(context, "Out of memory"); + return ENOMEM; + } + ret = krb5_storage_read(sp, s, len); + if (ret != len) { + krb5_storage_free(sp); + krb5_set_error_string(context, "Failed to read pac logon name"); + return EINVAL; + } + krb5_storage_free(sp); +#if 1 /* cheat for now */ + { + size_t i; + + if (len & 1) { + krb5_set_error_string(context, "PAC logon name malformed"); + return EINVAL; + } + + for (i = 0; i < len / 2; i++) { + if (s[(i * 2) + 1]) { + krb5_set_error_string(context, "PAC logon name not ASCII"); + return EINVAL; + } + s[i] = s[i * 2]; + } + s[i] = '\0'; + } +#else + { + uint16_t *ucs2; + ssize_t ucs2len; + size_t u8len; + + ucs2 = malloc(sizeof(ucs2[0]) * len / 2); + if (ucs2) + abort(); + ucs2len = wind_ucs2read(s, len / 2, ucs2); + free(s); + if (len < 0) + return -1; + ret = wind_ucs2toutf8(ucs2, ucs2len, NULL, &u8len); + if (ret < 0) + abort(); + s = malloc(u8len + 1); + if (s == NULL) + abort(); + wind_ucs2toutf8(ucs2, ucs2len, s, &u8len); + free(ucs2); + } +#endif + ret = krb5_parse_name_flags(context, s, KRB5_PRINCIPAL_PARSE_NO_REALM, &p2); + free(s); + if (ret) + return ret; + + if (krb5_principal_compare_any_realm(context, principal, p2) != TRUE) { + krb5_set_error_string(context, "PAC logon name mismatch"); + ret = EINVAL; + } + krb5_free_principal(context, p2); + return ret; +out: + return ret; +} + +/* + * + */ + +static krb5_error_code +build_logon_name(krb5_context context, + time_t authtime, + krb5_const_principal principal, + krb5_data *logon) +{ + krb5_error_code ret; + krb5_storage *sp; + uint64_t t; + char *s, *s2; + size_t i, len; + + t = unix2nttime(authtime); + + krb5_data_zero(logon); + + sp = krb5_storage_emem(); + if (sp == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE); + + CHECK(ret, krb5_store_uint32(sp, t & 0xffffffff), out); + CHECK(ret, krb5_store_uint32(sp, t >> 32), out); + + ret = krb5_unparse_name_flags(context, principal, + KRB5_PRINCIPAL_UNPARSE_NO_REALM, &s); + if (ret) + goto out; + + len = strlen(s); + + CHECK(ret, krb5_store_uint16(sp, len * 2), out); + +#if 1 /* cheat for now */ + s2 = malloc(len * 2); + if (s2 == NULL) { + ret = ENOMEM; + free(s); + goto out; + } + for (i = 0; i < len; i++) { + s2[i * 2] = s[i]; + s2[i * 2 + 1] = 0; + } + free(s); +#else + /* write libwind code here */ +#endif + + ret = krb5_storage_write(sp, s2, len * 2); + free(s2); + if (ret != len * 2) { + ret = ENOMEM; + goto out; + } + ret = krb5_storage_to_data(sp, logon); + if (ret) + goto out; + krb5_storage_free(sp); + + return 0; +out: + krb5_storage_free(sp); + return ret; +} + + +/* + * + */ + +krb5_error_code +krb5_pac_verify(krb5_context context, + const krb5_pac pac, + time_t authtime, + krb5_const_principal principal, + const krb5_keyblock *server, + const krb5_keyblock *privsvr) +{ + krb5_error_code ret; + + if (pac->server_checksum == NULL) { + krb5_set_error_string(context, "PAC missing server checksum"); + return EINVAL; + } + if (pac->privsvr_checksum == NULL) { + krb5_set_error_string(context, "PAC missing kdc checksum"); + return EINVAL; + } + if (pac->logon_name == NULL) { + krb5_set_error_string(context, "PAC missing logon name"); + return EINVAL; + } + + ret = verify_logonname(context, + pac->logon_name, + &pac->data, + authtime, + principal); + if (ret) + return ret; + + /* + * in the service case, clean out data option of the privsvr and + * server checksum before checking the checksum. + */ + { + krb5_data *copy; + + ret = krb5_copy_data(context, &pac->data, ©); + if (ret) + return ret; + + if (pac->server_checksum->buffersize < 4) + return EINVAL; + if (pac->privsvr_checksum->buffersize < 4) + return EINVAL; + + memset((char *)copy->data + pac->server_checksum->offset_lo + 4, + 0, + pac->server_checksum->buffersize - 4); + + memset((char *)copy->data + pac->privsvr_checksum->offset_lo + 4, + 0, + pac->privsvr_checksum->buffersize - 4); + + ret = verify_checksum(context, + pac->server_checksum, + &pac->data, + copy->data, + copy->length, + server); + krb5_free_data(context, copy); + if (ret) + return ret; + } + if (privsvr) { + ret = verify_checksum(context, + pac->privsvr_checksum, + &pac->data, + (char *)pac->data.data + + pac->server_checksum->offset_lo + 4, + pac->server_checksum->buffersize - 4, + privsvr); + if (ret) + return ret; + } + + return 0; +} + +/* + * + */ + +static krb5_error_code +fill_zeros(krb5_context context, krb5_storage *sp, size_t len) +{ + ssize_t sret; + size_t l; + + while (len) { + l = len; + if (l > sizeof(zeros)) + l = sizeof(zeros); + sret = krb5_storage_write(sp, zeros, l); + if (sret <= 0) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + len -= sret; + } + return 0; +} + +static krb5_error_code +pac_checksum(krb5_context context, + const krb5_keyblock *key, + uint32_t *cksumtype, + size_t *cksumsize) +{ + krb5_cksumtype cktype; + krb5_error_code ret; + krb5_crypto crypto = NULL; + + ret = krb5_crypto_init(context, key, 0, &crypto); + if (ret) + return ret; + + ret = krb5_crypto_get_checksum_type(context, crypto, &cktype); + ret = krb5_crypto_destroy(context, crypto); + if (ret) + return ret; + + if (krb5_checksum_is_keyed(context, cktype) == FALSE) { + krb5_set_error_string(context, "PAC checksum type is not keyed"); + return EINVAL; + } + + ret = krb5_checksumsize(context, cktype, cksumsize); + if (ret) + return ret; + + *cksumtype = (uint32_t)cktype; + + return 0; +} + +krb5_error_code +_krb5_pac_sign(krb5_context context, + krb5_pac p, + time_t authtime, + krb5_principal principal, + const krb5_keyblock *server_key, + const krb5_keyblock *priv_key, + krb5_data *data) +{ + krb5_error_code ret; + krb5_storage *sp = NULL, *spdata = NULL; + uint32_t end; + size_t server_size, priv_size; + uint32_t server_offset = 0, priv_offset = 0; + uint32_t server_cksumtype = 0, priv_cksumtype = 0; + int i, num = 0; + krb5_data logon, d; + + krb5_data_zero(&logon); + + if (p->logon_name == NULL) + num++; + if (p->server_checksum == NULL) + num++; + if (p->privsvr_checksum == NULL) + num++; + + if (num) { + void *ptr; + + ptr = realloc(p->pac, sizeof(*p->pac) + (sizeof(p->pac->buffers[0]) * (p->pac->numbuffers + num - 1))); + if (ptr == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + p->pac = ptr; + + if (p->logon_name == NULL) { + p->logon_name = &p->pac->buffers[p->pac->numbuffers++]; + memset(p->logon_name, 0, sizeof(*p->logon_name)); + p->logon_name->type = PAC_LOGON_NAME; + } + if (p->server_checksum == NULL) { + p->server_checksum = &p->pac->buffers[p->pac->numbuffers++]; + memset(p->server_checksum, 0, sizeof(*p->server_checksum)); + p->server_checksum->type = PAC_SERVER_CHECKSUM; + } + if (p->privsvr_checksum == NULL) { + p->privsvr_checksum = &p->pac->buffers[p->pac->numbuffers++]; + memset(p->privsvr_checksum, 0, sizeof(*p->privsvr_checksum)); + p->privsvr_checksum->type = PAC_PRIVSVR_CHECKSUM; + } + } + + /* Calculate LOGON NAME */ + ret = build_logon_name(context, authtime, principal, &logon); + if (ret) + goto out; + + /* Set lengths for checksum */ + ret = pac_checksum(context, server_key, &server_cksumtype, &server_size); + if (ret) + goto out; + ret = pac_checksum(context, priv_key, &priv_cksumtype, &priv_size); + if (ret) + goto out; + + /* Encode PAC */ + sp = krb5_storage_emem(); + if (sp == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE); + + spdata = krb5_storage_emem(); + if (spdata == NULL) { + krb5_storage_free(sp); + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + krb5_storage_set_flags(spdata, KRB5_STORAGE_BYTEORDER_LE); + + CHECK(ret, krb5_store_uint32(sp, p->pac->numbuffers), out); + CHECK(ret, krb5_store_uint32(sp, p->pac->version), out); + + end = PACTYPE_SIZE + (PAC_INFO_BUFFER_SIZE * p->pac->numbuffers); + + for (i = 0; i < p->pac->numbuffers; i++) { + uint32_t len; + size_t sret; + void *ptr = NULL; + + /* store data */ + + if (p->pac->buffers[i].type == PAC_SERVER_CHECKSUM) { + len = server_size + 4; + server_offset = end + 4; + CHECK(ret, krb5_store_uint32(spdata, server_cksumtype), out); + CHECK(ret, fill_zeros(context, spdata, server_size), out); + } else if (p->pac->buffers[i].type == PAC_PRIVSVR_CHECKSUM) { + len = priv_size + 4; + priv_offset = end + 4; + CHECK(ret, krb5_store_uint32(spdata, priv_cksumtype), out); + CHECK(ret, fill_zeros(context, spdata, priv_size), out); + } else if (p->pac->buffers[i].type == PAC_LOGON_NAME) { + len = krb5_storage_write(spdata, logon.data, logon.length); + if (logon.length != len) { + ret = EINVAL; + goto out; + } + } else { + len = p->pac->buffers[i].buffersize; + ptr = (char *)p->data.data + p->pac->buffers[i].offset_lo; + + sret = krb5_storage_write(spdata, ptr, len); + if (sret != len) { + krb5_set_error_string(context, "out of memory"); + ret = ENOMEM; + goto out; + } + /* XXX if not aligned, fill_zeros */ + } + + /* write header */ + CHECK(ret, krb5_store_uint32(sp, p->pac->buffers[i].type), out); + CHECK(ret, krb5_store_uint32(sp, len), out); + CHECK(ret, krb5_store_uint32(sp, end), out); + CHECK(ret, krb5_store_uint32(sp, 0), out); + + /* advance data endpointer and align */ + { + int32_t e; + + end += len; + e = ((end + PAC_ALIGNMENT - 1) / PAC_ALIGNMENT) * PAC_ALIGNMENT; + if (end != e) { + CHECK(ret, fill_zeros(context, spdata, e - end), out); + } + end = e; + } + + } + + /* assert (server_offset != 0 && priv_offset != 0); */ + + /* export PAC */ + ret = krb5_storage_to_data(spdata, &d); + if (ret) { + krb5_set_error_string(context, "out of memory"); + goto out; + } + ret = krb5_storage_write(sp, d.data, d.length); + if (ret != d.length) { + krb5_data_free(&d); + krb5_set_error_string(context, "out of memory"); + ret = ENOMEM; + goto out; + } + krb5_data_free(&d); + + ret = krb5_storage_to_data(sp, &d); + if (ret) { + krb5_set_error_string(context, "out of memory"); + goto out; + } + + /* sign */ + + ret = create_checksum(context, server_key, + d.data, d.length, + (char *)d.data + server_offset, server_size); + if (ret) { + krb5_data_free(&d); + goto out; + } + + ret = create_checksum(context, priv_key, + (char *)d.data + server_offset, server_size, + (char *)d.data + priv_offset, priv_size); + if (ret) { + krb5_data_free(&d); + goto out; + } + + /* done */ + *data = d; + + krb5_data_free(&logon); + krb5_storage_free(sp); + krb5_storage_free(spdata); + + return 0; +out: + krb5_data_free(&logon); + if (sp) + krb5_storage_free(sp); + if (spdata) + krb5_storage_free(spdata); + return ret; +} diff --git a/crypto/heimdal/lib/krb5/padata.c b/crypto/heimdal/lib/krb5/padata.c index bcf795255a34..b2b70f52e786 100644 --- a/crypto/heimdal/lib/krb5/padata.c +++ b/crypto/heimdal/lib/krb5/padata.c @@ -33,13 +33,34 @@ #include "krb5_locl.h" -RCSID("$Id: padata.c,v 1.2 1999/12/02 17:05:11 joda Exp $"); +RCSID("$Id: padata.c 15469 2005-06-17 04:28:35Z lha $"); PA_DATA * -krb5_find_padata(PA_DATA *val, unsigned len, int type, int *index) +krb5_find_padata(PA_DATA *val, unsigned len, int type, int *idx) { - for(; *index < len; (*index)++) - if(val[*index].padata_type == type) - return val + *index; + for(; *idx < len; (*idx)++) + if(val[*idx].padata_type == type) + return val + *idx; return NULL; } + +int KRB5_LIB_FUNCTION +krb5_padata_add(krb5_context context, METHOD_DATA *md, + int type, void *buf, size_t len) +{ + PA_DATA *pa; + + pa = realloc (md->val, (md->len + 1) * sizeof(*md->val)); + if (pa == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + md->val = pa; + + pa[md->len].padata_type = type; + pa[md->len].padata_value.length = len; + pa[md->len].padata_value.data = buf; + md->len++; + + return 0; +} diff --git a/crypto/heimdal/lib/krb5/parse-name-test.c b/crypto/heimdal/lib/krb5/parse-name-test.c index 29bd6bb760ac..7e6070538904 100644 --- a/crypto/heimdal/lib/krb5/parse-name-test.c +++ b/crypto/heimdal/lib/krb5/parse-name-test.c @@ -31,8 +31,9 @@ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "krb5_locl.h" +#include <err.h> -RCSID("$Id: parse-name-test.c,v 1.3.4.1 2004/03/22 19:27:36 joda Exp $"); +RCSID("$Id: parse-name-test.c 16342 2005-12-02 14:14:43Z lha $"); enum { MAX_COMPONENTS = 3 }; @@ -62,7 +63,7 @@ static struct testcase { {"a/b/c", "a/b/c@", "", 3, {"a", "b", "c"}, FALSE}, {NULL, NULL, "", 0, { NULL }, FALSE}}; -int +int KRB5_LIB_FUNCTION main(int argc, char **argv) { struct testcase *t; @@ -188,5 +189,6 @@ main(int argc, char **argv) } krb5_free_principal (context, princ); } + krb5_free_context(context); return val; } diff --git a/crypto/heimdal/lib/krb5/pkinit.c b/crypto/heimdal/lib/krb5/pkinit.c new file mode 100644 index 000000000000..a0b6a4e07938 --- /dev/null +++ b/crypto/heimdal/lib/krb5/pkinit.c @@ -0,0 +1,2070 @@ +/* + * Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5_locl.h" + +RCSID("$Id: pkinit.c 22433 2008-01-13 14:11:46Z lha $"); + +struct krb5_dh_moduli { + char *name; + unsigned long bits; + heim_integer p; + heim_integer g; + heim_integer q; +}; + +#ifdef PKINIT + +#include <heim_asn1.h> +#include <rfc2459_asn1.h> +#include <cms_asn1.h> +#include <pkcs8_asn1.h> +#include <pkcs9_asn1.h> +#include <pkcs12_asn1.h> +#include <pkinit_asn1.h> +#include <asn1_err.h> + +#include <der.h> + +#include <hx509.h> + +enum { + COMPAT_WIN2K = 1, + COMPAT_IETF = 2 +}; + +struct krb5_pk_identity { + hx509_context hx509ctx; + hx509_verify_ctx verify_ctx; + hx509_certs certs; + hx509_certs anchors; + hx509_certs certpool; + hx509_revoke_ctx revokectx; +}; + +struct krb5_pk_cert { + hx509_cert cert; +}; + +struct krb5_pk_init_ctx_data { + struct krb5_pk_identity *id; + DH *dh; + krb5_data *clientDHNonce; + struct krb5_dh_moduli **m; + hx509_peer_info peer; + int type; + unsigned int require_binding:1; + unsigned int require_eku:1; + unsigned int require_krbtgt_otherName:1; + unsigned int require_hostname_match:1; + unsigned int trustedCertifiers:1; +}; + +static void +_krb5_pk_copy_error(krb5_context context, + hx509_context hx509ctx, + int hxret, + const char *fmt, + ...) + __attribute__ ((format (printf, 4, 5))); + +/* + * + */ + +void KRB5_LIB_FUNCTION +_krb5_pk_cert_free(struct krb5_pk_cert *cert) +{ + if (cert->cert) { + hx509_cert_free(cert->cert); + } + free(cert); +} + +static krb5_error_code +BN_to_integer(krb5_context context, BIGNUM *bn, heim_integer *integer) +{ + integer->length = BN_num_bytes(bn); + integer->data = malloc(integer->length); + if (integer->data == NULL) { + krb5_clear_error_string(context); + return ENOMEM; + } + BN_bn2bin(bn, integer->data); + integer->negative = BN_is_negative(bn); + return 0; +} + +static BIGNUM * +integer_to_BN(krb5_context context, const char *field, const heim_integer *f) +{ + BIGNUM *bn; + + bn = BN_bin2bn((const unsigned char *)f->data, f->length, NULL); + if (bn == NULL) { + krb5_set_error_string(context, "PKINIT: parsing BN failed %s", field); + return NULL; + } + BN_set_negative(bn, f->negative); + return bn; +} + + +static krb5_error_code +_krb5_pk_create_sign(krb5_context context, + const heim_oid *eContentType, + krb5_data *eContent, + struct krb5_pk_identity *id, + hx509_peer_info peer, + krb5_data *sd_data) +{ + hx509_cert cert; + hx509_query *q; + int ret; + + ret = hx509_query_alloc(id->hx509ctx, &q); + if (ret) { + _krb5_pk_copy_error(context, id->hx509ctx, ret, + "Allocate query to find signing certificate"); + return ret; + } + + hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); + hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE); + + ret = hx509_certs_find(id->hx509ctx, id->certs, q, &cert); + hx509_query_free(id->hx509ctx, q); + if (ret) { + _krb5_pk_copy_error(context, id->hx509ctx, ret, + "Find certificate to signed CMS data"); + return ret; + } + + ret = hx509_cms_create_signed_1(id->hx509ctx, + 0, + eContentType, + eContent->data, + eContent->length, + NULL, + cert, + peer, + NULL, + id->certs, + sd_data); + if (ret) + _krb5_pk_copy_error(context, id->hx509ctx, ret, "create CMS signedData"); + hx509_cert_free(cert); + + return ret; +} + +static int +cert2epi(hx509_context context, void *ctx, hx509_cert c) +{ + ExternalPrincipalIdentifiers *ids = ctx; + ExternalPrincipalIdentifier id; + hx509_name subject = NULL; + void *p; + int ret; + + memset(&id, 0, sizeof(id)); + + ret = hx509_cert_get_subject(c, &subject); + if (ret) + return ret; + + if (hx509_name_is_null_p(subject) != 0) { + + id.subjectName = calloc(1, sizeof(*id.subjectName)); + if (id.subjectName == NULL) { + hx509_name_free(&subject); + free_ExternalPrincipalIdentifier(&id); + return ENOMEM; + } + + ret = hx509_name_binary(subject, id.subjectName); + if (ret) { + hx509_name_free(&subject); + free_ExternalPrincipalIdentifier(&id); + return ret; + } + } + hx509_name_free(&subject); + + + id.issuerAndSerialNumber = calloc(1, sizeof(*id.issuerAndSerialNumber)); + if (id.issuerAndSerialNumber == NULL) { + free_ExternalPrincipalIdentifier(&id); + return ENOMEM; + } + + { + IssuerAndSerialNumber iasn; + hx509_name issuer; + size_t size; + + memset(&iasn, 0, sizeof(iasn)); + + ret = hx509_cert_get_issuer(c, &issuer); + if (ret) { + free_ExternalPrincipalIdentifier(&id); + return ret; + } + + ret = hx509_name_to_Name(issuer, &iasn.issuer); + hx509_name_free(&issuer); + if (ret) { + free_ExternalPrincipalIdentifier(&id); + return ret; + } + + ret = hx509_cert_get_serialnumber(c, &iasn.serialNumber); + if (ret) { + free_IssuerAndSerialNumber(&iasn); + free_ExternalPrincipalIdentifier(&id); + return ret; + } + + ASN1_MALLOC_ENCODE(IssuerAndSerialNumber, + id.issuerAndSerialNumber->data, + id.issuerAndSerialNumber->length, + &iasn, &size, ret); + free_IssuerAndSerialNumber(&iasn); + if (ret) + return ret; + if (id.issuerAndSerialNumber->length != size) + abort(); + } + + id.subjectKeyIdentifier = NULL; + + p = realloc(ids->val, sizeof(ids->val[0]) * (ids->len + 1)); + if (p == NULL) { + free_ExternalPrincipalIdentifier(&id); + return ENOMEM; + } + + ids->val = p; + ids->val[ids->len] = id; + ids->len++; + + return 0; +} + +static krb5_error_code +build_edi(krb5_context context, + hx509_context hx509ctx, + hx509_certs certs, + ExternalPrincipalIdentifiers *ids) +{ + return hx509_certs_iter(hx509ctx, certs, cert2epi, ids); +} + +static krb5_error_code +build_auth_pack(krb5_context context, + unsigned nonce, + krb5_pk_init_ctx ctx, + DH *dh, + const KDC_REQ_BODY *body, + AuthPack *a) +{ + size_t buf_size, len; + krb5_error_code ret; + void *buf; + krb5_timestamp sec; + int32_t usec; + Checksum checksum; + + krb5_clear_error_string(context); + + memset(&checksum, 0, sizeof(checksum)); + + krb5_us_timeofday(context, &sec, &usec); + a->pkAuthenticator.ctime = sec; + a->pkAuthenticator.nonce = nonce; + + ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, body, &len, ret); + if (ret) + return ret; + if (buf_size != len) + krb5_abortx(context, "internal error in ASN.1 encoder"); + + ret = krb5_create_checksum(context, + NULL, + 0, + CKSUMTYPE_SHA1, + buf, + len, + &checksum); + free(buf); + if (ret) + return ret; + + ALLOC(a->pkAuthenticator.paChecksum, 1); + if (a->pkAuthenticator.paChecksum == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + + ret = krb5_data_copy(a->pkAuthenticator.paChecksum, + checksum.checksum.data, checksum.checksum.length); + free_Checksum(&checksum); + if (ret) + return ret; + + if (dh) { + DomainParameters dp; + heim_integer dh_pub_key; + krb5_data dhbuf; + size_t size; + + if (1 /* support_cached_dh */) { + ALLOC(a->clientDHNonce, 1); + if (a->clientDHNonce == NULL) { + krb5_clear_error_string(context); + return ENOMEM; + } + ret = krb5_data_alloc(a->clientDHNonce, 40); + if (a->clientDHNonce == NULL) { + krb5_clear_error_string(context); + return ENOMEM; + } + memset(a->clientDHNonce->data, 0, a->clientDHNonce->length); + ret = krb5_copy_data(context, a->clientDHNonce, + &ctx->clientDHNonce); + if (ret) + return ret; + } + + ALLOC(a->clientPublicValue, 1); + if (a->clientPublicValue == NULL) + return ENOMEM; + ret = der_copy_oid(oid_id_dhpublicnumber(), + &a->clientPublicValue->algorithm.algorithm); + if (ret) + return ret; + + memset(&dp, 0, sizeof(dp)); + + ret = BN_to_integer(context, dh->p, &dp.p); + if (ret) { + free_DomainParameters(&dp); + return ret; + } + ret = BN_to_integer(context, dh->g, &dp.g); + if (ret) { + free_DomainParameters(&dp); + return ret; + } + ret = BN_to_integer(context, dh->q, &dp.q); + if (ret) { + free_DomainParameters(&dp); + return ret; + } + dp.j = NULL; + dp.validationParms = NULL; + + a->clientPublicValue->algorithm.parameters = + malloc(sizeof(*a->clientPublicValue->algorithm.parameters)); + if (a->clientPublicValue->algorithm.parameters == NULL) { + free_DomainParameters(&dp); + return ret; + } + + ASN1_MALLOC_ENCODE(DomainParameters, + a->clientPublicValue->algorithm.parameters->data, + a->clientPublicValue->algorithm.parameters->length, + &dp, &size, ret); + free_DomainParameters(&dp); + if (ret) + return ret; + if (size != a->clientPublicValue->algorithm.parameters->length) + krb5_abortx(context, "Internal ASN1 encoder error"); + + ret = BN_to_integer(context, dh->pub_key, &dh_pub_key); + if (ret) + return ret; + + ASN1_MALLOC_ENCODE(DHPublicKey, dhbuf.data, dhbuf.length, + &dh_pub_key, &size, ret); + der_free_heim_integer(&dh_pub_key); + if (ret) + return ret; + if (size != dhbuf.length) + krb5_abortx(context, "asn1 internal error"); + + a->clientPublicValue->subjectPublicKey.length = dhbuf.length * 8; + a->clientPublicValue->subjectPublicKey.data = dhbuf.data; + } + + { + a->supportedCMSTypes = calloc(1, sizeof(*a->supportedCMSTypes)); + if (a->supportedCMSTypes == NULL) + return ENOMEM; + + ret = hx509_crypto_available(ctx->id->hx509ctx, HX509_SELECT_ALL, NULL, + &a->supportedCMSTypes->val, + &a->supportedCMSTypes->len); + if (ret) + return ret; + } + + return ret; +} + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_pk_mk_ContentInfo(krb5_context context, + const krb5_data *buf, + const heim_oid *oid, + struct ContentInfo *content_info) +{ + krb5_error_code ret; + + ret = der_copy_oid(oid, &content_info->contentType); + if (ret) + return ret; + ALLOC(content_info->content, 1); + if (content_info->content == NULL) + return ENOMEM; + content_info->content->data = malloc(buf->length); + if (content_info->content->data == NULL) + return ENOMEM; + memcpy(content_info->content->data, buf->data, buf->length); + content_info->content->length = buf->length; + return 0; +} + +static krb5_error_code +pk_mk_padata(krb5_context context, + krb5_pk_init_ctx ctx, + const KDC_REQ_BODY *req_body, + unsigned nonce, + METHOD_DATA *md) +{ + struct ContentInfo content_info; + krb5_error_code ret; + const heim_oid *oid; + size_t size; + krb5_data buf, sd_buf; + int pa_type; + + krb5_data_zero(&buf); + krb5_data_zero(&sd_buf); + memset(&content_info, 0, sizeof(content_info)); + + if (ctx->type == COMPAT_WIN2K) { + AuthPack_Win2k ap; + krb5_timestamp sec; + int32_t usec; + + memset(&ap, 0, sizeof(ap)); + + /* fill in PKAuthenticator */ + ret = copy_PrincipalName(req_body->sname, &ap.pkAuthenticator.kdcName); + if (ret) { + free_AuthPack_Win2k(&ap); + krb5_clear_error_string(context); + goto out; + } + ret = copy_Realm(&req_body->realm, &ap.pkAuthenticator.kdcRealm); + if (ret) { + free_AuthPack_Win2k(&ap); + krb5_clear_error_string(context); + goto out; + } + + krb5_us_timeofday(context, &sec, &usec); + ap.pkAuthenticator.ctime = sec; + ap.pkAuthenticator.cusec = usec; + ap.pkAuthenticator.nonce = nonce; + + ASN1_MALLOC_ENCODE(AuthPack_Win2k, buf.data, buf.length, + &ap, &size, ret); + free_AuthPack_Win2k(&ap); + if (ret) { + krb5_set_error_string(context, "AuthPack_Win2k: %d", ret); + goto out; + } + if (buf.length != size) + krb5_abortx(context, "internal ASN1 encoder error"); + + oid = oid_id_pkcs7_data(); + } else if (ctx->type == COMPAT_IETF) { + AuthPack ap; + + memset(&ap, 0, sizeof(ap)); + + ret = build_auth_pack(context, nonce, ctx, ctx->dh, req_body, &ap); + if (ret) { + free_AuthPack(&ap); + goto out; + } + + ASN1_MALLOC_ENCODE(AuthPack, buf.data, buf.length, &ap, &size, ret); + free_AuthPack(&ap); + if (ret) { + krb5_set_error_string(context, "AuthPack: %d", ret); + goto out; + } + if (buf.length != size) + krb5_abortx(context, "internal ASN1 encoder error"); + + oid = oid_id_pkauthdata(); + } else + krb5_abortx(context, "internal pkinit error"); + + ret = _krb5_pk_create_sign(context, + oid, + &buf, + ctx->id, + ctx->peer, + &sd_buf); + krb5_data_free(&buf); + if (ret) + goto out; + + ret = hx509_cms_wrap_ContentInfo(oid_id_pkcs7_signedData(), &sd_buf, &buf); + krb5_data_free(&sd_buf); + if (ret) { + krb5_set_error_string(context, + "ContentInfo wrapping of signedData failed"); + goto out; + } + + if (ctx->type == COMPAT_WIN2K) { + PA_PK_AS_REQ_Win2k winreq; + + pa_type = KRB5_PADATA_PK_AS_REQ_WIN; + + memset(&winreq, 0, sizeof(winreq)); + + winreq.signed_auth_pack = buf; + + ASN1_MALLOC_ENCODE(PA_PK_AS_REQ_Win2k, buf.data, buf.length, + &winreq, &size, ret); + free_PA_PK_AS_REQ_Win2k(&winreq); + + } else if (ctx->type == COMPAT_IETF) { + PA_PK_AS_REQ req; + + pa_type = KRB5_PADATA_PK_AS_REQ; + + memset(&req, 0, sizeof(req)); + req.signedAuthPack = buf; + + if (ctx->trustedCertifiers) { + + req.trustedCertifiers = calloc(1, sizeof(*req.trustedCertifiers)); + if (req.trustedCertifiers == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + free_PA_PK_AS_REQ(&req); + goto out; + } + ret = build_edi(context, ctx->id->hx509ctx, + ctx->id->anchors, req.trustedCertifiers); + if (ret) { + krb5_set_error_string(context, "pk-init: failed to build trustedCertifiers"); + free_PA_PK_AS_REQ(&req); + goto out; + } + } + req.kdcPkId = NULL; + + ASN1_MALLOC_ENCODE(PA_PK_AS_REQ, buf.data, buf.length, + &req, &size, ret); + + free_PA_PK_AS_REQ(&req); + + } else + krb5_abortx(context, "internal pkinit error"); + if (ret) { + krb5_set_error_string(context, "PA-PK-AS-REQ %d", ret); + goto out; + } + if (buf.length != size) + krb5_abortx(context, "Internal ASN1 encoder error"); + + ret = krb5_padata_add(context, md, pa_type, buf.data, buf.length); + if (ret) + free(buf.data); + + if (ret == 0 && ctx->type == COMPAT_WIN2K) + krb5_padata_add(context, md, KRB5_PADATA_PK_AS_09_BINDING, NULL, 0); + +out: + free_ContentInfo(&content_info); + + return ret; +} + + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_pk_mk_padata(krb5_context context, + void *c, + const KDC_REQ_BODY *req_body, + unsigned nonce, + METHOD_DATA *md) +{ + krb5_pk_init_ctx ctx = c; + int win2k_compat; + + win2k_compat = krb5_config_get_bool_default(context, NULL, + FALSE, + "realms", + req_body->realm, + "pkinit_win2k", + NULL); + + if (win2k_compat) { + ctx->require_binding = + krb5_config_get_bool_default(context, NULL, + FALSE, + "realms", + req_body->realm, + "pkinit_win2k_require_binding", + NULL); + ctx->type = COMPAT_WIN2K; + } else + ctx->type = COMPAT_IETF; + + ctx->require_eku = + krb5_config_get_bool_default(context, NULL, + TRUE, + "realms", + req_body->realm, + "pkinit_require_eku", + NULL); + ctx->require_krbtgt_otherName = + krb5_config_get_bool_default(context, NULL, + TRUE, + "realms", + req_body->realm, + "pkinit_require_krbtgt_otherName", + NULL); + + ctx->require_hostname_match = + krb5_config_get_bool_default(context, NULL, + FALSE, + "realms", + req_body->realm, + "pkinit_require_hostname_match", + NULL); + + ctx->trustedCertifiers = + krb5_config_get_bool_default(context, NULL, + TRUE, + "realms", + req_body->realm, + "pkinit_trustedCertifiers", + NULL); + + return pk_mk_padata(context, ctx, req_body, nonce, md); +} + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_pk_verify_sign(krb5_context context, + const void *data, + size_t length, + struct krb5_pk_identity *id, + heim_oid *contentType, + krb5_data *content, + struct krb5_pk_cert **signer) +{ + hx509_certs signer_certs; + int ret; + + *signer = NULL; + + ret = hx509_cms_verify_signed(id->hx509ctx, + id->verify_ctx, + data, + length, + NULL, + id->certpool, + contentType, + content, + &signer_certs); + if (ret) { + _krb5_pk_copy_error(context, id->hx509ctx, ret, + "CMS verify signed failed"); + return ret; + } + + *signer = calloc(1, sizeof(**signer)); + if (*signer == NULL) { + krb5_clear_error_string(context); + ret = ENOMEM; + goto out; + } + + ret = hx509_get_one_cert(id->hx509ctx, signer_certs, &(*signer)->cert); + if (ret) { + _krb5_pk_copy_error(context, id->hx509ctx, ret, + "Failed to get on of the signer certs"); + goto out; + } + +out: + hx509_certs_free(&signer_certs); + if (ret) { + if (*signer) { + hx509_cert_free((*signer)->cert); + free(*signer); + *signer = NULL; + } + } + + return ret; +} + +static krb5_error_code +get_reply_key_win(krb5_context context, + const krb5_data *content, + unsigned nonce, + krb5_keyblock **key) +{ + ReplyKeyPack_Win2k key_pack; + krb5_error_code ret; + size_t size; + + ret = decode_ReplyKeyPack_Win2k(content->data, + content->length, + &key_pack, + &size); + if (ret) { + krb5_set_error_string(context, "PKINIT decoding reply key failed"); + free_ReplyKeyPack_Win2k(&key_pack); + return ret; + } + + if (key_pack.nonce != nonce) { + krb5_set_error_string(context, "PKINIT enckey nonce is wrong"); + free_ReplyKeyPack_Win2k(&key_pack); + return KRB5KRB_AP_ERR_MODIFIED; + } + + *key = malloc (sizeof (**key)); + if (*key == NULL) { + krb5_set_error_string(context, "PKINIT failed allocating reply key"); + free_ReplyKeyPack_Win2k(&key_pack); + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + + ret = copy_EncryptionKey(&key_pack.replyKey, *key); + free_ReplyKeyPack_Win2k(&key_pack); + if (ret) { + krb5_set_error_string(context, "PKINIT failed copying reply key"); + free(*key); + *key = NULL; + } + + return ret; +} + +static krb5_error_code +get_reply_key(krb5_context context, + const krb5_data *content, + const krb5_data *req_buffer, + krb5_keyblock **key) +{ + ReplyKeyPack key_pack; + krb5_error_code ret; + size_t size; + + ret = decode_ReplyKeyPack(content->data, + content->length, + &key_pack, + &size); + if (ret) { + krb5_set_error_string(context, "PKINIT decoding reply key failed"); + free_ReplyKeyPack(&key_pack); + return ret; + } + + { + krb5_crypto crypto; + + /* + * XXX Verify kp.replyKey is a allowed enctype in the + * configuration file + */ + + ret = krb5_crypto_init(context, &key_pack.replyKey, 0, &crypto); + if (ret) { + free_ReplyKeyPack(&key_pack); + return ret; + } + + ret = krb5_verify_checksum(context, crypto, 6, + req_buffer->data, req_buffer->length, + &key_pack.asChecksum); + krb5_crypto_destroy(context, crypto); + if (ret) { + free_ReplyKeyPack(&key_pack); + return ret; + } + } + + *key = malloc (sizeof (**key)); + if (*key == NULL) { + krb5_set_error_string(context, "PKINIT failed allocating reply key"); + free_ReplyKeyPack(&key_pack); + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + + ret = copy_EncryptionKey(&key_pack.replyKey, *key); + free_ReplyKeyPack(&key_pack); + if (ret) { + krb5_set_error_string(context, "PKINIT failed copying reply key"); + free(*key); + *key = NULL; + } + + return ret; +} + + +static krb5_error_code +pk_verify_host(krb5_context context, + const char *realm, + const krb5_krbhst_info *hi, + struct krb5_pk_init_ctx_data *ctx, + struct krb5_pk_cert *host) +{ + krb5_error_code ret = 0; + + if (ctx->require_eku) { + ret = hx509_cert_check_eku(ctx->id->hx509ctx, host->cert, + oid_id_pkkdcekuoid(), 0); + if (ret) { + krb5_set_error_string(context, "No PK-INIT KDC EKU in kdc certificate"); + return ret; + } + } + if (ctx->require_krbtgt_otherName) { + hx509_octet_string_list list; + int i; + + ret = hx509_cert_find_subjectAltName_otherName(ctx->id->hx509ctx, + host->cert, + oid_id_pkinit_san(), + &list); + if (ret) { + krb5_set_error_string(context, "Failed to find the PK-INIT " + "subjectAltName in the KDC certificate"); + + return ret; + } + + for (i = 0; i < list.len; i++) { + KRB5PrincipalName r; + + ret = decode_KRB5PrincipalName(list.val[i].data, + list.val[i].length, + &r, + NULL); + if (ret) { + krb5_set_error_string(context, "Failed to decode the PK-INIT " + "subjectAltName in the KDC certificate"); + + break; + } + + if (r.principalName.name_string.len != 2 || + strcmp(r.principalName.name_string.val[0], KRB5_TGS_NAME) != 0 || + strcmp(r.principalName.name_string.val[1], realm) != 0 || + strcmp(r.realm, realm) != 0) + { + krb5_set_error_string(context, "KDC have wrong realm name in " + "the certificate"); + ret = KRB5_KDC_ERR_INVALID_CERTIFICATE; + } + + free_KRB5PrincipalName(&r); + if (ret) + break; + } + hx509_free_octet_string_list(&list); + } + if (ret) + return ret; + + if (hi) { + ret = hx509_verify_hostname(ctx->id->hx509ctx, host->cert, + ctx->require_hostname_match, + HX509_HN_HOSTNAME, + hi->hostname, + hi->ai->ai_addr, hi->ai->ai_addrlen); + + if (ret) + krb5_set_error_string(context, "Address mismatch in " + "the KDC certificate"); + } + return ret; +} + +static krb5_error_code +pk_rd_pa_reply_enckey(krb5_context context, + int type, + const heim_octet_string *indata, + const heim_oid *dataType, + const char *realm, + krb5_pk_init_ctx ctx, + krb5_enctype etype, + const krb5_krbhst_info *hi, + unsigned nonce, + const krb5_data *req_buffer, + PA_DATA *pa, + krb5_keyblock **key) +{ + krb5_error_code ret; + struct krb5_pk_cert *host = NULL; + krb5_data content; + heim_oid contentType = { 0, NULL }; + + if (der_heim_oid_cmp(oid_id_pkcs7_envelopedData(), dataType)) { + krb5_set_error_string(context, "PKINIT: Invalid content type"); + return EINVAL; + } + + ret = hx509_cms_unenvelope(ctx->id->hx509ctx, + ctx->id->certs, + HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT, + indata->data, + indata->length, + NULL, + &contentType, + &content); + if (ret) { + _krb5_pk_copy_error(context, ctx->id->hx509ctx, ret, + "Failed to unenvelope CMS data in PK-INIT reply"); + return ret; + } + der_free_oid(&contentType); + +#if 0 /* windows LH with interesting CMS packets, leaks memory */ + { + size_t ph = 1 + der_length_len (length); + unsigned char *ptr = malloc(length + ph); + size_t l; + + memcpy(ptr + ph, p, length); + + ret = der_put_length_and_tag (ptr + ph - 1, ph, length, + ASN1_C_UNIV, CONS, UT_Sequence, &l); + if (ret) + return ret; + ptr += ph - l; + length += l; + p = ptr; + } +#endif + + /* win2k uses ContentInfo */ + if (type == COMPAT_WIN2K) { + heim_oid type; + heim_octet_string out; + + ret = hx509_cms_unwrap_ContentInfo(&content, &type, &out, NULL); + if (der_heim_oid_cmp(&type, oid_id_pkcs7_signedData())) { + ret = EINVAL; /* XXX */ + krb5_set_error_string(context, "PKINIT: Invalid content type"); + der_free_oid(&type); + der_free_octet_string(&out); + goto out; + } + der_free_oid(&type); + krb5_data_free(&content); + ret = krb5_data_copy(&content, out.data, out.length); + der_free_octet_string(&out); + if (ret) { + krb5_set_error_string(context, "PKINIT: out of memory"); + goto out; + } + } + + ret = _krb5_pk_verify_sign(context, + content.data, + content.length, + ctx->id, + &contentType, + &content, + &host); + if (ret) + goto out; + + /* make sure that it is the kdc's certificate */ + ret = pk_verify_host(context, realm, hi, ctx, host); + if (ret) { + goto out; + } + +#if 0 + if (type == COMPAT_WIN2K) { + if (der_heim_oid_cmp(&contentType, oid_id_pkcs7_data()) != 0) { + krb5_set_error_string(context, "PKINIT: reply key, wrong oid"); + ret = KRB5KRB_AP_ERR_MSG_TYPE; + goto out; + } + } else { + if (der_heim_oid_cmp(&contentType, oid_id_pkrkeydata()) != 0) { + krb5_set_error_string(context, "PKINIT: reply key, wrong oid"); + ret = KRB5KRB_AP_ERR_MSG_TYPE; + goto out; + } + } +#endif + + switch(type) { + case COMPAT_WIN2K: + ret = get_reply_key(context, &content, req_buffer, key); + if (ret != 0 && ctx->require_binding == 0) + ret = get_reply_key_win(context, &content, nonce, key); + break; + case COMPAT_IETF: + ret = get_reply_key(context, &content, req_buffer, key); + break; + } + if (ret) + goto out; + + /* XXX compare given etype with key->etype */ + + out: + if (host) + _krb5_pk_cert_free(host); + der_free_oid(&contentType); + krb5_data_free(&content); + + return ret; +} + +static krb5_error_code +pk_rd_pa_reply_dh(krb5_context context, + const heim_octet_string *indata, + const heim_oid *dataType, + const char *realm, + krb5_pk_init_ctx ctx, + krb5_enctype etype, + const krb5_krbhst_info *hi, + const DHNonce *c_n, + const DHNonce *k_n, + unsigned nonce, + PA_DATA *pa, + krb5_keyblock **key) +{ + unsigned char *p, *dh_gen_key = NULL; + struct krb5_pk_cert *host = NULL; + BIGNUM *kdc_dh_pubkey = NULL; + KDCDHKeyInfo kdc_dh_info; + heim_oid contentType = { 0, NULL }; + krb5_data content; + krb5_error_code ret; + int dh_gen_keylen; + size_t size; + + krb5_data_zero(&content); + memset(&kdc_dh_info, 0, sizeof(kdc_dh_info)); + + if (der_heim_oid_cmp(oid_id_pkcs7_signedData(), dataType)) { + krb5_set_error_string(context, "PKINIT: Invalid content type"); + return EINVAL; + } + + ret = _krb5_pk_verify_sign(context, + indata->data, + indata->length, + ctx->id, + &contentType, + &content, + &host); + if (ret) + goto out; + + /* make sure that it is the kdc's certificate */ + ret = pk_verify_host(context, realm, hi, ctx, host); + if (ret) + goto out; + + if (der_heim_oid_cmp(&contentType, oid_id_pkdhkeydata())) { + krb5_set_error_string(context, "pkinit - dh reply contains wrong oid"); + ret = KRB5KRB_AP_ERR_MSG_TYPE; + goto out; + } + + ret = decode_KDCDHKeyInfo(content.data, + content.length, + &kdc_dh_info, + &size); + + if (ret) { + krb5_set_error_string(context, "pkinit - " + "failed to decode KDC DH Key Info"); + goto out; + } + + if (kdc_dh_info.nonce != nonce) { + krb5_set_error_string(context, "PKINIT: DH nonce is wrong"); + ret = KRB5KRB_AP_ERR_MODIFIED; + goto out; + } + + if (kdc_dh_info.dhKeyExpiration) { + if (k_n == NULL) { + krb5_set_error_string(context, "pkinit; got key expiration " + "without server nonce"); + ret = KRB5KRB_ERR_GENERIC; + goto out; + } + if (c_n == NULL) { + krb5_set_error_string(context, "pkinit; got DH reuse but no " + "client nonce"); + ret = KRB5KRB_ERR_GENERIC; + goto out; + } + } else { + if (k_n) { + krb5_set_error_string(context, "pkinit: got server nonce " + "without key expiration"); + ret = KRB5KRB_ERR_GENERIC; + goto out; + } + c_n = NULL; + } + + + p = kdc_dh_info.subjectPublicKey.data; + size = (kdc_dh_info.subjectPublicKey.length + 7) / 8; + + { + DHPublicKey k; + ret = decode_DHPublicKey(p, size, &k, NULL); + if (ret) { + krb5_set_error_string(context, "pkinit: can't decode " + "without key expiration"); + goto out; + } + + kdc_dh_pubkey = integer_to_BN(context, "DHPublicKey", &k); + free_DHPublicKey(&k); + if (kdc_dh_pubkey == NULL) { + ret = KRB5KRB_ERR_GENERIC; + goto out; + } + } + + dh_gen_keylen = DH_size(ctx->dh); + size = BN_num_bytes(ctx->dh->p); + if (size < dh_gen_keylen) + size = dh_gen_keylen; + + dh_gen_key = malloc(size); + if (dh_gen_key == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + ret = ENOMEM; + goto out; + } + memset(dh_gen_key, 0, size - dh_gen_keylen); + + dh_gen_keylen = DH_compute_key(dh_gen_key + (size - dh_gen_keylen), + kdc_dh_pubkey, ctx->dh); + if (dh_gen_keylen == -1) { + krb5_set_error_string(context, + "PKINIT: Can't compute Diffie-Hellman key"); + ret = KRB5KRB_ERR_GENERIC; + goto out; + } + + *key = malloc (sizeof (**key)); + if (*key == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + ret = ENOMEM; + goto out; + } + + ret = _krb5_pk_octetstring2key(context, + etype, + dh_gen_key, dh_gen_keylen, + c_n, k_n, + *key); + if (ret) { + krb5_set_error_string(context, + "PKINIT: can't create key from DH key"); + free(*key); + *key = NULL; + goto out; + } + + out: + if (kdc_dh_pubkey) + BN_free(kdc_dh_pubkey); + if (dh_gen_key) { + memset(dh_gen_key, 0, DH_size(ctx->dh)); + free(dh_gen_key); + } + if (host) + _krb5_pk_cert_free(host); + if (content.data) + krb5_data_free(&content); + der_free_oid(&contentType); + free_KDCDHKeyInfo(&kdc_dh_info); + + return ret; +} + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_pk_rd_pa_reply(krb5_context context, + const char *realm, + void *c, + krb5_enctype etype, + const krb5_krbhst_info *hi, + unsigned nonce, + const krb5_data *req_buffer, + PA_DATA *pa, + krb5_keyblock **key) +{ + krb5_pk_init_ctx ctx = c; + krb5_error_code ret; + size_t size; + + /* Check for IETF PK-INIT first */ + if (ctx->type == COMPAT_IETF) { + PA_PK_AS_REP rep; + heim_octet_string os, data; + heim_oid oid; + + if (pa->padata_type != KRB5_PADATA_PK_AS_REP) { + krb5_set_error_string(context, "PKINIT: wrong padata recv"); + return EINVAL; + } + + ret = decode_PA_PK_AS_REP(pa->padata_value.data, + pa->padata_value.length, + &rep, + &size); + if (ret) { + krb5_set_error_string(context, "Failed to decode pkinit AS rep"); + return ret; + } + + switch (rep.element) { + case choice_PA_PK_AS_REP_dhInfo: + os = rep.u.dhInfo.dhSignedData; + break; + case choice_PA_PK_AS_REP_encKeyPack: + os = rep.u.encKeyPack; + break; + default: + free_PA_PK_AS_REP(&rep); + krb5_set_error_string(context, "PKINIT: -27 reply " + "invalid content type"); + return EINVAL; + } + + ret = hx509_cms_unwrap_ContentInfo(&os, &oid, &data, NULL); + if (ret) { + free_PA_PK_AS_REP(&rep); + krb5_set_error_string(context, "PKINIT: failed to unwrap CI"); + return ret; + } + + switch (rep.element) { + case choice_PA_PK_AS_REP_dhInfo: + ret = pk_rd_pa_reply_dh(context, &data, &oid, realm, ctx, etype, hi, + ctx->clientDHNonce, + rep.u.dhInfo.serverDHNonce, + nonce, pa, key); + break; + case choice_PA_PK_AS_REP_encKeyPack: + ret = pk_rd_pa_reply_enckey(context, COMPAT_IETF, &data, &oid, realm, + ctx, etype, hi, nonce, req_buffer, pa, key); + break; + default: + krb5_abortx(context, "pk-init as-rep case not possible to happen"); + } + der_free_octet_string(&data); + der_free_oid(&oid); + free_PA_PK_AS_REP(&rep); + + } else if (ctx->type == COMPAT_WIN2K) { + PA_PK_AS_REP_Win2k w2krep; + + /* Check for Windows encoding of the AS-REP pa data */ + +#if 0 /* should this be ? */ + if (pa->padata_type != KRB5_PADATA_PK_AS_REP) { + krb5_set_error_string(context, "PKINIT: wrong padata recv"); + return EINVAL; + } +#endif + + memset(&w2krep, 0, sizeof(w2krep)); + + ret = decode_PA_PK_AS_REP_Win2k(pa->padata_value.data, + pa->padata_value.length, + &w2krep, + &size); + if (ret) { + krb5_set_error_string(context, "PKINIT: Failed decoding windows " + "pkinit reply %d", ret); + return ret; + } + + krb5_clear_error_string(context); + + switch (w2krep.element) { + case choice_PA_PK_AS_REP_Win2k_encKeyPack: { + heim_octet_string data; + heim_oid oid; + + ret = hx509_cms_unwrap_ContentInfo(&w2krep.u.encKeyPack, + &oid, &data, NULL); + free_PA_PK_AS_REP_Win2k(&w2krep); + if (ret) { + krb5_set_error_string(context, "PKINIT: failed to unwrap CI"); + return ret; + } + + ret = pk_rd_pa_reply_enckey(context, COMPAT_WIN2K, &data, &oid, realm, + ctx, etype, hi, nonce, req_buffer, pa, key); + der_free_octet_string(&data); + der_free_oid(&oid); + + break; + } + default: + free_PA_PK_AS_REP_Win2k(&w2krep); + krb5_set_error_string(context, "PKINIT: win2k reply invalid " + "content type"); + ret = EINVAL; + break; + } + + } else { + krb5_set_error_string(context, "PKINIT: unknown reply type"); + ret = EINVAL; + } + + return ret; +} + +struct prompter { + krb5_context context; + krb5_prompter_fct prompter; + void *prompter_data; +}; + +static int +hx_pass_prompter(void *data, const hx509_prompt *prompter) +{ + krb5_error_code ret; + krb5_prompt prompt; + krb5_data password_data; + struct prompter *p = data; + + password_data.data = prompter->reply.data; + password_data.length = prompter->reply.length; + + prompt.prompt = prompter->prompt; + prompt.hidden = hx509_prompt_hidden(prompter->type); + prompt.reply = &password_data; + + switch (prompter->type) { + case HX509_PROMPT_TYPE_INFO: + prompt.type = KRB5_PROMPT_TYPE_INFO; + break; + case HX509_PROMPT_TYPE_PASSWORD: + case HX509_PROMPT_TYPE_QUESTION: + default: + prompt.type = KRB5_PROMPT_TYPE_PASSWORD; + break; + } + + ret = (*p->prompter)(p->context, p->prompter_data, NULL, NULL, 1, &prompt); + if (ret) { + memset (prompter->reply.data, 0, prompter->reply.length); + return 1; + } + return 0; +} + + +void KRB5_LIB_FUNCTION +_krb5_pk_allow_proxy_certificate(struct krb5_pk_identity *id, + int boolean) +{ + hx509_verify_set_proxy_certificate(id->verify_ctx, boolean); +} + + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_pk_load_id(krb5_context context, + struct krb5_pk_identity **ret_id, + const char *user_id, + const char *anchor_id, + char * const *chain_list, + char * const *revoke_list, + krb5_prompter_fct prompter, + void *prompter_data, + char *password) +{ + struct krb5_pk_identity *id = NULL; + hx509_lock lock = NULL; + struct prompter p; + int ret; + + *ret_id = NULL; + + if (anchor_id == NULL) { + krb5_set_error_string(context, "PKINIT: No anchor given"); + return HEIM_PKINIT_NO_VALID_CA; + } + + if (user_id == NULL) { + krb5_set_error_string(context, + "PKINIT: No user certificate given"); + return HEIM_PKINIT_NO_PRIVATE_KEY; + } + + /* load cert */ + + id = calloc(1, sizeof(*id)); + if (id == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + + ret = hx509_context_init(&id->hx509ctx); + if (ret) + goto out; + + ret = hx509_lock_init(id->hx509ctx, &lock); + if (password && password[0]) + hx509_lock_add_password(lock, password); + + if (prompter) { + p.context = context; + p.prompter = prompter; + p.prompter_data = prompter_data; + + ret = hx509_lock_set_prompter(lock, hx_pass_prompter, &p); + if (ret) + goto out; + } + + ret = hx509_certs_init(id->hx509ctx, user_id, 0, lock, &id->certs); + if (ret) { + _krb5_pk_copy_error(context, id->hx509ctx, ret, + "Failed to init cert certs"); + goto out; + } + + ret = hx509_certs_init(id->hx509ctx, anchor_id, 0, NULL, &id->anchors); + if (ret) { + _krb5_pk_copy_error(context, id->hx509ctx, ret, + "Failed to init anchors"); + goto out; + } + + ret = hx509_certs_init(id->hx509ctx, "MEMORY:pkinit-cert-chain", + 0, NULL, &id->certpool); + if (ret) { + _krb5_pk_copy_error(context, id->hx509ctx, ret, + "Failed to init chain"); + goto out; + } + + while (chain_list && *chain_list) { + ret = hx509_certs_append(id->hx509ctx, id->certpool, + NULL, *chain_list); + if (ret) { + _krb5_pk_copy_error(context, id->hx509ctx, ret, + "Failed to laod chain %s", + *chain_list); + goto out; + } + chain_list++; + } + + if (revoke_list) { + ret = hx509_revoke_init(id->hx509ctx, &id->revokectx); + if (ret) { + _krb5_pk_copy_error(context, id->hx509ctx, ret, + "Failed init revoke list"); + goto out; + } + + while (*revoke_list) { + ret = hx509_revoke_add_crl(id->hx509ctx, + id->revokectx, + *revoke_list); + if (ret) { + _krb5_pk_copy_error(context, id->hx509ctx, ret, + "Failed load revoke list"); + goto out; + } + revoke_list++; + } + } else + hx509_context_set_missing_revoke(id->hx509ctx, 1); + + ret = hx509_verify_init_ctx(id->hx509ctx, &id->verify_ctx); + if (ret) { + _krb5_pk_copy_error(context, id->hx509ctx, ret, + "Failed init verify context"); + goto out; + } + + hx509_verify_attach_anchors(id->verify_ctx, id->anchors); + hx509_verify_attach_revoke(id->verify_ctx, id->revokectx); + +out: + if (ret) { + hx509_verify_destroy_ctx(id->verify_ctx); + hx509_certs_free(&id->certs); + hx509_certs_free(&id->anchors); + hx509_certs_free(&id->certpool); + hx509_revoke_free(&id->revokectx); + hx509_context_free(&id->hx509ctx); + free(id); + } else + *ret_id = id; + + hx509_lock_free(lock); + + return ret; +} + +static krb5_error_code +select_dh_group(krb5_context context, DH *dh, unsigned long bits, + struct krb5_dh_moduli **moduli) +{ + const struct krb5_dh_moduli *m; + + if (bits == 0) { + m = moduli[1]; /* XXX */ + if (m == NULL) + m = moduli[0]; /* XXX */ + } else { + int i; + for (i = 0; moduli[i] != NULL; i++) { + if (bits < moduli[i]->bits) + break; + } + if (moduli[i] == NULL) { + krb5_set_error_string(context, + "Did not find a DH group parameter " + "matching requirement of %lu bits", + bits); + return EINVAL; + } + m = moduli[i]; + } + + dh->p = integer_to_BN(context, "p", &m->p); + if (dh->p == NULL) + return ENOMEM; + dh->g = integer_to_BN(context, "g", &m->g); + if (dh->g == NULL) + return ENOMEM; + dh->q = integer_to_BN(context, "q", &m->q); + if (dh->q == NULL) + return ENOMEM; + + return 0; +} + +#endif /* PKINIT */ + +static int +parse_integer(krb5_context context, char **p, const char *file, int lineno, + const char *name, heim_integer *integer) +{ + int ret; + char *p1; + p1 = strsep(p, " \t"); + if (p1 == NULL) { + krb5_set_error_string(context, "moduli file %s missing %s on line %d", + file, name, lineno); + return EINVAL; + } + ret = der_parse_hex_heim_integer(p1, integer); + if (ret) { + krb5_set_error_string(context, "moduli file %s failed parsing %s " + "on line %d", + file, name, lineno); + return ret; + } + + return 0; +} + +krb5_error_code +_krb5_parse_moduli_line(krb5_context context, + const char *file, + int lineno, + char *p, + struct krb5_dh_moduli **m) +{ + struct krb5_dh_moduli *m1; + char *p1; + int ret; + + *m = NULL; + + m1 = calloc(1, sizeof(*m1)); + if (m1 == NULL) { + krb5_set_error_string(context, "malloc - out of memory"); + return ENOMEM; + } + + while (isspace((unsigned char)*p)) + p++; + if (*p == '#') + return 0; + ret = EINVAL; + + p1 = strsep(&p, " \t"); + if (p1 == NULL) { + krb5_set_error_string(context, "moduli file %s missing name " + "on line %d", file, lineno); + goto out; + } + m1->name = strdup(p1); + if (p1 == NULL) { + krb5_set_error_string(context, "malloc - out of memeory"); + ret = ENOMEM; + goto out; + } + + p1 = strsep(&p, " \t"); + if (p1 == NULL) { + krb5_set_error_string(context, "moduli file %s missing bits on line %d", + file, lineno); + goto out; + } + + m1->bits = atoi(p1); + if (m1->bits == 0) { + krb5_set_error_string(context, "moduli file %s have un-parsable " + "bits on line %d", file, lineno); + goto out; + } + + ret = parse_integer(context, &p, file, lineno, "p", &m1->p); + if (ret) + goto out; + ret = parse_integer(context, &p, file, lineno, "g", &m1->g); + if (ret) + goto out; + ret = parse_integer(context, &p, file, lineno, "q", &m1->q); + if (ret) + goto out; + + *m = m1; + + return 0; +out: + free(m1->name); + der_free_heim_integer(&m1->p); + der_free_heim_integer(&m1->g); + der_free_heim_integer(&m1->q); + free(m1); + return ret; +} + +void +_krb5_free_moduli(struct krb5_dh_moduli **moduli) +{ + int i; + for (i = 0; moduli[i] != NULL; i++) { + free(moduli[i]->name); + der_free_heim_integer(&moduli[i]->p); + der_free_heim_integer(&moduli[i]->g); + der_free_heim_integer(&moduli[i]->q); + free(moduli[i]); + } + free(moduli); +} + +static const char *default_moduli_RFC2412_MODP_group2 = + /* name */ + "RFC2412-MODP-group2 " + /* bits */ + "1024 " + /* p */ + "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1" + "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD" + "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245" + "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED" + "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381" + "FFFFFFFF" "FFFFFFFF " + /* g */ + "02 " + /* q */ + "7FFFFFFF" "FFFFFFFF" "E487ED51" "10B4611A" "62633145" "C06E0E68" + "94812704" "4533E63A" "0105DF53" "1D89CD91" "28A5043C" "C71A026E" + "F7CA8CD9" "E69D218D" "98158536" "F92F8A1B" "A7F09AB6" "B6A8E122" + "F242DABB" "312F3F63" "7A262174" "D31BF6B5" "85FFAE5B" "7A035BF6" + "F71C35FD" "AD44CFD2" "D74F9208" "BE258FF3" "24943328" "F67329C0" + "FFFFFFFF" "FFFFFFFF"; + +static const char *default_moduli_rfc3526_MODP_group14 = + /* name */ + "rfc3526-MODP-group14 " + /* bits */ + "1760 " + /* p */ + "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1" + "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD" + "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245" + "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED" + "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D" + "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F" + "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D" + "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B" + "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9" + "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510" + "15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF " + /* g */ + "02 " + /* q */ + "7FFFFFFF" "FFFFFFFF" "E487ED51" "10B4611A" "62633145" "C06E0E68" + "94812704" "4533E63A" "0105DF53" "1D89CD91" "28A5043C" "C71A026E" + "F7CA8CD9" "E69D218D" "98158536" "F92F8A1B" "A7F09AB6" "B6A8E122" + "F242DABB" "312F3F63" "7A262174" "D31BF6B5" "85FFAE5B" "7A035BF6" + "F71C35FD" "AD44CFD2" "D74F9208" "BE258FF3" "24943328" "F6722D9E" + "E1003E5C" "50B1DF82" "CC6D241B" "0E2AE9CD" "348B1FD4" "7E9267AF" + "C1B2AE91" "EE51D6CB" "0E3179AB" "1042A95D" "CF6A9483" "B84B4B36" + "B3861AA7" "255E4C02" "78BA3604" "650C10BE" "19482F23" "171B671D" + "F1CF3B96" "0C074301" "CD93C1D1" "7603D147" "DAE2AEF8" "37A62964" + "EF15E5FB" "4AAC0B8C" "1CCAA4BE" "754AB572" "8AE9130C" "4C7D0288" + "0AB9472D" "45565534" "7FFFFFFF" "FFFFFFFF"; + +krb5_error_code +_krb5_parse_moduli(krb5_context context, const char *file, + struct krb5_dh_moduli ***moduli) +{ + /* name bits P G Q */ + krb5_error_code ret; + struct krb5_dh_moduli **m = NULL, **m2; + char buf[4096]; + FILE *f; + int lineno = 0, n = 0; + + *moduli = NULL; + + m = calloc(1, sizeof(m[0]) * 3); + if (m == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + + strlcpy(buf, default_moduli_rfc3526_MODP_group14, sizeof(buf)); + ret = _krb5_parse_moduli_line(context, "builtin", 1, buf, &m[0]); + if (ret) { + _krb5_free_moduli(m); + return ret; + } + n++; + + strlcpy(buf, default_moduli_RFC2412_MODP_group2, sizeof(buf)); + ret = _krb5_parse_moduli_line(context, "builtin", 1, buf, &m[1]); + if (ret) { + _krb5_free_moduli(m); + return ret; + } + n++; + + + if (file == NULL) + file = MODULI_FILE; + + f = fopen(file, "r"); + if (f == NULL) { + *moduli = m; + return 0; + } + + while(fgets(buf, sizeof(buf), f) != NULL) { + struct krb5_dh_moduli *element; + + buf[strcspn(buf, "\n")] = '\0'; + lineno++; + + m2 = realloc(m, (n + 2) * sizeof(m[0])); + if (m2 == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + _krb5_free_moduli(m); + return ENOMEM; + } + m = m2; + + m[n] = NULL; + + ret = _krb5_parse_moduli_line(context, file, lineno, buf, &element); + if (ret) { + _krb5_free_moduli(m); + return ret; + } + if (element == NULL) + continue; + + m[n] = element; + m[n + 1] = NULL; + n++; + } + *moduli = m; + return 0; +} + +krb5_error_code +_krb5_dh_group_ok(krb5_context context, unsigned long bits, + heim_integer *p, heim_integer *g, heim_integer *q, + struct krb5_dh_moduli **moduli, + char **name) +{ + int i; + + if (name) + *name = NULL; + + for (i = 0; moduli[i] != NULL; i++) { + if (der_heim_integer_cmp(&moduli[i]->g, g) == 0 && + der_heim_integer_cmp(&moduli[i]->p, p) == 0 && + (q == NULL || der_heim_integer_cmp(&moduli[i]->q, q) == 0)) + { + if (bits && bits > moduli[i]->bits) { + krb5_set_error_string(context, "PKINIT: DH group parameter %s " + "no accepted, not enough bits generated", + moduli[i]->name); + return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED; + } + if (name) + *name = strdup(moduli[i]->name); + return 0; + } + } + krb5_set_error_string(context, "PKINIT: DH group parameter no ok"); + return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED; +} + +void KRB5_LIB_FUNCTION +_krb5_get_init_creds_opt_free_pkinit(krb5_get_init_creds_opt *opt) +{ +#ifdef PKINIT + krb5_pk_init_ctx ctx; + + if (opt->opt_private == NULL || opt->opt_private->pk_init_ctx == NULL) + return; + ctx = opt->opt_private->pk_init_ctx; + if (ctx->dh) + DH_free(ctx->dh); + ctx->dh = NULL; + if (ctx->id) { + hx509_verify_destroy_ctx(ctx->id->verify_ctx); + hx509_certs_free(&ctx->id->certs); + hx509_certs_free(&ctx->id->anchors); + hx509_certs_free(&ctx->id->certpool); + hx509_context_free(&ctx->id->hx509ctx); + + if (ctx->clientDHNonce) { + krb5_free_data(NULL, ctx->clientDHNonce); + ctx->clientDHNonce = NULL; + } + if (ctx->m) + _krb5_free_moduli(ctx->m); + free(ctx->id); + ctx->id = NULL; + } + free(opt->opt_private->pk_init_ctx); + opt->opt_private->pk_init_ctx = NULL; +#endif +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_set_pkinit(krb5_context context, + krb5_get_init_creds_opt *opt, + krb5_principal principal, + const char *user_id, + const char *x509_anchors, + char * const * pool, + char * const * pki_revoke, + int flags, + krb5_prompter_fct prompter, + void *prompter_data, + char *password) +{ +#ifdef PKINIT + krb5_error_code ret; + char *anchors = NULL; + + if (opt->opt_private == NULL) { + krb5_set_error_string(context, "PKINIT: on non extendable opt"); + return EINVAL; + } + + opt->opt_private->pk_init_ctx = + calloc(1, sizeof(*opt->opt_private->pk_init_ctx)); + if (opt->opt_private->pk_init_ctx == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + opt->opt_private->pk_init_ctx->dh = NULL; + opt->opt_private->pk_init_ctx->id = NULL; + opt->opt_private->pk_init_ctx->clientDHNonce = NULL; + opt->opt_private->pk_init_ctx->require_binding = 0; + opt->opt_private->pk_init_ctx->require_eku = 1; + opt->opt_private->pk_init_ctx->require_krbtgt_otherName = 1; + opt->opt_private->pk_init_ctx->peer = NULL; + + /* XXX implement krb5_appdefault_strings */ + if (pool == NULL) + pool = krb5_config_get_strings(context, NULL, + "appdefaults", + "pkinit_pool", + NULL); + + if (pki_revoke == NULL) + pki_revoke = krb5_config_get_strings(context, NULL, + "appdefaults", + "pkinit_revoke", + NULL); + + if (x509_anchors == NULL) { + krb5_appdefault_string(context, "kinit", + krb5_principal_get_realm(context, principal), + "pkinit_anchors", NULL, &anchors); + x509_anchors = anchors; + } + + ret = _krb5_pk_load_id(context, + &opt->opt_private->pk_init_ctx->id, + user_id, + x509_anchors, + pool, + pki_revoke, + prompter, + prompter_data, + password); + if (ret) { + free(opt->opt_private->pk_init_ctx); + opt->opt_private->pk_init_ctx = NULL; + return ret; + } + + if ((flags & 2) == 0) { + const char *moduli_file; + unsigned long dh_min_bits; + + moduli_file = krb5_config_get_string(context, NULL, + "libdefaults", + "moduli", + NULL); + + dh_min_bits = + krb5_config_get_int_default(context, NULL, 0, + "libdefaults", + "pkinit_dh_min_bits", + NULL); + + ret = _krb5_parse_moduli(context, moduli_file, + &opt->opt_private->pk_init_ctx->m); + if (ret) { + _krb5_get_init_creds_opt_free_pkinit(opt); + return ret; + } + + opt->opt_private->pk_init_ctx->dh = DH_new(); + if (opt->opt_private->pk_init_ctx->dh == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + _krb5_get_init_creds_opt_free_pkinit(opt); + return ENOMEM; + } + + ret = select_dh_group(context, opt->opt_private->pk_init_ctx->dh, + dh_min_bits, + opt->opt_private->pk_init_ctx->m); + if (ret) { + _krb5_get_init_creds_opt_free_pkinit(opt); + return ret; + } + + if (DH_generate_key(opt->opt_private->pk_init_ctx->dh) != 1) { + krb5_set_error_string(context, "pkinit: failed to generate DH key"); + _krb5_get_init_creds_opt_free_pkinit(opt); + return ENOMEM; + } + } + + return 0; +#else + krb5_set_error_string(context, "no support for PKINIT compiled in"); + return EINVAL; +#endif +} + +/* + * + */ + +static void +_krb5_pk_copy_error(krb5_context context, + hx509_context hx509ctx, + int hxret, + const char *fmt, + ...) +{ + va_list va; + char *s, *f; + + va_start(va, fmt); + vasprintf(&f, fmt, va); + va_end(va); + if (f == NULL) { + krb5_clear_error_string(context); + return; + } + + s = hx509_get_error_string(hx509ctx, hxret); + if (s == NULL) { + krb5_clear_error_string(context); + free(f); + return; + } + krb5_set_error_string(context, "%s: %s", f, s); + free(s); + free(f); +} diff --git a/crypto/heimdal/lib/krb5/plugin.c b/crypto/heimdal/lib/krb5/plugin.c new file mode 100644 index 000000000000..bae28496aaf8 --- /dev/null +++ b/crypto/heimdal/lib/krb5/plugin.c @@ -0,0 +1,264 @@ +/* + * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5_locl.h" +RCSID("$Id: plugin.c 22033 2007-11-10 10:39:47Z lha $"); +#ifdef HAVE_DLFCN_H +#include <dlfcn.h> +#endif +#include <dirent.h> + +struct krb5_plugin { + void *symbol; + void *dsohandle; + struct krb5_plugin *next; +}; + +struct plugin { + enum krb5_plugin_type type; + void *name; + void *symbol; + struct plugin *next; +}; + +static HEIMDAL_MUTEX plugin_mutex = HEIMDAL_MUTEX_INITIALIZER; +static struct plugin *registered = NULL; + +static const char *plugin_dir = LIBDIR "/plugin/krb5"; + +/* + * + */ + +void * +_krb5_plugin_get_symbol(struct krb5_plugin *p) +{ + return p->symbol; +} + +struct krb5_plugin * +_krb5_plugin_get_next(struct krb5_plugin *p) +{ + return p->next; +} + +/* + * + */ + +#ifdef HAVE_DLOPEN + +static krb5_error_code +loadlib(krb5_context context, + enum krb5_plugin_type type, + const char *name, + const char *lib, + struct krb5_plugin **e) +{ + *e = calloc(1, sizeof(**e)); + if (*e == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + +#ifndef RTLD_LAZY +#define RTLD_LAZY 0 +#endif + + (*e)->dsohandle = dlopen(lib, RTLD_LAZY); + if ((*e)->dsohandle == NULL) { + free(*e); + *e = NULL; + krb5_set_error_string(context, "Failed to load %s: %s", + lib, dlerror()); + return ENOMEM; + } + + /* dlsym doesn't care about the type */ + (*e)->symbol = dlsym((*e)->dsohandle, name); + if ((*e)->symbol == NULL) { + dlclose((*e)->dsohandle); + free(*e); + krb5_clear_error_string(context); + return ENOMEM; + } + + return 0; +} +#endif /* HAVE_DLOPEN */ + +/** + * Register a plugin symbol name of specific type. + * @param context a Keberos context + * @param type type of plugin symbol + * @param name name of plugin symbol + * @param symbol a pointer to the named symbol + * @return In case of error a non zero error com_err error is returned + * and the Kerberos error string is set. + * + * @ingroup krb5_support + */ + +krb5_error_code +krb5_plugin_register(krb5_context context, + enum krb5_plugin_type type, + const char *name, + void *symbol) +{ + struct plugin *e; + + e = calloc(1, sizeof(*e)); + if (e == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + e->type = type; + e->name = strdup(name); + if (e->name == NULL) { + free(e); + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + e->symbol = symbol; + + HEIMDAL_MUTEX_lock(&plugin_mutex); + e->next = registered; + registered = e; + HEIMDAL_MUTEX_unlock(&plugin_mutex); + + return 0; +} + +krb5_error_code +_krb5_plugin_find(krb5_context context, + enum krb5_plugin_type type, + const char *name, + struct krb5_plugin **list) +{ + struct krb5_plugin *e; + struct plugin *p; + krb5_error_code ret; + char *sysdirs[2] = { NULL, NULL }; + char **dirs = NULL, **di; + struct dirent *entry; + char *path; + DIR *d = NULL; + + *list = NULL; + + HEIMDAL_MUTEX_lock(&plugin_mutex); + + for (p = registered; p != NULL; p = p->next) { + if (p->type != type || strcmp(p->name, name) != 0) + continue; + + e = calloc(1, sizeof(*e)); + if (e == NULL) { + HEIMDAL_MUTEX_unlock(&plugin_mutex); + krb5_set_error_string(context, "out of memory"); + ret = ENOMEM; + goto out; + } + e->symbol = p->symbol; + e->dsohandle = NULL; + e->next = *list; + *list = e; + } + HEIMDAL_MUTEX_unlock(&plugin_mutex); + +#ifdef HAVE_DLOPEN + + dirs = krb5_config_get_strings(context, NULL, "libdefaults", + "plugin_dir", NULL); + if (dirs == NULL) { + sysdirs[0] = rk_UNCONST(plugin_dir); + dirs = sysdirs; + } + + for (di = dirs; *di != NULL; di++) { + + d = opendir(*di); + if (d == NULL) + continue; + + while ((entry = readdir(d)) != NULL) { + asprintf(&path, "%s/%s", *di, entry->d_name); + if (path == NULL) { + krb5_set_error_string(context, "out of memory"); + ret = ENOMEM; + goto out; + } + ret = loadlib(context, type, name, path, &e); + free(path); + if (ret) + continue; + + e->next = *list; + *list = e; + } + closedir(d); + } + if (dirs != sysdirs) + krb5_config_free_strings(dirs); +#endif /* HAVE_DLOPEN */ + + if (*list == NULL) { + krb5_set_error_string(context, "Did not find a plugin for %s", name); + return ENOENT; + } + + return 0; + +out: + if (dirs && dirs != sysdirs) + krb5_config_free_strings(dirs); + if (d) + closedir(d); + _krb5_plugin_free(*list); + *list = NULL; + + return ret; +} + +void +_krb5_plugin_free(struct krb5_plugin *list) +{ + struct krb5_plugin *next; + while (list) { + next = list->next; + if (list->dsohandle) + dlclose(list->dsohandle); + free(list); + list = next; + } +} diff --git a/crypto/heimdal/lib/krb5/principal.c b/crypto/heimdal/lib/krb5/principal.c index d46f32801700..8d9c8805415a 100644 --- a/crypto/heimdal/lib/krb5/principal.c +++ b/crypto/heimdal/lib/krb5/principal.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -41,7 +41,7 @@ #include <fnmatch.h> #include "resolve.h" -RCSID("$Id: principal.c,v 1.82.2.1 2003/08/15 14:30:07 lha Exp $"); +RCSID("$Id: principal.c 21741 2007-07-31 16:00:37Z lha $"); #define princ_num_comp(P) ((P)->name.name_string.len) #define princ_type(P) ((P)->name.name_type) @@ -49,7 +49,7 @@ RCSID("$Id: principal.c,v 1.82.2.1 2003/08/15 14:30:07 lha Exp $"); #define princ_ncomp(P, N) ((P)->name.name_string.val[(N)]) #define princ_realm(P) ((P)->realm) -void +void KRB5_LIB_FUNCTION krb5_free_principal(krb5_context context, krb5_principal p) { @@ -59,23 +59,31 @@ krb5_free_principal(krb5_context context, } } -int +void KRB5_LIB_FUNCTION +krb5_principal_set_type(krb5_context context, + krb5_principal principal, + int type) +{ + princ_type(principal) = type; +} + +int KRB5_LIB_FUNCTION krb5_principal_get_type(krb5_context context, - krb5_principal principal) + krb5_const_principal principal) { return princ_type(principal); } -const char * +const char* KRB5_LIB_FUNCTION krb5_principal_get_realm(krb5_context context, - krb5_principal principal) + krb5_const_principal principal) { return princ_realm(principal); } -const char * +const char* KRB5_LIB_FUNCTION krb5_principal_get_comp_string(krb5_context context, - krb5_principal principal, + krb5_const_principal principal, unsigned int component) { if(component >= princ_num_comp(principal)) @@ -83,14 +91,15 @@ krb5_principal_get_comp_string(krb5_context context, return princ_ncomp(principal, component); } -krb5_error_code -krb5_parse_name(krb5_context context, - const char *name, - krb5_principal *principal) +krb5_error_code KRB5_LIB_FUNCTION +krb5_parse_name_flags(krb5_context context, + const char *name, + int flags, + krb5_principal *principal) { krb5_error_code ret; - general_string *comp; - general_string realm; + heim_general_string *comp; + heim_general_string realm = NULL; int ncomp; const char *p; @@ -101,19 +110,38 @@ krb5_parse_name(krb5_context context, int n; char c; int got_realm = 0; + int first_at = 1; + int enterprise = (flags & KRB5_PRINCIPAL_PARSE_ENTERPRISE); - /* count number of component */ + *principal = NULL; + +#define RFLAGS (KRB5_PRINCIPAL_PARSE_NO_REALM|KRB5_PRINCIPAL_PARSE_MUST_REALM) + + if ((flags & RFLAGS) == RFLAGS) { + krb5_set_error_string(context, "Can't require both realm and " + "no realm at the same time"); + return KRB5_ERR_NO_SERVICE; + } +#undef RFLAGS + + /* count number of component, + * enterprise names only have one component + */ ncomp = 1; - for(p = name; *p; p++){ - if(*p=='\\'){ - if(!p[1]) { - krb5_set_error_string (context, - "trailing \\ in principal name"); - return KRB5_PARSE_MALFORMED; - } - p++; - } else if(*p == '/') - ncomp++; + if (!enterprise) { + for(p = name; *p; p++){ + if(*p=='\\'){ + if(!p[1]) { + krb5_set_error_string (context, + "trailing \\ in principal name"); + return KRB5_PARSE_MALFORMED; + } + p++; + } else if(*p == '/') + ncomp++; + else if(*p == '@') + break; + } } comp = calloc(ncomp, sizeof(*comp)); if (comp == NULL) { @@ -146,7 +174,10 @@ krb5_parse_name(krb5_context context, ret = KRB5_PARSE_MALFORMED; goto exit; } - }else if(c == '/' || c == '@'){ + }else if(enterprise && first_at) { + if (c == '@') + first_at = 0; + }else if((c == '/' && !enterprise) || c == '@'){ if(got_realm){ krb5_set_error_string (context, "part after realm in principal name"); @@ -177,6 +208,12 @@ krb5_parse_name(krb5_context context, *q++ = c; } if(got_realm){ + if (flags & KRB5_PRINCIPAL_PARSE_NO_REALM) { + krb5_set_error_string (context, "realm found in 'short' principal " + "expected to be without one"); + ret = KRB5_PARSE_MALFORMED; + goto exit; + } realm = malloc(q - start + 1); if (realm == NULL) { krb5_set_error_string (context, "malloc: out of memory"); @@ -186,9 +223,18 @@ krb5_parse_name(krb5_context context, memcpy(realm, start, q - start); realm[q - start] = 0; }else{ - ret = krb5_get_default_realm (context, &realm); - if (ret) + if (flags & KRB5_PRINCIPAL_PARSE_MUST_REALM) { + krb5_set_error_string (context, "realm NOT found in principal " + "expected to be with one"); + ret = KRB5_PARSE_MALFORMED; goto exit; + } else if (flags & KRB5_PRINCIPAL_PARSE_NO_REALM) { + realm = NULL; + } else { + ret = krb5_get_default_realm (context, &realm); + if (ret) + goto exit; + } comp[n] = malloc(q - start + 1); if (comp[n] == NULL) { @@ -206,7 +252,10 @@ krb5_parse_name(krb5_context context, ret = ENOMEM; goto exit; } - (*principal)->name.name_type = KRB5_NT_PRINCIPAL; + if (enterprise) + (*principal)->name.name_type = KRB5_NT_ENTERPRISE_PRINCIPAL; + else + (*principal)->name.name_type = KRB5_NT_PRINCIPAL; (*principal)->name.name_string.val = comp; princ_num_comp(*principal) = n; (*principal)->realm = realm; @@ -217,29 +266,42 @@ exit: free(comp[--n]); } free(comp); + free(realm); free(s); return ret; } +krb5_error_code KRB5_LIB_FUNCTION +krb5_parse_name(krb5_context context, + const char *name, + krb5_principal *principal) +{ + return krb5_parse_name_flags(context, name, 0, principal); +} + static const char quotable_chars[] = " \n\t\b\\/@"; static const char replace_chars[] = " ntb\\/@"; +static const char nq_chars[] = " \\/@"; #define add_char(BASE, INDEX, LEN, C) do { if((INDEX) < (LEN)) (BASE)[(INDEX)++] = (C); }while(0); static size_t -quote_string(const char *s, char *out, size_t index, size_t len) +quote_string(const char *s, char *out, size_t idx, size_t len, int display) { const char *p, *q; - for(p = s; *p && index < len; p++){ - if((q = strchr(quotable_chars, *p))){ - add_char(out, index, len, '\\'); - add_char(out, index, len, replace_chars[q - quotable_chars]); + for(p = s; *p && idx < len; p++){ + q = strchr(quotable_chars, *p); + if (q && display) { + add_char(out, idx, len, replace_chars[q - quotable_chars]); + } else if (q) { + add_char(out, idx, len, '\\'); + add_char(out, idx, len, replace_chars[q - quotable_chars]); }else - add_char(out, index, len, *p); + add_char(out, idx, len, *p); } - if(index < len) - out[index] = '\0'; - return index; + if(idx < len) + out[idx] = '\0'; + return idx; } @@ -248,19 +310,31 @@ unparse_name_fixed(krb5_context context, krb5_const_principal principal, char *name, size_t len, - krb5_boolean short_form) + int flags) { - size_t index = 0; + size_t idx = 0; int i; + int short_form = (flags & KRB5_PRINCIPAL_UNPARSE_SHORT) != 0; + int no_realm = (flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) != 0; + int display = (flags & KRB5_PRINCIPAL_UNPARSE_DISPLAY) != 0; + + if (!no_realm && princ_realm(principal) == NULL) { + krb5_set_error_string(context, "Realm missing from principal, " + "can't unparse"); + return ERANGE; + } + for(i = 0; i < princ_num_comp(principal); i++){ if(i) - add_char(name, index, len, '/'); - index = quote_string(princ_ncomp(principal, i), name, index, len); - if(index == len) + add_char(name, idx, len, '/'); + idx = quote_string(princ_ncomp(principal, i), name, idx, len, display); + if(idx == len) { + krb5_set_error_string(context, "Out of space printing principal"); return ERANGE; + } } /* add realm if different from default realm */ - if(short_form) { + if(short_form && !no_realm) { krb5_realm r; krb5_error_code ret; ret = krb5_get_default_realm(context, &r); @@ -270,49 +344,66 @@ unparse_name_fixed(krb5_context context, short_form = 0; free(r); } - if(!short_form) { - add_char(name, index, len, '@'); - index = quote_string(princ_realm(principal), name, index, len); - if(index == len) + if(!short_form && !no_realm) { + add_char(name, idx, len, '@'); + idx = quote_string(princ_realm(principal), name, idx, len, display); + if(idx == len) { + krb5_set_error_string(context, + "Out of space printing realm of principal"); return ERANGE; + } } return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_unparse_name_fixed(krb5_context context, krb5_const_principal principal, char *name, size_t len) { - return unparse_name_fixed(context, principal, name, len, FALSE); + return unparse_name_fixed(context, principal, name, len, 0); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_unparse_name_fixed_short(krb5_context context, krb5_const_principal principal, char *name, size_t len) { - return unparse_name_fixed(context, principal, name, len, TRUE); + return unparse_name_fixed(context, principal, name, len, + KRB5_PRINCIPAL_UNPARSE_SHORT); +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_unparse_name_fixed_flags(krb5_context context, + krb5_const_principal principal, + int flags, + char *name, + size_t len) +{ + return unparse_name_fixed(context, principal, name, len, flags); } static krb5_error_code unparse_name(krb5_context context, krb5_const_principal principal, char **name, - krb5_boolean short_flag) + int flags) { size_t len = 0, plen; int i; krb5_error_code ret; /* count length */ - plen = strlen(princ_realm(principal)); - if(strcspn(princ_realm(principal), quotable_chars) == plen) - len += plen; - else - len += 2*plen; - len++; + if (princ_realm(principal)) { + plen = strlen(princ_realm(principal)); + + if(strcspn(princ_realm(principal), quotable_chars) == plen) + len += plen; + else + len += 2*plen; + len++; /* '@' */ + } for(i = 0; i < princ_num_comp(principal); i++){ plen = strlen(princ_ncomp(principal, i)); if(strcspn(princ_ncomp(principal, i), quotable_chars) == plen) @@ -321,13 +412,13 @@ unparse_name(krb5_context context, len += 2*plen; len++; } - len++; + len++; /* '\0' */ *name = malloc(len); if(*name == NULL) { krb5_set_error_string (context, "malloc: out of memory"); return ENOMEM; } - ret = unparse_name_fixed(context, principal, *name, len, short_flag); + ret = unparse_name_fixed(context, principal, *name, len, flags); if(ret) { free(*name); *name = NULL; @@ -335,25 +426,34 @@ unparse_name(krb5_context context, return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_unparse_name(krb5_context context, krb5_const_principal principal, char **name) { - return unparse_name(context, principal, name, FALSE); + return unparse_name(context, principal, name, 0); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_unparse_name_flags(krb5_context context, + krb5_const_principal principal, + int flags, + char **name) +{ + return unparse_name(context, principal, name, flags); +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_unparse_name_short(krb5_context context, krb5_const_principal principal, char **name) { - return unparse_name(context, principal, name, TRUE); + return unparse_name(context, principal, name, KRB5_PRINCIPAL_UNPARSE_SHORT); } #if 0 /* not implemented */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_unparse_name_ext(krb5_context context, krb5_const_principal principal, char **name, @@ -364,7 +464,7 @@ krb5_unparse_name_ext(krb5_context context, #endif -krb5_realm* +krb5_realm * KRB5_LIB_FUNCTION krb5_princ_realm(krb5_context context, krb5_principal principal) { @@ -372,7 +472,7 @@ krb5_princ_realm(krb5_context context, } -void +void KRB5_LIB_FUNCTION krb5_princ_set_realm(krb5_context context, krb5_principal principal, krb5_realm *realm) @@ -381,7 +481,7 @@ krb5_princ_set_realm(krb5_context context, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_build_principal(krb5_context context, krb5_principal *principal, int rlen, @@ -401,7 +501,7 @@ append_component(krb5_context context, krb5_principal p, const char *comp, size_t comp_len) { - general_string *tmp; + heim_general_string *tmp; size_t len = princ_num_comp(p); tmp = realloc(princ_comp(p), (len + 1) * sizeof(*tmp)); @@ -477,7 +577,7 @@ build_principal(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_make_principal(krb5_context context, krb5_principal *principal, krb5_const_realm realm, @@ -500,7 +600,7 @@ krb5_make_principal(krb5_context context, return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_build_principal_va(krb5_context context, krb5_principal *principal, int rlen, @@ -510,7 +610,7 @@ krb5_build_principal_va(krb5_context context, return build_principal(context, principal, rlen, realm, va_princ, ap); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_build_principal_va_ext(krb5_context context, krb5_principal *principal, int rlen, @@ -521,7 +621,7 @@ krb5_build_principal_va_ext(krb5_context context, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_build_principal_ext(krb5_context context, krb5_principal *principal, int rlen, @@ -537,7 +637,7 @@ krb5_build_principal_ext(krb5_context context, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_principal(krb5_context context, krb5_const_principal inprinc, krb5_principal *outprinc) @@ -560,7 +660,7 @@ krb5_copy_principal(krb5_context context, * return TRUE iff princ1 == princ2 (without considering the realm) */ -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_principal_compare_any_realm(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2) @@ -579,7 +679,7 @@ krb5_principal_compare_any_realm(krb5_context context, * return TRUE iff princ1 == princ2 */ -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_principal_compare(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2) @@ -593,7 +693,7 @@ krb5_principal_compare(krb5_context context, * return TRUE iff realm(princ1) == realm(princ2) */ -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_realm_compare(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2) @@ -605,7 +705,7 @@ krb5_realm_compare(krb5_context context, * return TRUE iff princ matches pattern */ -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_principal_match(krb5_context context, krb5_const_principal princ, krb5_const_principal pattern) @@ -623,7 +723,7 @@ krb5_principal_match(krb5_context context, } -struct v4_name_convert { +static struct v4_name_convert { const char *from; const char *to; } default_v4_name_convert[] = { @@ -686,14 +786,16 @@ get_name_conversion(krb5_context context, const char *realm, const char *name) * if `func', use that function for validating the conversion */ -krb5_error_code -krb5_425_conv_principal_ext(krb5_context context, - const char *name, - const char *instance, - const char *realm, - krb5_boolean (*func)(krb5_context, krb5_principal), - krb5_boolean resolve, - krb5_principal *princ) +krb5_error_code KRB5_LIB_FUNCTION +krb5_425_conv_principal_ext2(krb5_context context, + const char *name, + const char *instance, + const char *realm, + krb5_boolean (*func)(krb5_context, + void *, krb5_principal), + void *funcctx, + krb5_boolean resolve, + krb5_principal *princ) { const char *p; krb5_error_code ret; @@ -702,7 +804,7 @@ krb5_425_conv_principal_ext(krb5_context context, char local_hostname[MAXHOSTNAMELEN]; /* do the following: if the name is found in the - `v4_name_convert:host' part, is is assumed to be a `host' type + `v4_name_convert:host' part, is assumed to be a `host' type principal, and the instance is looked up in the `v4_instance_convert' part. if not found there the name is (optionally) looked up as a hostname, and if that doesn't yield @@ -724,7 +826,7 @@ krb5_425_conv_principal_ext(krb5_context context, if(p){ instance = p; ret = krb5_make_principal(context, &pr, realm, name, instance, NULL); - if(func == NULL || (*func)(context, pr)){ + if(func == NULL || (*func)(context, funcctx, pr)){ *princ = pr; return 0; } @@ -740,21 +842,24 @@ krb5_425_conv_principal_ext(krb5_context context, struct dns_reply *r; r = dns_lookup(instance, "aaaa"); - if (r && r->head && r->head->type == T_AAAA) { - inst = strdup(r->head->domain); + if (r) { + if (r->head && r->head->type == T_AAAA) { + inst = strdup(r->head->domain); + passed = TRUE; + } dns_free_data(r); - passed = TRUE; } else { r = dns_lookup(instance, "a"); - if(r && r->head && r->head->type == T_A) { - inst = strdup(r->head->domain); + if (r) { + if(r->head && r->head->type == T_A) { + inst = strdup(r->head->domain); + passed = TRUE; + } dns_free_data(r); - passed = TRUE; } } #else struct addrinfo hints, *ai; - int ret; memset (&hints, 0, sizeof(hints)); hints.ai_flags = AI_CANONNAME; @@ -781,7 +886,7 @@ krb5_425_conv_principal_ext(krb5_context context, NULL); free (inst); if(ret == 0) { - if(func == NULL || (*func)(context, pr)){ + if(func == NULL || (*func)(context, funcctx, pr)){ *princ = pr; return 0; } @@ -793,7 +898,7 @@ krb5_425_conv_principal_ext(krb5_context context, snprintf(host, sizeof(host), "%s.%s", instance, realm); strlwr(host); ret = krb5_make_principal(context, &pr, realm, name, host, NULL); - if((*func)(context, pr)){ + if((*func)(context, funcctx, pr)){ *princ = pr; return 0; } @@ -820,7 +925,7 @@ krb5_425_conv_principal_ext(krb5_context context, for(d = domains; d && *d; d++){ snprintf(host, sizeof(host), "%s.%s", instance, *d); ret = krb5_make_principal(context, &pr, realm, name, host, NULL); - if(func == NULL || (*func)(context, pr)){ + if(func == NULL || (*func)(context, funcctx, pr)){ *princ = pr; krb5_config_free_strings(domains); return 0; @@ -844,7 +949,7 @@ krb5_425_conv_principal_ext(krb5_context context, snprintf(host, sizeof(host), "%s.%s", instance, p); local_host: ret = krb5_make_principal(context, &pr, realm, name, host, NULL); - if(func == NULL || (*func)(context, pr)){ + if(func == NULL || (*func)(context, funcctx, pr)){ *princ = pr; return 0; } @@ -870,7 +975,7 @@ no_host: name = p; ret = krb5_make_principal(context, &pr, realm, name, instance, NULL); - if(func == NULL || (*func)(context, pr)){ + if(func == NULL || (*func)(context, funcctx, pr)){ *princ = pr; return 0; } @@ -879,7 +984,35 @@ no_host: return HEIM_ERR_V4_PRINC_NO_CONV; } -krb5_error_code +static krb5_boolean +convert_func(krb5_context conxtext, void *funcctx, krb5_principal principal) +{ + krb5_boolean (*func)(krb5_context, krb5_principal) = funcctx; + return (*func)(conxtext, principal); +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_425_conv_principal_ext(krb5_context context, + const char *name, + const char *instance, + const char *realm, + krb5_boolean (*func)(krb5_context, krb5_principal), + krb5_boolean resolve, + krb5_principal *principal) +{ + return krb5_425_conv_principal_ext2(context, + name, + instance, + realm, + func ? convert_func : NULL, + func, + resolve, + principal); +} + + + +krb5_error_code KRB5_LIB_FUNCTION krb5_425_conv_principal(krb5_context context, const char *name, const char *instance, @@ -972,7 +1105,7 @@ name_convert(krb5_context context, const char *name, const char *realm, * three parameters. They have to be 40 bytes each (ANAME_SZ). */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_524_conv_principal(krb5_context context, const krb5_principal principal, char *name, @@ -1043,7 +1176,7 @@ krb5_524_conv_principal(krb5_context context, * Create a principal in `ret_princ' for the service `sname' running * on host `hostname'. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_sname_to_principal (krb5_context context, const char *hostname, const char *sname, @@ -1085,3 +1218,37 @@ krb5_sname_to_principal (krb5_context context, krb5_free_host_realm(context, realms); return ret; } + +static const struct { + const char *type; + int32_t value; +} nametypes[] = { + { "UNKNOWN", KRB5_NT_UNKNOWN }, + { "PRINCIPAL", KRB5_NT_PRINCIPAL }, + { "SRV_INST", KRB5_NT_SRV_INST }, + { "SRV_HST", KRB5_NT_SRV_HST }, + { "SRV_XHST", KRB5_NT_SRV_XHST }, + { "UID", KRB5_NT_UID }, + { "X500_PRINCIPAL", KRB5_NT_X500_PRINCIPAL }, + { "SMTP_NAME", KRB5_NT_SMTP_NAME }, + { "ENTERPRISE_PRINCIPAL", KRB5_NT_ENTERPRISE_PRINCIPAL }, + { "ENT_PRINCIPAL_AND_ID", KRB5_NT_ENT_PRINCIPAL_AND_ID }, + { "MS_PRINCIPAL", KRB5_NT_MS_PRINCIPAL }, + { "MS_PRINCIPAL_AND_ID", KRB5_NT_MS_PRINCIPAL_AND_ID }, + { NULL } +}; + +krb5_error_code +krb5_parse_nametype(krb5_context context, const char *str, int32_t *nametype) +{ + size_t i; + + for(i = 0; nametypes[i].type; i++) { + if (strcasecmp(nametypes[i].type, str) == 0) { + *nametype = nametypes[i].value; + return 0; + } + } + krb5_set_error_string(context, "Failed to find name type %s", str); + return KRB5_PARSE_MALFORMED; +} diff --git a/crypto/heimdal/lib/krb5/prog_setup.c b/crypto/heimdal/lib/krb5/prog_setup.c index 3f5efb65fdca..0586155ac461 100644 --- a/crypto/heimdal/lib/krb5/prog_setup.c +++ b/crypto/heimdal/lib/krb5/prog_setup.c @@ -35,22 +35,22 @@ #include <getarg.h> #include <err.h> -RCSID("$Id: prog_setup.c,v 1.9 2001/02/20 01:44:54 assar Exp $"); +RCSID("$Id: prog_setup.c 15470 2005-06-17 04:29:41Z lha $"); -void +void KRB5_LIB_FUNCTION krb5_std_usage(int code, struct getargs *args, int num_args) { arg_printusage(args, num_args, NULL, ""); exit(code); } -int +int KRB5_LIB_FUNCTION krb5_program_setup(krb5_context *context, int argc, char **argv, struct getargs *args, int num_args, void (*usage)(int, struct getargs*, int)) { krb5_error_code ret; - int optind = 0; + int optidx = 0; if(usage == NULL) usage = krb5_std_usage; @@ -60,7 +60,7 @@ krb5_program_setup(krb5_context *context, int argc, char **argv, if (ret) errx (1, "krb5_init_context failed: %d", ret); - if(getarg(args, num_args, argc, argv, &optind)) + if(getarg(args, num_args, argc, argv, &optidx)) (*usage)(1, args, num_args); - return optind; + return optidx; } diff --git a/crypto/heimdal/lib/krb5/prompter_posix.c b/crypto/heimdal/lib/krb5/prompter_posix.c index 4aea3a422987..e0f407fb247e 100644 --- a/crypto/heimdal/lib/krb5/prompter_posix.c +++ b/crypto/heimdal/lib/krb5/prompter_posix.c @@ -33,9 +33,9 @@ #include "krb5_locl.h" -RCSID("$Id: prompter_posix.c,v 1.7 2002/09/16 17:32:11 nectar Exp $"); +RCSID("$Id: prompter_posix.c 13863 2004-05-25 21:46:46Z lha $"); -int +int KRB5_LIB_FUNCTION krb5_prompter_posix (krb5_context context, void *data, const char *name, @@ -49,9 +49,11 @@ krb5_prompter_posix (krb5_context context, fprintf (stderr, "%s\n", name); if (banner) fprintf (stderr, "%s\n", banner); + if (name || banner) + fflush(stderr); for (i = 0; i < num_prompts; ++i) { if (prompts[i].hidden) { - if(des_read_pw_string(prompts[i].reply->data, + if(UI_UTIL_read_pw_string(prompts[i].reply->data, prompts[i].reply->length, prompts[i].prompt, 0)) diff --git a/crypto/heimdal/lib/krb5/rd_cred.c b/crypto/heimdal/lib/krb5/rd_cred.c index 4a7d74cad5db..c3f732201f3d 100644 --- a/crypto/heimdal/lib/krb5/rd_cred.c +++ b/crypto/heimdal/lib/krb5/rd_cred.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,14 +33,32 @@ #include <krb5_locl.h> -RCSID("$Id: rd_cred.c,v 1.18 2002/09/04 16:26:05 joda Exp $"); +RCSID("$Id: rd_cred.c 20304 2007-04-11 11:15:05Z lha $"); -krb5_error_code +static krb5_error_code +compare_addrs(krb5_context context, + krb5_address *a, + krb5_address *b, + const char *message) +{ + char a_str[64], b_str[64]; + size_t len; + + if(krb5_address_compare (context, a, b)) + return 0; + + krb5_print_address (a, a_str, sizeof(a_str), &len); + krb5_print_address (b, b_str, sizeof(b_str), &len); + krb5_set_error_string(context, "%s: %s != %s", message, b_str, a_str); + return KRB5KRB_AP_ERR_BADADDR; +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_cred(krb5_context context, krb5_auth_context auth_context, krb5_data *in_data, krb5_creds ***ret_creds, - krb5_replay_data *out_data) + krb5_replay_data *outdata) { krb5_error_code ret; size_t len; @@ -50,12 +68,21 @@ krb5_rd_cred(krb5_context context, krb5_crypto crypto; int i; + memset(&enc_krb_cred_part, 0, sizeof(enc_krb_cred_part)); + + if ((auth_context->flags & + (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && + outdata == NULL) + return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */ + *ret_creds = NULL; ret = decode_KRB_CRED(in_data->data, in_data->length, &cred, &len); - if(ret) + if(ret) { + krb5_clear_error_string(context); return ret; + } if (cred.pvno != 5) { ret = KRB5KRB_AP_ERR_BADVERSION; @@ -70,28 +97,53 @@ krb5_rd_cred(krb5_context context, } if (cred.enc_part.etype == ETYPE_NULL) { - /* DK: MIT GSS-API Compatibility */ - enc_krb_cred_part_data.length = cred.enc_part.cipher.length; - enc_krb_cred_part_data.data = cred.enc_part.cipher.data; + /* DK: MIT GSS-API Compatibility */ + enc_krb_cred_part_data.length = cred.enc_part.cipher.length; + enc_krb_cred_part_data.data = cred.enc_part.cipher.data; } else { - if (auth_context->remote_subkey) + /* Try both subkey and session key. + * + * RFC4120 claims we should use the session key, but Heimdal + * before 0.8 used the remote subkey if it was send in the + * auth_context. + */ + + if (auth_context->remote_subkey) { ret = krb5_crypto_init(context, auth_context->remote_subkey, 0, &crypto); - else + if (ret) + goto out; + + ret = krb5_decrypt_EncryptedData(context, + crypto, + KRB5_KU_KRB_CRED, + &cred.enc_part, + &enc_krb_cred_part_data); + + krb5_crypto_destroy(context, crypto); + } + + /* + * If there was not subkey, or we failed using subkey, + * retry using the session key + */ + if (auth_context->remote_subkey == NULL || ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) + { + ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto); - /* DK: MIT rsh */ - if (ret) - goto out; - - ret = krb5_decrypt_EncryptedData(context, - crypto, - KRB5_KU_KRB_CRED, - &cred.enc_part, - &enc_krb_cred_part_data); - - krb5_crypto_destroy(context, crypto); + if (ret) + goto out; + + ret = krb5_decrypt_EncryptedData(context, + crypto, + KRB5_KU_KRB_CRED, + &cred.enc_part, + &enc_krb_cred_part_data); + + krb5_crypto_destroy(context, crypto); + } if (ret) goto out; } @@ -101,6 +153,8 @@ krb5_rd_cred(krb5_context context, enc_krb_cred_part_data.length, &enc_krb_cred_part, &len); + if (enc_krb_cred_part_data.data != cred.enc_part.cipher.data) + krb5_data_free(&enc_krb_cred_part_data); if (ret) goto out; @@ -110,7 +164,6 @@ krb5_rd_cred(krb5_context context, && auth_context->remote_address && auth_context->remote_port) { krb5_address *a; - int cmp; ret = krb5_make_addrport (context, &a, auth_context->remote_address, @@ -119,18 +172,12 @@ krb5_rd_cred(krb5_context context, goto out; - cmp = krb5_address_compare (context, - a, - enc_krb_cred_part.s_address); - - krb5_free_address (context, a); - free (a); - - if (cmp == 0) { - krb5_clear_error_string (context); - ret = KRB5KRB_AP_ERR_BADADDR; + ret = compare_addrs(context, a, enc_krb_cred_part.s_address, + "sender address is wrong in received creds"); + krb5_free_address(context, a); + free(a); + if(ret) goto out; - } } /* check receiver address */ @@ -140,32 +187,24 @@ krb5_rd_cred(krb5_context context, if(auth_context->local_port && enc_krb_cred_part.r_address->addr_type == KRB5_ADDRESS_ADDRPORT) { krb5_address *a; - int cmp; ret = krb5_make_addrport (context, &a, auth_context->local_address, auth_context->local_port); if (ret) goto out; - cmp = krb5_address_compare (context, - a, - enc_krb_cred_part.r_address); - krb5_free_address (context, a); - free (a); - - if (cmp == 0) { - krb5_clear_error_string (context); - ret = KRB5KRB_AP_ERR_BADADDR; + ret = compare_addrs(context, a, enc_krb_cred_part.r_address, + "receiver address is wrong in received creds"); + krb5_free_address(context, a); + free(a); + if(ret) goto out; - } } else { - if(!krb5_address_compare (context, - auth_context->local_address, - enc_krb_cred_part.r_address)) { - krb5_clear_error_string (context); - ret = KRB5KRB_AP_ERR_BADADDR; + ret = compare_addrs(context, auth_context->local_address, + enc_krb_cred_part.r_address, + "receiver address is wrong in received creds"); + if(ret) goto out; - } } } @@ -185,25 +224,23 @@ krb5_rd_cred(krb5_context context, } } - if(out_data != NULL) { + if ((auth_context->flags & + (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE))) { + /* if these fields are not present in the cred-part, silently + return zero */ + memset(outdata, 0, sizeof(*outdata)); if(enc_krb_cred_part.timestamp) - out_data->timestamp = *enc_krb_cred_part.timestamp; - else - out_data->timestamp = 0; + outdata->timestamp = *enc_krb_cred_part.timestamp; if(enc_krb_cred_part.usec) - out_data->usec = *enc_krb_cred_part.usec; - else - out_data->usec = 0; + outdata->usec = *enc_krb_cred_part.usec; if(enc_krb_cred_part.nonce) - out_data->seq = *enc_krb_cred_part.nonce; - else - out_data->seq = 0; + outdata->seq = *enc_krb_cred_part.nonce; } /* Convert to NULL terminated list of creds */ *ret_creds = calloc(enc_krb_cred_part.ticket_info.len + 1, - sizeof(**ret_creds)); + sizeof(**ret_creds)); if (*ret_creds == NULL) { ret = ENOMEM; @@ -214,7 +251,6 @@ krb5_rd_cred(krb5_context context, for (i = 0; i < enc_krb_cred_part.ticket_info.len; ++i) { KrbCredInfo *kci = &enc_krb_cred_part.ticket_info.val[i]; krb5_creds *creds; - size_t len; creds = calloc(1, sizeof(*creds)); if(creds == NULL) { @@ -225,15 +261,18 @@ krb5_rd_cred(krb5_context context, ASN1_MALLOC_ENCODE(Ticket, creds->ticket.data, creds->ticket.length, &cred.tickets.val[i], &len, ret); - if (ret) + if (ret) { + free(creds); goto out; + } if(creds->ticket.length != len) krb5_abortx(context, "internal error in ASN.1 encoder"); copy_EncryptionKey (&kci->key, &creds->session); if (kci->prealm && kci->pname) - principalname2krb5_principal (&creds->client, - *kci->pname, - *kci->prealm); + _krb5_principalname2krb5_principal (context, + &creds->client, + *kci->pname, + *kci->prealm); if (kci->flags) creds->flags.b = *kci->flags; if (kci->authtime) @@ -245,9 +284,10 @@ krb5_rd_cred(krb5_context context, if (kci->renew_till) creds->times.renew_till = *kci->renew_till; if (kci->srealm && kci->sname) - principalname2krb5_principal (&creds->server, - *kci->sname, - *kci->srealm); + _krb5_principalname2krb5_principal (context, + &creds->server, + *kci->sname, + *kci->srealm); if (kci->caddr) krb5_copy_addresses (context, kci->caddr, @@ -257,19 +297,25 @@ krb5_rd_cred(krb5_context context, } (*ret_creds)[i] = NULL; + + free_KRB_CRED (&cred); + free_EncKrbCredPart(&enc_krb_cred_part); + return 0; -out: + out: + free_EncKrbCredPart(&enc_krb_cred_part); free_KRB_CRED (&cred); if(*ret_creds) { for(i = 0; (*ret_creds)[i]; i++) krb5_free_creds(context, (*ret_creds)[i]); free(*ret_creds); + *ret_creds = NULL; } return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_cred2 (krb5_context context, krb5_auth_context auth_context, krb5_ccache ccache, diff --git a/crypto/heimdal/lib/krb5/rd_error.c b/crypto/heimdal/lib/krb5/rd_error.c index ca02f3d61a83..e7646467afdb 100644 --- a/crypto/heimdal/lib/krb5/rd_error.c +++ b/crypto/heimdal/lib/krb5/rd_error.c @@ -33,11 +33,11 @@ #include "krb5_locl.h" -RCSID("$Id: rd_error.c,v 1.6 2001/05/15 06:35:10 assar Exp $"); +RCSID("$Id: rd_error.c 21057 2007-06-12 17:22:31Z lha $"); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_error(krb5_context context, - krb5_data *msg, + const krb5_data *msg, KRB_ERROR *result) { @@ -45,20 +45,23 @@ krb5_rd_error(krb5_context context, krb5_error_code ret; ret = decode_KRB_ERROR(msg->data, msg->length, result, &len); - if(ret) + if(ret) { + krb5_clear_error_string(context); return ret; + } result->error_code += KRB5KDC_ERR_NONE; return 0; } -void +void KRB5_LIB_FUNCTION krb5_free_error_contents (krb5_context context, krb5_error *error) { free_KRB_ERROR(error); + memset(error, 0, sizeof(*error)); } -void +void KRB5_LIB_FUNCTION krb5_free_error (krb5_context context, krb5_error *error) { @@ -66,7 +69,7 @@ krb5_free_error (krb5_context context, free (error); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_error_from_rd_error(krb5_context context, const krb5_error *error, const krb5_creds *creds) diff --git a/crypto/heimdal/lib/krb5/rd_priv.c b/crypto/heimdal/lib/krb5/rd_priv.c index 36ffed598067..ed7a2ccc5278 100644 --- a/crypto/heimdal/lib/krb5/rd_priv.c +++ b/crypto/heimdal/lib/krb5/rd_priv.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,130 +33,153 @@ #include <krb5_locl.h> -RCSID("$Id: rd_priv.c,v 1.29 2001/06/18 02:46:15 assar Exp $"); +RCSID("$Id: rd_priv.c 21751 2007-07-31 20:42:20Z lha $"); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, const krb5_data *inbuf, krb5_data *outbuf, - /*krb5_replay_data*/ void *outdata) + krb5_replay_data *outdata) { - krb5_error_code ret; - KRB_PRIV priv; - EncKrbPrivPart part; - size_t len; - krb5_data plain; - krb5_keyblock *key; - krb5_crypto crypto; - - memset(&priv, 0, sizeof(priv)); - ret = decode_KRB_PRIV (inbuf->data, inbuf->length, &priv, &len); - if (ret) - goto failure; - if (priv.pvno != 5) { - krb5_clear_error_string (context); - ret = KRB5KRB_AP_ERR_BADVERSION; - goto failure; - } - if (priv.msg_type != krb_priv) { - krb5_clear_error_string (context); - ret = KRB5KRB_AP_ERR_MSG_TYPE; - goto failure; - } - - if (auth_context->remote_subkey) - key = auth_context->remote_subkey; - else if (auth_context->local_subkey) - key = auth_context->local_subkey; - else - key = auth_context->keyblock; - - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret) - goto failure; - ret = krb5_decrypt_EncryptedData(context, - crypto, - KRB5_KU_KRB_PRIV, - &priv.enc_part, - &plain); - krb5_crypto_destroy(context, crypto); - if (ret) - goto failure; - - ret = decode_EncKrbPrivPart (plain.data, plain.length, &part, &len); - krb5_data_free (&plain); - if (ret) - goto failure; + krb5_error_code ret; + KRB_PRIV priv; + EncKrbPrivPart part; + size_t len; + krb5_data plain; + krb5_keyblock *key; + krb5_crypto crypto; + + if (outbuf) + krb5_data_zero(outbuf); + + if ((auth_context->flags & + (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && + outdata == NULL) { + krb5_clear_error_string (context); + return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */ + } + + memset(&priv, 0, sizeof(priv)); + ret = decode_KRB_PRIV (inbuf->data, inbuf->length, &priv, &len); + if (ret) { + krb5_clear_error_string (context); + goto failure; + } + if (priv.pvno != 5) { + krb5_clear_error_string (context); + ret = KRB5KRB_AP_ERR_BADVERSION; + goto failure; + } + if (priv.msg_type != krb_priv) { + krb5_clear_error_string (context); + ret = KRB5KRB_AP_ERR_MSG_TYPE; + goto failure; + } + + if (auth_context->remote_subkey) + key = auth_context->remote_subkey; + else if (auth_context->local_subkey) + key = auth_context->local_subkey; + else + key = auth_context->keyblock; + + ret = krb5_crypto_init(context, key, 0, &crypto); + if (ret) + goto failure; + ret = krb5_decrypt_EncryptedData(context, + crypto, + KRB5_KU_KRB_PRIV, + &priv.enc_part, + &plain); + krb5_crypto_destroy(context, crypto); + if (ret) + goto failure; + + ret = decode_EncKrbPrivPart (plain.data, plain.length, &part, &len); + krb5_data_free (&plain); + if (ret) { + krb5_clear_error_string (context); + goto failure; + } - /* check sender address */ - - if (part.s_address - && auth_context->remote_address - && !krb5_address_compare (context, - auth_context->remote_address, - part.s_address)) { - krb5_clear_error_string (context); - ret = KRB5KRB_AP_ERR_BADADDR; - goto failure_part; - } - - /* check receiver address */ - - if (part.r_address - && auth_context->local_address - && !krb5_address_compare (context, - auth_context->local_address, - part.r_address)) { - krb5_clear_error_string (context); - ret = KRB5KRB_AP_ERR_BADADDR; - goto failure_part; - } - - /* check timestamp */ - if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) { - krb5_timestamp sec; - - krb5_timeofday (context, &sec); - if (part.timestamp == NULL || - part.usec == NULL || - abs(*part.timestamp - sec) > context->max_skew) { - krb5_clear_error_string (context); - ret = KRB5KRB_AP_ERR_SKEW; - goto failure_part; - } - } - - /* XXX - check replay cache */ - - /* check sequence number. since MIT krb5 cannot generate a sequence - number of zero but instead generates no sequence number, we accept that - */ - - if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { - if ((part.seq_number == NULL - && auth_context->remote_seqnumber != 0) - || (part.seq_number != NULL - && *part.seq_number != auth_context->remote_seqnumber)) { - krb5_clear_error_string (context); - ret = KRB5KRB_AP_ERR_BADORDER; - goto failure_part; - } - auth_context->remote_seqnumber++; - } - - ret = krb5_data_copy (outbuf, part.user_data.data, part.user_data.length); - if (ret) - goto failure_part; - - free_EncKrbPrivPart (&part); - free_KRB_PRIV (&priv); - return 0; - -failure_part: - free_EncKrbPrivPart (&part); - -failure: - free_KRB_PRIV (&priv); - return ret; + /* check sender address */ + + if (part.s_address + && auth_context->remote_address + && !krb5_address_compare (context, + auth_context->remote_address, + part.s_address)) { + krb5_clear_error_string (context); + ret = KRB5KRB_AP_ERR_BADADDR; + goto failure_part; + } + + /* check receiver address */ + + if (part.r_address + && auth_context->local_address + && !krb5_address_compare (context, + auth_context->local_address, + part.r_address)) { + krb5_clear_error_string (context); + ret = KRB5KRB_AP_ERR_BADADDR; + goto failure_part; + } + + /* check timestamp */ + if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) { + krb5_timestamp sec; + + krb5_timeofday (context, &sec); + if (part.timestamp == NULL || + part.usec == NULL || + abs(*part.timestamp - sec) > context->max_skew) { + krb5_clear_error_string (context); + ret = KRB5KRB_AP_ERR_SKEW; + goto failure_part; + } + } + + /* XXX - check replay cache */ + + /* check sequence number. since MIT krb5 cannot generate a sequence + number of zero but instead generates no sequence number, we accept that + */ + + if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { + if ((part.seq_number == NULL + && auth_context->remote_seqnumber != 0) + || (part.seq_number != NULL + && *part.seq_number != auth_context->remote_seqnumber)) { + krb5_clear_error_string (context); + ret = KRB5KRB_AP_ERR_BADORDER; + goto failure_part; + } + auth_context->remote_seqnumber++; + } + + ret = krb5_data_copy (outbuf, part.user_data.data, part.user_data.length); + if (ret) + goto failure_part; + + if ((auth_context->flags & + (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE))) { + /* if these fields are not present in the priv-part, silently + return zero */ + memset(outdata, 0, sizeof(*outdata)); + if(part.timestamp) + outdata->timestamp = *part.timestamp; + if(part.usec) + outdata->usec = *part.usec; + if(part.seq_number) + outdata->seq = *part.seq_number; + } + + failure_part: + free_EncKrbPrivPart (&part); + + failure: + free_KRB_PRIV (&priv); + return ret; } diff --git a/crypto/heimdal/lib/krb5/rd_rep.c b/crypto/heimdal/lib/krb5/rd_rep.c index 7f947de5e143..8c9b7bb441d7 100644 --- a/crypto/heimdal/lib/krb5/rd_rep.c +++ b/crypto/heimdal/lib/krb5/rd_rep.c @@ -33,85 +33,92 @@ #include <krb5_locl.h> -RCSID("$Id: rd_rep.c,v 1.22 2001/06/18 02:46:53 assar Exp $"); +RCSID("$Id: rd_rep.c 17890 2006-08-21 09:19:22Z lha $"); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_rep(krb5_context context, krb5_auth_context auth_context, const krb5_data *inbuf, krb5_ap_rep_enc_part **repl) { - krb5_error_code ret; - AP_REP ap_rep; - size_t len; - krb5_data data; - krb5_crypto crypto; + krb5_error_code ret; + AP_REP ap_rep; + size_t len; + krb5_data data; + krb5_crypto crypto; - krb5_data_zero (&data); - ret = 0; + krb5_data_zero (&data); + ret = 0; - ret = decode_AP_REP(inbuf->data, inbuf->length, &ap_rep, &len); - if (ret) - return ret; - if (ap_rep.pvno != 5) { - ret = KRB5KRB_AP_ERR_BADVERSION; - krb5_clear_error_string (context); - goto out; - } - if (ap_rep.msg_type != krb_ap_rep) { - ret = KRB5KRB_AP_ERR_MSG_TYPE; - krb5_clear_error_string (context); - goto out; - } + ret = decode_AP_REP(inbuf->data, inbuf->length, &ap_rep, &len); + if (ret) + return ret; + if (ap_rep.pvno != 5) { + ret = KRB5KRB_AP_ERR_BADVERSION; + krb5_clear_error_string (context); + goto out; + } + if (ap_rep.msg_type != krb_ap_rep) { + ret = KRB5KRB_AP_ERR_MSG_TYPE; + krb5_clear_error_string (context); + goto out; + } - ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto); - if (ret) - goto out; - ret = krb5_decrypt_EncryptedData (context, - crypto, - KRB5_KU_AP_REQ_ENC_PART, - &ap_rep.enc_part, - &data); - krb5_crypto_destroy(context, crypto); - if (ret) - goto out; + ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto); + if (ret) + goto out; + ret = krb5_decrypt_EncryptedData (context, + crypto, + KRB5_KU_AP_REQ_ENC_PART, + &ap_rep.enc_part, + &data); + krb5_crypto_destroy(context, crypto); + if (ret) + goto out; - *repl = malloc(sizeof(**repl)); - if (*repl == NULL) { - ret = ENOMEM; - krb5_set_error_string (context, "malloc: out of memory"); - goto out; - } - ret = krb5_decode_EncAPRepPart(context, - data.data, - data.length, - *repl, - &len); - if (ret) - return ret; + *repl = malloc(sizeof(**repl)); + if (*repl == NULL) { + ret = ENOMEM; + krb5_set_error_string (context, "malloc: out of memory"); + goto out; + } + ret = krb5_decode_EncAPRepPart(context, + data.data, + data.length, + *repl, + &len); + if (ret) + return ret; - if ((*repl)->ctime != auth_context->authenticator->ctime || - (*repl)->cusec != auth_context->authenticator->cusec) { - ret = KRB5KRB_AP_ERR_MUT_FAIL; - krb5_clear_error_string (context); - goto out; - } - if ((*repl)->seq_number) - krb5_auth_con_setremoteseqnumber(context, auth_context, - *((*repl)->seq_number)); - if ((*repl)->subkey) - krb5_auth_con_setremotesubkey(context, auth_context, (*repl)->subkey); + if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) { + if ((*repl)->ctime != auth_context->authenticator->ctime || + (*repl)->cusec != auth_context->authenticator->cusec) + { + krb5_free_ap_rep_enc_part(context, *repl); + *repl = NULL; + ret = KRB5KRB_AP_ERR_MUT_FAIL; + krb5_clear_error_string (context); + goto out; + } + } + if ((*repl)->seq_number) + krb5_auth_con_setremoteseqnumber(context, auth_context, + *((*repl)->seq_number)); + if ((*repl)->subkey) + krb5_auth_con_setremotesubkey(context, auth_context, (*repl)->subkey); -out: - krb5_data_free (&data); - free_AP_REP (&ap_rep); - return ret; + out: + krb5_data_free (&data); + free_AP_REP (&ap_rep); + return ret; } -void +void KRB5_LIB_FUNCTION krb5_free_ap_rep_enc_part (krb5_context context, krb5_ap_rep_enc_part *val) { - free_EncAPRepPart (val); - free (val); + if (val) { + free_EncAPRepPart (val); + free (val); + } } diff --git a/crypto/heimdal/lib/krb5/rd_req.c b/crypto/heimdal/lib/krb5/rd_req.c index 590952eb3bb8..0f33b9716454 100644 --- a/crypto/heimdal/lib/krb5/rd_req.c +++ b/crypto/heimdal/lib/krb5/rd_req.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$Id: rd_req.c,v 1.47.8.3 2003/10/21 20:10:33 lha Exp $"); +RCSID("$Id: rd_req.c 22235 2007-12-08 21:52:07Z lha $"); static krb5_error_code decrypt_tkt_enc_part (krb5_context context, @@ -101,7 +101,7 @@ decrypt_authenticator (krb5_context context, return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_ap_req(krb5_context context, const krb5_data *inbuf, krb5_ap_req *ap_req) @@ -136,6 +136,14 @@ check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc) int num_realms; krb5_error_code ret; + /* + * Windows 2000 and 2003 uses this inside their TGT so it's normaly + * not seen by others, however, samba4 joined with a Windows AD as + * a Domain Controller gets exposed to this. + */ + if(enc->transited.tr_type == 0 && enc->transited.contents.length == 0) + return 0; + if(enc->transited.tr_type != DOMAIN_X500_COMPRESS) return KRB5KDC_ERR_TRTYPE_NOSUPP; @@ -155,7 +163,60 @@ check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc) return ret; } -krb5_error_code +static krb5_error_code +find_etypelist(krb5_context context, + krb5_auth_context auth_context, + EtypeList *etypes) +{ + krb5_error_code ret; + krb5_authdata *ad; + krb5_authdata adIfRelevant; + unsigned i; + + adIfRelevant.len = 0; + + etypes->len = 0; + etypes->val = NULL; + + ad = auth_context->authenticator->authorization_data; + if (ad == NULL) + return 0; + + for (i = 0; i < ad->len; i++) { + if (ad->val[i].ad_type == KRB5_AUTHDATA_IF_RELEVANT) { + ret = decode_AD_IF_RELEVANT(ad->val[i].ad_data.data, + ad->val[i].ad_data.length, + &adIfRelevant, + NULL); + if (ret) + return ret; + + if (adIfRelevant.len == 1 && + adIfRelevant.val[0].ad_type == + KRB5_AUTHDATA_GSS_API_ETYPE_NEGOTIATION) { + break; + } + free_AD_IF_RELEVANT(&adIfRelevant); + adIfRelevant.len = 0; + } + } + + if (adIfRelevant.len == 0) + return 0; + + ret = decode_EtypeList(adIfRelevant.val[0].ad_data.data, + adIfRelevant.val[0].ad_data.length, + etypes, + NULL); + if (ret) + krb5_clear_error_string(context); + + free_AD_IF_RELEVANT(&adIfRelevant); + + return ret; +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_decrypt_ticket(krb5_context context, Ticket *ticket, krb5_keyblock *key, @@ -204,7 +265,7 @@ krb5_decrypt_ticket(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_authenticator_checksum(krb5_context context, krb5_auth_context ac, void *data, @@ -220,8 +281,10 @@ krb5_verify_authenticator_checksum(krb5_context context, &authenticator); if(ret) return ret; - if(authenticator->cksum == NULL) + if(authenticator->cksum == NULL) { + krb5_free_authenticator(context, &authenticator); return -17; + } ret = krb5_auth_con_getkey(context, ac, &key); if(ret) { krb5_free_authenticator(context, &authenticator); @@ -244,7 +307,7 @@ out: } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_ap_req(krb5_context context, krb5_auth_context *auth_context, krb5_ap_req *ap_req, @@ -265,7 +328,7 @@ krb5_verify_ap_req(krb5_context context, KRB5_KU_AP_REQ_AUTH); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_ap_req2(krb5_context context, krb5_auth_context *auth_context, krb5_ap_req *ap_req, @@ -276,10 +339,14 @@ krb5_verify_ap_req2(krb5_context context, krb5_ticket **ticket, krb5_key_usage usage) { - krb5_ticket t; + krb5_ticket *t; krb5_auth_context ac; krb5_error_code ret; + EtypeList etypes; + if (ticket) + *ticket = NULL; + if (auth_context && *auth_context) { ac = *auth_context; } else { @@ -288,69 +355,98 @@ krb5_verify_ap_req2(krb5_context context, return ret; } + t = calloc(1, sizeof(*t)); + if (t == NULL) { + ret = ENOMEM; + krb5_clear_error_string (context); + goto out; + } + if (ap_req->ap_options.use_session_key && ac->keyblock){ ret = krb5_decrypt_ticket(context, &ap_req->ticket, ac->keyblock, - &t.ticket, + &t->ticket, flags); krb5_free_keyblock(context, ac->keyblock); ac->keyblock = NULL; }else ret = krb5_decrypt_ticket(context, &ap_req->ticket, keyblock, - &t.ticket, + &t->ticket, flags); if(ret) goto out; - principalname2krb5_principal(&t.server, ap_req->ticket.sname, - ap_req->ticket.realm); - principalname2krb5_principal(&t.client, t.ticket.cname, - t.ticket.crealm); + ret = _krb5_principalname2krb5_principal(context, + &t->server, + ap_req->ticket.sname, + ap_req->ticket.realm); + if (ret) goto out; + ret = _krb5_principalname2krb5_principal(context, + &t->client, + t->ticket.cname, + t->ticket.crealm); + if (ret) goto out; /* save key */ - krb5_copy_keyblock(context, &t.ticket.key, &ac->keyblock); + ret = krb5_copy_keyblock(context, &t->ticket.key, &ac->keyblock); + if (ret) goto out; ret = decrypt_authenticator (context, - &t.ticket.key, + &t->ticket.key, &ap_req->authenticator, ac->authenticator, usage); if (ret) - goto out2; + goto out; { krb5_principal p1, p2; krb5_boolean res; - principalname2krb5_principal(&p1, - ac->authenticator->cname, - ac->authenticator->crealm); - principalname2krb5_principal(&p2, - t.ticket.cname, - t.ticket.crealm); + _krb5_principalname2krb5_principal(context, + &p1, + ac->authenticator->cname, + ac->authenticator->crealm); + _krb5_principalname2krb5_principal(context, + &p2, + t->ticket.cname, + t->ticket.crealm); res = krb5_principal_compare (context, p1, p2); krb5_free_principal (context, p1); krb5_free_principal (context, p2); if (!res) { ret = KRB5KRB_AP_ERR_BADMATCH; krb5_clear_error_string (context); - goto out2; + goto out; } } /* check addresses */ - if (t.ticket.caddr + if (t->ticket.caddr && ac->remote_address && !krb5_address_search (context, ac->remote_address, - t.ticket.caddr)) { + t->ticket.caddr)) { ret = KRB5KRB_AP_ERR_BADADDR; krb5_clear_error_string (context); - goto out2; + goto out; + } + + /* check timestamp in authenticator */ + { + krb5_timestamp now; + + krb5_timeofday (context, &now); + + if (abs(ac->authenticator->ctime - now) > context->max_skew) { + ret = KRB5KRB_AP_ERR_SKEW; + krb5_clear_error_string (context); + goto out; + } } if (ac->authenticator->seq_number) @@ -363,38 +459,226 @@ krb5_verify_ap_req2(krb5_context context, ret = krb5_auth_con_setremotesubkey(context, ac, ac->authenticator->subkey); if (ret) - goto out2; + goto out; + } + + ret = find_etypelist(context, ac, &etypes); + if (ret) + goto out; + + ac->keytype = ETYPE_NULL; + + if (etypes.val) { + int i; + + for (i = 0; i < etypes.len; i++) { + if (krb5_enctype_valid(context, etypes.val[i]) == 0) { + ac->keytype = etypes.val[i]; + break; + } + } } if (ap_req_options) { *ap_req_options = 0; + if (ac->keytype != ETYPE_NULL) + *ap_req_options |= AP_OPTS_USE_SUBKEY; if (ap_req->ap_options.use_session_key) *ap_req_options |= AP_OPTS_USE_SESSION_KEY; if (ap_req->ap_options.mutual_required) *ap_req_options |= AP_OPTS_MUTUAL_REQUIRED; } - if(ticket){ - *ticket = malloc(sizeof(**ticket)); - **ticket = t; - } else - krb5_free_ticket (context, &t); + if(ticket) + *ticket = t; + else + krb5_free_ticket (context, t); if (auth_context) { if (*auth_context == NULL) *auth_context = ac; } else krb5_auth_con_free (context, ac); + free_EtypeList(&etypes); return 0; - out2: - krb5_free_ticket (context, &t); out: + if (t) + krb5_free_ticket (context, t); if (auth_context == NULL || *auth_context == NULL) krb5_auth_con_free (context, ac); return ret; } +/* + * + */ + +struct krb5_rd_req_in_ctx_data { + krb5_keytab keytab; + krb5_keyblock *keyblock; + krb5_boolean check_pac; +}; + +struct krb5_rd_req_out_ctx_data { + krb5_keyblock *keyblock; + krb5_flags ap_req_options; + krb5_ticket *ticket; +}; + +/* + * + */ + +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req_in_ctx_alloc(krb5_context context, krb5_rd_req_in_ctx *ctx) +{ + *ctx = calloc(1, sizeof(**ctx)); + if (*ctx == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + (*ctx)->check_pac = (context->flags & KRB5_CTX_F_CHECK_PAC) ? 1 : 0; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req_in_set_keytab(krb5_context context, + krb5_rd_req_in_ctx in, + krb5_keytab keytab) +{ + in->keytab = keytab; /* XXX should make copy */ + return 0; +} + +/** + * Set if krb5_rq_red() is going to check the Windows PAC or not + * + * @param context Keberos 5 context. + * @param in krb5_rd_req_in_ctx to check the option on. + * @param flag flag to select if to check the pac (TRUE) or not (FALSE). + * + * @return Kerberos 5 error code, see krb5_get_error_message(). + * + * @ingroup krb5 + */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req_in_set_pac_check(krb5_context context, + krb5_rd_req_in_ctx in, + krb5_boolean flag) +{ + in->check_pac = flag; + return 0; +} + + +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req_in_set_keyblock(krb5_context context, + krb5_rd_req_in_ctx in, + krb5_keyblock *keyblock) +{ + in->keyblock = keyblock; /* XXX should make copy */ + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req_out_get_ap_req_options(krb5_context context, + krb5_rd_req_out_ctx out, + krb5_flags *ap_req_options) +{ + *ap_req_options = out->ap_req_options; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req_out_get_ticket(krb5_context context, + krb5_rd_req_out_ctx out, + krb5_ticket **ticket) +{ + return krb5_copy_ticket(context, out->ticket, ticket); +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req_out_get_keyblock(krb5_context context, + krb5_rd_req_out_ctx out, + krb5_keyblock **keyblock) +{ + return krb5_copy_keyblock(context, out->keyblock, keyblock); +} + +void KRB5_LIB_FUNCTION +krb5_rd_req_in_ctx_free(krb5_context context, krb5_rd_req_in_ctx ctx) +{ + free(ctx); +} + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_rd_req_out_ctx_alloc(krb5_context context, krb5_rd_req_out_ctx *ctx) +{ + *ctx = calloc(1, sizeof(**ctx)); + if (*ctx == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + return 0; +} + +void KRB5_LIB_FUNCTION +krb5_rd_req_out_ctx_free(krb5_context context, krb5_rd_req_out_ctx ctx) +{ + krb5_free_keyblock(context, ctx->keyblock); + free(ctx); +} + +/* + * + */ + +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req(krb5_context context, + krb5_auth_context *auth_context, + const krb5_data *inbuf, + krb5_const_principal server, + krb5_keytab keytab, + krb5_flags *ap_req_options, + krb5_ticket **ticket) +{ + krb5_error_code ret; + krb5_rd_req_in_ctx in; + krb5_rd_req_out_ctx out; + + ret = krb5_rd_req_in_ctx_alloc(context, &in); + if (ret) + return ret; + + ret = krb5_rd_req_in_set_keytab(context, in, keytab); + if (ret) { + krb5_rd_req_in_ctx_free(context, in); + return ret; + } + + ret = krb5_rd_req_ctx(context, auth_context, inbuf, server, in, &out); + krb5_rd_req_in_ctx_free(context, in); + if (ret) + return ret; + + if (ap_req_options) + *ap_req_options = out->ap_req_options; + if (ticket) { + ret = krb5_copy_ticket(context, out->ticket, ticket); + if (ret) + goto out; + } + +out: + krb5_rd_req_out_ctx_free(context, out); + return ret; +} + +/* + * + */ + +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_req_with_keyblock(krb5_context context, krb5_auth_context *auth_context, const krb5_data *inbuf, @@ -404,31 +688,41 @@ krb5_rd_req_with_keyblock(krb5_context context, krb5_ticket **ticket) { krb5_error_code ret; - krb5_ap_req ap_req; + krb5_rd_req_in_ctx in; + krb5_rd_req_out_ctx out; - if (*auth_context == NULL) { - ret = krb5_auth_con_init(context, auth_context); - if (ret) - return ret; + ret = krb5_rd_req_in_ctx_alloc(context, &in); + if (ret) + return ret; + + ret = krb5_rd_req_in_set_keyblock(context, in, keyblock); + if (ret) { + krb5_rd_req_in_ctx_free(context, in); + return ret; } - ret = krb5_decode_ap_req(context, inbuf, &ap_req); - if(ret) + ret = krb5_rd_req_ctx(context, auth_context, inbuf, server, in, &out); + krb5_rd_req_in_ctx_free(context, in); + if (ret) return ret; - ret = krb5_verify_ap_req(context, - auth_context, - &ap_req, - server, - keyblock, - 0, - ap_req_options, - ticket); + if (ap_req_options) + *ap_req_options = out->ap_req_options; + if (ticket) { + ret = krb5_copy_ticket(context, out->ticket, ticket); + if (ret) + goto out; + } - free_AP_REQ(&ap_req); +out: + krb5_rd_req_out_ctx_free(context, out); return ret; } +/* + * + */ + static krb5_error_code get_key_from_keytab(krb5_context context, krb5_auth_context *auth_context, @@ -469,34 +763,44 @@ out: return ret; } -krb5_error_code -krb5_rd_req(krb5_context context, - krb5_auth_context *auth_context, - const krb5_data *inbuf, - krb5_const_principal server, - krb5_keytab keytab, - krb5_flags *ap_req_options, - krb5_ticket **ticket) +/* + * + */ + +krb5_error_code KRB5_LIB_FUNCTION +krb5_rd_req_ctx(krb5_context context, + krb5_auth_context *auth_context, + const krb5_data *inbuf, + krb5_const_principal server, + krb5_rd_req_in_ctx inctx, + krb5_rd_req_out_ctx *outctx) { krb5_error_code ret; krb5_ap_req ap_req; - krb5_keyblock *keyblock = NULL; krb5_principal service = NULL; + krb5_rd_req_out_ctx o = NULL; + + ret = _krb5_rd_req_out_ctx_alloc(context, &o); + if (ret) + goto out; if (*auth_context == NULL) { ret = krb5_auth_con_init(context, auth_context); if (ret) - return ret; + goto out; } ret = krb5_decode_ap_req(context, inbuf, &ap_req); if(ret) - return ret; + goto out; if(server == NULL){ - principalname2krb5_principal(&service, - ap_req.ticket.sname, - ap_req.ticket.realm); + ret = _krb5_principalname2krb5_principal(context, + &service, + ap_req.ticket.sname, + ap_req.ticket.realm); + if (ret) + goto out; server = service; } if (ap_req.ap_options.use_session_key && @@ -507,36 +811,80 @@ krb5_rd_req(krb5_context context, goto out; } - if((*auth_context)->keyblock == NULL){ + if((*auth_context)->keyblock){ + ret = krb5_copy_keyblock(context, + (*auth_context)->keyblock, + &o->keyblock); + if (ret) + goto out; + } else if(inctx->keyblock){ + ret = krb5_copy_keyblock(context, + inctx->keyblock, + &o->keyblock); + if (ret) + goto out; + } else { + krb5_keytab keytab = NULL; + + if (inctx && inctx->keytab) + keytab = inctx->keytab; + ret = get_key_from_keytab(context, auth_context, &ap_req, server, keytab, - &keyblock); + &o->keyblock); if(ret) goto out; - } else { - ret = krb5_copy_keyblock(context, - (*auth_context)->keyblock, - &keyblock); - if (ret) - goto out; } - ret = krb5_verify_ap_req(context, - auth_context, - &ap_req, - server, - keyblock, - 0, - ap_req_options, - ticket); + ret = krb5_verify_ap_req2(context, + auth_context, + &ap_req, + server, + o->keyblock, + 0, + &o->ap_req_options, + &o->ticket, + KRB5_KU_AP_REQ_AUTH); - if(keyblock != NULL) - krb5_free_keyblock(context, keyblock); + if (ret) + goto out; + /* If there is a PAC, verify its server signature */ + if (inctx->check_pac) { + krb5_pac pac; + krb5_data data; + + ret = krb5_ticket_get_authorization_data_type(context, + o->ticket, + KRB5_AUTHDATA_WIN2K_PAC, + &data); + if (ret == 0) { + ret = krb5_pac_parse(context, data.data, data.length, &pac); + krb5_data_free(&data); + if (ret) + goto out; + + ret = krb5_pac_verify(context, + pac, + o->ticket->ticket.authtime, + o->ticket->client, + o->keyblock, + NULL); + krb5_pac_free(context, pac); + if (ret) + goto out; + } + ret = 0; + } out: + if (ret || outctx == NULL) { + krb5_rd_req_out_ctx_free(context, o); + } else + *outctx = o; + free_AP_REQ(&ap_req); if(service) krb5_free_principal(context, service); diff --git a/crypto/heimdal/lib/krb5/rd_safe.c b/crypto/heimdal/lib/krb5/rd_safe.c index bbba237b270f..b2fb5c59d776 100644 --- a/crypto/heimdal/lib/krb5/rd_safe.c +++ b/crypto/heimdal/lib/krb5/rd_safe.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$Id: rd_safe.c,v 1.27 2002/09/04 16:26:05 joda Exp $"); +RCSID("$Id: rd_safe.c 19827 2007-01-11 02:54:59Z lha $"); static krb5_error_code verify_checksum(krb5_context context, @@ -82,109 +82,132 @@ out: return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, const krb5_data *inbuf, krb5_data *outbuf, - /*krb5_replay_data*/ void *outdata) + krb5_replay_data *outdata) { - krb5_error_code ret; - KRB_SAFE safe; - size_t len; - - ret = decode_KRB_SAFE (inbuf->data, inbuf->length, &safe, &len); - if (ret) - return ret; - if (safe.pvno != 5) { - ret = KRB5KRB_AP_ERR_BADVERSION; - krb5_clear_error_string (context); - goto failure; - } - if (safe.msg_type != krb_safe) { - ret = KRB5KRB_AP_ERR_MSG_TYPE; - krb5_clear_error_string (context); - goto failure; - } - if (!krb5_checksum_is_keyed(context, safe.cksum.cksumtype) - || !krb5_checksum_is_collision_proof(context, safe.cksum.cksumtype)) { - ret = KRB5KRB_AP_ERR_INAPP_CKSUM; - krb5_clear_error_string (context); - goto failure; - } - - /* check sender address */ - - if (safe.safe_body.s_address - && auth_context->remote_address - && !krb5_address_compare (context, - auth_context->remote_address, - safe.safe_body.s_address)) { - ret = KRB5KRB_AP_ERR_BADADDR; - krb5_clear_error_string (context); - goto failure; - } - - /* check receiver address */ - - if (safe.safe_body.r_address - && auth_context->local_address - && !krb5_address_compare (context, - auth_context->local_address, - safe.safe_body.r_address)) { - ret = KRB5KRB_AP_ERR_BADADDR; - krb5_clear_error_string (context); - goto failure; - } - - /* check timestamp */ - if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) { - krb5_timestamp sec; - - krb5_timeofday (context, &sec); - - if (safe.safe_body.timestamp == NULL || - safe.safe_body.usec == NULL || - abs(*safe.safe_body.timestamp - sec) > context->max_skew) { - ret = KRB5KRB_AP_ERR_SKEW; - krb5_clear_error_string (context); - goto failure; - } - } - /* XXX - check replay cache */ - - /* check sequence number. since MIT krb5 cannot generate a sequence - number of zero but instead generates no sequence number, we accept that - */ - - if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { - if ((safe.safe_body.seq_number == NULL - && auth_context->remote_seqnumber != 0) - || (safe.safe_body.seq_number != NULL - && *safe.safe_body.seq_number != - auth_context->remote_seqnumber)) { - ret = KRB5KRB_AP_ERR_BADORDER; - krb5_clear_error_string (context); - goto failure; - } - auth_context->remote_seqnumber++; - } - - ret = verify_checksum (context, auth_context, &safe); - if (ret) - goto failure; + krb5_error_code ret; + KRB_SAFE safe; + size_t len; + + if (outbuf) + krb5_data_zero(outbuf); + + if ((auth_context->flags & + (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && + outdata == NULL) { + krb5_set_error_string(context, "rd_safe: need outdata to return data"); + return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */ + } + + ret = decode_KRB_SAFE (inbuf->data, inbuf->length, &safe, &len); + if (ret) + return ret; + if (safe.pvno != 5) { + ret = KRB5KRB_AP_ERR_BADVERSION; + krb5_clear_error_string (context); + goto failure; + } + if (safe.msg_type != krb_safe) { + ret = KRB5KRB_AP_ERR_MSG_TYPE; + krb5_clear_error_string (context); + goto failure; + } + if (!krb5_checksum_is_keyed(context, safe.cksum.cksumtype) + || !krb5_checksum_is_collision_proof(context, safe.cksum.cksumtype)) { + ret = KRB5KRB_AP_ERR_INAPP_CKSUM; + krb5_clear_error_string (context); + goto failure; + } + + /* check sender address */ + + if (safe.safe_body.s_address + && auth_context->remote_address + && !krb5_address_compare (context, + auth_context->remote_address, + safe.safe_body.s_address)) { + ret = KRB5KRB_AP_ERR_BADADDR; + krb5_clear_error_string (context); + goto failure; + } + + /* check receiver address */ + + if (safe.safe_body.r_address + && auth_context->local_address + && !krb5_address_compare (context, + auth_context->local_address, + safe.safe_body.r_address)) { + ret = KRB5KRB_AP_ERR_BADADDR; + krb5_clear_error_string (context); + goto failure; + } + + /* check timestamp */ + if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) { + krb5_timestamp sec; + + krb5_timeofday (context, &sec); + + if (safe.safe_body.timestamp == NULL || + safe.safe_body.usec == NULL || + abs(*safe.safe_body.timestamp - sec) > context->max_skew) { + ret = KRB5KRB_AP_ERR_SKEW; + krb5_clear_error_string (context); + goto failure; + } + } + /* XXX - check replay cache */ + + /* check sequence number. since MIT krb5 cannot generate a sequence + number of zero but instead generates no sequence number, we accept that + */ + + if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { + if ((safe.safe_body.seq_number == NULL + && auth_context->remote_seqnumber != 0) + || (safe.safe_body.seq_number != NULL + && *safe.safe_body.seq_number != + auth_context->remote_seqnumber)) { + ret = KRB5KRB_AP_ERR_BADORDER; + krb5_clear_error_string (context); + goto failure; + } + auth_context->remote_seqnumber++; + } + + ret = verify_checksum (context, auth_context, &safe); + if (ret) + goto failure; - outbuf->length = safe.safe_body.user_data.length; - outbuf->data = malloc(outbuf->length); - if (outbuf->data == NULL) { - ret = ENOMEM; - krb5_set_error_string (context, "malloc: out of memory"); - goto failure; - } - memcpy (outbuf->data, safe.safe_body.user_data.data, outbuf->length); - free_KRB_SAFE (&safe); - return 0; -failure: - free_KRB_SAFE (&safe); - return ret; + outbuf->length = safe.safe_body.user_data.length; + outbuf->data = malloc(outbuf->length); + if (outbuf->data == NULL && outbuf->length != 0) { + ret = ENOMEM; + krb5_set_error_string (context, "malloc: out of memory"); + krb5_data_zero(outbuf); + goto failure; + } + memcpy (outbuf->data, safe.safe_body.user_data.data, outbuf->length); + + if ((auth_context->flags & + (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE))) { + /* if these fields are not present in the safe-part, silently + return zero */ + memset(outdata, 0, sizeof(*outdata)); + if(safe.safe_body.timestamp) + outdata->timestamp = *safe.safe_body.timestamp; + if(safe.safe_body.usec) + outdata->usec = *safe.safe_body.usec; + if(safe.safe_body.seq_number) + outdata->seq = *safe.safe_body.seq_number; + } + + failure: + free_KRB_SAFE (&safe); + return ret; } diff --git a/crypto/heimdal/lib/krb5/read_message.c b/crypto/heimdal/lib/krb5/read_message.c index 124499ad4c4f..5e03507b66a5 100644 --- a/crypto/heimdal/lib/krb5/read_message.c +++ b/crypto/heimdal/lib/krb5/read_message.c @@ -33,16 +33,18 @@ #include "krb5_locl.h" -RCSID("$Id: read_message.c,v 1.8 2001/05/14 06:14:51 assar Exp $"); +RCSID("$Id: read_message.c 21750 2007-07-31 20:41:25Z lha $"); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_read_message (krb5_context context, krb5_pointer p_fd, krb5_data *data) { krb5_error_code ret; - u_int32_t len; - u_int8_t buf[4]; + uint32_t len; + uint8_t buf[4]; + + krb5_data_zero(data); ret = krb5_net_read (context, p_fd, buf, 4); if(ret == -1) { @@ -51,13 +53,15 @@ krb5_read_message (krb5_context context, return ret; } if(ret < 4) { - data->length = 0; + krb5_clear_error_string(context); return HEIM_ERR_EOF; } len = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]; ret = krb5_data_alloc (data, len); - if (ret) + if (ret) { + krb5_clear_error_string(context); return ret; + } if (krb5_net_read (context, p_fd, data->data, len) != len) { ret = errno; krb5_data_free (data); @@ -67,7 +71,7 @@ krb5_read_message (krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_read_priv_message(krb5_context context, krb5_auth_context ac, krb5_pointer p_fd, @@ -84,7 +88,7 @@ krb5_read_priv_message(krb5_context context, return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_read_safe_message(krb5_context context, krb5_auth_context ac, krb5_pointer p_fd, diff --git a/crypto/heimdal/lib/krb5/recvauth.c b/crypto/heimdal/lib/krb5/recvauth.c index d72b5c644db6..03482851268c 100644 --- a/crypto/heimdal/lib/krb5/recvauth.c +++ b/crypto/heimdal/lib/krb5/recvauth.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: recvauth.c,v 1.16 2002/04/18 09:41:33 joda Exp $"); +RCSID("$Id: recvauth.c 20306 2007-04-11 11:15:55Z lha $"); /* * See `sendauth.c' for the format. @@ -45,7 +45,7 @@ match_exact(const void *data, const char *appl_version) return strcmp(data, appl_version) == 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_recvauth(krb5_context context, krb5_auth_context *auth_context, krb5_pointer p_fd, @@ -61,7 +61,7 @@ krb5_recvauth(krb5_context context, keytab, ticket); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_recvauth_match_version(krb5_context context, krb5_auth_context *auth_context, krb5_pointer p_fd, @@ -73,33 +73,54 @@ krb5_recvauth_match_version(krb5_context context, krb5_keytab keytab, krb5_ticket **ticket) { - krb5_error_code ret; - const char *version = KRB5_SENDAUTH_VERSION; - char her_version[sizeof(KRB5_SENDAUTH_VERSION)]; - char *her_appl_version; - u_int32_t len; - u_char repl; - krb5_data data; - krb5_flags ap_options; - ssize_t n; - - /* - * If there are no addresses in auth_context, get them from `fd'. - */ - - if (*auth_context == NULL) { - ret = krb5_auth_con_init (context, auth_context); - if (ret) - return ret; - } - - ret = krb5_auth_con_setaddrs_from_fd (context, - *auth_context, - p_fd); - if (ret) - return ret; - - if(!(flags & KRB5_RECVAUTH_IGNORE_VERSION)) { + krb5_error_code ret; + const char *version = KRB5_SENDAUTH_VERSION; + char her_version[sizeof(KRB5_SENDAUTH_VERSION)]; + char *her_appl_version; + uint32_t len; + u_char repl; + krb5_data data; + krb5_flags ap_options; + ssize_t n; + + /* + * If there are no addresses in auth_context, get them from `fd'. + */ + + if (*auth_context == NULL) { + ret = krb5_auth_con_init (context, auth_context); + if (ret) + return ret; + } + + ret = krb5_auth_con_setaddrs_from_fd (context, + *auth_context, + p_fd); + if (ret) + return ret; + + if(!(flags & KRB5_RECVAUTH_IGNORE_VERSION)) { + n = krb5_net_read (context, p_fd, &len, 4); + if (n < 0) { + ret = errno; + krb5_set_error_string (context, "read: %s", strerror(errno)); + return ret; + } + if (n == 0) { + krb5_set_error_string (context, "Failed to receive sendauth data"); + return KRB5_SENDAUTH_BADAUTHVERS; + } + len = ntohl(len); + if (len != sizeof(her_version) + || krb5_net_read (context, p_fd, her_version, len) != len + || strncmp (version, her_version, len)) { + repl = 1; + krb5_net_write (context, p_fd, &repl, 1); + krb5_clear_error_string (context); + return KRB5_SENDAUTH_BADAUTHVERS; + } + } + n = krb5_net_read (context, p_fd, &len, 4); if (n < 0) { ret = errno; @@ -108,104 +129,83 @@ krb5_recvauth_match_version(krb5_context context, } if (n == 0) { krb5_clear_error_string (context); - return KRB5_SENDAUTH_BADAUTHVERS; + return KRB5_SENDAUTH_BADAPPLVERS; } len = ntohl(len); - if (len != sizeof(her_version) - || krb5_net_read (context, p_fd, her_version, len) != len - || strncmp (version, her_version, len)) { - repl = 1; - krb5_net_write (context, p_fd, &repl, 1); - krb5_clear_error_string (context); - return KRB5_SENDAUTH_BADAUTHVERS; + her_appl_version = malloc (len); + if (her_appl_version == NULL) { + repl = 2; + krb5_net_write (context, p_fd, &repl, 1); + krb5_set_error_string (context, "malloc: out of memory"); + return ENOMEM; + } + if (krb5_net_read (context, p_fd, her_appl_version, len) != len + || !(*match_appl_version)(match_data, her_appl_version)) { + repl = 2; + krb5_net_write (context, p_fd, &repl, 1); + krb5_set_error_string (context, "wrong sendauth version (%s)", + her_appl_version); + free (her_appl_version); + return KRB5_SENDAUTH_BADAPPLVERS; } - } - - n = krb5_net_read (context, p_fd, &len, 4); - if (n < 0) { - ret = errno; - krb5_set_error_string (context, "read: %s", strerror(errno)); - return ret; - } - if (n == 0) { - krb5_clear_error_string (context); - return KRB5_SENDAUTH_BADAPPLVERS; - } - len = ntohl(len); - her_appl_version = malloc (len); - if (her_appl_version == NULL) { - repl = 2; - krb5_net_write (context, p_fd, &repl, 1); - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - if (krb5_net_read (context, p_fd, her_appl_version, len) != len - || !(*match_appl_version)(match_data, her_appl_version)) { - repl = 2; - krb5_net_write (context, p_fd, &repl, 1); - krb5_set_error_string (context, "wrong sendauth version (%s)", - her_appl_version); free (her_appl_version); - return KRB5_SENDAUTH_BADAPPLVERS; - } - free (her_appl_version); - - repl = 0; - if (krb5_net_write (context, p_fd, &repl, 1) != 1) { - ret = errno; - krb5_set_error_string (context, "write: %s", strerror(errno)); - return ret; - } - - krb5_data_zero (&data); - ret = krb5_read_message (context, p_fd, &data); - if (ret) - return ret; - - ret = krb5_rd_req (context, - auth_context, - &data, - server, - keytab, - &ap_options, - ticket); - krb5_data_free (&data); - if (ret) { - krb5_data error_data; - krb5_error_code ret2; - - ret2 = krb5_mk_error (context, - ret, - NULL, - NULL, - NULL, - server, - NULL, - NULL, - &error_data); - if (ret2 == 0) { - krb5_write_message (context, p_fd, &error_data); - krb5_data_free (&error_data); - } - return ret; - } - - len = 0; - if (krb5_net_write (context, p_fd, &len, 4) != 4) { - ret = errno; - krb5_set_error_string (context, "write: %s", strerror(errno)); - return ret; - } - - if (ap_options & AP_OPTS_MUTUAL_REQUIRED) { - ret = krb5_mk_rep (context, *auth_context, &data); - if (ret) - return ret; - ret = krb5_write_message (context, p_fd, &data); + repl = 0; + if (krb5_net_write (context, p_fd, &repl, 1) != 1) { + ret = errno; + krb5_set_error_string (context, "write: %s", strerror(errno)); + return ret; + } + + krb5_data_zero (&data); + ret = krb5_read_message (context, p_fd, &data); if (ret) return ret; + + ret = krb5_rd_req (context, + auth_context, + &data, + server, + keytab, + &ap_options, + ticket); krb5_data_free (&data); - } - return 0; + if (ret) { + krb5_data error_data; + krb5_error_code ret2; + + ret2 = krb5_mk_error (context, + ret, + NULL, + NULL, + NULL, + server, + NULL, + NULL, + &error_data); + if (ret2 == 0) { + krb5_write_message (context, p_fd, &error_data); + krb5_data_free (&error_data); + } + return ret; + } + + len = 0; + if (krb5_net_write (context, p_fd, &len, 4) != 4) { + ret = errno; + krb5_set_error_string (context, "write: %s", strerror(errno)); + return ret; + } + + if (ap_options & AP_OPTS_MUTUAL_REQUIRED) { + ret = krb5_mk_rep (context, *auth_context, &data); + if (ret) + return ret; + + ret = krb5_write_message (context, p_fd, &data); + if (ret) + return ret; + krb5_data_free (&data); + } + return 0; } diff --git a/crypto/heimdal/lib/krb5/replay.c b/crypto/heimdal/lib/krb5/replay.c index 4298d12e2f1b..12894d96a95e 100644 --- a/crypto/heimdal/lib/krb5/replay.c +++ b/crypto/heimdal/lib/krb5/replay.c @@ -34,13 +34,13 @@ #include "krb5_locl.h" #include <vis.h> -RCSID("$Id: replay.c,v 1.9 2001/07/03 19:33:13 assar Exp $"); +RCSID("$Id: replay.c 17047 2006-04-10 17:13:49Z lha $"); struct krb5_rcache_data { char *name; }; -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_resolve(krb5_context context, krb5_rcache id, const char *name) @@ -53,11 +53,12 @@ krb5_rc_resolve(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_resolve_type(krb5_context context, krb5_rcache *id, const char *type) { + *id = NULL; if(strcmp(type, "FILE")) { krb5_set_error_string (context, "replay cache type %s not supported", type); @@ -71,12 +72,15 @@ krb5_rc_resolve_type(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_resolve_full(krb5_context context, krb5_rcache *id, const char *string_name) { krb5_error_code ret; + + *id = NULL; + if(strncmp(string_name, "FILE:", 5)) { krb5_set_error_string (context, "replay cache type %s not supported", string_name); @@ -86,22 +90,26 @@ krb5_rc_resolve_full(krb5_context context, if(ret) return ret; ret = krb5_rc_resolve(context, *id, string_name + 5); + if (ret) { + krb5_rc_close(context, *id); + *id = NULL; + } return ret; } -const char * +const char* KRB5_LIB_FUNCTION krb5_rc_default_name(krb5_context context) { return "FILE:/var/run/default_rcache"; } -const char * +const char* KRB5_LIB_FUNCTION krb5_rc_default_type(krb5_context context) { return "FILE"; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_default(krb5_context context, krb5_rcache *id) { @@ -113,7 +121,7 @@ struct rc_entry{ unsigned char data[16]; }; -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_initialize(krb5_context context, krb5_rcache id, krb5_deltat auth_lifespan) @@ -134,14 +142,14 @@ krb5_rc_initialize(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_recover(krb5_context context, krb5_rcache id) { return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_destroy(krb5_context context, krb5_rcache id) { @@ -156,7 +164,7 @@ krb5_rc_destroy(krb5_context context, return krb5_rc_close(context, id); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_close(krb5_context context, krb5_rcache id) { @@ -181,7 +189,7 @@ checksum_authenticator(Authenticator *auth, void *data) MD5_Final (data, &md5); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_store(krb5_context context, krb5_rcache id, krb5_donot_replay *rep) @@ -229,14 +237,14 @@ krb5_rc_store(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_expunge(krb5_context context, krb5_rcache id) { return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_get_lifespan(krb5_context context, krb5_rcache id, krb5_deltat *auth_lifespan) @@ -254,21 +262,21 @@ krb5_rc_get_lifespan(krb5_context context, return KRB5_RC_IO_UNKNOWN; } -const char* +const char* KRB5_LIB_FUNCTION krb5_rc_get_name(krb5_context context, krb5_rcache id) { return id->name; } -const char* +const char* KRB5_LIB_FUNCTION krb5_rc_get_type(krb5_context context, krb5_rcache id) { return "FILE"; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_server_rcache(krb5_context context, const krb5_data *piece, krb5_rcache *id) diff --git a/crypto/heimdal/lib/krb5/send_to_kdc.c b/crypto/heimdal/lib/krb5/send_to_kdc.c index 94dae303077e..2582a615c052 100644 --- a/crypto/heimdal/lib/krb5/send_to_kdc.c +++ b/crypto/heimdal/lib/krb5/send_to_kdc.c @@ -33,7 +33,12 @@ #include "krb5_locl.h" -RCSID("$Id: send_to_kdc.c,v 1.48 2002/03/27 09:32:50 joda Exp $"); +RCSID("$Id: send_to_kdc.c 21934 2007-08-27 14:21:04Z lha $"); + +struct send_to_kdc { + krb5_send_to_kdc_func func; + void *data; +}; /* * send the data in `req' on the socket `fd' (which is datagram iff udp) @@ -78,7 +83,7 @@ recv_loop (int fd, krb5_data_free (rep); return -1; } - if(nbytes == 0) + if(nbytes <= 0) return 0; if (limit) @@ -157,6 +162,15 @@ send_and_recv_tcp(int fd, return 0; } +int +_krb5_send_and_recv_tcp(int fd, + time_t tmout, + const krb5_data *req, + krb5_data *rep) +{ + return send_and_recv_tcp(fd, tmout, req, rep); +} + /* * `send_and_recv' tailored for the HTTP protocol. */ @@ -198,6 +212,7 @@ send_and_recv_http(int fd, s[rep->length] = 0; p = strstr(s, "\r\n\r\n"); if(p == NULL) { + krb5_data_zero(rep); free(s); return -1; } @@ -205,12 +220,14 @@ send_and_recv_http(int fd, rep->data = s; rep->length -= p - s; if(rep->length < 4) { /* remove length */ + krb5_data_zero(rep); free(s); return -1; } rep->length -= 4; _krb5_get_int(p, &rep_len, 4); if (rep_len != rep->length) { + krb5_data_zero(rep); free(s); return -1; } @@ -304,28 +321,40 @@ send_via_proxy (krb5_context context, * in `receive'. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_sendto (krb5_context context, const krb5_data *send_data, krb5_krbhst_handle handle, krb5_data *receive) { - krb5_error_code ret = 0; + krb5_error_code ret; int fd; int i; + krb5_data_zero(receive); + for (i = 0; i < context->max_retries; ++i) { krb5_krbhst_info *hi; while (krb5_krbhst_next(context, handle, &hi) == 0) { - int ret; struct addrinfo *ai, *a; + if (context->send_to_kdc) { + struct send_to_kdc *s = context->send_to_kdc; + + ret = (*s->func)(context, s->data, + hi, send_data, receive); + if (ret == 0 && receive->length != 0) + goto out; + continue; + } + if(hi->proto == KRB5_KRBHST_HTTP && context->http_proxy) { - if (send_via_proxy (context, hi, send_data, receive)) - continue; - else + if (send_via_proxy (context, hi, send_data, receive) == 0) { + ret = 0; goto out; + } + continue; } ret = krb5_krbhst_get_addrinfo(context, hi, &ai); @@ -367,39 +396,209 @@ out: return ret; } -krb5_error_code -krb5_sendto_kdc2(krb5_context context, - const krb5_data *send_data, - const krb5_realm *realm, - krb5_data *receive, - krb5_boolean master) +krb5_error_code KRB5_LIB_FUNCTION +krb5_sendto_kdc(krb5_context context, + const krb5_data *send_data, + const krb5_realm *realm, + krb5_data *receive) { - krb5_error_code ret; - krb5_krbhst_handle handle; - int type; + return krb5_sendto_kdc_flags(context, send_data, realm, receive, 0); +} - if (master || context->use_admin_kdc) - type = KRB5_KRBHST_ADMIN; - else - type = KRB5_KRBHST_KDC; +krb5_error_code KRB5_LIB_FUNCTION +krb5_sendto_kdc_flags(krb5_context context, + const krb5_data *send_data, + const krb5_realm *realm, + krb5_data *receive, + int flags) +{ + krb5_error_code ret; + krb5_sendto_ctx ctx; - ret = krb5_krbhst_init(context, *realm, type, &handle); + ret = krb5_sendto_ctx_alloc(context, &ctx); if (ret) return ret; + krb5_sendto_ctx_add_flags(ctx, flags); + krb5_sendto_ctx_set_func(ctx, _krb5_kdc_retry, NULL); + + ret = krb5_sendto_context(context, ctx, send_data, *realm, receive); + krb5_sendto_ctx_free(context, ctx); + return ret; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_set_send_to_kdc_func(krb5_context context, + krb5_send_to_kdc_func func, + void *data) +{ + free(context->send_to_kdc); + if (func == NULL) { + context->send_to_kdc = NULL; + return 0; + } + + context->send_to_kdc = malloc(sizeof(*context->send_to_kdc)); + if (context->send_to_kdc == NULL) { + krb5_set_error_string(context, "Out of memory"); + return ENOMEM; + } - ret = krb5_sendto(context, send_data, handle, receive); - krb5_krbhst_free(context, handle); + context->send_to_kdc->func = func; + context->send_to_kdc->data = data; + return 0; +} + +struct krb5_sendto_ctx_data { + int flags; + int type; + krb5_sendto_ctx_func func; + void *data; +}; + +krb5_error_code KRB5_LIB_FUNCTION +krb5_sendto_ctx_alloc(krb5_context context, krb5_sendto_ctx *ctx) +{ + *ctx = calloc(1, sizeof(**ctx)); + if (*ctx == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + return 0; +} + +void KRB5_LIB_FUNCTION +krb5_sendto_ctx_add_flags(krb5_sendto_ctx ctx, int flags) +{ + ctx->flags |= flags; +} + +int KRB5_LIB_FUNCTION +krb5_sendto_ctx_get_flags(krb5_sendto_ctx ctx) +{ + return ctx->flags; +} + +void KRB5_LIB_FUNCTION +krb5_sendto_ctx_set_type(krb5_sendto_ctx ctx, int type) +{ + ctx->type = type; +} + + +void KRB5_LIB_FUNCTION +krb5_sendto_ctx_set_func(krb5_sendto_ctx ctx, + krb5_sendto_ctx_func func, + void *data) +{ + ctx->func = func; + ctx->data = data; +} + +void KRB5_LIB_FUNCTION +krb5_sendto_ctx_free(krb5_context context, krb5_sendto_ctx ctx) +{ + memset(ctx, 0, sizeof(*ctx)); + free(ctx); +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_sendto_context(krb5_context context, + krb5_sendto_ctx ctx, + const krb5_data *send_data, + const krb5_realm realm, + krb5_data *receive) +{ + krb5_error_code ret; + krb5_krbhst_handle handle = NULL; + int type, freectx = 0; + int action; + + krb5_data_zero(receive); + + if (ctx == NULL) { + freectx = 1; + ret = krb5_sendto_ctx_alloc(context, &ctx); + if (ret) + return ret; + } + + type = ctx->type; + if (type == 0) { + if ((ctx->flags & KRB5_KRBHST_FLAGS_MASTER) || context->use_admin_kdc) + type = KRB5_KRBHST_ADMIN; + else + type = KRB5_KRBHST_KDC; + } + + if (send_data->length > context->large_msg_size) + ctx->flags |= KRB5_KRBHST_FLAGS_LARGE_MSG; + + /* loop until we get back a appropriate response */ + + do { + action = KRB5_SENDTO_DONE; + + krb5_data_free(receive); + + if (handle == NULL) { + ret = krb5_krbhst_init_flags(context, realm, type, + ctx->flags, &handle); + if (ret) { + if (freectx) + krb5_sendto_ctx_free(context, ctx); + return ret; + } + } + + ret = krb5_sendto(context, send_data, handle, receive); + if (ret) + break; + if (ctx->func) { + ret = (*ctx->func)(context, ctx, ctx->data, receive, &action); + if (ret) + break; + } + if (action != KRB5_SENDTO_CONTINUE) { + krb5_krbhst_free(context, handle); + handle = NULL; + } + } while (action != KRB5_SENDTO_DONE); + if (handle) + krb5_krbhst_free(context, handle); if (ret == KRB5_KDC_UNREACH) - krb5_set_error_string(context, - "unable to reach any KDC in realm %s", *realm); + krb5_set_error_string(context, + "unable to reach any KDC in realm %s", realm); + if (ret) + krb5_data_free(receive); + if (freectx) + krb5_sendto_ctx_free(context, ctx); return ret; } krb5_error_code -krb5_sendto_kdc(krb5_context context, - const krb5_data *send_data, - const krb5_realm *realm, - krb5_data *receive) +_krb5_kdc_retry(krb5_context context, krb5_sendto_ctx ctx, void *data, + const krb5_data *reply, int *action) { - return krb5_sendto_kdc2(context, send_data, realm, receive, FALSE); + krb5_error_code ret; + KRB_ERROR error; + + if(krb5_rd_error(context, reply, &error)) + return 0; + + ret = krb5_error_from_rd_error(context, &error, NULL); + krb5_free_error_contents(context, &error); + + switch(ret) { + case KRB5KRB_ERR_RESPONSE_TOO_BIG: { + if (krb5_sendto_ctx_get_flags(ctx) & KRB5_KRBHST_FLAGS_LARGE_MSG) + break; + krb5_sendto_ctx_add_flags(ctx, KRB5_KRBHST_FLAGS_LARGE_MSG); + *action = KRB5_SENDTO_RESTART; + break; + } + case KRB5KDC_ERR_SVC_UNAVAILABLE: + *action = KRB5_SENDTO_CONTINUE; + break; + } + return 0; } diff --git a/crypto/heimdal/lib/krb5/sendauth.c b/crypto/heimdal/lib/krb5/sendauth.c index c2889ee777f7..a7242f0daf9c 100644 --- a/crypto/heimdal/lib/krb5/sendauth.c +++ b/crypto/heimdal/lib/krb5/sendauth.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: sendauth.c,v 1.19 2002/09/04 21:34:43 joda Exp $"); +RCSID("$Id: sendauth.c 17442 2006-05-05 09:31:15Z lha $"); /* * The format seems to be: @@ -62,7 +62,7 @@ RCSID("$Id: sendauth.c,v 1.19 2002/09/04 21:34:43 joda Exp $"); * } */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_sendauth(krb5_context context, krb5_auth_context *auth_context, krb5_pointer p_fd, @@ -78,7 +78,7 @@ krb5_sendauth(krb5_context context, krb5_creds **out_creds) { krb5_error_code ret; - u_int32_t len, net_len; + uint32_t len, net_len; const char *version = KRB5_SENDAUTH_VERSION; u_char repl; krb5_data ap_req, error_data; @@ -223,11 +223,11 @@ krb5_sendauth(krb5_context context, ret = krb5_rd_rep (context, *auth_context, &ap_rep, rep_result ? rep_result : &ignore); + krb5_data_free (&ap_rep); if (ret) return ret; if (rep_result == NULL) krb5_free_ap_rep_enc_part (context, ignore); - krb5_data_free (&ap_rep); } return 0; } diff --git a/crypto/heimdal/lib/krb5/set_default_realm.c b/crypto/heimdal/lib/krb5/set_default_realm.c index 8b872dfaa8b6..98040bc2e9d6 100644 --- a/crypto/heimdal/lib/krb5/set_default_realm.c +++ b/crypto/heimdal/lib/krb5/set_default_realm.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: set_default_realm.c,v 1.13 2001/09/18 09:43:31 joda Exp $"); +RCSID("$Id: set_default_realm.c 13863 2004-05-25 21:46:46Z lha $"); /* * Convert the simple string `s' into a NULL-terminated and freshly allocated @@ -65,7 +65,7 @@ string_to_list (krb5_context context, const char *s, krb5_realm **list) * Otherwise, the realm(s) are figured out from configuration or DNS. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_default_realm(krb5_context context, const char *realm) { diff --git a/crypto/heimdal/lib/krb5/sock_principal.c b/crypto/heimdal/lib/krb5/sock_principal.c index 7bb0bdfb022d..9b4ba978a1b6 100644 --- a/crypto/heimdal/lib/krb5/sock_principal.c +++ b/crypto/heimdal/lib/krb5/sock_principal.c @@ -33,9 +33,9 @@ #include "krb5_locl.h" -RCSID("$Id: sock_principal.c,v 1.16 2001/07/26 09:05:30 assar Exp $"); +RCSID("$Id: sock_principal.c 13863 2004-05-25 21:46:46Z lha $"); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_sock_to_principal (krb5_context context, int sock, const char *sname, diff --git a/crypto/heimdal/lib/krb5/store-test.c b/crypto/heimdal/lib/krb5/store-test.c index 512d2a5c96d0..aec2dfe7cb35 100644 --- a/crypto/heimdal/lib/krb5/store-test.c +++ b/crypto/heimdal/lib/krb5/store-test.c @@ -32,7 +32,7 @@ #include "krb5_locl.h" -RCSID("$Id: store-test.c,v 1.1 2001/05/11 16:06:25 joda Exp $"); +RCSID("$Id: store-test.c 16344 2005-12-02 15:15:43Z lha $"); static void print_data(unsigned char *data, size_t len) @@ -106,10 +106,13 @@ main(int argc, char **argv) sp = krb5_storage_emem(); krb5_make_principal(context, &principal, "TEST", "foobar", NULL); krb5_store_principal(sp, principal); + krb5_free_principal(context, principal); nerr += compare("Principal", sp, "\x0\x0\x0\x1" "\x0\x0\x0\x1" "\x0\x0\x0\x4TEST" "\x0\x0\x0\x6""foobar", 26); + krb5_free_context(context); + return nerr ? 1 : 0; } diff --git a/crypto/heimdal/lib/krb5/store.c b/crypto/heimdal/lib/krb5/store.c index b0ca731c67b8..c9cbbb5cef33 100644 --- a/crypto/heimdal/lib/krb5/store.c +++ b/crypto/heimdal/lib/krb5/store.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -34,7 +34,7 @@ #include "krb5_locl.h" #include "store-int.h" -RCSID("$Id: store.c,v 1.38.4.1 2004/03/09 19:32:14 lha Exp $"); +RCSID("$Id: store.c 22071 2007-11-14 20:04:50Z lha $"); #define BYTEORDER_IS(SP, V) (((SP)->flags & KRB5_STORAGE_BYTEORDER_MASK) == (V)) #define BYTEORDER_IS_LE(SP) BYTEORDER_IS((SP), KRB5_STORAGE_BYTEORDER_LE) @@ -42,62 +42,62 @@ RCSID("$Id: store.c,v 1.38.4.1 2004/03/09 19:32:14 lha Exp $"); #define BYTEORDER_IS_HOST(SP) (BYTEORDER_IS((SP), KRB5_STORAGE_BYTEORDER_HOST) || \ krb5_storage_is_flags((SP), KRB5_STORAGE_HOST_BYTEORDER)) -void +void KRB5_LIB_FUNCTION krb5_storage_set_flags(krb5_storage *sp, krb5_flags flags) { sp->flags |= flags; } -void +void KRB5_LIB_FUNCTION krb5_storage_clear_flags(krb5_storage *sp, krb5_flags flags) { sp->flags &= ~flags; } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_storage_is_flags(krb5_storage *sp, krb5_flags flags) { return (sp->flags & flags) == flags; } -void +void KRB5_LIB_FUNCTION krb5_storage_set_byteorder(krb5_storage *sp, krb5_flags byteorder) { sp->flags &= ~KRB5_STORAGE_BYTEORDER_MASK; sp->flags |= byteorder; } -krb5_flags +krb5_flags KRB5_LIB_FUNCTION krb5_storage_get_byteorder(krb5_storage *sp, krb5_flags byteorder) { return sp->flags & KRB5_STORAGE_BYTEORDER_MASK; } -off_t +off_t KRB5_LIB_FUNCTION krb5_storage_seek(krb5_storage *sp, off_t offset, int whence) { return (*sp->seek)(sp, offset, whence); } -krb5_ssize_t +krb5_ssize_t KRB5_LIB_FUNCTION krb5_storage_read(krb5_storage *sp, void *buf, size_t len) { return sp->fetch(sp, buf, len); } -krb5_ssize_t +krb5_ssize_t KRB5_LIB_FUNCTION krb5_storage_write(krb5_storage *sp, const void *buf, size_t len) { return sp->store(sp, buf, len); } -void +void KRB5_LIB_FUNCTION krb5_storage_set_eof_code(krb5_storage *sp, int code) { sp->eof_code = code; } -krb5_ssize_t +krb5_ssize_t KRB5_LIB_FUNCTION _krb5_put_int(void *buffer, unsigned long value, size_t size) { unsigned char *p = buffer; @@ -109,7 +109,7 @@ _krb5_put_int(void *buffer, unsigned long value, size_t size) return size; } -krb5_ssize_t +krb5_ssize_t KRB5_LIB_FUNCTION _krb5_get_int(void *buffer, unsigned long *value, size_t size) { unsigned char *p = buffer; @@ -121,7 +121,7 @@ _krb5_get_int(void *buffer, unsigned long *value, size_t size) return size; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_storage_free(krb5_storage *sp) { if(sp->free) @@ -131,7 +131,7 @@ krb5_storage_free(krb5_storage *sp) return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_storage_to_data(krb5_storage *sp, krb5_data *data) { off_t pos; @@ -170,7 +170,7 @@ krb5_store_int(krb5_storage *sp, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_int32(krb5_storage *sp, int32_t value) { @@ -181,6 +181,13 @@ krb5_store_int32(krb5_storage *sp, return krb5_store_int(sp, value, 4); } +krb5_error_code KRB5_LIB_FUNCTION +krb5_store_uint32(krb5_storage *sp, + uint32_t value) +{ + return krb5_store_int32(sp, (int32_t)value); +} + static krb5_error_code krb5_ret_int(krb5_storage *sp, int32_t *value, @@ -197,7 +204,7 @@ krb5_ret_int(krb5_storage *sp, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_int32(krb5_storage *sp, int32_t *value) { @@ -211,7 +218,21 @@ krb5_ret_int32(krb5_storage *sp, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_ret_uint32(krb5_storage *sp, + uint32_t *value) +{ + krb5_error_code ret; + int32_t v; + + ret = krb5_ret_int32(sp, &v); + if (ret == 0) + *value = (uint32_t)v; + + return ret; +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_store_int16(krb5_storage *sp, int16_t value) { @@ -222,7 +243,14 @@ krb5_store_int16(krb5_storage *sp, return krb5_store_int(sp, value, 2); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_store_uint16(krb5_storage *sp, + uint16_t value) +{ + return krb5_store_int16(sp, (int16_t)value); +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_int16(krb5_storage *sp, int16_t *value) { @@ -239,7 +267,21 @@ krb5_ret_int16(krb5_storage *sp, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_ret_uint16(krb5_storage *sp, + uint16_t *value) +{ + krb5_error_code ret; + int16_t v; + + ret = krb5_ret_int16(sp, &v); + if (ret == 0) + *value = (uint16_t)v; + + return ret; +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_store_int8(krb5_storage *sp, int8_t value) { @@ -251,7 +293,14 @@ krb5_store_int8(krb5_storage *sp, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_store_uint8(krb5_storage *sp, + uint8_t value) +{ + return krb5_store_int8(sp, (int8_t)value); +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_int8(krb5_storage *sp, int8_t *value) { @@ -263,7 +312,21 @@ krb5_ret_int8(krb5_storage *sp, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_ret_uint8(krb5_storage *sp, + uint8_t *value) +{ + krb5_error_code ret; + int8_t v; + + ret = krb5_ret_int8(sp, &v); + if (ret == 0) + *value = (uint8_t)v; + + return ret; +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_store_data(krb5_storage *sp, krb5_data data) { @@ -280,7 +343,7 @@ krb5_store_data(krb5_storage *sp, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_data(krb5_storage *sp, krb5_data *data) { @@ -301,16 +364,16 @@ krb5_ret_data(krb5_storage *sp, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_string(krb5_storage *sp, const char *s) { krb5_data data; data.length = strlen(s); - data.data = (void*)s; + data.data = rk_UNCONST(s); return krb5_store_data(sp, data); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_string(krb5_storage *sp, char **string) { @@ -328,7 +391,7 @@ krb5_ret_string(krb5_storage *sp, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_stringz(krb5_storage *sp, const char *s) { size_t len = strlen(s) + 1; @@ -344,7 +407,7 @@ krb5_store_stringz(krb5_storage *sp, const char *s) return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_stringz(krb5_storage *sp, char **string) { @@ -377,22 +440,92 @@ krb5_ret_stringz(krb5_storage *sp, return 0; } +krb5_error_code KRB5_LIB_FUNCTION +krb5_store_stringnl(krb5_storage *sp, const char *s) +{ + size_t len = strlen(s); + ssize_t ret; + + ret = sp->store(sp, s, len); + if(ret != len) { + if(ret < 0) + return ret; + else + return sp->eof_code; + } + ret = sp->store(sp, "\n", 1); + if(ret != 1) { + if(ret < 0) + return ret; + else + return sp->eof_code; + } + + return 0; + +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_ret_stringnl(krb5_storage *sp, + char **string) +{ + int expect_nl = 0; + char c; + char *s = NULL; + size_t len = 0; + ssize_t ret; + + while((ret = sp->fetch(sp, &c, 1)) == 1){ + char *tmp; + + if (c == '\r') { + expect_nl = 1; + continue; + } + if (expect_nl && c != '\n') { + free(s); + return KRB5_BADMSGTYPE; + } + + len++; + tmp = realloc (s, len); + if (tmp == NULL) { + free (s); + return ENOMEM; + } + s = tmp; + if(c == '\n') { + s[len - 1] = '\0'; + break; + } + s[len - 1] = c; + } + if(ret != 1){ + free(s); + if(ret == 0) + return sp->eof_code; + return ret; + } + *string = s; + return 0; +} + -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_principal(krb5_storage *sp, - krb5_principal p) + krb5_const_principal p) { int i; int ret; if(!krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE)) { - ret = krb5_store_int32(sp, p->name.name_type); - if(ret) return ret; + ret = krb5_store_int32(sp, p->name.name_type); + if(ret) return ret; } if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS)) ret = krb5_store_int32(sp, p->name.name_string.len + 1); else - ret = krb5_store_int32(sp, p->name.name_string.len); + ret = krb5_store_int32(sp, p->name.name_string.len); if(ret) return ret; ret = krb5_store_string(sp, p->realm); @@ -404,7 +537,7 @@ krb5_store_principal(krb5_storage *sp, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_principal(krb5_storage *sp, krb5_principal *princ) { @@ -420,7 +553,7 @@ krb5_ret_principal(krb5_storage *sp, if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE)) type = KRB5_NT_UNKNOWN; - else if((ret = krb5_ret_int32(sp, &type))){ + else if((ret = krb5_ret_int32(sp, &type))){ free(p); return ret; } @@ -430,24 +563,38 @@ krb5_ret_principal(krb5_storage *sp, } if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS)) ncomp--; + if (ncomp < 0) { + free(p); + return EINVAL; + } p->name.name_type = type; p->name.name_string.len = ncomp; ret = krb5_ret_string(sp, &p->realm); - if(ret) return ret; + if(ret) { + free(p); + return ret; + } p->name.name_string.val = calloc(ncomp, sizeof(*p->name.name_string.val)); - if(p->name.name_string.val == NULL){ + if(p->name.name_string.val == NULL && ncomp != 0){ free(p->realm); + free(p); return ENOMEM; } for(i = 0; i < ncomp; i++){ ret = krb5_ret_string(sp, &p->name.name_string.val[i]); - if(ret) return ret; /* XXX */ + if(ret) { + while (i >= 0) + free(p->name.name_string.val[i--]); + free(p->realm); + free(p); + return ret; + } } *princ = p; return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_keyblock(krb5_storage *sp, krb5_keyblock p) { int ret; @@ -465,7 +612,7 @@ krb5_store_keyblock(krb5_storage *sp, krb5_keyblock p) return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_keyblock(krb5_storage *sp, krb5_keyblock *p) { int ret; @@ -484,7 +631,7 @@ krb5_ret_keyblock(krb5_storage *sp, krb5_keyblock *p) return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_times(krb5_storage *sp, krb5_times times) { int ret; @@ -498,7 +645,7 @@ krb5_store_times(krb5_storage *sp, krb5_times times) return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_times(krb5_storage *sp, krb5_times *times) { int ret; @@ -517,7 +664,7 @@ krb5_ret_times(krb5_storage *sp, krb5_times *times) return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_address(krb5_storage *sp, krb5_address p) { int ret; @@ -527,7 +674,7 @@ krb5_store_address(krb5_storage *sp, krb5_address p) return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_address(krb5_storage *sp, krb5_address *adr) { int16_t t; @@ -539,7 +686,7 @@ krb5_ret_address(krb5_storage *sp, krb5_address *adr) return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_addrs(krb5_storage *sp, krb5_addresses p) { int i; @@ -553,7 +700,7 @@ krb5_store_addrs(krb5_storage *sp, krb5_addresses p) return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_addrs(krb5_storage *sp, krb5_addresses *adr) { int i; @@ -564,6 +711,8 @@ krb5_ret_addrs(krb5_storage *sp, krb5_addresses *adr) if(ret) return ret; adr->len = tmp; ALLOC(adr->val, adr->len); + if (adr->val == NULL && adr->len != 0) + return ENOMEM; for(i = 0; i < adr->len; i++){ ret = krb5_ret_address(sp, &adr->val[i]); if(ret) break; @@ -571,7 +720,7 @@ krb5_ret_addrs(krb5_storage *sp, krb5_addresses *adr) return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_authdata(krb5_storage *sp, krb5_authdata auth) { krb5_error_code ret; @@ -587,7 +736,7 @@ krb5_store_authdata(krb5_storage *sp, krb5_authdata auth) return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_authdata(krb5_storage *sp, krb5_authdata *auth) { krb5_error_code ret; @@ -597,6 +746,8 @@ krb5_ret_authdata(krb5_storage *sp, krb5_authdata *auth) ret = krb5_ret_int32(sp, &tmp); if(ret) return ret; ALLOC_SEQ(auth, tmp); + if (auth->val == NULL && tmp != 0) + return ENOMEM; for(i = 0; i < tmp; i++){ ret = krb5_ret_int16(sp, &tmp2); if(ret) break; @@ -624,8 +775,8 @@ bitswap32(int32_t b) * */ -krb5_error_code -_krb5_store_creds_internal(krb5_storage *sp, krb5_creds *creds, int v0_6) +krb5_error_code KRB5_LIB_FUNCTION +krb5_store_creds(krb5_storage *sp, krb5_creds *creds) { int ret; @@ -641,19 +792,17 @@ _krb5_store_creds_internal(krb5_storage *sp, krb5_creds *creds, int v0_6) ret = krb5_store_times(sp, creds->times); if(ret) return ret; - ret = krb5_store_int8(sp, 0); /* this is probably the - enc-tkt-in-skey bit from KDCOptions */ + ret = krb5_store_int8(sp, creds->second_ticket.length != 0); /* is_skey */ if(ret) return ret; - if (v0_6) { + + if(krb5_storage_is_flags(sp, KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER)) ret = krb5_store_int32(sp, creds->flags.i); - if(ret) - return ret; - } else { + else ret = krb5_store_int32(sp, bitswap32(TicketFlags2int(creds->flags.b))); - if(ret) - return ret; - } + if(ret) + return ret; + ret = krb5_store_addrs(sp, creds->addresses); if(ret) return ret; @@ -667,29 +816,7 @@ _krb5_store_creds_internal(krb5_storage *sp, krb5_creds *creds, int v0_6) return ret; } -/* - * store `creds' on `sp' returning error or zero - */ - -krb5_error_code -krb5_store_creds(krb5_storage *sp, krb5_creds *creds) -{ - return _krb5_store_creds_internal(sp, creds, 1); -} - -krb5_error_code -_krb5_store_creds_heimdal_0_7(krb5_storage *sp, krb5_creds *creds) -{ - return _krb5_store_creds_internal(sp, creds, 0); -} - -krb5_error_code -_krb5_store_creds_heimdal_pre_0_7(krb5_storage *sp, krb5_creds *creds) -{ - return _krb5_store_creds_internal(sp, creds, 1); -} - -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_creds(krb5_storage *sp, krb5_creds *creds) { krb5_error_code ret; @@ -711,13 +838,13 @@ krb5_ret_creds(krb5_storage *sp, krb5_creds *creds) if(ret) goto cleanup; /* * Runtime detect the what is the higher bits of the bitfield. If - * any of the higher bits are set in the input data, its either a - * new ticket flag (and this code need to be removed), or its a + * any of the higher bits are set in the input data, it's either a + * new ticket flag (and this code need to be removed), or it's a * MIT cache (or new Heimdal cache), lets change it to our current * format. */ { - u_int32_t mask = 0xffff0000; + uint32_t mask = 0xffff0000; creds->flags.i = 0; creds->flags.b.anonymous = 1; if (creds->flags.i & mask) @@ -736,7 +863,172 @@ krb5_ret_creds(krb5_storage *sp, krb5_creds *creds) cleanup: if(ret) { #if 0 - krb5_free_creds_contents(context, creds); /* XXX */ + krb5_free_cred_contents(context, creds); /* XXX */ +#endif + } + return ret; +} + +#define SC_CLIENT_PRINCIPAL 0x0001 +#define SC_SERVER_PRINCIPAL 0x0002 +#define SC_SESSION_KEY 0x0004 +#define SC_TICKET 0x0008 +#define SC_SECOND_TICKET 0x0010 +#define SC_AUTHDATA 0x0020 +#define SC_ADDRESSES 0x0040 + +/* + * + */ + +krb5_error_code KRB5_LIB_FUNCTION +krb5_store_creds_tag(krb5_storage *sp, krb5_creds *creds) +{ + int ret; + int32_t header = 0; + + if (creds->client) + header |= SC_CLIENT_PRINCIPAL; + if (creds->server) + header |= SC_SERVER_PRINCIPAL; + if (creds->session.keytype != ETYPE_NULL) + header |= SC_SESSION_KEY; + if (creds->ticket.data) + header |= SC_TICKET; + if (creds->second_ticket.length) + header |= SC_SECOND_TICKET; + if (creds->authdata.len) + header |= SC_AUTHDATA; + if (creds->addresses.len) + header |= SC_ADDRESSES; + + ret = krb5_store_int32(sp, header); + + if (creds->client) { + ret = krb5_store_principal(sp, creds->client); + if(ret) + return ret; + } + + if (creds->server) { + ret = krb5_store_principal(sp, creds->server); + if(ret) + return ret; + } + + if (creds->session.keytype != ETYPE_NULL) { + ret = krb5_store_keyblock(sp, creds->session); + if(ret) + return ret; + } + + ret = krb5_store_times(sp, creds->times); + if(ret) + return ret; + ret = krb5_store_int8(sp, creds->second_ticket.length != 0); /* is_skey */ + if(ret) + return ret; + + ret = krb5_store_int32(sp, bitswap32(TicketFlags2int(creds->flags.b))); + if(ret) + return ret; + + if (creds->addresses.len) { + ret = krb5_store_addrs(sp, creds->addresses); + if(ret) + return ret; + } + + if (creds->authdata.len) { + ret = krb5_store_authdata(sp, creds->authdata); + if(ret) + return ret; + } + + if (creds->ticket.data) { + ret = krb5_store_data(sp, creds->ticket); + if(ret) + return ret; + } + + if (creds->second_ticket.data) { + ret = krb5_store_data(sp, creds->second_ticket); + if (ret) + return ret; + } + + return ret; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_ret_creds_tag(krb5_storage *sp, + krb5_creds *creds) +{ + krb5_error_code ret; + int8_t dummy8; + int32_t dummy32, header; + + memset(creds, 0, sizeof(*creds)); + + ret = krb5_ret_int32 (sp, &header); + if (ret) goto cleanup; + + if (header & SC_CLIENT_PRINCIPAL) { + ret = krb5_ret_principal (sp, &creds->client); + if(ret) goto cleanup; + } + if (header & SC_SERVER_PRINCIPAL) { + ret = krb5_ret_principal (sp, &creds->server); + if(ret) goto cleanup; + } + if (header & SC_SESSION_KEY) { + ret = krb5_ret_keyblock (sp, &creds->session); + if(ret) goto cleanup; + } + ret = krb5_ret_times (sp, &creds->times); + if(ret) goto cleanup; + ret = krb5_ret_int8 (sp, &dummy8); + if(ret) goto cleanup; + ret = krb5_ret_int32 (sp, &dummy32); + if(ret) goto cleanup; + /* + * Runtime detect the what is the higher bits of the bitfield. If + * any of the higher bits are set in the input data, it's either a + * new ticket flag (and this code need to be removed), or it's a + * MIT cache (or new Heimdal cache), lets change it to our current + * format. + */ + { + uint32_t mask = 0xffff0000; + creds->flags.i = 0; + creds->flags.b.anonymous = 1; + if (creds->flags.i & mask) + mask = ~mask; + if (dummy32 & mask) + dummy32 = bitswap32(dummy32); + } + creds->flags.i = dummy32; + if (header & SC_ADDRESSES) { + ret = krb5_ret_addrs (sp, &creds->addresses); + if(ret) goto cleanup; + } + if (header & SC_AUTHDATA) { + ret = krb5_ret_authdata (sp, &creds->authdata); + if(ret) goto cleanup; + } + if (header & SC_TICKET) { + ret = krb5_ret_data (sp, &creds->ticket); + if(ret) goto cleanup; + } + if (header & SC_SECOND_TICKET) { + ret = krb5_ret_data (sp, &creds->second_ticket); + if(ret) goto cleanup; + } + +cleanup: + if(ret) { +#if 0 + krb5_free_cred_contents(context, creds); /* XXX */ #endif } return ret; diff --git a/crypto/heimdal/lib/krb5/store_emem.c b/crypto/heimdal/lib/krb5/store_emem.c index 526cf32f65f8..b59a647f8043 100644 --- a/crypto/heimdal/lib/krb5/store_emem.c +++ b/crypto/heimdal/lib/krb5/store_emem.c @@ -34,7 +34,7 @@ #include "krb5_locl.h" #include "store-int.h" -RCSID("$Id: store_emem.c,v 1.13 2002/10/21 15:36:23 joda Exp $"); +RCSID("$Id: store_emem.c 21745 2007-07-31 16:11:25Z lha $"); typedef struct emem_storage{ unsigned char *base; @@ -112,16 +112,27 @@ emem_free(krb5_storage *sp) free(s->base); } -krb5_storage * +krb5_storage * KRB5_LIB_FUNCTION krb5_storage_emem(void) { krb5_storage *sp = malloc(sizeof(krb5_storage)); + if (sp == NULL) + return NULL; emem_storage *s = malloc(sizeof(*s)); + if (s == NULL) { + free(sp); + return NULL; + } sp->data = s; sp->flags = 0; sp->eof_code = HEIM_ERR_EOF; s->size = 1024; s->base = malloc(s->size); + if (s->base == NULL) { + free(sp); + free(s); + return NULL; + } s->len = 0; s->ptr = s->base; sp->fetch = emem_fetch; diff --git a/crypto/heimdal/lib/krb5/store_fd.c b/crypto/heimdal/lib/krb5/store_fd.c index e31b956143d4..15f86fcac30b 100644 --- a/crypto/heimdal/lib/krb5/store_fd.c +++ b/crypto/heimdal/lib/krb5/store_fd.c @@ -1,75 +1,89 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ #include "krb5_locl.h" #include "store-int.h" -RCSID("$Id: store_fd.c,v 1.10 2002/04/18 14:00:39 joda Exp $"); +RCSID("$Id: store_fd.c 17779 2006-06-30 21:23:19Z lha $"); -typedef struct fd_storage{ +typedef struct fd_storage { int fd; -}fd_storage; +} fd_storage; #define FD(S) (((fd_storage*)(S)->data)->fd) static ssize_t -fd_fetch(krb5_storage *sp, void *data, size_t size) +fd_fetch(krb5_storage * sp, void *data, size_t size) { return net_read(FD(sp), data, size); } static ssize_t -fd_store(krb5_storage *sp, const void *data, size_t size) +fd_store(krb5_storage * sp, const void *data, size_t size) { return net_write(FD(sp), data, size); } static off_t -fd_seek(krb5_storage *sp, off_t offset, int whence) +fd_seek(krb5_storage * sp, off_t offset, int whence) { return lseek(FD(sp), offset, whence); } -krb5_storage * +static void +fd_free(krb5_storage * sp) +{ + close(FD(sp)); +} + +krb5_storage * KRB5_LIB_FUNCTION krb5_storage_from_fd(int fd) { - krb5_storage *sp = malloc(sizeof(krb5_storage)); + krb5_storage *sp; - if (sp == NULL) + fd = dup(fd); + if (fd < 0) return NULL; + sp = malloc(sizeof(krb5_storage)); + if (sp == NULL) { + close(fd); + return NULL; + } + sp->data = malloc(sizeof(fd_storage)); if (sp->data == NULL) { + close(fd); free(sp); return NULL; } @@ -79,6 +93,6 @@ krb5_storage_from_fd(int fd) sp->fetch = fd_fetch; sp->store = fd_store; sp->seek = fd_seek; - sp->free = NULL; + sp->free = fd_free; return sp; } diff --git a/crypto/heimdal/lib/krb5/store_mem.c b/crypto/heimdal/lib/krb5/store_mem.c index b0be2002a3b8..e6e62b5a62e4 100644 --- a/crypto/heimdal/lib/krb5/store_mem.c +++ b/crypto/heimdal/lib/krb5/store_mem.c @@ -34,7 +34,7 @@ #include "krb5_locl.h" #include "store-int.h" -RCSID("$Id: store_mem.c,v 1.11 2002/04/18 14:00:44 joda Exp $"); +RCSID("$Id: store_mem.c 20307 2007-04-11 11:16:28Z lha $"); typedef struct mem_storage{ unsigned char *base; @@ -64,6 +64,12 @@ mem_store(krb5_storage *sp, const void *data, size_t size) return size; } +static ssize_t +mem_no_store(krb5_storage *sp, const void *data, size_t size) +{ + return -1; +} + static off_t mem_seek(krb5_storage *sp, off_t offset, int whence) { @@ -87,7 +93,7 @@ mem_seek(krb5_storage *sp, off_t offset, int whence) return s->ptr - s->base; } -krb5_storage * +krb5_storage * KRB5_LIB_FUNCTION krb5_storage_from_mem(void *buf, size_t len) { krb5_storage *sp = malloc(sizeof(krb5_storage)); @@ -112,8 +118,33 @@ krb5_storage_from_mem(void *buf, size_t len) return sp; } -krb5_storage * +krb5_storage * KRB5_LIB_FUNCTION krb5_storage_from_data(krb5_data *data) { - return krb5_storage_from_mem(data->data, data->length); + return krb5_storage_from_mem(data->data, data->length); +} + +krb5_storage * KRB5_LIB_FUNCTION +krb5_storage_from_readonly_mem(const void *buf, size_t len) +{ + krb5_storage *sp = malloc(sizeof(krb5_storage)); + mem_storage *s; + if(sp == NULL) + return NULL; + s = malloc(sizeof(*s)); + if(s == NULL) { + free(sp); + return NULL; + } + sp->data = s; + sp->flags = 0; + sp->eof_code = HEIM_ERR_EOF; + s->base = rk_UNCONST(buf); + s->size = len; + s->ptr = rk_UNCONST(buf); + sp->fetch = mem_fetch; + sp->store = mem_no_store; + sp->seek = mem_seek; + sp->free = NULL; + return sp; } diff --git a/crypto/heimdal/lib/krb5/string-to-key-test.c b/crypto/heimdal/lib/krb5/string-to-key-test.c index 0ea5cd18d20e..30075ea6b956 100644 --- a/crypto/heimdal/lib/krb5/string-to-key-test.c +++ b/crypto/heimdal/lib/krb5/string-to-key-test.c @@ -31,8 +31,9 @@ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "krb5_locl.h" +#include <err.h> -RCSID("$Id: string-to-key-test.c,v 1.7 2001/05/11 16:15:27 joda Exp $"); +RCSID("$Id: string-to-key-test.c 16344 2005-12-02 15:15:43Z lha $"); enum { MAXSIZE = 24 }; @@ -48,10 +49,12 @@ static struct testcase { {0xfe, 0x67, 0xbf, 0x9e, 0x57, 0x6b, 0xfe, 0x52}}, {"assar/liten@FOO.SE", "hemligt", ETYPE_DES_CBC_MD5, {0x5b, 0x9b, 0xcb, 0xf2, 0x97, 0x43, 0xc8, 0x40}}, +#if 0 {"@", "", ETYPE_DES3_CBC_SHA1, {0xce, 0xa2, 0x2f, 0x9b, 0x52, 0x2c, 0xb0, 0x15, 0x6e, 0x6b, 0x64, 0x73, 0x62, 0x64, 0x73, 0x4f, 0x6e, 0x73, 0xce, 0xa2, 0x2f, 0x9b, 0x52, 0x57}}, +#endif {"nisse@FOO.SE", "hej", ETYPE_DES3_CBC_SHA1, {0x0e, 0xbc, 0x23, 0x9d, 0x68, 0x46, 0xf2, 0xd5, 0x51, 0x98, 0x5b, 0x57, 0xc1, 0x57, 0x01, 0x79, 0x04, 0xc4, 0xe9, 0xfe, 0xc1, 0x0e, @@ -130,6 +133,8 @@ main(int argc, char **argv) printf ("\n"); val = 1; } + krb5_free_keyblock_contents(context, &key); } + krb5_free_context(context); return val; } diff --git a/crypto/heimdal/lib/krb5/test_acl.c b/crypto/heimdal/lib/krb5/test_acl.c new file mode 100644 index 000000000000..e52f31a8b5a1 --- /dev/null +++ b/crypto/heimdal/lib/krb5/test_acl.c @@ -0,0 +1,113 @@ +/* + * Copyright (c) 2004 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of KTH nor the names of its contributors may be + * used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + +#include "krb5_locl.h" +#include <err.h> + +RCSID("$Id: test_acl.c 15036 2005-04-30 15:19:58Z lha $"); + +#define RETVAL(c, r, e, s) \ + do { if (r != e) krb5_errx(c, 1, "%s", s); } while (0) +#define STRINGMATCH(c, s, _s1, _s2) \ + do { \ + if (_s1 == NULL || _s2 == NULL) \ + krb5_errx(c, 1, "s1 or s2 is NULL"); \ + if (strcmp(_s1,_s2) != 0) \ + krb5_errx(c, 1, "%s", s); \ + } while (0) + +static void +test_match_string(krb5_context context) +{ + krb5_error_code ret; + char *s1, *s2; + + ret = krb5_acl_match_string(context, "foo", "s", "foo"); + RETVAL(context, ret, 0, "single s"); + ret = krb5_acl_match_string(context, "foo foo", "s", "foo"); + RETVAL(context, ret, EACCES, "too many strings"); + ret = krb5_acl_match_string(context, "foo bar", "ss", "foo", "bar"); + RETVAL(context, ret, 0, "two strings"); + ret = krb5_acl_match_string(context, "foo bar", "ss", "foo", "bar"); + RETVAL(context, ret, 0, "two strings double space"); + ret = krb5_acl_match_string(context, "foo \tbar", "ss", "foo", "bar"); + RETVAL(context, ret, 0, "two strings space + tab"); + ret = krb5_acl_match_string(context, "foo", "ss", "foo", "bar"); + RETVAL(context, ret, EACCES, "one string, two format strings"); + ret = krb5_acl_match_string(context, "foo", "ss", "foo", "foo"); + RETVAL(context, ret, EACCES, "one string, two format strings (same)"); + ret = krb5_acl_match_string(context, "foo \t", "s", "foo"); + RETVAL(context, ret, 0, "ending space"); + + ret = krb5_acl_match_string(context, "foo/bar", "f", "foo/bar"); + RETVAL(context, ret, 0, "liternal fnmatch"); + ret = krb5_acl_match_string(context, "foo/bar", "f", "foo/*"); + RETVAL(context, ret, 0, "foo/*"); + ret = krb5_acl_match_string(context, "foo/bar/baz", "f", "foo/*/baz"); + RETVAL(context, ret, 0, "foo/*/baz"); + + ret = krb5_acl_match_string(context, "foo", "r", &s1); + RETVAL(context, ret, 0, "ret 1"); + STRINGMATCH(context, "ret 1 match", s1, "foo"); free(s1); + + ret = krb5_acl_match_string(context, "foo bar", "rr", &s1, &s2); + RETVAL(context, ret, 0, "ret 2"); + STRINGMATCH(context, "ret 2 match 1", s1, "foo"); free(s1); + STRINGMATCH(context, "ret 2 match 2", s2, "bar"); free(s2); + + ret = krb5_acl_match_string(context, "foo bar", "sr", "bar", &s1); + RETVAL(context, ret, EACCES, "ret mismatch"); + if (s1 != NULL) krb5_errx(context, 1, "s1 not NULL"); + + ret = krb5_acl_match_string(context, "foo", "l", "foo"); + RETVAL(context, ret, EINVAL, "unknown letter"); +} + + +int +main(int argc, char **argv) +{ + krb5_context context; + krb5_error_code ret; + + setprogname(argv[0]); + + ret = krb5_init_context(&context); + if (ret) + errx (1, "krb5_init_context failed: %d", ret); + + test_match_string(context); + + krb5_free_context(context); + + return 0; +} diff --git a/crypto/heimdal/lib/krb5/test_addr.c b/crypto/heimdal/lib/krb5/test_addr.c new file mode 100644 index 000000000000..1ab47aecc028 --- /dev/null +++ b/crypto/heimdal/lib/krb5/test_addr.c @@ -0,0 +1,202 @@ +/* + * Copyright (c) 2005 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of KTH nor the names of its contributors may be + * used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + +#include "krb5_locl.h" +#include <err.h> + +RCSID("$Id: test_addr.c 15036 2005-04-30 15:19:58Z lha $"); + +static void +print_addr(krb5_context context, const char *addr) +{ + krb5_addresses addresses; + krb5_error_code ret; + char buf[38]; + char buf2[1000]; + size_t len; + int i; + + ret = krb5_parse_address(context, addr, &addresses); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_address"); + + if (addresses.len < 1) + krb5_err(context, 1, ret, "too few addresses"); + + for (i = 0; i < addresses.len; i++) { + krb5_print_address(&addresses.val[i], buf, sizeof(buf), &len); +#if 0 + printf("addr %d: %s (%d/%d)\n", i, buf, (int)len, (int)strlen(buf)); +#endif + if (strlen(buf) > sizeof(buf)) + abort(); + krb5_print_address(&addresses.val[i], buf2, sizeof(buf2), &len); +#if 0 + printf("addr %d: %s (%d/%d)\n", i, buf2, (int)len, (int)strlen(buf2)); +#endif + if (strlen(buf2) > sizeof(buf2)) + abort(); + + } + krb5_free_addresses(context, &addresses); + +} + +static void +truncated_addr(krb5_context context, const char *addr, + size_t truncate_len, size_t outlen) +{ + krb5_addresses addresses; + krb5_error_code ret; + char *buf; + size_t len; + + buf = ecalloc(1, outlen + 1); + + ret = krb5_parse_address(context, addr, &addresses); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_address"); + + if (addresses.len != 1) + krb5_err(context, 1, ret, "addresses should be one"); + + krb5_print_address(&addresses.val[0], buf, truncate_len, &len); + +#if 0 + printf("addr %s (%d/%d)\n", buf, (int)len, (int)strlen(buf)); +#endif + + if (truncate_len > strlen(buf) + 1) + abort(); + if (outlen != len) + abort(); + + krb5_print_address(&addresses.val[0], buf, outlen + 1, &len); + +#if 0 + printf("addr %s (%d/%d)\n", buf, (int)len, (int)strlen(buf)); +#endif + + if (len != outlen) + abort(); + if (strlen(buf) != len) + abort(); + + krb5_free_addresses(context, &addresses); + free(buf); +} + +static void +check_truncation(krb5_context context, const char *addr) +{ + int i, len = strlen(addr); + + for (i = 0; i < len; i++) + truncated_addr(context, addr, i, len); +} + +static void +match_addr(krb5_context context, const char *range_addr, + const char *one_addr, int match) +{ + krb5_addresses range, one; + krb5_error_code ret; + + ret = krb5_parse_address(context, range_addr, &range); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_address"); + + if (range.len != 1) + krb5_err(context, 1, ret, "wrong num of addresses"); + + ret = krb5_parse_address(context, one_addr, &one); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_address"); + + if (one.len != 1) + krb5_err(context, 1, ret, "wrong num of addresses"); + + if (krb5_address_order(context, &range.val[0], &one.val[0]) == 0) { + if (!match) + krb5_errx(context, 1, "match when one shouldn't be"); + } else { + if (match) + krb5_errx(context, 1, "no match when one should be"); + } + + krb5_free_addresses(context, &range); + krb5_free_addresses(context, &one); +} + +int +main(int argc, char **argv) +{ + krb5_context context; + krb5_error_code ret; + + setprogname(argv[0]); + + ret = krb5_init_context(&context); + if (ret) + errx (1, "krb5_init_context failed: %d", ret); + + print_addr(context, "RANGE:127.0.0.0/8"); + print_addr(context, "RANGE:127.0.0.0/24"); + print_addr(context, "RANGE:IPv4:127.0.0.0-IPv4:127.0.0.255"); + print_addr(context, "RANGE:130.237.237.4/29"); +#ifdef HAVE_IPV6 + print_addr(context, "RANGE:fe80::209:6bff:fea0:e522/64"); + print_addr(context, "RANGE:IPv6:fe80::209:6bff:fea0:e522/64"); + print_addr(context, "RANGE:IPv6:fe80::-IPv6:fe80::ffff:ffff:ffff:ffff"); + print_addr(context, "RANGE:fe80::-fe80::ffff:ffff:ffff:ffff"); +#endif + + check_truncation(context, "IPv4:127.0.0.0"); + check_truncation(context, "RANGE:IPv4:127.0.0.0-IPv4:127.0.0.255"); +#ifdef HAVE_IPV6 + check_truncation(context, "IPv6:::1"); + check_truncation(context, "IPv6:fe80::ffff:ffff:ffff:ffff"); +#endif + + match_addr(context, "RANGE:127.0.0.0/8", "inet:127.0.0.0", 1); + match_addr(context, "RANGE:127.0.0.0/8", "inet:127.255.255.255", 1); + match_addr(context, "RANGE:127.0.0.0/8", "inet:128.0.0.0", 0); + + match_addr(context, "RANGE:130.237.237.8/29", "inet:130.237.237.7", 0); + match_addr(context, "RANGE:130.237.237.8/29", "inet:130.237.237.8", 1); + match_addr(context, "RANGE:130.237.237.8/29", "inet:130.237.237.15", 1); + match_addr(context, "RANGE:130.237.237.8/29", "inet:130.237.237.16", 0); + + krb5_free_context(context); + + return 0; +} diff --git a/crypto/heimdal/lib/krb5/test_alname.c b/crypto/heimdal/lib/krb5/test_alname.c index 8a6ec6dc8f85..e8397b748026 100644 --- a/crypto/heimdal/lib/krb5/test_alname.c +++ b/crypto/heimdal/lib/krb5/test_alname.c @@ -34,10 +34,10 @@ #include <getarg.h> #include <err.h> -RCSID("$Id: test_alname.c,v 1.4 2003/04/17 05:46:45 lha Exp $"); +RCSID("$Id: test_alname.c 15474 2005-06-17 04:48:02Z lha $"); static void -test_alname(krb5_context context, krb5_realm realm, +test_alname(krb5_context context, krb5_const_realm realm, const char *user, const char *inst, const char *localuser, int ok) { @@ -102,12 +102,12 @@ main(int argc, char **argv) krb5_context context; krb5_error_code ret; krb5_realm realm; - int optind = 0; + int optidx = 0; char *user; setprogname(argv[0]); - if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) + if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx)) usage(1); if (help_flag) @@ -118,8 +118,8 @@ main(int argc, char **argv) exit(0); } - argc -= optind; - argv += optind; + argc -= optidx; + argv += optidx; if (argc != 1) errx(1, "first argument should be a local user that in root .k5login"); diff --git a/crypto/heimdal/lib/krb5/test_cc.c b/crypto/heimdal/lib/krb5/test_cc.c index 15181f4d9746..075cfe237fba 100644 --- a/crypto/heimdal/lib/krb5/test_cc.c +++ b/crypto/heimdal/lib/krb5/test_cc.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003 Kungliga Tekniska Högskolan + * Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -31,25 +31,21 @@ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "krb5_locl.h" +#include <getarg.h> #include <err.h> -RCSID("$Id: test_cc.c,v 1.1 2003/03/10 00:26:40 lha Exp $"); +RCSID("$Id: test_cc.c 22115 2007-12-03 21:21:42Z lha $"); -#define TEST_CC_NAME "/tmp/foo" +static int debug_flag = 0; +static int version_flag = 0; +static int help_flag = 0; -int -main(int argc, char **argv) +static void +test_default_name(krb5_context context) { - krb5_context context; krb5_error_code ret; + const char *p, *test_cc_name = "/tmp/krb5-cc-test-foo"; char *p1, *p2, *p3; - const char *p; - - setprogname(argv[0]); - - ret = krb5_init_context(&context); - if (ret) - errx (1, "krb5_init_context failed: %d", ret); p = krb5_cc_default_name(context); if (p == NULL) @@ -68,7 +64,7 @@ main(int argc, char **argv) if (strcmp(p1, p2) != 0) krb5_errx (context, 1, "krb5_cc_default_name no longer same"); - ret = krb5_cc_set_default_name(context, TEST_CC_NAME); + ret = krb5_cc_set_default_name(context, test_cc_name); if (p == NULL) krb5_errx (context, 1, "krb5_cc_set_default_name 1 failed"); @@ -77,9 +73,459 @@ main(int argc, char **argv) krb5_errx (context, 1, "krb5_cc_default_name 2 failed"); p3 = estrdup(p); - if (strcmp(p3, TEST_CC_NAME) != 0) + if (strcmp(p3, test_cc_name) != 0) krb5_errx (context, 1, "krb5_cc_set_default_name 1 failed"); + free(p1); + free(p2); + free(p3); +} + +/* + * Check that a closed cc still keeps it data and that it's no longer + * there when it's destroyed. + */ + +static void +test_mcache(krb5_context context) +{ + krb5_error_code ret; + krb5_ccache id, id2; + const char *nc, *tc; + char *c; + krb5_principal p, p2; + + ret = krb5_parse_name(context, "lha@SU.SE", &p); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + + ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &id); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_gen_new"); + + ret = krb5_cc_initialize(context, id, p); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_initialize"); + + nc = krb5_cc_get_name(context, id); + if (nc == NULL) + krb5_errx(context, 1, "krb5_cc_get_name"); + + tc = krb5_cc_get_type(context, id); + if (tc == NULL) + krb5_errx(context, 1, "krb5_cc_get_name"); + + asprintf(&c, "%s:%s", tc, nc); + + krb5_cc_close(context, id); + + ret = krb5_cc_resolve(context, c, &id2); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_resolve"); + + ret = krb5_cc_get_principal(context, id2, &p2); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_get_principal"); + + if (krb5_principal_compare(context, p, p2) == FALSE) + krb5_errx(context, 1, "p != p2"); + + krb5_cc_destroy(context, id2); + krb5_free_principal(context, p); + krb5_free_principal(context, p2); + + ret = krb5_cc_resolve(context, c, &id2); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_resolve"); + + ret = krb5_cc_get_principal(context, id2, &p2); + if (ret == 0) + krb5_errx(context, 1, "krb5_cc_get_principal"); + + krb5_cc_destroy(context, id2); + free(c); +} + +/* + * Test that init works on a destroyed cc. + */ + +static void +test_init_vs_destroy(krb5_context context, const krb5_cc_ops *ops) +{ + krb5_error_code ret; + krb5_ccache id, id2; + krb5_principal p, p2; + char *n; + + ret = krb5_parse_name(context, "lha@SU.SE", &p); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + + ret = krb5_cc_gen_new(context, ops, &id); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_gen_new"); + + asprintf(&n, "%s:%s", + krb5_cc_get_type(context, id), + krb5_cc_get_name(context, id)); + + ret = krb5_cc_resolve(context, n, &id2); + free(n); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_resolve"); + + krb5_cc_destroy(context, id); + + ret = krb5_cc_initialize(context, id2, p); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_initialize"); + + ret = krb5_cc_get_principal(context, id2, &p2); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_get_principal"); + + krb5_cc_destroy(context, id2); + krb5_free_principal(context, p); + krb5_free_principal(context, p2); +} + +static void +test_fcache_remove(krb5_context context) +{ + krb5_error_code ret; + krb5_ccache id; + krb5_principal p; + krb5_creds cred; + + ret = krb5_parse_name(context, "lha@SU.SE", &p); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + + ret = krb5_cc_gen_new(context, &krb5_fcc_ops, &id); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_gen_new"); + + ret = krb5_cc_initialize(context, id, p); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_initialize"); + + /* */ + memset(&cred, 0, sizeof(cred)); + ret = krb5_parse_name(context, "krbtgt/SU.SE@SU.SE", &cred.server); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + ret = krb5_parse_name(context, "lha@SU.SE", &cred.client); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + + ret = krb5_cc_store_cred(context, id, &cred); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_store_cred"); + + ret = krb5_cc_remove_cred(context, id, 0, &cred); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_remove_cred"); + + ret = krb5_cc_destroy(context, id); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_destroy"); + + krb5_free_principal(context, p); + krb5_free_principal(context, cred.server); + krb5_free_principal(context, cred.client); +} + +static void +test_mcc_default(void) +{ + krb5_context context; + krb5_error_code ret; + krb5_ccache id, id2; + int i; + + for (i = 0; i < 10; i++) { + + ret = krb5_init_context(&context); + if (ret) + krb5_err(context, 1, ret, "krb5_init_context"); + + ret = krb5_cc_set_default_name(context, "MEMORY:foo"); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_set_default_name"); + + ret = krb5_cc_default(context, &id); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_default"); + + ret = krb5_cc_default(context, &id2); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_default"); + + ret = krb5_cc_close(context, id); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_close"); + + ret = krb5_cc_close(context, id2); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_close"); + + krb5_free_context(context); + } +} + +struct { + char *str; + int fail; + char *res; +} cc_names[] = { + { "foo", 0, "foo" }, + { "%{uid}", 0 }, + { "foo%{null}", 0, "foo" }, + { "foo%{null}bar", 0, "foobar" }, + { "%{", 1 }, + { "%{foo %{", 1 }, + { "%{{", 1 }, +}; + +static void +test_def_cc_name(krb5_context context) +{ + krb5_error_code ret; + char *str; + int i; + + for (i = 0; i < sizeof(cc_names)/sizeof(cc_names[0]); i++) { + ret = _krb5_expand_default_cc_name(context, cc_names[i].str, &str); + if (ret) { + if (cc_names[i].fail == 0) + krb5_errx(context, 1, "test %d \"%s\" failed", + i, cc_names[i].str); + } else { + if (cc_names[i].fail) + krb5_errx(context, 1, "test %d \"%s\" was successful", + i, cc_names[i].str); + if (cc_names[i].res && strcmp(cc_names[i].res, str) != 0) + krb5_errx(context, 1, "test %d %s != %s", + i, cc_names[i].res, str); + if (debug_flag) + printf("%s => %s\n", cc_names[i].str, str); + free(str); + } + } +} + +static void +test_cache_find(krb5_context context, const char *type, const char *principal, + int find) +{ + krb5_principal client; + krb5_error_code ret; + krb5_ccache id = NULL; + + ret = krb5_parse_name(context, principal, &client); + if (ret) + krb5_err(context, 1, ret, "parse_name for %s failed", principal); + + ret = krb5_cc_cache_match(context, client, type, &id); + if (ret && find) + krb5_err(context, 1, ret, "cc_cache_match for %s failed", principal); + if (ret == 0 && !find) + krb5_err(context, 1, ret, "cc_cache_match for %s found", principal); + + if (id) + krb5_cc_close(context, id); + krb5_free_principal(context, client); +} + + +static void +test_cache_iter(krb5_context context, const char *type, int destroy) +{ + krb5_cc_cache_cursor cursor; + krb5_error_code ret; + krb5_ccache id; + + ret = krb5_cc_cache_get_first (context, type, &cursor); + if (ret == KRB5_CC_NOSUPP) + return; + else if (ret) + krb5_err(context, 1, ret, "krb5_cc_cache_get_first(%s)", type); + + + while ((ret = krb5_cc_cache_next (context, cursor, &id)) == 0) { + krb5_principal principal; + char *name; + + if (debug_flag) + printf("name: %s\n", krb5_cc_get_name(context, id)); + ret = krb5_cc_get_principal(context, id, &principal); + if (ret == 0) { + ret = krb5_unparse_name(context, principal, &name); + if (ret == 0) { + if (debug_flag) + printf("\tprincipal: %s\n", name); + free(name); + } + krb5_free_principal(context, principal); + } + if (destroy) + krb5_cc_destroy(context, id); + else + krb5_cc_close(context, id); + } + + krb5_cc_cache_end_seq_get(context, cursor); +} + +static void +test_copy(krb5_context context, const char *fromtype, const char *totype) +{ + const krb5_cc_ops *from, *to; + krb5_ccache fromid, toid; + krb5_error_code ret; + krb5_principal p, p2; + + from = krb5_cc_get_prefix_ops(context, fromtype); + if (from == NULL) + krb5_errx(context, 1, "%s isn't a type", fromtype); + + to = krb5_cc_get_prefix_ops(context, totype); + if (to == NULL) + krb5_errx(context, 1, "%s isn't a type", totype); + + ret = krb5_parse_name(context, "lha@SU.SE", &p); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + + ret = krb5_cc_gen_new(context, from, &fromid); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_gen_new"); + + ret = krb5_cc_initialize(context, fromid, p); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_initialize"); + + ret = krb5_cc_gen_new(context, to, &toid); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_gen_new"); + + ret = krb5_cc_copy_cache(context, fromid, toid); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_copy_cache"); + + ret = krb5_cc_get_principal(context, toid, &p2); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_get_principal"); + + if (krb5_principal_compare(context, p, p2) == FALSE) + krb5_errx(context, 1, "p != p2"); + + krb5_free_principal(context, p); + krb5_free_principal(context, p2); + + krb5_cc_destroy(context, fromid); + krb5_cc_destroy(context, toid); +} + +static void +test_prefix_ops(krb5_context context, const char *name, const krb5_cc_ops *ops) +{ + const krb5_cc_ops *o; + + o = krb5_cc_get_prefix_ops(context, name); + if (o == NULL) + krb5_errx(context, 1, "found no match for prefix '%s'", name); + if (strcmp(o->prefix, ops->prefix) != 0) + krb5_errx(context, 1, "ops for prefix '%s' is not " + "the expected %s != %s", name, o->prefix, ops->prefix); +} + + +static struct getargs args[] = { + {"debug", 'd', arg_flag, &debug_flag, + "turn on debuggin", NULL }, + {"version", 0, arg_flag, &version_flag, + "print version", NULL }, + {"help", 0, arg_flag, &help_flag, + NULL, NULL } +}; + +static void +usage (int ret) +{ + arg_printusage (args, sizeof(args)/sizeof(*args), NULL, "hostname ..."); + exit (ret); +} + +int +main(int argc, char **argv) +{ + krb5_context context; + krb5_error_code ret; + int optidx = 0; + krb5_ccache id1, id2; + + setprogname(argv[0]); + + if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx)) + usage(1); + + if (help_flag) + usage (0); + + if(version_flag){ + print_version(NULL); + exit(0); + } + + argc -= optidx; + argv += optidx; + + ret = krb5_init_context(&context); + if (ret) + errx (1, "krb5_init_context failed: %d", ret); + + test_fcache_remove(context); + test_default_name(context); + test_mcache(context); + test_init_vs_destroy(context, &krb5_mcc_ops); + test_init_vs_destroy(context, &krb5_fcc_ops); + test_mcc_default(); + test_def_cc_name(context); + test_cache_iter(context, "MEMORY", 0); + { + krb5_principal p; + krb5_cc_new_unique(context, "MEMORY", "bar", &id1); + krb5_cc_new_unique(context, "MEMORY", "baz", &id2); + krb5_parse_name(context, "lha@SU.SE", &p); + krb5_cc_initialize(context, id1, p); + krb5_free_principal(context, p); + } + + test_cache_find(context, "MEMORY", "lha@SU.SE", 1); + test_cache_find(context, "MEMORY", "hulabundulahotentot@SU.SE", 0); + + test_cache_iter(context, "MEMORY", 0); + test_cache_iter(context, "MEMORY", 1); + test_cache_iter(context, "MEMORY", 0); + test_cache_iter(context, "FILE", 0); + test_cache_iter(context, "API", 0); + + test_copy(context, "FILE", "FILE"); + test_copy(context, "MEMORY", "MEMORY"); + test_copy(context, "FILE", "MEMORY"); + test_copy(context, "MEMORY", "FILE"); + + test_prefix_ops(context, "FILE:/tmp/foo", &krb5_fcc_ops); + test_prefix_ops(context, "FILE", &krb5_fcc_ops); + test_prefix_ops(context, "MEMORY", &krb5_mcc_ops); + test_prefix_ops(context, "MEMORY:foo", &krb5_mcc_ops); + test_prefix_ops(context, "/tmp/kaka", &krb5_fcc_ops); + + krb5_cc_destroy(context, id1); + krb5_cc_destroy(context, id2); + krb5_free_context(context); return 0; diff --git a/crypto/heimdal/lib/krb5/test_config.c b/crypto/heimdal/lib/krb5/test_config.c new file mode 100644 index 000000000000..7fe224e68812 --- /dev/null +++ b/crypto/heimdal/lib/krb5/test_config.c @@ -0,0 +1,124 @@ +/* + * Copyright (c) 2003 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of KTH nor the names of its contributors may be + * used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "krb5_locl.h" +#include <err.h> + +RCSID("$Id: test_config.c 15036 2005-04-30 15:19:58Z lha $"); + +static int +check_config_file(krb5_context context, char *filelist, char **res, int def) +{ + krb5_error_code ret; + char **pp; + int i; + + pp = NULL; + + if (def) + ret = krb5_prepend_config_files_default(filelist, &pp); + else + ret = krb5_prepend_config_files(filelist, NULL, &pp); + + if (ret) + krb5_err(context, 1, ret, "prepend_config_files"); + + for (i = 0; res[i] && pp[i]; i++) + if (strcmp(pp[i], res[i]) != 0) + krb5_errx(context, 1, "'%s' != '%s'", pp[i], res[i]); + + if (res[i] != NULL) + krb5_errx(context, 1, "pp ended before res list"); + + if (def) { + char **deflist; + int j; + + ret = krb5_get_default_config_files(&deflist); + if (ret) + krb5_err(context, 1, ret, "get_default_config_files"); + + for (j = 0 ; pp[i] && deflist[j]; i++, j++) + if (strcmp(pp[i], deflist[j]) != 0) + krb5_errx(context, 1, "'%s' != '%s'", pp[i], deflist[j]); + + if (deflist[j] != NULL) + krb5_errx(context, 1, "pp ended before def list"); + krb5_free_config_files(deflist); + } + + if (pp[i] != NULL) + krb5_errx(context, 1, "pp ended after res (and def) list"); + + krb5_free_config_files(pp); + + return 0; +} + +char *list0[] = { "/tmp/foo", NULL }; +char *list1[] = { "/tmp/foo", "/tmp/foo/bar", NULL }; +char *list2[] = { "", NULL }; + +struct { + char *fl; + char **res; +} test[] = { + { "/tmp/foo", NULL }, + { "/tmp/foo:/tmp/foo/bar", NULL }, + { "", NULL } +}; + +int +main(int argc, char **argv) +{ + krb5_context context; + krb5_error_code ret; + int i; + + ret = krb5_init_context(&context); + if (ret) + errx(1, "krb5_init_context %d", ret); + + test[0].res = list0; + test[1].res = list1; + test[2].res = list2; + + for (i = 0; i < sizeof(test)/sizeof(*test); i++) { + check_config_file(context, test[i].fl, test[i].res, 0); + check_config_file(context, test[i].fl, test[i].res, 1); + } + + krb5_free_context(context); + + return 0; +} diff --git a/crypto/heimdal/lib/krb5/test_crypto.c b/crypto/heimdal/lib/krb5/test_crypto.c new file mode 100644 index 000000000000..0837911f26aa --- /dev/null +++ b/crypto/heimdal/lib/krb5/test_crypto.c @@ -0,0 +1,215 @@ +/* + * Copyright (c) 2003-2005 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of KTH nor the names of its contributors may be + * used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + +#include "krb5_locl.h" +#include <err.h> +#include <getarg.h> + +RCSID("$Id: test_crypto.c 16290 2005-11-24 09:57:50Z lha $"); + +static void +time_encryption(krb5_context context, size_t size, + krb5_enctype etype, int iterations) +{ + struct timeval tv1, tv2; + krb5_error_code ret; + krb5_keyblock key; + krb5_crypto crypto; + krb5_data data; + char *etype_name; + void *buf; + int i; + + ret = krb5_generate_random_keyblock(context, etype, &key); + if (ret) + krb5_err(context, 1, ret, "krb5_generate_random_keyblock"); + + ret = krb5_enctype_to_string(context, etype, &etype_name); + if (ret) + krb5_err(context, 1, ret, "krb5_enctype_to_string"); + + buf = malloc(size); + if (buf == NULL) + krb5_errx(context, 1, "out of memory"); + memset(buf, 0, size); + + ret = krb5_crypto_init(context, &key, 0, &crypto); + if (ret) + krb5_err(context, 1, ret, "krb5_crypto_init"); + + gettimeofday(&tv1, NULL); + + for (i = 0; i < iterations; i++) { + ret = krb5_encrypt(context, crypto, 0, buf, size, &data); + if (ret) + krb5_err(context, 1, ret, "encrypt: %d", i); + krb5_data_free(&data); + } + + gettimeofday(&tv2, NULL); + + timevalsub(&tv2, &tv1); + + printf("%s size: %7lu iterations: %d time: %3ld.%06ld\n", + etype_name, (unsigned long)size, iterations, + (long)tv2.tv_sec, (long)tv2.tv_usec); + + free(buf); + free(etype_name); + krb5_crypto_destroy(context, crypto); + krb5_free_keyblock_contents(context, &key); +} + +static void +time_s2k(krb5_context context, + krb5_enctype etype, + const char *password, + krb5_salt salt, + int iterations) +{ + struct timeval tv1, tv2; + krb5_error_code ret; + krb5_keyblock key; + krb5_data opaque; + char *etype_name; + int i; + + ret = krb5_enctype_to_string(context, etype, &etype_name); + if (ret) + krb5_err(context, 1, ret, "krb5_enctype_to_string"); + + opaque.data = NULL; + opaque.length = 0; + + gettimeofday(&tv1, NULL); + + for (i = 0; i < iterations; i++) { + ret = krb5_string_to_key_salt_opaque(context, etype, password, salt, + opaque, &key); + if (ret) + krb5_err(context, 1, ret, "krb5_string_to_key_data_salt_opaque"); + krb5_free_keyblock_contents(context, &key); + } + + gettimeofday(&tv2, NULL); + + timevalsub(&tv2, &tv1); + + printf("%s string2key %d iterations time: %3ld.%06ld\n", + etype_name, iterations, (long)tv2.tv_sec, (long)tv2.tv_usec); + free(etype_name); + +} + +static int version_flag = 0; +static int help_flag = 0; + +static struct getargs args[] = { + {"version", 0, arg_flag, &version_flag, + "print version", NULL }, + {"help", 0, arg_flag, &help_flag, + NULL, NULL } +}; + +static void +usage (int ret) +{ + arg_printusage (args, + sizeof(args)/sizeof(*args), + NULL, + ""); + exit (ret); +} + +int +main(int argc, char **argv) +{ + krb5_context context; + krb5_error_code ret; + int i, enciter, s2kiter; + int optidx = 0; + krb5_salt salt; + + krb5_enctype enctypes[] = { + ETYPE_DES_CBC_CRC, + ETYPE_DES3_CBC_SHA1, + ETYPE_ARCFOUR_HMAC_MD5, + ETYPE_AES128_CTS_HMAC_SHA1_96, + ETYPE_AES256_CTS_HMAC_SHA1_96 + }; + + setprogname(argv[0]); + + if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx)) + usage(1); + + if (help_flag) + usage (0); + + if(version_flag){ + print_version(NULL); + exit(0); + } + + argc -= optidx; + argv += optidx; + + salt.salttype = KRB5_PW_SALT; + salt.saltvalue.data = NULL; + salt.saltvalue.length = 0; + + ret = krb5_init_context(&context); + if (ret) + errx (1, "krb5_init_context failed: %d", ret); + + enciter = 1000; + s2kiter = 100; + + for (i = 0; i < sizeof(enctypes)/sizeof(enctypes[0]); i++) { + + time_encryption(context, 16, enctypes[i], enciter); + time_encryption(context, 32, enctypes[i], enciter); + time_encryption(context, 512, enctypes[i], enciter); + time_encryption(context, 1024, enctypes[i], enciter); + time_encryption(context, 2048, enctypes[i], enciter); + time_encryption(context, 4096, enctypes[i], enciter); + time_encryption(context, 8192, enctypes[i], enciter); + time_encryption(context, 16384, enctypes[i], enciter); + time_encryption(context, 32768, enctypes[i], enciter); + + time_s2k(context, enctypes[i], "mYsecreitPassword", salt, s2kiter); + } + + krb5_free_context(context); + + return 0; +} diff --git a/crypto/heimdal/lib/krb5/test_crypto_wrapping.c b/crypto/heimdal/lib/krb5/test_crypto_wrapping.c new file mode 100644 index 000000000000..1618fdf11797 --- /dev/null +++ b/crypto/heimdal/lib/krb5/test_crypto_wrapping.c @@ -0,0 +1,164 @@ +/* + * Copyright (c) 2005 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of KTH nor the names of its contributors may be + * used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + +#include "krb5_locl.h" +#include <err.h> +#include <getarg.h> + +RCSID("$Id: test_crypto_wrapping.c 18809 2006-10-22 07:11:43Z lha $"); + +static void +test_wrapping(krb5_context context, + size_t min_size, + size_t max_size, + size_t step, + krb5_enctype etype) +{ + krb5_error_code ret; + krb5_keyblock key; + krb5_crypto crypto; + krb5_data data; + char *etype_name; + void *buf; + size_t size; + + ret = krb5_generate_random_keyblock(context, etype, &key); + if (ret) + krb5_err(context, 1, ret, "krb5_generate_random_keyblock"); + + ret = krb5_enctype_to_string(context, etype, &etype_name); + if (ret) + krb5_err(context, 1, ret, "krb5_enctype_to_string"); + + buf = malloc(max_size); + if (buf == NULL) + krb5_errx(context, 1, "out of memory"); + memset(buf, 0, max_size); + + ret = krb5_crypto_init(context, &key, 0, &crypto); + if (ret) + krb5_err(context, 1, ret, "krb5_crypto_init"); + + for (size = min_size; size < max_size; size += step) { + size_t wrapped_size; + + ret = krb5_encrypt(context, crypto, 0, buf, size, &data); + if (ret) + krb5_err(context, 1, ret, "encrypt size %lu using %s", + (unsigned long)size, etype_name); + + wrapped_size = krb5_get_wrapped_length(context, crypto, size); + + if (wrapped_size != data.length) + krb5_errx(context, 1, "calculated wrapped length %lu != " + "real wrapped length %lu for data length %lu using " + "enctype %s", + (unsigned long)wrapped_size, + (unsigned long)data.length, + (unsigned long)size, + etype_name); + krb5_data_free(&data); + } + + free(etype_name); + free(buf); + krb5_crypto_destroy(context, crypto); + krb5_free_keyblock_contents(context, &key); +} + + + +static int version_flag = 0; +static int help_flag = 0; + +static struct getargs args[] = { + {"version", 0, arg_flag, &version_flag, + "print version", NULL }, + {"help", 0, arg_flag, &help_flag, + NULL, NULL } +}; + +static void +usage (int ret) +{ + arg_printusage (args, + sizeof(args)/sizeof(*args), + NULL, + ""); + exit (ret); +} + +int +main(int argc, char **argv) +{ + krb5_context context; + krb5_error_code ret; + int i, optidx = 0; + + krb5_enctype enctypes[] = { + ETYPE_DES_CBC_CRC, + ETYPE_DES_CBC_MD4, + ETYPE_DES_CBC_MD5, + ETYPE_DES3_CBC_SHA1, + ETYPE_ARCFOUR_HMAC_MD5, + ETYPE_AES128_CTS_HMAC_SHA1_96, + ETYPE_AES256_CTS_HMAC_SHA1_96 + }; + + setprogname(argv[0]); + + if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx)) + usage(1); + + if (help_flag) + usage (0); + + if(version_flag){ + print_version(NULL); + exit(0); + } + + argc -= optidx; + argv += optidx; + + ret = krb5_init_context(&context); + if (ret) + errx (1, "krb5_init_context failed: %d", ret); + + for (i = 0; i < sizeof(enctypes)/sizeof(enctypes[0]); i++) { + test_wrapping(context, 0, 1024, 1, enctypes[i]); + test_wrapping(context, 1024, 1024 * 100, 1024, enctypes[i]); + } + krb5_free_context(context); + + return 0; +} diff --git a/crypto/heimdal/lib/krb5/test_forward.c b/crypto/heimdal/lib/krb5/test_forward.c new file mode 100644 index 000000000000..163995334ed9 --- /dev/null +++ b/crypto/heimdal/lib/krb5/test_forward.c @@ -0,0 +1,136 @@ +/* + * Copyright (c) 2008 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of KTH nor the names of its contributors may be + * used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + +#include "krb5_locl.h" +#include <err.h> +#include <getarg.h> + +RCSID("$Id$"); + +static int version_flag = 0; +static int help_flag = 0; + +static struct getargs args[] = { + {"version", 0, arg_flag, &version_flag, + "print version", NULL }, + {"help", 0, arg_flag, &help_flag, + NULL, NULL } +}; + +static void +usage (int ret) +{ + arg_printusage (args, + sizeof(args)/sizeof(*args), + NULL, + "hostname"); + exit (ret); +} + +int +main(int argc, char **argv) +{ + const char *hostname; + krb5_context context; + krb5_auth_context ac; + krb5_error_code ret; + krb5_creds cred; + krb5_ccache id; + krb5_data data; + int optidx = 0; + + setprogname (argv[0]); + + if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx)) + usage(1); + + if (help_flag) + usage (0); + + if(version_flag){ + print_version(NULL); + exit(0); + } + + argc -= optidx; + argv += optidx; + + if (argc < 1) + usage(1); + + hostname = argv[0]; + + memset(&cred, 0, sizeof(cred)); + + ret = krb5_init_context(&context); + if (ret) + errx (1, "krb5_init_context failed: %d", ret); + + ret = krb5_cc_default(context, &id); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_default failed: %d", ret); + + ret = krb5_auth_con_init(context, &ac); + if (ret) + krb5_err(context, 1, ret, "krb5_auth_con_init failed: %d", ret); + + krb5_auth_con_addflags(context, ac, + KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED, NULL); + + ret = krb5_cc_get_principal(context, id, &cred.client); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_get_principal"); + + ret = krb5_make_principal(context, + &cred.server, + krb5_principal_get_realm(context, cred.client), + KRB5_TGS_NAME, + krb5_principal_get_realm(context, cred.client), + NULL); + if (ret) + krb5_err(context, 1, ret, "krb5_make_principal(server)"); + + ret = krb5_get_forwarded_creds (context, + ac, + id, + KDC_OPT_FORWARDABLE, + hostname, + &cred, + &data); + if (ret) + krb5_err (context, 1, ret, "krb5_get_forwarded_creds"); + + krb5_data_free(&data); + krb5_free_context(context); + + return 0; +} diff --git a/crypto/heimdal/lib/krb5/test_get_addrs.c b/crypto/heimdal/lib/krb5/test_get_addrs.c index 97e3b2b1e583..1d53e0eb8c68 100644 --- a/crypto/heimdal/lib/krb5/test_get_addrs.c +++ b/crypto/heimdal/lib/krb5/test_get_addrs.c @@ -34,7 +34,7 @@ #include <err.h> #include <getarg.h> -RCSID("$Id: test_get_addrs.c,v 1.4 2002/08/23 03:42:54 assar Exp $"); +RCSID("$Id: test_get_addrs.c 15474 2005-06-17 04:48:02Z lha $"); /* print all addresses that we find */ @@ -77,11 +77,11 @@ main(int argc, char **argv) krb5_context context; krb5_error_code ret; krb5_addresses addrs; - int optind = 0; + int optidx = 0; setprogname (argv[0]); - if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) + if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx)) usage(1); if (help_flag) @@ -92,8 +92,8 @@ main(int argc, char **argv) exit(0); } - argc -= optind; - argv += optind; + argc -= optidx; + argv += optidx; ret = krb5_init_context(&context); if (ret) diff --git a/crypto/heimdal/lib/krb5/test_hostname.c b/crypto/heimdal/lib/krb5/test_hostname.c new file mode 100644 index 000000000000..095cb391633e --- /dev/null +++ b/crypto/heimdal/lib/krb5/test_hostname.c @@ -0,0 +1,152 @@ +/* + * Copyright (c) 2005 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of KTH nor the names of its contributors may be + * used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + +#include "krb5_locl.h" +#include <err.h> +#include <getarg.h> + +RCSID("$Id: test_hostname.c 15965 2005-08-23 20:18:55Z lha $"); + +static int debug_flag = 0; +static int version_flag = 0; +static int help_flag = 0; + +static int +expand_hostname(krb5_context context, const char *host) +{ + krb5_error_code ret; + char *h, **r; + + ret = krb5_expand_hostname(context, host, &h); + if (ret) + krb5_err(context, 1, ret, "krb5_expand_hostname(%s)", host); + + free(h); + + if (debug_flag) + printf("hostname: %s -> %s\n", host, h); + + ret = krb5_expand_hostname_realms(context, host, &h, &r); + if (ret) + krb5_err(context, 1, ret, "krb5_expand_hostname_realms(%s)", host); + + if (debug_flag) { + int j; + + printf("hostname: %s -> %s\n", host, h); + for (j = 0; r[j]; j++) { + printf("\trealm: %s\n", r[j]); + } + } + free(h); + krb5_free_host_realm(context, r); + + return 0; +} + +static int +test_expand_hostname(krb5_context context) +{ + int i, errors = 0; + + struct t { + krb5_error_code ret; + const char *orig_hostname; + const char *new_hostname; + } tests[] = { + { 0, "pstn1.su.se", "pstn1.su.se" }, + { 0, "pstnproxy.su.se", "pstnproxy.su.se" }, + }; + + for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) { + errors += expand_hostname(context, tests[i].orig_hostname); + } + + return errors; +} + +static struct getargs args[] = { + {"debug", 'd', arg_flag, &debug_flag, + "turn on debuggin", NULL }, + {"version", 0, arg_flag, &version_flag, + "print version", NULL }, + {"help", 0, arg_flag, &help_flag, + NULL, NULL } +}; + +static void +usage (int ret) +{ + arg_printusage (args, sizeof(args)/sizeof(*args), NULL, "hostname ..."); + exit (ret); +} + + +int +main(int argc, char **argv) +{ + krb5_context context; + krb5_error_code ret; + int optidx = 0, errors = 0; + + setprogname(argv[0]); + + if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx)) + usage(1); + + if (help_flag) + usage (0); + + if(version_flag){ + print_version(NULL); + exit(0); + } + + argc -= optidx; + argv += optidx; + + ret = krb5_init_context(&context); + if (ret) + errx (1, "krb5_init_context failed: %d", ret); + + if (argc > 0) { + while (argc-- > 0) + errors += expand_hostname(context, *argv++); + return errors; + } + + errors += test_expand_hostname(context); + + krb5_free_context(context); + + return errors; +} diff --git a/crypto/heimdal/lib/krb5/test_keytab.c b/crypto/heimdal/lib/krb5/test_keytab.c new file mode 100644 index 000000000000..97361cc19a31 --- /dev/null +++ b/crypto/heimdal/lib/krb5/test_keytab.c @@ -0,0 +1,191 @@ +/* + * Copyright (c) 2005 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of KTH nor the names of its contributors may be + * used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + +#include "krb5_locl.h" +#include <err.h> + +RCSID("$Id: test_keytab.c 18809 2006-10-22 07:11:43Z lha $"); + +/* + * Test that removal entry from of empty keytab doesn't corrupts + * memory. + */ + +static void +test_empty_keytab(krb5_context context, const char *keytab) +{ + krb5_error_code ret; + krb5_keytab id; + krb5_keytab_entry entry; + + ret = krb5_kt_resolve(context, keytab, &id); + if (ret) + krb5_err(context, 1, ret, "krb5_kt_resolve"); + + memset(&entry, 0, sizeof(entry)); + + krb5_kt_remove_entry(context, id, &entry); + + ret = krb5_kt_close(context, id); + if (ret) + krb5_err(context, 1, ret, "krb5_kt_close"); +} + +/* + * Test that memory keytab are refcounted. + */ + +static void +test_memory_keytab(krb5_context context, const char *keytab, const char *keytab2) +{ + krb5_error_code ret; + krb5_keytab id, id2, id3; + krb5_keytab_entry entry, entry2, entry3; + + ret = krb5_kt_resolve(context, keytab, &id); + if (ret) + krb5_err(context, 1, ret, "krb5_kt_resolve"); + + memset(&entry, 0, sizeof(entry)); + ret = krb5_parse_name(context, "lha@SU.SE", &entry.principal); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + entry.vno = 1; + ret = krb5_generate_random_keyblock(context, + ETYPE_AES256_CTS_HMAC_SHA1_96, + &entry.keyblock); + if (ret) + krb5_err(context, 1, ret, "krb5_generate_random_keyblock"); + + krb5_kt_add_entry(context, id, &entry); + + ret = krb5_kt_resolve(context, keytab, &id2); + if (ret) + krb5_err(context, 1, ret, "krb5_kt_resolve"); + + ret = krb5_kt_get_entry(context, id, + entry.principal, + 0, + ETYPE_AES256_CTS_HMAC_SHA1_96, + &entry2); + if (ret) + krb5_err(context, 1, ret, "krb5_kt_get_entry"); + krb5_kt_free_entry(context, &entry2); + + ret = krb5_kt_close(context, id); + if (ret) + krb5_err(context, 1, ret, "krb5_kt_close"); + + ret = krb5_kt_get_entry(context, id2, + entry.principal, + 0, + ETYPE_AES256_CTS_HMAC_SHA1_96, + &entry2); + if (ret) + krb5_err(context, 1, ret, "krb5_kt_get_entry"); + krb5_kt_free_entry(context, &entry2); + + ret = krb5_kt_close(context, id2); + if (ret) + krb5_err(context, 1, ret, "krb5_kt_close"); + + + ret = krb5_kt_resolve(context, keytab2, &id3); + if (ret) + krb5_err(context, 1, ret, "krb5_kt_resolve"); + + memset(&entry3, 0, sizeof(entry3)); + ret = krb5_parse_name(context, "lha3@SU.SE", &entry3.principal); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + entry3.vno = 1; + ret = krb5_generate_random_keyblock(context, + ETYPE_AES256_CTS_HMAC_SHA1_96, + &entry3.keyblock); + if (ret) + krb5_err(context, 1, ret, "krb5_generate_random_keyblock"); + + krb5_kt_add_entry(context, id3, &entry3); + + + ret = krb5_kt_resolve(context, keytab, &id); + if (ret) + krb5_err(context, 1, ret, "krb5_kt_resolve"); + + ret = krb5_kt_get_entry(context, id, + entry.principal, + 0, + ETYPE_AES256_CTS_HMAC_SHA1_96, + &entry2); + if (ret == 0) + krb5_errx(context, 1, "krb5_kt_get_entry when if should fail"); + + krb5_kt_remove_entry(context, id, &entry); + + ret = krb5_kt_close(context, id); + if (ret) + krb5_err(context, 1, ret, "krb5_kt_close"); + + krb5_kt_free_entry(context, &entry); + + krb5_kt_remove_entry(context, id3, &entry3); + + ret = krb5_kt_close(context, id3); + if (ret) + krb5_err(context, 1, ret, "krb5_kt_close"); + + krb5_free_principal(context, entry3.principal); + krb5_free_keyblock_contents(context, &entry3.keyblock); +} + +int +main(int argc, char **argv) +{ + krb5_context context; + krb5_error_code ret; + + setprogname(argv[0]); + + ret = krb5_init_context(&context); + if (ret) + errx (1, "krb5_init_context failed: %d", ret); + + test_empty_keytab(context, "MEMORY:foo"); + test_empty_keytab(context, "FILE:foo"); + test_empty_keytab(context, "KRB4:foo"); + + test_memory_keytab(context, "MEMORY:foo", "MEMORY:foo2"); + + krb5_free_context(context); + + return 0; +} diff --git a/crypto/heimdal/lib/krb5/test_kuserok.c b/crypto/heimdal/lib/krb5/test_kuserok.c new file mode 100644 index 000000000000..04a6f210a05e --- /dev/null +++ b/crypto/heimdal/lib/krb5/test_kuserok.c @@ -0,0 +1,106 @@ +/* + * Copyright (c) 2005 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of KTH nor the names of its contributors may be + * used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + +#include "krb5_locl.h" +#include <getarg.h> +#include <err.h> + +RCSID("$Id: test_kuserok.c 15033 2005-04-30 15:15:38Z lha $"); + +static int version_flag = 0; +static int help_flag = 0; + +static struct getargs args[] = { + {"version", 0, arg_flag, &version_flag, + "print version", NULL }, + {"help", 0, arg_flag, &help_flag, + NULL, NULL } +}; + +static void +usage (int ret) +{ + arg_printusage (args, + sizeof(args)/sizeof(*args), + NULL, + "principal luser"); + exit (ret); +} + +int +main(int argc, char **argv) +{ + krb5_context context; + krb5_error_code ret; + krb5_principal principal; + char *p; + int o = 0; + + setprogname(argv[0]); + + if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &o)) + usage(1); + + if (help_flag) + usage (0); + + if(version_flag){ + print_version(NULL); + exit(0); + } + + argc -= o; + argv += o; + + ret = krb5_init_context(&context); + if (ret) + errx (1, "krb5_init_context failed: %d", ret); + + if (argc != 2) + usage(1); + + ret = krb5_parse_name(context, argv[0], &principal); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + + ret = krb5_unparse_name(context, principal, &p); + if (ret) + krb5_err(context, 1, ret, "krb5_unparse_name"); + + ret = krb5_kuserok(context, principal, argv[1]); + + krb5_free_context(context); + + printf("%s is %sallowed to login as %s\n", p, ret ? "" : "NOT ", argv[1]); + + return 0; +} diff --git a/crypto/heimdal/lib/krb5/test_mem.c b/crypto/heimdal/lib/krb5/test_mem.c new file mode 100644 index 000000000000..8989caed7484 --- /dev/null +++ b/crypto/heimdal/lib/krb5/test_mem.c @@ -0,0 +1,73 @@ +/* + * Copyright (c) 2005 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of KTH nor the names of its contributors may be + * used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + +#include "krb5_locl.h" +#include <err.h> + +RCSID("$Id: test_mem.c 15931 2005-08-12 13:43:46Z lha $"); + +/* + * Test run functions, to be used with valgrind to detect memoryleaks. + */ + +static void +check_log(void) +{ + int i; + + for (i = 0; i < 10; i++) { + krb5_log_facility *logfacility; + krb5_context context; + krb5_error_code ret; + + ret = krb5_init_context(&context); + if (ret) + errx (1, "krb5_init_context failed: %d", ret); + + krb5_initlog(context, "test-mem", &logfacility); + krb5_addlog_dest(context, logfacility, "0/STDERR:"); + krb5_set_warn_dest(context, logfacility); + + krb5_free_context(context); + } +} + + +int +main(int argc, char **argv) +{ + setprogname(argv[0]); + + check_log(); + + return 0; +} diff --git a/crypto/heimdal/lib/krb5/test_pac.c b/crypto/heimdal/lib/krb5/test_pac.c new file mode 100644 index 000000000000..a22fe3a8c6c5 --- /dev/null +++ b/crypto/heimdal/lib/krb5/test_pac.c @@ -0,0 +1,295 @@ +/* + * Copyright (c) 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5_locl.h" + +RCSID("$Id: test_pac.c 21934 2007-08-27 14:21:04Z lha $"); + +/* + * This PAC and keys are copied (with permission) from Samba torture + * regression test suite, they where created by Andrew Bartlet. + */ + +static const unsigned char saved_pac[] = { + 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xd8, 0x01, 0x00, 0x00, + 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, + 0x20, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, + 0x40, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, + 0x58, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, + 0xc8, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x30, 0xdf, 0xa6, 0xcb, + 0x4f, 0x7d, 0xc5, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0x7f, 0xc0, 0x3c, 0x4e, 0x59, 0x62, 0x73, 0xc5, 0x01, 0xc0, 0x3c, 0x4e, 0x59, + 0x62, 0x73, 0xc5, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x16, 0x00, 0x16, 0x00, + 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0c, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x14, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x02, 0x00, 0x65, 0x00, 0x00, 0x00, + 0xed, 0x03, 0x00, 0x00, 0x04, 0x02, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x02, 0x00, + 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x16, 0x00, 0x20, 0x00, 0x02, 0x00, 0x16, 0x00, 0x18, 0x00, + 0x24, 0x00, 0x02, 0x00, 0x28, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x2c, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, + 0x57, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x33, 0x00, 0x46, 0x00, 0x49, 0x00, 0x4e, 0x00, + 0x41, 0x00, 0x4c, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x02, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, + 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x57, 0x00, 0x32, 0x00, + 0x30, 0x00, 0x30, 0x00, 0x33, 0x00, 0x46, 0x00, 0x49, 0x00, 0x4e, 0x00, 0x41, 0x00, 0x4c, 0x00, + 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x57, 0x00, 0x49, 0x00, + 0x4e, 0x00, 0x32, 0x00, 0x4b, 0x00, 0x33, 0x00, 0x54, 0x00, 0x48, 0x00, 0x49, 0x00, 0x4e, 0x00, + 0x4b, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, + 0x15, 0x00, 0x00, 0x00, 0x11, 0x2f, 0xaf, 0xb5, 0x90, 0x04, 0x1b, 0xec, 0x50, 0x3b, 0xec, 0xdc, + 0x01, 0x00, 0x00, 0x00, 0x30, 0x00, 0x02, 0x00, 0x07, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x80, 0x66, 0x28, 0xea, 0x37, 0x80, 0xc5, 0x01, 0x16, 0x00, 0x77, 0x00, 0x32, 0x00, 0x30, 0x00, + 0x30, 0x00, 0x33, 0x00, 0x66, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x61, 0x00, 0x6c, 0x00, 0x24, 0x00, + 0x76, 0xff, 0xff, 0xff, 0x37, 0xd5, 0xb0, 0xf7, 0x24, 0xf0, 0xd6, 0xd4, 0xec, 0x09, 0x86, 0x5a, + 0xa0, 0xe8, 0xc3, 0xa9, 0x00, 0x00, 0x00, 0x00, 0x76, 0xff, 0xff, 0xff, 0xb4, 0xd8, 0xb8, 0xfe, + 0x83, 0xb3, 0x13, 0x3f, 0xfc, 0x5c, 0x41, 0xad, 0xe2, 0x64, 0x83, 0xe0, 0x00, 0x00, 0x00, 0x00 +}; + +static int type_1_length = 472; + +static const krb5_keyblock kdc_keyblock = { + ETYPE_ARCFOUR_HMAC_MD5, + { 16, "\xB2\x86\x75\x71\x48\xAF\x7F\xD2\x52\xC5\x36\x03\xA1\x50\xB7\xE7" } +}; + +static const krb5_keyblock member_keyblock = { + ETYPE_ARCFOUR_HMAC_MD5, + { 16, "\xD2\x17\xFA\xEA\xE5\xE6\xB5\xF9\x5C\xCC\x94\x07\x7A\xB8\xA5\xFC" } +}; + +static time_t authtime = 1120440609; +static const char *user = "w2003final$@WIN2K3.THINKER.LOCAL"; + +int +main(int argc, char **argv) +{ + krb5_error_code ret; + krb5_context context; + krb5_pac pac; + krb5_data data; + krb5_principal p; + + ret = krb5_init_context(&context); + if (ret) + errx(1, "krb5_init_contex"); + + ret = krb5_parse_name(context, user, &p); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + + ret = krb5_pac_parse(context, saved_pac, sizeof(saved_pac), &pac); + if (ret) + krb5_err(context, 1, ret, "krb5_pac_parse"); + + ret = krb5_pac_verify(context, pac, authtime, p, + &member_keyblock, &kdc_keyblock); + if (ret) + krb5_err(context, 1, ret, "krb5_pac_verify"); + + ret = _krb5_pac_sign(context, pac, authtime, p, + &member_keyblock, &kdc_keyblock, &data); + if (ret) + krb5_err(context, 1, ret, "_krb5_pac_sign"); + + krb5_pac_free(context, pac); + + ret = krb5_pac_parse(context, data.data, data.length, &pac); + krb5_data_free(&data); + if (ret) + krb5_err(context, 1, ret, "krb5_pac_parse 2"); + + ret = krb5_pac_verify(context, pac, authtime, p, + &member_keyblock, &kdc_keyblock); + if (ret) + krb5_err(context, 1, ret, "krb5_pac_verify 2"); + + /* make a copy and try to reproduce it */ + { + uint32_t *list; + size_t len, i; + krb5_pac pac2; + + ret = krb5_pac_init(context, &pac2); + if (ret) + krb5_err(context, 1, ret, "krb5_pac_init"); + + /* our two user buffer plus the three "system" buffers */ + ret = krb5_pac_get_types(context, pac, &len, &list); + if (ret) + krb5_err(context, 1, ret, "krb5_pac_get_types"); + + for (i = 0; i < len; i++) { + /* skip server_cksum, privsvr_cksum, and logon_name */ + if (list[i] == 6 || list[i] == 7 || list[i] == 10) + continue; + + ret = krb5_pac_get_buffer(context, pac, list[i], &data); + if (ret) + krb5_err(context, 1, ret, "krb5_pac_get_buffer"); + + if (list[i] == 1) { + if (type_1_length != data.length) + krb5_errx(context, 1, "type 1 have wrong length: %lu", + (unsigned long)data.length); + } else + krb5_errx(context, 1, "unknown type %lu", + (unsigned long)list[i]); + + ret = krb5_pac_add_buffer(context, pac2, list[i], &data); + if (ret) + krb5_err(context, 1, ret, "krb5_pac_add_buffer"); + krb5_data_free(&data); + } + free(list); + + ret = _krb5_pac_sign(context, pac2, authtime, p, + &member_keyblock, &kdc_keyblock, &data); + if (ret) + krb5_err(context, 1, ret, "_krb5_pac_sign 4"); + + krb5_pac_free(context, pac2); + + ret = krb5_pac_parse(context, data.data, data.length, &pac2); + if (ret) + krb5_err(context, 1, ret, "krb5_pac_parse 4"); + + ret = krb5_pac_verify(context, pac2, authtime, p, + &member_keyblock, &kdc_keyblock); + if (ret) + krb5_err(context, 1, ret, "krb5_pac_verify 4"); + + krb5_pac_free(context, pac2); + } + + krb5_pac_free(context, pac); + + /* + * Test empty free + */ + + ret = krb5_pac_init(context, &pac); + if (ret) + krb5_err(context, 1, ret, "krb5_pac_init"); + krb5_pac_free(context, pac); + + /* + * Test add remove buffer + */ + + ret = krb5_pac_init(context, &pac); + if (ret) + krb5_err(context, 1, ret, "krb5_pac_init"); + + { + const krb5_data cdata = { 2, "\x00\x01" } ; + + ret = krb5_pac_add_buffer(context, pac, 1, &cdata); + if (ret) + krb5_err(context, 1, ret, "krb5_pac_add_buffer"); + } + { + ret = krb5_pac_get_buffer(context, pac, 1, &data); + if (ret) + krb5_err(context, 1, ret, "krb5_pac_get_buffer"); + if (data.length != 2 || memcmp(data.data, "\x00\x01", 2) != 0) + krb5_errx(context, 1, "krb5_pac_get_buffer data not the same"); + krb5_data_free(&data); + } + + { + const krb5_data cdata = { 2, "\x02\x00" } ; + + ret = krb5_pac_add_buffer(context, pac, 2, &cdata); + if (ret) + krb5_err(context, 1, ret, "krb5_pac_add_buffer"); + } + { + ret = krb5_pac_get_buffer(context, pac, 1, &data); + if (ret) + krb5_err(context, 1, ret, "krb5_pac_get_buffer"); + if (data.length != 2 || memcmp(data.data, "\x00\x01", 2) != 0) + krb5_errx(context, 1, "krb5_pac_get_buffer data not the same"); + krb5_data_free(&data); + /* */ + ret = krb5_pac_get_buffer(context, pac, 2, &data); + if (ret) + krb5_err(context, 1, ret, "krb5_pac_get_buffer"); + if (data.length != 2 || memcmp(data.data, "\x02\x00", 2) != 0) + krb5_errx(context, 1, "krb5_pac_get_buffer data not the same"); + krb5_data_free(&data); + } + + ret = _krb5_pac_sign(context, pac, authtime, p, + &member_keyblock, &kdc_keyblock, &data); + if (ret) + krb5_err(context, 1, ret, "_krb5_pac_sign"); + + krb5_pac_free(context, pac); + + ret = krb5_pac_parse(context, data.data, data.length, &pac); + krb5_data_free(&data); + if (ret) + krb5_err(context, 1, ret, "krb5_pac_parse 3"); + + ret = krb5_pac_verify(context, pac, authtime, p, + &member_keyblock, &kdc_keyblock); + if (ret) + krb5_err(context, 1, ret, "krb5_pac_verify 3"); + + { + uint32_t *list; + size_t len; + + /* our two user buffer plus the three "system" buffers */ + ret = krb5_pac_get_types(context, pac, &len, &list); + if (ret) + krb5_err(context, 1, ret, "krb5_pac_get_types"); + if (len != 5) + krb5_errx(context, 1, "list wrong length"); + free(list); + } + + krb5_pac_free(context, pac); + + krb5_free_principal(context, p); + krb5_free_context(context); + + return 0; +} diff --git a/crypto/heimdal/lib/krb5/test_pkinit_dh2key.c b/crypto/heimdal/lib/krb5/test_pkinit_dh2key.c new file mode 100644 index 000000000000..e23bef9a9ee0 --- /dev/null +++ b/crypto/heimdal/lib/krb5/test_pkinit_dh2key.c @@ -0,0 +1,218 @@ +/* + * Copyright (c) 2005 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of KTH nor the names of its contributors may be + * used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + +#include "krb5_locl.h" +#include <err.h> +#include <getarg.h> + +RCSID("$Id: test_pkinit_dh2key.c 18809 2006-10-22 07:11:43Z lha $"); + +static void +test_dh2key(int i, + krb5_context context, + const heim_octet_string *dh, + const heim_octet_string *c_n, + const heim_octet_string *k_n, + krb5_enctype etype, + const heim_octet_string *result) +{ + krb5_error_code ret; + krb5_keyblock key; + + ret = _krb5_pk_octetstring2key(context, + etype, + dh->data, dh->length, + c_n, + k_n, + &key); + if (ret != 0) + krb5_err(context, 1, ret, "_krb5_pk_octetstring2key: %d", i); + + if (key.keyvalue.length != result->length || + memcmp(key.keyvalue.data, result->data, result->length) != 0) + krb5_errx(context, 1, "resulting key wrong: %d", i); + + krb5_free_keyblock_contents(context, &key); +} + + +struct { + krb5_enctype type; + krb5_data X; + krb5_data key; +} tests[] = { + /* 0 */ + { + ETYPE_AES256_CTS_HMAC_SHA1_96, + { + 256, + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + }, + { + 32, + "\x5e\xe5\x0d\x67\x5c\x80\x9f\xe5\x9e\x4a\x77\x62\xc5\x4b\x65\x83" + "\x75\x47\xea\xfb\x15\x9b\xd8\xcd\xc7\x5f\xfc\xa5\x91\x1e\x4c\x41" + } + }, + /* 1 */ + { + ETYPE_AES256_CTS_HMAC_SHA1_96, + { + 128, + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + }, + { + 32, + "\xac\xf7\x70\x7c\x08\x97\x3d\xdf\xdb\x27\xcd\x36\x14\x42\xcc\xfb" + "\xa3\x55\xc8\x88\x4c\xb4\x72\xf3\x7d\xa6\x36\xd0\x7d\x56\x78\x7e" + } + }, + /* 2 */ + { + ETYPE_AES256_CTS_HMAC_SHA1_96, + { + 128, + "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e" + "\x0f\x10\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d" + "\x0e\x0f\x10\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c" + "\x0d\x0e\x0f\x10\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b" + "\x0c\x0d\x0e\x0f\x10\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a" + "\x0b\x0c\x0d\x0e\x0f\x10\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09" + "\x0a\x0b\x0c\x0d\x0e\x0f\x10\x00\x01\x02\x03\x04\x05\x06\x07\x08" + }, + { + 32, + "\xc4\x42\xda\x58\x5f\xcb\x80\xe4\x3b\x47\x94\x6f\x25\x40\x93\xe3" + "\x73\x29\xd9\x90\x01\x38\x0d\xb7\x83\x71\xdb\x3a\xcf\x5c\x79\x7e" + } + }, + /* 3 */ + { + ETYPE_AES256_CTS_HMAC_SHA1_96, + { + 77, + "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e" + "\x0f\x10\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d" + "\x0e\x0f\x10\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c" + "\x0d\x0e\x0f\x10\x00\x01\x02\x03" + "\x04\x05\x06\x07\x08" + }, + { + 32, + "\x00\x53\x95\x3b\x84\xc8\x96\xf4\xeb\x38\x5c\x3f\x2e\x75\x1c\x4a" + "\x59\x0e\xd6\xff\xad\xca\x6f\xf6\x4f\x47\xeb\xeb\x8d\x78\x0f\xfc" + } + } +}; + + +static int version_flag = 0; +static int help_flag = 0; + +static struct getargs args[] = { + {"version", 0, arg_flag, &version_flag, + "print version", NULL }, + {"help", 0, arg_flag, &help_flag, + NULL, NULL } +}; + +static void +usage (int ret) +{ + arg_printusage (args, + sizeof(args)/sizeof(*args), + NULL, + ""); + exit (ret); +} + + +int +main(int argc, char **argv) +{ + krb5_context context; + krb5_error_code ret; + int i, optidx = 0; + + setprogname(argv[0]); + + if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx)) + usage(1); + + if (help_flag) + usage (0); + + if(version_flag){ + print_version(NULL); + exit(0); + } + + argc -= optidx; + argv += optidx; + + ret = krb5_init_context(&context); + if (ret) + errx (1, "krb5_init_context failed: %d", ret); + + for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) { + test_dh2key(i, context, &tests[i].X, NULL, NULL, + tests[i].type, &tests[i].key); + } + + krb5_free_context(context); + + return 0; +} diff --git a/crypto/heimdal/lib/krb5/test_plugin.c b/crypto/heimdal/lib/krb5/test_plugin.c new file mode 100644 index 000000000000..18e9fcd28674 --- /dev/null +++ b/crypto/heimdal/lib/krb5/test_plugin.c @@ -0,0 +1,126 @@ +/* + * Copyright (c) 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include <krb5_locl.h> +RCSID("$Id: test_plugin.c 22024 2007-11-03 21:36:55Z lha $"); +#include "locate_plugin.h" + +static krb5_error_code +resolve_init(krb5_context context, void **ctx) +{ + *ctx = NULL; + return 0; +} + +static void +resolve_fini(void *ctx) +{ +} + +static krb5_error_code +resolve_lookup(void *ctx, + enum locate_service_type service, + const char *realm, + int domain, + int type, + int (*add)(void *,int,struct sockaddr *), + void *addctx) +{ + struct sockaddr_in s; + + memset(&s, 0, sizeof(s)); + +#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN + s.sin_len = sizeof(s); +#endif + s.sin_family = AF_INET; + s.sin_port = htons(88); + s.sin_addr.s_addr = htonl(0x7f000002); + + if (strcmp(realm, "NOTHERE.H5L.SE") == 0) + (*add)(addctx, type, (struct sockaddr *)&s); + + return 0; +} + + +krb5plugin_service_locate_ftable resolve = { + 0, + resolve_init, + resolve_fini, + resolve_lookup +}; + + +int +main(int argc, char **argv) +{ + krb5_error_code ret; + krb5_context context; + krb5_krbhst_handle handle; + char host[MAXHOSTNAMELEN]; + int found = 0; + + setprogname(argv[0]); + + ret = krb5_init_context(&context); + if (ret) + errx(1, "krb5_init_contex"); + + ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA, "resolve", &resolve); + if (ret) + krb5_err(context, 1, ret, "krb5_plugin_register"); + + + ret = krb5_krbhst_init_flags(context, + "NOTHERE.H5L.SE", + KRB5_KRBHST_KDC, + 0, + &handle); + if (ret) + krb5_err(context, 1, ret, "krb5_krbhst_init_flags"); + + + while(krb5_krbhst_next_as_string(context, handle, host, sizeof(host)) == 0){ + found++; + if (strcmp(host, "127.0.0.2") != 0) + krb5_errx(context, 1, "wrong address: %s", host); + } + if (!found) + krb5_errx(context, 1, "failed to find host"); + + krb5_krbhst_free(context, handle); + + krb5_free_context(context); + return 0; +} diff --git a/crypto/heimdal/lib/krb5/test_prf.c b/crypto/heimdal/lib/krb5/test_prf.c new file mode 100644 index 000000000000..94fb67dffaee --- /dev/null +++ b/crypto/heimdal/lib/krb5/test_prf.c @@ -0,0 +1,102 @@ +/* + * Copyright (c) 2007 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of KTH nor the names of its contributors may be + * used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "krb5_locl.h" + +RCSID("$Id: test_prf.c 20843 2007-06-03 14:23:20Z lha $"); + +#include <hex.h> +#include <err.h> + +/* + * key: string2key(aes256, "testkey", "testkey", default_params) + * input: unhex(1122334455667788) + * output: 58b594b8a61df6e9439b7baa991ff5c1 + * + * key: string2key(aes128, "testkey", "testkey", default_params) + * input: unhex(1122334455667788) + * output: ffa2f823aa7f83a8ce3c5fb730587129 + */ + +int +main(int argc, char **argv) +{ + krb5_context context; + krb5_error_code ret; + krb5_keyblock key; + krb5_crypto crypto; + size_t length; + krb5_data input, output, output2; + krb5_enctype etype = ETYPE_AES256_CTS_HMAC_SHA1_96; + + ret = krb5_init_context(&context); + if (ret) + errx(1, "krb5_init_context %d", ret); + + ret = krb5_generate_random_keyblock(context, etype, &key); + if (ret) + krb5_err(context, 1, ret, "krb5_generate_random_keyblock"); + + ret = krb5_crypto_prf_length(context, etype, &length); + if (ret) + krb5_err(context, 1, ret, "krb5_crypto_prf_length"); + + ret = krb5_crypto_init(context, &key, 0, &crypto); + if (ret) + krb5_err(context, 1, ret, "krb5_crypto_init"); + + input.data = rk_UNCONST("foo"); + input.length = 3; + + ret = krb5_crypto_prf(context, crypto, &input, &output); + if (ret) + krb5_err(context, 1, ret, "krb5_crypto_prf"); + + ret = krb5_crypto_prf(context, crypto, &input, &output2); + if (ret) + krb5_err(context, 1, ret, "krb5_crypto_prf"); + + if (krb5_data_cmp(&output, &output2) != 0) + krb5_errx(context, 1, "krb5_data_cmp"); + + krb5_data_free(&output); + krb5_data_free(&output2); + + krb5_crypto_destroy(context, crypto); + + krb5_free_keyblock_contents(context, &key); + + krb5_free_context(context); + + return 0; +} diff --git a/crypto/heimdal/lib/krb5/test_princ.c b/crypto/heimdal/lib/krb5/test_princ.c new file mode 100644 index 000000000000..d1036c1b3b44 --- /dev/null +++ b/crypto/heimdal/lib/krb5/test_princ.c @@ -0,0 +1,366 @@ +/* + * Copyright (c) 2003 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of KTH nor the names of its contributors may be + * used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + +#include "krb5_locl.h" +#include <err.h> + +RCSID("$Id: test_princ.c 22071 2007-11-14 20:04:50Z lha $"); + +/* + * Check that a closed cc still keeps it data and that it's no longer + * there when it's destroyed. + */ + +static void +test_princ(krb5_context context) +{ + const char *princ = "lha@SU.SE"; + const char *princ_short = "lha"; + const char *noquote; + krb5_error_code ret; + char *princ_unparsed; + char *princ_reformed = NULL; + const char *realm; + + krb5_principal p, p2; + + ret = krb5_parse_name(context, princ, &p); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + + ret = krb5_unparse_name(context, p, &princ_unparsed); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + + if (strcmp(princ, princ_unparsed)) { + krb5_errx(context, 1, "%s != %s", princ, princ_unparsed); + } + + free(princ_unparsed); + + ret = krb5_unparse_name_flags(context, p, + KRB5_PRINCIPAL_UNPARSE_NO_REALM, + &princ_unparsed); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + + if (strcmp(princ_short, princ_unparsed)) + krb5_errx(context, 1, "%s != %s", princ_short, princ_unparsed); + free(princ_unparsed); + + realm = krb5_principal_get_realm(context, p); + + asprintf(&princ_reformed, "%s@%s", princ_short, realm); + + ret = krb5_parse_name(context, princ_reformed, &p2); + free(princ_reformed); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + + if (!krb5_principal_compare(context, p, p2)) { + krb5_errx(context, 1, "p != p2"); + } + + krb5_free_principal(context, p2); + + ret = krb5_set_default_realm(context, "SU.SE"); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + + ret = krb5_unparse_name_flags(context, p, + KRB5_PRINCIPAL_UNPARSE_SHORT, + &princ_unparsed); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + + if (strcmp(princ_short, princ_unparsed)) + krb5_errx(context, 1, "'%s' != '%s'", princ_short, princ_unparsed); + free(princ_unparsed); + + ret = krb5_parse_name(context, princ_short, &p2); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + + if (!krb5_principal_compare(context, p, p2)) + krb5_errx(context, 1, "p != p2"); + krb5_free_principal(context, p2); + + ret = krb5_unparse_name(context, p, &princ_unparsed); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + + if (strcmp(princ, princ_unparsed)) + krb5_errx(context, 1, "'%s' != '%s'", princ, princ_unparsed); + free(princ_unparsed); + + ret = krb5_set_default_realm(context, "SAMBA.ORG"); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + + ret = krb5_parse_name(context, princ_short, &p2); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + + if (krb5_principal_compare(context, p, p2)) + krb5_errx(context, 1, "p == p2"); + + if (!krb5_principal_compare_any_realm(context, p, p2)) + krb5_errx(context, 1, "(ignoring realms) p != p2"); + + ret = krb5_unparse_name(context, p2, &princ_unparsed); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + + if (strcmp(princ, princ_unparsed) == 0) + krb5_errx(context, 1, "%s == %s", princ, princ_unparsed); + free(princ_unparsed); + + krb5_free_principal(context, p2); + + ret = krb5_parse_name(context, princ, &p2); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + + if (!krb5_principal_compare(context, p, p2)) + krb5_errx(context, 1, "p != p2"); + + ret = krb5_unparse_name(context, p2, &princ_unparsed); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + + if (strcmp(princ, princ_unparsed)) + krb5_errx(context, 1, "'%s' != '%s'", princ, princ_unparsed); + free(princ_unparsed); + + krb5_free_principal(context, p2); + + ret = krb5_unparse_name_flags(context, p, + KRB5_PRINCIPAL_UNPARSE_SHORT, + &princ_unparsed); + if (ret) + krb5_err(context, 1, ret, "krb5_unparse_name_short"); + + if (strcmp(princ, princ_unparsed) != 0) + krb5_errx(context, 1, "'%s' != '%s'", princ, princ_unparsed); + free(princ_unparsed); + + ret = krb5_unparse_name(context, p, &princ_unparsed); + if (ret) + krb5_err(context, 1, ret, "krb5_unparse_name_short"); + + if (strcmp(princ, princ_unparsed)) + krb5_errx(context, 1, "'%s' != '%s'", princ, princ_unparsed); + free(princ_unparsed); + + ret = krb5_parse_name_flags(context, princ, + KRB5_PRINCIPAL_PARSE_NO_REALM, + &p2); + if (!ret) + krb5_err(context, 1, ret, "Should have failed to parse %s a " + "short name", princ); + + ret = krb5_parse_name_flags(context, princ_short, + KRB5_PRINCIPAL_PARSE_NO_REALM, + &p2); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + + ret = krb5_unparse_name_flags(context, p2, + KRB5_PRINCIPAL_UNPARSE_NO_REALM, + &princ_unparsed); + krb5_free_principal(context, p2); + if (ret) + krb5_err(context, 1, ret, "krb5_unparse_name_norealm"); + + if (strcmp(princ_short, princ_unparsed)) + krb5_errx(context, 1, "'%s' != '%s'", princ_short, princ_unparsed); + free(princ_unparsed); + + ret = krb5_parse_name_flags(context, princ_short, + KRB5_PRINCIPAL_PARSE_MUST_REALM, + &p2); + if (!ret) + krb5_err(context, 1, ret, "Should have failed to parse %s " + "because it lacked a realm", princ_short); + + ret = krb5_parse_name_flags(context, princ, + KRB5_PRINCIPAL_PARSE_MUST_REALM, + &p2); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + + if (!krb5_principal_compare(context, p, p2)) + krb5_errx(context, 1, "p != p2"); + + ret = krb5_unparse_name_flags(context, p2, + KRB5_PRINCIPAL_UNPARSE_NO_REALM, + &princ_unparsed); + krb5_free_principal(context, p2); + if (ret) + krb5_err(context, 1, ret, "krb5_unparse_name_norealm"); + + if (strcmp(princ_short, princ_unparsed)) + krb5_errx(context, 1, "'%s' != '%s'", princ_short, princ_unparsed); + free(princ_unparsed); + + krb5_free_principal(context, p); + + /* test quoting */ + + princ = "test\\ principal@SU.SE"; + noquote = "test principal@SU.SE"; + + ret = krb5_parse_name_flags(context, princ, 0, &p); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + + ret = krb5_unparse_name_flags(context, p, 0, &princ_unparsed); + if (ret) + krb5_err(context, 1, ret, "krb5_unparse_name_flags"); + + if (strcmp(princ, princ_unparsed)) + krb5_errx(context, 1, "q '%s' != '%s'", princ, princ_unparsed); + free(princ_unparsed); + + ret = krb5_unparse_name_flags(context, p, KRB5_PRINCIPAL_UNPARSE_DISPLAY, + &princ_unparsed); + if (ret) + krb5_err(context, 1, ret, "krb5_unparse_name_flags"); + + if (strcmp(noquote, princ_unparsed)) + krb5_errx(context, 1, "nq '%s' != '%s'", noquote, princ_unparsed); + free(princ_unparsed); + + krb5_free_principal(context, p); +} + +static void +test_enterprise(krb5_context context) +{ + krb5_error_code ret; + char *unparsed; + krb5_principal p; + + ret = krb5_set_default_realm(context, "SAMBA.ORG"); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name"); + + ret = krb5_parse_name_flags(context, "lha@su.se@WIN.SU.SE", + KRB5_PRINCIPAL_PARSE_ENTERPRISE, &p); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name_flags"); + + ret = krb5_unparse_name(context, p, &unparsed); + if (ret) + krb5_err(context, 1, ret, "krb5_unparse_name"); + + krb5_free_principal(context, p); + + if (strcmp(unparsed, "lha\\@su.se@WIN.SU.SE") != 0) + krb5_errx(context, 1, "enterprise name failed 1"); + free(unparsed); + + /* + * + */ + + ret = krb5_parse_name_flags(context, "lha\\@su.se@WIN.SU.SE", + KRB5_PRINCIPAL_PARSE_ENTERPRISE, &p); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name_flags"); + + ret = krb5_unparse_name(context, p, &unparsed); + if (ret) + krb5_err(context, 1, ret, "krb5_unparse_name"); + + krb5_free_principal(context, p); + if (strcmp(unparsed, "lha\\@su.se\\@WIN.SU.SE@SAMBA.ORG") != 0) + krb5_errx(context, 1, "enterprise name failed 2: %s", unparsed); + free(unparsed); + + /* + * + */ + + ret = krb5_parse_name_flags(context, "lha\\@su.se@WIN.SU.SE", 0, &p); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name_flags"); + + ret = krb5_unparse_name(context, p, &unparsed); + if (ret) + krb5_err(context, 1, ret, "krb5_unparse_name"); + + krb5_free_principal(context, p); + if (strcmp(unparsed, "lha\\@su.se@WIN.SU.SE") != 0) + krb5_errx(context, 1, "enterprise name failed 3"); + free(unparsed); + + /* + * + */ + + ret = krb5_parse_name_flags(context, "lha@su.se", + KRB5_PRINCIPAL_PARSE_ENTERPRISE, &p); + if (ret) + krb5_err(context, 1, ret, "krb5_parse_name_flags"); + + ret = krb5_unparse_name(context, p, &unparsed); + if (ret) + krb5_err(context, 1, ret, "krb5_unparse_name"); + + krb5_free_principal(context, p); + if (strcmp(unparsed, "lha\\@su.se@SAMBA.ORG") != 0) + krb5_errx(context, 1, "enterprise name failed 2: %s", unparsed); + free(unparsed); +} + + +int +main(int argc, char **argv) +{ + krb5_context context; + krb5_error_code ret; + + setprogname(argv[0]); + + ret = krb5_init_context(&context); + if (ret) + errx (1, "krb5_init_context failed: %d", ret); + + test_princ(context); + + test_enterprise(context); + + krb5_free_context(context); + + return 0; +} diff --git a/crypto/heimdal/lib/krb5/test_renew.c b/crypto/heimdal/lib/krb5/test_renew.c new file mode 100644 index 000000000000..5fa2de1b9fa0 --- /dev/null +++ b/crypto/heimdal/lib/krb5/test_renew.c @@ -0,0 +1,122 @@ +/* + * Copyright (c) 2007 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of KTH nor the names of its contributors may be + * used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "krb5_locl.h" +#include <err.h> +#include <getarg.h> + +RCSID("$Id$"); + + +static int version_flag = 0; +static int help_flag = 0; + +static struct getargs args[] = { + {"version", 0, arg_flag, &version_flag, + "print version", NULL }, + {"help", 0, arg_flag, &help_flag, + NULL, NULL } +}; + +static void +usage (int ret) +{ + arg_printusage (args, + sizeof(args)/sizeof(*args), + NULL, + "[principal]"); + exit (ret); +} + +int +main(int argc, char **argv) +{ + krb5_principal client; + krb5_context context; + const char *in_tkt_service = NULL; + krb5_ccache id; + krb5_error_code ret; + krb5_creds out;; + int optidx = 0; + + setprogname(argv[0]); + + if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx)) + usage(1); + + if (help_flag) + usage (0); + + if(version_flag){ + print_version(NULL); + exit(0); + } + + argc -= optidx; + argv += optidx; + + if (argc > 0) + in_tkt_service = argv[0]; + + memset(&out, 0, sizeof(out)); + + ret = krb5_init_context(&context); + if (ret) + krb5_err(context, 1, ret, "krb5_init_context"); + + ret = krb5_cc_default(context, &id); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_default"); + + ret = krb5_cc_get_principal(context, id, &client); + if (ret) + krb5_err(context, 1, ret, "krb5_cc_default"); + + ret = krb5_get_renewed_creds(context, + &out, + client, + id, + in_tkt_service); + + if(ret) + krb5_err(context, 1, ret, "krb5_get_kdc_cred"); + + if (krb5_principal_compare(context, out.client, client) != TRUE) + krb5_errx(context, 1, "return principal is not as expected"); + + krb5_free_cred_contents(context, &out); + + krb5_free_context(context); + + return 0; +} diff --git a/crypto/heimdal/lib/krb5/test_store.c b/crypto/heimdal/lib/krb5/test_store.c new file mode 100644 index 000000000000..2ce6c8dac363 --- /dev/null +++ b/crypto/heimdal/lib/krb5/test_store.c @@ -0,0 +1,252 @@ +/* + * Copyright (c) 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of KTH nor the names of its contributors may be + * used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + +#include "krb5_locl.h" +#include <getarg.h> + +RCSID("$Id: test_store.c 20192 2007-02-05 23:21:03Z lha $"); + +static void +test_int8(krb5_context context, krb5_storage *sp) +{ + krb5_error_code ret; + int i; + int8_t val[] = { + 0, 1, -1, 128, -127 + }, v; + + for (i = 0; i < sizeof(val[0])/sizeof(val); i++) { + + ret = krb5_store_int8(sp, val[i]); + if (ret) + krb5_err(context, 1, ret, "krb5_store_int8"); + krb5_storage_seek(sp, 0, SEEK_SET); + ret = krb5_ret_int8(sp, &v); + if (ret) + krb5_err(context, 1, ret, "krb5_ret_int8"); + if (v != val[i]) + krb5_errx(context, 1, "store and ret mismatch"); + } +} + +static void +test_int16(krb5_context context, krb5_storage *sp) +{ + krb5_error_code ret; + int i; + int16_t val[] = { + 0, 1, -1, 32768, -32767 + }, v; + + for (i = 0; i < sizeof(val[0])/sizeof(val); i++) { + + ret = krb5_store_int16(sp, val[i]); + if (ret) + krb5_err(context, 1, ret, "krb5_store_int16"); + krb5_storage_seek(sp, 0, SEEK_SET); + ret = krb5_ret_int16(sp, &v); + if (ret) + krb5_err(context, 1, ret, "krb5_ret_int16"); + if (v != val[i]) + krb5_errx(context, 1, "store and ret mismatch"); + } +} + +static void +test_int32(krb5_context context, krb5_storage *sp) +{ + krb5_error_code ret; + int i; + int32_t val[] = { + 0, 1, -1, 2147483647, -2147483646 + }, v; + + for (i = 0; i < sizeof(val[0])/sizeof(val); i++) { + + ret = krb5_store_int32(sp, val[i]); + if (ret) + krb5_err(context, 1, ret, "krb5_store_int32"); + krb5_storage_seek(sp, 0, SEEK_SET); + ret = krb5_ret_int32(sp, &v); + if (ret) + krb5_err(context, 1, ret, "krb5_ret_int32"); + if (v != val[i]) + krb5_errx(context, 1, "store and ret mismatch"); + } +} + +static void +test_uint8(krb5_context context, krb5_storage *sp) +{ + krb5_error_code ret; + int i; + uint8_t val[] = { + 0, 1, 255 + }, v; + + for (i = 0; i < sizeof(val[0])/sizeof(val); i++) { + + ret = krb5_store_uint8(sp, val[i]); + if (ret) + krb5_err(context, 1, ret, "krb5_store_uint8"); + krb5_storage_seek(sp, 0, SEEK_SET); + ret = krb5_ret_uint8(sp, &v); + if (ret) + krb5_err(context, 1, ret, "krb5_ret_uint8"); + if (v != val[i]) + krb5_errx(context, 1, "store and ret mismatch"); + } +} + +static void +test_uint16(krb5_context context, krb5_storage *sp) +{ + krb5_error_code ret; + int i; + uint16_t val[] = { + 0, 1, 65535 + }, v; + + for (i = 0; i < sizeof(val[0])/sizeof(val); i++) { + + ret = krb5_store_uint16(sp, val[i]); + if (ret) + krb5_err(context, 1, ret, "krb5_store_uint16"); + krb5_storage_seek(sp, 0, SEEK_SET); + ret = krb5_ret_uint16(sp, &v); + if (ret) + krb5_err(context, 1, ret, "krb5_ret_uint16"); + if (v != val[i]) + krb5_errx(context, 1, "store and ret mismatch"); + } +} + +static void +test_uint32(krb5_context context, krb5_storage *sp) +{ + krb5_error_code ret; + int i; + uint32_t val[] = { + 0, 1, 4294967295UL + }, v; + + for (i = 0; i < sizeof(val[0])/sizeof(val); i++) { + + ret = krb5_store_uint32(sp, val[i]); + if (ret) + krb5_err(context, 1, ret, "krb5_store_uint32"); + krb5_storage_seek(sp, 0, SEEK_SET); + ret = krb5_ret_uint32(sp, &v); + if (ret) + krb5_err(context, 1, ret, "krb5_ret_uint32"); + if (v != val[i]) + krb5_errx(context, 1, "store and ret mismatch"); + } +} + + +static void +test_storage(krb5_context context) +{ + krb5_storage *sp; + + sp = krb5_storage_emem(); + if (sp == NULL) + krb5_errx(context, 1, "krb5_storage_emem: no mem"); + + test_int8(context, sp); + test_int16(context, sp); + test_int32(context, sp); + test_uint8(context, sp); + test_uint16(context, sp); + test_uint32(context, sp); + + krb5_storage_free(sp); +} + +/* + * + */ + +static int version_flag = 0; +static int help_flag = 0; + +static struct getargs args[] = { + {"version", 0, arg_flag, &version_flag, + "print version", NULL }, + {"help", 0, arg_flag, &help_flag, + NULL, NULL } +}; + +static void +usage (int ret) +{ + arg_printusage (args, + sizeof(args)/sizeof(*args), + NULL, + ""); + exit (ret); +} + +int +main(int argc, char **argv) +{ + krb5_context context; + krb5_error_code ret; + int optidx = 0; + + setprogname(argv[0]); + + if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx)) + usage(1); + + if (help_flag) + usage (0); + + if(version_flag){ + print_version(NULL); + exit(0); + } + + argc -= optidx; + argv += optidx; + + ret = krb5_init_context (&context); + if (ret) + errx (1, "krb5_init_context failed: %d", ret); + + test_storage(context); + + krb5_free_context(context); + + return 0; +} diff --git a/crypto/heimdal/lib/krb5/test_time.c b/crypto/heimdal/lib/krb5/test_time.c new file mode 100644 index 000000000000..02a0204477c7 --- /dev/null +++ b/crypto/heimdal/lib/krb5/test_time.c @@ -0,0 +1,87 @@ +/* + * Copyright (c) 2003 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of KTH nor the names of its contributors may be + * used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "krb5_locl.h" +#include <err.h> + +RCSID("$Id: test_time.c 18809 2006-10-22 07:11:43Z lha $"); + +static void +check_set_time(krb5_context context) +{ + krb5_error_code ret; + krb5_timestamp sec; + int32_t usec; + struct timeval tv; + int diff = 10; + int diff2; + + gettimeofday(&tv, NULL); + + ret = krb5_set_real_time(context, tv.tv_sec + diff, tv.tv_usec); + if (ret) + krb5_err(context, 1, ret, "krb5_us_timeofday"); + + ret = krb5_us_timeofday(context, &sec, &usec); + if (ret) + krb5_err(context, 1, ret, "krb5_us_timeofday"); + + diff2 = abs(sec - tv.tv_sec); + + if (diff2 < 9 || diff > 11) + krb5_errx(context, 1, "set time error: diff: %d", + abs(sec - tv.tv_sec)); +} + + + +int +main(int argc, char **argv) +{ + krb5_context context; + krb5_error_code ret; + + ret = krb5_init_context(&context); + if (ret) + errx(1, "krb5_init_context %d", ret); + + check_set_time(context); + check_set_time(context); + check_set_time(context); + check_set_time(context); + check_set_time(context); + + krb5_free_context(context); + + return 0; +} diff --git a/crypto/heimdal/lib/krb5/ticket.c b/crypto/heimdal/lib/krb5/ticket.c index 888218ee007e..7eb4d32fad57 100644 --- a/crypto/heimdal/lib/krb5/ticket.c +++ b/crypto/heimdal/lib/krb5/ticket.c @@ -33,19 +33,20 @@ #include "krb5_locl.h" -RCSID("$Id: ticket.c,v 1.5.8.1 2003/09/18 21:01:57 lha Exp $"); +RCSID("$Id: ticket.c 19544 2006-12-28 20:49:18Z lha $"); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_ticket(krb5_context context, krb5_ticket *ticket) { free_EncTicketPart(&ticket->ticket); krb5_free_principal(context, ticket->client); krb5_free_principal(context, ticket->server); + free(ticket); return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_ticket(krb5_context context, const krb5_ticket *from, krb5_ticket **to) @@ -79,3 +80,193 @@ krb5_copy_ticket(krb5_context context, *to = tmp; return 0; } + +krb5_error_code KRB5_LIB_FUNCTION +krb5_ticket_get_client(krb5_context context, + const krb5_ticket *ticket, + krb5_principal *client) +{ + return krb5_copy_principal(context, ticket->client, client); +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_ticket_get_server(krb5_context context, + const krb5_ticket *ticket, + krb5_principal *server) +{ + return krb5_copy_principal(context, ticket->server, server); +} + +time_t KRB5_LIB_FUNCTION +krb5_ticket_get_endtime(krb5_context context, + const krb5_ticket *ticket) +{ + return ticket->ticket.endtime; +} + +static int +find_type_in_ad(krb5_context context, + int type, + krb5_data *data, + krb5_boolean *found, + krb5_boolean failp, + krb5_keyblock *sessionkey, + const AuthorizationData *ad, + int level) +{ + krb5_error_code ret = 0; + int i; + + if (level > 9) { + krb5_set_error_string(context, "Authorization data nested deeper " + "then %d levels, stop searching", level); + ret = ENOENT; /* XXX */ + goto out; + } + + /* + * Only copy out the element the first time we get to it, we need + * to run over the whole authorization data fields to check if + * there are any container clases we need to care about. + */ + for (i = 0; i < ad->len; i++) { + if (!*found && ad->val[i].ad_type == type) { + ret = der_copy_octet_string(&ad->val[i].ad_data, data); + if (ret) { + krb5_set_error_string(context, "malloc - out of memory"); + goto out; + } + *found = TRUE; + continue; + } + switch (ad->val[i].ad_type) { + case KRB5_AUTHDATA_IF_RELEVANT: { + AuthorizationData child; + ret = decode_AuthorizationData(ad->val[i].ad_data.data, + ad->val[i].ad_data.length, + &child, + NULL); + if (ret) { + krb5_set_error_string(context, "Failed to decode " + "IF_RELEVANT with %d", ret); + goto out; + } + ret = find_type_in_ad(context, type, data, found, FALSE, + sessionkey, &child, level + 1); + free_AuthorizationData(&child); + if (ret) + goto out; + break; + } +#if 0 /* XXX test */ + case KRB5_AUTHDATA_KDC_ISSUED: { + AD_KDCIssued child; + + ret = decode_AD_KDCIssued(ad->val[i].ad_data.data, + ad->val[i].ad_data.length, + &child, + NULL); + if (ret) { + krb5_set_error_string(context, "Failed to decode " + "AD_KDCIssued with %d", ret); + goto out; + } + if (failp) { + krb5_boolean valid; + krb5_data buf; + size_t len; + + ASN1_MALLOC_ENCODE(AuthorizationData, buf.data, buf.length, + &child.elements, &len, ret); + if (ret) { + free_AD_KDCIssued(&child); + krb5_clear_error_string(context); + goto out; + } + if(buf.length != len) + krb5_abortx(context, "internal error in ASN.1 encoder"); + + ret = krb5_c_verify_checksum(context, sessionkey, 19, &buf, + &child.ad_checksum, &valid); + krb5_data_free(&buf); + if (ret) { + free_AD_KDCIssued(&child); + goto out; + } + if (!valid) { + krb5_clear_error_string(context); + ret = ENOENT; + free_AD_KDCIssued(&child); + goto out; + } + } + ret = find_type_in_ad(context, type, data, found, failp, sessionkey, + &child.elements, level + 1); + free_AD_KDCIssued(&child); + if (ret) + goto out; + break; + } +#endif + case KRB5_AUTHDATA_AND_OR: + if (!failp) + break; + krb5_set_error_string(context, "Authorization data contains " + "AND-OR element that is unknown to the " + "application"); + ret = ENOENT; /* XXX */ + goto out; + default: + if (!failp) + break; + krb5_set_error_string(context, "Authorization data contains " + "unknown type (%d) ", ad->val[i].ad_type); + ret = ENOENT; /* XXX */ + goto out; + } + } +out: + if (ret) { + if (*found) { + krb5_data_free(data); + *found = 0; + } + } + return ret; +} + +/* + * Extract the authorization data type of `type' from the + * 'ticket'. Store the field in `data'. This function is to use for + * kerberos applications. + */ + +krb5_error_code KRB5_LIB_FUNCTION +krb5_ticket_get_authorization_data_type(krb5_context context, + krb5_ticket *ticket, + int type, + krb5_data *data) +{ + AuthorizationData *ad; + krb5_error_code ret; + krb5_boolean found = FALSE; + + krb5_data_zero(data); + + ad = ticket->ticket.authorization_data; + if (ticket->ticket.authorization_data == NULL) { + krb5_set_error_string(context, "Ticket have not authorization data"); + return ENOENT; /* XXX */ + } + + ret = find_type_in_ad(context, type, data, &found, TRUE, + &ticket->ticket.key, ad, 0); + if (ret) + return ret; + if (!found) { + krb5_set_error_string(context, "Ticket have not authorization " + "data of type %d", type); + return ENOENT; /* XXX */ + } + return 0; +} diff --git a/crypto/heimdal/lib/krb5/time.c b/crypto/heimdal/lib/krb5/time.c index 9346546006a0..4cd992d48f27 100644 --- a/crypto/heimdal/lib/krb5/time.c +++ b/crypto/heimdal/lib/krb5/time.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,13 +33,38 @@ #include "krb5_locl.h" -RCSID("$Id: time.c,v 1.5 2001/05/02 10:06:11 joda Exp $"); +RCSID("$Id: time.c 14308 2004-10-13 17:57:11Z lha $"); + +/* + * Set the absolute time that the caller knows the kdc has so the + * kerberos library can calculate the relative diffrence beteen the + * KDC time and local system time. + */ + +krb5_error_code KRB5_LIB_FUNCTION +krb5_set_real_time (krb5_context context, + krb5_timestamp sec, + int32_t usec) +{ + struct timeval tv; + + gettimeofday(&tv, NULL); + + context->kdc_sec_offset = sec - tv.tv_sec; + context->kdc_usec_offset = usec - tv.tv_usec; + + if (context->kdc_usec_offset < 0) { + context->kdc_sec_offset--; + context->kdc_usec_offset += 1000000; + } + return 0; +} /* * return ``corrected'' time in `timeret'. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_timeofday (krb5_context context, krb5_timestamp *timeret) { @@ -51,9 +76,9 @@ krb5_timeofday (krb5_context context, * like gettimeofday but with time correction to the KDC */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_us_timeofday (krb5_context context, - int32_t *sec, + krb5_timestamp *sec, int32_t *usec) { struct timeval tv; @@ -65,7 +90,7 @@ krb5_us_timeofday (krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_format_time(krb5_context context, time_t t, char *s, size_t len, krb5_boolean include_time) { @@ -74,14 +99,16 @@ krb5_format_time(krb5_context context, time_t t, tm = gmtime (&t); else tm = localtime(&t); - strftime(s, len, include_time ? context->time_fmt : context->date_fmt, tm); + if(tm == NULL || + strftime(s, len, include_time ? context->time_fmt : context->date_fmt, tm) == 0) + snprintf(s, len, "%ld", (long)t); return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_deltat(const char *string, krb5_deltat *deltat) { if((*deltat = parse_time(string, "s")) == -1) - return EINVAL; + return KRB5_DELTAT_BADFORMAT; return 0; } diff --git a/crypto/heimdal/lib/krb5/transited.c b/crypto/heimdal/lib/krb5/transited.c index 8f48ff1d93fd..9b67ecc04f26 100644 --- a/crypto/heimdal/lib/krb5/transited.c +++ b/crypto/heimdal/lib/krb5/transited.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: transited.c,v 1.10.2.3 2003/10/22 06:07:41 lha Exp $"); +RCSID("$Id: transited.c 21745 2007-07-31 16:11:25Z lha $"); /* this is an attempt at one of the most horrible `compression' schemes that has ever been invented; it's so amazingly brain-dead @@ -69,10 +69,10 @@ make_path(krb5_context context, struct tr_realm *r, struct tr_realm *tmp; if(strlen(from) < strlen(to)){ - const char *tmp; - tmp = from; + const char *str; + str = from; from = to; - to = tmp; + to = str; } if(strcmp(from + strlen(from) - strlen(to), to) == 0){ @@ -87,6 +87,10 @@ make_path(krb5_context context, struct tr_realm *r, if(strcmp(p, to) == 0) break; tmp = calloc(1, sizeof(*tmp)); + if(tmp == NULL){ + krb5_set_error_string (context, "malloc: out of memory"); + return ENOMEM; + } tmp->next = path; path = tmp; path->realm = strdup(p); @@ -100,11 +104,17 @@ make_path(krb5_context context, struct tr_realm *r, p = from + strlen(from); while(1){ while(p >= from && *p != '/') p--; - if(p == from) + if(p == from) { + r->next = path; /* XXX */ return KRB5KDC_ERR_POLICY; + } if(strncmp(to, from, p - from) == 0) break; tmp = calloc(1, sizeof(*tmp)); + if(tmp == NULL){ + krb5_set_error_string (context, "malloc: out of memory"); + return ENOMEM; + } tmp->next = path; path = tmp; path->realm = malloc(p - from + 1); @@ -166,10 +176,13 @@ expand_realms(krb5_context context, for(r = realms; r; r = r->next){ if(r->trailing_dot){ char *tmp; - size_t len = strlen(r->realm) + strlen(prev_realm) + 1; + size_t len; if(prev_realm == NULL) prev_realm = client_realm; + + len = strlen(r->realm) + strlen(prev_realm) + 1; + tmp = realloc(r->realm, len); if(tmp == NULL){ free_realms(realms); @@ -272,6 +285,10 @@ decode_realms(krb5_context context, } if(tr[i] == ','){ tmp = malloc(tr + i - start + 1); + if(tmp == NULL){ + krb5_set_error_string (context, "malloc: out of memory"); + return ENOMEM; + } memcpy(tmp, start, tr + i - start); tmp[tr + i - start] = '\0'; r = make_realm(tmp); @@ -285,6 +302,11 @@ decode_realms(krb5_context context, } } tmp = malloc(tr + i - start + 1); + if(tmp == NULL){ + free(*realms); + krb5_set_error_string (context, "malloc: out of memory"); + return ENOMEM; + } memcpy(tmp, start, tr + i - start); tmp[tr + i - start] = '\0'; r = make_realm(tmp); @@ -299,7 +321,7 @@ decode_realms(krb5_context context, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_domain_x500_decode(krb5_context context, krb5_data tr, char ***realms, int *num_realms, const char *client_realm, const char *server_realm) @@ -362,7 +384,7 @@ krb5_domain_x500_decode(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_domain_x500_encode(char **realms, int num_realms, krb5_data *encoding) { char *s = NULL; @@ -393,7 +415,7 @@ krb5_domain_x500_encode(char **realms, int num_realms, krb5_data *encoding) return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_check_transited(krb5_context context, krb5_const_realm client_realm, krb5_const_realm server_realm, @@ -431,7 +453,7 @@ krb5_check_transited(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_check_transited_realms(krb5_context context, const char *const *realms, int num_realms, diff --git a/crypto/heimdal/lib/krb5/v4_glue.c b/crypto/heimdal/lib/krb5/v4_glue.c new file mode 100644 index 000000000000..37b1e35dd188 --- /dev/null +++ b/crypto/heimdal/lib/krb5/v4_glue.c @@ -0,0 +1,939 @@ +/* + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb5_locl.h" +RCSID("$Id: v4_glue.c 22071 2007-11-14 20:04:50Z lha $"); + +#include "krb5-v4compat.h" + +/* + * + */ + +#define RCHECK(r,func,label) \ + do { (r) = func ; if (r) goto label; } while(0); + + +/* include this here, to avoid dependencies on libkrb */ + +static const int _tkt_lifetimes[TKTLIFENUMFIXED] = { + 38400, 41055, 43894, 46929, 50174, 53643, 57352, 61318, + 65558, 70091, 74937, 80119, 85658, 91581, 97914, 104684, + 111922, 119661, 127935, 136781, 146239, 156350, 167161, 178720, + 191077, 204289, 218415, 233517, 249664, 266926, 285383, 305116, + 326213, 348769, 372885, 398668, 426234, 455705, 487215, 520904, + 556921, 595430, 636601, 680618, 727680, 777995, 831789, 889303, + 950794, 1016537, 1086825, 1161973, 1242318, 1328218, 1420057, 1518247, + 1623226, 1735464, 1855462, 1983758, 2120925, 2267576, 2424367, 2592000 +}; + +int KRB5_LIB_FUNCTION +_krb5_krb_time_to_life(time_t start, time_t end) +{ + int i; + time_t life = end - start; + + if (life > MAXTKTLIFETIME || life <= 0) + return 0; +#if 0 + if (krb_no_long_lifetimes) + return (life + 5*60 - 1)/(5*60); +#endif + + if (end >= NEVERDATE) + return TKTLIFENOEXPIRE; + if (life < _tkt_lifetimes[0]) + return (life + 5*60 - 1)/(5*60); + for (i=0; i<TKTLIFENUMFIXED; i++) + if (life <= _tkt_lifetimes[i]) + return i + TKTLIFEMINFIXED; + return 0; + +} + +time_t KRB5_LIB_FUNCTION +_krb5_krb_life_to_time(int start, int life_) +{ + unsigned char life = (unsigned char) life_; + +#if 0 + if (krb_no_long_lifetimes) + return start + life*5*60; +#endif + + if (life == TKTLIFENOEXPIRE) + return NEVERDATE; + if (life < TKTLIFEMINFIXED) + return start + life*5*60; + if (life > TKTLIFEMAXFIXED) + return start + MAXTKTLIFETIME; + return start + _tkt_lifetimes[life - TKTLIFEMINFIXED]; +} + +/* + * Get the name of the krb4 credentials cache, will use `tkfile' as + * the name if that is passed in. `cc' must be free()ed by caller, + */ + +static krb5_error_code +get_krb4_cc_name(const char *tkfile, char **cc) +{ + + *cc = NULL; + if(tkfile == NULL) { + char *path; + if(!issuid()) { + path = getenv("KRBTKFILE"); + if (path) + *cc = strdup(path); + } + if(*cc == NULL) + if (asprintf(cc, "%s%u", TKT_ROOT, (unsigned)getuid()) < 0) + return errno; + } else { + *cc = strdup(tkfile); + if (*cc == NULL) + return ENOMEM; + } + return 0; +} + +/* + * Write a Kerberos 4 ticket file + */ + +#define KRB5_TF_LCK_RETRY_COUNT 50 +#define KRB5_TF_LCK_RETRY 1 + +static krb5_error_code +write_v4_cc(krb5_context context, const char *tkfile, + krb5_storage *sp, int append) +{ + krb5_error_code ret; + struct stat sb; + krb5_data data; + char *path; + int fd, i; + + ret = get_krb4_cc_name(tkfile, &path); + if (ret) { + krb5_set_error_string(context, + "krb5_krb_tf_setup: failed getting " + "the krb4 credentials cache name"); + return ret; + } + + fd = open(path, O_WRONLY|O_CREAT, 0600); + if (fd < 0) { + ret = errno; + krb5_set_error_string(context, + "krb5_krb_tf_setup: error opening file %s", + path); + free(path); + return ret; + } + + if (fstat(fd, &sb) != 0 || !S_ISREG(sb.st_mode)) { + krb5_set_error_string(context, + "krb5_krb_tf_setup: tktfile %s is not a file", + path); + free(path); + close(fd); + return KRB5_FCC_PERM; + } + + for (i = 0; i < KRB5_TF_LCK_RETRY_COUNT; i++) { + if (flock(fd, LOCK_EX | LOCK_NB) < 0) { + sleep(KRB5_TF_LCK_RETRY); + } else + break; + } + if (i == KRB5_TF_LCK_RETRY_COUNT) { + krb5_set_error_string(context, + "krb5_krb_tf_setup: failed to lock %s", + path); + free(path); + close(fd); + return KRB5_FCC_PERM; + } + + if (!append) { + ret = ftruncate(fd, 0); + if (ret < 0) { + flock(fd, LOCK_UN); + krb5_set_error_string(context, + "krb5_krb_tf_setup: failed to truncate %s", + path); + free(path); + close(fd); + return KRB5_FCC_PERM; + } + } + ret = lseek(fd, 0L, SEEK_END); + if (ret < 0) { + ret = errno; + flock(fd, LOCK_UN); + free(path); + close(fd); + return ret; + } + + krb5_storage_to_data(sp, &data); + + ret = write(fd, data.data, data.length); + if (ret != data.length) + ret = KRB5_CC_IO; + + krb5_free_data_contents(context, &data); + + flock(fd, LOCK_UN); + free(path); + close(fd); + + return 0; +} + +/* + * + */ + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_krb_tf_setup(krb5_context context, + struct credentials *v4creds, + const char *tkfile, + int append) +{ + krb5_error_code ret; + krb5_storage *sp; + + sp = krb5_storage_emem(); + if (sp == NULL) + return ENOMEM; + + krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_HOST); + krb5_storage_set_eof_code(sp, KRB5_CC_IO); + + krb5_clear_error_string(context); + + if (!append) { + RCHECK(ret, krb5_store_stringz(sp, v4creds->pname), error); + RCHECK(ret, krb5_store_stringz(sp, v4creds->pinst), error); + } + + /* cred */ + RCHECK(ret, krb5_store_stringz(sp, v4creds->service), error); + RCHECK(ret, krb5_store_stringz(sp, v4creds->instance), error); + RCHECK(ret, krb5_store_stringz(sp, v4creds->realm), error); + ret = krb5_storage_write(sp, v4creds->session, 8); + if (ret != 8) { + ret = KRB5_CC_IO; + goto error; + } + RCHECK(ret, krb5_store_int32(sp, v4creds->lifetime), error); + RCHECK(ret, krb5_store_int32(sp, v4creds->kvno), error); + RCHECK(ret, krb5_store_int32(sp, v4creds->ticket_st.length), error); + + ret = krb5_storage_write(sp, v4creds->ticket_st.dat, + v4creds->ticket_st.length); + if (ret != v4creds->ticket_st.length) { + ret = KRB5_CC_IO; + goto error; + } + RCHECK(ret, krb5_store_int32(sp, v4creds->issue_date), error); + + ret = write_v4_cc(context, tkfile, sp, append); + + error: + krb5_storage_free(sp); + + return ret; +} + +/* + * + */ + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_krb_dest_tkt(krb5_context context, const char *tkfile) +{ + krb5_error_code ret; + char *path; + + ret = get_krb4_cc_name(tkfile, &path); + if (ret) { + krb5_set_error_string(context, + "krb5_krb_tf_setup: failed getting " + "the krb4 credentials cache name"); + return ret; + } + + if (unlink(path) < 0) { + ret = errno; + krb5_set_error_string(context, + "krb5_krb_dest_tkt failed removing the cache " + "with error %s", strerror(ret)); + } + free(path); + + return ret; +} + +/* + * + */ + +static krb5_error_code +decrypt_etext(krb5_context context, const krb5_keyblock *key, + const krb5_data *cdata, krb5_data *data) +{ + krb5_error_code ret; + krb5_crypto crypto; + + ret = krb5_crypto_init(context, key, ETYPE_DES_PCBC_NONE, &crypto); + if (ret) + return ret; + + ret = krb5_decrypt(context, crypto, 0, cdata->data, cdata->length, data); + krb5_crypto_destroy(context, crypto); + + return ret; +} + + +/* + * + */ + +static const char eightzeros[8] = "\x00\x00\x00\x00\x00\x00\x00\x00"; + +static krb5_error_code +storage_to_etext(krb5_context context, + krb5_storage *sp, + const krb5_keyblock *key, + krb5_data *enc_data) +{ + krb5_error_code ret; + krb5_crypto crypto; + krb5_ssize_t size; + krb5_data data; + + /* multiple of eight bytes */ + + size = krb5_storage_seek(sp, 0, SEEK_END); + if (size < 0) + return KRB4ET_RD_AP_UNDEC; + size = 8 - (size & 7); + + ret = krb5_storage_write(sp, eightzeros, size); + if (ret != size) + return KRB4ET_RD_AP_UNDEC; + + ret = krb5_storage_to_data(sp, &data); + if (ret) + return ret; + + ret = krb5_crypto_init(context, key, ETYPE_DES_PCBC_NONE, &crypto); + if (ret) { + krb5_data_free(&data); + return ret; + } + + ret = krb5_encrypt(context, crypto, 0, data.data, data.length, enc_data); + + krb5_data_free(&data); + krb5_crypto_destroy(context, crypto); + + return ret; +} + +/* + * + */ + +static krb5_error_code +put_nir(krb5_storage *sp, const char *name, + const char *instance, const char *realm) +{ + krb5_error_code ret; + + RCHECK(ret, krb5_store_stringz(sp, name), error); + RCHECK(ret, krb5_store_stringz(sp, instance), error); + if (realm) { + RCHECK(ret, krb5_store_stringz(sp, realm), error); + } + error: + return ret; +} + +/* + * + */ + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_krb_create_ticket(krb5_context context, + unsigned char flags, + const char *pname, + const char *pinstance, + const char *prealm, + int32_t paddress, + const krb5_keyblock *session, + int16_t life, + int32_t life_sec, + const char *sname, + const char *sinstance, + const krb5_keyblock *key, + krb5_data *enc_data) +{ + krb5_error_code ret; + krb5_storage *sp; + + krb5_data_zero(enc_data); + + sp = krb5_storage_emem(); + if (sp == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE); + + RCHECK(ret, krb5_store_int8(sp, flags), error); + RCHECK(ret, put_nir(sp, pname, pinstance, prealm), error); + RCHECK(ret, krb5_store_int32(sp, ntohl(paddress)), error); + + /* session key */ + ret = krb5_storage_write(sp, + session->keyvalue.data, + session->keyvalue.length); + if (ret != session->keyvalue.length) { + ret = KRB4ET_INTK_PROT; + goto error; + } + + RCHECK(ret, krb5_store_int8(sp, life), error); + RCHECK(ret, krb5_store_int32(sp, life_sec), error); + RCHECK(ret, put_nir(sp, sname, sinstance, NULL), error); + + ret = storage_to_etext(context, sp, key, enc_data); + + error: + krb5_storage_free(sp); + if (ret) + krb5_set_error_string(context, "Failed to encode kerberos 4 ticket"); + + return ret; +} + +/* + * + */ + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_krb_create_ciph(krb5_context context, + const krb5_keyblock *session, + const char *service, + const char *instance, + const char *realm, + uint32_t life, + unsigned char kvno, + const krb5_data *ticket, + uint32_t kdc_time, + const krb5_keyblock *key, + krb5_data *enc_data) +{ + krb5_error_code ret; + krb5_storage *sp; + + krb5_data_zero(enc_data); + + sp = krb5_storage_emem(); + if (sp == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE); + + /* session key */ + ret = krb5_storage_write(sp, + session->keyvalue.data, + session->keyvalue.length); + if (ret != session->keyvalue.length) { + ret = KRB4ET_INTK_PROT; + goto error; + } + + RCHECK(ret, put_nir(sp, service, instance, realm), error); + RCHECK(ret, krb5_store_int8(sp, life), error); + RCHECK(ret, krb5_store_int8(sp, kvno), error); + RCHECK(ret, krb5_store_int8(sp, ticket->length), error); + ret = krb5_storage_write(sp, ticket->data, ticket->length); + if (ret != ticket->length) { + ret = KRB4ET_INTK_PROT; + goto error; + } + RCHECK(ret, krb5_store_int32(sp, kdc_time), error); + + ret = storage_to_etext(context, sp, key, enc_data); + + error: + krb5_storage_free(sp); + if (ret) + krb5_set_error_string(context, "Failed to encode kerberos 4 ticket"); + + return ret; +} + +/* + * + */ + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_krb_create_auth_reply(krb5_context context, + const char *pname, + const char *pinst, + const char *prealm, + int32_t time_ws, + int n, + uint32_t x_date, + unsigned char kvno, + const krb5_data *cipher, + krb5_data *data) +{ + krb5_error_code ret; + krb5_storage *sp; + + krb5_data_zero(data); + + sp = krb5_storage_emem(); + if (sp == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE); + + RCHECK(ret, krb5_store_int8(sp, KRB_PROT_VERSION), error); + RCHECK(ret, krb5_store_int8(sp, AUTH_MSG_KDC_REPLY), error); + RCHECK(ret, put_nir(sp, pname, pinst, prealm), error); + RCHECK(ret, krb5_store_int32(sp, time_ws), error); + RCHECK(ret, krb5_store_int8(sp, n), error); + RCHECK(ret, krb5_store_int32(sp, x_date), error); + RCHECK(ret, krb5_store_int8(sp, kvno), error); + RCHECK(ret, krb5_store_int16(sp, cipher->length), error); + ret = krb5_storage_write(sp, cipher->data, cipher->length); + if (ret != cipher->length) { + ret = KRB4ET_INTK_PROT; + goto error; + } + + ret = krb5_storage_to_data(sp, data); + + error: + krb5_storage_free(sp); + if (ret) + krb5_set_error_string(context, "Failed to encode kerberos 4 ticket"); + + return ret; +} + +/* + * + */ + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_krb_cr_err_reply(krb5_context context, + const char *name, + const char *inst, + const char *realm, + uint32_t time_ws, + uint32_t e, + const char *e_string, + krb5_data *data) +{ + krb5_error_code ret; + krb5_storage *sp; + + krb5_data_zero(data); + + if (name == NULL) name = ""; + if (inst == NULL) inst = ""; + if (realm == NULL) realm = ""; + if (e_string == NULL) e_string = ""; + + sp = krb5_storage_emem(); + if (sp == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE); + + RCHECK(ret, krb5_store_int8(sp, KRB_PROT_VERSION), error); + RCHECK(ret, krb5_store_int8(sp, AUTH_MSG_ERR_REPLY), error); + RCHECK(ret, put_nir(sp, name, inst, realm), error); + RCHECK(ret, krb5_store_int32(sp, time_ws), error); + /* If it is a Kerberos 4 error-code, remove the et BASE */ + if (e >= ERROR_TABLE_BASE_krb && e <= ERROR_TABLE_BASE_krb + 255) + e -= ERROR_TABLE_BASE_krb; + RCHECK(ret, krb5_store_int32(sp, e), error); + RCHECK(ret, krb5_store_stringz(sp, e_string), error); + + ret = krb5_storage_to_data(sp, data); + + error: + krb5_storage_free(sp); + if (ret) + krb5_set_error_string(context, "Failed to encode kerberos 4 error"); + + return 0; +} + +static krb5_error_code +get_v4_stringz(krb5_storage *sp, char **str, size_t max_len) +{ + krb5_error_code ret; + + ret = krb5_ret_stringz(sp, str); + if (ret) + return ret; + if (strlen(*str) > max_len) { + free(*str); + *str = NULL; + return KRB4ET_INTK_PROT; + } + return 0; +} + +/* + * + */ + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_krb_decomp_ticket(krb5_context context, + const krb5_data *enc_ticket, + const krb5_keyblock *key, + const char *local_realm, + char **sname, + char **sinstance, + struct _krb5_krb_auth_data *ad) +{ + krb5_error_code ret; + krb5_ssize_t size; + krb5_storage *sp = NULL; + krb5_data ticket; + unsigned char des_key[8]; + + memset(ad, 0, sizeof(*ad)); + krb5_data_zero(&ticket); + + *sname = NULL; + *sinstance = NULL; + + RCHECK(ret, decrypt_etext(context, key, enc_ticket, &ticket), error); + + sp = krb5_storage_from_data(&ticket); + if (sp == NULL) { + krb5_data_free(&ticket); + krb5_set_error_string(context, "alloc: out of memory"); + return ENOMEM; + } + + krb5_storage_set_eof_code(sp, KRB4ET_INTK_PROT); + + RCHECK(ret, krb5_ret_int8(sp, &ad->k_flags), error); + RCHECK(ret, get_v4_stringz(sp, &ad->pname, ANAME_SZ), error); + RCHECK(ret, get_v4_stringz(sp, &ad->pinst, INST_SZ), error); + RCHECK(ret, get_v4_stringz(sp, &ad->prealm, REALM_SZ), error); + RCHECK(ret, krb5_ret_uint32(sp, &ad->address), error); + + size = krb5_storage_read(sp, des_key, sizeof(des_key)); + if (size != sizeof(des_key)) { + ret = KRB4ET_INTK_PROT; + goto error; + } + + RCHECK(ret, krb5_ret_uint8(sp, &ad->life), error); + + if (ad->k_flags & 1) + krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_LE); + else + krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE); + + RCHECK(ret, krb5_ret_uint32(sp, &ad->time_sec), error); + + RCHECK(ret, get_v4_stringz(sp, sname, ANAME_SZ), error); + RCHECK(ret, get_v4_stringz(sp, sinstance, INST_SZ), error); + + ret = krb5_keyblock_init(context, ETYPE_DES_PCBC_NONE, + des_key, sizeof(des_key), &ad->session); + if (ret) + goto error; + + if (strlen(ad->prealm) == 0) { + free(ad->prealm); + ad->prealm = strdup(local_realm); + if (ad->prealm == NULL) { + ret = ENOMEM; + goto error; + } + } + + error: + memset(des_key, 0, sizeof(des_key)); + if (sp) + krb5_storage_free(sp); + krb5_data_free(&ticket); + if (ret) { + if (*sname) { + free(*sname); + *sname = NULL; + } + if (*sinstance) { + free(*sinstance); + *sinstance = NULL; + } + _krb5_krb_free_auth_data(context, ad); + krb5_set_error_string(context, "Failed to decode v4 ticket"); + } + return ret; +} + +/* + * + */ + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_krb_rd_req(krb5_context context, + krb5_data *authent, + const char *service, + const char *instance, + const char *local_realm, + int32_t from_addr, + const krb5_keyblock *key, + struct _krb5_krb_auth_data *ad) +{ + krb5_error_code ret; + krb5_storage *sp; + krb5_data ticket, eaut, aut; + krb5_ssize_t size; + int little_endian; + int8_t pvno; + int8_t type; + int8_t s_kvno; + uint8_t ticket_length; + uint8_t eaut_length; + uint8_t time_5ms; + char *realm = NULL; + char *sname = NULL; + char *sinstance = NULL; + char *r_realm = NULL; + char *r_name = NULL; + char *r_instance = NULL; + + uint32_t r_time_sec; /* Coarse time from authenticator */ + unsigned long delta_t; /* Time in authenticator - local time */ + long tkt_age; /* Age of ticket */ + + struct timeval tv; + + krb5_data_zero(&ticket); + krb5_data_zero(&eaut); + krb5_data_zero(&aut); + + sp = krb5_storage_from_data(authent); + if (sp == NULL) { + krb5_set_error_string(context, "alloc: out of memory"); + return ENOMEM; + } + + krb5_storage_set_eof_code(sp, KRB4ET_INTK_PROT); + + ret = krb5_ret_int8(sp, &pvno); + if (ret) { + krb5_set_error_string(context, "Failed reading v4 pvno"); + goto error; + } + + if (pvno != KRB_PROT_VERSION) { + ret = KRB4ET_RD_AP_VERSION; + krb5_set_error_string(context, "Failed v4 pvno not 4"); + goto error; + } + + ret = krb5_ret_int8(sp, &type); + if (ret) { + krb5_set_error_string(context, "Failed readin v4 type"); + goto error; + } + + little_endian = type & 1; + type &= ~1; + + if(type != AUTH_MSG_APPL_REQUEST && type != AUTH_MSG_APPL_REQUEST_MUTUAL) { + ret = KRB4ET_RD_AP_MSG_TYPE; + krb5_set_error_string(context, "Not a valid v4 request type"); + goto error; + } + + RCHECK(ret, krb5_ret_int8(sp, &s_kvno), error); + RCHECK(ret, get_v4_stringz(sp, &realm, REALM_SZ), error); + RCHECK(ret, krb5_ret_uint8(sp, &ticket_length), error); + RCHECK(ret, krb5_ret_uint8(sp, &eaut_length), error); + RCHECK(ret, krb5_data_alloc(&ticket, ticket_length), error); + + size = krb5_storage_read(sp, ticket.data, ticket.length); + if (size != ticket.length) { + ret = KRB4ET_INTK_PROT; + krb5_set_error_string(context, "Failed reading v4 ticket"); + goto error; + } + + /* Decrypt and take apart ticket */ + ret = _krb5_krb_decomp_ticket(context, &ticket, key, local_realm, + &sname, &sinstance, ad); + if (ret) + goto error; + + RCHECK(ret, krb5_data_alloc(&eaut, eaut_length), error); + + size = krb5_storage_read(sp, eaut.data, eaut.length); + if (size != eaut.length) { + ret = KRB4ET_INTK_PROT; + krb5_set_error_string(context, "Failed reading v4 authenticator"); + goto error; + } + + krb5_storage_free(sp); + sp = NULL; + + ret = decrypt_etext(context, &ad->session, &eaut, &aut); + if (ret) + goto error; + + sp = krb5_storage_from_data(&aut); + if (sp == NULL) { + ret = ENOMEM; + krb5_set_error_string(context, "alloc: out of memory"); + goto error; + } + + if (little_endian) + krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_LE); + else + krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE); + + RCHECK(ret, get_v4_stringz(sp, &r_name, ANAME_SZ), error); + RCHECK(ret, get_v4_stringz(sp, &r_instance, INST_SZ), error); + RCHECK(ret, get_v4_stringz(sp, &r_realm, REALM_SZ), error); + + RCHECK(ret, krb5_ret_uint32(sp, &ad->checksum), error); + RCHECK(ret, krb5_ret_uint8(sp, &time_5ms), error); + RCHECK(ret, krb5_ret_uint32(sp, &r_time_sec), error); + + if (strcmp(ad->pname, r_name) != 0 || + strcmp(ad->pinst, r_instance) != 0 || + strcmp(ad->prealm, r_realm) != 0) { + krb5_set_error_string(context, "v4 principal mismatch"); + ret = KRB4ET_RD_AP_INCON; + goto error; + } + + if (from_addr && ad->address && from_addr != ad->address) { + krb5_set_error_string(context, "v4 bad address in ticket"); + ret = KRB4ET_RD_AP_BADD; + goto error; + } + + gettimeofday(&tv, NULL); + delta_t = abs((int)(tv.tv_sec - r_time_sec)); + if (delta_t > CLOCK_SKEW) { + ret = KRB4ET_RD_AP_TIME; + krb5_set_error_string(context, "v4 clock skew"); + goto error; + } + + /* Now check for expiration of ticket */ + + tkt_age = tv.tv_sec - ad->time_sec; + + if ((tkt_age < 0) && (-tkt_age > CLOCK_SKEW)) { + ret = KRB4ET_RD_AP_NYV; + krb5_set_error_string(context, "v4 clock skew for expiration"); + goto error; + } + + if (tv.tv_sec > _krb5_krb_life_to_time(ad->time_sec, ad->life)) { + ret = KRB4ET_RD_AP_EXP; + krb5_set_error_string(context, "v4 ticket expired"); + goto error; + } + + ret = 0; + error: + krb5_data_free(&ticket); + krb5_data_free(&eaut); + krb5_data_free(&aut); + if (realm) + free(realm); + if (sname) + free(sname); + if (sinstance) + free(sinstance); + if (r_name) + free(r_name); + if (r_instance) + free(r_instance); + if (r_realm) + free(r_realm); + if (sp) + krb5_storage_free(sp); + + if (ret) + krb5_clear_error_string(context); + + return ret; +} + +/* + * + */ + +void KRB5_LIB_FUNCTION +_krb5_krb_free_auth_data(krb5_context context, struct _krb5_krb_auth_data *ad) +{ + if (ad->pname) + free(ad->pname); + if (ad->pinst) + free(ad->pinst); + if (ad->prealm) + free(ad->prealm); + krb5_free_keyblock_contents(context, &ad->session); + memset(ad, 0, sizeof(*ad)); +} diff --git a/crypto/heimdal/lib/krb5/verify_init.c b/crypto/heimdal/lib/krb5/verify_init.c index 243ac5fa433f..37db34669290 100644 --- a/crypto/heimdal/lib/krb5/verify_init.c +++ b/crypto/heimdal/lib/krb5/verify_init.c @@ -33,15 +33,15 @@ #include "krb5_locl.h" -RCSID("$Id: verify_init.c,v 1.17 2002/08/20 14:47:59 joda Exp $"); +RCSID("$Id: verify_init.c 15555 2005-07-06 00:48:16Z lha $"); -void +void KRB5_LIB_FUNCTION krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *options) { memset (options, 0, sizeof(*options)); } -void +void KRB5_LIB_FUNCTION krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt *options, int ap_req_nofail) { @@ -69,7 +69,7 @@ fail_verify_is_ok (krb5_context context, return TRUE; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_init_creds(krb5_context context, krb5_creds *creds, krb5_principal ap_req_server, @@ -80,14 +80,12 @@ krb5_verify_init_creds(krb5_context context, krb5_error_code ret; krb5_data req; krb5_ccache local_ccache = NULL; - krb5_keytab_entry entry; krb5_creds *new_creds = NULL; krb5_auth_context auth_context = NULL; krb5_principal server = NULL; krb5_keytab keytab = NULL; krb5_data_zero (&req); - memset (&entry, 0, sizeof(entry)); if (ap_req_server == NULL) { char local_hostname[MAXHOSTNAMELEN]; @@ -182,7 +180,6 @@ cleanup: if (auth_context) krb5_auth_con_free (context, auth_context); krb5_data_free (&req); - krb5_kt_free_entry (context, &entry); if (new_creds != NULL) krb5_free_creds (context, new_creds); if (ap_req_server == NULL && server) diff --git a/crypto/heimdal/lib/krb5/verify_krb5_conf.8 b/crypto/heimdal/lib/krb5/verify_krb5_conf.8 index 7d854bf7b49a..28f84aba41e0 100644 --- a/crypto/heimdal/lib/krb5/verify_krb5_conf.8 +++ b/crypto/heimdal/lib/krb5/verify_krb5_conf.8 @@ -1,6 +1,37 @@ -.\" $Id: verify_krb5_conf.8,v 1.7 2002/08/20 17:07:28 joda Exp $ +.\" Copyright (c) 2000 - 2004 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.Dd August 30, 2001 +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: verify_krb5_conf.8 14375 2004-12-08 17:52:41Z lha $ +.\" +.Dd December 8, 2004 .Dt VERIFY_KRB5_CONF 8 .Os HEIMDAL .Sh NAME @@ -19,22 +50,30 @@ and parses it, thereby verifying that the syntax is not correctly wrong. If the file is syntactically correct, .Nm tries to verify that the contents of the file is of relevant nature. +.Sh ENVIRONMENT +.Ev KRB5_CONFIG +points to the configuration file to read. +.Sh FILES +.Bl -tag -width /etc/krb5.conf -compact +.It Pa /etc/krb5.conf +Kerberos 5 configuration file +.El .Sh DIAGNOSTICS Possible output from .Nm include: -.Bl -tag -width "<path>" +.Bl -tag -width "FpathF" .It "<path>: failed to parse <something> as size/time/number/boolean" Usually means that <something> is misspelled, or that it contains weird characters. The parsing done by .Nm -is more strict than the one performed by libkrb5, and so strings that -work in real life, might be reported as bad. +is more strict than the one performed by libkrb5, so strings that +work in real life might be reported as bad. .It "<path>: host not found (<hostname>)" Means that <path> is supposed to point to a host, but it can't be recognised as one. .It <path>: unknown or wrong type -Means that <path> is either is a string when it should be a list, vice +Means that <path> is either a string when it should be a list, vice versa, or just that .Nm is confused. @@ -42,19 +81,11 @@ is confused. Means that <string> is not known by .Nm "" . .El -.Sh ENVIRONMENT -.Ev KRB5_CONFIG -points to the configuration file to read. -.Sh FILES -.Bl -tag -width /etc/krb5.conf -compact -.It Pa /etc/krb5.conf -Kerberos 5 configuration file -.El .Sh SEE ALSO .Xr krb5.conf 5 .Sh BUGS Since each application can put almost anything in the config file, -it's hard to come up with a water tight verification process. Most of +it's hard to come up with a watertight verification process. Most of the default settings are sanity checked, but this does not mean that every problem is discovered, or that everything that is reported as a possible problem actually is one. This tool should thus be used with diff --git a/crypto/heimdal/lib/krb5/verify_krb5_conf.c b/crypto/heimdal/lib/krb5/verify_krb5_conf.c index 6017dfc85f80..b55fbd7a86b0 100644 --- a/crypto/heimdal/lib/krb5/verify_krb5_conf.c +++ b/crypto/heimdal/lib/krb5/verify_krb5_conf.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan + * Copyright (c) 1999 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -35,17 +35,20 @@ #include <getarg.h> #include <parse_bytes.h> #include <err.h> -RCSID("$Id: verify_krb5_conf.c,v 1.17.2.2 2004/02/13 16:19:44 lha Exp $"); +RCSID("$Id: verify_krb5_conf.c 22233 2007-12-08 21:43:37Z lha $"); /* verify krb5.conf */ static int dumpconfig_flag = 0; static int version_flag = 0; static int help_flag = 0; +static int warn_mit_syntax_flag = 0; static struct getargs args[] = { {"dumpconfig", 0, arg_flag, &dumpconfig_flag, "show the parsed config files", NULL }, + {"warn-mit-syntax", 0, arg_flag, &warn_mit_syntax_flag, + "show the parsed config files", NULL }, {"version", 0, arg_flag, &version_flag, "print version", NULL }, {"help", 0, arg_flag, &help_flag, @@ -138,23 +141,68 @@ check_host(krb5_context context, const char *path, char *data) int ret; char hostname[128]; const char *p = data; + struct addrinfo hints; + char service[32]; + int defport; struct addrinfo *ai; + + hints.ai_flags = 0; + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = 0; + hints.ai_protocol = 0; + + hints.ai_addrlen = 0; + hints.ai_canonname = NULL; + hints.ai_addr = NULL; + hints.ai_next = NULL; + /* XXX data could be a list of hosts that this code can't handle */ /* XXX copied from krbhst.c */ if(strncmp(p, "http://", 7) == 0){ p += 7; + hints.ai_socktype = SOCK_STREAM; + strlcpy(service, "http", sizeof(service)); + defport = 80; } else if(strncmp(p, "http/", 5) == 0) { p += 5; + hints.ai_socktype = SOCK_STREAM; + strlcpy(service, "http", sizeof(service)); + defport = 80; }else if(strncmp(p, "tcp/", 4) == 0){ p += 4; + hints.ai_socktype = SOCK_STREAM; + strlcpy(service, "kerberos", sizeof(service)); + defport = 88; } else if(strncmp(p, "udp/", 4) == 0) { p += 4; + hints.ai_socktype = SOCK_DGRAM; + strlcpy(service, "kerberos", sizeof(service)); + defport = 88; + } else { + hints.ai_socktype = SOCK_DGRAM; + strlcpy(service, "kerberos", sizeof(service)); + defport = 88; } if(strsep_copy(&p, ":", hostname, sizeof(hostname)) < 0) { return 1; } hostname[strcspn(hostname, "/")] = '\0'; - ret = getaddrinfo(hostname, "telnet" /* XXX */, NULL, &ai); + if(p != NULL) { + char *end; + int tmp = strtol(p, &end, 0); + if(end == p) { + krb5_warnx(context, "%s: failed to parse port number in %s", + path, data); + return 1; + } + defport = tmp; + snprintf(service, sizeof(service), "%u", defport); + } + ret = getaddrinfo(hostname, service, &hints, &ai); + if(ret == EAI_SERVICE && !isdigit((unsigned char)service[0])) { + snprintf(service, sizeof(service), "%u", defport); + ret = getaddrinfo(hostname, service, &hints, &ai); + } if(ret != 0) { krb5_warnx(context, "%s: %s (%s)", path, gai_strerror(ret), hostname); return 1; @@ -162,17 +210,16 @@ check_host(krb5_context context, const char *path, char *data) return 0; } -#if 0 static int mit_entry(krb5_context context, const char *path, char *data) { - krb5_warnx(context, "%s is only used by MIT Kerberos", path); + if (warn_mit_syntax_flag) + krb5_warnx(context, "%s is only used by MIT Kerberos", path); return 0; } -#endif struct s2i { - char *s; + const char *s; int val; }; @@ -304,6 +351,12 @@ struct entry all_strings[] = { { NULL } }; +struct entry all_boolean[] = { + { "", krb5_config_string, check_boolean }, + { NULL } +}; + + struct entry v4_name_convert_entries[] = { { "host", krb5_config_list, all_strings }, { "plain", krb5_config_list, all_strings }, @@ -313,13 +366,16 @@ struct entry v4_name_convert_entries[] = { struct entry libdefaults_entries[] = { { "accept_null_addresses", krb5_config_string, check_boolean }, { "capath", krb5_config_list, all_strings }, + { "check_pac", krb5_config_string, check_boolean }, { "clockskew", krb5_config_string, check_time }, { "date_format", krb5_config_string, NULL }, + { "default_cc_name", krb5_config_string, NULL }, { "default_etypes", krb5_config_string, NULL }, { "default_etypes_des", krb5_config_string, NULL }, { "default_keytab_modify_name", krb5_config_string, NULL }, { "default_keytab_name", krb5_config_string, NULL }, { "default_realm", krb5_config_string, NULL }, + { "dns_canonize_hostname", krb5_config_string, check_boolean }, { "dns_proxy", krb5_config_string, NULL }, { "dns_lookup_kdc", krb5_config_string, check_boolean }, { "dns_lookup_realm", krb5_config_string, check_boolean }, @@ -328,6 +384,7 @@ struct entry libdefaults_entries[] = { { "encrypt", krb5_config_string, check_boolean }, { "extra_addresses", krb5_config_string, NULL }, { "fcache_version", krb5_config_string, check_numeric }, + { "fcc-mit-ticketflags", krb5_config_string, check_boolean }, { "forward", krb5_config_string, check_boolean }, { "forwardable", krb5_config_string, check_boolean }, { "http_proxy", krb5_config_string, check_host /* XXX */ }, @@ -342,21 +399,38 @@ struct entry libdefaults_entries[] = { { "ticket_lifetime", krb5_config_string, check_time }, { "time_format", krb5_config_string, NULL }, { "transited_realms_reject", krb5_config_string, NULL }, + { "no-addresses", krb5_config_string, check_boolean }, { "v4_instance_resolve", krb5_config_string, check_boolean }, { "v4_name_convert", krb5_config_list, v4_name_convert_entries }, { "verify_ap_req_nofail", krb5_config_string, check_boolean }, + { "max_retries", krb5_config_string, check_time }, + { "renew_lifetime", krb5_config_string, check_time }, + { "proxiable", krb5_config_string, check_boolean }, + { "warn_pwexpire", krb5_config_string, check_time }, + /* MIT stuff */ + { "permitted_enctypes", krb5_config_string, mit_entry }, + { "default_tgs_enctypes", krb5_config_string, mit_entry }, + { "default_tkt_enctypes", krb5_config_string, mit_entry }, { NULL } }; struct entry appdefaults_entries[] = { { "afslog", krb5_config_string, check_boolean }, { "afs-use-524", krb5_config_string, check_524 }, + { "encrypt", krb5_config_string, check_boolean }, + { "forward", krb5_config_string, check_boolean }, { "forwardable", krb5_config_string, check_boolean }, { "proxiable", krb5_config_string, check_boolean }, { "ticket_lifetime", krb5_config_string, check_time }, { "renew_lifetime", krb5_config_string, check_time }, { "no-addresses", krb5_config_string, check_boolean }, { "krb4_get_tickets", krb5_config_string, check_boolean }, + { "pkinit_anchors", krb5_config_string, NULL }, + { "pkinit_win2k", krb5_config_string, NULL }, + { "pkinit_win2k_require_binding", krb5_config_string, NULL }, + { "pkinit_require_eku", krb5_config_string, NULL }, + { "pkinit_require_krbtgt_otherName", krb5_config_string, NULL }, + { "pkinit_require_hostname_match", krb5_config_string, NULL }, #if 0 { "anonymous", krb5_config_string, check_boolean }, #endif @@ -378,7 +452,7 @@ struct entry realms_entries[] = { { "v4_instance_convert", krb5_config_list, all_strings }, { "v4_domains", krb5_config_string, NULL }, { "default_domain", krb5_config_string, NULL }, -#if 0 + { "win2k_pkinit", krb5_config_string, NULL }, /* MIT stuff */ { "admin_keytab", krb5_config_string, mit_entry }, { "acl_file", krb5_config_string, mit_entry }, @@ -394,7 +468,6 @@ struct entry realms_entries[] = { { "default_principal_flags", krb5_config_string, mit_entry }, { "supported_enctypes", krb5_config_string, mit_entry }, { "database_name", krb5_config_string, mit_entry }, -#endif { NULL } }; @@ -408,6 +481,8 @@ struct entry kdc_database_entries[] = { { "realm", krb5_config_string, NULL }, { "dbname", krb5_config_string, NULL }, { "mkey_file", krb5_config_string, NULL }, + { "acl_file", krb5_config_string, NULL }, + { "log_file", krb5_config_string, NULL }, { NULL } }; @@ -422,13 +497,25 @@ struct entry kdc_entries[] = { { "enable-kerberos4", krb5_config_string, check_boolean }, { "enable-524", krb5_config_string, check_boolean }, { "enable-http", krb5_config_string, check_boolean }, - { "check_ticket-addresses", krb5_config_string, check_boolean }, - { "allow-null-addresses", krb5_config_string, check_boolean }, + { "check-ticket-addresses", krb5_config_string, check_boolean }, + { "allow-null-ticket-addresses", krb5_config_string, check_boolean }, { "allow-anonymous", krb5_config_string, check_boolean }, { "v4_realm", krb5_config_string, NULL }, { "enable-kaserver", krb5_config_string, check_boolean }, { "encode_as_rep_as_tgs_rep", krb5_config_string, check_boolean }, { "kdc_warn_pwexpire", krb5_config_string, check_time }, + { "use_2b", krb5_config_list, NULL }, + { "enable-pkinit", krb5_config_string, check_boolean }, + { "pkinit_identity", krb5_config_string, NULL }, + { "pkinit_anchors", krb5_config_string, NULL }, + { "pkinit_pool", krb5_config_string, NULL }, + { "pkinit_revoke", krb5_config_string, NULL }, + { "pkinit_kdc_ocsp", krb5_config_string, NULL }, + { "pkinit_principal_in_certificate", krb5_config_string, NULL }, + { "pkinit_dh_min_bits", krb5_config_string, NULL }, + { "pkinit_allow_proxy_certificate", krb5_config_string, NULL }, + { "hdb-ldap-create-base", krb5_config_string, NULL }, + { "v4-realm", krb5_config_string, NULL }, { NULL } }; @@ -436,6 +523,7 @@ struct entry kadmin_entries[] = { { "password_lifetime", krb5_config_string, check_time }, { "default_keys", krb5_config_string, NULL }, { "use_v4_salt", krb5_config_string, NULL }, + { "require-preauth", krb5_config_string, check_boolean }, { NULL } }; struct entry log_strings[] = { @@ -444,13 +532,26 @@ struct entry log_strings[] = { }; -#if 0 +/* MIT stuff */ struct entry kdcdefaults_entries[] = { { "kdc_ports", krb5_config_string, mit_entry }, { "v4_mode", krb5_config_string, mit_entry }, { NULL } }; -#endif + +struct entry capaths_entries[] = { + { "", krb5_config_list, all_strings }, + { NULL } +}; + +struct entry password_quality_entries[] = { + { "policies", krb5_config_string, NULL }, + { "external_program", krb5_config_string, NULL }, + { "min_classes", krb5_config_string, check_numeric }, + { "min_length", krb5_config_string, check_numeric }, + { "", krb5_config_list, all_strings }, + { NULL } +}; struct entry toplevel_sections[] = { { "libdefaults" , krb5_config_list, libdefaults_entries }, @@ -460,10 +561,11 @@ struct entry toplevel_sections[] = { { "kdc", krb5_config_list, kdc_entries }, { "kadmin", krb5_config_list, kadmin_entries }, { "appdefaults", krb5_config_list, appdefaults_entries }, -#if 0 + { "gssapi", krb5_config_list, NULL }, + { "capaths", krb5_config_list, capaths_entries }, + { "password_quality", krb5_config_list, password_quality_entries }, /* MIT stuff */ { "kdcdefaults", krb5_config_list, kdcdefaults_entries }, -#endif { NULL } }; @@ -532,15 +634,17 @@ main(int argc, char **argv) krb5_context context; krb5_error_code ret; krb5_config_section *tmp_cf; - int optind = 0; + int optidx = 0; setprogname (argv[0]); ret = krb5_init_context(&context); - if (ret) - errx (1, "krb5_init_context failed"); + if (ret == KRB5_CONFIG_BADFORMAT) + errx (1, "krb5_init_context failed to parse configuration file"); + else if (ret) + errx (1, "krb5_init_context failed with %d", ret); - if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) + if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx)) usage(1); if (help_flag) @@ -551,8 +655,8 @@ main(int argc, char **argv) exit(0); } - argc -= optind; - argv += optind; + argc -= optidx; + argv += optidx; tmp_cf = NULL; if(argc == 0) diff --git a/crypto/heimdal/lib/krb5/verify_user.c b/crypto/heimdal/lib/krb5/verify_user.c index 1cd571b23d01..1edbaff7e23b 100644 --- a/crypto/heimdal/lib/krb5/verify_user.c +++ b/crypto/heimdal/lib/krb5/verify_user.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: verify_user.c,v 1.17 2002/08/20 14:48:31 joda Exp $"); +RCSID("$Id: verify_user.c 19078 2006-11-20 18:12:41Z lha $"); static krb5_error_code verify_common (krb5_context context, @@ -78,7 +78,7 @@ verify_common (krb5_context context, if(ccache == NULL) krb5_cc_close(context, id); } - krb5_free_creds_contents(context, &cred); + krb5_free_cred_contents(context, &cred); return ret; } @@ -90,7 +90,7 @@ verify_common (krb5_context context, * As a side effect, fresh tickets are obtained and stored in `ccache'. */ -void +void KRB5_LIB_FUNCTION krb5_verify_opt_init(krb5_verify_opt *opt) { memset(opt, 0, sizeof(*opt)); @@ -98,31 +98,49 @@ krb5_verify_opt_init(krb5_verify_opt *opt) opt->service = "host"; } -void +int KRB5_LIB_FUNCTION +krb5_verify_opt_alloc(krb5_context context, krb5_verify_opt **opt) +{ + *opt = calloc(1, sizeof(**opt)); + if ((*opt) == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + krb5_verify_opt_init(*opt); + return 0; +} + +void KRB5_LIB_FUNCTION +krb5_verify_opt_free(krb5_verify_opt *opt) +{ + free(opt); +} + +void KRB5_LIB_FUNCTION krb5_verify_opt_set_ccache(krb5_verify_opt *opt, krb5_ccache ccache) { opt->ccache = ccache; } -void +void KRB5_LIB_FUNCTION krb5_verify_opt_set_keytab(krb5_verify_opt *opt, krb5_keytab keytab) { opt->keytab = keytab; } -void +void KRB5_LIB_FUNCTION krb5_verify_opt_set_secure(krb5_verify_opt *opt, krb5_boolean secure) { opt->secure = secure; } -void +void KRB5_LIB_FUNCTION krb5_verify_opt_set_service(krb5_verify_opt *opt, const char *service) { opt->service = service; } -void +void KRB5_LIB_FUNCTION krb5_verify_opt_set_flags(krb5_verify_opt *opt, unsigned int flags) { opt->flags |= flags; @@ -136,13 +154,15 @@ verify_user_opt_int(krb5_context context, { krb5_error_code ret; - krb5_get_init_creds_opt opt; + krb5_get_init_creds_opt *opt; krb5_creds cred; - krb5_get_init_creds_opt_init (&opt); + ret = krb5_get_init_creds_opt_alloc (context, &opt); + if (ret) + return ret; krb5_get_init_creds_opt_set_default_flags(context, NULL, - *krb5_princ_realm(context, principal), - &opt); + krb5_principal_get_realm(context, principal), + opt); ret = krb5_get_init_creds_password (context, &cred, principal, @@ -151,7 +171,8 @@ verify_user_opt_int(krb5_context context, NULL, 0, NULL, - &opt); + opt); + krb5_get_init_creds_opt_free(context, opt); if(ret) return ret; #define OPT(V, D) ((vopt && (vopt->V)) ? (vopt->V) : (D)) @@ -161,7 +182,7 @@ verify_user_opt_int(krb5_context context, #undef OPT } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_user_opt(krb5_context context, krb5_principal principal, const char *password, @@ -199,7 +220,7 @@ krb5_verify_user_opt(krb5_context context, /* compat function that calls above */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_user(krb5_context context, krb5_principal principal, krb5_ccache ccache, @@ -223,7 +244,7 @@ krb5_verify_user(krb5_context context, * ignored and all the local realms are tried. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_user_lrealm(krb5_context context, krb5_principal principal, krb5_ccache ccache, diff --git a/crypto/heimdal/lib/krb5/version-script.map b/crypto/heimdal/lib/krb5/version-script.map new file mode 100644 index 000000000000..df8804a4e316 --- /dev/null +++ b/crypto/heimdal/lib/krb5/version-script.map @@ -0,0 +1,722 @@ +# $Id$ + +HEIMDAL_KRB5_1.0 { + global: + krb524_convert_creds_kdc; + krb524_convert_creds_kdc_ccache; + krb5_425_conv_principal; + krb5_425_conv_principal_ext2; + krb5_425_conv_principal_ext; + krb5_524_conv_principal; + krb5_abort; + krb5_abortx; + krb5_acl_match_file; + krb5_acl_match_string; + krb5_add_et_list; + krb5_add_extra_addresses; + krb5_add_ignore_addresses; + krb5_addlog_dest; + krb5_addlog_func; + krb5_addr2sockaddr; + krb5_address_compare; + krb5_address_order; + krb5_address_prefixlen_boundary; + krb5_address_search; + krb5_aname_to_localname; + krb5_anyaddr; + krb5_appdefault_boolean; + krb5_appdefault_string; + krb5_appdefault_time; + krb5_append_addresses; + krb5_auth_con_addflags; + krb5_auth_con_free; + krb5_auth_con_genaddrs; + krb5_auth_con_generatelocalsubkey; + krb5_auth_con_getaddrs; + krb5_auth_con_getauthenticator; + krb5_auth_con_getcksumtype; + krb5_auth_con_getflags; + krb5_auth_con_getkey; + krb5_auth_con_getkeytype; + krb5_auth_con_getlocalseqnumber; + krb5_auth_con_getlocalsubkey; + krb5_auth_con_getrcache; + krb5_auth_con_getremotesubkey; + krb5_auth_con_init; + krb5_auth_con_removeflags; + krb5_auth_con_setaddrs; + krb5_auth_con_setaddrs_from_fd; + krb5_auth_con_setcksumtype; + krb5_auth_con_setflags; + krb5_auth_con_setkey; + krb5_auth_con_setkeytype; + krb5_auth_con_setlocalseqnumber; + krb5_auth_con_setlocalsubkey; + krb5_auth_con_setrcache; + krb5_auth_con_setremoteseqnumber; + krb5_auth_con_setremotesubkey; + krb5_auth_con_setuserkey; + krb5_auth_getremoteseqnumber; + krb5_build_ap_req; + krb5_build_authenticator; + krb5_build_principal; + krb5_build_principal_ext; + krb5_build_principal_va; + krb5_build_principal_va_ext; + krb5_c_block_size; + krb5_c_checksum_length; + krb5_c_decrypt; + krb5_c_encrypt; + krb5_c_encrypt_length; + krb5_c_enctype_compare; + krb5_c_get_checksum; + krb5_c_is_coll_proof_cksum; + krb5_c_is_keyed_cksum; + krb5_c_keylengths; + krb5_c_make_checksum; + krb5_c_make_random_key; + krb5_c_prf; + krb5_c_prf_length; + krb5_c_set_checksum; + krb5_c_valid_cksumtype; + krb5_c_valid_enctype; + krb5_c_verify_checksum; + krb5_cc_cache_end_seq_get; + krb5_cc_cache_get_first; + krb5_cc_cache_match; + krb5_cc_cache_next; + krb5_cc_clear_mcred; + krb5_cc_close; + krb5_cc_copy_cache; + krb5_cc_copy_cache_match; + krb5_cc_default; + krb5_cc_default_name; + krb5_cc_destroy; + krb5_cc_end_seq_get; + krb5_cc_gen_new; + krb5_cc_get_full_name; + krb5_cc_get_name; + krb5_cc_get_ops; + krb5_cc_get_prefix_ops; + krb5_cc_get_principal; + krb5_cc_get_type; + krb5_cc_get_version; + krb5_cc_initialize; + krb5_cc_move; + krb5_cc_new_unique; + krb5_cc_next_cred; + krb5_cc_next_cred_match; + krb5_cc_register; + krb5_cc_remove_cred; + krb5_cc_resolve; + krb5_cc_retrieve_cred; + krb5_cc_set_default_name; + krb5_cc_set_flags; + krb5_cc_start_seq_get; + krb5_cc_store_cred; + krb5_change_password; + krb5_check_transited; + krb5_check_transited_realms; + krb5_checksum_disable; + krb5_checksum_free; + krb5_checksum_is_collision_proof; + krb5_checksum_is_keyed; + krb5_checksumsize; + krb5_cksumtype_valid; + krb5_clear_error_string; + krb5_closelog; + krb5_compare_creds; + krb5_config_file_free; + krb5_config_free_strings; + krb5_config_get; + krb5_config_get_bool; + krb5_config_get_bool_default; + krb5_config_get_int; + krb5_config_get_int_default; + krb5_config_get_list; + krb5_config_get_next; + krb5_config_get_string; + krb5_config_get_string_default; + krb5_config_get_strings; + krb5_config_get_time; + krb5_config_get_time_default; + krb5_config_parse_file; + krb5_config_parse_file_multi; + krb5_config_parse_string_multi; + krb5_config_vget; + krb5_config_vget_bool; + krb5_config_vget_bool_default; + krb5_config_vget_int; + krb5_config_vget_int_default; + krb5_config_vget_list; + krb5_config_vget_next; + krb5_config_vget_string; + krb5_config_vget_string_default; + krb5_config_vget_strings; + krb5_config_vget_time; + krb5_config_vget_time_default; + krb5_copy_address; + krb5_copy_addresses; + krb5_copy_checksum; + krb5_copy_creds; + krb5_copy_creds_contents; + krb5_copy_data; + krb5_copy_host_realm; + krb5_copy_keyblock; + krb5_copy_keyblock_contents; + krb5_copy_principal; + krb5_copy_ticket; + krb5_create_checksum; + krb5_crypto_destroy; + krb5_crypto_get_checksum_type; + krb5_crypto_getblocksize; + krb5_crypto_getconfoundersize; + krb5_crypto_getenctype; + krb5_crypto_getpadsize; + krb5_crypto_init; + krb5_crypto_overhead; + krb5_crypto_prf; + krb5_crypto_prf_length; + krb5_data_alloc; + krb5_data_cmp; + krb5_data_copy; + krb5_data_free; + krb5_data_realloc; + krb5_data_zero; + krb5_decode_Authenticator; + krb5_decode_ETYPE_INFO2; + krb5_decode_ETYPE_INFO; + krb5_decode_EncAPRepPart; + krb5_decode_EncASRepPart; + krb5_decode_EncKrbCredPart; + krb5_decode_EncTGSRepPart; + krb5_decode_EncTicketPart; + krb5_decode_ap_req; + krb5_decrypt; + krb5_decrypt_EncryptedData; + krb5_decrypt_ivec; + krb5_decrypt_ticket; + krb5_derive_key; + krb5_digest_alloc; + krb5_digest_free; + krb5_digest_get_client_binding; + krb5_digest_get_identifier; + krb5_digest_get_opaque; + krb5_digest_get_rsp; + krb5_digest_get_server_nonce; + krb5_digest_get_session_key; + krb5_digest_get_tickets; + krb5_digest_init_request; + krb5_digest_probe; + krb5_digest_rep_get_status; + krb5_digest_request; + krb5_digest_set_authentication_user; + krb5_digest_set_authid; + krb5_digest_set_client_nonce; + krb5_digest_set_digest; + krb5_digest_set_hostname; + krb5_digest_set_identifier; + krb5_digest_set_method; + krb5_digest_set_nonceCount; + krb5_digest_set_opaque; + krb5_digest_set_qop; + krb5_digest_set_realm; + krb5_digest_set_responseData; + krb5_digest_set_server_cb; + krb5_digest_set_server_nonce; + krb5_digest_set_type; + krb5_digest_set_uri; + krb5_digest_set_username; + krb5_domain_x500_decode; + krb5_domain_x500_encode; + krb5_eai_to_heim_errno; + krb5_encode_Authenticator; + krb5_encode_ETYPE_INFO2; + krb5_encode_ETYPE_INFO; + krb5_encode_EncAPRepPart; + krb5_encode_EncASRepPart; + krb5_encode_EncKrbCredPart; + krb5_encode_EncTGSRepPart; + krb5_encode_EncTicketPart; + krb5_encrypt; + krb5_encrypt_EncryptedData; + krb5_encrypt_ivec; + krb5_enctype_disable; + krb5_enctype_keybits; + krb5_enctype_keysize; + krb5_enctype_to_keytype; + krb5_enctype_to_string; + krb5_enctype_valid; + krb5_enctypes_compatible_keys; + krb5_err; + krb5_error_from_rd_error; + krb5_errx; + krb5_expand_hostname; + krb5_expand_hostname_realms; + krb5_find_padata; + krb5_format_time; + krb5_free_address; + krb5_free_addresses; + krb5_free_ap_rep_enc_part; + krb5_free_authenticator; + krb5_free_checksum; + krb5_free_checksum_contents; + krb5_free_config_files; + krb5_free_context; + krb5_free_cred_contents; + krb5_free_creds; + krb5_free_creds_contents; + krb5_free_data; + krb5_free_data_contents; + krb5_free_error; + krb5_free_error_contents; + krb5_free_error_string; + krb5_free_host_realm; + krb5_free_kdc_rep; + krb5_free_keyblock; + krb5_free_keyblock_contents; + krb5_free_krbhst; + krb5_free_principal; + krb5_free_salt; + krb5_free_ticket; + krb5_fwd_tgt_creds; + krb5_generate_random_block; + krb5_generate_random_keyblock; + krb5_generate_seq_number; + krb5_generate_subkey; + krb5_generate_subkey_extended; + krb5_get_all_client_addrs; + krb5_get_all_server_addrs; + krb5_get_cred_from_kdc; + krb5_get_cred_from_kdc_opt; + krb5_get_credentials; + krb5_get_credentials_with_flags; + krb5_get_creds; + krb5_get_creds_opt_add_options; + krb5_get_creds_opt_alloc; + krb5_get_creds_opt_free; + krb5_get_creds_opt_set_enctype; + krb5_get_creds_opt_set_impersonate; + krb5_get_creds_opt_set_options; + krb5_get_creds_opt_set_ticket; + krb5_get_default_config_files; + krb5_get_default_in_tkt_etypes; + krb5_get_default_principal; + krb5_get_default_realm; + krb5_get_default_realms; + krb5_get_dns_canonicalize_hostname; + krb5_get_err_text; + krb5_get_error_message; + krb5_get_error_string; + krb5_get_extra_addresses; + krb5_get_fcache_version; + krb5_get_forwarded_creds; + krb5_get_host_realm; + krb5_get_ignore_addresses; + krb5_get_in_cred; + krb5_get_in_tkt; + krb5_get_in_tkt_with_keytab; + krb5_get_in_tkt_with_password; + krb5_get_in_tkt_with_skey; + krb5_get_init_creds; + krb5_get_init_creds_keyblock; + krb5_get_init_creds_keytab; + krb5_get_init_creds_opt_alloc; + krb5_get_init_creds_opt_free; + krb5_get_init_creds_opt_get_error; + krb5_get_init_creds_opt_init; + krb5_get_init_creds_opt_set_address_list; + krb5_get_init_creds_opt_set_addressless; + krb5_get_init_creds_opt_set_anonymous; + krb5_get_init_creds_opt_set_canonicalize; + krb5_get_init_creds_opt_set_default_flags; + krb5_get_init_creds_opt_set_etype_list; + krb5_get_init_creds_opt_set_forwardable; + krb5_get_init_creds_opt_set_pa_password; + krb5_get_init_creds_opt_set_pac_request; + krb5_get_init_creds_opt_set_pkinit; + krb5_get_init_creds_opt_set_preauth_list; + krb5_get_init_creds_opt_set_proxiable; + krb5_get_init_creds_opt_set_renew_life; + krb5_get_init_creds_opt_set_salt; + krb5_get_init_creds_opt_set_tkt_life; + krb5_get_init_creds_opt_set_win2k; + krb5_get_init_creds_password; + krb5_get_kdc_cred; + krb5_get_kdc_sec_offset; + krb5_get_krb524hst; + krb5_get_krb_admin_hst; + krb5_get_krb_changepw_hst; + krb5_get_krbhst; + krb5_get_max_time_skew; + krb5_get_pw_salt; + krb5_get_renewed_creds; + krb5_get_server_rcache; + krb5_get_use_admin_kdc; + krb5_get_warn_dest; + krb5_get_wrapped_length; + krb5_getportbyname; + krb5_h_addr2addr; + krb5_h_addr2sockaddr; + krb5_h_errno_to_heim_errno; + krb5_have_error_string; + krb5_hmac; + krb5_init_context; + krb5_init_ets; + krb5_init_etype; + krb5_initlog; + krb5_is_thread_safe; + krb5_kerberos_enctypes; + krb5_keyblock_get_enctype; + krb5_keyblock_init; + krb5_keyblock_key_proc; + krb5_keyblock_zero; + krb5_keytab_key_proc; + krb5_keytype_to_enctypes; + krb5_keytype_to_enctypes_default; + krb5_keytype_to_string; + krb5_krbhst_format_string; + krb5_krbhst_free; + krb5_krbhst_get_addrinfo; + krb5_krbhst_init; + krb5_krbhst_init_flags; + krb5_krbhst_next; + krb5_krbhst_next_as_string; + krb5_krbhst_reset; + krb5_kt_add_entry; + krb5_kt_close; + krb5_kt_compare; + krb5_kt_copy_entry_contents; + krb5_kt_default; + krb5_kt_default_modify_name; + krb5_kt_default_name; + krb5_kt_end_seq_get; + krb5_kt_free_entry; + krb5_kt_get_entry; + krb5_kt_get_full_name; + krb5_kt_get_name; + krb5_kt_get_type; + krb5_kt_next_entry; + krb5_kt_read_service_key; + krb5_kt_register; + krb5_kt_remove_entry; + krb5_kt_resolve; + krb5_kt_start_seq_get; + krb5_kuserok; + krb5_log; + krb5_log_msg; + krb5_make_addrport; + krb5_make_principal; + krb5_max_sockaddr_size; + krb5_mk_error; + krb5_mk_priv; + krb5_mk_rep; + krb5_mk_req; + krb5_mk_req_exact; + krb5_mk_req_extended; + krb5_mk_safe; + krb5_net_read; + krb5_net_write; + krb5_net_write_block; + krb5_ntlm_alloc; + krb5_ntlm_free; + krb5_ntlm_init_get_challange; + krb5_ntlm_init_get_flags; + krb5_ntlm_init_get_opaque; + krb5_ntlm_init_get_targetinfo; + krb5_ntlm_init_get_targetname; + krb5_ntlm_init_request; + krb5_ntlm_rep_get_sessionkey; + krb5_ntlm_rep_get_status; + krb5_ntlm_req_set_flags; + krb5_ntlm_req_set_lm; + krb5_ntlm_req_set_ntlm; + krb5_ntlm_req_set_opaque; + krb5_ntlm_req_set_session; + krb5_ntlm_req_set_targetname; + krb5_ntlm_req_set_username; + krb5_ntlm_request; + krb5_openlog; + krb5_pac_add_buffer; + krb5_pac_free; + krb5_pac_get_buffer; + krb5_pac_get_types; + krb5_pac_init; + krb5_pac_parse; + krb5_pac_verify; + krb5_padata_add; + krb5_parse_address; + krb5_parse_name; + krb5_parse_name_flags; + krb5_parse_nametype; + krb5_passwd_result_to_string; + krb5_password_key_proc; + krb5_plugin_register; + krb5_prepend_config_files; + krb5_prepend_config_files_default; + krb5_princ_realm; + krb5_princ_set_realm; + krb5_principal_compare; + krb5_principal_compare_any_realm; + krb5_principal_get_comp_string; + krb5_principal_get_realm; + krb5_principal_get_type; + krb5_principal_match; + krb5_principal_set_type; + krb5_print_address; + krb5_program_setup; + krb5_prompter_posix; + krb5_random_to_key; + krb5_rc_close; + krb5_rc_default; + krb5_rc_default_name; + krb5_rc_default_type; + krb5_rc_destroy; + krb5_rc_expunge; + krb5_rc_get_lifespan; + krb5_rc_get_name; + krb5_rc_get_type; + krb5_rc_initialize; + krb5_rc_recover; + krb5_rc_resolve; + krb5_rc_resolve_full; + krb5_rc_resolve_type; + krb5_rc_store; + krb5_rd_cred2; + krb5_rd_cred; + krb5_rd_error; + krb5_rd_priv; + krb5_rd_rep; + krb5_rd_req; + krb5_rd_req_ctx; + krb5_rd_req_in_ctx_alloc; + krb5_rd_req_in_ctx_free; + krb5_rd_req_in_set_keyblock; + krb5_rd_req_in_set_keytab; + krb5_rd_req_in_set_pac_check; + krb5_rd_req_out_ctx_free; + krb5_rd_req_out_get_ap_req_options; + krb5_rd_req_out_get_keyblock; + krb5_rd_req_out_get_ticket; + krb5_rd_req_with_keyblock; + krb5_rd_safe; + krb5_read_message; + krb5_read_priv_message; + krb5_read_safe_message; + krb5_realm_compare; + krb5_recvauth; + krb5_recvauth_match_version; + krb5_ret_address; + krb5_ret_addrs; + krb5_ret_authdata; + krb5_ret_creds; + krb5_ret_creds_tag; + krb5_ret_data; + krb5_ret_int16; + krb5_ret_int32; + krb5_ret_int8; + krb5_ret_keyblock; + krb5_ret_principal; + krb5_ret_string; + krb5_ret_stringnl; + krb5_ret_stringz; + krb5_ret_times; + krb5_ret_uint16; + krb5_ret_uint32; + krb5_ret_uint8; + krb5_salttype_to_string; + krb5_sendauth; + krb5_sendto; + krb5_sendto_context; + krb5_sendto_ctx_add_flags; + krb5_sendto_ctx_alloc; + krb5_sendto_ctx_free; + krb5_sendto_ctx_get_flags; + krb5_sendto_ctx_set_func; + krb5_sendto_ctx_set_type; + krb5_sendto_kdc; + krb5_sendto_kdc_flags; + krb5_set_config_files; + krb5_set_default_in_tkt_etypes; + krb5_set_default_realm; + krb5_set_dns_canonicalize_hostname; + krb5_set_error_string; + krb5_set_extra_addresses; + krb5_set_fcache_version; + krb5_set_ignore_addresses; + krb5_set_max_time_skew; + krb5_set_password; + krb5_set_password_using_ccache; + krb5_set_real_time; + krb5_set_send_to_kdc_func; + krb5_set_use_admin_kdc; + krb5_set_warn_dest; + krb5_sname_to_principal; + krb5_sock_to_principal; + krb5_sockaddr2address; + krb5_sockaddr2port; + krb5_sockaddr_uninteresting; + krb5_std_usage; + krb5_storage_clear_flags; + krb5_storage_emem; + krb5_storage_free; + krb5_storage_from_data; + krb5_storage_from_fd; + krb5_storage_from_mem; + krb5_storage_from_readonly_mem; + krb5_storage_get_byteorder; + krb5_storage_is_flags; + krb5_storage_read; + krb5_storage_seek; + krb5_storage_set_byteorder; + krb5_storage_set_eof_code; + krb5_storage_set_flags; + krb5_storage_to_data; + krb5_storage_write; + krb5_store_address; + krb5_store_addrs; + krb5_store_authdata; + krb5_store_creds; + krb5_store_creds_tag; + krb5_store_data; + krb5_store_int16; + krb5_store_int32; + krb5_store_int8; + krb5_store_keyblock; + krb5_store_principal; + krb5_store_string; + krb5_store_stringnl; + krb5_store_stringz; + krb5_store_times; + krb5_store_uint16; + krb5_store_uint32; + krb5_store_uint8; + krb5_string_to_deltat; + krb5_string_to_enctype; + krb5_string_to_key; + krb5_string_to_key_data; + krb5_string_to_key_data_salt; + krb5_string_to_key_data_salt_opaque; + krb5_string_to_key_derived; + krb5_string_to_key_salt; + krb5_string_to_key_salt_opaque; + krb5_string_to_keytype; + krb5_string_to_salttype; + krb5_ticket_get_authorization_data_type; + krb5_ticket_get_client; + krb5_ticket_get_endtime; + krb5_ticket_get_server; + krb5_timeofday; + krb5_unparse_name; + krb5_unparse_name_fixed; + krb5_unparse_name_fixed_flags; + krb5_unparse_name_fixed_short; + krb5_unparse_name_flags; + krb5_unparse_name_short; + krb5_us_timeofday; + krb5_vabort; + krb5_vabortx; + krb5_verify_ap_req2; + krb5_verify_ap_req; + krb5_verify_authenticator_checksum; + krb5_verify_checksum; + krb5_verify_init_creds; + krb5_verify_init_creds_opt_init; + krb5_verify_init_creds_opt_set_ap_req_nofail; + krb5_verify_opt_alloc; + krb5_verify_opt_free; + krb5_verify_opt_init; + krb5_verify_opt_set_ccache; + krb5_verify_opt_set_flags; + krb5_verify_opt_set_keytab; + krb5_verify_opt_set_secure; + krb5_verify_opt_set_service; + krb5_verify_user; + krb5_verify_user_lrealm; + krb5_verify_user_opt; + krb5_verr; + krb5_verrx; + krb5_vlog; + krb5_vlog_msg; + krb5_vset_error_string; + krb5_vwarn; + krb5_vwarnx; + krb5_warn; + krb5_warnx; + krb5_write_message; + krb5_write_priv_message; + krb5_write_safe_message; + krb5_xfree; + + # com_err error tables + initialize_krb5_error_table_r; + initialize_krb5_error_table; + initialize_krb_error_table_r; + initialize_krb_error_table; + initialize_heim_error_table_r; + initialize_heim_error_table; + initialize_k524_error_table_r; + initialize_k524_error_table; + + # variables + krb5_mcc_ops; + krb5_acc_ops; + krb5_fcc_ops; + krb5_kcm_ops; + krb4_fkt_ops; + krb5_wrfkt_ops; + krb5_mkt_ops; + krb5_fkt_ops; + krb5_akf_ops; + krb5_srvtab_fkt_ops; + krb5_any_ops; + heimdal_version; + heimdal_long_version; + krb5_config_file; + krb5_defkeyname; + + # Shared with GSSAPI krb5 + _krb5_crc_init_table; + _krb5_crc_update; + + # V4 compat glue + _krb5_krb_tf_setup; + _krb5_krb_dest_tkt; + _krb5_krb_life_to_time; + _krb5_krb_decomp_ticket; + _krb5_krb_decomp_ticket; + _krb5_krb_create_ticket; + _krb5_krb_create_ciph; + _krb5_krb_create_auth_reply; + _krb5_krb_rd_req; + _krb5_krb_free_auth_data; + _krb5_krb_time_to_life; + _krb5_krb_cr_err_reply; + + # Shared with libkdc + _krb5_principalname2krb5_principal; + _krb5_principal2principalname; + _krb5_s4u2self_to_checksumdata; + _krb5_put_int; + _krb5_get_int; + _krb5_pk_load_id; + _krb5_parse_moduli; + _krb5_pk_mk_ContentInfo; + _krb5_dh_group_ok; + _krb5_pk_octetstring2key; + _krb5_pk_allow_proxy_certificate; + _krb5_pac_sign; + _krb5_plugin_find; + _krb5_plugin_get_symbol; + _krb5_plugin_get_next; + _krb5_plugin_free; + _krb5_AES_string_to_default_iterator; + _krb5_get_host_realm_int; + + # testing + _krb5_aes_cts_encrypt; + _krb5_n_fold; + _krb5_expand_default_cc_name; + local: + *; +}; diff --git a/crypto/heimdal/lib/krb5/version.c b/crypto/heimdal/lib/krb5/version.c index 5f0fd6680bf5..f7ccff5bc882 100644 --- a/crypto/heimdal/lib/krb5/version.c +++ b/crypto/heimdal/lib/krb5/version.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: version.c,v 1.3 1999/12/02 17:05:13 joda Exp $"); +RCSID("$Id: version.c 7464 1999-12-02 17:05:13Z joda $"); /* this is just to get a version stamp in the library file */ diff --git a/crypto/heimdal/lib/krb5/warn.c b/crypto/heimdal/lib/krb5/warn.c index 72398bf4605e..85f143b8b4b6 100644 --- a/crypto/heimdal/lib/krb5/warn.c +++ b/crypto/heimdal/lib/krb5/warn.c @@ -34,7 +34,7 @@ #include "krb5_locl.h" #include <err.h> -RCSID("$Id: warn.c,v 1.14 2003/04/16 16:13:08 lha Exp $"); +RCSID("$Id: warn.c 19086 2006-11-21 08:06:40Z lha $"); static krb5_error_code _warnerr(krb5_context context, int do_errtext, krb5_error_code code, int level, const char *fmt, va_list ap) @@ -96,7 +96,7 @@ _warnerr(krb5_context context, int do_errtext, #undef __attribute__ #define __attribute__(X) -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vwarn(krb5_context context, krb5_error_code code, const char *fmt, va_list ap) __attribute__ ((format (printf, 3, 0))) @@ -105,7 +105,7 @@ krb5_vwarn(krb5_context context, krb5_error_code code, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_warn(krb5_context context, krb5_error_code code, const char *fmt, ...) __attribute__ ((format (printf, 3, 4))) { @@ -113,14 +113,14 @@ krb5_warn(krb5_context context, krb5_error_code code, const char *fmt, ...) return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vwarnx(krb5_context context, const char *fmt, va_list ap) __attribute__ ((format (printf, 2, 0))) { return _warnerr(context, 0, 0, 1, fmt, ap); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_warnx(krb5_context context, const char *fmt, ...) __attribute__ ((format (printf, 2, 3))) { @@ -128,7 +128,7 @@ krb5_warnx(krb5_context context, const char *fmt, ...) return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verr(krb5_context context, int eval, krb5_error_code code, const char *fmt, va_list ap) __attribute__ ((noreturn, format (printf, 4, 0))) @@ -138,7 +138,7 @@ krb5_verr(krb5_context context, int eval, krb5_error_code code, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_err(krb5_context context, int eval, krb5_error_code code, const char *fmt, ...) __attribute__ ((noreturn, format (printf, 4, 5))) @@ -147,7 +147,7 @@ krb5_err(krb5_context context, int eval, krb5_error_code code, exit(eval); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verrx(krb5_context context, int eval, const char *fmt, va_list ap) __attribute__ ((noreturn, format (printf, 3, 0))) { @@ -155,7 +155,7 @@ krb5_verrx(krb5_context context, int eval, const char *fmt, va_list ap) exit(eval); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_errx(krb5_context context, int eval, const char *fmt, ...) __attribute__ ((noreturn, format (printf, 3, 4))) { @@ -163,7 +163,7 @@ krb5_errx(krb5_context context, int eval, const char *fmt, ...) exit(eval); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vabort(krb5_context context, krb5_error_code code, const char *fmt, va_list ap) __attribute__ ((noreturn, format (printf, 3, 0))) @@ -173,7 +173,7 @@ krb5_vabort(krb5_context context, krb5_error_code code, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_abort(krb5_context context, krb5_error_code code, const char *fmt, ...) __attribute__ ((noreturn, format (printf, 3, 4))) { @@ -181,7 +181,7 @@ krb5_abort(krb5_context context, krb5_error_code code, const char *fmt, ...) abort(); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vabortx(krb5_context context, const char *fmt, va_list ap) __attribute__ ((noreturn, format (printf, 2, 0))) { @@ -189,7 +189,7 @@ krb5_vabortx(krb5_context context, const char *fmt, va_list ap) abort(); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_abortx(krb5_context context, const char *fmt, ...) __attribute__ ((noreturn, format (printf, 2, 3))) { @@ -197,9 +197,15 @@ krb5_abortx(krb5_context context, const char *fmt, ...) abort(); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_warn_dest(krb5_context context, krb5_log_facility *fac) { context->warn_dest = fac; return 0; } + +krb5_log_facility * KRB5_LIB_FUNCTION +krb5_get_warn_dest(krb5_context context) +{ + return context->warn_dest; +} diff --git a/crypto/heimdal/lib/krb5/write_message.c b/crypto/heimdal/lib/krb5/write_message.c index 3e23a3aaa951..1694a1075e41 100644 --- a/crypto/heimdal/lib/krb5/write_message.c +++ b/crypto/heimdal/lib/krb5/write_message.c @@ -33,15 +33,15 @@ #include "krb5_locl.h" -RCSID("$Id: write_message.c,v 1.8 2001/07/02 18:43:06 joda Exp $"); +RCSID("$Id: write_message.c 17442 2006-05-05 09:31:15Z lha $"); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_write_message (krb5_context context, krb5_pointer p_fd, krb5_data *data) { - u_int32_t len; - u_int8_t buf[4]; + uint32_t len; + uint8_t buf[4]; int ret; len = data->length; @@ -55,7 +55,7 @@ krb5_write_message (krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_write_priv_message(krb5_context context, krb5_auth_context ac, krb5_pointer p_fd, @@ -72,7 +72,7 @@ krb5_write_priv_message(krb5_context context, return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_write_safe_message(krb5_context context, krb5_auth_context ac, krb5_pointer p_fd, |